We achieved a 200% increase in our client’s website traffic in 16 months. Learn More
xFor this episode of Ecoffee with Experts, we have Cliff Rohde, CEO and Founder of GoatCloud with us. During the conversation, Matt and Cliff discuss SEO plugins and website security at great length. Watch now for effective strategies that guarantee growth.
I think WordPress has gotten a bad rep. It’s like being insecure. Which I think is not justified, and it’s just people trying to emphasize convenience over security.
Cliff Rohde
CEO and Founder of GoatCloud
Hello everyone. Welcome to this episode of Ecoffee with Experts. I'm your host, Matt Fraser. And on today's show, I have with me, Cliff Rohde. Cliff is the CEO and founder of GoatCloud, a full-service Digital Marketing and web development agency headquartered in upstate New York. He built his first website in 1996. And his first WordPress website in 2011. Cliff has been helping small, medium, and nonprofits to thrive online since 2013. Cliff, thanks for being here. Welcome to the show.
Matt, it is my pleasure. Thanks for inviting me.
Hey, no problem. So, Cliff, I know you've been building and tinkering with websites for quite some time since 1996. You know, not to date me, but that was my first year out of high school. So that's a long time to be building websites. Since going back to the days of tables, and HTML tables, I don't think CSS existed back then. And WordPress has changed the game with it powering like 33% of the internet now. I'm a WordPress user myself, I started with Joomla. And then realized that WordPress is way easier and focused on that and used since the last, I don't know how many years. But since WordPress 2.7. I remember when 3.0 came out. I think Matt Mullenweg decided that he wanted to democratize the internet with WordPress. And of course, I think he's worth half a billion dollars now, but it has and for small businesses especially. It enabled them to get online. It lowered the barrier to entry, would you say? First statement?
I do think so. It’s not the only one that’s out there, of course.
No, no, of course not.
I think, especially initially, WordPress did a great job of making it very easy for people to get on.
Are there any WordPress themes you recommend for small businesses? Or various themes that fit for them?
Yeah, so I have to say that I am probably a Divi fanboy. I feel like that product from Elegant Themes is just a terrific product, and it has developed so much, and so well, over the last, what, 10 years or so are eight years. And I feel like Divi is sort of where WordPress ought to be. I know that sounds very fanboyish. They’re not paying me money to talk about their themes. But it’s pretty intuitive to use. I will say that clients come to me in all different shapes and forms, and experiences and history online. So it’s not unusual that clients will be onboarded, and they have a particular theme that’s not Divi, and they want to continue using that. And that’s fine, too. But if I’m building a site from scratch, usually that is the theme I will go to.
Yeah. What is it that you like about Divi? I mean, you mentioned one thing: intuitiveness. Are specific child themes easy to launch for different types of businesses?
I mean, it’s easy enough to have a child theme with Divi, that is for sure. What I like about Divi is that one of the things I like about it anyway, is that it starts with a blank slate in my mind. It’s just a blank canvas, but it’s very easy to create some, this will sound vain, so masterpieces with it. I don’t know if I’ve created that, but I’ve seen it make some very nice-looking websites, starting from zero. I love that as compared to the way WordPress started right with themes that gave the site its look and feel; I want to do this, I got to do this. And it offers you so much more flexibility. Now. There are certainly other page builders out there. But I don’t like them as much as I like Divi.
Yeah, that's awesome. So the flexibility of it and the intuitiveness of it. Are there any other things that you would say?
Well, yeah, sure. And maybe this is a springboard for a larger conversation, or I should put this away because one of its other really powerful parts is that it is so widely used. And it’s created a dedicated group of developers responsive to hundreds of 1000s of users. They, to my mind, are committed to the product and their customers. So, I’m sure you can find some sort of theme out there with all sorts of bells and whistles, but if it’s not supported that way, it may be a mistake to use.
And the flexibility of it is that you can start with a blank canvas and build something or go places with it. The community has been built around developer support, which is important. Are you able to use it to make changes to their pages?
Yeah, so that’s a great question. And that goes beyond WordPress to the extent clients want to get involved in their websites. Whether you’re using WordPress with or without Divi or Squarespace or Wix, Weebly, Webflow, or whatever it’s going to be, there’s a learning curve for everybody. Some of these products will sound like a complaint, but I think it reflects where we are today. These tools we use to make our presence online are amazingly sophisticated and can do tremendous things. But with that comes a bit of complexity, and you need to find people, whether you’re in-house or hiring someone to do this, but who knows how to do this stuff. And it’s not always the easiest thing. Do my clients like Divi? I don’t know. A lot of times, they don’t care, honestly. Because they want me to do stuff on their website. Do they have any more complaints about Divi than they do about any other platform? Absolutely not.
Yeah, that's awesome.
I was going to say that I’m sure that if a WordPress purist is listening to me say this about Divi, they’re going to say, Oh, my God, this guy is giving everybody such bad advice because we should be building the site from scratch with our CSS and all that stuff. And I think that can work for certain projects. For small business people, they don’t want that. They don’t need that. And they don’t want it.
They don't need it and don't want it. There is a place for frameworks like Divi or, let's be frank, Beaver Builder, Elementor, or visual composer. Some people just like everything from scratch.
There is a shortcoming. It’s because of the shortcodes. Any page builder, whether Divi or any others you mentioned, will have its shortcodes if you want to change out of that platform.
Yeah, you need to redesign your website. So that's something to think about regarding a page builder, making sure you like it. What about the integration? To be frank with you, I don't know how I feel about this. I'm getting mixed emotions about WP Engine buying all of the plugins. They bought advanced custom fields from the delicious brain. Yeah, he's a fellow Canadian out in Nova Scotia. I don't know how I feel about that, but we don't necessarily need to discuss it. But I'm trying to point out that his ACF advanced custom fields seem quite a popular plugin. And maybe we'll talk about it. What about its integration with Divi is what I'm trying to ask, to build more sophisticated, I say complex websites?
Divi accommodates custom post types and fields.
Is there any direct integration?
I never found it to be a beautiful thing. But there are workarounds. So I feel like some of that stuff is coming right out of the box, but I’ll give you a perfect example. A client that I have wanted to build a directory of people who perform the function for the new organization, and it didn’t make sense to add those as posts because that’s just not what they were. So really made sense to create some sort of custom post type. These particular fields and the ability to display that information on a Divi website are doable. But again, you need workarounds. So there’s probably a way to do some of that with the native or WooCommerce, but with the WordPress blocks and stuff with Gutenberg, but I have never really loved that block editor. And I think it’s still in development mode in my mind. I am not a big fan of Gutenberg. So that’s what I was saying before where. I think that Divi is where I think WordPress ought to be because there are Gutenberg-like functionalities within Divi. But they’re better, Just better. Divi is not going to supplant WordPress. No, they wouldn’t. I don’t know what they’d have to do, but they’re not there.
Do you think Gutenberg and Mullenweg plan to be the bold site editing? I think he's trying to make WordPress like wicks or full site editing, and page builders seem to have filled that space. I don't know why he's trying to interrupt and disrupt that. Do you think Gutenberg will take over and put Divi out of business?
I don’t know. I’m sure that the Divi people worry about that a little bit. It’s something that I have thought about, like, would WordPress forever automatically buy themes and say this is the way or any of the other builders? I don’t know. I don’t. I feel the goal was, like you’re saying to make it a bit easier to build a nice-looking website. But I don’t think it makes it much easier. I don’t
It does not. It makes it harder. I've tried to use it. It's terrible. Sorry, man.
You can see my beard’s color, right? Yeah, maybe you’re asking the wrong guy this question.
I don't think so. No, I mean, I'm not that young. I'm not a spring chicken either. But I'm pretty active in WordPress Facebook groups. And nobody's jumping on the Gutenberg bandwagon, at least from me. Maybe I'm wrong, maybe some companies are embracing building Gutenberg blocks. And there's that other thing but, looking for ultimate Beaver, like ultimate Beaver is put on by brainstorm force wherever they are. And they have modules for Beaver Builder. They have modules for Elementor. I'm not sure if they have stuff for Divi. But they've converted all those modules into Gutenberg blocks. And I've tried using them, but they're not as good. It's not as intuitive as Elementor, Divi, and Beaver Builder that I've used, so it will be interesting to see. Such clients like using Divi, that's awesome. What are your favorite SEO plugins for WordPress? Like, what's your preferred one?
My go-to is Yoast, although I think it’s a great plugin in many respects. I sometimes feel like, so I should just say, as an aside for a second, part of my business, the website design, of course, but then another substantial part of my business as well as hosting and maintaining websites. GoatCloud offers a Managed WordPress environment. But it’s different from some of the ones you may get, Like a GoDaddy or wherever else SiteGround, etc. I’m just happy to be naming them. There’s no reason I wouldn’t name other hosts who have a managed service. But I feel like my managed service is much more managed. One of my colleagues and I will be looking at the website and trying to figure out, should we be updating this plugin right now or not? So there’s a long way to getting to the Yoast question. I feel like sometimes, and maybe not so bad recently, but they’ve pushed out changes to the plugin before it was ready to be pushed out, so they’d be pretty quick to release the subsequent version. And so I find that a little bit annoying. I would much rather have fewer iterations. But each one is more stable. I also use All In One SEO.
Now that that one, I think, was bought by Syedh, sorry, I don't know his name. Forgive me, the guy who started WP beginner. WordPress has made him a very wealthy person. Yeah, Syedh Balkhi. He bought All In One SEO, Monster, Divi.
A lot of them. I was going to say that. Let’s not lose track of talking about SEO, it’s a thought I’d had about Gutenberg, too, as long as Gutenberg kind of continues, and WordPress continues to be kind of an open platform where other developers can bring pretty cool stuff to the table, I think it’ll be okay. It will weather the Gutenberg storm.
Yeah, I agree with you. I don't think they will catch up if they have enough of a customer base. I don't think Gutenberg is going to be able to disrupt. It's like somebody's trying to disrupt Google. Do you know what I mean? Like, you're not going to disrupt Google. It's not going to happen. Maybe 3000 years from now, but they've got such an amazing product. And then, of course, the comparison between Divi and Google is that there's much more market sharing. You have Divi, Elementary, Beaver Builder, and WP visual composer. But I'm trying to make a point, do they have enough loyalty amongst their base? I don't think that unless they stopped being innovative. They've had far too much of a head start, just like Google had a huge head start on Microsoft, made Microsoft ignore the internet, and they laughed at it. They have way too much of a head start. So what is it that you like about Yoast compared to All in one SEO? Or have you dabbled with rank math a bit?
I have not, but I’d love to hear about it. It’s easy to use, and I think the interface is great. I think the guidance it provides, right within the plugin, is a little bloating, but it’s also good advice, especially for people who don’t know a lot about building websites and SEO. I will tell my clients who want to do this on their own, give them a little bit of training and say, well, here, you have your page up, look at what Yoast SEO is telling you about this page and get everything to green, and you’ll be at a better place than you were before then. That’s very helpful.
Yeah. Besides Yoast, are there any other SEO plugins?
They are the same. I do use All In One SEO on occasion. There are some that I’ve used for very particular purposes. Like, if it’s an e-commerce Store, find some that do a better job at creating Schemas for products and stuff. So trying to remember what the names of those are. Yoast has a product in that regard, and others are in the repository.
Excuse me for generating schema.
Yeah, that’s helpful. SEO itself is a very broad term.
Oh, of course. Depends on the job page and technical aspects of those things.
Yeah, core goals can be considered. Yeah, exactly. All that stuff.
Oh, do you bother with caching anymore? Some say you get a good enough host and don't need to use a caching plugin.
Yeah, it depends on the website. But what I like to do, especially, is get my sites up on Cloudflare. It does a terrific job. Caching, security performance, etc. I’ve generally removed the extra caching plugins for the Divi sites I manage because they provide some caching, relatively recent development within Divi. Over the last six months or so, I don’t know that I have my dates exactly right, but they made speed a particular purpose they were striving for. And so, they refashioned what was under the hood. And so the sites are much faster than they used to be. So with CloudFlare, I don’t tend to drill down crazily. My sites are not YouTube or eBay or something like that. They’re you want to be building fast sites for your customers.
They're under 100 pages, is what I think you're trying to say?
They’re also not visited as often. And most small-scale customers typically have a shared hosting thing going on. They don’t need to be blazing, blazing fast. And that’s going to sound like heresy, I suppose. But, I’m going to say that most small clients don’t have the money to pay you or to pay for the service to get the fastest website possible. And I just don’t know that you always need the fastest website.
Yeah, that's true. I mean, a plumber might not. If a page takes 10 seconds to load, that's crazy. But if we're talking milliseconds or even if we're talking, I don't know, but I get what you're saying. Not everybody needs Lamborghini speed. But if you're getting a vast amount of traffic, and you're an e-commerce website, I guess it would be a different conversation because every second in site load costs a certain amount of money, which has been documented. I understand the point you're trying to make, though, is that a plumber doesn't need a Lamborghini speed website. It's okay if he has a Mustang speed website. It doesn't want a Pinto speed website.
No, of course not. It has to be mobile-friendly. It has to be secure. It has to be easy to look at. It has to be easy to maneuver through, and you get people to the contact page, or you have a clickable link to the phone, and you’re pretty good.
Yeah. Have you ever seen a WordPress website hacked or ever had one hacked?
I have not had mine. I have not had one of my sites hacked. Security is a super important issue. I have helped people recover from a hack.
It's not fun, is it? I created a course a long time ago, more than 10 years ago, called WP Security, lockdown.com. Launched on the Warrior Forum, and it did terribly. It got product of the day on JVZoo. But I found that people don't want to pay for WordPress security knowledge. They think of it after the fact. They don't think about WordPress security until they get hacked and look for a solution. So I dropped the product, even though I made about 31 videos. But anyway, the point I'm trying to make is that there are ways to secure WordPress so that it doesn't get hacked to harden it. Are there any tips you can share? I'm sure from your experience in regard.
Yeah, for sure. And I think that a lot of the hacks happen on low-hanging fruit. To people who have put no security precautions or measures in place to keep their site away from the bad guys, gals, and bots. So, I use security plugins. I tend to use WorkFence more than any of the others. One of the things I like about them, too, is that they are recent. They’ve changed the way or made it possible to do a better job securing login by putting two factors on a website to log in.
Yeah, that's important, isn't it?
It is especially for administrators. It’s one of the conversations I have with my clients who, by and large, are not always the most technologically sophisticated, and they don’t want to be and don’t have to be. If they’re a lawyer or a plumber or whatever they are, pest control person, they don’t necessarily care about a website. They are subject matter experts on what they do. But talking with them about a WordPress website, where some organizations might have multiple Administrators because different people are doing different things is like, every Admin on a WordPress site is a Super Admin. And that’s a real security issue.
Yeah. It's another point of failure, for lack of a better word. It's another point of hackability.
I mean, it’s another potential weakness right there.
Yes, that's a potential weakness. The more administrators you have, the more of a weakness it has. And so, how do you bring up that conversation? Because listen, I use BitWarden for my password management. I have like 1500 passwords in there. That has two-factor authentication. And in every single website that it possibly offers, I use two-factor authentication. So how do you have that conversation with your clients? Maybe other agency owners, because that's predominantly our audience, encourage them? Because I talked to this one business owner, she's a florist. I don't have time for stupid thought password management; I just use the same password for everything. I'm just like, oh, my gosh, are you kidding me? I am using a stupid two-factor authentication, it is an extra step. It's five minutes to set up and less than 30 seconds to use once it is set up. And yet, you're adding such a level of hardening to your site. The only way someone's getting in there is if they brute force attack your password and hack it, other than have your phone. I mean, good luck with that. Everybody's married to their phones. So it's an add-on, but you get resistance from them, or is it a matter of education in talking to them about it?
Yeah. That’s well said, Matt. It is a matter of education, and then we have a conversation about it and the risks. I had one nonprofit client, this was very recently. I’ve been hosting and maintaining their site for years, but they hadn’t asked me to do anything to check in and stuff. So they had turnover over time and just acted like all these people when I finally came back because they had some other stuff they needed to do. It was like we had 13 administrators on this website. And I asked, are you are these people even still around? Here’s why it’s not a good idea to do that. So yeah, I think people are receptive.
I guess that's education, telling them you need to have an internal process, HR process for when people are added and removed. I was the Marketing Director of a car dealership, and we had a WordPress website, this company developed a platform for car dealers' hosting. But we were limited. Of course, I was the main person because of my position and knowledge of this stuff, but we maintained control of the churn rate in car dealerships, so you know, it's huge. Both for Sales Managers and Salespeople, the churn rate is huge. So I had to have a document and a list of what to do when someone was like, oh, and the GM would phone me. He'd have the person in the office that he's going to fire and just pick up the phone and say, do it. I felt bad, but hey, what am I supposed to do? I must do my job. So lock you out of CRM, email, lock you out of everything, and they love you. It is what it is. That's what you're getting. So I guess you talked about 13 different Administrators. It would be a good idea to have a process.
Again. Each one is a super Admin so that they can change other Administrator stuff, that is a huge amount of power.
I know there are WordPress plugins that will create another permissions level. WP Role Editor is one of them. I think they are for Admin management, for scaling down, and not being able to change. I would do that 100% to mitigate the ability or the risk of someone being able to delete me as a user, who is the main Administrator, delete another Administrator, delete a WordPress plugin, a WordPress theme, or pages. Think about that, a bad actor, a small business fires an employee or, in my case, the Manager, and he goes in and deletes all the inventory. Next, you know all these folders and the amount of business that could be lost. It's incredible.
It is and the mayhem that can cause. You were asking about some other security steps I took. This is another one that I enjoy doing via cloud flare. It can be done even in the free plans at Cloud flare, and I am a big fan of It. They are not paying me to say any of this, but although they did have an outage recently, it took down a few of my sites. That’s another issue that is hard for people to understand, systems will fail occasionally. Even the big ones. There is a way that you can set up firewalls in Cloudflare. Because most of my clients are in the US, most of them, to the extent that they have people working on their website, the people are in the United States as well. You can put a block on the WP login page in Cloudflare so no one in the country can get in. There are bad actors in the United States as well. When I look at statistics on websites I manage, I go into cloud flare, telling me all the security things it did for me. They are mostly blocking attempts from countries outside of the United States.
You can Google a list of the countries that are bad actors for hacking, better known for it, and there is a list with about ten to fifteen countries. I have been using cloud flare since it came out. So I am fully aware of what you are talking about, and I am a huge fan. I use it on all my sites. I use it to manage my DNS. I use it for everything. It's phenomenal what you can do with it. As you just said, create page rules and web application firewalls, and they have one specifically for WordPress, the WordPress rules to be able to do that. I use a plug-in for CRM management, Ground Hog, for marketing automation and CRM. I am not sure if you are familiar with the setup of it, but in the setup of it, they use these con jobs. There are PHV files in the root folder on the website that it generates, and so I created a page rule not to cache those because you don't want those to be cached. That's one of the benefits of using cloud flare with WordPress.
I think the number one thing for people you hit on the head for getting hacked is brute force attacks and password management. You have an easy password. People think that when it comes to passwords that it's a human being that you have to try and keep your password from. They don't realize it's not, it's the robots. They can go through the alphabet, make a brute force attack, and keep trying to log in. Of course, there are things you can do to keep those things from happening. You can hide your log-in page. Installing a brute force attack plug-in. They can't do that, it will lock them out because it will lock them out after five attempts. The point I am trying to make is even with all that, the number one for defense is a strong password. And people have to know that. That is why we talk about two-step authentication because if you have a weak password, it gives you another layer. I think that is what WordPress security is about. If you would agree or feel free to disagree, the layers of security start with good hosting.
I think WordPress has gotten a bad rep. It’s like being insecure. Which I think is not justified, and it’s just people trying to emphasize convenience over security. Another tip I have, you probably do this too. Matt is for usernames. I also use a password manager. I use LastPass. I will have LastPass generate a random username unique to me. You never want to have an admin named admin. It boggles my mind that I still find websites where that is going on.
That is crazy.
I think with security, there are steps that bad guys and the bad bots take, and you try to come off at every step. Making it harder for them at every step.
Make it harder. Lock those countries. Hide your login page. One plug-in allows you to create a secret phrase, and that's the only way you can access the log-in page. I am not sure if WordPress does it or not because I haven't used it. So if you don't have a username, you can create a string that replaces your wp login.php, and every time they go to wp-login.php, it redirects them to the home page or wherever you want. Sorry suckers, you can't get on my log-in page. And the only way to get there is to access that string. It's not always ideal for some websites.
There is always that tension between convenience and security. Sometimes we think they are so inconvenient that they are not worth doing anymore. You could create a login page for just a particular IP address. That would stop everybody. Your IP address is going to change.
Most homeowners don't have a static IP. I don't have a static IP. I have an economical IP.
My IP changes every eight months, but in the last two years, it changes now and again.
You have to pay as a business to get a static IP, at least where I am from. What are some of the more common issues you see with WordPress websites?
What kind of websites are we talking about?
Small Business, who you predominantly deal with. Not E-commerce.
A common thread that goes through many of my clients when they first come to me and I am onboarding them is set it and forget it. It’s not unusual that when someone comes to me for help, we’ll look at the website and say, ” Oh, nobody was updating your plug-ins. We will find all sorts of issues like that correctable. I think again that goes to the notion that the small business person wants to be focused on their business, not on their website. And I think that’s not particular to WordPress. You were talking before about adding plug-ins to perform more functions. I would say an approach that I have, which is a common approach among WordPress developers, is to have a minimum number of plug-ins. At the same time, I don’t like to create all sorts of custom codes for a website because my client may decide next month that they want to move on and do something else. They want to hire somebody else. I am lucky that doesn’t happen very often, but it can happen. I feel like part of my job is to help future-proof them. I have one client that I just revamped their website, which was a WordPress website. The person had set it up bizarrely, and my client said they set it up so that we could not do anything on the website. I was like, What? It just seemed unethical to me.
That is unethical.
While I believe in reducing the number of plug-ins, I try not to load up a website with codes. I try to make a website that is at least approachable from the client’s perspective. If they wanted to learn, they could do stuff if they wanted.
That's some great advice. Is there one big takeaway you want listeners to get from this episode?
I would say that it’s doable. I guess I feel that way about WordPress. Before we talked, I even led the conversation by talking about how hard it is sometimes with WordPress. It’s doable. I find, and maybe you find this too sometimes, Matt, that clients you work with are slightly fearful of technology.
Yes, they are scared they are going to blow it up.
At times, they are going like, Oh my God, what am I going to do? I feel like a part of my job is talking people down. It’s. Going to be ok, or we will fix this, and you can have access if you want. If you want to do all this, we will provide some training, and you can do it. I would say that I think it’s rare these days. When I started this, some people still questioned whether they even needed a website. I think we are well beyond that point now. But people are still fearful about doing it themselves, and I think people may have heard chatter in the background about WordPress. It’s hard, insecure, and I think that’s gooey.
I agree with you.
You don’t have to, but you can.
I know one such individual who has that mentality and refuses to use it because it's one of the most hacked platforms on the internet, in his opinion. It could be, but it is also one of the most used platforms. It's thirty-three percent of the internet.
It’s a target as a consequence.
Yes, exactly. It's a target as a consequence, but as you and I have said, if there are certain things you do to secure and harden it, I don't know wif the right word is to mitigate, but you can lessen the ability of persons to do those things. It is a fantastic tool, as you shared with Divi. You can make some amazing sites if you have advanced fields and custom post types. Usually, there is nothing you can't do with it.
And not just with Divi, you can make some very great sites with WordPress. It is my main tool.
Yes, mine too. If our listeners want to connect with you, where can they do that?
I have a website, strangely enough, that is goatcloud.com. That is a goat, like the barnyard animal. My email address is cliff@goatcloud.com.
Are you on Twitter or LinkedIn personally?
LinkedIn yes. We didn’t talk about social media. It wasn’t the focus of the conversation. I try to avoid social media. LinkedIn, I am there.
It is, isn't it?
Emphasis on evil.
Hey Cliff, thank you so much for being on the show. It's been a pleasure having you here.
It’s been a fun conversation, Matt. I hope we can do it again.
We could. We can talk about many things in WordPress and even Digital marketing. I will do that. Have a great day.
You too. Thank you.
