In This Episode We Discuss All Things Security & How To Keep Your Website Safe
Brian holds a B.S. degree in Computer Science from the University of Wisconsin, Madison. He is a software architect and data recovery expert. He is well-versed in the firmware architectures of all the major storage vendors. He is a co-founder of Phoenix Nuclear Labs and served on PNL’s board from inception to when it decided to spin-off SHINE Medical Technologies. He also previously served on the board for the Madison Scouts Drum and Bugle Corps.
Brian co-authored the first edition of the WebLogic Server Bible, published by John Wiley & Sons in 2002. He was named one of Madison’s 40 under 40 by In Business, even though sadly he is 40 now. He and his wife Kara have 3 sons, Charlie, Tanner and Eli. He is an avid but terrible fisherman and has never participated in even a single session of CrossFit. As CEO of Gillware, Inc, Brian oversees and assists all aspects of the business.
Jonathon: Welcome back folks to the WP Tonic Show. This is episode 455. We’ve got a great special guest. And we’re going to be talking about all things security around your website. If you’re actually working for a client, the things you really got to understand about security. Or if you’ve got your own website and you’re looking for an expert that can give some great insights. About how you can keep your site away from those horrible hacker types. Unfortunately, my cohost, Adrian, the good-looking one and the intelligent one, couldn’t make it for this show. But I’m sure Brian Gill, founder and chairman of Gillware, will be the expert that we’re looking for. So Brian, can you give the audience a quick intro about yourself?
Brian: Yeah, so I’m a computer scientist by trade. About 15 years ago, a group of friends and I started a company that essentially has been digging mostly American businesses out of data-related disasters. Some of which are website in nature. But all the different ways businesses can either lose data, get data stolen, and for the last five years we’ve been heavily concentrated on what’s called incident response. And the type of incidents that we respond to are data breaches, ransomware, that type of thing.
Jonathon: Oh, that’s great. Before we go into the main part of our great conversation, I just want to mention our major sponsor. They have been sponsoring the show for the last couple of years. Where have those two years gone? I cannot tell you. And that’s Kinsta Hosting. And Kinsta only specialize in hosting WordPress websites. They are big enough to have all the technology and knowledge, small enough to still care about what they host. The WP Tonic website, it’s been fantastic hosting. You get Google hosting through them, but what you get from them is a great UX design.
And the main thing is you get some of the best 24/7 support in the market at the present moment. And if you’ve got a WooCommerce website or e-learning platform based on WordPress, your normal cheap hosting just won’t hack it. You really need a better hosting provider. And that’s what you get from Kinsta. So if that sounds interesting for yourself or for your clients, go over to kinsta.com. Look around, buy one of their packages and please, please tell them that you heard about them on the WP Tonic podcast. So Brian, let’s start off. So what are some of the things that in general you come across that are consistent patterns that people do wrong when it comes to website security in general?
Brian: Yeah, and I think that overall, it’s a bigger theme than that even. But user authentication is a consistent problem. Something as simple as, sometimes when we will do an organization, we’ll find that there’s users that could authenticate onto their network or onto their website that haven’t worked there in years. Or a specialty vendor they hired five years ago to come in and punch up one little part of the website still has full-blown administrative access. And boy, you got to wonder why? And you got to understand who are your users, what levels of permission should they have. And then you’ve got to work really hard to make sure that it’s actually them.
Jonathon: I think you’re so spot on. And it’s understandable when it comes to WordPress. Because there is a slight weakness with WordPress. Is that a lot of the functionality, you really want to give them the editor role, but it’s just not high enough for them to do a lot of jobs. So you end up having to give them admin access. And then it’s so easy, if there isn’t a formulated plan structure of dealing with subcontractors, for people to forget. And those people to have full admin control, isn’t it?
Brian: Yeah. And it’s not that they would do something malicious. It’s that somebody else that obtains their access because they had an incredibly weak password or something along those lines.
Jonathon: Yeah. And this is one other thing, but I have got a vested interest in this. Because we run a website maintenance service business. So I’ve got to point it out to listeners and viewers that I have a bias here. But I do think it’s better to select a company that has a track record, that has a presence in the security or WordPress community. Than just going to freelance websites and getting somebody that you absolutely know nothing about. Apart from that freelance website as in some way. But you really fundamentally don’t know anything about them.
Brian: Yeah. And on the subject of being somebody that, or being a company that has access to dozens or hundreds or thousands of other businesses information. There’s a much deeper burden to understand that first of all, you might be an actual target. If you are identified as a company that if we could penetrate this company, look at all the havoc we could cause. So simple things like you shouldn’t have the same administrative password and an administrative username on all 500 places you go. And again, if you have a staff of a dozen people, you need to have the rules in place where no, I don’t actually trust you to have strong, unique passwords and all the places you go.
Like here, when you work here, the way we log in is with this KeePass password manager or a YubiKey or whatever the situation is. Unfortunately everybody needs to know quite a bit about security these days.
Jonathon: Yeah. I think you made a great point there. Because the other factor is your passwords for your email accounts. Isn’t it? Because they’re after that also. And if somehow that’s on the website somewhere and they manage to crack the password. And you’re using that password for your email accounts that can be a bit of a problem. Can it?
Brian: Yeah, sure can. And in general, if you have the same password for a bunch of stuff. Or you have three different or four different passwords you use at the 50 different places you have to log in, it’s a huge problem. Because sometimes that provider gets all the way owned and their whole database of everybody’s password gets available on the dark net. And even though through no fault of your own, you didn’t get phished, you didn’t get tricked, you didn’t cough up the password unnecessarily. The company that had it wasn’t encrypting it in the right way. And they got their network kind of traded. And now they’re going to try to use that at all these other places. And all of a sudden they’re you and you see the nightmare. You know when you’re a successful business and you have all these good clients. And the black eye, the reputation hit that you can get when you get breached and that breach has ramifications to your clients, it’s devastating.
Jonathon: So I get a lot of clients saying to me. Well my hosting provider backs up our website. I’ve got nothing to worry about. What’s the problem with that attitude, Brian?
Brian: Well first of all, if they’re paying for a high quality service, like the one you just promoted, they probably are and they’re probably doing a relatively good job. But the main problem I see when I’m talking with WordPress admins or somebody that just set up a WordPress website for a small business. And they say, yep, it’s backed up and it’s backed up with this plugin. And then the incident, the problem may happen three years down the road. And that business owner has absolutely no idea what to do. They think a backup exists because maybe they’ve been paying $12 a month for one. But how do you access it? How do you download it? How do you spin up a new server or a new cloud service? Or how do I set up a new container to put it on? And okay, I finally, 12 or 16 hours later, figured out how to log into my backups and figured out how to migrate it over.
And I’ve got a login to this DNS thing and try to figure out how to repoint my DNS now. And this whole time your business has been down. So all of this can be avoided with making sure that you do a mock restore occasionally. Once every six months, once every 12 months. Pretend that you need to spin up from your backups. Let’s see if it works. Let’s see if all those integrations that you have with your marketing automation software or your internal CRM. Let’s make sure that those still function and they still can talk to those things. And let’s make sure it’s recent. Oh geez. Well, I have my website, but it’s five weeks old and it’s the Christmas season. I can’t retrieve these 200 products again. So again, do a mock restore, understand how to access it in the first place.
And if you have a one-page Word document, which is a kind of break-glass-in-case-of-emergency document as a business owner or a host. Where if the worst of the worst happens, these are the exact steps on how we start all the way from scratch. And we know that it works and we know that it takes an hour or it takes two hours or it takes four hours. Because your phone might be ringing off the hook with people complaining. What are you going to tell them? What is your staff going to tell them? Hey listen, we had a major outage, we’re going to be back in 57 minutes. That’s a much better way to live. Than we’re working on it and you have no idea. And when you go through that mock restore process, what you’re probably gonna find are issues.
Maybe it turns out you need to upgrade to the gold plan with that service provider. So that you have a guaranteed number where you’re going to be talking to a human within five minutes. Because you cheaped out and you went with the entry level plan. And they guarantee email response in four hours at that level of service. And maybe that’s not good enough for you and your clients. And you didn’t really realize that until you had to go through the mock restore. You might realize that it wasn’t complete or that your WordPress theme looks a little goofy or some graphics aren’t quite right. Or geez, our subdomain isn’t even here. Where did that go? Oh crap. That wasn’t even in the backup. You might realize your backup was incomplete or out of date. Or the service wasn’t good enough. So I can’t preach.
Jonathon: Well, I think you’re preaching to the converted. Because at WP Tonic we are really about backup. Backup is the number one element of a security strategy. Isn’t it? So we have one backup which we take straight away and we store it. And that’s our final, final backup. And then the other thing is it really depends on the kind of hosting the client has. I’m personally a bit snobbish about hosting. And well, I think any hosting provider that doesn’t provide really good staging mechanisms. So you have a staging site and then you have a production site. I personally wouldn’t really host my site, if it’s a business-critical website, on a hosting provider that didn’t provide that superb ability for staging as well. Would you agree with that Brian?
Brian: Oh, of course. You know we usually have about four different versions of our websites. Different developers have their own versions, they’re kicking around. And there’s kind of, hey listen, I’ve checked it all into source control. And now we’re going to check everything out and make sure that this is our kind of beta candidate. And then boom! Now let’s promote it up to production. And having a solid strategy or a host that really facilitates that is huge. And when it comes to backups, you should understand where it’s going.
A surprising amount of backups will be backing up to the same.
Jonathon: To the same server.
Brian: To the same server. That’s not a backup. If it’s backing up to the same piece of hardware, to the same private cloud or the same piece of on-premise hardware, you’re still going to be subject to all the bad stuff that can happen to that. No, it needs to be a different node with a different layer of network authentication. And probably the number one problem that I see with these backups is the mechanism to authenticate in and access that backup lacks two-factor authentication.
Jonathon: Yup. Well that’s great. Well we are going to be coming back. We are going to be delving into this fascinating subject a bit more. I’m going to be putting a thing that’s a bit of a bugbear to me to Brian. And see what his thoughts are in the second half of the show. We will be back in a few moments, folks.
Announcer: Are you a WordPress consultant, designer or small digital agency owner? Then you need WP Tonic as your trusted white label developer partner for your next big e-learning or WooCommerce project. WP Tonic has the knowledge to help you build out custom functionality that your clients need in LearnDash, Lifter LMS and WooCommerce. WP Tonic is well known and trusted in the WordPress community. They stand behind their work with a full no-questions-asked 30 day money back guarantee, so don’t delay. Find out how WP Tonic’s white label services can help your agency today. Go to wp-tonic.com homepage and book a free consultation with Jonathan. That’s wp-tonic. Just like the podcast.
Jonathon: We’re coming back. We’ve been talking all things WordPress and security. Before we go on to this fascinating conversation, I want to talk about one of my other sponsors and that’s Lifter LMS. Now, if you’ve got a job for a client and they’re looking for a superb learning management system for their course. And they want the base, obviously they’re intelligent, they want to base it on WordPress. You cannot really go wrong by using Lifter LMS. It’s one of the most superb products that you can use on WordPress. So go over, have a look at what they’ve got to offer. And if you do decide to buy for yourself or for a client, there are pro versions. Please tell them that you heard about them on the WP Tonic show. Now Brian, a little bit of a bugbear of mine. It’s a little ink here.
I might go on a little rant, so be patient with me Brian. It’s in the WordPress developer community. There’s a set of developers and also there’s some plugin software providers that provide tools to allow people to host clients’ websites on Google, Amazon Web Services. And I think it’s the road to hell myself. Because I think for the right products or the right SaaS, or the right service, Amazon Web Services is totally logical. And especially if you’ve got a powerful team that can administer what’s going on. But Amazon Web Services, they don’t provide any real effective support or it’s extremely difficult. And I’m not a Linux administrator, Brian. I have many talents, but that is not one of them. What do you think about people that try and push clients for them to host their websites on Amazon Web Services?
Brian: Well, I think you make a really valid point. It’s an incredibly powerful cloud platform. And every time I log in to AWS there are about five new features. So I think it’s really difficult. And they’ve got probably 800 people that are developing that platform right at Amazon. So it’s changing all the time. So I think the more you know about some of these cloud services, the more you realize how fast it’s moving. And the less confident you are in maybe a micro sized business or a small business. Trying to configure those things properly, trying to configure them properly for security. And the more difficult it might be to have.
You might have a lot of those ongoing problems where you might not be able to. I have roughly a dozen people with computer science degrees and a bunch of these Linux server administrators. So we would be comfortable with that type of thing. But for a lot of businesses it might be too modular or they may not have the ability to keep up to date with all the things that are happening.
Jonathon: I personally think that you’ve got to weigh the savings against what will happen if we part company with this developer. And then we haven’t got somebody on call that supposedly has the Linux. And I’m not attacking developers. We’ve all been there, all developers like to think they’re the best developer on the market. And they think they can deal with almost anything. But in my experience, being a top-notch Linux administrator and being a top-notch WordPress developer are two entirely different things. Well that’s my opinion. So at least go on. So another thing I hear, Brian, is I hear a lot of people say, well, why would somebody want to hack my sites? You know it’s a nonprofit. We help orphans in Northern Nevada. Nobody is going to want to hack our site. What’s the reality, Brian?
Brian: Well, the reality is that they want to hack everybody. Well, first of all, the primary motivation these days, it’s not like it was 20 years ago. Where somebody wanted to hack your sites and throw up a JPEG of their pirate flag and get some sort of street cred in the hacker community for hacking somebody’s website. That kind of thing probably happens occasionally. But these modern hackers, they’re coming from a place of organized crime and they want money. And they may not specifically target that nonprofit that serves orphans. They’re targeting everybody at once.
And especially with WordPress, congratulations WordPress, it’s the number one web platform on the planet. And they have the same burden that like Microsoft has, where it’s the number one operating system on the planet. So every hacker is trying to come up with exploits. And they will try to send these exploits off in bulk to every website on the planet.
And if you’re running a version of WordPress from four years ago, you’re probably gonna have a bad time. Because you haven’t kept up with your patch management strategy. So yeah, everybody’s a target and it’s unfortunate. But it’s not going away. And there are a couple of quick, easy things that probably most of your audience are already doing. If you’ve ever looked at those server logs or those audit logs, first of all, look at them and you’ll be very, very scared about how frequently somebody is trying to hack into your website. Often before it’s even live. Like wow, I’m in beta here and there’s already some IP address in Romania trying to log into my server. And you’ll see all these failed entry attempts.
So you can rename the wp-login or the wp-admin. You can rename those URLs and that will get you out of some of these kinds of automated attacks. Do you really want your administrative user to be called admin? Because maybe you don’t want it to be called admin because a lot of these automated attacks are going to be trying to log in as admin. And they’re going to be using these databases of millions of known passwords. That’s another subject you could be thinking about, making sure that you find a security plugin.
Or you add a rule where you can’t just sit there and kind of brute force. If one IP address has tried to log in to your server 10 times in a row, do you really want to let that IP address continue to try? A surprising amount of websites the answer is yes. They can just try infinitely and they will, because it costs them almost nothing to continue to hammer you. So turn it off.
And obviously one of the things I’ve talked about a little bit, a couple of different times, is two-factor authentication. So every user who’s logging into your WordPress should be forced not only to have a username and a password, but have that like miniOrange plugin. And I’m not here to push any particular plugins or anything. But make sure you’re using like a Google Authenticator smartphone rotating digit code as a second factor of authentication. And then if you’re growing into that enterprise level and you’re supporting a user, thousands of concurrent users.
And there are big ramifications to any problems; you might even start to consider some of these third-factor authentications. Like if you want to log in to our WordPress, you have to come from these specific IP ranges. I’m sorry, nobody in Romania, even if they had the username and the password and they spoofed somehow the second factor of authentication. We don’t let people outside of these very fixed IP ranges even get to these specific URLs.
Jonathon: Yeah, I think what Brian’s pointing out, but there’s always a balance here, Brian. Because fundamentally I agree with almost everything you’re saying. But the thing you got to be aware of, listeners and viewers, is as the security threshold increases, the methodologies that you’re utilizing to keep the site secure, it becomes less convenient. So there always has to be a kind of balance between. But on the other hand, if you’re making a substantial living from your website, or that website, if it was down, it could affect a lot of people. You really got to be looking at these kinds of security questions. Haven’t you Brian?
Brian: Yeah, and you just stumbled on a huge topic. And all this technical mumbo jumbo that I’m rambling about. It may or may not have certain relevance to any particular situation. And it’s all about risk assessment and risk management. And there are a couple different things you can do with risk. You can buy insurance policies or cyber insurance policies. You can hire security experts to try to defend against things. Or you can do nothing.
You can just take a piece of bread and put all your risk on it and just eat it. And if the bad stuff happens, it happens. And all three of those things are appropriate in different circumstances. But the burden for people is to think about it, think about the risk. And make intelligent decisions for how you insure or how much resource you put into this to beef up your security.
Or if you shrug your shoulders and say, you know what, if this whole thing gets owned and crashes, it’s really no big deal to me. Okay, well that’s fine then. You probably shouldn’t be buying insurance or spending 1000 bucks a month on a security contractor. And there was another thing that you mentioned, which was convenience. And everything that we do in security, it has a convenience problem. It’s inconvenient to spend a bunch of money on security. I’d rather spend that money on other stuff and my family and my children’s education and pay my employees bonuses. And that’s pretty inconvenient. And every time I go to log into this website, I’ve got to have this stupid YubiKey in my pocket. And I’ve got to VPN into that network because that’s the only network that can get onto the thing. And I’ve got to have this rotating phone thing and I’ve got to make sure it’s all synchronized.
And every time I add an employee, it’s an hour of crap to get them all set up. And all of these little inconveniences are the price we pay for increased security. It’s a direct trade-off. And it’s important that the business owners and the board members and the executives aren’t. Sometimes like you’re like, hey, you know, CEO, like you have to do these eight things now. And they’re like, oh, I’m not doing that. Well they need to have the opposite approach. You know, those executives or those business owners or those host providers.
They need to understand the overall risk profile that they have. And they need to be making important decisions to support security when it makes sense. And they themselves cannot personally be counterculture to that. It’s sometimes the IT people or the nerds in the world room and the Linux administrators, they know all the things that they should be doing. But they don’t have that political organizational control to make it happen.
Jonathon: That’s so true. Well we’re going to come to the end of the podcast part of the show. Hopefully Brian’s gonna agree, or I think he is going to agree, to stay on for about 10 minutes, which is going to be bonus content. Which you can see the whole interview with the bonus content on the WP Tonic YouTube channel. And also on the WP Tonic website where we will have a full transcript and all the links to some of the things we’ve mentioned during this interview. So Brian, what’s the best way for people to find out more about you and your company and services?
Brian: Yeah. www.gillware.com. Hopefully you never need us. Almost nobody wants to be our client because it usually means something’s going sideways. But we’re great to have if you or your clients ever end up in kind of data-related emergencies. You can find me at Brian Gill on LinkedIn. I connect with just about everybody who wants to connect with me. So that’s great.
Jonathon: Oh, thanks Brian. And if you really want to support the show folks, go over to iTunes and give us a review. It can be good, bad, or ugly. And if it’s a funny one, I will probably read it out. But go over, I know it is a pain in the posterior, but go over to iTunes and give us a review. Because if you’re getting real value from this show, hopefully you help us out and give us that review. We’ll be back next week with another great guest with other great insights to help you make your business a success into 2020. We will be back next week. See you soon. Thanks. Bye.
Why don’t you join us on Facebook every Friday at 8:30 am PST and be part of our live show where you can be part of the discussion? https://www.facebook.com/wptonic/