We discuss WordPress and security. One of the main selling points of WordPress for an eLearning entrepreneur building an online education platform is its flexibility: you have full control of your business platform, i.e. you are not leasing it from a landlord (a SaaS company). However, the flip side of owning your own home is that you have to do your own maintenance and security.
This week’s show is sponsored by Kinsta Hosting
Jonathon: Welcome back folks to WP Tonic. This is episode 393. We haven’t got a guest this week. Unfortunately our guest was ill, but they will be coming on the show, probably in June. But you’ve got me and my better half. You’ve got Cindy Nicholson, the Course Whisperer. Cindy, would you like to introduce yourself to the listeners and viewers?
Cindy: Absolutely Jonathan. Hi everyone. Cindy Nicholson here from, as John said, the coursewhisperer.com. And basically I help people create better online courses.
Jonathon: She’s got used to my humor folks. You have been on the show a while now. I think we have had some great interviews. Thank you so much for putting up with me Cindy. Most people wouldn’t actually. I think you’ve got used to my kind of English humor. What we’re going to be discussing today folks, we’re going to be discussing security. Yes. Especially if you’re taking payments on a membership stroke learning management course-based website. This whole area of taking payments and payment gateways and Stripe and PayPal. We’re going to delve deep. What do you reckon Cindy?
Cindy: I think it’s a good topic. It’s one of those things that after something happens you wish that you’d spent more time on figuring it out at the outset. So this is hopefully going to help people avoid some problems in the future.
Jonathon: I’m going to start with some basics folks. Obviously when it comes to security and taking payments, some of the hosted SaaS solutions like Thinkific and Kajabi seem initially to have an easier vector, and they handle that part of it. The truth is, and I’m not choosing any specific company here because they’d probably sue me, but what I’m saying is that when an internal company has a security breach folks, the natural way it deals with it is totally different to the open source approach. And what I mean by that folks is that if they do get a breach, they’re going to keep it quiet. They’re going to keep it internal, not publicize it, and deal with it. Sometimes they do deal with it effectively. Sometimes they don’t. But they’re not going to publicize it. That’s the total opposite to open source folks. In open source, when a security, it’s called a security vector.
When a vector is found in the core of the software or in a plugin, normally the community gives a period of time where it’s not publicized, for the developers of the core of WordPress or the developer of a specific plugin. They give them a little bit of time to actually fix that vector and then they publicize it. They don’t want to publicize it before the vector’s been solved because that would increase the number of sites that get breached. If the developer of the core or the developer of the plugin is not responsive or doesn’t seem to want to fix the vector, the community will publicize it. And then in the end the community will come together and fix the problem for them. And there have been cases in the WordPress community of certain developers or certain plugins where their plugin has been removed from the public directory of WordPress. And they get a kind of quasi-ban from the community, because they have actually been engaged in behavior that isn’t tolerated by the community in general. Did that make sense?
Cindy: Yep, but I do have a few questions for you. A vector like that, does that mean somebody has been trying to come in and hack? Explain what an actual vector is. The security vector.
Jonathon: Fundamentally all code, the buzzword is artificial intelligence, that we’re all going to be replaced by robots at some stage. I am looking forward to being replaced by robots. So to be serious for once. All code is coded by humans. And all human beings, we make mistakes. So fundamentally there are normally bugs in code. And we live with another buzzword, I’m going to introduce a few buzzwords here folks, I apologize. These APIs, and what APIs are, they’re public gateways that allow programs to communicate with other programs. So it’s kind of like a handshake. An API publicly shows a number of ways that other software can communicate with your software. Now the problem is, we’re getting more and more services that rely on external services to provide the service to the end client. So we have a number of APIs all working together. The problem with that though is it increases the level, it opens you up to security vector problems. Because not only are you relying on your own software, you’re relying on other people’s. And with these SaaS platforms, I won’t name them again, because I’m not specifically pointing my finger at them.
They are normally also heavily integrated into other services providing video, email. They don’t run those email servers themselves. They’re relying on other companies, and they bundle their services to the end user by utilizing modern APIs. But the point I’m making is even these SaaS platforms are open to security breaches by having very elaborate API systems. Is that making any sense?
Cindy: Yes, now that makes sense.
Jonathon: So they’re not that enclosed actually. Modern software, almost all modern software, is utilizing other companies’ services through APIs. And by that they’re opening themselves up to the security quality or the code quality of those external services that they are relying on. And all software has bugs in it. And the great thing about open source software, Cindy, is it does have as many bugs as non-open software, but you have more eyes looking at it. There’s more chance that the bugs will be found. Within closed software, the bugs aren’t looked at so much. And if you get a bad player, a hacker or somebody that’s part of the dark web, and they find a bug which allows them into that software, then they can sometimes take control.
Especially if you’re dealing with financial information, people’s credit cards, and other information that can become quite serious.
Cindy: So that makes sense in terms of the code that makes your website more susceptible to being accessed by hackers or what have you. So that makes sense. So thank you for that. So my follow-up question to that is how do you know, like how do you know if you have these security vectors? Is it just problems when you’re trying to do certain things on your website? Like how do you know that you’ve got one?
Jonathon: Let’s talk about WordPress and open source here. I have a maintenance company that supports learning management systems. My knowledge is probably more than the average person’s, probably a lot higher. But I’m not a security expert so I don’t want to sell myself like that. But okay. I wanted this initial discussion because I didn’t want people to think that these problems are just around WordPress or open source in general. It’s just that they’re more open about discussing it, where other players are totally the opposite. They don’t want to discuss any security breaches. So people get the impression that it’s only open source that you get these problems. That’s a total fallacy. Now let’s get into it. So fundamentally it depends on why they, you know, if your site’s got hacked. Well it really depends on the type of people that are hacking your site. What I mean by that are the reasons why they’re hacking your site.
There were people that wanted to hack websites to utilize the actual server. Now all websites are hosted on servers, and servers are just big computers. There was a host of hacking because they actually wanted to take control of the bandwidth of the server that your site was on. They didn’t actually want to do anything to your site. They just wanted access to the computer power because they were involved in cryptocurrency. And this is a whole other side, fundamentally the mining of crypto coins. You need computer power, and if you could take over hundreds of websites, thousands of websites, and take a little bit of computer power, then you could mine these crypto coins. So there were people that were doing that. The problem with that is it’s semi-benign, but a lot of the people, not all of them, but a lot of the people that were behind that were also engaged in other activities that were much more highly illegal.
And also, if your site got hacked for that particular reason, they normally shared the information on the dark web, which is a massive set of international forums and other places that rather unpleasant individuals share data on. They would normally also, not all, but they love bragging about the amount of websites they’ve hacked into. And it’s normally a community where they share information. So you normally find if you get hacked for that semi-benign reason, other people were polling that, which can be down to link building, which Google’s technology still relies on as a key part of how your website is ranked.
The amount of external websites that link from their website to your website. Google’s technology has got a lot more sophisticated in some ways, but this linking element is still the core part of Google’s ability to judge how popular your website is. So you still get a lot of hackers that want to link, use automatic scripts to build links. Others just basically want to deface your website. And you find that one day your website is great, the next day it’s got pornographic images all over it. And it can happen to any website that’s hosted by them. But a lot of this can be avoided Cindy.
Cindy: So if your website’s been hacked to get the extra bandwidth, are you going to know this? Like is your website going to slow down?
Jonathon: You’re probably not going to know it. That’s why having this periodic scan. On our WordPress, on one of our plans, we utilize an external company and we put a bit of software on the websites, and it scans 24/7. And they’re looking for unusual bandwidth activity. Then we are notified and then we go in and investigate on behalf of the client.
Cindy: All right, cool. I think that’s a good time for a break and then I’ve got some more questions for you Jonathan.
Jonathon: Oh superb, Cindy’s right. It’s time to go for our break. She is becoming a pro folks. She is becoming a pro. We will be back in a few moments folks.
Announcer: Do you want to spend more time making money online? Then use WP Tonic as your trusted WordPress developer partner. They will keep your WordPress website secure and up-to-date so you can concentrate on the things that make you money. Examples of WP Tonic’s client services are landing pages, page layouts, widgets, updates and modifications. WP Tonic is well known and trusted in the WordPress community. They stand behind their work with a full, no questions asked, 30 day money back guarantee. So don’t delay, sign up with WP Tonic today. That’s wp-tonic.com, just like the podcast.
Jonathon: We are coming back. We are discussing all about security. Cindy’s got some more questions. Hopefully I won’t bore you to tears folks because this is really important stuff actually, you know, some of the fundamentals. So before we delve some more into the murky world of security, I have to talk about one of our great sponsors and that’s Kinsta hosting. Now if you host with Kinsta you’d be solving a certain high percentage of your security problems by being with a quality hosting provider. And that’s what you get with Kinsta. Especially if you’re looking for something like a membership learning management system or a Woo ecommerce website, you need better quality hosting than some of the providers. And that’s what you get with Kinsta. So if that sounds really interesting, I’d suggest that you go over to www.kinsta.com and find out some more about the great hosting packages. And tell them that you heard about it from WP Tonic. That’d be much appreciated. So Cindy, you got some other questions?
Cindy: Well this is a follow-up to the last one. You talked about having a company that scans for this. What is the average Joe supposed to do? You know, they’ve got a website. They’ve got a membership site. What can they do to protect their websites?
Jonathon: Well, there’s no one key way. It’s just a number of things that will help you keep your site secure. The first and the biggest is having decent hosting. Unfortunately there’s a lot of cheap hosting out there. I’m not gonna name names. Well there is the perception of hosting being at a certain cost, which is around $3 to $5 a month. That works for a very small business that has a very basic website. Now when you talk about a membership site or ecommerce or anything that’s larger, where you want a certain number of people to be utilizing your service, you need much better hosting. And that will normally cost $15 to $30 a month. And you could talk about hosting over 3 episodes. It’s always a really hot topic on the Facebook forums, Facebook discussion groups, everywhere.
But finding a decent place to have your site hosted is important. And they also make sure that they have technical people employed that are keeping all the software that runs these servers up to date. They run on different forms of Linux normally, not exclusively, but normally. And keeping those servers up to date, patched, kept as secure as possible is a full time job for really experienced IT individuals. And that’s what you’re paying for at that level of hosting. Then you’ve got to do your bit. The other great thing about these companies that are in the slightly higher price range, around the $30, is they’re going to offer what is called a staging site, where you can have a full copy of your live website, where you can update your plugins and the core of WordPress, or whatever open source software you’re using.
And then you can check out the site before you then, with one click, migrate that version of the staging site to your live site. So that avoids you updating something on your live site and having problems. And especially with a membership site, you don’t really want that. So they provide all these bells and whistles that will keep your live site happy, and also keep it much more secure, Cindy.
Cindy: We have hosting. What else?
Jonathon: Well, you’ve got to keep your plugins up to date. And you’ve got to be fussy about where you get your plugins. At WP Tonic, we offer a turnkey solution where we provide a platform with some of the best WordPress technology, aimed at those looking to build an accessible course platform. But we’ve checked them all over. They’re all premier plugins that we offer in our suite. And we know all the developers and we’ve used them over a number of years. And we know the quality of the code. And they work together. A lot of people when they go in, starting off with WordPress, they go crazy. They know nothing about the code in these plugins. And also they tend to have multiple versions of plugins that are doing the same kind of job. And then that’s where you get into trouble. And also not keeping them updated. To avoid security problems you need to keep everything updated as much as possible.
Cindy: So when it comes to plugins, what red flags would you have people look for in order to avoid downloading certain plugins? Because there are thousands of them out there. So what is the process for making that decision?
Jonathon: At the present moment on WordPress, on the plugin exchange, there’s 18,500.
Cindy: Is that how many there are?
Jonathon: 18,500. Well basically, is this their first plugin? If they’ve got other plugins, they’ve got a track record. Basically you have to keep that plugin updated. When was the last time it was updated? Does it work? All this information will be shown in the WordPress exchange. It shows when it was updated, how regularly it’s being updated, how many people have downloaded it and used it, when it was developed, and have the developers developed other WordPress plugins? I suggest when it’s key functionality, you then either hire a company like us or you do the research yourself. You should be reasonably fussy about what kind of plugins you’re putting on your website.
But the truth is, and let’s be frank, this is one of the reasons why the SaaS services are attractive initially to people: you don’t have to deal with that. But on the other hand, there are other hybrid solutions like what WP Tonic offers that solve a lot of that hassle. So you get the best of both worlds. You get an open system that’s yours, but you’re not having to deal with all this research and hassle part of it.
Cindy: If a plugin hasn’t been updated, what time frame would then get you concerned?
Jonathon: Well, if it hasn’t been updated for three to four months, alarm bells start ringing. But it just really depends on if the core of WordPress has been updated also. And there is no fixed date for when core patch updates are published. So it’s relying on that. If a plugin for about six months hasn’t seen any updates, I would start getting a little bit alarmed myself.
Cindy: That’s a good kind of benchmark to look for. All right, so you’ve talked about hosting, you’ve talked about plugins and keeping your plugins up to date. Anything else that people can do to kind of protect their website, membership sites?
Jonathon: Well, almost all websites now are HTTPS. This is a certificate, a secure socket certificate, and almost all websites, not all of them, there’s still some. But over the past 18 months, almost all websites have become HTTPS. The main driver of this was that Google said that if your site wasn’t HTTPS, you were going to have a search penalty imposed on your website. And also if you go to Chrome or any of the leading up-to-date browsers, which is Chrome at 60%, Firefox about 20%, Safari around 10%, mobile or desktop, and you go to a site that isn’t HTTPS, you’re going to probably see some indication that that site isn’t secure. With Chrome they actually come up with a message, and so do all the leading ones: do you want to browse this page? This page is unsecure. Have you seen those messages?
Cindy: I have definitely seen those messages.
Jonathon: Well what we are saying is the site hasn’t got a secure socket certificate. And they used to be really quite expensive. And you still normally have to pay for one when you’re dealing with a membership learning management system. But not always, it does depend on the volume and the level of security that’s necessary. A free secure socket technology, it’s called Let’s Encrypt, came on the market. And they drastically reduced the price of the certificate to a level where their technology was free. And that’s what most hosting providers do, provide a secure socket certificate through them. So there’s no reason why your site shouldn’t be secure. If your hosting provider can’t provide that, normally that’s a sign that you’re with a pretty crap hosting provider and maybe it’s time to move on.
Cindy: My first question around this is, how does somebody know if this is set up on their website? I know that I’ve seen the “not secure” beside the URL up in the search bar. But how does somebody know if they have this already set up on their website?
Jonathon: Yeah, well you will see the HTTPS and you’ll also see the green padlock in your browser. If you don’t see that, it hasn’t been set up correctly. And in 2019 you really do need that, because you are going to be penalized, especially on mobile. 80% of people that are going to be coming to your website are going to be coming through either phone or tablet. That is depending on the kind of site and the audience that your site is aimed at. But when it comes to an actual course website, a lot of people will initially be coming to it. I don’t know, you probably are more aware about the actual logistics of how people consume courses after they buy them. I’d imagine there’s a high level, a lot of people using tablets to actually consume courses. This is classified as a mobile device. We’re getting to the end of this.
Jonathon: We’re getting into the half hour. So hopefully listeners and viewers, this has been useful. What I would also like to tell you is that Cindy and I are doing a course. We are doing a webinar on Thursday the 30th of this month, and it’s going to be at 9:00 AM Pacific Standard Time on Thursday the 30th of May. And me and Cindy are going to be talking about the seven things that you need to know and get right when you’re doing your first course. And we’re going to be covering a lot of ground, aren’t we? I think it’s excellent value and it’s free and it’s going to be live. You’ll be able to ask questions at the end of our presentation. We’ll be covering a lot of stuff, a bit about security as well. And you’ll be able to ask questions. And all you have to do is go to the WP Tonic website, that’s WP Tonic slash webinar, and you’ll be able to register for this free course. We had some technical problems last month so we couldn’t do it, but they have been fixed. So you’ll be able to register for the webinar and you’ll be able to learn some tips and information. That’s great. It’s going to be great. So we’re gonna wrap up the podcast part of the show folks. Next week hopefully we’re going to have a great guest and we’ll see you next week. Thanks. Bye. Bye.
Every Friday at 8:30am PST we have a great and hard-hitting round-table show with a group of WordPress developers, online business owners and WordPress junkies where we discuss the latest and most interesting WordPress and online articles/stories of the week. You can also watch the show LIVE every Friday at 8:30am PST on our Facebook WP-Tonic Show page. https://www.facebook.com/wptonic/