When it comes to WordPress security, there are a lot of things you can do to lock down your site to prevent hackers and vulnerabilities from affecting your eCommerce site or blog. The last thing you want to happen is to wake up one morning to discover your site in shambles. So today we are going to be sharing a lot of tips, strategies, and techniques you can use to better your WordPress security and stay protected.
Jonathon: Welcome back folks to the WP Tonic Show. It is episode 546. It is going to be an internal discussion between me and my great co-host Steven. And we’re going to be talking about security. How you can make your site secure, the position of your hosting provider in security. It’s all going to be about securing your own sites, and securing client sites. It’s all going to be about security. But before we go into the main meat of this episode I want to talk about one of our great sponsors and that’s Kinsta hosting. Kinsta hosting is a premier WordPress hosting provider. They’ve been hosting the WP Tonic site for over two years now. Why should you be interested, or for your clients? Well, if you’ve got a website, a WooCommerce website, a learning management system, anything that needs more performance, more go, you would be advised to look at Kinsta.
All their sites are hosted on the Google cloud and they provide fantastic support. They provide all the technical bells and whistles, latest versions of PHP, one-click backup and one-click staging site. All the things that you expect from modern hosting. I’ve been absolutely blown away by the hosting they provided to the WP Tonic website. And their general support has been fantastic. So if that sounds interesting for yourself or for clients, and it should, go over to Kinsta and have a look at their packages and buy one for yourself or for your clients. And the main thing, if you do that, is to tell them that you heard about them on the WP Tonic show. So Steven, first of all, would you like to quickly introduce yourself to the new listeners and viewers?
Steven: Yeah, my name’s Steven Sater from zipfish.io. We optimize both the servers and the code that runs on your WordPress site. You kind of have to have both those things working in tandem to make your site blazing fast.
Jonathon: That’s great. Great company. We’ve used them ourselves. Our clients have been absolutely blown away with what Steven and his team have been able to do around speed. So Steven, where do we start on this subject of security? I suppose there’s the plugins side, there’s the hosting side, and then there’s the psychometric side of it where you’re dealing with people’s actions. You know, spoofing and all the rest of it. So I see it as kind of like three buckets. First of all, would you agree with that? Or have you got a different outlook on it, and how should we begin if we have some agreement?
Steven: Yeah. Security is a little bit of a convoluted sort of world because everything builds on the next thing. And the way that, let’s say, a hacker is trying to get into a site, it’s just finding the easiest path, the path of least resistance, to get in.
Jonathon: Can I interrupt? I think we need to start with just what you’ve just said. Hackers, well, the majority of security breaches aren’t done by some individual. They’re done by scripts, and those scripts, you have people that can go to certain websites or certain communities, and they can actually buy these scripts, I understand, or they’re freely available. And there’s a whole ecosystem around buying these scripts. And basically they come from people that are looking at WordPress code, WordPress plugins, the most popular plugins, or anything that comes under their radar, and they find security issues or ways that would allow somebody to actually get into a site and have administrative rights to that site. And then they are pushed upon these forums and websites. And then you’ve got a host of other people that haven’t got the technical skills to actually find a security breach, but they have the ability to run a script. Am I correct in what I’ve just said, first?
Steven: Yeah, yeah. You’re a hundred percent correct. And that really points to this idea that oftentimes when a website gets hacked, it’s generally not a specific target; they’re targeting sites in general, and they just want to get into as many sites as they possibly can. The higher profile your site gets, the more likely it is that somebody could choose to target an attack on your site. When it comes to security, I think the really important thing to understand is every site can be hacked. To say a site is impossible to hack, that there’s no way into a site, is a very false statement. The idea of security is that you have to make it hard enough to hack that whatever value will be derived from hacking that site, that value is less significant than the time and effort it takes to hack.
So think of a safe. If you have $5 in a safe, somebody may be willing to spend 10 minutes to get into that safe. After that, nope, like they’re done. It’s not worth their time or effort. If you have $50 million in a safe, right, somebody is willing to spend years of planning how they’re going to break into that safe. So the bigger your site is, as far as more recognition, more controversial what you store, the more secure you have to make sure your site is.
Jonathon: Yeah. I’m sorry to interrupt, but I don’t think you were able to attend last week’s round table show. I can’t remember actually, it all blurs into one. But last week, one of our stories we were discussing was President Trump’s campaign website got hacked into. It wasn’t actually being run on WordPress. It was being run on another CRM system called ExpressionEngine. But the same things apply, you know, but with a site that is so much in the public eye and is from somebody who, let’s be fair, is extremely controversial in a particular area that really gets people going, like politics. That site has to be what is called hardened as much as possible. The problem is, making a site secure is always a balance between hardening and usability, because normally the two things don’t go together: the more you harden a particular website, the less usable it’s going to be for the average user. Not the public side, but people who are maintaining the website, putting content on the website. For the general backend users it is going to be less convenient. Would you agree with that?
Steven: Yeah. Yeah, for sure. There’s always a tradeoff between security and safety or protecting something. I mean, you can look at an airport. As airport security ramps up, the harder and harder it is to get to your flight on time. The longer the delay is in the line, it’s just how it works. A password: the longer a password is, the harder it is to remember or store, or the more you have to type. Things become inconvenient, or you start locking down parts of the site, which means you can’t do X, Y, or Z. But it’s really important, because if you do get hacked, trying to unravel that can be a really hard process. If you have backups and you have kind of some fail processes in place, like if that happens, what are you going to do then, recovering from that can be a lot more straightforward and a lot simpler.
But I think a good way to think about WordPress security is kind of in three different buckets. Your site being the first, like your plugins and the people, usernames and passwords that are on your site. And then the server, what they call a WAF or web application firewall. So that’s like what’s on top of your server dictating the traffic between the server and the WordPress site. And then you can go one layer on top of that, like by domain, like what CloudFlare does, for instance.
Jonathon: Well, yeah, I was going to mention that because CloudFlare has become, well, obviously they provide an increasing number of services. CloudFlare, I’ve got mixed feelings, because, especially when it comes to learning management systems, when you come to us, we know what we’re doing and we specialize in learning management systems, the hosting and support of them. We know how to set up the caching for our clients. When you go to a more general listing hosting provider, and I’m not including you, I’m sure you understand this and your team does, but when you go to one of the much larger providers, they won’t set up the server. So the one thing you get around to is that CloudFlare, when it comes to us, offers another level of caching. So it can complicate things a little bit, obviously. But I always understood one of the great things, which they’ve switched to the free service, is that it’s a barrier to DoS attacks. So what is a DoS attack?
Steven: I think we talked about it a little on one of the shows a little while ago, but it’s essentially where a bunch of computers just try to make a request from one server or one site as fast and as many times as they possibly can, to just overwhelm that site. And if that site gets overwhelmed, it’ll eventually crumble. It’s not an actual hack. You’re not getting access to the site. You’re just taking down the site.
Jonathon: It’s like somebody at your front door. And instead of one guy there are 15 really big guys hammering away at your front door. It will break it down. You know, one guy would take an hour. It’s a big, hefty bouncer type, it still would take him. You know, it’s not a film here, a big, hefty, secure front door is going to take one person a while. But if you’ve got four guys hammering away at it, it’s going to take a lot less time. But so, first of all, as I understood how CloudFlare deals with that is that it’s got lists. It looks over its whole network and it identifies IP addresses that are involved in DoS attacks. And then it bans them. Is that roughly how it works when it comes to them?
Steven: There are great benefits from CloudFlare. CloudFlare has knowledge of what’s going on across the entire internet. And so they are a lot closer to what traffic is going on any given day or hour or minute. So they can shut things down and protect sites a lot faster. They’re also not on your server. So if somebody is making a request, they can stop that request before it even hits your server. If your web application firewall is on your server, then every hit is going to your server. So it can get overwhelmed a little bit faster.
Jonathon: Now you have the software. First of all, I hope you’re impressed by my knowledge levels, Steven.
Steven: Yes, it’s good.
Jonathon: He knows, he’s got a big grin on his face. So the software, what’s the term that you use for the software? What was the term you were using for the software?
Steven: Like Wordfence, like endpoint firewalls?
Jonathon: Firewalls, that was it. So that’s one of the things. I think I’m correct, when it comes to Wordfence, they’re running that on the actual server. On a site called Sucuri, and we don’t use Sucuri ourselves, even though it’s a great product, we run another software. We use a company called MalCare and they provide a similar product to Sucuri, but it’s not on server. So the actual result is it’s not using anything like the resources of something like Wordfence, where they’re actually running that on your server. Am I correct about that?
Steven: Yeah. So let’s talk about the difference between, like, Wordfence and Sucuri, just because I think those are two good examples. Wordfence is a plugin that you install on your WordPress site. So the security is actually being managed and handled by your WordPress instance. So as traffic is coming into your site, Wordfence as a plugin is looking at that traffic and deciding what it wants to do with it. Does it want to respond with the webpage? Does it want to block that IP address? How does it want to handle that? It’s not actually installed on the server level. It’s installed on the application level, so the application being WordPress. Sucuri does two things. It does what Wordfence does. It has its own little plugin that you install inside of WordPress and handles these requests coming in, but it also does what CloudFlare does. And it sits above that. So they can monitor traffic coming into the site before.
Jonathon: So if you’re not using CloudFlare, that is one of the good parts, but if you’re using CloudFlare, and obviously they’ve got the free version. But I think the free version, they don’t do the firewall bit with the free version. I think you have to pay for that, but then it’s fair value, I’m not saying it isn’t, but you probably can get, if you look around, you probably can get a service that’s external. And this is only my opinion. Don’t get me wrong, listeners and viewers. Wordfence is a very reputable WordPress security company. I’m just giving you my honest opinion. That’s why I shy away from it. And I don’t personally feel it’s the best solution. What are your thoughts Steven?
Steven: So the nice thing about having a firewall installed on your WordPress site is, one, it can be aware of some of the, like, custom intricate sort of settings that you have on your WordPress install. So like, if you have some sophisticated, let’s say, learning management system that requires some really interesting ways of handling traffic, Wordfence or the security plugin can better adapt to those kinds of things, because they understand your website more, because they’re installed directly on WordPress. Something like CloudFlare that sits outside has very little knowledge of what’s going on at the WordPress level. All it knows is about the traffic coming in. And so sometimes you have to configure some things in a kind of custom sort of way to make it so that traffic will work. And it’s a little bit more complex at times. It’s not specific to WordPress.
It’s specific to the web as a whole. Wordfence has a really good image of kind of how both of these work, if you go to their site and check it out. The way that CloudFlare gets all of its power is by obscuring your server’s IP address. So if you’re using CloudFlare, you have to change your name servers to point to their name servers. And then you put your IP address or whatever to point to your server, but CloudFlare never gives your server’s IP address out to the end user. They obscure it, and they have their own IP address that they give them. And so all of that traffic gets routed through that CloudFlare IP address. If somebody were to find out your server’s IP address, a lot of that power that CloudFlare has to prevent attacks and to stop threats is circumvented.
Jonathon: You know, this is a fascinating discussion. Hopefully we haven’t lost a lot of the listeners and viewers. But I do understand where you’re coming from. My only observation, Steven, is doesn’t that really only apply if you had a knowledgeable individual or group of individuals that are actively engaged in trying to hack your site? Would that really make a difference when we’re talking about just a general purpose purchased script attack?
Steven: I mean, it really depends what people are doing with those scripts. There are some very sophisticated, automated things out there and there’s less sophisticated stuff. So it’s hard to know exactly what’s going on right now at any given time. We usually learn about it after people are in, generally. Generally CloudFlare is a great first layer of security, but it should not be your only layer. If that was the only thing you were doing from a security standpoint, you would be kind of leading your band.
Jonathon: That would apply to everything we’re going to talk about, but I’m just getting the impression, before we go for a break, in general you’re more generous towards Wordfence than I am. Would that be correct?
Steven: My stance is that the correct way to handle security is primarily on the server itself. So the web application firewall that’s on the server, that’s above WordPress itself. So WordPress, we can talk about this more after our break, but WordPress shouldn’t be the thing that’s your line. Your security on your server should be hardened and should have security measures in place out of the gate.
Jonathon: Exactly. I’m so glad that you brought that up, because I’ve got some observations that I’m going to put to you about that after we come back from our break. So we’re going to go for our break folks. We will be back in a few moments.
Announcer: Launch Flows turns your WooCommerce website into a selling machine. We make it easy to create gorgeous sales funnels, no-friction checkouts, order bumps, upsells, downsells, and much more. Gain full control over your buyer’s journey from the top of your WooCommerce sales funnel all the way to the bottom. Best of all, you can use your favorite page builder, such as Elementor, Divi, Beaver Builder, Gutenberg, or one of the high-converting templates we’ve included inside. Get rid of the clunky WooCommerce shop pages and checkout process in favor of an optimized buyer flow that instantly increases conversions and makes you more money. Launch Flows provides one-click order bumps that increase the total value of every sale with a 10 to 30% conversion rate. This is perfect for anyone offering complementary products, training or extended warranties. With unlimited upsells and downsells, your buyer’s journey doesn’t need to end at the checkout.
Instead, we make it easy to display a series of additional offers as part of the original transaction. This is perfect for one-time offers, related products, mastermind class offers, high-ticket software sales or subscription supplements. Not an expert? Don’t worry. We’ve got the training and the consultation you need. WP Launch will teach you how to get the most out of Launch Flows with personal consultation on WordPress, WooCommerce, marketing automation, and much more. If you want to earn more money with your WooCommerce online business, you owe it to yourself to try Launch Flows today.
Jonathon: We’re coming back. I keep interrupting good Steven, but it’s not to be rude. It’s just I wanted to place my observation, but he knows, being there. But I think we’ve had a good discussion so far. Before we go into the second half of this great discussion about WordPress security, I just want to mention that we’re doing a webinar, me and Spencer Forman. He’s a regular on the WordPress round table show like Steven. He’s going to be doing a free webinar with me on Friday the 13th. Yes, I noted spooky is there, but I think we’ve got the experience to handle it, me and Spencer. Why should you be interested? Well, we’re going to be delving into how you can use the power of WordPress for your own site or for your clients’ sites with some freely available plugins and some very low-priced premium plugins.
You can build a system that is the equivalent of or better than ClickFunnels, not only for yourself, but for your clients. And you can do that for a third or less of the cost of ClickFunnels. And let’s be frank about it. ClickFunnels is a great product. It’s got some competitors as well that are pretty expensive. It’s a great product. But it is pretty expensive. And a lot of the templates now are looking a bit dated. We’re talking about something where we can make really great landing pages and then build the funnels that are linked to the landing page, all using WordPress. And we will be delving through how you do that for yourself, for clients, what’s the best way of doing it. It’s going to be fantastic. So that’s going to be at 10:30 Pacific standard time on Friday the 13th. And how do you register?
And you can freely register, just go to the WP Tonic home page and in the top menu on the right, there’s a button that says webinar. You click it and you can register for this great webinar we’re going to be doing on the 13th. So back onto the story. So before we went to our break, you brought up something that is a hot subject for me. And I’m going to tell you why, because you were talking about that. Not only, but I still think you need to do basic security on your website. But you were also saying that it’s really important that your hosting provider hardens the hosting on their side of the deal.
And this has been a real thing that I’ve tried to explain to clients. And funnily enough, it’s been the bigger clients where they’re looking to host themselves on Amazon Web Services, or they’re looking to host on Digital Ocean or some of the other cloud providers. And they want to do it themselves. I’m trying to explain to them, these are people that normally have come from the Microsoft world and they know a lot about Microsoft and Microsoft technology, but they don’t know anything about the *nix world, Linux administration or hosting. And I’m trying to explain to them, and sometimes it falls on deaf ears, that this isn’t a great idea. First of all, would you agree with what I’m saying or not? What is your position on what I’ve just said?
Steven: Yeah, if you don’t know what you’re doing, you can spin up a WordPress install pretty easily on Digital Ocean. Let’s say it’s not that hard.
Jonathon: Don’t get me wrong, when it comes to actually email or storage, I think these systems are pretty good. But you still got to manage it, and when it comes to hosting, I just do think it’s a totally different cup of tea.
Steven: Yeah. And really, out of the box, the default WordPress installation on Digital Ocean isn’t terrible. But there are still a lot of things that should be done and ought to be done to make sure that WordPress site stays secure. So you need some sort of web application firewall. Kind of the two most popular ones are 6G, or 7G now, that just came out, or ModSecurity, which is another really popular web application firewall. And these firewalls will sit on top of your server, or on your server, really. And as requests come into the server, they look at that request and decide what to do with it. Do I block them? Do I send the data back? Do I strip some sort of strings from the URL? There’s a lot that one can do to protect their site on the server level, and to really configure that correctly, to make sure that you’re not getting too many false positives or too many false negatives, you really need to know what you’re doing, especially for a WordPress site.
So even somebody who is not very familiar with WordPress could do a general setup of what that web application firewall should look like. But there are a lot of unique things to WordPress in itself and how it likes to interact with the web. So having a deep knowledge of WordPress and what it needs to do will benefit you greatly. So if somebody wants to host their site themselves and own the servers of their site, I always say, go use a management platform like GridPane, which is a great one, or Cloudways or RunCloud. There are several out there and they’ll set up a lot of these things.
Jonathon: After we’ve finished with this, if you can send me a list of the three to four that you recommend, send it to me. I’ll make sure they’re in the show notes. I’m sure our listeners and viewers obviously know CloudFlare, they’ve done a fantastic job of publicizing themselves in the WordPress community, but you say, you know, that there are about four or five other ones which probably our listeners and viewers are not aware of. But I think the other thing that’s got to be pointed out about this, and why what you’ve just said is so important, is that you can set it up, but this isn’t a kind of concrete situation.
This is a free-flowing situation when it comes to security and servers. Because the server world is very like WordPress. There are people actively involved in trying to find faults or security breaches in server software. Because to breach a medium to large hosting provider is like the wet dream of hackers. It’s literally, apart from breaking into a banking or financial network, like the wet dream of these hackers to be able to say, we actually broke into this well-known hosting provider. And recap it.
Steven: Yeah, yeah, for sure. And it’s always like, security in a hosting environment is always an evolving sort of thing. So you have to keep things updated. You have to be logging into your server. And a lot of these things are done oftentimes through your command line tool. So if you’re not really familiar with SSH into a server and using the command line to run updates or see what’s going on, then it’s probably far better for you to go and use something like GridPane or Cloudways. So if you want to go and try it yourself, like, do it with a site that’s not a production site. Like, it’s a fun thing to do. And it is fun to experiment around with, but I wouldn’t put a live site that I was counting on to be up and running and be messing around with that.
Jonathon: Okay. Trying to explain to an organization where their site is crucial. And they’re talking about trying to run it on Amazon Web Services, and they’re talking about saving like $300, $400 a month. And to this organization, this is just peanuts. And the other people, you’ve got to get up to a certain level of traffic where your $30, your hundred dollars a month hosting from a respectable hosting provider doesn’t meet your needs. You’ve got to get out to a certain level of usage or traffic. So it always makes me laugh that a lot of people look at this, and in both instances, they’re either lacking traffic, or those that get in tons of traffic, but they’re normally much bigger organizations. It doesn’t really matter.
Anyway, to me, you’re just exposing yourself to a lot of aggravation. The best people, we all make mistakes and we learn from them, but the really intelligent people don’t make the mistakes in the first place. Unfortunately, I’m not one of them, but when I’ve made a complete cock-up and a mistake, I do try and look back and learn, probably the best I can. We’re going to wrap up the podcast part of the show, it’s gone quickly. Are you okay to continue to discuss for another 10 minutes? I know you’ve got a hard break, but you’ve got another 10.
Steven: Yeah, yeah, for sure. Let’s talk about some of the most common ways.
Jonathon: We need to talk about some of the plugins, some of the things that you need to do on your WordPress website for yourself or for clients. So you’ll be able to see this bonus content and the whole interview on the WP Tonic YouTube channel. It’s normally published to the YouTube channel the quickest. There are other videos on there. We’re getting a lot more subscribers to the YouTube channel, it’s growing rapidly. So go over there and you’ll be able to see us discussing the subject of security, but also the bonus content. So Steven, how can people find out more about you, your company, and maybe if you’ve got some resources on your site about security?
Steven: Head over to zipfish.io, you can run a speed test there. See how much faster we can make your website. And there’s a chat icon. You can ask us any questions. So if you’re concerned about any security issues on your site, or want to learn more about how to make it fast, you can schedule a one-on-one meeting with me and I’ll review your site for you. And we’ll talk about how we can make it faster and more secure.
Jonathon: And also there’s a load of resources on Kinsta too about this, and like Steven, I believe what Steven says 100%. And also Kinsta as well. So they are both two great resources, and Kinsta has got some great things about security on their blog area. So we’ll be closing the show. Like I say, if you really want to support the show, there’s two things: go over to the WP Tonic YouTube channel and subscribe, that really helps with the channel. And the second thing, if you’re feeling really generous, is go over to iTunes and leave us a review. It does really help the show. We’ll see you next week. We’ve got another great internal discussion between me and Steven, or we have another great guest. We’ll see you soon folks. Bye.
Every Friday at 8:30am PST we have a great and hard-hitting round-table show with a group of WordPress developers, online business owners and WordPress junkies where we discuss the latest and most interesting WordPress and online articles/stories of the week. You can also watch the show LIVE every Friday at 8:30am PST on our Facebook WP-Tonic Show page. https://www.facebook.com/wptonic/