Episode 232: Security for SMBs
In this podcast, Rob Cairns and Ryan Waterbury talk about agencies and security.
- Backups and More Backups.
- Phishing schemes.
- WordPress security.
Hey everybody, Rob Cairns here.
Today I’m here with Ryan Waterbury and we’re going to talk all things security.
How are you today, Ryan?
I’m not doing too bad.
Yeah, I thought this month we'd talk about security, and we'll probably end up touching on privacy a little bit. But first I wanted to sort of touch on security in general, and we all know the weak link is passwords.
So are you still seeing a lot with passwords where people are using passwords that they should never use?
A little bit. It really depends, you know. I had a recent discussion on what to use for passwords, and a lot of the password generators put out a string of 32 characters that are odd and randomized that you can never remember. I've talked to a lot of people, and some people are good about it and some people aren't. But get a password manager and then use those long string character passwords. That way you have to remember one, and make sure it's a good one. And then you're set.
Which is your password manager of choice these days, Ryan?
For me personally, I've been using Bitwarden. LastPass is a good one. 1Password actually is one that I have a couple of clients using that are really happy with it, but honestly, they're all pretty good. Those are probably my top three. But just get one and use it. It saves so much time and it ensures that you're using secure passwords. You don't have to remember those unique passwords for every site, and then you're done. It's a lot of security in one shot.
I would agree with you. I'm also a Bitwarden user, have been for a couple of years. Before that I used LastPass. I made the switch, and it wasn't a money switch, it was a functionality switch, so that's why I did that. I find Bitwarden on a mobile phone works really well actually, so I think it's a little better than LastPass. But yeah, it's the old story: it's the one that you use and know well that I think you do really well with, and that's my response. Get a password manager if you can't remember. I actually use Bitwarden to generate my passwords, so beyond my email password and my password for Bitwarden, don't ask me what any of them are, if you can believe that.
Do you have a thought, while we're talking passwords, on using two-step authentication, and where do you stand with that?
So I like two-factor authentication and I think it's great. There are a lot of tools out there, a lot of sites that work with Google's authenticator. It's a key generator. It's a nice tool to use. Even just getting an email with the code for two-factor is great. I think that's another security step that you have to have in place, and if you're not using two-factor, there's another hole. Getting text messages, some will argue that they can be intercepted. It's a low likelihood, but it's possible. But just using two-factor in general ensures that if your password is ever compromised, you have that extra layer of security: you have to have that code generated from the app to log into whatever site you're logging into.
I'm in the camp where I actually argue that if I can avoid text messaging for my second factor, don't do it. But it's really interesting, because my bank only does text messages. The Government of Canada only does text messaging, and it's like, guys, give us an option here. I tend to lean towards, and I might have told you this, I use a YubiKey. I don't even use an authenticator app. Now the only thing is, if you're going to go to a smart key, make sure you purchase a couple of them, because if you lose your smart key, you're SOL, without a leg to stand on.
I mean, there are some really good apps. Google has one, Microsoft has one. There are several of them, so I would say choose one and give yourself a fighting chance. I mean, Google's is free and open source to use, and as much hate as we put on Google, they've done a lot of really good things for security, and one of them was their authenticator app. One of the other ones is their push for a secure Internet and keeping TLS or SSL certs up to date. So I've got to give them a little kudos there.
No, I would agree. I'm not in the Google hater department. You just have to understand what they do and how they do it. And as we're talking about small businesses, I think one of the biggest things that we should talk about is that small businesses don't do backups enough. I see it all the time, and one of the things I always say to a small business is: if you're not going to do manual backups, go get yourselves a service to do it that runs in the background, does it for you, and then you don't have to think about it.
You know, it's kind of funny that you said they aren't very good about it. Well, some of them don't do it at all, and they don't realize that they need to do it. I saw a quote that said, hey, if you're making a backup, you are preparing to fail. Well, now you're preparing for the worst case scenario, and it's not just a security thing. I've fudged data and broken things and said, oops, I should probably restore from my backup. And there again I'm on the 3-2-1 policy: 3 copies of my backup data in at least two different locations. For my servers I have a copy in the cloud and I also have a backup copy on a local RAID attached to my file server.
Yeah, and the online service I really like these days is the service called IDrive, which is well known. But you know, it's not just about getting hacked, it's about mechanical failure. I tell the story a lot. I was in the hospital for three weeks, some 13 years ago, with a diabetic crash. I came home, I turned on my desktop that had been on for 2 1/2 weeks, and all I heard was ka-chunk, chunk, chunk. And for those who don't know, that's the sound of the spinning hard drive saying it hates you. So we do have failures, so backups are really important. And then the last kind of thing I want to touch on quickly, and I just went through it with a client:
Please don't let the Microsoft guy into your computer, no matter how much they call and say, oh, we're from Microsoft. Microsoft doesn't call people. Computer companies don't call people for help. Don't let them in, because before you know it you're going to have malware, and the cost of that is going to be excruciating. And guess what? They also don't email you, so that's another one that people aren't aware of. When you get text messages, you get emails, and you don't know who it's from, don't open it. Don't click on the attachment, because it's a link. If you are not absolutely sure that the email is from a trusted source, then don't open it, delete it. And if you're concerned that your password has been hacked, there's a really good website out there called Have I Been Pwned, and if you put your email address in, it will tell you where your email is showing up and where it's been compromised, so that's worth taking a look at as well. It's a really good site.
Let's jump onto WordPress security, because you and I both spend a lot of time in the website world, way too much. And as you know, security is a big forte of what I do, and a big part of what you do. What's your take on website security? Do people do enough?
You know, there's not anything that's perfectly secure. There are steps that we can take to prevent and mitigate hacking, malware attempts, and, you know, breaks. So I myself manage the servers that I do hosting on for my clients, so security for me starts at the server level. That's first and foremost: making sure that your host is doing server-level security and locking as much down as possible. That's number one. Find yourself a good hosting partner.
Number two, I don't like to say securing WordPress. I mean, we talk about hardening it and making it harder for people to access it. There are a number of things that go into that. One: security through obscurity. I usually move the login page, because that gets hit. wp-login.php gets hit so hard by bots and scanners. Some people will tell me that that's ludicrous, they can still break into the login page, but I can tell you from experience that the break-in attempts go down by a factor of nine when we move the login page. Simple things like that. But also making sure that your SSL certificate is up to date, and making sure that you're running a web application firewall. We do that at the server level for each of our web applications, although the plugins from Jeff Starr, BBQ and the nG firewalls, are awesome. He does a great job of keeping those updated to block common queries. iThemes uses parts of that in their security tool set. I think you're an iThemes fan as well.
I'm more with iThemes and Patchstack these days. It's kind of a trust thing, and I know I trust them. There's a certain security company whose name I will not mention on this podcast, because it is well known that I have a big distaste for them, due to multiple reasons which I'll save for another day. But I think a lot of security is based on who you trust, where you get your support. I think some simple things that really help are keeping your website up to date; that hardens it a little bit.
And I should have touched on this earlier when we talked backups in the regular world, but I'll touch on it now. If you're taking backups, do a restore once in a while to a dummy site and actually make sure they work. I mean, I find a lot of people say, I have a backup, and I say, really, do you? Does it work?
Yeah, absolutely, and that's something that we go through annually, and test every single backup, and then we test our process quarterly to make sure that the backup from the web application works. We use UpdraftPlus and put that on our local storage as well as on Google Cloud, to make sure that it restores from both locations and the application works when it's up. We also take a hosting-level backup daily, and we do a restore from there and make sure that works when it comes back up. You know, your backups are worthless if you can't restore from them.
Yeah, and the other big suggestion I always have for people, and people say I'm crazy, other agencies: I keep three months of backups, three days a week, offline. And the answer to why I do that is: I have seen over the years, time and time again, a piece of malware that gets injected and sits there for two months before the payload is invoked. I have seen it happen over and over and over again.
Yeah, and so I keep backups daily. Full backups for 46 days, and then we'll do incremental backups to touch back past that at 60 and 180, and that's as far back as we're usually keeping our UpdraftPlus backups. But it's cheap. Storage isn't as expensive as it used to be, and if you're not keeping backups as long as you possibly and reasonably, economically, can, you're asking for trouble, in my opinion.
No, I so heartily agree with that. And then let's go back to 2FA. What do you think about 2FA on websites?
I think two-factor authentication is a great way to secure your website, especially if you're doing ecommerce and you have a lot of users logging in. I don't do it on all my sites, but the ones that see a lot more traffic. Generally we'll have the discussion with the client, and it really depends on their feelings. I recommend it, but I certainly don't require it. I think doing some of the other security hardening, you're already in a good step, but at some point I don't think we're going to be able to avoid two-factor authentication on every single WordPress website.
No, I would agree. And frankly, it's funny: you talk to the WordPress haters out there and they say WordPress is insecure, and I would disagree with that. I would say it has to do with a trust factor. If you're saying you don't trust the WordPress ecosystem, that's different. And my argument always is Microsoft, which is the biggest operating system in the world; they patch security holes every month, and I would rather software manufacturers, those are the people that make themes and make plugins and all that stuff, take reasonable care patching their software and care about their users, because I don't think you can avoid vulnerabilities anymore.
So WordPress got a bad rap for security because a lot of users wanted to go the cheap DIY route, and over the years, and this really isn't the case anymore, a lot of them thought it was a set-it-and-forget-it kind of deal. I use a trusted stack of plugins that I know are in active development, and we keep our plugins updated, because there are security holes that pop up, and good developers close them and push out an update and alert their clients that there's a security problem and that you should update. Why WordPress got a bad rap: people didn't log into their websites, they didn't update to close security holes, so there were exploits. And so for WordPress as a whole, core, the number of security holes that have been patched has gone down over the past couple of years considerably. From a core standpoint, it's gotten very secure. It's the plugin developers that are catching up these days, and this kind of goes back to 2020, where people had a lot of time to spend to try and find exploits and vulnerabilities, because they had the time to do it. Which also means the hackers have more time on their hands, and we're seeing an increase in attacks because of COVID. We're seeing an increase of attacks because of what's going on in Ukraine, and it's a never-ending battle, if you know where I'm coming from, right?
Oh yeah, security never stops. You think about your phone, and I kind of talked about the lack of updates; your phone gets updates in the background all the time, and you pay for the service, and that's part of the service. Where I talked about WordPress being DIY, you're the service; you're responsible for hitting the update button and managing those updates, so that's kind of where the bad rap came in. And if you're not comfortable with performing updates, again, there's what we call managed hosting or web care, which you and I both offer, where we can still have that awesome custom website, but we manage that security and those updates for our clients to make sure that they're not going to get hacked, and that we have multiple levels of backups in case they make a mistake and break their site. It happens.
And the reality of it all is, I've seen it too much. I was sharing with you a story a couple of weeks ago where I picked up a new client, logged into the dashboard: 59 plugins, which is way too many for my liking, 10 being used, and then how many of the ones not being used were not updated? All of them, and that's just a recipe for disaster. And the reality is, clients don't log into their dashboard, and when clients don't log into their dashboard, you're going to have that problem, because frankly clients don't have time; they're not in the business of website maintenance, they're in the business of running their business. And that's what they forget, and they try and DIY everything. And then when they get caught, it's, well, I didn't know. Now one of the options with WordPress now is you can turn on automatic plugin updates, but I'm not a big fan of that either, because I like to have a backup before I do an update. I don't want one to just kind of go, if you know what I mean.
That's the beauty of WordPress and the wonderful platform that we work with: it's immensely flexible. And because it's immensely flexible, themes and, more so, plugins now have commoditized some of the development, and one plugin may cause a conflict with another one and your site may stop working if you just randomly update and leave those updates turned on. I don't mean to throw a big scare out there, but that's also why we do incremental backups before we run an update, simply for the fact that we test most of our updates in a staging environment, and when things look good we update online. Sometimes there are things that you don't catch, and turning on auto-updates without allowing that auto incremental backup before you do it, that's a recipe for disaster.
No, there's no question. And I think one of the things, and I know I jump on them pretty quick: when there's a WordPress, what we call a core update, a WordPress version? Not so much. A plugin or theme, I pretty well jump on those, especially if there's a security fix in the update, because the minute the update comes out, the security fix or issue is out in the wild, and that just leaves you vulnerable. And I'm not a big fan of that.
Yeah, like we're at 5.9.3 right now. The .1, .2 and .3 updates, I took a brief look at the security notes, updated my site, and I run the same stack on my site as I do on most of my client sites, made sure that everything works and nothing is broken. Usually those are security updates, so you want to get them out as soon as possible. The full updates, like 6.0, which is coming out soon, when it introduces new features, that's where you want to step back and do some testing before you roll that baby out.
Yeah, I usually roll those babies out a little faster than most people, but I'm also, I think, more in tune with some of what's going on than most people. I think you've got to do it at a comfort level on what works for you and what doesn't. I also think we've got to be really careful with certain issues, like we went through the Freemius problem a couple of months ago, and that was 5,000, no, 5,500 or so plugins, because they all use the same SDK. I know when Elementor typically has problems, it usually impacts their whole library, because they all use the same back-end library. Things like that actually concern me more than not, because then somebody is not necessarily going to update a back-end library, and that's a bit of an issue.
Yeah, that's when it becomes a problem. I mean, that's when you're developing, you want to really step back and think about when you're running your software, especially when you're looking at library dependencies, you know, not just like Freemius. Freemius is nice. I used to think about it as a nice marketplace to look at premium plugins. But the hole that they had in their development kit, a lot of the plugin authors weren't snappy with getting things updated, and there are still some that aren't updated after however long it has been out, two months, three months. I think there are still around 200 of those plugins that have not been patched. I think that's sadly high. So I talked about using a stack of plugins, and I usually use my agency site to test out. First off, I make sure, when I look at different toolkits and plugin authors out there, that they're going to maintain active development, it's a healthy company, they have good development practices, their code is clean and they come out with regular updates. So choosing your software stack also has a little bit to do with your security, and knowing that the code is going to be maintained going forward.
Yeah, and the other thing I would suggest, if you have an interest in security, is the security newsletters from some of the different vendors. I think iThemes is one of the most comprehensive ones out there as well. I know I spend time reading WPScan quite a bit, because Automattic owns them and they're pretty in tune. I tend to read the Patchstack newsletter. There are a couple of others out there. I would read those more than I would read, and I know places like Search Engine Journal like to publish the odd security article, but I wouldn't waste my time on Search Engine Journal; it's not a security company.
No, and that's a different market. But the first one you touched on, the iThemes newsletter, I think that's a really good one for everyday users, DIY users, to get on, because they do a weekly roundup. It was last summer, I think, in their June or July issue, when they started going from a monthly to a biweekly to a weekly, because they had like 70-some vulnerabilities that they had reported, and it was the highest that they had ever seen. So they now do a weekly report, and some of the ones that hit the weekly report are the same, but there's a lot of different ones. I think as a DIY user, it's a quick scan to go down the list and just say, do I use any of these plugins?
Yeah, as you know, it's one of my favorite sources, and I go down it. It's a little bit of a ten-second, do I use any of those plugins, every Wednesday. So to me it's a must-read. It's not the only read, but I think it's a really good one.
Yeah, and looking at different sources for security advice is always a plus. You can't just look at one source. Different security people look at different aspects of the ecosystem when we talk about WordPress, and I think it's good to keep your ear to the ground. That's one of the highlights that I like to talk about in my biweekly newsletter. I have a security slot in there and talk about any major vulnerabilities. This last week it was the Elementor one, because it affects so many people. It's just such a wildly popular plugin. So yeah, just getting your information from trusted sources, and not just one.
Yeah, I agree. I don't know how much to say. Don't use just one source, because you get pigeonholed, and I think multiple sources is actually better for you, not worse. And frankly, spend some time paying attention to some of the real sources, not just the people who kind of fly off the handle every time something goes wrong. There are all kinds of people out there to help you, and they'll get back to you. And if you don't want to do what you've done, build something, there are several security companies, including Patchstack, that actually have free plans to get you started. I think, if I recall right, Patchstack's free plan is up to 100 sites, so if you've got a couple of sites you might want to look into stuff like that, and just give yourself a bit of a fighting chance. Because I've had this saying for years: it's not if you'll ever be hacked, it's when, where, how, and how do you recover from that hack attempt.
Yeah. I think probably half a dozen of my web care clients over the past year have been referrals where one of my clients had somebody reach out: who takes care of your website? It's always up and it works. Mine is not working. Those sites that I take over, you know, are out of date, and it's just kind of surprising. Well, I mean, it doesn't surprise me now, seeing some of the things that I've seen, but yeah. It's a matter of when, and I think we've all had to deal with it. We try and mitigate it, but you and I are in better positions. I think one piece of malware stuck on to my agency site. I was able to roll back when I was aware of it the next day, with an alert from a security group, and rolled back the backup, spotted it and did the spot check for any files, and did a few scans and made sure things were cleaned. But yeah, I mean, it even happens to us.
Touch wood, I haven't had a piece of malware on my agency site in probably five years, and now that I've said it, you know what's going to happen.
Yeah, no, it's like, why did I go there? Put it back.
But I do want to stress, and it's something you said earlier: your hosting company is your partner in this. I'll give an example. I used to be involved with the Ontario Police Memorial Foundation in Toronto, and every time that ceremony goes on, it's a ceremony where they honor fallen police officers, I watched the website during the ceremony, and I watched not the front end of the site; I'm watching tools to watch the back end of the site. The last time I was involved, just a couple of years ago, that WordPress blog that they used to live stream the site took over 20,000 bot attacks in an hour. And if your hosting company is not your partner in it all, your site's not staying up. It's very simple.
Oh yeah, if you're not prepared to handle that level of attack, you haven't found yourself a good hosting partner, and I mean even good hosting partners can potentially struggle with attacks of that magnitude, because that's a big shot at one time.
Yeah, and that's a targeted shot, because they know the ceremony is going on. It's not what we typically see, where bots are crawling the Internet trying to find something. This is more a, let's go after this, because this is going on. And I've seen that over and over and over: when the event happens, you get a massive target. So it's something people need to be aware of as well.
Oh exactly. Hackers are looking for a time to exploit when they think they can get in unnoticed, and it's convenient for them. And we've talked about this at WordPress meetups: why do they want to hack your site? Well, a lot of them need the processing power, and they want to use your site to transmit messages and relay. They might want your IP because it's clean, and they can get into other sites where they can monetize it. There are a multitude of reasons, but yeah, there's not a good time to get hacked, but it's always when you're not looking.
That's been really some good advice. I hope some people listen to this and really start to understand. I know I've been beating this drum like a broken record for the last two years, I think, and sometimes somebody says, again? And I say, well, if people started getting the message, I wouldn't have to beat the drum, and you wouldn't either. It might make life a little simpler, but I don't know, and that's just the nature of the beast. It would be something else down the road if this wasn't working. So thanks for joining me today, Ryan. If somebody wants to get hold of you, what's the best way?
On all major social media platforms, @onedogsolutions is a good way. I'm probably most active on Twitter these days. If you want to check out my website, it's https://onedog.solutions/ and you can email me at ryan.waterbury at onedog.solutions. Have a great day.