Episode 282: Security For WordPress Forms
Rob Cairns sits down with Bill West Founder/CEO at Ellipsis Technologies Inc and talks about security in WordPress Forms.
- Why does security within forms matter?
- What is contact form spam?
- Ellipsis Technologies’ solution to contact form spam.
Hey everybody, Rob Cairns here. In today’s podcast I’ve got Bill West with me, who’s the CEO and Founder of Ellipsis Technology, based in South Carolina. How are you today, Bill?
Good Rob, how are you?
Now doing great and great to have you today. So one of the things I like to jump in to is how did you get where you are and kind of what’s the origin story behind your company and what you’re doing now?
Uh, well, I was in telecom for a lot of my career, but after we sold the company, I guess when I would get on websites or buy something on an e-commerce site I would just gripe about that squiggly little CAPTCHA thing that you had to try to solve, you know, with the squiggly little letters and everything. And one night I was having a social conversation with a friend of mine who had an e-commerce site, and pretty large, she did about 500 million a year, and he was saying that his wife took his reading glasses with her to go shopping and he was trying to buy something for his own company for the last half hour and couldn’t solve the little CAPTCHA. So that’s how we started thinking about this, and he said, could you help me find an alternative to CAPTCHA that maybe is easier or people don’t fail? So when we did the research, we found that, you know, 3 to 4% of his customers were dropping off as soon as they saw the CAPTCHA and he was getting up to 30% failing on the first attempt. And so he said, my goodness, I spend a fortune getting these people to my website and now I’m losing them over something like that. So I searched around for an alternative, you know, and I found that a lot of them were just as annoying and probably had the same drop-off rates: you know, complete the phrase, complete the advertising, which picture has a stop sign, things like that. So we have the exact opposite approach. Instead of trying to find a bot like all the current methods, we’re trying to identify a human, and we assume everybody else is suspicious. So what we do is, as somebody is browsing through a website, we collect the timing and movement behavioral events: length of a keystroke down, keystroke up, time between keystrokes, touches, mouse movements, swipes, everything. And then we built proprietary algorithms, and we can detect whether that person is behaving like a human, if the range of his movement is within human ranges.
And now we have, you know, after being in this a few years, we have a database of billions of sessions, and so we can bang that particular session against all the previous sessions as well and find out if they’re in the human range. So that was our original product. We just had straight CAPTCHA displacement. And then our customers started telling us that, uh, they have, it’s more than CAPTCHA. That’s one problem, but the other problem they have is spam bots, and spam bots can get around the CAPTCHA somehow. And so, uh, they said this costs us real money, because now I have customers trying to read a product review and they have to get past all these spam entries, and they have to have a paid employee every afternoon sit and clean it out, clean out all the bad entries. So they said this is not only an annoyance to my customers, potential customers, but it’s costing me real money to have somebody do this. So we protect forms from form spam, and that really changed the game dramatically, and we’ve since, and I’ll tell you about it as we go on, we’ve added other features as well as we just learn from our customers what they need. But that’s how we got into it. It was originally going to be a CAPTCHA displacement, but then we took the exact opposite approach of, you know, searching for humans rather than trying to trick a bot.
Yeah, that’s a really good idea. I mean, I know from my point of view, as a user, CAPTCHAs are like the bane of my existence. I just, I despise them.
Yeah, and they cost they cost.
But if the web browser.
Me your real money and customers and you know so.
And that, but as a web designer, I understand wholeheartedly. And the other thing that’s changed the whole CAPTCHA game is, oh, hottie CAPTCHAs don’t work well on mobile. Interestingly enough, so we all know 50% of the searches plus are done on a tablet or on the smartphone, right?
Yep, and yeah the bots have figured out how to beat it too. They can beat it with amazing accuracy right now so. But they can’t beat us.
Yeah, I would love some of these bot manufacturers to take the artificial intelligence, AI, and the bots and harness it into something good instead of all this garbage they’re feeding us.
Some of that AI is actually pretty amazing when you think about it, right so.
Oh yeah, for sure.
So in terms of CAPTCHA plugins and you’ve just had, I believe in upgrade tiers recently that came out in the last month or so. What new is in the cloud?
Yeah, it’s coming out now as we beta tested it with a few WordPress and WooCommerce users. We’ve added other things and made things simpler, but you know, we had the basic, well, we launched originally on WordPress, just as a simple CAPTCHA displacement and spam, form spam detection. We also launched at the same time on Shopify. We’ve since enhanced Shopify to include checkout protection, and checkout protection was for checkout bots, or what were called sneaker bots, if you’re familiar with that term, Rob. It started with Michael Jordan sneakers, you know, 20-30 years ago, where the latest pair of Michael Jordan sneakers came out, you could buy them instantly and resell them for quite a markup, as people just wanted these newest items. Um, it’s now any collectible items or short, small inventory items are bought by checkout bots, but they’re still called sneaker bots from the original days, and they can do hundreds if not 1000 checkouts a minute now, so they can wipe out your inventory in no time. And for years the ecommerce companies were saying, who cares? I mean, we sold everything in 5 minutes. It’s a pretty good deal. But now what they’re finding is that, um, human traffic is coming down because you’re always sold out of the good stuff, and humans tend to put more than one thing in their cart, where the bots just buy one thing and they’re gone, so they know they had to do something. So we came up with the first solution for checkout protection on Shopify. We’re doing extraordinarily well with that. And that’s what we’re introducing in the WordPress WooCommerce world in about 2 weeks now, three weeks, and we have a very, very high-powered rules engine that the users can set rules on when they want to cancel an order, or if they want to review an order, or if they should put it back in inventory. You know, all that kind of thing.
There’s tons and tons of rules that they can set the parameters for themselves, and that’s what we really had a lot of customer input on, what exactly they wanted to monitor, what they wanted to cancel, so we’ve been enhancing that for the last few weeks, but we’re ready to roll it out. And probably mid-October is what we’re hoping.
Oh, that’s really cool. Um, it’s really an exciting time. I was saying to you before we went to record, to be in the WooCommerce space right now with everything that’s going on between the hosting offerings, the new plugins, the mergers and things like this, it just makes it a really great time. And I think, you know, more and more businesses are starting in the pandemic. We certainly saw an uptake in Woo sites, and I think more and more businesses are starting to go that way, and part of the reason is, I was saying to somebody the other day, if I had a choice of doing an order online or walking into a store and getting what I call crappy service, which seems to be a trend these days, um, I’d rather just do the order online and be done with it.
I think more and more people, I’m certainly like that, and I think more and more people are like that too. Actually, I walked through the mall about a month ago or so and I’m really wondering how they stay in business, a lot of the stores there. There were three, four, five people in every store. Uh, incredible to me, so I don’t know how that math works. But yeah, we’re very excited to be in WordPress and Woo and the customers there.
The user support they give us is incredible. We really like it, so we’re excited about bringing a full power. The other thing we’re working on, which will probably be at the beginning of next year, and again, this is driven by WordPress and WooCommerce users telling us, our, uh, carding protection, if you’re familiar with a carding problem, and.
Yeah, and so, you know, somebody steals 10 million credit cards. They check them on small stores ’cause the big stores will catch them, and then they find out, OK, these 1000 are still haven’t been reported and are closed down, and they go buy something big somewhere else. We’re going to come up with a protection for that. We have it all designed and we’re developing it as we speak, so I think that’ll be very important for the WooCommerce merchants as well.
Yeah, I’m pretty familiar with things like that. I didn’t share this with you, but for many years, Toronto police used to have a social media fraud working group, which was a combination of big players from big companies and people in the web, social media, and in the know, and people in the community, and we used to sit down and talk about fraud issues. And people don’t understand with credit cards that they’ll often test in a smaller location and then they go and they try and buy that 10,000 or $5000 purchase. Like, it’s crazy.
Yep, but check it out on the small store that doesn’t have any protection, so that’s why we’re hoping to offer protection, ’cause it seems to be something that’s increasing really rapidly now too. I mean, you know, we got one or two mentions of it as recently as, you know, nine months ago; now we’re getting quite a few. Or something?
Yeah, and with all the stealing of credit card numbers and the skimming and all of that side of it. I mean, you know, about five years ago I walked into an ATM in a branch, and I took one look at the ATM and said, I’m not using this ATM. And I walked into the branch and I said, oh, give me the branch manager, and give me the branch manager now. Know like what’s wrong I said. Have you guys even checked your ATM front, and I said yeah, and I said you didn’t notice the skimming device that’s sitting on the front. Of my bike. And it turned out that somebody had installed the skimming device right in the branch ATM, this kind of stuff. And then these credit card numbers get shared all over the place, and there’s. Out there of. You know of. Of of credit card numbers to be sold, and that’s how they’re usually bought, sold and traded, right?
Yeah, it’s that incredible incredible. Yeah, yeah, yeah, you’re right, it seemed more blatant out in the open than we would have guessed when we looked into it.
And ish. Yep, and I and I’ve shared this pretty publicly.
I’ve gone through bank fraud in the last two years, and how that happened, who knows. And along and not show as I had somebody, um, do a deposit through somewhere in China into my account and then try and take it out on the back. You know, really? And I’ve been through that. I’ve been through personally, I’ve been through my credit card last year. I thought it was used in Japan of all places, and I am nowhere near Japan, so. Fraud is becoming a big issue, so I’m glad your company is jumping in there, Bill. That’s a big deal.
Yeah, but, you know, you asked about the origin story. It’s been interesting how we’ve drifted from a pure CAPTCHA displacement to form spam to checkout protection to carding protection where we’re, uh, and there are probably other things that we had over time, ’cause, you know, two years ago, I don’t think we would have thought of carding protection. So yeah, it’s been an interesting ride and we’re excited about the future as well.
Yeah, what does your CAPTCHA plugin run at, cost-wise, typically?
It’s just a straight app. And we have different pricing all over, you know on Shopify it’s 499 a month? Uh, for WordPress we’re going to have annual pricing, ’cause that’s what the user said. They’re more accustomed to over there, so you know it’s going to be something like $49.00 a month, $69 a month on depending what features you add to it a year. Rather, excuse me.
And then with WooCommerce, it’ll probably be higher as we had checkout protection and carding. But not much.
Yeah, that sounds like a good option. Typically, it’s interesting, Shopify, typically people prefer monthly subscription; in the WordPress world, people typically prefer yearly subscriptions or jeans.
That’s what we got, right? So that’s why we’re going yearly. You’re exactly right, and we’re monthly with Shopify and with a couple of other things. We’re also available on Drupal and Magento one, and then we’re looking at a number of other platforms in 2023. We’ve Jones.
Did James is? Is Drupal and Magento still a big part of your business or is it more WordPress and?
Not, not really, not really.
It seems like, you know, we’ve done very well with Shopify, Shopify Plus, and we’ve done fine with our WordPress form spam app, and we’re really enjoying our relationship, talking to the WooCommerce users, merchants, as we’re building this piece, so we think there’s a tremendous opportunity there.
Yeah, Woo developers and designers and business owners are a pretty passionate group. Sometimes they know what they want. They know what they’d like. There’s been a lot of changes in that space with the way WooCommerce sells add-ons, some plugins, and, you know, with the hosts now all jumping into that, and that has just kind of complicated the issue a little bit, I think, instead of streamlining it.
Right, thank you right. Thank you right?
Yeah, it’s crazy. You know, it was interesting, I don’t know if you caught the interview that Matt Mullenweg did on This Week in Google on Leo Laporte’s network last week, but he did a show where he took questions for an hour, and he’s pretty passionate about building Woo, as it is now an Automattic product, so I think we’re gonna see some really interesting things coming on there.
Yeah, well, we’d like to, uh, we have talked to a few people at Automattic, and, uh, they’ve built an amazing business. It’s been fun to watch, and they’ve made a couple of acquisitions recently, which I think are true. I just there just have a strong offering all over.
Yeah, they’re kind of all over this space. I mean, they own everything from Pocket Casts to Tumblr, and, um, certainly in the security space they own WPScan in the middle and a few other things, I think.
WooCommerce has bought a few things, and they even bought MailPoet some time ago, which is a self-hosted plugin for doing mailing lists, to try and build some of that integration into Woo. So there’s all kinds of, like, really amazing stuff going on there with builders and people in that space. So it’s kinda crazy.
Uhm, how do you think about all these plugins? Are they kind of? Uhm, are they page builder based or they block based or they other based like where do you think they’re going in terms of that?
I’m not exactly sure how to answer that. You know, there’s a couple of things. It’s a different type of user, the Shopify. I, uh, ’cause we’re often speaking to the merchants who built the site themselves and manage it themselves, so they have a whole different approach. With WordPress and Woo, we’re speaking to developers almost exclusively. It’s very rarely the merchant that’s doing it themselves. So it’s fascinating, it’s just a whole different approach, and we had to really adjust for that. Uh, the way they’re coming into our system versus, you know, it’s a different skill set, different person, different server needs. The merchant truly understands how they lose money with CAPTCHA and how they lose money with checkout. Uh, it’s been an interesting ride from that perspective as well.
Yeah, I’m sure, and it gets more interesting. I think Shopify is more a, I don’t know, I think there’s more DIY people in the Shopify space than in the WordPress space. Not that there’s not in the WordPress space, but I think.
Yeah, there’s some, but for the most part we’re speaking directly to the merchants on when we talked to Shopify. Users where we’re talking to developers that have, you know which?
Yep, it’s a totally different.
I think that’s what drives the pricing too. The merchants say, yeah, just bill monthly. The developers are saying, you know, yeah, we don’t want to think about this again, just put it on for a year.
Yeah, uhm where you think your company is going to go after these two products are released.
Well, I think we’ll keep adding more channels. We’re looking at BigCommerce and Webflow and a host of others. In 2023 we’ve changed the way we deliver our technology, and that’s the big change we have, where previously, you know, we originally started as an enterprise sale, so we were selling it to corporations, but the sales cycle is ridiculous, the close ratio is low, and it’s just a lot of time and expense to make a few sales. So we switched totally to an app focus, but we were still designed as an enterprise. So for every channel we had to rewrite our technology. So Shopify, we rewrote in their format, and Drupal and Magento, we wrote in their formats. Uh, so now we’ve changed that delivery, where we have a, uh, decentralized technology, our core technology, and we can do API hooks to every new channel. So instead of the development time, and I think you can appreciate this, Rob, instead of development time being six or seven months to open a new channel, now we just have to build the front end with API hooks and it could be a couple of weeks. So that’s going to be a game changer for us to get out into more channels. And then the other is something I’m working on, which is different, totally not at the, you know, the Human Presence, built business, and, uh, you know. By the way, yeah, the app on WordPress is called Human Presence. It’s in the WordPress apps. Or with the checkout protection and ultimately carding protection and with spam control and everything else, we’re going to be launching on Woo as Shop Protector, because that’s what it does, protects your shop. Um, and so, but the other idea I have beyond this is, and we’re working on that and we put a team together, if we collect the timing and movement behavioral events like we do on our apps, and instead of sending it to an algorithm, we just collect that data for each session and put it in a time series.
So if you were on a site today, we collect your timing and movement behavioral events, and two days from now, and then a week later and a month later, we collect that, and neuroscientists are going to be studying that to see if they can build an algorithm to see if you’re having any cognitive decline, so it’d be an early warning system for Alzheimer’s or concussion or traumatic brain injury or whatever. It’d be an early warning system saying, you know, we’re not telling you you have a problem, but you should probably get in and get checked.
Yeah, that’s such. That’s such a cool idea and and a really helpful idea for a lot of people.
Yeah, so we’re going to be, we have a financial partner that’s helping fund that. Right now we have a number of high-end concussion and neuroscience at university study groups that will be helping us. We have some participants from college football teams and the military and a hospital group, and we’re going to test it and build our algorithms over the next probably 18 months and then be able to launch that, so that’s the offshoot. But on the Human Presence side, the bot detection and spam control and checkout protection will, the game is just to be rolling out on more channels. We’ll have more integration with other form builders, perhaps some other hosting companies have an opt-in integration and things like that, so we’ll be expanding, I guess, horizontally as we build each channel, and then as we venture on this other business called Human Health because.
And the Human Health side’s really interesting, and, you know, when you think about it, a lot of big players have jumped in that space, including Google in the last couple of years with their purchase of Fitbit, right? And I think the only big concern there is what happens with all that data, because I know when Google bought Fitbit there was a lot of discussion kicking around that, uh, Google would be selling some of that data off to the insurance companies, and you know what an uproar that caused, I’m sure.
Right, right. No, the data privacy is going to be the big issue, and we’ve hired some people in that area or have some people that were going to be contracted to help us with that. But that’s a huge, especially in the hospital environment there’s HIPAA requirements and everything else, but we’re going to make that one of our, as part of our mission statement, that we’ll have, data will only be given to anyone in a totally anonymous form, so. Um, no, you’re.
Now, I agree. Let’s see.
Exactly right, it’s one of our first thoughts that we have some serious data here, but it’ll be totally anonymous for the for the algorithm developers and everyone else, yeah.
Yeah, it’s funny, you know, we all talk about data privacy online, and the Internet is actually built on the fact that there’s no privacy, and people don’t understand that when they say that, and they say, well.
But I care about my privacy and I’m like. OK, so maybe it’s time you move to the moon. Get a bubble, have no phone connection, no Internet connection, no nothing connection, no TV, no. And I know I’m being facetious, but Yeah, it’s almost that you have to do that now.
You really do, you really do, uh. Yeah, I think of all the things that, you know, just your browser history and, yeah, oh yeah, but now this would be keystrokes. Yeah, let me tell you about one of the key applications, Rob, I think you’d be interested in, is the military. Uh, you know, if someone gets traumatic brain injury from shooting a weapon on their shoulder that used to be, they’re wall mounted or tank mounted. They’re a young person that’s going to have problems for the next 50 years. But if they can detect that early and not let it exacerbate, uh, they’re very, very interested in that. So they can also have somebody, you know, just do some keystrokes, type, uh, report or type paragraph, or, you know, give a daily diary or something every night, and be collecting data on a regular basis. And, you know, the objective is to identify it early and say, we’re noticing a slight decline in your cognitive reactions, we’ve got to get you out of there. So they could person out before it gets worse. A huge expense, huge, you know. I mean, they have really played with people’s lives from the age of 19 to 70, you know, so.
Yeah it is, and the effects of.
We’re really excited about that one.
And the effects of what happens when they’re deployed is just, it goes on for years, and it’s everything from concussions to harm issues to PTSD, believe it or not. I mean, I know a lot of people in emergency services, and PTSD’s a big deal now and starting to be recognized, like, you know, it’s a lot, and.
So that’s why, if we can affect that, if we can impact that and lower the number of long-term traumatic brain injury incidents in the military and contribute to that, that would be a real positive thing to do with our lives here. So we’re excited about that.
No, I can understand why, and even the impacts of concussions, like, we’re now taking, you know, you were talking about some work you’re doing with football. We’re now taking the approach of concussions and helmet safety and contact sports more seriously today than we ever have before. I mean, I’ve seen some bad ones. I’ve got a good friend of mine who’s had three bad bike concussions in her life. Is my age, and in all three cases the helmet broke, so that tells you something.
Oh my goodness, yeah, yeah. Yeah, I think head injuries are going to be, I think we’re excited to be in it just for, you know, doing some good for the world. But we think it’s a tremendous opportunity too.
Insurance, UM, if somebody wants to find out more about your plugins, what your company is doing, get ahold of you. How’s the best way, Bill?
You know, our website is https://www.humanpresence.io/. They could certainly get on there. We have the Human Presence app on the WordPress App Store. Um, WooCommerce will be coming out soon as Shop Protector. If they’re in Shopify, it’s Shop Protector also, so they can look there, and then we have a second app on Shopify called Shop Protector Plus, which is the form spam and all the basic stuff but includes checkout protection as well.
Yeah, thanks for joining me, Bill, and all the best of luck with the new products, and have an amazing day.
You too Rob as you venture around the country, stop by the South. We’d love to talk to you.
Sure will, be glad to. Bye bye for now.