Episode 379: Geeking Out With WordPress With Thomas Raef


Show Summary

Rob Cairns talks to Thomas Raef about hard-core WordPress security.

Show Highlights:

1. What to do to harden your WordPress install.

2. Why does server hardening matter?

3. Can you DIY your WordPress security?

Show Notes

Good morning, all. Rob Cairns here. Today I'm here with my guest Tom Raef, security expert. How are you today, Tom?

 

Doing well, Rob, thank you very much. 

Yeah, I'm glad to have you. I've followed you a long time online. We were chatting before we came to record, and I've watched a number of shows. You've done a number of videos. You've done one lately with Kathy Zant, and I think you did one with Nathan Wrigley, if I recall right.

Yeah, WP Builds.

Nathan's a good friend, and I thought, well, I think I need to get you on here. So I'm glad you joined me. Thank you for that.

Sure. Thanks for the opportunity. 

You're welcome. So I wanted to sort of jump in real quickly and find out how you got into security. It's always interesting, and I was sharing the story in many ways. One of the reasons I like security is because I fell in love with the teachings of guys like Kevin Mitnick in the day. And we all know Steve Jobs and Wozniak, the old phone phreak hackers, and I fell in love with those guys. And I'm an old-time... You and I aren't that far apart in age. I'm an old-time computer hacker going back to BBSs and dialing modems and all that good stuff. So how'd you start?

I got started... I've been in the computer industry, as I tell people, so long that IBM has one month more of PC experience than I do. I think they announced the first IBM PC in September of 1981, and I started in an Entré Computer Center a month later, selling IBM PCs. And, you know, that was OK, but I really liked getting into the nuts and bolts of it, so I started doing consulting projects just before IT consulting was really a thing and just kind of jumped into it. And then, you know, along comes the Melissa virus, the ILOVEYOU virus.

Ohh yes. 

You remember that from a long time ago, and I was very intrigued as to what it did, how it spread, and, you know, being a programmer from way back also, I was just curious. And so I happened to get a hold of it and tried to pick it apart and see what it did and why. And then, as things grew and, as you mentioned, Wozniak and Jobs and Mitnick, all those guys, hearing about them and the things that they were doing, although they were more, I think, on the social engineering side of things.

Very much so, yeah, especially. 

Even before that was a term. But I'd say it was just, you know, interesting. And, you know, you and I talked about hockey, and when I played hockey, I was always a defenseman. And so I just have that natural aptitude for defending things. And yeah, I started looking at how can I protect people from more viruses. And you'd think that the virus situation would go away. It didn't. It just got worse and worse. So I started heading down that path. And I had built... let me think now, in 2005, 2006, I was working on building my own security box for small businesses. I think they called it unified threat management, UTMs.

It's like, for a small business, it would filter your email, block viruses, control what websites you could go to, yada, yada, yada. Protect the inside of a small business. And in doing that, I was using the open source software called Privoxy, P-R-I-V-O-X-Y, and what that allowed you to do is filter content coming in from websites. So I built up a block list, so anytime I saw new JavaScript malware come out, I would write a regular expression for it so Privoxy could block it, to again protect my customers on the inside. But in analyzing JavaScript, it led me to a website called badwarebusters.org, which was run by Max Weinstein, a guy at Harvard, and supported by Google. So when Google would send you a notification that your website had the "This site may harm your computer" moniker on your search engine results, they would send you to Badware Busters for some free help. And Daniel Cid of Sucuri, he and I were the top two volunteers, so every time you'd help somebody out in this forum, they could rate you. They'd give you a rating, and Daniel and I had, I don't know, whatever the highest was. And he and I would go back and forth. It was a friendly competition between him and me; we both had mutual respect. And so one day I was just like, you know what? There are so many infected websites. I think I'm just gonna focus on that. And that was 2007. I started We Watch Your Website and never looked back.

It's really interesting. You talk about the early viruses, and you were talking about ILOVEYOU, and I was thinking about Michelangelo's birthday in those days, when we all had small hard drives. I dreaded that day, being a support guy, because we all know I would get 30 calls in a day saying, "I have a virus. It's Michelangelo." And we remember that one, and it would wipe the boot sector off the hard drive at the time. And then the other ironic thing is the late John McAfee, who started McAfee antivirus. McAfee was a virus creator himself at one time, so he's an interesting one, and he's another brilliant mind we've lost way too soon. But you know, it's funny. As a guy who understands security, I have to admit, maybe we shouldn't admit this publicly, but I don't want a virus checker on my computer. I never have. I just refuse. I'll do a scan from outside it, but I do not run one. The way I do scans and checks is I do them in a virtual machine, and then I delete the virtual machine when I'm done, so I don't play...

That’s it. 

that game, but...

Yeah, I can't go that route. I'm too nervous. I see every day what hackers can do. I just can't. So yeah, I'm a PC guy, so I run Microsoft Defender. It's just gotten much better. I used to bash it all the...

I know. 

time in the forums.

It has gotten better, no question.

It's gotten so much better, and then I typically run that in conjunction with Malwarebytes, because Malwarebytes plays nicely with everything.

Yeah, seems to. I would agree. If you can do that... The other key thing to security, I think, I have a little saying in my business: it's not if you'll get hacked, it's when, and how, and how do you recover. And I really mean that. And so to give listeners an idea, I've had my credit card compromised five times in the last year and a half and used in places including Tokyo, Japan, where I've never been. And I've had my bank account physically hacked by somebody in China. They actually put money in three years ago and tried to take money out on the back end. And fortunately, I was in the account when it was happening and managed to freeze it all. So bye-bye, hacker. It turned out... I don't know if people know, but the Canada Revenue Agency in Canada has been hacked multiple times, and that's the only place my bank information is, so I suspect...

I don’t know. 

the government is the weakest link, but... Well, I've had...

The denominator. 

Yeah, I've had that happen. I've had numerous friends... We all get people who don't understand the difference between hacking and a spoof, right? I mean, people run around saying, "Oh, my Facebook profile's been hacked. There's a duplicate." Hacked? No, your profile hasn't been hacked. Somebody created a lookalike. So we've got that mess running around, and then there are so many things as a business. Do you see the problem with small businesses and backups? That's a favorite topic of mine. How many small business owners do you see that never test their backups?

Oh, a lot. But, you know, I gotta say, right now I focus primarily in the website world. That's what we do, website security. And I gotta say that, for the most part...

Yeah. OK. 

I don't know numbers, but I'd guess 90% of websites have good backups, or they think they do. You know, there's the old saying I used to tell people: you've got two types of data, data that's backed up and data that's lost. Guess which one you've got? It sounds snotty, and I apologize, but a lot of people never test their backups. So they're thinking, OK, yeah, I've got backups, and I've got backups of backups, and I've got this and that off-site, and I've got local backups. And like, have you ever tested them? No. Why? Oh, you don't know until you need it, and then it's not there. But yeah, to answer your question, I think a lot of small businesses, outside their website, suffer greatly from lack of backups. But I honestly think that the website world has gotten much better over the years.

No, I think so too. I know primarily I look after, on security care plans, about 350 WordPress sites, differing depending on what the flavor of the day is. So I've got a few. I know normally when I take on a new website and somebody comes to me and says, "I've been hacked"... I'm looking at one right now, and I gotta tell you, if people would just learn to keep their sites up to date, that would solve half the problem. This guy's running an old version of WordPress. He's running old plugins that haven't been updated, and he doesn't know where he put his good backup. You're laughing like you've seen this before. What do you think about that in the WordPress world?

Well, I went on a deep dive over this past week, because we have a freemium version of our service that people can put on a web server, and it checks for all website file changes, additions and modifications. We get real-time updates on their database, and we get real-time streaming of their log files, so we know exactly what's going on. Now, it doesn't do any prevention, and it doesn't do any automated remediation. The free version is just for monitoring. But the information that we've been able to gather from that points... A lot of people, everybody, it seems, in the WordPress security world says that the majority of websites are hacked due to outdated plugins and themes. Our analysis shows that's not the case. It's more stolen authentication than it is plugins. Because, I mean, you think about this year: the last big exploit was the Essential Addons for Elementor Lite one. Yeah, that caused havoc, and that was huge. But since then, there hasn't really been any big plugin exploit, no real big zero-day exploits released, but yet hackers are still making money off of hacking sites. So when you dive deep and you see how they're maintaining themselves, it's like, oh yeah, OK. Well, even if you had all your plugins updated, and your themes, and you had 2FA enabled on your login, the problem is with a stolen session cookie. Yep, it totally bypasses 2FA, because you're authenticated. You don't need 2FA authentication because you're already authenticated. So yeah, I mean, it's...

That’s good. 

It's... it's you.

And it's getting to be a big problem. I also don't think, and maybe I'm wrong, but I don't think people are capable of DIYing security. DIY website, sure, but they can't DIY security. They don't understand what's going on out there. They don't understand what to do. They have no clue about what exploits are major and what are not major. I mean, the only big one I know of on the WordPress side, we just recently saw the 6.3.2 release, which had all kinds of security fixes in it. And to be fair, the only reason they...

Right. 

put that out was because 6.4 is like weeks away at this point. Yeah, it's very...

Knocking on the door, yeah. 

At the time of this recording, we're into release candidate two, and release candidate three is scheduled to come out later this week. It's going to be delayed by a day, but it's not going to change anything. It's knocking on the door, so for them to do that, they must have seen something of concern in 6.3.2. But I think the average person can't keep up to date with this stuff anymore. It's just not possible.

No. You know, I saw it in the Cloudways Facebook group that people were complaining because Cloudways just enabled Patchstack, and people were getting inundated. People weren't concerned about updating their plugins on all their client sites. They were asking how to turn off the notifications from Cloudways that they had so many outdated plugins. So I mean, when you think about that, you're like, OK, you're not trying to handle the real problem. You're trying to turn off notifications so that you're not bugged so much. What do they call it? Yep, death by notification or something like that. They've got some cute term for it. But yeah, like I said, that's just outdated plugins and themes and core. The other interesting thing about 6.3.2, I think it was a cross-site scripting vulnerability. But Wordfence came out with their announcement on that, and then they also put in there that all their customers are safe from that, because they have specific firewall rules for each individual exploit, but then they also have general cross-site scripting and SQL injection...

They don’t. 

prevention rules in their firewall. Their general rules were preventing the cross-site scripting vulnerability from being successful. And so even if you had the free version of the Wordfence firewall, you were protected from that. So, yeah, DIY for security, it's tough to do. I always laugh when these guys on Fiverr or some of these other ones, guru.com, say, "Oh yeah, I do malware removal." Do you really? I've seen stuff that you're never gonna see, because it's outside the standard WordPress file system. And I've seen that since like 2009.

Yeah, it's a bit of a... You can't do a virus removal for $28.00. I hate to tell you, it's just not possible to do it effectively, right? We both know it's a time-consuming process. It's not an easy process. And I'll bet when you see a site, or I see a site, they're usually pretty bad by that point. And then it's not just doing the removal, it's hardening the site so that you don't have problems down the road. I mean, that's the other problem. I have one, quite ironically: I did malware removal for them, and they were sending out pharma spam and Bitcoin spam, a wonderful mess of it all. And I wrote them a report of things they needed to do to harden their site and said I can do it for this cost, and they were a nonprofit, and their board wouldn't approve the expenditure. So no sooner did the board turn down the expenditure than guess what happened? They got hacked. They got hacked because the same issues that I cleaned up, they put back in, because they didn't want to do all that extra work. And then they kind of looked at me and said, "How could this happen? You just cleaned it." I said, "Do you remember that report I sent you that you chose not to do anything about? Well, guess what?"

Yeah. You hate to be snarky at that point. But when you lay it out for people and then they just choose not to do it, you're like...

OK, you know, so if you...

Best of luck. 

were setting up a new WordPress site today, from scratch, what are the first three things you would sort of gear at to lock it down real quick?

Well, first of all, I don't give anybody admin rights to my WordPress site. I just don't. And people are like, well, you know, you ask that from us. I'm like, yeah, but...

Thank you very much. 

I know that excuse. I mean, I know it's not going any further, and I know I'm not gonna have cookies stolen from my system. I know that the username and password is not gonna be stolen from my system, because of all the security steps that I take. So yeah, the first thing is, if some SEO guy or girl wants to help me with SEO, that's fine. Set up a staging site for you to use. But my live site, nobody gets it.

Why not? Not to derail you. I once had an SEO guy for a client tell me they needed cPanel access for a site hosted on my server, and I looked at them and said no. No SEO guy needs that kind of access. And the client actually moved this website off because of it. "So what are you doing? I own my site." I said, "You do, but I'm not giving it to him, because this is a security issue." So I...

Right. 

So while we're talking about that, it's worth mentioning we need to get into this, and this is what you're doing. You're only giving access that's needed. So we need to get into the enterprise mode, where you go to a bank and the bank teller doesn't have access to all the financials in the bank, right? She only has what she needs. We need to start doing that with WordPress sites, right?

I did a YouTube video. It never got any traction, because I never really promoted it at all. But it's all about transitive trust. If I hire a marketing company out of, I don't care, wherever they are, and they farm out... they use some white-label services to help them with different parts of the marketing, and they share the logins I gave to them with somebody else. And then let's say that person contracts out for driving traffic to websites that they're working on. Well, you know what? Hackers make tons of money off of driving traffic to websites. So chances are the hacker could have access to my website because of this transitive trust. I trusted John, John trusted Mary, Mary trusted Joe, and on and on and on it goes. So yeah, I just don't.

Yeah. So that's the first. Let's see, what's the next thing you would do?

The next thing I do is one of two parts. I'm a firm believer, and I know from my experience how effective blocking ranges of IP addresses is, because you can't tell me that there's any valid reason... And in 2017 I was the one to give a security talk at the cPanel conference down in Fort Lauderdale, Florida, and got all these web devs in there. My God, anybody give me a valid use case for why a website from Bluehost should be trying to log into my site hosted, you know, wherever. And they're like, oh, well... Nope. Nope. Nope. Nope. Nope. Nobody could come up with a valid reason. So why not just block by default all hosting providers' IP addresses? They all have ASNs, the autonomous system numbers. So it's pretty... well, it's not easy, but it's pretty direct to get those and then expand those all into IP address ranges, whether they be class Cs or whatever, and put that into a block list. But block that at layer 4. Don't block it at the website. Don't block it in the nginx rules or something at the application layer, in a security plugin. That's too late in the equation. Block it in iptables or UFW. And I mean it. We did that for one client overseas in the UK. He had a site that was getting attacked all the time, not successfully, but it was getting attacked. So we put up our rules on there, and in one day we blocked over 21,000 attacks at the server level. He says, "Well, I didn't even notice any slowdown." Right, because it's happening at the right stage in the communication.

In this communication... I've got some political clients, political parties, and they have the same problem. The bots and the people who hate political parties are just out there. You look at the logs, and it's ridiculous. And it's in the same numbers, and they're like, "We don't even see it." And I said, yeah, because you take care of it at the top level. So that's...

Right. Yeah. And I don't care if it's Microsoft Azure servers attacking WordPress websites, Google Cloud, Oracle Cloud, pick a cloud hosting provider. And I guarantee you their servers are in our lists on a daily basis.

What would be the third thing you would do?

I would block by... this is gonna throw everybody into a tizzy. I would block by user agent.

I like that. 

When you see an attack... Now, I know that the user agent is something that's spoofable, but when you see the number of attacks coming from an IP address... And like we saw, we had one yesterday: Chrome version 59. Well, the current version is like 118.

If...

You've got somebody trying to visit... If you've got a legitimate user trying to come to your site and they're using Chrome 59 or whatever the heck, do you really want them as a visitor to your site? No, just block it, because chances are it's some script kiddie that's using an old tool that they just never updated the user agent on. And like I said, there again, it's one of those things that we've tracked. It's highly effective. So those three things: I would not give out my username and password, no admin rights to my WordPress site; block IPs of all hosting providers around the world; and set up some regular expressions. So like on my really tight sites, what I like to do is set it so that it checks for the Chrome, Safari, Edge, whatever version, and it can only be like 10 versions behind. Because most of these browsers nowadays automatically update. When there's a new security update to be applied, they automatically update. So, you know, that's just my hypersensitivity. So I set it so that, like, right now, if the current version of Chrome is 118, if you come in with anything lower than 108, you can't even visit my...

site. I don't think you're being over-hypersensitive. I would be saying, why would you add a vulnerable piece of software to your site anyway, to start with, right? So I think that's just a really good...

Right. 

In the WordPress world, people like to solve problems by plugins. You know what I mean by this, don't you?

We got some big...

security players out there. We got Wordfence, we got Patchstack, who I happen to like. I think they provide some interesting stuff. I think Oliver Sild and his team do a really good job. I won't voice my opinions on Wordfence on this podcast, because I've already voiced them in more ways than one. And then you've got people like SolidWP, which is a stellar brand with their new rebrand, which is Solid Backups and Solid Security, the old iThemes products. And then there are several of them that do everything from 2FA to firewalls to you name it. How do you feel about people running some of these plugins to help themselves along the way and do some of that stuff?

Some of them I feel are legit. A number of them I am personal friends with. I met Mark Maunder from Wordfence. I met him at WordCamp US, and it was funny, because people would come up to... You know, I went to his booth, and he and I had talked before. We had a little bit of a spat on Twitter, but then we settled it with a phone call. And we're like, yeah, OK. And Mark said, "Hey, if you're going to be at WordCamp, let's connect. I'd like to meet you in person." So we did. And people would come up to me afterwards, like, "Did I see you with your arm around Mark Maunder?" Yeah. Why? I mean, the guy's accomplished a lot. But anyway, to answer your question, the security plugins, like I said, with something like Wordfence, whether you're doing the paid or the freemium version, if you do the paid, when this new exploit is announced, then they have a firewall rule. I think they push it out to the freemium people like 30 days later. But you also have to look at the fact that their generic rules for cross-site scripting and SQL injection and things like that are there for the free version as well, and that blocks a lot. So being dependent on a security plugin, I could honestly say I would never endorse that. You need it, you know, as they always tout, defense in depth. You need multiple layers. And so I'm not saying that blocking IP addresses and blocking user agents like we do is the end-all, be-all. It's another layer, but it happens early enough that there's no drag on your system. We use very little...

I agree. 

server resources for that. Some of the others... When people start saying that... I saw an interview with a large hosting provider recently, and they talked to the security guy, and he was saying that 95% of all hacks are through outdated plugins and themes. First thing is, you're pulling that number out of thin air, because, knowing what their service does, they don't collect... they have no way of collecting data to prove that. And the data that we've collected shows almost the opposite. It's not 95% one way and 5% the other way. It's a lot more even. And when you think about it, OK, when there's not a huge plugin or theme vulnerability, but yet sites are still getting hacked, like, you think that hackers just take a vacation when there's no major exploits going on? Or are they finding other ways? They're finding other ways, because their income depends on it.

No, no question. And we've seen during COVID, hack attempts have actually gone up and not down, because they were all stuck at home and bored, so they just kind of reached out to find ways.

Right. 

Another controversial topic that I like to call is backups. Backups at the hosting level, backups at the site level, or both. What do you prefer?

I say both. You know, you can't... We've seen numerous instances where people will restore a backup from like a month ago, and the backup files are infected. So they really had no idea how long they'd been infected. And that seems to be the case more and more, especially, as you mentioned earlier, you can't do effective malware removal for $20.00. But I think people are always looking for that, so they settle for that, and then they don't realize that, oh, something was missed, and my site's been infected for actually a couple of months now. So yeah, backups are critical. I strongly suggest on-site backups. You see a lot of files with the extension .wpress, and .gz files, zip files, things like that stored up on websites that are just backups, which is fine. But also you have to store those off-site somewhere, and whether it's your local desktop or an Amazon instance somewhere, whatever, it needs to be stored in multiple places. How about you? What are your thoughts on that?

I do both. We've seen major web hosting companies have their backup service hacked. It happened to Adobe 3 hosting in Montreal. It happened to A2 Hosting in Europe. It happened to Melbourne IT, the biggest host in Australia, a number of years ago. It's happened all over the place. So I do both, and I actually store my backups on a Synology NAS server, and then I have another Synology NAS that's off-site at a friend's that I pay for storage, and Synology has a cool sync software that syncs the two, so they sync in the middle of the night. So not only do I have one here, I've got one off-site, and I also keep, for clients, six months of weekly backups for exactly what you talked about. If you have a malware infection, I can go back. And honestly, if you're going back more than six months, you've got a bigger problem, usually. But I believe in that. I also test my backups for all my clients on a regular basis, on a quarterly basis, so I make sure I can restore them and they're working properly. And that's kind of the way I roll with that. When it comes to data, whether it's my website or businesses I've consulted with, coming from an enterprise background, I am a data backup *****, and I will admit that. I've got two 14 TB external hard drives working right beside me as we do this call. So I guess you get where I'm coming from, right?

Yep, Yep. 

Even outside of the web world, I've lost four hard drives in my lifetime to mechanical failures. I've never lost an ounce of data, so there is a reason I do what I do. And don't count on cloud services like Google Drive, because they're really sync products. They're not backup products, and we need to distinguish the difference between the sync product and the backup product.

Mm-hmm. Yeah, I can see. I never thought about that. But yeah, I can definitely see a need to differentiate those two.

Yeah, and the average user doesn't understand. That's the problem. I just went through that with a client recently, where, on the outside of the website, I have their files going to a Google Drive that's downloaded via the applet. They're on a Windows box. So they get all their files synced down, and then I have their backup software backing that directory up on purpose. It's just the way it's gotta be.

Yeah, I like it. Yeah, definitely. You can never have enough, in my opinion. That's why, you know, people ask me even today, "Hey, so does your service provide backups?" Nope. Because it's just one of those things... It scares the daylights out of me to be responsible for your database being clean, malware-free, your files being malware-free. Basic protections and preventative measures in place, that I can handle. But man, when it comes to backups, if you need a backup at 2:00 AM in the morning... Yeah, man, that just scares the daylights out of me. So nope, I avoid that like the plague.

And then the other thing I would tell clients is frequency matters. So if you're on a WooCommerce site doing, say, $10,000 in business, maybe you should be doing a couple of backups a day, not just one. Maybe if you have a brochure site, where you're posting a blog, or a podcast site... Most agency sites, unless there's a membership component, are basically brochure sites. Let's be fair, they're just complicated ones.

Right. 

I back up my personal setup once a day, and then I store a weekly off-site. So you gotta kind of look at frequency, because frequency matters with these kinds...

Oh yeah, especially with WooCommerce, you know, that’s such a convoluted or complicated system to begin with. And you’ve got live orders coming through. You know, how do you get everything updated? You know, if you do 

Of as well. 

restore a backup. Now you’re missing something, you know, you’re missing something or something. 

You almost, on the Woo side, have to export the orders, even on an infected site, somewhere safe. Then do your restore, and then the fun becomes you have to put it back together. I’ve done that recently, and it’s like, why did they do this? And the reason we did it recently was because some intern thought having unsafe passwords was 

a good idea. 

Yeah, I. 

And so that looks reasonable. My next question, it’s kind of a weird pressing question, but it’s really a security question. Password managers: yes, no, kind of, what are we doing? 

Definitely. You know, I know you’re gonna ask which one, right? 

Oh, I know which one I use, and I’m not on the Mac, so yeah. 

And you’d better not be LastPass. Right, like, with the way 

Right, exactly. Use any password manager you want, as long as 

You know, that’s 

it’s not LastPass. 

You know, that story keeps getting worse and worse. I read the other day there was more out there that they knew about and they didn’t disclose, and yeah. 

Oh, I know. 

So what do you use? Are you a Bitwarden guy? I have to ask. 

Me, 1Password. 

Just, I like it. You know, fell in love with it. You know, they’ve had their issues as well. For the longest time, to be honest with you, I used Google’s password manager in Chrome, and 

Yep, it’s gotten better. 

people are like, oh, it’s unsafe. Umm, no, it was at one time, but it’s not any longer. You know, you can’t be Google and have something inferior. It’s like, you know, when I used to bash Microsoft for Microsoft Defender, I remember telling myself, I gotta keep on top of that, because at some point Microsoft is gonna make this just an incredible product that’s totally integrated with Windows, and here we are. So. 

They did that in a big way. I’m a Bitwarden guy personally, and I mean I’m using it religiously every day. I’ve got most of my family on it. 

I have to tell you, I struggled with my now 78-year-old mother. She just keeps her passwords in a Word document. I’m like, why? It might be a good idea, if you want to print it, you can export them anyway. And we gotta be careful with passwords. We gotta make sure 

Right. 

that, God forbid anything happens to you or I, there’s a way that people can, in an emergency, get at this stuff. I’ve got an envelope in my safety deposit box in the house that says in case of a medical emergency open this, and then it basically gives the PIN codes for my PC and my phone, because we know Apple will not release access to an iPhone if somebody dies. We’ve had that, and people scream and say no, they just don’t do it. So you have to put measures in place. 

Right. 

Yeah, it’s good security hygiene. 

Yeah, it is. You know, but yeah, you do have to have that. You know what they call it? Hit by a bus day. If that day ever comes and you get hit by a bus, you know, lots of businesses are depending on you, and they need access to stuff. So it’s gotta be readily available, although it’s gotta be secure. 

Yeah. And then 

kind of the last subject I wanted to touch on is hosting providers, and every time I bring this up in a conversation, everybody rolls their eyes at me and says, do we gotta go there? So yeah, we do. And the hosting providers need to be a partner in security, not just a company that dumps on you and says, oh, we can clean it up for a fee. I think they should be doing more proactively at their end. What do you think about that? 

I agree. Over this past year we’ve made a number of strategic partnerships as a white label security service, but yeah, it really needs to be more, because, you know, at the start of this you asked about how I got started. Well, when I first formed We Watch Your Website and we were cleaning websites, I was hosting with Bluehost at the time. I know today everyone will roll their eyes at me, but I just picked a hosting provider and that’s where I went, and I was blogging like every day on the new infections I was finding. I get a call from a guy one day and he says, yeah, just read your blog post, my boss’s website just got hit by what you described, perfectly to a tee. You know, what can you tell me about it? I’m pretty technical. I’m like, OK, so afraid he’s not gonna become a customer, cause he put that disclaimer in there that he’s very technical. So we talked for like an hour and a half. I told him how to clean it and everything else. He’s like, oh, great, thanks. I get a call the next day and he’s like, hey, I just wanna let you know that information you gave me was awesome. You were spot on. Helped my boss immensely. He’s really happy. He’s like, oh, yeah, and by the way, we see that you’re hosting with us. I’m like, who are you? He’s like, I’m Alex Lundquist. I’m a Level 3 tech here at Bluehost. My boss is Matt Heaton, the founder. You know, how would you like it if we started sending customers your way? And I’m like, yeah, you know, I’m kind of busy. No. So yeah, I mean, like, their terms of service, people were told anybody calls in with a malware issue, send them to Tom Raef at, with like the website. And so I was inundated, but every so often I would find things that led me to believe 
people didn’t come in, cause I’ve always done root cause analysis as best I can, and so even on their shared hosting accounts I’d find websites that were hacked, and I couldn’t identify any of the usual suspects, you know, like looking around, looking 

What the 

heck, and then you could see the site getting reinfected almost as you’re watching. So that led me to looking at cron jobs, which uncovered a whole bunch of 

Oh, and that’s a whole minefield in itself, right? 

Yeah, it is. And even to this day, it still is. But I also found, like, there were a lot of symlinks, and I’m like, where? So I started doing a deep dive on these symlinks, and one time I sent their tech support people a list of all the websites that I could see from this one symlink on an infected website, and they were like, that shouldn’t happen. I agree, but here it is. You know, how else would I get all this information? And they’re like, oh, OK, we gotta close that hole. So they did. But hosting providers in general, could they do more? Yeah, but a lot of them are taking the stance that they don’t want to have to beef up their tech support people, you know, which is the cost of doing business. So they don’t want to create a rabbit hole there, so they’re gonna do what they can and try and make it seem as if they’re doing as much as anybody else is doing. But they don’t wanna go overboard. So. 

And then the other thing I’d sort of like to touch on is more for the agency crowd out there. Many of us use management tools, MainWP, ManageWP, stuff like that. Make sure you lock those tools down like a drum, like we were talking about IP blocking. I use MainWP, which is a self-hosted tool. I actually have my MainWP set up so that if it’s not the IP address coming in from my house or my laptop on the road, it will accept no connection, no matter who it is, how it is, where it is, because the problem with stuff like that is once you get into my MainWP dashboard, you can have a field day at that point, because you’re already authenticated to all those sites. And I think those management tools can actually be a weak link, not a good link, sometimes. 

Yeah, and the whole thing, you know, I was talking earlier about stolen session cookies. The whole thing there is, you know how easy it is to avoid that? You log out when you’re in your admin panel. If you log out, it immediately expires the session cookie. 

Every time. 

But most people will just go up, click the X and close the window. Well, that leaves the session cookie open, and on WordPress the standard is the session cookie will stay active for 48 hours, unless you click Remember Me. Then it stays active for, or is it two months? 

Two months, yes. 

You know, just log out. 

Don’t help. And then don’t do all the 

silly people things. You know, a lot of agency owners or freelancers like to go work in a coffee shop. Don’t do it. Please, please, please, please, please. I sat in a coffee shop one day and there was a guy. It was an experiment. I used one of the tools and walked over to the guy and said, by the way, here’s your credit card password for the last hour. I suggest you do something, just to make a point. And he just looked at me, like, where did you get this data? So one of the things I do is I have a large data plan on my smartphone, and I can use it around the GTA. I just tether to my phone and I’m done, and I don’t worry about the stress. I go stay in a hotel, I don’t do anything stupid, and I even go to a travel router that’s got a firewall that connects to the hotel Wi-Fi. Things like that would be smart, that’s all. 

Right, yeah. When, as I mentioned to you earlier, my wife and I, in 2016, we went to. And we were there the entire summer. My wife is a data analyst, so she works remotely also. Well, at the time we had people like, oh, you know, you’re in the land of hackers at that point. How the heck did you stay safe? And we’re like, yeah, we tethered off our phone. We didn’t go through Wi-Fi anywhere, you know. 

I don’t like. 

Tether off your phone. You’re good to go, so. 

Yes. Hey, Tom, this conversation has been absolutely amazing, and thank you. We need to do this again, no question. If somebody wants to find out about your services, what you do, how you do it, what’s the best way to go and how? 

It’s been fun. They can look at our ugly and way overdue to be updated website, wewatchyourwebsite.com. I’ve got an old customer, Justin Corn from California, and he’s like, yeah, his website sucks, but his services don’t. So I was going to put that as a tagline on my website. 

I love that, I love it. 

Our website sucks, but our services don’t. But anyway, yeah. Or they can find me on 

You’re on Facebook and Twitter, and I’ll be 

Yeah, Facebook, Twitter. On Twitter we’re at We Watch. They can find me on Skype, you know, We Watch Your Website. 

Right. They can e-mail me at t.f.traef@wewatchyourwebsite.com. You know, our carrier pigeons are on strike, otherwise they could do that. We still do smoke signals, those are doing OK. So, any way possible. 

Yeah. Thanks, Tom. And I appreciate your time. You have a wonderful day. 

Thanks, Rob. You as well. Thanks for the opportunity here. 

Yeah, it’s such a pleasure. 

Alright, take care. Bye. 