Episode 413: Website Security With Joshua Hammer

Show Summary

Show Notes

Rob Cairns talks to Joshua Hammer from Sucuri about Website Security.

Show Highlights:

  1. What causes WordPress sites to be hacked?
  2. Things people can do to protect themselves
  3. Should you do backups at the site level or server level?

 Hey everybody, Rob Cairns here and today I’m here with my guest, Joshua Hammer, who’s the Director of Sales at Securi. How are you today, Josh?

Doing fantastic for yourself, Rob.

Doing really good. Thanks for coming on the show. Appreciate it. I was. I was like security discussions cause they’re they’re just interesting with everything going on in the world right now, right, so.

Interesting and scary, but yeah, I agree. I agree.

I what I would argue with you is knowledge helps the scary having been in that space for a while, sharing with you offline. I followed some legendary hackers when I got into the security side so. Of course, two were the founders of Apple, Steve Jobs and Wozniak. They were both phone freakers back in. OK. And the other one who just passed away recently was the legendary Kevin Mitnick, the guy who ran from the FBI. Yes. Yes. And he, I, I had the pleasure of meeting him at a conference a number of years ago. And he is. He had such a cult following in the space. It was just incredible. So anyway, I wanted to start off with how did you end up in the security business. It’s always interesting to find out how that stuff happens.

You know, I have a a very eclectic work history. I did everything from collections to door to door sales. I sold vacuums for many years and. I went to school to become a computer programmer and I kept trying to get out of sales. Just get me away from sales. I want to be in. Tech. And every time I went into a tech job, I’d end up back in sales and the last company I worked for before Subquery did phone system. And Mitel bought them out and I was laid off. So I was looking for a remote job and I came across Cory and I started as a chat agent, knowing absolutely nothing about security. And yeah, I kind of got the itch from there. So I started working with them and. I’m a huge video gamer and board games and puzzles and when I got into security I found it was just like a bigger puzzle and I just absolutely loved it. Yeah.

You mentioned video gaming. It’s funny cause that’s one of my ways. Even at my age. I’m 57 this year downline. Just playing video games and I don’t like all these new games. I’m like a classic early 80s, seventies kind of guy, so. I have a I have a space invaders original console that’s been totally. Furbished the electronics are new, but the cabinets like 79 period that and I must own 5 or 6 classic video games including Mattel and television at a calico whatever it was called. I certainly have no original Atari and a few others, so you know I I can appreciate that it seems to be common. Because people work in tech, we like video games.

Yeah, man. That old calico vision. I I grew up on that.

Yeah, yeah. Mia was facing babies. Yeah. So much fun. Security. Hot topic right now.

I remember playing games.

We are seeing a higher and higher and a higher increase in security issues in the WordPress space in the last six months. I would say, do you think AI has anything to do with that or do you think? It’s just the hackers are getting smarter and the programmers are getting. Sure.

No, no. I do think AI has a lot to do with it. And it’s programmers and and corporate America, right. Because as as eye gets smarter and is able to program, corporate America is outsourcing a lot of the programming jobs to AI. And well, if AI is writing the code, AI knows how to break the code too, so. Do you think? That has a ton to do with it.

You know, it’s funny because I was looking at some trends the other day and I think I first started an increase which when COVID hit and we were all stuck at home and couldn’t go anywhere. And I think that’s where the hackers kind of started to ramp up their game because they were all bored. So they were bored. So they decided to. Ramp up their game so I think the increase actually started before a AI became prominent, would you? How would you feel about that?

Well, I I will say during COVID we were definitely busy cleaning websites and we did see an uptick. However, after COVID it returned to pre COVID levels for us. So I did see the uptick while everybody was quarantined, but after that.


Kind of led up. We kind of went back down, but now I’m seeing another uptick again, so.

That’s interesting.

It’s just really interesting. Would you say the number one problem with people coming to you guys, it’s a Curry because you do work with Godaddy’s clients. You do work with all kinds of clients, is clients don’t have a backup. Is that pretty common?

Yes, backups would be so helpful. That’s a big issue and the other one is out of date software. I can harp on that enough. Everybody that comes to us has an out of date program.

No, I looked at a site the other day Ioffer security care plans, and that’s a big part of what I do. And I actually do I do security updates on sites now, three days a week because I don’t think one day is enough anymore. I think the time from of vulnerability to the time of exploitation is getting shorter and shorter and shorter. Do you have any theories or stats on that?

The only step I have on that is that we put up a honeypot server with default username and password. It was compromised in 15 seconds.

Wow. Wow, that that tells you a lot. And for those who don’t know, a honeypot is basically a simulated server that lets them throw a server on the network that tells the internal people on that network if they have any vulnerabilities, right. That’s really what it’s used for in layman’s terms. Yeah, yeah, yeah. So that would.

Basically a trap so that we could see how quickly it’s going to get compromised.

You know, 15 seconds. That’s gotta be a record, Josh. It’s like it’s like, it’s pretty, pretty bold to say the least.

Yeah, yeah, it it shocked us all. We figured it would take a couple hours at least, but now the the bots got it right away.


Yeah, and. And that’s what people don’t understand. Like they say other individuals doing this, a lot of these people are what we call bots or script kitties. They go out and they buy root kits. They go out and they buy software to do it. And then they basically launch those bots. And everybody says Ohh. Why would they attack my small business site? It’s not your site they want, it’s the bigger site. So they use the small business sites to attack the bigger sites and. I think there’s a lot of truth. To that, wouldn’t you agree?

Oh yeah, absolutely easily. Most attacks are non targeted and just script kitties out there homing the web for an easy target. We’ve done blog posts on why people. Hack and it it’s usually. They’re building their network of bots, they’re using those servers to, you know, it was crypto. Mining was big for a while. It’s not so much anymore, but they’ll use your server for hardware resources and use that to attack the bigger sites that aren’t targeted.

Yeah. And it’s funny because I used to be involved. I’m not anymore with an organization called the Ontario Police Memorial, so they’re a provincial nonprofit. And what they do is they honor. Phone police officers, once a year, first weekend in May in Toronto. There’s a a memorial where we honor and I can remember. One year I used to maintain the blog that they did the live streaming to, and I stood there and watched during the ceremony one year. And this website took over 10,000 bot attacks during the ceremony itself. So in that case I would they have to tell you that was a targeted attack, not a targeted, not just some bots crawling. But still, that’s pretty remarkable when you think about it. Right.

Oh yeah.

Where do you guys stand from the standpoint of security knowing the product as well as I do, I would say you, you strongly believe in software firewalls, on websites and why?

Yeah, we prefer the reverse proxies over plug-in only because. One of the more common attacks is a denial of service attack, right and plugins are very vulnerable to that type of attack, whereas the reverse proxy is better at stopping those kinds of attacks.

Yeah, there there is truth to that with your software, do you, do you typically you put I assume assume I know you put rules in so that if a new vulnerability comes out and it’s a big one, you’ll put a rule in and say stop this. Vulnerability kind of at the top level? Or do you just kind of? What? What other stuff? Take care of it?

Depends on the vulnerability, right? So we we actually unique because we have not only signatures, but some ballistic learning engines that protect specific types of websites. So when we scan your site and we find out it’s WordPress. We’re going to put up specific rules for that site. That blocks just WordPress attacks. We do have our research people, our vulnerability research, people who look at things and tweak things on a daily basis, but our last report in 93% of 0 days were blocked before we had to do anything.

So that that’s pretty good, actually, I’ll take that. That’s that’s good one. And and as we were saying before, we went to record a big a big problem with all this hacking is if we could just get small business owners to make sure they have backups of their website. And I have to tell you, I’m not a big fan of no matter who the host is and that could be GoDaddy, that could be. WP engine. It could be any of the big ones. I still believe that site owners need to make sure backups are taken at the site level as well as the host level. Do you have any thoughts on that?

Ohh no, I agree completely. I don’t care who the host is, the host is. Taking care of the host, I hate to say it, but it’s very true. Even when a host says, hey, we provide a firewall, they may provide a firewall for the server, but they’re not protecting your site, so those site level backups are huge and keep them off site. Off site site level backups.

Yeah, it’s a good idea. I actually do. When I do backup. Because I come from, I was sharing with you. I come from the healthcare background I keep, so I generally do do for my clients. They do updates typically on on Monday, Wednesday or Friday. That’s when I do because we know the time for of vulnerability being found to the time of exploitation is shrunk by the. By the year like it’s pretty. Close now, so I like to make sure we catch them and then the other thing I do is. I keep backups off site for six months for clients and you say why does Rob keep six months? We’ve all seen cases where your site was infected today, but the payload was at least.

For a month.

I’ve actually seen that happen, so sometimes you gotta go back before the payload was infected.

Absolutely, absolutely. I think the longest one I’ve seen is 3 months. So six months is usually.

Yeah, I’ve seen. That. Yeah.

And it’s it’s smarter. The hackers, I mean, because people roll back to a week ago and they’re still infected.

You’re still effective? Yeah. And that happens all the time. And the other thing I gotta stress with backups. And you know this. I know this. But for viewers and. Listeners is please. Folks test them. I’ve seen too many times where people say ohh I’ve got a back up. I’m gonna save money and I’m like OK, so which Google Drive did you throw it on? Ohh, I don’t know. Did you ever do a restore to make sure it works? No. And then you get in and the back of it’s just a disaster. And I’ve seen that happen way too many times in my career. There’s a reason. Major financial companies do disaster recovery days to make sure their backups work right, so let’s test this.

Absolute. Or you find out you’re backing up just the site and not the database, and your database is infected, or you’re backing up the database and not the site, and you go to restore and it just doesn’t restore everything.

Nice. I’m I’m sort of laughing at you, but I’m not because I think I’ve seen all these before and it’s, you know, we’re just kind of nodding our head, all, all of us who play in this space. Update so we talked about the other problem is people don’t update enough and I think I’m in the position right now. If you’re a small business owner and you’re not gonna update your site, you better pay somebody to do it for you and better still, and I don’t care who it is, just pay somebody to do it because. You’re compromising your business integrity and taking the attitude that ohh it won’t happen to me. Well, I can show you 2 cases where it’s happened where clients have moved away from me. And when they moved away from me, they didn’t have a backup and they told me a month before they didn’t need me. So I’ve seen it. Updates is a big problem, isn’t it?

Absolutely. I I always look at patch notes on these updates as a.


Basically a guide or a targeted hit list, right? So as a hacker I can look at that update and go, hey, there’s an update here and they’re vague. It’s a security update in this section. They don’t tell you exactly what the security vulnerability is, but now I know where to target my taxes in this section. So. Why wouldn’t you update? Because basic. Really, the company is telling the world, hey, this is where we have an issue.

Yeah. And I think I’m not only that since we’re talking about software. So the approach I take is even with WordPress core, so when the new version comes out. I usually pretty well update within 48 hours. I’ll usually wait 24 to make sure nothing goes wrong, but I’m pretty quick on the mark for that exact reason, because if there’s a security patch in there. And when 652 came out, there was no 651. There was major cross scripting problems in there and it was like I looked at the patch and said I’ll just has to go in, like now. Goodbye. And that’s kind of the way I work there now. I don’t like turning. Auto updates on. Do you have any preference what you would rather teach people to do or? Not to do that.

I would say it depends. If you’re on top of your stuff. Yeah, turn it off if you are. Like me, who I have a hobby website that I touch once a month. Then I’m going to turn on auto updates because I’m not in there often enough to make sure that. Updated all the time, I’m just too busy. So as a small business owner, if you’re not in there on the daily basis or three times a week to check for those updates, then auto updates better for you than not updating it. No.

Yeah, I I would agree. But then you’re at the risk of an update breaking something and I think I think a lot of that depends on. You gotta be careful of what plugins and what software you using as part of your WordPress stock. Like really, I mean it’s time people need to learn to stop going every cheap free plugin out there. Because you’ve got no support and that’s a bit of a problem in a crunch, right?

Absolutely. And for heavens sake, please, if you turn off the plugin and you’re not using it anymore, remove it. Don’t leave it there.

Things the same way. I don’t know how many times I look at a new install. Did it take over in 2021? There in 20 twenties there and ask free version Astros there and they’re not using any. Of these things. Like and, by the way.


Disabling it is not good enough cause if you disable it the code still there. You physically gotta delete it totally.

Yes, yes, because that’s still a vulnerability and chances are since it’s disabled, you’re not updating it so.

Service. So let’s move on to the other problem passwords. Oh my favorite topic. So with passwords, a lot of sites and a lot of software is now going to pass keys. We’re seeing more and more of that. I know even in the SaaS world, companies like PayPal. And Amazon have gone to Passkeys recently. Thank God. I think that’s a good move. How do you feel about passwords and even more so, two step authentication with passwords.

As a security person, I love it as an individual hate 2FA, I’m always leaving my phone in the other room. And yeah, I go to log in.

Yeah. I knew that was coming.

And it’s like. Son of A and I got to walk in the other room to grab my phone and come back, but it’s no absolutely it’s more secure. I mean, I I love the UB keys. Those are fantastic.

I have to Yep, yeah.

Yeah, absolutely love those.

I have. Yeah. If you’re gonna go to UB, you need to, because you need a backup. Refuse original. Then you’re not up a Creek without a paddle. So I actually have a a backup that I update regular that sits in a fireproof safe for that exact reason.

Yeah, I keep one with me because I do a lot of work off of my phone, so sometimes I need to plug the Dang thing into my phone to get. Past something, yeah.

What do you think of password managers like bit more than or one password?

I love them. I use LastPass myself. I know they’ve had a few compromises recently, but passwords are so encrypted that after they reported compromised, by the time I change them, there’s no way anybody’s gotten the password so.

I’ve been a bit weird in user, but I think. I mean, I would say if you’re really scared about using the password manager, one of the cool techniques is add 4 letters at the end of every password and make. I’m the same, so when you insert the password so I do that so I’ve got so say the password is. Toronto, 1234 folks, it’s not. So good luck. I’ll throw 4 letters at the end of that password. That’s not in my bit word and vote. So even if bit Warden was to get hacked, I’ve got 4 letters. That goes at the end of every password that’s not there. That’s an interesting technique and been talked about a lot.

You know, this is the first time I’ve heard it, and it’s a really good idea. That’s a really good idea.

Yeah. And then the other concern around passwords is logging out of sites because there’s been discussion in a lot of communities that would what’s creeping up is what we call cookie attacks or session cookie. The tax. So that means the cookie that keeps you logged in, somebody steals. And we’re not talking the person that goes to the Public Library, we’re talking the person at home. His home laptop gets hacked, his business laptop gets hacked with the hacker grabs. It’s nothing but the session cookie puts it on another machine. And guess what? He has access to. Are you guys seeing any increase in session cookie problems or is that just kind of sitting there in the back?

No, we definitely see an increase on it, definitely seen an increase. Most of us use a browser that as soon as you shut down and deletes all the history.


No. But yeah, those. Security is funny, right? Because the easier it is to use, the less secure it is and the more secure it is, the harder it is to use. It’s finding that balancing act.


Yeah. And it’s funny. It’s funny when you talk, when you talk about using a browser. I know when I do banking, you’re gonna laugh. I actually do banking one or two ways. I either do it off my smartphone, cause your app can Only Connect to the.

So where it’s? OK.

Link or if I’m going to do it on a PC, I do it in a virtual machine that only is used for the banking and then when I’m done I do it the the VM and start a new one. Because that’s how I annoy you.

Welcome to the security world, Sir. Yeah, I know, I know.

So if you were to have a security resides buying the product, which is a good idea if you don’t have something. If you had three quick tips to give somebody worried about a WordPress website. What would they be right off the top?

Right off the top I would say. Records your install size so that you know how big the site is. It’s an easy way to know if code has changed just looking at file sizes. It’s cheap, it’s free, so that would be 1 #2. As we said, keep it up to date, check for your updates on a daily basis. And #3 is. Don’t install plugins that aren’t invented or that you find on a oh God. This is old school aware site or a pirated site because yeah, you get it for free, but you don’t know what other codes been attached to.

It. Yeah, I I would agree with that and and the first thing I. I would suggest is. Get involved in a group or some help of people you trust, cause I think security is all based on trust, right? It’s not absolutely so. So it’s like who do you? Why do you run WordPress? Cause we trust them. The WordPress Foundation updated why do you run this plugin? Because we trust the vendor so I don’t get bent out of shape the way most people do this. The vulnerability list of 300. And they say, ohh, we have a problem with WordPress. Well, I would argue what I’m more concerned about is how many of those 300 were not updated and how many are zero days. That’s the kind of stuff I worry about, not so much. Ohh ABC plug-in. Got a vulnerability and then. It was fixed well. If it’s a major vendor and it’s fixed, then the vendor did their job right.

Yeah, there it is impossible to write software without invulnerability. I don’t care who you are. Even the AI’s out there cannot write software without vulnerability.


It’s there’s going to be an error somewhere. And it’s finding those errors and patching them. I will trust the company that shows me they fixed it. Then a company that tells me they have no errors anywhere on their software cause that just means they’re hiding the errors from them.

Or they have a history of having major vulnerabilities. So one of those plugins. To look at is contact Form 7, which is a WordPress free contact form. Do you realize how many vulnerabilities contact form 7 has had in the last three years? I just shake my two men. I mean that that almost to the point of being excessive as far as I’m concerned. I mean, and then you get stuff like anything based out of element or what? Most people don’t realize is the elements are back in. That all the plugins use is the same software kit that the primary 1 uses, so the when one gets it, they all get it. And I think the worst one we saw was it about a year and a half ago. And I and I don’t wanna pick on them because I think Volvo and his team do a really good job up at Freemium’s. But there was a vulnerability that came out in freemium. So every site that is freemium S got compromised. I think the list was like 500 or something silly like that. So you recall.

I swear they had one like 6 months ago, but I don’t know time. In the security field. Yeah. Yeah, I think it was.


Six months and it’d be a. Year and a half, but.

Yeah, I think it was year and a half, I think it was longer, but I don’t think they handled that bad. They patched it right away. It was just because it’s everywhere, it it it compromised way too many sites, right, so you know.

You know well and that’s the thing, right? The more popular the software is, the more it’s going to get hit. Yeah, I know. For the longest time, we heard all the time Apple doesn’t get viruses. Apples doesn’t get viruses.


And Apple doesn’t get used as much as PC, so of course PC’s going to be. Hitting more well. Word Press is the same way WordPress owns what like 90% of the market share. Yep. So it’s not that it’s not secure, it’s just more attacked.

  1. Yeah, it’s true. Speaking of market share, I assume security does things besides WordPress. What other platforms secrets cover?

We are completely platform agnostic, so we’ll work with anything, even custom PHP sites or. Any coded site that you build, we do have specific rules for Drupal, Magento, even some of their older software that doesn’t exist anymore.

  1. So from the.

I can understand. Every time they update those systems man moving from. One to two was a pain with those other software. I will say that is great about WordPress. The ease of updates.

No, no, no question on that one. And I think less and less people are using like triple triples is in big enterprise solutions, but even a lot of universities have moved to WordPress in the last couple of years. You know we always stopped famously the two sites are White House. Gov and Taylor Swift cannot get through a conversation. Our latest website is actually based on WordPress with cadence. Believe it or not, so people forget about that. So the swifties can all relax and say we’re press is taking care. Of their their girl. So. If somebody was looking at a security solution, what are the the three big highlights of the security that you guys provided other people do? Or do better.

Well, I’m going to tell you that you want to ask around and find what’s right for you, but some of the questions that I like to ask are when you’re doing a cleanup on malware. Unfortunately, most people are responsive, right? They don’t get security until something’s happened. When you do that. Make sure that whatever solution you’re. Getting is not just automated. Because there’s a lot of bait and switch in this area, unfortunately, where they charge you for an automated cleanup and then they come back. And tell you. Well, the system can’t get everything you need a manual cleanup. Let’s charge you more. And that is one thing that I am so utterly against. I hate the vaping.


Switch. So do I.

The second thing is find out exactly what the security platform does for you. No security platforms going to be 100%. For example, we offer a firewall. We offer malware removal. We offer monitoring, but we don’t do vulnerability scanning yet. So is that something you’re interested in? Then maybe you want to look at something like patch stack for vulnerability scanning. It’s really a layered approach, right?

Yep, I agree.

And. The third thing is what are you looking to avoid? Are you looking for something that’s going to give you the best scanning out there? Or are you looking for something that’s going to give you a better firewall? How many sites do you have? Are you looking for something that’s going to protect all the sites or single site? These are all questions you got to have answered before you come in, because they’re all questions that the security agents going to ask.


And I can’t tell you how many people we talked to that have no clue how many sites they have on their server. No, they don’t bounce me.

Well, I mean, that’s another thing. I mean, if you’ve got some really high volume sites for me. I would have one site per server, because then you you risk the cross contamination so they’re that high volume and that critical you should think about the type of hosting you have to going on.

Absolutely, absolutely. Posts make it fantastic that you can put 100 sites on one of those in one hosting account. Then they don’t charge you everything.

That validation.

Right. But when one of them gets hit, they all get hit because once you’re in the environment, you’re in the environment and you can do anything you want while you’re in there for less technical, I would say think of a hosting environment like your house, right? Each site in that house is a different room. Once they’re in your house. They’re in your house and have access to every. Room.

That’s true. So so. Yeah, that’s a lot for the average person to think about. Hey, Josh. This conversation’s been really great. Thank you for jumping on today. If somebody wants to find out more about security or have a conversation, how’s the best one?

Just come to our website swiri.net and hit chat. We have chat agents 24/7 that can answer any questions. If you want to talk to me, just ask for hammer. There is another Josh on there, but I’m the only hammer there. So yeah, yeah.

Thank you very much. And you have an amazing day, my friend. Be well.

You too.

Similar Posts