Episode 127: Talking Web Security With Owen Greaves


Show Notes


 

00:00

Hey everyone, Robert Cairns here with the STM show. In today’s episode, I sit down with my good friend Owen Greaves who owns a web hosting company by the name of Billy host. And he, I should tell you, it’s my web host now, and we talk about web security and server security. So sit down, relax and enjoy this really technical discussion with a winner not

 

00:35

there we go. Hey, y’all. Robert Cairns. Here I’m here with my friend Mr. Owen Greaves, another fellow Canadian. And we’re going to talk about website and WordPress security. How are you today?

 

00:49

Just fine. Thank you very much. Thanks for having me.

 

00:52

It’s always a pleasure. You and I have known each other. I know, I’ve stopped taking count for a long, long time, even before Twitter and Social Media days, several weeks.

 

01:03

It’s been a while. Yeah. It’s been years.

 

01:08

So Owen runs a web hosting company called Billy host up, I’ll preface it that way. He is my host at this point in time, reasons to be now all over Facebook. So if you want to, I’m not gonna dredge it up. But if you want to go find out why go look at my Facebook page. And I thought we talked on today and talk a little bit about server security, WordPress security, maybe some PHP security for the nerds out there. And let’s start with PHP. Because there’s a, there’s a subject that really like PHP 8 is now dropped. I know I’m working for an employer that’s in the process of upgrading to PHP 7.4, and they’re having all kinds of problems with stuff breaking. That’s the nature of PHP. What do you see with PHP 8 and security or anything?

 

02:02

Well, from a security standpoint, I really haven’t studied up much on PHP, but it’s obviously going to be better than 7.4, 7.3, 7.2. Yeah. But a lot of the third party software companies haven’t caught up yet. So that trying to implement PHP 8.0, is it going to break stuff, it’s just going to because most of the software developers haven’t upgraded, they just got 7.4 to work properly. And so now 8.0 comes along, and they go, Oh, we need to upgrade? Well, no, I don’t think you should do that just yet. You should probably wait a little bit until the software that you’re trying to run, especially on the server environment. Actually, what is supported by 8.0? Otherwise, you’re just breaking?

 

02:50

Yeah, I would agree with you. The folks up at Wordfence did a really good office hours, not today, not this week, not last week to week four. And what they talked about was the changing ecosystem in WordPress with 5.7, around the corner, and RP and 5.6, and PHP 8. If anybody’s interested, you might want to go look at that talk. So let’s jump right into server security. You have a couple managed several managed web servers. Are you doing anything special without giving away anything that you show? On the security side?

 

03:32

No, there’s just a lot of standard stuff, best practices that take place, when you buy or lease servers, no matter what your business opportunity is that you’re trying to launch. If you’re buying managed servers, security is not something you have to know about. You have to understand you need it. But you don’t need to know how it works and how to do it. But you do need to be able to ask the question and say, is this in place is that in place, you know, otherwise, you’re just dropping to your knees and you know, cut my throat, trusting that the data center’s doing everything that you expect them to do. And sometimes, you know, stuff gets missed fall through the cracks. But security on the server side, for me is Linux, it’s not Windows. I haven’t used Windows in years. I’m using Windows on this machine for this particular interview. But other than that, and I only use this box for playing my NHL 09. That’s right. But as far as this, the security on server goes like this first starts off with the operating system, lock it down there and then whenever you’re running on top of that, whether it’s WHM, cPanel or Plesk or whatever, all that stuff has to be locked down. So I hire and pay for managed servers. So I don’t have to physically do that. I don’t have to physically administer the server. I can if I want to. But I have more important things to do than to worry about whether or not something got upgraded or not. I just I checked to see what the updates are and if they got done, and that’s all I need to worry about.

 

05:26

Yeah. And and we should mention, and, you know, we’ve all been there. Some of us were not part of your security solution, and part of a managed server environment, there’s also having proper backups, right?

 

05:40

Well, I have a separate server for backups. But it doesn’t make sense to have. If you’re running a hosting company, you’re either doing your VPS shared whatever, if you’re saving all your backups as a company on the same server sites, you’re looking for trouble, you’re just you’re going to get a huge letdown somewhere along the way. So you need a second machine that stores all that stuff. And it’s tucked away, nobody can reach it. It’s the same thing with billing software, you put it somewhere else when nobody can get to it. So you just make sure you’ve got the infrastructure in place, like say, email server, backup server, you’ve got your hosting servers, you’ve got all these other variables that you want to put in place and make sure that you’re delivering not necessarily the fastest service in the world, but you want it to be efficient, effective. And as long as people aren’t complaining, that’s a good thing. Yeah, it

 

06:37

really is a good thing. I mean, you know, we all know what happens in the hosting world when a hosting company goes out. Facebook, quite tough, like a drum. Twitter likes to get drunk,

 

06:49

right. Rob loses his mind. Yeah, well, yeah, I

 

06:54

have lately, but that’s besides the point. Okay, so we’ve talked about that a little bit. website security and subject that is dear to my heart, I spend a lot of time on, you know, simple little things like guys, let’s not use admin as a username. Some people still like to do that. I come across that all the time.

 

07:16

Well, that’s the do it yourselfer that’s doing that, right? Like, the person that’s doing that doesn’t know, they’re just go, I want to build a WordPress site. So what they do is they drop their one, one, click install, and away they go. And unfortunately, that doesn’t fly anymore, you have to, you have to have a little bit of wherewithal to go. If I’m going to set something up, and I know that the admin at whatever, password, then there’s bots out there 24/7, hard to figure out your username. And if it’s admin, you just save them a lot of time. And before you know it, they’re gonna have you like it. Obviously, 18 character passwords are better than 12. Yeah, takes them longer to get there.

 

08:11

Is it some random passwords are better? You know, it’s funny because I use a password manager, and I can’t add tools. And I cannot tell you any of the passwords to my website, if I don’t go into those tools or that password manager anymore. That bad. I mean, I use scrambled passwords. I you know, there’s the tool kit on the cPanel you provide. I also have a MainWP account. So between the two of them, I’ve I’m kind of like all over the place. And I really don’t remember website passwords. In fact,

 

08:50

you know, passwords are, you know, they’re, they’re a hot button as well, like a lot of web hosting companies allow you to have, they’ll let you have an easy password. And you’re going to get hacked. This just is just gonna happen. I you know, it’s It baffles me, I my servers, I don’t allow you to have an easy password.

 

09:13

No, I know you don’t.

 

09:15

You have to have our good, difficult passwords. So you need those tools to remember all those passwords.

 

09:23

And people need to start thinking about things like two factor authentication as well, especially the login to cPanel accounts and other things. So that makes things a lot easier. And more.

 

09:33

Yeah, you know, I get you. For me personally. I find that two factor really frustrating because let’s say here, it’s got to go to your phone or wherever to send you that particular Yep. passcode and sometimes you need to move faster than that. Yeah, sometimes you can’t Wait, you have to? You know, you gotta I understand. Yeah. In terms of, you know, like everybody now is really WordPress driven. Like everybody wants a WordPress site. Nobody’s building HTML websites anymore or just straight, pure PHP websites anymore. Pure PHP is a lot more secure, obviously. But everybody wants WordPress. So then you know, there’s a whole pile of security questions around that. Yeah. And cPanel has just made it easier for people to look after their WordPress sites with the website, the toolkit, WordPress toolkit Deluxe, I should say. And there’s a one click security button in that thing. And it will list off a whole pile of recommendations and things that you might want to consider to securing your WordPress install, which normally you would have no clue.

 

10:56

Yeah, and I, and I’m not, you know, we talk about that. And I’m not a big fan of what I call fluff. So one of the things a lot of people like to do is change the backend URL, for example, to log into WordPress, I’m personally not a big fan of that, I will do it but it’s not my favorite. The other thing people like to do is change the database prefixes I, you know that, but I’m, I consider stuff like that fluff changes, because if somebody is going to break in, they’re going to find those pretty quickly anyway, especially if they have your FTP password, and go in that way.

 

11:38

Right. And, and to me, those are kind of first level security 101 things. Yep. There are other things like restricting access to files and directories, configuring security keys. Again, you know, you can’t change that prefix. It’s, it’s one way but again, that’s just letters. It could be numbers, it could be anything. But you can also secure up forbidden execution of PHP scripts in the wp-includes directory. In the wp-content/uploads directory, you can stop PHP scripts from running there, you can turn off pingbacks, you can turn off hotlinking. Or sorry, turn it on. For hotlink protection, you can disable file editing in the WordPress dashboard for that matter if you wanted to.

 

12:25

And not and that does, I, I don’t trust my host. But my response to is, if you’re going to do backups, and get your host to do it, and I don’t care who the host is, you should probably be doing backups yourself as well and do both. And, and the reason I stress that is there’s been several hosts in Europe and even in Australia that have actually had, believe it or not, their backup server taken out by hacker at the same time they took out the primary server, I’ve seen that happen.

 

12:59

Anything can happen though, like I agree with you. I think if you’re any kind of a technology person of any sort, or you really need to take responsibility for your site, even if you’re just you don’t know how you should either hire somebody or talk to somebody that understands it, to walk you through it. But doing your own backups is critical. That’s why a lot of these panels cPanel, for example, they have backup wizards, you can backup your entire home directory or just your databases or just your website. But and then you can download them and put them onto a disk or a stick or another computer so that you’ve got a copy of it. And you should have a what I call a scheduled routine of backing up your stuff. I backup my laptop every month. Yep, just in case, the crashes.

 

13:59

I agree I backed mine up more than everyone. So yeah, I’m with you on that one as well, actually. So, you know, you got to and you kind of got to look at sites and say what can I afford to lose? You know, if you’re posting a blog a week, maybe you do the backup once a week. I know with my clients. I’m now at the point where I keep three months of backups offline twice a week now, because I think the security landscape is getting so tough. And these are sites that are changing like every day. So you know,

 

14:40

you got all the hackers are getting smarter to not get dumber. Yeah. If you were figuring out new ways of getting your information.

 

14:48

Yeah, if you want some fun, some fun way. What I’d say to somebody is create a phony account. Go to Discord and spend time in the hackers groups and read what took place.

 

15:01

Good. See, Discord is a fabulous tool, it’s better than Slack will ever be in my opinion, Oh,

 

15:06

me too. I’m so there I am. So nervous slack guy. So

 

15:10

I get that I’m part of a DevOps group and in Discord and boy, I’ll tell you what you want to talk about discussing security and containers and all that stuff is played this a really cool place.

 

15:27

So the other problem with security is, and I’ve run across this way too many times in my career, somebody calls you up and says they’ve been hacked. And the first thing I say to him is a, what’s your ID and password? And B, when was the last time you updated the software on your site? So there’s always this discussion with WordPress core updates, that a lot of people like to like to sit back and sort of, say the WordPress core updates, maybe we shouldn’t do that. And I’ll give you the example: 5.6 came out about a week and a half ago now two weeks ago. And there’s a lot of people that are waiting for 5.6.1. I personally take the approach. That’s a mistake. And the reason is, the minute 5.6 comes out, it’s known what security holes they’ve plugged. Right? Then all you have to do is go to a website called builtwith.com. Put in the WordPress version, put in the website name, they’ll tell you what WordPress that version is running. And if you’re running 5.6, if you’re not running 5.6, it’s known what vulnerabilities to attack.

 

16:39

Right, right. Now, nobody writes 100% pure, perfect software. Yeah, I haven’t seen it. Never heard of it. No, no, it’s it’s so eventually, somebody’s going to figure out a way to get in.

 

16:56

Yeah. And that’s the problem with waiting. And I understand people being concerned about versioning. But I also understand that people need to be concerned about two security fixes that go out in this stuff. And there’s always, it’s always a feature update plus the security fix usually so

 

17:15

well, as with Billy host, it’s in the terms of service, if you do not keep your WordPress install up to date, you’re in violation of Terms of Service. And the boys behind the servers will just automatically update your site to make sure the plugins are up, themes are current and the core’s done. Otherwise, you’re looking for trouble. And the way security works in the hosting environment now is every, you know, in my case, every cPanel account is caged. It’s in its own little cage. So if somebody breaks into a cage or your site, that’s the only place they can go. They can’t go anywhere else. This is just playing your little sandbox, which makes it easier to clean up.

 

18:02

Yeah, there’s many hosts that don’t take that approach. Eg for one. I saw that wonderful name out there. across their brains, and they and they tend not to. And that’s a bit of a problem, to be honest with you. Because they don’t. They don’t well.

 

18:22

I can’t speak for those companies that don’t take the higher road on that they just a lot of times it’s just about money. Yeah. And they’re just they’re just all they’re trying to do is make money because they’re cash grab. They’re not actually doing the right thing. Especially when it comes to security. Yeah. I mean, I look at some of the there’s a couple of big must be hosting companies out there that are still allowing clients to run PHP 5.2. Yeah, like, really? I know, there’s a way of securing PHP 5.2 and allowing people to use it. But the optics and the perception of that is not healthy.

 

19:07

No, no, it’s true. And the other problem too, is in the WordPress environment. And as you know, as plugins, I mean, one of the reason plugin updates come out on a regular basis is for more often than not security vulnerabilities. All you got to do is look at either Wordfence sightings or WebARX and watch your bulletins on a regular basis. I mean, I think has an amazing twice a month bulletin they put out there Wordfence put some out as they come out WebARX is pretty up there as well choose your poison, and you start to look at these plugin vulnerabilities. And like the one that woke everybody up in the last two weeks was Contact Form 7 was all over and how many millions of installs is that running? Right?

 

19:58

If sometimes I guess in defense of these these guys making plugins, it’s hard to keep up. Yeah. Like, it’s just really, really hard to keep up. And if somebody says, Oh, I, I like to keep up on everything. That’s a really nice idea, but I don’t think it’s possible.

 

20:19

No, I would agree with you. I think what you need to be more concerned is if the plugins been abandoned and not been updated in a couple years, I mean, that would concern me.

 

20:29

Well, and if you’re paying attention, you know, in the WordPress plugin repository, it’ll say it hasn’t been tested on your version of WordPress.

 

20:38

Yeah, that should be a red flag all by itself. No, no question, especially with the changing and, and everything going on. And I think, you know, from my perspective, between the core and the plugins not being updated, most people that have had hack issues or security issues, that’s usually the way in the door,

 

21:04

or the most common way. Yeah,

 

21:06

yeah. And, and people don’t realize that and I look at sites all the time. I mean, they’ve all had it. I mean, WPBakery, one of the biggest page builders out there had a major vulnerability this summer. You know, it goes on, and it goes on, and it goes on. But to be fair, I think the proper way to do security is if you spot the plugin issue, you’ll let the manufacturer know or whoever wrote it, if they don’t respond, then you got to declare it. But if they do respond, you got to give them time to patch it to like, you got to be fair about this.

 

21:45

Well, if security is part of your daily routine, you probably have a checklist to do this security thing is that you want to walk through I do and make sure that everything’s cool. For myself, like, I have to go and check every day, make sure the servers have been updated, I have to make sure I can see everybody’s WordPress install. From the server end of it, I can tell if somebody is not up to date or not, I can, I can see where all the challenges are. One of the tricky things in a web hosting business is that you’ll have somebody who bought hosting from you, and then decided that they’re going to have their website over on a different host, instead of using your server. So they redirect in DNS over there, but they had already put in a WordPress install in their directory in their home and they leave it there. Well, it doesn’t get updated. Because they don’t see it. They don’t touch it. Their site’s over on a different host. And so I see it, and I update it whether they need it or not. Because one day, they’re going to have to come back. And if they cancel that other hosts, they’re going to come back and there’s going to their sites couldn’t be there. But it’s going to be the first version they ever made of it.

 

23:04

Yeah. Right. And what they don’t understand is having a dormant install, there’s still a security risk if it’s not updated.

 

23:12

Yeah. And again, in the hosting world, there’s everything is either in cages or jails are like so sites are all quarantined, for lack of a better word. It’s

 

23:23

a good word.

 

23:25

It’s a it’s, it’s the Ark of the city industry had to do that, because servers were getting killed. With if you saw how many times a server gets hit for to be compromised, it would just boggle your mind. I have layers upon layers upon layers upon layers of security, to stop people from not just hacking the server, but also to prevent people from breaking into cages. Now, I can’t stop you from using an easy user ID and an easy password. Well, indirectly, I can challenge you on the password part. But you can still make it look complicated and still be easy. Yeah. But I can’t stop that. So if your site gets hacked, it’s not because of, you know, the company’s servers. It’s just not that way.

 

24:22

It’s not gonna happen. No, it’s true. I’ve helped over the years. So I’ll give you an example. I’ve helped manage a site over the years. That’s for the Ontario police Memorial. It’s a blog site they use right to livestream on and every year during the ceremony that the hack attempts on that particular website are somewhere between 60 and 200,000 hack attempts in the two hours of ceremony runs.

 

24:48

Oh yeah, it’s even WordPress alone. Soon as a WordPress script is executed and it’s live. It automatically has painted Have you set to on the scripts out there? right out the box out there, they went away. They know that that install is brand new. And it’s right there. So they start hitting them right away instantly.

 

25:12

Yeah, I know. It’s like it.

 

25:14

There’s no waiting. It just happens. The second that install happens. It’s just executed. Yeah,

 

25:20

I know. I

 

25:21

know. I know one case recently, where a guy ran a one button install, and his site was hacked within minutes of the one button stopping, right and it was like, and he’s like, really, and I’m like, just delete it and start over. And by the way, when you start over, secure the password and lock it down.

 

25:41

Don’t use the admin ID.

 

25:43

I know usually, when I do. I know when my security stacking, you and I have talked offline, I tend to run Wordfence, I tend to run it security. Now a lot of people don’t like running them in conjunction, but I have found ways to make them work. One of the things I like with Wordfence is especially the paid version, which I run on my own site, they have they have security firewall rules. So beyond the server. So that means if there’s a plugin vulnerability out there, and it’s not patched, so put in a rule to to toss the plugin. What do you think about people running like security software?

 

26:31

Well, it’s it’s, it’s a software firewall? Yeah. Right. Which means it’s a layer on top of another layer. So your servers, servers typically don’t get compromised, like it’s really hard to do that. And the ones that are theirs, something got missed. Like, I think that’s the simplest way to put it. But when you add another layer of security, you can also complicate things, too, you have to understand what it is you’re doing. Otherwise, you’re no it’s like, what’s the best way to describe it? You really one of them is not necessary.

 

27:14

Yeah. I mean, really, if you if you’re going to start adding layers, you really should talk to somebody who understands and lives and breathes security, and not do it yourself. And I actually believe and not not to try and make sales here. But if you’re really serious about your website, maybe you should spend a couple hours on a security consultant and get them to lock it down for you and walk you through what to do. And then maybe you need to say okay, either I pay my host I go to I manage WordPress install, or in both cases, and I have a security guy on standpoint because sites do get hacked, right. I mean, it’s,

 

27:53

well, a lot of people when they’re buying web hosting, they’re not asking those questions. They’re not asking the security security questions. So for a security minded person, someone who is in that business, it’s just pure business opportunity. Like so soon as somebody site is hacked, who do they contact, they contact the host, and they expect them to fix it. Well, it’s not the host hosting companies fault that you used an easy password or ID. Right? So I can’t be responsible for that I my responsibility as a hosting company is to make sure that your servers are up and running and your site is up and running. That’s right.

 

28:36

That’s it. And people don’t get that. And usually on a shared plan. If one site’s compromised, the host, will yank the whole plan off and off while I do until you fix it.

 

28:49

Sure. But again, a my company’s environment is everything is caged. So if somebody gets compromised, nothing else is getting touched. Like it’s just that container that is compromised. And it’s easy to clean up a container and it is a whole server. That’s a whole different set of problems.

 

29:11

Yeah, a big difference.

 

29:15

I would just nuke the server and put up another one. Like I wouldn’t even try to clean it like it’s that’s just how

 

29:21

hard it can be. And you know what, sometimes it hacks and I hate to say it on the WordPress side, that’s the easiest way around it to the person’s actually kept our backups up to date is to nuke the site and put up another one to eight to say,

 

29:35

now if you have a backup, it solves all your problems. It just does. Especially especially having a database backup, which is the most critical one, I think to me because you can always start off on the design site. But if you’ve got your database and all your contents in that database, then you’re fine.

 

29:52

Yeah, I would agree. The other thing you know, and it’s amazing people use secure passwords on their cPanel account or use secure passwords under WordPress account. And then their FTP account is password 123. And I actually know of two cases. One was a client of mine who shall remain nameless. And he was not on one of my servers where that was his FTP account. And he’s wondering why the hackers went right through it like, like a sponge with holes.

 

30:27

Well, hackers are not just searching, you know, Port 8443, Port 139. They they’re scanning them all? Where are the open doors? We want to know which door is open and then we’ll figure out how to get in.

 

30:41

And And believe it or not, as a host emails that concern for you, because your host email needs me being the smart soul I am refuses to manage clients emails, so they get one of two options, office 365, or Google workplaces? And I’m done. Because I don’t want to be in that security game at all.

 

31:05

You know, it’s interesting, outsourcing your email like that, because they have the same problem a web hosting company has? Yeah. I mean, if you’re hosting email, I could just sell email only. And that’d be it. And I could just be an email service. It’s still the same security problems. So you just have you have to isolate accounts, you have to, you know, have all the proper firewalling. And make sure your servers are up to date, you got to make sure everything’s current. Got to make sure all the the apps like Horde and squirrel and what’s the other one?

 

31:39

I forget the other one. But I usually use Horde. If something

 

31:42

went round, round, round three Round Round

 

31:45

cube.

 

31:47

You know, those three. So again, the server has to make sure that when you’re doing your updates, that software is being updated to so it’s the same set of problems with an email environment as it is for a WordPress environment. It’s the same security perimeters, it’s the same rules. If server as a server as a server. And it’s if you don’t have everything looked after, eventually, somebody’s going to find a hole.

 

32:13

Yeah. And and, and I hate to tell people out there, and they should get this after nine months of COVID. The hackers are all at home and bored right now. And and they’ve got more time on their hands than ever before. Yeah, they’re wrapping up. But the other problem is you now have countries and nation attacks, as we’ve seen lately in the news. So this wonderful attack called SolarWinds, which is no question a nation attack. So there’s a little bit of both going on, right? So

 

32:45

you know, there’s a new thing. It’s not new, it’s about seven years old. And it’s a thing called Docker. And it’s about, you know, in the DevOps circle, and it’s Kubernetes, all this stuff a lot of hosting environments are going over, over to this because it’s even more secure, than running just a stripped bare metal or, you know, shared or VPS, or all that stuff, because it’s everything is going into containerization. Now, and that’s way easier to secure than a public HTML folder.

 

33:24

Yeah, public HTML folders off of the secure,

 

33:27

you know,

 

33:28

oh, by the way, all the more reason somebody shouldn’t have a static HTML website anymore, frankly, is it’s hard to secure that at all.

 

33:37

I it’s puzzling. static HTML, XHTML. I haven’t seen just, you know, vanilla sites like that anymore. It used to be fun to make them because they were easy and you want to, you want to hack one of those sites, it’s not hard at all. PHP stepped it up, and it’s a lot more secure. I find PHP a little bit more fun. But at the same time, it’s also can be cumbersome. But people aren’t there. They don’t want to learn how to code and the ones that do are figureheads, they’re geeks, they’re, you know, they’re the ones the core people that want to learn how to why does this do that? Yeah. The general the, you know, the average person just wants something to work. They won’t want to know how it works. They just want it to work.

 

34:31

Yep. And, and frankly, and people say, oh, WordPress jack, I’ll just go use Drupal. I’ll just go use Joomla. Well, guess what guys? Drupal and, and Joomla are still based on MySQL databases. They’re still based on PHP. And if you spend any time in their forums, they have the same issues.

 

34:52

That’s the same thing as WordPress. That’s just another version of CMS. That’s all it is. So WordPress took one path. Joomla took another path, you know, they all take their own path and have their own way of doing things. Some some of them it’s harder and other ways to seize your WordPress is easier. It’s probably the easiest on my mind. But because you can customize it from the ground up and it’s open source.

 

35:18

Yeah. But it’s funny because I’m on both to Drupal and Joomla security newsletters just from an interest perspective. And WordPress, one ounce in a problem. And two days later out, they all come.

 

35:31

It’s like, somebody is always leading. Yeah, somebody is always following. So if you’re not paying attention to who’s our friend, and not responding to what they’re responding to, then good chance that you’re going to be making the new summers along the way.

 

35:48

The other thing worth mentioning, we haven’t really talked about this as people are going to like e commerce, you got to be even more careful with security, as far as I’m concerned.

 

36:04

e commerce is it’s not even a thought process to me anymore, because it seems to be becoming a default. It’s just automatically is becoming installed automatically by default. It’s still the same security problems. Every level, because you’re still talking about technology, you’re still talking about software. And you’re still talking about bad, badly written software.

 

36:34

And you’re still talking about people being involved, which are a big problem.

 

36:38

Yeah, well, people tend to be the weakest link. But having said that, there, they don’t intend to do that. And they’re not doing it on purpose. And that’s their, their, you know, the guys remember the bots trying to find a way to get control over your stuff. I wouldn’t want to work for a bank. I don’t care what anybody says. I’m just on a technology team. I have a friend who’s a CIO of a bank, chain of banks. And his headache. He says, All he worries about now is security. How do we stop the hackers from hitting us? Like, you can’t even redirect a hacker, you know, you can only block them. After three failed attempts of trying to compromise your cPanel, your SMTP or FTP, whatever. And then their IP gets blocked, but they just skip to another IP. Yeah. You know,

 

37:32

when I was in health care was one of Toronto’s biggest circles. Yeah. I used to sit with the guys who managed our firewalls. And I’d look at them and say, What do I command? And it’s a good one. And and anybody who thinks that hospitals are immune, oh, they they get attacked all the time. And believe it or not, people do get through, you just don’t hear about it. Because the media has a quasi it’s like the banks, I had a friend with one of Canada’s biggest banks. That was in security. And he taped people got through every day.

 

38:08

Well, it’s and what are you getting through to? Like, what are you reaching? Yeah, it’s one thing to get in the first door that you got to get through multiple doors. Yeah. And you got to you got to know what you’re looking for, you know, it’s like, even theft identity. You’re still the weakest link. If your identity is being stolen. It’s because you’re not being secure enough about it. You’re just freely giving your information. You just being not smart. Yeah. Yeah. So, you know, again, I keep saying that security has, you know, the same rules apply to everything. Even like, no ID security, service security, WordPress, security, you know, website security, with all the same rules still apply? They might look different, based on the environment. But yeah, you still got the same problem?

 

39:07

No, it’s true. And I think people just need to start to be a little more aware of how they do things and what they do.

 

39:15

They haven’t they don’t, they don’t want you. They just want the easy way. Well,

 

39:21

that’s why the easy way gets expensive one way or the other. That’s okay. And all

 

39:29

again, it’s an opportunity for a security company like yours to show them a better way.

 

39:36

You know, it’s funny, in all the years I’ve been doing this, Owen, I’ve only had one site that’s been on one of my servers or plans be compromised. And that was a client’s fault. It wasn’t my fault. I’ve had multiple sites that I’ve managed for clients on their stuff get compromised, because they don’t always do it. And frankly, backups have bailed them out more times than I can count. And

 

40:06

yeah, we all have those people like, it’s amazing. You’d be amazed how many people will send me an email unless I have my website with so and so would you be willing to look at it? I think I’ve been hacked and I’m going well, I can’t do anything about it. Okay, I don’t have access to the server. I can’t get into the back door kind of thing. I can’t get in using WP-CLI and make sure you’re current and updated. And now with the WordPress toolkit it’s I don’t need WP-CLI as much because it’s strictly WordPress but WC er allows me to do other things and just WordPress. No, no question.

 

40:48

Thanks for your time on as somebody who I confer hosting tell us a little bit about Billy host how to get a hold of you and and so on.

 

40:58

Well, Billy host.com is the web hosting company that I run. If you just want to figure out what how much I cost just go to that domain and then right on the homepage, there’s three packages it tells you what I do. And also packages are constantly being revamped here and there as new services become available. And pricing is always is coffee money in my head so not expensive. If you want to contact me via email you can contact me through admin at Billy host.com or Owen at Owen Greaves.com. I’m easy to find online so

 

41:39

that dad is true. Many conversation about tech stuff for watching football games.

 

41:47

I’ve been around on the social networks forever. So I can’t hide anymore. I would like to now Me neither Me neither.

 

41:56

Owen, Happy New Year and we’ll talk to you soon. Thank you for your time.

 

42:00

Happy New Year to you too. And thanks again.

 

42:04

Everybody. Robert Cairns again. I want Special thank you Owen Greaves for joining me on today’s episode. If you’re looking for some great hosting, go see Billy host.com and check out Owen’s web hosting offerings, I should tell you this is not an affiliate I don’t get a commission. I just strongly believe in Billy host so check it out today. This podcast is dedicated to my late father Bruce Cairns, and my wife Jill Mclean-Cairns. I love you both very much. If you want to reach me VIP at stunning digital marketing.com check out our website stunning digital marketing.com or on Twitter at Rob Cairns. Please keep your feet on the ground. Keep reaching for the stars and make that business a year succeed. Bye for now.

