WordPress Security & Development for Non-Profits, Businesses and Entrepreneurs


Jake Van Buschbach 0:01
Hello everybody, and thank you for tuning in to the Umbrella IT Services podcast. Today's guest is Kevin McLeod from Word Site Security. We're going to be discussing WordPress security and development for nonprofits, businesses and entrepreneurs. Hope you enjoy. I hope everybody's having a great day today. My name is Jake from Umbrella IT Services, and today we are going to be talking about WordPress security and design with my good friend Kevin McLeod from Word Site Security. So thank you so much for joining us today, Kevin. If you could leave a like on this video, it really helps Kevin and I out. If you want to see more videos like this, then please subscribe to the channel. If you have a suggestion for a future video, please leave a comment below or email us at Tech Tips at Umbrella IT. So now that that's out of the way, let's just jump into it. So today we're going to be talking about website design and security. Website design and security is more important than ever in today's digital world. Your website represents your organization to prospective clients, employees and the rest of the world. I've had many clients call us looking for a good team of web designers after experiencing a hack, outage or other issue with their website, after working with somebody that claimed to be an expert but really just turned out to be the CEO's nephew. But thankfully, today we have a true expert with us that can make sure our websites are secure, speedy and safe, while providing us with some tools to make sure that our existing websites are up to spec. So again, I'd like to give Kevin a big thank you for coming on today. He's going to be talking with us about why someone would want to hack into a website, what the differences are between website security and IT security, and why we have to have so many personal phone calls trading business back and forth.
Some tips for business owners that are looking to secure their website and make sure it's running properly, what the right questions are that you can ask website developers, some tools that you can use to quickly audit your website, and what to do if you think you have a security issue. So thank you again, Kevin. How's your day going so far?

Kevin McLeod 1:56
Good, man. Appreciate the intro. It's good. No worries. Think about how awesome my team is, as well. So I gotta give full credit to the team and say thanks to them when I'm doing this, because I'm leaning on them every day.

Jake Van Buschbach 2:07
100%, I completely agree. I think there's a lot of parallels between IT and web design and development. And the number one thing is the team behind both of us. I couldn't do anything I do without my team. And I'm glad to hear you kind of say the same thing, because, a lot of the time, I know they don't get as much credit as they should.

Kevin McLeod 2:24
Yeah, you know, I'm not here to toot the horn, and they're sitting in the office.

Jake Van Buschbach 2:29
They're doing all the heavy lifting. Can you give us a little bit of background on yourself? So I know that, obviously, you're the CEO and co-founder of Word Site and Yardstick Services. Can you tell us a little bit about those companies and yourself?

Kevin McLeod 2:42
Sure. So I started Yardstick, our digital agency, 14 years ago. Originally, I was just doing some strategic planning and market research, and decided the web was my thing. And then, years later, brought on my brother, who was a former eBay employee. And from that he went back to school; essentially, mine has gone to BCIT and I'm the one who went to business school. And then we built our team around our strengths and weaknesses. And we've now got, at full capacity, 12 or 13 people on that side of the business, where we build websites and do digital marketing campaigns. A fantastic decade. We were also very good about documenting best practices and researching standards. And unknowingly, we actually built a company within our company. And we spun that out in the fall and created another company called Word Site Security, that just does WordPress security. And we did that because of the growing need for security, but also because of the gap that we saw: a lot of other agencies producing really pretty-looking websites that lacked a lot of the fundamentals of the building codes of the web. Oh, no.

Jake Van Buschbach 3:45
Gotcha. Now, I know with the security stuff, it's a constant issue nowadays. We have a lot of clients that have a lot of internal emails get hacked and taken care of, because somebody will get access to their contact information, or to their clients' contact information, through a corrupted form. I've had a lot of phone calls and things to do with ransomware and other things that cause business downtime and outages because of a poorly secured website. So I'm personally really excited. I know we're not going to get into the geek stuff too much today, but I'm really excited to have a more professional, technical talk with you today. So why would you say WordPress security is important? Because, from my experience, I've seen, again, websites get hacked, contact information gets stolen, but maybe once or twice a month I get a phone call from potential clients about this, but this is something you see every day. So what are some of the implications that you see for small businesses that are using poor WordPress security?

Kevin McLeod 4:45
Here's the scary thing: you see it once a month. I might see it every day, but in the grand scheme of things, statistics show that it's about 90 to 95,000 attempts on WordPress websites every minute, globally. Wow. Holy. Yeah, that's crazy. Reported by Wordfence. Wordfence is one of the leading web application firewalls for WordPress in the world. And so when you think about that, and you think about the fact that WordPress powers 34% or more of the entire internet, it's a pretty big target for hackers, just because they can create one massive script or program that's trying to search the entire web for the same hole. And that's what we see time and again: just these little scripts, little bots, trying to poke holes in WordPress websites. And what people don't realize is that WordPress is an open source product. Without getting too technical, open source means you can see all the code. And so, unfortunately... that's a good thing, because it's allowed the product to become super robust, with other people around the world that contribute to the development of that product over years, but it also means that bad people can see all the code and potentially find holes and vulnerabilities. So you have to stay ahead of it, and always be updating, and always be making sure it's backed up and secure, essentially, because there are so many new updates every month.

Jake Van Buschbach 6:06
Yeah, that makes sense. So in order to protect themselves from these exploits that are really common... it's very common for us to see the same thing as well. Someone has an outdated firewall. Someone can just breach it, because, hey, Cisco has an exploit, people don't know about it, your firewall is vulnerable. They have a robot scan the web, and all of a sudden you have 20,000 small businesses get hacked in a week because of that. So you recommended updates for people, you recommend website backups, very similar to what we do with people's other IT infrastructure. Is there anything else people can do to make sure their websites are remaining secure and safe?

Kevin McLeod 6:41
Yeah, well, that's like a two-hour-long Mars page right there. So there's like 100 things that we do to secure websites. The basic thing that most agencies, decent agencies, will do is they'll just do backups and updates. So they click the Update button in WordPress, update the core software, and make sure there's a backup. And then the failure, that a lot of agencies don't do, is they don't check that backup to make sure it's actually viable and able to be restored. So that's super important. And then also having a number of backups over the course of time. So we recommend at least 90 days, so you can go back in time and restore any one of those backups if you need to. And we have the capability to do that with a click of a mouse.

Jake Van Buschbach 7:21
Yes. Yeah, that's great. That lines up again perfectly with what we offer people. So we do longer retention, but that's because, again, we're dealing with financial records, direct files, these kinds of things. But it does take on average about 45 days for somebody to notice a problem on their website, and to notice things with file integrity, is what I've noticed. So on Microsoft's website, they recommend that it's 45 days minimum of data retention, because if something goes wrong in one of your files, or something goes wrong on a piece of your infrastructure that is not actively monitored, which I would assume someone who has a small business and doesn't have someone like yourself in their corner, they're not checking their website code regularly. So it may take 45 days for them to realize, you know what, that hyperlink that's supposed to download a PDF about our business, that's actually spreading ransomware, or that email form that people are using to contact us, that's not going to us anymore, that's actually going out to some Russian guy who's now collecting my clients' information. So I do very much like the fact that you're doing the backups and the verification of the backups. Because, again, I don't know how many times, probably three to four times in the last year, we've had to come on site. People say, all righty, guys, we've done backups, we got hit by ransomware, all you got to do is restore these backups. And then we go in and say, none of these backups are verified. They're all 60% complete, and they are not secure. Some of them are encrypted, some of them have been hacked already, and then it's game over, you know. So I'm very glad to hear you say that you guys are also verifying backups as well. Now, why do you recommend people usually go with WordPress over things like Shopify or Wix, these other options? I don't...

Kevin McLeod 9:11
So let's be clear about why WordPress versus another. So Shopify is a platform that we also use. Yeah. And we recommend it for clients who have primarily ecommerce websites, and some clients who have, like, a WordPress website as their front-end marketing machine, and then they have an e-commerce store that's on a subdomain that's on Shopify. So we make different recommendations based on what we think is best for the client. Yeah. And then we do sometimes... I actually sell, but, you know, I talk myself out of work. I did it yesterday for a startup. I just told them, look, I think Wix or Squarespace might be a better option for you, just to get a nice little brochure site up, test out some assumptions as you're kind of developing your product. And then once you develop your product, and you've got a really clear idea of how you go to market, then we start to build a more robust website. That makes... The reason why we choose WordPress over, say, Wix or Squarespace at this point in time, it's just because we're able to do a lot more with that platform, not just in terms of security. Yeah, we can also do a lot more in terms of just integration with CRM, ERPs, all sorts of cool stuff with custom software development. We have some software development partners we work with, who do some cool stuff to integrate things into WordPress. And they can bend that any way they want. Versus Wix, Squarespace, which are totally proprietary.

Jake Van Buschbach 10:24
Gotcha. What are some of the solutions you guys have put in place for people with those custom solutions?

Kevin McLeod 10:29
What sort of custom solutions?

Jake Van Buschbach 10:30
Yeah, like, what are some of the websites that you guys have come up with?

Kevin McLeod 10:32
We had a client in the financial sector that was showing the financial performance of various funds, yep, daily. And those would update dynamically. And that sort of functionality had to be custom built, because it was pulling data from multiple sources, and then displaying really cool-looking graphs and charts. And then that was embedded within WordPress, within just a window; actually, it was an iframe. But we were able to make it so that the page still formatted and resized on mobile devices really nicely as well. Gotcha. Worked with that custom software developer on that. And then we've done some other work to build bridges between programs. So we've got the website, and there's a bunch of data in the website, so we're like, say, locations for a bunch of schools or something. But they have a separate database where they manage all of those schools' information. Yeah. A bridge was built to populate the school locations and information from that database into WordPress. Gotcha. That's very good. Things can be done with WordPress, whereas with Wix and Squarespace, forget about it.

Jake Van Buschbach 11:29
Now, is Shopify as robust and comprehensive as that as well, or is it really... Shopify?

Kevin McLeod 11:35
We're big fans, and they're a Canadian company, and I love them. Yeah, they've been really good supporting us and our clients. We like Shopify for clients who have e-commerce websites that are, like, run-of-the-mill functionality. Yeah, you can go a little bit further with it. But when you start to get into the area of customization of products, and/or you want to give users the ability to pick all sorts of shapes and sizes and features, it might be a little bit easier to do that within WooCommerce, within WordPress, versus within Shopify. And so the development cost is lower, and the ability to manage it for the client is easier with WordPress, if Shopify is even able to do it at all.

Jake Van Buschbach 12:18
That makes sense. So yeah, Shopify is kind of in that one-and-a-half to two tier, WordPress is the two to three tier, and then you have Wix and Squarespace kind of squabbling over the entry-level stuff.

Kevin McLeod 12:29
Yeah. And then you've got, like, monster platforms like Magento, which are for any e-commerce websites in the world that are huge. Yeah. You know, you don't use a sledgehammer to hammer in a finishing nail. So...

Jake Van Buschbach 12:40
Yeah, of course. And that's one of the reasons why I've always liked working with you. And then any time that we have clients that need web development stuff, I always make sure to refer them to you, because you're going to be honest with people. Like you said, you kind of do the same thing that I do, which is we talk ourselves out of work a lot. And we just say, look, you know, this isn't a good fit right now. I'm going to give you the tools you need at the time. Go ahead and get yourself set up, you're going to grow your business. I'm here to answer any questions you have; if you ever need anything, give me a shout, and, you know, I'll touch base with you in a year or two. And then if you're ready to work with us, that's great. And if not, then that's awesome to see you're developing anyways. So I really like that you guys have had that attitude. So I just wanted to point that out; it builds trust, a hundred percent. And again, with all of these experts out there, and a lot of these people that claim to be web designers and web developers, and they're the expert, and they're dirt cheap, and these kinds of things, I've gotten nothing but burned from that kind of stuff. So again, it always does really, really pay off, in my experience, to do it once, do it well, and work with someone like yourself who takes the entire picture into consideration when they're designing a solution for people's websites. And I feel the same way about you. So with the website security stuff, how do you recommend people usually get started with that? So let's say that I've either got an existing website, like my own, and it runs on WordPress, and we're going to get that revamped, or I'm actually going to start a brand new website from scratch. What do you usually recommend people do in either of those situations?

Kevin McLeod 14:11
The security question, I hope, in most people's minds, is independent of the website development project question. Security tends to relate to risk, and risk is an ongoing thing. It's not something you just do: set, build and forget. So we audit existing websites that have been neglected. We audit websites that have been newly built and launched. And we sometimes work with existing suppliers and existing relationships, to help make sure that the product they're producing is going to achieve a certain standard for our client, and we share that client relationship. So when you do it doesn't matter. You just have to understand that your risk profile may be different from other businesses'. Joseph Campbell, a sole proprietor who just has a grocery website, may not care if their website gets hacked or goes offline for a day or two; it's not going to cause much of a headache. So their risk profile is fairly low. Versus, say, someone in a regulated industry like law, finance or something like that, or a bigger brand or corporation whose website is essentially being hit by thousands of people a day; if it had a problem, it's a big brand issue, a reputation issue, but also a loss of sales revenue. Yeah. The risk profile for those clients is much higher. And so those are the clients that we tend to have conversations with, just around, okay, when was the last time you had your website audited for security? And have you asked these questions of your web person, like about firewalls, backups? Have you scanned your website for malware and viruses? All these simple things that people just take for granted and assume are happening, may or may not be.

Jake Van Buschbach 15:51
Yeah. And what's some of the fallout that you've noticed when people do neglect their websites, and they just kind of forget about them and leave them by the wayside?

Kevin McLeod 16:00
Yeah. So the first thing that people need to understand is the reason why websites get hacked. Like, what's the motivation for a hacker? Typically, the kiddie hackers are just trying to cause trouble. They're just trying to see if they can do something bad, just mess around. And then there's another group of hackers that are legitimately trying to find some way to generate something, some gain for them. And the gains that they want are: hey, can I steal traffic from this website? Put links on the website and essentially steal domain authority, so I've increased the rankings of my website. Can I inject something into the website to essentially steal information, this trend that's moving through the website? Or, number four, is can I take this website offline and hold it for ransom? Gotcha. There are other ones, but those are the four main ones that we see. And the one that we see most commonly with WordPress is just they found a hole and they can inject something into the site, like some unauthorized content, a link or something, that you don't even know is there; it's hidden. And it's just stealing traffic or stealing domain authority. And it could be there for a long time. And that's okay. Like, it's just those little hidden ones, hiding in the background and helping whatever their website is doing, selling something in Russia. Who knows? Yeah.

Jake Van Buschbach 17:19
And what's the most common of those for you, that you usually run into?

Kevin McLeod 17:24
Yeah, the injection of a link or injection of some unauthorized content is the most common one, usually, because there's an old plugin in WordPress that's been deprecated or just neglected and not updated. Yeah. And there's a hole, and they could do something with that to inject some content or link into the website.

Jake Van Buschbach 17:44
That makes sense. Now, when it comes to domain security, I have this kind of as an overlap between IT and web development. So domain security essentially means, for the people that aren't overly technical listening, that the site or the vendor that hosts the platform for you to build a website off of... So if you buy a domain, that could be Umbrella IT, that domain hosts an index of information that directs traffic. So if I want to send an email to jake at Umbrella IT, it's going to go look at the vendor, GoDaddy, or whoever it is, and it's gonna say, okay, the email record here says I've got to send an email to this address, and it'll direct it over using these records. So do you guys work to secure domains for people, as well as the actual WordPress instance itself?

Kevin McLeod 18:33
A little bit, and this is where we tend to kind of overlap a little bit with IT. Exactly. Yeah. And that's why we like to work with, you know, companies like you, where we can understand each other and, okay, who's gonna host the DNS, and who's gonna make these changes to what records? Yeah, we try our very best to only handle the web stuff. So the CNAME record for the website, which... I'm getting a little technical here, but that's really the only thing we want to touch. Yeah. And we let the IT supplier, or internal IT person or people team, handle the rest. Yeah. Where we get a little blurry is we sometimes want to host the DNS in a very specific place. We like using a CDN like CloudFlare to host the DNS, because we can then do all sorts of fun things within CloudFlare, with their firewall, their caching, their compression, to help speed up and secure the website. And the base product of CloudFlare is free, so it provides incredible value at a zero price point. And they're an amazing company that has, you know, data centers all around the world. So yeah, if a business outside of, say, the Lower Mainland, you want your website to load quickly in, say, South America, we use CloudFlare for that to make sure the website's cached on a server in South America. Yeah, load quickly from there, and not trying to pull from a local server here.

Jake Van Buschbach 19:56
Yeah, it's, again, it's great that you partner with free vendors to make sure that, like you said, it doesn't matter where your clients are, they're going to be able to look at what you're doing, look at your website; they're going to see what you're offering, what services they're doing. And your company is partnered with companies like CloudFlare, and you're able to use free solutions for people that don't compromise on security or speed. And it makes sure that when people are trying to reach your website, they're always going to reach your website. That's good to know. Um, so do you have an example of a WordPress site that you think has absolutely nailed it? Like, do you have a site, usually three to four people, in the...

Kevin McLeod
I would point to Wordfence, because they provide one of the best firewall products in the industry for WordPress. Yeah. And obviously, because they are a security-conscious company that produces a plugin that we use, their websites rock. So if you want to check out a site that's just brilliant in terms of security, Wordfence. Yeah. See, a lot of pages, though, is... they're not, nothing is clearly the industry-leading sites in terms of user experience. Yeah, right. But they're incredibly serious, security conscious.

Jake Van Buschbach
Gotcha. So you mentioned a couple of things. So you mentioned the firewall through Wordfence. So I've actually not had a lot of experience with WordPress-based firewalls, so I'm kind of curious to learn about that tool, and if there's any other tools that you guys kind of take into account for WordPress that people might not know exist, and then they can make sure that they have a checklist that they can bring to their web developers just to make sure that everything is up to snuff. What other tools do you recommend people use, as, like, a fundamental thing? I know you've mentioned backups, firewalls, and having just general updates. Is there anything else?

Kevin McLeod 21:41
Lots. So Wordfence is a great firewall, but it's on your server. So we use Wordfence as well as CloudFlare. Yeah, you know, different configurations for both, and best practices. Backups are really important, but the backup should be backed up off of your server. So we have a product that allows us to store the backups in AWS, Amazon. And that way, they're completely separate. So if the server and the whole hosting company blows up, we've got the backups over here for, say... yeah, the five-minute time to live, so the DNS updates really quickly at CloudFlare. We could move that anywhere else and get the site live in real time.

Jake Van Buschbach 22:16
Yeah, that ties into our 3-2-1 backup policies as well. Again, there's so much overlap that happens between the IT and the web stuff. So I'm glad to hear you're following. But...

Kevin McLeod 22:27
You made a good point, though, because, like, I don't know much about the firewalls that you guys manage. You and I are, in terms of, really, kind of, like, different trades. Yes. So, you know, I would consider web designers to be more like a painter person, the drywallers of the home. Yeah. And you're like the plumbers and the electricians. Right. Yeah, I agree. We, you know, are all different trades, same house. And so some of the other tools that we use include things like Uptime Robot, so we can see if there's downtime for a site, and we've got our sensitivity set to, I think it's two minutes. Yep. We can do it shorter, but if we do it shorter, we just get blasted with alerts. So yeah, if it's offline for more than two minutes, we get alerted, and our team can take action. There's also some really cool tools that I've been pointed to that will do free penetration tests, if you want to get really crazy. And those just hit your website over the course of, like, six hours, and I recommend doing it at night when you're upgrading. Yep. And find every single possible hole that could be there in your website, and give you a whole report.

Jake Van Buschbach 23:30
Yeah. Do you want to give people a quick summary of what a penetration test is? I know you gave a brief description. Okay, so, totally.

Kevin McLeod 23:37
So a penetration test is basically just this program that hits your website, and there's other applications that hit other areas of IT, but it just hits your website with every single possible vulnerability. It's just like trying to find a hole. Yeah, it hammers your site constantly for, like, three to six hours.

Jake Van Buschbach 23:55
Yeah. So if your website's a bucket, it's basically pouring water in with all of the known ways that websites can be hacked. And it says, hey, we found a leak, I found another leak, we found another leak.

Kevin McLeod 24:07
And it's very burdensome on the resources on the server. Of course, if we do that, we do that at night. But, you know, I don't commonly do them. But it is something that's cool for people who are working at higher-risk sorts of companies.

Jake Van Buschbach 24:22
Yeah. So you guys don't only maintain and manage the websites, you're monitoring them. You're actually having responsive teams there. Yeah. That's fantastic.

Kevin McLeod 24:32
We don't want to get that call from clients that says, our site's been down for three hours. Yeah. We'd be alerted that said, the site's been down for, like, two minutes. We're taking action, responding and letting the client know, hey, we resolved this thing, just so you know. Don't worry, it's dealt with. Yeah, way better. Yeah. The one thing that I always talk about is, like, DDoS attacks. So, I don't know, some of the hold swallow... Some companies are not great in terms of their plans, like the $3, $5 web hosts. Yeah. You know, it's not a lot of resources. The analogy would be, like, an apartment building in a city like Tokyo or Singapore: very small square footage on a very big tower. And you could have one noisy neighbor that's sucking up all the resources on that server, and your site's gonna slow down. Yeah. Be very cognizant of really good hosting. And DDoS...

Jake Van Buschbach 25:22
...is denial of service, Distributed Denial of Service, again, for those who don't know. So it's buddy hours and distributed denial of service...

Kevin McLeod 25:32
Like, that gets hit by, like, 20,000 visitors in one second.

Jake Van Buschbach 25:35
Exactly. The server's like, I can't handle that many requests, and it just crashes. Yeah, exactly. So this actually happened. Did you hear about this topical news story with Facebook and T-Mobile and a number of these other companies that just got hit, I believe three days ago?

Kevin McLeod 25:55
There is one day going Forbes? Yeah.

Jake Van Buschbach 25:57
So yeah, yeah. So I think about 80% of American infrastructure went down. So it was this crazy denial of service attack. So, like Kevin just said, somebody hijacked dozens of hundreds of thousands of millions of computers somehow, and they targeted them all to go to Facebook, they targeted them all to go to T-Mobile, they targeted them all to crash these computers that are hosting the services for these giant corporations. And what do you guys do usually to protect people? Because, obviously, again, if Facebook is going down, no offense, but I don't think Yardstick is going to be able to say that, you know, if Cisco is getting attacked, my Kobe's gonna be our...

Kevin McLeod 26:38
best in class products like CloudFlare. Yes.

And if you've got things set up properly with CloudFlare, and again, the free plan only does so much so you may have to get a paid plan if you're really concerned about this. Yeah. You know, they are probably the best in the world at handling DDoS attacks is up other players mess with the CDN space. Yeah. But if you're not using a CDN and You don't have a firewall, you're at a high risk for those kinds of problems.

Jake Van Buschbach 27:05
That makes a lot of sense.

Kevin McLeod 27:06
But, again, taking risk into consideration, the likelihood of a DDoS attack happening on a very small business website...

Jake Van Buschbach 27:16
Oh, but if it does happen, you guys have the infrastructure in place to recognize it, respond to it, and prevent it from lasting, or at least, you know, we can log into CloudFlare and go, I'm under attack. And then what CloudFlare does internally is, as a district, shutting down access to the website from certain places, just blocking, like, tons of people.

Kevin McLeod 27:35
Yeah, that's gonna protect the website until the attack is over.

Jake Van Buschbach 27:39
And do you guys also have a system in place where, let's say that there's an extended attack going on, or CloudFlare were to have an outage, do you guys have some sort of business continuity solution in place where you can go, there you go, we're now swapped over to our backup server, and you're going to run off that temporarily?

Kevin McLeod 27:55
We're working on that one. Yeah. I mean, we'll talk to you about that, because we're increasingly trying to figure out if we could have more than one web host set up and have a failover sort of server system. We don't have that presently. But we're researching it right now. Yeah.

Jake Van Buschbach 28:11
Yeah, I know. It's really brand new in the IT sector for servers, right? So it's hard for web...

Kevin McLeod 28:17
Because of the way DNS records work in...

Jake Van Buschbach 28:19
Exactly. Knowing... Yeah, so I was gonna say it's brand new for us. So I can imagine you guys are probably a year to two years behind in that sector, because there's two free ones, because there already has the capability to do it. Oh, really?

Kevin McLeod 28:34
Popular does have it. It's on a paid plan; you have to have paid for it. It's based on bandwidth, I believe. And then you have to have your whole failover server set up. It's a little complicated. We're getting there. Huh.

Jake Van Buschbach 28:46
That's great. That's good to know it's in the works. So stuff like that, again, I think I've had to use it maybe once in the last five years. But when it's there, that's great. And then, right, and again, I think it's kind of different as well, because, like with us, it's 65. But I guess it really depends on the website, because for us, it would be something like 65, 100 people, they're not able to access their files, their computers aren't working, like that's devastating for a business. But if a website goes down for an hour, and like you said, it's Mr. Small Entrepreneur who's doing his consulting company, and he's got five clients, it's not as urgent. But if you're a multi-million dollar e-commerce

Kevin McLeod 29:29
company that's doing sales in multiple areas around the world, and/or if they're in a regulated industry, or they're publicly traded.

Jake Van Buschbach 29:35
Yes. Yeah. Gotcha. Are there any regulations or standards that you put in place for publicly traded companies or these highly regulated ones?

Kevin McLeod 29:44
We don't have any publicly traded companies as clients. Yeah. We have a few clients that are in regulated industries. We rely on their internal IT departments to dictate which standards they have to adhere to. Yep. The one that we most commonly bump into is GDPR. Yep. Trying to do business in Europe. We try to steer clear of clients that have, you know, SOC 1, SOC 2 sort of compliance issues, because they actually tend to have internal web departments, yes, an internal web company. But otherwise, it's really just about them telling us what their standards are. Because, we're sure, there's not a lot of building-code sort of regulations for the web?

Jake Van Buschbach 30:24
That makes sense. So same thing as us. So do you guys have an auditing procedure? I know about it. It's, again, very similar to ours; it's kind of like you send the electrician to check the drywall. So when you're doing these audits, what are some really common mistakes that you see people make? They're quite often, quite frequent mistakes.

Kevin McLeod 30:44
And that reminds me that I hadn't answered that previous question of yours, in terms of best practices. Password strength. It's so silly, man. But how many times do I see a login where admin is the username and their kid's birthday or something is the password.

Jake Van Buschbach 31:02
Yeah, I've seen "password" as the password many, too many times. It is crazy.

Kevin McLeod 31:08
Yeah. And anyone out there who's listening, like, that's not good. You know what the overlap is? Because it is laughable when you use those kinds of logins, because there are literally lists of the most common logins that hackers know about, and they just go through them against your website, looking for, yeah, this login plus this password, admin plus this password. Yeah, and what they call a brute force attack is when they're doing that, they're just testing logins, as many as they can. Yeah, that's one that I hate. And when I see that, I really have to educate the clients a little bit. Yeah, two-factor authentication is huge. And you can actually set it up for the admin login for WordPress; it should be 2FA now as well. Yeah. With any other system in your business that is vital to your business, 2FA is huge. And then we use LastPass. I'm sure you have some other solutions as well for password storage and sharing. Yeah, we use LastPass, and currently our own logins are shared with our team. So all of our technicians working on any project or website only see star star star when logging in. Yeah, so password exposure is minimized as much as possible.

Jake Van Buschbach 32:12
And I really like LastPass because they were one of the first companies to begin salting and hashing their passwords. So what that means for folks at home is, normally when you have a database like LastPass, where it's a list of websites, a list of usernames, and a list of passwords, you think about it like an Excel sheet, where you have those three columns with all the different rows. And what LastPass did was not only did they jumble them up using encryption, and the way I usually explain encryption is those old cereal-box toys that you get where it's like A, B, C, D in a circle, and then 1, 2, 3, 4, 5 in a circle, and you can rotate them along, and then B is 2 and 3 is C, but they do that hundreds of times over, and each instance that they do of the encryption is unique. So if you crack the code for one of those encryption keys, you don't have the key to all of the other instances of encryption. So LastPass has done a fantastic job of securing stuff like that, like you mentioned, the employees that are accessing their websites, they don't get to see their passwords. So we don't use LastPass internally; we have our own solution that we've custom created. But again, LastPass is a great solution, especially for people in your field there. So we're kind of touching on some tools here. So what other tools do you use yourself? What do you recommend people use themselves?

Kevin McLeod 33:34
Interesting. Let me go through my little list here.

Jake Van Buschbach 33:36
I know you probably got a whole list like I do.

Kevin McLeod 33:41
Most of our tools are tactical tools. We have some auditing tools for us that aren't going to be insightful, but I'm going to give you the name of a couple. If someone wants to scan their website, just, I wonder if my website's secure, what can I do? There's two that are really good that I use all the time. The first one is UpGuard, U-P-G-U-A-R-D. They have a free website security scan. And maybe afterwards I'll post a link somewhere for everyone to see.

Jake Van Buschbach 34:08
Yeah, I'll put that in the description down below. I don't know what's

Kevin McLeod 34:11
I'm gonna have to say I have no relationship with them. But I just love that it's free. You just click "get my free score" and they give you a number, which kind of gives you a benchmark for how secure your website is. Yeah. And then the other one that I use from time to time is Sucuri, S-U-C-U-R-I, SiteCheck, sucuri.net. And that one does a nice little scan that tells you if you're using the latest version of Linux, Apache, MySQL, PHP, the latest version of WordPress, do you have a firewall? Yeah, is your site monitored, just kind of basic things. And this is gonna, at the very least, provide the layman with some ideas about what they should ask their web developer. So it's like a checklist. It basically tells

Jake Van Buschbach 34:53
them, hey, you're missing updates. Are they missing a firewall? You're missing this stuff,

Kevin McLeod 34:58
right. The only downside of these tools is they can only scan what they see publicly, being very rudimentary scans. So if you really want to find out more information, it's kind of like getting a home inspection before you buy a house: you can only see so much by looking at the outside of the house. When you give the inspector the keys to the house, and they go in, they look around and look inside everything, go down in the crawlspace, look up in the attic, then you get a really good idea, okay, what kind of problems does this house have? And so that's what you need to do if you really want to get an idea of how secure your website is. And we do that for clients. We'll go, give us the keys to that house for a couple hours, we'll go look around and we'll give you a whole report. It's affordable, it'll be fine.

Jake Van Buschbach 35:36
Yeah, yeah, we do the same thing. We do the audit, we do the assessment. We call it something a little bit friendlier, the discovery meeting, but nobody seems to like the term "audit" anymore. But it's so important, being discovery. Yeah, it's great, because, like you said, you do have to go digging through the dumps and going through the plumbing, and you have to look at everything, right, because a lot of these companies, unfortunately, they trust people that have either gotten lazy, or they've gotten overwhelmed, or they've got another agenda going on. And most of the time it's no fault of the IT guy we're taking over from, or the vendor that we're working with. They're simply too busy. Or they're just uninformed. Because, as you and I both know, again, our teams are the ones that are keeping up to date with all this stuff, because I do my best to keep up to date with as much stuff as possible. But I only have so many hours in the day. And if I need to keep up with cloud services, and networks and servers, and workstations and hardware and CPUs, and Wi-Fi, and all these other factors that go into a business, I'm not going to be able to do any work, because I'm going to be glued to my screen learning all day. So that's why I've now kind of come to the conclusion that I have some vendors that are contractors that I like to work with as part of our team. But when it comes to doing some real work, like getting a website done for somebody, I just defer to experts with firms like yourself, because you've got an experienced track record, you've got a great team of people that can do the job. And honestly, it's not worth the hassle anymore to not work with a team of people. Because when I talk to a team, I'll go, oh, you know, I didn't know about this outage, or that DDoS attack, and then half your team goes, we heard about that. We tried telling Kevin about it, but he was busy learning something else.
And that's how things go in my office; people are always just constantly saying, hey, Microsoft is coming out with a new piece of software, you should do a video on it, or, hey, did you know that there's a new update to our PSA tool, or, oh, the monitoring software we use is getting a big update, and it becomes unmanageable. So what I would like to do for people, then, is to take the tools that you mentioned, I'll throw them in the description down below. They can kind of give themselves a free checkup on their site. And if they're interested in getting something a little bit more in depth done, they can reach out to you. Again, in the link in the description we'll have your contact info. Do you have any influencers or market leaders that you usually recommend to people? So I know we're steering heavily into the security side

Kevin McLeod 38:04
now. But you know, what I've noticed about security people is the ones that are really good, yeah, don't show their faces too much. Yes. Right. So I tend to read the blogs of the best security companies. Mm hmm. And I think that the content that teams, team members within those companies, are contributing to those blogs is outstanding. And so again, Wordfence, Wordfence Security, there might be a few other ones that I could pull up and share with you after, but their blogs are incredible. And they are the ones that are more forensic, right, about getting into the lines of code within plugins, and finding the holes and announcing them to the world. And, you know, there was one recently, like maybe three, four weeks ago, about the WooCommerce scraping, I think it was. Yeah. And that was a big issue, and I think it was, don't quote me on this, Wordfence that found that before today. And the reason why that's a big issue is because it's a plugin that's used for e-commerce; you know, every single WordPress website that does e-commerce probably uses WooCommerce. Yeah, so those sorts of companies and their blogs are the best ones.

Jake Van Buschbach 39:16
Gotcha. Yeah, I'll definitely grab a list of those companies and list those tools. We'll throw them in the description. Now I have one that I actually use fairly often. I probably check her blog once every two weeks. You've probably heard of her, actually: Taylor Swift. So there's a person online, I don't know who they are, but they call it Swift on Security. And they have a large number of tips online that are actually fantastic. So I've already developed our own system the way that you have, and it's actually, again, come to where I've realized I've actually accidentally created an audit system here. We have a checklist of best practices, and maybe one day that will turn into a secondary company as well. But reviewing the Swift on Security website, which is apparently read by Taylor Swift, they have a ton of great tips on basic computer security. And I think they actually have a couple of really basic website ones. So we'll double-check that and see if it's good. But if people find the security stuff boring, and you do kind of want it presented to you in a funny way, that Swift on Security thing is just straight to the point, very brief blogs. And they kind of break things down in a way where, if they say, oh, DNS does this, they'll explain that DNS is actually when you take the words facebook.com and you tie that to the string of numbers when you're actually visiting the

Kevin McLeod 40:41
IP. That is a good, good recommendation, because the ones that I read are, like, technical. Yeah, put-you-to-sleep technical.

Jake Van Buschbach 40:47
Yeah. So there's always the intermediaries, right. But what I've noticed as well nowadays is people are kind of catching on to that. They will have, like, Webroot or Malwarebytes, and these big firms will come out and say, we call it a zero-day exploit that uses the SSL encryption blah, blah, or, we found a zero-day with this, whatever. And they'll just have someone else write a blog about it. And it'll say, well, you see, when you have, again, the cereal-box code thing that I like to use as an example, and you'll find some Twitter guy with 10,000 followers who spends his days breaking all that down. So there's a lot of good people out there, I've noticed, but I'll definitely throw your recommendations down below there for folks.

Kevin McLeod 41:30
Sure. So you mentioned something that reminded me to say something about SSL. This is another tip for everyone who has a website. Go to your website, just visit your URL, check it out and look at the browser, especially if you're using Chrome. Yeah. And if you look at the top left-hand side of that browser window, where it shows your website address, if it says "Not secure", for you guys it'd be over here, "Not secure", right there, that means your website's not encrypted. And it's a very simple thing. You just type your website in and it just shows up, "Not secure", right in Chrome.

Jake Van Buschbach 42:03
So what are the implications of not having a secure website?

Kevin McLeod 42:06
Yeah. So there's two big implications. Number one, the data that's moving from your server to you is visible to third parties; if they were to intercept that data, they can actually see everything that's moving. So

Jake Van Buschbach 42:19
what kind of data would people be sending across

Kevin McLeod 42:22
the house? Oh, sure. You're just browsing the web, and it's just images and words. But if you actually submitted a form and said, Kevin MacLeod, email address, phone number here, I want some information about this service, I've had a problem, blah, blah, blah. So that's kind of personal. So you submit, and that's getting sent through the web, and could be intercepted by a third party. For anyone that's in a regulated industry or sensitive industry, that is vital. Yeah. The other reason why encryption is important: it's actually a ranking factor for Google. Websites that are encrypted with SSL get ranked higher than those that aren't, all things being equal. Yeah, it's a no-brainer these days to get your site encrypted. And it's like turnkey; most web hosts can do it. If they can't, you're not with a good web host. Yeah. And then SSL certificates, there are some free ones. And even the better ones are like 5 to 20 bucks, not much.

Jake Van Buschbach 43:12
Yeah. And that actually answers one of the questions I was going to ask you, and kind of turns me in another direction. So the original question I was going to ask you was, when you focus on security, do you sacrifice speed? Do you sacrifice stability? But after talking, you're right, now I've realized that actually, by adding in these secure platforms, you're boosting performance, you're making sure you're going to be faster, you're distributed all over the planet, you're going to have more cache servers. So that answers that. So now my question would be, what tangible benefits can business owners see from using proper hosting? So we've already mentioned the faster loading speeds and this kind of stuff, but for somebody like myself, if I were to go change my website right now, which is an absolute disaster, and work with somebody like yourself, what kind of benefits would I really experience?

Kevin McLeod 44:03
It's the same thing as asking the question, what benefits do you get from driving a well-maintained car? Or even better, what benefits do you get from driving a well-maintained helicopter, right? Helicopters are designed to fall out of the sky. Yeah, and bad web servers are essentially designed to crash.

Jake Van Buschbach 44:20
Yeah. Oh,

Kevin McLeod 44:23
A good web server will not only be maintained well in terms of the software and the hardware, so the physical stuff, but it's also the team that supports it that are very responsive. And that, put together, is what makes a great web hosting company. That's huge. There's going to be a time, no matter what, where you are going to need to call that web host up or get on the live chat at 3am to solve a problem. Yeah. And if they're only taking email tickets and responding 48 hours later, not good enough.

Jake Van Buschbach 44:50
Also, really quickly, to touch on that. There's a VPN provider. So we recommend a lot of our clients use their own private VPN, but for some residential clients, we do recommend they use a service like Private Internet Access; we'll put a little link in the description for anyone who wants to check that out. But we recommend people use a VPN, which is you're creating a tunnel from your device to a secure server, and then it goes out to whatever you're doing. So if you want to go look at your Facebook, or you want to check your email, it's encrypting your data so that no one can see what you're doing. It checks out your Facebook or your email, and it brings it back. Now one of those providers, I believe it was NordVPN, I could be wrong here, they had a vendor and an employee inside of their company that was running one of the databases they were using, and they leaked data. So they actually had a true, I heard about that, it was Nord. Okay. Yeah. So they had a tremendous amount of their clients' data just be completely exposed online. And again, like you mentioned, using a proper hosting company like Cloudflare really does mean that you're not going to be bitten en masse, but the implication that, okay, I'm using a professional company, I'm using GoDaddy, I'm using NordVPN, nothing bad can happen to me, it's still so important to make sure that you're using security as a comprehensive tool. You don't want to use a Cheeto to lock your door; you want to make sure that you're using tools all over the place, multiple layers of security, backups, etc. So that's interesting.

Kevin McLeod 46:21
I will defend Nord, because I have used them for a while, but, not bad. Yeah. There's no such thing as 100% security. So

Jake Van Buschbach 46:29
my issue with them, and my issue with them is they took too long; they took, I believe, six months to report it. Yeah, no. Yeah. Yeah. So like you mentioned, it's the vendor policies, right. That's why we always recommend Private Internet Access to people: I believe they were hacked about four years ago, and it was two days later they were like, this happened, we've dealt with it, it's been resolved. We have the same sort of issue, whoever, right. Yeah, like you mentioned, it's cat and mouse. That's the truth. When it comes to security, I make sure that all my clients understand that we're coming in to look at your house of cards to build our own house of cards. And I like to make sure that people understand it in that way. Because I've seen a lot of tech companies come in, myself included, well, I've never done this, but I've seen a lot of tech companies come in, and they'll say, this is garbage, this is trash, can you believe this? And I go, well, from this guy's perspective, this is great. He's doing everything he can with what he's been given. So, you know, I'd rather focus on my solution instead of ragging on this issue, because give it a year, maybe I'm going to have an oversight. Thankfully, nothing's happened yet, but maybe I'm going to have an oversight one day where someone goes, hey, you forgot to have double redundant backups, and you forgot to verify that one week that you got hacked. And then what am I going to do? You know, so yeah, I think it's important to think of security as a house of cards or a game of cat and mouse. And, right, it's important to make sure you have experts on it, like yourself and your team, that can come up to you and say, hey, no, we've been using this solution for three years; unfortunately, they did a bit of an ethics slip, we're no longer comfortable using them, we found another vendor that is just as good, and we're going to use their solution from now on.
If there's, whatever the change is, you'll be able to go over those details with them.

Kevin McLeod 48:16
Back to your comment about VPN, because, for people who don't know, there's a difference between SSL encryption and a VPN, yes. Okay. The SSL encryption is the website doing its job to encrypt the information between the user and the website. But the VPN is the user doing their job to encrypt all the information that they're getting through the web and hide it. So both need to happen, right, you should be doing both. I'm not right now, because I didn't want to have some performance issues here. But you should be doing both. And then that way, you as a user are secure and your website's secure.

Jake Van Buschbach 48:52
Absolutely. And again, that comes down to the comprehensive approach, right. You want to make sure you're using multiple layers. So you want to make sure your cloud service, whether that's Cloudflare, or GoDaddy, or whoever, is locked down and secure, you want to make sure your device is secure, you want to make sure your server is secure, you want to make sure your networks are secure. And again, that's why it's so important that companies like ours work together, so we're going to be able to give people total packages and make sure that they're safe on all aspects. Do you want to talk about the development side at all, like just a little bit? Or do you want to do a little bit of a deep dive into it? We're about

Kevin McLeod 49:29
out of time; there's a truck outside my door. So, it's 4:22 here. So we should probably kind of slide into some sort of conclusion to this chat. Perfect.

Jake Van Buschbach 49:37
Sounds good. We're coming up on the 45-minute mark. That's great. Yeah, really quickly, then: do you have anything that you would like to promote in the meantime?

Kevin McLeod 49:47
Well, if anyone has any issues with their website security, like if your world's on fire, just call me right now. Or on site, or we'll put our number in here somewhere. wordsite.com is our website. Just call me, I'm happy to help. Oh, don't panic, right? That's the first thing you do. We can certainly help you. And then if you want to learn more, like you're in a position where you're like, okay, I want to assess my risk, and I want to make sure that we're doing our best to make sure this asset, this website that we've invested in, is not at risk, then yeah, we can certainly help you out. And we can start with a basic audit, or we can do a comprehensive audit, or we can just jump right into remediation and clean things up for you. You know, anyone, we're happy to talk to you about it.

Jake Van Buschbach 50:27
That's awesome. Great. Thank you, Kevin. So I think that about does it for today's interview, everybody. So I hope this gives everybody a good foundation to start upgrading their websites and making sure that you're secure. I hope this answered any basic questions people have about WordPress development and security and the kind of differences between the platforms that are out there. So please do make sure to check out Kevin's website, Wordsite, and Umbrella IT Services. We've got the links to both of those in the description down below. And like he said, if your house is on fire, call him now. He'll help you out right away. Stay calm, there's a captain to the show. And if you could please leave a like on the video, it really helps us out. If you want to see more videos like this, then please subscribe. If you know someone that you think would like to be interviewed, and kind of provide some value for our community, which seems to be growing fairly rapidly now, thank you all for the support, please feel free to refer them to me at Tech Tips at umbrella it, and if you have a suggestion for a topic you'd like to see covered, also feel free to leave a comment below or email me directly. Please have a great day. And we'll see you all soon. Thank you. Thanks, Jake. No worries, Kevin. Thanks for coming on.