Why Hackers Target Small Businesses and What You Can Do About It

5:30PM Jun 5, 2024

Speakers: Nathan Ingram, Kathy Zant

Keywords: security, site, hackers, wordpress site, hosting provider, password, kathy, updates, plugin, business, wordpress, logging, solid, website, server, file, vulnerability, password manager, firewall, link

All about why in the world hackers care about websites and why they want to attack them. I think she's got a great presentation for us today to help us understand those things. Welcome, welcome, everybody. Good to see Sue is here. Chris is here. Felipe. Welcome, Deborah, Barney, David. Welcome, everybody. Glad you're all here. Just finishing getting the captions all connected. We'll have that going shortly. All right, that should all be working for everybody. If you want to turn on captions, you're welcome to do so. Glad you're all here. I will be starting in about five minutes from now. Kathy Zant is with us talking all about why hackers target small business websites. Folks joining in from around the world. Let's see, good to see Andreas from Germany, Tanya from Finland, Kay from Sweden. Derek, welcome from New York. Good to see everybody coming in as you join us. I'm going to drop once again our link bundle into the chat. There in you will find today's slides as well as links to Kathy's next live stream coming up on July 17, all about security audits, and also Kathy's YouTube link. If you can't get enough of Kathy Zant here on Solid Academy, you can find her on YouTube. Hey John, welcome from Chicago. Richard from Cape Town. Glad you're here. Welcome, everybody. Join in the chat there in the Zoom chat. Say hi, tell us where you're logging in from today. We'll be getting officially started here in just a few minutes from now. If you'd like to view the captions, they are active and working, and generally pretty good.

Here we go. Something odd happened in the last... or no, I don't know. Kathy, can you see that? It's like, at least on my screen, the links are odd in the chat. I'm not sure if that's me or Zoom. Can everybody see those links? Okay. Welcome, Niles from the Faroe Islands. Glad you're here. Good to... um, you know, issues. I'm able to click again. Welcome, everybody. If you're just joining us, we'll be getting started in about four minutes from now, a little less than four minutes. Kathy is going to be here talking with us about how and why hackers target small business websites. Yeah, that's odd. Sometimes these Zoom links are just weird in the chat, and I apologize for that. Zoom webinars, for whatever reason, treat the chat differently than Zoom meetings. I have yet to understand why that's the case. Yeah. So hackers target small business websites. Is that really a thing?

Ah, just a little bit. Unfortunately, indeed.

So again, if you're just joining us in Zoom, welcome, we're glad you're here. We have a few minutes to go before we get started officially. If you're just joining us there in Zoom, open up the chat. Say hi. Tell us where you're logging in from today. Let's do a quick poll in the chat. How many of you feel comfortable talking to your clients who are small business owners about hackers, and why your clients should be concerned about security? Give me a one to ten there. How would you rate your skill at talking to your clients about how and why hackers even care about their website? Give us a one to ten there in the chat. Oh, good, high ratings. Nice.

Very good.

So I think you'll have some more ammunition after this live stream today, and also maybe some ways to describe things that are a little different than what you do now. I always benefit from Kathy's explanation of security issues. She's really great at making these complicated things simple and easy to understand. So that's what we're looking forward to today. We've got about two minutes to go. If you're just joining us in Zoom, open up the chat and say hello. I'm going to drop in here one more time our link bundle that has the link to download today's slides. Also the replay link; this is being recorded. We'll have the replay up about an hour after we finish at the link that's there in the bundle. Kathy's next live stream is there for you as well. If you haven't signed up for that one, join us about security audits coming up on July 17. And finally, Kathy's YouTube channel, if you can't get enough of her here. You can always find her there on YouTube. She publishes content quite frequently. How do you do all the things, Kathy?

I have help. And last week I didn't get anything done because I was working with my chainsaw chopping trees that fell, so last week, nothing happened.

Oh, tell me there's video of Kathy with a chainsaw.

I actually brought... I do a podcast with Shell for WP Motivate, and I was in the mood the other day when we recorded last weekend. I brought the chainsaw, because it's just in that kind of mood. It's been a little bit rough, but taking down trees and taking down hackers. I guess that's my new branding.

There you go. Kathy's new logo with a chainsaw? Yeah. So hey, Vern. Welcome, Joan from Uganda. Welcome, Colin from Liverpool. Welcome, everybody. We're just about to get started. 30 seconds to go. If you're just joining us in Zoom, open up the chat and say hi, we'll get started here in just a moment. Links are in the chat for today's slides as well as some other helpful links. They're waiting on you. They're in the Zoom chat if you're just now getting into Zoom. We're just about ready to get started talking all about why hackers target small business websites. All right, I've got three minutes after, so I'm going to start the recording officially and we will dive right in. We'll get back to unit three. Everybody, welcome to another Solid Academy live stream. Good evening, good morning, wherever you happen to be around the world. We're so glad you decided to join us for this educational live stream all about why hackers target small business websites. With us again is my friend Kathy Zant. Security expert, podcaster extraordinaire, YouTuber extraordinaire. Many things. Kathy, welcome back. How are you today?

I'm doing great. Good to see you, Nathan. Absolutely.

So this is a great topic today. And it's something that a lot of folks don't understand. Why in the world would a hacker care about my website, right?

I hear it a lot. Like, my site's just insignificant. It's just my cat blog. Why would a hacker...? I don't need to take extra steps to secure it. Who cares? It's just my blog. But hackers will target it. And we're going to find out why and what you can do about it.

Indeed, it's going to be a great hour or so here, and let me just invite everyone, if you haven't done so already, to open up the Zoom chat, say hi and tell us where you're logging in from. We have folks from around the world logging into this live stream today. Really glad you're all here. I'll drop in our link bundle again in just a minute when Kathy gets started. You'll be able to download today's slides. Also, this is being recorded, so if you want to go back and rewatch any of this or share it with a friend, you can do so at the link that will be in that link bundle. That link will also have the replay, the slide downloads, or the transcript; all those things will be there waiting on you. Also, we will have a time of Q&A after Kathy wraps up. I would invite you to open up the Q&A in Zoom. Please ask your questions in the Q&A rather than in the chat. You can just mouse over the shared screen, click the Q&A link. Just keep that open throughout the live stream. If you want to ask a question, you can do that at any time. But even more importantly, that will also allow you to see the questions of others and upvote them, and we'll take those questions in the order of upvotes when we get to the time of Q&A. So with that, I will disappear, and Kathy, let's get started. This is going to be a good one.

Awesome. Yeah, so small business websites. Every business needs a website, right? We've got corner stores, we've got all sorts of brick and mortar businesses. You know, if you don't have a website, you don't have a business card; you don't have a way for potential customers to find you. You need to have a website. But as soon as you put it up, guess who comes knocking? It's not just customers. It's not just prospects. It's not just people kicking the tires. Hackers and their bots are also looking for your website and ways to exploit it. So today that's what we're talking about. If you have a small business and you've got a website, what are hackers looking for? We're going to talk about ways that you can protect yourself.

I am a security expert. What is a security expert? A security expert is someone who got hacked a very long time ago and has helped other people recover from hacks many times. I am a former developer; I do better speaking and helping people understand sometimes complex topics. But my first security incident was in 1999. I inherited a server from the technical person; it was supposed to be set up right. It wasn't; it got hacked. And ever since then, I have been cleaning hacked sites and helping other people understand security. I've been to DEF CON a couple of times. It says I'm Director of Marketing at Kadence; I forgot to update that. I used to be; I'm doing other things now. I have cleaned many sites. I've given many security talks. Kadence is still an amazing theme even though I am not marketing there anymore.

Who are these hackers? Who is attacking you? These attackers are not necessarily a guy sitting in the basement on his mom's computer attacking you and just saying, hey, I want Sally's cat blog. These are people who are building bot networks on command and control systems, where they take over numerous sites and kind of get them all together with a command and control network and target any site that is on the internet. If your site is up and freely available to be browsed, it's probably going to receive some attacks from hackers.

Why? That's the big question. Why do hackers want my insignificant site? There's nothing there. It's just cat pictures. It's just my blog. It's my wedding site. Hackers want your site because they want your server resources. They want your squeaky clean domain reputation. When they take those things, the resources of your server and your domain or IP address, which is behind your domain, and that reputation, and you put those things together, it makes it very easy for hackers to send out spam mailings, to phish credentials from people, putting up a phishing kit and then sending out emails to unsuspecting people who click on the link and then type in their password, and then these phishing kits send the credentials to a hacker so that they can log in. Malware. They'll put malware redirects on your site that will redirect to another site that installs malware on a person's computer. But with all of these indicators of a compromise, they will also put backdoors, so that once you find the spammy links, or once you find the phishing kit and take all of that out, they'll have put a backdoor in there so that they can get back in and take advantage of your domain's reputation and your server resources. Why?

They want to make a profit. There is a profit motive behind all of this. These are thieves looking to steal people's credit card information, thieves who are looking to steal your customers' information. They are trying to make money. Understanding the profit motive that hackers are after helps you understand what they're doing, and understand that your site is a valuable resource, not just to your business, but to hackers as well.

So why are they targeting small businesses? Well, if you think about it, there's a lot of different businesses that use WordPress. The New York Times uses WordPress, Rolling Stone, tons of very large businesses use WordPress. They're also on incredibly robust hosting. They may even self-host, with a security operations team that is taking a look at every single request that's coming in, looking for hackers that might be probing, looking for vulnerabilities, and they take action before anything happens. They target small businesses because they know you probably don't have a security operations team. They know you're probably not even looking at your log files. They know you might not even have a security plugin or a firewall in front of your WordPress site. They know that if they can take over 100 sites of people who aren't paying attention to security, it's just as good as taking over one large site with a lot of traffic. So these are economies of scale, meaning that they are going to target your site because they expect lax security. They expect you to not be paying attention, and unfortunately, in a lot of cases, that is how it is. A lot of smaller businesses don't think they're a target, so they don't take action.

Now, how are they getting in? What are they looking for? They are looking for, first of all, the easiest way, and they are looking for reused passwords. They are trying to brute force bad passwords. They are looking for software vulnerabilities. They are looking for vulnerabilities in plugins most likely, themes, core. They are looking for that one test site that you spun up just to test something out that's in the same cPanel hosting configuration as your main site. And you forgot about that test site and didn't update anything there. And so there's still a vulnerability there. You forget about it, a hacker discovers it and compromises the whole hosting account. So that is what they're really looking for. They're looking for ways to get into your site through poor authentication, and they're looking for vulnerabilities.

So they attack your site, they get in, you restore from a backup. Who cares? It happens all the time. Right? Any risks to you? Well, the laws have changed a lot in the last, I'd say, decade. Privacy laws. The fact that you are now liable if you are doing commerce and you are storing all of your customers' personally identifiable information: their name, their email address, even their IP address is considered PII, or personally identifiable information, the transaction, their address, their home address that you're shipping to if you're doing commerce. If you're running an LMS like LearnDash and you have student information in there, all of that information is also personally identifiable information. You have to let those people know that a breach has happened, that someone has gotten into the site, even if all they're doing is adding, you know, spam links. Still, your systems have been compromised, and you're required by law in many jurisdictions to notify your customers that there's been a breach as well. If you are running a commerce system, and they put a JavaScript card skimmer on the checkout page and they are pulling all of that credit card information and sending it off to the hacker so they can go buy expensive things and resell them on Craigslist or whatever, that is also a concern as well.

So the statistic that we see is that 60% of small companies go out of business within six months after they have a data breach or cyber attack. If a customer's credit card information is somehow gotten by an attacker, you run the risk of losing your credit card processing capability. That means e-commerce is not going to be an option for you. So there are some pretty significant risks, and those legal risks and those compliance risks keep increasing as privacy concerns become more and more at the forefront.

Now, this statistic comes from AT&T. They did a study on enterprise-level security. They found that those companies that have better security, more proactive policies, they're doing incident response planning, they are doing all sorts of things with firewalls, they are being compliant, they have plans in place of what to do if anything like this happens. They found that these businesses have higher growth. They have 24% sales growth over three years and 20% profit margins if they pay attention to security. And on the downside, companies that are just like, that security, whatever, we'll just restore from the backup. Those companies tend to not have good sales growth. Now, I didn't draw any correlations. But here's my theory, and you can quote me on this, but my theory is that businesses that pay attention to security, that are more proactive about securing their assets, also are more proactive in other areas of their business. So going through the exercise of thinking about security, of putting an incident response plan in place, all of this stuff helps the mindset of the people who are leading the business. So if you're an agency and you need any sort of little oomph to get that sale versus one of your competitors, you can talk to them about security.

You can use security as a differentiator, and you can go and say, hey, you know, security is important, but it also helps you grow your business, and I'm going to help you grow your business because I'm going to help you think through all of these things. Because I'll tell you what, after doing a ton of security marketing in my career, nobody wants to talk about security. They're like, yeah, whatever, we'll deal with it whenever. Nobody wants to talk about security systems on their house until their neighbor gets broken into, right? So what if, you know, if you say, okay, my uncle's website got hacked into and now I'm concerned, then they'll want to talk about it, right? As long as it's happening, as long as there's a story, they will make those kinds of decisions. But if you can give them some kind of tie to show that security and profitability have some kind of correlation, executives are much more open to talking about that. Well, tell me a little more. Tell me more about this profitability. I'd love to hear that. But that's really what this is all about.

Security really is a mindset. It is a mindset of how you look at your business. It's a mindset of how you look at your WordPress site. It's not just a WordPress site. It's not just a website. It is an asset. It is something that drives business for you. It is something that brings in leads. It is something that puts forth your unique selling proposition to your prospects. It is something that helps your business grow. If you think about your business, and you think about your website in that way, and as agencies, if you help your customers think about their website in that way, and you communicate and underscore everything in your proposals, in your maintenance contracts, everything that you're doing with your customers, talking about security as a mindset that helps grow a business, it changes the conversation. You then become a partner in protecting an asset and helping to use that asset and leverage that asset and grow a business. And I think that is really the goal of all of this: to think about our WordPress sites, think about our websites differently, rather than it just being an insignificant thing. Start thinking about it as an asset. When you start thinking about it that way, it changes the entire conversation. It changes how you think about everything associated with your digital marketing.

So what can we do about these hackers? Because they're going to target you no matter what. They're going to target your WordPress site. Even when you spin up... I don't know if you've ever spun up a WordPress website and, like, five minutes later you're already seeing bot traffic coming in. It's just the nature of the beast. It is the background noise of the internet.

Now, who's responsible? Who's responsible for this security? I would argue that a lot of people are responsible, but ultimately, whoever owns that business. Well, I was wanting to say whoever owns that domain name. Sometimes agencies own that. But whoever owns that business, whoever is receiving remuneration from that website, whoever's making money off of it, it's ultimately your responsibility. Because if you're making money off of your website, if your website's driving business and bringing in new customers, or just helping to support your business whatsoever, then you need to take responsibility for it. Now, this doesn't mean that, you know, if there's a problem with your hosting provider or whatever, that it's your responsibility. You know, you contract with these companies, with your agency, with your hosting provider, with whoever is working on your website. There's a shared responsibility, but ultimately, it's your responsibility to prioritize security and to prioritize thinking about your site as a digital asset. So we're going to talk about what can be done and how hard this really is as we get into the second half of this.

So first of all, the most important thing is to really consider being prepared: incident response planning, planning for a hack. Don't think of it as something that might happen. Think of hacks as something that will happen, something that is going to happen, and we're going to plan for what happens. Who's responsible? Who do we need to communicate to, and what do we do, and who's responsible for each little element of recovering from a hack and figuring out what happened and sort of informing that entire process. Doing security audits, making sure that that's happening, and making sure you're doing backups off server. Being prepared and just kind of having this mindset of, all right, it's under attack, it's going to be under attack always, and eventually we are going to be hacked. Typically, if you think that way, like we are going to be hacked, you are going to start taking steps towards protecting yourself and lessen the probability, lessen the risk. You want to uncover and patch problems before hackers find them. So security auditing, that would be something that you might want to do every three months, depending on what you're doing. Whenever you change something, you should probably do an audit and just look at all of your systems. The session that we're going to be doing on July 17 is going to be about security auditing, backups, testing your backups, because a backup that's taken but not tested is not really a backup. If you have never tested a restore of your backup process, that is a problem. That should be done along with your security auditing as well. So preparing yourself.

It's really important to know and think about your website and all of the different access points around your site. Now, if you're a small business, typically you think about wp-admin, my login. I should just protect my... I know what I'll do. I'll just hide my login. My site will be safe. They'll never discover any other ways to get in. Your website has a number of different ways that information can be read. Okay, so you have wp-admin, of course; there's a username and password that can log in. But there's also something called XML-RPC, which is a programmatic way that brute force attacks can happen. It's a programmatic way that information can be exchanged if you use Jetpack, and Jetpack has, you know, a ton of different tools. A lot of people use it because it integrates with WooCommerce and being able to do, like, shipping calculations. I'm not exactly sure, but XML-RPC and Jetpack, it's how the Jetpack servers and your website communicate with each other. It can also be used maliciously. The REST API, which is another way of communicating with your website, is another way. phpMyAdmin: there's a database and files that are behind your WordPress site. phpMyAdmin is a programmatic way to look at the database alone and not necessarily look at the files, but you can see all of the different tables in the database, which are kind of like integrated spreadsheets that talk to each other. So phpMyAdmin, if that's not secured, that could be an entry point into your WordPress site. Your hosting panel has a file manager, and if somebody's got access to your hosting panel, that could also be an intrusion factor. There's SSH and FTP, which are ways of looking at the file system. And of course HTTP, and of course HTTPS, secured Hypertext Transfer Protocol. All of these different protocols. It's not just wp-admin. Your website is this thing with all of these other ways of taking care of it. So being able to consider all of those different things. The server in a data center that your site is on also is another thing to consider. I included this OSI model because it talks about all of the different things that go into application security. WordPress is an application, and there's tons of different ways that things get communicated to, and sessions are maintained between a user logging into the site. There's just so much here.

And all of these things can have vulnerabilities associated with them, which is why you choose a really great hosting provider that understands all of this, and you partner with them so that they take care of a lot of this for you. But there's some things that are just ultimately going to be your responsibility. If you give access to someone to wp-admin and they're like, oh, that password's way too long, I'm never going to remember that, and they change it to, you know, Scooter95, because that's when they had a scooter that they liked, in '95, and of course, I'm going to remember that, I use it for everything. Then now we've got a problem, right? Because if they're using it for everything, it's definitely in a breach. So lots of things go into making a website accessible on the internet, and all of these things have to be secured. It's not just, you know, protecting your site from Scooter95. But that is important as well: protecting authentication. You want to make sure that everyone that you are giving access to post things, contributors, editors, all of these people, you need to make sure that they are using strong, unique passwords, that they are using an actual password manager that is encrypted. I had a conversation recently with someone who's like, oh, I don't keep my passwords in a password manager because hackers are going to know that all the passwords are in the password manager, so why would I want to put them in there? And I had a twitch or two, and then I said, it's this thing called encryption. Encryption. Yeah, we don't do it in a Google spreadsheet.

Anyway, that I might have some PTSD from that. Use a password manager. If you don't trust a password manager and you think the hackers gonna know that's where all your passwords are. You can try the blind password strategy. That is the way where you have a password that's entered in at one site. Part of the password is in the Password Manager and then there's like a four digit code that you just kind of keep in your head 1234 I'm so I've got my password and my password manager but I don't trust it. So I'm gonna put in that password that's in the Password Manager into the site and then I type 1234 So all of your passwords everywhere are stored in the Password Manager with this blind password strategy and you just add 1234 At the end of it when you're typing it into a system. That's your way around not trusting password managers but honestly other than the debacle with LastPass most of the password managers out there are pretty good. There are a few that I prefer over others but trust your password managers encryption is our friend. Two factor authentication, requiring that of everyone on your site using solid security for that, making sure that people have their password because you never know when someone's going to change it to scooter 95. And making sure they're using two factor authentication as that extra layer of security for their authentication and using an authenticator. app rather than SMS Of course. I have learned so much about SMS security in the past few weeks. There's a video up on my YouTube channel about signal signaling system seven and just how insecure This is And it underscores all of our phone calls all of SMS, use your authenticator apps. And then solid security has been the innovator in the WordPress space using pass keys and pass keys are pretty nifty. It is passwordless logging in. I might still use that maybe as a second factor for some people but it is a really cool tool. We're gonna see more and more of the big tech companies using that. 
And then the principle of least privilege. And this is a principle in security, which says only give access to something so that the people you've hired to do a job can do that job. So you don't give someone access to the WordPress site. There's no like admin access each individual user gets their own login. So and and if you have someone who all they're doing is posting blog posts, they're not updating plugins. They only need editor access, or maybe you have someone who they're just contributing articles, but you want to check them out before they go live. They can have contributor access. So really being judicious about the access that you're giving to your WordPress site and applying the principle of least privilege this is something not just for word processes for everything. If wherever possible, use delegation of access. So it's like okay, well I will grant you access to the hosting panel through my hosting provider, rather than sharing that password for the hosting account that type of thing. So that you can then just turn off access for that person. And then also, if you have somebody who's just working on your WordPress site for, you know, maybe they're an SEO person and they're just going to go tweak some things, making sure that you eliminate their access. Once they are done doing that job. least privilege is the principle we are applying here. And then of course protecting your software critically important to making sure that all software is updated. plugins, themes core the FTP application on your computer, your browsers, Chrome this year alone has had eight zero days. That means a vulnerability that hackers discovered and played with before it got patched. So making sure that your browser's that you are accessing websites and especially your WordPress site that making sure that that's updated making sure your computer is updated on there have been many cases reported of info stealers getting on someone's computer and that affecting WordPress sites. 
So making sure that all software when an update is available that you do update it and then if you're not using a piece of software, especially like a plugin, don't just deactivate it. No, I might use that again later. On. Make sure that you remove that plugin. There was a plugin a while back called File Manager. It's kind of nifty it's it's a great little utility that allows you to seal the file system of your WordPress site right there in WP admin. Very handy. This plugin was installed and I think of course somebody's calling me and my phone's buzzing Excuse me. The File Manager plugin, like 800,000 users at the time and lots of people had it just there and deactivated and just it was so vulnerable. The vulnerability that was discovered by the hacker was still exploitable even though the plugin wasn't active. It just needed to be installed. So as a general rule, if you are not using a piece of plugin, if it is not required for the front end operation of your website, remove that plugin you can always reinstall like if the file manager thing I could see why people would be like Oh yeah, I'm just gonna leave it there because it's handy to have around. You can always reinstall it if you need to do something duplicator plugins, all of those types of things that you're just using every once in a while. Install them, use them, do what you need to do and then deactivate and uninstall them. Functional isolation one site per server based user one site for each function. I am not a big fan of guess WordPress can do everything but I'm not a big fan of doing the Commerce and the LMS and the membership site all on word one WordPress site like if you have multiple functions of your business, isolating them because it isolates a problem and and not putting like 30 sites in a sea panel. I know this is a popular thing. I know there are tons of people on YouTube saying this is a great way to save money. 
You do not want to do this, because if one site gets hacked, then they all get hacked and you have to get all of them cleaned. And that can be costly, and it can be time consuming. I've seen it happen too many times, because once the hacker gets access to one site, if all of those sites are running under the same PHP user, and that's what a cPanel does, then they are all vulnerable and you're going to have to clean them all at the same time. Make sure that your backups are off the server. You can take your backup, nice and tight, and store it someplace else. Here's the thing: if that site or that server is ever compromised, and those backups are there, you're going to have to assume that those backups were tampered with and that malware is within them. You cannot trust them unless they are isolated. That is another reason why you don't want to try to clean the site with a plugin, where you install a plugin and it does the malware scanning, because it's running within the same environment as the site that has been attacked or hacked. So also test those backups as well. Cloudflare is not just for performance; they have tons of firewall tools in there. They have something called Turnstile, which is a more privacy-focused CAPTCHA, and you can use that to prevent things like spam submissions on forms and carding attacks, which are attacks that basically find a WooCommerce installation, and they have a list of credit cards that they've stolen from someone, and they go and test and see if those credit cards are valid. It's very annoying to have to try to clean up that stuff. So you want to make sure that you have some kind of cloud-based firewall in place and some protections for those bot actions that are coming at your site.

And something to consider also: if you detect a hacker on your site, you want to take action immediately. The faster you can detect that malicious activity is happening on your site, the faster you can stop them, the faster you can shut it down, the faster you can get back up and running, and the less damage an attacker can do. So you want to make sure that you have some kind of scanning happening. Now, tons of hosting providers have scanning capabilities for file changes. Solid Security also will do this. If files have changed, it will let you know. You want to make sure that your hosting provider has good network monitoring, and make sure that you just have some kind of system in place that is going to tell you, hey, something's changed, or someone's logged in, some kind of indication that a compromise is happening or a compromise has happened. Because the faster you get that notification, the faster you can take action to make sure that your site is protected. And if you're an agency, I mean, that's the last thing you want to hear: my customer just called and let me know that there's a problem on the site. You don't want those kinds of calls, right? You would rather detect, hey, there's a problem, let's investigate and see if there's something that we need to do. It's really important to tune your alerts. If any of you have had any kind of alerting system in place with WordPress, you can get something called alert fatigue, where it's just like, all right, there's the daily security digest. I'm guilty of deleting them. I have them on test sites, though. So then it really puts me into alert fatigue, where now when I get it on my primary site, my site that is running an LMS, I'm on it right away, but my test sites' security digests, whatever, I don't look at them. And it gets you in this habit of, okay, that's not important, but there could be very important data in those.
So if you find yourself deleting security digests, take a step back and fix the alerts, fix the alert fatigue, so that you do get fast detection, and that enables your fast response. And that's it. Follow me on YouTube. That is where I'm posting. I am doing some WordPress stuff, but mostly I'm focusing on general security types of things. And I do have a checklist if you go to that .com address, /solid-checklist. If you haven't gotten that checklist, that is the security audit process that I go through. It's got a checklist, and it also goes through each individual item and explains what that is: what am I looking for when I'm looking at isolated sites, what are the determinants that go in there. So it gives you sort of an idea of what to do there. So that's all I got for you. And I am open for questions, Nathan.

All right. Thank you, Kathy. My webcam died at some point during this live stream, so I am audio only for the duration today. All right. Great information today, folks. Hopefully you also picked up some really helpful ways to explain the security issues to your clients. The link bundle is once again in the chat if you want to download the slide deck. That link is there, and the link to download the audit checklist you see on your screen is also there. Also, follow Kathy on YouTube at that link. Several questions are here in the chat. And if you have a question to ask and you haven't done so, I'd invite you to go ahead and do that now. Just open up the Zoom Q&A by mousing over the shared screen and clicking the Q&A icon. You can also look at the questions that have been asked there and upvote the questions of others. All right. So the first question comes from an anonymous attendee. They are asking: I have Solid Security Pro on my WordPress website. I get notifications that files are updated, but I don't know how to evaluate if these were just automatic updates or the results of hacking. I'm not sure how to evaluate the log; it seems very manual. Can you advise a non-programmer how they can evaluate logs efficiently?

Yes, okay. So you have to understand what's going on on your website. So when I get those types of things, first of all, I have a schedule of when I do plugin updates, because when you do plugin updates, then you know: okay, I just updated Kadence Blocks, so of course some files changed. If you have automatic updates, it makes it a lot harder to determine what has changed. You're going to have to go look at the changelog for that particular plugin and say, okay, was there an automatic update, and does that correlate with the timestamp of when this file changed? Then, some of the PayPal things have logs, so you'll see a file named like gibberish and then .log. Or if you have a caching plugin on your site, you'll see gibberish-gibberish.html. I know W3 Total Cache does that, and I think there are some other plugins that have caching files that change. Those would be regular types of things. Other people might have other ones; those are the ones I can remember. Now, here's when things look funky: when you get something in the root of your WordPress site, or wp-config changed. Like, that shouldn't have changed. That file is pretty static. That has all of your database password, where your database is, your salts, all of that. But hackers know that there's stuff in there, and that file doesn't get the same kind of file comparison. So they love to put a backdoor at the top of that file. So if wp-config has changed, I would be suspicious of that. If there are files that just look weird and different, or if there's a new file that has shown up, those types of things would be things that you would want to investigate. And you can use Sucuri's SiteCheck; it's a remote scanner.
So it's not going to find backdoors that are buried in your wp-content folder. But it will tell you your site's redirecting to a bad neighborhood, or there are spam links. It'll tell you the indicators of compromise, because hackers are going to put backdoors, but they're also going to do something forward-facing with your site. They're going to do something like a malicious redirect. They're going to do something like a phishing kit. Make sure that your site is also signed up to Google Search Console, because if anything is going wrong with your site, Google is going to be like, we're not sending our customers to your site, and Search Console is going to let you know that there is a problem as well. So you want to have as many different monitoring capabilities as possible. The reason why you really want Solid Security is it's on the server, right? It's there and it's looking for anything that is different. So that would be the reason why you want that, but I would also leverage some of these other tools as well. But hackers name files weird things, like gibberish.php, and those types of things where, ah, there's a new file here that doesn't make sense. Those types of things would be alarming. Yeah,

great information. And I'll just reiterate the importance of doing updates on a schedule, because that way, if you get a file change notification, and it was during the window that you were running your updates, then you can pretty well be sure that it was your actions and not something else. Right,

right. Yeah, yeah. I'm not a big fan of auto updates. Now, in the ops world, where you're taking care of servers and patching things, there's something called automated updates and attended updates. And this is the same type of thing, right? I want to be attending if I'm doing an update. I want to see, okay, that update went just fine, there are no incompatibilities, everything looks okay. My test sites are all on automated updates; I don't really worry, because I can just wipe those out. But for things that are important, I do attended updates, and I do them on staging servers first. You go on your staging server, you have a complete replica of your public server, and on your staging server you go through a process of updating everything. And when you do that and everything looks okay, then you can go to your primary site, your live site, and do your updates there. So that's the way I do updates, and that's what every successful WordPress user should

do. I can't agree more. I'm nodding my head up and down as though people can see me, but that's not possible right now. Yes. Okay. Great question here from Felipe. So, Kathy, you mentioned different password managers. What password manager do you trust? And do you know anything about RoboForm?

RoboForm. I did evaluate that last year, but it didn't... I heard people talking positively about it, but I'm not going to say, because I don't know anything about it. So yea or nay? I'm right in the middle on that. Bitwarden I love for people because it is super easy to use. It is super easy to get started. It's $10 a year; you have no excuse, right? It's open source. You have the option of using their encryption and storing it on the cloud, so then you also have it on your phone as well, that type of thing. Or you can do it self-hosted as well, if you want to set up a Linux thing and do all of that fun stuff. It has that as an option. So I love Bitwarden for that. 1Password, I love them because they have sort of like three factors that go into the encryption of it. I love it for teams, but it is pricier. But if you have a team, you can set up like the marketing vault, and, you know, Twitter, you've got to share a password for Twitter; you can't delegate on that, that I know of yet. So that goes into the marketing vault, and then you can just add people to the marketing vault and take them out when they leave, and of course change those passwords, because you never know what somebody is going to do with stuff once they have access. Keeper, Nathan, I know you love that one.

We love Keeper; that's what we use in my agency. Awesome. Well,

NordPass also. I've got a relationship with them, and they are great. I did see one person complaining about their browser extension not being that great, but I don't use the browser extensions, because I have seen some vulnerabilities in a few of the browser extensions, and I figure if I can't click the copy button and paste, I've got a problem. So yeah,

it's a good question from Derek. Kathy, what's your opinion of one-time passwords via email? Is that a good idea?

One-time passwords via email. Oh, like so you're logging in, you put in your email address, and then it sends you a six-digit code and boom, you're in? Yeah, I kind of like those. But of course then you have the dependency on the email, right? You're making an assumption that the email is secured, which sometimes it's not. Everybody assumes their email is all super secure, and they're not using good passwords on their email either. So if you're going to use a good password and two-factor and all of the things, do have them on your email address. But yeah, I don't see a problem with those. It does get rid of the password reuse problem, because those one-time passwords typically only last for like 30 seconds, or maybe longer for some of those. But yeah, I like those. I use a lot of systems now that are doing that.

Yeah, I've noticed a lot of corporate websites have gone to a one-time passcode by email, or a magic link in an email, rather than a password at all, and I guess in some ways it is a little more secure than just a single password. But yeah, again, you're depending on the security of your email. So yes, ultimately, would you say that the future is passkeys?

Yeah, well, there have been a few debates with other security guys about passkeys. I love passkeys. I've used passkeys; I've played with passkeys. I am a big believer in what they can do, but the adoption just hasn't been there. There have been complaints about how passkeys are, you know, like if you store something in your Apple keychain or whatever. And it's cool, because on my Mac I can do a passkey in Safari, and then it's open and I can get it in my Chrome, because I go back and forth between browsers all the time. So I can do that. But if I am traveling and something's going on and I need to access something on my friend's Windows machine, I'm kind of out of luck, right? Because you have this vendor lock-in with passkeys. So there's a lot of people who complain about that. But the alternative is so many people get phished out of their credentials, passwords are brute forced; there is a password problem. So I really like that Stripe, for example, uses passkeys as a second factor, which I think is great. I am hoping that big tech gets things together, because I think passkeys can be helpful, but I've had some debates with a few security guys about it.

Interesting. Interesting. Let's see, I'm scanning through here; several questions. All right. This isn't specifically a security issue. Sherry's question is about some traffic she's seeing from a source called facebookexternalhit, which I've seen too. I think it's just Facebook. Yeah, a Slurp bot. How do you stop that sort of aggressive social traffic?

Yeah, I've had some conversations with folks who are like, you know, I don't want my content scraped by AI. And supposedly these kinds of bots are supposed to obey whatever you put into the robots.txt file, but I've seen so much stuff that doesn't, right? Like you say, okay, disallow everything, and this folder, and it's not obeyed by a lot of the scrapers and stuff like that. Really, the only thing you can do is block by IP, block by IP range, those types of things. Yeah, Stacy, they're supposed to. Yeah, they're supposed to obey your directives, but it's just been kind of like a free-for-all. So you're just going to have to... you can do an .htaccess block. I'm sure StackOverflow or some AI bot knows the answer better than I can come up with off the top of my head, but you can do those kinds of blocks by IP.

Yeah, and Cloudflare has a really nice setting. If you're using Cloudflare for the DNS of the site, you can throttle back those social scrapers to, you know, one request per second, I think it is, yeah, or 10 requests every 10 seconds, and it'll throttle them until the next timeframe comes around. Nice.

But yeah, I would put Cloudflare in front of everything at this point. I mean, I know it's a big company, right, and they're in it to make money, but they do have a free service where you can use them for DNS. And I found, first of all, when you need to move a site from host A to host B, which as WordPress users we do, right? We move from host to host as hosting providers' reliability changes. And the DNS updates and propagates so quickly with Cloudflare. So there's one benefit. But from a security standpoint, they have that Under Attack button, right? If you are under attack, wouldn't it be better to have it already set up so that you can stop the onslaught coming to your server? It's better to have the DNS in a very manageable, fast-updating place so that you can say, okay, I'm under attack, this DDoS attack, let's get that off the server. So just from a security standpoint, just having that set up so that you have the flexibility and freedom to take action, should you ever be under that kind of attack. Makes sense?

Yeah, indeed. Ah, let's see. I'm just scrolling through the questions. And folks, I would love to take your opinions on these; open up the Q&A and upvote the questions you would like to see answered. Derek would like to know which 2FA app you prefer.

Like the phone app on your phone, or the one on WordPress?

I guess it's the authenticator app that he's asking about. Okay,

um, I have like four. So I use Google Authenticator. I have got a couple of things on Authy still. And then a couple of other ones. But I have a video on my YouTube site about it: something like 500,000 people are using these rogue 2FA apps. This security researcher found all of these authenticator apps; the joke is, will the real authenticator app please stand up, because they all look like real authenticator apps, and some of them are phoning home with your secrets, some of them are charging you 40 bucks a month. So you have to be really judicious about your authenticator apps. I'm just using Google right now. Somebody was talking about another one that was more privacy-focused and less big tech. I'm kind of leaning into the less-big-tech stuff lately. So Stacy says she likes 2FAS. Yeah. And I would also like to put in a pitch for core to include 2FA as a part of core.

Yes, I've seen some discussions in the Make WordPress Slack about that. There are a number of advocates for bringing two-factor authentication into core. Yep, yeah, that would be... let's see, here's a question from an anonymous attendee: I run multiple sites and manage them through MainWP. Can Solid Security be managed through MainWP or something similar? Also, can you speak on Solid Security Patchstack integration? I'm happy to take that, Kathy, or anything you want to dive into with that.

Yeah, I will just say that when you are using a system like MainWP to manage all of your sites, that is a single point of failure. You need to make sure 2FA is up on that; you need to make sure that you secure that. I have heard stories of stolen session cookies happening for those types of management services. And so you just have to make sure whatever you're logging into, 2FA on it, just secure that, since all the eggs are in one basket. But yeah, I'll let you talk to the Solid Security part. I love Patchstack, though. I will definitely vouch for Oliver and his team at Patchstack.

100%. And sorry, folks, my camera has died during this live stream and I don't know why, but I'm not going to be able to fix it, so you'll just hear a disembodied voice for the moment. So Solid Security. If you're using Solid Security on multiple WordPress sites and you want to manage all those in one spot, I can't say much about that at the moment other than I think you'll like what is coming to Solid Central very soon, and that's all I'll say about that. That's a little teaser. Just watch for news coming very soon about that. What I will also say about Patchstack integration: that is the killer feature for Solid Security. We use the Patchstack scan to look at all of the themes and plugins that are on your site; that runs twice a day. If a vulnerability is discovered based on what's listed there in the Patchstack database, there's a wonderful feature in Solid Security called Version Management that will automatically apply the patch without you having to do anything. So as soon as a vulnerability is discovered and there is a patch released, or in other words the plugin or theme developer has released the next version that fixes the problem, Solid Security Pro will automatically apply that patch, which is just wonderful when you're managing lots of sites. So that Patchstack integration, especially the Patchstack firewall: even if that patch hasn't been released yet by the developer, if Patchstack has identified the vulnerability, the Patchstack firewall will prevent a bad actor or a hacker from accessing that vulnerability. So it's an incredibly powerful feature. Monta, yes, you can get that in the notifications. Solid Security has very granular settings on the notifications. You can decide who gets notifications about what, and one of those is when an automatic update has been applied. You can get an alert to let you know that's happened. Yes. All right. Great question. Thanks for asking that. Let's see.
Here's a good question from Joan. Kathy, is comment spam that has not yet been approved dangerous to a website's security?

It can be. There is a type of vulnerability, cross-site request forgery, where an attacker can (sorry, that's my daughter) an attacker can craft a link and put it into a comment. And if you click on that link, it might even be a link to your own site with just some query string on it, you know, a question mark and some stuff at the end of it, and that can exploit a vulnerability in a plugin or theme that has a cross-site request forgery flaw. So that type of vulnerability can only be exploited if they trick you, a site administrator or anybody approving comments, into clicking on one of those links. So I always say do not click on links in comments, or even in emails, especially if it looks like it's going to your own site. That could be exploiting a vulnerability that you might not even know is on your site. It might be a zero day; you might have all of your plugins updated and it looks like your site is perfect and fine, everything's cool, but there might be a zero-day vulnerability that is a CSRF, and that could be exploited through one of these specially crafted links. Yeah,

that's a really good point. And that's something that we don't talk about a lot as a potential vulnerability.

Yeah, yeah, it is. And people talk about cross-site scripting all the time, because it's like, oh, unauthenticated cross-site scripting, well, an attacker has just gotten in. These CSRFs require you to be tricked into doing something, but it's pretty easy to trick people. Humans are the weakest link in security, unfortunately. So, general rule: just don't click on any links in comments. Yeah.

Let's see, another question from an anonymous attendee. They use Bluehost Cloud, as opposed to Bluehost shared; it doesn't allow third-party firewalls. Do you have any recommendations?

Um, yeah, if it doesn't allow you to manage your own firewall, then I would strongly quiz your hosting provider on what firewalls they have in front of your site, because with these cloud-based services, or these managed services, these hosting providers are like, don't you worry about a thing, we'll take care of everything; you don't have to think about firewalls because here's what we've got going on for you. And I would quiz them on what they've got going on for you if they are taking on that additional responsibility and charging you more for it. And you should ask them for more details about what that service actually entails. It might be awesome. I am not aware; I don't know. Yep,

indeed. You should definitely know what your hosting provider is providing, period, right? Like, what security practices do they have in place? How do they update all of the server software that you're trusting them to maintain, whether it's a managed WordPress host or a standard VPS? Are they keeping the patches applied to Apache or NGINX, or whatever web hosting platform they're using? Those are questions we need to ask.

Yes, ultimately. Well, that's one of the reasons why I had the OSI model and looked at all the different ways you can get into WordPress, because I want you to consider all of this, because ultimately it's your site; it's your responsibility to make sure all of those things are taken care of. So if your hosting provider, you know, you have a partnership with them, you are contracting them to do all of these things and take care of it so you don't have to think about it. But you are ultimately still responsible for that to be taken care of. So you're responsible to ask the right questions of your partner in hosting.

Yeah, absolutely. And that's a great place to stop, folks. I've dropped the link bundle again in the chat if you want to download today's slides. If you missed that earlier, you can do so. There's also the link for Kathy's audit checklist, and next month, coming up on July the 17th, Kathy is going to be talking about WordPress security audits. That's going to be a great live stream, and the link to sign up for that is there in the chat. Finally, the link to follow Kathy on YouTube is there for you as well. I will have this replay up in about an hour; again, the link is there in the bundle in the chat. You can rewatch this or share it with a friend, and we hope you do so. Kathy, any final words as we're wrapping up?

No, I'm just really grateful to be here. And thank you, everyone, for coming. Stay safe out there.

Absolutely. Well, folks, thanks for hanging out with us for the last hour. Hopefully you've picked up a few things and maybe some new ways to talk about security with those who need some education. I'm back tomorrow for members with Office Hours here on Solid Academy, where we go further together.