MTM Ep#15: How to build a moat around your site with fortified website security with Dave Brong


Welcome back to another episode of More Than Marketing. I’m your host, Arsham Mirshah. Our CTO, Dave Brong, will be discussing everything that can go wrong when your website security gets compromised and how to prevent that. We’ll mention tools and techniques you can use to prevent hacks, breaches, and employees from sharing sensitive data that can damage your company’s reputation.


– [Dave] Security is not just about breaches. It’s not about just getting that information lost or stolen. It’s about what can actually happen to it. Can you go in and change a record? What’s gonna happen to it?

– Hey everyone, Arsham Mirshah your host, More Than Marketing, we’re back. Today I’m with Dave Brong, Dave Brong’s a CTO here at WebMechanix. We’re gonna talk about security. It’s More Than Marketing, true to the name, we gotta talk about security. Right Dave, you’re a CTO here, you see it.

– Yeah, it’s war stories, it’s horror stories, it’s everything that can go on when you’re not thinking about what’s going on. It’s going down to locking your door at your house at night.

– We promise not to make this very fearmongering, we’re talkin’ before this where we’re like should we drive fear into their hearts? But the answer’s no, let’s not do that. Instead, let’s get some practical tips, let’s discuss the topic a little bit and get some practical tips, so that’s what we’ll do. Alright, so gettin’ started Dave, you’re a CTO here at WebMechanix Digital Agency, so you see a lot of websites. You manage a lotta websites, you host a lotta websites, right?

– Yep, we maintain somewhere around 100, 110 different websites.

– So you know the different complexities of them, the different content management systems, mostly WordPress in our case, and how vulnerable is WordPress?

– WordPress itself, as a product is very secure. It has the community around it that open source product, very, very secure, very quickly updated also, if there is an issue. It’s the plugin ecosystem you have to worry about, because there are so many plugins available, that nobody maintains well, anybody can write it, anybody can publish a plugin.

– I see that too, just because you know, my friends kinda know I’m a tech guy, I’m whatever guy, and some of ’em run blogs and are like hey, help me out with my blog. And so I’m like okay, give me admin access. So they give it to me, I go to the WordPress blog, what do I see?

– 50 plugins.

– That was the exact number I was gonna use, exact number. 50 plugins dude.

– 30 active and a lotta inactive ones.

– Inactive, how many are out of date, right? And it’s just like well no wonder your thing is slow, your site is busted, this and that, right? Nah I get it, that’s kinda the. Also the benefit of WordPress is someone who doesn’t have–

– It’s so extensible, you can add stuff in so quickly when you need to. The consideration on the backend side of it is what are you actually doing in the first place? Are you just trying to solve an issue quickly, or really think about the long-term benefit of your site?

– And I think that’s the thing, I think that’s the problem is the plugin is like okay, quick fix, right? It’s like instant messenger, I got a quick kinda.

– Just want it done so I can move on to my next task.

– Yeah, so I can move on to the next thing. And then the problem with that is plugin goes out of date, or has a security vulnerability, and then what happens?

– And then, sooner or later, your website’s reputation gets damaged. Search engines start removing you from the indexes. Even worst case scenario, adding you to their malware list. Throwing up that big red screen, don’t visit me.

– Yeah, careful on this site. If you’ve ever seen it where if a site’s been hacked you’ll see, especially in the Chrome browser you’ll see a big red screen, careful, this site has malware. You don’t want that, and I wouldn’t call that the worst case. That’s the worst case as it pertains to a marketer’s organic search traffic, or not even organic search traffic, more than organic. All your channels are infected then–

– That’s the start of it, and then it cascades out. So it starts with maybe Google blocking you, or throwing up a warning, and then it goes to other systems. McAfee, anti-virus systems, then they start blocking their home users at the home networks too. Comcast and Verizon don’t want that traffic on their networks, they stop it completely.

– Yeah, so not only do you have to prevent it, and then if it happens you have a remediation plan in place. So I think the best thing to do is prevent it, right?

– Yeah, easiest thing is to prevent it.

– Yeah, so how can someone prevent it?

– Just having someone accountable to your website, to keeping it updated. Doesn’t have to be every day, it doesn’t have to be within 48 hours. Just someone that is aware of what’s happening to your website, what plugins you’re using, you know? It’s just your website uses 10 plugins, let’s say. Put in a Google Alert and say advanced custom fields, vulnerability, you get notified when Google searches something like that or indexes it.

– No, actually I like that, I didn’t know what you were gonna answer, and I like that. Someone accountable to it, right? So now the question is, who should that be?

– Yeah, that’s the hard part.

– That’s the hard part. So in our world we manage our client websites, but we don’t always get paid. There’s not a line item that says, sometimes there’s line item that says there’s website security, but sometimes hey, you built our site, you host our site, I’m gonna assume that you’re kinda keepin’ it secure.

– Yeah, that’s the accountable side of it, you know? As developers, or as marketers, we’re always working with that website. So it takes us less time and involvement just to stay on top of what it’s doing than it would be to actually fix an issue later.

– Right, so we wanna prevent it.

– Yeah.

– Yeah, so we’re going to prevent it. But let’s say someone is not workin’ with the agency, or the agency they’re workin’ with doesn’t have development chops or hosts. Do they go to their host?

– They could go to their host depending on where their host is. A lotta hosts nowadays call themselves managed web hosts. So the managed part of it is they have a help desk system, or a ticketing system that you can ask for help when you need it. Some of them, the better ones actually have managed services that help prevent issues in your website.

– And that’s what you’re lookin’ for.

– They’re not just protecting themselves, they’re trying to protect you as their customer.

– Okay, so what do I look for? What do I Google, or do you know, I dunno.

– Based on the CMS system you’re on you can just Google for managed hosting WordPress, or managed hosting Drupal. You’ll find some top hits there. You’ll find articles that compare them together, like GoDaddy versus WP Engine, versus Pantheon or whatever the case may be. You can see what the community thinks of that.

– And expect to pay more?

– Expect to pay the business side of hosting. Not a personal website, personally I can only afford $5 a month. As a business, you know, $30, $50 a month, that’s minimum.

– And I’d say that’s nothing.

– It really is nothing, it’s lunch.

– And it’s not even lunch a month, 50 bucks a month, that’s like nothing.

– One day of lunch really.

– Yeah, right? So I think that that’s a really good advice because it’s kinda like insurance, right? You pay a little bit for insurance. Actually it’s not exactly like insurance. Insurance says hey, if something happens we’ll give you the money to fix it or whatever, right?

– Maybe.

– Maybe we’ll give you the money to fix it, yeah, exactly. Whereas I dunno, this is a preventative plan. I don’t know what it’s akin to, but it’s basically saying it’s like a layer on top of your car, so if someone dings it it won’t ding, right?

– Yeah, it’s tryin’ to give the end-user some peace of mind. Peace of mind as to why it costs this much, or why I should go here versus there, you know? If I’m with GoDaddy for example, GoDaddy’s the big name, everybody’s heard of GoDaddy before. If I’m with GoDaddy and I start having issues, now you start questioning where do I go next, what do I do? Do I contact GoDaddy and pay them more money? Is that gonna solve my issue?

– Depends on what the issue is.

– Is it an infrastructure issue? The actual servers that they’re running, or is it the human element that’s the issue? When I have an issue I put a ticket in to GoDaddy, they don’t respond for X number of hours. Is that good enough for me as a business owner? Do I need to go somewhere else that has live chat?

– Yeah, that’s good, yeah, so it depends on your needs. You have to evaluate your needs. And I think first and foremost, ’cause you said the worst case that can happen, and if we’re talkin’ to marketers out there yeah, maybe the worst case for you is all the traffic sources not being able to come to your site, or getting shown an error, not an error but a warning message coming to your site.

– The worst case might be the hidden stuff that you don’t know about, you know? Injecting pharma links into your website that don’t appear for six months down the line. It’s been there for so long at that point, your site’s been starting to cause issues. The smart hackers, they come in, they find your vulnerability, they leave a small trace, and then they come back a year later when you can’t track down who did it, how they did it.

– Right, right, right, yeah. And right now we’ve been talkin’ about websites this whole time, we haven’t even touched CRM.

– Yeah, everything, it’s the internet just in general, everything.

– And so CRM I’m scared of because that’s where a lotta PII is stored. Personally identifiable information, PII. And now marketers more than ever are responsible for more and more touch points with the customer, so now you have things like sales enablement, so you have the marketers in the CRM helping the salespeople, and so what does that mean? They have access, they have admin access to CRM.

– Right, they could see everything. They could see all your contacts in there, all of their responses, not just name and email address, or mailing address, they could see what pages they visited. What stuff they’ve done on your website.

– Email correspondence.

– Yeah, yeah, phone call conversations too sometimes.

– Phone call conversations recorded, sure, yeah. So all that is–

– Personal notes from your employees, talking about a client or a prospect too. That’s important, because you don’t wanna damage your own reputation as a business.

– So what do we do man? What is CMO to do, what’s a marketer to do?

– Well, there’s a lot to do about it actually. The first part of it is just being aware of what information is flowing, and what you’re collecting. Do you really need to collect certain questions on your regular contact form of your website? Do you have to ask them their birthday? No.

– No, you don’t need that.

– Ask them the least that you can. Conversion trends say the smaller the form is, the more conversions you get. Might not be high quality, but it starts the conversation.

– It does, and that’s yes, that’s right.

– So being aware of what you’re collecting, good first step. Being aware of who can look at that information later, that’s the hard part, you know? Marketing department, does every employee in marketing need access? Or just the marketing managers need access?

– I think one of the challenges though, as marketers we wanna move fast, right? And this sounds like hey, we gotta slow down and think about stuff.

– Slowing down, that’s a good way to put this, because marketing moves so fast nowadays. It’s always I have an instant need, it has to be done tomorrow, how do I do this and then move on to my next thing?

– Exactly, yeah. It’s unfortunate that marketers wanna move fast, and this is kinda like hey, slow down. But again, it’s that preventative measure, right? I think it’s kinda like stretching, right, before you go do a hard workout or somethin’ like that. I dunno, I don’t know what it’s akin to.

– I always bring it back to the house. I mean you have a house, it has windows, and doors, and your garage door sometimes. You go out for a run, what do you take with you? You take your keys, your garage door opener, or do you just leave your house unlocked?

– Yeah, that, whoa.

– I’ll be back in a half hour, I’ll take the risk.

– I had my bike stolen three weeks ago, so I lock everything now, you know? Once you get hit you’re like oh wow, it could happen.

– And that’s the unfortunate nature about security in the internet, you don’t think about it until it actually happens.

– Until it happens to you, that’s exactly right. And then it’s too late, you know? So I think, you said this before we started this is number one is be paranoid, right?

– Just be cautious.

– Be cautious, yeah. Paranoid maybe is a little strong, but cautious, definitely. Who has access to your site? What level of access do they have? Who has access to your CRM, what level of access?

– Where are you exporting the data to? You take all your contacts, and all their form fills and information, you export that to a CSV file and it’s stored on your laptop. What happens to your laptop? Who can access that laptop?

– Or you email it to somebody.

– Yeah, or you import it into another third party system, are you sending it every piece of information, or just what that system needs?

– Right, that’s exactly right. So yeah, so access is definitely one, and then what about the disgruntled employee?

– Oh that’s the tough one. You never know when someone is just gonna have a bad day and hit that delete button. Security is not just about breaching. It’s not about just getting that information lost or stolen. It’s about what can actually happen to it. Can you go in and change a record? Can you change somebody’s name, or write a note on there as I don’t like talkin’ to this person, you know? What’s gonna happen to that?

– Yeah yeah, yeah, yeah. So a little bit you need to be conscious, or cautious, paranoid would be end of the spectrum. But I think tip number two would be what? Consult an IT, right? There’s people that can help.

– There are a lotta people that can help, yeah, yeah. If you have an IT department in your organization, that’s a great first step. Your vendors, your developer of your website, who made the website for you in the first place. Ask them the questions. You’re going in there and doing what I tell you to do, but are you doing anything else for me? Are you keeping your plugins updated? If you wrote a piece of code six months ago that turns out to be vulnerable when you reuse that somewhere else, are you as an individual aware that you should tell your other clients what happened? Should you go in and fix it?

– I think just simply asking what are we doing, for the person who developed your site, or maintains it, or your host, what are we doing about security? Blanket, open-ended statement.

– That’s a great first start. And if they say nothing, then you have a worry. But if they can tell you in conversation a couple things that they’re doin’ for you. Like I read news every day, I hear about vulnerabilities in WordPress because I stay on top of it, it’s part of my job, yeah. How much further does that person go, just reading the news. Do they actually follow through on what’s happened?

– Yeah, and take some action, right. Take some action, right. But there are systems out there that you could use also, like MainWP, Sucuri, there are solutions is the point.

– There’s some big names around WordPress because of the nature of what WordPress is, that ecosystem of developers, and marketers, and everybody using it, it powers so much of the internet that you get these big players that come in and say we will protect your website. They do a good job at protecting you from the automated stuff.

– Right, brute force.

– Brute force, scanners, bots. You put a WordPress website up nowadays, and as soon as Google or a search engine knows about it, so do those hackers. They’re scannin’ it, they’re lookin’ for vulnerabilities on day one.

– Yeah, right. I’ve noticed that, that’s fun. You’re like wait a second, I just published this site.

– I’m popular all of a sudden.

– I’m popular, yeah, the server logs are like bing, bing, you’re like what, how is this happenin’? It’s like it’s already in, the dark web knows already.

– You can actually use search engines to look for vulnerabilities in your website.

– How do you do that?

– Just by looking for file names specifically.

– Oh, really?

– So WordPress has a security audit log plugin. And there was a vulnerability back in around October, that the log files it saves within the website were actually viewable to the public. So Google would find this stuff just by hitting it and searching it, and then show it in search results for your website. So all your security audit logs were being shown in Google’s cache down to this point.

– Dang, dang, you gotta robots that, for instance. That’s one way to do it, but that plugin adds a vulnerability.

– Yeah, that plugin itself had a vulnerability in the way it stored the information.

– Does MainWP tell you when there’s vulnerabilities?

– So MainWP’s a centralized management system. There’s a handful of those out there, like iThemes Sync.

– Only really makes sense if you have many WordPress websites, right?

– Yeah, if you have more than five I’d say. It’s hard to jump between a number of websites every single day to update it to see what’s goin’ on. So the centralized systems allow you to every day, or however many hours you choose to, it’ll go through, check every site within your network and see is there a plugin update available?

– Right, so it kinda automates that portion.

– Yeah, so it’ll tell you what’s available.

– So in the morning, eight a.m. you come in, you say what’s my report for the day? I have six websites that need to update Wordfence, or six websites that need to update Yoast SEO for example. Some of the good ones go a step further and do security audits, you know? Do I have a robots.txt that’s blocking certain things? Or do I have directory traversal where you can see those files, and read everything that’s not in WordPress itself, but what’s in the operating system side.

– What about blocking IPs that are brute forcing?

– Yeah, like WordFence has a network, iThemes has a network. So just like Gmail for example. Spam’s coming in, you get email, spam, how does it know that it’s spam? Gmail’s so large, if they get the same email message over 1,000 different people, it could be spam. Same thing with WordFence and all that.

– They’re using their database.

– Yeah, yeah, they’re using the network of what’s happening on the other sites we monitor, so.

– Yeah, they’re saying we have access to these, whatever, 100,000,000 sites, and we see these IP addresses hitting them all and not doing anything productive, so we’re gonna block ’em from all.

– Or obviously they’re changing letters in every URL. A, A, B, A, B, C, looking for stuff just by scanning.

– So they’re brute forcing basically. So those plugins, so hopefully, we’re just tryin’ to give you some tips to say kinda what’s possible out there. What’s happening, what’s possible. I think the biggest fear that I have as it pertains to security is that PII breaches, stolen information, ’cause that’s where you can get hit with fines.

– Yeah, the PII side of it, we’ve run across a few times where we inherit a website that you’re collecting information, the PII. You know, name, email address, but you’re sending it off into your third party tools, like Google Analytics, or a Facebook system or wherever. So it’s not really public information at that point, but you’re starting to send it around and you’re not aware of what’s happening.

– Or it’s like in the query string, and now when it’s in the query string, now it’s in your Facebook Analytics and it’s in your Google Analytics. And so now anyone with access to those can see.

– And what happens there, just like how Google could block your website for malware, now Analytics, or Facebook or whatever could block your entire account.

– Right, that’s crazy because if you actually rely on, in this case Facebook, or Google Ads. If you rely on ads to drive business, especially eCommerce or you get a lotta leads from those channels, and they shut you down, that’s a major business impact, major business impact. So okay, so the fines are maybe the worst case, that’s probably the worst cases is–

– The revenue impacting is, for most people, the worst case.

– Or again, eCommerce site, you got WooCommerce or whatever, and now your site is blocked by Google because there’s malware, you can’t make sales, like O-M-G, you know?

– Well that’s all stuff that you would find out about. Some stuff you don’t even find out about. Like eCommerce for example, Amazon has a huge issue with fake products.

– Oh wow, I didn’t know that.

– How do some of those fake products get on there? An individual could go through and just list it, oh you know, I found somethin’ on the street, I’m gonna sell it and I’m gonna say it’s authentic, okay? Or your website gets hacked, and it changes your product sync that goes into Amazon and just reroutes stuff, or changes names on stuff, makes it different.

– Oh wow.

– And that reflects back to your reputation as a business. It’s rare, it’s still rare.

– But it’s possible.

– Hackers, malware, all that stuff, it’s an umbrella term. It could be automated, it could be a bot that’s just doing the stuff, looking to get in to spread itself, or it could be that disgruntled person that you alienated and now they’re attacking you personally.

– Yeah, that’s the problem. So okay, there’s bots, there’s hackers, they’re goin’ from the outside. But you also gotta worry about kind of the inside out. So let’s give some tips on that real quick, on the inside out. I think first, look at yourself, right? So if I’m lookin’ at myself, I have admin to a lotta systems, what am I doing, what should I be doing Dave?

– Right, two-factor authentication. Number one thing you can do. Two-factor authentication, have it send a code to your cell phone, or use an authenticator app that gives you special randomized codes that change.

– And let me touch on that real quick, because a lot of us work maybe remote, or work from places where there’s unsecure wifi. This actually happened to Chris, my partner. And we were in Indonesia, and unsecure wifi, logged into his Gmail and what happened the next week? All of his contacts got hit with an email.

– Funny enough, we had a client have the same thing happen. She has access under her business account, that she can only get into that email when she’s in the office, okay? She needed to manage her website when she was on the road. So she added her personal email account in there as an admin, well that got hacked. They got into the website, they started makin’ changes.

– Oh, scary stuff, scary stuff. So why use two factors? Because you can sleep better at night when you know that hey, okay, even if someone has my password, my username and my password they still need another layer of–

– My cell phone, my thumbprint to get into my phone, or my passcode, or whatever.

– So they really have to have everything with two-factor in order to kinda get into your stuff.

– Yeah, now I mean two-factor’s not.

– Failsafe, right.

– Yeah, failsafe, right? Text messages aren’t even failsafe, but it’s a good start. It helps, it’ll cut you down from 100% vulnerable, or 95% vulnerable to 10% or whatever.

– That’s a big cut, that’s a great cut. No, I agree with that, that’s really, really good. What else?

– So single sign on, that’s another thing too. Try to not have passwords for every site if you don’t need it. ‘Cause now you have to remember the passwords, or you type them in every time you go there. Single sign on helps because you protect, and really lock down one account, and then use that to jump into other services.

– Yeah, well could one say though like okay, well what if they get access to that one account?

– Yeah, sure, right, but they would have to know where that account is also used. I mean if it’s an email account they could just check your email and see what you’ve logged into before.

– But I think you said it well, it’s like okay, lock that down, be really secure about that.

– Yeah, that main account, having two-factor on that one, and then using that as single sign on to go out to everything else, that’s a great.

– Yeah, that’s nice and safe. And then on that note, tip number three would be change your passwords.

– Change ’em, yes. Use a password manager that can automate the changes too. There’s some popular ones, LastPass, 1Password, the big systems out there, Facebook and all that, you can just tell your password manager change these. Change ’em every three months. Don’t tell me about it because it doesn’t matter to me, because I know my one password to get into everything else.

– Yeah, and then don’t write that one password down, right? Or don’t give that to anyone. And with passwords it’s kinda fun. I have fun coming up with passwords, you know? Like I’ll be like let me into this account, or let me through, or somethin’ like that, but I’ll spell it with zeroes, and with an exclamation point.

– So people actually say the passphrases are better and more secure because in your mind, you can remember them. So my Yahoo account, for example. Yahoo is an old service that 1, 2, 3, 4, 5 or whatever, I don’t know, just saying an example. But it kinda clicks in your head, it’s one of those memory triggers that you can help. And now you have a password that’s different and unique for every system.

– Yeah, exactly, no, that’s good stuff. So alright, this is what you gotta do. First off, you gotta know that this is a thing, right? That security is an issue. That famous Gartner report where the CMO’s gonna spend more than the CIO in 2020, I think there was one for 2017. It was trending, and then 2020. I don’t really know the numbers, it doesn’t matter, but the marketers are spending more and more on technology. They’re responsible for customer touch points. So CRM, point of sale, and they wanna move fast. So you gotta be careful not to bite yourself in the butt. ‘Cause that’s really gonna hurt if that happens, right? So be paranoid, check with IT, lock down your own first, and be careful who has access to what, and what else?

– Yeah, a little prevention right now goes a very long way.

– Very, very long way. Ask your host, what are we doing about security?

– Yeah, just asking the questions. Not making assumptions that you’re okay, just ask questions. Draft up an email with five questions, send that off to everybody that works on your website.

– Yeah, reach out to us, we’ll help you out with what those questions might be. We’ll help you out, we care about this stuff. We don’t wanna see you get in trouble.

– Yeah, we see it from a very large angle. All of our clients, all of the past clients we’ve had, and then all those websites. We see different ways of things happening, and how you can prevent it.

– And we’ve seen it happen before, and we don’t like it. It’s no fun for everyone. No fun for us havin’ to remediate it, no fun for the client havin’ to put the business on pause, no one wants to do that. So Dave, thanks so much for bein’ here man, appreciate it. For all of y’all out there, if you like it, like it. Comment, share it, do whatever you wanna do. Reach out to us if you have any questions, happy to help.

– Yep.

– Cheers, see you next time.

Dave Brong, Chief Technology Officer

Arsham Mirshah, CEO & Co-Founder
