Security Matters: Safeguarding Your Website

12/06/2024 27 min Season 8
Episode Synopsis

[00:00:00] Introduction to Website Security
[00:01:03] The importance of updates for WordPress, themes, and plugins
[00:02:29] Advanced security options: URL changes and security plugins
[00:06:14] Implementing two-factor authentication and strong passwords
[00:09:57] Updating PHP and the importance of SSL certificates
[00:18:38] Security considerations for e-commerce
[00:24:27] Regular backups and managing them effectively

[00:00:00] Speaker: Time for Geek Speak. And today we are talking about website security. Obviously we're going to be talking a lot about WordPress because it's generally one that, while it's very open, it also means that it's more open to vulnerabilities and other issues. But I think a lot of the principles that we're going to talk about today with WordPress are going to transcend to pretty much whatever platform you're on.
[00:00:25] Speaker: But yeah, WordPress is a good one to use as a jumping off point. Anyway, [00:00:30] my name is Phelan at Seymour Digital Media.
[00:00:32] Speaker 2: And I'm Greg McKinnon with Original72 Creative.
[00:00:36] Speaker: I think once a year, we're pretty much talking about this cause there's always different parts of security.
[00:00:41] Speaker: And it's one that I know you and I have run into with clients. There's always some sort of security issue with some client. And I would say the first place to get started with that, talking about that, is making sure your plugins are up to date. I think that is a big one that tackles a lot of [00:01:00] the issues that you're going to run into.
[00:01:03] Speaker 2: Yeah, it's pretty much, I would say, 85 to 90%, maybe even higher, that someone hacks your site or is able to get in through some vulnerability by an unpatched theme or plugin or WordPress itself. Top of the list obviously is to keep your [00:01:30] WordPress up to date, keep your themes up to date and keep your plugins up to date. If you do that simple process,
[00:01:37] Speaker 2: You will be doing yourself a big favor by keeping yourself already at that 90 percent safety level, just in that simple process.
[00:01:48] Speaker: Oh yeah, I absolutely like most of because most people that do have a website like you're not going to be individually targeted, which is a much more difficult situation to be in is if a person is going [00:02:00] after your website specifically, like that's a much tougher has many different aspects that you have to deal with.
[00:02:05] Speaker: But most people, they're just one URL on a big spreadsheet that the hackers are just trying to go your domain slash wp-login or admin to just try to see if your WordPress website, that's the first one. So most people, it's just, you're just getting swept up in a net. And most of those attacks can be solved by just keeping your plugins up to date.
[00:02:29] Speaker: If you want to get [00:02:30] fancier, you could do something like get WordFence. And we have certain clients that they've changed the WP login to some other name just so that, if they go sweep through, they just get counted as not being WordPress and so they get left alone.
[00:02:46] Speaker 2: And yeah, that is definitely a good one. I don't do it on a lot of sites because I find people get really tripped up on like, where do I go? Even though it's just go here. Like you [00:03:00] everybody. Everybody in the world just knows to go to WP dash admin. And when you change that on someone, they, for some reason really get tripped up over it.
[00:03:09] Speaker 2: Yeah. So I get questions all the time with people like that. What was my login again? So I have to tell them over and over again, like, why can't you just bookmark this, please? It's not difficult.
[00:03:22] Speaker: Yeah. Yeah. It's definitely one. Yeah. Clients get really weird if you change a little bit in their user flow that they just. Fritz out and just [00:03:30] have the
[00:03:30] Speaker 2: other thing. Along with changing the default login, which is highly recommended because then, because that's like every person trying to get into a WordPress site knows the admin is that WP dash admin. So you type that after your domain, you'll find it. So if you eliminate that, that's huge.
[00:03:49] Speaker 2: The other thing is changing the default admin user that gets created in WordPress, because probably [00:04:00] first or second after finding the login is them trying the default admin user that typically always gets created for a WordPress site. So eliminating that as well will help with people just trying to find that and try to brute force a password to get access to your site.
[00:04:26] Speaker: And that also leads me to another one. It's like having [00:04:30] something like WordFence, a plugin or something like that, that limits the number of attempts that people can make before there's a lockout. I know there's some hosting, like we have some clients on Flywheel, which is part of WP Engine, and so they by default limit the number of times you can try, which also helps with those brute force attacks where they're just basically slamming it a million times. And if you just say three times and then you're locked out, it goes a long way.
[00:04:54] Speaker 2: There's a really good plugin for WordPress that does just that. If you don't [00:05:00] have a security plugin, like we might get into in a little bit specific to doing a bunch of these things. There's one called Limit Login Attempts, and that will basically take care of the amount of times that people are able to attempt to log in and ban them if they go over that.
[00:05:20] Speaker 2: So yeah, if you have nothing else, at least use that. But in the other plugins that we get into [00:05:30] for more heavy duty security, they have all of these things and that's one of them, but Limit Login Attempts is just for that.
[00:05:38] Speaker: Yeah. Yeah. And it's definitely one I've seen on a couple of our clients websites and super helpful especially if they do run into like people brute forcing and, you It's just going to save you so much headache in the long run.
[00:05:54] Speaker: It's to do these kind of basic setups that just. Break down what people are [00:06:00] doing. Another one I wanted to talk about, we talked about in our prep was making, if you can set up two factor authentication, do set it up. It can be a bit annoying, but annoying things mean that it's harder for hackers to get around them.
[00:06:14] Speaker: or people trying to take advantage of your website. That little bit of inconvenience for you is a big inconvenience for them. And also if you can do it with an app on your phone as the authentication do that. Google has a really good one, Google Authenticator. I use it for [00:06:30] all my major, any of the really critical systems definitely have it that set up that way.
[00:06:35] Speaker: Those are really, they're nigh impossible to break because basically you would need to break into Google. Oh, which actually reminds me, Google is the only one of the major tech companies that never has had a hack. It's a weird, fun fact about theirs and it's because everyone that works there has to carry a physical like USB.
[00:06:55] Speaker: And so you have to plug that into the computer you're working on and then log in from that [00:07:00] computer and you need both of the, both your login and that physical dongle and you can't, and it's not the same as an RFID, so you can't scan it because that's how other people do it like companies will have people physically break into the building by finding out where people go for lunch, sitting next to them, scan their card, key card that's just hanging there, and then break into the building physically that way.
[00:07:21] Speaker: And so there's, yeah. But you can't do that with a USB key. So it's
[00:07:25] Speaker 2: yeah. I wonder how many headaches they have every day. People, I lost my [00:07:30] dongle.
[00:07:30] Speaker: Oh yeah, no, absolutely. There's probably yeah. Annoying for them, but secure. Yeah, exactly. Like when you have a track record, like they do that, you can say yes, this is annoying, but look at our track record.
[00:07:43] Speaker: And then. It shuts everyone up to the security risks. But yeah, it's definitely a two factor authentication strongly could not recommend more
[00:07:52] Speaker 2: yeah, for sure. Two factor authentication as well as enabling hardened passwords. So people can't [00:08:00] use the password, for instance, yeah.
[00:08:02] Speaker 2: It has to require an uppercase, a lowercase, a digit, a symbol, and it has to be a certain length. That as well, I was saying off the top, like the things that we've gone over, you've already gotten to probably 98 percent security of your WordPress site just by doing, and they're not difficult things to do.
[00:08:23] Speaker 2: There's really no excuse for people not to do these things. I did want to [00:08:30] mention outside of WordPress and the software and updating the themes and things it's also really important to make sure that your PHP would be up to date to, the most recommended version if you're running outdated PHP.
[00:08:48] Speaker 2: Versions of PHP. There could also be exploits. Just from that, outside of getting in through your WordPress site there would be other ways that you might be exploited. [00:09:00]
[00:09:00] Speaker: I would even go further than there could be vulnerabilities. There will be vulnerabilities if you have. Yeah, there will be, yeah, for sure.
[00:09:09] Speaker: And I only joke about that because PHP is notoriously a language that is both very simple to learn and very simple to hack. It's it's got
[00:09:17] Speaker 2: the reason why I said it the way I did it was because you could be on not the current version and have had a security update done to it. It's only out of [00:09:30] life, PHP versions.
[00:09:32] Speaker 2: That wouldn't be getting these security updates. So once your PHP version is out of life, at least make sure you're, at a version that is still being maintained and updated. Versus being on the bleeding edge or the current version. Just make sure you're on a version that is not out of life and not getting any up security updates anymore.
[00:09:57] Speaker: No, I totally agree with you. I was just being a little, [00:10:00] reminding people that PHP, while it's very useful as a coding language, it's also very vulnerable and has a lot of well known security issues that it has to deal with as like just coding language in general. So it's definitely one that.
[00:10:15] Speaker: That's why there's so many updates for it is cause that, yeah, it really likes telling the world what your database says. Like it's quite insistent on SQL injections if you let it. [00:10:30] Yeah.
[00:10:31] Speaker 2: So on top of all of those basic things that do get you to that high level, there are other smaller things to get you the rest of the way, and typically these things are easiest to do through a security plugin.
[00:10:49] Speaker 2: The two security plugins, there's one that I use, but there's two that are at the forefront of what people use for security. The one I use is Solid [00:11:00] Security, formerly called iThemes Security. iThemes rebranded to Solid. So now all of their products are Solid Security, Solid Backups, Solid Central, all these kinds of things.
[00:11:14] Speaker 2: The second one is WordFence, which is I think probably the most used, because Solid Security is a, there's a free and a paid, but I think WordFence is probably the [00:11:30] best known and most used.
[00:11:33] Speaker: I think when I looked it up, it was like the most installed of any of the security plugins.
[00:11:38] Speaker: Yeah. It's yeah, it's really well known. It's definitely has a lot of. Even if you just have the free tier, it still does a lot, just like without activating the license. So it's well worth it to just install.
[00:11:50] Speaker 2: Yeah. So again, both of them have free, both of them have pro paid versions, but oftentimes the free version.
[00:11:59] Speaker 2: [00:12:00] Does probably up to 99 percent of what you might need. And some of the things that you're going to find in these security plugins are basically an easy way to do and set up a lot of the things we've already talked about, hiding the WP admin at a different address setting so that all of your passwords need to be difficult doing the two factor, basically everything we've gone over.
[00:12:26] Speaker 2: They all will allow you to set them up very [00:12:30] easily. Some of the additional things that you can do in there, which I would recommend, are disabling the XML-RPC protocol. If you're not going to use that, then you might as well just disable it. And most people don't use it. Another thing
[00:12:50] Speaker: is, just a quick what, which one is the XML-RPC?
[00:12:54] Speaker: When would people be using that? Just so we're clear for that.
[00:12:58] Speaker 2: Yeah, basically it's a [00:13:00] protocol that will extend and allow for third party connections to your site, so you'd be able to use maybe some interface on your phone to connect to WordPress and do things. It's used for hooks oftentimes, like for pulling real time shipping rates from a shipping provider. If you're running WooCommerce they [00:13:30] will have hooks, and the XML-RPC allows for the connection to your site to be able to inject the information for that third party software.
[00:13:41] Speaker 2: So that's the function that has.
[00:13:45] Speaker: Yeah. Okay. I just, I wanted just to clarify it just so that people, in the audience, if they're like, do I know if I need to do this or not? Yes or no. Yeah, for sure.
[00:13:55] Speaker 2: You could disable it. And if something you're trying to do on your site, all of [00:14:00] a sudden isn't available anymore, you can disable it.
[00:14:05] Speaker 2: But for the most part, if you have just a basic WordPress site, brochure site, you can disable it. Most people don't need it. It is a more advanced thing for more complex sites. Yeah. Makes sense. Something else that it does very easily is it will harden and take away the ability [00:14:30] to access files or write to files like your wp-config.
[00:14:35] Speaker 2: So you can secure essential files that often get exploited. So that can't happen. I don't know how many people know. Or notice this, but there is a way in WordPress. If you get access to WordPress, you can go and. Look at the theme files and actually change the theme files right within [00:15:00] an editor in the admin.
[00:15:02] Speaker 2: And often times that is a highly suggested item to disable. So both of these security plugins have check boxes and sections like you want to secure this. Do you want to secure that? Check this off, check that off. And these are a lot of those things that it goes through and takes away the ability To be used.
[00:15:25] Speaker: I will say that I use that editor feature a fair bit for some of my clients that have we've [00:15:30] got a custom coded theme and I put my head in my hands and go. Great. It's the editor to just quickly look over the files, but yeah, definitely.
[00:15:38] Speaker 2: It's so dangerous because you make one typo.
[00:15:43] Speaker 2: Like for coding typo in a file and save it and you could, the site could be down and now assuming that most people do that because they don't have FTP access to the server files or something [00:16:00] along those lines. If that happens, all of a sudden you're like, Oh, it's down. And now I have absolutely no way to recover this quickly.
[00:16:10] Speaker: A little backups are your friend. That's another thing is always having a backup of the website. But yes, I may or may not have done that by accident a few times. Or I went, what happens if I remove this snippet? And then, oh, that broke the page. Okay. Just going to put that little snippet back in there. Actually, it got me thinking, like a little Proustian reverie, of talking about people writing [00:16:30] stuff to the database. Oh, it's one of the first hacks of a website. I don't know if you've ever seen it, the Japanese Car Part Hack? So what happens is through your contact form, they inject themselves, they do a SQL injection and I guess get logins and then write to your database, a little PHP file.
[00:16:47] Speaker: And so the website goes down, like as soon as it loads, it goes down and it's replaced by this like Japanese parts importer. It's all in Japanese. It's pink and it has car parts all over it. It was, it was like, Almost [00:17:00] 10 years ago that I dealt with that. But yeah, it was it was definitely a fun one to make you go through each file and figure out like, why is this happening?
[00:17:07] Speaker: And then I figured it out and they wrote a PHP file in it and said, when the page loads, load this instead of the website. And yeah, that's why secure. Oh, that also reminds me, we forgot the most basic thing for this as well. Make sure you have an SSL certificate for your website. Yeah. Sorry, it's just so basic that I was like and I'm right now in the middle of actually [00:17:30] generating one and on a website that's hosted on AWS.
[00:17:34] Speaker: And so I'm having to go through that. And so it's, it just came back to me that I'm like, yep, make sure you have your secure and your website, because if you log in and you're not secure, that means your username and password are flowing across the internet that anyone can go find. C because it's on the
[00:17:50] Speaker 2: cryptic.
[00:17:51] Speaker 2: It's not that I forget, I always remember, but I also sometimes think who doesn't have an SSL these days? Like everybody, like it's [00:18:00] been such a standard for so long ever since Google was like, we're going to show Yeah. A warning. If you don't have an SSL and your site is not going to show and stuff like it really forced everybody to be like, why am I getting this?
[00:18:14] Speaker 2: Okay. I'll put an SSL on there. So every site pretty much has. And if you don't have an SSL, it's basically because you've put up a site maybe on your own and you just, you don't [00:18:30] know. And you think I don't have anything secure. So like, why do I need to bother with this? But. Yeah,
[00:18:37] Speaker: it's famous last words.
[00:18:38] Speaker 2: Yeah.
[00:18:39] Speaker: And I will say a big shout out to Electronic Frontier Foundation and Mozilla Foundation who were instrumental in creating Let's Encrypt, which is the free service that they paired with Google to then get it for everyone. So big shout outs to them too. Thinking about the end user and getting this free service that everyone can use to generate SSL certificates.
[00:18:59] Speaker: Cause it used to [00:19:00] be a big moneymaker for. Not a big money maker, but it was still like, they charge you a hundred bucks to do it. And
[00:19:06] Speaker 2: Oh man, I remember back when I first started, we did SSLs. They were SSL certificates were like three to $500. Like they were expensive.
[00:19:17] Speaker: Yeah. And for something that generally is like not , like there's a reason why Mozilla and EFF were able to do it for free.
[00:19:24] Speaker: And it was because it actually wasn't that complicated if you just ran this. Like you had a [00:19:30] special server and it ran like a hashing code for you. And then yeah, so it's definitely, yeah, we're living in a much more secure landscape than I think we've ever had, which is good for most end users, that it's super easy for you to secure your website by just doing some basic, basic steps.
[00:19:47] Speaker: So I think that's 2024 to have it. A much better frontier for all these things, I think is good for, average people that are starting a website and getting out there.
[00:19:59] Speaker 2: And [00:20:00] on top of having the SSL, make sure it's enforced, don't, because there are some sites that have SSLs, but you can still go to the non SSL.
[00:20:10] Speaker 2: So there, there's a way that you can force the loading of the SSL so that nobody can actually get to the non SSL version of your site. Yeah. And I believe, I can't remember the plugin name. For that, but there is a plugin to to do [00:20:30] that. I'll try to
[00:20:32] Speaker: Force HTTPS. I remember I did that. It was the plugin.
[00:20:36] Speaker: Yeah. Yeah. And there's Force SSL as well. So there's
[00:20:39] Speaker 2: yeah, maybe it might be Force SSL that I was thinking, but there's probably a couple of them, but there are plugins that will do that for you. Again, if you go with these security plugins, like Solid or WordFence, they have the option in there to easily turn the
[00:20:58] Speaker 2: The auto [00:21:00] SSL or the force SSL on some of the other things that you'll find in the additional stuff that you'll find in these plugins is things like scanning periodic scans of your site, you'll be able to set that kind of stuff up. You can set up firewalls to ban IPs and things like that.
[00:21:19] Speaker 2: Obviously the network brute force, which we talked about could be set up. And there are over, I think I mentioned some of these already, but some [00:21:30] of the system tweaks Aside from, hardening your some of your, the important files, you can limit the fact that PHP can't be executed in certain directories, which is another big one, because a lot of times when sites get hacked PHP files get hacked.
[00:21:50] Speaker 2: Placed in random places where CSS is or JavaScript files get placed in certain places. Eliminating the ability for [00:22:00] those files to even be able to execute in certain directories is another easy way to do. Yeah,
[00:22:13] Speaker: I think that's that's a big one as well. Yeah, just make sure that it's limited in its scope and where it can act and where it can do certain things, I think, is definitely a smart play.
[00:22:24] Speaker: I had a Deep and meaningful thought that has now evaded me. I obviously it wasn't that deep and meaningful, [00:22:30] but I was thinking, because the other one that we were talking about when we were starting this is like people who really should be concerned about need to take the security the most serious.
[00:22:38] Speaker: I think when we were talking, it was e-commerce companies. So that's very dangerous to not be secure in getting access to the back end. Because when I worked at Shopify, I saw someone who, they were not very secure, someone got a hold of their passwords and they went into their website and the only thing they did was change the Stripe account number.
[00:22:55] Speaker: And so the website was making money, but it wasn't making money for the store owner. [00:23:00] And it just went directly to whoever had hacked the website. And No, I don't know what resulted in that part of it. But it's definitely, simple changes like that can be huge impacts on your business because that's anything that involves money, anything that involves the payment to just tweak it so it goes over to someone else's account, that's going to be huge.
[00:23:19] Speaker: And so definitely the one group of people who need to take this the most seriously are in e-commerce.
[00:23:27] Speaker 2: I feel like at the end of this, I'm [00:23:30] thinking. One of the topics I Come up with to follow up on this was a topic of how to clean up or take care of a hacked site. And it might try to throw that in at some point, because I think people would probably like to see or know about the basic things that you could the steps you could take to unhack yourself.
[00:23:56] Speaker 2: Yeah. Yeah. Yeah, there's. The easiest [00:24:00] way would be to have a backup plugin and maybe we'll end on the backup note with this. Basically there's a couple of backup plugins and it's recommended to use a backup plugin to keep backups on your site. Because if something does happen and you have a backup, you could easily restore from a clean version of a backup to easily fix that.
[00:24:27] Speaker 2: Whatever problem might've come up, [00:24:30] whether it's the entire site or if it's only. Certain files or a certain plugin that when arrived, having backups of the entire thing to restore or even just a small section is worthwhile. And that would be your easiest solution to a major hack site is to basically just pull one of your backups and throw it back in place, and then make sure you update and take care of whatever it was that was exploited so that it can't be done [00:25:00] again.
[00:25:00] Speaker: Yeah, no, definitely big thumbs up from me for getting a backup plugin. Like Updraft is the one I use, very simple to get started, very simple to get set up. And it has saved my bacon more than a few times, when, you know, something goes, an update was not supposed to happen or when it did happen it broke everything, stuff like that. Even if it's not necessarily a hacked website, but you make a major change to the website, and then it turns out that it wasn't quite configured properly and [00:25:30] the website's down, at least you can then revert back to one where it was working. And so that's definitely a big recommendation on my part for security, because even if you lose control of your hosting, or whatever, then at least you have the files, you can go start a new account, get it up, reconnect the domain.
[00:25:47] Speaker: At least you have the ability to get back up relatively quickly. You may be down for a day, but at least like you have something to work with where you can, you're not completely hosed.
[00:25:58] Speaker 2: Yeah like you say it's one [00:26:00] thing to have a backup plug in and backups being created. It's another thing to make sure you're storing those backups offsite.
[00:26:08] Speaker 2: Because in that situation you just came up with, if you if you lost access to the server or the server went away completely and you were storing backups on that server, Oh, your backups are gone too. So you're still out of luck.
[00:26:21] Speaker: Yeah. Yeah. So the
[00:26:22] Speaker 2: importance of storing the backups offsite is important for sure.
[00:26:27] Speaker: Yeah. And like when I do Updraft, I just connected it to my [00:26:30] Google Drive account. And it's like a couple gigs that are sitting on there, but because most websites aren't really that big, then yeah, it's super easy. And you've got Google again, going back to, they're super secure, and Google's not going away.
[00:26:44] Speaker: And then, if anything does happen for your server instance, then you just switch over to the new one and then load it in and then point the domain there, boom, you're ready to go. And so it's definitely Yeah. Another aspect of security that you backing up and updating things is the, I'd say the TLDR of [00:27:00] this whole thing was, just make sure you have a backup and make sure you, everything's up to date.
[00:27:05] Speaker 2: Yeah. That was everything. So we got through it all pretty nice. Yeah,
[00:27:12] Speaker: I, I was a little surprised that we managed to cover so much ground. And the question of course, cause I was so prepared what are we doing next?
[00:27:23] Speaker 2: Yeah, good question.
[00:27:26] Speaker: AI for your marketing. What are you doing?
[00:27:29] Speaker 2: And [00:27:30] that's going to be with myself and
[00:27:31] Speaker: pip cool. Look forward to that. Yeah. Yeah, it should be very interesting And yeah, and then we will see you guys then. Find us in Cyberpunk Marketing Mixer group. If you have any more questions, want to continue the conversation. My name is Phelan. And I'm Greg.
[00:27:51] Speaker: Thanks for joining us.
[00:27:53] Speaker 3: Bye.