In 2009, two laptop-wielding guys, Chris Mechanic and Arsham Mirshah, understood the art and science behind SEO. Clients wanted more sales, not just traffic, which prompted them to hire and train the best digital marketing talent in the Baltimore-Washington DC area. WebMechanix, a full-service digital marketing agency founded by Chris and Arsham, delivers unparalleled user experiences to convert traffic into buyers and brand evangelists.
Dave Brong, CTO of WebMechanix, manages their 100+ website properties (some sites created by them, others inherited). But in one way or another, they’ve all been vulnerable, mostly due to the complacency behind site ownership. On one hand, as Dave sees it, agencies don’t want to be webmasters, because it’s stressful and often leads to a sliding scope of work. On the other, website owners don’t want to have to worry about updating their websites and potentially breaking functionality.
But what happens when a website gets hacked? The answer - chaos.
Prior to 2014, most security news about WordPress was related to TimThumb or Revolution Slider. That all changed around March of 2015 when the massively popular WordPress SEO disclosed its SQL injection vulnerability. From there, the WordPress ecosystem continued to experience security issues. Drupal similarly followed suit, with a highly critical security update in October of 2014, and then later a handful of critical updates throughout 2015.
Hackers put two and two together. They could target some of the most widely-used systems on the internet with similar attacks. This was very bad news for site owners, especially ones who didn’t actively maintain their websites.
Due to the increase in automated attacks, WebMechanix decided to create their own security service for peace of mind on the websites they managed.
But between March and June of 2015 - every other day like clockwork - WebMechanix kept uncovering security issues for several of their clients’ websites. Some would go offline while others would redirect to pharma sites or embed client-side malware. Others would silently send out mass email without a single change to the public website. Dave recalls it being so widespread that it was hard to pinpoint the exact same hack on every site.
The problems ranged from redirect issues to embedded spam links to a good old-fashioned 500 Internal Server Error (if websites had a Blue Screen of Death - that would be it). Scrambling to patch every website they had control over, they couldn’t fix the sites fast enough.
We had to patch, or restore, and get them online as quickly as possible and move onto the next client. This caused reinfection in some sites since the hackers would modify files and sit on them for months before triggering the real hack.
Throughout that spring and summer, more and more vulnerabilities in popular plugins were disclosed, such as Gravity Forms and JetPack. The web community became increasingly aware of the security situation, fixing issues in their code. However, this recurring cadence of disclose-and-get-hacked was becoming problematic. They needed a better solution for their agency.
Dave, who developed a seasoned background in web hosting, security, and forensics throughout almost two decades of being a web programmer, knew what he needed but just didn’t know it existed in a mass-market solution yet: an all-in-one firewall protection system.
I’ve always kept an eye on WordPress-related news, and the name Sucuri kept popping up - everywhere. I had read reviews but never had an in-depth understanding of what Sucuri did for smaller websites. Once I visited their site and dissected the technical information (all of which was relevant to my situation), I decided to give it a try.
After researching solutions and different approaches, WebMechanix landed on Sucuri because of its website firewall, which runs on top of the website, on any server and in any environment. This was most important to them.
Today, though the majority of WebMechanix core website services are based around WordPress, the rest of their clients’ environments couldn’t be more varied. Some are on do-it-yourself web hosting services, while others are in shared environments on budget web hosts offering “business” hosting. The higher traffic sites are in their own VPS environments with dedicated resources, while the most vulnerable sites are with the most secure web hosts, such as WP Engine.
The Sucuri CloudProxy* and Antivirus products have proven to be tremendously beneficial for us because we only need to focus on one protection platform. From a management perspective, this greatly simplifies our day-to-day IT tasks relating to fine-tuning, reviewing, and adjusting security settings.
*CloudProxy refers to our Sucuri Firewall product.
After the infections were remedied, Dave knew the next steps to put in place - educate clients to change how they think about their websites.
Websites are not a 'build it and forget it' tool for a business. You don’t just make a website and expect visitors to come to it -- you need to continuously promote the website with a marketing campaign for driving traffic and results. Well, business owners need to understand the same situation applies to the website itself -- you need a constantly-running security campaign to keep that website up to date and free from the clutches of hackers.
Step 1: Starting the Website Security Conversation
WebMechanix enlisted Customer Success Managers to reach out and discuss the current state of each client’s website. All of the discussions revolved around ownership, i.e. who is responsible for maintaining the website, and placed full responsibility for the health of the website on the site owner - from updates, to hacks, and even to reading log files proactively.
Business owners see their website as 'online' and assume that’s how it’ll always be. At least until the website gets hacked. Or until it’s suddenly 'offline'. Or until it’s sending out a million spam emails and getting their email domain blacklisted. It’s only when disaster strikes that they start asking who’s responsible for the website’s health.
Step 2: Lifting the Website Maintenance Burden With New Security Services
Next, WebMechanix created the Website Health and Security Monitoring service for their clients - essentially insurance for their website.
Our clients spend thousands of dollars a month with us on their marketing campaigns. So relating security services back to their campaigns was easy -- 'Do you want to risk getting your site hacked, losing all of the hard work we did marketing the site over the past 6 months?' The answer is a fast 'No.'
The service combines ownership with management and human interaction. Though it is not a completely automated solution, Dave and his team wanted to manually review the wellbeing of their clients’ websites on a weekly basis, ensuring their trust and partnership.
By using a combination of automated health checks such as server uptime, keyword checking, and WordPress management systems, we’re able to focus our efforts on server logs -- the hidden gold mine of web servers. Using the server logs, we know exactly what’s going on, where traffic is heading, and what errors occur. By manually reviewing (through some highly-tuned shell scripts and reporting systems) we can identify and prevent additional attacks, before they happen.
There was still a missing piece of the puzzle. What about the attack patterns they didn’t know about?
We’re not a specialized team of highly-skilled forensic analysts after all. Enter Sucuri CloudProxy*. The CloudProxy* system lets us sleep well at night. It combines expert research from the security gurus with mass-pattern recognition and CVE.
Needless to say, the full package of what WebMechanix is providing its clientele is constantly evolving to keep up with the market trends in security.
Outsmarting attackers and hackers and vulnerabilities is not the moral of this story. It’s website ownership. Someone has to step up and maintain the websites. If not, not even a hundred layers of protection will keep the site safe for long.
Prior to implementing the Sucuri Firewall, many of their sites would undergo hundreds, if not thousands, of different bot attacks on a weekly basis. These attacks ranged from DDoS, to brute force login attempts, to xmlrpc, or even direct plugin access. Security plugins inside of WordPress itself were not robust enough to handle all vectors of attacks; attacks can come through channels that plugins simply can’t cover.
A reverse-proxy firewall system, such as CloudProxy*, covers more angles than software can. It handles all traffic, regardless of its file path destination or execution point. It reads the actual network packets to determine if the data being transmitted should be allowed or denied.
After implementing the Sucuri Firewall, the automated attacks dropped instantly. Dave gives the credit to Sucuri for managing to prevent at least 95% of all attacks from ever reaching the web server.
By implementing the Sucuri Firewall, we’re better able to look out for our client’s long-term marketing goals. Hundreds of thousands of dollars from marketing campaigns could be wasted overnight if your website gets hacked. It’s not worth the risk.
The key determining factor that made WebMechanix choose Sucuri:
They’re the definitive industry leader for website security solutions. And there are certain things in life that you should not choose a runner-up with and security is absolutely one of those things.
Because WebMechanix uses very popular and widely-used CMS systems, the Sucuri Antivirus and Firewall provide them top-of-the-line security that revolves around known and unknown vulnerabilities for those popular systems.
What really solidified our decision was the ease of implementation of the Sucuri system. A couple clicks of a button and a DNS change are all that is required.
As programmers and technologists, the WebMechanix team appreciates the amount of options available to fine-tune the firewall as well. From caching to whitelisting to HTTP/2, they like that they can optimize each website to its specific needs.
CloudProxy* can be a set-it-and-forget-it tool, but we don’t use it that way. We constantly review the audit logs and reports to make sure each website is running to its peak performance level.
WebMechanix considers API access a bonus feature. With it, they’re able to connect to the Sucuri Dashboard and pull in reports to show on their own internal dashboard, which is displayed in the office. If an alarm or a certain report triggers, they can take action immediately.
I find myself relating website security back to a car. You put your seatbelt on when driving to a grocery store... when you think things are safe and get hacked again.