FireChat: Reactive and Proactive Protection for Web Agencies
Date aired: Feb 12, 2018
In this fire chat, we’re looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face…..
Victor is an Account Executive for Sucuri. A technology enthusiast focused on expanding his knowledge of online security. When away from the keyboard, going out for long runs or watching sports with his family.
Questions & Answers
Question #1: Is Toni reselling the hosting to her clients? If yes, does she just roll in the cost of Sucuri into her hosting price to her clients?
Answer From Tonie:My clients are set up on monthly recurring plans for security/backup/updates. It’s not a part of hosting, but you could definitely include it in your hosting costs.”
Question #2: Can we emphasis on the “”level”” of security when we say “”A secure website”” or “”Implement security”” . is it as simple as having a FW, update the core WP and Plugins, having backups and a disaster recovery plan in place, OR are we talking about more advanced stuff such as hosting servers security and that kind of stuff!
Answer from Victor: It’s not as simple as all that. Even with everything in place, there will still be opportunities to hijack weak passwords or leverage cross site contamination if there are other vulnerable/forgotten software within the same environment your site is hosted. Security isn’t a static state, it’s always changing and important to keep up with strong security practices and be prepared for the worst.
Question #3: How does Sucuri proactively secure a website?
Answer From Victor:The basis of our Protection Platform is that we’re a cloud-based Firewall/CDN. Activated with A record change so that we can validate the web traffic before it reaches your website assets. We have other tools to help monitor the site as well and respond to any potential incidents.
Question #4: When you say clean it up, it makes more sense to roll back to a previous backup OR try to clean the infected version of the site itself? Or it is case by case and there’s no “”best option””?”/p>
Answer from Victor:I wouldn’t say there’s “”no best option”” but what option makes sense for you? Backups can be valuable to bring the site right back but if it keeps recurring, either cleaning to find vulnerability or leaning on someone to protect those vulnerability will be key.”
Answer from Toni:Sometimes reverting to earlier versions/backups will not clean the site. Hackers might have introduced the hacks months ago and are waiting until all of your backups are infected.
See all Questions & AnswersExpand
Val: In this fire chat, we’re looking to find answers to some of the questions web agencies have been asking us for years in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face. Introducing website security early on in your relationship with customers is the first step, and we can help guide the way through that conversation starting today. Now I’m pleased to introduce our speakers, Toni Taylor, Bob Dunn and Victor Santoyo. I will let them, of course, introduce themselves and we’ll start right after. Toni, would you like to start by introducing yourself and maybe tell us about what you’re doing?
Toni Taylor: Sure. My name’s Toni Taylor. I am a freelance agency owner and marketing director and I build websites and grow companies online. A huge part of that is ensuring that they are secure from attacks.
Val: Perfect, thank you so much, Toni. Bob, would you take the next one?
Bob Dunn:I’m Bob. People know me as Bob WB. Currently, I blog and podcast over on my site basically on WordPress eCommerce and content marketing, but the last seven, eight, nine years I’ve done, had my own agency, did website design and I also coach and trained on WordPress for about eight of those years as well.
Val:Lots of experience there. And Victor?
Victor Santoyo:As Val mentioned, my name is Victor, I’m an account executive over at Sucuri, website security, it’s what we do and I help create and maintain relationships with agencies and then other providers I like about providing an effective way of addressing those security needs.
Val:Great. Thank you guys. Today, we have these major T’s, let’s say, at the table. We have agencies on one side and customers, people going to agencies, on the other side. Of course, there’s a lot of questions. We’ve got some questions from people who saw our ads about the fire chat. I know you have each in your respective experience, you have a lot of things that you can say. You can talk and share.
If we start discussing why security is important for websites and especially inside agencies, of course, any of you who wants to take the questions, go right at it, for anybody listening, if you have questions, please feel free to post them in the Q&A tab as we mentioned. At the moment we feel we have that question, there’s no restriction. I’ll try to pick them as they come and ask our speakers. Let’s go back, why security is important for websites when we talk about an agency discussing this subject with customers? Who wants to take the first step?
Toni Taylor:I’m going to defer to Victor here in just a second, but I get this question a lot in my agency where people ask me, “Do I really need security for my website?” My response is always, “Absolutely, unequivocally, yes.” Would you buy a house without insurance? Of course, you wouldn’t because if it burns down or whatever happens, you got to protect that investment. I always let my clients know that security is of the utmost importance and Victor will probably everything into detail as to why, but you don’t want to be in a situation where you spend thousands of dollars on a website only to find out that you’re blocklisted or that it’s been hacked and that you’ve lost a lot of that and you have to pay somebody all over again to rebuild that. The lost time and money, while it’s down, the cost can be pretty serious, so it’s important because you don’t want to put yourself in a situation where you’ve lost everything that you’ve invested in. Victor … we use you for all of our sites, so I’m going to defer to you.
Victor Santoyo:Yeah, and I would echo that exact sentiment and on top of that, coming from the standpoint of the agency, it’s also maintaining that trust with your clients, knowing that when you start off building that project, you know that you’ve addressed that topic seriously enough, where you don’t want not only your client to feel those ramifications of getting blocklisted, killing your ranking, money in that being driven in, because the host has suspended your account, which happens very frequently, but also finding yourself within … the clients may find themselves questioning why didn’t the agency do something about this or bring this to my attention if this was a possibility.
Victor Santoyo:It’s not just the relationship of the client and the base and the people they want, the audience they’re trying to address, but also the relationship from the agency to that client. That often, sometimes ends up being the most important.
Bob Dunn:Yeah, and I think exactly that. I found that a lot of the people I’ve worked with over the years were a lot of beginners, so they were new to the WordPress space and what I discovered, is that a lot of my clients, a lot of people didn’t even ask about security. They just made the assumption that you’re putting online, I’m secure, so I had to be proactive of, most of the time, and bring that up in the very beginning of the conversation, like you already touched on and say, “Hey, we got to also look at security and you need to know what you can to and how you can get help out there.”
Val: So you kind of led into the second question, actually, which was about exactly that, so what’s the right, what’s the appropriate time to introduce the topic of website security to customers. I don’t know how agencies usually do that. Do you put that first, do you also include maybe not through the most important items in the conversation or like Bob mentioned, maybe the customers never even ask, so you would try to bring that into the conversation.
Toni Taylor:I agree with Bob. A lot of times your clients, they just don’t know and they’re counting on us to be the expert to make sure that they are secure and it’s a part of our conversation from the very beginning. It’s actually not an option, it’s a standard way of how I do business, so when I have those conversations with them, it’s an expectation that I keep their site secure, but I address it early on.
I think that if you wait to the end, you’ve put it as a secondary or as an option and that it’s not as important and it is. It needs to be a part of that original conversation.
Bob Dunn:I agree, and when I was doing it, it was interesting, because when I was doing design, it was right up front, but when I’m doing coaching and training, it always was, kind of a variable because it would really depend on the situation, so it was educating of the … process of educating and finding out where they stood and where they were at, at that particular time and how security played into it.
I can’t make the assumption that they’re already covered, even if they came to me and they already had a site, but, building that site, yeah, I think it’s critical and that plays a big part in the hosting they’re going to choose, different things, and what’s covered there and their understanding of what they’re going to need to do.
Val:So, we would agree that the earliest you can, or it is possible, the topic should be discussed.
Val:… go into details about that. What would, let’s say in the event that something does happen, what do you think is the responsibility of the agency or what should the agency already have in place, either a third party solution provider or guides, resources, maybe stuff available, what do you think is the best option, or, at least, from your experience, when something happened in the past that you can share.
Toni Taylor:I can share a situation with a client that early on in my timeframe of a designer and working with, as a contractor for other agencies, especially a big agency, I’m freelancing now, but at the time, I was contracting and this agency, there wasn’t a week that went by that we didn’t have a situation where someone who didn’t have some sort of security in place that had gotten hacked or blocklisted. It’s not a matter of if it’s going to happen, it’s a matter of when.
If you’ve gone years without it happening lucky you, but it’s going happen. There’s just too much stuff out there. In this particular situation, they had no security in place. When I found it and we addressed it, as soon as we addressed it, in less than six hours, the website was completely down. Apparently, we’d upset a hacker and they were able to take the site down. In doing so, unfortunately the client had switched computers or whatever had happened, and didn’t have some of the old content, the content that was used on the site.
Unfortunately this agency didn’t have a process in place for maintaining web assets and literally had to start from scratch. Weeks without this website being up. Is that person now secured now? Absolutely, but the amount of time … the money that they lost for that website being down was pretty significant. As an agency, Bob had alluded to earlier that when you’re building websites, you want to start from the beginning and include it early on, but if you’re educating people and they come to you and they’ve already got a website, you can’t assume that they have it, so you’re actually having a conversation with them after they’ve been online, and sometimes reacting to a potential breach.
I think as an agency, for me, when I build a website or I encounter any potential client, I need to find out if they’re secure and if they’re not, I need to get them secure. If I build a website, I want them to be secure, and a lot of that comes down to the fact that I put my name, my reputation on the line every time I work with a client. It’s important to me that I maintain their online reputation as well as my reputation as an agency providing that kind of service.
Victor Santoyo:I think it’s interesting too, because a lot of times, a situation like yours is common. They get caught because they kind of skate by and they don’t necessarily have a specific workflow in place, like okay, the site gets hacked, you don’t have a back up or whatever. I think establishing some kind of a disaster recovery plan, whatever form that is, which is either establishing expectations at the beginning, do you have security? Great. If you don’t, let me get it. If you don’t want it or you don’t want to invest in it, either you … like you do Toni, it’s either mandated, or if an agency leaves it optional, establishing the expectation as well, I can only do so much.
Inevitably, it’s going to happen and if it does happen, just know that there are going to be these options waiting for you and they may require money, or they might require time, and at least when it does happen, people aren’t caught off guard of the idea of, I wasn’t expecting this, or this was never explained to me.
I think just establishing expectations in terms of what steps will inevitably follow, if and when there’s an incident, I think it’s probably the first thing beyond figuring out what kind of pricing you try to roll it into or anything like that.
Bob Dunn: Yeah, and I have a real interesting experience that just happened a matter of a few days ago. This reflects on all of this conversation. A site I’d built for somebody, I’d say in 2010, 2011, she blogs occasionally and basically what my job is to keep her site updated and post her blogs. That’s it. That’s what I’ve done for the last seven, eight years and three, four days ago, I got this email, “Ah, my site is down. My host says it’s been hacked,” the typical, the fan type of thing.
I was like, “Oh, okay,” and I’m at that point where I’m not really doing much support with her besides the basics, like I was saying, keeping it updated and everything, and I told her, “First contact your host, find out what’s going on,” and she did contact the host.
The host had a partnership with a security agency. They got everything fixed, found out it somehow happened through her comments, which she didn’t want to moderate, which we had to end up moderating, but it was that whole thing of … this went on a long time and I was doing … she wasn’t investing a lot of time or money into her site and I’m not sure what that site’s going to do in the future, but the fact that, yeah, after that long of a time, it finally happened. For me, it was a question of just … to me, it’s never, “Oh I’m going to go in and fix things,” it’s like, “Get somebody in there,” and that was what they were doing. “You need to get this fixed.” Now she does have more security in place, but you just never know when it’s going to hit you and where it’s going to hit you.
Val: So, if the customer is getting hacked and they are in a relationship with you as an agency or freelance or anything, web shop, whatever, this also casts a shadow on you as an agency. As Toni was talking about reputation, I think they would maybe associate the fact that they’ve been hacked, of course, starting their conversation with you, so I’m like, “Oh, so why didn’t you tell me? Why haven’t you warned me in any way?”
I also see conversations happening in the chat, so please feel free, anybody listening to ask questions. Thank you Toni for getting to them in real time. If we move on a little bit and talk about also the customers, Bob you do a lot of education. You do podcasting, you have many guests. I’ve watched many of your shows coming in. We had Toni with you talking about website security and why this is important. To what extent you think that education, generic education or also specific website security education would help customers in their negotiations or discussions with an agency?
Bob Dunn: Yeah, it’s huge, but it’s one of those things that you can pound it into their brain till it’s mush. Sometime down the road it levels out and things are not … for example, you can say, I would say I’m going to educate them on the basics. This is what you’re going to do. You want to keep things updated. You want to update your password. Some of the simpler things in security that maybe they can do or they have their virtual assistant or somebody doing on a constant basis.
Having that … my education was, you need something in there solid. You can do these basics. You can have somebody doing these basic … but you need something deeper than that. Something to monitor your site all the time, be on top of things, because I even have all that stuff place and my site’s been hacked once.
I thought everything was perfect, but it happened. I think it’s an education process of giving them the options out there, how much they’re going to do, don’t expect … I always told my clients, “Likely you’re not going to be doing it all yourself, that’s for sure. You’ve got to have help because there’s just too much stuff to do. You can do the basic stuff.” Also, it’s a long term, ongoing thing. Don’t just think once on it, but the problem is a lot of these people aren’t in there all the time and they’re not thinking of their site all the time, and those things, you almost have to continue to educate them and check in and say, “Have you changed your password? Have you done this lately?”
It can be daunting for both you and the client, but it’s not a one time education. It’s a constant education.
Victor Santoyo: I think also, too, people fail to realize just how much the landscape changes month to month sometimes. What people know as a common vulnerability today or yesterday, will not be that next week. Knowing how much that changes means you just have to maintain some kind of constant visibility, doesn’t necessarily mean you’re the one in there patching vulnerabilities, hardening your server or anything like that, but just understand that if … I think Bob really nailed it in terms of just know that you’re going to need help. What form that help takes is entirely up to the conversation you have with your agency about whether, “Maybe they work with me to address any code vulnerabilities, maybe we just outsource it,” or anything like that, so maintaining visibility to what’s going on and just knowing that, “Hey, I want to make sure that if I’m going to install a dozen plug ins that’ll serve a bunch of different functions, that I’m up to date on those things.” If I’m not up to date, I should know about it at the very least. It doesn’t linger in there and then inevitably it gets exploited for whatever reason.
Just understanding there’s issues is always something that keeps being brought up to me whenever I have these conversations like, “Well, I’m maintaining a VPS with about 15 separate WordPress installations or Drupal installations and we let a couple of components or plugins not get updated after a month because one of our developers forgot or overlooked it. Sometimes that ends up being the one domino that just wreaks havoc afterward.
Val: We have a live question that’s very interesting and I’m happy to have any of you go at it. Question is asking can we emphasize on the level of security when we say a secure website or implement security, is it just as simple as having a fire wall or a core or WordPress plugins updated, having a back up, disaster recovery in place, or are we talking about more advanced stuff to the customers such as maybe hosting service, security and other stuff like that? What’s the extent would you …
Victor Santoyo: I think it has to do more with what you expect, how much you expect your client to have an engagement with you on. The client’s going to be ultimately responsible for passwords, at the very minimum, proving access. Some agencies inherit clients that do their own hosting. That client should know what their hosting is doing on a security basis, both for how their server’s set up, are they on a shared server, is it a dedicated environment and then, imagine that. If the agency the client signs up with, if you’re pivoting, we’re going to provide you hosting, we’re going to provide you design, we’re going to provide you maintenance on a retainer basis, we’re going to be doing all the updates, you kind of establish an expectation that you’re just going to take care of it. If that’s the case, agencies should take care of it and then establish expectations.
We’re going to be doing this for your website, but also consider there’s going to be some security aspects we need you to be aware of, like Bob mentioned. Just make sure that while we’ll be doing a lot of technical changes, make sure you’re resetting your password and make sure you’re not allowing people that shouldn’t have access to certain backend, access to the website or anything like that. It ultimately depends on the role of the client, but if it’s something where we should open that conversation, just say, “Hey look, we’re going to have some security measures in place for your website,” or “We want to make sure we have it, but are there any aspects of security that maybe you have questions about?”
That might open up something you didn’t even consider and it will at least allow everyone to be on the same page, ultimately.
Val:Toni, what would you answer to a customer saying, “Do I really need security for my website?”
Toni Taylor: Well, yeah, I’m just going to expand on what Victor just said and we’re going to answer the question too that, all of the above, fire wall, update … I take care of all the updates, the plugins, the core, any themes, but I 150% rely on security for everything else and I have the full suite. There is no one thing or the other … I do it all. They do the server side scanning and everything for me. Like Victor said, I have that conversation with my clients and if the situation arises, it’s going to be taken care of, not one or the other, but all of it. We do it all, thank God, Victor, thank you.
Bob Dunn: I’m sorry Toni …
Toni Taylor: No, go ahead.
Bob Dunn: I was just going to say, it’s interesting because for me it was always … I could tell them the minimum, but it was like, I need to hand you over to somebody, like I said, I would outsource this, security. Hand you over to the professionals, because they will tell you what to do. I like to use the analogy of, if you have your house, when you have the house built, and when you have locks installed, alarm system, all the security stuff, you don’t go around and do it yourself. You don’t think about, “Oh, I need a camera over here, I need this.”
The pros come in, they know what to do, then it’s your job to turn on the security, to turn the latch on the key … the latch on the door and lock it, because those smaller parts that, yeah … but you didn’t actually put that whole plan into place yourself. You reached out to those people that know what they’re doing and you had them do it, and then you can do the small stuff.
If you don’t lock the door and somebody walks in and shoots you, then, guess what, that’s was your small responsibility.
Toni Taylor: I’ve seen agencies that will basically send their client directly to security and say, “Sign up for this plan.” I’m a little bit different. I have retainer fees. It’s provided for my clients because most of my clients don’t want to mess with the technicalities of that. They don’t even want to know. They just want to know that it’s done.
I don’t send my clients somewhere, I take care of it. When I say I take care of it, Victor and everybody at support team takes care of it. That’s the beauty of this is that I can provide a service on a retainer basis, where I’m making a profit off of this, and they’re secure and security is taken care of. Everything that I need them to take care of, my clients are happy. My integrity is still intact if something was to happen.
Val: So then as an agency or as a service provider, do you explain in the conversation to the customer, what’s the relationship between you and the services you provide and maybe the hosting provider, because maybe some of the customers think, “Hey, my hosting is going to take care of me. They’re going to protect my server, my site.” Do you step into that conversation explaining maybe what the hosting …
Toni Taylor: Absolutely. Yeah. It’s not uncommon for a client to ask me if their hosting provider covers that. Most hosting providers have some level of security, but you don’t typically have control over it or access to it and they tend to be basic at best. That’s been my experience. I am with Securi, because Securi is the best in the market. They are. Unfortunately, security scans are performed too infrequently with some of these hosting companies, obviously leaving you vulnerable. Besides that, there’s a lot more that goes into keeping a website secure from malware and hackers. You have to harden the site, perform updates and security scans regularly.
You have to know what to do to fix it. If I was to be 100% honest, I don’t know what the hell to do to fix it. That’s why I utilize Securi. I’m serious. When I knew that … when I was doing the research and looking for security that I could offer, there’s a lot of plugins out there. There’s a lot of other services out there, but none of them provide the level of security and peace of mind for both me and my clients that Securi offers.
They ask those questions, but I definitely get in front of it and let them know that, “If you’re going with a hosting provider, you’re not going to get the level of security that you’re going to get with Securi.”
Val: Thank you Toni. What would be the role that the client has or should have in protecting their own website. We talked about what the agency tells them or what an agency should educate a customer on regarding security, then we talked about how some of the customers have maybe not very correct or full information about what the hosting provider does, and what security actually means. Can any of us maybe shed more light into what exactly is their responsibility? Because, maybe there is much more than they think.
Bob Dunn: All’s quiet.
Val: I would actually go with Victor. Can we say that the customer should do nothing and just …
Victor Santoyo: I would say that, I think with the customer, they have to really consider that when you’re putting your presence online, think about the audience you’re looking to reach. A conversation I used to have is, yes, you’re trying to go … say you have a business going on. You’re trying to go to market as quickly as possible, or a blog, you want to get your content out as quickly as possible and you’re doing it so fast trying to get someone to build a site for you, maybe spin it up yourself, whatever it is, and then you don’t consider the audience and accidentally reaching.
What kind of plugins are you using or looking to use that not necessarily are more vulnerable, but making sure that you’re on top of, to ensure that the site remains safe. I think when you talk, when the agencies talk to the clients, they have to understand the client is as much responsible for the sustenance of that website, of being online and staying online, as the agency themselves and as in some parts, the host.
The host has a role, sure. I think you talked a little bit about what the responsibility of the host is to keep the site secure. Toni mentioned that sometimes … every host has different priorities. It’s not to say that they all think security isn’t important, but the way they do it, just may not necessarily work for you.
If you really need your presence online, if it’s that important for you to have your content available, then being able to have something … understand, “Okay, what’s it going to take for that to happen,” not just, let’s say, optimizing performance or anything like that, but understanding, “Okay, I know because everyone reads news, that hacks are a thing. Target gets hacked. A lot of other web properties get hacked, so it’s important that people understand that my web properties can also get hacked, so what can I do to prevent that. Is that a conversation with both my host and my agency? Do I need to talk to my agency about asking the questions, okay great, you’re going to be hosting my site,” just asking, “Hey do you know what my host is doing while we’re all working together on this project.”
Education, I think, is the recurring thing here. Educating yourself, and making sure that the client stays educated on the fact that it will happen. What should be your role in it will ultimately depend on how important you think it is to stay online. Some people get blocklisted and they’re like, “Oh, whatever, it was just a landing page for my grandmother’s knitting project, it can stay offline for a couple of days, I’ll figure it out.”
If you’re a business, you’re an online business trying to stay online, got to think about worst case scenarios, ultimately. If the site dies, what do I do? What should I have done? You can’t be pointing the finger at other people, ultimately it’s your online presence. It seems harsh, but hackers don’t differentiate, they don’t care. Your site’s going to get impacted one way or the other. For me, I think you just understanding that if the website’s that important to you and if you’re getting on top of your agency, “Oh, when the site’s going to go online, when is it going to go live,” you should know that security should be just as important too then, when we’re talking about a site going offline randomly.
Bob Dunn: And then I … go ahead Toni.
Toni Taylor: Go ahead.
Bob Dunn: I was just going to add that when I was doing even coaching and consulting and you have the long term clients, I would always make it … I’d be on a retainer and I’d tell them, a lot of them are do it yourselfers, so once I handed it to them, they’d do a lot of the stuff themselves, but I was always there for them, but I said, for example, “If you’re going to add a plugin, let me know first. Just send me, tell me what the plug in is, because I want to go in and make sure it hasn’t been not updated for four years or something like that.” Small little things like that I would try to get ingrained in their brains to just reach out to me, ask me. It won’t take hardly any of my time, any of your money. I’ll say, “Yeah, go for it, go ahead and install, it’s a good plug in or let’s look at this a little bit deeper.” Just those kind of small things.
The client will … they have to play that role in reaching out and making sure they’re doing things, especially when you’re putting it more into their hands.
Val: That’s actually an excellent example of a proactive approach from an agency towards the customer. Little things like checking to see what plugins they install, I think that’s a great example. When was the last time they were updated? This, of course, if we’re talking WordPress, but there’s a lot of CMS on there, but anyway, the approach would be, I think, favorable to the customer. The agency takes care of them like that.
Because, sometimes the customer just asks, “Can I just do my own updates and security. Why would I need a security company or security services. Do I really need that level of assistance?”
Victor Santoyo: Sometimes I think, just updating and just, let’s say, updating your core, your themes, updating your password, those are a very good foundation, but ultimately, it’s the unknowns that people can’t anticipate. People think, “Okay, I’ve updated my WordPress core, I’ve got all my themes and plugins set up, I’ve got my password I’ve just reset two days ago.”
But then, I keep hearing about people getting reinfected. But why? There’s so many other factors that play into it, like, your specific website is updated, that’s great, but is it living in a hosted space among other websites that aren’t getting updated, that are acting as possible entry points that can allow attackers to come in and then just attack your website anyway, make adjustments as they see fit.
Customizing their own code, invariably somehow end up accidentally adjusting a directory to 777, so then all of a sudden anybody can modify or execute anything, despite the fact that everything’s updated. How could that have happened?
You could try to do some of it yourself, but just going back to the unknown thing, invariably, you cannot keep up with all the newest common vulnerabilities that are out there and you can try and keep up, but sometimes you’re going to want to take vacation. You’re going to end up being away from your keyboard somewhere and it’s going to be in those weekends … I had a lady who I spoke with two years ago who had an online couture business. She went away on Fourth of July weekend and for five years that she’s been online, she’s always bent on the fact that she always met a certain quota every weekend, so she felt good leaving that weekend, taking a five day vacation somewhere in the Bahamas.
She ended up in contact with me because then the site goes down the day she flies out. The site gets suspended by the host, and so she’s actually spending two and a half days out of her hotel room, trying to fix the problem, and that’s despite the fact that she said that she all her stuff updated and everything. It ended up being a WordPress installation she stashed away in a sub folder somewhere that she completely forgot about. Visibility again, not having that visibility and knowing what was there.
You could try it, but at some point you’re going to need some help at minimum to just know what’s going on within your file structure.
Toni Taylor: I have clients ask me this question. Not too long ago I had a client ask me this question. And look, the updates, sure. If you’re comfortable going in there and updating them and you’re not worried about any kind of incompatibility, sure you can do that, but I always like to ask my clients, “Do you know how to install a fire wall? Do you know how to manage the DNS?” Really. You start asking these, “Do you know how to shore up any back doors?” They don’t. They don’t.
“Do you know how to prevent cross site contamination?” There is so much more. Properly taking care of security requires a tremendous of research and experience, and it’s best to leave those types of things to the people that are experts at it.
Bob Dunn: Exactly yeah. It’s very minimalist what the client role really is. They can take on exactly everything that’s been said, but when it really comes down to it, no matter your DIYer or you have an agency help you, whatever. You do need that extra … you need some help in there and you need somebody watching it all the time, and that’s basically what I did. It’s like, “Okay, we can do this.” I can even only do so much, but we need to make sure we have the right people in there helping you on a continuing basis.
Toni Taylor: At the end of the day, if you’re a business owner, you’re already wearing a ton of hats. Do you really want to wear that one too?
Bob Dunn: Most don’t.
Toni Taylor: Yeah. It’s best just to leave it to the experts, people that are already experienced in it. I had a website where, when it got hacked, oddly enough, I was just on this website the day before, and when I went to log in to make some updates, I found this period, just a punctuation, a period in some strange spot that it shouldn’t have been and I thought that was really odd, but when I went to hover over it, I realized there was a link attached. Come to find out, and Victor’s nodding, come to find out, there were 30 random periods throughout this entire site that I went through and found.
I don’t know how it happened and the client, of course, we thought, the client thought, that they were updated and they were secure. Obviously, we got to call in security to take care of these types of things, but anyway, the point is, is that you think it’s secure, and it’s not as secure as you think it is unless you’re employing some expert services to ensure that it is.
Victor Santoyo: It’s punctuation, how harmful could it be?
Toni Taylor: Right? This helps me when I tell you, you don’t need two periods at the end of a sentence. It’s not good.
Val: Actually, that’s one of the questions that showed up very often in the conversations with customers because many say, “Why would I pay the extra price now for security added to the services that you’re already providing as an agency, maybe design, maybe developing the website, putting it online.” Some agencies also do hosting, some will employ a third party. Would you advise customers into let’s say, be smart about investing early on in the security and also we have a question here that’s a similar asking.
If I pay all my P’s and I do everything right and my site is set up correctly and I have a security solution, I think Victor you said something about it early on, so maybe you can jump in if you want. The person’s asking here, what if I am on the same server as somebody else gets hacked because their CMS is five versions backwards, or something.
Victor Santoyo: Wow. I mean. We get that all the time and I think sometimes it’s understanding that if it’s that much of a concern, already you’re hearing the hesitation like, “I know I’m good, but my roommate, not so much.” Sometimes you should invest in not necessarily having … you should have a full security plan in place just in the even that even on your own something goes wrong, but then consider isolating that website into it’s own C panel or something, keeping that away from any potential … the more risk you introduce, the more those things can occur and how much faster they can happen.
Toni mentioned, do you want to wear more hats. Do you also want to carry on more risk. I think that person’s already identifying a red flag and if your gut’s telling you something’s not right about the way I’m set up, action it. Do something. Whether that’s isolating yourself, migrating to a different host, or finding a different, just a different work flow altogether, but if something doesn’t sit well, that’s for a reason. That’s what I recommend there.
Val: So, is there a 100% security or guarantee that after a certain point, if they do all the proper set up, they’ll never get hacked again?
Victor Santoyo: Heavens no. I’ll jump right on that one. I tell people all the time. Security’s about reducing the risk. You’ll never eliminate it and risk exists because risk will never be zero in this space. What you think you know today is not what’s going to happen tomorrow. You can do everything right. I do everything right.
I help manage a website for a family member, but stuff can still go wrong and ultimately it’s more about having the assurance and the comfort knowing that if something goes wrong, I know exactly what I need to do to get it fixed. Car insurance is probably the better example. I can do everything right driving the roads, putting on my indicator, putting on my seatbelt, but I cannot control outside factors that will inevitably get me into a car accident, but if something happens, I invested in car insurance to ensure that whatever, front bender got screwed up. I’ll take it to a shop, I can rent a car afterwards in the meantime, and I’ll still be fine. I’ll get to where I need to go.
The approach to web application security issues would be very similar, just have something in place. Don’t be shocked if something happens, but at least know that if something does, you have a solid work in place to ensure that your site gets back to where it should be. That’s ultimately what you need.
Toni Taylor:You’d mentioned this earlier, Victor, that whatever may be a threat today may not be a threat next week, or that threat could’ve evolved into a different threat, so you can’t guarantee it because they’re constantly … hackers are constantly trying to come up with new ways to get your information or to piggy back off of your success or whatever. You can’t guarantee that nobody’ll be hacked, but using a monitoring services with preventative measures in place, it’s damn near bulletproof. I’ve not had any instances with anybody that’s been secure. It’s not to say that it couldn’t happen, but like Victor said, there’s plan in place, that if something does happen, that we can get it addressed and cleaned up really quickly with little to no impact to the business.
Victor Santoyo: Yeah. I’m reminded sometimes … it’s an extended reach, but at the end of Batman Begins if you’ve both seen that movie, Gordon talks about escalation. People start carrying semi-automatics, okay, fine, they just buy automatics. We start wearing Kevlar, and they start buying armor piercing rounds. It’s very similar. You’re going to put yourself in a position to address today. They’re going to figure a way around that eventually.
Just keep that in mind. You can’t always feel like you’re the smartest person in the room with this stuff, because there’s going to be somewhere else, someone somewhere else, who will find a work around for that.
Val: To take the example even further. Would you say, you Victor or anybody who wants to jump in this one, would you say that agencies or web shops, service providers, anyways, do they stand out in a way, in front of the customers when they also have this component into the conversation of website security and what’s going to happen after you actually deploy and put the website online? They think that’s making the customers have an extra reason to go towards your direction instead of somebody else?
Victor Santoyo: I think sometimes security should just be something that … I think when it comes to the client trying to make a decision on whether they need it, invest in it, or there’s lining between different agencies, an example, you should see it as a really good benefit. Don’t be hesitant to invest in it, because if someone … I think one way to look at, and Toni, Bob, you guys can jump in on this idea, but if someone’s at least making an effort to suggest that security’s important for this website, even if the cost is more than they expected, the client should ultimately realize that that means you’re doing everything in their best interest.
That should factor in. The relationship, that you’re like, “Well, it’s more than I wanted, but ultimately I think it means that this agency is going to do what they need to do for me. That should, but itself, carry its own value, and that client should budget for that, the knowing of this agency will look out for me, when stuff hits the fan.
Bob Dunn: I think that it can be kind of a detraction for an agency to say, “Yes, this is something we offer,” but on the other hand, don’t … how can I say it, don’t put all your eggs in one basket, because a lot of people don’t, still, and there’s a lot of people that are entering this space, wanting a site, they see security, it almost fogs over. It’s like, “Okay, just another thing.” They might come into it more as an assumption that, “Yeah, anybody I hire should be doing what I need be done.” They don’t really think of security as a specific arm of that whole design process, or building process of a site.
They just … it becomes an assumption, and so it goes back to the education, letting people know, “You need to be aware of this and the needs, you need to go to agencies that understand this, but I still don’t think everybody will look at that as a bullet point on the site that, “Oh, okay, they offer security.” It’s weird. Human nature’s weird and I just think of clients … they gravitate toward other things and in a sense it could at some point even be like, “Oh is that another thing I need to do?” Where almost like Victor said, it needs to be built in already. It needs to be part of the whole strategy, so I’m not sure if it’s a real carrot you’re waving in front of somebody.
Victor Santoyo: So we need to do much more education and awareness so when they actually go as a customer to an agency or the service provider, they know exactly that the topic of security should be on the list of things to discuss.
Toni Taylor:Yeah. I think Victor touched on it when he said that it’s a part of that relationship. Back in December, I think it was, Victor, there was these ongoing huge brute force attacks that were happening on WordPress sites and I saw a lot of these security plugins writing blog posts on it and displaying graphs of thousands upon thousands of sites that were being hit.
I wrote a blog post on it, or a newsletter on it and sent it out to all my clients and some clients that responded, “Hey, can I assume that I have the appropriate safeguards in place? If not, please let me know.” That’s because I have a relationship with my clients. They’re trusting me. They don’t care how it’s happening in the background, I do, that’s why I have security, but that relationship means that they rely on me to make sure that they have that information and they’re secure.
It’s important that when you’re establishing that relationship with your clients, that you’re including as part of the conversation and that it’s an expectation that you have it. If you’re going to be an agency that takes care of your clients 110%, this should definitely … yeah, take care of your clients.
I feel like as an agency, if I did a website and didn’t discuss security at all or, in my particular case, there’s not really an option with me, it’s expected that you have it, but if I don’t bring it up, then I feel like I’m doing my clients a disservice, because I’m not giving them all the facts. The facts are, there are threats out there and you’ve got to be prepared for them.
Val: Victor, you were about to say something?
Victor Santoyo: Nope, I’m good.
Val: Okay. We’re almost one hour after starting and we’re still getting questions. I think we’re definitely going to have to do a round two of this one. I’m going to put up a poll in a few seconds here, but I just wanted to have a last question, if possible. Don’t worry anybody else who submitted questions, I see that Victor, Toni, have been already answering. We will be sending answers to all of you. As we said, actual webinar will be available online later on, hopefully this week as a recording.
Going back to let’s say, a possible final question here, in terms of … we talked about education. We talked about awareness, why the customer needs to know what happens in the system or in the process of getting online. We talked about cost, how it’s important to invest initially then be sorry later, or something of that. Do you think that out there, let’s say in the agencies realm, is there enough awareness among your colleagues, peers, about website security in general, specifically of what happens when customers get hacked? Would an agency normally say, “Okay, I’m going to jump in, I’m going to help you,” or just take their hands off and say, “I gave you the guidelines or guide.” What do you think is the level of maturity for agencies right now out there in terms of website security for customers?
Toni Taylor: I think there’s a lot of information out there. Like anything on the web, there’s probably too much to the point of information overload or overwhelm. I found myself in that situation early on when I started researching this and knowing that it needed to be addressed and I needed to have something in place, but again, that’s why I reached out to the experts.
I looked at a lot of different options and at the end of the day, I chose the one that was the best for me and I’m a little biased. I think it’s the best in the industry. There’s a lot of information out there, but I know that I have colleagues that have reached out to me and asked me questions about it because they’re on information overload.
I think there’s information out there, I just think it’s hard for them to discern what’s the best option. And then, I think there’s others that, just like their clients, it’s out of sight, out of mind and they don’t really consider until it’s a reactive situation. Unfortunately, some freelancers or agencies are more on a reactive basis instead of a proactive basis. I choose to be proactive.
Val:Definitely. That’s the smart thing.
Toni Taylor:It’s better for my agency and it’s better for my clients and at the end of the day, that’s who I work for is my clients, so their best interests is top of mine for me at all times.
Bob Dunn:I think for me, probably the people that are colleagues that I’m closest to, I think they have a fairly good understanding, probably most of them are proactive. There might be some that are … as far as the entire landscape, I don’t know if it’s improved and it’s hard to say, I can go back to years of consulting and how many people came to me and had a site built and eventually it got hacked or they had no idea of security or they said, “Bob, somebody installed this plug in and I’m getting notices that billions of people are trying to break into my site and it’s freaking me out.”
There was a lot of them put in this spot that supposedly they thought they were secure but they weren’t, and they’d send me their emails and say, “Look at all these emails, what’s happening?” Then, I’d be put in the position to try to become the expert, which I wasn’t and I would have to try to explain to them a little bit and at least put them in the right direction, but I don’t know. I think there’s still, it’s an ongoing struggle and I think there’s going to be agencies that are on top of it, agencies, like Toni said, that are a bit overwhelmed, need to reach out and then there’s some that just kind of, becomes out of sight, out of mind, like she said.
Toni Taylor:I’ve had … there’s some plugins that you can install on a WordPress site, obviously you can’t install this on every type of site, but there’s some plugins out there that will track just the attempts of someone trying to log into your WordPress site. Maybe I should be ashamed to say this and admit it out loud, but I’ve actually installed this plugin on some client websites who didn’t think they needed the security. Just in the course of an eight hour day, the sheer number of attempts of someone just to log into … that’s, to me, is the least of their concerns compared to some of the stuff that I’ve seen and encountered, but when they realize that this is just one aspect of a way that a hacker could try to access them, they realize how serious this is.
I’ve seen this happen on sites that have just gone live. They don’t have to be online for long periods of time. So, it’s important that they realize that this is serious.
Val:This would be a great topic for a future webinar. How hackers find sites and how they try to log in. Unfortunately, we have to stop for today. I’m going to launch the poll, so anybody who wants to respond, please go ahead, but I want to take a few seconds and thank Toni, Bob, Victor for their time. Thanks everyone who joined, asked questions, got answers. Of course, if you have more questions, you can still hit us up either on Twitter or just send us an email.
I’m sure we did not, let’s say, complete the topic here. I know there’s a lot to talk about and we try to gain an understanding of what exactly is and you need to learn and what we want to find out and we will come back with more fire chats, more talks about agencies and customers and so on. I want to give you a few seconds guys if you want to say goodbye or something, but for my side, thank you so much for joining, thank you for accepting our invitation and for everybody at home, thank you for being with us.
Victor Santoyo: Same here. Thanks. Thank you.
Val: Have a great week. Thank you guys. Bye bye.
See Full TranscriptExpand
Similar Past Webinars
In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Webinar – Virtual Patching Webinar
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.
Webinar – Hacked Website Threat Report 2021
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
Webinar – Logs: Understanding Them to Better Manage Your WordPress Site
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
Webinar – Personal Online Privacy
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Webinar – Why Do Hackers Hack?
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
Webinar – WAF (Firewall) and CDN Feature Benefit Guide
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Webinar – Preventing Cross-Site Contamination for Beginners
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
Webinar – Getting Started with Sucuri!
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Webinar – How to Account for Security with Customer Projects
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..
Webinar – Is SSL Enough to Secure Your Website?
It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored…..