Website Security Primer for Digital Marketers

Date aired: October 31, 2018

During this webinar, Alycia explains how marketing professionals can easily add security to their diverse toolkit. This skill helps organizations prepare for incidents and prevent others.

Alycia Mitchell

Digital Marketing Manager

Alycia is the Digital Marketing Manager at Sucuri. She's passionate about teaching cyber security best practices and fond of open-source, analytics, and malware. A nature and wilderness lover, she has deduced that they are strangely enough a lot like the internet.

Questions & Answers

Question #1: Can Google analytics be used to identify malicious traffic?

Answer: You can definitely spot some things, but it’s not a replacement for proper monitoring and protection. You can identify if there have been traffic spikes from common attack countries (Indonesia, Korea, Russia, China, Turkey, etc) or look at the Service Providers in the Technology section. Sometimes you can see strange URL requests like LFI and XSS attacks. I have another webinar where I go into this a bit: Defending Your Google Brand Reputation and Analytics Reports.

Question #2: Does a compromised website lose rankings in search engines? If so, can they be recovered?

Answer: Yes, a hacked website can suffer lost rankings if Google thinks the malicious changes to content or SEO metadata are intentional. If changes from SEO spam last long enough, it can take months to recover after cleaning it up.

Question #3: What sources do you recommend to keep informed about cyber security topics?

Answer: The Sucuri Blog and newsletter is a great start for website security specifically. I highly recommend checking out forums and email lists related to your CMS. For general cyber security news, I look at Reddit’s /r/netsec and journalistic publications like Ars Technica, Threatpost, and Hacker News.. It’s a good idea to follow cyber security professionals on Twitter - it’s the fastest way to get news.

Question #4: About multi factor - I will lose passwords often. How hard is it to find lost passwords?

Answer: Use a password manager like LastPass or Keepass so you don’t need to remember them. You can also use them with a password generator to make longer, stronger passwords that you don’t have to remember.

Question #5: What is an app for the phone for 2FA?

Answer: Google Authenticator. Here’s a link for the Play Store for Android and App Store for iOS. There’s a great website at twofactorauth.org you can use to see which online accounts have 2FA available, and you can send messages to the companies that don’t.

See all Questions & Answers

Expand

Transcript

Name: Alycia Mitchell - Title: Digital Marketing Manager

Hi everybody. As Val said my name's Alycia, and I'm the Digital Marketing Manager here at Sucuri. I've been in role for about four years. As Val said, it's a Halloween-themed webinar, so I don't dress like this every day, and if you're watching the replay that's why you'll see these slides that are coming up are Halloween-themed. So big props to AJ, one of the designers on our team, for putting those together. I hope you guys enjoy what we're gonna go over.

Little bit about me. I've been working in the cybersecurity space for about nine years now. I previously before Sucuri worked for a company that sold an antivirus product. I'm working in marketing, specifically SEO for about seven years, and I live in Canada on the west coast. So that's all you probably want to know about me.

And what we're going to learn today is what you're really here for. So first of all I really wanna explain why I think marketers are in a great position to add security to their toolkit. And then I wanna go over some really high level basic security principles to get you primed to learn more about cybersecurity, and champion it within your organization, or to take the steps you need to protect your web assets.

So first let's start with an agreement here. Maybe you don't agree with this statement, but we generally like to say content is king as marketers. And so you have to ask yourself what are you doing to protect that king? Whose responsibility is it in your organization to make sure that your web assets and web content are protected? If there's downtime on the website, anything like that, it affects marketing.

And marketers, we have a broad range of skills. So many of you know about the T-shaped marketer, and if you've read the recent blog post that I've put on blog.sucuri.net you'll already have seen this image. This is from Moz, by Rand Fishkin, and he talks about that we have such a broad range of skills, and we maybe go deeper in some more than others. So I'm not asking to go deep with website security or security knowledge, but just to add it to your toolkit so that you can be a champion for security in your organization, and so you can be aware of these things before they impact your business.

So Jono from Yoast, which Yoast is a really good friend of ours here at Sucuri, he actually spoke at MozCon, which is an annual conference for SEO, and he actually had a different take on this, where he used sort of a Venn diagram to explain the t-shaped marketer. And one thing really stood out to me in his slides there. So I really wanna talk about how we can as marketers include security in this big wheel of skills that we have.

Let's talk about some reasons why this should be important to you as a marketer. So imagine some nightmare scenarios for a second and how they would affect marketing. One of the examples we talk about in this slides is say you're installing a random plugin to help you with something like SEO. If you don't vet that plugin for security, if you're not sure how well the developers are supporting it, is it from a trusted source, are you trying to get a free plugin or something like that that's not in the official repository, what happens if that developer suddenly stops working on that plugin and there's vulnerabilities. Or if the abandon that project and the domain that they use for some of their third-party scripts gets picked up by a black hat hacker. All of a sudden any website that's using that plugin is going to be used for malicious purposes. So by having security in mind you can make better decisions, like choosing trusted sources.

Oops. Wrong way.

Also downtime. We know that downtime is a terrible thing for marketing. It not only affects the trust of your users, but you're gonna have to do a lot of cleanup in terms of the social media response. So just your denial of service attacks are something that are becoming more and more common. These are easy for attackers to do because you can just get DDoS for hire services that are actually fairly cheap. Whether it's somebody who disagrees with your message, or it could be a competitor, or it could just be DDoS for ransom, where they're actually trying to extort money out of you. This is an issue that affects more and more websites, and basically what a DDoS attack is, if you're not familiar, is your website gets flooded with so much fake traffic that real visitors can't actually get in and it looks like your website's down.

Blacklist warnings. So as a marketing, especially in SEO, we probably know a lot about Google penalties. If you do spammy things Google will rank your websites lower, and it's very hard to come back from that. The same happens if your website is compromised. Google will actually black list your website, so if somebody clicks your link in search and goes to the site you'll see a big red warning page. I'm sure a lot of this have come across this. It's not just Google who'll do that. It's any of the major search engines, and the antivirus vendors who wanna protect their users by making sure that their users can't visit dangerous sites.

We know about redirects. We use them all the time in SEO, but a malicious redirect is when a hacker will attack your site and send some of your traffic to an attack site. We see this often with mobile visitors being sent to porn apps or something like that. It could just be affecting visitors in a certain location. So these kinds of conditional redirects can be very difficult to diagnose if you're only browsing your website on desktop from your location.

This is just scratching the surface. There's tons of other types of malware. We're more familiar with malvertising, obviously, like popups and stuff like that, is kinda what you would think of, or drive by downloads, where somebody goes to the website and an application is downloaded, a virus that infects the visitors computer. But phishing is another huge deal that's getting bigger and bigger according to Google's transparency report. Phishing is essentially a fake page that looks very real. So if you're in a commerce site and you have a checkout page, imagine if an attacker gets into your site and puts up an identical-looking checkout page, but all of the credit card details will be going to them. So not only are you losing sales but you're also violating PCI compliance, because these visitors are getting their credit card details stolen. And you might not even notice because they might only send one in every four transactions to a fake checkout page. And I've actually seen stuff like this and written about it before. So it's really, really bad and you want to make sure you're protected against that.

Probably the most visible example for marketers is SEO spam. It's also the popular form of malware that we clean up, because we clean up 400, 500 sites a day, maybe even more now. And when your site is hacked with SEO spam maybe they'll inject pages, like this screenshot here, but they could also just change your titles and descriptions. So that it could be Viagra. It could be porn. It could be cheap fashion brands and stuff like that. But this can actually long- term, if you don't fix it, can affect your rankings, and it can be very difficult to recover from that.

One last thing here. Marketers are already really familiar with a lot of technical concepts that are necessary for cybersecurity analysis. We know a lot about web dev languages, even if it's just a little bit of HTML and CSS. We understand how bots and crawlers search through the internet. So we can really understand the automation side of web attacks. We know about SSL because Google's told us we need SSL. Maybe we don't know exactly what it is, and I'll go into that in a second, but we know we need the HTTPS. We know how to do 301 redirects. We know how to read our referral traffic in Google Analytics. We are familiar with IP networking and logs and all that stuff. All this will help you to be in a good place to understand a lot of what's going on in the world of cybersecurity.

We also have black hats and white hats. I've always found this interesting, this crossroads where I live, where I'm familiar with cybersecurity and marketing, and I don't know any other industry that talks about black hats and white hats. And maybe correct me by posting a comment or a question if I'm wrong here, but when it comes to black hat hackers, those are the folks who are exploiting security weaknesses in order to take advantage, get money or notoriety, or to be an elite hacker or whatever. And black hat marketers are just bullies who are trying to scare people suing fear, uncertainty and doubt to sell their products.

On the other side we have white hat hackers. So hackers are not all bad. We have some really good hackers on our team here at Sucuri who are actually out there trying to identify issues to they can be patched. I don't know if there are white hat marketers who are trying to actually solve a problem and provide useful information to people. So it's interesting to me that there's that dichotomy that we can kind of understand as marketers and cybersecurity professionals.

One last thing here is the privacy and compliance laws. So I mean I'm sure we've all heard enough about GDPR at this point. CAN-SPAM in the U.S. and CASL in Canada. These are spam laws that require you to document things and to put in place processes and technology. And so that's very similar to what goes on in the security world. If you're familiar with e-commerce you should know about the PCI DSS. That's the Payment Card Industry Data Security Standards, and those are a set of standards that are created and maintained by the major credit card companies. If for some reason your website is found in violation of PCI, and that's resulted in identity theft for your customers, you're getting really huge fines, and you can even be shut down and not be able to take credit card payments if they find you at fault. So it's worth looking into, and if you're curious about this and you have an e-commerce, even if you have an external payment gateway, 'cause, like I said, a hacker can get into your site and start sending some traffic to their own payment gateway, you need to know about e- commerce and PCI compliance. And Rianna on our marketing team has created an awesome email course that you can find to learn more about that. It's all free of course.

And you probably know about the not secure warnings that came out in, I know, one of the recent versions of Chrome over the Summer. This now shows not secure in the address bar next to your web address if you don't have HTTPS, aka SSL. We also have known since 2014 that SSL is a ranking signal in Google search that'll help you rank higher.

So about SSL. Real big caveat. We all talk about not secure and all that kinda stuff, but SSL actually doesn't protect the website from being attacked. So your visitors could still get impacted because your website's dangerous, because it's been compromised. What SSL actually does is it encrypts the communication in transit between the visitors browser and your web server. So when they're sending their passwords, credit card data, when they're filling in a form on your website, all of that is being sent securely, scrambled through encryption to your server. And the same goes for if your server has to send something sensitive back to the visitor. So SSL, to be clear, encrypts data in transit. It's awesome. Hurray for things like Let's Encrypt it, make it easy. We even have a guide on sucuri.net/guides. If you wanna learn how to install a certificate using Let's Encrypt, and it'll explain some of the different types of certificates. But in the end SSL just protects the traffic in transit. It doesn't protect the data at rest.

Only a website application firewall can really do that. Obviously there's things you can do to lock down access, harden your server and stuff like that. So it's not the only thing, but it's one of the most effective ways to protect your website, because what'll end up happening, as you can see from the diagram, is the traffic will go to your website, but first it hits the firewall and it has to be filtered there. And the way we do this for our Sucuri firewall, is we do application profiling, so we will know exactly what your website looks like, if you're running WordPress and specific programs, and we know what types of attacks are common against those. So we can block them out of the box. Then we look for specific signatures that we know are bad. There are certain things that normal visitors just won't be trying to access your website this way, and so we'll block those visitors. You can even block certain geographies. If you know you only need visitors in a certain location you can block people from visiting them from other places as well.

For heuristics, that's just behavior that doesn't look quite right, and we use that with our correlation engine across our network to see what kinds of attacks are emerging, even on other platforms, and we can write rules to make it even more tight so only the good traffic ends up hitting your server and everybody else sees and block page.

We'll talk more about that later. And I don't wanna say that Google's not doing anything about protecting sites and making sure that sites are safe. They care about that too. In fact in their safe browsing transparency report their web spam team produces and keeps it up to date. I just pulled this graph pretty recently. This just shows how many sites that Google safe browsing finds are attack sites. So these were actually sites that were created specifically malicious, versus compromised sites that were legitimate sites that were hacked, and then they were used for nefarious purposes by the attackers. So as you can see it's much more lucrative for an attacker to automate attacks and say, "Oh, hey. There's this vulnerable plugin, and we know that a ton of sites probably haven't patched it yet. So let's automate an attack to find every IP that runs this version of WordPress with this plugin. And then once we have a list of 1,000 or 10,000 websites let's automate the attack phase." So they can literally run a script, go get a coffee and come back and have a bunch of sites under their control.

It's really scary. The way they use it brings bots and all that kind of stuff. Just to let you know, this is a big problem, and according to hostingfacts.org, I believe, 50,000 sites a day are hacked. So it is a big problem and it's going to get worse, because the internet is going to get more complex.

Gartner released a report that says that by 2020 they believe the majority of attacks on web applications are gonna via APIs, and the folks on our vulnerability research, I just spoke with them last week, and they say that's pretty much already the case. We also know that bots have outnumbering real humans on the internet for a number of years now, and I would be really surprised if that number's not gonna double soon. There's more and more plugins and extensions all the time for different CMSs and applications. We always love to add scripts, especially as marketers. Our tracking scripts, our Google tag managers and stuff, and those just make it really complex and increase the attack surface of the websites as we move into the future. So we need a solution to future proof our websites essentially.

We can't just sit around hoping that the white hat hackers are gonna be the ones who find the vulnerabilities and patch it. Even if they do can we patch fast enough? There's certain things that we can do as marketers, as IT professionals to prevent a compromise from happening and prevent your web assets and your web content from being damaged.

So we said SSL isn't website security. What is website security? At Sucuri we've always thought of it as detection, protection and response. So making sure you don't get hacked, but if you do that you get alerted right away and you know exactly what you're gonna do to clean it up. So I'm gonna give you a quick overview of how I think you can go about this.

First of all monitor and audit your web properties. We already know as marketers we get Google alerts. We do social monitoring. We know it's important to respond quickly. I just want you to apply those same concepts to your website integrity. First step, verify your domain ownership. It's all free. Go to Google Search Console, then Webmaster Tools, then Yandex Webmaster Tools. These are all major search engines. And they would love to alert you if they see anything weird on your site. But they can't do that unless you're registered and you verify that own the domain. So what that might look like, for example here, is if you have a security issue you'll get an email. This is actually for our tool, Site Check, which is a free [inaudible 00:16:27] scanner. So we actually will scan websites for free, and we'll show the payload. And so the payload is what's being flagged here by Google Search Console. They don't blacklist us 'cause they know that we're just trying to help, but they still flag this kind of stuff.

Site Check here, you can go to sitecheck.sucuri.net and you can scan your site. It'll let you know if the site's outdated. It will let you know if we detect specific malware, and you can click more details to actually find the specific payload and where it's located so you can clean it up. And we'll also scan the nine blacklists here to see if you're on any of them. Just a quick note, remote scanners like Site Check, we can only do the same thing that Google safe browsing bots do. We scan externally by clicking link to link on your website, trying to find anything that looks obviously malicious to us. We'll pretend to be a visitor from Japan on a mobile device, a bunch of different types of conditional cases, in order to find hidden malware. But if there's a phishing page hidden somewhere on your site, let's say it looks like a bank page, and the attackers are sending people through an email campaign to your website, to this page, it's not visible by clicking links on your site, but it's there. Only a server-side detection system will find that. So it's really important that you kind of keep that in mind that a remote scanner is limited in what it can see, but it should detect most stuff.

Another thing you wanna for monitoring oddities, audit user access. So this is a screenshot of one of my old Microsoft accounts, and you can see that there's weird logins happening at weird times from Korea and Indonesia, and I have not been there. So do you know if anybody on your team is logging in at a weird time from a weird location. You can probably get a tool in place to make sure you're staying on top of that, or that your IT team is staying on top of that. We do for WordPress have a plugin that'll do this. It'll have auditing for user activity. It'll check your file integrity for your core files, let you know if anything's amiss there. It'll remote scan just like Site Check. There's one-click hardening options to help secure your site, and also some post attack recommendations. It also integrates with our firewall if you're a customer. And Pilar on our team wrote a really awesome guide on how to use the WordPress security plugin that you can find at sucuri.net/guides. So if you use WordPress, great option.

And if you don't, if you go to the features on our website and go to detection you can read all about our server-side detection, and it includes remote and server-side monitoring. We have all our awesome research team behind this. They're constantly adding new things to it. We clean tons of hacked sites, and those mediation team members will escalate stuff that they're like, "This is weird." They'll send that to research, and then we can make our server-side monitoring better. We can make our website application firewall better. We also can detect a bunch of different stuff with our detection system, like have your DNS records, have your SSL certificate changed at all. And you can get alerted a number of different ways. We can do Slack. We can do text messages, or if you have a custom integration system we can post to that as well.

The thing everybody really wants to know is how do I stop myself from getting hacked in the first place. Well, there's really only two ways that your website's gonna get attacked at a really high level, if we need to speak like that. There's software vulnerabilities. So it's actually a flaw in code in one of the plugins or themes that you use that's allowing an attacker to get in. Or it's because somebody on your team has a really bad password or something. Some for of user control that's not working out, some form of access control.

Let's first talk about access control. Number one way to stay protected is to enforce passwords. I'm talking about stronger passwords than you think you really need. It's really not enough to just do something like replace the letter O with the number 0, or the letter I with a number 1, because hackers have already done that. They've taken dictionary words. They've taken all the words they can find and scan for on the internet and they've put them into these lists, and they've had computers go ahead and create a number of different of permutations. There's been a number of data breaches where people's passwords have been stolen, and attackers are looking at those lists and multiplying them and learning from them.

So you need to have very long, very complex, very unique passwords, and I highly recommend a password manager to do this for you. It's way easier, at least for me, to have one master password that I know is super crazy complex and that I can update very regularly, and then have it generate passwords for me that are 20 characters long and a bunch of random stuff. Much, much harder to crack.

Beyond that, two-factor or multi-factorial authentication is very important. Anywhere you can activate 2FA please do it. So what this means is that after you type in your password you have to get out your device and open Google authenticator or some app like that, and there's a time-based code that'll expire after 30 seconds or 60 seconds. You have to enter that code in immediately after entering that password. Otherwise you can't get in. So not only would an attacker need to have your password but they'd also need to have your device.

Quick note as well on SMS-based 2FA, it really isn't that good because hackers can spoof mobile phones as well. So they can pretend to have your phone number and get a code, and then get into your account. This is something our CTO Daniel Cid wrote about years and years ago. It's just not as good as using an authenticator app on your device.

And lastly we have the principal of least privilege. Gerson on the marketing team, who is also on the development team now, has actually written an article about the principle of least privilege that you can find on our blog, and this basically means that you grant the level of access that is needed only for as long as it's needed. Don't make everybody an admin. I have people on my team who'd love to have admin to blog, but we only need to grant it for when they need it, and then we take it away. And that just means there's less attack surface. Use your roles and responsibilities really wisely within your organization.

Preventing vulnerabilities exploitation. This is kind of a big one. Applying updates is probably the best thing that you can do on your own, but this requires you to be a step ahead of the black hats. So a great example of this is Drupalgeddon. This was a couple years ago now, but when Drupalgeddon happened system admins only had seven hours to patch their sites. If they had not patched within seven hours their site was compromised. Every Drupal site was compromised in seven hours if they didn't have the patch. So if you're sleeping during that time what are you gonna do, right? So that just tells you how fast it is. Hackers will take the old code and the new code, and they'll run the diff check, and they'll see, "Oh, this is the difference, and obviously there's a security hole there. So I'm just gonna start automating an attack against everything that runs this kind of software. So it can be literally that scary and that fast. You wanna make sure to apply updates automatically. That's why things like automatic updates to your host are really, really valuable.

But beyond that you can also activate the web application firewall. So that'll block attack, even zero days. The latest reports fro the Sucuri firewall have us at 96 or 98% of zero days. And a zero day, just if you're not aware, means a vulnerability that's not actually disclosed yet and it hasn't been patched. So the developers don't even know it's there but the attackers are using it. So our firewall will actually block a lot of those right out of the box. It also mitigates DDoS attacks. So it'll stop those fake traffic attempts from blocking up the pipe into your website so real visitors can get in. We even have emergency DDoS protection, which will admittedly mess up your analytics for a little bit, but if you just need to enable it when you need it in order to make sure your website doesn't look like it's down for everybody it's totally worth it.

The nice thing about that application firewall is it's backed by real security researchers who spend all their time trying to make sure that they're a step ahead of the black hats. And you might think that because the traffic's going to the firewall first and then to your host that it slows things down, but most web application firewalls, including ours, have a content delivery network that actually speeds things up. I'm always surprised logging into customer sites, 'cause sometimes it can be 8,000% faster. I mean, we advertise that it's 70-80% faster, but most smaller sites depending on your architecture have a crazy, crazy change in page speed, which I know marketers love.

All right. The last thing here is creating an incident response plan. So I'll go over backups a little bit in a bit 'cause there's some complications there. But you wanna make sure you documented an emergency response. You know whose role and responsibility it is to recover after a hack, and that you also check out any vendors that you're gonna be working with before you have an issue.

So using the backup to reverse a hacked site. There are some issues there. First of all, which backups, I just wanna quickly say they need to be automatic. You don't wanna be taking those manually. You don't wanna have to think about it. Make sure they're off site. If you store your backups on the same server as your website, all an attacker needs to do is wait until that backup gets outdated, and has some vulnerability in it that you haven't patched, because, I mean, who updates their backups, right? They get into your backup on the same server, get your server configuration file, which allows them to hack your production site. Not good. You also want redundant copies of backups to make sure that if some backup is corrupted that you have other copies available in other locations, and that you've proven and tested the recovery method. I personally have used some WordPress plugins for backups that I found very difficult to actually recover the site. So make sure you've actually tested that process, or that the IT team you work has tested on a test site how to recover if you need to.

Also be aware that 71% of hacked websites contain back doors, and black hats are really tricksy. They will attack a site, put a bunch of back doors in it, and you won't even noticed for a few months that you've been hacked because they haven't put the payload on. And so let's say you get hacked and you're like, "Oh, let's restore our backup from a week ago, and we'll just lose the content we've made in the last week. No big deal." So you restore that backup, but that backup has back doors in it, and there's been back doors in it for maybe weeks or months. So you take all this time to restore your site and then you get reinfected again 'cause the hacker's left a way to get back in.

Really sucks. If possible get your site cleaned is the best way to recover from a hack, but in a pinch you might wanna try it and it might work out for you, and it's always good to have backups just in case you have custom files that are corrupted so badly that you need to clean those as well and restore them.

Make sure you know who your IT team is gonna go to in the event of an incident. Is there people in your IT team who can identify the latest PHP and JavaScript malware? Are they familiar? Are they gonna wanna take responsibility if the site is hacked? How are you as a marketer gonna deal with downtime or scared customers? We have some do it yourself guides on sucuri.net/guides about how to clean hacked websites. We have one specific to each of the major open source CMSs. We have one on how to remove a Google blacklist warning. I recommend checking those out, 'cause it's quite a complex process, especially when it gets to identifying the back doors and that kind of part. So just make sure that it's something that you're willing to take on, or find somebody like us at Sucuri who can be there for you in a pinch.

Just a quick note, because I know a lot of us already work in Google Search Console, this is what it would look like if you're requesting a review for a blacklist. So you have to wait until you're completely to request a review, otherwise it's just gonna add more delays. Once you submit this request it takes about a day or two for Google to get back to it, depending on how busy their teams are. If you go through Sucuri for malware removal, we actually do this step for you. So we have our own Google account that we verify your site temporarily. We submit it, and so Google sees us submitting 400 a day or something, so we generally see them lifted pretty quickly.

So now you're in the security club, but you're not alone. Maybe you're not alone if you run your own brand, if you're the person who's responsible for everything, but if you have team members, IT folks that you can lean on for this, definitely go talk to them about this. Try to see if you can increase the security posture of your brand. You should also talk to your business development teams, because this is part of business continuity. This is part of disaster recovery. Make sure that these get prioritized, and you can be one of those voices for it.

In conclusion, security isn't just the responsibility of your IT team. We each need to take steps to secure our own accounts, and to promote that whenever it comes up within our organization. Secure development, whatever it is. In marketing, if we lose the trust of our visitors, that's it. We're done. They're not gonna buy from is. They're not gonna come back. They're not gonna trust us. It's done. So we need people who are marketers, people like us, who are used to raising awareness. It's our job to create demand, and we can be those people within our organizations.

We're also resourceful. I know that we're in a great position to make the internet a better place as a whole, and what greater mission is there than that?

So we definitely have some time for questions. Thanks so much for joining me, and I look forward to any of your comments.

See Full Transcript

Expand

Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Webinar - Getting Started with Sucuri!

If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed.....

Webinar - Security for Web Agencies

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we....

Webinar - Fire Chat: Reactive and Proactive Protection for Web Agencies

In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face.....

Webinar - Is SSL Enough to Secure Your Website?

It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored.....