 Hi, guys. Good afternoon. We're here for our next presentation. With us here we have Jamie Schmidt. She specializes in content strategy and information architecture. She's the community evangelist at SiteLock. And she's here to talk to you about making security make sense. Thank you. So my name is Jamie Schmidt. I'm the community evangelist at SiteLock. I'm also a freelancer and I've been doing freelance for almost 10 years now, with agencies, doing contract work at enterprise level all the way down to building pro bono websites for nonprofits. So I kind of work in websites on every scale. And I've seen the pain points of all of them. And every single one has pain points. And I'm passionate about WordPress and Drupal, and a content enthusiast. I love to do content strategy. I'm very vague about planning things out before I implement them. And security is one thing that I like to plan out before hacks websites get implemented under my care. So this fits in totally with everything that I believe in. I'm also a proud cat mom in Portland, Oregon. So we're going to cover kind of a bunch of stuff today. But it's not going to be so info heavy that you're going to feel overwhelmed. I'm trying to do the talking in a sort of way where you're going to come out with more of a holistic understanding. And hopefully inspiration on putting some sort of a security strategy in place on your sites. So we're going to talk about securing your own site, your client sites, the benefits of all of those things. And then some security best practices, just very sort of like baseline best practices. And then some strategies for actually integrating that security part into your overall web development phase. So just really quickly, who in here builds websites for people? That's what I figured. Also, who has ever either had their own site hacked or had to fix a hacked site? Yeah, it sucks. It sucks to have it happen to you and have to hire someone to fix it. 
And it also sucks to be the person that has to fix it, because hacked sites are almost never predictable. A lot of times it's never the same thing twice with new clients. Sometimes it is the same thing twice with existing clients, if your only step to fixing a hacked site is to restore a backup, because that doesn't actually fix the vulnerability. So we even move on to the benefits of securing your site. It seems like these are kind of obvious, that there are benefits of securing the site. But the first one is pretty much own your reputation. Website hacks happen all day, every day. I think it's like four to four attacks are attempted on your website, any website, every day. Whether or not they get in really has to do with how locked down and how secure the site is. But it's especially important when you are the person that is providing the website services. A lot of times clients have an idea that since you're the one that built their site, that it's completely secure; it's just sort of assumed that it's not going to get hacked. And it's assumed, usually by the client, that you're the person that is in charge of making sure it doesn't get hacked. That's not necessarily the way that it goes. So a successful attack on the site can make you look bad to your client. If your own site is hacked as developers and someone tries to go to it and Google pops up the notification that it's not a trusted site, that doesn't look good for you. And people aren't going to call you for that. They're going to be like, well, this person's site is hacked, I'm going to go look for someone else. So obviously you don't want your site, your own personal site, to be hacked. And yeah, so having your own site hacked looks bad. So own your reputation; being the first point of a successfully secured site is the best place to start. But then the second thing, the second reason, is getting the client familiar with security best practices, getting yourself familiar with security best practices. 
So that's a part of your sales pitch so that it becomes an ingrained part of what you watch out for, what you're concerned about, what you tell the client about at the beginning of the project. All those things are going to help both you and the client be able to start thinking security from the beginning. So sometimes it's hard to sell that to a client because it's a weird thing where if your site is not hacked, you think, why would I spend money on security services when your site isn't hacked? And I know a lot of times we end up getting new clients because they have a hacked site and they need someone to fix it and the original developer is nowhere to be found. So at that point, yes, they know they need website security and they're probably going to be more open to putting security measures in place after that happens. But you don't want the client to get to the point where their site's hacked in order to convince them that it's important to put the security measures in place. We want to avoid it from the beginning. And then just in general, it's protecting your business. It's protecting your business and your client's business. And you have a lot of goals as being a website provider. You want to make a beautiful site. You want to make a site that's got all the coolest technology, web technology on it. You want it to be able to do really cool things, manage the content. But if the security isn't addressed, none of that really is going to end up mattering because all the clients are going to remember is they built me a site that got hacked. The benefits of securing your client's sites sort of covered that. It's sort of obvious. It's in your best interest to secure the sites that you build. You don't want the client to come back to you with a hacked site and you suddenly don't look professional. 
But especially when you're inheriting websites developed by someone else and I learned this the first time this happened a couple of years ago to me, I inherited a site from a client who's a WooCommerce site and we're talking about how she wanted to update her payment process saying, okay, and then it eventually comes out that the way her payment processing works is through a custom form that a developer built for her and the reason it had to be custom was because she specifically asked him when this credit card payment is processed, can you email me the customer's credit card number? So she was giving all these credit card numbers emailed in to her. And that was a huge red flag for me, obviously because that's a very obvious security issue right there. But just, you know, another thing that that means is her previous developer didn't care about security or maybe he didn't know about it. So what else did he do or she do that could have been really badly implemented? And the thing is, you don't always find out about these things. The clients doesn't necessarily know that there's been bad security practices put into place when their site was built. A lot of times you get inherited a site that's super out of date and maybe plugins haven't been updated in ages. Maybe the last developer had a commercial theme that they edited the code directly and they instructed the client, never ever update your theme because it'll break. So like those kind of things, they happen when you inherit a site. They happen when you're not the person that created the site. Hopefully you're not doing those things, if you don't do those things, you are. But also, interest because hacked sites and calls from clients never come at a convenient time. 
It'll come like while you're away on the weekend or on a Friday night at like nine o'clock at night and a frantic customer that whose site is down or who's just got an email from their hosting company saying that their site has been taken down isn't something you can ignore. You can't just be like, all right, I'll get to it on Monday because that's like super unprofessional and it's leaving out a vulnerability like that up is going to open them to even further attacks. So if they don't happen in the first place, you can avoid all of that and then it just kind of generally is peace of mind. Just doing a review when you inherit a site, doing a review of the security. Is there any security in place? Are the plugins updated? Has core code been edited? That happens sometimes. Looking at all these kind of things, finding them when you first take on a project because these days there's a lot of sites that are already existing. There's new companies coming out all the time that we're building sites from beginning to end from scratch but a lot of times we do get those old sites that have been inherited and it's just really important to take a look at security measures that are in place and if they're not in place then you can be that awesome new developer that they've hired that is thinking about things that their previous developer didn't think of. So the more things that you're like, oh wow, they don't have this in place. That really should be in place. Now suddenly that client is thinking, wow this person really knows their stuff. My last developer didn't say anything about security. So it gives you peace of mind and just makes you look good. So the business benefits. In general, making the internet a safer place for everyone is sort of our responsibility as developers because clients don't know this. They shouldn't necessarily know it if they've never had a website or if nobody has ever told them. As the developers though, we know these things. 
We know how often it happens. We know how easily it happens. So for us to be like the main first point making sure that the sites that you put up are secure is the best way to kind of get the ball rolling to make sure that the client knows to make sure that they're making good decisions moving forward. So I kind of have a little analogy here. I like analogies. I think a lot of times in web development we like to use analogies because sometimes explaining more technical things to clients is hard for them to grasp. So if you can sort of abstract that into an understandable thing it can help them to understand. So who is responsible for security? Yes it is your responsibility to know about it and to tell the clients, but you the client or the web host depending on which of these people you are you would probably think it's the responsibility to gather two. But the truth is it's all three but ultimately it comes down to the client. So the analogy here is an apartment complex. The client lives in an apartment in a big apartment complex. You build the apartment complex and you sold it and that's cool. You built it with locks on the doors. You built it so the windows can't easily be... You built it in order to be somewhat secure. So on the web host they're kind of like the maintenance person in the apartment. They make sure that the locks work if you use them. They make sure that maybe there's a locked lobby that everything that the builder put in place works. And then there's the client who is responsible it is to lock their doors. If they have locks on the door and they're not using them and they get their house broken into you're not going to blame the person that built the house and you're not going to blame the maintenance person because the locks are fully functioning you're just not using them. So being able to use that analogy with clients makes them sort of understand yes, the web host has responsibility. Their responsibility is to making their servers secure. 
So they want to make sure that they're hosting their database and the files in two separate places. They don't want to take on an infected site and suddenly have that site infect all the other websites on the hosting. So they're protecting themselves and then if they do see that your site is compromised they pull it down to make sure that it can infect any of their websites. But the client ultimately is the one that will get in trouble if their site gets hacked and for example credit card numbers is stolen or any of those things. So it's kind of everybody's responsibility. But it can really set your business apart and increase your value by coming up with things that maybe other developers haven't really thought of or they don't want to deal with. So I was a freelancer for about ten years. I eventually learned about a lot of different facets of building an entire website from project management, design, development, security, all those things. And you kind of realize pretty easily the better you get at things the less time you have to spend on each one of those if you want to do a really good job. And as a single freelancer it's not always practical for you to try to do absolutely every single thing. So a lot of freelancers don't talk about security. They don't talk or think about SEO. They don't talk about maintenance packages. So who in here offers a maintenance package to their clients? That's probably maybe a half to a third of everybody who builds websites. That's actually pretty high. But that's because we're awesome developers that go to work camps, right? But a lot of people don't even have those in place because maintenance is kind of a pain in the butt. Sometimes when you're working on a project, you're like, oh my God, thank God it's done. Go, leave me alone. I don't want to see you ever again. This is a nightmare. And you don't really necessarily want to support it anymore because you want to be done with it. 
But adding the maintenance and the security maintenance in with it can actually give you additional revenue. So I know it's a freelancer for me. It was always hard. There's always a concern that once this project is done, what's my next project? And if you're only going both project to project and lining up the projects without any sort of recurring revenue in place, then yeah, it can get a little bit scary if you don't have clients lined up. That's the whole freelance or feast or famine. Right after you get paid, you're super rich. And then at the end of the project, you don't have a new project coming in and you're sort of poor and you've got to wait until the next one comes up. Adding in these security services and the maintenance services can give you this residual income. And so maybe now instead of just going big project to big project, you do a big project, so then you also need five clients who you're doing maintenance for and maybe each of those clients brings in $150 a month. So right there, that's like $750 bucks that wasn't coming in. And really, most maintenance that you do really isn't all that hard. It's making sure you're keeping things updated, making sure you're checking any kind of security reports. And a lot of that, if there's no issues, a lot of that can be done 10 minutes a month, maybe, for each client. But you're sitting there, again, you're sitting there watching it, so you're catching things instead of fixing them after they get hacked. So the benefits of communicating the need for security. Why would you bring it up with a client in the first place? It's sort of obvious, but we want to sort of communicate three things. A lot of times when you try to start talking, technical things with clients, they tune out or they start to feel overwhelmed or they start to feel like they're not, they don't understand enough to make a decision about things. 
So if you break it down into some security best practices, each section of it, just kind of break it down in an easy to understand chunk. You can sell those little chunks a little bit better. So one of the first questions is why do people hack websites? One of them is just because they wanted to face the site. They want to take down your site in its place, be Haxor was here, cool, yeah, you did it, right? And those were happening for a long time in the 90s and the 2000s, but nowadays you don't see that so much. And the reason is because right now it's mainly a lot of bots that are automating these attacks. And so you don't have someone like this kid sitting in his parent's basement that's like trying to hack the planet. That doesn't really happen anymore. But the biggest reason is for a financial gain. So they're trying to automate some kind of an injection into your site or maybe a redirect to another site where they're going to try to direct people to a fake version of your bank so you can log in and they get your information. Or they're going to try to weasel in into your server and try to look at whatever you have saved in your database, maybe you have some client information, all those things. So it's mainly for financial gain and it's not often someone just literally sitting there trying different passwords. Like that flat out doesn't really ever happen. So the word malware actually stands for malicious software. It's like software, it's not like people. It's automated malware that is being scanned. Your website is being scanned for any sort of vulnerabilities. And if they see this vulnerability they automate something that was built just to pop in through that vulnerability. Which is the reason that pretty much the number one and best thing that you can do to secure your site is to keep it updated. Wordpress being completely open source. 
When we release patches to security patches we most of the time will immediately publish that and tell them oh yeah there was this vulnerability. So now that that vulnerability is known spam or hackers malware malware bots they know exactly what that vulnerability is. A lot of time they can even put that vulnerability into Google and return with a list of websites that have it. So they immediately see everybody that has that vulnerability in. One thing that Wordpress did in the past few years was automated updating. And this is very important and it's very good that they did this because when updating was not automated people would leave their sites forever never update and they would miss all those security patches. So Wordpress sort of has a reputation for being insecure and it's not true Wordpress isn't insecure but the people who own the websites aren't maintaining it properly for it to be secure. Yes, Wordpress version 1.3 is insecure nobody's running it because everybody's upgraded. So keeping things updated number one thing but when are these attacks happening? The answer is literally all the time it's not just happening to small businesses or it's not just happening to enterprise level it's anyone. If they can do a scan a search through all the websites on Google and find this one vulnerability and find all the sites that could be someone as big as CNN it could be someone as small as Jones flour shop they literally don't care they will attack every single site that comes up. 
So I'm going to just quickly show you this Norse antivirus thing if you go to this Norse antivirus.com or something this is a little bit of a live data visualization they have created and it's just a small example of site attacks that are happening constantly so these are all live and this actually isn't all the sites that are all the attacks that are being attempted if we were to try to show them all my computer would crash like we would consume the bandwidth of this entire Wi-Fi because there's so many so they sort of average it down and this isn't actually just people's hacked sites this is just a small portion of honey pots that Norton has set up to try to attract these automated these automated malware bots and they created just an idea of how many things are being attacked there's no vulnerability here because they created it up it's sort of like that T-Shell bait car where they put the car in place to get it stolen and then as soon as someone takes off they turn the car off it's sort of like this it's not real websites but it's it's things that have vulnerabilities that do exist in other websites and it's happening constantly so not a question of when does it happen because it's literally always happening so five simple web security best practices if you can go through these five and get the clients to understand all these things and to implement all these things and if you can implement all these things you're going to mitigate most of the attacks that are going to be happening on your website and it sounds like that's a little bit oversimplified but it is it's true so the first one is backups this isn't really a security measure it's more of a recovery measure creating backups to your files and your databases to make sure that if something does happen you can backup and you can restore previous version of your backup while that backup is working you can then take the hack site you can trace back to find the vulnerability stressing though that just 
restoring backup is not going to fix your site because that backup probably still has a vulnerability in it too so once you restore backup you have to go and you have to figure out what was wrong fix it and then push those changes live but having the backup on hand all the time is going to be the number one thing that will help you get a grasp on what's going on and be able to start fixing things really quickly so updates technically this is number one this is the number one thing that you can do to make sure that the most basic reasons you would possibly have hacked are mitigated so it's not just WordPress core so like I said WordPress core just do automated updates but a lot of those updates that core does means that the way plugins and themes work they have to also update process things so a lot of big issues come because maybe you do have WordPress up to date but you don't have your plugins up to date so that vulnerability could still be inside of one of the plugins so it's important to update the plugins the themes if you have a commercial theme or any kind of a theme that's not custom made and core if your theme is custom made hopefully the person who created it has good security knowledge also not going to want a custom development but keep everything updated strong passwords unique passwords so in general the number one security fail across everywhere is the it's on the human end of things it's not on the software writing very insecure passwords like the word password like the password 1111 all those that's basically leaving your door unlocked and if you're locking your door if they do get past the gates, if they do get past the locked lobby your door can also try to stop them there's a website it looks up it looks up your email and your associated passwords and it lets you know if that those passwords have been discovered anywhere so you can kind of take a look login with your whatever user accounts you use and see if they know your password, if they do 
know your password you probably can do it so firewalls and CDNs now we're getting into services it's not practical for you to go out and build a firewall or a CDN so these are service things firewall it acts sort of as a big gate around your apartment complex so a lot of things are being stopped before they even get to your apartment because they hit that firewall and they just bounce back they can't get in and all so there's so many things that can be stopped by just having a good firewall there's options there's a free firewall that you can download in the plugins directory I don't remember exactly a lot of security software plugins offer a firewall so that's a really good number one thing CDNs, so CDN is a content delivery network that means that it takes all of your files instead of sitting on your own hosting wherever your hosting is it takes those files it duplicates them onto a CDN and so now those files are hosted and they're being accessed at someone else's server it can speed up your site too because the CDNs are typically they have 100 different servers around the world so instead of pulling it from one place it's pulling them from a lot of places but those two things go a really long way towards starting to protect your website and then continuous monitoring so this basically means if Google detects there's some sort of malware on your website it's going to affect your SEO ranking it's going to show a little notification that hey this site is suspicious do you want to continue and it basically exists as blacklisting you you don't want that to happen so you want to be able to have an automated website scanner that is constantly looking at your files and checking to see if anything's changed so if you're updating a plugin obviously the files are going to change if you're just updating your content on your website it's probably just staying in the database but checking out the files, if the files are changing without your knowledge and it's not because of 
an update that means that someone got in and is making changes maybe they've written a script that is sending out crazy amounts of emails maybe they've written something that is spying on what you do there's so many different things but being able to monitor when those files change and being able to get that file out of there when it does change or restore it to a better version can stop it before any attack happens as a result of that being in there security in the project scope so this is sort of all leading to this part right here including in the scope right away it's a thing who includes security considerations when they create their RFP so okay that's like not many, that was like four people using their hands to forget it's an easy thing to not include in there but including in your project scope from the beginning and saying hey this is a priority we need to address these things it's part of the project it's part of the work that I do for you I don't build a website unless it has these security measures in place because I'm smart that sets the stage for now you don't really compromise on that it's not going to be like nah I don't want the security it's not a question you say it's a part of the process and then you maybe build that in with your existing scope or you set it out as maybe it costs X amount of money to implement something so including the scope just makes you look more professional it makes your client trust you more one thing that when I was doing a lot of freelance one thing that I've had project managers say to me is that they really appreciate how honest I am with them and that makes them trust the things that I say and do a lot of times I know as developers we get this sort of imposter syndrome where we're like okay we can't let everybody know we don't know how to do something because people immediately think we're a failure we don't belong here blah blah and that's really not true especially in my experience with clients if there's 
something that I don't know how to do or I've never done it before I tell them I've never done this before so I'm just going to let you know that I'm sort of estimating it's going to be this but the further we get we might find out it's actually this so like that amount of transparency makes them assume that you're telling the truth about all the other things also so having that trust with the client they're going to trust you when you say you need a firewall they're going to trust you when you say know your password can't be the word password to keep them informed from the beginning I guarantee you they're not thinking about security probably not thinking about security unless they were just hacked because if you think about that old cartoon from the the oatmeal where they're like at the beginning of the website project beautiful project and everyone's excited and the design is beautiful and everyone's like it's going to soar like an eagle in the sky it's going to be amazing and gorgeous and then as the project breaks down everyone's just super depressed and they just want it to get over with in the beginning of the project you're just thinking all really good things and cool things that you're going to do like if you're doing a redesign and they're existing site looks really crappy you're just like oh my god this is better this is going to look so good in my portfolio they're using whatever manual system that they're using in order to do reservations or blah blah once I automated this with WordPress and saved them so much time so you're thinking about all the good things that you're going to do and all the positive ways that you are going to affect their business you're not really thinking about the security because you're not thinking about bad things that can happen so if you include it as part of the beginning and you say to them this is an important factor in building this website then it's already set the stage for them to be thinking about it okay so 
quickly backups one very important thing is to host backups on a different server so personal experience story time again I had to migrate a WooConner site this was just a last year and we were migrating from some smaller host to site ground and and it wasn't a big site you know they had maybe 200 products and so I went to try to migrate the site and I was looking and it said the site was like 90 gigabytes and I'm like why is your site so big oh we have a lot of products I'm like okay alright you know a lot of times people are uploading huge images I was like possible okay that's feasible so we moved them over my bad for not taking a look into that more deeply we moved them over and we realized that we were at such a high level posting that was kind of a cost of money and I'm like okay I should go in and look at this what are we doing here where we got here and the files look pretty normal at first and I was like nothing here is like really suspicious but then there was the one folder I don't remember what they were using for backups but it had its own separate folder and I loved and they had backups of their site in that site folder since like 2009 so and posting backups on a different server is important for that reason right because it's like ridiculously huge but if somebody gets into your site and they're looking maybe through FTP or whatever and they're looking for your files there is a lot of like the database will be stored in there a lot of times and they literally have access to absolutely everything once they have one of your full site backups so make sure that your backups are being hosted not on your websites most web hosts will have if they have automated backups they will usually have them on a separate server just make sure that you're not saving them under the same server so backups you can get them through your host a lot of times hosting companies will try to make their backups more efficient to save time and space etc so they won't actually do a 
fully restorable backup they'll do a backup that is sort of like for certain parts and then like they kind of get their little tentacles in the rest of the backup and it's like kind of useless if you want to migrate it someplace else a lot of good amount of hosts do this not all of them but just make sure that your backup is fully restorable also make sure that you actually have access to the backup some hosts make backups but it's only for their own access in case technical support needs to do something for you that you just paid them money for so even though they're doing all these backups you might not even be able to use them at all in case your site goes down unless you give them money sometimes it's a slainly higher hosting level sometimes you have to go in and manually do it yourself just make sure that if there is backups happening make sure you understand what kind of backups they are and make sure you have access to them because if they're not restorable and if you don't have access to them it's basically like you don't have backups at all there's WordPress plugins that you can actually use to do these automated backups WellPress, BackupBuddy, Uptrop Plus all of them have paid versions I think they all have free versions WellPress is automatic the company automatic and they can all be automated so that it's automatically making backups and they can also you can customize where those backups are being saved so not on your not on your files you're saving them someplace else email, you know, wherever you can also automate with a backup script this is advanced developer-y things or you can do manual backups manual backups kind of stuff you don't really want to have to do that if you're going through an FTP program downloading files it takes forever so you can go into your PHP MyAdmin and get a zip of your database save all that together it's fine but when you have when you have to do this once a month and maybe you have 5 clients you don't be wasting time on 
that. You want something that's going to be automated. In a pinch, though, you can do a manual backup. So, benefits of including security as a service: when you mention it in the beginning and then when you mention it again in the scope, it sort of sets you up to be able to demand a higher price for your services, because you're going to be giving them more than they would otherwise get. Now that you're starting to include the security, it makes sense that now your services are more valuable. So, maintenance plans. I recommend, if you want to do maintenance plans, have maybe three levels at the most, maybe via. So maybe the first level is, I will literally just have something watching your site and telling me if a file to do this right. Or you can go all the way to something that's much more in depth and be like, I will make sure I'm watching your site, if anything happens I will pull it out, I will manage the file. You can do whatever you think you have time for, whatever you think you want to do. You can offer it at different services and then list them on your website. You can even type a monthly subscription. One thing that's awesome is recurring billing. Like, having recurring billing coming in as a part of your income is super awesome. You know, every month on next day of the month you need to give a file a cash, and that you would normally be having that if you didn't have the maintenance packages, you didn't have the security packages. So you can even be doing that, setting up the recurring billing, if they are paying you on your website. Easy Digital Downloads, Ultimate Membership Pro can all do that. PayPal Payments Pro. Automate the billing so you are not just chasing down clients and creating a new invoice, sending a new invoice, waiting for them to get back to you. So if you can automate it, why not? Or you can just have it as an add-on service. So, one-time cleanup of a hacked site; initial setup, just getting them set up with that firewall, getting them set up with the file monitoring; or just an
evaluation and review, which is what I should have done with the client that was emailing, you know, credit card information. Tell them, I can take a look at it and I'll review it, and if I see things we can discuss, and then I can quote the fix as well. Or just sort of read the consultation. Okay, so the benefits of automating those things: obvious, kind of like what I said with automating your backups. Being able to automate these things means that you're not constantly just going in, logging into every single website: are there updates? Yes. Update, update, update, update. And if you have to do that with 5-10 websites a week, that's going to take a lot of time. So there are services out there: ManageWP, InfiniteWP. My company, SiteLock, also has a thing where you have a dashboard that you can take a look at all of your sites adding lamps, and then all of these lists out all the websites that you might have, and it can tell you this was affected, it can tell you which sites have plugins that need to be updated. So having all your sites managed and accessed in one place, you can see where the problems are, you can do those updates. I recommend doing updates on staging, not online, for obvious reasons, right? But use the schedule. So once you start doing this, having a schedule to remind you, like, oh, this day I have to do these maintenance tasks, makes it so that you're not sitting there at the end of the month spending way more time than you thought you were going to be, or worse, that you completely forgot to do it. Because having a client paying you for things that you're not doing is bad. And then password management. This is a really cool thing that you can just tell the client about and start using yourself. Things like LastPass and 1Password, they're repositories that save all your passwords encrypted. I use LastPass. It has a browser extension. When you go to a website it can be like, hey, I see you're on this website, fill the login and password. And doing that means you don't have to try to
memorize passwords. So you can have those ridiculous uppercase R, lowercase c passwords, because you don't have to memorize them. And getting a client set up with something like this means that they're creating passwords that they don't have to memorize either. So even just getting set up with this is a super big help. Just to summarize: your site and your client's site, included in the scope, best practices, maintenance, and reporting. That's the end. I wanted to go back to something you mentioned about being honest with your clients. I was wondering if you could talk to my wife about that, because she yells at me. I mean, I'm serious. We have a client who is also a friend of hers, and she keeps telling me that you don't know this, she thinks that you mean you don't know it at all. She doesn't know that you don't know the latest version of whatever. I wanted to kind of... Yes, so that's a matter of saying that you don't know something in the right way. Something about being in a job interview and they're like, what are your worst attributes? What is the worst thing about yourself? You're like, oh, I'm late to everything, I never finish a job, you know, like, I don't get along with anyone. Like, I pretty much just stop. Like, you don't say that, even if it's partially true. Maybe you're gonna say, I've never worked with it in this capacity, I've never worked with it on this hosting, I've never worked with it with this third party service on this budget. So make sure you say, I've never worked on this exactly, but, and then you say, yeah, pieces of excited in a way that is a positive. Just like in the job interviews, like, you know, I'm late sometimes, but then I'll stay an extra two hours every night. Be clearly there. Yeah, be clearly there. Was there anything else? What was the "Have I Been" password domain again, the thing that you could check? Oh, this one? No. Yeah. Oh, oh boy, what was that? That's okay. Oh, there: haveibeenpwned.com. You can just Google that, but it is Have I Been Pwned. It's haveibeenpwned.com slash
passwords. Most famous in spain. The recurring revenue slide? Okay, so the recurring revenue slide. Oh yeah, these are just three examples of how you can do that. There's a lot more out there. EDD and Ultimate Membership are WordPress plugins. Ultimate Membership is a membership plugin. You don't necessarily have to have a membership site in order to use it, but it sort of makes sense that each one of your clients that's using that would be a member of that service. And then Easy Digital Downloads is payment processing and sales for digital files, but they do automated billing. There's an add-on for it. So I wanted to ask about breach. So it's better happening, our sites might get hacked or some of our data might get out there on the left, and you're up there using law that requires people to ethically disclose when you get breached, and then you ask them not to talk about law yet. That might happen, but I wanted to know how you talk to a client or talk to a website owner about this conversation. How do you tell your users that they may have been hacked or something may have happened, or how do you tell your client that may have happened, and if you even thought so? So unfortunately I've never had to tell a client that they now have to tell all of their customers that they have lost all of their content or their information has been breached. I don't have the answer on how to say that to people. But it has happened where a site that I built has been hacked, and, you know, if you have these processes in place then that's sort of easy. It's like, oh, they got through on XXY because this update wasn't updated. If it's literally your fault, then it's your fault. Maybe the issue happened and you weren't due to check the updates for another two weeks. A way to sort of mitigate that is to try to be aware of updates that all your plugins have coming in. You can get a mailing list. Once you have these different plugins, they'll usually email you when a new version comes out, or if a big
security vulnerability is happening in core, you can assume that your plugins are going to be updated after that. If it happened as a result of them saying no to the security thing, that's pretty easy. You're like, well, I told you. That'll be $500, nice, to fix it. It's actually kind of a big deal, because under this new law, GDPR, you as a website agency could be considered a data processor beyond just the controller rights, so you can carry some legal possibilities, potentially, if you're dealing with your data. Yes, so the GDPR is a big thing that's coming down, and the funny thing is it's not just if you're living in Europe. It's if anybody that comes to one of your client sites lives in Europe, they're protected. Everyone's protected. I don't have the answer to that. It's a big discussion right now. I don't think anybody has a great answer for it. It's easier, like, you're in Europe, automatically you have to do these things. It's harder to be doing it in other countries where we don't have that law, we don't have to do it. I don't have an answer for that, and I think that in the coming months and years it'll probably be worked out a lot better. Maybe we will adopt our own version of it, maybe, I don't know. Shameless plug: we are doing a panel at WordCamp Orange County about GDPR, and I can tell you security is going to be a major part of what we're talking about. Awesome. Well, I will be there. So he said that at WordCamp Orange County they're doing a big panel on the GDPR and security is a big part, so if you can make it up to that, that would be cool. Tickets are still on sale. Thank you. Thank you.