Thank you, Megan, appreciate it. Hi, everybody. Oh, thank you, that's so kind. Who's having a great WordCamp this weekend? I am. Thanks for having me, and thanks for coming to this session, Making Security Make Sense to Users and Clients.

So I'd like to start just by getting to know you a little bit. How many of you are actively building sites for clients? Okay, most of you, good. How many of you are managing those sites on an ongoing basis via a maintenance plan or program? Okay, cool. So this talk is for you. My intention is to provide some useful tips for growing your freelance or agency business and providing extra value to your clients.

So, a little bit about who I am. My name is Adam Warner. I'm the open source community manager for SiteLock. I co-founded a plugin business named FooPlugins, and I'm passionate about website security; I'm going to tell you exactly why in just a few minutes. I'm a fan of fractals, a proud dad, and these other things. I can be found on Twitter at @wpmodder. Feel free to tweet me anytime. I go back and forth on my preferred social channels, and right now it's Twitter.

So what we're going to cover today: today's focus is to show how to communicate the importance of security to your clients. We're going to cover all these things: how to build security into your projects from day one, and some simple security best practices that don't take long to set up but can make a world of difference for your site and your client sites. And again, my goal is to make your job easier and more secure with the sites that you build, and ultimately more profitable for your freelance or agency business.

So let's start with securing your own site. I'd like to talk about why securing your own site is a good first step in terms of being a web development provider.
We all know it's important to secure our sites, but it's really important to secure it if you're actively building client sites. The first reason is reputation. Website hacks happen all day and every day, and I'll talk more about the why and the how of that in a few minutes, but security becomes especially important when you're providing that service. A successful attack on your own site could directly impact your revenue, tarnish your reputation and degrade customer loyalty. What I mean by that is: what if I'm looking for website design or web development in Asheville, and I get to your site and it has been hacked? I see a message from Google Chrome that says this site may be unsafe. Maybe you don't know that. Well, what's going to happen to me as a potential customer? I'm going to immediately associate your brand with a negative thought. I'm not going to send you a contact, I'm not going to fill out your form, I'm not going to make a phone call, and worst case scenario, I'm going to tell other people in my business network, "Oh yeah, I went to that provider and their site was hacked." So, you know, not cool, right? So reputation protection is one of the main reasons for protecting your own site and monitoring that on an ongoing basis to make sure nothing bad has happened.

The next reason is to become familiar with security best practices. I like to say I never recommend something to my clients that I haven't used myself. Never. Except what I really mean is, I would never do that again, right?
So I've failed clients before because I didn't do my due diligence on the products and services that I was recommending to them and then building into their own sites. I've since learned my lesson. So in terms of becoming familiar with security best practices, it's about eating our own dog food, right? Securing your own site gives you that practice, that familiarity with what it takes to secure a website and monitor that website on an ongoing basis.

Number three is protecting your business. It's pretty clear, right? If you have a site that's not hacked, your business is better by default. And here is the story about why I became passionate about website security. Is anybody not familiar with WordPress multisite? Raise your hand. It's okay if you're not. Okay, so WordPress multisite is, in short, an installation of WordPress where you can run multiple WordPress instances under the one installation of that software. In 2006 or 2007 I started a WordPress multisite platform for artists and creatives of all types. It was called Indie Lab, where you could come if you were a painter or a musician and sign up for your own WordPress-powered website. It wasn't marketed as WordPress; it was just "come get your own website and blog," and it was pretty successful. I was working a day job at the time for an audiobook publisher. I had found WordPress in 2005, so I had been experimenting for a couple of years with what I could do with it, and this was my first attempt at an online business. It got pretty popular. I had several hundred users, and then I took a cue from others in the space and started adding features in the way of additional plugins, and then making those features available to paid users so they could upgrade for ten bucks a month or twenty bucks a month and get access to additional features. It was going so well that I was about two weeks away from putting in my two weeks' notice at my day job, and I thought, wow, I'm a tech entrepreneur.
I'm so cool. Ego took over a little bit, and then I woke up one morning to a bunch of emails in my inbox, and guess what those emails were about? They were about: my site is down, can you help? Why is your site down? Can you help? Can you help fix it? The site got hacked, and at that time I hadn't even given a thought to website security in any meaningful way. So I tried to fix it. At the time, WordPress multisite was a separate thing from WordPress and there was a separate forums area, so I reached out there, and there was a couple in Canada named Ron and Andrea Rennick. If you're in the space, you probably know who they are. They were helping me figure out what was going on, teaching me how to look for things, how to look for hacks, because I'm not a developer. I'm a straight-up implementer. I can put stuff together and make it work, but if you throw some code at me, it's not going to go well. So I was able to fix it and reply to all the people who were anxious and upset that their sites were down, especially the paying ones, in a couple of days. And then the next week it happened again. And then the next week it happened again. And now we've gone from frustration to anger to bad customer service, because people are paying for something they're not getting.

So, long story short, I ended up closing that business because I didn't have the skills, and there were no services to come and clean up the hack and protect the site, at least not that I was aware of. So I closed it, I refunded everybody's money, and I shut it down. And then, can anybody guess what happened after that? I kept my day job, for sure. I certainly did. I narrowly escaped that one. Yes? Well, they did, that's true, people still kept coming. But what happened is I got pretty depressed, right?
I mean, it wasn't severe, but I was pretty down in the dumps for a while. The silver lining is I understood how important website security can be, especially if you're running a business online. So that's what started my journey with website security. And, you know, I never like to use the word expert, because I'm certainly no expert at website security, but I'm very familiar with the best practices and what it means specifically for your business.

So with that in mind, I'd like to talk about the benefits of securing your client sites. Let's assume you've got yours secured. You're good. You've put in the best practices, which I'll talk about in a few minutes. So what about your client sites? Are you actively implementing basic security best practices before you hand over those sites? That's the question I'd like you to remember: am I doing something for my clients as part of my business before I hand it over? So I'd like to talk about why securing your client sites is important to both your immediate and your long-term business, and this one's pretty obvious. Has anyone ever received an email or a phone call from a client at midnight on a Saturday, maybe during the after-party last night, and they've said, "I have an emergency, my site is down, my customers are saying my site is redirecting to a Viagra pharmacy site," or any number of adult sites? So that can and does happen. Has anybody ever experienced a support call at an inopportune time? Okay, so I'm not alone. Good. So I feel that it's our responsibility, because of that past experience, as the technical contact for our client, to make sure that we can fix whatever problem they're experiencing.

Securing your client sites before the handoff will save you time, money and headaches, and even if it's out of the project scope, as providers I believe it's our very important responsibility to at least educate our clients about website security, about malicious software and what can be done with it. And even if they don't want you to do any of that, they say it's not important, then the onus is on them. Peace of mind, obviously: peace of mind for you and your clients.

But let's talk about education, the business benefits of educating clients about security. So there's a lot of benefits to that. It's a benefit to your business. It's about spreading awareness too, and that's another reason why I talk about this topic: because I want to spread awareness of website security as it relates specifically to entrepreneurial types like all of you, to your business. Awareness is important. That makes the internet a safer place, ultimately, for you, for me, for anyone. It's an incredible tool for communication, connecting with others and building a business. Does anybody remember when there was no internet as we know it today? Okay, a pretty good portion of us. I bought my first computer in 1994. I had had video games and stuff before that, but my very own first computer, in 1994, from RadioShack: it was a Tandy Sensation.
It had four megabytes of memory, or space, one of the two, and it cost $1,700. And that was the beginning of when I started getting bad credit in college, but that's a different story. So I've seen the growth of the internet, like many of us have, as a communication tool, of course, for connecting with others, but also the incredibly wide scope of businesses that you can build, and WordPress, now powering 30-plus percent of the internet, is the tool that we've all chosen to use to do that. So making the internet a safer place is super important for all of us here in business, but also for the human race as a whole. During the keynote, if anybody saw that, the picture of what the internet actually is, cables underground and stuff: it's a pretty fragile thing. So if we can make one part of it safer, I'd like to spread that awareness.

So then the question becomes, when you're talking to clients about website security, the question always is: well, who's responsible for that? Does anybody have the answer to this question, or an opinion on it? Just yell it out. Yes? Good answer, you win the golden nugget. Yes, so ultimately every person associated with a website at any level is responsible for little pieces of it and the security of it. So I like to think of it a bit like this: your web host is the one that has built the apartment complex. Your web host is primarily responsible for making sure that the gate closes, that the key cards work, that the lights in the parking lot are always on and working, right? They're responsible primarily for the environment where the apartment building lives. As freelancers, agency owners, website development providers, it's our responsibility to secure those buildings within that complex, and the building is that website.
We have to make sure that we build it and everything is up to code. We have to make sure that the walls aren't going to fall down and there's no exposed wires. In other words, you know, make sure that that site is as secure as it can be from the very beginning. And then the website owner, and this is part of that education, and feel free to use this analogy with your clients because I find that it works pretty well: the website owner is then responsible for the individual apartment within that building, within that complex. Right? So you don't leave your house and leave the doors unlocked and the windows open, just like a client shouldn't leave their website unattended and insecure and not have some best practices in. They need to lock their doors just as well as the building and apartment complex does.

So another benefit of educating your clients on security is to set your business apart and increase your value. Excuse me. So if you're educating your clients from the very first phone call, the very first email contact, it becomes much easier at the very end to have them understand the importance of security and buy into that within your maintenance plans. So you can expand that into educating them on what website security is as it pertains to their particular business goals, and you can quickly position yourself as an expert to become more valuable to your client, right? So if there's web agency A and web agency B, and I'm going to both of them as a potential client, and one is talking about everything that this one's talking about, but they're including security as it relates to their business goals and they're using that analogy, I personally am going to tend to look at that company or that individual as someone who cares more about partnering in the growth of my business rather than just selling me on a recurring maintenance plan because they can. So it does start with the first contact. The other benefit to education is additional revenue, right?
You can demand higher prices if you've positioned yourself and differentiated yourself from other freelancers and agencies in terms of talking about and educating on security. You can demand that higher initial price or that higher recurring fee, in the way of residual income. Even if they don't buy into your maintenance plan, at least they know exactly where you stand, so if something bad does happen, maybe they'll remember that and come back to you, and then you can convert them to a customer of yours. You can go from, you know, a five-hundred-dollar minimum job to ten or fifty grand, depending on how you communicate the value of working with you, and security is part of that.

So, communicating the need for security effectively. How many people have talked to clients and clients go, "I don't understand what you're talking about, I don't want to hear anything about that," or they say, "Well, my cat blog really, you know, isn't at risk. I don't need website security"? So many clients have an averse reaction to talking about website security because, A, I think it's just a misunderstood thing. There's assumptions that are made that it's too difficult for most people, but it's not. So how do you explain the subject of website security in terms that your clients will easily digest and want to understand? It comes down to three things. If we break it down into these three things, it becomes much easier to continue that conversation, and the first is why: why websites get hacked, why malware exists. Even if it's a two- or three- or five-page brochure-type site, why is security important for that kind of site? And the answer is: every website on the internet has a potential open door and a potential vulnerability, based on a bunch of different variables. So if you put it to your clients like that and then continue with why sites get hacked, you'll have a much better time.

So one of the reasons why websites get hacked that I recommend communicating is known as the defacement, because this is what most people are familiar with. It's not the most popular hack, but it's the most visible one to a lot of people. If anybody remembers, we did have a presidential election a couple of years ago, and during that election, and I'm not getting political, one of the candidates' campaign sites was hacked, and they had a big hero image, a big banner with their slogan on it, and that slogan, due to a hack, could be changed to whatever you wanted it to say. "I like turtles" was one of the most tame ones that was seen, but that was seen by millions of people. That's a defacement. So that's what most clients think of, that it's like that. "Well, why would anybody want to do that to my site?" You explain that it's not that; really, that's not what they want. They want to use your resources. They want to hack your site so they can use your website, your visitors, your server resources to continue to spread their malicious software. And why does malicious software exist? What's the point? Because a lot of it is designed to make the person who's released it money. There are companies, there are places out there that pay per click. So if I hack a site that has a hundred visitors per month, and then that site is on the same server as another one of my sites that has a hundred thousand visits a month, and then it goes to multiple websites, you can see the extrapolation of potential, right? Even if I'm earning half a penny per click, there's a lot of money to be made in malicious software and hacking, and that's why primarily most of it happens. There's a bunch of other reasons, religious or political ideals, messages, that sort of thing, but by far it's financial gain. So that's the why of websites getting hacked, and that's why it doesn't matter that it's a five-page site: it's a potential door into the rest of the internet.

So who is hacking, and how?
Well, when we think of hackers, we think stereotypically that it's some angsty, super-smart teenager in a hoodie in their mom's basement, right? Angry at someone and targeting individuals. But that's the rare case, right? It's these automated scripts. Someone has written them originally, but people go to black hat sites or the dark web and they find these scripts and they change it up a little bit, maybe to put their name on there, so it's about 15 minutes of fame for people who are known as script kiddies, where they take something and change it around and get a little fame: "Look what I did." But primarily it's someone who wants to take a shortcut to a financial gain.

So how do website compromises happen? Well, they happen in a lot of ways, but in the interest of keeping it simple, and I've said this before, it comes down to vulnerabilities found at various access points. So access points can include your local machine. It can include outdated software on your server: WordPress, plugins, themes, any other software that you may have installed on that server that needs to be updated. Weak passwords is a big one, and I'll talk a little more about that in a minute. And newly discovered vulnerabilities in already up-to-date software. We've all seen WordPress have updates that include security patches; that's why. And then you tell them when hacks happen, and I've already said this, but hacks happen all day, every day. And in the big scheme of things, we did a quarterly security report internally, which is public now, and the average website receives 44 attacks per day, or 16,000 hack attempts every year. And this is live. I thought it was behind me. This is just a few seconds of a live view of hack attempts that are happening around the world. I couldn't make that one loop, sorry. That's why I keep switching back and forth.
That's from Norse Security. So when you show them something like this, it really helps to get the visual and understand more about security and why it's important. So you've got your three things, the what, the how, the why, and then you can communicate these best practices. And as you are talking about this from the very beginning, you're talking about this in your project proposal, I'm sorry, in the scope, then in the proposal, and then at the very end in the contract.

Backups. We all know backups are important. Is there anyone here who isn't super familiar with what backups are and what's getting backed up? If you're not familiar, that's fine. Okay, so backups, regular backups, having a backup schedule is something that you would typically put in your maintenance program. All of this is.

Software updates. It's critical: WordPress core, plugins, themes, and again any other software that you have running on the server. I don't know about you guys and gals, but I'm a shiny-object guy. I see a new plugin and I go, "Ooh," or I go to script delicious and I go, "Ah, this is a cool little application, let's try that," and then it gets installed on my server and I forget about it. And that's software, that's code that's just sitting there, ripe to be exploited. So updates, and having regular updates, is super important. If you have your laptop out, I welcome you to go to this URL to see it.
I'll show you an example of what that is in a minute, but strong passwords and unique passwords: how many of us are using super-strong passwords for every single login we have? Great, good. So this is something you can communicate to your clients as well as being super important: strong and unique passwords everywhere. And they're going to say, "There's no way I can remember that," and then you tell them about password managers, and you tell them about LastPass and 1Password and KeePass and Dashlane. But then the question becomes, well, what if that password manager service gets hacked? It happened; it happens. So when you think about security, I like to think about it as a radius, a big circle, and there's no such thing as 100% security in life or on the internet. It's about reducing that attack surface and closing as many of those open doors as possible to mitigate risk.

Has anybody gone to that URL yet? No? Okay. Well, when you go there, you can put in a password that you have used before, or that you reuse, and it will tell you if that password has been seen in a compromise, in a hack, anywhere. So this is one of my passwords that I used to use. Did it come from the Equifax hack of 140 million Americans and people abroad? Who knows, I don't know. Did it come from my laptop? Did I go to a site and there was a drive-by download of keylogger software and they found out my password? I don't know. So the only way to really combat this is to have strong and unique passwords everywhere.

And then the number four best practice is to utilize a firewall and CDN. Yes, sir? Yep, thank you for mentioning that and bringing that up. What he was saying, for the benefit of the video, if you didn't hear him: there is a plugin that will check that same service, Have I Been Pwned, and it will check your WordPress installation and all your users and the passwords to make sure that none in there have been compromised. That's in the repo? Yeah, Julian, okay. So if you search the plugin repo for that. Perfect, good advice, thank you.

So, is there anyone that's not familiar with what a firewall is? There's two different types of firewalls. I just like to tell the difference between the two: there's a network firewall and there's a web application firewall. And this probably maybe should be moved up to number one, because firewalls are super important and they can do a lot to protect your site. Network firewalls are typically used by hosts to protect their internal network of servers. A web application firewall is used by individuals and individual websites, and what it is, it's a hardware and software solution that sits between someone over here with their browser loading your domain name and your site; it goes through the firewall first, and then it gets to your web server to retrieve the files needed to display your site. That web application firewall is designed to recognize and automatically stop bad internet traffic, a.k.a. automated bots, malicious software. I had a site when I first used a firewall; I used to write WordPress tutorials and stuff as part of that journey, and I thought I was pretty popular, and again, ego check: I installed a firewall and I found out that most of that traffic was non-human. Right? So prepare yourself for that. But it's super important, because you're stopping it before it even has a chance to get to your server or your software. And a CDN usually comes with a firewall.
It's a content delivery network. It helps to speed up your website by making copies of it around the world, but there's some intrinsic security in a CDN too.

Number five best practice is continuous monitoring. And what I mean by continuous monitoring are a few things. One, you want to employ some type of regular security scan of your site or your client sites. There's a bunch out there; you can search "malware scanner WordPress" or just "malware scanner" and you'll find them. But what those scanners will do, typically: A, they will recognize that something is wrong, they will recognize there's malicious software in there; and two, they will report that to you so you can take action; and three, there are some out there that will automatically remove that malware so you don't have to do anything to it. But having continuous monitoring on your sites and having reporting come to you is better than finding out it was hacked and then taking steps to remediate it.

So, including security in the project scope, and I'll probably speed up a little bit here. Just like discussing security in the first client contact, including the importance and/or requirement of security best practices within that scope can benefit, again, your reputation and your positioning yourself as the trusted growth partner in their business. By including that stuff all along the way, it can provide a more professional image. I feel like I'm repeating myself a little bit, so I'll go faster with that. That should be pretty clear: including a focus on security along every step positions you better as a professional. It builds that trust, which means that they're more likely to buy into your long-term recurring revenue plan, a.k.a. the maintenance programs, and it's an opportunity for more money, for sure. So you can include security as a service within your maintenance plans.

But what happens if your client just simply refuses? Well, you have two choices at that point, and this is your personal decision about your business. Again, you can require it as part of working with you: your clients must do these things. And when I've seen people do that, it's working pretty well for them. It kind of helps attract the kind of clients that you want for your business. Maybe you like to take everybody and help everybody out. Maybe you only want clients that are going to be X number of dollars initial and recurring. It's up to you. The other option, if they simply refuse, is to perhaps offer add-on services in the way of security. So you can make these suggestions. You can say, "Go get a web application firewall." Maybe they do it, and then they come back to you because it's a bit technical to set up: you have to change DNS, basically, to reroute your traffic. But maybe that's a setup service that you offer: "Go here, buy this, and I'll set it up for X number of dollars." Maybe it's the one-time setup of monitoring and scanning. Some scanners, you can simply put in the domain name; some do kind of a deep scan from the inside out, and you have to connect your site via SFTP or FTP or SSH, and maybe your clients don't want to do that or don't know how. Excuse me. Or if the worst happens, you could offer a one-time cleanup service, and there are many security companies out there that will offer you that, and then you offset the cost to your clients. So of course, if you're offering monthly maintenance or security, you want to make sure that you still have time in your day to do what you do and not get mired down in the nitty-gritty.

So if you're not already, there are a couple of maintenance and reporting tools that I've used, that people I know use, and these will probably come as no surprise, at least the first one, and that's ManageWP. Is there anyone that doesn't know that name, ManageWP? Everybody knows it. Okay, a couple of people don't know it.
So I just want to explain briefly what it is. ManageWP is a service where you connect multiple single WordPress installations into one unified dashboard, an administrator view, so you can run software updates, plugin updates, core updates across multiple sites at the same time. It really is a big time-saver, a huge time-saver. There's other ones out there. InfiniteWP is another one, with a different business model. This was one I learned of just last January at a Joomla conference: it's called Watchful, or watchful.li, and they are very similar to ManageWP in the sense of doing the same thing with WordPress, but they also support Joomla sites. So maybe some of you are not strictly WordPress. I welcome you to not be strictly WordPress; it's open-source software in general, we're all in this together fighting for the open web. Watchful might be one to check out.

Finally, I'd like to talk about the benefits, a summary of the presentation, and that is the main thing I really wanted to communicate here: the growth of your business as a freelancer, as an agency owner or participant. And these are the things that I feel are the most important: securing your own site; learning the why and the how and the what of website security and malicious software, so you can then communicate the business benefits of that to your clients or potential clients, because you want to keep including that in the project scope; you want to talk about it all the way through; and then you want them to buy into your monthly maintenance program, your software updates, your security, everything, because it's peace of mind for you.
It's peace of mind for them. It's more revenue for your business, a.k.a. higher growth. So at this point, I just want to point out that URL. That is a series of blog posts that I wrote that has all of this information, plus some expanded content on some of the individual subjects. I think there's five posts in that, so I welcome you to visit that if you want to learn more.

And now, if anyone has any questions, I've got about seven minutes. Feel free to ask. Yes, sir? The question is if I've ever utilized Wordfence. Yes, for sure, I've utilized Wordfence Security. SiteLock, obviously. Everyone who's doing anything security-wise in the space, including Steven, I don't know if he's still here, but he's got a security plugin that he's working on too. Anyone who's doing security in the WordPress space or open source space adds value, right? But every one of those plugins or cloud-based services does it a little bit differently, so I would welcome you to kind of look at each one of those and the pros and cons as it relates to your particular business, but also your individual clients and what they can afford.

Yes, ma'am? Mmm, good question. Of all the, and you're talking about security specifically, are there any products or services related to security that I specifically avoid? I don't think I have an answer to that in terms of a specific product or service, but what I can tell you that I do is pay attention to the businesses, primarily hosts, who have disallowed plugins in one way or another. So there are hosts out there that really do a good job of monitoring their web server resources, and if they identify a plugin, security or otherwise, that is using more resources than they're comfortable with, that would be a good place to start. So whoever your host is, look for disallowed plugins. Maybe contact them and get their recommendation. Does that help? Okay, good. Any other questions?
Yes, sir? The question is what host am I using. I just went from SiteGround, who I was very happy with for a number of years, over to Kinsta for my personal site. For my plugin business site, we're still on SiteGround. I'm in the community a lot and have been for years, and I've heard rumblings about Kinsta for the last several years, and they happen to be a sponsor here, by the way, and I've been paying attention. It was more developer-level stuff at first, but I'm, again, an implementer, I'm not developer-level, so I'm really interested in customer service and the onboarding flow. And if you haven't checked out Kinsta, they are incredible in terms of the onboarding, the migration of an existing site. That whole process was great. They were immediately faster than my previous host and had a wide range of helpful docs and articles about optimizing the speed of that site. Does that help?

The question is what would cause someone to go through all those best practices instead of just using a better host, in terms of security. Sure. Mm-hmm. Yeah, good question. So all the hosts that you mentioned, I shouldn't just single out Kinsta. There's a lot of great hosts. WP Engine, Bluehost does a ton of stuff in the WordPress space. Why would people want to take these extra steps? Because ultimately your host is responsible for certain areas of security, and WP Engine specifically has had a really large focus on that. They are one of the ones that I was mentioning with disallowed plugins; they're one of the ones that has probably the most disallowed plugins I've ever seen with a host. But ultimately, again, the analogy: the website is really the website owner's responsibility.
It's the application level. So a host can do tons of things for building in security from the beginning and making sure the site is secure, doing automatic updates and all that. But if I'm using username "Adam" and password "1234", my host can't control that, you know; it's an open door still, and those malicious scripts can still hit a website, any website, on any host. That's my opinion on that. Okay, any other questions? We've got about one or two minutes left. Okay, well, I'll be around if you have any additional questions. Come see me, or you want to tell me something, I don't know, please. I like to learn, and thanks so much for coming to my session. I appreciate it.
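The talk points the audience at a site where you type in an old password and learn whether it has appeared in a breach, and an audience member names the service behind it, Have I Been Pwned, and a plugin that runs the same check over every WordPress user. The practical question a client will ask is the one the talk only gestures at: how can a service tell you that without you handing it the password? The example below is added here by the editor and is not code from the talk, from SiteLock, or from the WordPress plugin mentioned; it assumes the range-query (k-anonymity) scheme documented for the Pwned Passwords API (SHA-1 the password, send only the first five hex characters of the hash, receive every matching 35-character suffix with a count, compare locally), and it uses a small breach corpus constructed for the example so that it runs offline. The real endpoint URL is included only as a constant and a separate function; the offline lookup is the default.

```python
"""
Added example (not part of the talk): a Pwned Passwords style check that
never sends the password, only a 5-hex-character prefix of its SHA-1 hash.

Assumptions (not stated in the talk): the prefix/suffix range protocol below
follows the documented https://api.pwnedpasswords.com/range/{prefix} API.
The breach corpus is constructed for this example, not real breach data.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumption: real endpoint

# Constructed corpus: "breached" password -> number of times it was "seen".
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 246055,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    return hex_digest[:5], hex_digest[5:]


def build_range_index(breached: Dict[str, int]) -> Dict[str, str]:
    """Shape the constructed corpus like range-API responses: prefix -> 'SUFFIX:COUNT' lines."""
    index: Dict[str, list] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in index.items()}


_OFFLINE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call; empty body when nothing shares the prefix."""
    return _OFFLINE_INDEX.get(prefix, "")


def hibp_range_lookup(prefix: str) -> str:
    """Live query of the range API (never called by the offline demo or its test)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF, blank lines and padded zero-count rows."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password was seen in the corpus (0 = not found).

    The comparison of the full hash happens here, on the client side; the
    service only ever learns which 5-char bucket the hash falls in.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    matches = parse_range_response(range_lookup(prefix))
    return matches.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(sha1_hex(pw))
        n = pwned_count(pw)
        verdict = f"seen {n} times, do not use" if n else "not in the constructed corpus"
        print(f"{pw!r}: only prefix {prefix} would be sent; {verdict}")
```

To run the same check against the live service instead of the constructed corpus, pass `hibp_range_lookup` as the second argument to `pwned_count`; everything else, including the fact that only five hex characters of the hash leave the machine, stays the same. That property is what makes it reasonable to run the check over a client's whole WordPress user table, as the plugin mentioned in the Q&A does.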