This session is called Making Security Make Sense to Users and Clients. So first I have a question for everybody. How many of you are actively building sites for clients? How many of you have your clients on monthly care or maintenance update programs? Awesome. So the intention of this talk is to provide useful tips for helping to grow your business and your monthly revenue by including security in your client projects and in your maintenance plans, and more specifically how to make users and clients understand the importance of security and why it matters. My name is Adam Warner. I am the open source community manager for SiteLock. I have all these other things. If you know what 42 is, come see me and we'll have a chat.

So what we're going to cover today is securing your own sites, securing your client sites, the benefits for your business and those of your clients, communicating security benefits efficiently, including security in the project scope and, kind of the core of this, the communication with clients, and then the security best practices, maintenance programs, pricing and reporting options.

So first I want to talk about the benefits of securing your own site, right? It's kind of a foregone conclusion. Everybody knows that's important, but if you're providing sites for clients it becomes especially important, because your reputation can be affected if your site isn't secure and you're not taking steps. Website hacks happen all the time, every day. I'll talk more about the why and how of that in a little bit. But if your site gets hacked and I'm googling "Portland, Maine web development" or "Portland, Maine web design" and I see your brand and I go to your site and Chrome tells me that the site may not be safe, or I see links to Viagra or other pharmacy shops, I'm immediately going to associate your brand with a negative connotation, I'm going to leave, and I'm probably going to tell my friends about it, other business owners, other people who need sites.
So it's really important to protect your own site first because of that reputation, but also so you become familiar with security best practices. I like to say now, tongue in cheek, that I never recommend something to my clients that I haven't used myself, but really what I mean is I will never do that again. So if you're using any kind of security plugin or product or cloud-based security, you are going to be familiar with what it is you're recommending to your clients, the pros and cons of all of that. So I really strongly suggest eating your own dog food, becoming as familiar as you can, so when you start this conversation about security with your clients it's obvious that you know what you're talking about.

And also it's about protecting your business. If your site is hacked, especially if you're selling any kind of product or depending on any kind of revenue from your site on a daily basis, if you suffer a hack and let's say you get cleaned up in 24 hours, you still lost a day of revenue. This is especially near and dear to my heart because I had a business that was ruined by a security hack. Back in 2006, 2007, I started a company called IndyLab and I used WordPress Multisite. Does anybody not know what Multisite is? I can quickly explain. Everybody knows what Multisite is. So people could come and sign up for free sites. It was geared toward artists of all kinds, to give them free blogs and websites, and then I started to upsell them on different features that you could turn on with a network-activated plugin, that sort of thing, and I started to make a pretty good revenue. I was working full-time at the time.
I was about two weeks away from putting in my two-week notice, because I was earning enough monthly that I thought, hey, I'm an internet entrepreneur, I've done this, look at me, and my chest was out. And then one morning I woke up to a bunch of emails, hundreds of emails from hundreds of different users of my platform asking why I had put Viagra ads in their content. Obviously I hadn't done that. So I jumped on to the forums at the time, the Multisite forums, because this was before it was included in WordPress core; it was a separate download. And I started to get help from a couple of people named Andrea and Ron Rennick out of Canada. They were giving me tips on what to do, how to clean up the hack, because I couldn't go to some service and just say, can you clean this up? It didn't exist. So that went on for a few days. I fixed things. Everything was hunky-dory. I replied to all the emails: sorry for the trouble, here's a free month of service. And then it happened again. And then it happened again, because there were backdoors on the server that I couldn't find, that no one else was finding, and I didn't know enough about website security. It was my first ever experience with website security and hacks and I just didn't know anything. So I ended up just shutting down the business, because again I was working full-time, had a family to take care of, and the stress was overwhelming. I refunded everybody's money and then I got depressed. Not clinically depressed, but pretty down in the dumps that I had failed, right? So it's about protecting your business, becoming familiar with security.

So, the benefits of securing your clients' sites. I know they're pretty obvious, right? So how many of you are actively implementing basic security when you build a client's site? Plugins or otherwise? That's good. So securing your clients' sites is in your best interest, right?
Has anyone here ever received a frantic email or a phone call on a Saturday night at 11 o'clock? I'm sure we all have, right? It's in your best interest to not get those kinds of contacts from your clients, in order to find that work-life balance that we probably, as internet people, all struggle with at some point, right? Now imagine that email says, my site is hacked, my site is redirecting to adult sites. It's our responsibility as the website provider, as the technical provider, to fix whatever problem they're experiencing, right? So if we do that proactively, as much as we can, before we hand over a site, it'll be better for everybody and it'll give you peace of mind and your clients peace of mind.

So let's get into how you do that. How do you secure a client's site? How do you make them understand it's important? And how do you use that to increase your monthly revenue? It's all about education. Educating the clients on security: what it is, what the threats are, without being, what's the word? Without being a fear monger. It's about education, but more importantly, it's also about spreading awareness. Making the internet a safer place for everybody, right? How often do we hear a story on the news of some major hack, right? Equifax, Facebook. Millions and millions of people are affected. So in my mind, security is not just the right thing to do, it's also the right thing to do for the internet as a whole. So just like walking through a city alone at night, having an everyday awareness of internet security and of our personal information is super important.

So who's responsible for security? You, the client, or the web host? Anybody? All of the above, exactly. To varying degrees, right? So this is the analogy we like to use at work, which helps people put all that stuff in perspective. Because if you go on to any Facebook group or anywhere online and say, what's the best web host?
You're going to get an answer for every single web host that exists out there. And in those answers, you're going to hear people say, this host is insecure. This host purposely hacked my site so they can sell me on security, or whatever they do. But the short answer is that it is all three parties. So you can think of a web host as an apartment complex. They own the property, they own all of the individual buildings within that complex. So a host is primarily responsible for the security of their network, of all those servers in their complex, and it's in their best interest to keep that complex secure, right? The application level, WordPress or any other platform that you install on one of those servers, is the responsibility of you as the website provider, but ultimately your client, the website owner. So the host makes sure that the lights or the parking lot lights are on, the snow is shoveled, the sidewalks are clear. And as the developer, we are the ones building the buildings. In terms of setting the site up for security success, we have to make sure that we are doing all the wiring right, that we're putting up the plaster the way it's supposed to be done. We're following codes. And then the website owner is the one who, when they leave that individual apartment in that building in that complex, has to lock their door. They have to close their windows. So just like a brick-and-mortar store, an owner wouldn't be done for the day and just walk away and leave the door open and the windows open, right? You have to secure your website just like it's your home.

So, setting your business apart by educating your clients on security. That analogy is something you can start to use in your conversations with your clients, right? And so when do you start talking about security with your clients?
From the very first email, the very first phone call, mention that part of the core value of your business is to create sites that are not only designed to grow their business, but also to secure that business along the way. So you can start to set yourself apart by talking about that. If I'm going to three different agencies and asking for quotes on things, the one that talks about security, the one that talks to me about being a partner in the growth of my business, to me personally, is the one that's going to get more of my attention, rather than just giving me a quote on a bill. So you can expand that initial conversation into educating them about website security as it pertains to their business. And I'll show you how to do that.

The last benefit of educating your clients is that it presents additional revenue opportunities, right? So you can demand higher prices if you're setting yourself apart by talking about security. Well, agency B wants to charge me 10 grand, but you want to charge me 18,000 or 25,000? Why? You're providing the same line items. But my line item has security in it. And because we are experts at security, that's one of our focuses. So you can demand higher prices when you start to set yourself apart. And of course the residual income comes in the form of the maintenance plan when you include security as a line item there.

So the benefits of communicating the need for security effectively. This is kind of the core information I want to share with you today. Many, if not most, clients have an adverse reaction when we mention security. We were talking about this earlier. So when you talk to a new client, or an existing client you want to move onto a plan that includes security, they're going to have one of two reactions. They're going to say, wait a minute, my cat blog is not important enough. Why would anybody want to hack it? I don't need security. Or they're going to say, security is way too technical. They're glazing over.
I don't even want to know about it. I'll just deal with it when it happens. So how do you communicate to those people that security is important for everybody? One of the ways to do that is to communicate three things. You can break down website security into some basic questions, and it's much easier for people who are non-technical to understand what it is and why it's important. First, you explain the why: why websites get hacked. Most websites are not targeted for hacking. There are a few exceptions. We had a presidential election in 2016 and one of the candidates' sites was definitely targeted for hacking. It was a matter of putting a special string of characters in the URL and you could change the slogan on the main page. There are a lot of examples of that. If you do some Googling: "I like turtles". There were some that were a little nastier than that. So that is a targeted hack, but most hacks are automated. Tell your client that most hacks are automated, because it's true. They're from automated scripts and bots. And it's not a matter of some really smart man or woman sitting down writing new scripts every day. There are people who do that, but then what are known as script kiddies, people who want to be hackers, go and download these scripts, change a few things, and then release them out into the wild.

Why do automated scripts happen? Why do website hacks happen? Sometimes it's a religious or political ideology, but by and large the majority of hacks happen because there is some kind of financial motive. So as an example, this is something you can share on why websites get hacked and why your cat blog is still susceptible. One, because every website on the internet is a target for an automated bot. The financial part comes in when I sign up for some service which pays me half a penny or a penny per click. Not per conversion, but per click.
And then I write a script that has my affiliate ID and I search and find a way in, and I compromise one website. And then that allows me to compromise five websites. A hundred, a thousand, a hundred thousand. Now imagine how much money I'm making from this automated script on affiliate commissions until someone gets wise and shuts me down. That's why. It's about money. Personal information, that is something that we all know, right? People want our identities. People want our social security numbers in order to commit fraud. But by and large, it's all financial.

So who is hacking and how are they hacking? I just covered some of that. It's not the stereotypical angsty teen in a hoodie in their parents' basement. It's people who want to take shortcuts, make money in an easy way. Or they want some kind of 15 minutes of fame, to be able to tell other people and their friends that they're a hacker, right? So website compromises happen in a bunch of different ways. To put it simply, hacks, automated scripts, even someone manually targeting you, they're looking for an open door. And an open door can come in the form of weak passwords. It can come in the form of outdated software. There are all kinds of ways that people can get in. So, as I mentioned before, when do the hacks happen? This is just a quick GIF from a security company called Norse, and this is a real-time picture of attacks. Now some of these are state players. Many of these are automated bots.

So when you're educating your clients about why hacks happen, you've made the analogy of why it's your responsibility as a web host and how you're there to partner with them and help them. Then you can get into this: these five simple website security best practices. It is pretty simple once you break it down how to secure a site. Now I want to back up just a little bit. I should have started this whole session with: there is no such thing as 100% security.
Not in life, not when you're walking down the street, and not on websites. But what you're doing is you're looking at this big attack radius and you're trying to reduce it. You're trying to reduce the chances that something bad will happen.

So number one is backups. We probably all know this if we've been building sites for a while, but it's important: you want to back up your database and your files at least weekly, probably daily if you have a larger site. And what's important with backups is that you don't store the backup on the same server that your website lives on, because if your site gets hacked, so do your backups. So you want to store that offsite: Amazon S3, Dropbox, Google Drive, something like that. And also, I would say not for a cat blog but for an e-commerce site that's making a good amount of revenue, you'll probably want to test those backups as well in some secure environment, some staging environment, to make sure that if something bad happens you're not reinstalling a database or files that have already been hacked. So if something bad happens, test those backups, and keep them for a while.

Number two, updates. This is also probably something that you're all very familiar with. Updating WordPress core is super important. Updating your plugins is super important. And updating your themes is super important. But I also want to talk about shiny objects in the room for a second, because I have it. When I go into the control panel of any number of my sites, I like to look through all the software applications that are there. I especially like to look at new stuff that Fantastico and other services put in there. And I install it on my server to play with it. And then what happens? I forget about it, and it's still software that's sitting on my server. And probably not a lot of them have the same software update mechanisms that WordPress has. So it's sitting there on my server. It's code. It's exposed.
It probably won't get updated. So if there's anything on your server that is not directly related to your site or your clients', get rid of it. That includes unused plugins as well. If you deactivate a plugin, that code is still in a directory on your server and it may not be updated. So updating all the software that you use is important. And we've all heard of Equifax, which I mentioned. That was due in part to outdated server software that they knew about four months prior to the hack happening. It wasn't updated. It could have been patched. It could have saved 143 million people's information from getting hacked, or potentially.

Number three, strong passwords and unique passwords. If you have your laptop open, I really suggest going to Have I Been Pwned, haveibeenpwned.com, and searching passwords. This is a site by a guy named Troy Hunt. He is a security analyst from Microsoft. And what you'll do when you go there is you put in a password that you use regularly, and then it'll tell you that this password has been seen two times before in a previous data breach. That's pretty cool. It's not cool because this actually was a password that I used to reuse. But it is cool because now I don't use that password anymore, anywhere. And for this service there are actually plugins in the repo now. If you search "pwned passwords" in the repo, I believe there are probably two or three of them now. When you're using one on your WordPress site, it'll check against this guy's database. So, strong and unique passwords, and then you tell your clients that.
You tell your non-technical client that they need a strong and unique password for every single login: for their home Wi-Fi, for their local machine, for their WordPress site, for any login that they have, Facebook, Twitter, whatever it is. And they're going to look at you: how do we keep track of strong passwords and unique passwords for every site? If you're into passwords, or if you've been on the internet for any length of time, you're probably aware of password managers. So there are several really great password managers. They're specifically designed to create strong passwords and allow you to save and organize all of those logins. LastPass is a really good one. 1Password is good, Dashlane is good, and KeePass is also good. I think KeePass is open source as well. So now, if you're thinking ahead, you're going to go, well, what happens if that password service gets hacked? Reducing the radius. Password services, both 1Password and LastPass, have been hacked before, but I'd rather put my information in the hands of someone whose core business is security, is password management, because I feel better knowing that if something happens they're going to move as quickly as they can to mitigate the risk. But again, 100% security is not possible.

Firewalls and CDNs. If you aren't familiar with what a firewall is, there are two types of firewalls. There is a network firewall and a web application firewall. A network firewall is designed and primarily used by hosts to protect the traffic that moves between the servers in their network. The web application firewall is what I always suggest that you include as part of your client bill, and a web application firewall is really designed to protect the application, WordPress as the application. So what happens is, when Sally over here loads her browser and requests this domain over here on this web server, that request goes through a web application firewall first.
It's a hardware and software solution, because it's designed to identify malicious traffic before it gets to the web server. So if you think about automated malware scripts, they get stopped before they even get to the web server to do any damage or to look for vulnerabilities on your website. So, super important, I think. Web application firewall, I should probably move that up to number one or two, because when I first started using a WAF, as it's known, I thought my site was a bit more popular than I found out it was, because when I saw the traffic drop I saw how much of the traffic my analytics and other tools were picking up was automated script traffic.

CDN is a content delivery network. CDNs are not designed primarily for security, although they include some level of security by default. A CDN is basically a copy of your site or your client's site distributed to different servers all throughout the world, and they're designed to reduce latency, so when someone from Ireland is loading your site they're going to hit a server or copy of that site in Ireland rather than going all the way to Chicago to get to it. So the mix of firewalls and CDNs is pretty good at reducing automated malicious traffic.

And number five of the simple website security tips is continuous monitoring. Some kind of a regular website security scanner. And there are different types of scanners. There are scanners that scan your site looking at it as a browser would, so from the outside in. There are scanners which you can connect to your server via FTP or SSH that will scan the actual files on your server looking for malicious software and other hacks. But some kind of continuous monitoring.
So if you just google "security scanner" you're going to find a bunch of different options. There's no one that's better than the others, because I don't know the technical aspects of each one, but as long as you're doing some kind of continuous monitoring you can be alerted to anything bad that might be happening on the site.

So, including security in the project scope. Again, this goes right back to talking about security from the very beginning, the first email, the first phone call. You can also continue that conversation, that education you've given, if you include security as a line item in the project scope process. It gives you a more professional image, in my opinion, that you are then continuing that conversation. You're positioning yourself as someone who cares about security, but also you're building trust with your client, because they will, by default, through this process, know that you actually give a damn about their business. You're not just there to take their money and then send them on their way; you're there to grow their business, which then will grow yours. So it's about building trust as well.

You can also include security as a service. As I mentioned earlier, focusing on security from the first contact and then in the project scope, but you can also offer it in your maintenance plans, as I mentioned. So it looked like a number of you are doing monthly care plans for your clients. If you're not, I highly recommend offering that service to your existing clients and your new clients. And what maintenance plans mean practically is pretty simple for us to do. We go in and push buttons: update core, update plugins, update themes. "Until one of them breaks," someone will push back. Well, that's true, but make sure you mitigate that risk as well: always update on a staging site first, right?
So, the maintenance plan. You can also offer security as an add-on service. So what if a client's budget simply doesn't allow for any kind of maintenance plan, whether it's $250 a month or a hundred bucks a month? They just can't pay; they're starting out. You can offer one-time security services. So maybe their site was hacked, maybe it is a cat blog, and they come to you and go, hey, can you fix this? Then you can use a service to clean it up and then charge them with an extra percentage. So you can do a one-time hack cleanup. You can do one-time monitoring or scanning for them to give them a report, maybe every month for six months. You can set up the web application firewall for them if they've decided that that's important to them and they're paying for that through a cloud provider or whatever other service; you can be the technical person.

So there are a couple of ways to automate the maintenance and reporting, and if you're already doing that, possibly you are already using some of the tools that I'm going to show you. Here is ManageWP, and if you're not familiar with ManageWP, it's basically a unified dashboard where you can connect multiple individual single WordPress installations and you get a really good overview. So in terms of client work, I've got 50 clients, I can see every single site on there, I can see what site has what software updates, and then I can bulk update. I can bulk update plugins, I can bulk update themes. ManageWP also comes with some security scanning included, and what's really cool about that service and others like InfiniteWP and this one, Watchful, is they all come with some reporting included, and then if you pay whatever the cost is you can brand that reporting. So you can automate this whole maintenance system for your clients, where you're literally spending an hour every month, and let's say you have 50 clients and you're charging them 100 bucks apiece. It's pretty easy money, but it's also a really good way to make sure that
your client sites are as protected as they can be.

So let's get to a summary of the presentation. I'd like you to just try and remember these things to grow your business. These are the bullet points: secure your own site first; build that trust; make sure that that image is professional; make sure that you're not pushing clients away by mistake from their very first visit. Learn the why, how, who and when of website security, and that is basically why websites get hacked, who's hacking them, and why Sally and Bob's cat blog, again, is being targeted. Communicate the business benefits effectively, and that is talking to your clients about security in terms that they understand: that their business really depends on that portal; it's like a brick-and-mortar store, it just happens to be on the internet. Include that talk of security from the beginning all the way through to the project scope, and if it doesn't work out for maintenance plans you can offer it as an optional service. And I didn't mention this, but you can even offer security as a required service, or a requirement to work with you. That's another way to set yourself apart. You might lose a few clients, but you're going to be able to demand higher project costs. And then finally, automate that maintenance and reporting as much as you can to save you time so you can get more clients. So that's what I have for you today. Does anyone have any questions? Yes, ma'am.

Audience member: So when I have the conversation with my clients about security and open websites... I don't specialize in WordPress, I don't even do the other websites anymore, so I need to show you what's that, PHP. So I have to have a conversation with them, and then they go, "I don't want to have a website in WordPress." I don't have a good counterargument to why you wouldn't want to have a website the other way, except for, well, then you won't be able to update the content. So what are other people using as an argument?

Adam Warner: Are you saying that because the
clients have heard that WordPress is insecure, or that there's something wrong with it? Well, what I communicate to people who have that opinion is that it does power over 30% of all sites on the internet, and there's a reason for that. And because it powers so many sites, it's an obvious target, just like Equifax is a target for personal information. It's something that's unavoidable. But the good part of that, that I try to explain, is that because it's so popular there are so many thousands of people around the world focused on and depending on the software, and there are businesses that exist to make sure that your site is secure. So WordPress isn't less secure than anything else. WordPress isn't less secure than a hosted service like Wix or Squarespace, or Drupal or Joomla. That's just so obvious; it's the number two security vulnerability of all the CMSs. So the point is, and what I try to communicate, is that if they think WordPress is more insecure than anything else, I try to let them know that that's just not the truth.

Audience member: Yeah, you were talking about automating the maintenance portion and the updates. I'm curious how much you automate the updating of plugins, for example. I understand WordPress core can be automated pretty easily to update. Are you still going in and physically hitting update for the plugins, either via a dashboard or on the website?

Adam Warner: For the remaining clients that I have, I only have about five or six left because I don't do client work anymore, I go into ManageWP every week, every Saturday morning, and I look for whatever updates there are, whether it's core or plugins. I'm doing that every week.

Audience member: So you are actually physically updating; you're not using a script or a service to run the update automatically on some sort of fixed interval?

Adam Warner: I'm actually going in and pressing the button.

Audience member: I was confused, I wanted to ask because with WordPress you can automate the core software updates where you don't have to push a button, but plugins...

Adam Warner: I'm going in and physically doing that.
Audience member: Going in and physically doing that in each website?

Adam Warner: Well, I use ManageWP for doing that.

Audience member: But one site at a time?

Adam Warner: Oh my god, no, I do it in bulk. I tick all the things I want updated, or check all, and I press a button and I wait, and then I go look at those sites. Well, first I run backups, and then I look at those sites and make sure they're not broken, and if they are, there's a quick restore, so you can do that. So, yeah. Back to the slide for the passwords? The one right there, the one right before that. You're welcome. Well, I'll be around the rest of the day. Thanks everybody for coming to my session, I really appreciate it.

Audience member: Yes or no question about this site. I mean, can we trust it? We don't see the attacker; he could be collecting passwords from everybody.

Adam Warner: There's a text file out there that has 70 million...

Audience member: When hacks happen?

Adam Warner: Well, yes, sorry, I didn't make that point: when website hacks happen. Every second of the day, every day, all year long.

Audience member: Do you know if there are any statistics around hacks and WordPress?

Adam Warner: I don't know that. I know that W3Techs, they're the ones that come out with a usage report, yeah, it's probably around there. Or BuiltWith, it's another service where you can try to find some data; there might be something in there. Okay, well, thanks for coming everybody. Thank you.
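Editor's added example, not part of the talk or of any of the products mentioned in it. In the passwords section the speaker describes checking a password against Troy Hunt's Pwned Passwords database and the WordPress plugins that do the same. The public Pwned Passwords range API uses a k-anonymity scheme: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range with its breach count, and matches locally, so neither the password nor its full hash leaves the machine. The Python below implements that client side. The range response it matches against is constructed for this example (the counts are made up, not real breach figures); the `fetch_range_online` helper targets the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint but is deliberately not called, so the example runs offline. Function and policy names (`pwned_count`, `password_is_acceptable`, the 12-character minimum) are this example's own choices.

```python
"""Pwned Passwords k-anonymity range check (added example, not from the talk)."""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Constructed sample range response for the prefix "5BAA6", which is the prefix
# of SHA-1("password"). The real API returns lines of "<35 hex chars>:<count>";
# counts here are made up for the example, and the 0-count line mimics the
# dummy "padding" entries the API adds when asked to.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
        "0000A1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F:2",        # constructed filler suffix
        "0000B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E:0",        # constructed padding entry
    ]),
}


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Blank lines are skipped; a line
    without a colon or with a suffix of the wrong length is treated as corrupt."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix: str) -> str:
    """Range lookup against the constructed sample; stands in for the network."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def fetch_range_online(prefix: str, timeout: float = 5.0) -> str:
    """Real lookup (not exercised here). The Add-Padding header asks the API to
    pad the response with zero-count dummy suffixes so that response size does
    not reveal which prefix was queried."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                lookup: Callable[[str], str] = offline_lookup) -> int:
    """How many times the password appears in the breach corpus (0 = never seen).
    Only the 5-char prefix reaches `lookup`; the suffix match happens here."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def password_is_acceptable(password: str, min_length: int = 12,
                           lookup: Callable[[str], str] = offline_lookup
                           ) -> Tuple[bool, str]:
    """Policy a registration or password-change form might enforce: reject any
    password seen in a breach, then require a minimum length. Breach check first,
    because a breached password is unacceptable regardless of its length."""
    seen = pwned_count(password, lookup)
    if seen:
        return False, f"seen {seen} times in known breaches"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple 2019!"):
        print(f"{candidate!r}: {password_is_acceptable(candidate)}")
```

To use it against the live service, pass `lookup=fetch_range_online`; everything else, including the local suffix match and the policy, stays the same. Keeping the lookup injectable is also what makes the check testable without network access.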