Good afternoon everybody. Is that way too loud? So it's 2:20. We're going to go ahead and get started. First of all, thank you for coming to this session. It is called Making Security Make Sense to Your Users and Your Plans. So I do have a quick question for all of you. How many of you are actively building WordPress-powered websites for clients? Ooh, that's a good show of hands. And how many of you are putting all of your clients, or most of them, on monthly recurring maintenance programs? A good portion of you. Okay, that's great. So my intention with this talk is to provide you with useful tips for growing your business and providing extra value to your clients in regard to security, for yourself and for them. So a little bit about me. My name is Adam Warner. I am the open source community manager for SiteLock. It just so happens we offer security services. I'm also the co-founder of a company called FooPlugins, and you can probably guess what we make. And I'm also passionate about website security, and there's a very specific reason, a business reason, why I am that way. And I'll share that with you in a few minutes. I'm a fan of fractals, a proud dad, and if anybody wants to discuss the number 42, I'm happy to do that. So today's focus, again, is going to be to communicate the importance of security to your clients: why you want to do that, how to do that, and how to have your clients grasp an understanding of a somewhat technical topic in easy terms. And how to build security into your projects from day one. So I'm going to cover a lot of these things. And again, my goal is to make your job as a freelancer or an agency owner more streamlined and more profitable. So starting with securing your site, the benefits of securing your own site. I think all of us who build sites can agree that website security is an important subject. It's something that we should all be doing as a baseline. And it all comes down to reputation.
This is the first reason to secure your own site. So website attacks happen all day, every single day. And I'll talk more about the why and the how in just a few minutes. And security becomes especially important when you're the one providing the website building service. A successful attack on your site could directly impact your revenue, tarnish your reputation, and degrade your customer loyalty. So imagine this for a second. I'm on Google and I search web development in Boston. And I come across your site and I get the chrome warning that this site may be unsafe or this site may be hacked. What is that going to do to my reputation as a web development provider? And what kind of impression am I going to have as a user who's looking for a provider? It's not a good first impression. The answer is obvious. I'm going to leave your site immediately and move on to the next one. I don't send you a contact. You don't have the opportunity to even give me a proposal. Or even worse, I'm going to associate your brand forevermore with a negative thought. So they build websites, theirs is hacked. They must be really great. So if you're not already, I urge you to invest some time in implementing even the most basic website security best practices for your own site. Not only for your reputation, but so you can become familiar with those best practices so you can then educate and provide those to others. Pardon me one moment. So with that, I never recommend anything to my clients that I haven't used myself. Or a better way to put it is I would never do that again. I've failed clients before because of not doing proper due diligence on the plugins, the themes or the services that I'm recommending to clients. I've learned my lesson so when I talk about becoming familiar with security best practices and products and services, I'm talking about eating our own dog food before we start offering or suggesting those services to other people. 
And finally, securing your own site protects your business as I mentioned. And I have that very specific story for you. About 11 years ago, 10, 11 years ago now, I was working full-time but I created a site called IndyLab and it was a WordPress multi-site installation and if you're not familiar with multi-site, it's basically a WordPress installation where you can have sub-sites underneath individual sub-sites. Like WordPress.com. You can go there and sign up for a free website. That is on a version of WordPress multi-site. So this site was for creatives. It was for musicians, photographers, artists of all kinds who come and get their free site, their free blog. And then I monetized that site with offering specific features for X amount of dollars per month. It was going really well and it continued to go really well and so well in fact that I was probably a few weeks away and maybe a month away from quitting my full-time job and going full-force into this one. Until, and you can probably see where this is going. I woke up one morning and had an inbox full of emails from my customers, free and paid, wondering why their site was showing adult stuff. I don't know why. I assumed why. So I started digging in. At the time that this happened, there were separate forums for WordPress multi-site called WPMU and there were no security companies that could just come in and clean up a hacked WordPress install. At least I didn't know of any. So I got on the forums, got some advice, was told what to do in very specific steps, did those, everything was great. Two days later, everything was cleaned up. E-mailed back all of those people who had emailed me. Everything was good to go. Don't worry about it. It's a temporary thing. Things happen. Two days later, same thing. And then I continued on for weeks, literally weeks, trying to figure out where that backdoor was that I had missed. I couldn't figure it out. So working full-time, managing other things. I called it quits. 
I refunded everybody their money and I closed the business. And then I got really depressed, right? Because I failed. But, silver lining, I then became very aware, acutely aware, of website security and the importance of it to protecting the business that I was trying to build. I wasn't doing freelancer or agency work, but it was an online business that needed to be protected just like every single website on the internet. So now let's talk about the benefits of securing your client sites. You've got your own site secured. Awesome. Now what about those client sites? Are you now actively implementing basic website security steps? Anybody, when you build a client site, are you including security steps in there, whatever they may be? Awesome. Kudos. So let's talk about why securing your client sites is important to your immediate and your long-term business. One, it's in your best interest. Pretty obvious, right? Has anybody ever received a frantic phone call or email at midnight on a Saturday from a client saying, something's wrong with my site, it's showing Viagra ads? I think we've all probably experienced some version of that, right? The inopportune support request. So I feel that it's our responsibility as the technical contact, the one who built the site, the one who knows how the internet works, to fix whatever problem they're experiencing, right? So that means we get up in the middle of the night, we start digging in, we start troubleshooting. Now that's not sustainable, especially if you have a spouse or kids who want to lead any kind of normal schedule. So securing your client sites before the handoff, whatever steps you take, can save you time, money, and headaches. And even if it's out of the project scope, as providers it's our responsibility to at the very least educate our clients or potential clients and urge them to take the basic steps in security. So another pretty obvious one: it gives us all peace of mind.
So it gives you peace of mind knowing that you can sleep through the night on a weekend. It gives your clients peace of mind that their site is going to be secure. And if the worst happens, there's a plan. So I mentioned educating clients. Let's talk about that for a second. This is the hard turn. Educating your clients and potential clients isn't just the right thing to do for your business. It's the right thing to do, period, in my opinion. It's all about spreading awareness, right, and making the internet a safer place. When I said it was the right thing to do, I'm speaking from a global human race perspective, right? The internet is such an incredible tool that we have the luxury of living with, connecting with others and building businesses. But just like walking through a dark city at night, it's critical that we all become more aware of our surroundings and the potential threats that lurk in the shadows, right? So our responsibility, again, as the ones who know how the internet works and know what the risks are, which we're going to learn at a WordCamp or a WordPress meetup or on our own, is to spread that awareness as much as possible. So who's responsible for security? How many of you think it's you only? No one? Good. How many of you think it's the client? Okay, no one? How many of you think it's the web host? Okay, a few of you? Well, the short answer is you're all right. It's all three, to varying degrees. You're responsible, the client is responsible, and the web host is responsible. So you can think of website security and who's responsible by thinking of it as an apartment complex. Your website host is the infrastructure of the website complex. They are responsible for making sure that the parking lot lights are on, that the gate is working and not broken, that the security guard is at his post, that the sidewalks are shoveled in the winter, that sort of thing.
The buildings of that apartment complex are what we as website builders, freelancers, and agency owners build for our clients. We're making sure that those sites adhere to all the building codes. We make sure that they have SSL. We make sure that it's a good user interface. We make sure that the navigation has good structure for SEO. We make sure that the content is structured as it should be. The individual website owner, on the other hand, is the person that owns an apartment in that building within that complex. And it's that person's responsibility as the website owner to make sure that their doors are locked when they leave, their windows are locked when they leave. So the short answer again is all three. We're all responsible for the security of a website. And your clients need to understand that as well. So if you're educating your clients from the first phone call or email, as I suggest, you're already starting to set yourself apart, which then can increase your value. So you can expand that into educating what website security is as it pertains to the business goals of your clients. And you can quickly position yourself as an expert and become a partner again in that business and more valuable to your client. Security education and awareness does start, and I urge you to do this, from the very first contact. Whether you get a contact via a form on your site or a phone call, this reply should include something about securing the website, whatever that is. So ensure that even if you don't move forward with a proposal, they know that security is important to you, so if they have a bad experience somewhere else, or if they do get hacked sometime in the future, they will keep you in mind. Next is additional revenue. So the last benefit of educating your clients is that it presents these additional revenue opportunities. You can demand higher prices or residual income.
You can demand higher prices because you've already started to position yourself as the go-to and recommended resource, the one who cares about the business growth of your clients and the security of their site. And the key here is to provide immense value that no one else in your competition space is providing. And then to communicate that value proposition to that potential client in order to make an impact. And when I talk about residual income, that's where monthly maintenance programs come in, and even add-on services in regard to security. So for a monthly maintenance plan, an example would be daily security scans. And then at the end of the month you report what has been found, what hasn't been found, how many scans were done, that sort of thing. If you're talking about add-on services, that could be a one-time malware clean. If they come to you with a hacked site, you can clean that site up or get a service to do that for you. There's many out there, but there's a few out there that are really something I would recommend. So you can do the one-time clean. You can even set up services, which I'll get to in a little bit. You can make residual income from affiliate commissions. If you don't want to handle any management of any security service dashboard for your clients, you can simply refer people and make a commission on them. So the benefits of communicating the need for security effectively. This is the nuts and bolts of this talk and what I really want to communicate to you all today, because if you take nothing away from this, please take this part away and use it in your own businesses to communicate to your clients. There's an adverse reaction to any mention of security. Their eyes glaze over, they recoil in disgust because they think it's too technical, or they think it's too expensive, or they think it's not needed for Mama Joe's cat blog, which is not true.
So how do you explain the subject of website security in terms that your clients will easily digest and understand? That's where you can use that apartment complex analogy, or you can communicate these three things, or both. So if you break website security down into its most basic questions, then it's much easier to understand. It makes it simpler to communicate the importance to business owners in concepts that are more familiar to them. So the first of these three things is why. Why websites get hacked. Hackers don't discriminate between the types of websites they attack; even if it's just a simple five-page cat blog, it's still an attractive target. And why is that? It's because if your site is compromised, it can be used as the open door for the attacker to spread their malware across other sites on that same network, and then of course spreading it to the internet as a whole. So the first hacking tactic that may come to mind is known as defacement. We had a presidential election here in 2016, and there was one candidate whose campaign site was hacked, and it was a defacement hack. There was a big banner with that person's slogan in it, and you could put a query string in the top of that site and you could change that banner, that slogan, to say whatever you wanted to. And if you look at presidential election campaign hack examples, you'll find quite a few of them, some tame, some not so tame. But defacements are not the most popular hack that happens. What usually happens, why websites get hacked, is for some sort of financial gain. So hacks can be as serious as Equifax. Anybody remember that one? 143 million Americans, and people from other countries, all of their data taken. And do you know why that happened, as an aside? Because the software on the server that that site was hosted on was out of date. They'd known about it for four months and they didn't update the software. So it was vulnerable. So, financial gain.
That's one example of financial gain. The other is that a hacker could run a script on your site that redirects all your visitors to some other paid site that includes their affiliate ID. So imagine I release a script into the wild and I get into Rich's site and I redirect his visitors, and then I get 10 more visits from my affiliate ID, and then from there I get a thousand, and someone makes a purchase and I make easy money. Or they don't even have to make a purchase; they just get paid per click. So really, financial gain is the real reason. And when you tell that to a client who doesn't know about website hacks or how they happen, it usually starts to turn on the light bulb. And the second thing to communicate is the who and the how of hacking. So when we think of hackers, there's some angsty, anti-social teen in the basement who's mad at his parents and has a hoodie on, and he just wants to do it to get back at someone. But although there probably are those types of hackers out there, the overwhelming majority of website attacks and successful hacks are performed by automated bots or scripts. So in other words, the term malware comes from the words malicious and software, so malware. It's scripts that are designed to go out and find vulnerabilities. Website compromises can happen in many ways, so to keep it simple, it all comes down again to those vulnerabilities in various access points. Access points can include outdated software, weak passwords, or newly discovered vulnerabilities in already up-to-date software that haven't been patched yet. So when do website attacks happen? Again, all day, every day. There's an average of 44 attacks per day, or 16,000 attacks on the average website per year, according to our security report that we recently did. And this was supposed to... oh, there it is, it's animated. So this is an example from Norse Security, a real-time representation of attacks that are happening. You can see, all day, every day.
So the benefits of implementing those five simple website security best practices that I mentioned. So after you've communicated the why, the who, the how and the when, it's time to start building security into your project proposals and your costs, and continue to educate your clients. Or both, really. So at the core of a 360 website security plan are these five things. And they're not hard to implement. And many of you, maybe all of you, are already doing all these things. One, taking regular backups. Regular backups means your files, your database, weekly, monthly, and storing those backups off site in more than one place. Ideally two, ideally three, depending on how important your site and your data is. And make sure you have clean versions of those backups. You can test those backups on staging sites. Number two, updates. Keeping the software up to date is critical. This includes WordPress core software. It includes the plugins you use. It includes the themes. And if you're anything like me, I have a little bit of shiny object syndrome, where I have installed everything under the sun in terms of applications from my web hosting provider if they made them available, and then I let them sit on my server and never use them. All those files, all that code is sitting there ready to be exploited. So if you have anything on your web hosting account, on your server, that you're not using, get rid of it. And that applies to plugins and themes too. I recommend at least once a month doing an audit of the plugins that you're using and that you're not using, and deactivate anything you're not using and delete anything that you're not using. Number three, strong passwords and unique passwords. If anybody has their laptop open, I welcome you to go to haveibeenpwned.com/passwords.
So I know passwords are not easy to come up with, especially strong and unique ones, and they're not at all easy to remember, multiple strong and unique passwords, but this really goes for any single account you have online and even offline. Your local Wi-Fi in your house, your local machine: strong and unique password. Any single login you have online should have a different and unique password from anything else. And now we say, well, how do we keep track of all those things? Password managers: 1Password, LastPass, KeePass, Dashlane, there's a bunch out there. So did anybody put their password into Have I Been Pwned? Anybody? Anybody? Okay, well, this is what happened when I put mine in. I put in a password that I used to reuse, and it says that this password has been seen two times before; it previously appeared in a data breach. So that's an example of why it's important to have unique and strong passwords for every single login. I could have just as well kept using the same password for all my sites, but now it's out there for the world to see. Okay, back to those five simple security best practices. Number four, firewalls and CDNs. If you're not familiar with what a firewall is, there's two versions of a firewall, or two explanations of a firewall. There are network firewalls, which is typically what your host employs to keep their network of computers safe from each other and also from the outside world, and then there are web application firewalls. And basically, a web application firewall, and there are several out there to choose from, puts a layer of physical and virtual security between the traffic that's headed to your web server and your actual web server over here. It needs to go through the web application firewall first, and what a web application firewall, or WAF, does, and that's hard to say three times fast, is block automated bot traffic immediately before it gets to your web server, so it's a really good layer of protection right off the bat.
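As an added example, not from the talk and not Have I Been Pwned's own code, here is how the password check the speaker describes works under the hood, and how you can run the same check yourself without ever sending a password anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of that hash to the Pwned Passwords range API, and compares the returned suffixes locally. `fetch_range` calls the real API (which requires a User-Agent header); `fake_range_lookup` is a constructed offline stand-in whose breach counts are invented for the example, not real figures.

```python
import hashlib
import urllib.request

# Range endpoint of the Pwned Passwords API (the service behind
# haveibeenpwned.com/passwords). It takes the first 5 hex chars of a SHA-1
# and returns every known suffix with that prefix, one "SUFFIX:COUNT" per line.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex of a password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Fetch the live suffix list for a 5-char prefix (this one makes a network call)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        # the API refuses requests that carry no User-Agent
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_lookup=fetch_range):
    """Return how many times the password appears in known breaches (0 = not seen).

    Only the 5-char prefix is handed to range_lookup; the rest of the hash
    is matched here, so the server learns nothing usable about the password.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fake_range_lookup(seen):
    """Build an offline stand-in for fetch_range from CONSTRUCTED data.

    `seen` maps password -> count. The counts are made up for this example
    and are not real Have I Been Pwned results.
    """
    def lookup(prefix):
        # one constructed filler entry so the body looks like a real range response
        lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1"]
        for pw, count in seen.items():
            p, s = sha1_prefix_suffix(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines)
    return lookup


if __name__ == "__main__":
    # Offline demo with constructed data: a reused password "seen" twice, as in the talk.
    lookup = fake_range_lookup({"password": 2})
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, lookup)
        verdict = f"seen {n} time(s) in breaches, do not reuse it" if n else "not in the sample data"
        print(f"{pw!r}: {verdict}")
    # Against the live service, drop the second argument: breach_count("password")
```

The same parsing works for any prefix, so the function can sit behind a signup or password-change form and reject a password that comes back with a non-zero count, rather than only warning the user after the fact.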
And all you have to do is set it up once and you're good to go. And number five is continuous monitoring of your site or your client's sites. And when we talk about continuous monitoring: if your site is hacked and you're not aware of it for X number of days or weeks, Google could detect that it is hacked and then blacklist you from their search engine. It happens all the time; they want to protect their product. So the sooner you know that something's wrong with your site or your client's site, the sooner you can get it corrected, to keep other bad things from happening to that business that you're partnering with, or to your own. Let's talk about the benefits of including security in the project scope. Just like discussing security from that first client contact, including that conversation and the importance of security through the project scope, with individual line items, can benefit your reputation and that of your business. That professional image, including that focus, or even requiring security to be built into all of your products, can go a long way in building that reputation, that professional image, and also trust. It can build trust in your company and your brand if they know you're not committed to just doing one job, passing it on, and moving on to the next, but again, to partnering in the growth of their own business. You're going to be considered a trusted partner by doing this, which brings me to the next section. Including security as a service. We talked briefly about this: focusing on that first contact and the talk of security in your project scope, all the way through the proposal, sets you up to demand that higher price for the initial project. It also sets you up for those ongoing maintenance plans, and it makes those conversations easier. We've already answered this question. How many of you are doing maintenance plans? It looks like the majority of you.
Some of you are including security as part of that plan. I urge you to include at least the five best practices before you hand over a site, and if you're not, you can easily roll security under the umbrella of backups and updates, or call out again those specific levels of security that you'll be including. Add-on services, again, can include the one-time malware cleanup: if they come to you with a hack, you can get that done for them. One-time monitoring or scanning: you can do a risk assessment score through a scan, you can do a site check-up through a scan. Again, there's a few different options, so I'm not going to name one or the other; just search "WordPress security scan" and you'll find what you need. Or you can do the setup of a web application firewall. Let's say they go out to any firewall provider and secure the account, and then they say, well, I'm not quite sure how to change DNS, I don't know what that means, to route my traffic through here. You can offer that as part of your setup too, or as an option in your project proposal.

So the benefits of automating maintenance and reporting. It looks like most of you, if you're already offering monthly maintenance programs, probably have some kind of streamlined system, so you're probably already familiar with ManageWP. Anybody use ManageWP or something similar, InfiniteWP, others? So if you don't know what ManageWP is, I highly recommend this service or others like it. It basically allows you as a freelancer or agency owner to manage individual WordPress installs all from one unified dashboard, and that means running core WordPress software updates across 10, 50, 100, a thousand sites at the same time, plugin updates, theme updates, backups, all kinds of stuff. I highly recommend that service. There's another one that's kind of new, and I actually learned about this at a Joomla conference. It's called Watchful, and they do a similar thing to what ManageWP does, but they do it for WordPress and Joomla, and I believe the last I checked on them they were working on version 2. So because I'm a lover of open source, I'm cross-platform.

Finally, let's talk about the benefits, a summary of the presentation. So my advice and my hope is that you'll remember these things to grow your business. Secure your own site first, for your reputation management, to build trust, and to give yourself peace of mind. Learn the why, or remember the why, how, and who of website security: how websites get hacked, who's hacking, and why they're hacking. Communicate those business benefits effectively, and I'm talking about the business benefits to your clients, to their business, about why they should know about security. "We talked about website security. Don't worry, I'm not going to talk your ear off, it's only going to take five minutes, but did you know..." And the benefits of that will lead you to including them in your project scope, offering a higher price or demanding higher prices, or offering additional services. And then, if you're not automating your maintenance and reporting to your clients, I strongly suggest that you do that. And that's what I have for you, so if you have any questions, I'm happy to answer those. We have about 10 minutes left before the break, so if you do have a question...

The question was, what kind of backup software do I recommend? I've used a plethora of backup options in the WordPress world. There is BackupBuddy, which is a very long-standing and mature product. If you search the plugins repository, so in admin, Plugins, Add New, if you search for backup, there's UpdraftPlus, which is a good one. Another one is called BackWPup. Any other popular ones that anybody wants to throw at them? But those would be mine, yeah, those three. I've used those successfully. BackupBuddy is premium only, it's a paid product, and then the other two are free in the repository, but they have paid versions depending on what you want to do with them. Any other questions? Yes sir.

So the question is, if Google or Norton blacklists your site, which one is more important? So my answer to that is, and I think there may be some confusion on my part, but Norton is security software that's for your local machine, and Google is a search engine, Bing is a search engine, Yahoo sort of, so they're two different things, because I don't think that Norton can blacklist a site on the internet; people will still find it. But on your local machine, if it's detected as having malicious software, it will probably blacklist your site. So they're probably just as important, because if the people visiting your site are using Norton, then your site is going to be blocked. Oh, Norton site check? I'm not familiar with it. Is that a service? Is that something that's... okay, I'll Google it. Yeah, I'll have to look at that, Norton site check. Good question, we'll all learn something new. Okay, I wasn't aware they were offering website scans now. It sounds like they probably are, so it would make sense, right? Because they're protecting your local machines and those of their users, so if they detect it has malware on it, which could be downloading software in the background when someone visits the site, like a keylogger or something, to your local machine. Good question, and thank you for the further information. Yes sir.

So this question was, if I put all those security measures, best practices, in place and I pass it on and everything's been updated and I'm doing my job of the maintenance program and the site still gets hacked, what do you do as the provider, right? What kind of guarantee is there? That's a good question, and I think that comes down to the individual nature of your business, but in the world of the internet, the world of walking down the street, security unfortunately isn't something that's 100% attainable all the time, and my advice would be to also communicate that to your clients. It's really about... imagine this is your attack radius, these are all the ways in which someone could come at you to attack you, and putting basic security measures in place reduces that attack radius, or cuts up that pie, so it reduces your chance of something bad happening. Just like walking down the street, I put my wallet in my front pocket and my hand on it when I'm walking through a downtown or a shady area; that reduces the chance that a pickpocket will come and pull my wallet out of my pocket. That would be my best advice. It really would come down to how you want to approach that, but I would communicate at least that part to your clients, and then maybe have a guarantee, you know, if you find that it's a cost benefit and it's a value add: if your site is hacked, we will fix it for free, and then you eat the cost to get a one-time malware cleanup. Good question, thank you. Yes sir.

Are there any monitoring tools that you can use to see what's hitting your site? Yeah, the question was, are there any monitoring tools that you can use to see what's happening with your site? There are a bunch of them. I work for a company that offers one, but I'm not here to talk about that. I would search "WordPress site scanner" and you will come across several options in Google. And site scanners, what they do: some of them look at your site from the outside, as a browser would see it or as a user would see your site, and some of them you connect to your actual web server so they can scan the actual files on your server, looking for malware that may be nested or hidden in there, and then can remove that. When you're looking for site scanners for WordPress, I would look for "deep scan" or "inside-out scan" or just scanners in general. Yes ma'am.

Yeah, the question is, do I know anything about Wordfence? I do. Wordfence is a great product, and just like us, they're doing great things in the security space, and I use Wordfence on several sites. So Wordfence provides a lot of immediate reporting right to you within your WP admin dashboard, which is great. So knowing what I know as a user, and I know several of the people within the company, all quality in my opinion. Yes ma'am.

Yeah, the question is, my hosting provider provides me with SiteLock service, and that happens because we do have a lot of partnerships with a lot of global web hosts, and the question was, are there different levels of service? There certainly are. So you could have what you call a light scan, which just does the outside scan on your site, which looks for things like SQL injections and cross-site scripting or redirects, things like that, or you could have a higher level which includes that deep scan, or you could have an enterprise site, where instead of us scanning 10 pages on your site, it's 100,000 pages. And you could do a monthly scan, you could do a daily scan, you could do what they call the infinity scan, which gets done and then it just scans again. So the answer is yes, there's different levels, and depending on the host and the partnership, it depends on what they offer their customers. Any other questions? All right, well, thanks again to everybody for coming. I appreciate it. Enjoy the rest of the week.