started around 11:03 or 11:04, just give a few minutes for people to join in into the live stream. So Anand, where are you this time? I'm back to Delhi now. So, come on, stable internet connection. Stable internet connection. So for those of you who just heard Anand say that this is a stable internet connection, history is that a few weeks back, we tried to do a very similar session with Anand and he was in the hills. We were really jealous of the place he was in, but definitely not jealous of the internet connection that he was on. So because frames were dropping, sound was not coming out well, we decided to do another session with him because it was full of very useful information last time when we were chatting. It was quite interesting. Unfortunately, network issues were the thing that prevented us from hearing everything Anand had to say. So Anand, have you tweaked your presentation this time? Yeah, so I think listening to the feedback and all the questions that were coming in, so I've tailored this presentation down more to the content folks who run content-based websites using CMSs and really looking forward to helping them secure their websites. All right, and how was your stay in the hills? Are you happy being back? No, so my co-founder actually never liked Delhi and I never understood why, but now I do after staying outside Delhi for a month. So I might just end up in the hills like in some time once again. Yeah, I don't know how, I really love the hills, but I can't imagine myself being long-term there. That's also a problem. It's like I like going there very frequently, but can't imagine not having the energy of a city in that. So after some point of time, the laid-back space and everything being so perfect and nice starts getting to my nerves that how can the world be so perfect? So then I need some little bit of chaos in the life as well, I guess. Yeah, chaos, I guess. Right, how was the pandemic over there?
Was there like a lot of rules, restrictions and stuff? Not actually, like first of all, there weren't too many people, luckily, and whoever was there, the locals, everyone was taking precautions. So it was really nice, like there weren't many cases or anything, like we came back fine. I was hoping like there would be like slightly stringent checks, but nothing of that sort like when we went last month, I guess. And last time when I asked, you were there to complete a project. I hope it actually, you had managed to ship it? Oh yeah, so we were actually, we made like really good progress over there and we'll probably be shipping out like end of this month. So, I mean, like it was really good to actually get together with the team and work on that. All right, so it's 11:03. Let's start with the conversation for today and with a general round of introductions. So firstly, hi, I'm Sovik, I run Merange, which is a strategic web design and development studio in New Delhi, along with Hasgeek and other volunteers. I've been running Content Web, which is a series of freewheeling chats that we do every Saturday for people who create or maintain content-based websites. By that, I mean websites that are publishing heavy, typically driven by a content management system, could be a marketing site, could be a media site, could be an e-commerce site, et cetera. In the Content Web series, we want to cover topics from the three important practices that come together to build websites. One is in the content stream, which is for content teams, content strategists, and copywriters. The other is the design stream for people who are doing graphic design, visual design, or just UI/UX web design work. Also developers, both frontend as well as backend. There's also another pillar, which is website owners. So we want to make the topics also relevant for people who are running their own websites, could be individuals, businesses, or publishers.
So that's broadly the target audience that we have in mind for the Content Web series. Today, we have Anand to give a very interesting session. So Anand, would you like to introduce yourself? Yes, perfect. Thanks, Sovik. So hi, my name's Anand. I'm one of the co-founders and CTO at Astra Security. So we're basically like a security suite with a focus on CMSs and other technologies. So the promise that we give customers is the best security with zero programming knowledge and it's really easy to use. So we work with a lot of small and medium business owners, like you guys, to help them secure their website and help them out if they're already hacked. So in my day-to-day activity, like I work with like a lot of hacked websites and like help companies actually secure their websites. So a little bit about me in a bit. So typically in this talk, what I'm gonna talk about is how you can actually secure your WordPress website, like or any content-based website, like WordPress, Joomla, Drupal against hackers. So like all you guys know how to set up a website but security is something which is typically like more on the, like a very specialized skill set which we often tend to neglect. So there's this like really famous quote which I use quite a bit, that there are like two types of companies, like one who have been hacked and those who don't know yet. So many of the times people only get to know that their website's hacked when they see any visual symptom, like there's a pop-up on your website, it's redirecting somewhere or something. So, but typically- Anand, before you proceed in the presentation, I'm sorry to cut you. I do want to give a few instructions to the audience before you proceed with this presentation. But can you just quickly summarize what you would be talking about in the presentation in a line? Sure.
I'll be talking about how as a small business owner, you can secure your website from hackers to make sure it doesn't get hacked and how to keep it secure enough that no one is able to target you. Like real simple steps you can follow. Right. And who do you think should pay attention to this conversation of ours? Who do you think it should benefit the most? I think like content website owners, like anyone who's using like a CMS, like WordPress, Drupal, OpenCart, Magento and hosting it on like a cPanel or some other service or like a design agency who's building out websites for customers. So it could be relevant to like non-tech people looking, hosting their own websites. Okay. So a wide range of audience. Thanks a lot for that quick introduction, quick instructions for people who are joining in. For the first 15 to 20 minutes, Anand will be giving a presentation. Once the presentation is done, we'll have a Q&A session for about 45 minutes to an hour. If you are joining in from YouTube, please post your questions on YouTube live chat and someone from the Hasgeek team will pass on the questions to us. If you're joining in Zoom, you can ask your questions directly in the chat window. Excuse me. And if you're in Zoom, you can also probably directly have a conversation with Anand and ask your questions directly. With those instructions, Anand, over to you. Please complete your presentation. Perfect. Thanks, Sovik. So correct. So moving on to this. So one request I have from all of you guys is make no assumptions. Because in the security field, the thing is that if you make any assumption... Like if you make any assumption, it will be a challenge, just like Murphy's law. So always keep that in mind and always think like a hacker, so I would say. So now what would be the agenda of this talk? So I'm primarily gonna cover like three aspects. One would be, why would anyone hack me? Second would be like, what are the common malware attacks which do happen on websites?
Like and how can you actually super secure your WordPress website? So these would be the three things and jumping right in. So these are some of the lies we keep telling ourselves, right? Like, hey, like I have SSL on my website. It's called a 256-bit encryption and I've paid like 700 rupees for it a year. So no one can hack my website, it's encrypted. The other lie we tell ourselves is I have the best hosting out there and like my hosting company takes care of security. They're on top of everything. So I don't need to worry about it. Sometimes people also think that I'm too small to be hacked. Like I don't have anything valuable that someone would want to hack me. And typically like a new developer, like, hey, it's working fine. So I don't want to make changes to it. Let it just run the way it is. I don't think it's hacked. Like it's absolutely fine. So these are some of the lies I've been seeing like in the last five, six years that I mean, these don't hold true like with security at least. So now the question comes like why would someone hack me, right? So even though you might be like a small business owner or like a digital marketing agency building out like a website like 10, 20, 30 pages and you might think that, okay, I'm not like a Facebook. I'm not a Google or some really big giant that some hackers will be trying to be after my website. But the thing is your website is valuable. So your website might have like any personally identifiable information. It might have, it might be like a small e-commerce store which has information of customers. And so that information is valuable. Now, the other thing why people do hack is for SEO gains like to basically hijack your SEO.
So there are some attacks like Japanese SEO spam or like other redirection malware where people like hackers try and infect your site to boost their own SEO or put some malicious code in your site so that it takes your website visitors to like hacker-controlled websites which download more malware. So there could be like multiple reasons or just to like use your server resources to mine bitcoins for all I know. So there could be like multiple ways why your website would actually get hacked. So now looking at some examples. So this is one of those vulnerabilities which like if any of you have like hosted like a WordPress website, like if you manage websites at some point you would have faced some issue or the other. So in this example, I'm going to show you one of the most common ones. And I think in the last, yesterday itself like there's been like a campaign out there where like tons of WordPress websites are redirecting. So this is an example, one of the example videos of how it looks. So you can see that this is like a website for a customer, like a business content website. And out of nowhere there's like a small pop-up at the bottom right saying Flash Player update available. So like any typical like your website visitor might not be super tech savvy and he'll think that, hey, like maybe in order to access this website I need to install Flash. So he'll probably click on this or like click anywhere. And the next thing that happens is suddenly it's a completely different website and like it's redirecting to multiple places. And it says, hey, add this extension to continue, add this extension. And what happens is like malware gets installed on your website, on your customer's website. So like this could be one reason. Similarly, like I was talking about Japanese SEO spam.
This is again like one of those things like and I'm sure like a lot of you are very particular about SEO and have invested like many years in actually building that SEO, focusing on the page and domain authority and like all those metrics. And suddenly you see like a hack like this that when someone puts in your site name in Google, you see like some Japanese text and when you like open your Google Search Console and like try to access your website, you see that your homepage is not your homepage anymore. Like this was supposed to be some law, like law firm website, but now it's selling like some Japanese sweaters or cardigans, I guess. So things like these happen. So that's why security of your website would be super important. So if you have any questions on like how this would happen, please feel free to drop it in the comments and like we can take it up like later on. So similarly, like another like really common example which we've been seeing with WooCommerce, Magento and OpenCart websites is hackers add a fake payment method to your website. So typically you'd use like a solution like Stripe or Razorpay or like similar gateways where you say that, hey, I don't wanna take the burden of like being PCI compliant. So I'll just pay one of these services, like I'll just get Razorpay or something and they'll handle the whole payments for me. So you think that, hey, I'm completely secure, nothing can happen. But hackers have tried to bypass that too by injecting code so that on the checkout page, suddenly there's like a new page which accepts card information and your customer will never know that, hey, he wouldn't know that he was supposed to be redirected somewhere. So typically like people enter their card details and this is sent to hackers for them to steal. Now the question comes like, how do I actually secure this? Like these are the typical vulnerabilities which my website could face. Now let's talk a little about how to actually secure these sites.
So like the first and foremost rule would be never use a nulled theme or a plugin. Like I know that it's very tempting like initially when starting out businesses or like putting out a new website that I'm finding this theme for free online, let me just download it and use it. So that would be like the most important rule that never do that because all this free stuff actually has back doors and malicious code inside it. So most of the nulled themes are known to have this malware called WP-VCD, which is kind of adware. So what that typically does is when you use a nulled theme, so randomly when your website visitors open it, it opens like pop-ups, like ads or something on your website. And it also gives hackers like a back door to access your website and like remotely control it. So it would be totally worth it to actually pay that $49 to get a license. Now, second and foremost, like the second most common reason for someone to actually get hacked is that people don't update their, like, CMS website or themes or plugins. So typically what happens is like with updates people do fix like a lot of security vulnerabilities. So like your website will always stay patched. But if you don't update your website, what hackers do is they see that, okay, hey, this plugin has XYZ vulnerability. So there are like a lot of tools in like Python and stuff which allow like hackers, so they'll basically check, if they have like a list of 10,000 WordPress websites, they'll check for that particular vulnerability in all these websites. And if your site is vulnerable, if you have like a plugin which is vulnerable to that attack, the hacker will exploit it. So simple things like basic practices like just having like a routine of like maybe like every alternate day or weekly once update your site.
So keep backups, like make sure that you have something like an Updraft or some other hosting provider backup where like worst case, even if you get hacked you should always have like a restore point saying that, hey, you're facing an issue. You can always quickly restore to a backup because a lot of the time people don't have backups and it becomes like really difficult for them to get back to a state where the website's not hacked. So yeah, so that would again be very essential. So now once you have like the system updated and like system updated and you have like a good hosting. Now what typically happens is like most of the people, you'll not only host one website, right? Like you'll always be having multiple websites and most of us like get tempted that just to save some server costs people tend to put like multiple websites just because like your hosting provider allows you to have unlimited websites on a cPanel account. That doesn't mean that you should actually have unlimited websites because the way these servers are, like just specifically talking about some of these like cPanels and stuff, would be that cross-site infection. Like so let's say one of your websites gets infected. It's very, very, very likely that the infection would spread on the server and actually infect all your other websites. So suddenly you'll find yourself in a situation that like one day you like wake up and like all your 15 websites are hacked. So that's typically because of the file and folder like ownership structure. So it would be good practice to either get like a WHM type of hosting where you can have a different cPanel for each of the websites you have. And it's also good for security when you have to share access to the website with your customers. So now that you have all this in place there would also be like other vulnerabilities which you don't already know out of the box or like something called like a zero day.
So it actually helps to have like a firewall and a malware scanning service which would actually keep your website protected. So now firewalls are something which have been there for like so many years and we think that, hey, my hosting company has a firewall. So what typically tends to happen is the firewall that your hosting company is providing is typically like more on the server side. It would protect against like network level attacks, server level attacks and some application level attacks. But most of this is not tailored to your application. So when hackers hack, they will look at very CMS-specific like vulnerabilities and attacks and so you need something which is actually looking at all those vulnerabilities and hardening the CMS that you have. So, and in this also there would be two aspects. So one would be the firewall which is detecting, stopping, like detecting all your requests or visitors and it only blocks the bad guys and lets the good guys access your website. So that is what a firewall would do and what a malware scanner would do is actually go through each of your files like on the website, all PHP files, CSS files, JS files, your database and see if there is any malicious content already. So checks like this would help you stay on top of your website and if anything's wrong, stuff like this would get flagged. So, so now moving on to the next couple of like recommendations and my last few recommendations would be what people always talk about, like use strong passwords. So typically like people try to brute force like admin credentials a lot and because people tend to use weak passwords, your account gets compromised. So always use strong passwords or 2FA and like not just your WordPress admin but also for your hosting account, cPanel, SSH, SFTP and all these services.
And like last but not the least, when sharing access with like someone else make sure that you have a backup and you only give the person access to the website which they actually need. So I think these would be like in general like at a high level all the big security practices you can take as like a web admin and like happy to answer any specific questions that you might have in the comments. And if you actually want to like learn a little bit more on how you can secure it, we actually went ahead and like built like an absolutely 100% free WordPress security course. So it's like an email course where you can subscribe and every couple of days you'll get a new lesson on some actionable steps which you can actually take to secure your website. And at the end of it, there's like a security checklist and like a quiz which you can take. And like that's about it. Thank you so much for listening to me and looking forward to your questions. Thanks a lot, Anand. That was a very crisp set of recommendations. I have a few set of questions at my end and anyone in the live audience if you would like to ask questions, just a quick reminder that you can post your questions on the YouTube live comments or in Zoom. And if you come in Zoom, you could also have a quick chat with Anand and ask your questions directly with him. With that, let me start with the bunch of questions that I have collected during this conversation, Anand. And a few things even beyond this conversation. My first question is, why is this talk focused on WordPress websites? Is WordPress especially a bad thing or alternately how relevant are the things that you've said in non-WordPress websites as well? Amazing question. So the thing is WordPress is popular, you know? Like I think before the lockdown, there were around 30 million websites, if I remember correctly, 30 million websites powered by WordPress.
And I think like towards the end, like about a couple of months ago when I read the stat, there were like 38 million or more websites powered by WordPress. So I mean, that's why hackers would target such a platform, right? So all those security recommendations and the vulnerabilities which I talk about are applicable to any CMS or any web application out there. But it's surely because of popularity because look at it from a hacker's point of view that if he finds a vulnerability in one plugin, which is used by a million people, he's hacked a million people. So WordPress is safe. Like the WordPress core has like a really strong security team. I think there are like some 50, 60 people who are actively just thinking about how to keep WordPress secure and they're doing like a really good job at it. But a lot of the times such vulnerabilities do come in because of the plugins, the themes and like other third party stuff that we do. So like that would be the only reason why we keep hearing about WordPress being targeted. Right. So I think this is a good point that you've made that WordPress's popularity is a strength in one way if you see it and also a weakness in the other way because then you get to be targeted more. Just like at a certain point of time, Windows had a crazy popularity and all viruses were made for Windows mostly. At a certain point of time. And that is always going to be the downside of being a popular platform. But do you also believe that WordPress has taken certain architectural decisions, especially around the fact that it wants to be so backward compatible with PHP and even technologies that have gone out of date in order to remain also a very popular platform in a way. Do you feel those things are factors that are negatively impacting WordPress from a security point of view? Yes and no, I would say.
So given the size, the sheer size of the WordPress community, you need to be backward compatible because there are a lot of non-tech people who are out there who just set up a WordPress and are using it. So if they're taking a drastic step like that, people's websites will start breaking, people won't be able to upgrade, like all kinds of things happen. But in the last year or so, I have seen WordPress take some bold and important tech decisions. I think they bumped up their minimum PHP version requirement to seven, I think a couple of months ago. And even things like, even if they had to remove jQuery UI, like a really outdated thing, they have done it. So I see that changing. But yes, I do agree that because of some such decisions like that, they have been exposed to some level of security loopholes. But I do see that changing. I think even the beefing up of, like, the plugin review standards, theme review standards, to make sure that even plugin developers are adherent to the security aspect of things. And I think they're even like, I even heard talks of like using React and other like stuff for WordPress. So like I see good things coming with WordPress. All right, okay. So if there's one thing to take away from these first two questions, I would say it is that WordPress inherently is not a bad CMS from a security standpoint. There are factors beyond their control and they have to take a balanced decision in terms of making sure that they have a large reach. And for that reason, there may be some compromises out there, but then all software is a bunch of compromises and you have to pick the right one that fits you, that floats your boat in a way. So the future questions that we are going to discuss, even if we are discussing WordPress or using the word WordPress, I think it would be fair to just say at this point of time, it's also relevant for other CMSs as well. Not as specific to WordPress sites only, the conversation that we are going to have as we proceed.
If you do ask any questions about any other CMS, like maybe you might be using Craft, PrestaShop, Magento, yeah. Sure, sure, sure. As I go through this, if there are any questions that pop in my mind, I will. But on that note, since you asked this, do you have any opinion about if someone is conscious of security, would you recommend any CMS specifically? That would typically depend on the type of website you're building, but one CMS which is really popular with governments and big companies would be Drupal. So Drupal has that image of being that CMS which takes security very seriously and you would see more, like, lot of proper military, government, all these other stuff built in Drupal. But all the security recommendations hold true even there. Like, even if sometimes, like a couple of years ago, there was like a crypto mining attack which targeted Drupal quite a bit. But I would pick Drupal for now. But the thing is, like, what I personally think is irrespective of what framework, platform, technology, like somehow people, sometimes people think that, hey, PHP is vulnerable. Let me just use Python and it'll be safe or it'll be optimized or something. That's not true. Like, each framework, each language has a set of things and it can be secured. Like, it just needs some conscious effort and some thought and some focus in it and you should be able to secure whatever framework or technology. Yeah, in fact, with the Drupal point, I do want to mention from my personal experience as well that it's a CMS that is very forward-looking in terms of making sure that they're getting rid of legacy code, legacy aspects. A new version of Drupal will stop supporting old versions of PHP. The minimum version of PHP and other things will keep, they'll keep raising the bar all the time. What this also means is there's a lot of developer time that goes in, in order to implement a Drupal website.
If what you can achieve with a significantly lower developer effort and developer cost in WordPress, this equivalent website on Drupal would take significantly more developer effort and developer cost. So if you would actually invest as much on WordPress, I believe you can also secure WordPress to as much degree of security as what Drupal would offer. So another aspect to look over here is, like if you're getting a freelancer or an agency to do it, you'll find a lot more people building on WordPress rather than Drupal or even Joomla for that matter. So and even the whole plugin ecosystem, like in my opinion, like WordPress plugin ecosystem is focused with simplicity at mind, like keeping it simple, having a GUI, like rapid prototyping, but you'll find like a lot more tech, like you need some tech knowledge even to use the admin area for some of the other CMS. Yeah, yeah, absolutely. And that, I have added another question based on this, but we are digressing a bit, so let me get back to our conversation. So you started off with saying make no assumptions. The challenge of what people will have is, and let me take it two ways in a way, and I'll connect it to the question also in a way. What are the typical assumptions that you believe a website owner or a person who's looking to get a website made? What are the assumptions that they might carry? And what are the assumptions that a developer might carry in their mind? Because often enough, if you don't call out an assumption, it'll not be, it's not easy to get rid of your biases and assumptions, right? You don't even know that they exist. So what are the common such assumptions that you would flag out, both as someone who is out there to get a website built and as someone who builds a website herself or himself? What are the assumptions they make, which are things that you would say, be mindful of these? 
So typically, I'll answer from the business owner's side first, someone who's actually getting the website built. So they typically think that, hey, I'm getting this popular developer or this highly recommended developer. So I'm sure he builds a secure website, or I'm using a state of the art CMS and I'm secure. Or just because when purchasing their domain, they're prompted to buy some really cheap security solution and they, oh, you have privacy guard on this, or like complete website, some security. And like people don't actually see what they're buying and they feel that because I have purchased security, I am secure. So they just assume that, but typically like unfortunately what's happened is because of that, people like just sell some solution which does like one bit of security, because security is best done in layers. Like you need to look at like multiple aspects. Like is your server secure? Is your CMS secure? Is your FTP secured? Is your developer trusted? Like there are like a lot of aspects which you need to look at when securing a website. So that assumption which people make is incorrect. So I would say that people should actually, like business owners should actually look at what security is required for their infrastructure and maybe like get a solution appropriate for that. That and then again, so now coming to the developer side of things. So I mean like not to generalize of course, but like a lot of the times since developers also don't have like formal training or any first-hand experience of security, they think that just because they've written like good code which works and they've installed an SSL certificate and they've installed some plugin or like they've made some small one tweak that it is secure. So the same logic, security is best done in layers. So just installing an SSL certificate isn't going to solve all your communication. Like it makes sure that from your website visitor to your server, everything's encrypted.
That no one in the middle like your ISP or someone on the network is, like, someone trying to hack into your hosting account. Like what about that or your code? So that's typically some of the assumptions that they take and like even with plugins and things like that. So what they don't realize is that if let's say you forget to do input validation or if you, let's say you don't like check that, okay, if a form accepts like a first name field, it should only have alphanumeric characters. It should not have like, let's say some HTML code or some PHP code. So they think that this isn't like, I mean, like I've written that it's supposed to be like first name and it should be like, and like just to add to that, one of the most common things I've seen with this is they will add input validation because they've heard in some security talk like this that add input validation, check that the data is there. So they add validation in JavaScript. Like in HTML, they'll put a validation, but in their actual PHP or like backend code, it's missing. So I mean, and then like websites get hacked. So, but I think this is like one of those questions which needs a session in itself because there's so much more like depth which we can go to for developers. Yeah, yeah, absolutely. Anand, would you like to stop sharing your screen as well? I think I'll get to see you better in that case. Okay, so I just wanted to add to this thing that you just said, first name should only accept alphanumeric characters. What do you do with Elon Musk and his child? So all these exceptions will keep coming up and all recommendations are to be taken with a pinch of salt because you might come across exceptional clients and exceptional needs. But yeah, I think the key thing to understand is that security happens in layers and there are so many layers that, and I think one analogy we can quickly take is that of securing your own homes.
Like even the Fattest Lock cannot prevent money stolen from your home and in fact, as of date, someone who wants to steal money would just need to send you an SMS and ask for an OTP and your money is gone and you don't, it doesn't matter whether you have a lock in the home or not. I mean, so what people tend to do is they'll put the strongest door, like they'll have like an iron gate with like, I don't know, 10 locks on it and like fortify it but they forget to secure their windows, like window and someone can just like break that glass window and come inside. So as a website owner or someone, you need to look at all aspects of security. Like every loophole you have to like fortify but like as a security researcher or like a hacker or like someone with malicious intent, they just need that one vulnerability to like get into a website or like cause damage. So that mindset, like that understanding needs to be there when you have money. But you know, what you're recommending is not easy because for a business owner who doesn't understand this in a way and it's not really, and this is why so many people are getting scammed through OTPs and money getting stolen because you don't understand the technology and how is that working? But you might actually be physically be able to see a door and a window and know that, oh, you're able to imagine this is a traditional way in which people can intrude into your houses but you don't know what is a traditional way in which people can intrude into your website and things like that. So far from that point of view, what you probably need to do is figure out who's the right developer. So do you have any recommendations in how can a person who doesn't have a great technical background or understanding of security evaluate a developer and say that, okay, this developer knows this aspect as well. Oh, that's a tricky question, you know, and there's no, I mean, like, there's no straight answer. There may not be an easy answer for this. 
It could also be a higher concerted. I don't know, but what are your thoughts about this? So one is typically like always speak to the person, like don't randomly get any developer on the internet to work on your project. That would be like one of the guiding principles, I would say that get someone who's recommended, get someone like do a background check basically, like see that they've worked with good companies, maybe speak to some of their customers, see, like talk to them, ask them their methodology on how they build the website and like how they maintain it. Like building a website is one thing, but maintaining it is a different challenge altogether. So look at someone who also has experience with maintaining it. Maybe you can ask the developer some questions if he's managed a website which has been hacked before and like what are the steps he has taken and maybe like just ask who is him on what security measures he takes. From this talk, if you've heard me, like if you've stayed on this far, if they say that SSL is the only thing that they take to security website, run away. So basic things like that. And like if you're using a content-based website, like those couple of three, four points which I mentioned was get your hosting right, like it might cost a few dollars more per month, but take like a managed solution, like maybe just because some hosting is cheaper might not, it might not be secure or something. Secondly, like things like the hosting being one and like updates and installing plugins from trusted sources and only, not like not giving everyone access to everything. Like you don't have to give that plugin developer or someone to make a small change. You don't have to give them your whole server access. So just doing these few things will save you headache from like a lot of security issues. So even getting these basic hygiene things would be really good. 
So yeah, those would be some basic things, but again, like always have- No right answers over here, but I think if I may add a small point to this, just as how Anand said that don't go for the most inexpensive developer out in the internet, people in person you don't know, at the same point of time, I would say that don't get a developer who trivializes the point of security or simply commits to you that the website will be secure, don't worry about it. So if the developer has tremendous confidence in the security or is trying to trivialize that point that don't worry about it completely and not like equal view that yes, it can happen and we are taking these measures at itself shows a level of awareness. And even as a business owner, you can go online, you can search for some security resources and you yourself, like if you spend like half an hour on it, you will get a fair understanding of what can be done. And so when you speak to the developer on security, he should be able to explain a lot of these things and you'll know that, okay, does this person actually know or he's just like saying it for the sake of- For a sale, for a sale to happen, yes. Yeah, for a sale to happen. Right, so I do want to know how does a website owner understand or realize their website is hacked? How do they even find out? Because in cases where your homepage has been completely destroyed or something it's redirecting to some other site, you might be able to make out, oh yes, my site is hacked. But like from a recent example, if I can add is that a client contacted us firstly, this is a case in which the same server was used to host two different sites, okay? And this is a case wherein one site getting hacked started impacting the other site in this case. But when the client reached out to us, they said that the other site is not working. But that is because any link they would click on this other site would stop working. 
But they still did not realize at that point of time they would put the thing that the website, there's something wrong with the site, rather than realizing- Call the developer, no, call the developer. This is not working. The site is not working, but you don't even realize until the developer come in and starts intervening and say, oh shit, your other website is hacked and that hasn't impacted this. You don't even realize that the website, it's a hack. So how do you feel, do you have any thoughts around this? How do you understand that you're actually attacked in some way? So before I answer that, another point came to my mind. So another assumption, like another mistake which happens is lot of time business owner thinks the developer is already taking care of security. The developer thinks that the hosting provider is taking care of security. And the hosting provider says we have a shared responsibility model that like we're taking care of this, you take care of that. So people don't talk about it. So things do come in because a lot of people like who do reach out say that, hey, like I thought you were taking care of security. And the developer's like, boss, but I just sold you this package, but like, you know, this is not my expertise and whatever. So a lot of like conflict and bad blood comes at that time. But now we're coming back to your question that like how does one know? So typically like it is like some visible sign itself, like people. So if you don't have a security solution, if you don't have that malware scanner, if you don't have that firewall, if you don't have monitoring basically, you won't like really get to know it's hacked.
Unless there's a visual sign like either website, suddenly it starts throwing like an error or you open your website, it's redirecting somewhere, there are pop-ups, your customers are complaining that like your card details are, there's the cards are being hacked or like this suddenly your hosting provider suspends your account. Like a lot of times that happens too, that you open your website and you see like my account suspended page. And you're like, what happened? Like, I mean, if there was something wrong, you tell me before, like you don't suspend my website, you know? So or like some CPU usage is high or stuff like that. But there are like a lot of other early signs as well that typically like if you're a developer and you log in, you might just see like some random files or like some on like files with like random gibberish names or like some core CMS files are modified and stuff like that. So those would also be some signs where you can say that, okay, my website's hacked, but the most reliable predictable way is to actually have some monitoring, some setup to tell you about it. Okay, so let me connect this and the question that Ellen just asked right now, which is how do you set up a monitoring on your site, whether that is hacked or not? Can you name a few tools for us and all and connecting that to the question that Ellen asked, which is are there ways or tools that can check if the website is secure or does one need to always ask a developer to do that? And Ellen, if you would want to have a quick chat with Anand on this question, feel free to unmute yourself and add more to the question. Hey, hello. Hi, Anand. Hi, so thank you so much for the interesting talk. So I'm really interested in WordPress because of the possibilities that it has. So to give some background, my parents have a shop, I mean, I'm from Bangalore, originally from Europe and they have a shop in clothes.
And because of the corona, like what so many people had to do, we had to set up a website very quickly and we wanted more as a catalog. So what we have done, had to be up and running very fast. We've gone with, it's a kind of a Wix website. It's not from Wix, it's a local website. It's called your web, so you can check it after this call. This website is up and running. They take care of everything like the SSL certificates, the like your payment gateway, you just, it's basically very easy to set it up. But obviously while using it, we're feeling it, we're also constrained and are thinking of moving the entire thing to WordPress. The thing is the reason we had set it up ourselves was the speed because the developers, at least in Europe said, we need a month, we need two months. But now we're thinking of moving to the entire site to WordPress. And the only thing that held us a bit back is that, yeah, what about the security? Do we need to go to a developer like if there is a hack, if there needs to be a backup, we know some basics like how to set up the WordPress, how to do the menus, how to upload it. But then, see, once you start up and running and something happens, is there things like plugins, like Wordfence we have to use? So the question is basically in our case, is it then better, like, okay, you give some good tips on if you have a developer, like what you have to ask and all that. But sometimes in like on the ground which has really happened in our case and is happening today, sometimes we need to change the site completely very, very fast. So that's why we had taken it in our own hands. So as a business owner, what can you basically, what would you suggest to do in these specific cases? First of all, thank you so much for the question. I completely understand what you're saying. And this is like a very typical scenario where business owners find themselves in and then again, like, there's no one clear answer to this.
There are like multiple ways you can go ahead with this. So one is like, when you're with a hosted solution or typically let's say Wix or something like Shopify or something, these platforms take care of security themselves. So they have like a very restricted ecosystem even for plugins in that manner, from a security standpoint, all of it is thoroughly tested before it goes. So from an application standpoint, you don't have to worry about a lot of things like firewalls, security configuration, backups and other stuff. In those contexts, you'll have to look at things like, let's say, using a strong password in an account not giving access to your Shopify Wix account to some developer or having two-factor and stuff like that. But now the thing comes like you mentioned it, hey, but I am restricted, like I'm not able to do a lot in Wix so I need the flexibility. So now you need to look at it this way that when you're using a solution like WordPress, you are taking things in matters in your own hand. Like now you are responsible for hosting it. You are responsible for backups. You are responsible for the encryption. You are like responsible for all that stuff. So yeah, so you will need a solution, like a WordPress specific securities solution. And I would recommend that in like, don't wait for the site to get hacked. Like be proactive with security that like from day one if you have, if you follow these security recommendations that I talked about in this talk, you should be fine. So if you've already identified a developer or someone like just have a chat with the developer, make sure like maybe you can get your developer to enroll in the WordPress code. So we do have like a lot of actionable tips on like once you have the WordPress site, how to actually secure it. So that would be helpful. So if you haven't already moved to like WordPress already, you might consider like something like a Shopify or some other solution, which is like solely like focused for e-commerce.
So then you wouldn't have to, you would still be able to like rapidly prototype, but like you can focus on your business while someone does this for you. But then again, like cost is something which you will have to look at, but because the things and plugins might not be like so cheap. Yeah, we actually looked at sort of the Shopify, but the reason that we said WordPress and can take it offline as needed is because of a certain customization that we wanted and with a certain plugin, a paid plugin in the WordPress, because we set, we tried to set it up in the Shopify as well. So it's a specific thing on the site. So there's specific reason why we wanted to go with WordPress. So I'm not go with Shopify this thing, but yeah. Why do you do this? So I'll probably drop in my email address in the chat or like happy to like connect with you offline and maybe like help you all. Okay, that's nice, thank you. Yeah, I can probably add one thing to what you had asked, Erin. I think one of the things that business owners need to clearly understand is that there is a clear difference between a managed website, a managed hosted solution and the solution like WordPress that we are discussing right now. If you are in the managed space then you have to think about security significantly less, managed space being like Wix or Shopify and all. And if you are not in that space and obviously it'll have its own set of restrictions, the restrictions by the way are directly helping in security as well. Yes, you cannot make changes quickly, but because you can't make changes quickly that those are also certain security mechanisms so that the platform cannot be easily hacked because if they would have made things very simple for you, then it would have become simple for someone with an intention which is not good to hack the site as well to do something wrong with the site. 
On the flip side, if you go into the hosted solution which is something like a WordPress CMS and all, I think one of the steps should also be to evaluate different options out there because as we talked in the beginning, WordPress is not the only CMS out there which helps you sell. Drupal is one of the CMS that Anand talked about. Then there is Magento, then there are OpenCart and many other things depending on, and there are also different solutions whether you want to do e-commerce versus only do a catalog which is only available. So do check out multiple CMSs and the reason people say WordPress as the first option is also the same thing that we discussed right at the beginning what Anand said, WordPress is hugely popular. But is WordPress always the right solution? That also you should question. And when you're, and doesn't matter whether you're going for WordPress or any of the other solutions, in each of the cases, you have to take similar precautions from a security point of view. Correct, like if you're hosting, like, like, if you're hosting the website on your own servers and then you have to take care of all of this. So typically what I've seen people do is they'll start off with a managed solution or something and as their needs increase, they might either start with something like WooCommerce or OpenCart or something and then maybe if the need arises, they might switch to something like a Magento or something like, but then again, if you do plan to use some of this, you'll need a really good development partner with you. Yeah, a good development partner. Because WordPress and even these other CMSs might make it easy to make it more customizable, but in no way does it mean that it will be fast. Look at it the other way. Like if there's a plugin already there in Shopify, you pay that $100, enable it and you have something which 100% works and is secure. But that plugin that you might not always work with the theme that you have.
So that dev time, what we expect and what the dev time we predict and it actually takes two different things altogether. So just keep that in mind while evaluating this. Okay, thank you. It's very useful. All right, thanks for your question, Ellen. So Anand, I had asked this question also that do you recommend any monitoring tools to detect that your website has been hacked or exploited or to get alerted faster than you can observe it? Correct. So like actually we do build, like at Astra we do build some of this software as well. So like the firewall, the malware scanning and like website hardening is something which we do look at. So right now we're supporting CMSs like WordPress, Magento, OpenCart, Drupal, and like maybe even if you're like a developer using like a framework like Laravel or CodeIgniter, even those would be supported. So we have like solutions for this and like very tailor made to each of these solutions. Typically in WordPress there are like, of course there are more players like WordPress and others as like Ellen also mentioned. So like you can like look at the other options that you guys have. So... Got it. Okay, so the next question I have listed in my thing is that you talked about why will a hacker hack my site? And one of the first reasons you gave is for data. Now I know that most people fear losing money but why should you fear losing data? So think that you're an e-commerce store and you have like a niche e-commerce store and you have like I don't know 100,000 customers and you have everyone's email address. So I know 100,000 people who want to buy let's say car covers for example. So some hacker who has access to this information can like easily reach out to those people. So like especially for e-commerce I've seen that a lot of people do targeted attacks for this. So your data is very valuable. So let's say someone gets this data and is selling the same stuff for like much significantly cheaper. That would be one.
The second reason would actually be like people tend to reuse passwords unfortunately. So let's say I hack, get access to whatever website and I get like less of 100 users with their hashed passwords. So if the correct hashing techniques are not used the password hashes stored in the database might be cracked. So if I get to know your password on one side hackers will try it out on multiple sites. So that's like really important. And yeah, and depending on the business need like you might have like a lot of data which you don't even know that you might be capturing like e-commerce stores might actually capture credit card information, you know? So or your Stripe API key. So things like that could like do play a really big factor. Okay, so if data is stolen from your website is it, are you legally liable or is it just an ethical and a moral responsibility to keep your website safe? Both. Depends on the country where you're incorporated like where your company is there. So especially in like Europe and all like with GDPR and like other regulations coming in. So it is like a legal requirement as well for you to not just inform your customers but also to the authorities. So you will have to notify people tell them that hey, like there was one so breach. This was what happened. These are the steps you've taken and this is what you should do. So do check, like do speak to your legal consultant like lawyer or someone who would be able to guide you on such matters. Okay, two small questions that I had noted in between. So you'd said that null themes or free themes have malicious code in them or can have malicious code in them but it often implies that a paid code will not have. So can you just correct or tell us what the real thing is and is a free code always bad? That also, so I wanted to- So another clarification here. So when I meant free, so I didn't click mean free. So I didn't mean open source.
So when I meant free, like I just meant like null themes that let's say a theme costs like let's say $100. Okay, what's a null theme? What's a null theme? Please explain that also. So null theme is like a pirated theme, that pirated software which we use. So typically, let's say some theme is for like $100 and you'll search that download whatever theme name space download free or cracked or nulled or something. So you'll find some shady website with like links, like 10 links, two links to Zippyshare, someone to like mega.nz and stuff and they'll give you that zip. So when you're trying to get something which is paid for free, that typically has malware because that is how hackers spread malware but they feel free to use open source stuff which are like open source and free otherwise. So those can definitely be trusted. Now the question is very interesting and just because it's paid also doesn't mean that it's backed or free as well. So just because you're paying $10 doesn't mean that it's safe also. So you really need to check the reputation of the thing just because someone has some premium themes, whatever.com, I don't know if it's a website or not but I'm just saying that like just because there's some website and it has like a good website and the gateway doesn't mean you paid might just be like a phishing page to steal your card details. So typically look out for like community signals that check their Facebook page, check their profile on like a trusted platform like ThemeForest or how many stars they have on like the WordPress repository and stuff. So that would be like a good indicator about that.
Now there are also some really sophisticated attacks as well that sometimes like malicious people like buy open source or like buy free software companies and like after many months they'll inject that small malware or some small paid link but those are like very sophisticated attacks like they do happen but like I mean you're like it won't keep you up at night but like but that too does happen. All right, also can you quickly explain us what is a backdoor? So backdoor is essentially like some code like typically in the server side programming language. So if using PHP it'll be some PHP code or some Python code or something which hackers put on your like either they exploit a vulnerability and put that code on your server or put it like pre-install it in a theme or something. So that backdoor code will allow the hacker to access your website. So when I say access I mean that at a later date he might send like some specially crafted URL like in your website URL he'll put some additional code which will trigger that backdoor and the backdoor will let's say run a command. So like if you open your PC terminal and you write shutdown it will shut down. So maybe the hacker might run some commands or take some actions. So he can like he can install let's say like a file manager or some database admin tool like admin or something and access your database. So typically malicious code is like a broad term for like malicious code. Got it, got it. Okay, one more suggestion you had given was keeping WordPress updated and I extend that to keeping your CMS updated whatever CMS you might be using. Keeping your CMS update is a lot of work because the rate at which updates come in is crazy high these days. At the same point of time sometimes updates break your website or break your business logic or things like that. 
So generally as like one of the practices we follow that is that we don't turn on auto updates but we do updates under a controlled observation by the developer and do it periodically which is not as fast as every two days which you just suggested. So we are crazy. So what should be the ideal period and what are your good guidelines in keeping software updated and how do you balance the hard work of keeping our software updated because that's also work. So I look like, I'll tell you my point of view like maybe I'm paranoid but the thing is like when you're updating like let's say 30 plugins at one go, okay. Things will break like it will break, okay. But if you're updating frequently daily or like every couple of hours like I actually update every couple of hours but like I said alternative but the thing is like when you're only updating like one or two plugins at a time even if anything breaks you know like what caused it. So there are like especially for WordPress there are some popular plugins to roll back your WordPress plugin. So let's say that one plugin update broke you can just roll that back and just maybe look at the plugin change log or something on the WordPress repository that was it a security upgrade or not. If it did break it you roll it back and then get your developer to look at it. And that has worked out fine for me like for me personally it has worked out but like but of course I do understand that it's not always possible to do it that often. So like even like a weekly schedule should be okay in most cases but always do keep a backup of not just your website files but also the database. Yeah, so and don't store the backups on the server itself. Like if you're taking a backup please download it or link it to like a Google Drive or something. I would say like downloaded to your PC because typically like let's say like your WordPress site is compromised and it has auto backups to let's say drive or something. 
Those encryption keys would also be technically needed so if the hacker is motivated enough like that might be compromised as well. Typically it doesn't happen but you can never be too careful. So that would be my... We can have a complete DevOps geek out session on these things on some other day but we're reaching nearly the end of the time and I want to quickly touch upon if you have experienced a hack and you find out eventually either through a monitoring tool or you suddenly see your homepage wiped out or junk content on your homepage or anything like that what are the immediate next steps to do? So we've worked like with like a lot of hacked customers so what you're talking is like what I do between like breakfast and tea or like tea and snacks. So like, so this is something which does happen so the number one step would be to probably get like a maintenance page up because you don't want like let's say some card deep credit card stuff is there. You don't want your customers to get like compromised. So typically the first step would be to get like a monitoring page up. Call your developer, call your hosting company, speak to like someone who has a tech idea because typically people tend to like save some dollars and try to do it themselves but it will get reinfected. So it is worth the like that money for your peace of mind to actually get a professional to work on it because like, because we do this day in and day out so we would be able to resolve like the hack and let's say a couple of hours versus like a couple of days for yourself. The second would be like try and see if you have a backup restore that backup and most of the times even the backup would be infected. Like you're seeing the symptoms today but the hack might have happened before.
Now the next step would be to actually analyze like go through like a user tool like Astra or Wordfence or any other tool which would give you like a malware scanner to actually see if your website to like basically analyze the damage which is already done. So first analyze the damage, fix the damage and secure the site so that it doesn't get hacked again. So like in like a very high level this would be my go-to plan and notify customers. So depending on who it is like please do tell people that like this, it's like hacks do happen there's nothing to be ashamed about it but you'll actually do like good karma when you tell people about it and also tell them like how you secured it and I'm sure your customers will appreciate it. Yeah, it's almost sounds like being hacked is like a fungal infection. You'll keep getting reinfected. It doesn't happen. Yeah, it does happen. But once you're hacked, like you're on the radar of hackers, right? So they know that you are being infected and you're an easy target. So it'll start with one hack, then it will be like I gave you like five slides of five different hacks. I've seen sites where like I've seen all those five in one set also. So I mean, yeah, it's a trick. But just to set realistic expectations if you're hacked, how much time do you think your website? I mean, the challenge that happens with customers is how soon can we get it up? Correct. Now, is it a good idea to rush through it? So typically if you get like a professional solution, it will like typically companies will promise you like four to 12, 24 hours. Typically like it would take less than an hour like the correct tool set. It is possible to get the site back up like in the hour or so as well. So it will also depend on the hack, but like it is a tool we're building are like sophisticated enough to like fix sites quickly. But that would be like, but you will build like there are always things like access and like a lot of other factors.
So it's a, you can save to say like four to, four to 10 hours I'd say. Got it. So in my mind, to weed out the issue to be very clear that yeah, there are no back doors or maybe you have to set up a completely new server or things like that. I would assume that it would take more time. This sounds very fast for me. So any thoughts on that? I'm just probing. Yeah, correct. So it actually depends on your setup. So let's say you're using like a VPS or like you're managing your own server. So then you don't know like to what extent the infection of like your server was infected. So you would want to set up a new server, set up a new CMS and stuff. But typically with most of the people who are like non tech people who are using like a managed hosting solution. So those do take a lot of the, they do have restrictions. Like let's say on your cPanel account, you can't access like your var folder or something. Like you're only locked into your home slash whatever username folder, right? So it's typically quicker to clean such sites. So yeah, so that's it. So there can be a range in a way that sometimes it can be fast, sometimes it can get slower. But let the developer on the other side, at least for this thing, let them dictate how much time they'll take and not force a shorter time. I mean, it's a fine balance of like 100% trusting and also like being aware of what is being done. So I would say like be involved in the process as well just to see because like no two minds think alike. Like the way I would, my approach to security would be different from your approach to security. And both would be correct. So more minds is always good. I guess like more of the barriers. All right. Thanks a lot for answering all these questions. We have almost run out of time. I do want to ask you a very last question. Realizing how paranoid you are about security, how do you feel about having this conversation over Zoom? It's okay. Like I don't mind.
Like I think a lot of it was like bad PR these guys had to suffer similar stuff with WordPress, like with popularity, like there are people who talk about it. A lot of the times in the security industry have seen that like really small things are blown out of proportion. Sure, like Zoom might be capturing, like having a link something, I think social media pixel or something, but like that's true with every website you visit. So there are many things let's not get into like Zoom bashing. I just wanted to ask a fun question to end the thing. So thanks a lot, Anand. Thanks for giving your time on a Saturday morning and everyone else, Alan who asked us the question and anyone who's joining in from YouTube and other channels. So content web is a weekly set of conversations that we keep doing. If anyone has suggestion about what are the subject areas or topics we should keep taking up under this umbrella, please go to hasgeek.com slash content web and drop in a suggestion or a proposal. If you want to speak about a topic that's welcome, if you would want to suggest a speaker or a subject that also is welcome. It'll give us ideas about how do we schedule our future sessions. Right in the next coming up two weeks that we have, we will have a couple of design oriented sessions by Hamsa mostly to do around typography for the web. And then probably we'll take a weekend or two off for the new years and return back in the next year with some planning some e-commerce conversation at that point of time. So yeah, thanks a lot, Anand and everyone else who joined in for this conversation. Perfectly, thank you so much for all your questions and having me on content web. It was fun. Yeah, same here. Thanks, bye. Thank you.