IT and web security have always been an interest of mine. Given that it was time for me to personally learn more about WordPress website security, I decided to do a presentation for the Las Lajas WordPress meetup group.
Website security is obviously relevant to the world of small biz and creative entrepreneurship, so this episode is based on my presentation. I also have the outside perspective of Beto Rubio, Founder of Servidores Rapidos, a Panama-based web hosting company. Dealing with managing WordPress hosting, operations development and many other things IT related, Beto knows a thing or two about website security.
In this conversation we discuss commonly overlooked practices, the top 5 WordPress security issues, common hacking attempts that use stolen passwords, hosting considerations and much more.
This is the Morning Tempo podcast. I’m your host, Robonzo. On this podcast, I have conversations with business owners and the entrepreneurial, with a slant toward creativity. It’s an opportunity for you to learn, with me, from people who are finding success in the business world, all intended to make your entrepreneurial journey a little bit easier. This episode is about WordPress website security. But don’t let that scare you. It’s relevant, I promise. But before we get there, how are you? How are things in your part of the world? I hope you and yours are well. Let me know. Send me a note. All of my contact info is at morningtempo.com, and I really would love to hear from you.
Yeah, again, this episode is about WordPress website security. It’s relevant to the world of small business and creative entrepreneurship because most of you have or will have a website for your business, or you should. It’s based on a presentation I did to my WordPress Meetup group earlier this year. Doing the presentation and this podcast episode was a way for me to learn more about WordPress website security. For the presentation, I learned through research. In this conversation I learned from my guest, who is Beto Rubio. He is the principal of Servidores Rapidos, a Panama-based company that does web hosting, managed WordPress web hosting, and they have DevOps plans as well. I stumbled on that because I know so little about DevOps. That’s funny. It’s funny to me. In my head. Beto is also an operations developer and all-around IT nerd. Some of the stuff we talked about that I didn’t include in this conversation just goes deep, man. I invited him on to provide some outside perspective on security topics. For you the business owner, the creative entrepreneur, I want to make sure you’re aware that there are a number of considerations that fall into the area of security, especially for business websites. This is not a scare-tactic episode by any means. It’s intended to give you some of the vocabulary you need as you plan your new website, or plan to audit your existing website. Yes, there’s some technical jargon in our conversation, but bear with me. You don’t need to understand all of the technical details; you need only wrap your head around the idea that you need to be conscious of security requirements and concerns for business websites. At the end of our conversation, I’m going to tell you how you can get a website security checklist for free. You can use this checklist to have a chat with your web/IT administrator, or perhaps with the person or company you’re thinking of hiring to build your next website.
Okay, let’s get on with the show. Here is me and Beto Rubio talking about WordPress website security.
Hey Beto, thanks for taking time out of your Friday to speak with me today about WordPress security. I appreciate it.
Beto Rubio 3:09
Thank you very much Roberto for inviting me. It’s a pleasure.
Of course, I’ve been looking forward to this. Two things. I’ve been looking forward to talking about it for my business podcast, and I was looking forward to having a chance to get to know you just a little bit better. So that’s a double bonus for me.
Beto Rubio 3:24
Yep. Likewise, likewise.
Cool. So before we started recording here, I gave you my presentation on how to secure your WordPress website, which was put together for a meetup, a WordPress meetup that I started earlier this year with the help of WordPress and another meetup that you’re part of in Panama City. [Yep.] And you were discussing with me, you said something like, quite frankly a lot of this stuff on here, you know, it’s pretty technical. Why don’t I talk about some of the day-to-day things that we as a hosting company, you know, would advise our clients to do, which I think is great. And I say all this just to tell people who are listening, as we talk about things that are technical, we’re not going to get super deep in them, but I think they’re worth mentioning. Because no matter whether you’ve ever set up a WordPress site before, or you have technical expertise way beyond either Beto or myself, or you’re just paying somebody to do your website for you, I think mentioning these things is good because it will give you some perspective, possibly, on the different types of security risks that are out there, so that you can have the conversation with whomever you’re hiring or working with to find out if everything that needs to be done is getting done. And I’m going to help you with that, if you’re listening, by providing a checklist, like a security checklist, so that you can have those conversations. So how does that sound, Beto?
Beto Rubio 4:59
That’s actually interesting and important, because one other thing is that since security, you know, threats and problems have become more common in everyday news outlets and blogs, it is important for business owners, especially those who run a WordPress website, to be aware of those and have at least the terminology, you know, warm in their heads. Because if your webmaster, or the person that takes care of your website, or if you’re doing it yourself, but let’s say if you’re paying for it, and this person comes to you with all of this, it might sound like they’re trying to scare you to get money out of you to put all of the security things in, but it’s pretty real. And just by knowing the terms you can also take advantage, even if your website is not WordPress, you can take advantage of this information, because all websites in many ways behave the same. And the attacks are pretty much the same. They just vary a little bit from type of website to type of website. So yeah, just getting curious about it, investigating a little bit, can save you, you know, time and money, and especially when you have a website and it’s hacked, it mostly affects the trust of your clients. So it’s important to keep, you know, our website safe from those things that can affect our reputation as a business and as a brand.
Those are good points. So, I guess, a great place to start. We’ll just kind of start going down the list here. And oh, you reminded me of one thing I want to say to people who are listening. If you’re thinking about designing your site yourself for your business, I wholeheartedly encourage you to do so with WordPress. It’s great. [Yes.] Now, if you’re not sure, and maybe listening to this frightens you, I just want you to know that no matter what platform you’re on, there can be security risks. But we all know about, I like to say, the Squarespaces of the world, or Wix, or if you’re a musician, like Bandzoogle. And these are companies that provide fully managed WordPress websites, and they’re very well known. They take care of a lot of this stuff for you. But there’s still some things you need to be aware of. And I know that Beto, your company does, it sounds like they probably do some managed WordPress website services; one of the hosts that I’ve used for many years does the same. So I guess the good point is, if you’re paying a consultant, like myself, I design websites for small businesses on occasion. And if you’re paying a consultant to do that, you know, I suppose one thing that you want to look for is what are they going to do in the long term to help [Yes.] maintain and keep your site safe. So for example [Yes], you might pay me a flat fee to design it. But I’m also going to tell you that you have the option, which you’re strongly encouraged to take advantage of, to have an annual maintenance plan, which just means the site’s going to be backed up. It’s going to be updated. I’m going to help you with small updates. And if any kind of weird security things happen, that’s what it’s for, to keep those things from happening.
Beto Rubio 8:08
Yeah. And if I may interrupt for a second, I would say if you’re going to hire someone who’s going to build your website for you, just make sure that person is security aware, because the way that website is designed, and the selection of the tools and the mechanisms that are going to be used to build your website, especially with WordPress, those can affect the security side of it positively or negatively. So, you know, getting or selecting a consultant or web designer that is security aware and has good practices in security matters will make a big difference. So this is also good so that we create the, you know, security awareness on possible clients, so you know how to select, you know, who’s going to work on your website, not just on the design and the looks, but on the security part of it.
Exactly. Good point. Okay, so the thing that I did at this presentation, probably about two slides in, was that I mentioned the top five WordPress security issues. And this list alone can be frightening for a lot of people. And in fact, you know, I’ve been working with WordPress sites for a while. And this is the list that you mentioned when we talked before we were recording, Beto. You can get quite technical, and I’ll confess to you, as I confess to our listeners, that many of these things I don’t know that much about. So what I did was find out, well, how do I mitigate the risk of running into these things? On top of knowing that they exist, so that if I can’t figure out how to mitigate it, I know what kind of things to ask when I go looking for advice. So those top five security issues, again, these are for some of us kind of scary, but one of them is brute force attacks. And fact-check me or correct me if I’m wrong on explaining any of the ones that I do try to explain, but brute force attacks are commonly done with what most of you probably know as bots, that are just programs run to automatically, non-stop, look for vulnerabilities on websites, and they hammer all day, all night until they find something they can get into. So, the next one is file inclusion exploits. When I wrote the presentation, I read what that meant. Today, it’s been a few weeks, I couldn’t even tell you, but we will talk a little bit about it. Do you know about this one?
Beto Rubio 10:33
Yeah, well, mostly it’s when someone finds a vulnerability in your website, like a little hole, and they inject a file. Or let’s say you get a picture from a free pictures website because it’s nice and it’s free, and you’re gonna put it in your website. But then this file is contaminated, let’s say like the Trojan horse story. So it’s contaminated, and once it’s in there in your website, it’s included, it just calls home. And then it allows the person who injected the file, either directly or indirectly into your server, to control your server or your website and to exploit the resources that you have, either take your contact list or credit card information, or if it’s just a WordPress site, they might use one to get in the server to, you know, use the hardware and all the server resources, or just the connection to hide themselves and use you as a front to present themselves as you, and do bad things. So basically, it’s just to, you know, inject a little file with a little poison on it, and then try to control you from it, yeah.
So let’s talk about free image sites. So I very frequently use, like, Pexels and Pixabay, which are reputable sites, as far as I know. But the more I learn... I also somewhat recently took a freelance writing gig with Forbes.com, and so they kind of walk you through their image usage policy, and they 100% do not let me use any of the kind of stuff that I’ve been using, like on my own website, which are licensed for commercial use. But their thing is just like, we don’t even know if those guys are actually accurately looking at all that stuff. But are there some sites that are better than others, to your knowledge, for getting free stock photography?
Beto Rubio 12:27
Well, like you said, if it’s a reputable brand, like Stock Unlimited, like Pexels, like Pixabay, those are great. But even if you get it from a reputable site, and you pay for it, and I’m pretty sure we’re going to talk about it later, there are a few plugins that you can put on your WordPress site that scan every file on your WordPress site, and it’s never bad to just scan the file, even if it comes from a safe place. But the rule of thumb is, you know, if it’s reputable, if it’s a serious website, it has all the licensing and all the information is clear, there is a big chance it’s okay. If it just looks shady, you know, even if it’s a great picture and it’s free, just don’t take the risk, because pictures are one of the easiest types of files to inject malware into. And it’s super easy.
And one of my early interviews on the Unstarving Musician was with a professional photographer who did the bulk of his work with music artists in the 80s. And today, his business as he knew it has kind of died, right? If you think about it, because back then there were all these magazines, and photographers... being a photographer was kind of hard. It’s very accessible now, anyone can get into it. Magazines are dead. So the money that was there isn’t there, but he spends his time now looking for people that illegally publish his photos of, say, like Van Halen, or Aerosmith or something, and then he goes and sues them. So, yeah, not related to security, but you must be careful about the photos you use on your website.
Beto Rubio 14:12
Yes. And I would say, that’s where you have to be aware that if your web consultant or web designer does it, you do need to check on the content of your website, because he might be shortcutting by doing that for you, maybe not with a bad intention, but he might shortcut it, and in the end all of the legal responsibility comes to you. It’s so easy to just put a picture in Google picture search, and it will find it everywhere. So you have a huge list of people you can just sue if you want to. It’s actually pretty easy to do, you know, to commit that sin and have a picture in your website that you shouldn’t.
Yeah. Okay, and the next one. I’m going to mention two at once, and if you have anything that you want to share quickly, let me know and then we’ll get down the list. So the next two are SQL injections, which we kind of sort of talked about with the file injections, and cross site scripting. And then the last one is malware. So I know that with SQL injections, we start talking about getting into the database, which is actually like a vast amount of the information that is your website. [Yeah] So you don’t want that messed up. And then [Exactly] tell me if I’m right on this with the cross site scripting. This would be, I’m probably going to butcher the explanation, but this would be where maybe they’re actually... I’m not even going to try. I was about to go one place, and I’m like, no, no, that’s when there’s a shared server hosting environment and somebody goes with a script, a malicious script, on one server, and then just goes across multiple websites and servers with that. But I don’t know if that’s accurate. Do you know much about these, this...?
Beto Rubio 15:47
It is pretty close. It is pretty close. It’s actually when you start hopping, if I want to say, from one site to another because their environments are close, like you have a shared hosting, or in a shared hosting company, and then yes, it’s exactly what it is. So one site, let’s say, gets infected, and it’s some sort of a master site. But what it does is that it infects other websites and uses them as a front or as a cover to do things that shouldn’t happen, right? [Yeah.] I’m not gonna go into it technically, but either that one or the third one, both of them, the SQL injections and cross site scripting, they’re both pretty technical. And to go deep into them is not really worth it. What I do want to say is that there are very easy ways to mitigate them. There are very, very easy ways to cover yourself from those.
Okay, good. We’ll talk about some of those. So your company does hosting, Servidores Rapidos, which means fast servers, right? That’s what you do. [Yeah.] It’s funny because when we were talking, my Spanish in the technical realm gets weaker and weaker as I start talking about things like websites in Spanish, but when I saw “servidores,” I didn’t realize that was servers. I was thinking services. Why is that spelt like that? Anyway. So what about VPS, virtual private servers? Is that what that stands for, virtual private servers? Because I use a VPS setup. Are the resources with some of those such that if you’re not doing all the right things to mitigate a problem, like the one we just talked about, there’s a great risk of this sort of cross site, you know, hopping different sites and servers?
Beto Rubio 17:39
Well, you might have a virtual private server. For those who are listening and are not too technical, the difference is, when you use shared hosting it’s like you’re renting, let’s say, an apartment in a big building, right? And a VPS would be something like a small villa, but the difference is you’re not sharing the hallways or elevator or anything, you just have your small villa which is yours. And it’s completely separate. That’s the same in the server world, it’s just a small piece of a server that is dedicated to yourself and acts as a server itself, an individual server itself. The thing is, the cross site scripting might still happen, because your website might be in the same network as the other websites. But it is least, uh, the word in English... Ah, least keen to happen, I would say, or less possible that it will happen. Because there are some sort of physical limits in the middle, some more limits or isolation than you would have in shared hosting. So it’s not the same concern as if you were in shared hosting, but it’s still a concern.
Okay, good to know. Good to know. And then malware. I mean, the best way I describe that is, it’s sort of like, if you just think about your computer, when maybe you get an email with an attachment and someone had some sort of, I don’t know, script in there, some sort of little tiny bit of code that creates havoc on your system. Or we see a lot of malware in our browsing environments and on websites, right? So it comes in all different flavors. But basically, you know, someone’s taking some time to create, like with a lot of these things, to create a little piece of something that’s going to go in and cause nuisance, most oftentimes just nuisance-type problems, but problems that you absolutely don’t want on your website.
Beto Rubio 19:31
Exactly. For example, you can inject malware in a website because this website has a plugin that sends emails through the, you know, the online form that most websites have, the contact form. So what they’re trying to do is take control of such plugin and such email sending mechanism, because they’re going to use it to send spam. And then spam, when it’s detected by the anti-spam servers and antivirus, it’s not going to point to the bad guy, you know, doing the thing, it’s just going to point to Robonzo’s website, right? And then they’re gonna blame you. Let’s say it like that, right, just to keep it simple. And the other thing that malware does a lot is it tries to take control of the hardware which is behind the scenes of your website, because, you know, bad guys might use it to do cryptocurrency mining, and a lot of those things that require heavy hardware resources, and they’re just trying to use everyone’s computer server for free. That’s mainly what it is. In some very, very sparse cases, malware is used to try and pull credit card information and contact information, which for most websites, especially built on WordPress, is not stored in the same place where the WordPress site is, because most of us would just use, like, third-party, you know, ecommerce solutions, and those guys keep all their data on their sites. So in a real day-by-day, you know, risk for WordPress websites, malware is mostly to try and control your email sending capabilities and try to hijack your provider’s servers in the background, just to try and, you know, abuse them. Mostly. The thing is that it makes you look bad, right? It brings your website down, the antivirus bangs every time someone comes in, and then people lose, kind of, you know, respect and credibility and trust, I would say, with your brand. This is the worst part of it.
Yeah. And then depending on the nature of the, or the extent of the infection, if I can call it that, sometimes your host is going to send you a message that says, hey, you need to fix this or your website.
Beto Rubio 21:52
Yes, yes, yes. And sometimes, and it’s for the good when it happens, sometimes the hosting company might just suspend your website temporarily, which is better, because the suspended website will not affect people, it will just look like it’s down. And then, you know, you can always say, you know, we had a technical problem. The problem is when the host doesn’t act that fast, and then it stays on for a few days. And then you have the pressure of the host and your clients, and that’s when you call the experts. Right. But, well, we don’t want to scare people, right? There are easy ways to mitigate it. But yeah, it might happen. It’s very possible. We see it on a daily basis.
Right, right. Okay, so stolen passwords. You know, one of the first things I did when I was putting this presentation together was I tried to get some, I want to say community peers, to weigh in on what are some common oversights when it comes to WordPress website security, and one of them was... I actually really liked the way this guy said it. He said, “Using terrible passwords or, on top of that, keeping old developers or user accounts active.” Like, for instance, you know, you had somebody working on your website, and he says, “You’d like to think everyone is chill, they are not.” That was from a freelance web designer. But so some of the things that happen with stolen passwords, you know, there’s probably a much longer list, but common ones are: they will work on trying to get into your WordPress admin area, so that they can just get into the site and wreak havoc; get into FTP accounts, which is another way for them to wreak havoc on kind of the back end. If you don’t know what FTP is, it’s a way of transferring files and pretty much seeing all the files on your website, and maybe, you know, maybe things that aren’t even exactly part of the website. Also hacking into the database of your website. Getting into your hosting account, which could be terrible. What are they going to do? You basically have your credit card there in your hosting account, and what are they going to do? Maybe just spend your money or whatever? [Yeah.] Maybe cancel things, who knows. And then this one was kind of interesting to me: custom email addresses. And what I assumed they meant by this is, so for instance, on mine, Robonzo.com, my music artist website, I have an email address, Roberto at robonzo.com.
So we’re talking about things like that, where I might use something like Google’s G Suite, or maybe I’m using my host’s email service, but I’ve got these customized email addresses, and they might want to get in there and exploit those. Is that what that refers to?
Beto Rubio 24:27
Yeah, and also, the fact that when you have a customized email account and you use it as a username, there is a big chance, because most people have, you know, a single password, and they use it for every website, every service. If you have a custom email, let’s say Roberto at robonzo.com, then very much likely that’s the same email you use for Netflix or for Facebook. And then if your Netflix password is exposed, because some guys have nothing to do with their lives but try to hack Netflix, right? So they have... Yeah, so they come up with your password, then everywhere where you have that email, it’s likely that you’re going to have the same password. Right? Yeah. So having a custom email instead of a username is a way to pair things up. Like if you don’t have a user, I mostly use email. So that’s a good practice. But the thing is, you put your email in there, you’re already giving them half the information, right? Like, ah, this guy is using it somewhere else. So I may try and hack somewhere else where he’s using his email and then I’m just going to get his password, or maybe they just got it from a list, you know, those that get published on Twitter all the time, where your email is, and if you have the same password, well, it’s pretty easy to just go into your WordPress site. They just follow the domain robonzo.com and there’s a website in there. There might be, and then they have the password. So it’s, you know, just making it easier for them.
Yeah, if I was a hacker I’d do that. I do that a lot, because I want to know. Oh, like someone might send me an email, and I can see they have a domain of their own, but they didn’t put a website in their signature line. So I will go copy the domain of their email just to go see what it is. You know, I wish I was as skilled as a lot of what we call hackers now, just not to do malicious things, but I know that there’s a lot of skill involved in that, and that can actually be used for good things. And just a quick comment for those of you that are listening to this and already like, yeah, man, this is way too technical. If it is, the presentation, which I’ll make available with a link in the show notes for this episode, includes links to articles that I used to get this information. And these are from sources that are regularly updated, so they stay on top of stuff. So if you want to actually learn more, or you’re listening to us and go, I wish they would have said more about that, then that’s a way for you to do so. Now, hosting. This ought to be one of your favorite areas. So the things that I listed on hosting: we talked a little bit about shared hosting plans, and then in my presentation I also mentioned managed WordPress hosting. Do you want to say anything on either one of those two areas?
Beto Rubio 27:13
Well, I think we already explained a little bit of the difference. But in a shared hosting service, mostly you share a server with a lot of people, just like if you were sharing a hotel room or a little apartment, right? So instead of having all the cost on your back, well, you’re just splitting the cost among a lot of tenants. So these services tend to be cheaper, which is good as a starting point. The thing is, you need to manage your WordPress site in full. So you depend a lot on your own technical skills, on the tools you happen to gather or find out about. And on a managed WordPress service, you have experts that are taking care of all the backend of your WordPress site, so you mostly only have to worry about your design and your content. This tends to be a little bit more expensive than shared hosting. But if you’re at that point that you’re making a decision to start a business and using WordPress, I would say if you’re, you know, if you’re serious about business, and you have a little bit of resources, which is not that much, go with a managed service, because in the end, it would allow you to focus on your business. And then most of these security problems and issues are going to be mitigated by the platform administrator. You would still have some responsibility with your users and passwords and other things. But the managed service, it’s mostly like a catered service. So you don’t have to worry about, you know, doing the dishwashing and the tablecloth and the plates and everything, you just go and eat, basically. It’s pretty much the same, basically. You just host and eat your website and consume it with your clients and do your business, focus on your business. The difference in the pricing is worth it. Unless you have some skills or you hired someone like Roberto to handle it for you.
It’s good advice, and even, I think you alluded to this, but if you’re a consultant that’s, you know, trying to get a legitimate business going, even you using or recommending managed WordPress hosting has value, because then instead of focusing on doing updates or making sure things are working for all your clients, someone is helping you, taking much of the load for you on that. [Exactly.] I think, you know, my favorite one in here, which may be one of yours too, is to choose your hosting provider wisely. [Yes.] I hear sometimes, not a lot, I think like in the United States, sadly, you know, GoDaddy’s a great service. I was about to say sadly most people go to GoDaddy, but it’s because they are a reputable service. And it’s because they advertise a lot and they have great brand recognition. And if you’re with GoDaddy, about my comment that sadly most people go with GoDaddy, when I say that, it’s only because it’s mostly just carryover from when they first started out. I really did not like the way they modeled the part where you go in there and manage an account, either for yourself or someone else, but it’s getting better, that is even getting better and better all the time. But there are a lot of great hosting companies out there. And places where you can register domains, places where you can get security certificates and various other things related to your website. So don’t always look for the cheapest price, I guess is a good kind of rule of thumb.
Beto Rubio 30:30
If I may have a say here, if you don’t mind. We do hosting, so out of being ethical and serious, because that’s the way we are, we don’t say bad things about other providers. But this is what I would say would be my advice: not every hosting company serves you the same way. So try to have an honest introspection of what you really know and don’t know about what your skills are, and then try and find the host that has the level of service that matches your level of skills. For example, if you’re a skilled web consultant or web designer, or you’re just a hobbyist but with a lot of knowledge, then you can buy a good service that is cheap, and you don’t really mind whether you’re going to have next-hour support or a super staff on the back answering your questions right away, because you know what you’re doing, right? But if your argument is, you know, I’m starting a business, this is my first website, let’s find a cheap hosting service, most likely their support service is not going to be that fast or that involved. They’re going to send you to forums to read their help documents, which is not wrong, because you’re paying little money for their service. So I would say, if you want to match a service that gives you the quality of service that you’re expecting, price is not really a criterion. Just go and try their support service. There’s always a service tab before you buy. So try and chat with the guy, see how helpful they are, how willing they are to answer your questions, and see if you really need their help that much. And then go from there. For example, GoDaddy is a perfect place to start. And you know, I have a hosting company, I shouldn’t be saying GoDaddy is perfect, but they are. Right? They’re cheap, and they’re good and they’re fast, to start.
If your website goes past a certain level of usage, then not so much. Then there are other companies, I don’t want to promote them for free on your podcast, but there are other companies that are awesome if you’re pretty technical. For example, we try to keep a non-technical approach, and a lot of our clients are small businesses that need a little bit of hand holding, you know, people that need to be guided and advised, and sometimes even helped to get plugins installed and things like that. Even if it’s a shared service, we do a little bit of hand holding, because that’s the market that we selected. And we do have a lot of super technical clients that just pay the bill and never show up, right? Never ask for support or anything. So I would say, if you want to save yourself from frustration, just try to recognize how skilled you are. And sometimes the more expensive services, like those managed services, are a better match for you, because those are going to keep all the trouble on their side, and you just run your business and run your website and be happier all day.
Yep. And you know, I have some technical skills, but I’m not a developer. I’m more of a designer. Do I have some developer skills? Sure, but I wouldn’t call myself a developer. But I’ll tell you, I like being able to get on chat with a host and have them help me resolve a problem, for the time that it saves me. And I love learning about this stuff, but I know sometimes I’m just not up for spending 10, 15, 20, 30 minutes researching a problem when I know that they can help me while I’m working on something else at the same time. So that’s another upside. So yeah, thanks for sharing that. That’s good.
Beto Rubio 34:21
Exactly. Just dedicate yourself to running your business. You don’t necessarily need to run the website that deep if you have, you know, close support, or a good consultant that is going to do support for you.
Exactly. Okay. So, some security things we can do, well, on top of choosing the right host and the right type of hosting service. Some other things we can do are make sure that we have a good backup solution in place, or that your consultant or your service provider is providing the level of backup that you need. And if you’re designing your site, or you had someone design it for you that maybe you think could be a little bit of a newbie, make sure that they have appropriate security tools and plug-ins, or in the WordPress world we call them plugins, for helping to safeguard you or mitigate, we keep using that word mitigate, which is a good one to use here. But I’d like to help safeguard your website. And then also, something that’s now really become a requirement: move your site to an SSL or HTTPS environment, which gives you a security certificate. In the old days, or not too long ago, these were used for e-commerce transactions and certain types of websites, and many websites didn’t have it. But now, I know that Google is even kind of down-ranking your site for not having it, and it’s kind of just a requirement, right?
Beto Rubio 35:53
Yes, and most hosts already offer it for free. Yeah, so the certificate is included. It is pretty much a basic thing these days. But sometimes people forget that the certificate is not going to install itself. You just start your website and you don’t realize it’s not there until it shows a “not secure” website banner on your client’s screen. And that scares them, like, oh, this website is not safe. So I think, yeah, it’s important that if you don’t have the knowledge on how to do it, just go through your host, they will install it for you and make sure it works, or just your consultant. But yeah, it’s pretty basic, especially not really for security, but for matters of reputation. Yeah, because you’re going into the website and seeing, you know, “not secure”. People are scared with all the news and all the things, so you don’t want that there. And it’s pretty easy to handle.
Right, right. And I guess it’s worth saying that these certificates don’t automatically renew themselves. Depending on your setup, they may be automatically renewing for you because someone is taking care of that for you, your host [Yes.] or your consultant, but they can expire. So just be aware of that and make sure that they’re being [Yes.] attended to. [Yes.] Okay, so let’s see here, there’s kind of a long list that follows. But there are many things that can be done to help protect your password on the WordPress site itself. And separate from that, Google offers a great service called reCAPTCHA, which is a great way to keep some of the malicious, I guess, bots off your website. And then there’s a short list of technical stuff here that, unless there’s something that you’re really passionate about, I’m not even going to mention, but it’s going to be in the checklist. For those of you that are interested in learning a little bit more, it will be available for you.
Beto Rubio 37:56
I wanted to mention one thing that we left behind, really quick, which is common practices, and it’s very important. You mentioned removing other users’ accounts from your website. It is pretty common in WordPress that when you have someone create your website, you give them a user and a password, and you give it to someone else who’s going to have a look at the text, or all of the content, would you say the content, the copywriting and the content, and then you might just give it to a friend who’s gonna come in and check out the security. And then you’re going to call Robonzo, he’s gonna go in and do some other things. And then at some point you have 10 user accounts in your website that are no longer being used. It’s like having people have a copy of the keys to your house and not live there anymore or not come in very often; they might just lose it and someone might come in. So try to do some cleaning up of that. And the same with plugins and themes: if you’re not using it on your website, just clean it up. Just scrub it out, because all of those things become little security hazards. Well, in security terms we call it, it enhances the surface of attack, which means there are more points that can be vulneray. That’s the word in English, vulner? [Vulnerable.] Vulnerable, that’s the word. The more points that can be vulnerable and where you can be attacked through. So clean up the old users, and change your password in a certain cycle, in a periodic way, like every three months or every six months you go and change your password. Just add another number, you know, just change it from one to two and then from two to one. Just change it, just to make sure you keep your user accounts clean and your own account well maintained. That’s all.
Yeah, and I know a lot of people really hate this whole password thing, but to me, if you’re listening, it’s never been easier to manage your passwords with some of the tools that Google Chrome, Firefox, Safari, all the browsers have available to us. And then there are also other apps you can use, so you don’t even have to remember them anymore. You just have to remember how to go copy-paste it without even looking at it in some cases, and in many cases it’ll be automatically filled out for you. You just have to make sure your device is password protected, or secure, and then you’re good usually.
Beto Rubio 40:28
Yeah, and my two cents about passwords would be, it’s actually safer if you use a password like, for example, dog automobile rocket, and then you put a dot at the end, and you put a couple of capital letters in there. But just dog automobile rocket and a dot is going to give you more security, and it’s a much more complex password to be broken by a computer program than if you put like A, W, 1 and asterisk and all of those things that you’re never going to remember. So if you put together three words, three random words that you can remember because you have them in front of you in your office, like a fan, a desk, and I don’t know, on the ceiling, you just put fan desk ceiling and a dot. That’s a great password. A couple of capital letters, let’s say the first of every word, that’s a great password. And it’s going to give you more entropy, which is how we call it in the computer security world, which is just complexity, right? It’s just going to protect you better than a crazy password that you can never remember. So you don’t really need to have these crazy passwords.
Well, I’m a fan of that. But it’s so funny, I’ve heard different arguments about it. So after our conversation today, in the coming days or weeks, I would love to talk more about that. And I would love to actually ask some other people too, just to see what people think. Like, yeah, air quotes, security people. Yeah, well, they know, this is what they say, because I’ve heard two different things.
Beto Rubio 41:58
The good thing is that if you Google password entropy tool, or you just put password entropy checker, it will give you five or six online tools that you could use to check and actually score your password entropy or complexity, which means how hard it is for a computer to break it, not a human being, but a computer. You’ll be surprised what results you get when you use random words combined with, let’s say, one number and one symbol, which are pretty easy to remember, like one and a dollar sign, like one dollar. You’ll be surprised by the scores you get. So it actually doesn’t go that much into opinions. It’s just a matter of going into the tool and letting it help you calculate. But yeah, it’s a pretty intense debate with security people.
That’s cool. Thanks for the tip. I knew that today, no matter what you were trying to tell me the first time I asked you to do this (you said, “Well, I’m not really a security expert, bla bla bla”), I was going to learn something. So thanks. And so let me end with the quote that is at the end of the presentation I actually did, and that was from Ryan Holiday, who has written many great books, but this one comes from The Daily Stoic: 366 Meditations on Wisdom, Perseverance, and the Art of Living. And the quote is, “Remember: Even what we get for free has a cost, if only in what we pay to store it in our garages and in our minds.” I thought that was pretty good.
Beto Rubio 43:30
Absolutely. Downloading, especially for us who are people from the computer world, I tend to do a process called downloading, which is downloading stuff from my mind; I just write it down and put it into documents or something, because we keep so many pieces of information in our brains these days, like phone numbers and passwords and users for all these tools and websites. And like you said, there are pretty nice apps like 1Password and LastPass and a couple of others, that we can just start putting the responsibility of remembering all those things on those apps and taking that away from our day-to-day lives. We don’t need that anymore.
I love it. So, I do want to take a couple of minutes to talk about the hosting service that you are part of. And am I correct in saying that it’s based in Panama, here in Central America? [Yes.] Okay. Yeah. For anyone who’s listening that can use something like that.
Beto Rubio 44:31
I appreciate the opportunity, Roberto. So we don’t have our servers based in Panama, because Panama is not such a great place to have servers, just to start with that. We have our servers abroad, in Europe and the States, right? But what we do have is a big client base here in Panama and in Latin America, and there is a reason why our services are in Spanish. Servidores Rapidos, you can see there is not an English page. It’s because most of the local clients and people from Latin America had to go to the States to buy their hosting services, and we were trying to bring a service to them that was going to feel closer, more kind of, I don’t want to say intimate, but I don’t know that word in English, just closer, more like the next-door-guy hosting service. And what we do is we focus, like I said, on small businesses, mostly startups or people who have small shops, not necessarily in the technical world. We have hotels, we have shoe stores and doctors and pretty much everyone who wants to have a website. We do have a couple of corporate clients who have selected us because we do come with vast experience in the corporate world about websites and stuff. We still do cloud services on AWS and other complex things as part of another business activity we have. But we wanted to bring this service that was close, I would say near to the clients, and we mostly specialize in WordPress, because WordPress, in our minds and in our way of thinking, is just the easiest way to get online if you have an idea to communicate: if you’re a writer, if you’re a musician, if you are a small business owner, if you’re a big company, whatever you’re trying to say to your clients or to put out there for people to read, WordPress is the right tool. And now that WordPress has a great ecommerce platform, which is WooCommerce, and it’s integrated with everything,
we are also helping a lot of clients with their online e-commerce, I would say, adventures or endeavors. [Yeah, good word.] Yeah, now that the pandemic came in and COVID is killing businesses, a new breed of businesses has arisen, which is online selling and online delivery, and everything is online. So we are pretty much devoted to that market. The small and mid-sized business market is the market where we serve, and we’re happy to advise. We have a lot of clients that come to us just to get advice. We don’t charge for that. If you host with us, we’re super happy. If you don’t, and you get something out of talking to us or listening to our video conferences and webinars that we give every now and then, that’s fine too. We participate with the WordPress community in Panama a lot, with the Panama City group. [Yeah. Now with mine.] Now with your group, with you and your group, which is also great. The Las Lajas group is great. It’s just a different flavor of the same sauce, which is awesome. And we try to be very near. We’re very technical people; we just try to keep the conversation not technical, in Spanish, with very hand-holding, I would say, support. And that’s what we do. And we try to keep the prices low, because that’s the market we serve. Now, if you have a big project and you want to talk WordPress the big way, we’re also ready for that. We just don’t promote it on our website yet. [Cool.] We have another brand for that, just not to scare people with the technical talk.
Well, you know, I suspected as much, that you did, so it’s really good to know, because you’re a neighbor, so very good to know. Well, thanks again for coming on to talk on the Morning Tempo podcast. This is going to be great for some of the people that I serve. And it’s just good content, I think, to put out there to help people out.
Beto Rubio 48:46
Thank you. Thank you very much for having me. It’s been a pleasure. It’s actually the first time I’ve been in a podcast. I’ve been to webinars and stuff like that, never a podcast. That’s pretty cool.
Well, I predict growing guest appearances in podcasts. I’ve launched many podcast guest careers here. [Laughs]
Beto Rubio 49:04
Oh, wow. That’s, that’s nice.
Yeah. Well, now you’re going to be more interested in it. You’re going to start asking around, and so yeah, it’s great. You did a good job, by the way.
Beto Rubio 49:14
Thank you. Thank you. I was a bit nervous about it.
Wow, I thought this was a great conversation. I hope that you got something from it yourself. At the top of the episode I promised to tell you how to get a website security checklist for free. Like I said, you can use this checklist to have a chat with your web administrator or IT administrator, or perhaps with the person or company you’re thinking of hiring to build your next website. To get your security checklist for free, just go to morningtempo.com/secure.
This episode was powered by ConvertKit. More than just an email marketing company, ConvertKit is focused on landing pages too, giving beginner creators everything they need to start building an email list. I’ve been using ConvertKit since early 2016. Their new free plan allows creators to make unlimited landing pages and forms. You can choose from multiple templates, add personalization, add design, include an incentive email, create a thank you page, manage subscribers and send broadcast emails. The support and educational resources at ConvertKit are top notch, and that is important to me. It should be to you too. Learn how ConvertKit can help you connect with your audience so that you can make a living doing the work that you love. Go to MorningTempo.com/convert or the Show Notes for this episode.
Thanks again for listening. This podcast is made possible by the support of listeners like you. To learn about the different ways that you can support the podcast visit MorningTempo.com/CrowdSponsor. There you can also join the Morning Tempo email list for insiders who want to know what I’m learning from the business owners and entrepreneurs that I speak with and work with, including those you hear on this podcast. Morning Tempo insiders get an occasional email from me, with business insights, recommendations, hacks and anything else I come across that could help you in your creative entrepreneurial journey, and it’s free. And you can unsubscribe at any time.
If you enjoyed today’s episode, please subscribe wherever you listen to your favorites. With a whole lot of love to my good friend and former bandmate Frank Salazar, who wrote and performed the Morning Tempo podcast theme song. Frank, you rock. Ciao for now.