Transcript
In this episode of the Post Status Happiness Hour, host Michelle Frechette interviews Robert Abela from Melapress to discuss WordPress security. They emphasize the importance of adopting security best practices, the challenges faced by website administrators, and the critical role of user training in preventing breaches. Robert shares insights from a survey by Melapress, revealing common security issues and misconceptions. They explore authentication methods like two-factor authentication (2FA) and passkeys, stressing the need for continuous education and awareness. The episode underscores that human error often contributes to vulnerabilities, highlighting the necessity of proactive security measures.
Top Takeaways:
- Use Password Managers for Stronger Security: Both emphasize the importance of strong, unique passwords across different platforms. Using a password manager simplifies this process, generating and securely storing passwords, which helps users avoid the common mistake of reusing passwords across multiple accounts.
- Auto-Updates Are Essential but Need Careful Implementation: Auto-updates in WordPress, especially for minor updates, are crucial for keeping websites secure. However, using a staging environment to test updates before applying them to a live site is a best practice. It ensures that any potential issues can be resolved without affecting the live site.
- Backups Are a Must-Have: Regular backups are vital for website security and recovery. Although backups are not always seen as part of security, they play a crucial role in recovering from incidents like hacking or failed updates. Many web hosts offer backup services, making it easy to implement.
- Outsourcing Security Can Be Beneficial for Non-Technical Users: Businesses without technical expertise (e.g., small shops or bakeries) may benefit from outsourcing website management to agencies. These agencies have experience with hundreds of websites and can handle security updates and maintenance more efficiently, reducing the risk of security breaches.
- Proactive Security Measures Are Key: The conversation stresses the importance of proactive security practices. Having security solutions, policies, and a recovery plan in place before a security breach occurs is critical. Waiting until after a breach happens can result in higher costs, operational downtime, and damage to reputation.
Mentioned In The Show:
- WordCamp
- WordPress
- Kathy Zant
- Nathan Ingram
- Black Hat
- Give WP
- Liquid Web
- WP Accessibility Day
- Topher DeRosia
- Cate DeRosia
- Hero Press
Sponsor: A2 Hosting
A2Hosting offers solutions for WordPress and WooCommerce that are both blazing fast and ultra-reliable. WordPress can be easily deployed on ANY web hosting plan from A2: Shared, VPS, or Dedicated. A2 also offers Managed WordPress and WooCommerce Hosting. Take a look at a2hosting.com today!
You can follow Post Status and our guests on Twitter:
- Robert Abela (Founder, Melapress)
- Michelle Frechette (Director of Community Relations, Post Status)
- Olivia Bisset (Intern, Post Status)
The Post Status podcast is geared toward WordPress professionals, with interviews, news, and deep analysis.
Browse our archives, and don't forget to subscribe via iTunes, Google Podcasts, YouTube, Stitcher, Simplecast, or RSS.
Transcript
Michelle Frechette 00:00:00 Welcome to this week’s Post Status Happiness Hour. And today my guest is Robert Abela. I hope I say your name right. I should have checked with you beforehand.
Robert Abela 00:00:10 It’s fine. Thanks. Thanks for having me Michelle.
Michelle Frechette 00:00:12 Okay. It’s good to have you here from Melapress. And you do a huge survey every year. We’re going to talk about that in a little bit. But first, tell us a little bit about yourself and what you do with WordPress.
Robert Abela 00:00:22 Sure. I’m Robert, I am originally from Malta, but I am based in the Netherlands. I started with WordPress, I think back in 2012. I think I was working for a software company. We needed a blog back then, and WordPress was the most popular solution. So yeah, and like many other WordPress people, I ended up, you know, like experimenting plugin here and there, having a hobby and yeah, slowly, slowly within the years, it became a full time job basically. Yeah. That’s that’s how I discovered purpose.
Robert Abela 00:00:53 And now, of course, yeah. We have a company called Melapress and we develop a number of, of WordPress security and user management plugins.
Michelle Frechette 00:01:01 That’s awesome. Security. You can’t underestimate security enough. You must invest in the security infrastructure. I have learned that the hard way over the years and I am much better prepared today.
Robert Abela 00:01:13 So good. Yeah, I think I think it’s very good to to be informed even if like I mean, you don’t have to be a security expert per se. But it’s good to keep yourself informed because, yeah, security. Like even like SEO, it’s a, a ever changing task. So it’s not like, okay, my hopes are secure today. It doesn’t mean it’s going to be secure tomorrow. If your website is performing good on SEO today, doesn’t mean it will perform good tomorrow. So it’s just you have to kind of like stay up to date and keep things well optimized and running.
Michelle Frechette 00:01:43 Just like physical locks there are there are the older locks are easier to pick, so they build better locks.
Michelle Frechette 00:01:48 And then people figure out how to use those ones. And then you have to build better locks. And the same thing is true for security on your websites.
Robert Abela 00:01:55 Yeah. And the same happens with almost everything. Credit cards, RFID readers, you know, like almost on a daily basis, you hear about something you’re like, you can almost go crazy if you have to. Okay, this I don’t know, these type of credit cards now are outdated. So everything is progressing every day, you know. So yeah, it’s very important. And with websites is the same actually I think internet in general is one of the fastest based industries because in general, like things are moving very fast. So and I think we’re still at the cusp of the internet. So hopefully within the next few years we’ll see much more advancements.
Michelle Frechette 00:02:29 My security horror story and you can cringe. It’s okay. And you could even like, you know, wave your hands at me. Whatever I’ve learned, I learned from this very, very difficult.
Michelle Frechette 00:02:39 I was driving to WordCamp Montreal from Rochester, New York, which is about a 6.5 hour drive, and started getting phone calls from clients that their sites were down. So I was like, as soon as I get there, I can look into it. I had several sites, I think 12 sites, all in the same shared hosting plan and not divide it up in any particular way. And so one was injected with malware, which then found its way into all of the others. I spent the entire night before the next morning when I was to speak, cleaning up code because I didn’t have appropriate backups I had from when I first built the site, but not since then. And this is before backups were just included in most hosting and the next. And I and I finally got it all cleaned up. My hosting company said, yes, everything’s fine. We will turn your sites back on by the end of the next day. It was all done again. And because the one thing I didn’t know to check was that they had created user admin users on every one of those sites.
Michelle Frechette 00:03:41 I had checked all of the code and fix that. I hadn’t checked that one little thing, and so I had to do it all again. And then from and then on that Monday, I put everybody on their own hosting. I put more security and everything, and I tell everybody, let my mistake be a lesson for you, so that you better prepare your clients and your sites for security.
Robert Abela 00:04:03 So yes, these these things can happen. I, I think what’s very important as well, like, as you said, like, they created a user and you’re like many people think that their website was hacked. For example, there is not a backup more often than not, just if you just restore the website, it will be hacked again, like case in point, like what happened to you, but also like even let’s say we restore the backup and you deleted the username. Most probably they managed to create a username in your website by exploiting a vulnerability. So when you restore the backup, they maybe, I don’t know, maybe it’s an outdated plugin, outdated theme or whatever, some custom code that they exploited.
Robert Abela 00:04:39 And so when you restore the backup, the vulnerability is still there. So they can still exploit it again. And yeah. And recreate the user and take over again. So it’s, it’s very important I think to when, when these things happen, restoring the backup is very important so you can restore the website and its functionality. But it’s very important, of course, to try to look at logs and do some sort of forensic work to try to identify, like what’s the source of the problem from where it all happened from. It started, you know, so close that door. You know.
Michelle Frechette 00:05:12 In marketing we say that it it’s, it’s less money to keep a customer than it is to acquire a new customer. And in security, I discovered that it’s easier to protect your site than to fix a hacked site. So you know that prevention is better than, you know, having to fix things at the back end.
Robert Abela 00:05:29 Yes, yes. But it’s also still a bit difficult, like when you think about it.
Robert Abela 00:05:35 Hackers or malicious users only need to find one, one mistake in your website where you have to like, I don’t know if you have 20 plugins, so much functionality, theme, etc. You have to make sure that all of them are up to date. Everything is secure. However, all they need to do is just find one to exploit the rest. So.
Michelle Frechette: You have to be diligent.
Robert Abela: But so it’s still easier. Yeah, I still agree with you. It’s still easier to have a secure website and keep it running and keep it secure then cleaning websites. But yeah, they also have an advantage because yeah, you have to make sure everything is closed while they only have to find one hole to go.
Michelle Frechette 00:06:12 Yes. So exactly. So let’s I’m going to bring up your survey on our screen so we can talk through some of your findings. Because this was and I know I think you do this every year, but this was a little eye opening for me to discover some of the things that are on here, specifically some of the statistics and some of these are things that I’ve heard very recently and absolutely agree with all of them.
Michelle Frechette 00:06:31 But, you know, that many administrators fail to implement security best practices that address their primary concerns. And so tell us a little bit about about some of these points that are on the screen.
Robert Abela 00:06:43 Sure. yeah. For the first. So first of all, yeah, we run the survey, we do it, online and also at World Camps at our booth. Yeah. Like the first one. It’s like we talked to a lot of people. Sometimes it happens to all of us, even including myself. So I’m like, you know, like, you hear about something I don’t know about some security, best practice or whatever. And yeah, like, okay, I really don’t know much to do list. I’ll implement it. Maybe it’s not intelligent. Whatever. and yeah, somehow it ends up on the back burner. It’s never done. Or, you know, life happens sometimes some other things take priority. So it’s a very common, I think, it’s just human nature. I think we see it with even, like, normal day to day problems sometimes until something hits us really in the face, it’s like, oh, then maybe sometimes it’s too late.
Robert Abela 00:07:31 But so we’ve, we’ve noticed that a lot. And as I said, happens even to us where because as you were saying, like security is not just one thing and this one, you have to, you know, like best practices, policies and stuff like that. So so I don’t know, we learn about a new policy or we’ve seen a new feature in some software like, okay, let’s we need to implement this. We need to start doing it this way or whatever, but yeah, like, it’s like other things are the things get in the way. So, so even though people are aware of some things, people are aware that, oh, listen, there are these dangers or there are these tools that you can use sometimes. Yeah, they they just don’t implement them. I, I think I see it a bit like an insurance kind of thing, like many people like maybe sometimes they risk to, I don’t know, travel to a exotic, dangerous place without insurance.
Robert Abela 00:08:19 Like because insurance like is it worth risking, I don’t know, $200 right now. We’re like, oh no, I won’t need it. But once you need it, then it needs to be there. And this is the same, you know, like we say, yeah, let’s we’ll do it next week. We’ll do it next week. We’re doing this. So in especially in the last few years, there’s definitely much more awareness, even not just for technical people, even like the normal users nowadays. They’re much more aware, you know, about having I don’t know, like using a password manager, not sharing the same password between services, you know, making sure if you connect at least, Avoid public Wi-Fi or, if you connect, at least use a VPN. So nowadays there’s much more awareness, even like the non-technical user. But still, for some reason, I think it’s also a question of productivity versus security. Like not always, but of course, to improve security, like, in fact, like there’s a like when you add 2FA you’re kind of adding an extra step in the process.
Robert Abela 00:09:18 So many people are like, you know, it’s too much work. We have thousand users, you know, like it slows them down. Some people maybe, I don’t know, they’re not that technical. They they get confused when they’re using the mobile. So it does somehow sometimes hinder a bit productivity, you know. So sometimes it’s very difficult to, to find, to find that balance. So yeah, so many, many from what we’ve learned, not just from this, from the survey, we’ve learned a lot of course, but even like from talking to people. And so there is definitely much more awareness. Like we can see it even in talks in WordCamps. There’s much more talks about security and what’s happening. But yeah, somehow people are still not actively they are actively implementing more but still not enough. So they definitely most people that we’ve talked to, know about more things that they can do, but they’re upset, but they’re still not doing it. Doing it.
Michelle Frechette 00:10:11 Yeah. I, I, I’m curious to what you think about 2FA versus Passkeys.
Michelle Frechette 00:10:18 And what if you prefer one over the other? And I know there’s more than one way to do 2FA as well. Right? So, like, for some of my sites, I get an email. I mean, that sites I build, websites that I, that I have to enter a code in and some I have to pull up a, an authenticator app to do.
Robert Abela 00:10:35 Yeah. Yes. They’re quite like passkeys to be honest. It’s something we are looking. In fact, we are already looking into supporting our plugin as well. Passkeys are very convenient, because, they are 2FA as well, but it’s transparent to the user, as you said, like like usually you have to get a code from an app or whatever when you have passkeys. Yeah, it’s totally transparent to the user. So the user doesn’t know. Of course, the setup is a bit more different like the first few steps. So somehow, especially for the non-technical users with vendors in general, like like we they need to kind of like make the process easier for generating a passkey and storing it in a secure place, making sure it’s unique, etc.
Robert Abela 00:11:17 And but yeah, it does it. It doesn’t slow down the process as the traditional 2FA does because right, the user doesn’t have to get the mobile or whatever, you know. But yes, in regards to 2FA the traditional multi-factor or two factor authentication, there are several different methods. The most popular are, the authenticator app getting an email, or in some code. And also they’re quite popular, hardware keys where you can actually buy, like a token, like a USB stick. Usually it is. and then you introduce a password and then you just enter the key. You usually have like a touch, like a touchpad, whether you just touch the pad. And that’s what it is. This step even easier because you just have to put in the.
Michelle Frechette 00:12:01 Just put it in.
Robert Abela 00:12:02 Yeah, yeah. One of the problems of course, like the more too many, especially people who maybe are not that familiar with 2FA, many people are, scared or afraid of implementing it because they get scared of getting locked out.
Robert Abela 00:12:16 But then of course other like there are what we call for example backup codes. So when you configure a 2FA for example which with the mobile app you can also download like ten offline backup codes. So just in case I don’t know, like maybe your, your mobile battery ran out or for some reason you don’t have access to the mobile, or you’re charging them whatever. Like, you can get a backup code to log in, you know? And of course, there are also between the different methods. There are different, like, they have different security levels. Let’s say, some of them are more secure, like a SMS nowadays. It’s almost I wouldn’t say it’s phased out, but it seems like it’s getting phased out in some places because it’s easy to clone, mobile SIM cards.
Michelle Frechette: Okay.
Robert Abela: So yeah, so of course, like, if they know your mobile number and I know, like, you have a website where it sends you on a SMS, I can try to clone your mobile card and get that SMS, emails, email, based on my experience.
Robert Abela 00:13:17 From what you see, even in support of the plugin email is a bit of a problem because, the plugin or WordPress itself, we can only do so much. Like we can only say, okay, tell WordPress, please send this email with this code. But you like emails. I wouldn’t say email as such if there’s a good setup there. Very reliable. But from what we’ve learned, yeah. Like not everyone has their email working on WordPress. And of course it depends on the spam filters. It depends the DNS records are set up properly SPF. There’s so many factors that can affect email deliveries. In fact, I was just to be honest, I was looking. At some of the plugins lately on the WordPress.org, directory and most of them in the FAQ section. The first question is like, listen, what happens if I don’t receive the email with the code? Because it’s such it’s such a common problem. I was at WordCamp Europe. I forgot which email plugin I was, the vendor I was talking to, a vendor who they develop a new plugin and while talking they told me like they actually they started building a forms plugin, but they told me actually we found out that the problem is not the forms like email delivery.
Robert Abela 00:14:26 So they also build an email delivery, plugin because yeah, email delivery is a big problem. So having email using to for email if you if your email is set up properly and kind of like you know it’s it’s efficient but clearly based on my experience and as I said, like I’ve seen this focus effects on other plugins. It can be a problem. It’s also like if someone has access to your email hacked into your email, it becomes a step easier. So I think the most secure I would go for the either hardware key or yeah, your, your mobile app because the mobile is always with you. Unless of course then mobile is stolen. I mean but but yeah, you can, you can only do so much kind of thing, you know.
Michelle Frechette 00:15:10 For sure. Yeah, absolutely.
Robert Abela 00:15:11 But definitely there are different methods. But also the mobile app is the most reliable. Definitely because there’s the mobile. The only problems we’ve seen which are known, like when you use a mobile app, if the time on the mobile or on the web server is not in sync, not in sync with the time servers, then of course, because they use it’s a time based code.
Speaker 3 00:15:33 It’ll timeout.
Robert Abela 00:15:34 Yeah it will timeout. So it might not work. But as long as as the web server is syncs with the time server, with the proper time server and its time zone and the mobile is as well, then everything should work fine.
Michelle Frechette 00:15:45 I, I have been locked out of Facebook twice when I’ve traveled, so when I was in Europe and when I was in, in, Portland. No, I don’t know why. Traveling suddenly like some set up, some. I didn’t get logged out of my phone, but, it kept telling me to check my authenticator app, which I don’t ever remember setting up, so I don’t have an authenticator app for it. And the the alternate way would be to get a text message, and I requested the text message. I checked to check the phone number ten times, and I never got a text message until I got home and tried it again and I was like, this is very frustrating, so I need to figure out how to change my Facebook, which is not your problem.
Robert Abela 00:16:25 Unfortunately, the problem is it’s it’s very familiar with, with a lot of people because. Yeah, like, as I said, like security kind of sometimes there’s like, you can secure things, but I don’t know, maybe we’re abroad. The provider was in support. You were because you were roaming, the provider wasn’t supporting, for example, I don’t know, some message from America, you know. So yeah, like it’s secure. But sometimes, especially nowadays, I mean, like back 30 years ago, people used to work from the office. Like, nowadays, lots of people work from home. A lot of people travel much more travel for work. So it it becomes a bit more. Yeah, a bit more of a challenge to, to develop a solution that that hopefully works for everyone without hindering their, their, their performance. You know. So yeah.
Michelle Frechette 00:17:14 Yes. And WordPress.org itself. Now if you are a plugin developer, a theme developer requires you to have two factor authentication, which I did set up properly for that.
Michelle Frechette 00:17:23 So I can log into I can like.
Speaker 3 00:17:25
Robert Abela 00:17:26 Yeah. And one one thing that I like is that they force you to create the backup codes because many people, again, based on my personal experience and also of other vendors, yeah, they just set up. They’re too afraid to the backup codes. Yeah. We will never get locked out. And then they got locked. I was like, oh, what can we do? You know? Then you have to yeah, you have to manually deactivate the plugin, you know. So so yes. Some sometimes like. Yeah. Like having policies in place to I know people don’t like being forced to do something but yeah it it helps. It’s better for everyone. And that’s one thing I noticed because I, I just did mine a few weeks ago. And yeah, like they do force you to download a copy of the backup codes. So if you’re stuck. Yeah. And anyway at the end of the day it’s, it’s if you really if this account is important for you, you should do everything in your power to, to make sure that if something happens, you still can get access to it.
Robert Abela 00:18:15 Otherwise you lose the account. You know.
Michelle Frechette 00:18:17 You put things in a bank that are important. You lock your doors when you leave your home, you lock your car. Why are you not protecting your other asset, which is your website as well?
Robert Abela 00:18:27 Exactly. And and yeah. Like and it’s like in, in many cases if it’s a business website. Yeah. It’s, it’s your shop to the world quite frankly. Because that’s, you know, like it’s your, your store. It’s not brick and mortar, but that’s your store. That’s where customers come in, see what you have, what you’re selling, learn about your products and buy from. So yeah, it’s very important to to to keep it secure. Make sure. Yeah you give them like they have a secure, safe experience.
Michelle Frechette 00:18:56 Absolutely. Yeah I see that. And what I’ve heard, I talked to, Kathy Zant and Nathan Ingram a few weeks ago about their, their new security training for agencies to be able to help their customers understand security.
Michelle Frechette 00:19:15 Which brings me to your next point, which is failing to train team members, which also would be your customers. If you are an agency, building sites for others on best security best practices significantly increases the likelihood of a security breach. Coming right back to the fact that humans are their own worst enemies.
Robert Abela 00:19:33 I agree 100 percent are used. Like 15 years ago, I used to work for a security company. We used to develop, a web scanner. And I traveled a couple of times some conferences in the US, and, yeah, I was traveling with, some of our sales team and nothing against the sales team, but the sales team most like they are the sales engineers, which usually are technical, but more sales team. The traditional sales person is not technical. All they want to do anyway, it’s their job quite frankly. And I remember like where at Black Hat which is a security conference. They found the public computer, they check their email from there and they left like without even logging out. They’re like like, what are you doing? Like, yeah.
Robert Abela 00:20:13 As if someone wants to see my emails, like. Like you’re at Black Hat, you work for security company, like, like.
Michelle Frechette 00:20:20 Hello.
Robert Abela 00:20:20 It’s the perfect recipe for disaster. And again, they didn’t do it because they were bad people. It’s just they were not aware of. Of what what can happen like this is the same like I have the same discussion with with with my mom for example. Like who would want to hack my email. It’s I’m pretty sure they’re not interested specifically in your. What’s the content of your email? But like even with websites like many people are like, okay, I just have a hobby website about I don’t know all the cars about my garage. There’s there are no forms, there’s no payment gateway, nothing. But when websites are hacked, usually like of course there are some specific targeted attacks. For example, if someone wants to target a company usually. But in general, yeah. Just malicious users are just running scanners and they’re just scanning wide ranges of websites, and if they find a vulnerability, exploit it.
Robert Abela 00:21:10 They don’t care if it’s a flower shop or a online business or in e-commerce. They just hack what they find. They just get a list of, okay, this website has a vulnerability, this has this vulnerability and this exploit it. So that’s why I believe that that’s yeah, a bit when you have a website, you don’t have to be a security guru, but you need to learn a bit about like at least the basics, the basic possibilities. And especially as a business. Business, I mean, you have all you have a wide range of of people with a wide range of skills. You are going to have different aspects. Let’s look at it as like we’re a software development company, but we have the technical people developers, but you also have people who take care of the stuff. Yeah. Or content, you know. So so they’re not necessarily into it especially they’re not into the IT security. So again, they don’t mean no harm but they’re not aware what what can happen by okay.
Robert Abela 00:22:07 Oh we’re traveling. Oh there’s a computer. There’s a computer in the hotel reception. Let’s check our email like you need you. It’s very important to, to at least, have some basic, very basic. You don’t need to outsource it, but at least some basic training. Some, I don’t know, maybe some employee manual where you have at least 10, 12, 15 best practices. Listen, please make sure that when you travel don’t connect here. Or if you or everyone or install a VPN on everyone’s computer. So when you travel, please make sure you switch on the VPN. You know, it’s just just just this basic stuff. And you’d be surprised. Just, of course, security can be very complex, but by just taking care of the very basics, like, I don’t like using secure password implementing 2FA, for example, using VPN when you’re traveling, keeping software up to date, just those four, you’re already like way ahead of of of the curve. You know, like already like pretty much. Secure, you know, kind of thing.
Michelle Frechette 00:23:02 And I’m constantly telling people, everybody does not have to be an admin. You could there’s reasons that we have different levels of access to our websites as well.
Robert Abela 00:23:11 That’s. Yeah. And I understand where it’s coming from. Yeah. I use my my first job, I used to be a systems engineer. And I used to be a system engineer for software company. So of course I had a lot of technical people as well. I also deal with a lot of technical people. That’s where I’ve learned most of the things I know, to be honest. But yes, like many people, Especially when there’s there’s a lot of pressure like, yeah, just as an admin because you know, like we don’t have time to say, okay, what permissions do you need. We try. Oh sorry. It doesn’t work. We don’t have time for that back and forth. So people are like okay, give me admin access. And then with that admin access.
Robert Abela 00:23:49 So yeah, it’s I agree 100% with you. Not everyone is. But I think it’s very important to invest, especially when you’re setting up the website when a new employee joins, when a new user joins, whatever, or you’re setting up a new role, it’s very important to spend a few minutes or a few hours to make sure, okay, we’re building a marketing team. They need this access. We see it with our own website. Sometimes you install a plugin, they need access to it, but they have to be admin. So you have I think custom roles for example, are in WordPress are extremely important. Extremely important because people.
Robert Abela 00:24:23 Yeah like we’re we’re lucky. Like WordPress is already good because it has a number of built-in roles. But of course there’s enough. But the fact that it supports this that feature like roles and privileges. It’s very great because. And there are plugins which you can use even for free. There are some very good ones. Free ones. Yeah. To to create custom roles and and give a.
Robert Abela 00:24:43 Yeah. There is this principle of least privilege where. So basically every user should have the least possible privileges. Nothing personal against that users. Just like that’s the safest way. Because even if something is hacked, if a user account is hacked, they can only go as much as, as as far as so many privileges there are, you know, they cannot go any further. So if they have this much privileges, you are still containing can containing the attack within that, that those privileges, you know. So it’s like even this is very important.
Michelle Frechette 00:25:15 That’s right. Even a cashier at a store handles money, but they don’t have the bank account information. So you have to right. I’m good with metaphors. I’m good with metaphors. We have, Brian Henry is in the comments. And I think you have, a number one fan here. So, Brian says, looking at your features mandate WordPress password reset on the first login. Very nice. Should be in core. Admin notices manager. I think I’m in love.
Michelle Frechette 00:25:39 And, also lovely onboarding. So you’ve got, some positive feedback there for sure from.
Robert Abela 00:25:47 Thanks. Yeah. Admin manager is a small it’s a small free plugin actually. It’s a small hobby of us between developers team. It basically manages the the admin notices you get on WordPress. But yeah, it’s just yeah.
Michelle Frechette 00:25:56 By the way. I did hit this part and I was like, I’m subscribing. So you have a new subscriber now from reading here. So tell us some of the other things that you that you found. So what are some of the findings from your survey.
Robert Abela 00:26:09 Yes, I just I think, one of one of the most interesting findings is that, yeah, 2FA is gaining more popularity. It’s I think year on year, we’ve seen it getting bigger and bigger, but clearly now, like, it’s kind of, it’s becoming maybe not more popular than, than the firewalls, but yeah, it is. It’s on the same level, like people are, are more aware of it, like everyone like kind of expects it.
Robert Abela 00:26:35 No one is no, no one is surprised. And more like, oh, I don’t want to have this code. You know, it’s everyone is kind of like used to it and accepts it’s part of the norm, you know.
Michelle Frechette 00:26:44 I mean you’ve got like almost 40%. So that’s actually quite a change from what we’ve seen in the past I think.
Robert Abela 00:26:51 Yes, yes. So yeah, no, it is becoming popular. And yeah. And as you said, like I think not just WordPress itself but everything like, yeah, online banking has become really popular. And all of these have some sort of 2FA have a biometric authentication. I think, companies like Google and Facebook really helps because they pushed a lot with, with these things like to have and now they’re pushing a lot with passkeys, which is again, it’s.
Robert Abela 00:27:17 An even. An easier step. The problem with Passkeys, of course, is when you have different devices and copy, but sure, we’ll get there as well. It’s not an issue.
Robert Abela 00:27:25 It’s more about, to be honest, the technology is there. It is just a question of like like everything is like how to present it to the user to make sure it’s easy to use.
Michelle Frechette 00:27:35 I logged into an app earlier today, which is the dot my doctor’s office, and I could set it up to do facial recognition through my phone. So unless you have my face, you’re not accessing that, right? So which is pretty cool.
Robert Abela 00:27:48 Nice. Yeah. That’s some sort of passkey technology as well. So it’s very it’s an interesting. Yeah. Yeah. The facial recognition. Yeah. Yes. Yeah. Password policies. It’s it’s nice to see actually that people are enforcing passwords because, many people think like if you have 2FA, you don’t need the password. I mean, you can do it an easier-ish password kind of thing. But I think the, the practice, like the fact that you are you get used to using, more difficult passwords is better because not every website you’re going to access, not every service you have access to has 2FA.
Robert Abela 00:28:24 So it’s very important to, yeah, to have some sort of password policies and you get used. And anyway nowadays it’s not difficult. You don’t have to write it down. You just use a password manager. So you have to remember one password. Most of today’s password managers, they like tasting between your computer online, your mobile, your other devices, your tablets. So there is no excuse, you know, like. And there are free ones, and the commercial ones, which are a bit better, like have more features and they’re still very affordable, you know, so, so there’s no excuse for not using like kind of like very strong passwords, you know, and they also help, you know, like one of the biggest problems with one of the biggest problems is very common. Like people sharing password like the same password for their email address. I don’t know, their, their local council accounts, their doctors offices or whatever. So at least by using, yeah, some sort of password manager, you avoid this problem as well, you know?
Michelle Frechette 00:29:22 Right. One of my biggest pains in the rear end. And yet I appreciate it so much. Is that at work, our email we have a forced password reset. After however many days it is 90 days or something like that. So you’re constantly it feels like constantly. Maybe it’s four times a year, right? But you feel like you’re constantly changing your password. But having those password managers, really helps in those cases so that you don’t have to think of a password. You can generate a password, save it, and then if you need to access it, you can.
Robert Abela 00:29:52 Exactly. Yeah. And especially password. Yeah. Especially if you have some strict policies on how long should the password be and what characters. Password managers are great because okay so just password you you specify how it needs to be this long. It needs to have special characters. You get it copy and paste it saves it and you’re done. You don’t have to hassle. So the process has become pretty much easy you know.
Michelle Frechette 00:30:13 Yeah, absolutely.
Robert Abela 00:30:15 The next one is auto updates. It’s yeah it’s interesting I mean it’s I, I personally how long I forgot when auto updates were introduced in WordPress. It’s been a few years now.
Michelle Frechette 00:30:25 I think. I think that, like two years, maybe?
Robert Abela 00:30:28 Yeah, it.
Michelle Frechette 00:30:28 Could be longer. Time is irrelevant.
Robert Abela 00:30:30 Yeah, but it’s good. I’m quite disappointed. Still 30%, to be honest. Especially, at least, like, the way I see it. Nowadays everyone have, everyone has a staging website. Not everyone, but the majority of people like even more web hosts. They have functionality out of the box functionality for staging websites. So it’s very easy to test. At least have have the auto updates, enabled on the staging websites. It was very important. Also, like we have an advantage because you can actually specify if you can, auto update minor updates and then of course, major updates of plugins and stuff and usually minor updates. I think most people are concerned about the updates because the website might crash or something.
Robert Abela 00:31:14 But, you know, there are sometimes these things happen. I mean, it’s software, that the end of the day. I’m we and almost every other vendor I speak to. We many people do a lot of testing before there is. But things can happen, you know, and but with minor updates usually is is pretty much safe because with minor updates you’re just bug fixes and small bits and bobs here and there. You know which major updates I will be a bit more, of course, cautious. That’s why there is a staging website installed on the staging website. Run some tests, make sure it works properly, and then of course update the live site. But but yeah, minor, minor and minor updates. Why not? And also like you can actually choose which plugins update yes or no. So like some plugins you can. It depends on the robot. Some plugins like okay typically display different different vendors and how often they update. So you can fine tune your updates policy and and and make it work for you you know.
Michelle Frechette 00:32:08 So and some of them will give you notifications and say before you click update make sure you’ve run a backup first. Right. So extra covers is one of those ones. So don’t auto update things that tell you that you absolutely have to backup first. Maybe set a reminder for yourself.
Robert Abela 00:32:21 Or I would. Yeah, I think by the backup is.
Robert Abela 00:32:26 It’s not seen as part of security by many people. But I see it as part maybe not of security, but it’s it’s a best practice. It’s a must have if you have a website for security or not. It’s a must have because it doesn’t just help in security. But as you’re saying, like auto updates. Listen, something went wrong. Restore the backup. Go back to the staging. Do something.
Michelle Frechette 00:32:45 Let’s roll it back.
Robert Abela 00:32:46 Yeah, yeah. But like, especially nowadays, most web hosts yeah they offer it out of the box. Or there are also a lot of online affordable online services. A lot of and most of them like maybe not real time, but they’re like hourly basis and stuff.
Robert Abela 00:33:03 So it’s pretty much safe. So I think backups are, are kind of like, not I mean, not nowadays. Many people are using that, but still, like we need we need to like to make it highlight how important they are. They’re very, very important. And they should.
Michelle Frechette 00:33:18 Be part of your process. If they’re not technically part of your, your security, they should at least be part of your process when you’re.
Robert Abela 00:33:25 Or not. They should be there because let’s face it, especially as the website, this happens to us, to ourselves as well. more people are working on the websites, you know, you get some, the editor is content you can easily fix. Maybe sometimes because it’s okay, it’s just retype something, but it’s not the first time. Oh, I enabled setting like last week. I don’t know what happened. Now it makes life much easier. It can save you a lot of headaches, you know?
Michelle Frechette 00:33:50 Absolutely. Yeah. Where does the buck stop?
Robert Abela 00:33:57 Yeah. This is quite interesting, actually.
Robert Abela 00:34:00 It’s interesting because, it really depends what type of business you are. Most probably. We don’t have much information on the actual businesses and how they replied, but we can clearly see that those who outsource usually have, less problems. And security issues, I think mainly because typically from what is just my assumption. But I’m presuming people who are not so technical, I don’t know a bakery, they have a small, small website, whatever. Most probably they don’t. They feel they don’t have the time and they don’t have the expertise to to maintain their website. So usually they outsource and in this case I think it’s always better to outsource because you have someone. Yeah who’s completely responsible for these things. So most probably because they a service typically manages or an agency they manage, I don’t know like hundreds or thousands of websites. Even it’s even better because they have much more experience than you. Okay, there’s this update which causes problems already on hundreds of websites.
Robert Abela 00:35:07 They have much more, not just the security point of view, but also the admin part. I think if you don’t have experience, if you not just WordPress, you know, I think if you don’t have experience managing a website, like when you outsource these things are. Yeah. You can save yourself a lot of headaches.
Robert Abela 00:35:23 I think. Sorry.
Michelle Frechette 00:35:25 Go ahead. Finish what you’re saying.
Robert Abela 00:35:26 Okay. I think one of the biggest problems of WordPress, WordPress is sold as not sold as is, is advertised as is very easy to setup, which is, quite frankly, it’s very easy to set up. But unfortunately, like people who have absolutely no experience what it takes to have a website like, okay, just setup, click, click, click and have a website, right. They don’t realize like.
Michelle Frechette 00:35:49 The maintenance.
Robert Abela 00:35:50 Maintenance and you have to keep it going, you know. So so and that’s why outsourcing sometimes works better you know.
Michelle Frechette 00:35:56 Yeah. When I was freelancing.
Michelle Frechette 00:35:57 So back before I started with Give WP and and Liquid Web, I, I would have customers come to me and apologize that they couldn’t build their own website. And first of all, well, I make money because you don’t build your own website, so don’t apologize. Right? But secondly, like I had an electrician that I built a website for and he was like, I feel bad that I, you know, I should have time. I should be able to figure this out myself. I said, I’ll tell you what, I won’t do my own electrical work and end up in the emergency room if you don’t build your own website.
Robert Abela 00:36:25 So yeah. And that’s exactly
Michelle Frechette: We have core competencies.
Robert Abela 00:36:32 Yeah. That’s what it’s exactly like. We’re in a way it’s like it’s advertised as easy to use. And I think for technical people it’s very easy to use. And it’s it’s so expandable, so flexible and there’s so many options. But yeah, just someone has a shop, a small shop, I don’t know, doing, selling some crafts, whatever.
Robert Abela 00:36:49 Oh, WordPress is easy to use. Let’s install it. But they don’t realize, I mean, it’s getting easier and easier, but still, like excluding the building the website process, but maintaining the website in terms of security, even like managing it backups, you know, web host it’s it’s still yeah, it’s there’s still a lot that needs to be learned, you know, so so not everyone the same as you said, like you don’t, install a new socket in your room just because. Yeah. Okay. This is why you need electrician. You know, and they say maybe.
Robert Abela 00:37:19 You can change a block or something, but you cannot install a whole room, you know, sockets all over the room and new wiring, you know. So and it’s the same with websites. Maybe you can easily install WordPress and go to the wizard, maybe install a team, change some text and some images. But that doesn’t make you exactly qualified to to to manage a website. You know, unless you you learn from your own experience, you get hacked, you learn, you get hacked.
Robert Abela 00:37:43 You know, it keeps it keeps going.
Michelle Frechette 00:37:46 Yeah. And then you decide you’re going into marketing and let other people build the websites.
Robert Abela 00:37:50 Exactly. Yeah, exactly. Yeah.
Michelle Frechette 00:37:52 At least that’s what I did.
Robert Abela 00:37:53 Let them do it for you. Yeah.
Michelle Frechette 00:37:56 Those who manage the WordPress security in-house are 22% more likely to have a breach recovery plan, which is also important, right?
Robert Abela 00:38:03 Yes, I, I think, again, that because those who manage the security in-house usually have a technical team or a technical business. So there this goes back to hand in hand to like training your team. So most, people who manage their own websites in-house, they have a technical team who typically have more awareness, more experience, and more knowhow of how things work. So obviously by nature, since most probably they have built websites themselves already maintain some of their websites, they know that a recovery plan is important, and that’s why it’s important. Going back to the bakery, okay, if they have a website, most probably it doesn’t even cross their mind that they need to have.
Robert Abela 00:38:42 They don’t even know what’s a recovery plan unless you experience them, you know. So yeah. So this is kind of like almost expected. You know but yeah. Again 22% is not very high to be honest. But yeah I think recovery plan back from my old days when I was an engineer. Is, is something one of those things that yes, we’ll do it one day and you know, it will never happen to us. That’s the thing. It’s it’s these things will never happen to us. And then once that happens, like, oops, in fact, most people we see.
Michelle Frechette 00:39:21 I don’t know if I just lost it or not. No. If you are watching.
Robert Abela: Hello.
Michelle Frechette: Sorry. One of us. One of us cut out. I was like, I don’t know if it’s me or you. Oh. You’re back. Yeah. We’re back. Yeah.
Robert Abela 00:39:40 Yeah. One of the biggest problems I’ve, I’ve, I’ve like, I used to do a lot of support in my previous, jobs.
Robert Abela 00:39:45 I was I still look at support emails. And one of the biggest problems we see always throughout my. I’ve been working in I.T. for 22 years and in security industry. Yeah. Like, people usually come wants to buy a solution and any security solution or whatever or service after they’ve been hacked. Not. And that’s the idea of like it never happens to us, but then they get hacked like, oh, we need this, we need this, we need that, you know? So yeah, again, training is very important actually.
Robert Abela 00:40:15 Ideally you should have the recovery plan, should have the security products, you should have the the policies, the best practices in place before you get after that, because that is way more expensive usually. And it costs not just financially even, you know, like operations time wise in general reputation. So ideally you should start working on those things before you get hacked.
Michelle Frechette 00:40:41 Absolutely. What else have we got here? Teamwork makes the dream work.
Robert Abela 00:40:47 It’s exactly what we’re talking about. Yeah. It’s just it’s just about the more knowledgeable people are your team. Your team are the people you work with who manage your website. It’s. Yeah, the better it is. Basically, because we’ve seen it like those who have trained people or technical people, they have recovery plan. They’ve been hacked less times or never hacked or maybe had just minor issues. They typically have auto updates enabled. They have backups in place, you know. So yeah. So just just and just teaching people even when they travel, you know, like I don’t know, share a small email before they travel. These small small things make a big difference.
Michelle Frechette 00:41:24 And 72% have reported at least one security breach. So it’s not infrequent that these things happen.
Robert Abela 00:41:32 No it’s not, it’s not I mean, considering how many apps, how many WordPress websites that are around the world, I mean, I would I wouldn’t be surprised. You know, it’s it’s it’s kind of expected, you know.
Michelle Frechette 00:41:43 Yeah, absolutely.
Robert Abela 00:41:44 Most probably it will go down with time, but it will always happen. I mean, there are always coming like, I’ve been in this in this for 20 years, but there are people who are coming in in the industry. There are people. So they’re still learning. And mostly like I’ve had in the past. They will have a hacked website. Their website will be hacked, they will learn something so it can happen. You know, it will happen. So it’s part of the learning process.
Michelle Frechette 00:42:09 So I like once bitten twice shy.
Michelle Frechette 00:42:13 If you’ve had a breach, what have you learned? You’ve learned to give. Put some security in place. Absolutely.
Robert Abela 00:42:19 And percentage of responders with a breach recovery plan because yeah once. Then once they get breached then they start investing. And exactly what we’re talking just a few minutes ago like ideally should invest before. But yeah, I mean I understand I mean, it’s easier said than done because I understand of course, business, especially when you’re a small business, and you have limited budget, limited time, even in terms of resources, time and and manpower.
Robert Abela 00:42:44 Yeah. You need to find the right balance between investing and growing to have a more stable business, you know, and, and security, like where where does the money go? You know, like like, should I spend more on a, on a firewall or like pay this premium subscription or, or maybe we should go for Google Ads or some AdWords tool to help bring in more sales. You know, so I understand it’s not easy, but yeah, hopefully, like, with more awareness, at least. and as I said, like with some basic best practices, you’ll be quite secure. So hopefully. Yeah, with some more basic awareness about basic best practices, we’ll see this. we’ll see more people.
Robert Abela 00:43:25 Not necessarily buying premium products just by just taking, making, taking some basic steps, implementing some basic security practices before. Yeah. Before they get hacked. You know.
Michelle Frechette 00:43:34 I think this is human nature. I think more people who have had a fire in their house now have fire extinguishers in their homes as well.
Michelle Frechette 00:43:40 Right? So you, you we learn the hard way. We’ve been broken into. So we put better we put better locks in our house or we’ve had a kitchen fire. So now we have, you know, fire extinguishers in our homes. So this is the same idea, like, oh, we got hacked. Now what do we do to make sure that doesn’t happen again?
Robert Abela 00:43:56 Exactly. Yeah, yeah, I’ve seen I’ve seen a lot like I do a lot of cycling as well. and yeah, I do a lot of mountain biking and stuff like the same with helmets. So it’s not. But once they, once they fall like, oh okay. Because you know, like you need a helmet. So yes, I think I think it’s human nature because I think we’re with that in everything, to be honest.
Michelle Frechette 00:44:14 But yeah, I agree. Absolutely. I think so, and I’m not sure how this applies entirely. But like, schools have fire drills for students, but more fires happen in the home that happened at school.
Michelle Frechette 00:44:29 And we don’t train children how to get out of their home if there’s a fire. So it’s it’s kind of like along the same way it’s all that somebody else is having. They’ll learn that someplace else. But you really have to bring it in home and in-house to your own team.
Robert Abela 00:44:42 Yeah, I agree, but again, it’s. The, the, the I think it’s the thought that it never happens to us. It’s always.
Michelle Frechette 00:44:46 Right. It’s always somebody else. It’s always somebody else. Yes.
Robert Abela 00:44:49 You see the news. It’s somewhere else, you know. In fact, I think some people it hits some people in the news when you hear, I don’t know of, of, of of something that happened in your community like, oh it’s like it can happen here as well. Only then it, it hits you like, oh okay. Yeah. If it’s in another country, another state. But they’re like okay. It’s it’s just there.
Michelle Frechette 00:45:08 It’s when it’s close to home. Yeah. Absolutely. Yeah.
Michelle Frechette 00:45:11 So so you have here the missing link between concerns and implemented measures. And what’s the outcome there.
Robert Abela 00:45:17 Yes. so so basically, it’s definitely we’ve we’ve come a long way. Things are improving as you said, like 2FA has become normalized. Security in general. People even like people who are not security, who are not technical, they’re also practicing some best practices and stuff like that. Have an idea of what’s a what’s the password manager, use strong passwords. But yeah, the missing link, it goes back to those two main points. Training. Training for people is very important. And implementing what they should as I said like people are aware like oh we should do this and this. I said I’m not blaming anyone, I’m just pointing fingers. It happens to us as well. We’ll do that. We’ll do that. But other things come in the way budget time. Where should we invest right now? The time and manpower and yeah, but definitely people are definitely more informed.
Robert Abela 00:46:13 But we need to start taking more action.
Michelle Frechette 00:46:15 Absolutely.
Robert Abela 00:46:17 Because we know much more now nowadays. But we’re still we improve overall, but we still can do more. So we know what we need to do. But it’s not. Not enough is being done.
Michelle Frechette 00:46:28 Yeah. And Melapress has has this whole all of this. I see Joel wrote this up for you. Has all of this on their website. Let me pull up my banners here. So if you want to look more in depth. So I know we just scrolled past everything really quickly, you can go to Melapress.com/WP-security-statistics. It is on the screen. It’s also in the chat and we will have it in the show notes as well. So that anybody who is, visiting the website for our website, Post Status for this will absolutely be able to click that and click through to that. What didn’t I ask you or what would you like to talk about that I haven’t brought up yet?
Robert Abela 00:47:05 Nothing specific, to be honest.
Robert Abela 00:47:09 I think yeah, exactly. What what what was highlighted in the survey. Like, I think training is very important. And yeah, trying to find time or resources to at least implement what you know, you don’t you and I, many people kind of like, now it’s changing. But whereas in the early days, I think like ten years ago had this, this, name of an insecure CMS, however, and as I said, like, it’s because it’s very easy to use. So people install it, they have no idea how to manage a website and they get hacked. But nowadays there’s there much more resources. There’s much more information. People are much more, are much more informed. So yeah, it’s just a question of like, yeah, sometimes it’s only takes in a day to set up the website a day just to get things going. I don’t know. Right. Prepare some reminders what you should check every so often, etc. Stop staging websites on the web host, make sure you have a backup.
Robert Abela 00:48:04 if it’s really critical. For example, you have your web host backups, but getting a third party online service. So at least not everything. Just in case something happens to that web post and you still have another point of failure. Not everything goes down one place. So yeah, that’s about it. Training people and taking action. Taking action is very important because people know much more nowadays. But we’re still yeah, finding it difficult. I understand why, but yeah we’re still finding it difficult to allocate resources to do what we need to do basically.
Michelle Frechette 00:48:36 Absolutely. Well, I know it’s very late where you are compared to where I am. It’s so it’s going on 5 p.m. here. I think it’s going at 11 maybe.
Robert Abela 00:48:43 Yes. 10 to 11. Yes.
Michelle Frechette 00:48:45 Yes. So I want to thank you, number one, for taking the time this evening, to share on our live stream here in the Post Status Happiness Hour. And, for sending me the information so that I could review it and say, hey, I think we should talk about this.
Michelle Frechette 00:48:58 I think that’s great. And it was really good to meet you. I think we probably our paths have probably crossed, but to have a conversation with you like this, it’s been very nice.
Robert Abela 00:49:04 Likewise. Thanks a lot for having me Michelle. And hopefully I’ll see you at some WordCamp.
Michelle Frechette 00:49:08 Absolutely. And for anybody listening, we will not have an episode, a show next week. Next week is, WP Accessibility Day, which starts and runs October 9th to 10th. So we are not going to interrupt that, which I’m an organizer for. So it’s most important for me. But in two weeks, we’re going to have Topher and Kate DeRosa here to celebrate ten years of Hero Press. Hard to believe Hero Press has been around for ten years already, but we’re going to have them here to talk about what they do with Hero Press. So thank you again, Robert. I appreciate you taking the time here. And for everybody who took the time to, to comment today and to be here to talk about security.
Michelle Frechette 00:49:44 And I hope that everybody that’s listening to this takes a look at their own security and maybe heightens their little, their resources a little bit and learns a little bit more on ways to make their own sites secure, but also those of their customers. So thank you so much, Robert, for being here.
Robert Abela 00:49:57 Thanks. Thanks, Michelle. Thanks.
Michelle Frechette 00:49:59 Yeah. We’ll see everybody in two weeks. Bye.