Website security is super fun, right? Yeah I don’t think so either.

If you’re like me, security is not naturally in the forefront of your mind when you’re designing and launching websites. But it is super, super, super duper important…

I found this out the hard way years ago when my work started getting hacked before I started my maintenance plan and taking security seriously.

So to help “peel the first few layers off the security onion,” I’m excited to bring on Dan Cook of RiskBuddi.com to the podcast who shares the basics of website security and the most important things you need to know in regards to keeping your website designs as safe and secure as possible to prevent hacks, breaches or other vulnerabilities.

I’m excited to help empower you with the basics of security in this chat but we’re only scratching the surface so if you’re ready for a more in-depth look at security, Dan is doing a live training in my web design club shortly after this episode’s release!

You can join the club and get access to this live or watch the replay at joshhall.co/coaching

For now, grab a lock and enjoy getting to know about some important vulnerabilities to help keep your websites safe!

In this episode:

00:00 – Introduction
03:19 – Greeting to Dan
05:49 – Accidental security
06:55 – Unintentional threats
08:10 – Domain vulnerabilities
09:44 – Holes in websites
12:04 – Using old tools
14:32 – 3 tier external backups
16:16 – Password issues
19:54 – Password management
24:53 – Limit users access on sites
26:05 – Plugin management
28:45 – Automatic updates or manual
30:00 – Other vulnerabilities
32:44 – Collecting data on forms
35:35 – Privacy & accessibility
37:58 – Selling the security onion
39:31 – Licenses
41:12 – Suggested tools
43:55 – Secure headers
48:32 – Doing a risk assessment
55:11 – Why security is needed

This Episode Sponsored by the Josh Hall Web Design Coaching Community


Episode #216 Full Transcription

[00:00:00] Josh: Hello friends. Welcome into the podcast. This is episode 216. Well, we are gonna take a deep dive into what I can only assume is your favorite aspect of web design. And of course, I’m talking about website security. Now in all seriousness, when I became a web designer, the last thing on my mind, unfortunately, was security, perhaps because I came from a design background and just kind of worked my way into web design. I was not developer first, so I didn’t really have a mind for what’s behind websites, like clients often don’t. They need help understanding that a website is not just a pretty design that’s flat on the internet; there is a lot behind it.

[00:00:46] Josh: And security, as we’ll hear in this episode, is a lot like an onion. There’s kind of multiple layers to it. And what I wanted to do specifically in this episode is scratch off the first couple layers of website security. So we’re gonna talk about the basics of website security. We’re gonna talk about the most known and most important vulnerabilities that you should be aware of as a web designer for your site, your clients and your business, so you reduce, uh, this scary L word called liabilities for your business.

[00:01:19] Josh: So for this episode, I’m so excited to bring on one of my web design students. This is Dan Cook, who I’ve got to know over, uh, quite a few months as a member in my web design club. And I got to know Dan as a solid entrepreneur, a great web designer, but I also found out that he knows a lot about website security. So I encouraged him to really take the lead in offering some more resources to kinda share what he knows about website security.

[00:01:45] Josh: And I’m excited because Dan has a brand new brand called RiskBuddi.com, and buddy is with an I. So I’d highly recommend you check that out after this episode. And we’ll have that linked in the show notes at joshhall.co/216. Uh, but Dan’s got a lot of great resources right now and ahead for you in regards to website security.

[00:02:06] Josh: And in this episode, we’re gonna cover the basics. We also, heads up, do get into some of the more intermediate and a couple advanced things when it comes to security. Um, some of you will love that; some of you might, like myself, be a little confused or daunted. We do cover a lot of links. So all those links and resources are gonna be at the show notes at joshhall.co/216.

[00:02:28] Josh: They’ll be available for you. My goal, and I think the goal of this episode, is to empower you with at least the basics and the most important things in regards to website security. So I’m really excited to hear how this helps you. And last thing I wanted to note: Dan is actually, if you’re listening to this when it comes out, gonna be doing a live training in my web design club, uh, that’s more visual and more in depth on security.

[00:02:52] Josh: And even if you don’t catch this before he does the training, you can watch the replay when you join my web design club. You can go to joshhall.co/coaching for more information on that to get access to the club. And you can watch this training live if you’re hearing this episode right now, or you can catch the replay if you’re hearing this later on. But for right now, here’s Dan. Let’s talk the basics of website security.

[00:03:19] Josh: Dan, welcome on to the podcast, man. Thanks for taking some time to chat today.

[00:03:25] Dan: Hey Josh. Great to finally be on here.

[00:03:27] Josh: It’s great to have you on, man. You’ve been in the web design club for a little while and it’s been really cool to get to know you and to see what you’ve done in your business. And I feel like over the past handful of months you made me aware that, uh, you actually have kind of this hidden gem of knowledge about website security.

[00:03:44] Josh: And it’s something that you have a lot of interest in. And I was like, dude, we need to explore that. And I think a lot of web designers are like me today, where website security is one of the last things we tend to think about. You know, in the grand scheme of all web design, if you’re not security minded, it can be like the last thing you think about, which is definitely the category that I fall into.

[00:04:05] Josh: So I’m so excited to pick your brain about this, man. Um, I’m kind of curious before we dive in, do you wanna let everyone know first off where you’re based out of, and then, um, I’m gonna ask you the same question I’ve been asking a lot of guests recently: when somebody asks you what you do, what do you tell them?

[00:04:20] Dan: Yeah, so I’m based in Buly in the UK, which is this small town near Birmingham. Um, so probably a couple of hours’ ride from London, cuz obviously it doesn’t take very long to travel around the UK. Um, my answer in a nutshell is I help people design and maintain their websites. Um, but obviously, through the club, I also help with a bit of security now as well.

[00:04:41] Josh: Yeah, it is, like I said, an untapped big need, uh, security. I mean, look, I will just, we’ll start this podcast out with a, uh, what do I even call it, it shows how non-security minded I am. Uh, and this is something I really, when I became a web design person and a web design business owner, had to get really serious about, but it’s not natural to me.

[00:05:05] Josh: And I’ll share this story, a little embarrassing, but it’s true. Years ago when I was younger, I was in a phone store, like a Verizon store, and I was waiting because my old phone was broken or something. I logged into my Facebook to check something on a phone there and then played around with it and I completely forgot to log out.

[00:05:25] Josh: So like my Facebook account was just open for whoever, and somebody thankfully was kind enough and decent enough to say, Hey, uh, do you know you logged into your Facebook and left it open? Uh, and then I changed the password and so on, but I say that to say security again is not like the natural thing for me. So what’s the most important thing to focus on for people like me who tend to think of security as like the last thing we end up thinking about?

[00:05:49] Dan: So I think what often gets overlooked is the people side of it. So in that case, the threat, sorry, in that case was actually an accidental threat. You know, you just left yourself logged in. It’s a bit like going out and leaving your door unlocked, you know, it happens. Um, so everyone always thinks, oh, hackers are gonna get in, but actually you can leave threats in place like that.

[00:06:13] Josh: Oh, that’s a good point.

[00:06:15] Dan: See, I definitely think the people side is something that’s well worth considering and thinking about, cuz it often gets overlooked. It’s very easy to think. Okay. Security. How can I approach that? Well, is there a plugin I could install? Yeah, there certainly is. But a plugin’s not gonna stop your end users having bad passwords.

[00:06:32] Josh: That’s a good point. I like that analogy of kind of leaving the door open, literally, for the threats to come in, which is probably unintentionally what a lot of web designers are doing, but especially on the client side of things when they have access to their website. Let’s just dive right into the website side of things, Dan. Like, what have you found are the unintentional threats like that, that are common?

[00:06:55] Dan: Yeah. So a good question. I’ve seen it a few times with domains. So I think we need to go back a step and think, what is security? So we’re trying to protect assets from harm. I don’t think there’s such a thing as a truly secure website. There’s always gonna be little holes, which are called vulnerabilities. Um, but yeah, the main thing that I’ve seen a few times on client sites is when they look after their own domains; sometimes they get a few emails saying it’s time to renew your domain, but they’ll forget to do it.

[00:07:24] Dan: And then the website goes down. Now, security, there’s three aspects of it. There’s confidentiality, which is, you know, some things we wanna keep secret. There’s integrity, which is, I’ve had some orders come through on ERs, I need the addresses to be saved properly, otherwise they’re not gonna receive things. But then there’s also availability.

[00:07:41] Dan: So if I’ve got a website, it needs to actually be live and accessible. And if your client forgets to renew their domain, your website’s gonna go down. And that’s something that you can’t control if you don’t manage their domain.

[00:07:52] Josh: Now, what would be the security vulnerabilities for a domain? Cuz there’s the onsite stuff, but then there’s actually, yeah, like domain registrants and things like that. Are those two things separate? Do you view like domain management and email as separate from, well obviously, probably, the actual website and the onsite vulnerabilities?

[00:08:10] Dan: Yeah. So it depends who manages it. Let’s say the client manages it in this case. Cuz I think a lot of people feel like they’ve gotta protect their domains, which is understandable. You know, if us, as a web designer manage their domains, we could always hold it back from them. That’s how a client sees it. Um, so you need to consider their login to their domain registrar.

[00:08:28] Dan: So let’s say they’ve bought the domain on, say, GoDaddy warranty, free edge, Amazon Web Services. Um, you’ve gotta consider what password they’ve got there. If they’ve used a really bad password and someone gets it, they can just pull down their website and their email.

[00:08:43] Josh: Yeah. That’s a good point. Even from like, I mean, that’s like the top level of everything without even drilling into the actual website, is, yeah, like where you are. So is that first lesson: where you’re hosting the domain name should be a good password and as secure as possible?

[00:08:59] Dan: Yeah. And two-factor authentication is a great control, if you can do that as well. So really encourage your clients to use a good password and two-factor authentication on there.

[00:09:07] Josh: Yeah, that’s good. And I’m sure for web designers it’s equally, or maybe more, important when you’re managing multiple domain names to have the utmost security you can on that top level, because yeah, look, like email could get hacked separately, a website could get hacked, but if you want to bring a whole presence down, it starts with the domain.

[00:09:24] Josh: So that’s, I didn’t think about it like that, but that’s like the top layer. Yeah. So that makes a lot of sense. What about the most common vulnerabilities on the actual website side of things, Dan? This is where we could probably spend eight hours talking about this, but what have you seen are like the most typical vulnerabilities for just websites, whether they’re WordPress or different platforms?

[00:09:44] Dan: Well, plugins are always the one that people talk about, because security’s easy to sell because, let’s keep our plugins up to date. But here’s one for you. Let’s say you’ve installed a plugin from a small company who’s decided they no longer wanna support the plugin anymore. So after, say, two years, they stop working on it; they stop updating it.

[00:10:04] Dan: There’s gonna be some vulnerabilities that get found at some point with that in the code. So let’s say they haven’t updated it for two years. It’s on your website. Someone finds a vulnerability and they can exploit it. Let’s say cross-site scripting, um, which is where you can inject nasty scripts into your website, um, which is how it gets redirected to dodgy websites and, you know, nasty things pop up, basically.

[00:10:27] Dan: Um, yeah, the issue there is there’s never gonna be an update for that if it’s not supported anymore. Gotcha. Whilst yes, updates are important, we should also be looking out for other actual vulnerabilities on our... Yeah. Are some of these plugins not maintained anymore?

[00:10:42] Josh: That is a biggie. I’m so glad you brought that up, because I do think particularly people early in their journeys may not realize that, yeah, even if you purchase a plugin or whether you get a free plugin, this is more common with free plugins. Yeah. Especially with free plugins, because there’s really no incentive for the person, unless they’re monetizing it, to keep going. I’m so glad you mentioned this, Dan, because this is like a 101 lesson with website security for web designers.

[00:11:09] Josh: Beware of free plugins because they will likely not be supported for that long. And if they are, they’re hopefully gonna have an upgrade or a premium account, that’s why it’s so worthwhile supporting people whose tools are used, because yeah, if you don’t support them, they’re not gonna be in business.

[00:11:23] Josh: And then you’re gonna have a dodgy plugin, as you mentioned. So that’s a great lesson, because they can go out of date. And then, I mean, what happens in that case? Like if a plugin is unsupported, I have famously used the plugin Velvet Blues for like URL, um, changes. If you need to replace old URLs with the new URLs, I don’t think that’s been updated in quite a few years.

[00:11:44] Josh: What I’ve done though, is I install it, use it and then take it off right away, so it doesn’t sit on my site, not updated. Yeah. Um, is that an okay practice? I mean, obviously I guess the ideal practice would be not to use it at all, but if it is something that is like so worthwhile and you’re just used to that tool, is that an okay practice?

[00:12:04] Dan: I suppose there’s two sides to that. There’s one, which is, what does it actually do? Cuz if it’s something like that, it might only be a few lines of code, so it’s probably quite hard to be vulnerable. I dunno, I haven’t looked at it, but there are some plugins that barely actually do anything under the surface.

[00:12:18] Dan: Mm-hmm, the chances of images using are quite low. But then the other side of it is, if you deactivate a plugin, its changes in the database might still be there. Um, if you delete it, any back doors it sort of introduces, not in the database, but in WordPress itself, if you delete the plugin, not deactivate it, that removes some of those vulnerabilities.

[00:12:41] Josh: Yeah. That makes sense. There is a big difference between deactivating something and then deleting, because deactivating means, yeah, it may not be active on the site, but it’s still there. Right? Like the plugin is still in your, in the case of WordPress, it’s still in your content folder. Um, oh, here’s a detailed question.

[00:12:57] Josh: I don’t wanna take us too far in the weeds right away, but I’m curious about this. Let’s say I’m backing up my website every week. And the previous update had a bad plugin. It was deactivated, but I didn’t delete it. And then in the new update, I do delete that plugin, but that plugin, the old version, will still be in like an old backup of my site that could be stored on my server. Is that still a vulnerability? Basically, if you’re backing up outdated plugins, uh, even if you delete ’em in future, would that still be a vulnerability?

[00:13:29] Dan: No, you should be okay, because it’s not like that’s running live on your web server. It shouldn’t be accessible by anyone else. One thing that is worth mentioning with backups is to not back up onto the server that your site lives on. Reason being, I’ve just picked up a client who lost a 300-page website because the backups were running on the same server as the website itself. So when a hosting issue came up with that, everything was gone. Irrecoverable.

[00:13:53] Josh: Mm. Yeah.

[00:13:55] Dan: Whereas if it was backed up to another server, for example Amazon Web Services or Google Drive, even, um, or it’s stored on an old-fashioned pen drive, you know, a USB stick.

[00:14:04] Josh: Yep.

[00:14:05] Dan: That wouldn’t have happened.

[00:14:05] Josh: What a valuable lesson. I mean, I’ve always said in the case of backups, two is one and one is none. So yeah. If you’re storing all of your backups on your hosting server or whatever, and that goes down, case in point, that’s what happens. Uh, what are you using for backups right now, Dan? Uh, I love ManageWP’s external backups, but unfortunately they, uh, stopped doing that feature. Um, but UpdraftPlus is a great option. What are you using for external backups?

[00:14:32] Dan: So there’s two sides to that as well. I like the idea of server-level backups, so not using a plugin if you can avoid it. So I currently use a system called SpinupWP for hosting, and that allows me to manage, um, servers that I actually rent off digital solution. So it’s just like a third-party tool that helps me sort of maintain my servers. Okay. And that allows me to do automatic daily backups to another cloud provider.

[00:14:58] Dan: So in my case, they go to Amazon Web Services, into S3 buckets. Um, but then there’s also, in the IT world, this thing called the 3-2-1 backup strategy. And within that, it’s just a principle. It’s like, well, it’s a strategy. So you wanna have three copies of every bit of data. Your live site is one of them. Um, your daily backup to another cloud is another, but then you also want a copy on another form of media, you know, an external hard drive or something.

[00:15:26] Josh: Yeah, so three levels. I like that. That’s probably the best way to go, outside of even two different levels, instead of just having server side and then an external side. Um, I guess in a way I had three with my agency. I always had the ManageWP backups, and then we would do, uh, the external backups, at that time to Dropbox, but you could use Drive or whatever, and server.

[00:15:48] Josh: So it was like the three different levels. Yeah. Um, yeah, so that makes a lot of sense. I love, man, the backup thing is crucial. I mean, I figured we would talk about backups at some point here, because yeah, it’s the backup in case your security is vulnerable. But getting back to some of the vulnerabilities on the websites, probably everyone’s top-of-mind thought is passwords. So yeah, I probably don’t even need to ask this, but like, what have you seen with the problems with passwords from the client side and web design side?

[00:16:16] Dan: Well, again, this goes back to people. You can have all the best systems in the world, but if someone’s got “password” as a password, or “I love GoDaddy”, you know, these are all common passwords that are on lists that get attempted daily on your site. I recently installed a plugin that shows me who’s trying to get in through the login form, and there’s thousands of attempts every day with just random passwords.

[00:16:41] Josh: so random passwords. So there are lists out there of like common passwords that are getting targeted and archived somehow.

[00:16:49] Dan: Yeah. So when a hosting setup gets breached, one of the main things they wanna steal is the, uh, password list. Now what should be in place is some proper password storage. So they should be stored in an encrypted form, so hashed and salted, for example, so that you can’t reverse it. So the way hashing works is you take your password, for example “one two three go”, you pass it through this algorithm called a hash, and you add a bit of random stuff in it called a salt as well. That gets stored as gobbledygook in your database.

[00:17:25] Dan: There’s no way of reverting it back to the password. So it’s a one-way function, a bit like in maths, when you had the little function box and you put one thing in it and something else comes out; it’s a one-way function. So only the person who types in the right password can get a match, cuz then you’ll get two gobbledygook sentences that match. And that shows that you’ve got the password.

[00:17:44] Josh: Right. Gotcha. That’s interesting. What’s your favorite, uh, password platform right now, or tool?

[00:17:51] Dan: So I don’t like recommending these, because I can’t trust any of them fully. Um, I personally use something called KeePass, which runs locally on my laptop, uh, spelt K-E-E-Pass. Um, I don’t quite like the idea of having ’em all sat in the cloud. I just, some of these big companies have had a bit of a history.

[00:18:11] Josh: Well, LastPass, unfortunately, which is who I use, just had a breach recently. Yeah. I just got a notification that they had some sort of breach, and I don’t know if they only email people who were compromised. I haven’t had an issue. Knock on wood. Yeah. Um, but yeah, it’s like, those can get breached.

[00:18:28] Dan: I tell you as their first as well.

[00:18:29] Josh: Yeah. All right. Now I’m switching. All right. I knew I was gonna be either getting into some new tools or switching some things around. So, uh, what about some of the other ones, like 1Password or some of the others that are, uh, shoot, what’s the other biggie? There’s LastPass, 1Password and then, uh, I’m trying to remember.

[00:18:50] Dan: There’s quite a few of them. I mean, Apple do their own one. Google Chrome has its own one in the browser. Um, I mean, passwords are just annoying really, aren’t they? Because you’re best off having a separate one for each website. Yeah. I mean, how are you ever gonna remember them all? You do need a tool like that. Dashlane.

[00:19:07] Josh: That’s what I was just thinking about. I just did a quick Google; Dashlane is the other one that I tried out. I didn’t love the interface. Um, but yeah, I mean, these are all just like you said in the beginning, Dan, like you can’t technically have a 100% secure website, and I don’t think they claim to be that either. No one can technically, cuz there’s always somebody who could find a way in, but that’s, yeah, that’s the danger of some of these, isn’t it?

[00:19:29] Dan: And let’s face it, someone who manages passwords is a great target for an attacker. Mm. You know, a church website is probably less of an interesting target, but something with all those passwords.

[00:19:42] Josh: That’s a really good point. Okay. Well, great, now we’re terrified. So what’s the best option, in your mind, for password management? And then maybe we’ll talk about some onsite stuff.

[00:19:54] Dan: I suppose it is using a password manager; try and find one that you can trust. I mean, for me, it’s KeePass, um, because it runs locally and it’s open source.

[00:20:03] Josh: Okay. Okay. So it’s open source and local. Is that for Windows and Mac, or does it matter?

[00:20:06] Dan: Yeah. Yeah, you can get it. I think I use something called MacPass, which is like an abstraction of it. Okay. But something that’s more important is using two-factor authentication where possible. So what that effectively means is you’ve got two different factors, um, to authenticate you, which is obviously in the name.

[00:20:28] Dan: But what I’m trying to get at is it’s not just having two passwords. So you have two, you have, for example, something, you know, which is your password. And it’s something you possess, which is your phone, which can give you a code. Um, and that is a one time code as well.

[00:20:44] Josh: So, and that’s really important. Like in this case, if you’re using a local password manager, if your laptop gets stolen, they could potentially have access to all your passwords, unless that is logged in with the two-factor authentication, right?

[00:21:02] Dan: Yeah. I mean, I don’t think you can use it with KeePass currently, but there’s a master password on that, and it’s an encrypted file as well. So without the master password (gotcha) you can’t get in, basically.

[00:21:13] Josh: Okay. Gotcha. Now obviously the actual passwords themselves for websites is key too. Like “I love GoDaddy” or “1234”, some of these, you know, common, probably super easy targeted passwords. Um, do you have a favorite password-generating site?

[00:21:31] Dan: No. Um, I actually prefer stringing together lots of random words to make, you know, say four or five words together as a password. Reason being, then, if you have to give a password to somebody through verbal communication, say on the phone, at least then you’re not reading out 10 random letters, numbers, characters. Um, there’s plenty of entropy in that as well, because, you know, it’s four or five random words. It’s not “I love GoDaddy”, by the way. It’s, you know? Oh yeah. I dunno.

[00:22:01] Josh: What about the passwords that require a number and a, you know, exclamation point or something like that? Or any sort of figure?

[00:22:09] Dan: Yeah. And they’re all just trying to make sure you’re not using a bad password, but the problem is when it starts getting into random letters and numbers, it’s very hard to remember, obviously, unless you’re using a password manager.

[00:22:18] Josh: Mm-hmm, oh, totally. My gosh. I mean, at the height of the agency, I think I was managing, oh, hundreds, maybe even well over a thousand between like all the websites, all the tools, all their other stuff. I mean, that’s why LastPass was key for me personally. Yeah. Um, yeah. To be able to manage all of it.

[00:22:37] Dan: Yeah. And I suppose if you’re using a password manager, it generates it for you anyway. Mm-hmm, so I’d probably just go with what that provides.

[00:22:44] Josh: That’s cool. What about, is there, I’ve seen a bunch of different thoughts and, I guess, opinions on like the perfect amount of password letters or numbers. I’ve heard like 11 is a strong password. Is that true? Or what are your thoughts on that?

[00:23:00] Dan: Yeah, it’s down to entropy, which is how long it takes to brute force it, effectively. So the more the better, really. That’s why I got annoyed when, I think it was Microsoft, had a limit of 16. I wanted to go longer than 16, and I couldn’t because they just had some silly limit in place.

[00:23:15] Josh: Gotcha. So the longer the better; that’s an easy lesson to remember. Yeah. Again, I don’t know, I forget who said like 11 seems to be a trusted amount of figures for a password, but.

[00:23:33] Dan: I mean, some password managers set their own defaults, I think, but you can normally override it as well. And if you don’t have to look at the password, you might as well make it as long as you can get away with.

[00:23:41] Josh: Gotcha. So that’s on our end as web designers, but bringing the client in here for projects, that’s interesting, right? Yeah. Like we can empower them as much as possible, but what I’m gathering so far is kind of what I feel like you’ve been hinting at, that no matter what security system, for example, you have on your house, you can have the top-notch stuff, but if you forget to turn it on and keep your door unlocked, then you are susceptible. It’s kinda like that with clients, right? Yeah.

[00:24:07] Dan: Especially if you give admin, when all they’re gonna do is upload a blog post. Right? So, ’cause it’s very easy to give full access because it solves your headaches as a designer. You know, there’s no questions at all, I can’t do this, I can’t do

[00:24:18] Josh: that. There’s a great lesson, especially for folks early on: give your clients like editor access or moderator, whatever the term is, that doesn’t give them complete full access. Now they could still, if they wanna move on from you at any point in the future,

[00:24:32] Josh: they could; you could have in your agreement that they will get access to their entire website if they, you know, for whatever reason, move on. But for right now, don’t give them full access, because yeah, that can be absolutely detrimental, especially if they start changing passwords and/or adding new users, right? Like adding new users as admins with terrible passwords. What if

[00:24:53] Dan: they insist on having an admin account, which some might do, you know, they want full control, suggest having two accounts, you know, one that they use day to day for logging in and adding blog posts and then admin for when they really actually need it.

[00:25:05] Josh: Oh, okay. That’s cool. Yeah. I could see that being tricky for clients to remember, but I guess if you were to stress the security end of it, maybe that would help them realize, like, this is why, because admin accounts are much more susceptible to being hacked if you don’t protect them. Yeah. Yeah. I like that.

[00:25:22] Josh: So there’s the passwords. There’s the plugins; there’s active versus, uh, deactivated and then, obviously, deleted, ideally. What about the plugins where, like, it comes out that there is a vulnerability and there is an option to patch it, to do an upgrade? I mean, this is the importance of, well, I mean, you’re in the web design club, this is something that’s brought up often.

[00:25:45] Josh: It’s like, Hey, we found a, you know, a vulnerability in one of these plugins, everyone using it, make sure you update. Um, where’s the importance of that and how much time, I guess, probably the sooner the better, but how much... I guess my question would be like, how much time is there typically between somebody finding a vulnerability and needing to update that before something could potentially happen?

[00:26:05] Dan: Yeah. So that’s called a zero-day vulnerability. What that effectively means is you’ve got zero days to fix the thing. Um, so let’s say an attacker finds a little issue in an image optimization plugin. Well, if they’re a good hacker, you can get ethical hackers, which are people who try and break it to report it and, you know, do the right thing.

[00:26:24] Dan: Um, but let’s say it’s a bad guy. He’s found a problem in it. Okay. He can start exploiting it on any website that has that plugin. And no one knows about the issue. It’s not a known vulnerability at this point, not known now. As soon as that development team finds out about it, they’ve technically got zero days to fix it, hence the name.

[00:26:42] Dan: Then you just get a fix out as soon as possible. Obviously in WordPress, if you haven’t got automatic updates enabled, which is another interesting topic, um, you’ve gotta get in there and patch it yourself,

[00:26:54] Josh: or what would be the plan B for that? Would it be to roll back to a backup from before the vulnerability and then just update it, or what would be the best course of action there?

[00:27:05] Dan: Well, it depends. If you know about a vulnerability and there’s no updates, you’re probably better off deleting the plugin itself. Mm. Um, and you probably need to consider that with your clients and your care plans. You know, what happens if this is a key plugin and it’s vulnerable, how do we move forwards? Um, cuz you don’t wanna be spending two or three days rebuilding something, right? With

[00:27:25] Josh: different, right? Yeah. With a different plugin. Exactly. Okay. So yeah, that makes sense. Uh, you mentioned it, Dan, let’s dive into automatic updates. Now I personally have had a couple really bad experiences with automatic updates, particularly if things don’t play nicely together, if there’s a lot of different plugins at play, I mean, in an ideal world, it sounds amazing.

[00:27:45] Josh: Yeah. It sounds great that, yeah, just everything updates automatically. And I’ve found, as long as you’re using good tools that are known to work well together, and they’re typically premium, that typically isn’t an issue. But of course, there’s gonna be times where you need to do a little bit of testing, especially if you’re running like a WooCommerce or e-commerce shop and there’s a bunch of different tools at play. So yeah. What’s your thoughts on automatic? Yeah, hit me with your thoughts.

[00:28:11] Dan: So some of the premium plugins these days allow you to choose what, um, updates you want. You know, they allow you to say none. Or some of them have a third option, which is really useful, which is security ones only. Cause some updates might be aesthetic things or extra features that they’ve implemented, which funnily enough could bring in extra vulnerabilities, cuz that’s just development for you.

[00:28:35] Dan: So yeah, it is a tricky one, isn’t it? Especially when you’ve got caching as well. Cuz if your cache doesn’t get cleared when an update happens, stuff starts to just break. Right. Um, it’s a hard one to answer, really. Really, it’s just getting things up to date as soon as possible, especially if it’s a security issue.

[00:28:55] Josh: Yeah, that’s what I’ve talked about in my maintenance plan course, is that you wanna have weekly, regular plugin updates and then ideally daily checks or at least scans. Um, yeah. And then be in as many places as you feel comfortable being in, as far as forums or communities where people use the same tools you use, and then you’re gonna generally get to know pretty quickly.

[00:29:16] Josh: I mean, sometimes you’ll hear about stuff in like a Facebook group before the company sends out an official email. Yeah. Uh, so it’s like, oh shoot, yeah, update this or roll that back right now, kind of thing. Yeah. Yeah. So that definitely makes a lot of sense. I feel like plugins, security, backups. What are the other security vulnerabilities in websites?

[00:29:39] Josh: Um, actually here, before we get to that, Dan, I’m kind of curious. What about, so like my site has a lot of users on it, a ton of users, thousands of them on it. So I don’t even know if I wanna ask this question, but what’s the vulnerabilities of like those people creating their accounts and passwords? Or because they are in a customer role in the site, is it that much of a vulnerability? To me

[00:30:00] Dan: it’s probably not a massive one to you. It depends on what plugins you’ve got and how they can interact with your website. So you were about to say, what other sort of vulnerabilities can you get in a website? A big one is user input. Um, and that’s got multiple parts to it, but plugins should sanitize your data when it’s uploaded.

[00:30:19] Dan: So let’s say you’ve got a comments box on a blog post. I shouldn’t be able to inject nasty code in, in theory. Mm. But some plugins don’t properly sanitize data and that’s how you get cross site scripting and that sort of attack. Um, so it depends on whether you accept user data. If you’re using forms, for example, but allowing me to upload files, perhaps you should limit what sort of files I can upload, because with Word, Excel, PowerPoint files, et cetera, I can do macro attacks where I can open calculators and all sorts on your computer.

[00:30:54] Josh: That’s interesting. I never even thought about that. Of course my mind is racing with the forms that I have on my current site right now. Typically it’s mainly just pictures. Like I’m thinking about like my podcast guest form. Yeah. Yeah. Which is, I think you’ve filled out by this point. Uh, yeah. Only accepts JPEGs, PNGs. I think that’s it. So yeah. Yeah. You can’t even send over a PDF or a doc or an Excel file or anything.

[00:31:19] Josh: However, that’s really common, my gosh, depending on how people are collecting content. I guess that’s a great heads up and maybe a reason why you’d wanna use like Content Snare or something that’s built for that kind of thing. That way you’re not potentially opening yourself up to, yeah, taking in a form that could have any sort of, would that be malware? Forgive my ignorance, but what would be malicious that people would send over? Like what is that? I don’t even know what that would be called.

[00:31:44] Dan: So in some cases you can actually do what’s called a MIME sniffing attack. This is quite a technical thing, but let’s say I’ve got a PHP file, and PHP is what WordPress is built under. So you could put in some nasty code that makes your website do stuff it’s not supposed to. That’s called malicious code. Now, if I upload a file called, I dunno, image.jpg, you’d assume it’s an image, right?

[00:32:11] Dan: But I could have just changed a PHP file to an image name. Gotcha. Now, if I upload that and open it in an old version of Internet Explorer, Internet Explorer tries to be clever and goes, you told me that’s an image, but I can see it’s actually PHP. So I’m gonna give you the PHP side of it, and then bad stuff happens.

[00:32:28] Josh: I see. Gosh, that’s terrifying. This is terrifying. So, uh, I’m trying to keep this like stripped down to some recommendations to help folks as well. Yeah. Including myself. So limit file acceptance, right? Like limit what type of files you could take in,

[00:32:44] Dan: Limit what files you’re taking in, and with contact forms, at least the ones I’ve looked at, including premium ones, be really careful what data you collect on people. Just assume it could become public at some point. Yeah. Um, so don’t go collecting sensitive things or confidential things on WordPress forms.

[00:33:02] Josh: So what about, what would be the next level back from that, particularly when it comes to like collecting content and sensitive data for clients? I mean, I don’t think there’s any reason why web designers would need like a social security number or anything like that. Yeah, exactly. Or, yeah, even like an EIN or any sort of business number, but what would be the next level back? Just choosing a platform that is built for, like, yeah, exactly, sensitive, some sort of sensitive document?

[00:33:28] Dan: I mean, heck, even paper-based in that form might be better than, certainly than putting it on a WordPress website. Yeah. Uh, I just think it’s a good approach to take, if you just assume that anything that goes on there could become public at some point. You know, let’s say a host is a bit dodgy.

[00:33:45] Dan: Um, I’m not gonna name any names here, but I’m sure you’ve got someone in mind. Um, let’s say they managed to get in the database. That’s all unencrypted stuff. Gotcha. So if you’ve got a coach or therapist site and they’ve got massive forms full of sensitive data, that can all just be read in your database without a key or anything.

[00:34:04] Josh: Yeah. Cause it’s easy to forget that if somebody fills out a form that we have set up, you might think about it for a few days, but that info stays on your site until it is potentially deleted as an entry or something. So yeah, you do that over years, you could have a lot of sensitive data on there, which is very, very vulnerable. And there’s probably a lot of liabilities with that too, if you were to get hacked and then a bunch of emails or just sensitive info gets out. Right.

[00:34:29] Dan: The context matters as well. So some websites, for example, a web design club or your website, um, we’re probably less likely to fall victim to the social engineering attack. Say somebody got my contact number from your website for some reason and phoned me. Okay. That’s not Josh calling me. Go away. Ah, yeah. But let’s say it’s a charity dealing with some vulnerable people. Um, and then their phone numbers get leaked. Like, I say, hello, I’m here from charity X. Um, I’m looking to help you with this, and they’d probably just fall victim to it. Gotcha. The context of what the data’s relevant to is sort of important there

[00:35:09] Josh: as well. That’s a good point. Well, I’ll tell you this. We sold our house earlier this year and I don’t, I mean, I got so many calls. I don’t know how those real estate networks work, but my God. Yeah. I don’t know if something was leaked or that’s just the way it is in real estate, that once a property goes out, uh, they find your number and you get hit up like left and right.

[00:35:27] Dan: I mean, that’s what these sort of privacy laws like GDPR, et cetera, are trying to help with, but I don’t think anyone’s fully GDPR compliant, et cetera.

[00:35:35] Josh: Well, I was just thinking, it reminds me a lot of both privacy, like security reminds me a lot of privacy and accessibility. Those are two topics. Yeah. I don’t have, like, unfortunately I just, I need to dive into this, especially for my audience as a whole. I want to try to empower everyone with all the options and make sense of all this stuff.

[00:35:56] Josh: It reminds me so much of those two things. Hans and Donata and everyone at, um, Termageddon have told me the same thing. You’re never gonna be like 100% privacy compliant. Like there’s always, there’s updates and things are changing, which is why I love that tool, because it’s an automated privacy policy.

[00:36:14] Josh: But the same thing with accessibility, those in the accessibility world I’ve talked to said the same thing. You’re never gonna have a 100% accessible website. Same thing with security. Like you do the best you can to get to as much. I mean, I guess that’s the way we need to frame it to clients too, right? Like we do our best, we keep up on things, and we’re gonna, you know, I don’t know if anyone is going to make a hundred percent guarantee, but yes, definitely. No,

[00:36:39] Dan: I would never say that. And I’d also say there’s always room to make a bit of money in security as well. You know, if you find out about a new control and you sort of risk assess the client’s site and think that would be really useful to them, there’s no harm in mentioning it to them.

[00:36:53] Josh: Good point, and look, quite honestly, that’s when I started my maintenance plan and my security, I called it my maintenance and security plan, because I had sites getting hacked, and my site got hacked while I was on my honeymoon. Like I had terrible experiences with security, probably because I’m not super security minded and I didn’t have all the measures in place in the first place, but still, uh, that really became a big thing for me.

[00:37:15] Josh: And then, yeah, I mean, I don’t wanna say I capitalized on it, but I certainly was like, I wanna offer security, and this is a value add, this is a product I’m gonna do. And it was one of the major things that led me to start my maintenance and security plan. So you’re 100% right, Dan. Like a lot of this stuff probably seems overwhelming, but you can make a service out of it or add it to your packages and charge for it.

[00:37:39] Josh: And clients hear. I’m kind of curious, how do you sell security? Because, uh, I talk about this in my maintenance plan course, but I wanna hear it from your perspective. Like clients who are specifically not security minded, they’re not gonna understand any of this. So how do we frame it to them and help sell them from the ground up or even ongoing?

[00:37:58] Dan: Um, I normally use an analogy, sorry, the analogy of an onion. So an onion’s got loads of layers, and that’s how you wanna approach security. So the main thing you’re trying to protect in that center is the data. And you just can have loads of layers of controls, you know, that could be some extra plugins that help enhance your security, could be hardening your hosting set up a bit more, you know, using a better host is a good one for that as well. Um, that’s very important. Do,

[00:38:23] Josh: uh, do CDNs like CloudFlare, any of these, do those help with security at all? Or is that unrelated?

[00:38:29] Dan: Yeah. So security, one part of that is the availability of your site. So especially in the case of an eCommerce site or political site or something like that, denial of service attacks are where people try and pull down your site by hitting the server too many times. That can also happen with the DNS as well, which is what serves your website through the domain.

[00:38:50] Dan: So services like CloudFlare and general CDNs help with availability. So it helps you become a bit more resilient to denial of service attacks.

[00:39:02] Josh: That makes sense. And are there any other vulnerabilities that maybe are like onsite related that we haven’t glanced over to this point, Dan? I mean, we talk passwords, we talk plugins, obviously themes and the actual, you know, builders and the tools, the same thing. Like that’s why I update Divi as long as I feel comfortable, particularly if it’s a smaller update. If it’s a bigger update, I’ll wait to see if there’s any bugs that need patched and then update that. Um, I don’t know, any thoughts on that, or is there anything else on the on site side of things?

[00:39:31] Dan: Yeah, one that would be very easy to glance over is your licenses. So let’s say you’re taking out a premium license for a plugin, but you decide either you don’t want it anymore, or you just forgot to renew it. Well, say you’ve missed a few emails, you know, you’ve got a busy inbox. Well, you’re no longer getting updates for that premium plugin, if they don’t allow you to update when you haven’t got a valid license.

[00:39:53] Josh: Ah, I see. Oh, that’s a great, uh, great heads up on that. Yeah. Cuz yeah, you could potentially, depending on their automations, if you have like 30 days to renew and you don’t renew and then it goes away, you’re on your own completely, unless you manually or intentionally look up, uh, updates or, you know, remember your renewal,

[00:40:13] Dan: but you might not be able to update it. You know, you might be stuck at the version that you got to until your payment expired, and they won’t give you those future versions.

[00:40:21] Josh: That’s good. That’s a great point. So themes, anything else on site?

[00:40:27] Dan: I’d probably say it is a constantly changing landscape, really. So, you know, what we could say in this conversation today, it could change in a month, a year, two, three years. I mean, you didn’t used to get automatic updates for WordPress unless you used a third-party plugin. So that’s something that has changed, and, you know, it is improving for the small sites. Obviously it’s a pain point for eCommerce and the bigger sites that are more complex.

[00:40:53] Josh: Yeah. Speaking of that, speaking of WordPress theme and plugin management, what tools are you comfortable with? Uh, I like ManageWP. I’ve used that since 2016. Uh, but do you have any tools for updates, backups, anything like that, other than what you’ve already talked about?

[00:41:12] Dan: Um, so I like having something that looks for vulnerabilities in my plugins. Um, but I also, then I use this thing called SpinupWP to manage my server, and that allows me to do backups and, um, updates through that.

[00:41:24] Josh: Okay. You can do updates through that too.

[00:41:26] Dan: Yeah, I do my updates through that. It’ll take a backup when I do it, and then it’ll clear the CDN after, sorry, the cache. Very cool. Um, my issue with ManageWP is it has admin access to every website, right? So if your account gets breached or something goes wrong with ManageWP, they’ve got admin to all your websites that are managed through it. So I’m a bit wary of it.

[00:41:50] Josh: Gotcha. Yeah, no, that makes sense. That thought crossed my mind back then, for sure. That’s one reason. Uh, we do have, well, um, with the agency, like we have multiple two-factor, uh, and actually Eric just recently, it’s funny, just recently, uh, requested that on my end for those sites, that I turned that on for myself as well, just to make sure everyone has two factor identification before logging in, because yeah, that ManageWP.

[00:42:15] Josh: I love that from the web design aspect, cause I don’t need to remember passwords. I can just go in there, go to the site, and we’re off. Um, but yeah, I guess one lesson I’m kind of pulling from this is that if things are super easy from a user perspective, it’s probably more vulnerable, so

[00:42:32] Dan: two-factor authentication’s a great example. It makes life a lot more tricky to log in, but it does make it a lot more secure.

[00:42:38] Josh: Do you think we’re ever gonna find a happy medium to where things are super secure and not such a pain in the ass, I imagine?

[00:42:43] Dan: Yeah. Yeah. Um, passwords are hopefully gonna be a thing of the past in the future. Mm.

[00:42:49] Josh: What would, like, Touch? I like Touch ID and stuff.

[00:42:51] Dan: Well, also just passwordless logins, one time passwords. So you might have noticed things like Airbnb have an option to just log in through a code: you type in your email and it’ll send you a code. Cause the thing is, if you’ve got a password to a website, you can always just click reset password and you’ll get a sign-in link to set a new password. So why don’t we just remove the password and send the sign-in link with a one time code or something?

[00:43:16] Josh: I know, that is nice. Like we’re recording this on Riverside right now, which I just started using, and I can just log in as long as I’m logged in through my Gmail, which, uh, is through my Google Workspace. That’s how I get in. That’s how I get into this. I don’t even need to go through email and a password. Yeah.

[00:43:32] Dan: That’s a good one, which is just nice things to, you know, you still got security there, but it’s just a bit easier to work

[00:43:37] Josh: with. And I love your analogy of the onion, uh, how it’s like, well, I mean, I feel like we’re glancing over the top few layers. What’s, uh, I don’t know how deep we want to go into this, cuz I’ll probably get confused, but what are the deep levels of security past everything we’ve talked about, tribute from websites?

[00:43:55] Dan: So something that I’ve looked at, the sort of key security plugins and guides and stuff online, nothing seems to mention security HTTP headers. And I dunno why. So these are something we don’t

[00:44:09] Josh: have to name the company, but is that what you showed me recently in the web design club? When, how you were able to, like, uh, just for everyone’s reference, Dan, you’re a good hacker. You’re a good guy. So, but Dan basically showed me like how he could break into a couple of these, uh, really well known tools, uh, yeah, with this header kind of thing. Yeah.

[00:44:26] Dan: So these days browsers are trying to help you out. They’re trying to help secure your experience on the web, but they’re only gonna do that in some cases if you tell them what to do. So there is these things called security headers, which allow you to tell the browser, don’t allow cross site scripting.

[00:44:45] Dan: If you can detect it, only serve a page in HTTPS, use an SSL, don’t allow HTTP anymore. Um, don’t allow clickjacking, which is what me and Josh were just talking about. Um, and also have a content security policy. This is all very, you know, technical stuff with controls, but a content security policy can basically say, allow Google Fonts, allow images from Josh’s website.

[00:45:09] Dan: Don’t allow anything else. So if, gotcha, a dodgy plugin gets in there and starts trying to redirect you to something even more dodgy, your browser should step in and help, because it’s been told to.

[00:45:21] Josh: And how do you implement these measures? Is this like custom code? Is this a tool that does this?

[00:45:26] Dan: So I think the best way of doing it is on the hosting itself. So they’re sent by your server, to say they’re called HTTP response headers. So when you make a request, say to joshhall.co, your server responds with a page and says, these are some extra headers, please respect them. And hopefully a browser will, you know, respect them.

[00:45:48] Josh: How do you actually do that through hosting? Is that something like, I have no idea on that end. Is that something that you have to like talk to your hosting about, or just be like the header, like code you put in your header kind of situation?

[00:46:00] Dan: It’s probably best to talk to your host about that sort of thing. It’s very hard to say without knowing who you’re with. Yeah. Some run on Apache, some on nginx, um, and the way you do it’s slightly different. So in my case, I put it in the nginx files, which is a bit messy and hard to do, but it adds a good layer of security.

[00:46:16] Josh: And that would alleviate the issue of, like, uh, an update, right? Like if you update WordPress, of it overriding that code.

[00:46:24] Dan: Yes, exactly. And also I could have all the greatest plugins in the world, but if I get on the hosting and just delete the folder, the plugins are gone. Mm-hmm. Yeah. And so I can just suddenly do all this bad stuff on your site. Whereas if it’s done at the server level, at least there’s an extra layer there.

[00:46:43] Josh: Okay. Yeah. That makes sense.

[00:46:44] Dan: So your users can’t break it then as well.

[00:46:48] Josh: Is there a resource for that, Dan? That we could, like, I’m keeping track of all the links that we’ve talked about. Um, the response headers and all that stuff, is there a resource on that? That would be good to add into the show notes that people could check out if they decide to really take the deep measure.

[00:47:03] Josh: And by the way, I’d say it is a deep measure. This is something that you could do as an extreme value add in security for anyone who’s like, I’m never gonna do that. Like you could charge for it. If, you know, if you’re running like a really important e-commerce site that’s doing, you know, like a lot of money, then maybe it’s really important to do something like this.

[00:47:21] Dan: Yeah. It’s probably not a quick control to implement, probably gonna take a few hours, well worth doing on staging and testing on lots of browsers, because it could stop parts of your site working properly if you don’t do it right. Um, but there’s two great tools. So there’s one to scan security headers, and that’s written by a guy called Scott Helme.

[00:47:39] Dan: The tool is called securityheaders.com. So you can scan your site. Um, you might wanna click hide results, so you don’t show up in the hall of fame or the hall of shame. Okay. Um, but yeah, Scott Helme’s got some great resources on security headers in general. So it’s worth looking at his blog. Um, he doesn’t show how to add them to WordPress. So I think you need to work with your host on that, cuz it is gonna be quite specific to, you know, their hosting environment. Gotcha.

[00:48:07] Josh: So, result. Okay. Scott Helme. Okay, cool. Cool. So we’ll have that linked. I know we’re covering a lot of different links, but I’m keeping track of all this. So, uh, my awesome VA Kam can, uh, link these in the show notes for everybody for this episode.

[00:48:19] Josh: But yeah. What about, like, uh, I don’t wanna take too far of a tangent, Dan, in the deep stuff, but what are, like, the headers is a big one, I guess. Is there anything like that we haven’t talked about, that is a huge deal as far as security?

[00:48:32] Dan: Yeah. So this is more of a high level strategy thing that I think gets missed in the website world. So if I was to start a baking business and make some nice cakes, I’d have to do a risk assessment, and I’d have to consider what could go wrong and what I’m gonna do to try and avoid it going wrong. You know, allergens, food poisoning, all that nasty stuff. Um, and also get inspected. You know, someone comes to check my kitchen out and check, you know, it’s a clean place.

[00:49:00] Dan: There’s not rats running around everywhere, et cetera. Within a web world, we don’t really get told to do that. So I’d say before considering all these controls, you know, security headers, two-factor, all that sort of stuff, just do a risk assessment. Consider what you’re trying to protect. So people’s data is the main one, but also things like your reputation.

[00:49:21] Dan: That’s an asset. Mm-hmm. Your money’s an asset. Um, yeah. So consider your assets, do a risk assessment where you consider, you know, what possible vulnerabilities have we got? What threats have we got? And the way to imagine that, you know the game Jenga, mm-hmm, where you’ve got all these bricks. Say you’re halfway through the game and someone’s removed one of the bottom bricks.

[00:49:42] Dan: That’s your vulnerability: the thing can now topple over. That’s your weakness in the tower. Your threat could be, um, let’s have a think. Threat-wise, you could have a natural one. Let’s say you could have an earthquake. That’s sort of out of your hands. Mm. But you could have an intentional one. Let’s say I’m playing against Josh and Josh kicks the table.

[00:50:04] Dan: Josh kicks the table leg, that causes it to sway on my go, and I lose. There could also be unintentional. For example, I make a mistake, I pull one out and the whole tower falls over. So there’s different types of threats. There’s also likelihood, you know, is it actually going to happen to me? So you have to think in terms of risk: is this actually a risk that could happen? And what would the impact be on me if it does happen?

[00:50:29] Josh: Gotcha. Do you have this as a resource, Dan? This, uh, Dan’s risk assessment, uh, recommendation? Yeah,

[00:50:37] Dan: I do. So that’s a new service I’ll be launching in the coming months. It’s called RiskBuddi.com, and it’s just gonna help people establish that basic risk assessment to know how to move forward, really.

[00:50:49] Josh: Awesome. Is there anything live right now, or is that just all in the works? Uh, it’s

[00:50:53] Dan: very much in the works, but it’s just gonna help people raise awareness, really, of just basic security stuff that they can add in.

[00:51:00] Josh: I love the name, RiskBuddi.com. That’s great.

[00:51:04] Dan: Um, it’s spelt with an I, so that’s Buddi.

[00:51:07] Josh: Okay. Not Buddy.

[00:51:08] Dan: Why got it. Yeah.

[00:51:10] Josh: Super cool. Well, as soon as we have that available, we’ll link it out in the show notes. I know we’re recording this before you do the training in the web design club, but, um, you are doing a training for the club here. Yeah. I think this will go live shortly after that, which, uh, the replay will be available for anyone who joins after this chat, but I’m really excited to see you kind of take a deeper dive into security and help web designers and clients.

[00:51:33] Josh: I mean, like I said, I think most people are probably along the lines of how I feel about this stuff, where we get into web design to help clients grow and learn design. We don’t necessarily get into it to be a developer and a security person. So exactly. Um, we need help. Like, you know, this is why I’m so glad to have folks like you in my corner, Dan, to kinda help educate me on some of this stuff that, I mean, some of it’s pretty 101 and elementary that are just good to have reminders of, but some of it is like, I didn’t know a thing about the whole header access, stuff like that. Yeah. It’s beyond what I even was aware of. So, um,

[00:52:09] Dan: that’s why I think awareness is a big thing. So even if you haven’t got a control in place for it, at least you know that there’s a possible

[00:52:17] Josh: solution there. And I like the idea of the tiered, kind of like the onion, like the tiered security that you could potentially sell and offer, which you could roll into the maintenance plans. For sure. Yeah. Like you could have the level one, which is just strong passwords, two factor, basic stuff; level two, maybe like more intentional, uh, frequent backups, different security measures for websites. And then the top tier could be the header stuff or like really advanced, maybe more CDN kind of stuff.

[00:52:42] Josh: Like, you know, you could really take this to a whole nother level. Do you have any plans of doing any consulting on this or doing actual, like, work on this? I’m just kind of curious for where you see your, uh, your security help stuff going, Dan. Do you feel like you’ll just do more courses, or yeah, what do you have in mind moving forward? This might be a great time to, yeah, talk about the vision for you with this stuff.

[00:53:04] Dan: Yes, it’s still early days. I’m sort of seeing it as a software platform where you can just pay each month, have your risk assessment and then learn a bit about the controls and how they can help you and your clients. And obviously you can make money by charging. Yeah. You can pass on the cost to your client. I just think awareness is such a big thing. Um, and also having a strategy in place and knowing what to do next. So at least then every month you can make a little change to your websites that over time can compound and really help with your security.

[00:53:35] Josh: I love that idea. I think like a community aspect backed behind that can be great too, because, uh, security is definitely something that is, uh, not fun to go alone in, especially if you’re not terribly versed in it. So, uh, yeah, I love where you’re headed with that stuff, Dan. I

[00:53:50] Dan: think that’s, in some ways, I think imposter syndrome is born in the security world. It’s full of people in black suits who, you know, oh my God, you don’t know that? Well, no. So I think it’s just good to take complex things and just make them simple and sort of help show how it can make a site more secure. And in terms of vulnerabilities and threats, if I told you about clickjacking, it would just pass over your head because you can’t visualize it.

[00:54:19] Dan: Right. Whereas when I showed you a demo of me doing it to a website, suddenly you can see how it can happen and how that could be exploited in the world.

[00:54:30] Josh: No, that makes total sense. And I’m definitely gonna recommend that we send people to risk buddy with an i.com because, uh, it looks like you got, uh, a basic mailing list that you could sign up for. So we could keep up to date on what’s going on there. Um, I, before I have a final question for you, Dan, I’m kind of curious, I meant to ask this earlier, what is the big benefit for hackers? Like are, are a lot of people hacking into websites? I’ve heard this talked about for years, especially when I had sites getting hacked and stuff.

[00:54:58] Josh: Um, are they logging, are they, are they breaking into them just to kinda like build a portfolio of their hackability skills or is there actually financial gain in the form of like the, the list and the data and stuff

[00:55:11] Dan: depends very much on the reason for it. You could even have Company A attack Company B because then Company B gets a bad reputation and Company A looks amazing. Ah, gotcha. I mean, that’s in the corporate world more, I think, um, you get targeted attacks. Um, let’s say you’ve got an eCommerce store, you know, there’s loads of order data there, that’s quite useful. We’ll have some of that. Um, then you get people just doing it because they can, mm-hmm, um, so yeah, it varies, really.

[00:55:42] Josh: Yeah. I had heard somebody say that like a lot of people are, are potentially like up and coming hackers who just do it to show like, Hey, I hack into this site, hack into this site and they kind of build a portfolio for, cause I’m sure, obviously it’s a whole industry in itself. So, uh, yeah. I

[00:55:57] Dan: have no interest when you get organizations just out there trying to hack people, you know, when you combine several people, it becomes quite powerful.

[00:56:03] Josh: Yeah. What about, uh, real quick before we wrap this up, Squarespace, Wix, some of these like self-hosted platforms, where are the security vulnerabilities? Now I meant to ask this earlier, but uh, I wanna make sure we don’t glance over that, ’cause I’m sure a lot of people who don’t use WordPress are probably like, well, what about me? Uh, where this, this audience now is, is, is very diverse, even outside of WordPress. So yeah. What about the self-hosted platforms?

[00:56:27] Dan: That’s why I tried to avoid talking just about WordPress vulnerabilities and things. I mean, passwords, that affects everybody; domains, that affects everybody. Um, with WordPress, the nice thing about it is we can see what’s going on underneath the bonnet, so we can see where the issues lie. Um, with things like Wix, Squarespace, Shopify, you don’t see so much of that because it’s all behind closed doors. So don’t just assume it’s not so insecure because you can’t see what’s going on. And you know, I mean, WordPress gets a very bad reputation for security, but it is possible to harden it up fairly well.

[00:57:01] Josh: Well, I mean, it, I think with anything open source that is, I feel like a tool that’s open source that gives the, the user so much power. Inevitably. You’re gonna open yourself up to, you know, more vulnerabilities because you’re giving people the option to do that. Plus, I mean, what’s WordPress like 30, almost 40% of the internet right now.

[00:57:19] Josh: Yeah. Something like that. So it’s, you know, of course it’s gonna get much more heat than some of these other platforms. Um, but yeah. What about the self-hosted, like, where are the vulnerabilities in those? Because they often patch their own plugins and stuff. Is the vulnerability in, like, you know, the Squarespace server, like the server-side of things and the, and the, like, what’s controlling everything else?

[00:57:40] Dan: Yeah. Um, you’ve, you’ve got the basic things like login, um, which you’re never gonna get past, really. And two-factor authentication helps with that, but there’s always a risk of, you know, us developers like to, well, we don’t like to, but we make mistakes, and that’s where most vulnerabilities seem to come from.

[00:57:57] Dan: It’s basic mistakes; things get missed. A change gets made on a Friday afternoon, just before everyone goes to the pub. Um, these are the sort of things that happen in every company, really. Um, and so that’s how the vulnerabilities creep in. Um, how long it takes ’em to realize and patch, well, that’s gonna vary.

[00:58:15] Josh: Gotcha. Yeah, that makes a whole lot of sense. It kind of reminds me of ManageWP too, where like the scary thing about a Squarespace or something like that is like, if the, if the main channel gets breached, then that could, you, you’re, all of your websites and work could be potentially at risk without you even knowing or doing a thing about it. So I guess it’s a lot like hosting, I guess, that could apply to a lot of different things, but that, oh

[00:58:41] Dan: yeah. I mentioned the contact forms. I can see that most of them in WordPress don’t encrypt the data. So it’s just stored there for everyone to read, but you dunno what’s going on in Squarespace, you know. Here’s a vulnerability: how about I phone up Squarespace? And let’s say you’ve got a website there. I’ll phone ’em up and pretend to be you.

[00:58:58] Dan: Now, if I can social engineer them, I can say, oh, well I’ve only got an hour. I need to be really quick and make this change. I might get done for copyright or something like that. They might let me in. Ah, gotcha. Or they might give me a bit of data that’s useful for me to then get in later. So, you know, they’re still, it all boils down to people still. Really? Yeah. You know, people have bad passwords. If there’s bad security training in there, they’re not aware of phishing attacks, social engineering. Yeah,

[00:59:26] Josh: well, thank God there’s good hackers like you, Dan, who know a lot about this and are, uh, doing good things in the world to help people. Uh, my gosh. Yeah, this has been great, man. This has been really fascinating for me. I appreciate you being really open to asking or answering a lot of questions that I have about security and I, I hope this has helped others.

[00:59:43] Josh: We’ve talked about a load of resources that I’ve got ready for, to be bookmarked, uh, or to be, uh, to, to be linked up in the show notes for this episode. Where would you like people to, to go Dan, to find out more about you? Um, do you want them to go to risk, buddy? Is, is that the best resource?

[00:59:57] Dan: Yeah, I, that’s RiskBuddi. You’ll find out a bit more about me, my story, and, you know, how we can work together to help you just get more awareness about security.

[01:00:04] Josh: Awesome. And that’s RiskBuddi with an i, R-I-S-K-B-U-D-D-I dot com. Uh, that’s the one, you got a free sign-up there to, to stay in the know of, of what you have coming down the road. I would’ve loved to have had this conversation when you had everything ready to go, but I couldn’t help, but I wanted to talk about security particularly, um, around the time you’ll be presenting, uh, in my web design club with a training on this, which again will be as, as a replay for anyone who joins after, uh, Dan presents in the club.

[01:00:30] Josh: So when you join, you’ll get access to that, to that training as well. Uh, but yeah, Dan, thanks for your time, man. This has been eye-opening, terrifying, but also fun and empowering too. So I, I feel, yeah, I feel much better about, especially this, like, idea of, like, even just awareness, risk assessment. Yeah. Like, okay.

[01:00:48] Josh: Here’s what I have. Where are the risks? What can we do to chip away at, at protecting ourself as much as possible? I love that.

[01:00:54] Dan: Brilliant. Thanks a lot.

[01:00:56] Josh: Thanks Dan.
