Unmute Presents Securing Your Website

In this conversation, we stress the importance of securing your organization’s web presence. We discuss the significance of having a domain name for verification and business integration. We provide tips for maintaining control over your domain, such as enabling two-factor authentication and locking transfers. We also highlight the need for choosing a reputable hosting company that prioritizes security and keeping WordPress software up to date. We emphasize the importance of user management, backups, and making smart choices for website security. Listener feedback and suggestions are welcomed. Stay tuned for more news updates in the next episode.

WEBVTT

00:06.090 --> 00:31.350
Thanks for tuning in to this week’s Thursday, this month’s Thursday Unmute Security episode. I’m joined, like I am normally, with Damasi Michael here, and we’re going to talk about keeping your organization or company’s web presence secure. And let’s start with talking about domain names. Damasi, why do I want to consider security of my domain name?

00:31.500 --> 02:02.498
Well, your domain name is largely your presence online. Like, people are known, or people are going to look for your website. So my website, for example, Bedrockinnovations.com, well, that’s my website, and that’s my domain. But also tied to my domain is email. Tied to my domain is verification for a lot of different online services, where I’m able to verify by adding DNS records that either the emails came from my mail server or the emails came from a service that I’ve allowed to email on my behalf, or even just verifying that, hey, on this particular service, such as GitHub, the company Bedrock Innovations is actually verified. This isn’t somebody pretending to be Bedrock Innovations, LLC. So your domain online really ties a lot of things together that make your business run, but also verifies your business. So if somebody was able to access my DNS, for example, which is the records that you add to your domain, those records are how you point things to different places. They could redirect my website. Instead of you landing on my website and being able to get in touch with me, you could be on somebody else’s website who is either using malicious tactics to access your computer or just trying to trick you out of money. And if you feel like Bedrock Innovations, my company, has a good reputation, you may not question the things that they ask you to do or buttons they tell you to click.

02:02.664 --> 02:16.710
Yeah. And you got to be aware of what you’re doing, even as the end user. But as a small business or organization owner, what should I do to ensure that I keep control of my domain name?

02:16.860 --> 04:15.054
There’s a couple of things you could do. First and foremost, make sure that at the place where you register your domain, you turn on two-factor. That is one primary thing that will protect you. So even if your password is leaked, there’s that extra little barrier to try to hopefully prevent somebody from gaining access. Another thing that you should do at your registrar level is lock transfers of your domain, unless you are intending to transfer your domain. So think of locking your domain transfers sort of like locking your credit report. Unless you’re going to be actively applying for credit somewhere, it’s good practice to freeze your credit report so that nobody can apply for credit on your behalf. Same with your domain. People could potentially attempt to social engineer their way into transferring your domain away so they have that control of where people go and where things get sent from. But if you have locked transfers, you’re going to be the person that receives that email to verify you want to unlock, regardless of what else they may try to do. And I would also say a final, well, not maybe necessarily a final thing, but one very important thing to do too is make sure that the email address associated with your domain registrar is not a part of your domain. So, for example, my email that I register domains with, that I sign into my account that registers my domains, is not a bedrockinnovations.com email address. It is a completely separate address that doesn’t even have, I mean, use a Gmail account if you want, use an iCloud or Outlook account, use something that is not a part of your domain. For sure though, because if you’re ever locked out of your domain for some reason, whether you forgot to renew it or anything else worse than that, you’re not going to be able to get the emails to tell you what you need to do to fix the problem if you’re using email on the domain that is having the issue. So once.

04:15.092 --> 04:28.110
You’ve made sure that registering your domain is secure by locking it and using two-factor authentication, what would you recommend doing for your web hosting on top of 2FA to keep it secure?

04:28.270 --> 06:12.482
So first you want to make sure you’re hosting with a reputable company and you want to make sure that that hosting company also takes security of their environment seriously because you can do all of the things that you can to protect your website and protect your account. And if they’re lackadaisical on the security of their servers where your site is actually being run from, well guess what, somebody’s still going to gain access to your site and take it over and add malicious malware and start mining bitcoin when people visit your site. So you want to make sure you’re dealing with a reputable company first off, and look at their security policies or practices or reach out to their support. If it’s not somewhere clearly stated on the website, it’s not always there because people will use the kind of buzzworthy marketing terms to say, we provide secure hosting or we take security seriously. And there’s no more detail than that. So reach out, don’t hesitate to reach out and ask what do you do to secure my sites? And they should be able to tell you. And if they’re not willing to share that information, they might not give you details down to the lower levels of we’re using XYZ hashing mechanisms or something like that. But they should better tell you things like, well, each website that is hosted, or each account is isolated from other accounts, or your site is hosted on its own virtual server, which has complete separation from any other virtual server. Things of that nature, the type of things that you’re looking to hear, it should not be possible for a user with the same hosting company that you’re with to poke into your account, and you shouldn’t be able to poke into their space.

06:12.616 --> 06:22.390
So that isolation could make a huge difference in making sure that you’re secure because then you can control what’s actually going on in your web hosting account.

06:22.540 --> 07:14.790
Exactly. And it also protects you from someone else that is maybe not as careful with their website. And again, you want to make sure you secure your site the best way that you can as well, depending on what platform you’re hosting on, whether that’s WordPress or anything like that. But in a kind of shared environment, which a lot of hosting is, especially for smaller businesses and organizations, and when you’re starting up and building, you’re on essentially a shared platform regardless of who you’re hosting with. If site A is doing everything right, but site B is a little lackadaisical in doing their WordPress updates, for example, or keeping their plugins up to date, and they get a virus, that should not be able to hop across that virtual space and also infect your site. And I’ve seen that happen in some cases. So you want to make sure that you’re protected against things like that and.

07:14.860 --> 07:30.710
You kind of brought it up. So we will transition into it because it’s what you and I both know. So WordPress, which is a content management system, is something you also want to make sure is secure. So what are some plugins or tools that you would use to keep your WordPress site secure?

07:30.870 --> 09:08.710
So the most basic thing that you can do is keep your software up to date. That means keeping WordPress up to date, that means keeping any theme that you’re using up to date, keeping plugins up to date. That is the first line right there. That is the most basic thing that anybody can do to help prevent malicious attacks on their website: make sure that things are up to date. WordPress itself, the core of WordPress, is pretty robust at this point because it is a high-value target, because so much of the internet runs on it. And getting your themes or plugins from reputable sources also helps, because you can ensure that you’re not having backdoors in the code, or even to the point of dealing with sloppy coding where it’s not even an intentional thing that the developer has done, just they don’t have experience. If you can’t investigate the code yourself, you maybe shouldn’t be downloading plugins off of GitHub, for example, just because somebody threw up a cool thing. You want to deal with the WordPress repository for your themes and plugins, or with reputable companies that sell themes or plugins. One of the most popular plugins that we use is Gravity Forms. It’s a big company, they got a lot of developers, they are invested, heavily invested, in securing their plugin and the add-ons that they use, because if they fail at that, then they’d lose a whole lot of business. So you want to make sure that you’re also using plugins and things from reputable sources. Don’t just go out here and start pirating stuff and doing things like that, because you’re opening yourself up to potential vulnerabilities.

09:08.790 --> 09:11.610
What about shared user accounts on WordPress? Is that okay?

09:11.760 --> 10:53.598
Nope, not at all. If you’re doing that right now, stop, pause and go. Stop that, like, immediately. No. No shared users. Because here’s the thing. WordPress has the ability for multiple user accounts. I do understand, for the person that’s sitting there frowning right now, that there are some services online that your business may require that do not offer team accounts, or the team account level is crazy expensive because it’s targeting enterprise-level people. I understand, I have the same issue, but when it comes to WordPress specifically, there’s a structure in place for having multiple users easily. You just go add a new user, put their email address in, they get their own password, they set their password. You also have the ability, I would also tell people, to be mindful of how many admins you have on a WordPress site. Not everybody needs to be an admin. Everybody may want to be an admin, but not everybody needs to be an admin. And you may have to spend a little time kind of figuring out what role, as they’re called in WordPress, somebody needs to have. And the default ones are admin, editor, contributor, author, and subscriber. And depending on plugins you may install, such as WooCommerce, for example, it creates a customer role. Well, that role is specifically designed for only customers. You don’t need a customer that’s buying on your site to be an admin or any other role. They’re a customer. The same thing goes for people who help publish content to your site. They don’t necessarily need admin access to be able to publish a blog post or edit a page. So be mindful of giving people the least amount of privilege that they need to get their job done.

10:53.764 --> 11:19.366
And before we wrap it up, I have two more prompts for you. Feel like I’m prompting GPT in some instances. And that is, what about 2FA on WordPress? Can you recommend a plugin for decent 2FA? I’m sorry, let’s take a second back. Two-factor authentication, so that way people can also secure their WordPress sites. And I forgot the other one that I had, so it’ll come to me after you answer that one.

11:19.468 --> 11:51.600
I am a large language model. Mine. I’m able to make such recommendations to anybody. So one plugin. So I would say, look at the plugins you’re using. Sometimes there are plugins that offer 2FA that may also do other features. I know a lot of people are very fond of Wordfence as a security plugin, but there’s also one that is run and operated by the WordPress core team that is called Two Factor. And I believe that’s spelled TW.

11:53.330 --> 11:53.694
But.

11:53.732 --> 13:16.838
If you look for it in the add new plugin screen in WordPress, search for “two factor,” spelled out like that, though I’m pretty sure it’s spelled out that way. You should see the one that is from WordPress. That one is good. It’s been around for several years at this point now. It started off as a project that was being run by some people who volunteer and contribute back to WordPress core as a whole, and then it ended up getting brought up under the overall WordPress core team to be run. And I feel, know, and the goal there with that plugin, one of the reasons I really like that one, is because ultimately, and maybe we’ll get here one day, maybe we won’t, ultimately they really built this plugin to really be integrated with core WordPress so it would just be there out of the box. We haven’t gotten to that point yet, so you still have to install the plugin. But I really like that one. It gives you several options for two-factor. So you have your traditional TOTP, that’s where you scan a QR code with an app such as Google Authenticator and you’re able to type in the six-digit code. It also offers email codes, and there’s one other option there too, YubiKeys or hardware security keys, as well as giving you backup codes. So that is the one that I recommend and use the most in scenarios on WordPress where we need to implement two-factor.

13:17.014 --> 13:33.918
Perfect. And the last question I have for you today is security is good, but if security isn’t good enough, sometimes you need to back your website up. What tools do you recommend for that and would you encourage people to always have a backup?

13:34.094 --> 16:14.958
Always have a backup, always do your own backups. A lot of hosting companies provide backups, and that’s great, that’s awesome, except in very specific situations which I think are probably out of the scope of this specific conversation. Always do your own backups. I don’t care who you’re hosting with, always do your own backups. And what I recommend and what I use is Updraft. There’s a free version, and it will get you a lot of what you need to back up your site. But yes, you definitely should have backups, and you should do backups as often as makes sense. That is going to be different for different sites. If your site is more of a brochure-style site where you just have information up and that’s kind of it, there’s not a lot of dynamic content, not a lot of things being changed, you can get away with backing up a little less than other people would, maybe weekly instead of daily, for example, because not a lot changes on your site. But you do want to make sure you have backups. And the beautiful thing about Updraft, and there are other plugins too that are good, I just like that one, is because it will perform a backup before it allows you to update if you turn that setting on. And it also will back up not just the database of your website, which is the place where all your content lives, but it would also back up files, and you can kind of go through and make sure your uploads folder, for example, is being backed up so you don’t lose all your images and PDFs or whatever. If you’re running a more high-traffic type site where there’s a lot of changes, such as an ecommerce-type site, or you’re taking payments, or people are submitting forms a lot, you probably want to do those backups at least nightly, if not more. So this kind of depends on the traffic. So that is one of those things where how often you do it is going to be dependent on the type of site you’re running on WordPress, but you absolutely want to be doing your own backups.
Not that your host backups aren’t good, but they’re not going to back up as much as you would, especially if you’re paranoid like me and want to make sure you can always recover to the most recent point that you possibly can. And who knows if they’re going to have a recent backup if something happens. If you’re backing up your site every day, they may be backing it up every week or once a month and they may drop backups. So I’ve seen this happen with websites where you recover from one backup that was very recent and that still had the malicious software there. You go back a couple of weeks and you’re able to pull a backup that is clean of that issue and you can start to figure out how it happened. Your host, in most cases is not going to do that level of detailed backups and hold on to them for 30 days, 60 days, 90 days.

16:15.144 --> 16:38.010
Well, perfect. This has been fun and I hope people who are managing websites for small businesses or organizations take security into consideration. And everything we talk about these monthly security segments, a lot of times it comes down to you doing your own due diligence and making smart choices. That’s it.

16:38.080 --> 16:44.560
That’s the best you can do is make smart choices, do your own research, and make the decisions that make sense for you.

16:45.250 --> 17:27.970
Thanks for joining me, Damasi. And if you have any feedback or want us to talk about something specific for security in your life, send an email over to feedback at unmute show and we’ll be back next time. Did you know on the Unmute podcast network, every Friday, Lynn sits down chats about three tech news stories that caught her attention over the last week. If you’re interested in a quick recap of stories you may not have heard, check out Friday Finds with Lynn. Every Friday, find Unmute in your favorite podcast app and send us an email to feedback at Unmute show with stories you think Lynn should check out. Stay abreast with this week’s news updates.