Today’s Online eCommerce Security Issues and Risks with Dre Armeda

Episode 32 is the first of four shows in a series on Online eCommerce Security. In this show, we talk with Dre Armeda, co-founder of Sucuri.net, who is the sponsor for this series.

Dre gives us a holistic view of what is going on in the world of security and the solutions, as well as the prominent issues he is seeing these days.

We chatted about:

  • The bigger issues we are seeing with online security and why
  • The reasons behind both the small and large hacks
  • The perception out there that WordPress, as an open-source software, is a security risk in itself
  • Why, as a small website owner, you are not safe from the big hacks
  • An example of a recent hack that really put things in perspective
  • Dre’s top three tips for keeping your site and information secure online

Thanks to Our Podcast Sponsor: Sucuri


Transcript

Bob Dunn: Hey everyone, welcome to our show. Bob Dunn here, also known as BobWP on the Web. Today is not only episode 32, but it is the first part of a four-part series we have started on the WP eCommerce Show. This is where, for four consecutive Mondays, we will be talking with a special expert and sponsor about an important aspect of running an e-commerce site. What better subject to start off with than security? Today we welcome our sponsor, sucuri.net, and my good friend Dre Armeda as our special guest. Hey Dre, welcome to the show.

Dre Armeda: Hey, thanks Bob. Great to be chatting with you. How’s it going?

Bob Dunn: Good, good. Finally we got the tables turned. I’ve been on your podcast before three times. Now I get to sit back and ask the questions, which is so cool.

Dre Armeda: I can dig it. Should I throw my voice and pretend I’m you? That might work out better.

Bob Dunn: Yeah, yeah. Just lower it down a couple octaves, and they won’t even know. Before we dive into the guts of online security, for those that don’t know who you are, and don’t know Sucuri, tell us a bit about yourself, what you do there, and who Sucuri is.

Dre Armeda: Sure. Thank you. For one, thanks for having me on the show. Really excited to chat security, and hopefully provide some value to the audience. My name is Dre Armeda. I’ve been around WordPress specifically since right around 2004, where I found it online looking for a means to create a portfolio website. Excitingly enough, I settled on WordPress, created my first theme around 2004, 2005. Things progressively changed significantly throughout the years, starting at that point. I was still in the military at the time. I spent 12 years in the U.S. Navy and got out, fortunately, into the information security space. At the same time I was really passionate about web stuff, and that really converged at some point in the 2000s with a buddy of mine named Daniel Cid, and then Tony Perez, who, as you guys know, is the CEO of Sucuri.

We founded Sucuri in the early 2010s. We started figuring out a way to monitor websites remotely, figure out a way to understand and determine when security things, anomalies, were happening, and how we can alert against that. That quickly translated into, “Wow! We’re able to do this really successfully. How can we now remediate those issues?” That was the birth of Sucuri. We really looked at finding a way to alert to security issues and then remediating that. I spent the first four and a half years of the company as the founding CEO. We built the company, at that time, to about 35 employees worldwide. We were cleaning hundreds of websites every day.

Then I stepped down as CEO. Tony, who is also my brother-in-law, took over as CEO, and has continued to scale the company with Daniel to an exciting place now. We’re not only offering that detection and response, the remediation capabilities through professional support services, we also offer protection. I think it’s an important thing to understand, from a website administration standpoint, that it’s not good to be reactive alone. We need to really be proactive in the way that we measure security and our risk floor, our security posture. Having some type of protective capabilities is important. Now that’s really what Sucuri is. We clean and protect your websites. We offer a website security stack that offers protection, detection, and response. That’s through various services and a web application firewall, as well as monitoring and inventory management of your websites. We have a full incident response team that offers remediation services when something is discovered.

I came back onboard to Sucuri here over the last few months. I stepped into the agency space for a couple of years, and the WordPress space, which was a great time. Got to learn a lot and was in a marketing role while in that endeavor. I’m back at Sucuri now, really helping engage with special projects around business development as well as sales and marketing. Very excited to be back at the company, which is now at close to 100 employees in 26 different countries. We’re really passionate about helping folks think through security more strategically, more holistically.

Bob Dunn: Cool. I’m so glad to see you back there. Everybody is excellent there. I love Tony, but it’s good to see Dre’s face back on the security horizon.

Dre Armeda: I appreciate that Bob. It’s good to be back.

Bob Dunn: Now as I’ve mentioned this is part one of four, and today we want to just do an overview of the state of online security. Then in the remaining three shows, for the next three Mondays, we’ll be focusing more on the topic of eCommerce. With that said, let’s talk big picture here, in general online security. What are some of the biggest issues we’re seeing more these days? Even more importantly, why are we seeing them?

Dre Armeda: Oh wow. Good question. It’s a very broad question. I don’t think the landscape will ever completely change. What I mean by that is certainly it’s evolving, and there’s new attacks, or a higher amount of specific types of attacks, but we’ve still got the same issues from before: outdated software, poor credentials, and all that fun stuff that lead to a myriad of attacks. What we’re seeing a lot of are things like reflective attacks. That term reflective isn’t really official. We’re thinking through how to best describe that, but in essence we’re talking about attacks that compromise websites without really compromising them. What I mean by that, and to put it into perspective, think about the ability to hack a website by hacking a website’s DNS, for instance. Control the DNS, control what the user sees. It’s very different than what we were seeing with, “Hey, look, all of a sudden you’ve got the SEO spam results, because someone’s injected this cruddy code through a known vulnerability.”

A little bit different. They’re changing the entire user experience from that DNS level. Or think about the ability to attack an ad network that many websites use, and using that to penetrate a website’s defenses. You’ve probably heard of it over the years: malvertising. It still exists. That’s a tactic that’s been around for a long time. It’s continuing to grow. They’re attacking through less obvious opportunities. I think we’re also seeing this shift in which attackers move from only targeting a website owner’s audience to targeting the website owner and their infrastructure. As we talk about security in general over the next four weeks, we’ll start to realize this trend of, “Wow! It’s not just the application layer.” We need to really think about the entire stack. What are those components? I’m sure we’ll get into that a bit more.

More and more we’re seeing server-level scripts added to web servers, and pushing them into these botnets, or IRC bots, and other nefarious actions are happening there that allow abuse of the web server’s resources. I think that that is where they’re harnessing some really strong opportunities for bigger-picture attacks. They opt sometimes for not even injecting a payload. They’re just wanting to use those resources on the server, and that’s super crazy, really. I’m not sure if you read them, but we’ve put out some quarterly reports where we talk about some of these trends, in fact, and they’re over at our blog at blog.sucuri.net. We’ve put out a couple this year. The most recent one came out over the last couple of weeks. It’s got a lot of really strong information around these trends. Not just in WordPress, but the webscape in general. Super interesting content there.

I think another area that we’re seeing a lot of, it’s an interesting trend that’s continued to rise, is on the SEO spam side. Currently 38% of the infected websites we work with are being infected by it. That’s a pretty big number, man. They’re taking over this stuff, and this has been something that’s been going on for four, five, six years at least, since we’ve been in business. If you think back to the day of, jeez, what was that photo-manipulation script … TimThumb, the attacks that were happening there. They were server-side. They were able to penetrate through this script, and they were arbitrarily executing PHP. Through that, they were able to do all sorts of fun stuff. Some of the outcome of that was SEO spam. They’re injecting all this cruddy code into the code base that you have on your server. Next thing you know, you’re serving ads for Viva Viagra.

That hasn’t changed. It’s just growing. It’s a trend that I think we’re going to see on the rise. I think what’s interesting about these attacks is that, unlike any other malware distribution, they are not always detected. That’s really challenging when you start to get into those conditional approaches that these attackers are taking, like geographically connected distribution of this. If you’re in, let’s say, South America, whatever, and you’re coming to see the site, we might serve that spam every two or three requests. It might be that only through Google, when you’re actually searching the SERPs, and you get your search engine results, you’re coming in, and we’re going to serve you the ads that way. It’s really targeted, it’s very specific, so it’s really, really interesting.

Bob Dunn: Wow.

Dre Armeda: Yeah. In that report we also shared that only about 18% of the infected websites we are working on are being blacklisted. That, in itself, is another major issue. I digress. We could probably do an entire show about that, man. We could be here for hours.

Bob Dunn: Yeah. This made me think of another question off this. I don’t know if you have an answer, or anybody has an answer, and I’m sure people … This is one that hangs in the back of their mind. Are these attacks done for a specific reason? Monetary, espionage? That’s getting weird. Or is it, “I just wanna raise hell on the web.” Is there any way of knowing, is there really a method behind the madness, I guess?

Dre Armeda: All of the above, but the percentages change based on what you just said. Yeah, certainly there are these script kiddies out here, coming and trying to cause problems. That’s very minute, very small. Espionage and politically targeted campaigns, absolutely they happen, but they’re, again, politically targeted. It’s going to be a very small, I think, surface on the web. Sure, they’re going to attack big media sites, or, jeez, political campaigns or associations, what have you. When you talk about the masses, you’re talking about opportunistic attacks. You’re talking about automated attacks. You’re talking about “Infect, infect as many as possible, because I have a non-monetary connection to this attack. And the more I spread this attack,” and again, we get back to these botnets and stuff. “Like, hell, if I can take over these hundreds and hundreds of servers, and have this powerful attack, where I can take down whatever network with some type of distributed denial of service attack, I get paid XYZ versus this lower amount. So the bigger the attack surface, the more I get paid. I want to attack in numbers.”

It’s an interesting trend when you start thinking about that, right? Those types of attacks are happening more and more. There’s a barrage of attacks happening on the availability of websites specifically. I think that that’s an important note, because we see that on the rise. The types of attacks, let’s say DDoS specifically, are increasing in the size of attack. How important is that? Think about it. Bob, your website right now is down for a day, or a whole week, or even a month, what would that be worth to you? Now, take that and apply that to all website owners, specifically those with eCommerce sites. Their bottom dollar comes based on all the products or services, what have you, that they’re selling on their site. That’s a huge issue. Availability is, and has been, an important tenet of security for a long time. I think that’s coming full circle with website owners in a big way.

In the last week, I’m not sure if you’ve seen it, but there’s been some large attacks, DDoS attacks. One specifically that targeted Brian Krebs, who’s a big security figure. He has put out a lot of stuff over the years. The guy is really valuable, a really neat guy actually to listen to, and check out his blog. They attacked him in a way so big that they completely censored him for days. It was this huge attack. We’re talking a 600-plus gigabits per second attack, sustained for multiple days. They completely nailed him and took his whole availability away. That was the purpose.

It’s a huge distribution mechanism for taking out people, and it’s happening more often than you think.

Bob Dunn: Oh yeah, wow. Crazy stuff. Let’s focus a bit on WordPress here, since we’re talking WordPress. A lot of people are reluctant to use WordPress because they think it’s a security risk, with all the articles that come out. Now, are we really talking about WordPress as an open source software, or are we not addressing all the variables that make it supposedly less secure that have really nothing to do with the software itself?

Dre Armeda: Man, this has been a topic for a long time. We can talk about open source, we can talk about WordPress and its inherent security issues as what people perceive that to be. This is all rubbish. We’ve known for years that this is a consistent issue, a consistent theme, that people talk about WordPress and its perceived security problems. Back in 2012 Tony wrote an article on the real vulnerability. Lo and behold, it wasn’t the code, it wasn’t WordPress, and it’s still something that I will continue to agree with Tony on. It’s the people. It is opportunity. People are the biggest, I think, vulnerability, or issue, that we deal with in security as a whole. That’s not even just information security. Think about physical security and everything we do.

It’s great, you have this bitchin’ alarm system, and cameras, and the whole nine. You don’t turn them on, it’s not going to work. Who is it up to to turn them on? It’s up to the people. That’s the biggest problem. It’s a known fact in the infosec domain. It’s like the pyramid: people, process, and technology make up a strong approach to security. It’s integral to have all three of those in marriage, to have your strongest security posture. Without one of them, the rest of that pyramid, or circle of life, if you will, dies. It just will not work. It cannot continue.

In the WordPress ecosystem, and I would say for pretty much any other open source CMS out there, or community, we fail to remember this more often than not. We target the software, and that’s great, but maybe it’s something else? I think this is very thematic across all of those communities. It’s the people. It’s supposed to be simple for us, but it’s not. It’s a little bit deeper rooted than that. In fact, actually, Tony wrote another article on the challenges he’s been seeing and speaks to some of that stuff, and how as a community we can do a lot better about communicating security, and can easily be forcing the quality of how we think about and talk about these things and evangelize to overall communities. That’s on Torque Magazine. He wrote it this summer, sometime in July, but it’s a really, really thoughtful, thought-provoking discussion around how we communicate security and how there’s a bigger systematic issue beyond just the software. It’s the people and how we educate them.

How many times have you heard this same regurgitated top-ten tips list of how you secure a website? It does nothing. And like, “Oh, awesome! That’s great. I haven’t heard that since Dre spoke about it in 2009.” It’s the same stuff. We’re never going to increase our security posture and be more thoughtful and strategic around security as administrators and a community if we just keep regurgitating the same crap. We need to take a more holistic approach. That’s the reality, man.

Bob Dunn: Yeah, good advice. There’s too many variables, and it is the people. Their site gets hacked, and then they think, “Oh, maybe I should have been using a better password,” or something like that.

Dre Armeda: Yeah, certainly. I think another area to consider is, like, “Hey, we focus so much on WordPress, WordPress, WordPress,” or, “the application, the application.” Holy crap, it’s terrible. It’s insecure, but what about the rest of the stack? Let’s think about the entire server. If we’re going to really talk about the technology, and its inherent security issues, we cannot stop at the application layer. We’ve got to break down a considerable amount of area. We need to really be thinking about, and talking about, in terms of the entire stack if we want to blame any specific piece of the technology. Think about where it starts at the bottom layer. We’re talking infrastructure. Actually, let’s step back a second. What’s your environment? What do your local machine or your local network look like? How are you treating your local user credentials and environment? That’s a big deal. Then we step into infrastructure.

The actual application is going to sit somewhere. It’s going to sit on a physical server. There’s going to be switches and routers. How are those things secured? Are they being attacked? Again, we’ve got confidentiality, we’ve got the integrity of that information, as well as availability. If those switches and routers are taken offline because of a DDoS attack, well, shoot. Availability is gone. One leg of the security triad is gone. The physical server, is that being attacked? Are there rootkits or things going on there that we are not considering? There’s software that’s underlying your actual application, like the operating system. The actual web server engine that you’re running. The stack in terms of the server-side languages that are being used. How are they being accessed? FTP, SSH. There are many more things that we need to be considering beyond just the application. We haven’t even talked about the hosting provider yet, and how they segment stuff. Are you in a shared environment? Are you on a dedicated machine?

There’s a lot of other things that we need to be considering. The attack surface is a lot bigger than just the application layer.

Bob Dunn: Right, and even in the application layer there’s all the themes and plugins.

Dre Armeda: Oh, it’s game on. It’s third party stuff! We haven’t even talked about that!

Bob Dunn: Yeah, oh yeah. Oh jeez. Yup. It’s never-ending. When it comes to online security, we know we’re making ourselves more vulnerable by being out there shopping, and on social platforms, and anywhere else we give out all our information, create passwords. When we’re on our own site, I think some people fall into the safety net and think, “Hey, I’m not a big site. Nobody really cares about me. I’m never going to get attacked.” What do you say to those people?

Dre Armeda: I say, hackers like cupcakes too. What I mean by that is that your cupcake website is just as big a target, or at risk, as the next person out there. Again, let’s step back in the conversation where we talked about the difference between targeted and opportunistic attacks. Certainly politically targeted, or charged, attacks happen. Monetarily-based attacks against a specific journalist, for example Krebs again, happen. But man, opportunity is out there, and these attacks, in a lot of ways, or in most ways, are automated. They’re looking for what’s out there and easy to grab, make part of that network that they’re building. If this was a true thing, we’d be out of business. Let’s be realistic. Everybody’s a target out there. Most of today’s attacks are automated, and they go after the low hanging fruit. That’s the reality of it. There is no one there sitting there thinking, “Man, I really wanna talk- I wanna attack Bob, cuz Bob, man, like that guy’s …” Maybe there is, but the likelihood of that is probably not high. We’re all just another number.

They’re going to scan ports, they’re going to scan different layers of the stack to see if there are vulnerabilities, and if it’s there, boom, they inject it. There was a big attack on Drupal here over the last couple of years, where they were targeting Drupal, and they’ve got this automated attack to go, “Hey, this vulnerability exists.” You know what they were doing? They weren’t even attacking just Drupal. They were attacking everything. They didn’t care if it was WordPress, Joomla, Drupal, what have you. They had this vulnerability, they would scan everything and throw it over the fence, and see if it would penetrate. They don’t care. We’re all just another number.

Everyone thinks they’re too small until they’re not.

Bob Dunn: Yeah. For everybody, be safe out there, right?

Dre Armeda: Indeed.

Bob Dunn: Now we hear about attacks all the time, and a lot of times we don’t maybe know they’re going on. Some of them, like you said, I think before, there’s a lot of them you may never find. They’re not detected, and they’re not stopped. Can you give an example of an attack that really puts things into perspective as far as that we don’t know everything that’s going on?

Dre Armeda: I think that Krebs attack here, over the last couple weeks, is pretty interesting. It’s an attack on availability. This is a denial of service attack, or distributed denial of service attack, and what they did … Are you familiar with IoT, the Internet of all Things? Everything is automated and connected to the internet today. They used a specific botnet that leverages those types of devices to construct this attack. We’re talking an amount of traffic that’s reached over the capacity, or the known threshold of denial of service attacks, by going over 600 gigabytes per second, for a sustained number of days. That’s happening. It took him offline. In fact, he was on Akamai, the content distribution network. They’ve got low caching capability, all this fun stuff.

They’re one of the big ones in the world. They said, “Sorry, we can’t keep you here anymore.” In fact, he’s moved on to Google for his site to be back online. That’s a big deal. There’s a lot of them like this, Bob. The list could go on. We’ve written, actually, a considerable amount. Our researchers write articles all the time about these types of issues. We put out a great article that illustrates some of our points on the 19th, actually, of this month, in which we talk about how WordPress sites are being hacked via poorly managed servers, where attackers are moving laterally once they’ve penetrated the defenses. This is a common occurrence. In fact, years ago Tony coined the phrase, I think I coined it, but he tells me he coined it, the term “soup kitchen servers.” We’ve talked about it for years. It’s still an ongoing issue. We’ve got that up on our blog, you should go check that out.

In essence, website owners forget they have other sites and other stuff on their server, they’re storing backups or what have you, or even developers hosting for their customers have all this stuff on their servers, and the attacks find them, and boom. That’s access to production environments. They’ve got access to all their stuff. This is happening all the time. I think that’s a very relevant thing that, maybe it’s not a huge attack that finds its way to the media, but it’s an ongoing occurrence, and it’s very relevant to anybody having a site, an eCommerce site, what have you, online today.

We ran another one here earlier in the month where an attacker was generating spam via a customer’s website, using a WP page dot PHP file. The file was regenerating itself via an injection. Now this is funny. The injection was in the theme header files, but this is where it gets crazy. Every time the website owner would delete it, on reload it would regenerate, and the customer’s going nuts. Going like, “How the hell, like … I just removed this thing.” As soon as you’d refresh, boom, nail them again. Again, that infection’s there, and it’s continually attacking.

Talking attacks, again, think availability directly. That’s that Krebs article. We wrote about it, and there’s a couple of them out there. He’s exceeding 650 gigabytes per second. That’s just a ridiculously huge attack. That’s more on the denial of service side; it’s not so much spam or malware, but it is an attack that can take down not just you, but an entire network. Like big portions of networks.

Earlier I mentioned reflective attacks. We wrote an article on that where fake free DNS was being used to maliciously redirect users. That’s an interesting one. Hey, all of a sudden my DNS records were modified and my site’s pointing somewhere else completely. They never penetrated the website, but they attacked it through other means that could actually affect the website and the user experience. These are all high-level, maybe, things that we’re seeing in the wild, that I think are really important, maybe people aren’t considering. That whole DNS thing is kind of a big deal. The DDoS attacks are certainly a huge deal, and a growing problem, but these … Bob’s site, the cupcake website, these are all very small in the grand scheme of things. But think about some of the big players that have been attacked and had issues over the last, probably, two, three years.

We’ve seen attacks that have nailed Target Corporation, with more than 70 million credit and debit card accounts being exposed. eBay, they were breached; poisoned a huge portion of their dataset and history for all their accounts. It’s something like 145 million records. Starbucks, last year, had, I think it was last year, they were hacked twice. Their app was hacked twice within a couple months. Dude, all sorts of information was put out there based on that attack. They were using these Starbucks accounts to access customer credit cards. That’s a problem. That is a very, very real problem. Lastly, in terms of examples, think of Zappos. They were nailed not too long ago either. Same thing, with something like 24 million users’ accounts exposed.

These are all real problems. We’re talking DDoS attacks. We’re talking these account exposures, which is a major challenge. And again, the DNS stuff. That redirect one, I think that that’s a really important one people should be focusing on. Okay, great, you’re doing awesome stuff to secure your stack; how are you sure that your DNS stuff is squared away? Does it sit at your registrar? Is that in your hosting environment? Where are your DNS zones and how are you protecting those?

Bob Dunn: Yeah, that redirect. Yeah, that’s crazy. Who knows where you’d be shot off to. Lots of good examples there. I shouldn’t say good examples, but solid examples, let’s say that.

Dre Armeda: Yeah, all of those.

Bob Dunn: Yeah, really. Okay, lastly, you talked about those horrible top ten tips, and oh yeah, I know what you’re talking about. I’m going to ask you, even though I’m sure you have tons of tips, what are your two very top tips every single person online can do to tighten up their site and keep their information secure?

Dre Armeda: Bob, I’ll give you my top ten list! No, I’m not. I really feel that we’re getting to a point where the application-based utilities that we’re using out there are something that people are depending on. Security utilities, plugins, and things like that on the server. One of my biggest tips is don’t stop there thinking that these are going to give you all of the security you need, because that is a false sense of security. In a lot of ways, they’re becoming obsolete, because these attacks aren’t just happening on the server. They will not stop these vulnerabilities from being exploited in a lot of cases. You need to start thinking at the edge, because these things are really giving you a false sense of security. They’re becoming obsolete. That’s fine. I know that these things are, they’re good business, and these plugins are awesome, and they do help a lot of people in certain capacities. They are not the end-all.

It’s time to really think about cloud-based solutions, and thinking to the edge. This is a more effective approach to effectively mitigating external attacks. We’re talking brute force, we’re talking DDoS. We’re talking virtually patching these vulnerabilities, known vulnerabilities, at the edge, so when these attacks come in, they never make it into your network. Therefore, they don’t have the opportunity to inject anything, or penetrate into your site. That’s where people get that misconception of, “Hey, I’ve got these plugins on my server. This is awesome.” If you’ve got a known vulnerability there, and it’s not patched, that’s a wrap. It’s too late. They’re already on your server.

I think defense in depth is really the approach, right? Think about those server-side tools you’re using, or those application-based tools, but also marry that with some type of cloud-based solution to make sure that you have a really aggressive and overlapping security solution or setup. That will absolutely help your risk posture, your security posture, considerably.

This is probably my biggest thing, because stuff happens. Your site goes down, files disappear, they’re completely damaged. The importance of backups just hasn’t changed. If anything, in any catastrophic event, they’re online. You have a backup. I tell you, there’s a number of times where we’ve seen compromises, and it completely destroyed our client’s websites. The only, literally, the only thing that saved them was having a backup. Have your backups. Have backups of your backups. Have backups at home, on CD. I don’t care if it’s on a server, just not the same one as your production environment. Keep it offline. Keep it in a remote environment. Keep it in a cloud. Have a bunch of them, it’s awesome.

Backups for your backups, baby. I’m telling you, that’s a big deal. You need to keep considering that it’s not a matter of if, it’s a matter of when, and you need to have some type of contingency plan. If you don’t have up-to-date backups, how much does your data mean to you? What is the value that you put behind your website being down an hour, two hours, ten, or longer? So have backups that you can recover as quickly as possible.

Lastly, Bob, I’ll leave you with one last tip, because I can never leave without talking about passwords. Honestly, it’s annoying still having this conversation. We’re still having this conversation.

Bob Dunn: I know, it’s amazing, huh?

Dre Armeda: Holy cow, but it needs to happen. I’d prefer to recommend folks start leveraging some form of multi-factor authentication, because two-factor authentication is where they need to go. Some tech that allows them to force a user to confirm that they are, in fact, trying to log in. Even in the case that they have a bad password, they’ve got two different things that they need to do to measure and make sure that they’re the right folks to be logging in. Two-factor authentication. Multi-factor authentication is, I think, super important. So one, think about marrying your application-based utilities with some type of cloud-based solution, web application firewalls, or something at the edge. Two, let’s not even consider backups, it needs to happen. It just should be already part of your process from day one. Three, passwords, yes, we’re still having this conversation, let’s really start thinking about multi-factor authentication.

Bob Dunn: Yup, all three of them. Yup. I can’t tell you how many times I’ve talked about all three of those. Especially the passwords and the backups. I feel like-

Dre Armeda: No doubt.

Bob Dunn: Yeah. We can have a drinking game, and every time you say password and backup, take a shot.

Dre Armeda: Oh my gosh, we’d be destroyed.

Bob Dunn: Yeah. There you have it in a nutshell. The bird’s-eye view of online security, and as I mentioned next Monday we will be diving into the eCommerce side of things. What can we expect to hear next Monday, Dre?

Dre Armeda: You’re just going to have to tune in, I think. For your audience there, we’ve got a lot of cool stuff going on in terms of security, and I think getting a little deeper-rooted around security in general. Beyond just this high-level discussion that we had about today’s online threats.

Bob Dunn: Yeah, very cool. Thanks again, Dre, for taking the time.

Dre Armeda: It’s my pleasure. I’m glad that we were able to hook up and certainly enjoy being on this side of the microphone.

Bob Dunn: Cool. I enjoy being on this side too. Everyone, do mark your calendars and make sure you tune in for our next show. Also, if you’re wanting to prepare your site for optimal online security, or if unfortunately it’s too late, and you’ve been hacked, check out sucuri.net. I would recommend, highly, to subscribe to their blog. He’s referred to a lot of blog posts. I’ll try to get some of those in the transcript, but they have a ton of information over there. I know I’ve sent a lot of people their way myself, a lot of clients, a lot of colleagues, and they always come back happy campers.

It’s good stuff. Until next week, stay safe and tune in for more security tips on the WP eCommerce Show.