This, Episode 34, is the second of four shows in a series on Online eCommerce Security. We talk with Dre Armeda, co-founder of Sucuri.net, who is the sponsor for this series. In the first episode, we looked at the big picture of the state of online security and the risks.
In this show, we dive deeper into the eCommerce and WordPress side of things. Although online security is an issue with all sites, when you start mixing in eCommerce and WordPress, it can inherently bring in some other challenges. Dre takes us through those and gives us a deeper understanding of how we can be more prepared for online risks when securing our online stores.
We chatted about:
- The motivations behind taking down eCommerce sites
- The importance of the PCI (Payment Card Industry) and a brief introduction to its background
- What a person should be looking for when they are choosing the right host for their eCommerce site
- How the security plugins for WordPress play into this and what they are doing right and wrong
- A CDN (Content Delivery Network): how it not only improves site speed but also plays a role in the security of your site
- How the PCI focuses on cardholder data environments and not enough on eCommerce deployment and integration
Thanks to Our Podcast Sponsor: Sucuri.net
Bob Dunn: Hey, everyone. Welcome to our show. Bob Dunn here, also known as Bob WP on the web. Today we bring you episode 34, but also the second part of a 4-part series on security and eCommerce. Last week we heard from our guest, Dre Armeda via our sponsor, Sucuri.net, on the overall state of online security and some of the risks that we are seeing in today’s world. If you didn’t get the chance to listen to that one, make sure you do. In our show today, we are going to focus down on security and eCommerce and start exploring the overall picture of keeping your online store secure. As we move into the last 2 shows after this, we will even dig deeper into navigating the payment card industry data security standard in the next show and then online payments and their security implications on show 4. Welcome to the show again and how are you doing today, Dre?
Dre Armeda: I’m doing wonderful. Thanks for having me back. I can’t believe you allowed me to get on the air with you one more time.
Bob Dunn: I know. It’s just going to be a 4 time thing. We will never know. Everybody will have to tune in to see if Dre or if we talk to somebody else. You’d never know.
Dre Armeda: You never know.
Bob Dunn: Let’s dive right into this because I know we have a lot to cover. We want to make sure and get all that good information out of you. First question, obviously it’s important to keep your site secure, but we know when it comes to online stores, there are some very obvious vulnerabilities they have. I’m sure we’ll be diving more into each one either today or in the future show, but can you give me a list, I know you don’t like lists, but let’s say a checkpoint of getting your online site securely locked down.
Dre Armeda: You know how I feel about lists, Bob. Come on, big guy. It’s a good question, but I don’t know that it’s entirely accurate in terms of how we want to think about it. It’s not a matter of having more or less obvious vulnerabilities. I think vulnerabilities are all the same. The biggest probably difference is around the motivation in the attack, the attack vector. When it comes to online eCommerce, the motivation is pretty clear. 99.9999% of the time it’s access to sensitive information like PII, personal identifiable data. That’s what people are looking for. PAN, primary account data. They want your card info. They want all the stuff around your credit cards, the expiration date, security code, things of that nature, because that’s what they’re seeing the most value out of.
They’re using that elsewhere to A, charge up Bitcoins or whatever that they’re doing with it, but that’s really what they’re looking for. In eCommerce, this is really the Holy Grail. This is the biggest attack vector that we’re seeing. The people want to come in and nail all the credit card information, all of your personal data. This kind of compromise is known as data exfiltration and it’s the action or objective that is perhaps the most different when you compare it to things like blog and regular website instances or attacks. Unless you’re a large organization, let’s say in the healthcare industry, where you’re seeing a lot of that personal health data and this is obviously the biggest probably value in that world. Again, it’s that personal data.
It’s very important to the consumer. Obviously, they want their information protected. It certainly is something of value and importance to the website owner and of course, attackers alike. It’s extremely valuable to them. Really to address this what we’ve seen happen over the year versus a standard creator, the credit card industry actually got together and developed, like you noted, the payment card industry data security standard, PCI DSS. That is really what I want to drive home at least for those who don’t understand or aren’t familiar with it and are looking to get into the eCommerce space. This is of utmost importance. This standard was developed in collaboration with Visa, MasterCard, American Express, Discover and JCB. All the big titles that you think are from a creditor perspective in terms of credit cards.
The hope was to combat the general online distrust with online commerce which is something that we don’t like and that’s why we’re talking about it because it happens. People are gaining value out of credit cards and transactional information, so they’re attacking it. The idea is really for the credit card industry to figure out a way to help protect this information and protect the credit card industry and reputation while at the same time providing some type of framework for organizations to work from to improve their overall security. I think that that’s really where we need to focus in terms of vulnerabilities and the standards behind protecting our eCommerce website. As organizations move between content only based sites which we see these brochure sites and these marketing websites out there into eCommerce sites or variations thereof of having transactional capabilities on their site, it’s very, very important that the owners and administrators, all the users and staff become very familiar with PCI and its intricacies because that’s really what they’re going to use as a basis to protect themselves, their data, their users’ data.
When you think of PCI, it’s not a law. This isn’t something that’s federally mandated, but it is enforceable by the credit card issuers. While they can’t make you do it, they can block you from using their card. Imagine if your online site was unable to use Visa, MasterCard or American Express. That cupcake site we talked about in episode 1. You’re selling these awesome cupcakes. A lot of people are ordering. All of a sudden you get audited in some capacity and they find out you’re not PCI compliant. Well, hey, we’re going to stop letting you use these credit cards on your site. How are you going to process payments now? That’s an issue. It will affect you. Now what you’re seeing or what we’ve seen under this standard is they can impose daily fines for lack of compliance especially if you’re found to be out of compliance and contributing to say data that’s being stolen or in essence, any situation where you’re putting cardholders at risk.
These fines, I’ll tell you, Bob, they can get really expensive really fast into the thousands, tens of thousands of dollars per day and can result in a full blacklisting if it’s not remedied. They’re really nailing you. This to me is a huge, huge risk. They’re taking this very seriously in terms of protecting credit card data, protecting your customer transactional information. With this in mind, when thinking about going and building a site, online commerce, the real focus comes down to the card data environment, CDE. That’s a term you should become familiar with. How is your credit card information flowing through the environment? That’s something that you’ve got to really be mindful of and are there protection points to safeguard that information as it’s flowing through your entire staff. We’ll get into a little bit more in terms of hosting and those things because everybody’s got a piece of this and a responsibility to protect this information. This really speaks, I think, to another important aspect of PCI compliance, which is really clearly defining your scope. What is your role here?
It becomes essentially important as you scale up. Hey, maybe not that big a deal when you’re selling 2 or 3 cupcakes a week, but as you get bigger man, you’re going to have a lot more transactional things happening and you’re going to need to make sure that all of this information is safeguarded. You’ve got to always be thinking about this. Assuming that you’re following all of our recommendations to ensure your WordPress instance is secure, if you think back to episode 1, you’ll want to place a lot of emphasis on how to capture, transmit and store all of your credit card data. How is that processing? That is of the utmost importance. The real big key here is you don’t, at any cost, you don’t want to be storing any of this card information data locally. You don’t want to be managing this locally. There are services that do it and help you with that. They’ve got requirements in terms of the PCI standard. I can’t stress this enough. This is integral to I think moving forward and being successful as you scale. Of course, you need to use SSL search.
That’s a huge part of it in terms of where that transactional data is flowing and making sure that that’s encrypted. That’s a whole conversation in and of itself. We could spend hours talking about how that all works and some of the intricacies there. The exciting thing at least for us in the WordPress world is unlike other applications maybe that are doing third party integrations or self-made and proprietary eCommerce platforms, it’s a little bit easier because we got plugins that help us do these things like WooCommerce. They’ve made this process seriously straightforward. It integrates seamlessly with gateways and processors. Really very little reason for us to even be thinking about storing credit card data locally. It just doesn’t need to happen. We have options. I think hosting pages is where I’m heading with that and you’ve got great options. Think of Cart66. Think about payment gateways that are very popular like PayPal, even other ones for like recurring payments like Recurly. They make it really easy to make this happen.
There’s some options there. I think those are the main areas we need to be thinking about for following PCI, that compliance standard. It really enables us to minimize the risk for all by a standard that the entire payment industry is using. We’ve written some content around that, navigating PCI, self-assessments, things of that nature. It’s on our blog back from June of 2016. I’ll shoot you the link for that. Ultimately the key with security and eCommerce is that you have an obligation to be compliant with PCI, so really consider that. The exact level is going to really be determined by a number of factors I think when you consider where you’re at in that whole process of commerce, but you’ll need to be familiar with self-assessment questionnaires which is something that you should be doing regularly. Maybe next week we could spend a little bit more time talking about that and some of the controls that you can put in place.
Bob Dunn: Everything you’ve said so far I think everybody better tune in next week. Actually when you said the PCI DSS, I’m like, “Huh,” because I, of course, I’m not huge into eCommerce. That’s why I bring people on like you, but wow, that’s big. It’s going to be interesting to hear more about that in the next show. You talked a little bit about hosting now. We’re going to talk about it probably in various parts, but for somebody that is right now saying, “Okay. I’m planning through this whole process of starting my eCommerce site. I’m going to be using WordPress,” are there some really basic tips you can give them as they start looking for hosting for their online store?
Dre Armeda: Come on. Has anything been basic with me yet?
Bob Dunn: I keep throwing that word in just as a hope. No, I’m just kidding.
Dre Armeda: Look, my whole objective through these discussions, Bob, is for people to be thinking bigger picture. It’s not just as simple as compliance and small controls, passwords and access control. It’s a lot bigger than that. That’s a really big question and a very good question. Hosting is super important. That’s home. That is where you’re housing this. This is where everything is going to happen. Everything revolves around that. It’s really important to be very strong and direct about how you’re driving decisions as to where your site’s going to be, as to where your visitors are going to be interacting with you, purchasing stuff and so on. With a hosting provider, you have to have a very frank conversation with your hosting provider and understand what their real approach to eCommerce is. That’s part of this whole vetting thing that we’ll get into I think a bit more here as we talk today. How do they account for PCI? I was saying earlier, not only the storefront has some standards that they have to follow, so do the service providers. They’ve got to meet PCI compliance as well.
They’re on the ball for this as well because they have the same potential fines and implications from the industry and the standard as you do as a storefront owner. This becomes even more important if they’re allowing you to store and process card information locally. Again, getting back to that whole thing. I find it hard to justify for most commerce sites out there that they need to store their information locally. It’s a way of old. It doesn’t need to happen in most cases. The direction you take really from a hosting perspective, a hosting provider perspective, is really dependent on that response. Where is it that they value PCI and commerce in their environment? One of the things I like to think about when I’m considering a new project, something that’s got transactional capabilities, an eCommerce site that’s going to have people purchasing stuff, is what are the expectations that I have and the hosting provider have and then overall my customer. That’s pretty common. They want their information secure. They want to know that when they purchase stuff they’re not being exploited and their credit card information is not being stolen.
What is it that the hosting provider is going to do and what is my expectation of what they’re going to do? That needs to absolutely be aligned. You got to remember and it really comes back down to the key point that we made last week is that all of our websites, no matter the cupcake site or the site that’s got 10,000 SKUs and a million hits a day, what have you, is that we’re all a target. Your website is a target no matter where it’s hosted because attacks are automated and opportunistic. We’ve got to keep that in mind any time we’re putting a site, any site up online. If you remember from the first show, again, that most attacks are automated and opportunistic. You’ve got that in mind. You need to have an idea of how you value your site and your customers and your overall business. We’ve established this. Does the hosting company that you’re looking at align with those things? Are they valuing the same things that you’re valuing? Here’s a few things that I consider when choosing a host.
This is probably your biggest one because most everything will grow out of this: do your research and vetting. Do your research and vetting. Take your time. You don’t need to rush it. What’s that old adage? 80% planning, 20% execution?
Bob Dunn: Yeah.
Dre Armeda: Stick with that. You need to make sure that you’re planning ahead, that you’re architecting an environment that’s going to not only be protected from the beginning, is aligned with your expectations, but it’s also going to scale with you and your business as it continues to grow. You might start out with 2 SKUs and end up at 10,000. How does that look? You want to avoid having to move homes. I was in the military for a long time and we’re moving every 2 years. What a pain, man. It’s like, “All right. What do we do now,” and you got to go through that whole process again. It’s really, really challenging. Minimize that. Make sure that you’re planning for the future. Probably my biggest key takeaway is you can go online and search for eCommerce and a lot of the ads are going to say, “Hey, you can have eCommerce online for 20 bucks a month.” Awesome. Cheap does not mean secure. Again, what do you value, what are the expectations. I would not expect the most concrete security.
I would not expect the best feature set and capabilities, support and even overall security stance and response from a company that’s marketing me a $20 a month hosting environment for my eCommerce site. Don’t think of it that way. At the end of the day, you’re going to be making pretty good money. Maybe not right away, but at the end. You’ve got to maybe calculate that into your total operating expense and really budget for having something that makes a lot of sense and aligns with your requirement, not your wallet because at the end of the day, it’s going to cost you a lot more money. It’s going to cost you a lot more brand equity and issue and loss of customer base when you get hacked because your hosting provider sucked. Take your time. Cheap doesn’t always mean secure. All right. One of the things that I do when I’m looking for these hosting environments is I start to read reviews, again, and align with my requirements like how do they hit all those areas and how are people publicly talking about them. Are they getting blasted for really sucky support response or overall response time?
That’s a big deal. Have they had a breach in the last couple months or year, what have you? How did they handle that? Things happen. We know they happen. They happen everywhere. We’ve established that everybody’s a target, but it’s how we get through those things that’s really important and the controls that are put in place to minimize the risks of those things happening again. What are their overall security and security response policies? Do they align with yours? What are their requirements around updates and storing things on the server? If there is a type of breach, how did they handle that? Again, have they had major breaches? I think that’s an important one. Lastly, and again what we started this whole section with, are they PCI compliant? How do they treat that and what is their guidance on that? I think at the end of the day you can’t make assumptions. You really can’t depend on a thought that, “Hey, this is what I think they do.” No.
You have to do your part and you have to have real expectations about what your home should be and what their responsibilities are as opposed to yours. There needs to be a clear delineation. This needs to be black and white. Document it so that there isn’t any ambiguity later on when something does happen because it does happen. I can’t tell you how many times I’ve seen a client hacked and they put the blame on their host one, for allowing these things to happen, their site to get hacked and two, not having the ability to clean up the issue. Did you determine that that was their responsibility versus yours? Where is that document? It’s your responsibility unless it’s explicitly included in your plan and it’s got to be documented somewhere. In most cases it’s not included. Did you know that? Maybe you didn’t, but you should be researching that. We need to educate folks in that aspect I think. Make sure you fully understand every feature and service included with your hosting plan and what your responsibilities are versus the hosting provider.
If you have that knocked out upfront, you’re going to minimize a lot of issues and downtime later on. For me, I personally find it useful to use a hosted WordPress provider for my sites. In most cases, there hasn’t been really any major case where I’ve needed to steer from that. Some things that I’ve created or been a part of, applications and so on, we’ve created our own environment, our own infrastructure. Started off with some VPSes into data centers. It just depends on what we were building. In most cases for a WordPress site, which is what I use especially when it comes to eCommerce, hosted WordPress providers work really well. Again, have some that are, but that’s certainly my preference. They take the heavy lifting out of the equation, but at the same time I still understand what my duties and responsibilities are. I don’t go in to anything blind. I take out all assumptions and I make sure that everything’s clearly documented. That to me is probably one of the greatest risk reduction tools later on is we don’t get caught with our pants down. Everybody knows what they’re responsible for.
Don’t be afraid to ask either. If you don’t know, make a phone call, drop an email, open a support ticket. They’ll help you understand what they will do versus what you’re responsible for.
Bob Dunn: I always use the analogy when somebody comes to me and has an eCommerce site they’re starting and they’re looking for hosting and of course, a lot of people that come to me are looking to the cheapest place and I say, “Well, think of it this way. If you are opening a steak house restaurant and it was a brick and mortar and you were going to get really cheap property, but you find it in the industrial area and there are 16 slaughterhouses or you have to spend some more money and go closer to downtown where it’s a little bit nicer. Think about it.”
Dre Armeda: That’s exactly it. If you compare it to a regular brick and mortar business, that’s a good way to think about it, I think.
Bob Dunn: Excellent stuff there. Good list for people to go down for sure. It is a list and it’s a list that you did. I’m going to remember that.
Dre Armeda: Oh, boy. We’re fighting.
Bob Dunn: Okay. With eCommerce sites, there’s a lot of products. Some people have tens of thousands. I know in the past when I’ve done a little bit into it, it’s always recommended to use a CDN or a content delivery network that helps the performance and speed of loading the images and all this stuff, but also, from what I understand, that also plays a role in security. Is that the case and if so, why?
Dre Armeda: This is a good question and something that affects a lot of things on the internet from performance and the way that people view and get the request that they’re asking for from your websites all the way to SEO and the way that you might get ranked because of Google’s algorithm and how your site’s performing. Really important beyond even the scope of security which is where I like to focus on because I think that that’s a really important point. One of the biggest concerns with security implementations is always the impact to the website’s performance and we know that. What’s funny to me is that sites will have security implications and a high risk of performance issues. That’s going to happen if you get attacked and all that fun stuff especially when you don’t have a CDN, a content delivery network, or some type of caching capabilities enabled preferably at the edge because that’s really where you’re going to see some gains as you serve this information to those requesting from wherever in the world. I definitely recommend using a caching layer source like a CDN for your static content to be served from.
Whether caching on the site or through these CDNs, it’s super important. What ends up happening is these CDN networks, they grab a copy of your static content and have copies across their network globally, so they get served that closest instance of this requested content, whether that’s images, what have you, to the location nearest where the request is coming from. The distance traveled is less. You see this cache, so that request comes a lot faster. You see a huge improvement, a significant improvement. In fact, in some cases 50% faster. It’s just loading ridiculously quick. Definitely recommend the CDN. Depending on how WordPress is configured, you could see speed gains of 2 to 3 times faster. That’s pretty slick. Something that’s important here is the load and bandwidth utilized by your server infrastructure because now everything is being served from this network versus your server. You see less impact to your bandwidth, to your environment. There’s I think a myriad of benefits to using CDNs beyond just the performance. That’s certainly one of them. The other one is taking that load off of your server and environment for sure.
The other one I think is really protecting your original server, your origin server, your environment. That to me is probably the biggest positive impact of having a strong CDN. It’s the easiest way probably to mitigate external attacks because the availability of your site is super important. That’s one of those sections or legs of the triad we talked about last week, confidentiality, integrity, availability. Oftentimes attacks like DDoS, a distributed denial of service attack, will take down your availability. Having these CDNs and these cached assets around the world mitigates that pretty well because now your site may be getting attacked, but this stuff’s cached. It’s still there. It reduces the risk of your site going down if you have the CDNs enabled. We have a service. At Sucuri, we offer a web application firewall, a CDN capable firewall and it’s at the edge. It acts in this function. It proxies all your traffic through it at the edge, so it’s not your server, so that any malicious or let’s say nefarious traffic that’s trying to attack your site is thwarted before it ever reaches the network.
It never penetrates your environment. We stop it. We throw it out. Only good requests come through. It has some pretty cool features. One of them I think that’s pretty neat, especially when you start thinking about all those folks out there that don’t update their websites regularly, which you should be; if you’re running an old version, you should really be asking yourself why and get it updated. If you don’t, we’ve built in some mechanisms to help with that as well. Some of these services out there do this. This is one thing that we lead with because we’re more of a security product, a web application firewall with a performance increase as a byproduct. This CDN capability we’ve built in to the security protection layer that we’ve built. Let’s say you are running an old version of WordPress with a known vulnerability. The firewall’s going to recognize it. This is going to stop any attempts coming in to try to attack that vulnerability at the edge. It will never reach your WordPress instance. What we’ve done is we’ve created this application profiling engine that’s adjustable, which is pretty neat.
It knows good requests. Let’s say, “Hey, you’re running WordPress. The firewall knows you’re running WordPress. WordPress has all of these files. Requested these files. This is the interaction. It’s normal with WordPress. These are the calls that you see happening. These are the files that should be initiating,” and so on. Our firewall knows that. If any request comes in that’s beyond that or it’s doing something that doesn’t match that application profile, we spit it out. It just never reaches your site. It doesn’t execute, therefore protecting from that. We have all these known vulnerabilities already mapped into our signature base. We take a really holistic view of all those versions of WordPress, those known vulnerabilities and we’re able to stop any type of injection that is trying to attack that vulnerability. That is how we’re protecting at the edge and a good firewall CDN integration should allow for that. Again, the performance boost is super important and it’s a byproduct, but we have a caching layer that enables us to speed up performance of sites and serve your visitors with those requests closest to them.
We’re going to respond from the servers and the environments closest to them because we’ve got points of presence now, jeez, in 6 different data centers across the world plus our CDN points of presence which are spread out beyond that. It’s become a pretty big network to help improve performance. Again, I certainly recommend it. The best CDNs, again, I think are ones that function as a firewall, not just this performance optimization. I think that today’s threats are much more than just attacks against your availability, so it’s important to really protect all of those pieces. Imagine for a moment, like again, the impact to your business if your website went down during the checkout process or a user was unable to purchase your products because the site was down. Now imagine if it was down like that for an hour or a week, a month because of some type of attack to availability. CDNs I think help you with that.
It’s an important layer and I definitely recommend adding a web application firewall with that CDN. I think they go hand in hand. It’ll definitely improve your site performance and could help with sales and such. You won’t regret it.
Bob Dunn: Wonderful explanation. In a nutshell, performance equals security. Right?
Dre Armeda: I think to an extent. Right? There are some CDNs out there and products that are just CDNs and do not offer as robust a web application firewall that we offer or that’s available out there. I think it’s important to really approach your performance with security in mind. If you can attack both of those, if you can implement a solution that gives you a strong security and protection at the edge as well as those performance increases, you’re winning. Your clients are winning. Your bank roll’s probably going to win.
Bob Dunn: Yup. Good stuff. I haven’t heard it quite explained to that extent and that’s good because I have one on my site through my hosting. This will even give me more to think about. Cool stuff. Let’s pull WordPress back into the mix.
Dre Armeda: Oh, yeah.
Bob Dunn: We talked about all the so called issues around WordPress and tips and even created some lists against your will. Let’s chat about security plugins. I know we could talk a long time on this, but let’s just touch on it. I know that when I’ve had clients come to me because they were being notified, “Oh, my site’s being attacked. I’m getting all these emails,” something was turned on and they were just freaking out. They were thinking it’s constantly happening, which it was maybe in a sense, but it was being protected, so I’d have to try to talk them through that. Anyway, there was that part of it that often they would get in there and turn on these things automatically and start freaking out. What’s your take on those? Where do they play into the whole scheme of things with security as far as if you should do it? I know it’s an open wide thing, but just some bit of Dre insight here.
Dre Armeda: Oh, boy. Oh boy, boy. Yeah. It’s a seriously interesting question and I think it’s one that plagues the entire WordPress ecosystem. One of the powers of WordPress in my opinion has always been … It’s fairly straightforward to get a site up and running. When you compare it to that name-your-platform, it’s just super easy. The world famous 5 minute install. That’s bitching. That fosters and encourages this do it yourself mindset which is I think great, but it sometimes traverses into other domains it probably shouldn’t. I think security is one of those things. I think the problem today is that it’s impossible to differentiate the noises associated with a security plugin. What is real, what is not. We’re riddled with a lot of organizations out there and say plugin providers, service providers of all sizes, that are flooding the space with the misinformation. It’s really frustrating. Snake oil. FUD. FUD is a known word in the industry since well before WordPress. It pisses me off. You’ve hit a sore point with me here because I think that … We’ll talk about it.
There’s certainly value in plugins that are for security reasons, but there’s a lot of issues that go along with that. They’re really trying to oversimplify things and provide it with what I call really a false sense of security. At the same time a false sense of insecurity and I’ll explain it in a second. There’s a lot of great tools out there and then some not so good ones. They’re all a little different and designed to answer very specific questions. Just because they answer that one question though, it doesn’t make them the foremost expert on the subject. In fact, it’s the complete opposite. To the untrained eye, that’s, “Hey, look. These guys are really trying to help me.” They don’t know any better. Really take into consideration your favorite application plugin designed to do back end integrity checks or malware scans. They notify a user that there’s a problem and that’s great. They have these blaring sirens and flags. All of a sudden there’s all these alerts and crazy things going on in WordPress. I’m obviously exaggerating a little bit, but they tell the user something that’s wrong.
The user goes, “Holy cow,” and they freak out. They go to the forums. They go to support forums or whatever support services are associated with this. They check it out and they go like, “All right. I need to buy this product.” They go out. They go to social, what have you. They spend hours and hours debugging, looking for the problem. “What the heck is going on here? These alerts are telling me that I’m infected or I’ve got these issues going on.” It turns out that it’s a false alarm. It flagged a theme, let’s say an encoded file, or annotated a potential issue, not an active issue, and the end user is freaking out. That’s pretty crappy. Now the website owner’s completely exhausted from going through this whole drill and now they have this new found hate for security in general. It’s WordPress’ fault. This is baloney. That’s terrible. To me, that’s that false sense of security. “Oh, my gosh. It’s really trying to help me, but in essence it’s really a mechanism that doesn’t provide much value except being completely alarming.”
In the other instance they downplay other services or products that really have value and that’s where I get into the whole false sense of insecurity. That’s a funny statement. The idea of being that maybe the end user was secure, but because of your let’s say marketing tactics, you’ve now moved them away from a product that’s actually doing something legitimately of value, something that is helping them secure their environment. They’ve moved away from it because of your blatant disregard for that and sales tactics. That to me is pretty serious. There’s some serious problems here. The most frustrating aspect that I think is that a good percentage of the security plugins are employing these tactics to sell, to market their products. In my opinion that’s doing more harm than good to the community. Now that’s not just saying that they don’t have their place, but I do think that they are creating problems especially in a market that’s growing faster than we can keep up at least from an education perspective. Jeez, 25% of the market is WordPress today. I think WooCommerce alone is 33% of all eCommerce driven websites out there.
It’s challenging to educate everybody especially when it comes to security because again you run into these issues and it’s like, “Oh.” One term that I’ve heard over the years is it’s not information protection, it’s information prevention. You’re not letting me do anything. This is a challenge. That’s the side that I’m irked about. I think that we need to do a better job of educating folks and that’s the key. Now security plugins can be very useful tools to administrators to reduce risks or to respond to potential issues, again, this alerting mechanism and overall, to gain better visibility to some of the things going on with their websites. It’s not at all a loss by any means. I just think that we need to do better in terms of how we market, sell and educate. That said, they are never going to be the end-all to website security and should not be considered a smoking gun. It’s just not a reality. They’re sitting in the environment. The big thing to remember is I think plugins can’t protect you completely. We just had the conversation about CDNs and protection, web application firewalls at the edge.
Always remember that plugins sit in a very specific part of the technology stack. They are on your server. They’re connected to WordPress. Everything there has to initiate first. You’ve got PHP in the web server. All of that stuff’s running through. The requests are coming through your environment from, jeez, their router on in. Then they get to the actual server where your IP’s at, the associated DNS, all this fun stuff. WordPress initiates. Everything else initiates and then what? Then the plugin. They can’t protect you against things like DDoS because it’s already in your server. Everything else is loaded, so that traffic’s already penetrated your environment. It’s not a smoking gun for all types of attacks. I think that plugins that are used to do things like check failed logins in WordPress are super useful. I like the recording and reporting of events. Things like, “Hey, you had 50 people try to log in with admin over the last hour.” That’s important to understand why is that happening. There’s plugins that do that and I think that’s super useful. There’s a lot of value in understanding what version of software you’re running.
That’s a plus. Think about plugins that tell you out of your 50 plugins, 25 of them are out of date. Well, now that’s actionable. I can go and fix those things. That plugin has helped me. That’s valuable. I like alerting in general like I mentioned. If these things are happening, the plugin’s out of date, people are trying to log into my environment that shouldn’t be logging into my environment, I think that there’s other techniques like whitelisting of wp-admin and stuff that we could do. If you’re not doing that, alerting is really good. What if I receive an email or a text when these are happening, I think that’s super cool. I think that’s helpful. I think there’s plugins out there that do a good job around hardening your WordPress installations which is important. Not allowing PHP execution in specific directories and things of that nature. That’s important. Ultimately with the plugins, with services, with everything, the idea is defense in depth. Layered security is the most appropriate approach to managing your security. Extend to the edge. I think that’s a more reliable approach outside of your environment. Use a cloud-based firewall.
We need to think security. Again, I know I said this ad nauseam, but from a holistic standpoint, I think relying on plugins alone is just not going to cut it. We throw this on the table because I think this is an important note no matter if you’re using a plugin, a service, it doesn’t matter. If you have ninjas at your beck and call, you need to properly configure, you need to properly set up and manage these security controls. If they’re not configured correctly, if you’re not managing them, if you’re not taking action when there’s reported issues or you’ve been alerted to this stuff, they’re completely useless. It does you no good if you’re not using them correctly. That I think is probably one of the bigger takeaways right under defense in depth. Make sure that you’re using some type of layered approach.
Bob Dunn: When somebody comes to me, I get a lot of the do it yourself. When I was doing more coaching and that kind of stuff, they would ask about security plugins. My take was this, I said to them, “Okay. First of all,” just what you said. I said, “If you’re going to install the security plugin, make sure you install it correctly because if you install it incorrectly, it’s either going to be worthless or it’s going to cause more harm than good.” Then I said, “Do you really want to deal with that? Is that part of what you want your life to be based around because you’ve got all this other crap going on? You need to be dealing with that.” I always told them, “I think security plugins are great for those people who create, build, manage several sites. They know what they’re doing with that security plugin. They’re using it as a tool to tell them other things they should or should not be doing, not just relying on it. They know the way to use it and what to do next if something happens.”
That was my play to the do it yourself crowd where it’s like this is another piece you’re putting in that maybe you don’t want to have to deal with, and then I would just send them a link to sucuri.net.
Dre Armeda: There you go.
Bob Dunn: That too.
Dre Armeda: Look, we’ve got new folks jumping into the, “Hey, I can install, run, administer and work with WordPress,” space every day. We can’t blame them for the lack of understanding and knowledge of these inherent security things, administrative functions that need to happen and so on because they’re new to the space. It’s our job as a community, as folks in the business of WordPress, to educate folks as to best practices and such. I will put the blame on service providers. I will put the blame on plugin providers because if we’re sitting here creating this ridiculous false sense of security or insecurity, we are causing more harm than good. We need to be responsible stewards of the products that we’re putting out and these people that are coming in unknowingly using WordPress in an insecure way. I think that that is just bad business and we need to be more responsible community members. We really need to take the onus off of WordPress because it’s not WordPress’ fault. It’s not these people’s fault that are coming in and using these products.
We, as developers, as service providers, as plugin authors, need to do a better job of not letting our marketing and sales tactics get in the way of educating people and allowing them to have a proper experience with WordPress. Period.
Bob Dunn: Yup. Exactly. Yup. We are going to hit you with the number 5 question, the closing question. I’m going to let you take it in whatever direction you want to wrap this up.
Dre Armeda: That’s scary.
Bob Dunn: Yeah. I’m like, “Hey, Dre.” I made it fairly generic. When your site gets hacked, it’s never good. When your online store gets hacked, hey, we’re talking another whole issue that could damage your store. Earlier we talked about how we will be mentioning payment gateways more in depth in another show. Protecting customer information is huge. Beyond that customer information, payment gateways, and you may have touched a little bit on this and you may find a good direction to go with it, what are other areas we’re looking for specifically at eCommerce sites when it comes to security?
Dre Armeda: It’s a good question. That’s a very good question actually. I think one of the biggest issues with guidelines that have been maybe set forth with PCI is that it only focuses on the CDE, cardholder data environments. It doesn’t really place much emphasis on today’s eCommerce deployments in terms of how is this deployed and integrated. I think that that’s an interesting distinction to make. I think that attackers aren’t stupid. They’re not dumb. I think we need to take that to the forefront and think through that a second. Attackers are not dumb. If they can’t intercept your flow, your data flow, so all of that transactional information that’s moving from point A to point B, they’re just going to move to another place in that whole security stack, that whole security chain and figure out another way to infiltrate and attack and to get this information or to lure users into giving them their information. When an attacker starts focusing on the integration point itself, I think that we’ve really got to consider this as a big threat.
Instead of intercepting say data from point A to point B, you’ve got things like SSL and stuff in place. Great. They go in and they try to own, hack, exploit a WooCommerce instance for example, by adding say scripts into areas that redirect users at checkout. From there, maybe they use a means to redirect them to a place where the user still thinks that they’re on your site processing their information, but maybe they’re not. Some type of phishing checkout page. That’s an issue that we’ve seen growing and I think is again important to make the distinction because it’s very different than stealing that data as it’s happening on your site, a fake page for your users, for your buyers, to enter their credit card information on. We wrote an article actually not too long ago, I think it was at the end of December, Denis, Unmask Parasites, from our team who’s just brilliant, and to put it into perspective. His post really, really engages around phishing attacks targeting eCommerce checkout pages. That I think is extremely useful to understand that scenario.
In this specific instance, the attackers actually infected the checkout page with malware that would redirect the users to the attacker’s actual hosted page. It was on a completely different environment, different server. The visitors had no idea. What the attackers did is they scraped all the elements from the existing site, made it look identical. Exactly the same. The only difference was the domain. It was on a different domain. So the kicker here is that usually on these hosted pages they have their own subdomain. The average user just isn’t going to see that; it’s not that obvious. Even for the site owners it may take a while for them to figure this out. The eCommerce business was losing money every day in this specific attack and then when they realized what happened, obviously the website owner did the right thing. They fixed it and they went and got everything cleaned up. Ultimately they were doing everything they could on their site to be mindful of protecting their client and customer data. They still got nailed. They were focused again on the cardholder data environment, CDE, and not the application environment and that’s where they got nailed.
Those are two very distinctive areas I think we need to consider when we’re thinking about eCommerce. You’ve got the application environment, but then also where your cardholder data is stored. Something to think about. They failed to notice that someone had logged into their site and modified their checkout page. At the end of the day, their clients are the ones that suffered.
Bob Dunn: That’s a good point and that’s interesting because it does. It’s another whole piece into it and with all the different eCommerce plugins and people trying to get into those. Yup. Well, wow. That’s a lot of information to digest, Dre. A lot of good stuff.
Dre Armeda: Help me help you, Bob. That’s what I’m here for.
Bob Dunn: Wow. I’m hoping our listeners have the time to actually … First of all, if you haven’t listened to the first show, go back and listen to that and then listen to this one. Take all of this into consideration, what Dre’s recommending, what actions you need to take. Just remember when you have a brick and mortar shop, there’s nothing worse than getting robbed, but hey, I’m looking at security hacks into your online store that can be just as paralyzing and in a lot of cases even worse. That’s why I’m bringing experts like Dre in to help you secure your site and make sure it’s safe. As I mentioned at the beginning of the show, we will be talking even more about PCI DSS next Monday, so you’ll want to make sure and tune in for that. I just want to thank you again, Dre, for coming on today’s show.
Dre Armeda: Hey, it’s my pleasure. Always excited to talk about this. My whole life is this since early on. Security days in the military to help people protect themselves, protect their assets, protect each other. Anytime I can come in and help educate, I’m all for it, man.
Bob Dunn: You know I’ll take advantage of that offer all day. Love it. Also if you want to prepare your site for optimal online security or if unfortunately it’s too late and you have been hacked, check out Sucuri.net. That’s sucuri.net. Make sure and subscribe to their blog because they have tons of information there. Until next week, keep secure and tune in to our next WP eCommerce Show.