Episode 9 – Protect Your WordPress with Regina Smola

Regina dropped additional nuggets of sales and marketing goodness in the EXTENDED Interview. Be sure to click here to access all of our great extended interviews, transcripts and more within our Insider's Club.

You can try it for the entire month for only $1.00!


Expert Insights on Protecting Your WordPress


Click Here To Learn More!

Regina Smola, “the hacker attacker,” is the web’s leading WordPress Security Expert and server specialist.” Clients who work with Regina know their WordPress website is safer, leaving them to work on their business, add value for their customers and clients, and make more money.

Podcast Transcription

Brian Basilico: Hi, welcome everybody and thanks for joining us today at Mymarketingmagnet.com, I am super excited to have our guest expert, Regina Smola who is a real-life geek and she works on protecting WordPress sites. Welcome, Regina.

Regina Smola: Well, thank you so much for having me, Brian.

Brian: Regina, why don't you tell us a little bit about yourself and how did you get into WordPress security?

» Expand To View More - Click Here

Regina: All right. Well, first off I'm a proud mother of two wonderful boys who are grown, and I'm an empty nester, and I have two cuddly Golden Retrievers at home that keep me entertained while I'm working in my home office. I have a passion of helping others, and I'm a geek at heart so hence the niche that I'm in is where my heart belongs. I've been an online entrepreneur for a little since 1999, and I started in affiliate marketing. And in 2004, my mother and I started our own coupon site trying to earn some commission online and after spending $3,000 on a custom PHP website. It got hacked.

Brian: Oh.

Regina: So I was a victim. It took me three weeks to clean it. I asked my host, “What happened?” when I first started seeing these Viagra ads on the homepage of my website and I wanted to know what they did about it. What they did – they said they didn't do anything about it. It was hacked and I didn't know what that meant. I immediately went online and started researching and figuring out ways to clean my site, and ways to keep my site secure. There was not much detail back in 2004 on it but I spent years studying and I still continue to do so.

I think it was in 2006, my friend, Kelly Claypool, she asked me to speak at her teleseminar because she knew I had several people online cleaning up their websites as my mission continued. The feedback was so great that I decided that I needed to help these people and stop worrying about affiliate commissions on coupons. So I closed down the site and I started my own business as strictly with security focusing on WordPress because after spending $3,000 on a custom PHP site, I realized, “Hey, the developer's gone, the code is custom, nobody else knows how to update it” and one of the things I had to do is make sure stayed updated. So I switched to WordPress and I absolutely love it.

Brian: Answer this question – I know the answer too but maybe some other people out there don't – why do hackers hack? What's the point?

Regina: Well, the simple answer is because they can. It's a challenge for them. They like to brag about it – political, religious reasons, revenge. I've seen hackers for hire on the internet. They get paid to hack people. But ultimately, they are trying to steal content, identities and people's money.

Brian: Wow. Yes, that's the scary part about it. It all boils down to they're looking for contact info, for Social Security numbers, for credit card info and all that kind of stuff. So what happens when a site gets hacked? I mean, literally, how do they get in there? What are they doing to it and why?

Regina: Well, many times people don't even know they've been hacked until somebody tells them about it. They'll get a Facebook message or a Twitter message that says, “Your site is sending me somewhere.” Or they'll be checking their goal rankings and they'll search for their site on Google and notice that their title and their description is all spammy. It's not even what anything to do with their website but the site looks normal. People get hacked, they panick, they cry, they feel lost, their site's been defaced, it redirects or their hosting company sends them an email and says, “Hey, we've shut your site down due to malware distribution or distribution of computer viruses.” Because that's one of the bad things about this, Brian, is when they hack your site with malware, they'll upload a file to your site unbeknownst to you that when somebody comes and visits, they can even set it up where it's only if they come from Bing, or only if they come from Google, or only if they're on a cellphone, and if they do that, it will immediately try downloading the virus to that computer and if that computer or phone is unprotected, then they can get a virus and they can break into that person's computer, or completely wipe out their files.

Brian: Wow. That's scary.

Regina: And another scary thing to is I've seen phishing sites. Are you familiar with phishing sites?

Brian: Yup. Capital PH.

Regina: Yup, capital PH. I've seen people receive emails. They've sent me the emails that they're getting from some official, authorities that are telling them that if they don't see some cease and desist immediately, that they could face penalties or jail time, and/or jail time. They're like, “I'm not a phishing site, I don't understand.” Then I go in and I look and inside of a directory folder – some people call them folders, inside of directory, inside of another directory, inside of another directory – there's another directory that has these files and when you open and look at them, it looks like you're at the Bank of America. They'll build another website on a domain that's close to the bank's real domain and they'll iFrame it from your site, on there so that it's actually coming from where your files are. So people don't even know it's happening and it's just very deep within.

Brian: Yes, that's crazy. So what's some of the best ways that people can protect themselves from these kinds of stuff?

Regina: Well, first off it starts with you in being proactive. Being proactive – security is not sexy but you have to make smart choices to help keep your website and your visitors' computers safe. So having a clean and protected computer yourself is the first start and only using secured internet connections is important as well. Another thing that's really important is having a backup in case you get hacked so you have something to restore to. Having good usernames and passwords, or strong usernames and passwords, registering your site with Google webmaster tools and using a good email.

Google webmaster tools – I don't know, there's a lot of people out there they haven't even heard of it or just don't do it. I see it happen a lot. If you go in there and register your site, it only takes about three to five minutes to register and verify your site. If your site looks suspicious, Google will send you an email and tell you so that you have an idea that it is happening before it's too late. But a lot of people that do do it use email they never check so they miss it. So it's really important to have a good email and being registered with Google webmaster tools.

And really important is keeping your site up-to-date, everything up-to-date, using a good hosting company and check to make sure they're doing their updates on their end; and one of the big things that you should have is an SSL certificate for your domain. It's not the one that comes with your hosting account, it's just one for your domain online.

Brian: Good stuff.

So Regina, what are some of the most basic common mistakes that people make with WordPress security?

Regina: Well, they all set it and forget it. They just put it up there, keep on going, adding content, don't even pay attention to that big gigantic – there's an update at the top of the page. They think their site will update itself. Using some crazy password or password, even if it is crazy, on multiple sites. They've got the same one for Twitter, Facebook, their email, their website and that could end up being a catastrophe because you can get everything hacked.

Sharing passwords in an email. So you share a password with somebody you hired over at Fiverr.com and their computer's infected and they're reading their emails. Now they have your password. Or something even crazier is going over to WordPress.org and saying, “Hi, I'm working on my client's website and I can't get into the back end. Can you try?” And they'll actually put the website, the username and the password publicly on the website asking someone else to check to see if it works.

Brian: That's bad.

Regina: Crazy stuff.

And one last thing, Brian, thinking that the host is responsible for their site content and their back ups. They're responsible to host your site. If they're a good hosting company, they'll keep a backup but what happens if that backup is corrupted? What happens if you have too many files and they can't backup your site? You're ultimately responsible.

Brian: Great point. So what kind of plugins and things do you recommend that people use to keep their websites up-to-date and stuff?

Regina: I'm going to recommend some products from iThemes. I don't work for iThemes but I do know the developer of my favorite plugin right now and that is the iThemes Security Pro plugin. That plugin does a lot to help protect your website and Chris Wiegman is the developer of that plugin and I worked with him for years. I'm helping to make it better. I've contributed a little bit and he's just really a smart guy and I trust his code. So iThemes Security Pro is an excellent one to start with.

BackupBuddy is a great backup tool. They also have some free backup plugins over at WordPress.org that you could give a try. Then, for automatic backups I would recommend iThemes Sync. iTheme Sync is a plugin that you can take and install on your website and you can go into one location, update your site, multiple sites in one location. I know, Brian, you said you used something for your updates?

Brian: Yes. I use ManageWP which is a paid for platform but it does the same thing. It updates your plugins, it'll give you backups and all those things so it helps automate that stuff.

Regina: It's really nice to login some place and see what you need to work on, isn't it?

Brian: Yes, it is and it emails you too and says, “Hey, this website needs an update.” So it's nice that you don't have to login to it just by remembering to do it because lord knows we all have ADD. Right? You're off doing this and that so it's nice to have something that least alert you to what's happening.

Regina: Absolutely. I have two more plugins I want to recommend.

Brian: Oh, Go ahead.

Regina: WP-Optimize, really a great plugin for keeping your database optimized and getting rid of the extra junk that WordPress doesn't delete on its own. For those of you that want to use a SSL Certificate, I highly recommend it. WordPress HTTPS is the name of the plugin and that helps you to secure your plugins or your images. You know when you go to a website and there will be a little warning message on the HTTPS because some of the data is not over SSL? That plugin will help you take care of those.

Brian: Cool.

So what are some of the more advanced ways you would suggest to maybe protect your WordPress?

Regina: Well, I have some key points. One would be at least doing daily malware scannings on your website and also having up-to-date anti-virus software on your computer that runs 24/7 so it's always on when you go somewhere online or opening an email, and then that scans your computer at least once a day. Using a password management system, I use LastPass.com, it's free or you can pay $12 a year and have some extra features like using it on your phone and use a unique and strong passwords, that helps you do that. Unique meaning a different password, a crazy password for every login that you use online.

Brute force protection is important. We were talking about how they break in and one of the things that you want to do is block people from continuing to guess your username and password so like after five or six attempts, you want that IP address to be blocked for a specific amount of time. One of the key things to hide your username is to change your – go into your database, it's kind of techie but you can go into “PHP My Admin” from your “cPanel” and go to the user's table, and just by adding in your “user_nicename” to something different than your login name or vice versa so that on the outside, the username is not going to be exposed.

You guys can check this for yourselves, go to your website, so domain.com/?author=1, that would be the ID of the user and try ?author=2 and ?author=3, whatever ID numbers that you have. It will actually show your username up in the address bar. Also, if you click on any post and right-click on it and view the source, in the body code, the opening body tag you can see your username. By changing the username_nicename to something different than your login is going to hide that from the public. That's half the combination.

Brian: That's fabulous stuff. Anything else?

Regina: Well, I know that you and I tested your websites for this before we did this podcast and we found that one of yours was protected and the other wasn't and within a couple clicks you were all fixed.

Brian: Yes, it's a beautiful thing and you showed me something really cool which is one of the plugins that I use which is Wordfence which is similar to your IP security one that you mentioned. As I was able to go in and look at live users, so I could see people downloading the podcast and I could see where it was getting hacked, and I actually found just by using that tool that my podcast is being shared over in Germany so which is pretty cool.

Regina: Absolutely.

Brian: So there's a lot of information that you could learn from that stuff so this is all fabulous great stuff and I think people are really going to appreciate the level of detail that you put into this.

Regina: All right, so one of the things that you should do is do a “WordPress file comparison scan.” We only download WordPress from WordPress.org, we download plugins from WordPress.org or install them from the dashboard, and the same with themes. Any files that you've received or gotten over there, you can do a file comparison to make sure they match, they need to match, and that's one of the thing hackers do is they break in and they alter those with their own malicious code and their scanning tools to do that so I think Security Pro does it and Wordfence does it. So both of those are great tools to use. One of the things you were talking about with me was the fact that you let someone have a free website and it infected everything on the server?

Brian: Yes.

Regina: Okay, that's really important that people don't host multiple domains, they're called “addon domains” in the same hosting account. Each should have their own cPanel and it's very simple to do, all you need is dedicated or VPS hosting and if anyone ever needs help with that, there's lots of information online or I'd be happy to answer those questions for anyone.

You should also periodically check your server permissions. Put together a monthly checklist of the things you want to check at the first of every month. These things that I'm mentioning here and just follow them or hire someone to do that for you. Like for instance disabling PHP execution in uploads. One of the major targets hackers do is they go in and upload a PHP file by finding a back door from an outdated plugin or vulnerable plugin and they'll upload a file in your uploads directory buried from like three years ago and you don't even know it's there and they'll name the file, let's say you have a picture called Brian.jpeg, they'll name it Brian.php and you wouldn't even notice it and that's just hacker because I call them trigger files, the ones that distribute this malware and it will spread all over so disabling that and both of those plugins, I believe, help with disabling the PHP execution.

And two more things: activate SSL on your entire website so your website will be HTTPS for every single page and every single post. It's not going to hurt your SEO. I changed both my sites over to HTTPS and Google's loving it. They're indexing my pages with HTTPS. What the means is anytime you're inputting username and password, it's encrypted. So you're over an encrypted connection when you're entering information into fields. Last but not least, build a team that you can trust and make them follow your security procedures. You really need to have people that you can trust working on your websites.

Brian: Very good point and that's making sure that when you do move people from your team, that you delete their username and password so they can't get in there later and don't use the same one for very person that shows up, right?

Regina: Absolutely. Good point.

Brian: Good. Well, thanks.

Hey, Regina, this is fabulous stuff. I really appreciate you taking the time and giving so much great detail. So one of the thing I know, that you have a system that you use to help people do this. Can you describe that to us a little bit?

Regina: Sure. We offer monthly security package as where every month you pay us a fee and we take care of your site – monthly, weekly and daily. So let's say that you have a plugin that we have been alerted that contains a backdoor for hackers to get into and it happens quite often, we have an entire team that go through and check these things on a daily basis. If you have that plugin, we are aware of it. We go over and take care of it, patch it right away or disable and delete it, and let you know, “Hey, we've taken this off.” So we have that available as well as taking care of all your backups, all of your security so that you can concentrate on your content, your SEO, your traffic and basically making money. We also clean malware-infected websites and we also do a WordPress repair in case you break your website.

Brian: That's awesome. It's always nice to have a service that you know that you can trust and that's especially with this so I honestly don't know many people do what you do so that's fabulous.

So anyways, what is the best way to get a hold of you? How can people contact you?

Regina: Okay, the best way to get a hold of me is by visiting our website. It's Wpsecuritylock.com and we have a highly-trained team that work around the clock. We're available with live chat, secured ticket system over the telephone, over Skype.

Brian: That's awesome. I mean, you've got a lot of way to support people and I'm sure they're going to appreciate that. So Regina, thank you so much for joining us. Man, there are so many nuts and crannies to this stuff that you've really got to make sure that you batten down the hatches and control your own destiny and protect yourself from hackers. So again, Regina, thank you so much for your expertise and insight.

Regina: Well, thank you so much for having me, Brian.

Brian: So that's this week's Mymarketingmagnet.com. Man, that was a lot of stuff. Make sure you listen again. Check us out on iTunes, give us a rating, tell your friends and whatever you do, show up next week for our next Expert Interview.


» Close View More - Click Here

No comments yet.

Leave a Reply

Insider Log-In

Powered by WishList Member - Membership Software