Securing B2B Tech Websites Webinar With WP Engine
Webinar Summary
The Securing B2B Tech Websites webinar is co-presented by Jeremy Balius, Co-Founder and Managing Director of Filament, and Ricky Blacker, Head of Technical Services APAC at WP Engine.
In this webinar, Jeremy and Ricky discuss the importance of website security for B2B technology companies. They highlight three key reasons why website security is important: ransomware protection, reputation and trust, and search engine performance.
The conversation then focuses on five risks that websites face: non-secure hosting, no disaster recovery plan, encryption threats, vulnerable code and plugins, and website access controls.
They provide insights and strategies for mitigating these risks and emphasize the need for a managed website solution.
Key Webinar Takeaways
- Website security is crucial for B2B technology companies due to the increasing prevalence of ransomware attacks.
- A secure website builds trust and reputation with customers and partners.
- Search engines prioritize websites that are always accessible and have fast loading times.
- Non-secure hosting poses a significant risk to websites and should be carefully considered when choosing a hosting provider.
- Having a disaster recovery plan is essential to ensure website uptime in the event of a data center outage or other catastrophic events.
- Encryption is important for website security and can improve search engine rankings.
- Vulnerable code and plugins are common entry points for hackers, and regular updates are necessary to mitigate this risk.
- Implementing website access controls, such as limiting login attempts and using multi-factor authentication, can prevent unauthorized access and protect against malicious activities.
Read the Webinar Transcript
Jeremy Balius: Hi, welcome to our webinar Securing B2B Tech Websites. I’m Jeremy Balius, co-founder and Managing Director of Filament, the digital marketing agency for B2B tech companies.
I’m joined by Ricky Blacker, Head of Technical Services, APAC at WP Engine. Hey, Ricky, thanks for co-presenting on such an important topic with me today.
Ricky Blacker: Thanks for inviting me along, Jeremy. It’s a very important topic and I’m glad we’re discussing it.
Jeremy Balius: We’re here talking about website security for B2B technology companies. And so whether you’re an ISV, a Cloud or Infrastructure-as-a-Service provider, an MSP, an MSSP, SI, a VAR, a Distie, or even a B2B SaaS platform, this webinar is particularly relevant for you.
And I wanted to start with why is website security so important?
There’s a number of reasons, but we want to start with three in particular. And the first one is ransomware protection.
Ricky, when we consider today’s cyber threat landscape, why is it so important to protect our websites against ransomware attacks?
Ricky Blacker: It’s like anything, you need protection from it. With our websites, with ransomware, it’s getting all these hacking attacks, attacks, wanting to hack. Bitcoin ransoms, they’re becoming more prolific.
They’re usually organized crime doing this. It’s very organized and very succinct. But the thing is that like a locked door, criminals will go past a locked door and look for the unlocked door.
They look for an easy access point. So making sure that your website is secure, safe and secure, will at least deter majority of those attacks.
Jeremy Balius: That I think is incredibly relevant in today’s world. Second risk we want to talk about is reputation and trust. And we believe your website as a B2B technology company is the most important asset in your marketing mix.
And depending on your company type, it might also have an integral role to your partner program, to your customer purchasing, or even to your service delivery, and there’s an expectation that your websites are always on. Downtime’s unacceptable today and your brand reputation is at risk if a company can’t keep their website up.
What does that say about your products and services and what might be inferred when your website can’t be accessed? So it’s real important to ensure that your website’s secure at all times. The third we’d like to highlight here is search engines and performance. Ricky, why do search engines need to see uptime on the website?
What does it need to be on all the time?
Ricky Blacker: It needs to be on all the time because you don’t know when that crawl is going to hit your site. And if your site’s not up, it’s going to impact negatively on your score. And the performance as well. We all know that Google ranks on how fast your site loads, as well as how good the content is.
Jeremy Balius: Yeah, that’s exactly right. That performance has a real user experience impact. Which again, impacts reputation, but search engines, not being able to access your site, we see rapid declines in search engine optimization and, and even rankings, the longer there’s downtimes. You’re absolutely right. It’s critical the website’s up.
That’s a great segue for us to really get into why we’re here today talking about securing websites. And in order for us to understand website security, I think it’s important for us to focus on those risks that websites face. And we’ve got five that we’re going to talk through today.
If we’re looking at the first risk a website might face, let’s start with non-secure hosting. Ricky, why is non-secure hosting such a key risk to websites?
Ricky Blacker: This is a really interesting one because it’s one of the things a lot of people don’t even consider when you’re looking for a host. We look at the price, we look at what specs they might have, some inclusions, whether you like the company, but very rarely we ask if they’re secure.
What kind of security measures they’re taking. And there are a lot of hosts out there who don’t take the necessary security protocols in, put them in place to make sure that your website will remain secure. There’s a lot of things that need to be done running the most, the updated software. So there’s a lot of software that runs on the server to allow your website to, to basically work.
Especially if WordPress, if you’re using WordPress websites, you need PHP, you need Apache. You need MySQL and Linux, all of those separate softwares and all of those, there’s multiple versions of those softwares that could be out of date. So making sure they’re up to date, the most recent stable up to date versions.
Cause all the old versions do not get security updates, which makes them vulnerable. They, people know the vulnerabilities and can hack those very easily. So it makes your website very easy to hack. The other thing is there’s a lot of things that a hosting company can do. Have they hardened the infrastructure?
Have they blocked off any access ports that don’t need to be open? Are they following the best practices at minimum? There’s a lot of best practices for security. And more importantly, do they have any security credentials? So there’s a lot of credentials out there that you can attain where you are held to a high standard of security.
A company will audit you and make sure that your security standards are very high. With WP Engine, we have the ISO 27001 accreditation as well as SOC 2 compliance. And they’re very important because that holds us, we get audited on those every year and we have to maintain a very high level of security across our entire platform and it extends to how we hire people, how, what access we give out our staff, how we treat your website, how we keep it secure.
So checking whether your host has that kind of security in mind, if they keep their platform secure, is very important.
Jeremy Balius: I agree. I think there’s going to be an increased focus on this. B2B tech company business leaders are aware of regulatory and compliance that they need to adhere to both for themselves as well as for their clients and extending that to their website as well as where it’s hosted is going to be increasingly important.
Let’s move on to the, uh, second risk here. No disaster recovery plan. What’s going on with no DR plans, Ricky?
Ricky Blacker: Yeah. And these can be called various things. Uh, disaster recovery plan, uh, business continuity plan. There’s a lot of words that we can throw around and letterings to describe this, but basically it boils down to how we are going to get your website up if a worst case scenario happens.
Uh, no matter whether you’re using cloud or dedicated infrastructure, it all resides on a computer somewhere. And what happens if that computer goes down? If an entire data center goes down? And it could be down for some considerable times.
Maybe it’s a, there’s been an earthquake in that region. Something’s happened. How are you going to get your website back up? So good hosting companies will have a disaster recovery plan so that if the worst case scenario happens, they have a way of getting that back up. And with us, like with WP Engine, for example, we keep all of our backups.
We back up on a daily basis. Sorry about that. We back up our sites on a daily basis. We can bring those backups to cloud hosted across various data centers. So we’re not relying on one data center to host that backup. And it’s away from the server that your website’s on. So that means even if your entire data center goes down, we can grab that back up, go to another data center and bring your website back up.
It will take a little bit of time, but it’s not going to be, if you don’t have that disaster recovery plan in place, the chances are your site could be down for days rather than maybe an hour or two.
Jeremy Balius: I think this is a really interesting point you’re making because executives aren’t necessarily thinking about the impact of downtime when it comes to their website.
They might be thinking about downtime when it comes to operational, um, infrastructure and what happens if we can’t, um, have our staff interacting with applications or being able to send an email, but the impact of not being able to purchase on your website or to interact with what your stakeholders need to be interacting with has an impact as well.
And it needs to be factored into their disaster recovery. Uh, third risk we’d like to highlight today is encryption threats. What can you tell us about this particular threat, Ricky?
Ricky Blacker: This is a really good question, and honestly, if you were to go back, I’d say 10 years ago, the idea of encryption on websites was something that only big e commerce sites would have any interest in.
Interestingly enough, about 8 years ago, 9 years ago, Google actually made encryption a ranking feature. So apart from keeping your website safe, encryption is also good for your ranking because it shows to Google and the rest, any other search engine that you take your website seriously and you want to make sure that it’s encrypted.
And when we’re talking about encryption, the most basic one is what we call an SSL or when you see the HTTPS. And back in the old days, Google would, if Google Chrome would actually show a little green padlock if you had an SSL certificate, which would show to the world that you were encrypted. And the idea is it’s when you visit a website from a browser, the interaction between your browser and the server that holds your, the website, uh, is on, if it’s unencrypted, people can hack into that code.
Uh, and for example, if you were uploading data, maybe adding your data, you know, your personal information to a contact form, somebody could intercept that data and steal it basically. With SSL’s encryption, it encrypts it like on our telephones. I know mobile phones, there’s an encryption on that. So people can’t listen in on your calls.
So we have this encryption, the SSL encryption, which most hosts will actually give to you for free these days. There’s no reason not to have it. There was a time where you had to buy one and it was quite a laborious task to get one set up. And now most hosts like WP Engine, you click a button. In fact, at the moment, the SSLs are added automatically without you having to even do anything these days.
The other thing too, with encryption is your data can be encrypted at rest. In other words, when it’s on the hard drive, there’s encryption that can happen there to further safeguard your data and your website. So that’s something else we do is encryption at rest.
Jeremy Balius: I think as a WP Engine partner, what I also benefit from is the flexibility that WP Engine offers when it comes to the SSL certificates, either being able to offer our clients that it’s automatically deployed through the global edge security, or if the clients have particularly self-deployed certificates that they need, that those can be brought into WP Engine pretty seamlessly. Fourth risk we’re talking about today is vulnerable code and plugins.
This is probably the most known. Let’s dive in.
Ricky Blacker: Yeah, and this is probably, when we talk about security risks, this is probably the big one. This is the one, and it’s the easiest one to solve too. Security every year put out a report on the top three CMSs, which are Drupal, Joomla, and WordPress usually ranks at 96%, has 96 percent of the hacks, basically, and a lot of people look at that and say, Oh, WordPress is very insecure.
Unfortunately, the reason why it’s at 96 percent is because WordPress is at about 40%, 44 percent of the web. So it’s by volume, much more secure. Larger than Drupal and Joomla, which is only about 1%.
But the interesting thing about that report is that the majority of those hacks come from plugins or themes or code that hasn’t been updated or was insecure. So with WordPress, especially you have plugins and themes and WordPress core itself, which are constantly updated. Whenever there is a vulnerability found, we, the powers that be, will jump on that and make sure that the code is updated and then an update is released.
So keeping your plugins and themes updated and the code, making sure you don’t, if you do write some custom code yourself, you need to make sure that it’s kept secure. And that’s why we have agencies that do all that for you to make sure that the code is safe and secure.
But that’s probably the main reason people do get hacked is they don’t manage the updates on the plugins and themes, especially, and also going back to my original, the first question there, when we’re talking about secure hosting, once again, that software, the LAMP stack, any software, any infrastructure running, if it’s running software that needs to be kept up to date as well, it suffers the same problem.
If it’s out of date, there’s vulnerabilities that can be exposed.
Jeremy Balius: Thank you for the detail on there. I think this is, this is such an important and critical topic as leaders are thinking about in what ways does their website actually need a managed service layer to it, to ensure constant protection is very important.
Let’s move on to our final risk, website access controls. What does that mean, Ricky?
Ricky Blacker: That’s a good question. And once again, this is one of the most common ways that, that sites can be hacked or made vulnerable. Access controls. When we have a website, a lot of times we need to get into the back end of the website to make changes.
All people may be creating content or even customers. If you have an e-commerce site, they have a certain level of access to the website to become a member of a website. You an e-com store, you become a member so you can check out faster and get more, a personalized shopping experience. Every time somebody accesses a part of the website, it exposes it to potential corruption or, or hacks happening.
So how can we limit that? And there’s lots of ways we can secure websites at a very basic level. We’ll try and what they call brute force access into a website. And that’s where they will just, if you have no limits on how many times somebody can try and log in, they can basically run, especially if they get access to a username, they can run a whole heap of different passwords until they find the right one.
It does take time, but if you don’t limit, so one of the easiest ways that you can stop that is to limit the login attempts. So if you try to log in five times and it fails, it’ll block you out for 20 minutes. And if you do it again after 20 minutes and it fails after five times, it might lock you out for an hour.
So things like that will deter because a lot of these hackers, happen for a person sitting at a computer trying to hack in. It’s a, it’s software that scans the web, the internet looking for insecure websites. If they, once again, if they hit a hurdle, they’ll move along to the next one that might be easier.
So having a limit of login attempts, which we do at WP Engine out of the box, is probably one of the first ways to do that. The other thing that I see a lot of issues with, people will get a website, they’ll get the login and they, there might be 10 people in the company and they’ll say, Hey, here’s the login for the website.
And they’ll share that login with 10 people. There’s two reasons you really shouldn’t do that. While it is the easy way to do things, that means that you’ve got 10 people who potentially, you know, can cause problems on the website and it’s also very hard if there is a problem to identify who caused the problem.
If everybody’s logging on under the same login, also if you’re creating content, uh, you can’t have two people in the same login creating content. You need that, it’s, WordPress is very clever in the way that if two people, if you are trying to create content on the same page, it knows that they’re doing that and it’ll let you know.
But if you’re using the same login, it just assumes it’s the same person and you could actually overwrite somebody’s content without knowing it. The other thing too is when you’re setting up those, so setting up super separate users is really important. So everybody has their own login, but also setting up roles.
So you, like when you think you can have a super admin or, and then admins, and then you can have content creators and, and customers, for example, you don’t want to give customers full access to your website. You, you lock them down to a very basic amount of information. Setting roles, and you know, there’s plugins out there that you can get that can set, you can create roles with, or there’s ways you can do it in WordPress.
So limiting how much somebody can access is very important. On top of that, probably the easiest way to really make it secure is to have multi factor authentication, and you can get plugins for that. Multi factor means that even though you might have the username and password, it’s, you might need to use your mobile phone to do an extra.
It’s a standard thing to log in, or maybe you have to use an authentication program or something like that. Having two steps means that even if somebody, because one of the ways that people can hack in is just walking through an office and people will have a sticky note with their username and password and somebody can just easily walk through, take a photo of that for their phone and next thing they’re hacking into your computer system.
So having the two factor stops that kind of thing as well.
Jeremy Balius: or malicious and having these website access controls helps you mitigate these risks as you’re controlling who is able to access the website and in what way and for what reason. So that the way that you’ve structured that I think is fantastic.
Ricky Blacker: Even further to that too, if you want to go to the next step, single sign on software is another way, especially if you have a company of a lot of employees and they all need access to say your website, but also other software, uh, single sign on software. If you can integrate your website into that as well, it allows you to give people access to what they need.
It also allows you a way to control if somebody does leave the company, you can cut them off from that software very easily. And then if you want to take things to the absolute extreme, the other ways you can do really limit access to your website, there is a, you can change the login page for WordPress, for example.
So it’s very well known what the login page URLs are. So some people will actually change that URL. So it’s not as easy to find; people who know what the URL is can find it. And even more extreme is if you whitelist your IPs to the login so that you have to be on a certain IP address to log in as well, and any IP address trying to log in will be blocked, although that can cause problems if you’re trying to log in from home and not on the company network, that can stop you from logging in, but there’s ways around that as well, even with a company with VPNs and so forth, but access, obviously, very important, accessing the website on the internet as somebody visiting the site, you want people to be able to get to that as easily as possible, but for people trying to log in, having access to the backend where they could do malicious damage to your website, limiting that to as much as you can is very important.
Jeremy Balius: Thank you for articulating that so clearly. I think that’s going to make sense to, to everyone today. So those are the five risks facing websites and how to mitigate them. Thank you for watching and listening today. If you’d like to discuss what a managed website solution could look like, please get in touch.
Our agency offers a managed website service powered by WP Engine. We’d be happy to talk about your needs in the context of these risks and the security options and opportunities available to you. Thank you so much.