
Episode 70: Customer Education and Agency Resiliency with Jon Bius

This entry was posted in Podcasts on March 14, 2020 by Kathy Zant

We chat with Jon Bius, a web developer at Biz Tools One, an agency in Fayetteville, NC, about how they use customer education to build relationships and differentiate their business. Jon has been helping customers build websites for over two decades, and he talks about how WordPress helps him empower his customers.

In the news, we cover two plugins with vulnerabilities, more cancelled WordCamps, some hackers taking advantage of the fear surrounding COVID-19, the rise of remote work, and what’s coming with full screen editing on by default in WordPress 5.4.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:05 Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites
2:18 Vulnerability Patched in Import Export WordPress Users
3:47 More WordCamp cancellations due to COVID-19
4:07 Coronavirus Maps containing malware infecting PCs to steal passwords
8:05 Remote work skyrocketing
9:27 Full screen editing mode on by default in WordPress 5.4
12:54 Interview with Jon Bius from Biz Tools One

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press@wordfence.com!

Episode 70 Transcript

Jon Bius:
You’re talking about somebody who’s from the accounting department at a local real estate company, and their whole reason for being here is they were the ones that when the boss said, “Who wants to handle the website,” they were the first ones to make eye contact.

Kathy Zant:
Hello, my WordPress friends. Welcome to episode 70 of Think Like a Hacker. Today we have some news items as well as an interview with Jon Bius. Jon is a developer at Biz Tools One, an agency in Fayetteville, North Carolina. Jon has been developing sites and retaining customers for 20 years. He has a great perspective on what makes an agency successful. So I asked him some of those questions. In the news today, we have a couple of plugin vulnerabilities, as usual. We have some hackers taking advantage of coronavirus fears, news that remote work is skyrocketing, and full-screen mode editing coming in WordPress 5.4.

Kathy:
First vulnerability is patched in Popup Builder plugin installed on over a hundred thousand sites. One of our quality assurance analysts, Ram Gall, found this one, and he worked with the developer in order to get it fixed. As for the vulnerabilities, one allowed an unauthenticated attacker, that means basically anyone, to inject malicious JavaScript into any published popup, which then could be executed whenever the popup loaded. The other vulnerability allowed an authenticated logged-in user, even with minimal permissions such as subscriber, to export a list of all newsletter subscribers, export system configuration information, as well as grant themselves access to various features of the plugin. This has been recently patched. Make sure you upgrade to version 3.64.1 immediately.

Now, Wordfence premium customers got their firewall rule on March 5th to protect against exploits targeting these vulnerabilities, and those of you still using the Wordfence free version for the community will receive the rule after 30 days, April 4th, 2020. So if you are using this plugin, make sure you are updated.

Next up, we have a vulnerability discovered by Chloe Chamberland. This affected the Import Export WordPress Users plugin installed on over 30,000 sites. The flaw she discovered allowed anybody with subscriber level access or above to import new users via a CSV file or a comma-separated values file, and that meant they could import administrative level users.

So worst case scenario, someone has their WordPress installation set to allow anyone to register as a subscriber. An attacker can then upload administrative users using CSV. Pretty slick. Now, this plugin is primarily set to work for WooCommerce. But it also works if you have a vanilla WordPress install. There’s a method of checking capabilities for WooCommerce called Manage WooCommerce. But this plugin didn’t check for capabilities for a vanilla WordPress installation. But that functionality was still there.

There are some other plugins by the same developer with similar missing capability checks, and these plugins are all linked on the blog post, which is in the show notes. They’re much smaller install bases, but if you’re using any of them, definitely make sure you update so you have the patch. I’m not going to read off these plugins because I will say Import, Export, WooCommerce too much. No one wants to hear that repeated six times, and I don’t know if my mouth could take it.

Next up, coronavirus. Obviously, our world is in a bit of disarray as this virus sweeps across the country. More and more WordCamps have been canceled, and a recommendation came from WordCamp Central that all WordCamps up until June consider canceling or postponing their events. Now, The Hacker News is reporting that hackers have created a downloadable .exe, executable file of the coronavirus map. Johns Hopkins University has created a map basically showing the total confirmed cases, and you can zoom in and look at specific cases around the world by geography. It’s basically a map and shows you where the coronavirus is having the greatest effect.

This was discovered by MalwareHunterTeam last week, and it has been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs. Now, this malware looks to be stealing information. Alfasi presented a detailed account of how he dissected the malware on the Reason Security blog. It’s basically looking to steal passwords. It appears to be making specific calls in an attempt to steal login data from online accounts such as Telegram and Steam.

Now, I wanted to cover the story because of something that I’ve noticed in the world. Whenever there is fear, your mind can process information, and it only can perceive and process, they say, seven plus or minus two bits of information at any given time. That’s when you are not under stress. When you are under stress, when you are in a fearful state, when your mind is preoccupied, your ability to process information and to perceive information goes down dramatically. So your plus or minus seven bits might be at one plus or minus two. I don’t know what a negative bit of being able to process information looks like, but I think we all realize that when we are in a stressful situation, when we are in fear states, our ability to make good decisions goes down dramatically. That applies to those of us in security as well as those of us in the greater society.

But those of us listening to this podcast, those of us who are aware of security, we’re aware how hackers operate. We’re aware that hackers target the most vulnerable first. They target the most vulnerable systems first and the most vulnerable people first. Now, we are going to be better set to perceive these types of threats coming. But our parents, our grandparents, our kids, they might not. Everyone facing this crisis is having their ability to perceive and process threats compromised somewhat because of all of the fear in the world. It’s up to us, those of us in security, those of us who are aware, to educate and inform and protect the most vulnerable.

So my personal advice, talk to your parents about how hackers target those of us in fearful states. Talk to them about how they’re using this fear to exploit weakness. The vulnerability and weakness is in each and every one of us. It’s in all of our family members, and the weaknesses in our minds. It’s in our emotions. We can use antivirus on our computers as a first line of defense. But these attackers will take to other methods, whether it’s the telephone, SMS, or email to prey upon our fear.

I wrote a blog post on my personal site on zant.com about managing our mental security in the face of these types of crises. See, I’m old. I’ve been through both personal and societal stress before in my life. So I have methods of sort of managing that fear state by redefining what is most important to me, redefining my definition of what is secure and staying secure with that so that I can manage my own mental vulnerabilities. But that’s a whole ‘nother can of worms. Maybe I’ll write more about that later.

On to our next story, also related, remote work is skyrocketing. This article from Vox was posted on March 11th. Microsoft, Google, and Zoom are just trying to keep up with demand for their now free work from home software. All of us who have been working from home for quite some time are sharing our knowledge in various platforms, whether on Facebook or Twitter, to help others who haven’t get used to sort of a new world of work, working from home or working from wherever you are. Microsoft’s Teams saw a 500% increase in meetings, calls, and conference usage in China since the end of January.

Zoom wouldn’t comment specifically on their growth in usership, but they said that at the end of January, if you took the run rate of our minutes usage at that point we were on a run rate of 100 billion annual meeting minutes, and that’s up significantly since then. Those of us working in WordPress are probably more adapted to working from anywhere. I think this is going to provide greater opportunity to help others who haven’t been in that situation adapt. We’re in a place of being able to help.

Our final news story is about WordPress 5.4 coming pretty soon. It is going to ship with the editor in full-screen mode by default. I read about this on make.wordpress.org. But I also read the article on WP Tavern about this, and they noted that while some form of full-screen or distraction-free writing has existed for years, this is the first time that it is the default experience. On make.wordpress.org, Matt Mullenweg posted, he said that, “This is on me as release lead. I’ve been meaning to get this in for a while.” He says he’s comfortable with this decision to have full screen on by default given user testing and other qualitative feedback, which he says is similar to what folks at GoDaddy have found in their testing and that the coaching is minimal. So if during the month of March they need to revert it, it shouldn’t be a problem. It’s going to definitely be a different experience.

Now, the comment on make.wordpress.org right underneath Matt’s comment says, “Nice. Very nice. I like it. But what can we do to confuse my grandma even more? She already started paying me for maintaining Gutenberg because she is in trouble with that, and I really would love to press even more money out of this old lady.” Okay. That’s hilarious. But it brings another point in. We have users across the spectrum. We have highly technical people using WordPress, and we have grandparents and moms and kids using WordPress. So having this be the default experience from the get-go may cause some confusion for users. I think that the editing experience might be perhaps easier, but once they get there, and if they’re not sure exactly how to get out of the editor once it is full screen. I haven’t played with it yet. I’m interested to see what it looks like.

Obviously, this will become a very contentious issue. What should that editor look like? What do you think it should look like? Leave your comments in the blog notes on wordfence.com. It’d be interesting to see what you think about full-screen editing coming. Now, all joking aside: yes, as WordPress users, as agencies, as people who are sort of influencers in the WordPress world, we will now have to teach other people how to navigate around a new change in WordPress. I would like to posit a different way of looking at this. Rather than looking at it as more work that you have to do, let’s look at this as a gift, as an opportunity, as a way of being of service to someone else, as a way to develop stronger relationships with your customers.

You have an opportunity to be of service, you have an opportunity to make someone’s life easier. Let’s see what we can do with that, and with me preaching at you about how you should perceive a change in WordPress, let’s call that the news. Thanks for listening. Up next, we have our interview with Jon Bius from Biz Tools One. Enjoy.

Hi, everyone. I am here with Jon Bius. He is with Biz Tools One. It is a digital agency in Fayetteville, North Carolina. They are one of our larger customers using Wordfence for their customers. Jon and I have had a number of conversations about some of the unique things that their agency does. I thought it would be a great way to bring some knowledge about agency processes and other things to us. So Jon, thanks for joining me today.

Jon:
Thank you for having me, Kathy. I appreciate it.

Kathy:
Yeah, no problem. So give me the lowdown about Biz Tools One and what you do there.

Jon:
Yeah. We’re based in Fayetteville, North Carolina. Here in Southeast North Carolina, we’re one of the larger developers in the area, and we work mostly with local businesses in this area, everything from community colleges to plumbers to real estate agents. We do have a few websites, a few customers around the country, but most of it is located here locally. So we get to have plenty of face-to-face interaction with the clients and make sure their needs are taken care of. We tell them we’re in the handholding business, and we try to make sure that they’re squared away with their website.

Kathy:
That’s great. Now, how many customers or how many websites are you actually managing for customers?

Jon:
Right now, we’re managing close to 500 websites. About 350 of those are WordPress. We’ve still got some old holdouts from the days when we were still developing just in what I call plain HTML. But most of them now are WordPress. We also do the local school system, which is a WordPress multi-site install, and it has about 150 installations on that.

Kathy:
That’s incredible. Obviously, you have all these customers who have different business needs. How does WordPress help you meet those types of business needs with… Do you have certain plugins that are your go-to or certain themes that are your go-to tools?

Jon:
Yeah. Well, one of the things that I think really… When I got here, they were not doing WordPress. I got to this company in 2010 that I’m at now, Biz Tools One, and I had been using it. I started saying, “We might want to look at this. We might want to look at this.” As we started migrating to it, I started showing that the ability to re-theme a website, to have backups through the database, to start off with a fairly stable platform from the very beginning that allowed us to train clients to handle their own sites. Previously, we had been working with clients and training them on a program called Adobe Contribute, which required them to purchase some software, and there was a whole lot of hoops you had to jump through to get that hooked up.

When I started showing my boss, the company owner, “Hey, here’s what you can do with WordPress,” the benefits all around worked for us. He saw it immediately, and we began moving customers onto it because the speed with which we can deploy a very robust platform where the content development can be focused on was immediately apparent. Also, we don’t buy themes and use those for clients. Everything we do is custom built. I’ve never been a fan of taking an existing theme and modifying it even with child themes because every client we’ve ever tried that for, they said, “Yeah, but I want this, and I want that, and I want this.” By the time we put in the development, we’ve spent enough hours that we could just say, “Okay. Let’s just write our own theme for it.” So everything we do for the most part is custom made.

Also, you’d mentioned plugins. I am paranoid about security. So I try to really limit the number of plugins we use. We do have a default set that I like, Wordfence being one of them. But I try to limit the number of plugins we have so that it reduces, I guess you’d say the attack vectors that we have to worry about because stability and security are the two biggest things in my mind when we’re setting up a website for a customer.

Kathy:
Yeah, definitely. Now, I would imagine that having to custom-theme everything takes more time. Doesn’t it?

Jon:
Not really. Because for instance, we can show a customer a theme, and they can say, “Yeah, I like this. But I want to add this over here, and I want to take this away over here, and I want to slide this around over here, and oh yeah, I need this functionality built in. So we need these custom posts built in, and we need some other things.” By the time we end up modifying an existing theme and putting in all the plugins that it takes to get what they want, we’ve found that we’re just as well off to get them exactly what they want. By not having to use so many plugins or existing themes, I think it reduces the vulnerability overall.

It’s worked for us because when… We’ve had clients that have come to us from other places. They would pay just huge sums of money, and they would not be happy with, say, the agency they’re working with because they weren’t getting the kind of attention they wanted, and they would come to us, and they would go, “I paid $10,000 for this, $12,000, $15,000, $20,000 for this.” We would look at it, and we would kind of laugh and go… They bought an off-the-shelf theme for $90 and did a child theme that took a couple of hours. But the client wasn’t happy with the site, and it wasn’t unique for them. Now, the client’s unhappy because they’ve spent a lot of money. That’s not what they want.

Here in Fayetteville, if we told people… if we quoted Atlanta prices, Charlotte prices, those kinds of things, they would have a heart attack, and we can do development for a lot less, deliver them a custom-built website. We’ve been around for 19 years, and we’ve been having growth every single year. So it’s kind of a formula that we found works, and we stick with it. And we have tried, “Let’s get some off-the-shelf themes and work with those.” They look okay. But I mean, literally every single time, the client goes, “Well, we also want to do this. We want to do this.” We continue to develop, and we have to start tweaking on it. At some point, we realized, “We’re putting in enough hours that just doing it custom works well.”

Now, when I say we do it custom, it’s not like we start off in Notepad every time with a blank page and just start coding PHP. There’s already some framework that we have that we use. I guess in a way, it’s almost taking our own theme that we’ve developed and doing a child theme of it in WordPress terms. So we’re not just starting from absolute zero each time. But we do find that just let’s give people a custom design, and they really like it.

Kathy:
It sounds like that custom design gives you greater flexibility in the long run and that that flexibility is what actually ends up working better, not only for your customers but for you, too?

Jon:
Oh, yeah. Yeah. We’ve had customers come to us that an existing developer would have done their site for them and used the method that most folks do. I understand why most folks do it. But they would take a pre-built theme. They would do a child theme, and the customer would come to us and go, “Look, I’ve been asking him for this and for this and for this.” Clients had told us that either their agency would say, “That’s not possible. We can’t do that.” Or they would try to do it, and it didn’t work out. We want to be able, when somebody comes to us and says, “Well, I want to do this, and I want to do this, and I want to do this,” to go, “All right, not a problem.”

What I tell clients is the only two limitations there are are time and money. Sometimes people ask us for something, and we go, “Yeah, that’s going to be 25 hours, and here’s how much that’s going to cost.” They’ll go, “Oh, that’s a little more than I wanted for that functionality.” But then we’re usually able to go, “Okay. 25 hours might get you the 100% solution. Here’s a 90% solution for 10 hours. Then here’s something you can use native to WordPress to get you a 70% solution, but it’s already baked in, and you can do it yourself.”

So it gives us a lot of flexibility, and because we know the underlying code, we know exactly how the site is built and what it’s going to take to change it and make it do what we want. Clients love that.

Kathy:
Yeah, I bet. Now, does WordPress give you a competitive advantage in the market?

Jon:
Oh, absolutely. When a client comes in, so I think they come in, and they say, “I just need a simple shopping cart.” They want to get up and selling quickly. We can get them into a custom look with WordPress and get them exactly what they want. I’ve used other CMS platforms. I don’t do it as much anymore, but when I used to get into the developer forums a lot, and I would see all the arguments between WordPress and all the other platforms that compete with it, I’d always come back and go, “You can say what you want, but WordPress just beats the pants off of them.” The rate of development, the richness of the community that’s out there, the richness of the ecosystem that supports it and all of that gives us the ability to deliver a website that a client can manage.

Because a lot of the agencies that we’ve dealt with, when clients bring us a site, a lot of times I think, and this is one of the weaknesses in our industry is people tend to think in terms of, “Okay, if I’m going to do it for this business, it’s going to be someone who’s familiar with the web that’s going to be handling it.” But in our experience, it’s Sally from accounting or Bob from purchasing, and they’re not happy with Microsoft Word. They hate using that. So when I can bring them in and train them and show them, “Look, you can manage your website, we make it as simple as possible.” We use pages like crazy so that they know that, okay, this block on their home page, you just go to a page and edit that, and it changes the text.

It gives us the ability to deliver something. I’m sitting in the room we train in, and I bring people in this room, and I’ll point them to the big screen, and they’ve told me dozens of times, “Well, I don’t know anything about computers, I’m scared of this.” I’m like, “Don’t worry about it.” By the end of the class, they go, “This isn’t hard at all.” We don’t advertise. Everything we get is word of mouth, and the thing that keeps driving it is that customer service, that we not only build them a website, we train them how to use it, and that’s one of the differentiators, I think, for our business.

Kathy:
That’s really brilliant actually. So do you feel training people using Gutenberg is becoming easier now?

Jon:
Yeah. It’s definitely becoming easier because the old way, I had it down. I mean, even to the stupid jokes that I made in the middle of a training session, it was always the same. When I started doing Gutenberg, I kind of sat by myself one time and gave an imaginary training session, as crazy as that sounded. But I wanted to go, “Okay, how am I going to train this?” The first few times I started doing it, especially because it was constantly evolving, there were some periods that I would find myself saying, “Okay, now to do this, you do this.” Then I would go, “Wait a minute. It’s changed in the interface. It’s moved. It’s been relabeled.”

Now that it seems to be a little more stable and I’ve done it more often and I’m using it, I think what’s helped is I’m using it in my own personal use of WordPress. I’m now able to say, “Okay, let me take all the tasks that I used to train people on in the old system, focus on the tasks and ignore the interface.” That has seemed to be the path to success because nobody sits here and looks at it and says, “Well, that doesn’t look like Microsoft Word.” I just tell them, “Here’s something you’ve never seen before. Here’s how you do it.” I finally did one the other day, and I got finished. The two questions I always ask people, I say, “Do you have any questions about anything I’ve covered, or did you come in with questions that I have not answered?”

The client that I was training, they said, “Nope. Nope. You’ve covered it all, and this seems real easy.” Inside I said, “Yes. Okay. Now, just remember what you did and repeat this every time.”

Kathy:
Yeah. Exactly. It sounds like training and really kind of being sort of the IT and WordPress specialist for your customers is what makes Biz Tools One successful.

Jon:
Yeah. Yeah. I hear my boss when he’s doing sales calls, he tells people, “We’re in the handholding business.” Because I don’t know anything about real estate. I don’t know about plumbing. I don’t know about being an educator or a dentist or any of those things. That’s why I go to those people. They come to us because they want a website. When we ask people, “Well, what do you want on your website?” Nine times out of 10, they go, “I have no idea.” So everything from helping them decide what needs to go on the website to working with them on the basic verbiage to training them, setting up emails.

There’ve been plenty of times that I’ve sat in here with clients and essentially given them a condensed marketing plan for how you use your website to generate revenue either directly or indirectly and how you tie it into your social media campaigns and how you tie it into this and how you do that. Because most of them don’t know. We try to give them the straight scoop.

Kathy:
Talk to me again about… We talked a little bit about security. How does security and sort of using Wordfence, how does that help your agency?

Jon:
Yeah. Well, one of the things that I think helps with our security is I’m paranoid. I come from a military background. So thinking in terms of security is not new to me. Understanding that there’s always a threat out there and having seen it real-world, it’s easy to translate it into the digital world. Plus at a previous job I had, I worked with a guy who is, in my opinion, the best IT professional I’ve ever worked with, and he taught me so much about security and showed me, “Okay, here’s 20 different ways you can get into a web server that…” He wasn’t doing it illegally.

I mean, we would just set up a testing environment. He would show, “Okay, lock it down, and let me show you what you can do.” When I started seeing how vulnerable systems are, even when people think they’re doing a really good job with doing those, securing those, how vulnerable they can be, when we started getting into WordPress and we started early on seeing some security issues, that’s first when we found Wordfence, and we immediately saw the benefits that it had. But we translated it into everything we do.

When clients say, “Hey, we want to use this plugin,” we examine the plugin. If it doesn’t meet certain criteria that we think are going to make sure that it’s secure, it’s being continually developed, it’s got a good user base, we tell them, “Look, we’re not able to do it.” Now, we’ll give them an alternative. We’ll say, “Hey, we can bake it into the theme this way.” But every single thing we do has to pass the security test. Even the hosting platforms that we’re on, we try to make sure we’re really on some good stable platforms.

I will say this. You would expect me on a podcast like this to brag on Wordfence, but I say it truthfully. We had for the longest time been using the free version, and it worked well. But you remember, we had some issues with some sites that there was an exploit that came in that if you were on the free version, you didn’t immediately get all of the updates to protect against it. It really created some issues for us. I went to my boss, and he didn’t argue with me. I said, “We need to get paid licenses for everybody.” I think we bought like 200 at one time. But that has been a great, great benefit to us.

Now, from an agency standpoint, it’s easy to pass that cost along. You can roll that into a security package. It can include SSL and the hosting that you’re on, assuming you’re on some good secure hosting. But Wordfence and then just a very strict stance on security has helped us be as secure as possible. But we also recognize you’re never absolutely secure. I’m always paranoid whenever a client contacts me and says, “Hey, something’s weird about my website.” It may just be that they put in a photo wrong, and it’s stretching out the page or something. But I go in and I go, “Well, let me make sure nothing weird is going on.” So it’s baked into our DNA on everything we do.

Kathy:
Yeah. Well it sounds like the whole attitude that you guys have of let’s make sure that this website works for this customer, and if that means we have to educate this customer and teach them and go the extra mile and handholding them, we’re going to make sure this website works for them and then that security, sort of like the piece of or the cherry on top of the cake of that customer attention that you’re giving of just making sure that… Because nobody expects that their site is going to get hacked. Yet there’s hackers out there all the time targeting it. It’s up to agencies like you and security professionals like me to make sure that those people who don’t know are educated and that they do know that there are risks out there, but that we’ve got their back, right?

Jon:
Yeah. That’s one of the things that I love about Wordfence is sometimes clients will say, “Well, you’ve got this annual security fee that we pay. What does that really do?” All I show them is the log of who’s trying to hack into their site.

Kathy:
Really?

Jon:
I just go, “Look at this. Do you see this? Do you see how many intrusion attempts there were today?” They go, “You’re kidding me.” What people don’t understand is when they think hacking, they think Hollywood. They think, “Why would anybody hack into my website as a real estate agent or as a dentist?” One of the things we train them on is why sites are hacked. I tell people, “Look, we love you as a client, but the hackers don’t care about you. They don’t care about what you’re doing. They’re not trying to get your stuff. They’re trying to use your platform, and they’re looking for vulnerabilities. Because a lot of times people think, “Well, I don’t need this because who would hack me?”

Well, it’s not YOU they’re hacking. It’s the machine. They want to use the machine. When we start educating them on what happens, and after a while they either get it or they go, “Well, I don’t understand this, but I trust you then.” Then that’s long-term. They know we’re looking out for them. We do it in more than just, say, with Wordfence and other software. When we set up emails for people, we pound into their head about secure passwords. When people leave a company, we talk to them about, “Okay. You might want to consider changing your passwords.” If they say, “Well, we want three people to share our account on WordPress.” “No, no. You need three different accounts.”

We don’t give people administrator access. We give them the minimum rights necessary to do just what they need to do. They see that in everything we do. It’s sometimes just kind of funny. I’ll have clients call me up, and they’ll go, “Hey, I need to change the password on my email or my WordPress site.” I always ask them, “Well, what would you like it to be?” I had one the other day that they mentioned the street that their business is located on and then one, two, three, four. I have known him long enough, and I said, “Are you really bringing that password to me?” They kind of laughed. They said, “I’m sorry. Is that not a good one?” I said, “If you ever ask for a password like that again, I’m going to give you a 256 character password.”

But I try to educate them on what makes a good password. Again, it gets to that service thing. But as a small business, I mean, there are only three of us here. There are three of us who manage 500 websites, 350 or so of which are WordPress. We can’t afford for things to go wrong. So I want them to think about secure passwords, to think about these things, because it helps our platform to be more stable and reduces the number of phone calls that I get and problems we have. Because if you’ve ever seen a place get badly hacked, I mean, just files being deleted from the server, it’s ugly.

Kathy:
Yeah. I’ve been there.

Jon:
It’s a helpless feeling. We were talking to one of our clients, and I won’t go into too much detail about who they were, but they were a large entity, and their entire network was hacked, I mean, to the point they were having to buy new computers. It wasn’t anything we did. I mean, it was an internal thing. But just to watch the meltdown they had, it was awful. So we really try to get people to understand this is important stuff. This is not something that is just in the movies or doesn’t apply to you because you’re a small business. Security is a big deal.

Kathy:
It is. One of the benefits that I think you have that I’m sort of jealous about is that I get to talk in these broad strokes, like use two-factor authentication, use strong passwords, and it’s very general, and it’s just good security advice. But you get to contextually walk a customer through, “Hey, you’re doing this right now.” You get sort of those natural consequences. I mean, you could tell your kids, “Say no to drugs.” But wait till you’ve got a kid who is having a challenge at school right then and there, and it’s like you have a very contextual learning experience that you get to show your customers, “Here’s a security issue right here, right now that we’re going through, and I’m going to help you through that.” So you get the benefit of them really having a positive learning experience with you that they’re going to remember.

Jon:
Yeah. Yeah. I’ve told a few people, and I’ve said, “Understand, if we run into security issues,” to put it in the terms you just used, “you’re going to have a negative learning experience, and then you’re going to have a positive learning experience.” Because there are times when we will find a problem, and we’ll go through it, and we’ll get it resolved, and then we’ll kind of do an after-action report to see what happened. There’ve been a few times that a customer would go, “Okay, what happened?” I’d say, “Well, you know your password that you changed three weeks ago? Even though WordPress accepted it, you didn’t go all green. If it’s not all green, it’s not all good, and somebody could think of that password.”

Or somebody would use the same password on all of their stuff. When you demonstrate to them what can happen and show them and can give them real-world experience, I mean, this is not WordPress related, but ransomware, a few years ago, it was huge, and there are still problems with it. We’ve talked to clients about email security and ransomware. We actually had one client that called up and said, “Well, how do I…” The first question they asked was, “What’s Bitcoin?” I said, “Why are you asking about Bitcoin?” They said, “Well, how would I know if I got this ransomware stuff?” I talked to them, and come to find out, they had gotten hit.

So I started asking them some questions about backups and things like that, and they were talking about, “My computer’s locked up.” They said, “I know it must’ve been from this one email I got because I forwarded it to one of my coworkers, and her machine’s locked up now, too.”

Kathy:
Oh, no.

Jon:
So I can talk to customers, and a few of them will call me and go, “Okay, Jon. You’ve gotten me paranoid enough that I got this email in, and I’m not touching it.” I’ll ask them some questions about it, and I teach them, because they’ve heard those stories, and they know how devastating it can be to their business. But it only takes a few simple steps. It’s the same way with using WordPress, and Wordfence is one of those simple steps. How hard is it to install the plugin? Yeah. You’ve got to pay the license fee, but how much more does it cost to get hacked and have to deal with that and potentially lose the client, rather than, “Okay, we’ve got something here that works.”

Kathy:
Because of that, and because of these new threats and because of the ransomware and the phishing and everything, it is a constant battle to just educate everyone that you can that these threats do exist and how to identify them and protect themselves, because really, the weakest link in any security is going to have a heartbeat rather than a plug. It’s always the humans.

Jon:
Y’all are right there on the front lines of it, but the agencies have to be right there shoulder to shoulder with you. For obvious reasons, I sound like I’m tooting our own horn, but I think we do a good job. When we take over websites from other agencies, and these are not fly-by-night kinds of agencies. We had one recently that we took over, and if you go to look at the agency’s website, it’s all bright and happy, and man, they had taco Tuesday, and you know, they leave early on Friday, and they’ve got the ping-pong room, and everybody’s got these creative names for their job titles and all of this stuff.

When we made a copy of their site and put it on our server for analysis to see whether we could use it or whether we had to rebuild it or whatever, it was several versions outdated. WordPress was several versions outdated. There were 56 plugins installed on it. Some were active, some were not. Some had been out of date for two and three years, no longer in development. We had to look at it and just basically say, “You know what, we’re going to mimic the design, because we had the rights to do so. We’re going to mimic the design, but we’re just going to basically rebuild the whole house and make it look like the old one.” It was from an agency that, if you looked at it and you read their stuff, you would think, “Man, they should know what they’re doing.”

But sometimes people get lazy about security, and they’re more focused on, “Okay, let’s get this one done. It looks good. We can put it in our portfolio and move on to the next one.” But the way we try to approach it is, if that website still isn’t performing for the customer, and if the customer isn’t happy with it two years later, then we’ve failed. One time my boss asked me, he said, “Have you ever been happy with any website we’ve taken over?” I had to tell him, “Not so far.” It’s been dozens and dozens and dozens. But it’s just simple stuff that we have to pay attention to for the client, because they don’t know this stuff. When it comes down to just something as simple as saying, “Okay. They need this functionality. A plugin is appropriate for it. Here’s this plugin that we could use, and here’s this other plugin that we could use. Which one is the most secure, and which one is more actively developed?”

If it means telling the client, “Yeah. We could use that free plugin you suggested, but you’re going to get a safer, better experience if we spend $39 on this other one,” then we need to insist on that for their behalf.

Kathy:
Well, you are sort of the tour guide for WordPress for the customer, and they rely on that expertise. So for them to have… I think if I were going to develop a website or hire an agency to develop a website, because I don’t have the bandwidth for that, I would talk to you guys, because you’re definitely covering not only the security bases but the SEO bases and the foundations that any small business needs in order to be successful, so that they can focus on growing their business in the real world, and you guys kind of take care of that online world and make that easier for them.

Jon:
Yeah. Yeah. Because, well, there are so many voices competing. I mean, we get people in all the time, and they say, “Well, I see this thing from this hosting company that I can do this for $3.99 a month, or I can do this for free. Why would I pay you several thousand dollars to do it?” We can go through and show them all of these things. I mean, a list of things as long as your arm, here’s what we’re doing. There have been a few times that people would say, “That all looks really good, but I’m going to go off, and I’m going to do this myself for $3.99 a month, because the guy that I talked to on the phone that’s trying to sell me a domain name and cheap hosting said it’s easy and anybody can do it.”

Quite often, we hear from them six months later, and they go, “It just isn’t working.” Because the analogy I use, it’s kind of like modern cars. You no longer have the shade-tree mechanic I used to see when I was growing up. You’d pull up your car, and some guy with a greasy hat on would dig up under it and say, “Well, it’s your carburetor there, bud.” Now, car repair is an IT job. They do all these computer diagnostics, and I tell people you wouldn’t go buy some off-the-shelf piece of software that says for $3.99, you can diagnose and fix your car. You wouldn’t do it. Your website is as complicated as your car’s engine. If you want to do this, understand the job of web developer is a real job that requires real knowledge and real experience.

We feel like we can… Between my boss and I, we’ve got close to 45 years’ experience. I’ve worked on, built, developed, managed, whatever you want to call it, over 2000 websites. He’s probably done as many. So when somebody says, “Well, I think I can do it myself for $3.99,” he’s more of a diplomat. He’ll continue talking about, “Well, here’s the advantages we bring to the table.” If it’s me, I just go, “All right. Hope it works out for you.” Because I don’t know what else to say.

Kathy:
Yeah. Yeah. That is definitely a tough one. But it sounds like being able to educate them and get them to the point where they can let go of the places where they’re not experts and let the experts do what the experts need to do and be better off for it, sounds like you guys are perfectly set up to do that kind of education and training. So that’s always a positive.

Jon:
Yeah, absolutely. It’s what we’ve built the business on, really, because we’ve… My boss, he’s owned this business for 19 years, and I came along 10 years ago. So he had built that foundation. The experience I brought in, and bringing in a focus on WordPress and security and some other things, it’s just really been a good combination. But it could be replicated anywhere. We’re not doing anything… I think part of the reason that I don’t see it as often is it’s not something that’s flashy or sexy or has a cool title to it. But just bringing somebody in and going, “Look, here’s how you insert a gallery, and let me make sure you can do it. If you continue having problems, call me, and I’ll talk you through it on the phone. I’ll send you some screenshots in email.”

That’s the hard work down in the trenches day-to-day that keeps people with you for year after year after year, and they tell their friends about it. People call us up and go, “Hey, so-and-so told us about you. What can we do for you?” Because I feel like if we can get in front of somebody and show them what we bring to the table, we can get anybody’s business. It also means, at the same time, knowing when it’s too big for you, when it’s too much for you. That’s a thing that I see some agencies do that we try to avoid. We’ve had clients come to us, and they would say, “Here’s this really big project.” Yeah, there could be a lot of money in it, but we would go, “You know what, that’s not the core business we focus on.” We’ve told people, “You know what, we appreciate you thinking of us, but we’re not going to bid on this, and here’s why.” They appreciate that.

Kathy:
Yeah. Yeah. It’s important to know your capabilities and your limits and what you can handle.

Jon:
Yeah. To quote that great philosopher Dirty Harry, “A man’s got to know his limitations.”

Kathy:
Definitely. It’s looking like we’ve hit our limitation of an hour. But Jon, I’m so grateful that you took an hour out of your day to talk to me today about what Biz Tools One is doing and all of the knowledge you’ve picked up over the years. I think a lot of people who are in the WordPress world helping other clients or helping their clients develop WordPress websites can learn a lot from this. So thank you so much. If somebody wanted to connect with you, where could they find you online?

Jon:
Yeah. If you just go to biztoolsone.com, we’re right there, biztoolsone.com. Like I said, we focus locally, but we’ve got clients across the country. So if anybody does want to talk, either from a, “Hey, we want to engage you for something like that,” or if somebody just wanted to contact us and ask for me and say, “Hey, we’re considering Wordfence. What do you think of it?” I’ll tell them all about it.

Kathy:
Awesome. Well, appreciate that. Thank you so much.

Jon:
Thank you for having me. I appreciate it.

Kathy:
We hope you enjoyed this episode 70 from Think Like a Hacker. We would love to have a review from you. If this podcast has helped you in any area of your life, any area of your business, has helped you understand WordPress security or innovation in a new way, leave us a review wherever you’re listening to Think Like a Hacker. Contact me on Twitter @Kathyzant or kathy@wordfence.com. We’d love to hear from you, and we will talk to you next week. Thanks for listening.
