Episode 71: Hackers Targeting COVID-19 Fears

With many of us under either lockdown or shelter-in-place orders due to the COVID-19/coronavirus pandemic, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers are targeting these human vulnerabilities, using the global pandemic as the lure for numerous scams and phishing campaigns. We also cover plugin vulnerabilities affecting tens of thousands of sites, as well as a new product from Wordfence, Fast or Slow, a global website speed profiler.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:05 Coronavirus scams found and explained
4:48 HHS.gov open redirect used by coronavirus phishing to spread malware
8:00 Vulnerabilities patched in the Data Tables Generator by Supsystic Plugin
9:52 Vulnerability in WPvivid Backup Plugin can lead To database leak
10:29 Wordfence launches Fast or Slow, a website profiling tool measuring site performance from major global locations

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press AT wordfence.com!

Episode 71 Transcript

Hi, and welcome to episode 71 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation.

It is the end of March 2020, and we’re going through a lot worldwide. We’re not going to have an interview this week with so much going on. We are under shelter-in-place or lockdowns around the world as public health officials strive to keep as many people safe from coronavirus infection as possible. With death tolls rising around the world, it feels like we’re in a new era of humanity.

Obviously, we’re all under some elevated stress, and that elevated stress and the requisite fear is making us susceptible to making poor decisions. As I talked about last week, scientists say that when we are under no stress whatsoever, we can handle about seven, plus or minus two, bits of information at any given time; that means what we can perceive. When we’re under stress or when we’re in a fear state, which is basically a stress state, that makes us even more susceptible to perceiving less. It makes us vulnerable.

I woke up this morning to a news story that a man here in the Phoenix area had died from taking an aquarium cleaning substance that he thought would protect him from coronavirus. When we’re in fear, we’re not thinking our best. It’s really time for us now to slow down, to put a buffer zone between the stimulus of this stressful environment that we are all now in, and our response to that environment. It’s important now for us to really get good data and make good decisions.

With that, our first story today is from MalwareBytes, and they went through some of the coronavirus scams that have been coming online. In their blog post, they noted that a Twitter user had published a web tracker finding that 3,600 host names came online in just 24 hours that were related to coronavirus or COVID-19, and Risk IQ reported that they had tracked more than 13,000 suspicious coronavirus related domains over the course of a weekend, and on the very next day, more than 35,000 domains. All of these links are going to be in the show notes.

What does this tell us? It tells us that hackers are detecting vulnerability. They’re not detecting necessarily vulnerability in our systems, but they know that there’s vulnerability where there is fear, and they are targeting the weakest link. Most of these are phishing campaigns. They also detail a story that we’ve covered in the podcast a couple of episodes ago about an email phishing campaign sent by threat actors that were impersonating the World Health Organization with the intent of stealing credentials, usernames and passwords. They detail some incidents where threat actors are attempting to install malicious payloads on systems.

Now obviously, this shows that there’s going to be a growing threat, and this threat is not targeting our computers, it’s targeting us, and it’s targeting us because we are in vulnerable states, and what do we do when we’re in vulnerable states? The best thing you can do is to take care of yourself, not only your physical health and obviously boosting your immune system, getting decent sleep, getting decent exercise, but taking care of your mental health. Your mental health ends up being that which alleviates the vulnerability of fear and stress. It alleviates the vulnerability that hackers are attempting to target right now. Whether it is meditation, deep breathing, yoga, whatever you need to do in order to take care of yourself and your mental health is going to sort of be that firewall for your life, not just your mind, not just your email, but it’s going to help you make better decisions for you, for your family, everyone around you.

Our second article is an open redirect that’s being used. It is on the Health and Human Services (HHS.gov) domain, and this is being used by malicious attackers to spread coronavirus phishing malware. So basically, emails are being sent out through this open redirect on one of their web addresses, and an open redirect basically automatically redirects users between a source website and a target site, and malicious actors use these to target phishing landing pages or deliver malware payloads, because they can do so under the guise of a legitimate service, and with everybody attuned to wanting to get the latest information about coronavirus, having an open redirect on the hhs.gov Health and Human Services website, that is definitely something dangerous. So the open redirect is in the article on BleepingComputer, using it to send out a malicious attachment containing a coronavirus.doc.lnk file that unpacks obfuscated VBScript that executes a Raccoon information stealer malware payload that’s coming from an IP address also detailed in that blog post.

Now, one of the things that coronavirus is really exposing, to me, is how as a society, we are not equipped well, in many ways, to care for our elders. Obviously, this virus is targeting the most vulnerable, those of our parents and grandparents, and it’s much like what’s happening with phishing and other scams like this. Obviously, we all get phishing emails, but those who are most vulnerable to these are the most trusting, and those of our parents and our grandparents, who often find themselves victims of these types of scams, whether it’s coming through an email or it’s on a phone call or an SMS message.

I would like to posit that it is our responsibility as security professionals, and even if you don’t think of yourself as a security professional, the fact that you’re listening to this podcast means that you are aware of security, and we have a responsibility to take care of the most vulnerable in our communities, whether that be the WordPress community or our communities at home. So talk to your parents, obviously, with social distancing at this time, but talk to them about these types of threats. Make sure that they are aware. Use antivirus on their computers if you can, and support them and educate them. Obviously, our first line of defense is going to be educating anyone who’s using the internet to realize that these types of threats exist.

On to some stories in the WordPress world, we have a couple of plugin vulnerabilities to cover. First of all, Chloe Chamberland, one of our Threat Analysts here at Wordfence, found vulnerabilities in the Data Tables Generator by Supsystic [plugin]. She did find some vulnerabilities in the Pricing Table by Supsystic plugin as well and worked with them on both of these plugins. Now, the Data Tables Generator plugin is a WordPress plugin installed on over 30,000 sites. These flaws were quite similar and allowed attackers to execute AJAX actions that could inject malicious JavaScript and forge requests on behalf of authenticated site users.

Wordfence premium users received firewall rules against this vulnerability’s exploit on January 21, 2020, and free users received that rule on February 20th, so even though we hadn’t disclosed this because it was still being patched, you’ve been protected, if you’re using Wordfence, for quite some time. With all of the crazy stuff that’s happening in the world right now, the last thing you want to think about is updating plugins immediately, or even writing blog posts. There’s a lot of other things that are demanding our attention. So these are the times when it’s really good to have a firewall, because firewalls buy you time. Even though a vulnerability might exist in the world, you don’t even have to be aware of it. Your firewall is blocking malicious attacks, and as we’re seeing, hackers and malicious actors are much more active in times of great fear and vulnerability. So now’s the best time to make sure that everything is protected, including your WordPress site.

Our next story is a vulnerability that was patched in the WPvivid Backup plugin. This could lead to a database leak. This plugin was installed on over 30,000 sites as of a few weeks ago, and the issue has been fixed in version 0.9.36. It was another AJAX action that didn’t have an authorization check, so make sure that if you’re using that plugin that you have that patched.

Our final story. I saved the best for last, because there’s no fear associated with this. It’s not even a vulnerability. Wordfence is really happy to announce that we have a new product. This product is all free. It’s called Fast or Slow. You can find it at fastorslow.com. This tool helps you measure your WordPress (or other) site’s performance from various locations around the world. Now, if you’re interested in site performance, you’ve probably used various tools in order to measure whether your site was performing well for your users.

This tool is unique in that it looks at performance globally. So if you have a product or a service that is relevant to anyone in the world, say for example, software that you are selling online, and you would like to ensure that users in Australia, even though you’re based in, let’s say Kansas, that your users in Australia are having a good experience with your website. You can use Fast or Slow to see how Australians are experiencing your site, to see how South Americans are experiencing your site, how Europeans are. It’s a really neat tool. It’s free. You can put in your website, see how it’s performing, and we really recommend signing up for monitoring.

What this will do is run reports over time. So if your hosting provider, for example, is having an issue or you’re seeing degraded performance over time, Fast or Slow will let you know when a problem like that exists. It’s horrible to have those types of experiences sneak up on you, and you realize that your server is overloaded and not performing well, especially for a location where you have no visual experience. Fast or Slow will monitor this for you, let you know when your site might be having a problem, give you some relevant data that you can take to your developers, that you can take to your hosting provider, that you can take to heart and make better decisions in order to make sure that your site is serving your users.

With that, that is podcast episode 71 of Think Like a Hacker. Thanks for listening. If there is anything that Wordfence can do in order to support you during these very strange and different times, please, please reach out and let us know what we can do in order to be of service. We have been a remote team since our inception. All of us have our methodologies and procedures in place in order to be of service from where we’re at, and if things are shifting for you, please let us know how we can be of service, we’re here for you, and I just want to underscore again how important it is to take time during this experience to take care of your mental health. Your mental health is your firewall for your life. It’s going to allow you to really ascertain what you need to do for yourself, what you need to do for your family, what you need to do for your business in order to not only survive these troubled times, but to succeed within them.

If there’s anything I personally can do, reach out to me, Kathy [AT] wordfence.com. If there is someone that you would like me to bring on the podcast, let me know. And with that, we will wrap it up. Next week, we will have another episode, and hopefully even more good news to report.

Thanks for listening!

The post Episode 71: Hackers Targeting COVID-19 Fears appeared first on Wordfence.

Vulnerabilities Patched in IMPress for IDX Broker

On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application Firewall’s built-in XSS protection, we investigated the plugin further and discovered an additional stored XSS vulnerability. We also found a flaw that would allow an authenticated attacker with minimal, subscriber-level permissions to permanently delete any page or post on the site, in addition to creating pages with arbitrary titles.

We initially reached out to the plugin’s vendor the same day, on February 28, 2020, but received no response over an extended period of time. On March 19, 2020, after notifying the WordPress plugin team, we received a response from the plugin’s developer, at which time we sent the full disclosure details. A fully patched version was released on March 23, 2020, and we recommend updating to the latest version, 2.6.2, immediately.

Wordfence Premium users received a new firewall rule on March 2, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on April 1, 2020.

Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: Pending
CVSS Score: 7.4 (high)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 2.6.2

The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s reCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

As with most attacks taking advantage of stored XSS in admin areas, this could be used to make use of the administrator’s session in order to create a new, malicious administrative user.

The AJAX action:

add_action( 'wp_ajax_idx_update_recaptcha_key', array( $this, 'idx_update_recaptcha_key' ) );

The vulnerable function:

	public function idx_update_recaptcha_key() {
		// No check_ajax_referer() and no current_user_can() call precede this,
		// so any logged-in user who can reach admin-ajax.php can run it.
		if ( $_POST['idx_recaptcha_site_key'] ) {
			// The value is stored unsanitized and later rendered in the settings panel.
			update_option( 'idx_recaptcha_site_key', $_POST['idx_recaptcha_site_key'], false );
			echo 1;
		} else {
			delete_option( 'idx_recaptcha_site_key' );
			echo 'error';
		}
		die();
	}

Description: Authenticated Post Creation, Modification, and Deletion
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: CVE-2020-9514
CVSS Score: 8.1 (high)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Fully Patched Version: 2.6.2

One of the features included with the IDX Broker plugin is the ability to create and delete “dynamic pages,” intended to ensure that any IDX pages match the site’s style and branding.

The plugin registers two AJAX actions that are used to do this:

add_action( 'wp_ajax_create_dynamic_page', array( $this, 'idx_ajax_create_dynamic_page' ) );
add_action( 'wp_ajax_delete_dynamic_page', array( $this, 'idx_ajax_delete_dynamic_page' ) );

Once again, neither of the functions called by these AJAX actions used capability checks or nonce checks. As such, it was possible for an authenticated attacker with minimal, subscriber-level permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page:

	public function idx_ajax_create_dynamic_page() {
		// No nonce or capability check precedes any of this, so the handler
		// runs for any authenticated user who can reach admin-ajax.php.

		// default page content
		$post_content = $this->does_theme_include_idx_tag();

		// The title is taken from the request unsanitized.
		$post_title = $_POST['post_title'] ? $_POST['post_title'] : 'Properties';
		$new_post   = array(
			'post_title'   => $post_title,
			'post_name'    => $post_title,
			'post_content' => $post_content,
			'post_type'    => 'idx-wrapper',
			'post_status'  => 'publish',
		);
		// A caller-supplied ID is passed straight to wp_insert_post(), which then
		// updates that existing post or page instead of creating a new one.
		if ( $_POST['wrapper_page_id'] ) {
			$new_post['ID'] = $_POST['wrapper_page_id'];
		}
		$wrapper_page_id = wp_insert_post( $new_post );
		update_option( 'idx_broker_dynamic_wrapper_page_name', $post_title, false );
		update_option( 'idx_broker_dynamic_wrapper_page_id', $wrapper_page_id, false );
		$wrapper_page_url = get_permalink( $wrapper_page_id );
		$this->idx_api->set_wrapper( 'global', $wrapper_page_url );
		update_post_meta( $wrapper_page_id, 'idx-wrapper-page', 'global' );

		die(
			json_encode(
				array(
					'wrapper_page_id'   => $wrapper_page_id,
					'wrapper_page_name' => $post_title,
				)
			)
		);
	}

Alternatively, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, then that post or page would be permanently deleted:

	public function idx_ajax_delete_dynamic_page() {
		// Again no nonce or capability check, and the ID is not restricted to the
		// plugin's own 'idx-wrapper' post type, so any post or page can be named.
		if ( $_POST['wrapper_page_id'] ) {
			// force_delete = true bypasses the trash, so the deletion is permanent.
			wp_delete_post( $_POST['wrapper_page_id'], true );
			wp_trash_post( $_POST['wrapper_page_id'] );
		}
		die();
	}

Disclosure Timeline

February 28, 2020 – Our Threat Intelligence team discovers and analyzes vulnerabilities in the IMPress for IDX Broker plugin while reviewing a recently patched vulnerability. We attempt to make contact with the plugin vendor.
March 2, 2020 – Firewall rule released for Wordfence Premium users.
March 19, 2020 – After follow-up with the WordPress.org plugin team, the plugin vendor confirms the appropriate mailbox, and we provide them with full disclosure.
March 23, 2020 – Fully patched version becomes available.
April 1, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we detailed several vulnerabilities, including stored XSS and post creation, modification, and deletion, found in the IMPress for IDX Broker plugin. These flaws have been patched in version 2.6.2, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since March 2, 2020. Sites running the free version of Wordfence received the firewall rule update on April 1, 2020.

The post Vulnerabilities Patched in IMPress for IDX Broker appeared first on Wordfence.

Tips for New Remote Workers

With the new pandemic hovering over our heads, the main piece of advice from most countries is stay home. Working remotely is a new reality for many people around the world, and Sucuri can help you make this new endeavor easier for you. We have been an entirely remote team since the creation of the company, more than 10 years ago.

Working from home has its perks and challenges. We asked our colleagues what recommendations they had for people who are starting to work from home as well as some advice to mitigate cybersecurity risks.

Continue reading Tips for New Remote Workers at Sucuri Blog.

Episode 70: Customer Education and Agency Resiliency with Jon Bius

We chat with Jon Bius, a web developer at Biz Tools One, an agency in Fayetteville, NC, about how they use customer education to build relationships and differentiate their business. Jon has been helping customers build websites for over two decades, and he talks about how WordPress helps him empower his customers.

In the news, we cover two plugins with vulnerabilities, more cancelled WordCamps, some hackers taking advantage of the fear surrounding COVID-19, the rise of remote work, and what’s coming with full screen editing on by default in WordPress 5.4.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:05 Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites
2:18 Vulnerability Patched in Import Export WordPress Users
3:47 More WordCamp cancellations due to COVID-19
4:07 Coronavirus Maps containing malware infecting PCs to steal passwords
8:05 Remote work skyrocketing
9:27 Full screen editing mode on by default in WordPress 5.4
12:54 Interview with Jon Bius from Biz Tools One


Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press@wordfence.com!

Episode 70 Transcript

Jon Bius:
You’re talking about somebody who’s from the accounting department at a local real estate company, and their whole reason for being here is they were the ones that when the boss said, “Who wants to handle the website,” they were the first ones to make eye contact.

Kathy Zant:
Hello, my WordPress friends. Welcome to episode 70 of Think Like a Hacker. Today we have some news items as well as an interview with Jon Bius. Jon is a developer at Biz Tools One, an agency in Fayetteville, North Carolina. Jon has been developing sites and retaining customers for 20 years. He has a great perspective on what makes an agency successful. So I asked him some of those questions. In the news today, we have a couple of plugin vulnerabilities, as usual. We have some hackers taking advantage of coronavirus fears, news that remote work is skyrocketing, and full-screen mode editing coming in WordPress 5.4.

Kathy:
First vulnerability is patched in Popup Builder plugin installed on over a hundred thousand sites. One of our quality assurance analysts, Ram Gall, found this one, and he worked with the developer in order to get it fixed. As for the vulnerabilities, one allowed an unauthenticated attacker, that means basically anyone, to inject malicious JavaScript into any published popup, which then could be executed whenever the popup loaded. The other vulnerability allowed an authenticated logged-in user, even with minimal permission such as subscriber, to export a list of all newsletter subscribers, export system configuration information, as well as grant themselves access to various features of the plugin. This has been recently patched. Make sure you upgrade to version 3.64.1 immediately.

Now, Wordfence premium customers got their firewall rule on March 5th to protect against exploits targeting these vulnerabilities, and those of you still using the Wordfence free version for the community will receive the rule after 30 days, April 4th, 2020. So if you are using this plugin, make sure you are updated.

Next up, we have a vulnerability discovered by Chloe Chamberland. This affected the Import Export WordPress Users plugin installed on over 30,000 sites. The flaw she discovered allowed anybody with subscriber level access or above to import new users via a CSV file or a comma-separated values file, and that meant they could import administrative level users.

So worst case scenario, someone has their WordPress installation set to allow anyone to register as a subscriber. An attacker can then upload administrative users using CSV. Pretty slick. Now, this plugin is primarily set to work for WooCommerce. But it also works if you have a vanilla WordPress install. There’s a method of checking capabilities for WooCommerce called Manage WooCommerce. But this plugin didn’t check for capabilities for a vanilla WordPress installation. But that functionality was still there.

There are some other plugins by the same developer with similar missing capability checks, and these plugins are all linked on the blog post, which is in the show notes. They’re much smaller install bases, but if you’re using any of them, definitely make sure you update so you have the patch. I’m not going to read off these plugins because I will say Import, Export, WooCommerce too much. No one wants to hear that repeated six times, and I don’t know if my mouth could take it.

Next up, coronavirus. Obviously, our world is in a bit of disarray as this virus sweeps across the country. More and more WordCamps have been canceled, and a recommendation came from WordCamp Central that all WordCamps up until June consider canceling or postponing their events. Now, The Hacker News is reporting that hackers have created a downloadable .exe, executable file of the coronavirus map. Johns Hopkins University has created a map basically showing the total confirmed cases, and you can zoom in and look at specific cases around the world by geography. It’s basically a map and shows you where the coronavirus is having the greatest effect.

This was discovered by MalwareHunterTeam last week, and it has been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs. Now, this malware looks to be stealing information. Alfasi presented a detailed account of how he dissected the malware on the Reason Security blog. It’s basically looking to steal passwords. It appears to be making specific calls in an attempt to steal login data from online accounts such as Telegram and Steam.

Now, I wanted to cover the story because of something that I’ve noticed in the world. Whenever there is fear, your mind can process information, and it only can perceive and process, they say, seven plus or minus two bits of information at any given time. That’s when you are not under stress. When you are under stress, when you are in a fearful state, when your mind is preoccupied, your ability to process information and to perceive information goes down dramatically. So your plus or minus seven bits might be at one plus or minus two. I don’t know what a negative bit of being able to process information looks like, but I think we all realize that when we are in a stressful situation, when we are in fear states, our ability to make good decisions goes down dramatically. That applies to those of us in security as well as those of us in the greater society.

But those of us listening to this podcast, those of us who are aware of security, we’re aware how hackers operate. We’re aware that hackers target the most vulnerable first. They target the most vulnerable systems first and the most vulnerable people first. Now, we are going to be better set to perceive these types of threats coming. But our parents, our grandparents, our kids, they might not. Everyone facing this crisis is having their ability to perceive and process threats compromised somewhat because of all of the fear in the world. It’s up to us, those of us in security, those of us who are aware, to educate and inform and protect the most vulnerable.

So my personal advice, talk to your parents about how hackers target those of us in fearful states. Talk to them about how they’re using this fear to exploit weakness. The vulnerability and weakness is in each and every one of us. It’s in all of our family members, and the weaknesses in our minds. It’s in our emotions. We can use antivirus on our computers as a first line of defense. But these attackers will take to other methods, whether it’s the telephone, SMS, or email to prey upon our fear.

I wrote a blog post on my personal site on zant.com about managing our mental security in the face of these types of crises. See, I’m old. I’ve been through both personal and societal stress before in my life. So I have methods of sort of managing that fear state by redefining what is most important to me, redefining my definition of what is secure and staying secure with that so that I can manage my own mental vulnerabilities. But that’s a whole ‘nother can of worms. Maybe I’ll write more about that later.

On to our next story, also related, remote work is skyrocketing. This article from Vox was posted on March 11th. Microsoft, Google, and Zoom are just trying to keep up with demand for their now free work from home software. All of us who have been working from home for quite some time are sharing our knowledge in various platforms, whether on Facebook or Twitter to help others who haven’t get used to sort of a new world of work, working from home or working from wherever you are. Microsoft’s Teams saw a 500% increase in meetings, calls, and conference usage in China since the end of January.

Zoom wouldn’t comment specifically on their growth in usership, but they said that at the end of January, if you took the run rate of our minutes usage at that point we were on a run rate of 100 billion annual meeting minutes, and that’s up significantly since then. Those of us working in WordPress are probably more adapted to working from anywhere. I think this is going to provide greater opportunity to help others who haven’t been in that situation adapt. We’re in a place of being able to help.

Our final news story is about WordPress 5.4 coming pretty soon. It is going to ship with the editor in full-screen mode by default. I read about this on make.wordpress.org. But I also read the article on WP Tavern about this, and they noted that while some form of full-screen or distraction-free writing has existed for years, this is the first time that it is the default experience. And on make.wordpress.org, Matt Mullenweg posted, he said that, “This is on me as release lead. I’ve been meaning to get this in for a while.” He says he’s comfortable with this decision to have full screen on by default given user testing and other qualitative feedback, which he says is similar to what folks at GoDaddy have found in their testing and that the coaching is minimal. So if during the month of March they need to revert it, it shouldn’t be a problem. It’s going to definitely be a different experience.

Now, the comment on make.wordpress.org right underneath Matt’s comment says, “Nice. Very nice. I like it. But what can we do to confuse my grandma even more? She already started paying me for maintaining Gutenberg because she is in trouble with that, and I really would love to press even more money out of this old lady.” Okay. That’s hilarious. But it brings another point in. We have users across the spectrum. We have highly technical people using WordPress, and we have grandparents and moms and kids using WordPress. So having this be the default experience from the get-go may cause some confusion for users. I think that the editing experience might be perhaps easier, but once they get there, and if they’re not sure exactly how to get out of the editor once it is full screen. I haven’t played with it yet. I’m interested to see what it looks like.

Obviously, this will become a very contentious issue. What should that editor look like? What do you think it should look like? Leave your comments in the blog notes on wordfence.com. It’d be interesting to see what you think about full-screen editing coming. Now, all joking aside: yes, as WordPress users, as agencies, as people who are sort of influencers in the WordPress world, we will now have to teach other people how to navigate around a new change in WordPress. I would like to posit a different way of looking at this. Rather than looking at it as more work that you have to do, let’s look at this as a gift, as an opportunity, as a way of being of service to someone else, as a way to develop stronger relationships with your customers.

You have an opportunity to be of service; you have an opportunity to make someone’s life easier. Let’s see what we can do with that, and with me preaching at you about how you should perceive a change in WordPress, let’s call that the news. Thanks for listening. Up next, we have our interview with Jon Bius from Biz Tools One. Enjoy.

Hi, everyone. I am here with Jon Bius. He is with Biz Tools One. It is a digital agency in Fayetteville, North Carolina. They are one of our larger customers using Wordfence for their customers. Jon and I have had a number of conversations about some of the unique things that their agency does. I thought it would be a great way to bring some knowledge about agency processes and other things to us. So Jon, thanks for joining me today.

Jon:
Thank you for having me, Kathy. I appreciate it.

Kathy:
Yeah, no problem. So give me the lowdown about Biz Tools One and what you do there.

Jon:
Yeah. We’re based in Fayetteville, North Carolina. Here in Southeast North Carolina, we’re one of the larger developers in the area, and we work mostly with local businesses in this area, everything from community colleges to plumbers to real estate agents. We do have a few websites, a few customers around the country, but most of it is located here locally. So we get to have plenty of face-to-face interaction with the clients and make sure their needs are taken care of. We tell them we’re in the handholding business, and we try to make sure that they’re squared away with their website.

Kathy:
That’s great. Now, how many customers or how many websites are you actually managing for customers?

Jon:
Right now, we’re managing close to 500 websites. About 350 of those are WordPress. We’ve still got some old holdouts from the days when we were still developing just in what I call plain HTML. But most of them now are WordPress. We also do the local school system, which is a WordPress multi-site install, and it has about 150 installations on that.

Kathy:
That’s incredible. Obviously, you have all these customers who have different business needs. How does WordPress help you meet those types of business needs with… Do you have certain plugins that are your go-to or certain themes that are your go-to tools?

Jon:
Yeah. Well, one of the things that I think really… When I got here, they were not doing WordPress. I got to this company in 2010 that I’m at now, Biz Tools One, and I had been using it. I started saying, “We might want to look at this. We might want to look at this.” As we started migrating to it, I started showing that the ability to re-theme a website, to have backups through the database, to start off with a fairly stable platform from the very beginning that allowed us to train clients to handle their own sites. Previously, we had been working with clients and training them on a program called Adobe Contribute, which required them to purchase some software, and there were a whole lot of hoops you had to jump through to get that hooked up.

When I started showing my boss, the company owner, “Hey, here’s what you can do with WordPress,” the benefits all around worked for us. He saw it immediately, and we began moving customers onto it because the speed with which we can deploy a very robust platform where the content development can be focused on was immediately apparent. Also, we don’t buy themes and use those for clients. Everything we do is custom built. I’ve never been a fan of taking an existing theme and modifying it even with child themes because every client we’ve ever tried that for, they said, “Yeah, but I want this, and I want that, and I want this.” By the time we put in the development, we’ve spent enough hours that we could just say, “Okay. Let’s just write our own theme for it.” So everything we do for the most part is custom made.

Also, you’d mentioned plugins. I am paranoid about security. So I try to really limit the number of plugins we use. We do have a default set that I like, Wordfence being one of them. But I try to limit the number of plugins we have so that it reduces, I guess you’d say the attack vectors that we have to worry about because stability and security are the two biggest things in my mind when we’re setting up a website for a customer.

Kathy:
Yeah, definitely. Now, I would imagine that having to custom-theme everything takes more time. Doesn’t it?

Jon:
Not really. Because for instance, we can show a customer a theme, and they can say, “Yeah, I like this. But I want to add this over here, and I want to take this away over here, and I want to slide this around over here, and oh yeah, I need this functionality built in. So we need these custom posts built in, and we need some other things.” By the time we end up modifying an existing theme and putting in all the plugins that it takes to get what they want, we’ve found that we’re just as well off to get them exactly what they want. By not having to use so many plugins or existing themes, I think it reduces the vulnerability overall.

It’s worked for us because when… We’ve had clients that have come to us from other places. They would pay just huge sums of money, and they would not be happy with, say the agency they’re working with because they weren’t getting the kind of attention they wanted, and they would come to us, and they would go, “I paid $10,000 for this 12,000, 15,000, 20,000 dollars for this.” We would look at it, and we would kind of laugh and go… They bought an off-the-shelf theme for $90 and did a child theme that took a couple of hours. But the client wasn’t happy with the site, and it wasn’t unique for them. Now, the client’s unhappy because they’ve spent a lot of money. That’s not what they want.

Here in Fayetteville, if we told people… if we quoted Atlanta prices, Charlotte prices, those kinds of things, they would have a heart attack, and we can do development for a lot less, deliver them a custom-built website. We’ve been around for 19 years, and we’ve been having growth every single year. So it’s kind of a formula that we found works, and we stick with it. And we have tried. Let’s get some off-the-shelf themes and work with those. They look okay. But I mean, literally every single time, the client goes, “Well, we also want to do this. We want to do this.” We continue to develop, and we have to start tweaking on it. At some point, we realized, “We’re putting in enough hours that just doing it custom works well.”

Now, when I say we do it custom, it’s not like we start off in Notepad every time with a blank page and just start coding PHP. There’s already some framework that we have that we use. I guess in a way, it’s almost taking our own theme that we’ve developed and doing a child theme of it in WordPress terms. So we’re not just starting from absolute zero each time. But we do find that just let’s give people a custom design, and they really like it.

Kathy:
It sounds like that custom design gives you greater flexibility in the long run and that that flexibility is what actually ends up working better, not only for your customers but for you, too?

Jon:
Oh, yeah. Yeah. We’ve had customers come to us that an existing developer would have done their site for them and used the method that most folks do. I understand why most folks do it. But they would take a pre-built theme. They would do a child theme, and the customer would come to us and go, “Look, I’ve been asking him for this and for this and for this.” Clients had told us that either their agency would say, “That’s not possible. We can’t do that.” Or they would try to do it, and it didn’t work out. We want to be able, when somebody comes to us and says, “Well, I want to do this, and I want to do this, and I want to do this,” to go, “All right, not a problem.”

What I tell clients is the only two limitations there are are time and money. Sometimes people ask us for something, and we go, “Yeah, that’s going to be 25 hours, and here’s how much that’s going to cost.” They’ll go, “Oh, that’s a little more than I wanted for that functionality.” But then we’re usually able to go, “Okay. 25 hours might get you the 100% solution. Here’s a 90% solution for 10 hours. Then here’s something you can use native to WordPress to get you a 70% solution, but it’s already baked in, and you can do it yourself.”

So it gives us a lot of flexibility, and because we know the underlying code, we know exactly how the site is built and what it’s going to take to change it and make it do what we want. Clients love that.

Kathy:
Yeah, I bet. Now, does WordPress give you a competitive advantage in the market?

Jon:
Oh, absolutely. When a client comes in, so I think they come in, and they say, “I just need a simple shopping cart.” They want to get up and selling quickly. We can get them into a custom look with WordPress and get them exactly what they want. I’ve used other CMS platforms. I don’t do it as much anymore, but when I used to get into the developer forums a lot, and I would see all the arguments between WordPress and all the other platforms that compete with it, I’d always come back and go, “You can say what you want, but WordPress just beats the pants off of them.” The rate of development, the richness of the community that’s out there, the richness of the ecosystem that supports it and all of that gives us the ability to deliver a website that a client can manage.

Because a lot of the agencies that we’ve dealt with, when clients bring us a site, a lot of times I think, and this is one of the weaknesses in our industry is people tend to think in terms of, “Okay, if I’m going to do it for this business, it’s going to be someone who’s familiar with the web that’s going to be handling it.” But in our experience, it’s Sally from accounting or Bob from purchasing, and they’re not happy with Microsoft Word. They hate using that. So when I can bring them in and train them and show them, “Look, you can manage your website, we make it as simple as possible.” We use pages like crazy so that they know that, okay, this block on their home page, you just go to a page and edit that, and it changes the text.

It gives us the ability to deliver something. I’m sitting in the room we train in, and I bring people in this room, and I’ll point them to the big screen, and they’ve told me dozens of times, “Well, I don’t know anything about computers, I’m scared of this.” I’m like, “Don’t worry about it.” By the end of the class, they go, “This isn’t hard at all.” We don’t advertise. Everything we get is word of mouth, and the thing that keeps driving it is that customer service, that we not only build them a website, we train them how to use it, and that’s one of the differentiators, I think, for our business.

Kathy:
That’s really brilliant actually. So do you feel training people using Gutenberg is becoming easier now?

Jon:
Yeah. It’s definitely becoming easier because the old way, I had it down. I mean, even to the stupid jokes that I made in the middle of a training session, it was always the same. When I started doing Gutenberg, I kind of sat by myself one time and gave an imaginary training session, as crazy as that sounded. But I wanted to go, “Okay, how am I going to train this?” The first few times I started doing it, especially because it was constantly evolving, there were some periods that I would find myself saying, “Okay, now to do this, you do this.” Then I would go, “Wait a minute. It’s changed in the interface. It’s moved. It’s been relabeled.”

Now that it seems to be a little more stable and I’ve done it more often and I’m using it, I think what’s helped is I’m using it in my own personal use of WordPress. I’m now able to say, “Okay, let me take all the tasks that I used to train people on in the old system, focus on the tasks and ignore the interface.” That has seemed to be the path to success because nobody sits here and looks at it and says, “Well, that doesn’t look like Microsoft Word.” I just tell them, “Here’s something you’ve never seen before. Here’s how you do it.” I finally did one the other day, and I got finished. The two questions I always ask people, I say, “Do you have any questions about anything I’ve covered, or did you come in with questions that I have not answered?”

The client that I was training, they said, “Nope. Nope. You’ve covered it all, and this seems real easy.” Inside I said, “Yes. Okay. Now, just remember what you did and repeat this every time.”

Kathy:
Yeah. Exactly. It sounds like training and really kind of being sort of the IT and WordPress specialist for your customers is what makes Biz Tools One successful.

Jon:
Yeah. Yeah. I hear my boss when he’s doing sales calls, he tells people, “We’re in the handholding business.” Because I don’t know anything about real estate. I don’t know about plumbing. I don’t know about being an educator or a dentist or any of those things. That’s why I go to those people. They come to us because they want a website. When we ask people, “Well, what do you want on your website?” Nine times out of 10, they go, “I have no idea.” So everything from helping them decide what needs to go on the website to working with them on the basic verbiage to training them, setting up emails.

There’ve been plenty of times that I’ve sat in here with clients and essentially given them a condensed marketing plan for how you use your website to generate revenue either directly or indirectly and how you tie it into your social media campaigns and how you tie it into this and how you do that. Because most of them don’t know. We try to give them the straight scoop.

Kathy:
Talk to me again about… We talked a little bit about security. How does security and sort of using Wordfence, how does that help your agency?

Jon:
Yeah. Well, one of the things that I think helps with our security is I’m paranoid. I come from a military background. So thinking in terms of security is not new to me. Understanding that there’s always a threat out there and having seen it real-world, it’s easy to translate it into the digital world. Plus at a previous job I had, I worked with a guy who is, in my opinion, the best IT professional I’ve ever worked with, and he taught me so much about security and showed me, “Okay, here’s 20 different ways you can get into a web server that…” He wasn’t doing it illegally.

I mean, we would just set up a testing environment. He would show, “Okay, lock it down, and let me show you what you can do.” When I started seeing how vulnerable systems are, even when people think they’re doing a really good job with doing those, securing those, how vulnerable they can be, when we started getting into WordPress and we started early on seeing some security issues, that’s first when we found Wordfence, and we immediately saw the benefits that it had. But we translated it into everything we do.

When clients say, “Hey, we want to use this plugin,” we examine the plugin. If it doesn’t meet certain criteria that we think are going to make sure that it’s secure, it’s being continually developed, it’s got a good user base, we tell them, “Look, we’re not able to do it.” Now, we’ll give them an alternative. We’ll say, “Hey, we can bake it into the theme this way.” But every single thing we do has to pass the security test. Even the hosting platforms that we’re on, we try to make sure we’re really on some good stable platforms.

I will say this. You would expect me on a podcast like this to brag on Wordfence, but I say it truthfully. We had for the longest time been using the free version, and it worked well. But you remember, we had some issues with some sites that there was an exploit that came in that if you were on the free version, you didn’t immediately get all of the updates to protect against it. It really created some issues for us. I went to my boss, and he didn’t argue with me. I said, “We need to get paid licenses for everybody.” I think we bought like 200 at one time. But that has been a great, great benefit to us.

Now, from an agency standpoint, it’s easy to pass that cost along. You can roll that into a security package. It can include SSL and the hosting that you’re on, assuming you’re on some good secure hosting. But Wordfence and then just a very strict stance on security has helped us be as secure as possible. But we also recognize you’re never absolutely secure. I’m always paranoid whenever a client contacts me and says, “Hey, something’s weird about my website.” It may just be that they put in a photo wrong, and it’s stretching out the page or something. But I go in and I go, “Well, let me make sure nothing weird is going on.” So it’s baked into our DNA on everything we do.

Kathy:
Yeah. Well it sounds like the whole attitude that you guys have of let’s make sure that this website works for this customer, and if that means we have to educate this customer and teach them and go the extra mile and handholding them, we’re going to make sure this website works for them and then that security, sort of like the piece of or the cherry on top of the cake of that customer attention that you’re giving of just making sure that… Because nobody expects that their site is going to get hacked. Yet there’s hackers out there all the time targeting it. It’s up to agencies like you and security professionals like me to make sure that those people who don’t know are educated and that they do know that there are risks out there, but that we’ve got their back, right?

Jon:
Yeah. That’s one of the things that I love about Wordfence is sometimes clients will say, “Well, you’ve got this annual security fee that we pay. What does that really do?” All I show them is the log of who’s trying to hack into their site.

Kathy:
Really?

Jon:
I just go, “Look at this. Do you see this? Do you see how many intrusion attempts there were today?” They go, “You’re kidding me.” What people don’t understand is when they think hacking, they think Hollywood. They think, “Why would anybody hack into my website as a real estate agent or as a dentist?” One of the things we train them on is why sites are hacked. I tell people, “Look, we love you as a client, but the hackers don’t care about you. They don’t care about what you’re doing. They’re not trying to get your stuff. They’re trying to use your platform, and they’re looking for vulnerabilities.” Because a lot of times people think, “Well, I don’t need this because who would hack me?”

Well, it’s not YOU they’re hacking. It’s the machine. They want to use the machine. When we start educating them on what happens, after a while they either get it or they go, “Well, I don’t understand this, but I trust you then.” Then that’s long-term. They know we’re looking out for them. We do it in more than just, say, with Wordfence and other software. When we set up emails for people, we pound into their head about secure passwords. When people leave a company, we talk to them about, “Okay. You might want to consider changing your passwords.” If they say, “Well, we want three people to share our account on WordPress.” “No, no. You need three different accounts.”

We don’t give people administrator access. We give them the minimum rights necessary to do just what they need to do. They see that in everything we do. It’s sometimes just kind of funny. I’ll have clients call me up, and they’ll go, “Hey, I need to change the password on my email or my WordPress site.” I always ask them, “Well, what would you like it to be?” I had one the other day that they mentioned the street that their business is located on and then one, two, three, four. I have known him long enough, and I said, “Are you really bringing that password to me?” They kind of laughed. They said, “I’m sorry. Is that not a good one?” I said, “If you ever ask for a password like that again, I’m going to give you a 256 character password.”

But I try to educate them on what makes a good password. Again, it gets to that service thing. But as a small business, I mean, there’s only three of us here. There’s three of us that manage 500 websites, 350 or so are WordPress. We can’t afford for things to go wrong. So I want them to think about secure passwords, to think about these things because it helps our platform to be more stable and reduces the number of phone calls that I get and problems we have. Because if you’ve ever seen a place get badly hacked, I mean, just files being deleted from the server, it’s ugly.

Kathy:
Yeah. I’ve been there.

Jon:
It’s a helpless feeling. We were talking to one of our clients, and I won’t go into too much detail about who they were, but they were a large entity, and their entire network was hacked, I mean, to the point they were having to buy new computers. It wasn’t anything we did. I mean, it was an internal thing. But just to watch the meltdown they had, it was awful. So we really try to get people to understand this is important stuff. This is not something that is just in the movies or doesn’t apply to you because you’re a small business. Security is a big deal.

Kathy:
It is. One of the benefits that I think you have that I’m sort of jealous about because I get to talk on these broad strokes of like, use two-factor authentication, use strong passwords, and it’s very general, and it’s just good security advice. But you get to contextually walk a customer through, “Hey, you’re doing this right now.” You get sort of those natural consequences. I mean, you could tell your kids, “Say no drugs.” But wait till you’ve got a kid who is having a challenge at school right then and there, and it’s like you have a very contextual learning experience that you get to show your customers, “Here’s a security issue right here, right now that we’re going through, and I’m going to help you through that.” So you get the benefit of them really having a positive learning experience with you that they’re going to remember.

Jon:
Yeah. Yeah. I’ve told a few people, and I’ve said, “Understand, if we run into security issues,” to put it in the terms you just used, “You’re going to have a negative learning experience, and then you’re going to have a positive learning experience.” Because there are times when we will find a problem, and we’ll go through it, and we’ll get it resolved, and then we’ll kind of do an after-action report to see what happened. There’ve been a few times that a customer would go, “Okay, what happened?” I’d say, “Well, you know your password that you changed three weeks ago, even though WordPress accepted it, you didn’t go all green. If it’s not all green, it’s not all good, and somebody would think of that password.”

Or somebody would use the same password on all of their stuff. When you demonstrate to them what can happen and show them and can give them real world experience, I mean, this is not WordPress related, but ransomware, a few years ago, it was huge and there are still problems with it. We’ve talked to clients about email security and ransomware. We actually had one client that called up and said, “Well, how do I…” The first question they said was, “What’s Bitcoin?” I said, “Why are you asking about Bitcoin?” They said, “Well, how would I know if I got this ransomware stuff?” I talked to them and come to find out they had gotten hit.

So I started asking them some questions about backups and things like that, and they were talking about, “My computer’s locked up.” They said, “I know it must’ve been from this one email I got because I forwarded it to one of my coworkers, and her machine’s locked up now, too.”

Kathy:
Oh, no.

Jon:
So I can, I can talk to customers, and a few of them will call me and go, “Okay, Jon. You’ve gotten me paranoid enough that I got this email in, and I’m not touching it.” I’ll ask them some questions about it, and I teach them because they’ve heard those stories, and they know how devastating it can be to their business. But if they just take a few simple steps. It’s the same way with using WordPress, and Wordfence is one of those simple steps. How hard is it to install the plugin? Yeah. You got to pay the license fee, but how much more does it cost to get hacked and have to deal with that and potentially lose the client rather than, “Okay, we’ve got something here that works.”

Kathy:
Because of that and because of these new threats and because of the ransomware and the phishing and everything, it is a constant battle to just educate everyone that you can that these threats do exist and how to identify them and protect themselves because it’s really the weakest link in any security is going to be, it’s going to have a heartbeat rather than a plug. It’s always the humans.

Jon:
Right there on the front lines, y’all are on the front lines of it, but the agencies have to be right there shoulder to shoulder with you because again… But for obvious reasons, I sound like I’m tooting our horn, but I think we do a good job. When we take over websites from other agencies, and these are not fly-by-night kind of agencies. We had one recently that we took over, and if you go to look at the agency’s website, it’s all bright and happy, and man, they had taco Tuesday, and you know, they leave early on Friday, and they’ve got the ping-pong room, and everybody’s got these creative names for their job titles and all of this stuff.

When we made a copy of their site, put it on our server for analysis to see whether we could use it or whether we had to rebuild it or whatever, it was several versions outdated. WordPress was several versions outdated. There were 56 plugins installed on it. Some were active, some were not. Some had been out of date for two and three years, no longer in development. We had to look at it and just basically say, “You know what, we’re going to mimic the design because we had the rights to do so. We’re going to mimic the design, but we’re just going to basically rebuild the whole house and just make it look like the old one.” It was from an agency that if you looked at it, and you read their stuff, you would think, “Man, they should know what they’re doing.”

But sometimes people get lazy about security, and they’re more focused on, “Okay, let’s get this one done. It looks good. We can put it in our portfolio and move on to the next one.” But the way we try to approach it is if that website still isn’t performing for the customer, and if the customer isn’t happy with it two years later, then we’ve failed. One time my boss asked me, he said, “Have you ever been happy with any website we’ve taken over?” I had to tell him, “Not so far.” It’s been dozens and dozens and dozens. But it’s just simple stuff that we have to pay attention to for the client because they don’t know this stuff. When it comes down to just something as simple as saying, “Okay. They need this functionality. A plugin is appropriate for it. Here’s this plugin that we could use, and here’s this other plugin that we could use. Which one is the most secure, and which one is more actively developed?”

If it means telling the client, “Yeah. We could use that free plugin you suggested, but you’re going to get a safer, better experience if we spend $39 on this other one,” then we need to insist on that for their behalf.

Kathy:
Well you are sort of the tour guide for WordPress for the customer, and they rely on that expertise. So for them to have… I think if I was going to develop a website or hire an agency to develop a website because I don’t have the bandwidth for that, I would talk to you guys because you’re definitely covering not only the security bases but the SEO bases and the foundations that any small business needs in order to be successful so that they can focus on growing their business in the real world, and you guys kind of take care of that online world and make that easier for them.

Jon:
Yeah. Yeah. Because, well, there’s so many voices competing. I mean, we get people in all the time, and they say, “Well, I see this thing from this hosting company that I can do this for 3.99 a month, or I can do this for free. Why would I pay you several thousand dollars to do it?” We can go through and show them all of these things. I mean, a list of things as long as your arm, here’s what we’re doing. There have been a few times that people would say, “That all looks really good, but I’m going to go off, and I’m going to do this myself for $3.99 a month because the guy that I talked to on the phone that’s trying to sell me a domain name and cheap hosting said it’s easy and anybody can do it.”

Quite often, we hear from them six months later, and they go, “It just isn’t working.” Because the analogy I use, it’s kind of like modern cars. You no longer have the shade-tree mechanic like I used to see when I was growing up. You’d pull up your car, and some guy with a greasy hat on would dig up under it and say, “Well, it’s your carburetor there, bud.” Now, car repair is an IT job. They do all these computer diagnostics, and I tell people you wouldn’t go buy some off-the-shelf piece of software that says for $3.99, you can diagnose and fix your car. You wouldn’t do it. Your website is as complicated as your car’s engine. If you want to do this, understand the job of web developer is a real job that requires real knowledge and real experience.

We feel like we can… Between my boss and I, we’ve got close to 45 years’ experience. I’ve worked on, built, developed, managed, whatever you want to call it, over 2000 websites. He’s probably done as many. So when somebody says, “Well, I think I can do it myself for 3.99,” he’s more of a diplomat. He’ll continue talking about, “Well, here’s the advantages we bring to the table.” If I’m to him, I just go, “All right. Hope it works out for you.” Because I don’t know what else to say.

Kathy:
Yeah. Yeah. That is definitely a tough one. But it sounds like being able to educate them and get them to the point where they can let go of the places where they’re not experts and let the experts do what the experts need to do and be better off for it, sounds like you guys are perfectly set up to do that kind of education and training. So that’s always a positive.

Jon:
Yeah, absolutely. It’s what we’ve built the business on really because we’ve… My boss, he’s owned this business for 19 years, and I came along 10 years ago. So he had built that foundation. The experience I brought in and bringing in, let’s focus on WordPress and security and some other things, it’s just really been a good combination. But it could be replicated anywhere. We’re not doing anything… I think part of the reason that I don’t see it as often is it’s not something that’s flashy or sexy or has a cool title to it. But just bringing somebody in and going, “Look, here’s how you insert a gallery, and let me make sure you can do it. If you continue having problems, call me, and I’ll talk you through it on the phone. I’ll send you some screenshots in email.”

That’s the hard work down in the trenches day-to-day that keeps people with you for year, after year, after year, and they tell their friends about it. People call us up and go, “Hey, so-and-so told us about you. What can we do for you?” Because I feel like if we can get in front of somebody and show them what we bring to the table, we can get anybody’s business. It also means, at the same time, knowing when it’s too big for you, when it’s too much for you. That’s a thing that I see some agencies do that we try to avoid. We’ve had clients come to us, and they would say, “Here’s this really big project.” Yeah, there could be a lot of money in it, but we would go, “You know what, that’s not the core business we focus on.” We’ve told people, “You know what, we appreciate you thinking of us, but we’re not going to bid on this because here’s why.” They appreciate that.

Kathy:
Yeah. Yeah. It’s important to know your capabilities and your limits and what you can handle.

Jon:
Yeah. To quote that great philosopher Dirty Harry, “A man’s got to know his limitations.”

Kathy:
Definitely. It’s looking like we’ve hit our limitation of an hour. But Jon, I’m so grateful that you took an hour out of your day to talk to me today about what Biz Tools One is doing and all of the knowledge you’ve picked up over the years. I think a lot of people who are in the WordPress world helping other clients or helping their clients develop WordPress websites can learn a lot from this. So thank you so much. If somebody wanted to connect with you, where could they find you online?

Jon:
Yeah. If you just go to biztoolsone.com, we’re right there, biztoolsone.com. Like I said, we focus locally, but we’ve got clients across the country. So if anybody does want to talk either from a, “Hey, they want to engage us for something like that.” Or if somebody just wanted to contact us and ask for me and say, “Hey, we’re considering Wordfence. What do you think of it?” I’ll tell them all about it.

Kathy:
Awesome. Well, appreciate that. Thank you so much.

Jon:
Thank you for having me. I appreciate it.

Kathy:
We hope you enjoyed this episode 70 from Think Like a Hacker. We would love to have a review from you. If this podcast has helped you in any area of your life, any area of your business, has helped you understand WordPress security or innovation in a new way, leave us a review wherever you’re listening to Think Like a Hacker. Contact me on Twitter @Kathyzant or kathy@wordfence.com. We’d love to hear from you, and we will talk to you next week. Thanks for listening.

The post Episode 70: Customer Education and Agency Resiliency with Jon Bius appeared first on Wordfence.

Safe Browsing During a Pandemic: How to Spot COVID-19 Phishing Campaigns

Online bad actors tend to take advantage of tragedy for their own gain – and the coronavirus is no different.

While we would hope that cybercriminals would be sympathetic during a global health crisis, it already appears this may be a pipe dream. As the virus spread across the world causing shutdowns and quarantines, cybersecurity analysts began seeing coronavirus and COVID-19-themed cyberattacks in the wild. In the Czech Republic, a hospital that was a designated testing center was hit with ransomware.

Continue reading Safe Browsing During a Pandemic: How to Spot COVID-19 Phishing Campaigns at Sucuri Blog.