Human-Centric Hosting in the Age of AI: Q&A with Zach Aufort of BigScoots

Length: 49 minutes
Published 27 June 2025

What you're going to learn:

  • Why BigScoots treats itself as an application support company first — and a host second
  • How human-first support builds real customer trust (and replaces traditional marketing)
  • The tech stack behind BigScoots' proactive WordPress security — from physical data centers to Cloudflare Magic Transit
  • How they support non-technical customers with plugin issues — and even contact plugin authors on their behalf
  • Why security needs to be visible (but not fear-based) to customers — and how to strike the right balance
  • What happens behind the scenes when a major WordPress vulnerability is discovered
  • Real stories of sneaky malware, Fiverr plugin disasters, and affiliate revenue theft

[00:00:00] Mart: The average WordPress customer is not a super technical person. They probably have a WordPress site because it's easy and probably somebody else made it.

[00:00:12] Mart: But when there is a problem and that happens, you can tell him to just Hey, I'm gonna need you to email some guy who made a plugin five years ago. And good luck.

[00:00:21] Zach: Again, we're more hands-on. I like to call us more of an application support company that has data center and does hosting on the side.

[00:00:32] Zach: We are a hosting company, but that's just the way we treat it, is because we're not afraid to get into the weeds with a customer. Especially if for customers not technical. This is really cool for them because we're just handling it all. And we know how to talk to that support team way better than they ever will.

[00:00:50] Zach: It's definitely multiple layers, right? So we have our own data center. We own a space in data center facility. It's in, it's like the Old Sears catalog building in Chicago. On the network level, we have Magic Transit, which is like a Cloudflare DDoS product on the server itself that we place our customers, right?

[00:01:06] Zach: So like each one of our customers. Like in our managed WordPress, like it's not a shared hosting. It's like they're all getting their own virtualized environment. For them with dedicated resources. It's about 50 50. Some really care. And they're proactive and they're, they're setting up two factor authentication and WordPress.

[00:01:24] Zach: There's customers that they really care about, not just like user map, access level, but like their site. They'll make sure their web, their plugins are updated. There is a good amount of customers that do just care, but there's also some customers that they just don't even, not even come to mind. Like they just don't, it's not even on their radar.

[00:01:39] Zach: And then until something happens.

[00:01:47] Mart: So like we, we live in this, obviously this age of AI where more and more companies are trying to cut out the human touch and, automate as much as possible. But some companies obviously are taking the opposite approach and BigScoots is one of those companies. So today I wanna dig into that, what it means to have a human centric approach to the hosting business with Zach from BigScoots.

[00:02:13] Mart: And another topic I wanna dig into is security. And especially proactive security. So not just reacting to threats but not proactively stopping them which is obviously a very a big topic in the WordPress space. But before we get into that, Zach, welcome. And tell me just a little bit about, in general, what BigScoots even is and how did you get involved with them and what's your background?

[00:02:42] Zach: Yeah, so BigScoots is a managed web hosting provider. Most of our customers are on WordPress, but we do host other software and platforms and things like that. And we've been around since I believe. 2010 or 11. I came on the company back in 2021, so don't quote me on that exactly.

[00:03:00] Zach: But we've been around for quite a while and basically it's started in the shared web hosting reseller sort of space back then when that was more of a popular service to sell. And then Justin and Scott slowly evolved the company over time into, this big managed WordPress hosting provider and really like where we stand apart from a lot of our competitors and other hosts, in general in hosting industry is that we try to like almost not say no to the customer and just try to do the best possible. Not just be a support, not just be the person that you like, have to, contact when you have a problem, but also be their ally and their partner and making sure that like their website and their business 'cause that's what it is to them.

[00:03:41] Zach: It's not just a website, it's their business is, secure and safe and runs how it should, but also being able to support them on the application level as well with WordPress and troubleshooting things. And, we do a lot, it's hard to fit it all into one talk or one statement, but we do a lot.

[00:03:55] Zach: And then my background I started off, in the web hosting industry, so to speak, back when I was like a teenager kid, I guess you could say. And I, I was one of those people that had like a web hosting company over summer break and stuff like that where people would would always make fun of those, like summer hosts and stuff back in like the two thousands.

[00:04:10] Zach: And then I learned how to be a Linux sysadmin from that experience. And then I really learned how to do that and get in, into Linux and web hosting and things. When I worked at a data center I originally was hired as at a data center, in I think my senior year of high school and it's like this part-time work going there as they needed me.

[00:04:26] Zach: And I really got under the wing of some of the people that worked there and they showed me a lot of like really cool stuff with servers and Linux and managing things. I went from the guy that was like sweeping the floors and cleaning the toilets and stuff to, to more, becoming more like someone that rack servers, some that help with customer issues and tickets and things like that. So I slowly evolved in that. I was in the military for a while, for about seven years, but even during that time, kinda like on side work or for beer money or whatever, I would do stuff in like Linux SysAdmin work, and I had a few clients that I would do things for. And then I got outta the military in 2016. And then I was like in the business startup space, I had a startup, it didn't go so well. And then after a few years of trying that. I had like a small town like it web dev business from about 2018 to 2021.

[00:05:12] Zach: And that was successful. I sold the company it was just a small town company, so I'm not trying to sound like a, I'm like super, sold it for all this money and everything, but I was able to exit that and then I. I went to I got, I took a job at BigScoots and I ended up back in the hosting industry.

[00:05:30] Zach: And it's funny, I was at Cloudfest back in this in March. And like everyone that's been in the hosting industry for a while, it's you'll try to leave it, you'll try to get away from it, but you always end up back here. And it's funny 'cause it's like I started in the hosting industry way back in the two thousands and I'm back here now in my thirties.

[00:05:46] Zach: And it's comfortable. It's industry. I feel like I really fit in. That's my background.

[00:05:50] Mart: I understand that they're hiring children, just like other people are doing lemonade stands in the summer and then there's this guy's doing managed hosting.

[00:05:58] Zach: That was back when I was a much younger.

[00:06:00] Zach: That was, I was a kid. That was a different time. Different time. It's funny 'cause back then, if you went into a network operations center, there'd be like 10 people or 12 people. There'd be like, it'd be all these people, managing things. Things were more expensive.

[00:06:12] Zach: If you had a server, there is. Or a rack, it'd be a lot more expensive than it is nowadays, even with like inflation and everything because it just, there was more human, more people involved. So like back then there was a capacity to hire a guy to help rack servers or clean the bathrooms and take the trash out because there was legitimately like 50 people or 60 people in the office and they just needed somebody to do that sort of thing.

[00:06:34] Zach: I don't know if there's that same opportunity now and it just. Just because of the way so much automation, if you go to a data center now there's one or two people in the whole building, just because of the whole amount of automation. They'll have on-call techs that come in and rack a server or giep and networking things and things like that, but they're there for a couple hours and then they leave.

[00:06:51] Zach: So it's definitely a lot different from then, from now, the amount of manpower they need in those places. But, so yeah.

[00:07:00] Mart: That's I like that you went into that territory because that really, that sort of like the, man hours and the human thing is something I wanted to start off with because you and BigScoots as well.

[00:07:12] Mart: I. One thing you're very vocal about is being very human centric, quote unquote. Which can be a bit of a buzzword. So that's you can be the most evil company in the world, you, you still wanna call yourself cozy and oh, we're just cute.

[00:07:24] Mart: But but what does it human centric mean for BigScoots? What do you do it differently?

[00:07:28] Mart: Either day in and day out?

[00:07:30] Zach: So I'll state the obvious things and then go into like where we're really unique. Yeah. Obvious things is you're not gonna click on our, on your, our live chat support and get like some AI bot or something that's gonna list you, help center articles.

[00:07:41] Zach: We have our button says, talk to human you. We have multiple, like live, live chat, like sales and customer success people on the front end that you talk to us, you can get somebody like right away, right? 24 hours a day, somebody will talk to you. So there's that human element there. Same with our support tickets and like our Slack support for our bigger customers. You're not getting a bot, you're not getting some automated message. We even try to stray away from using like a macro or like a copy paste sort of snippet for support. We really try to like get in there and write.

[00:08:10] Zach: We still have some things, right? You can't. If we automate like your delivery email, like we're not gonna write that every single time. But just in general, a support issue, it's not gonna be some automated macro or snippet response or copy paste. So a human's gonna look at your issue and they're gonna type out an actual paragraph or two of what's going on and how to fix it and send it to you.

[00:08:27] Zach: And it's so it's, it's such a breath of fresh air for a lot of people that, like they go to among other hosts and it's oh, hey, I have a plugin issue. And then it's okay, they just get some help center article about how you should deactivate your plugin. Gets one by one until you find the issue.

[00:08:39] Zach: And it's seems very impersonal to the customer. 'cause they're just like almost, it's something they could have just Googled. It's it's not even really specific support to that company. It's just like this. Message from AI or an LLM or their help desk that just just throw it on their desk and they're like, oh, I don't even know what to do with this.

[00:08:54] Zach: Yeah. So our human approach just going into how we deal with customers. So again, we're more hands-on. I like to call us more of an application support company that has data center and does hosting on the side. We are a hosting company, but that's just the way we treat it, is because, we're not afraid to get into the weeds with a customer.

[00:09:12] Zach: If they have a plugin, say they have a plugin that conflicts with another plugin, we'll go in and we'll like, troubleshoot and look at the logs and we'll be like, okay, if I deact this one and keep this one activated, this error produces we'll go and we'll like. Reference lines of code for an error or an issue or something is happening on their website and instead of saying oh, you have this plugin issue with your website, just contact your plugin author like you, whoever it is, like Yo or Elementor, whoever their plugin author is, instead of telling 'em just to do that, we'd be like, oh, hey, you should contact your plugin support team and tell them, this file at this line number is producing this exact PHP fatal error. And like we give this whole statement that they can just copy and paste and submit it to their plugin support team and like they don't even have to be technical. They can just do this. And then also, like if it's a popular plugin or something like that, we're connected with all these people.

[00:10:03] Zach: We'll just say, Hey, we're reaching out to. This theme or plugin, author or so, their support team or company and gonna get an answer for you. And this, especially for customers not technical, this is really cool for them because we're just handling it all and we know how to talk to that.

[00:10:18] Zach: Support team way better than they ever will. We'll just, throw the facts out and the files and the line numbers, all the things they need to diagnose the issue. And it's just like that human hands-on, just like solving the problem for the customer no matter what. And it sounds like it's, it is labor intensive, right?

[00:10:32] Zach: We have a lot of staff. We probably have more staff per customers than other hosting companies. But that being said, if I solve a. A plugin issue with a popular plugin, and we have three or 4,000 customer like set sites on our network that are using that same plugin. I almost reduced the amount of labor now because instead of having to tell each.

[00:10:51] Zach: Thousand tickets that come through about this issue. I already told the plugin author, the plugin support team about this, and they're just gonna go and publish an update and it just gets fixed. And a majority of customers willing to run into an issue. We take this approach and it, also has just helped us grow as a company.

[00:11:05] Zach: 'cause people really like that. I think it's a breath of fresh air for the customers because they're really not used to this, like handholding or this. This, human approach to support where you're getting a real person that can solve the problem, and also we try to avoid escalations.

[00:11:19] Zach: You get a real, it's really annoying. You go to a company and you submit a support ticket or whatever, and they're like, oh, we need to escalate it. Oh, my manager needs to deal with it. Oh, we need the senior level team, blah, blah, blah. It's so frustrating to have that and like. We're very selective about who we hire and who you're talking to first is usually who's gonna solve a problem for you.

[00:11:37] Zach: And that I think a lot of customers also appreciate so that they're not getting bounced around and forth. We're just gonna do it. And even if we can like I'll be honest with you, like I'm not like a network guy, right? I don't know a lot about networking, so I may talk to my network engineer. But I'm still gonna just follow up with the customer about it.

[00:11:53] Zach: I'm not gonna tell the customer I escalated it or anything to the network guy. I'm just gonna get it done all within the ticket, track their problem and get it done. So that kind of human approach, we just try to be, just try to do the best thing for the customer. And it's hard to put into words, but if you just signed up for a couple of months and you've put in some tickets and dealt with us, I think you'd experience like you'd understand better.

[00:12:11] Zach: It's, but yeah, we're just trying to be there for them,

[00:12:13] Mart: because it's let's be honest, like the average WordPress customer is not, your super technical person. They probably have a WordPress site because it's easy and probably somebody else made it. But when there is a problem and that happens right?

[00:12:25] Mart: With so many plugins around, whether it's whether it's, security or some other issue. That's, they you can tell them to just Hey, I'm gonna need to I'm gonna need you to email some guy who made a plugin, five years ago and good luck, yep.

[00:12:39] Mart: But it's another thing that you're that's that's interesting is that sort of proactive approach, right? If you get a plugin issue fixed. It's smart thinking. Like you get a plugin fixed instead of, resolving just the support ticket and you know that by, by, extension preemptively solves like a lot of other issues for you there.

[00:12:58] Mart: That's that's business impact. That's like basically a lot of money saved. But what else would you be like because I could totally see there if, people might say that hey, you have, too much staff. Like you you're spending too much. But what other like business benefit can you bring out, of this human centered approach?

[00:13:16] Zach: So we don't do like any paid advertising. We're very strictly word of mouth business and having this approach where we just do them, absolute best thing we can do for the customer. Try to treat them like royalty almost. They it just, they tell people about us. We are in a lot of different niches of space, of people that have WordPress sites and e-commerce and food blogging and all these industries and our name just gets passed around.

[00:13:43] Zach: And we're not paying these customers. We don't pay influencer. Like it's all just us. Our word of mouth, the only thing we really pay for. And as like we go to conferences like WordCamp and Cloudfest and stuff. But it's, that's, we're not like advertising per se. We're just there to, 'cause our customers are there and we want to talk to them.

[00:13:59] Zach: So we definitely it's helped us being that hands-on with the support, the word of mouth, advertising or marketing. I think it's something that it's, it's benefited us in that regard. People just sing our praises,

[00:14:11] Mart: yeah. 'cause I think you said last time we spoke that going above and beyond is the marketing spend for you.

[00:14:19] Mart: Yeah, pretty much. Which is like a pretty, pretty good way of, explaining how word of mouth works. And that's as a marketing guy, I gotta agree that's I think that, good experience that's invaluable. If you can achieve that's like the most important thing that, that's part of brand, yeah. Yeah. Conferences though, again, last time we spoke, you do conferences a little bit differently as well? I think it was, which was it also Cloudfest, where you just basically went there and started doing support tickets?

[00:14:48] Zach: No, that was customer support tastemaker. So we were at Tastemaker which is like a big kind of food, influencer food blogger industry. I wouldn't say all of them are bloggers. Some of them are just on Instagram or TikTok or stuff like that. But we do have a large percentage of our customers that were there. So we just showed up on site. I brought my laptop and just put it down on a desk and we were just supporting customers there.

[00:15:10] Zach: We were just dealing with issues. And even if it was something I couldn't I could handle 90% of the stuff that came there, but even if they couldn't deal with it, like I was just. On the phone with my other staff members and we're just like knocking out issues for customers. And that was a really cool experience and, it was we still so like in the conferences, they have those, like one-on-one meeting rooms or whatever for these sort of things. And we like had our, had we like rented a table for the whole day, two days, like in that room. And we and then there's all these other companies there and they're mostly salespeople.

[00:15:40] Zach: Like they're selling this and they're trying to do one-on-one meetings and stuff. And I felt like a little, bad for them because the other like vendors there because like literally there's like all these couches in the room, right? And and like where people could sit to wait for them and everyone is sitting on all these couches and standing up was waiting for me.

[00:15:59] Zach: Not anyone else in the room just to come in and deal with their issue. And it, it sounds bad like all these customers have these issues and their, it's not that, it's like they were coming to me 'cause they were like, oh, I have a Google search console issue. Can you look at my Google search console property and be like, oh, what is this 404 mean?

[00:16:15] Zach: Or like, why does my WP admin. Page noindex and be like it's supposed to be that way. 'cause the robots.txt. And just sitting there and explaining and, a lot of these people weren't coming to me with a technical problem. 'cause like I said, we are proactive with that.

[00:16:27] Zach: It was more, more or less like them just coming to me for advice and feedback and input. Or some of them talked to a vendor and they're like, Hey, this SEO guy said I should do this, and this. And I'm like I'm not SEO, but I deal with the plugins and everything all the time. This is from a technical perspective, this is what I see. So we did a lot of that and just and it was awesome to see like all our customers next year we're gonna have more support techs there just to get through the queue faster. But it was definitely a cool experience. I was in Las Vegas back in January I definitely, that was a cool, I think anyone that really values like dealing with the customer there, and I'm not trying to like sidetrack the conversation off your question a little bit, but like also everyone at BigScoots, is customer facing at one point of or another. There's not like just people that only do support and then a tier two and a tier three or management or executive level, like pretty much everyone. Our CEO of Scott, he goes on our live chats and tickets a couple hours a day. Like I manage our performance and security team at BigScoots, but I'm in the tickets for half the day.

[00:17:24] Zach: I was, before I got on this call, I was in a meeting and then I was like doing I did 10 or 12 support tickets like this morning, we're just always have that human first approach and we try not to like. No one's too good to deal with a customer ticket or a problem at our company.

[00:17:37] Zach: We really try to like even our like COO and everyone else is always like in there dealing with a customer and it's a customer first approach for that. So I think that's also something as a company that like people value is that we're not like, there's not just some like call center somewhere that deals with the customers and then all these management people that do something else know, like everyone in the company is dealing with a customer and doing it and is, it.

[00:18:02] Zach: All levels.

[00:18:02] Mart: Yeah, it's a very startup like approach, right? Almost it's that everybody has to get their hands dirty, so there's no special sort of treatment. And it's I like the conference example because it's very much like show and tell. So if you are selling, you know that as you, I think you put it very well by saying that, it's, an application security company doing hosting.

[00:18:23] Mart: I wanted to also talk about security. 'cause what's a Patchstack video with our, getting into that topic. So that's also probably, that lands on your desk quite a lot as well. And, we can talk about all aspects of it, but, uh. I, again, like keeping with this theme of being proactive.

[00:18:39] Mart: So how do you, like what kind of a security stack do you use? To proactively protect your, I, most of the WordPress customers, from all the threats that, that, potentially are out there.

[00:18:50] Zach: Yeah. So it's definitely multiple layers, right? So we have our own data center we control everything from like, all the way to, to the network switches and routers and things, and plugging the cable into the server and the racks are on.

[00:19:02] Zach: And so it's obviously like the physical security. We're in a. Like we have a, we own a space in a data center facility. It's in, it's like the Old Sears catalog building in Chicago and where they printed them and they converted data centers, Google and Amazon, all these other people, providers in that building.

[00:19:18] Zach: We have our space in there that we own and then so there's a physical security aspect to there, obviously no one can go in the data center just like. On their own free will and mess with things is security and layers there on the network level. Obviously we have we have Magic Transit, which is like a Cloudflare DDoS product.

[00:19:36] Zach: That's, every customer gets that, whether they're on, whether they're not or not, they're using Cloudflare for DNS. They get Magic Transit DDoS protection. There's a few other security aspects. I'm not a network guy, so don't, don't shoot the messenger here. Like I'm not trying to say I'm not like the best about network security things, we do have other things basic rules and stuff like that set up on our, on the network level to help with issues and block common IPs and that are known as malicious and things like that.

[00:20:00] Zach: Then, on the server itself that we place our customers, right? So like each one of our customers, like in our managed WordPress, like it's not a shared hosting, it's like they're all getting their own virtualized environment for them with dedicated resources. It's not really security, but like one customer can't step on another, right?

[00:20:15] Zach: So if one customer is getting a ton of traffic or is using a lot of CPU, 'cause they're making like an a, an Ajax call every time someone loads a page or something due to a bad configuration on their site or something like that. If that site's absolutely eating up CPU and memory, they won't step on the other customer.

[00:20:30] Zach: They're in their own environment on their own server. There's no way that's gonna happen there. Bring, and then one customer's not gonna bring down another customer is what I'm trying to say. And then and I know it's not. Typically security. But there's, there is a case where if it was a shared hosting environment, which is not like someone could know, oh, I could take down all these customers if I attack this one site, this, that's not the case with us.

[00:20:49] Zach: So on the web server level, we have basic securities, and it's broad because it, we have to accommodate. We have a WordPress specific security setup on the server, but still we can't control what plugins and themes and what they're using. There always be something that we never heard of that somebody wants to install, right?

[00:21:04] Zach: So we do have like a broad set of security rules on the the server level where, PHP can't run in certain directories, certain directories locked in on file ownership and things like that. Basic Linux system security. We have that going on the web website. We have rate limiting, we know that WP admin and WP login URLs.

[00:21:20] Zach: It should be rate limited. No one needs to hit WP admin 15,000 times in five seconds, right? Like we there's. Things, basic rules that we have there on the server level. And then something big that we are really known for is we're fully integrated with Cloudflare. And that's like kind of does most of our heavy lifting, security wise.

[00:21:38] Zach: I know this is a call with Patchstack, but that's what does most of our call our security like heavy lifting is Cloudflare. So we. We get all of our customers, we set up a Cloudflare account for most of our customers don't even know they're on Cloudflare 'cause our portal is like fully integrated.

[00:21:51] Zach: And they can go through and they can control like their DNS and at the security level, turn on bot fight mode, block IPs, all that stuff can be controlled in our portal through the Cloudflare account. And then we also have Cloudflare Enterprise integration for like our performance and security services that also has like the advanced enterprise web application firewall and things like that and better like honeypots and things that Cloudflare does on their end to.

[00:22:11] Zach: To secure things on the enterprise level. But yeah, we have multifaceted approach. We do, every host does this. It's not, it's, it, we can get into this here, but it's not foolproof. But of course we do like malware scanning and things like that. We verify checksums to make sure they don't have a wonky WordPress core version and things like that.

[00:22:28] Zach: So we, we do some checks and things here, but it's, it's like I said, we have to accommodate customers and, I will say. Saying it is broad spectrum and has to cover multitude customers. But if we do have a customer that has like a specific security issues that we see all the time, and I'm not talking about Patchstack, I'm just talking general.

[00:22:43] Zach: We know like this one thing's happening, we will lock down that directory on the server so that the way that like it, it, so we can implement some custom rules for the customer on the server level as well. So it's not really like a, there's a multifaceted approach, multiple layers. Like it's not just one thing that secures all of our websites.

[00:22:59] Zach: And then, obviously on this, on the staff level, we have all of our devices are secured that we use. You, we use multifactor authentication we're using VPNs and things like that. We, there's a lot our tunneling, there's a lot of security there that we take internally to make sure that if, even if our, one of our staff members gets compromised, it wouldn't affect our customers.

[00:23:19] Zach: And then, we have. Redundant backups. We have multi, multiple geographic locations, so like we're taking backups for our customers. We have other data centers that we store the backup in case like Chicago burned down again, like it happened like hundreds of years ago. Like we we still have like back if we still have backups in, in in another location of restore customers somewhere.

[00:23:38] Zach: So we, we have a lot of, I know I'm getting disaster recovery and things like that, but we just we take, I'm trying to say is we take like security. Keeping our websites, our customer's websites online. Seriously.

[00:23:49] Mart: So that's, I, earlier I asked about what's the the business benefit of being hands-on and, being human centric, but what's the business? Have you seen like a business benefit from being like very proactive with security. And the reason I'm asking this is that sometimes, when you're very proactive, very good with security, the customer doesn't see anything. So they don't, they never see anything is wrong because everything is taken care of them and they take that for granted maybe.

[00:24:14] Zach: Yeah. So proactive. So we do integrate all of our customers on our managed WordPress plans or WPO, they, in the portal, we integrate with the Patchstack database so that way, we show like all the vulnerabilities for the plugins. So like we tell customers like, Hey, your this plugin should be updated to the latest version because if there's a, a, a.

[00:24:35] Zach: vulnerability spotted in Patchstack database. So we do integrate that. It's a proactive thing and how do we benefit, I'm trying to think of it. So that's something that like customers see in the portal and they value and that's all of our customers regardless if they have Patchstack on their site or a security add-on, we call it like on their site, they still have that.

[00:24:51] Zach: Vulnerability management. And that's been really valuable for some of our customers. It is hard though, like you said. We also show like the, in the 'cause we integrate with Cloudflare Enterprises all in our portal. We show like our I. The WAF analytics, like how many bots were blocked, how many malicious bots, like if they're doing any country blocking, geoblocking, anything that's like that.

[00:25:09] Zach: We show all those events in our portal so that way that the customer can see hey this is, they're taking care of these things for us. And this is like some proof of it, it's hard to you, you draw this fine line with showing like we just try to display as much information to our customers.

[00:25:25] Zach: Not trying to hide anything but there's a certain point where if you display too much information, it could, even though nothing's wrong, it could scare them. And then if you show too little information, they don't think you're doing anything at all. So it's, you have this fine line.

[00:25:38] Zach: You have to walk with the customer. You gotta keep in mind, we have a lot of novice customers, right? So as you may know, if you like, pull up any article on Google about like bot traffic or non-human traffic. 'cause there's like crawlers and stuff. Like a good chunk of the internet is non-human traffic, right?

[00:25:52] Zach: It's bots, crawlers, everything. So if somebody goes and they see on their WAF analytics that we blocked all these bots or something, they're gonna be like, oh, why are so many bots visiting my site? Every website gets visited by a lot of bots. There's nothing, like, you're not getting attacked.

[00:26:08] Zach: But if they don't know that, then they could think it's a security threat. So you gotta be careful of how you communicate that, 'cause you don't wanna scare the customer either, right? But you wanna show 'em you're being proactive there. So that's kinda how we... I do think a lot of our customers, because we're doing monitoring too, we'll monitor their website and if it goes offline, we bring it back online, things like that.

[00:26:28] Zach: So that's all included in our service. I think customers do have a peace of mind, like security wise for the most part. That we're doing something. It's like you said, it's hard to, it's hard to, if somebody's website does get compromised, they think like you did something wrong.

[00:26:42] Zach: And it's hard to prove that we didn't. It's just that, like, this 10-year-old plugin you're using on their website, this needs to go. And it's time. Yeah. So it is always something, but I think generally speaking, we do a decent job of communicating that we're being proactive with their security.

[00:27:00] Zach: Yeah.

[00:27:00] Mart: Because a lot of people, I think in WordPress, maybe in the past used to be more of a thing where people, take this very fear-based approach where they go oh, I wouldn't show you. All these, all that bot traffic, and I'll frame it as like a scary thing to force you to buy like a security thing, but that's not your approach.

[00:27:18] Mart: Or is that a good approach, or what's the alternative? Do you sell it in a way that it doesn't scare people, but also gives a realistic expectation, a realistic sense of mild urgency?

[00:27:33] Zach: Yeah. So definitely just trying to guide them.

[00:27:37] Zach: Just trying to be more of a teacher and be like, hey, you have these plugins that are outdated on your site, you should update them. That would be a good thing to do. So try to be more of a teacher or, I dunno, a guidance counselor or a trainer rather than trying to be, like,

[00:27:54] Zach: somebody that's "you need to do this right now." Try not to be strict and get in their face. But if you guide them, and I think that works not just with security, I think that works with everything in life, right? Whether you're teaching somebody in class or you're raising kids or any of these things.

[00:28:06] Zach: It's better to be more of a guide them along the way and show them the steps and things they need to do rather than just say try give them all this fear. Obviously there's complete red flag situations, right? Like you, if you're like, Hey, like your website's completely compromised, like we need to update this.

[00:28:19] Zach: And it, it's not like a fear, it's just if we don't do this, you're gonna have issues like immediately. And obviously there's things you need to step in and do that, just like anything in life. But generally speaking for something that's. Their site hasn't been compromised, but there's a good chance that it will just be like, Hey, we see this reported in the database.

[00:28:34] Zach: This plugin has been updated in many years. We really advise that you update this. It could lead to, issues. It could lead to like technical debt, things like this. Trying to explain these things to the customer. As a friendly like kind of teacher a trainer guide, guidance person, it, it helps them and makes them trust you more than just like instilling fear in them.

[00:28:52] Mart: And I guess, I was just guessing, if you in any case have this very proactive approach to support and you're always solving their problems, you probably also solve more like a trustworthy guy who you know. Yes. It's like your friendly, good neighborhood mechanic who will tell you, like, hey.

[00:29:10] Mart: Thanks for coming again. But by the way, just think about it, that tread is awful thin.

[00:29:14] Zach: Yeah. Yeah. It's funny you mention that, 'cause I like to tinker on cars and stuff, it's one of my hobbies. And it's funny how if you go to certain mechanics, they'll be like, oh, you need to replace your brakes immediately.

[00:29:24] Zach: You're gonna crash and die and hit a tree. And it's yes, there is situations where that happens, but. Most of the time it's like you're gonna try, so oh, you have 30 or 40% of your brake pads left. Like you should probably consider or start budgeting to replace them here in the next few months.

[00:29:39] Zach: So you'll probably go back to the guy that told you that you should probably replace this soon and budget, rather than the guy that's "you're gonna die in an accident tomorrow." That's lying, 'cause they just wanna make the sale. And going into the hosting thing, I'm not trying to

[00:29:53] Zach: call any names out. I'm not gonna say company names, but there's certain companies that, like, with SSL certificates, right? SSL certificates are completely free, right? You can go get a Let's Encrypt SSL certificate. You can get a certificate from Cloudflare, it's completely free.

[00:30:07] Zach: Whoever controls the private key of the SSL, that's a security risk there, right? But as long as that's secure, every SSL certificate for the most part is the same. It's gonna pop up in the browser, say secure. But there are certain companies that will call you and be like, you don't have this $250 a year SSL certificate.

[00:30:26] Zach: Your website's gonna be hacked and you don't have insurance and all this other stuff with your SSL, and you're running e-commerce and you upgrade to this, like, right now. And it's a sales tactic they do. It's funny because you hear from customers that came from that company and they're like, I really hated ever picking up the phone from them, because half the time it was them trying to instill fear in me and trying to get me to commit to something that was very expensive that I didn't need.

[00:30:52] Zach: We try not to have that image at all. We try to be very friendly and proactive and never force a customer to upgrade or do anything like that.

[00:31:01] Mart: Yeah, I mean it's, they probably appreciate it if you tell them, Hey, by the way it's just SSL, that's, that is, it's a free thing.

[00:31:07] Mart: Yes, that's,

[00:31:08] Zach: yeah.

[00:31:09] Mart: It's the honesty, right? Yeah. Yeah. Just sort of curious, in your experience, how much do regular users care about security, in general?

[00:31:19] Zach: It's about 50/50. Some really care, and they're proactive and they're setting up two-factor authentication in WordPress. Like your CEO said at CloudFest, I do think WordPress needs to integrate two-factor authentication natively in the WordPress core.

[00:31:33] Zach: It shouldn't be a plugin, but anyway, so yes, setting up a two-factor authentication plugin. Or they'll contact us and be like, who's this admin on our site? And we'll be like, oh, this is your developer or whatever. So there's customers that really care about not just, like, user mat access level, but their site.

[00:31:50] Zach: They'll make sure their plugins are updated. They'll ask about PHP versions they're running and things like that. So there is a good amount of customers that do just care, but there's also some customers that, it just doesn't even come to mind. It's not even on their radar.

[00:32:06] Zach: And then until something happens there is some in-between, right? But a majority, it's like they either really care or it's not even something they think about. I do think society's changing a little bit in that regard because people know that cybersecurity and identity theft and all these things are so relevant in the world right now with everything being online. So I do think that there are people that are generally more aware that they need to be secure. I've just seen more and more customers concerned about security.

[00:32:33] Zach: So I do think it's going in a positive direction in that case. So

[00:32:37] Mart: It's going in a positive direction. 'Cause there's also a lot of vibe-coded stuff out there. I think we're gonna have an interesting sort of reality checkup. Keeping our windows closed is important.

[00:32:48] Zach: Yeah. Vibe coding's, definitely... we have developers we recommend to our customers, people we've worked with. And it's not like an affiliate or a referral or anything, but we just know this person puts out secure, not vibe-coded garbage. We know that their work is good.

[00:33:04] Zach: So we, we definitely have recommendations that for customers to work with. And we have like our own internal dev guy too, but it's hard 'cause like we do come across I've seen these plugins or like they, they just have a homemade plugin. 'cause they went and they paid somebody on Fiverr or something, five bucks to make a plugin to accomplish this.

[00:33:21] Zach: And it's really? You can go in the code and you see all the comments in there, like from the AI bot 'cause it'll put like a slash comment like every three lines and you are like, this was. Someone just plugged this into GPT for 15 minutes and came out with this plugin. There's a lot of that.

[00:33:36] Zach: We don't see a lot of that, but I have seen it. I think the WordPress space generally does a good job though, because people will research, like, how many people are using this? So the vibe coding hasn't affected us yet. But I do think maybe a year or two down the line, we may see more of it.

[00:33:54] Zach: But I've seen just a very small bit. A majority of people are at least smart enough to know, okay, is this actually a plugin that people use? Or they'll go on a Facebook group or Instagram or whatever, or a forum or Reddit, and they'll be like, oh, hey, should I use this on my site? So there is quite a bit of people that will research things before they do it, and also it depends. But yeah, there's the oddball case where they just threw together a Fiverr plugin that was put together with ChatGPT in 15 minutes and now their site has a huge gaping security hole, but that's Fiverr plugin

[00:34:24] Mart: is a terrifying, it's a terrifying thought. But talking about plugins and talking about vulnerability,

[00:34:31] Mart: one thing I wanted to ask you is, so we're more on the research side, so we do look into a lot of plugins' code. And it's a mixed batch. There's a lot of interesting stuff going on under the hood. Not always in a positive way, but so when vulnerabilities come up,

[00:34:47] Mart: that's one sort of big risk in WordPress. What do you see on your end? Because you are in the trenches, and when a new vulnerability, like a big one, gets announced, what does that look like from your seat? What does the beginning of a big attack look like?

[00:35:02] Zach: Like a popular plugin. So we'll start seeing we know something's up because we have tens of thou. We have it's in the six, like 10 hundreds of thousands of websites we're hosting and we'll start to see, like a customer will be like, Hey, my website seemed it's redirecting to some weird site or something.

[00:35:18] Zach: And we'll see like a handful of sites. Have issues and then we're like this is interesting, but it's like not enough to put together a pattern, and then all of a sudden you guys will put out like a vulnerability. And I'm not saying you don't catch things early either, but I'm just saying like we, we see a lot of sites you guys put out like a vulnerability and be like, oh wow.

[00:35:35] Zach: This plugin, this major plugin that like almost every site's using has this comp, this, this duplicate page plugin or something has this issue and then there's a hundred thousand sites using it. And we'll see that. And it's a mad dash, it depends on their, on how, what plan they have.

[00:35:50] Zach: 'Cause we have like our mad hosting, like our shared hosting plans, DIY, we don't touch their sites, but on our managed hosting we will, if we think it's enough of a security threat and we know that the plugin author has patched it, then we'll just do a mass update across all.

[00:36:04] Zach: We'll send out an email and be like, doing a mass update and things like that, but, oh, like a forced. It is

[00:36:08] Mart: like a forced update, basically a forced

[00:36:10] Zach: update, because we're like, hey, you're gonna be compromised if you don't do this. So we don't do that all the time. It just depends on the...

[00:36:16] Zach: I don't claim to be like a cybersecurity definition person, but I dunno, what is it like the area or the surface area of the attack? Like how big is it gonna be? Or like that, that, that kind of has the how many sites, because we, we have control over infrastructure and everything, so we can run a few commands and be like, oh what is, how many sites are running?

[00:36:35] Zach: But yeah, or we can also do a security rule, right? 'Cause like I said, all our customers are on Cloudflare, right? So we could do a WAF rule on all their Cloudflare accounts. It's something we prefer to do, rather than a mass update.

[00:36:48] Zach: We'd rather do a WAF rule. So that's something that we can do there. Also on the web server level, if we know it's this directory or whatever, like this thing, we can put a rule in nginx that we're running to block certain things. So it depends, every situation's a little different, but it's definitely not a fun situation if a customer does get hacked or compromised.

[00:37:10] Mart: Yeah, because I imagine, depending on the scale of the issue, that's a lot of support tickets that suddenly need to be dealt with. But we were talking about vulnerabilities and what the attack looks like. Yeah.

[00:37:25] Mart: Actually another thing I wanted to ask is, like, how do you deal with the vulnerabilities as they come in general? Because I know you use Patchstack obviously as one thing but not for all customers. So what's the process there?

[00:37:38] Zach: So we sell Patchstack as a security add-on, right?

[00:37:44] Zach: So it's like a performance and security plan and, our customers, they come to us and they may have a vulnerable plugin. And some customers are just proactive. They're like, oh, security, I want that. They just sign up for it and they have no questions about it. But we do have a good amount of customers that they have a plugin that they can't update because like it has a certain functionality that their entire business runs on. And they got a quote from a developer to, to make a new, a proper developer, not a vibe code, a proper developer to replace the plugin functionality. It was like $30,000 or something, which is completely outta their budget, or like they just need to save up and do it in the future.

[00:38:20] Zach: Or there's something there that they can't just fix it right away. Yeah. And they can't, they don't wanna just wanna turn the lights off on their business and not make money, right? Or do this. That's a situation where we will tell them like, Hey, maybe you did get Patchstack.

[00:38:32] Zach: It'll patch this plugin that's a few years old and a security threat, and at least you can run it. We still recommend you update it when you can, but at least there is something in place there. So Patchstack has really helped with that for a lot of our customers.

[00:38:47] Mart: Yeah. But for those that don't have it yet, what's the best way to mitigate the vulnerabilities?

[00:38:55] Zach: Update, keep your stuff updated, remove plugins that aren't being used or are deactivated. Yeah, that's why we have it in our dashboard, in our portal, that says, hey, update. There's a threat found. You should update that. They can contact us and be like, hey, can you update?

[00:39:12] Zach: We don't, so we don't update plugins automatically for customers just because some of them. There's more customers that don't want us to do this than customers that do, but if somebody submits a support ticket, we will totally do it for them. There is some customers that they just contact us and we just update it for 'em, keep it updated.

[00:39:28] Zach: And we do have some customers, like bigger customers, that are on these maintenance plans and stuff where we do before-and-afters and plugin changes and things like that. But yeah, there's vulnerability. It's hard. If there's one thing I'll say: update your plugins, update your themes.

[00:39:41] Zach: Get rid of stuff that's not being maintained. Get rid of stuff that's deactivated, and check your users on your site. Does your developer from eight years ago still need to be an admin on your site? Probably not. Things like that. Just those sort of things is how we tell customers that aren't using any sort of security product what they should do.

[00:39:58] Zach: And that's just, I think that goes for WordPress in general. That's pretty common sense. So

[00:40:03] Mart: yeah, updating is that's always a good security tip, but it's so also to do it frequently. 'cause as we've seen, it's sometimes the attacks are like pretty fast. So I think the record we've seen this year was like two hours from the disclosure of a vulnerability to like mass attack going out.

[00:40:19] Mart: Whoa.

[00:40:21] Zach: And it's funny, some customers, we get stuck in this, like, every web host says they do vulnerability scanning, they do malware scanning, right? Yeah. But even if they say, oh, we update everything every 30 days or stuff, we've seen so much stuff that's not even 12 hours old and it's hitting sites, and no malware scanner's going to be updated with rules to find that.

[00:40:44] Zach: We have a some people, there's a lot of people that think security is just like back in the day with McAfee or whatever, antivirus back in like 2002. You got like a, a downloaded a stupid like map hack or something for your game. And now your web, your computer's compromised.

[00:40:58] Zach: So you download like McAfee or something and it scans it and it finds the files and deletes them and then everything's fixed. Everything's good. Ah, every everything's solved. That's not like how. Things are, and there's a lot of people that think that's like what we're doing. They think what?

[00:41:10] Zach: We're just like, run this scanner and it finds this file and deletes it, and then everyone's happy and it's there's so things are so much more intricate nowadays with all these vulnerabilities and everything that, like the malware scanning's still good to do, but the idea that it will catch, it'll catch.

[00:41:27] Zach: It's like a baseline thing you do, but it really doesn't catch a lot of malware. And also, when you scan a site with a malware scanner, usually the damage has already been done. If it's found something, the site's already compromised.

[00:41:43] Zach: There have been visitors redirected to some fake Chrome download or something like that. There's a lot of things like that, that people don't. So Patchstack allows customers to be more like, fix your site, if it'll be patch, if they're using it, or we'll see in our vulnerability database like that.

[00:42:02] Zach: So yeah.

[00:42:05] Mart: I would tend to say 30 days is way, way too slow. That's yeah. 'cause it, it is an arms race and, definitely the both the good guys and the bad guys are evolving and, oftentimes bad guys are evolving faster. Yeah. Yeah. Just to wrap this up with something I don't want to say fun.

[00:42:22] Mart: But I do want to say interesting. I do, I did wanna ask you, 'cause again you have a lot of experience just being very like, hands-on and that's super cool. And I wanted to ask you like, what's been like in recent memory or like what comes to mind as a really interesting example of a very, messy malware infection you, that you had to clean up or what's been like a very memorable case where you go ha, clever.

[00:42:43] Zach: Yeah. It is, so there's a lot, right? But it's it becomes like a blur. But our, let me think. Our website like our websites that we've seen, so we had this case where there was this malware and it was, it would inject like JS code in the head of the site and redirect the visitor.

[00:43:02] Zach: Really common. I'm sure you guys have, that's what almost every, yeah, thing's trying to do nowadays. So they were smart enough to, they made this IP list, and I don't think we're special. I think they probably took every web hosting provider's IPs, their support IPs and everything from VPNs and stuff like that, and office IPs.

[00:43:22] Zach: And they made it in this like geo list where like the the JS wouldn't be injected in the head and stuff if somebody visited that site for that. So like a customer would say, Hey, whenever I go to my website, I'm getting redirected. It's hacked, it's compromised. And then I would just pull it up and it, everything was fine.

[00:43:39] Zach: There's no as a, as like a hosting support person, and like obviously like we believe the cost. Like we're not just gonna be like, oh, I don't see it. Good luck. But if they don't have that

[00:43:47] Mart: it works on my machines. That's it

[00:43:48] Zach: works on my machine. Yeah. If they don't have if they're somewhere else where they don't have the same level of support we do, that's probably a response they may get from their web hosting support company like somewhere else.

[00:43:57] Zach: Obviously we have some, we have customers, we're a US-based company and most of our staff are US-based, but we have people that are like digital nomads or they work in other countries and all those other things. So we have a lot of people that they do have to bounce around on VPNs depending on what country they're in and stuff like that.

[00:44:08] Zach: So some of our other staff are like, I definitely see the issue, right? 'Cause they're not on a hosting-defined IP, like from our VPN or office or tunnels or anything like that. So we're like, oh, what's going on here? And so that was an interesting situation where the attacker, the malicious party, knew to block web hosting support IPs because it would make the customer site go more undetected.

[00:44:31] Zach: Like from, 'cause they knew they would submit a support ticket and be like, oh hey. And yeah. Like I said it's what I've also seen other cases where they know if you've. Seen it once or you refresh the page a few times to block you. But yeah, that's something that was memorable that I remember seeing.

[00:44:44] Zach: And like I said, I don't think it was special to BigScoots, I think they just probably got a list of GoDaddy and all these other hosting companies out there and just put 'em on a list to block their IPs. I'm trying to think of anything else. Yeah, that's a big one.

[00:44:57] Zach: Other memorable stuff. There's a few big plugins. I don't wanna name any names, but it really sucks when a SEO plugin or something has a big compromise and then you see, like we were talking earlier, like you see a hundred thousand sites are affected or something like that.

[00:45:08] Zach: That's just never a fun time. And we're scrambling, like you sit in our war room or like Slack, but like our war room and trying to figure out like, what the best way to address this so we have customers don't go offline. So yeah, it just depends. There's, every situation's also situations I've seen is not trying to beat up Fiverr.

[00:45:25] Zach: 'cause I, it's funny, I have run into a couple good people there, but but somebody will like, hire the same a hundred customers end up hiring the same developer. From some freelance site or whatever. And this developer has decided that they're gonna use the, for the past 10 years on every WordPress site, they use the same email and the same password as their like admin, username, password.

[00:45:46] Zach: And so the developer themselves had ill intention, but when they did that, they just didn't, they just they, and then all of a sudden that gets leaked. And then and then you have all these customers with the same developer account or admin account on their website that just gets the compromise and, they go and inject things into the content.

[00:46:03] Zach: That's where it gets really messy, if somebody goes in and starts editing posts and updating affiliate links and stuff. 'Cause some malicious parties will be, I wouldn't say stupid, but they just go and they have a Chrome, like a redirect and download a Chrome and installs a keylogger, and then they steal your identity or information from that, but there's also other

[00:46:27] Zach: malicious parties that'd be like, oh, that'll be easily detected, because everyone's gonna see this fake redirect. And they're like, all right, what if I go into the posts, 'cause I have admin access, and I just update all the Amazon affiliate links to be my Amazon account instead of the website owner's thing.

[00:46:41] Zach: And it could be months before this gets detected. So that's something that's scary, I've seen that once or twice. And that is way more... like the redirect in JS, no one wants their site to be compromised, but it happens for a few hours, it gets fixed and then things are good.

[00:46:57] Zach: But like knowing that like you lost all this affiliate revenue or something like

[00:47:03] Mart: some poor marketing guy probably got the blame for that. It's like, why is the affiliate program not working? But at the same time, some got some guy RN room, it's just like living.

[00:47:14] Zach: Yeah, exactly. So there's, and or then they'll be subtle, like they're not, they know if they know if they update all hundred affiliate links on the site.

[00:47:22] Zach: There's thousands usually, but just example, what if we just do 20, then for them it'll just look like a little drop off of affiliate revenue. But it's oh, that was just natural. And then it, so there's there's some tricky, tricky trick, tricky people out there that will do things like that.

[00:47:37] Zach: And that's almost like the worst type of site compromise, because you can't detect it easily and they just let it sit under the radar. It's like Office Space, the movie, where their idea is we're just gonna take a cent or two out of every check or something like that and it won't get detected.

[00:47:52] Zach: So like that's like that sort of attack is almost worse because it may take months until until it gets detected or caught, yeah,

[00:48:00] Mart: That's super annoying as well, to fix that and to be on the receiving end of that. Yeah. Zach, so we're at time. Thank you so much for sharing, all of your insights and the fun stories at the end.

[00:48:13] Mart: Not fun stories, the educational stories, let's put it that way. Yeah, I think it's I really enjoyed talking more about this sort of this. Why, why we should, keep that human centric approach, I think alive. And I think you made some really good points about there is value in that.

[00:48:29] Mart: So it's, yes, it's, I think, we should keep it up. Thank you Zach once again. And so everybody watching have a great day.

"We’re not just your hosting provider. We’re your support team, your troubleshooting partner, your safety net."

In a world where support tickets often trigger chatbot replies and plugin errors are met with a link to an FAQ, BigScoots is taking a different path. One that puts people, not just platforms, first.

We sat down with Zach Aufort, Performance Engineer at BigScoots, to find out what it really means to be a human-first managed WordPress host in 2025.

From conference support desks to plugin patching to quietly fixing problems before customers even know about them, Zach offered a refreshingly candid look into how BigScoots operates behind the scenes.

Getting to Know Zach

Zach’s route into the industry started early. “I was that kid who ran a web hosting company over summer break,” he laughs. “People made fun of ‘summer hosts’ back in the day, but that’s where I learned Linux and how to support customers.”

He started out sweeping floors at a data center in high school. Over time, he picked up server skills and began handling tickets and infrastructure tasks. After serving in the military for seven years – and taking on Linux admin work on the side – he returned to the tech industry. His own local IT business eventually gave way to his current role at BigScoots, which he joined in 2021.

"Everyone who leaves hosting eventually comes back to it," he jokes. "It’s an industry that pulls you back."

He’s comfortable in the hosting world. "It’s changed a lot. There used to be 50 or 60 people working in a data center. Now, with automation, you’re lucky if you see two."

Starting with a Human Focus in Hosting

"Most of our customers aren't super technical. They’re focused on running their business. So we step in to handle the technical parts that would otherwise derail them."

Zach describes BigScoots as much an application support company as a hosting company. While many providers shy away from plugin conflicts and WordPress-level issues, BigScoots leans in.

"If there's a plugin conflict, we’ll investigate it. We'll go through logs, isolate the issue, and even prepare a full technical breakdown our customers can send to the plugin developer."

They often reach out to plugin authors directly and resolve the issue on the customer’s behalf.

“It’s a hands-on approach. If we can figure it out, why force a non-technical user to chase a plugin dev from five years ago?”

And solving these issues has a multiplier effect. “If I fix something for one customer and thousands of other sites are using that plugin, we all benefit.”

No Scripts. No Escalation Tiers.

Unlike most hosts, BigScoots doesn’t rely on macros or tiered escalation. "The person you talk to first is the one who helps you. If I need to speak with our network engineer, I will – but the customer never feels like they're being passed around."

Zach manages the performance and security team, and still spends hours on support tickets. The same goes for the CEO, Scott Stapley, and other team leads.

"There are no silos. Everyone talks to customers. Everyone writes tickets. Nobody’s above it."

That also means fewer delays and fewer handoffs. “We just get it done. And if I don’t know the answer, I’ll go find it – but I’ll still be the one replying.”

Support in the Real World

"We don't go to conferences just to hand out business cards. We show up with laptops."

At events like Tastemaker (a major food influencer gathering), Zach set up shop with his laptop and helped customers live on-site.

“We weren’t pitching. We were fixing. People brought SEO questions, Search Console warnings, WP admin issues – even general advice. And if I couldn’t solve it, I called my team and we knocked it out together.”

They rented a table in a room filled with salespeople. “All the couches filled up with people waiting for us. Not the other vendors. Just us.”

Next year, they’re planning to bring even more staff.

A Security Stack That Works Quietly

Zach walks us through BigScoots’ multi-layered security setup:

  • Physical control over their data center hardware in Chicago
  • Cloudflare Magic Transit DDoS protection for all customers
  • Isolated virtualized environments per customer – not shared hosting
  • Application-level hardening: directory restrictions, PHP execution limits
  • Rate limiting on login URLs like /wp-admin
  • Cloudflare Enterprise WAF rules and bot protections
  • Patchstack integration for vulnerability alerts and virtual patching
  • MFA and VPN usage across the support team
  • Offsite backups in geographically redundant locations

"We take it seriously. We try to keep everything locked down  –  from servers to staff devices."

How BigScoots Integrates Patchstack to Protect Hosting Users from Vulnerabilities

BigScoots integrates Patchstack deeply into their managed WordPress service – not just behind the scenes, but in how customers interact with it.

"We show customers Patchstack alerts right inside the portal. They can see which plugin is vulnerable, what version they’re on, and what they need to do. Even if they haven’t paid for extra security, we still surface that data."

Zach acknowledges that transparency comes with trade-offs. “There’s a fine line. Show too little and customers feel ignored. Show too much and they panic. We want to keep them informed without overwhelming them.”

This balance is part of the human approach – not just securing infrastructure, but helping users understand what’s happening and why.

Customers Fall Into Two Camps

“About half are really proactive. They update plugins, question admin access, set up 2FA. The other half don’t think about any of this until something breaks.”

Instead of selling through fear, BigScoots positions itself as a guide.

"If something’s out of date or a vulnerability is detected, we let them know. We explain the risk. And if they’re using an old plugin that can’t be updated, Patchstack helps us virtually patch it while they plan a fix."

This use of Patchstack – not just for prevention but to buy time – is one of its biggest benefits. Zach explains, “It gives customers breathing room. They don’t need to scramble or go dark. They stay protected while preparing for the long-term fix.”

When Vulnerabilities Hit

Zach describes what happens when a zero-day plugin vulnerability surfaces.

“First, we’ll notice a few strange support tickets. Redirects. Errors. Then Patchstack will post a disclosure, and we’ll realize a major plugin is affected. From there, it’s triage.”

They search their infrastructure to see how many sites are running the plugin. If safe to do so, they push a mass update. If not, they deploy server-level WAF rules or Cloudflare patches.

“We prefer not to touch customer plugins unless we have to. WAF rules are our first choice. But if needed, we’ll act fast.”

Zach also notes the added benefit of Patchstack’s vulnerability feed, giving them a head start on understanding what’s at risk and where to act.
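The inventory step of that triage can be sketched as follows. This is an added example, not BigScoots' or Patchstack's own tooling: it assumes one directory per site under a hosting root (`<root>/<site>/wp-content/plugins/<slug>`), and the plugin `example-forms`, its versions and the fixed version 2.10.0 are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a header comment near the top of the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)

def is_older(installed, fixed):
    """Compare dotted versions numerically, so that 2.9.4 sorts before 2.10.0."""
    parse = lambda text: [int(re.match(r"\d*", p).group() or 0) for p in text.split(".")]
    a, b = parse(installed), parse(fixed)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if none is found."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return None

def triage(hosting_root, slug, fixed_version):
    """Map every site that has the plugin to (status, installed version)."""
    report = {}
    for plugin_dir in sorted(Path(hosting_root).glob(f"*/wp-content/plugins/{slug}")):
        site = plugin_dir.parents[2].name
        version = installed_version(plugin_dir)
        if version is None:
            report[site] = ("unknown", None)        # needs a manual look
        elif is_older(version, fixed_version):
            report[site] = ("vulnerable", version)  # update, or cover with a WAF rule
        else:
            report[site] = ("patched", version)
    return report

def build_sample_tree(root):
    """Constructed sample data: three sites with a hypothetical plugin 'example-forms'."""
    for site, version in {"site-a": "2.9.4", "site-b": "2.10.0", "site-c": None}.items():
        plugin = Path(root) / site / "wp-content" / "plugins" / "example-forms"
        plugin.mkdir(parents=True)
        lines = ["<?php", "/*", " * Plugin Name: Example Forms"] + ([f" * Version: {version}"] if version else [])
        (plugin / "example-forms.php").write_text("\n".join(lines + [" */", ""]))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_tree(tmp), "example-forms", "2.10.0"))
```

The numeric comparison matters here: compared as plain strings, "2.9.4" would sort after "2.10.0" and the vulnerable site would be reported as patched.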

Attacks Getting Smarter

Zach shared two examples of memorable attacks:

  • One used JS redirects but hid from hosting providers by whitelisting known IPs. "We’d check the site and see nothing. But the customer saw redirects. It was smart."
  • Another case involved a freelance developer using the same admin email and password on hundreds of sites. When those credentials leaked, an attacker changed affiliate links across all of them. “It took weeks for anyone to notice. They weren’t breaking anything – just silently rerouting revenue.”

These stealth attacks are harder to catch, and harder to clean.
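One way a host could surface the second kind of tampering earlier is to audit the affiliate IDs in stored page content against the IDs each owner actually uses. The sketch below is an added example, not something described in the interview: the query parameter names, site names and IDs are assumptions and constructed sample data.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

AFFILIATE_PARAMS = ("tag", "ref", "aff_id")  # assumed parameter names, adjust per program

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element; the parser unescapes &amp; in attributes."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def unexpected_ids(html, expected_ids):
    """Return the affiliate IDs found in html that the site owner does not use."""
    collector = LinkCollector()
    collector.feed(html)
    found = set()
    for href in collector.hrefs:
        query = parse_qs(urlsplit(href).query)
        for param in AFFILIATE_PARAMS:
            found.update(v for v in query.get(param, []) if v not in expected_ids)
    return found

def fleet_report(pages, expected):
    """Group unexpected IDs by site; the same foreign ID on many sites is the signal."""
    sites_by_id = defaultdict(set)
    for site, html in pages.items():
        for affiliate_id in unexpected_ids(html, expected.get(site, set())):
            sites_by_id[affiliate_id].add(site)
    return {aid: sorted(sites) for aid, sites in sites_by_id.items()}

# Constructed sample content and IDs, not taken from any real incident.
SAMPLE_PAGES = {
    "site-a": '<a href="https://shop.example/p/1?tag=owner-a-20">Pan</a> '
              '<a href="https://shop.example/p/2?tag=intruder-20">Knife</a>',
    "site-b": '<a href="https://shop.example/p/9?utm_source=blog&amp;ref=intruder-20">Mixer</a>',
    "site-c": '<a href="https://shop.example/p/3?tag=owner-c-20">Whisk</a>',
}
SAMPLE_EXPECTED = {"site-a": {"owner-a-20"}, "site-b": {"owner-b-20"}, "site-c": {"owner-c-20"}}

if __name__ == "__main__":
    print(fleet_report(SAMPLE_PAGES, SAMPLE_EXPECTED))
```

Running the audit over stored content rather than fetched pages avoids depending on what the site chooses to serve to the checker's IP address.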

The Limits of Shared Hosting

Zach points out that BigScoots customers don’t share hosting environments – every site runs in its own isolated container.

“It’s not strictly a security feature, but it does help. If one customer’s site has a traffic spike or gets hit with something malicious, it doesn’t affect anyone else. That kind of separation is rare – and valuable.”

It also protects performance, ensuring that no one site can drag others down, whether through accident or attack.

Malware Scanning Isn’t Enough

“People think it’s like antivirus in the 2000s. Scan, detect, delete, done. But that’s not how web security works anymore.”

Zach points out that scanners usually detect issues after damage is done.

“If a scanner finds malware, the redirect already happened. Visitors were already affected. It’s too late.”

Instead, BigScoots focuses on prevention: vulnerability detection, patching, access control, and customer education.

Final Thoughts

Zach doesn’t claim BigScoots is perfect. But they are different.

"Hosting is often faceless. We just try to make it human again. That means solving problems when they come up – and helping customers avoid them altogether."

In an industry dominated by automation and aggressive sales, BigScoots is proving that showing up, listening, and solving real problems still works.

And if you want to make sure your or your users’ WordPress sites are protected from vulnerabilities — before they’re exploited — Patchstack gives you visibility, virtual patching, and peace of mind.
