Making Your WordPress Site Secure with Dre Armeda

It’s early in the year and something to think about is security! Dre Armeda is here to tell us all about that: the full history of his company, Sucuri, where they’ve been, and why they’re kicking it up a notch. Super informative and important to anyone doing business on the web!

Show Notes

Joe Casabona: This episode is brought to you by our great sponsors.

If you need to buy a domain, look no further than hover.com. With hundreds of domain extensions, no heavy-handed upselling, and best-in-class support, Hover makes it easy to spend less time on your domains and more time on your big idea. I use Hover for all of my domains and I couldn’t be happier with the process from start to finish. And now you can use the offer code ‘buildsomething’ for 10% off your first purchase. That’s ‘buildsomething’, all one word, no spaces. Head over to buildpodcast.net/hover today. That’s buildpodcast.net/hover.

Project Panorama is a WordPress project management plugin that visually communicates project progress to your clients and teams. At a glance, your clients can see exactly how close the project is to completion, what has been done, and what will be done next. Panorama is meticulously designed to impress your clients and save you time, allowing you to build more. Check it out at buildpodcast.net/pm. And for a limited time, you can use the offer code ‘howibuiltit’ for 20% off. That’s ‘howibuiltit’, all one word, for 20% off.

And now, on with the show.

Hey, everybody. Welcome to How I Built It, the podcast that asks “How did you build that?” Today, I am honored to have my good friend and awesome dude all around, Dre Armeda. Dre, how are you doing today?

Dre Armeda: What’s going on, my man? Great day. Great to be here. Appreciate you having me.

Joe Casabona: Hey, no problem. Thanks for being on the show. We are going to talk about security, Sucuri, and how you kind of built up a company that focuses on not just WordPress security, right? But general online security.

Dre Armeda: Absolutely. Awesome. Sounds good man.

Joe Casabona: Cool. Awesome. So let’s jump right into it. Why don’t you tell us a little bit about you, and Sucuri, and how you came up with the idea?

Dre Armeda: Sure. So, well, like you said, my name’s Dre. I spent a long time in the late nineties and early two thousands working in security while I was in the military, and in different aspects of security, right?

So, the physical security domain, InfoSec, crypto, the whole nine, but really the idea for Sucuri came well after that. Ultimately, in the beginning stages of my Navy career, I got involved with the internet, and it was almost by accident, really. My chief warrant officer at a squadron, I was in VFA 47, had said, “Hey, look, you’re the resident geek here. You do all of our networking stuff.” It was a mixed Windows NT and Windows 2000 network of about 220 computers, laptops, and such. And as a deployable unit, we’d have to take that whole network down and bring it back up on board a ship, integrated with their network. In any event, he said, “Hey look. You’re the resident geek. We need an intranet site.” This is like 1999 or so. And he goes, you know, “Here’s our Adobe Photoshop 4.5 and Microsoft FrontPage. You’ve got two weeks to get this rocked out.” So I, you know, went and started reading some stuff. I figured it out with some really terrible CSS and HTML using, you know, FrontPage and a bunch of rollover images. No sprites, no nothing, man. It was crazy, but we got it done. So that was kind of my introduction to web stuff. And this was, again, ’99. Got excited about it and kind of moved on from there, really doing a lot of design stuff, UI things, really got excited about designing stuff. But it was a means to an end: finding a way to showcase all this work online.

And so in 2004, by then I was working on my portfolio site that was, like, you know, HTML with a bunch of iframes and all this crap for all my portfolio items. And using the steps I’d figured out, I needed a more intuitive way to kind of manage these things. So I found WordPress in about 2004, created my first theme in 2004, 2005. So it wasn’t too long after the project had kicked off. And all the while I was in the military and I was blogging about InfoSec stuff.

So in 2007, I actually got out of the military and went to work for an InfoSec company in the Chicagoland area. A great experience there. They got acquired, and eventually I made my way back to California. But some of the relationships that I built there, especially one with Daniel Cid, who was the founder of OSSEC, a host intrusion detection system that was open source. And the company I was working for was trying to figure out a way to integrate it into their network solution, to be able to manage InfoSec at the network level.

Well, I left that company, obviously. Daniel was working at Trend Micro at the time while he was doing this project. And, you know, we kept in touch. And one of the things he was thinking about was, like, “Look, if we can look at the integrity of a network, or portions of a network, using something like a host intrusion detection system, why couldn’t we remotely do that for websites?” And I said, “That’s an interesting question.”

At the time, you know, I had all my websites and stuff going on and going up, and, you know, a lot of the internet was blowing up. Open source content management systems were kind of in that fight to see who was going to gain market share and stuff. I had chosen WordPress at the time, and it was an interesting place where we set out to kind of figure out how to do that. And sure as hell, man, Daniel is a genius, right? So he figured out a way to kind of tune definitions and remotely check the output and the behavior of a website to see if it had any matches to, you know, known exploits or known issues, right? So things like outages, things like, you know, defacements, server errors. We were able to catalog these things with signatures and definitions, and push a response to the end users saying, “Hey look. We’ve matched this to something. Something’s not right. You need to take action.” And that’s kind of the initial go to market with Sucuri.

And we were in beta in 2008, 2009, and we launched. We had already kind of sold a few service plans, but the company became a company in roughly February 2010. And at the time, Daniel, poor Daniel and his beautiful design skills, I mean, this guy’s a guy you put in a dungeon with a green screen, right? And he’ll code, like, you know, the next big thing for sure. But the design skills weren’t amazing. And that was really where I came into play. I was always the one helping engage the audience, bring the product to market, the marketing side of it, and business development, things of that nature. So with his backend capabilities, his development genius, and then my ability to kind of put a face to it in terms of the front end and so on, we launched in February of 2010.

Now that was the initial stages. And we quickly saw that, “Wow! This is crazy.” We were still working, you know, full-time at our regular jobs. But there were a couple of big exploits that happened that year. One notable one, it’s actually still on Wikipedia, around GoDaddy and some infrastructure issues that they had, where, you know, there was lateral movement, not just across a shared environment. So for example, you’ve got 50 sites on one shared hosting account. Now we’re talking, they were moving across multiple hosting accounts, right? So it was like a big deal.

So what we found, though, is that alerting people to these issues was not very actionable, right? It’s very reactive. We’re saying, “Hey, you’ve got a problem.” But then what? Like, what does the end user do? So we instituted an incident response process that we developed and said, “Look, this is how we’re going to help folks. We’re going to make this actionable. We’re going to be able to not only alert them that there’s an issue, but if someone has an issue, they can come to us and we can come in and remediate these problems.” And that’s really where things shook up, man, in 2010. I mean, we got to the point where we were cleaning hundreds of websites a day, and it was really just Daniel and me initially.

And then what we saw was, like, “Wow! We’re having a hard time, not understanding really the business side of things or how to really manage this growth. We need someone that can help us kind of operationally come in and really help shape this into something that, if we decide we want to do it full time, we have the means to do that.” So that’s where Tony Perez, who’s now our CEO, came into play. So it was really the three of us throughout the rest of 2010. And it was growing, right? So, like, month over month, everything was moving in terms of the business, like financially and such. And we were seeing so many people targeted in so many issues that we got to the point, like by the beginning of 2011, where, I mean, we were literally, all of us, cleaning up hundreds of websites a day, just through the remediation process.

So we brought in another person to help, initially just part-time, doing the incident response stuff. And actually, the week before WordCamp San Diego 2011, I was employee number one. So I went full-time. We said, “Look, we’ve sustained this growth for a matter of time. Now we’ve got the financial backing to make this happen, where maybe I’m not taking such a huge, you know, pay cut where my quality of living changes. We think we can do it. Let’s try this out for six months and see what happens.” And then, by the end of 2011, Daniel, myself, and Tony were all full-time. So that was kind of the initial stages.

And again, you know, we saw that the alerting and the monitoring piece was super interesting and it was helpful, but it was only remote. So you’re only seeing the output of that website, right? There are conditional things that make that, you know, not a hundred percent accurate. And the reality is remote monitoring can’t detect everything. It’s not seeing all the files that aren’t served on every page request, right? So the only real way to kind of get a more holistic view of what’s going on with your site is to do remote and server-side scanning. So, you know, that was one of the adaptations that we made along the way, to give people a more granular look as to what was going on with a higher level of accuracy. It’s still reactive though, right? This is going to tell you when something has already occurred. So, well, what if we were able to thwart this activity, this traffic, before it ever reaches the environment? And around that time, we set out to build exactly that. So, a perimeter defense that is more proactive. It’s something that we’re now putting in front of the site, in between the site and the internet, where these commands, these requests are coming in, this malicious traffic is coming in. And we’re giving you the ability to stop it before it ever hits the environment.

And that was the advent of our firewall product, which was CloudProxy, which was the initial name, but today it’s the Sucuri Website Firewall, which is alive and kicking and growing. We’ve built the whole infrastructure and network around being able to grow that. So that’s, at a high level, the three products that we really offer, and how it initially started, and how we grew into thinking, “Look, you know, we need to be a little bit more proactive. We need people to be more proactive about security.”

Joe Casabona: Nice. And that’s great. We have, like, kind of the whole history of the company here. And so now you’ve got three products: reactive ones, and then kind of a preventative one. So in this next question, you know, usually I like to ask what research was done before the company was founded. But in this case, I’d actually like to kind of pivot that question and ask, what kind of research do you and your company do regularly to stay on top of vulnerabilities and kind of new threats that are coming out? Like, what does that kind of look like?

Dre Armeda: It’s a really interesting question and a very broad question, right? Because there are so many moving parts to that. So many. So for example, there are places out there that say, “Hey, they are disclosing zero days. They’re disclosing vulnerabilities that have been found, that have been disclosed, and have been targeted in some cases.” In some cases, maybe not so much, you know, it depends on the severity. But we’re able to take those sources and, you know, validate them, certainly.

But what we’ve done is we’ve built a whole research team that just does this all day long. They are looking for new issues that have come up so we can catalog them, we can test them, and make sure that they’re legitimate. And if they are, what we’ve done is we’ve built a model within our firewall network where we’re able to tune that based on these new issues. And what it does for the entire client base is it gives us the opportunity to block these things at the edge. So for example, the latest version of WordPress, a vulnerability is discovered, okay. Let’s say it’s pretty big and, let’s say, you’ve got privilege escalation or something like that, right? And we know that these are going to be targeted. There are going to be automated attacks against these things. So what we’ll do is we’ll put it into our firewall where we block this at the edge. So it’s almost like virtual patching. And although we’re very strong on the stance of making sure that you update your software as quickly as possible to mitigate the risk of some type of vulnerability being exploited, it’s not always realistic to do that in production, right? And we get that. So what we’ve done is we’ve built this at the edge so that, “Hey, all right, this latest version of WordPress and the vulnerability that’s being exploited, we stop that at the edge.” So now when those requests come in to try to, you know, and again, 95% of attacks that happen out there today are not targeted. They’re opportunistic attacks. They’re automated attacks. They’re scanning different layers of your stack and figuring out ways to, you know, what can I throw over the fence that’s going to stick, and maybe, you know, infect these folks. So we stop it right at the edge now.

So we have constant research going on with an entire team of researchers that are looking at, and again, known sources that test, you know, potential vulnerabilities. We’ve discovered some and disclosed them. We’ve worked, you know, smartly with the folks, you know, the developers and authors of these plugins, themes, and so on, to help, you know, fix these problems.

But it’s a constant thing, right? And I think that that’s where people get maybe a little behind, right? Like, “Hey, we put a plugin in, you know, on the server, and, you know, great, it’s going to stop all this stuff.” It’s not so simple, right? It is a constantly changing landscape, and we have put, you know, resources around figuring out what these things are so we can catalog them and get in front of them as quickly as possible.

Joe Casabona: Yeah. I mean, that makes a lot of sense, right? It’s almost like, you know, you can get vaccinations, but you can’t get a vaccine against something you don’t know exists yet.

Dre Armeda: So yeah. You don’t know what you don’t know, right?

Joe Casabona: Right. Yeah, exactly. So there are a couple of things that you said that I want to kind of, like, parse out a little bit more. And the first is that you mentioned that these attacks are opportunistic, right? I think a lot of people, especially if they’re, like, running their own blog or something, they’re going to say, well, I’m not big enough to be hacked, right? Nobody’s gonna go after my data. But that’s a bit of a myth, is that right?

Dre Armeda: That’s a hundred percent a myth, right? Because, to be honest, the attackers don’t give two hoots. Let’s take an example that’s maybe relevant right now because of the potential, you know, the huge growth that we’re seeing in, as the saying goes, the Internet of Things. Everything is interconnected, right?

We’re talking about cameras and the DVRs that connect to your security cameras at home. Your routers and the state that they come in, right? So I know I’m diverting from the question a little bit, but it shows the severity, and why it’s important for every single connected device, including websites, to be taken seriously in terms of the security and the upkeep of that. These thousands and thousands, millions of devices all over the world that come in all shapes and forms, from Best Buy to, you name it, you buy it on Amazon. Got a great deal on that latest Linksys router. They all come with default credentials. Okay. They all come, in some cases, with no credentials, and attackers know this. So what they’ve done is they’ve automated attacks to potentially infiltrate as many of these devices across the world as possible. And that in and of itself is not that big a deal. They’re not doing too much to, let’s say, take over your cameras in the sense of, “Hey, look, we’re watching your video,” though that is a possibility. Their idea is to gain control of all of those devices as a means to take out the availability of a known target at any given time. So in the instance of your actual device, your website, no, it’s certainly not the target, but it is used in the grand scheme of things in the bigger botnet to attack other sites.

So what we had with Dyn here recently, which is a DNS provider, is that millions of these devices were infiltrated. And then they were pointed at, you know, the DNS service at a single time. Like, each one of these devices may be sending out one or two, you know, signals or requests to the site, or the service. But what ends up happening when you get millions of those all at the same time is you explode, you know, its bandwidth, right?

So, multiple layers to the attack. It was layer three, layer four, and layer seven, which are all fundamentally different. I don’t think we need to get into it on this show, but ultimately they attacked multiple layers. And what it ended up doing is inundating the service and taking it out. And what ended up happening there is, there were a lot of large services and social platforms, like Twitter and such, that were using Dyn for their DNS. And next thing you know, they’re down for two days. So stepping this back to the website, figure your website is in the same capacity as one of those routers. The site is vulnerable, attackers are going to automate attacks to infiltrate those vulnerabilities, to exploit those vulnerabilities. And what they might do is just drop a command and control script on there for the time being, as a backdoor of some sort, so they can use the site whenever they want. It’s no problem. It doesn’t come up infected. It stays like that for a while, but now they want to go do an attack, or they want to do some type of campaign for monetary gain. Maybe that’s redirecting your website to a specific pharmaceutical company, or popups, what have you, and the click-throughs get the money. Well, when they’re ready to do that, they go ahead, and with that command and control capability, they come in and now they drop that malware script in there, or what have you, to take that over, or to use it to attack another site, like in the case of Dyn and the IoT attacks from a month ago, the distributed denial of service, as an example.

So at the end of the day, these guys don’t care if you’re selling cupcakes or if you’re making, you know, a million in revenue a month with your awesome e-commerce site. At the end of the day, they’re looking for the path of least resistance. If it’s vulnerable, they’re going to try to take control of it. They’re going to try to exploit it and go on from there. Again, over 95% of attacks are opportunistic, automated attacks. They’re not targeted.

Joe Casabona: Gotcha. I think, well, I think that was a really great description of a lot of things I was going to ask you about later. Glad that we covered it now. ’Cause that was a big thing that happened a while ago, and really, like, the entire internet, anything connected to the internet, was involved in that. So that’s a lot of great information.

The other thing I want to ask you about is, and this is, I guess, where it kind of gets into the question of “How did you build it?” You know, you have this firewall, you have a team dedicated to research, and you mentioned zero-day vulnerabilities. Maybe you can talk about kind of how the process of finding and alerting, let’s say, a plugin author of a vulnerability works. And then how you kind of integrate it into your service, right? Because you don’t just find a vulnerability and then tell the internet about it, right? Or at least that’s not what you’re supposed to do.

Dre Armeda: Yeah, and there are probably a couple of different things there, right? So what we’ve done in terms of the firewall, we not only have our research team, but we also have a full, dedicated firewall team, which is not just tuning, but helping continue to develop the platform and the network, right? ’Cause there are a lot of moving parts there. It’s not just a little piece of software that sits on a server. I mean, we’ve got now six points of presence, six data centers that are strictly the firewall network, right? It’s this huge anycast configuration so that we can help protect. And also, at the same time, kind of help websites with their, you know, speed, and how they’re caching all of their static files, right? So we’ve built this performance layer into this. So it’s a huge team.

Now, the one piece, and it’s specific to the vulnerability. So let’s say we find a plugin that has a vulnerability. We’re going to go and test that out. We want to make sure that we can reproduce that, and that we learn everything about that. And we’re going to go find out to see if it’s been released anywhere. We’re going to figure out kind of what’s going on there. And it’s twofold: one, to disclose that responsibly with the plugin author. “All right. Look, you’ve got some issues here. You need to get this fixed.” And there’s a whole process built around how that disclosure and stuff happens, how we work with them, requirements for them to make sure that they’re patching this and disclosing it efficiently, right? Because it’s their responsibility to do so as well.

And we’ve done this quite a bit, even since the beginning days. But at the same time, our research team is working on figuring out ways to stop attacks against that so that we can put it into our network. So they’re testing that in our environments to see kind of what the impacts are, how those could be reduced, how we can stop any automated attack from infiltrating the website through our firewall network.

And then we push that into our network. The details around the disclosures, they’re all a little bit different. But certainly one of the first things we’re going to do is go reach out to the author to figure that out. You know, in the instance of WordPress, it may be different than Joomla or anything else. Again, we’re platform agnostic, because those processes differ by project.

Joe Casabona: Gotcha. Cool. So that’s, again, really interesting stuff. And I guess another aspect of your business, right? Besides preventing and then mitigating hacking or attacks, you also do a lot of webinars, right? You educate your customers, and anybody, with these free webinars, to kind of take their own measures. Is that right?

Dre Armeda: We do. You know, Joe, when we started the company, again, you know, it’s been seven years now, and from the beginning, you know, I can count... I can probably count on, you know, the backs of both hands how many times we’ve put on, like, a real ad or anything like that, right? Or, you know, and we’ve started to do some of that stuff. But we’ve grown, I think, because, obviously, it serves a really strong, focused, and needed area. But certainly we have grown because we’ve helped educate people. We’ve grown organically. We’ve grown through our content, by being able to empower people to make better decisions around their security.

And I left Sucuri for a while, for a couple of years, and went back into the agency space, and coming back, what’s exciting is that that premise is still the same, right? Like, the whole idea behind us offering Sucuri and these services is to really help folks. And I think that, you know, you see that over time. It’s been proven that we’ve had the opportunity to come in and help folks, educate folks, and we’ve done so.

And I think that we’ve had a large part, I think maybe a hand in maybe shaping, at least in the WordPress space, how people maybe think about their security. And that’s due to us coming out there, doing webinars, speaking at events, writing a lot of content, you know, content at blog.sucuri.net. We’ve got, I mean, years and hundreds and thousands of posts that, you know, really just come to help educate people about the latest threats, steps in how-to guides on how to fix things. We put out new guides over the last month, as well as some white papers to kind of help people understand, you know, the threat landscape out there. You know, we’ve been putting out a quarterly report now that talks to, you know, different open-source platforms and kind of the things that we should be considering. New trends that are up and coming, or old ones that are starting to grow. Again, because it’s this constant shift. But that was, you know, that’s always been the idea, right? To help educate folks and help them understand that they inherit risks that they’re dealing with. I don’t see that changing anytime soon.

Joe Casabona: Yeah, absolutely. I mean, there’s an adage that kind of the weakest link in a security chain is the people, right? And that’s usually said by engineers who are, like, kind of being mean about it. But the way to strengthen that chain is to educate.

Dre Armeda: It’s your risk. Yeah.

Joe Casabona: So maybe, you know, this was kind of a really fast half-hour, but we’re coming up on the end. We have a few minutes left and I would love to kind of ask you, in lieu of a trade secret, what are some things that people can do to be more proactive about the security of their website?

Dre Armeda: Oh, that’s a fabulous question. I think that when we start thinking about security, and especially, let’s take WordPress specifically, we start thinking about the next application layer, you know, connector that we can add, right? A plugin. So we put all these plugins into place thinking that it’s going to give us this stronger security stance. But in essence, we don’t really know that for sure. Sometimes we’re actually introducing more insecurities than anything else. These crazy alarms and, you know, warnings and things that are going off, and most of them are unfounded, right? So the idea is to think outside of that, right?

One, we need to take a layered security approach to any website that we put up. So it’s great to have application-level plugins and such to help kind of figure out the integrity of the files and things that are going on on the site. Maybe do some hardening and things of that nature. But I think that those need to be, I think, paired with something on the perimeter. So again, a layered security approach, defense in depth, is really what people need to be thinking about. Great. You’ve got a couple of plugins on your site. Now, what are you doing to protect at the edge, right? How are you stopping people from, let’s say, reaching your wp-admin, right? So that’s an interesting thing.

So there are a lot of little techniques and things that happen there. But I think that the biggest takeaway that I want folks to take from this discussion and this specific question is that it’s time for people to start thinking beyond the application. Okay. WordPress alone is not the only attack vector. The attack surface is well bigger than that, right? So let’s take it just even to the hosting level. What do you have sitting on your server? Okay. You’ve got that application, certainly, if you’re using WordPress, and the plugins, third-party integration points that are sitting there at the application layer. What’s under that, right? You’ve got some type of server-side language or languages, right? Those need to be maintained. You’ve got some database, or multiple databases maybe, that need to be protected. And we haven’t even gotten to the web server software yet, right? So that’s something to consider. There are multiple, multiple areas in the stack that we need to be considering.

So, well, we want to be proactive. I mean, I think we want some type of perimeter firewall, super important, you know, to kind of help stop those attacks. But we want to make sure that we’re thinking about the entire stack, not just the platform that we’re using to serve our actual web pages. Then let’s extend beyond that, right? How are you logging in? I mean, is your machine secure? Are we on networks that maybe are not secure? Right. So we’ve got to think well beyond just the platform and do a better job of holistically approaching security as a whole.

Joe Casabona: Gotcha. That’s great advice, right? You know, it sounds like we, as a, maybe as a WordPress community, or maybe just websites in general, maybe it’s more than just WordPress, we’ve got the guards inside the castle, protecting our castle. Now it’s time to think about the moat around the castle, right? Now it’s time to think about safely transporting our people from the castle to other places. I think I’m stretching this analogy a little bit, but…

Dre Armeda: I think it’s dead on. I mean, it’d be…

Joe Casabona: Awesome. Yeah. So yeah, we need to think kind of beyond our WordPress install, our castle. So, awesome. We didn’t talk a whole lot about business and we’re at the end of our time. But do you have, like, maybe 30 seconds of business advice that you would give to somebody who wants to start a WordPress company? You know, you’ve been a part of a couple of big ones, now Sucuri, and then the agency work that you did. So, what advice can we give people there to kind of end on?

Dre Armeda: Build a bridge with partners, right? Like, you can try to pick up as many freaking bricks to build it on your own. But, obviously, having extra hands there is super helpful. The best advice I ever got when I was first starting is don’t go at it alone. Find someone that you can trust that complements the things that you’re good at, and go at it together. You have a better chance of succeeding together, you know, than going at it alone.

Joe Casabona: Awesome. That’s great. And that’s the perfect way to end on. Dre, thank you so much for joining me.

Dre Armeda: My pleasure, my man. And I look forward to seeing you here at WordCamp US. A few guys that if anybody said… Actually, I don’t even know when this is airing, so you might have to cut this out.

Joe Casabona: That’s all right. This is coming out in January. So, I’m really glad we got to see each other at WordCamp US. 

Dre Armeda: It was a great time seeing you at WordCamp US, man. That cigar was amazing.

Joe Casabona: Right. Awesome. Awesome. All right. Thank you for joining me. Thank you to everybody for listening and until next time. And get out there and build something.

Thanks so much for listening, and thanks to our great guests and fantastic sponsors. If you liked the show, please rate it and subscribe on iTunes, Google Play, Spotify, or whatever your podcast app of choice is.

If you have any questions, be sure to reach out at streamlined.fm. And finally, until next week. Get out there and build something.
