WPwatercooler

EP389 – Securing WordPress Users and Devs

May 28, 2021
On this episode of WPwatercooler we will be continuing our discussion from Securing WordPress: Bots and Hackers but this time talking about how you can secure your WordPress site from people you know such as developers, contractors building the site, and your users if they are logging into the site at any point. There is a lot to talk about in this episode!

Show Sponsors

Desktop Server – ServerPress https://serverpress.com
WPsitesync – https://www.wpsitesync.com

LOFT provides support for WordPress sites — including disaster preparedness, patches, maintenance and plugin management, content updates, and more — all for a flat monthly fee. Right now they’re offering a free trial. Check them out at https://poweredbyloft.com

Episode Transcription

Jason Tucker: [00:00:00] Users and devs, brought to you by serverpress.com speakers. DesktopServer, they make local WordPress development easy. Check it out at serverpress.com

Our friends over at LOFT provide support for WordPress sites, including disaster preparedness, patches, maintenance, and plugin management, content updates, and more, all for a flat monthly fee. Right now they’re offering a free trial. Check them out at poweredbyloft.com

I am Jason Tucker. Find me at Jason Tucker on Twitter.

Steve Zehngut: [00:00:45] I’m Steve Zehngut. I’m the founder of Zeek Interactive and I run the OC WordPress meetup.

Jason Cosper: [00:01:01] Jason Cosper. And I got friends in low places.

Jason Tucker: [00:01:09] Go hit us up over on Apple Podcasts, Google Podcasts, and Spotify, and leave us a review. We would appreciate that and join us on our Discord. Go today. Pur Corp com slash discord, where you can come hang out with Cosper and I, and all the folks that are hanging out with us.

Se Reed: [00:01:25] Me too. I’ll be there eventually when I get my life together, I’m going to

Jason Tucker: [00:01:30] So he has to figure out how to download it up.

Se Reed: [00:01:34] That’s not the problem, we’ll get there.

Jason Tucker: [00:01:37] So we’re talking about security. Last episode, on 388, we talked about security but more in the form of I was like outside security sort of thing. And this stuff’s more like inside security sort of thing, like dealing with the actual folks that already have access to your website.

Steve wrote it on. Yeah. And Steve wrote about it on Twitter saying that it’s when the devs go rogue, which I think is actually a pretty good way of describing it. We’ve seen plenty of these things where somebody goes and gets into their site and maybe they owe money.

We’ve seen those types of things where they owe money and now they’re in there messing with stuff. It’s a mess. And so we’re going to discuss this a little bit.

Steve Zehngut: [00:02:18] The client, the classic example from several years ago was that San Francisco, a fitness website where they got no money dispute. And the dev decided to put up his own page in place of their website, a nicely designed page that said they owed me money. And so I’ve taken down their website.

Se Reed: [00:02:37] Did they sue? Whatever happened with that? Like I would, they would sue him.

Steve Zehngut: [00:02:41] I don’t remember. Was it Fitness SF? That seems to ring a bell.

Jason Tucker: [00:02:45] That

Se Reed: [00:02:45] I don’t know. Deep recollection of that. What is essentially a meme? To me. Somebody’s life, but to me it’s a meme. I don’t know, but yeah, basically, that was the thing they didn’t get paid. So that’s one of the main problems. And we were talking about an example of someone local to California that we know who did similar tactics.

So it’s not just, random, urban legend that this happens. This is a real thing. This is why I tell all my clients, you need to have the keys to your own

Steve Zehngut: [00:03:14] But yeah, th this happens more often than not, and more often than you’d think. And essentially the The dispute kind of looks like this. And the way I, ah, no, it looks like this I’ve always, I was I was starting to spell it out, but my hands were too low.

And what I educate all my clients about when we first start the relationship is that Zeek, we are a work-for-hire shop. So we are building a work product that the client owns. And that the reason I said that is because that tends to be what’s in dispute. Is there, there are developers that are of the belief that.

Even though they’re getting paid as a work for hire, they own the work product, or they have some sort of ownership stake in the work product that they’re building

Se Reed: [00:03:56] I would not be stealing to take down someone’s website where or disruptive, because they feel ownership of it.

Steve Zehngut: [00:04:05] And I’ll tell you where there’s a gray area, because there is a

Se Reed: [00:04:07] If they haven’t paid them yet, then is it work for hire?

Steve Zehngut: [00:04:11] Again, it depends on your contracts, right? It depends. It really depends on what’s in your contract. But there’s a little bit of a gray area and here’s how we distinguish it because there, there is. Intellectual property, IP that we use and reuse over and over on lots of different clients sites that we’ve built and we’ve grown over time.

But once we use it with the client’s site, it then becomes an, that site becomes an iteration of that intellectual property. And the iteration is actually what’s owned by the by our clients. And so that’s, that tends to be the crossover. So if it D if a dev, if you, as the client, haven’t.

Made that distinction with the dev that you own this iteration, then the dev actually may have some belief that they own part of the work product, even if it wasn’t work for hire. Yeah.

Se Reed: [00:04:56] The twist though, or the twisty question I suppose, is what about if the dev is inside the house,

Steve Zehngut: [00:05:05] Yup.

Jason Tucker: [00:05:05] right.

Steve Zehngut: [00:05:06] it inside the house and gets.

Se Reed: [00:05:09] the business?

Steve Zehngut: [00:05:10] and I’m assuming what we’re talking about is somebody who’s inside the house and becomes disgruntled for some reason.

Se Reed: [00:05:16] Yeah. I would hope that you don’t like, there’s a different type of protection you need from devs who are just, not trying to hurt things but do that’s a different show.

Steve Zehngut: [00:05:25] but the same the same idea still applies with in-house devs, even if I’m working in house, What I’m building is owned by the company that is paying me to build it. It’s owned by the entity that I’m working for. And that is it. I make that distinction, on purpose because a lot of devs don’t understand that.

And I think there’s a sort of a belief system that, oh, I built this it’s mine. Even if I was paid to build it, it’s mine and that’s not true.

Se Reed: [00:05:52] Technically not technically, but. Anecdotally on the flip side, I have come across a lot of clients who are a lot of business owners in general, not necessarily my clients who feel like they don’t actually own their website. They are so distanced from it that they feel like it is we’ve hit on this a couple of times with the whole devs hosting their client’s site.

And so like really who does own it at that point, right?

Steve Zehngut: [00:06:15] so let’s talk about the things you can own. So there, there are things you can own, so that this doesn’t happen to you. So there, even if somebody does become disgruntled, they don’t have the ability to go rogue.

Se Reed: [00:06:27] Or to rogue

Steve Zehngut: [00:06:28] Yeah. And so I think the first thing, and we have talked about this many times is your domain name, right?

If you are running a website, you need to own and control your own domain main name.

Se Reed: [00:06:39] Period. End of sentence. End of story. And the statement, just do it.

Steve Zehngut: [00:06:44] Yes. If what I’m saying is foreign is a foreign concept to you and you’re listening to this podcast. You need to Google this. You need to understand what a registrar is and you need to own this. So whether it’s GoDaddy or Namecheap or Network Solutions, or there’s a whole bunch of them you need to have that account and it needs to be it.

Those are that. That’s an account that is yours and you need to maintain control of it. Right now, what I like about what GoDaddy does is if you are working with GoDaddy, you can delegate access from your account to your dev so that they can make changes on your domain name. And then you can then revoke that access.

So you’re not giving away.

Se Reed: [00:07:22] Has that too. They have a lot of dev access where you can give access to everything for billing, or you can give access to different components. So that, that’s,

Steve Zehngut: [00:07:29] And that’s on the hosting side. So yes you, the reason I bring this up is that delegate access. You want that built into all of the tools that you use, and the reason is do not give away your login and password for these things. Don’t give away your credentials to your registrar. It’s a bad idea.

Jason Tucker: [00:07:48] I could see even taking essentially pointing the, the name pointing over the domain name to something like Cloudflare and giving them access to Cloudflare and then going from there. But yeah the domain itself, there’s so many things that could go wrong if it, if they get in there and start messing with things,

Steve Zehngut: [00:08:05] And so I’d say in general, right? If you’re working with an outside dev or I don’t know how this would happen the inside, but if you’re working with outside dev or an agency that bought your domain name and runs your hosting, then you need to change that right now. Your depths did not your

Se Reed: [00:08:23] and you own your clients domain name. I am judging you and I think you are wrong.

Steve Zehngut: [00:08:29] And you should be judged. I’m would say on this

Se Reed: [00:08:31] Yeah, we’re judging you. And we think that you’re doing it wrong pastime doing, and I honestly do not feel bad about saying that whatsoever.

Steve Zehngut: [00:08:38] I would go, I go even further and say, if it’s that, if that’s happening, if you’re dev and you own your client’s domain name, that’s being done with malicious intent.

Se Reed: [00:08:46] Yeah, I would say,

Jason Tucker: [00:08:48] No,

Se Reed: [00:08:49] you were

Jason Tucker: [00:08:49] it’s really difficult. It’s really difficult to decouple that because it’s if you wanted to no longer use that developer. That developer essentially owns that domain name. They own the hosting for it. Like all those things should be separated. I usually tell people don’t even make, make sure that your web host isn’t the place that you buy your domain name from, buy it someplace else.

And then you get the web hosting to make sure all the things are separated out a little bit. That way you won’t have to worry about these sorts of things down the road.

Se Reed: [00:09:16] I want to talk a little bit more. Of the it’s coming from inside the house.

Jason Tucker: [00:09:22] Yeah.

Se Reed: [00:09:23] It’s one thing for the devs that you hire to go rogue. The outside contractors that you hired to go rogue. But what we touched on a little earlier the devs that are and I think this is what started sparked this entire security conversation for us is people who work for a company who cause problems.

So the work for an agency, like if one of these people decided to use their access to. Copy databases or mess up databases or put things in there. Cause they’re leaving and they’re mad at Steve. For some reason, I don’t know why anyone would

Steve Zehngut: [00:09:55] never, that would never happen.

Se Reed: [00:09:57] never happened. No one can get mad at, cancer, sun science.

That’s a

Jason Tucker: [00:10:01] Yeah. I remember when we were discussing this, the idea came to me, was that the way that I approach things at work, being the IT director that I am is like, I want to make sure that I can revoke access as quickly as possible. And I’ve worked in situations where I get an email or a phone call or something from HR saying, Hey, in 20 minutes, we’re going to be escorting so-and-so out.

I don’t know what they’re going to end up doing. As I go to their desk, I’m going to send you a text message and I just need you to just start turning off stuff. And I’m like, okay, no problem. And I go in there and I turn off one thing, and then they just they’re disconnected from their homework.

Their phone gets disconnected from the wifi, their laptop no longer works. They’re no longer able to log in. What’s that?

Se Reed: [00:10:46] that’s pretty

Jason Tucker: [00:10:48] Yeah. Yeah. We use RADIUS for that. And so you can just tell it, say username, password, use your user name, password. It’s not a shared password. So anytime you can make it not be a shared password, the better with it hub with any of those places.

Steve Zehngut: [00:11:01] I, we have a similar process to what Jason just said, I’m going to take it a step further speaking on the on the HR side. Anybody that you. Part ways with right. You need to go through this process, right? You can’t do it for one and not for the other thinking, oh, you know what, this person’s not going to do anything bad or malicious.

Cause it’s those people that actually are usually the ones that. That the, that are the worst. So this policy goes for anybody that you’re parting ways with or firing or, or terminating or quit or whatever. I don’t care what the, I don’t care how amicable it is. Go through this process with everybody that leaves the company.

Se Reed: [00:11:38] I would also say you’re leaving a client. Or if you’re a freelancer or contractor or an agency, whatever, leaving a client and the same thing goes not just disconnect your client’s connection, but I disconnect. I’m like, I don’t want any of your stuff, which I already. Try to keep it all in their folders and on their stuff when they’re giving me assets.

But basically it’s like, all right, we’re done. I’m literally deleting everything that I’ve ever had of yours. Your LastPass connections, your, your assets. Cause I don’t want that liability. I want my hard drive space back, but also I don’t want the liability. And I also, I’ve never had this problem, but it’s occurred to me a lot that.

A lot of times after you leave a company, for whatever reason, even if it was just their website was done and they’re just running their lives. When something breaks later, they’re like, what broke? Assuming that even if I haven’t touched their site for like years, they’re like, oh, you must’ve done something.

I’m like, Nope. Not logging into your site. Not responsible for your site. Like it’s your site. I don’t have access to it.

Jason Cosper: [00:12:41] The last job that I quit I told them that I was going, I was at a hosting company and I told them I was going to work for another hosting company. And I wanted to put in my notice and they said, that’s okay. We don’t want you to taking anything to the next hosting company. And I said, that’s fair.

I’m not going to, but that’s fair. And the minute I got out of that meeting my company-issued laptop stopped working and every bit of information that I had pertaining to the company, they basically used what was built in to macOS and iCloud at the time and nuked my laptop from orbit. And I was a little annoyed by that, but at the same time, I was like, I absolutely get why they did it, waited for the box to show up and shipped it back.

And then I was like, I’m done with this job. I have nothing else connecting me to this job. And like I said, I was a little annoyed at the time. Cause I’m like, man, I think I had one or two things that I have like personally grabbed on there that I wish that I had saved, but honestly you shouldn’t do that on your company machine.

Se Reed: [00:13:52] and for that reason, right? Because anything, all that work stuff, like I worked so hard and it’s such a pain. But I worked so hard to keep those boundaries between at least for my employees to keep it separate. Here’s the work stuff do not email me from your personal to not whatever.

Like it’s in the Slack. It’s on the email servers. It’s in our Google Drive. Like I don’t want any shared documents from anyone else’s anyone else’s Google, whatever email accounts done.

Steve Zehngut: [00:14:20] So we also have a disengagement process when we part ways with a client, and we let the client know, Hey, we’ve disengaged. We don’t have any of your access anymore. We’ve destroyed. We’ve taken this all out of our 1Password and our tools are now disconnected from your site. Right?

And so for the same reason to say, we don’t want the liability. But we also want to let them know. It’s just it’s part of our process because like Cosper said that we are wiping your hands and if they want to reengage at some point, no problem. We have a re-engagement process as well is we’re not saying goodbye forever.

We’re just saying, we’re not liable for anything that happens after we parted ways.

Se Reed: [00:14:53] I think that can be really confusing for people in general. And I think that and I know for a fact, for me, less so now, because I really try to implement really strong practices, just general I’ve learned so much over the years, but when I first started, I had a lot of. Those accesses that were just there, and I didn’t know so much to disconnect and they didn’t disconnect me. And so I couldn’t have gone in and, access people’s, servers and done whatever I wanted to do. I did not, cause that’s not my bud, but I could have, and. Just it’s scary in terms of liability, but also scary in terms of like just people just leaving their doors open and they don’t even know that the door is open.

That’s really, are there any I had asked y’all as a group about, some forms of security obfuscation, but are there any programs that you know of that check for Access like that manage access like that. What do you guys use to manage those? Is it just Google single sign on or, I know there are programs, but what do you use?

Sure.

Jason Tucker: [00:15:56] Yeah, for me it’s single sign on, but it’s tied to, w Microsoft shop as well. So we have all Microsoft products. We don’t use my previous shop that I worked at. It was all Apple stuff. So I could pull off the types of things that Cosper was talking about. But yeah, it’s like when you have someone who’s that rogue employee that’s working for you, you want to be able to use, essentially need to treat everyone as the rogue employee or a potential rogue employee.

And if you do that, Then you can quickly and easily just just go, all right, I’m thinking this out of here, I’m taking this thing away and the less buttons I could do it in the faster I can get it done. So yeah, there, there is that.

Steve Zehngut: [00:16:32] A simple thing that you can do, this isn’t foolproof, but you can add an activity log monitor inside of WordPress. It does add some extra load on your server and on your database, but at least you can see who’s doing what within your WordPress site. If let’s say somebody still has access to your WordPress site and they decided to modify a post or a page. Delete a bunch of posts, just log in. That’s right. And so there are activity logging plugins that are re you, just install them and turn them on. And they it looks at everything. So anything that you do inside of WordPress is being logged to that activity log again, there

Se Reed: [00:17:06] of those.

Steve Zehngut: [00:17:06] There’s a bunch of them. But those are, that’s a good practice. Because like I said you might want to just see if somebody is still accessing your website. And so I, I think it’s important to talk about, what might happen if your employee or a contractor goes rogue?

Like what, what can they do to your site or your server or your business?

Jason Tucker: [00:17:25] Right.

Se Reed: [00:17:27] before you know it, because then they really, before you cut off their access, how do you track that?

Steve Zehngut: [00:17:34] Good

Jason Cosper: [00:17:34] Ooh. Yeah. No, I was gonna say I, I think I sent something from Reddit to our group. I posted it in the chat already. If Jason wants to pull that up it was from r/legaladvice. And it said this employee was hired as a web developer and SEO, digital marketing person. He was always pushing blame on others, not following directions and overall just being a subpar employee.

Thus, he was fired. We joked, we should change all the passwords and info from him to keep him from messing things up. But he figured we would, he wouldn’t be able to do anything if he were no longer in our office, we were wrong. The employee secretly kept personal records of all of our clients and wreaked all this havoc from home.

Half our clients sites are completely wiped. Some are half ruined while others remain untouched because we made it just in time to stop him. And they’re like, what is my legal repercussions on this? When like you’re too late when you’re writing a post to Reddit about the legal

Steve Zehngut: [00:18:36] Guaranteed. Yeah.

Jason Tucker: [00:18:38] Tale is what it turns me.

Steve Zehngut: [00:18:39] again, and sure they can pursue legal action, but the damage is done and there’s no way you’re going to be able to recoup the damage that’s been done. But they’re there

Se Reed: [00:18:47] Mean.

Steve Zehngut: [00:18:48] and that, to me, that’s, to me, that’s the extreme, right?

The extreme is they wipe your site, they delete the database, they delete, all of your files. They delete the code. You delete your backups. So they.

Se Reed: [00:18:58] they’ve been there is the

Steve Zehngut: [00:18:59] Yeah. So they go in and they delete everything on the site. And if you don’t have a if you don’t have a remote backup or a local backup, you’re, you are hosed at

Jason Tucker: [00:19:06] My approach from the security.

Steve Zehngut: [00:19:09] that.

Jason Tucker: [00:19:10] My approach from the security point of view is I only give people access that they need, and then it’s annoying, but they have to keep asking you for access. So I give them the minimum amount that they need to do it. So for instance, do they necessarily need the SQL server login in order to be able to get into the production SQL server?

Yeah. Probably not. If you’re using like a build process or something like that thing’s going to take care of all of that. Do they need access to the developer one? Sure. Here’s the development one. Here’s all the stuff to be able to do it here, or we’ll give you that. So I give them just enough, but not too much.

And then as they need more, I slowly but surely give them more. For instance do they need an FTP access to the S to any of the servers? If they’re using a build process? No, they don’t need any of that. All they need is to be able to have access to that, of that system. That’s going to do the building and pushing the code up.

And so when you do that, you can now remove some of those some of those pieces from them being able to go and make a quick change to the site and then push it to production and then blow the whole thing out of the water. So if you pretend that they don’t need everything, you’re not going to have to deal with much of this because you’re only giving them enough, enough string to, Slowly, but surely

Steve Zehngut: [00:20:21] but you but you know what you’re doing? And so

Jason Tucker: [00:20:25] But if you were hiring me, you’re hiring me because I know what I’m doing. Just like they hire you the same way.

Steve Zehngut: [00:20:30] But if you’re a small shop and you’re running your own WordPress site, and you hire a developer to come work on this, or you have somebody in house working on this and you have to part ways then you could be hosed.

One of the, one of the, a couple, there’s a couple types of plugins that I strip out of every site that we inherit. One of them is any sort of database backup plugin that’s accessible within the WordPress dashboard. So I don’t like database backups that are there and the ability to make a backup and download a backup.

They’re right there in the dashboard I use.

Se Reed: [00:20:57] what about a plugin bulk edit, where you can bulk delete all of the content out of the thing. Cause I have a client I’m here for changing it, but like that I’m like, why is this even installed in the first place?

Steve Zehngut: [00:21:13] And one of the other plug-ins that I strip out and I have found a lot lately is WP file manager, or those types of plugins where you actually have access to the code through the WordPress dashboard. WordPress used to have a theme editor in as part of the basic dashboard. Is it still there? I

Jason Cosper: [00:21:33] You have to wake up. Yeah.

Se Reed: [00:21:36] Yeah.

Steve Zehngut: [00:21:37] And so it used to be enabled by default, but any, any anywhere within the dashboard that you can edit the code. I just, I stripped those out and it goes, those things are just security concerns, right? And maybe those things, somebody might not be doing something maliciously, they may just go in and screw up the website because they don’t know what they’re doing. And those plugins allow you to really screw up the website.

Se Reed: [00:21:58] Really screwed up anything that writes the database. I wanted to mention real quick. So I just read this really interesting story that I posted here in wired about this mental health company in Finland. And so it’s not just. The moral of the story here is basically that it’s not just about the website, right?

Because you also have to think about what is your clients like data? So this company in Finland was a mental health company and they were logging all of their patient records into their server. So like taking all these notes, but long story read the article. There’s a lot of variants around it, but basically the security folks that they hired to do it erased the initial ransom notice.

And now all of these therapy records have been breached and they are all available online. And so it’s like devastating a good portion of Finland because basically all of their mental health records, which is, a big deal is now available online. So it’s and of course it’s had huge catastrophic company issues, but in the company’s dissolving and all that, but the key thing is you might be like, oh, the websites.

Okay. But what about the info? What about the actual content, the actual data that, of what your client does? It’s easy to forget about that stuff when you’re a dev, because that’s just the data that’s moving through, but that could be valuable to someone and, whether that’s an in-house person, like it’s, it seems like it might’ve been an in-house person in this particular half, but yeah.

Steve Zehngut: [00:23:26] one of our rules that and again we changed this on sites that we inherit is. Don’t store sensitive information on your web server. It’s just a rule of ours. You can’t get hacked if it’s not there. And we literally will inherit sites with personal data, that completely violates GDPR.

We’ve inherited sites with credit card data in them. I’m not kidding.

Se Reed: [00:23:46] Why do you even keep that in there anymore?

Steve Zehngut: [00:23:48] I’m

Jason Tucker: [00:23:48] I had one where the guy backed up his entire computer to the server and no joke. There were tax records sitting in there. There was all sorts of fun stuff and I’m looking at it. I’m like, okay, I’m going to put my gloves on here. And I’m going to grab this little stick and I’m going to move a few of those items.

And I’m going to say. Client, you need to fix this. I don’t know what you got going on in here, but but you know that your web host is not the place to store this

Steve Zehngut: [00:24:13] we’ve inherited sites with passwords and API keys, just sitting in a text file on, on, on the, like in the root of the server. I wish I was

Se Reed: [00:24:20] Keep that something there in the first place.

Jason Cosper: [00:24:22] Wait,

Steve Zehngut: [00:24:23] I was kidding about this stuff.

Jason Cosper: [00:24:25] I shouldn’t be doing that.

Steve Zehngut: [00:24:29] so you know, a lot of times I’ll see people writing JavaScript, and they’ll just put the API key right. In the JavaScript. So if you just look at the source, there’s their API keys. And these are just, there’s a lot of best practices, things that you just need to follow, or you have security holes.

Se Reed: [00:24:45] All of this anxiety, like it’s I feel like building websites in 10 years ago, let alone 20 years ago was such a different experience. And the idea that we, you know, just easy to build a website and you can build a WordPress website it’s so easy or whatever, when nowadays there’s so much more to it than just building a website.

And I think. That’s really a problem that gets, even with all of these access things with in-house people and whatever, but just like just the idea that even everybody should be able to do this. It doesn’t educate anyone on the idea that of security of protecting your data. Everyone’s so obsessed with the front end of the website, but no, one’s even really thinking about all of this information in the backend.

And they’re like, oh, I’m not using password as my password. So that’s secure. It’s done.

Jason Tucker: [00:25:34] this is why auditing is important.

Steve Zehngut: [00:25:35] Okay.

Jason Cosper: [00:25:36] Absolutely. Now when going back to that Reddit post, you’re not always just dealing with a disgruntled employee. Sometimes you’re dealing with a gruntled employee who is perfectly fine with things and just screws up. We all make mistakes. And

Steve Zehngut: [00:25:56] not anybody on this call

Jason Cosper: [00:25:57] No, I make mistakes. I make mistakes all the time.

Yeah,

Se Reed: [00:26:02] you.

Jason Cosper: [00:26:02] I’m tethered from my phone right now because I couldn’t manage to get my internet running before the. show started. Like I tried. But just network, however even with that like I, I hammer this home again and again on this show and have if you’re going to take a backup, I know your host keeps backups in any good web host keeps backups, but keep your own backup because.

There’s a line I live by, which is one is none. And two is one. So if you have a backup that if you have a backup that fails, you’ll have a backup of the backup. And I don’t mean, to get like all X to the Z Xzibit here with yeah. W with this, but put a backup in your backup. So then you.

have a backup.

Steve Zehngut: [00:26:54] And do not store your backups on your production server.

Jason Cosper: [00:26:57] No.

Se Reed: [00:26:58] By the way

Jason Tucker: [00:26:59] Okay.

Se Reed: [00:27:00] with your managed WordPress hosts. Because if, for example, your credit card gets hacked or something and you have to cancel it. And then suddenly the billing doesn’t come through. There are a few websites that are like, oh, sorry, you haven’t paid us in two weeks. We’re taking down everything, including your backups.

And then you’re like oh shoot. I didn’t realize that was happening. I think I have to build a whole entire new website for my client. For instance,

Steve Zehngut: [00:27:21] I’m going through that. I’m going through that right now. We had a fraud event on, on, on our corporate card and I’ve had to change it on all the sites and do the automatic billing. And SendGrid just shut us down because I didn’t get the emails. Like they just go into junk. So I went in and literally not only they shut us down, they deleted all my data.

Jason Tucker: [00:27:39] and you can say, and you can send an email cause you’re using SendGrid. So there you go,

Se Reed: [00:27:43] I’m so glad that we, maybe happens at my friend’s

Steve Zehngut: [00:27:46] yeah. One thing, one more thing I want to get in on this show is if you’re using SendGrid switch to Mailgun right now,

Se Reed: [00:27:53] he’s mad.

Steve Zehngut: [00:27:54] cause they suck.

Jason Tucker: [00:27:59] Sponsored by or

Steve Zehngut: [00:28:01] Yeah.

Jason Tucker: [00:28:01] sponsored by

Steve Zehngut: [00:28:02] SendGrid a sponsor? Oh sh*t. And they will be, they won’t be anytime soon.

Jason Tucker: [00:28:08] All right, folks. That’s it for today. I want to say thank you very much for coming and hanging out with us. I do wanna let you know that next week we’re going to be doing a dev branch and we’ll be talking about dev type things as we usually do. We’ll see how that goes. We’ll see how that goes. Talk to you later.

You have a good one.

Bye bye. Subscribe to us on our different places where you can download a podcast. We’re all over the place. Just so you know, we’re on Apple Podcasts, Google Podcasts, Stitcher, Spotify and as well as YouTube. So if you’re listening to this, go into Travis, talk to y’all later. Bye. Bye.
