Teaser

Oliver Sild: I honestly believe vulnerability management and vulnerability protection are very important things to cover nowadays when, you know, as I mentioned, nearly 8,000 vulnerabilities are being found in a single year.

Jesse Friedman: A hosting company can get behind on updating the stack. They can get behind on updating core and other things. They can let their customers make these decisions. And then all of a sudden, you know, a year or two later, they have tens of thousands, hundreds of thousands of sites with vulnerabilities and that’s not good for the ecosystem.

Oliver Sild: It’s unrealistic to think that every hosting company is going to solve every customer security problem.

Jesse Friedman: Because WordPress itself is open source and free, we get a little hesitant around the idea of having to pay for something or pushing something that is an upsell.

Introduction

Jesse Friedman: Welcome to Impressive Hosting where we seek to uncover the core tenets of great WordPress hosting. I’m your host Jesse Friedman, and with me today is Oliver Sild.

We are continuing from our last episode where we had a great conversation about hosting company’s responsibility to security, the way in which end customers think about security for their sites, what makes a site vulnerable, and all the things that we have to do to keep our WordPress websites secure.

We had such a great conversation that we ran out of time, and so now we’re gonna pick up where we left off and we’re gonna try and stay a little bit more on track here because I still got so many more questions and I think that we got into some great deep conversations in the last episode.

Not to say that we went off track, but rather that we went deep into a few things and it was very fruitful. But I did want to jump into something that we were talking about. We were mentioning the idea of the way in which a hosting company represents the level of security that they’re offering.

And, you know, you had mentioned something along the lines of like, you know, a hosting company will say that they do managed WordPress.

What is managed security?

Jesse Friedman: We had an episode of this podcast with Jessica Frick from Pressable, where we said, you know what? The frick is managed WordPress hosting because it is a vague term that everybody has kind of latched onto, but it doesn’t necessarily have a definition on the other side of it.

And so that goes a little bit deeper. What is managed security and what is a host supposed to be doing when they say that they offer managed security? I think there are some basic things that every single host should be offering. SSL certificates are one. Some kind of vulnerability database makes sense to me. A firewall. What do you think a hosting company should be including and offering if they’re saying that they’re offering managed security?

Oliver Sild: That’s a really good question because again, this is something that we’ve had a lot of internal discussions as well, and it’s exactly the same when someone tells me about managed hosting or managed, especially managed WordPress hosting. Then my question is like, what is that that you are actually managing? Why does it need management? Right? So it’s almost like a term that became popular and now we’re just using it because it gets traction. But it’s like, have we kind of lost actual meaning behind that? Like why does it need that management and what is it that we are actually managing?

Managed hosting makes sense because managed hosting means that you are managing the infrastructure, you’re managing the server, you’re managing all of that around it. But what does then managed WordPress hosting mean? Like what is the difference between managed hosting and managed WordPress hosting? And I think when it comes to managed WordPress hosting, we should kind of think about like what can we manage as the WordPress experience for that user? So it feels more like a managed service, right? And how can we even offer managed WordPress hosting if we don’t cover the basics, which is maintenance of it? Making sure that the backups are basically around there for the WordPress application, not just like the server stuff and things like that. And overall, like what are the things that require maintenance or management on those WordPress installs? And in most, the biggest one actually is management of plugins and management of updates and, you know, the overall maintenance.

And to be honest, what is also called vulnerability management, right. So I think as we go forward, this is like a place where hosting companies probably need to start making this separation as well, which is something we discussed in the last episode about like the responsibility. I think this is kind of the same topic about like what is managed on hosting side and what is managed for the WordPress experience.

What layers of security should good managed WordPress hosts offer?

Oliver Sild: And when I think about what a good managed WordPress host for example should look like, is that it needs to cover those three layers that I also mentioned in the previous episode about network level—

Jesse Friedman: Mm-hmm.

Oliver Sild: You know, all the traffic that comes in, like, everyone knows your address. Doesn’t mean that they need to kind of be able to get and step into your room, right? So you want to basically cover, you know, DDoS protection, DNS kind of firewall stuff like filter out trash traffic, basically on that DNS level through like Cloudflare or whatever, uh, a WAF that you can put in front of it.

Jesse Friedman: Before you move on, I wanna highlight one thing. So as we go through these layers, does that require any user intervention?

Oliver Sild: Absolutely not.

Jesse Friedman: Let’s ask that question with each one. So, no, the user doesn’t have to do anything. It all works behind the scenes. They just operate their website. So now the next layer.

Oliver Sild: Yeah, so the next layer is actually server security, and this is where basically all the backups, malware scanning, all that kind of stuff needs to happen because this needs to be a safe environment to, first of all, control backups, but also it needs to be clean and safe environment where, for example, malware scanning, and kind of like potential intrusion, kind of like checks are, you know, being made.

And this is a place where I think user needs to take some of the action, for example, enabling backups in case that is not part of like a base plan. Honestly, I would hope that we are moving in this direction where backups is something that is covered on most of the hosting plans. And if you’re providing WordPress kind of like a hosting service, then I think backups should be like essential thing.

Something that I truly believe also is that what is important should not be optional. Because everything that is optional doesn’t feel important. So I’m like a big advocate of that. Like when we make something optional, we are also communicating that to the user that this is maybe not as important that it should be. Right. So, yeah, malware scanning definitely on the server level. You know, also the backups and I think there needs to be some level of interaction from the user, but I think this needs to be also covered by default for them and enabled on all WordPress installations.

Jesse Friedman: Is there another layer there?

Oliver Sild: And then yes, the application layer, which is, you know, the WordPress application itself.

And I think, I honestly believe vulnerability management and vulnerability protection are very important things to cover nowadays when, you know, as I mentioned, like nearly 8,000 vulnerabilities are being found in a single year. And this is something that requires more user interaction because you need to basically install something to their controlled environment, which is the WordPress website that they set up and manage. But they need to know what the vulnerabilities are there that require attention. So they need to be able to, you know, enable some level of protection there. And then the other thing is protecting the actual users of that application, like having two-factor identification, protecting the session cookies, even having your internal kind of like cyber hygiene in place so your devices are not compromised to for someone to just take over the, you know, session cookies or steal your passwords and stuff like that. So this is the kind of like the final layer that needs to be attention as well.

And I think hosting companies need to think in the sense of those layers and offer something on each of them as well if you want to really provide managed WordPress hosting experience.

Jesse Friedman: And I wanna touch on something that you mentioned before. I really like the way you worded it. I’m gonna butcher it, but I think you said something along the lines of if it’s vital, it’s not optional, I think that’s a super important thing for a hosting company to be thinking about.

Why should hosts offer better security to customers?

Jesse Friedman: You know, one of the things that we do and focus on at WP Cloud is around bringing this cloud platform to hosting companies, making it accessible to them so that they can offer enterprise-level hosting to their end customers. And so we manage everything from performance, security, all of that underneath that.

And the reason that we’re doing that is because we know that hosting companies have the opportunity to attract more customers in, and we want to give them the ability to differentiate themselves and what they can focus on. So we see this happening all the time. Existing hosting companies out there have been around for quite a long time, and they provide, you know, very specific solutions. But we’re seeing more and more that plugin developers, theme developers, other people who are providing marketing services, things like that want to provide hosting because they want to understand and own that experience end to end. And so a customer might come to you and buy a theme, then all of a sudden they can just get hosting alongside of it. And so in the old days, there was, you know, or still today, there’s reselling, right? And so you can have some modicum of control over the hosting that you’re offering through reselling programs. But what WP Cloud does is it allows you to provide enterprise-level hosting with vertical scaling, real-time failover, all these security features that you mentioned and everything else, and not be a hosting expert.

Right. The only thing you have to do is figure out how you’re gonna charge for it. And so one of the things that we’ve actually implemented as well, which I think might be interesting from your point of view is that we have the ability to take some of the awesome power that you might see in something like WordPress multi-site, where you can have single control over a single set of plugins and themes and distributed across a whole network, but without having to have a multi-site. So what we do is we symlink plugin and theme files across your managed WP Cloud offering. And so a hosting company who, you know, whether you’re an experienced hosting company who wants to get into this, or you’re an inexperienced hosting company, you can still have security as an accessible feature in a sense.

And you can mark certain plugins as symlinked, and you know that they’re gonna be high-end, high-quality plugins, and you want to control the upgrading of it, and you wanna make sure that they’re on every single one of your sites. And so then you can instantaneously update that one plugin across your entire network.

And it’s things like that that, you know, we strive for to build for hosting companies to give them the freedom and the time to go back and invest in providing a better experience for their end customers. And I think that’s really where we’re gonna start to see, I think more and more happening with hosting companies is that they’re gonna focus on the niche solution that they’re trying to solve. And that the underlying infrastructure is gonna be managed.

Oliver Sild: That’s a really good example of the difference between managed hosting and managed WordPress hosting because what you are talking about is managing in a better way, the WordPress application itself that requires management, not just the hosting environment where you’re just making sure that the servers are running and, you know, that they’re running like the correct PHP, like the underlying kind of like thing. Right. So that is a very important—

What is the difference between managed hosting and managed WordPress hosting?

Oliver Sild: Like, I think this is a very important point to make, is that there is a big difference between managed hosting and managed WordPress hosting. And I don’t think that a lot of people realize that, but that is exactly that. What needs to be managed about WordPress versus what needs to be managed about hosting. And this is also where the responsibility is kind of like divided between like what the, you know, where usually people, or like hosting responsibilities basically given over to the end user and that in the managed hosting world, the responsibility is given over immediately to the end user as soon as the user is installing something in that hosting environment. So I think that’s like a very good way of doing it is to basically look into like in a much deeper level of how can we actually bring that managed hosting experience into managing WordPress or the application that is actually getting hosted there.

Jesse Friedman: Yeah, for sure. Especially since you know, you’ve run into issues where we talked about this in the last episode. A hosting company can get behind on updating the stack. They can get behind on updating core and other things. They can let their customers make these decisions. And then all of a sudden, you know, a year or two later, they have tens of thousands, hundreds of thousands of sites with vulnerabilities and that’s not good for the ecosystem. It’s not good for the end customer, but for the hosting company itself, it’s also a major security vulnerability for themselves. And it impacts their revenue as a company. So it’s super important that they’re taking this stuff seriously.

And you know, the other thing too to think about is that hosting companies are very focused on advertising as a way to attract customers, but it’s very hard in those moments to compete on security because an end customer who’s making a decision to go with you as a hosting company is gonna evaluate a variety of things. And we already talked about the fact that while security is more top of mind, it is more prevalent as a thing that you need to consider. It is still, in my opinion, taking a backseat to things like performance marketing. How successful is my business gonna be? How much money am I gonna bring in? Yes, I know that I need to secure my site, but is it as important as making that first few dollars with my e-commerce platform, or is it as important as getting a thousand followers on my newsletter? You know, it’s hard to say that that’s gonna take a front seat. And then the problem that exists there is that if a hosting company isn’t competing on security, then they don’t have an incentive to improve it and to be the best out there. And if they’re not comparing themselves on the level of security that they’re offering, then they’re not going to continue trying to one-up each other. And so then we end up into a situation where the bare minimum becomes the foundational layer.

So, you know, it’s an interesting thing that maybe it’s folks like yourself, people at like Automattic and Jetpack, other companies out there, maybe it’s a little bit more of our responsibility to help hosting companies understand how they can build higher standard for security and implement these things, and so they don’t have to think about it. This is very similar to the conversation we’re having with WP Cloud. Every time we talk to a hosting company is that we’re gonna take care of this stuff for you because we wanna provide a higher level of security. We want to provide a higher standard. And then, you know, maybe it’s time consuming, costly, whatever it might be, but if we handle it for you, we know that it’s gonna be done right. You know it’s gonna be done right. And then you don’t have to worry about it later. But there is a little bit of a sacrifice there. Some of the things that we ask for is that we have to put up some guardrails there. There are things like, you know, certain aspects of performance, for example, like we handle the caching and the CDN. So do you have the freedom to go out and choose anything you want? No, but it’s also because we’re fine-tuning everything top to bottom. We offer live backups, real-time automatic failover. Can you install your own backup solution on top of WP Cloud? Absolutely. But we’re going to make the decisions about where those backups and those things are gonna live.

And so in doing that, we’re giving them a little bit extra freedom. Anyways. Long story short, I’m curious what you think the way in which a hosting company needs to evaluate. How do they go about understanding their level of security and how they should start communicating that to end customers? How should they be competing a little bit stronger in that area?

Oliver Sild: I think very important thing is and this is something that you mentioned as well, and that’s something that we see a lot is that with most of the solutions that are being offered, like let’s say performance and all these things, it’s very often focused on like, we solve it for you so you don’t need to think about it. And with security, is probably the only thing where you should not do that. Because as soon as you are basically taking whatever you do, and even if you do a lot and if you tell the users that we are providing you like a secure solution. So you don’t need to think about that. This is essentially just basically making sure that there is going to be something happening in the long term. Because as soon as you take that responsibility away from that people and not think about security at all, then they think this is like solved forever. And this is just basically building up like very poor security practices internally for their personal hygiene and things like that.

Then they start losing what is actually covered for their security and what is not, because they’re not putting out attention to this topic at all anymore. So this is something that we’ve always focused on as well, is that when we talk about security, then security is—

What is “security hygiene” and why is important?

Oliver Sild: Process security is like an ongoing thing that we always do. It’s like brushing your teeth every morning. We don’t have solutions out there where I give you like this drug that you’re swallowing and then you never need to brush your teeth anymore and you never need to even look into your mouth because if you don’t look into your mouth, there’s no problem, even though maybe you don’t have teeth anymore. But that’s the kind of a problem which we have with security that we need to find a balance between customers and solutions where the security problems are actually getting solved.

But we need to talk to them about it, because we need to make sure that they are part of that process. And they understand that when it comes to security, there’s never a hundred percent, there’s not possible to secure anything a hundred percent ever again, ever. And then you need to understand that this is like, just like an ongoing process. And this is kind of like a, you know, hygiene kind of a thing, right?

Jesse Friedman: I like that. The idea of security hygiene.

Oliver Sild: I think this is something that we need to also think about from the hosting perspective. We’ve seen a hosting company basically run ads on YouTube where they’re saying protect your business with our hosting, because we provide the secure hosting, you know, experience for WordPress. And then in the end, what they’re actually offering is SSL certificates, which the end user might not even understand what the SSL certificate is. They just want their website to be up there and run an e-commerce shop and sell stuff.

And, but for them, the promise that they get is that, oh, if they host their website there, then they’re safe and they’re like never getting hacked and things like that. And then ultimately, this is making them not put the attention on security anymore, which will actually introduce even more and more poor security practices. Including the fact that they’re most likely setting up a WordPress website there, which they will never update because they will not care about it because they think that the hosting is covering all of that for them because their promise is that it’s a secure host WordPress hosting or whatever. So we really need to think about when we are like promoting security and when we are like promoting WordPress securities, or like secure hosting and stuff like that, that we are not actually shooting ourselves in the leg, because everyone is now talking about security, then we’re just use the bare minimum of like, you know, like SSL and then we can also say that we now have secure hosting and shift our core messaging in that direction. While we’re actually not doing much at all, which will ultimately make the customers feel pain in the future, but also this will cause unwanted support, overhead, customer dissatisfaction, all these kind of problems down the line.

Jesse Friedman: Yeah, you mentioned pain. So if you think about your analogy, right? You mentioned before brushing your teeth when you were a kid. You grew up knowing to brush your teeth because your mom would stand over you. She would do it for you at first, and then eventually you started doing it yourself, and then eventually you’re an adult and you, you know, to brush your teeth every day.

But if you get behind on it. You’re gonna feel some pain because you’re gonna get a cavity. Your teeth are gonna change color, whatever it might be, and so that’s gonna be problematic for you when we apply that to security. It seems very much like what you’re saying is that a hosting company has some level of responsibility to making sure that your foundation is done right, that they should be holding your hand maybe a little bit to make sure that you’re understanding the things that are important to security and the ways in which your site should be maintained and kept up. But then over time though, like that hosting company can’t be responsible for every single aspect of it as a customer, you have to take on some level of responsibility yourself. And if you let that go, you might get hacked, which would be the equivalent of a root canal or a cavity. Something that you have to get done. And we know how painful that is. And I’ll tell you, as someone who’s worked in this field for a long time and we’re talking to customers, it is so stressful on both sides because when their site is hacked, it is so stressful for them.

And then they’re trying to figure out. How do I, how do I solve this? And so the first thing they’re gonna do is call your support, which as you mentioned, is gonna increase your support load, which increases your costs. And so the more vulnerable they are, the more likely it’s going to cost that hosting company money and whether or not they’re benevolent hosting company or not. Money speaks volumes, right? So, that’s another way to think about it, is that if you, if you put these foundations in place, but then you need to really kind of hold their hand through it and help them to understand. And so maybe the hosting company has some level of responsibility to providing some kind of awareness of the state of your site, whether that’s surfacing vulnerabilities or letting them know that they haven’t had a scan in a while, or there’s no backups running on your site. And I think a lot of times, especially in the WordPress industry, because WordPress itself is open source and free, we get a little hesitant around the idea of having to pay for something, or pushing something that is an upsell.

But at the end of the day, these customers are going to want to pay out $5 here or $10 there a month, to not have to worry about it. And if you can’t keep the lights on, you’re not gonna provide a good service anyway. I think it’s an ecosystem we have to be a little bit more comfortable with helping them to understand where the gaps are.

And so maybe that’s something like, you know, and we talk about the core tenets of great WordPress hosting. Maybe a core tenant of that is a weekly or a monthly security report that helps you to understand the state of what’s going on with your site, all the steps you should be taking, give it a grade or something along those lines, and help them to understand exactly where they need to be applying more attention.

What does top-of-line vulnerability management look like?

Oliver Sild: I think it’s unrealistic to think that every hosting company is going to solve every customer security problem. And I think hosting companies are realizing that even if they are have, like we’ve had conversations with hosts where they’re like, yeah, but like the customer is coming to us and they want, you know, everything to be done for them. They don’t want to worry about that. Or like, you know, like they expect us to basically do all of it for them. And you know, we need to think about like, where is it realistic? And like, when it comes to security specifically, you don’t necessarily need to do all of it for them.

But that also doesn’t mean that we cannot do a lot of the things for them. But what we need to make sure is that when we do security. We do it together with them and not like, we are doing something on the background. Don’t worry about security anymore.

And then, when stuff goes bad and they feel bad, you take the responsibility for something that you we’re not supposed to be responsible of. And also that the customers are actually not also learning from this or anything like that. So I think honestly. Vulnerabilities or having vulnerability management part of the hosting experience, when we again ask, talk about what is managed WordPress hosting and big part of that is plugins and themes and security vulnerabilities in them and like making sure that you don’t have, you know, that you’re not exposed to those vulnerabilities.

Then I think. Surfacing vulnerabilities to customers, notifying them when the applications that they built are vulnerable. I think this shows care. I think hosting companies can earn a lot of trust from the customers, but the customers also understand where their responsibility lies. They understand that they built the website, they installed those plugins. They were the ones that didn’t update them, and they have the full control over going and updating. So this is the point where, first of all, they start to constantly think about security, which is good for them, but it’s also good for the hosting. And ultimately they may opt in to actually getting a security solution that they install on their website. And then hosting wins, customer wins. The entire open web wins because, you know, vulnerable and, you know—

Jesse Friedman: That’s the key. The last part there.

Oliver Sild: Then, the less resources hackers have to basically host malware, phishing pages, whatever on the websites because every website is a resource after.

Jesse Friedman: Right.

Community Questions

Jesse Friedman: Okay. So, everyone listening at home, this is the first time we’re gonna be doing this every time that we’re recording episodes, now, I’m gonna be going out to the community and asking if there’s any questions from the community. And the reason I’m transitioning into this is because the first question that we had for you, Oliver, was how much should you rely on your host for security and how much should you still do yourself? And I think we just answered that question, but is there anything else that you want to add around that perspective? Because I think we touched on that one pretty well, but maybe, maybe there’s one last point you wanna make there, or are we good?

Oliver Sild: I think really like, don’t give away the responsibility of your own website. I mean, don’t believe in security solutions that they’re like silver bullets where you’re like, oh, I’m gonna something and then my website is secure. Like. Look into what it does. Try to learn from those security solutions to understand what they’re doing, what problems they’re solving, and always be part of that process. I think that is super important. I think that is the most important thing, is to be part of that process because security itself is a process, not something that you can click a button and fix.

Jesse Friedman: That’s great. ‘Cause it’s always evolving and attack vectors are always coming from a new place. And as hard as we are working to harden security, the people out there are, malicious actors are trying their best to figure out ways around it. All right, cool. So one other question.

This one’s not a super serious security one, but, does he always wear a cap because secretly his hair is patched at green.

Oliver Sild: Nobody knows. It has a simpler answer to that because as soon as I turned 30, I started losing hair. So I just got used to wearing a cap now, so I’m still getting used to losing hair. So.

Jesse Friedman: That’s nice. All right, so if you’re listening at home, be on the lookout. I’m on LinkedIn and different areas in the community trying to ask questions. So, if you want to ask a question of the podcast, you can do that or you can go to impressive host. That’s all we got for community questions today.

CloudFest and Closing Remarks

Jesse Friedman: The last thing I want to touch on with you, Oliver, is, just real quick, how was CloudFest? Because I, I went to CloudFest. I was there for WP Day. I moderated a panel on WordPress in AI. And, then unfortunately I got some news that, I had a close family member pass away and I had to return home very quickly. So I don’t, I don’t want to drag the podcast down, but I do want to know like, what did I miss out on? How did it go for you this year?

Oliver Sild: For us, it was very good because we were also one of the sponsors of the CloudFest Hackathon. And we were basically sponsoring an idea behind there for improving the supply chain security of WordPress ecosystem. And when we came up with something called SBOMinator, which you can read about in our blog as well, the idea of it was like, if we think about the website as a cake. And then if you think about the cake, then you want to know what you’re eating. So what are the ingredients so you know where they’re coming from and things like that. So we need to actually do the same thing with websites. We need to understand what they are made of and like, you know, things like that.

And this is a completely other topic, but like in, uh, end of last year there was a, a new law passed in Europe, which is like equivalent to GDPR, which is like the data protection law. But now it’s applied to software security, which is called Cyber Resilience Act. And this is going to affect WordPress ecosystem and you know, the entire open source ecosystem a lot. And it requires essentially, you know, again, more responsibility, but also record management is becoming mandatory and things like that. So this is something that. Uh, I covered a little bit on the main stage at CloudFest, on, on the, on the middle. I think it was on Wednesday of the conference day. And then I also, on the WordPress day, I was talking a little bit about those layers that we were talking about in this podcast as well. What to do on which layers and what makes sense on which layer and what doesn’t make sense on another one. And this year we had, first time the booth.

Many, many great discussions. I’m very happy that you see that there’s so much more. Kind of like WordPress ecosystem spilling over into the CloudFest. Like there’s so just more and more WordPress people lurking around there and just happy to see like, so many familiar faces. It was great event.

Jesse Friedman: Yeah, well, WordPress does power a large part of the internet, so I think, all hosting companies are always looking for a way to improve their WordPress hosting or get more customers. That’s great. All right. Well, thank you so much for being on the podcast. It was a really great conversation. We had so much to talk about. We broke it into two episodes. I hope you have a great rest of the year and hopefully, you know, maybe you come on again in the future when we have more security things to talk about.

Oliver Sild: Thank you and be happy to join in the future as well.

Jesse Friedman: Awesome. All right. Take care. Thanks for joining us on another episode of Impressive Hosting, where we uncover the core tenets of great WordPress hosting. Do you have a follow-up question for today’s guest thought or comment on anything? We talked about a future guest suggestion, a hosting horror story. What do you think makes great WordPress hosting all your comments? Shape the show. Drop them on impressive dot host. We also appreciate you following us on social media and subscribing to the podcast on your favorite platform. Finally, do check out our list of open source projects that need support at impressive dot host. Whether it’s code, community, or cash, you can make a difference. See you next time.