Welcome to another episode of LMScast with Chris Badgett of LifterLMS. Today we discuss professional security and backups for course creators with Akshat Choudhary of BlogVault and MalCare. Chris and Akshat talk about security, backups, and taking proper care of your online business.
Security and backups for your website are like purchasing an insurance plan to protect your online assets. Many people underestimate the importance of website security and don’t take enough precautionary measures. Having backups for your site is important, because if your site is attacked and you don’t have backups, you could lose all of your site data and have to start over from scratch.
BlogVault is one of the companies Akshat founded, and they work to back up your site and encrypt the site’s sensitive details. They have backed up sites up to 800GB in size, so they do some serious security work. They have some great features, like daily automatic backups and one-click migration where you can make changes to your backup on a staging site and then migrate the pieces you want to your current site.
It is important to understand that there is no such thing as absolute security. Akshat makes the analogy that online security is just like real life. To protect your house, you can build a fence, install security cameras, and install door locks. But it is still possible for thieves to break in, although much less likely.
MalCare is a complete WordPress security solution. The most important piece of MalCare is its ability to identify malware that no other company can. MalCare has learning algorithms that analyze data from over 250,000 sites and detect if any are hacked or vulnerable. Not only can MalCare detect hacks, but it has a built-in auto-cleaner to clean up your site with the click of a button.
Identifying the needs of the customer is key to developing products that suit their needs. This is why Akshat and Chris like to spend a lot of time in customer support within their businesses. Good course creators and membership site owners engage with their students, so they can continuously improve as educators.
Head over to BlogVault.net and MalCare.com to learn about some of the best WordPress security systems, and you can find Akshat Choudhary on Twitter at @AkshatC.
Head over to LifterLMS.com and check out all of the awesome things we have going on over there, and subscribe to our newsletter for updates, developments, and future episodes of LMScast. Thank you for joining us!
Episode Transcript
Chris Badgett: Hello, and welcome back to another episode of LMScast. My name is Chris Badgett, and in this episode we have a special guest, Akshat Choudhary of BlogVault and MalCare. And we’re gonna be talking about security, backups, taking proper care and ensuring your business is really secure. And for the education entrepreneur out there, these are issues that some people overlook and sometimes find out the hard way that they should have had a plan in place or had better security and backup, things of that nature.
But first, Akshat, thanks for coming on the show.
Akshat Choudhary: Hi Chris. Thanks for having me. I’m happy to be here.
Chris Badgett: It’s great to reconnect with you. For the listener out there who hasn’t met you yet, how did you get into security? Why is this an important issue for you?
Akshat Choudhary: As you mentioned, we have two products. BlogVault and MalCare. BlogVault is our WordPress backup service, and MalCare is our security service. We started with BlogVault about seven years ago. And we realized that one of the big reasons why people restore their sites is when their sites would get hacked. So they would be like, “Okay, my site’s hacked. Help me restore and that will get rid of the hack.”
Now there are many things wrong with restoring when your site gets hacked, because that’s not the right answer. But that’s a separate discussion. What we would realize is that sites would get hacked for months before customers would realize that their sites had been hacked. And they would use a plethora of systems and plugins out there. Everything that we can think of and would realize that they just were not doing the job that was needed to inform the customer and help the customer recover and protect the sites. That’s what got us into taking up the problem.
We knew that it was a tough problem, and being a small team, a lot of us WordPress entrepreneurs, we had very limited resources. But nonetheless we thought, “Let’s take up this problem.” And little did we realize that it’s gonna take us three years to really figure out how to solve the problem correctly because dealing with hackers and finding malware is a tough nut to crack. So that’s how we got into security, just to help our customers … Like our customers told us they were having a problem, and it is a difficult market to get into. But nonetheless we are here, with security.
Chris Badgett: That’s fantastic. And just for the listener out there, what is the difference between backups and security? How do you see those as different things in your mind?
Akshat Choudhary: If you think about it, backups is a very, very important piece of security. You can think of security in terms of layers, and backup is the most important piece of it. Why is it the most important piece of security? Because when shit hits the fan and everything blows up, you can rely on the backups. That’s the worst case situation. Does it mean you should recover from a backup when things go bad and you get hacked? That’s not necessarily the true answer. But backups are very related to security, backups serve other purposes even when it is not dealing with security. Because, again as the primary audience here, we are running businesses essentially on WordPress. We are creating a lot of important content, and we need that safety. Suppose we have a server crash. Suppose …
If you ask me, one of the things is, “How often would you need backups? Maybe once in blue moon when things really go wrong.” And when we started the service we thought the same, but that’s not really true. We see that people really need backups a lot more often than I would have ever guessed. And things do go wrong. We have seen storms and hurricanes hit and take down data centers, and that is one of our busiest weekends. I think that was a hurricane a few years back in New York, I don’t remember which one, and it took down quite a few data centers. So even hurricanes will take down your site, and you will require a backup in that case. You’ll forget to renew your hosting and require a backup in that case and all of these happen. Your hosting will shut you down one fine day, for whatever stupid reason. And I think we can have a separate talk when it comes to using hosting providers, but …
Chris Badgett: Those are really good points, and … If you have a house and it burns down or gets torn apart by a hurricane, you’re gonna want your house back. You can’t really have a backup of a house, I mean you can have an insurance policy, and you can get your house rebuilt, which is kind of like a backup. But when it comes to digital properties, the backup is in some ways a lot easier than rebuilding a house, but you have to have that system in place.
Akshat Choudhary: I agree. That’s one of the advantages we have. We are selling insurance, but fortunately we don’t have to deal with rebuilding a house.
Chris Badgett: So it’s a backup and then the restore, that’s the rebuilding. And luckily in the online space, restoring is not that big of a deal as long as you have the backup.
Akshat Choudhary: True. To a great extent that’s true. Restoring is a lot easier when you have a good backup in place. There are some challenges associated with it, but overall we think having backups is key. And I would advise it even if I was not running BlogVault.
Chris Badgett: You said backups are a layer, and a very important layer, in security. But what do you see security as? Help people understand what security is all about. What does that mean? Is that strong passwords? Is that … What is it?
Akshat Choudhary: Security … and again, I’ll try and keep it in context of WordPress. And WordPress really does unfortunately have a really poor reputation around security. Some of it is unfounded, but there is some truth to it at some level. Software security is … WordPress security is one aspect of it, software security also in the recent past has gotten a lot more visibility with big systems blowing up, it’s appearing in news big time. People fortunately have started taking security … Giving it more … spending more time and effort looking into it.
So when it comes to WordPress security, strong passwords is definitely a very, very important piece of it. It’s not only for WordPress, but anywhere. Any computer, any system you are using, there are malicious people trying to get into that system. From your phone to your desktop, laptop, to your WordPress site. Each of these systems people are trying to get in because you have precious information in there. Your website can be exploited in many, many ways by hackers. So people are always trying to get in. And you need to protect yourself. If you are a regular store owner or a site owner you have to understand that security cannot … There’s no such thing as absolute security. You just need to take steps one step at … You need to just keep adding layers of security. I think some of you might have heard that term too, right? Security is … You need to add layers of security. Which is why I said that backups is the most important core of security. On top of this you just keep adding layers to make … Add more protection to yourself.
It’s like having a house, building a fence, putting a lock, putting a door, having a video camera, a surveillance camera, having a dog, staying awake all night in a paranoid manner, it’s just different levels of security you have. In a similar manner, for your website also you need to add different layers of security. And even then, you might still get robbed. So you’ll still have an insurance policy in place. Because all things said and done, no one can guarantee that you’re not going to get robbed. You’re only going to put in-
Chris Badgett: So if you have an online course or a membership site, these are important considerations. And before we get into more details of backup and security, let’s talk about some of the hacks that are out there. I want to know what you’re seeing as the most popular hacks that people have to deal with, or malware or whatever. And before you go I just want to tell a story.
Several years ago for one of my online course websites I got hacked by something, it was putting ads with links to pharmaceuticals on my site. And it was actually smart in that if I was logged in as a WordPress administrator, I would never see it. So it actually existed for a long time before I became aware of it. And not only would it not show itself if the WordPress admin was logged in, it also [inaudible 00:10:36] on desktop or laptops. It only showed itself on mobile phones. It was a very sneaky hack, and then I was able to get it cleaned up. But that was a hack that I had to deal with, and that was several years ago.
What are the popular hacks or malware that you see happening here in 2017, 2018?
Akshat Choudhary: What you went through, the pharma-hack, that’s still quite prominent. We do still see quite a bit of that. And hackers are very sneaky. And they’re getting sneakier by the day. So you will see hacks being disguised as fully functioning plugins. And you will be like, “Okay, that looks fine. The filenames look like plugin filenames,” and you might even think that you might have installed the plugin yourself in your … It might be one of your ten regular plugins. They do stuff like that. They will modify … One of the core things when it comes to hacks, that we have seen, is the first thing the hacker tries and does is installs a backdoor. This is something that we have seen consistently across all the hacks that we see. And these backdoors come in different shapes and forms. They can come in forms of a plugin, a fully functioning plugin, to something which is more obvious where they modify a core WordPress file, which is now much, much easier to spot. It can go from one extreme to the other.
Recently we saw another customer getting hacked, and … their site got fully encrypted by the hackers. They had to pay a ransom. And again you think, “Okay, this cannot happen to me.” But a perfectly normal person running a decently popular blog, and it got hacked. Fortunately he had a backup and he could recover from it. But it was a ransomware hack and the entire site got encrypted. You have hacks where you’re talking about … Not of dirty malware like just showing popups to visitors on phones where they’re just advertising that your site … phone might be compromised, and there are enough visitors who fall for stuff like that. Especially if it comes from a trusted website. So we are seeing a lot of those things happening.
The newest one that is getting a lot of noise recently is your bitcoin or cryptocurrency mining hacks. We do see a few of it, but I think it sounds a lot more newsworthy today, so you’ll hear a lot more about it than you’ll see it in practice. A lot of malware we see is in the form of backdoors, where people use your site to attack other sites and to send out spam emails. Those are the two most prominent ones that we see. While these other ones sound … They make news … These two are actually quite common. And they’re the ones who will really cause your site to get suspended by your web host. Obviously SEO spam related hacks will get you suspended by Google, so those are again quite common. These are the top three categories I would say: email spam, attacks toward the websites, and SEO spam.
Chris Badgett: Can you talk to the online course entrepreneurs out there, the membership site owners … What is the difference between a human doing a hack live, versus a bot or some kind of a program that’s hacking your site? How much of hacking is an actual person behind another computer somewhere, versus some computer program that’s cut loose on the internet?
Akshat Choudhary: If you ask me, almost the majority, for 99.99% of us, it’s all automated. People are scanning nonstop, all the time. They are looking on top 10 million, 100 million sites, and it doesn’t take very much … It sounds like a very large number, but if you think about it, it does not take any resources whatsoever. A couple of computers running, and they will map out the internet, with all the plugins and themes running on your WordPress site, with the exact version of plugins and themes running. They might run the scan once a month, and then it’s very easy to attack the sites that they want to attack. It’s not a human being going after it, they’re just running automated bots attacking sites which they know are running WordPress. So it’s actually a lot, lot easier to do this today. And they are not targeting a specific person.
Most often it is being done in an automated manner, which is why we say that you should never think that you are too insignificant on the internet that somebody will take their time to attack you. You’re just getting attacked automatically by bots running 24/7. And possibly another computer which has been compromised is one of the bots which is attacking you.
Chris Badgett: Thanks for clearing that up. I think that there’s this popular image that there’s somebody wearing a ski mask behind another computer that’s going against you directly. But that’s not really how it usually works. It’s way more large scale and automated like you’re talking about. And I find in my experience, it’s kind of hard and almost a waste of time to try and figure out why are they doing this to me. It’s confusing, it’s not worth getting into it. It’s more worthy focusing your efforts on hardening your security, having your backup system in place, and just accepting that the world and the internet is … That’s just part of the internet. There are hackers out there, and they’re looking for vulnerabilities, so just focus on hardening things up, and having backups.
Akshat Choudhary: That’s true. Just imagine your home. If you did not have police and government, etc. and if you did not have a fence in place, or a door, people are always looking in. Even with all this in place, there are people always looking into your home. So there are passersby, there are windows, always looking into your home. If they see an opening … Fortunately you have government etc. keeping a check, but nonetheless they will get in. It’s just the nature of how if you have something valuable, and especially if you have a valuable site, with good ranking on the internet or good server resources, then you are valuable to somebody.
Chris Badgett: And I also just to make the point on value there, that as an online course creator, entrepreneur, membership site owner, websites are important. But if your website is the business, or an important part of the business, where you’re actually making money with the site, it’s not just a brochure website for your other business, your website is the business so you need to give it the respect it deserves, and invest in the security of it and it’s a big deal if you lose it. The internet and WordPress and using plugins like [inaudible 00:18:47] or Commerce and building a real business on the internet, it’s amazing what’s at your fingertips, but you also need to protect that asset.
It’s become so easy to build websites, we forget sometimes … And it’s kind of intangible, it’s just behind a computer screen somewhere, but we need to protect that asset we’ve created. Sometimes having invested many years and a lot of money into it.
Akshat Choudhary: Absolutely. Protecting the asset is the best way to look at it because a lot of sweat has gone into it and we are talking about significant amounts of money over here. Sometimes the value of the website to you is a lot, lot higher than the value to a miscreant-
Chris Badgett: That’s a good point. Can you tell us about BlogVault and MalCare? What do they do to help people who want to level up their security and their backups and just protect the asset?
Akshat Choudhary: BlogVault is a WordPress backup service. As any website owner fortunately in the WordPress ecosystem, we have spent a lot of energies to … The ecosystem itself has ensured that people are aware of backups to a great extent. There are situations where people do take it lightly, but overall I think the education level for backups is definitely very high. We are a complete WordPress backup service. So what we do is, we are a one-stop solution so you do not need to go to ten different places to ensure that you have perfect backups. Backups, all WordPress backups, it involves doing a lot of things correctly.
The simplest one, for example, is doing daily automated backups. At least for a course creator this might not be sufficient, you might want something more regular, maybe even to the extent of real-time backups. But that’s a separate thing. But at least daily automated backups is one mechanism. And there are a lot of plugins that let you do that. Obviously this is one of those. You’re talking about offsite backups, you never want to store your backups on your own server. With a lot of plugins out there, you have to configure this and use a lot of additional services like Dropbox or maybe your own Amazon S3 account, and there are challenges with setting those up and running them and using them. What we do is, [inaudible 00:21:31] one stop service, so you install our plugin and we take care of everything else automatically. We will do the best practice that you have, the best things you can do for your backup.
We’ll ensure that it’s encrypted. We’ll ensure that it’s safe. We’ll ensure that it’s running all the time. Also, because our technology lets you backup a site of any size … So we have backed up a site of 800GB in size … If you’re running a site even a couple of GB in size, you’ll start seeing that the backups fail. We are able to ensure that the backups are always working. And all of this comes in a single package.
Chris Badgett: And for those of you listening, check this out at BlogVault.net. And I was just looking over your site there and I was looking at the daily automatic backups, the on-demand backups … If you’re just getting ready to update a bunch of stuff, or for whatever reason you want to do a backup when you choose in addition to the on-demand … One-click auto restore, one-click staging setup. [inaudible 00:22:42] These are amazing features, you know it’s a complete backup package.
Akshat Choudhary: Right. Staging is one of those things we are very, very proud of. I think it’s one of our unique selling propositions. And I think especially for course content creators it can be quite interesting because we are able to … When we do the backup, we let you restore the backup onto our own test service, our staging service with a click of a button. So you don’t have to go running around trying to figure out how to create a separate domain for staging. I really recommend never putting your staging server on another WordPress install in your same hosting environment, in the same … If you have a shared hosting environment, putting another one. It’s a terrible security stance. So all of this is happening with a click on our systems. We’ll give you a safety key access you can access WP admin. So if you want you can update plugins and themes and test it. You can even change PHP version for example.
[crosstalk 00:23:53]
Or hand it over to your developer. And then with the click of a button you can migrate it back to your live environment.
Chris Badgett: You also have One-click migrate. Am I understanding you correctly, the backups are happening automatically or when I tell it to, and if I wanna restore backup I can check out the restore in staging, and then when I’m happy with it … If I’m happy with it or I do some things to it and then I’m happy with it, I can then migrate it back to my main site.
Akshat Choudhary: That’s correct.
Chris Badgett: Awesome.
Akshat Choudhary: And we’ll actually show you the difference between your main site and your staging environment.
Chris Badgett: What do you mean by difference?
Akshat Choudhary: Suppose you update a plugin. We’ll show you that this plugin was updated from this version to this version. Or if you added a new file, or if you’d given it to a developer. Because your other site might be moving forwards. This is a perfect example of how a course creator needs to think about it, if you’re running an [inaudible 00:24:58] system. You want to make some changes to your site, right? And if it’s a five-minutes work, maybe you test it on a staging environment and replicate it and do it again. But it might be something more complex. Maybe you’re tweaking your theme in a way. Now, when you are ready, after a week’s work, if you want to bring it back to your live environment you might have gotten new subscribers, you might have gotten new content in there. So we will show you the difference between the live and the staging environment. We’ll let you select the tables and the files that you want to move. So you might have updated a plugin on your live environment, so you don’t want to overwrite that. And we let you select, and we show you the changes that have been made.
Chris Badgett: I just want to emphasize how cool this is because you could use five different plugins to achieve this, but to have a unified solution, to have this staging environment happen, migrate only the pieces you want, because while you were messing with your side or testing things or fixing something you don’t want the orders that came in, and the new users to lose that data when you bring your staging over. So you only move over what you want, the parts that you wanna move over, which makes complete sense. As you describe how it all works, it’s really amazing to me. One of my favorite terms, or words, is integration.
There’s a lot of pieces here that I’ve seen other plugins do individually, or hosting companies and stuff. But you’ve actually integrated the full picture of what that person who wants to have a backup system and staging and be able to migrate and restore and all this … You’ve rolled that into one solution. That’s beautiful.
Akshat Choudhary: Thank you. And integration is actually one of the things which is very important, especially when you’re offering a service like ours. Because there’s so much complexity you’re dealing with. And-
Chris Badgett: I just wanna add a note there, too. A lot of the people using [inaudible 00:27:09] for example, they may not be highly technical users. So they’re counting on the tools to handle that. So, keep going!
Akshat Choudhary: Thanks. And that’s our goal. It’s again, always everything is a work in progress, and basically we are doing … A lot of what we are building is what our customers are asking us for.
Chris Badgett: You’re in good company in terms of having customers involved in the conversation of what they need, and completing the loop of the solution they’re looking for, the problem that they’re dealing with. Let’s talk about security a little bit. Thank you for painting the picture on what’s possible with BlogVault. And again, that’s at BlogVault.net.
Tell us more about what you offer in terms of security? What’s MalCare all about?
Akshat Choudhary: MalCare is a complete WordPress security solution. What it lets you do is … I think the most important piece of MalCare is it’s able to identify malware which no one else can. So we are able to scan your site every day automatically with very, very complex algorithms. And we have data from over 250,000 sites. So we are learning from over 250,000 sites that we have backed up. And we use that learning to tell you whether your site is hacked or not.
Chris Badgett: I just wanna say how beautiful that is. Because like in my story that I told earlier, I was probably hacked for months before I realized I had a problem. I didn’t even believe my customers when they first told me about it. I thought they were on the wrong website or something. But to have it running in the background, and have that kind of machine learning, having it get smarter as time goes on is so cool.
Akshat Choudhary: Right. I think again we are very uniquely positioned to solve some problems like this because of the amount of data we see normally. And we can use the learnings from all sites that we have to improve security stance. And all of this is happening on our servers. So without putting any load on your server. So everything happens, all the scanning, all these algorithms are run on our servers to figure out hacks, to figure out if your site is hacked.
If your site is hacked, we’ll inform you with, at least what we believe is very high accuracy. And for us, one of the biggest challenges was false positives, which we have fought a lot. Having false positives is one of the biggest problems when it comes to security. Because we can go tone deaf very, very soon. You’ll cry wolf once, you’ll cry wolf second time, and the third time you’re like, “Okay, this guy’s just bothering me for no reason.” So we’ve spent a lot-
Chris Badgett: Can you describe a false positive in more detail?
Akshat Choudhary: Again, I don’t want to shit on other plugins out there, I think that some of them are great. But a lot of them tend to create this noise, saying that something is wrong with your site, that something is going on, some file has been modified. And if you’re a content creator, if you’re a store owner, the first time you’ll be like, “Okay, something is really going on.” You’ll contact your developer to figure out what the hell happened. And your developer will come back, “No, nothing really happened. It’s a normal plugin update.”
Or like I said, there are people always looking into your site, trying to attack it. They’re always peeking in. So getting alarm for minor issues is … I think your security solution should just take care of it. The other part about false positives is, because of the technology of the ways many of these plugins work, these create a false alarm. They are unable to identify when a site is really hacked and when it is not. So they look for certain keywords, if that keyword is present they’ll send you an alarm. But those keywords are present in many normal cases.
The other way also works. Malware is so complex that they just are not able to find that kind of malware. Because hackers are trying to keep one step ahead of … And when you have your code out in the open, the hackers know exactly how you work. So they will know how a popular security plugin works and they can very easily circumvent that system.
So a combination of these things leads to false positives, which basically you’ll pay attention to it once, you’ll pay attention to it twice, but the third time you are just going to ignore it. The crying wolf story really holds true in this case. I’ve seen this enough number of times. So we have paid an extreme attention to making sure that we only alarm you when we are very certain that there is malware on your site.
Beyond that, suppose we find malware on your site. That’s only part of the job. You can clean it with a click of a button. We have built an auto-cleaner, which you click on a button and your site gets cleaned automatically. So you do not have to wait for hours to get it clean, or figure out how the hell to get it cleaned, share credentials and going back and forth. None of that you have to do, everything happens automatically.
Chris Badgett: You know what I love about entrepreneurs, is I have done or experimented with a lot of backups and malware and firewall security stuff, and you’re talking directly to pain points that I have experienced when I have used tools before in terms of false positives, or I have to do a bunch of work before I can get the malware cleaned up. Or notifications that aren’t helpful, or it says something happening but nothing’s really actually wrong. I love how you have kept your ear to the ground and paid attention to what the customers need and are just evolving. Tools get better over time, and like you said, you’re pulling data from all these different sites and it’s just getting smarter and evolving with the attackers. It’s not something you can ever rest. It’s a mission that you have to stay on forever, and you’re inspiring a lot of confidence there. So thank you for your leadership.
Akshat Choudhary: No, thank you. And frankly like you said, it’s just about paying attention to what your customers are saying. So even today a lot of my time goes into customer support. In fact, I find it very difficult to understand if you think about it … If a seasoned entrepreneur were to talk to me, they’d be like, “Okay, stop doing customer support so much.” But that’s the only way we are able to understand exactly what is going on. So I’m quite conflicted about it, because you want to grow your business and spending so much time doing customer support is not productive, but at the same time that’s the only way we are really understanding what’s going on, what the customers need.
Chris Badgett: I 100% relate to you, and have felt the same way, and get comments sometimes about how much time I spend in support or taking presales calls and things. But I think it’s actually one of my biggest strengths, because I have my finger on the pulse. And some people call that a frontline obsession, I’m obsessed with our customers, or I’m just obsessed with being in touch with what they need, and what they’re looking for and what their problems are. And that’s how we innovate. It’s actually really simple.
Akshat Choudhary: Yeah, I can totally relate to what you are saying there. There’s no right answer. You always feel guilty about it at the end of it, if you ask me. I can totally imagine a course creator also, how much time do you spend marketing the course, versus creating it, to listening to your … Hanging out in your forums.
Chris Badgett: Good course creators and membership site people, they engage with their students. If you just automate everything, and delegate everything and walk away, that’s not the best strategy for continuous improvement.
Akshat, I want to thank you very much for coming on the show. For those of you who are interested in MalCare, that’s at MalCare.com. Where else can people find out about you?
Akshat Choudhary: I am on Twitter, though I don’t really … I’m too much of a developer to be on Twitter. I don’t know, I don’t think that’s fair, because a lot of good developers are … I’m too antisocial to be on Twitter I would say. Let’s put it that way. And-
Chris Badgett: You’re too busy helping your customers at BlogVault and MalCare and your team, I’m sure.
Akshat Choudhary: Yeah, so I’m not the most social. But I do attend a few WordCamps, so I think WordCamp US and WordCamp Europe, those are the two big WordCamps I definitely try and attend.
Chris Badgett: That’s awesome. Well, thank you so much for coming on the show, and I just wanna just thank you for sharing so much insight into the situation with backups, security, what hacking really is, what malware is, and your mission to protect against those things with your products BlogVault and MalCare. Thank you so much, we really appreciate it.
Akshat Choudhary: Thank you Chris. Thank you again for having me, and thank you everyone for your time.