In this session from the Cloudways Security Bootcamp, experts Tessa Crystal and Aurélio Volle break down how agencies can implement Zero Trust Architecture to secure client websites without compromising usability. Learn what Zero Trust really means, why it’s critical even for non-technical agency owners, and how to easily apply practices like MFA, user access control, IP monitoring, and automated updates. The panel also explores the growing threat of AI-powered attacks, the dangers of outdated plugins, and how tools like WP Umbrella simplify security management for WordPress agencies. Whether you’re managing eCommerce sites or marketing pages, this session is packed with practical tips to help you build a more secure web presence.
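The summary above lists user access control and IP monitoring among the practices covered, and the panel goes on to describe reviewing who still has access to wp-admin, revoking stale accounts, and checking where a user's logins come from. The following is an added example, not code from the session, from Cloudways, or from WP Umbrella, that turns that review into detection logic. It runs over a constructed WordPress audit log (the record shape and field names are an assumption for this example, not any plugin's real export format) and flags four things: logins by accounts that are not on the current staff roster, logins from a country never seen before for that user, two countries inside a short window ("impossible travel"), and role changes that grant administrator to an account not on the admin allow-list. Python is used because the point is the detection logic over log records rather than WordPress internals.

```python
"""Zero-trust review of a WordPress login/audit log.

Added example. The records below are constructed for illustration; the
field names (ts, user, event, ip, country, target, new_role) are assumed,
not taken from any real activity-log plugin.
"""
from datetime import datetime, timedelta

# Constructed audit records, oldest first, in a shape an activity-log
# plugin might export. ISO 8601 timestamps, ISO country codes from GeoIP.
AUDIT_LOG = [
    {"ts": "2024-05-02T08:03:00", "user": "alice", "event": "login",
     "ip": "203.0.113.10", "country": "PT"},
    {"ts": "2024-05-02T09:15:00", "user": "bob", "event": "login",
     "ip": "198.51.100.7", "country": "PT"},
    {"ts": "2024-05-03T08:01:00", "user": "alice", "event": "login",
     "ip": "203.0.113.10", "country": "PT"},
    {"ts": "2024-05-03T08:40:00", "user": "alice", "event": "login",
     "ip": "192.0.2.55", "country": "BR"},
    {"ts": "2024-05-03T08:42:00", "user": "alice", "event": "role_change",
     "ip": "192.0.2.55", "country": "BR",
     "target": "contractor1", "new_role": "administrator"},
    {"ts": "2024-05-03T11:00:00", "user": "dave", "event": "login",
     "ip": "198.51.100.9", "country": "PT"},
]

ACTIVE_STAFF = {"alice", "bob"}     # current staff allowed into wp-admin; dave has left
ALLOWED_ADMINS = {"alice"}          # the only account that should hold 'administrator'
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is implausible


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def stale_account_logins(log, active_staff=ACTIVE_STAFF):
    """Logins by accounts not on the roster: ex-employees or users nobody recognises."""
    return [(r["user"], r["ts"]) for r in log
            if r["event"] == "login" and r["user"] not in active_staff]


def suspicious_logins(log, window=TRAVEL_WINDOW):
    """Per user, flag a login from a country not seen before for that user,
    and separately flag a different country within `window` of the previous login.
    A user's very first login only seeds the baseline and is never flagged."""
    findings = []
    seen = {}   # user -> set of countries seen so far
    last = {}   # user -> (timestamp, country) of the previous login
    for r in sorted((x for x in log if x["event"] == "login"), key=_ts):
        user, country, when = r["user"], r["country"], _ts(r)
        if user in seen and country not in seen[user]:
            findings.append(("new_country", user, r["ts"], country))
        if user in last and last[user][1] != country and when - last[user][0] <= window:
            findings.append(("impossible_travel", user, r["ts"],
                             f"{last[user][1]}->{country}"))
        seen.setdefault(user, set()).add(country)
        last[user] = (when, country)
    return findings


def privilege_escalations(log, allowed_admins=ALLOWED_ADMINS):
    """Role changes that hand 'administrator' to an account outside the allow-list."""
    return [(r["user"], r["target"], r["ts"]) for r in log
            if r["event"] == "role_change"
            and r["new_role"] == "administrator"
            and r["target"] not in allowed_admins]


def review(log, active_staff=ACTIVE_STAFF, allowed_admins=ALLOWED_ADMINS):
    """Run all three checks; each finding is something to force-logout and investigate."""
    return {
        "stale_accounts": stale_account_logins(log, active_staff),
        "suspicious_logins": suspicious_logins(log),
        "privilege_escalations": privilege_escalations(log, allowed_admins),
    }


if __name__ == "__main__":
    for kind, items in review(AUDIT_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed log this reports dave's login (no longer on the roster), alice's login from BR thirty-nine minutes after one from PT (both a new country and impossible travel), and alice's session granting administrator to contractor1 from that same BR address, which is the sequence the panel describes responding to: force a logout of every session, revoke the access, then read the log to see what the account did. In practice the roster and admin allow-list would come from the agency's own staff and client records rather than literals in the script.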
Host: Now, moving on to the next session. This session is about agencies. If there are any agency owners listening to this session, I would suggest that you stick around for this one as well, because this session is about how to make sure that you secure your web agencies: it's about enforcing zero trust architecture for client websites. I know this might sound a little technical, but we have two amazing panelists who are going to take us through this amazing topic. So first of all I would like to introduce Tessa Crystal. Tessa, thank you so much for being here with us today. I'm so delighted and honored for you to be here and enlighten us with your knowledge and wisdom about security. For those of you who wonder or don't know who Tessa is: Tessa, if you can give us a short introduction about yourself and enlighten us on what you are up to nowadays.

Tessa: Yeah, absolutely. So I am a developer by trade. I started in Joomla, a similar open-source platform to WordPress, and shifted into WordPress over time. Throughout my career I have eventually shifted over to what is called developer relations, and that's working more with companies and products and helping developers find success within those products. Today I am running my own business, where I serve a variety of different clients in this space, and I actually have two clients that fall into the zero trust sort of world, so I'm pretty excited about chatting about that today.

Host: Perfect, and we're excited to have you with us today, Tessa. Our next guest for this panel discussion is Aurélio Volle. He's a good friend of mine; I've met him a couple of times at different WordCamps, and I'm excited for Aurélio to be here. Aurélio, if you wouldn't mind, can you give us a short introduction about yourself and your company, WP Umbrella?

Aurélio: Of course. Nice to see you, and nice to be with you, Tessa, as well. So I'm Aurélio. I'm the CEO and co-founder of WP Umbrella, which is a WordPress management tool for agencies, so they can easily manage many, many websites, including safe updates, backups, uptime monitoring and security monitoring, from one place. And based on everything they do with WP Umbrella, we automatically send white-label care reports to their clients so they can prove the value of WordPress maintenance. I'm here because I'm not a tech expert, but I'm speaking with agencies every day and I can see so many things that are going wrong, on the most basic layer of security as well.

Host: Perfect. So Tessa and Aurélio, I will be taking you through a list of questions around this topic, and I'm sure our audience would love to know your input on those topics as well. I would like to start off with zero trust. Zero trust obviously is a widely used security framework, right? Many agencies might not fully understand it, and that's understandable as well, because many agency owners are not technical. How would you define it in a simple, non-technical way? We have a lot of agency owners on the call here as well, and I'm sure there are a lot of fans of Aurélio on this call listening to him at this moment. So how would you define zero trust to these users who are not familiar with this term? Tessa, if you can take us off with this one.

Tessa: Yeah, for sure. It was really interesting, because when I started getting into the space I was like, zero trust? That makes no sense. Why are we saying zero trust? Don't we want, like, 100% trust? But the idea of zero trust is that we are never trusting anything, and so we are constantly verifying everything. That's how we think about zero trust: it's this idea of constantly double-checking to make sure that maybe our doors are locked, or maybe it's a system that we have in our home security, maybe we have Apple Home, and we're like, "Hey, every 30 minutes, just make sure the doors are locked." It's just a level of never trusting that everything is where it needs to be and always verifying to make sure that things are working as they should.

Host: All right, perfect. Aurélio, do you have an opinion on this one? Do you have another definition?

Aurélio: No, I mean, very close to what you just said, Tessa. Actually, when I was trying to figure out how to explain this to people, I couldn't help but think about climbing. I'm a climber, and when you climb you put your life in the hands of your climbing partner, and the first basic rule of security in climbing is to never trust the person who is belaying you. So you always double-check. You know, I have made those knots thousands of times and I can do them with my eyes closed, but I never trust myself, and I ask the person I'm climbing with to never trust me as well. That's what zero trust policy is about, because we humans make mistakes all the time, and that's the beauty of what we are, if I can say. We need to have basic, easy-to-follow policies to make sure that we mitigate the errors that we are making on a daily basis. This very complex and frightening term, zero trust policy, is just about putting in place some very easy mechanisms to make sure that things are under control.

Host: All right. It's hard enough to understand what zero trust is, and I can imagine how hard it must be for agency owners or small businesses to explain, define or elaborate the importance of having zero trust. So my next question is along the same line: how do you convince your clients, especially small businesses, that implementing zero trust is worth the effort and investment? Aurélio, if you can answer this one.

Aurélio: So the first thing to do is to remove the burden of implementing the zero trust policy from them. I mean, if you force them to activate 2FA on the accounts, if you don't give them the right, to some extent, to add plugins or to make mistakes, then you have done 80% of the job. And I think nowadays, with banking apps for instance, where you have MFA every single time you want to do something, people are more used to these kinds of things. So the agency needs to... it's kind of security by design, you know. You have to deliver a project with the zero trust policy built in, as much as possible.

Host: All right. Tessa, do you have a similar opinion on this one?

Tessa: Well, I mean, yes. I think that's really super important. I think maybe a flip side to think about from this conversation is also showcasing what can happen if they don't have this in place, right? So thinking about the downtime cost, the days of lost revenue, liability risk, getting sued, that type of thing. There's just all that goes into this, where if someone can get into your site and get data, get customer data, get financial data, that's catastrophic. So instead I like to think about, not the fear factor, but a little bit of fear factor: if you don't think about it, these are the things that can happen if you don't actually put these policies in place. I feel like that's a strong place to come from, obviously just being able to explain that, and really just talking about, hey, how can we eliminate some of those different risks.

Host: So yeah, I loved how both of your answers were about how you two operate in normal circumstances. Aurélio said that he would want to remove the burden of implementing zero trust, because he works in that line, where he wants to make it easier for his clients to implement not just zero trust but anything they want on their website, so that's exactly what this tool does. And you're saying that you have to make sure that you completely translate and communicate the importance of it by telling them what happens if it's not implemented, right? So I loved how contrasting these two responses were. You were saying something before I started?

Aurélio: Yeah, because with zero trust policy, it's not just a one-off, actually. So you need to design it, in my opinion, by default, and then it's a constant reminder: hey, don't open your laptop, don't type your password if someone is taking pictures in the background. I was at WordCamp Asia last month and everybody was working, and there were so many photographers. I'm a bit paranoid, but as I should be, and I could see people doing some confidential stuff, or not really confidential, but with private data on users, on people. This is the kind of thing that you cannot design with processes, and I agree with you, Tessa, you need to scare people. I'm not into the fear business, to be honest, but you need to remind them: hey, this is a basic thing, don't do this, because even if you don't have the intention, something bad might happen.

Host: Yeah, I think both ways are, if not equally effective, effective in their own ways, and it depends on who the client is and how the client actually operates. It also varies from client to client how you communicate these things to them. So moving on to the next question, and it's more about security blind spots. What are some common security blind spots that agencies have when handling multiple client websites? I'm sure you work with agencies that have hundreds of different clients. And how does zero trust help eliminate them? How does a zero trust policy help agency owners who have multiple clients secure them and remove those blind spots?

Aurélio: In the end, it's all about the value you deliver to your clients and the trust you build along the way. There is client acquisition, of course, but there is also client retention, and the zero trust policy is a good way, actually, to keep your clients. Because at one point, if the website is hacked, even though you have nothing to do with it as an agency because the flaw was coming from your client, then somehow you are liable, even if it's not a contractual liability, and the client will be pissed, and at some point he will leave. So having strong security by design, a zero trust policy implemented, and training your clients is the best way, actually, to keep them. And on this, as CPO of WP Umbrella, there is something that always bugs me. We have 2FA on our application, and we have not made it mandatory, but when people log in to WP Umbrella we put up a giant red warning, and I'm sure that if there are WP Umbrella users in the room they have seen this warning. And yet so many people don't activate MFA on their WP Umbrella account, and they are agencies, and they know why security matters, they know better than their clients. This is something we really need to keep training people on, and I should do that with our agencies, and agencies should do that as well with their clients, because security is the core of everything we do. If your website is compromised, like what Tessa said, it's...

Tessa: Yeah, just to add to that too. When I was prepping for this and looking through the questions, I had a couple of different sections where I laughed a little bit, because I spent a great deal of time in agency life building websites, and I remember that we had a shared password across our company: if you couldn't get into something, try the shared password. That was the common password. It's like, oh, I couldn't even imagine; if I were to come into an agency now, I'd be like, oh my gosh, are you crazy, why are you doing this? But then we weren't in these more advanced days of really realizing and understanding. Obviously you evolve, and maybe there are still agencies that are doing that, because you're moving fast, things are shifting fast, and you just need to make sure that everyone has access so they can get work done. I think another thing that is a really good highlight is overly permissive access. So bringing in a contractor and just saying, "Hey, you're a super admin, do what you need to do." Does that person actually need super admin access? Can they work locally with a copy of the database? Do they really need access to the live WordPress instance, or site instance, whatever it is that you're working in? Also thinking about unmonitored third-party plugins: what does that look like, do you have plugins that are unmonitored? One of the clients that I'm working with is actually in the software signature space, and so that's a future advancement that I'm really looking forward to: starting to see in package managers where open-source software actually has this software signing process, so you know exactly where that code came from and who it's associated to. I think that's valuable. Obviously we're not there in the WordPress and the website world, but I am excited for that world where we've got software signing from developers, from people committing code. And I think that thinking about these third-party plugins and whatever code you're bringing into your website or downloading, etc., how can we automate that? How can we automate the update process, how can we build different types of pipelines using CI/CD, just a variety of other things that can come in. And again, unfortunately, Aurélio, I'm not familiar with your product, but it sounds like your product helps with a lot of this stuff too. So those would be the things that I would immediately check, and then obviously real-time detection, just a lot of the things that Umbrella is offering, allowing you to see what's in your space and understand what's going on, and just never assume that someone needs that full access, that write access, that super admin access, whatever that might be.

Aurélio: Yesterday I was attending a talk by Oliver from Patchstack, I think, and he's speaking tomorrow, and he was saying to the crowd: hey guys, do you realize that when you install a plugin you are just adding 20,000 lines of code to the website, and you have no clue about what you are doing? It was very critical to some extent, I mean it was not critical, but you know what I mean. And I think it's what it is with plugins: when you install a plugin you must check who is writing the code, who is behind it, and there is a whole business of hackers buying up non-maintained plugins to exploit them. So yeah, I couldn't agree more.

Host: Yeah, absolutely. So before I move on to the next question, I just want to take a stroll in the comments section; I want to see what people are talking about and what questions they have. We do have a question, from Anto, who asks: what are the biggest challenges businesses face when adopting a zero trust security model? Tessa, would you like to take this one?

Tessa: Yeah, sure, I can start, and Aurélio, you can obviously jump in and add to that. I think the things that I talked about: are there shared credentials, are there weak passwords, is there overly permissive access, are you not monitoring your code, what's coming in there? And I think that when we talk about those biggest challenges, it's really a matter of shifting your mindset. It isn't that, oh, I'm going to retroactively fix things, or I'm going to go back and adjust this; it's like you need to change how you operate fundamentally. There needs to be 2FA, there need to be all of these zero trust things we're talking about. So it is this idea of taking a step back and looking at what you have going on. How many clients do you have from years and years ago? I remember having so many old client sites from that agency, and I could still get in with that master password, yet I saw employees come through that company and leave again. So that means that essentially the owner is trusting those old employees to never come in and sabotage what's happening. And that's just on the admin side; that's not even talking about the user side. How many bad users have been registered, what access did they have, can they get into the admin to give themselves access? So I think really your first step is just to take a step back: what is the process by which you have that security? Think about zero trust, right, never having access and constantly having to reverify access. Can you bring in a single sign-on type of architecture where, if an employee is cut, their access is cut across the board? So anytime that you're actually getting into that admin or that important side of that site, can they even get access? And then code, obviously, that's a whole other way to look at it too: where are you putting those code repositories, are they private, who has access to that, who can write, and some of those things. I've definitely got lots of things to answer to this, but really just take that step back and think about that mindset shift and what things you need to start to adjust and change inside of your agency.

Host: That's awesome. Aurélio, do you want to add anything to this?

Aurélio: I think everything has been said. It's all about mindset, because in the end, enforcing MFA, cleaning up admin rights, cleaning up users, having an internal policy paper, enforcing a password management app: it's not burdensome. In the list of all the time-consuming tasks an agency is performing every day, implementing a zero trust policy is actually very easy, and it just requires a bit of discipline in the early days. And for this you might want to scare people. To circle back to what Tessa was telling before: at WP Umbrella we are a very agile company, we are just six or seven people based on the job offers that are around, but in the onboarding I do as CEO, I spend 20 minutes reviewing our tiny security policy, just so the new employees realize, okay, these people pay attention to security. Because if this is just a one-pager that's left in the back of the room, what's the value? You need to make people realize that security is, and should be, a major concern in your company. And if you think about it as an agency: how do you look if you don't speak about security at all these days? If you come and say, hey, here are our processes, and they must be, because this is how we should be working, there is value, and you can actually build trust with your clients.

Host: Awesome, that's very insightful, Aurélio. Now I want to talk about e-commerce and membership-based sites, right? There are completely different dynamics; they are difficult to manage, they have more security concerns, especially e-commerce sites, because they have people coming in and leaving their credit card information, addresses and other personal information there as well. So I think it's more crucial for e-commerce and membership-based sites to have more solid security. How can they implement zero trust without negatively impacting the user experience? Specifically with e-commerce, it's very important to maintain that good user experience to ensure that sales don't get affected. A lot of e-commerce owners are concerned with making sure that the checkout process is simple, that the add-to-cart process is simple. To add that zero trust policy without negatively impacting the user experience, how can they do that? Tessa, if you can start off with that one.

Tessa: Yeah, for sure. Obviously there's a lot that goes into that. You're capturing and collecting a lot of private information; member-based sites can have communities and different private spaces where folks are actually talking and engaging and sharing information, and e-commerce sites have credit card information and financial information. So it's incredibly important, and I can't reiterate this enough, that those sites are taken very seriously and that you have platforms like Umbrella and others that are coming in and actually helping aid in that process, because they're so important. I think when it comes to user experience, the brunt of the difficulty of zero trust usually should fall on the agency, the builder, the creator and the management side. But when you're looking at that user experience there are a few different things that you can think about. Adaptive authentication: when do they need to actually reauthenticate versus when they don't need to reauthenticate? Session monitoring: are they doing something different or strange or outside of their normal types of behavior? Can that raise a flag, versus saying, "Hey, you've been on here for an hour, we're just going to make you re-log in"? And really diving into what it is that we are monitoring for that does require that prompt for authentication or that security layer. Granular access control also, so thinking about who has access to what, and can you associate that through different user accounts, just ensuring you've got that access there. There are obviously a variety of things that can go into this. In general, with user experience we obviously want it to be frictionless, we want them to be able to smoothly get through what they're getting through, but at the same time, when we can offer things that ensure that the customer also realizes and sees that their information is secure, I think that's really key. So thinking about two-factor authentication, or magic links, passwordless, where you just go into your email, you validate and you go back in. And again, coming back to single sign-on, it isn't always necessarily a use case that everyone can use; it tends to have some pretty sticky, expensive price tags behind it when you want to bring in a lot of these higher single sign-on platforms. But there's a variety of different opportunities there. When you bring in single sign-on for the user experience side, then again you can revoke where you need to and make sure that you're covering what needs to be done there, and those usually bring in a layer of security too: do you have an authenticator app, are you using two-factor authentication? I know that sometimes we can get a little annoyed by those, but how do we bring those together so that it's a great experience, yet they are again being verified when we need to verify? Because we are zero trust, right: we never want to trust, but we want to ensure that we know that everything is still in its right place. I want to share deep examples here, but it is one of those things where you really have to be in the scenario to do it. But I do think I've seen a number of e-commerce sites that use Okta, or that use some of these other authentication platforms, and seen a massive change in what that can actually do for their platform.

Host: Aurélio, would you like to add something to this response?

Aurélio: I mean, that was very comprehensive, and I'm not an expert in WooCommerce or e-commerce websites and conversion, you know. But showing that your website is safe, actually, I think it's a good thing. It depends, of course, on the value of your baskets, but it reflects on your brand as well. Just like SSL certificates: if you have an expired one, it looks bad. And as a user there is something that terrifies me: on 95% of websites, when I pay, my bank asks for confirmation, and on a few websites it's not happening because they are not up to date, and when this takes place I'm so scared to go back to that website again to make a purchase. The zero trust policy shouldn't be seen as burdensome; it's a good way to actually build trust.

Host: Yep, I agree. Awesome. So I would like to dive into the comments again before moving on to the next question. We have a question from Danish, who asks: enforcing multiple security layers strengthens protection, but it can also frustrate users, which is understandable. How can agencies strike the right balance between security and usability for client websites? Aurélio, do you want to take this one?

Aurélio: I mean, it's a matter of balance, of course. Do we lose time every morning when we lock our door? Yes. Do we still do it? Yes. And I think when it comes to digital agencies, they have a key role to play in education, and it goes way beyond security, because it applies also to WordPress maintenance, for instance. Agencies, not all of them of course, should take the time when they build a website to go way beyond just building a website, because they're working for people whose job is not to build websites, and they're working for people who don't necessarily have the knowledge, or the will, to invest time in this digital landscape thing. It's their role as an agency to explain to them, and the earlier in the process the better, regardless of the topic. It can be WordPress maintenance, it can be security, it can be the things that will come with the contract as well: renewing the domain, how it's going to work, etc. The sooner in the process they educate their users, the better, because once again it's about the value you add to the people that are paying for your services, and everybody actually likes to be taught.

Host: Tessa, anything you want to add to this?

Tessa: I don't think so. I think that was a great answer. When it comes to usability, I had spoken to that a little bit ago. So how can you verify, should they still be in the same situation, can we do some type of monitoring for activity, like is there abnormal activity for a user, is it based on a timeline of login? Looking at some of those, so that you aren't bugging people with those constant, really annoying captchas (oh my gosh, the puzzles drive me crazy). Can you instead find ways to authenticate that user and use some different technology to validate on that side?

Host: Perfect. So moving on to the next question, and I would like Aurélio to weigh in on this one. Many agencies manage multiple clients from a single dashboard; obviously your tool is basically used to manage clients for agencies. How can centralized security platforms like WP Umbrella help enforce zero trust across all sites?

Aurélio: It's not what we do, you know. We can warn agencies when they have an outdated plugin, we can allow them to keep all their websites up to date, but once again it means that they are selling care packages to their clients and that they have educated them from the very beginning on the stakes: why do you need to update plugins, what is WordPress security, and why am I, as an agency, a better person to do this than you? And it's well worth the few bucks, or dozens of bucks, or hundreds of bucks you have to spend every month to keep your website fast, updated, up and running and safe. So I think zero trust policy is something so easy to do, and it's very linked to education, to having just a few processes in place. If your agency doesn't have processes when it comes to security, to teaching security to your clients... and when I say processes, it can be a five-item checklist: did I tell my clients to use unique passwords, did I tell my clients to activate MFA, did I install a 2FA admin plugin on the WordPress website? Very basic things; you don't need to overly complexify the situation. And of course with WP Umbrella you can mitigate and improve the safety and security of the websites: with WP Umbrella you can update everything in one click, we prevent websites from going down, you have visibility, etc. But I think in this session it's not necessarily about the right tech tool that can add to your security; it's really about adopting the right mindset and the few items to check when you onboard a client to make sure that the zero trust policy is implemented.

Host: Perfect, really insightful, Aurélio. My next question, Tessa, is for you specifically, because it's a scenario-based question. Let's say an agency suspects a compromised account on a client website. Can you show us what a step-by-step process would look like if they were to respond in a zero trust framework?

Tessa: Yeah. Obviously, immediately lock down that user. Where did that user account come from? Can you identify who that user account was? Can you restrict that access? Can you do a forced logout? That's really super important; I think sometimes people don't think about that. We can be logged in from our phone or from another device, but we need to actually force them to log out of all devices and then revoke that access. Then we want to investigate that breach: what happened? We want to understand what exactly happened, so looking through different log files, both inside of WordPress and log files on your server, just any form of logs or any reporting that you might have, to figure out, hey, what actually happened in this situation. From there we obviously want to mitigate and secure. So once we understand what has happened in the breach, or what may have happened in this compromised scenario, what caused that, and how do we go and actually address that and mitigate that? In most cases... I was laughing, someone, whoever NK Tally is, had replied back to my comment about when I was working in an agency and there was a shared password that was just constantly shared around, sharing how scary that is. So thinking about what are those different things that have happened to make that happen, and how do we mitigate that. Platforms like Umbrella and others, where you can bring a bunch of sites into a single dashboard, are really key for that, to be able to go through and mitigate and re-secure things, because it is really super important. Revoke permissions: does someone have a permission that they shouldn't have? I would hope that folks will leave this panel and leave the security bootcamp being more proactive on these types of things versus reactive, but we're talking about the scenario here. So in the reactive space: do we have to reset other passwords? As we're looking through that log file, is there some type of situation where, if somebody got in and got access to a user account, they can likely get in and get access to super admin accounts or other types of accounts, maybe even the database? If they got in far enough and they can go get the credentials and figure out how to get into that database, then they have all the data, everything they could ever want. So really thinking about that. Enforcing multi-factor authentication, just like Aurélio was saying with Umbrella, and really addressing whatever it is that took place, and then securing that. After that it's deploying this continuous monitoring process. I had shared earlier about automating your plugin updates; I think that's really key, especially in WordPress. Honestly, that is one of the biggest things that you can do to deflect these scenarios: by actually having these updates constantly automated. Outside of that, it's continuous monitoring: can you start to monitor for unusual logins, can you monitor for what you actually saw? But the biggest thing about it is really understanding and knowing where to go to get the information. Do you know where those log files are? Do you know where those bits of detail, those trails, are, so that you can actually figure out what has happened in the site? I know that oftentimes in an agency the person who gets that call is the account manager or the project manager, whoever's on that actual client account, and so they have to be able to say, "Okay, let's have a conversation, let's calm that person down, let's figure out what's going on." So I think it's really important to not only have your technical team understand all of this, but also have the front of the agency understand this: what are the things that they can check for? Make sure that they understand the security measures. In order to really, truly have a zero trust infrastructure inside of your agency, everyone has to be bought in, and everyone has to be on board, and everyone has to realize how serious it is, because it is somewhat annoying to be like, "Okay, let me pick up my phone and get into my authenticator app." But at the end of the day it means that all of your clients are going to have a safer environment, and so it is really incredibly important, specifically on that admin side, for sure. I think that's everything; I had a couple of little things I wrote down. Yeah, IP addresses, looking at that. If you've never actually tracked down a user to their IP address, that's another thing too, because you can very frequently say, "Hey, this user is constantly logging in from this location," versus, "Oh wow, they've actually logged in from a different location." That's obviously concerning. So anyway, I'll digress there.

Host: Perfect, that was very insightful. So my next question is for both of you, actually: some common vulnerabilities that agencies should check for right now on their clients' websites. I'm sure a lot of agency owners are listening to this right now. What are some of the common vulnerabilities that they should check for right now on their clients' websites, and how can they address them immediately? Aurélio, if you can start us off with this one.

Aurélio: I would start not even on the client side but on their own critical stack: just check with pwnedpasswords.com whether they have been compromised, and review internally, like, do I have a proper unique password policy for the tools I use? I think they should start with this. That said, when it comes to clients, the first thing to do, obviously, is to review who has access, and existing access, to the WP admin. Review the users: maybe you have former employees, maybe there are people you don't even know. And like Tessa said, check the logs, where are the visitors coming from? Because if you are operating a website in Portugal and you have a very suspicious connection from another continent or another country, this might give you a clue. And also to review, like
your stack of plug-in you know like very basic things actually that can make everything a bit safer um and and I will tackle this later sorry no worries you can you can continue really um it’s somehow unrelated but also they should review their zero trust policy regarding backups okay how do they make backups where are the backups stored are the backup encrypted uh and by doing so they will first thing first realize that many backups plugging in WordPress leave so much trash on their server which is bad for performance but also that they might have like plugin with vulnerabilities on the backup they can have like so many things that can go wrong actually about your backup policy and when it come to managing your backups you should have the same kind of security policy than when it comes to manage your when it comes to managing your websites and I just wanted I wanted to just something I wanted to add i think backup can be a critical security flow because in the end you have all the data of the website in the backup and this need to be thoroughly fought and please opt for like encrypted backup solution first thing first all right Tessa anything that you would like to add to Orilu’s answer yeah I mean he had a great answer i just have a quick list here so I’ll just kind of run through it so if anyone’s kind of taking notes then they can sort of jot this down unused or outdated plugins and themes right take them out if you’re not using a theme and you shift it over you built a custom theme take out the old themes because something can happen with those old themes especially if they’re not the WordPress core ones if they’re owned by a different developer right let’s say they stop supporting the theme and someone hacks into that actual repository and is able to update a theme and then take out all the sites that have that theme on it so make sure you take out anything that’s outdated um not being used not activated it doesn’t need to be in there if it’s not being turned 
on uh weak admin passwords right so checking for the actual weakness of the admin passwords if you’ve got sites that are really old WordPress didn’t have that requirement um to change those passwords right you could put in one two three four five and be and you’re good to go and so looking at what those passwords are um a lack of multifactor authentication two you know two-factor authentication depending on how you look at it um on those admin accounts get that turned on right away um publicly accessible admin panel so as we know it it’s wp-admin change that redirect that don’t make it the WP-admin URL so that it is harder yet to even find where you go and access that admin panel um on the up on the backups right already mentioned there but I had the same thing like where are those backups going they should be automated and they should be offsite in a very highly secure location that has zero trust integrated into that um we talked about shared passwords so we’re talking about not even just weak passwords shared passwords do not use shared passwords like cannot say that enough um and then just constantly checking that access right like I had a little note on here to mention the contractor thing and I know I already mentioned it earlier but it’s it is so important because it’s so easy for you to bring a developer in um or a designer anyone in right into a project where you’re trying to push forward and give them all the access because you’re in a rush but then making sure that that person doesn’t have access later um so I think those are some of the the very high level key things someone did add Yeah passwords and emails woof that’s a rough one um someone did use like a one password or um gosh I can’t remember the other one lastpass right if you’re going to actually share passwords with clients utilize some of these password management tools so that you can yet again revoke that through that password management tool or reset it through that tool and then your 
company can constantly work within sort of a vault of passwords and revoke access accordingly um so that’s kind of another addition i did add and answer someone in the chat kind of talking about these like outofdate plugins or not not utilizing plugins actually I do agree with you on Last Pass they got they had their own security problems all in theirelves so good call out JW um but long story short so I did share in the chat about how I look at automatic updates and I do think that they are key but when you do update things right there’s a whole another level of security there too we can’t just automatically update plugins in your live production site and so just really thinking about are you utilizing an environment that has sort of this dev environment this testing environment alongside of your live environment you shouldn’t be messing with things inside of your live environment you should be updating in your dev environment publishing to your test environment and allowing that validation process to happen there making sure your site is what it needs to be when you update and then push all of that up right to your actual live or production servers so and there’s a whole bunch that goes into that and that looks at sort of your servers and your hosting companies and things so as you’re looking for different hosting partners definitely look for those partners that have these security processes in place that already have this ability to sort of automate the updates of plugins if it’s not necessarily your technical specialty all right uh moving on to the next question there is something that obviously it’s the talk of the town nowadays which is AI of course and uh since there is uh there are AI powered threats becoming more you know they be they’re becoming more sophisticated I mean they’re becoming more human uh the the because in the previous session we were discussing about bots and how AI bots are you know behaving more like humans so apart from apart from bots I 
mean there are other threats that AI possesses in terms of website security so how do you see the future of zero trust evolving for digital agencies i mean uh or if you can answer this one i mean that’s that’s the easiest one it’s going to be more and more important uh to give you a quick example you can replicate the landing p the front end of the landing page of WP umbrella with like v0ero in like one prompt and then you have a fake landing page and then you start to do some Google ads uh on our domain which is something that happened to us which is why we’ve tried to enforce 2FA MFA p across multiple accounts and then you can steal credential to people and you ends up having like access to many many websites and it happened was it happened to manage WP everybody can make like super credible fake landing page in like one minutes with AI and we have like smart boats and and actually security the more complex uh are the technical challenges of security the more important the zero trust policy become because in the end the flow is always almost always the human one all right Tessa anything to add i wouldn’t say that there’s anything sort of like you know monumentally like insightful to add there um I will say though is like I’ve had a lot of different like AI types of clients recently been diving into sort of the AI and ML space and it is absolutely wild to see what artificial intelligence can do and how it continues to advance every single day um I mean like there’s it can build like act like like infrastructure for us right like complete software solutions in some cases i’m not saying they’re good but they can they can do wild things and so I think this is really just this key time if you are not thinking about zero trust and you are not you know having this zero trust mindset inside of your agency like now is absolutely the time obviously the time was yesterday but we are we are here and we are in the world that we are in today um but just really thinking about 
that because they can get in and they can change and shift and they’re computers right they’re going to be able to operate and do things a lot quicker than we can and identify things a lot faster than we can and so they’ll just have one barrier and then they’ll get past it and have another and they’ll get right past it um and the thing about thinking of that too is that I know oftentimes in agencies they you can start to think like oh well we just have small clients they’re just marketing websites they’re just here for information it doesn’t matter because if that marketing website goes down and that’s a part of their revenue flow or how they operate or how they exist with their customers it it’s still just as um fragile and needs just the same approach as a e-commerce or a membership site or a site that’s for Disney.com right like it’s it all matters um and so bringing in zero trust is like so incredibly important in today’s world with AI for sure perfect that was awesome Tessa oh yeah you were saying something pardon and it’s easy like don’t make yourself something so big out of it because it’s so easy to implement you just need to switch your mindset mhm perfect so uh folks final question from from both of you uh from on this panel so if an agency could take just one step today to move towards zero trust security what should it be up o this is a loaded question because it depends on the scenario at which they’re in right if you’re still using a shared password that’s probably a good start but um I mean I think that there’s a variety of things depending on sort of what level you’re at excuse me i think really it’s that mindset shift how can you as an entire team sit down and have a conversation about what it would take to reach a zero trust state right and so we’ve shared a lot of different things throughout this conversation but I think the biggest thing is actually getting everybody on board because if everyone is not on board I could very well see where 
there’s like a UX designer that’s working with the QA tester that’s like “Oh hey here’s the password.” And it’s like “No no no no no we just don’t even do that even though they are on the same team and they are right next to you what if that QA person gets terminated at the end of the day because of something that happened right there just can’t be this level of sort of sharing and just being kind to your employee to each other right and so it really needs to be we all need to go zero trust and we all need to take these steps to protect ourselves and to protect our clients perfect last thoughts I I agree very much I would just say two thing uh set up a meeting tomorrow yeah to discuss your security policy and show your people that it’s not something nice to have it’s a red line and it shouldn’t be crossed first thing first and then it can be like actually easy to implement like force MFA and force the usage of a password management tab so people will have like unique password because people are lazy and if they can just create like unique password in one click then they will do so you know yeah it’s just like basic things that must be implemented and that must be implemented like thoroughly and strongly like security is not like something nice to have yeah it’s a must it’s a necessity um all right i would just again uh take a take a look at in the comment section i think we do have a couple of questions before I wrap up this this this session i want to take questions from the audience so Joshua Ezekiel has a question what about in browser password managers like are they are they safe like should we use them yeah Patessa anyone can take this one i was going to say I started I actually started typing an answer um password managers are absolutely not zero trust so let me reiterate that i mentioned password managers because somebody was sharing a password in an email and I was like at least utilize a password manager when you’re doing that but when you think about a 
password manager right they have vaults and you can have internal company vaults and you can have employee vaults and all the sort of things and you can have a team set up but at the end of the day unless you are consistently revoking access to things in a zero trust mindset password managers are not considered zero trust um and so I do think that yes they are more secure it is a important tactic on a personal side of your own password right if you have access into something or if you need to share something that is a one kind of password um but it is absolutely not a zero trust technique and so that’s what I really want to reiterate is if you’re going for zero trust a password manager is more of a more of a support right so thinking about more on the single sign on is going to be more along the lines of that zero trust because if you do that right with a single sign on you’re giving say one employee access to a variety of different things maybe social account maybe their website maybe whatever it is that you’re bringing into sort of that single sign on um and that’s a better process but at the same time in agency life we all know that we’re scrappy we’re moving fast we have all these different things and so really what needs to be done is having a conversation around what is the password manager doing for us and is this truly zero trust and the answer is likely it’s not uh but what can we do and how can we alleviate this and shift outside of that world so um kind of a a deeper wider conversation there but that’s my answer perfect orio do you think uh on the same lines 100% perfect uh so there is another question on password sharing as well so Matt has asked about you know one password and last part last pass so like are they pointless like do they use do we use them to some extent or should we just abandon these password sharing tools i wouldn’t say abandon them because I use them on my personal level because I make sure that I am frequently adjusting my passwords 
so the nice thing about a password manager is like on your individual level right when you’re going into a site we want to constantly be creating extremely complicated passwords right something that somebody can’t guess and that’s what those password managers are helpful for and so I think there’s a difference between managing your own passwords and then sharing passwords password managers are amazing for managing your own passwords when they are secure when they are trustworthy when they are used correctly versus utilizing them as a oh hey let me just share the super admin password for the website right not what you want to be utilizing them for i I would water down a bit i mean you need like unique password and from time to time you need to share a password and actually like this kind of a shared vault they are in the philosophy of zero trust policy because you need to have access to the dedicated vault so it must be like compartmentalized if this word exists in English like separated so not everyone should have access to every password and you would need the password to access the password and so in the end it’s way better to have this than nothing and from time to time you know you are paying just one license for a tool and you need to share the password what is important is to make sure that the the people that can access this shared password have the right to access this shared password and so that that they identify before having access to the vault uh that’s what I that’s what I think i think we are saying somehow the same thing uh but just like um at least there is some kind of verification and it’s way better than the pizza I called it like the pizza password posted on your office you know um so yeah all right thank you uh thank you thank you Desa and thank you Aurelio i think uh this panel discussion was extremely insightful and I hope that agency owners who are listening to this would have learned a thing or two about managing and managing their 
security for themselves and and for their and for their clients as well u as for you folks uh I would like to thank every one of you who have been here throughout this day listening to our sessions and commenting and asking questions i would again like to thank Tess and Orurelio for being here today and with that I would also like to give a shout out to WP umbrella who have been our partner and supporters throughout this event and making sure that this event uh you know takes place successfully i think this is pretty much it from from the panel discussion thank you thank you Tessa uh I wish you all the best for your current and future projects and until then we will see you later