The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success


[IDEA] Cyber Security for WordPress


Hitch-hiker

Hi all,

I have a business/side hustle idea about implementing cyber security for WordPress websites and I'd like to hear your opinion about it.

I freelance as a WordPress developer/maintainer for a cyber security company, where I got to know that WordPress by default has a lot of security vulnerabilities, which bad guys use to easily hack WP websites.
The company offers the WP security package for 450 USD, which takes me 1h to accomplish, so I was just thinking... why wouldn't I try to get the clients myself...

I know Python pretty well, so I created a lead generation script which extracts thousands of WordPress websites which have security vulnerabilities, and I could help them to fix that!

And here is the question - how to sell?
Together with domain names I of course have emails (scraped from the websites) - that's why I was thinking about cold emailing.
I could create an email generator in Python which sends personalized emails to prospects about the vulnerabilities they have on their websites - that would already be added value - a free website security audit.

I don't know anything about email marketing, so if I go for it, which option would be better?
A: Sending email with PDF (security audit) as an attachment
B: Sending email with security audit as an HTML
C: Sending email with raw text

How to actually increase chances of success with email marketing?
What websites/clients should I target?
How much should I charge?
Should I use a Gmail account to send the emails?
What are your thoughts?

ChewingCandy

so I created a lead generation script which extracts thousands of WordPress websites which have security vulnerabilities
I would consider it illegal hacking rather than lead generation.

Auditing a website without permission is illegal, so you'd better send an email first to confirm that they want you to audit and fix vulnerabilities on their website before you even scan a single port.

Hitch-hiker

I would consider it illegal hacking rather than lead generation.
Ok, didn't expect that answer, but I'll explain:
1. Hacking - the gaining of unauthorized access to data in a system or computer.
2. Most of the websites on the internet have this page called /robots.txt - even this forum has:
It tells you whether and/or what you can crawl from the given website. My crawler goes only to "/" (homepage) to get the info, so in every case it is not only 100% legal but I also have the website owner's permission to do it - instead of using crawlers you can also search the website by clicking on Inspect in your browser.

Auditing a website without permission is illegal, so you'd better send an email first to confirm that they want you to audit and fix vulnerabilities on their website before you even scan a single port.
I only check WordPress-level vulnerabilities (not server ones), so I use the same technique as above to audit the website.
 

Jobless

How does the Cyber Security company get customers currently?

I'd wait with the mass email marketing until I have some testimonials and know what would be a good offer. Consider how you can establish trust with potential clients. Are they likely to open a random email and trust you to help them with security?

Mammoth

And here is the question - how to sell?
Take that little black rectangle out of your pocket and start dialing.
Get an answer today instead of hoping and praying someone responds to your cold email.
 

ChewingCandy

Ok, didn't expect that answer, but I'll explain:
1. Hacking - the gaining of unauthorized access to data in a system or computer.
2. Most of the websites on the internet have this page called /robots.txt - even this forum has:
It tells you whether and/or what you can crawl from the given website. My crawler goes only to "/" (homepage) to get the info, so in every case it is not only 100% legal but I also have the website owner's permission to do it - instead of using crawlers you can also search the website by clicking on Inspect in your browser.


I only check WordPress-level vulnerabilities (not server ones), so I use the same technique as above to audit the website.
You can parse the URLs listed in the robots.txt file; that is 100% legal.

The information you can guess from the contents of the robots.txt file, though, is whether it is a WordPress site or not.

Not too familiar with WordPress security, but as far as I know, checking "WordPress level" vulnerabilities means knowing the versions of WordPress and the installed plugins, and that might be considered hacking; it all depends on how the company you are auditing looks at it.

And,
not only gaining access is considered hacking; scanning ports and finding out the versions of software installed on the server are also considered hacking.

No intention to offend or scare you, I just want to make sure that you know what you are doing.
 

AlfaStream

I've been intimately involved with the world of Information Security for a while; scanning/port scanning does NOT violate the CFAA. However, acting on any vulnerability IS a very serious violation of the Computer Fraud and Abuse Act.

If scanning were illegal, businesses like Shodan would be in a heap of dog shit. However, "mass mailing", as everyone seems to put it, could be a violation of the CAN-SPAM Act of 2003. Cold emailing large amounts of consumers with commercial spam where they didn't opt in with express permission, or opt in to a service which has transferable rights such as "Allow third parties to email you" (aka lists with transferable rights), could be a violation.

Businesses are particularly sensitive to the thought of someone scanning for vulnerabilities, or any form of interaction with their servers/websites due to the damages that breaches can cause such as class action lawsuits.

However, I hope anyone reading this with an opposing viewpoint considers the following: if someone with malicious intent scans your website and exploits it, would you have rather it been found by someone who wanted to alert you ahead of time? If a malicious actor gets hold of that information, your business reputation could suffer severe damage, as well as the potential of massive legal implications such as lawsuits.

Now back to a business perspective: shopping around for a cheap audit, having a developer on retainer to fix the issues, and keeping data breach liability insurance is a great move. I even think Berkshire Hathaway offers it for relatively cheap per month. It's a great risk management move IMO.

NOTE: The following is not legal advice.

Dr_B

Hey @Hitch-hiker,
Sounds like an interesting idea. Here are my thoughts and feedback:

Only one way to find out..... start by actually contacting some of these companies. Pick some located locally in Poland and give them a call. Try and find the right person to speak to, say responsible for maintaining the company web site. Tell them what you have identified and ask them how you can help them to fix it!

Contact some others by email. If you have 1000’s of sites in your list, you could try a smaller number and see what response you get!

Just start contacting these companies today and try and help them fix their issues. Find out if this is of value to them, and how you can best help them.


I created a lead generation script which extracts thousands of WordPress websites which have security vulnerabilities, and I could help them to fix that!

An email scraped from the site may not be the right person to speak to, and there is a high chance it will just be ignored or deleted. But give it a try. Try and find the right person on LinkedIn and work out their email address, or send them a message. Contact the CEO or managing director directly, saying their version of WordPress is out of date and you have found some serious security vulnerabilities in their web site which need to be fixed; you would like to send them full details, but who is the best person in their organisation to speak to?

I don't know anything about email marketing, so if I go for it, which option would be better?
A: Sending email with PDF (security audit) as an attachment
B: Sending email with security audit as an HTML
C: Sending email with raw text

As you speak to people on the phone, ask them what they would prefer. There is free software that will track email opens, link clicks and even tell you which people have read the report you send them and for how long! You can easily learn the basics of Email Marketing if you need to.

How to actually increase chances of success with email marketing?
What websites/clients should I target?
How much should I charge?
Should I use a Gmail account to send the emails?

Send well written emails to the right people. Track interaction and follow up.
If people do not fix the issues - keep contacting them. If people do fix the issues contact them and ask how they got on.

Target easiest websites first that you think you can help the most. The ones who are most at risk / danger or ones in a market or industry you have some experience with or know more about.

What to charge!? That depends what you do for them – Send them a one-off vulnerability report – FREE (if they agree you can use their email address to contact them in the future). Send them a monthly vulnerability report $2.99 / month. One off fix - $299-899 depending on the number of vulnerabilities they have. Monthly maintenance service updating plugins, WordPress Version and patching all vulnerabilities within 24 hours of identification $29.99-$59.99/month (different levels of Monthly maintenance – Gold, Silver, Bronze for different amounts).

You could do some for very low cost just to get some testimonials.
You could see what others are charging in this type of business, then offer more and better and charge a little more.
You could pick an hourly rate you want to get, say $150 and then see how long each of the things above would take you.
What is the cost to your customers of not fixing this thing, how important is this to them and charge accordingly?
Charge each new customer 10% more until you stop getting any more customers!
You can always change your prices later, they are not fixed in stone. Offer people a one off 80% off special offer if they initially say no!

Your own domain appears much more professional, but I would start with Gmail. Once you have some paying clients, buy a domain, web page etc.

Hope this helps.
 

Oso

The idea itself isn't bad at all, especially as people/companies continue realizing they need to have a strong sense of cyber security. Since WordPress has been slowly dying over the years, I'd encourage you to figure out your process with WordPress, and then consider branching out to the other CMSs available.

If you wish to go a different direction, but still within the realm of cyber security, I'd say get into pen testing. It's rather mind-numbing work, but there's essentially no cap on your ROI. It also helps that there aren't many companies/people doing it, sans individuals that are employed somewhere, so obtaining/maintaining clients wouldn't be overly complicated once you prove you have the knowledge and capability to provide value.
 

Mister

The number of people that use WordPress is in the millions, so there are more than enough people that you could target.

The question is, who really needs that service?
The first group that came to my mind are SEOs that own content sites or run a portfolio.

There are some bigger players on SEO Twitter; there you can potentially tweet at them or send them a direct message.

ChewingCandy

I've been intimately involved with the world of Information Security for a while; scanning/port scanning does NOT violate the CFAA. However, acting on any vulnerability IS a very serious violation of the Computer Fraud and Abuse Act.

If scanning were illegal, businesses like Shodan would be in a heap of dog shit. However, "mass mailing", as everyone seems to put it, could be a violation of the CAN-SPAM Act of 2003. Cold emailing large amounts of consumers with commercial spam where they didn't opt in with express permission, or opt in to a service which has transferable rights such as "Allow third parties to email you" (aka lists with transferable rights), could be a violation.

Businesses are particularly sensitive to the thought of someone scanning for vulnerabilities, or any form of interaction with their servers/websites due to the damages that breaches can cause such as class action lawsuits.

However, I hope anyone reading this with an opposing viewpoint considers the following: if someone with malicious intent scans your website and exploits it, would you have rather it been found by someone who wanted to alert you ahead of time? If a malicious actor gets hold of that information, your business reputation could suffer severe damage, as well as the potential of massive legal implications such as lawsuits.

Now back to a business perspective: shopping around for a cheap audit, having a developer on retainer to fix the issues, and keeping data breach liability insurance is a great move. I even think Berkshire Hathaway offers it for relatively cheap per month. It's a great risk management move IMO.

NOTE: The following is not legal advice.
Thanks for the detailed explanation.

As you said, the point is, what is illegal is the action, not the tool.

And what OP is going to do is not just make a TCP connection to a port to see if the port is open, but to find out if the software running on the port is vulnerable. This action is dangerous.

However, I hope anyone reading this with an opposing viewpoint considers the following: if someone with malicious intent scans your website and exploits it, would you have rather it been found by someone who wanted to alert you ahead of time? If a malicious actor gets hold of that information, your business reputation could suffer severe damage, as well as the potential of massive legal implications such as lawsuits.
From the company's point of view, they can't know if you are malicious or not just by receiving an email telling them that someone on the internet would patch the vulnerabilities on their website, for money. They might also think that you would sell the information to bad guys if they refuse to pay you to fix their bugs. And this is why Bug Bounty programs exist.

AlfaStream

And what OP is going to do is not just make a TCP connection to a port to see if the port is open, but to find out if the software running on the port is vulnerable. This action is dangerous.
Using something like WPScan is hardly illegal. There are browser plugins that analyze what a site is running. This is very misguided. Disregard this advice. It's not what's said, but how it's said.

I recommend you take a course on pentesting before giving advice on something you know nothing about.
 

ChewingCandy

Using something like WPScan is hardly illegal. There are browser plugins that analyze what a site is running. This is very misguided. Disregard this advice. It's not what's said, but how it's said.

I recommend you take a course on pentesting before giving advice on something you know nothing about.

I'm not good at expressing myself in English, so if I misguided anything, I apologize for that.

And you are right, no one would care if I use wpscan to scan a few random sites or crawl the entire Internet with Shodan. But if I look up the software version of a specific site, check if the version is vulnerable, and email the owner to tell them I found some security holes on their site, that is another story. It's basically telling them, "I audited your website without your consent, and I am willing to fix your bugs if you pay me". And if this were okay with every single company, then Bug Bounty platforms and programs shouldn't exist in the first place.

It is not about the nine out of ten companies that think this procedure is okay, it is about the one company that thinks this is not okay.

I admit that I should not be giving advice on something I know nothing about, so I will stop here. What I said is only based on what I know, and don't take anything I said in this thread as legal advice.

Again, apologies for the misguided information.

AlfaStream

I'm not good at expressing myself in English, so if I misguided anything, I apologize for that.

And you are right, no one would care if I use wpscan to scan a few random sites or crawl the entire Internet with Shodan. But if I look up the software version of a specific site, check if the version is vulnerable, and email the owner to tell them I found some security holes on their site, that is another story. It's basically telling them, "I audited your website without your consent, and I am willing to fix your bugs if you pay me". And if this were okay with every single company, then Bug Bounty platforms and programs shouldn't exist in the first place.

It is not about the nine out of ten companies that think this procedure is okay, it is about the one company that thinks this is not okay.

I admit that I should not be giving advice on something I know nothing about, so I will stop here. What I said is only based on what I know, and don't take anything I said in this thread as legal advice.

Again, apologies for the misguided information.
Really don't think much of it; after all, we're all in the same boat. It's just that misinformation could discourage someone from trying; hesitation will only delay action further, and developing a habit of this is counter-productive. If there's something wrong with his business model he should tweak it.
 
