SafetyDetectives spoke with Ian Loew, CEO, CFO, and Head of Business Development for Lform, about cybersecurity challenges facing web developers, must-have security features for e-commerce sites, how AI will affect the future of online marketing, and more.
Can you tell me a little bit about your background and your current role at Lform?
Prior to founding Lform, I began my career by earning my degree from Carnegie Mellon, where I majored in industrial design and minored in English. I began my long journey to becoming a web entrepreneur and inbound marketing expert after graduation in 1999, and then I officially began working in web design in 2000. My first role in the world of web design was working as part of the Toysrus.com in-house web design team, and in 2001, I took the next step in my career by joining the MGT Design team. In this role, I worked with clients in a wide range of industries, including Bed Bath & Beyond, Chubb Insurance, Keyspan Energy, Sony, and Toysrus.com. After four years of helping Fortune 500 companies, I began my freelance career, working at agencies like UP Design and Smith Design before finally establishing Lform in 2006.
Immediately after the company’s launch, Lform began working with clients on a variety of projects, many of which included collateral like business cards, brochures, and websites for small businesses and nonprofits. After creating a solid foundation with many successful projects, in 2013, Lform began specializing in helping B2B manufacturers, including clients like Hockmeyer Equipment Corp., Applechem, and Atlantic Equipment Engineers.
I grew up in Glen Ridge, NJ, with my sister; mother, a special education teacher; and father, who worked in the manufacturing industry. My father’s company, Satesa, was the first website I created before beginning my career in web design and marketing. The website, Satesa.com (still preserved in nearly identical form to how it looked in 2000), highlighted the company’s work in research and development, specializing in electrostatic discharge and cleanroom products.
What are the primary services that Lform offers?
Our primary services are custom web design, custom web development, SEO (off and on-site content generation), and web hosting. We provide UX prototyping, website strategy, UI design, branding, wireframing, and high-fidelity mock-ups in web design. For web development, we provide PHP coding, custom API integrations, eCommerce, and MySQL. For SEO, we provide off-site content (article submissions for backlinks) and on-site content generation (blogs, long-form copywriting for evergreen pages). Our hosting is with Linode, but we manage the server software remotely. Thus we have complete control over our environments.
What are some of the biggest cybersecurity challenges your web development and web hosting teams have faced, and what steps do you take to secure a client’s website or apps?
Due to WordPress’s popularity, unfortunately, it is more prone to hackers finding vulnerabilities, especially with third-party plug-ins. Thus we take a two-pronged approach. We lock down the hosting and vet all third-party plugins.
Servers are firewalled using iptables so that only SSH access (port 22) and web access are available (port 80 for HTTP & 443 for HTTPS).
Remote users can only gain direct access to the server via SSH using an SSH key added to the server. Servers are running Ubuntu Linux and are fully locked down so that only Lform employees with a valid SSH key can access the server. We do not allow outside entities to access a server unless they have a dedicated VPS and the client has been cleared by Lform staff.
By default, WordPress exposes all site files to public access. The default WordPress directory structure is not used, preventing automated WordPress vulnerability scanners from identifying common points of attack on the site. Only files necessary for the website to function properly, such as the WordPress core code, site assets that drive the look & feel, and uploaded media assets, are accessible via URL.
Bad actors who use these vulnerability-detection tools to search for vulnerable plugins, triggering missing-page (404) requests, are auto-banned after 10 missing-page requests. Banned users are then shown a screen indicating they’ve been locked out. They cannot access any part of the site until the ban expires.
The default WordPress admin URL (wp-admin) is blocked from access. Users who try to access the “wp-admin” URL are banned after 5 attempts.
The website administrative panel will lock out an admin account for an hour after five failed login attempts.
Each failed login attempt adds a one-second delay in processing to subsequent attempts up to a 5-second delay. This acts as additional protection against brute-forcing of logins.
The admin passwords are 20 characters in length and are impossible to brute-force with current technology.
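The answer above describes four throttling rules working together: an IP is banned after 10 missing-page (404) requests, an IP is banned after 5 requests to the wp-admin URL, an account is locked for an hour after five failed logins, and each failed login adds a one-second processing delay to later attempts, capped at 5 seconds. The following Python model is an added example written for this page, not Lform's code or a WordPress plugin; it assumes an in-memory store, a ban duration of one hour (the interview says bans expire but gives no length), and constructed IP addresses from documentation ranges. It shows how the counters, bans and lockouts interact, including expiry and counter reset, which is where such policies are usually implemented incorrectly.

```python
import time
from collections import defaultdict

# Policy thresholds as stated in the interview
MAX_404_BEFORE_BAN = 10       # missing-page requests before an IP ban
MAX_WPADMIN_BEFORE_BAN = 5    # wp-admin requests before an IP ban
MAX_FAILED_LOGINS = 5         # failed logins before the account locks
LOCKOUT_SECONDS = 3600        # account lockout: one hour
MAX_DELAY_SECONDS = 5         # progressive delay cap: 5 seconds
BAN_SECONDS = 3600            # assumption: the interview does not give a ban length


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class RequestGuard:
    """In-memory model of per-IP bans and per-account login throttling."""

    def __init__(self, now=time.time):
        self.now = now
        self.missing_page_hits = defaultdict(int)   # ip -> 404 count
        self.wpadmin_hits = defaultdict(int)        # ip -> wp-admin count
        self.banned_until = {}                      # ip -> unix time
        self.failed_logins = defaultdict(int)       # account -> failures
        self.locked_until = {}                      # account -> unix time

    def is_banned(self, ip):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:
            # Ban expired: lift it and start the counters from zero again
            del self.banned_until[ip]
            self.missing_page_hits[ip] = 0
            self.wpadmin_hits[ip] = 0
            return False
        return True

    def _ban(self, ip):
        self.banned_until[ip] = self.now() + BAN_SECONDS

    def handle_request(self, ip, path, exists):
        """Return 'banned', 'blocked', 'not_found' or 'ok' for one request."""
        if self.is_banned(ip):
            return "banned"
        if path.startswith("/wp-admin"):
            # The default admin URL is never served; repeated probes earn a ban
            self.wpadmin_hits[ip] += 1
            if self.wpadmin_hits[ip] >= MAX_WPADMIN_BEFORE_BAN:
                self._ban(ip)
            return "blocked"
        if not exists:
            # Scanner-style probing of non-existent files is counted per IP
            self.missing_page_hits[ip] += 1
            if self.missing_page_hits[ip] >= MAX_404_BEFORE_BAN:
                self._ban(ip)
            return "not_found"
        return "ok"

    def login_delay(self, account):
        """Seconds to wait before processing this attempt: one per prior failure, capped."""
        return min(self.failed_logins[account], MAX_DELAY_SECONDS)

    def attempt_login(self, account, password_ok):
        """Return (outcome, delay_seconds); outcome is 'locked', 'failed' or 'success'."""
        until = self.locked_until.get(account)
        if until is not None:
            if self.now() < until:
                return ("locked", 0)
            # Lockout expired: clear it and the failure counter
            del self.locked_until[account]
            self.failed_logins[account] = 0
        delay = self.login_delay(account)
        if password_ok:
            self.failed_logins[account] = 0
            return ("success", delay)
        self.failed_logins[account] += 1
        if self.failed_logins[account] >= MAX_FAILED_LOGINS:
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            return ("locked", delay)
        return ("failed", delay)
```

Two details worth copying into a real implementation: the ban and lockout are checked before any counter is touched, so a banned client cannot keep inflating counters, and expiry resets the counters, so a client is not re-banned on its first request after the ban lifts. The delay is returned rather than slept on so the caller can enforce it at the web-server layer.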
From a data security perspective, do you have a preferred CMS for your B2B clients?
Ultimately, if we had a choice, we would prefer a Laravel-based CMS like Statamic.
94% of the websites hacked are running WordPress. It is the most targeted and vulnerable CMS on the market. Statamic’s team maintains all of the fundamental features most websites need. Thus you don’t need 50 plugins by 50 authors of questionable quality to build your site.
Statamic is built on Laravel, widely regarded as the most secure and well-maintained PHP framework today. WordPress utilizes an ancient code base.
What are the three must-have security features for an e-commerce site?
- Secure Sockets Layer (SSL) Encryption: SSL encryption is a security protocol that encrypts data transmitted between a customer’s browser and the website’s server. This ensures that hackers or other third parties cannot intercept sensitive information, such as credit card details.
- Payment Card Industry (PCI) Compliance: PCI compliance is a set of security standards established by major credit card companies to ensure that merchants securely handle and store credit card information. Compliance with these standards helps to reduce the risk of data breaches and fraud.
- Two-Factor Authentication (2FA): 2FA is an additional layer of security that requires users to provide two forms of identification to access their accounts. This can include a password and a verification code sent via SMS or email. 2FA can help prevent unauthorized access to customer accounts and protect against fraudulent transactions.
As AI continues to become more mainstream, how do you see it affecting the online marketing industry?
AI is going to revolutionize online marketing. My team is already using it daily.
Copywriting will become more and more effortless. It can create product descriptions, social media posts, and blog posts. Languages can be translated with ease. We already utilize Grammarly to edit and proofread our correspondence and articles.
AI can quickly analyze vast amounts of data, providing insights into customer behavior and trends. Marketers can now find new opportunities and develop more effective marketing strategies.
AI-powered chatbots can improve customer service by responding instantly to customer questions and complaints. This can help businesses save time and money while improving the customer experience.