Again, welcome. If you're just joining us, it's Disaster Week 2024. We have Kathy Zant here; she's going to be talking about the state of WordPress security in our first hour, and then we have an excellent lineup of security experts and a panel coming right up. We're going to be getting things underway here momentarily. The links I posted in the chat just a minute ago are not correct; I'll get that straightened out in just a minute. Oddly, that should have been working, but hey, it's Tuesday. Again, welcome, everybody. It's good to see folks logging in from across the country and around the world. Hi, Kay. Sue is here. Barney, welcome. Thomas Byrne. Paul Class, Doug. Good to see everybody today. We'll have the links up for you in just a moment.
Again, welcome. We'll be getting started officially at about three minutes after the hour, so I'm glad you're here just a bit early. We'd love to hear from you in the chat where you're logging in from, and here are the correct links. There we go. This is of course being recorded; the replay is available at the link that I just posted. You can also download Kathy's slide deck; that link is also there in the chat. Really glad everybody's here today. Welcome, welcome. Dan, good to see you. Rob, great to see everybody logging in today. Hi, Tina from South Africa. Welcome. Welcome, Marie. Welcome from Massachusetts. All right, folks, good to see everybody coming in. Hey Stacey. We're about three and a half minutes away from getting started with Disaster Week 2024. This has been an annual event here with SolidWP, formerly iThemes, for many years. We always enjoy bringing some great experts on this topic to give you the lowdown on what you need to know as you're managing your own WordPress site, or perhaps even managing sites for clients. So welcome, everybody. We have lots to talk about today: a great panel of experts and plenty of time for questions. The world of WordPress security is much more complicated today than it has been in the past, and Kathy is going to unpack a lot of that for us here in just a little bit. Oh Sue, that's great. Welcome, everybody. Just about three minutes away from getting started. Kathy Zant is here, and she's going to be talking about the state of WordPress security to get Disaster Week going. I'm really glad to have everybody here. Welcome to folks across the US and around the world. If you're just logging in to Zoom, open up the chat and say hello. The slide link bundle is in the chat; today's slide deck is there, and also the replay. If you want to go back and rewatch this live stream, you can do that at the link there in the chat. Share that with anyone as well; those links will be available. Hey Michael, good to see you.
Melissa, welcome from France. Great to see everybody. Hi, Frank. Melanie. And I am using the wrong microphone. Wow. All right, that should be considerably better audio than it was before. Thank you so much for that little tip, Melanie, I appreciate that. Yes, yes, yes. All right. Welcome, everybody. We are just about two minutes away from getting started with Disaster Week. The link bundle is there in the chat. You can download today's slide deck that Kathy has on her screen now and follow along if you'd like; I think there are some helpful links in there as well. Also, the replay of today's event will be at the link posted in the chat. You'll be able to share that video out. The chat log and transcript for this event will also be there at that link. Niles, welcome. Hey, Charlie, welcome back. Mateus, welcome. Good to see everybody there in the chat. We're about a minute away now from getting started with Disaster Week. Kathy Zant is going to kick us off talking about the state of WordPress security. Hour two today is going to be a star-studded panel of security experts who will be here to talk about some of the current issues in WordPress security, and of course we'll have plenty of time to answer your questions as well. Welcome, George. Glad you're here. Folks, if you're coming in to Zoom, we invite you to open the chat, say hi, and tell us where you're logging in from. If you'd like to chat with others during the live stream, make sure that you've changed the little blue drop-down above where you type so that you're chatting to everyone, not just hosts and panelists. It defaults to hosts and panelists for some reason, but if you'd like to chat with everyone, just make sure you make that change. Once again, if you're just joining us, the attendee number is ticking up, and the link bundle is there in the chat. You can download today's slides that you're seeing there on the screen, Kathy's State of WordPress Security. Also, the replay link is there for you.
Hey Rob, Vera, welcome. Glad you're all here. Just about ready to get started. Kathy, ready to light this candle?
I am ready to kick this off, the fun. Well, let's get started.
Well, good afternoon, good evening, good morning, wherever you happen to be around the world. Welcome to Disaster Week 2024 here on the Solid Academy. This has been an event that we've done for many years here at Solid, formerly iThemes, as we talk about the state of WordPress security and give you tips from experts as you seek to make your WordPress site safer and protect the sites of the clients that you are helping as well. I'm joined today in our first hour by Kathy Zant. Kathy, it's so great to have you back. Kathy is an internationally recognized expert on security, marketing, and data-driven website development. She's spoken at countless events worldwide and is a frequent guest on all sorts of podcasts about WordPress and other emerging technologies. Kathy, welcome back. How are you?
I'm so happy to be here. It feels like coming home to the gang, and I'm so happy to be here. Thanks for having me back.
Absolutely. So a lot of folks are saying hi to you there in the chat. You've got a lot of fans here in the attendee group today. We're talking about WordPress security and the things that you need to know here in this first hour. Kathy, let's just talk for a minute about how you got interested in WordPress security. When did you start this, and how did it happen?
Yeah, well, I got interested in security back before WordPress. I inherited a server, a web server, from the technical people. I was the marketing person, and that server got hacked, and so I was thrown into the depths of learning about security in the early days of the Internet and learned how to spoof emails and do all sorts of things. So that was way before WordPress, and then when I first started migrating some of the sites I was developing, coding myself, over to WordPress just because it was easier to manage, the WordPress TimThumb vulnerability hit: my husband's site, of all things, got hacked. So that was an adventure. "You got me on this WordPress stuff. You better fix it." "Yeah, okay, hon, I'm on it." So I got involved then, and then hacks happened, I helped friends and everything. And then a company put out a call for people to clean hacked sites, and I was basically helping my husband run his business and I was a little bit bored. So I'm like, clean hacked sites? I've done that before. Let me see if I can do this. So I was just cleaning hacked sites sitting next to my daughter, who was homeschooling, and I got sucked in. And now look at me, I'm giving the state of WordPress security. It almost sounds like I'm a security politician. No politics here though, promise.
Oh, well. We have a lot to talk about, because the state of WordPress security is always evolving. If you follow security news, and we do a monthly news roundup here on Solid Academy, we're always talking about new and trending security issues. We also have a regular webinar at least every quarter with Thomas Raef of We Watch Your Website, and he really scares us to death, quite frankly, with some of the things that are happening on the cutting edge of what hackers are doing. So we have a lot to talk about today. Folks, let me give a couple of bits of housekeeping detail and then I'm going to disappear and let Kathy start speaking. If you're just joining us in Zoom, we're grateful that you're here. Hopefully this will be a good investment of your time today. I'm dropping into the chat once again the link bundle for today, which includes today's slide deck and also the link to the replay. We'll have the video of today's two hours posted by around four o'clock Central time. That will also have our transcript and the chat log. A lot of times during the live stream the chat will have some good information, so we save all that; it'll be available for you on the replay link that is there in the chat now. Also, let me invite you to go ahead and open up the Zoom Q&A. You'll find it as an icon under Kathy's shared screen; if you mouse over the shared screen, you'll see the Q&A icon. That is the place to ask your questions. So if you have a question for Kathy, or anything related to WordPress security, please use the Q&A and not the chat, because the chat may scroll on past and we might miss that question. If you use the Q&A, it'll be there. We also invite you to keep that open, simply because if you see someone else who has asked a question that you also have, you can click the thumbs-up icon, and we'll take the questions in the order of upvotes.
Now, what we're likely going to do today is this: Kathy is going to speak and sort of set the table for us with all the current issues in WordPress security, then we're going to take a break, so there will be no questions immediately after Kathy's talk. We'll take about a 10 minute break and get our panel in place, and we'll take all the questions toward the end of today's panel discussion. So it's very important that you upvote the questions that are asked; it's likely we won't get to all the questions, but we'll take the ones that have the most upvotes. So with that, I'm going to disappear. Kathy, let's talk about the state of WordPress security.
Shouldn't there be like a band playing or something? I guess I'll just imagine that, you know, Pomp and Circumstance playing as we talk about the state of WordPress security. Now, when I first started cleaning hacked WordPress sites, WordPress security was a little different, a little more simple, but some things haven't changed. I want to talk about some things that haven't changed and some things that will continue to be sort of this undercurrent of WordPress security threats. But I also want to talk about what is changing, some of the things that we're seeing, trends that you should be aware of, where we're going. I'll talk about some recent attacks that we've seen that are very interesting for somebody who's into security, maybe a little bit scary if you're not into this. Then I'm going to pull out my crystal ball and make some predictions about some things that I see in the greater security space that will come, potentially. And then I have some thoughts about the WordPress security community, WordPress as a community, as an open source community. I fully believe that WordPress wouldn't be what it is today without you, without the community, without all of us helping each other, and I have some thoughts about how security plays into that. So that's the little teaser. Is there going to be drama? Maybe. Stick around. All right, so what hasn't changed? Hackers want to make money with your site. They want to take your server resources, your sparkly clean domain reputation, and they want to use it for their profits. So they're going to put spam on any site that they can hack. They're going to use phishing, malware, backdoors to get back into the server. They're going to do all sorts of crazy things with your asset.
WordPress is an asset, and if you start thinking about your WordPress site as an asset, the same way you think about your bank account, your cryptocurrency, your home, your car, the shed in your backyard, all of these things that you want protected from malicious attackers and thieves, things will make sense, because that is something that hasn't changed: the profit motive, and that's the reason why they come after WordPress. WordPress is also powering more than 40% of the internet, and they target WordPress because they expect smaller sites like yours, in many cases, and larger sites, but mostly sites like yours, to not have as much security. Now, the New York Times and Rolling Stone, rollingstone.com, use WordPress in order to present their content, but those major sites have security operations teams looking at every log file; they have security professionals looking at every login. But you are busy running your business. In many cases, small businesses just do not have the resources to watch security, so attackers expect less security on your site. If they can hack into 100 WordPress sites, it's the equivalent of getting into one larger site that has a ton of traffic. Plus, it's just your resources that they're after. Now, historically, what hackers have done is exploit weakness. That could be weakness in the people who are running the site, who just don't know any better and are doing things like reusing passwords, or it could be a weakness in software, vulnerabilities. Typically over the past few years, the past decade, we've seen this primarily in software packages, in plugins and themes. There have been a few core vulnerabilities that have been significant, but in recent years we haven't seen that so much. But we're still seeing plugins that have vulnerabilities, we're still seeing some themes that have vulnerabilities, and sometimes those come under attack rather quickly.
So software vulnerabilities and authentication issues are still going to be a problem. This is a problem in the wider space, not just WordPress as a whole, but it is historically how we have seen attacks coming at WordPress. The game of security, and one of the reasons why I love it so much, is that, you know, some of you people do crossword puzzles and other things to keep your mind active; I like to see what hackers are up to. My friend Thomas Raef, who will be on our panel later, likes to share the stuff he finds. He finds the most amazing malware and the most amazing attack vectors and intrusion vectors. I find it fascinating what the mice are up to in order to get the cheese. It's constantly a challenge, because you have security professionals who are trying to protect sites, and then we have security professionals, black hat "professionals", who are trying to get into those things. So it's a constant cat and mouse game: sometimes the mice are getting in and sometimes the cat's got everything locked down. That challenge to me is exciting, and that's never going to change; that's how security works. You have security protections, and hackers have that hacker mindset, that playful "let's break out of these defined boundaries". It makes it interesting. So I find that very interesting, and this is never going to change. We are never going to stop hacker activity; we are just going to be able to slow them down. They are always going to be looking for vulnerabilities that they could possibly exploit, so that cat and mouse game is going to continue forever. But what is changing is that these hackers are getting more clever. The attacks are maturing. They're not just looking for plugin vulnerabilities, because we are seeing many plugin developers really up their security game. A few years ago, we saw a lot of plugin developers that were using is_admin(), a function in WordPress, and they were using it wrong. is_admin() as a function will tell you whether you are on an admin page or not.
Is this person an administrator? And so we saw a bunch of different plugins that were using that function inappropriately and causing vulnerabilities. We're not really seeing that kind of thing anymore. We are still seeing vulnerabilities, but attackers are having to become more sophisticated. The mice want the cheese, and so they have to get around the cat's defenses and they have to try new things, new creative things. We just have to be aware of what's going on. What we're seeing is that some of the general attacks on computing, on computers, are also targeting WordPress. Why? Because WordPress is an asset; your WordPress site is of value. Even if it's just your hobby blog, just the computing power of that website is an asset that hackers are after. So we're seeing some of these general security attacks now aiming at WordPress. Now, Thomas, last year, started sharing with us some of the attacks that he was seeing, and he was seeing that many hacks were coming in and it was almost as if, when you look over the log files, you would see, you know, a user coming in working in wp-admin and then all of a sudden that same user's cookie was being used, but coming from some weird site someplace else, you know, Malta or someplace where that administrative user isn't. These were stolen session cookies. And on January 3 (it's in the links that Nathan shared in the chat) Thomas published his research showing what he found over 2023, and he found that 60% of WordPress hacks were coming from authentication problems, and there's a whole section in there about these stolen cookies. And then if you look at the general security press, Trevor Hilligoss, who was a former FBI digital crime expert, said that last year he had seen more new advances in infostealers than in any year previously.
So Thomas put two and two together, and Trevor is putting two and two together, in terms of these attackers basically assuming the role of an administrator. Now, how exactly does this work? Well, an infostealer is malware that's distributed through phishing emails, malicious links, infected attachments like a PDF with an infostealer embedded in it, compromised websites that you might visit and then end up clicking on a link that downloads something, and malvertising, which is advertising that is actually malicious. So all of these things are not targeting WordPress directly. They're targeting your computer, and if you have access to a WordPress website and you're logged into that WordPress website, then they try to get into that asset. Now, have you noticed that with your bank, let's say you go to pay a bill and then you go make a cup of coffee and you come back and you're logged out automatically? This is what the banking industry is doing. They're closing those session cookies rather quickly, because those session cookies, if they are ever stolen, basically give attackers the ability to impersonate you, and that's what these infostealers are allowing people to do. So how does it work? It basically takes that session cookie from your browser, and then they take those cookies, put them on their device, or more likely just embed them in their scripts as they are attacking many different things, and then they access your wp-admin as if it's you. It bypasses firewalls, it bypasses 2FA; the attacker basically becomes you. They have a script that just gets into wp-admin, so the log files will look like, oh, there's people doing all this editing, and then boom, this weird IP address is now doing malicious things using those session cookies.
So Thomas's research is showing that this is being used to target WordPress, and yeah, it's kind of scary. Obviously infostealers don't exist just for the sole purpose of getting into WordPress, but this broader problem in security is affecting WordPress, and this is one of the trends that we're seeing. The types of infostealers that exist can go after email, FTP credentials, the clipboard (you know, you copy something, copy a password out of your password manager; if you have an infostealer it can get onto your clipboard and take things), key loggers, form grabbers, browser hijackers. So there are a lot of different kinds of infostealers out there that can have an impact on your WordPress site. So what can we do about things like that? Well, obviously it's most important that you protect your devices and protect your computers. Just like with wp-admin, where you log in and update all of your plugins and your theme, you've got to make sure that your operating system and your browser are updated. Chrome: I've seen so many Chrome vulnerabilities. Chrome's the most popular browser, you know, so attackers are going after vulnerabilities in Chrome. So if you see that your Chrome needs an update, make sure you are updating your browsers. Be very judicious about the types of extensions you install into your browser, just the same way you would with plugins that you're installing in WordPress or the apps that you put on your phone, making sure that they are coming from reputable sources. And then, you know, a lot of us who use Macs have lived this sheltered life thinking that we don't need any kind of protection on our Macs. Macs don't get viruses, right? Except that they do. So you need to make sure that you have some kind of malware scanner, any kind of antivirus. Avast is a great one; there are other ones that you can use, Malwarebytes, things like that.
But, Jason, just make sure that you're downloading signatures regularly and scanning your machine regularly. So make sure that you're doing those general protections for your computer and your devices. And, again, think about those assets: your banking accounts, cryptocurrency accounts, crypto wallets, Amazon. You don't think your Amazon account is an asset? Well, it is. I helped someone last year who got their Amazon account hacked, and the attackers used the card that was stored in that Amazon account (it was a debit card, actually), bought gift cards, sent them to themselves, and then archived those orders. Make sure you've got protection for that, because your Amazon account can be hacked and can drain a debit card or bank account. There's a blog post on my site about that. And of course, consider WordPress an asset as well. Make sure that you protect your credentials: strong, unique passwords everywhere. That Amazon hack, we actually traced it back, and it went back to the LastPass breach that happened, and that person had not changed their password out of LastPass. They actually had, I think it was SendGrid, their SendGrid account had 2FA on it, but somebody was trying to log into that as well. So we kind of traced it back to that LastPass breach. So make sure that you protect your credentials, strong unique passwords. If you have passkeys available, like you do in Solid Security, use those. Two factor authentication just needs to be everywhere. According to Verizon, only 28% of people are using 2FA, and at this point we all need to be using it, and there are many places, even your Amazon account, so make sure you have 2FA on that as well. Don't open links in emails. You've probably heard this before. SMS "smishing", they call it; it's like phishing except it's coming over SMS. Don't open attachments if you are unsure what an attachment is all about.
An attachment that comes through that says that you're part of a class action lawsuit and somebody wants to send you money: be suspicious of those types of things. Go through phishing education; test yourself. Do you really have the knowledge and the foresight to defend yourself against phishing attacks? You know, Gmail and a lot of the email services are great at filtering out a lot of these attacks, but really the buck stops with you. These are just tools; they're trying to help you, but every once in a while that mouse gets a piece of cheese.
Okay, so what can we do about WordPress and defending WordPress against infostealers? How long is that WordPress session when you log in? It lasts for 48 hours, but if you clicked "Remember Me", your session cookie is going to last for 14 days. This is why WordPress gets targeted. You know, there are plenty of people who are like, oh, well, if this was really a thing, then your bank accounts would all be drained. But you notice your bank account logs you out pretty quickly these days, right? WordPress does not have that. WordPress will last for 48 hours; that cookie does not log you out automatically, and "Remember Me" will last 14 days, so those session cookies stay in your browser. They will be there in perpetuity until you click log out or until the cookie expires. So if you want to protect yourself and protect your WordPress site from the possibility of an infostealer ending up on your computer (usually it's the kids, they're downloading everything off the internet, let's just blame them), you want to log out. When you log out, you kill the session cookie, so you don't have to go through, I've had people ask me, oh, do I need to go clean all my cookies out of my browser now? Not necessarily. You can if you want to, but that's a lot of work. Just log out. If you click "Log out", that session variable, that session cookie, goes away. Solid Security also has a trusted devices protection, which I haven't even had a chance to play with yet, but this is something, hopefully you can talk about that in the panel a little bit, because trusted devices is addressing this. So one of the reasons why I love Solid Security and the team, especially Timothy, amazing, is because he's on top of all of this; he pays attention to what's going on. Is your plugin vendor or your security vendor paying attention to all of the things that security researchers are finding out? All right, another really, this one was fascinating, I've got to tell you about this. So Sucuri found this malware.
This is malware that actually uses a site visitor's browser to attack other WordPress sites. Crazy, right? I'm like, reading all of this. It's a little bit like a crypto miner, and we saw crypto miners in 2017 when there was this JavaScript thing you could put on your website and have it mine cryptocurrency in people's browsers. Well, attackers loved that, right, because of the profit motive, of course, but that all kind of went away. I think it's going to come back, but we'll talk about that in my predictions. But this is very similar. So you have a hacked site, and a person visits that hacked site, and then maybe their CPU starts going through the roof or something is happening, because their browser is getting instructions from the hacked website to go attack other WordPress websites: brute force attacks. So I find this incredibly fascinating. It's not infecting the browser, but it is using the computing resource of the browser to go off and attack other WordPress sites. So if you are a site owner and these weird attacks are coming from just, like, somebody's home IP address, is that a malicious IP address? No, it's just some guy who doesn't even know that his browser is attacking you. He's visiting some malicious site, and that malicious site is telling his browser to be malicious. So we have plenty of brute force protections out there that say, okay, here are all the malicious IPs that we're seeing malicious traffic from. This kind of throws a wrench in that a little bit, because now we're seeing, you know, Joe down the street attacking WordPress sites. You would not expect that, but it's a brute force attack. So the same principles of brute force attack prevention apply here: strong, unique passwords, two factor authentication. But you can't just say "block all the malicious IPs" and set it and forget it. No, you have to consider that any IP address could be malicious. You just don't know.
One thing that you could do, if you know your IP address wherever you're logging into your wp-admin from, is block all of the IP addresses in the world except your own: whitelist your IP address, so your IP address can always log into wp-admin, but block everybody else, that type of thing. And that can cut down on it, but it's not necessarily going to stop attacks like this. Pretty clever, huh? Another thing: zero day vulnerabilities. Now, the Bricks Builder vulnerability wasn't necessarily a zero day, but I think this was just so interesting. So on February 13, Calvin Alkan, well, he actually found a vulnerability, a pretty severe vulnerability. It was an unauthenticated remote code execution vulnerability, which means anybody could use this attack to basically take over a WordPress site. He worked with Patchstack to communicate with the Bricks Builder team to make sure that this vulnerability was patched. So on February 13 the announcement comes out that there's a patch, and within five hours we started seeing attacks. Five hours! This is kind of new to me; I haven't seen it happen quite this fast. I've seen, you know, zero days happening and then the attacks happening and then a patch coming out; I've seen crazy things, but this was responsible disclosure. This was security vendors working with the Bricks team, and the Bricks team has gone through so much in the past month in terms of hardening that application. They're doing great. But it just happened so fast. The Bricks community was just like, you know, the dog with the hair on it; it was crazy for a while, because it was just such an easily exploitable vulnerability. So we're just going to see these types of attacks happen very, very quickly.
So when that happens, when there's a very sensitive vulnerability, a very critical vulnerability, we'll see stuff like this happen, but I was kind of shocked at how fast that all happened. Um, this is something else: malvertising. I just saw this yesterday on Twitter. One of the guys who runs WP Umbrella, which is a management tool for managing a lot of different websites, shared a screenshot on Twitter, and you can see in it that wp-umbrella dot info is actually a malicious domain, and it is a sponsored result; their real domain is down below that. That malicious domain is malvertising, so if people searched for WP Umbrella, they could click on that and maybe give up their username and password. So he was very concerned about that. Lots of people were reporting it to Google and everything, but just a reminder: don't go searching for sites and trust the search results all the time. They can be malicious at times. So make sure you bookmark things that are important to you, and always use two factor authentication, in case you accidentally give up your password to someone. So, predictions of what's next; there's the crystal ball. I think we're still going to see vulnerabilities found by researchers and attackers. Sometimes there are going to be zero day vulnerabilities that the attackers find first, and there are going to be zero day attacks that the attackers are doing, and everyone's going to have to defend against those types of things. But the thing that I'm really excited about seeing is that there are more and more security companies that are managing vulnerabilities for plugins (Patchstack is doing this) that are also working with security researchers, and it's much more organized now than it was five or six years ago, so that's very encouraging. Bitcoin: Uncle Bitcoin is doing better; he's recovered from his illness, and Uncle Bitcoin is, you know, increasing in value.
As we see that happening, we're probably going to see some kind of crypto mining attacks happening. I'm not quite sure what yet, but that's one of my predictions. We're going to see more attempts to exploit the weakest link in all security: humans. That's going to be in the form of social engineering attacks. People are going to get tricked out of their passwords, either through phishing, through phone calls, through emails, all sorts of things. We're going to see malvertising like we saw just yesterday with WP Umbrella. We're going to see SIM swapping attacks, and SIM swapping attacks
have been typically, I, you know, when I first learned that this was even a thing many years ago, it was in the crypto space and I read an article and it's in the links. I recommend everyone go read it. It's on Medium. You might need an account to like log in and read it, but it goes through how the SIM swap attack happened to this guy. At night his phone's just not connecting to the tower and he's like, yeah, I'll fix it in the morning. By the morning he had lost $100,000. Basically, an attacker takes over your SIM card, takes over your phone number. They can do all sorts of things like resetting passwords on your email account, resetting passwords on your bank accounts, all of those types of things, because they've got your phone number. And so those codes, those SMS codes, are coming to that number on the new phone rather than your phone. So I don't know, I haven't heard of any stories of WordPress sites being affected by a SIM swap attack. But my prediction is I think it's going to happen one of these days. Anyway, we'll see. Maybe next year I'll come back and we'll see what actually has happened or not. There's a recent story of a person who was on the inside at a cell provider and was working with criminals to SIM swap people, which is just lovely. Anyway, do not use SMS-based two-factor authentication as your backup, because when you are using Google Authenticator and you're using the time-based codes, those are something that they can't take if they've got your cell phone number. They can't get that code for your authenticator accounts and whatnot. There is a recent article about acoustic attacks that was in BleepingComputer just recently. I found this interesting. Just by listening to whatever you're typing in on your keyboard, they can guess what you're typing, like passwords. That could be interesting. That could happen. I think it's gonna happen somewhere. It might not happen to WordPress first, but it's just research right now.
Security researchers are always looking for these types of things in order to protect against attackers finding things first. But that could happen. And then I've seen some research, it's just very high level research right now, about AI and large language models basically forming some attacks, so I can't wait to see what happens. It's exciting. And WordPress is an asset. So eventually it's gonna happen. So here's the stuff about SIM swapping attacks. It's not targeting WordPress now, but basically how it works: they're not using it to like get your two-factor codes. They're doing it to like reset passwords on your email account, and take over those types of accounts and drain whatever asset that they're after. Let's talk about what I see as the need for what we need for WordPress security. We have a bunch of companies that are selling security products, security services, cleaning up hacked sites. There's plugins, there's firewalls, there's all sorts of services that are here to help you secure your WordPress site. They all have their profit motives, but we are also in an open source community, and collaboration and communication are key. Now when a researcher like Calvin finds a vulnerability, communication between that security researcher and the plugin vendor needs to happen, and security vendors like Patchstack were instrumental in ensuring that Calvin Brooks and the communication flow between researcher and developer happened. But we need greater community collaboration and communication throughout the entire community. We need communication between developers and users, better communication about what vulnerabilities are happening and why. We need better communication between security vendors: if Patchstack knows that this vulnerability is happening, let's communicate with the other security vendors so that they can protect their customers as well. Those types of things. Security and software is all about trust.
And I think that if our security community can work together better, kind of like how Solid and Patchstack, having an integration, have communication, they work together as well. I would like to see more of that. There have been some security debates. And you know, obviously conflict can be good. We learn from each other with differing viewpoints. But I would like the safety of the community to be put forefront, the safety of the users. Remember why we're here; that's who we're here to serve. I would also like all of us to have a better security mindset. We can't just install a plugin and set it and forget it. We need to understand how that plugin works. We need to understand what it's trying to do. We need to understand how to use that tool. You can't build a house just by buying a hammer; you have to understand how that hammer works. So I think we need better education and better knowledge, and this is not just for WordPress, this is across the board. I was helping my daughter, she rides horses, and I was helping the barn people with their website on Squarespace. And just the password hygiene, I might have a little PTSD from that. This is a worldwide problem. The cat and mouse game is not just after WordPress, it's after anything that can be profitable. So heightening security education, I think it can happen in WordPress, and then everyone who learns in WordPress and the people that you build sites for, helping them uplevel their knowledge and being able to recognize a phishing attack, recognize social engineering, recognize malware when they come across those types of things. They can teach their family and so on and so on. So I think we, as we take responsibility for our own security and upleveling everyone around us, so I feel like that's my mission. That's what I'm here to do. So I would like everybody to become just more vigilant.
Some more advice: just locking down your device with your provider to protect against SIM swap attacks. Although that one guy, that was an inside job kind of person. But if you can't lock it down, don't use your public, you know, you give out your email address, right? You go to the store, "would you like your receipt emailed to you?" Sure, of course, and you give out the email address. Don't use that for your WordPress. Don't use that for your bank. Have a separate private email that you use for things that are sensitive. Reduce your online footprint. I know we all like to celebrate our birthdays on Facebook and whatnot. I do too. But reducing the amount of information that you share can also thwart attackers, because when they're doing social engineering they gather information, and then they use that against you. One thing that I've seen recently is like a lot of people who do online presentations and have like their voice out there. They can do AI voice mimicking and there's these calls, they call Mom up and say, hey, I'm in Nigeria and I need $1,000 to get home, please help me, but it's your voice, right? So those types of tricks get played. So reducing your online footprint, having a safe word with Mom so that you know, "Mom, call me back and make sure that it's me," you know, if we say the word, you know, "strawberry," then it's really me asking for help. And then for critical accounts, you know, I highly recommend using password managers. But we did have that LastPass breach that happened. Use an offline password manager for your critical accounts. You know, security is a continuum. The most secure computer is buried in the ground, encased in cement, and no one can access it, and the most open thing is anybody can get to it. So where is your bank account? You know, it's more buried in the ground, right, and maybe a test site, password123, who cares? So you have to make a judgment of security for each individual asset that you are trying to secure, and then auditing your site.
Lots of people don't do this very regularly unless they're afraid of something, but I would audit, you know, every quarter, just go take a look. I can't tell you, I went to one of my test sites and there was wp-config.php-old, which basically turned that into a text file. Not exactly a good security practice, because you're taking that PHP file away from the parsing of PHP and turning it into a text file. So I didn't know that was there. My hosting provider on that particular account had done that. Lovely. Audit your sites. Just go poke around, go look at the files, go look around. Are all of the users who have admin access, should they all be there? If you need a checklist of auditing things, I can get you a checklist. I do have one of all of the things I look at when I'm auditing a site. Just maybe I can give this to Nathan. I'll find it and we'll have it in the second half. I didn't think to bring it.
Know your developers. With that Bricks vulnerability, if you were on the Bricks list, you would have gotten notified within those first five hours; you would have been able to take action quickly. Get, you know, develop relationships with the people who are developing the software that you are committed to using, and use the plugins like the Solid Security plugin to help you make good decisions through application security. So one of the more forward thinking, Timothy is just so brilliant and he watches all of this stuff and acts very quickly when he sees that there's something that he can do to help you protect yourself. Software is all about trust. So make sure you know who is helping you secure your things, and remember who you're up against. They're after the cheese; you've got to be the cat. You have to protect your cheese. Because, you know, you know how these guys are, they're just going to try anything and everything at all. So anyway, there's my little about thing. You guys know me, we've hung out before, but yeah, I've been doing this for a while. When I see stuff, I like to put it up on YouTube. Go subscribe to me on YouTube. You can also get on my newsletter, because if I see something that really needs action, I will send it to the newsletter. I will put it on YouTube. I am here for education first, and I'm so happy that I get to share all this with you.
Thank you, Kathy. This has been excellent, a really good overview of the landscape of all the things that are happening in WordPress security right now, and there's a lot we have to be aware of. So excellent material here. I'm going to drop in once again, if you came in late and you missed the link bundle, it is now back in the chat. That has today's slide deck as well as the replay link that you can go back and rewatch or share this live stream with someone else. I also dropped the link in just before. Kathy, you've agreed to come back and do several live streams on security with us over the next few months. So we're super excited about that. And that link to those upcoming live streams is there in the chat. I'm noticing that there's a problem with the last one for July. We'll get that wrapped up and fixed here in the next couple of hours. But there are several that are out there and waiting, if you'd like to go sign up. They're all free. And join Kathy for more security conversations. Kathy, we've got just a few minutes here before we're going to take a break prior to the panel, and there's a couple of questions that came in throughout your talk that I think it'll be a good time to pose to you, if you're open to that. Yeah, of course. So Savannah has just a great comment here. And it's something I've heard also from other people that are just even considering WordPress as a platform at all. Savannah says it really put me off having a WordPress site because I'm supposed to be attending to business and not spending all my time on security, which I can't keep up with. How do you respond to that?
Well, yeah, sure, you can have a straight HTML website. But if your FTP application is using a reused password, if your hosting account panel is using a reused password, there are so many other ways beyond just, you know, vulnerabilities in plugins and all of this other stuff. The great thing is, you know, there's so many vendors, and there's so many tools out there for you to pay attention to this stuff. And honestly, by doing that, I mean as a small business owner, you're running your business, you don't have a lot of time to pay attention to stuff, but you have to be aware of it. I know of one business that, you know, they did the whole "Hey, I'm the CEO" email. It was a phishing email. Hey, I'm the CEO, you need to send money to this company, pay this invoice right now. And the person fell for it, and $42,000 later. Those types of things: you can get rid of WordPress, but those types of things are still a threat to your business. So by being in the WordPress space, by being in this community that is so security focused and is security aware, and being connected with events like this and educators like me, we are here to help you uplevel everything. So I don't think that, you know, saying goodbye to WordPress is necessarily going to help you. It might make you less aware of other things that are a threat.
Yeah, 100%. The security landscape is so broad now and hackers are so clever with their social engineering attempts and very, very smart ways to separate people from their money. Now when it comes to WordPress, the issue of WordPress security is one of the criticisms that many people have about WordPress. And honestly, that's why Solid Security Pro exists, our security plugin, which we believe is a very intelligent approach to WordPress security, and by giving it a little time and setting that up on your website, it does the hard work of keeping WordPress secure, does a big chunk of that WordPress security. We're going to be talking, especially tomorrow, Timothy Jacobs, the lead developer of SolidWP, is going to be with us talking through the settings in our security plugin that help you reduce your security risk to almost zero. And so Timothy will be in the panel in the next hour, but also with us tomorrow for a full hour talking about those very important settings that can let you take your mind off of security and focus more on your business, like you're talking about, Samantha. It really is a, you're not the only one who has that challenge. Here's another quick question from Chris. Chris is just wondering, when are we going to maybe see a better approach to security from core WordPress? Is there something that core should be doing, in your opinion, that maybe they're not focused on?
I would like two-factor to be a part of core. I think at this juncture, it just makes sense. It just makes sense at this point. So I would like that to be a part of core. But you know, with most development the innovations happen with a plugin, like Timothy. I think of all, I mean, I watch the security landscape, especially with WordPress, quite a bit, and Timothy is always like, he pays attention to what's going on. Passkeys. He was like the first one to bring passkeys to WordPress. So the innovation is going to happen with people like Timothy, with developers like Solid's team. So then core, when there's a vulnerability, core has been very, very responsive. The File Manager vulnerability in 2019 was just so long ago, seems like yesterday, but that was like very easy to exploit. You didn't even have to have File Manager activated. You could just have it installed on your site, not active, and it could still be exploited. And I think that was one where core was like, you know what, let's just push out the patch. And so core has been very, very acutely aware of security concerns as they arise, and I think they respond very quickly. I'm always more curious. There's one thing I think that personally I don't think it's a big deal, but I would like to know more when a patch to a security vulnerability is applied, I would like them to explain more of what's going on. So security researchers, like those few of them that will go through and like, okay, this is what could have happened with that. I want to understand what is happening. I like the education after the patch type of thing. But they kind of keep that close to the vest to keep, you know, people from poking around too much. But that's just me. Yeah,
it's a great answer. And you know, this whole subject is one that comes up in lots of different areas, like what should be core and what should be a plugin. It's a hard debate among the core developers on what ought to be core and what ought to be an extension and a plugin. I think we're going to continue to see that debate raging on. Well, Kathy, this has been great. There's a lot of thank yous there in the chat for a really good overview presentation of the current landscape of WordPress security and gazing into your crystal ball, Kathy's crystal ball. So that's gonna wrap it up for this hour, folks. We're going to press pause on the recording and pause our cameras and mics. We'll be back at two o'clock Central, that's about eight and a half minutes from now, with hour two, which is our panel of security experts. And I hope you'll join us for that. In the meantime, if you'd like to open up the Q&A in Zoom, look at the questions that have been asked by others and upvote the ones that you would also like to hear answered. We'll be taking your questions toward the end of our security panel and we want to get those in the order of votes. So thanks for hanging out with us the last hour. We'll see you back here in just about eight minutes from now.
All right, folks, this is your One Minute Warning. We are back in one minute from now.
Welcome back, everybody, we're back for hour two of Disaster Week for 2024. We have our panel of security experts who will be shortly turning on their mics and cameras and popping in here. Good to see everybody back with us. Hopefully during the break you've had a chance to open up the Zoom Q&A and either ask your questions or also upvote the questions of others. We're waiting on our other panelists to jump in here. Hopefully you can all join us. Timothy is here, Kathy is here. And Thomas, we don't have your camera. Hey, there he is. All right. Well, thanks. Yeah, thanks for being with us, everybody. We've got a lot of great questions that are stacked up from our viewers today, as well as a number that I've put together for each of you based on your background. So folks, welcome our security experts today. Let me just go around and introduce everybody. First of all, we have Thomas Raef. Thomas is the founder of We Watch Your Website. Thomas and his team have been removing malware from millions of WordPress sites since 2007. Currently, they monitor over 13 million WordPress sites. Thomas loves data and is on the cutting edge of the latest that all the malware folks are involved in. Kathy Zant, of course, we enjoyed Kathy's presentation on the state of WordPress security in the last hour. Excellent stuff. She is an internationally recognized expert on security, marketing and website development. She's spoken at events everywhere, all over podcasts. You can find her everywhere. Kathy, thanks for coming back for the panel. Timothy Jacobs is with us. He is the lead developer for SolidWP. He is a WordPress Core committer and a component maintainer for the WordPress REST API. And last but certainly not least, David Johnson, the product owner for SolidWP. David has been involved in the WordPress community since 2007. He comes from an agency background where he managed hundreds of WordPress websites. So again, thanks everybody for being with us today.
Thank you for the opportunity. Absolutely.
Well, Thomas, let's start with you. So we've had you on a number of different live streams over the last several months, and we have scheduled now at least a quarterly WordPress security roundup with you going forward into 2024, which is excellent. We always benefit from your cutting edge knowledge of the latest things that the bad guys are doing. I've heard you talk about this concept of defense in depth, or layers of security. Can you talk about kind of what that means, why it's important, you know, what practically is involved in that? Particularly, what should I as a WordPress agency owner be aware of when it comes to layers of security and defense in depth?
Okay, yes. Defense in depth goes back pretty far in the whole cybersecurity world, not just websites. But basically what you have to do is you have to look at the various attack vectors that hackers use to get into your website. So it could be, we talked about stolen passwords, stolen session cookies, vulnerable plugins and themes, things like that. Each of those is like a different layer of security, and you can't just rely on, you know, like, for instance, for plugins, themes and core, you know, a great layer of defense is Patchstack. You know, they do an awesome job. They focus on their niche, you know, which is protecting those, providing updates, letting you know when you're vulnerable in any one of those three areas. You know, malware removal is one part of defense, although that's a reactive, you know, layer of defense. Blocking, you know, attack vectors. I look at outdated user agents, blocking various ranges of IP addresses. And these aren't meant to be like, you know, the end all be all to your security. It's just another layer in the defense in depth strategy. And, you know, one of my friends, Calvin Alkan, has used the, he's the first one I heard it from, because it's like Swiss cheese. You know, Swiss cheese has holes in it. And it all depends on how you stack those slices of cheese; that will determine if a hole goes all the way through or not. So each layer of defense is like another slice of cheese, and you stack them all together. If the holes don't line up, you're secure. So you need your protection. And then you also need, you know, early notification. So if something does happen, action can be taken. Yeah,
very good. So David, Timothy, either one of you can chime in here, but in this concept of defense in depth, or layers of protection, or really like the holes in the Swiss cheese, quite frankly, I can grab that. Where does Solid Security fit into that strategy?
Yeah, so I think Solid Security helps with two big ones, which is user accounts, right. You've got to do the bare minimum, right? If your clients are still using a terrible, terrible password, it's not going to protect you for very long. And I'm really proud of our integration with Patchstack. So Patchstack does an excellent job of, I think they had 5,000 vulnerabilities reported through them last year. They've created thousands and thousands of virtual patches. And I think our integration with Patchstack works really excellently to bring that feed of data into your site, so you don't have to worry about, okay, let's keep track of all the vulnerabilities ourselves, let's make sure we're on top of every single update, and letting those two pieces come into play. And then services like Thomas said do an excellent job at being reactive and cleaning up when there's an issue and making sure that happens automatically for you, and they all kind of piece together.
Yeah, very good. Very good. Kathy, so you've done lots of different things in the WordPress space. You've worked on WordPress security from the plugin product side. You've also worked on the agency side. So in your position, you have an understanding of things that a lot of people don't have. So you can relate to a lot of the folks, I would imagine, who are in the audience today. They either have their own WordPress site, or they work for an agency managing multiple sites, or they're an agency owner. That's busy work, right? We stay busy. How in the world can you stay educated about all these things that you're talking about while you're busy serving clients? How do you stay on track with all these things?
Well, you know, with open source, you own your site, you own everything you're working with, and with that power and that freedom and that flexibility comes a bit of responsibility. It's kind of like you own a car. I know I don't necessarily want to, my husband used to do that for me, take care of the tire pressure, and there's just so much to deal with. If I want to have a car, I've got some responsibilities to take care of it. Unfortunately, same thing with a website. But same thing with your business. You've got like lots of different things, right? But I think that being up to date with everything is good practice, because it makes you more security aware for other things that could come into your life, and attacks that might not even be related to your WordPress site, something that comes through an SMS message, something that's coming through, you just have this heightened security awareness. So unlike, you know, taking care of my car, there's no benefit to me whatsoever with dealing with that other than, you know, not being abandoned on the side of the road. Taking care of my site educates me about so much else that's happening in the world and makes me a better digital citizen. It makes me more able to like tell my daughter, go, there's an update for your phone, you need to go update it now, and busy and Tic Tac Toe, update your phone. You know, I mean, being security aware has a number of different benefits to it. So I think it's just one of the responsibilities. You're either going to get hacked and figure out how much of a benefit it is to be security aware, or you're going to be proactive. And you know, actually AT&T did a study and they found that businesses that are more security aware have better business outcomes. They often have better sales numbers than those who aren't. Of course, they're selling network security to enterprise, right.
But I mean, people who are more proactive about things in their life tend to be more proactive, like people who work out, they tend to have, you know, better food choices, those types of things. They kind of just go together. So being proactive in your business for security can also be helping you be proactive in your business with other things.
Yeah, very good. Anybody else want to speak to that topic? Or David, maybe, what are some things that SolidWP helps bring to keep agency owners and site owners educated on the most important issues in security?
Well, I'll say one thing that Kathy mentioned in her first session is a true advantage of working with Solid Security, and it's Timothy. So we're just going to have a Timothy session today, I don't know. But Timothy, by virtue of introducing passkeys when he did into the product, and this was long before I joined the team, became the first WordPress security solution to offer passkeys, and I'm confident that that introduced the idea of passkeys to a lot of people who maybe had not yet heard of it. And it remains arguably the most secure login authentication method available. And that's just one example. And so as we continue to think about ways for Solid Security to improve over time and to adapt to the changing landscape, you're going to continue to see us introduce new features and new solutions for the security issues that you're facing. And that's one way that using Solid Security can help you become a better digital citizen all the way around.
Yeah, there's this content, the SolidWP Academy, and going into Nathan's webinars every month, and our roundups with Thomas. This content is like an excellent place to keep up to date and share with others. If this is your first time joining us, we do lots of these types of things.
Absolutely. So all of our content here on Solid Academy is geared specifically for people who are building and managing WordPress sites for clients. So if that's you, you can stay up to date with WordPress security news with our monthly news roundup, where there's a section on security news, and we basically look at what's out there, the most important things that I as an agency owner think you as an agency owner will benefit from. Also we do a weekly email that talks about vulnerabilities and the top issues in WordPress security as well. So make sure you're signed up for those Solid updates. Thomas, I think I interrupted you earlier. Was this something you wanted to add here?
No. I was just gonna say that, yeah, the work that SolidWP has done, thanks to Timothy, with the passkeys. And also, like you said, I'm still a fan of the trusted devices. It's just amazing, and it's a great layer, or several layers, you know, in the defense in depth strategy.
It's another Swiss cheese. That's just gonna have to do. This is, you know, I update my cheese board.
Now I'm getting hungry. Crackers and cheese. So, Timothy, let's move over to you. So we just talked about passkeys and how Solid Security was the first WordPress plugin to bring passkeys as an authentication method to WordPress. It has to be incredibly complicated to develop a security plugin that is both usable for people, like actual people, and stable, and staying up to date with all the things that are happening in security. How in the world do you do that?
Yeah, it's absolutely the hardest part. And I'd say there's kind of like two aspects to it, one of which we're gonna touch on a little bit later. But the other is we do things that I think a lot of WordPress plugin developers do who are really on top of their game: we write lots and lots of tests. We have automated checks that happen for basically all the security features in the plugin. We don't want to be thinking every single time there's a WordPress release or a plugin update or something, okay, we have to check all 500 features in Security by hand, and worry every day that something might break. So part of that is just like following good development practices. I see there's a question in the chat about like the uptick in security vulnerabilities over the past year and whether that's in some way part of, you know, WordPress developers not following all of those things. So that's part of it. The other side is that we don't jump on everything. We jump on the things that we do think are going to have a big impact. And we try and really think through what the user experience is for those features. The passkeys integration, I think, is a great example, where we saw that this was the feature that a lot of the big tech players, Apple, Google, Microsoft, were all uniting on and are really pushing as the next big thing. And we've seen over the past year and a half or so, as more and more websites adopt this, we were seeing pretty early on, then, okay, this is a place that we want to be, this is a feature that is worth us developing, as opposed to a feature that, you know, might stick around for a little bit, you know, 5% of your users might use, and it's a little bit harder to justify. So we try to be really careful about what features we do adopt and making sure we're only adopting the amount of like settings that we need. We could easily add dozens and dozens and dozens more checkboxes in Security that let you do everything.
But all of those mean more code for us to maintain. It's more complicated for y'all to understand how to use it. So I'd say that is like a big part of the balance. The other side of this is partnerships, which we're going to talk about a little bit later.
Yeah, absolutely. And so, Timothy, tomorrow your session, which begins at one o'clock Central, is going to be focused on looking at some of those settings in Solid Security and how people can reduce their security risk to almost zero. Talk just a little bit about what you're going to cover tomorrow as we get into the details of the plugin. Yeah,
we're gonna be doing a tour of some of my favorite features in solid security. We're gonna be learning about vulnerability management, virtual patches with patch stack, two factor still a good thing to be using and enforcing for your sites, and also look at past keys. So we're gonna be taking a kind of high level overview of a lot of different features. And these are also all things that we have a lot of good content in the bank for. So if you want to see a whole hour about trusted devices, we got that like two weeks ago. We did a whole hour about passkey as a couple of times, so there's lots of back catalogue stuff but this one is going to be a kind of an overview of some of my favorite features in solid security.
Yeah, very good. So that's coming up the first hour tomorrow, one o'clock Central time. And David, let me bring you in on something as well. You've got a really cool title, which is product owner at SolidWP, right. So your role is kind of to translate users to developers, right? Like, how do we create product? How do we interface with the actual users of our product and our development team? So talk just a little bit about how people, even folks in the audience today, can contribute to the ongoing development of Solid Security?
Absolutely. I mean, there are two key ways I'll mention, the most important of which is just to reach out. We want feedback. And of course, we get feedback in the form of support tickets, you know, when there's something broken or there's an issue, so we hear about those, but we also want to hear from you with feature ideas. Now, we've already surfaced one during Kathy's session, you know, like, hey, here's an idea for Solid Security. And so those are the kinds of things we want to hear from you. It's important for us to know that we're building what you use, what you want to use, what meets your needs, and so we want to hear all the things. But the second way that I'll mention, aside from just reaching out, and you can do that, I should mention, lots of ways, and we'll share my email address. You can just hit me up that way as well. It's david@solidwp.com. So just write me. If you have a support issue, talk to support, they can help you much faster than I will, but if you have a feature request or feedback or whatever, I want to hear from you directly. That's one way to do that. But the other way that I mentioned is that we rolled out something that we call opt-in data sharing, and it's about your usage data. This released in Solid Security in January. It's also in Solid Backups. And if you enable that, it allows us to understand a little bit more about your site. We don't collect any personally identifiable information. What we do is gather lots of details about your hosting environment and so forth. And we do take a look at some of the features you've got enabled and that sort of stuff, but again, we don't see any sensitive information. What that does is allow us to understand what features are being adopted, what features may not be as well adopted. And it also gives us a measuring stick to know, like, if we release a feature that drastically improves site security and no one turns it on, then we've got work to do.
And so there are lots of ways that that helps us. And so I would encourage you, if you've not yet enabled usage data sharing, it is an opt-in, and so it's purely your choice, but we would invite you to do that because it does allow us to learn a lot.
It's a way to vote without having to actually contact you. It's like automatic. Yes, yes. Excellent. So David, following up with you, let me just ask you this: your background prior to coming to Solid and doing some other things, you were with a large agency. You were managing hundreds of WordPress sites. What did you learn in that experience that could be helpful to smaller agencies or solopreneurs as you're thinking about maybe scaling up or doing what they're doing better?
Sure. So I went on the journey from being the owner of what was effectively an agency with five people to being inside the web team, and later near the top of the web team, for a 250-person agency. And so that scale was kind of staggering. And one of the things that I quickly learned was that, especially where security is concerned, since we're focusing on security for today, I will say that some of the basics still applied. You know, you have to clarify in your agreements who's responsible when something goes wrong with a site. You know, do your clients know that security is partly their responsibility? And, you know, one of the issues that we would run into when I was completely in charge and it was my business: if I hadn't properly educated clients on the need to patch plugins or to use better passwords or whatever, then I always felt like there was some responsibility that I needed to take on when a site got compromised. But at scale, when you have a team of dozens of support staff and you're managing hundreds of sites and something goes down, you know, we would scramble to get sites back up, but then the question became, like, is this work billable or not? And if so, you know, why did we create code that was faulty, that our web build team developed custom stuff, you know, so there were a lot of gray areas around responsibility. So one of the things that I will urge anyone watching this, if you maintain sites for clients or you build sites for clients, is to be super clear about the risks involved and the security issues that your clients will have to face, and what your responsibility is and what their responsibilities are, and the clearer you can make that, the better. And that applies at any size.
But one of the things that got incredibly complex, that I didn't really fully appreciate until I was in the middle of it, was that we had to do quite a bit of work at that scale around managing roles and responsibilities, and making sure that our protocols and our procedures were actually being followed. Things like, you know, in a 250-person agency, knowing which of our 250 people needed access to a given website. That was a big deal. And what happens when you off-board an employee? Do you have the ability to kill all of that employee's access to every website that they were connected to all at once? Or do you have to go through hundreds of sites and check? You know, so there were a lot of systems and ways that we had to scale, but there was one other piece that sort of became clear for me, which was, when we were a larger agency, we attracted bigger brands. And so our SEO team, for example, might land a big account where the corporate headquarters is overseas, and they have hundreds of staff that need access to a WordPress site. And so the complexity of, and the amount of leverage we did or didn't have to institute policies or do things the way that we did them, that all got really difficult to manage really quickly. And so it really requires some thinking through, and if you can put some solid procedures, if you'll excuse the intentional Solid pun, if you can put some procedures in place at a smaller size and really think through those processes, then it will help you a lot when you do scale up and land bigger accounts or have more and more, you know, sites to manage at that scale. And so those are just a few quick thoughts about managing things with larger volume that, you know, weren't necessarily obvious until I was in the middle of it.
Yeah, those are really great insights. And, folks, if you're serving clients, that's gonna be the focus of our second hour tomorrow. I'll be talking about how do you talk to clients about security? And really, how can you leverage WordPress security as a service so that you can build your recurring revenue in your agency. It's really important and I'm looking forward to that conversation tomorrow. And again, that's in the second hour, starting at 2pm Central.
And I'll just add one quick thought on that, which is that offering security as a separate part of your care package, you know, as an add-on or whatever, with a clearly defined offering, is one simple way to make it clear to clients that there are things that are not included in just your basic support. Yeah, yeah, very good.
So let's turn our attention to a story that really made a lot of headlines and created a lot of conversation in the WordPress security space last month, and that is the vulnerability in the Bricks plugin. And I want to be real careful here, like, I'm not trying to disparage Bricks, because a vulnerability can happen to anybody. Right. But it's in our recent thoughts, and I think it's instructive. Never waste a bad situation, right. So what can we learn from this vulnerability that happened that we can take away? So first, Kathy, let me just ask you. If you're a solopreneur or an agency owner, and, you know, there's just vulnerabilities that happen, how do you, again, it kind of goes back to, how in the world do we stay informed on these things when we're just trying to do our work?
Yeah, that happened so quickly. So quickly. Crazy. Calvin Alkan, who was the one that found the vulnerability, had messaged me and invited me into the Bricks group on Facebook, and the conversation was just, like, it was crazy. And there was a lot of interesting advice that was being given to people of what to do to fix their sites and what was happening. There was a lot of misinformation that was flying around. I've thought about this a lot. And I think it's really important: if you are committed to using a tool, if you are using Solid Security, make sure you're on the Solid Security list. If you are using Bricks, get on the Bricks list. Embed yourself in the community, and this isn't just for security vulnerabilities. This is for new features that are coming. Software, to me, has really become, especially in the WordPress space, community driven. You know, David, you watch what people are talking about, about the product, about what's happening in security, and you kind of shape where the product's going. It's not just like, oh, this guy over here is creating this product. It's not like that. No, this is: embed yourself with the community, with the team, so that the people who are creating these products understand what you need, so that you can be informed of what features are coming. You can be informed of, maybe I should wait on this very large update that's coming from WooCommerce, just like those types of things. Just being embedded in the community of the products that you've chosen for your stack, I think, is just incredibly important. You just want to be the first to know what's going on when it's going to impact your business.
That's such great advice, and we'll talk a little bit about some of that sketchy advice in just a minute. But others, what would you say to agency owners and solopreneurs that are building sites for clients about staying engaged with a development community? How do you get informed about these issues?
So this is something I'll be touching on tomorrow. But I think this is one of the places where tools like Patchstack and virtual patching become key. We saw exploits for Bricks happening within 24 hours of the fix actually being published. Imagine you were on vacation when this happened. It's gonna be a problem. So this is one of those places where tools like Patchstack and virtual patching can be so helpful, because they will automatically push out a fix for your site that is laser targeted just to prevent this vulnerability from being exploited. You don't have to worry about, okay, do we need to test this update? Do we have a process in place? Are we on the plane right now? Or is it 1 a.m. and I'm sleeping when this vulnerability drops? They'll be there to protect you much faster. So I think that's where adding in additional tools is really helpful for protecting your site's security, particularly once you have hundreds of sites that you need to manage.
Yeah. Great. Anybody else?
Yeah, one of the comments that Kathy had touched on earlier was the communication between vendors. And, you know, I think of, you know, had Calvin worked with somebody other than Patchstack and the whole responsible reporting procedure and so forth, you know, would it have had a worse impact? Would more people have been vulnerable? So, yeah, the communication that Kathy talked about in the previous hour, I think, is real key. How you make that happen, that I have no idea, but, you know, it definitely needs to be, especially when it comes to the patching. Years ago, when I first heard people talking about virtual patching, I'm like, why? Why virtually patch? Why not just patch, you know, reality patch? Let's call it, we got virtual patching and reality patching. But, you know, I mean, something like Patchstack, where you can't stay on top of it by yourself. You need something like Patchstack, and I think the integration that SolidWP has done with Patchstack, to me, was just amazing. So I'll leave it at that.
Yeah, I remember, which I think, at least for me, I think it was like 2016 or something, where there was this huge group of vulnerabilities. And it was at the time where people were saying, hey, if you hadn't done an update within eight hours, you should consider that your site has been compromised. And I feel like, at least in my mind, that is when things really started to switch, like attackers are moving very, very fast now, and just updating, you know, the next day, or two days later, or if you say, hey, we apply updates every Monday, it'll be fine, let's just wait until then. It's not enough anymore.
Well, if I could add one other thing, it might be a little controversial, but I'll put it out there. We actually saw some attacks happening to that API endpoint in Bricks on February 7. But we didn't know what it was. You know, we monitor the database, we monitor the files, the access logs, so we could see the traffic, and then we see changes in the database and in the files, and we're like, you know, how is that happening? And at that point, we did not have a procedure for bringing somebody else in. You know, had I known what was happening, or had I realized what was happening... Nobody reached out to Calvin at that moment. Now, there were things going on in the WordPress community, questions being asked about themes that include embedded code and so forth. So was that a tip-off? I don't know. But I mean, from the time information was asked in the communities until the time we started seeing that traffic was less than six hours, and then once it was announced, yeah, I mean, it was like, I think Kathy mentioned in her previous talk, like five hours from the time the patch was announced until, you know, all hell broke loose.
Yeah, things are moving so quickly these days. You have to have a tool that's doing these things for you unless you just don't want to sleep ever, right, which is not sustainable. So let's go back to something that Kathy mentioned at the very beginning of this conversation, which is, you know, some of the social media channels were talking about this exploit, and there was advice that was being given that was not the best. So I'll just open this up. Whoever wants to jump in. At what point should you try to fix a problem yourself versus bring in an expert? Why don't we start with Thomas? Thomas is a little biased on this.
But, you know, I mean, we've been, you know, working on WordPress websites since 2007. So, you know, Nathan, I've known you for years and years. So there are people out there that have a good strategy, and they're aware enough of what their shortcomings are to be able to tackle it on their own, you know, so in a DIY, do-it-yourself scenario. Some of those places and some of the large agencies have, you know, staffs of people that focus on, you know, malware remediation, and, you know, I have no problem with that at all. There's obviously gazillions of websites out there. But the done-for-you, when people are asking, you know, hey, what steps can I do to know my sites are hacked, and especially with this, I mean, this was, you know, they were adding admin users, they were embedding code, depends on what hacker group was attacking at the time, they were dumping Perl scripts outside of the WordPress folder structure. So there's stuff that you can't explain to people, because they're gonna start deleting stuff and, like, oh, you gave me bad information, and now my site doesn't work, I had to restore and now I gotta rebuild the site, and, you know, blah, blah, blah. So, you know, the DIY versus the done-for-you, the DFY has to be carefully examined, and, you know, people that are asking, like, you know, what steps should I do to clean my site? Well, you know, if you're asking those questions, you should probably have somebody do it for you. That's just my opinion.
Yeah, good. Who else would like to chime in on this?
For me, it's that, you know, if you need to ask the question, you can't afford it. If you need to ask the question on, you know, how to do the cleanup, I think it makes sense to use an expert. I think it's great to learn and practice, you know, maybe on your own personal blog or something like that. Install an old version of Bricks and let your site get hacked and try cleaning it up. I would never do that, though, for a client site. Right. I would be working with an expert to make sure that that site is getting repaired. It's so easy to miss just one thing, and you miss just one thing and it's way worse to tell a client, okay, I thought I cleaned up your site yesterday, it turns out it got hacked again. Okay, your site got hacked, we fixed it, is one thing. Day three, it got hacked again. Day five, it got hacked again. Day seven. That's when things really become a problem.
And we weren't getting Oh god.
I don't fix my car. I'll clean a hacked site, but I won't fix my car. Know your limits. And can I just say that I was shocked to see that people are still putting, like, 550 sites in a cPanel. That's still happening. I thought... So yeah, that still happens. So one site, one cPanel. I just, that'll be my mantra for the rest of the day. Like a shirt. Yeah. Yeah, exactly.
Yeah, the car analogy is great, though. Because there was a time when you could just climb inside the hood. You know, you open the hood, you climb inside the engine compartment. There was room to maneuver, and now you can't even fit a hand anywhere. And, you know, technology has changed, but we sort of all started, well, many of us, I don't know, Timothy might be too young for this. But we started at a time when it was possible to just dig in, you know, TimThumb, Kathy, you mentioned TimThumb. I found the first YouTube video I ever uploaded about WordPress was in August of 2011, when I had found a TimThumb vulnerability on my WooThemes sites, and, you know, had to deal with that. That's how we all learned. And so, today, though, the complexity of the attacks and the sophistication of the code, the malware that gets uploaded, once a site gets compromised, it can be nearly impossible for someone that is not a pro to find all the ways in which a site got compromised. It's just a different world.
And I'll say that, even today, we're getting people who are infected via the Bricks vulnerability coming to us because their sites, as Timothy mentioned, they get hacked one day, another day, another day, another day. And, you know, until you find it all and get rid of it, it's just going to keep happening.
Absolutely. Well, let's turn our attention to some of the Q&A that's come in from folks in the audience, and we'll wrap up today, if it's all right with you all, with the discussion about the collaboration topic. I think that'll be a good way to end our panel. We have a bunch of questions that have come in; there are 20 questions open right now. Folks, if you haven't done that yet, please open the Zoom Q&A. Take a look at the questions that are there. Upvote the ones that you would most like to hear the answers to, because we're going to take these in the order of upvotes. And of course, if you have a question, just drop it in there. Let's start with the first question from Kay. There are plugins that allow you to add code snippets to WordPress, there's a bunch of different ones. Are those risky to use on a WordPress site? Or maybe we could say, are they more risky than other types of plugins? Timothy, you want to start with that answer, then we'll open it up.
Sure, I'd say "more risky" is the thing to identify. Risk isn't binary. So it's thinking through what the threat model is. I would say one thing that's very important: if you try and submit a plugin to .org, and maybe this is a bad thing, I think it's a good thing though, if you try and submit a plugin to .org today that is duplicating the functionality of Code Snippets, they'll tell you no. They'll say that, hey, we already have a plugin in the directory that does this. This is an extremely important thing to get right so you don't open up a huge vulnerability on your site. They're confident that, hey, that plugin works well. That's it, the barn door is shut on new plugins being added to .org that do this. So I'd say Code Snippets is a plugin that I use, and I use frequently on sites when I just want to have some simple snippets available and turn them on and turn them off. You might get code snippets from plugin developers that say, hey, we have this filter that you can use. We're not going to add the checkbox, but you can use Code Snippets to manage that for you. I think Code Snippets is a fine plugin. The thing to think through is, like, the attack vector. If you say that Code Snippets is a securely developed plugin and doesn't have any known vulnerabilities, and if vulnerabilities come up, they'll fix them promptly, then the thing to think about is, what would the impact of having that plugin installed on my site be? And I think the thing that most people would think of is that, oh, this means that there's a really simple way for someone to just get into my site and add PHP code. And that's true. But unless your site is already locked down, for instance, from plugins being installed, they can simply just install a plugin that has whatever malware and malicious content they want to include. So I would say think through what your attack vector is; that is always, like, the important thing to conceptualize.
And if you are a person who says, hey, we locked down all plugins on our site, they're all managed by Git, let's say we do a Git deploy, and part of that is being able to say this is exactly what the content on that site is, but it is also a security benefit if you are locking down the file system from being modified. In that case, I would say that then installing a plugin like Code Snippets is opening up a new kind of vulnerability, so to speak, in your site, because you've undone an extra step you took to protect your site. But I'd say in most cases, plugins like that are fine to use. Just use the reputable ones, not the one that was $5 on CodeCanyon.
Risk is not binary. That's great. Yeah, I love that too. That's awesome. Yeah. Anybody else want to weigh in on that question? What do you think about code snippets as a whole? There's a plugin called Code Snippets, but as a category, code snippets?
I think personally it's one of those that, as Timothy mentioned, you know, for the knowledgeable devs, you know, could be a good thing. But at the same time, I think that some of these things get passed around too much. I talk to people all the time, and, like, oh, my dev said that somebody on one of these forums recommended this, and so we put it in, and, you know, like, okay, well, that's how your site's getting infected. So, you know, maybe consider, you know, do you really need that? So, yeah, they have their place, but again, that's for the more experienced DIYers, not the newbies.
Yeah. Good. Thank you, Thomas. Okay, here's a great question from Dan, and we get this from time to time during the news roundup, because every month we look at the Solid vulnerability report, we see the numbers of plugins that are vulnerable, the ones that have been fixed, the ones that are still vulnerable, and it used to be, I clearly remember even last year, there were 30 plugins that were vulnerable this month or whatever. And I actually used to read those one by one. Right. Now there's routinely 150 to 200 plugin vulnerabilities each month. So Dan's question is: I've never seen as many vulnerable plugins as I've seen in the last six months. Is this from not enough people knowing how to properly build plugins and make them safe, or what is at play in this? It's like a hockey stick of vulnerabilities that have come about.
I have a lot of opinions on this one. I'll try and keep it short, because there's a talk that I've been ruminating over for a long time about writing secure WordPress code. But I'll say this one thing: this is kind of a measurement sample issue, I would say. I don't think plugins have become more insecure in the last year. I don't think that, you know, suddenly we knew how to write secure software five years ago and now all of a sudden we stopped. What's happened is that there are programs from companies like Patchstack, from Wordfence, others, I think Trend Micro might have them. There are a lot of organizations out there that are offering bug bounties for security researchers to find vulnerabilities in WordPress plugins, submit them, and get paid for them. Or even from the vendor, Liquid Web, for instance, our kind of parent company, they have a bug bounty program, and you can go over there if you find a vulnerability, submit it to them, and they'll go through that bug bounty process. But a lot of WordPress plugins that are just maintained by single individuals or small teams, they might not have the resources like that. So I think that's been a huge uptick here, is that security researchers are now incentivized monetarily to find these problems. And I think that's been one of the great things that companies like Patchstack have done in the past year, is creating these open bug bounty programs to reward security researchers for doing something that previously you had to kind of look into finding a plugin that had this bug bounty program set up and do all those conversations about it. So I think that is a huge beneficial thing that we've seen in the past year and a big reason for part of the uptick. The part that I'm not going to dive too much into is, I do think there is an issue with how we write about writing secure code.
And there was a vulnerability, I think Wordfence talked about it yesterday, in a plugin where a plugin author was applying esc_html and esc_attr too liberally. They escaped something twice, and that second escaping caused an issue. And part of the reason why that second escaping was probably there, it might have been flagged by tools that say, hey, you need to add extra escaping here. And so I'll find, for instance, lots of vulnerabilities, not naming names, but plugins that will have specific fixes in place to, let's say, sanitize some code, and they call a sanitize function in WordPress, but that isn't the correct thing to sanitize there, or what they're sanitizing isn't even the actual attack vector. So I think we don't do a great job about talking about how to write code securely. And a lot of times the things that we say are just, well, write esc_attr every single place that you're writing any piece of code and that'll fix the problem for you. But that's a thing for a talk or a blog post or something. But I will also just say it's hard. It's hard to write secure code. But I do think there are things we can do as the WordPress community to make it easier.
Yeah, really good. Anybody else want to weigh in on that?
I think there's too many people along those same lines. Some of them, all of a sudden, they think they get an idea for a plugin, like, oh, yeah, this one will sell millions. And they, you know, jump in, download some, you know, watch some YouTube videos on how to create your own WordPress plugin, and start writing code and then put it out there, and people are like, oh, yeah, this is the greatest thing since sliced bread, and so on, so forth. And it just goes from there.
Sliced Swiss cheese. Boom.
Yeah, they just asked ChatGPT to write the code for them, package it all up, and boom, yeah.
Yeah, there was a long time when, and it was really just by the actions of, like, a couple, I think even just one person, where if you went into Stack Overflow and you were like, how to write some PHP code to do something, it would just have SQL injection vulnerabilities, or you'd just have encryption implemented in a completely wrong way. And there's been lots of people just writing content about how to do this thing, and you'd Google that and you'd come across something that was insecure. For the most part, those have now been fixed on sites like Stack Overflow through the hard work of, like, dedicated volunteers going through every single PHP answer about how to insert data into a database when someone submits a form, or how to implement a login process securely. But it's still very easy to make a mistake.
Anybody else on that topic? All right. Next question up is from Jean. This is a really practical question. So what would you all recommend as a good, reliable way of passing secure information to and from clients, assuming they don't have a secure password app installed, and maybe they're not tech savvy? Kathy, why don't we start with you on that one?
I would set up, like, if you had to do that, and they, like, absolutely refused to use password managers and whatnot. Well, for WP admin, they shouldn't be sending it. They should be setting up an account for you and then having you set your own password. But for, like, FTP and things like that, you can do forms that encrypt and send it via PGP, so that you can get an email with those credentials and then just decrypt that with your PGP key. So that would be my recommendation for people transmitting. But, yeah, that's part of our job, is to educate everyone that they should be using some method of secure password storage, like 1Password or Bitwarden, or all of the major password managers allow you to share credentials, those types of things. So I would strongly encourage that they do that.
Good. We get a lot of people who obviously have to share their credentials with us. And it's always amazed me that so many people just, oh, yeah, what's your email address? And they just send them to it, you know? And what I encourage people to do is, if you're gonna do that, because it's easy for you and you just want to wash your hands of this and put it in our hands, that's fine. But, you know, once we've started what we need to do, go back in and change your password. You know, cut that, it's like, you know, logging out of your WP admin session to kill the cookies. You know, just cut it off at the knees right there. And we'll take care of it; our stuff is very secure, I'm sure of that. And so, just change the password and you're done.
You could get them to just take a picture of the password written on the sticky note on their monitor and just text it to you, right.
Absolutely. Post it on Twitter. Actually, that'd be a great way to get a Twitter tag. We do, right? We do sometimes recommend using a tool like onetimesecret.com, which is a great way to encrypt something and prevent it from lasting long. But one recommendation I always make to people is, even if you're going to do that, like, do we know who's running that server? Do we know that they don't keep that data? Separate the lock from the key, so send me a username and an email and send me only the password using onetimesecret.com with no context whatsoever, you know what I mean? So at least, you know, use a little bit of wisdom. And Pig Latin. Yes, please do that also.
One of the things Kathy mentioned I think is really another one to highlight. It's been a long time since I've done this type of client work, but I would hate it if a client sent me their Stripe username and password. Invite me to your Stripe account. There are so many tools that just allow you natively to invite a developer, invite a user, and I so much prefer that. Just invite me to your WP Engine or Nexcess account. Don't give me your Nexcess hosting credentials. Use the tools built into the platform, like WordPress, to create a WordPress user for your developer. Don't just send them your WordPress admin username and password.
Very good. Delegated access. The worst was when I sat down next to someone at a meetup and they're like, "Oh, here's my password. I use it for everything. My, my..."
Yeah, my favorite password. Yeah. How many times I've heard that from clients. "I can't change that. It's my favorite one. I'd have to change it everywhere." Yeah. All right. So a great question here from Chris. Chris is wondering, talking about the stolen session cookies issue. Thomas, you've written extensively about this, and you had a great live stream with us several weeks ago about it that, frankly, terrified me to the core. But thank you for that. Is there any movement with browser developers? Can this problem be solved at the browser level, dealing with a stolen session cookie compromise?
I think it probably could. But I don't see it. I know at one point the folks at Mozilla were working on some different things. But then, and this goes back even a couple of years ago, they had some shake-up over there, and things changed and people got moved around, and it just kind of got dropped. But I know that they were looking at it, some different forms of encrypting the cookies, you know, and encrypting the messages and so forth, so that it couldn't be so widely used. But even to this day, though, short offshoot here, we're still getting customers that have hacked usernames and passwords. It all has to do with the various layers of Swiss cheese. And one of those layers is your local device that you have to protect. I don't care if you're on a Mac; maybe on Linux you don't have to worry about it too much. But any platform that you're using to log in to sites, it's got to be secured.
Yeah. And circling back to something we mentioned in the last hour, which is the importance of the trusted devices feature in Solid Security. It's one of the only WordPress ways to deal with that exploit. And Timothy and David did a great live stream with us a few weeks ago just about this, where Timothy hacked himself. It was quite something. Or Timothy hacked David, actually.
You can watch Timothy hack my website in real time, and I was crazy enough to install a browser extension that he sent me to facilitate this. So Thomas, if you haven't seen that, it's worth watching. But the one thing I'll say is, do take the time, if you're concerned about stolen session cookies and protecting yourself, take the time to either watch that webinar or thoroughly understand how to implement the feature. Because you can enable trusted devices, and if you don't enable it all the way, so to speak, it won't stop stolen session cookie attacks from working. There are a couple of layers there, and we just want to make sure that you're really thoroughly understanding what's involved. So that was the big impetus behind that webinar and behind me allowing Timothy to hack me in real time.
To be fair, he did have you opt in to the hack. It was...
It was an opt-in hack, that is true, and I appreciated that. But also, I sandboxed that extension when I got it, just because, you know.
Timothy is just there looking sly. He's not saying a word.
He's like, "I still have access, David."
Yeah, he exfiltrated all my credit card numbers and everything.
Oh goodness. Yeah. So the link for that live stream is there in the chat if you didn't see it. It's really quite good. Back to the questions here. Another question from Chris. Chris says he's a WordPress developer who serves numerous clients. "In my experience, the weakest link in security is always the user." Absolutely. "What can you recommend as far as resources that we can share with our clients to get them to take security seriously, without scaring them to death?" And I'll just kind of add, scare tactics aren't always bad, but maybe a little scare isn't so bad in this case? What do you think, Kathy? Want to start with you?
My YouTube channel. It's just education, right? It's being aware, really, of that opportunity. Hackers are opportunistic. They're going to look for vulnerabilities. And it's just education. There's a bunch of us; there are tons of educational opportunities on YouTube. And if you're an agency, I would assemble, as part of an onboarding, like: here's a new client, here's how we do things, here's how we transfer credentials, here's how you're going to only have editor access, if you feel like that's, you know, whatever your protocols and procedures are for onboarding a new client. Build security awareness into that. And if they have any kind of pushback whatsoever, I mean, it's bringing...
It's a red flag.
True, but, you know, nobody wants to learn. When I was doing security marketing, nobody wanted to hear about it. Nobody wants to hear about security until they hear that their neighbor got broken into; then everybody wants the security system on their house. Same thing with WordPress. When that big vulnerability happens, everybody wants to know, how do I protect myself? What's the best thing I should be doing? Lots of bad advice on Facebook, that's for sure. But I would really make security education a differentiator. I know agency work is incredibly competitive. When you start building security into not just the onboarding process but also into the sales process, showing that you take it seriously, they're going to be like, "Oh, well, why isn't that other agency talking about any of this stuff? Is there something out there they don't know about?" And they'll ask questions. So build security into your processes.
Really good. Anybody else have advice? Thumbs up. Good. Well, folks, we're coming right up to the top of the hour, the end of our live stream today. But I do want to circle back to something, Kathy, that you mentioned in your presentation, which is the importance of collaboration between companies and users in the WordPress space to make everybody more secure. There seems to be, and I've kind of noticed this as well, this trend in WordPress security where some companies are resistant to collaboration. Kathy, in your opinion, you can kind of start here and others can chime in, how can WordPress security vendors work together to improve the safety of everyone in the WordPress ecosystem?
Well, there are some that are looking at what Solid and Patchstack are doing. They're exhibiting sort of good stewardship of WordPress security by the fact that there's collaboration happening. Patchstack is really great at some things. Solid Security is really great at some things, and they're cross-pollinating information. There are communications happening, there's sharing of information. All security is communication. A security researcher finds a vulnerability, communicates it through the secure channels to the developer, communicates the proof of concept to the developer. That communication has to happen. Collaboration has to happen. Collaboration is the undercurrent of good security. So there are some companies that work better together, I think, than others, which are more cloistered and have their way of doing things and their way of communicating. But I'm seeing some that work really well together. Not to get biblical, but you know them by their fruits, right? You can tell what's going on, you can see the actions that people are taking. Make good judgment as a WordPress user and choose to work with the companies that are collaborative, that are putting the needs of users ahead of competition. When you go to a WordCamp, you've got hosting companies lining the hallways of the sponsor area; everybody is there. You don't have GoDaddy taking pot shots at Liquid Web. Well, maybe you do, but everybody knows each other. They support each other. Our community is collaborative, we work together, and security needs to be a part of that. The security teams and all of the security vendors and security educators need to be collaborative as well. It's what makes WordPress strong.
Excellent. Who else wants to weigh in on that? Yeah, Kathy's mic drop. Yeah.
I echo everything Kathy said, and to touch on it from the lens of the questions you were asking earlier, Nathan, I think it's what allows us to work on cool features at Solid Security, as well as being able to partner with other vendors. Patchstack has created thousands and thousands of virtual patches. That's work that then only had to be done once and could be shared with Patchstack users and our users, and it lets us work on other features like trusted devices or passkeys and things like that. So I think developing those key partnerships and open communication between different services lets us build tools that help protect site owners more than they could if we were all operating 100% independently and we had to build the same thing 15 times.
Yeah. Great. Anybody else before we wrap this up? Great information. Yes. I really appreciate each one of you and your expertise and the flavor you've brought to this conversation. Really appreciate all the great advice. There are a lot of thank-yous happening there in the chat as well. Let's see. Timothy, you're back tomorrow to start things off, walking through Solid Security. So we're looking forward to that, and...
Bring your Solid Security questions. I know there are a couple of Solid Security questions in the chat that are specific to our plugin, and I'm going to have plenty of time to answer those tomorrow.
Yes. So yes, absolutely. I will walk through all those settings, and in the second hour tomorrow, I'll be talking about the client side of this and how you talk to your clients about security, for education, for information. Also, Pat, you know, how can you as an agency owner or solopreneur package security into the services you offer to build recurring revenue? So it's going to be a good day tomorrow as well. Kathy, Thomas, especially thank you both for being with us today. David, your expertise has been excellent as well. Kathy, let's wrap up with this: if they want to get more of you, where do they find you?
I'm everywhere.
Literally, you are.
Kathy Zant. I am faster than the other Kathy Zant that is out there, so I grabbed it. My name is everywhere, so just follow me. I'm really trying to put out more security content on YouTube because that's kind of a fun thing. But LinkedIn, Facebook, I'm still in the Kadence community and still very much a fan there. So hit me up there.
Very good. And Thomas just dropped the URL for WeWatchYourWebsite in the chat. Quickly, you offer a free service to anyone who wants to sign up for monitoring for malware, any bad things happening to the website. Do you want to talk briefly about that?
Yes. It's free. You can think of it as a free intrusion detection system. We don't protect anything on the free plan, obviously, but we monitor your database, your files, the processes. If you're on a server, we can do it live. If you're not on a server, if you've got a shared hosting plan, we do it once an hour.
Very good. And one of the great things, especially if you're an agency owner or solopreneur: you have your own server, or account, where all of your clients are hosted. WeWatchYourWebsite offers a single price to cover that whole server, all the sites on that server. So it's really quite good. And if you want to learn more about that, wewatchyourwebsite.com. So thanks again, Thomas, for being with us today.
You bet.
All right, folks, that is going to do it for us. We are back tomorrow, again at 1pm Central, for a walkthrough of Solid Security, and until then, have a great rest of the evening. We'll see you back tomorrow on Solid Academy, where we go further together.