Again, welcome everybody. We are getting things set up and going for our livestream, talking about some really interesting new information about how hackers hacked WordPress sites in 2023. A lot of data that just might reveal something you don't expect. This should be a really good conversation with Tom Raef from We Watch Your Website, and we're really looking forward to this one today. So as you come into Zoom, say hi, tell us where you're logging in from right there in the chat. I'm going to drop in, once again, our link bundle, which is there and ready for you to download the slides if you haven't. If you don't know anything about Thomas and We Watch Your Website, that final link, wewatchyourwebsite.com, is where you can learn more about him. Hey, Jennifer, glad you're here. Hey, Ken. All right, glad everybody's here. We are just now about six minutes away from getting started officially. A lot of fun stuff to talk about, about how hackers hacked WordPress websites last year. A lot of good data that Thomas is going to bring to the table today to help us understand some things maybe we haven't thought about before in WordPress security. Should be a lot of fun, very eye-opening, and of course plenty of time for your questions and answers along the way. So as we are waiting to get started, how about a check-in question? Let's see, check-in question today: what most concerns you about WordPress security today? What is your biggest concern when it comes to securing your WordPress sites today? Let me hear from you there in the chat. In the meantime, if you're just joining us, the link bundle is there in the chat for today's slides and the replay, as well as more information about Thomas and We Watch Your Website. "Our PayPal vulnerability reports, did they stop?" My understanding is they're going to continue. They may have paused over the holiday, perhaps. Yeah, they might have paused those over the holiday.
I'm not aware that those are going to stop. I haven't heard anything. One just came out today.
Oh, did it? Okay. Yeah, WP... yes.
So, Paul, they may have just pressed pause over the holidays to let the hardworking people inside the Solid world get a little rest. Yeah, Chris, certainly there are just no more vulnerabilities, that's the deal. Yeah. No more vulnerabilities in WordPress, it's all fixed. Yeah. But good question, I didn't realize that. So we're talking also about what's your greatest concern when it comes to WordPress security. Bonnie says impacting customer relations, then losing trust in us as a service provider, maybe in WordPress in general. Sue, let's see: not saving edited schedules. So what are we talking about there? Are you talking about Solid Backups? Again, welcome if you're just joining us in Zoom. We're about three and a half minutes away from getting started with How Hackers Hacked WordPress Websites in 2023. Thomas Raef of We Watch Your Website is here. Really glad to have him with us today. He's got some great data to share with us, and of course plenty of time for questions about anything WordPress security. If you are just now joining us in the room, open up the chat and say hello. There you will find the link to today's slides and the replay link as well. Oh, well, that's good news. Okay, yeah. So several folks were having some issues with Solid Backups, and a fix was just released, so that's always good news. Hey, BG, welcome, glad you're here. Three minutes to go, folks, as we are going to dive into some really interesting WordPress security topics very, very soon.
Glad everybody's here. So, what are you working on today?
Shoring up our infrastructure so that we can take on even more websites. In December we added close to 1.6 million, in December alone. We've got some strategic partnerships going, and a couple of them were like, yeah, we love your value proposition, let's go. Okay, send me a list and here's what we need to do, and so on. And they sent it to me the next day, and I'm like, there are one and a half million websites on here. They're like, yeah, how long will it take? And I'm like, I don't know, end of the year. They're like, okay.
That's amazing. That's amazing. Good for you. That's super exciting.
It's exciting until you get into it, and then you're like, holy cow, and then you're adding servers in their data centers to shore things up, and my goodness. Yeah, I love it because of all the data that we were able to collect this year, but yeah, it was a whirlwind.
I can't imagine. So folks, if you're just joining us, we have not officially started yet. We're about a minute away from actually getting going here on today's topic, which is How Hackers Hacked WordPress Websites in 2023. Thomas Raef is here with us from We Watch Your Website. We were just talking about how they have grown quite a bit in the last month, adding a million and a half websites that they're watching, which really gives you some great data. And that's really where we're headed today: some things that you have noticed, some trends that are important for us to know, those of us that build and manage websites for clients. So folks, glad you're here today. I'm going to drop in once again the link bundle for today. The slide link is there; you can download the slides you'll see on your screen from the Google Drive link, as well as the replay link with the transcript and chat log. It'll be available about an hour after we wrap up today. So we are now three minutes after, so I'm going to start our recording and we will officially begin. Well, welcome to another Solid Academy livestream. My name is Nathan Ingram. I'm the host here at Solid Academy, and today we have the privilege of hearing once again from Thomas Raef, our friend from We Watch Your Website. Welcome back, Thomas. Glad you're here.
Thank you, glad to be here. I've got some great information to share today.
When you and I started talking about this a couple of weeks ago and you were sharing just sort of the big picture, it's something I haven't considered before, really, to be as big of a problem as it is. And we have a lot to talk about there. And now in the pre-show banter you kind of dropped a little bomb: your business is growing exponentially and you are watching a lot of websites. So tell us a little bit about We Watch Your Website and what you're doing to help WordPress site owners.
Okay, so basically what we started to do, really a year ago, was focusing on what we call strategic partnerships. So we'll reach out to places, and I'm going to drop some names, but it doesn't mean that they're part of our strategic partnership program yet, but places like DigitalOcean, Linode, people that offer these servers. We started reaching out to them because one of the things that we've noticed is when we see attacks on websites that we're watching, we report those to the IP address owner. So in one week of December we reported 147 servers that were infected and attacking sites that we're watching, 147 to one provider, I should say. I won't say who, but they were like, how are you seeing all this information? Where are you getting this? And so we started explaining stuff and they're like, oh, can you put that on our servers too? Like, oh, yeah. And it wasn't my intention. My intention was to start taking digital assets out of the inventory of hackers. Every time we stop a website from attacking other sites, we look at that as a victory, in the fact that we took a digital asset away from the hackers, we took one of their weapons away. You can do it one at a time, but it's all we can do. So anyway, we started reaching out to all these server providers, perfect, during WordCamp US, and a lot of them were just like, yeah, yeah, yeah. I may have overextended ourselves here. But they start with our free service, which just does monitoring. But it monitors the database, monitors your processes, your files, everything about your site, and gives us insight into all these trends.
And it's still going now. We've got to put people on a schedule now, because before they'd say, yeah, okay, we got the data, can you start installing it tomorrow? I'm like, yeah. But now we're about three weeks out on doing any new installs.
That's amazing. So if somebody is here today and they've never heard of We Watch Your Website, just give us a quick pitch for who you are and what it is that you do for WordPress site owners.
Okay. Yep. What we do is we monitor for and remediate malware, basically. And so we offer WordPress website security services, and a lot of companies do it through a plugin; we don't. I've never been a big fan of plugins. They can get bloated, they can start to slow your sites down. And so it forced me to think of other ways of providing our services. So even on a shared hosting account, like cPanel or DirectAdmin or something like that, we do it off-site. So we'll monitor your site once every hour or two hours (I think we're down to one now) for any file changes and any database changes, and then we analyze those on our servers and see if there are any indicators of compromise. And we remediate from there. But we also do a lot to prevent hackers, which is something I don't really talk about much. Some people say, oh, I didn't know you guys did any kind of prevention or protection. Like, oh, yeah, we do. But I guess the proud part of our service is the malware remediation, because you have to identify it, you have to remove it safely, et cetera, and then determine how it happened so that we can set up procedures to stop it from happening again and again. Definitely.
So today you're monitoring roughly how many WordPress sites?
As of the end of December, just under nine and a half million.
Nine and a half million websites you are watching, and you have a lot of data collected from that that helps you extrapolate where hackers are heading, their strategies, and what they're doing to infect WordPress sites. That really leads us into the conversation today, which is sort of a wrap-up of what you saw hackers doing in the last year. Right? Correct. All right, well, let's dive into that. And folks, let me invite you as we go: if you have questions along the way, open up the chat, click the chat icon there in Zoom, and just keep that window open. You can ask questions as we go. And if somebody else asks a question that you also have, just click the thumbs-up icon underneath. We'll have a good time of Q&A with Tom when he finishes up here. So Tom, I'm going to turn it over to you and disappear. Let's talk about how hackers hack.
Sounds good. So as I mentioned, we were adding servers to our services at incredible speeds. And what that gave us was insight, like we collect logs, the access logs on servers, and we do it live. So every time somebody visits your site, there are entries created in your access logs, and each entry is streamed to our servers for analysis. And so for this report that we did, we analyzed over 850 billion log entries, and, see line one here, during 2023 we added over 5 million websites to our Watching plan. Our Watching plan is free, and I encourage everybody to use it. If you're on any kind of server, your own, RunCloud, GridPane, CyberPanel, any of them other than Cloudways. We can't quite put our stuff on Cloudways because they don't allow us access to install our stuff yet. Anyway, that's a whole different story. So anyway, our Watching plan is free, and it does allow us (because we're not doing any prevention with our Watching plan, we're just watching) but like I said before, we watch your files, we watch the database, and we watch the processes that are running on your server and the ports, because of some of the interesting things that we saw this year: hackers will upload a file that isn't even in your normal WordPress folder structure; it'll be outside of that, more into the server area. And they run it, and it opens up a port, and they just send commands to that port. What that file does is it allows them to attack other websites from your server. So that's what our system does, it picks up on that stuff. So you see item number two here: of those newly added sites, 331,000 were already infected before we onboarded them. So most of the sites obviously were clean; we're just watching them. But we had 331,000 that were already infected. So we jump on those, because one of the things that we do when we onboard new servers is we scan all the sites for malware, because we want to know. We can't assume that they're clean. We'd like to, but we don't.
So anyway, what we found over the course of the year, and this might be misleading, is that 1.2 million were infected due to authentication compromise. And we've got the breakdown there: 1,092,000 were from stolen session cookies, and 131,000 were from username/password compromise. So what we saw a lot of this past year, and even in December alone, there was a two-week period of brute force attacks. A brute force attack is where they have a list of usernames and passwords and they just bombard your site with all sorts of different combinations. Now, a lot of people say, well, I just use fail2ban and it takes care of that. No, because fail2ban, in order for it to be effective and not get in your way, says, okay, if there's a failed login attempt from the same IP address within 10 minutes (or you can set the variables), then it blocks that IP address from trying anything else on your site. But hackers have access to so many servers that, over the course of this two-week period that we looked at in December, not once did they use the same IP address twice. So that's how many they have, but yet they were launching attacks. A lot of these attacks were from GoDaddy websites. A lot of them were from Bluehost. But there really wasn't a provider out there that was totally unscathed. So yeah, brute force attacks are getting much more complex to evade blocking. They know how fail2ban works. They know that a lot of people are using fail2ban, so they work around that. And I had to throw this in here just because it's always been a sore spot with me, but people spend more on website security than they do on their local device security.
We'll have people onboard 10 or 20 servers, and I ask them, okay, let's talk about what kind of antivirus program you have running on your local computer. And it's always going to throw up some flags here, but: I don't have antivirus, I'm on a Mac. Like I said, something you have to understand, if you've listened to me before, you've heard me say this: hackers are very, very good at human behavior. They're not just good technically; they know human behavior. So when people tell me that they're on a Mac and they don't have any antivirus program, I just cringe, because I know hackers know that too. And hackers are writing malware for Macs just as much as they are for PCs. So you really need something. So yeah, hackers know people's behaviors. And that's why, over the course of this year, in 2023, one of the things that became apparent was the number of websites that were infected due to authentication compromise. Before this, I had heard from other people in our industry that 95% of WordPress sites are hacked due to vulnerable plugins or themes. And I was like, that just sounds like too big of a number to me, because we're not seeing it. I mean, I would see things in the logs, as we wrote about before with the Essential Addons for Elementor vulnerability. We were seeing attacks on that plugin; you see it in the log files. You see people from server IP addresses launching traffic toward that Essential Addons plugin folder. So that's what that is.
But the hackers were shifting their focus because of things like Patchstack, which is now incorporated into SolidWP. I don't want to indicate that they were bought out by SolidWP; SolidWP has incorporated Patchstack services into their panel and so forth. And there are other companies: Wordfence now has a bounty program as well, there's WPScan. So there are companies out there that are paying people to find vulnerabilities in plugins and themes and core, and those are being actively blocked. There's a whole process: finding it, notifying the plugin authors, and then helping them write code that's going to prevent the vulnerability from being exploited. So there's an industry within WordPress security that focuses on preventing websites from getting hacked due to plugin or theme or core vulnerabilities. Well, hackers aren't going to give up, right? That's their job. They know that this is how they make money, by hacking. So what do they do? They shifted focus, and it became very apparent, based on our information, that the hackers have already shifted their focus, not just on vulnerable plugins and themes and core, but now they're going after session cookies and username and password compromise. So the last line here: defense in depth must be adopted. You have to take a look at things like using something like SolidWP, especially with the fact that it's incorporating Patchstack and it gives you a great panel. But you also have to look at protecting your authentication methods. So defense in depth can't be overemphasized. So, understanding the problem: hackers are using infected websites to launch exploit kits that attack other websites.
With us having so many websites being watched, we see when sites are attacked from these exploit kits. There are a number of these; one exploit kit is called RedLine, actually RedLine is an info stealer. But there are exploit kits that hackers sell on the dark web that allow pretty much anybody to load that up on somebody's website. You load it up on the server and start launching attacks. And the interface that the hackers have built for these things is pretty interesting. They're very creative people. But like I said, that's one of the things that we see a lot in our log file analysis: there's no reason why a website or an IP address owned by GoDaddy should be trying to log into your WordPress sites. None. Sorry, it doesn't exist. But yeah, we see sometimes thousands and thousands of attacks just like that. And it's these exploit kits that hackers have uploaded, and they hide them very well. So it's not just a matter of running a malware scan or running maldet on your server and saying, well, maldet didn't find anything, so I must be clean. But so hackers are using exploit kits to try and infect other websites. And the purpose of infecting other websites is not just to use them to also run their exploit kits on, but what they're trying to do is install info stealers on end user devices. So they might pop up something on an infected website, so for anybody going in there, it might say, oh, your Chrome browser is out of date, click here to update it now. You have to protect yourself, and some of them will have some very convincing messages. And yeah, we can all sit here and say I'd never fall for something like that, but at the same time, enough people will that it'll give hackers the ability to install these info stealers. And the thing is with these info stealers, I think I covered this on one of the other slides, but by you clicking on OK to install that file, many times you're bypassing your antivirus program, because you're probably logged in as an administrator on your own PC or your own Mac, whatever your local device is.
And so you're basically telling the antivirus program, no, I know what I'm doing, and I want this installed on my system. So then that just bypasses your antivirus. So that's part of why I wanted to present today, to inform everybody and let everybody know: don't click on things. I live here in Knoxville, Tennessee, and one of the local areas has a Facebook group, and somebody posted a thing about a missing dog: click here for detailed pictures. And one guy posted, yeah, it's all fake. He's like, I clicked on the link, and, I forget what his exact words were, but basically he fell for it hook, line and sinker. So he saw the image, wanted to find out more information about this missing dog, clicked on it, and I'm sure it installed something on his system. But they're always trying to get into your desktop computer or laptop computer. And so what these info stealers do is, once it's on your local device, it steals login links, usernames and passwords. So people that say, well, I hide wp-admin, when you have a plugin that hides wp-admin so that people can't get to it. Well, maybe somebody just trying to log into your system can't get to it, but these info stealers collect the login link. So it knows, if you have it set up so that instead of going to wp-admin you've got it set up for "Joe's secret hiding place," whatever, it collects that. So it knows, when you go to this xyz.com website, they've hidden wp-admin and here's the real path to it. And then, oh yeah, by the way, here's the username and password as well. Now, for that particular scenario, the best thing you can do is set up 2FA or passkeys, like SolidWP offers. That'll prevent that from being successful,
because they still have to get around the two-factor authentication. But what these info stealers also do is they collect authentication cookies, which allow them to bypass WordPress logins, even with 2FA set up. And that's one of the things that we see in the log files all the time: somebody goes to user-edit.php, which is in the wp-admin folder, but yet for that IP address there's no previous login, there's no previous traffic, it just goes right to that file. And then if it returns a 200 response, that means it was successful. That means that they have a session cookie that's valid, and they just basically bypassed your authentication on your WordPress site, and now they're in as administrator and they can do whatever the heck they want. So this whole thing was stolen session IDs. I know sometimes they're called authentication cookies, and sometimes they call them session cookies; they're the same thing. So they're stealing those and using them. And it doesn't matter that you're in Knoxville, Tennessee, and they're in Outer Mongolia. It doesn't track it by IP address. So there are all sorts of reasons why. But so, these exploit kits and info stealers. I had a long conversation with Oliver from Patchstack, and he was constantly talking about going down these rabbit holes. So I had to put that in here because we had a great conversation. But in some of the Facebook groups where we were posting, or others were posting, our report, people said, oh yeah, well, they steal session cookies by cross-site scripting. But the way the cookies are set, WordPress issues them with a flag in there called HttpOnly=true. And what that does is it prevents session cookies from being stolen through cross-site scripting. Calvin Alkan is one of my good friends,
and I consider him to be an expert when it comes to authentication and WordPress. He and I talked about this at length. I'm like, yeah, WordPress is not vulnerable to cross-site scripting attacks to steal session cookies. But still they're being stolen, not with cross-site scripting, but with info stealers. So hackers will install an info stealer on various PCs, and it steals the information and sends it to the hackers' system, and the hackers' systems are so automated that when they get a session cookie from one of their info stealers, it automatically tries it, logs in, and sets up a bogus admin user, does whatever, all sorts of things. But yeah, like I said, if you're interested in going down these rabbit holes, as Oliver likes to call them, you can just Google exploit kits.
And then Google info stealers. And the information you'll see on there is just incredible. Like I said before, you know, many of you are using antivirus programs, even on Macs, when you click on an infected file, your antivirus program is useless because you the user, probably an administrator user, you authorized it. So and we talked to this one company in Israel, that tracks info Steelers, and they said A recent analysis of 100,000 compromised devices real reveal that 88% of the devices had different antivirus software. That was all bypassed by the info stealer. So it's just you know, you can't you know, it takes as for you to the actor, but he's like it's it's in the gray matter. So info Steelers are on the rise. Three of the we looked at some statistics from low malware variants in the wild, and three of the top six are info Steelers. So the other three are malware used to install info Steelers. So I mean, you know, you got the little gray cells, right. So yeah, Macs PCs, that doesn't matter. You're susceptible, you know, and they just put some different yellow. They can send you a phishing email. You know, a lot of people there was a lot of talk a couple of months ago, about that email going around telling people that WordPress had had found a vulnerability in this plugin, and click here to install the update and so on so forth. Anyway, they you know, they do that with you know, like fishing, you know, they'll send you to a website that looks official, you know, might look like somebody's official plugin website, but it's not. So. Info stealers. Or you know, they're populated by phishing info stealer actually, this should have been by the exploit kits. Trojan, a rat are at in uppercase like that is a remote access Trojan. So the hackers can install something on your site that seem to be on your local device that gives them remote access to it so they can launch attacks from your local device. 
They can you know, steal your, your session cookies, username, password, etc. And also we're seeing a lot more in ransomware where people will steal your your logins and so forth. They won't tell you which ones and then tell you that okay, you send them you know, whatever $500 And they won't use any of your compromised credentials. So
Now, how can you prevent these login credentials from being abused on your site? One of the easiest ways is to log out. You log in as administrator, you update some posts, make a new post, whatever. But most of you will just close that browser window, close that tab. That's it. And that leaves the session cookie valid, so it can be stolen. If you log out, it kills that session cookie. So you log out, and then if your session cookie is stolen, it can't be used. So do that. And we've seen session cookies stolen and used during a legitimate login session. There have been a number of times in the past month, even in December, as we're adding all these websites, that we would see a legitimate login, we see the session cookie, and then out of nowhere we're seeing bogus plugins being installed on some of these sites. We're like, wait, how can that be? And then we look, and the bogus plugins are being installed, but the traffic is coming from a different IP address than the legitimate login session was. So the hackers stole it while you're logged in doing your maintenance work, doing whatever; they steal it and their system just goes right in, because there's not going to be any login record or anything else. It's bizarre. Now we've also seen some instances where the hackers were hacking through the admin's computer. So while the admin was logged in as an administrator doing maintenance work on their WordPress site, all of a sudden we start to see traffic from the same IP address showing them installing a bogus plugin over and over again.
It was like there was some malware on the administrator's system that notified the hackers every time, or the malware detected when they were logged into a WordPress site and would automatically install this plugin, even if the plugin was already there. It was a bogus plugin, so it was malware. So even just logging out doesn't necessarily get rid of this problem, but it is still a good habit to get into. Now, Kelvin just posted; I'd love to see if I can get Nathan, when he comes back, to post the link to Kelvin's write-up on session cookies and authentication for WordPress sites. He just posted it today. But four characters of your password are in the authentication cookie, just four characters. I think it's like characters eight through twelve, I believe it is. That ensures that it's impossible to retrieve your password from the cookie; it's only got four of the characters, so hopefully your password is more than four characters. So it'll take four characters, hash them, and bury that into the cookie, so when you go and validate that your cookie is still current, it checks the password. I've got here: some people say that WordPress authentication cookies can be stolen with cross-site scripting. However, WordPress implements HttpOnly=true on the cookies, thus preventing any cross-site scripting (and I copied this from somewhere online): JavaScript modification is not allowed. So cross-site scripting can't steal your session cookies, but changing your password can invalidate them, because those characters in your cookie are taken from your password; you change your password, and now that cookie cannot be validated. But you don't want to change your password every time you log out, because you're going to go crazy. But yeah, this slide, I just wanted to show you some of the things in a session cookie.
And you can see over here, under HttpOnly, it's checked. So for the WordPress authentication cookie, it's using HttpOnly, so it is not vulnerable to cross-site scripting. So to kind of wrap this up, I know it's a lot to throw at you at one time, but hackers' methods are changing constantly, and you've got to stay updated with their latest attack methods, because, as I said, this year alone hackers changed their attack vector from focusing on just waiting for the next big plugin vulnerability to be announced. You know, hackers still like to eat. Somebody's got to be buying them all that soda and pizza that everyone thinks they eat all the time. So they like to eat, so they still need to make money. By shifting gears this past year, for sure, it's obvious, and focusing more on authentication compromises, they're able to still continue to work and move on with life. So that kind of wraps that up. Here's some contact information for me: you can reach me at traef@wewatchyourwebsite.com, on Skype, I'm here on Facebook, and in a few other Facebook groups. There's our website, and this is our new logo. So the new site, which should be ready in the next five days, will look more like this than it does currently. I know Jen Harris cringes every time I send her a new post to get her insight; she's like, oh, can you turn off that green? Like, okay.
Well, thanks so much for this information. It's eye-opening, because truly, for the last few years, the issue has been out-of-date themes and plugins, and that is still very important. But hackers are smart people, and they've changed their tactics. So before we get into a lot of these questions and answers, and there are many, by the way, folks: if you have not looked at the Q&A box yet, pop that open in Zoom and scroll down through those questions. If you want to hear a question answered, click the thumbs-up icon, and we'll take those questions in the order of upvotes. But in the meantime, just for a minute here, Thomas, tell us a little bit about the service that you provide. There's a free level for We Watch Your Website, and you monitor either the server as a whole or an individual website if it's on some sort of managed WordPress platform, right? Correct.
Yeah, with managed WordPress sites, if you're on cPanel, DirectAdmin, some of those shared hosting platforms, we don't have enough access to the core to be able to monitor it in real time. So we monitor once every one or two hours. We're working on changing that. So we check for any database changes, and we also check for any file changes in that one-to-two-hour period. But if you're on the server, we can do all the sites on a server. We've got some people with over 100 websites on a single server, and we monitor them all. Even if you go with a paid plan, we don't believe in charging per website; it's all basically the same. It's more traffic, but basically the same. But yeah, on a free plan, that will monitor every one or two hours on a shared hosting account, and on a server, VPS, dedicated server, whatever, we can monitor in real time. So we'll see the instant there's an indication of compromise.
Very good. So if folks want more information, they can look at wewatchyourwebsite.com, or they can email you right there at traef@wewatchyourwebsite.com. Raef is "fear" spelled backwards.
All right, Nathan, did you look through my slides? Any time I used WordPress, the P was capitalized.
I see that. That's very, very important. The capital P is very important, because that phishing attack does not use the capital P.
You're right. Yeah.
All right. So let's turn our attention to some Q&A here, starting first of all with Sherry; several folks had the same question. If we need an antivirus solution for the Mac, which we do, what would you recommend as your first choice for a solution?
One of the best ones that I found is by Sophos, S-O-P-H-O-S. They have a free one; I think they prefer that it's for a home-use Mac, but they have no way of knowing for sure. It's very, very good.
Yeah, on your advice, we started running Sophos on all our family's computers as well as all the agency computers. It's quite good. So, this wasn't asked, but what about the PC side? What would you recommend?
PC side, you know, I used to hate Windows Defender because it was so ineffective, but that was six, seven years ago. In the last couple of years, I love it. I run it on mine. So Windows Defender; just keep it updated. And then I'll team that with Malwarebytes, because on a PC those two play together nicely. Sometimes on a PC, when you're combining antivirus programs, one of them will think the other antivirus program is a virus and start blocking it or locking it up and just causing problems.
Yeah, very good. Okay, keeping on with the questions here. Paul would like to know how effective changing the salts on a regular basis is in this whole session-stealing issue.
Kelvin and I just went over this today. In fact, he's writing up a new article about that. The salt is used to validate a session cookie, so by changing it you are invalidating any previously created session cookies. But there are ways around it, so it's not really effective. What you're better off doing is going into the database, into the wp_usermeta table, I think it is, and that's where the server-side session cookies are saved. You're better off finding the cookies in there and clearing them out from the database. Which obviously is not for the faint of heart, but yeah, indeed, it's more effective.
Let's see here. So Yan has a question, and if it's related, it's about We Watch Your Website: if he has a domain with subdomains, with different WordPress installs on the subdomains, on the same account... let me ask the question this way. Is the best way to think about the way that you watch sites that every kind of container needs its own account? So if you have a managed WordPress installation, a site there is going to need an account, but if you have a server where all your sites live, you can get one login and have access to all those things. Am I saying that clearly?
Yep. Yes, yes, you are. And it's hard to put into words, you know, on a website, but yeah, for shared hosting, every site that we can hit with one FTP account, we consider that one account. On a server, any site on that server is covered under that account. Yes.
And so Ben has a good question here, and I'm going to phrase it slightly differently: if there's one thing that the typical WordPress user can do to help protect themselves from the session-hijacking, cookie-hijacking issue, what would it be?
Don't open files. Because you never know which file. You know, I got a message, quote unquote, from my older brother, but somebody had hacked into his Facebook account and sent me a message on Messenger. He's like, "T, you know, just see this." And I was like, oh, and then I was like, no, don't open it. And I didn't. I downloaded it separately and analyzed it. Sure enough, it was a virus. I contacted my brother. But I mean, just don't open files. Don't click on things.
So, we mentioned two-factor. Getting clients to use two-factor authentication is a bear; it's just very, very difficult. However, if we could get our clients to start using 2FA regularly, is that going to protect them from this latest threat?
No. It will if their username and password are stolen. Like you said, hackers are looking for two different things when they infect your local device: they want usernames, passwords and a login link, or they want the session cookies. So 2FA will help with the first one, a stolen username and password, because then it still invokes the 2FA. But with a stolen session cookie, you're already authenticated, so it doesn't need to have a...
Interesting, yeah. That's terrifying, Thomas. I don't know what to say about that.
Trust me, I know. Right? And real quick, we had an instance late last year with one of the management console companies. Hackers were actually looking for and stealing authentication cookies for the server running the admin panel. I'm not sure, I don't remember which one it was. But say you've got this thing set up on a separate server to manage all your WordPress sites. Hackers would log in; they stole a session cookie to log into that admin server, and then they can infect all your sites. And people are like, well, but no, there's only a handful of my sites that were infected. Right. Hackers don't want to set off alarms: hey, all my sites got infected, it must be this. They don't want to give you clues. They're incredibly intelligent people. I hate to give them credit, but they're intelligent. They absolutely are.
Wow, okay. Doug's question here: does an info stealer app need to be present on my local machine for a hacker to access my session cookies?
Some type of info stealer, yes. But they also do things like... because they know people are going to start running scans, their info stealers will evade detection by antivirus programs too. And a lot of times, in reading, going down those rabbit holes that Oliver talked about: they'll steal your session cookie, and then they remove their info stealer off your system, but they know how to get right back in.
So still, I don't know, guys. I don't have all the answers, just maybe more questions.
So next month when you come back, you'll have the answers, right? That's how this is going to work. Wow, this is definitely the cutting-edge threat that we all need to be aware of. Sure. John has a question here: most malware I've read about uses PowerShell to run scripts. I've configured PowerShell to require elevation. Do the info stealers you're talking about use PowerShell?
Many of them do, but not all of them. There are some that embed themselves in DLLs. I don't want to go too deep down into the Windows infection vectors, but a lot of them do. Not all of them.
So, I'm just trying to think about this in the big picture. Is the takeaway from this, for those of us that are working with clients and managing multiple websites, that we really need to up our education game for our clients on watching out for these sneaky links?
Yep, big time. I mean, one of the best things you can do to help your clients help themselves is education. Let them know about these info stealers. I'm going to be writing up a lot more information about info stealers and what people can do to keep them off their systems, and have a regular weekly column on our new website about new info stealers that we're seeing in the wild. And one of the attack vectors, as they said, when they're trying to inject info stealers, is that they launch those attacks from infected websites. So it does all trickle back to keeping the WordPress website clean. If, hopefully, someday in my lifetime, I'll see it where there are no infected WordPress websites on the planet anywhere, then they're going to shift focus and start launching attacks from people's PCs. But we can only attack one attack vector at a time.
Yeah, wow. All right, Sherry's asked a question that you and I chatted about in the pre-show conversation. Does a VPN help in this situation at all?
No. Nathan and I were discussing this. When you think about the technology of a VPN, it's just giving the hackers an encrypted tunnel between your computer and the destination. It's not really filtering anything; it's just providing an encrypted tunnel. So no, VPNs really don't do anything. Yeah.
Tanya is asking: in order to steal a session cookie during login, what does the hacker have to have access to? They have to have access to the computer that's being used to log in, and then they can hijack the cookies, a physical text file on the computer, right? Correct. They're grabbing that data. Yep.
Yeah, they need access to your computer. So that's the scary part. I mean, here we are talking about WordPress security, but it all trickles down somewhere, and in this case it trickles down to the end-user devices, the local devices.
Yeah. Yep. All right. How about Stacy's question here: any thoughts on Bitdefender? And another question, how about CleanMyMac? Any thoughts on those software products?
Bitdefender is awesome. Some people are scared away by the price tag of it; I don't remember the pricing right now, but it's very good at detecting info stealers. CleanMyMac I've heard of, but honestly I don't have much experience with it, so I couldn't say. But real quick: when you're running these antivirus programs, the scenario is, say they find a new info stealer today. They'll write the description, the signature, for it and push it out to everybody's computer. That prevents it from that point forward. If you already have the info stealer on your computer, it won't find it until you run the next full system scan. So run full system scans every day. People are like, oh, it slows down my computer. Right, do it overnight. You're going upstairs to go to bed, or going to make dinner, whatever, then eat dinner; fire off a full system scan. For sure.
Let's see, let me scroll down through some of these. Jean is asking: does just deleting the cookies remove the hackers' access to your computer? Or have they actually already stolen it? Right.
Right, they've already stolen it. It doesn't prevent... if I'm hearing the question correctly, she wants to know if it keeps them off your computer. No, it doesn't. They'll just sit there and wait for you to log in, and then steal the session cookie. But deleting the session cookies off your local computer will keep them... even if they do steal it, they can't use it. Well, they can't steal it because it's not there. But logging out will invalidate the cookie on your computer, so even if they do steal it, they can't use it because it's no longer valid.
Let's see. Are you seeing hackers using things like Facebook ads for information stealing?
Yes, they are. In fact, we just had a customer contact us yesterday. He runs ads. Very knowledgeable computer guy. He was running ads, and some of the ads were popping up like a fake Norton warning, because the ads he was running through an ad network were infected. So yeah, ads can be just as infectious as anything else.
So they're willing to invest the money in running the ads because they know it's going to pay off, right? Yep, yep, big time. Let's see. A lot of these questions we've answered already. Paul would like to know: you mentioned there's kind of a backlog with getting new customers added. Does that pertain if somebody buys a plan? Is there still going to be a three-week lag to get them set up?
No, no. The three-week lag is in working with our strategic partners. They'll come with, I don't know, 200, 300, 400, 500 thousand websites on any number of servers, and they're like, okay, get the setup done by one o'clock. And like I said, we have to build the infrastructure, because our system collects log files, and I've stated this before: our main log file collector collects 20 million log entries per second, like 1.7 trillion a day. So as we're adding more and more of these websites, we have to add more and more of those clusters of servers ourselves.
Right, quite a job. And just to review, the PC solution you mentioned was just using Windows Defender, which has gotten to be quite good, and even the free version of Malwarebytes.
Correct. Yep. For people that are cost-conscious, Defender comes with Microsoft, and you can use the free version of Malwarebytes. But I believe with the free version of Malwarebytes you have to tell it to scan. Yes, right. You can't set up an automated scan. So make sure that, again, you run full system scans every day.
This is, you know, security. Some of the things that you want to spend money on... security software for your computer is probably one of those, right? And it's not terribly expensive for the value you're going to get out of it.
So years ago, before PCs came out, I used to sell copiers, and I had somebody tell me that copiers are one of those non-glamorous things in the office; it's a necessary evil. And now here I am in the security world, and security is a necessary evil itself.
It is. That's just the world we live in. We'll do one more quick question here from Tanya. This is along the lines of some thinking I'm doing. I wonder... I guess it wouldn't even matter, because of the way the WordPress session cookie works as long as there's some activity happening. But you could set it to time out; with a very simple snippet, you could say, time out the cookie after an hour of inactivity, and it would close that connection. But if, as Tanya was mentioning in her question, you're working on a site all day, that session stays open until you're idle for whatever time you have. And I think it's 48 hours by default for the WordPress login cookie.
If you hit Remember Me, it's two weeks. Yes.
Yeah, so don't use Remember Me. That's not a good thing. Roxxon...
Yes,
...exactly, Remember Me. And her follow-up here is: let's just say a session cookie gets compromised. Is this automated, to the extent that right then it's going to start doing its thing if they grab the cookie?
Yep. The info stealer sends it to the hackers' servers; the servers are just sitting there waiting, and it logs in. Now, typically, what it'll try to do is install a bogus plugin or bogus theme, or create a new admin user. It wants to extend its longevity somehow. So it's going to do some things that we see all the time. But yeah, a lot of times, while you're working in your session, they'll open up a new session with the same authentication cookie and run through their batch of things it's going to try to accomplish. Yep.
Wonderful. So everyone's going to sleep well tonight.
All right. So let's start to wrap this up. Tom, I really appreciate your information and expertise. This is really good detail that comes from excellent data you've been able to collect by watching millions of WordPress websites. So, any final thoughts as we're wrapping up?
Yeah, well, I wish I had better answers. But it's part of your maintenance plans with your customers. People may want to start looking at a security educational section, and make sure that all your customers participate in it, read it. I don't know. Do they? Yeah.
And that's the world, right? It's a very good point. Even in your contract, it needs to say something along the lines of: if you're going to log into your website with a computer, then you are contractually obligated to have appropriate security software, and maybe even go through some training and so forth. That's a really good thought; I need to think about that myself too.
Yeah. I mean, I don't know how else to do it. We thought about offering virtual PCs, like a PC in the cloud that everybody could log into, and that way you could lock the IP address to only come from there, but people are going to log into...
...that simple login somewhere, right? Yeah, yeah, exactly. My goodness. So Thomas, thanks for your work in keeping all these websites safe, and thanks for your expertise today. Thanks, everybody, for joining us for the last hour or so. Hopefully you've learned some things and have some good takeaways from today. I'm going to drop in once again, right before we stop here, the link bundle, if you happened to have missed that; you'll find today's slides, and we'll have this replay up in about an hour after we wrap up. You're welcome to rewatch or share that link with whomever you'd like. Well, thanks again, Tom, for being with us. We'll see everybody else back here, members, tomorrow for office hours on Solid Academy, where we go further together.