WordPress Disaster Week: Session 1 - How the Worst Hacks Happen in Simple Ways
9:28PM Mar 8, +0000
Speakers:
Nathan Ingram
Kathy Zant
Keywords:
site
vulnerability
themes
security
wordpress
hacker
password
server
plugin
user
hacks
question
cpanel
patched
breach
factor authentication
people
malware
intrusion
compromised
Well, good afternoon and welcome to another live iThemes Training webinar. It is Disaster Week, sponsored by iThemes Security Pro. My name is Nathan Ingram. I'm the host here at iThemes Training and over the next three days we'll be hearing from our group of experts on WordPress security. We'll be talking about how hacks happen and how to respond using iThemes Security Pro in your WordPress security strategy, and also how to provide security as part of a website care plan for clients. Now, today, we're focused especially on hacks, and I'm excited to welcome our first presenter Kathy Zant. Kathy has been working with WordPress for over a decade. She has both technical and marketing experience and has worked with a number of brands in the WordPress space. Kathy has helped to organize both WordCamp Phoenix and WordCamp US and she lives outside of Denton, Texas, where you can find her walking Golden Retrievers or hanging out in the horse barns. Hey, Kathy, how are things in your world today?
Things are cold here in Texas. It's not supposed to be cold in March in Texas, is it?
You know it. We have weird weather down here in Birmingham, Alabama as well. I think we're going to be 20 degrees this weekend, which is just bizarre. It's been 80.
Yeah, just absolutely crazy this year. It's good to talk to you, Nathan.
You too. So I'm looking forward to what you're going to talk about today. Give us just a quick overview of what we're going to cover over the next couple hours.
Yeah, for the first hour, we're going to talk about some of the worst hacks that I've seen in my life working with WordPress security. And in our second hour, we're going to talk about incident response planning, how to prepare for when your site gets hacked, not if.
Got it. So we have a lot of fun things to talk about today. Kathy has a lot of experience in the WordPress security space. And I'm looking forward to some firsthand tips from her over the next couple of hours. As we're getting started today, let me invite those of you who are just joining us in GoToWebinar to head over to our chat room at ithemes.com/chat. That is the spot to ask your questions as we go today. And again, this is live training. It's not recorded unless of course you're watching it on the replay, in which case it is recorded. But if you're here live with us now, Kathy is here and she is going to be presenting and she'll be taking your questions at the end of each hour today. If you have questions, I would invite you to put those in the chat room at ithemes.com/chat. If you do ask a question, I would appreciate it if you put the word QUESTION in all uppercase at the beginning of your question; that just helps us to pick out the questions more easily, especially if some resources or conversation is being shared there in the chat room. And if you do ask a question, please just keep an eye on the chat room for the next minute or two in case I have a follow up question, because I want to give Kathy some good answerable questions. And we want to make sure we answer exactly the questions that you have as we go today. So if you want to follow along with today's slides, you can do that using the link I just dropped in the chat. And you should be seeing Kathy's screen shared as well. If you're not seeing that, it's probably hidden behind some other open windows on your computer. So with that, Kathy, I'm gonna turn it over to you. Let's get started.
Great. Thanks so much, Nathan, and thanks for that great introduction. Welcome to Disaster Week, everyone. Sounds pretty scary. But we're going to try to have some fun with WordPress security. WordPress security does not have to be boring. It doesn't have to be scary. And so the next couple of hours, we're going to try to have some fun with this while we're learning things and hopefully learning from other people's bad experiences. So that if you have to deal with a hack, or rather when you have to deal with a hack or an intrusion or a data breach, it's not so difficult for you. So a little bit about me. Obviously, Nathan gave you kind of an overview of where I am right now. But I have been working in tech since, well, I'm old. I have been around for a while. I was working in the internet space before WordPress. I was actually working with database-driven websites a very long time ago. And then when WordPress showed up, it was using the same database class I was using and I'm like, oh, well this is a better way of blogging than Movable Type. I decided to start my blog up on WordPress and as more plugins came into the space it just kind of became my way of developing WordPress, or developing any sites. No more diving into the code for me because there are so many useful plugins in the WordPress space and so much innovation that happens here. About five or six years ago, I dove into remediation and incident response and many, many hacked sites. I was dealing with about six hacked sites a day at the peak, probably 2016, 2017, saw a lot of vulnerabilities exploited, saw a lot of horrible hacks. And I'm going to go over some of those nightmares with you so that you can learn from them. Currently I am on the light side of WordPress working with Kadence WP. There is so much innovation that is happening with Kadence right now, and Kadence Blocks. Kadence changed my relationship with WordPress and Gutenberg. And it's amazing.
So if you haven't checked out Kadence, I highly recommend that you play with Kadence, and Kadence Blocks as much as possible. It is loads of fun. But let's go into the dark side. Hey, I have seen some things. Yes,
I'm sorry to interrupt you. There's one thing I forgot to mention in my introduction, and I had a note and everything, and I forgot. We are now featuring a live transcription feature here on our webinars. You can find that below the chat room, just click that blue button. If you're having trouble understanding what's being said, follow along with that live transcript. And that should help you out a lot. Sorry about that.
No problem, gives us some more time to check out Laya diving away from the malware spam and malicious redirects. I have seen some things and so I'm going to share what I've seen. And there's going to be a commonality that you're going to see in some of the worst hacks that I've seen in my career as a security analyst. And if you notice this pattern, I'm going to ask at the end and see if anybody gets it right. So we're going to use Star Wars as kind of our inspiration here. Who's attacking you, who is attacking WordPress? A lot of people think, well, this is just, you know, some guy in a hoodie attacking my site. But it's not a guy in a hoodie. It is more like Darth Vader in a hoodie with a lot of Stormtroopers, an army of bots. It isn't just one person who's saying, you know what, I'm gonna go after this person's blog. It is one person, maybe with an army, going after a blog. It's not just, you know, a single bad guy. Um, and the reason why they use bots is because they are trying to attack as many sites as possible. Why are you getting attacked? Why is WordPress even a target? Well, WordPress is powering over 40% of the internet. It is powering very large sites. But it's also powering a lot of smaller sites. And hackers understand economies of scale. Now if they're going to attack, let's say, the New York Times, which also uses WordPress, they're going to be up against a team of security analysts who are going to be watching that traffic coming at them. There are lots of defenses, there's a lot of intrusion detection that's happening, there are security forces defending those large sites. However, if you take 100 sites, and attack all of them, the probability of finding an unpatched vulnerability, a bad password, or a site with lowered security defenses is much higher.
So if they want to have a malicious redirect, for example, say they have a site that has a malware download on it, and they want to direct as much traffic as possible to that site, they can have the same effect of attacking the New York Times by attacking 100 sites and being successful in intruding on, let's say, 30 sites, or even 20 sites. So they expect smaller sites like yours to have less security. And in a lot of cases, they're right. A lot of site owners don't think that they have anything of value. And so they don't secure their sites. So this is why your site is under attack. Your site might seem insignificant in the grand scheme of things to you, but to a hacker who has an army of bots going after WordPress, your site is just as valuable as the New York Times, and we need to start treating our sites as that valuable. Why do they want to do this? Well, there's a number of reasons, but the number one reason that underscores all of this is money. Well, sometimes there are defacement contests. So hackers will have a contest to see if they can just break into sites and deface them, so they'll put up like a little flag that says, you know, one of my favorite defacers was Bala sniper. He had like music that played and everything, so he would come in and just deface the site. He wouldn't necessarily place any malware anywhere, but he would put up a page that just showed that he was successful in exploiting a vulnerability on that site and taking it over. But most of the time, these hackers have the motivation of money. Either they're trying to use your server's resources for spam mailings, or maybe they're trying to improve the SEO on one of their Viagra sites by putting spam links to these pharmaceutical sites. Maybe they're trying to phish, maybe they put a phishing kit somewhere hidden in your wp-content folder somewhere.
And they are driving traffic via email to that phishing kit in order to gain someone's credentials. Maybe they have malicious redirects, and they're trying to get people to visit a site with malware on it so that they can take over people's computers. Crypto mining has also been a major motivator. So they all have a profit motive, it is $1. I often wonder how much money these hackers actually make.
There's a lot of money in defending our sites, as well. So there are white hat hackers that work very hard to make sure that your site stays safe, and to give you the tools in order to do that. And that's pretty much what we're going to do today, we are going to teach you some Jedi tricks, key ways to keep your site safe. And I'm going to teach you about some of these tricks by talking about some of the hacks that I've seen, how they were successful, so that you can guard against these things. So let's go to Jedi Trick number one, the first thing that you need to start doing, and this is going to be useful not just for your WordPress site, this is gonna be useful in all aspects of your life. Use a unique password everywhere. There is a site called Have I Been Pwned. Just type in haveibeenpwned.com and go and put your email address in there and see if you have been in a data breach. Here's what happens. So you go buy shoes at a small site somewhere, maybe your teenager is requesting a special kind of shoe. And you can only get it from one particular retailer. So you go and you use the same password that you're using everywhere with your email address, and you buy the shoes, so your teenager leaves you alone. And your password that you use everywhere, or that maybe you just use on sites that you buy things on, that password is now in the system of that small retailer. And that small retailer has a vulnerability, or maybe they're reusing passwords. And a malicious actor gets into that database, gets your password, and it ends up in a data dump. And Have I Been Pwned is a great service that basically keeps track of all of these breaches. And you can track whether or not your password has been in a breach.
So not only can you track if your email has been in a breach, but there's also a form on there where you can put in, you know, like if you're reusing passwords, put your password in there and see if it's ever been in a breach. This is a great tool. Actually, iThemes is integrated here. So iThemes will tell you if you have a breached password, it will prevent you from using a breached password, and it will do so for any of your users. So if your user, let's say you have an editor on your WordPress site that wants to use a password that's been in a breach, iThemes Security will prevent your user from making a bad decision and using a breached password. These breaches end up being sold to other malicious actors. And then this data ends up in brute force bots that then try to log into WordPress sites and try to log into bank accounts and other things. So you have these databases of passwords that basically end up in a script with a bot testing passwords that are known to have been used somewhere to see if they are being reused elsewhere. So let's talk about the horror story of something I lived through and a number of people lived through quite some years ago. But this is a story about a reused password. So we were working incident response and we start seeing a number of
a number of sites coming in that have been breached. But looking over the log files and looking over all of the evidence, there was no vulnerability and there was no evidence of anybody logging into the site. It was just like automagically malware was showing up in the form of a post plugin that had been installed on the site. And it was very confusing to us as security analysts, because there was no evidence of any intrusion on the site whatsoever. However, after seeing a few of these, we found a pattern. And that pattern was they were all connected sites, they all had Jetpack. And they were all connected to wordpress.com. And the person who had that wordpress.com account was reusing a password. And they were reusing those passwords on wordpress.com. And that was where the brute force attempt was successful. So on wordpress.com, if you have your site connected to Jetpack, you can install a plugin from wordpress.com to your site that might be hosted at Liquid Web, or Nexcess, or anywhere else, it could be hosted anywhere, as long as it's connected to wordpress.com. Through Jetpack, that plugin can get installed. So one thing that hackers who target WordPress like to do is to create a little zip file that has things in it, looks like a plugin, walks like a public plugin, but it has PHP files in it that are backdoors. And so once that was installed on the site, they could then go into that backdoor, and then compromise the entire site. So that was what was happening there. And the folks over at wordpress.com pushed forth an effort to get everybody to use two factor authentication. And that stopped it. So very important that you don't reuse passwords anywhere at all, it's just gotten to the point where your passwords are just not, you know, a username password combination is not the end all be all it once was years ago.
I mean, you remember back in the day when we could reuse passwords everywhere, or we could use our dog's name as a password. And these will be tales that we tell our children and they won't believe us. But back in the day, we could do those types of things, just like we walked to school, you know, in the snow. It'll be like old timers' secrets. But anyway, Jedi Trick number two, that we learned from the Jetpack example, is that we need to use two factor authentication wherever possible. We want to ensure that we're using two factor authentication to protect those passwords, because we never know when a password is going to end up in a dump. I mean, you could even have a situation where you have a long, very secure password, but somebody else, you know, has randomly generated that as well. And that ends up in one of these data dumps and gets used. So it's always good to have another layer of security that two factor authentication offers. Obviously, there's two factor authentication in both the free and the Pro versions of iThemes Security. And you can even control what user groups are required to use 2FA in iThemes Security, which is awesome. Also, the trusted devices feature in iThemes is wonderful as well, because you're not even using a password there. Obviously, using another layer of security and having to get an authenticator app adds another, you know, complexity of getting into a system, and that trusted devices tool in iThemes is wonderful because it takes away that friction of users logging into your WordPress space. But we're also going to talk a little bit about why we want to use these authenticator apps like Authy, Google Authenticator, LastPass, or 1Password instead of using SMS. For a long time SMS was generally accepted as another layer, that second factor of security, but there's an article that I really suggest that you read.
Just not even as WordPress. I shared this with as many people as I possibly can, because this story that you can find on medium.com. Um, if you just do a Google search for "the most expensive lesson of my life" and SIM port attack hack, this story of a SIM port hack that happened to an individual in the cryptocurrency space is chilling. You will never use your cell phone as another factor for security ever again after you read this. And it's also a really good story to look at because he walks through everything that happened, like he was getting ready to go to sleep and he checked his email one time and couldn't log in but was just tired and was ready to go to bed and felt like he could just deal with that in the morning. So he was having signs very early on that there was a problem with his cell phone. And as he unpacked it, found out that his SIM card on his cell phone had been compromised at his cell phone service. And that allowed them to get into his email, allowed them to get into his cryptocurrency account and allowed them to take $100,000 from him. It's a very, very telling story, something that I hope that you read, and that you can learn from and share with other people as well. Two factor authentication is a part of our life right now. But it's really important that we make good decisions about how we're using 2FA. Alright, let's talk about another horror story. And again, this started with a reused password. And this gets pretty ugly. Alright, so this is a major site with 1000s of users. And one of the administrators was reusing a password. And he was using the same email address as his domain name. So let's say my personal website is zant.com. And I have kathy@zant.com, let's say, you know, for confidentiality's sake, this is similar to what was happening. So he was using the same domain name on his email as the website, the WordPress website.
So this hacker saw this in a breach and said, hmm, I see this business name here, I'm going to try this password and see if I can get in. And the hacker was able to get in. There was no two factor authentication to protect that user's account. And it was a multisite installation with over 1000 sites in it. He had administrator access. And he was able to see that the PHP Exec plugin was installed; he didn't have the capability of installing plugins, but he was able to turn it on. So he turned that on, which gave him the capability of putting PHP code into any post. So he did that. And then brands started running some tests, he noticed that the server itself had not been patched and he was able to escalate, this hacker was able to escalate into the network environment, and pull all sorts of customer information, and then put ransomware up on the front of the site. And it ended up really destroying the company to whom this happened. It was pretty horrific. So part of the problem was they were hosting WordPress on the same network as all sorts of other sites and other applications. So they were able to pivot off of the web server into other areas of the business. And it was pretty horrific what they had to go through. From this particular case, we learned a lesson about functional isolation. This philosophy of security is that whatever is happening with your WordPress site, it is functionally isolated from everything else. And not just WordPress, but any other application that you have. If you have plugins and themes on your WordPress site that you're not using on a regular basis, remove them, don't just deactivate them, because you can have a deactivated plugin with a vulnerability that can still be exploited.
So if you're not using it, you're just leaving that vulnerability to be discovered by a hacker, even if you're, you know, you think something is on one of your servers. And you think, oh, nobody's gonna even notice this is here, it's deactivated, it's not being used, that code base is still there. So it's good to not only deactivate, but to remove it. Also isolate functions of your business and isolate sites from each other. So I've seen a number of situations where people put like five WordPress sites all on the same server in order to save money on hosting. Those sites are all intermingled, they're all using the same server user. So if there's a vulnerability in one site, all of those sites basically are at risk. And then isolating functions of your business. You know, WordPress does a lot of different things. Do you want all of those things to be installed in the same WordPress installation? Do you want your ecommerce site to be the same site as your learning management system? Isolating all of these things isolates what a hacker can do if they do get in. We want to make sure that if there is ever any type of intrusion, that that hacker is limited in what they can do. Version Management in iThemes also is going to check to ensure if you have outdated WordPress on the same server. And this brings up another point, sometimes I've seen hackers able to get in and do certain things. And they will upload an old version of WordPress with a known vulnerability. So you'll see like a version like a 2.7, or something, I don't even know what's vulnerable in that particular version. But they'll often upload an old version of WordPress with a known vulnerability. And it's not necessarily activated, but there might be a file within there that can be exploited. So those types of things can happen as well. And iThemes will detect if you have outdated WordPress on the same server of the site that you have it installed on.
So another benefit that iThemes Security has for you. Speaking of functional isolation, here's another horror story for you. This took me an entire day to clean. This site comes in with an intrusion. And there's just one site, the guy just wants one site cleaned. And so I start looking around. And I noticed that there's 30 sites in the cPanel. And every single site is infected with the same malicious JavaScript that's redirecting site visitors to all 30 sites, to a bad neighborhood of the internet. So cleaning that up was like not that big a deal. It was basically like a giant, like over 2000 file search replace type of situation. But then you have to find out which one of those sites actually caused the problem here, and it ended up being one user. So it was an agency in South America that had these 30 sites in a cPanel. And he had given admin access to all of his customers, so that they could go update whatever they needed to update. One of his customers was reusing a password again. And that password had been compromised. And the hacker had gotten in and went to the 404 page for that particular site, and edited that particular 404 page, so that he had a PHP backdoor, and was able then to run a script that basically appended this JavaScript to the end of every single JavaScript file that was on the server. So all 30 sites were compromised from just that single JavaScript file. What would have helped this person? Well, obviously, functional isolation, putting only one site in each cPanel. And people are getting better about this, I think, and hosting providers are helping people make better decisions about isolating those particular sites,
better credentials, obviously, using a better password, two factor authentication would have helped that particular user, the principle of least privilege, did he need to give every single client admin access? Or would they have been okay with editor access? And then also limiting editing access, you can put this line of code in your wp-config file, if you want to do that, that will disallow file editing. So that would have stopped them from being able to overwrite the 404 file of that theme to put a backdoor there. But if you don't want to get into your wp-config file, iThemes has brute force protection. And it also has temporary privilege escalation so you can prevent it. Let's say if you have an agency and you have somebody who needs to get into an admin area of the site temporarily, you can give them temporary privilege escalation. And there's also advanced settings for turning off file editing. So iThemes Security has you covered as well. You know, iThemes Security is great because it gives you the capability. If you're noticing a pattern here, most of the security problems, the worst hacks I've ever seen in my life, come down to people. And the security solution that you need is not necessarily going to stop all of the vulnerabilities in the world because, you know, vulnerabilities are always going to be there. But some of the worst hacks I've seen have been because of people. And so giving you tools that help people make better decisions is going to help you keep your sites safe in the long run. So, Jedi Trick number four, take a layered security approach. So we might think, you know, because we've had all of these situations happen with bad passwords, or users reusing passwords, or just brute force attacks, people think, well, if I have the best password, that's enough. There are numbers of ways to protect your site.
By just layering your security, you're going to want to have intrusion detection and prevention in a number of different ways. So you want to know as soon as possible when a vulnerability exists on your site, as soon as a security researcher has reported that there's a vulnerability, you need to know as soon as possible. So you can patch that thing before the hacker discovers it. So iThemes has wonderful logging capabilities, so that you can see if intrusion attempts are beginning to happen, if an intrusion is successful. It's great for vulnerability scanning, because it's going to let you know as soon as iThemes knows that there's a vulnerability, it's going to let you know. You're gonna want to do things like blocking common attacks, you know, a lot of these bots that are just kind of spraying the internet looking for any kind of vulnerability out there. This is really great to do with off-server services like Cloudflare, and other cloud based services, where they are blocking this kind of generic malicious activity at the network level. So it's not using your server resources. These are wonderful things. Malware scanning, you can have scanners running on your server, a lot of hosting providers are doing this already and will let you know if they see malware, these indicators of compromise. So you know, you can rely on your hosting provider to let you know this. There are other malware scanners that exist out there. There's even malware scanners, I believe Sucuri has a malware scanner that you can actually point at your server or at your site to look for indicators of compromise without even being on your server. And then also, backups. Believe it or not, backups are a wonderful security approach.
Because if an intrusion happens, let's say an intrusion happened 10 minutes ago, and you just got notification that an intrusion happened, and you have a backup for an hour from an hour ago, restoring from that backup, and then finding whatever vulnerability as fast as possible, gets you back up and running as fast as possible. So layered security approach is definitely the way to go. We have to assume that something is going to go wrong everywhere. Whether it's passwords and users or vulnerabilities, or
hackers just spraying the internet, assume that something's going to go wrong and prepare yourself. Make sure you're backing up everything daily. And also, I highly recommend backing up your log files. I have seen a number of cases where hackers, especially in targeted cases where they have gone after a site specifically, will actually go and manipulate the log files on the server to cover their tracks. They'll do this a lot if they have a zero day. And a zero day vulnerability is something that hackers know about, but security researchers haven't figured it out and it hasn't been patched. So they know about it. And they want to cover their tracks so they can use it elsewhere. So you want to make sure that you're backing that up, not only your site, as much as possible. And if you have a lot of users coming into your site, say like if you have a commerce site, and you have transactions being logged every hour, maybe you should be backing up every hour. Think about where those restoration points are for you and make sure that you have a backup available, a tested backup as well. You want to test your backups and make sure that they're working because there's nothing like that false sense of security, knowing that you need a backup and then finding out that your backup process isn't working properly. Another thing that you can do is harden WordPress. There is a page on wordpress.org, Hardening WordPress, you can just Google "hardening WordPress", it's going to come up right away. And that will give you some more ideas of tightening up security on your WordPress site. You know, this isn't just about WordPress, right? There are breaches that we hear about pretty much all the time these days. In 2013 Target was the victim of a very widespread breach. And this happened and it was escalated from a very small intrusion vector. It was an HVAC vendor that had access to Target's network. And their laptop got compromised.
And it led, it was escalated by hackers who investigate. Once they got access, they started poking around, and they didn't let themselves be known until they got all of the cash registers across the country and affected Target. Target survived. And glad they did. They have great, great stuff. But Target survived. And they are definitely a cautionary tale of what can happen with these types of breaches. And what can happen. You might just think, oh, well, it's just a reused password. But that reused password, that small decision that someone made, can escalate into something that's very, very detrimental to a business. So you are now ready to be a security Jedi. You understand the importance of unique passwords, you understand how important it is to use two factor authentication in as many places as possible, but especially on your WordPress site, you understand the importance of functional isolation, and a layered security approach. So don't ever assume that, you know, just because I've gone through these experiences of incident response with all of these WordPress sites that I know more about security than you do. You know, I got into security way before WordPress. I inherited a server that someone else had set up. And I made the assumption that that person was, you know, much more technical than me, they know more about security than me. It was wide open. And I had no idea. I made the assumption that I didn't know, and that they knew better than me. And I found out later that it's everyone's responsibility to know about security. And it's everyone's responsibility to not necessarily trust that everyone else who you think knows more about security has it all figured out. Security is your responsibility. It's my responsibility, because, as you've seen, the number one pattern through all of this: I didn't talk about any vulnerabilities here. The worst hacks I've ever seen all started with the human element. So it's your responsibility.
And luckily, you have iThemes Security Pro, and the iThemes Security team behind you, to give you the tools that you need in order to make better security decisions, because it's all going to start with you. And that's all I've got. If we've got some questions, I'm happy to answer them.
Absolutely. So great stuff, Kathy. And this is a really, really good overview of practical security vulnerabilities and things we need to be considering. Several questions popped up in the chat room during the presentation. If you have a question you haven't asked yet, I'd invite you to drop that in there at ithemes.com/chat. Once again, we do have the live transcript going; the blue button for the link is down below the chat room. Also the replay: there have been a couple of questions about replays throughout the presentation as well. There's a green button there for watching the replays. We'll have those up about an hour after we wrap up today. Alright, so let's get started. First of all, with just something I want to reinforce that you said that I think is super important, because it's a major misconception among a lot of WordPress users. And that's when you talk about the fact that just disabling a vulnerable theme or plugin does not solve the vulnerability. Can you just re-underline that again, Kathy?
Oh, definitely, um, let's see. This happened in 2019, I believe. So there's a plugin called File Manager. It's really cool. It's great. It allows you to basically, within your WordPress installation, see all of the files on your server, instead of...
looks like the old school Windows Explorer File Manager, right?
It does. And it's really helpful when you need to get into the file system and, you know, do something, delete something, change something, look for an image name. And you don't want to get into FTP, because it's like, where's my FTP password anymore anyway? Or you don't want to go into your cPanel or whatever. It's right there, and it's really handy and helpful. And it's a utility plugin that a lot of people use; it has tons of installs. And a lot of people deactivate it once they're done using it, but they keep it there because it's really handy and it's really helpful. It had a vulnerability that was discovered, and it was a zero day, and it was easily exploited, whether you had it installed and activated or installed and deactivated. Just that code being on your server meant that a hacker could exploit this vulnerability. Obviously, as soon as hackers learned that the zero day existed, it spread like wildfire, and people really jumped on it. And, you know, it caused a lot of harm to a lot of sites. It was 2020 when that happened, I can't remember exactly. It was like September, in recent memory, anyway. But yeah, that was exploitable; it just had to be on the server, it didn't have to be active.
Yeah, absolutely. So as long as that code exists, and it's vulnerable, it's vulnerable.
All right, exactly. So hit the delete key, you know, just keep everything tidy, delete things that aren't in active use.
Alright, so the functional separation slide provoked a lot of discussion in the chat, we'll just say that. So a lot of questions came up about best practices of, hey, I've got a server that uses cPanel. Are you saying that I shouldn't have more than one WordPress site in a cPanel?
I am saying that, yep. That's a hill I'm willing to die on. Um, see, the thing is, all of those sites are running under the same Linux-based user within one cPanel. So let's say you have 10 clients, and, you know, you want to save some money on hosting, don't we all. And so you put them all in there. If one of those sites becomes vulnerable, they are all vulnerable. And you have to assume that if anything is exploited, anything has been compromised, all of the sites in that cPanel have been compromised. So you want to definitely have those isolated. Now I could see, like, if it's just your business, and you're going to take the risk, and you're going to do backups all the time, and you have a WooCommerce site, and then you've got, you know, a LearnDash site, and you want to have these both within the same cPanel, maybe some stuff with some subdomains, and you want to do that, it's a risk that you're taking. If one of those sites does indeed get compromised, you have to assume that they are all infected and look at all of them when you're going through incident response. And the other thing I would say, you know, because I've gotten into this debate with a lot of people when I've talked to them about this, because this is sort of like their M.O., a lot of people do this. So I'll say, if you are going to do this, you are putting all of your eggs in one basket, and you need to pay attention and watch those eggs very carefully. And you should attend the next session, which will be about incident response. Because you're increasing your probability of a widespread hack affecting you if you are putting all of your eggs in that basket.
Great answer. And so Joe had a follow-up question in the chat room. I'm going to go ahead and drop it in here, and that is: if we have our WordPress sites in different cPanel accounts, what about using something like iThemes Sync or, you know, a dashboard tool that lets me get into all my websites? Does that create a vulnerability?
Again, that's something that you're going to want to secure. Um, I've always been nervous about those types of things, because you're basically granting access. Every time I grant access to, like, Twitter or, you know, a Google service, it makes me nervous, because you're granting access. You know, like Zoom granting access to your Google Calendar, those types of things; you're granting access. If there's a vulnerability that happens in Zoom, is my Google account going to be affected? What's happening there? So you are granting access to a number of WordPress sites. Just make sure that your Sync account is also extremely well secured.
Absolutely. Let's see here. Also, in that same vein, what about folks who have managed WordPress hosting, like with Nexcess? Beth was asking, you know, she has the 10-site plan on Nexcess. Is that okay?
I believe that those, well, one of my test sites is on Nexcess, and I believe that those are all functionally isolated and using different Linux-based users. So, like, on a Linux system, you have users, you have groups. And so you'll be in a group. You want to be isolated by users, because the PHP applications are going to be owned by the user, and that particular hosting account. So as long as they're separated by users, you're fine, and I'm almost positive that's what Nexcess does. But you can always double-check and ask your hosting provider.
Yeah, exactly. And I think that's the answer to Marin's question as well. She's on a hosting platform where she has a reseller account, and each site has its own DirectAdmin. She's asking, does that count as isolated?
DirectAdmin. I haven't worked with that in so long, but I believe that that is. So you have a reseller account, and then you're creating multiple sites. Yeah, like cPanel has that same type of setup. So, um, I believe when you're setting up a site like that, it creates a new user on the Linux system, and so that is functionally isolated. So when I'm talking about shared, cPanel allows you to do these add-on domains, and so all of the sites then end up within the same public_html folder in your file manager. That's where they're all running under the same user. But if you have, I can't remember the name of it, but like a cPanel reseller type of thing, where you have access to a number of different cPanels within that, those are all... the cPanel is where the actual user is generated. I hope that's clear.
Great. Let's see here. Sal has a follow-up question on that as well. So he asks, he says my web host says they have CageFS between cPanel accounts, so they're isolated. I've never heard of that. He says, is that enough? Or do I need a VPS?
Hmm, CageFS, I've not heard of that. But as long as the sites are not thrown into a cPanel public_html, it's like the public_html folder, that's where we see the problem, because those are all running under the same Linux user. So the permissions for one site are the same for all of the sites within that public_html, within that cPanel account.
Right. And, yeah, just a quick Google on CageFS, I'd never heard of it either. It's apparently like a virtualized file system. So it does isolate users, and that's the issue.
Yeah, exactly. Yeah. So you're fine. Yeah.
Okay, let's see, Linda has a question here. Linda says, I'm nervous about testing backups, since I have to lose my current live site to test. In other words, she doesn't have like a staging environment. How would you suggest testing a backup when you only really have a live site in your hosting?
Hmm. Okay, um, I would take a backup. And then I would, you know, get that backup off server. That's another recommendation. This is ancillary, but if your site gets hacked and you have backups on the server, assume that your backups are corrupted and compromised as well. Everything on the server under that user, as long as the hacker hasn't escalated out of that user, just assume everything there is compromised. So you'll want to make sure your backup is off server. I would download it to my local machine, and I would just start poking around. Does it look like what I have on the server? Are the plugin files all there? Does the file count of everything under your public_html or whatever equal what I have on the server? The database: has the database been backed up? I would unpack that and see, are all of the tables that I have when I look at phpMyAdmin on the server, do those all show up when I unpack the database on my computer? So all of the files and the database and everything that's on the server should be in the backup, and you should be able to see all of those when you download them.
Good. Let's see. John has a question here. He says, how exactly do I know if I have a vulnerability? How does a hacker gain access through a vulnerable plugin?
Good question. Um, so vulnerabilities, when they are discovered by security researchers, will be reported to the developer, basically, plugin, theme, core, whatever, responsibly disclosed. And then, because we are in the open source world, once that's patched, security researchers usually give that some time, but then they'll publish the results of what they found. And they need to do that in order to keep their certifications; they have to publish their research. So eventually, and even when stuff gets patched, there are a lot of people who will go look in the change log and see what they can find. And, you know, the proof of concept will be developed. And once that proof of concept becomes public, then hackers kind of start going to town looking for what they can find. And so, as to knowing whether you have one, just keep everything updated. Check the change logs for all of your plugins and for WordPress core, pay attention to the research that iThemes Security and other security vendors publish. And if you keep everything updated, you're going to be fine. The security community in the WordPress space is extremely responsive, extremely responsible. The space has really matured, especially in the past few years. So you might have a vulnerability right now that nobody knows about. Vulnerabilities are being discovered all the time. And it's just our job as users to be aware of this, to get information from security researchers and to keep everything patched.
Yeah, very good. And I'll follow up with just a couple of things there, and then we'll take a break here. John, it's a great question to ask. And I would point you also to the iThemes Vulnerability Roundup; it's a weekly post on the iThemes blog where we mention plugins and themes that have been found vulnerable and talk about the exploit a little bit. Also, each month in my WordPress news roundup webinar, I kind of cluster all of those vulnerability reports together and talk about the security space and what's been affected. But really the most important thing that you can do, it's a very simple thing, maybe not the most important, but a very simple thing you can do, is using iThemes Security. iThemes Security Pro scans your site twice a day for vulnerable themes and plugins, and using the version management feature, it will actually automatically patch vulnerable themes and plugins if the patch exists. So you don't have to do anything, and iThemes Security will watch your site twice a day and patch those themes and plugins that have an issue. So it's good stuff. Kathy, this has been great. We're about ready for a break here. Any wrap-up before we move to a break?
No, thanks, everybody, for attending. Thanks for all those questions. And yeah, iThemes Security has got your back. Thanks for covering all of that, and looking forward to the next session and
Tell us what you're going to cover in the next session.
In the next session, we are going to be looking at incident response: what to do when your site gets hacked. That if
Very good. And by the way, Sal, I did get your question in the chat. That's a question I'm going to put a pin in, and we'll come back to that tomorrow when we do more iThemes Security-specific training with Michael and Timothy. So it is about three minutes until two o'clock Central. So we're going to take about an eight-minute break. We'll be back at five after the hour, so 2:05 Central Time, and we'll be quiet until then.