Hunter was misbehaving earlier, so hopefully it will not give me a problem as we're starting. We'll have the transcript going momentarily for you if you'd like to follow along there as well.
All right, captions should now be working for everybody. Cybernetics, welcome. Mark from Jamaica, glad you're here. Bonnie's saying she's missing something that the bad guy did last week and she wasn't notified. Ah, interesting. So Bonnie has had a challenge recently. Mark's biggest challenge is file changes: how to know if they're good or malicious. Christian: how to avoid code injection in WordPress. That is a big problem for sure. Oh, not recently. Okay, so not recently, Bonnie, but just in case. Got it. So again, welcome. If you're just now joining us in Zoom, I see our attendee count has ticked up significantly. Glad to see everybody coming in. If you would like to download the slides for today, open up the chat. I've just dropped in our link bundle once again there. It has the link to today's slides as well as the replay link that you can go back and review or share out after we're done, if you'd like to do that. The check-in question for everybody is: what's your biggest concern in WordPress security? I'm glad you're here. We have Thomas Raef, an expert in the topic, all ready to talk to us about the three-dimensional strategy for WordPress security. So Milan's greatest concern is which hosting provider has the best security. We may not be talking about brands in particular, but we will be talking about some things to look for, so if you have concerns, you can talk to your individual web host about that. So we're just about ready to get started with this live stream; we'll get kicked off here in just about 10 seconds. Glad you're all here, welcome. Dropping our link bundle once again, if you're just joining us there in the chat, you can download the slides. It's three minutes after, so let me start the recording and we'll dive right in. Good afternoon, good evening, good morning, wherever you happen to be across the world.
Welcome to another iThemes Training live stream. Today we're talking about WordPress security, and we have an expert in the field with us to talk about the three-dimensional strategy for WordPress security. My name is Nathan Ingram. I'm the host of iThemes Training, and I'm joined today by my friend Thomas Raef, the founder of We Watch Your Website. Welcome, Thomas. Glad you're here with us today.
Yes, I appreciate the opportunity. It's always fun talking about website security.
Without a doubt. And as I was just thinking, Thomas, I think you and I had our first contact probably almost 10 years ago now. I reached out to Thomas because in my early WordPress days, probably more than 10 years ago, I made a fundamental error by having many, many WordPress installs all in the same cPanel, and one of them got hacked and I had about 50 hacked websites. I had no idea; I didn't know any better then. So I found Thomas, and Thomas came in and saved the day, had me all cleaned up in about 24 hours with all those websites. And we've kept in contact ever since. So Thomas, really glad you're here with us. Tell us a little bit about We Watch Your Website and what you do there.
I started We Watch Your Website in 2007. It was the result of originally starting to work on a security box that I would sell to small businesses in the Chicago area, where I lived at the time. The box would prevent small businesses from being hacked. That led me down this path of de-obfuscating, like decoding, the JavaScript and PHP code that hackers were using, and I was like, you know what, this is kind of cool and I think I could automate this process. So off I went. And so, obviously, since 2007 we have removed malware from over five and a half million websites. Wow. Yeah. People ask how that is possible. Well, early on we had Bluehost and HostMonster, JustHost, HostGator, a whole handful of the big popular ones back then. They had told all their tech support people: anybody calls in with a malware issue, send them to Tom. So I automated as much as I could and we just kept going from there.
Amazing. And today you're watching over 6 million WordPress websites.
Just over 6.2 million as of today. What that involves is analyzing the logs and doing file monitoring in real time; any files that are changed or added get analyzed by our system. So that's what we're doing today. It gives us a lot of insight as to what the hackers are doing.
For sure. All right, so we're talking today specifically about this three-dimensional strategy for WordPress security. Can you give us an overview of where we're headed over the next hour or so?
Yeah, basically, the three dimensions. Somebody had mentioned in the Q&A at the start there, hosting: what's a good hosting provider? Hosting does play a role in WordPress security. We're not going to be talking about specific companies or brands, just what to look for. So hosting is one of the dimensions. User management is another, whether it's passwords, who gets access to admin, 2FA, all sorts of user-oriented topics there. And I also want to talk about keeping your site itself safe and secure, things that you can do to your site to help lock it down. So those are really the three dimensions for this particular presentation.
Yeah, excellent. So we have a lot to talk about over the next several minutes together, and I'm really happy, Thomas, to have you on with us today. Let me give a couple of housekeeping details and we'll turn it over to you. If you're just joining us in Zoom, welcome. We're glad you're here; pop up in the chat and say hi, tell us where you are logging in from. We'd love to greet you. Also, in the chat you'll find the link bundle, which includes a few things. First, today's slides: if you'd like to have a copy of the slides you're viewing on the screen, you can download those with the Google Drive link there. Also, this is being recorded, and so we'll have a replay of this event ready about a half hour to 45 minutes after we finish today, at the link that is there in the link bundle. That's a public link, and if you want to rewatch yourself or share with someone else, you're welcome to do that. And last of all, iThemes is in the process of becoming SolidWP, so that rebrand in public is happening. A month or so, six weeks away, you'll start to see iThemes Security becoming Solid Security, BackupBuddy will be Solid Backups, and iThemes Sync will become Solid Central. That rebranding is happening and we're excited about it. You can learn more about that at SolidWP or our YouTube channel. One final thing: this is a live webinar, and if you're watching with us live now, we'd encourage you to take advantage of all of the expertise that is in the head of Tom Raef. We're going to be talking about a lot of things, but if you have security questions, you're welcome to ask those. The best way to do that is not in the chat but instead in the Zoom Q&A. If you mouse over the shared screen, a little row of icons will appear; you can click the Q&A icon and that'll open up the Q&A window. I would just encourage you to keep that open throughout today's webinar. You can ask questions there.
Or if you see someone else's question appear that you also have, you can click the thumbs-up icon to upvote that question, and we'll take those questions in the order of upvotes when we get to the end of the presentation today. So with that, I'm going to disappear. Thomas, take it away.
All right. So primarily today, besides the three dimensions, the whole gist of this, the whole angle, is prevention. That's why I use this quote from Benjamin Franklin: an ounce of prevention is worth a pound of cure. Because you want to lock down your site as much as possible. I know people say, well, if nobody got hacked, you wouldn't have a business. Well, I'm sure I'd be doing something else. But regardless, today's world is what it is. So this whole thing is going to be centered around prevention. First I want to talk about the hackers' attack surfaces. There are six different things laid out here. Outdated WordPress, which really isn't as big a thing as it used to be, but it is still a thing. Vulnerable plugins. Vulnerable themes; keep in mind themes use different libraries, and when those libraries are updated, it becomes a problem. It could be a point of entry for the hackers. Commonly used passwords, and that opens up a whole can of worms itself. Stolen credentials: we're seeing a lot more in the news about info stealers. When hackers use info stealers, they infect your local device, put an info stealer on there, and it grabs all sorts of information. So that falls under stolen credentials. And then we also have cross-site credentials. As Nathan had indicated, when he and I first met, he had a shared hosting account. I don't know if it was 50 or not, but there were a lot of websites on there. The problem with that is that all those websites share the same file system, so it means the same permissions. A hacker gets into one and they can infect all 50. We'll get into that a little bit more in a minute here. Now, outdated WordPress, as I said, is rare in today's world, but it does happen.
Frequently when I talk with people, agencies and so forth, they say, oh, we try and combat that as best as possible because at least once a week we're scheduled to check for WordPress updates and apply them. A week? I mean, that means if a new update comes out on Monday and you don't update until the following Sunday, in today's world that gives hackers an eternity to find your site and infect it. So it really needs to be something more than just a once-a-week utility. Plugin incompatibility: a lot of times people say, I don't want to update WordPress automatically because if I have plugins that are incompatible, it makes the site look all wonky. Same thing with theme incompatibility. The problem with that is that you're going to have two choices. You can have a site that you have to attend to right away because it doesn't look right, it's all wonky, or you can have an infected website. Sorry to say, but those are your choices. So you need something that's going to help you. A, you have to be notified when there's a WordPress update, and B, you have to take steps: you do a backup, update it, check the site, make sure everything's fine, and then move along from there. And I've got number four on here, waiting too long. Some people do it once a week as part of their normal maintenance for their clients. That's just waiting too long. And number five on there, to be honest, I came across some people even recently whose WordPress core hasn't been updated in probably a year, and they're wondering how their site got infected.
There's only one answer: you're lazy, you waited too long. So outdated WordPress is one of the attack surfaces for hackers, because not everybody is on top of things. Then vulnerable plugins. I put right up at number one that this one has an easy remedy: keep them updated. Don't wait. It's one of those things where, with iThemes Security, you're integrating their system or service that monitors your plugins. It lets you know, hey, there's an update for this one; if you don't update now, you're going to be vulnerable, and it's got reminders and so forth. So that's something that's easy to implement, and that will take you off the low-hanging fruit for the hackers' attacks. Also under vulnerable plugins I've got go to the source. To be honest with you, out of all the sites that we've cleaned, there's probably only a handful that I know have been infected through what they call nulled plugins: somebody makes a plugin and they charge for it, and somebody else copies that plugin and modifies the code slightly so that it's no longer paid. You don't have to pay the original author, and they sell it for a lot less. The problem with that is they don't keep the plugin code updated, so it could be vulnerable right off the bat. So I put it at number five on there: if you find it valuable, just pay for it. Don't look for ways of getting around it. And I'd encourage you, if you hire outside developers, make sure your developers are following sound practices. If there's a plugin that they think would make your site number one in the category, and it's a paid plugin, make sure that you're paying for it. A, the author deserves it if you find it valuable, and B, it's going to provide you with updates and so forth.
As far as vulnerable plugins go, it all depends on the timing. We recently worked with Calvin Alkan from Snicco on how sites were infected over a 60-day period. It was nearly 150,000 websites over a 60-day period, and it was because of the Elementor add-on plugin vulnerability. Right now there aren't any major, massive plugin vulnerabilities like that one, although if you read the iThemes report that just came out today, I forget the number, I should have had that, sorry, but I think it was like 90 plugins have vulnerabilities, and again I should look it up, but there's like 60 of them that haven't been updated yet. So in a case like that, you've got to jump in. You've got to take a look at this for your customers and say, hey, is this a must-have plugin? If so, should we contact the author? What can we do to nullify this problem until the author creates an update for it? One thing that's hopefully going to come across today is that WordPress security is not a set-it-and-forget-it part of the business. So, vulnerable themes. As I said before, themes use libraries. For example, TimThumb. Some of you who have been in this business for a while probably remember TimThumb; I think it was one of the biggest exploits ever. It was huge. Yeah, okay, it did create a lot of business for us. But it was a library that was included in a lot of themes, and people just never realized it until it was too late. Themes use child themes, so you don't have to worry too much about breaking a theme if you do update it. But update early, update often.
That's kind of a play on terms we used to use for voting in Chicago: vote early, vote often, because there's always voting scandals in Chicago. Anyway, I digress. It's an easy solution, because you can use a child theme and keep it updated. Check at all times for any updates in any libraries. You really need to be on top of this. And if you have the iThemes Security plugin, it does a lot of this work for you by keeping you up to date: hey, you've got an outdated plugin; hey, this plugin is vulnerable, there is an update and you haven't done it yet. So look at the tools that are available to you and make sure that you use those and implement them. Another of the hackers' attack surfaces is commonly used passwords, and number one is same username, same password, different sites. This is one of the things I really enjoy about iThemes Security: the refuse compromised passwords part of it. There's a site called Have I Been Pwned, and it's spelled just like that except pwned is P-w-n-e-d, dot com. What that guy has done is he finds the databases of stolen user accounts that the hackers are selling in the dark market and compiles all that information. So you can go to that site, plug in your email address or addresses, and it'll tell you if that email address has been compromised in a data breach with some website, and it'll tell you what website it was. There's a lot of information there. But the key part of this is that this is also part of iThemes Security: it will refuse to let you use a compromised password. Because a lot of times what people do is, okay, I don't want to remember all these, I don't want to use a password manager, so I'm just going to use the same password with my email address across all my logins; that way I only have one to remember. The problem is, as soon as that gets compromised somewhere,
hackers add it to their database, then they start brute-forcing all sorts of sites, and eventually they'll get a hit on some, and hopefully it's not your bank site, hopefully it's not a WordPress admin login that you have access to, because regardless of what it is, they're going to take advantage of it. So I frequently tell people to use password managers. Kathy Zant, who I believe is on this webinar here, just did a YouTube video: if you use Chrome as your password manager, you have to be careful of the extensions. It's very critical that you're not just downloading and installing 15 or 20 different extensions that you have no idea about, that you've never used, but you just don't want to have to remove them, so you leave them on there. Well, those extensions can become vulnerable, and if you're using Chrome as your password manager, you're going to risk getting things stolen. So you could use 1Password, KeePass; there's a bunch of password managers. But I wanted to focus on this for this slide because, like I said, the one part of iThemes Security that I really like is that you can refuse compromised passwords. Their system checks that database and sees if you're trying to use a password that's already been compromised somewhere. Stolen credentials: this particular one could possibly be the biggest sleeper in the bunch here. A few keys here. The first one is you have to make sure that everyone gets their own login account. If you're handing out admin accounts to your WordPress sites, make sure that everybody has their own account. This probably doesn't have as much to do with prevention as it does cure for this particular part. But too often we see where somebody doesn't want to create an admin account for everybody.
Each developer, you've got an SEO guy, maybe you've got a graphic designer who needs access to your site, so you just give everybody the same one. Well, if somebody isn't careful on their local computer and that admin account gets stolen by an info stealer, then you have no idea whose computer is vulnerable, whose computer has been infected and is getting the credentials stolen. If everybody has their own, then we can see in the database, or through iThemes Security user activity, who logged in. Then you can just look at the IP address. If you know that Sharon in Tallahassee, Florida is normally logging in from down there and all of a sudden there's somebody from, I don't know, Siberia (even though Siberia has IP addresses, maybe I'll have to check on that), so maybe somebody used her account and logged in from Siberia. Now you know that something's wrong here. Unless she's doing remote work from Siberia, it's probably her username and password that has been compromised. If everybody's using the same one, or you have a bunch of people using the same account, now you don't know if it's her, if it's George in Seattle, if it's Fred up in Quebec, Canada; you have no idea where they're at. So make sure everybody gets their own account. It's a hassle, but just make sure you do it. And again, with iThemes you can set it so that it'll remind you to delete that account, or the account will actually expire after a certain amount of time. So if you give it to some developer, George in Seattle, and he's only going to need it for like two weeks, set it for a two-week expiration and then you don't have to worry about it. All this has to do with the fact that info stealers are on the rise. Hackers are stealing everything.
Some people say, well, what I do is I hide the user login, the wp-admin or wp-login.php. I hide it so it's something different; they'll never guess that. Well, here's the problem with that. It's good to have layers of defense, but the problem with that as the sole strategy is that typically these info stealers are more than just a keyboard logger. They actually know what site you're using those credentials on, so it gives them the URL, the username and the password, and it sends it to them. We can tell from activity logs that it takes them about six to eight seconds once they steal credentials: it sends it to the hacker servers, their servers are set up to just automatically use those credentials and that login URL, log in, create a bogus admin account and maybe drop some backdoor shell scripts on the site, record it, and then move on to the next site. That's how automated the hackers are. From the best we can analyze the information, it takes them about six to eight seconds from the time it's stolen until the time it's used. Also, people logging in on open Wi-Fi; you go to your coffee shop. I used to do this years ago when I lived up in Chicago. I'd talk to the local coffee shop and say, hey, I do security, can we do a little demo here in your store? I set up a fake Wi-Fi access point named the store name, but I knew that I had a stronger beacon than they did, so people would log into mine and I could show them on my screen everything that they're looking at. A lot of times I could add inbound stuff to their browser; I could change words. So I set it up so that I could search for every time
the words Cubs lost or Cubs lose appeared and change them to Cubs win. So everybody in the store that was connected to my Wi-Fi access point, when they went to see the Cubs score, saw Cubs win, when in fact they didn't. That's how much control a hacker can have. Now, that's a whole different scenario because the hacker would have to be local, but there are people who steal those login credentials through open Wi-Fi and then sell them to the hackers on the black market. So stolen credentials is huge. 2FA helps with that, and we'll get into that a little bit later. 2FA helps, but it's not the end-all, be-all for this. The big thing is you have to keep your local computers, all local computers, whether contractor, employee, whoever, safe. Then we get into cross-site credentials. Number one, I just put on there shared hosting equals potential disaster. As Nathan said, that's how he and I met years ago. He had a shared hosting account, and once one got infected, it's all the same system user for all 50 accounts. So the hackers get in on one and they have access to everything on that account. What we used to see a lot was hackers would play games. I'm sure it wasn't just us, but I think they liked playing their games for a while. Let's say there are 50 websites. They would come in on, let's say, website number 10, and they would infect that. Now they have access to all 50, but they found an opening on 10 and suddenly realize, hey, we have access to 50 sites. Okay, so we're going to infect sites 10, 20, 30, 40 and 50. So they infect those, and somebody like us is scurrying to try and get those sites cleaned, and then they reinfect them again as soon as we get them cleaned, because we never found their original point of entry.
It just goes on and on like that. Then they're like, okay, now we're going to mess them up; now we're going to do all odd numbered, or increments of five, like 5, 10, 15, 20, 25, 30, whatever. We're going to infect those sites, and they just keep going back and forth. So on a shared hosting account, you have to make sure every site is buttoned down. Every site has good user management on there, because for the first 10 sites you've got George in Seattle as the developer on there, and then for 10 through 20 you've got the lady down in Tallahassee. You have to make sure that everyone involved is locked down as tight as possible, because on a shared hosting account you really have no control. We're actually considering not offering our service anymore on shared hosting accounts because it is so doggone difficult. So what's the solution to this part? Each hosting account should have its own file system user. In the cPanel world, if you're into that, you've got a VPS or a reseller account where every site has its own cPanel user. It's more expensive, sure, but you're safer too, because that way, if hackers get into one of your sites, that's the only site they have access to, unless again you're using the same username and password across all of your cPanel accounts, and then we go back a few slides and you can read that over again. But everybody has to have their own file system space. That's the best way to protect it. And whether you've got your own cloud server through DigitalOcean, Linode, Vultr, whoever, it doesn't matter, but you have to make sure that every website has its own file system.
So, some solutions here. I put this one at number one because a lot of people in my industry feel that blocking user agents is a waste of time. I don't know how many of you know this, but each browser, each version, etc. has its own user agent string that's recorded by the access logs. Being that we ingest so many access logs every second, every day, we see the user agents coming from not-nice IP addresses, and blocking by user agent is an extremely effective way of blocking bots. For instance, today, while I was going over these slides to prepare, I was looking at some logs, and out of 100,000 log entries that I was analyzing at the moment, 97% of the ones that came from bad IP addresses also had a user agent string that could have easily been blocked. Now, when I refer to the user agent string: I believe the current version of Chrome right now is 115. So if you've got a user agent string that has Chrome version 54, well, I'm sorry, but if I have a user coming to my site and they're using a browser that's that outdated, am I going to mind blocking them? Probably not. Are they going to be a good customer? Are they going to be a good visitor to my site, being that they're so outdated on their browser? It just doesn't make sense. So you can block by user agent, and it is extremely effective. As I mentioned earlier, two-factor authentication is a great step to take, and you can do that through iThemes Security, because it adds another layer of complexity to the login part. Now some people say, oh, it's a pain in the rear end. Well, that's fine. So is having a hacker log into your site with an admin account that's been compromised and messing your site up really bad. So you've got to choose your poisons there. But two-factor authentication is a good step in layering your cyber defenses.
As I talked about earlier, privilege escalation with the expiration date. You can give somebody admin rights to your site, but make sure that through the iThemes Security system you set an expiration date on there as well. User logging: what do the users do when they log in? What are they doing? We just had a situation where hackers had stolen the admin credentials from a dev's local computer, and they were logging in and uploading a plugin, because we could see it in the logs. They were uploading a plugin, running it, and then deleting the plugin. So you go to look for the plugin and it's not even there, but you can see in the logs that somebody had uploaded it, activated it, accessed it and then deleted it. Without user logging, again a nice feature of iThemes, without the logs you're just guessing, because there's no evidence. And I have last on here, protect your endpoints. You have to make sure that all your devs, anybody who's logging into your site with admin rights, has good, strong antivirus on their local computer. Even Macs. I know, I'm getting lots of eye rolls right now from people like, oh no, Macs are safe, I've had a Mac for years and it's never been infected. Well, it's like people who have carbon monoxide in their house: I never knew. Do you have any carbon monoxide detectors? No. Then how would you know? So if you don't have anything to detect the virus, you don't know that you don't have a virus. You can say, well, my system isn't doing anything funny. Years and years ago, hackers used to do stuff like open your CD tray on your computer just to let you know that they were in, and they were just messing with you. But hackers don't do that anymore. They want to lay low. So everybody needs good antivirus, even for Mac.
A good one is Sophos, S-O-P-H-O-S; they have a free version for Mac users. There are some compatibility issues with a certain version of the Mac OS, anyway. But get something and run it, and make sure that it's running well. Because the way these antivirus programs work is, let's say you just ran a full scan and it's Wednesday. Tomorrow, hackers release a new virus. Just for the sake of argument, let's say the antivirus companies pick it up on Friday. They create a signature, boom, they push that signature out to all their users. So from Friday forward, you're protected from that new virus. But if you already have the virus on your computer, it's not going to be detected until you run another full scan. That's why it's critically important that you run daily full system scans of your local devices. I saw, it might have been in Kyle's group, somebody was asking about putting together a scenario where he would have all his people do a virus scan every day and then upload a screenshot of it or something like that. There are some solutions there, some I've been looking at endorsing or recommending, but not quite there yet. I'm not looking for an affiliate link; if I'm going to recommend something, I want to make sure that it's a good product that I can vouch for. So anyway, make sure that everybody's running a full system scan. Sometimes people tell me it takes forever. Then set it up to run at the end of the day or something, lunchtime, pick a time. It's going to take some time, but cleaning out a hacked website takes time too. So again, pick your poisons.
So some of you may know this, blam. But then I want to open this up for questions and answers. Hopefully there's a lot of questions. I started focusing on website security in 2007. And real quick story, some of you have heard this already: at that point, I was blogging like every day about new infections that I was seeing. And so one day I get a phone call from a guy and he's like, Hey, I'm very technical. I saw this blog post you wrote yesterday. My boss's personal blog just got hit, sounds like from the same thing. What can you tell me about it? I need to help him. So I spent a good hour or so on the phone with the guy and we finish up and he's like, Alright, thanks, appreciate the help. Next day he calls back and he's like, Hey, just want to let you know that information you gave me was spot on. Helped my boss's WordPress site, and we got everything cleaned up. I said, yeah, that was awesome. And he says, I see that you host with us. Mike, are you? He's like, I'm Alex Lundqvist. I'm a level three tech here at Bluehost; my boss is Matt Heaton, the founder. How'd you like it if we started sending you some business? So that's what got me really, you know, that was my springboard and it just kind of went on from there. Now Bluehost eventually was acquired by a large conglomerate who also happened to be connected to a competitor. So we got kicked out, but that momentum stayed with us. So we have removed malware from over five and a half million websites. And some people say, well, that would be so many blah blah blah a day times 360. I don't care what the math is. I just know how many we've done. So yeah. We actively monitor 6.2 million websites. We're looking at file changes, any files that have been added or modified. And we're also grabbing their access logs, and a few others sometimes.
We also grab the error logs just so we can see what hackers are trying and failing miserably at. Our system ingests, again, I get pushback on this sometimes too, but I don't care, facts are facts, our system ingests 20 million log entries per second. Per second. So that's a lot of access logs. We're analyzing this information in as near real time as humanly or computingly possible. But that boils down to 1.7 to 8 trillion log entries per day that are analyzed. So we see trends. We see a lot of things. Now I'm not saying that we have 6.2 million websites that are on our paid plan. As some people will say, well, then you should just buy an island somewhere. But I have no interest in buying an island. The internet connectivity is probably terrible. But we also have our freemium plan, where we will monitor your server, your web server, but we don't tell you... if you have a website that's attacking other websites, we'll tell you, hey, this website is attacking other websites. But we're not going to tell you where the infection is, what files have changed. We're just going to tell you that, yeah, that site's infected. And you need to either restore from backup or go on our paid plan so that we can remediate it for you.
Let me jump in here, Tom. Just to mention, everybody, in the chat I've dropped in a little bit more information about We Watch Your Website and their pricing page, three different options there. And I would strongly recommend you check this out, especially if you are managing a server on which you have many client websites. There's an annual plan that protects all the sites on the server for a flat cost, so good information there. wewatchyourwebsite.com, and I'd strongly recommend that you take a look at that and let Tom and his team go to work for you, and not have to worry about the file level issues. So Tom, we have a bunch of questions stacked up here, and let me just invite everybody, if you haven't already opened up the Zoom Q&A, do that and just kind of scan down that list of questions and press the thumbs up icon for any questions that you would like to have the answers to, and we'll start to go through those questions now. Again, make sure you take a look there, wewatchyourwebsite.com. I can't recommend Tom and his team more. Thank you, Nathan.
All right. So first question is from an anonymous attendee, just a question about that freemium plan. Does it use different tools than iThemes Security does? Could you use both together?
Yes, and yes, we do. One of the reasons why I've always liked iThemes is that they don't conflict with us; we don't conflict with them. They offer things at the application level that we don't. We're looking at protecting the server or the hosting account from a different angle, using different methods. So it really is a nice, harmonious way of protecting your site, using both services.
Yeah, and that kind of folds right into the structure of the talk today, the three dimensions of WordPress security being the server level, WordPress application level and WordPress user level. We Watch Your Website works really great at the server level and it's watching all the actual files, whereas iThemes Security and the Patchstack scan is looking at your installed themes and plugins and doing things like, if a theme or plugin is vulnerable, it'll let you know even if you haven't been hacked. iThemes Security will let you know that that's a vulnerable theme or plugin, and in the Pro version, if the patch is available, it will actually immediately, in an automated way, patch that theme or plugin for you as it scans your site twice a day. So they work really well hand in hand. iThemes Security also does great user security, including integrating passkeys. Let me just drop this link in the chat. There is an upcoming webinar with Timothy Jacobs, the lead developer for SolidWP. We'll be talking about the passkey implementation with Solid Security, iThemes Security. We were the first WordPress plugin to integrate that and it works really, really well. So take a look at that. That's upcoming next week, next Tuesday at the same time. Moving on to our next question here from Milan: the saying goes that security should be at the server level, not inside WordPress. What do you think about that?
I believe in defense in depth, which means you need to approach it from every level. I chose to go at the server level because that's my comfort area. I'm a server guy from way back. So I chose to go that route, but you do also need it at the application level, where it's doing things like user logging and adding additional layers of protection at that level. From a server level, we can see what plugins there are. And people have often asked me, why don't you just write your own stuff that works like Patchstack? Well, because Patchstack and the iThemes integration works so well. Why bother? Just use those tools and I don't have to worry about it. We do what we're good at. Let others do what they're good at. And we all live harmoniously.
Absolutely. Yeah. And again, the way iThemes Security implements security goes hand in hand with the server level security that We Watch Your Website offers. It's a great team. There's a couple of questions here from Elizabeth. Elizabeth has a bunch of sites hosted on Nexcess, which is another one of our Liquid Web companies that does managed WordPress. And she's wondering if they share the same file system. Elizabeth, I'll just jump in and say, in most managed WordPress you'll want to make sure with the actual provider, but I can tell you for sure that at Nexcess they're separate. It's as though they're in separate walled gardens of their own. Some managed WordPress hosts may not do it that way. So if you're not with Nexcess, you may want to just talk to your host and make sure of that, but in your specific question, Nexcess, they do have separate file systems. Yeah. Next question here. I have a potential client whose website is flagged as having malware by the Malwarebytes app. Other malware tools tested don't show a problem on the website. Is it a false positive? How do you deal with that? What's your advice about that?
Malwarebytes does from time to time have false positives. What I would do is go to a site called virustotal.com. You'd have to pick the URL option on the front of their screen there and plug in the URL and let it go at it. It'll check that website against 90 different antivirus companies. Interesting.
That is a great resource.
Yeah, and I'm pretty sure Google bought them a couple years ago, VirusTotal. But yeah, it's a great resource. Again, it won't tell you where it's infected. It'll just tell you that these antivirus companies have detected something malicious on there. Interesting. Other than that, ping me outside of here, you've got my email address there, and I'll scan the files for free, just to let you know, is there an infection or not?
Yeah, thanks for that resource. That's a good one. Okay, question from Stacy, and Stacy, I'm having a little trouble deciphering what you're asking here, so I'm going to take my best shot at it. Stacy has a client who logs into the WordPress admin panel from the hosting account, so in this hosting account there's like a quick link to log into WordPress admin, right? Apparently, because her admin account was set up first, that's the account that the quick link selects to log in. Is that a risk?
No, other than the fact that, again, going back to these infostealers. We see a lot of hosting accounts in cPanel; there's a file in the root of every cPanel account called .lastlogin. And it records, I think it's the last 20 logins into that cPanel account. And if you open that file, you can just read it like a text file. It'll give you the date and the IP address. So we've seen a number of times where hackers have stolen the username and password to the hosting account. And at that point, then they have access to logging in as an admin, all sorts of bad things from there. So if Stacy's asking if her sharing that first account is a bad thing, I would say yes. I would encourage her to create a separate account that only she will use and not have it be the one that's used from the hosting account. Yeah, makes sense.
Yeah, it sounds like, Stacy, that this situation is, I would encourage the client not to log into WordPress through the web host, because at that point the world revolves around that web hosting credential, right? So if that gets exploited somehow, now they've got your host, they've got your WordPress, they've got all the things. Yeah, and probably a client shouldn't be logging in. Typical clients shouldn't be logging in with a WordPress admin account anyway, so I would make it easier for him to log in at the WordPress level. But yeah, yeah.
iThemes has the magic link, right.
Yeah, passwordless login would be great for this situation. Yeah. All right. We have a ton of questions here. Moving to the next one, from Milan: does a VPN give you a security advantage when logging into your site? Is it good to use a VPN? No.
Next question. No, I don't believe, I never have believed in VPNs. Basically, what it's giving you, if you're infected, it also gives the hacker an encrypted channel right to whatever you're logging into. It doesn't block out the fact that you still have to use credentials to log in. And the problem is that if they've infected your local computer, it all comes back to that. If they've infected your local computer, they have keys to the kingdom, so they could actually log in through your VPN from your computer. And you'd never know. Yeah, I don't know. I've never been a big fan of VPNs. I understand a lot of people love them and use them mostly to hide their IP address, but I just don't believe in them. I'm sorry.
Interesting. Yeah. Okay, so John has a question about protecting small business owners from these infostealers, and actually shared a link that is completely terrifying. We shared the story on our news roundup here last month about this new attack, it's an acoustic attack, where people can actually listen to the sound of your keyboard and with 95% accuracy reproduce what you typed. That's just terrifying, right? What would you say? And again, we could do a whole live stream on just this. If you'd like to wrap up a good piece of advice for small business owners about being protected from infostealers, what would you say?
Again, have really, really good antivirus programs. And I'll take it one step further. If you're on a Windows system, it's easy to combine two different antivirus programs. So my typical go-tos are the free version of Malwarebytes, and you can pick Avira, Avast, AVG, Bitdefender; any of those will play nicely with the free version of Malwarebytes. So typically that's what I run on my Windows boxes, Bitdefender and Malwarebytes. Because what one doesn't catch, the other one's probably gonna get. On a Mac, it's different, because the Mac doesn't like sharing responsibilities like virus protection, so it's a lot more difficult to do on a Mac, but on a Windows box, make sure that they've got good, strong antivirus. And I would also go so far, because phishing attacks are becoming much more sophisticated, that whatever they're using for email, if it's Google or 365 by Microsoft, that somebody look into amping up their phishing detection, because hackers will. They're very smart. They're very good at what they do; their life depends on it. So they're gonna try every trick in the book and phishing is one of the big ones.
For sure. All right, we have a couple of questions about user agents that are stacked up. First, Stacy, I've just dropped the link in the chat from the iThemes Help Center on how you can use iThemes Security to block various user agents. So there's a link there that'll answer your question. And Sarah has a question, Tom, just if you could give a simple definition of what is a user agent.
A user agent is a string that is sent from the browser to the website, identifying what browser you're using, what operating system, are you a Windows or a Mac person. And you can Google user agent strings to make it easy, and you'll see a whole list of them. The first one that comes up here is desktop user agents. How can I drop this in the chat?
Ah, you can type in the chat. I don't think it'll let you drop a file, or you could put a link in there.
Like, let's see here. Sorry.
There's a user agent. Can you see that?
There we go. I just dropped it out to everyone. Okay, there we go. Yeah, so that's saying it's basically Firefox, right? It's Mozilla/5.0. It looks for a bunch of different user agents. Yeah.
Yeah. But you see, this one identifies it as Chrome 42. Yeah. So this is a way outdated version of Chrome.
Yeah, it's essentially the software or app through which someone is visiting a website.
Right.
All right. So hopefully that helps. Let's see. Beth has a question here. How would you say, Tom, that managed WordPress, like Cloudways, is different than shared or VPN or dedicated server in terms of security?
She probably doesn't mean VPN, probably VPS.
Yeah, I may have mispronounced. Okay.
So if she's mentioning Cloudways in particular, or people like Cloudways, GridPane, CyberPanel, RunCloud, take your pick. They try and do that. I shouldn't say try, that sounds bad. They work to provide a certain standard level of security to protect your website. If you're getting your own VPS or dedicated server, like from DigitalOcean or Vultr, you can install WordPress on there. You can install the MariaDB or MySQL database. You can set up everything yourself, but all the basic standard stuff is left up to you to protect. So like disabling PHP in the uploads folder, various things like that; a lot of the common best practices are going to be left up to you. So unless you're really strong at the server level, I would suggest that you look at some service like the aforementioned and stay away from doing the server stuff yourself.
Yeah, good. All right, we'll just start wrapping things up here. There's a couple more questions I'm going to pick from the list. We're not gonna be able to get to all these questions, folks. I apologize for that. If you're a member, I'm back of course for office hours tomorrow and happy to get into some of these questions. But, Tom, there's a couple of questions here just in comparing We Watch Your Website to other services like security, or Imunify360. How would you say what you're doing is different than those folks?
Okay, I'll take Imunify360. They install a lot on your server, so they're using server resources to analyze things, collect data, things like that. We put very minimal stuff on your server. Basically, we're only using standard Linux programs. We just configure them our way to get us the information we need. And then we grab the... a case in point: some of the recent malware we've been seeing, the backdoors, is heavily, heavily commented with junk, non-standard characters in the comments, comments placed in between variable names, and I mean, it's a mess. And that particular one has been flying by, so far, every malware scanner that we've tested it against, because just when you think you've got a pattern for it, it's different in the next version. So in order to analyze a file like that, you've got to consume server resources, which I refuse to do. So when we detect a file has been added or changed on your site, we grab that file, analyze it on our servers, and then we can make a 100% decision, negative or positive, is it malicious or not? And then we take steps from there. So that's one of the big differences. Imunify, I've known Igor for years. In fact, we were at a cPanel conference together down in Fort Lauderdale, Florida, and we have mutual respect. So the strategic differences: he does malware scanning differently than we do, except we do it offline. They do it right there on the server. The way he goes about protecting things... my big thing is blocking bots. And that can be done effectively with the IP addresses that we block and the user agents. But we have a lot of customers who use us both. So one doesn't block the other by any stretch. Yeah.
Well, thanks, Tom, so much for your time today, for your expertise, for answering a bunch of these questions. If they want to reach out to you, just one more explanation of how they can get in touch with you and how you can help them.
You can email me at traef, T-R-A-E-F, at wewatchyourwebsite.com, and just so everybody knows my last name, Raef is fear spelled backwards. Yeah.
That's fantastic. Well, folks, I can personally recommend Tom and his service. If you email that address, you will get him and he does a great job at watching your website. So Tom, thanks once again. Folks, we'll have this replay up in about a half hour, 45 minutes from now, if you want to go back and rewatch any of this or share with someone else. The URL, let me just drop that one more time in the chat. The link is the second one there for the replay. So Tom, thanks again. Thank you all for being with us as well. We'll see you back here tomorrow, members, for office hours with me here on iThemes Training, where we go further together.