WordPress Disaster Week: Session Four - Power Up iThemes Security

    9:52PM Mar 9, 2022

    Speakers: Nathan Ingram, Michael Moore, Timothy Jacobs

    Keywords: security, wp cli, site, theme, user, woocommerce, recommend, factor, lockout, log, hacked, run, question, plugin, cron, wp, check, enable, link, timothy

    Welcome back to hour two of day two of Disaster Week here on iThemes Training, sponsored by iThemes Security Pro. We've had a great hour of training just before this, lots of great questions and answers with Michael Moore. In this hour, our presenter is Timothy Jacobs. Timothy is the lead developer for iThemes Security. He's also a WordPress Core contributor and a maintainer of the WordPress REST API. Welcome, Timothy, really excited to have you here today.

    Awesome. Thank you. I'm glad to be here.

    Absolutely. Well give us just a quick overview of what the next hour will cover.

    Yeah, so I'm going to go over, kind of at a high level, we're not going to get super into the weeds in terms of talking about actual code and functions and filters and hooks and things like that. But hopefully give you some examples of some cool things that you can do with iThemes Security that you might not have known about, that I would hazard to guess you probably don't know about. And there are code samples. And of course, the slides are available in the chat. So you can grab those later if you want to, and do some digging. But we're not going to be going super over, like, this is this function, and these are these classes and these PHP things. But just more show you some cool examples of things that you can do with iThemes Security. Very good. So

    if you can count on the more technical side of things. Yeah. So if you can copy and paste code into your functions.php, or a custom functions plugin, you can use this.

    Yeah, and actually, that's one of the things that I'll be mentioning in a slide, a plugin that I really recommend is the snippets plugin on wordpress.org. I believe it's called Code Snippets. And I have a link in one of my slides here. But it's a really great way for managing collections of snippets. And you can give them tags and things like that, to help keep them organized and turn them on, turn them off, stuff like that.

    Yeah, very good. All right. So the live captioning is back up and working, same link as the first hour, we did not change those links this time. So you can access the live transcript, if you would like, using that blue button down below the chat. I just verified that's working and typing as I speak. Also, the link for the day two, hour two slides is there in the chat room as well. I'm going to drop that in once again. And ask your questions as normal. Timothy will have a good Ask Me Anything at the end of this as well, if you're up for it. Absolutely. Yeah. So anything security related, whether or not it's part of this particular topic or not, you have the opportunity to ask your WordPress security questions of a real expert in the field. So Timothy, let me turn it over to you. And let's get started.

    Alright, yeah, so this is Getting the Most Out of iThemes Security, you could say in parentheses here, for power users. I'm going to link off to a couple of things first. This is a help article that we have about editing your wp-config.php file. And this is something that I'm not going to, like, cover how you go about doing, but we have a couple of different articles on the Help Center. And this is one of them. And we have some other places that you can look it up and work my story. There's lots of places, if you google how to edit my wp-config file, you'll find a number of resources to help you do that. I'm not going to show it, but there are a couple of things, these first few, which require you to edit your wp-config file if you want to use them. So the first thing we're going to talk about is feature flags. We have a way in iThemes Security that allows us to send out new features on a more experimental basis, so that users who are interested in testing the latest and greatest thing before it's 100% production ready can do so. Um, we don't use this feature often, though it's something we're going to be using more often going forward. And the way you do this is you enable it with the ITSEC_SHOW_FEATURE_FLAGS constant. And that's one of those constants that you need to set in your wp-config file. And when you do that, well, that is not the right screenshot. When you do that, instead of seeing the Hide Backend, if you look a little on the right there, there's a tab that says Feature Flags. And I guess I took a screenshot of the Hide Backend settings. But you'll see a Feature Flags page there, which does in fact have a list of experimental features that you can enable. There aren't any in iThemes Security right now. But this is something that Michael wanted me to tell you all about, because it's something we'll probably be using more often going forward. And we'll write about them when they become available, and if they become available, things like that. 
The other feature they wanted to tell you all about, and this one you probably might have heard of if you've talked with some of our helpful support folks, is debug mode. So this is a mode in iThemes Security that'll let you get some more diagnostic information about how iThemes Security is running. There are troubleshooting and testing tools that you can use, some that are a little more advanced than the ones that we show you in the Tools page in the iThemes Security user interface. You can view and edit raw settings data from this screen, which can sometimes be helpful when you're trying to diagnose more advanced and difficult things. And you enable this one with the ITSEC_DEBUG constant in your wp-config file as well. And so that'll show you this screen here. So you can see under Security, we have this new menu item called Debug. And up at the top of the screen here, we have this system info box that provides a whole bunch of, like, detailed information about your site's configuration, how Security is set up, things like that. And then we have this settings editing interface that I talked about. And so I've selected the Global module here. And if you wanted to, you would be able to go through here, you can see all the setting values as we store them in the database. And this includes some things that we don't even expose in the user interface. And you can go ahead and make edits here. And this is one of those things where, it's probably possible that you'll have a hard time breaking iThemes Security from this page, though it does look scary. We do the same kind of validation that we do when you interact with iThemes Security through the UI as if you're interacting with it through this page. But I would exercise caution. But this can be a helpful thing. Sometimes you just need to bypass the UI and get to something really quickly. 
Or other times when you have some other hidden settings that you want to be able to edit, or ones that might not necessarily be exposed to you right now, depending on how your site is configured. And then we also get this section here. That's the scheduler. So there are lots of things that happen in iThemes Security on a schedule, like flushing files, checking for outdated software, running the Security Check Pro scans, clearing up tokens, things like this, purging lockouts. And from this screen, you can run those manually if you need to. And again, this is a kind of more debugging thing, sometimes you're experimenting with different features, you want to be able to do that. Now you can do that. And you can even completely reset the scheduling system of iThemes Security from this page. And that can be helpful. Sometimes things get confused, and scheduled events go away, particularly if you are migrating things between servers and things like that. It doesn't happen all the time. But sometimes it does. And this is a place where you can reset that information.

    So yeah, next is Code Snippets. And this is what I was talking about. This is a really awesome plugin on wordpress.org. And for the next couple of code snippets that I'm gonna be providing, this is probably the way I would recommend using it. And also you can go in, if you have a child theme set up, you can use functions.php; if you have a site-specific code plugin already set up, you can do that as well. But if you're not comfortable with that, this is a user interface based way that you can kind of make those changes and keep everything organized. Okay, so let's get to one of them. The first one I want to talk about is the lockout screen. So this is the lockout screen that you get by default in iThemes Security. And there are a couple of actions and filters that let us make some customizations. The first one is adding custom actions. We have this itsec_lockout_action_links filter that you can use. And you can use this to add additional actions or additional buttons to the iThemes Security lockout page. And so I have this one set up where I'm using a mailto link that is pointing to, let's say, for instance, my support URL for my company. And I'm giving it a label of Contact Support. And then when a user gets locked out, they'll see the screen and they'll get a nice Contact Support link. And they can click on that link to get more help with their site. If they got locked out, or if they have users that got locked out, you can imagine how this might be helpful in certain circumstances. And you can also get more advanced with it. So I'm not going to dive into all of what this code means. But we can say we get information about the lockout that occurred that caused iThemes Security to lock out the user. And we can say, okay, let's only show the support link. 
So if it was an admin user that got locked out, and that's what's happening in this code snippet here, we're saying okay, if this isn't a user that can manage options on the site, don't show them this information. But for clients, let's say their client gets locked out, we can provide an action link on the lockout screen that gives them an easy place to hit email, or we could send it to our contact form, whatever. We can also render completely custom content on the lockout page. And so in this example, I have a YouTube video that I included in here. For me, this is just one of my favorite clips from The IT Crowd, but for you, it might be a tutorial on what to do if your site gets locked out. You might want to just have a lot more text, point to some other places, maybe even embed a help form that you have through, like, Zendesk or something like that. All those options are available to you. You can render, essentially, whatever you want here. The next thing I wanted to talk about was the security dashboard. So Michael did a great webinar about the security dashboard last year, I believe, called Maximizing Your iThemes Security Dashboard. And one of the things that he goes over is setting up client dashboards. So you set up an iThemes Security dashboard that is for your clients, and your clients can only see what's on that dashboard. And you would typically hide iThemes Security from them. But sometimes you might not be able to have that option, where you can just say to your client, hey, you don't have any access to iThemes Security; sometimes they want to see it. But sometimes you want them to see the dashboard, and when they happen to see a dashboard, you don't want them to see all the cards that are available in the dashboard. And so you can use this filter, the itsec_dashboard_cards filter, to remove certain dashboard cards from the list. So in this case, I'm removing the fingerprinting dashboard card, which is also known as Trusted Devices. 
And you can see now the Trusted Devices dashboard, excuse me, the Trusted Devices dashboard card no longer shows up in the Edit Cards interface. And so you can exclude any of those cards using that filter if you wanted to. Like I said, I would recommend, my preferred way to set up iThemes Security for clients is, if you need to give them administrator access to the site, to hide iThemes Security from them and set them up with a security dashboard. And you can check out Michael's talk here about how you can go about doing that. There's some other cool things that you can do as well. We have this framework called the highlighted logs framework. And this lets you

    give a little spot on the dashboard where you can have important log items get highlighted for you. And it'll show you the most recent time that this happened. So this is a code snippet that is registering a highlight that'll say whenever someone overrides two-factor using iThemes Sync, let's populate a notice for it. And so that'll show up in the security admin messages right there for you. And let's say Two-Factor Sync Override, I'll give you a description. And if you see that little three dots on the side there, you can click that. And that'll bring you to the full details in the log for that log item. And you can see all the information about it. And so that's a quick and easy way that, if you want to highlight a particular log so that you see it all the time, you can do with that little code snippet. Another example that might be interesting is highlighting all the times when your clients log in. So you can highlight the most recent time that any of these users have logged in. I have this array here called clients with admin in it. And you could add the usernames of any of your client users or new users that you want to monitor. And we're registering a highlight for them that says when is the last time this user logged in. And then it will show up in the dashboard like this. And so you can see User Logging: the admin logged in, this happened March 9, two hours ago. You might be wondering how you can kind of, like, figure out that information about User Logging and the user-log-in. So yes, it would need the exact username for your client in that preconfigured code snippet. And so the way that you would get that information about the module or the code is you can look at the Raw Details section of logs. And you can see here the module, and you can see where I select it in the code, it's set to user_logging. And the code is user-log-in. And what I'm using is, instead of replacing the one, I'm replacing it with the user ID of user one. Check out 
another example, and this is one that we have a help article about, limiting the allowed two-factor methods. Something that happens occasionally for people is that they want their users to be able to set up two-factor. But they get confused with setting up the mobile two-factor method, where you have an app and Authy codes and things like that. And you want to keep that two-factor method available to you. And maybe it's your clients that you can teach how to use Authy and Google Authenticator securely. But for the rest of the users of your site, you only want them to use the two-factor email method. And so this isn't a setting that we expose in the user interface, because we think for most people it isn't necessary. But if you did want this kind of behavior, you could use this code snippet. So we're saying here are the allowed providers for this user. And if the user doesn't have permissions to manage options, they don't have permission to edit the site, they're not an administrator, then the only two-factor method they're allowed to use is the two-factor email method. And that'll hopefully let them set up and use two-factor without getting themselves confused with using Authy or some of these more complex things. And you can see an example here: I have this subscriber user that I've set up on my site, and the only two-factor method that they now have available is email, even though the mobile methods and backup codes are available for everyone else. Another cool thing is reCAPTCHA. So we try and integrate reCAPTCHA with a whole suite of popular plugins, like WooCommerce, out of the box. But we don't have support for everything. And we won't have support for everything, or if you have custom functionality in your site that you might want to protect with a reCAPTCHA. 
But what we do provide is a really cool API that makes it super simple to integrate with our reCAPTCHA API. You just call the display function and say whatever action you're protecting, and then you call the validate function with whatever action you're protecting. And iThemes Security will take care of everything else for you. And you'll be able to confidently say, okay, this custom form I have on my site, this custom email signup, or whatever, is protected by iThemes Security's Google reCAPTCHA. And this is just a couple of lines of code. But you can check out the Help Center article that I've linked there to see way more details about how this works. So you wouldn't need to change any iThemes Security settings with this reCAPTCHA snippet. The only thing you need to make sure that you do is to include the API keys and set it up as normal. You don't need to do anything else. Beyond that, you can just use this snippet anywhere. And to enable it in WooCommerce, you just need to check the checkbox on the iThemes Security page.

    So the last part that I want to get into is WP-CLI. WP-CLI is one of my favorite features of WordPress. And it is very cool if you're a more technical user for being able to move more quickly, especially when you're managing dozens or even hundreds of sites. wp-cli.org, as an example, is one of the documentation sites for WP-CLI, and it'll link off to wordpress.org documentation and some other bits of information about it. And this is a WordPress.tv talk that talked about WP-CLI recently, that I think is really excellent. I'm not going to dive into kind of the more cool things of setting up WP-CLI in general or how you can integrate it with other things. I'm just going to kind of show you some of the cool WP-CLI commands that exist in iThemes Security. But if this seems interesting to you, I'd really check it out. One of the things that's cool about it is that you can set up a WP-CLI command and a WP-CLI environment and have it run that command on all of the sites that you list. So if you manage 100 sites, you can have WP-CLI automatically run that command over 100 different sites, and different cool features like that for automating things and scripting things together. And I'm not going to, like I said, dive into how that works. But if that sounds interesting to you, I would check out that talk. That's the wp.me link. And I would check out wp-cli.org for some more general information. The other thing is that WP-CLI comes with built-in help for everything. So if you run the wp command with help, and then the name of the command after it, that will give you essentially information about how that command works. And so if you ever are at a point where, like, oh, what does this do exactly, you can run wp help and whatever command you're trying out, and it'll give you help for that. 
The first one that I wanted to talk about is actually not one that's built into iThemes Security, but is part of all of our products at iThemes, which is the iThemes licensing activate and deactivate commands. This lets you automatically license your site with the iThemes license without needing to go into the user interface. So if you have a site, for instance, that might be deployed with some special thing with Git deployment or things like that, and you want to script your setup process, you can do that using the iThemes licensing command to activate or deactivate your iThemes license. Here is a list of a bunch of the commands that exist in iThemes Security. And the way I was able to generate this is again by using that wp help command from before, so wp help itsec, and it'll spit out this list of commands for you. And I'm going to take a look at a couple of them with you here. The first, along that thought process of setting up a new site with iThemes Security, is the import and export commands. So if you didn't know, in iThemes Security seminar though, that we released just recently, there is a completely new revamped import/export feature. And one of the things that it comes with is a whole suite of WP-CLI commands. And one of those is for creating a new export. So we can run this wp itsec import-export export create. It's a bit of a mouthful. But you can copy and paste that to create a new export. So you can see that example here, we're creating a new export, we're giving it a title called security template, we're including the specific sources, and we're saving it to an export.json file. And then when we set up a new site, we can pass it the path to that export.json file. And so that can help if you're setting up new sites really frequently, and that's something that you've already scripted as part of your setup process. You're already using wp core install, things like that. 
And you want to figure out, hey, how can I set up iThemes Security for this new site, you can do it using these two commands. There's further steps you can then do, you can enroll that site in Network Brute Force. And so that's our network of all the sites that are running iThemes Security that band together to prevent attackers from getting into your sites, and they share a list of banned IPs. And you can enroll into that with just one WP-CLI command and get that site set up with it.

    Another cool feature, and something that I have used actually kind of recently, with WP-CLI and iThemes Security is you can use it for kind of getting detailed information about what just happened to your site. Maybe you suspect that there was a hack going on. Maybe you suspect there is an unauthorized login, something like that. You can quickly go through the log items through WP-CLI. And this is one of those features that is why we recommend that you always store your iThemes Security logs in the database. At least, you can store them in the database and in files; I would recommend storing them in the database at minimum, because then you can do this kind of advanced searching to figure out what's going on. So here I'm searching for all the times that a user has logged in, in the User Logging module. And if I was looking at this list, I could notice immediately that something was off. There's this log item down here that says, oh, that's an IP address that I didn't recognize. Maybe I should dig in more there, search more based on that IP address. I could also scroll through and see all of the recent lockouts that happened. And so this is beyond just a list of active lockouts that you'd see on the security dashboard. But this would show you the most recent 10 lockouts that happened. And if you wanted, there are other WP-CLI commands that you can run to show more, show less, filter by dates, things like that. And those, again, you can find in the help for the log command. And you can lastly go and dive into way more detail. So I'm now getting log information about this particular log item that I found. And I can see that it was a brute force attack, I can see what information they provided, how they tried to log in, I think it's kind of, just like, detailed information at the tips of my fingers. If I'm an advanced WP-CLI user, that can help me when I'm trying to go quickly and recover from maybe a hack that just happened on my site. 
You can even integrate with the geolocation services that are built into iThemes Security, particularly if you're using Trusted Devices. So we might have got that IP address that looked a little bit suspicious. I can type wp itsec geolocate and that IP address, and it will tell me the latitude and longitude of that IP address. And it'll give me a label associated with that IP address. And so it's saying that this is an IP address that exists in Singapore. I can also look through recent bans that happened. So maybe I want to check, is this a ban that iThemes Security was able to do automatically. I can see okay, these are the last bans that happened in the last week or so for my site. And I can review those, I can see how they were created, when they were created, where they're stored. And if I wanted to, I could even create a ban myself from this interface by saying ban create, giving it the host name. And I can even give it a comment that says why I added this banned IP. And I can integrate with lockouts as well. So I can see, let's say, my client says, hey, I can't get into my site right now. You ask them what their IP address is. And then you can look through the list of lockouts filtering by their IP address, you can say, oh, that's that IP address, this is the lockout ID, let's release it right at the command line. And I don't even have to log into my site, digging through the user interface, I can just quickly SSH into it. Again, with kind of, like, looking into your site, recovering after a hack, you can run the site scanner from iThemes Security. And so in this first example, it's saying it's clean, there's nothing wrong. But you could see in a second example that it tells you that there's vulnerable software, and then you know that you can dig in with the log commands to figure out what's going on in more detail if you want to get more information. 
But you can get a quick high-level overview and initialize your scan immediately from the command line. You can do the same thing with File Change. For instance, you can run the File Change scan, and it will give you helpful progress as it says, okay, this is what seven meant, now this is what step I meant, now it's only, and so forth. And this is a great use case for WP-CLI, because your site won't time out, usually, over WP-CLI. When it's running as WP-CLI, it can run this process for minutes and minutes and minutes without there being an issue. But we have to do all sorts of complexities to make sure that it doesn't time out when you're doing it through the user interface.

    You can also interact with kind of general features in iThemes Security. So if I wanted to activate the backup module, I can do that from the command line by running modules activate backup. I can edit certain settings. So I see the interval setting is listed as three days. And maybe I want to change that to only back up once a week, I could do that quickly from the command line. And I can even do some cool things with two-factor. So I can say, let's remind the user that they need to set up two-factor, and give it the user ID to send them an email to. I can manually enable two-factor methods for that user without needing to log into the site or log in as their user, I can just set it for them from the command line. And I can even reconfigure a two-factor method from the command line. So let's say my client comes and tells me, hey, I'm out of backup codes. I ignored all the warnings, I didn't generate new ones, can you send me new backup codes? You now know how to do it by just running this WP-CLI command. And you don't have to figure out their username, log in to their site, things like that. And you can just run a WP-CLI command to get it for you. And lastly, we have a suite of tools. So these are the tools that we populate in the Advanced section of iThemes Security. But you can also run these via the WP-CLI command line as well. And you can see all the different tools that we have listed there. And if we wanted to, for instance, regenerate the server config rules, we can do that by just running tool server config rules, and we'll regenerate everything for you. And so that's it for me. This was kind of, like, a quick overview of some of the more cool and advanced things that you can do with iThemes Security. And I hope it was interesting, maybe got your heads spinning, like, hey, maybe this is something that I could do with iThemes Security, or new ways I could speed up my workflow, particularly those of you that have dozens and dozens of sites that you're managing. 
And I think learning WP-CLI and learning some of these more advanced features of it is one of the best ways that you can take your skills to the next level, and really accelerate how you work.

    Alright, very good. Interesting stuff in this hour. Look, I was muted. I'm having trouble with the mute button today. I apologize, folks. Great stuff in this last hour, Timothy. So we have plenty of time for Q&A here. And that can be about anything that we just talked about here in this last hour, or any other security related questions that you have. Just drop those in the chat room at ithemes.com/chat. We will remind you of that great special that's on your screen there. Take advantage of those deals on the plugin suite and on the individual iThemes plugins. Also want to remind you, before we get to Q&A, tomorrow, day three, I'll be talking about how to leverage all the stuff you've just learned over the last two days regarding WordPress security, and how to put WordPress care plans together and explain to clients why that's important. So if you are in business doing WordPress things, we'll be talking all about that tomorrow. And I'd encourage you to attend, 1 to 3 pm Central, same link that you've been using to sign on all this week. Alright, Timothy, we got a bunch of questions stacked up here, the first one from Casey X: What is the role of hosting providers in security? Should we really look to them to be the gatekeepers? Is it better to have a VPS or shared hosting? What would you recommend for hosting?

    So both. I would recommend a managed WordPress host, of course. At iThemes we recommend and really believe in Nexcess managed WordPress hosting. But there are a lot of different managed WordPress hosting providers that you can use. But managed WordPress hosting is the big thing that you want to be looking for. You don't want to be using $2 to $3 a month shared hosting. In terms of a VPS, I would say there are a lot of people who use a VPS that maybe shouldn't be using a VPS. I really wouldn't recommend using a VPS unless you are a technical user; I would recommend using managed hosting, because they can help you a lot with configuration and things like that. We do sometimes have people that come into support who have a managed VPS, but they don't really understand how it functions. And when something like their OpenSSL version is too old and they don't know how to update it and things break, they don't know what to do. Whereas if you're using a managed WordPress provider, they'll take care of that for you. And if those things I just said, like an OpenSSL version and things like that, you don't know what that is, I would recommend being a managed WordPress hosted user. In terms of what falls to the plugin and what falls to the host, I think it's a partnership between the two. You want the solid foundations; if your host is completely insecure, and they're not properly securing your network, there's nothing that iThemes Security can do to really protect you at that point, if just your actual hosting platform is insecure and can easily be compromised. But there are some things that iThemes Security will do much better than your hosting provider. Things like being able to provide monitoring features in your dashboard, two-factor, saying these are specific software that I want to have updated, update these plugins at this time. Those are things that we think work great at the plugin level. But of course, you want your host to be secure as well.

    Great, great answer. Great question. Let's see another question here from John M. John would like to know if there's a way we can view security incidents through Sync.

    So I think you could set up iThemes Sync reports to send you certain security reports. But I don't think we have as detailed a user interface on the Sync side of things for getting that information. So you'd really want to go through the logs inside of iThemes Security itself. What you can do is you can use iThemes Security's one-click, or excuse me, iThemes Sync's one-click logins. So you can go into iThemes Sync, and you can just click the admin button and you'll be straightaway taken into the admin area without needing to log in. And then you can dive into the logs there. But we don't have yet the same interface that exists in iThemes Security on iThemes Sync.

    Right. Let's see. William has a question here. The automated actions that you talked about earlier, do those work off of the server cron or the WP-Cron?

    So we actually use two methods. We prefer to use the WordPress Cron, and so that was what was showing in the ITSEC schedule there, Cron. So we try and use the WordPress Cron. If we detect that it's unreliable, we kind of have our own backup cron, but you really want it to be using WordPress's Cron. And then this is one of those things where if you're using managed hosting, they probably take care of it for you. You probably want to turn off WordPress's automatic cron and trigger it from a cron file. And most hosts will do that either at every one minute or every five minutes or something like that, and they'll do that for you. If you're managing your own VPS, this is something you'd have to configure yourself. And there are some articles on the web that you can find that will do that, to switch WP-Cron to being fired by the system cron, which you do want to do. But again, it's one of those reasons why I'd recommend using managed WordPress hosts, because almost all of them will take care of that for you.

    All right. Sal had a question when you were showing the snippet regarding limiting two-factor methods for certain users. What if you're using a third-party plugin for two-factor, such as Duo? Does that snippet work with third-party plugins?

    No, it doesn't. It only works for iThemes Security. And that's one of those reasons that I would recommend, if you're using iThemes Security, to use the two-factor methods built into iThemes Security, as you can take into account all of the iThemes Security ecosystem. And so you can integrate it with user groups and user logging, and those kinds of advanced filters and the dashboard and things like that. And you can't do that if you're using a third-party plugin for two-factor. That is only possible if you're using the built-in two-factor security methods in iThemes Security. All right. I would say that those two-factor methods are now available in iThemes Security Free as well. So you don't need to be a Pro user to get the base level of iThemes Security two-factor.

    All right. Again, if you have a question you haven't asked yet, we invite you over to the chat room at ithemes.com/chat. Ask any security-related question you have for Timothy here. Next question is from Roxo. Roxo is asking about WooCommerce support with iThemes Security. Roxo says there's not any sort of checkbox or anything for reCAPTCHA regarding WooCommerce. Is there any integration for WooCommerce with iThemes Security?

    Yeah, so for reCAPTCHA, the checkbox that you need to enable is just what places you want to protect. So if you want to protect the login page or the registration page, I think those are really the only two, I guess also the lost password page, that apply to WooCommerce. And then if we detect that WooCommerce is enabled, we'll provide those checkboxes and that same set of settings for WooCommerce. So it just works out of the box; you just need to make sure that you check whatever checkboxes for the features that you want, and you should be good to go.

    If needed, you can hand over to me, I can share my screen and show. So yeah, we do have a built-in integration with WooCommerce. If you do have WooCommerce enabled, you can take advantage of our passwordless login feature, and you have to click a special enable for that flow. But in general, you can just go to reCAPTCHA, and then go to settings, and then just enable it on these pages that you want to use it for. So the registration, login, just like Timothy was talking about, and that will include it on there. Or if using reCAPTCHA version three, you can actually have it use it on all pages. So

    Alright, there you go. So even though it doesn't specifically reference WooCommerce, those settings do work to protect those WooCommerce sections. Great.

    Yeah, basically, with the automated protections that we have, we want WooCommerce to always work. So if we didn't have that integration, when you logged in with WooCommerce, you'd get an error. So that just automatically happens. But if you want to show that additional passwordless login flow, we don't know if that's something that you necessarily want to have enabled or not, so we make it an option. But yeah, for reCAPTCHA, you just check the boxes; it's not mandatory. We let you enable it if you want to, we're not

    Very good. Let's see. William has a question here. I'm trying to figure out how to get my customers who use a support ticketing system on my WordPress site to migrate to two-factor. How dangerous is a subscriber role for accessing your site that's not protected by two-factor?

    So for subscriber users, the lowest level of permissions, it's not a huge problem for your personal site security. I would say if you have subscribers that are not public, you don't have public registration turned on, but these are approved users, there have been a number of security vulnerabilities that require any logged-in user. As long as it's a logged-in user at all, they're able to exploit some issues in certain plugins and themes, things like that. And so if you are manually approving users, then it is a security benefit to require those users to have two-factor, and it will help protect your site. If you have public registration enabled, then that is less important. One of the cases where I would say having two-factor is important for subscriber users, even with public registration, is if you are running a site on BuddyPress, that might be a social networking site, have forums, have personal messaging, where there's user data at stake. Even WooCommerce, where your users might be inputting credit card information and their address and their orders, things that might be sensitive. I would really encourage your users to have two-factor so that they're protected and their personal information doesn't get leaked because they were using a bad password or things like that. So my comment on this is always that two-factor is important for everyone. It's really important for your site's own security for users that are privileged to do things. But it's something that I would recommend to all users to always enable for all their accounts, not just if they're an administrator on a site.

    Yeah, very good. And in regard to two-factor that's supported by iThemes Security, Suman has a question about whether we could use Okta for two-factor in iThemes Security, and maybe we could just show what two-factor apps are supported.

    So Okta, I believe, is a custom kind of two-factor flow. It's not like Authy or Google Authenticator. And so those aren't things that you can use out of the box with iThemes Security. You could use it separately from iThemes Security and have it run alongside, and if you do, make sure to disable the two-factor module that exists in iThemes Security, but just know that you're not going to get that deep level of integration if you are using Okta. I would say that we highly recommend using Authy or Google Authenticator, or going through the methods that exist in iThemes Security; they're very secure. But if you do want to use something like Okta, just make sure that you disable the two-factor module in iThemes Security.

    Alright, there you go, Suman. Hopefully that answers your question. Let's see. Tom has a question here. Will iThemes Security help me after my WordPress installation has been hacked to repair the installation? Or has it? Let's see. Yeah, basically, can iThemes Security help clean up a hack?

    So there are a number of things, if you had iThemes Security installed already, that will kind of help you to figure out what was going on. Those are some of the things we talked about in those WP-CLI command sections: checking and saying okay, what login attempts were there, what lockouts happened, things like that. So we're going to help in that regard, and can also help with things like File Change to say hey, these are changes to files that shouldn't be there, they're unexpected, and point you in that direction for cleaning it up. I would say if your site does get hacked, we would recommend using a professional WordPress security site cleaning service, and not try and do it yourself. It's very easy, and I've seen many people do it, where they think they cleaned up their site because they went in, they deleted the user, they maybe saw there was this plugin that was created and they didn't recognize it, so they deleted it. And they said, okay, I'm good. And then their site gets hacked again. And that could be because, one, you didn't find the root cause, the actual reason why your site got hacked, the security vulnerability that attackers are able to exploit. And so they're just able to do it again, which is a massive problem. And oftentimes people don't fully clean up a hack. They say, oh, here are a couple of files here and there, but they don't catch everything. And sites get hacked; it's something that happens a lot these days. And I think customers can probably forgive you getting hacked once. But if your site gets hacked again, and again, and again, and again, because you didn't have it properly cleaned up by a professional, that is more of a problem. And so I would always recommend, unless this is something you have done dozens and dozens and dozens of times and you're a professional at it, I would recommend going to a service that does professional security hack repair.

    Robin is asking if there's any particular company you might recommend.

    Michael, I might know this, I believe we have a particular company that we recommend that I'm forgetting off the top my head.

    Sue said in the chat: We Watch Your Website. There we go. Yeah.

    I've recommended them several times as well. Thomas over at wewatchyourwebsite.com is excellent. He's helped me multiple times. Good folks. Let's see. While on the subject of two-factor, Sue just asked a question. She has a membership site that's using Ultimate Member, and members are view only. Do we need to have two-factor for them? They're basically subscribers, but can't even get to the dashboard.

    Yeah, so basically, what I said before: there have been hacks that just require any logged-in user. And if there is a logged-in user on your site, they're able to exploit it. And those hacks do exist there. They're probably about as common, I would say, these days as hacks that require more privileges. There are a lot of attacks that just say, as long as you have a logged-in user, you're able to exploit this. And so I would recommend it. And I would recommend it particularly for things like members, and just from recommending good security hygiene to your members, to be able to say okay, you can comfortably talk about sensitive topics in your membership or provide sensitive information like your home address, or part of your credit card number. And if you're going to do that type of thing, then you should use two-factor as well, so that an attacker can't log into your site and get that personal information about you. So really the only case where I would say that it really doesn't matter is if you just have public site registration, and the only thing that users can do on your site is leave comments on public posts. Then I would say, okay, it's all public information anyway, and if it's public registration, an attacker can register their own account. But really, in all other cases, I would highly recommend it. Is it required? No, but I would highly recommend it.

    Good stuff. All right. I have one final question here. So if you have a question you haven't asked yet, and you were waiting to the last minute, it's the last minute, so ask your question there in the chat room at ithemes.com/chat. William's question, Timothy, is: are there certain system requirements that iThemes Security Pro requires to run effectively on a server?

    PHP 7.0, and I would say just being able to run WordPress comfortably. We don't publish any particular RAM requirements or memory requirements; I'd say probably 64 megabytes of RAM is probably fine. iThemes Security isn't a super heavy plugin. The heaviest thing about it is the File Change module. And so if you are running on a more resource-light environment, I would just disable File Change. And besides that, you should be good to go in pretty much all environments, as long as you're running PHP 7 or later, but we do recommend PHP 7.4.

    All right. I believe that brings us to the end of our questions. Anything from either of you guys that you want to say as we're wrapping up?

    I don't have anything now.

    All right, one question coming in. Heather, if you've got it, type it quickly. Okay, it's coming in parts. I have had an issue with a theme...

    The theme has been flagged by iThemes, so I'm assuming there's a vulnerability perhaps, but there's nothing wrong with it, she says. Okay, any idea about that?

    What do you mean?

    I would say reach out to, if a developer says they fixed everything, they need to reach out to WPScan and tell them about it. They try and keep it up to date, but it's a difficult process. So if your theme developer says they fixed the problem, then they need to reach out to WPScan. Beyond that, we can't really help with that. We source the data from WPScan. If your developer is saying there's nothing in fact wrong with it, and they didn't make any changes, I would be a little bit worried. WPScan is usually pretty reputable in terms of only having vulnerabilities that are real. If WPScan hasn't updated the database, you just need to ask your theme developer to reach out to them. I know with the recent hacks, or excuse me, the recent security vulnerabilities in, what's that library that just got attacked? Freemius. Freemius. Freemius, yes. With the Freemius vulnerabilities, they're managing like 500 or something plugins and themes that were vulnerable. So they might be getting, I think, a lot of things coming their way. But yeah, there's nothing we can really do on our end to have that permanently changed. What you can always do is you can always mute the vulnerability, if you have double-checked and triple-checked that it's no longer a thing. You can mute the vulnerability in the iThemes Security report. Well, yeah,

    So I'm trying to post a link to the help center, and I posted the wrong link. Help, Site Scan, to show how to mute the vulnerability. Chat. There we go. There's a section there, how to mute.

    Ah, very good. Yeah, and this is very much a thing like, triple-check, quadruple-check. Yeah, 100% confident. And

    this is the thing: disagreeing with what constitutes a vulnerability. The theme developer is probably wrong, but without more information, it's hard to make any conclusions.

    Indeed. All right. Great. Great question. Great answer. Yes. Let's see. There was another question. Here is one more question here. What PHP extensions, Timothy, would you recommend disabling for security purposes? Are there any PHP extensions?

    I don't have a list of particular PHP extensions that I'd recommend disabling. As long as your PHP distro is up to date, you should be fine. There aren't any particular ones that I'd say no, you shouldn't be running this; just make sure that all of them are up to date. And again, another reason why I'd recommend using a Managed WordPress host, because they'll keep your PHP installation secure and all of your other software secure. And if the PHP version on your site isn't secure, iThemes Security won't be able to help you. So please use a Managed WordPress host and let them keep PHP up to date. If you're going to do it yourself, you just need to make sure you're always on top of having it up to date, but there are no particular extensions I would say, hey, you shouldn't be running that. Anything that is on PECL, I think you're fine.

    All right. One last question regarding muting those security alerts. Paul asks, is that forever on that plugin or theme, or just that version?

    It's for that particular vulnerability. Yeah. So if there is a new vulnerability that happens in that plugin or theme, you'll still be alerted to it. It's just that particular vulnerability.

    Right. Yeah. So each of those gets a number in the WPScan database. So it's just that number that's being flagged, is that right?

    Yeah, that number, that version. Yeah. Yeah. Very good.

    All right. Well, I believe that wraps us up. Thanks again, guys. Really great. Great talk today. Great answers. And folks, we'll be back tomorrow, same time, one o'clock to three o'clock Central time. I'll be talking about taking all the things that we've learned over the last couple of days about security and building WordPress care plans for your clients based around iThemes products. I did mention in the chat a couple times here during the Q&A: if you love iThemes Security and you'd like to give a testimonial about iThemes Security, you can email us at updates@ithemes.com. Send your testimonial and we'll send you some swag as a thanks. One more reminder: if you don't have licenses for some iThemes plugins and you would like those, iThemes Security Pro or BackupBuddy or iThemes Sync or BackupBuddy Stash, there are great deals going on right now, 35% off those individual plugins. The direct purchase links are over there in the sidebar beside the chat room. And also, if you want all the things, you can get the Plugin Suite 40% off using the code DISASTER40 as well. Those deals are good through the end of this week. Well, thanks everybody again for joining us today. I'll see you back here tomorrow at one p.m. Central for our final day of Disaster Week here on iThemes Training, where we go further together.