I'm here with the pre-show. 100% my fault. Glad you're all here. We have Tom Ray from We Watch Your Website here with us again for a security roundup here on Solid Academy. Glad you're with us. As you're coming into Zoom, pop up in the chat and say hi, tell us where you're logging in from. There is no slide link today. This is just going to be a conversation with Tom and I. Finishing up getting the captions connected; those should all be working now for you if you'd like to enable those. Hey, Doug, Elizabeth. Welcome, glad y'all are here.
Hey Stacy.
Again, welcome, welcome,
everybody. We're here to talk about WordPress security today. We have an expert in the field once again, Tom Ray from We Watch Your Website. Lots of, dare we say, scary things to talk about today. It is Halloween, after all. That's a great day for a security roundup.
Yeah. Oh goodness.
Let's see. No slides today. Again, folks, it's just going to be a conversation.
should be a good one
as there's always something to talk about with WordPress security and the creativity of hackers.
It's amazing. It really really is.
John, am I a ghoul or a goblin? That's a good question. I've got to ask my wife about that. Depends on the day.
Okay, Doug has
a joke. Why did the website get a lot of trick-or-treaters? Why? It had too many cookies. Yeah, there it is. Right. Thank you, Doug.
Wow, I like that. That's actually good, Doug.
Wow. I was gonna use a different adjective. But thank you, Doug. It's all uphill from here, that's all I can say. So we're just about ready to start. Glad everybody's here. We're talking WordPress security. I'm gonna go and get the recording started. Once I get the recording started, we'll dive right in. Well, good afternoon, good morning, good evening, everybody, wherever you happen to be. Welcome to another live stream here on Solid Academy. It is the WordPress Security Roundup with our friend Tom Ray from We Watch Your Website. Tom, so glad you're here once again to talk about WordPress security. How are things in your world today?
Oh, they're pretty good. I'm in Knoxville and it's actually kind of chilly today. But it is that time of year, so we'll take it. Yeah,
I woke up here in Birmingham and it was in the 40s. We don't usually get that until a bit later. It's kind of nice, actually, walking outside. So it is Halloween. It is October 31. And in the scary theme of the day, we're talking WordPress security and the many things that hackers continue to do to exploit our favorite CMS. So Tom, let's just talk for a minute. For those of you that aren't familiar with Tom, tell us a little bit about yourself and what you do at We Watch Your Website.
Okay. I started We Watch Your Website in 2007 to address the growing demand, driven by hackers, for protecting websites. We don't do just WordPress, but, you know, is there any website made without WordPress anymore? I doubt it. But we cover Joomla and all sorts of different platforms. What we do, especially with the WordPress community moving more and more to servers, you know, DigitalOcean, Vultr, OVH, Hetzner, etc., is we install our software on the server so that we can stream your log files, various database actions, and file changes. We stream all that to our server, so the resource usage on your server is minimal. But we're still able to gather basically everything that happens to your server. We know about it and we can watch it.
Yeah, so that's the name:
We Watch Your Website. Yeah. Approximately how many websites are you watching right now?
We're watching over 7.5 million.
So one or two? Yeah, just a few websites. And with that much data, it's easy to see trends that are happening, and some of the tactics that are being employed right out of the gate by folks who are trying to exploit WordPress and other platforms. Yeah,
it's alarming to see. Sometimes we see new things and you kind of scratch your head like, why would they be doing that? And then you dig through some more. Some of this is manual analysis, but you dig through it some more and you're like, ah, now I see. And then you can write a rule to look for that and build it in and identify it, and you're like, wow, this happens a lot. So yeah, it's fascinating.
Yeah, absolutely interesting. So folks, this is just gonna be a conversation today. It's not a presentation. There are no slides. Tom and I were talking in the pre-show about some of the emerging trends that he's seeing as they're monitoring millions of websites, so we're going to talk through some of those. It's an open forum. So if you have questions, I invite you to use the Q&A there in Zoom. Just mouse over the shared screen, click the Q&A button, and I would encourage you to keep that open throughout, both to ask a question that you might have along the way, or, if someone else asks a question, you can upvote it using the thumbs-up icon that will appear right there under their question. We'll just keep that open and we'll be watching those questions and doing an integrated Q&A throughout. I'll try to keep the questions roughly in the same vein as the conversation at that moment. And then we'll do kind of a wrap-up Q&A at the end. Your questions can be about anything related to WordPress security, so we'll do our best to get those answered. So Tom, what's on the plate today? What are you seeing happening across the website security landscape?
Well, what we started to do last week was
gather all the
information from log files for this year. And that came out to a total of 302 billion log entries. Billion with a B. Yes, it's a lot of data. And we are going to start pruning that. We'll gather information off of the log entries and then start pruning it, because otherwise it gets cost-prohibitive to store that much. But one of the things that led me down this path was, I hear various people in the WordPress security community use superlatives like, you know, 95% of all sites are infected due to plugins, outdated plugins, or just things like that. Or people will say the majority of sites are infected every month due to outdated plugins and themes and so forth. And I was just kind of like, well, is it really? You know, we've got the data. So we went on this deep dive, because when you think about the reality of hackers, the last big exploit was the Essential Addons for Elementor exploit, which hit a lot of people. We wrote about that. But that's been the last big one. Now every month, you know, people like Wordfence and Patchstack and WPScan and a variety of companies out there report on new vulnerabilities, but none of them have an impact that's noticeable like the Essential Addons one was. But that doesn't mean that hackers go on vacation when there's no major exploit, like, oh, okay, let's go to the sunny beaches of the Black Sea and dip our toes in the water. I mean, they're always looking for ways in. But part of the problem is that these other companies aren't looking at log files. Because if you're a plugin, you don't necessarily have access to the access logs. It depends on the setup, but most of them don't have access to the access logs.
And it would be too much to try and analyze them on your site, because there's a lot of analysis to do. So, like I said, one of the scenarios that we look at is stolen session cookies. And Nathan, please stop me, you know, when I start rambling like this. I'll start throwing out terms that maybe not everybody is familiar with. So if you hear me say something, just stop me and ask me to describe it better.
Yeah, we'll circle back around to that. Okay. So
they're using a stolen session cookie. That means that they stole it from somebody who was logged in previously and had a virus on their computer or whatever. And it stole the session cookie and sent it to the hackers. And now the hackers are trying to use it to authenticate onto your WordPress website. So when we see that somebody has used a stolen session cookie to, like, install a plugin, edit a theme, whatever the case might be, we need to then backtrack and see in the log entries for that website: did somebody legitimately log in prior to that? With WordPress, a session cookie, the authentication cookie, is normally valid for 48 hours, unless you click on the "Remember Me" checkbox when you're logging in; then it keeps the session cookie alive for two weeks. I may have mentioned before two months, but no, it's two weeks. So then we have to backtrack through the last two weeks of data to see who logged in legitimately, and is it within that two-week or 48-hour window? So that we know that, yes, this was definitely a stolen session cookie.
Yeah. So let's pause there to circle back for a minute, because this is a new trend that you're seeing in WordPress exploits. So let's just talk for a minute about what a session cookie is.
Okay, a session cookie. Once you log in, WordPress creates a session cookie. What that does is, when you're logged in as an admin, you can bounce around from your settings in the WP admin dashboard to, you know, pages, posts, any of those other options on the left-hand side, without having to re-authenticate over and over again.
Yeah, so basically this is a text file that WordPress drops into your browser storage in some way. And it contains some details, including a timestamp of when you actually authenticated. And as long as that cookie is there, that is what we call being logged in, right? You have a valid session cookie in your browser. So this is why, for example, if you are logged in in Chrome and you start using Firefox, you have to log in again, because there's not a valid session cookie for that browser. Right on. Yep. And so what you're saying is there's actually malware; people's browsers get infected or their operating system gets infected by some vulnerability, and it can steal those cookies, and therefore be you. I mean, they've basically stolen your identity in some way, to be able to access that site.
Correct. And, you know, if you need validation of that, you can Google the term "info stealer." I think the last time I looked there were over 3 million search engine results for the term info stealer. And if you just read a few of them, you'll see how prevalent they are in the hacker world. It's basically a virus that gets on your system. When we go on the dark web to do some investigation, typically we'll see something where they'll advertise an info stealer and list it as FUD, which to many people means fear, uncertainty and doubt. But in the hacker world, it's "fully undetectable." So the hackers will sell these info stealers, and they'll give you a guarantee that it'll be fully undetectable for a certain period of time. So it flies under the radar. And what they do is they check it with virustotal.com, which is now owned by Google, so that they can check their info stealer against like 90 different antivirus companies. And it'll show zero out of 90. And so then they know. And if somebody buys an info stealer from these hackers on the dark web, not that anybody in this group will, and suddenly it's detectable, then the hackers will rehash it, recompile it,
and then
get you the new version. And you can check that one, and it'll be fully undetectable.
They're modifying the file a bit, so the heuristics in something like VirusTotal or whatever can't match it; it's not the same as it was before. So it's a new variant that has not yet been detected.
Right. So like I said, it flies under the radar, gets on your system, and you have no way of knowing that it's there. But it's stealing. You know, and the big thing with
the
session cookies is that, you know, web browsing is a session-less protocol, HTTP, so that's why you need something like session cookies in order to stay logged in, as you mentioned, Nathan, during your WP admin session. So they steal that, and it sends it off to the hackers. And if they use it within that 48 hours, bam, they're in. They can create a new user, because as far as WordPress is concerned, that's you, basically. Right. Yeah. It is you. It'll
be "Howdy Nathan" right across the top, and they can install plugins, because I'm an admin; they can do anything I can
do. Right, exactly. And they don't even have to go to the login page, which is why analyzing the logs is so critical, because they could just, out of the blue, if they have the session cookie installed on their system, go to plugin-install.php in the wp-admin folder, give it the parameters, and boom, guess what, it installs in plugins.
Yeah. And it's probably not going to be some guy in front of his computer typing this stuff in. It's going to be automated.
Exactly. The whole info stealer, you know, it'll send the session cookie to the hacker servers, where they're just sitting there waiting for the session cookies, and bam, it just logs in. It has instructions that the hackers have already loaded up, like, here's what to do. And it installs a plugin, which is typically a backdoor. It adds a new admin user, does whatever the hackers have told their server to do, and then reports back to the hacker like, yeah, okay, we're good now. And
that's terrifying.
It is, but like I said, I hate to give hackers credit, but they are some of the smartest people in the world.
If only they would use their powers for good and not for evil. Yeah, so let's talk a little bit. A lot of the folks that are listening to this are doing WordPress things with clients. So how does a person get there? I mean, we talked about malware or something on the computer that allows a hacker to steal a session cookie. What does that look like? What kinds of vulnerabilities would allow a hacker to steal a session cookie?
A lot of it comes from phishing. Phishing, yes, yes.
Yes. So they'll send you
an email, and I'll have to see if I can dig up the one, because my wife has been in computers for a long time as well. She's a data analyst. And I was reading her this email and she's like, wow, that sounds really official. And it was all about the fact that they're happy that I have decided to stay with them via my paid subscription for the next two years. And I mean, it was perfect English. And I had to, like, do a double take. I don't remember resubscribing to something, especially for two years, because, you know, nobody subscribes to things for two years. So I was like, wow. And then at the bottom it was like, here are the new benefits you can anticipate over the next two years. And it was a PDF. So, you know, obviously, I wasn't born yesterday, so I didn't open it. But I did download it and then I ran it through an analyzer, and sure enough, it's an info stealer.
Oh, gosh. So this actually takes me a slight step over in my mind, because one of the big things that is, to me, the biggest issue in the LastPass exploit last year was how website names and email addresses were stored in plain text in your LastPass vault. So all of those have been compromised. If you were like me, a LastPass customer, they have in plain text all the websites and the email address I used on those. And so it would be so easy to email me at that address, posing as that company that I have a relationship with, and drop in an info stealer
and ask you to change your password. You know, I mean, there's a site, Have I Been Pwned? Yes. And in there, if you put your email address, it'll tell you, and maybe you want to put that link up, it'll tell you what websites your email address has been
breached. And, yeah, there it is.
It's a great way to tell. We check that frequently when we suspect that a site's been infected due to a stolen username and password, because still a lot of people use the same email address and password across multiple sites,
but it's their favorite password. It's their puppy's name, yeah, letters and numbers, and the E's are replaced with threes, right.
All the T's are plus signs, and yeah. But you know, you can check on that site. You can plug your email address in there, and it'll tell you what sites have been breached where your email address was part of that breach. So now the hackers use that. They send you an email that looks like it's from one of those websites that breached your email address and say, hey, please log in here and change your password. We just went through a breach, and you need to update your information. And so you're like, I'm not going to do that. I'll just go to the real website. But a lot of people will just click on that link, and where that link takes you, you have no idea. It could be, you know, to gather what your new password is going to be. It could try and download an info stealer onto your system. I mean, it's just
not even necessarily, oh, I've got an out-of-date browser version, or I've got some Chrome extension that's vulnerable or whatever. It's a phishing attack.
It's greatly interesting.
Like I said, this last one that I saw, I mean, I know me, and I know I don't subscribe to that many things. So for this one to say you just recently renewed, re-upped, whatever, and for two years, I'm like, no way. Well, they offered me some really good deal, but I don't remember that. So
So on this conversation of info stealers, Doug just dropped an interesting question into the Q&A. He's running Imunify360 on the WHM platform; it comes as part of that. Imunify notified him this morning about detecting malicious files located on his server, and this sounds really similar to what you and I talked about before we went live. He said the affected file was located in root/etc/shadow. It was malicious code trying to hack mail accounts, an info stealer. The bad code has been sitting there since September of 2020, but was just discovered today. Is there something he should be proactively doing to trigger a more efficient search? Yeah, I
would. I'm not that familiar with the settings in Imunify360, but I would check on there to see. I mean, it could be that they just updated it. Last time I checked on Imunify, and I have mad respect for, was it Igor Seletskiy? I think that's the guy in charge of Imunify. Anyway, I'm pretty sure they base their malware detection off of signatures only, because their whole system resides on your server. So it's not like they could do a bunch of analysis to determine if it was malicious or not. So they're depending on malware signatures, and it could be they just got the malware signature for that. And it's been sitting there since 2020, but never detected, because they never had a signature for it.
Yeah. Interesting, but what a great example of some of the things like this that hackers are doing. Yeah.
Yeah. And, you know, look at the path that he said, where that file was found. It's totally outside WordPress, though, as he said, it was doing something with the email.
It seemed like it was scanning email accounts or exploiting email accounts. Okay.
Now, it could be too, there was that
not ionCube,
oh, yeah, the Round-something. Yeah. Roundcube. Yeah. Oh, now that was an exploit. Yeah. Yep. So I know a lot of hackers were looking for that Roundcube. Yeah, there you go.
I bet that's what it was, if I had to guess. Yeah.
It'd be. Yeah, interesting. So yeah, I
mean, they're always trying to get in. And, like I said, the type of analysis that we run on the log files, again, that's not something a plugin could do. Now, could a plugin handle it in other ways? Sure. But just with all the backtracking and everything that's necessary. I talked to one guy and he's like, oh, that's regression analysis. I'm gonna stay away from that term. You know, you are regressing through the logs. But as I recall from statistics from many, many moons ago, regression analysis was something different, but
So what other types of exploits are you seeing surfacing?
We're seeing a lot of attacks. And part of the whole session cookie thing is they can also attack the
WordPress API.
Diving down that hole and looking for stuff on the dark web, yeah, I mean, hackers have known about attacking the WordPress API since it became available. I'm just finding out about it. But that's another situation where, with the stolen session cookie, they can just send a command right to the API. And it'll create a user. It'll install a plugin. It'll install bogus themes, all sorts of stuff, in just one shot.
And we're talking about the REST API here, right?
Correct. Yes. So like, one of the things I was looking at here in my notes was /wp-json/wp/v2/users/ and then their command. So
yeah, it's and,
you know, keep in mind, all of this is different than when hackers steal usernames and passwords, which they still do. A lot of the info stealers will steal the login URL, the username and password, and send that as a tuple of data to the hackers, and it contains everything they need. So I still think that people should consider hiding the WP admin login. It's not a bad thing to do. It's a good step, just to keep the script kiddies away. But keep in mind, with the way the hackers are working now, it doesn't really matter. So, when you log into a site, one of the first things that you'll see in the log files is an access in the wp-admin folder to load-styles.php. So you'll see the hit on wp-login.php, and then one of the first things you'll see is load-styles, because it's loading the styles for the dashboard. Whereas when you see an attack with session cookies, you don't see that. It's just, here's my thing, I'm already authenticated, here's my command, just do it. And the other thing about stolen session cookies is it bypasses 2FA. What's 2FA? Well, you're already logged in, right? 2FA is an additional step in authentication. You already authenticated, so it bypasses 2FA.
Interesting. So yeah, my
mind is going in many directions here. Part of me is fascinated by how they're doing this, part of me is terrified, and the other part is, okay, how do we practically deal with this? So you know, I know a little about WordPress security; I would never call myself a WordPress security expert.
You know, what?
Yeah, so Elizabeth is suggesting changing salts. And yeah, so the WordPress salt is used to generate the session cookie, correct? Right. Yep. So it wouldn't affect it. Let me think what Elizabeth is after here. Maybe an effective strategy would be changing the default duration of the session cookie, so maybe it's only good for 30 minutes or whatever. That's a possibility.
How would you suggest we deal with this?
You guys are gonna love this.
Log out. Who logs out?
That's so 1984. Come on, Tom. It works. Yeah, I mean, seriously,
it totally, instantly expires the session cookie.
I have to say I never, ever log out. Okay, poll in the chat: how many of you routinely log out? I just want to hear yeses if you do that. I'm gonna assume that you don't because you're like me and Stacy. Okay, who actually logs out? Elizabeth, Tammy. Okay. A few people. Really? Okay. All right. It's just me. I'm the laziest. I cannot tell you that, unless I'm testing something, I can remember ever just logging out. What a terrible thing.
Let's quote a song from the 70s: You've got to change your evil ways, baby.
100%. Okay, that's, yeah, all right. Logout instantly expires the session cookie.
It's so simple. I mean, yeah, it requires breaking a bad habit. I totally agree with that. But then it's done. It's gone.
Yeah. And really, it's,
I'm gonna guess that those of
us who are listening to this conversation are, okay, I am probably not going to be as likely to fall for a phishing scheme as perhaps my client who would fall for anything, right? And those clients are never going to log out. So, you know, that's a broad brush, but it's a broad brush for a reason. Right. So I know that there are plugins that will allow you to specify a different length of time. Is that a decent mitigation?
Yes, it is. Because you're taking it out of the hands of the user.
And stop me if I'm going off into an area that's not acceptable here, Nathan, but
Calvin Alkan's
Fortress handles this perfectly.
You can set a session time on there. So, you know, if you're working along, as long as you're doing things in that session, you're fine. You don't have to log in again. Once you log out, or once you close that window and there's no more activity, it forces the logout automatically. And he's building other stuff into that so that you can
prevent the
He and I talk all the time about it. Like, so what if a hacker gets this or that, and this and that happens, and then something out of the blue happens, what can be done to stop that? So we chat all the time about it, and I think he's onto something. That could, I won't say save the world, but could do a lot here. So yeah, like I said, when you look at all the complexity of the info stealers, getting an info stealer on your device, and then stealing the session cookie and using it in a timely manner so that it doesn't expire, and all this other stuff, and then you think, oh, all you have to
do is log out, and,
I mean, it instantly expires the cookie. So, yeah. And yeah, you can also clear cookies. Well, I think that clearing cookies in Chrome only clears them off your system. It doesn't expire them, as I recall. But so yeah, if you cleared all the cookies off your system after finishing up a WP admin session, that would get rid of them so the hackers can't steal them off your system. But like I said, these stolen session cookies are also what's used with some of the
WordPress management services.
So you log into, you know, ManageWP, MainWP, elements, there's a bunch of them. I know Solid has theirs as well. But if hackers steal that, now they have access to all your websites, because they can log in to the management console, do what they want, push out a bogus plugin to all your sites, and
then they're done. Yeah, that's
yes. 100%. And that's worth looking at: what is the security level of those services? Asking questions of support. I just dropped into the chat the plugin that we use on a couple of sites where you can set the default WordPress logged-in time. These are high-security sites for companies that exist in the security world. I think we have those set for four hours currently. So even if there was a session-stealing attempt there, that would only be good for four hours, max. Right. So that's better than nothing, but still.
Yeah, some of them that we've seen in the log files, we'll see where somebody has legitimately logged in. Like I said, we know where this website owner is, and they legitimately logged in to their WordPress, did some, you can see in the log files, they did this, they did that, updated plugins, so on and so forth. And when they finish their session, because they didn't log out, and you would see the logout in the log files, you don't see any more activity from them. And then within 15, 20 minutes, you see an IP address from Outer Mongolia hit plugin-install.php with a bogus plugin name, and you're like, wow, that didn't take long. And the other thing too, I mean, you figure, okay, when hackers install an info stealer, they basically have control of your local device. We've had a few cases in the past 30 days where a legitimate admin is logged in, and in these two particular cases specifically, while he was logged in, bogus plugins were being installed from his IP address. Oh, they piggybacked the session and were installing bogus plugins on his site from his device while he was logged in. That happened. Well, because that's how much control they have over your device; if they can install an undetectable info stealer, they can install remote control programs, and they just kind of temporarily take over. I mean, I hit him on chat while I was cleaning the site. I'm like, I'm looking through the logs, why did you install that plugin? He goes, I didn't. Normally, it's right there, and he goes, I swear to you, I did not install it. So I'm like, what? And then, yeah, so we finally had him basically rebuild his computer before ever logging in again. And it never happened again.
Wow. All right. So let's talk about, I mean, now that we've terrified everybody,
myself included,
let's talk about prevention. So it sounds like first, obviously, don't click on stupid links. That goes without saying. But what can, Stacy says she's ready to retire.
Okay, so at the
let's just talk first from the operating system level, your Windows machine, your Mac, your whatever you're running. What do you recommend as far as security software that would detect these info stealers? Right, if they've been detected,
right? The
you know, if you did a Google search on me and you look back, I don't know, six, seven, eight years, you'd see numerous times I tell people how bad Microsoft Defender was at detecting anything. Like, I could create a sample virus on the spot and run it through Microsoft Defender and it wouldn't catch it. Now, Microsoft listened to the community, and Microsoft Defender is now one of the best antivirus levels of protection you could get for a PC. Now, I still recommend that on a PC you would pair that with Malwarebytes. Malwarebytes plays nice with everything. And there have been times where what Defender doesn't pick up, Malwarebytes will, and vice versa. So running those two in combination works out really well. And real quick, because I don't want to run too much time here, but the way the antivirus companies work, say I just ran a full system scan and Defender or whatever I'm using found nothing. Now I open up a phishing file and download something onto my system that Defender hasn't seen yet. So it doesn't detect it coming into my system. Now, it won't find that again until the next full system scan. So that's why it's important to run full system scans with your antivirus every day. Because during that time, Microsoft found it and they wrote a signature for it or a way to identify it. And now, before you go to run your next full scan, you update all your signatures, update your virus database. Now it'll detect it and remove it. So one, on PCs use two good antivirus programs, and then every day run full system scans.
Yeah. That recommendation used to be: don't run two, pick one antivirus software, security software, because they would butt heads.
Right. And not to name names, but McAfee and Norton.
That's naming names. Yeah, the commercialized ones.
Yeah, exactly. But they were known for that: they would detect other antivirus programs as viruses and remove them. And those are two of the biggest. Yeah, Stacy says Norton was horrible. It was. I mean, it was bloated, you know, tried to do way too much. And rather than just being a good antivirus program, it got way out of hand. A lot of people were just removing it after a while. So now, in the world of Mac, the one I like to recommend is Sophos, S-O-P-H-O-S. And they have a free version. It's free for home users. However you want to do it, that's up to you, but that's exceptionally good at identifying info stealers. Now, they use a lot of heuristics to identify things. So for those who aren't familiar with the term heuristics, basically if it walks like a duck and talks like a duck, it's a duck. And so it just identifies it and shoots it, basically. "Start mining with free cycles," and yes. I forgot who posted that last comment there. But...
Yes, yeah, very good. That's,
that's kind of our base level. We need to make sure our operating system stays clean. Now, moving up a level, we'll kind of put the top level at WordPress, even though these info stealers are operating... I mean, there's really not a WordPress security solution that is going to help with the info stealer issue, right? Because you're logged in. Am I stating that right?
Yep. Yeah, it's not really. No, again, if you look up Calvin's Fortress. You know, his website is Snicco, S-N-I-C-C-O, snicco.io. Look up his Fortress. He has ways, even if it's a stolen session cookie, there's things that Fortress does to prevent that from being successful. So it's an awesome program. Yeah, he's a good kid. You know, he's what, 24 years old? Incredibly smart programmer.
Yeah, so it's important to have a security plugin like Solid Security that's running your user security and bouncing users off of the Have I Been Pwned database and denying logins if that username/password combination has been compromised, and keeping plugins up to date and letting you know what the Patchstack scans find, and if you're using Pro, putting the Patchstack automatic patching in; that's critical. But there's still this middle level, so you've got your computer itself, you've got WordPress, and in the middle is your server. And what do you recommend for making sure the server stays secure?
One of the things that we did to help keep a server secure... we do two things. We have a large block of IP addresses, and so on a server like a Vultr, Hetzner, OneCloud, DigitalOcean, etc., if we have full access to the server, we can install our block lists. Because again, nobody's ever been able to come up with a good use case for why the WordPress site on GoDaddy should be trying to log into my WordPress. No. So why not just block it? I mean, you kill the brute force attack right there on the spot. And doing it the way we do it, it's at the... I don't want to get too technical, but it's at the layer for, you know, the ISO model. So it's at the network layer. So we can block a few hundred thousand IP addresses, and you'll never see a blip in the GTmetrix scores, you know, of it slowing you down, because it happens so fast. For those who are programmers, it does like a Patricia tree with hashes.
Sounds really awesome.
But the other thing we do too, and it's highly effective, a lot of people will argue with me but I've got numbers to show it, is blocking by user agent. So like right now, the current user agent for Chrome is 118, right? Well, if you had a way to check, to see... like put a rule in: nobody with Chrome version 108 or lower can access your site. Because the browsers all nowadays, they all automatically update, right? But yet, like I was talking to somebody earlier, we see user agents touting Chrome version 59 just yesterday. Now if you go, well, that could be legit. Okay, if it is legit, do you want somebody with a browser that far outdated? Do you really think that they're going to be a valuable visitor to your website, unless they're looking up how to update Chrome?
But interesting,
So it's highly effective. Now, a user agent is easily spoofed. But understand too that the level of some of these hackers, they're script kiddies, they're just looking to make some money. So they buy an exploit kit off the dark web. And that exploit kit was created years ago, and it's still showing Chrome version 59. They're not going to change it. They just run it. In and of itself, it's highly effective.
Yeah. So Tom, talk a little bit about where your service comes into play here. You would be watching the website for these sorts of exploits and where they're showing up.
So we have a paid service. We have a free service. And if you guys are on a server, I highly recommend you at least sign up for our free service, because that's where we see all this information. That's where we got the 302 billion log entries. Because we're collecting, we stream all of your logs live to our servers, and they're being analyzed in real time. But we also monitor your file system. So if a file is changed, even on the free service, if a file is changed or added to your WordPress site, our system sees that, detects it, grabs the file and analyzes it offline, off of your server. So we use three engines: we've got a signature engine like everybody else does, we've also got a behavior engine, and we've got an anomaly detection engine. Those types of engines I don't want to install on your servers, because then it's really going to slow down your server; we've got some massive servers running this stuff. So our system will grab that file that's changed or added, analyze it, and then notify you that yeah, there's an infection and you need to deal with it. Now, we're not going to tell you where the infection is, because then all you're going to do is go and remove that one file or edit that one file and think that you're clean, and you're not. It's never just one file, right? Never. So,
Tom, you have a free plan that includes all the monitoring, and if something comes up that's suspect, you'll let the person know. And they can even upgrade at that point if they want to a yearly plan, right? If you're running a server, for example, if you're doing what I have recommended and you've got a dedicated server, a VPS or whatever, where all of your client sites live, it's 299 a year total for your whole server. Now if you have multiple servers, it's 299 per server per year, but 299 for a single server is, I think, just a really good price for the service that you're offering.
We've got a lot of people with many multiple sites. We've got a guy over in the UK, he's got 154 sites on one server, and it's still the 299. So Tammy wants
to know if you'll fire her as a client if you find out how little she actually understands.
No, I actually very much like clients like Tammy, because then they're like, okay, you take care of this, and just let me know what I need to know and be done with it. Too often we get stuck in scenarios where people want to know everything, and that's why we hesitate...
Your peace of mind. Yep.
We hesitate telling people too much in the notifications, because the first thing they're going to do is contact us: what file was it? Was it a plugin? Was it this, was it that? And our freemium service doesn't provide that kind of information. We're just going to tell you that yes, we guarantee the site is infected. And one of the other things that we do too, we monitor outgoing traffic.
So again, in my scenario with why would a WordPress site on GoDaddy's servers want to be trying to log into mine? Well, why would my server want to be trying to log into your WordPress site? So we monitor outgoing port 80 and port 443 traffic, because that's an early indication of compromise.
Interesting. Tom, this as always has been great. One last question from Elizabeth in regard to these virus scanners: any thoughts on Bitdefender or local...
Bitdefender is very
good. Yeah, that's a great one. You know, I always try to suggest free or inexpensive solutions that are effective, but yeah, Bitdefender, if you're looking for a paid solution, great choice.
Yeah. Excellent. And just one more little... we just have a couple minutes left here, and I think it's important to kind of tie the loop around this. For those of us that are working with clients, I think it's super important that if we are in a website care plan going to provide some level of security service for our clients, which is typically configuring and monitoring a WordPress security plugin like Solid Security, maybe providing a server level security plan like Tom is offering, the client also has responsibilities in website security, like we were talking about. And so in your contract and your service agreement, the client needs to say: I'm going to make sure all of my software is updated locally. Any computer that's going to log into the website needs to have an updated version of security software on it to catch these things. Otherwise, we're leaving the
front door open. Great. Yep. Good point. Great point.
So for those of you doing client work, circle back around to that and make sure your agreements are worded well. If you're a Monster Contracts user, it's in there. But also, we need to continually remind our clients of this. So if you're communicating with your clients in an email every now and then or whatever, just remind them: hey, it's important to keep your stuff updated, because if you don't, people can hijack your session cookie and do all kinds of other things you don't understand. And we can't protect you if you're leaving your front door open. Okay. Interesting. All right, Tom, any final thoughts as we're starting to wrap up here?
Not really. I think my brain is spinning right now. So...
This has been great. A really fun conversation, terrifying for Halloween. These things that we didn't know existed in the session cookie theft. It makes sense though. I see why they do it and how they're doing it. We just have to be smart and stay one step ahead of the bad guys.
I'm not one to push the fear, uncertainty and doubt; that wasn't my purpose in presenting this information. I just feel that people in the WordPress community can better protect themselves if they have some additional knowledge. So I'm not trying to scare anybody, even though it's Halloween. I'm just trying to educate people, that's all.
Exactly. And that's our goal here. We need to be aware of these things. They do exist, and we need to understand how to mitigate them and how to put good structures in place to keep ourselves safe and our clients safe. Thanks again, Tom. Great stuff, folks. We have no live stream tomorrow, but we will be back on Thursday for office hours for members. Have a great rest of the week. I'll see members back then here on Solid Academy, where we go further together.