New with iThemes Security: Blocking Bots with Zero Friction and Better Privacy
6:30PM Jan 25, +0000
Speakers:
Nathan Ingram
Timothy Jacobs
Keywords:
cloudflare
passkey
captcha
security
turnstile
google
question
user
site
logging
recaptcha
support
password
plugins
timothy
form
account
woocommerce
capture
key
earlier, and hopefully that is going to work. But again, welcome everybody, glad you're here.
All right, I believe it's working, which is fantastic.
There we go. All right, captions should be working for everybody. Now we're just about three and a half minutes out from getting started. If you're just joining us in Zoom, open up the chat and tell us hi, where are you logging in from today? Let me greet you. Good to see you. Hola from Sri Lanka. Welcome Michael from Calgary, Stacey from Colorado, Sue, welcome. No snow for Sue. Jory from Amsterdam, welcome. Class from Arkansas. Good to see everybody. Three minutes out, three minutes before we get ready to go. The slides are there waiting on you in the chat, as well as the replay link. If you want to share this later or go back and review anything, it'll be there for you. Welcome Elizabeth from Atlanta.
So we're here with Timothy Jacobs, and we're talking all about the new Cloudflare Turnstile and hCaptcha additions to iThemes Security 7.3. Welcome, gentlemen from Uganda. Good to see everybody today.
There's plenty of time as well for just general security questions, in addition to anything else you'd like to talk to Timothy about with iThemes Security. We'll be able to take those questions today. You're talking directly to the lead developer himself in this webinar, so it's a great opportunity to ask your questions, make some suggestions, whatever you'd like to talk to Timothy about. We'll have time for that today. Just a couple of minutes now before we get started. Glad everybody's here today. The attendee count is ticking up, and as you get in, pop up in that chat, say hi, tell us where you're logging in from. Welcome Stacey from Washington. The slide link and replay link are waiting on you there in the chat. Hey Melanie from Georgia. Welcome Deborah. Hey Ben from the UK. Jean from Vancouver, Ronnie from North Carolina. As you're chatting, make sure you have the little dropdown beside the "To" flipped over to "Everyone" and not just "Hosts and panelists" so everybody can see you when you chat. Zoom seems to default to hosts and panelists for some people, me for example. I don't know why, but it does. Zoom just kind of does what it wants. Hey, welcome Tom from San Francisco. Deborah from Texas. Less than a minute to go before we get started with this webinar all about the new features in iThemes Security 7.3, with Cloudflare Turnstile and hCaptcha, some really good Google reCAPTCHA replacement options. Very happy about that. Dawn from... okay, Don, what is NEPA? Welcome John from Florida. Oh, northeastern Pennsylvania. Okay, I have not heard that one yet, Don. Glad you're here. Just about ready to get started, everybody. If you're just joining us in Zoom, open up the chat. You'll find the link to today's slides waiting on you there. Also pop up in that Q&A. That's the spot to ask your questions as we go. Hey, Beth Livingston. It is now three minutes after, so we're going to start the recording and dive right into this, talking about Turnstile and hCaptcha with Timothy.
Well, good afternoon, everybody. Welcome to another live iThemes Training event. My name is Nathan Ingram. I'm the host here at iThemes Training, and I'm joined by Timothy Jacobs, who is the lead developer for iThemes Security. Timothy is going to be talking to us today about some new features that are rolling out, which include the new Cloudflare Turnstile and hCaptcha options, just another way to deal with that CAPTCHA rather than Google. So Timothy, welcome. Glad you're here with us today.
Thanks for having me, Nathan.
Absolutely. So, wow, some new things coming for iThemes Security 7. Why would a person want to use Turnstile or hCaptcha rather than the Google reCAPTCHA that we've had in iThemes Security for a while?
So the big theme is privacy, and we're going to touch on that a little bit in our slides today. If you have been a little bit nervous or a little bit uncomfortable with having your users loading up data from Google, these are good alternatives that you might want to consider. We've seen the same kinds of things you want with Google Fonts and so on, with regard to GDPR and European privacy rules and things like that. So if this is something that concerns you, these are great things to consider. Cloudflare Turnstile also just takes things to the next level. It's a great option that, even if privacy isn't a concern for you, I would consider moving over to.
Yeah, yeah, we're starting to use Turnstile on a few sites right now on the agency side of things and love it. It's fantastic. A few bits of housekeeping before I turn it over to Timothy. First of all, it's a short presentation today, so there'll be plenty of time for Q&A. So make sure you pop up in the Q&A window there in Zoom; that's the spot to ask your questions. We encourage that. Even if you don't plan to ask a question, keep it open, and if you see a question somebody else asks that you would like to have answered, press the little thumbs-up icon right below it, and we'll take the questions in the order of the upvotes they receive when we get to that point. Like I say, we'll leave plenty of time for Q&A, not just about Turnstile and hCaptcha, but anything WordPress security related. Timothy's an expert on all these things, and a great teacher and explainer of complicated things, to where even I can understand them. So that's a really good thing. Also, there in the chat, one more time, I'm going to drop the link for today's slides. You can download those and follow along. There's also the link for the replay, which contains the chat log. Anything that comes up in the webinar chat I will have there as a txt file to download, so if somebody shares some resources or things, you'll be able to have access to that after the webinar is over, as well as the transcript, which, someone has also reminded us, contains an audio version of the webinar that you can play and skip forward. It's pretty cool. So all those links will be there on the replay page about an hour or so after we wrap up today. So with that, again, keep that Q&A open, ask questions as they come up, and I'm going to turn things over to Timothy. Let's get started.
Awesome. Yeah, so we're going to be talking about Cloudflare Turnstile and hCaptcha. These are new features that we launched in iThemes Security 7.3.0, so if you haven't already, head to your members panel; you can grab the latest version there, or make sure you're licensed and you'll be able to update it from your WordPress dashboard. This update went out just yesterday, so you should have it available if you want to try it out right now. You can also head over to ithemes.com and check out a blog post; there's a link from this slide to that blog post as well, so if you're following along with the slide link, you'll be able to take it over there and see a little bit more detail. So, talking about CAPTCHAs: why would you want to use CAPTCHAs in the first place? CAPTCHAs are great. In iThemes Security they help us protect the login forms, registration forms, commenting forms, and password resets. The big thing that CAPTCHAs can do is that they can significantly slow down attackers, or even stop attackers in their tracks. Every single time that they want to try logging in, or try submitting a comment, or try registering a new user, they need to complete some kind of interactive challenge that slows them down and keeps them from sending thousands and thousands of requests in a minute. It can slow them way, way down. In some cases it can even stop them completely, because they're automated devices that can't complete any of these challenges in the first place. The big thing, though, is that we want them to be easy for humans to use. If it takes our visitors an extra 30 seconds to log in, or an extra 60 seconds to log in or do anything like that, that's a real bummer. So the big thing with CAPTCHA solutions for the past few years has been: how do we make them as unintrusive as possible? No longer is it like, "Well, is that an answer? Is that a T, or is that a Q, or what is that letter? I don't know." We have better technology these days.
So, Google reCAPTCHA. This is what we supported in iThemes Security, and only this, up until yesterday. Google reCAPTCHA is one of the longest-running services in the space, so that means it has really broad support. It has compatibility with tons of different plugins at this point. It's pretty easy to use. The newer ones, invisible and v3 reCAPTCHA, completely fade into the background for a lot of cases. But the problem with Google reCAPTCHA is that a lot of users are worried about privacy. Google, at the end of the day, is an ad tech company. I think Cloudflare says this best in their blog post announcing their Turnstile alternative: one of the signals that security researchers were able to determine Google uses to decide whether or not you're a malicious user is whether you have a cookie from a Google first-party service. Google says that they don't use this information for ad targeting, but at the end of the day, Google is an ad sales company, so it's hard to tell what is happening there and how that data is being treated, and they haven't been very clear about how that process works. It is also a concern for Google lock-in. Google reCAPTCHA works best if you're using Google services: if you're using Gmail, if you're using YouTube. If you're not using those services, it may be more difficult for you to complete the challenge, and so I think it's right for site owners to be a little bit concerned about that. I do want to note something about privacy with all of these CAPTCHA providers in general, though: all of these different CAPTCHA solutions load third-party JavaScript. That means that your user is grabbing scripts that are coming from another domain; it's not something that is on your domain. So this is something that you need to disclose in your privacy policy. We make this easy: WordPress has a privacy policy generator that iThemes Security ties right into.
So the differentiator you should look at is what these companies' privacy policies are and what their business models are. Google is an ad tech company, but Cloudflare and hCaptcha aren't. So that might be a good point for you to say, "Okay, we know that we're going to be sending some of our user data to these third-party services, but at least let's send it to one that isn't an ad sales company." Another thing that you can do, and that we recommend using across all of our different CAPTCHA providers, is to use the iThemes Security opt-in feature. We launched this way back in 2018, I think, when the GDPR rules were coming into effect. This gives you a nice little notice before loading the service from Google, Cloudflare, or hCaptcha that prompts the user to accept their terms of service before loading this code. Then the user can make the decision on their own: "Hey, I'm not going to visit this site" if they don't want to contact those services, or they can say okay, without that JavaScript being forced upon them. So we really recommend using this feature. You click it with one button, and it loads the challenge immediately, so it doesn't add a lot of user friction, but it can be a helpful privacy tool. So what is hCaptcha? hCaptcha is a cool service. For a long time, they've been the leading privacy-focused alternative to Google reCAPTCHA. You can find details about it at hcaptcha.com. One of the things that I find really cool about how hCaptcha works (and this is a common technology between all of these CAPTCHAs) is that they have you tag images. They're saying, "Please find images that look like a sunflower." When Google did reCAPTCHA, it was, "Please figure out what this text says," so they could digitize books.
And so Google was doing that on their own, and maybe making some money from it and things like that. With hCaptcha's image tagging services, they actually pay you, which I think is really cool. So you do this work as a human to tag all these different images, but as a site owner, you can accumulate a little bit of money every single time someone at your site completes one of these CAPTCHA challenges. If you want, they also have an option in there to just donate it to a charity. I think it goes right now to the Wikimedia Foundation, which is of course doing great work. And so I found that a very novel take on their business model. They also let you customize the difficulty, so you can select how much a user should be burdened by the challenge. If this is just, "Hey, protecting comments," maybe you don't want a super high difficulty. But if it's something else, like creating an account, that's where you might want something of more difficulty. They also have higher-level plans where you actually pay. To get started, it's just free, but if you want to use one of their pro plans, they let you customize the difficulty and the appearance even further, which is really great. Cloudflare Turnstile is the other option that we've introduced in iThemes Security. I think Cloudflare Turnstile is a great option regardless, but one thing that's really cool about it is that you might already be using Cloudflare to protect your WordPress site to begin with. If you're not, I would highly recommend at least taking a look at it and saying, "Hey, maybe Cloudflare is something for me to use to protect my site." It's a great tool that, again, starts for free. Something that's really unique about Cloudflare Turnstile is that it doesn't ever force visitors to solve a puzzle. It takes everything in the background into consideration.
It may have visitors click on the little checkbox, but it shouldn't present them with, "Hey, here are 15 images that you need to choose from," or something like that. Cloudflare is also a pioneer in the web privacy space, and they've worked with Apple, and I think they're going to be working with other providers, to use something called Private Access Tokens, which minimize the data collection that they need to determine whether or not a visitor is a human or a bot. This is a really cool technology where your actual Mac or iOS device is able to securely and privately tell Cloudflare that this is a real human who is using this device, without needing to send out all of your information. Your personal information isn't leaving your device, but Apple already knows that you're logged in and you're a real person, and so can provide this information to help Cloudflare in its process of determining whether or not this is a human user. So at the end of the day, our recommendation is to use Cloudflare Turnstile. It is a great new service that launched a couple of months ago. There are some reasons that you might not want to: if you're already using Google reCAPTCHA and you have some plugins, for instance other form plugins or things like that, that have different CAPTCHA offerings and don't yet support Cloudflare Turnstile. I would say you don't get a huge benefit from loading both Cloudflare Turnstile for iThemes Security and Google reCAPTCHA for your other form plugins, or your MailChimp or mail opt-ins, things like that. So if you're in a spot where not all of the plugins that you use on your site support Cloudflare Turnstile yet, I would say you don't necessarily need to move over to it immediately. But if you are in a position where that is an option for you (and more and more plugins are supporting Cloudflare Turnstile),
I would definitely recommend using Cloudflare Turnstile, even if you aren't necessarily someone who's super concerned about Google's privacy policy and things like that. So I'm going to break for a demo now. We're going to take a look at how you can set up Cloudflare Turnstile in iThemes Security, so I'm going to change over my screen sharing. Bear with me a second.
Here we go. So this is the blog post that we just published yesterday talking about the new Turnstile and hCaptcha support in iThemes Security, so you can take a look at that if you want to see some more details. I'm going to head on over into my Nexcess WordPress site that I have here, and I'm going to navigate to the settings, and we're going to talk about our CAPTCHA module. This used to be called reCAPTCHA; in iThemes Security 7.3.0 it's been retitled to just CAPTCHA, because we have different providers now. But your Google settings and so on are all still in there. So when we navigate into settings, you'll see that by default the provider that we have is Google, but you can switch on over to Cloudflare. So I'm going to go into Cloudflare, and you'll see a new section in the Cloudflare dashboard called Turnstile. So I'm going to add a site. I'm going to copy over my domain, and we'll call this "nexcess demo". We're going to put in that domain. Oops. Oh, did I need to register this? Oh, let me see. Can I do this? I've got a little bit of a demo fail.
Yeah, that's what I want to do. What do I need to do here? Oh, here we go. Nope. So I wanted to set up a completely fresh new site for demoing this, but I don't think I'm going to be able to do that very well. Okay, that's unfortunate. So I have a demo site here, my testing site for iThemes Security, so I'm just going to show you what this looks like here. iThemes Security has a section for entering in the domain, which is the Cloudflare domain that needs to be registered. You can choose what kind of widget type you want to use. You can use the Managed widget, where Cloudflare essentially gets to decide, "Hey, how much of a blocker do we want to put in front of this user?" You can also say that you only want a non-interactive challenge; Cloudflare's UI will still appear there, but it won't force the user to complete anything interactive. Lastly, you can use the invisible challenge mode, and when you use the invisible challenge mode, Cloudflare completely disappears into the background and you don't need to do anything. So what I'm going to do instead: Cloudflare has test keys that we can use to demo this. I'm going to head on over to see that
in their FAQ. Here we go. So I'm going to grab this site key and this secret key and add them in. Normally you would grab these from your Cloudflare dashboard for your particular site; in this case, for this demo, I'm just going to use this demo site key and this demo secret key. I'm going to say we want to protect the login form, for sure, and new user registration. We can protect the reset password form and the comments form. There are some other options here. You can switch the Cloudflare appearance mode (I kind of like to show the Cloudflare one), and you can choose a different size if you want. This is the Enable GDPR opt-in option that I mentioned earlier, and so this will make the user accept the fact that they want to use Cloudflare Turnstile, in their privacy policy, before it shows up. Then we also have this option for the on-page opt-in. This works in 99% of cases, but depending on your theme, you might have difficulty, so you should keep this turned on, but it's available to turn off if you need to. And we'll just hit save. So now when I go to the login page, I'm going to say "use my passkey", I'm going to say I agree to these terms, and you can see that this little Cloudflare challenge pops up and lets me continue. I'm going to add in my username here, hit "use my passkey", and I'll log in, and it's just that simple. That's how the Cloudflare process works. There's not a whole lot to demo to show you the process, but that is Cloudflare Turnstile in iThemes Security. So I think at this point we can open it up to questions and things like that, if people have any particular questions about Cloudflare or anything in general.
Yeah, sure. So, a couple of things. I don't know if there's a way to see this, because I think the error we hit was that you can't add a subdomain into Cloudflare as an account. Yeah, it has to be the root domain. Is there a way we can... I think you had a test account up there. Where was the place where you actually grabbed the site key and the secret key in Cloudflare?
Absolutely. So you're going to see this Turnstile option over here, and you'll see all these sites that you've added. Typically, you'll hit Add Site and select the domain there. This domain is my security test domain, and when you click into it, you get this analytics view. But if you click on Settings, you'll see the site key that's here, and then there's the secret key here. You click this little button, it'll show up, and you can copy it. That's the only thing that you need: grab this site key and grab the secret key. And it's completely free to use, I think for up to like a million challenges or something, so you can be on a completely free Cloudflare plan and you'll see this option here. But unfortunately, I can't add my Nexcess test site, which I guess I should have gone through in the demo first. I wanted to be like, "Here's the whole setup process of what you need to do," but unfortunately, yeah, that is a little bit of a demo fail. I do so many of these that eventually it happens, for sure.
So, Stacey has a question there in the chat. And just to clarify, yeah, Turnstile will support subdomains; you just can't add a subdomain as the Cloudflare account.
Yeah, it doesn't want me to be making global rules in Cloudflare for all of Nexcess's test domains and so on. When you have a Nexcess host, for instance, you get this kind of demo domain that you can use before you register a domain for it. But next time I'll have to actually register a domain name for tests.
So when you set up the Turnstile keys, they would work on the primary domain and all the subdomains with the same key, right?
Right. Yeah, that should work with everything there that you have in your Cloudflare account.
Very good. We actually set this up to deal with some WooCommerce spam that was happening to one of our clients a couple of weeks ago, and it works. Turnstile is fantastic, easy to set up. It just works. So if you have a question, please use the Q&A button there on the Zoom toolbar. We have several stacked up here. Also, just pop that Q&A window open and look at some of the questions others have asked and upvote the ones that you would like to see answered. We're going to turn to our time of Q&A now. So the first one, goodness, this is a common problem. From Joan: what's the best way to prevent massive spam comments? iThemes has a module to mitigate it, but it seems not to be working for us.
Yeah. So the best recommendation that I have is to enable CAPTCHA and to use it on the comments form. That'll force users to complete an interactive challenge. We used to have a setting for this in WordPress Tweaks; I think we removed it, though. Make sure you're on the latest version of iThemes Security, because that comment spam reduction feature only prevented very naive spam. Back when iThemes Security developed that feature, six or so years ago, it worked, but these days it just wasn't providing enough protection out of the box. That's why I'm a big fan of using a tool like CAPTCHA instead, to really slow the user down and prevent them from actually doing it. The other kinds of things are more like tricks that worked for bots that weren't very sophisticated, but spammers are much more sophisticated these days, and using something like Cloudflare Turnstile actually forces them to slow way down.
Yeah, for sure. They kind of have to pass through that layer before they get to your website, right?
Exactly. Yeah. And even to begin with, you can set up Cloudflare to protect your site as step one, too. So you can have Cloudflare in front, just protecting your website from users or their bots getting to it, and then you can have further protection with Cloudflare Turnstile for the more important actions on your site.
Yeah. Okay, a question from Stacey: is Turnstile active right now in iThemes Security? She says she can't find it in her settings.
Make sure you're on 7.3.0. You're going to head on over into Configure, then the Lockouts module, and it's this fourth option here called CAPTCHA. A really cool thing is that you can always search for things in iThemes Security, so if you're looking for CAPTCHA you can just type it in, or if you wanted to say "Cloudflare" or something like that, it'll pop up there and bring you right to the page. Always make sure that you're licensed. We give you a warning if you're not, so make sure that your licensing is set up inside of iThemes Security. It should say you're licensed, and that will make sure that your update appears.
Very good. Okay, a question from Don. He says, somewhat related to CAPTCHA options, is there a contact form service that you prefer? Gravity Forms, Ninja Forms, Happy Forms, for those of us who need to be cost sensitive?
Oh, that's a great question. Gravity Forms is mostly paid; I do think it is quite a good option. My preferred one for a non-paid solution, I think, is still Ninja Forms. But there are a lot of great options. Nathan could probably do a better job of answering that, but yeah, there are a lot of good options out there.
Yeah, Ninja Forms is great. WP Forms is great. Yes, forms is great. They have decent free versions. And of course, if you're using Kadence, the new Kadence form is fantastic.
Kadence also just added support for Cloudflare Turnstile as well, so if you're a Kadence user, you can use that as well.
Oh, here's a good question from Melanie. Timothy, you and I were actually talking about this earlier. Melanie would like to know if Cloudflare Turnstile will work on, and Melanie, I'm assuming, WooCommerce checkout forms.
Yeah. So right now the way iThemes Security handles keeping attackers out of a WooCommerce shop is by protecting login and registration. We don't yet have an option specifically for making sure that every single time a user completes a purchase, they need to complete a challenge. It'd be possible to do; we do have a CAPTCHA API that you could integrate with if you're a developer. But it is something on our short-term roadmap; we're looking at building a comprehensive solution around security and ecommerce. Right now it is not specifically a built-in feature for checkouts, but it will protect users from registering and logging in. So I would recommend, for instance, turning off guest checkout. Even though it adds friction, making sure that users have an email and have to create an account really does help cut down on credit card spam and credit card attacks.
Yeah. Let's see. John. I think John's question was similar: do the WooCommerce and Stripe for WooCommerce plugins support Cloudflare Turnstile?
That's a great question. I don't know about those plugins specifically. If they're on the .org repo, it's always great to go into the support forum for that plugin and ask, "Hey, this would be an awesome feature to add." It is something that is definitely supportable by pretty much any service I can think of; I can't think of a reason why a service can't move over to it. One of the reasons why we added support for Cloudflare and hCaptcha in this release is that the big lift for us was just: how do we offer multiple different CAPTCHA providers? We don't want to just kill Google and completely switch over to Cloudflare. So once we were able to say, "Hey, we can now support multiple," we can support tons. So if you want to use Cloudflare, you can use Cloudflare; if you want to use hCaptcha for some of their enterprise features, or you want to donate to the Wikimedia Foundation, you can do that. The big lift for these providers is just making sure that they can support multiple. Once they do, if they're already supporting multiple versions, you can say, "Hey, I really want Cloudflare," and vote.
Yeah, absolutely. And John, WooCommerce actually sells an official add-on for reCAPTCHA, to add reCAPTCHA to the WooCommerce checkout process, for $29, which just makes me shake my head every time I think about it. So it is unlikely they're going to add that to their plugins, because they're offering a paid version to do that with reCAPTCHA. We'll see, but yeah, I would look for a different alternative. Okay, Thomas: is there a cost to use Cloudflare Turnstile? I use Cloudflare for my clients, but the free accounts.
A great question. So it is free, I believe, for the first million. So unless you're getting tons and tons of attacks, you should be free to go. I'm not sure; their pricing plans get a little bit confusing. But if we look at Turnstile, it should say somewhere; I believe the number is a million requests. So if you're already using the free account on Cloudflare, you're probably fine to just continue using the free account and that pricing option.
Very good. Let's see here. John's question. He says what do I need to if let me just paraphrase your question here, John. John is currently using reCAPTCHA and he would if he's going to switch to turnstyle. What does he need to do to undo the settings for reCAPTCHA and add turnstyle?
Great question. So you shouldn't need to do much of anything. If you're only using a theme security for CAPTCHA. When you upgrade to 7.3 point out, you'll be here with Google the reCAPTCHA type as whatever one you're using and the site key and the secret key. When you switch on over to Cloudflare you just change the provider and add in your API keys and the Cloudflare turns out dashboard and we had a convenient little links there to grab your right to it. And that should all be all you need to do. All of the rest of your settings stay the same. The update process is similar. They all kind of work the same way. So if you're using a reCAPTCHA right now Thrive theme security. You should be just good to go to just change providers. If you're using multiple different plugins that each have their own reCAPTCHA integration. At the same time, I would also go through those and see if they offer Cloudflare CloudFlare, turnstile and reCAPTCHA shouldn't conflict the way that I theme security has developed integration. It's possible but it shouldn't happen. So you should be fine too. If you want to move over to Cloudflare. Turns out even though all of your different plugins might not support it yet, you can't. But you are still downloading kind of like two challenges and two services. So I wouldn't say you get a huge amount of benefit from doing that. Generally, it'd be great to move everyone over at once. But that may not always be possible. So you should be good from a site functionality point of view to start on that transition whenever you're comfortable.
Very good. Okay, Ben has a question here. Ben. I think I know what you're asking. And if I'm wrong, just quickly, correct me in the chat. Okay. So Ben is saying, does the client domain need to be signed up to Cloudflare? Or can you add all client domains under your own Cloudflare account? I think what he's after there is can I use the same Can I add? This is just for the turnstile keys. Can you stack those up under an account? Or do you have Yeah,
You should be able to. Your client can add you as a user to their Cloudflare account as well. So that's kind of the way that I recommend always doing all of these things: have the client create their own Cloudflare account, their own Hover or GoDaddy or wherever you're getting your DNS from, have them create their own version, and then add you into their account. So as a developer, you kind of get developer access to their account, and then you can set things up for them. That's my recommendation for doing it. But yeah, you should be good to go with whatever setup you use in Cloudflare already.
Yeah, and the way we've chosen to do this for our clients, most of whom are non-technical and are not going to set up a Cloudflare account anyway, is that we are stacking client accounts. So there are multiple domains within our agency account, and if at some point we part ways and they want to separate it out, there's a process for migrating a domain out of Cloudflare and into a separate standalone Cloudflare account, if it comes to that. But it gets really complicated if you're trying to move clients into Cloudflare and trying to get them involved in setting up that account. It's complicated, but there's a way out if you need to. Okay, let's see. Jory: when using Kadence, is it better to use CAPTCHA from iThemes or Kadence? And also, does iThemes CAPTCHA cover forms like Gravity Forms?
Yeah, so two questions there. On the second one, which is easier to answer: we don't have specific integrations with Gravity Forms and things like that. We kind of recommend using the providers' built-in integrations, because they know their products best. If there are some really popular ones that you'd like, you can always reach out to the support team and be like, hey, we'd love to see this feature, and letting us know does impact what features we develop. But we don't have specific integrations for them; they should be able to run side by side perfectly fine. With Kadence, again, you can do either one that you want to. If you're using the CAPTCHAs through iThemes Security, it does mean that it will work into our logging system and lockouts and stuff like that, whereas in the Kadence system, it is just tied into Kadence. It's not telling iThemes Security about the fact that this visitor failed a CAPTCHA test or anything like that. So you'll kind of get a deeper integration when you're using the iThemes Security version. But you can, of course, set it up with Kadence as well and use them side by side. Kadence offers protection in a couple of other different places as well that iThemes Security doesn't right now. So you can definitely use the two together.
Very cool. Let's see, Bobby's question is up next: I have Kadence Forms up and I don't see how to add Turnstile to it. And Bobby, I just dropped a link in the chat; that is the blog post on kadencewp.com that goes through that whole process. So take a look at that link, Bobby, and if that doesn't answer your question, just ping me in chat and we'll try to clarify just a little bit more. Let's see, Sherry would like to know: how do you know if your website supports the use of Turnstile?
So all websites should, I would say. Try it out. If you have certain themes... the one that's coming to mind is Divi, which has some kind of form stuff that doesn't integrate with any of the native WordPress APIs. And so in those kinds of cases, you might not be able to use iThemes Security's CAPTCHA module at all, because the way they do logins just doesn't work through any of those systems. So most sites, for the most part, should be totally compatible. But it is possible, if you have some of the more custom, not-doing-things-the-WordPress-way themes that are out there, that you may have a little bit of trouble.
For sure. Let's see, Manny, I have a question for you in chat, please, just to clarify what you're asking. Eric would like to know, Timothy, if you can demo hCaptcha.
So hCaptcha doesn't provide a way to change out secret keys or reset secret keys, and the secret keys are not just tied to a single test domain; it's for everything everywhere all at once. So I wanted to demo it, but unfortunately it is not very easy. I would say the setup process is pretty simple. If you go to the hCaptcha option here, we give you a link out to that site dashboard, and so you can see my sites that are available here. When I click on a site, you'll actually see, this is for my iThemes Security test site, you'll see the site key, which I'm not so worried about. But then up over here in the profile account settings there is a secret key that you need to copy into iThemes Security as well. And so we give you the links to both of them, the account settings and the site dashboard. So it's just a matter of copy and paste. But unfortunately, doing a live demo with hCaptcha is a little bit difficult due to how they've implemented their secret key handling. But it is pretty much the exact same setup process as Cloudflare; you just point to a different place to copy your API keys.
There you go. All right, Alvin would like to know, Timothy, are you familiar with QUIC.cloud from the LiteSpeed folks? Okay, it's kind of like a CDN. Is there any issue you can think of that Turnstile might have working in that scenario?
I don't think so, if it's configured properly. If your forms are already working, then you should be fine. You'll want to make sure that it isn't trying to do any caching of the Cloudflare JavaScript that gets loaded, which it shouldn't. So you should be good to go. I can't think of an immediate reason why it just wouldn't work completely. There might be some possible weird caching settings going on, but no, I don't think so. Yeah, I think you'd be fine. The best thing to do, you know, is try it out. If you do see problems, report it to us, and we can see if we can fix it if there's something to adjust on our end in iThemes Security. But I don't anticipate there being an issue there. Yeah.
Let's see. Bobby would like to know if you're aware if... he says this, I'm assuming he means reCAPTCHA... excuse me, Turnstile. Does Turnstile work with Gravity Forms?
I don't believe Gravity Forms has announced support for that.
Yeah, not yet. But, you know, it looks like they have a feature request tracker that you can take a look at and vote it up.
Yeah, I think Turnstile is going to become more and more popular this year. That's one of the things we're going to see: adoption is going to grow. I mean, I'm prognosticating here, but yeah, I think that...
It was just announced in September, and kind of almost announced also in beta. It's been very stable for us so far, but it is very new compared to the alternatives. So give some people some time, but I think it's popular and, you know, tell people that it's something that you're interested in.
Yeah, very good. Okay, here's a question from Eric. Eric says, I think I have malware in my WHM account. Is CAPTCHA site-specific, or how can I block malware from my WHM account?
Yeah, so CAPTCHA is specific to each site. This is kind of one of the risks of having one centralized VPS or something like that where all of your WordPress sites live, particularly if they aren't segmented from each other properly. It can mean that if an attacker is able to gain access to one of your WordPress sites, they might be able to move from one target into another target. So really, my recommendation is to not set up WordPress site hosting that way. If you are going to use a VPS, make sure that each WordPress site is completely segmented from the others. They should have a different PHP user, they should have a different database user, all of those different things, so that you don't get this cross-contamination. Otherwise, you have to be super vigilant across all of your sites. The big way that we see sites getting hacked is through users that have weak, insecure passwords. If you're using iThemes Security, you can enable strong passwords and force them on your clients, which is kind of the big one, where we as developers might be like, yeah, we're using the hardcore strong password, we've got it saved in 1Password, hopefully it's not saved in LastPass anymore, and you're like, okay, we're great to go, but your client is over there logging in with admin123 or something like that. And then that site gets hacked and it goes everywhere else. We do have a really cool feature that we've done a webinar for a couple of times called passkeys. So passkeys are kind of like the future of passwords, and they give a really great path for this login experience to get into your WordPress site. So you kind of saw this when I logged in immediately with my site here. We have this "use your passkey" option, and when I do this and put in my email address, all I need to do is authenticate and I get logged in immediately.
So that's a really great option for still letting your clients have strong passwords but not needing to remember them or use them, because you're using a passkey instead. So check out our webinar for that, where we did a whole bunch of deep dives into it. But yeah, the CAPTCHA support will help protect your login form, but it's for each site. And if they still have a very, very weak password that's just the name of their site.com or something like that, CAPTCHA won't stop that either.
Password1 exclamation point. Yes, exactly. Sue has a good question here: if you only use Turnstile and nothing else from Cloudflare, are there any DNS changes you need to make on the domain?
No, no. So I have it set up. You shouldn't need to move it into managed DNS or anything like that, but it has to be part of your account.
Let's see, question from Tom here: WP Engine has stopped supporting the .htaccess file. Is there documentation to enable the iThemes modifications to their web rules?
So we have an article about this. Let's see, I think if I search for WP Engine... yes. So we have these settings in iThemes Security which use the .htaccess file. The thing to keep in mind is that iThemes Security will enforce as many of these as possible inside of PHP as well, so you're certainly not unprotected when WP Engine makes this change. So you really shouldn't have to do anything in that regard. Let me say that bans and lockouts will still be executed. Things like disabling PHP in the uploads, plugins and themes directories, I believe that's something that is just part of how WP Engine has configured their sites as well, along with things like directory browsing and system files. So because of how WP Engine has set up their hosting, these features really shouldn't be necessary to begin with. So the main thing is taking a look at bans and lockouts, and iThemes Security enforces bans and lockouts whether you have .htaccess supported or you don't, so you shouldn't have to make any changes as a user. But yeah, we have this help document over here that kind of gives you an overview of what we do use .htaccess for. The HackRepair blacklist, that's a good note. I would say the HackRepair blacklist in general is something that is becoming less necessary these days. It's a kind of nice, you know, get-you-going type of feature. But the way it works is it has a long list of user agents and things like that that we say, hey, let's just block those. But more sophisticated attackers can just change their user agent. So it is kind of like a nice get-you-going list, but I wouldn't consider it critical to your site security. We are kind of talking with Jim Walker and others about whether it makes sense to keep that option inside of iThemes Security to begin with. It was really great, kind of pioneering work, in the earlier days of WordPress security, but it's a little bit less relevant these days. Yeah.
All right, question from Melanie: do you have plans to add integration with popular form plugins within iThemes Security?
We don't have immediate plans, but if there are form plugins and that would be a feature that'd be really important to you, reach out to the iThemes Help Center and say, hey, I have a feature request, and we keep track of all of them. It's a big part of what shapes our roadmap. So if that is something that would be important to you, absolutely, let us know. There are a lot of form plugins out there and a lot of different options, so we kind of have to be judicious with it. But let us know.
Yeah, for sure. If you can imagine what it would be like to figure out all these form plugins that exist, and what if they change things, trying to manage all of those integrations could be a bit of a nightmare. So yeah. Thanks, Tim. Eric is trying to learn a little bit more about iThemes: does iThemes Security clean malware from sites in addition to providing CAPTCHA?
We don't have a malware cleaning or removal tool. We have recommendations for partners who do that. I would say in general, it's not something that I advise trying yourself unless you've done it countless times. It's very easy to catch 90, 95, 99% of the ways that an attacker left their trails throughout your website, but they're very good and very sneaky about hiding things that automated tools can't detect. So my recommendation really is to get a professional to do it. You also want to make sure that they determine what the root cause was, that they know how the attacker got into your website. And that can also be really hard for someone to do if that's not your expertise. So my recommendation is always to reach out to a hacked-site cleaning service; I think we have some links from ithemes.com somewhere. But that really is my recommendation, so that you don't wind up with, hey client, I cleaned your site, and then it's back the next day. I've seen it happen when I was first getting started cleaning up sites and doing things like that. I'm like, oh, I thought I got everything. But no, there was something over there.
For sure. Let's see. John would like to know if there's a resource you're aware of that explains setting up Cloudflare for a website.
Have we done a guide on that? I feel like we probably have. Take a look at the iThemes blog, and let's see...
How to use Cloudflare with WordPress. This is an old one, 2016. Yeah, Dan has also published a great article on website firewalls and things like that that kind of talks about Cloudflare. But what I'll do is make a note that it would be great for us to have a specific article written up about all the steps that you need to do to set up Cloudflare with your WordPress account. I don't know if you've done a training on that, Nathan.
No, I was just thinking we might need to do that. Yeah. We can probably fit that in in the next few weeks, so watch the training calendar, and we'll see if we can schedule a training. That might actually feed the content for one of these blog articles as well. Thank you, John, for that suggestion. Eric: what is an example alternative to shared hosting? Also, does iThemes have a possible solution to...
Yeah, so iThemes is part of the Liquid Web family of brands, and so the hosting that this test site is running on is Nexcess. It's also what powers ithemes.com. So that is a great way to get non-shared hosting. There are security risks using shared hosting, and performance impacts and things like that. So Nexcess is of course our number one recommendation, but there are a lot of WordPress hosts out there. iThemes Security works great with all of them that we know of.
Yeah, very good. Let's see. Okay, I'm not sure if you'd be able to comment on this, Timothy, but Manny's question here is he'd like to understand blockchain in terms of security, and how the Metaverse is being used on Web 3.0.
I know, I don't really have an answer for that. It'd be an interesting potential topic, but no, iThemes Security doesn't really have much to do with that.
All right, so we have a few minutes left, Timothy. Can I pick your brain, please, about passkeys? Where do we stand in terms of passkeys? Let's say, just taking a step back... Yeah. Some of the people on the webinar, along with me, might have developed a little bit of frustration over the last few weeks in the realm of passwords. Yes. It's possible that a major password company was, you know, somehow... some passwords may have gotten stolen, and perhaps they might be at risk, and we're changing, in my case, 1,800 passwords. Yeah. I hate passwords. I've grown to hate them even more in the process of having to change passwords with all these companies. And I would love to see passwords die a painful death. So where are we in terms of passkeys?
Yeah, so passkeys are making really excellent progress. When we launched this back in September of, I guess it's last year now, 2022, they were working really great on Apple devices, initially on iOS with the latest iOS version. It is now in the latest macOS version, so it's available for everyone. Make sure you're up to date. Actually, I think you don't even need to get the latest macOS version if you're just on the latest release of your particular version, like 12; I can't remember what the one before Ventura is. But if you're on the latest Safari, you should be able to just use it right away. Google has also announced their concrete plans for how it's going to work on Android. It's working even better in Google Chrome. I can show an example; I'm going to have to change up how I share my screen for a second. Let's see... a portion of a screen, so hopefully you can see my browser now. I'm going to go ahead and log out so I can show one of these examples here. So I'm going to log in as Timothy at ithemes.com, and I'm going to say instead, I want to use a different device. So this is the more official flow now for using a different device with passkeys as well. This is something that was kind of in beta when we first did our demo, but so I'm now logging in on my iPhone, using iCloud, into Google, just by pointing my phone at that little pop-up there. And if you remember, earlier that used to say, hey, if you want to use an Android phone, you can do this, but now it works with everything. So there's been a lot of progression on setting up passkeys. Another great way this works, let me pause my sharing for a second.
So this is another change that we snuck into the 7.3.0 release: discoverable passkeys. So I'm going to go to Cloudflare, and what's cool now is I don't even need to type in my username. I can just hit "use my passkey" and it already knows who I am, so I don't even have to type anything anymore. I can just click, one click. And with passkeys, you don't even have to make any changes on your site to take advantage of this; this is just popping right in there immediately. It's making the process a lot simpler. So passkeys are getting better and better browser support and better and better support in iOS and Android, and they're working on new ecosystems. I am setting them up on all my WordPress sites, anywhere that I can. I do think it is kind of the time to start switching over, and it's getting easy enough for clients to really understand.
Can you pretend that I'm, you know, a fifth grader? I mean, explain to me: what is a passkey and how does it work?
Absolutely. So I'm going to head on over into my user profile, and I have a list of passkeys that I have here. So passkeys are a different way of thinking about a password. Instead of a password being something that you need to remember, a passkey is kind of like a key, you could think of it, that you just use. It's simple to use, and as long as you have it with you, you can get into a site. So passkeys are a way of remembering who you are on a WordPress site, or any other site, that's built into your computer. So your computer doesn't forget about it, you don't need to remember it, and it's a way of securely authorizing you with every service you're using without you needing to memorize anything. My Mac, for instance, knows that, hey, Timothy is logged in; I can log into any of these services without needing to prompt him for a password or anything like that. So that's what makes the flow so simple. When you're using things like your mobile device, for instance, it's often integrated with things like Face ID or Touch ID, so it can give you strong, secure authentication. But it's basically another way of getting into a website where you don't need to remember a password. Your browser, your computer, stores a passkey for you.
That's really interesting. So our passkey... Eric and C are both asking similar questions here. Are they specific to each device that you have? Or, like, if you get a new phone, can you transfer the passkey to your new phone? Yeah,
That's a great question. So it depends on the different browser implementations. For Apple, and they're kind of leading the way in this regard, when you use iCloud, it syncs across all of your devices, so your passkey gets stored in your iCloud account. So if you look over here, I have my list of passkeys here. I have one for Google Chrome, and I have one for iCloud, and with my iCloud passkey I can use Safari on my Mac, on my tablet, on my laptop, on my phone, anywhere, and I don't need to worry about moving them around. Google is doing something similar. So if you have a Google account, Google is going to store those passkeys in your Google account and sync them between your Android devices, Google Chrome, everywhere. That's the part that's still in progress, being launched for Google, but that is their goal as well. So you're just going to have your passkey and you don't need to worry about what device you're using; as long as you're able to sign into Google, you're able to use it. There are some other different implementations. So you saw how I logged into Google before; let me actually show that again. I'm going to get a pop-up... when I click "Use your passkey," and y'all should see this, this is authenticating with my Mac using my Apple Watch. Touch ID would work there as well. So when Google Chrome is doing this right now, if you're using Google Chrome, it is saving your passkey to your device. But in the future, with these plans that Google launched, it's going to tie into your Google account and will sync it everywhere. Notably, Google doesn't get more personal information about you, and Apple isn't collecting more personal information about you. The sites you're logging in with don't know about your Google account or anything like that. They just see some secret hidden data. That is kind of like calvess A story, but nothing about it is like sending your fingerprint or whatever to the services
you're logging into. Nothing like that. But yeah, right now your passkeys in the Apple ecosystem sync everywhere; in Google, that's coming soon. And for the more advanced users, you can save things to devices. I, for instance, have a little YubiKey device, which I really like, and so some of my passwords are stored on here, and anywhere I can plug this in, I can log in with my passkey. But for most users, they shouldn't need to do that. Windows also has built-in integration if you have Windows Hello support, and that, I believe, is also kind of tied to your device when you're using Windows Hello. So you probably will have more than one passkey if you're a multi-ecosystem person. If you're just an Apple ecosystem person or just an Android ecosystem person, you'll probably only ever need one passkey that you just register when you set up your account, and you're good to go.
Yeah, so several questions kind of floated through along this line: let's say you're using a Google account or you have an Apple account and whatnot, and your passkey is shared across your devices using that cloud-based service. How do we know these people aren't tracking us? Are they tracking us?
Yeah, that's a great question. So the passkeys themselves don't contain any user-identifiable data. So it actually makes it harder to do that kind of tracking. One of the issues with passwords is that if you put your password into a site and the site gets hacked and your password is leaked, and if you're one of the, I'd say, majority of people whose passwords all kind of follow a similar pattern or something like that, it means that you could get hacked across multiple different services. With passkeys, there is nothing really there to hack. There's no personal information or anything like that. Your browser, of course, knows what sites you're logging into, the same way it knows what sites you're visiting and things like that. So that same level of data transfer is kind of already there, but it's not introducing anything new. And it's kind of working off of the functionality that we already have with things like iCloud Keychain, which is the built-in password manager on your Mac or on your iOS device, and the same with Google. So it is more privacy-preserving than passwords are to begin with, and they're not able to get any more information than they kind of already do, which is that when you go to a website in Google Chrome, Google Chrome knows you've gone to that website. Yeah.
So this is interesting. You know, this is me, for example: I have a really strong password on my Google account, but in the past, it's better now, but in the past I've had a weaker password on my Apple ID, because you have to type it in, you know, for purchases and stuff, right? I've changed that now. But that's dangerous, right? Like, how secure are things behind my Apple ID?
Yeah, so your Apple ID is your key to the kingdom, essentially, and so it is important to set up a strong password. Apple, though, I believe has claimed it has the highest penetration of two-factor. So when you log into your Apple account, if you're doing it from a different device, you've probably seen these pop-ups on your phone or on your Mac where it says, here's a map of where someone is trying to log in with your Apple ID. You click Allow, but even that's not enough. It shows you six numbers that you have to type in, which is a two-factor code. So Apple adds tons and tons of security protections that are operating in the background to protect your account beyond just your password. I'm reminded of something that Facebook said a while ago, that Facebook blocks millions of attacks a day, I think, on accounts whose passwords are compromised, but because Facebook is able to tell who's usually logging in, they're able to add additional two-factor-like security protections. Apple is a similar thing. It's not just your actual password that is protecting your Apple account; it's having two-factor with another device, which I think is... I don't even know if you can get away with having an Apple account without that two-factor set up; it's very much part of it. Apple also recently announced even stronger security features. It's not something that 99.99% of users should use, but if you are, for instance, a journalist operating in a regime that is less than friendly to journalists, they have even stronger security protections that you can put on your iCloud account. So it is important that you set up a strong iCloud password, but you are protected by being in that ecosystem. And it's the same with Google. Google has two-factor and things like that as well. So they are important accounts, but you can keep them safe, and these providers do a really good job of that.
I would also say, to kind of address a little bit of Barney's question: the passkeys themselves aren't really possible to crack. There is not a password or whatever that has to be remembered or things like that. They're random data. It uses what's called public and private keys, which is the same thing that protects, for instance, HTTPS when you go to your banking website, so that anyone else who's on your network can't see you typing your password into your banking account. And so it is that same level of protection. So it is very, very strong, and it is architecturally different from what you see with what happened to LastPass and others, where there's a treasure trove that can kind of be hacked. It's very different in how that works.
Very interesting. All right. There are a lot of questions still here; many are very specific in nature. Thomas wanted to know if passkeys work on Windows and Chrome. I know they work with Windows Hello, right?
Yeah, yeah, they're working on Windows, working in Chrome. Yep.
Let's see. Does it matter if you're using one email address for your iCloud or Google account, where the passkeys are saved, versus the website that you log into?
No, no, not at all. You can kind of see in the example that I gave with Safari, with the new 7.3 features, you don't need to put in your username. So it doesn't care what your Google account is. The website that is using passkeys doesn't know anything about your Google account. All it knows is that, hey, there's this little bit of random data.
Yeah, Ronnie's got a good question about how to get started with passkeys up and running. I just dropped in the chat the link to the webinar we did in mid-October of last year that walks through how passkeys are implemented with iThemes Security, so I'd recommend you watch that and get those questions answered. I think we're going to wrap it up here, Timothy. This has been really, really good. I knew this passkeys discussion would be fun, and right here at the end. Absolutely. Thanks for all your wisdom. Any final thoughts as we're wrapping up here?
I think Cloudflare Turnstile is a really awesome feature. If you're able to move to it, I would definitely strongly consider it. It is even more of an ease-of-use workflow than Google reCAPTCHA and things like that, and it's even more privacy-preserving. So I think it's a really great tool. Cloudflare is a great service that provides a lot for free, and they're really kind of stewards of the open web in that regard. And so if you aren't using Cloudflare already, I would consider using it as well, just to protect your entire group.
Very good. All right, folks, there is great demand for that Cloudflare webinar, and I'm actually looking at the schedule for next week. I think I can fit one in on Wednesday, so I will get that scheduled later today. So if you will go back to training.ithemes.com... let me put that in the link for those. Right. So check later this afternoon; give me an hour or two to get that webinar scheduled. It will be next Wednesday, February the first, at 1pm Central time. We'll do a training on adding sites to Cloudflare, and that'll be a lot of fun. So Timothy, once again, great stuff today. Thanks, everybody, for great questions. Yeah, really, really good webinar. I learned several really important things. So I will have the replay up in about an hour or so; that link is just above in the chat. It's kind of cycled off. There's also the great article, if you want to go back and just digest this information in written form with screenshots; the blog article from iThemes is linked above as well. Feel free to share that replay link out with others that didn't make it, or if you know somebody that might like to attend it. It will be there again in about an hour. So thanks again for hanging out with us today. We'll see you back here tomorrow. Members have office hours at 1pm with me here on iThemes Training, where we go further together.