Introducing Solid Security: The Next Chapter in WordPress Protection
5:30PM Jul 11, +0000
Speakers: Nathan Ingram, Timothy Jacobs, Matt Cromwell
Keywords: security, solid, site, wp, patch, timothy, update, functionality, plugin, users, vulnerability, wordpress, feature, firewall, continue, stack, running, question, today, woocommerce
Just a moment to get that going. How are you guys doing today? Tim? Matt?
I'm doing good. It's almost 90 degrees here in New York City. Summer is you know, officially up and running. So I'm embracing the heat. You can see it say that that's my current state of mind. There you go. If I pass out from heat exhaustion you don't know why
90 degrees. We call that a brisk fall day here in Alabama. So yeah, it's just
I got no AC here. Oh, lights you know it's
That is brutal. Well, welcome again, everybody. If you're just joining us in Zoom, we're about a minute and a half away from officially starting talking about the new Solid Security, the next evolution of iThemes Security. Super excited to show you some of the screens that have been worked on and some of the new functionality that's included. Timothy Jacobs, the lead developer, is going to walk us through all that, and of course we have Matt Cromwell with us from the SolidWP team talking all about that brand transition, the rebrand in public that we have been working on for some months now. So again, as you are just joining us in Zoom, pop up in the chat, say hello and tell us where you're logging in from today. It's good to see folks who are logging in from around the world. Hey, Barb from Idaho. Good to see you, Barb. Barney from Virginia, Ken from the Philippines. Welcome. Stacey from Washington, Richard from Tampa, Jeffrey from Guatemala. Welcome. Shauna from Michigan. All right folks, about 30 seconds away from getting started. We got a lot of fun things to show you today with the new Solid Security plugin, not quite ready to launch yet. But it is well on the way and Timothy is going to talk all about that. We'll have plenty of time also to answer your questions about anything that you have questions about with the change of iThemes from SolidWP, the transition of iThemes Security to Solid Security, and Timothy of course is a security guru. So any other security-related questions that you have, we can try to take those on as well. All right, it's officially three minutes after, so I'm gonna be quiet for a minute and start the recording and we will be underway.
Good afternoon. Good evening. Good morning, wherever you happen to be around the world. Welcome to another live iThemes Training event. My name is Nathan Ingram. I'm the host here at iThemes Training and I'm joined today by Timothy Jacobs and Matt Cromwell from the SolidWP team. Good to see everybody here. Timothy is the lead developer for iThemes Security, which is becoming Solid Security. He's also a core contributor to WordPress and one of the maintainers of the WordPress REST API. Matt is the man of... I always forget your title. It's a distinguished title. You are the... what is your title?
Do whatever Timothy and others want. Now, my title did just change recently. So I am now senior director of customer experience at StellarWP. So that's... Yeah,
So Matt is focused on making sure that everybody that interacts with StellarWP has a great experience across all the brands and customer support. And that's a super important role. So Matt, good to see you. Timothy, glad you're here. Guys, Timothy, tell us a little bit of what we're going to see in SolidWP in a few minutes.
Yeah, so we're gonna be taking a tour of some of our changes and a whole bunch of new screens and new functionality in our currently named iThemes Security product, soon to be released as Solid Security. So this isn't going to be like a tutorial. We're not going to be showing, you know, the ADC setup process and all the nitty-gritty, different features that Solid Security offers. But we're going to take kind of like an overview and overall tour so y'all can see some of the changes that we've been working on for, gosh, the past six months now.
Yeah, it's very good. We're gonna start out today just giving you an update on the rebrand in public process as iThemes is evolving into SolidWP, and Matt's going to talk about that in just a minute. For those of you that are just joining us, we're so excited that you've decided to spend about an hour with us today. And hopefully it'll be a great investment of your time as we show some really cool things about the new Solid Security. If you're just joining us in Zoom, pop up in the chat and say hello. Folks are logging in from around the world today. I also keep the Q&A box open. If you have questions as we go, drop those in the Zoom Q&A. And it's good to have that open because if you see a question that someone else has asked that you also have, just press that little thumbs-up icon and we'll take those questions in the order of upvotes they received when we get to that time of Q&A. So let's get started just with kind of an update, Matt, about where things are in the process of rebranding. iThemes has been around the WordPress space for many years, and it's quite a journey to rebrand and become SolidWP.
It's a journey, and I've been super excited for you to be bringing us on and being able to talk with everybody about it. It's been a long road getting from here to there. I'm gonna sing... don't make me sing. Any Star Trek fans? I hope not. Let's see. But what I really am excited about today is that I've been showing basically concepts for the most part in the past, and Timothy is going to be showing the real deal in terms of an actual live environment, well, you know, live-ish environment. So that's really exciting. We also have just started basically building the building blocks of how we're posting, pushing content to the new SolidWP website. The website project in and of itself is honestly like a huge endeavor, tons of organization and resources going into how we are migrating ithemes.com over to solidwp.com and all of that content. We are looking at our tutorials and our ebooks, which are becoming the Solid Guides, and refreshing them. So any of you who have been paying attention to our tutorials and our ebooks that have been available for so long, those are getting a refresh, which I'm really excited about. We also have been doing some fun work on what we call the member panel. If you are a customer then you are familiar with the member panel and have logged in there, and that's where you access your license keys and your downloads and things like that. That's getting a refresh. Of course, that's going to be located eventually at my.solidwp.com. And we're doing a cool thing which actually was a bit tricky, but the checkout has been updated to be able to have what we call guest checkout. You're not going to be forced to create a login when you go through the checkout area. So all of these small tweaks and improvements are things we've been working on continually, and also just the way in which we refresh our content out to SolidWP has been a big focus as well.
And of course all of the products that we've been working on as well. There's actually some, I just learned today, Timothy's in the know more than I am, but I just learned about some cool BackupBuddy work that we're doing, which I'm really excited about as well. So everything that you know about iThemes.com and the products that you love are all getting touched and refreshed and rebranded and improved, slowly but surely, and eventually we're gonna have a nice really big reveal that everybody's going to enjoy. So
Yeah, looking forward to that webinar, that live stream. That's gonna be a lot of fun to show once those things are ready. And if you haven't seen it, folks, go to solidwp.com even right now, and as you scroll down the page, there's a really helpful FAQ that catches most of the questions you will probably have about the transition from iThemes to SolidWP, including the one that Barbara just asked in the chat about: if I currently have an iThemes membership, am I going to lose that? Am I going to have to repurchase anything at Solid? And the answer is no, if you don't want to. So if you are a current member with a current toolkit or some sort of package that you like, you can continue paying that same rate, and as long as you keep that plan alive, it will continue with you. You'll be grandfathered in. So lots of other good Q&A there on solidwp.com, and I'd encourage you to take a look at that if you haven't already. There's also a link there on the SolidWP page where there's a couple of video embeds. Clicking one of those embeds will allow you to join the SolidWP YouTube channel, and there's lots of content that's being pushed out there, just to talk about the process as SolidWP is becoming iThemes. Now what you're all here to see is the new Solid Security plugin. So we're going to turn things over to Timothy here in just a minute. And one thing I do want to mention, as Timothy and I were looking at some of the screens beforehand: we won't really be able to zoom in, so some of the text may be a little small, like around some of the settings, and if you're having trouble on your screen seeing that large enough, you can mouse over the Zoom window, the shared screen, and there's a green bar that will appear at the top with a view options drop-down, and that will allow you to zoom in to a higher level for yourself, if you want to zoom in on parts of the screen.
You can do that, or just wait for the replay and zoom in on the video window there if you'd like to do that. So with that, Timothy, I'm gonna turn it over to you. Let's take a look at Solid Security.
Awesome. And yeah, to add to some of our early caveats here: we don't have dates to announce yet. But I can comfortably say we're still at least a month out from release. So there's still a lot of development to go. While we have a whole lot of screens here, and fingers, all the fingers crossed that this demo is gonna go well, there may be bugs, we might run into some snafus. We'll see what happens, and we'll get those all cleaned up before the final release. But we're still a bit away from that. But hopefully at this point, now you have seen our new Solid Security dashboard. So we launched the iThemes Security dashboard, gosh, at this point I think almost five years ago, and it's a great place to get a visual overview of your site security. And the security dashboard in Solid Security has also been kind of uplifted overall, providing more clarity on some information that's actually important to you. We've got a whole bunch of new cards here that I'm gonna take a brief look at. But I think it's a great way to get a visual overview of the security of your site in just one clickable, one quick glance. We have that with this security summary card up here. And this security summary is like the one-stop shop. If there's only one thing you're going to look at on your Solid Security dashboard, it should be the security summary card. And I'll give you an overview of the latest Solid Security news. So this is what we're covering currently on ithemes.com, soon to be solidwp.com: the last WordPress vulnerability report from just a week ago. If you haven't signed up for those, you absolutely should. 70 total vulnerabilities were published last week, which is absolutely crazy. The numbers are on the rise. We'll also see here that I currently have a vulnerability installed that Solid Security is telling you about, and we're going to take a deeper look at that and some of the new screens that we have as well.
But all the other information that you're used to is still here. You can see the updates that have been done on your site. You can look through all of the lockouts, and if you want to release some of them and say, hey, it actually turns out this was me, I'm gonna go ahead and release that lockout so they can get back to their site. You can see a visual overview of the threats that have been blocked. This is a kind of dev site. It's not really out there exposed to anyone. And so I put together some sample data so you can kind of see what's going on here. But you can see, on my personal site, these numbers get up high. It's kind of crazy, but Solid Security is there to block those threats and make sure that, hey, your site's protected. We get our overview again of our lockouts, our banned users, our latest site scans. And we have this new vulnerable software card, which is powered by our integration and partnership with Patchstack. So Patchstack is a great WordPress and kind of general web security company. You can see them over at patchstack.com. They publish great articles. And since January of this year, we've been integrated with Patchstack for our vulnerability database. And so that's when you get that email from iThemes Security today that says, hey, you have this vulnerable software on your site. Make sure to update it to this latest version, or activate it or deactivate it. Do what you need to do to keep yourself safe. And we've taken that experience and given it the importance that it really deserves. So that takes us to this vulnerabilities page that we have in Solid Security. So this is going to be your one-stop shop for seeing all the information that you need to know about any vulnerable software that you have on your site.
So we can see here that I have counted up six vulnerabilities in WooCommerce, and that's because earlier today I installed a very old version of WooCommerce. You absolutely shouldn't do that. If you're using the latest and greatest WooCommerce, you won't have any of these vulnerabilities affecting your site. But we can see these details over here, the different severity levels. We have one that looks like it's particularly bad. We can take a look at it, because this one says that it's actually been mitigated by Solid Security for us automatically, and so this is a vulnerability that has been automatically patched by Patchstack. And so what that means is, not only does Patchstack keep track of vulnerabilities that affect your site, but they also have great security engineers over there. And what they do is they figure out, hey, what is this bug that's affecting this piece of software? And how can we protect your site if you don't have the ability to update yet? You know, a lot of people, we manage maybe tens, dozens of different sites. We say, okay, we have updates, let's say, that are scheduled every Tuesday. And that's when we do the updates on this site. Maybe it's a live ecommerce site and you don't want to automatically update WooCommerce every time. You might have been like me and tried that a couple of times. You see some bugs, like, okay, this isn't the thing to do. And what Patchstack lets us do with these virtual patches is they say, okay, how can this vulnerability be exploited? And how can we push to your website a virtual patch that will help keep your site protected until you're able to update? So as always, updating the plugin is the best thing to do. If you're able to update to a version that actually fixes the vulnerability, that's the best protection that you can get.
And so we highlight that for you here. We can say, hey, what we need to do is update the WooCommerce plugin to the latest available version, at least 5.5.1, and I can do that right now and just hit update plugin and it'll take care of it for me. But Patchstack has provided this patch automatically to me. I didn't have to do anything. All I needed to do is enable this feature in Solid Security and Patchstack has my back. You'll get emails that are telling you, hey, you have these different vulnerabilities. We've automatically applied patches, these are things that you need to do, so you stay in the loop and know what's happening. But for the most part, you can kind of set it and forget it and let Solid Security and Patchstack take care of you if you do happen to have vulnerable software on your site.
And one of the things I'm really excited about is just the opportunity to partner with Patchstack and the way in which we're able to leverage them in such actionable ways. It's super cool.
Yeah, it's absolutely huge. I think we've heard from a lot of our iThemes Security users who've been asking about firewall functionality. And we're really excited to be able to really dive headfirst into that with partnering with Patchstack. I think this is going to be a great improvement for your site security. Patchstack takes a really great approach where we only deliver virtual patches to your site if you need them. So if you already have the patched version of WooCommerce, you no longer have this firewall rule that needs to take some extra time to process. If you don't have a site that's vulnerable to TimThumb, we won't have firewall rules on here that are protecting you against the TimThumb vulnerability from years and years ago. So we only deliver the rules that you actually need to your site. And so that means that we can make our firewall run faster, and not worry about, hey, there's this theoretical attack, but let them hit. Nothing bad's gonna happen. There's no vulnerability there. So I think Patchstack takes a really great approach in defining their vulnerability rules. We have talked about, and this is kind of one of those things that is going to differ for Solid Security customers and current iThemes Security Pro customers: Patchstack is an integration that's going to require you to upgrade to a Solid Security plan. All of the other functionality that I'm going to demo today is going to be available for you. If you're an existing iThemes Security Pro customer and you have an existing license, you'll be able to use all of this and all this new functionality. But the actual virtual patches functionality is something that's gonna be available as part of our Solid Security plan. And so we're going to make sure that there's a really easy way for you all to update to that plan via the member panel that Matt has been talking so much about, the work that's going into that.
So that is going to be a feature that is a Solid Security core feature that you're going to kind of need to update for. But everything else that we're going to talk about is available for existing iThemes Security Pro customers. So we can take a look now at our firewall screen. We've talked a little bit about this. And so this is our place to take a visual kind of look at all the different firewall-related tasks that iThemes Security has been doing for you. And previously this was kind of part of the dashboard and different cards, but we wanted to really give a very forward and very direct place where you can see a good overview of all this information and all these different firewall-like actions that Solid Security is protecting you from. And so this page is currently using some mocked-up data, just to be clear about that. That's why this date says June 25, when today is in fact July 11. But this is going to show you an overview of threats that have been blocked, different logs and different actions that have been taken. You'll be able to see, hey, here are the top IP addresses that have been blocked, top blocked requests, different things that we're doing to protect your site while you sleep. We also have this Rules page. And so we can see here that we have a firewall rule that has been added for us automatically from Patchstack, because we're running that outdated version of WooCommerce. And if we determined, let's say, hey, it turns out, actually our site isn't vulnerable to this. It only affects some sort of small amounts. Maybe the rule is causing issues for your site in particular, you have some weird custom code. You can deactivate this rule, and that will make sure that, hey, we're no longer going to apply this firewall rule. So if you're confident, hey, we figured out actually this is causing an issue with this site, in that rare case you can deactivate it, but it's right here for you to reactivate if you ever need it again.
But this page is going to have those firewall rules that automatically get applied to your site. But again, that happens in the background for you; you're not gonna need to do it manually. Another new screen that we've introduced is this site scan screen. So this site scan screen provides a visual overview of a lot of the different scans that iThemes Security has been doing for you and centralizes them into one awesome location where you can kind of see an overview of, here are different things that I need to know about the security of my site. So right now it's scanning through rogue installs, it's looking for any vulnerable plugins, vulnerable versions of themes, different versions of WordPress. We're going to see already that we've found an issue. We have a rogue install scanner that's determined that, hey, it looks like there's an old version of a WordPress site that I have running WordPress 5.9 that I need to take care of. And if I take a look at these details, it's going to tell me that, hey, if this site isn't used anymore... a lot of the times, you know, you might have a server up there and you have tons of old WordPress sites that are sitting there. You might not know, but if those sites are still accessible to the web, they can be places that hackers are able to get into your site and cause your vulnerability. WordPress pushes out automatic updates and automatic security updates all the time. And so it's really important that you keep those sites up to date, and if they're not used anymore, you can just remove them. And they can be difficult to find, you may forget about them, and the rogue installs feature brings that front of mind for you. But you can also see some other issues that the Solid Security site scanner has flagged for us. We see that Bertrand has administrator capabilities but doesn't have a strong password, as well as Darryl and golden. And so we have different options here.
The best way to accomplish this is to enforce strong passwords, and enforcing strong passwords is an option that's available inside the Solid Security settings page. So we're going to take a look at that. So this is the new redesigned Solid Security settings page. We did a redesign almost two years ago at this point. But this page has been the subject of a lot of attention in this latest release. Not only have we been adding new pages, but we've been taking a look at some of our existing functionality and making sure that it's way easier for users to understand and be able to find the things that you're looking for. So when we get to the Solid Security settings page, we see an overview right away with some of the global settings that we need to think about and care about. We don't need to go hunting or burying in any menus. We also have the new Features tab. And so this Features tab kind of combines what was previously two screens in iThemes Security, where you needed to kind of like toggle back and forth between them to get what you were trying to do. But this combines both the enabling and disabling of features, for instance two-factor, as well as the actual settings right here, so I don't need to go hunting for another page. I can just see an easy list of all the different security features that are available for me on my site. And I can browse through them, figure out the ones that I want to configure. For instance, maybe I want to change some firewall configuration. Or maybe I want to disable the magic links feature or enable the new CAPTCHA feature. If you didn't check it out, we launched support for Cloudflare and hCaptcha earlier this year. Check it out. It's a great, great new feature. And so we've made this process a lot simpler for you to get to the features you need and make the configuration changes that you need to do without needing to dive and bury and switch between different menus, which is a little bit confusing.
We still have our user groups functionality, but again, it's received a new fresh paint to show you an easier way: hey, here are the different features that you have available. Go between the different groups. We can see here, for instance, our administrator users, and we don't have the strong passwords enforcement enabled. But with a click I can enable strong passwords. We also have refuse compromised passwords, which is a feature that I always recommend, that will prevent any user from using a password that might have shown up in a data breach. And so if I want to enable that for administrators, I just need to check those two boxes, hit Save, and we've updated our user group settings right away. We have our notifications as well. So we have the ability to say, hey, by default we'll email all administrators. But actually, it turns out, we don't want you to email all of these people, just email me and the person who cares about security for this site. And we can go ahead and do that through our default recipients, and we can still make all those great changes to all of our different notifications, for instance, disabling the site lockout. So if you don't want to be emailed every time a user gets locked out of your site, you can do that right here.
I like that setting a lot and I would prefer all my sites just email Timothy and not.
Is that Yeah. Is that our solid
security super feature? Just add my email address.
Do you want to email Timothy? Yes.
But yeah, that's a great place where you can make some of these different adjustments and find all the settings that you're looking for. We've also taken out some other functionality that was best served in other pages, for instance, the Tools page. So previously, this was kind of hidden as part of the advanced section of the settings page. But we have elevated tools to being its own admin page, so we can focus specifically on using a different kind of suite of Solid Security tools. And these are, as it says, advanced tools to help manage your site security. These aren't things that you should be going about using day to day. You don't need to; Solid Security really handles everything for you. But you can see these different tools here. Take a look at, for instance, the server config rules that are being sent to our site. If you're on an nginx host, you might need to do some extra setup for that. See WordPress config rules. So I have disallow file edit turned on. You can change WordPress salts. If your site's been compromised, this is a feature that you might want to use. Don't do this every day. Some people say, hey, rotate your WordPress salts every week. Don't do it and make all your users log in again, you don't need to. But this provides a convenient way to gain access to all that functionality. And of course also our import and export features. So if you haven't taken a look at it, import and export is a great way for making a security profile of your site and being able to import it into another site that you manage. So you can see here if we want to include all the active features that we have, if we want to migrate over any users that we've banned on this site to another one. We can also migrate user groups, the security dashboards themselves, as well as we can customize the list of settings that are available.
So by default we'll migrate all the modules over, but if you want to say, hey, actually, all of these but CAPTCHA, we're not gonna use CAPTCHA on that site, you can prepare an export right from the Tools page and use that to help speed up your process when you install Solid Security next. The last page that I want to touch on is our user security page. So there's kind of two big aspects to your site security. One is if you're running vulnerable software. If you're running vulnerable versions of plugins, WordPress core itself, themes, that's a really easy way for attackers to be able to compromise your site. The other thing that's important, though, is still user security. So you want to make sure that users are not using bad passwords. If an administrator user has a weak password and an attacker is able to compromise it in a couple of guesses, maybe because it appeared in a passwords breach, you need to be aware of that. So the user security page provides an overview of the different security levels of all of the users of your site. By default, we're showing administrator users, but this page is actually filterable. So if I wanted to, I could see across all the users on my site, I could find everyone who's using a very weak or a weak password. And I can do all this different filtering through this Filters pane on the user security page. It also has some really cool functionality built in as well. So let's say we have this very weak user, maybe this other user that has a weak password. We have these quick actions for editing multiple users at once. In this case, we could delete those accounts right away. Hey, maybe they're not used anymore, and we just want to get them off of our site. We can use this delete accounts button and it will delete the sites, delete those users from your site automatically in the background. But we have other options as well. We can add users to user groups, we can send them an email: hey, reset your password, please take care of this.
We can force them to log out, we can send them two-factor reminder emails. And so this is also one of these places that we're gonna look to add a whole bunch of new functionality as well. If there are things that you do with your users all the time and you're like, oh, I wish there was a way that I could do this across all my site, let us know. And it's a feature that we'll be adding to this user security page. But this is kind of your home base for thinking and seeing an overview of: how are users on my site doing? Do I need to make any changes? Do I need to talk to some people? What are my options? So that is the kind of 20 foot overview of what the new Solid Security product is looking like. It's really exciting. I'm really excited and looking forward to all of y'all being able to play with it. We're still a bit away from release. But someday soon, you'll all have your hands on this.
Timothy, what are the next big items that you're working on before release?
So we have a month plus scheduled for defect checking, and we're going to be doing lots of testing with manual and automated tests to make sure that, hey, this is a stable release update. The other thing that we're doing before release, if you look at this, it looks almost done. What we have next to do is our onboarding. So iThemes Security currently has an onboarding sequence that we're gonna be also giving a fresh coat of paint and focusing and figuring out, hey, where are the places where we really want you to pay attention to. And so revamping that onboarding process, as well as our imports process as part of that onboarding feature, are the last things that we really have to do with Solid Security before launch. So we're getting really close. Excellent. Now they're good.
Yeah, very good. We've had a lot of great questions come in, Timothy, while you've been walking through Solid Security, and there's some things here that I just absolutely love. The firewall section is amazing. The dashboard is so much better. This user security and multiple actions is really going to be helpful. This is really great work. Congratulations.
Yeah, excited about it.
One thing I wanted to back up on just a little bit. There's been some conversations in the web about the different ways in which security, different approaches to security, and I think one thing that maybe not everyone really pays attention to all that much is iThemes Security and Solid Security's unique perspective on WordPress website security. Timothy, can you go into just a little bit of detail about what makes our approach unique and different from other options?
Sure. So there's a couple of different aspects to keeping your site secure. And so part of that is making sure that you're not running vulnerable software on your site. Once an attacker has compromised some software, you've got a kind of long road ahead of you of making sure your site is completely clean. So what we're really focused on with vulnerable software detection, in our partnership with Patchstack, is prevention, is making sure that attackers aren't able to exploit your site and figure out hey, there's this vulnerable vulnerability here, vulnerability there. WooCommerce had a critical vulnerability. It was released 12 hours ago, we figured out attacks for it. And your site's already been compromised, and you haven't even woken up for the day yet. We want to really prevent your site from being compromised in that fashion. The other thing is a lot of our user security features users are the have to use your website. If we're able to say hey, we have a website. We updated it in 2015 and we haven't touched it since no one needs to log in. Maybe be a different story, but on a lot of WordPress sites, we're using WordPress because it's one of the best if not the best CMS in the world. And we want users to be able to get in there and interact with it, update content, make changes to their site. And so that means users are logging into your site constantly. And we really want to make sure that users are using the best password security practices, the best two-factor practices to keep their account secure, and really as we move into the future with passkeys, seeing passwords just kind of being fading out into the background entirely. And so those are kind of like the two avenues that we really want to help your site stay protected. But with making sure that you're not running vulnerable software, and if you do we have your back until you're able to update it, and making sure that your users aren't unwittingly letting attackers in through the front door.
Yeah, the whole concept of firewall, we've actually had a lot of conversations about it. And that one analogy I heard recently that I really love is that with a firewall, it's kind of like you don't want you want to build a fence around your house, not inside your house. And so sometimes there are there are ways in which a plugin might say they have firewall features, but they're dependent on WordPress itself, whereas a firewall really has to kind of exist outside of WordPress in some ways. And so what Patchstack offers us is actually a mixture of both in some ways. Can you speak to that a little bit? Or am I hitting a miss?
Sure. So the way Patchstack works is that Patchstack delivers us a set of virtual patches that come through, and so we say hey, we've detected we have our site scanner feature. It runs currently twice. Today, we're thinking maybe opening that to 468 times a day before we release and we say hey, what vulnerable software do you have on your site? And then what we're able to do is, Patchstack says: okay, we've determined that you're running this version and it's subject to these vulnerabilities. So Patchstack has done the hard work of figuring out okay, these are all the different particular vulnerabilities that you're subjected to, and here are kind of firewall rules, Patchstack uses the term virtual patches, that can protect your site. And the way these work is they're laser kind of targeted and they say specifically, okay, we see this in the request and we see this in the request, block it. If there isn't this WordPress related functionality also going on there, block it, maybe we allow it if it's actually a proper administrator user, and we run this code pretty early. We run it as a must-use plugin in WordPress. And so what that means is before most of your other plugins have had a chance to run, the Patchstack firewall is able to say okay, let's take a look at this incoming request. Is it safe? If so, we'll let it continue on to the rest of WordPress, but if it's not safe, we'll stop it right at the gate. We'll stop it before plugins are able to load, before the vulnerability actually has a chance to get exploited. And of course, if we ran a firewall, you know, all the way before, right before we're sending the response back to the user, they might have already compromised your site. So Patchstack's firewall and Solid Security runs as what's called a must-use plugin. And so we're really having a tool as part of Solid Security that will automatically set up that must-use plugin for you.
Nice, have it cool. Those are my biggest questions and we have some really good questions. There's a couple ones here about pricing two that I think are really
important. Yeah, let's have three questions save that kind of relate to the transition into solid WP from current I think security licenses and how that's all gonna work transitioning and maybe we start there, then we'll get into some of those really, these other really good security related questions. So first, Sadie had a question in the chat just a bit ago about the situation for current AI themes toolkit members. She says she just renewed her toolkit on the basis she would have everything with solid WP if I theme security Pro is being replaced with solid security. How is all that licensing going to work?
Yeah, so when you update in a few months from now, you're gonna get an update in your dashboard like you would any other plugin update and you'll be able to update from iThemes Security Pro to Solid Security directly. So you're not going to need to relicense, you're not going to need to go to solidwp.com and get a new account. And you're gonna see this user interface, you're gonna see these features, you're gonna see this functionality. The only thing that you're not going to have access to immediately is the Patchstack integration. So that's our virtual patches technology that we've been talking about, where when we detect that there are vulnerabilities on this site, we automatically provide patches or virtual patches to your site without you needing to do anything. That's gonna be a feature that's going to require actually changing your subscription. And Matt can probably talk a little bit more about what that process is going to look like.
Yeah, we're working on the details of what that looks like. But just for general context, you know, with this rebrand and Publix of we're trying to be as transparent about everything as we possibly can. But essentially we are going to be paying for every single person that you leverages patch stack through i theme security through solid security I'm never gonna I'm never gonna get over the all the name James's
years of name history.
So, so we are we are incurring a cost there and so we are going to definitely don't need to compensate for that in one form or another. But we do, of course, have a really great partnership with patch tech, which enables us to be able to do this at a much larger scale than most other folks would be able to do. So we're able to do it and a great offer the exactly the way in which like the really fine details of how existing I theme security Pro users will be able to upgrade to solid security with patch deck. We're still trying to nail in those exact details because we want that experience to be as seamless as possible for you. And also as as as fair and reasonable as possible. But it's there's going to be a really clear onboarding path. It's going to be really clear. I will say as a heads up to that cost is basically going we're planning that that cost is absorbed into new customers. So if you have folks who are considering iThemes in any way, we're planning that the patch that cost is built into solid security going forward as much as possible. So
yes, we're gonna have solid security on wordpress.org and solid security through solid wp.com But it's not gonna be three versions. That you
know, exactly. So our task is really to help all of you all did I already have saltstick that I theme security Pro, to be able to get up to solid security with patch deck enabled. And all of the free folks that are having basically like some basic firewall rules is what I understand Timothy depends on timing. But yeah, yeah. That that will, there'll be able to upgrade into solid security. And that will have patched that can automatically we're calling it right now solid security by itself and I theme security, free. Version is going to be called solid security basic. So that's the differentiation that we're making there. So so the ICC real quick, the price the toolkit is going up. toolkit itself is a specific bundle that is not going to exist anymore going forward. All of you that have toolkit you're gonna be I don't know if there's a better term for grandfathered in, but essentially, you'll be able to continue to renew that just as you always have. But, but we're not going to be continuing to sell toolkit as a as a specific set. We are selling the solid suite going forward, which is solid security, solid backups and solid Central and solid secure solids. We will include any and any other solid products that we happen to build as well, which is a little foreshadowing for you. But yeah, that's the plan and that's the intention. We are on the FAQ that we posted Nathan posted earlier. There's a section there about products that are going forward and products that aren't and in the next I would say within the next three to four weeks. We are going to be sending out communications about any individual products that are being sunset in any way. So heads up for that communication. So and we do have alternatives in mind for those as well. So yeah,
very good. Gary had a question related to his Nexus hosting plan, which also includes currently I think security Pro. How does that path going to work?
sames Yeah, so when you use a Nexus plan, you should get automatically licensed to use I theme security pro Currently, there's a little Amande merrier we can say hey, what plugins do you want? And you'll be able to choose that and the process should yeah, continuous normally you'll see an update, you know the will update to it.
Good, good. And Kay has a question that just popped in the chat. The current item sync and current ipmns Backup Buddy are also going forward with the brand evolution. Matt, you want to talk about that just briefly. Yeah, absolutely.
As I mentioned, where each of them are getting their own refresh. And so going forward, solid WP is really going to be focused almost exclusively on the foundational aspects of your website, which right now for us that includes solid security, what we're calling solid backups. I think you can figure out that's backup ready. And then solid Central, which is what is today I think, I think they're all getting their own evolution as well. And all of the investment that we're putting into those products already currently and you'll see releases coming out over the next weeks. Those are all in order to get us prepped and ready for the solid launch as well. And of course, going strong forward as well. So in some ways, like there are like, again, like full transparency. There's one one thing that we're patching up right now is the ability for Backup Buddy folks to restore backups. It really hasn't been functioning super well for a little while, and that one's coming out soon. So these types of like being able to just shore up little tiny things that have been a problem for a while on some of the i iThemes products or things we're really doubling down on and making sure that everything that gets out the door is really really solid. Pun intended. So watch for that stuff.
Yeah, very good. All right, let's turn to some. We have a bunch of questions stacked up in the q&a about security specifically and let me just invite anyone, if you haven't, if you're in the chat and you have questions, please use the zoom q&a button there. And that will stack questions up and you can upvote the questions of others as well. So if you're not watching those q&a items there, pop that open and upvote questions that you would like to see answered. First question that I have here is from anonymous. Will the dashboard panels, Timothy, will they be actionable? Can you click on those and go to the right spot to do something about them?
Yeah, exactly. So we have for instance, this vulnerabilities here. This fix vulnerabilities link takes us directly to the vulnerabilities page. You can create a backup for instance directly from this card by just clicking this button. You saw earlier releasing lockout declaring lockouts. Those have since expired since the start of our webinar today, adding banned view and Governability is forcing password changes for some people to lock out all of the functionality that is part of the dashboard so it's not just a read-only view. It's an interactive place to see an overview of your site's security and it refreshes by itself in the background also, like every two minutes or so, you'll see new data flow into your dashboard. Very cool.
Timothy Vernon would like to know if you go to patch that.com And you look at their pricing tier they have some tiered pricing at which level or you could say that which level of patch stack is being integrated into solid security.
So I don't think it's a directly analogous to any of Patchstack's existing plans, but the functionality that we're integrating is both their vulnerability database, which we integrated back in January and it's available for both our pro customers as well as our free users on wordpress.org. And then we're gonna be integrating virtual patches. So virtual patches will come to your site if you are a Solid Security with Patchstack customer. So those are the two bits of functionality specifically that we're integrating. I don't think it maps exactly to a Patchstack plan. Yeah.
Good question from Bob, trusted devices that's been flagged as beta for a while is that going to be enabled in the new version?
So trusted devices isn't able to use we have a beta label on it because I'm personally not super happy with the user experience. I think it needs more fine tuning and refinement to be what I would consider a solid recommendation, I guess you could say, so that's why it kind of still retains the beta label. It is safe to use and does work well. But I think we want to make some more UX refinements to make that experience a lot nicer. Currently, it's still a little bit clunky around its edges. And frankly, it hasn't been a huge priority with a lot of some other new great features that we've launched recently. For instance, I would almost always recommend using passkeys. Using passkeys means that your login can't be phished. And that kind of functionality makes things like trusted devices almost not necessary anymore. So our focus is a lot more on those features, but we may see updates from trusted devices.
That's that's some a lot of the stuff I was alluding to earlier about our unique perspective on security, like the really strong focus on user password security, I think is really unique. I mean, they still talk a ton about how user credentials is still the number one way that folks get access unauthorized access to your site and things like that. Being able to tighten things up on that front I think is super important.
Yeah. Here's a good question from Vern. We addressed this sort of a little bit earlier, but maybe a direct answer would be helpful. When I think security becomes solid WP, how's that gonna look at in the plugin directory on wordpress.org/plugins.
So you're gonna get a whole lot of new functionality. So we haven't actually removed functionality, I think ever, from the free version and put it into the pro version of Solid Security, previously iThemes Security. We've never done that. And at least as far as I've been on iThemes Security six, six years, something like that. I mean, we're gonna iThemes Security. I don't know it's we've never actually taken functionality from the free user product and put into the pro product. And that's going to continue with this release as well. You're gonna gain access to a lot of new features, a lot of these different pages. You're gonna have all the UI updates, all those types of things, but you won't have access to Patchstack integrations, for instance, without being able to be a Solid Security customer. But no, I think Solid Security will continue to be a great free option for users who aren't ready to take that commitment.
Right. And you'll see for example, if someone is looking for the plugin, it's going to be listed in the directory as solid secure solid security now correct.
It'll be solid security basic. Yeah,
basic. Yep. Got it. Yeah, just weird detail. of.org like the, the way you find it in the URL that unfortunately cannot change and it has not changed for I iThemes. Security in a long time. If you do see that URL. It says better WP Security right now. That's going to continue, but the title on the page and the branding and the cover and the icon and all the content, it's all going to be updated to reflect it correctly. Just a nuance of the way.org works. So
you'll see that as well in Solid Security. And the for now at least the directory is going to retain iThemes Security Pro. We have an extensive suite of WP-CLI commands. If you've built those into your process, you won't need to update them to use a new name. If you're using any of our actions and filters, all of those are going to be maintained. So the update process should be fairly seamless.
That's good to hear all that's being thought about in the context of this whole rebranding process. Let's see Genesis services if a host is like if you're using a host like WP Engine that provides its own firewall, would you still recommend using patch stack? Would there be potential conflicts?
So with multiple security solutions, there's always the potential for conflicts. I would say that the way that Solid Security and Patchstack's firewall work, I'd say it's less likely for you to wind up in a scenario where your site becomes inaccessible. You might have extra layers of protection in place. And so that is a possibility. But I would say if you're currently running iThemes Security on your WP Engine site that you should still continue to be able to run iThemes Security on WP Engine even if there's a little bit of overlap in functionality.
Here good. Let's see been wanting to know if the Cloudflare turnstile functionality is carrying over to solid security.
Yeah, so if you missed out in our release in January of this year, we added support for both hCaptcha and Cloudflare Turnstile as additional CAPTCHA providers. So we've had Google for a long time, but you can also use Cloudflare Turnstile, which is a really excellent option and the one I would recommend first, as well as hCaptcha, so yes, you can get that functionality. Now if you're a current iThemes Security Pro customer, make sure you're on the latest version. But yes, it will be part of our Solid Security launch as well.
Let's see. Bob would like to know if there's any integration plan between sync or what will become solid Central and patch that will any of that data be surfaced in sync?
So for release, probably not. But the continuing to provide great features in solid central that work with all of our products like solid security and solid backups is continued and even more over priority. Going into the future. So for our initial release, probably not, but providing a centralized place to see hey, more information beyond just lockouts, which is where you can kind of currently see in sync are all things that we really want to add in the next few months after release. Yeah,
I will say I've mentioned this actually on our last webinar, that Devin Walker and I see a lot of really positive potential with Central and we're really interested in seeing all the ways in which we can make it more influential and important not only for solid but for all of stellar WP. So what we can do there, we're gonna see we and I mentioned this last time, too, we just actually brought on a full time hire that's going to be dedicated to the central, really excited about that. So we're we're just starting the beginnings of really seeing how we can make this more and more important and in central to everything central net. It's another been central to solid. So
I just got lost. Yeah. Let's see anonymous question here. Currently, I think security Pro includes vulnerability updates. Well, those were the vulnerability updates like patch patch plugin if if the patch exists, if there's a vulnerability, is that functionality going to be included in the non patch stack version?
Yes, I think yes, you will not lose any current functionality. So this is a feature I love. We have version management. I've actually looked at this panel since we redesigned this page, but it lets you set up custom on right. Turns out it's not working. But lets you set up custom updates for plugins to automatically update, but we also have this really awesome feature called Auto Update if it fixes a vulnerability. So if you're using Patchstack and version management, whenever we detect that there is a vulnerable version of software on your site, and an update's been released for it, we'll automatically update to it even if we haven't said hey, update every version of Yoast SEO or update every version of WooCommerce.
I didn't have that one. I love
it. Yeah. So that functionality currently exists in iThemes Security Pro and it will continue to exist as part of Solid Security and you will not need an additional Patchstack layer to continue using that functionality. Nice.
Very good. Let's see. Jay is asking about agency pricing. That is have you thought any about what the agency pricing for folks that want to upgrade to new features like patch stack integration. Jeffrey is chiming in as well. Hundreds of sites they host how how's that going to work?
I gotta give a shout. I think this is Jay buys from San Diego. Oh my gosh, I need to connect with this guy is a good guy who I haven't talked to in a really long time. And that's a great question. We are beating up agency pricing a bit and again in all transparency. Quite honestly the multiple site licenses that I iThemes has been offering to date is a little bit difficult from a business perspective. So we're going to beat it up. We're going to do our best and make it as fair and honorable as possible. Right now I talked about this last time in terms of single site licenses. We're planning that all the pricing stays the same. It's 99. For security, it's 99 for backups, and it's 69 a year for sync all together that's 269 it's likely that we're going to probably reduce that a little bit for what will be the solid suite. So instead of 269 We'll see probably something a little bit south is there. But when it comes to like offering higher license numbers, it's probably going to be some sort of discount on a multiple of that. Right now. The plugin suite in particular is 499 for five sites. And that's basically like a 50% discount off of off of what that actually I it's actually it's actually more than a 50 It's like a 65% discount, considering all of the plugins that actually come in the plugin suite right now. from a support perspective, it's really hard to to maintain a support team with that many sites running per customer. So I'm just talking about the realities of the the numbers of what that looks like. So not planning to like blow the numbers out or anything like that, but we are beating it up. We need to make sure that we are being fair and honorable to everyone else in terms of the folks who are who are purchasing it and also in terms of being able to keep our teams running. But big giant caveat making sure that that's perfectly clear. We said this every single webinar. 
If you are a toolkit owner today a plugin suite owner today you have a license that you've had for years and years and years. That's going to continue no matter what you get that pricing that's fixed and locked in. Nobody's changing that. You're going to continue to keep going so highly recommendation from me to you if you have a license of any of those today. Keep it keep, make sure you keep your credit card updated. It's a really amazing deal that iThemes has been offering for a really long time. And we're going to continue to be really honest and upfront and fair. But that exact pricing I think is probably not going to stay exactly the same. So
yeah, very good. And I think this is a good time also to answer Billy's question about packages. Billy's just curious why the toolkit isn't passing forward. Maybe you can just talk a little bit about solid suite versus toolkit and that whole evolution
Yeah, it's honestly I will be perfectly honest and say it's a little bit of a rabbit hole question. It gets into the weeds of the our broader organization stellar WP a bit and then okay, there's two parts to it. One part is that we as stellar are going to continue to explore ways in which we can help lift all boats, like tons of folks if you're not perfectly familiar with stellar WP, just go to stellar wp.com. You'll see our whole family of plugins that we that we support here including I themes and saw the WP but one of them is the events calendar. Tons of nonprofit organizations use the events calendar, they should absolutely be have the ability to also power their donations with gift WP in a really easy and seamless way. Being able to like have those brands communicate more efficiently together has been a bit of a challenge. And but we are working on solving that but that's like a year long project at least before we're able to really kind of cross promote all of our brands really well. And but that is what we're hoping for. And right now the way that I iThemes has been selling different products that actually span different teams is is a little bit fragile the way in which the licensing happens and where the support goes and things like that. And we want to make sure that we're actually providing the best customer experience across the board for everyone. And and the way it is right now is is not ideal, quite honestly. So that's one side of it just from a technical business side of it. The other side of it is honestly just in terms of like a marketing and customer experience. We want solid WP solid WP to be known for doing the foundation of your website. Kadence is an amazing product and we're going to continue to promote Kadence as often as we possibly can. 
But when you want to purchase Kadence you should go to Kansas wp.com and restrict content pro a great membership plug in, you should absolutely get that but you should probably do that restrict content pro.com Things like that, because those are not what we would call the foundational aspects of the website. So WP needs to be known for that solid foundation. And so we're from a marketing perspective, from a customer perspective, we're focusing on that exclusively as much as possible. Again, rebranding public telling the truth as much as I possibly can say in everything that that we were talking about internally, so it's a really good question. It can go a lot deeper to honestly Yeah, definitely keep me honest. If if I'm saying anything that you think is, is off, so
and once again just this is something we've said multiple times and just to be 100% clear, if you have a lifetime deal on AI things products that will not change, right Matt?
Correct. It will not change. So yeah. And if you have a toolkit license that is, is renewing annually, a plugin suite license, it's renewing annually and Essentials Bundle that's renewing annually, keep your credit cards updated, because you'll get to continue having that it's it's not as if I'm saying that the system is going to stop working. It's going to continue working licensing is to continue to be generated but new customers going forward are going to are going to have a solid WP only experience for the most part.
Right? So like Matt said earlier if if if you want to jump in on a current I themes toolkit deal that includes for example, Kadence do it now this is the time to do it. Let's see. versa. Yeah. Timothy, let's go to Verne's question here and you mentioned this briefly earlier, but let this be good just to put an emphasis behind it with the upcoming name change will the free version of what will be solid security still be a useful plugin. That is well some are many functions of today's free version be changed to pro only.
I think we talked about one a couple of minutes ago. And yes, we're not removing any features from free and putting them in pro. Free is going to gain a lot of new features. They're not going to have the Patchstack integration for virtual patches, but no, free will continue to be a great solution for people who aren't looking to make the investment.
Very good. Let's see Elizabeth, do we is there any detailed answer Elizabeth question here? In Nexus? Well, the patch will the solid security version that will be available in the Nexus managed WordPress plan include patch stack.
I think that's the plan. But the way that system works is also a little bit weird. But yeah, I believe that is the plan, that Nexus users will be able to use Patchstack.
Great. And that's something to talk to the Nexus folks about I would imagine.
It will probably have communications from us about it to address before and as we approach our actual launch day.
Gotcha. Let's see. So Sadie is correct with what she just said in the chat. Matt, is that right? If she keeps her toolkit as she has it now and wants to just add the patch deck integration that's what we'll that's what she will have the option to do.
That's a fun environment to think through. Yes, that should absolutely be possible. But like I said, the exact technical details of how current solid security Pro users upgrade to the patch stack version is still under way and still working through exactly how that works. But the way toolkit is licensed, I believe it shouldn't be a problem as far as I can. But you know, there's still I'm gonna say that's our intention. And that's our plan. That's all I'm gonna say. Great. Let's
see, Vern Timothy. Is Will there be a performance hit to the new firewall actions that solid security will add?
Sure. So anything that runs on your site does take performance, right, we have to look at the request, check if it contains these parameters, if so, do a block. So yes, there will be some kind of performance impact. The way that Patchstack works that is very smart compared to how a lot of other firewalls work is that we only deliver the rules that are 100% required for your site. So we're only going to have patches running that will actually protect your site. The second you update that plugin, or deactivate or delete that plugin, those patches won't be running anymore. So when it comes to it, the trade off will be: hey, do I want my site to be hacked? Or do I want to incur the little bit of performance hit when I'm running these virtual patches? And we think the trade off lies clearly on that. Okay, we'll take a little bit of a performance hit. But the second update is available, you'll be updated to it potentially even automatically, if you configure Solid Security to do that for you. And that patch will no longer be applied to your site. So there will be a performance penalty. There has to be for anything that we're running on your site. But we think it's the right trade off for how the Patchstack firewall works.
Right answer. Also really good transparency and something that that I think more plugin authors need to be really upfront about.
Let's see question about I theme stash which is our cloud storage that works with Backup Buddy and I think sync currently 50 gigabytes of stash storage is included in the toolkit. Will that continue?
Yeah, the plan is that we're going to maintain parity with features that we have as much as possible. Right now, like I said, with stash in particular and Central and even aspects of of Backup Buddy. We are looking into all the details of what that means to carry that all across. But we have no intention of changing any of the features. In terms of like what Timothy was saying we're not taking things away at all. As much feature parity as much as possible. If there's ever something that we feel like is gonna go away, it's not going to be for the sake of conversions or revenue or anything like that. It'll be for safety purposes only. So
yeah, there's a sprint starting in a few days on doing some awesome reliability improvements to stash live for instance. Excellent.
All right. Let's see very important issue here. Sadie is calling for Tim to get a ticket at the pay raise. Matt, can you comment on that?
We have given to him a pay raise
My title has changed since the last webinar. Right now I am head of Dolan for all SolidWP products. So Solid Security, Solid Backups and solid Stach. Well deserved.
We're trying to keep him as happy as possible.
So it'd be eight years, I mean, iThemes, in like November depending on how
Amazing. Y'all, lots of congrats for you there in the chat, Tim. Okay, anonymous question: if I enable update or apply fixes to fix vulnerability, does that only apply to a vulnerability that hits a certain risk threat risk threshold, or how does that work?
Is or not currently. This is one of these interesting points of how many bells and options do we put towards users and how many things we make just checkboxes. If that's a feature that you think would be really valuable to us, you can always reach out to our support team and we catalog tons of different feature requests and I can definitely see how that would be useful for you. Currently, it'll apply to any vulnerability. But that's something that we could, for instance, offer a UI option to configure but it's always a balance. How many UI options do we add before the interface becomes so overwhelming that people don't check any of them and don't enable any of the options?
Exactly. And Timothy again, really quickly, how folks can make a feature request like that.
Yeah, so if you head on over to ithemes.com, there's a link up in the top right over here called login. And when you log into your member panel, you'll see that kind of support area, and you can open up a new ticket. I think there's even an option in the drop-down for a feature request. And you can send that over to our support team. And we keep track of all of them.
Very good. All right, one final question. We're a few minutes over here. One final question here from Vern. We got into the weeds on this in the last live stream talking about version numbering. Are you going to keep the current version of iThemes Security as it rolls forward, or is this going to be Solid Security 1.0?
I will say we're definitely not going to reset versioning, and we don't know if this launch is like a 75 or an 8.0 or what have you, but we're not going to be resetting versioning down to like 1.0, for instance. So it will be a new version and a version number that is larger than the current version. That exact version number I don't know. But news to come, I guess.
I'm glad you're here because they asked that last time and I was like oh
Yeah, it's an interesting thing, right, which is that we track plugins, right, in our plugins tag isn't gonna change. And we've had, for instance, updates in the past that are fixing a particular problem. And we start saying, hey, this affects you if you're on version 2.5 And those 2015 But then we change our version number to 1.0 and our plugins delegate is the same. How do you know whether or not you're affected? Now the version numbers will continue to march forward. Yeah,
very good. All right, Timothy, man, this has been really, really good. Lots of excellent questions. Very good and honest answers. Timothy. Want to give us a few final words as we're wrapping up?
Oh, sure. I am super excited. We've been working on this for months and months and months. We did a couple of early previews this spring. But the whole team has been working really hard on these updates. And today we've only shown you Solid Security, but we've been making similar hard work on our Solid Backups and Solid Central. And so I'm really excited for you all to see these roll out over the next couple of months, something like that, and get your hands on these new features. I think it's a huge leap for our plugins. And yeah, I couldn't be more proud of our whole team for getting this far, and soon you'll have your hands on it.
Very good, Matt, anything from you?
I'm excited that I get to continue to work with awesome folks like Timothy and that everything's coming together. I really have been amazed seeing this team really gel and get excited around this new vision. And man, it's just gonna be up and up and up after we get launched. It's like launch is just the beginning and definitely not the end. So I'm excited.
Absolutely. Well folks, that's gonna wrap us up for today. I just dropped in the chat the replay link. We'll have that video up in less than an hour from now if you'd like to go back and rewatch any of this, or share it with someone who was not able to attend live. That video will be up there for you at the link that was in the chat. I'll drop that in one more time now. Thanks again for hanging out with us for the last hour. I've seen some really cool things I hadn't seen up to this point. I'm super excited about Solid Security. We are back tomorrow with the fly course for iThemes Training members talking about building systems for your business. And of course office hours on Thursday for members as well. So that's gonna do it for us today. We'll see you back here tomorrow on iThemes Training, where we go further together.