WordPress Disaster Week: Session Three - 7 Ways to Detect and Stop Malicious Behavior on Your Site
9:01PM Mar 9, 2022
Speakers:
Nathan Ingram
Michael Moore
Timothy Jacobs
Keywords: security, solarwinds, site, logs, file, question, factor authentication, vulnerability, attack, breach, people, pro, malware, detect, alerted, plugin, website, hack, wordpress, database
Well, good afternoon. Good morning. Good evening wherever you happen to be across the globe. Welcome to another Live Webinar here on iThemes Training. It is WordPress Disaster Week sponsored by iThemes Security Pro. My name is Nathan Ingram. I'm the host here at iThemes Training. And this week we are hearing from our group of experts on WordPress security. Yesterday, we talked about how hacks happen and how to respond. Couple of great talks from Kathy Zant about the big picture of website security. By the way, if you missed any part of yesterday, and you'd like to go back and rewatch those videos, or share them with someone else, you may do so using the Watch Replay Videos link down below the chat room. And those videos are ready to go. We'll have today's replays up about an hour-ish after we wrap up today. Soon as we can get those uploaded and rendered, so you'll be able to rewatch today as well. So yesterday, a couple of great talks from Kathy Zant about the big picture of website security. Tomorrow, I'll be sharing on how to provide security services to your clients in a WordPress care plan. It's powered by iThemes products, but today, we'll be hearing from Michael Moore and Timothy Jacobs in two talks that focus specifically on using iThemes Security Pro to protect your website. So we're gonna get started today with Michael Moore. Michael has been presenting security related topics for years here on iThemes Training. He began working with iThemes as a support technician focused on iThemes Security. He's answered 1000s of questions helping people secure their WordPress sites over the years. And today, Michael is the iThemes product manager and he's focused on continually improving iThemes Security Pro and other iThemes products for our customers. Hey, Michael, how's it going? What's happening in your world today?
Well, I am just excited to be here. Excited to talk about the logs and continue off of Kathy's great presentations from yesterday. So yeah, it's been a good Disaster Week so far, hoping to continue on today.
Absolutely. So today, Michael, you're talking about seven ways you can detect and stop malicious behavior. We're going to do slides and some live demo. Right?
That is correct. We're going to talk about logging. And it's an underpraised, but extremely important part of security. Good,
no, absolutely. Kathy mentioned that a bit yesterday. And so we're going to get into the practical aspects of logging. Just a couple of brief notes before Michael digs in today. If you are just joining us in GoToWebinar, we want to invite you over to our chat room, which is located at ithemes.com/chat. ithemes.com/chat. That is the place to ask your questions as we go today. It's always helpful, especially in a large webinar like this one, if you have a question, to put the word QUESTION in all uppercase at the beginning; that just makes sure it catches my attention. And please, if you ask a question, just watch the chat room for the next minute or two, in case I need to ask you a follow-up question, so we can have good, clear questions for Michael to answer as he wraps up today. A couple of additional things to mention: we do have a live transcript happening of this event as I speak. So there is a blue button below the chat room where you can watch the live transcript. And it's ready to go and working. If for some reason you happen to see yesterday's transcript when you click that link, just refresh the page, so you get the new link for today for this hour of webinar. It's a separate link for each hour so we can keep those transcripts separate. Also, the replays. As I mentioned earlier, the replays from yesterday are available. And there's a couple of great deals over in the sidebar beside the chat room, 35% off of iThemes Security Pro as well as other iThemes products with the code DISASTER35. Or if you want all the plugins, you can get those in the plugin suite at a special deal, 40% off. And all those deals are good through March 11. That's Friday at 11:59pm. So a couple of great deals if you don't have licensing for iThemes products yet and you'd like to. Alright, so with that, Michael, let's get started. I'm looking forward to this.
All right. Well, before we hop in, just give a little outline of what we are covering. Today, we're talking about why logging is so critical to your website's security. Why malware scans are not enough to detect a breach, how hackers can remain undetected after a breach. And then, to show the importance of it, we're going to take a look at the SolarWinds hack that was disclosed in December of 2020. This is gonna give us a good example of the lengths that a hacker will go to to stay undetected. Then also the importance that logging and monitoring played in finally detecting what was going on. And then we're going to talk about how to log security events in iThemes Security. So, without further ado, let's go ahead and hop right in. Well, logging is going to be the first step to securing your website. And the reason why that is: you can't stop attacks that you don't know about. It is crazy, when I was working in iThemes Security support, how many times someone would get iThemes Security Pro, and then they would come into support hot, angry, mad, telling us that iThemes Security Pro wasn't working. Well, what do you mean by it's not working? Well, also, ever since I put iThemes Security Pro on my site, it's getting attacked like crazy. No, that's actually not what was happening; actually, that's iThemes Security Pro doing its job. And it's actually, now that you have a tool put into place to monitor for things like brute force attacks, it not only is tracking it, it is actually stopping it. So you can't stop attacks that you don't know about. And without the right logging and monitoring in place, you're not gonna be able to do that. So it's gonna help you spot activities that can alert you to a breach. We're gonna talk about how FireEye, a great security company, how they were alerted to something that blew the whistle on the whole SUNBURST attack. And then we're also going to want to use our logs to assess the damage caused after an attack.
And then it's going to be able to aid in the repair of a hacked website. So if you're monitoring where people are going, or if you're able to identify the point of entry, you're gonna be able to get that stuff patched. And then again, all of that you're not going to be able to do without logging. And what else to think about when you're thinking about logging is that most breach studies show that the average time to detect a breach is over 200 days, and the amount of time that that gives an attacker or someone to modify, steal or destroy your data, 200 days gives them a lot of time to do that, and wreak a lot of havoc on your website. And so if those reasons aren't enough for you, OWASP, the Open Web Application Security Project, they have a top 10 list of web application security risks, and logging is on the top 10. Just because it's just so important to make sure that you have that, to have this record of things going on on your site. So let's talk a little bit about why malware scans aren't enough. No malware scanner can identify every single piece of malware that exists. So let's talk a little bit about malware signatures versus behavior analysis. So what our scanners do, they're great at identifying malware on your site that they know about. So it's a good thing to run on your website. But also keep in mind that it's limited to the database of malware. So a signature is a series of bytes that are used to identify these known pieces of malware. Signature-based malware scanning is fast, simple. And again, it'll detect 100% of known, well-known pieces of malware on your website. And it's great for low-level hackers. But one thing to keep in mind is that there are so many new pieces of malware being generated every single day, that there's no way for anyone to actually keep up with that, with all the different types of malware systems are adding to their database.
And so we're seeing that people are becoming less reliant on those because, again, there's just so many pieces of malware, at the end of the day, it's impossible for it to detect everything. That's why behavior analysis is becoming a little bit more important and a little bit more relied upon. So what behavior analysis does, it checks software's actions to determine whether or not it's malicious. There's a ton of different types of behavior that can be deemed suspicious or malicious. For example, iThemes Security Pro leverages the Google Safe Browsing API, and the Google Safe Browsing API will check to see if you're redirecting any of your website's traffic to a known malicious site. It'll go and flag that and then alert both the site owner and people going to that website to maybe not go in there and go into the website. Alright, and then I think there is no foolproof method of detecting anything, as we'll see in just a little bit. But a combination of both behavioral and malware checks will significantly lower your chance of being alerted to evidence of a security breach. And let's talk a little bit about how hackers remain undetected. So there can be your higher level hackers that actually will go to great lengths to avoid the different security levels that you have in place and to make sure that they aren't detected. So let's talk about the SolarWinds hack, which was a huge hack that you probably saw being covered in the news in December of 2020. And then the first few months of 2021, it was everywhere. So SolarWinds is an American company that develops software for businesses to help manage their network systems and information technology infrastructure. And so the type of attack this was was a supply chain attack. A supply chain attack, also called a value chain or third party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. So in this instance, a bunch of people use SolarWinds to deploy different software. And since they're the third party vendor working with big people like, I have a list right here, big people like Microsoft, and a bunch of, like, just about every single government entity that you can possibly think of. So they supplied them. So all they had to do was get SolarWinds. And then down the supply chain, they were able to infect all these different Fortune 500 companies, science, yourself, commission, telecommunications companies, and so on.
And so the SUNBURST supply chain attack was designed in a very professional way with a clear focus on staying undetected as long as possible. In fact, the evidence of it wasn't disclosed until December. But the first evidence of when they actually were able to breach SolarWinds went all the way back to September 3, September 2019. So between the time of the point of entry to when it was disclosed, we're talking about over a year, over a year's time, so that exceeds that 200 day average that it takes to detect a breach. And so here's an abridged SUNBURST workflow summary. This is provided by ShiftLeft. Excuse me. So we're not going to go through all of this; there are some links on the slide at the end, some reference links that you can look to actually see, if you want to take a deeper look at the play by play. One of them is this article by Mandiant, who this week was announced they actually got acquired by Google, for what that's worth. So we're just going to look at a couple of these different things to kind of give you an idea of the lengths that these people went through to stay undetected. And then this is going to illustrate why having layers of security and logging is going to be so important to make sure that you're detecting a breach. So one of the first things that they did is, after they got into the SolarWinds workflow, or their SolarWinds server, is they had this DLL file that they were using to compromise. So after laterally moving to SolarWinds, they also studied the coding style of these different companies, whether it was good or bad, they wanted to emulate it. So if there was something checking different files for different coding standards, it could avoid that, or even a manual inspection. Okay, this looks like either the great code that this company writes, or it looks like we're emulating the crappy code. So that, meaning maintaining the coding style, gives an illusion of code legitimacy, to conform to that of SolarWinds and the other people involved. And so the other thing it did was it laid dormant for 12 to 14 days. So after the initial dormant period, which is up to two weeks, it would retrieve and execute different commands called jobs that include the ability to transfer files, execute files, profile a system, reboot the machine and disable system services. And that's according to a FireEye analysis: the malware masqueraded network traffic as the Orion Improvement Program protocol and stores reconnaissance results, blah, blah, blah, blah. All that means is they were running different tests. And they were looking at different things while making it look like they were part of the internal systems running. So they're using a DLL file that was a legitimate DLL file. And to that DLL file, they added their malicious payload. Then they stayed dormant before executing anything, just to not raise any immediate flags. And then they started running different checks under the guise of the Orion Improvement Program, which is a thing that actually runs on, like, is supposed to be running on the SolarWinds server. And then they checked the hosts attached to the domain, or whether or not the domain was on a blacklist.
So what they were doing here, with this backdoor, they were looking to determine whether or not the system was joined to an Active Directory domain and retrieve the domain name. And then they would cease execution if the system was on a block list. So they had these hard-coded URLs that were SolarWinds domains that they were trying to avoid. So if they happened to be in one of those directories, they would go ahead and stop it, because it would decrease the likelihood of them being detected if they didn't go ahead and execute that. And so then they would verify the different security tools and processes running on the host. And so they'd check to see, is this something that we worry about? Is this something that we can get away with? If it's not, is there anything that we can do to disable this software? And then they would do a REST API command that was sent back under the guise of this SolarWinds API that they had modified. So again, at first glance, it looks like everything's okay. But they would generate a domain, and then they would send a callback to their server, which, they got a bunch of different servers in New Jersey. So my understanding is, this was a Russian state attack, this was a sanctioned hack from the Russian government. And so what they would do is, instead of having a bunch of IPs pinging the server from Russia, they got a bunch of AWS servers in New Jersey. That way it seemed like a local attack. And that also meant, under local, you know, federal law, the NSA can't actually, like, sniff into those servers, because it's on US territory, and it's not overseas. So again, instead of some sort of Russian IPs, they rented US servers for the attack here to stay undetected.
And then, again, if you're interested in this, there's a couple articles and references, a couple of good YouTube videos out there that actually go really deep into this, play by play. But what we're just looking at is how they had all these different systems set in place, but with a very determined attacker, they were able to get past this. And so finally, after months, and months and months of them being inside, someone who was a SolarWinds customer was FireEye. And they were the first people to actually spot the hack. It wasn't, I was gonna say, it wasn't Microsoft, it wasn't SolarWinds, it was actually FireEye. And FireEye is an American cybersecurity company. And they discovered the hack because they were alerted to a new 2FA device being added to an employee's account. So what that means is that they were monitoring and logging anytime someone added a new 2FA device. And so they saw that, and this was the thing that finally got them to start investigating what was actually happening, this little thing right here, this little alert for a 2FA device being added, caught their eye. And then because they had, you know, a long history of logs, monitoring the different events they're having on the server, they were able to go and look at, go further down the chain to figure out when it was penetrated, and who all was affected, and kind of find out that it affected everyone. And so all this is just kind of to show, like, there's no foolproof plan that you can do to stop everything. It's important to have multiple security layers. So I know Kathy was talking about that yesterday, going into her part again today. There's no one trick to stop every attack or protect yourself every time; it's important to have multiple security levels. So again, I want to, real quick, show the site now. So in iThemes Security Pro, let's go look at that real quick. There is a way to, just change screens real quick. And then we'll just bring up the site real quick.
So there is a way to, in the settings, under Configure, and then on Logs, there's a way to set days to keep the database logs. The more you can keep it, the better. Now, if any of you are using the wordpress.org plugin that is designed to delete the database logs and get rid of it: one, you don't need it, because you can set a timeline of when you want your logs to be deleted without having to manually do them. It's 2022. Why are you manually deleting your logs? And beyond that, as I mentioned earlier, the initial SolarWinds hack, they initially gained access to the system in 2019. And they had all these different security things, they're running all these different security events, and yet they still didn't catch it. Because, as we looked at, the lengths that people will go through to just stay dormant, and then not. So not just blazing through it once and not noticing anything crazy; it isn't good enough to just look at it, and then dismiss it. You're gonna want those historical events, because if something comes down farther down the line, and you're able to get something, you're gonna want that history of logs to, again, help you not only spot the activity, assess the damage, and maybe find the point of entry, and assess damage, find point of entry and then repair. So what we're gonna do is we're going to talk a little bit about how you can use iThemes Security Pro to monitor specific security events to detect attacks and stop them when they happen. So the first thing we're going to talk about is invalid login attempts. So brute force is going to be your most common type of attack. One, everyone knows where the WordPress login is, which isn't a bad thing; that's an ease of use kind of thing, just like everyone knows where your front door is. But everyone knows where it is. So many people use it, as WordPress is 40% of the web. So it's just an easy thing to do.
And then brute force attacks require no skill. You can literally go to, there's a ton of different places where you can go, whoops, link to that, they can actually just get, no coding, pardon me, you can get tools with graphical user interfaces, that you just send them out. There's no code required, you don't need to have any development skills. There's an open source, just sorry that this link of, so you can, here's a top 10 list of most popular hacking tools that you can get that are going to make it easy for anyone to just go into this, tell it what I want to do, and it's going to go on and automate your brute force attack. And since WordPress is popular, a lot of them are geared towards just WordPress. And so that's why it's important for you to monitor invalid login attempts, because that's the surest sign of a brute force attack, just like the example I told about earlier, how we had people come into support saying now they're getting hacked. No, now you're actually seeing the invalid login attempts happening on your website. And so monitoring for that is going to allow you to detect a brute force attack and then also put a stop to it. If you don't know what's going on, you're not going to be able to stop it. The other thing is user devices, to track people's use of devices. So in iThemes Security Pro, we have the Trusted Devices feature. So what that does is if someone logs into your site under a user, but it's using a new device, iThemes Security Pro will restrict their capabilities until they're able to confirm the device is them. So let me show you an example of that. Here. So this is just a site that I have up that we can see. My user profile page has a list of my approved devices. And so we can see right here I had these IP addresses come in to log into this site as me, but I was able to deny them, which restricted the capabilities and then blocked their access to the site, which then also will require me to update my passwords, because if they're logging in, that means they already have access to your password. But this is something like the FireEye two-factor authentication thing, where they had a new 2FA device added, and that alerted them to the whole SolarWinds hack, and that alerted them that there was a breach that happened.
So monitoring the devices, especially for your admin users, can come in handy because if there's a new device being logged in, one, you can deny it, which will immediately log them out. And then also give you an opportunity to update your password to increase your security. And then that might be the triggering event that you want to use to go and look back throughout your logs to see if anything else happened. So another thing that you're wanting to monitor for is bot activity. So there's good bots and bad bots. All bots are software programs that perform a specific task. So there's good bots that will help us perform repetitive and mundane tasks way faster than we can and save us from doing awful tedious work. But there's also various different kinds of bad bots crawling your website, some of the bots, you know, having nefarious motives, like trying to break into your website, scrape your data, you know, trying to, you know, the different list of signs that we showed, or different things that we have here. These are just brute force enabled bots. Some of them, like the dictionary attacks, where they have a list of the usernames and passwords from database breaches. I know I saw earlier, someone mentioned in the chat, Have I Been Pwned. iThemes Security utilizes that, so you can prevent people from using compromised passwords. But, you know, so we're looking for these different types of activities that are happening. And so with reCAPTCHA version three, what reCAPTCHA version three actually allows you to do is, take a look at the security settings real quick, under Lockouts, reCAPTCHA. So with reCAPTCHA version three, if you set version three up, you can actually have it include the script on all pages. And what this will do is it allows reCAPTCHA to use its different scoring technique to monitor this different activity and then decide whether or not it's a bot. So the more information that you're able to feed to it, the more likely it's going to identify that as a bot and then block them out. And so with brute force attacks, all this stuff, and to kind of track for all this stuff, is going to be, like, right here, in your security settings under Features, Lockouts. All this stuff is gonna be here. And once you have this set up, what's great is that the iThemes Security dashboard allows you to look at this information. So instead of having to dig through your logs for all these different types of events, the security dashboard takes some of this stuff from, a better dashboard, I'm not sure. Oh, here we go. So instead of having to dig through your logs, the security dashboard gives you all the information that you kind of need. So you can see right here is actually the dashboard of ithemes.com. And we can see that March 2, we had 1,145 attacks, right. But that's great because it shows us the frequency. But what we can see is that by monitoring this stuff, since we enabled the dashboard, over 46,000 attacks have been prevented, as well as 11,000 IPs have been added to the banned list right here. And so this is the Banned Users security card on the security dashboard, which you can see all the different lists of IPs that have been banned from your site. And again, these would not have made it here if we weren't monitoring for these attacks and logging them, and logging the suspicious activity and getting them added over to here. So again, just wanted to show you how the security dashboard gives you a good summary of this kind of stuff, as well as shows you your active lockouts.
And then if you want to, you can release a lockout from here, which we're not going to do, because this is obviously just a dumb person trying to examine a high level thing, but they got locked down. So another thing is vulnerabilities. So vulnerabilities are the number one cause of most, vulnerabilities without a patch applied are the number one cause of most attacks. So the last vulnerability roundup had over 400 different plugins that were compromised in that vulnerability report. What iThemes Security Pro does is enable the site scan. What that will do is check your site twice a day for whether you have any known WordPress core, plugin, or theme vulnerabilities. And then using the version management integration, you can actually have it automatically update the fix if a vulnerability is found. So what does all that mean? So on this site, I had, where's that, I had a site scan come back with a critical issue of vulnerable software. And so I had Updraft, the free version, installed, which had a vulnerability. However, as that was disclosed, the patch came out pretty quickly after it was disclosed. And so by enabling automatic updates if it fixes the vulnerability, what that means is as soon as that update is available, it'll get updated on my site, protecting me from the vulnerability. Again, I can't overemphasize how big of a problem vulnerabilities are on your website and why it's so important to keep updating, because an example to illustrate this is the Equifax attack. It happened because there was a vulnerability with Apache, and Apache announced it. And I remember Chris Jean, who works at iThemes, sounding alarms when he found out; he was immediately applying the patch, because the thing is that Adobe, Adobe disclosed the vulnerability. And when they disclosed the vulnerability, at the same time they released an update patching that vulnerability.
And so you might be asking yourself, why would an attacker target a vulnerability for which there's already a patch? The attacker knew that in this case Equifax, and a lot of other people, are lazy, and they don't update their software. And so six months after that Apache vulnerability was disclosed and patched, Equifax still hadn't updated. And so they were able to exploit that vulnerability and hack them and then leak millions of people's personal financial information. So that's why it's super important to make sure that you're keeping up to date with them. And vulnerabilities are going to happen as long as developers are human. And unfortunately, sometimes they're going to make a mistake, or they're going to be using a third party library that has a vulnerability in it. For example, last week, a lot of people who were using Freemius, they had a vulnerability, not necessarily in their own code, but in their implementation of Freemius. And that's why the vulnerability reports are big, it's because it was a shared library of sorts. And so they didn't introduce the vulnerability in their own software; another library introduced the vulnerability. So it's very important to make sure that you're staying up to date. And that's why, you know, having something like iThemes Security Pro automatically checking all your plugins and themes to make sure that they don't have any known vulnerabilities, so you can go and get them patched, or remove them, or whatever actions you take. And then file change is the second-to-last thing we're talking about monitoring. And the reason why you want to monitor different file changes is that when it comes down to malware, it's one of three things: either files are added, files are removed, or, in the case of the SolarWinds attack, where they initially modified that legitimate .dll file and hid their malicious code in there. But they're able to add their own stuff, remove things that would help detect it, so they were removing different security protocols, and they are modifying files. So if you're using file change detection in iThemes Security Pro, which is the site check, what you can do is you can monitor unexpected changes. Now, a change of a file isn't automatically an indicator that your site has been compromised; it just means the file has been changed, and it might be worth doing more investigation on it. However, if you do use the compare files online, this can help quiet some of the noise generated by file change detection by comparing the hashes to iThemes products.
So anything that is an iThemes product, you can compare the hash files from an update to that; if the hash files match, it's a pretty good indication that the change wasn't malicious. And it's also going to look at WordPress core files, and plugins that are in the wordpress.org repo. And so that can help add a little bit more sophistication to it. And again, it's not going to be an indication of a compromise. But again, it's just adding a layer, something else to have, even if it doesn't immediately alert you to a breach. Having that history of changed files can maybe help after you detect a breach to see what damage was done, and even possibly give you an idea of the point of entry. The last thing that we're talking about is user activity, logging different user activity, like when they log in, log out. So for example, if you notice a strange login time from a strange IP address, this could be an indication of an attack, or an unforeseen user created, or a new user registered, a new admin user registered that you didn't expect. There's been privilege escalation vulnerabilities where they change the default new user registration from subscriber to admin, and that can give you an indication, all of a sudden all these new admins are being created, of that kind of exploit. Let's talk about adding and removing plugins, switching themes, changing posts and pages. So just to give you an example of what that kind of looks like in the logs, as you can see here on training.ithemes.com. Oh my goodness, look at all these different plugins that were being deleted and added by me and Nathan. We can see that, hey, those are two real people. And they were doing that; I know what that is, Nathan knows what that is, not a cause of concern. But there was something here that could, again, adding layers, adding multiple, different, giving you as big of a dataset as you possibly can to understand the health of your site. And I'm about done talking.
Here's the resource page. Here are the Disaster Week deals again: 40% off the Plugin Suite, 35% off iThemes Security Pro, BackupBuddy, Sync, Stash prices. So I talked a lot, and I'm done talking. I'm ready to hear your questions, and try to clarify anything you guys need.
Alright, sorry about that. I was struggling with the mute button. Thanks, Michael. Great stuff. Yeah, a lot of great questions in the chat room over the last hour. So if you have a question you haven't asked yet, use the chat room at ithemes.com/chat, and we'll get those over to Michael. All right. So Michael, we had a holdover question from yesterday from Sal. And he asked, for WordPress, besides implementing iThemes Security Pro, is there anything he needs to manually do to better secure WordPress?
What you can do is, Cloudflare has a free web application firewall plan that you can go sign up for, and for most people, it will work. And that will give you some extra protection against DDoS attacks. Yeah, that will help protect your site even more, even with the application level of security that you receive from iThemes Security Pro.
Very good. Let's see. Sue has a serious question. When you're talking about logging, do you keep just the database logs? Or should we be saving logs that are in files too?
So you do have the database and the file logs. Typically, I don't mess with the file logs at all. However, you can. The file logs are going to be incomplete compared to the database logs. And so I recommend doing database logs. However, if you do want to clear out those logs, you can create a database export of your log file to save those for longer. But really, it shouldn't cost too much database. There's nothing wrong with just increasing the time of how long you set to keep your logs. For example, I'm going to show them, we're going to take a look at it again. But if you go to your Configure, Global Settings, and then just do Logging, you'll see "days to keep database logs." You can extend that out, and the longer that you feel comfortable extending it out, the better, because the longer the history of security events that you keep, if you ever do detect a breach, the more likely you're going to be able to recover from that breach and actually find the point of entry. And so the reason why, even though it was over a year before that SolarWinds attack was initially flagged, the reason why they were able to do so much forensic investigation on it is because they actually had that history of logs, the history of security events that they monitor, to trace back and then actually find out when this stuff really started happening, to be able to properly assess the damage that was done. So the longer the better.
Alright, let's see. Sal has some great questions here. One of the questions he asked is, what do you do when you get brute force attacks? My client site is getting lots of brute force attacks.
So one, again, a good thing to do would be to sign up for that Cloudflare, because that can help mitigate some of the traffic. But truthfully, if you're getting alerted to it, because sometimes iThemes Security Pro isn't very humble and likes to tell you that it is doing its job, there's nothing for you to do. You installed iThemes Security Pro to automate your security for you. And so if you are getting hit a bunch, guess what, iThemes Security Pro is telling you that it's logging them all out. There's no action for you to take other than, I don't know, go have a beer knowing that your site is protected. And you can sleep easy because iThemes Security is, you know, writing that stuff down.
Very good. Let's see, here's a good question from Robin. We get this from time to time: does using a plugin to change the WordPress login address, changing it to something other than wp-admin, does that help at all?
So, we do have it in the plugin, but we don't necessarily recommend doing it. Just because it can have a minimal, minimal, minimal impact. But it's more important to rely on things like refusing compromised passwords, and then using two factor authentication. So you know, especially with your admin users, if you have Refuse Compromised Passwords, this checks with, it taps into the Have I Been Pwned API, and if it sees that the password that they're using has been used in a database breach in their database, it won't let them use it. And then two factor authentication, according to Google, will protect against 100% of automated bot attacks. While you can change your wp-admin URL, that can have a minimal impact, and really I would recommend doing that only for a branding thing, but then you're making it more difficult. One of the great things about WordPress, and the reason why it has 40% penetration, is it behaves the same in every single site. So just like having the front door in the same place on everybody's house is good, because then you know where to find it. So it's not that big of a deal. But locking your door is great. And so having two factor authentication, which is, I mean, if people would just use two factor authentication, I mean, ransomware would be cut by 90%. I'm willing to bet at least 90% of ransomware attacks would be stopped if people just used two factor authentication. So anyways, that was a great question. And right, it gave me an opportunity to say how great two factor authentication is. So I appreciate it. So yeah, sure.
And it's a challenge. Ellis is just mentioning in the chat room that it's so hard, even with people who ought to know better, convincing them to use two factor authentication is a challenge.
Yeah, we're hardwired to take the path of least resistance, and my wife is married to me, and she still doesn't like using two factor authentication. My brother, when I told him I have two factor authentication on every account, he laughed at me. So I can understand the struggle. Yeah. Okay.
Yeah, just as a general thing, I'm not sure I would want to get into an argument with my spouse over two factor. But
that's, oh, I
another webinar.
Yeah, that's a whole nother webinar. And we're gonna start seeing, I believe we're gonna start seeing it required at a lot more places. Already, talking with some of the bigger tech companies, when Joe Biden called them all to the White House for that cybersecurity conference, and because we've had these high profile attacks, and that pipeline attack could have been prevented. If one, it sounds like they had someone that they blamed, an intern, using a weak password that was something like company name 1234. But even if they were using company 1234, had they been requiring people to use two factor authentication, that pipeline attack wouldn't have been successful. So it is a minor inconvenience, but compared to the amount of negative publicity that that company got, I think that now it's like, okay, we'll go require two factor everywhere. And we're gonna start seeing it on the consumer side a lot more as well. Yeah.
Let me jump in here, Mike. We got a ton of questions stacked up and just about 10 minutes to try to get all these in here. Let's go to lightning round, quick questions, quick answers. While on the subject of two factor, Sal says he uses a third party plugin for two factor and iThemes Security. Is that okay? Or should you only use one plugin? What would you recommend?
I'm not sure what he means by that. Like, I use iThemes Security Pro, but I'm also using Authy for my two factor authentication.
And then he has a separate plugin that enables two factor.
Oh, I would never enable similar features in multiple plugins, because that's always going to result in conflict nine out of 10 times.
Right. Let's see. Heather has a great question here. What are the main differences? Is there a way to summarize this, or is there a page maybe to point her to, the main differences between iThemes Security, the free version, and iThemes Security Pro?
iThemes Security, ithemes.com/security. That's, why go pro, I think, is the
Was this evil? Do a search for me?
Kristen just put it in the chat room. ithemes.com/security/why-go-pro. Yeah.
Okay. All right. Perfect.
There you go, Heather. So there's a page that explains all of that. Let's see, several questions about log files. Paul's first question was just looking at when you showed iThemes Security's dashboard. He said, how big are those log files in your database? Should you clear that out? What about the size of your .htaccess file? Would that slow down a site with that many lockouts?
So it really depends on your site. It shouldn't. If you are running a site and it's making money, spend the money to have the resources available to manage log events. And so with how iThemes Security works, there's two different ways that this stuff is logged: one is in the security logs, and one on the Security Dashboard is dashboard events. And so it will have a slimmed down kind of version of it, and it shouldn't cause too much bloat, and it depends on how much history you have. As far as the .htaccess goes, that can end up becoming an issue. If it is an issue, when your site's loading and the .htaccess is having problems, like once it's updated, the timing on your site, because it's writing all those things out, you can actually remove some of these, and then remove the old ones, because most likely they've moved on to using different IPs after they've given an IP a bad name. So removing the old ones, you're probably going to be safe. All right.
Debbie has a question about log files. How long should you save the log files? In iThemes Security it defaults to 30 days, right?
I think it defaults to 60. However, if you can increase that timeline, the longer you increase that timeline, the better.
Got it. Doug is asking, where are iThemes Security Pro logs stored in my file system on the server?
If you save it as a file, not just as database, it's going to be in wp-content/plugins/ithemes-security-pro/uploads/logs.
Yep. So buried in the iThemes Security folder. Let's see, a couple of questions about file changes. Both Sal and John had questions regarding those file change warnings. Sal says, I get file change warnings. I'm not sure how to verify, seems like a lot of work to do manually. Any tips? John follows up on that saying he gets a lot of file change warnings from a caching plugin. Is there a short answer to help people better deal with the file change warnings?
Okay, so the last thing you want to do is have anything become a boy-who-cried-wolf situation. So, even though a caching file can be exploited just like any other file, backup and caching files are examples of files that are going to generate a lot of expected changes and can generate a lot of noise. So if you go to your, I'll just look up File Change, and go here. So you can exclude your caching files over here, so you won't be alerted to changed files. And that will quiet some of the noise down. And again, to answer Paul's question, not everything's going to be worth investigating. So, for example, another way to quiet some noise, as I mentioned earlier, the online file check: if you have version management enabled to do the updates, these will be known to be updated files and you won't be alerted to them. But also, if it's a bunch of WordPress core files, and you know that WordPress was updated, you know that that was due to the WordPress update. So you can do some tracking that way. And then not every single file change would be worthy of investigating. However, if you do notice a breach farther down the line, those file changes will be in the logs, and that can help you then, after a breach happens, to assess what damage has been done. So it's not always about alerting you to a breach, but if it doesn't, it can be there as a resource later to help you come back from it. I hope that helps.
All right. Jill has a question about the number of emails iThemes Security can send when a site is under attack. He said he had a client whose Office 365 flagged the site as a spam sender. What would you recommend in that situation?
So what I recommend is, if you look at your Notification Center, I would enable your Security Digest, and that will give you a summary of everything, and then you can disable these individual Site Lockouts. And that will drastically reduce the amount of emails that you receive from iThemes Security Pro. And so with this one, you don't lose anything. If you want to get these notifications, they'll just be here in the Security Digest, because as I mentioned earlier, there's nothing for you to do. There's no action for you to take. If you get this Site Lockout notification, it's done. It's been taken care of for you, and instead of worrying about these individual site lockouts, you can go focus on doing revenue-generating activities instead of worrying about managing this. So I always recommend that people disable this individual Site Lockout and enable the Security Digest.
Yep, there you go. Okay, four more quick questions, and we'll take a break. Stacy asks, she has a VPS, and every site's in its own cPanel, which is best practice, like we talked about yesterday. She says she gets the same IP address trying to log into all the websites on her VPS. It happens several times a week. How do they find every one of these websites?
Is it the host IP? Is it a sign-up?
At the mat? Yeah, exactly.
So there's many cases why. Like, it could be a legitimate IP. So if you, for example, are using like BackupBuddy with AWS.
She said it's an IP address from other countries.
From other countries, if you're
Oh, here's Timothy. Yeah, Timothy Jacobs is here, folks. He'll be presenting in the next hour. Go ahead, Timothy.
So basically, when you have a site's URL, you can find out the IP address that that site is actually on, the host IP address that Michael was talking about. And then there are a lot of services that will tell you all the domain names that have that same IP address for their DNS records. So they look at one site, they say, okay, it's hosted at this IP address, and they look at that IP address, and they'll see a list of the 30, 40, 50 different sites that you have hosted on that IP address. So simple as that. That is one of the reasons why it's important to put things in different cPanel instances and things like that, though they will still probably have the same IP address unless you're buying a dedicated IP address for each of them. But as long as your sites are individually secure, you're not running into an issue when they're able to discover that you have more sites on the Internet. If one of your sites does have a security vulnerability, and you have that same mistake in every single one of your sites, then it could be an entry point for them to go from attacking one site to attacking 25 sites. But as long as your sites are secure, it shouldn't be an issue.
Very good. Let's see, next question from Ben B: is using the Refuse Compromised Passwords setting a necessity for members of a membership site, even though they have little access as a user?
That's going to be up to you. However, I would recommend doing it, because you could also be doing them a favor by alerting them to the fact that they are using a compromised password. As you are likely seeing, more people are taking advantage of this. For example, Apple, if you are trying to use a password that they flagged as compromised, will tell you. Chrome will tell you. So it's just becoming kind of a standard nice thing that you could do for your clients, because they're likely using that password elsewhere, and you might save them from some future headaches down the road.
For sure. And beyond just a nice thing, if one of the users of your site's accounts gets hacked on your site, they're probably going to blame you. They're not gonna dwell on the fact that they reused a password, that's all. Yeah. Oh, you said non-compromised password. It kind of protects you in that sense. Yeah. Yeah.
My dad was really, really mad at Salesforce because his account got compromised. It was the same password he used everywhere. And then once I figured that out, I kind of told him, but he didn't, he wasn't gonna blame himself. So great point, Timothy.
Okay, two more quick questions. Chris is asking, how does two factor work when you're accessing your dashboard with iThemes Sync?
So there is actually, Timothy actually helped configure this, when iThemes Security is set up and you're logging into a site from Sync with iThemes Security Pro. Yes, we
have a special setup flow that happens if you're running a site with iThemes Security when you're trying to set it up with iThemes Sync. That will essentially take you to the login page and we'll walk you through the login process and you'll authenticate with two factor. And then we'll send you back to iThemes Sync. And so you shouldn't have any issue setting it up as long as you're using a recent, and by recent I mean past two years maybe, yeah, version of iThemes Security. You shouldn't have any issues setting up iThemes Security through iThemes Sync. Yeah.
Awesome. All right. Final question. Interesting one from Melanie: how does iThemes Security work on hosts that don't use .htaccess files? She says, I'm thinking of clients who are on WP Engine, which just decided to deprecate the .htaccess file for all customers.
They'll use PHP to block the IPs. We have an article about it in the Help Center. I'm trying to pull it up real quick, that explains how that works.
Alright, so we'll drop that in the chat, Melanie. That's an interesting question. I hadn't really thought about that before, but it's time for a break. So we have Timothy Jacobs coming up in the next hour for an advanced security talk using iThemes Security. The first talk like this we've ever done, using some of the filters and hooks and actions and some fun things on the back end. So let's take a 10 minute break. We'll be back at 10 minutes after two, Central Time. So 10 minutes after the hour, and we're quiet until then.