WordPress Security: Understanding and Managing Threats and Vulnerabilities
6:30PM Jan 24, +0000
Speakers:
Nathan Ingram
Timothy Jacobs
Keywords:
vulnerability
site
security
solid
password
patch
wordpress
enabled
plugin
feature
device
firewall rules
user
good
update
acf
attacks
login
talked
compromised
started
Now, welcome Or Fall from Poland, Mark from New Jersey, Stephanie from Canada, Brian from Atlanta, Bonnie from Colorado Springs. Hey David. Andreea from Austria. Welcome Gail from California. Good to see everybody here. We're gonna get started in about five minutes from now. Timothy Jacobs is talking all about understanding threats and vulnerabilities when it comes to your WordPress site. Check-in question today is: what is your biggest concern when it comes to keeping your WordPress site secure? Let us know there in the chat. Also in the chat you will find the link bundle, which has today's slides as well as the replay link. We'll have it up about an hour after we finish up today. Hey, Darlene from Philly, welcome. Hey, Dave, again. Good to see everybody here. Hey Dan. Welcome, welcome, everybody. We're just right at five minutes away from getting started officially here on this Solid Academy live stream with Timothy Jacobs, the lead developer at SolidWP and WordPress security expert, talking all about the threats and vulnerabilities to WordPress. So glad you all are here. It's great to see everybody. We'll be getting started in just a few minutes. You'll find the link bundle in the chat with today's slides if you'd like to download those and follow along. Also, our check-in question today: what is your biggest concern when it comes to keeping your WordPress site safe? Let us hear from you there in the chat. And hey, Johannes from Germany. Darlene, good to see everybody here.
Is it the wrong link? It shouldn't be. Let me double check; that wouldn't be the first time I've given the wrong link. Ah, yes. No. Bonus link for you: that's yesterday's news roundup link. So you're welcome to have those slides as well, but we'll get that updated here in just a second and get you the right slide link for today. Just one moment.
Note, if it is correct, I just thought I'd do a repeat of what you talked about. Yeah. Yeah,
absolutely. Yes, it is, in fact, the wrong link, but that should be the correct link. Sorry about that, folks. Yes, that is the correct link for today's live stream. Although the security news slides from yesterday were extraordinarily good with lots of information, so feel free to download those as well. Three minutes away from getting started, folks; glad you are here with us today. Once again, the links are there in the chat if you'd like to download today's slides; they're waiting on you. As well as the replay link: we'll have the replay of today's event up about an hour after we finish today. Check-in question is: what is your biggest concern when it comes to keeping your WordPress site safe? We'd love to hear from you about that in the chat. Good to see everybody checking in from across the US and around the world today.
Natasha is saying her concern is getting standard configurations across all the sites you manage, and that's a good thing, so you don't have to configure one by one. Natasha, the great thing about Solid Security is you can export your settings and import those right into another site. Makes it very easy to keep your settings consistent. Again, if you're just joining us in Zoom, welcome; we're glad you're here today. We're just a little less than two minutes away from getting started. I'm going to drop in our link bundle again. They're in the chat, so open up that chat and you can grab the link to today's slides. The check-in question today is: what is your biggest concern when it comes to keeping your WordPress site safe? Sue John is saying real-time malware protection. Doug, yeah, is security getting overwhelming? It certainly can be; there are a lot of threats to WordPress. Let's see: apart from Solid's possibilities, where do spammers get links to pages and posts and those sorts of things? Yeah. So again, welcome, everybody. We're about a minute away from getting started. Glad you're all here with us today, and thank you for investing about an hour of your time today to learn more about understanding threats and vulnerabilities to WordPress. We have Timothy Jacobs, the lead developer of SolidWP and WordPress security expert, ready to talk about all those things as well as answer your questions about WordPress security. Andreea, yes, spam comments. They are difficult to deal with. So, as you have questions as we go today (I'll talk about this as we officially launch in just a few moments), I would recommend you go ahead and open up that Zoom Q&A. That's the spot to ask your questions, and we'll be taking those questions in the order of upvotes at the end of Timothy's presentation. Hey Barbara, welcome. Helen's biggest concern is understanding the main weak points of WordPress.
Yeah, where are the places we need to protect? And we might be talking about some of those today, in fact. All right, it's three minutes after; we're going to start the recording and dive right in. Well, good afternoon, good evening, good morning, wherever you happen to be around the world today. Welcome to another Solid Academy livestream. My name is Nathan Ingram. I'm the host here at Solid Academy, and I'm joined today by Timothy Jacobs, the lead developer at SolidWP and WordPress security expert. Welcome back, Timothy. How are you today?
I'm doing good. How are you doing, Nathan?
I am doing well. We've got a great topic today. It's a topic that certainly provokes a lot of interest in people who are doing WordPress things. We have folks logged in today from around the world, and we had our check-in question about the main concerns of keeping our site secure. Lots of different concerns were raised. And what are we going to be talking about today?
Yeah, so we're gonna be talking about some of the threats and vulnerabilities that affect WordPress sites, a little bit beyond WordPress, and some of the things that you can do to keep yourself safe.
Very good. So we have some really interesting material to cover today. If you'd like to follow along in the slides, the link is there in the chat. You can download today's slides. If you're watching this on the replay, just click the Download Slides link that's right there below the replay video. Also, we will have this replay available if you'd like to rewatch any part of it or share it with somebody else. You can do that; the video will be up about an hour after we finish up today. So once again, we invite questions throughout. Please, though, do use the Q&A button there in Zoom. You can mouse over the shared window, click that Q&A icon, and that will launch the Q&A window. I'd just keep that open throughout today's webinar. You can ask questions as we go, and if you see a question pop up that you also have, click that thumbs-up icon and we'll take the questions in the order of upvotes when we get to the Q&A part of today's live stream. So with that, Timothy, I'm going to disappear and let's get going here: threats and vulnerabilities.
Okey dokey. So yeah, we're gonna be talking about some of the threats and vulnerabilities that affect your WordPress website. And to start, we're going to focus on the threats that come through the front door. And the main topic there is login security. So as we probably know, weak passwords lead to brute force attacks. If you've got weak passwords on your site, that's something that an attacker can compromise. And they can get into your site and perform any actions that you would be able to do, as if they were you. Another big attack, though, is when people reuse passwords. So we see all the time now, for years at this point: this site got breached, that site got breached, this site got breached, and there are millions and millions and millions and millions, probably billions at this point, of usernames and passwords that exist in these data breaches. And what attackers are able to do nowadays is they look at those breaches and they say, okay, instead of just trying 5,000, 10,000, 100,000 different variations of your password, instead I'm just gonna go through this list and say, okay, maybe some percentage of these users are reusing the same username and reusing the same password on their site. And so these are called credential stuffing attacks. And that can be as big a risk as any if you are using a really strong password, but it is the same password that you are using on another account and that account got compromised. That's not good news for you. That's not good for your website security. Are we, Nathan? Are we actually having audio issues?
I don't believe so. Okay,
cool. Awesome. Thanks, everyone, for confirming. And this is not just about the admins on your site. You also want to keep in mind the reputational damage that you can have when your site gets hacked. And I say "when your site gets hacked" because that's how users tend to think about it. When people are using your website and their account gets hacked because they were using a bad password or they were reusing their password, they say, "Hey, my Facebook account was hacked." They don't say, "Hey, I used a bad password, it's my fault." And we saw this play out in the news really recently with 23andMe. Just late last year, 23andMe had millions of data records exposed, and it ended up getting exposed because their users were not using strong passwords or they were reusing passwords. But 23andMe didn't enforce two-factor security. It didn't enforce that users use passwords that weren't compromised. And that tells us that people tend to make the easy choice. If you let them type in a password that's just "password," they might just go ahead and do it. So mandating that the users on your site use security best practices, it really is up to you. You can't take it for granted that they're just going to protect themselves. And when their account gets compromised, they're going to come complaining to you, and then they can be thinking about, "Oh hey, I guess I should have been using a stronger password." Thomas Raef over at We Watch Your Website, a great provider of WordPress security, did an analysis recently. We talked about it here on Solid Academy just a couple of weeks ago, and he found that 7.2% of the hacked websites that he was monitoring were due to these types of account compromises, either through passwords, credential stuffing, things like that. And 7.2% is an interesting number to me.
On the one hand, it's nice that that's kind of a low percentage of attacks, but on the other hand, keeping your account password safe, that's kind of like table-stakes security. That's like the basics. And really we should be seeing that number be 0% of sites. So how do we protect ourselves against this threat? Well, if you're a Solid Security user, enable things like brute force protection and require that users use strong passwords. You can prevent users also from using those breached passwords by partnering with a service like Have I Been Pwned. This lets us say, okay, this password that this user is using, it turns out it was actually compromised in this data leak two years ago; prevent the user from using that even if it would otherwise be a strong password. And of course you can slow down bots further by using CAPTCHAs. We integrate with reCAPTCHA from Google, Cloudflare Turnstile, and hCaptcha, so you can use any of those services to help protect your login page. The other thing that you want to do is use two-factor. So this is some data from Google from a couple of years ago that talks about how effective two-factor authentication is at preventing account takeovers. If you're using an SMS code or a security key or a two-factor code, that can protect against 100% of automated attacks, it can protect against 95%-plus of bulk phishing attacks, and it can even prevent a large majority of targeted attacks on your site. So you should be using two-factor authentication. But more than that, you should be using passwordless login and you should be using passkeys. We did a talk last year, "Let's Kill the Password: The Future of Authentication in WordPress," about how you can use passkeys. We're not going to spend the next 25 or 30 minutes talking about passkeys this time, but I'd highly encourage you to check that webinar out. We did a deep dive into passwordless login, how passkeys work, and how you should be using them today on your site.
Next thing I want to talk about with going through the front door is access management. Here are some red flags: everyone on your site is just an administrator. When people's responsibilities change, maybe they moved to a different team, is their access getting updated? Do you have a proper process in place to make sure that ex-employees don't still have access to your websites? How do you take care of that? So what should you do? Make liberal use of roles in WordPress. We've got administrators and editors and authors and contributors, and using plugins you can even create custom roles if you need to. Make liberal use of them. You should never be giving out administrator access unless they absolutely need it. Use privilege escalation features. So in Solid Security, we have this great feature, and we recently revamped the UI for it in a release just a couple of weeks ago. What this lets you do is, when you're giving out privileged access to your site, instead of saying, okay, I'm going to create an administrator account and I'm going to try and remember to delete it when you're done, you can give them temporary administrator access or temporary editor access, and in seven days or 15 days or whatever you configure, their access will automatically expire. They won't keep having access to an administrator account that's just laying around out there for you to forget about. Scan for inactive users. In Solid Security we have the Site Scan feature, and we will notify you as well by email if a user on your site hasn't logged in for 30 days. This is a great time to say, okay, does this user still need access to my site? Or have they moved on to a different team? Or are they no longer employed here? If they moved on to another team, you don't have to go ahead and delete their account permanently, but we offer you a one-click button to say, okay, let's reduce them to author privileges.
Keep them at a lower account level until they actually need administrator access again. And a really important thing is, when you start giving out access to people, start documenting it. Document that, because you don't want to be in a position where an employee moves on six months from now, nine months from now, five years from now, and you have no idea what they have access to because you never wrote it down anywhere. So as you start giving out privileged access to accounts on your websites to different teams, document that. Put it in a spreadsheet so you can actually have a checklist that says, okay, I know for sure that I removed their access to all 75 of these sites. So those are some of the most common attacks we see just going through, as I say, the front door: your login page. What about going through the back door? Well, the big thing here is vulnerable software. These are vulnerabilities in WordPress core, these are vulnerabilities in the plugins that you're using, and even the theme that you're using can have vulnerabilities. And again, from Thomas's research over the past year, 33% of the hacked websites that he saw were due to running vulnerable software. Thinking about vulnerable software, though, can be overwhelming. On the sites that we scan, it ranges some weeks from 20% of sites that have vulnerable software to 50% of sites that have vulnerabilities right now as they get scanned. So you have to tell yourself and prioritize often: what are the things that I need to care about? So what you might have heard of are these big scary words, remote code execution, cross-site scripting attacks. They're not the same thing. A remote code execution attack is way more dangerous than a self cross-site scripting attack. And as an industry, we came up with this concept of CVSS scores, and they range from zero to 10, and they help us indicate the severity.
An issue that is a high severity issue would be a 10 or a 9.8 or an 8.0, something like that, whereas lower severity issues are a three or a two. These don't mean that you should ignore them, but it does mean that when you prioritize the vulnerabilities that you have on your site and need to resolve, you should start with the ones that have the highest severity. There are awesome providers like Patchstack, that we partner with over at Solid Security, that can help you determine that priority. So for instance, in the Patchstack database, which we link to whenever we flag a vulnerability on your site, they say right over here, "patch within seven days; this is a medium priority issue," and they'll classify others as "patch immediately; this is a critical issue," or "patch in 30 days; you should get to it." But if you've got a list of 150 sites that you maintain, you might not have time to get to every single vulnerability that's a low severity issue the minute it comes out.
What else can we do? Well, for starters, when WordPress has a security problem, that affects millions and millions and millions of sites, but the great thing is that WordPress pushes out security updates automatically. This is turned on by default. I see sometimes, though, that people disable this. You absolutely shouldn't. You should always be in a position where WordPress is able to update itself automatically for security updates. If you want to keep that disabled for major updates, you know, going from WordPress 6.3 to WordPress 6.4, that's totally fine. I understand why you'd want to do that, but make sure that you keep it enabled for security updates. You should also set up automated scans to detect new vulnerabilities. Over at SolidWP we publish a blog post every week that says, you know, here are the 50 vulnerabilities that were disclosed this week. And if you have a bunch of sites, you can take a look at that list, walk down it, and see, okay, do any of these stand out? Are there any things that you need to take care of? And that's great, but it's a pretty manual process. Instead, you want to set up automated scans. So for instance, in Solid Security we have a feature that will scan your site multiple times per day, and if it detects new vulnerabilities, it'll email you, and we'll catalog them all for you on the vulnerabilities page so you can see exactly what vulnerabilities are affecting your site: which ones have been resolved, which ones you need to take action on, which ones have been mitigated. All of those details are available for you in one central place. This is also a great feature to enable in Solid Security: enabling auto updates for security releases. Because we know the vulnerabilities that are on your site and we know which versions those vulnerabilities were fixed in, we can automatically update you to that fixed version. So if you aren't comfortable with having all of your plugins auto update all the time, you can enable this option.
And what this will do is, when we see that update come through and we know it's fixing a vulnerability that's affecting your site, we can say, okay, WordPress, it's safe to auto update this this time. And lastly, virtual patching. Enable virtual patches to keep your site safe when you cannot update. Maybe that's because you're sleeping and this vulnerability was published in the middle of the night, your time. Maybe this is a really complex site with tons of different WooCommerce extensions and there's a WooCommerce vulnerability, and you don't know if you can update right away or if you have to test it out on a staging environment first to make sure that there are no conflicts. Virtual patches can keep you safe in that scenario. So what are virtual patches? This is a feature provided by Patchstack, and what it lets us do is deploy targeted firewall rules to your site to block a specific attack. So this isn't a firewall rule that's always running and saying, okay, block any kind of traffic like this. These are firewall rules that only need to run when absolutely necessary, to keep your site running fast, and they block specific attacks that are actually affecting your site. And these are able to be deployed very quickly. We've seen in the past, there's a big Drupal vulnerability that you might have heard about a couple of years ago, where we said that, hey, if you haven't updated within 12 hours, you should assume that your site has been compromised. Attackers can jump on new severe issues immediately. So virtual patches keep you safe in those environments. But remember, these are patches, and as we say, these are mitigations. You still want to update to fully resolve the issue. Don't say, okay, I've got my site, I've got 45 virtual patches, everything's good. Yeah, things are definitely way better than if you didn't have those virtual patches, but you should still be running updates.
Make sure that you get the vulnerability fully resolved, and then you don't have to pay the performance penalty of having a virtual patch in place. And you can see here how we kind of report this in Solid Security Pro. Here's an example of a WooCommerce vulnerability, and it's been patched automatically for me because I have virtual patching with Patchstack enabled, and that comes with all your Solid Security Suite products. In our firewall page, you can see those firewall rules that are in place, and you can see we're protecting against multiple WooCommerce vulnerabilities in here because this demo site is running an ancient version of WooCommerce. How else do we want to manage updates? Well, you should schedule a time for updates. Don't make this just an "okay, I happen to log into this site today and I saw that there were updates available." Make a plan for it. I'd recommend doing this at least once a week. As we've seen over the past couple of years, the number of vulnerabilities that get reported every week is just astronomically higher this year than it was five years ago. So doing this once a month just doesn't really cut it anymore. This really should be a task that you're doing at least once a week. When you go into your site and you're looking at the list of vulnerabilities, prioritize the ones that are high severity issues, that have that high CVSS score, that are in red and say "update me right now." Those are the ones that you should prioritize. If you can get to the other ones, that's also obviously great, but really make sure to prioritize your high severity issues. You can also work with hosts. Hosts like Nexcess provide automatic updates for you that are safe to enable, because they use visual regression tests. So kind of our fear is, hey, we have an auto update enabled for a plugin, then my site crashes or the homepage looks completely different. Setting up with a host that provides visual regression tests can give you the confidence to automatically update your plugins.
And if you're a Solid Suite customer, you have access to Solid Central and you can apply updates across all of your sites. So you can see, hey, there's this critical software vulnerability in WooCommerce, let's say, and I'm managing 100 WooCommerce sites. You can say, I'm going to update that, do it in one place, and apply it to the entire fleet of sites that you maintain. And kind of the last category of attacks that I want to talk about today are attacks that are happening underneath your nose. So these are session stealing attacks. This is when malware that is installed on your device steals the actual cookies that are in your browser. These cookies then get sent to an attacker's botnet, or they're sold elsewhere. And with these cookies, an attacker is able to fully impersonate your user; they're able to fully impersonate and gain the capabilities of whatever user they compromised. And this means that it bypasses traditional protections like brute force protection or two-factor. There's no point where the user will be prompted for a two-factor code, because WordPress thinks that, hey, they've already authenticated. Thomas found that this was the huge majority of attacks over the past year: 60% of hacks that Thomas saw were from these session stealing attacks, which is a huge number. So what should we do about these? Well, number one, you need to keep your computer secure. We often talk about, hey, how do I keep my website secure, but it feels like it's been a minute since we've talked about how do I just keep my device secure. Things like running a firewall, using the built-in antivirus tools for your computer, making sure that you don't click on trusted links, all of those things that you might see from the IT department at your corporate job that says, hey, let's do all this training. Those are the things that you have to pay attention to.
If your personal device gets compromised, all of the sites that you access can get compromised too. Don't log into your website on public or shared devices. You don't know what's going on there. Your site might use HTTPS, and I absolutely hope it does, but if there's malware installed on that device, that doesn't make a difference. You can also use additional security plugins that implement controls on session management. And so we have one of these features in Solid Security called Trusted Devices. Trusted Devices is a feature that we launched almost six years ago at this point, and we haven't talked about it a lot recently. But Trusted Devices alerts users when there are logins to their account on new and unknown devices. We additionally have a feature called Restrict Capabilities, and what that does is, when someone is on your site from an unknown device, it prevents them from performing sensitive actions like deleting plugins, installing plugins, creating new users, until that device has been confirmed as safe. And you can use session hijacking protection to help prevent exactly this attack that Thomas was seeing. If an attacker steals your session and is suddenly logging in from Russia instead of New York City, where I'm based, we see that and we can block the attacker from using that new device. Keep in mind, though, security is a factor of weakest links. We all have these different features in the plugin, but if you've got weak passwords, even if you have all of your plugins up to date, just one admin account can leave your site compromised. One plugin with an unpatched critical security issue can leave your site compromised even if all of your accounts are using 64-character fully random passwords, two-factor authentication, passkeys; a critical vulnerability can take your site down. So what I really want to emphasize is: use every tool that is available to you. We've got features in Solid Security, and we believe in them, and we want you to use each of them.
Don't just use strong passwords: use two-factor, use passwordless login, use Trusted Devices, which we're gonna be talking more about in the upcoming months. Take a look at all of the features that the tools have and use them. If you don't have them enabled, we can't protect you. So that's me, talking about some of the WordPress threats and vulnerabilities that we see out there in the landscape and how you can prevent and protect yourself using Solid Security.
Very good. Thank you, Timothy. A great overview of all the ways that Solid Security can help us stay safe as we are managing our WordPress sites. Let me invite everyone to open up the Q&A window here in Zoom and take a look at the questions that have been asked. We're about to go into a time of Q&A. If you see a question you also have, click the little thumbs-up icon underneath the question to upvote that question, and we'll take those in order in just a moment. And of course, if you haven't asked a question and you have one, please do so right now. I'm going to quickly drop in our links for today. The slide link is there in the chat, as well as the replay link; we'll have the video replay of this up in about an hour after we wrap up. So Timothy, we have quite a few questions stacked up here. Quite a few. We always have a lot of questions when it comes to WordPress security. And the first one says Solid Security is a very good product, thank you. So thank you, Timothy, for that. Can you explain a little more about firewall custom rules, as well as what are some of the most required custom rules that you would recommend?
Yeah, that's a great question. I'm pulling up a site running Solid Security so I can show you all what we're talking about.
So we launched this feature in what we called firewall phase two last year, which is custom firewall rules. The thing that I want to emphasize is that custom firewall rules are an advanced feature. I wouldn't say that there are any firewall rules that you must have. If you're using virtual patches from Patchstack, make sure this "virtual patching active" badge is enabled. You're gonna get these rules in here from Patchstack automatically. This is preventing the attacks against the known vulnerabilities that you have on your site. But if you want to take things further, you can do that with custom firewall rules. So an example here is blocking a cookie with a certain value. The way that we see these features is that if you see certain suspicious behavior that's happening on your site that you want to block, you can do it using custom firewall rules. But we don't think that you should be going, okay, what custom firewall rules do I need? How should I put them in there? How should I figure that out? It should be, hey, I'm seeing a specific attack and I want to prevent that attack at the Solid Security level. So it's not something that we really think, okay, everyone should have some set number of Solid firewall rules in place. If we do come up with that set of firewall rules, we'll create them for you and we'll deploy them in there as part of the plugin, so it won't be something that you need to go and do on your own. But this is more of an advanced feature for those of you who say, okay, I want to block this certain traffic pattern, and I want to do it in an easy-to-use interface.
Very good. Thanks, Timothy. Another question here from Vern. Vern says, "I thought session stealing could be fixed with IP address checking. Does any software or plugins verify the session cookie against the IP address constantly?"
Yes, I've got great news for you: Solid Security. So that is what Trusted Devices does. Trusted Devices ties your IP address and your geolocation to a session. And so when properties of your session change, like your IP address or like your location, we flag that and we say, okay, this is happening on a new device, we're going to kill that session. And further, if it's happening on a new device, we can do things like restricting the capabilities. So that's one of those settings that I mentioned in our talk. If you go on over into Settings, Features, and Trusted Devices, make sure that you have the Restrict Capabilities and the Session Hijacking Protection features enabled to get that protection. But exactly right, you are correct: really the only great way of preventing this is by doing an IP address check. Thomas found in his research that it takes very little time from when an attacker compromises and steals your session cookies for them to start being used maliciously. But they're often being used by an attacker-controlled server in Russia or in a different data center, not where you physically are. It's not perfect, but it's way better than nothing. To get the perfect protection, make sure that your device doesn't have malware on it. That's where you want to start. But we're gonna be talking more about Trusted Devices next month, for sure, to do a deep dive.
And just to note, Trusted Devices is more than just the IP address, right? There are certain heuristic signatures about the device that Solid Security recognizes?
Right. We take into account the browser, the versions and things like that. The primarily weighted bit, though, is the location. Yeah.
All right, question here from Manu. Manu would like to know: when we're logging in from different devices, what would you recommend as the best password manager for Mac and Windows?
There's a lot of options out there. I personally use 1Password. I really like 1Password, but there are plenty of great options. I think, Nathan, y'all have done some reviews of password managers in different webinars too, that you could check out in Solid Academy. I'd say mine of choice is 1Password, but there are many great options. Yeah.
Thomas says: I watched your passkey webinar from a few months ago. My question is, if my Windows PC gets stolen and has a six-digit login, which theoretically would then allow someone to use my passkeys, right? Is that inherently not secure?
So it depends on the device. The way that devices are supposed to implement passkeys is that they're supposed to be stored in, and saying "stored in" is not entirely correct, but it's a helpful visual metaphor, so I'll say stored in, what's called the Secure Enclave, or specific security chips. And these chips are used to protect things like passcodes, passkeys, and the login to your computer. And oftentimes what device manufacturers do is guard that access behind layers of biometric authentication. So this is things like Touch ID, facial scanning, things like that. A six-digit code for your home computer isn't great. I would recommend having a longer password than that, even if you weren't using passkeys. When they get access to your account, if you're logged into your email, that's a big problem, right? You can reset pretty much any password that way. So you should be using a stronger password than six characters. This does infer a lot of security onto your device, but it's in a similar way to, you know, using a password manager. If you guard your password manager with a six-character password, that's not great, but they also do have additional protections to make sure that you can't go through it very easily. But you should be using a strong password. You want to keep your devices secure for all those same reasons. So it's kind of a security layer that we're already in, of we need to trust the devices that we use to be safe. And it makes the user experience a lot better, and in a lot of cases way more secure. But you have to keep your devices safe.
That's a great answer. And it's a complicated thing. So a lot of times it's, in my experience using passkeys, even if I'm logged into my device, it might require me to re-authenticate with Face ID or a finger or whatever, to be able to access that passkey. So is that what you're describing with it being in this extra Secure Enclave?
Exactly. Yeah, so when we tested this feature, because we built passkeys two years ago at this point, we had some members of our team that were using old, old Macs that didn't have the Secure Enclave features and things like that. And they weren't actually able to test passkeys because they didn't have a new enough computer that provided all the necessary security features. But yes, that is what I'm referring to, is that they will prompt for biometric authentication often, but you still do and still want to keep your computer password just as secure. Yeah.
Very good. Paul's question is: with Solid Security Pro, can we or will we ever be able to scan a site on demand rather than waiting on the twice-a-day schedule to occur?
Absolutely. So this has been possible from the dashboard for a long time. But what we've done is created this new Site Scans page in Solid Security. And so this will scan over pretty much everything that we see in Solid Security, and we'll do it from one place. So I can start that site scan now and let's see what we find on this demo test site, and see what we run into. But absolutely, you can do this with the Site Scan feature. You can do it if you go to the Vulnerabilities page. You can run it from there, from the dashboard. And yes, we also do automated scans.
Very good. This is a great question from Eric: will Solid Security allow us to mandate two-factor authentication via an app only instead of just email?
Absolutely. So we can see these site scan results coming in. But we can do this today. So if you go into the Security settings, you go into Features, go into Two-Factor Authentication. You can select this "Authentication Methods Available to Users" setting. So by default, we use all methods. The reason why we recommend this is because if you want to enable two-factor authentication for a user who is not yet using two-factor and we don't have the two-factor email method enabled, it presents a bit of UX friction, because they're just not going to be logged into the site, period. However, this is a totally legit setting that you can use and say "All except email." And if you disable that email method, then you'll be forced to use either backup codes or a mobile app. Or you can select specific methods and say, hey, just give me the mobile app. But again, that does affect the features there and affects the UX a little bit, if we can't rely on the fact that we can always deliver a two-factor authentication code to someone without them having previously gone through the setup process. We do have this kind of handy checkbox here if you are using mobile app authentication. And again, depending on your threat model and how locked down you want things to be, you can enable this setting here called "Disable on First Login." And what that does is, the first time an administrator logs into the site, or someone who is required to use two-factor authentication, we won't prompt them the first time, but they won't be able to get into wp-admin until they have set up two-factor. So as opposed to some other plugins, where they might have to go to their profile page and do it on their own and can kind of just tap on by that requirement, we force them to set it up. So this is another option there if you want to enable the mobile app method only, but you still want to give a bit of a nicer onboarding experience to using two-factor; you can enable this setting as well.
I will say that the two-factor onboarding process that Solid Security uses is a lot nicer than other two-factor options that exist. Okay, here's a good question from Sherry. And Sherry, I think I understand what you're asking and I'm going to reword your question, but if I'm wrong, correct me in the chat and we'll get over to Timothy. So Sherry is concerned about logging in using a VPN. How is that going to affect... I think she's asking essentially about Trusted Devices and matching her device if she's connected through a VPN.
Yeah, so it will affect it. But it depends on your VPN provider. So with a lot of them, you choose a location and choose a server where you'll have a fairly stable IP address for a period of time. But it will eventually change. So it does mean that you would more often have to say, "Hey, this login was me and it came from a trusted device." But hopefully, if you're using the more paid slash premium VPN providers, they usually offer this feature to say, "I want to pick a specific location, a specific server," where the IP address that you're using will stay the same for a longer period of time. Yeah.
Very good. All right. So Sherry, if that wasn't your question, please correct me in the chat. And folks, if you have questions, just use the Zoom Q&A, and we'll get those over to Timothy. Paul says: the same old question that keeps coming up. How do you convince clients that the extra hassle is worth it when it comes to two-factor?
That's a great question. Nathan, maybe that's something that you can answer better. My gut reaction is that that is a very hard conversation to have. And that's why my recommendation is to move to passwordless login. It is also a thing that you kind of have to teach. But I think, as opposed to two-factor, which slows the user experience down quite a bit, you can these days have a better experience using passkeys. I now know, over the past six months or so, passkeys have gotten even better than the last time we've talked about them. More sites have adopted them, and I'm using them way more often. So that's really my pitch, is that instead of going for, "Okay, you really got to use this, I swear. I know it's a crappy user experience, but you got to go for it," if you can get them onto the passwordless login game and using passkeys, you can deliver all the same security, even better in some cases, but give them a user experience that is a bit smoother. Yeah.
It's a great answer. And the only thing I'd add to that is, with a lot of the newer generation of password managers, you mentioned 1Password, we like Keeper in my agency, a lot of those have built into the password manager a two-factor app as well. So just like it can fill in your password, it can automatically supply the code for the two-factor as well, and that makes it a little easier for clients that might be less inclined to use two-factor. Yeah, for sure. Manu is asking: if you're using Solid Security Pro and you're getting scan vulnerabilities and an email about certain plugins, what do you do when that email comes in? Hey, you've got a vulnerable theme or plugin; should you disable and remove it? Sometimes that's not practical. You talked about that earlier with the Patchstack firewall. Any other thoughts?
Yeah, absolutely. Great question. So one of the things that we do is, in that email, there are two links. One of them takes you to Patchstack and you can take a look at the database entry and the patch directly. The other takes you to a specific page for each vulnerability in your site. And what we do there is provide tailored advice. So for this vulnerability, for instance, it's telling me that, hey, you can update the plugin and it will fix this vulnerability. This is a vulnerability that has been patched; you just need to update to do it. If there isn't an update available, it's going to tell me instead, "Hey, you should deactivate that plugin." I think we have this Fudenberg vulnerability in here that, yeah: "No fix has been released for this vulnerability. If no update is available, you should deactivate the plugin. Muting the issue will exclude it from future scans." So you can hit that Deactivate Plugin button or hit that Mute Issue button. So on every single vulnerability page, basically, we give you tailored instructions. I don't have a one-size-fits-all answer for you, because it depends on the specific vulnerability. But we try and provide all the answers that you need to know if you go to this actual page. If you have a vulnerability that has been mitigated by a virtual patch, it'll say it here. So this vulnerability has been patched automatically. If we look in the Status section, it says that a virtual patch was automatically applied to mitigate this vulnerability. It's still prompting me to update, because I can update. But let's say this is a complex WooCommerce site and I need to do testing first. That's the power of Patchstack and virtual patching, is that it lets you have protection while you can't yet update your site, either because there's no update available, or there's just a million other business factors that are saying, "Hey, we can't update this until tomorrow."
Yeah, and that's, you know, we just talked about something in yesterday's WordPress news roundup in regard to the ACF vulnerability that's out. Major issue, particularly if you've built your website using ACF and you're pushing out HTML through the ACF shortcode. That's a site rebuild to fix, if you know, because the update breaks that. So would the Patchstack firewall, as implemented in Solid Security, allow you to continue to run the vulnerable version until you can figure out what to do with the HTML?
So it very much depends on the vulnerability. So in most cases, yes. The ACF vulnerability is very interesting. I didn't spend a whole lot of time digging into it, but the reason why ACF is moving in the direction that they're moving is that it is very hard slash near impossible for them to distinguish legitimate behavior and illegitimate behavior. What happens with ACF is that if you have fields that contain HTML, there are circumstances where, depending on how you built your site, that HTML is meant to be there, but you didn't actually mean this field to be updated by this particular user. And so in those circumstances, there usually isn't something that a virtual patch can actually protect against. This varies against things like remote code execution attacks. There is a vulnerability in the File Manager plugin, the premium version, that was disclosed recently and fixed a couple of weeks ago, where an attacker could just upload any PHP file to your site and then directly execute it. That's something that a virtual patch can prevent, because you know that that is illegitimate behavior. But the ACF vulnerability is, unfortunately, more complicated in that, as I mentioned, you all talked about it yesterday. ACF also has a constant that you can enable, I believe, or a filter, to go back to the previous behavior until you fix your site, so you can stay up to date but use the previous behavior of allowing that HTML to be rendered. And there are changes that can be made depending on which functions you're using in ACF. But yeah, there's a lot we could talk about with the ACF one, really, because it's very, very interesting. But we'll move on to some of these other questions. But in this case, a virtual patch can't really protect you because of the nature of what ACF is doing.
Got it. Yeah, it is a complicated vulnerability, for sure. There's always something interesting going on for those of us that are doing WordPress development. Okay, Manu's next question here is in regard to what software you would recommend. As we're talking about session-stealing cookies, and the primary way to avoid that issue is not to have a vulnerable device, what antivirus or anti-malware software would you recommend for Windows and Mac computers?
So I don't have great recommendations here, but there are some basics. Windows Defender is great. It is a great built-in option for your computer; you should make sure it's enabled. I'm not even sure if you can disable it these days in the latest version of Windows. But using things like Windows Defender is great. On macOS, also, you have very similar protection that's built in. You can disable the firewall; don't. There is an option that lets you run untrusted apps; keep that turned off. Basically, these days, if you're using the latest version of your device, the latest software, they're rolling in lots of protections. If you keep them enabled, you're going to keep yourself safe. Make sure you update. You know, there are Google Chrome zero-days that happen every few weeks now, it seems, or every few months. Those auto-update by default. Make sure you allow it to keep auto-updating, things like that. So if you're applying best practices, using secure passwords, not clicking on untrusted links, don't install random software that you got off the internet. Don't torrent, you know, Photoshop CS4 or whatever. Those are kind of the security best practices that you want to keep going. But yeah.
Yeah, just today there's a zero-day vulnerability on Apple devices, both Mac, iPhone, iPad, all of the things. There's a patch just waiting. So there's always, always something, right? Exactly. Yes, for sure. Stacy has a question: do Liquid Web VPS accounts provide visual regression testing?
No. This is part of the Nexcess Managed WordPress platform. Yeah.
Let's see. So Manu has a question about cookies. Sometimes you'll see a cookie banner come up on the computer, with "I accept" or "decline," and I just close it. What do you recommend?
I decline most of the time. There are some circumstances where I'll say, hey, I don't mind if this site tracks me; they can use the usage data. For instance, Stack Overflow, I usually let them set whatever cookies they want. It's really up to you. It is friction that we kind of have to deal with on the web these days. But I would say letting them set cookies is not necessarily connected to security; it's more of a privacy thing. For instance, if you're visiting a site that was delivering malware, they wouldn't ask your permission before they set cookies. They would just, you know, set whatever tracking cookies they needed and try and deliver whatever malware they wanted to deliver. So it's more tied to privacy and your own personal choices with how much data you want to share with the sites that you visit. Yeah.
Great. Let's see, a couple of questions here from Sol. Sol is wondering: if creating a custom rule like blocking the URI for wp-admin and only allowing certain IP addresses, is that a wise thing to do? What do you recommend?
You can absolutely do that. And that is absolutely something that you could configure. IP addresses change a little bit, which is why we like the Trusted Devices feature, because when you enable it with geolocation, it can make things... for instance, me, I'm in New York City. If I go from the Upper West Side to the Upper East Side, it's going to say, "Hey, this is probably the same person," even though I switched cell phone towers and got a new mobile IP address. But yeah, that is absolutely an option that you can do if you are in an environment where you have a very specific set of IP addresses and no one else would ever need to access wp-admin. If I were you, and I were doing something like that, I would want to make sure that I have a VPN set up through my home router that lets me, when I'm on the road, for instance, VPN into my home IP address. The last thing you want is for a client to be emailing you and say, "Hey, my site is completely broken," but you're at a conference in Philadelphia, and you can't get into the site to fix it. So make sure that you have backup plans in case of something like that, and using VPNs that let you tunnel into your home network are a great option for that.
Excellent. Folks, let me invite you to open up the Zoom Q&A. We have continued to get questions asked, and that's awesome. We love to answer questions about security here. If there are questions you would like to see answered, if you just take a minute to do that before we get to our next question, that will help us make sure we get the best answers that you all want to hear in the time that we have remaining. There's a good question here from an anonymous attendee that I think deserves a good answer, and that is: what is a virtual patch? We've talked about Patchstack virtual patching. But how does that work?
Yeah, so virtual patches are a laser-targeted firewall rule. So what that means is that when a request comes into WordPress, we evaluate all the firewall rules in your site. And so we can see that in my example site here, under Firewall Rules, we evaluate all these rules and say, hey, does this request match this rule? And if it does, we block that request from being served any further, so it can't be exploited. What these firewall rules are is basically a series of checks: hey, does the URL match this? Is there a parameter in the URL for this? Does the user have the capability of doing this? And it's basically a series of those that we check. So we're not actually, quote unquote, fixing the vulnerability in your site, but we're blocking attacks that are trying to compromise your site from proceeding past the firewall rule.
Got it. That makes a lot of sense. And this is... the firewall rules are based on what Patchstack has discovered that the vulnerability involves, right?
Exactly. So when Patchstack sees a medium- or high-severity issue, if it is something that can be protected by a firewall rule, they go ahead and create it, and they create that based on the vulnerability. So there's not one generic firewall rule. What's very unique about Patchstack's offering is that they're creating laser-targeted firewall rules. They have, I think, 5,000 of them, which I think is by far the most in any WordPress security offering, and each one is unique to each vulnerability.
And Solid Security makes bringing that wealth of information right into your WordPress site very, very easy. It just happens, right? And of all these 5,000-plus rules, only the ones that apply to my site are showing up here.
Exactly. That's one of the big differentiators, is that some other solutions will apply 100, for instance, different firewall rules. They might be protecting against a Social Warfare attack, or a TimThumb vulnerability. Your site hopefully still doesn't have Social Warfare installed and doesn't have a theme from 2014 that has the TimThumb vulnerability. There's no reason to have those firewall rules in your site slowing it down. So with Patchstack, we're only ever deploying vulnerabilities, or excuse me, we're only ever deploying firewall rules for active vulnerabilities on your site. So that's why I only have these three here and not all 5,000 of them. Yeah.
All right. Next question from Paul: are there simple instructions so that the typical WordPress user can set up a passwordless login?
So this is a great question. There are the docs in the Solid WP Help Center. What we actually talked about, minor spoilers for things that we're thinking about in our product, one of the things that we're thinking about is a way to deliver to your site's end users content that helps them use features in Solid Security. So providing more tailored help content that is meant for users of your site who don't know about Solid Security whatsoever. All they know is that they see in their profile a section that says, hey, here are my passkeys, and they want to learn more about them. And we want to provide better contextual help in the plugin to let them know what this means without them needing to know what Solid Security is, what the settings are, that you enabled this feature in Solid Security, and that your plan was this. It will just be content that is tailor-focused. For now, though, our Help Center, the webinars that we do, the talks that we do on wordpress.tv, those are great resources for now. Yeah, very good.
I just dropped the link in the chat for the Solid Help Center regarding passkeys. That's there if you'd like to take a look at that. And Sol was saying that for him, mobile 2FA is not working. So is there any kind of global issue going on there that you may have seen?
The first thing that I take a look at, if someone says that two-factor is not working using the mobile app, is to make sure that your server time is up to date. So make sure, if you go into Settings, which... which one of the settings tabs? That's always the trick. Right, here we go. I have my timezone set to Tokyo because I'm testing a bug. But make sure that the time that is reported here matches what you expect it to be. If your server clock is five minutes behind, your two-factor code is never going to work, because the way they work is based on synchronized time. The same thing is also true: make sure whatever mobile device you're using has the correct time. That happens less often these days, because most operating systems automatically sync their time correctly. But actually, I had an issue with my laptop the other day; I thought it was September. And boy, try using the internet right now if your date is six months behind. With Let's Encrypt having SSL certificates renew every 30 days, every 90 days, it's like impossible. So figuring out what was going on there took a minute. So it can happen that your device somehow gets a time that is five minutes behind or, in my case, six months behind. But generally, your server time is more likely the culprit.
That's a great tip. Kevin has a question regarding Cloudflare. Are there any considerations we should make with the firewall rules in Solid Security versus implementations of Cloudflare?
No, it's great to have Cloudflare's WAF enabled as well. The difference is that what we're delivering with virtual patches is laser-targeted to what's happening in your site. Most of the rules that Cloudflare provides are kind of general-purpose OWASP protection rules. They're not taking into account the vulnerable software that you have in your site. But you shouldn't run into any issues, and I haven't in testing with having both of them enabled. It's just adding another layer of defense in depth. Yeah.
Very good. Oh, this is a great question from Eric. Earlier you talked about the privilege escalation feature. Eric's question is: why would you lower someone's access to Author and not No Role or Subscriber?
Yeah. So if a user doesn't need any permissions on your site, absolutely, that's a great move to make. We didn't want to offer a whole bunch of different options there, and Author to us felt like the greatest balance between, okay, they might still need to be able to make changes to posts and things like that, but they don't need these administrator capabilities. If this user has completely left your company, you should definitely go ahead and delete them. And it might be a good idea to add another option there, you know, "demote to Author" and "completely delete user." But basically, we're providing a shortcut for an action that you can already take in WordPress, so "demote to Author" is the one that we went ahead with. But absolutely, if you know that they need zero access, delete them.
Good. Question from an anonymous attendee: my firewall rules say "virtual patching inactive." Where do I activate it?
Great question. So on the Firewall page here, we provide some real-time updates. That's a Version Management feature, and we get a little highlight here that tells you about it. Virtual patching is a feature that you get if you have purchased Solid Security. If you are an existing iThemes Security Pro customer, if you head on over to solidwp.com and log in, there is a place where you can upgrade your license. If you go to the Solid WP licensing page, you can then make sure that your site is enabled as a Patchstack-enabled site here, so you can enter in your username, enter in your password, and then authenticate with that site and say, "Hey, this is a site I want to have Patchstack on." But if you have purchased Solid Suite or Solid Security Pro since we did our relaunch in October, you should have that feature automatically. If you're still having trouble, though, reach out to support and we'll get you squared away. Yeah, definitely.
Okay, question from Jean: if a session cookie gets the password from my Solid Central account, do they have access to all the sites in the dashboard?
Yeah, that's a good question. So yes, if you have your Solid Central account compromised, they are able to perform the actions that you're able to perform in Solid Central. So that's, again, another reason why it's really important to keep your device safe.
Yep, very good. And honestly, one of the great tips that Thomas gave us a couple of weeks ago was just log out when you're finished. Yeah, and I gotta say, I'm pretty lazy about that. And I've gotten a lot better about it after that live stream. So I'm pretty careful about logging out of everything. And so then that invalidates that session cookie, even if it was stolen. So they would have had to have used it between the time I logged in and when I logged out, I guess. Is that correct? Yes. Yeah. All right. Wade says, here's a question for an easy sale: when buying a multi-site license for Solid Suite, are staging and development environments excluded from requiring a license?
So when you're buying a multi-site license, I believe no. This changed a little bit when we did all of our plan revamping when we transitioned to Solid. When you buy an individual license, you actually get two licenses, and that's to keep your staging site; basically, you get one for free. I believe the number of sites that you have for your plan, in the current Solid plans, is just directly equivalent to whatever sites you have. So if you have five sites and you have a completely separate staging environment and a completely separate production environment, I believe that is still counted as two sites. One thing that you can do is keep one of those sites active and use that one for delivering plugin updates and things like that, and then just sync from your production site into your development site periodically. But yes, I believe if you're using, like, a 10-site license, for instance, those are counted as separate sites. If you do have further questions about that, though, you can reach out to our Account Services team, so sales@solidwp.com, and they can give you the 100% answer on that. I'm just giving you the... I remember writing some code about that, I think six months ago, but...
Awesome. Thank you, Timothy. Two more quick questions, and we'll wrap things up for today. If you're like me, Timothy, 30 minutes of answering questions, your brain becomes jello.
I really appreciate it. I love all the questions.
Awesome. So Vern is asking: any issues with false positives via the Patchstack firewall and Patchstack vulnerability list?
Yeah, another great question. So that is, again, one of the differentiators, because Patchstack's firewall rules are so laser-targeted for the actual vulnerability that they're protecting, versus just generic OWASP protection rules, the chances of false positives are way, way, way, way lower. I haven't seen any be reported yet. We've talked to Patchstack as well, and they very rarely see it to be an issue. If it is an issue for you, you can actually deactivate that rule by just clicking this Deactivate button. But it's much less often going to be an issue, because they're way more targeted to the specific vulnerability versus trying to prevent an entire class of attacks. Which, fun fact, we were writing a blog post, I think maybe six months ago or something like that, for ithemes.com, and we were trying to write about a SQL injection vulnerability, and Cloudflare wouldn't let us save the page because it had content in the page that looked like a SQL injection vulnerability, so it got blocked by their WAF. So that's the thing. Yeah.
Wow, that's fantastic. All right. One last question from Ben: last time I used the privilege escalation feature, I had to enable passwordless logins. Why was that?
Um, you shouldn't need to. So if you go into Users > Profile, and I won't go to my user because I already have max permissions, but if I go to this subscriber, for instance, and go over here to Privilege Escalation, you can set that up. If I disable passwordless login... and yeah, Privilege Escalation is still there. So you shouldn't need to. If you do have passwordless login enabled, and it's enabled for, let's say, administrators, when someone logs in, they will be prompted to set up passwordless login through passkeys, if you have that feature enabled. But you shouldn't actually need the passwordless login module or the checkboxes or anything like that. I mean, let me test that with the passwordless settings. Let's disable passwordless login and see if we find a bug... Interesting, there might be a bug there. So it might mean that the module is needing to be active for some reason, but that shouldn't be the case. So yeah, if you don't have a support ticket in already, go ahead and create one and we'll get that resolved. But yeah, there's no intentional connection between the two, and it's not tied to whether passwordless login is enabled for that user. It looks like there's an issue when the passwordless login module is disabled, that the Privilege Escalation tab is not appearing.
Got it. All right. Thank you, Timothy. Thank you, Ben. Folks, let me drop in the slide link once again for today. You can download today's slides, and we'll have the replay up here in about an hour from now, once the video renders and finishes up. What I will do as we're wrapping up is answer Kevin's question. Kevin is asking how do we participate and know more about future Solid Zoom meetings? I'm going to quickly share my screen. Kevin, what I invite you and everyone to do, if you're not looking at it already, is to go to the Solid Academy website at academy.solidwp.com. You can click the Upcoming Live Streams menu link, and there you will see all of our upcoming live streams. Some of them are premium, reserved for our Solid Academy members. Solid Academy membership is free if you have a Solid Suite account of any level; you have access to all of our premium events. But we have quite a few free live streams as well. Usually Tuesday, Wednesday, Thursday of every week we're broadcasting something at this very same time. Another simple way to do it is here on the events page: just click the calendar view and you can see everything in a calendar. You also have the ability to subscribe to the calendar here if you want to get these things on your calendar. Also, if you're on the SolidWP email list, they're pretty good about sending out a weekly summary of all the things we're doing here on Academy each week. So thank you very much, Kevin, for that question. It's a good opportunity for me to show folks how to use the Solid Academy site. Timothy, any final thoughts as we're wrapping up today?
Yeah, keep an eye out for a release happening shortly. And keep an eye out also for an invite to a chat about trusted devices next month.
Yes, we'll have a good live stream, good training on trusted devices coming up in February, probably sometime around the middle of the month. But thanks again, everybody, for hanging out with us for the last hour. We're back tomorrow for members for office hours with me here on Solid Academy, where we go further together.
