We're going to get captions attached here in just a moment, but glad you're all here. This is our first, inaugural WordPress Security Roundup, hopefully with many more to come. This was an idea that Tom and I had been talking about, and I'm really glad to see this start to happen. So, just about to get our captions connected.
All right, captions should now be working for everybody. All right, so welcome. If you're just joining us in Zoom, pop over and enter the chat, say hi, tell us where you're logging in from today. I invite you also to grab the slides if you'd like to do that. The link bundle is there in the chat now, with today's slides along with the replay link, a link to We Watch Your Website, which we'll talk about in just a minute, and also the link to vote for us in the WP Awards, if you've not done so already. We would certainly appreciate your vote in the WP learning and training resources category. So we are now just about four and a half minutes away from getting started with this month's WordPress Security Roundup with the expert from We Watch Your Website. We'll be talking all about new and emerging threats in the WordPress security ecosystem and what's happening there. Yeah, we're going to try this for the next couple of months, see how it goes, and if you folks are enjoying this and this kind of up-to-date WordPress security news is important to you, we'll keep doing this session. So, Tom, Sue Lynskey in the chat has said she's got extra M&Ms lined up, which means we rate the complexity of the live stream by how many M&Ms are consumed during the course of the presentation. And how scary it is, right? Well,
More M&Ms means she's more interested, or...
Exactly. And if it's... well, it means that she... how would you describe this? If we get something really complicated, it deserves the consuming of an M&M, or the consuming of the M&M has to overcome the anxiety of complicated content, or security stress, right? And if it's a peanut M&M, it just got really serious. So yeah, we may have to do an M&M rating for Sue on all these live streams. Anyway, glad you're all joining us. As the attendee numbers tick up, pop in the chat, say hi, tell us where you're logging in from. Great to see folks logging in from around the world. Good to see Chris, and Heather. Sue is here, Melissa from France, welcome. BG from Germany, welcome. Manu, good to see everybody here. I'm going to drop in our link bundle once again, if I can spell correctly. Awesome. Having some trouble spelling, apparently. There we go. So there's today's slides along with the replay link, if you want to go back and rewatch or share this with someone else; you'll be able to do that. Also the link to vote for iThemes Training in the WP Awards for 2023. That's there for you as well, if you'd like something to do over the next couple of minutes while we're getting ready to start. We are just now about two minutes away from going live with the inaugural WordPress Security Roundup, 2023 October edition. So glad you're all here. If you've not yet done so, pop in the chat and say hi, tell us where you're logging in from today. You can grab the slide link there as well. So, Thomas, we have a lot to talk about this month. Several new things are popping up in the WordPress security world.
Yeah, some interesting things, for sure. You know, if you were to go looking for this stuff, you'd probably not even see these. But yeah, it's really bizarre.
The ingenious ways that hackers try to do their hacking, it just keeps getting better and better.
So their livelihood depends on it. And they're very smart people, most of them. You know, some of them, the term is script kiddies. But somebody has to create the stuff that script kiddies buy and reuse. So yeah, those are the people that are super smart.
Yeah. Welcome, Geoffrey from Georgia, Shannon from Denver. Stacey, welcome. Good to see everybody here. Just about a minute to go before we get started. If you're just joining us in Zoom, let me drop in the link bundle again in the chat. There you'll find today's slides, the link to the replay, which we'll have up about an hour after we finish. Also check out Thomas and his team at wewatchyourwebsite.com. And the link to vote for iThemes Training in the WP Awards is there as well. We're just about 30 seconds away from getting started now. We have a lot to talk about. Glad you decided to take about an hour and spend it with us live. We'll have a good Q&A time at the end as well, if you have questions for Thomas. It's a really good opportunity to pick the brain of a WordPress security expert.
My dad used to say that the definition of an expert is: an "ex" is a has-been, and a "spurt" is a drip under pressure.
I heard that somebody gave the definition of an expert, and I'm probably going to goof this, but it was a person who has made every mistake possible in a very narrow area. That's an expert. So yeah. All right, folks, it's three minutes after. Let's get started. Let me start the recording and we'll dive right in. Welcome, everybody. Glad you decided to join us here for the inaugural WordPress Security Roundup. It's October 2023, and we are joined today by my friend Thomas Raef from We Watch Your Website, a WordPress security expert. Welcome, Thomas. Glad you're back with us today.
Thank you. Thanks for having me. This would be pretty exciting, I think.
I think so too. So you were with us several weeks ago. We talked about some emerging threats in the WordPress security landscape, and folks really enjoyed having you here. You are an expert in this area, and we were trying to figure out a way we could maybe work you into some of our regular live streams. And now this idea of a WordPress Security Roundup came to light. Maybe we'll give this a try for the next couple of months and just talk about what's happening in WordPress security and see what folks think. So we're really glad you're here.
Sounds good. Yeah, I'm excited. It's one of the things that's near and dear to my heart, helping people protect their sites. So I always enjoy talking about it.
Yeah, so you've been doing WordPress security for a long time. And am I correct that you and your company manage, or are watching, the security of about 6 million WordPress websites?
Yeah, it's quickly encroaching on 7 million, just because we have our free plan and a lot of people, not everybody, but a lot of people decide to go with that. And then they're like, well, you know, if there is a problem, then I'll sign up for your paid program. Like, okay. But I mean, that gives us just tons and tons of information on a daily basis about what hackers are doing. And so some people say, ah, you should kill that free program, it's draining your resources. But I mean, it's providing us with so much threat intelligence that I've had companies reach out and say, hey, we'd love to subscribe. If you come out with a threat intelligence feed, let us know, we'd subscribe. And I'm like, okay, one more thing to do.
Folks, if you're just joining us, we're about to get started here with the WordPress Security Roundup, talking about emerging threats in the WordPress space. Thomas Raef is with us from We Watch Your Website. The links are in the chat; if you'd like to download today's slides, we invite you to do that. If you're joining us live, it is live. Thomas is here, you can ask your questions, and we'll have a good time of Q&A as we wrap up today. I would ask you to please use the Zoom Q&A button right there on the toolbar. As you mouse over the shared screen, the toolbar will pop up; click that Q&A button at the bottom. That is where you should ask your questions, rather than the chat, because we'll also give you the opportunity to upvote the questions of others. So you can just keep that Q&A window open throughout, and if somebody asks a question you also have, hit the thumbs-up icon, and we'll take those questions in the order of upvotes when we get to the end today. So we have a lot to talk about, several new threats in the WordPress ecosystem. So, Thomas, I'll let you take it away. I'm going to disappear, and we'll come back for Q&A in just a bit.
Okay, sounds great. Okay, so what we've been finding lately, one thing I want to focus on today is these new attack vectors. It's becoming more and more obvious that hackers really, really know the WordPress ecosystem. They know what you guys are doing, they know how you do it. And it's just the way that their brains work. Just like many of you that are designers, somebody throws out a topic or a niche to you and your brain starts thinking in terms of how you could make that look nice, how you could make it look accessible. If you're like Jen, you know that's the way your brain works. Well, their brain works the same way, and it's like, okay, we know this system, we've learned all this stuff about WordPress and how all these agencies work. How could we get into their systems and use them to make money? So they know the ecosystem very well. And they know that agencies in particular have hundreds or thousands of websites. Maybe some of you have more, I don't know. And the thoughts that run through the hackers' heads are, can the agencies effectively monitor all those sites? So their brain starts thinking, okay, they must have some type of way to manage it. And then they start looking into that, and they see all the different offerings out there. And they also know that outsourcing creates opportunities for the hackers. So you outsource something to somebody because maybe they're terrible at marketing, so they just want to white-label their services through your agency. Well, hackers know that those opportunities are out there, and their brain starts thinking about how they can exploit those people. And I said, yeah, in here, the games that they play, and they're good at it.
Throughout today's presentation, I'll talk about this one specific ploy that they do, and some of the comments that people make in the Facebook groups about having a couple of sites hacked and so forth. And then we'll talk about some simple steps to prevent this type of attack. The agency landscape, as we said: you've got many websites, and many, if not all, are on maintenance plans. So that leaves you guys, the agencies, responsible for maintaining those websites for people. And like I said, the responsibility falls on the agency to know what to do to keep hackers out. And hackers also know that agencies typically rely on plugins for security. And so, like I said, their brain starts to think, how can they compromise many sites with very little detection? And that's the key: with very little detection. Now, something to keep in mind throughout all this. Like I said, they typically rely on plugins for security, and that's not necessarily a bad thing. But again, hackers' brains start thinking, okay, what plugins are they using? How can we exploit those? Once we find a way in, how can we kill, or nullify, the detection? Because that's what they want. They want longevity on your websites. So, can agencies monitor all their sites? Well, they can. It's going to take some concerted effort. So you can use something like iThemes Sync to automate the monitoring. It's a very nice tool. It's got some great features to it that we'll talk about throughout this. But one of the things that hackers have realized is they can attack via the management console. So I'm going to mention some names of other services. It's not meant to slam their programming; it's nothing to do with their coding. It has to do with the opportunity, and that's what hackers are looking for.
So, things like MainWP, ManageWP, WP Umbrella, pick one, but they have one thing in common, and that is they have a login. So, hackers... I've mentioned this before, you could Google the term "info stealer" and you'll see thousands and thousands of pages of news articles about how hackers are using info stealers to steal information. Part of the information they're stealing is authentication cookies, and usernames and passwords, you name it. But authentication cookies are perfect because that presents a credential that shows that you're already authenticated. So it bypasses 2FA without any other interaction. They use that authentication cookie, bam, they're in. So the big thing is the concept in security called intrusion detection systems, IDS. You have to assume at some point that your site is going to be infected, and you have to determine how long it is going to take you to notice. Do you have plugins that are scanning for malware once a day, once every 12 hours? So you need to determine what's your window of opportunity to restore a site or remediate a site that's been infected. Because like I said, you have to have the mindset that the sites are going to get infected at some point. Whether they are or not, you just have to take that mindset and say, okay, these sites are super important, so we have to have BackupBuddy running, and we have to make sure that we've got backups all ready to go to restore these sites in case they are successfully breached. And like I said, even though the session, the authentication cookies, bypass 2FA, it's still mandatory. You still have to have it, because it's one more layer of defense. They talk all the time about defense in depth, and this is mandatory.
Because, and we'll get into this in a minute too, there are things to prevent your authentication cookies from working by themselves. As I said before, outsourcing creates opportunities. Hackers know that people from all over the world are somehow involved in web development, whether they're content writers, graphics people, web devs, whatever the case may be. Your team can be anywhere in the world now. Not everybody has a mind toward what the hackers are doing. Some people feel that they can just fly under the radar, and nobody's going to bother me, because what am I doing? I'm not working on any e-commerce sites, I'm just doing some graphics. Well, hackers can embed malicious code in your graphic files. You upload that, they access the graphic file, now they've got a backdoor right into the website. So by sitting through these sessions, what Nathan and I hope to help you gain is education in how hackers are working and all the different opportunities they're looking for. So when you're outsourcing to other people, what qualifications are required? Well,
You know, a few things I've got listed here. Create separate users for everyone, with an expiration date. Part of iThemes Security Pro is you can set up users with an expiration date, and that's a great feature. And demand, drill this into everybody's head, including your own, that people log out. Not just close the tab or window, but actually log out of the WordPress admin console. Because when you do that, that kills the cookie. So even if it's stolen, it can't be used. And that goes right to point number four that I already said: 2FA. So if you have two-factor authentication and you're beating into everyone's head that they need to log out and not just close the tab or window... I used to be the same way, so I'm very familiar. Yeah, just close the window and that way it's gone, I don't have to worry about it anymore. Close the tab, whatever. If I could show you my other screen, you'd see how many tabs I have open. So I should get used to closing tabs anyway, but us old dogs are hard to teach new tricks. But anyway, even if your authentication cookie is stolen, if you've logged out, that's useless, because it registers in the WordPress database that that cookie is done. Then you're left with 2FA. If you don't have to worry about authentication cookies being stolen, and you've got 2FA set up, you're miles and miles ahead of many people. So make sure you get that 2FA set up. Games that they play. So this was almost word for word from one of the Facebook groups recently. Somebody posted that two of their websites had been hacked, and their feeling was that it couldn't have been their session, their authentication cookie, stolen, because if it was login credentials, then all their sites would be infected.
Sorry about that. That was the new FEMA alert just going off now.
Yeah, I think every cell phone in America is about to get a blast here in the next minute or two. Yeah.
Still, but that's not the case. What hackers do, they love to play games, because obviously they think they're smarter than everybody else. So what they do is they may have access to, like in this case, he said, I think he's got 10 servers, and websites across all these 10 servers. So his feeling was, well, if it was stolen authentication cookies, then hackers would have infected all my sites. No. They'll infect two, possibly even from two different servers. And I say two; they may pick three or four depending on who it is. But they'll just pick a few sites, and then they're going to infect those sites, and then they're just going to watch to see how you respond. And depending on how you respond will determine what they do next. If you've got something that, as soon as the site's infected, bam, it's remediated, they could think one of two things. A, it's a big challenge, and then they're going to really step up their game, or they're going to be like, you know what, there are other people out there, we don't have to worry about this, let's just move on and keep going. What they decide to do, that's totally up to them. So they will play this cat-and-mouse game where they'll infect a couple of sites and then wait and see how you handle it. And if in 24 hours the sites are cleaned up, or maybe you restored from backup, then they'll pick two other sites. Now, this is assuming that they've got control through a management console. I don't know if I've made that clear yet, but that's pretty much the attack vector I'm looking at today. So they'll play cat and mouse. You clean the second two or three, and then they see how you did that. Did it take another 24 hours, or has it now taken 48 hours, because now you're trying to figure out how they got in?
So then they start infecting four or five different websites. So they play this cat and mouse with people all the time. And to be honest with you, most of it's automated. So they may put in a list of all the websites that they have access to, and then just decide from there what games they're going to play and how they're going to infect them. Now, the infection on this second group that they breach, that they infect, could be a totally different infection, a totally different malware, different motivation, everything. So you never know what they're doing. And what we're seeing also, more and more lately, is the hackers will create a hidden process that's running in memory on your web server. We've seen this with shared hosting accounts. We've seen this with the server accounts, where you get a server with DigitalOcean or Vultr or OVH, whoever. Their malware creates a hidden process, and then it deletes the file. So the process is still running in memory, but the file is gone. So you run a virus scan, and, again, I hate to beat the horse, but especially if it's a plugin malware scanner, because I don't know of any that are created to check the processes that are running for their website. So the process could be, typically what we see is they take instructions. So it'll open up a port on your web server, and it just accepts instructions from the hackers. So they could say, here's a list of usernames and passwords, and here's a list of WordPress login URLs. See how many you can log into with these credentials. And maybe none of them. But again, it's something that's automated for the hackers. That's what those hidden processes do.
And sometimes also, in this one Facebook post that I was referring to earlier, about whether it was login credentials: as soon as the index file, and typically some other files, but the index.php file in the root of the WordPress site, as soon as it was cleaned, this hidden process would automatically reinfect it. So you can delete the file. You can delete the index file through FTP, SSH, however you want to do it. And you'll notice, you do a refresh, like, wow, it's back already. That's because that hidden process is set, usually it's called lock360, and it's set so that it just automatically keeps reinfecting the files that it's told to. So you have to get to a command line and kill that process. But the other thing, see number five here: perpetual Perl programs. I had to come up with something that was three Ps just to make it fun. Anyway, so what they do is they bury this Perl program, so it's no longer a PHP file, it's a Perl file. They bury it somewhere that's not in the file system of your WordPress site. So it's not in wp-admin, wp-includes, wp-content. It's not one of the files at the root level there. They hide it somewhere else on the server that they have access to. And that Perl program just continually runs. So you kill the process and think, okay, now I've deleted all the malware on my website, and now I've killed this process, now we should be good. Nope, that Perl program is still running. And it checks to see, is the process still running? Are these files still there? And it just automatically keeps reinfecting. So you have to find the Perl program, delete it, then kill the process, and then clean your site, and then you'll know that it's not going to come back right away.
You still haven't found out how they got in, but anyway. So some of the solutions, and obviously this is iThemes Security training, so focusing on their solutions. They have a thing in iThemes Security Pro, trusted devices. So in this case with the management consoles, hackers were stealing, I think, authentication cookies or login credentials to the management console. So MainWP, ManageWP, WP Umbrella, any of the other ones you guys might be using; they steal the credentials to log into those. Now, what do those programs allow you to do? Oh, they allow you to update themes and plugins, you can install plugins, etc., etc. Well, that's what the hackers are doing. They're installing bogus plugins and running them, and then they delete the files. So that, again, it's running in memory, you can't see it. You run a malware scan because something goofy is going on, or you get a notice from Vultr that they're going to shut down your server because it's attacking other sites, and so on and so forth. But with the trusted devices concept, only trusted devices can log in, obviously with the credentials too, into your websites. So that reduces the attack vector that's available to hackers. And with iThemes Sync, or any of the other management consoles, you need to set up 2FA, and then also make sure that you are instructing all of your people: when you log into the management console, log out. Do not close the window or the tab, log out. Because then you're relying on 2FA, depending on how you set it up, and that is going to put you miles ahead of what many people are dealing with.
And the other thing is too, with the iThemes products, they have a vast, I think it was like a million, somewhere over a million users of the iThemes services. So that means they're gathering intel from a million different websites. So it's almost like a huge honeypot of websites gathering information and funneling it through, so they can block by IP address based on attacks that they're seeing in the wild. And you've got a million sites out there. Just like for us, we're approaching 7 million sites that we're watching, so the information that we gather from those sites is just incredible and helps us defend against other attacks. So they can block by IP address, and some people say, ah, you can't effectively block by IP. Well, when you've got a million sites all funneling information into one location, and then it's dispersing that block list, or disallowed list, out to everybody, they've got this hub-and-spoke kind of concept going on. At the end of the spokes are the million websites, at the hub is iThemes, and all this information is feeding in and then they're pushing it back out to the sites. So I beg to differ that blocking by IP address is not effective. It's highly effective when you're working with live data like that. And same thing with user agent. The combination of IP address and user agent, in my experience, going back to 2007, is highly effective at blocking hackers. Now, is it 100%? No. But you tell me one type of security that is 100%, and I'll be interested. So in our studies for this information with the management consoles, one of the things that we're able to do is combine IP address and the user agent. Because the problem with the user agent, a lot of people in the security world will say, is that you can spoof that easily. You can't spoof an IP address because of the three-way handshake of TCP/IP. I'll save that for probably never. Anyway.
Yeah, if you're ever interested in why you can't spoof an IP address, just look up the three-way handshake for TCP/IP. Genius. Anyway, but the user agent can be spoofed. So I could sit here on my Windows 10 PC using Chrome and start browsing websites, but I can trick those websites into thinking I'm coming off a Mac with a super old version of Safari, and there's nothing they can do. Or I can say I'm actually an Android phone coming in off a recent version of Chrome, but yet here I am on my Windows PC. So the user agent is spoofable. Not a word. It is now. So you can spoof it, but the combination of an IP address and the user agent: if I see it's an IP address that's coming from a GoDaddy IP address, and the user agent says it's iThemes Sync, I'm like, no, probably not. But if I can verify that it's an IP address from, like, ManageWP, and the user agent is one that they use, then I can say, okay, yeah, I'm pretty sure, 99.999% confident, that that's legitimate traffic and let it through. So there's blocking by IP address and user agent. I had to put that in there because I continually see people that say it's not a good way to prevent hackers, and it is. We constantly see attacks. We just saw some last week, some group out of Eastern Europe. They were attacking websites with a version of Chrome that was like a double digit. Right now I think the current version is like 117.something.something.something. This was like version 12 or something like that, as the user agent. So like, yeah, okay. If somebody is coming to my website and they've got a browser that's that old, do I really want them as a customer or a viewer? I think I can let them go. Because hackers, like I said, they buy these tools. Sometimes the user agent is just built in, or the hackers just want to see how many sites they can hit.
And figure nobody blocks by user agent because you can spoof it, so they don't even bother changing it. Anyway, it is an effective way of doing it. Now, some things that I wanted to put in here, some reports that you can read, are about this BunnyLoader, this newest malware service. When you get into the ecosystem of hackers, they want to find out as much as possible about WordPress and about the users and all that. I want to find out just as much about them as they know about WordPress. So I'm always digging. But this BunnyLoader malware really works to hide. They put bounties on their malware and say that if anybody can successfully show us that our latest malware can be detected... now I'm talking about on local devices, not on websites. This is malware on local devices: your Macs, your PCs, etc., tablets, phones. So they'll offer a bounty: if you can detect our malware with any of the current scanners out there, then we'll pay you a bounty. And so people are working feverishly to try and detect it and break it down and find out everything they possibly can about it. But so this BunnyLoader is some of the newest, and they call it malware as a service, so it's MaaS, and it's a big thing in the hacker world. People will do nothing but create the malware, and then they sell licenses for it. So for $350 you can get a license to this BunnyLoader and try and infect as many devices as you want, and then that'll send back the information to you and you can do with it as you will: look for usernames and passwords, etc. And then this other one, this Chaes malware, you can kind of read in the URL that it now uses the Google Chrome DevTools Protocol to steal data. And they've seen it actually take screenshots of your device. So you might be logging in, and it's already stolen maybe the authentication cookies, but it needs to know,
now, okay, where do I use these? Well, now it's stealing screenshots, so it knows exactly where you're logging in. And I've stated this for years now: people that use the hide-your-login-URL thing, I've never really been a big fan of that. I guess it can be considered an extra layer of defense. It can be considered defense in depth. But I mean, come on, man. They're taking screenshots.
I mean, yeah, I'm pretty good at programming. Never malware, but ways of detecting it and all sorts of other things. But to figure out how to take a screenshot... I guess years ago the big thing was you could tell you were infected because your CD, and I know I'm going way back because some of you people may not even remember what a CD is, but anyway, you'd have a CD tray on your computer, and one of the things hackers liked to do, just to let you know that they were inside your computer, they'd open up your CD tray. So you'd see it open, close, open, close, open, close. Those are the games they used to play. But now they're taking screenshots. Like, come on, nothing's sacred anymore. So anyway, you get copies of the presentation here, so I encourage you... some people may not find the whole article interesting, but just so you understand where hackers are going, what they're doing, how good they are with technology. Let me take a screenshot. Anyway, not that I ever have anything, I mean, I might have this presentation up on one screen, I've got a blog post that I've been working on since this morning on my other screen, but screenshots they can take. Anyway, so that's it, Nathan. Oh, yes, I guess I should go over this. For you guys who weren't on the last time I was with Nathan: we started focusing on website security in 2007. We have removed malware from over five and a half million sites. That's up considerably. Still haven't hit 6 million websites yet for removing malware, but we actively monitor almost 7 million websites now. Now, like I said, a lot of people are using our freemium service, and it's great for us for the intelligence that we can glean off of that. Our systems still ingest just slightly over 20 million log entries per second.
I like watching it sometimes just just because you know, I've got nothing better to do so watch the count of how many log entries were were taking in per second. So that equates like 1.7 to a trillion log entries per day and it's all analyzed. So that's how we can glean this information and present it to as they say down here. In the south. That's how we present it to y'all. Anyway. Mr. Stokes?
Yeah, let me invite everybody to pop up in that Q&A window and take a scan down the question list. If there are any questions there you would also like to hear the answers to, click that thumbs-up icon, and we'll get questions over to Thomas in just a minute. Thomas, before we move past this, We Watch Your Website: you talked earlier as we were getting started about a free level where they can receive monitoring. What does that involve, and what does your paid service involve?
Okay, our free service is great. I mean, it's great for shared hosting accounts too, but primarily what we focus on is our free version for web servers. So if you're going through something like GridPane or RunCloud or CyberPanel, ServerPilot, some of those services, then we can install our freemium service on there, and it monitors all your log files in real time. And your files, your website files, so we'll see if a file is changed. Say you update some plugins through your management console. Our system will see that those files have been updated, and it just pulls them down to our servers and analyzes them to make sure that there's nothing malicious in them. And then it just goes down from there. So you're getting your files analyzed in near real time, but your log files are being monitored in real time. For shared hosting accounts, accounts where we don't have root access, and unfortunately, still today, we haven't been able to get with Cloudways; I would love to be able to offer our freemium service on their servers, but they don't allow you to have root access, so it would have to be something that they install. But anyway, for any account with FTP access, we can monitor once every two hours throughout the day for log entries and for file changes. And then with our paid services,
it's automatic malware removal and root cause analysis. So, because we're watching everything, because we're, I hate to say it, experts at reading log files. Sounds exciting.
But our systems, you know, we can determine pretty accurately how a website was infected. Was it an outdated plugin? Was it stolen authentication cookies? Was it stolen login credentials? We can tell the difference between all those. So anyway, that's what our paid service does. It's automated remediation.
Excellent. And folks, I just invite you to take a look there at We Watch Your Website and everything that Thomas and his team offer. A full server plan is $299 a year. That's a pretty good deal; it covers every site on that server for $300 a year. Right. So, all right, Sue has a question to get started here. You mentioned some of the, I forget the alliteration that was used, but the little sneaky Perl programs that they like to hide in various spots. Does your software, Thomas, find little files like that that are hiding in various places?
Yes. Real quickly, years ago, when we were primarily doing Bluehost shared hosting accounts, we'd see where the hackers had actually logged in to their cPanel and gone in and added a cron job. And the cron job was running from a directory that was not part of the hosting account. So we're like, wait a minute, they shouldn't even be able to see that, and then we dig in further into Linux, like, ah, they can see that. So we've been monitoring that. So any files that are in these directories that are accessible via the website that shouldn't have files in them, or shouldn't have PHP or Python or Perl files in them, that raises red flags with us. So yes, we can keep
Yeah, sneaky. Another question here from Sue: when we see a lot of failed logins in a short time, we have to assume it's a hacker using a VPN or some other kind of IP hiding. Would you block all the IP addresses? Or how would you address that, a lot of failed logins in a short amount of time?
It depends. Our system is set so that we analyze those IP addresses: is there a pattern? If they're residential IP addresses, they're harder to detect, but there again, just like you guys with your million-node network of sites that you're servicing, we've got 7 million; we should collaborate someday. That'd be fun. We create our own blacklists, I should say block lists, of residential IP addresses that we block, and that's automatically pushed out to our servers and all of our stuff so that we know what to block. But
So a lot of times what I recommend in that situation is just simply protecting the login form with a CAPTCHA, or maybe running one of the Cloudflare rules that I recommend: just make all traffic to the WordPress login page pass through a managed challenge. Does that help to defeat those sorts of, you know, lots of different invalid login attempts?
Yes. And if you are using the Cloudflare solutions, then that's being handled before it gets to your website. I'm always concerned about consuming website resources. Anytime you're running PHP on your site, like some type of URL challenge or CAPTCHA, anything like that that's running on your site, you're consuming some resources, so the hackers could effectively do a DDoS and shut your site down. If it's handled up on Cloudflare with the challenge, then it's not even getting to your website. So yeah, that's a great way to do it. As an agency or a web dev, I would not try to maintain a list of blacklisted IP addresses; you'll spend all your time doing that because the hackers have so many available to them. So you'd spend all your time doing that and not have anything fun to do, like eating M&Ms, Sue. Exactly.
Oh my goodness. Let's see. Next question is from Shannon regarding, I think, Security Pro: does iThemes Security Pro have a setting to automatically log out a user after a certain period of inactivity? And Shannon, I don't believe there is a native setting for that. I just popped open the new beta of Solid Security that I'm looking at, and I don't see that setting there. And it's interesting. So look, Timothy is a smart guy, and if it's not in there, there's a reason, and I don't know what that is, but I will find out. We'll send him a Slack and figure out what's going on there. There are plugins that can change the default, the login cookie, whatever that countdown is; yes, what you just said, there are snippets and things. Thomas, what do you recommend on average, a good rule of thumb for a logout period?
I would say typically 15 to 30 minutes is about right, because if you're inactive for that long, then you should have to log back in. Yeah, and any less than that, you might get lost in thought or something, jump over to check on something else real quick, and then you come back like, I lost it.
Yeah, exactly. So I just dropped the plugin that we've used on a number of sites, called Inactive Logout, that works great. It just does this one thing and has a little UI where you can set your time. It works just fine. I think the default WordPress setting is like 24 hours, right? Yeah. So that's not ideal. I wonder why the WordPress security team hasn't addressed that.
I don't know. I mean, it would be great if it was, you know, part of the core, but
No, less than a day, maybe three hours, even in core, right?
Yes. Two hours, something. Yeah.
Question from Shannon about your paid monitoring services. Shannon uses Nexcess managed WordPress, which doesn't have a cPanel; it's a managed WordPress platform. Would I need to set up or pay for a separate account for each website under your pricing scenario?
Nexcess does things differently, so it's like each account is a separate FTP account for us. So technically, yes, it would have to be separate. Depending on how many she's got, if she wants to reach out, we can talk; we've got millions of websites, so depending on how many she's talking about, we can talk about some arrangement with her. So, nice. Reach out.
Yeah, just reach out through the website, Shannon, and chat with Thomas. I'm sure that we'll figure something out for you. Let's see, a question from an anonymous attendee: the free plan that you offer, does that involve a plugin, or what's involved with setting that up?
No, none of our services involve a plugin. Sorry, guys. Early on, I mean, when I first started this, I was nervous about writing a plugin because, you know, how do you account for everything? Now I've got to learn the deep, dark secrets of WordPress from the inside out without skipping a beat. And then I remember one of the times early on, one of the big security plugins had a vulnerability that was exploitable, and I was like, no, I'm never doing a plugin. So no, our stuff doesn't require a plugin. That's why on our server plan we do need root access, so we can install everything. But then, unlike security plugins, hackers can't tamper with it. The less we install on a website, the fewer opportunities hackers have for circumventing our system so that we don't see something happen. So no, no plugins. Yeah.
Really, your service is almost better, rather than equating it to a security plugin, it's almost better equated to an operating-system-level malware scanner, right? Am I correct?
Yeah. Yeah, and there again, because of the way we analyze malware, we don't put the malware engines on your web server, because that would consume huge resources. So we grab the files: any file we see edited or changed on any of your sites, we grab, and that gets analyzed. If it needs remediation, or cleaning, deletion, whatever, that's handled by our system as well, but it's all automated.
Question here from Manu. You mentioned ManageWP earlier; how secure would you say ManageWP is? Or is that a question you can even answer?
Yes, they're all very secure. And like I said, this recent scenario has nothing to do at all with the coding of the services. Nothing at all. It's just hackers finding a way in, and the weak link in this case is users not logging out. If they log out, the authentication cookie is dead. You've got 2FA set up, now you're looking good. Yeah.
Question from Melissa: does iThemes provide training on how to best secure our websites? So Melissa, we've done a number of trainings. For example, I've given my settings on how we secure sites with iThemes Security for the agency clients that we manage. I would recommend that you follow the install wizard, though it depends on the scenario of the sites and how you're managing them: is it just your site, or are you managing sites for clients? The iThemes onboarding wizard in iThemes Security does a really good job of helping you select the correct settings. Okay, you're managing for clients, Melissa? As Thomas answers the next question, I'll go and look for the last Disaster Day series that we did and drop that link in, because I share a lot of tips there as I manage for clients. So give me just a minute; I'll drop that in the chat. And in the meantime, Thomas, feel free to take as long as you want to answer this next question. Let's see. Yeah, so Sue would like to know: if a site is on a shared server, are there hosting companies that do allow root access?
Sorry, Nathan, but no.
Okay. Independence, I should have asked a longer question.
Yeah, no. The people that are using shared hosting accounts are looking for ease of use and so forth, and you don't want ease of use when you're talking root access. Yeah, that's
100% true. Okay, here's a scenario described by Manu: Google Analytics on some of the sites that he's working with shows a spike of visits, a significant spike of visits. Is that showing something he should pay attention to? And maybe if I rephrase it this way: do bots and malware show up in Google Analytics?
Yes, they show up in Google Analytics. To me it would be an area of concern. If he has the log files, the access logs, I would try and correlate those with what he's seeing in Google Analytics, and he's probably going to see a huge spike in bots hitting at that specific time.
Yeah, for sure. Melissa, I just dropped in the link for Disaster Week from 2022. We did not do a Disaster Week yet this year, which I just realized; that's interesting. But if you look on the replay link at the very bottom, I believe it's sessions five and six where I talked about the client side of security and setting up care plans and settings and so forth. So that should help you, Melissa, and anybody else that wants access; it is right there for you. Let's see, an anonymous question: we use pair Networks to host our sites on a shared server. We do about 30 per shared server. Have you ever worked with pair Networks before, and can you set up in their system?
I don't think that's a VPS; I think it's almost like a shared hosting account. So I'd have to dig through our stuff to find out for sure. But as long as we have an FTP account, we can go with our lower-price model, or we have a freemium version of that as well. But then we can only scan the files and grab the logs once every two hours. So if it's a VPS and he has root access, then yeah, we can set up the full-blown service. We've got some servers with 200 websites, 204 websites, on them, and on our server plan they're all covered. So yeah.
Manu would like to know if you're using any sort of AI to analyze all these millions and millions of log entries. You're definitely not reading all of those, Thomas.
Sometimes,
because why not? Right.
I literally do. I'll sit here and I'll scroll, scroll, scroll, and certain things jump out at me. I'm like, oh, what was that? And our system has already analyzed that, but I'm like, I spent all this time learning how to read log files; I don't want to lose it. But yeah, we are using a lot of AI. And it's interesting; it's not foolproof, but it is very interesting, some of the things that it finds and thinks are safe and are not, or thinks are malicious and are not. But that's all part of the machine learning process. So
Very interesting. All right, well, we're coming up right to the top of the hour here. So, Thomas, really great stuff. Great information. Any final thoughts as we're wrapping up?
Like I said, if you take nothing else out of this: force everybody to log out and activate 2FA wherever you can.
Those are great takeaways. Force the logout and use 2FA.
And they're easy things to do. Yeah. Yeah, no reason not to do it.
Yeah, great point.
So please do it.
Well, Thomas, how can they find you again?
They can reach me at traef, T R A E F, that's fear spelled backwards, at wewatchyourwebsite.com, or you can just go to our website, wewatchyourwebsite.com, and click around. It's an ugly site, but it's being worked on. So. Excellent.
All right, folks, that's going to wrap it up for us today. A lot of good information about what's happening in WordPress security. Thanks again, Thomas. Thank you all for being with us. I'm back tomorrow for our members for office hours at one o'clock Central as usual. We'll see you back here tomorrow at iThemes Training, where we go further together.