In this episode:
Discussion – Feeling insecure about security (Part 2)
So this is part two of our discussion of WordPress security. I think you could well listen to this episode in isolation, but it might be better if you went back to episode 140 and finished that one first. I will leave that decision to you!
A brief recap on last week though in case you don’t want to do that. We discussed:
- Non-WordPress security matters: the data we keep, how we store passwords
- How we manage sites that we pass over to clients if we know that we won’t be managing them going forwards
- We talked about what we have done in the past with our WordPress website care plans and what we were promising
We start the discussion this week by listing out our experiences of the security solutions that we have come into contact with. This is certainly not an exhaustive list, and is not intended as a set of preferences. It’s just what we’ve heard of and in most cases what we have tried out ourselves. I’m sure that you could add other plugins to the list and likely you have different opinions as to what works best in the environment that you have set up.
Some of the security plugins feel a bit like car insurance in that you don’t know how good they are (for you) until something goes wrong. There is a whole lot of overlap too; many have features that are already taken care of in other ways (i.e. database prefixes, file permissions, strong passwords).
- Wordfence – resource heavy, confusing, prone to giving false positives, but the scanner is brilliant.
- iThemes – good on prevention and lightweight, but uses Sucuri’s malware scan.
- All In One Security – made for beginners.
- MalCare – brilliant for not using server resources, avoids false positives, and probably best of all is that they will look at the problem if the one-click solution does not work.
- WebARX – has a ton of fans and I see Oliver Sild being very active. I missed the AppSumo deal and regret it. Another that uses no server resources. I have started to use this more recently and have been happy to see that it’s blocking some intrusions.
- BulletProof Security – we have no idea about this one. It is complex and has a scanner.
- SecuPress – no idea. Has a scanner. Is pretty if you don’t mind them changing the WordPress look (it came out of WP Rocket).
- Sucuri – I think their selling point is their support; real humans will fix your site for a fee.
- Defender – WPMU Dev’s hardening offering, which has a similar set of features to the hardening aspects of iThemes.
- Blackhole for Bad Bots and BBQ Pro
One of the things that comes out of this discussion is that most people (including ourselves) don’t really understand the implications of all of the options in these security solutions. We can read the help text that accompanies the check boxes or fields, but this only gives us a cursory understanding at best. If that is true of us, as people who work with technology, I would say that non-technical website users would have even less of a clue, and so that creates a problem for us.
Should we tick boxes if we don’t fully understand what we’re doing? Should we stay with the default set up as we can have some confidence that this is what the developers of the plugin think is the ‘best’ set up out of the box?
Beyond the options that we’re presented with, do we even know what the plugin is doing for us on a day to day basis? If we get no alerts, does that really mean that all is well? The opposite might also be true, do we get so many email alerts that we simply never bother to open them because the last 241 emails contained the exact same text informing us that all is well and there’s nothing to see here?
Are we deploying multiple solutions into the same website and suffering from bloat and option overlap? I’ve heard that this happens quite a lot, the thought being that more layers of defence are better, but I’m really not too sure that they are. In fact, might we be compromising both plugins if they’re trying to do the same thing? Again, we’re back to the problem that we don’t really know what these solutions are doing.
Towards the end of the episode we talk about what it is that we’re actually doing in our businesses to promote security to our clients.
David’s list is as follows:
- All clients are going to get the Editor role which he can modify for more capabilities if required.
- Scanning will inform the quality of the backups – whether or not an error has occurred and how far back the backups can be trusted. This scanning is going to be made up of MalCare and Wordfence.
Nathan’s list is as follows:
- I’m going to be creating full site backups of all sites every day. These are then stored in multiple off-site locations and are never deleted. The repo just gets bigger and bigger!
- I’m going to do a daily scan with something like Wordfence.
- Use some hardening techniques, such as blocking multiple login attempts with IP banning.
I’m sure that your set up is quite different, and I’d be really interested to hear your thoughts on this subject. You can leave comments below, or why not head over to the WP Builds Facebook group and get in on the conversation over there?
Transcript (if available)
Nathan Wrigley: 00:01 Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now welcome your host, David Waumsley, Nathan Wrigley.
Nathan Wrigley: 00:21 Hello there and welcome to the WP Builds podcast. This is episode 141 entitled feeling insecure about security part two. It was published on Thursday the 15th of August, 2019 my name is Nathan Wrigley from picture in word.co.uk, a small web development agency based in the north of England and I will be joined a little bit later by David Waumsley from David Waumsley.com so that we can have our regular discussion. We tend to sort of cycle one week and interview with a WordPress developer or something like that and then a discussion with David and I, but this is the second one in a row because it's all about the same subject. A few things before I begin. If you wouldn't mind heading over to the WP Builds.com website and there you'll find a menu at the top and the first link on that is the subscribe link, WP Builds .com forward slash subscribe, get yourself onto our newsletter.
Nathan Wrigley: 01:14 We've got two of them, one to tell you about the podcast and the WordPress weekly news that we put out on a Monday and the other one is to subscribe to an email which will tell you about any deals that we come across as soon as we hear about them on that page. And also be able to subscribe on your favorite podcast player. Join our Facebook group of over 2,100 WordPressers and you can find our content over on YouTube and we'll also update you on Slack and Facebook Messenger should you so wish. Another page I'd like to mention is the deals page that's over at wpbuilds.com forward slash deals and there you're going to find heaps of money off notable WordPress plugins and themes, et cetera. It's a bit like Black Friday but every day of the week. So if you're in the market for some new products around the WordPress space, maybe go and check that page out and familiarize yourself with what's available.
Nathan Wrigley: 02:03 And the last one that I'm going to mention this week is WP Builds.com forward slash advertise. If you would like to have your product or service mentioned on WP Builds, we'd be happy to do that for you and get your, get your service in front of a wider audience. And somebody that's done that is David Vongries from the Page Builder Framework. Do you use a page builder to create your websites? The Page Builder Framework is a mobile responsive, lightning-fast WordPress theme that works with Beaver Builder, Elementor, Brizy and other page builders with its endless customization options in the WordPress customizer. It's the perfect fit for you or your agency. Go to WP dash page builder framework.com today and we thank David for his continued support of the WP Builds podcast. Okay. Last week we did episode number 140 which was all about feeling insecure about security.
Nathan Wrigley: 02:58 And this week we've got the follow up because the episode was simply too long. So we kind of chopped it in two and now we've got some different content following on from last week. So it might be a good idea to go back and listen to last week's if you didn't. This week we talk about the plugins and services, which we actually use. We discussed them in some detail where we're able to, we also talk about how we implement security in our own business and it's just a jolly nice discussion. I'm finishing off our WordPress a double weaker. So I hope you enjoy it and I hope you get something out of it. As always, leave some comments or head over to the WP Builds Facebook group to keep the conversation going.
David Waumsley: 03:37 So discussing, feeling insecure about security part two. Got it. It doesn't feel like a week has gone past, does it?
Nathan Wrigley: 03:44 No, it really, it feels like about six minutes maximum. But you know how strange.
David Waumsley: 03:51 Yeah. So shall we just recap on what we talked about? So we looked at the kind of areas of security. So we talked a little bit about the uh, non WordPress security things, you know, what kind of data that we keep and how we pass around passwords and that kind of stuff. Then we moved on to what we might set up or think about when we don't manage our client's sites. And then we moved on to a little bit about what we were doing with our care plans and what we were promising, but we still had lots to talk about, which is what we're going to do now, which is really what we were just talking about, changing the way that we kind of advertise our services and also, um, maybe some of our methodology, but there's more to talk about is that the, all the services we talk about,
Nathan Wrigley: 04:35 should we do that first as that seems like a nice place to jump, jump back into this, um, from last week. So yeah, kick us off.
David Waumsley: 04:43 Well, I just thought of you listing out some of the plugins because some of them I have a lot of experience with and some I don't know at all. See I'm with, I already mentioned last week that um, I'm a big fan of Wordfence but wanted to try and swap it out so I've ended up, um, shall I talk about why I quite like Wordfence
Nathan Wrigley: 05:02 yeah, that would be a nice place to begin because it's the first one on our list for no for no good reason. It's, it's made the um, made the number one spot on our list.
David Waumsley: 05:11 Yeah. Just because I use it. Um, but it's um, it's one that I'd been trying to get rid of because it's quite heavy. So the negatives first is quite confusing. They changed it actually quite recently, so you wouldn't really want to hand it over to a client I don't think to try and tick all the boxes cause there was an awful lot to work through and I don't think I know it all and it leaves a lot of stuff in the database, although you can have that removed. But it really does well. And why I think it's so essential to me is that it's got such a brilliant scanner and you could set it, if you think it's things had been hacked, it will literally go through just all of the files on all of the spaces and things, search out things that shouldn't be in your folders and tell you about it. It, it gives you a ton of false positives though when you put it in that mode. So yeah, so any spam comment has got a dodgy URL that's been saved. There will be flagged up as you know, suspicious. So you do need to have your wits about it, but for cleaning up is absolutely fabulous and for reporting
Nathan Wrigley: 06:12 quite easy to sort of get your eye in with all those um, false positives. You could kind of quickly go through the, the output and, okay. Ignore that, ignore that, ignore that.
David Waumsley: 06:24 Yeah. This is something you can open up the file and it puts in red what it thinks is suspicious in most cases. So you know, it's pretty easy to see what is and isn't. And then of course, you could just go back to say the original plugin if it's a plugin and check whether it matches up. But there isn't an easy way to do that. There isn't a simple compare like with like a system for that. Um, but I've only ever been a free user of it. So you know, for the work that I do and for what clients will pay, I could not afford that pro services, but you know, a big call out to them. Because even though it, I mean, it is the most popular, isn't it? It's one of the most popular WordPress plugins.
Nathan Wrigley: 07:03 I think they are probably one of the most ones, if not the most popular one. Yeah, certainly gets a lot of, um, it's a lot of attention largely because they, they have a sort of fabulous, um, fabulous range of ways of keeping in touch with you. You know, they've got a great, um, they've got a great video blog, um, and they produce, you know, lots of blog posts and also they, you know, they email you on a daily basis to let you know what's happened recently. And, um, whether or not that's a good thing. I don't know if you become a bit immune to what those emails tell you, but nevertheless they do that. Um, so there they're very good with their, with their PR I would say.
David Waumsley: 07:42 Yeah. You know, it's tricky when we get into plugins and that because you don't really want to promote one over the other because I'm sure they're all good for the right person. That's right. I can say I can't tell the conclusion that despite some of the negatives on Wordfence particularly how resource heavy is, um, I still, you know, use it because for free services it's fabulous for when I've had those issues and I certainly have had to clean up sites and it's been a really good tool compared to other plugins for cleaning. Yeah, quite a few
Nathan Wrigley: 08:12 sites on the, I can't remember whether it's called premium or pro or whatever, but the paid version. So we say I managed to secure a whole bunch of sites many years ago when it was considerably cheaper than it is now. And they honor that pricing going forward. And, um, and I use that because of the, the firewall. I think that's the primary reason to do it. The firewall is updated differently for the free one than it is for the paid one. And I believe that the firewall rules that go into free calm about 30 days after they go into the, the, the premium version. Um, and I think, I think there is some, some benefit in that without a, you know, that if the firewall rule is, is if there's a rule of some new vulnerability that's been discovered and that rule is added, um, immediately for pro and you get hacked and you're on the free version and you know, you know, that it could have been stopped. I think that's a difficult, difficult proposition for Wordfence. You know, it's a difficult stance to take, but obviously they need to provide something to justify that, um, that extra cost in order to, to make the plugin profitable. It's a difficult one to judge what should go in free and what shouldn't. And I know that a lot of people find that a difficult pill to swallow, but you know, business is business isn't it? You know?
David Waumsley: 09:35 Yeah, absolutely. Well, you know, I love to have the pro version of everything and it's kind of a bitten infamy on terms of costs. But if it, if it wasn't and I had the right client, I'd be buying it. You know, it's as simple as that because the free version has proved itself to me over so many years. But yeah, so anyway, that's a big plug for them. But another, another really popular one is obviously the iThemes security, which they bought and they used to be something else, better security or something before
Nathan Wrigley: 10:05 what it's called. But obviously now there's a few changes of hands here because it was bought by themes and then obviously fly know who liquid web is it that bought our, yes. So now they're the custodians and the, I don't know whether the developers are still the same guys, but nevertheless, it's gone through some change over the last year or so. Um, but it's, it has been very popular. They offered some very competitive pricing at various times. You know, themes is famous for having 40% off sales almost on a weekly basis. Um, and I've got it installed on plenty of sites. What I think it does really well is lots of, um, lots of ways of preventing things from happening. So like you said earlier, they have the capability of enforcing passwords. They have the capability, sorry, password length. They have the capability of putting capture forms on, they have the capability of blocking IP addresses. Um, and it doesn't feel to me like it slows things down all that much. I can't really speak, um, as to how heavy or light it is. But it, it certainly doesn't feel like this is slowing anything down.
David Waumsley: 11:13 Yeah. Well I changed, you know, I did a test on it recently and it's, you know, it's a lot less than Wordfence and interesting enough, as soon as you put the pro plugin on because they are separate, it's a little bit more weight, but it's still much less than say Wordfence. Well, I thought, I think, I mean I used to for a little while, I ran both Wordfence and I themes together and I'm on sites, which is really over the top because there was so much you really needed to go through all the different options and make sure you just wasn't, you know, WNL ponds. So many of them. Yes, you're right. But you're right. It's, it's preventative, but it's got one, one thing that's missing for me and I'm money reminded of it just recently and that it uses a securities, a malware scanner to check things. And on this last hack that I've had, it's been a clever hack that's hidden itself away from security, so it doesn't spot it. So I think in that case probably would have picked up on, on this recent hack.
Nathan Wrigley: 12:10 Okay. Um, yeah, I think it is very popular. I mean, both Wordfence and I themes have sort of customizable on awful components. You know, they've got their dashboard and you can go in and turn things on. So like you said, if, if, if for some reason you've decided to deploy all of these plugins that we're mentioning all at the same time, then certainly in the case of Wordfence and themes, you can, you can go in and make sure that you're not, uh, asking for two captures on the login form, you know, so you can switch things off so that there's no compatibility problems.
David Waumsley: 12:47 Yeah, I mean, what would it be an interesting to know if the hack that I've just been trying to clear recently would have actually happened if I themes would have been on in the first place in that you never know. Do you really know is because they're concentrating on different aspects and they're stronger on certain things. How you,
Nathan Wrigley: 13:04 sorry. How deep does the themes securing malware scan go? Does it, does it just taking the homepage or is it going a little bit deeper? What, what, what is it doing? Because obviously it's an external service. How, how far is it penetrating into WordPress itself? Do you know?
David Waumsley: 13:21 I have no idea at all. I just know that that, I don't think I covered this actually in the part one of our chat, but I've just been dealing with a hack which really seems quite sophisticated and no one knew it was there. It was re directing new visitors to a site to some gambling sites instead. Clearly they were making some money out of these redirections, but it was clever enough to be able to log the ip's of people who'd been to the site before so they wouldn't get served it again while they remained on the same IP. So it remained hidden from the owners of the site and and me, I just found it by accident because I move around and change IP a lot.
Nathan Wrigley: 14:01 How did that work then? Presumably there must've been a period of time where it was sitting benign Lee sucking up IP addresses because if it deployed that strategy, as soon as it infected the site, then every IP address would have been new when it, we would have redirected them to the, whatever it was, casino website or whatever. So presumably it sat there for a week or two and you know, started to log, okay, this person logs in. Okay. Let's uh, or was it people who were accessing a particular URL like WP Hyphen Admin or something? It was allowing those people in and logging their IP address.
David Waumsley: 14:41 I'm not sure. Actually. That's a very good point. Yes. Whether it's just got the people who's logged in, but I mean it was really hard too when you tested this one, didn't you discovered that last time we were chatting and it went to gambling for you but then wouldn't do it. It wouldn't do it the second time you tried it
Nathan Wrigley: 14:56 the second time it went to the correct site and then it kept going to the correct site. So bizarre. I mean, I've been down, if they were hoping that, I wonder if that, anyway, we're sort of losing track of it a little bit, but I wonder if they were just literally doing it once so that you assumed that you typed something in correctly into Google and then when you went back and tried for a second time, they were saying, okay, through your comm we've had, we've had our one shot at converting you to our casino and from now on we'll give you the sites back again.
David Waumsley: 15:25 Yeah, exactly. And I'm sure the people who put the hack in place or just getting paid for that referrals, so that's all they're worried about. But, uh, but interestingly, the Sucuri's manual scanner, which is pretty good, um, didn't pick up on that. So I'm assuming that they also know the range of IPs that they scans on. Yeah, I guess. Yeah. You know, uh, the site certainly didn't get blacklisted in, as best as we can tell him, probably has been like that for a year. Yeah. It's amazing. Absolutely amazing. Yeah. Yeah. So, yeah, it's interesting. So we've got All In One Security, which I, I don't, I haven't used myself. It was actually used on this particular site was talking about, it seems to set up things really easy. It's got all this sort of beginner, intermediate and pro levels where you can set things up.
Nathan Wrigley: 16:13 Yes. I confess, I've got no experience whatsoever with this plugin. So you're on your own here?
David Waumsley: 16:18 Uh, yeah. Well there's not much I can say apart from the fact it was used on this site and it didn't pick up on the issue, but of course, you know, it was installed and obviously everything was set for beginners. So, you know, it's not really necessarily a reflection on the plugin, um, that, but uh, yeah, it's very popular one though, isn't it?
Nathan Wrigley: 16:38 I think it has got a reputation because it's been around for ages and it's got, you know, lots and lots and lots of installs.
David Waumsley: 16:45 I'm probably no way of making any money from it, I think, if I remember correctly. Yeah. So we were going through a bit of a list now aren't we? Then another one I do use, which is MalCare. Okay. And that's, that's due to a, you know, um, our friends AppSumo and they did a great deal on that one, which I thought, uh, get a few of those. And it's, it's been an interesting one for me. I've used it.
Nathan Wrigley: 17:12 No, not really to be honest. I do know, actually we met him at WordCamp in Europe a few weeks ago, but I'm uh, popular it widely used. And um, and I know you've used it and, and have sort of favorable things to say about it.
David Waumsley: 17:28 Yeah, well initially when I used it, it did the, I got a hack and I thought, Ooh, I'm not so sure about this because I turned, I left it with just MalCare on. But the, to be fair, these were sites that I didn't have a tid who had had problems before. So I wonder if it was something leftover. But recently I've started using it also with Wordfence on sites where I want the, the scan to go more regularly because actually I don't think it's well advertised, but there is a free version of MalCare which will do a daily scan for you. And it's not using up any of your server resources to do that. Okay. So I mean, you know, that's a steal really just to have that. And if you combine that with say something like Wordfence where you just leave that to, to do it every three days or something, then you can save on somebody, your, uh, resources on your server by using MalCare. So
Nathan Wrigley: 18:20 what you said a moment ago brings up an interesting conundrum and that was, you know, you, you didn't know whether it was something that bypass MalCare or if it was something that was inheriting the site from the beginning. And I think with all of these solutions, no matter how good they are, it's very difficult to get a feeling of what, what they've succeeded in doing. You know, so we've got this nice list and these are the ones that we've heard of before, but we're probably a little bit in the dark as to, as to what it, what it is that they've succeeded in doing what they've prevented. And I think that's, that's one of the reasons why I think Wordfence's strategy of emailing you every day with a little roundup of how many blocks it's done. I think that keeps them front of mind and makes, makes you at least feel, oh, it's, it's doing something. It's justifying its existence.
David Waumsley: 19:04 Yeah. Well exactly. I mean, one other reason for Wordfence for me is that I can actually take the data and put it into my tool for managing the sites, which is MainWP. So I can actually produce some of their information and the client reports. So they get to feel that something has happened all the time. Yeah. Um, but now, I mean, MalCare's selling point, I guess is the fact that it tries to avoid those false positives. So it doesn't disturb you with stuff that isn't important and it just lets you know about what it is. I think the biggest selling point though, if you're on the pro version of why I think it's great, although I've not used this, is they promise a one click solution, which seems, you know, seems a bit incredible that you could clear things up in one click. And in fact it doesn't ness. I've tried it a few times and it has failed. But what comes up straight away is, um, that the invite to let them look at and sort it out manually. So you've got them on your side should you need it. And I think that's invaluable.
Nathan Wrigley: 20:03 So if, if, if you clicked that button in an attempt to fix things up and it doesn't, to your mind a succeed, you can then reach out to humans who will take over that responsibility. That is not right. Oh
David Waumsley: 20:17 yeah, exactly. All you need to do, I mean, to clear it up, you need to put in your FTP details anyway. So when it fails, it tells where it kind of fails some indication, but then instantly says, um, you know, put givers your FTP details and we'll go and do it. And I think that's the promise where their service, so yeah, and an interesting one. I've yet to use it in that way, but it's just, it's interesting to know that there's a free version which isn't talked about too much as well if you worried about resources. Um,
Nathan Wrigley: 20:48 but similar to this is, um, is WebARX as well, the who you've also had on the show. Yeah, WebARX, we had Oliver Sild on and um, met him again at WordCamp in, um, in Europe and uh, very, you know, very active, very, very young guy and obviously very keen in this area. He organized like, uh, uh, off his own bat, he organized a security little security evening where the, the, the topics of the day were discovered. Me, went on stage and talked about Internet security. So, you know, serious individual, um, they, they gained popularity suddenly because of a, uh, a deal that they did on appsumo. Um, and it's, it's a firewall isn't it? It's not using up your server resources. You, you connect your website to it and it, it tries to prevent the bad guys getting access.
David Waumsley: 21:41 Yeah, exactly. I need this all to scan in as well, isn't it? So, um, so it's a very similar set up. I mean I don't know how good it is. I mean I do, I really regret not getting the appsumo deal for myself on this one because they definitely have attracted a ton of fans and, and completely can see that they take it seriously.
Nathan Wrigley: 22:01 Yeah. Yeah. Well, um, I can just speak for the, for the person, Oliver. Yeah, definitely very a very energizing and interested and you know, vibrant in this space. So I think this is one to want to look out for. It's a funny subject that we're discussing here, isn't it? Because you, I definitely don't want to promote one over the other, but equally, I don't want to give anybody the, the, the false thought that if you just install one of these things you're done, you can just sort of walk away and everything will be fine. Cause that's clearly not what's happening. We're just suppose we're just letting you know about the ones that we've heard about. Really. Yeah.
David Waumsley: 22:38 Yeah. The ones we use for our own experience. I mean, it's a journey, isn't it? So, yeah, I know exactly. I mean, now we're only coming to ones that are kind of heard of, but not used for me. BulletProof Security, again, very popular. It's, it's got a ton of options. It looks really complex to use, but if you need that kind of level of control, then it seems to have it and it has a good scanner by the sounds of it. And security press that's relatively new. That's from the same company or worth on the same company that created WP Rocket. So, yeah, I've, again,
Nathan Wrigley: 23:15 I have, is it secure, repress or Secupress? Uh, I think Secupress, yeah, they're not, they're not related to security, I don't think. Are they?
David Waumsley: 23:24 Oh, sorry. That's my bad. And I would say SecuPress. Yeah. So really, I mean, I just thought that, and I put it on a few of my test sites, but really, I, you know, I didn't come to any conclusion. I think it's, you know, the one thing about it is that it's, it's really pretty, uh, if you don't mind the fact that it changes the look of WordPress. So it's a bit like WP Rocket, you know, he puts his own style in that and it's made for humans. You know, it's, yeah, it's made to be friendly and likes like a BulletProof Security or Wordfence. They're not that kind of user friendly. But yeah. So I don't know. And No, I've no experience with them whatsoever. Sucuri, they've got their own plugin for them for their same scanner. I'm, I'm assuming it works in the same way. It still access their external scanner.
Nathan Wrigley: 24:12 Yeah. I'm not really sure, but I do know that they, um, one of their biggest things is, is like the human interaction should things go wrong. You know, they'll actually get their hands dirty and go and fix things for you.
David Waumsley: 24:24 Yeah. That's the thing, isn't it? They re, I mean that, I guess that plugin is a lead in to their service, isn't it? And that's really what they're selling. They go and fix stuff for you. I know. No.
Nathan Wrigley: 24:33 Well who have divested the responsibility for hack sites to them. And um, you know, uh, I've heard no bad stories. They've come back, everything has been fixed. They've paid the bill, uh, to Sucuri and moved on and everything was fine. Henceforth, you know, I, my assumption is that they really, really, really know how to look at this stuff and, and have a deep understanding of what needs fixing up and have all the tools and support staff to do it.
David Waumsley: 24:59 Yeah, exactly. They've been around as long as I can remember. Not the same. I've never heard anybody say anything bad about the services. Yeah. And um, yeah. Finally, did you use use to use defender? Didn't you
Nathan Wrigley: 25:13 defender on a couple of sites? Just, I'm just always intrigued by what these guys are doing. WPMU Dev cause I think they're kind of turning a corner and becoming, becoming a company that people can trust again and their security solution. One of the eight or nine ones that they're there you that still developing going forward is defender and it's just about hardening. And I think it really does a very similar job to, to I themes, you know, you can change the, the, the capability for people to have certain passwords. You can block certain IP addresses, it'll give you a, an email reports but not a very detailed email report on the lines of Wordfence and um, and it, you know, I think it's pretty good. The, the, the, the notion of these things is to make it as as painless as possible, but there's no, there's no hint of, um, of them cleaning up as far as I know. Although if you have a subscription, I don't know if your wpm you subscription runs as far as that then fixing us. I know that they fix, um, they fix problems with your site, but I don't know if it, if it extends to fixing hacks and so on and cleaning your files up. I'm just not sure.
David Waumsley: 26:24 Yeah, no, I really don't know about those who were just showing our rig demons here. I've gone though. But I think, I think
Nathan Wrigley: 26:29 the important thing here is that we're just mentioning ones that we've heard of and you know, if you've never heard of some of these it might be a good idea to go and explore them. We'll, we'll certainly link to them all. Um, in the notes below the podcast episode, there's a couple more that I
David Waumsley: 26:44 actually put a note down book. They're not under this section, which is, I've got a, uh, not really to Paul Lacey on this because he reminded me of them. There were a couple of Jeff Starr lightweight plugins, one called Blackhole for Bad Bots and the other one is BBQ Pro, which is blocks a block, bad queries. And these are really kind of, I love these kinds of plugins where people find that I'm a really simple lightweight script that will just stop the majority of problems. It's a, there was one talked about recently with comment spam. There's a script that someone David Walsh created, which just, we talked about this I think before did. Um, yeah. Where essentially it just kind of blocks a certain type of JavaScript from happening. So it sort of kicks people out in the most lightweight way. And I think this is the same with Jeff Starr's plugins and I've been putting them on all of my sites because they, they literally take up no resources at all, but it, it's going to going to prevent somebody kind of putting on something with or queries where it's, you know, it's kind of jam packed with just bad stuff, you know, in a sort of simple way or lightweight way.
David Waumsley: 27:56 So,
Nathan Wrigley: 27:56 okay. So let me just scan this for kind of gibberish or you know, non-English does it, is that what's going on? And then just stick some to /dev/null or something.
David Waumsley: 28:08 Yes, it stops those kind of queries being activated. And I think it does that, although having said that, you probably would again need to check these against some of the solutions mentioned because I have noticed, I think in some of these security plugins there's an overlap. So they may have their own version of, I think what Jeff came up with in the first place.
Nathan Wrigley: 28:26 Interesting. I've, I've not played with either of those so that, that's good. Nice recommendations. I will make sure to link to those in the show notes and people can go in and find that.
David Waumsley: 28:37 Yeah. Blackhole for Bad Bots. I mean it's more about protecting, um, your server from crashing because if somebody's sending a load of traffic, ignoring, uh, the, the kind of rules on those, it blocks them off. And yet there's a, there's a little bit more complex with this one because you do need to add something to your .htaccess file. But okay. I'd been watching it and you know, certainly get plenty of bad bots on my site. So it's certainly saving some of my resources for that. Again, working, but maybe it's not as much security. Okay. Hmm.
Nathan Wrigley: 29:12 Hmm. All right. Well let's talk about, um, let's go back to the top of this section, how we, how we have rationalized for our business. Um, you know, what is it that we're doing? We talked a little bit last time about some of the, the things that I do backing up and so on. But should we, should we dig into this and talk about what is, what, what is, what have you included as part of your business?
David Waumsley: 29:34 Yeah. So I'm, yeah, I've had to review this over the time. So no, pretty much everyone's going to come in on my care. So that solves things. I think just this discussion for me, assault the fact that I'm going to kick off, we've given everybody I, I'm an editor role and that's going to cut out whole bunch of issues. Yep. And so I prioritized it too. I think probably I said that already before was the fact that I've, I've put a priority on good scanning on a regular basis. So, so that I know I th well I hope I'm gonna know as soon as there is an issue, meaning that my backups will be able to come into play without that being any changes. That's, that's basically how I'm gonna deal with it.
Nathan Wrigley: 30:21 What, when you say a regular scan, how often do you, do you do that? Are you doing like a daily thing or a twice weekly?
David Waumsley: 30:28 Yeah. So I'm, I'm netting on that. Well, it's, I think it defaults naturally with Wordfence to every three days. I think you can change this, but I haven't and I've stuck in where I think it might be more urgent, um, Malcare to cover dailies. Oh, I see. So
Nathan Wrigley: 30:47 yeah, you were talking about that. So the Malcare goes in on the days where Wordfence doesn't. Interesting.
David Waumsley: 30:52 Yeah. So you've got two scans going on on one day, right? It's May, maybe a little bit over the top, you see, but I certainly think I'm going to have to, in terms of rationalize, they, I, I'm gonna have to start thinking a little bit more about individual sites rather than this is my stack for all sites. Yeah. Yeah. Well, my
Nathan Wrigley: 31:11 protocol is very similar to yours. I do, I do daily backups of absolutely everything. I don't do database backup side. I figure if I'm going to do a backup, let's just do the whole thing. I then store that offsite and I keep those basically forever. I don't delete them. They just grow and grow and grow and scanning on a daily basis. I have put these hardening plugins in, whether it's iThemes or um, Wordfence or WPMU DEV, whatever it might be, put some sort of hardening into to soften the ability for people to, um, to use poor passwords and to keep trying logging in without getting, uh, their IP blocked. Generally kind of block it for the default amount of time. So if somebody tries to log in unsuccessfully or I think it's like three minutes or something and if somebody keeps accessing 404 pages or resources, um, then the default time I use again, it's, you know, three minutes or four minutes or whatever it might be. Sometimes I ramped that up just because I figured out actually, you know what, it's pretty clear after 10 attempts that you're up to no good. Why don't just block you for like a week. But generally I leave the defaults. So yeah, backups, scanning and um, that's kind of it really. That's mostly what I do.
David Waumsley: 32:26 Yeah. It's interesting because you don't see the point in any of the sort of just backing up of the database and I do that. So I've got daily database and then I've got weekly, well that's not entirely true. If I think a site is going to get updated more, I will do a full of backups and make an exception to them. But that's been my routine. And I don't know if there's anything in this because I haven't checked this out, but that again, I did it on the basis of my fear of resources and also a little bit of costs.
Nathan Wrigley: 32:54 Yeah, don't get me wrong. The, the recent, you know, the time it takes to produce that backup is you're adding minutes to it and you're adding CPU. But I, I, I always put it at stupid o'clock when the site is probably not doing anything anyway. So, you know, like two 30 in the morning or something. Um, just to ensure that that's not really a problem. But, um, yeah, you're right. And then of course, the offsite storage of that, that, you know, it's not, it's not inconsequential. It adds up over time. I've got terabytes of these backups, but the way that my system is set up, I'm okay with that. I've got enough storage and I've got enough cloud storage to, to support all that. So I just, I just manage it that way.
David Waumsley: 33:35 Yeah. It's interesting. I mean I, partly that was costume my minds as well, the growing costs. I mean, I'm keeping now, I think it's four months, I've set it for Amazon to save. So obviously I'm paying for that storage then it's still hardly anything. It's very cheap. Yeah. Yeah. But they're all told clears away. I'm unarmed, I'm assuming here that I will need never need to go back more than four months to, you know, I'm hoping with, to found a hack before then, but of course this recent hack that I had, but I wasn't on a, yeah, yeah, yeah. We think so. Well, I think so. Only because of the fact that I just by accident went to their site to check it and the, I went to this site and never thought anything coffee, you know, so it's only coming back to it so, so much later.
Nathan Wrigley: 34:23 It would not surprise me if a, you know, if a hacker was to write a script, which would just sit there for a year doing nothing and then start to perpetrate it. It's misery just because of that, of, of what you've just said that in that most people don't keep backups for more than a handful of months. So you know, it's just going to sit there waiting, waiting, waiting, wait for six months, wait for a year, then begin, start doing your mischief because in that way there'll be more effective. I don't know if that's true or not, but it strikes me that if I was a hacker, I'd certainly be thinking about doing that.
David Waumsley: 34:58 I think that's a really good point actually. Oh my go. It
Nathan Wrigley: 35:03 wouldn't take long to, to write the code to say don't do anything for 365 days, would it? Let's be honest. It would, but I don't know if that's a, if that's typical or not. What do you do about, um, sort of keeping things up to date? Do you, I know that we're both MainWP users. I, I go in every single day, whether that's the week and the week, whether I'm on holiday. Even if I'm on holiday, I still do this task. This is the only task related to work that I will do. I'll go in and just do the updates to make sure that that part of puzzle is at least being done proactively by me. Yeah, same here. It's, it's a
David Waumsley: 35:43 daily routine and sometimes twice a day actually. Okay. Yeah. It's, but it's not done by me. It's done by my wife who's, you know, vague, capable. Now she knows. We were talking a little bit about this before. It wasn't, we, we, we approach it differently. So I go in and I'm, well my wife goes in and checks what plugins are due to be updated and it all looks fine cause we trust pretty much everything we use that she just goes and clicks the okay to all and the updates. But you do it site by site?
Nathan Wrigley: 36:14 Well I didn't realize that there was an option to do it in a different way. But yeah, basically I do it sort of site by site or just go through, have a quick visual glance and it, what I tend to do is I'll, I'll start on one site. I'll just quickly click the button which shows me what is about to be updated. I'll just make sure that all of those numbers seem okay, you know, and that the plugin itself, I trust our then click the update button, which you know for for a typical site might take 30 seconds to a minute. And I'm doing this at the beginning of the day when I'm actually sifting through my email. So what I do is I have it on one screen, click update, then go back to my emails, then go back, click scan the next one, go back and, and the whole process takes about 10 minutes and I'm doing other things at the same time. And in that way I manage it really easily. The only, I'm the only drawback is trying to do anything like that on a mobile device. It can be quite tricky. So I limit it to two desktop mostly, except as I said, when I'm, when I'm on holiday and I don't, don't really like to, uh, to get the laptop out. So I just try to try to do it on the mobile instead.
David Waumsley: 37:26 Yeah. This is exactly what we do. Yeah. It's, it's there on the mobile. Yeah. And we go away. So I'll have to, just
Nathan Wrigley: 37:32 on a sort of daily basis, I get all of these, um, iThemes and Wordfence emails and I have become basically immune to them in the same way that I can ignore ads in the Google search results. I now, I now suffer from a complete disinterest in the emails that come through from the security plugins that I've installed. So I'm not sure if that's something I need to revisit, maybe stop getting them sent on a daily basis and start to start to receive them on a need to know basis, which I'm sure they do. Um, I'm not entirely sure if that's true, but you know, in other words, we'll email you when something important happens. Not, we'll email you a summation of the stuff that's happened, uh, during the last 24 hours, which on the whole I don't need to know about.
David Waumsley: 38:18 Yeah. Well I think these weekly, the, I have my um, Wordfence emails come that just give me some kind of report and I delete them on bulk now. So I'm going to need to turn that off. But there is one that I do absolutely like come into and that's the one that me who's logged in and where from.
Nathan Wrigley: 38:38 Interesting. Yeah. The Wordfence one tells you if an admin or whatever role has been logged in. That's it. Yeah, that is quite good. I quite, I found that quite reassuring when I log in and then I receive an email to say that an, you know, somebody, an Admin user is logged in. That is quite nice just because it makes me, uh, gain confidence. Okay. That's working good. Um, and it's, you know, I'm, I'm, I'm happy with that cause obviously, I want a non admin user to be logging in as an admin that I've never heard of.
David Waumsley: 39:07 Yeah, exactly. And it gives me the fun of freaking out clients once in a while because it does, one of them logged in, it was then a few weeks ago and I just sent them an email and just saying, are you in Canada by any chance? Because yeah, yeah. Because it was them logging in who I recognized but it wasn't from a place I expected them to be logging in.
Nathan Wrigley: 39:32 Oh my can't, you can limit the geographical location or the IP address from which logins can be accepted. Again, all this magical stuff that we never got a chance to talk about but definitely is possible with those solutions.
David Waumsley: 39:44 Yeah. But it was just nice to be able to sort of let them, well, they may have freaked them out a little bit. The fact that I'm monitoring them logging in, but the fact that they're on holiday, but they know at least that, uh, you know, if it was suspicious, which it wasn't their case, you know, I'm, I'm onto it. So that's good.
Nathan Wrigley: 40:02 Actually. That's good. That's worked in your favor. They suddenly feel that you're taking great care of them. That's, yeah, that's, I really like that. Um, so, okay. Should we move on and talk about, um, what you've got this section called things still to solve and unknowns?
David Waumsley: 40:20 Oh, we maybe just solved some of them. Yeah. So, well, that was just some things that I left really for our conversation. Things that I hadn't decided on. So I talked about incremental backups. I still haven't thought about that. It's not been an issue yet. None of the sites I manage are that busy that a daily backup won't solve it. Yeah. Yeah.
Nathan Wrigley: 40:42 Even on an ecommerce potentially backing up every, every, I don't know, every half an hour or at the completion of a, of a cart process, you know, backing up that process at that moment. Yeah.
David Waumsley: 40:55 Yeah. And I was just questions really about whether I thought it was worth treating sites differently. And I think actually I've come to the conclusion talking to you. I probably will just having this conversation instead of just doing exactly the same every time I build a site, same plugins, same set up, I think I'm going to start to adjust according to, um, the client I've got. But another interesting thing which is security related, something I haven't solved, I know a lot of people are looking at is whether it's worth converting some of that WordPress sites into HTML. Yeah. That's that
Nathan Wrigley: 41:28 sort of sort of big move at the moment. You've got services like HardyPress and get, and then there's things like WP2Static, the number two, which are in a sense kind of obviating the security model entirely because they, they create a verb. You know, you've got a version of WordPress and then upon saving some new content, it then scans the whole site, um, archives the, you know, switches off the container where WordPress is and dumps the HTML with all the links, um, over on to a completely well for want of a better word. You know, there's no PHP going on. It's just a flat HTML file. And in that way you can't, there there is no particular threat model to that. I mean obviously on the server side there is, but not on the WordPress side. So that's fascinating.
David Waumsley: 42:23 Yeah. I haven't seen my solution to this yet. You mentioned one of the plugins, which was the one that converts
Nathan Wrigley: 42:29 WP2Static.
David Waumsley: 42:31 Yeah, that's the one I tried and I had a big failed on it and just left it there. But, but I think it's, yeah, a few thoughts about doing this. Yeah.
Nathan Wrigley: 42:40 Well to be honest with you, I haven't, because I d I just wonder if for a client, um, it's just another problem to, to overcome, you know, you log in, you wait for a little bit, you have to wait for the site to be cached upon, things saving and so on. And I just haven't, not because it's not a good idea, not because the services don't work simply because I'm just used to the way that WordPress works. Traditionally. I haven't, as we'll probably discover in a minute or two, I haven't really suffered too much from the problems that other people have had. And um, and so it's not something that I've explored, but you know, the speed benefits are unquestioned. The security benefits are unquestioned, um, you know, or unquestionable the, you know, that they are obvious, but I haven't, I haven't tried it.
David Waumsley: 43:29 Yeah. I'll just want to, the one thing that I used to do a couple of sites, but then I didn't do it consistently. And that was, um, the ability to be able to sort of redirect your WP login to another URL of your choosing, which I know it's certainly in iThemes where you can add that very easy. I'm sure it's in some of the other ones. It's not in Wordfence, but I've always wondered about this because I know for sure it does work in stopping those, um, attempts to try and log into your platform. So it solves that. Yeah,
Nathan Wrigley: 44:04 I don't think it's real security is it? They call it security through obscurity and it will without a doubt stop the automated bots that are searching for, you know, WP hyphen admin or login or whatever. Um, but there to say that those, those attempts are pretty unsophisticated, is kind of stating the obvious, I suppose. You know, they're just literally finding URLs appended with this thing and then trying a username and password attack. You know, I don't know what they're going to do once they get in, but if it works, okay. I don't do it because, you know, we've got the solution of too many login attempts in our other security plugins. So I just don't bother doing that.
David Waumsley: 44:51 Yeah. That's the conclusion I came to and I tripped up as well because I just couldn't remember how to get into one of the sites when I did this. I forgot what the, I forgot what we named it. So you know, so I stay clear of it because I thought, well, and you know, again, my policies generally to try and get people used to WordPress and their sites. I don't want to kind of keep things as they would be, but yeah. Interesting one. So I, I think I've decided I'm going not going to do that. No,
Nathan Wrigley: 45:18 I wouldn't bother. It's not something I can, I can say I value too highly anyway. Goodness me. I mean, at the end, getting towards the end of this second episode, it still feels like we know nothing. You know, the, uh, the experts in the field would probably, um, be, you know, chuckling away to themselves as we talk. There's so much that we don't know. This landscape is changing all the time. It feels to me sometimes like the hackers are winning. They're able to, you know, completely shred hours and hours of, of human endeavor in the, in the space of a few minutes. Often this stuff is done by robots that have got no interaction with human beings whatsoever. It's just bizarre, you know, in, in the same way that, you know, crime, horrible crime is bizarre. It's, it falls under the same category. I don't know why people choose to do this while I'm increasingly becoming aware of why there's money to be gained in it and presumably some sort of kudos.
Nathan Wrigley: 46:16 But the fact of the matter is it's here to stay. You know, it's a, it's an opportunity to talk to your clients and to get them to understand that there are benefits. It's an opportunity, dare I say it, for you to up sell various aspects so that when the site is handed over, you've got care plan capabilities and you've got options for ongoing work, even for cleaning things up should the worst happen. But I just think it's an ongoing battle. There's no right answer. None of those plugins will protect you from everything. All of them will protect you from something. You've just got to find what works for you, I guess.
David Waumsley: 46:51 Yeah, absolutely. Anyway, I would really, really love to hear what people do talk to their clients about because I think that's the, that's what we need to change a little bit. Don't where you, how we communicate.
Nathan Wrigley: 47:03 I think what we are finishing of this, that's what's become obvious to me as I haven't communicated. Times have moved on basically in my procedures and my spiel hasn't. And I need to think particularly as regarding backups in my case, I think I've learned from these conversations that that I need to be more explicit about what I'm covering with the backups and that I'm potentially not covering, uh, content that was created since the vulnerability happened. Um, and yeah, and
David Waumsley: 47:30 that potentially if they want things cleaning up, uh,
Nathan Wrigley: 47:33 I might in the future be thinking more about giving that to a paid service and letting them handle it and not me.
David Waumsley: 47:41 Yeah, absolutely. And it's also, I mean, it's just how to communicate. I'm fascinated by how other people do it and how they cover it, but also when they cover it, because you know, in the journey of a client wants in a website, there are certain places when they're going to be more open to listen into this kind of stuff. That's right. Yeah.
Nathan Wrigley: 47:58 Yeah. So please leave us some comments. Tell us what your thoughts are, what it is that you do. You know, where did we go wrong? What did we not mention? What did we simply state as truth, which was absolute nonsense. I'm sure there's plenty of that and I'm, yeah, yeah. Thanks for, thanks for staying with us for two whole episodes. There we go. We finally got to the end two weeks on security. Obviously we're not experts in this field, but I hope you can appreciate we're just taking it from our own standpoint. Perhaps you've got something that you disagree with. Perhaps you agree with some of what we said. Either way, join us in the comments or go to the WP Builds Facebook group and let us know what you thought about it. The WP Builds podcast was brought to you today by WP and UP. One in four of us will be directly affected by mental health related illness. WP and UP supports and promotes positive mental health within the WordPress community.
Nathan Wrigley: 48:52 This is achieved through mentorship, events, training and counseling. Please help enable WP and UP by visiting WP and UP.org forward slash give. Okay. As I always say at the end of these episodes, I hope you come back next week and listen to the podcast. They come out on a Thursday or join us on Monday. Very early in the morning, UK time. I put out the WordPress weekly news. It's about 20, 30 minutes or so of, of a summation of last week's WordPress news. And then at 2:00 PM UK time we do a Facebook live. Me and three other people from the WordPress community go into our Facebook group and various other places and uh, and we get a conversation going about the WordPress weekly news. It's been, it's growing and it's very interesting and I'd love it if you could comment. You can comment in real time and enjoy the experience. Okay. So hopefully you'll join us for one of those. I'm going to fade in some cheesy music and it really is pretty cheesy this week and say, bye bye for now.