The WP Builds podcast is brought to you this week by…
The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.
It’s like Black Friday, but every day of the year! Searchable, filterable list of WordPress products, with exclusive pricing for WP Builds listeners!
Check out the deals now…
We thanks them for their support of WP Builds.
Transcript (if available)
These transcripts are created using software, so apologies if there are errors in them.
Nathan Wrigley: [00:00:00] Welcome to the WP Builds podcast,
bringing you the latest news from the WordPress community.
Welcome your host, David Walmsley, Nathan Wrigley.
Hello there and welcome to the WP Builds podcast. Once again, you've reached episode number 239 entitled use patch stack to keep your WordPress website safe. It was published on Thursday, the 22nd of July, 2020. My name's Nathan Ridley. And as always a little bit of housekeeping just before we begin, we would love it.
If you like consuming our content, that you head over to our website and share all over the place, all about it. Probably the easiest way to keep in touch with everything that we do is go to WP Builds.com forward slash subscribe. You'll be able to find that link in the main menu and over there, you'll be able to join our mailing list.
Find our Twitter feed find our YouTube channel and so on and so forth. So that's WP Builds.com forward slash subscribe. If you enjoy listening to the podcast, please give us a five star rating on whatever platform it is that you're listening to. That always really helps. And another strange thing is that we're trying out a new social channel.
It's a WP Builds dot. So that is a URL, WP Builds.social. It's a massive stood on install, which is a free piece of open source software, which you can get and download. And it behaves a little bit like Twitter, but I'm just trying it out to see if we can have a community that's not connected to some gigantic juggernaut of a social platform.
So WP Builds.social com and sign up and wait for your approval. We'd love to have you. Yeah. Another page dimension, worth looking at each and every week at wpbuilds.com forward slash deals. It's a bit like black Friday, but every day of the week, and over there, you're going to find coupon codes for lots and lots of WordPress, plugins, themes hosting.
And so on. Honestly, if there's something that you need this week, it's worth checking it out, you can search, click the big yellow button and you can filter down and decide if anything is for you. So that's WP Builds.com forward slash D. Another one to mention would be WP Builds.com forward slash advertise.
You can use that if you're a WordPress product owner and you would like to get your message out in front of a WordPress specific audience, cut through all the noise, save money on Facebook ads and so on. Get right to an audience who just listened to WordPress content. You can do that by going to WP Builds.com forward slash advertise, filling in the form there.
And we'll be back in touch with you right away. One company that's done that AB split. Do you want to set up your AB split test in record time? The new AB split test plugin for WordPress. We'll have you up and running in a couple of minutes. Use your existing pages and test anything against anything else.
Buttons, images, headers, rows, anything. And the best part is it works with BeaverBuilder elements or, and the WordPress block editor. So you can check it out. Get a free demo at AUB split. test.com. Okie dokie episode number 239 this week. If you're trying to find that on your podcast player or in some way, searching for it.
It's 2, 3 9 that you're looking for. I'm talking today with Oliver selled from the company patch stack. It occurs to me that you may not have heard of patch stack, but I'm sure you've heard of web box and that's because web box used to be the name of the country. And they've now rebranded to patch stack.
And that's what this podcast is about. To some extent. And we talk about why they decided to rebrand what the reasons were for doing that. How successful is it? Did they alienate their existing customers? Did they bring onboard a load of new customers? Yeah. So from that angle, it's a very interesting podcast.
If you've ever rebranded before, there might be some lessons to learn in here, but we also talk about some of the new features that they've added. For example, Red team and the new plugin database where you can assist, helping people find and locate and take action against WordPress plugin vulnerabilities.
So episode 2, 3, 9, all of a selled. I hope you enjoy the podcast. Hello there. Welcome. Once again to the WP Builds podcast, you've reached an interview episode and today I am joined all the way from Astonia by Oliver silt. Hello. Hello, Nathan. Very nice to have you on the show today now, Oliver, you're probably familiar with a company that Oliver has been leading for many years now.
I would like to say, but more recently it's gone through a bit of a rebrand, a bit of a change, but let's go back. Let's wind the clock back. Tell us the original name of your company. And then we'll get into a conversation as to why you decided you wanted to move away from that to something.
Oliver Sild: [00:04:55] Uh, you probably have heard about web works. Uh, now since March, we are actually called patch tech. It's quite
Nathan Wrigley: [00:05:06] a curious thing because I follow the WordPress news fairly closely. I, I read most of the emails that come through into my inbox and scour the headlines and what have you. But this one took me quite by surprise.
Was this intentionally stealthy? Was this something that you were only letting know. After the fact, or did I just miss something?
Oliver Sild: [00:05:29] Yeah. It actually came to our radar to do that, I think in the end of the last summer. So we were planning it on the background for quite some time, but we didn't really talk about that much, beforehand.
Uh, yeah, we kind of came out with the rebrand together with, some additional kind of. Some additions to our product base and so forth. So it could have been a big update. If you would look at that from the side especially because of the database and the right team which we can force talk about as well.
But it definitely was a big update for us internally and we. Prepared for it. I think more than six months in, in full stealth mode.
Nathan Wrigley: [00:06:21] Yeah. Yeah. Okay. That's good to know because it means that I didn't miss too much. It wasn't me not paying attention. It was just you being secretive about it, which I guess in a certain sense fits very well with the nature of what you're doing.
There's a lot of clandestine stuff happening. So let's talk about the reasons why you've decided to go from web because. WebEx has been building up its reputation for many years now. We rewind the clock a number of years, and it was a new product. You were having to convince people that you had all authority and you had the credentials to do what it was that you were doing.
And reputations like that are hard, won, and easily lost. So why go through all of this? What were the reasons that web was no longer the name and the brand that you wanted to work?
Oliver Sild: [00:07:09] Yeah, actually going back in time. When we started with web barks, we um, um, maybe had a little bit of, for different product vision.
I think what we were trying to build was something that many actually in the word per cycle system, often want to do is to go or call like all in and try to build a platform that covers it. All right. You know, it should be like all in one and, The problems from all possible angles.
But over the time when we were building the company and the product and Over and over again, we're stumbling into one big issue that like eventually we realized we are the best at solving it. And which was the issue when it comes to a plugin vulnerabilities, the security issues within the plugins and themes.
And third-party code in general on your website, which, you didn't code, but you use that someone else made. And, and this really, got us into a point where we started to focus on that more and more. We, uh, happened to be in news quite a lot about our own internal findings when you know, we are monitoring, which kind of.
Plugins our customers are, let's say, using on their websites to let them know if there's any, security vulnerabilities in there. But at the same time, we have an overview of which are the ones that are getting more popular over time. And then we are, analyzing them in-house as well.
And then when we find something in those, we help that the developers of those plugins to fix them. And in some cases, These vulnerabilities ended up being covered in by news. And what happened was we cut into news quite a lot for our research as you know, we usually were the one who were finding the kind of tricky vulnerabilities or more um, more difficult ones. And then, a lot of companies actually started to reach out to us who are, building plugins in the WordPress ecosystem to help, them to find the vulnerabilities within their plugins before, even if it, even before it Reaches the customer's websites.
Uh, the developers would reach out to us to ask us to do the code review. Let's say before they, kind of released the latest version to the WordPress plugins re repo. Um, and so what happened was that we ended up actually doing a lot of those code audits and uh, most of the.
Day-to-day work was about analyzing plugins, analyzing where the vulnerabilities are within plugins, creating virtual patches for the plugins to keep our customers safe and so forth. And and slowly we started to focus, you put our focus so deeply into this one single issue that we discovered that, Hey, this is actually a problem that on the WordPress ecosystem, it's the biggest thing.
You could have. Tens, or I don't know, 20 hardening settings on your WordPress site, you could have, really good malware cleanup product as well. But if you end up having a plugin installed on your WordPress site, which allows an attacker to just, bypass anything, login as administrator and do whatever he wants with the website you know, it's not.
Much of a use of a lot of those hardening things. And when we look at statistics we are actually about to release a white paper about this hopefully within the next couple of weeks in 2020, for example, if we analyze all the security vulnerabilities in WordPress ecosystem, 95% are all from plugins and teams.
It was obvious that we need to turn to this issue and actually, focus on solving that. And, and because of that, we also were, running another. Project on the sidelines, which was called pluck bounty. And this was basically a bug bounty platform, which essentially is like a platform where, security experts come together.
They find vulnerabilities within, um, bunch of software. They report it. And then if they find something, they get paid for it. So we actually created the very first platform like this for WordPress plugins. So right now it's called the patch stack red team where basically. The, uh, researchers find issues.
We help developers to fix those issues then, and we then, reward the researchers for finding those things. So this was also something, we already ran on the background and then, yeah, then there's this third thing that we actually acquired another security company in the word Prosecco system called threat press.
So, uh, they were running. A WordPress vulnerability database since 2014 or 2015. And we connected that with our platform. And then, we had basically, three different names where barks, pluck bounty and thread press. And we decided that, okay, we need to just make it more easy.
And since they all focused on solving the same problem, which was plugging vulnerabilities We decided to go with the pitch deck.
Nathan Wrigley: [00:12:58] Yeah. It nicely sums up what you're doing. You're hopefully patching the stack that people have got with their WordPress website. Yeah. Was there anything around the sort of, I don't know the, the way that perhaps WebEx itself, just taking that singular word web, which was w E B a R X, it's a, it's kind a quirky spelling.
I just wonder if you. Potentially lost some traffic because people typed in I don't know, perhaps a more traditional spelling of arcs or something like that, was, was there problems around confusion, people not being able to find you on Google or finding the wrong thing? Yeah,
definitely. There was Oliver Sild: [00:13:39] a lot of issues like that because people ended up saying where BRX where bark, where barks there was like a lot of different combinations of how you can spell it.
Yeah. There was also even more combinations on how you can write it. And even though this is like the. Most trivial of them all, but um, well I live in Estonia, and in Estonia, when my friends ask like where to work at or some, people ask me like what I'm working on and so forth.
If I say web works it actually in direct translation. Sound's a waterpark in Estonia. So it's sometimes it's ha I've had like funny situations where I'm saying like I'm, I'm working on security and so forth. And then she's oh, really cool. Like where do you work? And they say I work in waterpark.
Wait, what, you
Nathan Wrigley: [00:14:36] know, the guy at the door, not letting people in. That's absolutely hysterical. I have to say for my part, I think the first time I ever heard of web box was actually when you were in the room with me at WordCamp Europe. So I was. It was easy for me to get it right. But I confess that if I was coming to this and I saw your name, I would assume it was web ARX or something like that.
I definitely would never have got it as WebEx. And, in a world where these things matter in a world where typing things into incur incorrectly into Google can hit your bottom line. It really doesn't make sense to keep that going. That being said, it's quite a big deal. To throw all of that under the bus to consign it to the bin of history and decide to go and rebrand everything.
So you made the decision to six months ago that you were going to go for patch stack, which I think is a really great name by the way. I'm sure they'll go along. With you what did you have to actually do? In order to, to switch over from one brand to another, I'm sure there's all the usual stuff that we can talk about, which I'd like to talk about you know, hire a designer and get people's opinion on the name and all of that, but I'm also, I'm pretty sure there's things that were unexpected along the journey.
Oliver Sild: [00:15:52] Yeah. Once you do the rebrand, like one of the things is that what you prepare in terms of the kind of soft things is you know, the brand voice, like what is going to be division, division of the company comes from each and every employee in the company and so forth. We did a lot of these workshops, where we actually got the professional involved to help us, uh, kind of do the interviews with the customer, different customer profiles.
I mean, it was a lot of work in terms of of the soft failures and even to get to the point where we started to think about the name or to think about the, how the branding should look like or stuff like that it was way deeper actually to rethink about what the company actually is. Um, when we got to the point where we actually started to think about the name, I think we had I would say hundred plus names.
How can we need it too? We had a lot of names we needed to pick from, we had like different types of logo ideas. I mean, it was really difficult actually to come up with something that would work for all like that. There is the thing that if you already have, uh, people in the team as well, like they have some sort of understanding what the company is and the name has to fit that as well.
But, and also it has to fit something that also the customers would get, but it also needs to fit. As the future for the company. So it's like really fine tuning and balancing between, what, what would still preserve the good things and what would give you room for the, for what old name didn't have room for?
But yeah, the patch tech name, actually I came to that name by myself. I think randomly pretty much. And I was like, really? So just, putting things together and was like, okay, what is that? We, what, what are we actually doing? So while we, we are patching your stack, so eventually just came to, there was like a lot of different combinations of the word stack.
There was a combination of the word patch. There was a lot of you know, we also played with the word dependence. But this was also, about to go really difficult and so forth. So eventually we realized that there was like patch, stack.com was available as well, which was already like a big deal because, try to find any dot-com domains nowadays.
So yeah, eventually it just, all kinds of makes made sense. And like the beginning was really hard, but once we got the name in place, it started to roll in right in the right direction. Yeah.
Nathan Wrigley: [00:18:55] I don't know if you've got any trace of the old website around, but. Oh, okay. You can still go. I'm not, I'm actually looking at it at the moment.
I have very strong recollection of how it all looked and my I'm no graphic designer, I, I just, I like what I like, and I can't really explain why I like it. There's just something about a particular style that, that switches me to on mode and there's other things which. Just don't like that.
I really do what you've done. I think the all the, sort of the topography that you've got, the color palettes that you've used, it, it just seems well, you've gone for green as opposed to red, and I see, I see stop when I see red and I see go, when I see green it's much softer. It feels. It just feels a little bit more welcoming.
And I don't know if that was the intention, but you've definitely, I don't know. They old symbolism was all about the fortress and the logo looked almost like the barricades of a castle or something like that. Whereas now you've got this kind of little logo made up of rectangles green rectangles with bits missing and so on.
And it's yeah, it's a really nice job just from the outside. I'd say, well done. It looks better.
Oliver Sild: [00:20:07] Yeah, we're really happy about the rebrand, to be honest. It's, uh, not just because, you know, all the good feedback we are getting for the rebrand itself, but also how it's been working in terms of the company growth and about the new kind of opportunities we've gotten into just because just because of the rebrand, the rebrand didn't only come with the rebrand.
It actually came. Revealing a lot of the stuff that we've been working on the background you know, like the uh, like for example, the product completely looks different now. We, we did like complete overhaul for the for the product itself. We also made public the database that we were keeping you know, for.
Product itself to be able to notify our customers about the vulnerabilities, but we also connected it with the, with acquisition we did earlier in this year. And we actually made it free and public for everyone. So if you go to patch that.com/database, you actually see all the latest WordPress vulnerabilities and a lot of things.
A lot of them are actually reported to us as exclusively by direct, patch stack red team, which is their plug bounty program. I was, or the program. I was mentioning, which we also run as a site project for over a year, actually. And now it's all also it's called patch stack red team, and now it's also part of the same kind of ecosystem and it's all interlinked together.
Finally. And, sometimes you say one plus one plus one equals three. In our case, it definitely calls like five plus because the value that it actually generates that we put by putting together all these three pieces, it's insane. We are being right now. We are able to protect our customers first from any plugin vulnerabilities.
Like we put patch, tech.com live In the beginning of March. And if you Google work principle Notability database, for example, we are already ranking first, which is insane. Yeah.
Nathan Wrigley: [00:22:22] That's incredible. I'm really curious about something that you just said a moment ago. You mentioned that obviously the rebranding had happened and you've now had it out the, out in the wild for a number of weeks and yeah.
Begun to transition over and understand that they've got to type in patch, stack.com instead of web box and so on. But you just sort mentioned that the business had I can't remember the exact wording, but it felt like you were saying that the rebrand itself had gained you traction. In other words, just the process of rebranding had affected the bottom line perhaps you didn't say that it brought more customers your way, but just the rebranding itself.
That's absolutely facet.
Oliver Sild: [00:23:04] Yeah. Rebranding gave some sort of fresh feeling. If, if, if you're a startup, let's say, and if you start. I dunno, three of three or four years ago, you started with a prototype. Then you know, evolved the new major learnings, fixed stuff, deleted stuff, build stuff, it's all part of the startup journey, uh, but during this process some people get excited. Some people get turned off and if you do the rebrand, then basically you are not alone. You still keep all the people who are already turned on about your product. But for the people who might not liked what they saw before, it is actually a new chance for them to look into this.
Um, and it works really well in that terms. And this is also one of the reasons why a lot of companies do rebrand. And I think rebrands are very good way to. Over, like, I think from the product vision side of things. And in general, I think it's like how the rubber and worked for us.
It's not only about how our customers see us or it isn't also about just, you changing the facade of the company. It actually changed a lot of the mindset within our whole team. It also changed a lot like uh, the way how we approach our product to that the kind of values that we have as a company.
It, it allowed us to. Really grind down to the specifics of what we really want to do. And it allowed us to take the time. If you do the rebrand, you need to go over everything. You need to go over, your brand voice what, like all your mission missions, vision, all that kind of stuff.
Yeah. But if you're like really, focused on, working for you know, Past three years or something, you usually don't take the time to step back into these things anymore. So rebrand is actually a really good way to again, you kind of take, take a step back.
Think about what you really want to say. Be really honest about yourself. If you're really doing it in a way that you want to do, and if you're really moving in the direction that you want it to go. And that makes a really big difference. And I think, if, if I'm already talking about the way, how the product.
Changed, uh, from the inside, like how we are actually solving the problem, how we connected all the three parts we made acquisition, we released the the vulnerability database for free for the whole public. And we are now building this security community behind WordPress ecosystem.
And this is happening first time in the history. All these things just help us to. Be, you know, create the brand, what we also feel that we are inside. And I think we haven't been a, we couldn't have been able to do that with, or without all brands. And if, if, if like the people inside the company are really, very, uh, specifically um, how to say on the right wipes or like really vibrating.
Right thing and understanding what we are working what are the goals that we are working towards? It just happens that the companies outside will somehow feel it. I don't know how to explain that, but, in terms of partnerships, for example the way how, how our new brand actually communicates way better, like what problem we are solving.
And how we are doing it and how we are completely different from the rest of the companies in their core system, in how we are solving this problem. It has really, really benefited a lot for us. We have trumped at least like from 10,000 to 16,000 users in just, um, within like few months.
Nathan Wrigley: [00:27:18] That's a really telling statistic, because any growth you are putting it in jeopardy, you mentioned the fact. A new brand gives you the opportunity to attract new users who at some point thought actually that's not for me but okay. Okay. There, they've had a look at everything and I'm going to once again, go back and see what it's like this time, but also I'm curious to see how you.
How you protect the, the users who were already on board, how did, how did it go with the communication of of, of all of your current the existing users, the day you switched over, I'm just wondering how you went about that. Because one of the you're in a, you're in quite a an interesting industry.
In and of itself change is probably not welcomed. You're in an industry. You're in an industry where people want to know that the thing that they're getting from you is rock solid immutable. It's not going to kind of change. It's going to be steadfast and reliable. You one day, you turn and say, hang on a minute.
We're just, we're really changing the whole lot from top to bottom. How did you communicate that and how well did it go down? Did you reach out to your existing customers and slowly alert them or was it just, Nope. We're going to throw the switch and tell you about it after.
Oliver Sild: [00:28:37] Yeah, we're still in a transition period actually.
Like we haven't pulled down any of the you know, old website or anything like that. We just have like messages up there. People like, uh, if they're, if they're logging into the product, they are being redirected. And, and yeah, it's a, it's a lot of communication. For, for our marketing team, it was of course, like really scary process, especially.
The years of SEO that we have built. You know, now if you transitioned to another domain, it sounds you know, mission impossible, but at the same time Google is pretty smart in terms of understanding if actually companies are doing rebrands. So if you're using like 3 0 1, like redirects and stuff like that for and gradually.
Gotcha. Bringing over con content. For example, if like for example, we are bringing over a blog post from a web blog to a patch tech blog, and then we are just redirecting the old one to the new one. Google actually is replacing the domain eventually and it remains some of the ranking. So it's not that bad actually, in terms of that And I mean, yeah, it's, it is a communication thing and we have really, there's been a lot of emailing.
There's been a lot of, uh, community building previously, already before the rebrand, we like told our customers that, there's a big change coming up. We kind of try to. Prepare questions that we are going to get. And then basically have these questions answered beforehand, in our community and so far.
So to be honest, once we did the rebrand, we. Of course there's some people who say that. Yeah, I like the last, the previous name better and so forth. But, we got to understand that a lot of people just don't like changes by the fact that they are changes. But overall, what we see is that the the feedback is like way better than we expected.
We thought that some people are more against this kind of changes. Which kind of means, I think we did a good job, but at the same time, I think we did it on the right time. Yeah.
Nathan Wrigley: [00:30:57] In terms of the the tool itself you mentioned, obviously I w I want to come back to the red team and the database and all of that just before we close off.
But in terms of the tool itself, was there a significant. Change in the capabilities of what whereabouts could do that patch that could do. As an example, if I was a web barks user, am I logging into your SAS interface? And I was familiar with how it all worked. Have you fiddled with the UI considerably?
Have you moved things around? Do people have a bit of a learning curve? Indeed. Maybe there's some new features that we haven't talked about that were thrown in at the moment of patch stack going. Yeah.
Oliver Sild: [00:31:38] Yeah. So actually we reworked the UI completely. We did, uh, we did use her studies. We decided to go for something that is easier to use.
Uh, we changed the core color schemes completely. We are still on a dark theme at this point, but it is way better to kind of, you know, grasp all the details. We kind of went crazy at one point with all kinds of colors. So it was like really colorful on the dashboard. And it was a bit hard to understand what is the important things that they should put my attention to and what is not.
Uh, I think, yeah, the UI is completely changed. Easier to understand more attention goes to the vulnerabilities that are being found on the website. And more attention goes to the fact that we are beautiful, patching them automatically. There are of course additions for example, how the alerts can be set up.
So you can basically all the data that you see on. Everything can basically great or everything can be turned into alerts. So you basically can can choose, let's say firewall. Or like, like, vulnerability tellers, or let's say firewall or a firewall logs. Yeah. And you can create custom uh, triggers, based on what you want to be alerted on.
So for example, you want to be alerted on if from specific IP, someone is trying to do something against your website. You can also create uh, activity logs based uh, alerts based on activity. For example, you want to get the alerts on when someone is trying to log in, who does not have your specific IP or if someone is activating a plugin while he doesn't have your specific IP also there is a kind of module management system that we reworked in a way.
If you go to the firewall view where you can see the patches module, which is managed by us center gives you the protection against the plugin vulnerabilities automatically. There, there is additional OSTP module, for example, which you can just enable across all your websites. Uh, and, and we expect we are planning to add a lot of like different modules there, which you can just.
Kind of browse our library of security modules there, and then you can enable them on your websites. And yeah, uh, the, the, the way how we notify you about the vulnerabilities, you can now directly look into the data. Like the, the information about the vulnerabilities that are being detected on your website are way more kind of detailed.
You'll see exactly which versions are affected, which plugging, what is the vulnerability about and so forth. And it allows you to, uh, uh, actually get protected against these immediately. Yeah. Yeah, there's there's a lot of changes like
Nathan Wrigley: [00:34:47] that. I really liked the old UI, but I liked the new UI.
It looks, it looks really great. Really nice. Jackie you guys have nailed UIs. I would say you've got a great team working there behind you. Let's just talk about the, the red team and finally about the vulnerability database. If you go to Patrick. Dot com forward slash red dash team. Now at the moment, at the moment I'm looking at the screen, it's an invite only process, but it may be that in the future, that's going to change.
I didn't even know that red team was a thing. I just assumed that this was some kind of wording that you've made up, a nice, fancy, dark sound. Covert thing, but it's not the case. It turns out that in the security community, this is a thing I'm curious to know. What's its purpose. And are there any barriers to entry?
Do you have any sort of process by which you've got to? I don't know, prove yourself if you want to be part of the red team.
Oliver Sild: [00:35:50] Yeah. So the red team indeed actually comes it's a term that is being used actively in cybersecurity. So there is basically our red team and blue team. So the blue team usually is on the defense side.
You can take a blue team as patch stack and our, our team who is working on. Providing you your website, the protection against the vulnerabilities within the plugins and so forth. And then the red team is like the opposite side, the offensive side. They are the guys who are poking you know, trying to find new ways to get access which they shouldn't get you know, finding the vulnerabilities and so forth.
And these guys are actually working on finding the vulnerabilities within the plugins. So that's what the hackers. And, uh, th the whole idea of the red team actually came from the fact when we started to do the code reviews for a lot of the plugin, like we've been doing panic, like it's called in cybersecurity, it's called also called penetration testing.
So we basically. Audit the code off of the plugin that you are developing and finding if there is any, potential vulnerabilities in there. So you could fix them before you put the, put this live, um, and we've been doing this for quite some time for a lot of WordPress plugin developers.
Some of them have over a half a million installations. You, you actually. Names of plugins and you're probably using a lot of them, which, in the background we have actually helped to secure fun fact. Yeah. But at the same time this is something that can only be. Affordable for plugins that actually are money because this is, it's a, it's a service that, uh, requires a lot of time especially when when it's done very thoroughly.
But at the same time work per se ecosystem, as I mentioned before, 95% of the vulnerabilities from 2020 are coming from the plugins and teams and third-party code in WordPress. I believe that all the plugins into our Prosecco system need some sort of audit like that, even if they don't earn money.
And if there are completely open source they still need to have some sort of testing to be done because they all affect the security state of the whole kind of web now. And, uh, th the idea of the red team is really to. Build a community of security researchers who then find vulnerabilities within, the plugins and teams and WordPress in general.
And then if they report them to us, we basically have created like this gamified environment where if they find a vulnerability. And they report it to us and help us, the develop, help us to reach out to developers and help them fix it. And, ultimately also protect our customers from these vulnerabilities.
We basically give these researchers a score based on, how many installations there was for this specific plugging and how severe trouble, their abilities and so forth. And in the end of every month, we basically have a leader board, and, uh, Do like a real money payouts to these researchers.
So they actually earn money for, contributing into the WordPress security. And this is like an initiative, I think. And we actually invite a lot of WordPress kind of companies. Yeah. Basically companies who are working on the WordPress ecosystem, who are plugin developers hosting companies to join us and to actually, contributing to this community building as well.
And in return we provide an API access to this database. So if someone is actually finding vulnerability, if they support the red team initiative supportive and a little bit of money into this. Kind of pool of money or the reward pool that is being paid out to these researchers who are, spending their time to secure the work per se ecosystem.
Then in return, we give them access to the latest tumor abilities that are being found through an API access. And for plugin plugin developers, we actually. Give opportunity to you know, get in front of these researchers and get these you know, vulnerabilities being found by researchers instead of hackers who might, abuse the plugin in a bad
Nathan Wrigley: [00:40:17] way.
Yeah. Yeah. It's a really nice double fronted marketplace where you've got the plugin developers on the one side who were clearly in need of some reassurance that either their code is. As far as you're aware at this point, maybe it's it's okay. It's good to go. Or you find a bunch of problems. And then on the flip side, the other side of the marketplace, you've got people who are coming along and giving their time and an exchange for finding things, depending on how it fits on the leaderboard, they can they can make a bit of extra cash on the side.
What a great idea.
Oliver Sild: [00:40:51] Yeah. And we're, you're releasing, I think in blog posts very soon now, about the about, I think the Mar the March numbers just closed and yeah, we have a lot of people actually on the red team now, but we are still on kind of invite only way. Yeah. So, uh, there's we basically uh, the, the database that we have a patch deck database, so it holds all the information.
Information about the vulnerabilities found in the WordPress ecosystem. And we basically have just taken like the top reporters that have reported directly to us previously. And right now they are the ones who are in direct team. But anyone who is you know, reporting to our database directly.
They are getting a chance to get the invitation to the red team. And then over time we are planning to make this also in a way that the current team members can start inviting friends. And it's actually a working platform. It's not just something. You know, just something that someone is reporting vulnerabilities to us on an email or something like that, but it's actually a separate platform that is working where you can, where it's a catalog of all WordPress plugins.
It has automated reporting process for the researcher. Yeah. And it's actually a pretty pretty cool system. We are excited to kind of show for the public very soon. Yeah. Yeah. It's
Nathan Wrigley: [00:42:14] Really interesting. So that's patched.dot com forward slash red dash team. And then the final thing, which you've mentioned a couple of times, I think it'd be.
Talking a little bit more about it, especially if you're into submitting vulnerabilities, there's an option to do that on this page, go to patch, stack.com forward slash database. It describes itself as a hand, curated, verified and enriched WordPress vulnerability information. So essentially you are putting up.
In an easy to digest, accessible way information about any vulnerabilities which you've come across in the recent past. Is there any, are there any sort of hidden benefits from going to this page periodically? Is this the kind of thing that you're sending out as an email, a curated email, like once a month so that people could sign up and be notified as opposed to having to come and look at all of this?
Oliver Sild: [00:43:06] This is aimed for the general public, to be honest. Um, we, we have been keeping this database for some time already for just to be able to provide our services because we need to be aware of the, of all the plugin vulnerabilities. And, and over time we have, found a lot of plugin vulnerabilities ourself.
And now the red team is submitting to I don't know, 20 plugin vulnerabilities per week or something. The numbers are pretty crazy. Yeah. All this information is being report like published there for the whole public. And, uh, you there is no no fees or anything like that. If you want to know if there's like any new vulnerabilities in the WordPress ecosystem, and if you are affected by any of them, you can just call it there and you can just look up and you can also sign up to our newsletter, which I think every week we are sending out a newsletter about.
All the new vulnerabilities that are being discovered in the word Prosecco system.
Nathan Wrigley: [00:44:07] Yeah, it's a nice it's sorry to interrupt. I was just going to say it's really nicely laid out and you can see, you'll be able to go here and see for yourself. I'm looking and I'm on just last week. There were four things on one day, there were about 10 things on a different day.
Probably about eight or nine things on the day before that. So it really is, it's going up, there's lots and lots on there each and every day. And then if you click into, so for example, it lists the name of the plugin. So that's nice and easy for you to, you know, hopefully, the names of most of the plugins that you're utilizing.
So you can go and search for those. Then you can click in and you can have a look at the severity rating. Based upon the CVSs three score. Um, and then it tells you which version is problematic and then a little description about exactly what's gone wrong and what the solution is and whether it can be updated and so on.
This is such a nice initiative. Thank you.
Thanks. And the thingOliver Sild: [00:45:06] is that all the vulnerabilities on this database, Or patch that customers are already protected from them. So the moment when there is a new vulnerability added to the database at the same exact moment, a virtual patch is being sent to all our customers.
Nathan Wrigley: [00:45:23] Yeah. Yeah. So it's going up there because you've had a look and mitigated it. It's you're not putting stuff up there, which you haven't fixed already. That's nice to know.
Oliver Sild: [00:45:33] We are putting everything there. Yep. But at the same time, we are also providing protection
Nathan Wrigley: [00:45:37] from everything, okay. Yeah, that was good to clarify that the, if I was to come here and I'm a, I don't know, an agency owner and I've got 50 WordPress websites under my belt. Therefore as a result, there's probably a few, there might be lots and lots of plugins, some of which are on one website and I've forgotten the names of them.
Is there any way of interacting with this? Definitely. You saying API a little while ago, but I don't know if it was connected to this or something else. Is there any way that we can programmatically? I don't know if you're connected to any of the services, like managed WP or main WP, any of those kinds of things too.
Kind of alert us automatically to a list of plugins that we've already curated ourselves.
Oliver Sild: [00:46:22] Yeah. Uh, we actually, uh, we actually are having free. We have a free API, which can be used on commercially and that, I think, uh, we don't have the information yet about this because we are still, I think.
We're trying to put it live as soon as possible. But if you can if you don't find the information on the website, just reach out to me. And can I give you the information? We just haven't been able to put it up on the website just yet. But yeah, there, there is an API that you can use programmatically to basically get, all the latest vulnerabilities automatically and also all sorts of stuff like that.
Uh, so yeah, all that is available and also for the hosting companies, we, we are actually. Going to announce pretty big partnerships within the upcoming week semen. And, uh, yeah, they all uh, benefit from, uh, kind of getting API to alert their whole hosting kind of customers about these vulnerabilities and at the same time uh, data actually support direct team because, right.
We have w we don't have a commercial building. Just for the API. What we have is that if you support the record, You'll get access to the API. Got it. Yeah, I mean, it's a community, it's the database and the red team is more of a community project to kind of really solve the work purse kind of plugin teams, security problem that we've had for quite some time.
And I think we are on the brink of actually solving this problem for real
Nathan Wrigley: [00:48:02] nice, the the, the. The URL again, it's patched act.com forward slash database. And you can actually, if there's a button on there where you can submit a vulnerability, if you've discovered something, it takes you back to the red team page.
So there's a nice, complete circle here. Is there anything that I've missed? Is there a question you wish I had asked that I failed to do?
Oliver Sild: [00:48:25] It's a good question. I don't actually live to be the
Nathan Wrigley: [00:48:28] best question. Yeah, it's okay to say no. Yeah.
Oliver Sild: [00:48:33] I think we have covered. Pretty much everything. If someone has any questions to me, feel free to reach out to me on Twitter.
It's uh, Oliver, silt I don't know. You can maybe somewhere posted too.
Nathan Wrigley: [00:48:47] I, if I put it on
Oliver Sild: [00:48:49] the show notes happens that someone who has a hosting company or who has a, like a plugin who is developing plugins, let's say. There is a way how to support that red team initiative and the database and get this, get the value out of it for yourself as well.
Then reach out to me and I can actually let you give you some more information about this, because I think there is a way for everyone to contribute to this and get also value out of this for their own company. And for. Really contributing to the whole world per se ecosystem in a sense.
Nathan Wrigley: [00:49:26] thank you so much for coming on the WP builder podcast today. One final mention it's patch, stack.com. Go check it out and see if see if there's any value in that for you and your WordPress business. Oliver. Thanks a lot. Thank you. I hope that you enjoyed that. It was very nice chatting to all of a sealed all about the web barks, rebranding into patch stack.
Perhaps if you've used the product and seeing the updates that were created, you could leave some comments. You can do that by going to WP Builds.com and searching for this episode, which is 2, 3, 9, or you could go to our Facebook group. WP Builds.com forward slash Facebook and find the appropriate thread and leave a comment there.
We're always very happy to receive comments. Good. All bad. The WP Bill's podcast was brought to you today by AB split test. Do you want to set up your AB split test in record time, then you AB split test plugin for WordPress. We'll have you up and running in a couple of minutes. Use your existing pages and test anything against anything else.
Buttons, images, headers, rows, anything. And the best part is it works with element or beaver builder and the WordPress block editor. So check it out and get a free demo [email protected] Okie dokie. I will be back with you next week, but because this was an interview episode next week, I'll be chatting with David Waumsley about something to do with the a, to Z of WordPress.
Join us then or come and join us. Live 2:00 PM UK time, every Monday for our this week in WordPress show, Paul Lacey and some notable guests from the WordPress community will be joining us to chat about the WordPress. If you subscribe to our newsletter, you'll be updated about all of that automatically as in, when it gets published.
And in this case, the Monday show gets published on a Tuesday, but obviously we have a Thursday podcast to WP Builds.com forward slash subscribe. If you'd like to stay up to date. I hope that you enjoyed this week's show, stay safe, have a good week. I'm going to fade in some dreadful, cheesy music and say, bye bye for now.