[00:00:00] Nathan Wrigley: Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Welcome your hosts, David Waumsley and Nathan Wrigley.
Hello there, and welcome to the WP Builds podcast. Once again, you've reached episode number 251, entitled V is for vulnerabilities. It was published on Thursday, the 14th of October, 2021. My name's Nathan Wrigley, and in a few minutes I'll be joined by my good friend David Waumsley, so that we can chat through our A to Z of WordPress.
We're finally getting towards the end of the alphabet. In fact, we're very close: V for vulnerabilities. That's coming up next, but before then, just one real bit of housekeeping, and that is to say that the Page Builder Summit is going to be starting next week on Monday at around about midday UK time; we've got our kickoff call in the Facebook group.
We've got loads of events organized, loads of presenters, 40 plus presenters. We've got some sessions from the previous summits plus loads and loads of brand new content as well. You can find it all over at pagebuildersummit.com. It's free to attend. If you want to come and watch for the 24 hours after the presentation is put live, you can get it completely free.
There's an upgrade called the Power Pack, which entitles you to get absolutely everything in perpetuity, forever, including up to $2,000 of speaker bonuses. It really is, I hope, going to be a very nice event. It's running from Monday through to Friday. You can check out the schedule at pagebuildersummit.com/schedule, and then go back to the homepage and click the button to sign up: pagebuildersummit.com.
We hope to see you there. Okay. What have we got on the podcast today? Well, it's me and David talking V for vulnerabilities, really. This is all about security, all of the different types of things that we might need to be mindful of when we're thinking about WordPress and our website. So is WordPress insecure? Are there any security plugins which we commonly use?
Are they worth the money? Are they a bit of a con? What about hosting? And what about having a sensible perspective? Is there some kind of middle ground between paranoia and just being lackadaisical that we need to think about? So we talk about all of that today, and it's a really nice one. I hope that you enjoy it.
[00:02:37] David Waumsley: Hello. It's another A to Z of WordPress, the series where we attempt to cover all major aspects of building and maintaining sites with WordPress. Today is V for vulnerabilities. But I did say the last time we were talking to each other that it was going to be V for virus, but I just decided vulnerabilities was a nicer word.
[00:02:56] Nathan Wrigley: Are they basically the same thing?
[00:02:59] David Waumsley: I think so. I think probably it's better. It's more descriptive, isn't it, of what we're talking about here in WordPress, where virus has got all the connotations of that nasty sort of health stuff.
[00:03:10] Nathan Wrigley: I'm curious because in the talk that we had prior to recording this, it didn't really occur to me that there was any difference.
And suddenly I'm thinking, actually, virus is definitely software, whereas vulnerabilities could be anything. It could be that the data center burns to the ground, or, I know that's ridiculous, but that is a point of attack, isn't it? And if you're a WordPress person, like we are, we only have to worry about the code, but I'm guessing if you're, let's say, working, I dunno, for the FBI or something, you'd have to literally put a perimeter fence around your data center, because there's a vulnerability that's physical as well as software. I hadn't thought of that.
[00:03:52] David Waumsley: Nah, I like talking about vulnerabilities with you, because our roles get reversed. You're really the optimistic person, but when it comes to things on security, because you listen to podcasts and stuff, you always come up with all the worst things that can happen, whereas I'm clueless and just feel entirely invincible when it comes to this stuff.
[00:04:13] Nathan Wrigley: I do listen to a podcast each and every week. I confess that, for reasons that I can't quite explain, I've been dropping the occasional one here and there, but I highly recommend it. Naturally it's on the TWiT network. It's called Security Now.
And it's with Leo Laporte and Steve Gibson. And they produce this podcast. It's often a couple of hours every week now, right up into the 800 and somethings episodes. And it's really good. It's a really entertaining listen. The guy that introduces it is very engaging. It isn't, like you might imagine, really morose, but it doesn't cover WordPress specifically.
Although actually it's quite interesting. WordPress has crept in quite a lot lately. So obviously it's reached that maturity and saturation of the marketplace that they feel it's important enough, but usually it's things like Android, Windows, macOS and iOS, and then networking, cabling, infrastructure, all of that.
It's really fascinating, but it is definitely for the people who enjoy this kind of stuff. I wouldn't recommend it if you're not into it.
[00:05:21] David Waumsley: Does it have a kind of entertainment value, like murder mysteries, where you just like to look at that kind of nasty stuff?
[00:05:28] Nathan Wrigley: It's really interesting. The guy, Steve Gibson, I would say is very knowledgeable about all this kind of stuff.
And he goes really in depth, whereas we'll cover things from a very high up angle and with anecdotal stuff, and, you know, the amount that we know is very minimal. He really gets into the weeds and spends sometimes like an hour talking about an individual vulnerability. And yeah, but he does it in an entertaining way, and he's always shocked and he's really animated.
He's incredibly animated when he speaks. So essentially this podcast ought to be called an advert for the Security Now podcast, because that's all that we've managed to do in the first four minutes or so.
[00:06:13] David Waumsley: Exactly. So let's start with a basic sense. So WordPress is totally insecure, isn't it?
And that's what makes it the weakest platform out there.
[00:06:21] Nathan Wrigley: Yeah. This is what all the clients will be told by all of us lot, that it's not worth messing about with WordPress. It's a total liability. I wouldn't bother. Oh, I think it's really secure. I think the core of WordPress is updated all the time, and you get these little point releases, and often it's a security patch, and that goes with almost no fanfare.
It just happens. And usually it will update itself automatically. And you'll notice 2, 3, 4, 5, whatever the amount is, little modifications where people have phoned in something that they've discovered and they've updated WordPress core. And then occasionally you'll get the sort of out-of-band release where it's suddenly done very quickly, perhaps within a day or two of being announced, because something has really taken the eye of the core team.
And they think, actually, this needs to happen really quickly. My understanding, again, caveat emptor, neither David nor I are experts at this. My understanding is that WordPress core itself is pretty darn.
[00:07:25] David Waumsley: Yeah, I think because it's got so many eyeballs on it and I've never, ever heard of anybody who's been hacked because of WordPress core.
It's always been associated with a plugin and that's where our vulnerabilities come in. The more stuff we add from various different sources. That's what,
[00:07:43] Nathan Wrigley: So how does it have the reputation of being incredibly insecure? Is it just that it's the biggest attack surface? And you know, if you compare the amount of attacks against Drupal as opposed to WordPress, it may be that they receive the same amount per user, but WordPress's user base is so much.
[00:08:05] David Waumsley: Exactly. And there was an article which talked about some data that actually comes from Sucuri, who look after other open source software. And they put it, and this is going back to 2018, that 90% of the hacks were WordPress. That is pretty much going to be the market share amongst all of those open source communities like Magento, Joomla, Drupal, et cetera.
So we don't hear so much about the third party proprietary software, things like Wix and Squarespace and Shopify, in terms of vulnerabilities.
[00:08:45] Nathan Wrigley: I guess they can keep everything under their hats. I don't know what their posture is in terms of being open and honest if there is a vulnerability, whether they produce a blog post, or they have some sort of timeline of when things were updated. I honestly don't know that.
They have the capacity to keep it under their lid if they wish to. Whereas obviously in WordPress, especially the open source variant, you have to release that stuff into the world, make it publicly available, as a mechanism of advertising: it's time to update, ladies and gentlemen, this is important.
Go and do it now. Yeah.
[00:09:20] David Waumsley: I do remember one on Wix quite a few years back. And you know, that was expected to affect millions of people, but I really didn't remember that. And there was something I've just found more recently on Shopify where they were disclosing a security incident caused by two rogue employees.
And it was something that involved the FBI in there. You know, but yeah, I guess they can keep small things under wraps, whereas we are public and open and everyone can look at the code. And as you say, there are more people there. It's the same with the Windows and the Apple Mac argument, isn't it? Windows people like me always say it may be that it does have more security problems, but there are more of
[00:10:13] Nathan Wrigley: The other thing to say is that, let's say, for example, in the case of the Wix problem that you just highlighted, with one fix they'll fix everybody. Yeah. You know, let's say that they get their team up and running, and within half a day or a day they manage to deploy a fix. Presumably that fix is available to everybody, and everybody is, from that moment on, no longer vulnerable to that one thing. Whereas the WordPress model is so much more difficult. It's got to be trickled out to the media, maybe a plugin or the core has to be updated, people's websites need to be updated.
People need to be managing the updates successfully and so on. And I guess all of this is why non-point releases are usually happening automatically. You don't really get a choice in that. It just updates, and you'll probably get an email to say you've been updated, and there'll be some sort of information on the inside.
But yeah, much more difficult in our case. And so maybe the vulnerabilities get a few extra minutes, days, weeks, I don't know, of time to be exploited. Because if you manage to get a plugin hack on WordPress, or indeed you got a WordPress core hack, there's going to be a window of opportunity which is greater in time than the Wix one. I guess it's the whole open source versus SaaS model, isn't it? The arguments for and against?
[00:11:46] David Waumsley: Yeah. It's only, what, a year ago, maybe two years ago, that we could automatically update our plugins in WordPress. I wonder if that's going to have a knock-on effect. So this article I was looking at goes back to 2018. I wonder if that will change things, the fact that we can now set all our plugins to automatically update.
[00:12:06] Nathan Wrigley: That's interesting. Let's just go on that one for a minute. Do you use that feature, a core feature of WordPress, the automatic updates, where you go into the plugins and on the right you have the table of plugins listed as an option, and individually you can go and enable auto-update? Do you make use of it?
[00:12:27] David Waumsley: I do now, a bit, but mostly I don't need to, because of the fact that I'm using MainWP to update all the client sites. But on some of these test sites that I've got, where I didn't want to connect them up as well, because I don't know how long they're going to be around, I now go in there and do it. I tell you what I forget, though.
I forget to go in and do the themes, because they're in a separate place.
[00:12:46] Nathan Wrigley: That's right. You have to go, there's little tabs across the top, isn't there: themes, plugins, core; WordPress core comes first. And then also at the end, I think there's a list of out of date plugins or something like that, where it highlights once they haven't been updated for a while.
But yeah, you have to notice the themes. I always click on the updates in the left sidebar menu of MainWP, and that takes me directly to the plugins that need updating, because they are invariably the more frequent updates required. And yeah, you're right, you have to notice, but they do a pretty good job of surfacing it.
There's a great big red sort of icon. It's not flashing or anything, but it's fairly obvious. But yeah, you're right.
[00:13:28] David Waumsley: In WordPress core itself, you have to go to three different places to update everything. So you need to go into your themes to update the individual themes one by one, then
[00:13:37] Nathan Wrigley: Plugins. You could go to WordPress and hover over the site name and click updates over there, and you go on the one screen for them all, but they're all listed beneath each other.
Aren't they? You've got core, then plugins and then themes. But yeah, typically I would end up in the plugins area and then I would go through and update them more or less one at a time and do it that way. But yeah, there is a mechanism. It's not ideal, is it? I do feel, though, that on balance, if you're not logging into WordPress every day, or you haven't got a system
for updating every day. You know, let's say you've got your own website and you infrequently visit it. I think the benefit of clicking auto-update on all the things you've got installed outweighs the caution that you might have. In other words, I think get everything updated just in case something really nasty comes along.
There's a security vulnerability in a plugin, and you've had it sitting there for six weeks happily being abused, where you could have had it updated six weeks ago, and you did nothing to achieve that. Of course, I really think those days of the white screen of death and all of the fear of updating things, it feels, if you're using reputable plugins, a lot of that is in the past.
Clearly it's not over and it does happen, but I think it's worth the. I think it's worth the.
[00:15:10] David Waumsley: I agree. I've changed a lot on that, because mostly I've got trusted plugins anyway, and I just trust them to update. The exception used to be WooCommerce; I wasn't sure about their updates and, because of the nature of those sites, what damage that might do.
So I wanted to check them rather than have that automatically happen during the night or something. But, uh, yeah, otherwise I agree, because very rarely does anything break, and also, you get notified as well and get a safe way of being able to return back to WordPress. So I think,
[00:15:45] Nathan Wrigley: Yeah, when was the last time you had a plugin update, or theme, whichever you pick, where it caused you a real catastrophe, where you updated something and the site properly died and you had to go and restore from a backup?
I can't remember. There you go. That's all we needed to know, really, isn't it? It was a long time. I'm guessing it wasn't like a week ago or two weeks ago. I feel like at the beginning, if we'd have rewound 10 years or something, this would have been a cause for concern, and I think more things did break. But I'm just imagining that the people who write plugins and the people who write themes, there's just more information out there about how to do it correctly, such that things don't break, because they're following WordPress standards.
[00:16:34] David Waumsley: Yeah, I think it's more important now, as WordPress has grown and there are more people with their business sites on it, and I'd say the expectation is set by the likes of Wix, Squarespace and Shopify. And presumably this is what this whole Gutenberg project is about, bringing it in line with these new expectations that we have.
But I wonder, when it comes to security, how many people differentiate between self hosted WordPress and the responsibilities you have. And also we were talking about this: we didn't really know what happens with wordpress.com either, who's responsible there when you have a security issue.
[00:17:15] Nathan Wrigley: I really don't have a clue. Do you know whether the possible upgrades on wp.com, if you go to Jetpack, you can pay a small amount of dollars, I think it's four or five pounds per month, something like that, and you can pay to upgrade to have scans done? But that then made me think, who's fixing that?
Should the scan reveal a problem, I genuinely don't know.
[00:17:42] David Waumsley: No. I think the Jetpack thing has got this kind of one click fix thing with it. So it's like Sucuri, as I understand it, but I've not used it. But I think that's what you're paying for, so it takes care of it. But ultimately, if it can't one click fix it, I'm assuming it's the same deal.
They are, wordpress.com, just a hosting company for you then, and you will have to have responsibility for your own software that you've introduced, because they couldn't possibly take that responsibility for that.
[00:18:12] Nathan Wrigley: That's interesting. Maybe there's somebody out there who's a big wp.com user and they could let us know.
Yeah. It's curious, though, that you've got MainWP hitting that site on a more or less daily basis, if memory serves, and yet you've still decided to go in and enable the auto updates. Is that just so that you've got less to do? Or when you started to tick those boxes and enable auto updates, was the thinking that there might be a day where you miss updating on MainWP where something could go wrong? Or is it more just, well, it's there, it's in core, I might as well use it, as opposed to a third party connection coming in? No,
[00:18:54] David Waumsley: I just wasn't clear explaining myself what I've done is I've really only ticked the auto updates on the sites that I'm not putting into main WP.
So got it. The, I haven't done it on the client sites where I still want to do that because we're doing it daily. I might as well just carry on, but I am considering now because really nothing has happened on my other sites that my test sites that I think why am I bothering? Why are we going in there manually and clicking.
Yeah. There's only a couple of sites where you know, that they might be more important where I might still feel like I need to be the person doing it or rather my wife.
[00:19:32] Nathan Wrigley: See? Yes, you've given her that lovely job of updating. You get to blame somebody else if the updates go wrong: you are the one that clicked the button.
It was fine three minutes ago. So where do all these vulnerabilities, how do they get in then? We could probably start with the repository, maybe the WordPress repository. Yeah.
[00:19:52] David Waumsley: I think a lot of this is about finding who's responsible. Isn't it? So that's the question. Is it the role of the repository to protect us against dodgy software that might go in there?
And I think we already know the answer. It's probably not. It's impossible for them to do it. Yeah.
[00:20:12] Nathan Wrigley: It feels, if I'm going to, okay. So this just comes from my British consumer law head that I've gotten screwed on, where you go into a shop and if something is purchased from that shop, and even the word purchase might be wrong.
If I get something from a shop, even if it's for free, there's some kind of consumer law wrapped up in that where I expect it to be as described, and it shouldn't be broken, and it certainly shouldn't harm. It shouldn't be electrocuting me if I've bought a CD player or something like that.
I should expect it to be functioning and harmless. And so that's the expectation I would wander into the WordPress repository with. I would expect that, look, it's a shop of sorts. I can download things to make my WordPress site better. And, oh, look, on some of these sites, some of these plugins that I'm downloading are clearly businesses, because I can upgrade.
So there must be some sort of model for them gaining revenue. This is commerce, isn't it? I'm getting something from here. So I feel that most people would have an expectation that anything off the repository would be thoroughly scanned, tested, cleaned on a regular basis. And I'm sure that isn't how it works.
[00:21:37] David Waumsley: Yeah, I think you're right. And that's a really good point. And I think, increasingly, that will be the expectation, because WordPress is marketed against other commercial solutions and people will go in with that expectation. But I guess I go back still to the early days when it was still considered a blogging platform and an open source community where everybody was contributing freely to that.
No one owned it, like we feel perhaps they do more now, but that expectation was never there in the first place. So I still carry that one, where it's really just free stuff that people are sharing. They've put it up there in this one place where you can grab it and play around with it and use it as you like. It's GPL, have a play. That consumer expectation has never been with me.
But I think, yeah, it's interesting
[00:22:32] Nathan Wrigley: times now. I'm curious, actually, because in the real world, certainly in the country that I live in, the United Kingdom, and I know the case would be true for probably most of Western Europe, and I'm guessing North America and Australia and so on, but I don't know about different parts of the world.
We have this incredible culture of warning everybody about every possible thing, to prevent litigation. So if I go into the supermarket and there's even a slight hint that the floor might still be wet from somebody cleaning up half an hour ago, they put some sort of barrier up to prevent me, or at least to visually warn me that, caveat emptor, if you go down this aisle, there is a high risk of slipping and death.
And so, I don't know, on the repository, because I don't really go in there too much, do they have those caveats? Do they put up warnings about download, user, buyer beware? I really don't.
[00:23:32] David Waumsley: Simply not. Most people are going to install the one click get WordPress with their hosting, and then they're going to go to the repository via their install.
And there's just nothing that prevents you installing anything that's there.
[00:23:46] Nathan Wrigley: And I guess we have to be a little bit on the other side as well, in that not everything is let into the repository. There have to be checks and balances, and you can't just rock up with a bit of code and shove it on the repository.
And say, I've written a hacker plugin and I'm going to get it out to millions of people. It's not quite as straightforward as that, but I'm not entirely sure what kind of automations are going on there, how often that automation is updated, how things are processed by real humans with real skills if there are concerns or people flag a plugin,
accidentally or deliberately, because of vulnerabilities. I'm not entirely sure how that works, but we know that there are checks and balances, because you've got a lovely story here about a plugin which was recently just totally pulled. So there must be something going on.
[00:24:46] David Waumsley: Yeah. We've just been watching that on MotoPress.
Most of their plugins were not made available on the wordpress.org site temporarily from the 20th of September. And now we can see that at least one of these, which is Getwid, which is one of the block plugins, is now permanently banned. It's changed its ban, but we don't know why, because they haven't commented on this.
We think the ban might be due to what they're saying about them being accused of creating false profiles and reviews. But there's also the other, conspiracy side of it, that they were also flagged up as having a vulnerability by another site, which is called Plugin Vulnerabilities.
But interestingly enough, they revealed the hack on that, and they're also another plugin developer who's been banned for life from the WordPress repository for revealing insecurities prematurely. So no one really knows at the moment whether that's to do with the security side of this or whether it's something else, but it's interesting that there are people doing work there, aren't there, to
see what's going on in the repository.
[00:26:02] Nathan Wrigley: So that's the basic takeaway, isn't it? Despite the fact that in that particular case we spent a good 15 minutes trying to dig into that, and we came up blank and we really didn't get to the bottom of what was going on there, something has happened and the plugin has been removed.
And I don't know what the history of that is, whether plugins constantly go in and out of being available on the repository when a vulnerability is identified. I'm not entirely sure, but I have memories of plugins being temporarily taken off the repository because something has been discovered.
And then a period of time goes by and it's fixed, and I guess all the checks and balances are done, and whether that's done by a human or more software I'm not sure, but then they pop up again because everything's straight. So you've got to hope that, to some extent, there's a level of security in there.
[00:27:00] David Waumsley: Yeah. It's been quite a debatable topic, because when they have banned plugins, they can't update them. So the argument against the repository is that they prevented people being able to put out those security patches during that time. And there's no system to tell somebody that. So once this plugin is gone, if you are using this MotoPress plugin as a user, you're just not going to get more updates, but you don't know what happened unless you actually went to the repository and looked at the notification, which is unlikely to happen with the average user.
[00:27:32] Nathan Wrigley: Although, not a vulnerability, if memory serves, Astra was pulled. This is probably going back about 18 months or so. And it was nothing to do with a vulnerability; it was more to do with adding in affiliate links, I believe. And I can't remember the, anyway, the point being that Astra was really popular, and didn't the repository walk back their ban, because it was supposed to be for a period of time, let's say it was a month or six weeks or something like that?
They walked it back and made it available again, if memory serves, because they realized that the installed base really did need to receive updates during that period. Do you have a recollection of that?
[00:28:14] David Waumsley: Yeah, you're right. You are absolutely right on that. They changed it. So instead, that ban, I think, was something to do with the promotion side, because you get rewarded, don't you, the more installs you have.
So they dropped down on the popularity list. So that was that.
[00:28:30] Nathan Wrigley: So that was it. Yeah. They changed the punishment from a total ban on the repository to being not surfaced: it wasn't made available in search or in the popular plugins or themes section of the repository. I wonder if that's still the case.
I wonder if they changed the policy on that? I don't recall. Yeah.
[00:28:52] David Waumsley: I guess the thing is with the repository, it isn't up to them. It's up to us to do our own checks and balances. And one thing that crossed my mind, even though I've used a MotoPress plugin, actually, and it was perfectly fine, is that I have no clue who they are.
You know, if they were banned for... yeah, I guess most people wouldn't know who they are. They could just pop up as somebody else next week with some new plugins.
[00:29:16] Nathan Wrigley: That's a really good point. And it's a big red flag for you, isn't it? If you don't know the credentials of a particular company and you can't read an about us page which looks authentic and has a backstory, you're always a bit on the suspicious side, which I learned from you.
I think that's a really good way of operating. It's just occurred to me as well that whilst we're talking about WordPress vulnerabilities, we have got ourselves into, especially with things like care plans, we've got ourselves into a nice position where we can sell the benefits of WordPress, because it's extensible, it has ten gazillion plugins and it can do everything.
And if you get fed up of me as a developer, you can go to somebody else in the town who can fix things for you. You're not locked in by anything. There's no one point of failure. But at the same time, we also get to sell that if in a way we get to sell the weaknesses of WordPress as a method of generating revenue, because all sites are vulnerable all the time.
We've got to be mindful of this. And so come onto our care plan, we'll manage the backups, we'll manage the updates. And so it's a sort of, it's a mixed blessing. On the one hand, we don't want there to be vulnerabilities. On the other hand, I would imagine that a lot of us are making money off the fact of its existence.
[00:30:37] David Waumsley: Yeah. But I've only got the client side to go by, and I don't feel it touches them any longer. I really put that to the back. Really, it's just that hosting is what I concentrate on. Yes, that's provided as well, rather than the care, because I've tried all of that, you know, following other people. It's a great way of,
yeah, feeding off the fear. It works for insurance companies, but I've pushed that to the back, because I just don't. I honestly feel with our clients it's almost a turnoff if I start to concentrate on that.
[00:31:14] Nathan Wrigley: That's a really interesting point. I've got to ask you another follow-up question in that case. Have you ever had a client who has had a problem and then totally assumed that you were in charge of the security of their website, even though you didn't address that?
[00:31:37] David Waumsley: Do you know what? No.
[00:31:39] Nathan Wrigley: Because I've had a problem where I deliberately didn't get into the conversation of that. They didn't want the care plan at the level that I was offering, but I did, you live and learn, I did do the hosting side of things. This was in the days when I had my own servers, and they did get hacked.
This was a long time ago and it actually wasn't anything to do with WordPress was on a Drupal site. And they, they totally were forthright in believing that because I was hosting the site, I was also responsible for updating the site and maintaining the site and fixing the site if anything were to go wrong.
So they'd conflated hosting with managing, and I'm sure that most of us now probably aren't making that basic mistake in drawing a comparison between two, hosting is not the same thing as securing or maintaining or backing up or restoring or fixing. So yeah.
[00:32:37] David Waumsley: No, it's a really good point. And I don't think that is clear to anyone.
W we're probably going to talk later about the fact we think it might be the hosting company's job, so yeah. You were a fault then you should have
[00:32:49] Nathan Wrigley: that's right? Yes. Thankfully it was easy to fix. And I just sort of thought, do you know what? I think it was unclear the fault lay with me and when the whole care plan thing started like a decade ago or something it was prior to that.
So I really hadn't got my posture figured out. I hadn't got my thoughts around this figured, and, but now much more clear that really, if you, if you come in any way to, on a recurring thing, then the system would have been from now on that, that involves everything. If the hosting is done, then I'm also doing the backups, but it's not just hosting ever.
[00:33:29] David Waumsley: Yeah, exactly the same with me. Once I started that, I thought that they can't really I'm selling hosting because that's what they understand. And that the care is something that I tried to, so it's in a way I'm selling them an upgraded hosting experience because I think that's the only thing that my clients can really understand.
So they have to be in the package and then they're going to get those daily updates. And so far with the people I've managed, I've never had an issue and hope it stays that way. But with the people before they came on the plan, when they had the choice and they self-manage, none of those, and I've had, I think seven of those sites have come that have been hacked just because they haven't updated their plugins.
I fixed it for them and charge them for it. And they've never looked to me as to blame me, which has been nice. Yeah.
[00:34:14] Nathan Wrigley: That's yeah. You've obviously got a nice relationship. Okay. Let's draw a distinction here then. So if I'm selling a care plan and I do, I offer them hosting. They're looking to me in a way as the host.
It may be that I reveal that I'm using X company or Y company, but I might not, I might just tell them that I'm taking care of the hosting. It's all bundled in who's responsible on the hosting side. Do you think that there's any responsibility to be borne by the hosting company at all?
Is it a product of how much you pay? In other words, if you're paying a very cheap hosting monthly bill, does the host bear any responsibility for this at all? Or is it all for the more expensive managed WordPress hosting? Maybe utter neglect would come into it. I don't know, but I'm just curious on your thoughts.
Yeah, I don't think
[00:35:13] David Waumsley: you're ever going to get to the bottom of this really when you've got a problem, because, so I think it's not the hosting company's, whoever they are, responsibility, if you're the person installing the vulnerable software on their servers, it can't be, can it, and so I think that way, but again, it is possible.
Certainly it was in the very early days of shared hosting when there was no partitioning for you to be infected by one of their other customers sites, but you're never going to get to the bottom of
[00:35:46] Nathan Wrigley: it. Oh, you and I would imagine that on that level, although this has nothing to do with WordPress, we're talking about, the, the operating system Linux and the kernel and all that, and yeah.
And isolated. I would imagine that all of that is under review. If you're a hosting company, you probably just got to maintain your OS and make sure that the implementation that you've got for isolating one site from another is actually working, feels like they've got that nailed down now, but I could be wrong.
It may be that there are critical things happening in the Linux space all the time, which are putting that in jeopardy. And that I feel would now belong in the domain of the hosting company. If I was infected by another site on some shared hosting, I know shared hosting, we talk it down all the time, but this is what a lot of people use.
I feel that now that's on them, not on me, but if it's from a plugin, it's on me. Not on them.
[00:36:45] David Waumsley: Yeah. But I just think, with, um, we're not experts, I guess you would need expertise to come in to actually pin down whether it was the hosting company or not, but would it ever be worth the expense of doing that?
I don't know. It's an interesting one, but I just, it does seem to me it's going to be impossible for those cheap shared hosting services that are offering for $3 a month to host your site to, for that type of client. Who's going to be very similar to the ones who feel they could self manage a WordPress, the sites that I built, they're not going to update their plugins.
And it would seem too much to expect from the hosting companies to have to take on that responsibility. But we were talking about other examples, like Kinsta is very popular with people who build sites. And they've got a good reputation, but we're thinking I'm sure they would take care of you for sure.
They probably got really great customers who are going to do most of the work themselves because they are expensive. And they're generally, it's something recommended amongst professionals.
[00:37:54] Nathan Wrigley: Is there a price point? I don't know what this price point is. I'm just throwing it out there. Is there a price point at which you think this is now?
Totally not my responsibility. I can do anything I like to this site and I fully expect it to be, obviously you're not beyond the realms of stupidity, mistakes I'm talking about, but I can go in and install any old plugin, any old thing, anything I like, and for the money that I'm paying you, I expect you to jump up and fix it.
If anything goes wrong. I wonder if, is that a reasonable expectation? I
[00:38:35] David Waumsley: don't know. It's interesting. The security solution that I use, because it was a great lifetime deal I got, is Virusdie, and this is software. It's not limited to WordPress and you install it on your server and it will scan your install.
But they started off as providing this scanning service for hosting companies, they're a Russian company, and they did it for the biggest Russian hosts. So they must have been scanning those hosts. Must've been scanning individual sites on their server. So yeah, maybe it should be hosting companies doing that.
[00:39:16] Nathan Wrigley: I feel that with the advent of managed WordPress hosting, that feels like an offer that they're making. I haven't read the terms and conditions of more or less any of them, but it feels like that's the offer. You're paying us a really decent amount of money each month. And in most cases that will be a decent profit for us, but every once in a while, we're gonna end up you know, digging into that barrel of money that you've given us because we're going to have to dedicate two or three hours of somebody's time is probably on a decent wage.
You would have thought to get in there and fix the problems that have been found in one to 10,000. I don't know, websites. And I'm, I'm feeling that with the managed WordPress hosting, that feels like the offer that I would expect, I would want to be able to get on support, get on their chat, whatever it is and say, look, this is a problem that I've got a white screen, whatever, and I would like you to take a look, please, and get back to me when it's sorted and tell me what the problem is.
[00:40:25] David Waumsley: You've convinced me actually, it should be the hosting companies. In fact, Virusdie, interestingly enough, I think providing something so you can scan all, instead of having to individually load in some files for each site, you can put it on your server and scan the whole thing. You know, as they did for hosting companies before, so you would think they should have that system that would look out for vulnerabilities on your behalf.
But then we get to the question then, which I've often asked myself aren't security plugins for WordPress, just a big con.
[00:40:56] Nathan Wrigley: There. Okay. So this is a really interesting idea. So do you just want to lay out why they could be?
[00:41:04] David Waumsley: Yeah, I, I think. There are certainly people who don't believe that you really need these.
If you harden up your WordPress install, people like Jeff Starr, who's, he's got a couple of lightweight plugins that help you block, let me say this properly, block bad bots. And that's pretty much all he would say you need. So all the other stuff, the scanning that we do, I feel I need it cause I need to be accountable to clients and the firewall, which should be done really by the hosting company.
I feel again, I need to be showing that something is going on and I can produce reports from the stuff that my own firewall is doing. I'm doing it for my protection, but otherwise, if I harden up and I update my plug-ins surely that's as secure as it's going to be with. Or needs to
be you see?
[00:41:59] Nathan Wrigley: Yeah, that's an interesting argument. So he's got that Blackhole for Bad Bots, I believe it's called, plugin, which really is extremely lightweight and quite an interesting one. And yeah. So in that situation, the description that you're offering there, if you have a very low traffic site perhaps, that's not particularly critical, you're suggesting that you lay off the plugins, except some basic hardening.
In other words, you set it up, you harden it and then you leave it alone. You're not doing scans, you're not actively putting up some defenses like a firewall or something like that. You're just setting everything up, hardening things. Then that's the posture that you've got. And from there you can, then if you like, produce some sort of insurance document to say I did this, this is what I did.
I'm curious from my point of view, if my site was hacked, there would be a, there'll be an interesting discussion to be had there about what about, what about a firewall? Do you not have a fa... goodness knows whether your client had known about this, but didn't you, weren't you carrying out regular malware scans a little bit like I do on my PC each day and you'd probably end up in that discussion, but I can totally see why that might be the most economic way of doing it again.
I suppose it comes back to what discussion you've had with your clients. And if you've told them that this is what you're going to do, and if they want to do the more complicated solution, the firewall and so on, that's going to be a little bit extra because there's a fee.
[00:43:34] David Waumsley: Yeah, exactly. My plugins now, perhaps in the early days when I started with WordPress and had no idea of security at all, a lot of the plugins that are out there would be very useful.
Now they make no sense to me. So things like iThemes Security, which does a lot of that tick box hardening of your WordPress site, would have made a, did make a lot of sense when I started. Now, I just think, why do I want this plugin to do this? I should just set up my install correctly in the first place.
And again, is this who does that job? It should be us, I guess, shouldn't it, as people who build the sites, but yeah, it's never clear cut.
[00:44:13] Nathan Wrigley: Yeah, it's interesting. So, but that is a reasonable posture to take. I think it is fair to say I'm going to harden it. I'm going to deploy this plugin.
Here you go. Find the details, read up about it. This is what it's going to be. And that'll do a certain amount, but you could go extra. Do you actually use any of the more widely known firewall type plugins? So things like Patchstack and Wordfence and...
[00:44:42] David Waumsley: No, I guess the closest I've got is that this is a belt and braces kind of thing.
Really, cause I have Virusdie doing some scans, but I also use MalCare as well. And that has its own firewall and will do scans. So it's a little bit over the top with two solutions. I think so part of me is with this kind of Jeff Starr approach and there are others out there, I've done articles, how you can secure WordPress without using plugins, but I still ended up going to the complete opposite to what I really think.
And but it's just my protection because I feel responsible for the clients and at least I'd be able to look at the log on my own firewall, where if I trust the hosting company, I won't get access to that.
[00:45:26] Nathan Wrigley: It's just occurred to me how difficult the sales proposition for security solutions in WordPress is because yes.
If you go into these plugins, there are so many options and they are very difficult to understand unless you really spend the time reading it. And very often even reading it, doesn't help you read it. Anything, I'll be still completely confused. I really don't know what that's doing. And so plugins Wordfence and so on trying to sell to end users must be really difficult to explain how it works.
They, I know they have their wizards where here you go. Here's the basic novice settings. Just click, click, install, click a few buttons. You're done. That's your basic setup. But if you want to go into anything in more depth, then that really is the job of an expert. And even a jobbing WordPress website builder and implementer, if you like, will be struggling to actually, I'm sure.
Honestly, explain what all of the settings do and what's involved when they tick a certain.
[00:46:34] David Waumsley: Yeah, I've sat in at Wordfence is really quite confusing for the first time. Most popular plugin in security in WordPress is something I still recommend to a lot of people, even though the ones shared hosting.
And even though it really is quite demanding on the server, just because if they're going out alone and they might forget to update their plugins or whatever, it's going to let them know if they've got an issue. And that's been the issue with some of the ex clients they've had really, clever hacks where they just don't know they've been hacked, but sending off their visitors to some other dodgy site or something like that.
Yeah, so I ended up telling other people, install, something that I know is quite heavy and quite complex, just because it might let them know where some of the other security plugins that are out there really are just about hardening. And they won't really let you know whether you've got an issue or not.
[00:47:29] Nathan Wrigley: And sometimes the communication that you get from the. You may end up believing that everything, the sky is falling out. There's a total crisis. I've got a notification from X plugin. And actually it's just saying you recently updated something and we noticed that there was a file change.
Yes, of course there was a file change. I just updated things. But you get this constant stream of emails telling you that files have changed. Oh, is this? Yeah. And if you've got those emails coming into the, the, the actual owner, if you like of the site, that could be a bit of a thorn in their side.
It creates some anxiety when it didn't need to be.
[00:48:07] David Waumsley: Yeah, exactly. The whole industry now, because we've got so many options available that, which is true of WordPress generally. But we've got more security options, more dedicated firewalls, as you mentioned. And that didn't used to be a thing before.
I never heard of that. It's now there's quite a few choices there for that kind of thing. And and that's bringing its own fear as well. Isn't it? Because each of these new security plugins or firewalls are doing their reports on vulnerabilities and generally, the same way that we might do with clients the generating business by feeding off our fear of vulnerabilities.
[00:48:46] Nathan Wrigley: Yeah. I love the word firewall. It's just such a what even is that? What is it, why firewall of all things is setting the idea that you've already burned the ground in front of you. So it can't be re burned or.
[00:49:00] David Waumsley: I don't. I sound, it sounds like a challenge. There's a wall of fire for me to go through AI.
I can jump through
[00:49:05] Nathan Wrigley: that. I remember the first time I ever heard that word and I can't even remember the context, but I remember thinking that's just such, mumbo-jumbo just, can we have a better word please? But we've got it. It's fine. It's firewall. Can I just move this on a little bit? And I'm going to ask what, what on earth?
Why do we even need to protect ourselves? What on earth is the point of people creating vulnerabilities? Like, so these sites, they're always under attack. We're told that, we can see that there are bots going all over the internet, trying to do things. We know this is happening. Why is it happening?
[00:49:47] David Waumsley: Why are there so many mean people in the world?
[00:49:50] Nathan Wrigley: Wouldn't that be better? Can't we have you know, decent people throughout the earth. And then we don't have to worry about this. No, seriously. Logistical question. Why? I mean, I remember in the day when vulnerabilities began, software for your windows, computer would get infected.
And so we got plugins, to defend again, not plugins. So you've got software that you could install to defend against that. And that became a billion dollar industry. And then it moved over to the online stuff. And it felt like in the beginning it was just about showing off. It was just about being able to deface things.
You could put your tag on somebody's important home page. Imagine that kudos, if you're in deputies, if you took down, let's say NASA, and you could put your tag all over the NASA homepage. Big deal. But that obviously it didn't stay that way.
[00:50:47] David Waumsley: Yeah. I think those, I would say the hacks that I've encountered must be, is it, script kiddies?
They call us the kind of people who, just the ones who know about existing vulnerabilities and the, once they're exposed, they're shown how you can do it yourself. And I guess they that's like a little club, isn't it? They're the ones you're talking about that they just want to show off to their friends that they've managed to do it on these sites.
But yeah, the other stuff, which I really don't know about, or have any experience of maybe it's even happening on sites and I'm unaware, but the stuff that you probably know more about with the crypto mining and data scraping stuff.
[00:51:25] Nathan Wrigley: I mean, it's, this is just such a bizarre, yet. Very interesting.
Area of development. Let's say that you know, if you know how Bitcoin is created, if you like, you just need to essentially have a lot of computers doing a lot of boring, but difficult maths in order to get a row of zeros. And if you get a row of zeros, you get loads of Bitcoin and you get rich. And, but you need loads of computer power to do that.
So why not steal it off website servers? And you know, this kind of came along, hacking websites to take control just to sit in the background and consume your resources. That's the thing, I don't know if it's still a thing. I don't know if those days have gone or whether the hosting companies have really wised up to that.
I don't, I certainly don't hear about that quite so much anymore, but now it feels to me as if the money is in the data, the damage can be. By taking the data, you could, in some way, scrape the data from an e-commerce store and use that in some other way to get access in the real world. You connect the dots and phone somebody up and somehow convince a mobile phone company that you are somebody else and get their SIM swapped out and all of this kind of stuff.
So there's that. And then I also think just reputational damage, it may be that dare I say it. You would you nefarious company a want to destroy the reputation of good company B. And so you hire a bunch of hackers just to do them reputational damage, just to put some incendiary stuff on their website, stuff that is inflammatory, politically incorrect or.
Plain rude and do reputational damage in that way. I feel that's like the Vanguard of where we're at the minute, no longer about defacing or mining, more about scraping data for use elsewhere, or just destroying the, the reputation of somebody else.
[00:53:28] David Waumsley: Have you heard of any sort of cases of reputational damage where.
Did you know, the vet, she found company B has been attacking company. Do you know what
[00:53:37] Nathan Wrigley: I want to say? Yes, but I cannot bring anything to the top of my head. So I'm going to say no, but I'm pretty sure I've heard stories about that, but I honestly can't but yeah, obviously that is in the, that's totally, you know, that really is real world illegal.
Isn't it? You can actually see the result of that. Whereas I think the Bitcoin mining type of stuff and the data scraping is is a little bit less obvious. You're going to be all of that stuff would be conducted in the background and hopefully never get caught, but if you're actually posting mean stuff, the finger is definitely going to be pointing at your competitors straight away.
[00:54:16] David Waumsley: I guess so. Yeah. I've certainly heard of one case and you'd have heard the same one where a competitor was trying to bring the site down really just by, repeated login to target that kind of stuff. That, but that kind of seems you know, just all good fun, and japes really,
[00:54:32] Nathan Wrigley: unless you have a cyclic.
Yeah. And that's another one, of course, isn't it, is denial of service. I'd forgotten to include that. It's just, yeah. That's not really an attack on WordPress as such, it's just an attack on the network infrastructure and hoping to flood it to the point where your websites won't work. So it's out of bounds for this discussion a bit, but yeah.
That's also something.
[00:54:52] David Waumsley: Yeah. Um, um, should we just talk about, what's a sensible perspective for this then? Because we can't even decide whether plugins are responsible, the WordPress repository or hosting um, where do we draw our own lines?
[00:55:06] Nathan Wrigley: Get involved with anything online, just stay away from. At any, in any way that you possibly can and you'll be really safe from hackers.
I promise you if you never use the internet, you won't ever suffer at the hands of a hacker that is cast iron guarantee. I don't know for
[00:55:29] David Waumsley: me, no, I don't feel very worried about the sites now, because most of the stuff that I deal with doesn't it doesn't contain a lot of data that's of value. So there's that right?
So that helps me have a better perspective on it. Most of the sites can be restored with a backup. So if I'm in a fix, that's a good thing. So I, most of the time I think I just stay out of stuff, which has too much responsibility. We talked about this with with commerce. I feel the weight of. The shop that I have to manage, because that has got people's data on it.
[00:56:07] Nathan Wrigley: Yeah. Yeah. Th this is that is a really good point. And I don't get involved in e-commerce at all anymore, but I'm just like, you know the vendors that you getting your plugins from and find out that they are reputable and that they fix stuff in a timely way and they're updating and so on.
Update your stuff regularly. In my case, keep WordPress updated. And as I said, all the plugins get some backups and that's where I'm at really it's F O and I think GDPR did teach us. Possibly destroying data that you really don't need to have hanging around on your server as well. So any forms that come in, I'm pretty sure that this is true.
I know that the plugin that I use, the two that I use allow you to just expunge the data probably recommend to do that. Then there's just less stuff for people to get. Should you be the recipient of a successful attack?
[00:57:09] David Waumsley: Yeah, I cleared up a lot of the data due to that and that's a great thing that happened with all the plugins on that.
Do take much notice, as you mentioned, this, that you know, to get information, there are lots of updates you can get from iThemes, WPScan, Patchstack, et cetera. Do you take a look at that when you're thinking about plugins, do you look at their history?
[00:57:31] Nathan Wrigley: Yeah, it's interesting. I look at those, but I feel that I'm in a bit of a quirky position.
I look at those things really regularly when they call my own, but purely I think, because I'm just doing the Monday news thing. So I want to see if there's anything standing out, but I honestly don't think I would be looking at that. I, it was curious because when we, before we hit record, we did talk about whether those are some sort of advertising material for security plugins, the more, yeah.
The more harmful things happening each week, the more of a posture you've got selling your security plugins out into the masses, because look, there are 7,000 vulnerabilities this year. This is very important. We must, it's up from 5,000 the previous year, we must, you know, we must get our security posture in order, but I do read them, but I don't, I can't get into the weeds of it because I don't understand it.
And I just don't have the time to do that. I'm just hoping that people who are in a position to understand it are reading it and taking note on my behalf and updating things in their own plugins. And what have you.
[00:58:42] David Waumsley: Yeah. I felt very pleased with myself when I discovered things like WPScan and I subscribed so I could get this information.
But what I realized is that it's partly helpful in learning. Maybe there were certain types of plugins, like contact forms, which were probably more likely to be vulnerable than other types of plugins. But generally I didn't understand the critical level of. Security issues that are being picked up on.
And I still don't think I do. So if I see there's a plugin that's had a long history of it, in all honesty, I would probably just go, oh, and that might be one to avoid compared to another. But I think really no idea whether they might've been picked out as a plugin that's looked at quite a lot by a lot of these people who do that, or how important those, you know, those security leaks are, often they're very particular, you have to be a logged in user of, uh, I don't know, of a certain level or something to be able to implement some of these things.
So yeah, I've realized that I don't learn
[00:59:46] Nathan Wrigley: much from these. I think it's a bit like my father always used to say. Some know your place. In other words, I totally get that this is not an area of expertise. Luckily, there are people like Tim Nash out there, who I know he is an expert in all this kind of stuff.
And he's constantly writing pieces and making sure that the world is a better place. And I defer to people like him. I am an implementer in WordPress. I am not the plugin developer. I am not the writer of security software. I don't really understand the nuances and the machinations of how hosting truly works.
That's not where I put myself. And so I'm happy that other people are doing this.
[01:00:32] David Waumsley: I think you and I though do something that helps a lot. We're aware of updating and hardening our sites, but I think also we're quite keen to find vendors that we trust. And we're quite keen to install plugins that only do what we need them to do.
So we're not installing more code that could be vulnerable above what we need. So I think, I think those to me have been the most important things about figuring out security. Just keep things as simple
[01:01:02] Nathan Wrigley: as possible. Yeah. I think we're done.
[01:01:05] David Waumsley: Yeah, I think we are. We've slept
[01:01:06] Nathan Wrigley: on V for vulnerabilities.
Oh, goodness. Me David. It's almost an hour. Good grief. Go to ABC. D E V w
[01:01:17] David Waumsley: W for Wrigley or Waumsley. I forgot, me. Yeah, let's do you,
[01:01:23] Nathan Wrigley: so y'all gonna tell us, we're going to lie you down on a couch in the next episode. Tell us about your father. I know what are we really doing? We don't have, we're not sure, but we've settled on something.
Have we? Yeah, we're doing,
[01:01:36] David Waumsley: but no, we're okay with, if we do writing, which, because we cannot be for blogging and that's what WordPress was made for. So we're doing writing and then she'll be, cause that's going to be our penultimate,
[01:01:48] Nathan Wrigley: but hold on a minute. W X, Y is that there's three letters of the alphabet
[01:01:52] David Waumsley: left.
I know X, Y, Z. We're going to do them all together. You're cheating.
[01:01:57] Nathan Wrigley: Yeah, it's just blatant cheating yet. Honestly, try to get XYZ that into three episodes. No chance. So we're going to, we're going to do writing in the next one, and then we're gonna wrap up with X, Y Zed, and then in the XYZ, that episode will probably say a bit more about what we're going to do after that.
Yeah. Okay. All right. Perfect. That was great. I enjoyed that. Thank you. Bye.
[01:02:19] David Waumsley: You too. Bye.
[01:02:21] Nathan Wrigley: I hope that you enjoyed that episode. Always very nice chatting to David about these things. We've got just a small amount of content in the eight. Is that of WordPress coming up? That'll be in a couple of weeks time.
I'm not a hundred percent sure. I might actually not put the podcast out during the page builder summit, because it seems almost like there'd be too much going on for me that week. But speaking of the page builder summit, as I said at the beginning, head over to pagebuildersummit.com, starting on the 18th of October, going through the 22nd of October 2021, 40 plus guests talking about all things page builder.
No matter which one you're using, there'll be something for you to learn. And there's quite a bit of content about blocks as well. So you can get all of that at pagebuildersummit.com and look at the schedule, that'd be forward slash schedule, and get yourself signed up and get your free ticket.
Okay. That's all I've got for you this week. I hope that you enjoyed it. I'm going to fade in some pretty cheesy music. We'll see you at the summit.