[00:00:00] Nathan Wrigley: Hello there. And welcome once again to the WP Builds podcast. You've reached episode number 340 entitled Akshat Choudhary on the utility of WordPress firewall and malware scanners, security mini series two of four.
It was published on Thursday, the 7th of September, 2023. My name's Nathan Wrigley, and I'll be joined by Akshat in a little while so that we can have our conversation. But before that a few pieces of housekeeping. First up, the page builder summit will be starting not next week, but the week after that, it's version six of the summit and it's running from the 18th to the 22nd of September, 2023. The best place to go at this point is pagebuildersummit.com. Fairly straightforward to remember that, but I'm going to say it again. pagebuildersummit.com, sign up there and we will keep you updated. It's looking like a really incredible lineup. We have over 40 presentations lined up during the course of the week. So it's going to be really action packed. I'll do it again. pagebuildersummit.com ever so quickly.
Okay. The other things to mention are. If, when you've heard this episode, you've got something that you'd like to say. I'm kind of going to start saying this. I would really appreciate any commentary going on the WP Builds.com website. After all, we have a commenting system in WordPress. So head over to episode number 340, use the search at wpbuilds.com and leave us a comment there. I would really appreciate that.
The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting that includes free domain SSL and 24 7 support. Bundle that with The Hub by GoDaddy pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% of new purchases. You can find out more at go.me forward slash WP Builds. Once more, go.me forward slash WP Builds. And we thank GoDaddy Pro for their continuing, ongoing support of the WP Builds podcast.
Okay. What have we got for you today? Well, like I said at the top, it's an episode, two out of four in our security mini series. We had an episode a couple of weeks ago with Calvin Alkan from Snicco. This is another episode in this series and there's a few little caveats. The first thing to say is because of the sensitive nature of this topic, I laid some ground rules when I recorded these podcast episodes, the podcast series, the four guests are Calvin Alkan, that was the previous episode.
This week is Akshat Choudhary. We're also going to be featuring Dan Knauss from SolidWP, which used to be called iThemes security and Thomas J Raef from we watch your website. They'll be coming up in the weeks to come. But because of the sensitive nature of this topic, I laid some ground rules that each participant was going to be recorded separately. I would wait until all the recordings were taken before I published anything. So that kind of the right of reply, if you know what I mean, nobody could be pre-warned what the other people had said.
And each participant was told that their episode would be published in a random order. And that's because there is a little bit of adversarial nature to this. And so I wanted each person to get their fair say. So Akshat Choudhary is the founder CEO of a range of WordPress products. You've perhaps best heard of Blogvault and Malcare. And these came into the crosshairs of Calvin Alkan and he was, during his episode, he was picking apart whether he thought that the solutions that Blogvault and Malcare, and similar products offer are actually worthwhile. So this is Akshat's chance to explain why he thinks that his firewalls and solutions, and malware scanning software have some utility. Make your own mind up and then go and leave a comment over at wpbuilds.com. As I said, episode 340. I hope that you enjoy it.
I am joined on the podcast today by Akshat Choudhary. Hello Akshat!
[00:04:32] Akshat Choudhary: Hi, Nathan. How are you?
[00:04:33] Nathan Wrigley: Yep, good thank you. Akshat is joining us today to talk a little bit about security, WordPress security, plugin security, website security, all of that kind of stuff. Now this topic is obviously something where you need a little bit of expertise, you need to understand that the person who is on the other end of the call knows what they're talking about.
So we'll do a brief introduction to you in a moment, Akshat, but also just to say that this podcast episode will probably have various different sections to it. We're going to talk about hacking, talk about security, landscape, firewalls, but also at some point we will get into the topic which has been really in the WordPress news about malware scanners and how they work and whether or not they're effective.
Let's go back to the beginning. I said that I was going to give you a chance to introduce yourself, especially given the technical nature of the subject at hand. So Akshat, if you don't mind, just a minute or two, just tell us who you are and how come you get to talk on a WordPress podcast about security.
[00:05:39] Akshat Choudhary: All right. Again, thank you again, Nathan, for having me. I'm the founder of Blogvault. That's the company behind products like Blogvault, Malcare and WP Remote. Blogvault deals with backups. Malcare is a security plugin. WP Remote lets you manage multiple WordPress sites.
So Malcare, our security plugin, is the reason why I have a few opinions on WordPress security. We built Malcare for a specific reason when we saw a very big problem with the way WordPress security was perceived and trying to solve that. So our first plugin was Blogvault, and with that we used to back up hundreds of thousands of websites.
And we realized that a large number of people would restore their website when their sites would get hacked. And that's when we thought that maybe there is a better way of solving this problem. And we built Malcare over multiple years. Yeah, we put in a lot of R&D to build Malcare and finally released it a few years ago.
[00:06:51] Nathan Wrigley: Okay. Thank you. Has your background always been in the WordPress space or prior to WordPress, did you work in the security industry or the backup industry or just the tech industry in general?
[00:07:03] Akshat Choudhary: No, so actually I consider myself like a WordPress outsider. Though I've been doing WordPress for now more than 11, 12 years. I'm an engineer. I used to build really high-end networking devices. So I was working with a company building really high-end networking devices. Building SSL VPNs.
So there is a security angle to it. And these devices would sell for hundreds of thousands of dollars per device to some of the largest tech companies in the world. So I used to do FreeBSD kernel work. So kernel hacking, as it could be said. So for the first few years of my professional life, that's what I was up to.
And very interesting. And then. From that to WordPress was a very big shift, but yeah, it's it's been fun.
[00:07:56] Nathan Wrigley: How did you stumble into WordPress then? Was it a bit of serendipity? Was it an accident? Did you design your career that way and thought that WordPress is growing, I'm going to get into that? Just how did that happen?
[00:08:07] Akshat Choudhary: I'd say it's just luck. So I didn't even know what, I barely knew what WordPress was. So the reason I got into WordPress is, go back 12 years. And the founder of Stack Overflow, he had a blog which had crashed. Now this blog was really popular and I used to follow it. So I was like, oh, if the founder of Stack Overflow cannot keep up, have proper backups for his website, then maybe there is something to, there's a problem here. And then I'm like, fine. How do you, how does one build a website? And then I came across this thing called WordPress. And so yes, I was as much of a WordPress outsider and in many ways continue to be, but there was no plan when we started.
WordPress had 10, 15% market share. Today it has 45% market share. So it's it's grown and we have grown along with it.
[00:08:59] Nathan Wrigley: Yeah, it is amazing. Sometimes when I look back on the the chance that WordPress I've been in the WordPress space for, getting on for a decade now, something like that. And it's grown exponentially really during that time, of course it could have gone the other way. And we could have all.
We could have all aligned ourselves with a platform which was shrinking, but we managed to pick the right horse, nice. Let's get into the subject of website security and things. You're going to tell us from your perspective and then later on we'll go into malware and all of the stuff that's been in the news and we'll lay all of that out as we go.
First of all. We prepared some show notes and we'll just run through a bit, few of the bits and pieces on those show notes. First of all, you wanted to address how websites get hacked. I suppose that's an important piece to start. So yeah, run us through that. What's going on when a website gets hacked?
[00:09:54] Akshat Choudhary: Right. So websites do get hacked, right? And WordPress sites getting hacked is a lot more common affair than any, honestly, any of us would like, even being a security provider. We are not happy about it. But it's a reality that websites do get hacked and we need to deal with it.
We need to prepare for it. And the way to prepare for hacks is to first understand how do sites get hacked. All right. And if you ask actually 99.9% of people in the WordPress ecosystem, they will just have the wrong understanding of sites getting hacked. And if you don't understand what the problem is, you will never find a good solution to it. Okay, so how do sites really get hacked? If you ask somebody like, oh, my site got hacked. I've got a terrible web host. You need to go to a better web host, and we'll come to web hosts and their role in security, but that's the very first thing anybody will say. Look at the forums online, almost any forum, and they're like, oh, yes, change your web host, get a good web host and your problem is solved.
Or they will be like, no, I'll get 2FA and then your problem is solved. And all of those are important, but that's like just shooting in the dark. Because if you look at the data, and we have the data, we clean thousands and thousands of sites a month, right? We deal with hacked sites at such scale and we are one of the largest players in this ecosystem and the security provider in this ecosystem.
When we see all of this data and what we see is. More than 95% of sites get hacked because because there's a vulnerability in a plugin or a theme. That's the single biggest reason sites get hacked. Now, if you think about it, what is it? Okay, so we can take a step back. What is a vulnerability in a plugin or a theme?
A vulnerability is nothing but a bug, which gives unauthorized access to your website or to any piece of software. In this case, every website has tons of plugins. And the reason why anyone uses WordPress is because you have the flexibility of being able to accomplish anything by installing a very simple plugin.
And when you have such complex system working, working in tandem, in a closed environment flaws, every software has flaws. There's no software which is, so I, this is the other thing and we'll come again, address it further down the conversation, but every software has flaws and every software will have security issues.
So the joke goes that you haven't found any security issues on my, in my plugin or in my software, it doesn't mean anything. It just means that you you haven't searched enough. So it's just give it time and you will find it. So 90 to 95% of sites get hacked because there's a vulnerability in a plugin.
And any plugin, you can name the largest, the most popular plugin out there, and they've all had vulnerabilities of different levels. Definitely severe vulnerabilities. And we know that whenever there's a vulnerability announced, or whenever a vulnerability is discovered, maybe prior, even prior to the discovery, you will see a very clear pattern of sites getting hacked, because of that vulnerability.
Okay. And if you understand this, if here we are saying that 95% of sites get hacked because of a vulnerability, then the other 5%, I wouldn't say 5%, but mostly 5%, is because your username and password gets compromised, right? You might reuse the same username and password, your 1Password or LastPass account gets compromised.
And we have seen all of this and the hacker then just logs into your website, or the hacker is able to crack your username and password. And so you will see this whole set of requests which are attacking your WP login page. And they just keep coming all day.
And it's very scary. If you're as a website owner, when you see these attacks, You are scared and you should be, but also remember. And so what happens is because these attacks are coming all day, you are thinking, okay, let me protect against these attacks and it's important to protect against them, but remember that only 5% of sites get hacked because of this reason.
So what people think do is they over index on protecting against login attacks. And they undermine the protection from from vulnerable plugins. Finally, the last part, and which is what, so the people who get unfairly get blamed for it, are web hosts. So web host security practices, or the reason why a web host itself has some really bad security or has some challenges with security, that is responsible for less than 1% of the sites getting hacked.
Once in a blue moon, it does happen. We saw a very large hosting provider recently, I think a couple of years back, announce that their services had been compromised, right? And a lot of sites got affected by it. There was a lot of hoo-ha around it. So that does happen, but it is much rarer than you would think.
So these are the three biggest reasons why sites get hacked. And now that you understand it, you will start protecting based on this.
[00:15:44] Nathan Wrigley: Okay, so what you're, if I've paraphrased it correctly your answer to how do sites get hacked is one of three ways, really, the, you're saying that the vast majority up in the 90% plus is some kind of leveraging of a plugin vulnerability. There's also something which is fairly rare, which is that your web host.
Gets hacked, but then there's also other channels, which again, count for not too much. You're saying more in the region of sort of 5% or something like that, which is that there is, it's not a vulnerability of the plugin. It's some other side channel, but it's not related to plugins and it's nothing to do with your web host.
[00:16:27] Akshat Choudhary: Yeah, that's correct. So something like your username and password gets compromised in different ways.
[00:16:31] Nathan Wrigley: Yeah, okay. We're familiar in the WordPress landscape. There are a variety of different security solutions out there. I'm sure that we could name them. Yours is one. There's probably, I could list five or six others in the landscape. They're doing things differently. They're tackling a different part of the problem.
Now, obviously, each vendor is going to be telling me that there's that what they're doing is the best thing that they can do. It's offering the most protection or what have you, but do you want to just sum up? What those different things are that you do and how you might differ from the other plugins.
I don't know if you want to get into the whole naming of names, but it might just be good to concentrate on what you do. And just we could talk about other plugins doing other things.
[00:17:23] Akshat Choudhary: And so the important thing I want to cover here is the fact that actually every security plugin is. Significantly different from each other on the surface. They look the same. Their websites look the same. They all give you that same assurance. Even if you come to our website, you will see similar assurances.
Some of them have some major differences. They do look the same. They use similar language, but understand that not all plugins are the same. And when you start painting this thing with broad strokes, that's when you get that's that creates a commotion and that creates the commotion as to what protection do you apply to your website. Okay? What approach we have taken, and I think this is, in my opinion, this is the right approach to solving this problem, is we first identified why do sites get hacked. Okay? Number two, we've said that let's protect, let's reduce the chances of sites getting hacked, that's number one.
Number two, there is no such thing as foolproof security. I think some people and some plugins do try and create that claim. I can assure you there's no such thing as foolproof security. You have to be prepared for the worst. I will never say that Malcare will protect you, come hell or high water.
And and so once you understand that, then you understand that you need to be prepared that eventuality. And and these are the two big tenets. And then there is okay, fine. If something really screws up what to do, that's the third part. These are the three big these are the three big principles on which we believe WordPress security should be done.
Even so, we are not the only ones who believe this. But even then, when you go deeper into it, for example, we believe that, and I know I'm speaking for Wordfence, which I should not, but for example, Wordfence believes in protection of a certain kind, it believes in scanning and remediation, assuming that sites will get hacked one day, but even our approaches over here are night and day different, right?
So we have tried to solve different problems. I think again, we'd like to believe we have certain advantages, but I don't think we should make the conversation about the advantages of Malcare or not.
[00:19:48] Nathan Wrigley: So how is Malcare actually protecting your site? So if I'm coming to your website, I can re-read all the promotional bits and pieces on the website, but I've got you on the microphone, so you tell us what is it actually doing? What are the steps, the roadblocks that you create, the things that you fix, the backups that you take, whatever it may be.
Just lay out what. What your position is, because the, again, we'll get onto this in the future in maybe 10 minutes or so, but clearly some of the things that have happened recently, people have called into question the way that you're doing things. So just lay it out. Tell us how you do things, what approach you take and technically what's going on.
[00:20:36] Akshat Choudhary: All right. Again, thanks for asking this and let me try and break this down. So let's start with the first premise that we need to protect the website against attacks on your plugin or theme. So the question to ask is, what happens when a plugin or a theme is vulnerable? So when a plugin or a theme is vulnerable, does a hacker need to come up with a million requests and figure out some really complex thing to crack or hack into such a website? Does the hacker need to, what I mean to say is, do they need to specifically target you?
And for both of these things, the answer is no. So what the hacker needs to do is send one or two or maybe three requests. And most of the malware vulnerabilities we have seen recently. Can be easily exploited or can be exploited using these these these number of requests. So you can almost think of hacker the snipers and just taking an aim, shooting one, sending one request, which is very carefully crafted and hacking your site.
Now, how do you protect against this? The way to protect against this, frankly, the only way to protect against this, is to use a firewall. So if you have a vulnerable plugin or theme on your website, you need to block out this request, because if the request reaches your WordPress site and it's processed by the plugin, then your site will get hacked. And the way to do it is by using a firewall, which is reviewing every single request coming into the website, even before the website loads. Now, this is true for our firewall. Different firewalls behave in different ways. Our firewall is the first line of code that gets executed on your WordPress site. Because of this, any of these vulnerabilities can be easily intercepted. And we have a set of generic rules. These are standard. So security, again, today if you look at security 25 or 30 years after the evolution of the web, yeah, 30 years after the evolution of the web, is a fairly understood system.
So there are standardized ways of protecting against a whole bunch of attacks. And we have taken your website and we push out specific rules for these types of attacks. Things like XSS attacks, CSRF attacks, SQL injection attacks, and we do it specifically for your website. So we understand your website, analyze it, and then push these rules on your site.
Further, we also For if there is a major vulnerability, for example, there was this big element of vulnerability recently, or in that case, we will, if you see that your website has a vulnerable plugin that was specific vulnerable plugin, then we'll push out a special rule to, to protect against that attack.
Okay. So this is our approach to protecting against vulnerable attacks, we also will alarm you and get you to update it. Your plugins ASAP, so when we provide a lot of tooling to make it easier for you to and safely update your plugins, because in our opinion, that's the single most important thing you can do.
Keep everything up to date.
[00:24:12] Nathan Wrigley: So, just explain to us what a firewall is actually doing, because it sounds very impressive, doesn't it? The idea of a wall around your property strikes me, it's fairly easy to understand. The intention of the wall is to block things and to make things ricochet off and bounce off, or at least just stop in their tracks.
But what is it actually So how is it making these determinations that, okay, this piece of traffic is fine, we see nothing there it looks completely legitimate let's, if you like, we'll open the gates of our wall, and that thing can come through, but wait a minute, this thing over here, there seems to be something dodgy let's leave the gate shut.
How does that actually work? And feel free to get a bit technical if you like.
[00:25:04] Akshat Choudhary: Alright, so that's a great question. So let's take a step back and let's understand what is a request, what is a website. We've said a request is nothing but, think of it as somebody is requesting like your homepage or a specific page on your site and they are sending parameters to it.
Okay, so if you know any programming, think of it as like a function call. Or does that make sense or should I go, I think maybe the function call may be the wrong way of, maybe I'm coming from a programming
[00:25:36] Nathan Wrigley: Yeah, I think what I'm trying to, what I'm trying to help the listeners to understand is what is it, so you could use a concrete example, whether it's complicated or fairly trivial, doesn't really matter, an example of why you decide that something is not legitimate. So you mentioned that you had a list of vulnerabilities and that you're making checks against those, but how does it actually.
How does it actually work? If I'm a malicious hacker, what is it that I'm displaying to you, your firewall, that makes you say, hang on, that's not normal?
[00:26:15] Akshat Choudhary: All right, actually, this is a great idea. Now that you mentioned it, the best example would be, we've all gone through airports, and at an airport, you go through body scanners of different kinds. And different body scanners are of different types, some body scanners nowadays, they don't need to tap you, they don't need to do anything, you just go across, they've got a very deep image of what you're carrying. So if you've got a knife, if you've got a nail cutter or anything, they're able to identify that such a thing exists in your pocket, and they can flag it very easily. And they can do it for every single person passing into the airport. That's essentially, think of a firewall as this, we need to ensure that every person entering the airport is going through this body scanner and the body scanner is of the best kind. Now the easiest ones to handle are, for example, they might be pre-configured systems to figure out if there's a knife, there's a sharp object and stuff like that. But if tomorrow there is a plastic explosive, which is new, and maybe that's something which is discovered, that there are these kinds of plastic explosives, which the traditional signature, the traditional mechanism is not able to identify.
Then you can also reconfigure the scanner to find that explosive and stop it and identify and block that even before they enter the airport.
[00:27:38] Nathan Wrigley: Okay. That all,
[00:27:40] Akshat Choudhary: the way the sorry. Go ahead.
[00:27:42] Nathan Wrigley: No, I was just going to say perfect sense. The thing that I'm thinking of in my head is that I'm imagining that analogy I'm imagining one guard looking at one person, and then, they say you're fine to go. And then we look at the next guard, sorry, the next person they go through and the whole process is incredibly slow, which is why you get these queues at
[00:28:06] Akshat Choudhary: Yeah, that's actually good. Is good.
[00:28:08] Nathan Wrigley: How is it that a firewall can make judgments against presumably tens of thousands of possible exploits on everything that's coming at the same time? So that's the confusion for me, really, is how do you carry out those kinds of checks on possibly thousands and thousands of different things that you're checking each second.
[00:28:31] Akshat Choudhary: Actually, that's a great question. And again, we can use the airport analogy. So what he can have is you can think of the airport analogy in two ways is and as you know, if you go back the longest time, you would see that you need to take off your bags, take out all the laptops. Take out all electronic devices, no water, nothing is permitted.
You need to walk through and then there's a person who pats you down that takes forever, right? And there are firewalls of that kind, right? And there are firewalls which are like where you have a whole stack of just imagine you're flying first class. You have a whole set of scanners available because are a Saudi prince, or sorry, a prince of, or a king of some kind.
And you obviously do not, or you're an important dignitary. You don't want to wait, so you just walk across and you have the system which is able to identify. It's almost like you're just walking across the system with zero or no difference to slow you down. And scanners today can work like that.
In fact, at Malcare, we've spent a lot of energy in making the scanner be almost negligible. It still takes something, but it is negligible. And the reason we are able to do so is, and this is where the differences start showing up, because people broadly say, okay, plugin based firewall, it's all the same.
No. We use our servers to do a lot of heavy analysis before pushing out rules to the site. This ensures that there is no database access when the firewall is loaded. Minimum amount of code is executed when our firewall is loaded. And because of this, the firewall works really fast. But I'll also tell you this thing that all things said and done and that the, there are other firewalls which might be slightly older.
But given the risks involved it is fine to even take them and if you look at the bigger picture as to how much time it's taken to, for example, you're flying across halfway across the world. Then the amount of time spent at the security is almost negligible, even with a traditional firewall, plugin based firewall.
So it comes down to the risks involved. And do you want to take that risk? It's, and people really paint especially a lot of plugin makers who do not have a firewall component. They will make very broad strokes saying that no, you'll slow down your website and it can. So you need to make a balanced judgment.
We at Malcare have taken an approach where we have said that no, all the heavy processing, let's not let the WordPress site deal with it. Let's offload it to our specialized servers, which have optimized algorithms to deal with all of this data, analyze it and then set a rule, which will actually protect your website.
[00:31:22] Nathan Wrigley: So there are different types of firewalls. Yours is a plugin, but there are different things. So for example, what comes into my head are things like Cloudflare and Sucuri. Do you want to just explain what the difference is between the way that they approach things and the way that a plugin can approach things.
[00:31:46] Akshat Choudhary: All right. So yeah, actually, this is a great question. Cloudflare, the other thing you will see online is, hey, what are you doing? Just add Cloudflare to your site and it will be protected. And Cloudflare is an incredible brand, incredible product, you know that they have this huge halo effect and we'll highly recommend adding Cloudflare. But understand why you are adding Cloudflare, okay, let's understand what's the difference between a Cloudflare based firewall. Even the plugin based firewall can be of multiple types.
Like I mentioned, our firewall is doing all the heavy lifting outside the, not on the WordPress side does it outside all the processing. There are others, for example, which do it and let me not take names they create a lot of, so you'll see very large tables getting created, they process all the data on the websites, adding to the load.
Further the plugin based firewall can be such that it the firewall is the very first line of code to execute when a request is sent to your site. Alternatively, plugin based firewall can also load as a traditional plugin. So that plugin will load just as so after half of WordPress is already loaded and there are at one, there's a disadvantage when that happens, because if there's another plugin which has a vulnerability before the firewall is loaded.
Then you are in a, you are in trouble. Now, the argument against plugin based firewall apart from this is that, hey, you should ideally block the request even before even before it comes to the web host. Why does it even come so close to your website? And then maybe there can be one sort of site, it makes sense, right?
You don't want germs to come anywhere close to you. Forget scrubbing it off later. And there is some sort of logic and there is some reasoning to it. And the obvious answer there is to use something like Cloudflare. Even Cloudflare versus Sucuri are greatly different. But let's talk about Cloudflare because that's the thing that everyone recommends.
Now in my opinion, Cloudflare is really good. But when it comes to protecting against vulnerabilities, Cloudflare out of the box has almost zero protection. Okay, you can configure certain generic rules, but Cloudflare is not monitoring what plugin vulnerabilities exist on your site, what is going on on your site, to configure special rules. And if you don't have those rules on your website, then you cannot protect against it. So Cloudflare frankly is good. It protects you far away. There are advantages to it, but the level of protection it offers is very limited.
[00:34:31] Nathan Wrigley: Is that a product of the fact that Cloudflare is generic as opposed to something which is WordPress specific? In other words, I just want to know if I'm getting that basically. Is it because in the case of a WordPress firewall, there's WordPress vulnerability firewall rules that are configured
based upon knowledge of the things that are going on in the WordPress hacking ecosystem?
[00:35:05] Akshat Choudhary: Exactly. Actually, you've just nailed it. And if you understand Cloudflare, you'll see that there are no rules specific to WordPress in there. Not even one, and I'll give you two examples, right? For example, do you want to allow a zip file to be uploaded to your website? You'll be like, I should not, maybe that can have malware, and maybe you can create a rule of that kind. But the thing is, what if you're an admin uploading a plugin?
Now how does Cloudflare make that distinction? It cannot. Whereas if you're in Malcare, we know if you're an admin level user, we will give you a lot more permissions than a normal user.
Whereas Cloudflare is like a generic; they've tried to, again, solve for every web application rather than WordPress.
[00:35:57] Nathan Wrigley: Okay. Alright, let's figure out exactly where Malcare fits in the stack of things. Now you mentioned that it runs inside WordPress, so let's nail all this down. It's a plugin, it is therefore sitting inside the WordPress file system. You go into the folder which holds all your plugins, there's Malcare somewhere in there or whatever it may be.
How is that getting in front of traffic? So you'll need to explain that to me because I genuinely don't quite understand that. How is it that a plugin which is inside of WordPress, if you like, how can it get in front of WordPress, and how is it able to detect things that are happening before WordPress itself is able to load?
[00:36:56] Akshat Choudhary: All right, so there are multiple ways, and we do it based on figuring out how the website is set up. But basically what we do is we have a special, our own, firewall file. That file is the very first file that we force the WordPress site to load. Now, this can be done using this thing called an .htaccess or php.ini rule, or it can be done by inserting it in certain places in the WordPress code itself.
And by doing these things, depending on, again, the severity, the kind of configuration available on your website, we support different modes, and we figure out what is the best way to intercept all the traffic. Just imagine that as soon as a request is made to the website, and if it is not a JPEG or a static file, then the web server is instructed to load our script first, even before it loads anything related to WordPress. Now our script can go through every parameter that is there in the request. So we can inspect the request inside out and then run those requests over very optimized rules to determine if something is wrong or not.
[00:38:13] Nathan Wrigley: Got it. Got it. Okay.
[00:38:14] Akshat Choudhary: Got it? Yeah, so that's a simplistic view, but I think that accurately covers it. It's the very first line of code that gets executed.
[00:38:20] Nathan Wrigley: Right. Okay. Okay. Thank you. So we've spent a long time building up the picture of how a firewall works and how it fits inside the WordPress ecosystem. Sorry, how it fits inside the WordPress install, your unique installment, and what it does and all of that. I think we've probably done a good job of that.
So let's move on and talk about this recent furore which has been going on. Now I've recorded a few episodes and I've said this inside of each of the episodes. I'm just going to basically repeat myself. There's been some toing and froing, largely on social media, I think, about the nature of firewalls and whether or not they protect you and so on and so forth, and I've recorded three episodes about this subject.
I've tried to get both sides of the discussion and I've said to everybody who I've recorded, I'm going to get them all recorded and then I'll put them out in a random order. And nobody can listen to the podcast episode and, essentially, everybody just gets their fair shot. So I'm going to do what I did with the other ones.
In the most recent news, some of the other guests, and you can find those on the other episodes surrounding this, were making the claim that because of the fact that the firewall lives inside of WordPress, if a vulnerability in another plugin, so not your plugin, but another plugin, has the ability to, let's say that you've found a vulnerability, a hacker knows about it and then they've got access to roam around inside the WordPress install, what's to stop them changing the firewall rules
that Malcare introduces? In other words, if you can get inside the WordPress install and in some way rewrite the files, rewrite the firewall rules, if you like, what's to stop that from happening? And their argument was that renders it, in some situations, it just wipes out the firewall, or at least it potentially could if the hacker was skilled enough, if they got in, if they spotted there was a firewall, they could just say, okay, we're going to add, I don't know, we're going to whitelist our IP address.
We're going to rewrite the firewall rules so that our packets get through and so on. So yeah, address that.
[00:40:46] Akshat Choudhary: Alright, so actually again, first, Nathan, thank you again for just keeping it so transparent and approaching it in a good way, where everyone gets to talk about it without setting on other stores. That's really important when you have such a heated discussion, and so the one connection, I would say, and again, you see this happen so often, is you're mixing firewall with malware scanning. Okay, so the firewall is a separate part, which is protecting from attacks. But let's assume that the firewall did not protect you from an attack. Okay. And this is something which we say, that there's no such thing as foolproof protection. And if any web host, any security plugin tells you that there's foolproof protection, you cannot get hacked,
now, frankly, they're lying. Okay. And they don't know what they're talking about, or they are misguiding you. So you have to always be prepared that your site will get hacked and can get hacked. So what has happened is, a hacker has circumvented your firewall and they are inside your site.
What do hackers typically do when they are inside your site? They are going to install malware. And malware is this kind of code which does a lot of malicious stuff. It does a lot of things like SEO spam, attacking, sending spam emails, collecting data, installing malware on your visitors' computers, stealing WooCommerce information, credit card information.
So it does all of that stuff. And really dangerous things. So in case your firewall is not able to protect you, you need a mechanism to identify that your site has been hacked as soon as possible. Now, the way to do it is to scan your content, your website's content. And this is again something which is not very well covered, that malware can exist in the database and in files.
People again tend to say that, okay, no, it's the files, and files is a very important place, but it can also happen in the database. So what you need to do is you need to continuously scan, or regularly scan, to find if your website has been hacked and it has got this injected code which the hacker has put inside your site.
And you want to identify that at the earliest. All right. Now, again, like security plugins, every malware scanner is different. All right. The most popular malware scanner obviously is Wordfence. It has a built-in malware scanner. It's all self-contained in the plugin. I wouldn't call it fully self-contained, but mostly self-contained in the plugin, where the plugin has a bunch of rules which goes through every file and checks if there's malware in it.
Now, the whole controversy around it is at multiple levels. The one is that the checks, the malware checks that are present in something like Wordfence, are primitive, and hackers can easily circumvent those checks, and that is true. I wouldn't call it primitive, but yeah, there is scope to do a much better job than something like Wordfence, and that really sets us apart, actually.
So that's number one, and that's the first part of the controversy. The second part of the controversy is that once a hacker is inside, then the hacker can actually override the plugin's code. And effectively, you will no longer know that the plugin is the plugin; you'll stop the plugin from doing its job.
And there are a few PoCs, et cetera, created to show that this can also be done. And for something like Wordfence, definitely it's a problem because it is fully self-contained in the WordPress site. This is where actually Malcare's approach is completely different.
In fact, even Malcare's approach has been combined with other service based security plugins and malware scanners. And again, their approach is very different from what we have. And we have a lot of systems in place which will protect, which will alarm you when something is wrong.
When somebody has manipulated our code. They mentioned that the person can just deactivate the plugin and you won't know. With Malcare, you will know right away; the moment the plugin gets deactivated, within five minutes you'll get an alarm saying that, hey, the Malcare plugin has been deactivated.
Have you deactivated it? So again, because they are taking a very broad approach, very broad, to make their point, I think they make a few mistakes of this kind. Further, even the malware scanning, right? We consistently find malware which all of these other guys cannot find.
And that is because we have spent years building algorithms which go beyond signature matching. And all these security scanners, they're all doing basically signature matching. They're looking for certain signatures and they're matching that signature. What we do is we have written, from the ground up, our own algorithms and look at 100 plus signals to identify whether something is malware or not.
And we track the data on your website, all the changes that are happening to your website. So if you mess up something, we will know. Further, we do not rely on what the website is telling us. We can actually execute signed code on your website. So there is no way you can circumvent
the malware scanner, or it is ridiculously difficult. And even if you get away with it once or twice, we will know. And once we know, we will be ahead of you. Because our scanners are completely independent of the website.
[00:47:34] Nathan Wrigley: Is there any scenario, sorry to interrupt you there, is there any scenario in which a hacker, having gained access to the WordPress website through a different means, they've found a vulnerability in another plugin, is there any way that they can sit between your plugin and your infrastructure,
the SaaS bit, if you like, of Malcare? Is it possible to, for example, hack the Malcare plugin, or not the Malcare plugin, but embed some attack on the website such that the data which passes from that website to your infrastructure can be rewritten in such a way that: don't worry, everything's fine, even though everything is not fine, or the plugin is still installed, even though the plugin is not installed?
Because I seem to remember that was part of the argument as well, is that because it's a plugin and it sits on top of WordPress, if you can hack the WordPress website, there was an opportunity to get in between Malcare's SaaS portion and the plugin and in effect hobble it at the knees and make it so that it wasn't receiving the telemetry that it should be receiving.
[00:48:53] Akshat Choudhary: So, it is incredibly difficult. It would be wrong for me to say that it's not possible at all. But it is incredibly difficult. And whatever they do, because we have, so they might get away with it for a few days in the worst case situation, after it being super difficult.
But even when they do that, we have enough controls in place to be able to identify and fix those issues. Because we are running, so let me put it this way. So the hacker is running the code in the WordPress site, correct? And we can run code in the WordPress site because of the nature of the access that we have.
So we are on equal footing inside the plugin. But we also can run code on our servers. So we already have a one up advantage over what the hacker has. And we are tracking all the data, all the changes happening to your website. If you think strategically, if you think logically, you realize that we have an advantage which the hacker just does not have, because
of our ability to run code which is completely outside his control. Does that make
[00:50:05] Nathan Wrigley: Yeah
[00:50:05] Akshat Choudhary: Because
[00:50:07] Nathan Wrigley: It's it.
[00:50:08] Akshat Choudhary: So far, let me give an example. So for example, suppose they say that they modify a file, right? And they modify a file which sits in front of WordPress, and they modify all the content of it. Now what we have is, suppose they sent us the modified content, what they do not understand is that we also have all the historic content of the website.
So we know that the content that you are sharing with us is not matching the previous content and there are discrepancies there. Further, we can actually execute signed code on the website, which ensures that it's outside the ability of the hacker to manipulate. So there are these, and again, we don't talk a lot about this because of the nature of the problem; in security, a lot of things are best left unsaid.
But we have a lot of controls in place to ensure that these kinds of attacks, they look nice as a college project, but in reality, they are really difficult to pull off. Now, one last thing I want to say, actually, is it might appear that I've defended Malcare and said that there are huge advantages of Malcare.
There's a reason why we built it in a certain way, because we didn't want to just build another security plugin. We had a certain idea in mind, but I don't want to throw Wordfence under the bus. Okay? It's feasible for such an attack to take place and it's feasible to circumvent Wordfence.
I understand that, but it is a lot more, we have not seen that kind of data being shared. I think in the article there are certain kinds of data being shared, and we were quite astounded, like what the hell is happening there. And we're going to write an article as to what our data shows.
But Wordfence is like this. They've mentioned that Wordfence files are modified in a certain way, and that means that actually hackers are using this kind of mechanism very aggressively, and the data does not, we have a lot of data, and that data does not reflect this at all. What does happen, and this is the funny part, is there are files which, every web host has a different way of adding, you know, they make changes to the comments on the plugin.
They change the way white spaces are added to the plugin, so it does not match what is there in the repository. Further, and this is the thing that was a very insidious discovery for us, there are, and I think you would have seen GPL licensing, the same cracked plugins that exist.
There are a lot of people who have installed a modified version of Wordfence so that they can use the premium features of Wordfence.
And my guess is that these guys are just picking up such stuff, because the data otherwise is not matching the kind of data which these guys have mentioned. It just does not add up. So I would stay there that, whether Malcare or Wordfence, you need to use something for sure.
And there's a huge distinction, again, between what Wordfence, Malcare can do versus what a host level system can do. So there are host level systems called Maldet and, I think, Imunify360. And because they don't understand what is WordPress and what is not, the kind of job they do is very basic.
So you will see a lot more false alarms and stuff like that. Whereas Wordfence and Malcare and stuff like that have that advantage that they understand your WordPress site. They understand what is changing on your WordPress site. And it's very easy to get scared and say that, oh no, this is happening so prevalently.
And I'm pretty sure that that data is suspect. And yeah, I think it needs to be reviewed once more to see actually what is happening. Why are these files getting modified? Yeah, and there's a final part, and the final part is malware can also exist in the database. So you also need to scan your database.
And if you look at actually the last few vulnerabilities, many of them only affected the database. So when something is affecting the database, then it has to be approached in a... They do not have that advantage of being able to manipulate the files, or the Wordfence files, for example. Again, do not paint anything so broadly; be very careful as to how you understand the advantages, and what you know for sure is that, for your website, there's no such thing as foolproof security and you need malware scanning.
Because when that happens, you need to clean your site as fast as possible. The longer you leave it around, the more damage it will cause. And some of the best scanners out there are the ones who are WordPress aware.
[00:55:23] Nathan Wrigley: One of the things which came out in the social media around this brouhaha, as you described it, was that there seemed to be quite a few people saying that, because of the nature of the way that a firewall can be attacked if it's a WordPress plugin, and you've just put your case very well,
I think one of the things which I was hearing from one side of the argument was that you really ought to be hardening your WordPress website as well. Possibly, maybe they weren't saying as well, maybe they were saying instead, but we get the point. The idea that hardening it to make it more difficult to be attacked is either preferable or at least a good thing to add in as well.
So do you want to address that? Do you,
[00:56:16] Akshat Choudhary: Actually, a great question, and that's a great question because I know that this point came up in your, I think, the episode, I don't remember the episode, where you did discuss the Malware Madness article. This point did come up about hardening, and hardening can mean a lot of things, so the name itself, hardening, lost its meaning in some ways. You should harden it, but let's understand this question.
Thank you. The question is, how do websites get hacked? If 95% of your hacks are happening because of vulnerabilities, then hardening is not going to solve it. Which is why the very first point we started with was, let's understand how websites get hacked. Because if you don't understand how websites get hacked, then you make...
Then you make these arguments, let's harden it because that's a better way than doing a firewall. I'm not saying firewalls cannot, there's no such thing as foolproof security. But what does hardening do? Mostly, let's look at the hardening from the perspective of the most famous plugins.
And they do things which I actually completely disagree with. Things like renaming the WP login page, hiding WordPress, stuff like that, or doing things like directory listing, which in today's world, the directory listing issue is a non issue. Most web hosts take care of it.
You should do it, but let's understand that the likelihood of your website getting hacked because of that is approaching zero. What you need to address is, how do websites get hacked? Let's understand. It's like you've got a jewelry store and you know that you have this main gate which does not have security.
Or there are some flaws in their security. So people are going to exploit that; they're not going to dig a hole. That's not the standard way they are going to get in. You obviously need to protect the floor also, but instead of spending all your money and all your energy on protecting the floor, which sounds nicer, and you're like, okay, yes, there is somebody digging a hole in some corner of the city,
oh, they must be attacking my bank. And that's a wrong approach. So you need to protect the entrances, the windows, and everything else. And also do the floor, but it is not a replacement for protecting the entrances, windows, etc., or the roof.
[00:58:55] Nathan Wrigley: Thank you. I think that was probably everything that I wanted to ask around this. I'm conscious that I want to give you the opportunity to say anything else that you think I may have missed, but also I would encourage everybody, if they're listening to this and they're curious about what we're talking about, maybe this is the only episode you've listened to in weeks.
Maybe an episode before or an episode after there'll be connected episodes, if you like, all about WordPress security and you'll get to hear the different sides of the argument. Okay, Akshat, firstly, is there anything else that you wanted to get off your chest before we call it a day?
[00:59:36] Akshat Choudhary: All right. Thank you again for being very patient and asking some great questions and giving me this opportunity. I wouldn't call it get off my chest, but I just wanted to address one more thing, because it comes up so often, and even in your episode, I think a month ago, a lot of the panelists, I think all three panelists, made the argument for a good web host, saying that it is the responsibility of the web host to secure your website. And I understand the web host. It is super important, and web hosts are working towards securing your website, but when you look at the level of responsibility a web host has, they are actually dealing with things like state actors, really sophisticated hackers, as you have seen with the likes of GoDaddy and more.
And the kind of effort and systems they need to create to secure those parts is incredible. And a lot of their energy goes into solving for that because they are the most sophisticated actors in the ecosystem. Further, today a lot of web hosts, but not all of them, have things like Maldet and a few security systems in place.
And those are good, but let us understand that the web host has limited resources, given the kind of money that we spend on a web host. We want the world for 10, 20. It just is not feasible to provide this level of security across all their sites. And we have seen people improving it, but we have not seen anyone get anywhere close to something like what a Wordfence can do. Not even close to what a Wordfence can do. So I think we unnecessarily blame or expect the web host to protect our website. It's an unfair expectation, and because you have this unfair expectation, then you'll be, oh yes, it's my web host's responsibility, but the web host is not going to solve it.
Or maybe they'll not solve it in the foreseeable future. So do you just give up and die? No, you don't. I think that argument that, oh no, it's the web host's responsibility to protect your website, to some extent, yes. But the reality is, web hosts are nowhere close to the state of the art that a plugin today has.
[01:02:12] Nathan Wrigley: Thank you. That was great. Yeah. Another final point to throw into the ring. That's lovely. Thank you. Okay. So we're coming up to an hour. So I think we'll knock it on the head. As we say in the UK, we'll end it there. Obviously, if you've got any comments surrounding this, please feel free to go to the wpbuilds.com website. There'll be some comments open there. You can contribute your thoughts. That would be great. But in the meantime, Akshat Choudhary, thank you so much for joining us on the podcast today. I really appreciate it.
[01:02:41] Akshat Choudhary: Thank you so much, Nathan. Thank you for being patient and having me on this podcast. I'm glad to be here again. And I really appreciate it.
[01:02:50] Nathan Wrigley: Well, I hope that you enjoyed that. Very nice to get Akshat Choudhary on the podcast to give his opinion on his own products, whether or not there is any utility in software like malware scanners, and firewalls for WordPress.
As I said, this fits inside of a four episode series, if you like. There's one from Calvin Alkan, Dan Knauss and Thomas J Raef. They all give their opinions. One of those is already live, Calvin Alkan's, but the other two are yet to come. So keep your eyes open for those.
The other thing to say is if you've got any commentary, please do it on the WP Builds.com website, WP Builds.com and search for episode number 340. And leave us your comments there.
The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting. That includes free domain SSL and 24 7 support. Bundle that with The Hub by GoDaddy Pro, to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me forward slash WP builds. And we thank GoDaddy Pro for their support of the WP Builds podcast.
Okay, we'll be back next week. It'll be a chat with David Waumsley and I, and then the week after that, we will have another in this little mini series. I hope that you enjoyed it. Please remember the page builder summit, it's happening in a couple of weeks time, 18th to the 22nd of September. Go check it out. If you've never been before, it's really much more than page builders. I genuinely mean it. Page builder summit.com.
That's all I've got for this week. I am going to fade in some cheesy music and urge you to stay safe. Have a good week. Bye-bye for now.