344 – Dan Knauss on why you should harden WordPress

Interview with Dan Knauss and Nathan Wrigley.

This is forth of four podcast episodes related to WordPress security.

WP Builds is brought to you by...



GoDaddy Pro

In case you did not tune into the previous episodes, I feel like I need to add some context to the show notes so that you understand the context of what I’m doing here.

What follows is a repeat from other podcast show notes, so you can ignore the next few paragraphs if you’ve read them already.


A little while ago there was some news in the WordPress space about the merits of using plugins for securing your WordPress website. Researchers had discovered ways in which the effectiveness of the plugins might be compromised. There were several posts on social media which amplified the issue, making it harder to gain an understanding of what happened, and when.

Want to get your product or service on our 'viewed quite a lot' Black Friday Page? Fill out the form...

I decided to reach out to a number of people to get ‘their side of the story’.

Also a first for this podcast, I set some ground rules for the interviews to take place:

  • Each participant (there are four in total, one per episode) was told who the other guests were
  • Each participant was told that their episode would not be published until all four recordings had taken place
  • Each participant was told that their episode would be published in a random order

What you’re listening to today is the second of that random publishing schedule. The other three episodes will come out in the following weeks.

This was done to ensure that the guests did not have. a chance to listen to the other participants episode, and therefore had. a chance to ‘better prepare’.

With hindsight, this was likely overkill as all the guests were very thoughtful and polite. They do in some cases mention rival products and describe areas where they think that errors were made in code and communication. That being said, there was no general sense of mud slinging that I detected.

The guests are (in random order):

  1. Calvin Alkan – Snicco
  2. Akshat Choudhary – Malcare
  3. Dan Knauss – iThemes (now SolidWP) – this episode
  4. Thomas J Raef – We Watch Your Website


I’m going to keep my commentary here to a minimum to avoid getting embroiled in the debate, but here’s some additional information about what we cover.

Headlines of the topics we discuss:

The importance of WordPress security

  • Metaphor of a firewall to discuss security approach
  • Different levels of security: firewall, server level, targeted security measures
  • Importance of timely updates and vulnerability management
  • Recent social media dialogue on security

Introduction to the guest and speaker

  • Dan introduction, Dan as a technical content generalist
  • Rebranding from iThemes to SolidWP
  • Long history with WordPress and other platforms

Discussion of the article that sparked community conversation

  • Article headline and justification
  • Community dialogue and internal discussion
  • Importance of the discussed issue and confidence in its relevance
  • Importance of education and understanding WordPress security

Comparison of different security approaches

  • Different approaches to WordPress security
  • Mention of security plugins and firewalls
  • Introduction of a new interface for determining security needs
  • Custom security policies and risk management
  • Two-factor authentication and other security measures

SolidWP’s approach to security

  • Introduction of SolidWP’s product
  • Interface features and guidance on security measures
  • Firewall-like features to prevent malicious activity
  • Description of PatchStack and its role in identifying vulnerabilities
  • SolidWP’s ethical focus and alignment with open source values

Critique of other security plugins

  • Criticism of “bolted-on” features in other plugins
  • Exclusion of malware scanner in SolidWP’s product
  • Separation of security failure and cleanup concerns
  • Recommendation of external services for security issues

Verification of advanced malware capabilities

  • Reference to collaboration with Calvin Alkin, and Snicco (see other episode)
  • Techniques to bypass security plugins and scanners
  • Mention of Thomas J Raef (see other episode) organisation for intrusion detection
  • Hard numbers on compromised sites and plugin effectiveness

Interviews with industry professionals

  • Mention of interviews with Calvin, Thomas, and Akshat Choudhary
  • Recommendation to listen to previous episodes for more information
  • Agreement with Calvin’s critique of WordPress malware scanners
  • Comparison of security plugins to building fences
  • Impact of scanners on performance and system infiltration

Rebranding and updates for SolidWP

  • Dropping the Pro language in favour of Solid Security
  • Rebranding process and updates in progress
  • Free version with essential features and premium paid version

The WP Builds podcast is brought to you this week by…


Omnisend is the top-rated email and SMS marketing platform for WordPress. More than a hundred thousand merchants use Omnisend every day to grow their audience and sales. Ready to start building campaigns that really sell? Find out more at www.omnisend.com

GoDaddy Pro

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

The WP Builds Deals Page

It’s like Black Friday, but everyday of the year! Search and Filter WordPress Deals! Check out the deals now

Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.

Read Full Transcript

[00:00:00] Nathan Wrigley: Hello there, and welcome once again to the WP Builds podcast, you have reached episode number 344 entitled Dan Knauss on why you should harden WordPress. It was published on Thursday, the 5th of October, 2023. My name's Nathan Wrigley. And before we get over to Dan in the interview, there, a few bits of housekeeping.

The first thing to mention is that black Friday is coming up. As we do every year, we put together an exhaustive list of all of the best WordPress deals that could be hosting. That could be plugins, blocks, themes. Anything like that. We put them all on one giant page and it's searchable and filterable. So it makes it very easy for you to find all of the deals. If you would like to be a part of that. Head to WP Builds.com forward slash black. One more time, wP Builds.com forward slash black. And over there, you're going to be able to find a button, and that button is called, add a deal. And if you add a deal, then I will hopefully put it on the page. There are some caveats around that. Obviously it has to be related to WordPress and so on, but if you feel that you have a product or a service that you would like to feature on our page to increase your sales.

As I say, sometimes this page is viewed in air quotes, quite a lot. So, yeah, that's something that you might want to consider. The other option of course, is every year we have that page sponsored. We have a pride of place sets of little badges at the top, which we are offering in exchange for sponsorship. And if you go to the same page, WP Builds.com forward slash black. You'll see some little yellow buttons at the top. Entitled gets pride of place now. Well, if you want to be featured and have your product, have some sort of exclusivity on that page. Please feel free to do that.

The other thing to mention is I'm trying to encourage people during the course of the podcast. If there's something that you're interested in, rather than going and posting on social media about it, I'd really appreciate it. If you use the commenting system on WordPress. So if you've been triggered by something that you hear today or you're intrigued and you want to find out some more head to WP Builds.com search for episode number 3 4 4. And leave us a comment there. We would really appreciate it.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting. That includes free domain SSL and 24 7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. You can find out more by heading to go.me forward slash WP Builds. That's go.me forward slash WP Builds. And we sincerely, truly think. GoDaddy Pro for their ongoing support of the WP Builds podcast.

Okay. As I said, at the top of the show, we're featuring Dan Knauss today, he's from SolidWP, which was formally iThemes. And he's talking to us today about hardening WordPress. This is the fourth out of four episodes in which we feature WordPress security. We in the past have gone to great lengths to mention the fact that we don't really want to stand on any particular side and endorse any particular position. And so there were four episodes with Calvin Alkin Akshat Choudhary, Dan Knauss, which is this one and Thomas J Raef, and we put them out in a random order.

And the rules of engagement were that no episode was going to be published until all the episodes had been recorded. So this is Dan's position. He's talking about hardening WordPress. So we talk about the importance of WordPress security. We introduce Dan, we have a discussion about the malware madness that sparked these four episodes. We compare different security approaches and talk about SolidWPS approach. And we also talk about the verification of, uh, of advanced malware capabilities. And we talk, we actually get into the other episodes as well. And we talk about those and also about SolidWP and what's caused the rebrand from iThemes. So this is an episode which stands not in isolation, but with three others. And I hope that you enjoy it.

I am joined on the podcast today by Dan Knauss. Hello, Dan.

[00:04:50] Dan Knauss: Hi, Nathan. How you doing?

[00:04:52] Nathan Wrigley: Yeah, good. Thank you. Nice to have you on. We are going to be recording a podcast episode today all about security. There will be mention of certain security products. This is going to fall in a kind of mini series almost of WordPress podcasts that I'm doing with various people who have an interest in the security side of things.

Given that we're talking about security and vulnerabilities and all of that gets at least can get fairly technical. I think Dan, it might be a good idea at the beginning just to just to give us your bio. Who do you work for? How long have you been using WordPress? What's your background in tech and all of that?

So over to you.

[00:05:32] Dan Knauss: Sure. Oh it's been a long time. Currently I'm the I'm a technical content generalist. And I get into a lot of things beyond writing and editing, but I, you'll see my byline coming up at at the I Themes brand. We're going through a rebranding in public where we will end up in a few months time as solid wp which, After which point iThemes will be history, a large part of WordPress history, but the products and the people behind them are largely unchanged going back, ooh, ten, ten years and more.

My own history with WordPress goes back to the beginning. I I'm one of those. Generation X WordPress people who got into open source and web design at the very beginning in the 90s and then when when things like movable type and did a lot with Joomla for a long time and a bit with Drupal and some things that are no longer with us, but probably influenced WordPress a lot like text pattern.

Was always interested in WordPress right from the beginning and client work led to using it, as a blog initially. Ad, adjunct to another CMS or something like that or an e commerce platform. And then it just became... The way to do just about anything probably around 2008 to 10.

And yeah, I've done a lot of a lot of client work, a lot of projects of my own, building things with WordPress. And then previously worked with PostStatus for many years. More and more with David Bissett and Michelle Frechette there, who's a colleague at... StellarWP, the parent for iThemes and the Solid brand and many others.

So I've been thinking and writing about and talking with people in the WordPress community for quite some

[00:07:55] Nathan Wrigley: Yeah, that's an amazing history, isn't it? Bravo. A lot you've done. That's amazing. Can we just go on to the SolidWP rebrand just for a couple of minutes? Because I'm sure that many people will know about that, but equally, maybe there'll be some people thinking, Oh, hang on a minute. iThemes is going away.

What's going on there? What's the reasoning behind that? And which brands are being folded up underneath this new SolidWP brand?

[00:08:21] Dan Knauss: It's just it's just iThemes that's going in there. The reason that we're dropping, the very, the little lowercase I and the focus on themes was where that company was in the beginning. We're no longer doing doing themes, had one of the earliest builder

[00:08:46] Nathan Wrigley: Yeah,

[00:08:47] Dan Knauss: but now yeah, Cadence WP has taken off and is part of the Stellar WP portfolio.

And They are a tremendous theme. We use them at Postatus and use quite a lot with Stellar WP products. We're really focusing on the, what solid implies, the foundational products that have really come along. Especially iTheme Security, which will become Solid Security. And that will be part of a suite where we bring along the next iteration of what was BackupBuddy, Solid Backups.

And then there's a management somewhat of a Sass Solid Central, which replaces iThemes Sync. And these all flow together into a single suite where you can... You can log in and manage security and see what's going on with your site in terms of SEO, it's security and run backups or restore a backup archive onto a new site or something like that.

[00:09:56] Nathan Wrigley: Yeah, I guess if you're fresh into WordPress. Themes are not quite what they once were, where they when iThemes began, that was really plugins and themes were the buzzwords, weren't they? And if you're no longer doing themes and you've, that's really now being handled by Cadence. I guess it, it doesn't really make too much sense to have that confusing word in the title of the company.

So what was it? It's going to be iThemes, sorry, it's going to be solid backups, plural. It's going to be solid security, I think you said which was iThemes security and the sync, the iThemes sync is becoming solid central, right?

[00:10:38] Dan Knauss: Right. And there's also Solid Academy, which replaces continues iThemes training, where Nathan Ingram, with his weekly live streams and training courses Provides a continuity there with the great community he's brought along. We've got a lot of freelancers and agency people and people who are building things with WordPress.

Who are coming along with the solid brand too. We're a foundational website that's security hardened and ready to go is really important to them.

[00:11:18] Nathan Wrigley: It's on the surface, it seems like it would be a fairly simple thing to do to rebrand a company from one name to another. You swap out some logos and you're done. Of course, the reality is probably Really, anything but. You've got to forewarn all of your customers that something's about to change so they don't freak out when they see a load of differently named plugins suddenly within their WordPress install.

But also, I'm guessing, just things like rewriting the documentation so that it's all now correct and branded correctly. There must be weeks and weeks of work in this.

[00:11:53] Dan Knauss: Yes. I've been on it for a while. I came into the, into working on this with Stellar back in November, December last year. And yeah, there's a lot, there's so much older content that needs to come along and anyone who's done a migration of an older site it's just, it's all that. Plus you've got to do something with all the references to an older brand and the redesign that goes into that.

[00:12:25] Nathan Wrigley: Yeah, and all of the search engine stuff that needs to be done so that it gets picked up correctly. So we're going to talk a bit about security today. Obviously, we will in the future be talking about solid security. That's the plugin and the tool, if you like, that you're obviously most familiar talking about.

But, just a quick word for the audience members. This, like I said, is going to be in a, like a little mini series. If you like, I've spoken to three other people and I'm going to randomly put these episodes out in no particular order. But they all have. Interesting positions about security and the effectiveness or otherwise of the product that they have or the product that they've been inspecting.

So this really drops into that whole conversation, but let's kick it off, Dan, with just your thoughts on the state of security. What are the kind of things that a typical WordPress user, AKA somebody that's listening to this podcast, what are the things that they need to be thinking about when we talk about website security?

[00:13:30] Dan Knauss: I think one of the first things people run into when they're, when they've started building sites with WordPress, either their own, but especially with, for other people and they as you typically do, a good business model is to get into some kind of management maintenance ongoing where you might have a monthly recurring Revenue model based on providing support and maintenance to your clients.

WordPress ever since, I think it became most valuable to me for client work when auto updates came in. And now we have. A really complicated and interesting supply chain situation of where did this plugin come in? Does this premium plugin update separately? Things that are coming out of the plugin repo.

Running updates and managing those and compatibility with everything else you're doing becomes something you don't want to lay onto. the clients that you're serving and it becomes part of agency work or freelancer work, and we want to reduce the overhead and risk and involved in that.

I think as anyone learns quickly with, in the WordPress community, that running updates in a timely fashion is really critical. Even when there's not a security release, but there, there often are, and they're just looking from, in, in my work looking at the statistics and looking at patch stacks database over time.

We have more patched and un unpatched in, in the initial disclosure vulnerabilities coming out. And it's almost always plugins. There's some degree themes. WordPress core is really solid, and if there are any issues there, those get handled. And. Most really well supported plugins and themes, you could say that too, but there are always, there's always a little gap period where there could be an exploit for something that has more than a million active installs that you're using.

And there are people and bots out looking for ways to exploit those. So that's where we come in trying to assist with that.

[00:16:01] Nathan Wrigley: Yeah. I think it could be broadly stated that the I'm probably going to talk about I themed security, even though we now know it's going to become solid security. But the solution that you have, I think I could probably categorize it under one word and that would be hardening. So firstly, am I using the right word there?

Because I won't carry on down that line if that's the wrong way to classify it.

[00:16:29] Dan Knauss: No, that's a very good word. The new icon that comes with it is a shield,

[00:16:33] Nathan Wrigley: Ah, nice. Yeah.

[00:16:35] Dan Knauss: layers of protection and hardening is a very good metaphor.

[00:16:39] Nathan Wrigley: Yeah, because in the WordPress space, as you will find, if you listen to the other episodes, there's a whole different variety of approaches to WordPress security. So we have plugins, much like your own, which which hardens the website, AKA it, it tightens things up. There's some typical things which a website hacker may well go after and your solution attempts to lock those down a little bit.

And we can talk about what those things are in a minute. Then there's other things like I don't know, firewalls and things like that which are an entirely different approach. So let's get into that. Let's get into what is it that your solution, what is it that it does, what does it harden, what does it lock down.

[00:17:26] Dan Knauss: Well, There are a number of different layers, and I really like the new interface we'll be rolling out because it has walks you through your setup and helps you identify on this particular site there, it's unique what does this client need? What does this website call for?

What's an adequate level of security here? And helping you figure that out. We'll walk you down a path. Do you need to make all your users use passkeys or two factor authentication or just some of them? And one of the nice features we've had for a long time is the ability to create custom groups.

And I think this will, seems very simple, but it's great for people who are doing the kind of you can set a security policy, which is really a key part of, I think, risk management and definitely more where people are concerned with liability and prevention. Looking at your staff, looking at your users, if it's a community site, who here is getting more privileges and we should classify them as higher risk and, maybe prohibit anyone from using recycled passwords or passwords that have.

appeared in a breach, we can set up rules like that. But we could also give them the option, or make it mandatory that you must set up two factor authentication have a CAPTCHA on the login, or switch over to pass keys, which we're really proud to have brought, as for the first, really the first plugin to do

[00:19:04] Nathan Wrigley: Yeah, I remember that. That was a pretty amazing step. Good job. Yeah. Sorry, I interrupted. You carry on.

[00:19:12] Dan Knauss: No, go ahead. That's fine. That user level hardening individual users what they have to go through to get in is really that login screen is a key point. And we can harden that as well. Keeping an eye on it for brute force login attempts, locking that all down. And then besides from a lot of other tweaks you can do to To WordPress to make it harder to, to hack into reducing the attack surface.

We are bringing out a new firewall that is, that's a new feature for us. That's very, integrally related to our partnership with PatchStack and using their virtual patches. And that really closes the door on vulnerabilities. We have a version management tool that, that helps you understand, Oh, this needs, this hasn't been updated.

This is a concern. This theme or this plugin here has a security update or. It's become, it's landed in a vulnerability database. What do we do now? Now the great answer is we've got a firewall that's handling our DDoS type attacks and also preventing anyone from trying an exploit on a known vulnerability that may not even have an official patch yet.

And that's coming in from PatchDax, great work, they're a wonderful partner. So we're offering that to our users and that's really going to add a lot of peace of mind, I think, for security.

[00:21:01] Nathan Wrigley: So, That's curious, isn't it? Because from the outside, it might look as if PatchDeck and Solid Security are kind of commercial rivals in a way. But there's... There's an overlap there, which there's a sweet spot, which you managed to find where you can integrate with things that they have, they can get to be, part of your suite, but that you're not treading on each other's toes.

That's quite interesting.

[00:21:27] Dan Knauss: Yeah, it is. It's one of the great things about the WordPress community where there's a lot of cooperation and that, that whole coopetition thing that we're able to do. Yeah their expertise is available to us too. It's great to be able to learn and talk through our combined Slack channel and what they've done is quite a bit.

different in what we than what we offer. I think their approach is aimed at a different set of customers, but there's definitely huge synergies and their goals are tremendous to help secure open source software. Not just WordPress, I think their sites are much larger than that, but we all have the same purpose of increasing security and bringing greater confidence that when you're using open source platforms like WordPress, they're going to be solid and secure.

[00:22:25] Nathan Wrigley: So nice. He has a perfect overlap there with the word solid. That's good. But in terms of the collaboration that you've got with patch stack, then is that it? So the idea of a firewall, is that a new? thing entirely in your security suite, or is that something which you've had for a little while but you've now just, you're beefing it up, you've got a better option, if you like, with PatchDeck?

Yeah, or like I say, is it just something brand new?

[00:22:53] Dan Knauss: That's rather quite new, especially how we present it in the interface. There has been firewall like features in the sense that we notice when there's a bot that's slamming passwords into your login and block that, and then look across all the network of our entire users, and Recognize. Yeah this thing's hitting a lot of sites.

So let's just send a rule to everyone that blocks it. Patch deck does something similar on a huge level where they're watching the whole ecosystem and developing firewall rules that say, Oh, someone's trying to exploit this new vulnerability. Let's prevent that kind of query and send everyone who's using.

patch deck service and including solid security users. A firewall rule essentially. It's a, firewall is a useful metaphor for thinking about it. Cloudflare does things like this on a higher level. And I think we've usually avoided that, the language of firewalls because There would be a technically correct case for, and still is, that this is often best done at the server level.

And you're, at a good host, your server and your network is firewalled by, on a hardware level and by similar software that's looking for bad queries. So they never ever even hit your WordPress install and you're not using hosting resources on. Your web application to do this work, but this is a nice balance for us because it's very targeted We're not trying to cover, you know Every vulnerability from 10 years ago We're just getting the confidence that hey, there's a vulnerability and some code we're running They haven't quite got a patch yet, or we can't implement it There is an update but we can't do it yet because we haven't tested and we don't know if it's gonna break down The site.

So we need a little window here. We need a little extra time. That virtual patch is going to come down automatically and go into an effect, and if anyone tries to exploit that vulnerability, even though you theoretically have it no, they're not going to get in. They're blocked right there. So this really closes the door.

If you're, if you've done the due diligence with your user hardening, you know who your users are, you're managing them, you've done other hardening. You're running updates in a reasonable way. This is going to close that last potential higher risk area.

[00:25:35] Nathan Wrigley: Given that PatchDeck is obviously a, they're a company, they're in the WordPress ecosystem, but they also have a commercial slant to them. The question I've got really next would be, is that particular feature, is that going to be something that you would need to pay for additionally, or does it just get bundled in?

In other words, is it, can you toggle on and off the firewall as part of your billing, or is it just, if you've got the security solid security that comes with it.

[00:26:12] Dan Knauss: It does, it comes right with it. And we're dropping our Pro language, and we're simply selling Solid Security, and that's, that is the premium product that would use, would formally be called Pro, but the version, Solid Security Basic which would be the differentiating term. If you go into the, Plug in repository at wordpress.

org And find us there. We're working on rebranding and rolling that whole update out So what you would download there would still have all the essential features the foot what changes with the firewall is we're following how patchdoc works if you're using it for free you get patches that Aren't up to the minute they are so good that they've got a 48 hour window where there are vulnerabilities that have not yet been publicly announced, but have been known about and they have a solution.

There may be a patch coming from the plug in or theme owner. And there's a window of time where our our paid users even for that. That's a very small specialized audience that may really need that. If you have a ton of traffic, you're a high you're potentially a target or your sense of your risk level is high.

You, you probably want the best protection that you can get. That's going to close that risky level even further. But for the person who's trying it out or using it at a basic level, they are getting, they're still getting the firewall with really, I would say well beyond adequate protection there.

So we don't want to have features where they don't really deliver because you're not yet a paid subscriber.

[00:28:20] Nathan Wrigley: right. So there's going to be solid security and that in effect is like the pro version, then there's going to be a repo version where it's free, but there's a difference in the firewall set up in that as per patch stacks rules, the, there might be a slight delay of a number of days or something like that between the release of the patch and the, if you're on the, if you like the pro version, which is now just called Okay.

Solid security, you get that right off the bat. As soon as it's created, you have it. And if you're on the free version in the, from the repo, maybe not quite immediately.

[00:28:59] Dan Knauss: Right, and I don't think that would apply when there's like a zero day exploit that everyone's aware of and it's really bad. Everyone in the community is going to try to help everyone secure, secure a situation like that as quickly as possible. This is not that.

[00:29:17] Nathan Wrigley: There was, we're recording this right at the beginning of August. I'm not entirely sure when this episode is going to air, but we're recording it in August, 2023. Over the last few weeks, possibly months, maybe, there's been some interesting back and forth dialogue on social media in particular.

About certain security related issues. So obviously, we know where you're coming from. We understand that you're representing solid, but those other companies, they'll have their chance in their episodes as well. But I do want to touch on that. And if you've got anything you want to add to that conversation, anything that you've discovered recently, or just really stating your position about why you think your product hits the right balance of what a security plugin should be doing.

[00:30:08] Dan Knauss: Right. I'm really proud and I think we all are really proud of the product which owes a lot to our longtime lead developer, Timothy Jacobs being really ethically focused and really aligned with open source values where we don't add Features that we don't have the highest confidence are really adding security and really doing security.

There are a lot of other things that are often bolted on to security plugins that I would say are not, they're not really security tools. The malware scanner is what came up recently as a as a feature that we have never included and feel ever more justified in, in doing that because it's really a cleanup.

It's an, we want to prevent people from having hacked sites where you need to. have someone detect, Oh there's some, there's been a compromise. There's some malware on here. That is not, that's what exactly we want to prevent. That would be a security failure. So that's a separate concern of cleanup and.

In the past, we've recommended companies that do that, like Securi, and also going back a ways, WeWatch, your website, which is Tom Rafe's organization, and he recently along with some work that Calvin Alkin and Snicko and others were doing with PatchDeck, looking in and verifying What they were showing was that there is now advanced malware that if it lands on your site it's able to look and see, oh, you're running a security plugin with a with a malware scanner.

defeat it in some way. Then they showed there a couple of Calvin did this where there are a couple of techniques like white listing what the mal, where the malware is and what it's doing. So the scanner will never pick it up. And there are a variety of methods and Calvin provided not only proof of concept and published about that Tom Rafe's work with WeWatchYourWebsite, where he is, he's doing active intrusion detection and doing that at a huge scale.

He had hard numbers on, here's how many people were, here's how many sites were compromised with this vulnerability, and we saw the malware take out defensive efforts of security plugins that do offer a malware scanner. So as that technology becomes compromised, it's just, it's something we would drop.

If we find a feature that's not useful anymore we don't want to do that. And fortunately, we've never had malware detection. That really can only with high confidence be effectively deployed from the server level. If you're running a malware detection Program inside WordPress inside the same PHP instance where the infection is.

It's too late. The call is coming from inside the house.

[00:33:36] Nathan Wrigley: Yeah, so just to give again, if you're listening to this podcast in isolation, if you haven't listened to one of the previous episodes, or maybe circumstance will be that this episode is the first one that I put out, I don't know. But I have also spoken to. I've spoken to Calvin, who you just mentioned.

I've spoken to Thomas, who you've just mentioned. They'll be on episodes, giving those pieces of data to you, dear listener. So you'll be able to hear what they've got to say about it. But we also spoke to Akshat Chowdhury from several companies, but let's go with Malcare because that's the one probably in question here the most.

So if you want to get some different context around that, or you just want to hear what these. These numbers are and why they think it matters then. Yeah. Tune into those other episodes. Is your position then that if really that sorry, not a firewall a malware scanner, because people like Thomas and people like Calvin have been able to open the box there and demonstrate particular it's.

Examples of how it can be bypassed if you like, it's fairly technical. We won't go into the technicalities of it. You can find that in the other episodes for you. Then does that mean that kind of thing, a malware scanner is universally not worthwhile, or is it more a case of it was interesting that somebody managed to find an exploit, but maybe they'll patch that in such a way that it can't happen again, or is it more.

Is your position more that the way that it works means that it can never really be patched and trusted?

[00:35:15] Dan Knauss: Yeah, it's really the latter case and Calvin is correct. He, it was great to learn from him and Thomas what they're seeing. It confirmed things that I had heard anecdotally from other people and in my own experience had run into. I think fundamentally flawed is the phrase that he used and I adopted too.

I wrote WordPress malware scanners are worthless and that's really not. an exaggerating claim there because it is a fundamental flaw to try to catch, really to try to build a fence inside the house rather than to have a security line of security. That's outside and when you set up a, an application firewall inside the application, that's essentially what you're doing.

You're looking for detecting someone who's already gotten in and It also adds quite a performance burden, potentially. Some people see these things and it makes them nervous, and oh, I need to run this scanner all the time, or that, there's a set schedule for them. And that's using your CPU and memory resources potentially quite a lot.

I remember, Ten years ago or more, when these things started to first come out, and, oh, just everyone was getting hit with something called the TimThumb library. It was a dependency that caused, it was used by a lot of themes and a lot of plugins. And you had, you resorted to just checking to see if you had this file, and if it had been exploited.

But hosting has... Improved a lot since then. WordPress core has improved a lot. Plugin development has improved a lot. And if you do all the hardening correctly, and your hosting is of good quality, you really don't need those kind of cleanup tools as part of the package of what you're running inside.

And simply because they're being detected they're being defeated in the wild now, I would just assume it's an arms race always when hackers are, Figuring out better and better ways to break in. They're going to learn from each other, and pretty soon, almost all malware will probably have some kind of kit just baked into it, and it's just going to look for malware scanners that are known to be installed in many WordPress sites, and we'll just take them out.

We get in, they're done.

[00:38:01] Nathan Wrigley: Yeah. Yeah, interesting. Can I just ask, the piece that you just mentioned, it was called, I think I wrote it down correctly. Why WordPress malware scanners are, what did you say, worthless?

[00:38:11] Dan Knauss: Yes,

[00:38:12] Nathan Wrigley: And where do we find that? Was that something that you wrote on your own property or would that be on what is now the iThemes website?

[00:38:19] Dan Knauss: That's on the iThemes website iThemes blog, and yeah, don't usually have headlines like that, but I felt like that was very justified and so did it was, it has opened a very good community conversation, I think, and an internal one, and being able to talk with Timothy and and Thomas and Kathy's aunt, too, who's an old security pro.

Really made me feel confident that was, this isn't like a clickbait over stated thing here. This really is an important issue and part of our larger long ongoing concern is really education. Where, what is security? What actions can you actually take that are worth doing?

That are really maybe the first, the low hanging fruit of WordPress security when you set up a site. And then what things really... are so iffy, it may not be worth your time.

[00:39:16] Nathan Wrigley: Yeah. Thank you for explaining all of that to us. That's really intriguing. So we now know that if you are looking for iThemes it won't be around for too much longer. You're going to be looking at solid WP in the near future. Dan, where do we find you if you've got a Twitter handle or a, I don't know, a personal website that you want to share or whatever you like, where can we get in touch with you?

[00:39:39] Dan Knauss: Yeah, I'm still still largely on Twitter. I've enjoyed the WordPress community there. I don't know what's coming next. I don't even want to acknowledge the brand change there. What the, what to call

[00:39:50] Nathan Wrigley: very much not in the open.

[00:39:53] Dan Knauss: Yeah I'm Dan underscore Knauss on K N A U S on Twitter. And yeah, it's been a long, lovely time with the kind of WordPress learning and exchanges that, that happened there, but maybe we'll be somewhere else in the future.

I don't know.

[00:40:14] Nathan Wrigley: Yeah anyway, for now, Dan, really appreciate you chatting to us about your position on WordPress security. That's really interesting. I hope that I hope that people listening to it get in touch and give you their views. Thanks so much for joining us today.

[00:40:28] Dan Knauss: Thank you.

[00:40:30] Nathan Wrigley: Okay, that's it. I hope that you enjoyed that. Very nice chatting to Dan today, all about WordPress security and hardening your WordPress website. That wraps up our little mini series. All about WordPress security. Hopefully you've enjoyed those four episodes. I don't go away though. Stay tuned. Because we will be back for normal service. We will have normal interviews and a cycle of podcast episodes with David Walmsley. So hopefully you'll stick around for that.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting that includes free domain SSL, and 24 7 support. Bundle that with The Hub by GoDaddy Pro. A lot more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. You can find out more by going to go.me forward slash WP Builds. And thanks once again, to GoDaddy Pro for their ongoing support of the WP Builds podcast.

Okay, we'll be back next week. Hopefully you will enjoy the week. Hopefully you'll join us for this week in WordPress on Monday. If you'd want to know anything about that, you can go to the WP Builds.com website and you'll be able to search for this week in WordPress. We've got absolutely loads of them, but it's a live show. Typically joined by three other WordPress guests and. Come and join us. I joined in the commentary. It's a good deal of fun. Okay. Hopefully you will have a good week. Stay safe. Here comes some diabolically cheesy music. Bye-bye for now.

Support WP Builds

We put out this content as often as we can, and we hope that you like! If you do and feel like keeping the WP Builds podcast going then...

Donate to WP Builds

Thank you!

Nathan Wrigley
Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at wpbuilds.social. Feel free to donate to WP Builds to keep the lights on as well!

Articles: 972

One comment

Please leave a comment...

Filter Deals

Filter Deals


  • Plugin (89)
  • WordPress (51)
  • Lifetime Deal (18)
  • eCommerce (16)
  • SaaS (7)
  • Hosting (6)
  • Theme (6)
  • Design (5)
  • Other (5)
  • Admin (4)
  • Security (4)
  • Maintenance (3)
  • Training (3)
  • Blocks (2)
  • Content (2)

% discounted

% discounted

Filter Deals

Filter Deals


  • WordPress (39)
  • Plugin (33)
  • Admin (30)
  • Content (18)
  • Design (11)
  • Blocks (6)
  • Maintenance (6)
  • Security (5)
  • Hosting (4)
  • Theme (3)
  • WooCommerce (3)
  • SaaS app (2)
  • Lifetime Deal (1)
  • Not WordPress (1)
  • Training (1)

% discounted

% discounted



WP Builds WordPress Podcast



WP Builds WordPress Podcast
%d bloggers like this: