392 – New Show “Feeling Insecure? with Tim Nash”. Episode 1.

Interview with Tim Nash and Nathan Wrigley.

Yet another new show… “Feeling insecure? with Tim Nash”.

WP Builds is brought to you by...


The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

Tim Nash has been on the show many times, and with good reason. He’s a seasoned WordPress security consultant, with roots in the early days of WordPress. He began his journey before the advent of plugins, driven by the need to build a membership site. As plugins emerged, he evolved alongside the platform, developing one of the first commercial WordPress plugins! Today, he leverages his extensive experience to fortify WordPress security for clients worldwide.

This show, just like the other new shows I’ve recently started (and the ones I’m still to unveil) will happen about once a quarter, and this is the first one!

If you’re interested in seeing Tim live and in person you can attend the inaugural #WPLDN Masterclass “Auditing WordPress Security Like a Pro”, which is happening on 31st October 2024 (details at wpldn.uk/masterclass).

You can also subscribe to Tim’s newsletter at timnash.co.uk/newsletter if you’re into regular updates on all the WordPress security news. Plus he’s available for direct hire via his website, timnash.co.uk.


We explore a range of pressing security topics. Tim begins by discussing the relevance of tools like Patchstack for comprehensive security and the potential legal ramifications of software vulnerabilities highlighted by new legislation such as the European Cyber Resilience Act.

The conversation turns to real-world examples, including the CUPS vulnerability affecting Linux systems, illustrating the far-reaching impact of security flaws (or not!).

You’ll hear Tim’s expert opinion on the topic of ‘responsible disclosure’ and the recent actions of major Linux distributors like Ubuntu and Red Hat.

This episode also navigates the murky waters of CVSS scores, offering clarity on translating these scores into meaningful contexts for assessing risks.

Adding a layer of current events, we touch upon the ongoing rivalry between WP Engine and Automattic and the resulting challenges for WordPress users regarding plugin updates and security concerns.

Tim wraps up with practical advice on managing user roles in WordPress, highlighting the importance of minimising unnecessary administrator access.

I also announce the WP Builds Black Friday Deals page. Visit wpbuilds.com/black for WordPress Black Friday deals. Bookmark that… go on!

Comprehensive Sequence of Topics Covered

1. Security Protocols

  • Clear Security Protocols for Websites and Plugins
    • Need for a security.txt file or another simple contact method for reporting issues.
    • Use of Patchstack as a free tool offering comprehensive security options.

2. Legal Implications for Developers

  • Legislation Concerns
    • Developers worried about legal repercussions for software faults.
    • Potential deterrent for contributions to open-source platforms like WordPress.

3. Software Vulnerabilities

  • Curl Example
    • Widely-used open-source software attracting legal notices.
  • European Cyber Resilience Act
    • Aims to hold software vendors accountable for updates, potentially affecting small developers.
  • Linux Vulnerability
    • Serious issue highlighted by researcher evilsocket.
    • Criticisms of major Linux distributors (Ubuntu, Red Hat) for delayed responses.
  • Responsible Disclosure
    • Debate on the need for cooperation between researchers and vendors before public disclosure.
  • Impact on Linux Ecosystem
    • Significant portion of websites running on Linux servers potentially affected.

4. CUPS Vulnerability

  • Vulnerability Details
    • Affecting Common Unix Printing System (CUPS) used widely in Linux distributions.
    • Allows malicious payloads via print jobs, requiring remote system access.
  • CVSS Score
    • High CVSS score indicating severity but potentially misleading without context.
  • Risk Management
    • Translating scores into meaningful context considering specific system configurations.

5. Miscellaneous

  • WP Engine and Automattic Rivalry
    • Concerns over updates for WordPress and plugins via WordPress.org.
  • Data Control and Plugin Management
    • WordPress.org’s control over plugin data storage and updates.
  • API and Updates Issues
    • Disruption affecting WP Engine customers missing update notifications.
  • Interim Solutions and Future Fixes
    • Mirror repository by WP Engine to address update issues.
  • Advanced Custom Fields (ACF) Issue
    • Centralised control concerns and security implications for plugin updates.
  • License and Contractual Uncertainty
    • Lack of formal contract or EULA between users and WordPress.org.
  • Community Concerns
    • Handling potential WordPress.org service disruptions.
  • WP Engine’s Contingency Plans
    • Addressing service disruptions and impact on user update processes.
  • Patchstack Vulnerability Reporting Pause
    • Decision to pause vulnerability reporting to prevent exploitation, sparking debate.


Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.

Read Full Transcript

[00:00:00] Nathan Wrigley: Hello there. And welcome once again to the WP Builds podcast, you have reached episode number 392 entitled, new show feeling insecure with Tim Nash, episode one.

It was published on Thursday, the 3rd of October, 2024. My name's Nathan Wrigley, and we will get to that show in just a moment. But before then, a few very important bits of housekeeping.

The first thing to mention is that if you are in the market, if you have any intuitions at all around the WordPress Black Friday space, well head to our Black Friday deals page. It's very spartan at the moment, there's almost nothing on there, but it's at WP Builds.com forward slash black. Once more WP Builds.com forward slash black. And in the run-up to Black Friday, loads of plugin developers, theme developers, hosting companies will reach out to me, and I will put their deals all onto that one page, so that you can search and filter and find all of the WordPressy things in one place, rather than having to trawl through your email and all the various different sites.

So let me mention it again, WP Builds.com forward slash black. If you'd like to sponsor that page as WS Form have done, you'll see their logo right at the top, then hit the, get started button in one of the little black cards. And also if you have not put something on there before, and you would like to hit the, add a deal button, which you'll find on that page, fill out the form and we will put your product, or service, your deal onto that page free of charge.

The other thing to mention is that Tim Nash, who is doing the show today, well hopefully we'll be doing a masterclass with him, live in London. It's going to be happening on Halloween, the 31st of October. So that's not far away. If you would like to find out more about it, it's at wpldn.uk forward slash masterclass. That stands for WordPress London. It's the WordPress London meetup. wpldn.uk forward slash masterclass. You can find the link in the show notes, but if you head over there, you'll be able to find out all about the things that Tim is doing.

It's a half day master class. It's in-person, we're going to be in a room in London, and hopefully you will learn all of the bits and pieces to keep your website secure by auditing it, defining the scope, identifying vulnerabilities, and developing an action plan. So it really should be fun. And it would be very nice to hang out with you there.

The last thing to mention is that if you would like to advertise on the WP Builds podcast, head to WP Builds.com forward slash advertise to find out more. And we're very pleased that some companies have in fact done that, because...

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting that includes free domain, SSL, and 24 7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. You can find out more at go.me/wpbuilds.

We're also joined by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24 7 priority support. With Bluehost Cloud the possibilities are out of this world. Experience it today at Bluehost.com/cloud.

And by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Well, try Omnisend today at omnisend.com.

And sincere thanks go to GoDaddy Pro, Bluehost, and Omnisend for keeping the lights on. Over at the WP Builds podcast.

Okay. What have we got for you today? Well, it is Tim Nash and we've started a brand new show. We're going to call the show Feeling Insecure, which is a bit of a strange title, but there you go. This is episode one of that show. And as I have done already with Rae Morey and also Courtney Robertson, this is a brand new show, which is going to be coming out quarterly. There's a few more that I've got to reveal with some well-known names in the WordPress space.

But Tim's going to be joining us on a regular basis about every quarter, every three months, to talk about internet security. And the idea is that we're going to raise some interesting things that he's seen more recently, as well as a few tips and tricks that you can implement on your WordPress websites right away.

So brand new show. I hope that you enjoy it.

I am joined on a brand new show of the WP Builds podcast by Tim Nash. How you doing, Tim?

[00:05:29] Tim Nash: I am okay. I'm a little poorly, so hopefully I can get through without too many coughs and splutters, but I've done some... Okay, so

[00:05:36] Nathan Wrigley: I do love how we do these things. Say, hello, Tim, how are you? Not that we've been on the call for about an hour already, just having a natter about the world in general. We, we really have put the world to rights over the last hour or so, but that's not anything you guys want to hear. You are here to listen to Tim Nash and, and he's gonna talk about security.

But before we begin, and I get Tim to introduce himself properly, I just wanna make an announcement about why Tim is here, really. And, and that is because Tim, bless him, has decided to come on the podcast on a regular basis. A bit like some of the other shows that we've got in the feed, about once every three months.

So quarterly, Tim's going to drop in and talk about all the bits and pieces of WordPress security. Now obviously we can't cover everything, but the idea would be to cover off a few things that have happened during the past three months or quarter. And then maybe drop a few little tips and tricks towards the end that you can take away and implement on your WordPress websites.

So that's gonna be coming. So this is the first of those shows. Just before we hit record, we were throwing around names for what this show might be called, and we haven't come up with one yet. So it might have a really unexciting name, it might be a really glamorous name. we don't know, but we'll get one, before it's actually published.

So how are you doing, Tim? Are you all right?

[00:07:00] Tim Nash: I.

[00:07:01] Nathan Wrigley: Good. We will get through it. He's been fairly poorly, so I've gotta give him a bit of a hat tip and say thank you very much for making the effort. Do you wanna tell us a little bit about yourself so that anybody listening to this, if they haven't come across you before, if you're gonna be talking about security, I think the word credentials comes to mind.

you can't realistically talk about security without having a background in it. So just paint the picture of you and what your previous incarnations in security hosting, anything you like.

[00:07:34] Tim Nash: Wow. I think the scary thing is the number of people who think that they can talk about security without any sort of credentials. So my name is Tim Nash. I'm a WordPress security consultant. I have been involved in the sort of WordPress space for the last... years, when you're starting to talk about decades and you're thinking, no.

Oh, yes. But I've been around since, well before plugins existed.

[00:08:00] Nathan Wrigley: I.

[00:08:01] Tim Nash: and I got involved in the WordPress project because I wanted to build a site. I had never managed to complete that. Instead, I got involved with Duke, all sorts of other things, including, running a small development firm where we built payment gateways for, large NGOs.

And then I moved into working with a web host here in the UK and suddenly went from going, oh yes, I secure a few, maybe a dozen sites, to, oh, a hundred thousand of them. Great. It's suddenly working at such scale and going, actually, as somebody who likes making sure everybody's sites are secure and are nice and maintained, just knowing that there is a certain percentage of the sites I'm meant to look after that are hacked, because that's how laws of probability work, is a very strange experience and it's quite a stressful one. These days I work with clients and help them not let their sites be hacked, and I am a huge advocate for WordPress security in general.

come on, shows like

[00:09:11] Nathan Wrigley: Nice. I appreciate that. Thank you. so we know a little bit about Tim. I've just gotta say a few bits and pieces of, promotional stuff, really. a quid pro quo. Tim's, come on. He's given up his time for free. So a nice thing to do in return for Tim is to, is to let the WP Builds listeners know about some of the endeavors that Tim's got, and he's got a newsletter.

So I'm gonna encourage you to listen to this URL, pause the podcast, type it into your browser and sign up for it. You can find it at timnash.co.uk/newsletter. It's as you'd expect, T-I-M-N-A-S-H.co.uk/newsletter. It'd be really nice if some proportion of our listeners who were into security went over there and got onto Tim's new newsletter.

And it's regular and entertaining. Tim does make an effort with his newsletter, unlike, cough, me. It's actually really worth reading, so go and check that out over there. But also, curiously, and I don't know if this will happen again, if you happen to be in the UK, Tim is doing a live event on Halloween, which kind of is perfect considering you like to tell scary stories about websites getting hacked.

So Halloween, 31st of October, in the UK, in London specifically. Now the place to find that is at the W-P-L-D-N, so the W-P-L-D-N website, and it's a masterclass all about WordPress security. It's like a morning or an afternoon, I should say. Anyway, the point is you go in person, it's not like an online thing, and you can find that at wpldn.uk slash masterclass.

So wpldn.uk slash masterclass. Tim, I've just mentioned the newsletter and the masterclass. Do you wanna add anything to those two bits that I just mentioned? Did I miss anything out there?

[00:11:09] Tim Nash: No, other than the, I am slowly but surely getting back into the, like, the meetup trails. Other than that, I will also be, so I'm doing WPLDN, which is WordPress London Meetup, the same night as I'm doing the masterclass. And then I will be in Tunbridge Wells in very early November to go to a meetup there.

So you might actually, if you're in the UK, as we're starting to get all our meetups going, you may well see me at a meetup. Do come along, do say hello. I always like talking to

[00:11:38] Nathan Wrigley: Yeah. Nice. And would we find information about that on your website? So if we went to timnash.co.uk, is that the kind of thing you

[00:11:45] Tim Nash: Sure.

[00:11:45] Nathan Wrigley: there?

[00:11:46] Tim Nash: I totally keep my website up

[00:11:49] Nathan Wrigley: Maybe. Yeah.

[00:11:50] Tim Nash: Maybe. You certainly will. On the newsletter, which I tend to send now, while it is regular, it's it becomes more regular when I'm doing

[00:11:58] Nathan Wrigley: Okay. Okay. And do you do sort of client work still? Like for example, if an individual listening to this unfortunately has their client website or their own website hacked, do you take on auditing work, things like that? You know, remedial work for things that are currently broken, or inspecting things where somebody would like to have an audit and check that they're compliant.

[00:12:20] Tim Nash: My clients fall into roughly two groups. One lot is, help, we've been hacked. And the second group is, hey, we'd really like to not be hacked and we wanna be praised and told what a great job we've been doing. And that's what I like focusing on, the second group, but obviously I'm more than happy to help the first group.

But yeah, if you want a site review or code review, or if you're worried that your site has been hacked, do get in touch. I'm really friendly and you can have a nice calming

[00:12:49] Nathan Wrigley: that's right. Calm you down, bring you, back from the precipice. So that's the stuff about Tim. So like I said, the endeavor of this show is every three months or so to talk about bits and pieces that have happened. of interest. Obviously there isn't like this three month window here, 'cause this is the first show, so it could really stretch back a long way in time.

But we've got three bits and pieces that Tim has brought to the fore, and so we'll go through those, and they'll occupy most of the podcast. And then right at the end, and it may stay at the end, we might push it to the front, who knows, we'll do a few bits and pieces about WordPress security, little tiny bite-sized things that you might do that you perhaps have never heard of or thought about before.

So with that in mind, let's crack into the three top stories. What have you got for us? So let me just say, I'm recording this on the 1st of October, 2024. If you are in the WordPress space, it's quite likely that you have seen the WP Engine versus Automattic story. I imagine we don't need to explain too much about that, but if you feel the need, Tim, go for it.

But why is this one in, because that felt like a story about, a hosting company, and trademarks and things like that. How does this in any way touch security that's curious.

[00:14:06] Tim Nash: So I think we'll try and skip as much of the legal stuff as possible, as fascinating as it is to us as individuals. It's not necessarily relevant, but during the backwards and forwards, and so we have two conflicting, very large companies battling it out with battles of words at the moment. But midway through this, wordpress.org came out via Matt Mullenweg and said, we are no longer allowing customers of WP Engine to access our services.

And they effectively stopped any WP Engine customers from being able to do updates to WordPress core, or updates to any plugin that was held on the WordPress repository, which is most of the plugins that you will use. So if you went into your admin interface and you went to go and click update, nothing happened. You got an error saying, we are sorry, you can't connect. If you tried to update to the latest version of WordPress, same problem. If you tried to use WP Engine's Smart Manager, which is their built-in plugin, same problem. If you were using automatic updates, you couldn't do it.

If you were using WP-CLI, you couldn't do it. The only way to get your site up to date was for you to personally open up a browser, go to the website, download the plugin, and get it onto your site. Be that through you uploading it yourself or you going and using some other mechanism that you have, but you had to go and move this around, because the connection between your website and wordpress.org ceased.

[00:15:48] Nathan Wrigley: just going to put this in there right now because honestly, this podcast has such a wide audience and many of them will be technical. And so forgive me, just skip forward like 30 seconds because you'll know this, it'll be obvious to you. But we also have a, fairly large proportion of people who really, WordPress is a bit of a thing they, they toy with and they play with, and they don't really know the underpinnings of it.

And so they regard it almost like a SaaS product. they, go to their website and they log in and then they do things and then they log out. And part of the plugin bit, the updating the plugins from the repo almost feels like that's all happening inside of your website.

So you go update plugins and there they all are. They're just there and you click update and it just happens. But of course, that's bound. Whether you knew it or not, to wordpress.org, manage the WordPress plugin and theme and various other different bits and pieces. But for now, let's stick with those.

So you are actually calling the wordpress.org website, and that's where those files are coming from. And so it may look like a SaaS and feel like a SaaS to you, the point being wordpress.org can cut off access and did cut off access to servers inside the WP Engine infrastructure. So if you weren't on WP Engine, there's no story here for you.

You didn't need to worry about it. But if you're a customer of WP Engine, they did this, presumably, I don't know, by identifying certain IP address ranges or however they did that. But anyway, that's what's going on. So that may come as a surprise to you that wordpress.org is actually controlling, that's the wrong word, you know that they're the people who provide that service to you.

[00:17:31] Tim Nash: I'm not sure actually. I think controlling is a really good word to use in this particular instance. They are the controller of that, of the data, and hold the plugin. They also store all those plugins. They store the zip files that your site then pulls onto your machine. So if you imagine, going to an example of, let's say you are gonna download a new application on your computer.

You go to a website, you click on it, it downloads into your downloads folder, and you unzip it and drag the application. That's effectively how plugins work. You are making a remote request to the wordpress.org server and saying, hey, I'd like the zip file. And then it goes, sure, here's the zip file, come across. Now, to make things more complicated,

when you go in, you get those little red icons with the number on there to tell you an update's available. The way your website interacts with wordpress.org is it uses wordpress.org's API. So it basically says, hey, I've got these plugins, any updates? And wordpress.org says, yes.

But that interaction was also lost. So WP Engine customers wouldn't know that there were updates available.

[00:18:49] Nathan Wrigley: Okay. Yeah. Interesting.

[00:18:51] Tim Nash: and this, so now we have two problems. One, we can't get the update in the first place. that's awkward. That means that if there was a, let's say, a major security issue, and I don't know, Bob's plugin needed to be updated.

You couldn't just press the button to get that update, but worse, you wouldn't know that there was an update available. And in terms of security and WordPress security, the biggest issue and the main reason WordPress sites get hacked is because they do not keep things up to date. We've spent an awful lot of time within the WordPress community drilling this into people, that you must keep your site up to date.

That is how you get hacked, is if you do not keep your site up to date. And so it becomes an issue when you can't update your site and you can't see there are updates available. And this has now been partially rolled back. There was a reprieve, in inverted commas, where basically the services would turn back on.

and WordPress engine. WordPress engine

[00:20:01] Nathan Wrigley: You said it. It's going in the record.

[00:20:06] Tim Nash: Engine. I would say I was conflating the two together, just, but yeah, apparently it's true. They have said that they are putting a permanent fix in place, which appears to be that they are doing effectively a mirror. So that's where they have all the content from the wordpress.org repository on their own servers.

And instead of interacting with wordpress.org, you would interact with their servers, which is what Matt Mullenweg asked them to do. He said, you are using our resources, we don't want you to use our resources, you should be maintaining your own mirror. But that opens up so many interesting problems and questions about how they're going to manage this, maintaining these, and leaves some really big questions that still haven't been answered.

One of which is, WP Engine manage a plugin called ACF, which is used by a lot of

[00:21:05] Nathan Wrigley: I think it's more than 2 million. The, the, it's enough that it's got, six zeros at the end anyway.

[00:21:13] Tim Nash: Yeah, so Advanced Custom Fields, used by lots of sites. At the moment, it would appear that WP Engine staff cannot push new releases into the wordpress.org repo. Now, if they've got ACF Pro, so the premium version, they still control that distribution pipeline. So they can still push releases for that, but they can't push releases for the free version.

And all of a sudden we're now like, oh, okay, we are now deliberately blocking access to allow developers to push changes. And you're sitting there going, oh wait, is this a good thing? And should we have this single point of failure? it all, lots of people are looking at this and going, wait, wordpress.org is where we get all this from?

What happens if it goes away? Whether that's goes away intentionally, i.e. someone blocks you, or just goes away, stuff breaks on it, things go down. How are we gonna handle this as a community? And nobody likes EULAs, so end user license agreements. But do I have a license agreement with wordpress.org

[00:22:26] Nathan Wrigley: Good question. I don't know what's the answer to that.

[00:22:28] Tim Nash: them?

As far as, there isn't one that's written down that says, Hey, you, do this. There is no, you, are not in a contract with them because it's just a service that an awful part, large part of the web is now going, wait, I don't have a contract with these people. I don't have a license agreement. I don't have any on paper to this data.

But then you've got plugin developers who are pushing their code there, assuming it will be distributed and distributed fairly and freely and all that good stuff. And these are all coming into conflict and we are stuck in a place where it's like, what do we do? There are several routes, and some of them are good and some of them are bad, and some of them will fragment things.

But from a security perspective, we should never be in a place where someone can turn off updates. That seems, I think everybody agrees, and I have no inside knowledge, but I think maybe the people at wordpress.org and Matt realized, and that's partly where this reprieve came, was like, oh, maybe that was a line we stepped over.

That opens too many worms. Let's try and roll it back a

little

[00:23:47] Nathan Wrigley: I'll just briefly explain that as well. And I'm not a lawyer, I'm not gonna get into the whole, whether you think one side is right or the other. Go and read all of the blog posts, go and read all of the Twitter feeds, make your own mind up. But we're just talking about the security that Yeah, the many.

So as we stand at the moment, it's the 1st of October and it's in the UK, so it's like one in the afternoon. So there's more or less half a day, a little bit more, like 18 hours or something, until that reprieve. So access was turned off for WP Engine, it was turned back on again. I guess there was a hue and cry or some realization that maybe there's unexpected consequences that you've just described.

So it's been switched back on. and, but it will expire, today and at some point during the course of today, I'm imagining it's like California time or something like that, midnight that, will expire. And in the meantime, WP Engine have been doing remedial work, to mirror. For, to keep it simple, let's just say copy if you like, or be able to forward traffic towards, wordpress.org.

So hopefully that's fixed. But it does raise the question of collateral damage. There were obviously customers of WP Engines and the argument would go, they didn't know, they, how have they got caught up in a debate that they knew nothing about? they're just paying their monthly fee to WP Engine a, a host that they thought was reliable and useful, and they'd chosen that one, and all of a sudden they were not receiving updates and they didn't even know.

That they weren't receiving updates. And honestly, the way of finding updates, given what the wordpress.org repo provides, the last 10 years of WordPress, nobody's been going and downloading files from wordpress.org, sticking them on your home computer and then uploading them and unzipping them and all that.

You've just been pressing buttons, or text links, inside of the WordPress backend admin area. And so it raises those questions, which we won't get into, but there was collateral damage. And like you say, unless ACF can figure out a way to sidestep this problem, that will continue as a problem from today. I think that won't go away when the mirroring takes place, because they can't push the updates into the repo.

Yeah. Gosh.

[00:26:09] Tim Nash: Weirdly, they probably will be able to push it into their own repo. So WP Engine customers probably will get ACF updates, which does open up the question, are, will they then say, and there's nothing guaranteed about this at all, but are they gonna have to say, look, here is a link.

This is a way to get ACF on your site. You use our mirror of the wordpress.org repo and you get normal WordPress and ACF. That's a potential future

[00:26:39] Nathan Wrigley: Yeah, I can't remember how ACF works, but I've got a feeling there's a, there must be, right? But I dunno if the free version, if the pro version, I should say, builds on top of the free version, or if the pro version negates the need for the free version. Obviously if you're on the pro version, then WP Engine can sidestep that whole problem.

But they might have to reap, gosh, it does get interesting, doesn't it? what do they do with that business? Do they hive it off to a different entity, or do they roll it all into pro and hope for the best or, ah, it's complex.

[00:27:12] Tim Nash: it's really complicated. And then, suddenly they're going, we, get very annoyed when, developers like send like those full banner notifications and things telling us. But if a CF doesn't have a way of letting people know, suddenly there must be a lot of developers who are like, oh, hang on. I don't have a way to communicate with my customers except through wordpress.org. If I can't communicate with the end users and say, actually, you should download it from over here, but even if you can, then we are opening up all these potential problems where we have somebody malicious might come along and say, ha oh wait, I can send notifications out to all of these customers. What if someone takes over? I it, I can very much see a well-meaning person saying, oh, we'll let Joe take over the ownership of ACF on wordpress.org. This isn't, this is hypothetical, but I can very much easily see someone going, oh, Joe can do it. Joe's trustworthy and reliable. Joe gets to take over that repo 'cause there's no rules or anything thing written down that says Joe can do this.

The mechanism for managing and moving contributors and ownership is mostly automated; it's just really sending some emails around and people clicking buttons. So I can easily see ACF, or any plugin, accidentally being hijacked. We're just using ACF as an example in these sorts of scenarios.

And we could end up with a scenario where the wordpress.org version of ACF is no longer being managed by the people at WP Engine who are actually putting the fixes in. And you might even find a scenario where the wordpress.org ACF version is now the reverse mirror and is pulling its version from WP Engine's repo and pulling it back into wordpress.org so that the rest of people get access to it.

At which point we are in the world of this is just silly and can heads bash, heads

together, but I think what we can say is it's not

[00:29:29] Nathan Wrigley: No,

[00:29:29] Tim Nash: of these scenarios is good.

[00:29:31] Nathan Wrigley: Again, caveat emptor, we're not getting into the legal stuff. That's to be decided by, I imagine, fairly well-paid lawyers, and we'll see what happens. But it,

[00:29:40] Tim Nash: More well paid than us.

[00:29:41] Nathan Wrigley: to me, like a week ago, just over a week ago, we had, imagine WordPress as a whole, this whole thing, as a calm pond.

There's not a ripple in sight. Then suddenly there was this massive boulder thrown. And that's the story that we've got at the moment. And it feels like the splash has just gone away. All this tweeting and all these posts online, we're in the splash moment, but now we're gonna start feeling the effects of the ripple spreading out.

And this ACF thing is one example. The repo that WP Engine are gonna have to, in some way, manage. And whether or not it prompts other hosting companies to take a look at their stack and think, gosh, this could, maybe this could happen to us. I just don't know where these ripples are gonna go, but it seems like there's

[00:30:30] Tim Nash: We

[00:30:30] Nathan Wrigley: ripples. Yeah. Info

[00:30:32] Tim Nash: I.

Okay. We need to have some sort of contingency plan. And also, if you are an agency, or you have customers who, it doesn't really matter where your clients host, you are gonna have to start thinking. I think now this is the time where people are gonna wake up and go, oh, we need a contingency plan for what if this happens to our host?

What? And so it's gonna help focus people into, we've been relying on this our whole 20 odd years. We just didn't think about it, and now we've gotta start thinking about it. And the answer could be, I thought about it, I'm putting my head firmly in the sand and hoping other people who are smarter than me will solve it.

[00:31:23] Nathan Wrigley: I,

[00:31:23] Tim Nash: But for some people, that's a luxury they sadly won't be

[00:31:27] Nathan Wrigley: Yeah, the other bit in this story, we're gonna talk about Patchstack in a minute in the context of something very different, but there was a piece that you put into the show notes about Patchstack in this story. And that was about their pausing, I think is the right word, or not releasing.

Just tell us about that. So Patchstack is a, I'll hand it over to you 'cause you can probably summon the language better than me.

[00:31:52] Tim Nash: So Patchstack, Wordfence and Automattic are the three people who, three organizations, I should say, who have the ability to publish vulnerabilities and issue out CVEs, which are a way for the much wider cybersecurity community to say, oh, yes, this is a vulnerability, and have a place and record for where that vulnerability is published and hopefully the fix is associated with it.

So Patchstack regularly publish vulnerability reports, and by that they say, plugin X had this problem. We worked with them, or the person who'd found the problem worked with them, it got resolved on this date. Here's some details about the problem. Done. Patchstack said very quickly, you know what, we are not gonna publish anything that's critical, high or medium.

So anything we think is serious and might have a direct effect on clients, we're not gonna publish for a little bit, which means that, 'cause once something gets published, bad actors use that published data. Now, normally when things get published, the patches have already been out for a reasonable period of time, and most people who are on automatic updates, or even on a weekly update cadence, will have been patched a little while back.

So there's a little bit of a gap given through, but they said, no, we're just gonna pause everything just in case there is anybody who isn't patched on WP Engine and won't have this ability to patch. And that decision was taken. And there seemed to be very much two voices, and one was, well done.

This is really good. I'm really glad that you've paused this. Don't give bad actors the opportunity to make hay out of this and exploit people on WP Engine. The other side of the argument was, hey, these vulnerabilities still exist. Other people should know about these and be alerted to these. Is it fair that you paused this just for a small subset of users? And small, we're still talking, I think it was something like 13

[00:34:13] Nathan Wrigley: million sites. Yeah, something like

[00:34:15] Tim Nash: Yeah, that's not a small subset of users in my head, but obviously in the wider 43% of the web, it's a very small subset of users. And I think I can see both sides of that argument.

But ultimately Patchstack took that decision. Wordfence went, we're thinking about this, and obviously Automattic didn't say anything. And I can't imagine that for one second they were thinking, oh, I know, we'll pause this. I think that probably wouldn't have been a conversation that would've happened internally, given what was going on.

But Patchstack seem to have come out of this quite well. And I think generally I um and ah about whether I thought it was a good thing or a bad thing, but it did potentially protect, I don't know what was in their pipeline. Maybe their pipeline had actually dried up and they had no interesting vulnerabilities to publish.

And so they were like, oh, this is a good excuse for us to all go and have a cup of tea for a little while and not have to do anything, and we can just use this as cover for not doing any work for a couple of days. I don't for one second truly believe that, and vulnerabilities are reported constantly, but it was a brave decision for them and it felt very much like they were standing up for end

[00:35:36] Nathan Wrigley: Yeah, it's an interesting one. You've only got two. It's binary, isn't it? You've got two directions to go. You either do what they did or you do the opposite of what they did. And I can see harms in both directions and benefits in both directions. So flip a coin and see where it lands for you. But, okay. Curiously, so that was all about the WP Engine story, which has been ongoing. And by the time we do our next show, let's hope that one has figured itself out and what have you. But the next piece that you wanna talk about is coincidentally about Patchstack as well, and about something that they're offering out.

It's a new offering and it's called the VDP, or the Vulnerability Disclosure Program. And I think what you want to get into here is basically what it is, but also whether or not we even need one. That's the question. Does WordPress need such a thing? So before we get into whether it's needed, tell us what it is.

What is a vulnerability disclosure program?

[00:36:33] Tim Nash: So Patchstack have been really busy bees in the last few weeks, it seems. Obviously they got a large amount of funding at WordCamp US, which got somewhat overshadowed, with lots of different investors coming in. And just before WordCamp US, they came out with their vulnerability disclosure program, which is a response to some legislation called the European Cyber Resilience Act, which is gonna be coming into force over the next few months.

Like most European law, where it's at the European Union level, it disseminates from the central point and then individual countries convert that into law. So similar to GDPR, and it's the same sort of bulk legislation as GDPR is. The European Cyber Resilience Act is quite a broad set of terms and ideas and things around it, and individual countries are implementing it in different ways.

One of the key components of that is this idea that a software and a hardware vendor is responsible for security, which sounds, duh, but they enshrined that in a way that basically says you have to take this seriously. You have to be able to prove that you are acting and making sure that vulnerabilities are managed.

[00:38:07] Nathan Wrigley: Pause you there? Does that therefore imply the opposite is true now? If you release hardware and you release software, there's no legal obligation. There's no legal straitjacket to bind you to the updating of things. Are you basically free, free of the shackles of law, to just release something and say, I'm bored of that.

Forget it. Can't be bothered.

[00:38:28] Tim Nash: I believe, I am not a lawyer.

Most things, if you go read a warranty

[00:38:36] Nathan Wrigley: Oh yeah.

[00:38:38] Tim Nash: it.

[00:38:42] Nathan Wrigley: And it is amazing what we buy these days, which go into our house, which connect to our routers, which do all sorts of interesting things. And how often do they get updated? Do they update the moment you buy them? Do they update subsequently? Gosh.

[00:38:55] Tim Nash: So the European Cyber Resilience Act covers things like, there has to be an intent to keep things secure. There are some bits about, you should be maintaining updates, that things should have life cycles, and you should be upfront and honest about the length of that life cycle.

But one part specifically, and this is the part that Patchstack have got involved in, is this idea that you need to have a mechanism for people to tell you about vulnerabilities and you need to act upon these, and there are two countering measures. So the first part is you have to be able to tell people, hey, this is the route that you can tell me if my stuff is insecure.

Now, before we get there, it's worth emphasizing the word vendor.

And when this was all being initially proposed, lots of people in the open source community went, I am not a vendor. I am Bob. I am not a legal entity. I just release code. And a lot of people in the WordPress plugin repository are Bob; they just release code.

They are not an organization, they are not a company, they are not a vendor. And the definition of vendor is up for interpretation and hasn't been legally tested. But it could be that anybody who releases code ever accidentally becomes a vendor and has legal responsibilities. It could also turn out to be the opposite, that people go, hang on, Bob.

If you use Bob's software and Bob isn't claiming to be a company and things, and gives it to you under a license that says do what you want with it, then Bob probably shouldn't have any responsibilities attached to it. That's a legal

[00:40:55] Nathan Wrigley: Yeah, so the way that fits into the WordPress ecosystem potentially then would be, I don't know, if you've got a giant plugin company and you've got hundreds of staff and you're very profitable, this all kind of ties together nicely. You can do this. But if you are, I don't know, Joe, and Joe's just released a plugin, which is something that they worked on as a bit of a hobby.

It worked for them. They've put it into the repository and there it is, but they're never gonna look at it again. Maybe somebody will download it, and it'll be nice if they do, great. But are you saying that maybe in the future, Bob, did I say Bob? Joe, whoever, they might come under the purview of this potentially.

We don't know, but plugin developers, theme developers. Oh gosh. So it's a real dragnet.

[00:41:38] Tim Nash: Oh yeah. And just like GDPR was, and over time we've been able to refine GDPR and what it actually means. And you'll notice that cookie things have got less and less annoying because people have started to realize, oh, actually this doesn't affect me, or this does affect me in various ways.

So anyway, who's gonna be caught by this? Maybe, that remains to be seen. What Patchstack have done is said, hey, we're gonna provide you with some tools so you can basically point at it and say, if you wanna report vulnerabilities, go report them here. Now, before this, there were really two options. You could set something up yourself, and we'll talk a little bit about what you could do if you don't want to go down this route.

Or you could join something like a bug bounty scheme. Now, a vulnerability disclosure program is not a bug bounty scheme. A bug bounty scheme implies some sort of financial or some sort of gain in return. Whereas a vulnerability disclosure program is, hey, tell us. We'll probably say thank you and we'll work with you to go through this process.

But honestly, we are a free plugin. We haven't got any money. And so Patchstack's offering that for free. I believe the terms are, if it's a free plugin, they will offer it for free. I think they have a paid-for version, though I may have just made that up, for people who have a premium plugin. If they don't, I'm sure it's on the roadmap.

[00:43:12] Nathan Wrigley: Yeah.

[00:43:14] Tim Nash: And they will allow you to basically point it at them and they will handle the initial taking in of the vulnerability. They'll flag it, they'll decide whether it's even worth your time seeing it or whether it's just pure spam, and work with you to get the vulnerability report out, potentially getting the CVE through them and all of this stuff.

This will work alongside their bug bounty scheme, and I'm not entirely sure, they haven't gone into many details as to how or when one takes over from the other, because both Patchstack and Wordfence offer bug bounties for certain size plugins. They'll give you monetary rewards if you find vulnerabilities.

And one of the things about the Cyber Resilience Act that might be a good thing is that there is a duty of care on the plugin developers to put out information about how to report vulnerabilities. But it also says that once you've done that duty of care, you don't have to go above and beyond that framework, so you might actually see fewer bug bounties that are specifically managed by companies.

People like Patchstack and Wordfence will probably still carry on, but your individual people on things like HackerOne, you might actually see them reduce. So there is still a lot of, is this good for the industry? Are we actually gonna see it all come back down? But if you didn't wanna go with somebody like Patchstack, if you run a free plugin or you have a website and you're not quite sure what you could do, there are a couple of things you can do today.

One of which is, if you run a plugin, in your readme have very clear instructions for what you want someone to do. So have a section called Security and say, email this address. Explain what you want, the steps you want the person to take. If you run a website, there is something called security.txt, which is a text file that has details of the steps you want people to take. And if you create an SOP, or a standard operating procedure,

it's basically just a step-by-step guide of what you want people to do. That's effectively what a VDP is. Now Patchstack's gonna offer you one with lots of tools and lots of bits in there, and they're offering it for free. So you should seriously look at it, at least go through and decide if it's for you.

But if you wanna simplify it, then something like security.txt. And if it's a very small plugin, you probably can just get away with literally having a thing in your readme file that says Security: please email us, and leave it at that.

[00:46:00] Nathan Wrigley: Yeah. 'Cause one of the fears of legislation like this is, I don't know, it scares developers into thinking, okay, the ambulance-chasing lawyers are gonna come after me, or I'll be up for a broken website somewhere out on the web that I have never seen or heard of because I had this plugin sitting in the repo.

So that chilling effect whether or not it's gonna reduce the wordpress.org repo for new contributions,

[00:46:29] Tim Nash: There's the author of the software Curl

[00:46:34] Nathan Wrigley: Oh yeah.

[00:46:35] Tim Nash: regularly gets various legal

[00:46:38] Nathan Wrigley: Oh gosh.

[00:46:40] Tim Nash: From across all sorts of things because Curl is used absolutely everywhere. You imagine if you, if it something, if something connects to the internet, there's a reasonable chance it uses Curl somewhere in it.

And this includes things like car software and all sorts of things. And Curl has to be distributed with its license, which, because it starts with the letter C, tends to be higher up most lists. If you're gonna set your licenses out alphabetically, it's quite high up. And it turns out there aren't that many A and B softwares that are quite as ubiquitous as Curl.

So the first license people hit is the GPL license for Curl, or whatever it's called. I'm pretty sure it's under GPL. And the name and information of the Curl dev is on that thing. So he gets all the emails, various bits. And just the idea of that is terrifying, and it has put me off doing stuff in the past where I've gone, this is just gonna be too much of a

[00:47:45] Nathan Wrigley: Yeah.

[00:47:46] Tim Nash: Or, I don't wanna provide something without a warranty, but I don't wanna provide a warranty.

[00:47:51] Nathan Wrigley: You've provided a piece of software and it breaks, or rather, something bad happens, whatever that may be, as a consequence of that piece of software, and you literally did it as a hobby, and all of a sudden you've got the lawyers coming after you.

That's fairly profound, isn't it? That's a real sea change, and let's see what the European Cyber Resilience Act does. My guess is, as with all this legislation, that the intention isn't to come and hit the small developer over the head with a giant hammer. It's more to impress upon, I don't know, the software vendors who are all in our back pockets, like the phone manufacturers and the bigger players, to do the right thing and to update things, which frankly should have been being updated

forever anyway, but haven't been, and so we're like backfilling the security posture, which wasn't good enough, but it has had this potentially chilling effect on the WordPress ecosystem as well. Gosh,

[00:48:56] Tim Nash: Developed with the.

[00:48:58] Nathan Wrigley: right? Yeah,

Yeah. Nobody mentions that stuff anymore, do they? It was all the rage.

[00:49:08] Tim Nash: But that was where it was initially coming in. Then the dragnet picked up people like the car manufacturers, then into software. So it's interesting how it's progressed from a point where it's, oh yeah, that makes a lot of sense.

These things have life cycles and yeah, they're just abandoned after 20 seconds, but then it's gonna pick up, yeah, open source software that's empowering the web, but is also being maintained purely by individuals and small communities, and not necessarily by a company or anybody who's ever thought of themselves in their entire life as a vendor.

[00:49:47] Nathan Wrigley: Yeah. Interesting. Okay. So that was all the Patchstack stuff. So the last of the three main stories that have got nothing to do with tips and tricks is honestly something I don't know anything about. It's an acronym, I think. Maybe it isn't. Maybe that's just the name of it. But it's CUPS, all capitalized, on the show notes, and this is a Linux thing, and I don't really use Linux in any way, shape, or form these days.

Back in the day I dabbled, but only in ways that could break things. So what's been going on over with Linux and CUPS? What even is CUPS?

[00:50:23] Tim Nash: So first of all, Nate,

[00:50:26] Nathan Wrigley: Spoken like a true nerd.

[00:50:28] Tim Nash: you do use Linux

[00:50:30] Nathan Wrigley: I do.

[00:50:31] Tim Nash: you run a

[00:50:32] Nathan Wrigley: I do. I do use Linux.

[00:50:33] Tim Nash: But for most people, Linux is probably best known for the thing that runs their websites. But you have desktop machines and workstations, and people use Linux every single day. And a security researcher who on Twitter goes by the handle evilsocket came out and said, I have found something.

And this is a very well-respected person. And he basically came out saying, I have found something. But his bigger argument was, I'm getting very frustrated with software vendors. So the distributors, so people like Ubuntu, Red Hat, he was saying, they're just dragging their heels.

They're not fixing things. And the people responsible for fixing this vulnerability, I cannot get them to come out with things. So I'm gonna break the normal rules of responsible disclosure and I'm giving them to X date and I am going to publish this vulnerability regardless.

Now, responsible disclosure is something that is slightly hotly contested. And it's the idea that you work with the vendor and you won't disclose anything until the vendor has a patch in place. And you both agree that it has settled, and it's a responsible thing to do, as in you will work with them.

When you don't have that ability to work with somebody and you unilaterally disclose a vulnerability, you are gonna come in for a little bit of stick and people are gonna be grumpy

[00:52:08] Nathan Wrigley: Yep.

[00:52:09] Tim Nash: because you are effectively releasing this into the wild. And a bad actor may be able to abuse and use it.

So hotly contested. Lots of eyes suddenly were looking at him and going, okay. And he's, this is a really serious

[00:52:29] Nathan Wrigley: So he really bigged up how detrimental it was gonna be.

[00:52:32] Tim Nash: Bearing in mind the entire web, effectively, yes. IIS is a thing, and so there are some Windows machines out there, but if you go to most websites, they are running probably a Linux

[00:52:44] Nathan Wrigley: Yeah.

[00:52:47] Tim Nash: A lot of scared people going, what on earth is he about to

[00:52:49] Nathan Wrigley: The sky is gonna fall in.

[00:52:52] Tim Nash: Yeah. Now, to be fair, he never at any point said, this affects your web server, et cetera. He just said it was a major Linux vulnerability hitting all the Linux distros, and then he releases

[00:53:04] Nathan Wrigley: Oh.

[00:53:04] Tim Nash: And it's a vulnerability in a piece of software called CUPS, which is indeed distributed to most Linux distros, including Ubuntu, including on things like Fedora and Red Hat, or Red Hat Enterprise Linux, which is what powers lots of websites, Debian or CentOS, all of these.

But CUPS is a system for interacting with printers,

[00:53:33] Nathan Wrigley: Okay. Okay.

[00:53:34] Tim Nash: and specifically it lets you print things from your computer to a printer. Now, CUPS does have a feature which allows network printing, so people can send jobs to the computer, which then passes that job to the printer. And he found a vulnerability in that process so that you could basically send a malicious payload saying, haha, I'm a printer.

I want you to print this thing. But really it could cause a problem on the computer that it was sending it to. So it never got to the printer. It was basically, I'm a print job. Oh no, I'm not really, haha, I'm evil software and I'm

[00:54:19] Nathan Wrigley: Oh, so it could be used as like a beachhead, a foothold if you like to get further in.

[00:54:24] Tim Nash: Oh

[00:54:25] Nathan Wrigley: Ah, okay.

[00:54:26] Tim Nash: But here's the critical thing: to use this, you have to remotely be able to connect to the computer to send the payload in the first

[00:54:35] Nathan Wrigley: Oh gosh. Okay, so you had to be able to log into that computer in a remote way, so at that point you owned the computer anyway.

[00:54:42] Tim Nash: So in 99% of the scenarios you were gonna be in, to be sending that data to that machine, you are either in a trusted

[00:54:53] Nathan Wrigley: it.

[00:54:53] Tim Nash: or you had some sort of privileged connection to it. There are not many CUPS printers out on the internet,

[00:55:00] Nathan Wrigley: Okay. Okay.

[00:55:01] Tim Nash: where you can just randomly print stuff off,

[00:55:04] Nathan Wrigley: Oh

[00:55:05] Tim Nash: be great if you could.

If they are, they get abused very quickly. So the entire Linux community went, what?

[00:55:16] Nathan Wrigley: Yeah. It sounds like somebody let off a whoopee cushion. Oh. Okay.

[00:55:21] Tim Nash: But it brings out some interesting problems, because when it was released, it had this CVSS score, which is a mechanism for determining how scary a vulnerability is

[00:55:33] Nathan Wrigley: It is outta 10, right? Yeah. Oh, it does sound severe. That sounds bad.

[00:55:39] Tim Nash: Which is terrifying, because it's so easy to do. You can send a packet of data to the machine and it will, over the network, potentially be compromised, but only if it was all set up like this in a nice chain that works in the way that, and this is a problem with CVSS scores. Generally we use them 'cause they are a valued score.

We use these for when we work out vulnerabilities on web applications. If your WordPress plugin has a vulnerability, it will probably have a CVSS score attached to it. And you might notice that they always sound really scary. And that's because one of the factors is, can this be done over a network? Now, when we're talking about things like WordPress plugins, the only time you interact with a WordPress plugin, unless you are actually SSHing onto the server and interacting with it via something like WP-CLI, is through the browser over the network. So every vulnerability in WordPress has a network component to it.

So this is why you see that CVSS scores for something like cross-site scripting, something very minor or something that can only be exploited in a very limited way, still have CVSS scores in the sixes, sevens, eights and nines, which makes 'em sound terrifying when sometimes they are and sometimes they're really not.

And this is a good example of this, where it has this huge, really scary score. It genuinely would be a really scary bug in 1994, assuming that you were the one person on the network, so it'd be great fun to mess around with and you could take over the print server in your local building several decades ago.

[00:57:35] Nathan Wrigley: So this is a scenario where the score itself, if you've got this exact configuration of hardware and software, then it truly is a 9.9, and it is that thing. It is terrifying and it really could be exploited and do considerable harm, but in 99.9% of the cases, nobody's got that configuration of hardware.

So that's a curious thing about the score. Then I guess the score doesn't tip you off to, actually it's a 9.9 given this. They only have a score, they only have the top-line number. Presumably there's some supporting documentation that

[00:58:08] Tim Nash: There is, and there have been various attempts to break it down and to provide the scenario set to go with it. But yeah, CVSS scores on their own are just a number.

[00:58:22] Nathan Wrigley: Yeah.

[00:58:23] Tim Nash: And we have to take that number and translate it. And one of the things that I spend a lot of my time doing is talking to clients on Friday afternoons.

'cause inevitably security vulnerabilities come out on

[00:58:36] Nathan Wrigley: Oh, of course.

[00:58:37] Tim Nash: with my clients going, we need to patch, is the end of the world about to happen? And me going, and having to read through the vulnerabilities and go, do you make use of this really weird little sub feature that, yeah.

And do you have contributors? Yes. Cool. Do you care if your contributors can do this? No. Just turn that button off. There we go. We've solved the problem. And that translation layer just doesn't come through on a score. A score is just a score. It is scary, but it's only scary in the scenario that's been identified through the vulnerability report.

If you don't have any of that part of the chain, you don't actually have that vulnerability, but you have the potential for it. So then we have to think about risk and risk management and risk assessment, and it's, ugh. And on a Friday night, you just

[00:59:31] Nathan Wrigley: Yay. That's right. So ladies and gentlemen, boys and girls, you now know what CUPS is, and you've learned about three different things. So we've done the WP Engine and Automattic rivalry and how that's impacted people. We've done the VDP, the Vulnerability Disclosure Program from Patchstack, and we've also done this problem in Linux with CUPS.

That isn't quite the problem that it was billed as. And that's the main body, was that

[01:00:02] Tim Nash: Stands for Common Unix Printing

[01:00:04] Nathan Wrigley: I, of course, knew that. This is my waking study, acronyms of Linux. It's what I do all day. I didn't know that. That's good. Yeah.

[01:00:17] Tim Nash: I.

[01:00:19] Nathan Wrigley: Yeah, you had enough time to Google it. So there's the main body of what we're doing today, but as we're always gonna do, hopefully, if Tim comes back, we'll do a few little bits and pieces of WordPressy stuff towards the end that you could implement in a heartbeat. So what have we got this time around, Tim?

[01:00:37] Tim Nash: I dunno, that's only quite

[01:00:38] Nathan Wrigley: Oh, yeah, sorry. That was, yeah, I've really billed it. You've gotta be quick now. You've gotta really do a sprint.

[01:00:47] Tim Nash: I think we've been talking about lots of things today. I was almost gonna do one on automatic updates and I thought that would be possibly in bad taste to do

[01:00:56] Nathan Wrigley: Yeah, we can do that another time when it's safe.

[01:00:59] Tim Nash: Yes. So instead we're gonna look at users, and specifically something that I do every time I arrive on a client site: the first place I go visit is the users section.

Whether I'm doing it on the server, or whether I'm going into the admin, admin/users, the first thing I do is click at the top. You have a little bit which shows you the different roles. And I click on the one marked Administrators, and then what will happen is I will sigh

[01:01:28] Nathan Wrigley: Oh, 'cause it will be more than one.

[01:01:31] Tim Nash: It will be, yes. The length of the sigh depends on the number of administrators.

If it's more than 10, it's a deep sigh.

[01:01:38] Nathan Wrigley: Yeah,

[01:01:40] Tim Nash: The one I looked at a few weeks ago, 27.

[01:01:46] Nathan Wrigley: All of them. All of them still with the company, I'm sure.

[01:01:49] Tim Nash: I'm sure. What was worrying is there were 28 users in total on the site. So what that last user did to deserve to be dropped out of the

[01:01:58] Nathan Wrigley: Oh gosh.

[01:01:59] Tim Nash: I dunno. But needless to say, that site did not need 27 administrators. Your site probably doesn't need 10 or 5 administrators. One or two it probably does need.

So here's a really simple thing to do, assuming you have permission to do this and you are the person who's meant to be doing

[01:02:19] Nathan Wrigley: That's right.

[01:02:20] Tim Nash: and select all the administrators and drop everybody down to editor

[01:02:25] Nathan Wrigley: Nice.

[01:02:26] Tim Nash: and do not tell a single person and see how long it takes for

[01:02:33] Nathan Wrigley: See how many emails you get? You are predicting almost none. That change will be so undetectable by most regular users of WordPress. They won't even care.

[01:02:42] Tim Nash: Absolutely. The common ones: by dropping everybody down to editor, they won't have access to doing certain things like adding other users. That's the usual one that pings someone who maybe is an HR manager, or whose job it is to add users. They will discover, they

[01:03:00] Nathan Wrigley: It'll be when somebody wanted to add a 28th admin. They suddenly logged in: we must add another admin, we've only got 28.

[01:03:07] Tim Nash: Users. Yep. That person's gonna be the first person who's gonna get caught up. The next person might be, if you have a web designer, but they're not normally responsible for doing updates, but they do occasional things on the site and they want to edit the site, especially with full site editing.

They'll go, oh, I suddenly can't edit certain things. They'll be your second person. But each time they come to you, you can have a conversation that says, why do you need this? And slowly but surely you can write a little document for your website, even if you are a really small company. A little document that says who should have administrator access, how long they should have that access for.

And what happens when you get to the end of that? Because you don't wanna be in a scenario where you are looking at your 28 administrators. And three of them are web hosts

[01:03:57] Nathan Wrigley: That's quite common, I'll bet, isn't it? At some point some support agent logged in and needed admin access, or claimed to need

[01:04:04] Tim Nash: SEO companies, marketing agencies, that ex-employee who left under a cloud. All of these people shouldn't be on

[01:04:16] Nathan Wrigley: Yeah.

[01:04:16] Tim Nash: There are a few other people who you think, oh, they definitely should be there, but they don't need to be. Your boss. Imagine a world where you are a CEO of a major company and you have this tendency to take to the company website and randomly rant.

[01:04:36] Nathan Wrigley: Stop

[01:04:36] Tim Nash: Should you be allowed to do that?

[01:04:38] Nathan Wrigley: Stop them.

[01:04:39] Tim Nash: That's one question that's maybe in place. But should you be allowed to fiddle with plugins and themes and all that stuff? Is that your job? Is that your role? And the answer is that for most bosses, no, they probably shouldn't be an administrator, but they want to be because they want to feel like they should be.

And in that scenario, you can use plugins and you can create other roles. So you can give that person a role of Super Duper Boss or the Uber Administrator, and then you can give them the same privileges of absolutely

[01:05:12] Nathan Wrigley: I like your idea better: just knock 'em all down to editor and see who complains. That seems like a great

[01:05:17] Tim Nash: But knock them all down. Set them all to editor. See who complains. I've done this enough times to know it is gloriously quiet.

[01:05:28] Nathan Wrigley: Yeah, unless you're a real regular WordPress user, the difference in the UI between editor and admin, obviously if you nerd out, you'll spot it almost immediately. But if you're just a normal user of a website publishing content and clicking into posts and pages and modifying them, what have you, it's just gonna feel just the same.

There'll be a little bit less in the UI, but it's very unlikely that you are gonna notice or complain. That is a top tip, Tim. I like that: Top Tips from Tim. It's all, it's what a great acronym. Oh. Oh, no, I think we've just come up with the title for the show right at the end. Gosh.

[01:06:06] Tim Nash: No.

[01:06:07] Nathan Wrigley: No. Okay. Okay.

That's been embargoed, but that's a good one. Find the admin users, knock 'em all down to editor and see if you get fired, or see if anybody complains. But I like it and I think that probably rounds off our show. What do you think?

[01:06:22] Tim Nash: Sounds good.

[01:06:23] Nathan Wrigley: I appreciate it, Tim. Thank you for joining me. Hopefully the brouhaha that was mentioned at the top of the show, that we dwelled on at the beginning, won't be with us next time we record.

That'll be towards the end of the year. Might not even air until January, something like that. But we'll see. But, Tim, really appreciate you and, wpldn.uk/masterclass. If you're listening to this and it's before Halloween and you fancy an in-person event in London, go and check that out. timnash.co.uk/newsletter, if you fancy subscribing to Tim's newsletter and finding out what he's up to and the tips that he does over there.

And don't forget that Tim is available for work. Go to timnash.co.uk and get in touch that way. And I dunno if you hang out on the socials, but if you do, where do you hang out?

[01:07:12] Tim Nash: To be honest, you will find me pretty much only on LinkedIn or on Mastodon. I'm on Foster slash TN and I'm at TN on LinkedIn. Come find me. I'm normally there. I don't tend to do the other ones for,

[01:07:28] Nathan Wrigley: I understand.

[01:07:29] Tim Nash: not good for your mental

[01:07:31] Nathan Wrigley: There's a whole other episode in there, but we'll knock it on the head there and I'll say, thanks, Tim. Really appreciate it, and I'll see you on the next one. Take it easy.

Well, I hope that you enjoyed that. As you heard, a brand new show with Tim Nash, Feeling Insecure. That was episode one. Really hope that you enjoyed it.

Head over to the wpbuilds.com website and search for episode number 392. You'll find it there. Leave us a comment. We'd really appreciate it.

Tim will be back roughly every three months to do something similar. To outline some of the things that have happened in the security space, and to give you some top tips and tricks. Really enjoyed that.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. You can find out more at go.me/wpbuilds.

We're also joined by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud the possibilities are out of this world. Experience it today at Bluehost.com/cloud.

And by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Well, try Omnisend today at omnisend.com.

And sincere thanks go to GoDaddy Pro, Bluehost, and Omnisend for keeping the lights on. Over at the WP Builds podcast.

Okay. That's all I've got time for this week. I hope that you enjoyed it. Don't forget, wpldn.uk/masterclass. If you'd like to join Tim and I in London at the end of October.

The other one I mentioned is wpbuilds.com/black. Get your deals on there. Bookmark it so that you've got the best WordPress experience possible in the run up to Black Friday.

Okay, truly the end. Nothing else to say. Except here comes some cheesy music. Stay safe. Bye-bye for now.
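Tim's "find the administrators and knock them all down to editor" tip, done from the command line instead of the users screen. This is an added example, not code from the episode or from Tim Nash: it uses WP-CLI's real `wp user list` and `wp user set-role` subcommands, but the sample administrator list, the allowlist of logins that keep the role, and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the episode): audit a WordPress site's administrator
# accounts and generate the demotion commands, one `wp user set-role <ID> editor`
# per administrator who is not on an allowlist. Review the output before piping
# it to sh. WP-CLI subcommands are real; the data and allowlist are constructed.

# Constructed sample: what
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# might print on a site that has collected hosts, agencies and leavers as admins.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,nathan,nathan@example.com,2012-03-01 10:00:00
4,hosting-support,support@example-host.test,2019-06-12 09:14:00
7,seo-agency,seo@example-agency.test,2021-01-20 16:02:00
9,ex-employee,old@example.com,2018-11-05 08:30:00'

# Hypothetical allowlist: the one or two logins that should stay administrator.
KEEP_ADMINS='nathan'

# count_admins CSV -> number of administrator rows, header excluded
count_admins() {
    printf '%s\n' "$1" | tail -n +2 | grep -c .
}

# demotion_commands CSV KEEP -> a `wp user set-role <ID> editor` line for every
# administrator whose user_login is not in the space-separated KEEP list
demotion_commands() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r id login _rest; do
        keep=0
        for k in $2; do
            [ "$k" = "$login" ] && keep=1
        done
        [ "$keep" -eq 1 ] || echo "wp user set-role $id editor"
    done
}

# Live usage, inside a WordPress install with WP-CLI available:
#   admins=$(wp user list --role=administrator \
#              --fields=ID,user_login,user_email,user_registered --format=csv)
#   echo "administrators: $(count_admins "$admins")"
#   demotion_commands "$admins" "$KEEP_ADMINS"        # read it first
#   demotion_commands "$admins" "$KEEP_ADMINS" | sh   # then apply
if [ "${1:-}" = "--demo" ]; then
    echo "administrators: $(count_admins "$SAMPLE_ADMINS")"
    demotion_commands "$SAMPLE_ADMINS" "$KEEP_ADMINS"
fi
```

Run it with `--demo` to see the three demotion lines for the sample data; against a live site, swap in the real `wp user list` output and keep the allowlist to the people your access document says should hold the role.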


Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at wpbuilds.social. Feel free to donate to WP Builds to keep the lights on as well!
