415 – Feeling Insecure? with Tim Nash. Episode 3 – The state of WordPress security and the transition to bcrypt

Interview with Tim Nash and Nathan Wrigley.

On the podcast today, we’re joined again by Tim Nash, a cybersecurity expert with a storied history in both physical and digital security realms – I like the use of the word storied there, I don’t know why!

WP Builds is brought to you by...


The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

Tim’s journey started in development, running an agency and working with hosting companies, but his knack for security led him to the murky world of physical penetration testing. Yes, that means breaking into buildings, but with more finesse and clipboards than hammers! I’d love to have seen him breaking down doors with a hammer though!

We talk about WordPress security, discussing the release of Patchstack’s 2025 security report. Tim walks us through the data, and how the increase in reported vulnerabilities doesn’t necessarily mean WordPress is less secure. It’s about finding and patching vulnerabilities more effectively.

We discuss the types of vulnerabilities typically found, like cross-site scripting, and the significance of patching them in time. Tim shares insights into reporting in the security space, exploring how companies like Patchstack, with European roots, are shaping the landscape in response to new regulations.



Our chat also uncovers the changes coming in WordPress 6.8. A big shift in password hashing from mcrypt to bcrypt, enhancing security for websites worldwide. We talk about what this means for developers, and how these changes, though technical, promise a safer web.


WP Builds Black Friday Deals Page

So, join us for an episode that tackles the complex world of WordPress security with Tim Nash’s characteristic wit and depth of knowledge, and Nathan’s moronic ignorance and interjections!

Whether you’re deep into code or just dipping your toes in, there’s something here for everyone looking to understand and improve their WordPress security stance.

Tim’s links mentioned in this podcast:

State of WordPress Security In 2025

WordPress 6.8 will use bcrypt for password hashing

  • Long time coming
  • Already available and in use by many organisations. The Roots team manage a popular plugin to support this, and Tim manages a fork of that plugin with some additional support options. Managed hosts already use it.


Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.


[00:00:00] Nathan Wrigley: Hello there, and welcome once again to the WP Builds podcast. You've reached episode number 415 entitled, Feeling insecure with Tim Nash, episode three, the state of WordPress security, and the transition to bcrypt.

It was published on Thursday, the 27th of March, 2025. My name's Nathan Wrigley, and I'll be joined by my guest Tim Nash in a few short moments, so that he can freak you out about the state of WordPress security.

Before we get into that though, a few bits of housekeeping. If you like what we do over at WP Builds, why not check out our schedule page? wpbuilds.com/schedule. Whilst you're there, check out all of the different episodes that we've got. We've got a whole bunch of archive pages. You can see the archive menu in the nav at the top of the website. Go and explore all the different bits and pieces that we've got.

I'd love for you to explore the accessibility show archive. That's also under the archive menu and ingeniously hidden inside the menu item called Accessibility Show Archive. There you go, that's clever. And in there you will find a whole bunch of episodes that I've been doing with Joe Dolson.

Joe Dolson is an expert in WordPress and website accessibility. And in the latest episode, episode five, which we released this week, we have a look at Jamie Marsland's new AI website, which he created as a personal project, and Joe goes over it in terms of accessibility and finds out, as you might expect, that the AI is basically making the same mistakes as humans do. That is on the archives page, but probably the easiest way to get to that is wpbuilds.com/accessibility/5, that is the numeral five.

The other thing to mention is that if you like what we do at WP Builds, why not think about advertising? You're about to hear from three companies that have done that, and I would ask the question of you, why are they doing that?

Well, the reason they're doing that is because we put them in front of a WordPress specific audience, a fairly large one, and perhaps that's something that you or your company, product, service, whatever you've got, may like to do as well. Find out more at wpbuilds.com/advertise.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24 7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me/wpbuilds.

We are also joined this week by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24 7 priority support. With Bluehost Cloud, the possibilities are outta this world. Experience it today at Bluehost.com/cloud.

This podcast was also made possible by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.

And sincere thanks go out to GoDaddy Pro, Bluehost and Omnisend for their support of the WP Builds podcast. Podcasts like this cannot happen without the support of fine companies just like them. Okay. What have we got for you today? Well, as I mentioned at the top, it's an episode of The Feeling Insecure Podcast. It's the third iteration that I've done with Tim Nash, and this is all about the state of WordPress security and the transition to bcrypt, whatever that is.

Well, first of all, we talk about Tim's background, and then we spend an absolute age talking about the Patchstack State of WordPress Security in 2025 article. We really do drill down into all of the bits and pieces that they've got there. What have they highlighted? What does Tim think is worth looking at, and what can you possibly ignore.

Towards the end of the show, we get into this new thing called bcrypt. Well, it's not that new, but it's new-ish to WordPress and it's the way that your passwords are going to be hashed so that you can have access to your WordPress website.

It's pretty interesting. It's a tinfoil hat episode, and I hope that you enjoy it.

I am joined on the podcast once again by Tim Nash, who's feeling a little insecure.

How you doing, Tim?

[00:05:20] Tim Nash: I'm doing okay. When you said that, I'd completely forgotten what the name of the show was, and I was like, am I

[00:05:26] Nathan Wrigley: what? Yeah.

[00:05:27] Tim Nash: What am I feeling insecure about? Oh, no.

[00:05:29] Nathan Wrigley: this show. Yeah. So we're calling this, we have done, calling it feeling insecure. Tim is, and hopefully will be in the future, a security expert. WordPress, is his weapon of choice these days. But I think it's fair to say that you, your history goes way beyond WordPress. You, wanna just give us your little bio, tell us who you are in case people haven't heard this before.

[00:05:52] Tim Nash: Yeah. my name's Tim. I'm, I think I go with a professional doom speaker or, but yeah, I work in, cybersecurity if I'm talking to people who wear suits and ties and, yeah, WordPress security to anybody else. And I've been doing this for many, years. I have a background in development.

I used to run a development agency. I've also worked for hosting companies. I've done, before that was doing physical penetration testing, so that's breaking into buildings, which is lots of fun.

[00:06:25] Nathan Wrigley: What

[00:06:26] Tim Nash: Yeah.

[00:06:27] Nathan Wrigley: breaking into actual buildings, like literally with like hammers and things like

[00:06:32] Tim Nash: no. that's, far too noisy. clipboards work Much better.

[00:06:37] Nathan Wrigley: gosh, really? So you were trying to gain access to secure locations by hacking the systems that guarded the fences and the walls and the doors and things.

[00:06:47] Tim Nash: the people more than any of the other stuff.

[00:06:50] Nathan Wrigley: How was your success? Did you, ever get in?

[00:06:53] Tim Nash: oh yes.

[00:06:54] Nathan Wrigley: Oh,

[00:06:55] Tim Nash: you'll be amazed the number of times a kind receptionist will just let you sit in somebody's office while

[00:07:00] Nathan Wrigley: Oh, so the social engineering approach is where you begin? Is it? You try to just talk the person around and explain, no, we really should be in this building.

[00:07:09] Tim Nash: Quite often you didn't even need to go that far. You just existed. really does help. I say clipboards are an amazing thing.

[00:07:17] Nathan Wrigley: I think that sounds really James Bond. Tim, I think that's brilliant.

[00:07:22] Tim Nash: don't think le I, unless he, I don't get the feeling he was very much into writing the reports side of things.

[00:07:29] Nathan Wrigley: Yeah. Afterwards, there's the, the written reports to be done. Gosh, I had no idea you did that, that there's a whole episode in there. Can we do that one day?

[00:07:38] Tim Nash: Sure.

[00:07:38] Nathan Wrigley: Okay. Today though, we're gonna be talking about a bunch of different things. We're gonna primarily focus on, a piece of content that was created by Patch Stack over on their website.

We'll get into that and then time allowing, we'll get into something dropping in WordPress 6.8, the way that your passwords are being hashed and stored, and then never know. Maybe there's a bit of time for some AI stuff at the end. but let's start where we, should begin. So this is the Patch Stack state of WordPress security in 2025 article.

I'll put the link in the show notes. but if you google that patch stack, state of WordPress security 2025, and click the link, you'll get a very, long page, which, I'm guessing you have read and drawn the conclusions from. it's over to you, Tim. Tell us what you found out.

[00:08:30] Tim Nash: I, think so worth saying Patch Stack do these every year. And for the last few years, they're not the only people who do these. I think Wordfence, which another security company, WordPress Security Company, also published their equivalent. and a couple of the, VIP hosting companies, VIP hosting, VIP, dev agencies also do their own like statements on the state of WordPress security.

It's a very long document. It's full of pretty graphs. It is very much meant for people who are perhaps in, either management positions or to give a more generic overview. If you are a deep hardened techie, what's in here probably won't interest you as much. It's not full of tips and tricks and all that sort of thing.

This is very much data and laying out the landscape today. It's also worth emphasizing that Patch Stack are a company who discloses vulnerabilities. They have their own research team who go and look for vulnerabilities in plugins, but they also provide a mechanism for other people who find vulnerabilities to disclose through Patch Stack.

And Patch Stack will do all the communication with, plugin vendors and theme vendors, et cetera. So they see a lot of the vulnerabilities and they are responsible for reporting a lot of the vulnerabilities found in the WordPress ecosystem. So their document is really want to look at because it does give you probably the broadest view of what's going on right now.

[00:10:12] Nathan Wrigley: I think I quite like it for a couple of reasons. One of them incredibly vacuous, in that it looks nice, which I know is of no consequence at all. But when you're trying to, as an, as a person like me who doesn't have the expertise, the fact that it looks nice keeps me going. So there's that. But also I can actually read it.

They don't tend to, maybe you probably have a different opinion of this. Maybe it doesn't get into the weeds enough for you, given your background. But for me it's just the right level of comprehensible English and difficulty, so somebody who's inexperienced can draw conclusions from it.

Whereas I've definitely been to other websites where, they are really wearing the tinfoil hat and I lose the will to live quite quickly 'cause I simply don't understand. yeah.

[00:11:00] Tim Nash: They get the balance right. I think. I, there's a few, I, we are talking about prettiness. They have lots of graphs and one of my favorite features that they've got a button that says Download graph image next to every single one of those graphs and charts, which is great because if I then want to show a client something and I want to show them the data, I don't have to recreate it.

and it's all branded up with Patch Stack so I can give attribution. I really like that feature on, is it too simplistic? Obviously getting the language of security right is a big problem. and one of the reasons that I like coming on shows like this is to try and express more complicated things in relatively simplistic terms to help people generally not just keep gate keeping.

'cause there's a lot of problems with security about, around this idea of gatekeeping that only a few people have this knowledge, and we use our own language and our own terminology, especially if you then also mix in the compliance side and you are suddenly having to learn that a term that you thought meant something means something else.

And this particular set of ISO standards that you've never heard of.

[00:12:14] Nathan Wrigley: Yeah, that's right. It's easy to forget that that is the raison d'être really for this show, that it is taking something basically incomprehensible to the vast majority of humanity. And it gets regurgitated and cycled around in your head many times and you spit it out in entirely comprehensible language.

Yeah, that's what this is about. And I applaud you for doing it 'cause it's pretty thick. This whole article is basically six areas. One is, I guess, a promotional bit at the top for Patch Stack. And then we get into the bits and the pieces, but is your intention for this then to pick out the top level items, the bits you found most interesting?

[00:12:55] Tim Nash: yeah, there, there's obviously, this is a huge article if you, I encourage everybody to read it. But yeah, let's aim at some of the big things and obviously their sort of headline thing is that, there's been a massive increase in the number of vulnerabilities found. Now it's important to remember that just because a number of an increase in vulnerabilities is found doesn't mean that things are any less secure.

These are vulnerabilities that have been found in WordPress core, WordPress plugins and WordPress themes and associated stuff. If a block is being delivered by your host, for example, that might be included in here. So while there's an increase in the baseline number of vulnerabilities, what's more interesting is to look at those types of vulnerabilities that are occurring and in many ways to be happy that we are seeing an increase in vulnerabilities being found, because that does imply that we are finding more stuff and therefore it's getting fixed.

And if we're fixing more stuff, what we don't want to see is a big gap between the number of vulnerabilities found and the number of vulnerabilities patched. And if we start seeing that gap growing that, or that's the thing to worry about more So this idea that if we found, so there was 7,966 new security vulnerabilities were found in the WordPress ecosystem in 2024.

That's coming from Patch Stack. They say that's 22 new vulnerabilities a day now. 96% of those were uncovered in plugins, 4% in themes. That's interesting because this is a shift over decades, but it's as we've slowly convinced people that themes should do pretty things and plugins do functionality, we've seen a significant decrease in the number of vulnerabilities found in themes 'cause they're doing less so they've got less things to break effectively.

Whereas, so I so that's great. That doesn't mean you're fee if, you've got a theme that's, doing lots of things. Maybe you've bought that. Not necessarily where you, if you bought a theme and you did so through a theme marketplace and it does thing, it does lots of things and say it was like, I dunno, a job theme and it came with a job manager thing attached to it, that's gonna have far more of a, problem and it's more likely to have vulnerabilities in it then say.

I don't know, the 2025 theme built out of WordPress, which is basically not much more than a theme.json file, a functions file and some CSS,

[00:15:35] Nathan Wrigley: Yeah. Yeah.

[00:15:37] Tim Nash: Not to put that down at all, but we are simplifying themes and consequently we're seeing fewer vulnerabilities. But if we've got the 797,966 vulnerable plugins, one of the bits of data that's not in the report that would've been really fascinating would be to see how many of these have been patched? Is it 700? 7,900 patches and we've got 66 unpatched? And the really key number would be to see, okay, what percentage remain unpatched and is that going up or down? If it's going down, then you can say our ecosystem's in a much better place. And if it's going up, so we've got more plugins, percentage-wise, remaining unpatched, then we're in a worse place.

Because our basic at the moment, our number one way to improve security is to update and keep things patched. But if vulnerabilities are being reported, but there's no patch available, then this is becoming more and more of a problem.

[00:16:43] Nathan Wrigley: Do you think that it's a, case here then of there's just more bodies on the ground looking for these things? So in other words, companies like Patch Stack who seem to be growing? I don't actually know if that's true, but I'm gonna guess that Patch Stack as an organization is growing, that they can deploy more resources.

So they just find more things. if you've got a, hundred needles in a haystack and one person looking, they'll find some. But if you have a hundred people looking in that haystack, they're gonna find more than one. and also it's a curious balance for a company like Patch Stack to tread, because you don't wanna, poison the Waterhole really, do you?

At the same time, you, want to explain, okay, WordPress has all these things going wrong with it, but at the same time, you don't wanna scare everybody away from WordPress because that's what you do. So let's deal with the first thing first. Do you think we're finding more? Is that what you were saying?

We're finding more because we're looking harder.

[00:17:40] Tim Nash: I, first of all, there is more code to look at. the plugin ecosystem is growing. So as the, and as more code enters the ecosystem, there is more potential places for vulnerabilities to be. But also there is significantly both more eyes on the code, but also the way we find bugs is, and the way bugs are getting reported has become easier, more automated, more managed.

And so we see these, this increasing. So I don't actually see that headline number as a scary number.

[00:18:14] Nathan Wrigley: Great.

[00:18:16] Tim Nash: You've gotta remember how huge the ecosystem is, and a lot of these vulnerabilities are being reported with high CVSS scores, which is the Common Vulnerability Scoring System, which is designed to allow a system administrator to decide how important a vulnerability is.

But that system is the standard system used across all software, including software on your PC, on a server, printer software. It covers the whole gamut of things, and consequently WordPress and any web application gets quite high CVSS scores, which makes it seem that every vulnerability that's reported for WordPress sounds really scary.

[00:19:10] Nathan Wrigley: that is, I hadn't thought of that.

[00:19:11] Tim Nash: But the reason why is one of the requirements to decide if something is scary or not, as far as a CVSS score is concerned, is: can it be exploited over a network?

[00:19:23] Nathan Wrigley: All right. Yeah. Okay.

[00:19:25] Tim Nash: And if it is, then it immediately gets a much higher classification. 'cause it's super scary that if you can manage to do this, not have physical access to the computer, then this is a really scary vulnerability.

If it was something that affected your PC.

[00:19:40] Nathan Wrigley: So that's more or less a hundred percent of anything that WordPress has going on with it. Okay. Okay.

[00:19:45] Tim Nash: Everything to do with WordPress is over a network, so the CVSS scores are always significantly higher than what you would actually want to rate the vulnerability as.

[00:19:56] Nathan Wrigley: from, the point of view of somebody coming into the WordPress space, let's say I'm a blue chip company. I've never had a WordPress website before, and I approach a big agency and, I tout this number at them, but they were close to nine, 8,000 vulnerabilities last year, which is 22 a day. What the heck?

Why are you promoting this? It, those numbers really do challenge the assumption that WordPress is secure when you say them like that, but it's nice to hear you play it down a little bit.

[00:20:23] Tim Nash: Yeah, I can't remember how many WordPress plugins are in the repo, but

[00:20:27] Nathan Wrigley: 60 k, something

[00:20:28] Tim Nash: Yeah, so if you've got 8,000 vulnerabilities distributed out amongst 60K plus, because obviously not every plugin is in the repo, distributed out across all of those, that suddenly turns. If your site has 20 plugins in, then you are maybe talking one or two vulnerabilities over the entire year, depending on your setup.

[00:20:54] Nathan Wrigley: Yeah. Okay. that's, that makes me feel more sanguine. That's good. As an owner of, a blue chip company, I'm now going to promote WordPress. There we go. Done.

[00:21:02] Tim Nash: But also it's worth saying that a lot of these vulnerabilities, are relatively minor. That doesn't mean and are hard to exploit in a practical way. So a lot of what's happening over the last couple of years, as you're seeing a lot more automation and a lot more where a vulnerability has been found in one plugin, the researcher goes, oh, I found this cross-site scripting issue in this plugin.

I bet it's in the others. And so they'll go and look for the same vulnerability across and use tooling to be able to check across all the plugins for a similar pattern and go, ah, I've now found it in 50

[00:21:46] Nathan Wrigley: Oh gosh.

[00:21:47] Tim Nash: So all 50 then get, so we now have fi instead of, so we, a vulnerability researcher can go from finding a vulnerability in one and having one vulnerability chalked up to their name, to suddenly having 50 vulnerabilities chalked up to their name through that one.

Just look finding it in one in the first place. 'cause they can then go, can I find this pattern elsewhere

[00:22:08] Nathan Wrigley: Got it. Say some sort of library or something like that's being used in a multi, a multitude

[00:22:13] Tim Nash: just some coding pattern that's been used in, some way?

[00:22:16] Nathan Wrigley: I hadn't thought about that.

[00:22:17] Tim Nash: So quite often, especially with the low hanging fruit ones, the very low ones, which tend to be cross-site scripting, which is overwhelmingly the largest amount of vulnerabilities found.

[00:22:34] Nathan Wrigley: Just you're gonna have to, you're gonna, because I know that a lot of people will get that, but I think there'll be a proportion listening to this that won't. What is a, how do you define a cross-site scripting vulnerability? What does that do? What does it look like?

[00:22:45] Tim Nash: This is, it can look very limited. It's basically having it in such a way that allows a script to run locally. I'm gonna come up with a better definition. Let me come. Cross-site scripting is where you would normally have a web application.

You might have, let's say a form and that form might have an option with let's you put some text in and you can put some JavaScript in there

[00:23:13] Nathan Wrigley: Got

[00:23:13] Tim Nash: and it, when you submit the form, the JavaScript acts. Now it's only affecting you as the end user in this case if you submitted the form. So normally you'd need to be able to trick somebody into submitting something with the extra data to, to perform the cross-site script to make it meaningful and useful to exploit.

But then you can have stored cross-site scripts. Let's say that form gets stored in the database.

[00:23:40] Nathan Wrigley: Ooh.

[00:23:42] Tim Nash: And so now it's hiding inside a post, let's say inside your WordPress table. Now, every time somebody else comes to the site and they load that data in that cross-site scripting attack can occur.

And now we have a problem. 'Cause let's say we have an admin. You make your attack, you store your cross-site scripting little script, and then the admin user comes along and they load up a page and go, ooh, something weird just happened. It flashed for a second. And now as an admin user.

With that, the JavaScript was designed to make a REST API request that added a new user, or a multitude of things that can happen. So they are scary if they can be exploited in a wider way, whether that's through trickery or whether that's through storing them in a way that it would be represented. They are overwhelmingly the vast majority of the new ones found because developers are really bad at doing their basic sort of checks and making sure that they are sanitizing and escaping things, which are developer terms for making sure that you check the data going in, whenever data is submitted by an end user, and going, hang on.

Is there anything naughty in here? Okay, we'll pass it through. And on the other side, any data that you're presenting back to the user, going, hey, should this be able to run this? Probably not. We shouldn't be allowing JavaScripts, we should only probably be allowing the B tag or I tag coming back in terms of HTML elements.

Now WordPress has all the key things you need to do safe escaping and sanitization, but it does require a developer to implement that in their code. And it's very easy to forget to escape something. It's very easy to not sanitize something in a database. And overwhelmingly, the vast majority of the vulnerabilities you find could have been picked up with a code sniffer. What's gonna be really interesting is next year we are really gonna see the benefits of the wordpress.org plugin checker.

[00:26:01] Nathan Wrigley: Yes.

[00:26:04] Tim Nash: Last, year? Yeah, last

[00:26:05] Nathan Wrigley: Yeah, it was

[00:26:06] Tim Nash: They introduced a plugin. wordpress.org introduced this plugin checker, which is basically a plugin that you install on the site where you are developing your plugin.

And it would do a lot of the automated checks that you hopefully would already be doing with a coding standard, including a load of these vulnerability checks that say, hey, you forgot to escape this stuff. Now before you can submit your new plugin to wordpress.org, that is gonna become a requirement: it has to pass the checker.

So for new plugins, we're in a much better place. Old plugins, not so much

[00:26:45] Nathan Wrigley: Do they get a pass or how does it work with older

[00:26:48] Tim Nash: so once you've submitted your plugin, unless there is a reason for it to be reviewed again, there is no review process in terms of updates

[00:26:57] Nathan Wrigley: Okay.

[00:26:58] Tim Nash: Now. I think if you'd told the plugins team a year and a half ago, yeah, we want you to start reviewing changes where, there was that huge backlog

[00:27:10] Nathan Wrigley: Oh, there was like 90 days worth of

[00:27:11] Tim Nash: yeah, three months worth backlog.

They were gonna go, eh, no. But just this one addition of having this tool that goes through and provides a load of feedback, including a bunch of security feedback, has changed the posture of new plugins, and you never know. Hopefully we could start talking, maybe old plugins need to, when they're doing their updates,

maybe they need to start complying with these standards as well.

[00:27:38] Nathan Wrigley: Yeah. It's interesting 'cause in many walks of life we have something equivalent to that, don't we? You can't keep driving your car in the UK, at least, without an annual sort of checkup. We call it an MOT. But there's some prescribed thing in law which says, no, that car is unfit unless you prove otherwise. That's a curious idea.

Yeah. Okay. Sorry, I got sidetracked a bit there. Yep.

[00:28:01] Tim Nash: Funnily enough, and again, this is something that's referenced in the article, something we've talked about before. Patch Stack is a European based firm. I'm pretty sure they are entirely European based. And one of their big pushes for next year, and has been a push for this, is talking about the EU Cyber Resilience Act.

[00:28:22] Nathan Wrigley: Oh yeah.

[00:28:23] Tim Nash: And we spoke about it, but from a UK perspective, in that in the UK we are following through with something very similar with the UK cyber security bill. And part of that is exactly this idea that companies should be making sure that they maintain a certain security standard.

And while it's not referred to as an MOT type event, that you should be regularly auditing code and regularly preventing vulnerabilities and regularly being aware of what vulnerabilities were inside your code base, and having a bill of materials for every part of your website, these are things that are gonna become legally required in the EU and then in the UK and presumably in California about five years later in a watered down way.

'cause that's how it goes.

[00:29:19] Nathan Wrigley: I, feel there's a whole new industry about to emerge that will satisfy the needs of these requirements in Europe.

[00:29:28] Tim Nash: So the folks at Patch Stack, that's pretty much what they're doing. You might have heard of their vulnerability disclosure program, which is a big selling thing for them. That is all to do with this, the language that they use, the terminology. It's all about making sure that you can tick the right boxes so that you can comply with the Cyber Resilience Act in the EU as it comes into law.

So there is already a shift and, for myself, I'm also seeing more and more clients who are asking for very specific work done and are using language that you're like, uh-huh, I recognize this language. This is definitely coming from a place of I need to tick boxes off because I need to be legally compliant in the next couple of years.

[00:30:17] Nathan Wrigley: I have a totally random aside question, right? So I'm just gonna completely hijack the whole podcast here. So in the UK we take our car to get this thing, this MOT, and then it goes off to a garage. A mechanic who is authorized to do the MOT, you know where I'm going. Who authorizes?

The person that gives the tick box, if you like, the tick. And how do we know that they're credible at what they do? So when you are saying, I've checked this website, as far as I can tell, there's nothing wrong. How, in your case, I'm just trusting that you know it, 'cause I know you. But the people that I don't know, how do I know that their credentials match?

And how do I ensure that what they say carries the force of authority? Really?

[00:31:09] Tim Nash: It's always the problem that you are always gonna find. No. So in the, is a little bit, but in the UK we do have industry standard bodies. So weirdly, cybersecurity in the UK at a sort of government level is handled by an offshoot of GCHQ, which is one of our main spy agencies.

and they handle a lot of the passing down of what the standards for security should be at a government level. As part of that, they have approved programs for penetration testers, and there is an industry body called CREST, which are basically, I hate to call them a pyramid scheme, that's not fair, but they were one of these sort of bodies where if you pay them enough money, you get approved.

But they do come with a set of sub-standards for the actual individuals. So as a company, you have to pay to join them. So if you are a big pen testing company, you would be a CREST approved pen testing company. Within that, though, the individual assessors need to have gone through some level of qualification requirements that CREST set out, and they have a set of courses and you can specialize in maybe incident response, and you'll go on one of the CREST approved incident response team ones, or web application testing.

You might go on one of those courses. So there is that. The problem is that the bar to entry for that is quite high, and it is quite an expense for a company to go and become a CREST approved supplier. That's outta reach of a lot of the smaller businesses. For your really big companies, and you'll find it in some government work, some big companies will say, we need this to be a CREST approved pen test, through a CREST approved pen tester.

Then that's the route you go. For the smaller companies that's possibly going to come back and they're gonna go, I'm sorry, did you just say 300,000

[00:33:16] Nathan Wrigley: Oh, at that kinda level? Gosh.

[00:33:18] Tim Nash: Okay. I don't think I can afford that to get that from my one pen test a year. Prices vary massively, but you can easily spend half a million

[00:33:29] Nathan Wrigley: It's eye watering money.

[00:33:30] Tim Nash: Yeah. Which is understandable if you have eye watering stakes. If you are a company that is running an e-commerce site and you have five, six, 700 million pounds going through, which, the scary thing is, there are Shopify sites with that sort of income going through their books, and there are WooCommerce sites at that sort of level as well.

Then you probably do want to go through, and your insurance company are gonna go, we want to see that before we underwrite all of this, we genuinely want to see how secure everything is. And so you'll find that a lot of these sort of tests are done at those levels. The other thing is, talking of insurance, and that leads to accounting, is that there is a separate sort of standard for testing, and that's something you might have heard of, somebody being SOC 2 compliant.

[00:34:30] Nathan Wrigley: I have. Yeah. But I dunno what it means. Yeah.

[00:34:32] Tim Nash: So SOC 2 is a security compliance standard written by accountants.

[00:34:40] Nathan Wrigley: Oh, is it

[00:34:41] Tim Nash: Literally the, I've forgotten what the agency is, it's like the American Accountancy Association, came up with a level of security. But one of the things that makes SOC 2 a different type of compliance than, say, something like ISO 27001, is that when you do the assessment, you do that over a three to 12 month period. So normally if I go along and I'm doing an audit or site review, I will take that snapshot in time. What you present me at a given moment is what I'm reviewing. Whereas SOC 2 is all about showing that you have all your policies in place. It has a set of standards you need to meet, but then you have to show that's happening over a prolonged period, over that three or 12 month period.

And so the assessment is over a much longer period. So when you see, particularly hosting companies, saying they are SOC 2 compliant, they actually have gone through a hell of a lot of work to get that. Whether that makes them any more secure, I don't know.

[00:35:51] Nathan Wrigley: No, but at least they, have given it thought. It may be that everything was bulletproof to begin with.

[00:35:57] Tim Nash: And it's also remembering that compliance is as much about the paperwork as it is about the actual, in fact, it's more about the paperwork, and ultimately SOC 2, because it's written by accountants.

It's more about risk and risk management than it is about security. But it's, so there is some sort of point where you can say, oh, okay, I, I, actually, I do want to go for a specific sort of level of tester. and that is available to you, just comes with that price

[00:36:27] Nathan Wrigley: Yeah, so there is a, there, there, is something, there are things, there are certificates, there are compliance requirements. So if you go to a vendor of security solutions who will check your plugin theme, whatever it may be in the WordPress space, there are, things that you can ask to see, let's put it that

[00:36:44] Tim Nash: Yes.

[00:36:45] Nathan Wrigley: okay. Sorry, I completely derailed the conversation there. Back to Patchstack's annual report. Where did we get to?

[00:36:53] Tim Nash: we were just saying, cross-site scripting remains the most widespread vulnerability.

[00:36:58] Nathan Wrigley: Okay.

[00:36:59] Tim Nash: where we would, one of the interesting things was, that I found surprising was the way they really highlight more than 500,000 websites infected in 2024. And I was like, wow, we're doing such a great job that's so low.

[00:37:15] Nathan Wrigley: Oh, that's intriguing. I thought that was so high.

[00:37:19] Tim Nash: That's really low. And then I read the line, Sucuri alone observed over 500,000

[00:37:24] Nathan Wrigley: Oh.

[00:37:25] Tim Nash: There you go, it's, oh, one company had seen half a million websites

[00:37:30] Nathan Wrigley: Yeah, that sounds like such a breathtakingly large amount to me.

[00:37:34] Tim Nash: That's a tiny amount.

[00:37:35] Nathan Wrigley: Yeah. I have no real window into how many websites there

[00:37:38] Tim Nash: again, and, it's if you think about it just for a second, like, how many WordPress websites are there?

[00:37:46] Nathan Wrigley: guess. That's the number I'm missing, but it must

[00:37:47] Tim Nash: Yeah. Millions. Yeah. Big scary sort of numbers that we go, it is powering anywhere between 30 and 42% of the web depending on how you are thinking about it. And that's huge numbers of sites, most of which are not running up-to-date versions of WordPress.

[00:38:10] Nathan Wrigley: I.

[00:38:11] Tim Nash: So the idea that only a half a million had been hacked and they were saying this with some sort of authority was like, that can't, I probably see maybe 20 hacked sites a month.

Just me,

[00:38:27] Nathan Wrigley: Just you. Okay. Yeah.

[00:38:29] Tim Nash: to me saying, ah, we've got sites hacked. I've had clients come to me in the last two months. It has been a bit unfair. I've had two clients both come to me and each of them had over 500 sites hacked. So I've seen, just in the last month or two, over a thousand sites.

[00:38:46] Nathan Wrigley: That gives it a lot more

[00:38:49] Tim Nash: when I worked for a hosting company, we assumed a certain percentage of the network, of the entire number of sites we had across the hosting company, we assumed a certain percentage were hacked at any one time. We had to make that as a baseline assumption, that there was always some site on our hosting that was hacked. And when you start thinking of it like that, and then you scale that up from a small hosting company to the giant hosting companies, yeah, 500,000 seems like this tiny number, that's a blip that

[00:39:22] Nathan Wrigley: But your being sanguine was upended by realizing it was just one. One report from one company. Okay. Okay.

[00:39:29] Tim Nash: and worse, because of security, the way that they probably have, when they're saying we've observed this, that's probably ones that are actively being seen, and for quite a lot of vulnerable sites that have been compromised, we don't necessarily immediately see anything.

[00:39:46] Nathan Wrigley: Yeah.

[00:39:47] Tim Nash: They don't all just suddenly have Viagra pill websites taking over the front page.

[00:39:51] Nathan Wrigley: Yeah, that's true. Something's going on in the background. Lurking, sitting there waiting for a moment, or just doing something ever so benign that you'll never see.

[00:40:00] Tim Nash: And a lot of the time it's worth emphasizing that while WordPress is the gateway in, most bad actors are not necessarily looking to hack the WordPress site, they're looking for the server resources, whether that is to send email, use it for crypto mining, use it to attack other sites,

[00:40:23] Nathan Wrigley: got it.

[00:40:24] Tim Nash: all of this sort of thing.

So there's a lot of the stuff we don't see. When we do see it on the front end, it is nearly always to do with SEO spam. Sometimes you see takedown pages, occasionally you see card stealers. So card skimming exploits, they're relatively rare, but they do still very much happen.

But the vast majority is SEO spam. And again, this is something that's highlighted in the Patchstack report, and that data's coming from Sucuri, and that's what they basically saw. Sucuri's data includes a total of 422,000 incidents related to SEO spam. So with that half a million that they saw, overwhelmingly most of that was spam pages being spun up in the sites

[00:41:16] Nathan Wrigley: just in an endeavor to drive traffic to another property. So nothing, and I'm doing air quotes here, nothing harmful in that sense. Just, It's benign. At least they're not trying to, get money out of your bank account and things like that.

[00:41:32] Tim Nash: Yeah. They are, and in this particular case, they are not even interested in driving you directly to the traffic. They're interested in getting Google to drive

[00:41:43] Nathan Wrigley: There you go. Yeah.

[00:41:45] Tim Nash: the next sort of version, and the next biggest category that Sucuri saw that were front-facing, were malicious redirects, where they are literally trying to drive you to the endpoint.

So you, as the end user, might go on the website and go, oh, how did I end up on this porn website? I swear I didn't, mom, like thing, where you've just suddenly been redirected to something, whatever. And then the final group that Sucuri were seeing a lot of on the front end were effectively unwanted ads.

And I think actually they also put inside that, oh no, they put web defacement separate. So unwanted ads, where the hackers basically just put adverts all over the site.

[00:42:31] Nathan Wrigley: It seems so 1990s,

[00:42:33] Tim Nash: I know,

[00:42:33] Nathan Wrigley: Tim,

[00:42:35] Tim Nash: and the scary thing is a lot of people who are site owners are gonna be slightly tech savvy, might have an ad blocker on, and it might take them a very long time to realize that their site is being served adverts.

[00:42:49] Nathan Wrigley: that's a really interesting

[00:42:51] Tim Nash: Because who's going to tell you,

[00:42:54] Nathan Wrigley: no,

And pres the ad

[00:42:56] Tim Nash: a random comment saying, God, I really don't like the way that you've put all those adverts on trying to make money off me.

[00:43:03] Nathan Wrigley: Gosh, what a thought. Yeah, that's a good point. So just somewhere in amongst the text is a banner ad of some kind. And it looks like, 'cause that's what all the newspapers do, right? They just have banner

[00:43:14] Tim Nash: if you've gone on any of the major websites without a, I yeah, scrolling on my phone, this is the quickest way to get me to not use my phone for like doom scrolling is, do I, God, how many adverts are there on these things?

[00:43:28] Nathan Wrigley: yeah,

[00:43:29] Tim Nash: yeah, unwanted adverts. Sucuri, outta that 500,000, said that 16,274 instances were linked to these unwanted ones.

And of those, one of the biggest ad networks for doing this was something called Prop push, which I'll be honest, I've never come across, but I'm not really into that space. But apparently it's really easy to get adverts running with them, apparently, I guess, if you can get adverts running with them on another person's website.

[00:43:57] Nathan Wrigley: Yeah, no kidding. Yeah. You got a massive audience

[00:44:00] Tim Nash: My understanding is to get Google adverts to run is quite hard, so this is probably good.

[00:44:06] Nathan Wrigley: Oh, because Google do the work of discovering that this is not where it should be, that

[00:44:10] Tim Nash: And you have to authorize, you have to say, this is my site. And you also have to have a certain amount of traffic, maybe Prop push as well, but that, I

[00:44:19] Nathan Wrigley: You'd imagine on some level it's in pro's interest to have all this happening, which is a bizarre thing to say, but you understand my meaning. Oh,

[00:44:28] Tim Nash: And then the final category was website defacements. And I think this is where most people think of a site being hacked. I

[00:44:34] Nathan Wrigley: think so. Yeah.

[00:44:35] Tim Nash: people think of this as like the traditional Anonymous style green screen takeovers and bits. But in reality, of the ones that Sucuri saw, that accounted for just 8,452.

Outta that, five five.

[00:44:55] Nathan Wrigley: Yeah. Half a million. That's very small, isn't it? So basically that's a tiny proportion.

[00:45:00] Tim Nash: But all of this represents just a fraction, and that's just what they're seeing, not what's happening behind the scenes. So what they're not seeing is using your server to send out tens of thousands of emails. What they're not seeing is the DDoS attacks. So it is an odd thing for me to sit there and go, whoa.

[00:45:28] Nathan Wrigley: You are happy for the briefest moment and then, dug in. Oh, that is really interesting though. There's a ton of information in there and a lot of that really fascinating, and it sent us on lots of little blind alleys as well where you explain things like the CVSS scores and the certification requirements, so that was fascinating.

Okay, where are we moving to next?

[00:45:48] Tim Nash: I think we've got one last tiny little bit in Patchstack, and then I thought we'd go and do some fun encryption and

[00:45:54] Nathan Wrigley: Nice. Let's do that.

[00:45:55] Tim Nash: So the last section I did want to cover was, again, another big bold headline, which is, WordPress Security Needs New Strategies. And it's interesting, if we go right back to the beginning and I said, oh, one of the nice things about this is I don't really care about how many vulnerabilities there are.

I care about how many are patched and the time to patching. So this section highlights that relying on updates is not enough to be safe. And the statement is, in 2024, 33% of vulnerabilities were not fixed in time for public disclosure. Now, that does mean nearly 8,000. There's a fair chunk of those 8,000 that apparently didn't get a patch before they were announced as being there.

[00:46:48] Nathan Wrigley: What's the period of announcement there? Is it like 90 days or something like

[00:46:51] Tim Nash: It will depend on how the researchers and everybody's

[00:46:55] Nathan Wrigley: Okay, so it's not, there's not an industry standard around that, but

[00:46:59] Tim Nash: And sometimes, researchers can be quite, I am going to release this tomorrow.

[00:47:05] Nathan Wrigley: why do they do that? Is there some sort of fame element to that? Do they get something out of it?

[00:47:10] Tim Nash: There is a little bit of that. There's a little bit of, I'm telling you this and then I'm publishing it. It depends on what the person wants out of this. There is a little bit of blackmail associated with that as well. If you don't engage with me, I'm gonna get this published and you are gonna look bad.

[00:47:29] Nathan Wrigley: Yes. Which I guess in some level is an effective strategy, but not necessarily good for the end users.

[00:47:35] Tim Nash: and potentially, if it is actually combined with true blackmail, if you don't engage with me, I'm gonna tell the world about this and make you look bad. But if you give me some money, I'll give you 90 days.

[00:47:46] Nathan Wrigley: God. Humans can be terrible.

[00:47:48] Tim Nash: absolutely clear, that's not something that somebody like Patchstack would do.

That's what an individual bad actor

[00:47:55] Nathan Wrigley: Okay. Again, sorry. I derailed it, but, so there's no fixed industry standard on that, but it would be nice if there was, and it was a reasonable amount of time, but nevertheless,

[00:48:03] Tim Nash: for a lot of these, they will have been given plenty of

[00:48:06] Nathan Wrigley: okay, so

[00:48:06] Tim Nash: 33% not fixed. What we don't get in the document is whether this is up or down over the previous year, which is a shame, 'cause that would be the really interesting figure. That's the one that would tell us whether we were winning or succeeding.

But also, it doesn't indicate the classifications. Now, if like a hundred percent of the highest priority vulnerabilities were patched and 70% of the really low ones that can't be easily exploited weren't patched within that period, that's great.

If we are actually in a position where across all like the levels of scariness, all of them were roughly a third, that's not good. And what I suspect is when we were to dig into the data, we are gonna find that the higher risk vulnerabilities did have a higher percentage of those being patched before the vulnerability was being announced.

And that one of the reasons for this particular figure is because of the low hanging fruit, where somebody has gone and found 500 plugins that all have the same error, but it is really hard to exploit and it's really low, but they are technically a vulnerability and therefore classified and therefore been pushed out. One of the things I do for my clients, and one of the things that's a mainstay of my job, is reading the vulnerability reports and deciding if they're vulnerability reports, which sounds really bad, 'cause somebody like Patchstack will publish something and I'll look at it and go, okay, that is technically a vulnerability.

There is a problem, but I'm not going to ask my client to stand on one leg, pat their tummy and their head at the same time while singing the national anthem of a small country. So therefore this can't be exploited. The risk is so low, we don't need to worry about this. We'll put it over

[00:50:00] Nathan Wrigley: It is a theoretical exploitation, but it, a lot of dominoes need to fall for it

[00:50:05] Tim Nash: exactly. Versus, oh, if I type that URL and I get full control of your WordPress website.

[00:50:11] Nathan Wrigley: Okay. That's, yeah. Quick ringing the bells. Fire.

[00:50:15] Tim Nash: Yeah, that's important. We fix that straight away. And it's strange how that for me is a service. That's one of the services that I offer, is translating vulnerability reports, which I think also is damning on vulnerability reports and the fact we are getting vulnerability fatigue, where we report all of these low issues.

And it's not helped by, when we are talking about the CVSS scores, which to their credit Patchstack do try to avoid by introducing their own priority scoring system. But if we're getting lots of low vulnerabilities, people see these figures, they give up and go, oh no, it's all overwhelm. So the thing that I want to say more than anything is rely on updates.

Updates might not be enough, but they are still critical

[00:51:05] Nathan Wrigley: Yeah, it's

[00:51:05] Tim Nash: they are the best thing to

[00:51:07] Nathan Wrigley: isn't it? Yeah. They've said relying on updates is not enough to be safe, but I suppose the sort of subheading to that would be, but it's quite a bit.

[00:51:18] Tim Nash: Yeah. Even if you took that 33% figure, and bear in mind that 33% figure is across all plugins, and there might have been a plugin that had a thousand vulnerabilities and didn't respond to any of them.

[00:51:34] Nathan Wrigley: yeah. And a, plugin that's vulnerable because, I don't know, it hasn't, it's been abandoned for two years or

[00:51:40] Tim Nash: All of these, and a lot of these, not fixed, will be abandoned. They will also be very low in 10 50 people are using them.

[00:51:49] Nathan Wrigley: Okay, so that's interesting. So in that score, one vulnerability counts as a plugin, but if that plugin has one install, it still counts as one. Whereas if another plugin has, I don't know, a hundred thousand users, 200,000, a million users, that also counts as

[00:52:07] Tim Nash: Yes.

[00:52:08] Nathan Wrigley: that's

[00:52:10] Tim Nash: the risk assessment, and therefore what scoring you give them, doesn't change based on the number of users. That doesn't have the impact.

[00:52:19] Nathan Wrigley: That's an interesting metric,

[00:52:20] Tim Nash: something like CVSS, it's all about your individual. So that said, if you have that one plugin and you are that one person who's got it installed, it's almost irrelevant.

'cause it's there. What is a good thing to remind you though is go check what plugins you've got installed, and are they abandoned? Have they been receiving updates? Are you getting notifications? And if you are getting notifications that you've got plugins that have vulnerabilities and there doesn't appear to be an update.

That's something to be really looking at. If there's been several updates since that vulnerability was announced, to me that makes me think, okay, maybe they've done some risk assessment. They thought about this, they've decided this is low hanging fruit. Still worth checking, 'cause they might have decided, no, actually we just like insecure code.

But it's unlikely. It's more likely that they've taken the decision that this is a reason that they don't necessarily need

[00:53:22] Nathan Wrigley: I love that. No, we love insecure code. that's what we do.

[00:53:26] Tim Nash: we might get to talk about AI in a bit. It loves the secure code. So yeah, I would still advocate automatic updates, and if not automatic updates, updating as soon as possible. That is one of the best benefits. The fallback to this, WAFs do help, but generic WAF services, whether that's something that's a WordPress plugin, whether that's something like Cloudflare, whether that's something your host has got, will again help against certain classes of code.

But we've been saying for the last 10 plus years that a WAF only fixes certain things and it can't get everything. So you combine these two, that's a good starting way. Now, at this point, we should emphasize Patchstack's main product is selling what it refers to as virtual patching, which is that basically it identifies vulnerabilities and it puts its own little patch in to protect you.

So it's no shocker really that the claim for the best way to fix this, from a company that does virtual patching, is to actually do virtual patching. This is that,

[00:54:43] Nathan Wrigley: they got.

[00:54:44] Tim Nash: yeah, that's not a surprise. Whether that's the right route or not is very much up for debate, but they definitely are.

That's the route they want to go on. I did however think that it was quite funny that they have a quote from Ryan Ew, who's the director of product, that he made, and the quote is, Patchstack is like CrowdStrike, but for websites

[00:55:06] Nathan Wrigley: that

[00:55:07] Tim Nash: now, I don't think CrowdStrike, in the popular opinion, has a really good, it's probably known best for taking out most Windows computers for a short period of time last year.

[00:55:19] Nathan Wrigley: Yeah.

[00:55:20] Tim Nash: It's not something I would be putting into my advertising slogan. Patchstack, it's like a thing that broke the web,

[00:55:27] Nathan Wrigley: Okay. Yeah, so you'll be reaching out and helping them with their PR. Should we move on from that then? Have

[00:55:34] Tim Nash: I think so.

[00:55:34] Nathan Wrigley: the Patchstack thing? I'll just drop the URL once more, or rather the title of the post, just in case you wanna get it, but it will be in the show notes. Go for Google and then go Patchstack State of WordPress Security in 2025.

No doubt that'll get you the result, but if not, it will be dropped into the show notes. Right, time allowing, I don't know that we will get to the AI in all honesty this time, but don't worry 'cause the AI conversation is going nowhere. We can do that on episode four, but let's move on to the, honestly, super interesting, I think, bit about hashing versus encryption and what's coming in WordPress 6.8 because.

I understand on a very high level what's going on here, but the weeds of it are interesting to me as well. So what is shipping in WordPress 6.8? 6.80. Thank goodness.

[00:56:32] Tim Nash: we'll, stop several high

[00:56:33] Nathan Wrigley: my crayons and pencil away.

[00:56:36] Tim Nash: Yeah. so WordPress 6.8, it has got possibly the biggest change to the underlying code base that we've had for some time in WordPress,

[00:56:46] Nathan Wrigley: Oh,

[00:56:47] Tim Nash: and it's probably one of the most significant changes in terms of potential things that might break.

Though they are very confident that they will not, which I'm really pleased at, and the amount of testing they've been doing is fantastic. But WordPress 6.8 is gonna ship a change from using mcrypt to bcrypt password hashing. Now you're probably there going, okay, I understood the word password amongst that.

[00:57:13] Nathan Wrigley: Exactly that. Yeah.

[00:57:15] Tim Nash: So the way that WordPress and most web applications work is that when you put in your password at the very beginning, when you set up the account, WordPress goes, oh, you've given me a password, I probably shouldn't store that in the database in plain text,

[00:57:33] Nathan Wrigley: Good idea.

[00:57:35] Tim Nash: based on what we've been talking about for most of the show, there's quite a high chance that someone might at some point have access to that data, based on the number of sites that get hacked.

So let's not store that in plain text. Let's store that in a way that a bad actor, if they got the password, couldn't do anything with it. Now the way we do that is through hashing. Now, hashing and encryption have very similar concepts, but are very different things, and you probably hear those words used interchangeably occasionally, and they definitely cannot be used interchangeably.

So hashing is a way where I start off with some data, in our case a password, and I pass it through an algorithm. At the end of it, I get some data out that looks like gibberish. It's a big, long string, which I can then store, and I can store that safely. Now, if I take that string, it's very difficult for me to then reverse that, to work out what the original input was.

This is a one way,

[00:58:39] Nathan Wrigley: to do that?

[00:58:40] Tim Nash: because it's a big, long string, and I have to work out how I could get from the original through

[00:58:45] Nathan Wrigley: Yeah, so I guess what I'm saying there is why don't you know the way back? Like where is that bit stored?

[00:58:53] Tim Nash: that it's not,

[00:58:54] Nathan Wrigley: Oh,

[00:58:55] Tim Nash: it's never stored. So the big long string just exists. So when we check our password, what we're not doing is taking the big long string and going backwards. When someone comes and logs in, they put in their username and password. The next step is that WordPress goes into the users table in the database and finds the associated user and returns the big long string.

Now we've got a password and the big long string. Obviously we can't directly compare them. So what we do is we take the password that you submitted and hash that,

[00:59:34] Nathan Wrigley: Oh, and check

[00:59:35] Tim Nash: and if the big, long string matches the big, long string, these two strings match, we know that the password you submitted is the same password that you originally stored.

So at no point do we store or compare the two passwords. We're comparing the two hash strings.

[00:59:53] Nathan Wrigley: Okay, so I have a further question. What's to stop a hacker knowing what the hash, what the process of hashing will output? How is it not possible that they could, let's say that was, okay. My ignorance is gonna come out in spades here, but here we go. What's to stop somebody stealing the thing which conducts the hashing?

So in other words, that they themselves could go, no. Okay. As I'm speaking it, it makes sense. Okay. Carry on. I've got it. Okay.

[01:00:26] Tim Nash: the answer is they can and do, whenever you hear about password dumps, these are not of hashes.

[01:00:35] Nathan Wrigley: But that's a brute force thing, right? There's no way of circumventing that process. You just have to guess.

[01:00:40] Tim Nash: might have this big list of hashes and you know how it was hashed. You even know the algorithm that was used. And in this case, the big change from 6.8 is going from mcrypt to bcrypt, which is just changing the algorithm used to hash those passwords.

[01:00:56] Nathan Wrigley: Yeah.

[01:00:57] Tim Nash: And bcrypt is a significantly harder algorithm to crack than mcrypt.

[01:01:05] Nathan Wrigley: So if I was in that process and I wanted to crack that password, I would have to just go through a process of try this, doesn't work, try this, doesn't work, try this. So the security comes from the length of time and inconvenience and cost that is associated with just going through that process until I find a match.

No, you're shaking your head

[01:01:26] Tim Nash: Yeah, no, I You are right. it's, the more than inconvenience. It is the sheer time.

[01:01:33] Nathan Wrigley: It is like thousands and millions of years. This kind of

[01:01:37] Tim Nash: Let's imagine just for a second if you, if I had a password that was a character length of one, and you knew that my password was a character string length of one, then you have, and you knew it was purely just letters.

You, I've

[01:01:55] Nathan Wrigley: 52

[01:01:57] Tim Nash: combination. Yeah.

[01:01:59] Nathan Wrigley: right.

[01:01:59] Tim Nash: Now if we add in numbers and special characters, that's increased significantly. Now, if we're letting, I don't know, non-Latin language characters in, we've increased it even more. That's for one. So you as a brute forcer have to go through and try each one of those in combinations.

Let's say that you can return that in a fraction of a second. You've got a big, beefy computer that can do this in a fraction of a second. Cool. Now we've had two characters.

[01:02:28] Nathan Wrigley: Boy. It's logarithmic, isn't

[01:02:30] Tim Nash: It is. Yeah. So if you were to see this in a graph, you'd see this curve shooting up into the sky, getting steeper and steeper.

[01:02:37] Nathan Wrigley: Okay then, it somehow gets, the more characters you add, it's like the length of time it will take for the universe to equalize its energy. It's just, oh, heat death of the universe amounts of time.

[01:02:51] Tim Nash: And over the years we have slowly but surely convinced people. We started with six characters minimum. That's a bit rubbish. Eight characters minimum. That's a bit rubbish. 16 characters minimum, or I'm using a password manager. It allows me to have 32 characters in a random string. Okay. Good luck trying to break that through just brute forcing.

Most people's passwords today fail not because somebody is brute forcing by guessing the string, the random character string. What they do is they get known passwords and check against those.

[01:03:31] Nathan Wrigley: So things that have appeared like, I don't know, somehow they get hold of my password for this thing that goes into a database which gets circulated amongst all these people. So they try those ones.

[01:03:42] Tim Nash: Exactly. So if your email address turns up in a password database dump, and

[01:03:48] Nathan Wrigley: It did do that by the way. It

[01:03:49] Tim Nash: and it turns out that you use the password my princess 1, 2,

[01:03:53] Nathan Wrigley: How did, what the heck

[01:03:55] Tim Nash: I know,

[01:03:56] Nathan Wrigley: don't say those words.

[01:03:58] Tim Nash: And then you decided that you really couldn't cope with multiple passwords. So you use my princess 1, 2, 3 on every site you've ever logged into that required you to put in a password.

It's very easy to work out what your password is on your WordPress site because you go, oh, it's my princess 1, 2, 3.

However, even if you were to just slightly manipulate that password, it would be hard, significantly harder. If someone was targeting you, they might go, okay, Nathan's a creature of habit, my princess 1, 2, 3, 4, sort of thing. They'll just work out, they'll

[01:04:34] Nathan Wrigley: how my mind works.

[01:04:36] Tim Nash: But nobody's really targeting you as an individual.

In

[01:04:39] Nathan Wrigley: No, I get it. Yeah.

[01:04:40] Tim Nash: Most of the time this is automated. They'll try passwords that they know with combinations of emails that they know. They'll also look for common passwords that turn up. The reality is if you have an uncommon password and you make them unique and long, it's really difficult to break into these things.

[01:05:00] Nathan Wrigley: Okay. I gotta ask then, if it's so difficult, why are we changing it?

[01:05:07] Tim Nash: Because all things in life, we started off going, we started off with things like SHA-1 and we were like, ah, this is really secure and sophisticated and there aren't giant supercomputers that can work backwards. So up until now we've worked on the assumption, you cannot go backwards from this, but there are some, it is a mathematical algorithm that does that, to make it so that it stays the same, you get the same response each time you hash it over time.

We started with SHA-1 and older hashing algorithms and we said, yeah, they can't be, oh, if you throw enough sheer power at this problem, you can work out, you can break backwards. So you don't need the original password to work it back.

[01:06:02] Nathan Wrigley: So hold on. Just to understand that, in some cases it's possible, not just by brute force, to figure it out. There is, like in the example of SHA-1, there was an algorithmic way of getting it right a hundred percent of the time. No guesswork required,

[01:06:18] Tim Nash: but you needed significant computing power to

[01:06:21] Nathan Wrigley: but still some people have that, right?

[01:06:25] Tim Nash: Yeah. And

[01:06:26] Nathan Wrigley: So it's broken the minute somebody's got it, it's useless to everybody.

[01:06:31] Tim Nash: Potentially, and so over time we, so we started with MD5, we went to SHA-1. We've now reached the point where theoretically mcrypt could potentially be broken and theoretically so could bcrypt. But each time we do this, the big difference between bcrypt and mcrypt is that the adoption of bcrypt hardens the security by increasing the computational cost of cracking even more.

So we're basically making this harder and harder, requiring more computation just to even be able to do this, to break these algorithms. So this switch is theoretical. Your website is in no danger of having your passwords cracked except through the common guessing route right now.

But there is a potential and we are living in an age where there is a lot of compute power and we could see this being broken. So the move.

[01:07:31] Nathan Wrigley: I, yeah, I guess if somebody's figured out a theoretical, I don't know, maybe that's based upon the amount of compute power on planet Earth or something along those lines, then you've drawn a straight line between, this is an idea to, there's a horizon in which that is gonna happen, and Moore's law, it just, this stuff happens.

Give it enough time. If you don't change the M crypt to the B crypt, I don't know what that horizon is. Maybe it's one year, 10 years, 20 years. The point is it's getting closer every day that passes you, then you have to move in order to just stay ahead of that theoretical horizon.

[01:08:08] Tim Nash: Yes.

[01:08:09] Nathan Wrigley: Okay. Okay.

[01:08:11] Tim Nash: So this is why we're making the move. Now there's a lot of people who will go, hang on, bcrypt's already old hat. We already have other standards and the industry standards are closer to Argon and Argon2, which are a whole new set of algorithms and ways to do hashing. And the answer is yes, but also no, because you have to go with the lowest common denominator that is available across the most hosts possible.

[01:08:42] Nathan Wrigley: Got it. Okay. So we're

[01:08:44] Tim Nash: wonderful thing. Yeah. The wonderful thing

[01:08:47] Nathan Wrigley: by the hardware people have actually got available. Yeah. Yeah.

[01:08:50] Tim Nash: So pretty much every host who is running some sort of Linux system that is from the last however many years, and I can't, off the top of my head, I dunno what it is, but it is a long time.

We're not talking like in the last two years. So if you've got an OS that's a Linux OS that's been running for the last five, 10 years, it will have bcrypt enabled. It might not have Argon enabled, the version of PHP you're using might not have Argon enabled. So there is a practical benefit thing where we're like, okay, we can't necessarily rely that Argon will be there.

So you have to use the best, most widely available. And

[01:09:27] Nathan Wrigley: Yeah. Yeah. that makes sense. Yeah.

[01:09:30] Tim Nash: There have been plenty of people in the WordPress space who have been using bcrypt and Argon for years.

[01:09:36] Nathan Wrigley: But they know that their hardware can accommodate that,

[01:09:39] Tim Nash: Yeah. The people who do the Roots theme and Bedrock and all that stuff, they basically had a plugin that allows you to replace the phpass library, which is what WordPress uses, with the default PHP library. Which is one of those sad ironies, that at one point WordPress was ahead of the game and we brought in a library called phpass that supported, at the time, mcrypt, and it was really fancy. But since then, PHP itself built its own hashing tools inside the PHP language, which supported these other things, including bcrypt and Argon.

So the Roots team had a plugin that allowed you to take that and use it, and it basically did a swap of phpass and used the default PHP. Myself, I've had a plugin for years that does a similar thing, that's actually a fork of the Roots one, and that code base has then been used by other people, including hosts.

So there's multiple hosts, managed hosting companies, that are using bcrypt under the hood for managing their passwords. And there are several managed hosting companies that have been using Argon. So from their perspective, they've already done this. They've done all the hard work. The only problem you do get is when you move from one algorithm to another.

'Cause you do need to support both while you're doing the migration.

[01:11:13] Nathan Wrigley: Oh, so do we have both in WordPress 6.8, and it'll at some point move

[01:11:18] Tim Nash: We have far worse than that at the moment.

[01:11:21] Nathan Wrigley: oh, dear.

[01:11:26] Tim Nash: WordPress didn't start with mcrypt. We started with MD5,

[01:11:31] Nathan Wrigley: Okay, that's a familiar old name.

[01:11:33] Tim Nash: Yes. But this also means you can do really fun things like just randomly insert. MD5 is very easy to generate and very easy to see. If you want to ever get into a WordPress site, you could just create an MD5 string and shove it in the password field, and then WordPress will go, oh, that must be the password.

[01:11:54] Nathan Wrigley: oh

[01:11:55] Tim Nash: It doesn't know, it goes, oh, I'll use the old one and then I'll rehash it for you to use the

[01:11:58] Nathan Wrigley: That doesn't sound good.

[01:12:01] Tim Nash: And we're gonna be in exactly the same situation with this. Basically the first time you log in, it's gonna try and decrypt, they're going to do the hash using bcrypt and go, huh, that didn't work.

I'll try the same doing the, I'll try and hash it using mcrypt and see if it matches the string. Oh, it does, I'll take the password you've given me. So I'm gonna store that in memory for a little bit and then I will rehash it and insert it with the bcrypt version back in to let you do the updates. So for a while

[01:12:33] Nathan Wrigley: a bit of time

[01:12:35] Tim Nash: for a while, we are gonna have both in there, going through.

[01:12:39] Nathan Wrigley: Okay, that's interesting. Just by the way, the article that we're linking to here where this is all announced is on make.wordpress.org. It's called "WordPress 6.8 will use bcrypt for password hashing". And this is the definition. John Blackbourn put this together on the 17th of February, and to me, it's the definition of tinfoil hat.

This is a strap in and enjoy it, because it contains such wonderful lines as: in addition, application passwords, user password reset keys, personal data request keys, and the recovery mode key will switch from using phpass to the cryptographically secure but fast BLAKE2b hashing algorithm via Sodium.

Now, at this point, I'm sure that makes sense to you, but I'm so grateful that there are people like you and John Blackbourn who actually understand what's going on.

[01:13:32] Tim Nash: That is a lot of words to say we're switching over to using better, a better

[01:13:37] Nathan Wrigley: Lovely. All the words. All the words. It's good.

[01:13:42] Tim Nash: But a couple of things that people might want to know is if you do support Argon on your server, Argon2, you can just add a filter within. So you'll be able to add a filter through this and say, actually, I want to use Argon2.

If you do use a completely different password hashing algorithm and setup, you can still do that. This is all replacing the drop-in code base as it is now. So you can use exactly the same way that you could do previously to swap out, which is what people at the Roots team were doing anyway.

You can still do that with this, so if you've got something that's already existing for you, this won't automatically overwrite it. But going forward, this will be the default standard. It brings us up in line with most industry applications for web applications, and this is a positive thing.

[01:14:33] Nathan Wrigley: Good. Good. There we go. We're gonna end it on a positive note. We have run out of time. Sadly, we will move the AI vibe coding, interesting conversation to the next one, I think because, yeah, we've, yeah. What are we at now? An hour and 10 minutes. I feel that's enough security for more or less anybody except you, because when we finish this call, you are probably gonna get right on with a load more, but as always, you've made the impenetrable understandable and I appreciate it.

Thank you so much, Tim. I really, enjoy chatting to you. I appreciate it so much. Thank you. And we'll see you next time.

[01:15:10] Tim Nash: See you next time.

[01:15:11] Nathan Wrigley: Well, I hope that you enjoyed that. If you did, head to wpbuilds.com. Search for this episode. You're gonna be able to find it by searching for episode number 415, and leave us a comment there. We really appreciate it when folk like you leave a comment on the WordPress commenting system, that would be really, really nice.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me/wpbuilds.

We are also joined this week by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud, the possibilities are outta this world. Experience it today at Bluehost.com/cloud.

This podcast was also made possible by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good, it's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.

And sincere thanks go out to GoDaddy Pro, Bluehost and Omnisend for their support of the WP Builds podcast.

Okay. That truly is all that we've got time for. Well, not quite. I've got a couple of things to say and they are as follows.

Why not join us for the This Week in WordPress show? We do that live every Monday. wpbuilds.com/live. Come and join in the commentary from all over the world. We are typically represented in the comments by people from literally every time zone. It's a lot of fun. You might enjoy it, and it's very lighthearted. Once more, wpbuilds.com/live. I'll be joined by three other panelists, and we'll have a chat about the WordPress news from this week.

Also, don't forget, we'll have another podcast episode dropping on Thursday. Find us in your podcast player of choice by searching for WP Builds. And if you want to advertise, that's slash advertise as well.

Okay, I'm gonna fade in some cheesy music and say stay safe, have a good week, bye-bye for now.


2 Comments

  1. I’m biased because I’m good friends with Tim, but my goodness, he is a wealth of knowledge, and such a great communicator – so very eloquent and good at making complicated things simple. This is a joy to listen to.
