
WPwatercooler

WPwatercooler is recorded & streamed live Fridays at 11:00 am Pacific

EP388 – Securing WordPress: Bots and Hackers

Show Notes

On this episode of WPwatercooler we discuss how you can secure your WordPress website to defend against bots and hackers. This is a question that comes up all the time at our local WordPress Meetups and at our WordCamps, so we thought we’d share the best methods for doing so, as well as what the information you get out of these security tools should mean to you.

Security Series


Show Sponsors

Desktop Server – ServerPress https://serverpress.com
WPsitesync – https://www.wpsitesync.com

LOFT provides support for WordPress sites — including disaster preparedness, patches, maintenance and plugin management, content updates, and more — all for a flat monthly fee. Right now they’re offering a free trial. Check them out at https://poweredbyloft.com

Are You Looking For Brand Awareness?

You could be a show sponsor. Let people know you’re still in business and supporting your products. Supporting podcasts is a great way to repurpose your in-person conference budget.

We have been sponsored by big brands such as Kinsta and Cloudways. Why not get your audience in front of the thousands of people who download this show every month?

Yes, WPwatercooler has thousands of downloads every month. We’re not just a YouTube Show.

https://www.wpwatercooler.com/sponsor


Show Transcript

Editor’s Note: Transcriptions of episodes are created with a mix of speech recognition software and human transcribers, and may contain some grammatical errors or slight deviations from the audio.

Se Reed: [00:00:00] Hey,

Jason Tucker: [00:00:13] This is WPwatercooler, episode number 388: Securing WordPress, Bots and Hackers.

Se Reed: [00:00:19] Hey.

Jason Tucker: [00:00:19] ServerPress, maker of DesktopServer. They make local WordPress development easy. Check them out at serverpress.com

Jason Tucker: [00:00:22] Loft provides support for WordPress sites, including disaster preparedness, patches, maintenance and plug-in management, content updates and more, all for a flat fee.
Check them out over at poweredbyloft.com for a free trial.
I’m Jason Tucker. I’m an IT director and WordPress web developer. You can go find me over at Jason Tucker on

Se Reed: [00:00:45] Hi, I’m Steve Zehngut, I do stuff. WordPress, something about the Orange County meetup. Hi, I’m Sé, I do make WordPress, teach WordPress, at Sé Reed Media on all the things.
Okay. That’s Cosper. He’s not talking, apparently, either. That’s a dog. Oh, okay.

Jason Tucker: [00:01:05] You can follow us over on Apple Podcasts, Google Podcasts, and Spotify. We’d really appreciate it if you did that. And one last thing, we have a Discord. Go to wpwatercooler.com/discord where you can join us over in the Discord and hang out with us.

Se Reed: [00:01:23] You can say, Hey.

Jason Cosper: [00:01:24] I swear. I swear. I know how the mute button works. I,

Se Reed: [00:01:30] How far are we, how, like, you work from home anyway, you don’t even need the, like, work-from-home excuse. You’ve been working from home. You learned how to use the mute button thing.

Jason Cosper: [00:01:39] I’ve been working from home for 10 years. I should know how a mute button works at this point.

Jason Tucker: [00:01:44] So we swapped Steve out today for Dan, how are you doing?

Dan Walmsley: [00:01:49] hi, my, my deep seated lack of confidence stemming from an unloved childhood is my own personal mute button. So I was just like sitting back. Yeah, exactly. No, I’d just like to launch into it. I just like to go all the way there, all the way there and off the edge. Yeah.

Se Reed: [00:02:03] Who are you and what are you doing here?

Dan Walmsley: [00:02:05] I’m Dan Walmsley. I work at Automattic and I’ve done a lot of different roles at Automattic, and mostly right now I do a certain amount of R&D and kind of data wrangling in the Jetpack part of the company, and yeah, rank.

Se Reed: [00:02:16] mean? Exactly? No, just kidding. Just

Dan Walmsley: [00:02:18] I think it’s something to do with Buffalo. I don’t know. But it has been hijacked by techno, like so many other words.
So yes. Yeah, I’m a coder by background. I’m a programmer. Yes, I’m kind of a dogsbody at Automattic at this point. I’ve run and launched a few different products over the years. And I was most

Se Reed: [00:02:33] yourself a dog’s buddy.

Dan Walmsley: [00:02:35] Dogsbody. I think it, again, the tech people have probably stolen from somewhere else.

Se Reed: [00:02:40] Food, like eating your own dog food. Okay.

Dan Walmsley: [00:02:43] that’s a great question. I didn’t think so, but now I’m wondering,

Se Reed: [00:02:46] Your dogsbody eats your own dog food. This is a weird analogy. We should probably stop going into it.

Dan Walmsley: [00:02:54] I just love how much we’ve already talked about security.

Jason Tucker: [00:02:57] Yeah,
Those are great passwords, by the way. Great passwords.

Se Reed: [00:03:00] Oh, yeah, dogsbody is a good password. You haven’t been on in a while, so I’m just going to remind you real quick. Half the show is not educational

Dan Walmsley: [00:03:11] That’s right,

Se Reed: [00:03:11] and that’s mostly the part where I’m speaking. No, just kidding. I’m very

Dan Walmsley: [00:03:15] That’s what I’m here for, because I actually have almost no expertise in the subject matter. So I hope that it’s mostly banter,

Se Reed: [00:03:22] Just banter,

Dan Walmsley: [00:03:23] but I will say I did get the download from the actual experts at Automattic before coming on. So I will pretend really well to know what I’m talking about, because we do have actual security

Se Reed: [00:03:34] so here’s the deal. Why is it broken and how are you going to fix it?

Dan Walmsley: [00:03:38] Have you tried turning it off and on

Se Reed: [00:03:39] Shit, it’s always the question.

Dan Walmsley: [00:03:42] so fast with that answer?

Se Reed: [00:03:44] And then it’s done. Here’s a really fun thing. And this was not related to our topic today. I didn’t mention this when we were talking about our topic, but this week I was talking to, there’s that pipeline hack, ransomware fun times, Capitol pipeline hack.
So one of my clients is in the public works industry, and I was literally on the phone with my client and she goes, oh my God. We were talking about that and email security in general and phishing and all that. We’re literally on the contracting. And she got an email from one of her employees that said, this email looks a little suspicious.
Should I click it? And it had gone out to the entire company and it was from Adobe, but it was like, all the words were spelled wrong or whatever, but turns out three employees clicked it. And yeah, it was just the irony that it was while we were on the phone talking about it.
And so someone tweeted back at me, cause I was tweeting about it, and they were like, yeah, it’s almost like security concerns haven’t been a problem. Like phishing hasn’t been a problem for the last 30 years. Like it’s brand new information. Like people can hack computers. Wait, what?

Jason Tucker: [00:04:56] movies about it.

Se Reed: [00:04:57] That’s

Dan Walmsley: [00:04:58] Ironically, Gutenberg is such a powerful editor now that, like, making a phishing site has become easier than ever. I think I’ve seen some tutorials, like, of people being like, this is how you can make, this is how you can make, like, the Chase bank website in Gutenberg in under five minutes, and I’m like, don’t tell people that.

Se Reed: [00:05:14] Oh, wow. So literal, like spoof, phishing sites. Wow.

Dan Walmsley: [00:05:19] Yeah.

Se Reed: [00:05:19] Are there patterns for that? There’s

Dan Walmsley: [00:05:22] yeah,

Se Reed: [00:05:22] a special pattern library for, like, load up Chase, load up Wells Fargo. It’s a pre-built pattern. Don’t worry about it. Just load up your ACH. Wait, is that really happening though? I just want to know.
Is that really happening with Gutenberg?

Dan Walmsley: [00:05:36] WordPress has always been used, like all CMSes have been used, to create, like, fake websites that you trick people into clicking on. It’s just, as the CMSes get better, like, including Drupal and other ones and Wix and whatever, it does make it easier and easier to make a professional looking website that you can trick someone into clicking on, because it doesn’t have coming soon animated GIF shovels all over it, right?
Like, in the GeoCities and MySpace era you were limited in how much you could make a fake bank, but now you can do a pretty good job. Make a fake bank, make a fake bank and make a real bank at the same time.

Se Reed: [00:06:07] Yeah. See, we’re so lucky that so many security people use their powers for good. there’s a whole, there’s a whole lot of people who use their powers for evil.

Jason Tucker: [00:06:17] Where should we start off on this topic? We’re seven minutes in,

Se Reed: [00:06:21] Okay. Why are you so time focused today?

Jason Tucker: [00:06:24] Cause there’s only 30 of them.

Se Reed: [00:06:25] we got topics to do.

Jason Tucker: [00:06:28] There’s only 30 of them. Dan, what did you hear so far from your folks when you went and posed this question?

Dan Walmsley: [00:06:34] Yeah, so actually one of the most interesting things to me is, like, how has the WordPress security picture kind of changed over time? Because I think a lot of people are used to thinking about it in terms of, I don’t know, like people hacking individual sites, like back in the day, or like a malicious plugin or something like that.
And what people are seeing increasingly now is automated attacks that are basically like, you have some machine running on the Amazon cloud. The hacker does that, just basically firing off attacks at every single known WordPress site. So

Se Reed: [00:07:05] Thanks. Jeff Bezos

Dan Walmsley: [00:07:08] yeah.

Se Reed: [00:07:09] Hacks brought to you by Jeff pesos.

Dan Walmsley: [00:07:11] You can do, like, there’s so much parallel computing capacity now that it really does make this viable to test a particular zero day exploit on a million websites in a minute. So that’s becoming increasingly prevalent and that’s one of the things that really worries people.
Cause you start to see more and more hacks, like, happening on your site, because all these different hackers are automating them and trying every single different test. And not only is that worrying as an end user, like you see all the alarm bells going red and stuff, but it’s also, like, it’s stressing your site out, right?
Like it could almost be a DDoS at some point, if you’ve got people trying out all these different passwords or trying different length strings with different encodings and stuff like that. That’s, like, stressing your website out. That’s the thing that’s changed.

Se Reed: [00:07:53] have you heard of Eric Jones?

Dan Walmsley: [00:07:54] No,

Se Reed: [00:07:55] Oh, I was on some forum somewhere and I keep getting spam on one of the sites that I haven’t locked down properly, on a contact form. And I’m like, it’s always from Eric Jones, and everyone was talking about how the spam is going out, like, through WordPress contact forms from this guy.
Obviously it’s not a guy, but like they keep using the same names, and so interesting. I was like, huh. Okay. I got that spam too. Now I feel like I’m in the, I’m in the group. It’s cool. No question. I don’t know how many years ago, time is weird, but a while back there was a really big, there was a big botnet and there was more of a concern about WordPress sites, especially old WordPress sites, being strung together to make botnets.
Is that still something that is, I haven’t really heard about a lot of this. So is that something that’s still a concern or is that concern lessened to a degree

Dan Walmsley: [00:08:44] I haven’t seen, we didn’t actually touch on that in my discussions with the Jetpack Scan team, but I have to imagine that it’s a possibility, like you do see. So there’s a particular class of attacks where you can upload what’s called a web shell. So if there’s a plugin, like a media library kind of thing or whatever, that writes to the file system, and you can, as an end user, as a non-admin, trick it into uploading a file, then sometimes you can use that file to create what’s known as a web shell. So it is able to take HTTP requests and run them locally, like a shell. So you can run commands and enumerate the file system, do all kinds of stuff.
And once you’ve got a web shell, you can get in and get to an actual terminal in the system. So for end users, this is that black and white thing, like where you can type commands and the computer runs them, as opposed to WordPress, the front end.
Once you can do that, like, all bets are off. You can turn, you can make it part of a botnet. You can just, the most malicious thing is you make it part of a botnet, but you don’t do anything for a long time. So the person doesn’t know, like, the computer’s been hijacked, and then at the right time of your ch, yeah.
And then at the right time, you hold someone to ransom and say, I’ve got a hundred thousand computers pointing their network connections at you. And I can take you off the internet because I’ve hijacked all these computers and made them part of my army. So that is.

Se Reed: [00:10:03] their hands.

Dan Walmsley: [00:10:04] And here’s the thing

Se Reed: [00:10:05] very profitable,

Dan Walmsley: [00:10:07] it’s very profitable, right?
Like we used to see a lot of link farming back in the day, where, like, you could post comments pointing back to you. This is why we ended up with rel=nofollow and stuff. Like people were posting comment spam pointing back to their site, and Google sees that as a ranking signal and you get on the front page. Then we started to see, we would call them, this and these other, in Magento and things, making it easier to do comments online, and there’s still link spam, but now there’s a lot of credit card spam, right?
Because you can take these fake credit cards and really buy stuff with it. And then we’re seeing, like, really crazy things now where people are creating fake reseller pages that sell real products and harvest the reseller, so they’ll take somebody else’s Amazon reseller page where they’ve written a review of a, whatever.
And they, like, scrape that, replace the reseller IDs and run it on their own site. Now, is that a hack, right? Or is that a

Se Reed: [00:10:57] Just an arsehole,

Dan Walmsley: [00:10:59] right? Are you just a butthead? But the thing they have in common is it’s all about money. And ultimately, that’s going to be a good guide to the kind of hacks we’ll see in the future.
If you can start paying for things with Bitcoin, what new hacks does that create? And so on.

Se Reed: [00:11:12] So many. Last summer I had a, like a pro bono client, not pro bono client, pro bono client’s had someone else for him, it set up a Stripe, like buy button for Stripe specifically, but it interacted with Stripe, and basically someone hacked it. I don’t even know how this happened, but they paid for, with fake credit cards, they bought a $5 digital thing or whatever. So nothing was being shipped or anything. But the account received, I think it was like $80,000 of $5 transactions. Like it was like 8,000 transactions, something like that. And it all went through Stripe, and then, because of the way Stripe works, it like automatically puts the money in the bank account.
It was just like, whoa, why is all this money here? And so we had to refund all of that. And then all of those credit cards had to get refunded. It was a total nightmare and I’m not even sure how they spoofed that. Obviously there could have been some sort of a hole in the plugin, the Stripe, I’ll get the name for the show notes.
But I don’t know. I still never figured out if it was that plugin, or they were going directly to Stripe, or was it like, cause there were no transactions on the site itself. Like it was all in some weird middle space. Like where is that even happening? I don’t even know, but it was a product that was on the site.
But it was just like, weirdly, I don’t even know how would one even protect against that. Obviously the plugin is probably where that gap was, but what’s your, do you have any, like, recommendations? Or, this is not shameless plug time or anything, but is that something that Jetpack Scan would even notice if it’s happening on the way out of the website?

Dan Walmsley: [00:12:54] It’s a really easy, so we actually, so we have Jetpack Scan and we also have Akismet. And the two are actually increasingly closely related, because at some point you’re not just looking for known kind of things that you’ve seen before, but you’re looking for signals of, like, unusual behavior that you can then investigate and turn into a signature. So in the Jetpack Scan team, like, one thing we’re getting better and better at, actually really quickly, is this sort of feedback loop between, like, how do we spot weirdness and identify weirdness? Like how do we turn that?
Yeah. There it is. It’s a blue spectacles. There’s floating, colorful bubbles. That’s where it is. Yeah. Or you’re floating above a planet. No. How do you spot, how do you spot weirdness, new kinds of weirdness, existing kinds of weirdness? How do you turn that, as efficiently as you can, into a signature that like, and what do I mean by signature?

Se Reed: [00:13:42] Somebody who

Dan Walmsley: [00:13:43] This is exactly. And it’s, you want it to be specific enough that it always catches this particular kind of hack or this particular kind of spam or whatever it is, but it doesn’t catch stuff that’s not spam. And so that’s like a real, it’s an art form.
Like, it’s very hard right now to take humans out of the loop on that. But what you can do is have systems that look for anomalies and prioritize those and put them in front of, like, security experts who can then say, oh yeah, okay, I can see that this is malicious or non-malicious. One interesting thing is obfuscated code.
So what a lot of hacks do is they’ll rewrite the PHP in a different way for every website, so that it’s really hard to write a signature. And one thing we’ve started doing is, like, try to de-obfuscate that code and then change all the variable names to, like, sequential numbers or whatever, and put it in an abstract syntax tree and basically say, not do these pieces of code look the same, but do they do the same thing?
Because the hackers are always,

Se Reed: [00:14:36] pattern recognition, right?
Or not pattern recognition in the code, but pattern recognition in the, what the code does, like you’re saying. So

Dan Walmsley: [00:14:43] yeah.

Se Reed: [00:14:44] that’s interesting. So there are patterns in hacking

Dan Walmsley: [00:14:47] And what’s interesting is if you’re in the Magento space and obfuscated code, like, Magento has so many, like, closed source plugins that it’s very common for a vendor to obfuscate their PHP so that their competitors can’t take it, because it’s proprietary. What’s really cool about WordPress is if you see obfuscated code that’s, like, coming down, like, in a plugin that came from the .org directory,
you can be moderately sure that’s a problem,

Se Reed: [00:15:14] it’s not

Dan Walmsley: [00:15:14] because, cause, like, it’s not permitted in the .org repo. And obviously there are commercial plugins you can download for WordPress, but it’s a lot less common. So it’s an interesting signal. And then we do have all sorts of ongoing issues with order spam and stuff in WooCommerce.
And it’s somewhere between spam and a hack. Cause someone’s getting stuff for free, so it’s a hack, and like maybe they’re exploiting, so, credit card stuff, but then it’s also spam because it’s in the form of an order. It’s got content in there and, like, addresses in there that maybe you could see patterns in those and say this is fake.
So we’re really lucky to have all these different signals, and the final really great signal is, we provide so many different features. Like we provide search indexing for your content over here, and we provide, like, monitoring, like uptime monitoring over there, that, like, we can combine, compared to, say, other security plugins that either aren’t WordPress specific or are just kind of narrowly just a WordPress plugin. We can take a lot more signals to look for these, like, anomalies. And that gives us a better chance of catching them and putting them in front of these experts and turning them into signatures much more quickly. And that’s.

Se Reed: [00:16:18] do you think the sorry. Did you want to finish your

Dan Walmsley: [00:16:21] Oh, no, it’s okay. And I will say it’s because so many hacks now are automated, it is a speed thing, right? Like you do want to get these signatures made quickly and you want to have a production line of that. And so prioritizing anomalies is really cool.

Se Reed: [00:16:33] So just that’s the same, what I was going to follow up on. How often, since you are speaking, not that Jetpack is the only solution to this, but since we have you here, how often does that get updated? I’m assuming every day you’re recognizing more patterns, you’re pulling in so much data, but how often does that get
crunched and pushed back out? Is it just every day there’s, here’s 10 more flags that we’ve added to this? Or is that just thousands? What is that?

Dan Walmsley: [00:17:01] So we have a bunch of different processes, and some are more real time: support requests from someone saying my website’s being hacked, and you need to respond in real time. You need to figure out what the vector was in real time. But then some, like, some deeper stuff, like I actually started doing, is taking all of the information we have about exploits, and we had it all in sort of these MySQL tables, right?
Like a lot of stuff at Automattic, where all the signatures and all the times things have been hacked and all the times that they’ve been corrected are in a big SQL table. Now we started loading this into Hadoop and doing, like, big data analytics on it. So there’s this separate, like, batch process where it’s, it’s fun for me.

Se Reed: [00:17:39] Yeah. It was like a data analysis

Dan Walmsley: [00:17:42] I don’t know. Ooh. Tell me more.

Se Reed: [00:17:44] that. You literally were like, tell me more.

Dan Walmsley: [00:17:46] So what’s really cool about that, and it’s, like, more heavyweight, so you have to do it in, like, chunks, right? We, what we call, Sqoop data into Hadoop, which is a big data system where you can operate on lots of data from lots of machines in parallel. And then from there, you create reports that are like, okay, how fast are we catching stuff versus how fast it’s being reported?
Like how effective are these signatures? There’s this thing in statistics, like precision versus recall: how many false positives, how many false negatives. And then surfacing that, and just continuous, that lets us continuously iterate on, like, the whole system, as opposed to just being reactive and not having this, like, bigger picture of how we’re doing.
Yeah, so it’s really exciting. It’s, you constantly, we constantly have to make these things better. There isn’t some established system that you can just put in stone and, like, never change, because

Se Reed: [00:18:35] the Internet’s not static. Shit.

Dan Walmsley: [00:18:37] It’s this thing I said before, about how so many attacks now are automated, that it’s like the time between an exploit being created, say an insecure plugin comes out, right?
The time between an accidentally insecure plugin coming out and that being on lots of sites, and then that being exploited at scale, is getting shorter and shorter. So I will say to people, keep your plugins up to date, because, keep your WordPress up to date, keep your plugins up to date.
If you do nothing else, like, that’s a great way to avoid security issues, because they often come in the form of a point release and you want to get those point releases really quickly. And that’s why it’s a great thing that WordPress put in auto updates for security releases. It’s huge, right?
But that’s like the floor. And then from there, you can start to do better and better.

Se Reed: [00:19:19] So how often is the Jetpack Scan database of bad things, let’s call it that, like how often is that? Is it, I’m assuming that’s more real-time, that’s not just updated when you update the software, right? Cause it’s pulling from some sort of external database that’s being updated all the time.
So is it just like constantly just getting stuff, where it’s starting to flag things, like, on an ongoing basis.

Dan Walmsley: [00:19:43] Absolutely. Yeah. So we’re very fortunate in that, as well as having the security plugin, we host a lot of, we have this Atomic and Pressable and these other, like, small hosting sort of things that live on Automattic. So we get a constant stream of information, because the systems teams are obviously trying to keep those sites all working all the time.
And people will go in and obviously there’ll be manual fixes for things that have happened even before we’ve got what we call a fixer for it, but we are in the process of actually making that even more real time and fixing some of those things automatically. It’s a little tricky fixing things automatically,
cause you have to have so much confidence that it’s the actual hack, and you have to have so much confidence that the fix isn’t going to break the site. And that thing is just really tricky to get to, but, like, we’re getting closer and closer to that, because we host a lot of WordPress sites ourselves.
And then, as those things get, we get more confidence in them, we can roll that into the plugin for other hosts. So things will get more real time. Right now there’s this process of, we get a lot of data about what’s going on on sites, but we don’t always turn that into, like, direct actions straight away.
Like it has to go through a review process, it has to go through, because not everything we see is what we think it is, unless you look closely. Yeah.

Se Reed: [00:20:55] I have, I went on another thing I wanted to talk about, but I wanted to allow Cosper and/or Jason to say something if they want.

Jason Tucker: [00:21:03] We get the last five minutes. Cosper, I’m

Se Reed: [00:21:05] No. Only like the next two only the next two. Cause I don’t get crazy. Okay. I wasn’t like giving up all of my air time.

Jason Cosper: [00:21:17] No. So I’m actually just, within, which release was that? I’m a little shaky on it, it’s been a weird year, but they’ve also had plugin auto updates available and theme auto updates available. That is something that I know a few people are shaky on enabling on their sites. Especially when they have something big, like WooCommerce, running that they can’t necessarily, they need to make sure their extensions and everything else are working with the new version of WooCommerce before they update it.
But fortunately, because that is built in to WordPress now, you can, at a plugin level, say, hey, upgrade these, like, handful of plugins that I know aren’t going to break the site. And then I do that on most of my sites now. And then have a tool, like I use theme sync in the background.
Just to, okay, now you can use ManageWP or whatever else to have, like, here’s the centralized dashboard, where if I have a handful of other sites I can make sure that those plugin updates are rolled out and control the ones that I need to control, but everything else

Se Reed: [00:22:32] Cause it’s all the little plugins that I think are the bigger risk, because WooCommerce has literally a team of people, like, making sure that it’s not breaking and making sure that it’s secure. So if there’s a real problem in WooCommerce, like, there’s people on it, as opposed to, maybe, one of these, a couple of small plugins that has one person who checks back on it every couple of months.
And they, that is more ripe for exploitation than something like WooCommerce, which is basically like attacking a castle instead of

Dan Walmsley: [00:23:01] that’s true. Yeah. The real,

Jason Cosper: [00:23:03] It’s

Dan Walmsley: [00:23:04] sorry I was,

Se Reed: [00:23:04] was going to say

Jason Cosper: [00:23:05] I was gonna say, it’s rarely WooCommerce. It’s a WooCommerce extension that you need to make sure is lined up before. Yeah.

Jason Tucker: [00:23:11] Yeah.

Jason Cosper: [00:23:13] Proceed.

Dan Walmsley: [00:23:14] Oh yeah. Yeah, I was just gonna say that usually the less frequently updated plugins are less popular. The really dangerous thing is when you have an unmaintained plugin that’s really popular, because that increases the incentive for someone to exploit it. There’s more sites running this sort of popular thing.
Yeah, it’s, this is one of the.

Se Reed: [00:23:31] plugin or something that has part of it, use like actual data entry or

Dan Walmsley: [00:23:35] Yeah. Receiving.

Se Reed: [00:23:37] to transmit data. And so it’s so much more easily exploitable. You don’t even have to poke a hole in it. There’s already a hole.

Dan Walmsley: [00:23:44] Yeah. And actually, oh, here’s a really nefarious thing that I learned today: some exploits are just from a combination of two plugins. So either plugin by itself doesn’t have a vulnerability, but when you install two plugins together, then, like, you can exploit the file system writes from one with the unescaped user input from the other and get something.
And yeah, so

Se Reed: [00:24:05] not heard of that.

Dan Walmsley: [00:24:06] That’s the way that people are getting really sophisticated and and our team is always trying to obviously stay two steps ahead, like every security company team, but those are some of the things that have

Jason Tucker: [00:24:15] That right there is a Dev Branch episode in itself. Like, Dan, whoever you got to get, whoever you got to get in to talk about that. I think that right there is one of those, one of those topics that you don’t really think about, because of the fact that if you’re building just one plugin and then someone else is building that plugin that’s going to help with that type of exploitation,
you’re not thinking about that.

Se Reed: [00:24:40] No, and you’re not coordinating.

Jason Tucker: [00:24:42] different plugins to make sure that they don’t like break or anything. And they’re, there’s correct

Se Reed: [00:24:46] What does that data look like? Is that a spreadsheet that the hackers have where they’re like, on most websites, if you have Contact Form 7, you also have this other shoddy plugin set up, and then let’s pull these together? Like, how do you, that’s a really interesting approach. That’s very creative.

Jason Cosper: [00:25:03] So there are tools like WPScan that will check for a particular

Se Reed: [00:25:10] I know, but you’re not going to just pick one site and be like, those two work together. You want two plugins that are often installed on the same site. So that’s like a whole person that’s, like, marketing profiling with people level, like what type of person with their cat blog installed both this plugin and, that’s just, like I said, that’s really creative.
I’m almost impressed. Is that weird, right?

Dan Walmsley: [00:25:32] And this is why, one of the things, again, as well as keeping your plugins up to date, have the minimum number of plugins that you need. Don’t, God, like we’ve seen a lot of, we just released a great performance plugin, and we see only bad interactions where people have got four other performance plugins and then they install Jetpack Boost on top.
And it’s, you don’t need all those plugins. Often, if you’ve installed more than one plugin that does the same thing, you’re asking for trouble. And if you’ve installed more plugins than you need, you’re obviously exposing yourself to more different kinds of attacks. So, like, minimizing the number of plugins, focusing on high quality, frequently updated plugins, and, like, having one security solution on top, I think is probably good advice to people.

Jason Tucker: [00:26:10] Yeah this is part of Cosper.

Jason Cosper: [00:26:13] Just one last thing. Multiple plugins, multiple performance plugins, is like adding basically a second spoiler on top of your spoiler and your

Se Reed: [00:26:22] you guys? I saw that truck with a spoiler on top of it two days ago. What was that? It was amazing.

Dan Walmsley: [00:26:29] Yeah. If four wheels are fast, 12 wheels must be really fast.

Jason Tucker: [00:26:32] Exactly. Hey, this is episode, this is like the first of a series that we’re trying to do here on security. We’re going back, and we’ve talked about this stuff, we’ve been doing this for eight years now. There’s so much stuff. Yeah. There’s so much stuff that we’ve talked about.
We’re going back to the basics and going, okay, what should we be doing here?

Se Reed: [00:26:48] Like where is it at now? This stuff changes

Jason Tucker: [00:26:51] Oh, yeah. We’re not worried about changing your admin username from admin to something else. There’s more to it than just that.

Se Reed: [00:26:58] Although I have a Wordfence site that keeps sending me notices that someone is being flooded with the intention, like the admin

Jason Tucker: [00:27:07] It’s the worst. It’s

Se Reed: [00:27:08] still a thing.

Jason Tucker: [00:27:09] Yeah, we’re going to be discussing more of this next week. And for, I think for at least the next couple of weeks here, we’re going to be talking about security type stuff. Dan, thank you very much for coming and hanging out with us.
We really appreciate it. And,

Dan Walmsley: [00:27:21] so fun.

Jason Tucker: [00:27:21] It’s been a pleasure to not have Steve on for one episode, like, I just talk his ear off. He’s just crazy. Yeah,

Se Reed: [00:27:28] Thanks for the banter.

Jason Tucker: [00:27:30] Yes, definitely. Thank you very much for that. And you guys have a good rest of your day.
Here’s our outro. Head over to WPwatercooler.com/subscribe, where you can learn how to subscribe to this content and all the other content that we have on our network. If you want to listen to us as a podcast, you can do that as well. We’re available on Apple Podcasts, Google Podcasts, Stitcher, Spotify. And if you want to watch us, we’re on YouTube.
Talk to you later. Bye bye.
