WordPress Disaster Week 2024

Day One

Session 1
March 19 from 1:00-2:00 pm Central Time
Kathy Zant will give a helpful overview of the issues impacting WordPress security in 2024, especially from the perspective of solopreneurs and agencies who manage WordPress websites for clients.

Session 2 - Security Expert Panel: Trends You Need to Know
March 19 from 2:00-3:00 pm Central Time
Nathan Ingram will lead a panel of WordPress Security experts: Kathy Zant, Thomas Raef, Timothy Jacobs, and David Johnson.
The panel will cover security trends in detail with plenty of time for questions from attendees.

Day One resources:
Session 1 Slides: https://drive.google.com/file/d/1GV5SRsGhaOckgTkXf-62b8vf1WWjJg5v/view?usp=drive_link
Chat log: https://drive.google.com/file/d/1UP8bFXnyB_odC6r9B4Wbeys8odOfPW7z/view?usp=drive_link
Live transcript: https://otter.ai/u/-vGsb4xe8EmwnEda1Ecv_1_RsTI?utm_source=copy_url

Day Two

Session 3 - Reducing Your Site's Risk to Nearly 0 with Solid Security Pro
March 20 from 1:00-2:00 pm Central Time
SolidWP Lead Developer Timothy Jacobs will explain how to protect your website using the powerful features of Solid Security Pro.

Session 4 - Talking to Clients about WordPress Security: Generating Recurring Revenue
March 20 from 2:00-3:00 pm Central Time
Nathan Ingram will discuss how to talk to your clients about WordPress Security, and how to keep them safe as you build recurring revenue for your business.

Day Two resources:
Session 3 Slides: https://drive.google.com/file/d/1SEmE-bmlbMScYzlc4Y7dbYj9tWWIw1hG/view?usp=sharing
Session 4 Slides: https://drive.google.com/file/d/1X4jK_jv2ZsH6uXLCBQIXqZ8NAbvkKYQV/view?usp=drive_link
Chat log: https://drive.google.com/file/d/1HfxF6OjN88O-CFMQnuBp_Tq7L_rlGnTk/view?usp=sharing
Live transcript: https://otter.ai/u/hhv_RTU6GaLQyMVsrx0gCeUoakc?utm_source=copy_url

Register once to attend all sessions of WordPress Disaster Week. If you can't attend live, we will send you the link to view replays of the full event!

Live transcript (Day One):

Again, welcome. If you're just joining us, it's Disaster Week 2024. We have Kathy Zant here. She's going to be talking about the state of WordPress security in our first hour, and then we have an excellent lineup of security experts and a panel that is coming right up. We're going to be getting things underway here momentarily. The links I posted in the chat just a minute ago are not correct. I'll get that straightened out in just a minute.

Oddly, that should have been working, but hey, it's Tuesday.

Again, welcome, everybody. It's good to see folks logging in from across the country and around the world. Hi, Kay. Sue is here. Barney, welcome. Thomas Byrne. Paul class, Doug. Good to see everybody today. We'll have the links up for you in just a moment.

Again, welcome. We'll be getting started officially at about three minutes after the hour. So glad you're here just a bit early.
We'd love to hear from you in the chat where you're logging in from and here are the correct links. There we go. This is of course being recorded the replays available at the link that I just posted. You can also download Cathy's slide deck link is also there in the chat. Really glad everybody's here today. Welcome. Welcome. Dan. Good to see you, Rob.\r\n\r\nGreat to see everybody logging in today.\r\n\r\nHi, Tina from South Africa. Welcome. Welcome, Marie. Welcome from Massachusetts.\r\n\r\nAll right, folks. Good to see everybody coming in. Hey Stacey. We're about three minutes away three and a half minutes away from getting started with disaster week for 2024 This has been an annual event here with solid WP formerly I themes for many years. We always enjoy bringing some great experts on this topic to give you the lowdown on what you need to know as you're managing your own WordPress site or perhaps even managing sites for clients. So welcome, everybody. We have a lot. Lots to talk about today. Great panel of experts plenty of time for questions. The world of WordPress security is much more complicated today than it has been in the past. And Kathy is going to unpack a lot of that for us here in just a little bit.\r\n\r\nOh Sue, that's great.\r\n\r\nWelcome everybody. Just about three minutes away from getting started. Kathy Zant is here where she's going to be talking about the state of WordPress security to get disaster week going. I really glad to have everybody here. Welcome to folks across the US and around the world. If you're just logging in to zoom, open up the chat and say hello. The slide link bundle is in the chat you will have today's slide deck is there. Also the replay if you want to go back and rewatch this live stream you can do that at the link there in the chat. Share that with anyone as well. Those links will be available. Hey Michael, good to see you.\r\n\r\nMelissa, welcome from France.\r\n\r\nGreat to see everybody. Hi, Frank. 
Melanie.\r\n\r\nAnd I am using the wrong microphone. Wow. All right, that should be considerably better audio than it was before.\r\n\r\nI thank you so much for that. Little tip.\r\n\r\nMelanie, I appreciate that. Yes, yes. Yes. All right. Welcome, everybody. We are just about two minutes away from getting started with disaster week.\r\n\r\nThe link bundle is there in the chat. You can download today's slide deck that Kathy has on her screen now and follow along if you'd like I think there's some helpful links in there. as well. Also, the replay of today's event will be at the link there posted in the chat as well. You'll be able to share that video out.\r\n\r\nThe chat log and transcript for this event will also be there. At that link.\r\n\r\nNiles welcome\r\n\r\nHey, Charlie, welcome back. Mateus. Welcome. Good to see everybody there in the chat. We're about a minute away now from getting started with disaster week. Kathy Zant is going to kick us off talking about the state of WordPress security. Our two today is going to be a star studded panel of security experts will be here to talk about some of the current issues in WordPress security in the next hour. And of course have plenty of time to answer your questions as well. Welcome, George. Glad you're here.\r\n\r\nFolks, if you're coming in to zoom, we invite you to open the chat say hi and tell us where you're logging in from if you'd like to chat with others during the live stream, make sure that you've dropped down the little blue drop down above where you type in your chat to everyone, not just hosts and panelists. It does default the host and panelists for some reason, but if you'd like to chat with everyone, just make sure you make that change.\r\n\r\nOnce again, if you're just joining us attendee number is ticking up the link bundle is there in the chat. You can download today's slides that you're seeing there on the screen with Kathy state of WordPress security. Also the replay link is there for you. 
Hey, Rob, Vera, welcome. Glad you're all here. Just about ready to get started. Kathy, ready to light this candle?

I am ready to kick this off, the fun. Well, let's get started.

Well, good afternoon, good evening, good morning, wherever you happen to be around the world. Welcome to Disaster Week 2024 here on the Solid Academy. This has been an event that we've done for many years here at Solid, formerly iThemes, as we talk about the state of WordPress security and give you tips from experts as you seek to make your WordPress site safer and protect the sites of the clients that you are helping as well. I'm joined today in our first hour by Kathy Zant. Kathy, it's so great to have you back. Kathy is an internationally recognized expert on security and marketing, data-driven website development. She's spoken at countless events worldwide and is a frequent guest on all sorts of podcasts about WordPress and other emerging technologies. Kathy, welcome back. How are you?

I'm so happy to be here. It feels like coming home to the gang, and I'm so happy to be here. Thanks for having me back.

Absolutely. So a lot of folks are saying hi to you there in the chat. You've got a lot of fans here in the attendee group today.

We're talking about WordPress security and the things that you need to know here in this first hour. Kathy, let's just talk for a minute about how you got interested in WordPress security. When did you start this, and how did it happen?

Yeah, well, I got interested in security back before WordPress. I inherited a server, a web server, from the technical people. I was the marketing person, and that server got hacked, and so I was thrown into the depths of learning about security in the early days of the Internet, and learned how to spoof emails and do all sorts of things. 
So that was way before WordPress, and then when I first started migrating some of the sites I was developing, you know, coding myself, and migrating things over to WordPress just because it was easier to manage, the WordPress TimThumb vulnerability: my husband's site, of all things, got hacked. So that was an adventure. "You got me on this WordPress stuff. You better fix it." "Yeah. Okay, hon, I'm on it." I mean, so I got involved then, and, you know, I mean, then hacks happened, helped friends and everything. And then a company put out a call for people to clean hacked sites, and I was basically helping my husband run his business, and I was a little bit bored. So I'm like, clean hacked sites, I've done that before. Let me see if I can do this. So I was just cleaning hacked sites sitting next to my daughter, who was homeschooling, and I got sucked in. And now, look at me, I'm giving the state of WordPress security. Almost sounds like I'm a security politician. No politics here, though. Promise.

Oh, well. We have a lot to talk about, because the state of WordPress security is always evolving. And if you follow security news, and we do a monthly news roundup here on Solid Academy, we're always talking about new and trending security issues. We also have a regular webinar at least every quarter with Thomas Raef of We Watch Your Website, giving us, really scaring us to death, quite frankly, with some of the things that are happening on the cutting edge of the things that hackers are doing. So we have a lot to talk about today. Folks, let me give a couple of bits of housekeeping details, and I'm going to disappear and let Kathy start speaking here. But if you're just joining us in Zoom, we're grateful that you're here. Hopefully this will be a good investment of your time today. I'm dropping in once again into the chat the link bundle for today, which includes today's slide deck and also the link to the replay. 
We'll have the video of today's two hours posted by around four o'clock Central Time. That will also have our transcript and the chat log. So a lot of times during the live stream the chats will have some good information, so we save all that; it'll be available for you on the replay link that is there in the chat now. Also, let me just invite you to go ahead and open up the Zoom Q&A. You'll find that link as an icon under Kathy's shared screen. If you mouse over the shared screen, you'll see the Q&A icon. That is the place to ask your questions. So if you have a question for Kathy, or anything related to WordPress security, please use the Q&A and not the chat, because the chat may go on past and we might miss that question. But if you use the Q&A, it'll be there. And also we invite you to keep that open, simply because if you see someone else who has asked a question that you also have, you can click the thumbs-up icon, and we'll take the questions in the order of upvotes. Now, likely what we're going to do today is Kathy is going to speak and sort of set the table for us with all the current issues with WordPress security, then we're going to take a break, so no questions immediately after Kathy's talk today. We'll take about a 10-minute break and get our panel in place, and we'll take all the questions toward the end of today's panel discussion. So it's very important that you upvote the questions that are asked, as it's likely we won't get to all the questions, but we'll take the questions that do have the most number of upvotes. So with that, I'm going to disappear, and Kathy, let's talk about the state of WordPress security.

Shouldn't there be like a band playing or something? I guess I'll just imagine that, you know, "Pomp and Circumstance" playing as we talk about the state of WordPress security. 
Now, when I first started cleaning hacked WordPress sites, WordPress security was a little different, a little more simple, but some things haven't changed. And I want to talk about some things that haven't changed, and some things that will continue to kind of be sort of this undercurrent of WordPress security threats. But I want to talk about what is changing, some of the things that we're seeing, trends that you should be aware of, of where we're going. I'll talk about some recent attacks that we've seen that are very interesting for somebody who's into security, maybe a little bit scary if you're not into this. Then I'm going to pull out my crystal ball, and I'm going to make some predictions about some things that I see in the greater security space that will come toward WordPress eventually. And then I have some thoughts about the WordPress security community, WordPress as a community, as an open source community. I fully believe that WordPress wouldn't be what it is today without you, without the community, without all of us helping each other, so I have some thoughts about how security plays into that. So that's the little teaser. Is there going to be drama? Maybe. Stick around.

All right, so what hasn't changed? Hackers want to make money with your site. They want to take your server resources, your sparkly clean domain reputation, and they want to use it for their profits. So they're going to put spam on any site that they can hack. They're going to use phishing, malware, backdoors to get back into the server. They're going to do all sorts of crazy things with your asset. WordPress is an asset, and if you start thinking about your WordPress site as an asset, the same way you think about your bank account, your cryptocurrency, your home, your car, the shed in your backyard, all of these things that you want protected from malicious attackers and thieves. 
If you start thinking about WordPress that way, things will make sense, because that is something that hasn't changed: the profit motive, and that's the reason why they come after WordPress. WordPress is also powering more than 40% of the internet, and they target WordPress because they expect smaller sites like yours, in many cases, and larger sites, but mostly sites like yours, they expect to not have as much security. Now, the New York Times and Rolling Stone, RollingStone.com, use WordPress in order to present their content, but those major sites have security operations teams looking at every log file; they have security professionals looking at every login. But you are busy running your business. In many cases, small businesses just do not have the resources to watch security, so they expect less security on your site. So if they can hack into 100 WordPress sites, it's the equivalent of getting into one larger site that has a ton of traffic.

Plus, it's just your resources that they're after. Now, historically, what hackers have done is they've exploited weakness. Now, that could be weakness in the people who are running the site, who just don't know any better and are doing things like reusing passwords, or it could be a weakness in software, vulnerabilities. Typically over the past few years, decade, we've seen this in software packages, primarily in plugins and themes. There have been a few core vulnerabilities that have been significant, but in recent years we haven't seen that so much. But we're still seeing plugins that have vulnerabilities. We're still seeing some themes that have vulnerabilities, and sometimes those come under attack rather quickly. So software vulnerabilities and authentication issues are still going to be a problem. 
This is a problem in the wider space, not just WordPress as a whole, but it is historically how we have seen attacks coming at WordPress. The game of security, and one of the reasons why I love it so much, is, you know, some of you people do crossword puzzles and other things to keep your mind active. I like to see what hackers are up to. My friend Thomas Raef, who will be in our panel later, he likes to share the stuff he finds. He finds the most amazing malware and the amazing attack vectors and intrusion vectors. I find it fascinating what the mice are up to in order to get the cheese. It's constantly a challenge, because you have security professionals who are trying to protect sites, and then we have security professionals, security black hat professionals, who are trying to get into those things. So the constant cat and mouse game, where sometimes the mice are getting in and sometimes the cat's got everything locked down, that challenge to me is exciting. And that's never going to change; that's how security works. You have security protections and hackers, just that hacker mindset, that playful "let's break out of these defined boundaries." It makes it interesting. So I find that very interesting, and this is never going to change. We are never going to stop hackers' activity; we are just going to be able to slow them down. They are always going to be looking for vulnerabilities that they could possibly exploit, so that cat and mouse game is going to continue forever. But what is changing is that these hackers are getting more clever.

The attacks are maturing. They're not just looking for plugin vulnerabilities, because we are seeing many plugin developers really up their security game. A few years ago, we saw a lot of plugin developers that were using is_admin(), a function in WordPress; they were using that wrong. is_admin() as a function will tell you: are you on an admin page or not? 
Is this person an administrator? And so we saw a bunch of different plugins that were using that function inappropriately and causing vulnerabilities. We're not really seeing that kind of thing. But we are seeing vulnerabilities still, but attackers are having to become more sophisticated. The mice want the cheese, and so they have to get around the cat's defenses, and they have to try new things, new creative things. We just have to be aware of what's going on. What we're seeing is some of the general attacks on computing, on computers; those general attacks are also targeting WordPress. Why? Because WordPress is an asset. Your WordPress site is of value. Even if it's just your hobby blog, just the resources of your computing power of that website is an asset that hackers are after. So we're seeing some of these general security attacks now aiming at WordPress. Now, Thomas, last year, he started sharing with us some of the attacks that he was seeing, and he was seeing that many hacks were coming in, and it was almost as if you look over the log files and you would see, you know, a user coming in, working in wp-admin, and then all of a sudden that same user's cookie was being used, but it's coming from some weird site someplace else, you know, Malta or someplace where, you know, that user, that administrative user, isn't. These were stolen session cookies. And on January 3, it's in the links that Nathan shared in the chat, Thomas's research he published on January 3, showing what he found over 2023. And he found that 60% of WordPress hacks were coming from authentication problems, and there's a whole section in there about these stolen cookies. And then if you look at the general security press, Trevor Hilligoss, who was a former FBI digital crime expert, he said that last year he had seen more new advances in info stealers than any year previously. 
So Thomas put two and two together, Trevor is putting two and two together, in terms of these attackers basically assuming the role of an administrator. Now, how exactly does this work? Well, an info stealer is malware that's distributed through phishing emails, malicious links, and infected attachments, like a PDF with an info stealer embedded in it, compromised websites that you might visit and then end up clicking on a link that downloads something, malvertising, which is advertising that is actually malicious. So all of these things are not targeting WordPress directly. They're targeting your computer, and if you have access to a WordPress website and you're logged into that WordPress website, then they try to get into that asset. Now, have you noticed that your bank, let's say you go to pay a bill, and then you go make a cup of coffee, and you come back and you're logged out automatically?

This is what the banking industry is doing. They're closing those session cookies rather quickly, because those session cookies, if they are ever stolen, basically give attackers the ability to impersonate you, and that's what these info stealers are allowing people to do. So how does it work? It basically takes that session cookie from your browser, and then they take those cookies, put them on their device, or more likely just embed them in their scripts as they are attacking many different things, and then they access your wp-admin as if it's you. It bypasses firewalls, it bypasses 2FA; it basically then just becomes you. They have a script that just gets into wp-admin, so the log files will look like, oh, there's people doing all this editing, and then boom, this weird IP address that now is doing malicious things using those session cookies. 
So Thomas's research is showing that this is being used to target WordPress, and yeah, so kind of scary. But obviously info stealers aren't existing just for the sole purpose of getting into WordPress, but this broader problem in security is affecting WordPress, and this is one of the trends that we're seeing.

So these types of info stealers that exist can be in email, FTP credentials, clipboard, you know, you copy something, copy a password out of your password manager. If you have an info stealer, it can get onto your clipboard and take things. Keyloggers, form grabbers, browser hijackers, so there's a lot of different kinds of info stealers that are out there that can have an impact on your WordPress site. So what can we do about things like that? Well, obviously it's most important that you protect your devices and protect your computers, making sure that, just like with wp-admin, where you log in and update all of your plugins and your theme, you've got to make sure that your operating system, make sure your browser, Chrome, I've seen so many Chrome vulnerabilities. Chrome's the most popular browser, you know, so attackers are going after vulnerabilities in Chrome. So if you see that your Chrome needs an update, make sure you are updating your browsers. Make sure you're very judicious about the types of extensions you install into your browser, just the same way you would with plugins that you're installing in WordPress or the apps that you put on your phone, just making sure that they are coming from reputable sources. And then, you know, a lot of us who use Macs have lived this sheltered life thinking that we don't need any kind of protection on our Macs. Macs don't get viruses, right?

Except that they do. So you need to make sure that you have some kind of malware scanner, like any kind of antivirus. Avast is a great one. There's other ones that you can use, Malwarebytes, things like that. 
But, Jason, just make sure that you're downloading signatures regularly and scanning your machine regularly. So making sure that you're doing those general protections for your computer and your devices. And again, think about those assets: your banking accounts, cryptocurrency accounts, crypto wallets, Amazon. You don't think your Amazon account is an asset? Well, it is. I helped someone last year who got their Amazon account hacked, and the attackers used the credit card that was stored, it was a debit card, actually, that was stored in that Amazon account, and bought gift cards, sent them to themselves, and then archived those orders. Make sure you've got protection for that, because your Amazon account can be hacked and can drain a debit card or bank account. I've got a blog post on my site about that. And of course WordPress: consider WordPress an asset as well. Making sure that you protect your credentials, strong, unique passwords everywhere. That Amazon hack, actually, we traced it back, and it went back to the LastPass breach that happened, and that person had not changed their password out of LastPass. And they actually had one of their, I think it was SendGrid, their SendGrid account had 2FA on it, but somebody was trying to log into that as well. So we kind of traced it back to that LastPass breach. So making sure that you protect your credentials, strong, unique passwords. If you have passkeys available, like you do in Solid Security, use those. Two-factor authentication just needs to be everywhere. According to Verizon, only 28% of people are using 2FA, and at this point we all need to be using it, and there's many places, even your Amazon account, make sure you have 2FA on that as well. Don't open links in emails. You probably heard this before. SMS, smishing they call it, it's like phishing except it's coming over SMS. Don't open attachments if you are unsure what an attachment is all about. 
An attachment that comes through that says that you're part of a class action lawsuit and somebody wants to send you money. Be suspicious of those types of things.

Go through phishing education. Test yourself. Do you really have the knowledge and the foresight to defend yourself against phishing attacks? You know, Gmail and a lot of the email services are great at filtering out a lot of these attacks, but really the buck stops with you. These are just tools; they're trying to help you, but every once in a while that mouse gets a piece of cheese. So, okay, so what can we do about WordPress and defending WordPress against info stealers? How long is that WordPress session when you log in?

It lasts for 48 hours, but if you clicked "Remember Me," your session cookie is going to last for 14 days. This is why WordPress gets targeted rather than, you know, there's plenty of people who are like, oh, well, if this was really a thing, then your bank accounts would all be drained. But you notice your bank account logs you out pretty quickly these days, right? WordPress does not have that. WordPress will last for 48 hours, that cookie; it does not log you out automatically. And Remember Me will last 14 days, so those session cookies stay in your browser. They will be in perpetuity until you click logout or until the cookie expires. So if you want to protect yourself and protect your WordPress site from the possibility of an info stealer ending up on your computer, usually it's the kids, they're downloading everything off the internet. Let's just blame them.

But you want to log out. When you log out, you kill the session cookie, so you don't have to go through, I've had people ask me, oh, do I need to go clean up all my cookies out of my browser now? Not necessarily. You can if you want to, but that's a lot of work. Just log out. If you click Log Out, that session variable, that session cookie, goes away. 
Solid Security also has a Trusted Devices protection, which I haven't even had a chance to play with yet, but this is something hopefully you can talk about in the panel a little bit, because Trusted Devices is addressing this. So one of the reasons why I love Solid Security and the team, especially Timothy, amazing, is because he's on top of all of this. He pays attention to what's going on. Is your plugin vendor or your security vendor paying attention to all of the things that security researchers are finding out?

All right, another really, this one was fascinating. I've got to tell you about this. So Sucuri found this malware. This is malware that actually uses a site visitor's browser to attack other WordPress sites. Crazy, right? I'm like reading all of this. It's a little bit like a crypto miner, and we saw crypto miners, like in 2017, when there was this JavaScript thing you could put on your website and have it just, like, mine cryptocurrency in people's browsers. Well, attackers loved that, right, because profit motive, of course, but that all kind of went away. I think it's gonna come back, but we'll talk about that in my predictions.

But this is very similar. So you have a hacked site, and a person visits that hacked site, and then maybe their CPU starts going through the roof, or something is happening, because their browser is getting instructions from the hacked website to go attack other WordPress websites.

Brute force attacks. So this is just, I find this incredibly fascinating. It's not infecting the browser, but it is using the computing resource of the browser to go off and attack other WordPress sites. So if you are a site owner, and these weird attacks are coming from just like somebody's home IP address, like, is that a malicious IP address? No, it's just some guy who doesn't even know that his browser is attacking you. 
He's visiting some malicious site, and that malicious site is telling his browser to be malicious. So we have plenty of brute force protections that are out there that are like, okay, here are all the malicious IPs that we're seeing malicious traffic from. This kind of throws a wrench in that a little bit, because now we're seeing, you know, Joe down the street is attacking WordPress sites. You would not expect that, but it's a brute force attack. So the same principles of brute force attack prevention apply here: strong, unique passwords, two-factor authentication. But you can't just say "block all the malicious IPs" and set it and forget it. No, you have to consider that any IP address could be malicious. You just don't know. One thing that you could do, if you really, if you know your IP address, wherever you're logging into your wp-admin from, you can block all of the IP addresses in the world except your own: whitelist your IP address, so your IP address can always log into wp-admin, but just block everybody else, that type of thing. And that can cut down on it, but it's not necessarily going to stop attacks like this. But pretty clever, huh?

Another thing: zero-day vulnerabilities. Now, the Bricks Builder vulnerability wasn't necessarily a zero-day, but I think this was just so interesting. So on February 13, Calvin Alkan, he, well, he actually found a vulnerability, a pretty severe vulnerability. It was an unauthenticated remote code execution vulnerability, which means anybody could use this attack to basically take over a WordPress site. He worked with Patchstack to communicate with the Bricks Builder team to make sure that this vulnerability was patched. So February 13, the announcement comes out that there's a patch; within five hours, we started seeing attacks. Five hours. This is kind of new to me. I haven't seen it happen quite this fast. 
I've seen, you know, vulnerabilities, you know, zero-days happening, and then the attacks are happening, and then a patch comes out. I've seen, like, crazy things, but this was responsible disclosure. This was security vendors working with the Bricks team. They have gone through, like, in the past month, they've gone through so much in terms of, like, hardening that application. They're doing great.

But it just happened so fast. The Bricks community was just like, you know, the dog with the hair on it. It was crazy for a while, because it was just such an easily exploitable vulnerability. So we're just going to see these types of attacks are going to happen very, very quickly. So if that happens, you know, when there's a very, very sensitive vulnerability, a very critical vulnerability, we'll see stuff like this happen, but I was kind of shocked at how fast that all happened. This is something, malvertising. I just saw this yesterday on Twitter. One of the guys who runs WP Umbrella, which is like a management tool for managing a lot of different websites, WP Umbrella, and you can see on the screenshot that he shared on Twitter, wp-umbrella dot info is actually a malicious domain, and it is sponsored. Their real domain is down below that, but that malicious domain, malvertising, so people would click on that if they searched for WP Umbrella. They could click on that and maybe give up their username and password. So he was very concerned about that. Lots of people were reporting it to Google and everything, but just a reminder: don't go searching for sites and trust the search results all the time. They can be malicious at times. So make sure you bookmark things that are important to you, and always use two-factor authentication.

In case you accidentally give up your password to someone.

So, predictions of what's next. There's the crystal ball. So I think we're still going to see vulnerabilities found by researchers and attackers. 
Sometimes there's going to be zero-day vulnerabilities that the attackers find first, and there's going to be zero-day attacks that the attackers are doing, and everyone's going to have to defend against those types of things. But the thing that I'm really excited about seeing is that there are more and more security companies that are managing vulnerabilities for plugins. Patchstack is doing this. They are also working with security researchers, and it's much more organized now than it was, like, five or six years ago, so that's very encouraging. Bitcoin: Uncle Bitcoin is doing better. He's recovered from his illness, and Uncle Bitcoin is, you know, increasing in value. As we see that happening, we're gonna probably see some kind of crypto mining attacks happening. I'm not quite sure what yet, but that's one of my predictions that's gonna happen. We're gonna see more attempts to exploit the weakest link in all security: humans.

That's going to be in the form of social engineering attacks. People are going to get tricked out of their passwords, either through phishing, through phone calls, through emails, all sorts of things.

We're going to see malvertising like we saw just yesterday with WP Umbrella. We're gonna see SIM swapping attacks, and SIM swapping attacks have been typically, I, you know, when I first learned that this was even a thing, many years ago, it was in the crypto space, and I read an article, and it's in the links. I recommend everyone go read it. It's on Medium; you might need an account to, like, log in and read it, but it goes through how the SIM swap attack happened. This guy, at night, his phone's just not connecting to the tower, and he's like, yeah, I'll fix it in the morning. By the morning he had lost $100,000. Basically, an attacker takes over your SIM card, takes over your phone number. 
They can do all sorts of things, like resetting passwords on your email account, resetting passwords on your bank accounts, all of those types of things, because they've got your phone number, and so those codes, those SMS codes, are coming to that number on the new phone rather than your phone. So I don't know, I haven't heard of any stories of WordPress sites being affected by a SIM swap attack, but my prediction is I think it's going to happen one of these days.

Anyway, we'll see. Maybe next year I'll come back and we'll see what actually has happened or not. There's a recent story of a person who was on the inside at a cell provider and was working with criminals to SIM swap people, which is just lovely. Anyway, do not use SMS-based two-factor authentication as your backup, because when you are using Google Authenticator and you're using the time-based codes, those are something that they can't take. If they've got your cell phone number, they can't get that code for your Authenticator accounts and whatnot.

There is a recent article about acoustic attacks that was in Bleeping Computer just recently. I found this interesting: just by listening to whatever you're typing in on your keyboard, they can guess what you're typing, like passwords. That could be interesting. That could happen. I think it's gonna happen somewhere. It might not happen to WordPress first, but it's just research right now. Security researchers are always looking for these types of things in order to protect against attackers finding things first. But that could happen. And then I've seen some research, it's just very high-level research right now, about AI and large language models.

Basically forming some attacks, so I can't wait to see what happens. It's exciting. And WordPress is an asset, so eventually it's gonna happen. So here's the stuff about SIM swapping attacks. It's not targeting WordPress now, but basically how it works. 
They're not using it to, like, get your two-factor codes. They're doing it to, like, reset passwords on your email account and take out those types of accounts and drain whatever asset that they're after.

Let's talk about what I see as the need for, what we need for WordPress security. We have a bunch of companies that are selling security products, security services, cleaning up hacked sites; there's plugins, there's firewalls, there's all sorts of services that are here to help you secure your WordPress site. They all have their profit motives, but we are also in an open source community, and collaboration and communication are key.

Now, when a researcher like Calvin finds a vulnerability, communication between that security researcher and the plugin vendor needs to happen, and security vendors, or, like, Patchstack, was instrumental in ensuring that Calvin, Bricks, and the communication flow between researcher and developer happened. But we need greater community collaboration and communication throughout the entire community. We need communication between developers and users, better communication about what vulnerabilities are happening and why.

We need better communication between security vendors. If one, if Patchstack knows that this vulnerability is happening, let's communicate with the other security vendors so that they can protect their customers as well. Those types of things. Security and software is all about trust, and I think that if our security community can work together better, kind of like how Solid, actually Solid and Patchstack, having an integration, have communication, they work together as well. I would like to see more of that. There have been some security debates, and, you know, obviously conflict can be good. We learn from each other with differing viewpoints. But I would like the safety of the community to be put forefront, the safety of the users. Remember why we're here; that's who we're here to serve. 
I would also like all of us to have a better security mindset. We can't just install a plugin and set and forget it. We need to understand how that plugin works. We need to understand what it's trying to do. We need to understand how to use that tool. You can't build a house just by buying a hammer; you have to understand how that hammer works. So I think we need better education and better knowledge, and this is not just for WordPress, this is across the board. I was helping my daughter, she rides horses, and I was helping the barn people with their website on Squarespace. And just the password hygiene, I might have a little PTSD from that. This is a worldwide problem. The cat and mouse game is not just after WordPress, it's after anything that can be profitable. So heightening security education, I think it can happen in WordPress, and then everyone who learns in WordPress, and the people that you build sites for, helping them up-level their knowledge and being able to recognize a phishing attack, recognize social engineering, recognize malware when they come across those types of things. They can teach their family and so on and so on. So I think as we take responsibility for our own security and up-leveling everyone around us, I feel like that's my mission. That's what I'm here to do. So I would like everybody to become just more vigilant.

Some more advice: just locking down your device with your provider to protect against SIM swap attacks. Although that one guy, he was an inside-job kind of person. But if you can't lock it down, don't use your public email. You know, you give out your email address, right? You go to the store, "Would you like your receipt emailed to you?" Sure, of course, and you give out your email address. Don't use that for your WordPress. Don't use that for your bank. Have a separate private email that you use for things that are sensitive. Reduce your online footprint.
I know we all like to celebrate our birthdays on Facebook and whatnot. I do too. But reducing the amount of information that you share can also foil attackers, because when they're doing social engineering they gather information, and then they use that against you. One thing that I've seen recently is, like, a lot of people who do online presentations and have, like, their voice out there. They can do AI voice mimicking, and there's these calls: they call Mom up and say, "Hey, I'm in Nigeria and I need $1,000 to get home, please help me," but it's your voice, right? So those types of tricks get played. So reducing your online footprint, having a safe word with Mom so that, you know, Mom, call me back and make sure that, you know, if we say the word, you know, "strawberry," then it's really me asking for help.

And then for critical accounts, you know, I highly recommend using password managers. But we did have that LastPass breach that happened; use an offline password manager for your critical accounts. You know, security is a continuum. The most secure computer is buried in the ground, encased in cement, and no one can access it, and the most open thing is anybody can get to it. So where is your bank account? You know, it's more buried in the ground, right? And maybe a test site, password123, who cares? So you have to make a judgment of security for each individual asset that you are trying to secure. And then auditing your site. Lots of people don't do this very regularly unless they're afraid of something, but I would audit, you know, every quarter, just go take a look. I can't tell you, I went to one of my test sites, and there was wp-config.php-old, which basically turned that into a text file.

Not exactly a good security practice, because you're taking that PHP file away from the parsing of PHP and turning it into a text file. So I didn't know that was there.
My hosting provider on that particular account had done that. Lovely.

Audit your sites, just go poke around, go look at the files, go look around: all of the users who have admin access, should they all be there? If you need a checklist of auditing things, I can get you a checklist. I do have one of all of the things I look at when I'm auditing a site. Maybe I can give this to Nathan; I'll find it and we'll have it in the second half. I didn't think to bring it. Know your developers. With that Bricks vulnerability, if you were on the Bricks list, you would have gotten notified within those first five hours; you would have been able to take action quickly. Get, you know, develop relationships with the people who are developing the software that you are committed to using, and use the plugins like the Solid Security plugin to help you make good decisions through application security. So one of the more forward-thinking, Timothy is just so brilliant, and he watches all of this stuff and acts very quickly when he sees that there's something that he can do to help you protect yourself. Software is all about trust. So make sure you know who is helping you secure your things, and remember who you're up against. They're after the cheese; you've got to be the cat. You have to protect your cheese. Because, you know, you know how these guys are; they're just going to try anything and everything at all. So anyway, there's my little about thing.

You guys know me, we've hung out before, but yeah, I've been doing this for a while. When I see stuff, I like to put it up on YouTube. Go subscribe to me on YouTube. You can also get on my newsletter, because if I see something that really needs action, I will send it to the newsletter. I will put it on YouTube. I am here for education first, and I'm so happy that I get to share all this with you.

Thank you, Kathy.
This has been excellent, a really good overview of the landscape of all the things that are happening in WordPress security right now, and there's a lot we have to be aware of. So, excellent material here. I'm going to drop in once again, if you came in late and you missed the link bundle, it is now back in the chat. That has today's slide deck as well as the replay link that you can go back and rewatch, or share this live stream with someone else. I also dropped the link in just before. We have, Kathy, you've agreed to come back and do several live streams on security with us over the next few months. So we're super excited about that. And that link to those upcoming live streams is there in the chat. I'm noticing that there's a problem with the last one for July. We'll get that wrapped up and fixed here in the next couple of hours. But there are several that are out there and waiting, if you'd like to go sign up. They're all free. And join Kathy for more security conversations. Kathy, we've got just a few minutes here before we're going to take a break prior to the panel, and there's a couple of questions that came in throughout your talk that I think it'll be a good time to pose to you, if you're open to that. Yeah, of course. So Savannah has just a great comment here. And it's something I've heard also from other people that are just even considering WordPress as a platform at all. Savannah says it really put me off having a WordPress site because I'm supposed to be attending to business and not spending all my time on security, which I can't keep up with. How do you respond to that?

Well, yeah, sure, you can have a straight HTML website. But if your FTP application is using a reused password, if your hosting account panel is using a reused password, there are so many other ways beyond just, you know, vulnerabilities in plugins and all of this other stuff.
The great thing is, you know, there's so many vendors, and there's so many tools out there for you to pay attention to this stuff. And honestly, by doing that, I mean as a small business owner, you're running your business, you don't have a lot of time to pay attention to stuff, but you have to be aware of it. I know of one business that, you know, they did the whole "Hey, I'm the CEO" email. It was a phishing email: "Hey, I'm the CEO, you need to send money to this company, pay this invoice right now." And the person fell for it, and $42,000 later... Those types of things, if you can get rid of WordPress, those types of things are still a threat to your business. So by being in the WordPress space, by being in this community that is so security focused and is security aware, and being connected with events like this and educators like me, we are here to help you up-level everything. So I don't think that, you know, saying goodbye to WordPress is necessarily going to help you; it might make you less aware of other things that are a threat.

Yeah, 100%. The security landscape is so broad now, and hackers are so clever with their social engineering attempts and very, very smart ways to separate people from their money.

Now when it comes to WordPress, the issue of WordPress security is one of the criticisms that many people have about WordPress. And honestly, that's why Solid Security Pro exists, our security plugin, which we believe is a very intelligent approach to WordPress security, and by giving it a little time and setting that up on your website, it does the hard work of keeping WordPress secure, does a big chunk of that WordPress security. We're going to be talking especially tomorrow; Timothy Jacobs, the lead developer of SolidWP, is going to be with us talking through the settings in our security plugin that help you reduce your security risk to almost zero.
And so Timothy will be in the panel in the next hour, but also with us tomorrow for a full hour talking about those very important settings that can let you take your mind off of security and focus more on your business, like you're talking about, Samantha. It's really, that really is a... you're not the only one who has that challenge.

Here's another quick question from Chris. Chris is just wondering, when are we going to maybe see a better approach to security from core WordPress? Is there something that core should be doing, in your opinion, that maybe they're not focused on?

I would like 2FA to be a part of core. I think at this juncture, it just makes sense.

It just makes sense at this point. So I would like that to be a part of core. But you know, with most development, the innovations happen with a plugin, like Timothy. I mean, I watch the security landscape, especially with WordPress, quite a bit, and Timothy is always, like, he pays attention to what's going on. Passkeys: he was like the first one to bring passkeys to WordPress. So the innovation is going to happen with people like Timothy, with developers like Solid's team. So when there's a vulnerability, core has been very, very responsive.

The File Manager vulnerability in 2019 was just so long ago, seems like yesterday, but that was very easy to exploit. You didn't even have to have File Manager activated. You could just have it installed on your site, not active, and it could still be exploited. And I think that was one where core was like, you know what, let's just push out the patch. And so core has been very, very acutely aware of security concerns as they arise, and I think they respond very quickly.

I'm always more curious.
There's one thing, I think, that personally I don't think it's a big deal, but I would like to know more when a patch to a security vulnerability is applied, that they explain more of what's going on. So security researchers, like those, a few of them that will go through and, like, okay, this is what could have happened with that. I want to understand what is happening. I like the education-after-the-patch type of thing. But they kind of keep that close to the vest to keep, you know, people from poking around too much. But that's just me.

Yeah, it's a great answer. And you know, the, what?

This whole subject is one that comes up in lots of different areas, like what should be core and what should be a plugin, and so on. It's a hard debate among the core developers on what ought to be core and what ought to be an extension and a plugin. I think we're going to continue to see that debate raging on. Well, Kathy, this has been great. There's a lot of thank-yous there in the chat for a really good overview presentation of the current landscape of WordPress security and gazing into your crystal ball, Kathy's crystal ball. So that's gonna wrap it up for this hour, folks. We're going to press pause on the recording and pause our cameras and mics. We'll be back at two o'clock Central, that's about eight and a half minutes from now, with our hour two, which is our panel of security experts. And I hope you'll join us for that. In the meantime, if you'd like to open up the Q&A in Zoom, look at the questions that have been asked by others and upvote the ones that you would also like to hear answered. We'll be taking your questions toward the end of our security panel, and we want to get those in the order of votes. So thanks for hanging out with us the last hour; we'll see you back here in just about eight minutes from now.

All right, folks, this is your one-minute warning.
We are back in one minute from now.

Welcome back, everybody. We're back for hour two of Disaster Week for 2024. We have our panel of security experts who will be shortly turning on their mics and cameras and popping in here. Good to see everybody back with us. Hopefully during the break you've had a chance to open up the Zoom Q&A and either ask your questions or also upvote the questions of others.

We're waiting on our other panelists to jump in here. Hopefully you can all join us. Timothy is here, Kathy is here.

And Thomas, we don't have your camera.

Hey, there he is. All right.

Well, thanks.

Yeah, thanks for being with us, everybody. We've got a lot of great questions that are stacked up from our viewers today, as well as a number that I've put together for each of you based on your background. So folks, welcome our security experts today. Let me just go around and introduce everybody. First of all, we have Thomas Raef. Thomas is the founder of We Watch Your Website. Thomas and his team have been removing malware from millions of WordPress sites since 2007. Currently they monitor over 13 million WordPress sites. Thomas loves data and is on the cutting edge of the latest that all the malware folks are involved in. Kathy Zant, of course; we enjoyed Kathy's presentation on the state of WordPress security in the last hour. Excellent stuff. She is an internationally recognized expert on security, marketing and website development. She's spoken at events everywhere, all over podcasts. You can find her everywhere. Kathy, thanks for coming back for the panel. Timothy Jacobs is with us. He is the lead developer for SolidWP; he is a WordPress Core committer and a component maintainer for the WordPress REST API. And last but certainly not least, David Johnson, the product owner for SolidWP. David has been involved in the WordPress community since 2007.
He comes from an agency background where he managed hundreds of WordPress websites. So again, thanks, everybody, for being with us today.

Thank you for the opportunity. Absolutely.

Well, Thomas, let's start with you. So we've had you on a number of different live streams over the last several months, and we now have scheduled at least a quarterly WordPress security roundup with you going forward into 2024, which is excellent. We always benefit from your cutting-edge knowledge of the latest things that the bad guys are doing. I've heard you talk about this concept of defense in depth, or layers of security. Can you talk about kind of what that means? Why it's important, you know, what practically is involved in that? Particularly, what should I as a WordPress agency owner be aware of when it comes to layers of security and defense in depth? Okay, yes.

Defense in depth goes back pretty far in the whole cybersecurity world, not just websites. But basically what you have to do is you have to look at the various attack vectors that hackers use to get into your website. So it could be, we talked about stolen passwords, stolen session cookies, vulnerable plugins and themes, things like that. Each of those is like a different layer of security, and you can't just rely on, you know, like, for instance, for plugins, themes and core, you know, a great layer of defense is Patchstack. You know, they do an awesome job; they focus on their niche, you know, which is protecting those, providing updates, letting you know when you're vulnerable in any one of those three areas.

You know, malware removal is one part of defense, although that's a reactive, you know, layer of defense.

Blocking, you know, attack vectors.

I look at outdated user agents, blocking various ranges of IP addresses.
And these aren't meant to be like, you know, the end-all-be-all to your security. It's just another layer in the defense in depth strategy.

And, you know, one of my friends, Calvin Alkan, has used... he's the first one I heard it from, because it's like Swiss cheese. You know, Swiss cheese has holes in it. And it all depends on how you stack those slices of cheese; that will determine if a hole goes all the way through or not. So each defense, each layer of defense, is like another slice of cheese, and you stack them all together. If the holes don't line up, you're secure.

So you need, but you need your protection.

And then you also need, you know, early notification. So if something does happen, action can be taken. Yeah, very good. So David, Timothy, either one of you can chime in here, but in this concept of defense in depth or layers of protection, or really, like, the holes in the Swiss cheese, quite frankly, I can grab that. Where does Solid Security fit into that strategy?

Yeah, so I think Solid Security helps with two big ones, which is user accounts, right? You got to do the bare minimum, right? If your clients are still using a terrible, terrible password, it's not going to protect you for very long. And I'm really proud of our integration with Patchstack. So Patchstack does an excellent job; I think they had 5,000 vulnerabilities reported through them last year. They've created thousands and thousands of virtual patches. And I think our integration with Patchstack works really excellently to bring that feed of data into your site so you don't have to worry about, okay, let's keep track of all the vulnerabilities ourselves, let's make sure we're on top of every single update, and letting those two pieces come into play.
And then services, like Thomas said, do an excellent job at being reactive and cleaning up when there's an issue, and making sure that happens automatically for you, and they all kind of piece together.

Yeah, very good. Very good.

Kathy, so you've done lots of different things in the WordPress space. You've worked on WordPress security from the plugin product side. You've also worked on the agency side. So your position, you have an understanding of things that a lot of people don't have. So you can relate to a lot of the folks, I would imagine, who are in the audience today. They either have their own WordPress site, or they work for an agency managing multiple sites, or they're an agency owner.

That's busy work, right? We stay busy. How in the world can you stay educated about all these things that you're talking about while you're busy serving clients? How do you stay on track with all these things?

Well, you know, with open source, you have a lot of... you own your site, you own everything you're working with, and with that power and that freedom and that flexibility comes a bit of responsibility. It's kind of like you own a car. I know I don't necessarily want to go get... my husband used to do that for me, take care of the tire pressure, and there's just so much to deal with. If I want to have a car, I've got some responsibilities to take care of it. Unfortunately, same thing with a website. But same thing with your business. You get lots of different things, right? But I think that being up to date with everything is good practice, because it makes you more security aware for other things that could come into your life, and attacks that might not even be related to your WordPress site, something that comes through an SMS message, something that's coming through... you just have this heightened security awareness.
So unlike, you know, taking care of my car, there's no benefit to me whatsoever with dealing with that other than, you know, not being abandoned on the side of the road. Taking care of my site educates me about so much else that's happening in the world and makes me a better digital citizen. It makes me more able to, like, tell my daughter, there's an update for your phone, you need to go update it now, and busy and Tic Tac Toe, update your phone. You know, I mean, being security aware has a number of different benefits to it. So I think it's one of the responsibilities. You're either going to get hacked and figure out how much of a benefit it is to be security aware, or you're going to be proactive. And you know, actually AT&T did a study, and they found that businesses that are more security aware have better business outcomes. They often have better sales numbers than those who aren't. Of course, they're selling network security to enterprise, right? But I mean, people who are more proactive about things in their life tend to have more proactive... like people who work out, they tend to have, you know, better food choices, those types of things. They kind of just go together. So being proactive in your business for security can also be helping you be proactive in your business with other things. Yeah, very good. Anybody else want to speak to that topic?

Or David, maybe, what are some things that SolidWP helps bring to keep agency owners and site owners educated on the most important issues in security?

Well, I'll say one thing that Kathy mentioned in her first session is the true advantage of working with Solid Security, and it's Timothy. So we're just going to have a Timothy session today, I don't know.
But Timothy, by virtue of introducing passkeys when he did into the product, and this was long before I joined the team, became the first WordPress security solution to offer passkeys, and I'm confident that that introduced the idea of passkeys to a lot of people who had maybe not yet heard of it. And it remains arguably the most secure login authentication method available. And that's just one example. And so as we continue to think about ways for Solid Security to improve over time and to adapt to the changing landscape, you're going to continue to see us introduce new features and new solutions for the security issues that you're facing. And that's one way that using Solid Security can help you become a better digital citizen all the way around.

Yeah, there's this content, the SolidWP Academy, and going into Nathan's webinars every month, and our roundups with Thomas. This content is an excellent place to keep up to date and share with others. If this is your first time joining us, we do lots of these types of things. Absolutely. So all of our content here on Solid Academy is geared specifically for people who are building and managing WordPress sites for clients. So if that's you, you can stay up to date with WordPress security news with our monthly news roundup, where there's a section on security news, and we basically look at what's out there, the most important things that I as an agency owner think you as an agency owner will benefit from. Also we do a weekly email that talks about vulnerabilities and the top issues in WordPress security as well. So make sure you're signed up for those Solid updates. Thomas, I think I interrupted you earlier. Was this something you wanted to add here? No, I was just gonna say that, yeah, the work that SolidWP has done, thanks to Timothy, with the passkeys. And also, like you said, I'm still a fan of the trusted devices.
It's just, it's amazing, and it's a great layer, or several layers, you know, in the defense in depth strategy. It's another Swiss cheese that's just gonna... I have a task to do, this is, you know, I update my cheese board.

Now I'm getting hungry.

Crackers and cheese.

So, Timothy, let's move over to you. So we just talked about passkeys and how Solid Security was the first WordPress plugin to bring passkeys as an authentication method to WordPress.

It has to be incredibly complicated to develop a security plugin that is both usable for people, like actual people, and stable, and staying up to date with all the things that are happening in security. How in the world do you do that? Yeah, it's absolutely the hardest part.

And I'd say there's kind of like two aspects to it, one of which we're gonna touch on a little bit later. But the other is we do things that I think a lot of WordPress plugin developers do who are really on top of their game: we write lots and lots of tests. We have automated checks that happen for basically all the security features in the plugin. We don't want to be thinking every single time there's a WordPress release or a plugin update or something, okay, we have to check all 500 features in Security by hand, and worry every day that something might break. So part of that is just following good development practices. I see there's a question in the chat about the uptick in security vulnerabilities over the past year and whether that's in some way part of, you know, WordPress developers not following all of those things. So that's part of it. The other side is that we don't jump on everything. We jump on the things that we do think are going to have a big impact. And we try and really think through what the user experience is for those features. Passkeys.
I think integration is a great example, where we saw that this was the feature that a lot of the big tech players, Apple, Google, Microsoft, were all uniting on and are really pushing as the next big thing. And we've seen over the past year and a half or so, as more and more websites adopt this, we're seeing pretty early on then, okay, this is a place that we want to be, this is a feature that is worth us developing, as opposed to a feature that, you know, might stick around for a little bit, you know, 5% of your users might use, and it's a little bit harder to justify. So we try to be really careful about what features we do adopt, and making sure we're only adopting the amount of, like, settings that we need. We could easily add dozens and dozens and dozens more checkboxes in Security that let you do everything. But all of those mean more code for us to maintain. It's more complicated for y'all to understand how to use it. So I'd say that is like a big part of the balance. The other side of this is partnerships, which we're going to talk about a little bit later. Yeah, absolutely. And so, Timothy, tomorrow your session, which begins at one o'clock Central, is going to be focused on looking at some of those settings in Solid Security and how people can reduce their security risk to almost zero. Talk just a little bit about what you're going to cover tomorrow as we get into the details of the plugin. Yeah, we're gonna be doing a tour of some of my favorite features in Solid Security. We're gonna be learning about vulnerability management, virtual patches with Patchstack, two-factor, still a good thing to be using and enforcing for your sites, and also look at passkeys. So we're gonna be taking a kind of high-level overview of a lot of different features. And these are also all things that we have a lot of good content in the bank for. So if you want to see a whole hour about trusted devices, we did that like two weeks ago.
We did a whole hour about passkeys a couple of times, so there's lots of back-catalogue stuff, but this one is going to be kind of an overview of some of my favorite features in Solid Security. Yeah, very good. So that's coming up the first hour tomorrow, one o'clock Central time. And David, let me bring you in on something as well. You've got a really cool title, which is product owner at SolidWP, right? So your role is kind of to translate users to developers, right? Like, how do we create product? How do we interface with the actual users of our product and our development team? So talk just a little bit about how people, even folks in the audience today, can contribute to the ongoing development of Solid Security. Absolutely. I mean, there are two key ways I'll mention, the most important of which is just to reach out. We want feedback. And of course, we get feedback in the form of support tickets, you know, when there's something broken or there's an issue, so we hear about those, but we also want to hear from you with feature ideas. Now, we've already surfaced one during Kathy's session, you know, like, hey, here's an idea for Solid Security. And so those are the kinds of things we want to hear from you. It's important for us to know that we're building what you use, what you want to use, what meets your needs, and so we want to hear all the things. But the second way that I'll mention, aside from just reaching out, and you can do that, I should mention, lots of ways, and we'll share my email address. You can just hit me up that way as well. It's david@solidwp.com. So just write me. If you have a support issue, talk to support; they can help you much faster than I will. But if you have a feature request or feedback or whatever, I want to hear from you directly. That's one way to do that. But the other way that I mentioned is that we rolled out something that we call opt-in data sharing, and it's about your usage data.
This released in Solid Security in January. It's also in Solid Backups. And if you enable that, it allows us to understand a little bit more about your site. We don't collect any personally identifiable information. What we do is gather lots of details about your hosting environment and so forth. And we do take a look at some of the features you've got enabled and that sort of stuff, but again, we don't see any sensitive information. What that does is allow us to understand what features are being adopted, what features may not be as well adopted. And it also gives us a measuring stick to know, like, if we release a feature that drastically improves site security and no one turns it on, then we've got work to do. And so there are lots of ways that that helps us. And so I would encourage you, if you've not yet enabled usage data sharing, it is an opt-in, and so it's purely your choice, but we would invite you to do that, because it does allow us to learn a lot. It's a way to vote without having to actually contact you; it's like automatic. Yes, yes. Excellent. So David, to follow with you, let me just ask you this: your background prior to coming to Solid and doing some other things, you were with a large agency. You were managing hundreds of WordPress sites. What did you learn in that experience that could be helpful to smaller agencies or solopreneurs as they're thinking about maybe scaling up or doing what they're doing better? Sure. So I went on the journey from being the owner of what was effectively an agency with five people to being inside the web team, and later near the top of the web team, for a 250-person agency. And so that scale was kind of staggering. And one of the things that I quickly learned was that, especially where security is concerned, since we're focusing on security for today, I will say that some of the basics still applied.
You know, you have to clarify in your agreements who's responsible when something goes wrong with a site. You know, do your clients know that security is partly their responsibility? And, you know, one of the issues that we would run into when I was completely in charge and it was my business: if I hadn't properly educated clients on the need to patch plugins or to use better passwords or whatever, then I always felt like there was some responsibility that I needed to take on when a site got compromised. But at scale, when you have a team of dozens of support staff and you're managing hundreds of sites and something goes down, you know, we would scramble to get sites back up, but then the question became, like, is this work billable or not? And if so, you know, why did we create code that was faulty, that our web build team developed custom stuff? You know, so there were a lot of gray areas around responsibility.

So one of the things that I will urge anyone watching this, if you maintain sites for clients or you build sites for clients, is to be super clear about the risks involved and the security issues that your clients will have to face, and what your responsibility is and what their responsibilities are, and the clearer you can make that, the better. And that applies at any size. But one of the things that got incredibly complex, that I didn't really fully appreciate until I was in the middle of it, was that we had to do quite a bit of work at that scale around managing roles and responsibilities, and making sure that our protocols and our procedures were actually being followed. Things like, you know, in a 250-person agency, knowing which of our 250 people needed access to a given website. That was a big deal. And what happens when you offboard an employee? Do you have the ability to kill all of that employee's access to every website that they were connected to, all at once?
Or do you have to go through hundreds of sites and check? You know, so there were a lot of systems and ways that we had to scale. But there was one other piece that sort of became clear for me, which was, when we were a larger agency, we attracted bigger brands. And so our SEO team, for example, might land a big account where the corporate headquarters is overseas, and they have hundreds of staff that need access to a WordPress site. And so the complexity of, and the amount of leverage we did or didn't have to institute policies or do things the way that we did them, that all got really difficult to manage really quickly. And so it really requires some thinking through. And if you can put some solid procedures (if you'll excuse the intentional Solid pun), if you can put some procedures in place at a smaller size and really think through those processes, then it will help you a lot when you do scale up and land bigger accounts or have more and more, you know, sites to manage at that scale.

And so those are just a few quick thoughts about managing things with larger volume that, you know, weren't necessarily obvious until I was in the middle of it.

Yeah, those are really great insights. And, folks, if you're serving clients, that's gonna be the focus of our second hour tomorrow. I'll be talking about how you talk to clients about security, and really, how you can leverage WordPress security as a service so that you can build your recurring revenue in your agency. It's really important and I'm looking forward to that conversation tomorrow. And again, that's in the second hour starting at 2pm Central.
And I'll just add one quick thought on that, which is that offering security as a separate part of your care package, you know, as an add-on or whatever, with a clearly defined offering, is one simple way to make it clear to clients that there are things that are not included in just your basic support.

Yeah, yeah, very good.

So let's turn our attention to a story that really made a lot of headlines and created a lot of conversation in the WordPress security space last month, and that is the vulnerability in the Bricks plugin. And I want to be real careful here, like, I'm not trying to disparage Bricks, because a vulnerability can happen to anybody. Right. But it's in our recent thoughts, and I think it's instructive. Never waste a bad situation, right. So what can we learn from this vulnerability that happened, that we can take away? So first, Kathy, let me just ask you.

If you're a solopreneur or an agency owner, and, you know, there are just vulnerabilities that happen, how do you... again, it kind of goes back to: how in the world do we stay informed on these things when we're just trying to do our work? Yeah, that will happen so quickly.

And so quickly. Crazy.

Calvin Alkan, who was the one that found the vulnerability, had messaged me and invited me into the Bricks group on Facebook, and the conversation was just, like, it was crazy. And there was a lot of interesting advice that was being given to people of what to do to fix their sites and what was happening. There was a lot of misinformation that was flying around.

I've thought about this a lot, and I think it's really important. If you are committed to using a tool, if you are using Solid Security, make sure you're on the Solid Security list. If you are using Bricks, get on the Bricks list.

Embed yourself in the community. And this isn't just for security vulnerabilities.
This is for new features that are coming. Software, to me, has really become, especially in the WordPress space, community driven. You know, David, you watch what people are talking about, about the product, about what's happening in security, and you kind of shape where the product's going.

It's not just like, "Oh, this guy over here is creating this product." It's, no, embed yourself with the community, with the team, so that the people who are creating these products understand what you need, so that you can be informed of what features are coming. You can be informed of, "Maybe I should wait on this very large update that's coming from WooCommerce." Just those types of things. Just being embedded in the community of the products that you've chosen for your stack, I think, is just incredibly important.

You just want to be the first to know what's going on when it's going to impact your business.

That's such great advice, and we'll talk a little bit about some of that sketchy advice in just a minute. But others, what would you say to agency owners and solopreneurs that are building sites for clients about staying engaged with a development community? How do you get informed about these issues?

So this is something I'll be touching on tomorrow. But I think this is one of the places where tools like Patchstack and virtual patching become key. We saw exploits for Bricks happening within 24 hours of the fix actually being published. Imagine you were on vacation when this happened. It's gonna be a problem. So this is one of those places where tools like Patchstack and virtual patching can be so helpful, because they will automatically push out a fix for your site that is laser targeted just to prevent this vulnerability from being exploited. You don't have to worry about, okay, do we need to test this update? Do we have a process in place? Are we on the plane right now?
Or is it 1am and I'm sleeping when this vulnerability drops? They'll be there to protect you much faster. So I think that's where adding in additional tools is really helpful for protecting your sites' security, particularly once you have hundreds of sites that you need to manage.

Yeah. Great. Anybody else?

Yeah, one of the comments that Kathy had touched on earlier was the communication between vendors. And, you know, I think of, you know, had Calvin worked with somebody other than Patchstack and the whole responsible reporting procedure and so forth, you know, would it have had a worse impact? Would more people have been vulnerable?

So, yeah, the communication that Kathy talked about in the previous hour, I think, is real key. How you make that happen? That I have no idea, but, you know, it definitely needs to be, especially when it comes to the patching. Years ago when I first heard people talking about virtual patching, I'm like, why virtually patch? Why not just patch, you know, reality patch, let's call it: we got virtual patching and reality patching. But, you know, I mean, something like Patchstack, where you can't stay on top of it by yourself, you need something like Patchstack, and I think the integration that SolidWP has done with Patchstack, to me, was just amazing. So I'll leave it at that.

Yeah, I remember when... which I think, at least for me, I think it was like 2016 or something, where there was this huge group of vulnerabilities. And it was at the time where people were saying, hey, if you hadn't done an update within eight hours, you should consider that your site has been compromised. And I feel like, at least in my mind, that is when things really started to switch, like attackers are moving very, very fast now, and just updating, you know, the next day, or two days later, or if you say, hey, we apply updates every Monday, it'll be fine.
Let's just wait until then. It's not enough anymore.

Well, if I could add one other thing. It might be a little controversial, but I'll put it out there.

We actually saw some attacks happening to that API endpoint in Bricks on February 7.

But we didn't know what it was. You know, we monitor the database, we monitor the files, the access logs, so we could see the traffic, and then we see changes in the database and in the files, and we're like, you know, how is that happening? And at that point, we did not have a procedure for bringing somebody else in, you know, had I known what was happening or had I realized what was happening. Nobody reached out to Calvin at that moment. Now,

there were things going on in the WordPress community.

Questions being asked about themes that include embedded code and so forth. So was that a tip-off? I don't know. But, I mean, from the time information was asked in the communities until the time we started seeing that traffic was less than six hours, and then once it was announced, yeah, I mean, it was like, I think Kathy mentioned in her previous talk, like five hours from the time the patch was announced until, you know, all hell broke loose.

Yeah, things are moving so quickly these days.

You have to have a tool that's doing these things for you, unless you just don't want to sleep ever.

Right, which is not sustainable. So let's go back to something that Kathy mentioned at the very beginning of this conversation, which is, you know, some of the social media channels were talking about this exploit, and there was advice that was being given that was not the best. So I'll just open this up. Whoever wants to jump in.
At what point should you try to fix a problem yourself versus bring in an expert?

Why don't we start with Thomas. Thomas is a little biased on this.

But, you know, I mean, we've been, you know, working on WordPress websites since 2007. So, you know, Nathan, I've known you for years and years.

So there are people out there that have a good strategy.

And they're aware enough of what their shortcomings are.

To be able to tackle it on their own, you know, so in a DIY, do-it-yourself scenario, some of those places and some of the large agencies have, you know, staffs of people that focus on, you know, malware remediation, and, you know, I have no problem with that at all. There's obviously gazillions of websites out there. But the done-for-you, when people are asking, you know, hey, what steps can I do to know my sites are hacked, and especially with this, I mean, this was, you know, they were adding admin users, they were embedding code, depending on what hacker group was attacking at the time, they were dumping Perl scripts outside of the WordPress folder structure.

So there's stuff that you can't explain to people, because they're gonna start deleting stuff and, like, "Oh, you gave me bad information, and now my site doesn't work. I had to restore and now I gotta rebuild the site," and, you know, blah, blah, blah. So, you know, the DIY versus the done-for-you, the DFY has to be carefully examined, and, you know, people that are asking, like, you know, what steps should I do to clean my site?

Well, you know, if you're asking those questions, you should probably have somebody do it for you. That's just my opinion.

Yeah, good.

Who else would like to chime in on this?

What's been perfect for me is that, you know, if you need to ask the question, you can't afford it. If you need to ask the question on, you know, how to do the cleanup.
I think it makes sense to use an expert. I think it's great to learn and practice, you know, maybe on your own personal blog or something like that. Install an old version of Bricks and let your site get hacked and try cleaning it up. I would never do that, though, for a client site. Right. I would be working with an expert to make sure that that site is getting repaired. It's so easy to miss just one thing, and you miss just one thing and it's way worse to tell a client, "Okay, I thought I cleaned up your site yesterday. It turns out it got hacked again." It's one thing: okay, your site got hacked, we fixed it.

Day three, it got hacked again. Day five, it got hacked again. Day seven. That's when things really become a problem.

And we weren't getting... oh god.

I don't fix my car. I'll clean a hacked site, but I won't fix my car. Know your limits. And can I just say that I was shocked to see that people are still putting like 550 sites in a cPanel? That's still happening. I thought...

So yeah, that still happens. So one site, one cPanel. That'll be my mantra for the rest of the day, like a shirt. Yeah. Yeah, exactly.

Yeah, the car analogy is great, though, because there was a time when you could just climb inside the hood. You know, you open the hood, you climb inside the engine compartment, there was room to maneuver, and now you can't even fit a hand anywhere. And, you know, technology has changed, but we sort of all started, well, many of us, I don't know, Timothy might be too young for this, but we started at a time when it was possible to just dig in, you know, TimThumb. Kathy, you mentioned TimThumb. I found the first YouTube video I ever uploaded about WordPress was in August of 2011, when I had found a TimThumb vulnerability on my WooThemes sites, and, you know, that's how we all learned.
And so today, though, the complexity of the attacks and the sophistication of the malware code that gets uploaded once a site gets compromised, it can be nearly impossible for someone that is not a pro to find all the ways in which a site got compromised. It's just a different world.

And I'll say that, even today, we're getting people who are infected with the Bricks vulnerability coming to us because their sites, as Timothy mentioned, get hacked one day, another day, another day, another day. And, you know, until you find it all and get rid of it, it's just going to keep happening.

Absolutely.

Well, let's turn our attention to some of the Q&A that's come in from folks in the audience, and we'll wrap up today, if it's alright with you all, with the discussion about the collaboration topic. I think that'll be a good way to end our panel. We have a bunch of questions that have come in; there are 20 questions open right now. Folks, if you haven't done that yet, please open the Zoom Q&A. Take a look at the questions that are there. Upvote the ones that you would most like to hear the answers to, because we're going to take these in the order of upvotes. And of course, if you have a question, just drop it in there. Let's start with the first question, from Kay. There are plugins that allow you to add code snippets to WordPress; there's a bunch of different ones. Are those risky to use on a WordPress site? Or maybe we could say, are they more risky than other types of plugins? Timothy, you want to start with that answer, then we'll open it up?

Sure. I'd say "more risky" is the thing to identify. Risk isn't binary.

So it's thinking through what the threat model is. I would say one thing that's very important: if you try and submit a plugin to .org... and maybe this is a bad thing, I think it's a good thing, though.
If you try and submit a plugin to .org today that is duplicating the functionality of Code Snippets, they'll tell you no. They'll say that, hey, we already have a plugin in the directory that does this. This is an extremely important thing to get right so you don't open up a huge vulnerability on your site. They're confident that, hey, that plugin works well.

That's it, the barn door is shut on new plugins being added to .org that do this. So I'd say Code Snippets is a plugin that I use, and I use it frequently on sites when I just want to have some simple snippets available and turn them on and turn them off. You might get code snippets from plugin developers that say, hey, we have this filter that you can use; we're not going to add the checkbox, but you can use Code Snippets to manage that for you. I think Code Snippets is a fine plugin. The thing to think through is, like, the attack vector. If you say that Code Snippets is a securely developed plugin and doesn't have any known vulnerabilities, and if vulnerabilities come up, they'll fix them promptly, then the thing to think about is: what would the impact of having that plugin installed on my site be? And I think the thing that most people would think of is that, oh, this means that there's a really simple way for someone to just get into my site and add PHP code. And that's true. But unless your site is already locking down, for instance, plugins from being installed, they can simply just install a plugin that has whatever malware and malicious content they want to include. So I would say, think through what your attack vector is; that is always, like, the important thing to conceptualize. And if you are a person who says, hey, we locked down all plugins on our site, they're all managed by Git, let's say we do a Git deploy.
And part of that is for being able to say this is exactly what the content on that site is, but it is also a security benefit if you are locking down the file system from being modified. In that case, I would say that then installing a plugin like Code Snippets is opening up a new kind of vulnerability, so to speak, in your site, because you've taken an extra step, or detached, to protect your site. But I'd say in most cases, plugins like that are fine to use; just use the reputable ones, not the one that was $5 on CodeCanyon.

This risk is not binary. I really... That's great. Yeah, I love that too. That's awesome. Yeah. Anybody else want to weigh in on that question? What do you think about code snippets as a whole? There's a plugin called Code Snippets, but as a category, code snippets?

I think personally, it's one of those that goes, as Timothy mentioned, you know, for the knowledgeable devs, you know, could be a good thing. But at the same time, I think that some of these things get passed around too much.

I talk to people all the time, and, like, "Oh, my dev said that somebody on one of these forums recommended this, and so we put it in." And, you know, like, okay, well, that's how your site's getting infected. So, you know, maybe consider, you know, do you really need that?

So, yeah, they have their place, but again, that's for the more experienced DIYers, not the newbies.

Yeah. Good. Thank you, Thomas. Okay, here's a great question from Dan, and we get this from time to time during the news roundup, because every month we look at the Solid vulnerability report, we see the numbers of plugins that are vulnerable, the ones that have been fixed, the ones that are still vulnerable, and it used to be, I clearly remember even last year, there were 30 plugins that were vulnerable this month or whatever. And I actually used to read those one by one. Right.
Now there are routinely 150 to 200 plugin vulnerabilities each month. So Dan's question is: I've never seen as many vulnerable plugins as I've seen in the last six months. Is this from not enough people knowing how to properly build plugins and make them safe, or what is at play in this? It's like a hockey stick of vulnerabilities that have come about.

I have a lot of opinions on this one. I'll jump right in and try and keep it short.

Because there's a talk that I've been ruminating over for a long time about writing secure WordPress code. But I'll say this one thing: this is kind of a measurement sample issue, I would say. I don't think plugins have become more insecure in the last year. I don't think that, you know, suddenly we knew how to write secure software five years ago and now all of a sudden we stopped. What's happened is that there are programs from companies like Patchstack, from Wordfence, others, I think Trend Micro might have them. There are a lot of organizations out there that are offering bug bounties for security researchers to find vulnerabilities in WordPress plugins, submit them, and get paid for them. Not even from the vendor: Liquid Web, for instance, our kind of parent company, they have a bug bounty program, and you can go over there if you find a vulnerability, submit it to them, and they'll go through that bug bounty process. But a lot of WordPress plugins that are just maintained by single individuals or small teams, they might not have the resources like that. So I think that's been a huge uptick here, is that security researchers are now incentivized monetarily to find these problems. And I think that's been one of the great things that companies like Patchstack have done in the past year, is creating these open bug bounty programs to reward security researchers for doing something that previously you had to kind of look into finding a plugin that had this bug bounty program set up and do all those conversations about it.
So I think that is a huge, huge beneficial thing that we've seen in the past year, and a big reason for part of the uptick.

The part that I'm not going to dive too much into is, I do think there is an issue with how we write about writing secure code. And there was a vulnerability, I think Wordfence talked about it yesterday, in a plugin where a plugin author was applying esc_html and esc_attr too liberally; they escaped something twice, and that second escaping caused an issue. And part of the reason why that second escaping was probably there: it might have been flagged by tools that say, hey, you need to add extra escaping here. And so I'll find, for instance, lots of vulnerabilities, not naming names, but plugins that will have specific fixes in place to, let's say, sanitize some code, and they call a sanitize function in WordPress, but that isn't the correct thing to sanitize there, or sanitizing isn't even the actual attack vector. So I think we don't do a great job of talking about how to write code securely. And a lot of times the things that we say are just, well, write esc_attr every single place that you're writing any piece of code and that'll fix the problem for you.

But that's a thing for a talk or a blog post or something.

But I will also just say, it's hard. It's hard to write secure code. But I do think there are things we can do as the WordPress community to make it easier.

Yeah, really good. Anybody else want to weigh in on that?

I think there are too many people, along those same lines, that all of a sudden think they get an idea for a plugin, like, oh, yeah, this one will sell millions. And they, you know, jump in, download some, you know, watch some YouTube videos on how to create your own WordPress plugin, and start writing code and then put it out there, and people are like, oh, yeah, this is the greatest thing since sliced bread, and so on, so forth.
And it just goes from there. Sliced Swiss cheese.

Boom.

Yeah, they just asked ChatGPT to write the code for them, packaged it all up and, boom, yeah.

Yeah, there was a long time when, and it was really just by the actions of, like, a couple, I think even just one person, where if you went onto Stack Overflow and you were like, how to write some PHP code to do something, it would just have SQL injection vulnerabilities, or you'd just have encryption implemented in a completely wrong way. And there have been lots of people just writing content about how to do this thing, and you'd Google that and you'd come across something that was insecure.

For the most part, those have now been fixed on sites like Stack Overflow through the hard work of, like, dedicated volunteers going through every single PHP answer about how to insert data into a database when someone submits a form, or how to implement a login process securely. But it's still very easy to make a mistake.

Anybody else on that topic?

All right. Next question up is from Jean. This is a really practical question. So what would you all recommend as a good, reliable way of passing secure information to and from clients, assuming they don't have a secure password app installed? And maybe they're not tech savvy. Kathy, why don't we start with you on that one?

I would set up, like, if you had to do that, and they, like, absolutely refused to use password managers and whatnot...

Well, for setting up WP admin, they shouldn't be sending it. They should be setting up an account for you and then having you set your own password.

But for, like, FTP and things like that, you can do forms that encrypt and send it via PGP, so that you can get an email with those credentials and then just decrypt that with your PGP key.
So that would be my recommendation for people transmitting.

But I would, yeah, that's part of our job, is to educate everyone that they should be using some method of secure password storage, like 1Password or Bit... or all of the major password managers allow you to share credentials, those types of things. So I would strongly encourage that they do that.

Good. I get a lot of people, we get a lot of people who obviously have to share their credentials with us. And it's always amazed me that so many people just, "Oh, yeah, what's your email address?" And they just send them to it, you know? And what I encourage people to do is, if you're gonna do that, because it's easy for you and you just want to wash your hands of this and put it in our hands, that's fine. But, you know, once we've started what we need to do, go back in and change your password. You know, cut that. It's like, you know, logging out of your WP admin session to kill the cookies. You know, just cut it off at the knees right there. And we'll take care of our stuff. It's very secure, I'm sure of that.

And so, just change the password and you're done.

You could get them to just take a picture of the password written on the sticky note on their monitor and just text it to you, right.

Absolutely. Post it on Twitter. Actually, that'd be a great way to get a Twitter tag. We do. Right? We do sometimes recommend using a tool like onetimesecret.com, which is a great way to encrypt something and prevent it from lasting long. But one recommendation I always make to people is, even if you're going to do that, like, do we know who's running that server? Do we know that they don't keep that data? Separate the lock from the key. So send me a username and an email, and send me only the password using onetimesecret.com, with no context whatsoever, you know what I mean? So at least, you know, use a little bit of wisdom, and Pig Latin.
Yes, please do that also.

One of the things Kathy mentioned I think is really another one to highlight, which is, it's been a long time since I've done this type of client work, but I would hate it if a client sent me their Stripe username and password. Invite me to your Stripe account. There are so many tools that just allow you natively to invite a developer, invite a user, and I so much prefer that. Just invite me to your WP Engine or Nexcess account. Don't give me your Nexcess hosting credentials. If you don't need to, use the tools built into the platform, like WordPress, to create a WordPress user for your developer. Don't just send them your WordPress admin username and password.

Very good. Delegated access.

The worst was when I sat down next to someone at a meetup and they're like, "Oh, here's my password. I use it for everything."

My, my.

Yeah, my favorite password. Yeah. How many times I've heard that from clients. "I can't change that. It's my favorite one."

"I'd have to change it everywhere." Yeah.

All right. So a great question here from Chris.

Chris is wondering, so, talking about the stolen session cookies issue. Thomas, you've written extensively about this, and you had a great live stream with us several weeks ago about it that just, frankly, terrified me to the core. But thank you for that.

Is there any movement with browser developers? Can this problem be solved at the browser level, dealing with a stolen session cookie compromise?

I think it probably could.

But I don't see... I know at one point the folks from Mozilla were working on some different things. But then they had some, this goes back even a couple of years ago.

They had some shake-up over there.
And things changed and people got moved around, and it just kind of got dropped. But I know that they were looking at it, some different forms of encrypting the cookies, you know, and encrypting the messages and so forth, so that it couldn't be so widely used. But, you know, even to this day, though, you know, short offshoot here.

We're still getting customers that have hacked usernames and passwords. You know, it all has to do with, you know, the various layers of Swiss cheese. And one of those layers is your local, you know, device that you have to protect. I don't care if you're on Mac, I don't care, you know, maybe Linux, you don't have to worry about too much. But any platform that you're using to log in to sites, it's got to be secured.

Yeah. And circling back to something we mentioned in the last hour, which is the importance of the Trusted Devices feature in Solid Security. It's one of the only WordPress ways to deal with that exploit. And Timothy and David did a great livestream with us a few weeks ago just about this, where Timothy hacked himself. It was quite something.

Or Timothy hacked David, actually. You can watch Timothy hack my website in real time, and I was crazy enough to install a browser extension that he sent me to facilitate this. So, Thomas, if you haven't seen that, it's worth watching. But the one thing I'll say is, do take the time, if you're concerned about stolen session cookies and protecting yourself, take the time to either watch that webinar or thoroughly understand how to implement the feature, because you can enable Trusted Devices, and if you don't enable it all the way, so to speak, it won't stop stolen session cookie attacks from working. There are a couple of layers there, and we just want to make sure that you're really thoroughly understanding what's involved.
So that was the big impetus behind that webinar and behind me allowing Timothy to hack me in real time. To be fair, he did have you opt in to the hack. It was an opt-in hack, that is true, and I appreciated that, but also I sandboxed that extension when I got it, just because, you know, Timothy is just there looking sly, he's not saying a word.

He's like, there's still... I still have access, David. He's, yeah, he exfiltrated all my credit card numbers and everything.

Oh goodness. Yeah. So the link for that livestream is there in the chat if you didn't see that. It's really, really quite good.

Back to the questions here. Another question from Chris. Chris says he's a WordPress developer who serves numerous clients. In my experience, the weakest link in security is always the user. Absolutely. What can you recommend as far as resources that we can share with our clients to get them to take security seriously, without scaring them to death? And I'll just kind of add, like, is there... maybe scare tactics aren't always bad, but maybe a little scare isn't so bad in this case? What do you think, Kathy? Want to start with you?

My YouTube channel.

Kathy, it's just education, right? It's being aware. Like, it's just being aware, really, of that opportunity. Hackers are opportunistic. They're going to look for vulnerabilities. And it's just education. There's a bunch of us, there's tons of educational opportunities on YouTube.

And I would, if you're an agency, I would assemble, sort of as a part of an onboarding, like, here's a new client. Here's how we do things. Here's how we transfer credentials. Here's how you're going to only have editor access, if you feel like that's... you know, whatever your protocols and procedures are for onboarding a new client, build security awareness into that. And if they have any kind of, you know, pushback whatsoever.
I mean, it's a red flag.

True, but it's, you know, it's the ones who... nobody wants to learn. When I was doing security marketing, nobody wants to hear about it. Nobody wants to hear about security until they hear that their neighbor got broken into, then everybody wants the security system on their house. Same thing with WordPress. When that Bricks vulnerability happened, everybody wants to know about how do I protect myself? What's the best thing I should be doing? I want to know about all... you know, lots of bad advice on Facebook, that's for sure. But I would really make security education... it's going to differentiate you. I mean, agency work, I know, is incredibly competitive. When you start building security into not just the onboarding process, but also into the sales process, that you take it seriously, they're going to be like, oh, well, why isn't that other agency talking about any of this stuff? Is there something out there they don't know about? And they'll ask questions. So build security into your processes. Really good. Anybody else have advice?

Thumbs it up.

Good. Well, folks, we're coming right up to the top of the hour at the end of our livestream today. But I do want to circle back to something, Kathy, that you mentioned in your presentation, which is the importance of collaboration between companies and users in the WordPress space to make everybody more secure. So there seems to be, and I've kind of noticed this as well, this trend in WordPress security where, you know, some companies are resistant to collaboration.

How can WordPress... Kathy, in your opinion, you can kind of start here and others can chime in. How can WordPress security vendors work together to improve the safety of everyone in the WordPress ecosystem?

Well, there's some that are looking at what Solid and Patchstack are doing.
They're exhibiting, sort of, good stewardship of WordPress security by the fact that there's collaboration happening.

Patchstack is really great at some things. Solid Security is really great at some things, and they're cross-pollinating information. There's communication happening, there's sharing of information, security.

All security is, is communication. A security researcher finds a vulnerability, communicates it through the secure channels, communicates to the developer, communicates the proof of concept to the developer. That communication has to happen. Collaboration has to happen. Collaboration is the undercurrent of good security. So, I mean, there's some companies that work better together, I think, than others, which are more cloistered and have their way of doing things and their way of communicating. But I'm seeing some that work really well together.

You know them, not to get biblical, but you know them by their fruits. Right? You can see, you can tell what's going on, you can see the actions that people are taking. Make good judgment as a WordPress user and choose to work with the companies that are collaborative, that are putting the needs of users ahead of competition. When you go to a WordCamp, you've got hosting companies lining up the hallways of the sponsor area, everybody is there. You don't have GoDaddy taking pot shots at Liquid Web, well, maybe you do, but everybody knows each other. They support each other. Our community is collaborative, we work together, and security needs to be a part of that. And the security teams and all of the security vendors and security educators, they need to be collaborative as well. It's what makes WordPress strong.

Excellent.

Who else wants to weigh in on that? Yeah, Kathy's mic drop. Yeah. I echo everything Kathy said, and to touch on it from the lens of the questions you were asking earlier,
Nathan, I think it's what allows us to work on cool features at Solid Security as well as being able to partner with other vendors. Patchstack has created thousands and thousands of virtual patches.

That's work that then only had to be done once and could be shared to Patchstack users and our users, and lets us work on other features like Trusted Devices or passkeys and things like that. So I think developing those key partnerships and open communication between different services lets us build tools that help protect site owners more than they could if we were all operating 100% independently and we had to build the same thing 15 times. Yeah. Great.

Anybody else before we wrap this up?

Great information. Yes. I really appreciate each one of you and your expertise and the flavor you've brought to this conversation. Really, really appreciate all the great advice. There's a lot of thank-yous happening there in the chat as well.

Let's see. Timothy, you're back tomorrow to start things off, walking through Solid Security. So we're looking forward to that, and bring your Solid Security questions. I know there's a couple of Solid Security questions in the chat that are specific to our plugin, and I'm going to have plenty of time to answer those tomorrow. Yes. So yes, absolutely. I will walk through all those settings, and in the second hour tomorrow, I'll be talking about the client side of this and how do you talk to your clients about security, for education, for information, also, Pat, you know, how can you as an agency owner or solopreneur package security into the services you offer to build recurring revenue? So it's going to be a good day tomorrow as well. Kathy, Thomas, especially thank you both for being with us today. David, your expertise has been excellent as well. Kathy, Thomas, let's wrap up with... Kathy, if they want to get more of you, where do they find you?

I'm everywhere.

Literally, you are.

Kathy Zant.
I am faster than the other Kathy Zant that is out there. So I grabbed my... my name is everywhere. So just follow me. I'm really trying to put out more security content on YouTube because that's kind of a fun thing. But LinkedIn, Facebook, I'm still in the Kadence community and still very much a fan there. So hit me up there. Very good. And Thomas just dropped the URL for We Watch Your Website in the chat. Quickly, you offer a free service to anyone who wants to sign up for monitoring for malware, any bad things happening to the website. You want to talk briefly about that? Yes.

It's free. You can think of it as a free intrusion detection system. We don't protect anything on the free plan, obviously, but we monitor your database, your files, the processes. You know, if you're on a server, we can do it live.

If you're not on a server, if you've got a shared hosting plan, we do it once an hour. It's very good. And one of the great things, especially if you're an agency owner or solopreneur, you have your own server or account where all of your clients are hosted: We Watch Your Website offers a single price to cover that whole server, all the sites on that server. So it's really quite good. And if you want to learn more about that, WeWatchYourWebsite.com. So thanks again, Thomas, for being with us today. You bet. All right, folks, that is going to do it for us. We are back tomorrow, again 1pm Central, for a walkthrough of Solid Security, and until then have a great rest of the evening. We'll see you back tomorrow on Solid Academy, where we go further together.

So again, welcome. If you are just joining us, open up the chat and say hello and let us know what your biggest takeaway from day one of Disaster Week was, something you learned that maybe you didn't know or just a big aha moment.
We'd love to hear from you in the chat with that.

Right, captions should now be working for everybody.

Jeffrey needs to convince clients to make security a priority. Yes. We'll be talking about that in the second hour today.

So, Doug learned yesterday, Timothy, that you were born with a keyboard in your hands.

Is there truth to that rumor?

You know, it's just that there's Apple keyboards. They're very good, very portable.

Love it. Oh, gosh. Welcome back, everybody. Glad you're here. If you're just now joining us in Zoom, open up the chat and say hello. We're asking what your biggest takeaway was from yesterday. David needs more Swiss cheese in his life. Yeah, maybe so.

The slide button on the link bundle is going back in the chat now. If you want to download either slide deck from either hour today, you can do that. The replays are up from yesterday. If you want to go back and rewatch those... there's also a discount code for Disaster Week. Use that code, disaster week, for 40% off the Solid things.

We'll have more information about that at the beginning of the next hour. Hey Tanya, welcome from Finland.

Good to see George from South Africa.

Missing Dan, welcome Kenna. Doug. George. Yeah, welcome, everybody. Glad you're here. Hey, Stephanie. Manu.

All right, folks, we're about three and a half minutes away from getting started officially. Welcome back. To Tea, Sherry, Melissa, Bonnie. Good to see everybody. We're asking, the check-in question today is what your biggest takeaway from day one of Disaster Week was. You learned something interesting yesterday in the last sessions, we'd love to hear from you. I'm also going to drop in the chat the link bundle again for today's session one and two slides; they're there waiting if you want to download those.
And of course the discount code, disaster week, 40% off all the Solid things.

Be the cat.

That's great.

So we're just about ready to get started. Just a few minutes away. Timothy is going to be talking in the first hour about reducing our risk to nearly zero with Solid Security.

Augustine, welcome. Glad you're here. Hey Sue, Kay, Glass. Welcome, everybody. Phoebe, yes, sign out of all the websites. That's really a good thing.

After Thomas Raef came on a few months ago and scared the pants off of me with that session-stealing cookie hack, I am logging out of everything religiously. I had a bad habit of not doing that.

Hey, Rob, welcome.

Murray, welcome. Glad to see everybody. If you're just now coming into Zoom, open up the chat, say hi. We'd love to hear what your biggest takeaway from yesterday was.

Yes, SIM porting, Sherry, that's another big one.

The link bundle is in the chat if you're just joining us and you'd like to download the slide deck for the first or second hour today. Those links are there waiting on you in the chat. We're going to get started here in about a minute and a half from now. Timothy's got a great session lined up about walking through the settings in Solid Security that can help you reduce your risk to nearly zero for your WordPress site.

Yes, Sue, great idea.

With Kathy's hint, her pro tip on the four digits of the password. It's good stuff. Kathy's checklist was excellent.

Just about a minute to go now, folks. Glad you're all here. We've got a couple of great hours of security conversations coming to you today. Timothy in the first hour talking about Solid Security and the settings that can help you reduce your risk to almost zero. And I'll be talking in the second hour about talking to clients about security, the business side of all of this, so we should have some fun today. The slide decks are there in the chat.
If you're just joining us, open up the chat and say hi. All those links are there waiting on you, as well as the replay link from today. If you missed yesterday, we had an excellent presentation from Kathy Zant giving the state of WordPress security. I'd invite you to go back and rewatch that; it was quite good. Also, we had a great panel of security experts. Really good discussion and comments on some of the big issues going on in WordPress security. So if you missed that yet, the replay is up from yesterday. And we'll have today's replay up about an hour after we finish as well. Welcome, Christian from Quebec.

Just about ready to get started. Hi Eddie. Yes, watch the replay. It's out there ready to go. Really good stuff from yesterday. All right, it is now three minutes after, so let's get the recording started and we'll dive right in.

Welcome back to day two of Disaster Week for 2024 here on Solid Academy. My name is Nathan Ingram. I'm the host here at Solid Academy, joined today by Timothy Jacobs, the lead developer for SolidWP. Welcome back, Timothy. How are you? I'm doing good. Thanks for having me, Nathan. Yeah, we appreciate your wisdom on the panel yesterday. We had a great discussion with you and Kathy Zant and David Johnson and Thomas Raef from We Watch Your Website, really good conversations there. And today, you're going to be talking to us about Solid Security and what we can do to reduce our risk to nearly zero. Do you want to give us kind of an overview of where we're headed in the next hour or so?

Yeah, so we're going to spend some time talking about some of my favorite features in Solid Security. We're going to talk about some of the threats that are facing your website and how you can use those features to help protect yourself. And then we'll have plenty of time for questions and answers, either about cybersecurity in specific or security in general. Yeah, very good.
So our lineup today: Timothy will speak and we'll do questions for about an hour here, and right around the hour mark, at two o'clock Central time, or however that translates to wherever you are around the world, I will take about a 10 minute break and then I'll come back for our final hour and talk about how to talk to clients about WordPress security. So just a couple of bits of housekeeping: the replays from yesterday are up, we've mentioned that. I'm going to drop in the chat once again our link bundle if you'd like to download the session slides for this session or the next; those links are there waiting on you. And we invite you to ask questions, because we will have a good time of Q&A at the end of this session and the next session. Please use the Zoom Q&A link, which, if you mouse over the shared screen, you'll see that Q&A icon. You can click that and ask your questions there rather than the chat, please. Because as the questions come up in that Q&A, you'll be able to upvote the questions of others, and we'll take those questions in the order of upvotes when we get to our time for Q&A. All right, Timothy, let's get started. I'm looking forward to this. Let's do it. Yeah, so we're going to be talking about how you can reduce your risk to nearly zero using Solid Security. And to do that we need to take a look at what are some of the threats and vulnerabilities that your site might face. So one of the ways that attackers can come at you is just through your front door, through your login page. And so this is all about login security. It's probably the stuff that we know about the most. If your users are using weak passwords, well, that leads to brute force attacks. If your users are reusing their passwords, let's say they have a favorite password, we mentioned that phrase a couple of times yesterday, that's not very good. Or they have similar passwords.
Let's say they have a password formula or a password pattern that's like, you know, five random numbers and the name of the website or something like that. That's not great. That's going to lead to credential stuffing attacks. Those are when an attacker finds a database of passwords that were leaked from another service and tries those passwords across your actual site and says, hey, this user is using this username and this password everywhere. Let's try it and see if we can get into the site.

One thing that you might not think of immediately, though, when it comes to login security is the reputational damage that your site can experience if you have issues like this. This isn't just about an administrator losing access to your site. Obviously, that's kind of a huge problem: an administrator's account gets compromised, you've got malware, etc., etc., etc. But this is also a risk if you let users log into your site. Let's say you are an e-commerce shop or you are a BuddyPress install that has a membership-based component. Anything like that. What you'll often find is that people blame the website when their account is hacked. It's rarely that someone says, oh, I messed up, my Facebook account got hacked because I had a weak password. Instead it's, oh my God, my Facebook account got hacked. Facebook, why did you screw up, yada yada yada? We saw this with 23andMe earlier this year and last year, where attackers ended up accessing personal data for millions and millions of users.

This was because, in some ways, the fact that those users that were compromised were practicing poor security hygiene. But the users didn't see it that way. Certainly the larger internet news media didn't see it that way. You have a responsibility to mandate security best practices not just for yourself and your site administrators, but if you're an e-commerce or WooCommerce install, for your customers as well.
If their site gets compromised, if their account gets compromised, and their credit card details are able to get accessed, or their address and personal information, or orders are able to be placed, they're going to blame you. They're not going to blame themselves.

We Watch Your Website earlier this year published some really interesting statistics about how sites are getting compromised that he sees through his service. And he found that 7.2% of hacks were coming through the front door with login security. And in some ways that's a small number, which I think is a good thing. It means that, you know, we are making progress. But in other ways, the fact that that 7.2% number is even 7.2%, that in some ways just seems very, very high to me, that still yet we have people not following the best practices. So what can you do? Well, in Solid Security Pro we have a number of different features that help in this regard. One is just enabling brute force protection. You don't need to let an attacker try as many times as they want to log into your site. You can stop them after they try a couple of times in a row and make it more difficult for them to get into your site.

You can require strong passwords. Solid Security has a really great feature where it will detect that a user is using a weak password and force them to change it during the login flow. So this isn't just something that is only for, you know, new accounts going forward. It's a great thing that you can enable, and Solid Security will take care of upgrading users and forcing them to put in best security practices. You can also prevent using breached passwords through the Have I Been Pwned integration. So this is where credential stuffing attacks occur. Let's say your account got compromised on some other website, some forum, something like that, and they then retry and use that password.
Well, with Have I Been Pwned, we'll say, hey, has this password ever appeared in a data breach? And if it has, we'll prevent you from using that password on that site, which is another great way to help your users protect themselves. You can also use CAPTCHA features. We recently launched an update to CAPTCHA that adds in a couple of new providers as well. So it's not just Google reCAPTCHA. If you don't want to use Google, you can use Cloudflare's Turnstile feature, which is excellent and the one that I recommend the most, or you can use hCaptcha. And this helps slow bots down. If you're able to say, hey, you need to complete this challenge to try logging in, it's a significant deterrent, so they can't just try millions and millions of attempts at once.

What else can you do? Well, you can enable two-factor. The two-factor features in Solid Security let you enforce two-factor. So you can say, hey, all of our administrators or editors, people who can do privileged things on our site, we can force them to use two-factor. And when you do this, you'll use a feature in Solid Security that I think is pretty unique, which is our two-factor onboarding sequence. So this automatic onboarding flow lets users get up and running with two-factor without your assistance; you don't need to get involved. All you need to do is say, hey, Solid Security, make sure all my administrators are using two-factor. And the next time the user logs in, we'll prompt them to set it up. We'll tell them what the feature is about. We'll make sure that they understood how two-factor works. They need to enter in a two-factor code before they can continue. And you will get all of that happening for you in the background without you needing to go to the user and say, okay, I set up two-factor for you, or, you know, let's go into the Zoom call and show you how this works.
You can use these automatic onboarding features.

And when you use all these features combined, you can see this is data from Google that showed how attacks were able to be prevented using two-factor challenges, using things like security keys as well. Now, I know what you're probably thinking, which is that, okay, well, two-factor is great. I know two-factor is great, but it's really hard to convince my clients to use two-factor because it's confusing or it slows you down. And so for that I say, let's use passwordless login. So I gave a talk a couple of times now about killing the password that really dives into it. But passwordless login using passkeys is a faster and more secure way to authenticate. It lets you skip your password and lets you skip entering in two-factor authentication. And it provides basically a one-click login experience. You can see here I just clicked "use my passkey" and I logged in. My device authenticated me; my device made sure that I was logging in to the site that I thought I was logging into. So it's also phishing-proof. We're not going to dive into all about passkeys today. There is a whole hour about it if you want to check it out on the Academy, and you can take a deep dive into why passwordless login is important using passkeys. But I'd say it's a good option if you have it. If this demo doesn't convince you, read the whole hour or watch the whole hour and we'll really dive into it.

Another thing that you want to consider is access management.

You don't want to be in a spot where everyone on a site is an administrator, where you just give admin access out willy-nilly.

You want to make sure that when responsibilities change, people's access changes. If someone needed an administrator account to do some initial setup, but now they're done with that, consider changing the roles and changing their capabilities.
You also have to make sure that you have a plan for when employees leave. You know, no one sticks around in the same company forever. And you want to make sure that when an employee leaves your company or leaves your agency, their access isn't maintained anymore, that they're no longer able to log into all of your sites.

So how can you accomplish this with Solid Security? Well, there are a couple of things that you can make use of. One is just make liberal use of the roles that exist in WordPress, right? We're not limited to just an administrator or subscriber. We've got five that are built in. If you want to go further than that, you can; there are great plugins like User Role Editor that let you get very fine-grained and say, hey, I want a user that can do exactly these couple of things. Do that. That's awesome. We have some really cool features in Solid Security too, though, that can help you. One is the privilege escalation feature. This lets you say, hey, normally this user just needs author access, but I need to give them some temporary access; they need to do something special, but only for the next few days. And what privilege escalation will take care of is saying, hey, once that period has expired, they'll revert back to their previous access. This is good both for, you know, when you have a team member who needs to take care of a special task, but also if you're reaching out to support, either our support at SolidWP or the support for any other WordPress companies. Instead of giving them an administrator account that sticks around forever, create them an account, set it as a subscriber or an author, and then temporarily give them privilege escalation for a week, let's say, to an administrator, and you can rest more easily knowing that, hey, there aren't just administrator accounts hanging out there that are waiting to be compromised.

You can also use some other cool features in Solid Security, like the site scan.
So our site scan feature takes care of looking at vulnerable software, for instance, but it also looks at inactive users. So if you have users on your site who haven't logged in recently, you can easily use the site scan feature to identify those users and demote their capabilities. If they aren't logging in every day, maybe they don't need administrator access anymore. Maybe you can demote them to an author.

Another general tip that I recommend, though, is just centrally document when you're giving out access. If you're giving privileged access, write that down. Start up a spreadsheet, a Google Doc that says, hey, this employee has access to these systems, whenever you give that out, so that you know what different things to go through and revoke. It's not just WordPress sites. It might be, you know, email accounts, marketing automations, all these different tools. Start with that in place, so you're not saying, hey, two years from now when they leave, oh gosh, what are the 15, 20, 30, 40, 50 different services that I invited them to? You have one place to consult. So what's another aspect of how attackers can compromise your site? One of them is through the back door. And by this I mean vulnerable software. Patchstack identified nearly 6,000 issues last year, and the majority of these are in plugins, over 97%. The remaining 3% we've seen in themes, and it's just a fraction of issues that are in WordPress core. Every so often... we just had 6.4.3 get released, I guess a month or two ago at this point, which was a security release that fixed a couple of issues. But really the primary issue, and we talked about, hey, is WordPress insecure? It's not WordPress core. It's WordPress plugins.

We Watch Your Website identified that nearly 33% of attacks that they saw on their sites that they clean up were due to vulnerable software.

There are some things that you need to understand about vulnerable software.
We talked yesterday about how there are 100, 150, 200 different vulnerable software issues that are reported every week now in WordPress. And so that means you kind of need to take a look at vulnerabilities and say, okay, let's not get too overwhelmed. One of the things to keep in mind is that not all vulnerabilities are equal. A remote code execution attack, where an attacker, let's say through the Bricks vulnerability, is just able to execute PHP code arbitrarily on your server, that is way more severe than, for instance, a self cross-site scripting attack, where an attacker needs to trick you into clicking a link or entering in some data into a form. If you just look at the reports at a glance, you might see, oh, these are all the same. I've got 15 issues here, how am I ever going to resolve them? But you can use things like the CVSS score. This is a score that ranges from zero to 10, and the higher the score, the higher the severity. And you can also use providers like Patchstack, who we integrate with, to help you determine a priority and say, this is when you should patch it. For example, this is the WP formance vulnerability that happened earlier this year. It has a high severity, but it wasn't known to be exploited to Patchstack. And so they came up with a patch priority based off of how likely it was to be exploited, how easy it is to be exploited, and say, hey, you should patch this within seven days. So these are kind of tools that you can look at to help you identify what fixes need to be made now.

What we found with Solid Security is that, and I checked the data last night, 45% of websites that are running Solid Security, yes, right now, have at least one bit of vulnerable software installed. So what are some things that you can do with Solid Security to help? One is we have an awesome vulnerabilities page that tracks all the vulnerabilities that are affecting your site.
So this gives you one view. You don't need to watch your email or look in the logs; it gives you one place where you can log in and see all of the vulnerabilities that are affecting your site. It'll automatically scan for you multiple times a day to find new vulnerabilities. You don't need to remember to go back and click Scan and click Scan and click Scan. It'll take care of that for you.

We also give you recommendations on how to resolve the issue that are specific to whatever vulnerability is actually present on your site. So for instance, this ancient WooCommerce plugin vulnerability: a fix was officially released by WooCommerce, so we recommend you update that plugin right away. If you can't, you can deactivate it. We'll give you those choices there and let you know what actions you should take depending on the vulnerability.

Another really cool feature is that it lets you view the historical vulnerabilities that have affected your site. So let's say this Ninja Forms vulnerability: we can see here that, hey, we updated this plugin on February 15. The vulnerability was reported on this date, and so you can go back, and if a client asks you, hey, whatever happened with that Bricks vulnerability? You can see, oh, we automatically updated that, or we manually updated that, or we deactivated and switched away from it. You can see all of that data inside of Solid Security. So you don't have to be guessing or trying to remember what happened. And as you've been running the plugin for a long time, you'll see, over the period of months and years, what vulnerabilities have affected your site in the past.

There's another really cool feature that I want to talk about, though, which is virtual patching from Patchstack. The thing to keep in mind, and we talked about this yesterday as well with the Bricks vulnerability, is that sites can start getting compromised within hours or days of a vulnerability being published.
So think about hey, what if this happens when I'm on vacation, or if I'm away from the computer? Or I just didn't know about it.

Virtual patching is there to protect you when you're not able to update. Now, it's not just when you're not able to update because hey, you're AFK right now, but 25% of the virtual patches that Patchstack publishes, they cover you when there isn't even an official fix out yet for the plugin. This is a vulnerability that's out there, the plugin author hasn't been able to fix it yet, or is unwilling or unable to, and there's a virtual patch to protect you. So this isn't just hey, okay, I'm gonna be on my site 24/7 and the second I see a vulnerability I'm gonna update to the fix. These are also important because they can protect you even if there isn't a fix. Even if you want to do the best thing possible and update immediately, you might not be able to.

So how do these virtual patches work? Well, they're targeted firewall rules that are deployed to your site to block attacks from being executed. And so what that means is, if you can't update yet, let's say there is a severe WooCommerce vulnerability, and you just can't update that right away without doing a lot of testing. Well, this targeted firewall rule will protect you by blocking that specific attack vector from being executed. These are also highly targeted, so this isn't just a general vague rule. And what that means is that they have a much, much lower false positive rate. There are some tools that will kind of offer broad general blocks where they try and say okay, anything that kind of looks like this, well, we'll block that. But those can have false positives where suddenly you're just trying to use your site, and oops, it didn't protect you, or you're trying to use your site and it triggers one of these false positives and you get blocked from trying to do something normal or innocuous.
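The contrast just drawn between a broad "looks like an attack" rule and a targeted virtual patch, as an added example that is not code from the webinar, Solid Security or Patchstack. It also illustrates the two later remarks in the Q&A: a broad WAF rule blocking an editor's blog post that merely describes SQL injection, and a targeted rule that applies only while the vulnerable plugin version is installed. The plugin slug `example-gallery`, its AJAX action name, the fixed version and the request records are all constructed for the example; the hypothetical flaw is simply an action that lacks an authentication check.

```php
<?php
// Added example (not code from the webinar, Solid Security or Patchstack): a
// broad pattern-matching firewall rule beside a targeted rule scoped to one
// vulnerability in one plugin version range, as a virtual patch is described.

// Hypothetical vulnerability: the plugin's 'eg_export_settings' AJAX action
// lacks an authentication check before version 1.5.0. The targeted rule below
// is scoped to exactly that.
const VULN_PLUGIN   = 'example-gallery';
const VULN_FIXED_IN = '1.5.0';
const VULN_ACTION   = 'eg_export_settings';

// Constructed requests in the shape a WordPress-level firewall would inspect.
$requests = [
    'anonymous call to the unprotected action' => [
        'uri' => '/wp-admin/admin-ajax.php',
        'params' => ['action' => VULN_ACTION],
        'logged_in' => false,
    ],
    'logged-in admin using the same action' => [
        'uri' => '/wp-admin/admin-ajax.php',
        'params' => ['action' => VULN_ACTION],
        'logged_in' => true,
    ],
    'editor saving a post that explains SQL injection' => [
        'uri' => '/wp-admin/post.php',
        'params' => ['content' => 'Never concatenate input; a UNION SELECT payload would read other tables.'],
        'logged_in' => true,
    ],
];

// Broad rule: block any request whose parameters contain SQL-looking text,
// regardless of which plugins are installed or who is making the request.
function broad_rule(array $req): bool
{
    foreach ($req['params'] as $value) {
        if (preg_match('/\b(union\s+select|sleep\s*\(|benchmark\s*\()/i', $value)) {
            return true;
        }
    }
    return false;
}

// Targeted rule: active only while the vulnerable version is installed, and
// matching only the one vector it exists for.
function targeted_rule(array $req, array $installed): bool
{
    $vulnerable = isset($installed[VULN_PLUGIN])
        && version_compare($installed[VULN_PLUGIN], VULN_FIXED_IN, '<');
    if (!$vulnerable) {
        return false;   // site patched or plugin absent: the rule does nothing
    }
    return $req['uri'] === '/wp-admin/admin-ajax.php'
        && ($req['params']['action'] ?? '') === VULN_ACTION
        && !$req['logged_in'];
}

// Run every request through both rules and collect the verdicts.
function evaluate(array $requests, array $installed): array
{
    $verdicts = [];
    foreach ($requests as $label => $req) {
        $verdicts[$label] = [
            'broad'    => broad_rule($req),
            'targeted' => targeted_rule($req, $installed),
        ];
    }
    return $verdicts;
}

foreach (['1.4.2' => 'before updating', '1.5.0' => 'after updating'] as $version => $phase) {
    echo "== $phase (example-gallery $version) ==\n";
    foreach (evaluate($requests, [VULN_PLUGIN => $version]) as $label => $v) {
        printf("%-50s broad=%-5s targeted=%s\n", $label,
            $v['broad'] ? 'BLOCK' : 'allow', $v['targeted'] ? 'BLOCK' : 'allow');
    }
}
```

With the vulnerable version installed, only the targeted rule stops the anonymous call, and only the broad rule blocks the editor's post (the false positive the speaker runs into with Cloudflare later in the Q&A). Once the inventory reports 1.5.0, the targeted rule evaluates to false on every request, which is the "only if your site is vulnerable" property: no per-request cost and no false positives for a rule the site no longer needs.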
But Patchstack creates virtual patches for every single specific vulnerability, not just broad patches. They have, I think, over 6000 vulnerabilities with vPatches at this point, which is way more than pretty much any other provider out there. And if you're using Solid Security, or the Solid Patchstack add-on for our older customers, you don't get that protection automatically.

It's important to keep in mind that patches are mitigations. So you still want to update, don't just be running an ancient version of WooCommerce forever, but they're there to help you when you can't update, either because you're AFK or, you know, a fix just hasn't been released yet. So what does this look like in Solid Security? We can see an example of this with this WooCommerce vulnerability. You have this badge up in the top right that tells you hey, this was patched automatically. And in our Status section, we tell you that hey, a virtual patch was automatically applied to mitigate this vulnerability. We still do again recommend that you update, don't keep things inactive forever. But this patch automatically installed some firewall rules. And you can see that if you ever go to the firewall section in Solid Security, you'll see that hey, here are these different firewall rules and they came from Patchstack. If you want to, you could deactivate them, but we don't recommend that; they're there to keep your site safe.

What else can we do to manage updates? Well, I would keep in mind at this point, their sites have lots and lots of plugins and updates are important. So you should schedule the time to do them. Don't make this just a thing of okay, I decided to log in today and I have some free time, I guess I'll apply some updates. Make it intentional that you say hey, let's apply these updates this day.

And don't do this too infrequently. It's easy to say okay, you know, every second Tuesday we're going to apply updates.
I don't think that's a good idea these days. You need to do it more frequently. I would say at least once a week is when you should be saying okay, let's look for updates and apply them. The longer they sit out there, the more updates you have to apply, the more complicated it gets anyway, but that also helps with security updates. You'll see, for instance, from Patchstack a lot of their issues, they say hey, patch this within seven days. So if you're applying updates once a week, you're gonna be on top of that.

You should prioritize high severity issues. So if you have a huge list of updates to apply, and you see that some of these are security related, work first on the ones that are high severity. You don't need to just go in the order that they were received. Look at their severity, look at the priority to help you determine which updates you should install.

You can also use hosts like Nexcess that provide automatic updates with visual regression tests. One of our fears with turning on automatic updates is okay, what happens if my site just breaks? But using tools like these that do automatic regression tests can say, okay, there was an issue with this update, we're not going to apply it to the real site, or we're gonna roll it back and we're gonna notify you that you need to do manual intervention, but for everything else we'll take care of it automatically.

You can also use Solid Central to apply updates across all of your sites, and that gives you one UI where you can work them down, and we're bringing some really cool updates soon to that screen as well. You also have the option to enable auto updates for security fixes. This is a feature in Solid Security Pro in the version management module that will let you say okay, we detected that this patch is a patch that is resolving a security issue.
So let's just automatically update to it, even if you wouldn't ordinarily apply automatic updates for that plugin.

So the last threat to be aware of that I want to talk about today is under your nose. And so this is about session stealing attacks. So this is something that we did a webinar on a couple of weeks ago that really dived into it, and did some cool demos about our features in Solid Security. But if you haven't heard about session stealing attacks, this is when malware is installed on your device, and it steals the actual cookies that you use to authenticate with WordPress. These cookies are then sent to an attacker's botnet or they're sold off. And with these cookies now an attacker is able to fully impersonate you. They have your full capabilities; for all intents and purposes, they are you. It is your actual login. And a big thing to keep in mind here is, because they're stealing the cookies, and these cookies you get after you've logged in, it means that usual protections like brute force prevention or two-factor aren't able to effectively block this attack, because you actually logged in and you completed two-factor, and then the attacker stole those cookies.

Thomas from We Watch Your Website found that this affected nearly 60% of the websites that he was cleaning up, but it is a huge number. So what can you do? Well, the first thing is keep your computer secure. If your computer is safe, if you're not using untrusted devices, if you're always connecting over HTTPS on secure Wi-Fi, you're not going to be subject to this attack. If you're just, you know, using your home computer, you're up to date, you have no malware installed, then an attacker isn't able to magically steal your cookies. Your device must have in some way been compromised, or you're using a compromised network. Or let's say you go to a computer cafe and you're like hey, I'm gonna log into my e-commerce WooCommerce site and, you know, nothing will go wrong, I'm sure that's fine.
Don't do those things. Keep your device up to date. Use the firewall tools or anti-malware tools that are installed on your devices, Windows Defender, Mac devices' Gatekeeper, those types of tools to keep your computer safe.

You can also implement additional controls on sessions. And so this is where the trusted devices feature in Solid Security comes into play. What trusted devices lets you do is it alerts you when a login has happened on a new device. So this can be hey, I'm just now traveling for work, let's say, and normally I'm based in New York City but now I'm in Huntington, apparently, from this demo. And you'll get an email that says hey, is this you? Are you trying to log into this device? And you can say yes, it was me, or you can secure your account and change your password if it got compromised. But it comes with additional features as well, one of which is restrict capabilities. So if someone is logging in on a new device, we'll restrict their access. Instead of being able to do everything, like install plugins, create new users, edit your passwords, instead they only have limited access. So if you are on the road and you need to, you know, make a quick update to your posts, you can do that. But when you don't want to take more sensitive actions or more secure actions, you will be prompted to actually confirm that new device. Another feature is session hijacking protection. You can see a cool demo that we did with David a couple of weeks ago in our webinar, where we said hey, what would it look like if someone stole your session cookies? And you can take a look at that to see how Solid Security would stop that attack from taking place.

So in summary, you have to think about the weakest link. One admin account with a weak password can result in your site getting compromised. One unpatched plugin with a critical security issue can result in your site getting compromised. We need to stay ever vigilant.
We need to be making sure that hey, if one thing slips through, that can be, you know, a disaster. So use every tool available to you. This isn't something I think, once you're managing more than one site, that you can reasonably expect to stay up to date on all by yourself. Use tools that help you, and of course, the tool that I like is Solid Security.

So I'm now at this point ready to open up the questions, Nathan.

All right. Excellent overview of all the things that Solid Security has to offer, and we have plenty of time for your questions. There are 10 questions currently stacked up in the queue. Folks, if you have a question about anything regarding WordPress security, including of course the Solid Security plugin, open up that Zoom Q&A and drop in your question, also upvote the questions of others, and we're just about to start taking our first questions. The first one being from Paul. Paul says, in the past, moving the wp-config file to the root level of hosting, at the same level as public_html, helped to protect a site. Is that still something that helps?

I guess I'd say, does it hurt? I mean, is there like, originally some of this was

how do we make sure that hey, wp-config is not exposed in the public_html directory. It was kind of the idea. So we would move the wp-config file a level above public_html actually. So you'd have public_html/index.php, and that index.php would be the WordPress, and then wp-config would be below that. So it'd be wp-config, public_html, everything else on one level, and then your WordPress. And so the idea is that, hey, if we move that out of the web root, it could prevent some attacks. I'd say at this point, you know, it doesn't harm anything, but unless your server was misconfigured in the first place, it probably isn't going to really

it isn't going to be a problem to begin with, if that makes sense. So it doesn't harm anything.
It's an easy thing to do, but it's probably not actually preventing an attack.

Especially these days. I think those types of server configurations are much rarer.

Yeah, so one of the tools in Solid Security allows you to check out file permissions, and it shows you what the recommended permissions are of things like the .htaccess file and wp-config. So I know just from using the product that the recommended is 444, right, for wp-config. So if wp-config lives in the regular WordPress directory in public_html and it's set for 444, you'd say that's pretty secure? Yeah, there's no issue there.

So like if you had a scenario where PHP files were not being properly executed, which is kind of part of where this attack lies, then if someone went to your site /wp-config.php, it could then return the plain text of that PHP file. And then they would have your database credentials and your salts and things like that. And that could be an issue. These days, though, that is not really a thing where servers are configured in such a way that we only say hey, only index.php can be directly executed. So yes, I would say putting it in the root level is totally fine. And yeah, it's great to use that file permissions tool in Solid Security to help you identify what permissions aren't what they should be. To answer Paul's question, I do this on some sites. So for a couple of sites, I have like a pretty specific custom setup of how wp-config.php works, and they are better than others. I don't.

I'd say at this point, it's just not, not on the top of my list of security improvements. I think there are more significant things that you can be doing. Yeah. Good. Next question, that was from Kenneth: Is there a class or video on how to set up the free parts of Cloudflare? I see a lot of areas there but I don't know how to set them up.
And Timothy, before I turn this to you, let me just mention that actually the premium course for the month of April, which will be about a month from now, I'll be doing a course specifically for WordPress agency owners on setting up Cloudflare, basically all the stuff we've learned in my agency over the last year and a half or so of muddling through Cloudflare and getting things set up, both with settings and processes, with how we migrate things, and just what we've learned from moving 100 sites into Cloudflare. So that is the premium course for April. You could register for that if you're a member of Solid Academy.

It's up there on the courses now. But so let me pivot back to you, Timothy, anything that you would recommend on that, or how effective even is Cloudflare as part of a holistic security approach for your website? Yeah, um, so I would say that sounds like a great Academy training to check out for this. I think we've talked about in the past of offering like more content through SolidWP about how you can most effectively use Cloudflare, and that sounds like a great session. Um, in general, I'd say Cloudflare is definitely a great tool in your tool belt, and if you are able to use it, I highly recommend it. I would say it works very well in conjunction with some of the other features with Solid Security. So Cloudflare offers, for instance, WAF functionality. Their WAF functionality is more broad than Patchstack's virtual patches, so they're applying things like okay, let's try and prevent a large set of cross-site scripting attacks, or a large set of SQL injection attacks, things like this. And you'll find that those have those trade-offs, right, where sometimes they're not able to protect against an attack like Patchstack is able to. Patchstack is dedicated to WordPress specifically.
And so they offer, create new patches multiple times a day, that Cloudflare often won't be. You also see, because of Cloudflare's kind of broad-based support, that you might actually run into issues with Cloudflare. I, for instance, writing about security, sometimes you can try and publish a blog post and Cloudflare will say nuh-uh, because you're describing a SQL injection attack and we're like, oh, that looks like a SQL injection attack, we're gonna block that. How on earth do I publish this blog post? Cloudflare, get off me. So you'll see kind of the difference between how Cloudflare works and how Patchstack works. I think they work excellently in conjunction with each other. But Patchstack is able to go beyond that and say, okay, you've detected you have this specific vulnerability, we're going to create a patch that protects against this specific vulnerability. Yeah, it's really good. I think this is a great illustration of the analogy that Thomas made yesterday with the holes of Swiss cheese lining up. Actually Patchstack is just another layer of cheese. Patchstack is a layer, Cloudflare is a layer, server level security is a layer, WordPress security with Solid Security, and they all hopefully can block all the holes so no hole goes all the way through. Really good.

Okay, question from Vern, we get this one a lot. Hide the back end, which refers to changing the wp-login URL, changing the wp-admin URL to something else. Is that effective in today's WordPress security landscape?

I do not use this feature on any of my sites. I will say if I could, I would remove it. And we know this is a feature that a lot of people like, so we don't have any plans to currently. But what we always encourage people, if they reach out to our support desk and ask about this feature, is use things like I talked about in the login security section. Those provide real security. Oops, these slides went away. Those provide real security.
So those are things like saying hey, two-factor, CAPTCHA, lockouts. Those are much better than just making your login page something different. You're adding like one small step, but oftentimes, hey, if you're an e-commerce store with WooCommerce, your customers need to log in. So there's going to be a login page that is exposed out there, and that feature isn't going to protect you. So no, it is not a feature that I really recommend. It falls under these kind of warm and fuzzy type of features, I guess you could say.

But I don't think they provide the real security that we want, which is, you know, use two-factor, require two-factor, prevent people from logging in 50 times from the same IP address in a minute, use CAPTCHA, all of these different things. 100%. It's so much better just to have a CAPTCHA between the world and your login page, no matter what that URL is, having a CAPTCHA. Exactly. That's, that's really the thing.

Okay, question from Su. Timothy, which plugins do you feel comfortable setting to auto update? So I may be controversial in this, I auto update most plugins.

Solid Security has a really cool feature in the version management module which lets you delay auto updates. So for instance, let's say you have a plugin that you know releases updates that sometimes break things. You can say hey, don't auto update this immediately, but auto update two days after it was released or three days after it was released. And the idea behind that is saying okay, if there was a bug, they caught the bug, identified the bug, fixed the bug, and now auto update to it. So it can still be something that happens in the background. But I'll be honest, I auto update most plugins, I think.

You want to make that decision when you're setting up the site.
If this is a plugin that I'm not comfortable auto updating, should I be using that plugin in the first place, if this plugin author is so frequently releasing updates that just completely wreck my site?

Maybe that means it's a different plugin for the job. Now I say this as a developer who, you know, very much happily will build everything and anything from scratch. But yeah, I have, you know, Yoast SEO set to auto update. I have a lot of different blocks plugins set to auto update.

And yeah, I try and keep my plugin list down, not at 50 plus, so it helps in that regard. But I totally understand if that's not something that you're comfortable with doing, either because of the complexity of the site, and that's where, you know, virtual patching and those types of tools come into play.

So, let me dig in and push back on something on that. I think maybe I need some education on this too, or a different way to think about this. But sometimes well-known, reputable, I guess, plugin developers, certainly big ones that everybody would know, will push an update, and it'll break something unintentionally. And they'll push, you know, a dot-one version of it within the next couple of days. What danger do you have, does that worry you, just having everything set to auto update? So I would say yes, there are plugin authors that release plugin updates that just totally break everything, and those are on my list of plugins that I try not to use.

Yeah, without naming names. I guess that would be my general approach, right, is that I much rather, when I do do client work these days,

usually we're building something very specific, and we could build it with, you know, a combination of six different plugins, but kind of the value that I'm able to bring to the client is to say, hey, we architected this special. We have developed it with your specific use cases in mind.
We're not using, you know, 5% of a plugin and 5% of another plugin and 5% of another plugin, and that's where things kind of like start to break down. So I would say it's a different kind of approach for building things, where it's more okay, what are other plugins that I'm very comfortable with, and then I think they're bulletproof and, you know, set them to auto update, and I'm not particularly worried about it. And if those aren't ones, whatever the thing is that I should just build instead, and write the code specifically for that client.

And I know that their site will be more stable, because they also didn't, you know, get a new feature that they didn't ask for that completely changes the UI, things like that. So I would say it's a different approach. But it is not at all uncommon to have that feeling around auto updates, which is again why, you know, Patchstack and things like that are helpful tools.

Also, because there's the 25% of cases where there just isn't a fix available for the security release.

But yeah, that's generally my attitude: how can I reduce the plugins that I'm using that are just breaking things all the time? And for the ones that do, set an auto update delay, say like, hey, five days, and if the plugin has been stable for five days, then it's probably good enough to auto update at that point. You would hope that if they break everything, it gets fixed pretty quickly. And that delay is part of the Solid Security version management feature. And let's just say there's also a setting on that version management page that allows you to auto update if a vulnerability exists. If that's the case, then that delay doesn't come into play, right? It auto updates no matter what.

It's a fantastic feature.

Okay, question from Dan. How resource heavy is Solid Security with its constant scanning and so forth? It's pretty light.
So we don't believe that a plugin should be doing things like individual file scanning for malware. It doesn't make sense to happen in a plugin. Thomas, I think, has done a couple of different discussions about this, I think on our SolidWP Academy, where he finds malware that one of the first things they do is turn off a file scanning feature and say, hey, I'm all good, or they whitelist their plugin, things like that. So we don't believe that plugins should be doing that type of heavy scanning.

Instead, we do things like, hey, checking for vulnerable software. And that's very fast, that's very minimal. We make API requests out to our servers, and it contains the list of plugins you have installed and the versions, and it does a really quick check, so it doesn't really add any weight to your site. Things like checking for inactive users, all of these things are pretty resource light. So that is a really key thing that we keep in mind when we're building Solid Security: we don't want to slow your site to a crawl. If your site is so slow that no one can use it, it doesn't matter if it's 100% secure.

But yeah, we don't believe in putting those types of super heavy features in the plugin. They are best left for other services; we're focused on preventing an attacker from getting into your site, as opposed to okay, an attacker has gotten into my site, now I need to scan my site for malware every single day and for infected PHP files, because then you are talking about a very intensive process. And it's something that smart malware these days can just disable.

Yeah, and it seems like especially a file level malware scanner seems like that should be something that lives at the server level, right? Yeah. So Thomas's tool, for instance, that's one of the things they do is they send the files off to his servers, and then his server is able to very efficiently scan them.
It doesn't make a lot of sense to be doing that from WordPress, both for the performance reason and for the security reason. If it's happening in WordPress, then any plugin can stop it from happening. There's a lot of reasons why that doesn't make a lot of sense. For virtual patching with firewall tools, that's another thing to keep in mind. So that's why virtual patches from Patchstack, they only apply if your site has that specific vulnerability. They don't apply, you know, 20, 30, 40, 50, 100 generic firewall rules that apply with every request. We only apply specific firewall rules, and only if your site is vulnerable. If your site doesn't have a vulnerable version of Timpson, there is no reason why you should be looking for attacks against him from and blocking them. It doesn't provide you any security benefit; the attacker wasn't going to get in there anyway. What WAFs are doing is things like DDoS protection, stuff like that. But that shouldn't live in the plugin too. That's where you want to use Cloudflare in conjunction with Solid Security. Solid Security isn't going to protect you if 10 million requests hit your server within an hour, and no WordPress plugin can, but that's where tools like Cloudflare come into play. And again, the Swiss cheese analogy is such a great point, I don't want to zip right past, because this multi-layered approach is critical. And honestly, correct me if this analogy is wrong, Timothy, but you know, back in the day, there was this season of WordPress theme development where people were selling themes on a giant marketplace, and the way they found to sell themes was to cram all these features in there that really should have been in plugins, but now they're kind of rolled into this giant kitchen sink type theme. And they ended up being a bloated monster that was just really difficult to manage long term and slow.
And so a lot, maybe, in some security plugins for WordPress are kind of adopting the same approach, like we like a scanner, we do these things, but we should really separate those out to have a lighter, more efficient site. Am I right on that? I agree. I think the things that should live in WordPress should live in WordPress, the things that should live at the network level should live at the network level, the things that exist in your server should exist on your server. There are things, for instance, I don't think Cloudflare is going to offer passkeys as a login method, right? If you have a credential stuffing attack, Cloudflare probably isn't going to prevent that, because someone, the first try, they log in and they know your username and they know your password because you're in a breach; there's no opportunity for Cloudflare to protect you there. But if you're using Solid Security to prevent a user from using a password that has appeared in a breach, that's the perfect thing that should live in WordPress, right. It wouldn't make sense for Cloudflare to, you know, somehow be operating on your WordPress site and prompt up an update password page or change how your login process works. That wouldn't make sense for Cloudflare to do. So use the tools for what those tools do best, and take advantage of the fact that some of those tools can live in WordPress and can provide a context, knowing that this is a WordPress request with this user and this password and they're trying to do this specific thing. Yeah, really good. Okay, moving on to the next question here from Nate. Does Solid Security provide a way to have a two-factor code sent to a phone via text, like what Facebook does? No. So we do not, and we do not plan to. SMS two-factor is convenient. It's a way that you can kind of get people a little bit more used to it. But I would say at this point email, in my opinion, is just as convenient.
But the issue with two-factor via text messaging is that SMS is not a great protocol, and a lot of mobile phone providers don't have the best security practices around things like preventing SIM swapping attacks. So I would say SMS, in my opinion, is a legacy two-factor method.

It was helpful for getting people used to the concept, but I think at this point everyone is familiar with email based two-factor.

And my big push really would be hey, use passkeys. That gives you a two-factor experience that exists on your phone, or not a two-factor experience, well, it's kind of a two-factor experience. The point is that it has your phone and your biometrics and it accomplishes that same bit, but doesn't rely on a text message being sent and all of that happening. It just provides you with one simple login flow that is protected with Face ID or Touch ID, things like that. So no, we do not, and we do not plan to. Right answer. Okay, here's a good question from Stephanie.

So Stephanie, I'm guessing you're a legacy iThemes member. She's asking how to activate virtual patching. I have Patchstack in Solid Suite, it's on the dashboard, but the firewall is inactive. So if you go to Security, and on any of those things, you can click into the licensing page. It's under Settings and then SolidWP Licensing. And there'll be a section there that says Patchstack enabled sites. And so if you are a new customer, when you activate a license, Solid Security will automatically enable Patchstack for you. But if you are new, or you don't have enough Patchstack licenses, let's say you are a legacy customer that had a gold subscription, for instance, you then need to choose to enable Patchstack for that site. So the thing you want to do is go to Settings, SolidWP Licensing and enable Patchstack for that site. If you're still having trouble, that's an excellent reason to reach out to support.
If you go to solidwp.com there's a link to support, and they'll be able to help you out. But that is probably the bit that you're missing. Make sure your plugin is licensed.

Yeah, very good. And I'm also dropping in a link to a live stream we did back in December that covers a lot of the how-to, even positioning, if you're a legacy iThemes customer, for example, positioning an upgrade with a Patchstack firewall as a better layer of care plan. So that link is there in the chat. Yes, definitely. So if you're still having trouble with that, reach out to support and they'll give you some help right away.

Kenneth is asking what is the 40% off deal for so Canada that I'm going to go into a lot of detail about that in the first of the next hour. It is for any purchase from SolidWP other than the Solid Central monthly, and it also does not apply if you're adding licenses, Patchstack licenses, as a legacy iThemes customer, but anything else, the Solid Suite, any of the products, the 40% off is good if you are a new customer.

Let's see.

Manu has a question here. Monica says my email has been pwned so I changed my password. Is this good enough? And when does their database update so you can see if the pwned email is updated?

Oh, pwned, yep, yep, is what's going on there with that spelling. So the service that we use is Have I Been Pwned, and that relies upon a Troy. Okay, now there are two choices. They're both Australian. One of them is a WordPress person, and the other one is a security person. I think Troy Dean is the person who runs Have I Been Pwned and Troy Hunt is the person who runs the other, or the other way around. There's two Australian people both in this space; it's very confusing. Troy Hunt kind of collects data and is responsible for ingesting things into Have I Been Pwned, so it isn't really specific to your email address but more about the password. There's also a Have I Been Pwned service where you can just enter in your email.
And it'll show you, hey, here are all the places where we find your credentials in a database breach, which is awesome. But what we specifically use in Security is their password feature. So it checks whether a password specifically has been entered into that database. Yeah, very good. So Manu, if you update your password, it's not going to remove it from that Have I Been Pwned database, right? That's basically letting you know that your email address has shown up in a breach, and that's always going to be there.

Tina: how does two-factor work if your sites are on Solid Central?

I don't know what this is driving at yet. I think the question is, if I'm accessing my site through Solid Central, is there a way to turn on two-factor? Is two-factor needed in that case?

Okay, so the two-factor in cybersecurity, what?

Yeah, what she was asking, basically. So when you authenticate for the first time with Central against your WordPress site that has Solid Security installed, you actually go through a specific onboarding process that shows you, hey, you're gonna connect with Solid Central, and it will give you a big purple button to click on and you'll get connected.

Then for further API requests that Solid Central makes over to your site, it's not going through the login form, so it never runs into two-factor. And there are some specific features in Solid Central that do help you with two-factor. So for instance, you can bypass two-factor by clicking a button in Solid Central. And if you use Central's feature to automatically log you into your WordPress site, you don't need to enter your two-factor code. But yeah, there shouldn't be any conflict there. You don't need to turn it off or anything like that. It'll just work. Good.

Question from Nate. Does Solid Security provide a recommended set of settings, like via an export JSON file or something?
How do you figure out what the best recommended settings are? Yeah, so we don't specifically. The general thing is that we like our defaults, and then it is just up to you what more things you want to apply. So for instance, having two-factor is better than not having two-factor. Having more protections available, having more checkboxes checked, so to speak, is just oftentimes more secure. We try not to have any things where it's like, hey, if you missed this, this is a complete disaster. It's really up to you what kind of security features you want to have enabled. There are docs that talk through global settings and things like that. But generally the plugin will say, hey, these are the things that we recommend. The defaults are things that we recommend, and it's just up to you to say, hey, what more features do I want available? Do I want to have passkeys? Do I want to have two-factor? And we can't make that decision for you. And how does the onboarding wizard factor into this? Yeah. So when you go through onboarding, it'll ask you some things like, hey, do you want to use two-factor, and if so it'll automatically configure it for you. If you want to use strong passwords, it'll automatically configure that for you. My recommendation model is basically that you enable everything. There's nothing that we have put in the plugin that we're like, hey, this is something that we don't recommend you using.

The stuff that is more legacy is kind of hidden away, like Hide Backend. It's under the advanced section. I don't recommend it. It's there because people love it.

But yes, my recommendation is to enable trusted devices, enable two-factor, enable passwordless login, enable passkeys, enable virtual patching, and enable, enable, enable, enable, enable.

I'm going to hand pick a couple more questions and we'll wrap this up and go to a break. Great question.
From Joan.

Does Solid Security Pro come with Patchstack by default? Yes. So if you are a new customer and you go on over to SolidWP and you make a purchase, you are going to have Patchstack. What you're going to want to do is, after you install the plugin, you want to license it, and that licensing process will automatically set up Patchstack for you. So yeah, all new plans come with Patchstack. And if you are an iThemes customer you can add Patchstack, but yes, all new plans come with Patchstack automatically. You don't need to do anything else besides just license the plugin. Awesome. And last but not least, Tina: does your page speed suffer with all the blocked IPs that have accumulated over the years? Um, so not really. We do specific queries to get a list of banned IPs.

There's also a setting for .htaccess where IPs that are banned get put into the .htaccess file, and if you go into the settings, there's a limit, defaulting to 100, on how many of those IPs actually get added into your .htaccess file. So if you had, you know, 10 million, it could be an issue.

But even on my site, which is many years old at this point and gets quite a lot of traffic, I don't have anywhere near that many banned IPs. So I haven't seen banned IPs specifically become a page speed issue. I just haven't seen someone get that high, where we're making such a large query that it would be pretty ineffectual. And it's pretty quick to compare IP addresses and just do a search saying this IP address is here or it's not there. If you do have millions, I'd be curious to know more about your site, and then maybe it would make sense to remove some. But yeah, I have not seen that to be the case in any other sites I've come across. Very good. Alright, excellent session. Timothy, thanks so much for your wisdom, as usual. You always have excellent answers. Folks, thank you for hanging with us this last hour. We're going to take about a six minute break here.
We're going to come back and I'll be talking about how to talk to your clients about security, taking plenty of time for questions, if you have specific things you'd like to talk about in regard to how in the world do we make our clients understand these things. So that's what's coming up in our next hour. We're going to pause the recording and go dark for the next six minutes, and we're back at 2:05 Central time. We'll see you back then.

All right, we're back for the final hour of Disaster Week 2024. Hopefully this has been a great time for all of you who've been part of the whole thing. We will again have the replays up in about an hour, as soon as we wrap up here, and I'm dropping once again in the chat the session slides for today. You can download Timothy's slide deck as well as mine, which is now available there. Alright, so across the break we had several questions about upgrades, and I just want to address those briefly before we get into our actual content here. So first of all, we do have this deal that's going on: disaster week is the coupon code for 40% off of SolidWP products. Now this is for new purchases only, so you can't extend or add a new subscription to an existing account. It's also not available if you want to purchase Solid Central monthly plans, or if you're a legacy iThemes customer and you want to add on Patchstack licenses; it does not apply to individual Patchstack licenses. So those are the caveats on that deal, but it's a great deal if you've not yet become part of the SolidWP family. 40% off is an excellent deal to take advantage of. Now, several questions came in about updates.

Patchstack is included if you buy the Solid Suite or if you purchase Solid Security Pro individually. Patchstack is bundled. If you're a legacy iThemes customer, Patchstack is an add-on for the legacy iThemes Security product that is now Solid Security.
So there is a livestream we did that walks through how do I add Patchstack licenses if I'm a legacy iThemes customer, and that link I have dropped in the chat, and I will just invite you to walk through that; it takes you through the whole process. Matthew: why is it an add-on? Because there's a... well, I mean, to be frank, it costs SolidWP money for every site that licenses Patchstack. And so the cost involved in that was not factored in to the price that a lot of folks paid for iThemes Security. It's an extra feature that was added with the Solid move, when Solid rebranded from iThemes. And so there wasn't a way to include that in older legacy plans. I don't think it's mean; I think it's just an additional feature that could not be included, you know, if you want SolidWP to be around for a while. So I think it's a pretty reasonable upgrade, particularly since the pricing per site is very reasonable and can be easily passed on to a client. That's actually what that livestream was about, the link that I gave you in the chat. All right, so let's talk just a little bit now about how do we talk to clients. And actually, before I go there, let me just mention one more thing. I know there's a lot of you who are maybe new to Solid Academy, and we're grateful that you're here, and hopefully this livestream has been helpful to you over the last couple of days. Here on Solid Academy we actually do two or three livestreams every week on all sorts of WordPress topics. You can access all the upcoming training here at academy.solidwp.com.

You can search for upcoming livestreams and see everything that's available. Also there's a handy calendar view here that shows you all the things that are happening and allows you to register right here.
So Tuesday, Wednesday and Thursday of most weeks we have a livestream about WordPress things, and we invite you to come be part of it. You can become a member of Solid Academy by purchasing the Solid Suite. That's the only way you can become a Solid Academy member now, and if you are a member, not only do you get access to all the free training and replays, you also get access to a weekly office hours with me where we answer all sorts of WordPress questions, whether it's technical questions or business related questions. We always have a lot of fun there. It's a good community of folks that gathers every Thursday. We also do one premium course every month, and I've just lost my window. But our premium course for this month is a WordPress accessibility crash course with Amber Hinds from Equalize Digital. Next month's premium course is the Cloudflare course, which I'll be teaching. So we always have a two day, four hour course every month. That's very helpful.

I'm hearing reports in the chat that the coupon isn't valid. I'll look into that after we wrap up with our marketing team. Or David, if you're still on the stream, maybe you could ping somebody, see if anybody from the iThemes team is on. Sara: disaster week 40. Okay, it's possible I typoed that.

So the coupon code, Sarah is from the iThemes team, SolidWP team. The coupon code is disaster week 40. So I apologize about that. That was likely my fault.

All right. So for those of you, again, new to Solid Academy, just a little bit about me: I've been working with clients on the web since 1995. I started with WordPress in 2008, all WordPress since 2010. For the last 10 years I've been a growth coach for micro agency owners, people who are doing WordPress things for clients. I've had hundreds and hundreds of coaching conversations over those years.
And a lot of those things are around this topic that we're talking about in this last hour, which is building recurring revenue, talking to clients about security to grow our businesses. I'm also the creator of Monster Contracts, which is a proven contract for WordPress client work. So let's start out with the foundational idea here, which is: recurring revenue is critical to our business. It is the foundation of a successful agency. It's virtually impossible for us to survive in the long term without some sort of recurring revenue. And if you're doing WordPress things, the natural place to start is with a WordPress care plan. It's a WordPress care plan and all the products that are associated with that that actually brought me to iThemes many years ago as a customer, long before I started doing any sort of livestreaming on our educational side here. So a WordPress care plan is absolutely the place to start to build recurring revenue. All the products that SolidWP offers are built around helping us do care plans better. So you've built a client relationship; to maximize that relationship for the long term, we want to build in recurring revenue with some sort of care plan. Now the challenge with a care plan is explaining to clients why they even need one, right? So we understand it, but getting a client, particularly a non-technical client, to understand the value of a WordPress care plan can be a challenge sometimes. So what I'm gonna do in the next several minutes is just basically give you how I explain things to clients, and some of the common mistakes that I see happen, and hopefully give you some language that maybe you can use as you're trying to explain care plans to clients. So a couple of things I want to start off with are two very common mistakes that I see people in our position make when we are explaining care plans to clients.
The first is presenting care plans as an option.

So I would encourage you to consider care plans not an option, but a necessity. So a care plan is not like an extended warranty that car dealers try to sell you just in case something goes wrong. Instead, a better analogy is that a care plan is like regularly scheduled maintenance that helps to keep your vehicle healthy for the long term. Matter of fact, in my agency we don't take any website build projects that don't include a care plan. It's just part of our pricing. And I'll even tell clients, if they have a budget challenge, it's really better to spend less on building the website in a phase one, so you can afford a care plan within your budget. Care plans are that important. So the second mistake that I see people in our position make as we're explaining care plans to clients is waiting until launch to add a care plan. Surprising a client with a care plan at the very end, oh by the way, you really need to purchase this additional monthly thing that's going to keep the site that you've just paid for healthy, that's a bad idea. It rarely works. And it can often cause the client to become very agitated: you didn't explain to me that a care plan was needed in all these conversations we've had. So what I've learned over the years is that the key to selling a WordPress care plan is education. And that education has to start in the first conversation. So we need to include care plan pricing in our proposal. That's my advice, as part of the total cost of the project. Now something I moved to two years ago: in my proposal for years I used to have the care plan as a little checkbox, and you'd check the box if you wanted the care plan. Now it's just bundled in. There's a cost to build, there's a cost to manage, and one "sign here" box that agrees to all of those things.
So if you're struggling to get clients to buy your care plan, maybe it's because you're waiting a little too long or not talking about it early enough in the process. I recommend that you start talking about the management of the website in the very first conversation you have with the client. When you're starting to talk about pricing in general, position the care plan as, you know, the cost to build and a cost to manage. We're going to be here for the lifetime of the project to help you as things come up, and it's just all part of the conversation from the very beginning. I think you'll be much more successful at selling care plans if you position it that way and don't offer it as an option in your proposal. Make that part of the price.

So how do we educate clients? Education is key in selling care plans. Many clients don't understand why they need to have a care plan to begin with. And so one of the first things that I would recommend is that as you're talking tech with clients about anything, focus on benefits, not features. Save the technical talk for people that love the technical stuff. Most clients that you're going to work with are busy professionals or business people; they're not as interested in technical things as we are. Generally speaking, I don't talk about gigabytes. As much as we love Patchstack, I don't talk about Patchstack with clients. As much as I love Solid Security Pro, that never comes up in a client conversation. As technical people we love those details about our care plans. We love to talk with each other about those things. But in most cases, features don't sell. The small little things like Patchstack and Solid Security, those are things that are internal for us. Clients generally aren't as concerned about those things. What they're concerned about are the benefits. With this care plan, what does that mean for me?
I'm busy doing my business and doing my thing. I don't care about all these little technical details. How does your care plan benefit me? And the primary benefit of a care plan is simply peace of mind for the client. I cannot tell you how important this is. It's very easy for us who love technology to get into a conversation with a client and tech them to death. It's just not a good idea. It's much better just to explain to the client the benefit: the reason we do this is so you can go about your business and not have to worry about the health and management of your website. That is absolutely the reason, and the way to most effectively sell a care plan. And part of this is just learning to determine what is the most important thing to a client. So we're going to see this pop up several times during the next few minutes in my talk, but you may have a client who, for whatever reason, is all about backups. Now backups are important, we know that, and I will mention that as part of our care plan explanation, but goodness, they don't need to know where we store backups and how often we run them or keep an archive. Most clients don't care about that level of detail. They just want to make sure the site is backed up. But I've had conversations with clients who've been burned by backups, and a lot of times they have very granular questions. So when those things happen, absolutely engage with the client on those sorts of technical details, but in general, stick with peace of mind, and that's really what the client is after.

The next thing to consider, just another guiding principle in educating clients, is to position security as a partnership. So keeping a website secure, as you've heard throughout all of Disaster Week, there's a lot we can do on the website to keep a website secure, but the weakest link in the chain is typically the user, right? So security is a partnership between us and our client.
We can secure their website, but the client has to do their part too, and by the way, your contract needs to reflect this and explain what the client's responsibilities in web security are. And those can be conversations as well, as you're onboarding the client into your management service, about the kinds of things they ought to be paying attention to, the things that we've talked about throughout the course of Disaster Week. I'm going to give you a few ways to talk about those things later on in the talk today.

Another guiding principle is this question that clients always seem to have: yeah, but why would a hacker even go after my site to begin with? This is something that most clients don't understand. Like, I'm just a small business, or we're just a little nonprofit, why would they even care about me? And my encouragement to you would be: find a hacker analogy that connects with this particular client. See, it's not personal. Hackers don't care if you're a small nonprofit, if you're a mom and pop shop someplace, whatever. They don't care about you personally. Usually they just want to use your website for gain. And there's some reasons for this. So try to find an analogy that connects with your kinds of clients. The story I always tell when I'm talking about, or if a client has a question about, why would hackers hack me, is a story that happened several years ago in our neighborhood. Now we live in a very safe neighborhood. But several years ago we had a string of car break-ins, and it turned out people's cars weren't being damaged, but things were being stolen out of them.
And it turns out that there were a bunch of teenagers walking around the neighborhood late at night, walking from driveway to driveway trying the door handles of cars that were parked, and if a car was left unlocked, they'd go through the car and steal contents out of the glove compartment or purses or anything that was left in there. And that's very, very similar to what hackers do. They're just checking the doors and windows of your website to see if anything is going to let them in, to give them easy access. But a hacker doesn't just try one door at a time. They've got software that scans the web looking for thousands and millions of open doors and windows. It'd be like the hacker pressing one button and checking all the doors and windows of all the houses and all the cars in my whole neighborhood, and that's what they do. Again, it's not personal. They want to use your website for their gain. Now, what do they possibly have to gain from my little website as a little nonprofit or a little mom and pop shop? Well, they want your server resources. All the spam messages that you and I get, those are generated a lot of times by compromised servers. Oftentimes a hacker will go in and add some code to use the server resources to help generate cryptocurrency. It's not about you. It's about what they can use your server resources for. Sometimes they'll do content injection, where they'll inject ads for products that you probably don't want on your website, or they might redirect your website to other websites. And they do that very cleverly. So again, it's not personal; they're just trying to use your website for their own gain. They'll also inject malware that can be used to further infect the visitors to your website. So all these are reasons they don't care who you are. They just find an easy target that they can leverage to use for their own purposes.
So find an easy analogy that connects with your customers. For me, the car break-in one always works well. And then explain that it's not personal. They're not after you. They're after your server resources.

So how do we then go about presenting a care plan to a client? I always use this. This lingo actually came up accidentally one day as I was meeting with a client in a coffee shop face to face, back when we used to meet face to face with our clients. Goodness, it's been a while since I've done that. But I actually took a napkin and I drew out this box with a big WordPress W in the middle, and I called it the four walls of protection. And here's what's included. I still use this explanation today. It's an acronym: HUBS, H-U-B-S. These are the four primary things that our care plan does. We provide hosting, we provide software updates, we provide backups and we provide security. And those are the four walls of protection that keep our WordPress sites safe. And this is what we offer as part of our care plan. Now as you're presenting this concept to your client, there's a few things to keep in mind. I'm gonna go into each one of these and kind of how I talk about them. The first, as throughout this whole process: pay attention to your client. If you're like me, it's really easy to geek out and go down a tech rabbit hole the client doesn't care anything about, so I'm really careful, as I'm talking about anything technical with the client, to watch for eyes glazing over. You know, you're talking and you're really excited about what you're talking about, and you realize the client has checked out. They don't care about any of this. So you have to pay attention to your client and just ask yourself, what are the parts of this conversation the client is really interested in, and you want to give just enough detail to satisfy their interest without going into depth on technical details. Right?
Remember, the big picture of all of this is you're selling peace of mind. And if you think I'm oversimplifying that, I promise you I'm not. I've been selling WordPress care plans since about 2010. So, you know, 14 years I've been selling this and doing a pretty good job of it.

It's about peace of mind, folks. This is ultimately what clients buy. That's why they want a care plan. They just want to know that you are going to be there to take care of the website if something goes wrong. Some clients may have particular technical concerns to ask about. Awesome, let's get into it. But in general, they just want to know that you are someone they can trust. Buying a care plan is a trust-based decision that the client makes. So again, throughout this, try to create analogies that the client can understand.

You know, technical things can be a little hard for some folks to grasp. Nothing wrong with that, but just try to make them practical with some analogies. I'm going to give you a few throughout this.

So when we get into the first wall of protection, which is hosting: for us, in my agency, hosting is included as part of our care plans. We do not manage sites that we don't host, so if you want to bring your own hosting, that's not an option for us. Now you as an agency owner can make that decision. I strongly encourage my coaching clients especially: don't do this, don't have websites on lots of different platforms with hosting that's all different, where some have different requirements and the control panels are different. It's a killer for efficiency in your process. It's much better to have all the sites you host on a server that you control. Now, that's the benefit from my side. From my client's side,
the benefit is what I tell clients, literally, as we build your site and manage it: I want to be able to look you in the eye as a business owner and say, we're going to take full responsibility for managing your website, so that you only have one person to call if there's ever a problem about anything. What we don't want to do is get into a blame game between your hosting company and what we're doing, where they might blame us, we'll blame them, and you get caught in the middle. We want you to be certain that no matter what, you have one person to call, one business to call, one neck to strangle if there's a problem, and we're going to take full responsibility. We can do that because we control the whole situation from end to end, from hosting to site. We deal with all of it. We have a private server that's optimized for WordPress and our process, which allows us to build the site efficiently for you and to manage it successfully for the long term. Now that's the way I position hosting, and in general I don't have to do anything more than that. Our clients in general, and honestly most clients, good clients especially, are not going to push back too much on you on hosting if you have your solution, because again, they just want someone they can trust who's gonna be there for the long term. And if you bring hosting to the conversation and you have a solution for that, it's much better for the client because they don't have to worry about it anymore.

Now occasionally a client might bring up, well, what about, you know, I can get hosting on fill-in-the-blank name of the host for $5 a month or $8 a month? I don't get that much anymore, but I used to a long time ago. And the way I would explain that situation is: look, sure, there are $5 hosts out there. You can also go on Facebook Marketplace and buy a car for $500. I wouldn't recommend either if you're serious about your business.
You know, you can buy a car for $500 on Facebook Marketplace. I wouldn't put my family in it. Just like you can go and get hosting for $5 a month; I would not put my business website on it. So there are huge differences between the level of hosting that we offer on our server and what you're going to get on cheap shared hosting. Shared hosting is like an apartment building. Here's an analogy. It's an apartment building where you can't control who your neighbors are. So, you know, the people next door to you on that server, there are thousands of sites on a shared hosting platform, all sharing the same IP address. So you are at risk of misbehavior by your neighbors, over which you have no control. Or you might find that your speed goes down because of what other sites on the server are doing. Your system resources are unpredictable because of what other sites on the server are doing. You may find that one of the sites on that server gets compromised and they're hacked, and that server is sending out millions of spam messages every day. Well, guess what happens? That server IP gets blacklisted on some spam list, and now you have problems with your deliverability because you're wrapped up on the same IP address. Hacks on other sites affect you. So it's much better, if you have a premium website and you're paying for a professional to build your website, to get professional hosting to go along with it. Don't put yourself in a situation where you're in an apartment building with neighbors who you can't control, and that's going to affect your business.

As we turn the page to software updates as a feature of our care plan, we're talking about WordPress core, theme and plugin updates. Now I call these software updates when I'm talking to the client, so as to avoid any confusion with content updates. I found this is really important to do; that phrase, software updates, makes sense.
It's something a lot of folks can relate to, because we do software updates on our computers. And I found actually, when I start talking about updates, the client's thinking, you know, we're adding text, adding things to their website, which we do, but that's just another conversation. So I always talk about updates using the phrase software updates. And I explain to the client, we have a scheduled process that we do every week. It's reliable for doing software updates across all the sites we manage, so your site is going to stay secure and healthy. Now when it comes to software updates, sometimes non-technical clients don't understand why this is important. Why would you have to do that anyway? Can't you just build a website and there it is, and it's good? Unfortunately, no, that's not the way websites work anymore. A good analogy is the software updates on your computer. Can you just buy a computer and you're good? Well, you could. But the software on your computer has to be regularly updated because of vulnerabilities that are found. If you're not updating your web browser to the latest version, or at least have those auto updates turned on, super important, you're gonna find yourself with a security vulnerability on your website. So people, even non-technical clients, tend to understand the software update analogy. And I'll often ask, okay, so be honest, how often do you ignore the software updates on your computer? Delay, remind me tomorrow, or do it next week, you know, just get rid of the thing because I'm trying to do something right now. You can't ignore it when it comes to web updates. If you ignore those software patches on your website, your site could be compromised. So, you know, what would happen if your computer gets infected? You might get malware, you might get some other things. But if your website gets infected, your business is at risk. It's a big, big deal. Now there's also the approach for semi-technical clients.
Maybe some of your clients have done WordPress before. And they're familiar even with going in and hitting update and watching all the things update. And they think it's just as simple as clicking a button. And that is sometimes true. Sometimes running WordPress updates are as simple as clicking a button. But what happens when something goes wrong? And how do you know if that's that might happen? So if I have a client that pushes back, I run my own WordPress updates. The question I would ask is, How sure are you that you're going to do this regularly? Because it needs to happen at least weekly, just like Timothy said in the last hour. How sure are you that you will do this every single week without fail?\r\n\r\nWhen you've got a business to run, oh, well, my secretary will do it. Oh, adding that job on to someone who already has a bunch of things to do you know how sure are you? This is going to happen regularly. Most clients that I've talked to are not sure so they begin to think about this. Also, do you investigate major plugin updates before you run an update? Good grief before we update WooCommerce on any sites or any big plugins like that we're looking at the developer blog making sure that there's nothing here that might impact what's going on on that site already. You need to investigate major plugin updates before you run them. That's my opinion.\r\n\r\nSo a lot of times it is as simple as just clicking a button if you know what you're doing and what's being updated and if it's on a regular basis. And so what I tell clients like this is listen, for a small monthly fee. We're going to take care of all this for you hosting updates, backups, security, you don't have to worry about it at all. And you can just do your business. You don't have to think about the website you can offload that whole piece of your business for a really small monthly cost. That is a strong sales pitch to a good client.\r\n\r\nAll right, the next part of hubs is the backups. 
So in general, very few people these days that I've come across don't understand the importance of backups. We get that backing up things is good; we want to have a backup of our website. So there are two key reasons that I tell our clients that we have redundant backups. The first is human error. If you are Mr. and Mrs. Client, if you're logging in, you're making updates and you break something, you don't have to worry. We have a backup from at least 24 hours ago that we can roll back and fix anything that was broken. We also have redundant backups in the case of disaster recovery. So if your site might get hacked, and they get through all of our layers of defenses, we can roll back a backup and patch the things that need to be patched. Or, you know, let's say something happens and there's a broken update and we can roll back and keep the site; it gets the site back up very, very quickly. So we do these redundant backups to keep the site secure just in case anything might happen. Now, hopefully you do have a backup strategy and you have a consistent backup strategy that you use for all the sites that you're managing in your care plans. And if the client's interested, this is a good time to explain what that backup strategy is. And so we have a multi-tiered backup strategy where a hosting-level backup is our first line of defense. And we run a daily full site backup that's stored off site with a six month archive. That gives some clients peace of mind and they want to know about that. But again, you have to kind of figure what is important to the client, how many details do they need? And give them what they need to be satisfied.

All right, let's talk about security. We've been talking about security, but now security as a service. I explain that we have a multi-level strategy to keep your website secure. So security is critical when it comes to your website.

And that used to be a hard sell. These days, with all the website hacks and compromises that are in the news regularly, in mainstream news, people are more and more understanding and this is much less of an explanation that's required, I'm noticing these days with my clients, than it used to be in years past. But we have this multi-layered strategy that we use to keep our sites secure. We provide a free industry standard SSL certificate as long as we manage your site. You might think that is a no-brainer, but it is amazing to me how many clients that we have that come to us that are still paying annually for a security certificate. It blows me away. SSL, the industry standard SSL, has been free for years. And we provide that, of course, so sometimes we can save our clients money. So here's what I mean by layers of security, if a client wants to know more about this. Again, for many clients, we have a full strategy to keep your site secure, so you don't have to worry about it. And a lot of times that's all they need to know. If they want to know more, here's what I'll explain. We start with architecture. So I'm going to start at the core of the security and work my way out to all the layers. So the first is architecture. We're only going to use reliable themes and plugins to build your website. So many, many of the vulnerabilities that are associated with WordPress, and a lot of people say, well, WordPress isn't secure. And like Timothy said in the last hour, WordPress is very secure in the core. It's these plugins or themes that are added that are from maybe questionable sources, or developers that may not be as on top of things as others are. That's where a lot of the vulnerabilities come from. So we only choose the best themes and plugins to build your site. Then we go through, at launch, we have a 40-point lockdown, or fill-in-the-blank-number lockdown, process that we use to launch your website.

Well, Nathan, what is your 40-point lockdown process? Okay, go through and count the number of settings that you make in Solid Security.

And if there's 40 of them, that's your 40-point lockdown process as you're launching the website, and any other changes that you make. It's a really good line to use with clients and it's 100% true. I don't feel like this is shady at all. There's 43 points that we go through to lock down your website using the security plugin.

So the client knows this is a detailed process. There's a lot of things that are being considered in this situation. Also, now that the site's locked down, now we move out to the next layer of user security. So built into the security that we have for your website, we offer two-factor authentication, passkeys, compromised password protection, all the things that Timothy talked about in the last hour. We've got the way it's built, the way it's locked down, user security. Now on our server itself, our server, which is ours, the private server, it has security protocols and intrusion detection in place. What is intrusion detection? We watch your website. Our friend Tom, right there, watching the website and seeing what's going on with anything, you know, that's malicious or malicious intent. So our intrusion detection system is in place, and even above our server there's another layer of network protection, which we use Cloudflare. We have network-level filtering that blocks many of the bad guys before they can even get to the server in the first place. So starting with the core and working all the way out, we've got these layers of security, with that wonderful analogy that Thomas raised yesterday of like stacks of Swiss cheese, and it's going to be very difficult for any one hole to make it all the way to the bottom to let an attacker into our network. I just love that analogy.

All right. So this is what we do. These are our things and what we do to keep your website safe.
Now there's also some responsibilities that you as a client are going to have in keeping your website safe, because like I mentioned, security is a partnership. We will keep the website secure, but you have the responsibility of keeping your computers and logins secure, any computer that logs into the website. So a great analogy here is that we can put the best security system in the world in your office building, but if you leave the front door unlocked, it's not going to help very much. So just like in Timothy's presentation in the last hour, there's still a large percentage of attacks that are coming right in through the front door because of user security. And so, yeah, that's the part that the client really needs to take a look at. So security is a partnership: we do our part, you do your part, everything stays secure. So by the way, again, very, very important that your contract should explain the client's responsibilities in security. So they sign that as part of their agreement with working with you, and then maybe you have some training or a little video or, you know, a little guide that you give to them on launch that explains those things. So what does the client's responsibilities entail? What does it include? Well, the first, as we've talked about a lot through Disaster Week, good password practices are critical. So what I tell my clients is you're going to log into the website as an editor who has the ability to edit pages. You must use a strong password as shown by the WordPress password indicator for any account that edits the website. This password can only be used on the website and nowhere else, and we recommend using a password manager, and we'll give them your recommendation. We as an agency use the Keeper password manager. We love it. I think it's awesome. That's the one we settled on after the LastPass fiasco a year and a half ago.

We love Keeper. We're an affiliate for Keeper, and if a client buys, you know, we have an affiliate link we give the client, and then we can share passwords easier and so forth. So I see there's a lot of great questions in the chat. If you'll put those in the Zoom Q&A, we'll get to those at the end.

So good password practices: use a password manager, complex, unique password that's only used on that website. Also use multifactor login and trusted devices. So explaining two-factor authentication and passkeys. Passkeys have gotten a lot easier to use now than they used to be. Trusted devices, we've talked about that at length in Disaster Week; we've shared with you the links in the chat where Timothy walked through that whole flow of setting up a trusted device and what it looks like if a non-trusted device has intercepted your session cookie.

That was a really excellent webinar. So go back and rewatch that if you haven't already. And again, Solid Security Pro makes all of this easy, so the client has to practice good password hygiene. They also need to keep their individual computers protected. So as part of our agreement in our contract, any computer that logs into the website must be protected by maintaining updated security software. So you have to have malware protection that's updated on a regular basis, and only using the latest browser versions. Make sure your browser has auto-update turned on. Most browsers do these days, but also your operating system, other apps on your computer, all have to be up to date because all those can be used to inject malware, which can steal your passwords or session cookie. So practice good hygiene. Keep your computer safe.

Those are the two primary areas of client responsibility in website security.

All right, one last thing I want to cover today because it's always a question and I just think this is a helpful thing.

How do I price my care plan? So if I use all the products that SolidWP offers, and by the way, I hope you caught on to this, all the areas of the HUBS strategy, the four walls of protection, other than hosting, the products from Solid give you all that you need to offer a great care plan. So doing updates using Solid Central, putting all your websites in a dashboard so you can see an overview of what sites need updates and execute your updates there; backups using Solid Backups; security using Solid Security. All of our products are created to help you have a good, reliable WordPress management system. So what can you do now to charge, what should you be charging your plans for your clients? So the one kind of rule of thumb that I give here is that the price that you can charge for your care plan is often based on the price that you're charging for the site. So here's some general guidelines. And by the way, what I mean by that is, if you're building really inexpensive websites, it's going to be very unlikely you can sell a very expensive care plan, because your customers aren't at that level. So your care plan price often depends on website build price. So this is just a basic guideline. Okay, if your typical website price is under $2,000, then you could probably have a typical care plan starting about $50 a month, roughly.

If your website price is $2,000 to $3,500, you might be able to charge around $75 a month. If you're $3,500 to $5,000, maybe $100 a month. Above $5,000, maybe $150. But again, these are just guidelines and thoughts. We did a poll on this in a recent premium webinar with our members. This was about where everybody landed on what they were charging: between $100 and $150 a month for most sites that fell within this price range.
And so again, this is not a rule that says you have to do it this way. But if you're wondering, am I charging too little? Am I not charging enough? This will give you at least some guidelines as to what other folks are charging. So hopefully that's helpful. Now we have plenty of time for questions. We've covered a lot. I've been talking a lot. Plenty of time for questions here, and I see that there's a bunch stacked up in the Q&A. If you've asked a question in the chat, if you would, please just drop that in the Q&A. It'll be a lot easier for me to just scroll down and take those one by one. In the meantime, I will reflect back to the discount code. This should actually be Disaster Week 40, 40 out of 40 there, and that gives you 40% off of all SolidWP products if you're a new customer. It is not available for renewals or to extend an existing subscription. It also doesn't work on Solid Central monthly plans. It does, however, work on the Solid Suite, which includes Solid Central. It does not work on Patchstack add-ons. If you're a legacy iThemes customer, those are done site by site. All right, so Disaster Week 40 gets you 40% off of all of our things. Okay, with that, let me turn my attention to questions. And if you folks will also open up the Q&A and upvote the questions that you would like to see answered, we'll spend the next 10-15 minutes talking through some of these.

All right, first question from Dave. Does the care plan pricing that I suggested include hosting? So yes, I include hosting in the care plan and in that pricing. And so what I typically recommend for folks is, depending on, you know, how technical you are, how comfortable are you with dealing with server-related things. If you're not technical, then go towards a managed WordPress hosting situation like Nexcess. You can buy a bundle of sites and put your clients into those.

If you are more technical and you're okay with, you know, a few server technical things, then get a VPS from a good, reliable web host that has excellent support, like Liquid Web, and you can stack your clients on a VPS. There's usually more profit margin on a VPS than there is in managed hosting. But I roll all that into one price and the client pays one price. Yeah, so hopefully that answers your question there.

All right, next up is Sue, an upgrade question. I bought a single SolidWP license in addition to my toolkit while I decide if I want to keep the toolkit or buy another Solid license on sale. Does it add to my account? No. So you would be an existing customer in that scenario?

Yeah.

So it does not work to extend or add to existing customer licenses. That is tied to your email address.

Ah, question from an anonymous attendee: instead of me educating about the care plan, can you just create a video that talks to all your clients that are onboarding? Absolutely, absolutely. So, you know, well, okay, let me back up.

First of all, talking about a care plan should be part of the sales process. Okay. So as I'm talking to the client in that first conversation, which I call a discovery call in my world, where we're talking about all the things that the website needs to do, the functionality, you know, all the factors of this project, I also have a section of that conversation in which I talk about the ongoing management of the project. There's a question in my discovery form that asks the client,

do you need, I forget exactly how it's worded, it's basically, how will the site be maintained going forward?

It's more elegantly worded than that, but that's basically it, and it's a jump-off point to have this conversation about a care plan. So that education and talking about the need for a care plan, I think, best happens in a sales conversation, just the basics, right?

And what you don't want to do is at the very end of a project, or just drop it into a proposal and you've never talked about it before. You want to let the client know that the way you approach website building and management is as a holistic process. There's a cost to build the site. There's a cost to manage the site. It starts around this amount for website management, and we include that in our proposals. That's what I would talk about in the context of a sales conversation. A lot of times what you'll find, though, is that it will help you sell a website when you talk about your lifetime approach to the website. Like you're not just gonna build it and disappear. That's what many web developers do. I'm constantly surprised by this. They just want to build sites; they don't want to manage them. The long-term money in website work is the management. It's recurring revenue. That's what lets you stay in business for a long time. Anyway, I'm getting off down a tangent, but the education piece starts at the beginning to introduce them to the idea of a care plan, why it's important. I think it makes a lot of sense to have a video right at site launch when you're onboarding them out of the development process and onboarding them into management. This is what our care plan covers; these, again, are your responsibilities. Having a video or a little handout, a downloadable, with that, super helpful. Yeah.

All right. Next up is AJ. AJ: what hosting do you use in your agency? Is it an in-house solution or do you contract hosting companies? Great question, AJ. My goodness, I do not want to have a web server in my basement. Absolutely not.

There was a day in my life where I probably thought that would have been cool, but good grief. All of the intricacies that are involved in website hosting, there's just too much. It's too much to know and be doing web and know all about web and WordPress.

It's just too much to know.
So my suggestion is always have a hosting partner. You have your sites with this host, whether that's a single managed WordPress solution like Nexcess, or a host that's more traditional that has dedicated servers, VPS, like Liquid Web. We had a dedicated server at Liquid Web for years and we did that because the support was awesome. So if there's ever a problem, you reach out, support takes care of it. And otherwise it just works really well. So you have to decide which situation is best. Nexcess is a Liquid Web company. SolidWP is a Liquid Web company. So I'm mentioning those. There are many good hosting options out there. But I would advise you to look at Liquid Web and Nexcess to start.

Alright, next from anonymous attendee: how much time is involved in the care plan small monthly fee, what is it? Okay, great question. So, anonymous, let me ask you, if you could, to clarify in the chat. What do you mean by how much time? Do you mean how much time does it take to manage a bunch of websites? Or how much are we billing? Are we billing the clients for time? If you can clarify that in the chat, I'll try to answer it.

So, I'm going to step up and put my coach's hat on here, okay. As a business coach for micro agencies, what I advise people to do, and it's what I've done for years in my agency, is you don't want to bill by the hour. Billing by the hour is no fun. You end up losing track of time; it takes forever to do. I as an agency owner want to be in QuickBooks as little as possible, right. And so a change that I made years ago, instead of having to just kind of track time on all these things and build little bitty invoices that I never seem to do, what I did was, when we raised our prices on care plans, I bundled in two fast tasks built in with every plan and every month. So every client that is on a care plan has included in the care plan up to two fast tasks every month. They don't roll over; every month has up to two of them.

And a fast task is something that we define as something that we can read a ticket, do the thing, and reply to the ticket in about 15 minutes. So these are things like, hey, I'm attaching a blog post in Word, would you post this on my site? Hey, can you add this new staff member? Hey, can you update this wording or add a sale price to this product on my WooCommerce site? It's small tasks. If a client needs more than that, then we'll increase their service level agreement to have more fast tasks. If a client asks for something that is a, you know, like build me a landing page, that wouldn't probably be a fast task. And so we would give them a flat price for that amount. So that would be more of a project instead of billing by the hour.

Matthew's asking about what a half a fast task, not-so-fast task, or the past-tense fast task. So just try it. My advice as a coach is to make the billing part of your business as simple as possible. I cannot tell you, so over the years, in the last 10 years I've been coaching micro agency owners, hundreds and hundreds, maybe, I found out, you know, probably getting close to 2,000 conversations I've had over that time, maybe more. I haven't done the math. But in those conversations, when I talk to coaching clients about the frustrations they have in their business, it almost always comes back to billing and finances and keeping all that stuff, and they've created for themselves a billing environment that is hard to manage. So simplify that billing, the whole process of billing and the way you're tracking work, and life gets a lot simpler, I promise. Okay, next up is Jeffrey. Does your recommended price include hosting? Yes, so we answered that question a bit ago. Matthew, can you share the link where I can buy the Patchstack add-ons for legacy customers? I've been looking but I can't find it. Okay, so Matthew, I don't. Since I'm broadcasting right now, I can't go back and look for that.

It is like the link that I shared earlier that talks about?

Well, it's in the chat. I shared it earlier, and I marked it as this talks about Patchstack upgrades. We went through that whole process. It's in the Solid licensing portion, I believe, and you just click and it takes you to the Solid cart and you can add licenses one at a time. Like you can buy three or one or 52 if you want, and then you'll have that bulk, that bundle of licenses, which you can then apply to an individual site.

So I go through that whole thing in that livestream. If you'll just go, you can kind of scoot through the livestream and you'll find it.

Thank you, Doug. It's under Security and Firewall. And again, if you have questions, just reach out to support and they'll walk you through all that.

Anonymous attendee is asking, how are hours and billable hours related to starting prices? So I answered that a little bit a minute ago, and whoever you are, anonymous, if there's more texture to that question, then just drop it in the chat and I'll try to elaborate more.

All right, Jeffrey: what about training? Do you offer any sort of training in your package or is that extra? That's a great question. So, Jeffrey, we have a set of training videos that we have in every site that covers basic WordPress things. If the client needs additional training, that is billable. Now, a lot of times we'll cover this in the build project. So one of the questions we'll ask in defining the scope of work is, are you going to be getting in and editing the site, or is this something we're going to do? Do you need training on how to use WordPress? If they need that training, that's an itemized addition to the scope of work that's going to affect the cost of the project. There's a cost for training, right? Hourly cost. We'll usually record that training, make it available as a video link in the dashboard.
Sometimes what will happen is they'll have a new staff member come on board and they didn't go to the training and they don't know how everything works. Well, they can either watch the video that we provided or they can schedule training, but that is going to be an additional cost that they have to pay extra for. So we don't include training in a care plan package. But it's something they can purchase extra if they want to do that; it's billable.

Doug: all of my clients were onboarded with a care plan some many years ago, all before Patchstack was available as an add-on. How would you approach existing clients who are on your care plan about paying more money? Great question, Doug. We should have a livestream about that. Oh, wait, we did. That's that link I mentioned in the chat a little bit earlier. So that whole webinar that I talked about, that I gave that link a little bit ago, scroll back, it's up there, about onboarding. It's all about creating additional recurring revenue with Patchstack. So I talked in that livestream about creating an extra level of security where you charge more. It's, you know, you could probably add $10 to $20 a month, and the license costs you, you know, a couple of dollars a month, I think, per site. It's a big profit center. So I talk all about that in that process there. So I would just recommend, go back and rewatch that. Jeffrey's asking, are those training videos available? No. But what I will tell you is the bundle that I use is called Video User Manuals, videousermanuals.com. There's an annual cost and it embeds right into WordPress. It's great and even has some premium plugins in it. They have videos for all the premium plugins we use. We have a lot of sites on Beaver Builder; they have videos for those. We use Gravity Forms; they have videos for that. They have videos for WooCommerce.

They have classic editor, block editor, all the things, and we just pay one fee for that every year. And those basic videos are in every site dashboard. It's excellent.

Matthew: you mentioned you do coaching for agencies. Is there a community forum or Slack channel for designers or web hosters that you recommend, where we can chat with peers? Absolutely, Matthew. So my favorite group, well, aside from our Solid Academy Slack group, of course, which you can get access to if you're a member of Solid Academy, is the Facebook group called The Admin Bar. It's run by my friend Kyle Van Deusen. Awesome. The Admin Bar is great. I cannot recommend it enough: thousands of WordPress folks just like us doing agency stuff with clients, they're in there. It's a brain trust. It can often be a firehose of information, but also become a Solid Academy member. All you have to have is a Solid Suite license. It starts at $199 a year, 40% off your first year. You get to be a Solid Academy member, come into office hours every week. You can ask whatever questions you want about business, about technical things, become part of the community. There's a lot of fun folks that hang out every Thursday with me during office hours. And we have that Slack group for offline conversations as well. So check that out.

Last question, from Matthew: will this webinar be archived? Absolutely. I'm dropping the link for it again in the chat. The final link there is the replay link. It takes about an hour, maybe a little longer today because it's a two-hour video. It's basically as long as it takes for Zoom to render that video and push it up to Vimeo; we'll have the replay posted.

So, Umberto, if you are a member, reach out to Solid support and they will give you the link to join the Slack group.

Matthew: so legacy license owners can be part of Solid Academy? So here's the history on that, Matthew.

And when you say legacy members, I'm assuming you mean like you have an older iThemes Security license, like iThemes Security Gold or something like that.

We use that, so this training used to be called iThemes Training, and it was a product that sold by itself.

So it was, you know, something you could purchase individually, or it was included in our toolkit, the iThemes Toolkit, which included a whole bunch of things. So if you only had a security license, then you wouldn't have had access to training, and you won't have access to the premium Academy. We do a lot of free Academy events also, though, that anybody has access to, but if you want access to the premium pieces of Academy, you can get that now through the Solid Suite. Any member of the Solid Suite has access to the Solid Academy. So, all right, a lot of stuff today.

Any final questions, drop them in the chat and I'll try to answer those and then we'll wrap things up otherwise.

Well, I do appreciate you hanging out with me and lasting through the last four hours of training. This has been fun. We do this at least every year in Disaster Week, where we take a lot of time and talk about WordPress security issues. We started off with a great state of WordPress security from our friend Kathy Zant. Great WordPress experts panel; if you missed that panel yesterday, that was quite a discussion with a lot of insight, a lot of fun. It was some really smart people in WordPress security. Go back and rewatch that; that replay is already up. And then today we had a great talk with Timothy and then the stuff that I talked about as well. Hopefully it was useful. Well, that's gonna wrap it up for us for Disaster Week 2024. Again, the replay will be up later today. And if you're a member, hopefully I'll see you back here on Office Hours.
That's tomorrow starting at 1pm here on Solid Academy, where we go further together.

Replay details

Day One

Session 1 - The State of WordPress Security: What Affects YOU!

March 19 from 1:00-2:00 pm Central Time

Kathy Zant will give a helpful overview of the issues impacting WordPress security in 2024, especially from the perspective of solopreneurs and agencies who manage WordPress websites for clients.

Session 2 - Security Expert Panel: Trends You Need to Know

March 19 from 2:00-3:00 pm Central Time

Nathan Ingram will lead a panel of WordPress Security experts: Kathy Zant, Thomas Raef, Timothy Jacobs, and David Johnson.

The panel will cover security trends in detail with plenty of time for questions from attendees.

Session 1 Slides: https://drive.google.com/file/d/1GV5SRsGhaOckgTkXf-62b8vf1WWjJg5v/view?usp=drive_link
Day One chat log: https://drive.google.com/file/d/1UP8bFXnyB_odC6r9B4Wbeys8odOfPW7z/view?usp=drive_link
Day One live transcript: https://otter.ai/u/-vGsb4xe8EmwnEda1Ecv_1_RsTI?utm_source=copy_url

Day Two

Session 3 - Reducing Your Site's Risk to Nearly 0 with Solid Security Pro

March 20 from 1:00-2:00p Central Time

SolidWP Lead Developer Timothy Jacobs will explain how to protect your website using the powerful features of Solid Security Pro.

Session 4 - Talking to Clients about WordPress Security: Generating Recurring Revenue

March 20 from 2:00-3:00p Central Time

Nathan Ingram will discuss how to talk to your clients about WordPress Security, and how to keep them safe as you build recurring revenue for your business.

Session 3 Slides: https://drive.google.com/file/d/1SEmE-bmlbMScYzlc4Y7dbYj9tWWIw1hG/view?usp=sharing
Session 4 Slides: https://drive.google.com/file/d/1X4jK_jv2ZsH6uXLCBQIXqZ8NAbvkKYQV/view?usp=drive_link
Day Two chat log: https://drive.google.com/file/d/1HfxF6OjN88O-CFMQnuBp_Tq7L_rlGnTk/view?usp=sharing
Day Two live transcript: https://otter.ai/u/hhv_RTU6GaLQyMVsrx0gCeUoakc?utm_source=copy_url

WordPress Disaster Week is also great if you build or manage websites for clients, as we'll cover a session on how to talk to clients about WordPress security.

Register once to attend all sessions of WordPress Disaster Week.
If you can't attend live, we will send you the link to view replays of the full event!

Live transcript (Day One)

Again, welcome. If you're just joining us, it's Disaster Week 2024. We have Kathy Zant here. She's going to be talking about the state of WordPress security in our first hour, and then we have an excellent lineup of security experts and a panel that is coming right up. We're going to be getting things underway here momentarily. The links I posted in the chat just a minute ago are not correct. I'll get that straightened out in just a minute.

Oddly, that should have been working, but hey, it's Tuesday.

Again, welcome everybody. It's good to see folks logging in from across the country and around the world. Hi, Kay. Sue is here. Barney, welcome. Thomas Byrne. Paul, Class, Doug. Good to see everybody today. We'll have the links up for you in just a moment.

Again, welcome. We'll be getting started officially at about three minutes after the hour. So glad you're here just a bit early. We'd love to hear from you in the chat where you're logging in from, and here are the correct links. There we go. This is of course being recorded; the replay's available at the link that I just posted. You can also download Kathy's slide deck; the link is also there in the chat. Really glad everybody's here today. Welcome. Welcome, Dan. Good to see you, Rob.

Great to see everybody logging in today.

Hi, Tina from South Africa. Welcome. Welcome, Marie. Welcome from Massachusetts.

All right, folks. Good to see everybody coming in. Hey Stacey. We're about three minutes away, three and a half minutes away, from getting started with Disaster Week for 2024. This has been an annual event here with SolidWP, formerly iThemes, for many years.
We always enjoy bringing some great experts on this topic to give you the lowdown on what you need to know as you're managing your own WordPress site or perhaps even managing sites for clients. So welcome, everybody. We have a lot, lots to talk about today. Great panel of experts, plenty of time for questions. The world of WordPress security is much more complicated today than it has been in the past. And Kathy is going to unpack a lot of that for us here in just a little bit.

Oh Sue, that's great.

Welcome everybody. Just about three minutes away from getting started. Kathy Zant is here, where she's going to be talking about the state of WordPress security to get Disaster Week going. I'm really glad to have everybody here. Welcome to folks across the US and around the world. If you're just logging in to Zoom, open up the chat and say hello. The slide link bundle is in the chat; today's slide deck is there. Also the replay, if you want to go back and rewatch this live stream, you can do that at the link there in the chat. Share that with anyone as well. Those links will be available. Hey Michael, good to see you.

Melissa, welcome from France.

Great to see everybody. Hi, Frank. Melanie.

And I am using the wrong microphone. Wow. All right, that should be considerably better audio than it was before.

I thank you so much for that little tip.

Melanie, I appreciate that. Yes, yes, yes. All right. Welcome, everybody. We are just about two minutes away from getting started with Disaster Week.

The link bundle is there in the chat. You can download today's slide deck that Kathy has on her screen now and follow along if you'd like; I think there's some helpful links in there as well. Also, the replay of today's event will be at the link there posted in the chat as well. You'll be able to share that video out.

The chat log and transcript for this event will also be there.
At that link.

Niles, welcome.

Hey, Charlie, welcome back. Mateus, welcome. Good to see everybody there in the chat. We're about a minute away now from getting started with Disaster Week. Kathy Zant is going to kick us off talking about the state of WordPress security. Hour two today is going to be a star-studded panel of security experts who will be here to talk about some of the current issues in WordPress security in the next hour. And of course, have plenty of time to answer your questions as well. Welcome, George. Glad you're here.

Folks, if you're coming in to Zoom, we invite you to open the chat, say hi and tell us where you're logging in from. If you'd like to chat with others during the live stream, make sure that you've dropped down the little blue drop-down above where you type in your chat to Everyone, not just Hosts and Panelists. It does default to Hosts and Panelists for some reason, but if you'd like to chat with everyone, just make sure you make that change.

Once again, if you're just joining us, the attendee number is ticking up. The link bundle is there in the chat. You can download today's slides that you're seeing there on the screen with Kathy's State of WordPress Security. Also the replay link is there for you. Hey Rob, Vera, welcome. Glad you're all here. Just about ready to get started. Kathy, ready to light this candle?

I am ready to kick this off. The fun. Well, let's get started.

Well, good afternoon, good evening, good morning, wherever you happen to be around the world. Welcome to Disaster Week 2024 here on the Solid Academy. This has been an event that we've done for many years here at Solid, formerly iThemes, as we talk about the state of WordPress security and give you tips from experts as you seek to make your WordPress site safer and protect the sites of the clients that you are helping as well. I'm joined today in our first hour by Kathy Zant. Kathy, it's so great to have you back.
Kathy is an internationally recognized expert on security and marketing, data-driven website development. She's spoken at countless events worldwide, and is a frequent guest on all sorts of podcasts about WordPress and other emerging technologies. Kathy, welcome back. How are you?

I'm so happy to be here. It feels like coming home to the gang, and I'm so happy to be here. Thanks for having me back.

Absolutely. So a lot of folks are saying hi to you there in the chat. You got a lot of fans here in the attendee group today.

We're talking about WordPress security and the things that you need to know here in this first hour. Kathy, let's just talk for a minute about how you got interested in WordPress security. When did you start this and how did it happen?

Yeah, well, I got interested in security back before WordPress. I inherited a server, a web server, from the technical people. I was the marketing person, and that server got hacked, and so I was thrown into the depths of learning about security in the early days of the Internet, and learned how to spoof emails and do all sorts of things. So that was way before WordPress, and then when I first started, like, migrating some of the sites I was developing, you know, coding myself, and migrating things over to WordPress just because it was easier to manage, the WordPress TimThumb vulnerability, my husband's site of all things got hacked. So that was an adventure. You got me on this WordPress stuff, you better fix it. Yeah. Okay, hon, I'm on it. I mean, I got so involved then and, you know, I mean, then hacks happened, helped friends and everything. And then a company put out a call for people to clean hacked sites, and I was basically helping my husband run his business and I was a little bit bored. So I'm like, clean hacked sites, I've done that before. Let me see if I can do this. So I was just cleaning hacked sites sitting next to my daughter who was homeschooling, and I got sucked in.
And now, look at me. I'm giving the state of WordPress security; almost sounds like I'm a security politician. No politics here though, promise.

Oh, well. We have a lot to talk about, because the state of WordPress security is always evolving. And if you follow security news, and we do a monthly news roundup here on Solid Academy, we're always talking about new and trending security issues. We also have a regular webinar at least every quarter with Thomas Raef from We Watch Your Website, giving us, really scaring us to death, quite frankly, with some of the things that are happening on the cutting edge of the things that hackers are doing. So we have a lot to talk about today. Folks, let me give a couple of bits of housekeeping details, and I'm going to disappear and let Kathy start speaking here. But if you're just joining us in Zoom, we're grateful that you're here. Hopefully this will be a good investment of your time today. I'm dropping in once again into the chat the link bundle for today, which includes today's slide deck, and also the link to the replay. We'll have the video of today's two hours posted by around four o'clock Central Time. That will also have our transcript and the chat log. So a lot of times during the live stream the chats will have some good information, so we save all that; it'll be available for you on the replay link that is there in the chat now. Also, let me just invite you to go ahead and open up the Zoom Q&A. You'll find that link as an icon under Kathy's shared screen. If you mouse over the shared screen, you'll see the Q&A icon. That is the place to ask your questions. So if you have a question for Kathy, or anything related to WordPress security, please use the Q&A and not the chat, because the chat may go on past and we might miss that question. But if you use the Q&A, it'll be there.
And also we invite you to keep that open, simply because if you see someone else who has asked a question that you also have, you can click the thumbs-up icon, and we'll take the questions in the order of upvotes. Now, likely what we're going to do today is Kathy is going to speak and sort of set the table for us with all the current issues with WordPress security, then we're going to take a break, so no questions immediately after Kathy's talk today. We'll take about a 10 minute break and get our panel in place, and we'll take all the questions toward the end of today's panel discussion. So it's very important that you upvote the questions that are asked, as likely we won't get to all the questions, but we'll take the questions that do have the most number of upvotes. So with that, I'm going to disappear, and Kathy, let's talk about the state of WordPress security.

Shouldn't there be like a band playing or something? I guess I'll just imagine that, you know, Pomp and Circumstance playing as we talk about the state of WordPress security. Now, when I first started cleaning hacked WordPress sites, WordPress security was a little different, a little more simple, but some things haven't changed. And I want to talk about some things that haven't changed and some things that will continue to kind of be sort of this undercurrent of WordPress security threats. But I want to talk about what is changing, some of the things that we're seeing, trends that you should be aware of, of where we're going. I'll talk about some recent attacks that we've seen that are very interesting for somebody who's into security, maybe a little bit scary if you're not into this. Then I'm going to pull out my crystal ball, and I'm going to make some predictions about some things that I see in the greater security space.
That will come toward presidentially, and then I have some thoughts about the WordPress security community, WordPress as a community, as an open source community. I fully believe that WordPress wouldn't be what it is today without you, without the community, without all of us helping each other, so I have some thoughts about how security plays into that. So that's the little teaser. Is there going to be drama? Maybe. Stick around.

Alright, so what hasn't changed? Hackers want to make money with your site. They want to take your server resources, your sparkly clean domain reputation, and they want to use it for their profits. So they're going to put spam on any site that they can hack. They're going to use phishing, malware, backdoors to get back into the server. They're going to do all sorts of crazy things with your asset. WordPress is an asset, and if you start thinking about your WordPress site as an asset, the same way you think about your bank account, your cryptocurrency, your home, your car, the shed in your backyard, all of these things that you want protected from malicious attackers and thieves, if you start thinking about WordPress that way, things will make sense, because that is something that hasn't changed: the profit motive, and that's the reason why they come after WordPress. WordPress is also powering more than 40% of the internet, and they target WordPress because they expect smaller sites like yours in many cases, and larger sites, but mostly sites like yours, they expect it to not have as much security. Now, the New York Times and Rolling Stone, rollingstone.com, use WordPress in order to present their content, but those major sites have security operations teams looking at every log file; they have security professionals looking at every login. But you are busy running your business. In many cases, small businesses just do not have the resources to watch security, so they expect less security on your site.
So if they can hack into 100 WordPress sites, it's the equivalent of getting into one larger site that has a ton of traffic.

Plus, it's just your resources that they're after. Now, historically, what hackers have done is they've exploited weakness. Now, that could be weakness in the people who are running the site, who just don't know any better and are doing things like reusing passwords, or it could be a weakness in software, vulnerabilities. Typically over the past few years, decade, we've seen this in software packages, primarily in plugins and themes. There have been a few core vulnerabilities that have been significant, but in recent years we haven't seen that so much. But we're still seeing plugins that have vulnerabilities. We're still seeing some themes that have vulnerabilities, and sometimes those come under attack rather quickly. So software vulnerabilities and authentication issues are still going to be a problem. This is a problem in the wider space, not just WordPress as a whole, but it is historically how we have seen attacks coming at WordPress. The game of security, and one of the reasons why I love it so much, is, you know, some of you people do crossword puzzles and other things to keep your mind active; I like to see what hackers are up to. My friend Thomas Raef, who will be in our panel later, he likes to share the stuff he finds. He finds the most amazing malware and the amazing attack vectors and intrusion vectors. I find it fascinating what the mice are up to in order to get the cheese. It's constantly a challenge, because you have security professionals who are trying to protect sites, and then we have security professionals, security black hat professionals, who are trying to get into those things. So the constant cat and mouse game: sometimes the mice are getting in and sometimes the cat's got everything locked down. That challenge to me is exciting. And that's never going to change; that's how security works.
You have security protections and hackers, just that hacker mindset, that playful, let's break out of these defined boundaries. It makes it interesting. So I find that very interesting, and this is never going to change. We are never going to stop hackers' activity; we are just going to be able to slow them down. They are always going to be looking for vulnerabilities that they could possibly exploit, so that cat and mouse game is going to continue forever. But what is changing is that these hackers are getting more clever.

The attacks are maturing. They're not just looking for plugin vulnerabilities, because we are seeing many plugin developers really up their security game. A few years ago, we saw a lot of plugin developers that were using is_admin(), a function in WordPress; they were using that wrong. is_admin() as a function will tell you: are you on an admin page or not? Is this person an administrator? And so we saw a bunch of different plugins that were using that function inappropriately and causing vulnerabilities. We're not really seeing that kind of thing. But we are seeing vulnerabilities still, but attackers are having to become more sophisticated. The mice want the cheese, and so they have to get around the cat's defenses, and they have to try new things, new creative things. We just have to be aware of what's going on. What we're seeing is some of the general attacks on computing, on computers; those general attacks are also targeting WordPress. Why? Because WordPress is an asset; your WordPress site is of value. Even if it's just your hobby blog, just the resources of your computing power of that website is an asset that hackers are after. So we're seeing some of these general security attacks now aiming at WordPress. Now, Thomas last year started sharing with us some of the attacks that he was seeing, and he was seeing that many hacks were coming in.
And it was almost as if you look over the log files and you would be, you know, a user coming in working in wp-admin, and then all of a sudden that same user's cookie was being used, but it's like coming from some weird site someplace else, and, you know, Malta or someplace where, you know, that user, that administrative user, isn't. These were stolen session cookies. And on January 3, it's in the links that Nathan shared in the chat, Thomas's research he published on January 3, showing what he found over 2023. And he found that 60% of WordPress hacks were coming from authentication problems, and there's a whole section in there about these stolen cookies. And then if you look at the general security press, Trevor Hilligoss, who was a former FBI digital crime expert, he said that last year he had seen more new advances in infostealers than any year previously. So Thomas put two and two together, Trevor is putting two and two together, in terms of these attackers basically assuming the role of an administrator. Now, how exactly does this work? Well, an infostealer is malware that's distributed through phishing emails, malicious links, and infected attachments, like a PDF with an infostealer embedded in it, compromised websites that you might visit and then end up clicking on a link that downloads something, and malvertising, which is advertising that is actually malicious. So all of these things are not targeting WordPress directly. They're targeting your computer, and if you have access to a WordPress website, and you're logged into that WordPress website, then they try to get into that asset. Now, have you noticed that your bank, let's say you go to pay a bill and then you go make a cup of coffee, and you come back and you're logged out automatically?

This is what the banking industry is doing. They're closing those session cookies rather quickly.
Because those session cookies, if they are ever stolen, basically give attackers the ability to basically impersonate you, and that's what these infostealers are allowing people to do. So how does it work? It basically takes that session cookie from your browser, and then they take those cookies, put them on their device, or more likely just embed them in their scripts as they are attacking many different things. And then they access your wp-admin as if it's you. It bypasses firewalls, it bypasses 2FA; basically, then, it just becomes you. They have a script that just gets into wp-admin, so the log files will look like, oh, there's people doing all this editing, and then boom, this weird IP address that now is doing malicious things using those session cookies. So Thomas's research is showing that this is being used to target WordPress, and yeah, so kind of scary, but obviously infostealers aren't existing just for the sole purpose of getting into WordPress, but this broader problem in security is affecting WordPress, and this is one of the trends that we're seeing.

So these types of infostealers that exist can be in email, FTP credentials, clipboard, you know, you copy something, copy a password out of your password manager. Um, if you have an infostealer, it can get onto your clipboard and take things. Keyloggers, form grabbers, browser hijackers, so there's a lot of different kinds of infostealers that are out there that can have an impact on your WordPress site. So what can we do about things like that? Well, obviously it's most important that you protect your devices and protect your computers, making sure that, just like with wp-admin, you log in and update all of your plugins and your theme. You got to make sure that your operating system, make sure your browser, Chrome, I've seen so many Chrome vulnerabilities. Chrome's the most popular browser, you know, so attackers are going after vulnerabilities in Chrome.
So if you see that your Chrome needs an update, make sure you are updating your browsers. Make sure you're very judicious about the types of extensions you install into your browser, just the same way you would with plugins that you're installing in WordPress, or the apps that you put on your phone, just making sure that they are coming from reputable sources. And then, you know, a lot of us who use Macs have lived this sheltered life thinking that we don't need any kind of protection on our Macs. Macs don't get viruses, right?

Except that they do. So you need to make sure that you have some kind of malware scanner, like any kind of antivirus. Avast is a great one. Um, there's other ones that you can use, Malwarebytes, things like that. But just make sure that you're downloading signatures regularly and scanning your machine regularly. So making sure that you're doing those general protections for your computer and your devices. And, again, think about those assets: your banking accounts, cryptocurrency accounts, crypto wallets, Amazon. You don't think your Amazon account is an asset? Well, it is. I helped someone last year who got their Amazon account hacked, and the attackers used the credit cards that were stored in, it was a debit card, actually, that was stored in that Amazon account, and bought gift cards, sent them to themselves, and then archived those orders. Make sure you've got protection for that, because your Amazon account can be hacked and can drain a debit card or bank account. Kind of a blog post on my site about that, and of course WordPress, consider WordPress an asset as well. Making sure that you protect your credentials, strong unique passwords everywhere. That Amazon hack, actually, we traced it back and it went back to the LastPass breach that happened, and that person had not changed their password out of LastPass.
And they actually had one of their, I think it was SendGrid, their SendGrid account had 2FA on it, but somebody was trying to log into that as well. So we kind of traced it back to that LastPass breach. So making sure that you protect your credentials, strong unique passwords. If you have passkeys available, like you do in Solid Security, use those. Two factor authentication just needs to be everywhere. According to Verizon, only 28% of people are using 2FA, and at this point we all need to be using it, and there's many places, even your Amazon account, make sure you have 2FA on that as well. Don't open links in emails. You probably heard this before. SMS, smishing they call it, it's like phishing except it's coming over SMS. Don't open attachments if you are unsure what an attachment is all about. An attachment that comes through that says that you're part of a class action lawsuit and somebody wants to send you money, be suspicious of those types of things.

Go through phishing education, test yourself. Do you really have the knowledge and the foresight to defend yourself against phishing attacks? You know, Gmail and a lot of the email services are great at filtering out a lot of these attacks. But really the buck stops with you. These are just tools; they're trying to help you, but every once in a while that mouse gets a piece of cheese. So, okay, so what can we do about WordPress and defending WordPress against infostealers? How long is that WordPress session when you log in?

It lasts for 48 hours, but if you clicked Remember Me, your session cookie is going to last for 14 days. This is why WordPress gets targeted, rather than, you know, there's plenty of people who are like, oh, well, if this was really a thing, then your bank accounts would all be drained. But you notice your bank account logged out pretty quickly these days, right? WordPress does not have that. WordPress will last for 48 hours, that cookie; it does not log you out automatically.
And Remember Me will last 14 days, so those session cookies stay in your browser. They will be in perpetuity until you click Log Out or until the cookie expires. So if you want to protect yourself and protect your WordPress site from the possibility of an infostealer ending up on your computer, usually it's the kids, they're downloading everything off the internet. Let's just blame them.

But you want to log out. When you log out, you kill the session cookie, so you don't have to go through, I've had people ask me, oh, do I need to go clean up all my cookies out of my browser now? Not necessarily. You can if you want to, but that's a lot of work. Just log out. If you click Log Out, that session variable, that session cookie, goes away. Solid Security also has a Trusted Devices protection, which I haven't even had a chance to play with yet, but this is something hopefully you can talk about in the panel a little bit, because Trusted Devices is addressing this. So one of the reasons why I love Solid Security, and the team, especially Timothy, amazing, is because he's on top of all of this; he pays attention to what's going on. Is your plugin vendor or your security vendor paying attention to all of the things that security researchers are finding out?

All right, another really, this one was fascinating. I got to tell you about this. So Sucuri found this malware. This is malware that actually uses a site visitor's browser to attack other WordPress sites. Crazy, right? I'm like reading all of this. It's a little bit like a crypto miner, and we saw crypto miners like in 2017, when there was this JavaScript thing you could put on your website and have it just, like, mine cryptocurrency on people's browsers. Well, attackers loved that, right, because profit motive, of course, but that all kind of went away. I think it's gonna come back, but we'll talk about that in my predictions.

But this is very similar.
So you have a hacked site, and a person visits that hacked site, and then maybe their CPU starts going through the roof or something is happening, because their browser is getting instructions from the hacked website to go attack other WordPress websites.

Brute force attacks. So this is just, I find this incredibly fascinating. It's not infecting the browser, but it is using the computing resource of the browser to go off and attack other WordPress sites. So if you are a site owner, and these weird attacks are coming from just, like, somebody's home IP address, like, is that a malicious IP address? No, it's just some guy who doesn't even know that his browser is attacking you. He's visiting some malicious site, and that malicious site is telling his browser to be malicious. So we have plenty of brute force protections that are out there that are like, okay, here are all the malicious IPs that we're seeing malicious traffic from. This kind of throws a wrench in that a little bit, because now we're seeing, you know, Joe down the street is attacking WordPress sites. You would not expect that, but it's a brute force attack. So the same principles of brute force attack prevention apply here: strong, unique passwords, two factor authentication, but you can't just say block all the malicious IPs and set it and forget it. No, you have to consider that any IP address could be malicious; you just don't know. One thing that you could do, if you really, if you know your IP address, wherever you're logging into your wp-admin, you can block all of the IP addresses in the world except your own, whitelist your IP address, so your IP address can always log into wp-admin, but just block everybody else, that type of thing. And that can cut down on it, but it's not necessarily going to stop attacks like this, but pretty clever, huh?

Another thing, zero day vulnerabilities.
Now, the Bricks Builder vulnerability wasn't necessarily a zero day, but I think this was just so interesting. So on February 13, Calvin Alkan, well, he actually found a vulnerability, a pretty severe vulnerability. It was an unauthenticated remote code execution vulnerability, which means anybody could use this attack to basically take over a WordPress site. He worked with Patchstack to communicate with the Bricks Builder team to make sure that this vulnerability was patched. So February 13, the announcement comes out that there's a patch; within five hours, started seeing attacks. Five hours, this is kind of new to me. I haven't seen it happen quite this fast. I've seen, you know, vulnerability, you know, zero days happening, and then the attacks are happening and then a patch comes out. I've seen, like, crazy things, but this was responsible disclosure. This was security vendors working with the Bricks team, who have gone through, like, in the past month, they've gone through so much in terms of, like, hardening that application. They're doing great.

But it just happened so fast. The Bricks community was just like, you know, the dog with the hair on it; it was crazy for a while, because it was just such an easily exploitable vulnerability. So we're just going to see these types of attacks are going to happen very, very quickly. So if that happens, you know, when there's a very, very sensitive vulnerability, a very critical vulnerability, we'll see stuff like this happen, but I was kind of shocked at how fast that all happened. Um, this is something, malvertising. I just saw this yesterday on Twitter.
One of the guys who runs WP Umbrella, which is like a management tool for managing a lot of different websites, WP Umbrella, and you can see on the screenshot that he shared on Twitter, WP hyphen umbrella dot info is actually a malicious domain, and it is sponsored. Their real domain is down below that, but that malicious domain, malvertising, so people would click on that if they searched for WP Umbrella. They could click on that and maybe give up their username and password. So he was very concerned about that. Lots of people were reporting it to Google and everything, but just a reminder: don't go searching for sites and trust the search results all the time. They can be malicious at times. So make sure you bookmark things that are important to you, and always use two-factor authentication.

In case you accidentally give up your password to someone.

So, predictions of what's next. There's the crystal ball. So I think we're still going to see vulnerabilities found by researchers and attackers. Sometimes there's going to be zero-day vulnerabilities that the attackers find first, and there's going to be zero-day attacks that the attackers are doing, and everyone's going to have to defend against those types of things. But the thing that I'm really excited about seeing is that there are more and more security companies that are managing vulnerabilities for plugins. Patchstack is doing this. They are also working with security researchers, and it's much more organized now than it was five or six years ago, so that's very encouraging. Bitcoin, Uncle Bitcoin, is doing better. He's recovered from his illness, and Uncle Bitcoin is, you know, increasing in value. As we see that happening, we're gonna probably see some kind of crypto mining attacks happening. I'm not quite sure what yet, but that's one of my predictions that's gonna happen.
We're gonna see more attempts to exploit the weakest link in all security: humans.

That's going to be in the form of social engineering attacks. People are going to get tricked out of their passwords, either through phishing, through phone calls, through emails, all sorts of things.

We're going to see malvertising like we saw just yesterday with WP Umbrella. We're gonna see SIM swapping attacks, and SIM swapping attacks have been typically, I, you know, when I first learned that this was even a thing many years ago, it was in the crypto space, and I read an article, and it's in the links. I recommend everyone go read it. It's on Medium; you might need an account to log in and read it, but it goes through how the SIM swap attack happened. This guy, at night, his phone's just not connecting to the tower and he's like, yeah, I'll fix it in the morning. By the morning he had lost $100,000. Basically, an attacker takes over your SIM card, takes over your phone number. They can do all sorts of things like resetting passwords on your email account, resetting passwords on your bank accounts, all of those types of things, because they've got your phone number. And so those codes, those SMS codes, are coming to that number on the new phone rather than your phone. So I don't know, I haven't heard of any stories of WordPress sites being affected by a SIM swap attack. But my prediction is I think it's going to happen one of these days.

Anyway, we'll see. Maybe next year I'll come back and we'll see what actually has happened or not. There's a recent story of a person who was on the inside at a cell provider and was working with criminals to SIM swap people, which is just lovely.
Anyway, do not use SMS-based two-factor authentication as your backup, because when you are using Google Authenticator and you're using the time-based codes, those are something that they can't take. If they've got your cell phone number, they can't get that code for your authenticator accounts and whatnot.

There is a recent article about acoustic attacks that was in BleepingComputer just recently. I found this interesting: just by listening to whatever you're typing in on your keyboard, they can guess what you're typing, like passwords. That could be interesting. That could happen. I think it's gonna happen somewhere. It might not happen to WordPress first, but it's just research right now. Security researchers are always looking for these types of things in order to protect against attackers finding things first. But that could happen. And then I've seen some research, it's just very high-level research right now, about AI and large language models.

Basically forming some attacks, so I can't wait to see what happens. It's exciting. And WordPress is an asset. So eventually it's gonna happen. So here's the stuff about SIM swapping attacks. It's not targeting WordPress now, but basically how it works: they're not using it to get your two-factor codes. They're doing it to reset passwords on your email account, and take out those types of accounts and drain whatever asset that they're after.

Let's talk about what I see as the need for what we need for WordPress security. We have a bunch of companies that are selling security products, security services, cleaning up hacked sites. There's plugins, there's firewalls, there's all sorts of services that are here to help you secure your WordPress site.
They all have their profit motives, but we are also in an open source community, and collaboration and communication are key.

Now when a researcher like Calvin finds a vulnerability, communication between that security researcher and the plugin vendor needs to happen, and security vendors, like Patchstack, was instrumental in ensuring that Calvin, Bricks, and the communication flow between researcher and developer happened. But we need greater community collaboration and communication throughout the entire community. We need communication between developers and users. Better communication about what vulnerabilities are happening and why.

We need better communication between security vendors. If Patchstack knows that this vulnerability is happening, let's communicate with the other security vendors so that they can protect their customers as well. Those types of things. Security and software is all about trust. And I think that if our security community can work together better, kind of like how Solid, actually Solid and Patchstack, having an integration, have communication, they work together as well. I would like to see more of that. There have been some security debates. And, you know, obviously conflict can be good. We learn from each other with differing viewpoints. But I would like the safety of the community to be put at the forefront, the safety of the users. Remember why we're here; that's who we're here to serve. I would also like all of us to have a better security mindset. We can't just install a plugin and set it and forget it. We need to understand how that plugin works. We need to understand what it's trying to do. We need to understand how to use that tool. You can't build the house just by buying a hammer. You have to understand how that hammer works.
So I think we need better education and better knowledge, not just in, this is not just for WordPress, this is across the board. I was helping my daughter, she rides horses, and I was helping the barn people with their website on Squarespace. And just the password hygiene, I might have a little PTSD from that. This is a worldwide problem. The cat and mouse game is not just after WordPress, it's after anything that can be profitable. So heightening security education, I think it can happen in WordPress, and then everyone who learns in WordPress and the people that you build sites for, helping them uplevel their knowledge and being able to recognize a phishing attack, recognize social engineering, recognize malware when they come across those types of things. They can teach their family and so on and so on. So I think as we take responsibility for our own security and upleveling everyone around us, I feel like that's my mission. That's what I'm here to do. So I would like everybody to become just more vigilant.

Some more advice: locking down your device with your provider to protect against SIM swap attacks. Although that one guy, he was an inside job kind of person. But if you can't lock it down, don't use your public, you know, you give out your email address, right? You go to the store, "would you like your receipt emailed to you?" Sure, of course, and you give out your email address. Don't use that for your WordPress. Don't use that for your bank. Have a separate private email that you use for things that are sensitive. Reduce your online footprint. I know we all like to celebrate our birthdays on Facebook and whatnot. I do too. But reducing the amount of information that you share can also force attackers, because when they're doing social engineering they gather information, and then they use that against you.
One thing that I've seen recently is, like, a lot of people who do online presentations and have their voice out there. They can do AI voice mimicking, and there's these calls: they call mom up and say, hey, I'm in Nigeria and I need $1,000 to get home, please help me, but it's your voice, right? So those types of tricks get played. So reducing your online footprint, having a safe word with mom so that, you know, mom, call me back and make sure that it's me. You know, if we say the word, you know, strawberry, then it's really me asking for help.

And then for critical accounts, you know, I highly recommend using password managers. But we did have that LastPass breach that happened. Use an offline password manager for your critical accounts. You know, security is a continuum. The most secure computer is buried in the ground, encased in cement, and no one can access it, and the most open thing is anybody can get to it. So where is your bank account? You know, it's more buried in the ground, right? And maybe a test site, password123, who cares? So you have to make a judgment of security for each individual asset that you are trying to secure. And then auditing your site. Lots of people don't do this very regularly unless they're afraid of something, but I would audit, you know, every quarter, just go take a look. I can't tell you, I went to one of my test sites, and there was wp-config.php-old, which basically turned that into a text file.

Not exactly a good security practice, because you're taking that PHP file away from the parsing of PHP and turning it into a text file. So I didn't know that was there. My hosting provider on that particular account had done that. Lovely.

Audit your sites. Just go poke around, go look at the files, go look around. All of the users who have admin access, should they all be there? If you need a checklist of auditing things, I can get you a checklist.
I do have one of all of the things I look at when I'm auditing a site. Maybe I can give this to Nathan. I'll find it and we'll have it in the second half. I didn't think to bring it. Know your developers. With that Bricks vulnerability, if you were on the Bricks list, you would have gotten notified within those first five hours. You would have been able to take action quickly. Develop relationships with the people who are developing the software that you are committed to using, and use the plugins like the Solid Security plugin to help you make good decisions through application security. So one of the more forward-thinking, Timothy is just so brilliant, and he watches all of this stuff and acts very quickly when he sees that there's something that he can do to help you protect yourself. Software is all about trust. So make sure you know who is helping you secure your things, and remember who you're up against. So, after the cheese, you've got to be the cat. You have to protect your cheese. Because, you know how these guys are, they're just going to try anything and everything at all. So anyway, there's my little about thing.

You guys know me, we've hung out before, but yeah, I've been doing this for a while. When I see stuff, I like to put it up on YouTube. Go subscribe to me on YouTube. You can also get on my newsletter, because if I see something that really needs action, I will send it to the newsletter. I will put it on YouTube. I am here for education first, and I'm so happy that I get to share all this with you.

Thank you, Kathy. This has been excellent, a really good overview of the landscape of all the things that are happening in WordPress security right now, and there's a lot we have to be aware of. So excellent material here. I'm going to drop in once again, if you came in late and you missed the link bundle.
It is now back in the chat. That has today's slide deck as well as the replay link that you can go back and rewatch or share this live stream with someone else. I also dropped the link in just before. Kathy, you've agreed to come back and do several live streams on security with us over the next few months. So we're super excited about that. And that link to those upcoming live streams is there in the chat. I'm noticing that there's a problem with the last one for July. We'll get that wrapped up and fixed here in the next couple of hours. But there are several that are out there and waiting, if you'd like to go sign up. They're all free. And join Kathy for more security conversations. Kathy, we've got just a few minutes here before we're going to take a break prior to the panel, and there's a couple of questions that came in throughout your talk that I think it'll be a good time to pose to you, if you're open to that. Yeah, of course. So Savannah has just a great comment here. And it's something I've heard also from other people that are just even considering WordPress as a platform at all. Savannah says it really put me off having a WordPress site, because I'm supposed to be attending to business and not spending all my time on security, which I can't keep up with. How do you respond to that?

Well, yeah, sure, you can have a straight HTML website. But if your FTP application is using a reused password, if your hosting account panel is using a reused password, and there are so many other ways beyond just, you know, vulnerabilities in plugins and all of this other stuff. The great thing is, you know, there's so many vendors, and there's so many tools out there for you to pay attention to this stuff.
And honestly, by doing that, I mean, as a small business owner, you're running your business, you don't have a lot of time to pay attention to stuff, but you have to be aware of it. I know of one business that, you know, they did the whole "Hey, I'm the CEO" email. It was a phishing email. Hey, I'm the CEO, you need to send money to this company, pay this invoice right now. And the person fell for it, and $42,000 later. Those types of things, if you can get rid of WordPress, those types of things are still a threat to your business. So by being in the WordPress space, by being in this community that is so security focused and is security aware, and being connected with events like this and educators like me, we are here to help you uplevel everything. So I don't think that, you know, saying goodbye to WordPress is necessarily going to help you. It might make you less aware of other things that are a threat.

Yeah, 100%. The security landscape is so broad now, and hackers are so clever with their social engineering attempts and very, very smart ways to separate people from their money.

Now when it comes to WordPress, the issue of WordPress security is one of the criticisms that many people have about WordPress. And honestly, that's why Solid Security Pro exists, our security plugin, which we believe is a very intelligent approach to WordPress security. And by giving it a little time and setting that up on your website, it does the hard work of keeping WordPress secure, does a big chunk of that WordPress security. We're going to be talking, especially tomorrow, Timothy Jacobs, the lead developer of SolidWP, is going to be with us talking through the settings in our security plugin that help you reduce your security risk to almost zero.
And so Timothy will be in the panel in the next hour, but also with us tomorrow for a full hour talking about those very important settings that can let you take your mind off of security and focus more on your business, like you're talking about, Samantha. It really is a, you're not the only one who has that challenge.

Here's another quick question from Chris. Chris is just wondering, when are we going to maybe see a better approach to security from core WordPress? Is there something that core should be doing, in your opinion, that maybe they're not focused on?

I would like that to be a part of core. I think at this juncture, it just makes sense.

It just makes sense at this point. So I would like that to be a part of core. But you know, with most development, the innovations happen with a plugin, like Timothy. I mean, I watch the security landscape, especially with WordPress, quite a bit, and Timothy is always, he pays attention to what's going on. Passkeys: he was like the first one to bring passkeys to WordPress. So the innovation is going to happen with people like Timothy, with developers like Solid's team. So core, when there's a vulnerability, core has been very, very responsive.

The File Manager vulnerability in 2019 was just so long ago, seems like yesterday, but that was very easy to exploit. You didn't even have to have File Manager activated. You could just have it installed on your site, not active, and it could still be exploited. And I think that was one where core was like, you know what, let's just push out the patch. And so core has been very, very acutely aware of security concerns as they arise, and I think they respond very quickly.

I'm always more curious.
There's one thing, I think that personally I don't think it's a big deal, but I would like to know more when a patch to a security vulnerability is applied, that they explain more of what's going on. So security researchers, a few of them, will go through and, like, okay, this is what could have happened with that. I want to understand what is happening. I like the education after the patch type of thing. But they kind of keep that close to the vest to keep, you know, people from poking around too much. But that's just me.

Yeah, it's a great answer. And you know, the, what?

This whole subject is one that comes up in lots of different areas, like what should be core and what should be a plugin. It's a hard debate among the core developers on what ought to be core and what ought to be an extension and a plugin. I think we're going to continue to see that debate raging on. Well, Kathy, this has been great. There's a lot of thank-yous there in the chat for a really good overview presentation of the current landscape of WordPress security and gazing into your crystal ball, Kathy's crystal ball. So that's gonna wrap it up for this hour, folks. We're going to press pause on the recording and pause our cameras and mics. We'll be back at two o'clock Central, that's about eight and a half minutes from now, with hour two, which is our panel of security experts. And I hope you'll join us for that. In the meantime, if you'd like to open up the Q&A in Zoom, look at the questions that have been asked by others and upvote the ones that you would also like to hear answered. We'll be taking your questions toward the end of our security panel, and we want to get those in the order of votes. So thanks for hanging out with us the last hour. We'll see you back here in just about eight minutes from now.

All right, folks, this is your one-minute warning.
We are back in one minute from now.

Welcome back, everybody. We're back for hour two of Disaster Week for 2024. We have our panel of security experts who will be shortly turning on their mics and cameras and popping in here. Good to see everybody back with us. Hopefully during the break you've had a chance to open up the Zoom Q&A and either ask your questions or also upvote the questions of others.

We're waiting on our other panelists to jump in here. Hopefully you can all join us. Timothy is here, Kathy is here.

And Thomas, we don't have your camera.

Hey, there he is. All right.

Well, thanks.

Yeah, thanks for being with us, everybody. We've got a lot of great questions that are stacked up from our viewers today, as well as a number that I've put together for each of you based on your background. So folks, welcome our security experts today. Let me just go around and introduce everybody. First of all, we have Thomas Raef. Thomas is the founder of We Watch Your Website. Thomas and his team have been removing malware from millions of WordPress sites since 2007. Currently, they monitor over 13 million WordPress sites. Thomas loves data and is on the cutting edge of the latest that all the malware folks are involved in. Kathy Zant, of course. We enjoyed Kathy's presentation on the state of WordPress security in the last hour. Excellent stuff. She is an internationally recognized expert on security, marketing and website development. She's spoken at events everywhere, on podcasts all over. You can find her everywhere. Kathy, thanks for coming back for the panel. Timothy Jacobs is with us. He is the lead developer for SolidWP. He is a WordPress core committer and a component maintainer for the WordPress REST API. And last but certainly not least, David Johnson, the product owner for SolidWP. David has been involved in the WordPress community since 2007.
He comes from an agency background where he managed hundreds of WordPress websites. So again, thanks, everybody, for being with us today.

Thank you for the opportunity. Absolutely.

Well, Thomas, let's start with you. So we've had you on a number of different live streams over the last several months, and we have scheduled now at least a quarterly WordPress security roundup with you going forward into 2024, which is excellent. We always benefit from your cutting-edge knowledge of the latest things that the bad guys are doing. I've heard you talk about this concept of defense in depth, or layers of security. Can you talk about kind of what that means, why it's important, you know, what practically is involved in that? Particularly, what should I as a WordPress agency owner be aware of when it comes to layers of security and defense in depth? Okay, yes.

Defense in depth goes back pretty far in the whole cybersecurity world, not just websites. But basically what you have to do is you have to look at the various attack vectors that hackers use to get into your website. So it could be, we talked about stolen passwords, stolen session cookies, vulnerable plugins and themes, things like that. Each of those is like a different layer of security, and you can't just rely on, you know, like, for instance, for plugins, themes and core, you know, a great layer of defense is Patchstack. You know, they do an awesome job. They focus on their niche, you know, which is protecting those, providing updates, letting you know when you're vulnerable in any one of those three areas.

You know, malware removal is one part of defense, although that's a reactive, you know, layer of defense.

Blocking, you know, attack vectors.

I look at outdated user agents, blocking various ranges of IP addresses.
And these aren't meant to be like, you know, the end-all be-all to your security. It's just another layer in the defense in depth strategy.

And, you know, one of my friends, Calvin Elkins, has used, he's the first one I heard it from, because it's like Swiss cheese. You know, Swiss cheese has holes in it. And it all depends on how you stack those slices of cheese; that will determine if a hole goes all the way through or not. So each defense, each layer of defense, is like another slice of cheese, and you stack them all together. If the holes don't line up, you're secure.

So you need your protection.

And then you also need, you know, early notification. So if something does happen, action can be taken. Yeah, very good. So David, Timothy, either one of you can chime in here, but in this concept of defense in depth or layers of protection, or really like the holes in the Swiss cheese, quite frankly, I can grab that. Where does Solid Security fit into that strategy?

Yeah, so I think Solid Security helps with two big ones, which is user accounts, right? You've got to do the bare minimum, right? If your clients are still using a terrible, terrible password, it's not going to protect you for very long. And I'm really proud of our integration with Patchstack. So Patchstack does an excellent job. I think they had 5,000 vulnerabilities reported through them last year. They've created thousands and thousands of virtual patches. And I think our integration with Patchstack works really excellently to bring that feed of data into your site, so you don't have to worry about, okay, let's keep track of all the vulnerabilities ourselves, let's make sure we're on top of every single update, and letting those two pieces come into play.
And then services, like Thomas said, do an excellent job at being reactive and cleaning up when there's an issue and making sure that happens automatically for you, and they all kind of piece together.

Yeah, very good. Very good.

Kathy, so you've done lots of different things in the WordPress space. You've worked on WordPress security from the plugin product side. You've also worked on the agency side. So in your position, you have an understanding of things that a lot of people don't have. So you can relate to a lot of the folks, I would imagine, who are in the audience today. They either have their own WordPress site, or they work for an agency managing multiple sites, or they're an agency owner.

That's busy work, right? We stay busy. How in the world can you stay educated about all these things that you're talking about while you're busy serving clients? How do you stay on track with all these things?

Well, you know, with open source, you own your site, you own everything you're working with, and with that power and that freedom and that flexibility comes a bit of responsibility. It's kind of like you own a car. I know I don't necessarily want to, my husband used to do that for me, take care of the tire pressure, and there's just so much to deal with. If I want to have a car, I've got some responsibilities to take care of it. Unfortunately, same thing with a website. But same thing with your business. You've got lots of different things, right? But I think that being up to date with everything is good practice, because it makes you more security aware for other things that could come into your life, and attacks that might not even be related to your WordPress site, something that comes through SMS message, something that's coming through, you just have this heightened security awareness.
So unlike, you know, taking care of my car, where there's no benefit to me whatsoever with dealing with that other than, you know, not being abandoned on the side of the road, taking care of my site educates me about so much else that's happening in the world and makes me a better digital citizen. It makes me more able to tell my daughter, there's an update for your phone, you need to go update it now, and she's busy on TikTok, update your phone. You know, I mean, being security aware has a number of different benefits to it. So I think it's just one of the responsibilities. You're either going to get hacked and figure out how much of a benefit it is to be security aware, or you're going to be proactive. And, you know, actually AT&T did a study and they found that businesses that are more security aware have better business outcomes. They often have better sales numbers than those who aren't. Of course, they're selling network security to enterprise, right? But I mean, people who are more proactive about things in their life tend to have more proactive, like people who work out, they tend to have, you know, better food choices, those types of things. They kind of just go together. So being proactive in your business for security can also be helping you be proactive in your business with other things. Yeah, very good. Anybody else want to speak to that topic?

Or David, maybe, what are some things that SolidWP helps bring to keep agency owners and site owners educated on the most important issues in security?

Well, I'll say one thing that Kathy mentioned in her first session is true. An advantage of working with Solid Security, and it's Timothy. So we're just going to have a Timothy session today, I don't know.
But Timothy, by virtue of introducing passkeys when he did into the product, and this was long before I joined the team, became the first WordPress security solution to offer passkeys, and I'm confident that that introduced the idea of passkeys to a lot of people who maybe had not yet heard of it. And it remains arguably the most secure login authentication method available. And that's just one example. And so as we continue to think about ways for Solid Security to improve over time and to adapt to the changing landscape, you're going to continue to see us introduce new features and new solutions for the security issues that you're facing. And that's one way that using Solid Security can help you become a better digital citizen all the way around.

Yeah, there's this content, the SolidWP Academy, and going into Nathan's webinars every month, and our roundups with Thomas. This content is an excellent place to keep up to date and share with others. If this is your first time joining us, we do lots of these types of things. Absolutely. So all of our content here on Solid Academy is geared specifically for people who are building and managing WordPress sites for clients. So if that's you, you can stay up to date with WordPress security news with our monthly news roundup, where there's a section on security news, and we basically look at what's out there, the most important things that I as an agency owner think you as an agency owner will benefit from. Also, we do a weekly email that talks about vulnerabilities and the top issues in WordPress security as well. So make sure you're signed up for those Solid updates. Thomas, I think I interrupted you earlier. Was there something you wanted to add here? No, I was just gonna say that, yeah, the work that SolidWP has done, thanks to Timothy, with the passkeys. And also, like you said, I'm still a fan of the trusted devices.
It's just amazing, and it's a great layer, or several layers, you know, in the defense in depth strategy. It's another Swiss cheese. That's just gonna have to, this is, you know, I update my cheese board.

Now I'm getting hungry.

Crackers and cheese.

So, Timothy, let's move over to you. So we just talked about passkeys and how Solid Security was the first WordPress plugin to bring passkeys as an authentication method to WordPress.

It has to be incredibly complicated to develop a security plugin that is both usable for people, like actual people, and stable and staying up to date with all the things that are happening in security. How in the world do you do that? Yeah, it's absolutely the hardest part.

And I'd say there's kind of like two aspects to it, one of which we're gonna touch on a little bit later. But the other is we do things that I think a lot of WordPress plugin developers do who are really on top of their game: we write lots and lots of tests. We have automated checks that happen for basically all the security features in the plugin. We don't want to be thinking every single time there's a WordPress release or a plugin update or something, okay, we have to check all 500 features in security by hand, and worry every day that something might break. So part of that is just following good development practices. I see there's a question in the chat about the uptick in security vulnerabilities over the past year and whether that's in some way part of, you know, WordPress developers not following all of those things. So that's part of it. The other side is that we don't jump on everything. We jump on the things that we do think are going to have a big impact. And we try and really think through what the user experience is for those features. The passkeys.
I think integration is a great example, where we saw that this was the feature that a lot of the big tech players, Apple, Google, Microsoft, are all uniting on and are really pushing as the next big thing. And we've seen over the past year and a half or so, as more and more websites adopt this, we're seeing pretty early on then, okay, this is a place that we want to be; this is a feature that is worth us developing, as opposed to a feature that, you know, might stick around for a little bit, you know, 5% of your users might use, and it's a little bit harder to justify. So we try to be really careful about what features we do adopt, and making sure we're only adopting the amount of settings that we need. We could easily add dozens and dozens and dozens more checkboxes in security that let you do everything. But all of those mean more code for us to maintain. It's more complicated for y'all to understand how to use it. So I'd say that is a big part of the balance. The other side of this is partnerships, which we're going to talk about a little bit later. Yeah, absolutely. And so, Timothy, tomorrow, your session, which begins at one o'clock Central, is going to be focused on looking at some of those settings in Solid Security and how people can reduce their security risk to almost zero. Talk just a little bit about what you're going to cover tomorrow as we get into the details of the plugin. Yeah, we're gonna be doing a tour of some of my favorite features in Solid Security. We're gonna be learning about vulnerability management, virtual patches with Patchstack, two-factor, still a good thing to be using and enforcing for your sites, and also look at passkeys. So we're gonna be taking a kind of high-level overview of a lot of different features. And these are also all things that we have a lot of good content in the bank for. So if you want to see a whole hour about trusted devices, we got that like two weeks ago.
We did a whole hour about passkeys a couple of times, so there's lots of back catalogue stuff, but this one is going to be kind of an overview of some of my favorite features in Solid Security. Yeah, very good. So that's coming up the first hour tomorrow, one o'clock Central time. And David, let me bring you in on something as well. You got a really cool title, which is product owner at SolidWP, right? So your role is kind of to translate users to developers, right? Like, how do we create product? How do we interface with the actual users of our product and our development team? So talk just a little bit about how people, even folks in the audience today, can contribute to the ongoing development of Solid Security? Absolutely. I mean, there are two key ways I'll mention, the most important of which is just to reach out. We want feedback. And of course, we get feedback in the form of support tickets, you know, when there's something broken or there's an issue, so we hear about those, but we also want to hear from you with feature ideas. Now, we've already surfaced one during Kathy's session, you know, like, hey, here's an idea for Solid Security. And so those are the kinds of things we want to hear from you. It's important for us to know that we're building what you use, what you want to use, what meets your needs, and so we want to hear all the things. But the second way that I'll mention, aside from just reaching out, and you can do that, I should mention, lots of ways, and we'll share my email address. You can just hit me up that way as well. It's david@solidwp.com. So just write me. If you have a support issue, talk to support; they can help you much faster than I will. But if you have a feature request or feedback or whatever, I want to hear from you directly. That's one way to do that. But the other way that I mentioned is that we rolled out something that we call opt-in data sharing, and it's about your usage data.
This released in Solid Security in January. It's also in Solid Backups. And if you enable that, it allows us to understand a little bit more about your site. We don't collect any personally identifiable information. What we do is gather lots of details about your hosting environment and so forth. And we do take a look at some of the features you've got enabled and that sort of stuff, but again, we don't see any sensitive information. What that does is allow us to understand what features are being adopted, what features may not be as well adopted. And it also gives us a measuring stick to know, like, if we release a feature that drastically improves site security and no one turns it on, then we've got work to do. And so there are lots of ways that that helps us. And so I would encourage you, if you've not yet enabled usage data sharing, it is an opt-in, and so it's purely your choice, but we would invite you to do that because it does allow us to learn a lot. It's a way to vote without having to actually contact you; it's automatic. Yes, yes. Excellent. So David, follow-up with you. Let me just ask you this. Your background prior to coming to Solid and doing some other things: you were with a large agency. You were managing hundreds of WordPress sites. What did you learn in that experience that could be helpful to smaller agencies or solopreneurs as they're thinking about maybe scaling up or doing what they're doing better? Sure. So I went on the journey from being the owner of what was effectively an agency with five people to being inside the web team, and later at or near the top of the web team, for a 250-person agency. And so that scale was kind of staggering. And one of the things that I quickly learned was that, especially where security is concerned, since we're focusing on security for today, I will say that some of the basics still applied.
You know, you have to clarify in your agreements who's responsible when something goes wrong with a site. You know, do your clients know that security is partly their responsibility? And, you know, one of the issues that we would run into when I was completely in charge and it was my business: if I hadn't properly educated clients on the need to patch plugins or to use better passwords or whatever, then I always felt like there was some responsibility that I needed to take on when a site got compromised. But at scale, when you have a team of dozens of support staff and you're managing hundreds of sites and something goes down, you know, we would scramble to get sites back up, but then the question became, like, is this work billable or not? And if so, you know, why did we create code that was faulty, that our web build team developed custom stuff, you know? So there were a lot of gray areas around responsibility. So one of the things that I will urge anyone watching this, if you maintain sites for clients or you build sites for clients, is to be super clear about the risks involved and the security issues that your clients will have to face, and what your responsibility is and what their responsibilities are, and the clearer you can make that, the better. And that applies at any size. But one of the things that got incredibly complex, that I didn't really fully appreciate until I was in the middle of it, was that we had to do quite a bit of work at that scale around managing roles and responsibilities, and making sure that our protocols and our procedures were actually being followed. Things like, you know, in a 250-person agency, knowing which of our 250 people needed access to a given website. That was a big deal. And what happens when you offboard an employee? Do you have the ability to kill all of that employee's access to every website that they were connected to, all at once?
Or do you have to go through hundreds of sites and check? You know, so there were a lot of systems and ways that we had to scale, but there was one other piece that sort of became clear for me, which was, when we were a larger agency, we attracted bigger brands. And so our SEO team, for example, might land a big account where the corporate headquarters is overseas, and they have hundreds of staff that need access to a WordPress site. And so the complexity of, and the amount of leverage we did or didn't have to institute policies or do things the way that we did them, that all got really difficult to manage really quickly. And so it really requires some thinking through, and if you can put some solid procedures, if you'll excuse the intentional Solid pun, if you can put some procedures in place at a smaller size and really think through those processes, then it will help you a lot when you do scale up and land bigger accounts or have more and more, you know, sites to manage at that scale.

And so those are just a few quick thoughts about managing things with larger volume that, you know, weren't necessarily obvious until I was in the middle of it. Yeah, really great insights. And, folks, if you're serving clients, that's gonna be the focus of our second hour tomorrow. I'll be talking about how do you talk to clients about security, and really, how can you leverage WordPress security as a service so that you can build your recurring revenue in your agency. It's really important, and I'm looking forward to that conversation tomorrow. And again, that's in the second hour, starting at 2pm Central.
And I'll just add one quick thought on that, which is that offering security as a separate part of your care package, you know, as an add-on or whatever, with a clearly defined offering, is one simple way to make it clear to clients that there are things that are not included in your basic support.

Yeah, yeah, very good.

So let's turn our attention to a story that really made a lot of headlines and created a lot of conversation in the WordPress security space last month, and that is the vulnerability in the Bricks plugin. And I want to be real careful here, like, I'm not trying to disparage Bricks, because a vulnerability can happen to anybody, right? But it's in our recent thoughts, and I think it's instructive. Never waste a bad situation, right? So what can we learn from this vulnerability that happened that we can take away? So first, Kathy, let me just ask you.

If you're a solopreneur and agency owner, and you know there are just vulnerabilities that happen, how do you, again, it kind of goes back to, how in the world do we stay informed on these things when we're just trying to do our work? Yeah, that will happen so quickly.

And so quickly. Crazy.

Calvin Alkan, who was the one that found the vulnerability, had messaged me and invited me into the Bricks group on Facebook, and the conversation was just, like, it was crazy. And there was a lot of interesting advice that was being given to people of what to do to fix their sites and what was happening. There was a lot of misinformation that was flying around.

I think, I've thought about this a lot, and I think it's really important: if you are committed to using a tool, if you are using Solid Security, make sure you're on the Solid Security list. If you are using Bricks, get on the Bricks list.

Embed yourself in the community, and this isn't just for security vulnerabilities.
This is for new features that are coming. Software, to me, has really become, especially in the WordPress space, community driven, you know. All of, David, you watch what people are talking about, about the product, about what's happening in security, and you kind of shape where the product's going.

It's not just like, oh, this guy over here is creating this product. It's like, no, embed yourself with the community, with the team, so that the people who are creating these products understand what you need, so that you can be informed of what features are coming. You can be informed of, maybe I should wait on this very large update that's coming from WooCommerce. Just those types of things. Just being embedded in the community of the products that you've chosen for your stack, I think, is just incredibly important.

You just want to be the first to know what's going on when it's going to impact your business. That's such great advice, and we'll talk a little bit about some of that sketchy advice in just a minute. But others, what would you say to agency owners, solopreneurs, that are building sites for clients about staying engaged with a development community? How do you get informed about these issues? So this is something I'll be touching on tomorrow. But I think this is one of the places where tools like Patchstack and virtual patching become key. We saw exploits for Bricks happening within 24 hours of the fix actually being published. Imagine you were on vacation when this happened. It's gonna be a problem. So this is one of those places where tools like Patchstack and virtual patching can be so helpful, because they will automatically push out a fix for your site that is laser targeted just to prevent this vulnerability from being exploited. You don't have to worry about, okay, do we need to test this update? Do we have a process in place? Are we on the plane right now?
Or is it 1am and I'm sleeping when this vulnerability drops? They'll be there to protect you much faster. So I think that's where adding in additional tools is really helpful for protecting your sites' security, particularly once you have hundreds of sites that you need to manage. Yeah. Great. Anybody else? Yeah, one of the comments that Kathy had touched on earlier was the communication between vendors. And, you know, I think of, you know, had Calvin worked with somebody other than Patchstack and the whole responsible reporting procedure and so forth.

You know, would it have had a worse impact? You know, would more people have been vulnerable?

So, yeah, the communication that Kathy talked about in the previous hour, I think is real key. How you make that happen, that I have no idea, but you know, it definitely needs to be, especially when it comes to the patching. Years ago, when I first heard people talking about virtual patching, I'm like, why? Why virtually patch? Why not just patch? You know, reality patching, let's call it. We got virtual patching and reality patching. But, you know, I mean, something like Patchstack, where you can't stay on top of it by yourself. You need something like Patchstack, and I think the integration that SolidWP has done with Patchstack, to me, was just amazing. So I'll leave it at that.

Yeah, I remember when this, which I think, at least for me, I think it was like 2016 or something, where there was this huge group of vulnerabilities. And it was at the time where people were saying, hey, if you hadn't done an update within eight hours, you should consider that your site has been compromised. And I feel like, at least in my mind, that is when things really started to switch, like attackers are moving very, very fast now, and just updating, you know, the next day, or two days later, or if you say, hey, we apply updates every Monday, it'll be fine.
Let's just wait until then. It's not enough anymore. Well, if I could add one other thing, it might be a little controversial, but I'll put it out there.

We actually saw some attacks happening to that API endpoint in Bricks on February 7.

But we didn't know what it was. You know, we monitor the database, we monitor the files, the access logs, so we could see the traffic, and then we see changes in the database and in the files, and we're like, you know, how is that happening? And before we, at that point, we did not have a procedure for bringing somebody else in. You know, had I known what was happening, or had I realized what was happening? Nobody reached out to Calvin at that moment. Now.

There were things going on in the WordPress community.

Questions being asked about themes that include embedded code and so forth. So was that a tip-off? I don't know. But, I mean, from the time information was asked in the communities until the time we started seeing that traffic was less than six hours, and then once it was announced, yeah, I mean, it was like, I think Kathy mentioned in her previous talk, like five hours from the time the patch was announced until, you know, all hell broke loose.

Yeah, things are moving so quickly these days.

You have to have a tool that's doing these things for you unless you just don't want to sleep ever.

Right, which is not sustainable. So let's go back to something that Kathy mentioned at the very beginning of this conversation, which is, you know, some of the social media channels were talking about this exploit, and there was advice that was being given that was not the best. So I'll just open this up. Whoever wants to jump in.
At what point should you try to fix a problem yourself versus bring in an expert?

Why don't we start with Thomas. Thomas is a little biased on this.

But, you know, I mean, we've been, you know, working on WordPress websites since 2007. So, you know, Nathan, I've known you for years and years.

So there are people out there that have a good strategy.

And they're aware enough of what their shortcomings are.

To be able to tackle it on their own, you know, so in a DIY, do-it-yourself scenario, some of those places and some of the large agencies have, you know, staffs of people that focus on, you know, malware remediation, and, you know, I have no problem with that at all. There's obviously gazillions of websites out there. But the done-for-you, when people are asking, you know, hey, what steps can I do to know my sites are hacked? And especially with this, I mean, this was, you know, they were adding admin users, they were embedding code, depends on what hacker group was attacking at the time, they were dumping Perl scripts outside of the WordPress folder structure.

So there's stuff that you can't explain to people, because they're gonna start deleting stuff, and like, oh, you gave me bad information, and now my site doesn't work. I had to restore, and now I gotta rebuild the site, and, you know, blah, blah, blah. So, you know, the DIY versus the done-for-you, the DFY, has to be carefully examined, and, you know, people that are asking, like, you know, what steps should I do to clean my site?

Well, you know, if you're asking those questions, you should probably have somebody do it for you. That's just my opinion.

Yeah, good.

Who else would like to chime in on this?

It's been a lot, perfect for me, is that, you know, if you need to ask the question, you can't afford it. If you need to ask the question on, you know, how to do the cleanup,
I think it makes sense to use an expert. I think it's great to learn and practice, you know, maybe on your own personal blog or something like that. Install an old version of Bricks and let your site get hacked and try cleaning it up. I would never do that, though, for a client site, right? I would be working with an expert to make sure that that site is getting repaired. It's so easy to miss just one thing, and you miss just one thing, and it's way worse to tell a client, okay, I thought I cleaned up your site yesterday; it turns out it got hacked again. It's one thing: okay, your site got hacked, we fixed it.

Day three, it got hacked again. Day five, it got hacked again. Day seven. That's when things really become a problem.

And we weren't getting, oh god.

I don't fix my car. I'll clean a hacked site, but I won't fix my car. Know your limits. And can I just say that I was shocked to see that people are still putting like 550 sites in a cPanel? That's still happening, I thought.

So yeah, that still happens. So one site, one cPanel. I just, that'll be my mantra for the rest of the day, like a shirt. Yeah. Yeah, exactly.

Yeah, it's a lot like, the car analogy is great, though, because there was a time when you could just climb inside the hood. You know, you open the hood, you climb inside the engine compartment. There was room to maneuver, and now you can't even fit a hand anywhere. And, you know, technology has changed, but we sort of all started, well, many of us, I don't know, Timothy might be too young for this, but we started at a time when it was possible to just dig in, you know. TimThumb, Kathy, you mentioned TimThumb. I found the first YouTube video I ever uploaded about WordPress was in August of 2011, when I had found a TimThumb vulnerability on my WooThemes sites, and, you know, had to deal with that. That's how we all learned.
And so, today, though, the complexity of the attacks and the sophistication of the code, the malware that gets uploaded, once a site gets compromised, it can be nearly impossible for someone that is not a pro to find all the ways in which a site got compromised. It's just a different world.

And I'll say that, even today, we're getting people who are infected with the Bricks vulnerability coming to us because their sites, as Timothy mentioned, get hacked one day, another day, another day, another day. And, you know, until you find it all and get rid of it, it's just going to keep happening.

Absolutely.

Well, let's turn our attention to some of the Q&A that's come in from folks in the audience, and we'll wrap up today, if it's alright with you all, with the discussion about the collaboration topic. I think that'll be a good way to end our panel. We have a bunch of questions that have come in. There are 20 questions open right now. Folks, if you haven't done that yet, please open the Zoom Q&A. Take a look at the questions that are there. Upvote the ones that you would most like to hear the answers to, because we're going to take these in the order of upvotes. And of course, if you have a question, just drop it in there. Let's start with the first question from Kay. There are plugins that allow you to add code snippets to WordPress; there's a bunch of different ones. Are those risky to use on a WordPress site? Or maybe we could say, are they more risky than other types of plugins? Timothy, you want to start with that answer, then we'll open it up. Sure. I'd say "more risky" is the thing to identify; risk isn't binary.

So it's thinking through what the threat model is. I would say one thing that's very important: if you try and submit a plugin to .org, and maybe this is a bad thing, I think it's a good thing, though.
If you try and submit a plugin to .org today that is duplicating the functionality of Code Snippets, they'll tell you no. They'll say that, hey, we already have a plugin in the directory that does this. This is an extremely important thing to get right so you don't open up a huge vulnerability on your site. They're confident that, hey, that plugin works well.

That's it, the barn door is shut on new plugins being added to .org that do this. So I'd say Code Snippets is a plugin that I use, and I use it frequently on sites when I just want to have some simple snippets available and turn them on and turn them off. You might get code snippets from plugin developers that say, hey, we have this filter that you can use. We're not going to add the checkbox, but you can use the Code Snippets to manage that for you. I think Code Snippets is a fine plugin. The thing to think through is, like, the attack vector. If you say that Code Snippets is a securely developed plugin, and doesn't have any known vulnerabilities, and if vulnerabilities come up, they'll fix them promptly, then the thing to think about is, what would the impact of having that plugin installed on my site be? And I think the thing that most people would think of is that, oh, this means that there's a really simple way for someone to just get into my site and add PHP code. And that's true. But unless your site is already locking down, for instance, plugins from being installed, they can simply just install a plugin that has whatever malware and malicious content they want to include. So I would say think through what your attack vector is; that is always the important thing to conceptualize. And if you are a person who says, hey, we locked down all plugins on our site, they're all managed by Git, let's say we do a Git deploy.
And part of that is for being able to say this is exactly what the content on that site is, but it is also a security benefit if you are locking down the file system from being modified. In that case, I would say that installing a plugin like Code Snippets is opening up a new kind of vulnerability, so to speak, in your site, because you've taken an extra step, or detached, to protect your site. But I'd say in most cases, plugins like that are fine to use; just use the reputable ones, not the one that was $5 on CodeCanyon.

This risk is not binary. I really, that's great. Yeah, I love that too. That's awesome. Yeah. Anybody else want to weigh in on that question? What do you think about code snippets as a whole? There's a plugin called Code Snippets, but as a category, the code snippets?

I think personally, it's one of those that goes, as Timothy mentioned, you know, for the knowledgeable devs, you know, could be a good thing. But at the same time, I think that some of these things get passed around too much.

I talk to people all the time, and like, oh, my dev said that somebody on one of these forums recommended this, and so we put it in, and, you know, like, okay, well, that's how your site's getting infected. So, you know, maybe consider, you know, do you really need that?

So, yeah, they have their place, but again, that's for the more experienced DIYers, not the newbies. Yeah. Good. Thank you, Thomas. Okay, here's a great question from Dan, and we get this from time to time during the news roundup, because every month we look at the Solid vulnerability report. We see the numbers of plugins that are vulnerable, the ones that have been fixed, the ones that are still vulnerable, and it used to be, I clearly remember even last year, there were 30 plugins that were vulnerable this month or whatever. And I actually used to read those one by one, right?
Now there are routinely 150 to 200 plugin vulnerabilities each month. So Dan's question is: I've never seen as many vulnerable plugins as I've seen in the last six months. Is this from not enough people knowing how to properly build plugins and make them safe, or what is at play in this? It's like a hockey stick of vulnerabilities that have come about. I have a lot of opinions on this one. Jump right in, try and keep it short.

Because there's a talk that I've been ruminating over for a long time about writing secure WordPress code. But I'll say this one thing: this is kind of a measurement sample issue, I would say. I don't think plugins have become more insecure in the last year. I don't think that, you know, suddenly we knew how to write secure software five years ago and now all of a sudden we stopped. What's happened is that there are programs from companies like Patchstack, from Wordfence, others, I think Trend Micro might have them. There are a lot of organizations out there that are offering bug bounties for security researchers to find vulnerabilities in WordPress plugins, submit them, and get paid for them. Not even from the vendor. Liquid Web, for instance, our kind of parent company, they have a bug bounty program, and you can go over there if you find a vulnerability, submit it to them, and they'll go through that bug bounty process. But a lot of WordPress plugins that are just maintained by single individuals or small teams, they might not have the resources like that. So I think that's been a huge uptick here, is that security researchers are now incentivized monetarily to find these problems. And I think that's been one of the great things that companies like Patchstack have done in the past year, is creating these open bug bounty programs to reward security researchers for doing something that previously you had to kind of look into finding a plugin that had this bug bounty program set up and do all those conversations about it.
So I think that is a huge, huge beneficiary, huge beneficial thing that we've seen in the past year, and a big reason for part of the uptick.

The part that I'm not going to dive too much into is, I do think there is an issue with how we write about writing secure code. And there was a vulnerability, I think Wordfence talked about it yesterday, in a plugin where a plugin author was applying esc_html and esc_attr too liberally; they escaped something twice, and that second escaping caused an issue. And part of the reason why that second escaping was probably there: it might have been flagged by tools that say, hey, you need to add extra escaping here. And so I'll find, for instance, lots of vulnerabilities, not naming names, but plugins that will have specific fixes in place to, let's say, sanitize some code, and they call a sanitize function in WordPress, but that isn't the correct thing to sanitize there, or sanitizing it isn't even the actual attack vector. So I think we don't do a great job about talking about how to write code securely. And a lot of times the things that we say are just, well, write esc_attr every single place that you're writing any piece of code, and that'll fix the problem for you.

But that's a thing for a talk or a blog post or something.

But I will also just say it's hard. It's hard to write secure code. But I do think there are things we can do as the WordPress community to make it easier. Yeah, really good. Anybody else want to weigh in on that? I think there are too many people.

Along those same lines, all of a sudden they think they get an idea for a plugin, like, oh, yeah, this one will sell millions. And they, you know, jump in, download some, you know, watch some YouTube videos on how to create your own WordPress plugin, and start writing code and then put it out there, and people like, oh, yeah, this is the greatest thing since sliced bread, and so on, so forth.
And it just goes from there. Sliced Swiss cheese.

Boom.

Yeah, they just asked ChatGPT to write the code for them, package it all up, and boom, yeah.

Yeah, there was a long time when, and it was really just by the actions of, like, a couple, I think even just one person, where if you went into Stack Overflow and you were like, how to write some PHP code to do something, it would just have SQL injection vulnerabilities, or you'd just have encryption implemented in a completely wrong way. And there's been lots of people just writing content about how to do this thing, and you Google that and you'd come across something that was insecure.

For the most part, those have now been fixed on sites like Stack Overflow through the hard work of dedicated volunteers going through every single PHP answer about how to insert data into a database when someone submits a form, or how to implement a login process securely. But it's still very easy to make a mistake.

Anybody else on that topic?

All right. Next question up is from Jean. This is a really practical question. So what would you all recommend as a good, reliable way of passing secure information to and from clients, assuming they don't have a secure password app installed, and maybe they're not tech savvy? Kathy, why don't we start with you on that one?

I would set up, like, if you had to do that, and they absolutely refused to use password managers and whatnot.

Well, for setting up WP admin, they shouldn't be sending it. They should be setting up an account for you and then having you set your own password.

But for, like, FTP and things like that, you can do forms that encrypt and send it via PGP, so that you can get an email with those credentials and then just decrypt that with your PGP key.
So that would be my recommendation for people transmitting.

But I would, yeah, that's part of our job is to educate everyone that they should be using some method of secure password storage, like 1Password, or, all of the major password managers allow you to share credentials, those types of things. So I would strongly encourage that they do that.

Good. I get a lot of people, we get a lot of people who obviously have to share their credentials with us. And it's always amazed me that so many people just, oh yeah, what's your email address? And they just send them to it, you know? And what I encourage people to do is, if you're gonna do that, because it's easy for you and you just want to wash your hands of this and put it in our hands, that's fine. But once we've started what we need to do, go back in and change your password. You know, cut that, it's like, you know, logging out of your WP admin session to kill the cookies. You know, just cut it off at the knees right there. And we'll take care of our stuff; it's very secure, I'm sure of that.

And so, just change the password and you're done.

You could get them to just take a picture of the password written on the sticky note on their monitor and just text it to you, right.

Absolutely. Post it on Twitter. Actually, that'd be a great way to get a Twitter tag. We do sometimes recommend using a tool like onetimesecret.com, which is a great way to encrypt something and prevent it from lasting long. But one recommendation I always make to people is, even if you're going to do that, like, do we know who's running that server? Do we know that they don't keep that data? Separate the lock from the key, so send me a username and an email, and send me only the password using onetimesecret.com with no context whatsoever, you know what I mean? So at least use a little bit of wisdom and Pig Latin.
Yes, please do that also.

One of the things Kathy mentioned I think is really another one to highlight, which is, it's been a long time since I've done this type of client work, but I would hate it if a client sent me their Stripe username and password. Invite me to your Stripe account. There are so many tools that just allow you natively to invite a developer, invite a user, and I so much prefer that. Just invite me to your WP Engine or Nexcess account. Don't give me your Nexcess hosting credentials. If you don't need to, use the tools built into the platform like WordPress to create a WordPress user for your developer. Don't just send them your WordPress admin username and password.

Very good. Delegated access. The worst was when I sat down next to someone at a meetup and they're like, oh, here's my password. I use it for everything.

My, my.

Yeah, my favorite password. Yeah. How many times I've heard that from clients. I can't change that. It's my favorite one.

I'd have to change it everywhere. Yeah.

All right. So a great question here from Chris.

Chris is wondering, so talking about the stolen session cookies issue. Thomas, you've written extensively about this, and you had a great livestream with us several weeks ago about it that just frankly terrified me to the core. But thank you for that.

Is there any movement with browser developers? Can this problem be solved at the browser level of dealing with a stolen session cookie compromise?

I think it probably could.

But I don't see, I know at one point the folks at Mozilla were working on some different things. But then they had some, this goes back even a couple years ago.

They had some shake-up over there.
And things changed and people got moved around and it just kind of got dropped, but I know that they were looking at it, some different forms of encrypting the cookies, you know, and encrypting the messages and so forth, so that it couldn't be so widely used. But, you know, even to this day, though, you know, short offshoot here.

We're still getting customers that have hacked usernames and passwords. You know, it all has to do with the various layers of Swiss cheese. And one of those layers is your local device that you have to protect. I don't care if you're on a Mac, I don't care, you know, maybe Linux you don't have to worry about too much. But any platform that you're using to log in to sites, it's got to be secured.

Yeah. And circling back to something we mentioned in the last hour, which is the importance of the Trusted Devices feature in Solid Security. It's one of the only WordPress ways to deal with that exploit. And Timothy and David did a great livestream with us a few weeks ago just about this where Timothy hacked himself; it was quite something. Or Timothy hacked David, actually. You can watch Timothy hack my website in real time, and I was crazy enough to install a browser extension that he sent me to facilitate this. So Thomas, if you haven't seen that, it's worth watching. But the one thing I'll say is, do take the time, if you're concerned about stolen session cookies and protecting yourself, take the time to either watch that webinar or thoroughly understand how to implement the feature, because you can enable Trusted Devices, and if you don't enable it all the way, so to speak, it won't stop stolen session cookie attacks from working. There are a couple of layers there and we just want to make sure that you're really thoroughly understanding what's involved.
So that was the big impetus behind that webinar and behind me allowing Timothy to hack me in real time. To be fair, he did have you opt in to the hack. It was an opt-in hack, that is true, and I appreciated that, but also I sandboxed that extension when I got it just because, you know, Timothy is just there looking sly, he's not saying a word.

He's like, I still have access, David. Yeah, he exfiltrated all my credit card numbers and everything.

Oh goodness. Yeah. So the link for that livestream is there in the chat if you didn't see that. It's really, really quite good.

Back to the questions here. Another question from Chris. Chris says he's a WordPress developer who serves numerous clients. In my experience, the weakest link in security is always the user. Absolutely. What can you recommend as far as resources that we can share with our clients to get them to take security seriously, without scaring them to death? And I'll just kind of add to it, like, is there? Maybe scare tactics aren't always bad, maybe a little scare isn't so bad in this case? What do you think, Kathy? Want to start with you?

My YouTube channel.

Kathy, it's just education, right? It's being aware, like it's just being aware, really, of that opportunity. Hackers are opportunistic. They're gonna look for vulnerabilities. And it's just education. There's a bunch of us, there's tons of educational opportunities on YouTube.

And I would, if you're an agency, I would assemble, sort of as a part of an onboarding, like, here's a new client. Here's how we do things. Here's how we transfer credentials. Here's how you're going to only have editor access, if you feel like that's, you know, whatever your protocols and procedures are for onboarding a new client, build security awareness into that. And if they have any kind of, you know, pushback whatsoever.
I mean, it's a red flag.

True, but it's, you know, it's the ones who, nobody wants to learn. When I was doing security marketing, nobody wants to hear about it. Nobody wants to hear about security until they hear that their neighbor got broken into; then everybody wants the security system on their house. Same thing with WordPress. When that Bricks vulnerability happened, everybody wants to know, how do I protect myself? What's the best thing I should be doing? I want to know about all, you know, lots of bad advice on Facebook, that's for sure. But I would really make security education, it's gonna differentiate you. I mean, agency work, I know, is incredibly competitive. When you start building security into not just the onboarding process, but also into the sales process, that you take it seriously, they're going to be like, oh, well, why isn't that other agency talking about any of this stuff? Is there something out there they don't know about? And they'll ask questions. So build security into your processes. Really good. Anybody else have advice?

Thumbs it up.

Good. Well, folks, we're coming right up to the top of the hour at the end of our livestream today. But I do want to circle back to something, Kathy, that you mentioned in your presentation, which is the importance of collaboration between companies and users in the WordPress space to make everybody more secure. So there seems to be, and I've kind of noticed this as well, this trend in WordPress security where, you know, some companies are resistant to collaboration.

How can WordPress, Kathy, in your opinion, you can kind of start here and others can chime in, how can WordPress security vendors work together to improve the safety of everyone in the WordPress ecosystem?

Well, there's some that are looking at what Solid and Patchstack are doing.
They're exhibiting sort of good stewardship of WordPress security by the fact that there's collaboration happening.

Patchstack is really great at some things. Solid Security is really great at some things, and they're cross-pollinating information. There's communication happening, there's sharing of information, security.

All security is communication. A security researcher finds a vulnerability, communicates it through the secure channels, communicates to the developer, communicates the proof of concept to the developer. That communication has to happen. Collaboration has to happen. Collaboration is the undercurrent of good security. So I mean, there's some companies that work better together, I think, than others, which are more cloistered and have their way of doing things and their way of communicating, but I'm seeing some that work really well together.

You know them, not to get biblical, but you know them by their fruits. Right. You can tell what's going on, you can see the actions that people are taking. Make good judgment as a WordPress user and choose to work with the companies that are collaborative, that are putting the needs of users ahead of competition. When you go to a WordCamp, you've got hosting companies lining up the hallways of the sponsor area; everybody is there. You don't have GoDaddy doing pot shots at Liquid Web, well, maybe you do, but everybody knows each other. They support each other. Our community is collaborative, we work together, and security needs to be a part of that. And the security teams and all of the security vendors and security educators, they need to be collaborative as well. It's what makes WordPress strong.

Excellent.

Who else wants to weigh in on that? Yeah, Kathy's mic drop. Yeah. I echo everything Kathy said, and to touch on it from the lens of the questions you were asking earlier,
Nathan, I think it's what allows us to work on cool features at Solid Security as well as being able to partner with other vendors. Patchstack has created thousands and thousands of virtual patches.

That's work that then only had to be done once and could be shared with Patchstack users and our users, and lets us work on other features like Trusted Devices or passkeys and things like that. So I think developing those key partnerships and open communication between different services lets us build tools that help protect site owners more than they could if we were all operating 100% independently and we had to build the same thing 15 times. Yeah. Great.

Anybody else before we wrap this up?

Great information. Yes. I really appreciate each one of you and your expertise and the flavor you've brought to this conversation. Really, really appreciate all the great advice. There's a lot of thank yous happening there in the chat as well.

Let's see. Timothy, you're back tomorrow to start things off, walking through Solid Security. So we're looking forward to that, and bring your Solid Security questions. I know there are a couple of Solid Security questions in the chat that are specific to our plugin, and I'm gonna have plenty of time to answer those tomorrow. Yes. So yes, absolutely, I will walk through all those settings. And in the second hour tomorrow, I'll be talking about the client side of this and how do you talk to your clients about security, for education, for information, also, you know, how can you as an agency owner or solopreneur package security into the services you offer to build recurring revenue. So it's gonna be a good day tomorrow as well. Kathy, Thomas, especially thank you both for being with us today. David, your expertise has been excellent as well. Kathy, Thomas, let's wrap up with, Kathy, if they want to get more of you, where do they find you?

I'm everywhere.

Literally, you are.

Kathy Zant.
I am faster than the other Kathy Zant that is out there. So I grabbed my name everywhere. So just follow me. I'm really trying to put out more security content on YouTube because that's kind of a fun thing. But LinkedIn, Facebook, I'm still in the Kadence community and still very much a fan there. So hit me up there. Very good. And Thomas just dropped the URL for We Watch Your Website in the chat. Quickly, you offer a free service to anyone who wants to sign up for monitoring for malware, any bad things happening to the website. You want to talk briefly about that? Yes.

It's free. You can think of it as a free intrusion detection system. We don't protect anything on the free plan, obviously, but we monitor your database, your files, the processes, you know, if you're on a server, we can do it live.

If you're not on a server, if you've got a shared hosting plan, we do it once an hour. It's very good. And one of the great things, especially if you're an agency owner, solopreneur, you have your own server or account where all of your clients are hosted, We Watch Your Website offers a single price to cover that whole server, all the sites on that server. So it's really quite good. And if you want to learn more about that, wewatchyourwebsite.com. So thanks again, Thomas, for being with us today. You bet. Alright folks, that is gonna do it for us. We are back tomorrow, again 1pm Central, for a walkthrough of Solid Security, and until then have a great rest of the evening. We'll see you back tomorrow on Solid Academy where we go further together.

So again, welcome. If you are just joining us, open up the chat and say hello and let us know what your biggest takeaway from day one of Disaster Week was, something you learned that maybe you didn't know or just a big aha moment.
We'd love to hear from you in the chat with that.

Right, captions should now be working for everybody.

Jeffrey needs to convince clients to make security a priority. Yes. We'll be talking about that in the second hour today.

So, Doug learned yesterday, Timothy, that you were born with a keyboard in your hands.

Is there truth to that rumor?

You know, it's just that there's Apple keyboards. They're very good, very portable.

Love it. Oh, gosh. Welcome back, everybody. Glad you're here. If you're just now joining us in Zoom, open up the chat and say hello. We're asking what your biggest takeaway was from yesterday. Heh, David needs more Swiss cheese in his life. Yeah, maybe so.

The slide button on the link bundle is going back in the chat now if you want to download either slide deck from either hour today; you can do that. The replays are up from yesterday if you want to go back and rewatch those. There's also a discount code for Disaster Week. Use that code, disaster week, for 40% off the Solid things.

We'll have more information about that at the beginning of the next hour. Hey Tanya, welcome from Finland.

Good to see George from South Africa.

Missing Dan, welcome Kenna. Doug. George. Yeah, welcome, everybody. Glad you're here. Hey, Stephanie. Manu.

Alright folks, we're about three and a half minutes away from getting started officially. Welcome back to Tea, Sherry, Melissa, Bonnie. Good to see everybody. We're asking, the check-in question today is what your biggest takeaway from day one of Disaster Week was. You learned something interesting yesterday in the last sessions; we'd love to hear from you. I'm also going to drop in the chat the link bundle again for today's session one and two; slides are there waiting if you want to download those.
And of course the discount code, disaster week, 40% off all the Solid things.

Be the cat.

That's great.

So we're just about ready to get started. Just a few minutes away, Timothy is going to be talking in the first hour about reducing our risk to nearly zero with Solid Security.

Augustine, welcome. Glad you're here. Hey Sue, Kay, Glass. Welcome everybody. Phoebe, yes, sign out of all the websites. That's really a good thing.

After Thomas Raef came on a few months ago and scared the pants off of me with that session cookie stealing hack, I am logging out of everything religiously. I had a bad habit of not doing that.

Hey, Rob, welcome.

Murray, welcome. Glad to see everybody. If you're just now coming into Zoom, open up the chat, say hi. We'd love to hear what your biggest takeaway from yesterday was.

Yes, SIM porting, Sherry, that's another big one.

The link bundle is in the chat if you're just joining us and you'd like to download the slide deck for the first or second hour today. Those links are there waiting on you in the chat. We're gonna get started here in about a minute and a half from now. Timothy's got a great session lined up about walking through the settings in Solid Security that can help you reduce your risk to nearly zero for your WordPress site.

Yes, Sue, great idea.

With Kathy's hint, her pro tip on the four digits of the password. It's good stuff. Kathy's checklist was excellent.

Just about a minute to go now, folks, glad you're all here. We've got a couple of great hours of security conversations coming to you today. Timothy in the first hour talking about Solid Security and the settings that can help you reduce your risk to almost zero. And I'll be talking in the second hour about talking to clients about security, the business side of all of this, so we should have some fun today. The slide decks are there in the chat.
If you're just joining us, open up the chat and say hi. All those links are there waiting on you, as well as the replay link from today. If you missed yesterday, we had an excellent presentation from Kathy Zant giving the state of WordPress security. I'd invite you to go back and rewatch that; it was quite good. Also, we had a great panel of security experts. Really good discussion and comments on some of the big issues going on in WordPress security. So if you missed that, the replay is up from yesterday. And we'll have today's replay up about an hour after we finish as well. Welcome Christian from Quebec.

Just about ready to get started. Hi Eddie. Yes, watch the replay. It's out there ready to go. Really good stuff from yesterday. All right, it is now three minutes after, so let's get the recording started and we'll dive right in.

Welcome back to day two of Disaster Week for 2024 here on Solid Academy. My name is Nathan Ingram. I'm the host here at Solid Academy, joined today by Timothy Jacobs, the lead developer for SolidWP. Welcome back, Timothy. How are you? I'm doing good. Thanks for having me, Nathan. Yeah, we appreciate your wisdom on the panel yesterday. We had a great discussion with you and Kathy Zant and David Johnson and Thomas Raef from We Watch Your Website, really good conversations there. And today, you're going to be talking to us about Solid Security and what we can do to reduce our risk to nearly zero. Want to give us kind of an overview of where we're headed in the next hour or so?

Yeah, so we're going to spend some time talking about some of my favorite features in Solid Security. We're going to talk about some of the threats that are facing your website and how you can use those features to help protect yourself. And then we'll have plenty of time for questions and answers, either about Solid Security in specific or security in general. Yeah, very good.
So our lineup today: Timothy will speak and we'll do questions for about an hour here, and right around the hour mark at two o'clock Central time, or however that translates to wherever you are around the world, we'll take about a 10 minute break and then I'll come back for our final hour and talk about how to talk to clients about WordPress security. So just a couple of bits of housekeeping: the replays from yesterday are up, we've mentioned that. I'm going to drop in the chat once again our link bundle if you'd like to download the session slides for this session or the next; those links are there waiting on you. And we invite you to ask questions because we will have a good time of Q&A at the end of this session and the next session. Please use the Zoom Q&A link, which if you mouse over the shared screen, you'll see that Q&A icon. You can click that and ask your questions there rather than the chat, please, because as the questions come up in that Q&A, you'll be able to upvote the questions of others and we'll take those questions in the order of upvotes when we get to our time for Q&A. All right, Timothy, let's get started. I'm looking forward to this. Let's do it. Yeah, so we're gonna be talking about how you can reduce your risk to nearly zero using Solid Security. And to do that we need to take a look at what are some of the threats and vulnerabilities that your site might face. So one of the ways that attackers can come at you is just through your front door, through your login page. And so this is all about login security. It's probably the stuff that we know about the most. If your users are using weak passwords, well, that leads to brute force attacks. If your users are reusing their passwords, let's say they have a favorite password, we mentioned that phrase a couple of times yesterday, that's not very good. Or they have similar passwords.
Let's say they have a password formula or a password pattern that's like, you know, five random numbers and the name of the website or something like that. That's not great. That's gonna lead to credential stuffing attacks. Those are when an attacker finds a database of passwords that were leaked from another service and tries those passwords across your actual site, and says, hey, this user is using this username and this password everywhere. Let's try it and see if we can get into the site.

One thing that you might not think of immediately, though, when it comes to login security is the reputational damage that your site can experience if you have issues like this. This isn't just about an administrator losing access to your site. Obviously, that's kind of a huge problem: an administrator's account gets compromised, you've got malware, etc., etc. But this is also a risk if you let users log into your site. Let's say you are an e-commerce shop or you are a BuddyPress install that has a membership-based component, anything like that. What you'll often find is that people blame the website when their account is hacked. It's rarely that someone says, oh, I messed up, my Facebook account got hacked because I had a weak password. Instead it's, oh my God, my Facebook account got hacked. Facebook, why did you screw up, yada yada yada. We saw this with 23andMe earlier this year and last year, where attackers ended up accessing personal data for millions and millions of users.

This was because, in some ways, the users that were compromised were practicing poor security hygiene. But the users didn't see it that way. Certainly the larger internet news media didn't see it that way. You have a responsibility to mandate security best practices not just for yourself and your site administrators, but if you're an e-commerce or WooCommerce install, for your customers as well.
If their site gets compromised, if their account gets compromised, and their credit card details are able to be accessed, or their address and personal information, or orders are able to be placed, they're going to blame you; they're not going to blame themselves.

We Watch Your Website earlier this year published some really interesting statistics about how sites are getting compromised that he sees through his service. And he found that 7.2% of hacks were coming through the front door with login security. And in some ways that's a small number, which I think is a good thing. It means that, you know, we are making progress, but in other ways, the fact that that number is even 7.2%, that in some ways just seems very, very high to me, that still yet we have people not following the best practices. So what can you do? Well, in Solid Security Pro we have a number of different features that help in this regard. One is just enabling brute force protection. You don't need to let an attacker try as many times as they want to log into your site. You can stop them after they try a couple of times in a row and make it more difficult for them to get into your site.

You can require strong passwords. Solid Security has a really great feature where it will detect that a user is using a weak password and force them to change it during the login flow. So this isn't just something that is only for, you know, new accounts going forward. It's a great thing that you can enable, and Solid Security will take care of upgrading users and forcing them to put in best security practices. You can also prevent using breached passwords through the Have I Been Pwned integration. So this is where credential stuffing attacks occur. Let's say your account got compromised on some other website, some forum, something like that, and they then retry and use that password.
Well, with Have I Been Pwned, we'll say, hey, has this password ever appeared in a data breach? And if it has, we'll prevent you from using that password on that site, which is another great way to help your users protect themselves. You can also use CAPTCHA features. We recently launched an update to CAPTCHA that adds in a couple of new providers as well. So it's not just Google reCAPTCHA; if you don't want to use Google, you can use Cloudflare's Turnstile feature, which is excellent and the one that I recommend the most, or you can use hCaptcha, and this helps slow bots down. If you're able to say, hey, you need to complete this challenge to try logging in, it's a significant deterrent, so they can't just try millions and millions of attempts at once.

What else can you do? Well, you can enable two-factor. The two-factor features in Solid Security let you enforce two-factor. So you can say, hey, all of our administrators or editors, people who can do privileged things on our site, we can force them to use two-factor. And when you do this, you'll use a feature in Solid Security that I think is pretty unique, which is our two-factor onboarding sequence. So this automatic onboarding flow lets users get up and running with two-factor without your assistance; you don't need to get involved. All you need to do is say, hey, Solid Security, make sure all my administrators are using two-factor. And the next time the user logs in, we'll prompt them to set it up. We'll tell them what the feature is about. We'll make sure that they understood how two-factor works. They need to enter in a two-factor code before they can continue. And you will get all of that happening for you in the background without you needing to go to the user and say, okay, I set up two-factor for you, or, you know, let's go into the Zoom call and show you how this works.
You can use these automatic onboarding features.

And when you use all these features combined, you can see, this is data from Google that showed how attacks were able to be prevented using two-factor challenges, using things like security keys as well. Now, I know what you're probably thinking, which is that, okay, well, two-factor is great. I know two-factor is great, but it's really hard to convince my clients to use two-factor because it's confusing or it slows you down. And so for that I say let's use passwordless login. So I gave a talk a couple of times now about killing the password that really dives into it. But passwordless login using passkeys is a faster and more secure way to authenticate. It lets you skip your password and lets you skip entering in two-factor authentication. And it provides basically a one-click login experience. You can see here I just clicked "use my passkey" and I logged in. My device authenticated me; my device made sure that I was logging in to the site that I thought I was logging into. So it's also phishing-proof. We're not going to dive into all about passkeys today. There is a whole hour about it if you want to check it out on the Academy, and you can take a deep dive into why passwordless login is important using passkeys, but I'd say it's a good option if you have it. If this demo doesn't convince you, watch the whole hour and we'll really dive into it.

Another thing that you want to consider is access management.

You don't want to be in a spot where everyone on a site is an administrator, where you just give admin access out willy-nilly.

You want to make sure that when responsibilities change, people's access changes. If someone needed an administrator account to do some initial setup, but now they're done with that, consider changing the roles and changing their capabilities.
You also have to make sure that you have a plan for when employees leave. You know, no one sticks around in the same company forever. And you want to make sure that when an employee leaves your company or leaves your agency, their access isn't maintained anymore, that they're no longer able to log into all of your sites.

So how can you accomplish this with Solid Security? Well, there are a couple of things that you can make use of. One is just make liberal use of the roles that exist in WordPress, right? We're not limited to just an administrator or subscriber. We've got five that are built in. If you want to go further than that, you can; there are great plugins like User Role Editor that let you get very fine-grained and say, hey, I want a user that can do exactly these couple of things. Do that. That's awesome. We have some really cool features in Solid Security too, though, that can help you. One is the privilege escalation feature. This lets you say, hey, normally this user just needs author access, but I need to give them some temporary access; they need to do something special, but only for the next few days. And what privilege escalation will take care of is saying, hey, once that period has expired, they'll revert back to their previous access. This is good both for, you know, when you have a team member who needs to take care of a special task, but also if you're reaching out to support, either our support at SolidWP or the support for any other WordPress companies. Instead of giving them an administrator account that sticks around forever, create them an account, set it as a subscriber or an author, and then temporarily give them privilege escalation for a week, let's say, to an administrator, and you can rest more easily knowing that, hey, there aren't just administrator accounts hanging out there that are waiting to be compromised.

You can also use some other cool features in Solid Security, like the site scan.
So our site scan feature takes care of looking at vulnerable software, for instance, but it also looks at inactive users. So if you have users on your site who haven't logged in recently, you can easily use the site scan feature to identify those users and demote their capabilities. If they aren't logging in every day, maybe they don't need administrator access anymore. Maybe you can demote them to an author.

Another general tip that I recommend, though, is to just centrally document when you're giving out access. If you're giving privileged access, write that down. Start up a spreadsheet, a Google Doc, that says, hey, this employee has access to these systems. Whenever you give that out, so that you know what different things to go through and revoke. It's not just WordPress sites. It might be, you know, email accounts, marketing automations, all these different tools. Start with that in place, so you're not saying, hey, two years from now when they leave, oh gosh, what are the 15, 20, 30, 40, 50 different services that I invited them to? You have one place to consult.

So what's another aspect of how attackers can compromise your site? One of them is through the back door. And by this I mean vulnerable software. Patchstack identified nearly 6,000 issues last year, and the majority of these are in plugins, over 97%. The remaining 3% we've seen in themes, and it's just a fraction of issues that are in WordPress core. Every so often; we just had 6.4.3 get released, I guess a month or two ago at this point, which was a security release that fixed a couple of issues. But really the primary issue, and we talked about, hey, is WordPress insecure? It's not WordPress core. It's WordPress plugins.

We Watch Your Website identified that nearly 33% of attacks that they saw on the sites that they clean up were due to vulnerable software.

There are some things that you need to understand about vulnerable software.
We talked yesterday about how there are 100, 150, 200 different vulnerable software issues that are reported every week now in WordPress. And so that means you kind of need to take a look at vulnerabilities and say, okay, let's not get too overwhelmed. One of the things to keep in mind is that not all vulnerabilities are equal. A remote code execution attack, where an attacker, let's say through the Bricks vulnerability, is just able to execute PHP code arbitrarily on your server, is way more severe than, for instance, a self cross-site scripting attack where an attacker needs to trick you into clicking a link or entering in some data into a form. If you just look at the reports at a glance you might see, oh, these are all the same. I've got 15 issues here, how am I ever gonna resolve them? But you can use things like the CVSS score. This is a score that ranges from zero to 10, and the higher the score, the higher the severity. And you can also use providers like Patchstack, who we integrate with, to help you determine a priority and say this is when you should patch it. For example, this is the WP formance vulnerability that happened earlier this year. It has a high severity, but it wasn't known to be exploited, to Patchstack. And so they came up with a patch priority based off of how likely it was to be exploited, how easy it is to be exploited, and say, hey, you should patch this within seven days. So these are kind of tools that you can look at to help you identify what fixes need to be made now.

What we found with Solid Security is that, I checked the data last night, 45% of websites that are reading sense sites, yes, right now, have at least one bit of vulnerable software installed. So what are some things that you can do with Solid Security to help with this? One is we have an awesome vulnerabilities page that tracks all the vulnerabilities that are affecting your site.
So this gives you one view. You don't need to watch your email or look in the logs; it gives you one place where you can log in and see all of the vulnerabilities that are affecting your site. It'll automatically scan for you multiple times a day to find new vulnerabilities. You don't need to remember to go back and click Scan and click Scan and click Scan. It'll take care of that for you.

We also give you recommendations on how to resolve the issue that are specific to whatever vulnerability is actually present on your site. So for instance, this ancient WooCommerce plugin vulnerability: a fix was officially released by WooCommerce, so we recommend you to update that plugin right away. If you can't, you can deactivate it. We'll give you those choices there and let you know what actions you should take depending on the vulnerability.

Another really cool feature is that it lets you view the historical vulnerabilities that have affected your site. So let's say this Ninja Forms vulnerability: we can see here that, hey, we updated this plugin on February 15. The vulnerability was reported on this date. And so you can go back, and if a client asks you, hey, whatever happened with that Bricks vulnerability, you can see, oh, we automatically updated that, or we manually updated that, or we deactivated and switched away from it. You can see all of that data inside of Solid Security, so you don't have to be guessing or trying to remember what happened. And as you've been running the plugin for a long time, you'll see over the period of months and years what vulnerabilities have affected your site in the past.

There's another really cool feature that I want to talk about, though, which is virtual patching from Patchstack. The thing to keep in mind, and we talked about this yesterday as well with the Bricks vulnerability, is that sites can start getting compromised within hours or days of a vulnerability being published.
So think about, hey, what if this happens when I'm on vacation, or if I'm away from the computer? Or I just didn't know about it.

Virtual patching is there to protect you when you're not able to update. Now, it's not just when you're not able to update because, hey, you're AFK right now, but 25% of the virtual patches that Patchstack publishes cover you when there isn't even an official fix out yet for the plugin. This is a vulnerability that's out there, the plugin author hasn't been able to fix it yet or is unwilling or unable to, and there's a virtual patch to protect you. So this isn't just, hey, okay, I'm gonna be on my site 24/7 and the second I see a vulnerability I'm gonna update to the fix. These are also important because they can protect you even if there isn't a fix. Even if you want to do the best thing possible and update immediately, you might not be able to.

So how do these virtual patches work? Well, they're targeted firewall rules that are deployed to your site to block attacks from being executed. And so what that means is, if you can't update yet, let's say there is a severe WooCommerce vulnerability, and you just can't update that right away without doing a lot of testing. Well, this targeted firewall rule will protect you by blocking that specific attack vector from being executed. These are also highly targeted. So this isn't just a general, vague rule. And what that means is that they have a much, much lower false positive rate. There are some tools that will kind of offer broad, general blocks where they try and say, okay, anything that kind of looks like this, well, we'll block that. But those can have false positives, where suddenly you're just trying to use your site and, oops, it didn't protect you, or you're trying to use your site and it triggers one of these false positives and you get blocked from trying to do something normal or innocuous.
But Patchstack creates virtual patches for every single specific vulnerability, not just broad patches. They have, I think, over 6,000 vulnerabilities with vPatches at this point, which is way more than pretty much any other provider out there. And if you're using Solid Security, or the Solid Patchstack add-on for our older customers, you don't get that protection automatically.

It's important to keep in mind that patches are mitigations. So you still want to update. Don't just be running an ancient version of WooCommerce forever, but they're there to help you when you can't update, either because you're AFK or, you know, a fix just hasn't been released yet. So what does this look like in Solid Security? We can see an example of this with this WooCommerce vulnerability. You have this badge up in the top right that tells you, hey, this was patched automatically. And in our Status section, we tell you that, hey, a virtual patch was automatically applied to mitigate this vulnerability. We still do, again, recommend that you update; don't keep things inactive forever. But this patch automatically installed some firewall rules. And you can see that if you ever go to the firewall section in Solid Security, you'll see that, hey, here are these different firewall rules and they came from Patchstack. If you want to, you could deactivate them, but we don't recommend that; they're there to keep your site safe.

What else can we do to manage updates? Well, I would keep in mind at this point that sites have lots and lots of plugins, and updates are important. So you should schedule the time to do them. Don't make this just a thing of, okay, I decided to log in today and I have some free time, I guess I'll apply some updates. Make it intentional, that you say, hey, let's apply these updates this day.

And don't do this too infrequently. It's easy to say, okay, you know, every second Tuesday we're going to apply updates.
I don't think that's a good idea these days. You need to do it more frequently. I would say at least once a week is when you should be saying, okay, let's look for updates and apply them. The longer they sit out there, the more updates you have to apply, the more complicated it gets anyway, but that also helps with security updates. You'll see, for instance, from Patchstack, a lot of their issues say, hey, patch this within seven days. So if you're applying updates once a week, you're gonna be on top of that.

You should prioritize high severity issues. So if you have a huge list of updates to apply, and you see that some of these are security related, work first on the ones that are high severity. You don't need to just go in the order that they were received. Look at their severity, look at the priority, to help you determine which updates you should install.

You can also use hosts like Nexcess that provide automatic updates with visual regression tests. One of our fears with turning on automatic updates is, okay, what happens if my site just breaks? But using tools like these that do automatic regression tests can say, okay, there was an issue with this update. We're not going to apply it to the real site, or we're gonna roll it back, and we're gonna notify you that you need to do manual intervention, but for everything else we'll take care of it automatically.

You can also use Solid Central to apply updates across all of your sites, and that gives you one UI where you can work them down, and we're bringing some really cool updates soon to that screen as well. You also have the option to enable auto updates for security fixes. This is a feature in Solid Security Pro and the version management module that will let you say, okay, we detected that this patch is a patch that is resolving a security issue.
So let's just automatically update to it, even if you wouldn't ordinarily apply automatic updates for that plugin.

So the last threat to be aware of that I want to talk about today is under your nose. And so this is about session stealing attacks. So this is something that we did a webinar on a couple of weeks ago that really dived into it and did some cool demos about our features in Solid Security. But if you haven't heard about session stealing attacks, this is when malware is installed on your device and it steals the actual cookies that you use to authenticate with WordPress. These cookies are then sent to an attacker's botnet, or they're sold off. And with these cookies, now an attacker is able to fully impersonate you. They have your full capabilities. For all intents and purposes, they are you; it is your actual login. And a big thing to keep in mind here is, because they're stealing the cookies, and these cookies you get after you've logged in, it means that usual protections like brute force prevention or two-factor aren't able to effectively block this attack, because you actually logged in and you completed two-factor, and then the attacker stole those cookies.

Thomas from We Watch Your Website found that this affected nearly 60% of the websites that he was cleaning up, which is a huge number. So what can you do? Well, the first thing is keep your computer secure. If your computer is safe, if you're not using untrusted devices, if you're always connecting over HTTPS on secure Wi-Fi, you're not going to be subject to this attack. If you're just, you know, using your home computer, you're up to date, you have no malware installed, an attacker isn't able to magically steal your cookies; your device must have in some way been compromised, or you're using a compromised network. Or let's say you go to a computer cafe and you're like, hey, I'm gonna log into my e-commerce WooCommerce site and, you know, nothing will go wrong, I'm sure that's fine.
Don't do those things. Keep your device up to date. Use the firewall tools or anti-malware tools that are installed on your devices, Windows Defender, or on Mac devices Gatekeeper, those types of tools to keep your computer safe.

You can also implement additional controls on sessions. And so this is where the trusted devices feature in Solid Security comes into play. What trusted devices lets you do is it alerts you when a login has happened on a new device. So this can be, hey, I'm just now traveling for work, let's say, and normally I'm based in New York City, but now I'm in Huntington, apparently, from this demo. And you'll get an email that says, hey, is this you? Are you trying to log in from this device? And you can say, yes, it was me, or you can secure your account and change your password if it got compromised. But it comes with additional features as well. One of which is restrict capabilities. So if someone is logging in on a new device, we'll restrict their access. Instead of being able to do everything, like install plugins, create new users, edit your passwords, instead they only have limited access. So if you are on the road and you need to, you know, make a quick update to your posts, you can do that. But when you want to take more sensitive actions or more secure actions, you will be prompted to actually confirm that new device. Another feature is session hijacking protection. You can see a cool demo that we did with David a couple of weeks ago in our webinar, where we said, hey, what would it look like if someone stole your session cookies? And you can take a look at that to see how Solid Security would stop that attack from taking place.

So in summary, you have to think about the weakest link. One admin account with a weak password can result in your site getting compromised. One unpatched plugin with a critical security issue can result in your site getting compromised. We need to stay ever vigilant.
We need to be making sure that, hey, if one thing slips through, that can be, you know, a disaster. So use every tool available to you. This isn't something, I think, once you're managing more than one site, that you can reasonably expect to stay up to date on all by yourself. Use tools that help you, and of course, the tool that I like is Solid Security.

So I'm now at this point ready to open up the questions, Nathan.

All right. Excellent overview of all the things that Solid Security has to offer, and we have plenty of time for your questions. There are 10 questions currently stacked up in the queue. Folks, if you have a question about anything regarding WordPress security, including of course the Solid Security plugin, open up that Zoom Q&A and drop in your question. Also upvote the questions of others, and we're just about to start taking our first questions. The first one being from Paul. Paul says, in the past, moving the wp-config file to the root level of hosting, at the same level as public_html, helped to protect a site. Is that still something that helps?

I guess I'd say, does it hurt? I mean, is there, like, originally some of this was,

how do we make sure that, hey, wp-config is not exposed in the public_html directory. It was kind of the idea. So we would move the wp-config file a level above public_html, actually. So you'd have public_html/index.php, and that index.php would be the WordPress, and then wp-config would be below that. So it'd be wp-config, public_html, everything else on one level, and then your WordPress. And so the idea is that, hey, if we move that out of the web root, it could prevent some attacks. I'd say at this point, you know, it doesn't harm anything, but unless your server was misconfigured in the first place, it probably isn't going to really,

it isn't going to be a problem to begin with, if that makes sense. So it doesn't harm anything.
It's an easy thing to do, but it's probably not actually preventing an attack.

Especially these days. I think those types of server configurations are much rarer.

Yeah, so one of the tools in Solid Security allows you to check out file permissions, and it shows you what the recommended permissions are of things like the .htaccess file and wp-config. So I know just from using the product that the recommended is 444, right, for wp-config. So if the wp-config lives in the regular WordPress directory in public_html and it's set for 444, you'd say that's pretty secure? Yeah, there's no issue there.

So, like, if you had a scenario where PHP files were not being properly executed, which is kind of part of where this attack lies, then if someone went to your site /wp-config.php, it could then return the plain text of that PHP file. And then they would have your database credentials and your salts and things like that. And that could be an issue. These days, though, that is not really a thing, where servers are configured in such a way that we only say, hey, only index.php can be directly executed. So yes, I would say putting it in the root level is totally fine. And yeah, it's great to use that file permissions tool in Solid Security to help you identify what permissions aren't what they should be. That answers Paul's question. I do this on some sites. So for a couple of sites, I have, like, a pretty specific custom setup of how wp-config.php works, and they are better than others. I don't.

I'd say at this point, it's just not on the top of my list of security improvements. I think there are more significant things that you can be doing. Yeah. Good. Next question, that was from Kenneth. Is there a class or video on how to set up the free parts of Cloudflare? I see a lot of areas there, but I don't know how to set them up.
And Timothy, before I turn this to you, let me just mention that actually the premium course for the month of April, which will be about a month from now, I'll be doing a course specifically for WordPress agency owners on setting up Cloudflare, basically all the stuff we've learned in my agency over the last year and a half or so of muddling through Cloudflare and getting things set up, both with settings and processes, with how we migrate things, and just what we've learned from moving 100 sites into Cloudflare. So that is the premium course for April. You could register for that if you're a member of Solid Academy.

It's up there on the courses now. But so let me pivot back to you, Timothy. Anything that you would recommend on that, or how effective even is Cloudflare as part of a holistic security approach for your website? Yeah, um, so I would say that sounds like a great Academy training to check out for this. I think we've talked about in the past offering, like, more content through SolidWP about how you can most effectively use Cloudflare, and that sounds like a great session. Um, in general, I'd say Cloudflare is definitely a great tool in your tool belt, and if you are able to use it, I highly recommend it. I would say it works very well in conjunction with some of the other features in Solid Security. So Cloudflare offers, for instance, WAF functionality. Their WAF functionality is more broad than Patchstack's virtual patches, so they're applying things like, okay, let's try and prevent a large set of cross-site scripting attacks, or a large set of SQL injection attacks, things like this. And you'll find that those have those trade-offs, right, where sometimes they're not able to protect against an attack like Patchstack is able to. Patchstack is dedicated to WordPress specifically.
And so they create new patches multiple times a day, which Cloudflare often won't. You also see, because of Cloudflare's kind of broad-based support, that you might actually run into issues with Cloudflare. I, for instance, writing about security, sometimes you can try and publish a blog post and Cloudflare will say, nuh-uh, because you're describing a SQL injection attack, and we're like, oh, that looks like a SQL injection attack, we're gonna block that. How on earth do I publish this blog post? Cloudflare, get off me. So you'll see kind of the difference between how Cloudflare works and how Patchstack works. I think they work excellently in conjunction with each other. But Patchstack is able to go beyond that and say, okay, we've detected you have this specific vulnerability, we're going to create a patch that protects against this specific vulnerability. Yeah, it's really good. I think this is a great illustration of the analogy that Thomas made yesterday with the holes of Swiss cheese lining up. Actually, Patchstack is just another layer. Patchstack is a layer, Cloudflare is a layer, server-level security is a layer, WordPress security with Solid Security is a layer, and they all hopefully can block all the holes so no hole goes all the way through. Really good.

Okay, question from Vern. We get this one a lot. Hide the back end, which refers to changing the wp-login URL, changing the wp-admin URL to something else. Is that effective in today's WordPress security landscape?

I do not use this feature on any of my sites. I will say, if I could, I would remove it. And we know this is a feature that a lot of people like, so we don't have any plans to currently. But what we always encourage people, if they reach out to our support desk and ask about this feature, is to use things like I talked about in the login security section. Those provide real security. Oops, these slides went away. Those provide real security.
So those are things like saying, hey, two-factor, CAPTCHA, lockouts. Those are much better than just making your login page something different. You're adding, like, one small step, but oftentimes, hey, if you're an e-commerce store with WooCommerce, your customers need to log in. So there's going to be a login page that is exposed out there, and that feature isn't going to protect you. So no, it is not a feature that I really recommend. It falls under these kind of warm and fuzzy type of features, I guess you could say.

But I don't think they provide the real security that we want, which is, you know, use two-factor, require two-factor, prevent people from logging in 50 times from the same IP address in a minute, use CAPTCHA, all of these different things. 100%. It's so much better just to have a CAPTCHA between the world and your login page, no matter what that URL is, having a CAPTCHA. Exactly. That's really the thing.

Okay, question from Sue. Timothy, which plugins do you feel comfortable setting to auto update? So I may be controversial in this; I auto update most plugins.

Solid Security has a really cool feature in the version management module which lets you delay auto updates. So for instance, let's say you have a plugin that, you know, releases updates that sometimes break things. You can say, hey, don't auto update this immediately, but auto update two days after it was released, or three days after it was released. And the idea behind that is saying, okay, if there was a bug, they caught the bug, identified the bug, fixed the bug, and now auto update to it. So it can still be something that happens in the background, but I'll be honest, I auto update most plugins, I think.

You want to make that decision when you're setting up the site.
If this is a plugin that I'm not comfortable auto updating, should I be using that plugin in the first place, if this plugin author is so frequently releasing updates that just completely wreck my site?

Maybe that means it's a different plugin for the job. Now I say this as a developer who, you know, very much happily will build everything and anything from scratch. But yeah, I have, you know, Yoast SEO set to auto update. I have a lot of different blocks plugins set to auto update.

And yeah, I try and keep my plugin list down, not at 50 plus, so it helps in that regard. But I totally understand if that's not something that you're comfortable with doing, either because of the complexity of the site, and that's where, you know, virtual patching and those types of tools come into play.

So, let me dig in and push back on something on that. I think maybe I need some education on this too, or a different way to think about this. But sometimes well-known, reputable, I guess, plugin developers, certainly big ones that everybody would know, will push an update, and it'll break something unintentionally. And they'll push, you know, a dot-one version of it within the next couple of days. What danger do you have, does that worry you, just having everything set to auto update? So I would say yes, there are plugin authors that release plugin updates that just totally break everything, and those are on my list of plugins that I try not to use.

Yeah, without naming names. I guess that would be my general approach, right, is that I much rather, when I do client work these days,

usually we're building something very specific, and we could build it with, you know, a combination of six different plugins, but kind of the value that I'm able to bring to the client is to say, hey, we architected this specially. We have developed it with your specific use cases in mind.
We're not using, you know, 5% of a plugin, and 5% of another plugin, and 5% of another plugin, and that's where things kind of, like, start to break down. So I would say it's a different kind of approach for building things, where it's more, okay, what are the plugins that I'm very comfortable with, that I think are bulletproof, and, you know, set them to auto update, and I'm not particularly worried about it. And if those aren't ones, whatever the thing is, then I should just build it instead and write the code specifically for that client.

And I know that their site will be more stable, because they also didn't, you know, get a new feature that they didn't ask for that completely changes the UI, things like that. So I would say it's a different approach. But it is not at all uncommon to have that feeling around auto updates, which is again why, you know, Patchstack and things like that are helpful tools.

Also because there's the 25% of cases where there just isn't a fix available for the security release.

But yeah, that's generally my attitude, is how can I reduce the plugins that I'm using that are just breaking things all the time? And for the ones that do, set an auto update delay, say, like, hey, five days, and if the plugin has been stable for five days, then it's probably good enough to auto update at that point. You would hope that if they break everything, it gets fixed pretty quickly. And that delay is part of the Solid Security version management feature. And let's just say there's also a setting on that version management page that allows you to auto update if a vulnerability exists. If that's the case, then that delay doesn't come into play, right? It auto updates no matter what.

It's a fantastic feature.

Okay, question from Dan. How resource heavy is Solid Security with its constant scanning and so forth? It's pretty light.
So we don't believe that a plugin should be doing things like individual file scanning for malware. It doesn't make sense to happen in a plugin. Thomas, I think, has done a couple of different discussions about this, I think on our SolidWP Academy, where he finds malware that, one of the first things they do is turn off a file scanning feature and say, hey, I'm all good, or they whitelist their plugin, things like that. So we don't believe that plugins should be doing that type of heavy scanning.

Instead, we do things like, hey, checking for vulnerable software. And that's very fast. That's very minimal. We make API requests out to our servers, and it contains the list of plugins you have installed, the versions, and it does a really quick check, so it doesn't really add any weight to your site. Things like checking for inactive users, all of these things are pretty resource light. So that is a really key thing that we keep in mind when we're building Solid Security: we don't want to slow your site to a crawl. If your site is so slow that no one can use it, it doesn't matter if it's 100% secure.

But yeah, we don't believe in putting those types of super heavy features in the plugin. They are best left for other services. We're focused on preventing an attacker from getting into your site, as opposed to, okay, an attacker has gotten into my site, now I need to scan my site for malware every single day and for infected PHP files, because then you are talking about a very intensive process. And it's something that smart malware these days can just disable.

Yeah, and it seems like, especially a file-level malware scanner, it seems like that should be something that lives at the server level, right? Yeah. So Thomas's tool, for instance, that's one of the things they do: they send the files off to his servers, and then his server is able to very efficiently scan them.
It doesn't make a lot of sense to be doing that from WordPress, both for the performance reason and for the security reason. If it's happening in WordPress, then any plugin can stop it from happening. There's a lot of reasons why that doesn't make a lot of sense. For virtual patching with firewall tools, that's another thing to keep in mind. So that's why virtual patches from Patchstack only apply if your site has that specific vulnerability. They don't apply, you know, 20, 30, 40, 50, 100 generic firewall rules that apply with every request. We only apply specific firewall rules, and only if your site is vulnerable. If your site doesn't have a vulnerable version of Timpson, there is no reason why you should be looking for attacks against it and blocking them. It doesn't provide you any security benefit; the attacker wasn't going to get in there anyway. What that is doing is things like DDoS protection, stuff like that. But that shouldn't live in the plugin too; that's where you want to use Cloudflare in conjunction with Solid Security. Solid Security isn't going to protect you if 10 million requests hit your server within an hour, and no WordPress plugin can, but that's where tools like Cloudflare come into play. And again, the Swiss cheese analogy, it's such a great point, I don't want to zip right past, because this multi-layered approach is critical. And honestly, correct me if this analogy is wrong, Timothy, but, you know, back in the day there was this season of WordPress theme development where people were selling themes on a giant marketplace, and the way they found to sell themes was to cram all these features in there that really should have been in plugins, but now they're kind of rolled into this giant kitchen sink type theme. And they ended up being a bloated monster that was just really difficult to manage long term, and slow.
And so a lot, maybe, in some security plugins for WordPress are kind of adopting the same approach, like we like a scanner, we do these things, but we should really separate those out to have a lighter, more efficient site. Am I right on that?

I agree. I think the things that should live in WordPress should live in WordPress, the things that should live at the network level should live at the network level, the things that exist in your server should exist on your server. There are things, for instance, I don't think Cloudflare is going to offer passkeys as a login method, right? If you have a credential stuffing attack, Cloudflare probably isn't going to prevent that, because someone, the first try, they log in, and they know your username and they know your password, because if you're in a breach, there's no opportunity for Cloudflare to protect you there. But if you're using Solid Security to prevent a user from using a password that has appeared in a breach, that's the perfect thing that should live in WordPress, right? It wouldn't make sense for Cloudflare to, you know, somehow be operating on your WordPress site and prompt up an update password page or change how your login process works. That wouldn't make sense for Cloudflare to do. So use the tools for what those tools do best, and take advantage of the fact that some of those tools can live in WordPress and can provide a context, knowing that this is a WordPress request with this user and this password and they're trying to do this specific thing.

Yeah, really good. Okay, moving on to the next question here from Nate. Does Solid Security provide a way to have a two-factor code sent to a phone via text, like what Facebook does?

No. So we do not, and we do not plan to. SMS two-factor is convenient. It's a way that you can kind of get people a little bit more used to it. But I would say at this point email, in my opinion, is just as convenient.
But the issue with two-factor via text messaging is that SMS is not a great protocol, and a lot of mobile phone providers don't have the best security practices around things like preventing SIM swapping attacks. So I would say SMS, in my opinion, is a legacy two-factor method.

It was helpful for getting people used to the concept, but I think at this point everyone is familiar with email-based two-factor.

And my big push really would be, hey, use passkeys. That gives you a two-factor experience that exists on your phone, or not a two-factor experience, well, it's kind of a two-factor experience. The point is that it has your phone and your biometrics, and it accomplishes that same bit, but it doesn't rely on a text message being sent and all of that happening. It just provides you with one simple login flow that is protected with Face ID or Touch ID, things like that. So no, we do not, and we do not plan to.

Right answer. Okay, here's a good question from Stephanie.

So Stephanie, I'm guessing you're a legacy iThemes member. She's asking how to activate virtual patching: "I have Patchstack in Solid Suite, it's on the dashboard, but the firewall is inactive." So if you go to Security, and on any of those things, you can click into the licensing page. It's under Settings and then SolidWP Licensing. And there'll be a section there that says Patchstack-enabled sites. And so if you are a new customer, when you activate a license, Solid Security will automatically enable Patchstack for you. But if you are new, or you don't have enough Patchstack licenses, let's say you are a legacy customer that had a Gold subscription, for instance, you then need to choose to enable Patchstack for that site. So the thing you want to do is go to Settings, SolidWP Licensing, and enable Patchstack for that site. If you're still having trouble, that's an excellent reason to reach out to support.
If you go to solidwp.com there's a link to support, and they'll be able to help you out. But that is probably the bit that you're missing. Make sure your plugin is licensed.

Yeah, very good. And I'm also dropping in a link to a live stream we did back in December that covers a lot of how to even position, if you're a legacy iThemes customer, for example, positioning an upgrade with a Patchstack firewall as a better layer of a care plan. So that link is there in the chat. Yes, definitely. So if you're still having trouble with that, reach out to support and they'll give you some help right away.

Kenneth is asking what the 40% off deal is for. So, Kenneth, I'm going to go into a lot of detail about that in the first of the next hour. It is for any purchase from SolidWP other than the Solid Central monthly, and it also does not apply if you're adding licenses, Patchstack licenses, as a legacy iThemes customer. But anything else, the Solid Suite, any of the products, the 40% off is good if you are a new customer.

Let's see.

Manu has a question here. Manu says, "My email has been pwned, so I changed my password. Is this good enough? And when does their database update, so you can see if the pwned email is updated?"

Oh, pwned, yep, yep, that's what's going on there with that spelling. So the service that we use is Have I Been Pwned, and that relies upon a Troy. Okay, now there are two choices. They're both Australian. One of them is a WordPress person, and the other one is a security person. I think Troy Dean is the person who runs Have I Been Pwned, and Troy Hunt is the person who runs the other... it's the other way around. There are two Australian people both in this space; it's very confusing. Troy Hunt kind of collects data and is responsible for ingesting things into Have I Been Pwned. So it isn't really specific to your email address, but more about the password. There's also a Have I Been Pwned service where you can just enter in your email.
And it'll show you, hey, here are all the places where we find your credentials in a database breach, which is awesome. But what we specifically use in Security is their password feature. So it checks whether a password specifically has been entered into that database.

Yeah, very good. So Manu, if you update your password, it's not going to remove it from that Have I Been Pwned database, right? That's basically letting you know that your email address has shown up in a breach, and that's always going to be there.

Tina: how does two-factor work if your sites are on Solid Central?

I don't know what this is driving at yet. I think the question is, if I'm accessing my site through Solid Central, is there a way to turn on two-factor? Is two-factor needed in that case?

Okay, so two-factor in Solid Security, what?

Yeah, what she was asking, basically. Um, so when you authenticate for the first time with Central against your WordPress site that has Solid Security installed, you actually go through a specific onboarding process that shows you, hey, you're going to connect with Solid Central, and it will give you a big purple button to click on, and you'll get connected.

Then, for further API requests that Solid Central makes over to your site, it's not going through the login form, so it never runs into two-factor. And there are some specific features in Solid Central that do help you with two-factor. So for instance, you can bypass two-factor by clicking a button in Solid Central. And if you use Solid Central's feature to automatically log you into your WordPress site, you don't need to enter your two-factor code. But yeah, there shouldn't be any conflict there. You don't need to turn it off or anything like that. It'll just work. Good.

Question from Nate. Does Solid Security provide a recommended set of settings, like by an export JSON file or something?
How do you figure out what are the best recommended settings?

Yeah, so we don't, specifically. The general thing is that we like our defaults, and then it is just up to you what more things you want to apply. So for instance, having two-factor is better than not having two-factor. Having, you know, more protections available, having more checkboxes checked, so to speak, is just oftentimes more secure. We try not to have any things where it's like, hey, if you missed this, this is a complete disaster. It's really up to you what kind of security features you want to have enabled. There are docs that talk through global settings and things like that. But generally in the plugin we'll say, hey, these are the things that we recommend. The defaults are things that we recommend, and it's just up to you to say, hey, what more features do I want available? Do I want to have passkeys? Do I want to have two-factor? And we can't make that decision for you.

And what does the onboarding wizard factor into this?

Yeah. So when you go through onboarding, it'll ask you some things like, hey, do you want to use two-factor, and if so, it'll automatically configure it for you. If you want to use strong passwords, it'll automatically configure that for you. My recommendation model is basically: enable everything. There's nothing that we have put in the plugin that we're like, hey, this is something that we don't recommend you using.

The stuff that is, you know, more legacy is kind of hidden away, like Hide Backend. It's under the Advanced section. I don't recommend it. It's there because people love it.

But yes, my recommendation is to enable Trusted Devices, enable two-factor, enable passwordless login, enable passkeys, enable virtual patching, and enable, enable, enable, enable, enable.

I'm going to hand-pick a couple more questions and we'll wrap this up and go to a break. Great question.
From Joan.

Does Solid Security Pro come with Patchstack by default? Yes. So if you are a new customer and you go on over to SolidWP and you make a purchase, you are going to have Patchstack. What you're going to want to do is, after you install the plugin, you want to license it, and that licensing process will automatically set up Patchstack for you. So yeah, all new plans come with Patchstack. And if you are an iThemes customer, you can add Patchstack, but yes, all new plans come with Patchstack automatically. You don't need to do anything else besides just license the plugin.

Awesome. And last but not least, Tina: does your page speed suffer with all the blocked IPs that accumulated over the years?

Um, so not really. Um, we do specific queries to get a list of banned IPs.

There's also a setting for .htaccess where IPs that are banned get put into the .htaccess file, and if you go into the settings, there's a limit, it defaults to 100, on how many of those IPs actually get added into your .htaccess file. So if you had, you know, 10 million, it could be an issue.

But even on my site, which is many years old at this point and gets quite a lot of traffic, I don't have anywhere near that many banned IPs. So I haven't seen banned IPs specifically become a page speed issue. I just haven't seen someone get that high, where we're making such a large query that it would be pretty ineffectual. And it's pretty quick to compare IP addresses and just do a search for, say, this IP address is here or it's not there. If you do have millions, I'd be curious to know more about your site, and then maybe it would make sense to remove some. But yeah, I have not seen that to be the case in any other sites I've come across.

Very good. All right, excellent session. Timothy, thanks so much for your wisdom, as usual. You always have excellent answers. Folks, thank you for hanging with us this last hour. We're going to take about a six-minute break here.
We're going to come back, and I'll be talking about how to talk to your clients about security, taking plenty of time for questions if you have specific things you'd like to talk about in regard to how in the world do we make our clients understand these things. So that's what's coming up in our next hour. We're going to pause the recording and go dark for the next six minutes, and we're back at 2:05 Central time. We'll see you back then.

All right, we're back for the final hour of Disaster Week 2024. Hopefully this has been a great time for all of you who've been part of the whole thing. We will again have the replays up in about an hour, as soon as we wrap up here, and I'm dropping once again in the chat the session slides for today. You can download Timothy's slide deck as well as mine, which is now available there.

All right, so across the break we had several questions about upgrades, and I just want to address those briefly before we get into our actual content here. So first of all, we do have this deal that's going on: DISASTERWEEK40 is the coupon code for 40% off of SolidWP products. Now, this is for new purchases only, so you can't extend or add a new subscription to an existing account. It's also not available if you want to purchase Solid Central monthly plans, or if you're a legacy iThemes customer and you want to add on Patchstack licenses; it does not apply to individual Patchstack licenses. So those are the caveats on that deal, but it's a great deal if you've not yet become part of the SolidWP family. 40% off is an excellent deal to take advantage of.

Now, several questions came in about upgrades. Patchstack is included if you buy the Solid Suite or if you purchase Solid Security Pro individually; Patchstack is bundled. If you're a legacy iThemes customer, Patchstack is an add-on for the legacy iThemes Security product that is now Solid Security.
So there is a live stream we did that walks through how to add Patchstack licenses if you're a legacy iThemes customer, and that link I have dropped in the chat, and I will just invite you to walk through that. It takes you through the whole process.

Matthew asks why it's an add-on. Well, I mean, to be frank, it costs SolidWP money for every site that licenses Patchstack. And so the cost involved in that was not factored into, you know, the price that a lot of folks paid for iThemes Security. It's an extra feature that was added with the Solid move, when Solid rebranded from iThemes. And so there wasn't a way to include that in older legacy plans. I don't think it's mean; I think it's just an additional feature that could not be included, you know, if you want SolidWP to be around for a while. So, you know, I think it's a pretty reasonable upgrade, particularly with the pricing per site, which is very reasonable and can be easily passed on to a client. That's actually what that livestream was about, the link that I gave you in the chat.

All right, so let's talk just a little bit now about how do we talk to clients. And actually, before I go there, let me just mention one more thing. I know there's a lot of you who are maybe new to Solid Academy, and we're grateful that you're here, and hopefully this live stream has been helpful to you over the last couple of days. Here on Solid Academy we actually do two or three live streams every week on all sorts of WordPress topics. You can access all the upcoming training here at academy.solidwp.com.

You can search for upcoming live streams and see everything that's available. Also, there's a handy calendar view here that shows you all the things that are happening and allows you to register right here.
So Tuesday, Wednesday and Thursday of most weeks we have a live stream about WordPress things, and we invite you to come be part of it. You can become a member of Solid Academy by purchasing the Solid Suite. That's the only way you can become a Solid Academy member now, and if you are a member, not only do you get access to all the free training and replays, you also get access to a weekly office hours with me where we answer all sorts of WordPress questions, whether it's technical questions or business-related questions. We always have a lot of fun there. It's a good community of folks that gathers every Thursday. We also do one premium course every month, and I've just lost my window, but our premium course for this month is a WordPress accessibility crash course with Amber Hinds from Equalize Digital. Next month's premium course is the Cloudflare course, which I'll be teaching. So we always have a two-day, four-hour course every month. That's very helpful.

I'm hearing reports in the chat that the coupon isn't valid. I'll look into that after we wrap up with our marketing team. Or David, if you're still on the stream, maybe you could ping somebody. See, anybody from the iThemes team? Sara: DISASTERWEEK40. Okay, it's possible I typoed that.

So the coupon code, Sarah from the iThemes team, the SolidWP team, says the coupon code is DISASTERWEEK40. So I apologize about that. That was likely my fault.

All right. So for those of you, again, new to Solid Academy, just a little bit about me: I've been working with clients on the web since 1995. I started with WordPress in 2008, all WordPress since 2010. For the last 10 years I've been a growth coach for micro-agency owners, people who are doing WordPress things for clients. I've had hundreds and hundreds of coaching conversations over those years.
And a lot of those things are around this topic that we're talking about in this last hour, which is building recurring revenue, talking to clients about security to grow our businesses. I'm also the creator of Monster Contracts, which is a proven contract for WordPress client work.

So let's start out with the foundational idea here, which is: recurring revenue is critical to our business. It is the foundation of a successful agency. It's virtually impossible for us to survive in the long term without some sort of recurring revenue. And if you're doing WordPress things, the natural place to start is with a WordPress care plan. It's a WordPress care plan and all the products that are associated with that that actually brought me to iThemes many years ago as a customer, long before I started doing any sort of live streaming on our educational side here. So a WordPress care plan is absolutely the place to start to build recurring revenue. It's what all the products that SolidWP offers are built around: helping us do care plans better. So you've built a client relationship; to maximize that relationship for the long term, we want to build in recurring revenue with some sort of care plan.

Now, the challenge with a care plan is explaining to clients why they even need one, right? So we understand it, but getting a client, particularly a non-technical client, to understand the value of a WordPress care plan can be a challenge sometimes. So what I'm going to do in the next several minutes is just basically give you how I explain things to clients, and some of the common mistakes that I see happen, and hopefully give you some language that maybe you can use as you're trying to explain care plans to clients and how to do that. So a couple of things I want to start off with are two very common mistakes that I see people in our position make when we are explaining care plans to clients.
The first is presenting care plans as an option.

So I would encourage you to consider care plans not an option, but a necessity. So a care plan is not like an extended warranty that car dealers try to sell you just in case something goes wrong. Instead, a better analogy is that a care plan is like regularly scheduled maintenance that helps to keep your vehicle healthy for the long term. Matter of fact, in my agency we don't take any website build projects that don't include a care plan. It's just part of our pricing. And I'll even tell clients, if they have a budget challenge, it's really better to spend less on building the website in a phase one, you know, spend less so you can afford a care plan within your budget. Care plans are that important.

So the second mistake that I see people in our position make as we're explaining care plans to clients is waiting until launch to add a care plan. Surprising a client with a care plan at the very end, "Oh, by the way, you really need to purchase this additional monthly thing that's going to keep the site that you've just paid for healthy," that's a bad idea. It never works out; it rarely works. And it can often cause the client to become very agitated: "You didn't explain to me that a care plan was needed in all these conversations we've had." So what I've learned over the years is that the key to selling a WordPress care plan is education. And that education has to start in the first conversation. So we need to include care plan pricing in our proposal. That's my advice, as part of the total cost of the project. Now, something I moved to two years ago: in my proposal, for years, I used to have the care plan as a little checkbox, and you'd check the box if you wanted the care plan. Now it's just bundled in. There's a cost to build, there's a cost to manage, and one "sign here" box that agrees to all of those things.
So if you're struggling to get clients to buy your care plan, maybe it's because you're waiting a little too long or not talking about it early enough in the process. I recommend that you start talking about the management of the website in the very first conversation you have with the client. When you're starting to talk about pricing in general, position the care plan as, you know, the cost to build, the cost to manage. We're going to be here for the lifetime of the project to help you, you know, as things come up, and it's just all part of the conversation from the very beginning. I think you'll be much more successful at selling care plans if you position it that way and don't offer it as an option in your proposal. Make it part of the price.

So how do we educate clients? Education is key in selling care plans. Many clients don't understand why they need to have a care plan to begin with. And so one of the first things that I would recommend is that as you're talking tech with clients about anything, focus on benefits, not features. Save the technical talk for people that, you know, love the technical stuff. Most clients that you're going to work with are, you know, busy professionals or business people; they're not as interested in technical things as we are. Generally speaking, don't talk about gigabytes. As much as we love Patchstack, I don't talk about Patchstack with clients. As much as I love Solid Security Pro, that never comes up in a client conversation. As technical people, we love those details about our care plans. We love to talk with each other about those things. But in most cases, features don't sell. The small little things like Patchstack and Solid Security, those are things that are internal for us. Clients generally aren't as concerned about those things. What they're concerned about are the benefits. "With this care plan, what does that mean for me?
I'm busy doing my business and doing my thing. I don't care about all these little technical details. How does your care plan benefit me?" And the primary benefit of a care plan is simply peace of mind for the client. I cannot tell you how important this is. It's very easy for us who love technology to get into a conversation with a client and tech them to death. It's just not a good idea. It's much better just to explain to the client the benefit: the reason we do this is so you can go about your business and not have to worry about the health and management of your website. That is absolutely the reason, and the way to most effectively sell a care plan. And part of this is just learning to determine what is the most important thing to a client. So we're going to see this pop up several times during the next few minutes in my talk, but you may have a client who, for whatever reason, is all about backups. Now, backups are important, we know that, and I will mention that as part of our care plan explanation, but goodness, they don't need to know where we store backups and how often we necessarily run it or keep an archive. Most clients don't care about that level of detail. They just want to make sure the site is backed up. But I've had conversations with clients who've been burned by backups, and a lot of times they have very granular questions. So when those things happen, absolutely engage with the client on those sorts of technical details, but in general, stick with peace of mind, and that's really what the client is after.

The next thing to consider, just another guiding principle in educating clients, is to position security as a partnership. So keeping a website secure, as you've heard throughout all of Disaster Week, there's a lot we can do on the website to keep a website secure, but the weakest link in the chain is typically the user, right? So we need that security to be a partnership between us and our client.
We can secure their website, but the client has to do their part too, and by the way, your contract needs to reflect this and explain what the client's responsibilities in web security are. And those can be conversations as well, as you're onboarding the client into your management service, about the kinds of things they ought to be paying attention to, the things that we've talked about throughout the course of Disaster Week. I'm going to give you a few ways to talk about those things later on in the talk today.

Another guiding principle is this question that clients always seem to have: "Yeah, but why would a hacker even go after my site to begin with?" This is something that most clients don't understand. "I'm just a small business," or "We're just a little nonprofit," or, you know, "Why would they even care about me?" And my encouragement to you would be: find a hacker analogy that connects with this particular client. See, it's not personal. Hackers don't care if you're a small nonprofit, if you're a mom-and-pop shop someplace, whatever. They don't care about you personally. Usually they just want to use your website for gain. And there are some reasons for this. So try to find an analogy that connects with your kinds of clients. The story I always tell when I'm talking about, or if a client has a question about, why would hackers hack me, is a story that happened several years ago in our neighborhood. Now, we live in a very safe neighborhood. But several years ago, we had a string of car break-ins, and it turned out, you know, people's cars, they weren't being damaged, but things were being stolen out of them.
And it turns out that there were a bunch of teenagers walking around the neighborhood late at night, walking from driveway to driveway trying the door handles of cars that were parked, and if a car was left unlocked, they'd go through the car and steal contents out of the glove compartment, or purses, or anything that was left in there. They'd take those, and that's what they would do. And that's very, very similar to what hackers do. They're just checking doors and windows of your website to see if anything is going to let them in, to give them easy access. But a hacker doesn't just try one door at a time. They've got software that scans the web looking for thousands and millions of open doors and windows. It'd be like the hacker pressing one button and checking all the doors and windows of all the houses and all the cars in my whole neighborhood, and that's what they do. Again, it's not personal. They want to use your website for their gain.

Now, what do they possibly have to gain from my little website as a little nonprofit or a little mom-and-pop shop? Well, they want your server resources. All the spam messages that you and I get, those are generated a lot of times by compromised servers. Oftentimes a hacker will go in and add some code to use the server resources to help generate cryptocurrency. It's not about you; it's about what they can use your server resources for. Sometimes they'll do content injection, where they'll inject ads for products that you probably don't want on your website, or they might redirect your website to other websites, and they do that very cleverly. So again, it's not personal; they're just trying to use your website for their own gain. They'll also inject malware that can be used to further infect the visitors to your website. So all these are reasons. They don't care who you are. They just find an easy target that they can leverage to use for their own purposes.
So find an easy analogy that connects with your customers. For me, the car break-in one always works well. And then explain that it's not personal. They're not after you; they're after your server resources.

So how do we then go about presenting a care plan to a client? I always use this. This lingo actually came up accidentally one day as I was meeting with a client in a coffee shop face to face, back when we used to meet face to face with our clients. Goodness, it's been a while since I've done that. But I actually took a napkin and I drew out this box with a big WordPress W in the middle, and I called it the four walls of protection. And here's what's included. I still use this explanation today. It's an acronym, HUBS: H, U, B, S. These are the four primary things that our care plan does. We provide hosting, we provide software updates, we provide backups, and we provide security. And those are the four walls of protection that keep our WordPress sites safe. And this is what we offer as part of our care plan.

Now, as you're presenting this concept to your client, there are a few things to keep in mind. I'm going to go into each one of these and kind of how I talk about them. The first, as throughout this whole process: pay attention to your client. If you're like me, it's really easy to geek out and go down a tech rabbit hole the client doesn't care anything about. So I'm really careful, as I'm talking about anything technical with the client, to watch for eyes glazing over. You know, you're talking and you're really excited about what you're talking about, and you realize the client has checked out. They don't care about any of this. So you have to pay attention to your client and just ask yourself, what are the parts of this conversation the client is really interested in? And you want to give just enough detail to satisfy their interest without going into depth by details in technology, right?
Remember, the big picture of all of this is you're selling peace of mind. And if you think I'm oversimplifying that, I promise you I'm not. I've been selling WordPress care plans since about 2010. So, you know, 14 years I've been selling this, and doing a pretty good job of it.

It's about peace of mind, folks. This is ultimately what clients buy. That's why they want a care plan. They just want to know that you are going to be there to take care of the website if something goes wrong. Some clients may have particular technical concerns to ask about. Awesome, let's get into it. But in general, they just want to know that you are someone they can trust. Buying a care plan is a trust-based decision that the client makes. So again, throughout this, try to create analogies that the client can understand.

You know, technical things can be a little hard for some folks to grasp. Nothing wrong with that, but just try to make them practical with some analogies. I'm going to give you a few throughout this.

So when we get into the first wall of protection, which is hosting: for us in my agency, hosting is included as part of our care plans. We do not manage sites that we don't host, so if you want to bring your own hosting, that's not an option for us. Now, you as an agency owner can make that decision. I strongly encourage my coaching clients especially: don't do this, don't have websites on lots of different platforms with hosting that's all different, and some have different requirements, and the control panels are different. It's a killer for efficiency in your process. It's much better to have all the sites you host on a server that you control. Now, that's the benefit from my side. From my client's side,
the benefit is what I tell clients, literally: as we build your site and manage it, I want to be able to look you in the eye as a business owner and say, we're going to take full responsibility for managing your website so that you only have one person to call if there's ever a problem about anything. What we don't want to do is get into a blame game between your hosting company and what we're doing, where they might blame us, we'll blame them, and you get caught in the middle. We want you to be certain that no matter what, you have one person to call, one business to call, one neck to strangle if there's a problem, and we're going to take full responsibility. We can do that because we control the whole situation from end to end, from hosting to site. We deal with all of it. We have a private server that's optimized for WordPress and our process, and that allows us to build the site efficiently for you and to manage it successfully for the long term. Now, that's the way I position hosting, and in general, I don't have to do anything more than that. Our clients in general, and honestly most clients, good clients especially, are not going to push back too much on you on hosting if you have your solution, because again, they want someone they can trust who's going to be there for the long term. And if you bring hosting to the conversation and you have a solution for that, it is much better for the client because they don't have to worry about it anymore.

Now, occasionally a client might bring up, well, what about, you know, I get hosting on fill-in-the-blank name of the host for $5 a month or $8 a month? I don't get that much anymore, but I used to a long time ago. And the way I would explain that situation is: look, sure, there is $5 hosting out there. You can also go on Facebook Marketplace and buy a car for $500. I wouldn't recommend either if you're serious about your business.
You know, you can buy a car for $500 on Facebook Marketplace. I wouldn't put my family in it. Just like you can go and get hosting for $5 a month, I would not put my business website on it. So there are huge differences between the level of hosting that we offer on our server and what you're going to get on cheap shared hosting. Shared hosting is like an apartment building. Here's an analogy. It's an apartment building where you can't control who your neighbors are. So, you know, the people next door to you on that server: there are thousands of sites on a shared hosting platform, all sharing the same IP address. So you are at risk of misbehavior by your neighbors over which you have no control. Or you might find that your speed goes down because of what other sites on the server are doing; your system resources are unpredictable because of what other sites on the server are doing. You may find that one of the sites on that server gets compromised and they're hacked, and that server is sending out millions of spam messages every day. Well, guess what happens? That server IP gets blacklisted on some banned list, on a spam list. And now you have problems with your deliverability because you're wrapped up in the same IP address. Hacks on other sites affect you. So it's much better, if you have a premium website and you're paying for a professional to build your website, to get professional hosting to go along with it. Don't put yourself in a situation where you're in an apartment building with neighbors who you can't control, and that's going to affect your business.

As we turn the page to software updates as a feature of our care plan, we're talking about WordPress core, theme, and plugin updates. Now, I call these software updates when I'm talking to the client so as to avoid any confusion with content updates. I found this is really important to do; that phrase, software updates, makes sense.
It's something a lot of folks can relate to because we do software updates on our computers. And I found actually, when I start talking about updates, the client's thinking about, you know, adding text, adding things to their website, which we do; that's just another conversation. So I always talk about updates using the phrase software updates. And I explain to the client, we have a scheduled process that we do every week. It's reliable for doing software updates across all the sites we manage, so your site is going to stay secure and healthy. Now, when it comes to software updates, sometimes non-technical clients don't understand why this is important. Why would you have to do that anyway? Can't you just build a website, and there it is, and it's good? Unfortunately, no, that's not the way websites work anymore. A good analogy is the software updates on your computer: can you just buy a computer and you're good? Well, you could. But the software on your computer has to be regularly updated because of vulnerabilities that are found. If you're not updating your web browser to the latest version, or at least have those auto-updates turned on (super important), you're going to find yourself with a security vulnerability on your website. So people, even non-technical clients, tend to understand the software update analogy. And I'll often ask, okay, so be honest: how often do you ignore the software updates on your computer? Delay, remind me tomorrow, or do it next week? You know, just get rid of the thing because I'm trying to do something right now. You can't ignore it when it comes to web updates. If you ignore those software patches on your website, your site could be compromised. So, you know, what would happen if your computer gets infected? You might get malware, you might get some other things. But if your website gets infected, your business is at risk. It's a big, big deal. Now, there's also the approach for semi-technical clients.
Maybe some of your clients have done WordPress before, and they're familiar even with going in and hitting update and watching all the things update. And they think it's just as simple as clicking a button. And that is sometimes true. Sometimes running WordPress updates is as simple as clicking a button. But what happens when something goes wrong? And how do you know if that might happen? So if I have a client that pushes back, "I run my own WordPress updates," the question I would ask is: how sure are you that you're going to do this regularly? Because it needs to happen at least weekly, just like Timothy said in the last hour. How sure are you that you will do this every single week without fail?

When you've got a business to run? Oh, well, my secretary will do it. Oh, adding that job on to someone who already has a bunch of things to do; you know, how sure are you this is going to happen regularly? Most clients that I've talked to are not sure, so they begin to think about this. Also, do you investigate major plugin updates before you run an update? Good grief, before we update WooCommerce on any sites, or any big plugins like that, we're looking at the developer blog, making sure that there's nothing here that might impact what's going on on that site already. You need to investigate major plugin updates before you run them. That's my opinion.

So a lot of times it is as simple as just clicking a button, if you know what you're doing and what's being updated, and if it's on a regular basis. And so what I tell clients like this is: listen, for a small monthly fee, we're going to take care of all this for you: hosting, updates, backups, security. You don't have to worry about it at all, and you can just do your business. You don't have to think about the website; you can offload that whole piece of your business for a really small monthly cost. That is a strong sales pitch to a good client.

All right, the next part of HUBS is the backups.
So in general, there are very few people these days that I've come across who don't understand the importance of backups. We get that backing up things is good; we want to have a backup of our website. So there are two key reasons that I tell our clients that we have redundant backups. The first is human error. If you, Mr. and Mrs. Client, are logging in, you're making updates, and you break something, you don't have to worry; we have a backup from at least 24 hours ago that we can roll back to and fix anything that was broken. We also have redundant backups in the case of disaster recovery. So if your site gets hacked and they get through all of our layers of defenses, we can roll back to a backup and patch the things that need to be patched. Or, you know, let's say something happens and there's a broken update, and we can roll back and keep the site up; it gets the site back up very, very quickly. So we do these redundant backups to keep the site secure, just in case anything might happen. Now, hopefully you do have a backup strategy, and you have a consistent backup strategy that you use for all the sites that you're managing in your care plans. And if the client's interested, this is a good time to explain what that backup strategy is. And so we have a multi-tiered backup strategy, where a hosting-level backup is our first line of defense, and we run a daily full-site backup that's stored off-site with a six-month archive. That gives some clients peace of mind, and they want to know about that. But again, you have to kind of figure: is this important to the client? How many details do they need? And give them what they need to be satisfied.

All right, let's talk about security. We've been talking about security, but now security as a service. I explain that we have a multi-level strategy to keep your website secure. So security is critical when it comes to your website.
And that used to be a hard sell. These days, with all the website hacks and compromises that are in the news regularly, in mainstream news, people are more and more understanding, and I'm noticing these days with my clients that much less of an explanation is required than it used to be in years past. But we have this multi-layered strategy that we use to keep our sites secure. We provide a free, industry-standard SSL certificate as long as we manage your site. You might think that's a no-brainer, but it is amazing to me how many clients we have that come to us who are still paying annually for a security certificate. It blows me away. The industry-standard SSL has been free for years. And we provide that, of course, so sometimes we can save our clients money. So here's what I mean by layers of security, if a client wants to know more about this. Again, for many clients: we have a full strategy to keep your site secure, so you don't have to worry about it. And a lot of times that's all they need to know. If they want to know more, here's what I'll explain. We start with architecture. So I'm going to start at the core of the security and work my way out through all the layers. So the first is architecture. We're only going to use reliable themes and plugins to build your website. So many, many of the vulnerabilities that are associated with WordPress, and a lot of people say, well, WordPress isn't secure. And like Timothy said in the last hour, WordPress is very secure in the core. It's these plugins or themes that are added that are from maybe questionable sources, or developers that may not be as on top of things as others are. That's where a lot of the vulnerabilities come from. So we only choose the best themes and plugins to build your site. Then we go through, at launch, a 40-point lockdown, or fill-in-the-blank-number lockdown, process that we use to launch your website.
Well, Nathan, what is your 40-point lockdown process? Okay, go through and count the number of settings that you make in Solid Security.

And if there are 40 of them, that's your 40-point lockdown process as you're launching the website, and any other changes that you make. It's a really good line to use with clients, and it's 100% true. I don't feel like this is shady at all. There are 43 points that we go through to lock down your website using the security plugin.

So the client knows this is a detailed process. There are a lot of things that are being considered in this situation. Also, now that the site's locked down, now we move out to the next layer, user security. So built into the security that we have for your website, we offer two-factor authentication, passkeys, compromised-password protection, all the things that Timothy talked about in the last hour. We've got the way it's built, the way it's locked down, user security; now on our server itself, our server, which is ours, the private server, it has security protocols and intrusion detection in place. What is intrusion detection? We watch your website. Our friend Tom, right there, watching the website and seeing what's going on with anything, you know, that's malicious or has malicious intent. So our intrusion detection system is in place, and even above our server there's another layer of network protection, for which we use Cloudflare. We have network-level filtering that blocks many of the bad guys before they can even get to the server in the first place. So starting with the core and working all the way out, we've got these layers of security, with that wonderful analogy that Thomas raised with us yesterday of stacks of Swiss cheese, and it's going to be very difficult for any one hole to make it all the way to the bottom to let an attacker into our network. I just love that analogy.

All right. So this is what we do. These are our things and what we do to keep your website safe.
Now, there are also some responsibilities that you as a client are going to have in keeping your website safe, because like I mentioned, security is a partnership. We will keep the website secure, but you have the responsibility of keeping your computers and logins secure, any computer that logs into the website. So a great analogy here is that we can put the best security system in the world in your office building, but if you leave the front door unlocked, it's not going to help very much. So just like in Timothy's presentation in the last hour, there's still a large percentage of attacks that are coming right in through the front door because of user security. And so, yeah, that's the part that the client really needs to take a look at. So security is a partnership: we do our part, you do your part, everything stays secure. So, by the way, again, very, very important: your contract should explain the client's responsibilities in security, so they sign that as part of their agreement in working with you. And then maybe you have some training, or a little video, or, you know, a little guide that you give to them on launch that explains those things. So what do the client's responsibilities entail? What does it include? Well, the first, as we've talked about a lot through Disaster Week: good password practices are critical. So what I tell my clients is, you're going to log into the website as an editor who has the ability to edit pages. You must use a strong password, as shown by the WordPress password indicator, for any account that edits the website. This password can only be used on the website and nowhere else, and we recommend using a password manager, and we'll give them our recommendation. We as an agency use the Keeper password manager. We love it. I think it's awesome. That's the one we settled on after the LastPass fiasco a year and a half ago.
We love Keeper. We're an affiliate for Keeper, and if a client buys, you know, we have an affiliate link we give the client, and then we can share passwords easier, and so forth. So I see there are a lot of great questions in the chat. If you'll put those in the Zoom Q&A, we'll get to those at the end.

So, good password practices: use a password manager, a complex, unique password that's only used on that website. Also use multi-factor login and trusted devices. So, explaining two-factor authentication and passkeys: passkeys have gotten a lot easier to use now than they used to be. Trusted devices, we've talked about that at length in Disaster Week. We've shared with you the links in the chat where Timothy walked through that whole flow of setting up a trusted device and what it looks like if a non-trusted device has intercepted your session cookie.

That was a really excellent webinar, so go back and rewatch that if you haven't already. And again, Solid Security Pro makes all of this easy. So the client has to practice good password hygiene. They also need to keep their individual computers protected. So as part of our agreement in our contract, any computer that logs into the website must be protected by maintaining updated security software. So you have to have malware protection that's updated on a regular basis, and only use the latest browser versions. Make sure your browser has auto-update turned on; most browsers do these days. But also your operating system and other apps on your computer all have to be up to date, because all of those can be used to inject malware, which can steal your passwords or session cookie. So practice good hygiene. Keep your computer safe.
Those are the two primary areas of client responsibility in website security.

All right, one last thing I want to cover today, because it's always a question and I just think this is a helpful thing.

How do I price my care plan? So, if I use all the products that SolidWP offers, and by the way, I hope you caught on to this: all the areas of the HUBS strategy, the four walls of protection, other than hosting, the products from Solid give you all that you need to offer a great care plan. So, doing updates using Solid Central, putting all your websites in a dashboard so you can see an overview of what sites need updates and execute your updates there; backups using Solid Backups; security using Solid Security. All of our products are created to help you have a good, reliable WordPress management system. So what can you do now to charge; what should you be charging for your plans for your clients? So the one kind of rule of thumb that I give here is that the price that you can charge for your care plan is often based on the price that you're charging for the site. So here are some general guidelines. And by the way, what I mean by that is, if you're building really inexpensive websites, it's going to be very unlikely you can sell a very expensive care plan, because your customers aren't at that level. So your care plan price often depends on website build price. So this is just a basic guideline. Okay, if your typical website price is under $2,000, then you could probably have a typical care plan starting at about $50 a month, roughly.

If your website price is $2,000 to $3,500, you might be able to charge around $75 a month. If you're $3,500 to $5,000, maybe $100 a month. Above $5,000, maybe $150. But again, these are just guidelines and thoughts. We did a poll on this in a recent premium webinar with our members. This was about where everybody landed on what they were charging: between $100 and $150 a month for most sites that fell within this price range.
And so again, this is not a rule that says you have to do it this way. But if you're wondering, am I charging too little? Am I not charging enough? This will give you at least some guidelines as to what other folks are charging. So hopefully that's helpful. Now we have plenty of time for questions. We've covered a lot. I've been talking a lot. Plenty of time for questions here, and I see that there's a bunch stacked up in the Q&A. If you've asked a question in the chat, if you would, please just drop that in the Q&A. It'll be a lot easier for me to just scroll down and take those one by one. In the meantime, I will reflect back to the discount code. This should actually be "Disaster Week 40" out there, and that gives you 40% off of all SolidWP products if you're a new customer. It is not available for renewals or to extend an existing subscription. It also doesn't work on Solid Central monthly plans. It does, however, work on the Solid Suite, which includes Solid Central. It does not work on Patchstack add-ons; if you're a legacy iThemes customer, those are done site by site. All right, so Disaster Week 40 gets you 40% off of all of our things. Okay, with that, let me turn my attention to questions. And if you folks will also open up the Q&A and upvote the questions that you would like to see answered, we'll spend the next 10-15 minutes talking through some of these.

All right, first question from Dave: does the care plan pricing that I suggested include hosting? So yes, I include hosting in the care plan and in that pricing. And so what I typically recommend for folks depends on, you know, how technical you are, how comfortable you are with dealing with server-related things. If you're not technical, then go towards a managed WordPress hosting situation like Nexcess; you can buy a bundle of sites and put your clients into those.
If you are more technical and you're okay with, you know, a few server technical things, then get a VPS from a good, reliable web host that has excellent support, like Liquid Web, and you can stack your clients on a VPS. There's usually more profit margin on a VPS than there is in managed hosting. But I roll all that into one price, and the client pays one price. Yeah, so hopefully that answers your question there.

All right, next up is Sue, an upgrade question. I bought a single SolidWP license in addition to my Toolkit while I decide if I want to keep the Toolkit or buy another Solid license on sale; does it add to my account? No. So you would be an existing customer in that scenario?

Yeah.

So it does not work to extend or add to existing customer licenses; that is tied to your email address.

Ah, question from an anonymous attendee: instead of me educating about the care plan, can you just create a video that talks to all your clients that are onboarding? Absolutely, absolutely. So, you know, well, okay, let me back up.

First of all, talking about the care plan should be part of the sales process. Okay. So as I'm talking to the client, in that first conversation, which I call a discovery call in my world, where we're talking about all the things that the website needs to do, the functionality, you know, all the factors of this project, I also have a section of that conversation in which I talk about the ongoing management of the project. There's a question in my discovery form that asks the client,

do you need, I forget exactly how it's worded, it's basically, do you need a... how will the site be maintained going forward?

It's more elegantly worded than that, but that's basically it, and it's a jump-off point to have this conversation about a care plan. So that education and talking about the need for a care plan, I think, best happens in a sales conversation, just the basics, right?
And what you don't want to do is, at the very end of a project, just drop it into a proposal when you've never talked about it before. You want to let the client know that the way you approach website building and management is as a holistic process. There's a cost to build the site. There's a cost to manage the site. It starts around this amount for website management, and we include that in our proposals. That's what I would talk about in the context of a sales conversation. A lot of times what you'll find, though, is that it will help you sell a website when you talk about your lifetime approach to the website. Like, you're not just going to build it and disappear. That's what many web developers do. I'm constantly surprised by this. They just want to build sites; they don't want to manage them. The long-term money in website work is the management. It's recurring revenue. That's what lets you stay in business for a long time. Anyway, I'm getting off down a tangent, but the education piece starts at the beginning, to introduce them to the idea of a care plan and why it's important. I think it makes a lot of sense to have a video right at site launch, when you're onboarding them out of the development process and onboarding them into management: this is what our care plan covers; these, again, are your responsibilities. Having a video or a little handout, a downloadable, with that is super helpful. Yeah.

All right. Next up is AJ. AJ: what hosting do you use in your agency? Is it an in-house solution, or do you contract hosting companies? Great question, AJ. My goodness, I do not want to have a web server in my basement. Absolutely not.

There was a day in my life where I probably thought that would have been cool, but good grief. All of the intricacies that are involved in website hosting, there's just too much. It's too much to know and be doing web and know all about web and WordPress.

It's just too much to know.
So my suggestion is always to have a hosting partner. You have your sites with this host, whether that's a single managed WordPress solution like Nexcess, or a host that's more traditional that has dedicated servers, VPS, like Liquid Web. We had a dedicated server at Liquid Web for years, and we did that because the support was awesome. So if there's ever a problem, you reach out, support takes care of it. And otherwise it just works really well. So you have to decide which situation is best. Nexcess is a Liquid Web company. SolidWP is a Liquid Web company. So I'm mentioning those. There are many good hosting options out there, but I would advise you to look at Liquid Web and Nexcess to start.

All right, next from an anonymous attendee: how much time is involved in the care plan? Small monthly fee, what is it? Okay, great question. So, anonymous, let me ask you if you could clarify in the chat. What do you mean by how much time? Do you mean how much time does it take to manage a bunch of websites? Or are we billing the clients for time? If you can clarify that in the chat, I'll try to answer it.

So, I'm going to step up and put my coach's hat on here, okay. As a business coach for micro agencies, what I advise people to do, and it's what I've done for years in my agency, is: you don't want to bill by the hour. Billing by the hour is no fun. You end up losing track of time; it takes forever to do. I, as an agency owner, want to be in QuickBooks as little as possible, right? And so a change that I made years ago, instead of having to just kind of track time on all these things and build little bitty invoices that I never seemed to do: what I did was, when we raised our prices on care plans, I bundled in two fast tasks, built in with every plan, every month. So every client that is on a care plan has included in the care plan up to two fast tasks every month. They don't roll over; every month has up to two of them.
And a fast task is something that we define as something where we can read a ticket, do the thing, and reply to the ticket in about 15 minutes. So these are things like: hey, I'm attaching a blog post in Word, would you post this on my site? Hey, can you add this new staff member? Hey, can you update this wording or add a sale price to this product on my WooCommerce site? Small tasks. If a client needs more than that, then we'll increase their service level agreement to have more fast tasks. If a client asks for something that is, you know, like, build me a landing page, that wouldn't probably be a fast task. And so we would give them a flat price for that amount. So that would be more of a project instead of billing by the hour.

Matthew's asking about what a half a fast task is, a not-so-fast task, a fast task of the past tense. So just try it. My advice as a coach is to make the billing part of your business as simple as possible. I cannot tell you, so over the years, in the last 10 years I've been coaching micro agency owners, hundreds and hundreds, maybe, you know, probably getting close to 2,000 conversations I've had over that time, maybe more. I haven't done the math. But in those conversations, when I talk to a coaching client about the frustrations they have in their business, it almost always comes back to billing and finances and keeping all that stuff, and they've created for themselves a billing environment that is hard to manage. So simplify that billing, the whole process of billing and the way you're tracking work, and life gets a lot simpler, I promise. Okay, next up is Jeffrey: does your recommended price include hosting? Yes, so we answered that question a bit ago. Matthew: can you share the link again to buy the Patchstack add-ons for legacy customers? I've been looking but I can't find it. Okay, so Matthew, I don't... since I'm broadcasting right now, I can't go back and look for that.
It is like the link that I shared earlier that talks about?

Well, it's in the chat. I shared it earlier, and I marked it as: this talks about Patchstack upgrades. We went through that whole process. It's in the Solid licensing portion, I believe, and you just click, and it takes you to the Solid cart, and you can add licenses one at a time. Like, you can buy three, or one, or 52 if you want, and then you'll have that bulk, that bundle of licenses, which you can then apply to an individual site.

So I'll go through that whole thing in that live stream. If you'll just go, you can kind of scoot through the live stream and you'll find it.

Thank you, Doug. It's under Security and Firewall. And again, if you have questions, just reach out to support and they'll walk you through all that.

An anonymous attendee is asking how hours and billable hours are related to starting prices. So I answered that a little bit a minute ago, and whoever you are, anonymous, if there's more texture to that question, then just drop it in the chat and I'll try to elaborate more.

All right, Jeffrey: what about training? Do you offer any sort of training in your package, or is that extra? That's a great question. So, Jeffrey, we have a set of training videos that we have in every site that covers basic WordPress things. If the client needs additional training, that is billable. Now, a lot of times we'll cover this in the build project. So one of the questions we'll ask in defining the scope of work is: are you going to be getting in and editing the site, or is this something we're going to do? Do you need training on how to use WordPress? If they need that training, that's an itemized addition to the scope of work that's going to affect the cost of the project. There's a cost for training, right? An hourly cost. We'll usually record that training and make it available as a video link in the dashboard.
Sometimes what will happen is they'll have a new staff member come on board, and they didn't go to the training, and they don't know how everything works. Well, they can either watch the video that we provided, or they can schedule training, but that is going to be an additional cost that they have to pay extra for. So we don't include training in a care plan package, but it's something they can purchase extra if they want to do that; it's billable.

Doug: all of my clients were on board with a care plan some many years ago, all before Patchstack was available as an add-on. How would you approach existing clients who are on your care plan about paying more money? Great question, Doug. We should have a live stream about that. Oh, wait, we did. That's that link I mentioned in the chat a little bit earlier. So that whole webinar that I talked about, that I gave that link for a little bit ago (scroll back, it's up there) about onboarding, it's all about creating additional recurring revenue with Patchstack. So I talked in that live stream about creating an extra level of security, where you charge more. It's, you know, you could probably add $10-$20 a month, and the license costs you, you know, a couple of dollars a month, I think, per site. It's a big profit center. So I talk all about that in that process there. So I would just recommend, go back and rewatch that webinar. Jeffrey's asking, are those training videos available? No. But what I will tell you is the bundle that I use is called Video User Manuals, videousermanuals.com. There's an annual cost, and it embeds right into WordPress. It's great, and it even has some premium plugins in it. They have videos for all the premium plugins we use. We have a lot of sites on Beaver Builder; they have videos for those. We use Gravity Forms; they have videos for that. They have videos for WooCommerce.
They have classic editor, block editor, all the things and we just pay one fee for that every year. And those basic videos are in every site dashboard. It's excellent.\r\n\r\nMatthew, you mentioned you do coaching for agencies, is there a community forum or slack channel for designers or web hosters that you recommend? Where we can chat with peers? Absolutely. Matthew so my favorite group, well aside from our solid Academy, Slack group, of course, which you can get access to if you're a member of solid Academy, the Facebook group called the admin bar, it's run by my friend Calvin Dusen. Awesome. admin bar is great. I cannot cannot recommend it enough 1000s of WordPress folks just like us doing agency stuff with clients. They're in there. It's a brain trust. It can often be a firehose of information, but also become a solid Academy member. All you have to have is a solid suite license. It starts at 199 A year 40% off your first year. You get to be a solid Academy member come into office hours every week. You can ask whatever questions you want about business, about technical things, become part of the community. There's a lot of fun folks that Hangout every Thursday with me during office hours. And we have that slack group for offline conversations as well. So check that out.\r\n\r\nLast question. from Matthew, will this webinar be archived? Absolutely. I'm dropping the link for it again in the chat. The final link there is the replay link. It takes about an hour maybe a little longer today because it's a two hour video. It basically as long as it takes for zoom to render that video and push up to Vimeo we'll have the replay posted.\r\n\r\nSo Umberto, if you are a member, reach out to solid support and they will give you the link to join the slack group.\r\n\r\nMatthew, so legacy license owners can be part of solid Academy. So here's the history on that Matthew. 
And when you say legacy members I'm assuming you mean like you have an an older I think security license like IBM Security gold or something like that.\r\n\r\nWe use that so this training used to be called I iThemes Training and it was a product that sold by itself.\r\n\r\nSo it was you know something you could purchase individually or it was included in our toolkit or I think Toolkit, which included a whole bunch of things. So if you only had a security license, then you wouldn't have had access to training and you won't have access to a cat the premium Academy. We do a lot of free Academy events also, though, that anybody has access to but if you want access to the premium pieces of Academy, you can get that now through the solid suite. Any member of the solid suite has access to the solid Academy. So all right a lot of stuff today.\r\n\r\nAny final questions, drop them in the chat and I'll try to answer those and then we'll wrap things up otherwise.\r\n\r\nWell, I do appreciate you hanging out with me and lasting through the last four hours of training. This has been fun. We do this at least every year and disaster week, where we take a lot of time and talk about WordPress security issues. We started off with a great state of WordPress security from our friend Kathy Zant. Great WordPress experts panel if you missed that panel yesterday, that was quite a discussion with a lot of insight a lot of fun. I was some really smart people that WordPress security go back and rewatch that that replay is already up. And then today we had a great talk with Timothy and then the stuff that I talked about as well. Hopefully it was useful. Well that's gonna wrap it up for us for a disaster week. 2024. Again, the replay will be up later today. And if you remember hopefully I'll see you back here on Office Hours. 
That's tomorrow starting at 1pm here on Solid Academy, where we go further together.

Disaster Week is great for anyone who owns or manages a WordPress website. The topics covered during WordPress Disaster Week will help you understand the basics of WordPress security, how hacks happen, and how to secure your site.

WordPress Disaster Week is also great if you build or manage websites for clients, as we'll cover a session on how to talk to clients about WordPress security.

Register once to attend all sessions of WordPress Disaster Week. If you can't attend live, we will send you the link to view replays of the full event!

Live transcript (Day One):

Again, welcome. If you're just joining us, it's Disaster Week 2024. We have Kathy Zant here. She's going to be talking about the state of WordPress security in our first hour, and then we have an excellent lineup of security experts and a panel that is coming right up. We're going to be getting things underway here momentarily. The links I posted in the chat just a minute ago are not correct. I'll get that straightened out in just a minute.

Oddly, that should have been working, but hey, it's Tuesday.

Again, welcome everybody. It's good to see folks logging in from across the country and around the world. Hi, Kay. Sue is here. Barney, welcome. Thomas Byrne. Paul Class, Doug. Good to see everybody today. We'll have the links up for you in just a moment.

Again, welcome. We'll be getting started officially at about three minutes after the hour. So glad you're here just a bit early. We'd love to hear from you in the chat, where you're logging in from, and here are the correct links. There we go. This is, of course, being recorded; the replay's available at the link that I just posted. You can also download Kathy's slide deck; the link is also there in the chat. Really glad everybody's here today. Welcome. Welcome, Dan.
Good to see you, Rob.

Great to see everybody logging in today.

Hi, Tina from South Africa. Welcome. Welcome, Marie. Welcome from Massachusetts.

All right, folks. Good to see everybody coming in. Hey Stacey. We're about three minutes away, three and a half minutes away, from getting started with Disaster Week for 2024. This has been an annual event here with SolidWP, formerly iThemes, for many years. We always enjoy bringing some great experts on this topic to give you the lowdown on what you need to know as you're managing your own WordPress site or perhaps even managing sites for clients. So welcome, everybody. We have a lot, lots to talk about today. Great panel of experts, plenty of time for questions. The world of WordPress security is much more complicated today than it has been in the past. And Kathy is going to unpack a lot of that for us here in just a little bit.

Oh Sue, that's great.

Welcome everybody. Just about three minutes away from getting started. Kathy Zant is here, where she's going to be talking about the state of WordPress security to get Disaster Week going. I'm really glad to have everybody here. Welcome to folks across the US and around the world. If you're just logging in to Zoom, open up the chat and say hello. The slide link bundle is in the chat; today's slide deck is there. Also the replay, if you want to go back and rewatch this live stream, you can do that at the link there in the chat. Share that with anyone as well. Those links will be available. Hey Michael, good to see you.

Melissa, welcome from France.

Great to see everybody. Hi, Frank. Melanie.

And I am using the wrong microphone. Wow. All right, that should be considerably better audio than it was before.

I thank you so much for that little tip.

Melanie, I appreciate that. Yes, yes. Yes. All right. Welcome, everybody. We are just about two minutes away from getting started with Disaster Week.

The link bundle is there in the chat. You can download today's slide deck that Kathy has on her screen now and follow along if you'd like; I think there are some helpful links in there as well. Also, the replay of today's event will be at the link there posted in the chat as well. You'll be able to share that video out.

The chat log and transcript for this event will also be there, at that link.

Niles, welcome.

Hey, Charlie, welcome back. Mateus, welcome. Good to see everybody there in the chat. We're about a minute away now from getting started with Disaster Week. Kathy Zant is going to kick us off talking about the state of WordPress security. Hour two today is going to be a star-studded panel of security experts who will be here to talk about some of the current issues in WordPress security in the next hour. And of course, have plenty of time to answer your questions as well. Welcome, George. Glad you're here.

Folks, if you're coming in to Zoom, we invite you to open the chat, say hi and tell us where you're logging in from. If you'd like to chat with others during the live stream, make sure that you've dropped down the little blue drop-down above where you type in your chat to "everyone," not just "hosts and panelists." It does default to hosts and panelists for some reason, but if you'd like to chat with everyone, just make sure you make that change.

Once again, if you're just joining us, the attendee number is ticking up. The link bundle is there in the chat. You can download today's slides that you're seeing there on the screen with Kathy's State of WordPress Security. Also the replay link is there for you. Hey Rob, Vera, welcome. Glad you're all here. Just about ready to get started. Kathy, ready to light this candle?

I am ready to kick this off, the fun. Well, let's get started.

Well, good afternoon. Good evening. Good morning, wherever you happen to be around the world. Welcome to Disaster Week 2024 here on the Solid Academy. This has been an event that we've done for many years here at Solid, formerly iThemes, as we talk about the state of WordPress security and give you tips from experts as you seek to make your WordPress site safer and protect the sites of the clients that you are helping as well. I'm joined today in our first hour by Kathy Zant. Kathy, it's so great to have you back. Kathy is an internationally recognized expert on security and marketing, data-driven website development. She's spoken at countless events worldwide and is a frequent guest on all sorts of podcasts about WordPress and other emerging technologies. Kathy, welcome back. How are you?

I'm so happy to be here. It feels like coming home to the gang, and I'm so happy to be here. Thanks for having me back.

Absolutely. So a lot of folks are saying hi to you there in the chat. You've got a lot of fans here in the attendee group today.

We're talking about WordPress security and the things that you need to know here in this first hour. Kathy, let's just talk for a minute about how you got interested in WordPress security. When did you start this and how did it happen?

Yeah, well, I got interested in security back before WordPress. I inherited a server, a web server, from the technical people. I was the marketing person, and that server got hacked, and so I was thrown into the depths of learning about security in the early days of the Internet and learned how to spoof emails and do all sorts of things. So that was way before WordPress, and then when I first started, like, migrating some of the sites I was developing, you know, coding myself, and migrating things over to WordPress just because it was easier to manage, the WordPress TimThumb vulnerability, my husband's site of all things got hacked. So that was an adventure. "You got me on this WordPress stuff. You better fix it." Yeah.
Okay, hon, I'm on it. I mean, so I got involved then, and, you know, I mean, then hacks happened, helped friends and everything. And then a company put out a call for people to clean hacked sites, and I was basically helping my husband run his business and I was a little bit bored. So I'm like, clean hacked sites, I've done that before, let me see if I can do this. So I was just cleaning hacked sites sitting next to my daughter, who was homeschooling, and I got sucked in. And now, look at me, I'm giving the State of WordPress Security. Almost sounds like I'm a security politician. No politics here, though. Promise.

Oh, well. We have a lot to talk about, because the state of WordPress security is always evolving. And if you follow security news, and we do a monthly news roundup here on Solid Academy, we're always talking about new and trending security issues. We also have a regular webinar at least every quarter with Thomas Raef of We Watch Your Website, giving us, really, scaring us to death, quite frankly, with some of the things that are happening on the cutting edge of the things that hackers are doing. So we have a lot to talk about today. Folks, let me give a couple of bits of housekeeping details and I'm going to disappear and let Kathy start speaking here. But if you're just joining us in Zoom, we're grateful that you're here. Hopefully this will be a good investment of your time today. I'm dropping in once again into the chat the link bundle for today, which includes today's slide deck, and also the link to the replay. We'll have the video of today's two hours posted by around four o'clock Central Time. That will also have our transcript and the chat log. So a lot of times during the live stream the chats will have some good information, so we save all that. It'll be available for you on the replay link that is there in the chat now.

Also, let me just invite you to go ahead and open up the Zoom Q&A. You'll find that link as an icon under Kathy's shared screen. If you mouse over the shared screen, you'll see the Q&A icon. That is the place to ask your questions. So if you have a question for Kathy, or anything related to WordPress security, please use the Q&A and not the chat, because the chat may go on past and we might miss that question. But if you use the Q&A, it'll be there. And also we invite you to keep that open simply because if you see someone else who has asked a question that you also have, you can click the thumbs-up icon. And we'll take the questions in the order of upvotes. Now, likely what we're going to do today is Kathy is going to speak and sort of set the table for us with all the current issues with WordPress security, then we're going to take a break, so no questions immediately after Kathy's talk today. We'll take about a 10-minute break and get our panel in place. And we'll take all the questions toward the end of today's panel discussion. So it's very important that you upvote the questions that are asked. It's likely we won't get to all the questions, but we'll take the questions that do have the most number of upvotes. So with that, I'm going to disappear, and Kathy, let's talk about the state of WordPress security.

Shouldn't there be like a band playing or something? I guess I'll just imagine that, you know, "Pomp and Circumstance" playing as we talk about the state of WordPress security. Now, when I first started cleaning hacked WordPress sites, WordPress security was a little different, a little more simple, but some things haven't changed. And I want to talk about some things that haven't changed and some things that will continue to kind of be sort of this undercurrent of WordPress security threats. But I want to talk about what is changing, some of the things that we're seeing, the trends that you should be aware of, of where we're going. I'll talk about some recent attacks that we've seen that are very interesting for somebody who's into security, maybe a little bit scary if you're not into this. Then I'm going to pull out my crystal ball, and I'm going to make some predictions about some things that I see in the greater security space that will come toward, presidentially. And then I have some thoughts about the WordPress security community, WordPress as a community, as an open source community. I fully believe that WordPress wouldn't be what it is today without you, without the community, without all of us helping each other. I have some thoughts about how security plays into that. So that's the little teaser. Is there going to be drama? Maybe. Stick around.

All right, so what hasn't changed? Hackers want to make money with your site. They want to take your server resources, your sparkly clean domain reputation, and they want to use it for their profits. So they're going to put spam on any site that they can hack. They're going to use phishing, malware, backdoors to get back into the server. They're going to do all sorts of crazy things with your asset. WordPress is an asset, and if you start thinking about your WordPress site as an asset, the same way you think about your bank account, your cryptocurrency, your home, your car, the shed in your backyard, all of these things that you want protected from malicious attackers and thieves, if you start thinking about WordPress that way, things will make sense, because that is something that hasn't changed: the profit motive, and that's the reason why they come after WordPress. WordPress is also powering more than 40% of the internet, and they target WordPress because they expect smaller sites, like yours in many cases, and larger sites, but mostly sites like yours, they expect it to not have as much security.

Now, the New York Times and Rolling Stone, rollingstone.com, use WordPress in order to present their content, but those major sites have security operations teams looking at every log file. They have security professionals looking at every login, but you are busy running your business. In many cases, small businesses just do not have the resources to watch security, so they expect less security on your site. So if they can hack into 100 WordPress sites, it's the equivalent of getting into one larger site that has a ton of traffic.

Plus, it's just your resources that they're after. Now, historically, what hackers have done is they've exploited weakness. Now, that could be weakness in the people who are running the site, who just don't know any better and are doing things like reusing passwords, or it could be a weakness in software, vulnerabilities. Typically over the past few years, decade, we've seen this in software packages, primarily in plugins and themes. There have been a few core vulnerabilities that have been significant, but in recent years we haven't seen that so much. But we're still seeing plugins that have vulnerabilities. We're still seeing some themes that have vulnerabilities, and sometimes those come under attack rather quickly. So software vulnerabilities and authentication issues are still going to be a problem. This is a problem in the wider space, not just WordPress as a whole, but it is historically how we have seen attacks coming at WordPress. The game of security, and one of the reasons why I love it so much, is, you know, some of you people do crossword puzzles and other things to keep your mind active. I like to see what hackers are up to. My friend Thomas Raef, who will be in our panel later, he likes to share the stuff he finds. He finds the most amazing malware and the amazing attack vectors and intrusion vectors. I find it fascinating what the mice are up to in order to get the cheese.
It's constantly a challenge, because you have security professionals who are trying to protect sites, and then we have security professionals, security black-hat professionals, who are trying to get into those things. So the constant cat-and-mouse game: sometimes the mice are getting in and sometimes the cat's got everything locked down. That challenge to me is exciting. And that's never going to change; that's how security works. You have security protections and hackers, just that hacker mindset, that playful "let's break out of these defined boundaries." It makes it interesting. So I find that very interesting, and this is never going to change. We are never going to stop hackers' activity; we are just going to be able to slow them down. They are always going to be looking for vulnerabilities that they could possibly exploit, so that cat-and-mouse game is going to continue forever. But what is changing is that these hackers are getting more clever.

The attacks are maturing. They're not just looking for plugin vulnerabilities, because we are seeing many plugin developers really up their security game. A few years ago, we saw a lot of plugin developers that were using is_admin, a function in WordPress; they were using that wrong. is_admin as a function will tell you, are you on an admin page or not? Is this person an administrator? And so we saw a bunch of different plugins that were using that function inappropriately and causing vulnerabilities. We're not really seeing that kind of thing. But we are seeing vulnerabilities still, but attackers are having to become more sophisticated. The mice want the cheese, and so they have to get around the cat's defenses and they have to try new things, new creative things. We just have to be aware of what's going on. What we're seeing is some of the general attacks on computing, on computers. Those general attacks are also targeting WordPress. Why? Because WordPress is an asset. Your WordPress site is of value. Even if it's just your hobby blog, just the resources, the computing power of that website, is an asset that hackers are after. So we're seeing some of these general security attacks now aiming at WordPress. Now, Thomas, last year, he started sharing with us some of the attacks that he was seeing, and he was seeing that many hacks were coming in, and it was almost as if, if you look over the log files, you would see, you know, a user coming in working in wp-admin and then all of a sudden that same user's cookie was being used, but it's like coming from some weird site someplace else, and, you know, Malta or someplace where, you know, that user, that administrative user, isn't. These were stolen session cookies. And on January 3 (it's in the links that Nathan shared in the chat) Thomas's research, he published on January 3, showing what he found over 2023. And he found that 60% of WordPress hacks were coming from authentication problems, and there's a whole section in there about these stolen cookies. And then if you look at the general security press, Trevor Hilligoss, who was a former FBI digital crime expert, he said that last year he had seen more new advances in info stealers than any year previously. So Thomas put two and two together, Trevor is putting two and two together, in terms of these attackers basically assuming the role of an administrator. Now, how exactly does this work? Well, an info stealer is malware that's distributed through phishing emails, malicious links, and infected attachments, like a PDF with an info stealer embedded in it, compromised websites that you might visit and then end up clicking on a link that downloads something, and malvertising, which is advertising that is actually malicious. So all of these things are not targeting WordPress directly. They're targeting your computer, and if you have access to a WordPress website and you're logged into that WordPress website, then they try to get into that asset.

Now, have you noticed that your bank, let's say you go to pay a bill and then you go make a cup of coffee and you come back and you're logged out automatically?

This is what the banking industry is doing. They're closing those session cookies rather quickly, because those session cookies, if they are ever stolen, basically give attackers the ability to impersonate you, and that's what these info stealers are allowing people to do. So how does it work? It basically takes that session cookie from your browser, and then they take those cookies, put them on their device, or more likely just embed them in their scripts as they are attacking many different things, and then they access your wp-admin as if it's you. It bypasses firewalls, it bypasses 2FA; it basically then just becomes you. They have a script that just gets into wp-admin, so the log files will look like, oh, there's people doing all this editing, and then boom, this weird IP address that now is doing malicious things using those session cookies. So Thomas's research is showing that this is being used to target WordPress, and yeah, so kind of scary. But obviously info stealers aren't existing just for the sole purpose of getting into WordPress, but this broader problem in security is affecting WordPress, and this is one of the trends that we're seeing.

So these types of info stealers that exist can be in email, FTP credentials, clipboard (you know, you copy something, copy a password out of your password manager; if you have an info stealer, it can get onto your clipboard and take things), keyloggers, form grabbers, browser hijackers. So there's a lot of different kinds of info stealers that are out there that can have an impact on your WordPress site. So what can we do about things like that? Well, obviously it's most important that you protect your devices and protect your computers, making sure that, just like with wp-admin, you log in and update all of your plugins and your theme. You've got to make sure that your operating system... make sure your browser, Chrome, I've seen so many Chrome vulnerabilities. Chrome's the most popular browser, you know, so attackers are going after vulnerabilities in Chrome. So if you see that your Chrome needs an update, make sure you are updating your browsers. Make sure you're very judicious about the types of extensions you install into your browser, just the same way you would with plugins that you're installing in WordPress or the apps that you put on your phone, just making sure that they are coming from reputable sources. And then, you know, a lot of us who use Macs have lived this sheltered life thinking that we don't need any kind of protection on our Macs. Macs don't get viruses, right?

Except that they do. So you need to make sure that you have some kind of malware scanner, like any kind of antivirus. Avast is a great one. Um, there's other ones that you can use, Malwarebytes, things like that. But just make sure that you're downloading signatures regularly and scanning your machine regularly. So making sure that you're doing those general protections for your computer and your devices. And again, think about those assets: your banking accounts, cryptocurrency accounts, crypto wallets, Amazon. You don't think your Amazon account is an asset? Well, it is. I helped someone last year who got their Amazon account hacked, and the attackers used the credit cards that were stored in it (it was a debit card, actually, that was stored in that Amazon account) and bought gift cards, sent them to themselves, and then archived those orders. Make sure you've got protection for that, because your Amazon account can be hacked and can drain a debit card or bank account. I've got a blog post on my site about that. And of course, WordPress: consider WordPress an asset as well.
Making sure that you protect your credentials, strong unique passwords everywhere that Amazon hack actually we traced it back and it went back to the LastPass breach that happened and that person had not changed their password out of LastPass. And they actually had one of their I think it was SendGrid their SendGrid account had two FA on it, but somebody was trying to log into that as well. So we kind of traced it back to that last pass breach. So making sure that you protect your credentials, strong unique passwords. If you have past keys available like you do in solid security use those two factor authentication just needs to be everywhere according to Verizon, only 28% of people are using to FA and at this point we we all need to be using it and there's many places even your Amazon account, make sure you have to FA and that as well. Don't open links in emails. You probably heard this before SMS smishing. They call it it's like phishing except it's coming over SMS don't open attachments. If you are unsure what an attachment is all about. An attachment that comes through that says that you're part of a class action lawsuit and somebody wants to send you money. Be suspicious of those types of things.\r\n\r\nGo through fishing education, test yourself. Do you really have the knowledge and the foresight to defend yourself against phishing attacks? You know, Gmail and a lot of the email services are great at filtering out a lot of these attacks. But really the buck stops with you. These are just tools they're trying to help you but every once in a while that mouse gets a piece of cheese so Okay, so what can we do about WordPress and defending WordPress against info stealers? How long is that WordPress session when you log in?\r\n\r\nIt lasts for 48 hours but if you clicked remember me your session cookie is going to last for 14 days. 
This is why WordPress gets targeted. You know, there's plenty of people who are like, oh, well, if this was really a thing, then your bank accounts would all be drained. But you notice your bank account logs you out pretty quickly these days, right? WordPress does not have that. WordPress will last for 48 hours. That cookie does not log you out automatically, and Remember Me will last 14 days. So those session cookies stay in your browser. They will be there in perpetuity until you click Log Out or until the cookie expires. So if you want to protect yourself and protect your WordPress site from the possibility of an info stealer ending up on your computer (usually it's the kids, they're downloading everything off the internet, let's just blame them)...

you want to log out. When you log out, you kill the session cookie. So you don't have to go through... I've had people ask me, oh, do I need to go clean up all my cookies out of my browser now? Not necessarily. You can if you want to, but that's a lot of work. Just log out. If you click Log Out, that session cookie goes away. Solid Security also has a trusted devices protection, which I haven't even had a chance to play with yet, but this is something hopefully you can talk about in the panel a little bit, because trusted devices is addressing this. So one of the reasons why I love Solid Security, and the team, especially Timothy, amazing, is because he's on top of all of this. He pays attention to what's going on. Is your plugin vendor or your security vendor paying attention to all of the things that security researchers are finding out?

All right, another really... this one was fascinating. I've got to tell you about this. So Sucuri found this malware. This is malware that actually uses a site visitor's browser to attack other WordPress sites. Crazy, right? I'm like, reading all of this.
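The session lifetimes and the "just log out" advice above map directly onto two WordPress APIs. The following mu-plugin is an editorial example added to this transcript, not code from the speaker or from Solid Security: it shortens the auth cookie lifetime through the core `auth_cookie_expiration` filter (core's own defaults are 2 days, or 14 days with Remember Me) and, on logout, destroys every server-side session token for the user rather than only the current one. The specific durations and the `example_` function name are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example - shorter WordPress login sessions
 * Description: Editorial example; drop into wp-content/mu-plugins/.
 */

// Core default (wp_set_auth_cookie): 2 days, or 14 days when "Remember Me" is ticked.
// The values below are this example's choices, not core defaults.
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        // Administrators get the shortest window.
        return $remember ? DAY_IN_SECONDS : 4 * HOUR_IN_SECONDS;
    }
    return $remember ? 3 * DAY_IN_SECONDS : 12 * HOUR_IN_SECONDS;
}, 10, 3 );

/**
 * Invalidate every session token for a user on the server side.
 *
 * An auth cookie carries a session token; since WordPress 4.0 the token is
 * verified against the user's stored sessions on each request. Destroying
 * the tokens makes a stolen copy of the cookie useless even though it is
 * still sitting in the thief's browser.
 */
function example_revoke_all_sessions( $user_id ) {
    WP_Session_Tokens::get_instance( (int) $user_id )->destroy_all();
}

// wp_logout (with $user_id since WordPress 5.5) fires after core has already
// destroyed the *current* session; this widens it to every device.
add_action( 'wp_logout', 'example_revoke_all_sessions' );
```

The same revocation is available without code: the "Log Out Everywhere Else" button on the user's profile screen, or `wp user session destroy <user> --all` with WP-CLI. Shorter lifetimes do not help against a stealer that grabs the cookie and uses it immediately; they only limit how long a stolen cookie stays valid, so they belong alongside 2FA, not instead of it.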
It's a little bit like a crypto miner. We saw crypto miners in, like, 2017, when there was this JavaScript thing you could put on your website and have it just mine cryptocurrency in people's browsers. Well, attackers loved that, right, because profit motive, of course, but that all kind of went away. I think it's going to come back, but we'll talk about that in my predictions.

But this is very similar. So you have a hacked site, and a person visits that hacked site, and then maybe their CPU starts going through the roof or something is happening, because their browser is getting instructions from the hacked website to go attack other WordPress websites:

brute force attacks. So I find this incredibly fascinating. It's not infecting the browser, but it is using the computing resources of the browser to go off and attack other WordPress sites. So if you are a site owner, and these weird attacks are coming from just, like, somebody's home IP address, is that a malicious IP address? No, it's just some guy who doesn't even know that his browser is attacking you. He's visiting some malicious site, and that malicious site is telling his browser to be malicious. So we have plenty of brute force protections that are out there that are like, okay, here are all the malicious IPs that we're seeing malicious traffic from. This kind of throws a wrench in that a little bit, because now we're seeing, you know, Joe down the street is attacking WordPress sites. You would not expect that, but it's a brute force attack. So the same principles of brute force attack prevention apply here: strong, unique passwords, two-factor authentication. But you can't just say block all the malicious IPs and set it and forget it. No, you have to consider that any IP address could be malicious. You just don't know. One thing that you could do, if you really... if you know your IP address, wherever you're logging into your WP admin from...
You can block all of the IP addresses in the world except your own. Whitelist your IP address, so your IP address can always log into WP admin, but block everybody else, that type of thing. And that can cut down on it, but it's not necessarily going to stop attacks like this. But pretty clever, huh?

Another thing: zero-day vulnerabilities. Now, the Bricks Builder vulnerability wasn't necessarily a zero-day, but I think this was just so interesting. So on February 13, Calvin Alkan, well, he actually found a vulnerability, a pretty severe vulnerability. It was an unauthenticated remote code execution vulnerability, which means anybody could use this attack to basically take over a WordPress site. He worked with Patchstack to communicate with the Bricks Builder team to make sure that this vulnerability was patched. So February 13, the announcement comes out that there's a patch. Within five hours, we started seeing attacks. Five hours. This was kind of new to me. I haven't seen it happen quite this fast. I've seen, you know, zero-days happening, and then the attacks are happening, and then a patch comes out. I've seen crazy things, but this was responsible disclosure. This was security vendors working with the Bricks team. They have gone through, in the past month, they've gone through so much in terms of hardening that application. They're doing great.

But it just happened so fast. The Bricks community was just like, you know, the dog with the hair on it. It was crazy for a while, because it was just such an easily exploitable vulnerability. So we're just going to see these types of attacks happen very, very quickly. So if that happens, you know, when there's a very, very sensitive vulnerability, a very critical vulnerability, we'll see stuff like this happen. But I was kind of shocked at how fast that all happened.
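The "allow only my own IP into WP admin" idea from the top of this passage is usually done at the web server, but it can also be done in WordPress itself, which is convenient on managed hosts where you cannot touch the server config. The mu-plugin below is an editorial example added to this transcript, not the speaker's code or a Solid Security feature. The addresses, the `example_` function names and the empty trusted-proxy list are placeholders; the practitioner's caveat baked into it is that behind a CDN or reverse proxy `REMOTE_ADDR` is the proxy, and `X-Forwarded-For` must only be trusted when the request really came from that proxy, otherwise anyone can spoof their way onto the allow-list.

```php
<?php
/**
 * Plugin Name: Example - restrict wp-login.php to an IP allow-list
 * Description: Editorial example; drop into wp-content/mu-plugins/.
 */

// Placeholder addresses (RFC 5737 / RFC 3849 documentation ranges). Replace
// with the addresses you actually log in from.
const EXAMPLE_LOGIN_ALLOW_LIST = array( '203.0.113.10', '2001:db8::1' );

// Placeholder: address(es) of your own reverse proxy or CDN edge, if any.
// Leave empty when WordPress talks to clients directly.
const EXAMPLE_TRUSTED_PROXIES = array();

/**
 * Resolve the client IP, honouring X-Forwarded-For only from a trusted proxy.
 */
function example_client_ip( array $server ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( in_array( $remote, EXAMPLE_TRUSTED_PROXIES, true ) && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // Left-most entry is the original client; later hops are proxies.
        $chain  = explode( ',', $server['HTTP_X_FORWARDED_FOR'] );
        $remote = trim( $chain[0] );
    }
    return $remote;
}

/**
 * Exact-match check. inet_pton() normalises both sides so that
 * "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" compare equal.
 */
function example_ip_allowed( $ip, array $allow_list ) {
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false;
    }
    $packed = inet_pton( $ip );
    foreach ( $allow_list as $allowed ) {
        if ( false !== filter_var( $allowed, FILTER_VALIDATE_IP ) && $packed === inet_pton( $allowed ) ) {
            return true;
        }
    }
    return false;
}

// login_init fires for every request to wp-login.php (form, POST, lost password).
add_action( 'login_init', function () {
    if ( ! example_ip_allowed( example_client_ip( $_SERVER ), EXAMPLE_LOGIN_ALLOW_LIST ) ) {
        wp_die( 'Login is not permitted from this address.', 'Forbidden', 403 );
    }
} );

// wp-login.php is not the only credential surface: XML-RPC accepts
// username/password too. If you do not use it, switch it off.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Two things to know before deploying this: a home or mobile connection usually has a changing IP, so keep a second way in (SFTP/SSH to edit the mu-plugin, or the host's file manager) or you will lock yourself out; and because the check runs inside WordPress, the request still costs PHP and a database connection, so it reduces credential-stuffing success rather than the load of a brute-force flood, which is what a server-level or WAF rule is for.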
This is something: malvertising. I just saw this yesterday on Twitter. One of the guys who runs WP Umbrella, which is a management tool for managing a lot of different websites, WP Umbrella, and you can see on the screenshot that he shared on Twitter that wp-umbrella.info is actually a malicious domain, and it is sponsored. Their real domain is down below that, but that malicious domain is malvertising. So people who searched for WP Umbrella could click on that and maybe give up their username and password. So he was very concerned about that. Lots of people were reporting it to Google and everything, but just a reminder: don't go searching for sites and trust the search results all the time. They can be malicious at times. So make sure you bookmark things that are important to you, and always use two-factor authentication,

in case you accidentally give up your password to someone.

So, predictions of what's next. There's the crystal ball. So I think we're still going to see vulnerabilities found by researchers and attackers. Sometimes there's going to be zero-day vulnerabilities that the attackers find first, and there's going to be zero-day attacks that the attackers are doing, and everyone's going to have to defend against those types of things. But the thing that I'm really excited about seeing is that there are more and more security companies that are managing vulnerabilities for plugins. Patchstack is doing this. They're also working with security researchers, and it's much more organized now than it was, like, five or six years ago, so that's very encouraging. Bitcoin: Uncle Bitcoin is doing better. He's recovered from his illness, and Uncle Bitcoin is, you know, increasing in value. As we see that happening, we're probably going to see some kind of crypto mining attacks happening. I'm not quite sure what yet, but that's one of my predictions.
We're going to see more attempts to exploit the weakest link in all security: humans.

That's going to be in the form of social engineering attacks. People are going to get tricked out of their passwords, either through phishing, through phone calls, through emails, all sorts of things.

We're going to see malvertising, like we saw just yesterday with WP Umbrella. We're going to see SIM swapping attacks. SIM swapping attacks have been... you know, when I first learned that this was even a thing, many years ago, it was in the crypto space, and I read an article, and it's in the links. I recommend everyone go read it. It's on Medium; you might need an account to log in and read it, but it goes through how the SIM swap attack happened to this guy. At night, his phone's just not connecting to the tower, and he's like, yeah, I'll fix it in the morning. By the morning he had lost $100,000. Basically, an attacker takes over your SIM card, takes over your phone number. They can do all sorts of things, like resetting passwords on your email account, resetting passwords on your bank accounts, all of those types of things, because they've got your phone number. And so those codes, those SMS codes, are coming to that number on the new phone rather than your phone. So, I don't know, I haven't heard of any stories of WordPress sites being affected by a SIM swap attack, but my prediction is I think it's going to happen one of these days.

Anyway, we'll see. Maybe next year I'll come back and we'll see what actually has happened or not. There's a recent story of a person who was on the inside at a cell provider and was working with criminals to SIM swap people, which is just lovely.
Anyway, do not use SMS-based two-factor authentication as your backup, because when you are using Google Authenticator and you're using the time-based codes, those are something that they can't take. If they've got your cell phone number, they can't get that code for your Authenticator accounts and whatnot.

There is a recent article about acoustic attacks that was in BleepingComputer just recently. I found this interesting: just by listening to whatever you're typing on your keyboard, they can guess what you're typing, like passwords. That could be interesting. That could happen. I think it's going to happen somewhere. It might not happen to WordPress first, but it's just research right now. Security researchers are always looking for these types of things in order to protect against attackers finding things first. But that could happen. And then I've seen some research, it's just very high-level research right now, about AI and large language models

basically forming some attacks. So I can't wait to see what happens. It's exciting. And WordPress is an asset, so eventually it's going to happen. So here's the stuff about SIM swapping attacks. It's not targeting WordPress now, but basically how it works: they're not using it to get your two-factor codes. They're doing it to reset passwords on your email account, and take out those types of accounts and drain whatever asset they're after.

Let's talk about what I see as the need, what we need for WordPress security. We have a bunch of companies that are selling security products, security services, cleaning up hacked sites. There's plugins, there's firewalls, there's all sorts of services that are here to help you secure your WordPress site.
They all have their profit motives, but we are also in an open source community, and collaboration and communication are key.

Now, when a researcher like Calvin finds a vulnerability, communication between that security researcher and the plugin vendor needs to happen, and security vendors... like, Patchstack was instrumental in ensuring that the communication flow between Calvin and Bricks, between researcher and developer, happened. But we need greater community collaboration and communication throughout the entire community. We need communication between developers and users. Better communication about what vulnerabilities are happening and why.

We need better communication between security vendors. If Patchstack knows that this vulnerability is happening, let's communicate with the other security vendors so that they can protect their customers as well. Those types of things. Security and software is all about trust. And I think that if our security community can work together better, kind of like how Solid and Patchstack have an integration, have communication, they work together as well... I would like to see more of that. There have been some security debates. And, you know, obviously conflict can be good. We learn from each other with differing viewpoints. But I would like the safety of the community to be put at the forefront, the safety of the users. Remember why we're here; that's who we're here to serve. I would also like all of us to have a better security mindset. We can't just install a plugin and set it and forget it. We need to understand how that plugin works. We need to understand what it's trying to do. We need to understand how to use that tool. You can't build a house just by buying a hammer; you have to understand how that hammer works.
So I think we need better education and better knowledge, and not just in... this is not just for WordPress. This is across the board. I was helping my daughter (she rides horses), and I was helping her and the barn people with their website on Squarespace. And just the password hygiene... I might have a little PTSD from that. This is a worldwide problem. That cat and mouse game is not just after WordPress; it's after anything that can be profitable. So heightening security education, I think it can happen in WordPress, and then everyone who learns in WordPress, and the people that you build sites for, helping them up-level their knowledge and being able to recognize a phishing attack, recognize social engineering, recognize malware when they come across those types of things. They can teach their family, and so on and so on. So I think, as we take responsibility for our own security and up-level everyone around us... I feel like that's my mission. That's what I'm here to do. So I would like everybody to become just more vigilant.

Some more advice: just locking down your device with your provider to protect against SIM swap attacks. Although that one guy, that was an inside-job kind of person. But if you can't lock it down, don't use your public... you know, you give out your email address, right? You go to the store, would you like your receipt emailed to you? Sure, of course, and you give out your email address. Don't use that for your WordPress. Don't use that for your bank. Have a separate private email that you use for things that are sensitive. Reduce your online footprint. I know we all like to celebrate our birthdays on Facebook and whatnot. I do too. But reducing the amount of information that you share can also foil attackers, because when they're doing social engineering they gather information, and then they use that against you.
One thing that I've seen recently is, like, a lot of people who do online presentations and have their voice out there. They can do AI voice mimicking, and there's these calls: they call Mom up and say, hey, I'm in Nigeria and I need $1,000 to get home, please help me. But it's your voice, right? So those types of tricks get played. So reducing your online footprint, having a safe word with Mom so that you know... Mom, call me back and make sure that it's me. You know, if we say the word, you know, strawberry, then it's really me asking for help.

And then for critical accounts, you know, I highly recommend using password managers. But we did have that LastPass breach that happened. Use an offline password manager for your critical accounts. You know, security is a continuum. The most secure computer is buried in the ground, encased in cement, and no one can access it, and the most open thing is anybody can get to it. So where is your bank account? You know, it's more buried in the ground, right? And maybe a test site, password123, who cares? So you have to make a judgment of security for each individual asset that you are trying to secure. And then auditing your site. Lots of people don't do this very regularly unless they're afraid of something, but I would audit, you know, every quarter. Just go take a look. I can't tell you... I went to one of my test sites, and there was wp-config.php-old, which basically turned that into a text file.

Not exactly a good security practice, because you're taking that PHP file away from the parsing of PHP and turning it into a text file. So I didn't know that was there. My hosting provider on that particular account had done that. Lovely.

Audit your sites. Just go poke around, go look at the files, go look around. All of the users who have admin access, should they all be there? If you need a checklist of auditing things, I can get you a checklist.
I do have one of all of the things I look at when I'm auditing a site. Maybe I can give this to Nathan. I'll find it and we'll have it in the second half. I didn't think to bring it. Know your developers. With that Bricks vulnerability, if you were on the Bricks list, you would have gotten notified within those first five hours. You would have been able to take action quickly. Develop relationships with the people who are developing the software that you are committed to using, and use plugins like the Solid Security plugin to help you make good decisions through application security. Timothy is one of the more forward-thinking ones, just so brilliant, and he watches all of this stuff and acts very quickly when he sees that there's something he can do to help you protect yourself. Software is all about trust. So make sure you know who is helping you secure your things, and remember who you're up against. They're after the cheese. You've got to be the cat. You have to protect your cheese. Because, you know, you know how these guys are. They're just going to try anything and everything at all. So anyway, there's my little "about" thing.

You guys know me, we've hung out before, but yeah, I've been doing this for a while. When I see stuff, I like to put it up on YouTube. Go subscribe to me on YouTube. You can also get on my newsletter, because if I see something that really needs action, I will send it to the newsletter. I will put it on YouTube. I am here for education first, and I'm so happy that I get to share all this with you.

Thank you, Kathy. This has been excellent, a really good overview of the landscape of all the things that are happening in WordPress security right now, and there's a lot we have to be aware of. So, excellent material here. I'm going to drop in once again, if you came in late and you missed the link bundle...
It is now back in the chat. That has today's slide deck as well as the replay link that you can go back and rewatch, or share this live stream with someone else. I also dropped the link in just before. We have... Kathy, you've agreed to come back and do several live streams on security with us over the next few months. So we're super excited about that. And the link to those upcoming live streams is there in the chat. I'm noticing that there's a problem with the last one for July. We'll get that wrapped up and fixed here in the next couple of hours. But there are several that are out there and waiting, if you'd like to go sign up. They're all free. Join Kathy for more security conversations. Kathy, we've got just a few minutes here before we're going to take a break prior to the panel, and there's a couple of questions that came in throughout your talk that I think it'll be a good time to pose to you, if you're open to that. Yeah, of course. So Savannah has just a great comment here, and it's something I've heard also from other people that are just even considering WordPress as a platform at all. Savannah says it really put me off having a WordPress site, because I'm supposed to be attending to business and not spending all my time on security, which I can't keep up with. How do you respond to that?

Well, yeah, sure, you can have a straight HTML website. But if your FTP application is using a reused password, if your hosting account panel is using a reused password... there are so many other ways beyond just, you know, vulnerabilities in plugins and all of this other stuff. The great thing is, you know, there's so many vendors, and there's so many tools out there for you to pay attention to this stuff.
And honestly, by doing that... I mean, as a small business owner, you're running your business. You don't have a lot of time to pay attention to stuff, but you have to be aware of it. I know of one business that, you know, they got the whole "Hey, I'm the CEO" email. It was a phishing email: hey, I'm the CEO, you need to send money to this company, pay this invoice right now. And the person fell for it, and $42,000 later... Those types of things: you can get rid of WordPress, but those types of things are still a threat to your business. So by being in the WordPress space, by being in this community that is so security focused and is security aware, and being connected with events like this and educators like me, we are here to help you up-level everything. So I don't think that, you know, saying goodbye to WordPress is necessarily going to help you. It might make you less aware of other things that are a threat.

Yeah, 100%. The security landscape is so broad now, and hackers are so clever with their social engineering attempts and very, very smart ways to separate people from their money.

Now, when it comes to WordPress, the issue of WordPress security is one of the criticisms that many people have about WordPress. And honestly, that's why Solid Security Pro exists: our security plugin, which we believe is a very intelligent approach to WordPress security, and by giving it a little time and setting that up on your website, it does the hard work of keeping WordPress secure, does a big chunk of that WordPress security. We're going to be talking, especially tomorrow, Timothy Jacobs, the lead developer of SolidWP, is going to be with us talking through the settings in our security plugin that help you reduce your security risk to almost zero.
And so Timothy will be in the panel in the next hour, but also with us tomorrow for a full hour talking about those very important settings that can let you take your mind off of security and focus more on your business, like you're talking about, Samantha. It really is a... you're not the only one who has that challenge.

Here's another quick question from Chris. Chris is just wondering, when are we going to maybe see a better approach to security from core WordPress? Is there something that core should be doing, in your opinion, that maybe they're not focused on?

I would like 2FA to be a part of core. I think at this juncture it just makes sense.

It just makes sense at this point. So I would like that to be a part of core. But, you know, with most development, the innovations happen with a plugin, like Timothy. I mean, I watch the security landscape, especially with WordPress, quite a bit, and Timothy is always... he pays attention to what's going on. Passkeys: he was, like, the first one to bring passkeys to WordPress. So the innovation is going to happen with people like Timothy, with developers like Solid's team. So core... when there's a vulnerability, core has been very, very responsive.

The File Manager vulnerability in 2019... it was just so long ago, seems like yesterday, but that was a very easy-to-exploit one. You didn't even have to have File Manager activated. You could just have it installed on your site, not active, and it could still be exploited. And I think that was one where core was like, you know what, let's just push out the patch. And so core has been very, very acutely aware of security concerns as they arise, and I think they respond very quickly.

I'm always more curious.
There's one thing, I think, that personally... I don't think it's a big deal, but I would like to know more when a patch to a security vulnerability is applied. I'd like them to explain more of what's going on. So security researchers, like a few of them, will go through and be like, okay, this is what could have happened with that. I want to understand what is happening. I like the education-after-the-patch type of thing. But they kind of keep that close to the vest to keep, you know, people from poking around too much. But that's just me.

Yeah, it's a great answer. And you know, what...

This whole subject is one that comes up in lots of different areas, like what should be core and what should be a plugin. It's a hard debate among the core developers on what ought to be core and what ought to be an extension and a plugin. I think we're going to continue to see that debate raging on. Well, Kathy, this has been great. There's a lot of thank-yous there in the chat for a really good overview presentation of the current landscape of WordPress security and gazing into your crystal ball, Kathy's crystal ball. So that's going to wrap it up for this hour, folks. We're going to press pause on the recording and pause our cameras and mics. We'll be back at two o'clock Central, that's about eight and a half minutes from now, with hour two, which is our panel of security experts. And I hope you'll join us for that. In the meantime, if you'd like to open up the Q&A in Zoom, look at the questions that have been asked by others and upvote the ones that you would also like to hear answered. We'll be taking your questions toward the end of our security panel, and we want to get those in the order of votes. So thanks for hanging out with us the last hour. We'll see you back here in just about eight minutes from now.

All right, folks, this is your one-minute warning.
We are back in one minute from now.

Welcome back, everybody. We're back for hour two of Disaster Week for 2024. We have our panel of security experts, who will shortly be turning on their mics and cameras and popping in here. Good to see everybody back with us. Hopefully during the break you've had a chance to open up the Zoom Q&A and either ask your questions or also upvote the questions of others.

We're waiting on our other panelists to jump in here. Hopefully you can all join us. Timothy is here, Kathy is here.

And Thomas, we don't have your camera.

Hey, there he is. All right.

Well, thanks.

Yeah, thanks for being with us, everybody. We've got a lot of great questions that are stacked up from our viewers today, as well as a number that I've put together for each of you based on your background. So, folks, welcome our security experts today. Let me just go around and introduce everybody. First of all, we have Thomas Raef. Thomas is the founder of We Watch Your Website. Thomas and his team have been removing malware from millions of WordPress sites since 2007. Currently, they monitor over 13 million WordPress sites. Thomas loves data and is on the cutting edge of the latest that all the malware folks are involved in. Kathy Zant, of course. We enjoyed Kathy's presentation on the state of WordPress security in the last hour. Excellent stuff. She is an internationally recognized expert on security, marketing, and website development. She's spoken at events everywhere, all over podcasts. You can find her everywhere. Kathy, thanks for coming back for the panel. Timothy Jacobs is with us. He is the lead developer for SolidWP. He is a WordPress core committer and a component maintainer for the WordPress REST API. And last but certainly not least, David Johnson, the product owner for SolidWP. David has been involved in the WordPress community since 2007.
He comes from an agency background, where he managed hundreds of WordPress websites. So again, thanks, everybody, for being with us today.

Thank you for the opportunity. Absolutely.

Well, Thomas, let's start with you. So we've had you on a number of different live streams over the last several months, and we have scheduled now at least a quarterly WordPress security roundup with you going forward into 2024, which is excellent. We always benefit from your cutting-edge knowledge of the latest things that the bad guys are doing. I've heard you talk about this concept of defense in depth, or layers of security. Can you talk about kind of what that means, why it's important, you know, what practically is involved in that, particularly what should I, as a WordPress agency owner, be aware of when it comes to layers of security and defense in depth? Okay, yes.

Defense in depth goes back pretty far in the whole cybersecurity world, not just websites. But basically what you have to do is look at the various attack vectors that hackers use to get into your website. So it could be, we talked about stolen passwords, stolen session cookies, vulnerable plugins and themes, things like that. Each of those is like a different layer of security, and you can't just rely on... you know, like, for instance, for plugins, themes, and core, a great layer of defense is Patchstack. They do an awesome job. They focus on their niche, which is protecting those, providing updates, letting you know when you're vulnerable in any one of those three areas.

You know, malware removal is one part of defense, although that's a reactive layer of defense.

Blocking, you know, attack vectors.

I look at outdated user agents, blocking various ranges of IP addresses.
And these aren't meant to be, like, the end-all, be-all of your security. It's just another layer in the defense in depth strategy.

And, you know, one of my friends, Calvin Alkan, has used... he's the first one I heard it from, because it's like Swiss cheese. You know, Swiss cheese has holes in it, and it all depends on how you stack those slices of cheese whether a hole goes all the way through or not. So each layer of defense is like another slice of cheese, and you stack them all together. If the holes don't line up, you're secure.

So you need your protection.

And then you also need, you know, early notification. So if something does happen, action can be taken. Yeah, very good. So David, Timothy, either one of you can chime in here, but in this concept of defense in depth, or layers of protection, or really the holes in the Swiss cheese, quite frankly (that one I can grab), where does Solid Security fit into that strategy?

Yeah, so I think Solid Security helps with two big ones, which is user accounts. You've got to do the bare minimum, right? If your clients are still using a terrible, terrible password, it's not going to protect you for very long. And I'm really proud of our integration with Patchstack. So Patchstack does an excellent job. I think they had 5,000 vulnerabilities reported through them last year. They've created thousands and thousands of virtual patches. And I think our integration with Patchstack works really excellently to bring that data into your site, so you don't have to worry about, okay, let's keep track of all the vulnerabilities ourselves, let's make sure we're on top of every single update, and letting those two pieces come into play.
And then services like Thomas's do an excellent job at being reactive and cleaning up when there's an issue, and making sure that happens automatically for you, and they all kind of piece together.

Yeah, very good. Very good.

Kathy, so you've done lots of different things in the WordPress space. You've worked on WordPress security from the plugin product side. You've also worked on the agency side. So in your position, you have an understanding of things that a lot of people don't have. So you can relate to a lot of the folks, I would imagine, who are in the audience today. They either have their own WordPress site, or they work for an agency managing multiple sites, or they're an agency owner.

That's busy work, right? We stay busy. How in the world can you stay educated about all these things that you're talking about while you're busy serving clients? How do you stay on track with all these things?

Well, you know, with open source, you have a lot of... you own your site, you own everything you're working with, and with that power and that freedom and that flexibility comes a bit of responsibility. It's kind of like you own a car. I know I don't necessarily want to go... my husband used to do that for me, take care of the tire pressure, and there's just so much to deal with. If I want to have a car, I've got some responsibilities to take care of it. Unfortunately, same thing with a website. But same thing with your business. You get lots of different things, right? But I think that being up to date with everything is good practice, because it makes you more security aware for other things that could come into your life, and attacks that might not even be related to your WordPress site, something that comes through an SMS message, something that's coming through... you just have this heightened security awareness.
So unlike, you know, taking care of my car, where there's no benefit to me whatsoever other than, you know, not being abandoned on the side of the road, taking care of my site educates me about so much else that's happening in the world and makes me a better digital citizen. It makes me more able to, like, tell my daughter, go, there's an update for your phone, you need to go update it now; you're busy on TikTok, update your phone. You know, I mean, being security aware has a number of different benefits to it. So I think it's just one of the responsibilities. You're either going to get hacked and figure out how much of a benefit it is to be security aware, or you're going to be proactive. And, you know, actually AT&T did a study, and they found that businesses that are more security aware have better business outcomes. They often have better sales numbers than those who aren't. Of course, they're selling network security to enterprise, right. But I mean, people who are more proactive about things in their life tend to have more proactive... like people who work out, they tend to have, you know, better food choices, those types of things. They kind of just go together. So being proactive in your business for security can also be helping you be proactive in your business with other things. Yeah, very good. Anybody else want to speak to that topic?

Or David, maybe, what are some things that SolidWP helps bring to keep agency owners and site owners educated on the most important issues in security?

Well, I'll say one thing that Kathy mentioned in her first session is a true advantage of working with Solid Security, and it's Timothy. So we're just going to have a Timothy session today, I don't know.
But Timothy, by virtue of introducing passkeys when he did into the product, and this was long before I joined the team, became the first WordPress security solution to offer passkeys, and I'm confident that that introduced the idea of passkeys to a lot of people who maybe had not yet heard of it. And it remains arguably the most secure login authentication method available. And that's just one example. And so as we continue to think about ways for Solid Security to improve over time and to adapt to the changing landscape, you're going to continue to see us introduce new features and new solutions for the security issues that you're facing. And that's one way that using Solid Security can help you become a better digital citizen all the way around.

Yeah, there's this content, the SolidWP Academy, and going into Nathan's webinars every month, and our roundups with Thomas. This content is an excellent place to keep up to date and share with others. If this is your first time joining us, we do lots of these types of things. Absolutely. So all of our content here on Solid Academy is geared specifically for people who are building and managing WordPress sites for clients. So if that's you, you can stay up to date with WordPress security news with our monthly news roundup, where there's a section on security news, and we basically look at what's out there, the most important things that I, as an agency owner, think you, as an agency owner, will benefit from. Also, we do a weekly email that talks about vulnerabilities and the top issues in WordPress security as well. So make sure you're signed up for those Solid updates. Thomas, I think I interrupted you earlier. Was this something you wanted to add here? No. I was just gonna say that, yeah, the work that SolidWP has done, thanks to Timothy, with the passkeys. And also, like you said, I'm still a fan of the trusted devices.
It's just amazing, and it's a great layer, or several layers, you know, in the defense-in-depth strategy. It's another Swiss cheese that's just gonna have a task to do. This is, you know, I update my cheese board.

Now I'm getting hungry.

Crackers and cheese.

So, Timothy, let's move over to you. So we just talked about passkeys and how Solid Security was the first WordPress plugin to bring passkeys as an authentication method to WordPress.

It has to be incredibly complicated to develop a security plugin that is both usable for people, like actual people, and stable, and staying up to date with all the things that are happening in security. How in the world do you do that? Yeah, it's absolutely the hardest part.

And I'd say there's kind of two aspects to it, one of which we're gonna touch on a little bit later. But the other is we do things that I think a lot of WordPress plugin developers do who are really on top of their game: we write lots and lots of tests. We have automated checks that happen for basically all the security features in the plugin. We don't want to be thinking every single time there's a WordPress release or a plugin update or something, okay, we have to check all 500 features in security by hand, and worry every day that something might break. So part of that is just following good development practices. I see there's a question in the chat about the uptick in security vulnerabilities over the past year and whether that's in some way part of, you know, WordPress developers not following all of those things. So that's part of it. The other side is that we don't jump on everything. We jump on the things that we do think are going to have a big impact. And we try and really think through what the user experience is for those features. The passkeys integration, I think, is a great example, where we saw that this was the feature that a lot of the big tech players, Apple, Google, Microsoft, were all uniting on and are really pushing as the next big thing. And we've seen over the past year and a half or so, as more and more websites adopt this, we were seeing pretty early on, okay, this is a place that we want to be, this is a feature that is worth us developing, as opposed to a feature that, you know, might stick around for a little bit, you know, 5% of your users might use, and it's a little bit harder to justify. So we try to be really careful about what features we do adopt, and making sure we're only adopting the amount of settings that we need. We could easily add dozens and dozens and dozens more checkboxes in security that let you do everything. But all of those mean more code for us to maintain. It's more complicated for y'all to understand how to use it. So I'd say that is a big part of the balance. The other side of this is partnerships, which we're going to talk about a little bit later. Yeah, absolutely. And so, Timothy, tomorrow, your session, which begins at one o'clock Central, is going to be focused on looking at some of those settings in Solid Security and how people can reduce their security risk to almost zero. Talk just a little bit about what you're going to cover tomorrow as we get into the details of the plugin. Yeah, we're gonna be doing a tour of some of my favorite features in Solid Security. We're gonna be learning about vulnerability management, virtual patches with Patchstack, two-factor, still a good thing to be using and enforcing for your sites, and also look at passkeys. So we're gonna be taking a kind of high-level overview of a lot of different features. And these are also all things that we have a lot of good content in the bank for. So if you want to see a whole hour about trusted devices, we did that, like, two weeks ago.
We did a whole hour about passkeys a couple of times, so there's lots of back catalogue stuff, but this one is going to be kind of an overview of some of my favorite features in Solid Security. Yeah, very good. So that's coming up the first hour tomorrow, one o'clock Central time. And David, let me bring you in on something as well. You've got a really cool title, which is product owner at SolidWP, right. So your role is kind of to translate users to developers, right? Like, how do we create product? How do we interface with the actual users of our product and our development team? So talk just a little bit about how people, even folks in the audience today, can contribute to the ongoing development of Solid Security. Absolutely. I mean, there are two key ways I'll mention, the most important of which is just to reach out. We want feedback. And of course, we get feedback in the form of support tickets, you know, when there's something broken or there's an issue, so we hear about those, but we also want to hear from you with feature ideas. Now, we've already surfaced one during Kathy's session, you know, like, hey, here's an idea for Solid Security. And so those are the kinds of things we want to hear from you. It's important for us to know that we're building what you use, what you want to use, what meets your needs, and so we want to hear all the things. But the second way that I'll mention, aside from just reaching out, and you can do that... I should mention you can do that lots of ways, and we'll share my email address. You can just hit me up that way as well. It's david@solidwp.com. So just write me. If you have a support issue, talk to support; they can help you much faster than I will. But if you have a feature request or feedback or whatever, I want to hear from you directly. That's one way to do that. But the other way that I mentioned is that we rolled out something that we call opt-in data sharing, and it's about your usage data.
This released in Solid Security in January. It's also in Solid Backups. And if you enable that, it allows us to understand a little bit more about your site. We don't collect any personally identifiable information. What we do is gather lots of details about your hosting environment and so forth. And we do take a look at some of the features you've got enabled and that sort of stuff, but again, we don't see any sensitive information. What that does is allow us to understand what features are being adopted, what features may not be as well adopted. And it also gives us a measuring stick to know, like, if we release a feature that drastically improves site security, and no one turns it on, then we've got work to do. And so there are lots of ways that that helps us. And so I would encourage you, if you've not yet enabled usage data sharing... it is opt-in, and so it's purely your choice, but we would invite you to do that, because it does allow us to learn a lot. It's a way to vote without having to actually contact you; it's, like, automatic. Yes, yes. Excellent. So David, to follow with you, let me just ask you this. Your background, prior to coming to Solid and doing some other things, you were with a large agency. You were managing hundreds of WordPress sites. What did you learn in that experience that could be helpful to smaller agencies or solopreneurs as they're thinking about maybe scaling up or doing what they're doing better? Sure. So I went on the journey from being the owner of what was effectively an agency with five people to being inside the web team, and later near the top of the web team, for a 250-person agency. And so that scale was kind of staggering. And one of the things that I quickly learned was that, especially where security is concerned, since we're focusing on security for today, I will say that some of the basics still applied.
You know, you have to clarify in your agreements who's responsible when something goes wrong with a site. You know, do your clients know that security is partly their responsibility? And, you know, one of the issues that we would run into when I was completely in charge and it was my business: if I hadn't properly educated clients on the need to patch plugins or to use better passwords or whatever, then I always felt like there was some responsibility that I needed to take on when a site got compromised. But at scale, when you have a team of dozens of support staff and you're managing hundreds of sites and something goes down, you know, we would scramble to get sites back up, but then the question became, like, is this work billable or not? And if so, you know, why did we create code that was faulty, that our web build team developed custom stuff, you know? So there were a lot of gray areas around responsibility. So one of the things that I will urge anyone watching this, if you maintain sites for clients or you build sites for clients, is to be super clear about the risks involved and the security issues that your clients will have to face, and what your responsibility is and what their responsibilities are, and the clearer you can make that, the better. And that applies at any size. But one of the things that got incredibly complex, that I didn't really fully appreciate until I was in the middle of it, was that we had to do quite a bit of work at that scale around managing roles and responsibilities, and making sure that our protocols and our procedures were actually being followed. Things like, you know, in a 250-person agency, knowing which of our 250 people needed access to a given website. That was a big deal. And what happens when you offboard an employee? Do you have the ability to kill all of that employee's access to every website that they were connected to, all at once?
Or do you have to go through hundreds of sites and check? You know, so there were a lot of systems and ways that we had to scale, but there was one other piece that sort of became clear for me, which was, when we were a larger agency, we attracted bigger brands. And so our SEO team, for example, might land a big account where the corporate headquarters is overseas, and they have hundreds of staff that need access to a WordPress site. And so the complexity of that, and the amount of leverage we did or didn't have to institute policies or do things the way that we did them, that all got really difficult to manage really quickly. And so it really requires some thinking through, and if you can put some solid procedures in place, if you'll excuse the intentional Solid pun, if you can put some procedures in place at a smaller size and really think through those processes, then it will help you a lot when you do scale up and land bigger accounts or have more and more, you know, sites to manage at that scale.

And so those are just a few quick thoughts about managing things with larger volume that, you know, weren't necessarily obvious until I was in the middle of it. Yeah, it's really great insight. And, folks, if you're serving clients, that's gonna be the focus of our second hour tomorrow. I'll be talking about how do you talk to clients about security, and really, how can you leverage WordPress security as a service so that you can build your recurring revenue in your agency. It's really important, and I'm looking forward to that conversation tomorrow. And again, that's in the second hour, starting at 2pm Central.
And I'll just add one quick thought on that, Nathan, which is that offering security as a separate part of your care package, you know, as an add-on or whatever, with a clearly defined offering, is one simple way to make it clear to clients that there are things that are not included in just your basic support.

Yeah, yeah, very good.

So let's turn our attention to a story that really made a lot of headlines and created a lot of conversation in the WordPress security space last month, and that is the vulnerability in the Bricks plugin. And I want to be real careful here, like, I'm not trying to disparage Bricks, because a vulnerability can happen to anybody, right. But it's in our recent thoughts, and I think it's instructive. Never waste a bad situation, right. So what can we learn from this vulnerability that happened that we can take away? So first, Kathy, let me just ask you.

If you're a solopreneur or an agency owner, and, you know, there are just vulnerabilities that happen, how do you... again, it kind of goes back to, how in the world do we stay informed on these things when we're just trying to do our work? Yeah, that will happen so quickly.

And so quickly. Crazy.

Calvin Alkan, who was the one that found the vulnerability, had messaged me and invited me into the Bricks group on Facebook, and the conversation was just, like, it was crazy. And there was a lot of interesting advice that was being given to people of what to do to fix their sites and what was happening. There was a lot of misinformation that was flying around.

I think it's... I've thought about this a lot. And I think it's really important: if you are committed to using a tool, if you are using Solid Security, make sure you're on the Solid Security list. If you are using Bricks, get on the Bricks list.

Embed yourself in the community, and this isn't just for security vulnerabilities.
This is for new features that are coming. Software, to me, has really become, especially in the WordPress space, community driven. You know, all of... David, you watch what people are talking about, about the product, about what's happening in security, and you kind of shape where the product's going.

It's not just like, oh, this guy over here is creating this product. It's not like that. No, this is: embed yourself with the community, with the team, so that the people who are creating these products understand what you need, so that you can be informed of what features are coming. You can be informed of, maybe I should wait on this very large update that's coming from WooCommerce. Just, like, those types of things. Just being embedded in the community of the products that you've chosen for your stack, I think, is just incredibly important.

You just want to be the first to know what's going on when it's going to impact your business. That's such great advice, and we'll talk a little bit about some of that sketchy advice in just a minute. But others, what would you say to agency owners, solopreneurs, that are building sites for clients about staying engaged with a development community? How do you get informed about these issues? So this is something I'll be touching on tomorrow. But I think this is one of the places where tools like Patchstack and virtual patching become key. We saw exploits for Bricks happening within 24 hours of the fix actually being published. Imagine you were on vacation when this happened. It's gonna be a problem. So this is one of those places where tools like Patchstack and virtual patching can be so helpful, because they will automatically push out a fix for your site that is laser targeted just to prevent this vulnerability from being exploited. You don't have to worry about, okay, do we need to test this update? Do we have a process in place? Are we on the plane right now?
Or is it 1am and I'm sleeping when this vulnerability drops? They'll be there to protect you much faster. So I think that's where adding in additional tools is really helpful for protecting your site's security, particularly once you have hundreds of sites that you need to manage. Yeah. Great. Anybody else? Yeah, one of the comments that Kathy had touched on earlier was the communication between vendors. And, you know, I think of, you know, had Calvin worked with somebody other than Patchstack and the whole responsible reporting procedure and so forth...

You know, would it have had a worse impact, you know? Would more people have been vulnerable?

So, yeah, the communication that Kathy talked about in the previous hour, I think, is real key. How you make that happen, that I have no idea, but, you know, it definitely needs to be, especially when it comes to the patching. Years ago, when I first heard people talking about virtual patching, I'm like, why? Why virtually patch, why not just patch, you know, reality patch? Let's call it: we've got virtual patching and reality patching. But, you know, I mean, something like Patchstack, where you can't stay on top of it by yourself. You need something like Patchstack, and I think the integration that SolidWP has done with Patchstack, to me, was just amazing. So I'll leave it at that.

Yeah, I remember when this... which I think, at least for me, I think it was, like, 2016 or something, where there was this huge group of vulnerabilities. And it was at the time where people were saying, hey, if you hadn't done an update within eight hours, you should consider that your site has been compromised. And I feel like, at least in my mind, that is when things really started to switch, as, like, attackers are moving very, very fast now, and just updating, you know, the next day, or two days later, or if you say, hey, we apply updates every Monday, it'll be fine.
Let's just wait until then. It's not enough anymore. Well, if I could add one other thing, it might be a little controversial, but I'll put it out there.

We actually saw some attacks happening to that API endpoint in Bricks on February 7.

But we didn't know what it was. You know, we monitor the database, we monitor the files, the access logs, so we could see the traffic, and then we see changes in the database and in the files, and we're like, you know, how is that happening? And at that point, we did not have a procedure for bringing somebody else in. You know, had I known what was happening, or had I realized what was happening... nobody reached out to Calvin at that moment. Now.

There were things going on in the WordPress community.

Questions being asked about themes that include embedded code and so forth. So was that a tip-off? I don't know. But, I mean, from the time information was asked in the communities until the time we started seeing that traffic was less than six hours, and then once it was announced, yeah, I mean, it was like, I think Kathy mentioned in her previous talk, like five hours from the time the patch was announced until, you know, all hell broke loose.

Yeah, things are moving so quickly these days.

You have to have a tool that's doing these things for you, unless you just don't want to sleep ever.

Right, which is not sustainable. So let's go back to something that Kathy mentioned at the very beginning of this conversation, which is, you know, some of the social media channels were talking about this exploit, and there was advice that was being given that was not the best. So I'll just open this up. Whoever wants to jump in.
At what point should you try to fix a problem yourself versus bring in an expert?

Why don't we start with Thomas? Thomas is a little biased on this.

But, you know, I mean, we've been, you know, working on WordPress websites since 2007. So, you know, Nathan, I've known you for years and years.

So there are people out there that have a good strategy.

And they're aware enough of what their shortcomings are.

To be able to tackle it on their own, you know, so in a DIY, do-it-yourself scenario. Some of those places and some of the large agencies have, you know, staffs of people that focus on, you know, malware remediation, and, you know, I have no problem with that at all. There's obviously gazillions of websites out there. But the done-for-you, when people are asking, you know, hey, what steps can I do to know my sites are hacked? And especially with this, I mean, this was, you know, they were adding admin users, they were embedding code, depends on what hacker group was attacking at the time, they were dumping Perl scripts outside of the WordPress folder structure.

So there's stuff that you can't explain to people, because they're gonna start deleting stuff and, like, oh, you gave me bad information, and now my site doesn't work. I had to restore, and now I gotta rebuild the site, and, you know, blah, blah, blah. So, you know, the DIY versus the done-for-you, the DFY, has to be carefully examined, and, you know, people that are asking, like, you know, what steps should I do to clean my site?

Well, you know, if you're asking those questions, you should probably have somebody do it for you. That's just my opinion.

Yeah, good.

Who else would like to chime in on this?

It's been a lot... perfect for me is that, you know, if you need to ask the question... you can't afford it. If you need to ask the question on, you know, how to do the cleanup,
I think it makes sense to use an expert. I think it's great to learn and practice, you know, maybe on your own personal blog or something like that. Install an old version of Bricks and let your site get hacked and try cleaning it up. I would never do that, though, for a client site, right. I would be working with an expert to make sure that that site is getting repaired. It's so easy to miss just one thing, and you miss just one thing, and it's way worse to tell a client, okay, I thought I cleaned up your site yesterday; it turns out it got hacked again. It's one thing: okay, your site got hacked, we fixed it.

Day three, it got hacked again. Day five, it got hacked again. Day seven. That's when things really become a problem.

And we weren't getting... oh god.

I don't fix my car. I'll clean a hacked site, but I won't fix my car. Know your limits. And can I just say that I was shocked to see that people are still putting, like, 550 sites in a cPanel? That's still happening, I thought.

So yeah, that still happens. So one site, one cPanel. I just... that'll be my mantra for the rest of the day, like a shirt. Yeah. Yeah, exactly.

Yeah, it's a lot... the car analogy is great, though, because there was a time when you could just climb inside the hood. You know, you open the hood, you climb inside the engine compartment. There was room to maneuver, and now you can't even fit a hand anywhere. And, you know, technology has changed, but we sort of all started... well, many of us, I don't know, Timothy might be too young for this, but we started at a time when it was possible to just dig in. You know, TimThumb, you, Kathy, you mentioned TimThumb. I found the first YouTube video I ever uploaded about WordPress was in August of 2011, when I had found a TimThumb vulnerability on my WooThemes sites, and, you know, had to... that's how we all learned.
And so today, though, the complexity of the attacks and the sophistication of the code, the malware that gets uploaded, once a site gets compromised, it can be nearly impossible for someone that is not a pro to find all the ways in which a site got compromised. It's just a different world.

And I'll say that, even today, we're getting people who are infected with the Bricks vulnerability coming to us because their sites, as Timothy mentioned, get hacked one day, another day, another day, another day. And, you know, until you find it all and get rid of it, it's just going to keep happening.

Absolutely.

Well, let's turn our attention to some of the Q&A that's come in from folks in the audience, and we'll wrap up today, if it's all right with you all, with the discussion about the collaboration topic. I think that'll be a good way to end our panel. We have a bunch of questions that have come in; there are 20 questions open right now. Folks, if you haven't done that yet, please open the Zoom Q&A. Take a look at the questions that are there. Upvote the ones that you would most like to hear the answers to, because we're going to take these in the order of upvotes. And of course, if you have a question, just drop it in there. Let's start with the first question, from Kay. There are plugins that allow you to add code snippets to WordPress; there's a bunch of different ones. Are those risky to use on a WordPress site? Or maybe we could say, are they more risky than other types of plugins? Timothy, you want to start with that answer, then we'll open it up. Sure. I'd say "more risky" is the thing to identify; risk isn't binary.

So it's thinking through what the threat model is. I would say one thing that's very important: if you try and submit a plugin to .org, and maybe this is a bad thing, I think it's a good thing, though,
if you try and submit a plugin to .org today that is duplicating the functionality of Code Snippets, they'll tell you no. They'll say that, hey, we already have a plugin in the directory that does this. This is an extremely important thing to get right so you don't open up a huge vulnerability on your site. They're confident that, hey, that plugin works well.

That's it; the barn door is shut on new plugins being added to .org that do this. So I'd say Code Snippets is a plugin that I use, and I use frequently on sites when I just want to have some simple snippets available and turn them on and turn them off. You might get code snippets from plugin developers that say, hey, we have this filter that you can use; we're not going to add the checkbox, but you can use Code Snippets to manage that for you. I think Code Snippets is a fine plugin. The thing to think through is, like, the attack vector. If you say that Code Snippets is a securely developed plugin and doesn't have any known vulnerabilities, and if vulnerabilities come up, they'll fix them promptly, then the thing to think about is, what would the impact of having that plugin installed on my site be? And I think the thing that most people would think of is that, oh, this means that there's a really simple way for someone to just get into my site and add PHP code. And that's true. But unless your site is already locking down, for instance, plugins from being installed, they can simply just install a plugin that has whatever malware and malicious content they want to include. So I would say think through what your attack vector is; that is always, like, the important thing to conceptualize. And if you are a person who says, hey, we lock down all plugins on our site, they're all managed by Git, let's say we do a Git deploy,
and part of that is for being able to say this is exactly what the content on that site is, but it is also a security benefit if you are locking down the file system from being modified. In that case, I would say that installing a plugin like Code Snippets is opening up a new kind of vulnerability, so to speak, in your site, because you've taken an extra step or detached... to protect your site. But I'd say in most cases, plugins like that are fine to use; just use the reputable ones, not the one that was $5 on CodeCanyon.

This risk is not binary. I really... that's great. Yeah, I love that too. That's awesome. Yeah. Anybody else want to weigh in on that question? What do you think about code snippets as a whole? There's a plugin called Code Snippets, but as a category, the code snippets?

I think, personally, it's one of those that goes, as Timothy mentioned, you know, for the knowledgeable devs, you know, it could be a good thing. But at the same time, I think that some of these things get passed around too much.

I talk to people all the time, and, like, oh, my dev said that somebody on one of these forums recommended this, and so we put it in. And, you know, like, okay, well, that's how your site's getting infected. So, you know, maybe consider, you know, do you really need that?

So, yeah, they have their place, but again, that's for the more experienced DIYers, not the newbies. Yeah. Good. Thank you, Thomas. Okay, here's a great question from Dan, and we get this from time to time during the news roundup, because every month we look at the Solid vulnerability report; we see the numbers of plugins that are vulnerable, the ones that have been fixed, the ones that are still vulnerable. And it used to be, I clearly remember even last year, there were 30 plugins that were vulnerable this month or whatever. And I actually used to read those one by one, right.
Now there are routinely 150 to 200 plugin vulnerabilities each month. So Dan's question is: I've never seen as many vulnerable plugins as I've seen in the last six months. Is this from not enough people knowing how to properly build plugins and make them safe, or what is at play in this? It's like a hockey stick of vulnerabilities that have come about. I have a lot of opinions on this one. Jump right in; try and keep it short.

Because there's a talk that I've been ruminating over for a long time about writing secure WordPress code. But I'll say this one thing: this is kind of a measurement sample issue, I would say. I don't think plugins have become more insecure in the last year. I don't think that, you know, suddenly we knew how to write secure software five years ago and now all of a sudden we stopped. What's happened is that there are programs from companies like Patchstack, from Wordfence, others; I think Trend Micro might have them. There are a lot of organizations out there that are offering bug bounties for security researchers to find vulnerabilities in WordPress plugins, submit them and get paid for them. Not even from the vendor. Liquid Web, for instance, our kind of parent company, they have a bug bounty program, and you can go over there if you find a vulnerability and submit it to them, and they'll go through that bug bounty process. But a lot of WordPress plugins that are just maintained by single individuals or small teams, they might not have the resources like that. So I think that's been a huge uptick here: security researchers are now incentivized monetarily to find these problems. And I think that's been one of the great things that companies like Patchstack have done in the past year, creating these open bug bounty programs to reward security researchers for doing something that previously you had to kind of look into, finding a plugin that had this bug bounty program set up and doing all those conversations about it.
So I think that is a huge, huge beneficial thing that we've seen in the past year and a big reason for part of the uptick.

The part that I'm not going to dive too much into is I do think there is an issue with how we write about writing secure code. And there was a vulnerability, I think Wordfence talked about it yesterday, in a plugin where a plugin author was applying esc_html() and esc_attr() too liberally. They escaped something twice, and that second escaping caused an issue. And part of the reason why that second escaping was probably there: it might have been flagged by tools that say, hey, you need to add extra escaping here. And so I'll find, for instance, lots of vulnerabilities, not naming names, but plugins that will have specific fixes in place to, let's say, sanitize some code, and they call a sanitize function in WordPress, but that isn't the correct thing to sanitize there, or what they're sanitizing isn't even the actual attack vector. So I think we don't do a great job of talking about how to write code securely. And a lot of times the things that we say are just, well, write esc_attr() every single place that you're writing any piece of code and that'll fix the problem for you.

But that's a thing for a talk or a blog post or something.

But I will also just say it's hard. It's hard to write secure code. But I do think there are things we can do as the WordPress community to make it easier. Yeah, really good. Anybody else want to weigh in on that? I think there are too many people.

Along those same lines, some of them suddenly think they get an idea for a plugin, like, oh yeah, this one will sell millions. And they, you know, jump in, download some, you know, watch some YouTube videos on how to create your own WordPress plugin, and start writing code and then put it out there, and people are like, oh yeah, this is the greatest thing since sliced bread, and so on, so forth.
And it just goes from there: sliced Swiss cheese.

Boom.

Yeah, they just asked ChatGPT to write the code for them, packaged it all up, and boom, yeah.

Yeah, there was a long time when, and it was really just by the actions of, like, a couple, I think even just one person, where if you went onto Stack Overflow and you were like, how to write some PHP code to do something, it would just have SQL injection vulnerabilities, or you'd just have encryption implemented in a completely wrong way. And there have been lots of people just writing content about how to do this thing, and you'd Google that and you'd come across something that was insecure.

For the most part, those have now been fixed on sites like Stack Overflow through the hard work of, like, dedicated volunteers going through every single PHP answer about how to insert data into a database when someone submits a form, or how to implement a login process securely. But it's still very easy to make a mistake.

Anybody else on that topic?

All right. Next question up is from Jean. This is a really practical question. So what would you all recommend as a good, reliable way of passing secure information to and from clients, assuming they don't have a secure password app installed, and maybe they're not tech savvy? Kathy, why don't we start with you on that one?

I would set up, like, if you had to do that, and they, like, absolutely refused to use password managers and whatnot.

Well, for setting up WP admin, they shouldn't be sending it. They should be setting up an account for you and then having you set your own password.

But for, like, FTP and things like that, you can do forms that encrypt and send it via PGP, so that you can get an email with those credentials and then just decrypt that with your PGP key.
So that would be my recommendation for people transmitting.

But I would, yeah, that's part of our job, to educate everyone that they should be using some method of secure password storage, like 1Password or Bit... all of the major password managers allow you to share credentials, those types of things. So I would strongly encourage that they do that.

Good. I get a lot of people, we get a lot of people who obviously have to share their credentials with us. And it's always amazed me that so many people just, oh yeah, what's your email address? And they just send them to it, you know? And that's what I encourage people to do: if you're gonna do that, because it's easy for you and you just want to wash your hands of this and put it in our hands, that's fine. But, you know, once we've started what we need to do, go back in and change your password. You know, cut that. It's like, you know, logging out of your WP admin session to kill the cookies. You know, just cut it off at the knees right there. And we'll take care of our stuff. Ours is very secure, I'm sure of that.

And so, just change the password and you're done.

You could get them to just take a picture of the password written on the sticky note on their monitor and just text it to you, right?

Absolutely. Post it on Twitter. Actually, that'd be a great way to get a Twitter tag. We do, right? We do sometimes recommend using a tool like onetimesecret.com, which is a great way to encrypt something and prevent it from lasting long. But one recommendation I always make to people is, even if you're going to do that, like, do we know who's running that server? Do we know that they don't keep that data? Separate the lock from the key. So send me a username and an email, and send me only the password using onetimesecret.com with no context whatsoever, you know what I mean? So at least, you know, use a little bit of wisdom and Pig Latin.
Yes, please do that also.

One of the things Kathy mentioned I think is really another one to highlight, which is, it's been a long time since I've done this type of client work, but I would hate it if a client sent me their Stripe username and password. Invite me to your Stripe account. There are so many tools that just allow you natively to invite a developer, invite a user, and I so much prefer that. Just invite me to your WP Engine or Nexcess account. Don't give me your Nexcess hosting credentials. If you don't need to, use the tools built into the platform, like WordPress, to create a WordPress user for your developer. Don't just send them your WordPress admin username and password.

Very good. Delegated access. The worst was when I sat down next to someone at a meetup and they're like, oh, here's my password. I use it for everything.

My, my.

Yeah, my favorite password. Yeah. How many times I've heard that from clients. I can't change that. It's my favorite one.

I'd have to change it everywhere. Yeah.

All right. So a great question here from Chris.

Chris is wondering, so talking about the stolen session cookies issue. Thomas, you've written extensively about this, and you had a great live stream with us several weeks ago about it that just frankly terrified me to the core. But thank you for that.

Is there any movement with browser developers? Can this problem be solved at the browser level, dealing with a stolen session cookie compromise?

I think it probably could.

But I don't see... I know at one point the people at Mozilla were working on some different things. But then they had some, this goes back even a couple years ago.

They had some shake-up over there.
And things changed and people got moved around and it just kind of got dropped. But I know that they were looking at it, some different forms of encrypting the cookies, you know, and encrypting the messages and so forth, so that it couldn't be so widely used. But you know, even to this day, though, you know, short offshoot here.

We're still getting customers that have hacked usernames and passwords. You know, it all has to do with, you know, the various layers of Swiss cheese. And one of those layers is your local, you know, device that you have to protect. I don't care if you're on Mac, I don't care, you know, maybe Linux you don't have to worry about too much. But any platform that you're using to log in to sites, it's got to be secured.

Yeah. And circling back to something we mentioned in the last hour, which is the importance of the Trusted Devices feature in Solid Security. It's one of the only WordPress ways to deal with that exploit. And Timothy and David did a great livestream with us a few weeks ago just about this, where Timothy hacked himself, it was quite something. Or Timothy hacked David, actually. You can watch Timothy hack my website in real time, and I was crazy enough to install a browser extension that he sent me to facilitate this. So Thomas, if you haven't seen that, it's worth watching. But the one thing I'll say is, do take the time, if you're concerned about stolen session cookies and protecting yourself, take the time to either watch that webinar or thoroughly understand how to implement the feature, because you can enable Trusted Devices, and if you don't enable it all the way, so to speak, it won't stop stolen session cookie attacks from working. There are a couple of layers there, and we just want to make sure that you're really thoroughly understanding what's involved.
So that was the big impetus behind that webinar and behind me allowing Timothy to hack me in real time. To be fair, he did have you opt in to the hack. It was an opt-in hack, that is true, and I appreciated that, but also I sandboxed that extension when I got it, just because, you know, Timothy is just there looking sly, he's not saying a word.

He's like, I still have access, David. Yeah, he exfiltrated all my credit card numbers and everything.

Oh goodness. Yeah. So the link for that live stream is there in the chat if you didn't see that. It's really, really quite good.

Back to the questions here. Another question from Chris. Chris says he's a WordPress developer who serves numerous clients. In my experience, the weakest link in security is always the user. Absolutely. What can you recommend as far as resources that we can share with our clients to get them to take security seriously, without scaring them to death? And I'll just kind of add, like, is there, maybe scare tactics aren't always bad, but maybe a little scare isn't so bad in this case? What do you think, Kathy? Want to start with you?

My YouTube channel.

Kathy, it's just education, right? It's being aware, like, it's just being aware, really, of that opportunity. Hackers are opportunistic. They're gonna look for vulnerabilities. And it's just education. There's a bunch of us, there's tons of educational opportunities on YouTube.

And I would, if you're an agency, I would assemble, sort of as a part of an onboarding, like, here's a new client, here's how we do things, here's how we transfer credentials, here's how you're going to only have editor access if you feel like that's, you know, whatever your protocols and procedures are for onboarding a new client, build security awareness into that. And if they have any kind of, you know, pushback whatsoever,
I mean, it's a red flag.

True, but it's, you know, it's the ones who... nobody wants to learn. When I was doing security marketing, nobody wanted to hear about it. Nobody wants to hear about security until they hear that their neighbor got broken into; then everybody wants the security system on their house. Same thing with WordPress. When that breach, that vulnerability, happens, everybody wants to know about, how do I protect myself? What's the best thing I should be doing? I want to know about all, you know, lots of bad advice on Facebook, that's for sure. But I would really make security education... it's gonna differentiate you. I mean, agency work, I know, is incredibly competitive. When you start building security into not just the onboarding process, but also into the sales process, that you take it seriously, they're going to be like, oh, well, why isn't that other agency talking about any of this stuff? Is there something out there they don't know about? And they'll ask questions. So build security into your processes. Really good. Anybody else have advice?

Thumbs it up.

Good. Well, folks, we're coming right up to the top of the hour, at the end of our live stream today. But I do want to circle back to something, Kathy, that you mentioned in your presentation, which is the importance of collaboration between companies and users in the WordPress space to make everybody more secure. So there seems to be, and I've kind of noticed this as well, this trend in WordPress security where, you know, some companies are resistant to collaboration.

How can WordPress, Kathy, in your opinion, you can kind of start here and others can chime in, how can WordPress security vendors work together to improve the safety of everyone in the WordPress ecosystem?

Well, there are some that are looking at what Solid and Patchstack are doing.
They're exhibiting, sort of, good stewardship of WordPress security by the fact that there's collaboration happening.

Patchstack is really great at some things. Solid Security is really great at some things, and they're cross-pollinating information. There's communication happening, there's sharing of information, security.

All security is, is communication. A security researcher finds a vulnerability, communicates it through the secure channels, communicates to the developer, communicates the proof of concept to the developer. That communication has to happen. Collaboration has to happen. Collaboration is the undercurrent of good security. So I mean, there are some companies that work better together, I think, than others, which are more cloistered and have their way of doing things and their way of communicating. But I'm seeing some that work really well together.

You know them, not to get biblical, but you know them by their fruits, right? You can tell what's going on, you can see the actions that people are taking. Make good judgment as a WordPress user and choose to work with the companies that are collaborative, that are putting the needs of users ahead of competition. When you go to a WordCamp, you've got hosting companies lining the hallways of the sponsor area, everybody is there. You don't have GoDaddy taking pot shots at Liquid Web; maybe you do, but everybody knows each other. They support each other. Our community is collaborative, we work together, and security needs to be a part of that. And the security teams and all of the security vendors and security educators, they need to be collaborative as well. It's what makes WordPress strong.

Excellent.

Who else wants to weigh in on that? Yeah, Kathy's mic drop. Yeah. I echo everything Kathy said, and to touch on it from the lens of the questions you were asking earlier,
Nathan, I think it's what allows us to work on cool features at Solid Security as well as being able to partner with other vendors. Patchstack has created thousands and thousands of virtual patches.

That's work that then only had to be done once and could be shared to Patchstack users and our users, and lets us work on other features like Trusted Devices or passkeys and things like that. So I think developing those key partnerships and open communication between different services lets us build tools that help protect site owners more than they could if we were all operating 100% independently and we had to build the same thing 15 times. Yeah. Great.

Anybody else before we wrap this up?

Great information. Yes. I really appreciate each one of you and your expertise and the flavor you've brought to this conversation. Really, really appreciate all the great advice. There's a lot of thank-yous happening there in the chat as well.

Let's see. Timothy, you're back tomorrow to start things off, walking through Solid Security. So we're looking forward to that, and bring your Solid Security questions. I know there are a couple of Solid Security questions in the chat that are specific to our plugin, and I'm gonna have plenty of time to answer those tomorrow. Yes. So yes, absolutely. I will walk through all those settings. And in the second hour tomorrow, I'll be talking about the client side of this and how do you talk to your clients about security, for education, for information, also, you know, how can you as an agency owner or solopreneur package security into the services you offer to build recurring revenue. So it's gonna be a good day tomorrow as well. Kathy, Thomas, especially thank you both for being with us today. David, your expertise has been excellent as well. Kathy, Thomas, let's wrap up with, Kathy, if they want to get more of you, where do they find you?

I'm everywhere.

Literally, you are.

Kathy Zant.
I am faster than the other Kathy Zant that is out there, so I grabbed my name everywhere. So just follow me. I'm really trying to put out more security content on YouTube because that's kind of a fun thing. But LinkedIn, Facebook, I'm still in the Kadence community and still very much a fan there. So hit me up there. Very good. And Thomas just dropped the URL for We Watch Your Website in the chat. Quickly, you offer a free service to anyone who wants to sign up for monitoring for malware, any bad things happening to the website. You want to talk briefly about that? Yes.

It's free. You can think of it as a free intrusion detection system. We don't protect anything on the free plan, obviously, but we monitor your database, your files, the processes, you know, if you're on a server, we can do it live.

If you're not on a server, if you've got a shared hosting plan, we do it once an hour. It's very good. And one of the great things, especially if you're an agency owner, solopreneur, you have your own server or account where all of your clients are hosted, We Watch Your Website offers a single price to cover that whole server, all the sites on that server. So it's really quite good. And if you want to learn more about that, wewatchyourwebsite.com. So thanks again, Thomas, for being with us today. You bet. All right, folks, that is gonna do it for us. We are back tomorrow, again 1pm Central, for a walkthrough of Solid Security, and until then have a great rest of the evening. We'll see you back tomorrow on Solid Academy, where we go further together.

So again, welcome. If you are just joining us, open up the chat and say hello and let us know what your biggest takeaway from day one of Disaster Week was, something you learned that maybe you didn't know, or just a big aha moment.
We'd love to hear from you in the chat with that.

All right, captions should now be working for everybody.

Jeffrey needs to convince clients to make security a priority. Yes. We'll be talking about that in the second hour today.

So, Doug learned yesterday, Timothy, that you were born with a keyboard in your hands.

Is there truth to that rumor?

You know, it's just that there's Apple keyboards. They're very good, very portable.

Love it. Oh, gosh. Welcome back, everybody. Glad you're here. If you're just now joining us in Zoom, open up the chat and say hello. We're asking what your biggest takeaway was from yesterday. Heh, David needs more Swiss cheese in his life. Yeah, maybe so.

The slide button on the link bundle is going back in the chat now. If you want to download either slide deck from either hour today, you can do that. The replays are up from yesterday if you want to go back and rewatch those. There's also a discount code for Disaster Week. Use that code, disaster week, for 40% off the Solid things.

We'll have more information about that at the beginning of the next hour. Hey Tanya, welcome from Finland.

Good to see George from South Africa.

Dan, welcome. Kenna. Doug. George. Yeah, welcome, everybody. Glad you're here. Hey, Stephanie. Manu.

All right, folks, we're about three and a half minutes away from getting started officially. Welcome back. Tea, Sherry, Melissa, Bonnie. Good to see everybody. The check-in question today is what your biggest takeaway from day one of Disaster Week was. If you learned something interesting yesterday in the sessions, we'd love to hear from you. I'm also going to drop in the chat the link bundle again for today's session one and two slides; they're there waiting if you want to download those.
And of course the discount code, disaster week, 40% off all the Solid things.

Be the cat.

That's great.

So we're just about ready to get started. Just a few minutes away. Timothy is going to be talking in the first hour about reducing our risk to nearly zero with Solid Security.

Augustine, welcome. Glad you're here. Hey Sue, Kay, Glass. Welcome everybody. Phoebe, yes, sign out of all the websites. That's really a good thing.

After Thomas Raef came on a few months ago and scared the pants off of me with that session-stealing cookie hack, I am logging out of everything religiously. I had a bad habit of not doing that.

Hey, Rob, welcome.

Murray, welcome. Glad to see everybody. If you're just now coming into Zoom, open up the chat, say hi. We'd love to hear what your biggest takeaway from yesterday was.

Yes, SIM porting, Sherry. That's another big one.

The link bundle is in the chat if you're just joining us and you'd like to download the slide deck for the first or second hour today. Those links are there waiting on you in the chat. We're gonna get started here in about a minute and a half from now. Timothy's got a great session lined up about walking through the settings in Solid Security that can help you reduce your risk to nearly zero for your WordPress site.

Yes, Sue, great idea.

With Kathy's hint, her pro tip on the four digits of the password. It's good stuff. Kathy's checklist was excellent.

Just about a minute to go now, folks. Glad you're all here. We've got a couple of great hours of security conversations coming to you today. Timothy in the first hour talking about Solid Security and the settings that can help you reduce your risk to almost zero. And I'll be talking in the second hour about talking to clients about security, the business side of all of this. So we should have some fun today. The slide decks are there in the chat.
If you're just joining us, open up the chat and say hi. All those links are there waiting on you, as well as the replay link from today. If you missed yesterday, we had an excellent presentation from Kathy Zant giving the state of WordPress security. I'd invite you to go back and rewatch that; it was quite good. Also, we had a great panel of security experts, a really good discussion and comments on some of the big issues going on in WordPress security. So if you missed that, the replay is up from yesterday, and we'll have today's replay up about an hour after we finish as well. Welcome Christian from Quebec.

Just about ready to get started. Hi Eddie. Yes, watch the replay. It's out there ready to go. Really good stuff from yesterday. All right, it is now three minutes after, so let's get the recording started and we'll dive right in.

Welcome back to day two of Disaster Week for 2024 here on Solid Academy. My name is Nathan Ingram. I'm the host here at Solid Academy, joined today by Timothy Jacobs, the lead developer for SolidWP. Welcome back, Timothy. How are you? I'm doing good. Thanks for having me, Nathan. Yeah, we appreciate your wisdom on the panel yesterday. We had a great discussion with you and Kathy Zant and David Johnson and Thomas Raef from We Watch Your Website, really good conversations there. And today, you're going to be talking to us about Solid Security and what we can do to reduce our risk to nearly zero. You want to give us kind of an overview of where we're headed in the next hour or so?

Yeah, so we're going to spend some time talking about some of my favorite features in Solid Security. We're going to talk about some of the threats that are facing your website and how you can use those features to help protect yourself. And then we'll have plenty of time for questions and answers, either about cybersecurity in specific or security in general. Yeah, very good.
So our lineup today: Timothy will speak and we'll do questions for about an hour here, and right around the hour mark at two o'clock Central Time, or however that translates to wherever you are around the world, I'll take about a 10-minute break and then I'll come back for our final hour and talk about how to talk to clients about WordPress security. So just a couple of bits of housekeeping. The replays from yesterday are up; we've mentioned that. I'm going to drop in the chat once again our link bundle if you'd like to download the session slides for this session or the next. Those links are there waiting on you. And we invite you to ask questions, because we will have a good time of Q&A at the end of this session and the next session. Please use the Zoom Q&A link, which, if you mouse over the shared screen, you'll see that Q&A icon. You can click that and ask your questions there rather than the chat, please, because as the questions come up in that Q&A, you'll be able to upvote the questions of others, and we'll take those questions in the order of upvotes when we get to our time for Q&A. All right, Timothy, let's get started. I'm looking forward to this. Let's do it. Yeah, so we're gonna be talking about how you can reduce your risk to nearly zero using Solid Security. And to do that, we need to take a look at what are some of the threats and vulnerabilities that your site might face. So one of the ways that attackers can come at you is just through your front door, through your login page. And so this is all about login security. It's probably the stuff that we know about the most. If your users are using weak passwords, well, that leads to brute force attacks. If your users are reusing their passwords, let's say they have a favorite password (we mentioned that phrase a couple of times yesterday), that's not very good. Or they have similar passwords.
Let's say they have a password formula or a password pattern that's like, you know, five random numbers and the name of the website or something like that. That's not great. That's gonna lead to credential stuffing attacks. Those are when an attacker finds a database of passwords that were leaked from another service and tries those passwords across your actual site, saying, hey, this user is using this username and this password everywhere, let's try it and see if we can get into the site.

One thing that you might not think of immediately, though, when it comes to login security, is the reputational damage that your site can experience if you have issues like this. This isn't just about an administrator losing access to your site. Obviously, that's kind of a huge problem: an administrator's account gets compromised, you've got malware, etc., etc., etc. But this is also a risk if you let users log into your site. Let's say you are an e-commerce shop, or you are a BuddyPress install that has a membership-based component, anything like that. What you'll often find is that people blame the website when their account is hacked. It's rarely that someone says, oh, I messed up, my Facebook account got hacked because I had a weak password. Instead, it's, oh my God, my Facebook account got hacked. Facebook, why did you screw up, yada yada yada? We saw this with 23andMe earlier this year and last year, where attackers ended up accessing personal data for millions and millions of users.

This was because of, in some ways, the fact that those users who were compromised were practicing poor security hygiene. But the users didn't see it that way. Certainly the larger internet news media didn't see it that way. You have a responsibility to mandate security best practices, not just for yourself and your site administrators, but if you're an e-commerce or WooCommerce install, for your customers as well.
If their site gets compromised, if their account gets compromised, and their credit card details are able to get accessed, or their address and personal information, or orders are able to be placed, they're going to blame you; they're not going to blame themselves.

We Watch Your Website earlier this year published some really interesting statistics about how sites are getting compromised that he sees through his service. And he found that 7.2% of hacks were coming through the front door, with login security. And in some ways that's a small number, which I think is a good thing. It means that, you know, we are making progress. But in other ways, the fact that that 7.2% number is even 7.2%, that in some ways just seems very, very high to me, that still we have people not following the best practices. So what can you do? Well, in Solid Security Pro we have a number of different features that help in this regard. One is just enabling brute force protection. You don't need to let an attacker try as many times as they want to log into your site. You can stop them after they try a couple of times in a row and make it more difficult for them to get into your site.

You can require strong passwords. Solid Security has a really great feature where it will detect that a user is using a weak password and force them to change it during the login flow. So this isn't just something that is only for, you know, new accounts going forward. It's a great thing that you can enable, and Solid Security will take care of upgrading users and forcing them to put in place best security practices. You can also prevent using breached passwords through the Have I Been Pwned integration. So this is where credential stuffing attacks occur. Let's say your account got compromised on some other website, some forum, something like that, and they then retry and use that password.
Well, with Have I Been Pwned, we'll say, hey, has this password ever appeared in a data breach? And if it has, we'll prevent you from using that password on the site, which is another great way to help your users protect themselves. You can also use CAPTCHA features. We recently launched an update to CAPTCHA that adds in a couple of new providers as well. So it's not just Google reCAPTCHA. If you don't want to use Google, you can use Cloudflare's Turnstile feature, which is excellent and the one that I recommend the most, or you can use hCaptcha. And this helps slow bots down. If you're able to say, hey, you need to complete this challenge to try logging in, it's a significant deterrent, so they can't just try millions and millions of attempts at once.

What else can you do? Well, you can enable two-factor. The two-factor features in Solid Security let you enforce two-factor. So you can say, hey, all of our administrators or editors, people who can do privileged things on our site, we can force them to use two-factor. And when you do this, you'll use a feature in Solid Security that I think is pretty unique, which is our two-factor onboarding sequence. So this automatic onboarding flow lets users get up and running with two-factor without your assistance; you don't need to get involved. All you need to do is say, hey, Solid Security, make sure all my administrators are using two-factor. And the next time the user logs in, we'll prompt them to set it up. We'll tell them what the feature is about. We'll make sure that they understand how two-factor works. They need to enter in a two-factor code before they can continue. And you will get all of that happening for you in the background, without you needing to go to the user and say, okay, I set up two-factor for you, or, you know, let's go into the Zoom call and show you how this works.
You can use these automatic onboarding features.

And when you use all these features combined, you can see, this is data from Google that showed how attacks were able to be prevented using two-factor challenges, using things like security keys as well. Now, I know what you're probably thinking, which is that, okay, well, two-factor is great. I know two-factor is great, but it's really hard to convince my clients to use two-factor because it's confusing or it slows you down. And so for that I say, let's use passwordless login. So I gave a talk, a couple of times now, about killing the password that really dives into it. But passwordless login using passkeys is a faster and more secure way to authenticate. It lets you skip your password and lets you skip entering in two-factor authentication. And it provides basically a one-click login experience. You can see here, I just clicked "Use my passkey" and I logged in. My device authenticated me; my device made sure that I was logging in to the site that I thought I was logging into. So it's also phishing-proof. We're not going to dive into everything about passkeys today. There is a whole hour about it if you want to check it out on the Academy, and you can take a deep dive into why passwordless login using passkeys is important. But I'd say it's a good option if you have it. If this demo doesn't convince you, read the whole hour, or watch the whole hour, and we'll really dive into it.

Another thing that you want to consider is access management.

You don't want to be in a spot where everyone on a site is an administrator, where you just give admin access out willy-nilly.

You want to make sure that when responsibilities change, people's access changes. If someone needed an administrator account to do some initial setup, but now they're done with that, consider changing their roles and changing their capabilities.
You also have to make sure that you have a plan for when employees leave. You know, no one sticks around in the same company forever. And you want to make sure that when an employee leaves your company or leaves your agency, their access isn't maintained anymore, that they're no longer able to log into all of your sites.

So how can you accomplish this with Solid Security? Well, there are a couple of things that you can make use of. One is just make liberal use of the roles that exist in WordPress, right? We're not limited to just an administrator or subscriber. We've got five that are built in. If you want to go further than that, you can. There are great plugins like User Role Editor that let you get very fine-grained and say, hey, I want a user that can do exactly these couple of things. Do that. That's awesome. We have some really cool features in Solid Security too, though, that can help you. One is the privilege escalation feature. This lets you say, hey, normally this user just needs author access, but I need to give them some temporary access; they need to do something special, but only for the next few days. And what privilege escalation will take care of is saying, hey, once that period has expired, they'll revert back to their previous access. This is good both for, you know, when you have a team member who needs to take care of a special task, but also if you're reaching out to support, either our support at SolidWP or the support for any other WordPress company. Instead of giving them an administrator account that sticks around forever, create them an account, set it as a subscriber or an author, and then temporarily give them privilege escalation, for a week let's say, to an administrator. And you can rest more easily knowing that, hey, there aren't just administrator accounts hanging out there that are waiting to be compromised.

You can also use some other cool features in Solid Security, like the site scan.
So our site scan feature takes care of looking at vulnerable software, for instance, but it also looks at inactive users. So if you have users on your site who haven't logged in recently, you can easily use the site scan feature to identify those users and demote their capabilities. If they aren't logging in every day, maybe they don't need administrator access anymore. Maybe you can demote them to an author.

Another general tip that I recommend, though, is just centrally document when you're giving out access. If you're giving privileged access, write that down. Start up a spreadsheet, a Google Doc, that says, hey, this employee has access to these systems. Do that whenever you give access out, so that you know what different things to go through and revoke. It's not just WordPress sites. It might be, you know, email accounts, marketing automations, all these different tools. Start with that in place, so you're not saying, hey, two years from now when they leave, oh gosh, what are the 15, 20, 30, 40, 50 different services that I invited them to? You have one place to consult.

So what's another aspect of how attackers can compromise your site? One of them is through the back door. And by this I mean vulnerable software. Patchstack identified nearly 6,000 issues last year, and the majority of these, over 97%, are in plugins. The remaining 3% we've seen in themes, and just a fraction of issues are in WordPress core. Every so often, we just had 6.4.3 get released, I guess a month or two ago at this point, which was a security release that fixed a couple of issues. But really the primary issue, and we talked about, hey, is WordPress insecure? It's not WordPress core. It's WordPress plugins.

We Watch Your Website identified that nearly 33% of attacks that they saw on the sites that they clean up were due to vulnerable software.

There are some things that you need to understand about vulnerable software.
We talked yesterday about how there are 100, 150, 200 different vulnerable software issues that are reported every week now in WordPress. And so that means you kind of need to take a look at vulnerabilities and say, okay, let's not get too overwhelmed. One of the things to keep in mind is that not all vulnerabilities are equal. A remote code execution attack, where an attacker, let's say through the Bricks vulnerability, is just able to execute PHP code arbitrarily on your server, is way more severe than, for instance, a self cross-site scripting attack, where an attacker needs to trick you into clicking a link or entering some data into a form. If you just look at the reports at a glance, you might see, oh, these are all the same. I've got 15 issues here; how am I ever gonna resolve them? But you can use things like the CVSS score. This is a score that ranges from zero to 10, and the higher the score, the higher the severity. And you can also use providers like Patchstack, who we integrate with, to help you determine a priority and say this is when you should patch it. For example, this is the WP formance vulnerability that happened earlier this year. It has a high severity, but it wasn't known to be exploited, according to Patchstack. And so they came up with a patch priority based off of how likely it was to be exploited, how easy it is to be exploited, and say, hey, you should patch this within seven days. So these are kind of tools that you can look at to help you identify what fixes need to be made now.

What we found with Solid Security is that, I checked the data last night, 45% of websites running Solid Security right now have at least one bit of vulnerable software installed. So what are some things that you can do with Solid Security to help? One is we have an awesome vulnerabilities page that tracks all the vulnerabilities that are affecting your site.
So this gives you one view. You don't need to watch your email or look in the logs; it gives you one place where you can log in and see all of the vulnerabilities that are affecting your site. It'll automatically scan for you multiple times a day to find new vulnerabilities. You don't need to remember to go back and click Scan and click Scan and click Scan. It'll take care of that for you.

We also give you recommendations on how to resolve the issue that are specific to whatever vulnerability is actually present on your site. So for instance, this ancient WooCommerce plugin vulnerability: a fix was officially released by WooCommerce, so we recommend you update that plugin right away. If you can't, you can deactivate it. We'll give you those choices there and let you know what actions you should take depending on the vulnerability.

Another really cool feature is that it lets you view the historical vulnerabilities that have affected your site. So let's say this Ninja Forms vulnerability. We can see here that, hey, we updated this plugin on February 15. The vulnerability was reported on this date. And so you can go back, and if a client asks you, hey, whatever happened with that Bricks vulnerability, you can see, oh, we automatically updated that, or we manually updated that, or we deactivated it and switched away from it. You can see all of that data inside of Solid Security. So you don't have to be guessing or trying to remember what happened. And as you've been running the plugin for a long time, you'll see over the period of months and years what vulnerabilities have affected your site in the past.

There's another really cool feature that I want to talk about, though, which is virtual patching from Patchstack. The thing to keep in mind, and we talked about this yesterday as well with the Bricks vulnerability, is that sites can start getting compromised within hours or days of a vulnerability being published.
So think about, hey, what if this happens when I'm on vacation, or if I'm away from the computer? Or I just didn't know about it.

Virtual patching is there to protect you when you're not able to update. Now, it's not just when you're not able to update because, hey, you're AFK right now. 25% of the virtual patches that Patchstack publishes cover you when there isn't even an official fix out yet for the plugin. This is a vulnerability that's out there, the plugin author hasn't been able to fix it yet, or is unwilling or unable to, and there's a virtual patch to protect you. So this isn't just, hey, okay, I'm gonna be on my site 24/7, and the second I see a vulnerability I'm gonna update to the fix. These are also important because they can protect you even if there isn't a fix. Even if you want to do the best thing possible and update immediately, you might not be able to.

So how do these virtual patches work? Well, they're targeted firewall rules that are deployed to your site to block attacks from being executed. And so what that means is, if you can't update yet, let's say there is a severe WooCommerce vulnerability, and you just can't update that right away without doing a lot of testing. Well, this targeted firewall rule will protect you by blocking that specific attack vector from being executed. These are also highly targeted. So this isn't just a general, vague rule. And what that means is that they have a much, much lower false positive rate. There are some tools that will kind of offer broad, general blocks, where they try and say, okay, anything that kind of looks like this, well, we'll block that. But those can have false positives, where suddenly you're just trying to use your site, and oops, it didn't protect you, or you're trying to use your site and it triggers one of these false positives and you get blocked from trying to do something normal or innocuous.
But Patchstack creates virtual patches for every single specific vulnerability, not just broad patches. They have, I think, over 6,000 vulnerabilities with vPatches at this point, which is way more than pretty much any other provider out there. And if you're using Solid Security, or the Solid Security Patchstack add-on for our older customers, you don't get that protection automatically.

It's important to keep in mind that vPatches are mitigations. So you still want to update; don't just be running an ancient version of WooCommerce forever. But they're there to help you when you can't update, either because you're AFK or, you know, a fix just hasn't been released yet. So what does this look like in Solid Security? We can see an example of this with this WooCommerce vulnerability. You have this badge up in the top right that tells you, hey, this was patched automatically. And in our Status section, we tell you that, hey, a virtual patch was automatically applied to mitigate this vulnerability. We still do, again, recommend that you update; don't keep things inactive forever. But this patch automatically installed some firewall rules. And you can see that if you ever go to the Firewall section in Solid Security, you'll see that, hey, here are these different firewall rules, and they came from Patchstack. If you want to, you could deactivate them, but we don't recommend that; they're there to keep your site safe.

What else can we do to manage updates? Well, I would keep in mind, at this point, that sites have lots and lots of plugins and updates are important. So you should schedule the time to do them. Don't make this just a thing of, okay, I decided to log in today and I have some free time, I guess I'll apply some updates. Make it intentional, that you say, hey, let's apply these updates this day.

And don't do this too infrequently. It's easy to say, okay, you know, every second Tuesday we're going to apply updates.
I don't think that's a good idea these days. You need to do it more frequently. I would say at least once a week is when you should be saying, okay, let's look for updates and apply them. The longer they sit out there, the more updates you have to apply, and the more complicated it gets anyway. But that also helps with security updates. You'll see, for instance, from Patchstack, a lot of their issues, they say, hey, patch this within seven days. So if you're applying updates once a week, you're gonna be on top of that.

You should prioritize high severity issues. So if you have a huge list of updates to apply, and you see that some of these are security related, work first on the ones that are high severity. You don't need to just go in the order that they were received. Look at their severity, look at the priority, to help you determine which updates you should install.

You can also use hosts like Nexcess that provide automatic updates with visual regression tests. One of our fears with turning on automatic updates is, okay, what happens if my site just breaks? But using tools like these that do automatic regression tests can say, okay, there was an issue with this update. We're not going to apply it to the real site, or we're gonna roll it back, and we're gonna notify you that you need to do manual intervention. But for everything else, we'll take care of it automatically.

You can also use Solid Central to apply updates across all of your sites, and that gives you one UI where you can work them down, and we're bringing some really cool updates soon to that screen as well. You also have the option to enable auto-updates for security fixes. This is a feature in Solid Security Pro, in the Version Management module, that will let you say, okay, we detected that this patch is a patch that is resolving a security issue,
so let's just automatically update to it, even if you wouldn't ordinarily apply automatic updates for that plugin.

So the last threat to be aware of that I want to talk about today is under your nose. And so this is about session stealing attacks. So this is something that we did a webinar on a couple of weeks ago that really dived into it, and did some cool demos of our features in Solid Security. But if you haven't heard about session stealing attacks, this is when malware is installed on your device and it steals the actual cookies that you use to authenticate with WordPress. These cookies are then sent to an attacker's botnet, or they're sold off. And with these cookies, now an attacker is able to fully impersonate you. They have your full capabilities. For all intents and purposes, they are you; it is your actual login. And a big thing to keep in mind here is, because they're stealing the cookies, and these cookies you get after you've logged in, it means that usual protections like brute force prevention or two-factor aren't able to effectively block this attack, because you actually logged in and you completed two-factor, and then the attacker stole those cookies.

Thomas from We Watch Your Website found that this affected nearly 60% of the websites that he was cleaning up, which is a huge number. So what can you do? Well, the first thing is keep your computer secure. If your computer is safe, if you're not using untrusted devices, if you're always connecting over HTTPS on secure Wi-Fi, you're not going to be subject to this attack. If you're just, you know, using your home computer, you're up to date, you have no malware installed, an attacker isn't able to magically steal your cookies. Your device must have in some way been compromised, or you're using a compromised network. Or let's say you go to a computer cafe and you're like, hey, I'm gonna log into my e-commerce WooCommerce site, and, you know, nothing will go wrong, I'm sure that's fine.
Don't do those things. Keep your device up to date. Use the firewall tools or anti-malware tools that are installed on your devices, Windows Defender, Gatekeeper on Mac devices, those types of tools, to keep your computer safe.

You can also implement additional controls on sessions. And so this is where the Trusted Devices feature in Solid Security comes into play. What Trusted Devices lets you do is it alerts you when a login has happened on a new device. So this can be, hey, I'm just now traveling for work, let's say, and normally I'm based in New York City, but now I'm in Huntington, apparently, from this demo. And you'll get an email that says, hey, is this you? Are you trying to log in from this device? And you can say, yes, it was me, or you can secure your account and change your password if it got compromised. But it comes with additional features as well, one of which is restrict capabilities. So if someone is logging in on a new device, we'll restrict their access. Instead of being able to do everything, like install plugins, create new users, edit passwords, instead they only have limited access. So if you are on the road and you need to, you know, make a quick update to your posts, you can do that. But when it comes to more sensitive actions or more secure actions, you will be prompted to actually confirm that new device. Another feature is session hijacking protection. You can see a cool demo that we did with David a couple of weeks ago in our webinar, where we said, hey, what would it look like if someone stole your session cookies? And you can take a look at that to see how Solid Security would stop that attack from taking place.

So in summary, you have to think about the weakest link. One admin account with a weak password can result in your site getting compromised. One unpatched plugin with a critical security issue can result in your site getting compromised. We need to stay ever vigilant.
We need to be making sure that, hey, if one thing slips through, that can be, you know, a disaster. So use every tool available to you. This isn't something, I think, once you're managing more than one site, that you can reasonably expect to stay up to date on all by yourself. Use tools that help you, and of course, the tool that I like is Solid Security.

So I'm now at this point ready to open up the questions, Nathan.

All right. Excellent overview of all the things that Solid Security has to offer, and we have plenty of time for your questions. There are 10 questions currently stacked up in the queue. Folks, if you have a question about anything regarding WordPress security, including of course the Solid Security plugin, open up that Zoom Q&A and drop in your question. Also upvote the questions of others. And we're just about to start taking our first questions, the first one being from Paul. Paul says: in the past, moving the wp-config file to the root level of hosting, I guess the same level as public_html, helped to protect a site. Is that still something that helps?

I guess I'd say, does it hurt? I mean, originally some of this was,

how do we make sure that, hey, wp-config is not exposed in the public_html directory? That was kind of the idea. So we would move the wp-config file a level above public_html, actually. So you'd have public_html/index.php, and that index.php would be the WordPress, and then wp-config would be below that. So it'd be web, config, public_html, everything else on one level, and then your WordPress. And so the idea is that, hey, if we move that out of the web root, it could prevent some attacks. I'd say at this point, you know, it doesn't harm anything, but unless your server was misconfigured in the first place, it probably isn't going to really,

it isn't going to be a problem to begin with, if that makes sense. So it doesn't harm anything.
It's an easy thing to do, but it's probably not actually preventing an attack.

Especially these days. I think those types of server configurations are much rarer.

Yeah, so one of the tools in Solid Security allows you to check out file permissions, and it shows you what the recommended permissions are for things like the .htaccess file and wp-config. So I know just from using the product that the recommended is 444, right, for wp-config. So if the wp-config lives in the regular WordPress directory in public_html and it's set to 444, you'd say that's pretty secure? Yeah, there's no issue there.

So like if you had a scenario where PHP files were not being properly executed, which is kind of part of where this attack lies, then if someone went to yoursite/wp-config.php, it could then return the plain text of that PHP file. And then they would have your database credentials and your salts and things like that. And that could be an issue. These days, though, that is not really a thing, where servers are configured in such a way that we only say, hey, only index.php can be directly executed. So yes, I would say putting it in the root level is totally fine. And yeah, it's great to use that file permissions tool in Solid Security to help you identify what permissions aren't what they should be. To answer Paul's question, I do this on some sites. So for a couple of sites, I have a pretty specific custom setup of how wp-config.php works, and they are better than others. I don't.

I'd say at this point, it's just not on the top of my list of security improvements. I think there are more significant things that you can be doing. Yeah. Good. Next question, that's from Kenneth: Is there a class or video on how to set up the free parts of Cloudflare? I see a lot of areas there, but I don't know how to set them up.
And Timothy, before I turn this to you, let me just mention that actually the premium course for the month of April, which will be about a month from now, I'll be doing a course specifically for WordPress agency owners on setting up Cloudflare: basically all the stuff we've learned in my agency over the last year and a half or so of muddling through Cloudflare and getting things set up, both with settings and processes, with how we migrate things, and just what we've learned from moving 100 sites into Cloudflare. So that is the premium course for April. You could register for that if you're a member of Solid Academy.

It's up there on the courses now. But so let me pivot back to you, Timothy. Anything that you would recommend on that, or how effective even is Cloudflare as part of a holistic security approach for your website?

Yeah, um, so I would say that sounds like a great Academy training to check out for this. I think we've talked about in the past offering more content through SolidWP about how you can most effectively use Cloudflare, and that sounds like a great session. Um, in general, I'd say Cloudflare is definitely a great tool in your tool belt, and if you are able to use it, I highly recommend it. I would say it works very well in conjunction with some of the other features in Solid Security. So Cloudflare offers, for instance, WAF functionality. Their WAF functionality is more broad than Patchstack's virtual patches, so they're applying things like, okay, let's try and prevent a large set of cross-site scripting attacks, or a large set of SQL injection attacks, things like this. And you'll find that those have those trade-offs, right, where sometimes they're not able to protect against an attack like Patchstack is able to. Patchstack is dedicated to WordPress specifically.
And so they create new patches multiple times a day, which Cloudflare often won't be doing. You also see, because of Cloudflare's kind of broad-based support, that you might actually run into issues with Cloudflare. I, for instance, writing about security, sometimes can try and publish a blog post and Cloudflare will say, nuh-uh, because you're describing a SQL injection attack, and they're like, oh, that looks like a SQL injection attack, we're gonna block that. How on earth do I publish this blog post? Cloudflare, get off me. So you'll see kind of the difference between how Cloudflare works and how Patchstack works. I think they work excellently in conjunction with each other. But Patchstack is able to go beyond that and say, okay, we've detected you have this specific vulnerability; we're going to create a patch that protects against this specific vulnerability.

Yeah, it's really good. I think this is a great illustration of the analogy that Thomas made yesterday with the holes of Swiss cheese lining up. Actually, Patchstack is just another layer. Patchstack is a layer, Cloudflare is a layer, server-level security is a layer, WordPress security with Solid Security is a layer, and they all hopefully can block all the holes so no hole goes all the way through. Really good.

Okay, question from Vern. We get this one a lot. Hide the back end, which refers to changing the wp-login URL, changing the wp-admin URL to something else. Is that effective in today's WordPress security landscape?

I do not use this feature on any of my sites. I will say, if I could, I would remove it. And we know this is a feature that a lot of people like, so we don't have any plans to currently. But what we always encourage people, if they reach out to our support desk and ask about this feature, is use things like I talked about in the login security section. Those provide real security. Oops, these slides went away. Those provide real security.
So those are things like saying, hey, two-factor, CAPTCHA, lockouts. Those are much better than just making your login page something different. You're adding like one small step, but oftentimes, hey, if you're an e-commerce store with WooCommerce, your customers need to log in. So there's going to be a login page that is exposed out there, and that feature isn't going to protect you. So no, it is not a feature that I really recommend. It falls under these kind of warm and fuzzy type of features, I guess you could say.

But I don't think they provide the real security that we want, which is, you know, use two-factor, require two-factor, prevent people from logging in 50 times from the same IP address in a minute, use CAPTCHA, all of these different things.

100%. It's so much better just to have a CAPTCHA between the world and your login page, no matter what that URL is. Having a CAPTCHA. Exactly. That's really the thing.

Okay, question from Sue. Timothy, which plugins do you feel comfortable setting to auto-update?

So I may be controversial in this: I auto-update most plugins.

Solid Security has a really cool feature in the Version Management module which lets you delay auto-updates. So for instance, let's say you have a plugin that, you know, releases updates that sometimes break things. You can say, hey, don't auto-update this immediately, but auto-update two days after it was released, or three days after it was released. And the idea behind that is saying, okay, if there was a bug, they caught the bug, identified the bug, fixed the bug, and now auto-update to it. So it can still be something that happens in the background. But I'll be honest, I auto-update most plugins, I think.

You want to make that decision when you're setting up the site.
If this is a plugin that I'm not comfortable auto-updating, should I be using that plugin in the first place, if this plugin author is so frequently releasing updates that just completely wreck my site?

Maybe that means it's a different plugin for the job. Now, I say this as a developer who, you know, very much happily will build everything and anything from scratch. But yeah, I have, you know, Yoast SEO set to auto-update. I have a lot of different blocks plugins set to auto-update.

And yeah, I try and keep my plugin list down, not at 50-plus, so it helps in that regard. But I totally understand if that's not something that you're comfortable with doing, either because of the complexity of the site, and that's where, you know, virtual patching and those types of tools come into play.

So, let me dig in and push back on something on that. I think maybe I need some education on this too, or a different way to think about this. But sometimes well-known, reputable, I guess, plugin developers, certainly big ones that everybody would know, will push an update, and it'll break something unintentionally. And they'll push, you know, a dot-one version of it within the next couple of days. What danger do you have, does that worry you, just having everything set to auto-update?

So I would say yes, there are plugin authors that release plugin updates that just totally break everything, and those are on my list of plugins that I try not to use.

Yeah, without naming names. I guess that would be my general approach, right, is that I much rather, when I do client work these days,

usually we're building something very specific, and we could build it with, you know, a combination of six different plugins. But kind of the value that I'm able to bring to the client is to say, hey, we architected this specially. We have developed it with your specific use cases in mind.
We're not using you know 5% of a plugin, and fibers are another plugin for fibers and another plug in and that's where things kind of like start to break down. So I would say it's a different kind of approach for building things where it's more okay. What are other plugins that I'm very comfortable with and then I think they're bulletproof and you know, set them and auto update, and I'm not particularly worried about it. And if those aren't ones, whatever the thing is that I should just build instead, and write the code specifically for that client.\r\n\r\nAnd I know that their site will be more stable, because they also didn't, you know, get a new feature that they didn't ask for that completely changes the UI, things like that. So I would say it's a different approach. But it is not at all uncommon to have that feeling around auto updates, which is again, why you know, patch stack and things like that are helpful tools.\r\n\r\nAlso, because there's the 25% of cases where there just isn't a fix available for the security release.\r\n\r\nBut yeah, that's that's generally my attitude is how can I reduce the plugins that I'm using that are just breaking things all the time? And for the ones that do send an auto update delay, say like, Hey, five days, and if the plugin has been stable for five days, then it's probably good enough to auto update at that point, you would hope that if they break everything, it gets fixed pretty quickly. And that delay is part of the solid security version management feature. And let's just say there's also a setting on that version management page. That allows you to auto update if a vulnerability exists. If that's the case, then that delay doesn't come into play, right? It auto it auto updates no matter what.\r\n\r\nIt's a fantastic feature.\r\n\r\nOkay, question from Dan. How resource heavy is solid security with its constant scanning and so forth? It's pretty late. 
So we don't believe that a plugin should be doing things like individual file scanning for malware. It doesn't make sense to happen in a plugin. Thomas, I think, has done a couple of different discussions about this, I think on our SolidWP Academy, where he finds malware that, one of the first things they do is turn off a file scanning feature and say, hey, I'm all good, or they whitelist their plugin, things like that. So we don't believe that plugins should be doing that type of heavy scanning.

Instead, we do things like, hey, checking for vulnerable software. And that's very fast, that's very minimal. We make API requests out to our servers, and it contains the list of plugins you have installed and the versions, and it does a really quick check, so it doesn't really add any weight to your site. Things like checking for inactive users, all of these things are pretty resource light. So that is a really key thing that we keep in mind when we're building Solid Security: we don't want to slow your site to a crawl. If your site is so slow that no one can use it, it doesn't matter if it's 100% secure.

But yeah, we don't believe in putting those types of super heavy features in the plugin. They are best left for other services. We're focused on preventing an attacker from getting into your site, as opposed to, okay, an attacker has gotten into my site, now I need to scan my site for malware every single day and for infected PHP files, because then you are talking about a very intensive process. And it's something that smart malware these days can just disable.

Yeah, and it seems like especially a file-level malware scanner seems like that should be something that lives at the server level, right? Yeah. So Thomas's tool, for instance, that's one of the things they do: they send the files off to his servers, and then his server is able to very efficiently scan them. It doesn't make a lot of sense to be doing that from WordPress, both for the performance reason and for the security reason: if it's happening in WordPress, then any plugin can stop it from happening. There's a lot of reasons why that doesn't make a lot of sense. For virtual patching with firewall tools, that's another thing to keep in mind. So that's why virtual patches from Patchstack only apply if your site has that specific vulnerability. They don't apply, you know, 20, 30, 40, 50, 100 generic firewall rules that apply with every request. We only apply specific firewall rules, and only if your site is vulnerable. If your site doesn't have a vulnerable version of Timpson, there is no reason why you should be looking for attacks against it and blocking them. It doesn't provide you any security benefit; the attacker wasn't going to get in there anyway. What that is doing is things like DDoS protection, stuff like that. But that shouldn't live in the plugin too; that's where you want to use Cloudflare in conjunction with Solid Security. Solid Security isn't going to protect you if 10 million requests hit your server within an hour, and no WordPress plugin can, but that's where tools like Cloudflare come into play.

And again, the Swiss cheese analogy, this is such a great point, I don't want to zip right past, because this multi-layered approach is critical. And honestly, correct me if this analogy is wrong, Timothy, but, you know, back in the day there was this season of WordPress theme development where people were selling themes on a giant marketplace, and the way they found to sell themes was to cram all these features in there that really should have been in plugins, but now they're kind of rolled into this giant kitchen sink type theme. And they ended up being a bloated monster that was just really difficult to manage long term, and slow. And so a lot, maybe, in some security plugins for WordPress are kind of adopting the same approach, like we'd like a scanner, we do these things, but we should really separate those out to have a lighter, more efficient site. Am I right on that? I agree. I think the things that should live in WordPress should live in WordPress, the things that should live at the network level should live at the network level, the things that exist in your server should exist on your server. There are things, for instance, I don't think Cloudflare is going to offer passkeys as a login method, right? If you have a credential stuffing attack, Cloudflare probably isn't going to prevent that, because on the first try they log in, and they know your username and they know your password, because if you're in a breach, there's no opportunity for Cloudflare to protect you there. But if you're using Solid Security to prevent a user from using a password that has appeared in a breach, that's the perfect thing that should live in WordPress, right? It wouldn't make sense for Cloudflare to, you know, somehow be operating on your WordPress site and prompt up an update password page or change how your login process works. That wouldn't make sense for Cloudflare to do. So use the tools for what those tools do best, and take advantage of the fact that some of those tools can live in WordPress and can provide a context, knowing that this is a WordPress request with this user and this password and they're trying to do this specific thing. Yeah, really good.

Okay, moving on to the next question here from Nate. Does Solid Security provide a way to have a two-factor code sent to a phone via text, like what Facebook does? No. So we do not, and we do not plan to. SMS two-factor is convenient. It's a way that you can kind of get people a little bit more used to it. But I would say at this point, email, in my opinion, is just as convenient. But the issue with two-factor via text messaging is that SMS is not a great protocol, and a lot of mobile phone providers don't have the best security practices around things like preventing SIM swapping attacks. So I would say SMS, in my opinion, is a legacy two-factor method.

It was helpful for getting people used to the concept, but I think at this point everyone is familiar with email-based two-factor.

And my big push really would be, hey, use passkeys. That gives you a two-factor experience that exists on your phone, or not a two-factor experience, well, it's kind of a two-factor experience. The point is that it has your phone and your biometrics, and it accomplishes that same bit, but doesn't rely on a text message being sent and all of that happening. It just provides you with one simple login flow that is protected with Face ID or Touch ID, things like that. So no, we do not, and we do not plan to. Right answer. Okay, here's a good question from Stephanie.

So Stephanie, I'm guessing you're a legacy iThemes member. She's asking how to activate virtual patching: "I have Patchstack in Solid Suite, it's on the dashboard, but the firewall is inactive." So if you go to Security, and on any of those things you can click into the licensing page. It's under Settings and then SolidWP Licensing. And there'll be a section there that says Patchstack enabled sites. And so if you are a new customer, when you activate a license, Solid Security will automatically enable Patchstack for you. But if you are new, or you don't have enough Patchstack licenses, let's say you are a legacy customer that had a Gold subscription, for instance, you then need to choose to enable Patchstack for that site. So the thing you want to do is go to Settings, SolidWP Licensing, and enable Patchstack for that site. If you're still having trouble, that's an excellent reason to reach out to support.
If you go to solidwp.com there's a link to support, and they'll be able to help you out. But that is probably the bit that you're missing. Make sure your plugin is licensed.

Yeah, very good. And I'm also dropping in a link to a livestream we did back in December that covers a lot of how to even position, if you're a legacy iThemes customer, for example, positioning an upgrade with a Patchstack firewall as a better layer of care plan. So that link is there in the chat. Yes, definitely. So if you're still having trouble with that, reach out to support and they'll give you some help right away.

Kenneth is asking, what is the 40% off deal for? So Kenneth, I'm going to go into a lot of detail about that in the first part of the next hour. It is for any purchase from SolidWP other than the Solid Central monthly, and it also does not apply if you're adding licenses, Patchstack licenses, as a legacy iThemes customer. But anything else, the Solid Suite, any of the products, the 40% off is good if you are a new customer.

Let's see.

Manu has a question here. Monica says, my email has been pwned, so I changed my password. Is this good enough? And when does their database update so you can see if the pwned email is updated?

Oh, pwned, yep, yep, is what's going on there with that spelling. So the service that we use is Have I Been Pwned, and that relies upon a Troy. Okay, now there are two Troys. They're both Australian. One of them is a WordPress person and the other one is a security person. I think Troy Dean is the person who runs Have I Been Pwned and Troy Hunt is the person who runs the other. Or the other way around. It's the one that is... two Australian people both in this space is very confusing. Troy Hunt kind of collects data and is responsible for ingesting things into Have I Been Pwned. So it isn't really specific to your email address, but more about the password. There's also a Have I Been Pwned service where you can just enter in your email. And it'll, like, show you, hey, here are all the places where we find your credentials in a database breach, which is awesome. But what we specifically use in Solid Security is their password feature. So it checks whether a password specifically has been entered into that database. Yeah, very good. So Manu, if you update your password, it's not going to remove it from that Have I Been Pwned database, right? That's basically letting you know that your email address has shown up in a breach, and that's always going to be there.

Tina: how does two-factor work if your sites are on Solid Central?

I don't know what this is driving at yet. I think the question is, if I'm accessing my site through Solid Central, is there a way to turn on two-factor, is two-factor needed in that case?

Okay, so the two-factor in cybersecurity, what?

Yeah, what she was asking, basically. Um, so when you authenticate for the first time with Central against your WordPress site that has Solid Security installed, you're actually going through a specific onboarding process that shows you, hey, you're gonna connect with Solid Central, and it will give you a big purple button to click on, and you'll get connected.

For further API requests that Solid Central makes over to your site, it's not going through the login form, so it never runs into two-factor. And there are some specific features in Solid Central that do help you with two-factor. So for instance, you can bypass two-factor by clicking a button in Solid Central. And if you use Central's feature to automatically log you into your WordPress site, you don't need to enter in your two-factor code. But yeah, there shouldn't be any conflict there. You don't need to turn it off or anything like that. It'll just work. Good.

Question from Nate. Does Solid Security provide a recommended set of settings, like via an export JSON file or something? How do you figure out what are the best recommended settings? Yeah, so we don't specifically. The general thing is that we like our defaults, and then it is just up to you what more things you want to apply. So for instance, having two-factor is better than not having two-factor. Having, you know, more protections available, having more checkboxes checked, so to speak, is just oftentimes more secure. We try not to have any things where it's like, hey, if you missed this, this is a complete disaster. It's really up to you what kind of security features you want to have enabled. There are docs that talk through, like, global settings and things like that. But generally in the plugin we'll say, hey, these are the things that we recommend. The defaults are things that we recommend, and it's just up to you to say, hey, what more features do I want available? Do I want to have passkeys, do I want to have two-factor? And we can't make that decision for you. And how does the onboarding wizard factor into this? Yeah. So when you go through onboarding, it'll ask you some things like, hey, do you want to use two-factor, and if so it'll automatically configure it for you. If you want to use strong passwords, it'll automatically configure that for you. My recommendation model is basically that you enable everything. There's nothing that we have put in the plugin that we're like, hey, this is something that we don't recommend you using.

The stuff that is, you know, more legacy is kind of like hidden away. Hide Backend: it's under the advanced section. I don't recommend it. It's there because people love it.

But yes, my recommendation is to enable trusted devices, enable two-factor, enable passwordless login, enable passkeys, enable virtual patching, and enable, enable, enable, enable, enable.

I'm going to hand pick a couple more questions and we'll wrap this up and go to a break. Great question from Joan.

Does Solid Security Pro come with Patchstack by default? Yes. So if you are a new customer and you go on over to SolidWP and you make a purchase, you are going to have Patchstack. What you're going to want to do is, after you install the plugin, you want to license it, and that licensing process will automatically set up Patchstack for you. So yeah, all new plans come with Patchstack. And if you are an iThemes customer, you can add Patchstack, but yes, all new plans come with Patchstack automatically. You don't need to do anything else besides just license the plugin. Awesome. And last but not least, Tina: does your page speed suffer with all the blocked IPs that accumulated over the years? Um, so not really. We do specific queries to get a list of banned IPs.

There is also a setting for .htaccess where IPs that are banned get put into the .htaccess file, and if you go into the settings, there's a limit, it defaults to 100, of how many of those IPs actually get added into your .htaccess file. So if you had, you know, 10 million, it could be an issue.

But even on my site that is many years old at this point, and it gets quite a lot of traffic, I don't have anywhere near that many banned IPs. So I haven't seen banned IPs specifically become a page speed issue. I just haven't seen someone get that high, where we're making such a large query that it would be pretty ineffectual. And it's pretty quick to compare IP addresses and just do a search for saying this IP address is here or it's not there. If you do have millions, I'd be curious to know more about your site, and then maybe it would make sense to remove some. But yeah, I have not seen that to be the case in any other sites I've come across. Very good. All right, excellent session. Timothy, thanks so much for your wisdom, as usual. You always have excellent answers. Folks, thank you for hanging with us the last hour. We're going to take about a six minute break here.
We're going to come back, and I'll be talking about how to talk to your clients about security, taking plenty of time for questions if you have specific things you'd like to talk about in regard to how in the world do we make our clients understand these things. So that's what's coming up in our next hour. We're going to pause the recording and go dark for the next six minutes, and we're back at 2:05 Central time. We'll see you back then.

All right, we're back for the final hour of Disaster Week 2024. Hopefully this has been a great time for all of you who've been part of the whole thing. We will again have the replays up in about an hour, as soon as we wrap up here, and I'm dropping once again in the chat the session slides for today. You can download Timothy's slide deck as well as mine, which is now available there. All right, so across the break we had several questions about upgrades, and I just want to address those briefly before we get into our actual content here. So first of all, we do have this deal that's going on. Disaster Week is the coupon code for 40% off of SolidWP products. Now, this is for new purchases only, so you can't extend or add a new subscription to an existing account. It's also not available if you want to purchase Solid Central monthly plans, or if you're a legacy iThemes customer and you want to add on Patchstack licenses; it does not apply to individual Patchstack licenses. So those are the caveats on that deal, but it's a great deal if you've not yet become part of the SolidWP family. 40% off is an excellent deal to take advantage of. Now, several questions that came in about updates.

Patchstack is included if you buy the Solid Suite, or if you purchase Solid Security Pro individually, Patchstack is bundled. If you're a legacy iThemes customer, Patchstack is an add-on for the legacy iThemes Security product that is now Solid Security. So there is a livestream we did that walks through how do I add Patchstack licenses if I'm a legacy iThemes customer, and that link I have dropped in the chat, and I will just invite you to walk through that. It takes you through the whole process. Matthew: why is it an add-on? Because there's a... well, I mean, to be frank, it costs SolidWP money for every site that licenses Patchstack. And so the cost involved in that was not factored into, you know, the price that a lot of folks paid for iThemes Security. It's an extra feature that was added with the Solid move, when Solid rebranded from iThemes. And so there wasn't a way to include that in older legacy plans. I don't think it's mean; I think it's just an additional feature that could not be included, you know, if you want SolidWP to be around for a while. So, you know, I think it's a pretty reasonable upgrade, particularly with the pricing per site being very reasonable and easily passed on to a client. That's actually what that livestream was about, the link that I gave you in the chat. All right, so let's talk just a little bit now about how do we talk to clients. And actually, before I go there, let me just mention one more thing. I know there's a lot of you who are maybe new to Solid Academy, and we're grateful that you're here, and hopefully this livestream has been helpful to you over the last couple of days. Here on Solid Academy we actually do two or three livestreams every week on all sorts of WordPress topics. You can access all the upcoming training here at academy.solidwp.com.

You can search for upcoming livestreams and see everything that's available. Also there's a handy calendar view here that shows you all the things that are happening and allows you to register right here. So Tuesday, Wednesday and Thursday of most weeks we have a livestream about WordPress things, and we invite you to come be part. You can become a member of Solid Academy by purchasing the Solid Suite. That's the only way you can become a Solid Academy member now, and if you are a member, not only do you get access to all the free training and replays, you also get access to a weekly office hours with me where we answer all sorts of WordPress questions, whether it's technical questions or business-related questions. We always have a lot of fun there. It's a good community of folks that gathers every Thursday. We also do one premium course every month, and I've just lost my window. But our premium course for this month is a WordPress accessibility crash course with Amber Hinds from Equalize Digital. Next month's premium course is the Cloudflare course, which I'll be teaching. So we always have a two-day, four-hour course every month. That's very helpful.

I'm hearing reports in the chat that the coupon isn't valid. I'll look into that after we wrap up with our marketing team. Or David, if you're still on the stream, maybe you could ping somebody. See anybody from the iThemes team on? Sara: disaster week 40. Okay, it's possible I typoed that.

So the coupon code, Sarah is from the iThemes team, the SolidWP team. The coupon code is disaster week 40. So I apologize about that. That was likely my fault.

All right. So for those of you, again, new to Solid Academy, just a little bit about me. I've been working with clients on the web since 1995. I started with WordPress in 2008, all WordPress since 2010. For the last 10 years I've been a growth coach for micro agency owners, people who are doing WordPress things for clients. I've had hundreds and hundreds of coaching conversations over those years. And a lot of those things are around this topic that we're talking about in this last hour, which is building recurring revenue, talking to clients about security to grow our businesses. I'm also the creator of Monster Contracts, which is a proven contract for WordPress client work. So let's start out with the foundational idea here, which is recurring revenue is critical to our business. It is the foundation of a successful agency. It's virtually impossible for us to survive in the long term without some sort of recurring revenue. And if you're doing WordPress things, the natural place to start is with a WordPress care plan. It's a WordPress care plan, and all the products that are associated with that, that actually brought me to iThemes many years ago as a customer, long before I started doing any sort of livestreaming on our educational side here. So a WordPress care plan is absolutely the place to start to build recurring revenue. It's what all the products that SolidWP offers are built around: helping us do care plans better. So you've built a client relationship; to maximize that relationship for the long term, we want to build in recurring revenue with some sort of care plan. Now, the challenge with a care plan is explaining to clients why they even need one, right? So we understand it, but getting a client, particularly a non-technical client, to understand the value of a WordPress care plan can be a challenge sometimes. So what I'm gonna do in the next several minutes is just basically give you how I explain things to clients, and some of the common mistakes that I see happen, and hopefully give you some language that maybe you can use as you're trying to explain care plans to clients and how to do that. So a couple of things I want to start off with are two very common mistakes that I see that people in our position make when we are explaining care plans to clients.
The first is presenting care plans as an option.\r\n\r\nSo I would encourage you to consider care plans, not an option, but a necessity. So a care plan is not like an extended warranty that car dealers try to sell you just in case something goes wrong. Instead of better analogy is that a care plan is like regularly scheduled maintenance that helps to keep your vehicle healthy for the long term. Matter of fact, in my agency, we don't take any website build projects that don't include a care plan. It's just part of our pricing. So and I'll even tell clients if they have a budget challenge. It's really better to spend less on building the website and a phase one than it would be you know, spend less so you can afford a care plan within your budget. Your plans are that important. So the second mistake that I see clients or the see people in our position make as we're explaining care plans to clients is waiting until launch to add a care plan. Surprising a client with a care plan at the very end oh by the way, you really need to purchase this additional monthly thing that's going to keep the site that you've just paid for healthy that's a bad idea. It never works out it rarely works. And it can often it can cause the client to become very agitated. You didn't explain to me that a care plan was needed after in all these conversations we've had. So what I've learned over the years is that the key to selling a WordPress care plan is education. And that education has to start in the first conversation. So we need to include care plan pricing in our proposal. That's my advice as part of the total cost of the project. Now something I moved two years ago was in my proposal for years I used to have the care plan to the little checkbox and you'd check the box if you want the care plan. Now it's just bundled in. There's a cost to build. There's a cost to manage and one sign here box that agrees to all of those things. 
So if you're struggling to get clients to buy your care plan, maybe it's because you're waiting a little too long or not talking about it early enough in the process. I recommend that you start talking about the management of the website in the very first conversation you have with the client, when you're starting to talk about pricing in general position, the care plan, as you know, the cost to bill a cost to manage. We're going to be here for the lifetime of the project to help you note you know, as things come up, and it's just all part of the conversation from the very beginning. I think you'll be much more successful at selling care plans. If you position it that way and don't offer it is an option in your proposal make that part of the price.\r\n\r\nSo how do we educate clients education is key in selling care plans. Many clients don't understand why they need to have a care plan to begin with. And so one of the first things that I would recommend is that as you're talking tech with clients about anything, focus on benefits, not features, save the technical talk for people that are you know, that love the technical stuff, most clients that you're going to work with our you know, they're busy professionals or their business people or that they're not as interested in technical things as we are I generally speaking, don't talk about gigabytes as much as we love packstack I don't talk about patch stack with clients. As much as I love solid security Pro that never comes up in a client conversation. As technical people we love those details about our care plans. We love to talk with each other about those things. But in most cases, features features don't sell but the small little things like patch stack and solid security. Those are things that are internal for us. Clients generally aren't as concerned about those things. What they're concerned about are the benefits. If I you know, with this care plan, what does that mean for me? 
I'm busy doing my business and doing my thing. I don't care about all these little technical details. What does your care plan benefit me? And the primary benefit of a care plan is simply peace of mind for the client. I cannot tell you how important this is. It's very easy for us who love technology to get into conversation with a client and we take them to death. It's just it's not a good idea. It's much better just to explain to the client the benefit. The reason we do this is so you can go about your business and not have to worry about the health and management of your website. That is absolutely the reason and the way to most effectively sell well sell a care plan. And part of this is just learning to determine what is the most important thing to a client. So we're going to see this pop up at several times during the next few minutes in my talk, but you may have a client who for whatever reason, they're all about backups. Now backups are important. We know that and a lot of and I will mention that as part of our care plan explanation, but goodness, they don't need to know where we store backups and how often necessarily run it or keep an archive that most clients don't care about that level of detail. They just want to make sure the site is backed up. But I've had conversation with clients who've been burned by backups and a lot of times they have very granular questions. So when those things happen, absolutely engage with the client on the sorts of technical details but in general, stick with peace of mind and that's really what the client is after.\r\n\r\nThe next thing to consider just another guiding principle in educating clients is to position security as a partnership. So keeping a website secure as you've heard throughout all of disaster week, there's a lot we can do on the website to keep a website secure, but the weakest link in the chain is typically the user right? So we need that security is a partnership between us and our client. 
We can secure their website, but the client has to do their part too and by the way, your contract needs to reflect this and explain what the client's responsibilities in web security are. And those can be conversations as well as you're onboarding the client into your management service and the kinds of things they ought to be paying attention to the things that we've talked about throughout the course of disaster week. I'm going to give you a few ways to talk about those things later on in the talk today.\r\n\r\nAnother guiding principle is this question that clients always seem to have. Yeah, but why would a hacker even go after my site to begin with? This is something that most clients don't understand. Like I'm just a small business or we're just a little nonprofit or, you know, why would they even care about me? And my encouragement to you would be find a hacker analogy that connects with this particular client. See, it's not personal hackers. Don't care if you're a small nonprofit, if you're a mom and pop shop someplace, whatever. They don't care about you personally. Usually, they just want you to use your website for gain. And there's some reasons for this. So try to find an analogy. That connects with your kinds of clients. The story I always tell when I'm talking about or if a client has a question about why would hackers hack me is I would tell a story that happened several years ago in our neighborhood. Now we live in a very safe neighborhood. But several years ago, we had a string of car break ins and it turned out, you know, people's cars, they weren't being damaged, but things were being stolen out of them. 
And it turns out that there were a bunch of teenagers walking around the neighborhood late at night, walking from driveway to driveway trying the door handles of cars that were parked, and if a car was left unlocked, they'd go through the car and steal contents out of the glove compartment or purses or anything that was left in there, and they'd take those, and that's what they would do. And that's very, very similar to what hackers do. They're just checking the doors and windows of your website to see if anything is going to let them in, to give them easy access. But a hacker, they don't just try one door at a time. They've got software that scans the web looking for thousands and millions of open doors and windows. It'd be like the hacker pressing one button and checking all the doors and windows of all the houses and all the cars in my whole neighborhood, and that's what they do. Again, it's not personal. They want to use your website for their gain. Now, what do they possibly have to gain from my little website as a little nonprofit or a little mom and pop shop? Well, they want your server resources. All the spam messages that you and I get, those are generated a lot of times by compromised servers. Oftentimes a hacker will go in and add some code to use the server resources to help generate cryptocurrency. It's not about you. It's about what they can use your server resources for. Sometimes they'll do content injection, where they'll inject ads for products that you probably don't want on your website, or they might redirect your website to other websites. And they do that very cleverly. So again, it's not personal; they're just trying to use your website for their own gain. They'll also inject malware that can be used to further infect the visitors to your website. So all these are reasons they don't care who you are. They just find an easy target that they can leverage to use for their own purposes.
So find an easy analogy that connects with your customers. For me, the car break-in one always works well. And then explain that it's not personal. They're not after you. They're after your server resources.

So how do we then go about presenting a care plan to a client? I always use this. This lingo actually came up accidentally one day as I was meeting with a client in a coffee shop face to face, back when we used to meet face to face with our clients. Goodness, it's been a while since I've done that. But I actually took a napkin and I drew out this box with a big WordPress W in the middle, and I called it the four walls of protection. And here's what's included. I still use this explanation today. It's an acronym, HUBS: H-U-B-S. These are the four primary things that our care plan does. We provide hosting. We provide software updates, we provide backups, and we provide security. And those are the four walls of protection that keep our WordPress sites safe. And this is what we offer as part of our care plan. Now as you're presenting this concept to your client, there are a few things to keep in mind. I'm gonna go into each one of these and kind of how I talk about them. The first, as throughout this whole process: pay attention to your client. If you're like me, it's really easy to geek out and go down a tech rabbit hole the client doesn't care anything about, so I'm really careful as I'm talking about anything technical with the client to watch for eyes glazing over. You know, you're talking and you're really excited about what you're talking about, and you realize the client has checked out. They don't care about any of this. So you have to pay attention to your client and just ask yourself, what are the parts of this conversation the client is really interested in? And you want to give just enough detail to satisfy their interest without going into depth on the technology details. Right?
Remember, the big picture of all of this is you're selling peace of mind. And if you think I'm oversimplifying that, I promise you I'm not. I've been selling WordPress care plans since about 2010. So, you know, 14 years I've been selling this and doing a pretty good job of it.

It's about peace of mind, folks. This is ultimately what clients buy. That's why they want a care plan. They just want to know that you are going to be there to take care of the website if something goes wrong. Some clients may have particular technical concerns to ask about. Awesome, let's get into it. But in general, they just want to know that you are someone they can trust. Buying a care plan is a trust-based decision that the client makes. So again, throughout this, try to create analogies that the client can understand.

You know, technical things can be a little hard for some folks to grasp. Nothing wrong with that, but just try to make them practical with some analogies. I'm going to give you a few throughout this.

So when we get into the first wall of protection, which is hosting: for us in my agency, hosting is included as part of our care plans. We do not manage sites that we don't host, so if you want to bring your own hosting, that's not an option for us. Now you as an agency owner can make that decision. I strongly encourage my coaching clients especially not to do this: don't have websites on lots of different platforms with hosting that's all different, and some have different requirements and the control panels are different. It's a killer for efficiency in your process. It's much better to have all the sites you host on a server that you control. Now, that's the benefit from my side. From my client's side:
The benefit is what I tell clients literally: as we build your site and manage it, I want to be able to look you in the eye as a business owner and say, we're going to take full responsibility for managing your website so that you only have one person to call if there's ever a problem about anything. What we don't want to do is get into a blame game between your hosting company and what we're doing, where they might blame us, we'll blame them, and you get caught in the middle. We want you to be certain that no matter what, you have one person to call, one business to call, one neck to strangle if there's a problem, and we're going to take full responsibility. We can do that because we control the whole situation from end to end, from hosting to site. We deal with all of it. We have a private server that's optimized for WordPress and our process, which allows us to build the site efficiently for you and to manage it successfully for the long term. Now that's the way I position hosting, and in general, I don't have to do anything more than that. Our clients in general, and honestly most clients, well, good clients especially, are not going to push back too much on you on hosting if you have your solution, because again, they want someone they can trust who's gonna be there for the long term. And if you bring hosting to the conversation and you have a solution for that, it's much better for the client because they don't have to worry about it anymore.

Now occasionally a client might bring up, well, what about, you know, I get hosting on fill-in-the-blank name of the host for $5 a month or $8 a month? I don't get that much anymore, but I used to a long time ago. And the way I would explain that situation is, look, sure, there is $5 hosting out there. You can also go on Facebook Marketplace and buy a car for $500. I wouldn't recommend either if you're serious about your business.
You know, you can buy a car for $500 on Facebook Marketplace. I wouldn't put my family in it. Just like you can go and get hosting for $5 a month, I would not put my business website on it. So there are huge differences between the level of hosting that we offer on our server and what you're going to get on cheap shared hosting. Shared hosting is like an apartment building. Here's an analogy. It's an apartment building where you can't control who your neighbors are. So, you know, the people next door to you on that server. And there are thousands of sites on a shared hosting platform, all sharing the same IP address. So you are at risk of misbehavior by your neighbors, over which you have no control. Or you might find that your speed goes down because of what other sites on the server are doing; your system resources are unpredictable because of what other sites on the server are doing. You may find that one of the sites on that server gets compromised and they're hacked, and that server is sending out millions of spam messages every day. Well, guess what happens? That server IP gets blacklisted on some banned list, on a spam list. And now you have problems with your deliverability because you're wrapped up on the same IP address. Hacks on other sites affect you. So it's much better, like if you have a premium website, you're paying for a professional to build your website, get professional hosting to go along with it. Don't put yourself in a situation where you're in an apartment building with neighbors who you can't control, and that's going to affect your business.

As we turn the page to software updates as a feature of our care plan, we're talking about WordPress core, theme, and plugin updates. Now I call these software updates when I'm talking to the client so as to avoid any confusion with content updates. I found this is really important to do; that phrase "software updates" makes sense.
It's something a lot of folks can relate to because we do software updates on our computers. And I found actually, when I start talking about updates, the client's thinking about, you know, we're adding text, adding things to their website, which we do; that's just another conversation. So I always talk about updates using the phrase "software updates". And I explain to the client, we have a scheduled process that we do every week. It's reliable for doing software updates across all the sites we manage, so your site is going to stay secure and healthy. Now, when it comes to software updates, sometimes non-technical clients don't understand why this is important. Why would you have to do that anyway? Can't you just build a website and there it is, and it's good? Unfortunately, no, that's not the way websites work anymore. A good analogy is the software updates on your computer. Can you just buy a computer and you're good? Well, you could. But the software on your computer has to be regularly updated because of vulnerabilities that are found. If you're not updating your web browser to the latest version, or at least have those auto updates turned on, super important, you're gonna find yourself with a security vulnerability on your website. So people, even non-technical clients, tend to understand the software update analogy. And I'll often ask, okay, so be honest, how often do you ignore the software updates on your computer? Delay, remind me tomorrow, or do it next week? You know, just get rid of the thing because I'm trying to do something right now. You can't ignore it when it comes to web updates. If you ignore those software patches on your website, your site could be compromised. So, you know what would happen if your computer gets infected. You might get malware, you might get some other things. But if your website gets infected, your business is at risk. It's a big, big deal. Now there's also the approach for semi-technical clients.
Maybe some of your clients have done WordPress before, and they're familiar even with going in and hitting update and watching all the things update. And they think it's just as simple as clicking a button. And that is sometimes true. Sometimes running WordPress updates is as simple as clicking a button. But what happens when something goes wrong? And how do you know if that might happen? So if I have a client that pushes back, "I run my own WordPress updates," the question I would ask is, how sure are you that you're going to do this regularly? Because it needs to happen at least weekly, just like Timothy said in the last hour. How sure are you that you will do this every single week without fail?

When you've got a business to run? Oh, well, my secretary will do it. Oh, adding that job on to someone who already has a bunch of things to do? You know, how sure are you this is going to happen regularly? Most clients that I've talked to are not sure, so they begin to think about this. Also, do you investigate major plugin updates before you run an update? Good grief, before we update WooCommerce on any sites, or any big plugins like that, we're looking at the developer blog, making sure that there's nothing here that might impact what's going on on that site already. You need to investigate major plugin updates before you run them. That's my opinion.

So a lot of times it is as simple as just clicking a button, if you know what you're doing and what's being updated, and if it's on a regular basis. And so what I tell clients like this is, listen, for a small monthly fee, we're going to take care of all this for you: hosting, updates, backups, security. You don't have to worry about it at all, and you can just do your business. You don't have to think about the website; you can offload that whole piece of your business for a really small monthly cost. That is a strong sales pitch to a good client.

All right, the next part of HUBS is the backups.
So in general, there are very few people these days that I've come across who don't understand the importance of backups. We get that backing things up is good; we want to have a backup of our website. So there are two key reasons that I tell our clients that we have redundant backups. The first is human error. If you are Mr. and Mrs. Client, if you're logging in, you're making updates and you break something, you don't have to worry; we have a backup from at least 24 hours ago that we can roll back to and fix anything that was broken. We also have redundant backups in the case of disaster recovery. So if your site might get hacked, and they get through all of our layers of defenses, we can roll back a backup and patch the things that need to be patched. Or, you know, let's say something happens and there's a broken update, and we can roll back and get the site back up very, very quickly. So we do these redundant backups to keep the site secure, just in case anything might happen. Now, hopefully you do have a backup strategy, and you have a consistent backup strategy that you use for all the sites that you're managing in your care plans. And if the client's interested, this is a good time to explain what that backup strategy is. And so we have a multi-tiered backup strategy, where we have a hosting-level backup as our first line of defense, and we run a daily full-site backup that's stored off-site with a six-month archive. That gives some clients peace of mind, and they want to know about that. But again, you have to kind of figure out: is this important to the client, how many details do they need? And give them what they need to be satisfied.

All right, let's talk about security. We've been talking about security, but now security as a service. I explain that we have a multi-level strategy to keep your website secure. So security is critical when it comes to your website.
And that used to be a hard sell. These days, with all the website hacks and compromises that are in the news regularly, in mainstream news, people are more and more understanding, and this is much less of an explanation that's required, I'm noticing these days with my clients, than it used to be in years past. But we have this multi-layered strategy that we use to keep our sites secure. We provide a free industry-standard SSL certificate as long as we manage your site. You might think that is a no-brainer, but it is amazing to me how many clients that come to us are still paying annually for a security certificate. It blows me away. SSL, the industry-standard SSL, has been free for years. And we provide that, of course, so sometimes we can save our clients money. So here's what I mean by layers of security. If a client wants to know more about this, again, for many clients: we have a full strategy to keep your site secure, so you don't have to worry about it. And a lot of times that's all they need to know. If they want to know more, here's what I'll explain. We start with architecture. So I'm going to start at the core of the security and work my way out to all the layers. So the first is architecture. We're only going to use reliable themes and plugins to build your website. So many, many of the vulnerabilities that are associated with WordPress, and a lot of people say, well, WordPress isn't secure. And like Timothy said in the last hour, WordPress is very secure in the core. It's these plugins or themes that are added that are from maybe questionable sources, or developers that may not be as on top of things as others are. That's where a lot of the vulnerabilities come from. So we only choose the best themes and plugins to build your site. Then we go through, at our launch, we have a 40-point lockdown, or fill-in-the-blank-number lockdown, process that we use to launch your website.
Well, Nathan, what is your 40-point lockdown process? Okay, go through and count the number of settings that you make in Solid Security.

And if there are 40 of them, that's your 40-point lockdown process as you're launching the website, and any other changes that you make. It's a really good line to use with clients, and it's 100% true. I don't feel like this is shady at all. There are 43 points that we go through to lock down your website using the security plugin.

So the client knows this is a detailed process. There are a lot of things that are being considered in this situation. Also, now that the site's locked down, now we move out to the next layer, user security. So built into the security that we have for your website, we offer two-factor authentication, passkeys, compromised password protection, all the things that Timothy talked about in the last hour. We've got the way it's built, the way it's locked down, user security. Now on our server itself, our server, which is ours, the private server, it has security protocols and intrusion detection in place. What is intrusion detection? We watch your website. Our friend Tom, right there, watching the website and seeing what's going on with anything, you know, that's malicious or of malicious intent. So our intrusion detection system is in place, and even above our server there's another layer of network protection, for which we use Cloudflare. We have network-level filtering that blocks many of the bad guys before they can even get to the server in the first place. So starting with the core and working all the way out, we've got these layers of security, with that wonderful analogy that Thomas raised yesterday of like stacks of Swiss cheese, and it's going to be very difficult for any one hole to make it all the way to the bottom to let an attacker into our network. I just love that analogy.

All right. So this is what we do. These are our things and what we do to keep your website safe.
Now there are also some responsibilities that you as a client are going to have in keeping your website safe, because like I mentioned, security is a partnership. We will keep the website secure, but you have the responsibility of keeping your computers and logins secure, any computer that logs into the website. So a great analogy here is that we can put the best security system in the world in your office building, but if you leave the front door unlocked, it's not going to help very much. So just like in Timothy's presentation in the last hour, there's still a large percentage of attacks that are coming right in through the front door because of user security. And so, yeah, that's the part that the client really needs to take a look at. So security is a partnership: we do our part, you do your part, everything stays secure. So by the way, again, very, very important that your contract should explain the client's responsibilities in security, so they sign that as part of their agreement with working with you, and then maybe you have some training or a little video or, you know, a little guide that you give to them on launch that explains those things. So what do the client's responsibilities entail? What does it include? Well, the first, as we've talked about a lot through Disaster Week: good password practices are critical. So what I tell my clients is, you're going to log into the website as an editor who has the ability to edit pages; you must use a strong password, as shown by the WordPress password indicator, for any account that edits the website. This password can only be used on the website and nowhere else, and we recommend using a password manager, and we'll give them our recommendation. We as an agency use the Keeper password manager. We love it. I think it's awesome. That's the one we settled on after the LastPass fiasco a year and a half ago.
We love Keeper. We're an affiliate for Keeper, and if a client buys, you know, we have an affiliate link we give the client, and then we can share passwords more easily and so forth. So I see there are a lot of great questions in the chat. If you'll put those in the Zoom Q&A, we'll get to those at the end.

So good password practices: use a password manager, a complex, unique password that's only used on that website. Also use multifactor login and trusted devices. So explaining two-factor authentication and passkeys. Passkeys have gotten a lot easier to use now than they used to be. Trusted devices, we've talked about that at length in Disaster Week. We've shared with you the links in the chat where Timothy walked through that whole flow of setting up a trusted device and what it looks like if a non-trusted device has intercepted your session cookie.

That was a really excellent webinar. So go back and rewatch that if you haven't already. And again, Solid Security Pro makes all of this easy, so the client has to practice good password hygiene. They also need to keep their individual computers protected. So as part of our agreement in our contract, any computer that logs into the website must be protected by maintaining updated security software. So you have to have malware protection that's updated on a regular basis, and only use the latest browser versions. Make sure your browser has auto update turned on; most browsers do these days. But also your operating system and other apps on your computer all have to be up to date, because all those can be used to inject malware, which can steal your passwords or session cookie. So practice good hygiene. Keep your computer safe.
Those are the two primary areas of client responsibility in website security.

All right, one last thing I want to cover today, because it's always a question and I just think this is a helpful thing.

How do I price my care plan? So if I use all the products that SolidWP offers, and by the way, I hope you caught on to this, all the areas of the HUBS strategy, the four walls of protection, other than hosting, the products from Solid give you all that you need to offer a great care plan. So doing updates using Solid Central, putting all your websites in a dashboard so you can see an overview of what sites need updates and execute your updates there; backups using Solid Backups; security using Solid Security. All of our products are created to help you have a good, reliable WordPress management system. So what can you do now to charge? What should you be charging for your plans for your clients? So the one kind of rule of thumb that I give here is that the price that you can charge for your care plan is often based on the price that you're charging for the site. So here are some general guidelines. And by the way, what I mean by that is, if you're building really inexpensive websites, it's going to be very unlikely you can sell a very expensive care plan, because your customers aren't at that level. So your care plan price often depends on website build price. So this is just a basic guideline. Okay, if your typical website price is under $2,000, then you could probably have a typical care plan starting at about $50 a month, roughly.

If your website price is $2,000 to $3,500, you might be able to charge around $75 a month. If you're $3,500 to $5,000, maybe $100 a month. Above $5,000, maybe $150. But again, these are just guidelines and thoughts. We did a poll on this in a recent premium webinar with our members. This was about where everybody landed on what they were charging: between $100 and $150 a month for most sites that fell within this price range.
And so again, this is not a rule that says you have to do it this way. But if you're wondering, am I charging too little? Am I not charging enough? This will give you at least some guidelines as to what other folks are charging. So hopefully that's helpful. Now we have plenty of time for questions. We've covered a lot. I've been talking a lot. Plenty of time for questions here, and I see that there's a bunch stacked up in the Q&A. If you've asked a question in the chat, if you would please just drop that in the Q&A, it'll be a lot easier for me to just scroll down and take those one by one. In the meantime, I will reflect back to the discount code. This should actually be "Disaster Week 40", and that gives you 40% off of all SolidWP products if you're a new customer. It is not available for renewals or to extend an existing subscription. It also doesn't work on Solid Central monthly plans. It does, however, work on the Solid Suite, which includes Solid Central. It does not work on Patchstack add-ons; if you're a legacy iThemes customer, those are done site by site. All right, so "Disaster Week 40" gets you 40% off of all of our things. Okay, with that, let me turn my attention to questions. And if you folks will also open up the Q&A and upvote the questions that you would like to see answered, we'll spend the next 10 to 15 minutes talking through some of these.

All right, first question from Dave. Does the care plan pricing that I suggested include hosting? So yes, I include hosting in the care plan and in that pricing. And so what I typically recommend for folks is, depending on, you know, how technical you are, how comfortable you are with dealing with server-related things: if you're not technical, then go towards a managed WordPress hosting situation like Nexcess, where you can buy a bundle of sites and put your clients into those.
If you are more technical and you're okay with, you know, a few server technical things, then get a VPS from a good, reliable web host that has excellent support, like Liquid Web, and you can stack your clients on a VPS. There's usually more profit margin on a VPS than there is in managed hosting. But I roll all that into one price and the client pays one price. Yeah, so hopefully that answers your question there.

All right, next up is Sue, an upgrade question. I bought a single Solid WP license in addition to my toolkit while I decide if I want to keep the toolkit or buy another Solid license on sale. Does it add to my account? No. So you would be an existing customer in that scenario?

Yeah.

So it does not work to extend or add to existing customer licenses; that is tied to your email address.

Ah, question from an anonymous attendee: instead of me educating about the care plan, can you just create a video that talks to all your clients that are onboarding? Absolutely, absolutely. So you know, well, okay, let me back up.

First of all, talking about the care plan should be part of the sales process. Okay. So as I'm talking to the client in that first conversation, which I call a discovery call in my world, where we're talking about all the things that the website needs to do, the functionality, you know, all the factors of this project, I also have a section of that conversation in which I talk about the ongoing management of the project. There's a question in my discovery form that asks the client,

do you need, I forget exactly how it's worded, it's basically, how will the site be maintained going forward?

It's more elegantly worded than that, but that's basically it, and it's a jump-off point to have this conversation about a care plan. So that education and talking about the need for a care plan, I think, best happens in a sales conversation, just the basics, right?
And what you don't want to do is, at the very end of a project, just drop it into a proposal when you've never talked about it before. You want to let the client know that the way you approach website building and management is as a holistic process. There's a cost to build the site. There's a cost to manage the site. It starts around this amount for website management, and we include that in our proposals. That's what I would talk about in the context of a sales conversation. A lot of times what you'll find, though, is that it will help you sell a website when you talk about your lifetime approach to the website. Like you're not just gonna build it and disappear. That's what many web developers do. I'm constantly surprised by this. They just want to build sites; they don't want to manage them. The long-term money in website work is the management. It's recurring revenue. That's what lets you stay in business for a long time. Anyway, I'm getting off down a tangent, but the education piece starts at the beginning to introduce them to the idea of a care plan, why it's important. I think it makes a lot of sense to have a video right at site launch when you're onboarding them out of the development process and into management: this is what our care plan covers, these again are your responsibilities. Having a video or a little handout, a downloadable with that, is super helpful. Yeah.

All right. Next up is AJ. AJ: what hosting do you use in your agency? Is it an in-house solution or do you contract hosting companies? Great question, AJ. My goodness, I do not want to have a web server in my basement. Absolutely not.

There was a day in my life where I probably thought that would have been cool, but good grief. All of the intricacies that are involved in website hosting, there's just too much. It's too much to know and be doing web and know all about web and WordPress.

It's just too much to know.
So my suggestion is always have a hosting partner. You have your sites with this host, whether that's a single managed WordPress solution like Nexcess, or a host that's more traditional that has dedicated servers, VPS, like Liquid Web. We had a dedicated server at Liquid Web for years, and we did that because the support was awesome. So if there's ever a problem, you reach out, support takes care of it. And otherwise it just works really well. So you have to decide which situation is best. Nexcess is a Liquid Web company. SolidWP is a Liquid Web company. So I'm mentioning those. There are many good hosting options out there. But I would advise you to look at Liquid Web and Nexcess to start.

Alright, next from an anonymous attendee: how much time is involved in the care plan small monthly fee? What is it? Okay, great question. So, anonymous, let me ask you, if you could, to clarify in the chat. What do you mean by how much time? Do you mean how much time does it take to manage a bunch of websites? Or are we billing the clients for time? If you can clarify that in the chat, I'll try to answer it.

So, I'm going to step up and put my coach's hat on here, okay. As a business coach for micro agencies, what I advise people to do, and it's what I've done for years in my agency, is you don't want to bill by the hour. Billing by the hour is no fun. You end up losing track of time; it takes forever to do. I as an agency owner want to be in QuickBooks as little as possible, right? And so a change that I made years ago, instead of having to just kind of track time on all these things and build little bitty invoices that I never seem to do, what I did was, when we raised our prices on care plans, I bundled in two fast tasks built in with every plan and every month. So every client that is on a care plan has included in the care plan up to two fast tasks every month. They don't roll over; every month has up to two of them.
And a fast task is something that we define as something that we can read a ticket, do the thing and reply to the ticket in about 15 minutes. So these are things like hey, I'm attaching a blog post in word when you post this on my site, hey, can you add this new staff member? Hey, can you update this wording or add a sale price to this product on my WooCommerce site is small tasks. If a client needs more than that, then we'll increase their service level agreement to have more fast tasks. If a client asks for something that is a few, you know, like build me a landing page, that wouldn't probably be a fast task. And so we would give them a flat price for that amount. So that would be more of a project instead of billing by the hour.\r\n\r\nMatthew's asking about what a half a fast task not so fast task of the past tense. So just try it. My advice as a coach is to make the billing part of your business as simple as possible. I cannot tell you so over the years in the last 10 years I've been coaching micro agency owners, hundreds and hundreds may be found out you know, probably getting close to 2000 conversations I've had over that time, maybe more. I haven't done the math. But in those conversations, when I talk to a coaching clients about the frustrations they have in their business, it almost always comes back to billing and finances and keeping all that stuff and they've created for themselves. A billing environment that is hard to manage. So simplify that billing, the whole process of billing and the way you're tracking work, and life gets a lot simpler, I promise Okay, next up is Jeffrey. Does your recommended price including hosting. Yes, so we answered that question a bit ago. Matthew, can you share the link rack and by the patch stack add ons for legacy customers? I've been looking but I can't find it out. Okay, so Matthew, I don't. Since I'm broadcasting right now I can't go back and look for that. 
It's like the link that I shared earlier that talks about...

Well, it's in the chat. I shared it earlier, and I marked it as "this talks about Patchstack upgrades." We went through that whole process. It's in the Solid licensing portion, I believe, and you just click and it takes you to the Solid cart, and you can add licenses one at a time. Like, you can buy three, or one, or 52 if you want, and then you'll have that bulk, that bundle of licenses, which you can then apply to an individual site.

So I'll go through that whole thing in that live stream. If you'll just go, you can kind of scoot through the live stream and you'll find it.

Thank you, Doug. It's under Security and Firewall. And again, if you have questions, just reach out to support and they'll walk you through all that.

An anonymous attendee is asking how hours and billable hours are related to starting prices. So I answered that a little bit a minute ago, and, whoever you are, anonymous, if there's more texture to that question, then just drop it in the chat and I'll try to elaborate more.

All right, Jeffrey: what about training? Do you offer any sort of training in your package, or is that extra? That's a great question. So, Jeffrey, we have a set of training videos that we have in every site that covers basic WordPress things. If the client needs additional training, that is billable. Now, a lot of times we'll cover this in the build project. So one of the questions we'll ask in defining the scope of work is: are you going to be getting in and editing the site, or is this something we're going to do? Do you need training on how to use WordPress? If they need that training, that's an itemized addition to the scope of work that's going to affect the cost of the project. There's a cost for training, right? An hourly cost. We'll usually record that training and make it available as a video link in the dashboard.
Sometimes what will happen is they'll have a new staff member come on board who didn't go to the training and doesn't know how everything works. Well, they can either watch the video that we provided or they can schedule training, but that is going to be an additional cost that they have to pay extra for. So we don't include training in a care plan package, but it's something they can purchase extra if they want to do that; it's billable.

Doug: all of my clients were onboarded with a care plan some many years ago, all before Patchstack was available as an add-on. How would you approach existing clients who are on your care plan about paying more money? Great question, Doug. We should have a live stream about that. Oh, wait, we did. That's that link I mentioned in the chat a little bit earlier. So that whole webinar that I talked about, that I gave the link for a little bit ago, scroll back, it's up there about onboarding; it's all about creating additional recurring revenue with Patchstack. So I talked in that live stream about creating an extra level of security where you charge more. You know, you could probably add $10 or $20 a month, and the license costs you, I think, a couple of dollars a month per site. It's a big profit center. So I talk all about that in that process there. So I would just recommend: go back and rewatch that webinar. Jeffrey's asking, are those training videos available? No. But what I will tell you is the bundle that I use is called Video User Manuals, videousermanuals.com. There's an annual cost, and it embeds right into WordPress. It's great, and it even has some premium plugins in it; they have videos for all the premium plugins we use. We have a lot of sites on Beaver Builder; they have videos for those. We use Gravity Forms; they have videos for that. They have videos for WooCommerce.
They have classic editor, block editor, all the things, and we just pay one fee for that every year. And those basic videos are in every site dashboard. It's excellent.

Matthew: you mentioned you do coaching for agencies. Is there a community forum or Slack channel for designers or web hosters that you recommend, where we can chat with peers? Absolutely, Matthew. So my favorite group, well, aside from our Solid Academy Slack group, of course, which you can get access to if you're a member of Solid Academy, is the Facebook group called The Admin Bar. It's run by my friend Kyle Van Deusen. Awesome. The Admin Bar is great. I cannot recommend it enough: thousands of WordPress folks just like us, doing agency stuff with clients, are in there. It's a brain trust. It can often be a firehose of information. But also become a Solid Academy member. All you have to have is a Solid Suite license. It starts at $199 a year, 40% off your first year. You get to be a Solid Academy member, come into office hours every week, you can ask whatever questions you want about business, about technical things, and become part of the community. There's a lot of fun folks that hang out every Thursday with me during office hours, and we have that Slack group for offline conversations as well. So check that out.

Last question, from Matthew: will this webinar be archived? Absolutely. I'm dropping the link for it again in the chat. The final link there is the replay link. It takes about an hour, maybe a little longer today because it's a two-hour video. Basically, as long as it takes for Zoom to render that video and push it up to Vimeo, we'll have the replay posted.

So, Umberto, if you are a member, reach out to Solid support and they will give you the link to join the Slack group.

Matthew: so legacy license owners can be part of Solid Academy? So here's the history on that, Matthew.
And when you say legacy members, I'm assuming you mean like you have an older, I think, security license, like iThemes Security Gold or something like that.

So this training used to be called iThemes Training, and it was a product that sold by itself.

So it was, you know, something you could purchase individually, or it was included in our Toolkit, the iThemes Toolkit, which included a whole bunch of things. So if you only had a security license, then you wouldn't have had access to training, and you won't have access to the premium Academy. We do a lot of free Academy events also, though, that anybody has access to, but if you want access to the premium pieces of Academy, you can get that now through the Solid Suite. Any member of the Solid Suite has access to the Solid Academy. So, all right, a lot of stuff today.

Any final questions, drop them in the chat and I'll try to answer those, and then we'll wrap things up otherwise.

Well, I do appreciate you hanging out with me and lasting through the last four hours of training. This has been fun. We do this at least every year in Disaster Week, where we take a lot of time and talk about WordPress security issues. We started off with a great State of WordPress Security from our friend Kathy Zant, then a great WordPress experts panel. If you missed that panel yesterday, that was quite a discussion with a lot of insight and a lot of fun; some really smart people in WordPress security. Go back and rewatch that; that replay is already up. And then today we had a great talk with Timothy, and then the stuff that I talked about as well. Hopefully it was useful. Well, that's gonna wrap it up for us for Disaster Week 2024. Again, the replay will be up later today. And if you remember, hopefully I'll see you back here on Office Hours.
That's tomorrow, starting at 1pm here on Solid Academy, where we go further together.

Day One

Session 1 - The State of WordPress Security: What Affects YOU!

March 19 from 1:00-2:00 pm Central Time

Kathy Zant will give a helpful overview of the issues impacting WordPress security in 2024, especially from the perspective of solopreneurs and agencies who manage WordPress websites for clients.

Session 2 - Security Expert Panel: Trends You Need to Know

March 19 from 2:00-3:00 pm Central Time

Nathan Ingram will lead a panel of WordPress Security experts: Kathy Zant, Thomas Raef, Timothy Jacobs, and David Johnson.

The panel will cover security trends in detail with plenty of time for questions from attendees.

Session 1 Slides: https://drive.google.com/file/d/1GV5SRsGhaOckgTkXf-62b8vf1WWjJg5v/view?usp=drive_link
Chat log: https://drive.google.com/file/d/1UP8bFXnyB_odC6r9B4Wbeys8odOfPW7z/view?usp=drive_link
Live transcript: https://otter.ai/u/-vGsb4xe8EmwnEda1Ecv_1_RsTI?utm_source=copy_url

WordPress Disaster Week is a website security training event hosted by the team behind the Solid Security plugin. WordPress Disaster Week sessions are totally free and available to anyone online via the webinar format.

Disaster Week is great for anyone who owns or manages a WordPress website. The topics covered during WordPress Disaster Week will help you understand the basics of WordPress security, how hacks happen, and how to secure your site.

WordPress Disaster Week is also great if you build or manage websites for clients, as we'll cover a session on how to talk to clients about WordPress security.

Register once to attend all sessions of WordPress Disaster Week. If you can't attend live, we will send you the link to view replays of the full event!

Day One transcript

Again, welcome. If you're just joining us, it's Disaster Week 2024. We have Kathy Zant here. She's going to be talking about the state of WordPress security in our first hour, and then we have an excellent lineup of security experts and a panel that is coming right up. We're going to be getting things underway here momentarily. The links I posted in the chat just a minute ago are not correct. I'll get that straightened out in just a minute.

Oddly, that should have been working, but hey, it's Tuesday.

Again, welcome, everybody. It's good to see folks logging in from across the country and around the world. Hi, Kay. Sue is here. Barney, welcome. Thomas Byrne. Paul Class, Doug. Good to see everybody today. We'll have the links up for you in just a moment.

Again, welcome. We'll be getting started officially at about three minutes after the hour. So glad you're here just a bit early. We'd love to hear from you in the chat where you're logging in from, and here are the correct links. There we go. This is, of course, being recorded; the replay's available at the link that I just posted. You can also download Kathy's slide deck; the link is also there in the chat. Really glad everybody's here today. Welcome. Welcome, Dan.
Good to see you, Rob.

Great to see everybody logging in today.

Hi, Tina from South Africa. Welcome. Welcome, Marie. Welcome from Massachusetts.

All right, folks. Good to see everybody coming in. Hey, Stacey. We're about three minutes away, three and a half minutes away, from getting started with Disaster Week for 2024. This has been an annual event here with SolidWP, formerly iThemes, for many years. We always enjoy bringing some great experts on this topic to give you the lowdown on what you need to know as you're managing your own WordPress site, or perhaps even managing sites for clients. So welcome, everybody. We have a lot, lots to talk about today. Great panel of experts, plenty of time for questions. The world of WordPress security is much more complicated today than it has been in the past, and Kathy is going to unpack a lot of that for us here in just a little bit.

Oh, Sue, that's great.

Welcome, everybody. Just about three minutes away from getting started. Kathy Zant is here, where she's going to be talking about the state of WordPress security to get Disaster Week going. I'm really glad to have everybody here. Welcome to folks across the US and around the world. If you're just logging in to Zoom, open up the chat and say hello. The slide link bundle is in the chat; today's slide deck is there. Also the replay: if you want to go back and rewatch this live stream, you can do that at the link there in the chat. Share that with anyone as well. Those links will be available. Hey, Michael, good to see you.

Melissa, welcome from France.

Great to see everybody. Hi, Frank. Melanie.

And I am using the wrong microphone. Wow. All right, that should be considerably better audio than it was before.

I thank you so much for that little tip.

Melanie, I appreciate that. Yes, yes, yes. All right. Welcome, everybody.
We are just about two minutes away from getting started with Disaster Week.

The link bundle is there in the chat. You can download today's slide deck that Kathy has on her screen now and follow along if you'd like; I think there's some helpful links in there as well. Also, the replay of today's event will be at the link there posted in the chat as well. You'll be able to share that video out.

The chat log and transcript for this event will also be there, at that link.

Niles, welcome.

Hey, Charlie, welcome back. Mateus, welcome. Good to see everybody there in the chat. We're about a minute away now from getting started with Disaster Week. Kathy Zant is going to kick us off talking about the state of WordPress security. Hour two today is going to be a star-studded panel of security experts who will be here to talk about some of the current issues in WordPress security in the next hour, and of course have plenty of time to answer your questions as well. Welcome, George. Glad you're here.

Folks, if you're coming in to Zoom, we invite you to open the chat, say hi, and tell us where you're logging in from. If you'd like to chat with others during the live stream, make sure that you've dropped down the little blue drop-down above where you type in your chat to "everyone," not just "hosts and panelists." It does default to hosts and panelists for some reason, but if you'd like to chat with everyone, just make sure you make that change.

Once again, if you're just joining us, the attendee number is ticking up. The link bundle is there in the chat. You can download today's slides that you're seeing there on the screen with Kathy's State of WordPress Security. Also the replay link is there for you. Hey, Rob, Vera, welcome. Glad you're all here. Just about ready to get started. Kathy, ready to light this candle?

I am ready to kick this off, the fun. Well, let's get started.

Well, good afternoon. Good evening.
Good morning, wherever you happen to be around the world. Welcome to Disaster Week 2024, here on the Solid Academy. This has been an event that we've done for many years here at Solid, formerly iThemes, as we talk about the state of WordPress security and give you tips from experts as you seek to make your WordPress site safer and protect the sites of the clients that you are helping as well. I'm joined today in our first hour by Kathy Zant. Kathy, it's so great to have you back. Kathy is an internationally recognized expert on security and marketing, data-driven website development. She's spoken at countless events worldwide and is a frequent guest on all sorts of podcasts about WordPress and other emerging technologies. Kathy, welcome back. How are you?

I'm so happy to be here. It feels like coming home to the gang, and I'm so happy to be here. Thanks for having me back.

Absolutely. So a lot of folks are saying hi to you there in the chat. You've got a lot of fans here in the attendee group today.

We're talking about WordPress security and the things that you need to know here in this first hour. Kathy, let's just talk for a minute about how you got interested in WordPress security. When did you start this, and how did it happen?

Yeah, well, I got interested in security back before WordPress. I inherited a server, a web server, from the technical people. I was the marketing person, and that server got hacked, and so I was thrown into the depths of learning about security in the early days of the Internet, and learned how to spoof emails and do all sorts of things. So that was way before WordPress. And then when I first started migrating some of the sites I was developing, you know, coding myself, and migrating things over to WordPress just because it was easier to manage, the WordPress TimThumb vulnerability... my husband's site, of all things, got hacked. So that was an adventure. "You got me on this WordPress stuff. You better fix it." Yeah.
Okay, hon, I'm on it. And so I got involved then, and, you know, then hacks happened, helping friends and everything. And then a company put out a call for people to clean hacked sites, and I was basically helping my husband run his business and I was a little bit bored. So I'm like, clean hacked sites? I've done that before. Let me see if I can do this. So I was just cleaning hacked sites sitting next to my daughter, who was homeschooling, and I got sucked in. And now, look at me. I'm giving the State of WordPress Security. Almost sounds like I'm a security politician. No politics here, though. Promise.

Oh, well. We have a lot to talk about, because the state of WordPress security is always evolving. And if you follow security news, and we do a monthly news roundup here on Solid Academy, we're always talking about new and trending security issues. We also have a regular webinar at least every quarter with Thomas Raef of We Watch Your Website, giving us, really, scaring us to death, quite frankly, with some of the things that are happening on the cutting edge of the things that hackers are doing. So we have a lot to talk about today, folks. Let me give a couple of bits of housekeeping details and I'm going to disappear and let Kathy start speaking here. But if you're just joining us in Zoom, we're grateful that you're here. Hopefully this will be a good investment of your time today. I'm dropping in once again into the chat the link bundle for today, which includes today's slide deck and also the link to the replay. We'll have the video of today's two hours posted by around four o'clock Central Time. That will also have our transcript and the chat log. So a lot of times during the live stream the chats will have some good information, so we save all that. It'll be available for you on the replay link that is there in the chat now.
Also, let me just invite you to go ahead and open up the Zoom Q&A. You'll find that as an icon under Kathy's shared screen. If you mouse over the shared screen, you'll see the Q&A icon. That is the place to ask your questions. So if you have a question for Kathy, or anything related to WordPress security, please use the Q&A and not the chat, because the chat may go on past and we might miss that question. But if you use the Q&A, it'll be there. And also we invite you to keep that open, simply because if you see someone else who has asked a question that you also have, you can click the thumbs-up icon, and we'll take the questions in the order of upvotes. Now, likely what we're going to do today is Kathy is going to speak and sort of set the table for us with all the current issues with WordPress security, then we're going to take a break. So no questions immediately after Kathy's talk today. We'll take about a 10-minute break and get our panel in place, and we'll take all the questions toward the end of today's panel discussion. So it's very important that you upvote the questions that are asked. It's likely we won't get to all the questions, but we'll take the questions that do have the most upvotes. So with that, I'm going to disappear, and Kathy, let's talk about the state of WordPress security.

Shouldn't there be like a band playing or something? I guess I'll just imagine that, you know, Pomp and Circumstance playing as we talk about the state of WordPress security. Now, when I first started cleaning hacked WordPress sites, WordPress security was a little different, a little more simple, but some things haven't changed. And I want to talk about some things that haven't changed and some things that will continue to kind of be this undercurrent of WordPress security threats.
But I want to talk about what is changing, some of the things that we're seeing, trends that you should be aware of, of where we're going. I'll talk about some recent attacks that we've seen that are very interesting for somebody who's into security, maybe a little bit scary if you're not into this. Then I'm going to pull out my crystal ball, and I'm going to make some predictions about some things that I see in the greater security space that will come toward us, potentially. And then I have some thoughts about the WordPress security community, WordPress as a community, as an open source community. I fully believe that WordPress wouldn't be what it is today without you, without the community, without all of us helping each other, and I have some thoughts about how security plays into that. So that's the little teaser. Is there going to be drama? Maybe. Stick around.

All right, so what hasn't changed? Hackers want to make money with your site. They want to take your server resources, your sparkly clean domain reputation, and they want to use it for their profits. So they're going to put spam on any site that they can hack. They're going to use phishing, malware, backdoors to get back into the server. They're going to do all sorts of crazy things with your asset. WordPress is an asset, and if you start thinking about your WordPress site as an asset, the same way you think about your bank account, your cryptocurrency, your home, your car, the shed in your backyard, all of these things that you want protected from malicious attackers and thieves, if you start thinking about WordPress that way, things will make sense, because that is something that hasn't changed: the profit motive, and that's the reason why they come after WordPress. WordPress is also powering more than 40% of the internet, and they target WordPress because they expect smaller sites like yours, in many cases, and larger sites, but mostly sites like yours, they expect it to not have as much security.
Now, the New York Times and Rolling Stone, RollingStone.com, use WordPress in order to present their content, but those major sites have security operations teams looking at every log file. They have security professionals looking at every login. But you are busy running your business. In many cases, small businesses just do not have the resources to watch security, so they expect less security on your site. So if they can hack into 100 WordPress sites, it's the equivalent of getting into one larger site that has a ton of traffic.

Plus, it's just your resources that they're after. Now, historically, what hackers have done is they've exploited weakness. Now, that could be weakness in the people who are running the site, who just don't know any better and are doing things like reusing passwords, or it could be a weakness in software, vulnerabilities. Typically over the past few years, decade, we've seen this in software packages, primarily in plugins and themes. There have been a few core vulnerabilities that have been significant, but in recent years we haven't seen that so much. But we're still seeing plugins that have vulnerabilities. We're still seeing some themes that have vulnerabilities, and sometimes those come under attack rather quickly. So software vulnerabilities and authentication issues are still going to be a problem. This is a problem in the wider space, not just WordPress as a whole, but it is historically how we have seen attacks coming at WordPress. The game of security, and one of the reasons why I love it so much, is, you know, some of you people do crossword puzzles and other things to keep your mind active; I like to see what hackers are up to. My friend Thomas Raef, who will be in our panel later, likes to share the stuff he finds. He finds the most amazing malware and the most amazing attack vectors and intrusion vectors. I find it fascinating what the mice are up to in order to get the cheese.
It's constantly a challenge, because you have security professionals who are trying to protect sites, and then we have security professionals, security black hat professionals, who are trying to get into those things. So the constant cat-and-mouse game: sometimes the mice are getting in, and sometimes the cat's got everything locked down. That challenge, to me, is exciting. And that's never going to change; that's how security works. You have security protections and hackers, just that hacker mindset, that playful "let's break out of these defined boundaries." It makes it interesting. So I find that very interesting, and this is never going to change. We are never going to stop hackers' activity; we are just going to be able to slow them down. They are always going to be looking for vulnerabilities that they could possibly exploit, so that cat-and-mouse game is going to continue forever. But what is changing is that these hackers are getting more clever.

The attacks are maturing. They're not just looking for plugin vulnerabilities, because we are seeing many plugin developers really up their security game. A few years ago, we saw a lot of plugin developers that were using is_admin(), a function in WordPress; they were using that wrong. is_admin() as a function will tell you: are you on an admin page or not? Is this person an administrator? And so we saw a bunch of different plugins that were using that function inappropriately and causing vulnerabilities. We're not really seeing that kind of thing. We are still seeing vulnerabilities, but attackers are having to become more sophisticated. The mice want the cheese, and so they have to get around the cat's defenses, and they have to try new things, new creative things. We just have to be aware of what's going on. What we're seeing is some of the general attacks on computing, on computers. Those general attacks are also targeting WordPress. Why? Because WordPress is an asset. Your WordPress site is of value.
Even if it's just your hobby blog, just the resources of your computing power of that website is an asset that hackers are after. So we're seeing some of these general security attacks now aiming at WordPress. Now Tomas last year, he started sharing with us some of the attacks that he was seeing and he was seeing that many hacks were coming in. And it was almost as if you look over the log files and you would be you know user coming in working in WP admin and then all of a sudden that same users cookie was being used, but it's like coming from some weird site someplace else and you know, Malta or some someplace where you know, that user that administrative user isn't. These were stolen session cookies. And on January 3, it's in the links that Nathan shared in the chat. Thomas's research he published on January 3 of showing what he found over 2023. And he found that 60% of WordPress hacks were coming from authentication problems and there's a whole section in there about these stolen cookies. And then if you look at the general security press, Trevor Hilla gas who was a former FBI digital crime expert, uh, he said that last year, he had seen more new advances in info stealers than any year previously. So Thomas put two and two together, Trevor is putting two and two together in terms of these attackers, basically assuming the role of an administrator. Now how exactly does this work? Well, info stealer is malware that's distributed through phishing emails, malicious links, and infected attachments like a PDF with an info stealer embedded in it compromised. websites that you might visit and then end up clicking on a link that download something, a malvertising which is advertising that is actually malicious. So all of these things are not targeting WordPress directly. They're targeting your computer and if you have access to a WordPress website, and you're logged into that WordPress website, then they try to get into that asset. 
Now, have you noticed that with your bank, let's say you go to pay a bill and then you go make a cup of coffee and you come back, and you're logged out automatically?

This is what the banking industry is doing. They're closing those sessions rather quickly, because those session cookies, if they are ever stolen, basically give attackers the ability to impersonate you, and that's what these info stealers are allowing people to do. So how does it work? It basically takes that session cookie from your browser, and then they take those cookies, put them on their device, or more likely just embed them in their scripts as they are attacking many different things, and then they access your wp-admin as if it's you. It bypasses firewalls, it bypasses 2FA; it basically just becomes you. They have a script that just gets into wp-admin, so the log files will look like, oh, there's people doing all this editing, and then boom, this weird IP address is now doing malicious things using those session cookies. So Thomas's research is showing that this is being used to target WordPress. And yeah, so kind of scary, but obviously info stealers don't exist just for the sole purpose of getting into WordPress; this broader problem in security is affecting WordPress, and this is one of the trends that we're seeing.

So these types of info stealers that exist can be after email, FTP credentials, the clipboard (you know, you copy something, copy a password out of your password manager; if you have an info stealer, it can get onto your clipboard and take things), keyloggers, form grabbers, browser hijackers. So there's a lot of different kinds of info stealers that are out there that can have an impact on your WordPress site. So what can we do about things like that? Well, obviously it's most important that you protect your devices and protect your computers, making sure that, just like with wp-admin, where you log in and update all of your plugins and your theme,
you've got to make sure that your operating system and your browser are updated. Chrome: I've seen so many Chrome vulnerabilities. Chrome's the most popular browser, you know, so attackers are going after vulnerabilities in Chrome. So if you see that your Chrome needs an update, make sure you are updating your browsers. Make sure you're very judicious about the types of extensions you install into your browser, just the same way you would with plugins that you're installing in WordPress or the apps that you put on your phone, making sure that they are coming from reputable sources. And then, you know, a lot of us who use Macs have lived this sheltered life thinking that we don't need any kind of protection on our Macs. Macs don't get viruses, right?

Except that they do. So you need to make sure that you have some kind of malware scanner, like any kind of antivirus. Avast is a great one. There's other ones that you can use, Malwarebytes, things like that. But just make sure that you're downloading signatures regularly and scanning your machine regularly. So make sure that you're doing those general protections for your computer and your devices. And, again, think about those assets: your banking accounts, cryptocurrency accounts, crypto wallets, Amazon. You don't think your Amazon account is an asset? Well, it is. I helped someone last year who got their Amazon account hacked, and the attackers used the card that was stored in that Amazon account (it was a debit card, actually), bought gift cards, sent them to themselves, and then archived those orders. Make sure you've got protection for that, because your Amazon account can be hacked and can drain a debit card or bank account. There's a blog post on my site about that. And of course, consider WordPress an asset as well.
Make sure that you protect your credentials: strong, unique passwords everywhere. That Amazon hack, actually, we traced it back, and it went back to the LastPass breach that happened, and that person had not changed their passwords out of LastPass. And they actually had one of their... I think it was SendGrid; their SendGrid account had 2FA on it, but somebody was trying to log into that as well. So we kind of traced it back to that LastPass breach. So make sure that you protect your credentials: strong, unique passwords. If you have passkeys available, like you do in Solid Security, use those. Two-factor authentication just needs to be everywhere. According to Verizon, only 28% of people are using 2FA, and at this point we all need to be using it, and there's many places, even your Amazon account; make sure you have 2FA on that as well. Don't open links in emails. You've probably heard this before. SMS: smishing, they call it. It's like phishing, except it's coming over SMS. Don't open attachments if you are unsure what an attachment is all about. An attachment that comes through that says that you're part of a class action lawsuit and somebody wants to send you money: be suspicious of those types of things.

Go through phishing education. Test yourself. Do you really have the knowledge and the foresight to defend yourself against phishing attacks? You know, Gmail and a lot of the email services are great at filtering out a lot of these attacks, but really the buck stops with you. These are just tools; they're trying to help you, but every once in a while that mouse gets a piece of cheese. So, okay, what can we do about WordPress and defending WordPress against info stealers? How long is that WordPress session when you log in?

It lasts for 48 hours, but if you clicked "Remember Me," your session cookie is going to last for 14 days.
This is why WordPress gets targeted rather than, you know... there's plenty of people who are like, oh, well, if this was really a thing, then your bank accounts would all be drained. But you notice your bank account logs you out pretty quickly these days, right? WordPress does not have that. WordPress will last for 48 hours; that cookie does not log you out automatically. And "Remember Me" will last 14 days, so those session cookies stay in your browser. They will be there in perpetuity until you click logout or until the cookie expires. So if you want to protect yourself and protect your WordPress site from the possibility of an info stealer ending up on your computer (usually it's the kids; they're downloading everything off the internet; let's just blame them),

you want to log out. When you log out, you kill the session cookie, so you don't have to go through... I've had people ask me, oh, do I need to go clean up all my cookies out of my browser now? Not necessarily. You can if you want to, but that's a lot of work. Just log out. If you click "Log Out," that session variable, that session cookie, goes away. Solid Security also has a Trusted Devices protection, which I haven't even had a chance to play with yet, but this is something hopefully you can talk about in the panel a little bit, because Trusted Devices is addressing this. So one of the reasons why I love Solid Security and the team, especially Timothy (amazing), is because he's on top of all of this; he pays attention to what's going on. Is your plugin vendor or your security vendor paying attention to all of the things that security researchers are finding out?

All right, another really fascinating one. I've got to tell you about this. So Sucuri found this malware. This is malware that actually uses a site visitor's browser to attack other WordPress sites. Crazy, right? I'm like, reading all of this.
It's a little bit like a crypto miner, and we saw crypto miners in 2017, when there was this JavaScript thing you could put on your website and have it mine cryptocurrency in people's browsers. Well, attackers loved that, right, because profit motive, of course, but that all kind of went away. I think it's going to come back, but we'll talk about that in my predictions.

But this is very similar. So you have a hacked site, and a person visits that hacked site, and then maybe their CPU starts going through the roof or something is happening, because their browser is getting instructions from the hacked website to go attack other WordPress websites:

brute force attacks. So I find this incredibly fascinating. It's not infecting the browser, but it is using the computing resource of the browser to go off and attack other WordPress sites. So if you are a site owner, and these weird attacks are coming from just, like, somebody's home IP address, is that a malicious IP address? No, it's just some guy who doesn't even know that his browser is attacking you. He's visiting some malicious site, and that malicious site is telling his browser to be malicious. So we have plenty of brute force protections that are out there that are like, okay, here are all the malicious IPs that we're seeing malicious traffic from. This kind of throws a wrench in that a little bit, because now we're seeing, you know, Joe down the street is attacking WordPress sites. You would not expect that, but it's a brute force attack. So the same principles of brute force attack prevention apply here: strong, unique passwords, two-factor authentication. But you can't just say "block all the malicious IPs" and set it and forget it. No, you have to consider that any IP address could be malicious. You just don't know. One thing that you could do, if you really know your IP address, wherever you're logging into your wp-admin from:
you can block all of the IP addresses in the world except your own. Whitelist your IP address, so your IP address can always log into wp-admin, but just block everybody else, that type of thing. And that can cut down on it, but it's not necessarily going to stop attacks like this. But pretty clever, huh?

Another thing: zero-day vulnerabilities. Now, the Bricks Builder vulnerability wasn't necessarily a zero-day, but I think this was just so interesting. So on February 13... Calvin Alkan, well, he actually found a vulnerability, a pretty severe vulnerability. It was an unauthenticated remote code execution vulnerability, which means anybody could use this attack to basically take over a WordPress site. He worked with Patchstack to communicate with the Bricks Builder team to make sure that this vulnerability was patched. So February 13, the announcement comes out that there's a patch; within five hours we started seeing attacks. Five hours. This is kind of new to me; I haven't seen it happen quite this fast. I've seen, you know, zero-days happening, and then the attacks are happening, and then a patch comes out; I've seen crazy things, but this was responsible disclosure. This was security vendors working with the Bricks team, who have gone through so much in the past month in terms of hardening that application. They're doing great.

But it just happened so fast. The Bricks community was just like, you know, the dog with the hair on fire. It was crazy for a while, because it was just such an easily exploitable vulnerability. So we're just going to see these types of attacks happen very, very quickly. So when there's a very, very sensitive vulnerability, a very critical vulnerability, we'll see stuff like this happen. But I was kind of shocked at how fast that all happened.
This is something, malvertising, that I just saw yesterday on Twitter. One of the guys who runs WP Umbrella, which is a management tool for managing a lot of different websites... you can see on the screenshot that he shared on Twitter: "WP hyphen umbrella dot info" is actually a malicious domain, and it is sponsored. Their real domain is down below that, but that malicious domain is malvertising, so if people searched for WP Umbrella, they could click on that and maybe give up their username and password. So he was very concerned about that. Lots of people were reporting it to Google and everything, but just a reminder: don't go searching for sites and trust the search results all the time. They can be malicious at times. So make sure you bookmark things that are important to you, and always use two-factor authentication,

in case you accidentally give up your password to someone.

So, predictions of what's next. There's the crystal ball. So I think we're still going to see vulnerabilities found by researchers and attackers. Sometimes there's going to be zero-day vulnerabilities that the attackers find first, and there's going to be zero-day attacks that the attackers are doing, and everyone's going to have to defend against those types of things. But the thing that I'm really excited about seeing is that there are more and more security companies that are managing vulnerabilities for plugins (Patchstack is doing this) and that are also working with security researchers, and it's much more organized now than it was five or six years ago, so that's very encouraging. Uncle Bitcoin is doing better; he's recovered from his illness, and Uncle Bitcoin is, you know, increasing in value. As we see that happening, we're probably going to see some kind of crypto mining attacks happening. I'm not quite sure what yet, but that's one of my predictions that's going to happen.
We're going to see more attempts to exploit the weakest link in all security: humans.

That's going to be in the form of social engineering attacks. People are going to get tricked out of their passwords, either through phishing, through phone calls, through emails, all sorts of things.

We're going to see malvertising, like we saw just yesterday with WP Umbrella. We're going to see SIM swapping attacks. SIM swapping attacks have been typically... you know, when I first learned that this was even a thing, many years ago, it was in the crypto space, and I read an article, and it's in the links. I recommend everyone go read it. It's on Medium; you might need an account to log in and read it, but it goes through how the SIM swap attack happened to this guy. At night his phone's just not connecting to the tower, and he's like, yeah, I'll fix it in the morning. By the morning he had lost $100,000. Basically, an attacker takes over your SIM card, takes over your phone number. They can do all sorts of things, like resetting passwords on your email account, resetting passwords on your bank accounts, all of those types of things, because they've got your phone number. And so those codes, those SMS codes, are coming to that number on the new phone rather than your phone. So I don't know, I haven't heard of any stories of WordPress sites being affected by a SIM swap attack, but my prediction is I think it's going to happen one of these days.

Anyway, we'll see. Maybe next year I'll come back and we'll see what actually has happened or not. There's a recent story of a person who was on the inside at a cell provider and was working with criminals to SIM swap people, which is just lovely.
Anyway, do not use SMS-based two-factor authentication as your backup, because when you are using Google Authenticator and you're using the time-based codes, those are something that they can't take. If they've got your cell phone number, they can't get that code for your authenticator accounts and whatnot.

There was a recent article about acoustic attacks in BleepingComputer just recently. I found this interesting: just by listening to whatever you're typing on your keyboard, they can guess what you're typing, like passwords. That could be interesting. That could happen. I think it's going to happen somewhere. It might not happen to WordPress first, but it's just research right now. Security researchers are always looking for these types of things in order to protect against attackers finding things first. But that could happen. And then I've seen some research, it's just very high-level research right now, about AI and large language models

basically forming some attacks. So I can't wait to see what happens. It's exciting. And WordPress is an asset, so eventually it's going to happen. So here's the stuff about SIM swapping attacks. It's not targeting WordPress now, but basically how it works: they're not using it to get your two-factor codes. They're doing it to reset passwords on your email account, and take out those types of accounts and drain whatever asset they're after.

Let's talk about what I see as the need for WordPress security. We have a bunch of companies that are selling security products, security services, cleaning up hacked sites; there's plugins, there's firewalls, there's all sorts of services that are here to help you secure your WordPress site.
They all have their profit motives, but we are also in an open source community, and collaboration and communication are key.

Now, when a researcher like Calvin finds a vulnerability, communication between that security researcher and the plugin vendor needs to happen, and security vendors... like Patchstack was instrumental in ensuring that the communication flow between Calvin and Bricks, between researcher and developer, happened. But we need greater community collaboration and communication throughout the entire community. We need communication between developers and users, better communication about what vulnerabilities are happening and why.

We need better communication between security vendors. If Patchstack knows that this vulnerability is happening, let's communicate with the other security vendors so that they can protect their customers as well, those types of things. Security and software is all about trust, and I think that if our security community can work together better, kind of like how Solid and Patchstack, having an integration, have communication and work together as well... I would like to see more of that. There have been some security debates, and, you know, obviously conflict can be good; we learn from each other with differing viewpoints. But I would like the safety of the community to be put at the forefront, the safety of the users. Remember why we're here; that's who we're here to serve. I would also like all of us to have a better security mindset. We can't just install a plugin and set it and forget it. We need to understand how that plugin works. We need to understand what it's trying to do. We need to understand how to use that tool. You can't build a house just by buying a hammer; you have to understand how that hammer works.
So I think we need better education and better knowledge, and not just in WordPress; this is across the board. I was helping my daughter (she rides horses), and I was helping the barn people with their website on Squarespace, and just the password hygiene... I might have a little PTSD from that. This is a worldwide problem. The cat-and-mouse game is not just after WordPress; it's after anything that can be profitable. So heightening security education, I think it can happen in WordPress, and then everyone who learns in WordPress, and the people that you build sites for, helping them up-level their knowledge and being able to recognize a phishing attack, recognize social engineering, recognize malware when they come across those types of things. They can teach their family, and so on and so on. So I think as we take responsibility for our own security and up-level everyone around us... I feel like that's my mission. That's what I'm here to do. So I would like everybody to become just more vigilant.

Some more advice: lock down your device with your provider to protect against SIM swap attacks, although that one guy, he was an inside-job kind of person. But if you can't lock it down, don't use your public... you know, you give out your email address, right? You go to the store, "would you like your receipt emailed to you?" Sure, of course, and you give out your email address. Don't use that for your WordPress. Don't use that for your bank. Have a separate private email that you use for things that are sensitive. Reduce your online footprint. I know we all like to celebrate our birthdays on Facebook and whatnot; I do too. But reducing the amount of information that you share can also foil attackers, because when they're doing social engineering they gather information, and then they use that against you.
One thing that I've seen recently is, like, a lot of people who do online presentations and have their voice out there. They can do AI voice mimicking, and there's these calls: they call Mom up and say, hey, I'm in Nigeria and I need $1,000 to get home, please help me, but it's your voice, right? So those types of tricks get played. So reduce your online footprint, have a safe word with Mom, so that, you know, Mom, call me back and make sure that it's me; if we say the word, you know, "strawberry," then it's really me asking for help.

And then for critical accounts, you know, I highly recommend using password managers. But we did have that LastPass breach that happened. Use an offline password manager for your critical accounts. You know, security is a continuum. The most secure computer is buried in the ground, encased in cement, and no one can access it, and the most open thing is anybody can get to it. So where is your bank account? You know, it's more buried in the ground, right? And maybe a test site, "password123," who cares? So you have to make a judgment of security for each individual asset that you are trying to secure. And then auditing your site: lots of people don't do this very regularly unless they're afraid of something, but I would audit, you know, every quarter; just go take a look. I can't tell you... I went to one of my test sites, and there was a wp-config.php-old, which basically turned that into a text file.

Not exactly a good security practice, because you're taking that PHP file away from the parsing of PHP and turning it into a text file. So I didn't know that was there. My hosting provider on that particular account had done that. Lovely.

Audit your sites. Just go poke around, go look at the files, go look around: all of the users who have admin access, should they all be there? If you need a checklist of auditing things, I can get you a checklist.
I do have one of all of the things I look at when I'm auditing a site. Maybe I can give this to Nathan; I'll find it and we'll have it in the second half. I didn't think to bring it. Know your developers. With that Bricks vulnerability, if you were on the Bricks list, you would have gotten notified within those first five hours; you would have been able to take action quickly. Develop relationships with the people who are developing the software that you are committed to using, and use plugins like the Solid Security plugin to help you make good decisions through application security. One of the more forward-thinking... Timothy is just so brilliant, and he watches all of this stuff and acts very quickly when he sees that there's something that he can do to help you protect yourself. Software is all about trust. So make sure you know who is helping you secure your things, and remember who you're up against. They're after the cheese; you've got to be the cat. You have to protect your cheese. Because, you know how these guys are, they're just going to try anything and everything at all. So anyway, there's my little about thing.

You guys know me; we've hung out before, but yeah, I've been doing this for a while. When I see stuff, I like to put it up on YouTube. Go subscribe to me on YouTube. You can also get on my newsletter, because if I see something that really needs action, I will send it to the newsletter. I will put it on YouTube. I am here for education first, and I'm so happy that I get to share all this with you.

Thank you, Kathy. This has been excellent, a really good overview of the landscape of all the things that are happening in WordPress security right now, and there's a lot we have to be aware of. So, excellent material here. I'm going to drop in once again, if you came in late and you missed the link bundle,
it is now back in the chat. That has today's slide deck as well as the replay link that you can go back and rewatch, or share this live stream with someone else. I also dropped the link in just before. Kathy, you've agreed to come back and do several live streams on security with us over the next few months, so we're super excited about that, and that link to those upcoming live streams is there in the chat. I'm noticing that there's a problem with the last one for July. We'll get that wrapped up and fixed here in the next couple of hours. But there are several that are out there and waiting, if you'd like to go sign up. They're all free. And join Kathy for more security conversations. Kathy, we've got just a few minutes here before we're going to take a break prior to the panel, and there's a couple of questions that came in throughout your talk that I think it'll be a good time to pose to you, if you're open to that. Yeah, of course. So Savannah has just a great comment here, and it's something I've heard also from other people that are just even considering WordPress as a platform at all. Savannah says: it really put me off having a WordPress site, because I'm supposed to be attending to business and not spending all my time on security, which I can't keep up with. How do you respond to that?

Well, yeah, sure, you can have a straight HTML website. But if your FTP application is using a reused password, if your hosting account panel is using a reused password... there are so many other ways beyond just, you know, vulnerabilities in plugins and all of this other stuff. The great thing is, you know, there's so many vendors, and there's so many tools out there for you to pay attention to this stuff.
And honestly, by doing that... I mean, as a small business owner, you're running your business; you don't have a lot of time to pay attention to stuff, but you have to be aware of it. I know of one business that, you know, got the whole "hey, I'm the CEO" email. It was a phishing email: hey, I'm the CEO, you need to send money to this company, pay this invoice right now. And the person fell for it, and $42,000 later... Those types of things: you can get rid of WordPress, but those types of things are still a threat to your business. So by being in the WordPress space, by being in this community that is so security focused and security aware, and being connected with events like this and educators like me, we are here to help you up-level everything. So I don't think that saying goodbye to WordPress is necessarily going to help you; it might make you less aware of other things that are a threat.

Yeah, 100%. The security landscape is so broad now, and hackers are so clever with their social engineering attempts and very, very smart ways to separate people from their money.

Now, when it comes to WordPress, the issue of WordPress security is one of the criticisms that many people have about WordPress. And honestly, that's why Solid Security Pro exists, our security plugin, which we believe is a very intelligent approach to WordPress security, and by giving it a little time and setting that up on your website, it does the hard work of keeping WordPress secure; it does a big chunk of that WordPress security. We're going to be talking, especially tomorrow, with Timothy Jacobs, the lead developer of SolidWP, who is going to be with us talking through the settings in our security plugin that help you reduce your security risk to almost zero.
And so Timothy will be in the panel in the next hour, but also with us tomorrow for a full hour talking about those very important settings that can let you take your mind off of security and focus more on your business, like you're talking about, Samantha. It really is... you're not the only one who has that challenge.

Here's another quick question from Chris. Chris is just wondering when we are going to maybe see a better approach to security from core WordPress. Is there something that core should be doing, in your opinion, that maybe they're not focused on?

I would like 2FA to be a part of core. I think at this juncture it just makes sense.

It just makes sense at this point. So I would like that to be a part of core. But, you know, with most development the innovations happen with a plugin, like Timothy... I mean, I watch the security landscape, especially with WordPress, quite a bit, and Timothy is always like, he pays attention to what's going on. Passkeys: he was the first one to bring passkeys to WordPress. So the innovation is going to happen with people like Timothy, with developers like Solid's team. So with core, when there's a vulnerability, core has been very, very responsive.

The File Manager vulnerability in 2019 was just... so long ago, seems like yesterday, but that was very easy to exploit. You didn't even have to have File Manager activated. You could just have it installed on your site, not active, and it could still be exploited. And I think that was one where core was like, you know what, let's just push out the patch. And so core has been very, very acutely aware of security concerns as they arise, and I think they respond very quickly.

I'm always more curious.
There's one thing, I think, that personally I don't think is a big deal, but I would like to know more: when a patch to a security vulnerability is applied, I'd like them to explain more of what's going on. Security researchers, a few of them, will go through and say, okay, this is what could have happened with that. I want to understand what is happening. I like the education-after-the-patch type of thing. But they kind of keep that close to the vest, to keep, you know, people from poking around too much. But that's just me.

Yeah, it's a great answer. And you know, what...

This whole subject is one that comes up in lots of different areas, like what should be core and what should be a plugin. It's a hard debate among the core developers on what ought to be core and what ought to be an extension and a plugin. I think we're going to continue to see that debate raging on. Well, Kathy, this has been great. There's a lot of thank-yous there in the chat for a really good overview presentation of the current landscape of WordPress security and gazing into your crystal ball, Kathy's crystal ball. So that's going to wrap it up for this hour, folks. We're going to press pause on the recording and pause our cameras and mics. We'll be back at two o'clock Central, that's about eight and a half minutes from now, with hour two, which is our panel of security experts, and I hope you'll join us for that. In the meantime, if you'd like to open up the Q&A in Zoom, look at the questions that have been asked by others and upvote the ones that you would also like to hear answered. We'll be taking your questions toward the end of our security panel, and we want to get those in the order of votes. So thanks for hanging out with us the last hour; we'll see you back here in just about eight minutes from now.

All right, folks, this is your one-minute warning.
We are back in one minute from now.

Welcome back, everybody. We're back for hour two of Disaster Week for 2024. We have our panel of security experts, who will shortly be turning on their mics and cameras and popping in here. Good to see everybody back with us. Hopefully during the break you've had a chance to open up the Zoom Q&A and either ask your questions or upvote the questions of others.

We're waiting on our other panelists to jump in here. Hopefully you can all join us. Timothy is here, Kathy is here.

And Thomas, we don't have your camera.

Hey, there he is. All right.

Well, thanks.

Yeah, thanks for being with us, everybody. We've got a lot of great questions that are stacked up from our viewers today, as well as a number that I've put together for each of you based on your background. So folks, welcome our security experts today. Let me just go around and introduce everybody. First of all, we have Thomas Raef. Thomas is the founder of We Watch Your Website. Thomas and his team have been removing malware from millions of WordPress sites since 2007. Currently they monitor over 13 million WordPress sites. Thomas loves data and is on the cutting edge of the latest that all the malware folks are involved in. Kathy Zant, of course; we enjoyed Kathy's presentation on the state of WordPress security in the last hour. Excellent stuff. She is an internationally recognized expert on security, marketing and website development. She's spoken at events everywhere, all over, on podcasts; you can find her everywhere. Kathy, thanks for coming back for the panel. Timothy Jacobs is with us. He is the lead developer for SolidWP; he is a WordPress Core committer and a component maintainer for the WordPress REST API. And last but certainly not least, David Johnson, the product owner for SolidWP. David has been involved in the WordPress community since 2007.
He comes from an agency background where he managed hundreds of WordPress websites. So again, thanks everybody for being with us today.\r\n\r\nThank you for the opportunity. Absolutely.\r\n\r\nWell, Thomas, let's start with you. So one of the things that we've had you on a number of different live streams over the last several months, and we've all we're we have scheduled now at least a quarterly at WordPress security roundup with you going forward into 2024, which is excellent. We always benefit from your cutting edge knowledge of the latest things that the bad guys are doing. I've heard you talk about this concept of defense in depth or layers. of security. Can you talk about kind of what that means? Why it's important, you know, what practically is involved in that particularly? What should I as a WordPress agency owner be aware of when it comes to layers of security and defense in depth? Okay, yes.\r\n\r\nDefense in depth goes back pretty far in the whole cybersecurity world, not just websites. But basically what you have to do is you have to look at the other various attack vectors that hackers use to get into your your website. So it could be we talked about stolen passwords, stolen session cookies, vulnerable plugins and themes, things like that. Each of those is like a different layer of security and you can't just rely on you know, like, for instance, for plugins, themes and core, you know, a great layer of defense is patch stack. You know, they do an awesome job they focus on and their niche you know, which is protecting those providing updates letting you know when you're you know, when you're vulnerable in some in any one of those three areas.\r\n\r\nYou know, malware removal is is one part of defense although that's a that's a reactive you know, layer of defense.\r\n\r\nBlocking, you know, attack vectors.\r\n\r\nI look at outdated user agents, blocking various ranges of IP addresses. 
And these aren't meant to be like, you know, the the end all be all to to your security. It's just another layer in in the defense in depth strategy.\r\n\r\nAnd, you know, one of my friends Calvin Elkins has used the he's the first one I heard it from, because it's like, like Swiss cheese. You know, Swiss cheese has holes in it. And all depends on how you stack those slices of cheese will determine if a hole goes all the way through or not. So, each defense each layer of defense is like another slice of cheese and you stack them all together. If the holes don't line up, you're secure.\r\n\r\nSo you need but you need your protection.\r\n\r\nAnd then you also need you know, early notification. So if something does happen, you can action can be taken. Yeah, very good. So David Timothy, either one of you can chime in here but in this concept of defense in depth or layers of protection are really like the holes in the Swiss cheese quite frankly I can that's I can grab that. Where does solid security fit into that strategy?\r\n\r\nYeah, so I think solid security helps with two big ones, which is user accounts rich. You got to do the bare minimum right if your clients are still using a terrible, terrible password it's not going to protect you for very long. And I'm really proud of our integration with patch stack. So patch stack does it an excellent job of I think they had 5000 vulnerabilities reported through them last year. They've created 1000s and 1000s of virtual patches. And I think our integration with patch stack works really excellently to bring that first of data into your site so you don't have to worry about Okay, let's keep track of all the vulnerabilities ourselves. Let's make sure we're on top of every single update and letting those two pieces come into play. 
And then services like Thomas said, do an excellent job at being reactive and cleaning up when there's an issue and making sure that happens automatically for you and they all kind of piece together.\r\n\r\nYeah, very good. Very good.\r\n\r\nKathy, so you've done lots of different things in the WordPress space. You've worked on WordPress security from the plugin product side. You've also worked on the agency side. So you your position, you have an understanding of things that a lot of people don't have. So you can relate to a lot of the folks I would imagine who are in the audience today. They either have their own website WordPress site or they're they work for an agency managing multiple sites are there an agency owner?\r\n\r\nThat's busy work, right? We stay busy. How in the world? Can you stay educated about all these things that you're talking about? While you're busy serving clients? How do you stay on track with all these things?\r\n\r\nWell, you know, with open source, you have a lot of you own your site, you own everything you're working with and with that power and that freedom and that flexibility comes a bit of responsibility. It's kind of like you own a car. I know I don't necessarily want to go get my husband used to do that for me take care of the tire pressure and there's just so much to deal with. If I want to have a car I've got some responsibilities to take care of it. Unfortunately, same thing with a website. But same thing with your business. You get like lots of different things right? But I think that being up to date with everything is it's good practice because it makes you more security aware for other things that could come into your life and attacks that that might not even be related to your WordPress site that something that comes through SMS message, something that's coming through, you just have this heightened security awareness. 
So unlike taking care of my car, where there's no benefit to me whatsoever other than not being abandoned on the side of the road, taking care of my site educates me about so much else that's happening in the world and makes me a better digital citizen. It makes me more able to tell my daughter, there's an update for your phone, you need to go update it now, and busy and Tic Tac Toe, update your phone. I mean, being security aware has a number of different benefits to it. So I think it's one of the responsibilities. You're either going to get hacked and figure out how much of a benefit it is to be security aware, or you're going to be proactive. And actually AT&T did a study and they found that businesses that are more security aware have better business outcomes. They often have better sales numbers than those who aren't. Of course, they're selling network security to enterprise, right? But people who are more proactive about things in their life tend to be more proactive elsewhere; like people who work out tend to have better food choices, those types of things. They kind of just go together. So being proactive in your business for security can also help you be proactive in your business with other things.

Yeah, very good. Anybody else want to speak to that topic? Or David, maybe, what are some things that SolidWP helps bring to keep agency owners and site owners educated on the most important issues in security?

Well, I'll say one thing that Kathy mentioned in her first session is that a true advantage of working with Solid Security is Timothy. So we're just going to have a Timothy session today, I don't know. But Timothy, by virtue of introducing passkeys when he did into the product, and this was long before I joined the team, became the first WordPress security solution to offer passkeys, and I'm confident that that introduced the idea of passkeys to a lot of people who maybe hadn't yet heard of it. And it remains arguably the most secure login authentication method available. And that's just one example. And so as we continue to think about ways for Solid Security to improve over time and to adapt to the changing landscape, you're going to continue to see us introduce new features and new solutions for the security issues that you're facing. And that's one way that using Solid Security can help you become a better digital citizen all the way around.

Yeah, there's this content, the SolidWP Academy, and going into Nathan's webinars every month, and our roundups with Thomas; this content is an excellent place to keep up to date and share with others, if this is your first time joining us. We do lots of these types of things.

Absolutely. So all of our content here on Solid Academy is geared specifically for people who are building and managing WordPress sites for clients. So if that's you, you can stay up to date with WordPress security news with our monthly news roundup, where there's a section on security news, and we basically look at what's out there, the most important things that I as an agency owner think you as an agency owner will benefit from. Also we do a weekly email that talks about vulnerabilities and the top issues in WordPress security as well. So make sure you're signed up for those Solid updates. Thomas, I think I interrupted you earlier. Was there something you wanted to add here?

No. I was just going to say that, yeah, the work that SolidWP has done, thanks to Timothy, with the passkeys. And also, like you said, I'm still a fan of the trusted devices. It's just amazing and it's a great layer, or several layers, in the defense in depth strategy. It's another slice of Swiss cheese. I'm just going to have a task to do: update my cheese board.

Now I'm getting hungry.

Crackers and cheese.

So, Timothy, let's move over to you. We just talked about passkeys and how Solid Security was the first WordPress plugin to bring passkeys as an authentication method to WordPress. It has to be incredibly complicated to develop a security plugin that is both usable for people, like actual people, and stable, and staying up to date with all the things that are happening in security. How in the world do you do that?

Yeah, it's absolutely the hardest part. And I'd say there are kind of two aspects to it, one of which we're going to touch on a little bit later. But the other is we do things that I think a lot of WordPress plugin developers do who are really on top of their game: we write lots and lots of tests. We have automated checks that happen for basically all the security features in the plugin. We don't want to be thinking every single time there's a WordPress release or a plugin update or something, okay, we have to check all 500 features in Solid Security by hand, and worry every day that something might break. So part of that is just following good development practices. I see there's a question in the chat about the uptick in security vulnerabilities over the past year and whether that's in some way part of WordPress developers not following all of those things. So that's part of it. The other side is that we don't jump on everything. We jump on the things that we do think are going to have a big impact. And we try and really think through what the user experience is for those features. The passkeys integration, I think, is a great example, where we saw that this was the feature that a lot of the big tech players, Apple, Google, Microsoft, were all uniting on and are really pushing as the next big thing. And we've seen over the past year and a half or so more and more websites adopt this. So we're seeing pretty early on then, okay, this is a place that we want to be, this is a feature that is worth us developing, as opposed to a feature that might stick around for a little bit, 5% of your users might use, and it's a little bit harder to justify. So we try to be really careful about what features we do adopt and making sure we're only adopting the amount of settings that we need. We could easily add dozens and dozens of more checkboxes in Solid Security that let you do everything. But all of those mean more code for us to maintain. It's more complicated for y'all to understand how to use it. So I'd say that is a big part of the balance. The other side of this is partnerships, which we're going to talk about a little bit later.

Yeah, absolutely. And so, Timothy, tomorrow your session, which begins at one o'clock Central, is going to be focused on looking at some of those settings in Solid Security and how people can reduce their security risk to almost zero. Talk just a little bit about what you're going to cover tomorrow as we get into the details of the plugin.

Yeah, we're going to be doing a tour of some of my favorite features in Solid Security. We're going to be learning about vulnerability management, virtual patches with Patchstack, two-factor, still a good thing to be using and enforcing for your sites, and also look at passkeys. So we're going to be taking a kind of high-level overview of a lot of different features. And these are also all things that we have a lot of good content in the bank for. So if you want to see a whole hour about trusted devices, we got that like two weeks ago. We did a whole hour about passkeys a couple of times, so there's lots of back catalogue stuff, but this one is going to be kind of an overview of some of my favorite features in Solid Security.

Yeah, very good. So that's coming up the first hour tomorrow, one o'clock Central time. And David, let me bring you in on something as well. You've got a really cool title, which is product owner at SolidWP, right? So your role is kind of to translate users to developers, right? How do we create product? How do we interface with the actual users of our product and our development team? So talk just a little bit about how people, even folks in the audience today, can contribute to the ongoing development of Solid Security.

Absolutely. I mean, there are two key ways I'll mention, the most important of which is just to reach out. We want feedback. And of course, we get feedback in the form of support tickets, when there's something broken or there's an issue, so we hear about those, but we also want to hear from you with feature ideas. Now, we've already surfaced one during Kathy's session, like, hey, here's an idea for Solid Security. And so those are the kinds of things we want to hear from you. It's important for us to know that we're building what you use, what you want to use, what meets your needs, and so we want to hear all the things. You can do that lots of ways, and we'll share my email address. You can just hit me up that way as well. It's David at solidwp.com. So just write me. If you have a support issue, talk to support; they can help you much faster than I will. But if you have a feature request or feedback or whatever, I want to hear from you directly. That's one way to do that. But the other way that I'll mention is that we rolled out something that we call opt-in data sharing, and it's about your usage data.
This was released in Solid Security in January. It's also in Solid Backups. And if you enable that, it allows us to understand a little bit more about your site. We don't collect any personally identifiable information. What we do is gather lots of details about your hosting environment and so forth. And we do take a look at some of the features you've got enabled and that sort of stuff, but again, we don't see any sensitive information. What that does is allow us to understand what features are being adopted, what features may not be as well adopted. And it also gives us a measuring stick to know, like, if we release a feature that drastically improves site security and no one turns it on, then we've got work to do. And so there are lots of ways that that helps us. And so I would encourage you, if you've not yet enabled usage data sharing, it is opt-in, and so it's purely your choice, but we would invite you to do that because it does allow us to learn a lot.

It's a way to vote without having to actually contact you; it's automatic.

Yes, yes. Excellent. So David, following with you, let me just ask you this. Your background prior to coming to Solid and doing some other things: you were with a large agency, managing hundreds of WordPress sites. What did you learn in that experience that could be helpful to smaller agencies or solopreneurs as they're thinking about maybe scaling up, or doing what they're doing better?

Sure. So I went on the journey from being the owner of what was effectively an agency with five people to being inside the web team, and later near the top of the web team, for a 250-person agency. And so that scale was kind of staggering. And one of the things that I quickly learned was that, especially where security is concerned, since we're focusing on security for today, some of the basics still applied. You have to clarify in your agreements who's responsible when something goes wrong with a site. Do your clients know that security is partly their responsibility? And one of the issues that we would run into when I was completely in charge and it was my business: if I hadn't properly educated clients on the need to patch plugins or to use better passwords or whatever, then I always felt like there was some responsibility that I needed to take on when a site got compromised. But at scale, when you have a team of dozens of support staff and you're managing hundreds of sites and something goes down, we would scramble to get sites back up, but then the question became, is this work billable or not? And if so, why did we create code that was faulty, that our web build team developed custom stuff? So there were a lot of gray areas around responsibility. So one of the things that I will urge anyone watching this, if you maintain sites for clients or you build sites for clients, is to be super clear about the risks involved and the security issues that your clients will have to face, and what your responsibility is and what their responsibilities are; and the clearer you can make that, the better. And that applies at any size. But one of the things that got incredibly complex, that I didn't really fully appreciate until I was in the middle of it, was that we had to do quite a bit of work at that scale around managing roles and responsibilities, and making sure that our protocols and our procedures were actually being followed. Things like, in a 250-person agency, knowing which of our 250 people needed access to a given website. That was a big deal. And what happens when you offboard an employee? Do you have the ability to kill all of that employee's access to every website that they were connected to, all at once? Or do you have to go through hundreds of sites and check? So there were a lot of systems and ways that we had to scale. But there was one other piece that sort of became clear for me, which was when we were a larger agency, we attracted bigger brands. And so our SEO team, for example, might land a big account where the corporate headquarters is overseas, and they have hundreds of staff that need access to a WordPress site. And so the complexity of, and the amount of leverage we did or didn't have to institute policies or do things the way that we did them, that all got really difficult to manage really quickly. And so it really requires some thinking through. And if you can put some solid procedures in place, if you'll excuse the intentional Solid pun, if you can put some procedures in place at a smaller size and really think through those processes, then it will help you a lot when you do scale up and land bigger accounts or have more and more sites to manage at that scale.

And so those are just a few quick thoughts about managing things with larger volume that weren't necessarily obvious until I was in the middle of it.

Yeah, those are really great insights. And folks, if you're serving clients, that's going to be the focus of our second hour tomorrow. I'll be talking about how you talk to clients about security, and really, how you can leverage WordPress security as a service so that you can build your recurring revenue in your agency. It's really important and I'm looking forward to that conversation tomorrow. And again, that's in the second hour, starting at 2pm Central.

And I'll just add one quick thought on that, Nathan, which is that offering security as a separate part of your care package, as an add-on or whatever, with a clearly defined offering, is one simple way to make it clear to clients that there are things that are not included in just your basic support.

Yeah, yeah, very good.

So let's turn our attention to a story that really made a lot of headlines and created a lot of conversation in the WordPress security space last month, and that is the vulnerability in the Bricks plugin. And I want to be real careful here; I'm not trying to disparage Bricks, because a vulnerability can happen to anybody, right? But it's in our recent thoughts, and I think it's instructive. Never waste a bad situation, right? So what can we learn from this vulnerability that happened that we can take away? So first, Kathy, let me just ask you. If you're a solopreneur or an agency owner, and there are just vulnerabilities that happen, how do you, again, it kind of goes back to how in the world do we stay informed on these things when we're just trying to do our work?

Yeah, that one happened so quickly. And so quickly. Crazy. Calvin Alkan, who was the one that found the vulnerability, had messaged me and invited me into the Bricks group on Facebook, and the conversation was just crazy. And there was a lot of interesting advice being given to people about what to do to fix their sites and what was happening. There was a lot of misinformation that was flying around.

I've thought about this a lot, and I think it's really important: if you are committed to using a tool, if you are using Solid Security, make sure you're on the Solid Security list. If you are using Bricks, get on the Bricks list. Embed yourself in the community, and this isn't just for security vulnerabilities. This is for new features that are coming. Software to me has really become, especially in the WordPress space, community driven. All of you, David, you watch what people are talking about, about the product, about what's happening in security, and you kind of shape where the product's going.

It's not just like, oh, this guy over here is creating this product. No, embed yourself with the community, with the team, so that the people who are creating these products understand what you need, so that you can be informed of what features are coming. You can be informed of, maybe I should wait on this very large update that's coming from WooCommerce. Just those types of things. Just being embedded in the community of the products that you've chosen for your stack, I think, is incredibly important. You just want to be the first to know what's going on when it's going to impact your business.

That's such great advice, and we'll talk a little bit about some of that sketchy advice in just a minute. But others, what would you say to agency owners, solopreneurs, that are building sites for clients about staying engaged with a development community? How do you get informed about these issues?

So this is something I'll be touching on tomorrow. But I think this is one of the places where tools like Patchstack and virtual patching become key. We saw exploits for Bricks happening within 24 hours of the fix actually being published. Imagine you were on vacation when this happened. It's going to be a problem. So this is one of those places where tools like Patchstack and virtual patching can be so helpful, because they will automatically push out a fix for your site that is laser targeted just to prevent this vulnerability from being exploited. You don't have to worry about, okay, do we need to test this update? Do we have a process in place? Are we on the plane right now? Or is it 1am and I'm sleeping when this vulnerability drops? They'll be there to protect you much faster. So I think that's where adding in additional tools is really helpful for protecting your site's security, particularly once you have hundreds of sites that you need to manage.

Yeah. Great. Anybody else?

Yeah, one of the comments that Kathy had touched on earlier was the communication between vendors. And I think, had Calvin worked with somebody other than Patchstack and the whole responsible reporting procedure and so forth, would it have had a worse impact? Would more people have been vulnerable? So, yeah, the communication that Kathy talked about in the previous hour I think is real key. How you make that happen, that I have no idea, but it definitely needs to be there, especially when it comes to the patching. Years ago when I first heard people talking about virtual patching, I'm like, why virtually patch, why not just patch? Reality patching, let's call it: we've got virtual patching and reality patching. But something like Patchstack, where you can't stay on top of it by yourself, you need something like Patchstack, and I think the integration that SolidWP has done with Patchstack, to me, was just amazing. So I'll leave it at that.

Yeah, I remember, I think at least for me it was like 2016 or something, where there was this huge group of vulnerabilities. And it was at the time where people were saying, hey, if you hadn't done an update within eight hours, you should consider that your site has been compromised. And I feel like, at least in my mind, that is when things really started to switch: attackers are moving very, very fast now, and just updating the next day, or two days later, or if you say, hey, we apply updates every Monday, it'll be fine, let's just wait until then. It's not enough anymore.
Let's just wait until then. It's not enough anymore. Well, if I could add one other things might be a little controversial, but I'll put it out there.\r\n\r\nWe actually saw some attacks happening to that API endpoint in BRICS and February 7.\r\n\r\nBut we didn't know what it was, you know, we monitor the database. We monitor the files, the access logs, so we could see the traffic and then we see changes in the database and the in the files, and we're like, you know, how is that happening? And before we, at that point, we did not have a procedure for bringing somebody else in, you know, had I known what was happening or had I realized what was happening? Nobody reached out to Kelvin at that moment. Now.\r\n\r\nThere were things going on in the the WordPress community.\r\n\r\nquestions being asked about themes that include embedded code and so forth. So was that a tip off? I don't know. But you I mean, if from the time information was asked in the communities until the time we started seeing that traffic was less than six hours, and then once it was announced, yeah, I mean, it was like I think Kathy mentioned in her previous talk, like five hours from the time the patch was announced until you know, all hell broke loose.\r\n\r\nYeah, it things are moving so quickly these days.\r\n\r\nIt's you have to have a tool that's doing these things for you unless you just don't want to sleep ever.\r\n\r\nRight, which is not sustainable. So let's go back to something that Kathy mentioned at the very beginning of this conversation, which is, you know, some of the social media channels were talking about that this exploit there was a lot there's advice that was being given that was not the best. So I'll just open this up. Whoever wants to jump in. 
At what point should you try to fix a problem yourself versus bring in an expert\r\n\r\nwhy don't we start with Thomas Thomas is a little biased on this.\r\n\r\nBut, you know, I mean, I we've been, you know, working on WordPress websites since 2007. So, you know, Nathan, I've known you for years and years.\r\n\r\nSo there are people out there that have a good strategy.\r\n\r\nAnd they're aware enough of what their shortcomings are.\r\n\r\nTo be able to tackle it on their own, you know, so in a in a DIY, do it yourself scenario, some of those places and some of the large agencies have, you know, staffs of people that focus on you know, malware remediation, and that you know, I have no problem with that at all. There's obviously gazillions of websites out there, but the done for you, when people are asking, you know, hey, what, you know, what steps can I do to know my sites are hacked and especially with this I mean, this was, you know, they were adding admin users they were embedding code depends on what hacker group was attacking at the time they were dumping Perl scripts outside of the WordPress folder structure.\r\n\r\nSo there's stuff that you can't explain to people because they're gonna start deleting stuff and like, oh, you gave me bad, bad information, and now my site doesn't work. I had to restore and now I gotta rebuild the site and you know, blah, blah, blah. So, you know, the the DIY versus the done for you, the d f y has to be carefully examined, and you know, people that are asking like, you know, what steps should I do to clean my site?\r\n\r\nWell, you know, if you're asking those questions, you should probably have somebody do it for you. That's just that's my opinion.\r\n\r\nYeah, good.\r\n\r\nWho else would like champion on this?\r\n\r\nIt's been a lot perfect for me, is that you know, if you're if you need to, you need to ask the question. You can't afford it. If you need to ask the question on, you know how to do the cleanup. 
I think it makes sense to use an expert. I think it's great to learn and practice, you know, maybe on your own personal blog or something like that. Install an old version of bricks and let your site get hacked and try cleaning it up. I would never do that. Though. For a client site. Right. I would be working with an expert to make sure that that site is getting repaired it's so easy to miss just one thing and you miss just one thing and it's what it's way worse to tell a client is okay, I thought I cleaned up your site yesterday. It turns out got hacked again. is one thing. Okay, your site got hacked. We fixed it.\r\n\r\nDay three, it got hacked again. Day five. It got hacked again, day seven. That's when things like really become a problem.\r\n\r\nAnd we weren't getting Oh god.\r\n\r\nI don't fix my car. I'll clean a hicksite But I won't fix my car. Know your limits. And can I just say that I was shocked to see that people are still putting like 550 sites in a cpanel that's still happening. I thought.\r\n\r\nSo yeah, that still happened. So one site once he panel, I just, that'll be my mantra for the rest of the day like a shirt. Yeah. Yeah, exactly.\r\n\r\nYeah, it's a lot like the car analogy is great though. Because there was a time when you could just climb inside the hood. You know, you open the hood you climb inside the engine compartment. There was room to maneuver and now you can't even fit a hand anywhere. And there's you know, technology has changed but we sort of all started well, many of us I don't know Timothy might be too young for this. But we started at a time when it was possible to just dig in you know, Tim thumb you Kathy. You mentioned Tim thumb. I found the first YouTube video I ever uploaded about WordPress was in August of 2011 when I had found a Tim thumb vulnerability on my woo themes, sites, and you know, had to head to that that's how we all learned. 
And so, today, though, the complexity of the attacks and the sophistication of the malware code that gets uploaded once a site gets compromised, it can be nearly impossible for someone that is not a pro to find all the ways in which a site got compromised. It's just a different world.

And I'll say that, even today, we're getting people who are infected with the Bricks vulnerability coming to us because their sites, as Timothy mentioned, they get hacked one day, another day, another day, another day. And, you know, until you find it all and get rid of it, it's just going to keep happening.

Absolutely.

Well, let's turn our attention to some of the Q&A that's come in from folks in the audience, and we'll wrap up today, if it's all right with you all, with the discussion about the collaboration topic. I think that'll be a good way to end our panel. We have a bunch of questions that have come in; there are 20 questions open right now. Folks, if you haven't done that yet, please open the Zoom Q&A. Take a look at the questions that are there. Upvote the ones that you would most like to hear the answers to, because we're going to take these in the order of upvotes. And of course, if you have a question, just drop it in there. Let's start with the first question from Kay. There are plugins that allow you to add code snippets to WordPress; there's a bunch of different ones. Are those risky to use on a WordPress site? Or maybe we could say, are they more risky than other types of plugins? Timothy, you want to start with that answer, then we'll open it up? Sure. I'd say "more risky" is the thing to identify; risk isn't binary.

So it's thinking through what the threat model is. I would say one thing that's very important: if you try and submit a plugin to .org... and maybe this is a bad thing. I think it's a good thing, though.

If you try and submit a plugin to .org today that is duplicating the functionality of Code Snippets, they'll tell you no. They'll say, hey, we already have a plugin in the directory that does this. This is an extremely important thing to get right so you don't open up a huge vulnerability on your site. They're confident that, hey, that plugin works well.

That's it; the barn door is shut on new plugins being added to .org that do this. So I'd say Code Snippets is a plugin that I use, and I use frequently on sites when I just want to have some simple snippets available and turn them on and turn them off. You might get code snippets from plugin developers that say, hey, we have this filter that you can use. We're not going to add the checkbox, but you can use Code Snippets to manage that for you. I think Code Snippets is a fine plugin. The thing to think through is the attack vector. If you say that Code Snippets is a securely developed plugin and doesn't have any known vulnerabilities, and if vulnerabilities come up, they'll fix them promptly, then the thing to think about is: what would the impact of having that plugin installed on my site be? And I think the thing that most people would think of is that, oh, this means that there's a really simple way for someone to just get into my site and add PHP code. And that's true. But unless your site is already locked down, for instance, preventing plugins from being installed, they can simply just install a plugin that has whatever malware and malicious content they want to include. So I would say thinking through what your attack vector is, is always the important thing to conceptualize. And if you are a person who says, hey, we locked down all plugins on our site, they're all managed by Git, let's say we do a Git deploy.

And part of that is for being able to say this is exactly what the content on that site is, but it is also a security benefit if you are locking down the file system from being modified. In that case, I would say that then installing a plugin like Code Snippets is opening up a new kind of vulnerability, so to speak, in your site, because you've taken an extra step or detached to protect your site. But I'd say in most cases, plugins like that are fine to use. Just use the reputable ones, not the one that was $5 on CodeCanyon.

This risk is not binary. I really... that's great. Yeah, I love that too. That's awesome. Yeah. Anybody else want to weigh in on that question? What do you think about code snippets as a whole? There's a plugin called Code Snippets, but as a category, the code snippets?

I think personally, it's one of those that goes, as Timothy mentioned, you know, for the knowledgeable devs, you know, it could be a good thing. But at the same time, I think that some of these things get passed around too much.

I talk to people all the time, and, like, oh, my dev said that somebody on one of these forums recommended this. And so we put it in, and, you know, like, okay, well, that's how your site's getting infected. So, you know, maybe consider, you know, do you really need that?

So, yeah, they have their place, but again, that's for the more experienced DIYers, not the newbies. Yeah. Good. Thank you, Thomas. Okay, here's a great question from Dan, and we get this from time to time during the news roundup, because every month we look at the Solid vulnerability report; we see the numbers of plugins that are vulnerable, the ones that have been fixed, the ones that are still vulnerable. And it used to be, I clearly remember even last year, there were 30 plugins that were vulnerable this month or whatever. And I actually used to read those one by one. Right.
Now there's routinely 150 to 200 plugin vulnerabilities each month. So Dan's question is: I've never seen as many vulnerable plugins as I've seen in the last six months. Is this from not enough people knowing how to properly build plugins and make them safe, or what is at play in this? It's like a hockey stick of vulnerabilities that have come about. I have a lot of opinions on this one. Jump right in. I'll try and keep it short.

Because there's a talk that I've been ruminating over for a long time about writing secure WordPress code. But I'll say this one thing: this is kind of a measurement sample issue, I would say. I don't think plugins have become more insecure in the last year. I don't think that, you know, suddenly we knew how to write secure software five years ago and now all of a sudden we stopped. What's happened is that there are programs from companies like Patchstack, from Wordfence, others; I think Trend Micro might have them. There are a lot of organizations out there that are offering bug bounties for security researchers to find vulnerabilities in WordPress plugins, submit them, and get paid for them. Not even from the vendor. Liquid Web, for instance, our kind of parent company, they have a bug bounty program, and you can go over there if you find a vulnerability, submit it to them, and they'll go through that bug bounty process. But a lot of WordPress plugins that are just maintained by single individuals or small teams, they might not have the resources like that. So I think that's been a huge uptick here, is that security researchers are now incentivized monetarily to find these problems. And I think that's been one of the great things that companies like Patchstack have done in the past year, is creating these open bug bounty programs to reward security researchers for doing something that previously you had to kind of look into finding a plugin that had a bug bounty program set up and do all those conversations about it.

So I think that is a huge, huge beneficiary... huge beneficial thing that we've seen in the past year and a big reason for part of the uptick.

The part that I'm not going to dive too much into is, I do think there is an issue with how we write about writing secure code. And there was a vulnerability, I think Wordfence talked about it yesterday, in a plugin where a plugin author was applying escape HTML and escape attribute too liberally. They escaped something twice, and that second escaping caused an issue. And part of the reason why that second escaping was probably there: it might have been flagged by tools that say, hey, you need to add extra escaping here. And so I'll find, for instance, lots of vulnerabilities, not naming names, but plugins that will have specific fixes in place to, let's say, sanitize some code, and they call a sanitize function in WordPress, but that isn't the correct thing to sanitize there, or what they're sanitizing isn't even the actual attack vector. So I think we don't do a great job about talking about how to write code securely. And a lot of times the things that we say are just, well, write escape attribute every single place that you're writing any piece of code, and that'll fix the problem for you.

But that's a thing for a talk or a blog post or something.

But I will also just say it's hard. It's hard to write secure code. But I do think there are things we can do as the WordPress community to make it easier. Yeah, really good. Anybody else want to weigh in on that? I think there's too many people...

Along those same lines, all of a sudden they think they get an idea for a plugin, like, oh, yeah, this one will sell millions. And they, you know, jump in, download some, you know, watch some YouTube videos on how to create your own WordPress plugin, and start writing code and then put it out there, and people are like, oh, yeah, this is the greatest thing since sliced bread, and so on, so forth.

And it just goes from there. Sliced Swiss cheese.

Boom.

Yeah, they just asked ChatGPT to write the code for them, package it all up, and boom, yeah.

Yeah, there was a long time when, and it was really just by the actions of, like, a couple, I think even just one person, where if you went into Stack Overflow and you were like, how to write some PHP code to do something, it would just have SQL injection vulnerabilities, or you'd just have encryption implemented in a completely wrong way. And there's been lots of people just writing content about how to do this thing, and you'd Google that and you'd come across something that was insecure.

For the most part, those have now been fixed on sites like Stack Overflow through the hard work of dedicated volunteers going through every single PHP answer about how to insert data into a database when someone submits a form, or how to implement a login process securely. But it's still very easy to make a mistake.

Anybody else on that topic?

All right. Next question up is from Jean. This is a really practical question. So what would you all recommend as a good, reliable way of passing secure information to and from clients, assuming they don't have a secure password app installed, and maybe they're not tech savvy? Kathy, why don't we start with you on that one?

I would set up, like, if you had to do that, and they absolutely refused to use password managers and whatnot...

Well, for setting up WP admin, they shouldn't be sending it. They should be setting up an account for you and then having you set your own password.

But for, like, FTP and things like that, you can do forms that encrypt and send it via PGP, so that you can get an email with those credentials and then just decrypt that with your PGP key.
So that would be my recommendation for people transmitting.

But I would... yeah, that's part of our job, is to educate everyone that they should be using some method of secure password storage, like 1Password or Bit... all of the major password managers allow you to share credentials, those types of things. So I would strongly encourage that they do that.

Good. I get a lot of people, we get a lot of people who obviously have to share their credentials with us. And it's always amazed me that so many people just, oh, yeah, what's your email address? And they just send them to it, you know? And what I encourage people to do is, if you're gonna do that, because it's easy for you and you just want to wash your hands of this and put it in our hands, that's fine. But, you know, once we've started what we need to do, go back in and change your password. You know, cut that. It's like, you know, logging out of your WP admin session to kill the cookies. You know, just cut it off at the knees right there. And we'll take care of our stuff; it's very secure, I'm sure of that.

And so, just change the password and you're done.

You could get them to just take a picture of the password written on the sticky note on their monitor and just text it to you, right?

Absolutely. Post it on Twitter. Actually, that'd be a great way to get Twitter tagged. We do, right? We do sometimes recommend using a tool like onetimesecret.com, which is a great way to encrypt something and prevent it from lasting long. But one recommendation I always make to people is, even if you're going to do that, like, do we know who's running that server? Do we know that they don't keep that data? Separate the lock from the key, so send me a username and an email, and send me only the password using onetimesecret.com with no context whatsoever, you know what I mean? So at least, you know, use a little bit of wisdom and Pig Latin.

Yes, please do that also.

One of the things Kathy mentioned I think is really another one to highlight, which is, it's been a long time since I've done this type of client work, but I would hate it if a client sent me their Stripe username and password. Invite me to your Stripe account. There are so many tools that just allow you natively to invite a developer, invite a user, and I so much prefer that. Just invite me to your WP Engine or Nexcess account. Don't give me your Nexcess hosting credentials. If you don't need to, use the tools built into the platform like WordPress to create a WordPress user for your developer. Don't just send them your WordPress admin username and password.

Very good. Delegated access. The worst was when I sat down next to someone at a meetup and they're like, oh, here's my password. I use it for everything.

My, my.

Yeah, my favorite password. Yeah. How many times I've heard that from clients. I can't change that. It's my favorite one.

I'd have to change it everywhere. Yeah.

All right. So a great question here from Chris.

Chris is wondering, so talking about the stolen session cookies issue. Thomas, you've written extensively about this, and you had a great livestream with us several weeks ago about it that just, frankly, terrified me to the core. But thank you for that.

Is there any movement with browser developers? Can this problem be solved at the browser level, of dealing with a stolen session cookie compromise?

I think it probably could.

But I don't see... I know at one point the folks from Mozilla were working on some different things. But then they had some... this goes back even a couple years ago.

They had some shake-up over there.

And things changed and people got moved around, and it just kind of got dropped. But I know that they were looking at it, some different forms of encrypting the cookies, you know, and encrypting the messages and so forth, so that it couldn't be so widely used. But, you know, even to this day, though, you know, short offshoot here.

We're still getting customers that have hacked usernames and passwords. You know, it all has to do with, you know, the various layers of Swiss cheese. And one of those layers is your local, you know, device that you have to protect. I don't care if you're Mac, I don't care, you know, maybe Linux you don't have to worry about too much. But any platform that you're using to log in to sites, it's got to be secured.

Yeah. And circling back to something we mentioned in the last hour, which is the importance of the Trusted Devices feature in Solid Security. It's one of the only WordPress ways to deal with that exploit. And Timothy and David did a great livestream with us a few weeks ago just about this, where Timothy hacked himself... it was quite something. Or Timothy hacked David, actually. You can watch Timothy hack my website in real time, and I was crazy enough to install a browser extension that he sent me to facilitate this. So, Thomas, if you haven't seen that, it's worth watching. But the one thing I'll say is, do take the time, if you're concerned about stolen session cookies and protecting yourself, take the time to either watch that webinar or thoroughly understand how to implement the feature, because you can enable Trusted Devices, and if you don't enable it all the way, so to speak, it won't stop stolen session cookie attacks from working. There are a couple of layers there, and we just want to make sure that you're really thoroughly understanding what's involved.
So that was the big impetus behind that webinar and behind me allowing Timothy to hack me in real time. To be fair, he did have you opt in to the hack. It was an opt-in hack, that is true, and I appreciated that, but also I sandboxed that extension when I got it, just because, you know, Timothy is just there looking sly; he's not saying a word.

He's like, I still have access, David. Yeah, he exfiltrated all my credit card numbers and everything.

Oh goodness. Yeah. So the link for that livestream is there in the chat if you didn't see that. It's really, really quite good.

Back to the questions here. Another question from Chris. Chris says he's a WordPress developer who serves numerous clients. In my experience, the weakest link in security is always the user. Absolutely. What can you recommend as far as resources that we can share with our clients to get them to take security seriously without scaring them to death? And I'll just kind of add, is there... maybe scare tactics aren't always bad, but maybe a little scare isn't so bad in this case? What do you think, Kathy? Want to start with you?

My YouTube channel.

Kathy, it's just education, right? It's being aware, like it's just being aware, really, of that opportunity. Hackers are opportunistic. They're gonna look for vulnerabilities. And it's just education. There's a bunch of us; there's tons of educational opportunities on YouTube.

And if you're an agency, I would assemble, sort of as a part of an onboarding, like, here's a new client. Here's how we do things. Here's how we transfer credentials. Here's how you're going to only have editor access. If you feel like... you know, whatever your protocols and procedures are for onboarding a new client, build security awareness into that. And if they have any kind of, you know, pushback whatsoever...

I mean, it's a red flag.

True, but, you know, nobody wants to learn... when I was doing security marketing, nobody wants to hear about it. Nobody wants to hear about security until they hear that their neighbor got broken into; then everybody wants the security system on their house. Same thing with WordPress. When that Bricks vulnerability happened, everybody wants to know, how do I protect myself? What's the best thing I should be doing? I want to know about... you know, lots of bad advice on Facebook, that's for sure. But I would really make security education... it's gonna differentiate you. I mean, agency work, I know, is incredibly competitive. When you start building security into not just the onboarding process but also into the sales process, that you take it seriously, they're going to be like, oh, well, why isn't that other agency talking about any of this stuff? Is there something out there they don't know about? And they'll ask questions. So build security into your processes. Really good. Anybody else have advice?

Thumbs it up.

Good. Well, folks, we're coming right up to the top of the hour, at the end of our livestream today. But I do want to circle back to something, Kathy, that you mentioned in your presentation, which is the importance of collaboration between companies and users in the WordPress space to make everybody more secure. So there seems to be, and I've kind of noticed this as well, this trend in WordPress security where, you know, some companies are resistant to collaboration.

How can WordPress... Kathy, in your opinion, you can kind of start here and others can chime in. How can WordPress security vendors work together to improve the safety of everyone in the WordPress ecosystem?

Well, there's some that are looking at what Solid and Patchstack are doing.

They're exhibiting, sort of, good stewardship of WordPress security by the fact that there's collaboration happening.

Patchstack is really great at some things. Solid Security is really great at some things, and they're cross-pollinating information. There's communication happening, there's sharing of information.

All security is communication. A security researcher finds a vulnerability, communicates it through the secure channels to the developer, communicates the proof of concept to the developer. That communication has to happen. Collaboration has to happen. Collaboration is the undercurrent of good security. So, I mean, there's some companies that work better together, I think, than others, which are more cloistered and have their way of doing things and their way of communicating, but I'm seeing some that work really well together.

You know them... not to get biblical, but you know them by their fruits. Right? You can tell what's going on, you can see the actions that people are taking. Make good judgment as a WordPress user and choose to work with the companies that are collaborative, that are putting the needs of users ahead of competition. When you go to a WordCamp, you've got hosting companies lining up the hallways of the sponsor area; everybody is there. You don't have GoDaddy taking potshots at Liquid Web. Maybe you do, but everybody knows each other. They support each other. Our community is collaborative; we work together, and security needs to be a part of that. And the security teams and all of the security vendors and security educators, they need to be collaborative as well. It's what makes WordPress strong.

Excellent.

Who else wants to weigh in on that? Yeah, Kathy's mic drop. Yeah. I echo everything Kathy said, and to touch on it from the lens of the questions you were asking earlier,
Nathan, I think it's what allows us to work on cool features at Solid Security, as well as being able to partner with other vendors. Patchstack has created thousands and thousands of virtual patches.

That's work that then only had to be done once and could be shared to Patchstack users and our users, and lets us work on other features like Trusted Devices or passkeys and things like that. So I think developing those key partnerships and open communication between different services lets us build tools that help protect site owners more than they could if we were all operating 100% independently and we had to build the same thing 15 times. Yeah. Great.

Anybody else before we wrap this up?

Great information. Yes. I really appreciate each one of you and your expertise and the flavor you've brought to this conversation. Really, really appreciate all the great advice. There's a lot of thank-yous happening there in the chat as well.

Let's see. Timothy, you're back tomorrow to start things off, walking through Solid Security. So we're looking forward to that, and bring your Solid Security questions. Do I know... is there a couple of Solid Security questions in the chat that are specific to our plugin? And I'm gonna have plenty of time to answer those tomorrow. Yes. So yes, absolutely. I will walk through all those settings, and in the second hour tomorrow, I'll be talking about the client side of this and how do you talk to your clients about security, for education, for information, and also, Pat, you know, how can you as an agency owner or solopreneur package security into the services you offer to build recurring revenue? So it's gonna be a good day tomorrow as well. Kathy, Thomas, especially thank you both for being with us today. David, your expertise has been excellent as well. Kathy, Thomas, let's wrap up with how... Kathy, if they want to get more of you, where do they find you?

I'm everywhere.

Literally, you are.

Kathy Zant.

I am faster than the other Kathy Zant that is out there. So I grabbed my... my name is everywhere. So just follow me. I'm really trying to put out more security content on YouTube because that's kind of a fun thing. But LinkedIn, Facebook, I'm still in the Kadence community and still very much a fan there. So hit me up there. Very good. And Thomas just dropped the URL for We Watch Your Website in the chat. Quickly, you offer a free service to anyone who wants to sign up for monitoring for malware, any bad things happening to the website. You want to talk briefly about that? Yes.

It's free. You can think of it as a free intrusion detection system. We don't protect anything on the free plan, obviously, but we monitor your database, your files, the processes. You know, if you're on a server, we can do it live.

If you're not on a server, you have, you know, a shared hosting plan, we do it once an hour. It's very good. And one of the great things, especially if you're an agency owner or solopreneur: you have your own server or account where all of your clients are hosted. We Watch Your Website offers a single price to cover that whole server, all the sites on that server. So it's really quite good. And if you want to learn more about that, wewatchyourwebsite.com. So thanks again, Thomas, for being with us today. You bet. All right, folks, that is gonna do it for us. We are back tomorrow, again 1pm Central, for a walkthrough of Solid Security, and until then, have a great rest of the evening. We'll see you back tomorrow on Solid Academy, where we go further together.

So again, welcome. If you are just joining us, open up the chat and say hello and let us know what your biggest takeaway from day one of Disaster Week was, something you learned that maybe you didn't know, or just a big aha moment.
We'd love to hear from you in the chat with that.

Right, captions should now be working for everybody.

Jeffrey needs to convince clients to make security a priority. Yes. We'll be talking about that in the second hour today.

So, Doug learned yesterday, Timothy, that you were born with a keyboard in your hands.

Is there truth to that rumor?

You know, it's just that there's Apple keyboards. They're very good, very portable.

Love it. Oh, gosh. Welcome back, everybody. Glad you're here. If you're just now joining us in Zoom, open up the chat and say hello. We're asking what your biggest takeaway was from yesterday. David needs more Swiss cheese in his life. Yeah, maybe so.

The slide button on the link bundle is going back in the chat now. If you want to download either slide deck from either hour today, you can do that. The replays are up from yesterday, if you want to go back and rewatch those. There's also a discount code for Disaster Week. Use that code, disaster week, for 40% off the Solid things.

We'll have more information about that at the beginning of the next hour. Hey, Tanya, welcome from Finland.

Good to see George from South Africa.

Dan, welcome. Kenna, Doug, George. Yeah, welcome, everybody. Glad you're here. Hey, Stephanie. Manu.

All right, folks, we're about three and a half minutes away from getting started officially. Welcome back. Tea, Sherry, Melissa, Bonnie. Good to see everybody. The check-in question today is, what was your biggest takeaway from day one of Disaster Week? You learned something interesting yesterday in the last sessions; we'd love to hear from you. I'm also going to drop in the chat the link bundle again for today. Session one and two slides are there waiting if you want to download those.

And of course the discount code, disaster week, 40% off all the Solid things.

Be the cat.

That's great.

So we're just about ready to get started. Just a few minutes away. Timothy is going to be talking in the first hour about reducing our risk to nearly zero with Solid Security.

Augustine, welcome. Glad you're here. Hey, Sue. Kay, Glass, welcome, everybody. Phoebe, yes, sign out of all the websites. That's really a good thing.

After Thomas Raef came on a few months ago and scared the pants off of me with that session-stealing cookie hack, I am logging out of everything religiously. I had a bad habit of not doing that.

Hey, Rob, welcome.

Murray, welcome. Glad to see everybody. If you're just now coming into Zoom, open up the chat, say hi. We'd love to hear what your biggest takeaway from yesterday was.

Yes, SIM porting, Sherry, that's another big one.

The link bundle is in the chat if you're just joining us and you'd like to download the slide deck for the first or second hour today. Those links are there waiting on you in the chat. We're gonna get started here in about a minute and a half from now. Timothy's got a great session lined up, walking through the settings in Solid Security that can help you reduce your risk to nearly zero for your WordPress site.

Yes, Sue, great idea.

With Kathy's hint, her pro tip on the four digits of the password. It's good stuff. Kathy's checklist was excellent.

Just about a minute to go now, folks. Glad you're all here. We've got a couple of great hours of security conversations coming to you today. Timothy in the first hour talking about Solid Security and the settings that can help you reduce your risk to almost zero. And I'll be talking in the second hour about talking to clients about security, the business side of all of this. So we should have some fun today. The slide decks are there in the chat.

If you're just joining us, open up the chat and say hi. All those links are there waiting on you, as well as the replay link from today. If you missed yesterday, we had an excellent presentation from Kathy Zant giving the state of WordPress security. I'd invite you to go back and rewatch that; it was quite good. Also, we had a great panel of security experts. Really good discussion and comments on some of the big issues going on in WordPress security. So if you missed that, the replay is up from yesterday. And we'll have today's replay up about an hour after we finish as well. Welcome, Christian from Quebec.

Just about ready to get started. Hi, Eddie. Yes, watch the replay. It's out there, ready to go. Really good stuff from yesterday. All right, it is now three minutes after, so let's get the recording started and we'll dive right in.

Welcome back to day two of Disaster Week for 2024 here on Solid Academy. My name is Nathan Ingram. I'm the host here at Solid Academy, joined today by Timothy Jacobs, the lead developer for SolidWP. Welcome back, Timothy. How are you? I'm doing good. Thanks for having me, Nathan. Yeah, we appreciate your wisdom on the panel yesterday. We had a great discussion with you and Kathy Zant and David Johnson and Thomas Raef from We Watch Your Website, really good conversations there. And today, you're going to be talking to us about Solid Security and what we can do to reduce our risk to nearly zero. Want to give us kind of an overview of where we're headed in the next hour or so?

Yeah, so we're going to spend some time talking about some of my favorite features in Solid Security. We're going to talk about some of the threats that are facing your website and how you can use those features to help protect yourself. And then we'll have plenty of time for questions and answers, either about cybersecurity specifically or security in general. Yeah, very good.
I saw our lineup today Timothy will speak and we'll do questions for about an hour here and right around the hour mark at two o'clock central time or however that translates to wherever you are in around the world. I will take about a 10 minute break and then I'll come back for our final hour and talk about how to talk to clients about WordPress security. So just a couple of bits of housekeeping the replays from yesterday are up we've mentioned that I'm going to drop in the chat once again, our link bundle if you'd like to download the session slides for this session or the next those links when they're waiting on you. And that we invite you to ask questions because we will have a good time of q&a at the end of this session. And next session, please use the zoom q&a link which if you mouse over the shared screen, you'll see that q&a icon you can click that ask your questions there rather than the chat please. Because as the questions come up in that q&a, you'll be able to upvote the questions of others and we'll take those questions in the order of up votes when we get to our time for q&a. All right, Timothy, let's get started. I'm looking forward to this. Let's do it. Yeah, so we're gonna be talking about how you can reduce your risk to nearly zero using cloud security. And to do that we need to take a look at what are some of the threats and vulnerabilities that your site might face. So one of the ways that attackers can come at you is just through your front door through your login page. And so this is all about bog and security. It's probably the stuff that we know about the most. If your users are using weak passwords, well that leads to brute force attacks. If your users are reusing their passwords, let's say they have a favorite password. We mentioned that phrase a couple of times yesterday. That's not very good. Or they have similar passwords. 
Let's say they have a password formula or a password pattern that's like, you know, five random numbers and the name of the website or something like that. That's not great. That's gonna lead to credential stuffing attacks. Those are when an attacker finds a database of passwords that were leaked from another service and tries vo Pat those passwords across your actual site says, Hey, this user is using this username and this password everywhere. Let's try it and see if we can get into the site.\r\n\r\nthing that you might not think of immediately though, when it comes to login security is the reputational damage that your site can experience if you have issues like this. This isn't just about an administrator losing access to your site. Obviously, that's kind of a huge problem and administrators account gets compromised, you got malware, etc, etc, etc. But this is also risk if you let users log into your site. Let's say you are a e commerce shop or you are a buddy press install that has a membership base component. Anything like that. What you'll often find is that people blame the website when their account is hacked. It's rarely that someone says oh, I messed up my Facebook account got hacked because I had a weak password instead. It's Oh my God, my Facebook account got hacked. Facebook. Why did you screw up yada yada yada? We saw this with 23andme earlier this year, and last year where attackers ended up accessing personal data for millions and millions of users.\r\n\r\nThis was because of in some ways the fact that those users were compromised. Were practicing poor security hygiene. But the users didn't see it that way. Certainly the larger internet news media didn't see it that way. You have a responsibility to mandate security best practices not just for yourself and your site administrators. But if you're an E commerce or WooCommerce install for your customers as well. 
If their site gets compromised, if their account gets compromised, and their credit card details are able to get accessed or their address and personal information or orders are able to be placed. They're going to blame you they're not going to blame themselves.\r\n\r\nWe watch your website earlier this year published some really interesting statistics about how sites are getting compromised that he sees through his service. And he found that 7.2% of hacks were coming through the front door with login security. And in some ways that's a small number which I think is a good thing. It means that you know we are making progress, but in other ways, the fact that that 7.2% number is even 7.2% that in some ways just seems very very high to me that still yet we have people not following the best practices. So what can you do? Well in South security pro we have a number of different features that help in this regard. One is just enabling brute force protection. You don't need to let an attacker try as many times as they want to log into your site. You can stop them after they try a couple of times in a row and make it more difficult for them to get into your site.\r\n\r\nYou can require strong passwords. I saw it security has a really great feature where it will detect that a user is using a weak password and force them to change it during the login flow. So this isn't just something that is only for you know new accounts going forward. It's a great thing that you can enable and solid security will take care of upgrading users and forcing them to put in best security practices. You can also prevent using breach passwords through the half I've been poned integration. So this is where credential stuffing attacks occur. Let's say your account got compromised on some other website, some forum something like that, and they then retry and use that password. 
Well with have I been poned will say hey, has this password ever appeared in the data breach, and if it has will prevent you from using that password on that site, which is another great way to help your users protect themselves. You can also use Capture features. We recently launched an update to capture that adds in a couple of new providers as well. So it's not just a google recaptcha if you don't want to use Google you can use Cloudflare as turnstile feature, which is excellent and the one that I recommend the most or you can use h captcha and this helps slows bots down. If you're able to say hey, you need to complete this challenge to try logging in. It's a significant deterrent so they can't just try millions and millions of attempts at once.\r\n\r\nWhat else can you do? Well, you can enable two factor the two factor features in solid security they let you enforce two factor. So you can say hey all of our administrators are editors, people who can do privileged things in our site, we can force them to use two factor. And when you do this, you'll use a feature in solid security that I think is pretty unique, which is our two factor onboarding sequence. So this automatic onboarding flow lets users get up and running with two factor without your assistance you don't need to get involved. All you need to do is say, hey, solid security, make sure all my administrator is using two factor. And the next time the user logs in will prompt them to set it up. We'll tell them what the future is about. We'll make sure that they understood how two factor works. They need to enter in a two factor code before they can continue. And you will get all of that happening for you in the background without you needing to code from user use the user and say, Okay, I set up two factor for you or you know, let's go into the Zoom call and show you how this works. 
You can use these automatic onboarding features.\r\n\r\nAnd when you use all these features combined, you can see this is data from Google that showed how attacks were able to be prevented using two factor challenges using things like security keys as well. Now, I know what you're probably thinking, which is that okay, well two factor is great. I know two factor is great, but it's really hard to convince my clients to use two factor because it's confusing or it slows you down. And so for that I say let's use password of this login. So I gave a talk a couple of times now about killing the password that really dives into it. But passwordless login using past keys is a faster and more secure way to authenticate. It lets you skip your password and lets you skip entering in two factor authentication. And it provides basically a one click login experience. You can see here I just clicked use my passkey and I logged in my device authenticated me my device made sure that I was logging in to the site that I thought I was logging into. So it's also phishing proof. We're not going to dive into all about passwords today. There is a whole hour about it if you want to check it out on the academy and you can take a deep dive into why password this login is important using past keys, but I'd say it's a good option if you have it if this if this demo doesn't convince you read the whole hour or watch the whole hour and we'll really dive into it.\r\n\r\nAnother thing that you want to consider is access management.\r\n\r\nYou don't want to be in a spot where everyone on a site is an administrator you just give admin access out willy nilly.\r\n\r\nYou want to make sure that when responsibilities change people's access changes if someone needed an administrator account to do some initial setup, but now they're done with that. Consider changing the roles and changing their capabilities. 
You also have to make sure that you have a plan for when employees leave you know where no one sticks around in the same company forever. And you want to make sure that when an employee leaves your company or leaves your agency that their access isn't maintained anymore that they no longer able to log into all of your sites.\r\n\r\nSo how can you accomplish this with a solid security? Well, there are a couple of things that you can make use of one is just make the liberal use of roles that exist in WordPress, right? We're not limited to just an administrator or subscriber. We've got five that are built in. If you want to go further than that you can there are great plugins like the user role editor that lets you get very fine grained and say, hey, I want to use that that can do exactly these. Couple of things. Do that. That's awesome. We have some really cool features in solid security too, though, that can help you one is the privilege escalation feature. This lets you say hey, normally this user they just need to author access, but I need to give them some temporary access they need to do something special, but only for the next few days. And what privilege escalation will take care of is saying hey, once that period has expired, they'll revert back to their previous access. This is good both for you know when you have a team member who needs to take care of a special task but also if you're reaching out to support either our support at Southern WP or the support for any other WordPress companies. Instead of giving them an administrator account that sticks around forever. Create them an account, set it as a subscriber or an author and then temporarily give them privilege escalation for a week, let's say to an administrator and you can rest more easily knowing that hey, there isn't just administrator accounts hanging out there that are waiting to be compromised.\r\n\r\nYou can also use some other cool features and solid security for the site scan. 
So our site scan feature takes care of looking at vulnerable software for instance, but it also looks at inactive users. So if you have users on your site who haven't logged in recently, you can easily use the site scans feature to identify those users and demote their capabilities. If they aren't logging in every day, maybe they don't need administrator access anymore. Maybe you can demote them to an author.\r\n\r\nAnother general tip that I recommend though is just centrally document when you're giving out access, if you're getting privileged access, write that down startup, a spreadsheet, a Google Doc that saying hey, this employee has access to these systems. Whenever you give that out so that you know what different things to go through and revoke. It's not just WordPress sites. It might be you know, email accounts, marketing, automations, all these different tools. Start with that in place. So you're not saying hey, two years from now when they leave, oh gosh, what are the 1520 3040 50 different services that I invited them to? You have one place to consult So what's another aspect of how attackers can compromise your site? One of them is through the backdoor. And by this I mean vulnerable software. Patch Jack identified nearly 6000 issues last year, and the majority of these are in plugins over 97% The remaining 3% We've seen themes and it's just a fraction of issues that are in WordPress core. Every so often we just had six point 4.3 get released, I guess a month or two at this point, which was a security release that fixed a couple of issues. But really the primary issue and we talked about hey is WordPress insecure. It's not WordPress core. It's WordPress plugins.\r\n\r\nWe watch your website identified that nearly 33% of attacks that they saw on their sites that they clean up were due to vulnerable software.\r\n\r\nThere are some things that you need to understand about vulnerable software. 
We talked yesterday about how there are 100 150 200 different vulnerable software issues that are reported every week now in WordPress. And so that means you kind of need to take a look at vulnerabilities and say okay, let's not get too overwhelmed. One of the things to keep in mind is that not all vulnerabilities are equal a remote code execution attack. Where an attacker, let's say through the bricks vulnerability is just able to execute PHP code arbitrarily on your server that is way more severe than for instance itself cross site scripting attack where an attacker needs to trick you into clicking a link or entering in some data into a form. If you just look at the reports at a glance you might see oh, these are all the same. I've got 15 issues here, how am I ever gonna resolve them, but you can use things like the CBSs score. This is a score that ranges from zero to 10. And the higher the score, the higher the severity. And you can also use providers like patch stack who we integrate with to help you determine a priority and say this is when you should patch it. For example, this is the WP formance vulnerability that happened earlier this year. It has a high severity but it wasn't known to be exploited to patch stack. And so they came up with a patch priority based off of how likely it was to be exploited, how easy it is to be exploited and say hey, you should patch this within seven days. So these are kind of tools that you can look at to help you identify what fixes need to be made. Now.\r\n\r\nWhat we found with solid security is that at I checked the data last night that 45% of websites that are reading sense sites, yes, right now have at least one bit of vulnerable software installed. So what are some things that you can do with solid security to help this one is we have an awesome vulnerabilities page that tracks all the vulnerabilities that are affecting your site. 
So this gives you one view you don't need to watch your email or look in the logs it gives you one place where you can log in and see all of the vulnerabilities that are affecting your site. It'll automatically scan for you multiple times a day to find new vulnerabilities. You don't need to remember to go back and click Scan and click Scan and click Scan. It'll take care of that for you.\r\n\r\nWe also give you recommendations on how to resolve the issue that are specific to whatever vulnerability is actually present on your site. So for instance, this ancient WooCommerce plugin vulnerability, a fix was officially released by WooCommerce. So we recommend you to update that plugin right away. If you can't, you can deactivate it will give you those choices there and let you know what actions you should take depending on the vulnerability.\r\n\r\nAnother really cool feature is that it lets you view the historical vulnerabilities that have affected your site. So let's say this ninja forms vulnerability we can see here that hey, we updated this plugin on February 15. The vulnerability was reported on this date and so you can go back and if a client asks you hey, whatever happened with that Brix vulnerability, you can see oh, we automatically updated that or we manually updated that or we deactivated and switched away from it. You can see all of that data inside of solid security. So you don't have to be guessing or trying to remember what happened. And as you've been running the plugin for a long time, you'll see over the period of months and years, what vulnerabilities have affected your site in the past.\r\n\r\nThere's another really cool feature that I want to talk about though, which is virtual patching from patch stack. The thing to keep in mind and we talked about this yesterday as well with a bricks vulnerability is that sites can start getting compromised within hours or days with a vulnerability being published. 
So think about hey, what if this happens when I'm on vacation, or if I'm away from the computer? Or I just didn't know about it.\r\n\r\nvirtual patching is there to protect you when you're not able to update. Now, it's not just when you're not able to update because hey, you're AFK right now, but 25% of the virtual patches that patch stack publishes, they cover you when there isn't even an official fix yet. out for the plugin. This is a vulnerability that's out there, the plugin author hasn't been able to fix it yet or is unwilling or unable to. And there's a virtual patch to protect you. So this isn't just Hey, okay, I'm gonna pay I'm gonna be on my site 24\/7 And the second I see a vulnerability I'm gonna update to the fix. These are also important because they can protect you even if there isn't effects. Even if you want to do the best thing possible and update immediately you might not be able to.\r\n\r\nSo how do these virtual patches work? Well, they're targeted firewall rules that are deployed to your site to block attacks from being executed. And so what that means is, if you can't update yet, let's say there is a severe WooCommerce vulnerability, and you just can't update that right away without doing a lot of testing. Well, this targeted firewall rule will protect you by blocking that specific attack vector from being executed. These are also highly targeted. So this isn't just a general vague rule. And what that means is that they have a much much lower false positive rate. There are some tools that will kind of offer broad general blocks where they try and say okay, anything that kind of looks like this, well, we'll block that. But those can have false positives where suddenly you're just trying to use your site, and oops, it didn't protect you, or you're trying to use your site and it triggers one of these false positives and you get blocked from trying to do something normal or innocuous. 
But Pasternak creates virtual patches for every single specific vulnerability, not just broad patches, they have I think over 6000 vulnerabilities with V patches at this point, which is way more than pretty much any other provider out there. And if you're using solid security or the solid patch stack head on for our older customers. You don't get that protection automatically.\r\n\r\nIt's important to keep in mind that patches are mitigations. So you still want to update don't just be running an ancient version of WooCommerce forever, but they're there to help you when you can't update either because you're AFK or you know, a fix just hasn't been released yet. So what does this look like in cloud security? We can see an example of this with this WooCommerce vulnerability. You have this badge up in the top right, that tells you hey, this was patched automatically. And in our Status section, we tell you that hey, a virtual patch was automatically applied to mitigate this vulnerability. We still do again recommend that you update don't keep things inactive forever. But this patch automatically installed some firewall rules. And you can see that if you ever go to the firewall section in solid security, you'll see that hey, here are these different firewall rules and they came from packstack if you want to you could deactivate them, but we don't recommend that they're there to keep your site safe.\r\n\r\nWhat else can we do to manage updates? Well, I would keep in mind at this point, their sites have lots and lots of plugins and updates are important. So you should schedule the time to do them. Don't make this just a thing of okay, I decided to log in today and I have some free time. I guess I'll apply some updates. Make it intentional that you say hey, let's apply these updates this day.\r\n\r\nAnd don't do this too infrequently. It's easy to say okay, you know, every fifth, every fifth every second Tuesday, we're going to apply updates. 
I don't think that's a good idea these days. You need to do it more frequently, I would say at least once a week is when you should be saying okay, let's look for updates and apply them. The longer the they sit out there. The more updates you have to apply, the more complicated it gets anyway, but that also helps with security updates. You'll see for instance from packstack a lot of their issues, they say hey, patch this within seven days. So if you're applying updates once a week, you're gonna be on top of that.\r\n\r\nYou should prioritize high severity issues. So if you have a huge list of updates to apply, and you see that some of these are security related, work first on the ones that are high severity, you don't need to just go in the order that they were received. Look at their severity, look at the priority to help you determine which updates you should install.\r\n\r\nYou can also use hosts like Nexus that provide automatic updates for the visual regression tests. One of our fears with turning on automatic updates is okay, what happens if my site just breaks but using tools like these that do automatic regression tests can say, okay, there was an issue with this update. We're not going to apply it to the real site or we're gonna roll it back and we're gonna notify you that you need to do manual intervention, but for everything else will take care of it automatically.\r\n\r\nYou can also use solid central to apply updates across all of your sites and that gives you one UI where you can work them down and we're bringing some really cool updates soon to that screen as well. You also have the option to enable auto updates for security fixes. This is a feature in solid security Pro and the version management module that will let you say okay, we detected that this patch is a patch that is resolving a security issue. 
So let's just automatically update it to it, even if you wouldn't ordinarily apply automatic updates for that plugin.\r\n\r\nSo the last threat to be aware of that I want to talk about today is under your nose. And so this is about session stealing attacks. So this is something that we did a webinar a couple of weeks ago that really dived into it, and did some cool demos about our features in solid security. But if you haven't heard about session stealing attacks, this is when malware is installed on your device, and it steals the actual cookies that you use to authenticate with WordPress. These cookies are then sent to an attackers botnet or they're sold off. And with these cookies now an attacker is able to fully impersonate you. They have your full capabilities for all intents and purposes. They are you it is your actual login and a big thing to keep in mind. Here's because they're stealing the cookies and these cookies you get after you've logged in. It means that usual protections like brute force prevention or two factor aren't able to effectively block this attack, because you actually logged in and you completed two factor and then the attacker stole those cookies.\r\n\r\nThomas from we watch your website found that this affected nearly 60% of the websites that he was cleaning up, but it is a huge number. So what can you do? Well, the first thing is keep your computer secure. If your computer is safe if you're not using untrusted devices. If you're always connecting over HTTPS on secure Wi Fi, you're not going to be subject to this attack. If you're just you know, using your home computer, you're up to date you have no malware installed, and an attacker isn't able to magically steal your cookies your device must have some way been compromised, or you're using a compromised network. Or let's say you go to a computer cafe and you're like hey, I'm gonna log into my E commerce WooCommerce site and you know, nothing will go wrong. I'm sure that's fine. 
Don't do those things. Keep your device up to date. Use the firewall tools or anti malware tools that are installed on your devices Windows Defender, Mac devices, gatekeepers those types of tools to keep your computer safe.\r\n\r\nYou can also implement additional controls on sessions. And so this is where the trusted devices feature and solid security comes into play. With trusted devices lets you do is it alerts you when a login has happened on a new device. So this can be Hey, I'm just now traveling for work, let's say and normally I based in New York City but now I'm in Huntington apparently from this demo. And you'll get a email that says hey is this you are you're trying to log into this device and you can say yes it was me or you can secure your account and change your password. If it got compromised. But it comes with additional features as well. One of which is restrict capabilities. So if someone is logging in on a new device will restrict their access instead of being able to do everything like Install Plugins create new users edit your passwords. Instead, they only have limited access so if you are on the road and you need to, you know make a quick update to your posts, you can do that. But when you don't want to take more sensitive actions or more secure actions, you will be prompted to actually confirm that new device. Another feature is session hijacking protection. You can see a cool demo that we did with David a couple of weeks ago in our webinar, where we said hey, what would it look like if someone stole your session cookies? And you can take a look at that to see how solid security would stop that attack from taking place.\r\n\r\nSo in summary, you have to think about the weakest link, one admin account with a weak password can result in your site getting compromised. One unpatched login with a critical security issue can result in your site getting compromised. We need to stay ever vigilant. 
We need to be making sure that hey, if one thing slips through, that can be you know a disaster so use every tool available to you. This isn't something I think once you're managing more than one site that you can reasonably stay reasonably expect to stay up to date on all by yourself. Use tools that help you and of course, the tool that I like is solid security.\r\n\r\nSo I'm now at this point ready to open up the questions Nathan.\r\n\r\nAll right. Excellent overview of all the things that solid security has to offer and we have plenty of time for your questions. There are 10 questions currently stacked up in the queue. Folks, if you have a question about anything regarding WordPress security, including of course the solid security plugin, open up that Zoom q&a and drop in your question also about the questions of others and we're just about to start taking our first questions. The first one being from Paul, Paul says in the past moving the WP config file to the root level of hosting I get the same level of public html help to protect a site is that still something that helps?\r\n\r\nI guess I'd say Does it hurt? I mean, is there like originally some of this was\r\n\r\nhow do we make sure that hey, WP config is not exposed in the public HTML directory. It was kind of the idea. So we would move the WP config file a route above public html actually. So you'd have public html slash index dot php, and that index dot php would be the WordPress and then WP config would be below that. So it'd be web, config, public HTML, everything else on one level, and then your WordPress and so the idea is that, hey, if we move that out of the web route, it could prevent some attacks. I'd say at this point, you know, it doesn't harm anything, but unless your server was misconfigured in the first place, it probably isn't going to really\r\n\r\nit isn't going to be a problem to begin with, if that makes sense. So it doesn't harm anything. 
It's an easy thing to do, but it's probably not actually preventing an attack.\r\n\r\nEspecially these days. I think those types of server configurations are much rarer.\r\n\r\nYeah, so one of the tools in solid security allows you to check out file permissions, and it shows you what the recommended permissions are of things like the htaccess file and WP config. So if I know just from using the product that the recommended is the 444 write for WP config. So if the P config lives in the regular WordPress directory and public html and it's set for 444 You said that's pretty secure. Yeah, there's no issue there.\r\n\r\nSo like if you had a scenario, where PHP files were not being properly executed, which is kind of part of where this attack lies. Then if someone went to your site slash WP config that PHP, it could then return the plain text of that PHP file. And then they would have your database credentials and your salts and things like that. And that could be an issue. That could be these days, though, that is not really a thing where servers are configured in such a way that we only say hey, only index dot php can be directly executed. So yes, I would say putting it in the root level is totally fine. And yeah, it's great to use that file permissions tool in security, to help you identify what permissions aren't what they should be. Task anthropods question I do this on some sites. So for a couple of sites, I have like a pretty specific custom setup of how web config dot PHP works, and they are better than others. I don't.\r\n\r\nI'd say at this point, it's just not, not on the top of my list of security improvements. I think there are more significant things that you can be doing. Yeah. Good. Next question that was from Kenneth Is there a class or video on how to set up the free parts of Cloudflare I see a lot of areas there but I don't know how to set them up. 
And Timothy, before I turn this to you, let me just mention that actually the premium course for the month of April, which will be about a month from now. I'll be doing a course specifically for WordPress agency owners on setting up Cloudflare basically all the stuff we've learned in my agency over the last year and a half or so of muddling through Cloudflare and getting things set up both with settings and processes, with how we migrate things, and just what we've learned from moving 100 sites into Cloudflare. So that is the premium course for April, you could register for that if you're a member of solid Academy.\r\n\r\nIt's up there on the courses now but so let me pivot back to you, Timothy, anything that you would recommend on that or how effective even is Cloudflare as part of a holistic security approach for your website? Yeah, um, so I would say that sounds like a great academy training to check out for this I think we've talked about in the past of offering like more content through solid WP about how you can most effectively use Cloudflare. And that sounds like a great session. Um, in general, I'd say Cloudflare is definitely a great tool in your tool belt and if you are able to use it, I highly recommend it. I would say it works very well in conjunction with some of the other features with solid security. So Cloudflare offers for instance, graph functionality. Their raft functionality is more broad than patch stacks, virtual patches, so they're applying things like Okay, let's try and prevent a large set of cross site scripting attacks, or a large set of SQL injection attacks, things like this. And you'll find that those have those trade offs right where sometimes they're not able to protect against an attack. Like patch stack is able to patch stack is dedicated to WordPress specifically. 
And so they create new patches multiple times a day, which Cloudflare often won't be doing. You also see, because of Cloudflare's kind of broad-based support, that you might actually run into issues with Cloudflare. I, for instance, writing about security, sometimes you can try and publish a blog post and Cloudflare will say no, because you're describing a SQL injection attack and they're like, oh, that looks like a SQL injection attack, we're gonna block that. How on earth do I publish this blog post? Cloudflare, get off me. So you'll see kind of the difference between how Cloudflare works and how Patchstack works. I think they work excellently in conjunction with each other. But Patchstack is able to go beyond that and say, okay, you've detected you have this specific vulnerability, we're going to create a patch that protects against this specific vulnerability.

Yeah, it's really good. I think this is a great illustration of the analogy that Tomas made yesterday with the holes of Swiss cheese lining up. Actually, Patchstack is just another layer of Swiss cheese: Patchstack is a layer, Cloudflare is a layer, server-level security is a layer, WordPress security with Solid Security is a layer, and they all hopefully can block all the holes so no hole goes all the way through. Really good.

Okay, question from Vern, we get this one a lot. Hide the back end, which refers to changing the wp-login URL, changing the wp-admin URL to something else. Is that effective in today's WordPress security landscape?

I do not use this feature on any of my sites. I will say, if I could, I would remove it. And we know this is a feature that a lot of people like, so we don't have any plans to currently. But what we always encourage people, if they reach out to our support desk and ask about this feature, is to use things like I talked about in the login security section. Those provide real security. Oops, these slides went away. Those provide real security.
So those are things like saying, hey, two-factor, CAPTCHA, lockouts. Those are much better than just making your login page something different. You're adding, like, one small step, but oftentimes, hey, if you're an e-commerce store with WooCommerce, your customers need to log in. So there's going to be a login page that is exposed out there, and that feature isn't going to protect you. So no, it is not a feature that I really recommend. It falls under these kind of warm and fuzzy types of features, I guess you could say.

But I don't think they provide the real security that we want, which is, you know, use two-factor, require two-factor, prevent people from logging in 50 times from the same IP address in a minute, use CAPTCHA, all of these different things. 100%. It's so much better just to have a CAPTCHA between the world and your login page, no matter what that URL is. Having a CAPTCHA. Exactly. That's really the thing.

Okay, question from Su. Timothy, which plugins do you use, or feel comfortable setting to auto-update? So I may be controversial in this: I auto-update most plugins.

Solid Security has a really cool feature in the Version Management module, which lets you delay auto-updates. So for instance, let's say you have a plugin that you know releases updates that sometimes break things. You can say, hey, don't auto-update this immediately, but auto-update two days after it was released, or three days after it was released. And the idea behind that is saying, okay, if there was a bug, they caught the bug, identified the bug, fixed the bug, and now auto-update to it. So it can still be something that happens in the background. But I'll be honest, I auto-update most plugins, I think.

You want to make that decision when you're setting up the site.
If this is a plugin that I'm not comfortable auto-updating, should I be using that plugin in the first place, if this plugin author is so frequently releasing updates that just completely wreck my site?

Maybe that means it's a different plugin for the job. Now, I say this as a developer who, you know, very much happily will build everything and anything from scratch. But yeah, I have, you know, Yoast SEO set to auto-update. I have a lot of different blocks plugins set to auto-update.

And yeah, I try and keep my plugin list down, not at 50 plus, so it helps in that regard. But I totally understand if that's not something that you're comfortable with doing, either because of the complexity of the site, and that's where, you know, virtual patching and those types of tools come into play.

So, let me dig in and push back on something on that. I think maybe I need some education on this too, or a different way to think about this. But sometimes well-known, reputable, I guess, plugin developers, certainly big ones that everybody would know, will push an update, and it'll break something unintentionally, and they'll push, you know, a dot-one version of it within the next couple of days. What danger do you have, does that worry you, just having everything set to auto-update?

So I would say, yes, there are plugin authors that release plugin updates that just totally break everything, and those are on my list of plugins that I try not to use.

Yeah, without naming names. I guess that would be my general approach, right, is that I much rather, when I do client work these days...

Usually we're building something very specific, and we could build it with, you know, a combination of six different plugins. But kind of the value that I'm able to bring to the client is to say, hey, we architected this special. We have developed it for your specific use cases in mind.
We're not using, you know, 5% of a plugin, and 5% of another plugin, and 5% of another plugin, and that's where things kind of, like, start to break down. So I would say it's a different kind of approach for building things, where it's more, okay, what are the plugins that I'm very comfortable with, that I think are bulletproof, and, you know, set them to auto-update, and I'm not particularly worried about it. And if those aren't ones, whatever the thing is, then I should just build it instead and write the code specifically for that client.

And I know that their site will be more stable, because they also didn't, you know, get a new feature that they didn't ask for that completely changes the UI, things like that. So I would say it's a different approach. But it is not at all uncommon to have that feeling around auto-updates, which is, again, why, you know, Patchstack and things like that are helpful tools.

Also, because there's the 25% of cases where there just isn't a fix available for the security release.

But yeah, that's generally my attitude: how can I reduce the plugins that I'm using that are just breaking things all the time? And for the ones that do, set an auto-update delay, say, like, hey, five days, and if the plugin has been stable for five days, then it's probably good enough to auto-update at that point. You would hope that if they break everything, it gets fixed pretty quickly.

And that delay is part of the Solid Security Version Management feature. And let's just say, there's also a setting on that Version Management page that allows you to auto-update if a vulnerability exists. If that's the case, then that delay doesn't come into play, right? It auto-updates no matter what.

It's a fantastic feature.

Okay, question from Dan. How resource heavy is Solid Security with its constant scanning and so forth? It's pretty light.
So we don't believe that a plugin should be doing things like individual file scanning for malware. It doesn't make sense to happen in a plugin. Tomas, I think, has done a couple of different discussions about this, I think on our SolidWP Academy, where he finds malware, that one of the first things they do is turn off a file scanning feature and say, hey, I'm all good, or they whitelist their plugin, things like that. So we don't believe that plugins should be doing that type of heavy scanning.

Instead, we do things like, hey, checking for vulnerable software. And that's very fast, that's very minimal. We make API requests out to our servers, and it contains the list of plugins you have installed and the versions, and it does a really quick check, so it doesn't really add any weight to your site. Things like checking for inactive users, all of these things are pretty resource light. So that is a really key thing that we keep in mind when we're building Solid Security: we don't want to slow your site to a crawl. If your site is so slow that no one can use it, it doesn't matter if it's 100% secure.

But yeah, we don't believe in putting those types of super heavy features in the plugin. They are best left for other services. We're focused on preventing an attacker from getting into your site, as opposed to, okay, an attacker has gotten into my site, now I need to scan my site for malware every single day and for infected PHP files, because then you are talking about a very intensive process. And it's something that smart malware these days can just disable.

Yeah, and it seems like, especially, a file-level malware scanner seems like that should be something that lives at the server level, right? Yeah. So Tomas's tool, for instance, that's one of the things they do: they send the files off to his servers, and then his server is able to very efficiently scan them.
It doesn't make a lot of sense to be doing that from WordPress, both for the performance reason and for the security reason: if it's happening in WordPress, then any plugin can stop it from happening. There's a lot of reasons why that doesn't make a lot of sense.

For virtual patching with firewall tools, that's another thing to keep in mind. So that's why virtual patches from Patchstack only apply if your site has that specific vulnerability. They don't apply, you know, 20, 30, 40, 50, 100 generic firewall rules that apply with every request. We only apply specific firewall rules, and only if your site is vulnerable. If your site doesn't have a vulnerable version of that plugin, there is no reason why you should be looking for attacks against it and blocking them. It doesn't provide you any security benefit; the attacker wasn't going to get in there anyway. What that is doing is things like DDoS protection, stuff like that. But that shouldn't live in the plugin too. That's where you want to use Cloudflare in conjunction with Solid Security. Solid Security isn't going to protect you if 10 million requests hit your server within an hour, and no WordPress plugin can, but that's where something like Cloudflare comes into play.

And again, the Swiss cheese analogy, it's such a great point, I don't want to zip right past, because this multi-layered approach is critical. And honestly, correct me if this analogy is wrong, Timothy. But, you know, back in the day, there was this season of WordPress theme development where people were selling themes on a giant marketplace, and the way they found to sell themes was to cram all these features in there that really should have been in plugins, but now they're kind of rolled into this giant kitchen-sink type theme. And they ended up being a bloated monster that was just really difficult to manage long term, and slow.
And so maybe some security plugins for WordPress are kind of adopting the same approach, like, we have a scanner, we do these things, but we should really separate those out to have a lighter, more efficient site. Am I right on that?

I agree. I think the things that should live in WordPress should live in WordPress, the things that should live at the network level should live at the network level, the things that exist on your server should exist on your server. There are things, for instance, I don't think Cloudflare is going to offer passkeys as a login method, right? If you have a credential stuffing attack, Cloudflare probably isn't going to prevent that, because on the first try they log in, and they know your username and they know your password, because if you're in a breach, there's no opportunity for Cloudflare to protect you there. But if you're using Solid Security to prevent a user from using a password that has appeared in a breach, that's the perfect thing that should live in WordPress, right? It wouldn't make sense for Cloudflare to, you know, somehow be operating on your WordPress site and pop up an update password page, or change how your login process works. That wouldn't make sense for Cloudflare to do. So use the tools for what those tools do best, and take advantage of the fact that some of those tools can live in WordPress and can provide a context, knowing that this is a WordPress request with this user and this password, and they're trying to do this specific thing.

Yeah, really good. Okay, moving on to the next question here from Nate. Does Solid Security provide a way to have a two-factor code sent to a phone via text, like what Facebook does?

No. So we do not, and we do not plan to. SMS two-factor is convenient. It's a way that you can kind of get people a little bit more used to it. But I would say at this point, email, in my opinion, is just as convenient.
But the issue with two-factor via text messaging is that SMS is not a great protocol, and a lot of mobile phone providers don't have the best security practices around things like preventing SIM swapping attacks. So I would say SMS, in my opinion, is a legacy two-factor method.

It was helpful for getting people used to the concept, but I think at this point everyone is familiar with email-based two-factor.

And my big push really would be, hey, use passkeys. That gives you a two-factor experience that exists on your phone. Or not a two-factor experience, well, it's kind of a two-factor experience. The point is that it has your phone and your biometrics, and it accomplishes that same bit, but doesn't rely on a text message being sent and all of that happening. It just provides you with one simple login flow that is protected with Face ID or Touch ID, things like that. So no, we do not, and we do not plan to. Right answer.

Okay, here's a good question from Stephanie. So Stephanie, I'm guessing you're a legacy iThemes member. She's asking how to activate virtual patching: I have Patchstack in Solid Suite, it's on the dashboard, but the firewall is inactive.

So if you go to Security, on any of those things you can click into the licensing page. It's under Settings and then SolidWP Licensing. And there'll be a section there that says Patchstack enabled sites. And so if you are a new customer, when you activate a license, Solid Security will automatically enable Patchstack for you. But if you are not new, or you don't have enough Patchstack licenses, let's say you are a legacy customer that had a Gold subscription, for instance, you then need to choose to enable Patchstack for that site. So the thing you want to do is go to Settings, SolidWP Licensing, and enable Patchstack for that site. If you're still having trouble, that's an excellent reason to reach out to support.
If you go to solidwp.com, there's a link to support, and they'll be able to help you out. But that is probably the bit that you're missing. Make sure your plugin is licensed.

Yeah, very good. And I'm also dropping in a link to a livestream we did back in December that covers a lot of how to even position, if you're a legacy iThemes customer for example, positioning an upgrade with a Patchstack firewall as a better layer of a care plan. So that link is there in the chat. Yes, definitely. So if you're still having trouble with that, reach out to support and they'll give you some help right away.

Kenneth is asking what the 40% off deal is for. So, Kenneth, I'm going to go into a lot of detail about that in the first part of the next hour. It is for any purchase from SolidWP other than Solid Central monthly, and it also does not apply if you're adding licenses, Patchstack licenses, as a legacy iThemes customer. But anything else, the Solid Suite, any of the products, the 40% off is good if you are a new customer.

Let's see.

Manu has a question here. Manu says, my email has been pawned, so I changed my password. Is this good enough? And when does their database update, so you can see if the pwned email is updated?

Oh, pwned, yep, yep, is what's going on there with that spelling. So the service that we use is Have I Been Pwned, and that relies upon a Troy... Okay, now there are two choices, who are both Australian. One of them is a WordPress person, and the other one is a security person. I think Troy Dean is the person who runs Have I Been Pwned, and Troy Hunt's the person who runs the other, or the other way around. There are two Australian people both in this space; it's very confusing. Troy Hunt kind of collects data and is responsible for ingesting things into Have I Been Pwned. So it isn't really specific to your email address, but more about the password. There's also a Have I Been Pwned service where you can just enter in your email.
And it'll, like, show you, hey, here are all the places where we find your credentials in a database breach, which is awesome. But what we specifically use in Solid Security is their password feature. So it checks whether a password specifically has been entered into that database.

Yeah, very good. So Manu, if you update your password, it's not going to remove it from that Have I Been Pwned database, right? That's basically letting you know that your email address has shown up in a breach, and that's always going to be there.

Tina: how does two-factor work if your sites are on Solid Central?

I don't know what this is driving at yet. I think the question is, if I'm accessing my site through Solid Central, is there a way to turn on two-factor? Is two-factor needed in that case?

Okay, so the two-factor in Solid Central, what?

Yeah, what she was asking, basically. Um, so when you authenticate for the first time with Central against your WordPress site that has Solid Security installed, you actually go through a specific onboarding process that shows you, hey, you're gonna connect with Solid Central, and it will give you a big purple button to click on, and you'll get connected.

Then, for further API requests that Solid Central makes over to your site, it's not going through the login form, so it never runs into two-factor. And there are some specific features in Solid Central that do help you with two-factor. So for instance, you can bypass two-factor by clicking a button in Solid Central. And if you use Central's feature to automatically log you into your WordPress site, you don't need to enter in your two-factor code. But yeah, there shouldn't be any conflict there. You don't need to turn it off or anything like that. It'll just work. Good.

Question from Nate. Does Solid Security provide a recommended set of settings, like via an exported JSON file or something?
How do you figure out what the best recommended settings are?

Yeah, so we don't, specifically. The general thing is that we like our defaults, and then it is just up to you what more things you want to apply. So for instance, having two-factor is better than not having two-factor. Having, you know, more protections available, having more checkboxes checked, so to speak, is just oftentimes more secure. We try not to have any things where it's like, hey, if you missed this, this is a complete disaster. It's really up to you what kind of security features you want to have enabled. There are docs that talk through, like, global settings and things like that. But generally, in the plugin, we'll say, hey, these are the things that we recommend. The defaults are things that we recommend, and it's just up to you to say, hey, what more features do I want available? Do I want to have passkeys? Do I want to have two-factor? And we can't make that decision for you.

And what does the onboarding wizard factor into this?

Yeah. So when you go through onboarding, it'll ask you some things like, hey, do you want to use two-factor? And if so, it'll automatically configure it for you. If you want to use strong passwords, it'll automatically configure that for you. My recommendation model is basically, enable everything. There's nothing that we have put in the plugin that we're like, hey, this is something that we don't recommend you using.

The stuff that is, you know, more legacy is kind of, like, hidden away. Hide Backend, it's under the advanced section. I don't recommend it. It's there because people love it.

But yes, my recommendation is to enable trusted devices, enable two-factor, enable passwordless login, enable passkeys, enable virtual patching, and enable, enable, enable, enable, enable.

I'm going to hand pick a couple more questions and we'll wrap this up and go to a break. Great question.
From Joan.

Does Solid Security Pro come with Patchstack by default? Yes. So if you are a new customer and you go on over to SolidWP and you make a purchase, you are going to have Patchstack. What you're going to want to do is, after you install the plugin, you want to license it, and that licensing process will automatically set up Patchstack for you. So yeah, all new plans come with Patchstack. And if you are an iThemes customer, you can add Patchstack, but yes, all new plans come with Patchstack automatically. You don't need to do anything else besides just licensing the plugin. Awesome.

And last but not least, Tina: does your page speed suffer with all the blocked IPs that have accumulated over the years?

Um, so not really. Um, we do specific queries to get a list of banned IPs.

There is also a setting for .htaccess where IPs that are banned get put into the .htaccess file, and if you go into the settings, there's a limit, which defaults to 100, of how many of those IPs actually get added into your .htaccess file. So if you had, you know, 10 million, it could be an issue.

But even on my site, that is many years old at this point and gets quite a lot of traffic, I don't have anywhere near that many banned IPs. So I haven't seen banned IPs specifically become a page speed issue. I just haven't seen someone get that high, where we're making such a large query that it would be pretty ineffectual. And it's pretty quick to compare IP addresses and just do a search for saying this IP address is here or it's not there. If you do have millions, I'd be curious to know more about your site, and then maybe it would make sense to remove some. But yeah, I have not seen that to be the case in any other sites I've come across.

Very good. All right, excellent session. Timothy, thanks so much for your wisdom, as usual. You always have excellent answers. Folks, thank you for hanging with us the last hour. We're going to take about a six-minute break here.
We're going to come back, and I'll be talking about how to talk to your clients about security, taking plenty of time for questions if you have specific things you'd like to talk about in regard to how in the world do we make our clients understand these things. So that's what's coming up in our next hour. We're going to pause the recording and go dark for the next six minutes, and we're back at 2:05 Central time. We'll see you back then.

All right, we're back for the final hour of Disaster Week 2024. Hopefully this has been a great time for all of you who've been part of the whole thing. We will again have the replays up in about an hour, as soon as we wrap up here, and I'm dropping once again in the chat the session slides for today. You can download Timothy's slide deck as well as mine, which is now available there.

All right, so across the break, we had several questions about upgrades, and I just want to address those briefly before we get into our actual content here. So first of all, we do have this deal that's going on. DISASTERWEEK40 is the coupon code for 40% off of SolidWP products. Now, this is for new purchases only, so you can't extend or add a new subscription to an existing account. It's also not available if you want to purchase Solid Central monthly plans, or if you're a legacy iThemes customer and you want to add on Patchstack licenses; it does not apply to individual Patchstack licenses. So those are the caveats on that deal, but it's a great deal if you've not yet become part of the SolidWP family. 40% off is an excellent deal to take advantage of.

Now, several questions that came in about updates. Patchstack is included if you buy the Solid Suite, or if you purchase Solid Security Pro individually, Patchstack is bundled. If you're a legacy iThemes customer, Patchstack is an add-on for the legacy iThemes Security product that is now Solid Security.
So there is a livestream we did that walks through how do I add Patchstack licenses if I'm a legacy iThemes customer, and that link I have dropped in the chat, and I will just invite you to walk through that. It takes you through the whole process.

Matthew: why is it an add-on? Because, well, I mean, to be frank, it costs SolidWP money for every site that licenses Patchstack. And so the cost involved in that was not factored into, you know, the price that a lot of folks paid for iThemes Security. It's an extra feature that was added with the Solid move, when Solid rebranded from iThemes. And so there wasn't a way to include that in older legacy plans. I don't think it's mean; I think it's just an additional feature that could not be included, you know, if you want SolidWP to be around for a while. So, you know, I think it's a pretty reasonable upgrade, particularly with the pricing per site, which is very reasonable and can be easily passed on to a client. That's actually what that livestream was about, the link that I gave you in the chat.

All right, so let's talk just a little bit now about how do we talk to clients. And actually, before I go there, let me just mention one more thing. I know there's a lot of you who are maybe new to Solid Academy, and we're grateful that you're here, and hopefully this livestream has been helpful to you over the last couple of days. Here on Solid Academy, we actually do two or three livestreams every week on all sorts of WordPress topics. You can access all the upcoming training here at academy.solidwp.com.

You can search for upcoming livestreams and see everything that's available. Also, there's a handy calendar view here that shows you all the things that are happening and allows you to register right here.
So Tuesday, Wednesday, and Thursday of most weeks we have a livestream about WordPress things, and we invite you to come be part of it. You can become a member of Solid Academy by purchasing the Solid Suite. That's the only way you can become a Solid Academy member now. And if you are a member, not only do you get access to all the free training and replays, you also get access to a weekly office hours with me, where we answer all sorts of WordPress questions, whether it's technical questions or business-related questions. We always have a lot of fun there. It's a good community of folks that gathers every Thursday. We also do one premium course every month, and I've just lost my window, but our premium course for this month is a WordPress accessibility crash course with Amber Hinds from Equalize Digital. Next month's premium course is the Cloudflare course, which I'll be teaching. So we always have a two-day, four-hour course every month. That's very helpful.

I'm hearing reports in the chat that the coupon isn't valid. I'll look into that after we wrap up with our marketing team. Or David, if you're still on the stream, maybe you could ping somebody. See if anybody from the iThemes team is on. Sara: DISASTERWEEK40. Okay, it's possible I typoed that.

So the coupon code, Sara is from the iThemes team, the SolidWP team. The coupon code is DISASTERWEEK40. So I apologize about that. That was likely my fault.

All right. So for those of you again new to Solid Academy, just a little bit about me. I've been working with clients on the web since 1995. I started with WordPress in 2008, all WordPress since 2010. For the last 10 years, I've been a growth coach for micro agency owners, people who are doing WordPress things for clients. I've had hundreds and hundreds of coaching conversations over those years.
And a lot of those are around this topic that we're talking about in this last hour, which is building recurring revenue, talking to clients about security to grow our businesses. I'm also the creator of Monster Contracts, which is a proven contract for WordPress client work.

So let's start out with the foundational idea here, which is: recurring revenue is critical to our business. It is the foundation of a successful agency. It's virtually impossible for us to survive in the long term without some sort of recurring revenue. And if you're doing WordPress things, the natural place to start is with a WordPress care plan. It's a WordPress care plan, and all the products that are associated with that, that actually brought me to iThemes many years ago as a customer, long before I started doing any sort of livestreaming on our educational side here. So a WordPress care plan is absolutely the place to start to build recurring revenue. It's what all the products that SolidWP offers are built around: helping us do care plans better. So you've built a client relationship; to maximize that relationship for the long term, we want to build in recurring revenue with some sort of care plan.

Now, the challenge with a care plan is explaining to clients why they even need one, right? So we understand it, but getting a client, particularly a non-technical client, to understand the value of a WordPress care plan can be a challenge sometimes. So what I'm gonna do in the next several minutes is just basically give you how I explain things to clients, and some of the common mistakes that I see happen, and hopefully give you some language that maybe you can use as you're trying to explain care plans to clients, and how to do that.

So a couple of things I want to start off with are two very common mistakes that I see people in our position make when we are explaining care plans to clients.
The first is presenting care plans as an option.

So I would encourage you to consider care plans not an option, but a necessity. So a care plan is not like an extended warranty that car dealers try to sell you just in case something goes wrong. Instead, a better analogy is that a care plan is like regularly scheduled maintenance that helps to keep your vehicle healthy for the long term. Matter of fact, in my agency, we don't take any website build projects that don't include a care plan. It's just part of our pricing. And I'll even tell clients, if they have a budget challenge, it's really better to spend less on building the website in a phase one, you know, spend less so you can afford a care plan within your budget. Care plans are that important.

So the second mistake that I see people in our position make as we're explaining care plans to clients is waiting until launch to add a care plan. Surprising a client with a care plan at the very end, oh, by the way, you really need to purchase this additional monthly thing that's going to keep the site that you've just paid for healthy, that's a bad idea. It rarely works, and it can often cause the client to become very agitated: you didn't explain to me that a care plan was needed in all these conversations we've had. So what I've learned over the years is that the key to selling a WordPress care plan is education, and that education has to start in the first conversation. So we need to include care plan pricing in our proposal. That's my advice, as part of the total cost of the project. Now, something I moved to two years ago: in my proposal for years I used to have the care plan with a little checkbox, and you'd check the box if you wanted the care plan. Now it's just bundled in. There's a cost to build, there's a cost to manage, and one sign-here box that agrees to all of those things.
So if you're struggling to get clients to buy your care plan, maybe it's because you're waiting a little too long or not talking about it early enough in the process. I recommend that you start talking about the management of the website in the very first conversation you have with the client. When you're starting to talk about pricing in general, position the care plan as, you know, the cost to build and the cost to manage: "We're going to be here for the lifetime of the project to help you, you know, as things come up." It's just all part of the conversation from the very beginning. I think you'll be much more successful at selling care plans if you position it that way and don't offer it as an option in your proposal; make it part of the price.

So how do we educate clients? Education is key in selling care plans. Many clients don't understand why they need to have a care plan to begin with. And so one of the first things that I would recommend is that as you're talking tech with clients about anything, focus on benefits, not features. Save the technical talk for people that, you know, love the technical stuff. Most clients that you're going to work with are, you know, busy professionals or business people, and they're not as interested in technical things as we are. I, generally speaking, don't talk about gigabytes. As much as we love Patchstack, I don't talk about Patchstack with clients. As much as I love Solid Security Pro, that never comes up in a client conversation. As technical people, we love those details about our care plans. We love to talk with each other about those things. But in most cases, features don't sell. The small little things like Patchstack and Solid Security, those are things that are internal for us. Clients generally aren't as concerned about those things. What they're concerned about are the benefits: "If I go with this care plan, what does that mean for me?"
"I'm busy doing my business and doing my thing. I don't care about all these little technical details. How does your care plan benefit me?" And the primary benefit of a care plan is simply peace of mind for the client. I cannot tell you how important this is. It's very easy for us who love technology to get into a conversation with a client and talk them to death. It's just not a good idea. It's much better just to explain to the client the benefit: "The reason we do this is so you can go about your business and not have to worry about the health and management of your website." That is absolutely the reason, and the way to most effectively sell a care plan. And part of this is just learning to determine what is the most important thing to a client. We're going to see this pop up several times during the next few minutes in my talk, but you may have a client who, for whatever reason, is all about backups. Now, backups are important. We know that, and I will mention that as part of our care plan explanation, but goodness, they don't need to know where we store backups, how often we run them, or how long we keep an archive. Most clients don't care about that level of detail. They just want to make sure the site is backed up. But I've had conversations with clients who've been burned by backups, and a lot of times they have very granular questions. So when those things happen, absolutely engage with the client on those sorts of technical details, but in general, stick with peace of mind, and that's really what the client is after.

The next thing to consider, just another guiding principle in educating clients, is to position security as a partnership. So keeping a website secure, as you've heard throughout all of Disaster Week: there's a lot we can do on the website to keep a website secure, but the weakest link in the chain is typically the user, right? So we explain that security is a partnership between us and our client.
We can secure their website, but the client has to do their part too, and by the way, your contract needs to reflect this and explain what the client's responsibilities in web security are. And those can be conversations as well as you're onboarding the client into your management service: the kinds of things they ought to be paying attention to, the things that we've talked about throughout the course of Disaster Week. I'm going to give you a few ways to talk about those things later on in the talk today.

Another guiding principle is this question that clients always seem to have: "Yeah, but why would a hacker even go after my site to begin with?" This is something that most clients don't understand. "I'm just a small business," or "we're just a little nonprofit," or, you know, "why would they even care about me?" And my encouragement to you would be to find a hacker analogy that connects with this particular client. See, it's not personal. Hackers don't care if you're a small nonprofit, if you're a mom-and-pop shop someplace, whatever. They don't care about you personally. Usually, they just want to use your website for gain. And there are some reasons for this. So try to find an analogy that connects with your kinds of clients. The story I always tell when I'm talking about this, or if a client has a question about why hackers would hack them, is a story about something that happened several years ago in our neighborhood. Now, we live in a very safe neighborhood. But several years ago, we had a string of car break-ins, and it turned out, you know, people's cars weren't being damaged, but things were being stolen out of them.
And it turns out that there were a bunch of teenagers walking around the neighborhood late at night, walking from driveway to driveway trying the door handles of cars that were parked, and if a car was left unlocked, they'd go through the car and steal the contents out of the glove compartment, or purses, or anything that was left in there. They'd take those, and that's what they would do. And that's very, very similar to what hackers do. They're just checking the doors and windows of your website to see if anything is going to let them in, to give them easy access. But a hacker doesn't just try one door at a time. They've got software that scans the web looking for thousands and millions of open doors and windows. It'd be like the hacker pressing one button and checking all the doors and windows of all the houses and all the cars in my whole neighborhood. And that's what they do. Again, it's not personal. They want to use your website for their gain. Now, what do they possibly have to gain from my little website as a little nonprofit or a little mom-and-pop shop? Well, they want your server resources. All the spam messages that you and I get, those are generated a lot of times by compromised servers. Oftentimes a hacker will go in and add some code to use the server resources to help generate cryptocurrency. It's not about you. It's about what they can use your server resources for. Sometimes they'll do content injection, where they'll inject ads for products that you probably don't want on your website, or they might redirect your website to other websites. And they do that very cleverly. So again, it's not personal; they're just trying to use your website for their own gain. They'll also inject malware that can be used to further infect the visitors to your website. So all these are reasons. They don't care who you are. They just find an easy target that they can leverage to use for their own purposes.
So find an easy analogy that connects with your customers. For me, the car break-in one always works well. And then explain that it's not personal. They're not after you. They're after your server resources.

So how do we then go about presenting a care plan to a client? I always use this. This lingo actually came up accidentally one day as I was meeting with a client in a coffee shop, face to face, back when we used to meet face to face with our clients. Goodness, it's been a while since I've done that. But I actually took a napkin and I drew out this box with a big WordPress W in the middle, and I called it the four walls of protection. And here's what's included. I still use this explanation today. It's an acronym: HUBS, H-U-B-S. These are the four primary things that our care plan does. We provide hosting, we provide software updates, we provide backups, and we provide security. And those are the four walls of protection that keep our WordPress sites safe. And this is what we offer as part of our care plan. Now, as you're presenting this concept to your client, there are a few things to keep in mind. I'm going to go into each one of these and kind of how I talk about them. The first, as throughout this whole process: pay attention to your client. If you're like me, it's really easy to geek out and go down a tech rabbit hole the client doesn't care anything about. So I'm really careful, as I'm talking about anything technical with the client, to watch for eyes glazing over. You know, you're talking and you're really excited about what you're talking about, and you realize the client has checked out. They don't care about any of this. So you have to pay attention to your client and just ask yourself, what are the parts of this conversation the client is really interested in? You want to give just enough detail to satisfy their interest without going into in-depth technical details. Right?
Remember, the big picture of all of this is you're selling peace of mind. And if you think I'm oversimplifying that, I promise you I'm not. I've been selling WordPress care plans since about 2010. So, you know, 14 years I've been selling this, and doing a pretty good job of it.

It's about peace of mind, folks. This is ultimately what clients buy. That's why they want a care plan. They just want to know that you are going to be there to take care of the website if something goes wrong. Some clients may have particular technical concerns to ask about. Awesome, let's get into it. But in general, they just want to know that you are someone they can trust. Buying a care plan is a trust-based decision that the client makes. So again, throughout this, try to create analogies that the client can understand.

You know, technical things can be a little hard for some folks to grasp. Nothing wrong with that, but just try to make them practical with some analogies. I'm going to give you a few throughout this.

So when we get into the first wall of protection, which is hosting: for us in my agency, hosting is included as part of our care plans. We do not manage sites that we don't host, so if you want to bring your own hosting, that's not an option for us. Now, you as an agency owner can make that decision. I strongly encourage my coaching clients especially not to do this; don't have websites on lots of different platforms, with hosting that's all different, where some have different requirements and the control panels are different. It's a killer for efficiency in your process. It's much better to have all the sites you host on a server that you control. Now, that's the benefit from my side. From my client's side:
The benefit is what I tell clients, literally: "As we build your site and manage it, I want to be able to look you in the eye as a business owner and say, we're going to take full responsibility for managing your website, so that you only have one person to call if there's ever a problem about anything. What we don't want to do is get into a blame game between your hosting company and what we're doing, where they might blame us, we'll blame them, and you get caught in the middle. We want you to be certain that no matter what, you have one person to call, one business to call, one neck to strangle if there's a problem, and we're going to take full responsibility. We can do that because we control the whole situation from end to end, from hosting to site. We deal with all of it. We have a private server that's optimized for WordPress and our process that allows us to build the site efficiently for you and to manage it successfully for the long term." Now, that's the way I position hosting, and in general, I don't have to do anything more than that. Our clients in general, and honestly most clients, well, good clients especially, are not going to push back too much on you on hosting if you have your solution, because again, they want someone they can trust who's going to be there for the long term. And if you bring hosting to the conversation, and you have a solution for that, it's much better for the client because they don't have to worry about it anymore.

Now, occasionally a client might bring up, "Well, what about, you know, I get hosting on fill-in-the-blank name of the host for $5 a month or $8 a month?" I don't get that much anymore, but I used to a long time ago. And the way I would explain that situation is: look, sure, there is $5 hosting out there. You can also go on Facebook Marketplace and buy a car for $500. I wouldn't recommend either if you're serious about your business.
You know, you can buy a car for $500 on Facebook Marketplace. I wouldn't put my family in it. Just like you can go and get hosting for $5 a month, I would not put my business website in it. So it's not just, you know, there are huge differences between the level of hosting that we offer on our server and what you're going to get on cheap shared hosting. Shared hosting is like an apartment building. Here's an analogy. It's an apartment building where you can't control who your neighbors are. So you don't know the people next door to you on that server. And there are thousands of sites on a shared hosting platform, all sharing the same IP address. So you are at risk of misbehavior by your neighbors, over which you have no control. Or you might find that your speed goes down because of what other sites on the server are doing; your system resources are unpredictable because of what other sites on the server are doing. You may find that one of the sites on that server gets compromised and they're hacked, and that server is sending out millions of spam messages every day. Well, guess what happens? That server IP gets blacklisted on some banned list, on a spam list. And now you have problems with your deliverability because you're wrapped up on the same IP address. Hacks on other sites affect you. So it's much better, if you have a premium website and you're paying for a professional to build your website, to get professional hosting to go along with it. Don't put yourself in a situation where you're in an apartment building with neighbors who you can't control, and that's going to affect your business.

As we turn the page to software updates as a feature of our care plan, we're talking about WordPress core, theme, and plugin updates. Now, I call these "software updates" when I'm talking to the client, to avoid any confusion with content updates. I found this is really important to do; that phrase "software updates" makes sense.
It's something a lot of folks can relate to, because we do software updates on our computers. And I found actually, when I start talking about "updates," the client's thinking about, you know, adding text, adding things to their website, which we do; that's just another conversation. So I always talk about updates using the phrase "software updates." And I explain to the client, we have a scheduled process that we do every week. It's reliable for doing software updates across all the sites we manage, so your site is going to stay secure and healthy. Now, when it comes to software updates, sometimes non-technical clients don't understand why this is important. "Why would you have to do that anyway? Can't you just build a website and there it is, and it's good?" Unfortunately, no, that's not the way websites work anymore. A good analogy is the software updates on your computer. Can you just buy a computer and you're good? Well, you could. But the software on your computer has to be regularly updated because of vulnerabilities that are found. If you're not updating your web browser to the latest version, or at least have those auto-updates turned on (super important), you're going to find yourself with a security vulnerability on your website. So people, even non-technical clients, tend to understand the software update analogy. And I'll often ask, okay, so be honest: how often do you ignore the software updates on your computer? Delay, "remind me tomorrow," or "do it next week"? You know, just get rid of the thing because I'm trying to do something right now. You can't ignore it when it comes to web updates. If you ignore those software patches on your website, your site could be compromised. So, you know what would happen if your computer gets infected: you might get malware, you might get some other things. But if your website gets infected, your business is at risk. It's a big, big deal. Now, there's also the approach for semi-technical clients.
Maybe some of your clients have done WordPress before. And they're familiar even with going in and hitting "update" and watching all the things update. And they think it's just as simple as clicking a button. And that is sometimes true. Sometimes running WordPress updates is as simple as clicking a button. But what happens when something goes wrong? And how do you know if that might happen? So if I have a client that pushes back, "I run my own WordPress updates," the question I would ask is: how sure are you that you're going to do this regularly? Because it needs to happen at least weekly, just like Timothy said in the last hour. How sure are you that you will do this every single week without fail?

When you've got a business to run? "Oh, well, my secretary will do it." Oh, adding that job on to someone who already has a bunch of things to do; you know, how sure are you this is going to happen regularly? Most clients that I've talked to are not sure, so they begin to think about this. Also, do you investigate major plugin updates before you run an update? Good grief, before we update WooCommerce on any sites, or any big plugins like that, we're looking at the developer blog, making sure that there's nothing here that might impact what's going on on that site already. You need to investigate major plugin updates before you run them. That's my opinion.

So a lot of times it is as simple as just clicking a button, if you know what you're doing and what's being updated, and if it's on a regular basis. And so what I tell clients like this is: listen, for a small monthly fee, we're going to take care of all this for you: hosting, updates, backups, security. You don't have to worry about it at all, and you can just do your business. You don't have to think about the website; you can offload that whole piece of your business for a really small monthly cost. That is a strong sales pitch to a good client.

All right, the next part of HUBS is the backups.
So in general, there are very few people these days that I've come across that don't understand the importance of backups. We get that backing up things is good; we want to have a backup of our website. So there are two key reasons that I tell our clients that we have redundant backups. The first is human error. If you, Mr. and Mrs. Client, are logging in, you're making updates and you break something, you don't have to worry; we have a backup from at least 24 hours ago that we can roll back to and fix anything that was broken. We also have redundant backups in the case of disaster recovery. So if your site might get hacked, and they get through all of our layers of defenses, we can roll back a backup and patch the things that need to be patched. Or, you know, let's say something happens and there's a broken update; we can roll back and get the site back up very, very quickly. So we do these redundant backups to keep the site secure, just in case anything might happen. Now, hopefully you do have a backup strategy, a consistent backup strategy that you use for all the sites that you're managing in your care plans. And if the client's interested, this is a good time to explain what that backup strategy is. So we have a multi-tiered backup strategy, where a hosting-level backup is our first line of defense, and we run a daily full-site backup that's stored off-site with a six-month archive. That gives some clients peace of mind, and they want to know about that. But again, you have to kind of figure out how important this is to the client and how many details they need, and give them what they need to be satisfied.

All right, let's talk about security. We've been talking about security, but now security as a service. I explain that we have a multi-level strategy to keep your website secure. So security is critical when it comes to your website.
And that used to be a hard sell. These days, with all the website hacks and compromises that are in the news regularly, in mainstream news, people are more and more understanding, and much less of an explanation is required. I'm noticing this these days with my clients, compared to years past. But we have this multi-layered strategy that we use to keep our sites secure. We provide a free, industry-standard SSL certificate as long as we manage your site. You might think that's a no-brainer, but it is amazing to me how many clients that come to us are still paying annually for a security certificate. It blows me away. The industry-standard SSL has been free for years. And we provide that, of course, so sometimes we can save our clients money. So here's what I mean by layers of security, if a client wants to know more about this. Again, for many clients: "We have a full strategy to keep your site secure, so you don't have to worry about it." And a lot of times that's all they need to know. If they want to know more, here's what I'll explain. We start with architecture. So I'm going to start at the core of the security and work my way out through all the layers. So the first is architecture. We're only going to use reliable themes and plugins to build your website. So many, many of the vulnerabilities that are associated with WordPress, and a lot of people say, "Well, WordPress isn't secure." And like Timothy said in the last hour, WordPress is very secure in the core. It's these plugins or themes that are added, that are from maybe questionable sources, or developers that may not be as on top of things as others are. That's where a lot of the vulnerabilities come from. So we only choose the best themes and plugins to build your site. Then at launch, we go through a 40-point lockdown process, or fill-in-the-blank-number lockdown process, that we use to launch your website.
"Well, Nathan, what is your 40-point lockdown process?" Okay, go through and count the number of settings that you make in Solid Security.

And if there are 40 of them, that's your 40-point lockdown process, as you're launching the website, plus any other changes that you make. It's a really good line to use with clients, and it's 100% true. I don't feel like this is shady at all. There are 43 points that we go through to lock down your website using the security plugin.

So the client knows this is a detailed process. There are a lot of things that are being considered in this situation. Also, now that the site's locked down, now we move out to the next layer: user security. So built into the security that we have for your website, we offer two-factor authentication, passkeys, compromised-password protection, all the things that Timothy talked about in the last hour. We've got the way it's built, the way it's locked down, user security. Now, on our server itself, our server, which is ours, the private server, it has security protocols and intrusion detection in place. What is intrusion detection? We watch your website; our friend Tom right there is watching the website and seeing what's going on, anything, you know, that's malicious or has malicious intent. So our intrusion detection system is in place, and even above our server there's another layer of network protection, which we use Cloudflare for; we have network-level filtering that blocks many of the bad guys before they can even get to the server in the first place. So starting with the core and working all the way out, we've got these layers of security, with that wonderful analogy that Thomas gave us yesterday of stacks of Swiss cheese: it's going to be very difficult for any one hole to make it all the way to the bottom to let an attacker into our network. I just love that analogy.

All right. So this is what we do. These are our things, and what we do to keep your website safe.
Now, there are also some responsibilities that you as a client are going to have in keeping your website safe, because like I mentioned, security is a partnership. We will keep the website secure, but you have the responsibility of keeping your computers and logins secure, any computer that logs into the website. So a great analogy here is that we can put the best security system in the world in your office building, but if you leave the front door unlocked, it's not going to help very much. So just like in Timothy's presentation in the last hour, there's still a large percentage of attacks that are coming right in through the front door because of user security. And so, yeah, that's the part that the client really needs to take a look at. So security is a partnership: we do our part, you do your part, everything stays secure. So, by the way, again, very, very important: your contract should explain the client's responsibilities in security, so they sign that as part of their agreement to work with you, and then maybe you have some training or a little video or, you know, a little guide that you give to them on launch that explains those things. So what do the client's responsibilities entail? What does it include? Well, the first, as we've talked about a lot through Disaster Week: good password practices are critical. So what I tell my clients is, you're going to log into the website as an editor who has the ability to edit pages. You must use a strong password, as shown by the WordPress password indicator, for any account that edits the website. This password can only be used on the website and nowhere else, and we recommend using a password manager, and we'll give them our recommendation. We as an agency use the Keeper password manager. We love it. I think it's awesome. That's the one we settled on after the LastPass fiasco a year and a half ago.
We love Keeper. We're an affiliate for Keeper, and if a client buys, you know, we have an affiliate link we give the client, and then we can share passwords easier and so forth. So I see there are a lot of great questions in the chat. If you'll put those in the Zoom Q&A, we'll get to those at the end.

So good password practices: use a password manager, a complex, unique password that's only used on that website. Also use multi-factor login and trusted devices. So explaining two-factor authentication and passkeys: passkeys have gotten a lot easier to use now than they used to be. Trusted devices: we've talked about that at length in Disaster Week; we've shared with you the links in the chat where Timothy walked through that whole flow of setting up a trusted device, and what it looks like if a non-trusted device has intercepted your session cookie.

That was a really excellent webinar. So go back and rewatch that if you haven't already. And again, Solid Security Pro makes all of this easy, so the client has to practice good password hygiene. They also need to keep their individual computers protected. So as part of our agreement in our contract, any computer that logs into the website must be protected by maintaining updated security software. So you have to have malware protection that's updated on a regular basis, and only use the latest browser versions. Make sure your browser has auto-update turned on; most browsers do these days. But also your operating system and other apps on your computer all have to be up to date, because all those can be used to inject malware, which can steal your passwords or session cookie. So practice good hygiene. Keep your computer safe.
Those are the two primary areas of client responsibility in website security.

All right, one last thing I want to cover today, because it's always a question and I just think this is a helpful thing.

How do I price my care plan? So if I use all the products that SolidWP offers, and by the way, I hope you caught on to this: all the areas of the HUBS strategy, the four walls of protection, other than hosting, the products from Solid give you all that you need to offer a great care plan. So doing updates using Solid Central, putting all your websites in a dashboard so you can see an overview of what sites need updates and execute your updates there; backups using Solid Backups; security using Solid Security. All of our products are created to help you have a good, reliable WordPress management system. So what can you do now to charge, what should you be charging for your plans for your clients? So the one kind of rule of thumb that I give here is that the price that you can charge for your care plan is often based on the price that you're charging for the site. So here are some general guidelines. And by the way, what I mean by that is, if you're building really inexpensive websites, it's going to be very unlikely you can sell a very expensive care plan, because your customers aren't at that level. So your care plan price often depends on website build price. So this is just a basic guideline. Okay, if your typical website price is under $2,000, then you could probably have a typical care plan starting at about $50 a month, roughly.

If your website price is $2,000 to $3,500, you might be able to charge around $75 a month. If you're $3,500 to $5,000, maybe $100 a month; above $5,000, maybe $150. But again, these are just guidelines and thoughts. We did a poll on this in a recent premium webinar with our members. This was about where everybody landed on what they were charging: between $100 and $150 a month for most sites that fell within this price range.
And so again, this is not a rule that says you have to do it this way. But if you're wondering, "Am I charging too little? Am I not charging enough?" this will give you at least some guidelines as to what other folks are charging. So hopefully that's helpful. Now we have plenty of time for questions. We've covered a lot. I've been talking a lot. Plenty of time for questions here, and I see that there's a bunch stacked up in the Q&A. If you've asked a question in the chat, if you would, please just drop that in the Q&A. It'll be a lot easier for me to just scroll down and take those one by one. In the meantime, I will reflect back to the discount code. This should actually be Disaster Week 40 there, and that gives you 40% off of all SolidWP products if you're a new customer. It is not available for renewals or to extend an existing subscription. It also doesn't work on Solid Central monthly plans. It does, however, work on the Solid Suite, which includes Solid Central. It does not work on Patchstack add-ons if you're a legacy iThemes customer; those are done site by site. All right, so Disaster Week 40 gets you 40% off of all of our things. Okay, with that, let me turn my attention to questions. And if you folks will also open up the Q&A and upvote the questions that you would like to see answered, we'll spend the next 10-15 minutes talking through some of these.

All right, first question, from Dave: does the care plan pricing that I suggested include hosting? So yes, I include hosting in the care plan and in that pricing. And so what I typically recommend for folks depends on, you know, how technical you are, how comfortable you are with dealing with server-related things. If you're not technical, then go towards a managed WordPress hosting situation like Nexcess; you can buy a bundle of sites and put your clients into those.
If you are more technical and you're okay with you know, a few server technical things, then get a VPS from a good reliable web host that has excellent support like liquidweb and you can stack your clients on a VPS there's usually more profit margin on a VPS than there isn't managed hosting. But I roll all that into one price and the client pays one price. Yeah, so hopefully that that answers your question there.\r\n\r\nAll right, next up is sue an upgrade question. I bought a single solid IP license in addition to my toolkit while I decide if I want to keep the toolkit or buy another solid license on sale, does it add to my account? No. So So you would be an existing customer in that scenario?\r\n\r\nYeah.\r\n\r\nSo it does not work to extend or add to existing customer licenses that is tied to your email address.\r\n\r\nAh, question from an anonymous attendee, instead of me educating about the care plan, can you just create a video that talks to all your clients that are onboarding? Absolutely, absolutely. So you know, well, okay, let me back up.\r\n\r\nThe talking first of all, talking about care plan should be part of the sales process. Okay. So as I'm talking to the client, in that first conversation, which I call a discovery call in my world, where we're talking about the all the things that the website needs to do the functionality, you know, all the factors of this project. I also have a section of that conversation in which I talk about the ongoing management of the project. There's a question in my discovery form that asks the client\r\n\r\ndo you need I forget exactly how it's worded? It's basically do you need an A, how will the site be maintained going forward?\r\n\r\nIt's, it's more elegantly worded than that, but that's basically it and it's a it's a it's a jump off point to have this conversation about a care plan. So that education and talking about the need for care plan, I think best happens in a sales conversation, just the basics, right? 
And what you don't want to do is, at the very end of a project, just drop it into a proposal when you've never talked about it before. You want to let the client know that the way you approach website building and management is as a holistic process. There's a cost to build the site. There's a cost to manage the site. It starts around this amount for website management, and we include that in our proposals. That's what I would talk about in the context of a sales conversation. A lot of times what you'll find, though, is that it will help you sell a website when you talk about your lifetime approach to the website. Like, you're not just gonna build it and disappear. That's what many web developers do. I'm constantly surprised by this. They just want to build sites; they don't want to manage them. The long-term money in website work is the management. It's recurring revenue. That's what lets you stay in business for a long time. Anyway, I'm getting off down a tangent, but the education piece starts at the beginning, to introduce them to the idea of a care plan and why it's important. I think it makes a lot of sense to have a video right at site launch when you're onboarding them out of the development process and into management: this is what our care plan covers, these, again, are your responsibilities. Having a video or a little handout, a downloadable, with that is super helpful. Yeah.

All right. Next up is AJ. AJ, what hosting do you use in your agency? Is it an in-house solution or do you contract hosting companies? Great question, AJ. My goodness, I do not want to have a web server in my basement. Absolutely not.

There was a day in my life where I probably thought that would have been cool, but good grief. All of the intricacies that are involved in website hosting, there's just too much. It's too much to know and be doing web and know all about web and WordPress.

It's just too much to know.

So my suggestion is always have a hosting partner. You have your sites with this host, whether that's a single managed WordPress solution like Nexcess, or a host that's more traditional that has dedicated servers and VPS, like Liquid Web. We had a dedicated server at Liquid Web for years, and we did that because the support was awesome. So if there's ever a problem, you reach out, support takes care of it. And otherwise it just works really well. So you have to decide which situation is best. Nexcess is a Liquid Web company. SolidWP is a Liquid Web company. So I'm mentioning those. There are many good hosting options out there. But I would advise you to look at Liquid Web and Nexcess to start.

All right, next from an anonymous attendee: how much time is involved in the care plan? Small monthly fee, what is it? Okay, great question. So, anonymous, let me ask you, if you could, to clarify in the chat. What do you mean by how much time? Do you mean how much time does it take to manage a bunch of websites? Or are we billing the clients for time? If you can clarify that in the chat, I'll try to answer it.

So, I'm going to step up and put my coach's hat on here, okay. As a business coach for micro agencies, what I advise people to do, and it's what I've done for years in my agency, is you don't want to bill by the hour. Billing by the hour is no fun. You end up losing track of time; it takes forever to do. I, as an agency owner, want to be in QuickBooks as little as possible, right. And so a change that I made years ago, instead of having to just kind of track time on all these things and build little bitty invoices that I never seem to do, what I did was, when we raised our prices on care plans, I bundled in two fast tasks with every plan every month. So every client that is on a care plan has included in the care plan up to two fast tasks every month. They don't roll over; every month has up to two of them.
And a fast task is something that we define as something that we can read a ticket, do the thing, and reply to the ticket in about 15 minutes. So these are things like: hey, I'm attaching a blog post in Word, can you post this on my site? Hey, can you add this new staff member? Hey, can you update this wording or add a sale price to this product on my WooCommerce site? Small tasks. If a client needs more than that, then we'll increase their service level agreement to have more fast tasks. If a client asks for something that is, you know, like, build me a landing page, that wouldn't probably be a fast task. And so we would give them a flat price for that amount. So that would be more of a project instead of billing by the hour.

Matthew's asking about what a half a fast task, a not-so-fast task, is. So just try it. My advice as a coach is to make the billing part of your business as simple as possible. I cannot tell you... so over the years, in the last 10 years I've been coaching micro agency owners, hundreds and hundreds, you know, probably getting close to 2,000 conversations I've had over that time, maybe more. I haven't done the math. But in those conversations, when I talk to coaching clients about the frustrations they have in their business, it almost always comes back to billing and finances and keeping all that stuff, and they've created for themselves a billing environment that is hard to manage. So simplify that billing, the whole process of billing and the way you're tracking work, and life gets a lot simpler, I promise. Okay, next up is Jeffrey. Does your recommended price include hosting? Yes, so we answered that question a bit ago. Matthew, can you share the link where I can buy the Patchstack add-ons for legacy customers? I've been looking but I can't find it. Okay, so Matthew, I don't... Since I'm broadcasting right now, I can't go back and look for that.

It is like the link that I shared earlier that talks about...

Well, it's in the chat. I shared it earlier, and I marked it as "this talks about Patchstack upgrades." We went through that whole process. It's in the Solid licensing portion, I believe, and you just click and it takes you to the Solid cart, and you can add licenses one at a time. Like, you can buy three or one or 52 if you want, and then you'll have that bulk, that bundle of licenses, which you can then apply to an individual site.

So I'll go through that whole thing in that livestream. If you'll just go, you can kind of scoot through the livestream and you'll find it.

Thank you, Doug. It's under Security and Firewall. And again, if you have questions, just reach out to support and they'll walk you through all that.

An anonymous attendee is asking how hours and billable hours are related to starting prices. So I answered that a little bit a minute ago, and whoever you are, anonymous, if there's more texture to that question, then just drop it in the chat and I'll try to elaborate more.

All right, Jeffrey: what about training? Do you offer any sort of training in your package, or is that extra? That's a great question. So Jeffrey, we have a set of training videos that we have in every site that covers basic WordPress things. If the client needs additional training, that is billable. Now, a lot of times we'll cover this in the build project. So one of the questions we'll ask in defining the scope of work is: are you going to be getting in and editing the site, or is this something we're going to do? Do you need training on how to use WordPress? If they need that training, that's an itemized addition to the scope of work that's going to affect the cost of the project. There's a cost for training, right? An hourly cost. We'll usually record that training and make it available as a video link in the dashboard.
Sometimes what will happen is they'll have a new staff member come on board, and they didn't go to the training and they don't know how everything works. Well, they can either watch the video that we provided or they can schedule training, but that is going to be an additional cost that they have to pay extra for. So we don't include training in a care plan package. But it's something they can purchase extra if they want to do that; it's billable.

Doug: all of my clients were onboarded with a care plan some many years ago, all before Patchstack was available as an add-on. How would you approach existing clients who are on your care plan about paying more money? Great question, Doug. We should have a livestream about that. Oh wait, we did. That's that link I mentioned in the chat a little bit earlier. So that whole webinar that I talked about, that I gave that link to a little bit ago, scroll back, it's up there, about onboarding; it's all about creating additional recurring revenue with Patchstack. So I talked in that livestream about creating an extra level of security where you charge more. It's, you know, you could probably add $10-$20 a month, and the license costs you, I think, a couple of dollars a month per site. It's a big profit center. So I talk all about that in that process there. So I would just recommend, go back and rewatch that livestream. Jeffrey's asking, are those training videos available? No. But what I will tell you is the bundle that I use is called Video User Manuals, videousermanuals.com. There's an annual cost and it embeds right into WordPress. It's great, and it even has some premium plugins in it; they have videos for all the premium plugins we use. We have a lot of sites on Beaver Builder; they have videos for those. We use Gravity Forms; they have videos for that. They have videos for WooCommerce.

They have classic editor, block editor, all the things, and we just pay one fee for that every year. And those basic videos are in every site dashboard. It's excellent.

Matthew: you mentioned you do coaching for agencies; is there a community forum or Slack channel for designers or web hosters that you recommend, where we can chat with peers? Absolutely, Matthew. So my favorite group, well, aside from our Solid Academy Slack group, of course, which you can get access to if you're a member of Solid Academy, is the Facebook group called The Admin Bar. It's run by my friend Kyle Van Deusen. Awesome. The Admin Bar is great. I cannot recommend it enough: thousands of WordPress folks just like us doing agency stuff with clients. They're in there. It's a brain trust. It can often be a firehose of information. But also become a Solid Academy member. All you have to have is a Solid Suite license. It starts at $199 a year, 40% off your first year. You get to be a Solid Academy member, come into office hours every week. You can ask whatever questions you want about business, about technical things, become part of the community. There's a lot of fun folks that hang out every Thursday with me during office hours. And we have that Slack group for offline conversations as well. So check that out.

Last question, from Matthew: will this webinar be archived? Absolutely. I'm dropping the link for it again in the chat. The final link there is the replay link. It takes about an hour, maybe a little longer today because it's a two-hour video. Basically, as long as it takes for Zoom to render that video and push it up to Vimeo, we'll have the replay posted.

So Umberto, if you are a member, reach out to Solid support and they will give you the link to join the Slack group.

Matthew: so legacy license owners can be part of Solid Academy? So here's the history on that, Matthew.

When you say legacy members, I'm assuming you mean like you have an older iThemes Security license, like iThemes Security Gold or something like that.

So this training used to be called iThemes Training, and it was a product that sold by itself.

So it was, you know, something you could purchase individually, or it was included in our toolkit, I think Toolkit, which included a whole bunch of things. So if you only had a security license, then you wouldn't have had access to training, and you won't have access to the premium Academy. We do a lot of free Academy events also, though, that anybody has access to, but if you want access to the premium pieces of Academy, you can get that now through the Solid Suite. Any member of the Solid Suite has access to the Solid Academy. So, all right, a lot of stuff today.

Any final questions, drop them in the chat and I'll try to answer those and then we'll wrap things up otherwise.

Well, I do appreciate you hanging out with me and lasting through the last four hours of training. This has been fun. We do this at least every year in Disaster Week, where we take a lot of time and talk about WordPress security issues. We started off with a great State of WordPress Security from our friend Kathy Zant. A great WordPress experts panel: if you missed that panel yesterday, that was quite a discussion with a lot of insight, a lot of fun. It was some really smart people on WordPress security; go back and rewatch that, that replay is already up. And then today we had a great talk with Timothy, and then the stuff that I talked about as well. Hopefully it was useful. Well, that's gonna wrap it up for us for Disaster Week 2024. Again, the replay will be up later today. And if you're a member, hopefully I'll see you back here on Office Hours.
That's tomorrow starting at 1pm here on Solid Academy, where we go further together.

Day One

Session 1 - The State of WordPress Security: What Affects YOU!
March 19 from 1:00-2:00 pm Central Time
Kathy Zant will give a helpful overview of the issues impacting WordPress security in 2024, especially from the perspective of solopreneurs and agencies who manage WordPress websites for clients.

Session 2 - Security Expert Panel: Trends You Need to Know
March 19 from 2:00-3:00 pm Central Time
Nathan Ingram will lead a panel of WordPress Security experts: Kathy Zant, Thomas Raef, Timothy Jacobs, and David Johnson. The panel will cover security trends in detail with plenty of time for questions from attendees.

WordPress Disaster Week 2024

WordPress Disaster Week is a website security training event hosted by the team behind the Solid Security plugin. WordPress Disaster Week sessions are totally free and available to anyone online via the webinar format.

Disaster Week is great for anyone who owns or manages a WordPress website. The topics covered during WordPress Disaster Week will help you understand the basics of WordPress security, how hacks happen, and how to secure your site.

WordPress Disaster Week is also great if you build or manage websites for clients, as we’ll cover a session on how to talk to clients about WordPress security.

Register once to attend all sessions of WordPress Disaster Week. If you can’t attend live, we will send you the link to view replays of the full event!
