The world of WordPress security is always changing, so staying informed of the latest developments is critical. Thomas Raef and his team at WeWatchYourWebsite monitor the security of more than 13 million WordPress websites. With that much data at his fingertips, Thomas is in a unique position to explain the latest methods hackers are using to infect WordPress websites.

Event organizer: Thomas Raef
Zoom registration link: https://us06web.zoom.us/webinar/register/WN_5Uk2oScZR5yWML0mgIpnKw
Livestream chat log: https://drive.google.com/file/d/1pCyn_3dMxJdxzckBErwCf_F987P1YjEH/view?usp=sharing
Live transcript: https://otter.ai/u/xpDoUxPJ6pvtT2oNKVlEzW3DotE?utm_source=copy_url

Nathan Ingram 0:03
Yeah, so we're going to start off with a conversation, before we get into Thomas's slide deck, about these two updates and what's going on there. The transcript is firing up now. Welcome, everybody. Again, if you're just joining us in Zoom, open up the chat and say hello. I'm going to drop our link bundle in there again now. Transcripts should now be working for everybody as well. We'll get started here in just about two and a half minutes from now. Glad you're all here for the Security Roundup for the first quarter of 2024. Thomas Raef from We Watch Your Website is with us, ready to spill the beans on all the things that he and his team have found in all of the websites they manage. Hey, Kay from Sweden, welcome. Doris is concerned about getting people to log out. Yeah, exactly. Good ones. Yep, indeed, indeed. All right, folks, just a couple of minutes to go. If you're just joining us in Zoom, the link bundle is there in the chat; if you'd like to download today's slides and follow along, you can do that.
As always, we are recording this livestream, and it will be available for replay about an hour after we wrap up. That link is also in the chat.

Oh yes, to password managers and weak passwords, you've got to love it. All right, folks, just about a minute to go now before we get started with the Security Roundup for the first quarter. Thomas Raef from We Watch Your Website is with us. The check-in question is: what's on your mind when it comes to security? What's your biggest concern? What's your biggest fear? Let us hear from you in the chat, either about your websites or sites that you manage for clients. Yeah, well, Minor is saying, what's the easiest way to tell clients about logging out? I mean...

Thomas Raef 2:05
Log out or get hacked.

Nathan Ingram 2:08
Minor, you should create a GIF of yourself that says "log out, log out." That'd be great. Just about ready to go, just about 30 seconds to go. If you're just joining us in Zoom, I'm going to drop in the link bundle once again. If you want to follow along and grab today's slides, you can do that. The link for the replay is there as well, if you want to go back and rewatch or share this livestream with somebody; about an hour after we wrap up it'll be ready to go. We're just about ready to go here. Glad you're all with us. Another few seconds there for the check-in question: what's your biggest concern, what's on your mind when it comes to WordPress security? Let us hear from you there in the chat. We'll be getting going here right now. Actually, I'm going to start the recording and we will begin. Well, good afternoon, good evening, good morning, wherever you happen to be around the world. Welcome to another Solid Academy livestream. My name is Nathan Ingram. I am the host here at Solid Academy, joined once again by my friend Thomas Raef from We Watch Your Website. Hey, Thomas, how's it going in your world today?

Thomas Raef 3:15
So far, so good. Clear skies
today.

Nathan Ingram 3:17
Yeah, it's nice down here as well. We're actually going to have some weather rolling through, probably about the middle of this livestream, so hopefully it doesn't affect my connectivity. We'll see how that goes. But welcome, everybody. About once a quarter we have Thomas in to talk about all the things that he is seeing as he and his team manage many, many WordPress websites. Thomas, We Watch is currently managing, you said, over 13 million WordPress sites right now?

Thomas Raef 3:42
A little over 13.6 million. It's amazing.

Nathan Ingram 3:46
And so just that sheer volume of data gives you a great insight as to what's happening across the WordPress security landscape.

Thomas Raef 3:54
Yes, it does. The amount of data is overwhelming at times. But, you know, we've got it all automated now to a point where we run some queries on this huge data set and it starts giving you answers to questions you didn't even know you had. So...

Nathan Ingram 4:16
Yeah, it's really amazing. So once a quarter we have Thomas in to just talk about the highlights of what he's seeing in all this data, managing millions and millions of WordPress sites, just to see what the latest trends are and how these hackers are hacking. So that's going to be a lot of fun today. But before we begin, I asked Thomas if he would be open to having a quick conversation about the recent updates we've seen in WordPress Core. So you probably, like me, folks in the audience, you probably got lots of emails from Solid Security last week about this new core vulnerability that was recently patched. Thomas, can you talk about what that vulnerability was and what was going on there?

Thomas Raef 4:58
Yeah, it was the stored cross-site scripting. So this particular one, from the information that I was diving into, required like contributor or higher access.
So, you know, people are like, "Oh, well, a contributor, that's not, you know, it's not a user." So it's a writer, but it does have some pretty decent power to it. And so it was discovered and patched and pushed out to everybody quickly, because, being stored, it can affect your website pretty easily. You know, hackers can use it to infect your site and then elevate privileges so they get administrator, and then you've got a whole big mess on your hands.

Nathan Ingram 6:05
So the core security team identified this and created a patch, and I've actually never seen this happen before, but now the current version of WordPress is 6.5.2. They skipped, technically, 6.5.1, because there was a problem with the update package. And so they fixed that and shipped it as .2, which is interesting. Have you ever seen that before, Thomas?

Thomas Raef 6:35
No. I was trying to dig back through my history of WordPress, and I think at one point they jumped from like a .0 to like a .2. But I couldn't find the exact details on that, so I don't know exactly what version that was. But yeah, that was pretty interesting.

Nathan Ingram 7:00
Yeah, it really is. And I just dropped the link in if any of you would like to read the technical details of 6.5.2. The link is there in the chat that talks a little bit more about that vulnerability and how they patched it. So there is technically no 6.5.1; we're on 6.5.2. Also, at the same time, they rolled out a backwards patch. So if you were still on 6.4.3 and had not yet updated to 6.5, you now have a 6.4.4 that should have automatically updated. It's basically all the same security patches, right?

Thomas Raef 7:32
Yes, right. Yeah.
And if you go through the releases, you'll see pretty much, I don't even know how far back, but all the releases got an extra .1 added to the end.

Nathan Ingram 7:49
Yeah, I can't remember how far back they go for those either. But yeah, whichever versions they're keeping current, they roll that patch back to all of them, which is really good. And unless you have specifically said you don't want these minor updates, all that should update automatically on your WordPress install. And that's what we recommend. Is that what you would recommend also, Thomas?

Thomas Raef 8:10
Oh, definitely. Yeah. Because by the time it's announced, you know, we learned from the Bricks fiasco: by the time it's announced, the time until hackers reverse-engineer it and start attacking could be a few hours. And if you don't update all your sites in time, you're calling us.

Nathan Ingram 8:33
Yeah, exactly. So something else you and I were talking about in the pre-show, Thomas, was the latest email from Solid Security that came out today, where this week there were 200 vulnerabilities. 200 in a week. Now, I remember back, you know, it wasn't that long ago, it was maybe just a little over a year ago, there were 40 or 50 in a month, and this week there are 200 vulnerabilities. That's amazing.

Thomas Raef 9:04
Yeah, yeah. And as you and I talked, you know, I think a lot of that has to do with the bounties that organizations are paying now for vulnerability announcements. And there are people, you can check the YouTube videos, there are people whose main source of income is bounties.
And so they just hammer every plugin, every theme, every anything to do with WordPress, because it's so popular, and they just hammer away at it, and they find something, bam, they package it and ship it off for their bounty, and collect it, and move on. Keep looking.

Nathan Ingram 9:48
Yeah, and it's interesting how some folks will look at these vulnerability reports and see the numbers ticking up, and they're like, "Oh, WordPress is so insecure." And actually, it's really good news to see these vulnerabilities going up, because, just like Stacy said, the vulnerabilities have been there, we just didn't know about them. And now it's a legitimate occupation to be a self-employed bug killer. And there are security companies who pay contractors, developers, to find and report a bug and figure out the fix, and those sorts of things. And people can make money that way. So now that it's incentivized, people are jumping on that as a great source of income.

Thomas Raef 10:29
Yeah, they really are. And, you know, a lot of the bounty hunters are doing the same types of automation to find these that the hackers have been doing for years. You've got to love it. So, yeah, I mean, rather than the hackers copying the white hats, now it's the white hats copying the hackers, and they're outdoing them. So that plays heavily, I think, into the 200 vulnerabilities in a week. Yeah, I saw that number and I was like, nah, they must mean a quarter or a month or something.

Nathan Ingram 11:05
No, it was a week, this week. It's pretty crazy. So as we start to look towards your slides and what you've seen here in the first quarter, Thomas, I think it's important, since several folks have just joined us, that I just remind everybody what you do and how you can help them at We Watch Your Website. So you are managing 13.6-and-some-change million WordPress websites.
You're watching data, you're looking for security, or what are you watching? What are you watching for? Packet tips?

Thomas Raef 11:36
Yeah, we do a lot of things. So, excuse me. First of all, we watch the file system. So we'll see when any file in the WordPress folder structure has changed, whether it be added or modified. So like if somebody updates a plugin, that changes the files, and our system sees that. Now, initially, every time somebody updated a plugin, our system would download all the files for that plugin and scan them and then determine, "Oh, it was just an update." Now we've built in the logic so we know when things have been updated or whether it's a true hack. So we monitor the file system; they call that file integrity monitoring, FIM. You always have to have an acronym, you know, call it something. So going way back, in my old days, we had a term for three-letter acronyms: TLAs. Exactly. Anyway, so...

Nathan Ingram 12:56
So, and we'll get into more detail on this as we're wrapping up, and folks, we will have time for Q&A. But you do have a free plan where you will monitor websites for folks, as well as a paid plan that includes cleanup. And so folks, if you're not familiar with We Watch Your Website, I would strongly encourage you to go take a look at wewatchyourwebsite.com, and you can get more information there. And Thomas, you have a new website that's coming very, very soon. Yes. This is really great. And let me just give another quick bit of housekeeping before I disappear and you jump into your slides. Folks, if you have a question to ask, I will have time here at the end for Q&A. So please use the Zoom Q&A button. Just mouse over the shared screen, you'll see the menu items up here, like the Q&A icon, and have the Q&A window open there. You can ask your question at any time, and just keep that Q&A window open.
Because if somebody else asks a question that you would also like to hear the answer to, you can click the little thumbs-up icon there. And when we get to our time of Q&A, we'll take those questions in order of upvotes. So with that, Thomas, I'll disappear and let you get into your slides and see what you've discovered in the last quarter.

Thomas Raef 14:08
Sounds good. Okay, so first of all, the information I'm going to be sharing today ties into what Nathan and I were talking about with this new vulnerability that's been patched in WordPress Core, and that is that it requires an authenticated user. So in this case, it's a contributor level or higher that must be used. But you've got to keep in mind, a lot of people will discount it because, "Oh, you've got to be authenticated in order to abuse this vulnerability." But the problem is that hackers are so aggressive right now in stealing credentials. I know I've talked about this before here with Nathan. The info stealers are just going crazy, and they're finding ways to evade detection. It's really getting way out of control. But it gives them so much power, because a lot of people are still trying to hide the login URL for WordPress, thinking that, okay, you know, in my world they call that security by obscurity. But it is a layer of security. However, with the info stealers, there used to be password stealers, but now they're info stealers. So it's stealing the login URL, the username, and the password. And it just sends it straight to the hackers, and they are getting so many of these things collected from all their malware on local devices that they have to have special systems to dig through everything and intelligently sort it for them: okay, this is a WordPress login, this is a session cookie, this is a bank login.
This is a hotel login, you know, so it separates all these things so that they can decide what they want to do. Do they want to batch it all together and sell it, excuse me, or do they want to use it for their own financial gains? So they have decisions that they have to make. And a lot of times, with the session cookie, it only lasts for up to 48 hours, unless you click the "remember me," then it's two weeks. So they have a limited time there. But like the username, password, and login URL, that's something that they could easily package up, thousands of those, and sell them on the black market, you know, what they call the dark web. Never liked that term, but anyway, it is what it is. They can buy these info stealers, they can rent them, lease them, whatever, for like $50 a month, or they can buy certain higher-level ones for like $350. So there's a whole industry focused on stealing login credentials. And so this authenticated stored cross-site scripting that WordPress just patched does require a contributor or higher. But when you think about how much hackers are stealing, even contributor level, you know, they don't know when they steal it. They don't know if it's an admin, contributor, author, user, whatever; they just steal it and try it. And their system is automated enough to tell them, "Hey, this is such-and-such level." So, Nathan, I started talking about things that we collect and things that we monitor. One of the things that we monitor is your access logs. So we see a lot of information, and as I've stated before, we've got seven clusters of servers for gathering access logs, because that's the one function that gathers the most data. And each cluster can collect up to 20 million log entries per second.
Now, they're not always collecting that much all the time. So we've got it tuned so that some websites that are getting more traffic, we'll redirect them to one of our higher-powered servers, and so forth. But anyway, it provides a lot of data, a lot of facts about what's going on out there. And just a couple of things here. What we monitor is pretty much everything: we're watching the files, we're watching the access logs, we're watching the database, we're watching the processes. Now, this is on servers. So like if you're using GridPane, RunCloud, CyberPanel, some of those types of services where we can get in and set up our stuff on the server, we're gathering all this stuff. If you're on a cPanel account or something like that, unless it's a VPS, we don't have enough access on a shared hosting plan to install this stuff. But, you know, I put on here, with the popularity of servers being so prevalent, we can watch everything. We do file integrity monitoring, data that we watch, stuff that is outside of WordPress, like the processes running on a server. A lot of times we can see where, like, a SQL query is running amok and using up 90% of the CPU, and stuff like that. That's not what we do, that's not what we're focused on. But if we see a spike in the CPU usage, our system is smart enough to say, okay, what traffic is coming to that site? Is this an attack? If it's not an attack, to be honest with you, our system doesn't really care, because it's designed and focused on attack traffic. And one other thing that we do that's been a huge benefit for us is we watch outgoing traffic, because hackers, a lot of times, will use your servers to attack other sites. Well, that's outgoing port 80 and port 443 traffic.
A standard web server doesn't really have a whole lot of outgoing traffic to those ports. Now it does some, you know, there are some translation plugins, there are various plugins that will make requests out to an API that is on port 80 or port 443. But by gathering that information for us and then analyzing it further, is it legit or is it attack traffic? It's a fantastic indicator of compromise for us. So we know that a site on that server is compromised and being used by the hackers to attack other sites. So with this problem of hackers wanting to steal login authentication, as I said, and I've gotten into arguments with people online, info stealers are still extremely popular. They're stealing everything: login URL, username, password, session cookies, everything. And people don't know that they're using exploit kits on websites to try and infect your local devices. So it's a big deal, a circular strategy here. You know, they infect websites; those websites are trying to infect the local devices of people coming to those infected websites. And then that gives the hackers even more information and more login credentials. And they collect the authentication cookies, and as I've stated before, you've probably heard it from me before, and from others:

with an authentication cookie, you totally bypass 2FA. So hackers saw the writing on the wall. Okay, right now we're stealing usernames and passwords. Oh, now people are trying to hide the login URL. Okay, well, now when we infect somebody's local device, we're going to start stealing the login URL along with the username and password. Oh, now people are starting to adopt 2FA, so how can we get around that? Oh, look at this: when we infect somebody's local device, we can steal their authentication cookies. We only have a short window to use them, so those take top priority in their whole ecosystem of cybercrime.
So they're always thinking. And with the exploit kits and info stealers, this company SpyCloud reports a huge increase in the number of recaptured data that they've been able to get back, and it's at 43.7 billion records. And they claim that most of that is the result of info stealers. So as I say here, exploit kits allow hackers to infect websites. Once the website is infected, it attempts to infect the local device of the visitor. Now, hackers don't know if a visitor has access to a WordPress site or not. They don't really care; they're just playing the numbers. So it could be that somebody who never logs into a WordPress site visits your site, they get infected, and the hacker just grabs whatever they can off of their computer and then moves on from there. And another big security company, Palo Alto Networks, so I cited in here: "due to their highly automated nature, exploit kits have become one of the most popular methods of mass malware or remote access tool (RAT) distribution by criminal groups, lowering the barrier to entry for attackers." So the automated systems are becoming so inexpensive that, as I said, you can rent an info stealer system for $50 a month, because the hackers are pretty sure that you're going to make much more than that utilizing their services. Let's see, what do they want? Ultimately, they want your server so that they can set up phishing campaigns. They want to steal your banking credentials. They want to use your infected server for attacking other sites. And the ransomware thing hasn't really been big. I shouldn't say that too loud. It hasn't really been big with websites. Years ago, I can't remember what year it was, maybe 2017, I collaborated with Brian Krebs. KrebsOnSecurity is his big thing. Great security researcher.
But he was at that time talking about ransomware, because it was just starting to build up in the overall cyber world. And we were seeing a number of cases through one specific big hosting provider where a lot of their cPanel accounts were getting hit with ransomware. So the hackers would infect the cPanel account, encrypt all the files and the database, everything, and then leave some text files in there saying, you know, if you want the decryption key to get all your information back, send us X amount in Bitcoin and we'll send you the decryption key. So anyway, I collaborated with Brian Krebs on this and he posted it on his site, but we haven't really seen a whole lot of that. Every so often I'll hear of it happening here and there, but for the most part it never really took off. You know, the hackers are probably going after bigger fish with their ransomware. But I've got in here: Macs and PCs, doesn't matter, you are susceptible. So I have nothing against Mac users. I wish I would have picked up on Macs early in my career, but I never did. But it's just that Mac users have been told for so long, get a Mac because you don't need antivirus, you don't have to worry about security. That's not the way anymore. You know, every year there's the guy, I forget the conference, but they have like a hack-the-box competition, and this year there was like over $200,000 in prizes. But one guy shows up every year, sits down in front of a Mac, hacks it, and wins the prize. It's like 10 grand and a new Mac Air or something, I don't know. But I mean, this guy, he already knows what he's going to do when he sits down. Sits down, bam, hacks the Mac, wins his prize, off he goes. So anyway, everybody's got to be concerned about this. And as somebody had said in the opening remarks here, I think it was Minor: how do you get people to log out?
You know, how do you get your customers to log out? And basically you just have to tell them, you know, if you don't log out and you get a virus on your local computer, your website's going to be infected. So when you think about it, all you have to do is log out, and that removes that session cookie from being stolen, or being useful, from that point forward. It's an easy step to take. Now, recent attacks, and this is alarming, it's growing fast: we've been seeing more sites compromised due to logins from single sign-on. Now, a lot of this is management platforms. We have not seen it at all with SolidWP. But some of the other platforms, I'm not going to name names, it's not my thing to point fingers and blame people, but we're seeing sign-ons from these management panels, control panels, management systems, that are actually installing bogus plugins, bogus themes, doing all sorts of things, adding new admin users. But it's all coming from one source. And it's a legitimate source; it's just an illegitimate user. And this was years ago. I've been doing this since 2007. We'd start to see, on a cPanel account, I don't know how many of you are familiar with cPanel, but if you look inside the root of a cPanel account, it has a file called .lastlogin. And it records the date, the time, and the IP address of the last login. And I think it's like up to 20 logins of people that logged into that cPanel account, which is genius. You know, I mean, cPanel has been doing this for eons, okay, maybe not eons, but a long time. So, like, XYZ hosting provider would come to us, "Hey, we've got all these infected accounts. We don't know how it's happening." And so we go in and we take a look at this file, .lastlogin, and there are all these IP addresses from all over the place.
You're like, "Whoa, who's been logging into your cPanel account?" "Nobody, just me." Somebody from Russia has, somebody from Bulgaria, somebody from here, there, everywhere. And they're like, "No, it's not. It's impossible." No, it's because they stole the login credentials to your cPanel account. Well, now they're doing the same thing with logins to your control panels, your management consoles. And now some people say, you know, the popular thinking is, well, they couldn't have come in through my management console, because I've got 20 websites on there, and only two or three, or maybe only one,

was infected. So, you know, if hackers got in, if they had that kind of access, they would have infected all my sites. No. That's what hackers want you to think. They know you think that, and that's why they don't do that. And we used to see this with cPanel. Like, there might be 20, like a shared hosting, they might have 20 websites on the same cPanel. But they wouldn't infect them all. Sometimes they would only, like, out of 20, let's say they infect websites one, two, and three. And then they watch as you get those cleaned up, remediated, everything locked down. And then they come back in, and they infect websites five, six, and seven. And then they watch how long it takes you to handle those. And then they just jump around from there, when their original point of entry was website four. So they don't always do what you may think is logical. They don't do what you expect them to do. And that's why they're hackers, because they do the unexpected. So, you know, how are they getting that information? The same way that they steal your admin session cookies and login names and stuff: through these info stealers.
So you have to be very careful with all of your login credentials. So one thing you have to understand with hackers: their methods change constantly, like I said, this new thing where they're coming into the management platforms and control panels. You know, with the control panels and the management systems, each website is separate. So you have to look for the common ground there. And that's what we had to do. We had to say, okay, well, how is it that all these sites are getting infected? Some of them have different plugins on them, some of them have different builds. There are just so many different variables. But you look for the common denominator. And it turns out it was the single sign-on, and then that leads us down that rabbit hole. So, okay, that's our hunch, but now we have to prove it. We don't go off of hunches. They might start us on a journey, but we want to know the facts. And sure enough, we get to the facts, and we see that this is how the site was infected, from this IP address. Oh, and where's that IP address? Oh, it belongs to this management console, or it belongs to this control panel, however this breaks out. So, the crux of today, and it actually just happened to fit in with the vulnerability in WordPress: it's an authenticated stored cross-site scripting vulnerability. So people are like, "Oh, well, so you've got to be authenticated, right?" But think about how popular these info stealers are and how popular stealing that information is. It's not that big a stretch to realize that for hackers to get authentication credentials for contributor or higher really probably isn't all that tough for them. They're going to find enough sites out there. And then they can launch attacks on other sites, etc., etc.
But you've got to keep in mind, they're not always doing the expected. So don't think that you're safe: "Oh, no, it couldn't have been that, because otherwise this, this, and this." No, you've got to have the facts. You've got to have the details. Like, and I can't remember the name of the program, where he's an investigator from the military, and he's like, "In an investigation, details matter." So, anyway, bottom line is, you have to be very, very concerned and pay attention to your local device security, because you don't know when you're going to be hit. You have to be careful in what you install. Don't install some random Chrome extension just because you think it might shave an hour off of your workload every day. Do you know it's clean? I have no extensions. I mean, there are a lot of security extensions available for Chrome. I don't have a single one, because they just scare the daylights out of me. I see what happens all the time. So anyway, Nathan, are you around?

Nathan Ingram 39:09
Oh, yes. Yes, yes. So, interesting lay of the land as we're looking at how hackers are doing their hacking. We have a few questions that have popped in. And Manu, I never take a nap. No, no, I'm listening. I am pondering, just like you all are. This is a great chance to ask your questions, folks. So if you want to open up the Zoom Q&A and ask your question there, we'll get those over to Thomas. And before we do that, let me just again mention that if you are interested in what Thomas and his team do at We Watch Your Website, monitoring your site, there's a free level. And Thomas, basically, if folks want to take advantage of the free level of monitoring, they will just reach out to you. On your next slide, right, you have your contact info. You can just shoot Thomas an email at traef, which is "fear" spelled backwards.
I remember this and Thomas will walk you through the process of getting set up on their service. And there's also a paid level and this is especially helpful for I know many of you are doing WordPress things with clients and you perhaps have a VPS or your own server that has multiple sites on there. Your paid plan Thomas you have a server license, right? So let's just say if folks have all their clients on a VPS it would just take one license to cover all of those websites, no matter how many is that right? Correct.\r\n\r\nThomas Raef 40:39 \r\nIn the paid level, we don't just monitor but it does automatic malware removal. And a lot of protection schemes go into the that level as well.\r\n\r\nNathan Ingram 40:52 \r\nYeah, very good. So take advantage of that, folks. It's a great extra level of security for what you are doing on your server. And I'm gonna is the man when it comes to these things. You see how knowledgeable and helpful he is. Alright, so Thomas, couple of questions that popped in. And again, folks, if you have a question, just use that Zoom q&a And we'll get those over to Thomas. Doug would like to know about and I didn't know this either about this dot last login file and let's go look for that. Is that a bad thing to have in your cPanel accounts? No,\r\n\r\nThomas Raef 41:25 \r\nyou know, they it starts with a dot you know, period because, you know, in, in most file managers, that that's a hidden file so like if you know, the default settings for a cPanel account, they don't show hidden files. You have to go in the upper right hand corner, click on an icon up there and then you'll see the settings. So but yeah, it does show the last I think it's like 20 shows the IP address the date and the time. Looks\r\n\r\nNathan Ingram 42:06 \r\nlike 15 on mine. I just logged in to look at it. Yeah, last 15 logins. That's pretty cool.\r\n\r\nThomas Raef 42:12 \r\nYeah, and it's no cPanel has been doing that for years good like so when I first found it. 
I was like, ah, ah, ah\r\n\r\nNathan Ingram 42:23 \r\nlike signing gold. Yeah, it's interesting. And this folks, if you have a cpanel server, it's at the same level as public HTML. So right if if you go into your cPanel and you open up the file manager, the level that file manager opens you up in is where that dot last login is. But you do have to go click settings and show dot files in order to see it. That's pretty cool. Yeah, that's a that's a new learn thing for me today. Pretty knows.\r\n\r\nThomas Raef 42:49 \r\nSo we've been using it for years and it's awesome. Yeah,\r\n\r\nNathan Ingram 42:54 \r\nindeed. Okay, question from Sadie. Concerning logging out in session cookie stealing. Is there a risk if we're using solid Central or other dashboard, multi site management tools? Can a session cookie be stolen from something like that? This is not just a WordPress thing, right? It can be stolen from any site. So maybe talk a little bit about that. Yeah.\r\n\r\nThomas Raef 43:21 \r\nYou know, an authentication cookie, session, cookie, whatever you want to call it. Both. Same thing. It allows you to, you know, teach HTTP is a connectionless protocol. So without a session cookie, if you went from one page to another, and, you know, after you've logged in, it wouldn't you would have to log in to every page you go to. But with an authentication cookie, it says, okay, this person has the rights to, you know, the permissions to view this next page. Okay, and now you hit the back button. Okay, this this user has been authenticated, so they have the permissions to go back to the page they came from. So So without, without cookies, the web as we know, it wouldn't even be anywhere near the same. And you'd be a mess. And the thing is, too with the session cookies, it's so critical. Like, Google has announced a new project of theirs. dB SC I forget what the what the acronym is. 
But anyway, you can look up DT Google DB sc, and they're actually working on ways very much like solid has done. You know, with session cookies, Timothy and crew, you know, where they tie it to an IP address. Will Google is looking to tie the session cookie to the actual device. So it can't even if it is stolen, it can't be used. Because it's a different device. So so like I said, it's, you know, it's that big a problem and it is legit, to the point where Google is you know, consuming resources to solve this problem.\r\n\r\nNathan Ingram 45:19 \r\nYeah, it's definitely and this is you know, we hear about it because we are kind of connected to WordPress security news, but this is not a WordPress exclusive thing. These cookies are common to all platforms and so it just to circle back around a city specific question. You got a lot out of everything. Right, right. Yeah, yep. And I just dropped it in the chat folks a link back to a live stream that Timothy Jacobs, the lead developer for solid WP did as we walk through solid security and the the trusted devices option that can protect you and your WordPress site from stolen session cookies. We'll take a look at that if you missed that livestream. Let's see next question from Manu. How do you check whether or not a browser extension is vulnerable? Or and let me let me add on to that. Does the whatever team is running the you know, the Chrome team in the Chrome Web Store, whatever? Are they not checking these things for vulnerabilities?\r\n\r\nThomas Raef 46:28 \r\nI believe that they are checked, but there's so many people that will put I could create a Chrome extension and make it available on my website and everybody who downloads it till the theater send me a new orange lollipop. So yeah, I mean, if you get it from, you know, the How can you do to answer my news question? How can you verify? You can't really, you just have to think of the source. You know, what's this extension supposed to do? 
And you get it from a reliable source. You know, that that's really the only you know, your only options. Let unless you can dive into, you know, Chrome extension code and, you know, know what you're doing and, you know, feel your way around. There. You really can't know,\r\n\r\nNathan Ingram 47:24 \r\nyou almost have to think of it like, Okay, who would I let inside my home to just be there if I wasn't around, right? So I'm gonna make sure I know this person, whatever. Because when you're installing a browser extension, you're basically saying I trust you to do things in my browser and I'm not really going to watch you, you've given it access to lots of data.\r\n\r\nThomas Raef 47:44 \r\nGreat. Then, you know, when Chet GPT first came out, there was a ton of bogus Chrome extensions for Chet GPT. Yes, I know a lot of people that were downloading those bogus extensions. And you know, they contact me and like, you know, someone we're friends and contacts from online. They Hey, man, I download this extension and now my system is acting really weird like\r\n\r\nNathan Ingram 48:12 \r\nwell, there's a reason for that. Yeah, yeah. Interesting. All right. Here's a question from an anonymous attendee. They say recently, I got a client website hacked, but it had connected it. But it was connected to my web hosting provider. I almost lost the site but deleted the website and uploaded a backup. Now, does that affect my other sites on my hosting plan, and how do I ensure safety because I log into five websites a day. So several questions there does sit does restoring a backup, solve the problem? And then how do you keep safe if you're logging into multiple websites every day?\r\n\r\nThomas Raef 48:47 \r\nOkay. No, backing up or restoring a backup does not make the problem go away. One of the things that we learned during the whole BRICS fiasco, I should stop calling a fiasco because that makes them sound bad. They acted very responsibly. 
But in the BRICS exploits people were restoring the problem is they can servers even on shared hosting plans, hackers, were creating files outside the WordPress File System. And also in these files would start up hidden processes. So you could restore and restore and restore and restore, but these hidden processes, were modifying your htaccess and your index dot php file on a timely basis. And if you did, if you found the the file that they hid, but you didn't delete the process, like almost at the same time the hidden file would recreate the process. I'm sorry, the process would recreate the file and vice versa. If you deleted the, if you killed the process, but didn't catch the file. The file would recreate the process. So it's like a dog chasing its tail. Funny, but you know, yeah,\r\n\r\nNathan Ingram 50:06 \r\nso it's like, if what they were doing was not so damaging and caused so many problems for us. It's fascinating, like how smart these people are, what they're doing.\r\n\r\nThomas Raef 50:18 \r\nThey some people who when I say it, but I mean hackers are some of the smartest people in the world. Yeah, hate to give him credit. But, ya know, as far as does he have to worry about the other sites. It all depends on how the hosting account is set up. If there's a separate, like on cPanel if you're using Who am I think it's Yeah, where you can log into multiple cPanel accounts, like each website would have its own cPanel account, then you're safe because each of those cPanel accounts is run by a different user. So if I get the first site infected, the hackers don't have access to the file system for any of the other websites on that same. Who am and by\r\n\r\nNathan Ingram 51:09 \r\nuser. Let me just jump in by user you mean it's a server user. So it's actually still me. I'm just in a different user on the server for each of those C panels.\r\n\r\nThomas Raef 51:16 \r\nCorrect? Yeah, yeah, I keep using the common vernacular, a system user. 
But yeah, each each cPanel account has its own system user in the Linux operating system. So you can't just hackers can't just jump across those. But know if they're all in the same cPanel account, then yeah, your chances are that the hackers have hidden backdoors in the other sites, and you may not see anything now. They may wait like we've seen cases hackers, we'll wait two months because they've got so many infected websites to work with. So the way to months and then if we get that backdoor sitting on the website number three, let's let's fire that thing up right now and let's cause some havoc for a while. And bam, bam, bam, bam enough. To go. So yeah, to answer your question, it all depends on how the hosting account is set up.\r\n\r\nNathan Ingram 52:16 \r\nYeah. So you know, the and just to restate this slightly differently. The best practice if you're in a on a cpanel server is one WordPress site per cPanel. Right? Correct. And what that does is creates sort of a walled garden around that WordPress site. So if it gets hacked it that infection can't spread out of that cPanel. It's boxed in. But you know, if you're running multiple WordPress sites on a cPanel, you're asking for trouble. And by the way, you're not alone. If you're doing that Thomas and I met because, gosh, I don't know what 1214 years ago, I was running about 30 Something WordPress sites and a single I didn't know any better and in one single cPanel I was just getting into WordPress. And they all got hacked and I'm like, oh my god, Thomas came to the rescue. So yeah, that's that's how he and I actually met many, many years ago. So please don't make my mistake. run multiple, multiple WordPress sites in the cPanel. Make maybe the one lone exception from that as if you spin up a staging site or a dev site or something that's you know, okay, temporarily, but also don't forget that it's there. 
Because, you know, if WordPress is not auto updating, then you have an out of date vulnerable WordPress install, you will find it. They will and it's that by the way, solid Security does have that setting. That's it's meant to do that. So there's a setting in solid security, that will scan your environment to see if there's any other out of date WordPress installs, so make sure you have that on just in case you you know, might forget, like, we do this you have a site sitting out there. Okay, one final question here from Joan, what if I use my VPN and my IP keeps changing? Do I have to keep binding my IP to solid security? So let me maybe I'll jump in on that one, Thomas. And then maybe you can talk about VPNs in a minute. But so Joan, when it comes to solid security what I would recommend that you use is the trusted devices feature. trusted devices create sort of a fingerprint, that's not just based on your IP address, it considers lots of different things. And so, it it does if you're jumping around location with a VPN, then you'll you'll have to, you'll have to keep logging in. But if your location is roughly the same, it's the trusted devices feature is looking at a whole series of things about the device that you're logging in on and it might be able to keep you continue to recognize that that trusted users so I take a look at that. And yeah, it's what about VPN Thomas? Is it is it helpful to use a VPN if you're logging into the WordPress does that provide really any security?\r\n\r\nThomas Raef 55:11 \r\nNo. Short answer. And, you know, I have nothing against VPNs. You know, I've been familiar with him for years and years. I said I came from a networking background. And like most of the commercially available VPNs today do nothing more than provide an encrypted tunnel between two points. 
So if a hacker has access to your local device, and you're logged into a WordPress site, now the hackers have an encrypted tunnel from your device to that logged in WordPress site. So, yeah, I mean, it's not really, in my opinion. Some people could try and prove me wrong. I'm open to discussion to hear more. But you know, I've never been a big fan of VPNs it's just me.\r\n\r\nNathan Ingram 56:06 \r\nYeah. I mean, you hear people say, Oh, just use a VPN, it'll keep you safe. And that's wrong. It's just wrong. Right? So you know, and some people will say, Well, maybe if you're logging into public Wi Fi, it would help to have a VPN that may be true to Sunday like that might protect you from a man in the middle attack with the Wi Fi hotspot. But for me, I don't use a VPN. I just jump onto my phone hotspot if I'm going to do that. Right.\r\n\r\nThomas Raef 56:32 \r\nYeah. One quick comment. Last night, I was digging around on the on the dark web and came across this guy who was offering Wi Fi hacking tools. And I was like, blown away by the tools that the hackers have for hacking, Wi Fi hotspots in public in public places. I mean, it their stuffs especially designed to steal that cookies and usernames and modify your traffic in I mean, it's just like, I've thought I'd seen almost everything. Nope, this this blew my mind so you really have to be careful. But yeah, a VPN doesn't really do anything for you. Just stuff public Wi Fi.\r\n\r\nNathan Ingram 57:28 \r\nYeah, yeah, indeed. And that's where it just using it. Hopefully your phone has a hotspot you can connect to. And that's pretty darn secure as I understand it. Yep. This is an interesting question from Jeanne. Should I be logging out of my two factor authentication app every time I use it? Yes.\r\n\r\nThomas Raef 57:50 \r\nLog Out of everything. Why? Well, I take a chance to find out. Oh, darn the the heck my you know my two FA Cup. l know what yeah, just log out of it. Is a\r\n\r\nNathan Ingram 58:06 \r\nYeah. 
How much you making our world really hard man. It's not you you're telling us what to do? Well, but yeah, I always swallow hard during one of the one of the live streams with you, man. There's another thing I'm not doing. I don't even think to ask that question. Dean. So thanks for asking it.\r\n\r\nThomas Raef 58:27 \r\nIt's it's I spend hours and hours every day. Thinking about how what people could do or what I could do to help people just lock down their system so that you don't even have to worry about it. And, you know, I come up with all sorts of ideas, and I write the code doesn't work or it's going to be too cumbersome for people to use, and then they won't use it and then they'll get infected. And so anyway, yeah, I try.\r\n\r\nNathan Ingram 59:00 \r\nCouple more questions here and then we'll wrap things up. Another question follow up from our anonymous attendee. And I'm going to try to summarize this for you, Thomas. Basically, the question is, the site was compromised, it's been hacked, and they moved the site to another server, another host, and they have since put on the solid WP suite and all of that. Is there still something to worry about there?\r\n\r\nThomas Raef 59:33 \r\nI would say probably not. I would watch it real close. Because typically if you're moving the site you know, like, you know, any of the migration plugins. It it, it's just copying the WordPress files in the database, and then moving them. The question\r\n\r\nNathan Ingram 59:54 \r\nis if the site was infected, and they might try to migrate and infected site.\r\n\r\nThomas Raef 1:00:00 \r\nOh, yeah. If you're migrating an infected site, yeah, you definitely have to. It still has to be remediated, you know, no matter what. Because the the infection is still there. You haven't changed anything.\r\n\r\nNathan Ingram 1:00:14 \r\nYeah, and the question follow up can it affect a different plugin? If if someone has hacked your site and there's a vulnerability there? 
They're going to infect it in lots of different places, right? Yep. So anonymous, I would recommend that you email Thomas Rafe AT T Rafe and we watch your website.com and let them help you remediate. That site. Trying to clean a hacked site on your own is very, very difficult. I've been doing WordPress for more well over 15 years now. I wouldn't try to do it myself.\r\n\r\nThomas Raef 1:00:49 \r\nYes, I've seen we had one. Just the other day. Somebody tried to have their devs do it and it's a mess. Hell,\r\n\r\nNathan Ingram 1:01:00 \r\nyou know exactly what you're doing. Yeah. And like you were saying earlier, if you don't do it, in exactly the right order. There's all these existing processes that you delete something and it just puts it right back. And maybe in a different spot or in ways you don't notice it. And it's just and what like, if you miss one little file, they'll come back and get you again. It's just it's and let me just also mention anonymous when it comes to what solid Security offers. Solid security is excellent for WordPress protection for user level protection, but it doesn't clean a an infected website. It assumes the website is clean, and it will help to keep the website secure from that point forward. But if the website is if they if it if it's been hacked, you really need to reach out to a professional to help clean that site for you. That'd be my recommendation. I've just dug again, Doug has his way of saying things much more simply than I do in the chat. Solid is for prevention. Not remediation. Yeah. So none of us knew that's what I would do. And you it's, it's really frustrating to have a site that's been hacked. And I think many of us can relate to that. I've been in that position before it's just it's a pain. But once you get a professional in to help you things get better quickly. Yeah. Okay, one last question from Peter Thomas. We'll wrap it up. 
Besides hosting providers, security measures and wh M what other measures do we need to improve on security? Because since they hold that the server has the web files and become vulnerable it can be a problem. So basically, I think the question is, what do we need to know as as users of WordPress assuming the server security is taken care of? What are some good best practices we need to employ to stay safe and keep our WordPress site safe? Well, that's a big question.\r\n\r\nThomas Raef 1:03:02 \r\nYeah, it's a big question. And based on today's presentation, I'll say that, you know, you have to think outside the box. So this in this case, the box is WordPress. So you got to think outside of that. Think of your local devices. You know, I can't tell you the number of sites that we cleaned every week. I probably could have I could look it up. But do we clean you know, we remove malware from every week and the evidence is, is it stares you right in the face? When you know what to look for. And it's saying that, you know this, these sites were were hacked because of stolen credentials, stolen. Cookies. You got it out you really have to focus hard on your local device. Security.\r\n\r\nNathan Ingram 1:04:02 \r\nYep, indeed. And that's that's the place where a lot of folks fall off. Well, Thomas, as always, I love it when you're here. It's always a wealth of information. And I know our folks in the audience, appreciate your expertise as well. Folks, this has been recorded and we'll have the replay up in about an hour. I just dropped our link bundle back in the chat and the link to watch the replay is there. If you missed the slide download, you can also download the slides there. If you're watching this on the replay and you want the slides right below the videos, the download slide link. And one more thing I will mention we have several security webinars coming up with our friend Kathy Zant. The next one is coming up one week from today. 
Kathy is going to be talking about security incident response planning. That's going to be a good one. It's a free live stream and the link to register is there in the chat. So we'll invite everybody to be part of that. Thomas, as we wrap up, any final words as we finish?

Thomas Raef 1:04:56
Just really, like I said, you know, watch your local device and watch any of your online stuff, especially if it has Kathy Zant in it. She's like, I have mad respect for Kathy, in what she's learned, what she knows, what she does. So yeah, definitely tune into Kathy's presentation.

Nathan Ingram 1:05:17
Absolutely. And folks, just one more thing for me and we'll wrap things up. If you are not familiar with WeWatchYourWebsite, reach out to Thomas. You see his contact information there on the screen. Begin free monitoring now. And then also, if you're managing sites and you want to be sure that things stay clean, with their paid service, they'll protect your whole server with one license. Good stuff. All right. And also log out. Log out. Log out, log out. That's the takeaway again. We're gonna change your name on here to Thomas "Log Out" Raef. Oh, gosh, so funny. All right. Well, thanks everybody for being with us. Hopefully you picked up some good tips today. That's gonna wrap us up. If you're a Solid Academy member, I'm back for office hours tomorrow at 1pm Central here on the Solid Academy, where we go further together.

Transcribed by https://otter.ai

Slides: https://drive.google.com/file/d/1O2z2cjlkznOPlRzpOeB8we4KA9JW8L9-/view?usp=sharing

WordPress Security Roundup (April 2024)


The world of WordPress Security is always changing, so staying informed of the latest developments is critical. Thomas Raef and his team at WeWatchYourWebsite monitor the security more than 13 million WordPress websites. With that much data at his fingertips, Thomas is in a unique position to explain the latest methods hackers are using to infect WordPress websites.
