Episode 610 Digital Security, Trust, and WordPress Updates With Tim Nash
Show Highlights

This episode of “The SDM Show,” hosted by Rob Cairns, features guest Tim Nash, a security expert. The discussion covers several cybersecurity topics, including recent security incidents such as an AWS outage and a vulnerability used to take over airport PA systems, as well as the risks of running an end-of-life operating system like Windows 10. A primary focus is the “circle of trust” in the WordPress ecosystem: they examine the security of popular form plugins like Contact Form 7 and Gravity Forms and the challenges of trusting third-party vendors and individual developers. Finally, they discuss the controversial timing and potential issues of the upcoming WordPress 6.9 feature release during the busy retail season, advocating for separate streams for security and feature updates.

Show Notes

Security News and Current Events

  • Airport PA System Takeover: Discussion of recent incidents in Vancouver and US airports where pro-Palestinian messages were broadcast over public address (PA) systems.
    • The method of access is officially unconfirmed, citing national security, but both agree it was likely over the network.
  • AWS Outage: Acknowledgment of the recent AWS (Amazon Web Services) outage.
    • It was not a hack attempt; it sounds like a DNS problem (an “oopsy issue,” not a threat).
    • The hosts agree that AWS US East 1 is a critical, high-value target for bad actors, as taking it down causes maximum internet mayhem.
  • Windows 10 End of Life: Windows 10 went end of life on October 14th. Users should:
    • Get one of the free extended support plans (for one year).
    • Upgrade their machine.
    • Switch to Linux (there are fantastic, easy-to-use distros available).

The Circle of Trust in Security

  • Trusting Experts and Vendors: The hosts discuss the fundamental question of who to trust in the security space.
    • Initial Mistrust: Tim advises that people shouldn’t blindly trust random people on the internet, including them.
    • Doing Your Homework:
      • Talk to them: Find out about their credentials (which don’t always mean formal qualifications) and serious experience.
      • Personal Recommendations: These are often more important than looking at formal qualifications. Find out if the person recommending the expert has actually used their services.
  • Trusting Microsoft: Rob notes that despite people hating Microsoft, they run 75% of business desktops because people trust Microsoft to patch security flaws.
    • Tim agrees, noting that Microsoft is a huge player in the security industry and often does a good job (e.g., Microsoft Defender is a very good, built-in antivirus system for Windows).
    • Microsoft is also a huge player in the cloud space (Azure) and through Office 365 and Active Directory, making up a massive segment of the web.

WordPress Forms and Trust

  • Form Spam Epidemic: A current epidemic of form spam and security issues with WordPress form packages.
  • Contact Form 7 (CF7): Rob advises against CF7 due to its history of very public problems and handling of vulnerabilities. Tim agrees that it’s the “Revolution Slider” equivalent for forms—frequently cited in vulnerability reports.
  • Form Package Trust: All form plugins have had problems; rather than a single “winner,” there are only “lesser losers.”
    • Gravity Forms: A premium plugin with great support, but not immune (they recently had an incident where their own distributed zip files were compromised with malware).
    • WS Forms (Mark West): A good, well-regarded plugin, but its single developer presents a bus-factor risk (what if the individual developer is suddenly unavailable?).
      • This highlights the need to risk assess based on whether a plugin is maintained by an individual or a large company.

The WordPress.org Single Point of Failure and Fair

  • WordPress.org Centralization: Rob raises the concern that WordPress.org is the single point of failure, which stops some larger organizations from adopting WordPress.
  • Fair (Federated Applications, Interoperable Repositories): Tim shouts out Fair, an attempt to create distributed plugin repositories.
    • The idea is to mirror and aggregate plugins across different repos, so if one (like WordPress.org) goes down, another is available.
    • Momentum is key. Pantheon is an early adopter, and many major hosts now manage mirrors or have contingency plans for rapid mirror deployment (following past incidents like WP Engine being cut off from updates).
  • Future Legislation: Tim notes the upcoming EU Cyber Resilience Act (and the UK equivalent), which will mandate separate security updates from feature updates—a huge change that WordPress core will need to address.
  • Fair Benefits: Fair already offers a nice, quicker setup (using Aspire Press/Fastly) and cuts off many internal ping-backs and calls to WordPress.org (like Gravatars and “happy” pings), making it good for intranet/headless setups.

Trusting Cloudflare

  • Cloudflare’s Trajectory: Tim sees Cloudflare on a similar path to Google: starting as the “cool kid” but eventually needing to make vast amounts of money, potentially leading to a concentration of power.
  • Single Point of Failure: Cloudflare is so massive that when it goes down, the entire internet is essentially done—it affects countless subservices and is a major component of the web’s infrastructure.
  • Cloudflare Turnstile: Rob’s favorite feature; he trusts it more than Google reCAPTCHA for spam mitigation.
    • Rob’s site went from 300 spam emails a day down to one after installing Turnstile.
  • Cloudflare Project Galileo: Tim gives a massive shout-out to Galileo, which provides their enterprise package for free to political, activist, and human rights organizations/NGOs who are constantly under attack (preventing massive hosting and DDoS costs).
    • Rob shares a story of the Ontario Police Memorial website being constantly hit by targeted DDoS attacks during their annual live-streamed ceremony, which Cloudflare successfully mitigated for years.

WordPress 6.9 Release Timing

  • The Problem: The major WordPress 6.9 release, containing both security and feature updates, is scheduled for the first week of December—in the middle of the critical retail/holiday season.
  • Need for Separate Streams: The hosts agree the biggest issue is that security updates are not separate from feature updates. Because they are packaged together, agencies are forced to manage major feature changes during a high-stakes time.
    • Until a separate security stream is available, every update must be assumed to be a security release.
  • UI Changes: A major concern is the potential admin console UI changes coming in 6.9, which will require agencies to educate clients just before or during their busiest season.
  • Suggested Delay: Both agree delaying the major feature release until January would be the safer, more positive option, though core will likely stick to the early December date.

The DIY Security Myth

  • The Bottom Line: Rob argues that if a website is making a business money, the owner cannot DIY security. The average business owner lacks the required knowledge.
  • The Racketeering Problem: Tim notes that selling security often sounds like racketeering (“It would be a shame if your house burned down…”).
  • Security is Everyone’s Responsibility:
    • The business owner must be invested in security; it’s not just the consultant’s job.
    • Bringing in a specialist combines their knowledge with the business owner’s intimate knowledge of the business.
    • Hiring a specialist also makes it everyone’s responsibility internally, as nobody wants to be the point of failure.
  • Value of Review: A security review is worth the cost, even for a brochureware site, as it prevents incidents (like an e-commerce site being down for a week) and catches simple, common errors (like a backup.zip file lying in the root directory).
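One of the simple errors mentioned above, a backup archive left in the web root, is easy to catch with a routine check. The script below is an added example, not code from the show or from any plugin discussed; it walks a document root (a constructed temporary one in the demo) and reports archive, dump and backup files that a web server would happily serve to anyone who guesses the URL.

```python
"""Audit a web root for leftover archive/backup files (the "backup.zip in the
root directory" finding). Added example; the file names below are constructed."""
import os
import re
import tempfile

# Extensions that almost never belong in a publicly served directory.
RISKY_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz",
                  ".bak", ".old", ".orig")
# Common naming patterns for dumps and editor/backup copies (constructed list).
RISKY_NAME_RE = re.compile(r"^(backup|dump|db|site|wp-config)[-_.]|\.(bak|old|orig|swp)$", re.I)


def find_exposed_backups(webroot, max_depth=2):
    """Return web-relative paths of suspicious files under webroot, shallowest first.

    Depth is limited on purpose: the concern is files reachable by guessing a
    URL in or near the root, not every file on disk."""
    hits = []
    webroot = os.path.abspath(webroot)
    for dirpath, dirnames, filenames in os.walk(webroot):
        depth = os.path.relpath(dirpath, webroot).count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []  # stop os.walk from descending further
        for name in filenames:
            if name.lower().endswith(RISKY_SUFFIXES) or RISKY_NAME_RE.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits, key=lambda p: (p.count("/"), p))


def demo():
    """Build a throwaway web root with a few leftovers and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "backup.zip", "wp-config.php.bak",
                "wp-content/uploads/photo.jpg", "wp-content/site-dump.sql"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    return find_exposed_backups(root)


if __name__ == "__main__":
    for path in demo():
        print("exposed:", path)
```

Run it against a real document root by calling `find_exposed_backups("/path/to/webroot")`; anything it lists should be moved outside the served tree or deleted.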
