Episode 666 WordPress Security Concerns and New Online Protection Laws With Tim Nash
Show Highlights
This podcast episode features a conversation between Rob Cairns and security expert Tim Nash about the evolving landscape of WordPress security and digital privacy laws. The pair examine the controversial decision to delay automated plugin updates by twenty-four hours, arguing that this window primarily benefits attackers rather than protecting site owners. They also critique the integration of AI API keys into WordPress core, warning that storing expensive credentials in the database creates a high-value target for SQL injection attacks. Turning to government policy, the speakers compare Canadian and British legislation, such as Bill C-22, which they believe attempts to weaken encryption under the guise of public safety. Ultimately, the hosts conclude that technological literacy and critical thinking are more effective security tools than arbitrary government bans or poorly implemented software restrictions.
Thank You To Our Sponsor
Thank you to our sponsor, All-in-One WP Migration by ServMask. Export your entire WordPress site in one click and import it anywhere. No server access needed, no command line, and it works with every hosting provider. Free on wordpress.org, Pro extension at servmask.com.
Show Notes
Topic: The WordPress 7.0 Release, Auto-Update Controversies, API Key Security, and Government Surveillance Overreach (Bill C-22)
1. The Pre-Show: World Cup Atmosphere & Regional Differences
- UK vs. North American Soccer Culture: Tim notes a surprisingly quiet atmosphere in the UK ahead of tomorrow’s World Cup matches, remarking that unless you drive past a McDonald’s, you wouldn’t even know it’s happening.
- Match Outlook: Rob’s partner is Italian, but with Italy failing to qualify, Canada will face Bosnia at home in Toronto tomorrow. Both hosts note that while professional soccer is still finding its footing in the US and Canada compared to Europe, the youth levels in North America are incredibly popular.
2. WordPress 7.0 Auto-Updates & The “One-Day Delay” Controversy
The hosts dive into their classic debate on update philosophies: Tim advocates for auto-updates to keep sites secure from fast-moving threat actors, while Rob prefers manual updates backed by fresh, on-hand backups.
- The Forced One-Day Delay: WordPress introduced a mandatory one-day delay on certain core/plugin updates, likely to mitigate “poisoned well” supply chain attacks in which a compromised release is pushed to every auto-updating site at once.
- The Verdict: Both Rob and Tim agree this delay is a broken mechanic. It does not give everyday users time to test updates; it simply delays the deployment by 24 hours while giving malicious actors an extra day to exploit known vulnerabilities.
- Premium vs. Free Ecosystem Crashes: The delay causes critical failures where a premium plugin auto-updates immediately, but its required free framework plugin is held back by the one-day delay, breaking websites instantly.
- The Fix: Tim argues that WordPress should have given site owners variable update strategy options (e.g., choosing immediate, 1-day, or 7-day windows) rather than forcing an arbitrary, unprompted rule across the ecosystem.
3. WordPress 7.0 API Client Services & Token Billing Dangers
With the release of WordPress 7.0 “Armstrong”, native AI infrastructure (AI Client, Abilities API) has officially entered core.
- The Security Threat: Storing expensive AI API keys directly inside a WordPress database drastically raises the profile and value of an SQL injection attack for hackers.
- Database Realities: Tim reminds listeners that the WordPress database has never been fundamentally secure. Storing keys there is the equivalent of “putting a key under the welcome mat.”
- Best Practices & Recommendations:
  - Avoid dropping raw API keys into standard admin settings fields if you don’t understand the financial risk of automated token drain (an attacker with the key can run up your provider bill).
  - If you must use API keys, Two-Factor Authentication (2FA) must be strictly enforced on all admin accounts.
  - Follow Tim’s approach: use code constants to define keys outside of the database, or route them through third-party vault services.
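One way to apply the constant-based approach Tim describes, written here as an added example rather than code from the episode, from WordPress core, or from any named plugin. The constant name `MYPLUGIN_AI_API_KEY`, the option name `myplugin_ai_api_key`, and the `myplugin_` functions are hypothetical placeholders; the WordPress functions and filters used (`defined`, `getenv`, `pre_update_option_{$option}`, `wp_remote_post`, `wp_json_encode`, `WP_Error`) are real. The key is resolved from `wp-config.php` or the process environment and there is deliberately no fallback to `get_option()`, so a SQL injection that dumps `wp_options` yields nothing billable:

```php
<?php
/**
 * Added example, not from the podcast, WordPress core, or any plugin.
 * Resolves an AI provider API key from a PHP constant or an environment
 * variable, never from the wp_options table. All myplugin_* names and the
 * constant MYPLUGIN_AI_API_KEY are hypothetical placeholders.
 */

// In wp-config.php (kept out of version control and not served by the web server):
// define( 'MYPLUGIN_AI_API_KEY', 'sk-placeholder-value' );

/**
 * Return the API key from the constant or the environment, or null if unset.
 * No get_option() fallback: a database dump must not contain the secret.
 */
function myplugin_get_ai_api_key(): ?string {
	if ( defined( 'MYPLUGIN_AI_API_KEY' ) && is_string( MYPLUGIN_AI_API_KEY ) && '' !== MYPLUGIN_AI_API_KEY ) {
		return MYPLUGIN_AI_API_KEY;
	}
	$from_env = getenv( 'MYPLUGIN_AI_API_KEY' ); // e.g. injected by the host's secret store
	if ( is_string( $from_env ) && '' !== $from_env ) {
		return $from_env;
	}
	return null;
}

/**
 * Refuse to persist the key through the options API, so a settings screen that
 * tries to save it cannot write it into the database. Returning the old value
 * makes update_option() a no-op for this option name.
 */
add_filter(
	'pre_update_option_myplugin_ai_api_key',
	function ( $value, $old_value ) {
		return $old_value;
	},
	10,
	2
);

/**
 * Masked form for admin screens and logs: reveals only whether a key is
 * configured and its last four characters, never the secret itself.
 */
function myplugin_mask_key( ?string $key ): string {
	if ( null === $key ) {
		return 'not configured';
	}
	return str_repeat( '*', max( 0, strlen( $key ) - 4 ) ) . substr( $key, -4 );
}

/**
 * Use the key only at call time, inside the request header, and fail closed
 * with a WP_Error when it is not configured.
 */
function myplugin_ai_request( string $url, array $body ) {
	$key = myplugin_get_ai_api_key();
	if ( null === $key ) {
		return new WP_Error( 'myplugin_no_key', 'AI API key is not configured in wp-config.php.' );
	}
	return wp_remote_post(
		$url,
		array(
			'headers' => array(
				'Authorization' => 'Bearer ' . $key,
				'Content-Type'  => 'application/json',
			),
			'body'    => wp_json_encode( $body ),
			'timeout' => 15,
		)
	);
}
```

Two caveats worth keeping in mind. This removes the SQL-injection path only: the key still lives on disk where PHP can read it, so an arbitrary file read or code execution on the server exposes it, which is why Tim also raises vault services. And if a key was ever saved through a settings form before switching to the constant, delete that row from `wp_options` (and rotate the key at the provider) rather than simply stopping future writes.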
4. Bill C-22 & The Global Rise of State Surveillance
The discussion shifts to Canada’s newly introduced Bill C-22 (Lawful Access Act) and broader global online privacy legislation.
- The Threat to Encryption: Bill C-22 threatens to mandate “backdoors” into encrypted services like VPNs and secure messaging apps (Signal), drawing public pushback from tech giants like Google, Meta, and Amazon.
- The “Under-16” Internet Bans: Similar to discussions in Australia and the UK, new bills aim to force minors off social media. The hosts argue this doesn’t protect kids; it pushes them toward sketchy VPN providers and malware.
- Implementation Failures: Tim highlights that most tech legislation is drafted by politicians who don’t understand technology, resulting in “dead laws” that are practically impossible for governments to securely implement or police.
- The Risk of Secondary Abuse: Rob highlights a major concern regarding local police corruption and the lack of judicial oversight, citing recent instances of police forces using warrantless spyware on smartphones.
5. Education & Trust Over Parental Controls
- Why Hard Gates Fail: Rob and Tim agree that strict parental blocks and heavy monitoring break down the foundational trust between parents and children.
- The Analogy: Treating the internet like taboo alcohol usually backfires at age 18. Instead, youth need early training in critical thinking and digital safety to make informed choices.
6. Blast from the Past: 16-Year-Old Rob the Hacker
- Rob shares a nostalgic story from his high school days dealing with a network infrastructure co-developed with the University of Waterloo running “Janet” software. Because school staff left the server room door unlocked, a teenage Rob copied the master administrative password file from a physical floppy disk, ultimately bringing the entire school network down on a boring Monday morning.