Episode 358 WordPress Security and SolidWP With Dan Knauss


Show Summary

Rob Cairns talks to Dan Knauss about WordPress security and SolidWP.

Show Highlights:

  1. General WordPress security.
  2. Why you should not have a built-in malware scanner.
  3. Why rebrand to SolidWP?
  4. Where SolidWP is going.

Show Notes

Hey everybody, Rob Cairns here. And today I’m here with my guest Dan Knauss. He works with StellarWP, he works with Post Status, and he’s a long-time community member. How are you today, Dan? And it’s always good to have a fellow Canadian on the show.

Well, yeah, I’m still a U.S. citizen, but I might end up with both. I’m eligible. So I might chill. I might stay.

And you do live in Edmonton, so I think you’re staying for a while, yeah.

Yeah, it’s been about 8 years now, yeah.

Give or take. Of all places, Edmonton, but better there than Winnipeg.

You know.

Winnipeg’s got a nice downtown and small buildings and things I like, but yeah, it’s cold.

Yeah, we were kind of talking beforehand, and one of the things I always like, and I know you’ve been in this space for a long time, is to ask people how they got into WordPress and what their WordPress origin story is. Do you want to share a little bit about how you found this wonderful community of ours?

Yeah, yeah, that goes back a long, long, long way. When WordPress was getting started, I was just peripherally aware of it because it was just a little project initially. I remember when b2 was available, I think in cPanel back then. I started like a lot of people my age, I guess, just learning early HTML and then CSS and some JavaScript and doing a lot of the front-end stuff in the 90s, really very early. There was Blogger, but Movable Type was like the first “oh, you can install this and hack away on it”, and then, like a lot of people, they kind of bungled their licensing and a lot of people went to WordPress. It was attractive at the right moment, but I actually spent a lot of years in Joomla, and we have a ton of Joomla people who have drifted in or done both all along. I probably started using WordPress to build stuff for other people around 2004 to 2006, but I was doing most of my main work on other open source systems, especially Joomla. Then it reached a point where WordPress was clearly the superior choice, especially for doing client work. So yeah, I ended up doing more and more work with it for my own clients and myself. It was interesting to come in from a different community. I also did more with Drupal back then, and I feel like I kind of sidled in slowly, because I was kind of on the edge and on the outside of the WordPress community in what I guess were its really formative years. I kind of jumped in more exclusively after 2010, 2012, thereabouts.

I took one look at Drupal and said this is not for me, I’m done. And you can improve it, but it’s more of a, yeah, big enterprise product.

It’s a totally different culture, and where I lived then, Milwaukee, had a really strong Drupal community. There were BarCamps and that led into heavy Drupal stuff. And then Vic Drover, who’s now heavily WordPress, had started with a forked plugin. He kind of started a family business in Joomla extensions and organized a meetup locally, and I met him that way. So I kind of had friends doing things in a couple of different open source platforms and local conferences, and that was really nice, and they each kind of read each other about stuff. The different cultures around different platforms offer a lot of insight into how your one way is not necessarily the only way or the best way. They’re all quite fascinating in how they develop.

No, I would agree with that. Even the WordPress way. One of the things we always talk about in the community is WordPress will let you do it a multitude of ways, and there’s no right way or wrong way. It’s whatever you’re comfortable with, right? And you know, in practice.

It’s hard to actually believe that.

I think we all.

And that’s kind of good. The frictions kind of come up because there are better and worse ways to do things, but it’s true.

No, no, no. So yeah, you wear a number of hats. So let’s jump in. One is you’re heavily involved doing work with the Post Status community. What are you doing there?

Well, I used to. Yeah, I still hang out, and it’s a great place to meet and mingle and make new friends on the Post Status Slack. But yeah, I was editing that for a long time. Yep, and at Stellar, StellarWP, I’m really focused on iThemes as it becomes SolidWP, a rebrand we’re doing in the open.

So what is the timing for that rebrand? Do you have any sense of it?

Well, it’s in motion.

Why the rebrand? I have to ask.

Sure. Yeah. Well, you know, iThemes is one of the original early commercial WordPress brands in the space and had a lot of really notable people early in their careers working there; many of them are still involved. But the “themes” in iThemes has a very, very first-decade-of-this-century kind of feel to it. It was focused on theme products initially and some of the early builder themes, and that part of it is being sunsetted. Part of the pivot and the shift to the brand around SolidWP is that we’re emphasizing the whole suite of three that come together: Solid Suite is Solid Security, Solid Central, and, let’s see, their backups. Yeah, BackupBuddy becomes Solid Backups, and their integration altogether, Central, is the SaaS that lets you operate potentially many, many sites running these and other products. And then we’ve got Solid Academy too. Don’t leave out Nathan Ingram, who also goes back about the same as me. I kind of always feel good when I hear other people about as old as me doing things in the 90s, who have a nice memory of a lot of different things in the WordPress space. So he’s continuing what went from iThemes Training to what will be Solid Academy.

Yeah, that’s really well done. And it makes sense actually to be doing it. I think at this point in time it’s no longer a theme company; the more I think about it, the focus has kind of been the security side of the business, which I spend a lot of time in. But now I can see it being Solid Security.

Whoops, froze.

One of our mutual friends, Cory Miller, was the original founder of iThemes, in this space and also involved in Post Status. So there are a lot of reasons for change, and I think the hardest part with the rebrand is what do you do with brand recognition? Think of when Coke rebranded, and remember all the New Coke taste and the Coke Classic fight, and how all that went back in the day. Do you have any concerns about losing people with the rebrand?

I haven’t heard anyone really express that. It’s not something I thought of as a concern, because our oldest and biggest fans are pretty looped in, and Nathan with the Academy is kind of a huge community hub for that, and I’ve been able to hook into those relationships and find out who’s following along. It’s been an ongoing process, so we’re rebranding in public and in the open. So I think the chances are the people who are more distantly following maybe won’t pick up on it the first couple of times, but it should be hard to miss. And remember, I can’t think of what example it was, but I’ve had plugins where one day you do an update and then boom, maybe something got acquired by Awesome Motive or something, and then you have a rather different user experience on the back end. We’re actually walking our users through that now too. Timothy Jacobs, our awesome long-time developer for Security, has been doing live sessions and walkthroughs with that, so I think anyone who’s paying halfway attention is going to catch what’s coming and know all about it. We’re building out a new customer success team, and I like to talk to our support people and connect the devs and marketing and support and really understand how it’s working, how people are using the products and who they are, and chit-chatting with them sometimes on Twitter. Unfortunately, that’s probably going to change at some point. Not that Twitter and WordPress is pretty awesome; I love doing it at Post Status too. It’s a niche that, for all the things that can happen, is a community in there, and it’s served well over the years, but it’s too bad. But it is super when you can be in close touch with, listening to, and knowing your people around the product and brand.
So yeah, I don’t think anyone’s going to be too surprised. But there’s always some, and we’ll be ready for that. It’s mostly that kind of whole SEO thing that you’ve got to watch out for, and we’re all concerned with site migration stuff and the whole fun content side of older content. You can’t just search and replace a bunch of stuff, because the whole context has changed. You’ve got to respect some of the older content and bring it into a new place and situate it. Yeah, it’s always interesting when you’ve got a decade or more of history on the web to preserve and in some ways keep using without confusing people.

So, so true. And one of the biggest things you guys have done on the security side is you now have an alliance with Patchstack, which I think is pretty exciting. They’re kind of a leader in our space to deal with security. How do you feel about that alliance?

Yeah, that’s really great to be able to do. We really admire Patchstack and what they’ve done in really changing the security space, and they really have ambitions for open source broadly, not just WordPress, but we sure need them in WordPress right now. In Solid Security, at this point we have integrated with them for vulnerability detection, and when you get your updates, they’re providing that: you click through and get that kind of public information about vulnerabilities. That’s going to become a stronger integration in the product using their virtual patching within a firewall. What we’re bringing into there is, technically, a kind of firewall going on with our own brute force protection network, and the way that the plugin picks off attack trends in bad logins and stuff that looks like a brute force attack. That’s getting beefed up into a full firewall with Patchstack’s virtual patching. And yeah, really just having them as people to talk to, which I enjoyed doing a lot at Post Status and am still doing in the security channel there. They just provide a lot of insight, and their networks and their researchers are highly educational for people to learn from.

Yeah, it’s interesting. And it’s been a rough year in the security space. We’re seeing more and more SaaS companies get hit. We’re seeing more and more retailers; the latest bad one in Canada, as you probably know, was Petro-Canada, the gas company, and Suncor, their parent company, got hit. We saw it with Chapters Indigo; their website was down for like a month and a half, believe it or not. It just goes on and on and on. And by the way, don’t get caught with the information with CRA and Canopy, because they’ve been hacked more times than I can count, frankly. So it is a tough place to be, and I think one of the biggest things people can do is have a good strategy. My platform of choice for my clients is Patchstack and Solid Security combined; that’s kind of where I am right now and I’ve been there for a long time, and I think it’s a really good combination. But also make sure you have a backup. And by the way, I hate to say it: test those backups before you need them, not after you need them. Because I just went through this with a client where they said “oh, we’ve got a backup”, and the backup wasn’t one. So you know, there you go, right.

Yeah, I’ve run into that, on sites and also on network backups with older PCs and stuff. But I’m on Mac now. I used to have a real mongrel network of Linux and Mac and Windows stuff, but yeah. Wow. I was just having dinner last night with a friend who’s not in tech, but she works in construction and project managing things, auditing projects, and kind of gets risk. People know what ransomware is now. I was kind of surprised; it was the first conversation I’ve had where someone I know is like, oh yeah, this colleague or this company, someone very close to me, they had to pay these huge, enormous sums. We had a university here where it wasn’t ransomware, but they were phished successfully and changed their bank credentials and paid out 100 million Canadian to who knows who instead of their construction company, Clark Builders, who’s doing a huge add-on, and no one caught this for a couple of months. Security goes all the way down. Now that kind of targeting, very targeted leadership targeting in small and medium-sized businesses, that’s the trend: doing more sophisticated personalized attacks, getting at your user accounts. There’s a lot of information you can pull out of a seemingly simple small business site, and they’re after what they can extort out of you later. The US government is getting more interested in this; legislation is coming down on dealing with open source and security because of some of these things. It’s a really interesting time, and I think educating end users on the risks, and also how do you reach a point of confidence of, I mean, this...

Is this is?

...manageable. You can handle this and we can help you. I don’t think that messages of alarm and fear are helpful. So we’re trying to find that proper balance. It’s tough, and it’s a good challenge in open source to be really transparent about bad things. People don’t want to do it. It’s not our nature, but it helps.

Yeah, I would agree. Now, one of the things I wanted to touch on in the security space: there was an article that came out about a week, maybe two weeks ago, and it was about malware scanners and WordPress, and I know you guys posted a response to it or a revised version or whatever you want to call it at the time. And it was: should you run a malware scanner within WordPress? The crux of the article was no, you should probably be running an external scanner, which is kind of where I sit. Where do you sit personally on that one?

Yeah, that was my article, really just summarizing and pulling together research done by Calvin Alkan at Snicco and Thomas Raef at We Watch Your Website, so I’ve gotten to know him a lot better since then. He’s got some new stuff coming out detailing how their system works for detecting malware and analyzing it. And Patrick Gallagher at GridPane was involved with that, and also Oliver Sild, CEO of Patchstack, provided some verification of their work. That was very interesting to a lot of us. I think Kathy Zant and some other colleagues put that in front of me. So we have ongoing conversations about security, of course, and Kathy is an old pro and has been a great mentor. If I don’t see something, likely Kathy will draw my attention to it, so there’s a lot to follow in the security space. And what came out, really the crux of it all, and particularly Calvin’s research, was that, as a lot of us had long suspected, if you’re running essentially a kind of virus scanner type program through a plugin in your WordPress site, it’s running within the same PHP process, in the same environment that the malware is. So it’s only going to detect; it’s not seeing it coming way off. If you have a malware scanner on your network, if your host is providing one, if Cloudflare or some other kind of firewalling solution sees it further out, it doesn’t reach your site. But once it’s on and active on your site and executing its own code, there’s really no reason why it couldn’t check to see if you’re using a security plugin, any plugin or any security features, and then start to manipulate them. And what Calvin in particular brought out with his report at Snicco, his security company, was that this is happening, and he gave proofs of concept. He didn’t reveal specifically how to do this, but he gave the proof of concept and others verified that, and then it was others who pointed out that yeah, we see this happening in the wild. So that’s kind of an eye-opener. And I’m surprised at the extent that people really trust those scanners or think of them even as a form of security, because I think properly they’re at best a cleanup tool. Someone intelligently came up with a good analogy on Twitter: why would you build the fence inside your house? You want to put the fence outside the house. Once they’re in the house, they’ve got free run of it. So that’s the problem with malware scanners that are running out of PHP, running with the application, like with WordPress as a plugin. So we don’t have one, never have had one. When I started working with iThemes Security and came to Stellar, some of the early conversations I had were to get my head around the product set, and I’d used it a couple of years. I’m pretty familiar with all these different brands and products; we’ve gone in and built a lot of things with them at different times, but it moves so quickly and it’s not what you think, what you thought of them a year ago or even six months. And catching up with the lead developer there, it’s been Timothy’s baby for a long time, it’s like, this is really interesting. People kick us around for not having a virus or malware scanner, and you know, I haven’t used one in like 10 years, since TimThumb ran loose, which is still an issue that is being dealt with, with some cool stuff in core around dependency chains. Like, what do you do about that when your plugin is fine but it’s using something else that another project someone else is responsible for? I relied on managed hosting; it has been awesome.
And yeah, our parent company Liquid Web brought Nexcess into the fold. I’d been using Nexcess for clients almost since they started in Michigan, when I was living across the pond in Milwaukee. It was like one hop; this is pretty fast and they know WordPress. I shifted my client due diligence and education, and concern for maintaining client sites that wouldn’t get hacked, to things like hosting and then building the site in a secure and hardened way, where malware scanning is not part of that on the application level.

I don’t think it should be. I’ll break it down even more simply. We were talking before we went to record. I’m an old-time security guy and come out of an enterprise, and to this day, on a home Windows PC, you will not find a malware scanner running on my PC, for exactly that same philosophy: scanning from inside what potentially could be infected. So if the operating system gets infected, what good does that do me?

You know.

Yes, and I’ve gone to that philosophy. My brother used to do corporate sales for AVG Canada, and he’d say to me, you probably haven’t run a virus scanner in years. And I said exactly, because there’s no... It’s the same philosophy, and people don’t get that you’re better off to follow best practices than to rely on a false sense of security.

Yeah, yeah. And I think that’s a good comparison, especially for those of us who remember running things like AVG and McAfee Security and Norton. And I remember back in grad school that you’d go and use a university computer lab at North Carolina State, and there were just macro viruses infecting everything from Word documents and stuff, and everyone was getting worms and viruses. I mean, using a virus scanner was not guaranteeing anything except that it’s like taking a pill that you hope is like an antibiotic; a lot of them were packaged like an injection, like medicine. You know, that was the concept: we’re already ill. And that was because Windows especially was not engineered for security the way it is now, and things have come a long way: not giving root admin access, number one, assuming that the person logged in should be able to do everything. And you’d be surprised on WordPress, yeah, thinking about user management and policy. And this is something I hope we’ve talked about for a long time and write about with our freelance and agency folks: that’s a value-added service that people are going to appreciate more and more, to sit down and talk about this particular site we’ve developed for your business here. OK, so you’ve got your team, other vendors maybe who might be accessing it; who, what, how are you going to handle the different levels of access that come in here and follow that principle of least privilege, need-to-know basis, and just get them more participating in user policy and user management for their own protection, and to understand that that goes all the way down to your computers, devices at home, and remote work is driving our need to be careful even more.

No kidding. And you know, in the website world, especially the WordPress world, every site owner I know, after I do a build, says I want admin rights. And my first question is why? Why do you want it? No response, because I own the site. And I said, and you’re on my care plan. And that’s just the way that conversation usually goes, because I’m a big fan of getting people access to what they need to do their job, not everything because they can. That’s the wrong way. And I think part of the problem in the WordPress world is most agencies, most sites I look at that are in trouble, there’ll be 5 admins on the website and I’m like, why? No kidding you’re having problems. We need to get into this where we need to start looking at user roles and think: what do you need? And we need to educate agencies to tell their clients no. To say no.

Yeah, no password sharing, please. And that’s why I’m really proud that we brought, again, Timothy gets great props and credit for bringing passkeys and passwordless login into iThemes Security. It was the first one to do passkeys, and I think that’s going to be a big lifesaver. Things will really change, and Google is pushing that now. I think in the next year or two we’ll stop having passwords to a much greater extent than you might imagine right now, and it shifts more into the biometrics and things that Apple and Windows, Microsoft, have built into their devices.

But we have to be careful there, and I’ll tell you why. Say tomorrow you become incapacitated. And then you’ve got a wife. So we’re gonna go down this road, and I know there are some listeners who are gonna be saying, why are you going down this road? I’ve used Face ID to unlock that iPhone, and I’m incapacitated. If you’re gonna go to all this biometric stuff, you still need a backup way into that phone, because most people don’t know...

Right.

Apple will not unlock a phone just because you’re the trustee on a will or you’re the trustee on an estate. I’ve heard cases where Apple said too bad, go away. And that’s a problem. So we really gotta think moving forward with it. And I know I’m sounding morbid. Oh, what do we do if something happens? What do we do if somebody dies and we’re all using biometrics? That’s a bit of a problem too, then.

Oh yeah, yeah. I’ve had my thing set up in my Google accounts for a long time where every once in a while it reminds me it’s there. It’s kind of that dead man’s switch kind of thing, like if you don’t reply after a while. I forget quite how that works, but it’s got my oldest daughter and maybe some other people that would be able to step in in case I was... you know, I don’t know if they want any of the junk I’ve got in my digital life. But yeah, I’m sure lots of people need to do that.

I’ve actually got in my safe a master password list that says in the event that you need to open this, here’s how, and it’s got basically an export out of my password manager, as I do every month and update it, just in case something happens. And then my phone: I’m an Android phone user, so I’ve got face ID set up on my phone, but in the Android world you can set up a PIN as a backup. So I’ve gone now... What do you think of password managers, since we’re on this track?

Right. I don’t like passwords. I’ve done a bit of writing about that because it forced itself on us as terrible but terrific news stories, when there were so many things to learn from the LastPass breach last year, and then they did all the wrong PR and internal things to destroy trust by covering up, not doing full disclosure. Yeah, that was bad. So as a company we quit using LastPass, and I wrote an article about that on the iThemes blog, and I kept updating it because it kept getting worse: more would come out, and what they said previously wasn’t true, and it was worse and worse and worse. That was a developer who didn’t update some software on his or her local home machine, and it was like 2 years out of date, and they got targeted and got into the whole developer side of the whole company, not just LastPass.

So we quit using LastPass at Stellar and shifted. Bitwarden, I know a lot of people use it. It’s the totally open source, run-your-own-server one that a lot of people might want to go for.

I do.

Personally, but as an organization we’re on 1Password now. I still avoid using these things because, and it’s funny, Bitwarden, I think you have to pay; they were very slow to introduce sharing features, and that’s what you pay for. That seems to be what most people want to use them for, and when you have teams. I wish that for software that you’re inevitably going to have multiple people using, there were better... there are a lot of ways we could make that more secure. But any kind of password sharing, login sharing of any kind, is just inherently insecure, because who knows? I could be copying it, writing it down. I don’t know what you’re doing. If I’m the only one who has my hands on my own password here, it’s all on me. I know what’s going on, at least if I’m doing something dumb like writing it down, printing it out.

I agree. We will do dumb stuff when it comes to security all the time. For example, you go get that rental car at the airport, and what’s the first thing you do? You take your phone and you join it to the rental car’s Bluetooth, and before you know it, all your contacts are in the Apple CarPlay on the rental car, right? Or they walk into that hotel room and they go to the TV, and the first thing they do is say, I wanna watch Netflix. I can’t be bothered to connect my laptop. So what do they do? Log into Netflix on the hotel TV. Right? Things like that. And it’s funny, when I travel, I travel with a travel router, so that’s basically routing to the Wi-Fi, and then I carry in my bag a Google Chromecast that only connects to that travel router. And I refuse to connect any devices directly to the hotel Wi-Fi. And then I use a VPN for multitudes of things. I mean, but I don’t have...

I think that is probably becoming more common. You know, like 5 or 10 years ago, some people thought that’s extreme. Do I need to? But hopefully accessible consumer products will come about that will help give some of that level of protection on travel, because yeah, it’s a huge, perfect place to target people. Yeah. And I think the...

And then while we’re at it, please, please, please, folks. The FBI released a news item earlier this year on that 10-year-old problem: don’t take your smartphone and plug it into that free USB hub on the bus, in the mall, in the hotel, in the airport, on the plane, because those have been hacked too. So just don’t do it.

Yeah, it’s interesting how much trust there is and has been, and that it’s really convenience and laziness. I think if people are asked to stop and think, do you trust this? Then it changes the story. Do they still exist, these USB devices that get between your phone and something else? It’s like a USB condom, I think some...

Yeah, they’re still there.

One was marketing it as that. Boy, yeah, you have no idea what’s going to happen if you just plug directly in. Does that change as we’re moving away from USB? The technology is changing. But yeah, I don’t know if there’s any hardware-level security still on that. If you stick a USB-C device in, does that change anything?

Have they?

There are devices out there, but how I get around it is when I travel, because if you’re plugged right into power it doesn’t matter, right? If you use a traditional adapter. So I just carry a portable power bar that’s got USB plugs in it in my travel bag. If I forget it, I don’t even want to go. And the other reason for doing that is a lot of old hotels don’t have power where you actually want it. That’s another story all over again. But it seems people need to think about, like, do you think? And security, it’s a tough one. I’m reading a book right now called The Art of Deception. Do you know who wrote that book, Dan?

No, no, that sounds good.

By the legendary hacker Kevin Mitnick, and what it talks about...

OK.

...is how to hide on the Internet. So one of the stories Kevin tells is there was a drug lord in South America, and he was pretty smart. He had seven burner phones. There’s only one problem. He made all seven calls from the same location. So even though he had burner phones, the police were able to triangulate his location on the seven burner phones, so he might as well have made all those calls...

Right.

On this accident cell phone.

Yeah. Yeah, I do. You read, do you follow Bruce Schneier’s stuff?

I very much so yeah.

Yeah, he’s great there. There’s so many interesting stories that come up from people like that who work deeply in security. And it really is a way of thinking. It’s not just tech stuff there it, the tech intersects with the physical and the social and really the the psychology. And how people interact and what trust is. And yeah, deception is unfortunately probably. On the rise and trust on. On the wane in many parts of the world today, which complicates things in open source.

It does. One of the things I would suggest on a WordPress website just taking a product like yours, SolidWP Security and turn 2FA on. Just do it and do it when you’re done listening to Dan and I because that will solve probably 50 to 60%. Ugly like. It’s really hard. We’ll do that now, the other tip is from a guy who just lost his smartphone, so we don’t even want to go there. I actually watched the bus, I dropped it and watched the bus. Run over the third. You you take your authenticator app, so if you’re using Google Authenticator, it now will back stuff up to the cloud. We know that if you have a tablet, an iPad or an Android tablet, make sure the authenticator app is on two devices, not just one. It comes in real. If you have a problem.

Yes. Yeah, it’s never, it’s. Never going to be easy, but I think. Passkeys will make it a little easier and people get a little bit more used to multiple devices and. Yeah, it’s complicated. Even family sharing is can be tricky. Yeah, it’s it’s definitely. Not going away in our lives.

I have like 4 devices so I don’t you know it’s really complicated and that doesn’t count my PC in front of me. So make that 5 so it it doesn’t go away and I think we just got to be aware there’s a lot of bad actors out there. I hate to say it and they’re getting.

I always try to think of user experience through like my grandparents when they. Were alive because. I I put together somehow got a 286 Intel 286 machine for my my mom’s dad running an early win like. Beta windows or something? It was 3.0 I don’t know but. You know, I’ve seen. I’ve spent a lot of time with a lot of different people using trying to use different interfaces and and things and that kind of grounds you in the realism of of. You know what? What people are going to. Do and what? Around security or what? They’ll. What they’ll put up with and something like a passwordless login is nice if you can get. If you can get comfortable with your 2FA. That’s great. I think getting passkeys once they’re set up, that’s really convenient. And yeah, for WordPress we have. iThemes Security has a has long had a passwordless login that’s essentially like a kind of 2FA where you you put in your e-mail or username and it sends you a link to the e-mail associated with that account. Then you just click on that as it comes to you and boom, you’re you’re already in. That’s that’s really nice for. For people who. I mean the the. Pure just password and username. Steiner is a lot of folks and I’ve worked with a lot of. Older clients and and even not. Older folks who. You know, for whatever reason, their their password practice is 1 where. They’re they’re writing something down or trying to remember it and forget and go through the recovery thing. And I don’t know, it’s just there’s so many ways to frustrate yourself still with that. So this the passwordless login with just sending you a link is is really nice. You don’t have to think.

Moving on to WordPress, exciting time. There’s a lot of changes going on. What excites you the most in the WordPress space right now?

Well, a funny little things lately. Just the the stuff on the top of my mind is. Is pretty pretty small in some ways. I was tweeting last night because I I noticed that wordpress.com which which I used for some some blogs.

58.

Has maybe finally standardized a feature that will we’ll see in Gutenberg at at some point for doing footnotes, and I’ve always struggled with how to. You know, you really need a standard way to do that because it’s. There are kind of paratextual part of the content, but they stand outside. It’s there, you know, in in serious documents or writing, you know, that’s where you put these. How do we standardize these and make them portable? That’s never really been there. There’s lots of different ways I. I’ve had fun migrations later because we had footnotes and. Drop caps and things you know for typography. And then it was shortcodes and you had to somehow deal with this later when that was no longer a viable solution. So I like little things like that. And just as we’re doing continuing this, this. Evolution of the site editor and just I guess we’re calling all the editor now. The Gutenberg has matured. There’s there’s always neat new little little things coming out in there, but the big one now is the the collaboration stuff. So I’m I’m looking forward to seeing how. How that plays out?

It’s going to drive hosting plans, I think because I. Think, which is the traditional 299 hosting a month plan and we know what hosts do those type of plans. I’m not calling anybody out, but those cheap resource plans are gonna go away because collaboration won’t be capable of handling.

Right. Yeah, I’m sure it’s it’s a feature that many will want to turn off. I think a lot of hosts have this. I wish they’d tell you they they kind of quietly turn off revisions. You can you can get a lot of overhead from revision tracking, but you really want to know when if you’re thinking it’s on and it’s not and then you need one. Yeah. It’s. A failed backup. So yeah, that really really makes your your hosting and I that’s very close in my mind to security is performance because you see how. When people are frustrated for. How that how their WordPress site is working? How it’s running on in performance they do things to. They do hacky things or add things to cut corners, and there there can be security implications to that. A nice a nice quickly responsive experience is is where you want to be. And yeah, I don’t know about cheaper hosting plans on either security or or. Performance anymore but. And then they. No, go ahead.

And then I can’t get to a WordPress podcast these days without asking the two letter question. Everybody’s talking about AI and that’s my that’s a minefield in itself because I took a couple weeks ago. I was playing around, I built a plugin. For fun, using AI to do some meatball task and then I looked at the code and said oh crap, I don’t want it. I would never use this. It was an experimental project because the code was security laden. So like if you’re gonna use the AI to do stuff, be really careful for what you use.

It’s a.

Oh, yeah, yeah. Well, it seems to me that it will amplify problems that we get from just Google Googling too freely. It it’s a really interesting thing. I I got to to do some writing and like a lot of a lot of good long writing, I don’t know what I think about it initially. You know, it’s going to write some stuff about AI, for cadence and and or stellar blog and. Did one one interview about it, so I had to come up with some some opinions and playing around with ChatGPT, you know, and not reading quite a lot about it, yeah. Kind of got my I think. A pretty long view on it I. Don’t. There’s a lot. Of fast moving stuff in the news and I I kind of ignore all of. That all the oh, it’s. You know really bad or. Yeah, you know, or the most amazing thing ever. I think it’s a lot it. Takes a lot of work, it’s. A it’s. A. It’s not another mind, but it’s sort of. Kind of. Like that in some ways, and if you if you don’t switch ears off if you aren’t just like. Google for a code snippet. Bam copy paste. You know that’s that’s never been good. And if you’re doing that with an AI like tell me this and then, you know, trust whatever it it says it. I’ve had some pretty good plug-in code generated, but I think it’s better as a. This is this is where it gets where it gets tricky because people just this is a security thinking type of thing. To limit yourself. UM. Would you just go on the street and ask someone for some kind of random code and then plug it into your, you know, or pick up a USB key and from anyone, and then just it’s that kind of thing. The AI isn’t trying to hack your site, but it may give you some. Crappy code that makes it vulnerable. In really any field I did I put in. A bunch of medical data. I had some diagnostic medical stuff to see how ChatGPT-4 would handle that and I blogged about that at length. It was really interesting. For subjects where you know. A lot. You can evaluate and you can evaluate and edit appropriately the responses you get. It’s great.
It’s like having a. An assistant like a junior, you know? Research assistants or something, but if you’re using it to give you answers about things you. Don’t know at all. That’s that’s where you run into problems and in between is is the learning opportunity. I think if a lot of the times you’re asking so you know kind of pretty good working knowledge but. If you can learn something new, even better. So you kind of have to get your mindset in. I’m having a dialogue here with an. Intelligent, you know, June. Maybe, maybe sporadically. You know, they know this field really well in some areas, not others or you. You have to fact-check everything if you. If you work very critically with it, it can be a a learning tool for you. You can ask creative questions like you know, have it evaluate existing code. Or look at two different ways to code something. And kind of raise your confidence level that you understand what you’re asking for and you understand what you’re getting back. I’ve done. I’ve done less very little with coding and more like learning as I was learning more advanced stuff with spreadsheets. And then just completely different fields I like to. Doing things like translation and trying to get ChatGPT to do poetry. Which I don’t think it’s. Going to be good at but.

If you can.

Thanks, Dan. Have a great day. Bye for.

Now, all right. Thank you.
