Episode 390: Blogvault With Ashkat

Everybody Rob Cairns here and in today’s podcast I have my friend Akshat from Blogvault  with me. How are you today?

Hi. Well, I’m glad to be here and I’m. Doing well. Hope you’re doing well too.

Yeah, much, much better than the last time we spoke. So life is a little better and you know at the time of this record, it will we’re. Bearing down on the Christmas season in North America, so it’s a little a little crazy right now to say the least, but that’s OK. It’s Toronto is sunny and freezing today, so you know, that’s the way. It goes.

Do you have like 10 feet of snow outside or is that how it? Is in Toronto.

No, there’s no snow. We. We won’t even have a snow till January at this point in time, it’s pretty. It’s a weird year, to say the least, but. It’s cold. So it’s OK. I’m into the podcast and. Before we get into product discussion, stuff like that, I was like, ask people, how did you end up getting involved in more press than what you’re doing now?

Right, that’s a that’s such a good question. So I go back to WordPress maybe 13 years now or 12 to 13 years and I consider myself a WordPress outsider, so I used to work at a tech company building high end networking devices and hacking previous teams on that essentially. So from that to. Two workplaces like day and night transition. So what happened was the bloggers. I would follow his site had crashed. And I was. Like, OK, fine. If if this this cycle has crashed and this is. The guy who? Is really famous. He’s the founder of Stack Overflow. Sounds like OK, fine. If if he cannot keep a side running, then maybe there is a need for this problem and I’m. I’m a smart guy. I’m going to solve. This problem in like. Two to three weeks. Yeah. Those are the, like, the famous last words. It’s been 12 years. And even now we are making backups better. So that’s the transition. So we found out, like, what’s the software they’re using to create? A blog, and that’s where the name also came from. And that happened to be WordPress and then I got deeper and deeper into WordPress. So that’s my entry into WordPress.

Oh, that’s really cool. Let’s jump into just a general security discussion, because we’re gonna go there. I mean, there’s no question is it is it securely a bit of a problem that a lot of website owners, they’ll take it serious enough in your opinion.

Yeah, it’s actually really sad, you know, in WordPress you people say they’re taking it seriously, but they don’t really like the hack is a very, very major event, if you. Think about it. It is something which cannot be taken lightly at all and in workers. It’s. Oh, yeah. OK, fine. Thank your hat. Let’s fix it. And then let’s move forward. And that. That attitude is is actually coming from, you know, just the other end of spectrum does it? That doesn’t sit well with me even today that that perspective of security, he understand why it happens, but I really cannot. Make peace with. With that, the the casualness with which security is taken in WordPress.

No, I I agree with you. And one I think one of our biggest problems and I’ll say this and I’ll say this and I’ll say this, there’s a couple of them. Number one, people don’t keep their sights up to date. We all know that, right? That’s a that’s a problem. Usually by the time people like you or I look at sites and they got security problems. We’re dealing with old versions of core. We’re dealing with old versions of plugins, and it’s like, why haven’t you done something about this? The other problem is and as far as I’m concerned, one of the biggest problems is we don’t take user role management. Very seriously. So by that you set up a new user. What do you do? You give them administrative rights to everything and that to me is one of the biggest issues ever. As what we need to do is start realizing and say no, not every user needs admin rights. I’ve got a site I’m working on right now where there was 20 administrators. So what did I do? The first thing I did was I took the I made them all. Diggers and nobody’s complained at me in 2 weeks, so guess what? They’re not getting him in rights back. That’s just the way it is. It’s not happening because because in the corporate environment. If we take ourselves out of the entrepreneurs world and you go down to like a Fortune 500 company, there’s no way a bank would give a teller access to everything. So why do we do it right?

And it is such an interesting one. And actually I. Have two two ways of looking at. I’ve I’ll have two different thoughts on it. Once people have admin rights all over and the reason is there are so many people who end up touching the website, you know so people change. People will change their developer every few months. Every few years. And then somebody else from the team will come and each one will keep piling up all of these things. And there’s no one. Going to clear, going in there and clearing the deck. And if you and if you’re scared like you mentioned, you know you even you could. You were like fine if our people were to complain. Even editor is a friendly if you ask me even. Editor is a fairly. Fairly high privilege role and you don’t even want people to be editors because there’s a lot of damage that an editor can also do so. That’s that’s one. Way of looking at it, but I. Also understand why this is happening. And we see this all the time like with all. The data that we. Have it’s insane the number of. Administrators that exist on almost every website and people don’t. There’s no awareness. Also of it frankly, like now the other side of looking at it. Is you know how many sites do you get hacked because of this, they do get hacked. I’m sure of it, and we have seen that data also. But plugins is the main vector, you know, vulnerabilities are the main is the main vector through which sites get hacked like and by an overly majority. So it’s the balance that you create. And I think in workplace space, actually, if you think about it, what is the workplace is possibly the only application which a normal human being is managing like a web application. There’s no other web application a normal person ever thinks about running themselves. Like it’s all. Yeah. I can’t think of another one which, you know, every business owner anyone is managing, which I I can’t think of any any other application which is. And this again makes it. So I think the complexity that comes with having something which is so prevalent. Like the web application being in every person’s hand and the world should not be like that. Actually it is countered to the normal normal behavior. If you think about it, this is not.

I agree, I agree. And the other thing we gotta be very careful of is what we call social engineering attacks. So in the last couple of weeks, I don’t know if you said there was a. An attack going around where and I forget who it was off top my head. They sent out an e-mail that looked like he came from wordpress.org and saying by the way, click here to download this plugin and it was a phishing. By the way, it read the e-mail, they didn’t spell WordPress properly, cause we all know WordPress has they tied in it right? And then you need to do that and. A number of people. Excuse me, including one of my clients actually clicked on the e-mail and what it does is installs. A pile of back doors like we just gotta be really careful what we do. And then frankly, if you don’t know.

Ask some.

Because it’s a problem.

Yeah. No, I I’m such an interesting thing that people will make all of these mistakes that impossible, like I mentioned. These like, even if you ask me, I should not be running like such a web application of them. Lots of people on the team who should not be running because they just don’t have the right capability to do so and then expecting them to be so mindful. Is we are going to raise the grain and which is why actually I think that the answer to all of this is instead of user education is technology.

I agree with you. So let’s jump in. You work for Volvo. What does your product do? And basically in a nutshell.

All right, so block one is was the first that’s that helps you back up over this site it it’s a complete service, it’s not like a just a basic, it’s not a plug in and we consistently backup website which no one else in the world can simply because of the way we we have structured and the amount of effort. Built into it. That’s our first product. The second product, which is where security becomes. So with something I’m so passionate about is Medicare. So as we were doing backups, what we realized is that a lot of people were using backups and we’ll go in there and ask them why are you restoring from a backup? And they would say that I’ve been hacked. And then we would help them go back into the history to know when they got hacked and we would see that they would be hacked. They would have been hacked for six months before they realized that they’ve been hacked. And they had all the security plugins in there. They were on every single web host that you can think of, and they would just not identify them anyway. So we thought, OK, fine, this is the problem. We think it can be solved using technology and we got we went head first into solving that problem first. Actually at the Manger scanning tool and we thought we built a algorithm from ground up. We didn’t really rely on any of the standard. And those kind of those kind of systems, but rather we said that, OK, fine. Malware in this case is code and code can have infinite. Combinations. There’s no there’s no significantly for it. So how do you solve this problem if there is infinite?

No, and I.

How would you like?

I agree with you like the problem with taxes and you know, having come from an enterprise background and being involved in security and then being involved in security in WordPress, I just what most people don’t understand is they say ohh I’ve been hacked, let’s do a restore from yesterday’s. The only problem with that is the smart hackers. It just the payload 2 months ago and let it sit there dormant for two months. So even if you go back to yesterday’s back up, guess what, the payload’s still there. So it’s one of the week. It’s one of the reasons I’m a big fan of keeping. Backups that go back many, many months, not just a couple weeks because you never know where that hack is, and sometimes you have to go back more than you think.

Yeah, but then the the the downside of that is content gets created on the website. So in fact, even even the older bankrupts, you know, a normal person does not know how to identify which backup is clean and not. In fact, if you ask me, forget a normal person, even you take some of the most sophisticated plugin developers, people who are totally all agencies, and we consistently see them that there is, they just do not have this of the understanding of what is happening when it comes to. Mandate and WordPress. It’s just I actually had somebody which how would I respect tremendously. And really, smart guy, really smart. Technically, I was talking to him recently and the number of mistakes he made and the approach he took, it’s confounding. And you know that. It’s it is not because he’s stupid, but there I think approaching it, understanding it from first principles is really difficult. And yeah, what? We need to do is approach this from first principles, because if you approach it like ohh yeah, OK fine this there’s this people doing. You know hackers are, you know, there’s there’s a there’s a, there’s a mystique around hackers. Right. And and the process that actually if you think about it, I keep coming back to it, it’s a technology problem to to us all of this is a technology problem. It’s not a you know you can talk about. Your user and you could talk about. They did not update their website and the problem is they will not. People will not because it’s so painful that you there are people who do update websites. But but if you look at 100 right before between the discovery and the and when the vulnerability really got introduced in the software. There is like in almost every case there is months or years of time between that happening and it’s not. The good guys are only and we see this because we have a firewall which is protecting hundreds of thousands of websites. We see the data that attacks are happening even before. The public announcement of availability comes in, so there is no patch available. And how do you solve it like so again you need to look at it from first principles and and again. The reason I’m saying all of this is not to scare people, but. Actually, to understand how the only way you can solve it is by actually recognizing. All of this, then, am I saying that do not do updates? No, I will say that updates are the most important things you should do. And why? Because most cases.

Are you?

Most cases the attacks happen after the public announcement, so that’s also true, but.

Yeah, I agree.

So for example, there is this tag day vulnerability. And there the announcement came in. There’s an excessive attack. I think it happened about two to three weeks, and since then there have been over a billion attacks from about 20. It’s on only our sites, a billion, which have been blocked.

By the way, and that’s because. The hackers read the vulnerability reports as much as the techie guys, so they what they do is they basically create a bot and for those who don’t know bots, I can automate it. Basically strip that runs around and does whatever it wants to do and it goes out in the head. Like can I? And how how do I deal with it? And it’s it’s one of the hardest things that people don’t get is most of these hacks are not targeted attacks. They’re just. Going at there are some. There’s a difference between scripts and targeted attacks, and we all know that. So the problem becomes. The minute you put out a vulnerability list, part of the problem is not only helping people, you’re actually hurting people because you’re telling everybody the vulnerabilities there.

Yeah, absolutely. And and this is and and you don’t have like blame them, this is the, you know, responsible disclosure. It’s again it’s not new to WordPress responsible disclosure as the system has been around forever. And I think I have not seen anybody not follow responsible disclosure. Because if you don’t do responsible disclosure or for example if you just let the patch come in and then sit around for a month before you release it, it does not mean that the hacker has not seen the patch come in, even if it’s not labeled as the patch. Because yeah, you just need to know that looking at the change list, it takes 5 minutes. Once you once the change list is there to identify what the what the change list is about. So you don’t need to be extremely smart to. To to devote that so it makes sense to make that announcement early, but at the same time, you know that the attacks happened beforehand, but. We have seen this consistency attacks. Happen even before the rest. Of them, it happens all. The time like you just see it. There are are. I can just you can just go back in history. In fact, the very first famous attack was the one which Mark Maunder found Ginther, but I don’t know if you remember. Yeah, it was one of the really that was the one which really I think brought security into spotlight in one place in a manner because so prevalent everything was getting half left, right and center and even there the before the discovery was made, sites were hacked like and Mars.

Yeah, yeah, it’s. So it’s so true.

It’s the. So yeah, the history and the things are now how do you solve this problem given all of these constraints that normal people are using your website? WordPress they’re adding admins they are adding. They’re not going to update stuff, they’re going to use weak passwords, and they’re going to do everything that you. Can think of. And how you still protect their sites? So and I still think it. And personally we feel that it’s still so solvable problem and that’s actually that’s that’s the thing that we are going after instead of trying to say that.

I am so much I am so much in your camp like I agree with you. Like 100% like with the philosophy, right? It’s just people. Yeah. People don’t understand. And the other problem is a lot of business owners trying. DIY their websites. I don’t believe you can DIY security anymore. I’m sorry, you just can’t do it anymore. It’s because yeah.

Yeah, it’s not possible.

No, I don’t. I don’t believe it’s possible you if you don’t live in Breeze security and you know what’s going on every day, there’s no way you know how you can stay on top anymore. It doesn’t have.

Yes. And you know actually what we are doing is we are actually just conquering with everything we are saying to each other. And it’s almost like we’re we’re we’re acting as we think should we should, we should talk about some of the contradictory stuff because I do know that about a lot of things. A lot of things I do disagree with when it comes to security with your approach. I’m sorry. I’m trying to digest the thing, but because that’s something which I don’t. I don’t want to miss out on the time for because I know that we have been going back and forth and finally getting a chance to talk. So that’s something I think again, this is very interesting to the. To the audience.

So what? Yeah. So let’s jump in a little bit. I’m with your mail care product. Does your scanner run inside WordPress or outside WordPress?

Yeah, so it’s runs in inside WordPress, it runs. In the context of WordPress.

1. So the the part. The only issue then becomes is what happens if you have a piece of malware that turns off the scanner? Where does that? Where does that leave you because. I I’ve always taken in past the approach and it’s just my approach. If you’re gonna run a malware scanner, I don’t care if it’s WordPress, if it’s a Mac, if it’s window. Because you should always run the scanner outside the environment you’re working in, because if you’re already in the environment, there’s always the chance the environment could be compromised. How do you? How do you deal with that?

And and you know logically what you’re saying makes sense. And this is where I I’ll tell you, there are two parts to it. One, I think, and we have insane amount of data around. This that frankly like, even with so if you compare scanners which are working within the WordPress context, all the scanners actually are slightly different. So if you look at WordPress, WordPress, WordPress is running within the context of WordPress, there’s nothing happening outside. It’s connecting to an external server to get signature.

OK.

And stuff like that. But it’s not controlled, so even if somebody, some a hacker. Goes in the disabled. Boyfriend. He will not know about it. With mail care actually everything is happening on our servers. All the hardware is up by our servers. So what we do is as soon as suppose someone goes and disconnects mancare or disables anything, you’ll be the first ones to know and you set your alarm right away. You can try. You can try installing malware and go and disconnect, deactivate the plugin and you will see that you will get a mail right away saying that. The plugin has been deactivated. Now plug deactivating the plugin and again people don’t understand this difference. That as soon as you have an external context which is overseeing your website, then the limitation of the plugin, even even in that case, there are certain ways in which, for example, and something again which the famous Calvin Calvin’s post talks about is for example, you can modify the curl request. In actually, in our case we don’t use the call request. You know every request is driven from our server. So, so you can’t really overcome that. You can’t. There’s no call request. It’s we’re not trusting anything that the site is doing.

Yeah, but which is probably a better idea. Yeah, that makes sense because you.

And this is not a defense of frankly, this is not a defense of male care, but I’m trying to tell you that it’s so easy to brush everything. And the argument I will make it actually the opposite is if you look at any other malware scanner. Out there or WordPress, they’re all ship. Not market specifically what I’m trying to tell you, the underlying layer malware scanners, they’re all garbage. There is so much malware it’s not even funny. Memory can sit in processes. It can sit in, you know. They can spin up process and we have seen everywhere they can sit in crontab, they can sit in database, they can sit as they can create an admin user, they can create files and files again like I mentioned the plugins the sorry. It’s basically code. There’s infinite code that can exist, and identifying that using for any of the other traditional mechanism. Is just insufficient. You. I can’t. I can. I can, like. And that’s where the thing becomes. That’s where the argument becomes much more nuanced and complex. Right. So one is can you can a can a marriage cannot reside inside workers? Absolutely it can can a marriage cannot decide outside workers it can but it has its own significant drawbacks. When it comes to that, because it does not have the context that of someone sitting inside workplace has at all. Especially since further when you look at her. Sorry, go ahead.

So in terms of Mao Care, though, say for example. Vulnerability A for the sake argument comes out today, and it’s a zero day. How long does it take your team to get and what do you do to deal with that zero day from your perspective?

OK, so this is actually such an interesting again, can we like go deeper into it because again the answer is not straightforward. A lot of yes. So we do push out rules for zero to 1 abilities all the time, any major 0, but not every single one because not every single vulnerability is easily exploitable.

Yeah, of course.

Required in and a registered user of a certain privilege which is which does not exist in the world like it’s very difficult to hackers. Don’t try try to attack those. So they do, but much, much rarer. So creating zero day rules for those are not important like I think can also cause damage because and, which is again something that you’ll you’ll see we can talk about that separately, but we do push our tools as soon as any any major disclosure is made. The big element of availability, the big element. Was very important, but the bigger immediately after that was the essential ability, which was. Which was really, really dangerous. There were like a 99 counter and unfortunately Elementor got blamed. For both of them.

Yeah, they did. They did drink.

Even for that, people sell foods, but in the law. And frankly, I don’t think pushing out rules is. The right answer. Because because I mentioned that attackers are attacking websites even before the discovery is publicly made. Or White Hat Hacker identifies the the variability. So in this case actually again, So what we did is and we are still in the process of doing it is we have gone through every single major vulnerability in the past five years, these are. Thousands and thousands of. Vulnerabilities, not the not the 5-6 pointers, but every single medium with 789 pointers and. And I think pointers is the wrong way to. Describing it at the moment, it goes slightly different, but just for the sake of conversation and anything with the highest vulnerability score, they’ve gone and identify what the hell is actually. Happening with each. Of these vulnerabilities. And we feel that actually, workers being open source and the way the architecture of workplace means that it can be protected in a manner which no other web application can be. So the patch mechanism of updating a web application is what goes back 25 years, right? Availability comes out. You pack it by a firewall rule. Now why do you need to do that? Because your firewall is sitting. Outside the scope. Of the application and the application itself is not like a widely. It’s like there is only limited usage of that application. Right, whereas workers is a completely different beast altogether. And now how can you change what happens when you understand what is happening with WordPress? Can you go in and find out what exactly is happening and how those sites? Get hacked in some. Ways. If you think about it, that’s. What the OWASP top? Top 10 is, you know, the excesses, attacks and the signatures. Get created for it but. What is and that’s one part of it, but they only cover the part of WordPress attacks, so excesses you have to have a. Good excesses rule. But you also the challenges. The excesses rule, obviously, that there are risks for false positives. Or any of these SQL injection rules. But the advantage is with WordPress is because you understand the application. You can do it in a manner you can tune the rules in such a way that it actually becomes even more all-encompassing without the false positives. It’s not easy to do, but you can identify how the application is behaving for example, and then a simple example of it is. Let’s take a lot of work. They’re actually nothing but a simple website that will be the most complexity they have on it as a form. And we know the form is a very big vector for attacks. Every single major form has a line, severity line vulnerability. In the past five years. Like ninja forms, gravity forms, you name it. They’ve all have a.

White, White, white, you. Yeah. Whitely formed software seems to be a big issue with the tax lately.

Right. And I think the nature of it’s the nature of it, right, because you are accepting inputs which is which as soon as you accept of payload and input from an unauthenticated user and process it, the likelihood of those attacks happen increases significantly. But let’s assume that let’s take this a simple website, which and there are I think half the website. You would have a form plugin on it. Right. And in these websites, if you think about it, the only requests they are supposed to receive? Are 4 requests four types of requests? And those four types of requests can be. Very, very clearly demarcated. And very strong boots can be created around there. So when you start thinking about it in this manner. Then you realize that actually WordPress can be a much, much more secure platform than almost any. Other platform out. There you just need to approach it in a different way. The other thing is something which we call atomic security is. You can go deep into WordPress. So for example normal website should never have an admin user getting created outside it unless you’re an admin user yourself. But and that’s what workplace enforces to some extent because workplace in a plugin can give can do almost anything outside the control of WordPress. It can override this functionality and we’ve seen this happen, so even if a plug in by mistake overrides this functionality, we can come in and block that overriding. So that mistake we get further. That’s it. So and that can be done simply by understanding what is happening in WordPress by looking at all the volubility in the past. So we have seen such vulnerabilities happen in the past where a plugin makes this mistake. We can say that wherever a WordPress admin user is, your WordPress user is getting created. I will make sure that it cannot be an admin, it cannot be an. Editor. It cannot be an author. And actually in large large number of websites, we did not allow any legislation to happen whatsoever because there should not be even a subscriber because that’s the nature of these websites. So as and. And you can enforce it by taking a different approach to the whole firewall and and security. And this abnormal weather application does not give you this this freedom. So how can we leverage wordpress’s power? To actually make WordPress more secure and the most secure platform in my opinion, we can get there. It’s not easy. There are lots of you know, workplace sites that have small or small. There are lots of small things happening on WordPress site. But if you think. Clearly it can be solved and you don’t need to tell people that. OK. Yes, you. Need to go in there. And you know, we should still encourage people to do it, and we should make a lot of noise around there, but also understand that people are going to behave like people. They’re going to look at Instagram and not update their plugins. It’s just the nature of TikTok, because it’s always easier to pick out then. Go in there and figure out and take the risk of breaking your website, updating your flight. So if we don’t, if we don’t accept this reality, if we don’t accept this reality, then we’ll keep blaming the.

So true.

User and we’ll. Keep and we’ll go. Keep going in circles. I don’t believe we should go in servers. Technology can solve this problem. It’s not like, frankly, I think that when we are in the world of elements and AI, what we are talking about here is. Very, very simple tech like compared to that. This is very simple tech.

No, I I agree with you is so if you’ve got a novice user and you and I are both not novice users. So I’ve looked at the product is it, is it hard for a novice user to set up or just to take a little bit of doing?

I think a novice user should just install a plugin and not click on another button. After that there should not be any configuration. In my opinion, or configure it, you can’t like you just go in there you go like you, you have clients, you go in there and ask them to.

So it’s.

Do anything they cannot, and even if they do it in front of you, they’re going to. Go back and just going to be like a school that I’m going to. Find another another agency doesn’t ask me to do this stuff.

I know, I know. What are? What’s the usual looking for cost? Like how expensive is mail care in comparison? To other products.

So if you have a free plan also we don’t advertise it very well. I think our marketing sucks. But yeah, we do have a free plan also we try and give as much as possible as much protection as possible in the free plan. So we will cover that. But we have a paid plan, it’s it starts at I think now it’s. Now it started 149 a year for a single site, but if you are an agency with hundreds of sites, it comes up to $2.00 the website. And this is good backups. Any updates activity log everything like. We throw the whole kitchen sink at it.

Yeah, that that’s actually quite reasonable now with backups. Does your backup product right, you put the backup wherever you want. So if you want to store them, say on S3, you can store them there. If you want to store them on, say, Google Drive, you can store them there. Just you’re you’re plugging allow for that.

So we’re actually a complete service. So you install the plugin and you don’t need to do any configuration. We’ll store the backups for you. So we have multiple redundant redundant data centers. We do incremental backups. Again, those are things frankly that’s a very bad security stance. Connecting your S3 or Dropbox or Google Drive from your WordPress means that if your site. This hack that key can be utilized to crack all the websites that. That exist on and this is a mistake every. Agency on a mix? If you if you think about it, it’s not that you’re segregating and creating separate keys with separate folders for every site.

Yeah. No, I I agree with that to some degree. The biggest problem with backups is actually people don’t test that they work before they need them. They see this all. Time somebody goes, I’ve got backups. There’s a reason why enterprise companies do backup and disaster recovery because they want to know their backups are work. And the best thing I can say is I would encourage any site owner to make sure your backups get tested on a regular basis. What are you using? Or another product like let’s be fair.

Absolutely. I totally agree with it.

Here you ask.

And testing purpose is such an interesting one, right? We have this system called test restore. So we let you test your backups. On our servers. Temporarily. So we have our Web servers running dockerized, fully isolated with the best security practices. And you can recover any backups with the click of a button onto our servers, and Duffy says we don’t want you to play Russian roulette with your website. So what we do is we have this thing called a history page. And I’m sorry, I’m sorry. I think I don’t think that we should be doing a pitch about blog. All that’s not the goal of.

It’s OK.

Yeah, but and, but I think the same principle applies in other places. Also is, you know, you should not be playing, you should do that with your website. You should not be like well, let me test out this backup rather try it out in an external environment with a click of a button. Find out which backup is the right one that you need, and then do the actual restore because again. Coming from, you know, purist application perspective, I would never do that with my. Because we built a very complex has and a web application and you that’s not the approach you take to your web application, you have to be very methodical about the whole thing. And being a being, you know the carbon mechanism of just. Yeah, let’s do whatever. Let’s get this working and I understand where people are coming from. But at the end of it, that’s not our approach. And what we think is how do we make sure that we enable people to not do that.

Yeah. Yeah. So we’ve talked about that. Is there anything else in either of the two products that? You should highlight.

I think there are lots of things, but I honestly I feel very awkward talking about the products in this in this conversation and I appreciate your asking. But yeah, yeah, I know that that was not the goal of this conversation. The goal was to talk about other things.

Yeah. OK. So that’s that’s really interesting and I think I think what it comes down to is people need to sit down whether they use your product or another product and define what their security strategy is. Cause I know when I look at companies, I say what’s your security? Strategy and they said we don’t have one. And I called that plug and play. It’s a very bad idea because if you’ve got a strategy in place and. Something goes wrong. You could do a restore in minutes if you have to, and especially if that’s a high volume e-commerce site I manage a couple. I have one e-commerce site that’s got over 2000 variable products on it. And that’s a lot of that’s a lot of products. And the one of the things we did early on was we sat down and defined, OK, if we have a security problem, here’s how we handle it. So we know that the site owner knows exactly what route we’re gonna go. We shouldn’t be leaving stuff like that up to surprise.

But you don’t have even in the agency world. You are one of the very few who are doing this. We have seen this again and again. You are one of the very few who. Are taking this approach and I think the agency with agencies we, we should expect them to be much, much more fun and it’s not, it’s it is not the norm. It’s just not the norm.

Part of the problem is a lot of agencies are great. Design agencies. Don’t get me wrong. So. I’ve taken the approach of my business. I’ve been a designer. I’ll be honest. I don’t like to build sites from scratch unless they’re for a very specific reason. I would rather spend my time locking down sites and helping people protect their businesses than building them from the bottom up. And I actually do a lot of work for other agencies where because a lot of these agencies are great designers. But when it comes to security, they can’t work themselves out of brown paper bag. And that’s a problem too, like it’s just they don’t have a clue how to deal with stuff.

Absolutely. I think that we see agencies falling under like I think there is the agencies, the designers. But then I think it’s. The auto preneurs. Yeah. And they are there to make clients successful in terms of making their businesses successful. That’s the main goal and that’s where the that’s what we made really sets them apart. And you know that and that’s such an incredible skill set. But that is not.

So so.

That does not enable like men to run a web application of this complexity like typically like and they have to be and this is again we have tons and tons of agencies as customers with our agency level plans but and but we see this again and sometimes it keeps us in business in some way, it’s almost like. Because of this, because they are focused on a different aspect, we can be in business because we are filling in their shortcomings.

Yeah. So.

That that shortcoming definitely exists.

Yeah, that is. That is so true. So somebody wanted to talk to you about Bob male care. Any of your products, what’s the best? Way to get a whole day issue.

So I’m I think you can meeting me or ping me on Twitter. I’m not a very social person. I’m a I’m a pretty much an introvert and but if somebody does reach out, I’m more than happy to to talk to them. It’s not. I tend to be. Can be awkward at. Times, but really happy to chat anywhere. I think e-mail after the blog world.net Facebook at Facebook. I do engage quite a bit. Do you know this Facebook group called Admin Bar?

I do very much so.

Yeah. So that’s where I again, I hang out a bit and yeah, some of the other places. But Twitter also, I’m always monitoring it. So if anyone wants to reach out, I’m there on Twitter too. And action.

And what’s the website?

So our website is https://blogvault.net/

Thank you very much. And you have yourself a wonderful day.

Thank you so much, Rob. Thank you for having me.