Episode 391: WordPress Security With Thomas Raef



Show Summary

Rob Cairns sits down with Thomas Raef to talk all about security.

Show Highlights:

1. Issues with cookies.

2. Tips to help you secure your website.

3. Test your backups.

Show Notes

Hey everybody, Rob Cairns here, and today I’m here with a good friend and security expert, Tom Raef. Hey, Tom, how are you?

Good, Robert, how are you doing?

Oh, doing good, man. You know, it’s funny. We were just talking, as I always do with guests before the show, and I was thinking, geez, I need to start recording these these days, because sometimes the conversations are better than the podcast.

Sometimes, yeah. Yeah, yeah, yeah.

Yeah. So we’re gonna jump into some stuff. There’s a lot going on in the security world. I don’t know if I’ve ever asked: do you use a password manager? Do you avoid them like the plague?

I avoid them like the plague.

OK, so you don’t. You don’t even go to, I know our mutual friend Kathy has this theory, where you put your passwords in but you don’t put the last string of the password in, and you make that part common across all of them, tactics like that.

Right.

Yeah, the, uh, yeah, no. I’ve got my own way of handling things, and people have asked me about it and then they pick it apart. And so I just say, nah, I got my own way, and I just move on.

Thing is, so one of the things I’ve done for years, being in the security space, is I don’t run a virus checker or a malware checker on my PC. I know you’re shaking your head now. What I do is I do a manual scan once a month. But I do not run one, so I’m just as bad. So there you go. And then the other thing I do, which isn’t WordPress related, is when I do banking, I fire up a virtual machine and I do my banking in a virtual machine and then delete the file as soon as I’m done.

It’s delivered.

I can go along with that.

Yeah, I know you can, cause there’s been some issues in Canada where we all know about phishing schemes, right? And people have clicked on fake bank links and then they scream at the bank and say you stole our money. No, the bank didn’t steal the money.

Right.

That’s the hacker. So, interestingly enough, and I know we’ll get to what we talked about, they’re actually saying the best way to protect yourself from fraud in banking is do it from your mobile app on your smartphone or your tablet, cause it can’t go anywhere else.

Right. But, yeah. I mean, there’s plenty of, uh, you know, you see it all the time, you know, mobile app found vulnerable to zero-day exploit and blah blah blah, and like, yeah, I don’t know. I’m the same as you. I fire up a VM, do what I need to do, close it out. It’s all gone.

Yeah, that’s why I do it. I mean, I should tell you, I think I’ve shared with you before, I’ve been the victim of bank fraud in the last three years. And as of last week, since the last time we talked, my MasterCard has been compromised for the fifth time in the last two years. I know, I know. And I’m a security guy. Is that alright?

Yeah, yeah, yeah.

Do you work in a Linux environment, Tom, or a Windows environment or a Mac environment? Which do you prefer?

Um, Windows and Linux.

OK, so you’re where I sit.

Yeah, yeah. I enjoy Linux, but, you know, I grew up with DOS. And so, yeah, I used to call Bill Gates uncle. It was back in my IT consulting days. Every time they came out with a new version of something, you know, I knew I had plenty of work to do. I’d contact my customers and say, hey, you know, see the new update? Yep. Come on in and give us a quote on what it’s gonna cost to upgrade, you know, 600, 660 PCs or...

I’m fine.

You know 900 servers across the country, you know, just give us a price and let’s go, alright?

So I don’t miss those days. I come, as you know, from the same background and I really don’t miss it. There’s a really good book out there. I don’t know if you’re familiar with Paul Thurrott, the big Windows journalist, and he’s written a book which you can get online. I’m trying to think of the name. I think it’s called Essential Windows. He walks you down the history of all the Windows versions. You might find that interesting, but Paul’s one of those really knowledgeable journalists; he’s not a Microsoft fanboy by any means. Yeah. So that’s interesting. I’m like you, I work in Windows and Linux these days. Depends what I’m doing. Depends what I’m looking for. Depends what my mood is. Do you run anything like local storage for backup in your house or anything like that?

Uh, no, not in the house. You know, I have a NAS that I back up everything to, but, you know, we’ve got various places online where I store files and so on. But, yeah, no. You can’t say it’s intuitive, because it’s not. As soon as I start hearing people, and I hear it all the time, unfortunately, from web devs: oh no, I don’t run any antivirus, I don’t do that, I just know what websites to stay away from. I’m like, you do know why I’m contacting you, right? Because you’ve got infected websites. And they’re like, oh yeah, you know, probably some zero-day. They start throwing out terms. I’m like, yeah. OK.

Yeah, I agree. I’ve gone to two Synologys. I have one here and then I have one halfway across the city, at a good friend’s house, so if the house burns down. The compromise is somebody pays the second Internet bill every month. It’s a good deal. And it just kind of churns away. And the way Synologys work is, if you have two of them, you can set it up so they sync automatically. And so they sync. And then the biggest joke in my house is how big the hard drives are that I’m running externally. I’m looking at two external 14 terabytes beside me as we speak. You’re laughing, but you know what us guys are like, right?

Uh, yeah, I’ve got.

You know.

Go ahead, go ahead. But I’ve got systems online, you know. We collect log files from over 10 million websites now, and so we’ve got petabytes of storage online, and people are like, oh, so yeah, you probably just store your stuff up there. I’m like, no, no, no, no, I don’t. I don’t mix personal and business. I do not mix. No, not at all.

It’s such a good point. And I’m gonna jump into, we’ll start with the subject of backups, cause you and I got involved in a Facebook group conversation in Stephanie Hudson’s group, right? I think it was.

Yeah. Yeah, I think so.

And the reason I mentioned backups is you need to kind of test them. So I had an incident, oh, about 12 years ago, 14 years ago, actually. I was in the hospital for a week and I came home and I turned on my computer. In those days laptops were expensive and I was running a desktop at home, and all I heard was ka-chunk, ka-chunk, ka-chunk, and you know what that sounds like, right, being in the business. And my then partner at the time. So what you then do is, I went and bought a new hard drive, and at the time, 14 years ago, it was about 17, 18, I was running Carbonite on my desktop. So I did a restore. I let it run for a couple of days. I didn’t lose anything. I’ve had probably 3 or 4 hard drives go bad, really bad, and I don’t think I’ve ever lost anything.

There you go. Yep.

What is the number one problem with backups? And I know your answer.

Yeah, they’re untested.

That’s correct.

Like I said, I’ll tell people: you’ve got two types of data, data that’s backed up and validated, or data that’s lost. And usually it ends with, and guess which one you have.

Right. Yeah. So I did a restore from a site recently, a client out East that was a referral, and do you know, they were running backups but they didn’t know what Google Drive account they put them in. You’re laughing cause you’ve heard this, haven’t you? And it’s like, what do you want me to do? Like, I’m sorry. So back it up. Test it. Test it, back it up.

Restore it.

When you don’t need it, right?

Right. Yes, yeah, yeah. Test it before you need it. Always.

There is a reason that Fortune 500s, banks, insurance and financial companies do what I call disaster recovery days, right? So they’re not in this position.

Yeah. Yeah. And that’s, you know, I mean, the problem is you can’t get people to do that, because then it’s like, OK, well, how do I test it? So I have to restore it someplace and then I have to come up with the URL so I can actually check the site and make sure everything, you know. So yeah, it’s a strange situation, but I think if somebody were to make it easy for people to validate their backups, it’s a whole new world then.

No, but I would say it’s easier today than it was 20 years ago. I mean, there’s.

Ohh yeah.

I mean, 20 years ago backups were a mess, right?

Oh yeah, big time. Big time they were. And, I mean, it’s still not much better now, put it that way. So.

Yeah, but is it not better now because the technology is not there? Or is it not better now because the user is lazy?

Yeah, I hate to say that people are lazy, even though some are, but I think that the technology is not there, you know. A lot of people, like I said, if there was a system, you know, where you could say, OK, send your backup here and then go to this URL and check it, people would be like, oh yeah, OK. Yeah. Now I see. All right. Or, you know, something didn’t carry over, something didn’t happen, etcetera. I don’t know, but.

Yeah, I.

And the other thing, since we’re talking about backups, is I can’t tell you the number of times people have gone to, like, you know, they get a hacked website and they’re like, I’m just gonna restore it. And, you know, I’ve got a backup from four days ago, a week ago, whatever. They don’t realize how long ago their site was hacked, so they’re restoring infected files onto their live site. And then they do that three or four times and then I get the call. Hey, you know, I’ve restored four or five times and my site’s still infected. Can you jump on it? Oh yeah, sure.

But it’s funny, because it used to be, if you kept three months of backups, you’re probably good, and now I don’t think that’s enough, to be honest with you. I actually keep clients’ backups on my NAS for a one-year period, and I actually download them.

Oh no.

So when I do that, general rule, I’ll keep them three or four times a week. If a client wants more, they pay more. I’ve got a couple of clients that want daily backups kept for a year, and they pay for that, because they know the cost with their ecommerce site is big dollars.

Right.

And a couple of those sites are actually backed up 3 and 4 times a day, not once a day.

Yeah, yeah. I don’t know. You can never have enough backups. You just can’t. And the whole thing, you gotta have them off site. You know, the number of people that have come to me from some of the large hosting providers, like, hey, all my backups are gone. Can you help me? Oh, I can work magic at times, but not magic like that.

No, no. And please don’t depend on your hosting provider for backups, because, as we were talking about before we went on, there are several hosting providers that have had backup servers hacked. And then what do you do?

Yeah. Yep. Or, you know, the sysadmins for the hosting provider, I won’t say goofed, but they ran through a normal procedure and it deleted all your backups. Oh, sorry.

It happens, yeah. So the thing we were talking about, which is really interesting, is hackers in general, right? They’re pretty smart, aren’t they? They’re not stupid people, typically. Or I don’t want to use the word stupid; maybe uneducated is a better word, you know, right. They’re pretty bright when you think about it.

For the most part, yeah. Having been fighting them for so long, you kind of learn their personalities without ever meeting them. And, as you know, there are different levels of people. There’s what they call the script kiddies, or some have even shortened it to skiddies, which, OK, let’s shorten the word, but yeah. And a lot of those people are individuals that, the way I see it, want to look cool to their peers. Hey, yeah, I’m a hacker, I’m a cyber criminal. And so they just buy tools and run them. And then at the other end of the spectrum, there’s the people who write the tools that the script kiddies use. And those are the people that are super smart. They’ll sell their stuff on the “dark web.” I have to do air quotes when I say dark web; that term has always bothered me. But anyway, yeah, the smart hackers will write the tools and then charge for them, or charge for service. You know, if you deposit this ransomware, I get 30% of whatever you collect. And so yeah. And those people are incredibly smart, so, like I’ve said for years, if hackers were to focus on a cure for cancer, there’d be no more cancer. I guarantee it.

Yep. Yep. Just.

Wouldn’t happen so.

Yeah, it’s funny. It’s funny when you talk about attacks and ransomware. You may or may not have read in the States, the Toronto Library system went through a massive hack attempt the first week of December. And they’re saying all their services will not be back up till the end of February. They’ve got trailers full of returned books sitting in a yard. There’s like 18 or 20 trailers, because they can’t check books back in. It’s that bad, and you can’t even renew memberships or anything like that. It’s just awful.

Yeah. Yeah, it’s, uh, you know. But what people don’t understand is that that’s how hackers make their money. By hacking, it’s ransomware, it’s whatever they choose. They have their niche and that’s what they go after. And yeah, we see it all the time. They’re constantly, you know, possibly the low-hanging fruit in all of this is websites. And they use websites to launch attacks on anything and everything. It’s just bizarre, so.

And as a small business owner, all these small businesses that say, OK, I don’t need to worry about security, they’re not gonna touch my website. What’s your answer to that? I think I know, but.

Yeah, yeah. They want everything. I mean, it’s gotten to the point where, if you think that you’re not vulnerable, that thought itself makes you vulnerable. I’ve said that for years, and I don’t mean to belabor the point, but Mac users have been told for years you don’t need antivirus, and that in itself made them targets, because you think that you’re not. And I think there was, in the book The Art of War, and I forget the saying right now, but there’s one of those catchy phrases from that book about, you know, when you think you’re not susceptible to an attack, that in itself makes you susceptible. So.

Yeah. So there’s that. And then, you and I, and I know our mutual friend Kathy, is kind of in the same flavor on this one, is cookies. Let’s talk about cookies. And I don’t mean the ones that Oscar the Grouch on Sesame Street eats in his hand. He’s lovable and.

I’ll see you then. You’re making me hungry.

And curly. Yeah, I know, I know. What’s wrong with cookies and hacking?

I just, one of the articles I shared, I don’t know if it was up on tab, you know, some other security people, not in the web space but protecting corporate networks and so forth, had a big long article about how people are so vulnerable through cookies, because of an authentication cookie. If you just close out of your browser rather than logging off, it leaves that cookie open. Like, on a WordPress site, by default it’s valid for 48 hours. If you click on Remember Me, it’s valid for two weeks. So a hacker could steal that, and it bypasses 2FA, MFA, gazillion-FA. It bypasses all that because you’re already authenticated. And I’m a guy who reads log files, you know; Kathy and Jen always kid me about that, like, oh yeah, this is the guy who reads log files for fun. And I do. But you see in the log file an IP address, and all of a sudden it’s doing something like edit post.php. And you scan through and search through the log files for that same IP address, and it never went to wp-admin or wp-login.php. It went straight to an authenticated function, or a function that requires authentication, and off they go. And so you’re like, wow, how did they do that? You think you must not have log files back far enough, but no, they stole a session cookie.

Yeah, and this is one of the reasons people shouldn’t be working on websites on public terminals, right? That’s just a recipe for disaster, isn’t it?

Yeah. Yeah, cause they can do a man-in-the-middle type of attack and steal the session cookie that way. So the people that go into their local coffee shop and, oh, I’m gonna work here all day and load up on lattes and this and that. Well, I’m getting some work done. Yeah, you log into a site and it could steal everything. So, yeah. And I used to do that years ago, just as a test. When I was early on getting into security, I’d go to the local Panera Bread and I talked to the manager there, like, hey, you’ve got open Wi-Fi here. Is it alright if I run a test here, with your permission? I said, I promise you I’m not gonna steal anything, blah blah. And the guy had seen me there numerous times and knew I just lived down the street. So, like, yeah, OK. So I set up a Wi-Fi hotspot with the exact same name, and people were connecting to mine, and I was actually changing stuff so that it would filter through my system. And so, like, you know, “Cubs win,” I’d put “Cubs lose another one.” And people were like, wait, what? So yeah, it’s pretty easy to do.

Yeah, it is. I’m at the point now where I do some work out of the house, because we all get stir crazy, right? But I have a cell phone with a large data plan, and when I say large I’m talking hundreds of gigabytes, for that reason. So I tether to my smartphone when I’m not home, because then I don’t have these problems. And then the other approach I take, when I go stay in hotels, I actually carry a travel router with me that has a built-in firewall. So all my devices connect to the travel router, the travel router connects to the hotel. There’s a firewall on the travel router and it tells everybody else, if you’re not in these IP addresses, go away.

Yeah, yeah. You almost have to. I think I had mentioned to you before that in 2016, my wife and I went to Ukraine to go through the adoption process. And we both work remote. So people were like, you’re in the land of hackers and you’re doing work online? Well, yeah, we were tethered to our cell phones. We had unlimited data plans, so it’s not fast, but it’s very secure, so.

Yeah, it’s the usability versus security problem. So as far as you’re concerned, session cookies, going back there, is the number one reason that WordPress sites get hacked, correct?

Yep, our data shows that last year 60% of WordPress sites that were hacked were hacked via stolen session cookies.

And what’s the number two reason?

Stolen username and password? No, actually, it’s not that. That was like the third, but it’s something. Yeah. The second is vulnerable themes and plugins.

No, first.

Yes, so. And that’s something that we feel that, you know, I don’t have data for 2022, but it did seem like there were a lot of vulnerabilities being exposed in 2022. But then, with the data that we collected, it appears that services like Patchstack, where that’s really Oliver’s focus, identifying vulnerabilities in core, themes and plugins and then virtually patching them, reporting them and so forth. And, to give credit where credit is due, Wordfence does the same. Mark Maunder has created their bug bounty program, and he’s doing a great job with that. So those are attacking that, but the session cookie still gets down to the end user’s local device. That’s where the hack actually happens. But a lot of people just don’t, I don’t know, they don’t know. I won’t say they don’t care, but they just don’t know. That’s what it is.

Yeah. And sometimes they just don’t want to be educated. I’ve got a client out East that’s been hacked not once, not twice, but three times. And they still think it’s cheaper to pay for these to be fixed than get on a security care plan.

Oh ill thing.

Yeah. For some people, they don’t believe in an ounce of prevention is worth a pound of cure. They’d rather pay the pound of cure each time and move on. So, different strokes for different folks.

OK.

As they say.

So true. So if you were to say to John, who owns a small little retail store, the three things he should do, besides hire you and I, because that’s always number one, right?

Right.

What should he do to protect himself?

The average Joe.

Yeah, yeah, Rachel.

Number one: I know this is gonna go against your grain, but you gotta have a good antivirus.

I knew you were gonna say that. I agree, for most people.

Yeah, yeah, yeah, you know, but, you know, at the same time, you know, if you’re if you’re using the.

Is the one in Windows good? Is the one in Windows good enough?

Oh yeah, Defender. I used to go into every forum I could and look for where people were talking about Windows Defender, because it’s free, and I would bash it because it was terrible at detecting the common viruses back then. But, you know, Microsoft’s a behemoth, and it’s their operating system, so they know what’s going on, and they made it better and better and better. And today, to me, it’s one of the best. Now, with the PC, what I recommend is that people double up, because the free version of Malwarebytes will detect things that Microsoft Defender doesn’t, and they both play very nicely together. Now, if you try and do Microsoft Defender with, I don’t know, Norton or McAfee, some of the older, more mature ones.

Oh no.

Yeah, it’s not good. One, your system will come to a crawl, but also a lot of times those older, mature ones will detect Microsoft Defender as a malicious program and kill it. But, you know, you and I were talking earlier about how smart hackers are. I read articles and research papers all the time about how hackers have found a way to evade detection by today’s antivirus programs, and they can nullify, basically stop, the antivirus program.

Yeah, I’ve heard that.

And prevent it from starting again, and then they’ve got free rein on your system. They hide it. I mean, it’s just. But you have to, in my opinion, take the step and have a good first line of defense. And it also goes to education, which is something that we’re trying to work on too, providing education for people: don’t open that file, even if it says it’s from some friend of yours.

Don’t open that UPS link on your cell phone that says you’ve got a package when you don’t know one is coming, right?

Yeah. On your cell phone, on your desktop, on your tablet, laptop, whatever. Just don’t. Or, you know, you’re due a refund from Facebook.

From the IRS, even worse.

Yeah. Yeah. From the IRS, or Facebook was in a class action lawsuit and it was determined that you’re due a dollar amount, could be thousands of dollars; we just need you to log in here and do this, that and the other.

Or this security expert that calls you on the phone and says, can I remote into your PC? I have to share a story around that. About a year ago I had one do that to me. I said sure you can, and I let him remote into a virtual machine for over an hour and a half. He was not happy. Not happy.

The the.

Well, sometimes, you know. So what’s the second thing you’d do for a small business owner?

So yeah, you have to have a good antivirus, but then education. You’ve got to teach people what not to open. And a thing that I see frequently, and you should see it more, but I think people are using Google and Office 365 type applications now, and those two companies are behemoths, but they do provide a valuable service of trying to keep you safe and secure. But hackers would get into your system.

Thank you.

Download your address book and then send emails, cause an email address is easy to spoof. Send everybody in your address book, hey, like one of the current ones you see on Facebook: so-and-so died. And all the friends see that and they click on it, like, really? Oh man, I just talked to him two weeks ago. And they click on it and it’s trying to attack your system. So yeah, hackers have no morals. To tell you that a friend of yours just died, they don’t care.

And downloading the address book is one of the oldest, oldest, oldest scams going. Which leads me to my next point: your email password. All your passwords, my friend, but certainly your email password, because all you’ve got to do is go to a site called Have I Been Pwned and put your email address in and it will tell you exactly where you’ve been compromised.

Right. Yeah. And for people who use the same password across multiple websites, the same email address and the same password across multiple websites. Ah, come on, people. Like, no, I don’t need a password manager. Why? Because it’s the same password across all my accounts. Like, oh, no.

My problem is I can’t tell you what my passwords are, except for the last four characters, because, as I was telling you, I subscribe to something Kathy talks about a lot: put a string at the end and make it common. But my passwords are all random, except for the password to get into my password manager. Good luck, it’s not.

Yeah. I mean, there’s all sorts of things you can do, and the big thing with security is, a lot of it has to do with just avoiding being the low-hanging fruit. If you throw up a couple of lines of defense, they’re just gonna go on to the next one, cause they know that there’s somebody else who’s totally vulnerable. So.

They don’t have time to go through somebody that’s got 5 lines up. That’s not happening. They just move on.

Right.

And would you say the third thing is probably keeping your systems and your website and everything up to date, from a software perspective?

Yep, definitely. When you see that Chrome’s got an update, or Firefox has an update, and you’re like, ah, I’ll do it later. No, do it now, because you never know; the next thing you click on, you could be vulnerable to a zero-day.

What is your favorite browser from a security perspective?

Uhm, I use Chrome.

And that’s probably with no extensions, right?

Oh yeah. No, no, no extensions whatsoever. I was tempted when ChatGPT came on. There was one Chrome extension, I forget what it was called now, but it prompted you with prompts for what you wanted to do.

OK.

And, uh, I was like, oh man, that would be cool. And just as I was about ready to click “install this extension,” I thought, no, because I know nothing about this company. I know nothing about what’s going on here. And then, like two weeks later, I hear that somebody was pushing around a bogus Chrome extension for ChatGPT, and like.

What a surprise. Surprise. Thanks, Mr. Hacker.

So yeah, yes. But, like you said, I think last year, due to the success of the virtual patching that some of these services offer, hackers shifted their focus to stolen session cookies. And you can just Google the word infostealer and you’ll see tons and tons of research from Bitdefender and Sophos and every security company in the world about these infostealers and how prevalent they are. The first thing they like to do is steal cookies. And it’s so automated for them. It steals a cookie and then sends it off to their servers, and their servers immediately try it, because they know what site you were on, from the cookie. So we’ve seen stuff in our log files where, while the legitimate admin user is doing work on a WordPress site, traffic from another IP address comes in and starts installing bogus plugins.

Yeah, yeah.

Like in the same session.

So, like our friends who tried to impersonate the WordPress.org team and send out a notice saying you’ve been hacked; by the way, click here and install the plugin. You remember that one? And a lot of people went and clicked, because it was still running around a month

That’s how fast they are. Yep. Yep, Yep. Yep. Yeah.

Later, obviously, and it’s like. So I tested the plugin, just for fun, in a local environment on a virtual machine. The back doors, Tom, that it put in.

Just a few. Yeah, it’s never ending.

And since we’ve talked about education, if somebody wants to keep up to date on some of this stuff and they’re an average user, where do you send them?

I don’t, to be honest with you. There’s a guy, Terry Cutler, up north of our border, up in your country, and he does an excellent job. I don’t remember his website, but just look up Terry Cutler; he does an amazing job. He talks at all sorts of conferences and so forth about educating people on what to avoid.

And then the other place I still think is a good overview, but more technical, is probably The Hacker News, from a high-level perspective. I mean, don’t go there if you’re faint of heart, cause you’ll be paranoid, I guarantee.

And I think a lot of people avoid sites like that just because it’s got the word hacker in it. And they’re like, I’m trying to learn how to stay away from hurting myself, so maybe I’ll just avoid that.

Yeah, yeah, I would agree. Any more last-minute tips, Tom?

No. You know, I think we covered it. You’ve got to keep your local device safe, you have to keep all your software up to date, whether it’s on your website or on your local device. And, yeah, you’ve just gotta be vigilant, man.

Yeah, I agree with you. If somebody wants to get a hold of you, what’s the best way? Your website, please?

Website is wewatchyourwebsite.com. We are still in the process of redoing it, but we will get there.

You should make sure he. Can’t fix his own stuff as usual. You know that problem?

I’ve got some customers, they’ll brag about our services in the Facebook groups, and the one guy, Justin Korn, posted something about how his website sucks, but his service doesn’t. Thanks, Justin.

Yeah. Love you too. Yes, I’ve had that problem. I’ve been in the middle of a website makeover for like 4 months now, and I’m not getting

Yeah, yeah.

Any closer, so. OK. And then, of course, I assume you’re on Twitter. You’re certainly on Facebook, because that’s where I usually talk to you. Do you play on X at all, or do you avoid the X monster?

Yeah. Yeah. On Facebook, yeah. We’re on X. I still call it Twitter. I still call the Sears Tower the Sears Tower in downtown Chicago. They can call it the Willis Tower or whatever. It may have even changed again, you know? But I’m thick-headed.

Is that what it’s called now? Wow. Well.

I’m an old man, so it’s hard to change my ways.

So, thanks, Tom. I always appreciate talking security. You have a wonderful day, my friend.

Thanks, Robert. You as well. Take care. Bye.
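Tom describes the tell-tale pattern of a stolen session cookie in a web server log: an IP address that lands directly on an authenticated wp-admin function without ever having posted to wp-login.php. The script below is an added example written for these show notes, not code from the podcast, from We Watch Your Website, or from WordPress itself. It assumes the site writes Apache/nginx "combined" format access logs with real client IPs (behind a CDN or proxy you would substitute the X-Forwarded-For value), and it relies on two pieces of WordPress behaviour: a successful login is a POST to wp-login.php answered with a 302, while a failed one re-renders the form with a 200, and an unauthenticated request to an admin screen is answered with a 302 back to the login page rather than a 200. The list of admin endpoints and the sample log lines are constructed for the example.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format. Assumption for this example: the
# site is logged this way and the first field is the real client IP.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# wp-admin screens that only return 200 to a request carrying a valid auth
# cookie; an anonymous hit is redirected (302) to wp-login.php instead.
# This list is an assumption chosen for the example, not a WordPress constant.
AUTHED_PATHS = {
    "/wp-admin/post.php",
    "/wp-admin/post-new.php",
    "/wp-admin/plugin-install.php",
    "/wp-admin/update.php",
    "/wp-admin/theme-install.php",
    "/wp-admin/user-new.php",
}
LOGIN_PATH = "/wp-login.php"

# Constructed sample log (not from any real site). 203.0.113.10 logs in and
# edits a post. 198.51.100.77 never touches wp-login.php yet gets 200s while
# uploading a plugin, i.e. it presented a cookie it did not obtain here.
# 192.0.2.5 fails a login (200) and is redirected away from post.php (302).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Jan/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Jan/2024:10:05:00 +0000] "GET /wp-admin/post.php?post=42&action=edit HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [15/Jan/2024:10:06:10 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 40112 "-" "python-requests/2.31"',
    '198.51.100.77 - - [15/Jan/2024:10:06:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3902 "-" "python-requests/2.31"',
    '192.0.2.5 - - [15/Jan/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4511 "-" "curl/8.0"',
    '192.0.2.5 - - [15/Jan/2024:10:07:01 +0000] "GET /wp-admin/post.php HTTP/1.1" 302 0 "-" "curl/8.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_cookie_replay(lines):
    """Map each IP that reached an authenticated wp-admin screen (status 200)
    without an earlier successful login (POST wp-login.php -> 302) in these
    logs to the requests it made there.

    Such an IP is either replaying a stolen session cookie or logged in before
    the log window began, so retention must cover at least the cookie lifetime
    (48 hours, or 14 days with Remember Me) for the result to be meaningful.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    logged_in = set()
    suspects = {}
    for e in events:
        if e["path"] == LOGIN_PATH and e["method"] == "POST" and e["status"] == 302:
            logged_in.add(e["ip"])
        elif e["path"] in AUTHED_PATHS and e["status"] == 200 and e["ip"] not in logged_in:
            suspects.setdefault(e["ip"], []).append(
                f'{e["ts"].isoformat()} {e["method"]} {e["path"]}'
            )
    return suspects


if __name__ == "__main__":
    for ip, hits in find_cookie_replay(SAMPLE_LOG).items():
        print(f"{ip}: authenticated wp-admin activity with no login seen")
        for h in hits:
            print("   ", h)
```

Run against the constructed sample, only 198.51.100.77 is reported: it got 200s from plugin-install.php and update.php with no login of its own, which is exactly the "straight to an authenticated function" pattern Tom describes. The scanner's redirected probe of post.php is not counted because the 302 shows WordPress rejected it. The check only says anything when the logs reach back further than the cookie lifetime; if the admin's login has already rotated out of retention, a legitimate admin will look just like a replay.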

