Episode 392: More WordPress Security With Tim Nash

It’s Rob Cairns here. And today I’m here with security expert Tim Nash. How are you today, Tim?

I’m doing OK. Thank you very much. I was enjoying the the lights going up on the slides just then. It’s like ohh it’s snowing and then it’s like Oh no, it’s snowing, but upwards. That’s not right.

Your buddy. You know, it’s funny. We were talking before the show, you and I at the time of this record were just on WP builds together. And the interesting enough, we were on with Jess Frick and Taco Verda, who I absolutely adore. And of course, our steamed host, Nathan Wrigley, and out of that show, everybody that was on that particular episode has now been on this podcast. So welcome.

Thank you. I would say you’d save the best till last, but that’s that’s not true at all. Ohh you know what?

I say the same thing. I I think we don’t give ourselves enough credit sometimes, right, Tim? So that’s just the way this. So I wanna jump in and and ask you for we dive into security. How did you find yourself in the WordPress world? Do you have a bit of a WordPress origin? Sorry.

I mean, it’s a sort of very similar tale to a lot of people I guess, but I I started in WordPress very long time ago like pre plugins long time ago. Yeah. And I was actually working for a university at the time and I wanted to build a membership site for a side project. And there wasn’t a membership site capabilities or anything like that. All all the things you’d think of today are weren’t there. And so I I found something that half did the job in typical open source fashion and went went at it and and hacked it for a bit until I could get. It to do what I wanted it to do. Wanted a friend who helped get it over the line. And then from. There we realized ohh that was cool. And when I do other projects and then over time I found that other people needed to have a membership site. And so I helped set up one of the very first UK based, that certainly dev agencies who built commercial plugins and you can we can sort of. Work our way through the timeline of where we were at that point in the WordPress evolution, we went to one of the very first word camps in the UK we. We sponsored it and. We were booted it because we were commercial WordPress developers.

Are you kidding me? Wow.

No. So there’s an entire. Room of people who are there. On our dime. And got the opportunity to do us when? It was announced what? We did so that was fun. Obviously, the world has moved on quite a bit since then, as have I and yeah, but yeah, that’s where I started being in a big auditorium in Manchester University being booed.

You know, it’s funny. They always say any publicity is better than no publicity. So I guess people recognize what you guys were doing. Like, I don’t know what to say about that. Right. And I’ve had this. I’ve had this discussion with many people like there’s still that cross in the open source community about making money off a free project, right? We’re we we always end up in that crossroads. And I know a number of plug-in developers Mark W card over at WS forms. How we keep showing up at podcast. I’ll never know, but that’s another story. He’s a good friend. Adrian. Toby at Groundhog. If you know Adrian. Adrian’s a good friend. His dad was one of my mentors in the marketing game and people like that. And we’re always talking about. How do you how do you draw that line? Right.

It’s a hard one and it’s it’s got easier by the fact that there’s now a market. Yeah, that, that it’s it’s, it’s it’s considered more the norm now. But yes, back then it was. A very strange scenario to be in and I honestly thought at the time that we were not necessarily pioneers, but we were going to be pushing the direction that we’d find thingslikewordpress.org being much more open to us and and things didn’t. Some things changed to the manner and some things changed to the worst and it’s. It’s now interesting, looking back and sitting there going. Well, we we were doing really well at certain things way before they became a sort of mission critical part of WordPress. A really good example is we actually had an updating system in place and auto updates in place. In 2000 and nine 2010, yeah, for our premium plugin because we. Were like well. You know, we, we, we, we you’re spending money on us and we’re empowering you. Right to take money, you should probably keep this thing up to date, so it’s interesting how that things like that, which the rest of the community has only. Us started to catch up. I. Mean the idea of automatic updates is. Only really still. Something that terrifies 95% of people.

Or even manage WordPress hosting, because in a managed environment they often control your updates and that terrifies people too. I mean, they say, why am I not running the latest version of core? Because I want to manage WordPress host day of version before. I mean that’s just the way they they roll. Right.

I mean it it that. It does depend on host. Quite a lot of the hosts have now realised that to that their detriment that perhaps not keeping up to date and at least not patching their WordPress versions will result in not just one, but thousands of sites being compromised. So on the whole the hosts are. Pretty good at staying, at least at core up, but every host has its own way of managing updates. You’ve got people like dopey engine who have their like smart plug in manager tool. And then you’ve got other house that just like effectively run DP CLI in the background and just go. Yeah JP plugins update, hyphen, hyphen all and job done and they could and there’s a lot of disparity between individual hosts. And then there’s all these other tools that you can use if you’re not gonna managed host it’s. It’s still quite a Wild West we. Haven’t standardized yet. Even if you have a 20 years.

Maybe, maybe, maybe. So you’re you’re in the security field. So am I to some degree. One of the things I do is I lock down websites. I I now manage from a security perspective over 400. So I know tools better than most people. How did you end up in that field? In that extra 50.

So in in. In previous life I used to do pen testing as a. And before WordPress and then as I sort of left the development field I got more and more involved in system administration. I worked for a hosting company as their platform lead, which basically means I did a bunch of stuff and I went from oh, I look after for a four. Weights to ohh I I I appear to now be looking after 40,000 WordPress websites.

So wonderful, isn’t it?

I should probably try and keep. These up to date and secure somehow. No. Yeah, obviously there was a team. It wasn’t just me that that would be a terrifying for, but so I I I really got my passion back for security during that phase. And to be honest, the easiest thing for me was to sit there. Go right. Well, what can I do? Well, we can implement all this stuff. What can I do? I.

Yes, yes.

Didn’t teach people because. At the time, the company I worked for was very keen on and education program and was very keen on being seen to be delivering an education program which is ideal for me because I basically came along and said what I’d like to do is go to work camps and user groups and I wanna talk about security and they went what we’d like you to do is go to work camps and use groups and talk about security. So that messed up nicely. And I was able to. Sort of follow that passion through when I left. I was like, well, actually I. Could you know? I’d like to take the things that I know now, but on a wide scale and bring them back down to individual sites, cause one of the things that I really disliked about working in a hosting company is I never got to stay on the project more than 30 seconds. Because I was the person who you called when you called when the other person didn’t know the answer and the other person didn’t know the answer and the other. So I was at the end of the chain and what I would often be looking at. Is 4 lines of your project. I would never see a bigger picture. I never see other parts of it so. When I left. The hosting I was like, well, I’d like to get involved in people’s projects, so. I thought what better? Way to do that then become a security consultant and terrify.

Everybody for a living. That’s so cool. I I ended up in this space. It’s interesting. I worked in healthcare for 21 years. I was the team leader for the client services call Center, IE where everybody went to when they had a problem and I fell in love with security on an enterprise perspective, a server. And our security lead used to come sit in my office every week. We’d have these chats. What’s that helped us in? What are you guys seeing? How can I help you? How can you help me? And I just started diving in more and then I ran across a legendary hacker by the name of Kevin Mitnick. And we all know who he is. He just passed away recently and he was kind of big on the whole social reengineering side. He’s written a number of books. The art of deception, the art of intrusion. And he talks about how people social reengineering. So I got fascinated with that side of it. And then. That’s how I ended up in it. I just kind of grew from there. Interesting different past but same result, right? Yeah. So. We talked in more press security. In your opinion, what’s the number one thing site owners do wrong? I have to ask.

Well, we, we’ve already passed it. They don’t update their sites. Inevitably, sites not up to date, it’s the number one reason that sites get hacked. It’s. As simple as that. There’s no point for a bad actor to try and come up with some cunning way to break into your sight. They don’t have a grudge against you. Normally if they do, then that’s a separate issue. We can talk about that a bit, but it’s for the vast, vast majority of people. It’s an automated attack and no one’s going to craft an automated attack against you. Specifically, they craft them. Against the vulnerabilities. Known the vulnerabilities are known are tend to be the older out of date plugins. It’s very rare you see a zero day vulnerability in a WordPress plugin that is then being actively exploited particularly quickly. It’s nearly always there’s some sort of patching not every single time, but more often than not. If you’ve got hacked, the chances are you got hacked for a vulnerable plug in that vulnerable plugin, you probably had an update and you probably didn’t install it. And it’s as simple as that. And that counts for something like 99.99% of cases. So it’s not like a small figure. And that’s finding other things to do. So if we can fix people updating their websites, we don’t have a job, we can go and sit on the beach.

And and I hate to tell you, I don’t think that’s ever gonna happen. I know. And I’m sure you’re in the same boat. By the time you look at the site or I look at the site and the first thing I look at is plugins that are out of date core. That’s out of date and it’s like. Here we go and it’s the same. And then they they look at you like I don’t have time to do this. And it’s like so then why aren’t you paying somebody to do it? So that’s problem #1. There’s 2FA2 factor authentication, so hackers now.

I’m so if we’ve. Got all if. We’ve got any update users and update plugins in one basket. The next lot of problems is users. That’s. Hey, I reused my the same password across everything. Ohh and by the way, the password was my my beautiful daughter. Want or whatever they they choose. Use to a model. Factor authentication has its place. It doesn’t always prevent people from getting through. If someone has managed to socially engineer you. To the point that they, you you are you are actively giving that person’s username and password information on a one to one basis. Then the next step for them is to ask you for the two factor authentication. Of course, there are some tooling that prevents that, but to give you a really good example, I I watched a a an experiment where someone was on the phone and they were told Ohh Yep. So I’m just gonna log in for you. What’s your username? Which password are you gonna get a code through to your phone? What’s that?

Could you give me? Yep.

Yeah, yeah, yeah, they just.

Yeah, yeah, yeah, yeah.

Yeah, that sort of attack will always defeat MFA now. There are some. Really impressive phishing attacks, which use fake logging. Stream and how it works is that you put in your username and password and in real time normally with a phishing attack, they don’t in real time check the credentials, they’ll just throw you to a screen that says Ohh it’s dead. Sorry, something’s.

Or the.

Wrong or or nothing depending what they want to do or just install malware, whatever. They’re gonna do. On you, but they don’t normally then check the credentials in real time. The bad actor will come along, grab the credentials and make use of it later. Or probably not ever check it and actually just show it on a list and sell it. But there are some attacks where they will ask for your username, password and the first thing they’ll do is make a post request to your website. With the username and password. Yeah, they’ll then look for the feedback and if the feedback comes and says, hey, I’ve got two FA, then they could pretty they should know with reasonable certainty whether or not MFA is installed. Yeah, because there’s enough ways to iterate through tooling. There’s enough little telltale signs that you can normally. What are the tips I would give if you’re ever setting up? A multi factor authentication is. Don’t go for any of the plugins which put the MFA field underneath your username and password field showing. It at the. Front because that’s a pretty big obvious hey. They we’re gonna need that key field as though you wonder it to be a second step, the next on the next page, cause that just adds to, making it harder for a an attacker to know it’s there. But that’s attackers probably can get that information in various ways. Yeah, MFA works. It works for a lot of people. It’s no defence against just having buddy pass.

Like and then I know when we were on builds together, you and I both commented on an article where the wordpress.org team and they used that word in quotes, sent out the notification saying go download this plugin and what what a brilliant phishing attack to be honest with you. And it it was funny because I had said at the time I had had several clients call me. I had one client that actually downloaded the plugin. Sweet. Wonderful.

Guy. Yeah, he did. And it was like.

Thank you very much. The back doors like we need to stop doing this stuff. Like if you’re if you’re an inside owner and you’re not sure, ask somebody. Just don’t do it.

It’s hard though, because that that that that particular e-mail was, uh, well, it still had telltale signs that you sell for most people if they stopped and thought about it. For a while. Yeah, pick up. But it was still crafted enough, and it had that the key component with all good scams, which is a sense of urgency. If you ever finding yourself being like. Why am I? Being pressured to do this thing right now. When it came out of nowhere, sometimes disasters happen and think you do need to do things. But normally when you’re being pressured into a certain route to do something straight away, right now this very second you must you must you must do the. That’s a big red flag to hang on a. Minute. You’re you’re not giving. Me time. Why? Are you not giving me time to think about this and? When you whenever. You’re in that scenario. I mean this is good. Exact for for. Life. If you’re ever in a scenario where you’re feeling like you’re being railroaded by something, it is always worth saying. Stop, I’m going to take a minute. I’m just going to look this through and reread. What I’m being asked to do? I’m not gonna do the instructions. You’re just sending me down. And then you’d start picking. Up on the. Little things and go this doesn’t make sense. Why would they want to plug in? Can’t they just update WordPress call this? This doesn’t make sense and the alarms bells will start to ring properly, but that particular e-mail worked by railroading you and you were going to do this thing and you had to do it now. Because Ohh boy, what would happen if you didn’t do it? It would be catastrophic. And so you did it. And I don’t feel that. I think anybody who fell for it, they they they shouldn’t feel bad. I think there is clearly a need for more education. We haven’t got there yet. But it was. Really well written. And if they could just. Learn to spell. They they. They’ve done so much, but I don’t get it though. How can you? Be so good at writing something like that and then get the name of the product wrong.

Ohh I know that was the telltale sign in that one.

Yeah, I mean, it’s come to the point that we’re now using capital P as our as a security mechanism. It’s like our our way of identifying it’s the equivalent of quite our banks here, certainly here in the UK had a system where you had to pick a funny, you had to pick an animal. And then they’d show you a picture on the login screen to show that it was that that they knew, and in many ways our our, our our equivalent in WordPress is just whether or not there’s a capital P in the word WordPress.

Yeah, yeah.

So we’ve talked about two FA, I won’t jump in the backups for a second because the biggest concern I have with backups coming from an enterprise environment is we used to do disaster recovery days. And the reason we did them was to make sure our backups were good and I would bet. You and I just went through this with a client where they said Ohh we have backups. And then I looked at their backup archives and none of them were good. And I would bet 99% of the clients who don’t use somebody that you or myself have never tested their backup. So they don’t have a coolant. These backups have been taken for two years work or. Don’t work. Isn’t that a problem?

I mean it is and and I I like to use the phrase of you haven’t tested your backup, you don’t have a backup. You have a prayer. UM. Now it’s quite difficult for some people to actually do that. I mean, quite a lot of these, these systems, they, they will download a backup plugin for example, that’s that’s. I’m not gonna. We’ll just something like updraft. There are plenty of them, but they download the backup buddy. They’ll they’ll download these plugins, they’ll install it and it’s configured. And that’s it. They just go. They never investigate what it does or how it does it, and you end up with wonderful scenarios where I I came across regularly up Jeff Plus would back itself.

Yes, we through this.

Flow so you get ever expanding backups with the backup inside the backup inside the backup, but then you couldn’t. You can’t restore that backup. Without having another site downloading it, moving the backup across in putting it back. On go through. Once the person started this process. It’s gonna take them time to even understand how they’re gonna do it. Most people don’t have a. Disaster recovery plan. Because their disaster recovery plan, if they had a backup program was that, but they’ve not thought beyond that. They’ve never tested these things. If you’re a doing regular development on your site, one way you can do this sort of testing is is that instead of when you’re getting your dev environment and start, let’s say you’re starting a new project, you’re about to go. I’m going to go and start my new theme. You start by taking by taking the last backup that you did. And restoring from that. Yeah. And in fact, if you want to keep your dev environment up to date with live, by using your backups, that’s one way that you think that’s.

That’s how. How I do it? Actually my my dev for my agency site is an exact restore my backup, so I subscribed to that theory wholeheartedly actually.

You’re also going to find a lot more of the bugs and the little things that that don’t work for some reason because you’re now actively using it. The second method is to, if you wanna, if you wanna go the more enterprise. Easy route and the one that I fully subscribe to, but I it’s I understand why most clients can’t implement it for various reasons, which is to before you take a backup because you’ve got tests because everybody writes tests, yes. But let’s say everybody’s written some tests for whether they were doing development or they’ve just written. Yes, your tests are good. You, you you run your gamut of tests on your live sites. You then take your backup. You then install your backup on your dummy sites and you run the gamut of tests again and you know. That they’re OK. Even better, we then can do the updates that we wanted to on the live site and rerun those tests again. So now we’ve got, now we’re testing our life. We’ve got these tests, we’ve got a test, we’ve got a backup, we’ve got the updates and we retest and we know all the way through everything is OK that is the perfect world. This is and you can do it on small sites and big sites. I do it for my personal sites. I do it for client sites at do use big comma. Right, but it takes a lot of time and a lot of effort because you need that testing in place in the 1st place and that in itself is a is effort, but it’s worth doing cause you didn’t use those tests all the time. I was talking to a client today and we were talking about how we were going to get them there and we were saying well actually maybe automatic updates. Is not on your road map for the next year or even 2. Yes, because you have.

Let’s start.

Weird stuff. So we’re not going to get there quickly, but what we can do is start by get by taking when you do an update, OK, what do you test as in, do you go to the homepage? Do you put a test transaction through? Write that down right, every single step down. So we’ve got a process. Excellent. We love processes. We love it when people write things out and nice, easy step by step process because the next thing you do is go well, you’re. Not running that? Let’s get. A. Let’s get a robot to do that for.

We’ll, we’ll, we’ll, we’ll.

Right. We’ll turn that into some sort of acceptance integration test that a system can run. Now we’ve just halved update time. If not significantly, reduce it even more, because now you’ve run your tests, do your updates, run your tests? Yeah, no manual interaction on the testing phase. Once we’re there, we can then start talking about automated tests, but I know we’ve switched from backups. Backups are really, really important. You should always take backups. You should always take your backups as well if you’re ever thinking ohh what my host takes my backups. Your host takes brilliant backups, but they’re their backups. They’re not your backups.

And they get hacked in the hosting companies there was you hosting in Europe, in UK? It got hacked, there was Melbourne IT in Australia that got hacked a number of years ago and there was a company out Of Montreal W three hosting where the hackers took out the backup server as well. Yeah, you know.

Manage.com got ransomware and all of their clients got ransomware and the backups got ransomware. This is a the it’s on but you but it’s still even in these non extreme scenarios. The fact that they’re not your backups then you’re not got the sovereign sovereignty of that data means that you’re reliant on them to do a restore when they go. Oh yeah, we can only restore from last week. And we have to restore everything. We can’t just restore. Insert whatever you wanted. These. These are all very. On the a host getting hacked in a similar way that you don’t necessarily want to rely on your hosts backups, it’s worth starting to think do I want to rely on my host DNS? You know I I mentioned managed. They were they got ransom. Yeah, and all of their systems went offline, including the control panel, yeah. So all these people who were going, ah, my website, it’s it’s down, OK? They’re not coming back up anytime soon. I need to make great, but I can’t migrate because my DNS is with them. Yeah, I wrote a blog based a couple of years ago called your so your host has ransomware. And I have a little challenge, which is basically how long will it take you to be able to restore your site if you had. If your host got completely disappeared, maybe we can link that. Into some sort of show. Because I think it really a a nice sort of prep tail for you to go through and go, Oh well, you might want to think about these things and how they’re associated with your hosting, one of which is perhaps but.

Sure thing. I agree. I agree wholeheartedly with you. Now I’m gonna dive in a little more backups. I had a client yesterday asked me how often should you do backups. And my response is it depends and I’m not trying to be vague, it depends what type of site I’ve got an e-commerce client right now who’s got 400 products and they’re making $10,000 US a day. That site gets backed up multiple times during the day. Because of the transactions, the if it’s a brochure site that’s static and doesn’t change once a week might work. And then the question always becomes is how long do you keep those backups? Or I keep a minimum and this is a bare minimum of a weekly backup for a client for six months on a offline mass server. I go that far back because we all know you can have malware infected today and the payload does not invoke for three months. And I’ve seen cases where I’ve had to go back over. Three months. What do you think about that dose 2 scenarios?

So the time between infection and exploitation is increasing, so the time between a vulnerability being being made public and it being exploited is being reduced. So these two things are weirdly contractual, so that means that it’s very we’re getting scenarios where people are getting hacked, but they don’t know about it. And worse, they’re getting hacked and then they’re patching and don’t know that the back door’s there. And that back door stays dormant for a longer period of time than it historic. He has. A. A really good example of this is woo commerce payments, which was a payment gateway. They got hacked in March. The window of opportunity was really quite small. It was a couple of weeks exploitation. Yeah, we’re still seeing people who were were hacked, then now finding out they’re being they were hacked back then because they found the rogue admin user and the other two back doors that were put in.

I saw one. Two weeks ago, actually. Yeah, exactly right. Hack. Yeah.

So these these. This is happening more and more now. The thing is, I would always argue there are only there’s really only a couple of times. Where you should ever restore from a backup. When it comes to a hacked site. The vast majority. Of times I don’t recommend restoring from backups for hacked sites because. You don’t know when they were hacked, so we either have to go alright. We’re going to restore from a. Year ago and be sure. Or we have to go. OK. Well, we can’t just restore from backups, so we’re gonna have to re effectively rebuild. Reboot this site. Not completely. There’s ways around to do this in a sensible way, but get there very quickly there. Are a couple. Of times, I would always say you restore from backup, one is ransomware. That’s a really good example of where you would want to. You can restore from back up because you have to. You might wanna burn the site again and then rebuild it afterwards, but you need. Something to put. It up in the 1st place and the 2nd. One is ironically fishing.

I agree.

Because we know when we were finished, we can work that out quite easily. So as long as we know when you opened the e-mail and clicked it, we know when we took restore. The backup to out. Of those two scenarios, I wouldn’t necessarily recommend restoring from a backup, so for me, I’m not as worried about. Just having backups that last six months to a year, do I think that they’re really useful for other things? Because I have been in that meeting where someone’s gone. So that feature, yeah, we why is it broken? Well, what feature? That that feature, the one that’s here is like that file hasn’t existed for six months. Can you get it back? No, our backups are only for 28 days. What I would do is suggest that there are some really good backup strategies where you basically take you have the if you’re doing daily backups, you do so, then the next first you have two weeks worth of daily backups. Then you have one at the monthly mark. And then you have one at the three month mark out. Yeah. And then one at the six month mark and these rotate through almost on a daily basis. So you’re you’re building out. And then that last one gets bumped and but. This means that you at least have some data there, but you don’t need to keep everything. You could also consider whether or not a site is changing regularly. While I think daily backups at minimum, some should, times might need to be hourly, but. At some sites. You might not have user interactive. It might be that brochure where site. You might even want to hook your back up into. I published A blog post, yet the site should be backed up if that’s the only time that there’s any changes on the site. Then that’s probably the point. You should do the backups so it really does check the frequency really does depend. If you in doubt, opt for daily. But I I think on a large e-commerce site daily is not good enough. Also consider that you have different types of backups. You can be backing up the database versus backing up files. Yeah. And I tend to recommend you that backing up your database more often than you’re backing up your file.

No, it’s not.

Those files could often be recreated. It’s much harder to recreate the database, so if we did lose that, if we did make if a blog post had a pretty picture attached to it, and we lose that pretty picture in the next 12 hours, that’s OK. If we lose the customer’s order, not so, OK. He’s that. That’s gonna have a a upset client who’s gonna not want to want to know why we’ve lost these orders.

I agree with you the other. The other thing you know we we talk about this stuff is if and I just went through this too. I had a client who was a problem client. So I fired him two years ago. And what did the seller client do? His new web dev didn’t change where the backups were going and did it changed? Ohh this gets better and did it change where the notifications were going? So I’ve been getting all these notifications for two years. To the point, I finally went into my e-mail about six months ago and set up a rule and said anything that comes and I had emailed them multiple times and saying if there was Dev, there’s nicely any grain of salt, get him to fix this stuff because you’re at risk. So what happens two weeks ago? His site goes down. He knows the backups are going to my server. He calls me up and says can I have a backup? He said no. And he said, what do you mean? No, it’s fine. I said no. I fired you two years ago. What did you want to have do? The the long and short of this is we came to some financial renumeration in. But if you’re gonna move your site around. And this is just standard housekeeping. Make sure your backups are going where you think they’re going. Make sure your notifications are going where you think you’re going. That’s key isn’t.

Yeah, I’m just having so many people just install a plugin and I think they’re done. Yeah. Yeah. And also uninstalling clean up your stuff. The number of sites that I come along and go, oh, you have a backup folder full of backups and that backup. It hasn’t been on there for. A very long time. And apart from anything else, is taking up file. You know I managed to save a client hundreds of dollars a month because we went in and went well. You don’t use this. Backup plug in anymore but. You know, we know we took it off years ago, right? But the backups are still here because you weren’t backing up to a third party. Place you were backing up to yourself. Yeah, but is that bad? Yeah. So, I mean, that’s another thing we haven’t mentioned, which is you should put your backup somewhere. There is not your server.

Yeah, that’s a bad idea. Yeah.

Because let’s go back to or we keep using the scenario of ransomware. But let’s go back to that one of our backup.

It’s a good.

On the thing that is currently ransomed, excellent. We have no way to. Get to our backups. That’s a good point. I ideally again you want this slight 321 scenario where you really in the perfect world we’d be backing up to a a remote host somewhere and we’d have a localised copy in our within our own network, be that your. Else or be that the office scenario we’d have it maybe going down to 1 less as well, but we’d be doing that. That might not be our primary source, but we’d want at least a copy every so often coming down here for example, for me, my backups go to a remote cloud storage, but the. One a month that I take, that’s always the my monthly one. I also have a secondary copy of that locally here. In the house.

That’s good. Good idea. Good day.

And ultimately that does mean that I can go on to that and. Go. Oh, I have. Copy. I can use that. Yes, it’s behind. But if we’re at the stage where my my sights gone, my cloud hosting supports gone, then we’ll be happy. For what we. Have and if it’s month slightly a month out of date, that’s not a problem. We can rebuild. It’s better than nothing.

Yeah, so true. The approach I go is I have a Synology Nas server raid 5, cause I don’t play around raid drives do go. I also have a Synology Nas server off site at a friend’s place that I. Gracious, they pay their Internet connection for every month because they give me the hydro to run this Nas server. So we came to an agreement those two Nas server Synology has a cool little thing that will let you keep your Nas servers In Sync, so that helps. And then the one here is actually backed up to the cloud as well. You can do that office analogy. So I’ve covered myself cause I’ve got 2 servers plus a cloud storage. I’m I’m good and I do. What we have to get people to understand is having one copy and one in the cloud isn’t good enough. You gotta do more than that and I don’t care if it’s your website, your files, or whatever you’re dealing with. You gotta take backups seriously.

I think there’s a level of. Backing up important things because I think one of the things we do end up with is we end up with this backup fatigue and you if you have, if you offer to people, you must back up. Everything you must. Do this well actually on a WordPress site there’s very little you actually really really really have to back up. We have to back up the database because that’s where the data is. We probably want to back up our dope contents uploads folder because that’s where the files are that we’ve uploaded. Do we need to back up that WordPress core files? No. We can get those quickly unless we’ve been making some weird modifications. We can get those very quickly. Do I need to get most back up? Most of? The plug in. No, those plugins I can get from the WordPress repo or from other places do I need to back up my custom plugins probably, but have I got those in version controls somewhere else? Can these things be recreated really quickly? And all of a sudden, we’re looking around and going, actually what we need to back up is quite minimal. That’s great, because now we can back it up lots more. So anybody who was going, I can’t have her back. I can’t do backups because I can’t do week daily backup because it takes up too much space. Maybe consider what are you backing up and do we? Shooting and it’s the same with your computer at home. So many people back up their entire using Windows C drive. I was like, OK. Why did you do that? That’s a lot of stuff, including temporary files. You didn’t need to do. There are times where you do want to backup stuff like that, but it’s rare and for the average person, just like for the average site owner, you can probably minimize your backups to just what you might need and recreate everything else quickly. But that relies on you being able to recreate it. Quickly, which really only works if you’ve got a decent automated deployment system or automation in place, or you’re using a managed host, but somewhere where in the perfect world you should be able to just run a script and go da da message is back. And if you’re not there yet. That’s maybe as we’re coming into 2024, this might come out after 2024, that the goal should be. To your 2024 should be. You could go to spin up your your website and go. OK. I need to get my site up and running now and you should be able to go do DA and that would be it. The site is loaded because you your script is running an automated. If you can’t do that at the moment your site’s probably not in a good enough place and it needs to get better. Because there will be reasons that you will have to do this in the next couple of years because everybody will have problems. At some point.

Yeah, so true. So we talked about backups, we’ve talked about patching. I really want to dive into user roles for a minute and that’s really important to this whole scenario. So what happens in the WordPress world and coming from an enterprise background, both of us? It’s a little different. You go into a bank and they say this teller needs access. You only get to tell her what? To need access. To and the WordPress world, every site owner stomps her feet and says I own the website. I want everybody to have admin rights, and I looked at it, look at them and say then I’m not working with you because that’s my standard answer. And I’ll tell the story. Recently I had a client who insisted had his intern get admin rights, and I had a long discussion with him and said you’re not doing this, he said. It’s my sight. I said. So sign me a letter that says if you’re intern screws up, I can bill you 5 hours at my regular rate on a 5 hour minimum, regardless of. OK. How long do you think it took the Internet to screw the website up?

Well, of course he. I was gonna say. Of course he got a really good tell him that this shouldn’t happen. And he he was so ultra careful. So I’d give it 20 minutes. Yeah.

Yeah. So not only did he intern do that, you’re gonna love this, Tim. He read an article that saying backup plugins and security plugins cause website bloat and slow websites down. So he deleted the backup plugin. He deleted the sync. Again on the on an e-commerce site that had transactions. I know, I know, I know. So. The lesson here is. Don’t let your site owners, despite the fact that they own these websites, all have admin rights. Most site owners don’t themselves don’t need admin rights. What they need is somebody to manage it for them that they trust.

I mean some admin owners do probably do really well with admin rights I have in the past created super duper admin role which is a author role which could also see other posts. So they can see that their people are being busy bees. But they can’t do anything. And then I give. The Super duper admin. Role to the boss and whoever that that works quite well. Generally what I recommend when you coming to auditing a site and you see a list of humongous list of admins is you go what we’re going to do is we’re going to put everybody down to edit. And we’ll then wait to see who comes and complains if someone can’t find come and complain within the first week, they probably didn’t need to be an admin. That gives us. Enough time when someone comes along, they say I need to do this. You can go. OK. The thing is, most people don’t realize that WordPress actually has quite a good capability system behind the scenes. So a role is just a collection of capabilities and the capabilities is just an if statement. So so when you go to do a task, if the task is being checked against, we checked against the capability which let’s say user can read post. Yeah, pretty much everybody can, but user can read post, so we’ll go. So basically it goes in. And it goes. To your user, into your user meta and finds this big array of things that you can do and it looks for that string inside there and if you matches it says yes. So you can add capabilities to any user. I wouldn’t recommend doing that. You can just say OK, I want to make this person available to manage users, so you can just give them the capability. You can go into the database and edit it. You need something like DPLA. You can use a plane. I wouldn’t do that. Specifically because that becomes an administrative nightmare trying to work out who has what capable. This is where we have roles. But you can create a a super editor role or a very specific role. That’s why the with commerce has its shop manager roles. For example will give them the capabilities they want. This works really well, so if you’ve got the designer person and they must have access to the appearances section.

Yes, yes.

Crunch is either wrong. If Joe’s secretary must add users. Give them the get option to create users. That was a bit more iffy because you have to do some hacking to make sure that they can’t totally abuse that, but you can give them the ability to create users and then you can just make sure that they. Can’t create admin users. You can give these people. Specific roles with specific capabilities rather than just blank admin and super admin roles, but yeah the boss give him. The shiny role. The other really. Cruel way to do this is to. Give the the boss the. Administrator role and then just. Remove all the capabilities you don’t want to have.

I’ve done that before.

And then you and then give yourself the web agency role with all of them back back in. Yeah.

Yeah, that’s a that’s a Roku conversation. Now we know the third party products are there. Patch Stack security, a couple of others, which I won’t mention for a number of reasons. What do you think about using something like patch back on your front end to help you? Do? I think there’s some value in that. What do you think?

So I’m never going to tell someone not to use a security plugin, because that way madness lies and lots of arguments with people on hills. I think. Security plugins have their place, and they’re oddly in the places, and that most people don’t realize. Where I don’t think they’re very good is using them as web application firewalls. On the home. Because that’s what a host is there for. There are sometimes that they have unique advantages because they can hook inside your system and know that you’ve got certain plugins set up in certain ways that would allow for a certain thing to happen, and they can block that certain thing from happening at that level that your host wouldn’t normally be able to see and get that sort of insight into. But on the whole their wafs. Are fairly useless and are just taking up processing power that didn’t need. Yeah. When it comes to vulnerability management and telling you that you’ve got a vulnerable plug in, there’s some real value in that. No, if we’re not on automatic updating world, we need to know that they’re a vulnerable plugins. So that vulnerability, scanning, vulnerability management kind, I think is key and if? You can find a good. Tool that you get on with you should have some sort of vulnerability management. Again, this is one of those core retailers. I’m not relying on your host. Most managed WordPress hosts have vulnerability management now. If you go into WP engine it will have its plugins page and. It will show. You. Hey, this plugins out of dated insecure.

But they’re getting.

That information through these companies remotely third party. Sometimes they’re either slow and taking too long to get that information, or worse, they try to be proactive and there’s nothing worse than the managed house trying to be proactive about things, cause they inevitably cocking up and things go wrong. And we saw that recently there was a bunch of plugins that were getting. Positively flagged as having as being vulnerable and the post status chat had, like this stream of developers coming in and going. Is anybody here work for? It’s a hosting company. Is there anybody here work for this hosting company? So we. There there is value for the vulnerability scanning. There is value in some. Of the features. But bringing all these features together into one plugin and saying this is the security. Plugin that will fix your world. Rarely is because they’re not. Normally they require setup. They require understanding of what they’re doing. They require you to do other things, but they sell themselves as. This is the few this you do. Install me and you will be fine. I like patch stack. I like the people at Patch Stack.

I do too.

But if you go to their home page. I do not believe the. Average person could tell you what patch that does.

No, I agree.

I’m not sure.

The security person could tell you what patch that does, what they could say tell you is that they’ve got a marketing person who’s really good at making. Up very long words.

Yes, right.

So perhaps that’s got perhaps that so you end up in this now, but it’s not just Patch Lake. Every security plugin is the same. It’s full of lots of words full of lots of promise. There’s some of which can come true if you correctly configure them and do things in. That way, but. For a lot of people, if you want to manage host for example, they should be taking care of most of this stuff and the real irony if you’re on a really dirt cheap host. They’re probably taking care of this because the stack it up, stack them high and. Sell them low. Really. Really cheap hosts have really locked down whack. To yeah, because they do not because they know if they get infection on one. Side they get it. Across the board. And you’re they. They’re basically selling themselves on. They’re just stamping out WordPress sites that are configured in a certain way and fixed in a certain way. And only you can’t deviate from it. So they’re in a relatively good place. The managed WordPress hosts people in it and these security plugins tend to fit in the middle area. Those people who are on the shared hosts or on VPS’s that they. Perhaps should be. Shouldn’t be managing themselves. I wouldn’t, for example, use the two factor authentication from my. Security plugin. I’d get a dedicated plugin to do that. I wouldn’t use the auditing and logging tools for it. I’m not even sure I’d use the malware scanning. I’d much rather see the malware scanning being done by an external thing.

Thank you very much.

Should point out. Every major security plugin has had at least one time where there has been a vulnerability in the first thing they do is turn off the security plugin, particularly with fence, are affected because they’re just sheer popularity. It’s becoming increasingly common to see.

Thank you.

Bad actors come in and disable word fences rules so. They can scan all. They like, it’s not gonna do anything because. It’s just been turned off.

I watched jump in there with flower scanners. I was gonna go there. So, Dan House, who’s up at stout? And I had a conversation which we recorded for this show some time ago. Out of a conversation he had on the stellar site that said there is no point in running malware scanners with inside your website and I so heartily agree with that philosophy because exactly what you’re saying and even more so is you’re always better running. The scanner outside the environment that you’re scanning it and we, you know, we know that. And I’ll and I’ll share you with you The Dirty little secret security guy. I do not run a Windows virus checker on my PC at all. Now people say you’re foolish. No, I know what to do. I know what to look for. I know that if I’m doing something complicated and I fire up a virtual machine and do it there and then I’m gonna do it. The machine. I I don’t play that game. I do my scanning. Even in windows, outside the environment I’m in. And I don’t think scanning. Inside the environment, it’s a good idea.

I mean, I don’t, but I would also argue that if you’re in a scenario where you don’t have the opportunity to have an external scanning till that you’re not in the position because you’re for whatever reason you’re hosting your setup that way. It’s still better than nothing. But if you if you’re in.

I agree.

A scenario where you’ve already this is already happening. Then there you’re not. It’s not like it’s better for you to. Do it twice. It’s not going to think of anything that the other tooling won’t so, and they do have different rule sets. So there is a potential that they could pick up something different. But it’s unlikely they’re they’re probably coming from a relatively common source base. But it’s still. I wouldn’t. I wouldn’t immediately jump to they it will. It should. You would never do this because there is a scenario where you’re one of the in the middle of these two scales that. We were talking. About that area, it’s. Better than nothing. And that’s again why I’m, like, 11. Interesting thing that from. When I was doing hosting was that you were just. As likely to be hacked. With a security plugin installed. Then if you won’t.

That’s interesting, and let’s talk about.

Because the people who exactly the the percentage was exactly the difference was the type of attacks. Yeah. And the type. So they did stop some things, but then they. Just stop others.

And let’s talk about hosting. So I’m a believer that your hosting has to be a partner in your website, not a vendor #1. So if my host treats me like a client, I’m. The other thing is we gotta be really careful with shared hosting and a lot of people for economic reasons go to a shared host. The problem with that is if site #1 and and then they’ll say ohh let me go 10. Who’s up on my same control panel on my same C panel that. Is not a good idea because all you gotta do is hack one site and we know on a shared host, unless it’s containerized and there are some shirt hosts that do that. That once you hack one side, it just goes cross C panel and goes cross host and that’s how you end up in these scenarios where you have 102 hundred sites act very quickly. I don’t believe from my standpoint share hosting is a good idea. I actually I’m almost to the point of view where. VPS Hosting’s not necessarily a good idea, because I call VPS just a glorified shared host, just in a different way.

So I think it’s worth clarifying what a shared host is, because actually you look to containerized as shared like so shared hosting in the traditional sense. When we talk about shared hosting, we’re talking about a either a dedicated box, but actually it’s more likely these days.

Yeah, go ahead.

A VPS. Which has either. Patchy or engine X or something sitting on it that then has a bunch of websites and they all share all the resources, all the memory and they something we can refer to as jailed. Sometimes we call them C groups, but we group we we basically prevent. Individual sites SFTP users being able to come back up the chain to see each other, but you’re all sharing everything which means, and this is literally the the best example is this is a shared house. You come in through the front door. You all come through the same front door. You just go off to your individual rooms. Now if the police come to raid you because somebody was making vodka and vodka, could jellies in the back? Well, you’re gonna find that you’re hauled outside, too, and that so when? And to put that back into a perspective or website, let’s say Joe goes and blasts an e-mail spam list and starts spamming out Viagra websites. The IP of the server that you are on is now going to be blocked. On the block lists of all the major e-mail providers, you can’t send e-mail. It’s the equivalent of, you know, finding the guy making the vodka Jelly in your bath. Our next set up sort of from there is OK well, we probably shouldn’t be doing business from our house. We’ve decided this we we don’t want people coming and knocking on our house, we’re gonna go and set up a concession stand in the mall. So we’re going to the shopping mall. We’re gonna set up our little concession stand. That’s a VPS. We don’t own the hardware, but we have our own little resources. Very little space in the mall. And we can go and do a job on the whole, this comes with lots of advantages. The more security guard walks around for us, we don’t get rained on and there isn’t a guy. If the guys selling vodka jellies and the other stand, it doesn’t affect us. But if our if the model gets shut down for any reason the the the server our VPS is on, well we get shut down too. Now it’s worth saying at this point that the moral analogy works for containers and containerization. Now, if you’ve ever been told of the word cloud hosting, what you’re really being sold is a bunch of containers. There’s some stuff behind the scenes, but it’s a bunch of containers and it’s and a bunch of containers most VPS hosting. When it’s sold to you probably is, in fact containerized hosting and not VPS. A virtual private VPS is more money. We would consider something VPS if it had its own kernel. Now that’s going deep down into the roots, but basically it has its own version of Windows or its own version of Mac OS or its own Linux system inside the box. With containerization, you have everything yourself except that very bottom layer, which is the kernel which is served by the thing at below that. Now Totalization VPS sit at the same levels on the whole we can cross between the two and not worry about it. There are sometimes where we need to sort of like separate them out, but on the whole we can call cloud hosting, VPS containerization same sort of thing all on that level and then at the top. Well, we own the house. We own the building and. All the problems that go with that. Brilliant thing about dedicated hosting is that you are completely in charge of everything to do with it because you are a physical piece of bare metal. We sometimes call it bare. You can get bare metal clouds, but that’s a whole other thing. We call it bare metal because it’s literally you get the motherboard, the hard drives and everything, and they plugged in. Now whether that’s Co location. Or whether you’ve. You’re renting a box. That dedicated hosting. Is probably ideal for a lot of people, except for the fact it’s really expensive, really hard to maintain, and the hardware dies. And when it dies, you don’t have a website until. You put it. On your notice the hardware. And it dies. And then that does. Now you can get really clever. You’re OK. I’m going to put this piece of hardware here, this piece of hardware here, and I’m going to balance load balance and then I won’t have this problem. And now you’re a hosting company. And you just didn’t know it. Once we scale like that. All of this is to say. I actually think the underlying technology, whether it’s shared VPS, cloud dedicated is less of a thing than the service being provided on top. Of it for you. I do not like shared hosting. Shared hosting is bad. There are almost no scenarios I could think where I’d recommend someone who’s shared hosting, especially as VPS and containerized hosting is so cheap in compare. But I do think that you should look more at what management services are being offered to you by the host. And their support and how everything works with the host then worry about what that underlying technology is, unless you are a techie. I would much rather see people going on and managed WordPress host and not not knowing whether they’re on a dedicated or a VPS or cloud hosting. Yeah, but going on DC managed hosting then I would then sitting on a thing with C panel that’s just being configured once and forgotten about.

I agree.

Which is the vast majority of cheap hosting. Whether and you can get really ****** shared hosting and you can get equally as ****** dedicated hosting. Yeah, the difference is that one charged you. 5 bucks a month and the other one charged you 5 grand a month. And that is the sort of scale difference we can be sometimes looking at. Not always you can get a dedicated metal box from somebody like Ovie, H or herzner for like 30 bucks, but it comes with 0 support. And you’re on your own. And you get you get managed, you’re press hosting for like 9 bucks, 10 bucks. That’s on shared. That’s not on shared hosting. That’s on a VPS. So you should probably invest that. The other thing I would say is that if you’re a business.

If you’re not.

And you can think back to when we had these things called stores, bricks and mortar places you would walk into and you figure about how much that cost to rent. Yeah. And then you think about your hosting and you’re complaining because you have to pay 10 bucks, not 5. It shouldn’t be a that that cost line shouldn’t. You should just be absorbing it, not not moaning about it. I’d like people to pay more for their hosting. Generally, I think people underpay their hosting because they want to get a cheaper deal, and I think that they would have easier lives if they spent a little bit more and got decent hosting. The problem is finding that decent host in the 1st place, because they’re very hard to find.

I agree, and one of the things you touched on, we’re taught you were talking about IP issues. If the server gets blocked and it’s one of the biggest reasons I say to clients. Find an e-mail provider to put your e-mail on. Don’t don’t ever put it on your host so we know there’s workspaces. If you choose to go that route. I don’t. There’s Office 365 if you choose to go that route. I don’t. There’s companies like Pronto. Mail, which now offers security e-mail I don’t. I actually use a company that’s privacy based called fast mail out of Australia, they’re wonderful. I will say that and they don’t pay me for that plug so their their app is really good and and that way if I have an e-mail issue, I’m not dealing with the host. And saying hey guys, your IP range is got blocked on dealing with an e-mail company. So I think people need to stop cheaping out on e-mail as well.

Yeah, I mean, so going back to, I worked for a hosting company. We jokingly would say that people don’t buy actually pay for websites, they pay for e-mail, e-mail hosting with free websites, because if e-mail went down. The phones lit up.

Oh, I know.

We could take whole segments of our network down for the web hosting and. We’re getting and up, so if. You don’t get me wrong. People would still complain and they’d still be upset. But you take someones e-mail away from from even a. Few minutes and well, the phones just go.

My 79 year old mother had a problem 4 weeks ago where she was paying an e-mail provider and she came to me and said, well, I haven’t gotten any e-mail in 14 hours from here. So I picked up the phone. I did, you know, knowing the way support goes and called support, it turned out her problem was her mailbox was full. So she’s undiplomatically a pack crack and doesn’t clean up her e-mail box. So I in the interim, I just said forget this. Let’s just take the box to a TB box because the cost difference wasn’t worth it and said just do it and do it now, problem solved. But it’s exactly what you’re saying. E-mail goes. Down and people stream. When I was in enterprise, I was also an exchange admin. So I’ve been on that side of it and when and we had nine exchange servers all synced and when one went down, you would watch the numbers in the call center go to 200 calls waiting over. In 5 minutes, e-mail is the blunt of our existence, no question.

Yeah. And it’s like anything you get what? You pay for. If you’re getting, you’re using the free e-mail that comes with your hosting. Sometimes it can be remarkably good. I don’t. I don’t want to decry it, but on the whole I would say if you want to get that support, you need to go. To a third party. I there were plenty of options out there for me. Like you, data, privacy, data, data sovereignty is important to me. I would say that if you’ve got a data, if you’re interested in data privacy and data, somebody there are lots of options out there. These tend to come with a cost because the big hosting. Effectively act like the mafia, they they hustle and each other. They will only accept each other as a male, even somebody like, if you want to send stuff to Hotmail or outlook, you really are going to have to think about looking at the larger companies or be in a constant fight to get these to work. And that’s really frustrating. And it’s wrong and we shouldn’t be in this scenario, but we we currently. So for most people, I do tend to push them towards the bigger companies for their make their lives easier while simultaneously hating myself. And the fact that this is the world we live in, I I would put a shout out for ProtonMail. I I do think that that’s good service, fast mail, you mentioned fast. Mail as well. Both how? How privacy focused. But the vast majority of customers will go to. Google Workspaces, Google G Suite, whatever it’s called this week and Office 365 because, yeah, they are the places where that’s gonna be guaranteed and reliable. And that’s so frustrating that that’s the recommendation that you have to give at times because it shouldn’t be that way.

You know, fast Films actually really reasonable. They’re like 5 bucks US a month per hosting account, unlimited aliases for each account. So if you wanna go that route and they and believe it or not. They’re so confident in their product, they give you the 1st 30 days for free, no questions.

Which is nice.

Yeah, the only.

Free to try it out for a decent period of time. The other thing is that migrating e-mail is actually a complete that’s a pig, so look for something that you.

Yeah. Do you?

Like, because you’re gonna end up sticking with it. It’s not like hosting which you can swap hosts pretty quickly. Swapping your e-mail is is a bit more of a nightmare at times, so it’s worth taking that time to see if you actually like the hosting to provide the support and the services that you want. Don’t feel you have to migrate over straight away. The other thing is that maybe consider that you set up a dedicated my domain dot e-mail and only use that for hosting because a lot of the blacklist and block lists that use IP reputation. So for example, let’s say I have my website hosted at digital Ocean. That’s great. Unfortunately, that means that I can’t send e-mail from my main e-mail provider, but to most things like Gmail and similar because I’m on a their entire IP range is put on several blocks. In that scenario, you could send if I had Tim Nash dot e-mail, I could send the e-mail through that way using that address, because that’s not associated with my main website. Yep. So that’s something else to consider, and this also means that you can use this for testing as well, so that you could maybe set up a get a really cheap domain name, and then set up some tests on various e-mail providers. Find the one you like, then migrate your main platform across. But yeah, hopefully you don’t all move to Google cause that would be sad. We we’ll. We’ll, we’ll, we’ll. It would be.

The other thing worth mentioning is this cause they’re talking now I’m talking IP blocking is if you’re gonna call the e-mail potential clients do not. And I stress do not do it off your main e-mail account. Create a domain similar so that if it gets blocked your main e-mail account doesn’t get blocked and that would be a shame. So don’t do that please.

Yeah. I I cannot overstate that, that’s. To be honest, I really do not recommend not having your e-mail associated to your main account at all, but also if you’re using a your web host to. Send e-mail through. Maybe consider using a third party tool like SES or SENDGRID or similar. They have a higher. Reliability rate because they’re not coming through your own. Servers. But also this gives you a nice separation so that if. Your site gets. Hacked your your server that’s being hacked. Hacked is not inside that SBF record and therefore isn’t immediately being authenticated as you. Go ahead and send them. We we, we we approve this message. You’d much rather be in a position where you’re not sending that. The only thing with using a third party of service is they tend to have quotas and. Limits and let you. Know that you’re did. Did you mean to send 10,000 emails out just then? And you can go. No, no, no, I really didn’t. Please stop doing that and you can shut them down. A lot more easily, so I generally e-mail is a pain though. We should just stop using e-mail. I I would.

I wish so this conversation’s been great. So to kind of wrap up, give you a quick three condensed takeaways that somebody should do when locking down their WordPress thing real quickly.

Go away and remove all the users. Throw them away. Turn off all everything, delete everything, delete the WP admin area entirely. We got away. Is something we can. Do and your site will work quite happily without any user interaction there. Seriously, keep things up to date. Yeah, that’s the take away I want anybody to take from this. All the other stuff we’ve talked about is great. Keep your site up to date. Yeah, as you said earlier, the time between a vulnerability, uh being exposed and it being actually used and abused on your site is getting smaller. We used to talk about this in terms of weeks. And then last year, we were talking about it in days. This year we’ve been talking about it in hours. Yeah. Also, just because someone has exploited it doesn’t mean you’re going to know about it for weeks or even months. So that’s getting longer. So this means it is really critical to keep site up to date. To consider this. You have this point where you regularly review users. It it can be six months, I’d rather it be less, but let’s say 6 every six months. We do a review, we go through all our users. Hey. That admin user, we sacked him, right? Why is he still there? Ohh who’s that? Why is that woo commerce user suddenly an admin user? That doesn’t seem right. We should probably deal with that. Go for your users. Use MFA. Even though we’ve talked a little bit about how it can be bypassed. Use secure passwords. Educate your users and I think the combination so keep things up to date. Use MFA. And secure passwords as one and educate your users would be my free takeaways.

That that’s.

Or keep things up to date.

If somebody wants to get ahold of. You, Tim, the. Employer services talk security. How’s the best way?

Best way to get hold of Maine is to visit my website timnash.co.uk and you can book a 20 minute chat with me. We can talk about anything. There’s no, it’s not like a good show a sales. Picture on you come. Here with your questions quite happy to answer them, but I do my day-to-day job is that I primarily do site reviews. So I do secure code and secure site reviews where I go along and go through your site and find all the problems and then help you fix them. So I basically produce this. Nice report. We’ll go. Through it, we’ve got a bunch of recommendation. And that makes me different from your normal pen tester because I have the advantage that I’ve lived in your shoes, so I know what it’s like and I can give you an actual recommendation rather than just telling you something benign like ohh you should definitely hide your WordPress login page. And you should you you. You shouldn’t have things showing that you’re using WordPress and stuff like that, that your average pen test will come back. And there’s a load of. But yeah, come and talk to me. I quite happy answering questions. Don’t really do social media. Anymore that whole I I was off Twitter before it was called to be off Twitter. But you can also find me on LinkedIn. My LinkedIn handles at T Nash.

This conversation’s been absolutely awesome. Thanks for being so gracious.