Episode 469: Security With Tim Nash – Securing Your WordPress Site in Uncertain Times



Show Summary

Tim Nash talks with Rob Cairns about securing your website in uncertain times.

Show Highlights:

1. How to lock your website down.

2. Backups and more backups.

3. What to watch for to help with your website security.

Show Notes

Hey. Hey everybody, Rob Cairns here and today I’ve got my good friend, Mr. Tim Nash with me talking all about security. How are you this month, Tim?

I’m doing well. It’s it’s. It feels like it’s been. A very, very, very long month.

Yeah, it’s. It’s almost like if you’re in a security space, it’s almost like 5 months of one kind of and you know, and we are just about to go into black into Black Friday very quickly. So that will add to it even more. No, but I don’t want to use today to kind of drudge up what’s happened in the last month. There’s been so much written about it, talked about it, said about it, including on this podcast. So I’ll be very transparent. But what I wanted to do was talk about what we need to do to help some people. So. Let’s talk security in uncertain times because we are there. Right. Where do you sit with all this?

I mean. We should have probably done the free show rules. Of how much can I swear?

You can swear. What? It’s my show. So the.

I mean I I will say an e-mail to my clients and it needed several iterations cause the first version was what a *********** and we went back from there into more palatable language. Ice. Yeah, it is what it is, but boy is it a mess. And a mess that I can’t see being. All. The way people want it to be resolved for a very long time, maybe down the line in the short term we are in, as you say, uncertain times and that that’s not good for security. We like it when things are nice and steady and and reliable, then we can we’re doing other things when things are uncertain, you end up. Into this firefighting mode where? What’s the next problem and clients become really uncertain and they start doing silly things and clicking on silly links. So we’re we’re there. We’ve already started seeing this spear phishing attempt.

Yeah. I I I would agree with you. I think we’ve been there for a couple weeks now. To be fair, I don’t think we just got there. I think clients are concerned some aren’t, some aren’t. I’ve spent way too much time in e-mail saying. We’ve got your back. Don’t worry about your site. I was sharing with you before we went to record. I’ve got sites on WP Engine, so that’s fair. I’ve also got a number of sites over 60 running Advanced Custom Fields and that’s fair. The other thing I’m seeing out there is more and more vulnerabilities are coming out too. I looked at the I think just before we went to record this, there was 312 vulnerabilities this week in that mess. So just to add to this ***********, we’ve got more there. I haven’t gone through the list in detail, so I don’t know how many are dev saying. Forget about it. I don’t need this mess. So walking away from plugins versus Dev saying I need a strategy. Where do we go from here? With the site owner like I think our site owners are kind of stuck between a rock and a hard place right now.

I mean, everybody is stuck between a rock and a hard place, so I think that’s the the problem. So, well, we’re not gonna delve into the whole thing. I think it’s worth just emphasizing a couple of points that are important and one of which is that. Until maybe this week. But certainly in the last month. Everybody sort of assumed the WordPress project included WordPress.org. And the repository and. WordPress is entirely focused around that. If you go and grep wordpress.org into the WordPress code base, it’s there a lot because WordPress makes lots of calls to the wordpress.org repository. So when you’re suddenly in a scenario where that’s been cut off and we can take that scenario. For somebody like WP Engine, where they’ve been forcibly cut off by. Matt and Automattic, but it could be another scenario. Let’s say bad actors take down WordPress or or illegal. There’s some legal reason that you can’t access wordpress.org in your jurisdiction. Then your WordPress instance can’t automatically update. Which for somebody like me, that’s like, well, I be I I push people towards automatic updates because they are safe and secure, but if they’re not happening, they are never safe nor secure. But worse, you won’t know about the update. So you’re in. Just the same bad mode if you’re manually updating. People who wake up one day and they can’t access wordpress.org do not know if there are updates available. I mean, so they fundamentally sit there. And go. What do I do now? You could get a list of the plugins you’ve got. Go to either wordpress.org via some other mechanism that works or go to one of the plugin mirrors like on GitHub. And go and download and check each plugin to see if it’s been updated and manually do that. Visiting each plugin developer’s website, but we both know how that’s not going to happen.

That’s correct.

So what’s really going to happen is if a site gets cut off from wordpress.org for any reason, the site will not update. There are means to make it work. Look, especially if it’s satins off, like being driven by a development team or by a good support team. They might have it, for example, will be using something like Composer and it it being pulled from their Git repository so they might not notice it as much, but for the average user they’re going to come into an interface and it’s going to say there are no updates and they’re going to go. There are no updates worse. There is nothing to tell them that there is anything wrong. So where you were saying that you’ve been getting emails from clients, the scary scenario? Is when client that clients, let’s say. It This happens again, but with a new host, we’re gonna call them bad host. Bad host gets blocked, but bad host is actually a rubbish host. They’re a terrible host and they don’t put in safeguard, put in new things to protect their customer, to the credit of WP Engine for whatever side you sit on, they manage to stand up a full. Plugins repo and core update mechanism in a weekend. And a little bit. That’s really impressive that in terms of their customers and what how little issue they’re worth for their customers.

Hey.

That’s pretty good, but let’s say bad host doesn’t do that. Bad host just goes. I had enough. We’ll just we’ll just ignore it. Now all of bad host customers have no real way of knowing that they’ve been affected. So. When we’re full of planning for the future, one of the things we have to plan for is how do we know we’re not getting updates? How do we know things are not working? Because a lot of people don’t have that very basic before we get to. How can I get to multiple pipelines? How can I get to custom repos? How do I do any of? That. Fundamentally, the biggest worrying thing is that if you’re cut off, you do not know. You are in silent land and many clients will just. Carry on regardless.

And it’s and it, you know, as we record this and as this comes out. We’re headed into the Christmas shopping season, just to talk about that, and not only are we headed into the Christmas shopping season, we’re headed into the season of WordPress 6.7; release candidate one dropped this morning. So not only do we have the uncertain times about all these updates, we’ve got the issues running into. First, first time and we got the issues doing with the latest update and the question is. And my question still is, should we trust the code in that update with all the shenanigans that have gone on in the last one?

I mean the one thing we do have, so when we’re talking about transparency and about uh. Governance, which is what this ultimately boils down to, and we do not have transparency in governance, I think. That’s a fair. Statement. I don’t think anybody’s gonna argue with me that, that and that and that certainly could be improved. But we do. Have transparency in code. Sort of. In that we know what is being published to the repos. And we can build from them. So you can go to GitHub and get a copy of WordPress and we can see what has been committed to that copy. That’s a very public copy. And that is a that is a direct mirror of the version on. It’s a version and as far as I know, that has always been the case that there has never been any deviation, so that that’s meant as a sort of mechanism where you can trust the Subversion, which isn’t controlled by the WordPress project. Subversion is sitting on wordpress.org which we’ve discovered is somehow legally not part of the WordPress project, which seems a bit weird, but yeah, we’ll go with it, but these do match, so we do have some sort of transparency over that code. What you don’t have is transparency over the. Tarball so when you actually do the update, the zip file that comes to your to the server when you unpack it, we can do something where we can verify the checksums. There’s one fundamental problem in this chain. The checksums we’re checking against are hosted on the place that we got the tarball from. And so if they’re wrong, if they’ve, if somebody has. Hypothetically, and I don’t think this would ever be the case, but I we’ll go down this sort of hypothetical line and then we’ll talk about more practical stuff. But hypothetically, the tarball was somehow manipulated and the checksums were manipulated at the server end. Then you could have bad malicious code put in, or you could certainly have code that makes things break that looks perfectly innocent.
It’s more likely that will be picked up in the whole chain, and I really think that somebody to manipulate it at the end of the sequence. Well, possible is. Very unlikely in the scenarios we’re in now, but a very good example of where a bad. Actor could do this. Where you could have a if a bad actor can break into the pipeline and change the code. That’s at the point where the tarball’s being generated and where the checksums are being done. Then that can be distributed without anybody really noticing. Well, if you’ve got a paranoid tin, bring tin foil around your head, this is a good example of where. You might go ohh. OK, when 6.7 comes out, I’m gonna pull from GitHub. Which is somewhere we can see it. Well, it’s not perfect. Because all the work gets done on Subversion, which is again separated and then pushed across, those commits aren’t signed, so we’re not can’t guarantee that Bob put that commit in, but we can see that somebody called Bob has more or less has committed something, and we can see everything that’s come in. So we have a bit more. Transparency that way. So I’m not worried too much about 6.7 having bad code in. Obviously, shenanigans may occur, and I. Would. You know, I don’t want to sort of like suggest things that I could. I I can come up with many world scenarios for how you could break, say ace, yes.

Yes.

You know, you know core release or make things a bit more awkward. I don’t think anything like that’s gonna happen. I think people will be safe to upgrade 6.7 but. I’ve always had this thing where it’s like major releases near holidays. Is horrible.

As someone who.

Doesn’t get to go on holiday because of major.

I agree. I agree. It used to be worse than the days when we got them in the first week of December. Remember those days?

Yeah. Well, yes. I mean, yeah, you’re worse is when they were in the first week of.

Which?

December, but then they slipped. Yeah. So then they were in the second week or third week of December, like, I’ve got gotta go on. Chris, Christmas is coming, going, going, the the office is empty.

Yeah, I agree. It’s. Yeah, I think the other thing we’re starting to see. And I think I’ve seen some of it already. There have some devs who have actually pulled their plugins from the repository. And what they have done is they have said please go to our website and update once manually. And then the update. Points back to their repository because the only way that you can. Update for wordpress.org is that you can. Sorry the only way you can host a plugin or a theme on wordpress.org is that the update goes to wordpress.org and I think what we need to do, and I was saying this earlier and I’ve been thinking and talking a lot about this is I look at the Linux world. If I want to download Linux Mint tomorrow, I have the choice of going to any repository that’s mirrored, including some in Canada at university, some across the world to get that. Program. I think in the WordPress world we need to go to mirrored repository and I I think that would actually help enterprise groups not hurt it because enterprises don’t like one point of failure.

Ohh yes sorry. The reason I’ve suddenly one clicking I’m clicking in the background is I’m opening up a document that I wrote. In September. Which was going to be a blog post and I never published it for many reasons, and it’s called democratizing updates.

Oh, OK.

And it’s a, you know, 5000 word document on how to create. A distributed. Multi channel repositories based on the Linux system. I very much in favour of this sort of scenario where you can and I’ve seen some examples where people have built UIs and built ideas around this, but very simply I think inside WordPress core there should be an option for you to. Subscribe to channels. Absolutely. The wordpress.org one should be like this. Yeah, I don’t mind if it’s worded. This is the official one. I don’t really care on that, but it’s like this is the primary channel. But I want the ability to be able to say OK, but I want to subscribe to. Packages channel or I want to be able to subscribe to the engines channel or.

The. The one in London, England. Which is closer to you, yeah.

Exactly somewhere that’s nearby. But I also want the ability to disable channels to be able to say I’m going to disable the wordpress.org or I’m going to disable all these.

The answer?

Channels, but I’m going to enable Tim’s special magical Security Service channel where the only plugins that appear in that channel are approved plugins that have been code reviewed by myself. That would be fantastic for my clients, so I could just say here is a list of approved things.

Yeah.

I’m hosting the mirror. And so I’m hosting the mirror, just the channels with just the plugins that I want my clients to be able to have access to. And then I how I how I decide when they get updated. That’s down to me. You then subscribe to that channel owner and that channel owner takes over that position of trust. Now when we have that distributed system and that channel owner takes over the trust, we do end up in a scenario where bad actor could take over a channel. But because it’s distributed. In many ways this is easier because we can then say warning that channel is bad. Disable that channel, go to a new channel. There’s a a. Lot of and people can then start building out new and innovative things. Do you want to have custom? You know, just Freemius. Want a channel so that now, if you’re a freemium plugin owner, you don’t need to put in their library. That is 28. Gigabytes or how big it is? The of junk that’s in every single one plugin that has to that uses Freemius. Because it has to send an entire e-commerce solution in in. With it you could just install. You could just have the Freemius channel and people can buy plugins through the Freemius marketplace and they would just appear on the channel. This is a really well trodden path. We can then start doing things like OK. We want to make sure that the checksums are distributed. And now we can distribute them out so we can have a mechanism where the plugin owners. Say these are the checksums I am publishing them on my GitHub on my website. As long as we come up with a standardized. Mechanism. Then the mirrors can take those checksums. They can use them, but they can also pass them. On to the. Clients. Yeah, so you can end up in a scenario where, like, OK, I want to use. WP Engine’s channel for ACF. Or or I’m going to use wordpress.org channel for ACF. But I’m going to use WP Engine’s checksums to make sure that the wordpress.org channel is actually publishing what is meant to be on there.
Again, this is well trodden path.

Yeah, that makes sense.

There are technical problems to do this, but it’s not that much. We could probably build in this into the WordPress core infrastructure as it is now through a plugin. A little bit, but. You could certainly do this with a plugin, and if we could do it with plugin it wouldn’t take much to then take that and go. Let’s put this into WordPress core if there’s a will.

Yeah, that is the key. Now the other thing that happened in all this mess as we call it and I’m being very gentle at this point that you you know that is Oliver Sild at Patchstack, who came out very publicly and said Patchstack is not going to announce any vulnerabilities publicly at this point in time. Interesting enough, I teams, as I said, they’re still announcing them because the list had 302 or 303 today. That came out. Where do you sit on that? I I personally think Oliver’s taking the High Road as saying. This is unprecedented at times. Let’s help the community and let’s deal with it. What do?

You think? I mean, I think perhaps I can now resume I think. It was just well.

Worth.

WP Engine were completely out blocked out. I think the second that that was over they carry, they started publishing again. I mean I thought it was a very pragmatic. Step. It weighed the balance between, OK, we’ve got, we’ve got a large percentage. That cannot at the moment update in a reasonable way. If we start publishing things that do that, they can’t update to. That will cause a problem. I thought his messaging was really good and I fully expected to see Wordfence and the others go on board. Obviously I didn’t expect Automattic. So I think I made a sarcastic comment about I give it a week and A and they’ll and the on Automattic will publish a vulnerability in ACF you did. I think it was six days, so they they they cut they cut movement slightly. I really hate it when. Vulnerabilities are weaponized when security is weaponized and made into things. It it it because our entire industry is built on trust. Yeah. And when people are publishing vulnerabilities that are so trivial. And and often not vulnerabilities. It lessens the real ones because the problem with our current setup is we rely on CVSS scores and these scores are designed for archaic software running on Windows machines inside corporate networks. Yeah, so every single score is seems ridiculously. Scary, you know this is an 8.9, 9.9. It’s like, yes, but most of that score is because it’s network because it’s on a website. So it’s all schematically going to be jumping all the way up here so. We can easily scare people by accident or on purpose when there’s absolutely no need to and. I think that this is not holding back with those vulnerability reports, just gave everybody that little bit of breathing space and let people not panic. Longer term though, we now have some really interesting problems. Like going back to checksumming early. Yeah. Try checksumming ACF, we’ll do a verify checksum whose checksum are you using? How are you using it? What version is it?
If you’ve got SCF and ACF and they now both get joint vulnerability reports. But one they’re on totally different version numbers. The whole thing is a mess as a as doing incident response and doing vulnerability management where you’re looking at, you’re getting a vulnerability report in and you’re going. This is tit for tat is pointless. These are really low and meaningless, but something’s gonna come along and it’s not gonna be meaningless. And it’s gonna be ignored because it’s in this tit for tat. Going on it it. Yeah. Frustrating as hell.

That and and that is using Nice language, I think it’s.

Yeah, I’m. I’m being I. I’m being very polite. I don’t want either side to send nasty lawyers to.

Yes, yes, have and the and the problem is people like you and I aren’t getting much sleep these days, which is another problem which we.

Won’t even. Well, I mean a a really good example is obviously you know when everybody knows that WP Engine had. Their access to wordpress.org all cut off. This was done at like I think it was 5:00 PM in the Pacific on a Saturday.

Yeah. Yeah.

Can’t help think that timing was a little bit done to make the WP Engine staff work over the weekend, but it didn’t just affect WP Engine staff. Cause of course that was me at 3:00 in the morning in my time. Building proxy servers. For my clients so that my clients on the. WP Engine could get the updates. That they needed that day. I was really proud. We managed to get the proxy, our proxy server set up and running for them in about 3 hours from start to finish and we’re getting those updates from wordpress.org back on WP Engine clients that I was working with. And let’s say WP Engine managed to build up on that whole stack over a weekend, so credit to them. You know the next weekend. There was like. The ACF stuff going on and last weekend I genuinely left the message in a Slack group that I belong to that said. I’m going to write an e-mail to my clients and say turn your servers off from 9:00 PM on GMT on Saturday and we’ll deal with it. Whatever **** has happened by the Monday morning. And I genuinely turned off social media. I had my e-mail on. I did. I didn’t quite get to the point where I could turn off my phone because I do have clients who rely on me. But I did sort of like, right, we’re we’re not gonna play. This we’re in. A good place it should be fine. And longer term. I’m really pleased that that I’m getting a lot more. Inquiries for things like hey, talk to us about immutable immutable WordPress and setting up immutable stat. So this is good. This is a positive thing that’s coming out of this that I’m getting a lot more people who are interested in that side of things that really more deep technical but very secure setups that we use.

Yeah. As we move forward with all this going on, if you’re a client. And you’ve got a web. Right. We got a bit of an IT department and. You know a lot of from my experience have been being in healthcare for 22 years. A lot of IT departments don’t know how to manage web servers. I hate to say it, I’ll I’ll say that again, you’re shaking your head. So you agree with me. I’m where do you go? If you got that big critical WordPress site and make sure you don’t let the bad actors in with all. This stuff going on. Besides hiring somebody like you or me.

I mean, obviously you hire us. That’s clearly the answer that I mean The thing is that world. The managed hosting companies are spooked. That is a. We’re sending then. That’s a good thing, yes. Yeah, because I mean right now they are the most reactive they have ever been, all of them, whether that, I mean WP Engine is probably at the moment one of the most reliable hosts you’re going to get because they are firefighting like mad and they now that they’ve stood up their servers. Now they’ve got those bits in place, actually. They’re probably in a better state than most other managed hosts to deal with this sort of disaster recovery. But as I any of the major managed hosts. Are probably in a good place. To be obviously there. Are some hosts that are going to be better than others? There are some hosts that are owned by different people who sit on different sides of fences and you may or may not have. Moral and legal. Ideas why you would want to go with? One versus the. Other but I’m still advocating that if you don’t have the internal skills. Go down that managed WordPress hosting route. Making sure you you look for these hosts that are very much containers containerized cloud based hosting solutions don’t go for something that’s cheap and nasty. Don’t get for a shared host, you just you you. You do manage WordPress hosting makes this difficult, but you do tend to still get a little bit of what you pay for. If you’re paying $1.99. It ain’t going to be good. That’s not it. Can’t be the the the the literally laws of physics dictating how many bits can be sent around on a on a chip. It means that it can’t be that good. So you wanna be paying a reasonable amount of money, not masses, but remembering for most companies how much they pay for a physical store. Now you’re getting even more traffic through your virtual store for a tenth, a hundredth of the price.
It’s worth spending 50 to 60 pounds or dollars a month on hosting minimum sort of level of you’ve got a business and your business relies on your hosting. That’s the level you probably want to be at.

Hey.

And you can then get a half decent managed host at that price. Even better if you can find somebody who will do your hosting and support alongside you. That’s not a bad place to be going and finding these people, they they you having someone to hold your hand through this, who’s gonna be up at 3:00 in the morning building your proxy server. It’s it’s a good place to be. You want, you want those people if possible.

You.

Yeah. It has been, I would agree with you and don’t. We’ve been telling people this for years. You have, I have don’t go buy those $1.99, $2.99 plans. They’re not going to get you anywhere at the end of the day. Uh, they might get you cheaply on the web, but beyond that, they’re not going to do anything and they’re certainly not going to provide you support for $1.99. So don’t be.

No, I mean, I genuinely still recommend that the biggest thing that I say to people when they’re saying how do. I pick a host I. I have like a triangle diagram. I show them which is, you know has this idea of where you’ve got. You can do it on price. You can do it on performance and you can do it on scalability, but you can’t have all three unless you’re willing to spend a humongous amount of money to pick two of these. Things and support is on that track, so one of those was support and for support I just say ring them. And ask the and ask to speak to the pre sales team. If you can’t ring the person and ask the pre sales team. Way sure. You’re going to be in a scenario where you’re not going to be able. To get to. The support team, because there’s nothing that a hosting company likes more than to sell to you. And if their sales team can’t get to you, you go get the sales team on the phone. Probably not gonna get the support team on the phone either, which is a nurse we’ve got. I know we live in a world where I and I personally hate phoning people, but this is one of the times that I actively do it, saying, look, if you can get the sales team on the phone, then there’s a reasonable chance you might be able to find the support team member on the phone. But if you can’t get the sales team on the phone. That’s probably not hosts that you wanna be hosting with necessarily. There are always exceptions, but that’s my one of my little tips.

Yeah. So we talked about hosting. We obviously even more. So now gotta make sure your backups are running and working like that’s assumed, but even more so now. What else would you do? Would you run? A software firewall in your WordPress install or is that a waste of time with all this going on?

Sorry, thinking I, I managed to cough at just the wrong moment.

What was the question? It’s OK. Would you run a software firewall within your install? Something like Solid Security? Something like Patchstack app, solid space. Just on patch that gap would be phased. Something like Wordfence. Would you bother running that at this time or is that just a waste of overhead?

So. I am always very careful to say no one should ever uninstall their security plugin if they’re happy with it. I do not routinely recommend installing a software based firewall. They have a massive advantage in that they are contextually aware by that I mean they know what plugins you’ve got installed and therefore they can.

OK.

Deeply embed those rules inside the setup. However, they have a massive performance overhead and honestly most of. Them do not. Do any contextual awareness they just download the rules for everything and just bring it through. There are some scenarios where. I would recommend something like Patchstack over in. Those are the scenarios where they are fire and forget on a cheaper where you do have that client who refuses the maintenance package. There is on the cheaper hosting. Who you’ve set them up? You know they’re gonna get hacked, but you’re shoving on something in the hope. If you are maintaining a regular updates cadence. By the time they’ve written the rules to protect you, you already patched with the. Plugin should be. Perhaps it’s very rare we end up in a scenario where we have a zero day and that the patch comes out from the security vendors, comes out before the patch from the plugin developers come out. So as long as you you’re a good either automatic updates or a good cadence for your updates. Normally, the benefits of these firewall solutions is limited and the performance side is often a big overhead. Also you you end up at you all of these if you’re going down that route, you have to pay for. There is no point in killing rules 14 days later.

I agree.

So if you’re going, if you are going down this route, it’s you’re buying a puppy. You have to keep feeding it so you have to pay them monthly. If you don’t pay the monthly fee, you might as well not have it on. It’s just wait a waste of space. But. Having done that, I’m going to caveat that. That with the plugin might have extra features. It might have user monitoring, it might do these other bits. I wouldn’t worry too much about them. Things like malware scanning. I’d rather that have a dedicated malware scanner for this and that and I wouldn’t be doing. You would fit a Wordfence. WordPress is a PHP application and you do not want PHP to be doing long running processes in the web browser. It is just going to be.

Bad. Not good, yeah.

So if you’re going. To do this, try and get it server side. And a good hosts will be doing all of this for you. And weirdly, actually, the ******** cheaper the host, the better their WAF is. Because the the cheaper the hosts, the more they’re stacking onto their servers, they care about CPU cycles a lot more than your larger hosts who have given you a container because they don’t care. They’ve given you a container, you use your container resources. It’s not affecting everybody else. If you want shared hosting, running a multi instance of. Cache and you start spawning Apache that instances and spinning up and causing their CPUs to spike they. Care. Consequently, they’ll be running. Some sort of. WAF. Software web inside that Apache setup and because of that they’ll have a bunch of mod_security rules and it will be really tightly controlled. So the cheaper the host the better the WAF normally. But I’d still shove Wordfence on for that or or Patchstack. Or does Solid actually produce stereo firewall rules?

Now they Solid Security uses Patchstack, their relationship with us.

It is Patchstack. Yeah. So I I mean, if I was going to choose between them, I would probably go down Patchstack, it’s just that is just my if someone recommend ask for a recommendation. I be grudgingly say, if you’re gonna go down this route, then Patchstack, that’s the route to go there, so I’d probably, but I’d only be doing that on sites where I did not believe I would have any there. I wouldn’t be managing them. The client won’t manage them and the chances of an update happening on them is limited. In that scenario, I also sneakily go in and turn on automatic updates on everything and add a little MU plugin that will automate that will enable automatic updates by default instead of on by default instead of off. And that’s my little gift to them on my way out of look, I’ve done the best for you I can. You’re on your own now, but if you’re a managed customer, I tend not to recommend it. There are there are better solutions and better ways of dealing with.

Yeah, and managed hosts, let’s be fair, a lot of hosting companies, especially with core updates, especially core version updates, so 6.6.1 for example, they don’t push those updates out right away. They control those updates very closely on the managed hosts.

Yeah, I mean most managed hosts will be giving at least some basic level of testing before they push them out to their clients, even if that is as simple as spinning up their own single staging site. Or they might, in fact quite a lot of them, if they’re part of the hosting team, the WordPress hosting team have a plan where they basically give out a benchmarking system and get hosts to run their benchmarks, which actually works as quite a neat little thing for the hosts because they get to see, hey, is this all going to work well or not? And so at minimum, all the big managed hosts certainly are doing that, ahead of time. Right now, I think every major managed host will have somebody who is currently running and testing the beta, and when it goes into production they’ll have a barrage of testing that they’ll do before they push it through. On minor releases, which are like security releases and the really minor ones, they probably will just do minimal testing and just pass them through on to the clients as soon as possible, but on major releases it’s not uncommon to see two week plus delays across the board.

At least, yeah. Is there anything else you would suggest a site owner does at this time, beyond all the usual stuff they should be doing any other time?

So we talked about backups, and really this is the time. If you’re not regularly testing your backup, this is the time to go and just take a peek at your backups. Because you’re going to be wanting to be thinking about, especially coming into, if you’re an e-commerce owner, you are not going to want to roll back multiple days of your database. There is nothing worse than Black Friday. You have the best Black Friday sale possible and something goes wrong over that weekend and you do not have a backup that covers Black Friday, and so you are now stuck looking at your.

Ohh yeah.

PayPal or Stripe screen, looking at figures, going, there is no associated data with this, so we’re going to play guess the product to try and recreate it.

So let me share with you one, unrelated to this, but I’m going to, and the former client’s not gonna like me. He had a website on my server which he did not pay a bill for. And as per his contract, the website was brought down when he refused to pay the bill. It says right in his contract. There’s only one little problem. He has outstanding e-commerce orders in Woo and he can’t figure out, in direct relationship to his Stripe account, who ordered what and where. And this is my real life as I’m living it right now.

Lovely. Well, I mean, this is common. It doesn’t matter whether your host is turning you off or Rob is turning you off, or if it’s an accident or a bad actor and you’ve been hacked, all of these end up in the same scenario with you staring at the screen going, how can we recreate it? And sometimes the answer is.

Yes.

Yeah.

You can’t.

Yes.

And you are going to have to refund the customer, but then you get even more fun, because you can’t refund them through your own website. So you’re in your bank or wherever your merchant account is and you hit refund, and that fires a webhook back to WooCommerce, which goes, what? I don’t know what to do. And if you’re really unlucky, it goes, ohh, I’ve got a new order ID, because the incremental IDs have kicked in, and WooCommerce then inadvertently marks somebody else’s order as refunded. This is a fun scenario. Let’s not go there. The way to avoid this is making sure we have really good backups. Make sure we’re actually testing our backups, and I think every time I’ve come on your show I’ve come on and gone, take your backups, test your backups, and every time I feel like there must be a portion of your audience going, I take backups, I test backups.

It’s like, yeah.

But you don’t really, do you? You’re telling yourself you take backups, and you’re telling me you’ve tested the backup, but in your heart, you know you haven’t actually tested the backup? Yeah, you really have.

What else?

Yeah. What I’ll tell you is, the last three weekends, in the middle of this cluster fund, I have sat around and pulled.

You like that word now?

Don’t you? Ohh, I use that word. I’ve used worse in the last three weeks too. I have actually pulled sections of 50 backups and then restored them to test domains to make sure my backups are good. I have not played around at all, and what Tim and I are saying is, we do this stuff. A lot of people always look at people like us and say, oh, you recommend it, but you don’t do it. I know you well enough to know that if you suggest to somebody to do it, you’re doing it yourself, and that’s the same way I work: if I suggest to somebody to do something, that’s the way I work. So test your backups, folks.

I have a blog post that I think is called Does your host have ransomware? I’ll send you the link and you can pop it in the show notes if you like. It goes through a list of how quickly you can restore your website if your host disappears, it goes through the steps you’ll need to take and the process that I do as well, and it basically gives you a challenge. So the challenge is, can you beat my time on how quickly I can restore a site, moving hosts entirely without access to the old host? Realistically, you should be able to take your site, take the last backup, which should be within the last 24 hours, and I think you should be able to go from there to getting a new site up, including changing the DNS, in about two hours max.

I agree with you.

Yeah, we would.

I think most people couldn’t do it in two weeks.

I can do this.

And you’re gonna hit the first snag, which is my DNS is with the company I host with.

Which is something you should never do.

So we were talking about other steps. Now is the time for these little things where you’re like, OK, it’s not just WordPress we need to think about, my hosting, do I need to think about that? Do I really need all my eggs in one basket? Maybe I should think about, when it comes to domain renewal time or before, maybe I should.

You. Mm-hmm.

Transfer my domain to a dedicated domain renewals partner that I trust and want to use.

And I will calculate.

How about you?

And while we’re talking about domains, don’t save the 20 bucks and get one of these free domains. Because it’s worth mentioning, while we’re on this wonderful topic, that a free domain the host owns, you do not own, so you cannot transfer that domain anywhere. It is not going anywhere.

Yeah. I mean, at the best of times you lease domains. Another good example is, and I don’t want to put people off getting interesting TLDs, so that’s the bit at the end, the dot coms. But if you’re currently a dot IO user, you probably are starting to panic a little bit. Yes, because there is literally, well, that country is not going to exist officially. And so those domains at the moment, as it stands by the various bylaws of ICANN, have to be sunsetted within two years. So that will be interesting. And now I’ve got a sneaky feeling there’s gonna be some changes to make that not happen. I think that they’ll just fudge it. But in theory all dot IO domains will cease to exist in about two years’ time, which is awkward, because there’s quite a lot of people who use dot IO.

Yeah. The other thing is, let’s kind of go to plugins, which I was gonna go to before we got into a whole domain discussion. If you’ve got plugins running on a mission critical site, if there’s anything that should have taught you in the last three weeks, it’s that you should be using the paid version and stop being a cheapskate. Because if you’re running a paid version of ACF, if you’re running paid versions of other plugins, all this “I can’t connect to wordpress.org” becomes a moot point.

Right.

Yeah, I mean, so I have two sort of issues that I, I think I tend to buy the paid version of something even if I’m not going to use it.

To support them.

Because I’m supporting the plugin development, which means I’m supporting its existence going forward, which is going to give me vulnerability updates, which means I’m going to be more secure. So I’m helping the whole process through even if I ultimately don’t need to use the features. I think that’s also, you know, if someone has got a paid version available then they are clearly wanting to make their livelihood out of this. Now, not everybody in open source wants to do that. Some people give away and support their plugins because that’s what they absolutely love doing, and I 100% support them. I’m not saying that plugins should have a paid version, but if they do have a paid version, to me that’s them saying, hey, if you want this to continue, here’s how you help me. So I feel it’s really important people support plugin vendors that way, but also, as you say, that plugin is going to be distributed by them. Now there are pros and cons to that. If a bad actor does gain access to their distribution mechanism, you are in an awkward position, and in theory somewhere like wordpress.org should have better security. We have seen plenty of poisoned well attacks on wordpress.org where a developer account has been compromised and bad stuff happened. So it’s by no means necessarily more secure than the developer’s own site. But the developer is more likely to know, you’re going to get updates more timely. And right now, we are in a world where a lot of our trust has been broken.

Yes.

And it doesn’t matter who you are or what you think about the situation. There are us and them, and them and us, and camps have formed, and we have reached the stage where someone says the sky is green and you’re going, no, no, it’s pretty black right now, but normally it’s blue. No, no, the sky is green. And so we’re at that stage where things are so polarized and so different that the one place that you can trust a plugin is the actual developer. Yeah. So if Elliot says, I am running this plugin and this is my plugin and I’m getting it from here, I think generally you should go to them. If they have a paid full version, even better, you’re supporting them. And the plugins that have moved away from the repo, again, I would follow them. I worry about them setting up and putting their own update mechanisms in. I really wish we had the infrastructure changes we were talking about earlier in place first. Yeah, that would have been ideal, because then they could do what they wanted and we could just, I’d love to have an ACF channel.

Let me just.

And then an ACF Pro channel where I just got a key and that went into my, and that channel was now active for me. Even better, because then I could have the two channels, and if I did stop paying for ACF Pro then it just downgraded me to ACF and I got the free version. You could do so many cool things and we could have a much nicer world, but we’re not there. But at least if you’re following the developers, they’re writing your code, their code is running on your site. Before, we used to say wordpress.org was a safe source of trust. It’s up to you whether you still think that, but either way, you now get the option to have developers being a safe source of trust. Otherwise you are the source of trust, and that means that you have to manage all this infrastructure. Which isn’t a bad thing.

No question.

There’s nothing wrong with you saying, actually, our git repo is the source of truth, and we own it and ensure that it has only come from our git repo, and we will merge things in, you know, we’ll manually merge things in. That’s not a bad solution if you have the support and manpower to do so, and the dev time to do so, and you can automate a lot of that. But it is.

Yeah.

There was a comment that was made, it might have been from that, and he was talking about how everybody had a free ride and their free lunch was over, or words to that effect. I can’t remember the quote exactly. And anyway, he sort of was right in that we have been complacent about what we have available and how we’re gonna get it, and consequently a lot of people are running on somebody else’s infrastructure and somebody else’s coattails. And I think if nothing else, maybe not now, maybe not in the next three months while we go over the Christmas period, but into the new year, I think you’re gonna see a lot of mid-size organizations going, we don’t want to move from WordPress. WordPress is a fantastic solution for us. But we need to take ownership and we need to take more control over what we do with it and how we manage it. And so I think there’s going to be a very noticeable drop in the number of plugins being downloaded from wordpress.org as people come up with mirrors, come up with mechanisms, or just bring things into their own infrastructure and manage their own updates that way.

I agree with you, which again brings another set of rules, another set of complexity, and another set of issues. As we kind of wrap this up, Tim, a couple of quick things that people can do, or have we basically covered it again?

I think we’ve done it. I’m gonna just drill backups into people. There’s other things you can do, but I think if we drill in backups as a primary bit. Actually, no, a thing to do is to not care too much about the drama.

Yeah.

There are important things we have to do, especially if you manage multiple sites. You do have to pay some attention, but the drama can make everything feel heightened and require, like, we must do things right now because everything is, and you can take time to breathe.

What?

And it’s worth noting that if you’re getting any e-mail with any sense of urgency attached to it, you must do this now. I laughed because there was a change to WordPress’s Slack, and Slack sent out an e-mail telling me how I had to log back in because of a single sign-on thing, and the reason I was laughing is, this reads like a spear phishing e-mail.

Oh.

It did actually, and I should tell you, I don’t have that problem because, you know, I sit on WordPress Slack. Don’t you?

Well, there you.

Go. That’s what I thought.

And I mean, I imagine that that Slack community has reduced significantly in the number of people, because they haven’t, I think it said something like you have 5 days to log in and then otherwise your account gets deactivated. It’s like, this just reads really badly. But if you’re getting things like that that aren’t from Slack, if you’re getting any communication that seems to be coming from WordPress or from your host but it doesn’t feel like it’s really from your host, yeah, it’s just, you know, we’ve all developed these tingly senses, and we’re nearly all in a heightened state anyway, because we’re coming into Black Friday. And the amount of.

Hmm.

Phishing goes through the roof, but just be ultra careful, because there are direct phishing campaigns and there are campaigns which are getting fairly smart. Finally, after God knows how many years, phishers have learned to use, well, presumably ChatGPT to proofread their emails. The standard of quality of the English in the emails has gone up in the last few months.

Unfortunately yes. Way up.

Which is terrifying, because that was like the easy one. You could open up a phishing e-mail and go, yeah, but all of this is misspelt. It’s like now the quality is ratcheting up, and maybe that’s actually a whole topic for another time, just talking about how phishing and spear phishing.

Yeah, we should.

Has developed around WordPress in the last few months, because I’ve seen some amazing examples, and ones that I would fall for, I think.

Me too, I caught one. I caught one recently where I had to go back and look at it three times, and I saw one outside of WordPress, interestingly enough, and I’ll share this, I actually showed this on my personal blog. There was even a phishing e-mail that took the Royal Canadian Mounted Police and put it in a fake e-mail summons.

Which is quite terrifying.

In the e-mail, all the verbiage was right. There’s only one problem: the RCMP doesn’t send out court summons by e-mail. But all the verbiage was right. I actually have a good friend who works for the RCMP. I walked it in to him, and his response was, holy, ohh, he used the word crap, those were the words he used, where did this come from? And I said, a friend sent it to me, would you deal with it, please? That’s how good they’re getting. They are not the misspelled mess of 10 years ago. That’s out the window for most of them now, to be honest. So.

We had a very similar one in the UK that came from Her Majesty’s Courts and Tribunals, which was basically a jury summons. But if you wanted to get out of your jury summons, you could basically fill in the form and pay a small fee to get out of your jury service, I imagine.

Thank you very much.

A lot of people fell for it.

I’m sure.

Because it looks so legit. Yeah. And it’s only that, you know, common sense would go, hold on a minute, I feel I would know if I could just pay my way out of jury service, and would the value be quite so low? Yeah.

So true. Thanks again for this, Tim. I hope you and I have shed some light on this for some people, cause I know right now, as I said, I didn’t want to dredge up the past drama, I want to help our community. That’s why we did the show this way today, to try and help some people and close out some of the concern out there, a lot of it rightfully so. If somebody wants to hire you, what’s the best way these days?

Uh, you can come visit me on timnash.co.uk. Uh, I don’t really hang out on Twitter very much, uh, I’ll be honest, the drama has dragged me back in a little bit, but you can find me on most platforms as either Tim Nash or timnash.co.uk, and yeah, LinkedIn, my website. And I don’t know when we’re going to be putting this out, but there’s a small chance that if it comes out early, if you’re around on the 31st of October in London, I will be at WordPress London doing spooky Halloween stories for the WordPress London security night.

I so love that, and also get on Tim’s newsletter list, he does one as well, and he also writes some really great blog posts. In the last couple of weeks, I was saying to him before we went to record, and on LinkedIn, your blog posts are right on the money. So go read what Tim has to say, because he’s out there to help you guys. So appreciate that so much. Have a wonderful day, Tim. Thank you so much.
