Welcome to Press This, the WordPress community podcast from WMR. Here host David Vogelpohl sits down with guests from around the community to talk about the biggest issues facing WordPress developers. The following is a transcription of the original recording.
Powered by RedCircle
David Vogelpohl: Hello everyone and welcome to Press This the WordPress community podcasts on WMR. This is your host, David Vogelpohl, I support the WordPress community through my role at WP Engine, and I love to bring the best of the community to you hear every week on press this as a reminder, you can find me on Twitter @wpdavidv, or you can subscribe to press this on iTunes, iHeartRadio, Spotify, or download the latest episodes at wmr.fm. In this episode we’re gonna be talking about security and in particular sleeping well by locking down your WordPress build. And joining us today for that conversation. I would like to welcome to Press This, Rob Cairns. Rob, welcome.
Rob Cairns: Thank you, David, and thank you for having me. Appreciate it.
DV: Yeah, so excited to have you here. For those listening. Rob is in digital marketing and has been building and optimizing WordPress sites for a long time. In this episode, what Rob is going to cover are his views on the best approaches. For locking down the WordPress sites Rob is going to share his thoughts on security through obscurity. Is that a good idea? Bad idea, considerations around passwords and users timing for your updates WordPress and PHP and a whole lot more. Really excited to have Rob here to talk today and his securities have a lot of folks minds these days, with everything going on in the world and just in general relative to web security. This is a very kind of timely episode, I think as people are thinking about how to secure their digital experiences. Rob, I’m going to ask you the same first question I asked every other guest. Could you briefly tell me about your WordPress origin story? When was the first time you used WordPress?
RC: sure Well, David, what I should do is take you back a little bit. I about 20 years ago, registered the domain for the first 125 years ago and one of the reasons I gave was free email my family used to complain that I changed email addresses more time than people change the clothes. So I registered the domain. I created a static HTML website because I worked in tech. And then about 15 years ago I morphed that static website into a blog and of course, my viewpoint from WordPress. I left the health care’s circle about 12 years ago I was in tech and healthcare and then I started creating websites full time. So that’s basically my origin story.
DV: And then you remember approximately what year it was when he first transformed that HTML site into a WordPress blog.
RC: It Would it been Oh, probably 26/27. Somewhere in there 26. No long ago I was early adopter of WordPress. Yeah.
DV: Yeah. So that would have been right around the time of widgets and shortcodes and transforming WordPress from a blog platform to kind of a website release how I found that.
RC: Yeah, I’m one of the first things I actually used. Who’s really had its issues over the years is headway themes was one of the first big themes I developed sage sign and we all in the community know the history headway and what kind of happened there. So yeah, so a lot a lot going on. It was an exciting diamond now. It’s an exciting time.
DV: Excellent Well, I’m glad you’ve had some at bats and locking down WordPress sites you so you’re we’re we got a good episode here. Real quick. Could you tell us a little bit about Dunning digital marketing?
RC: And what yeah, I I run a marketing agency based in the Toronto area of Canada. We basically are two strengths our email marketing and locking down websites. I mean, that’s a big bulk of our clientele right now, is people don’t want to worry about to secure those websites. And that’s the base of what we do. Over the years. We’ve done everything from Pay Per Click ads to digital campaigns and I’ve just kind of narrowed it down over the last one.
DV: All right, good. Do I have so many friends in the WordPress community out of Toronto is glad to hear you’re close by when things open up and go out to look for you the next WordCamp Toronto.
RC: we haven’t had to word camp Toronto in a couple of years now. So I’m dying to get out and see some people. That’d be great.
DV: yeah, it’s it was a fantastic city. I really enjoy it there. So let’s kind of move into the topic at hand. So as you thought about security as a specialty, did you have a security incident that caused you to focus on security or was this rather something that developed over time for you like was there an aha moment or, or problem you experienced? Or is it more something that developed over time?
RC: Um, it developed over time, I would say, I actually have a security background in enterprise servers. So when I worked in healthcare for one of Trumps biggest hospitals, one of the things I was I was looking at is how do we help our server team with the security of our servers or exchange servers, which is email and how do we help an educated clients back then in healthcare biggest problems were phishing scams? So people clicking on links, they shouldn’t bring in documents with security. So my interest in security just kind of developed from there.
DV: This explains so much about your focus on email marketing, and locking downsides I guess, like those are such different disciplines, but it makes sense with your healthcare background, thinking about those Exchange servers, then the security aspects of person well as healthcare servers, it makes a lot of sense. So let’s kind of get into the WordPress side of things. You know, we see a lot in the news, you know, 70 million sites have a vulnerability because some, you know, volume in a plugin or something like that. But do you personally think that WordPress is inherently secure and then if so, why or why not?
RC: I would agree it is and what I would say before we trust the WordPress site is Microsoft Windows has security issues. Every month Microsoft put puts out patches on what they call Patch Tuesday, and it’s the biggest business operating system in the world. So my argument is, it’s not that we find patches it see or security issues, it’s how we deal with them. And what I like to see is responsiveness from vendors. So given a real life example UpdraftPlus one of the biggest backup programs lately has come up in security, lots of issues for the last couple of months off and on. But what they’ve done well is issued patches right away, which for those who don’t know are security fixes, and they’ve dealt with them promptly and timely. And that, to me is more important. I think. Once something becomes over 40% of the market, or process, you’ll always have people taking shots at it from a security perspective, because it’s now worth the hackers time.
DV: Yeah, those are great points. I often think of it is like the author of the software might be incentivized to, quote downplay the problem. The reporter who’s trying to get readers is trained to overplay the problem, into your point, every piece of major software in your life if it is properly managed, and paid attention to has vulnerabilities discovered over time, and promptly patches those vulnerabilities. And I think the other point I personally make is that WordPress has no known public vulnerabilities at this time that are unpatched and so that’s how I think about it. I really love this place. And I also love how you call out how updraft is approaching the ball is being discovered there. And, you know, I think there’s a lot of responsibility to a lot of really good providers in the system. They do an excellent job at managing phones when they’re reported to them in responsible ways. Whether your voice or anything you’d add to that,
RC: by the way, I PodOmatic. They’ve done an amazing job of patching vulnerabilities. I know we had a 5.9 release recently. And when 5.9 point one came out last week, it was just a maintenance release. There was not even a security fix in that release. So kudos and I think automatic takes security pretty seriously. So yeah, good space.
DV: My exposure to that team is it has a lot of folks on it. With like, I would say enterprise grade security experience. In my exposure. They’ve certainly followed best practices around responsible disclosure evolves responding to them. And not just I would say the WordPress core team, but I would say also the WordPress plugin team, and how they manage vulnerabilities, how they think about for stuff dates, how they communicate with authors, how they take plugins out of the repo if they’re unpatched. I don’t know like, I don’t know if you’ve gotten that deep with it. But these are things that stood out to me.
RC: I have an I actually recently had a discussion with Proteus fetcher, who too weak Gutenberg architect and he said his team takes it very, very seriously. So I think anybody who’s thinking they don’t, I don’t think they’re quite on Mark. To be honest. I think they are taking it seriously. They are listening. And they’re disclosing inappropriately.
DV: Yeah, it feels like a lot of the negativity that gets out there is you know that kind of sensationalist headlines that people interpreted in the wrong way but, and I find most, most authors actually, like do accurately describe what’s going on. It’s just that the headline is really scary reading and that it’s the target pool of security and software. And that’s just the way it’s always gonna work. That’s the way it is. So I want to kind of get into some more specific practices, particularly the notion of security through obscurity. But we’re going to take our first break, we’ll be right back time. To plug into a commercial break. Stay tuned for more press this in just a moment. Everyone welcome back to press this the WordPress community podcast on W EMR. This is your host David Vogel. Paul. I’m interviewing Rob Curtis of stunning digital media about locking down your WordPress builds. Rob right before the break we were talking a little bit about the inherent security of WordPress how the core team addresses it even folks within like, say the plugin team, but I want to kind of shift gears now to build a guest topics. You know, some folks often will rely on the notion of security through obscurity, like no one can find this thing who cares that it’s not locked down? I know that you’re not a big fan of that. But like why and help folks understand. Why not.
RC: Personally, I think the two things by obscurity a lot of people like to do you like to change and WordPress, their database prefix tables, and they like to change their login back end. And I think those are just fancy window dressing. At the end of the day. I don’t think they do I personally, most of the hackers have tools that can scan a site and figure out the backend are all using scripts or figure out the database tables. So I mean, I don’t think things like that really matter at the end of the day. If it makes you feel mentally competent or better. Go do it. But in the end, I don’t think it provides a lot for your client or the end user.
DV: Yeah, it’s those discovery tools that the bad actors use that you know, even if you’re obfuscating, it can not necessarily like achieve the objective. I remember, way back in the I guess it must have been the late 90s I got a free web hosting account with a job and I remember uploading my credit cards to it for storage. And I’m like, nobody knows the address. But the differences are big. And I remember getting shamed quite quickly by some of my co workers around that. So that was a lesson I learned way back then. Okay, so that’s a good point on security through obscurity and how bad actors can use, you know, their various toolkits to subvert that. You know, as I look at, you know, security and you talked about this, I think a little bit earlier, but you know, a lot of folks talk about, you know, people in your organization’s being the biggest risk to your security. How do you address that? With things like password policies or other approaches within your WordPress builds.
RC: So the first thing I like to do is, especially for an admin account for say, a strong and complex password, I always suggest to people use a password generator don’t store use a password that’s in the dictionary. I think it’s real bad idea. Make it as long as possible and people will say, Oh, I can’t remember that. Well, that’s when you need to spend time and get a password manager choose one LastPass one password bit Warden, which is why Password Manager choice to find one that works for you. And start to use complex passwords that you don’t use anywhere else. And if you don’t believe that there’s a really good site called if you’ve been pawned out there and what it will do is tell you your email address and your password had been found anywhere else on the internet in a known vulnerability so it can password secure combination of numbers and letters and, you know, special characters and do all those things. And I know people have hoped for this all before but I don’t think enough people are doing so
DV: like relative to the bill, then like from a configuration perspective, you’re thinking of forcing strong passwords but it sounds like you’re also thinking of training as part of this like you’re training those that will use the sites you’ve built on proper password. Practices.
RC: No question on that one and using software to force and also change those admin passwords on a regular basis. I usually force them to be changed every 90 days. That’s what they do in the corporate world and there’s a reason for it. And I think it’s a good idea on a WordPress website.
DV: Oh, interesting. You know, heard some recent revise that that was not recommended, but I’m not an expert. So I’m not gonna ask you there. But I think those are those are obviously sound practices. I really like reinforcing with folks. He uses unique passwords per site. And by the way, Rob, are you a gamer?
RC: I used to be I don’t play as many games these days because frankly, at the end of day if I start playing I’ll get absorbed in
DV: okay, cool. So that’s really thinking about it from the password perspective as enforcing strong policies, but then also training your users. Is there anything else in the training or other side around limiting the risk?
RC: People don’t give people roles in the WordPress dashboard. They don’t eat so somebody is only gonna be doing blog posts don’t give him an admin role, no matter how much they scream and it’s worth mentioning that WP Engine has a really good white label CMS program plugin that I’ve used many times is if somebody spreads for admin rights, and I know I don’t want them to have access to that section all installed the white label CMS by WP Engine and lock them out of certain parts of the website. So really give people what they need. Not everything. And that’s a big deal too.
DV: Yeah, I’m unfamiliar with this plugin. I’m gonna have to go look around. So you think working here I know you’re sure it’s us that makes it? I think so. Okay, wrong. But the the key point here though, is limiting admin roles. And I monitor various bones in the WordPress plugin repo. And, like a lot of the vulnerabilities that are reported are cross site scripting vulnerabilities. Yes, and a lot of those are limited to admin roles and plugin authors will often react like well, it’s just the admins that have that access, who cares? And you’re kind of making the point that there’s some users though that maybe you trust them, but maybe you don’t trust them at the software level.
RC: No kidding. I’ve got one client right now that I will not give his staff admin roles if my life depended on it, because I know what’s gonna happen. So I just, I just say no.
DV: Yeah, and it’s in your thinking like, well, it’s their site, who cares what they did, I guess, you know, there’s always that kind of trope of the client breaking their insight. But like, with those elevated permissions, when they’re logged in things like cross site scripting vulnerabilities can play a bigger role. And so for this novice users, by chopping it off with the with the access you’re granting, in their role in their users roles, you’re kind of helping to lower that risk for them as a client.
RC: Yeah, so true. And you’re actually doing them a favor, not a disservice in the long run.
DV:Sure. I’m guessing you probably give them some like, you know, okay, here’s the real admin but don’t ever log into a is this other one kind of thing. Obviously, I don’t like locking them out of their insights.
RC: And the other thing to do too is if it’s really high insight, I have some high insights installed two factor authentication, that also helps as well besides password, then they then they need an app on a smartphone or something else to get in and that locks it down even one more step. So that’s such such a huge part I think of password security.
DV: WP Engine and some other hosts do this. We have like a, essentially a single sign on solutions you can kind of bounce between your word presses. But it also incorporates a huge piece of two factor for the for the very reasons you put it. I can’t believe we didn’t bring that up before as a big part of passwords. Good mention Alright, let me switch gears a little bit. So as you think about, you know, reacting to WordPress, PHP and plugin updates. How do you think about like your strategy for doing that in a way that you feel puts you in the best chance for success with security?
RC: First of all, before you do any major update takes a backup. Don’t rely on your host take one using a WordPress plugin. Mine of choices Updraft Plus Pro right now so that’s what you should do to take a backup. Also, test your backups before you need them. Don’t wait till you need to backup the backups only good is the ability to restore. It’s tested on a staging site or a demonstrator sandbox before you need it on a regular basis.
DV: It’s a great point because like you could make a backup something could go wrong and you’re relying on it and then all of a sudden it was bad back up.
RC: I’ve seen that happen way too. Much. Sure. I’ve been there. We’ve all been to in the morning when it’s got to be up for 6am Yeah. The other thing is, I usually do core updates. So those are the WordPress themselves updates pretty well as soon as they come out. I’m a big fan of getting the updates in especially to security fixes in the updates. Many updates are in between updates I tend to do sooner than later. In terms of plugins, he kind of got it take a good look around. So for example, by that I mean you got to make sure there’s no known dependencies where one plugin doesn’t play nice with another plugin. We’ve all seen that. Do Do your homework ahead of time if you have to do some testing in a sandbox, do that.
DV: So I’m kind of like go ahead. I was gonna say like, I think like the testing points are very salient. And so I’m thinking though, like when you see the release, and you’re thinking like, Is my hair on fire or not? I’m kind of curious, like, how you think about interpreting things like release notes. I’d like to get your thoughts on that. We’re gonna take our last break and we’ll be right back. Time to plug into a commercial break. Stay tuned for more press this in just a moment. Everyone welcome back to press this WordPress community podcast on W Mr. We’re in the middle of talking about locking down your WordPress builds with Rob Curtis. Rob, right before the break. We were talking a little bit about your strategies around managing WordPress, PHP and plugin updates. And I was kind of alluding to my next question, which is like, how do you know when you see a release coming out with maybe security mentioned in the release notes that that’s the kind of thing you should you should really worry about right, the second or whether you have a little time?
RC: Yeah, what I usually do with releases is in the WordPress community, most releases have a release candidate, and then they’ll go do a beta and then they’ll go to a release. Now with a minor release, they just put release out with a major release. They actually have a release party on Slack where they do some final testing, and I’ve been through some of those release parties and they’re quite interesting. What I would suggest is to read as much as he can from wordpress.org. Read as much as he can about to release candidates but also read third party sources and a couple of the big ones are things they put out a regular security blog. Read a little bit about some of the stuff on WordFence they put out some really good information. And even places like Hacker News and Search Engine Journal and places like that. They talk a little bit about what’s going into the releases and it matters because the more educated you are yourself, the better you can deal with really so I think the fountain of knowledge is really in this case,
DV: Do you use things like the WP DB before to analyze the different security patches are coming into your plugins or themes or whatever.
RC: Yeah, it has and I’ve also even used third party sites like security to do scan. So I kind of take the approach go to Analyze, talk to people listen, you got to have your head to the ground. It’s a multitude of things to to help out and I think they’re all useful tools.
DV: So a patch is coming out basically you become aware that it’s coming out, you research what’s in the patch and what it’s addressing. And then I’m guessing from there, you’re trying to figure out how much risk you carry in terms of like how much time and energy you’re going to put into it right now. So like I was mentioning those cross site scripting volumes connected to admin accounts. Like if your site you’re the only admin, I’m guessing you’re probably not like running out to update right away. But if you have like dozens of admins, then you’re like, oh, I don’t know what they’re doing. And so you’re probably more urgent is that fair? But how you think about it?
RC: Um, yes and no. And the reason is and for some some pandemic started, we all know the hackers are bored at home. So I used to do security updates for clients once a week. Typically on a on a Saturday or Sunday. Believe it or not, I look at websites and the security side now three times a week. Because I’m trying to mitigate the risk. And with all the hackers at home and being bored, and now what’s going on in Ukraine, as we record this, the security space is a really tough space right now. So I think you actually have to elevate your knowledge and what you’re doing instead of d elevate it, and I think that’s really important.
DV: Yeah, I see what you’re saying a more aggressive stance there, especially with all the risks that are bound. Okay, so next question. What role do you see is hosting playing in your security approach?
RC: I love that question. Because most people don’t think hosts matter and I free of yours have said Your host is your partner in the business you’re not just hiring. And by that I mean you need to do some investigation and see a what type of plan you’re going on. So did you first find the stone always have the best be what is the hosts reputation and see what they’re doing from a security perspective on their firewalls on their end to help you the website owner from their perspective, some hosts and I’m not going to call them out both do a very good job and some hosts do a really amazing job. I think you’ve got to look at those things and treat them as your partner.
DV: those are definitely fair points. Because they work for us. I definitely agree with some of those points. I think one of the encouraging things I’ve seen in the WordPress community is just a vast variety of hosts that participate in the security conversations around making sure WordPress sites are locked down. But yeah, the level of depth definitely is a big thing that evolves. I monitor actually an internal Slack channel that our security team monitors that we use to email out alerts to our customers, when they have plugins with bones. So yeah, we’ll definitely go kind of the extra mile there. This has been incredibly interesting, Rob, I think we could probably talk all day, but we’re kind of coming to the end here. Thank you so much for joining us today.
RC: My pleasure is so much fun, David and I hope it helps some more people
DV: Yeah, I think so. There were some good points you dropped today and I definitely enjoyed the conversation and everyone listening would like to learn more about what Rob is up to, you can visit StunningDigitalmarketing.com Thanks for listening to Press This WordPress community podcasts on WMR. This has been your host David Vogelpohl. I support the WordPress community through my role at WP Engine and I love to bring the best of the community to you here every week on Press This.
