Security is top-of-mind for every site owner. Unfortunately, for us WordPress users, it can be quite complicated and confusing if you don’t stay “in the know”. For this ep., Josh and Micah dig into cyber security, speak with someone who was hacked by Anonymous, security professionals, and more.
Micah: I’ve never been overly concerned with my security. And, I know what you’re thinking, and as uncomfortable as I am to say it: You’re right. There’s a lot of privilege in that statement. Aside from being a straight, white male living in America, I’ve also just never been robbed, jumped, or hacked.
But to be honest, I’ve also become pretty disillusioned to the topic of security. Every time I turn around, another big company has been breached and my personal information is floating around in the abyss. Or, a friend I haven’t talked to in years joins a life insurance MLM and calls to say, “If you died tomorrow, would your wife have a security blanket?” It’s not that I don’t care; I guess I’ve just accepted that if somebody wanted to take me out, they’d find a way. Wow, that sounded a lot worse coming out of my mouth than it did in my head.
Anyway, needless to say, when we decided to make an episode about web security, I didn’t feel like the most eligible podcaster. But, in the spirit of the show–and because I didn’t want to get fired from my dream job–I dove in, head first, to learn from the book worms and students at the school of hard knocks.
Micah: Back in August, I began hunting for a, what I’ll call, ‘hack story’, to share on this episode. While perusing the Internet, I came across a piece on CNN Money that immediately pulled me in. The headline read: “Cyberattacks Devastated My Business.” Don’t judge me; you would have clicked it too. And, you can, too, because I’ve included a link in the show notes. When I started the search I knew I’d probably find some interesting tales of being hacked, but the first accounting on this post blew my mind. Like we’re talking TV show material, here.
Male Voice: Hey, how you doin?
Micah: I’m good; how are you doing?
Micah: Meet the subject of this hack story. Currently, he works with some of the most loved–and hated–people in the world.
Micah: You were on the Obama campaign?
Male Voice: Yes, I was in charge of Students for Obama; well, Deputy Coordinator for Students for Obama, in 2008. I did that and then did Hillary’s campaign in 2016.
Male Voice: And it’s just an amazing experience. There’s nothing like campaigns.
Micah: That’s so cool. I was trying to find people who’ve experienced hacking and I came across the story that CNN Money did about your company. So, yeah, if you want to just launch right into it after you say your name and stuff that’d be great.
MichaelStarr Hopkins: So, my name is MichaelStarr Hopkins. I’m an attorney and Democratic strategist. I was also the founder of a company called Only Honest. And, my childhood friends and I created this company that was a political platform for discussions; kind of a town square idea. And we got a website and an app built where people could go on and create videos and talk to each other through these short videos about different political topics that they thought were really interesting and could really engage in kind of an authentic, unfiltered way. And, yeah, we started to get some traction and things really started to take off and then our website was hacked. And it was hacked during the Israeli / Lebanon War. We had people who were in Israel and they were uploading videos talking about what was going on in the ground. And Anonymous–the hacking group, which I think we all know now–wasn’t very happy with some of the videos that were getting posted up. And so, they hacked our website and left up one of those really weird Matrix-y webpages that re-directed it. It’s frustrating, because we were really beginning to build momentum and our followers were really starting to uptick.
The website had to go down for about a month. And we crowdsourced again and got money to get it rebuilt, and as soon as the website got back up, we got hacked again. And this time, they took a lot of the code, really messed up the site in a way that we didn’t see a way for us to recover. It was really frustrating. We reached out to the FBI to try to get some help.
Micah: Did you guys take a lot of security precautions? I mean, I’m sure your developers did; do you know what they did?
Michael: So, I think this was one of the things we hadn’t really planned out. Neither of us has a tech background or design background. Every time we had to update things for the various plugins, or for WordPress–we had WordPress–we were using a different developer. When it comes to cyber security and things like that, you got to be able to respond immediately. And it taught us a lot about running a startup and how that plan and how there are certain things you can never plan for. It was a great lesson and I’d like to think that other companies can learn from some of our mistakes. I take those lessons with me every day and try to apply them to my life now as a Democratic strategist.
Micah: We don’t need fear mongering or pushy salesmen to see the value of security. We just need to be well informed on the types of attacks that are out there, and what tools and practices we should have in place to combat them. And that’s our goal for the rest of this episode. So, friends, welcome to Hello, WP, a podcast that reminds you what it’s like to be a new WordPress user. My name is Micah, and coming up in just a minute you’ll hear my co-host Josh.
Segment #1: Framing WordPress Security
Josh: Welcome back to Hello, WP.
Micah: Yeah. Welcome.
Josh: Last time we were together, I went home and I started thinking about one of the biggest and most important conversations that nobody wants to talk about.
Micah: Why do you say that?
Josh: Because everybody likes talking about the sexy of WordPress.
Josh: We like talking about the sexy things like: speed.
Josh: We like talking about: optimization.
Josh: We like talking about those things.
Micah: Can you also turn down the vocal fry?
Josh: Vocal fry?
Micah: Have you heard that term?
Josh: No, I haven’t.
Micah: No? It’s where you go: SEOoooo.
Josh: Oh, let it simmer.
Micah: No, it’s when your voice breaks up and falls like frying steak. SEOooo. Some people really, really… hate it.
Josh: Oh, they hate it?
Micah: They find it really annoying in their ears.
Josh: Oh, okay I’m gonna turn it down.
Micah: Okay, but: optimization…
Josh: Okay, but what I was realizing is, I don’t think it’s safe to go very far into the conversation of WordPress without talking about security. And, this is personal for me, because I think back to when I started in WordPress. It was built around: Here I am designing, mostly in marketing, and I was just trying to get my stuff out there and here comes this magical thing–WordPress–that goes, “You don’t have to be a developer to create a great website”. So, I start using WordPress. I get mine set up. I’m on WordPress dot org, reveling in the glory of being able to create my own site. People see my beautiful websites…[laughter] my early two thousands glorious design capabilities. They come to me and they go, “Josh: Could you please build me something beautiful,” and I’m going, “Heck yes, I can. But, I’m going to turn this over to you as fast as I can, because I can build this out for you, but WordPress is a platform for you, my friend, to be able to blog and to tell your story and to continue doing this and it’s the days of static websites are gone.” Right? This is a new era where publishing is democratized…
Micah: [laughing] Yeah
Josh: And I’m becoming this salesman for WordPress… this evangelist for WordPress. So, we get WordPress up on their site, I turn it over to them, I give them admin access. Six months down the road, there’s a massive exploit and sites that I had built are displaying Viagra ads all over the place. The site is completely destroyed. And I’m looking at this going, “I don’t know what to do here. This site has broken and there was nobody around to be able to fix this stuff. My only hope is that I know one guy who can fix it. But, my budget was capped.” This is, mind you, the days before Defender is saying, “We’re going to fix your site,” this is far back.
Josh: Security is something that’s not sexy because nobody loves talking about things or doing work that feels like it’s not speeding things up. Matter of fact, if I do it poorly, it’s gonna slow my site down. So, here I am, it feels counterintuitive, I just want it to work. I think it’s important that we talk about security, how to do it correctly, how do we get it done right…
Micah: And how do we talk about that in a way that new users like myself understand. I’m kind of in a similar place that you were in, where I love designing websites. But, I don’t know anything about making a safe website other than a good password or, you know…
Josh: Right. There’s ways to do this that are safe, that are secure, but it’s got to be on your radar.
Micah: Right. There’s so many efforts being made to make WordPress a safe space. It wasn’t always that way.
Josh: I think that’s funny that you bring this up, because it really is the difference between when I started in WordPress. It was like, do whatever you want to do out here in the Wild, Wild West, but be aware that you’re gonna get punted and hacked and all of these things. Where now, these companies like Google or WPMU DEV or WordPress are thinking, “How do we create a safer environment with some structure around it?” This is also a strange tension that it creates for a community. And I’m not even just talking about the WordPress community, but society at large. And every software, every government, every community, has conventions; but, it’s how tight can we get those conventions, and it kind of depends on what a community values, right?
Micah: That’s good.
Josh: Do we value open, free rein to everything, or do we value security and protection?
Micah: Is there a world where free rein in security can coexist on WordPress? Based on what I’ve learned from my research, the answer is one hundred percent yes, and one hundred percent no. Trust me, I was just as confused as some of you are right now. So, let me try to explain.
WordPress dot org as a platform is very safe. But, once you combine it with poor hosting, unattended plugins or themes, and user error, it can quickly become very unsafe. WordPress lives on the thin line between complete freedom and healthy constraints, but only if the user follows best security practices. This creates a tension in and outside of WordPress: Who carries the burden of security? Some say that the obvious scapegoat should be WordPress. Well, at least that’s what our local WordPress bad-mouther slash tech guru Kyle Campos thinks. Kyle is a highly sought-after DevOps guy who’s spoken on panels with folks like Michael Dell of Dell Computers. You’ll hear a lot from him throughout this season. Josh and I recorded a long conversation with Kyle while drinking White Russians on his back patio.
Josh: If a company is gonna do managed hosting for all of their customers, so they’re developing for their customers, they have certain set of tools that needs to be on everything from hosting and everything and it needs to just work. And so how do we automate all the processes around WordPress to just work? Backups, updates, so that someone doesn’t have to worry about updates, speed optimizations, security … like these core pieces of WordPress, and doing that–
Kyle Campos: Security’s core to WordPress now. Is that late breaking news?
Micah: Okay, go into that a little bit; what does that mean?
Josh: I feel like you’re holding back a little bit…
Micah: There’s an interesting element here…
Kyle: I just remembered weeks of my life in the past dealt with: “Oh, son of a [bleep].”
Kyle: “The whole thing’s got naked people on it now…”
Kyle: I was trying to build a nice thing here, and now I have to figure this thing out.
Micah: Did that ever happen to you? To your site?
Kyle: Yeah, of course.
Micah: Really? I didn’t know that.
Josh: I look back on those times as hilarious. I learn how to do this install. I don’t follow through with updates. Of course, around the whole time–and this is conversation about WordPress itself being safe versus all the third party stuff. Like the famous–
Josh: Come on!
Micah: [laughs] What?! He’s snoring.
Kyle: Oh, here’s the ‘third party’ thing again. “It’s those people.”
Josh: It’s us.
Kyle: It’s me; it’s you; we are to blame. [laughs] It’s this world we want. It’s the world we created.
Micah: Wait, I want to understand Kyle’s … What are you saying there with the security thing? Are you saying, this is WordPress? Like, WordPress should be more at fault for the security issues there?
Kyle: Yeah. I don’t know how a platform can get away with absolving themselves of responsibility for vulnerabilities that are core to the platform and the language that it’s written in. Like, you should be doing vulnerability scanning, and you should be taking care of it for me. So, it really depends: Are you a platform or are you a set of libraries that I just get to go run through the wilderness with?
Josh: Security stats would say: Fifty percent of hacked WordPress sites came from the server side–the host–not from WordPress.
Micah: [weird voice] Hey, he’s just here with stats bro!
Josh: I don’t have any stats.
Kyle: And what was that from, “Harry’s Security Stats dot com?”
[all three laughing and making comments about Josh’s stats]
Kyle: Fake news security dot com.
Micah: Okay, so Josh may have gotten that 50 percent number from “fake news security dot com”, but it’s actually not too far off. At least, according to WPTemplate.com. On an infographic posted in July, 2018, it shows that 41 percent of WordPress hacks are a result of hosting vulnerabilities; 51 percent are from bad plugins and themes; and eight percent are because of weak passwords. Quick disclaimer: I contacted WPTemplate to see if I could get my hands on their sources for these numbers; but, I never received a response.
Anyway, the point here is not the stats and numbers: It’s about the question. Who is responsible? You could agree with Kyle all day, but WordPress won’t take full responsibility. It’s just not gonna happen. WordPress has chosen the path of staying wild and free, leaving the responsibility of security with each and every site owner, for better or for worse. We–you and me–we hold the keys to our WordPress security and depending on how you look at it, that could be good news or bad news. There are steps being made to educate and lighten the load for users with new conventions included in WordPress 5.0, and the introduction of an automated code quality tester called Tide by XWP. But, there’s still one hundred percent flexibility and that’s always risky. If you’re anything like me, this newfound calling to step up your security game is making your head spin. Let’s slow down. I think it’s important to reiterate here: I don’t want to scare you into caring about web security. We should create safe websites for ourselves, for our end users, and for the community at large. And in order to do that, like I said at the top of the show, we need to be well informed on the types of attacks that are out there and how to combat them. So, after the break, nothing to worry about at all–or is there?
Josh: This episode of Hello, WP is brought to you by Automate by WPMU DEV.
Male Voice: One could argue that probably the most important thing in keeping your site secure is updates. So, if you can automate that, like with our Automate tool, where it actually takes like a screen shot before and after, and so it will actually like send you an email with a cool image that shows highlighted in pink the parts that changed–like if it visually changed your website at all–that’s a really cool tool that no one else really has out there that I’ve seen.
Josh: I think you should say it the way that we talk about it in marketingland…[announcer voice] Automate, with safe upgrade technology [makes explosion sound].
Micah: [laughs] Always a voice with this guy.
Josh: Try Automate today, free, by visiting WPMUDEV.com.
Segment #2: Actionable Security Plans
Micah: I want to introduce you guys to one of the first friends I made in the WordPress community. Adam Warner now works for GoDaddy as their field marketing manager. But at the time of this interview, he was the open source software community manager for a cloud-based security company called SiteLock. Similarly to Michael’s story earlier in the show, in 2006, Adam experienced the devastation of a hacked website that resulted in the closing of his startup, and thus began his security awareness journey. As far as I’m concerned, Adam is a pro, so I got on a call with him to get some practical advice and insight on web security.
Micah: So, I wanted to start big picture: What are the dangers of the internet today?
Adam Warner: Yeah, so, the dangers are wide and varied. I like to put it in terms of both website security, but also personal security. The very first suggestion that I make to people is to simply be mindful. And what I mean by being mindful is being mindful that there are threats out there. Being aware that there is no such thing as 100 percent security in your daily life, but also on the internet. It’s all about really reducing that attack radius so there’s fewer chances of things going wrong.
Micah: What types of attacks are people facing?
Adam: There’s a few basic types of attacks. The most popular attack is malware–or malicious software. And, malware comes in many forms, but the most popular form is automated scripts. So, people will send out an automated script to basically scan the internet and look for open doors or vulnerabilities. It’s very rare when someone is actually targeting your website; although, that does happen as well. And the purpose of malware is two fold: it’s to spread more malware to have more reach, but the ultimate goal is financial gain.
Micah: From a developer, designer, implementer–you know, from the perspective of somebody making a website–what are best practices for security for those people?
Adam: So, I have a list of about seven best practices. Number one is backups. The purpose of creating regular backups–and this should happen at least weekly, sometimes more depending on your site–is that if your site does get hacked, you potentially now have a clean copy that you can restore. And the trick with backups that some people miss is that there’s a lot of backup plugins for WordPress, and mostly the free versions of those will create a backup and then it will store it on the same server where your website files live. Now, if your site gets hacked, and your backup is on the same server, it’s very likely that your backups will get hacked as well. So, you don’t know what is the clean version and what is not. So, if you’re running backups, you should always store your backups off site.
The number two best practice is updates, specifically software updates. So, having a regular software update plan is really, really important to stay on top of things, but it also includes any other software that might be running on your server.
Number three is to use strong passwords and unique passwords: at least twelve characters long. And the next question I get when I tell someone that is: How in the world am I going to keep track of all these unique and strong passwords?
Micah: [laughs] Right.
Adam: So, you can use tools like password managers. There’s LastPass, there’s 1Password that will help you create and manage and save all of those different logins that you have.
Adam: There’s a website called Have I Been Pwned. If you go there and go to the password section you can type in a password that you regularly use, and it will check against all of the data breaches that have been made public and tell you if that password was exposed in the data breach.
Micah: Oh, wow.
Adam: That’s a pretty handy tool. And I like to do that, in my talks I have people do that live and there’s usually quite a few gasps. Now, then, so that was number three of my best practices, and then number four would be the use of firewalls and CDNs. There are network firewalls and there are web application firewalls. A network firewall is typically used by web hosts to protect the security of their network. Now, a web application firewall is something that the end user or the web development provider would employ. And a web application firewall basically sits in the middle. And it’s a hardware and software solution that is solely designed to detect automated bad bot traffic. What a CDN does is it takes a copy of your site and it distributes it to servers throughout the world wherever this CDN provider provides, and so it basically reduces latency.
And that leads me into the number five security best practice, and that is continuous monitoring. Or in other words, having a website security scan that’s done every single day. The purpose of the scan is to monitor the health of the actual files on your server. So, if the web application firewall doesn’t catch everything and something gets through and then you have outdated software or some other vulnerability, then that daily scan usually does a really good job of recognizing that malicious software has now been injected in your files and will either alert you or some services’ scanners include automated removal of malware.
And the number six best practice would be to use two-factor authentication. And for those who are unfamiliar with 2FA or two factor authentication, it’s basically that process of receiving a code via text on your phone before you’re allowed to log in to any specific website.
And the number seven tip–the final best practice that I always recommend is the use of a VPN, or a virtual private network. Next time you do connect to any public wifi look really closely at the name of that network. So, in terms of places like Starbucks, their networks are called Google Starbucks or Starbucks Google. So, see how many versions of Starbucks Google there might be the next time you connect. Because, if there’s more than one version, it’s very likely that someone has set up a fake wifi network for the sole purpose of sniffing your traffic.
What a VPN does is it’s software that you can install on your computer, there are mobile app versions for both Android and iOS, and what it does is it encrypts the traffic from your device to that wireless signal.
Micah: Are there any other things that you would suggest for the average user?
Adam: Sure, yeah. We’ve all become so accustomed to sharing photos and quite intimate details of our lives, and what I always recommend to people is to edit it themselves. Does the world really need to know that I am now leaving my house to travel? You know, Twitter has location-based searching, so if I were a ne’er-do-well, I could–theoretically–I could search a location in my city and if I were specifically searching for people posting about vacations or leaving on a trip, then I could probably use other methods–social engineering–to find out exactly where they live, and now I know that you’re not home.
Micah: Okay, so I know that was a lot of information in a short amount of time, but this conversation with Adam really helped clarify and define the complex world that is security. Let’s take it to the next level, though. How does the company I work for–WPMU DEV–handle hacks and attacks? And what are we doing to participate in WordPress security? To answer these questions, Josh and I are pulling back the curtain.
Aaron: Hey, just a second. Does this sound okay?
Josh: You sound so clean.
Micah: So beautiful.
Aaron: [laughs] Okay.
Micah: Meet Aaron Edwards. Officially, he’s the CTO at WPMU DEV. Unofficially, though, he prefers a different title.
Josh: What do you call yourself now?
Aaron: I like to say cloud architect.
Micah: Oh, wow.
Josh: That sounds fancy.
Micah: That’s a fancy…
Aaron: I know, it sounds fancy…
Josh: I like that title; we go with that.
Josh: Cloud Architect: We wanted to talk a little bit about security, specifically as it relates to WPMU DEV; and we are curious about, have we ever experienced a breach?
Aaron: To my knowledge, we haven’t for WPMU DEV. But yeah, attacks, definitely. We have a much larger attack surface probably than the average WP site, just a little bit more of a target. Probably one of the biggest things that we deal with is these massive botnets that are just testing usernames and passwords. For example, yesterday we had an attack that lasted for about twelve hours and it was trying just a ton of emails and passwords, probably using those massive lists that have been leaked online, you know?
Aaron: And we were getting, I think, 25 failed logins per second.
Josh: For twelve hours?
Aaron: For twelve hours, yeah. And any kind of plugin that would block, you know like multiple logins? That is essentially worthless because of those coming from… we counted at least 15,000 IP addresses. So, each address was tried maybe five times over that entire 12-hour period. So, blocking by IP does absolutely no good in that case with the bot that big, you know.
Micah: Wow. Were you kind of sitting there, like, watching this happen?
Micah: Oh, my gosh. What do you? What do you do?
Aaron: Well, I mean, ultimately I was able to stop it by writing a custom firewall rule. I won’t say exactly how we stopped it, in case he’s listening.
Micah: You know, actually, can you just read off the code that you used?
Josh: Can you just share that code with everybody?
Micah: You know, I’m a big code guy: Can you read off that code for me?
Micah: Okay, so what is WPMU DEV doing to participate in WordPress security?
Aaron: Right, probably the biggest thing is our Defender plugin. We just keep adding new features to it, and I think… first of all, we try to make it user friendly: not too many crazy options that confuse people where people have to learn about security themselves to know how to set it up, you know? A huge amount of the posts about WordPress security and things out there, and even the features on a lot of security plugins, are about obfuscation, which means trying to hide that it’s WordPress, or trying to hide your login page, or trying to hide, like, what version it is, you know, those kind of things? And really in practice, all that stuff is basically worthless, you know? It’s just smoke and mirrors. So, we really tried to avoid that and tried to stick to things that really mattered, security wise.
Josh: Okay, one thing that I do think is kind of shocking and something that we get a lot of questions about is putting a firewall into Defender. But we’ve kind of refused to add that. And have gone as far as to say, “They’re not as effective as what people think and kind of provide this false sense of stability.”
Aaron: Well, in my opinion, a firewall has no business being in a plugin. So, traditionally, a firewall is like a separate box or separate computer that sits between, like, your server and the internet. What a lot of plugins have done, since a firewall traditionally requires server stuff, is they made the plugin handle that with PHP code itself. And there’s a few problems with that. First of all, they’re already inside of your application before the firewall starts working on it. So, it’s technically possible that an exploit or something that happened to your system can disable that firewall. And then another problem is it’s much slower, because every request has to go through PHP and it has to do all these filters and things like that at the PHP level. It’s like putting a fence inside of your house.
Micah: Wait, what’s wrong with that? I’ve got a couple fences in my house.
Josh: Okay, and lastly, I think you got to talk about it, because…still in the works, but by the time this is released–hosting.
Aaron: Hosting, yeah. So, I’ve been working for almost a year on our hosting. And… it was so fun and free-for-all: If you could build it exactly how you want it, with all the coolest, newest features, and security, and performance stuff, how would you do that? So, for example, when you spin up a new site with our hosting, it has the Defender plugin installed already. And we have a big list of things that are up and coming. For example, TLS 1.3. I don’t know if you’re familiar with that, but it’s the new version of basically SSL encryption for your site.
Aaron: The final draft was released in September, so this is brand new. I’m excited that hopefully we’ll be one of the first managed hosts to provide that.
Josh: Micah definitely knew what TLS 1, 2, 3 was.
Micah: Yeah, I’m a big code guy; I love that stuff.
Aaron: I have one other thing to mention about our hosting, just because I’m excited I can talk about it forever: HTTPS. Right? I mean, pretty much every managed host now–in the last year–they started offering Let’s Encrypt to have free certificates that can be enabled automatically. It’s considered very, very bad practice to have a site that’s not SSL protected, you know? So, instead of making it hard to set up, what we really set up is, as soon as you add that DNS, it’s all automated. It goes through checks, it verifies, it creates the certificate, and it redirects your site to HTTPS. It changes all your URLS and takes care of all that for you without you even thinking about it or worrying about it.
Micah: We can’t stop bad people from doing bad things, but we can have an actionable security plan in place. While we are responsible for our own security, thankfully the future is here and there are a lot of really great companies, products, services, and people out there who are ready to help you fight the good fight. And after all I’ve learned while making this episode, I now feel safe–not because I’m ignorant to the possibility of danger, but because if something does go wrong, I have a community of people to help me restore things. Like Adam said, there’s no such thing as 100% safety online, or in real life for that matter. Short of locking yourself away in a box, you’re always opening yourself up to a certain level of danger. Really, all we can do is set healthy parameters and use the tools available to us to distance ourselves from danger. As contradictory as it may sound, distancing yourself from danger is not the same as distancing yourself from others. When we choose to open our lives to include others, we’re taking a calculated risk that assumes the benefits outweigh the danger. And in my opinion, people are always worth the risk.
Hello, WP is a podcast by WPMU DEV. It’s produced by me, Micah Dailey, and Josh Dailey. I did the editing and original score for this episode. Our super design team: Julian, Yudy, and Osh created our show’s art. A big thank you to Michael, Kyle, Adam, and Aaron for talking to me for this episode. Your experience and insight were invaluable.