Episode 72: WordPress 5.4 Released, Zoom Conferencing Safety & Security

This week, we look at the WordPress 5.4 release, which includes turning distraction-free editing on by default. We also look at new plugin vulnerabilities discovered by the Wordfence Threat Intelligence team, including those found in Rank Math and a Contact Form 7 helper plugin. We review the new features recently added to Fast or Slow, the free global website speed profiler.

We also talk about Zoom’s recent security and privacy issues, including a recent discovery by a security researcher who found recordings of meetings containing sensitive information on Zoom’s cloud service.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:04 Join us for Wordfence Office Hours: WordPress Security Q&A
1:47 WordPress 5.4 released
4:03 Vulnerabilities in Rank Math SEO plugin on over 200,000 sites. Watch Ram’s talk on avoiding common vulnerabilities when developing WordPress plugins.
6:06 Vulnerabilities in the Contact Form 7 Datepicker plugin affects over 100,000 sites
8:30 New features added to Fast or Slow, the free global website profiler
10:00 Safety and security while using Zoom video conferencing, and a new report that Zoom meeting videos recorded to the cloud aren’t private

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 72 Transcript

Hi and welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. This is Episode 72.

I'm recording this on Saturday, April 4th after an extremely busy week in the land of WordPress. As such, I don’t have an interview again this week, but we do have some important news to share, and I didn’t want to wait. I have an interview ready, so hopefully I will be able to publish that next week.

I hope you are all doing well in this time of getting intimately familiar with our homes and families. I, too, am home with my family. My 11-year-old daughter is keeping things interesting. This morning I came downstairs to a Post-It note that said, “I will explain.” As much as I tried, I couldn’t figure out what needs an explanation, so as soon as she wakes up I’ll find out. If you want to know what that mystery is all about, you can follow me on Twitter, @KathyZant, and I will explain what the heck she’s up to once I figure that out.

We’d like to stay more connected with you, so we’re doing a Wordfence Office Hours for WordPress security Q&A on Tuesday morning. That’s Tuesday, April 7th at 9:00 AM Pacific, 12:00 noon Eastern. If you’d like to join us, write me at kathy@wordfence.com and I’ll send you an invitation. Our customer service engineers, Tim Cantrell and Scott Miller, will join me. We’ll answer your questions and find a way to entertain you, and ourselves, with some fun stories about WordPress security and also answer any questions you have so you can feel more secure in these interesting times.

Our first story this week, WordPress 5.4 was released. Justin Tadlock at WP Tavern did a great, succinct overview of WordPress 5.4. This version was named after American jazz musician Nat Adderley. The update includes new social icons and button blocks, usability improvements to the block editor and new API for developers to use in plugins and themes.
The most controversial addition was that the WordPress editor is now defaulting to full screen. Now previously, we’ve known that option as sort of “distraction free” mode. So if you don’t want full screen mode, you can revert this change by clicking the tools and options button, which is the vertical ellipsis icon in the upper right corner, and you can uncheck the full screen mode option.

If you’re a theme author, a WordPress theme author, you now have access to the Gradients API for the cover and button blocks. You should also check and make sure that your theme block styles are handling the new social icons and button blocks.

Several CSS, or Cascading Style Sheet, classes have been renamed within the block editor, so if you’re a developer working with the editor, please look for those. The core team also rewrote the HTML markup for the calendar widget and updated those classes.

Now that WordPress is all about blocks, block developers can use the Collections API to group collections of blocks by namespace, and the Variations API is providing for the capability of creating variations of an individual block. If you’re looking to use this, the new social icons block makes good use of this particular API.

Plugin and theme authors also have new hooks for adding custom fields to their navigation menus. WordPress 5.4 also introduces the apply_shortcodes() alias for the former do_shortcode() function. So WordPress 5.4.

Next up, we have a couple of important plugin vulnerabilities to report. First off, critical vulnerabilities affecting over 200,000 sites patched in Rank Math SEO plugin. Rank Math is gaining in popularity as an SEO plugin, now installed on, like I said, over 200,000 sites.

Ram Gall is one of our QA professionals and he found these vulnerabilities and worked with the team at Rank Math to make sure that these flaws were patched. Rank Math was extremely quick to respond and the most recent version of Rank Math is patched, that is version 1.0.41.2 that was released on March 31st, 2020.

There are actually two flaws that Ram found; both dealt with the REST API endpoint. The first was critical and could lead to takeover of a WordPress site. With that unprotected REST API endpoint, any number of attacks could have been leveraged. The most critical would be, of course, locking an administrative user out of their own site. Now the second vulnerability also dealt with the REST API endpoint, and it could be used to redirect site visitors; we see a lot of malware that redirects to nasty parts of the internet.

Now, advice from Ram if you’re a plugin developer. If your plugin is using the REST API, make sure to include a permission callback on any endpoints that you don’t want to be available to the public, and be aware that this requires a valid wp_rest nonce to be generated and sent with requests to that protected endpoint to keep your customers’ sites safe.

Here’s the place where I tell you that we’ve got a great video of Ram talking about writing more secure plugin code. We recorded this at WordCamp Phoenix. If you’re a developer, make sure you check that out and lock those front doors where attackers get into WordPress. I’ll have a link to that video in the show notes.
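As an added illustration of Ram's advice above (example code written for this page, not Rank Math's or Wordfence's code; the plugin slug, route names, option name and the `manage_options` capability are assumptions), here is a REST route registered without a permission callback beside the hardened form, with the wp_rest nonce handed to the browser and sent in the X-WP-Nonce header:

```php
<?php
/**
 * Added example, not Rank Math's or Wordfence's code. The plugin slug
 * "example-plugin", the routes and the option name are hypothetical.
 */

// The callback that changes site state. Both registrations below point at
// it; only the presence of a permission_callback differs.
function example_plugin_update_settings( WP_REST_Request $request ) {
    $redirect = esc_url_raw( (string) $request->get_param( 'redirect_url' ) );
    update_option( 'example_plugin_redirect_url', $redirect );
    return rest_ensure_response( array( 'redirect_url' => $redirect ) );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE (for comparison only, do not ship): no permission_callback,
    // so any unauthenticated visitor can POST to /wp-json/example-plugin/v1/unsafe
    // and overwrite the option, e.g. to redirect site visitors. Since WordPress
    // 5.5 a missing permission_callback also triggers a _doing_it_wrong notice,
    // but the route still behaves as public.
    register_rest_route( 'example-plugin/v1', '/unsafe', array(
        'methods'  => WP_REST_Server::EDITABLE,
        'callback' => 'example_plugin_update_settings',
    ) );

    // HARDENED: permission_callback checks a capability. current_user_can()
    // only sees the logged-in user if the request carried a valid wp_rest
    // nonce; without it the REST API treats the caller as logged out.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to change these settings.',
                array( 'status' => rest_authorization_required_code() ) // 401 or 403
            );
        },
        'args' => array(
            'redirect_url' => array(
                'required'          => true,
                'type'              => 'string',
                'format'            => 'uri',
                'sanitize_callback' => 'esc_url_raw',
                // Reject off-site targets: wp_validate_redirect() returns the
                // fallback ('' here) unless the host is this site or allowed.
                'validate_callback' => function ( $value ) {
                    return '' !== wp_validate_redirect( $value, '' );
                },
            ),
        ),
    ) );
} );

// Admin page: issue the wp_rest nonce and send it with the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-plugin-admin', false, array(), '1.0', true );
    wp_enqueue_script( 'example-plugin-admin' );
    // The browser sends the nonce in the X-WP-Nonce header; the REST API then
    // applies cookie authentication and current_user_can() works as expected.
    wp_add_inline_script( 'example-plugin-admin', sprintf(
        'fetch(%s,{method:"POST",credentials:"same-origin",'
        . 'headers:{"Content-Type":"application/json","X-WP-Nonce":%s},'
        . 'body:JSON.stringify({redirect_url:%s})}).then(r=>r.json()).then(console.log);',
        wp_json_encode( rest_url( 'example-plugin/v1/settings' ) ),
        wp_json_encode( wp_create_nonce( 'wp_rest' ) ),
        wp_json_encode( home_url( '/thank-you/' ) )
    ) );
} );
```

A quick check from the command line is to POST to the hardened route without the header: the response should be a 401 `rest_forbidden` error, while the same request against the unsafe route succeeds.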

Next up, we have another vulnerability also discovered by Ram Gall. This was in the Contact Form 7 Datepicker plugin installed on over a hundred thousand sites. Now this does not affect the core Contact Form 7 plugin. That one’s installed on over 5 million sites. The Contact Form 7 Datepicker plugin is one of those helper plugins that are sometimes used to extend the functionality of a core plugin. WooCommerce, another one that has a lot of helper plugins. So again, Contact Form 7 not affected by this vulnerability.

Now the Datepicker plugin is no longer actively maintained. Ram reached out to the plugins team and this plugin was pulled from download from the repository. The vulnerability is an authenticated stored cross site scripting vulnerability, so it could only be leveraged by an attacker that had an account that was authenticated to that WordPress install.
However, now if you’re allowing site visitors to subscribe to your blog, if you have a WooCommerce site and your users are all, or your customers are all in your user table, if you have people who can sign up to view like a course and you’re using a learning management system like LearnDash or LifterLMS, basically anyone that gets an account within your user section of WordPress is what is considered authenticated if they’re logged in. So your site with a large number of users could fall victim to exploitation of this vulnerability, and so it’s still important to pay attention to. A lot of times people will brush off authenticated vulnerabilities, thinking, “Well, that’s not that easily exploitable,” but these still have cases where you can see exploitation.

So now, more importantly than that, this plugin is not going to be patched. So if you’re using it, you’ll need to look for an alternative. Ram did find that Contact Form 7 can do date picking without a separate plugin. It uses an HTML5 date field, so you can go look up how to do that. If you’re using Contact Form 7 Datepicker, make sure you deactivate and delete this plugin from your WordPress installations and look further at the HTML5 date field capabilities in Contact Form 7 itself.

Next up, Fast or Slow, the new site speed monitoring tool we launched a few weeks ago, got some updates. As a reminder, Fast or Slow is a tool that monitors your website’s performance from 13 different locations around the world. It’s a completely free tool. You can subscribe to get updates so you can stay on top of how your site is performing over time. Of course, site performance is critical to your users’ experience wherever they are in the world, as well as to your performance in the search engine result pages, as Google has noted that site speed is a ranking factor.

We have added better charts to Fast or Slow, and we’ve also ensured that you’re getting more up to date metrics than any other site performance tool, amongst other metrics. Of course, I scanned my own site with the new tool, and I can tell you I’m pretty happy with how the data from Fast or Slow is helping me make better decisions about optimizing my site’s performance.

I’m pretty happy with how my site’s performing. Lots to learn there, so check it out at fastorslow.com. We’ll have a number of new updates coming soon. I will keep you updated about how you can leverage those to speed up your site, rank better, convert better, and create better experiences ultimately. That’s what we’re looking for, right, to create better experiences on our websites for our site visitors.

With many of us staying home, we’re turning to Zoom to stay connected, not only with our coworkers, but friends and family as well. And Zoom has come under fire for security and privacy concerns, with good reason. SpaceX and NASA have banned the use of Zoom in their meetings and there have been some zero days discovered.

One of the reasons that Zoom is so popular is that its barrier to entry is super low; that means you can install it and basically get started meeting very quickly and easily. Unfortunately, with that ease of use and that openness, a lot of users are not going through the extra steps of locking down their meetings and securing their Zoom experience. There’s also a lot of unfamiliarity with how Zoom works, so we decided to do a little research into how to make a Zoom meeting more secure.

We created a little video to walk you through some of the default settings that are turned on and suggest some that you can turn off. For example, if you don’t need chat, you can turn that off, using passwords to prevent Zoom bombers from invading your meeting, locking meetings, not letting anyone but the host share a screen, not using file sharing via Zoom, those types of things. So we’ve written a blog post and we’ve got a short two and a half minute video that kind of walks through Zoom settings. We’ll link those in the show notes.

The day after publication of that blog post, Zoom announced that they are turning passwords and waiting rooms on by default starting on April 5th. So that’s good news. They’ve also patched some vulnerabilities and they have announced a 90-day freeze on releasing new features. They’re going to focus on fixing privacy and security issues.
Now from my perspective, you know, dealing in the security world, that’s what you want to hear. Software is dependent upon trust. And you want to use software that is written by someone you can trust, someone that’s going to be transparent about problems when they arise and shows a sense of understanding the importance of those problems and a commitment to fixing them. From my perspective, Zoom is doing all of those things.

Unfortunately, Zoom’s problems continue. An article published on April 3rd in The Washington Post noted that a security researcher named Patrick Jackson found a way to find recorded Zoom meetings. At issue was the file naming convention used by Zoom to label recorded meetings.

Now what he found were meetings such as recorded one-on-one therapy sessions, training orientations for workers doing tele-health calls, including people’s names and phone numbers, small business meetings with private company financial statements, elementary school classes with kids’ faces, voices and personal details. Not exactly something you want publicly available on the web.

So more advice, do not use Zoom to record meetings to the cloud. If you need to record, record and save that to your personal computer or don’t record the session at all. Also, never share private information via Zoom or any video conferencing system.

We are doing our little Wordfence office hours WordPress Q&A on Tuesday and we’re going to use Zoom. We tried out a few alternatives and it’s just easier to connect using Zoom. So we’re going to do so, but we’re also doing so smartly. We’re going to answer any question we can, but we’re going to start that meeting with the direction that we’re not answering any personal questions, either for ourselves or for attendees. Anything that looks like personally identifiable information will not be allowed. What we’re intending to do is entertain and inform, but not consult.

So use Zoom, but drill into your head that you’re there to publicly entertain and inform and share knowledge and connect, but draw the line at consulting. Draw the line at getting personal. I do hope that Zoom’s commitment to privacy and security plays out by all of us being better secured with our video meetings going forward, and I’m hopeful that that’s what’s going to happen.

So we’ll talk to you again soon and I hope you all stay safe. If you have anything to share, please write me kathy@wordfence.com. Follow me on Twitter, @KathyZant, and we will talk to you soon.

The post Episode 72: WordPress 5.4 Released, Zoom Conferencing Safety & Security appeared first on Wordfence.


Safety and Security While Video Conferencing

With much of the world shifting to working from home due to public health concerns with COVID-19, video conferencing is booming. Businesses, and even schools, are turning to platforms such as Zoom, Microsoft Teams, Google Hangouts and other technologies to stay connected.

Zoom has come under fire in recent days due to security issues with the platform. A zero-day vulnerability has recently been disclosed, and numerous users have noted that Zoom bombers are joining open meetings and sharing undesirable content. Zoom has also been found to overshare data with Facebook via their iOS app, a problem now fixed. BleepingComputer recently reported about a newly found vulnerability in Zoom that allows an attacker to steal Windows login credentials from other users.

In response, SpaceX has banned the use of Zoom for company meetings as has NASA. Zoom announced that they’re freezing all new feature development to focus on security and privacy.

Houseparty, another video conferencing platform, has also come under scrutiny with some users claiming that Houseparty is enabling hackers to get into their social media accounts amongst other things. Unfortunately, there does not seem to be much evidence to support these claims and Epic Games has offered a $1 million bounty to anyone who can prove these claims.

With all of these news stories, is it possible to have a safe video conference? Are some platforms safer than others? Why is Zoom so popular even though it has been plagued by so many security and privacy issues?

Remote businesses like Wordfence have been using remote connection tools for years, and we’ve learned a few things. With these concerns, we wanted to take a look at the security of numerous video conferencing platforms and provide some tips to help you stay safe when connecting online, whether you’re a meeting host or an attendee.

Video Conference Options

There are a number of video conferencing options available, all with different capabilities. While not everyone has a choice of video conferencing options, decision-makers will need to evaluate which offering has the functionality they need. Zoom, facing intense scrutiny, will no doubt be forced to improve their security to remain viable. If security is paramount to your conversations, choose an option such as Signal for secure text communication. For video conferencing, Cisco’s WebEx offers end-to-end encryption and encrypted recordings at the file and logical volume levels.

Even with their recent troubles, there are many reasons why Zoom is so popular. It’s easy to use, inexpensive, reliable and convenient. When security is paramount, however, using an alternative with a better security history makes sense. The larger concern is the expectation of security with a widely used product. This lulls users into a sense of security when it is not warranted.

Perhaps the greatest benefit of the recent media focus on Zoom is the realization that we’re never fully secure when sharing information online, and we should always be prepared for an eventual breach.

There are, however, some steps you can take to improve security when using Zoom.

If You’re Required to use Zoom as a Meeting Host

Zoom is the most widely known platform, and when participating we don’t often get to choose which system we’ll be meeting on. Sometimes our employers require a certain platform, or sometimes our audience expects it. If you don’t have a choice in which platform to use, there are still some steps you can take to heighten your meeting security.

This video reviews some settings in your Zoom account that can help prevent Zoom bombing and ensure that your attendees have a safe experience.

Leverage your Zoom settings. There are a number of settings in Zoom that can help you keep your meeting safe. Lock down your meetings with passwords, mute attendees on joining, and lock down screen sharing so that an attendee can’t take over your meeting with their screen without your permission.

Kick out users. You can kick a user out of your room. You shouldn’t have to if you’ve secured your Zoom account, but know that this is available to you. Click Manage Participants at the bottom of the Zoom window. Next to the person you want to remove, click More. From the list that appears, click Remove and confirm.

Kick out users on Zoom

Share Zoom links carefully. Without any controls in place, a Zoom link will let anyone join. Don’t share your Zoom meeting link in public places like social media or other public forums. Hackers and pranksters have been searching for these and accessing meeting rooms at will, wreaking havoc on business meetings and even online schooling.

Lock your meetings. Once a meeting has started and everyone is in attendance, click Participants at the bottom of your Zoom window. In the participants pop-up box, you will see a button that says Lock Meeting. When you lock the meeting, no new participants can join, even if they have the meeting ID and password.

Lock Meetings

Using Video Conferencing as an Attendee

Don’t use Zoom chats for private messages. If you’re attending a meeting and want to send a private message to another attendee, be aware that when your Zoom meeting is being recorded, the room owner will receive a transcript of everything you say privately.

Don’t share personal information. As with any public forum, assume that anything you type into chat or say in a Zoom meeting is being recorded and that you don’t have control of what happens to that recording. Don’t share personally identifiable information with anyone, whether privately or publicly.

Turn off video and mute yourself unless needed. If you’re attending a class or meeting and you don’t need video or audio, mute yourself and turn off your video. This prevents video conferencing from inadvertently recording conversations in your home or exposing information you might not want it to.

Helping Kids Use Zoom

As many schools transition to distance learning, helping our kids understand the importance of security and privacy is important and a great life lesson.

Zoom has some resources for school administrators to help them get started, but don’t assume that a teacher is fully versed in all of Zoom’s tools. Many are teaching online for the first time, and we’re all under a little more stress than usual. If you’re able to support a teacher as a moderator, you’ll make the learning experience better for everyone.

For younger students, stay with your child during online video conferencing. Schools should be asking for parental consent for video conferencing, and minors are not allowed to create Zoom accounts.

For older kids, teach them good video conferencing etiquette, including muting when they’re not speaking, not using the chat function, and not downloading files via Zoom.

Ask teachers if students can use aliases instead of real names, and find ways to limit the amount and depth of personal sharing via any channel online, whether video or otherwise.

Can We Stay Safe on Video Calls?

Yes, we can. Scrutiny of any platform is never a bad thing, as security research ultimately makes technology safer in the long run. It’s heartening to know that Zoom is taking security and privacy very seriously, and that pressure from the greater community will heighten that commitment.

Knowing how to use the tools is our first line of defense. We hope that you use these tools safely and fully to stay connected to those who matter most to you.

Thank you to Nate Smith for his research contribution on this post.

The post Safety and Security While Video Conferencing appeared first on Wordfence.


Episode 71: Hackers Targeting COVID-19 Fears

With many of us under either lockdown or shelter-in-place orders due to the COVID-19 coronavirus, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers targeting these human vulnerabilities are using the global pandemic to attempt exploitation through numerous scams and phishing campaigns. We also cover plugin vulnerabilities affecting tens of thousands of sites as well as a new product from Wordfence, Fast or Slow, a global website speed profiler.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:05 Coronavirus scams found and explained
4:48 HHS.gov open redirect used by coronavirus phishing to spread malware
8:00 Vulnerabilities patched in the Data Tables Generator by Supsystic Plugin
9:52 Vulnerability in WPvivid Backup Plugin can lead To database leak
10:29 Wordfence launches Fast or Slow, a website profiling tool measuring site performance from major global locations

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press AT wordfence.com!

Episode 71 Transcript

Hi, and welcome to episode 71 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation.

It is the end of March 2020, and we’re going through a lot worldwide. We’re not going to have an interview this week with so much going on. We are under shelter-in-place orders or lockdowns around the world as public health officials strive to keep as many people safe from coronavirus infection as possible. With death tolls rising around the world, it feels like we’re in a new era of humanity.

Obviously, we’re all under some elevated stress, and that elevated stress and the requisite fear is making us susceptible to making poor decisions. As I talked about last week, scientists say that when we are under no stress whatsoever, we can handle about seven, plus or minus two, bits of information at any given time; that means what we can perceive. And when we’re under stress or when we’re in a fear state, which is basically a stress state, that makes us even more susceptible to perceiving less. It makes us vulnerable.

I woke up this morning to a news story that a man here in the Phoenix area had died from taking an aquarium cleaning substance that he thought would protect him from coronavirus. When we’re in fear, we’re not thinking our best. It’s really time for us now to slow down, to put a buffer zone between the stimulus of this stressful environment that we are all now in, and our response to that environment. It’s important now for us to really get good data and make good decisions.

With that, our first story today is from MalwareBytes, and they went through some of the coronavirus scams that have been coming online. In their blog post, they noted that a Twitter user had published a web tracker finding that 3,600 host names came online in just 24 hours that were related to coronavirus or COVID-19, and Risk IQ reported that they had tracked more than 13,000 suspicious coronavirus related domains over the course of a weekend, and on the very next day, more than 35,000 domains. All of these links are going to be in the show notes.

What does this tell us? It tells us that hackers are detecting vulnerability. They’re not detecting necessarily vulnerability in our systems, but they know that there’s vulnerability where there is fear, and they are targeting the weakest link. Most of these are phishing campaigns. They also detail a story that we’ve covered in the podcast a couple of episodes ago about an email phishing campaign sent by threat actors that were impersonating the World Health Organization with the intent of stealing credentials, usernames and passwords. They detail some incidents where threat actors are attempting to install malicious payloads on systems.

Now obviously, this shows that there’s going to be a growing threat, and this threat is not targeting our computers, it’s targeting us, and it’s targeting us because we are in vulnerable states, and what do we do when we’re in vulnerable states? The best thing you can do is to take care of yourself, not only your physical health and obviously boosting your immune system, getting decent sleep, getting decent exercise, but taking care of your mental health. Your mental health ends up being that which alleviates the vulnerability of fear and stress. It alleviates the vulnerability that hackers are attempting to target right now. Whether it is meditation, deep breathing, yoga, whatever you need to do in order to take care of yourself and your mental health is going to sort of be that firewall for your life, not just your mind, not just your email, but it’s going to help you make better decisions for you, for your family, everyone around you.

Our second article is an open redirect that’s being used. It is on the Health and Human Services (HHS.gov) domain, and this is being used by malicious attackers to spread coronavirus phishing malware. So basically, emails are being sent out through this open redirect on one of their web addresses. An open redirect basically automatically redirects users between a source website and a target site, and malicious actors use these to target phishing landing pages or deliver malware payloads, because they can do so under the guise of a legitimate service. With everybody attuned to wanting to get the latest information about coronavirus, having an open redirect on the hhs.gov Health and Human Services website is definitely something dangerous. So, per the article on BleepingComputer, the open redirect is being used to send out a malicious attachment containing a coronavirus.doc.lnk file that unpacks obfuscated VBScript that executes a Raccoon information stealer malware payload that’s coming from an IP address also detailed in that blog post.

Now, one of the things that coronavirus is really exposing, to me, is how as a society, we are not equipped well, in many ways, to care for our elders. Obviously, this virus is targeting the most vulnerable, those of our parents and grandparents, and it’s much like what’s happening with phishing and other scams like this. Obviously, we all get phishing emails, but those who are most vulnerable to these are the most trusting, and those of our parents and our grandparents, who often find themselves victims of these types of scams, whether it’s coming through an email or it’s on a phone call or an SMS message.

I would like to posit that it is our responsibility as security professionals, and even if you don’t think of yourself as a security professional, the fact that you’re listening to this podcast means that you are aware of security, and we have a responsibility to take care of the most vulnerable in our communities, whether that be the WordPress community or our communities at home. So talk to your parents, obviously, with social distancing at this time, but talk to them about these types of threats. Make sure that they are aware. Use antivirus on their computers if you can, and support them and educate them. Obviously, our first line of defense is going to be educating anyone who’s using the internet to realize that these types of threats exist.

On to some stories in the WordPress world, we have a couple of plugin vulnerabilities to cover. First of all, Chloe Chamberland, one of our Threat Analysts here at Wordfence, found vulnerabilities in the Data Tables Generator by Supsystic plugin. She did find some vulnerabilities in the Pricing Table by Supsystic plugin as well and worked with them on both of these plugins. Now, the Data Tables Generator plugin is a WordPress plugin installed on over 30,000 sites. These flaws were quite similar and allowed attackers to execute AJAX actions that could inject malicious JavaScript and forge requests on behalf of authenticated site users.

Wordfence Premium users received firewall rules against this vulnerability’s exploit on January 21, 2020, and free users received that rule on February 20th, so even though we hadn’t disclosed this because it was still being patched, you’ve been protected, if you’re using Wordfence, for quite some time. With all of the crazy stuff that’s happening in the world right now, the last thing you want to think about is updating plugins immediately, or even writing blog posts. There’s a lot of other things that are demanding our attention. So these are the times when it’s really good to have a firewall, because firewalls buy you time. Even though a vulnerability might exist in the world, you don’t even have to be aware of it. Your firewall is blocking malicious attacks, and as we’re seeing, hackers and malicious actors are much more active in times of great fear and vulnerability. So now’s the best time to make sure that everything is protected, including your WordPress site.

Our next story is a vulnerability that was patched in the WPvivid Backup plugin. This could lead to a database leak. This plugin was installed on over 30,000 sites as of a few weeks ago, and the issue has been fixed in version 0.9.36. It was another AJAX action that didn’t have an authorization check, so make sure that if you’re using that plugin that you have that patched.
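The two plugin issues above, AJAX actions that can be forged on behalf of logged-in users and an AJAX action with no authorization check, share one root cause. As an added illustration (example code written for this page, not WPvivid's or Supsystic's code; the action names, option name and the `example_` prefix are assumptions), here is an admin-ajax handler registered without any check beside one that requires both a nonce and a capability:

```php
<?php
/**
 * Added example, not WPvivid's or Supsystic's code. The action names,
 * the option name and the "example_" prefix are hypothetical.
 */

// VULNERABLE (for comparison only, do not ship): hooked for logged-in AND
// logged-out users and never checks a nonce or capability, so any visitor
// can read the option via admin-ajax.php?action=example_export_unsafe.
// This is the shape of the "AJAX action without an authorization check"
// described above.
function example_ajax_export_unsafe() {
    wp_send_json_success( get_option( 'example_backup_settings' ) );
}
add_action( 'wp_ajax_example_export_unsafe', 'example_ajax_export_unsafe' );
add_action( 'wp_ajax_nopriv_example_export_unsafe', 'example_ajax_export_unsafe' );

// HARDENED: registered only for logged-in users, requires a nonce bound to a
// named action (defence against forged requests) and an explicit capability
// (authorization). Being logged in is not the same as being allowed.
function example_ajax_export() {
    // Dies with HTTP 403 and body "-1" if the nonce is missing or invalid.
    check_ajax_referer( 'example_export', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( get_option( 'example_backup_settings' ) );
}
add_action( 'wp_ajax_example_export', 'example_ajax_export' );
// Deliberately no wp_ajax_nopriv_ hook: this action has no anonymous use.

// Admin page: issue the nonce and send it with the action name.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-export', false, array(), '1.0', true );
    wp_enqueue_script( 'example-export' );
    wp_add_inline_script( 'example-export', sprintf(
        'fetch(%s,{method:"POST",credentials:"same-origin",'
        . 'headers:{"Content-Type":"application/x-www-form-urlencoded"},'
        . 'body:"action=example_export&nonce="+encodeURIComponent(%s)})'
        . '.then(r=>r.json()).then(console.log);',
        wp_json_encode( admin_url( 'admin-ajax.php' ) ),
        wp_json_encode( wp_create_nonce( 'example_export' ) )
    ) );
} );
```

In a code review, grep a plugin for `wp_ajax_nopriv_` hooks and for `wp_ajax_` handlers that never call `check_ajax_referer()` or `current_user_can()`; each hit is a candidate for exactly this class of bug.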

Our final story. I saved the best for last, because there’s no fear associated with this. It’s not even a vulnerability. Wordfence is really happy to announce that we have a new product. This product is all free. It’s called Fast or Slow. You can find it at fastorslow.com. This tool helps you measure your WordPress — or other — site’s performance from various locations around the world. Now, if you’re interested in site performance, you’ve probably used various tools in order to measure whether your site was performing well for your users.

This tool is unique in that it looks at performance globally. So if you have a product or a service that is relevant to anyone in the world, say for example, software that you are selling online, and you would like to ensure that users in Australia, even though you’re based in, let’s say Kansas, that your users in Australia are having a good experience with your website. You can use Fast or Slow to see how Australians are experiencing your site, to see how South Americans are experiencing your site, how Europeans are. It’s a really neat tool. It’s free. You can put in your website, see how it’s performing, and we really recommend signing up for monitoring.

What this will do is run reports over time. So if your hosting provider, for example, is having an issue or you’re seeing degraded performance over time, Fast or Slow will let you know when a problem like that exists. It’s horrible to have those types of experiences sneak up on you, and you realize that your server is overloaded and not performing well, especially for a location where you have no visual experience. Fast or Slow will monitor this for you, let you know when your site might be having a problem, give you some relevant data that you can take to your developers, that you can take to your hosting provider, that you can take to heart and make better decisions in order to make sure that your site is serving your users.

With that, that is podcast episode 71 of Think Like a Hacker. Thanks for listening. If there is anything that Wordfence can do in order to support you during these very strange and different times, please, please reach out and let us know what we can do in order to be of service. We have been a remote team since our inception. All of us have our methodologies and procedures in place in order to be of service from where we’re at, and if things are shifting for you, please let us know how we can be of service, we’re here for you, and I just want to underscore again how important it is to take time during this experience to take care of your mental health. Your mental health is your firewall for your life. It’s going to allow you to really ascertain what you need to do for yourself, what you need to do for your family, what you need to do for your business in order to not only survive these troubled times, but to succeed within them.

If there’s anything I personally can do, reach out to me, Kathy [AT] wordfence.com. If there is someone that you would like me to bring on the podcast, let me know. And with that, we will wrap it up. Next week, we will have another episode, and hopefully even more good news to report.

Thanks for listening!
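Both Episode 71 plugin stories above (and the Popup Builder and Import Export WordPress Users stories in Episode 70 below) come down to the same WordPress pattern: an admin-ajax.php action handler that does something privileged without checking who is asking or whether the request was forged. The following is an added illustration of that pattern and its fix; it is not code from any of the plugins named in the episode. The hook names, the option name and the "custom_html" setting are invented for the example.

```php
<?php
// Added example: a WordPress AJAX handler with no authorization or nonce
// check, beside the hardened version. Hook names, the option name and the
// "custom_html" field are assumptions for illustration only.

/* --- Vulnerable pattern ------------------------------------------------ */
// Registering both wp_ajax_ and wp_ajax_nopriv_ makes the action reachable by
// unauthenticated visitors. Even wp_ajax_ alone is reachable by ANY logged-in
// user, including a Subscriber, unless the handler itself checks capabilities.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No current_user_can(): anyone who can reach admin-ajax.php changes the setting.
    // No check_ajax_referer(): a logged-in admin can be made to send this request
    // from an attacker-controlled page (CSRF).
    // No sanitization: the stored value may carry <script> that is echoed later
    // into an admin screen or a front-end popup (stored XSS).
    update_option( 'example_custom_html', wp_unslash( $_POST['custom_html'] ) );
    wp_send_json_success();
}

/* --- Hardened pattern --------------------------------------------------- */
// Only the authenticated hook is registered; with no nopriv handler,
// admin-ajax.php answers unauthenticated callers with its default "0"/400.
add_action( 'wp_ajax_example_save_settings_safe', 'example_save_settings_safe' );

function example_save_settings_safe() {
    // 1. Authorization: require the capability that matches the operation.
    //    A nonce is NOT authorization; a Subscriber who can load the page that
    //    emits the nonce holds a valid one, so this check is what stops the
    //    subscriber-to-admin style escalation described in the episode.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the nonce is created with wp_create_nonce( 'example_settings' )
    //    and sent as the _ajax_nonce POST field; check_ajax_referer() dies
    //    with a 403 when it is missing or invalid.
    check_ajax_referer( 'example_settings', '_ajax_nonce' );

    // 3. Input handling: allow-list the HTML so a stored payload cannot run
    //    in other users' browsers.
    $html = isset( $_POST['custom_html'] )
        ? wp_kses_post( wp_unslash( $_POST['custom_html'] ) )
        : '';
    update_option( 'example_custom_html', $html );
    wp_send_json_success();
}

/* --- Client side (the nonce has to come from somewhere) ---------------- */
// Enqueued on the plugin's admin page; exampleAjax.nonce is then posted as
// _ajax_nonce with each request to admin-ajax.php?action=example_save_settings_safe.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings' ),
    ) );
} );
```

When auditing a plugin for this class of bug, grep for every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm that the callback starts with a capability check appropriate to what it does and a `check_ajax_referer()` (or `wp_verify_nonce()`) call; a capability check alone leaves CSRF, and a nonce check alone leaves the low-privilege-user case.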

The post Episode 71: Hackers Targeting COVID-19 Fears appeared first on Wordfence.


Episode 70: Customer Education and Agency Resiliency with Jon Bius

We chat with Jon Bius, a web developer at Biz Tools One, an agency in Fayetteville, NC, about how they use customer education to build relationships and differentiate their business. Jon has been helping customers build websites for over two decades, and he talks about how WordPress helps him empower his customers.

In the news, we cover two plugins with vulnerabilities, more cancelled WordCamps, some hackers taking advantage of the fear surrounding COVID-19, the rise of remote work, and what’s coming with full screen editing on by default in WordPress 5.4.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:05 Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites
2:18 Vulnerability Patched in Import Export WordPress Users
3:47 More WordCamp cancellations due to COVID-19
4:07 Coronavirus Maps containing malware infecting PCs to steal passwords
8:05 Remote work skyrocketing
9:27 Full screen editing mode on by default in WordPress 5.4
12:54 Interview with Jon Bius from Biz Tools One

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press@wordfence.com!

Episode 70 Transcript

Jon Bius:
You’re talking about somebody who’s from the accounting department at a local real estate company, and their whole reason for being here is they were the ones that when the boss said, “Who wants to handle the website,” they were the first ones to make eye contact.

Kathy Zant:
Hello, my WordPress friends. Welcome to episode 70 of Think Like a Hacker. Today we have some news items as well as an interview with Jon Bius. Jon is a developer at Biz Tools One, an agency in Fayetteville, North Carolina. Jon has been developing sites and retaining customers for 20 years. He has a great perspective on what makes an agency successful. So I asked him some of those questions. In the news today, we have a couple of plugin vulnerabilities, as usual. We have some hackers taking advantage of coronavirus fears, news that remote work is skyrocketing, and full-screen mode editing coming in WordPress 5.4.

Kathy:
First vulnerability is patched in Popup Builder plugin installed on over a hundred thousand sites. One of our quality assurance analysts, Ram Gall, found this one, and he worked with the developer in order to get it fixed. As for the vulnerabilities, one allowed an unauthenticated attacker, that means basically anyone, to inject malicious JavaScript into any published popup, which then could be executed whenever the popup loaded. The other vulnerability allowed an authenticated, logged-in user, even with minimal permission such as subscriber, to export a list of all newsletter subscribers, export system configuration information, as well as grant themselves access to various features of the plugin. This has been recently patched. Make sure you upgrade to version 3.64.1 immediately.

Now, Wordfence premium customers got their firewall rule on March 5th to protect against exploits targeting these vulnerabilities, and those of you still using the Wordfence free version for the community will receive the rule after 30 days, April 4th, 2020. So if you are using this plugin, make sure you are updated.

Next up, we have a vulnerability discovered by Chloe Chamberland. This affected the Import Export WordPress Users plugin installed on over 30,000 sites. The flaw she discovered allowed anybody with subscriber level access or above to import new users via a CSV file or a comma-separated values file, and that meant they could import administrative level users.

So worst case scenario, someone has their WordPress installation set to allow anyone to register as a subscriber. An attacker can then upload administrative users using CSV. Pretty slick. Now, this plugin is primarily set to work for WooCommerce. But it also works if you have a vanilla WordPress install. There’s a method of checking capabilities for WooCommerce called Manage WooCommerce. But this plugin didn’t check for capabilities for a vanilla WordPress installation. But that functionality was still there.

There are some other plugins by the same developer with similar missing capabilities checks, and these plugins are all linked on the blog post, which is in the show notes. They’re much smaller install bases, but if you’re using any of them, definitely make sure you update so you have the patch. I’m not going to read off these plugins because I will say Import, Export, WooCommerce too much. No one wants to hear that repeated six times, and I don’t know if my mouth could take it.

Next up, coronavirus. Obviously, our world is in a bit of disarray as this virus sweeps across the country. More and more WordCamps have been canceled, and a recommendation came from WordCamp Central that all WordCamps up until June consider canceling or postponing their events. Now, The Hacker News is reporting that hackers have created a downloadable .exe, executable file of the coronavirus map. Johns Hopkins University has created a map basically showing the total confirmed cases, and you can zoom in and look at specific cases around the world by geography. It’s basically a map and shows you where the coronavirus is having the greatest effect.

This was discovered by MalwareHunterTeam last week, and it has been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs. Now, this malware looks to be stealing information. Alfasi presented a detailed account of how he dissected the malware on the Reason Security blog. It’s basically looking to steal passwords. It appears to be making specific calls in an attempt to steal login data from online accounts such as Telegram and Steam.

Now, I wanted to cover the story because of something that I’ve noticed in the world. Whenever there is fear, your mind can process information, and it only can perceive and process, they say, seven plus or minus two bits of information at any given time. That’s when you are not under stress. When you are under stress, when you are in a fearful state, when your mind is preoccupied, your ability to process information and to perceive information goes down dramatically. So your plus or minus seven bits might be at one plus or minus two. I don’t know what a negative bit of being able to process information looks like, but I think we all realize that when we are in a stressful situation, when we are in fear states, our ability to make good decisions goes down dramatically. That applies to those of us in security as well as those of us in the greater society.

But those of us listening to this podcast, those of us who are aware of security, we’re aware how hackers operate. We’re aware that hackers target the most vulnerable first. They target the most vulnerable systems first and the most vulnerable people first. Now, we are going to be better set to perceive these types of threats coming. But our parents, our grandparents, our kids, they might not. Everyone facing this crisis is having their ability to perceive and process threats compromised somewhat because of all of the fear in the world. It’s up to us, those of us in security, those of us who are aware, to educate and inform and protect the most vulnerable.

So my personal advice, talk to your parents about how hackers target those of us in fearful states. Talk to them about how they’re using this fear to exploit weakness. The vulnerability and weakness is in each and every one of us. It’s in all of our family members, and the weakness is in our minds. It’s in our emotions. We can use antivirus on our computers as a first line of defense. But these attackers will take to other methods, whether it’s the telephone, SMS, or email to prey upon our fear.

I wrote a blog post on my personal site on zant.com about managing our mental security in the face of these types of crises. See, I’m old. I’ve been through both personal and societal stress before in my life. So I have methods of sort of managing that fear state by redefining what is most important to me, redefining my definition of what is secure and staying secure with that so that I can manage my own mental vulnerabilities. But that’s a whole ‘nother can of worms. Maybe I’ll write more about that later.

On to our next story, also related, remote work is skyrocketing. This article from Vox was posted on March 11th. Microsoft, Google, and Zoom are just trying to keep up with demand for their now free work from home software. All of us who have been working from home for quite some time are sharing our knowledge in various platforms, whether on Facebook or Twitter to help others who haven’t get used to sort of a new world of work, working from home or working from wherever you are. Microsoft’s Teams saw a 500% increase in meetings, calls, and conference usage in China since the end of January.

Zoom wouldn’t comment specifically on their growth in usership, but they said that at the end of January, if you took the run rate of our minutes usage at that point we were on a run rate of 100 billion annual meeting minutes, and that’s up significantly since then. Those of us working in WordPress are probably more adapted to working from anywhere. I think this is going to provide greater opportunity to help others who haven’t been in that situation adapt. We’re in a place of being able to help.

Our final news story is about WordPress 5.4 coming pretty soon. It is going to ship with the editor in full-screen mode by default. I read about this on make.wordpress.org. But I also read the article on WP Tavern about this, and they noted that while some form of full-screen or distraction-free writing has existed for years, this is the first time that it is the default experience. On make.wordpress.org, Matt Mullenweg posted, he said that, “This is on me as release lead. I’ve been meaning to get this in for a while.” He says he’s comfortable with this decision to have full screen on by default given user testing and other qualitative feedback, which he says is similar to what folks at GoDaddy have found in their testing and that the coaching is minimal. So if during the month of March they need to revert it, it shouldn’t be a problem. It’s going to definitely be a different experience.

Now, the comment on make.wordpress.org right underneath Matt’s comment says, “Nice. Very nice. I like it. But what can we do to confuse my grandma even more? She already started paying me for maintaining Gutenberg because she is in trouble with that, and I really would love to press even more money out of this old lady.” Okay. That’s hilarious. But it brings another point in. We have users across the spectrum. We have highly technical people using WordPress, and we have grandparents and moms and kids using WordPress. So having this be the default experience from the get-go may cause some confusion for users. I think that the editing experience might be perhaps easier, but once they get there, and if they’re not sure exactly how to get out of the editor once it is full screen. I haven’t played with it yet. I’m interested to see what it looks like.

Obviously, this will become a very contentious issue. What should that editor look like? What do you think it should look like? Leave your comments in the blog notes on wordfence.com. It’d be interesting to see what you think about full-screen editing coming. Now, all joking aside: yes, as WordPress users, as agencies, as people who are sort of influencers in the WordPress world, we will now have to teach other people how to navigate around a new change in WordPress. I would like to posit a different way of looking at this. Rather than looking at it as more work that you have to do, let’s look at this as a gift, as an opportunity, as a way of being of service to someone else, as a way to develop stronger relationships with your customers.

You have an opportunity, to be of service, you have an opportunity to make someone’s life easier. Let’s see what we can do with that and with me preaching at you, how you should perceive a change in WordPress. Let’s call that the news. Thanks for listening. Up next, we have our interview with Jon Bius from Biz Tools One. Enjoy.

Hi, everyone. I am here with Jon Bius. He is with Biz Tools One. It is a digital agency in Fayetteville, North Carolina. They are one of our larger customers using Wordfence for their customers. Jon and I have had a number of conversations about some of the unique things that their agency does. I thought it would be a great way to bring some knowledge about agency processes and other things to us. So Jon, thanks for joining me today.

Jon:
Thank you for having me, Kathy. I appreciate it.

Kathy:
Yeah, no problem. So give me the lowdown about Biz Tools One and what you do there.

Jon:
Yeah. We’re based in Fayetteville, North Carolina. Here in Southeast North Carolina, we’re one of the larger developers in the area, and we work mostly with local businesses in this area, everything from community colleges to plumbers to real estate agents. We do have a few websites, a few customers around the country, but most of it is located here locally. So we get to have plenty of face-to-face interaction with the clients and make sure their needs are taken care of. We tell them we’re in the handholding business, and we try to make sure that they’re squared away with their website.

Kathy:
That’s great. Now, how many customers or how many websites are you actually managing for customers?

Jon:
Right now, we’re managing close to 500 websites. About 350 of those are WordPress. We’ve still got some old holdouts from the days when we were still developing just in what I call plain HTML. But most of them now are WordPress. We also do the local school system, which is a WordPress multi-site install, and it has about 150 installations on that.

Kathy:
That’s incredible. Obviously, you have all these customers who have different business needs. How does WordPress help you meet those types of business needs with… Do you have certain plugins that are your go-to or certain themes that are your go-to tools?

Jon:
Yeah. Well, one of the things that I think really… When I got here, they were not doing WordPress. I got to this company in 2010 that I’m at now, Biz Tools One, and I had been using it. I started saying, “We might want to look at this. We might want to look at this.” As we started migrating to it, I started showing that the ability to re-theme a website, to have backups through the database, to start off with a fairly stable platform from the very beginning that allowed us to train clients to handle their own sites. Previously, we had been working with clients and training them on a program called Adobe Contribute, which required them to purchase some software, and there was a whole lot of hoops you had to jump through to get that hooked up.

When I started showing my boss, the company owner, “Hey, here’s what you can do with WordPress,” the benefits all around worked for us. He saw it immediately, and we began moving customers onto it because the speed with which we can deploy a very robust platform where the content development can be focused on was immediately apparent. Also, we don’t buy themes and use those for clients. Everything we do is custom built. I’ve never been a fan of taking an existing theme and modifying it even with child themes because every client we’ve ever tried that for, they said, “Yeah, but I want this, and I want that, and I want this.” By the time we put in the development, we’ve spent enough hours that we could just say, “Okay. Let’s just write our own theme for it.” So everything we do for the most part is custom made.

Also, you’d mentioned plugins. I am paranoid about security. So I try to really limit the number of plugins we use. We do have a default set that I like, Wordfence being one of them. But I try to limit the number of plugins we have so that it reduces, I guess you’d say the attack vectors that we have to worry about because stability and security are the two biggest things in my mind when we’re setting up a website for a customer.

Kathy:
Yeah, definitely. Now, I would imagine that having to custom-theme everything takes more time. Doesn’t it?

Jon:
Not really. Because for instance, we can show a customer a theme, and they can say, “Yeah, I like this. But I want to add this over here, and I want to take this away over here, and I want to slide this round over here, and oh yeah, I need this functionality built in. So we need these custom posts built in, and we need some other things.” By the time we end up modifying an existing theme and putting in all the plugins that it takes to get what they want, we’ve found that we’re just as well off to get them exactly what they want. By not having to use so many plugins or existing themes, I think it reduces the vulnerability overall.

It’s worked for us because when… We’ve had clients that have come to us from other places. They would pay just huge sums of money, and they would not be happy with, say the agency they’re working with because they weren’t getting the kind of attention they wanted, and they would come to us, and they would go, “I paid $10,000 for this 12,000, 15,000, 20,000 dollars for this.” We would look at it, and we would kind of laugh and go… They bought an off-the-shelf theme for $90 and did a child theme that took a couple of hours. But the client wasn’t happy with the site, and it wasn’t unique for them. Now, the client’s unhappy because they’ve spent a lot of money. That’s not what they want.

Here in Fayetteville, if we told people… if we quoted Atlanta prices, Charlotte prices, those kinds of things, they would have a heart attack, and we can do development for a lot less, deliver them a custom-built website. We’ve been around for 19 years, and we’ve been having growth every single year. So it’s kind of a formula that we found works, and we stick with it. And we have tried. Let’s get some off-the-shelf themes and work with those. They look okay. But I mean, literally every single time, the client goes, “Well, we also want to do this. We want to do this.” We continue to develop, and we have to start tweaking on it. At some point, we realized, “We’re putting in enough hours that just doing it custom works well.”

Now, when I say we do it custom, it’s not like we start off in Notepad every time with a blank page and just start coding PHP. There’s already some framework that we have that we use. I guess in a way, it’s almost taking our own theme that we’ve developed and doing a child theme of it in WordPress terms. So we’re not just starting from absolute zero each time. But we do find that just let’s give people a custom design, and they really like it.

Kathy:
It sounds like that custom design gives you greater flexibility in the long run and that that flexibility is what actually ends up working better, not only for your customers but for you, too?

Jon:
Oh, yeah. Yeah. We’ve had customers come to us that an existing developer would have done their site for them and used the method that most folks do. I understand why most folks do it. But they would take a pre-built theme. They would do a child theme, and the customer would come to us and go, “Look, I’ve been asking him for this and for this and for this.” Clients had told us that either their agency would say, “That’s not possible. We can’t do that.” Or they would try to do it, and it didn’t work out. We want to be able, when somebody comes to us and says, “Well, I want to do this, and I want to do this, and I want to do this,” to go, “All right, not a problem.”

What I tell clients is the only two limitations there are are time and money. Sometimes people ask us for something, and we go, “Yeah, that’s going to be 25 hours, and here’s how much that’s going to cost.” They’ll go, “Oh, that’s a little more than I wanted for that functionality.” But then we’re usually able to go, “Okay. 25 hours might get you the 100% solution. Here’s a 90% solution for 10 hours. Then here’s something you can use native to WordPress to get you a 70% solution, but it’s already baked in, and you can do it yourself.”

So it gives us a lot of flexibility, and because we know the underlying code, we know exactly how the site is built and what it’s going to take to change it and make it do what we want. Clients love that.

Kathy:
Yeah, I bet. Now, does WordPress give you a competitive advantage in the market?

Jon:
Oh, absolutely. When a client comes in, so I think they come in, and they say, “I just need a simple shopping cart.” They want to get up and selling quickly. We can get them into a custom look with WordPress and get them exactly what they want. I’ve used other CMS platforms. I don’t do it as much anymore, but when I used to get into the developer forums a lot, and I would see all the arguments between WordPress and all the other platforms that compete with it, I’d always come back and go, “You can say what you want, but WordPress just beats the pants off of them.” The rate of development, the richness of the community that’s out there, the richness of the ecosystem that supports it and all of that gives us the ability to deliver a website that a client can manage.

Because a lot of the agencies that we’ve dealt with, when clients bring us a site, a lot of times I think, and this is one of the weaknesses in our industry is people tend to think in terms of, “Okay, if I’m going to do it for this business, it’s going to be someone who’s familiar with the web that’s going to be handling it.” But in our experience, it’s Sally from accounting or Bob from purchasing, and they’re not happy with Microsoft Word. They hate using that. So when I can bring them in and train them and show them, “Look, you can manage your website, we make it as simple as possible.” We use pages like crazy so that they know that, okay, this block on their home page, you just go to a page and edit that, and it changes the text.

It gives us the ability to deliver something. I’m sitting in the room we train in, and I bring people in this room, and I’ll point them to the big screen, and they’ve told me dozens of times, “Well, I don’t know anything about computers, I’m scared of this.” I’m like, “Don’t worry about it.” By the end of the class, they go, “This isn’t hard at all.” We don’t advertise. Everything we get is word of mouth, and the thing that keeps driving it is that customer service, that we not only build them a website, we train them how to use it, and that’s one of the differentiators, I think, for our business.

Kathy:
That’s really brilliant actually. So do you feel training people using Gutenberg is becoming easier now?

Jon:
Yeah. It’s definitely becoming easier because the old way, I had it down. I mean, even to the stupid jokes that I made in the middle of a training session, it was always the same. When I started doing Gutenberg, I kind of sat by myself one time and gave an imaginary training session, as crazy as that sounded. But I wanted to go, “Okay, how am I going to train this?” The first few times I started doing it, especially because it was constantly evolving, there were some periods that I would find myself saying, “Okay, now to do this, you do this.” Then I would go, “Wait a minute. It’s changed in the interface. It’s moved. It’s been relabeled.”

Now that it seems to be a little more stable and I’ve done it more often and I’m using it, I think what’s helped is I’m using it in my own personal use of WordPress. I’m now able to say, “Okay, let me take all the tasks that I used to train people on in the old system, focus on the tasks and ignore the interface.” That has seemed to be the path to success because nobody sits here and looks at it and says, “Well, that doesn’t look like Microsoft Word.” I just tell them, “Here’s something you’ve never seen before. Here’s how you do it.” I finally did one the other day, and I got finished. The two questions I always ask people, I say, “Do you have any questions about anything I’ve covered, or did you come in with questions that I have not answered?”

The client that I was training, they said, “Nope. Nope. You’ve covered it all, and this seems real easy.” Inside I said, “Yes. Okay. Now, just remember what you did and repeat this every time.”

Kathy:
Yeah. Exactly. It sounds like training and really kind of being sort of the IT and WordPress specialist for your customers is what makes Biz Tools One successful.

Jon:
Yeah. Yeah. I hear my boss when he’s doing sales calls, he tells people, “We’re in the handholding business.” Because I don’t know anything about real estate. I don’t know about plumbing. I don’t know about being an educator or a dentist or any of those things. That’s why I go to those people. They come to us because they want a website. When we ask people, “Well, what do you want on your website?” Nine times out of 10, they go, “I have no idea.” So everything from helping them decide what needs to go on the website to working with them on the basic verbiage to training them, setting up emails.

There’ve been plenty of times that I’ve sat in here with clients and essentially given them a condensed marketing plan for how you use your website to generate revenue either directly or indirectly and how you tie it into your social media campaigns and how you tie it into this and how you do that. Because most of them don’t know. We try to give them the straight scoop.

Kathy:
Talk to me again about… We talked a little bit about security. How does security and sort of using Wordfence, how does that help your agency?

Jon:
Yeah. Well, one of the things that I think helps with our security is I’m paranoid. I come from a military background. So thinking in terms of security is not new to me. Understanding that there’s always a threat out there and having seen it real-world, it’s easy to translate it into the digital world. Plus at a previous job I had, I worked with a guy who is, in my opinion, the best IT professional I’ve ever worked with, and he taught me so much about security and showed me, “Okay, here’s 20 different ways you can get into a web server that…” He wasn’t doing it illegally.

I mean, we would just set up a testing environment. He would show, “Okay, lock it down, and let me show you what you can do.” When I started seeing how vulnerable systems are, even when people think they’re doing a really good job with doing those, securing those, how vulnerable they can be, when we started getting into WordPress and we started early on seeing some security issues, that’s first when we found Wordfence, and we immediately saw the benefits that it had. But we translated it into everything we do.

When clients say, “Hey, we want to use this plugin,” we examine the plugin. If it doesn’t meet a certain criteria that we think is going to make sure that it’s secure, it’s being continually developed, it’s got a good user base, we tell them, “Look, we’re not able to do it.” Now, we’ll give them an alternative. We’ll say, “Hey, we can bake it into the theme this way.” But every single thing we do has to pass the security test. Even the hosting platforms that we’re on, we try to make sure we’re really on some good stable platforms.

I will say this. You would expect me on a podcast like this to brag on Wordfence, but I say it truthfully. We had for the longest time been using the free version, and it worked well. But you remember, we had some issues with some sites that there was an exploit that came in that if you were on the free version, you didn’t immediately get all of the updates to protect against it. It really created some issues for us. I went to my boss, and he didn’t argue with me. I said, “We need to get paid licenses for everybody.” I think we bought like 200 at one time. But that has been a great, great benefit to us.

Now, from an agency standpoint, it’s easy to pass that cost along. You can roll that into a security package. It can include SSL and the hosting that you’re on, assuming you’re on some good secure hosting. But Wordfence and then just a very strict stance on security has helped us be as secure as possible. But we also recognize you’re never absolutely secure. I’m always paranoid whenever a client contacts me and says, “Hey, something’s weird about my website.” It may just be that they put in a photo wrong, and it’s stretching out the page or something. But I go in and I go, “Well, let me make sure nothing weird is going on.” So it’s baked into our DNA on everything we do.

Kathy:
Yeah. Well it sounds like the whole attitude that you guys have of let’s make sure that this website works for this customer, and if that means we have to educate this customer and teach them and go the extra mile and handholding them, we’re going to make sure this website works for them and then that security, sort of like the piece of or the cherry on top of the cake of that customer attention that you’re giving of just making sure that… Because nobody expects that their site is going to get hacked. Yet there’s hackers out there all the time targeting it. It’s up to agencies like you and security professionals like me to make sure that those people who don’t know are educated and that they do know that there are risks out there, but that we’ve got their back, right?

Jon:
Yeah. That’s one of the things that I love about Wordfence is sometimes clients will say, “Well, you’ve got this annual security fee that we pay. What does that really do?” All I show them is the log of who’s trying to hack into their site.

Kathy:
Really?

Jon:
I just go, “Look at this. Do you see this? Do you see how many intrusion attempts there were today?” They go, “You’re kidding me.” What people don’t understand is when they think hacking, they think Hollywood. They think, “Why would anybody hack into my website as a real estate agent or as a dentist?” One of the things we train them on is why sites are hacked. I tell people, “Look, we love you as a client, but the hackers don’t care about you. They don’t care about what you’re doing. They’re not trying to get your stuff. They’re trying to use your platform, and they’re looking for vulnerabilities.” Because a lot of times people think, “Well, I don’t need this because who would hack me?”

Well, it’s not YOU they’re hacking. It’s the machine. They want to use the machine. When we start educating them on what happens, after a while they either get it or they go, “Well, I don’t understand this, but I trust you then.” Then that’s long-term. They know we’re looking out for them. We do it in more than just, say, Wordfence and other software. When we set up emails for people, we pound into their heads about secure passwords. When people leave a company, we talk to them about, “Okay. You might want to consider changing your passwords.” If they say, “Well, we want three people to share our account on WordPress.” “No, no. You need three different accounts.”

We don’t give people administrator access. We give them the minimum rights necessary to do just what they need to do. They see that in everything we do. It’s sometimes just kind of funny. I’ll have clients call me up, and they’ll go, “Hey, I need to change the password on my email or my WordPress site.” I always ask them, “Well, what would you like it to be?” I had one the other day who mentioned the street that their business is located on and then one, two, three, four. I have known him long enough, and I said, “Are you really bringing that password to me?” They kind of laughed. They said, “I’m sorry. Is that not a good one?” I said, “If you ever ask for a password like that again, I’m going to give you a 256-character password.”

But I try to educate them on what makes a good password. Again, it gets to that service thing. But as a small business, I mean, there’s only three of us here. There’s three of us that manage 500 websites, 350 or so of which are WordPress. We can’t afford for things to go wrong. So I want them to think about secure passwords, to think about these things, because it helps our platform to be more stable and reduces the number of phone calls that I get and problems we have. Because if you’ve ever seen a place get badly hacked, I mean, just files being deleted from the server, it’s ugly.

Kathy:
Yeah. I’ve been there.

Jon:
It’s a helpless feeling. We were talking to one of our clients, and I won’t go into too much detail about who they were, but they were a large entity, and their entire network was hacked, I mean, to the point they were having to buy new computers. It wasn’t anything we did. I mean, it was an internal thing. But just to watch the meltdown they had, it was awful. So we really try to get people to understand this is important stuff. This is not something that is just in the movies or doesn’t apply to you because you’re a small business. Security is a big deal.

Kathy:
It is. One of the benefits that I think you have that I’m sort of jealous about, because I get to talk in these broad strokes of, like, use two-factor authentication, use strong passwords, and it’s very general, and it’s just good security advice. But you get to contextually walk a customer through, “Hey, you’re doing this right now.” You get sort of those natural consequences. I mean, you could tell your kids, “Say no to drugs.” But wait till you’ve got a kid who is having a challenge at school right then and there, and it’s like you have a very contextual learning experience that you get to show your customers, “Here’s a security issue right here, right now that we’re going through, and I’m going to help you through that.” So you get the benefit of them really having a positive learning experience with you that they’re going to remember.

Jon:
Yeah. Yeah. I’ve told a few people, and I’ve said, “Understand, if we run into security issues,” to put it in the terms you just used, “You’re going to have a negative learning experience, and then you’re going to have a positive learning experience.” Because there are times when we will find a problem, and we’ll go through it, and we’ll get it resolved, and then we’ll kind of do an after-action report to see what happened. There’ve been a few times that a customer would go, “Okay, what happened?” I’d say, “Well, you know your password that you changed three weeks ago, even though WordPress accepted it, you didn’t go all green. If it’s not all green, it’s not all good, and somebody would think of that password.”

Or somebody would use the same password on all of their stuff. When you demonstrate to them what can happen and show them and can give them real-world experience, I mean, this is not WordPress related, but ransomware, a few years ago, it was huge, and there are still problems with it. We’ve talked to clients about email security and ransomware. We actually had one client that called up and said, “Well, how do I…” The first question they said was, “What’s Bitcoin?” I said, “Why are you asking about Bitcoin?” They said, “Well, how would I know if I got this ransomware stuff?” I talked to them, and come to find out they had gotten hit.

So I started asking them some questions about backups and things like that, and they were talking about, “My computer’s locked up.” They said, “I know it must’ve been from this one email I got because I forwarded it to one of my coworkers, and her machine’s locked up now, too.”

Kathy:
Oh, no.

Jon:
So I can, I can talk to customers, and a few of them will call me and go, “Okay, Jon. You’ve gotten me paranoid enough that I got this email in, and I’m not touching it.” I’ll ask them some questions about it, and I teach them because they’ve heard those stories, and they know how devastating it can be to their business. But if they just take a few simple steps. It’s the same way with using WordPress, and Wordfence is one of those simple steps. How hard is it to install the plugin? Yeah. You got to pay the license fee, but how much more does it cost to get hacked and have to deal with that and potentially lose the client rather than, “Okay, we’ve got something here that works.”

Kathy:
Because of that and because of these new threats and because of the ransomware and the phishing and everything, it is a constant battle to just educate everyone that you can that these threats do exist and how to identify them and protect themselves because it’s really the weakest link in any security is going to be, it’s going to have a heartbeat rather than a plug. It’s always the humans.

Jon:
Right there on the front lines, y’all are on the front lines of it, but the agencies have to be right there shoulder to shoulder with you because again… But for obvious reasons, I sound like I’m tooting our horn, but I think we do a good job. When we take over websites from other agencies, and these are not fly-by-night kind of agencies. We had one recently that we took over, and if you go to look at the agency’s website, it’s all bright and happy, and man, they had taco Tuesday, and you know, they leave early on Friday, and they’ve got the ping-pong room, and everybody’s got these creative names for their job titles and all of this stuff.

When we made a copy of their site, put it on our server for analysis to see whether we could use it or whether we had to rebuild it or whatever, it was several versions outdated. WordPress was several versions outdated. There were 56 plugins installed on it. Some were active, some were not. Some had been out of date for two and three years, no longer in development. We had to look at it and just basically say, “You know what, we’re going to mimic the design because we had the rights to do so. We’re going to mimic the design, but we’re just going to basically rebuild the whole house and just make it look like the old one.” It was from an agency that if you looked at it, and you read their stuff, you would think, “Man, they should know what they’re doing.”

But sometimes people get lazy about security, and they’re more focused on, “Okay, let’s get this one done. It looks good. We can put it in our portfolio and move on to the next one.” But the way we try to approach it is, if that website still isn’t performing for the customer, and if the customer isn’t happy with it two years later, then we’ve failed. One time my boss asked me, he said, “Have you ever been happy with any website we’ve taken over?” I had to tell him, “Not so far.” It’s been dozens and dozens and dozens. But it’s just simple stuff that we have to pay attention to for the client because they don’t know this stuff. When it comes down to just something as simple as saying, “Okay. They need this functionality. A plugin is appropriate for it. Here’s this plugin that we could use, and here’s this other plugin that we could use. Which one is the most secure, and which one is more actively developed?”

If it means telling the client, “Yeah. We could use that free plugin you suggested, but you’re going to get a safer, better experience if we spend $39 on this other one,” then we need to insist on that for their behalf.

Kathy:
Well you are sort of the tour guide for WordPress for the customer, and they rely on that expertise. So for them to have… I think if I was going to develop a website or hire an agency to develop a website because I don’t have the bandwidth for that, I would talk to you guys because you’re definitely covering not only the security bases but the SEO bases and the foundations that any small business needs in order to be successful so that they can focus on growing their business in the real world, and you guys kind of take care of that online world and make that easier for them.

Jon:
Yeah. Yeah. Because, well, there’s so many voices competing. I mean, we get people in all the time, and they say, “Well, I see this thing from this hosting company that I can do this for 3.99 a month, or I can do this for free. Why would I pay you several thousand dollars to do it?” We can go through and show them all of these things. I mean, a list of things as long as your arm, here’s what we’re doing. There have been a few times that people would say, “That all looks really good, but I’m going to go off, and I’m going to do this myself for $3.99 a month because the guy that I talked to on the phone that’s trying to sell me a domain name and cheap hosting said it’s easy and anybody can do it.”

Quite often, we hear from them six months later, and they go, “It just isn’t working.” Because the analogy I use, it’s kind of like modern cars. You no longer have shade-tree mechanics like I used to see when I was growing up. You’d pull up your car, and some guy with a greasy hat on would dig up under it and say, “Well, it’s your carburetor there, bud.” Now, car repair is an IT job. They do all these computer diagnostics, and I tell people you wouldn’t go buy some off-the-shelf piece of software that says for $3.99, you can diagnose and fix your car. You wouldn’t do it. Your website is as complicated as your car’s engine. If you want to do this, understand the job of web developer is a real job that requires real knowledge and real experience.

We feel like we can… Between my boss and I, we’ve got close to 45 years’ experience. I’ve worked on, built, developed, managed, whatever you want to call it, over 2000 websites. He’s probably done as many. So when somebody says, “Well, I think I can do it myself for 3.99,” he’s more of a diplomat. He’ll continue talking about, “Well, here’s the advantages we bring to the table.” If I’m to him, I just go, “All right. Hope it works out for you.” Because I don’t know what else to say.

Kathy:
Yeah. Yeah. That is definitely a tough one. But it sounds like being able to educate them and get them to the point where they can let go of the places where they’re not experts and let the experts do what the experts need to do and be better off for it, sounds like you guys are perfectly set up to do that kind of education and training. So that’s always a positive.

Jon:
Yeah, absolutely. It’s what we’ve built the business on really because we’ve… My boss, he’s owned this business for 19 years, and I came along 10 years ago. So he had built that foundation. The experience I brought in and bringing in, let’s focus on WordPress and security and some other things, it’s just really been a good combination. But it could be replicated anywhere. We’re not doing anything… I think part of the reason that I don’t see it as often is it’s not something that’s flashy or sexy or has a cool title to it. But just bringing somebody in and going, “Look, here’s how you insert a gallery, and let me make sure you can do it. If you continue having problems, call me, and I’ll talk you through it on the phone. I’ll send you some screenshots in email.”

Jon:
That’s the hard work down in the trenches day-to-day that keeps people with you for year, after year, after year, and they tell their friends about it. People call us up and go, “Hey, so-and-so told us about you. What can we do for you?” Because I feel like if we can get in front of somebody and show them what we bring to the table, we can get anybody’s business. It also means, at the same time, knowing when it’s too big for you, when it’s too much for you. That’s a thing that I see some agencies do that we try to avoid. We’ve had clients come to us, and they would say, “Here’s this really big project.” Yeah, there could be a lot of money in it, but we would go, “You know what, that’s not the core business we focus on.” We’ve told people, “You know what, we appreciate you thinking of us, but we’re not going to bid on this because here’s why.” They appreciate that.

Kathy:
Yeah. Yeah. It’s important to know your capabilities and your limits and what you can handle.

Jon:
Yeah. To quote that great philosopher Dirty Harry, “A man’s got to know his limitations.”

Kathy:
Definitely. It’s looking like we’ve hit our limitation of an hour. But Jon, I’m so grateful that you took an hour out of your day to talk to me today about what Biz Tools One is doing and all of the knowledge you’ve picked up over the years. I think a lot of people who are in the WordPress world helping other clients or helping their clients develop WordPress websites can learn a lot from this. So thank you so much. If somebody wanted to connect with you, where could they find you online?

Jon:
Yeah. If you just go to biztoolsone.com, we’re right there, biztoolsone.com. Like I said, we focus locally, but we’ve got clients across the country. So if anybody does want to talk either from a, “Hey, they want to engage us for something like that.” Or if somebody just wanted to contact us and ask for me and say, “Hey, we’re considering Wordfence. What do you think of it?” I’ll tell them all about it.

Kathy:
Awesome. Well, appreciate that. Thank you so much.

Jon:
Thank you for having me. I appreciate it.

Kathy:
We hope you enjoyed this episode 70 from Think Like a Hacker. We would love to have a review from you. If this podcast has helped you in any area of your life, any area of your business, has helped you understand WordPress security or innovation in a new way, leave us a review wherever you’re listening to Think Like a Hacker. Contact me on Twitter @Kathyzant or kathy@wordfence.com. We’d love to hear from you, and we will talk to you next week. Thanks for listening.



Episode 69: The Meteoric Growth of Elementor with Kfir Bitton

On February 26, WordPress page building platform Elementor announced that they had received $15 million in venture funding. After topping 4 million installations of their plugin in January, it appears that Elementor is on a path to do some big things with WordPress. This week, we chat with Elementor CRO Kfir Bitton from his office in Tel Aviv, Israel about how Elementor grew so quickly, what’s next for this plugin-turned-platform, and how Elementor strives to give back to the WordPress community.

Of course, we also have a few news stories including how COVID-19 is affecting WordCamps, the Let’s Encrypt domain control validation bug, and the coupon creation vulnerability in WooCommerce Smart Coupons.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:55 The effect of COVID-19 on WordCamps includes Wordfence’s decision to suspend attendance, followed by others, and a statement from Josepha Haden to embrace the local nature of WordCamps, as well as a post discussing livestream support.
4:40 Let’s Encrypt certificates revoked due to a domain control validation issue.
6:20 Coupon Creation Vulnerability Patched in WooCommerce Smart Coupons
8:15 Elementor Kfir Bitton interview


Have a story you’d like us to cover? Let us know! Contact us at press@wordfence.com!

Episode 69 Transcript

Kfir Bitton:
You have Elementor helping you build websites quicker, but then if you want to make your own custom poetry, you need to go and write your code or add code, you can do it.

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Kathy Zant. I am Director of Marketing here at Wordfence. This is episode 69. We have a few news stories of note this week and an interview with Kfir Bitton, the Chief Revenue Officer at Elementor. I ask him how Elementor has taken the WordPress world by storm. That plugin is now installed on over four million WordPress websites. I also ask what the $15 million in funding they received last week means for their users. I hope you enjoy that interview, but first, the news.

Our first story is about COVID-19, or the Coronavirus, affecting so many people worldwide right now. On Sunday, March 1st, Wordfence CEO Mark Maunder released a blog post explaining our decision to cancel attendance at WordCamps during 2020 or until we see a change in the trajectory of infection with the Coronavirus that’s affecting so many people. Obviously, WordCamp Asia was canceled because of this virus. WordCamp Washington DC, WordCamp Geneva, Switzerland, and the WordPress retreat in Soltau, Germany have also been affected. On Wednesday, March 4th, Josepha Haden, Executive Director of the WordPress project, posted on make.wordpress.org, “Encouragement for WordCamp attendees to minimize WordCamp travel and for WordCamp organizers to embrace their local nature.” On Wednesday afternoon, Adam Warner also announced via Twitter that GoDaddy would be suspending travel temporarily as well.

We were a gold level sponsor of WordCamp Miami. We were hoping to participate in the game show, which is a big part of WordCamp Miami and something we were very much looking forward to. Our team was incredibly sad not to attend this event. It was excruciating to join in on Twitter and see everyone having such a great time connecting. In hindsight, however, as we’re seeing the trajectory of this virus’ spread, it does appear to be the right decision.

Now, we want to be abundantly clear. This in no way means that Wordfence is pulling back from the WordPress community. Our rationale is exactly the opposite. Now we’re security professionals, some call us security nerds, you can call us that, too. We’re looking out for the security of everyone in WordPress and even our communities beyond WordPress. We’re looking out for the least of us, for those of us with immune issues, those of us who would be hardest hit by this infection by ensuring that we’re not on planes or at events contributing to the spread of this virus. We’re hoping to protect our friends and our family, to protect grandparents and parents, and the least of us throughout communities. We will see you again. I’m certain I can promise that. We just feel there is a moral imperative to protect those who have less access to healthcare, who stand to suffer the most, and of course we encourage you to make the right decision for yourself, but we also ask that you consider others in doing so. And of course WordPress is not the only community affected by this.

There have been larger conferences around the world that have been canceled, but I think there are opportunities here. Now, if you’re listening to this podcast and you’re involved in WordPress, you are one of us. You’re one of the leaders in digital technology that connects people and helps to share information. How can we leverage what we know and what we can do to help others, those who don’t have those capabilities with WordPress, what can we do to share our knowledge and to encourage that the internet can help keep those connections alive online? How can you be of service when the world needs us most? I think there’s some opportunities we can explore here and with that I will link a discussion on make.wordpress.org about how they are trying to foster that kind of connection as well. And with that, let’s just hope for a fast resolution to this worldwide health crisis, and we hope that you stay safe.

Our next story: Let’s Encrypt, the certificate authority that is securing connections between web servers and browsers worldwide, announced that three million TLS certificates needed to be revoked due to a certificate authority bug. This was about 2.6% of active certificates, and it came about due to a flaw in the way domain control validation processes worked. Details are on our blog, and if you’re affected by this, you probably already know; either your hosting provider or Let’s Encrypt has already contacted you. The biggest issue would be security warnings on your site to your site visitors that the connection wasn’t secure or that the certificate was no longer valid. Now at this point, the biggest question some folks have had is whether or not this means that Let’s Encrypt is not a good certificate authority. Our position is that what they’ve done is exactly how you want a certificate authority to act. They’ve acted with complete transparency and with honesty. They’ve rectified the situation, reported it themselves, and even provided tools that allowed people to determine if they’re affected.

Now, if you’re listening to this podcast, you’re aware that bugs and vulnerabilities happen in software development. And certificates are about trust, and you want to ensure that the certificate authority that’s issuing those certificates is acting with integrity and honors the trust that we place in them. We just wanted you to be aware that this was happening and hope you were not affected by this bug.

Our last story is about a coupon creation vulnerability patched in WooCommerce Smart Coupons. This is a premium plugin, and our estimate is that about 90% of the installs of this plugin on WordPress sites worldwide still have the vulnerable version running. Wordfence Premium users have a firewall rule on their sites right now protecting them, but free users, people who are still on the free plugin, won’t receive that rule until March 25th. This vulnerability allows an attacker to create a coupon that could be utilized to obtain free merchandise. I wanted to highlight this because this vulnerability is due to improper access controls. If you’re developing WordPress plugins and themes, validating user capabilities needs to be done for any privileged activity. Hooking code into functions like admin_init or attempting to secure functionality with is_admin checks is dangerous and ineffective.

If you need more explanation about this, look for Ram Gall’s talk from WordCamp Phoenix. It’s on our YouTube channel, and he explains how numerous plugin vulnerabilities can be attributed to developers not effectively using these. For more information, there’s a link in the blog post on the coupon creation vulnerability patch that links to the WordPress codex entry for current_user_can, which will assist you in making your plugins more secure. And with that, we are done with the news. Next up is my interview with Kfir Bitton from Elementor. We hope you enjoy.
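As an added illustration of the access-control point made in the news segment (this is constructed example code, not code from WooCommerce Smart Coupons, Wordfence, or the podcast), the weak pattern of guarding a coupon-creation handler with admin_init and is_admin() is shown beside the hardened form that checks a capability with current_user_can and verifies a nonce. The function names prefixed example_ and the form field names are assumptions; manage_woocommerce is the capability WooCommerce grants to shop managers and administrators.

```php
<?php
/*
 * Added example, not the plugin's own code: why admin_init and is_admin()
 * are not access controls, and what a capability-checked handler looks like.
 */

// --- Weak pattern: relies on admin_init + is_admin() ---------------------
// admin_init fires on every wp-admin request (admin-ajax.php included), and
// is_admin() only reports that an admin-area URL is being served. Neither
// says anything about WHO is making the request.
add_action( 'admin_init', 'example_weak_create_coupon' );
function example_weak_create_coupon() {
    if ( ! is_admin() || empty( $_POST['example_coupon_code'] ) ) {
        return;
    }
    // Any authenticated user, regardless of role, reaches this point.
    example_insert_coupon( sanitize_text_field( wp_unslash( $_POST['example_coupon_code'] ) ) );
}

// --- Hardened pattern: capability check + nonce --------------------------
add_action( 'admin_init', 'example_secure_create_coupon' );
function example_secure_create_coupon() {
    if ( empty( $_POST['example_coupon_code'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage the shop may continue.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to create coupons.', 'example' ), 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    for this action; check_admin_referer() dies on a missing/invalid one.
    check_admin_referer( 'example_create_coupon', 'example_nonce' );

    example_insert_coupon( sanitize_text_field( wp_unslash( $_POST['example_coupon_code'] ) ) );
}

// Hypothetical helper shared by both handlers: store the coupon as the
// 'shop_coupon' post type that WooCommerce uses.
function example_insert_coupon( $code ) {
    return wp_insert_post( array(
        'post_title'  => $code,
        'post_type'   => 'shop_coupon',
        'post_status' => 'publish',
    ) );
}

// Form side: emit the nonce field that the hardened handler verifies.
function example_render_coupon_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_create_coupon', 'example_nonce' );
    echo '<input type="text" name="example_coupon_code">';
    submit_button( 'Create coupon' );
    echo '</form>';
}
```

The capability check is what actually enforces authorisation; the nonce only stops cross-site request forgery and is not a substitute for it.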

Hi everyone. This is Kathy Zant with Wordfence and this is Think Like a Hacker, and today we have a treat talking to Kfir Bitton who is the Chief Revenue Officer at Elementor. Kfir, thanks for joining me today.

Kfir Bitton:
Hey, thank you for having me.

Kathy:
You guys have some interesting news in the last week, huh?

Kfir:
Yeah, actually exciting times for us. We actually announced a few days ago about our funding that we’ve got from the amazing partner that we hooked up with, which is Lightspeed Venture Partners. Really exciting days for us taking Elementor to the next step.

Kathy:
Yeah, you guys got what, fifteen million?

Kfir:
Yep. That’s the number.

Kathy:
That’s a big number. So I’m expecting you guys are going to do some pretty big things with that.

Kfir:
So actually we have a very packed roadmap almost in every probably aspect in the business. Some of them related to how we scale a business. How we grow up as a company, how we take our roadmap in terms of the product and services that we want to give our user base and take it to the next level. How we do it better, how we do it faster. So lots of things very interesting and challenging ahead.

Kathy:
Excellent. Now Elementor, you guys have not been around that long, but you’ve had this sort of meteoric growth. Can you kind of give for anyone who has been living in a cave somewhere, doesn’t know what Elementor is. Maybe we should give an overview of what Elementor is and just kind of the history of the company and how fast you guys have grown.

Kfir:
So really quickly, Elementor is the leading website builder platform for professionals on WordPress. We serve professional web creators, as we like to call them, which are developers, designers, and marketeers. And we launched Elementor at around 2016, so not that long ago. And I think the most important thing Elementor achieved, which is mostly by the two amazing founders Yoni and Ariel, is that they’ve hit the nail on a very critical pain that exists within WordPress users, specifically ones who want to build websites, and that is allowing them to have a website building editor, which is a gift for their pains, whether it’s going to be design ones or just removing the friction of having to write code on an open source platform, which is WordPress obviously.

Really quickly after June 2016 where Elementor was launched, the company was actually founded the year before that. I think the first milestone was I think April 2017 where we’ve hit 100,000 websites built on Elementor. The first one million website built on Elementor was July 2018 and then really quickly surpassed the point of four million websites in January 2020, really a hyperbolic curve of growth. A lot of it comes from the product-market fit, the community, which is I think our greatest claim to fame. We love the community and we get a lot of love from the community. So I think these are the two things which really stand out.

Kathy:
Yeah. So how did you introduce Elementor to the community?

Kfir:
So Elementor had several points of evolving at the beginning. So I think at the beginning Elementor went out as only the core. So there wasn’t a pro version I think for six months. And the way Elementor emerged is because Yoni and Ariel, both of them were WordPress community members, active community members, years before that. Both of them together founded an agency where they built websites for others, just like the rest of our users and customer base of Elementor. So they really had this pain of trying to figure out how to build websites and stay profitable. The margins were really low. They were running after the tail, trying to catch up with getting the next project, the next business that they’re going to build a website for, in some of the cases actually maintaining the website and helping them do tweaks and amendments and extensions.

Kfir:
But it was the same thing all over again. With every website that they built as an agency, they encountered the same problems of setting up everything from scratch, doing a lot of the same work again and again without the ability to scale the operation in terms of effort and profitability. And then they said, “You know what, let’s build a tool which is going to help us become more efficient.” So they built their first tool for themselves, they actually called it Pojo at the time, and they built their own tool and then they said, “Okay, maybe we can, let’s have other people enjoy Pojo.” So Pojo was out and then Elementor, they decided to build the rental ended to extend it. I’m not going to take you through every step though. But basically there was another leap day where they decided to take the product in a more extensive way and say, “Okay, let’s build a full solution, still on an MVP level.” Right?

Kfir:
So it was very lean at the beginning, and it was about allowing themselves and then others [to] build websites in a very efficient way. And then so Elementor was emerging as a call and after six months they said, “You know what? We are adding more features.” A community was being built. They were asking for lots of requests, they liked it a lot. Said, “Look, we need to scale up the operation. Let’s offer the pro version so we can basically fund the operation.” So this is how Elementor emerged.

Kathy:
Excellent. It sounds like with that initial launch that they were really looking at not only what was going to solve their own needs, but close trusted friends and close people in the community where there was already a relationship and leveraged those relationships in order to really understand their customers and their customers’ customers. Does that sound about right?

Kfir:
It sounds right. I think the thing which strikes me the most when I joined Elementor is understanding that when I’m talking to Yoni and Ariel or for that matter to any employee, which is within Elementor for years now, is that we’re not talking to our customers, we’re not talking to your Yoni or Ariel or to the other team members we’re talking to Elementor as to WordPress website builders. It’s amazing. You don’t see Elementor talking to the user and customers because you’re seeing everyone here is Elementorist in soul, right?

Kfir:
So we have a very strong connection here to our users to the level that over 70% of the features that we have deployed last year came as a request from the community. So it’s really the Pro that is shaped in many ways by the community. So we deployed I think over 280 different features in the past 12 months, and we’re excited about it because again, most of them are driven and generated by the community. So in many ways we are a part of it. So we’re not talking to, it’s not us and them talking to each other. It’s all of us together.

Kathy:
It sounds like a community-driven plugin.

Kfir:
So yeah. By the way, we want to call Elementor today a platform because I think we are expanding into, we are more than just plugin today. There is a full ecosystem around us. I think we are now over a hundred add-ons building for Elementor. So there is an ecosystem within the WordPress ecosystem and yes, I think that’s communities like the greatest thing that we actually have and we cherish it a lot.

Kathy:
That’s amazing. Now are you doing similar things to what WordPress does in terms of meetups, and how do you help someone who’s brand new to Elementor sort of understand what they can do and empower them with the platform?

Kfir:
So thank you for that question because I think that’s another key component to Elementor’s success and a lot of the work that is being invested here by the teams is that we in Elementor, we understand that there’s a lot of knowledge in building a website and as a proxy building your business as a service provider, takes a lot of effort and lots of knowledge and understanding that we provide guidance both to aspiring web creators and also as well as to advanced web creators. So that means that with every feature release we’re going to issue a video. It might be three minutes long, it might be an hour long, explaining how to use each of these features in a very efficient and simple way so that’s going to be one critical element. That’s, we call it the knowledge hub. There is a learning team here which is led by Sal, and we actually invest a lot in it.

You can see our YouTube channel with over I think 130,000 subscribers. It’s growing, I think in Israel today compared to other companies, including by the way, Wix, we have the biggest YouTube channel, which is almost entirely filled with videos and tutorials about how to use Elementor in a proper way. So having hundreds of widgets, the theme builder, the pop up builder, you need to know how to navigate it when you are starting building a website, might be even just a simple landing page. So that’s one core component in our educational or learning process. And I think as we move forward, part of our strategy is to build an academy, which is going to be a source of knowledge, not only in website building, but also in business and how to help our web creators become more successful at what they do.

The second part is understanding that there is a need on a local basis. So whether it’s a language barrier, whether it’s unique requirements that are being driven for people who live in São Paulo, web creators in São Paulo, or in Berlin, or anywhere in Asia. We actually have customers from 150 different countries. So we understand that going local and staying connected beyond our global community, which is manifested today mostly on our Facebook community, which is 70,000 strong. It’s actually a bit less, I think it’s 60,000 but then we have another 15 or 16,000 on our GitHub community. So beyond the global community, we understand that local is very important for us.

So last year I think we had over a hundred different meetups in 2019 and this year we are planning for over 500 meetups in more than 130 cities if I’m not mistaken. And that is being led by Nofar on our team, she’s doing an amazing job, and we’re getting more and more local leaders helping us and we’re supporting them. Whether it’s in funds, whether in generating knowledge for them, in finding the right venues, and just really with anything that they do, we are just there to support them. They dictate the agenda, talking about their pains. We are trying to bring insights and information to the best of our ability, but that’s a core for us to figure out in which areas there is a need for web creators, and we are going to be there.

Kathy:
And does that local outreach, does that also help you inform the product development process?

Kfir:
Yes, for sure. That’s yet another stream of information that we’re getting. So we’re talking to web creators and we understand that there are specific needs, or it’s either that they are strengthening an understanding of what we actually already know and that we need to develop or improve. We get recognition or support for specific avenues of where we want to take the products. We’re asking them. We were doing lots of surveys over there, not necessarily only within the local meetups, but generally speaking, that’s our core source of understanding shifts and trends of website building and what’s missing for them. And obviously there are the different types of persona so you can talk to the marketeer and they would highlight specific needs, and the designers would have their own needs and also the developers. So we’re actually toggling between these three areas of marketeers, developers and designers and figuring out how to best solve it within our product roadmap or services.

Kathy:
Elementor, I started using it just a few months ago. I saw your booth at WordCamp US and I was like, “Whoa, they’ve got something going on. I need to take a look at this.” So over the holidays I actually started playing with Elementor and was able to show some people that I support with WordPress who are non-technical, show them how Elementor works, and then they took it and ran with it. So the ramp up was really easy. So it’s kind of interesting that you have a tool that is, that someone technical can just dive in and use, but also non-technical people can ramp up really easily with Elementor. How were you able to sort of meet those disparate needs?

Kfir:
So I think that’s maybe where Elementor hit the nail on the head, so to speak. Its product-market fit is understanding the core pains. It’s not like just solving another… It’s not improving something. It’s solving a core pain. And the way we did it, and when I say we, it is mostly attributed to the founders because they actually built this product with their bare two hands or four hands for that matter, is that they experienced these pains, every pain. When you’re talking about website building and what does it mean, we actually have some very extensive debates here on what a website is and what’s the core definition of a website? Is it the page? Is it five pages? Is it the page with a form? There are so many ways to tweak it or to define it, and we debate on what is a webpage, or what is a website and what does it mean to build a website today and what does it mean to build a website tomorrow?

So I think the short answer is that understanding these core things is what brought this solution that caters and addresses the needs of the different type of customers, whether they are the developers or the designers. So that’s going to be the critical part. The second part is that it’s an open source. As in an open source and specifically on WordPress, if you’re a developer, it saves you time. So you don’t need to write the code every time yet again and again. You have Elementor helping you build websites quicker.

But then if you want to make your own custom approach to it, to the way you build it or the specific website where you need to go and write your code or add code, you can do it, where in most of the closed systems you just can’t do it. So I think that’s answering specifically the ones who don’t know code or are literally afraid of it, and the ones who know code and are developers at core but want to take their assets and unique proposition and bring it into realization by having Elementor as a friction-reducing platform for building beautiful websites very fast. But then if they want to make their own tweaks or bring their own valuable position into it, they can do it by moving into a code mode, so to speak.

Kathy:
Yeah, so it’s a platform that will basically support people wherever they are at on that spectrum. That’s really cool. Talk to me a little bit about what the future of Elementor is going to look like. I mean the fact that you’ve grown so fast, now you’ve got $15 million in funding, what are some of the things that WordPress users and Elementor users can expect coming up in 2020?

Kfir:
We’re starting from the basics. So the basic is how we scale a business. There are lots of inner growing pains for every business, as it’s called by serial entrepreneurs. You can see companies in their growing pains and how we take this huge responsibility of having a very big community and users and how we take it to the next step. So I think most of it is going to be focused again on the community and on what they need. We keep listening to them all the time. We’re talking to them and figuring out where the core needs are. Obviously we cannot address every specific need, but we understand where the trends are. What are the biggest pains for web creators? Both the advanced and the ones who want to get into this business of building websites and providing these services. So I think A, is going to be extending the platform. We want to take Elementor and extend the platform to a wider spectrum so it’s going to be an end-to-end solution for web creators. So that’s going to be one thing.

Second part it’s going to be making sure that we keep the pace of deploying the new features and for the clients. So it’s going to be both more features and also more or new products that we’re going to introduce. Some of them are going to be very soon. We’re going to keep the surprise for the moment that we are going to announce them. The second part is making sure that the platform is going to be stable at scale. That’s a problem that companies who are growing need to put lots of attention to it, so it’s going to be making sure that the platform is stable. We are putting lots of emphasis on security, and we’re going to put a lot of emphasis on support. We’re getting tens of thousands of support tickets on a monthly basis. We really want to make sure that our support is going to be to the best that is possible. So that’s going to be another point of focus.

The third component is taking the community to the next level. Meaning investing even more in it, supporting more local meetups in providing more information, get in touch with them, setting them up with, let’s call it arenas where they can have more extensive and advanced conversations specifically for the advanced web creators about things which are undermined and they want to have partners to talk about it. And we can offer some of the information because we have lots of knowledge, so we want to share that. So that’s going to be another part where we’re going to invest our money and our effort.

I think the fourth component would be infrastructure. So for a company at the scale that we are, and at least what we are imagining we will be in a year or two or three from today, we need to invest significantly in infrastructure. That’s going to be both a technological one but also in terms of growing: we are currently 130 employees, spread by the way over fifteen countries, and scaling up to more than 200 and then some is another challenge. So infrastructure of how we get to stay connected and …. So these are the core areas. Yeah.

Kathy:
Okay. Are you a completely remote company or do you have offices in Tel Aviv?

Kfir:
So we have our headquarters in Tel Aviv. I think we are here like 85 or 90 and then the rest of them are in other countries, and I think this is the way we’re going to keep it, at least for now, because it’s working for us very well.

Kathy:
Yeah. Okay, cool. Can you talk to me a little, well since Wordfence, we’re sort of a security-focused podcast and you mentioned that you’re going to have more emphasis on security, can you talk to me a little bit about what that means for Elementor?

Kfir:
So I think like in any other company, and I’m not a security guy here, but I can tell you that with size comes responsibility. We are aware to generally speaking security issues, and we understand that it involves information and then websites of businesses. And then it’s also the source of income for our users and customers. So we want to make sure that we provide a safe and secure environment to work with and to make sure that the websites that are being operated on WordPress with Elementor are going to be secure to the best possible.

Kathy:
Not only just making sure that Elementor is secure, but you’re supporting your customers as well and making sure that their installations of Elementor and whatnot are secure as well?

Kfir:
Yep.

Kathy:
Gotcha. Okay, cool. Is there anything else that I haven’t asked you that you’d like to talk about?

Kfir:
I think actually we’ve covered lots of it. I think maybe just one point relating to the fact, and thank you for mentioning that, about WordCamps. We donate there, and we contribute as we see it as part of Elementor. We have actually two other plugins. One of them is for accessibility. Both of them are with a total of over 120,000 active users. So it’s part of our philosophy or culture so to speak, making sure that we contribute back. It’s important to us. So I think WordCamps, the first one we’ve actually sponsored was WordCamp US last year, and this year we’re going to sponsor, we’ve actually secured that, I think you’re the first one to know. So here you go. We are going to sponsor WordCamp Porto in Europe and we’re going to be looking to do the same again also with WordCamp US and hopefully we’re going to be able to sponsor another few local events in the US this year.

Kathy:
Oh that’s excellent. Well if WordCamp Phoenix comes on your radar for next year, I am the sponsor coordinator for that. So I will stay in touch with you. We have a great WordCamp here in the Southwest of the United States. We get about 500 people who come and it kind of kicks off…

Kfir:
Oh that’s a lot.

Kathy:
It is and we draw from Southern California as well and because we have it in February when the weather in the United States, the Northern part of the United States is pretty bad. Everybody likes to come to Phoenix and escape the snow. So it’s kind of a destination WordCamp. So we would love to have Elementor here. I think you guys would enjoy it, and it’s so exciting that you guys are jumping into the community and really supporting the WordCamps. Did you have a lot of good experiences at WordCamp US last year?

Kfir:
Actually, it was enlightening just to see everyone, to talk to people to find like, I think the best thing is to get the acknowledgement and the love from our users. As a marketeer thing, the fact that we have people coming and asking to take the t-shirts or the hoodies with the Elementor logo and just walk with that and be proud of the fact, and getting literally genuine, honest, heartwarming feedback saying, “Guys, you’ve changed my life. Literally you’ve changed the way I live and I got a profession, and I’m working and I can provide for myself. Or my business extended significantly.” These are the moments where you go back and say, “Wow, that’s really amazing, and let’s do more of that.” So I think that we all came back really excited out of it and said, “We need to do that more.”

Kathy:
It’s a humbling experience to have those kinds of conversations and it just brings it back to me what we’re here for: to serve the WordPress users and serve the WordPress community. And it gives you sort of that passion and purpose for what we’re here for. Well, Kfir, thank you for joining me today. It was really great to hear how Elementor has grown and I’m so excited to watch now that I’m also an Elementor user.

Kfir:
We thank you for that and welcome to the Elementor community.

Kathy:
You know what? I can tell you it’s changed my life because I’ve turned everybody on to WordPress and yet sometimes they’re asking, “Well, how do I make my site look like this? Or how do I do that?” And now I can show them, and now they get to do things that are above and beyond anything I could ever show them because of Elementor. So it’s changing my life and that I’m not doing as much tech support or dev myself because I can show people, I can empower other people to do it. And so Elementor’s very good for me. It gives me more free time. Thank you.

Kfir:
That’s amazing to hear. Thank you very much.

Kathy:
Great. Well thanks for joining me and we’ll talk to you soon.

Kfir:
Yeah, definitely. Thank you very much for having me.

Kathy:
We hope you enjoyed the interview with Kfir Bitton. A random factoid Kfir shared with me, his name actually means “small lion” in Hebrew. I thought that was pretty cool! If you’d like to learn more about Elementor, you can find their free plugin in the plugin directory and more information about them on elementor.com. Their YouTube channel has a ton of tutorials on how to use their product and even some great general WordPress tutorials.

As always, I’m @KathyZant on Twitter and I’m kathy AT wordfence DOT com. I would love to hear from you if there’s someone else in the WordPress space that you’d like me to interview, or maybe you think you’d like to be interviewed. Reach out!

We’ll talk to you soon.

The post Episode 69: The Meteoric Growth of Elementor with Kfir Bitton appeared first on Wordfence.


Happening Now: Over 2 Percent of Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warnings

On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug. This is 2.6% of the over 116 million active certificates issued by Let’s Encrypt.

Let’s Encrypt has contacted all certificate holders affected by this bug, and they’ve created a tool and a list of serial numbers to determine if your TLS certificate is affected by the bug.

Let’s Encrypt has not set an exact time for revoking the certificates; however, they say the earliest it will begin is 00:00 UTC.

Some certificate holders have received emails saying they’re affected but may have received that alert erroneously, either because the certificate was issued in the last few days, after the bug was fixed, or because it did not meet the timing criteria necessary for the bug to trigger. This has added to the confusion.

How to tell if you’re affected

Let’s Encrypt created a tool where you can check your site’s host name and determine if your Let’s Encrypt-issued certificate is affected by this bug.

You can also consult Let’s Encrypt’s list of all affected serial numbers.

On a Linux/BSD-like system, you can also run the following command to show your domain’s current certificate serial number (with the colons stripped, so it matches the format of the serial number list). Replace example.com below with your own domain name:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 'Serial Number' | tr -d :

If your hosting provider provided a certificate for your website, they were likely the ones contacted by Let’s Encrypt. Numerous site owners have received notifications from hosting providers that they would be handling the reissuance of those certificates.

If you have created your own Let’s Encrypt certificate, you will need to update yourself if you are affected.

What will happen if I don’t fix this?

A secure TLS certificate ensures that your site visitors have encrypted traffic between their browsers and your website. Site visitors might see a certificate revoked error, a “not secure” warning, or other security warnings in their browser that may erode trust in your site.

What happened in technical terms?

Boulder, the CA software used by Let’s Encrypt, checks CAA records for a domain name at the same time that it verifies that a certificate requester controls that domain. Most subscribers issue a certificate immediately after they validate domain control; however, Let’s Encrypt trusts that validation for 30 days. Because of that trust, Boulder sometimes has to recheck CAA records a second time, just prior to issuing the certificate. The window for rechecking is 8 hours, meaning that any domain name validated more than 8 hours ago requires a recheck.

According to Let’s Encrypt:

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

Let’s Encrypt confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance two minutes later. They deployed a fix at 05:22 UTC and re-enabled certificate issuance at that time.
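To make the bug concrete, here is an added simulation of the recheck logic described above, written for this post and not taken from Boulder’s code or from Let’s Encrypt. The domain names, CAA policies and timestamps are constructed, and which single name the buggy loop picked is treated as immaterial (the first one is used).

```python
# Added example (not Boulder's code): simulate the CAA recheck path with the
# "pick one name and check it N times" bug beside the corrected loop.
# All DNS data, names and times below are constructed for illustration.
from datetime import datetime, timedelta

CA_ID = "letsencrypt.org"               # CA id that a CAA "issue" record must permit
AUTHZ_LIFETIME = timedelta(days=30)     # a domain-control validation is trusted this long
CAA_MAX_AGE = timedelta(hours=8)        # validations older than this need a CAA recheck


def caa_allows(dns: dict, name: str) -> bool:
    """True if the constructed CAA policy for `name` permits CA_ID to issue.

    `dns` maps a name to the set of CA ids in its CAA "issue" records, or to
    None when the zone has no CAA record at all (which permits any CA).
    """
    issuers = dns.get(name)
    return issuers is None or CA_ID in issuers


def recheck_buggy(dns: dict, names: list) -> bool:
    """The bug: one name is rechecked len(names) times, the others never.
    (Which name was picked does not matter here; we use the first.)"""
    picked = names[0]
    return all(caa_allows(dns, picked) for _ in names)


def recheck_fixed(dns: dict, names: list) -> bool:
    """The fix: every name that is due for a recheck is actually rechecked."""
    return all(caa_allows(dns, n) for n in names)


def may_issue(dns: dict, validations: dict, now: datetime, recheck) -> bool:
    """Decide whether a certificate covering every name in `validations` may be
    issued at `now`. `validations` maps name -> time of domain-control validation;
    `recheck` is one of the two recheck implementations above."""
    # A validation older than 30 days has expired: the subscriber must validate
    # again (which performs a fresh CAA check), so issuance is refused here.
    if any(now - t > AUTHZ_LIFETIME for t in validations.values()):
        return False
    # Only names validated more than 8 hours ago are subject to the recheck;
    # this is the "timing criteria" that decides whether the bug could trigger.
    stale = [n for n, t in validations.items() if now - t > CAA_MAX_AGE]
    if not stale:
        return True
    return recheck(dns, stale)


# Constructed scenario: both names validated at time X while neither zone had a
# CAA record; two days later beta.example publishes a CAA record that permits
# only some other CA, which should block Let's Encrypt issuance.
X = datetime(2020, 2, 1, 12, 0)
VALIDATIONS = {"alpha.example": X, "beta.example": X}
DNS_AT_X = {"alpha.example": None, "beta.example": None}
DNS_LATER = {"alpha.example": None, "beta.example": {"other-ca.example"}}


def scenario() -> tuple:
    """Return (buggy_decision, fixed_decision) for a request two days after X."""
    later = X + timedelta(days=2)
    return (may_issue(DNS_LATER, VALIDATIONS, later, recheck_buggy),
            may_issue(DNS_LATER, VALIDATIONS, later, recheck_fixed))


if __name__ == "__main__":
    buggy, fixed = scenario()
    print(f"buggy Boulder issues: {buggy}, fixed Boulder issues: {fixed}")  # True, False
```

The same functions show why a certificate issued within 8 hours of validation was not subject to the bug: with no stale validation, neither recheck runs.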

According to security researcher Scott Helme, who posted his investigation on Twitter:

Does this mean we should use something other than Let’s Encrypt for SSL certificates?

Let’s Encrypt has been very transparent about this bug, both in identifying the problem themselves and in reporting the CA incident. They are acting exactly how a certificate authority should act. As such, we are confident that Let’s Encrypt is still a good source for TLS certificates.

You can find details of the bug on the Let’s Encrypt bug tracker.

The post Happening Now: Over 2 Percent of Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warnings appeared first on Wordfence.


Episode 68: More Plugin Vulnerabilities and Active Attack Campaigns

This week, we review numerous plugin vulnerabilities in popular WordPress plugins and the attacks that are targeting them. We also review the Duplicator vulnerability affecting over 1 million sites, and Chloe Chamberland’s discovery of multiple vulnerabilities in the Pricing Table by Supsystic plugin. Some WordPress-focused companies, Elementor and Strattic, receive venture funding.

We also ask lead customer support engineer Tim Cantrell about the different ways to use Wordfence settings for brute force protection, blocking IP addresses, and how to prevent alert fatigue.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:10 Site Takeover Campaign Exploits Multiple Zero-Day Vulnerabilities
4:45 Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
8:12 Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin
10:00 Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities
11:19 Venture funding to Elementor and Strattic
15:44 Ask Wordfence with Tim Cantrell: Brute force protection, blocking IP addresses, and preventing alert fatigue

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Tim on Twitter as @tcan1337 and Kathy as @kathyzant.

Have a story you’d like us to cover? Contact us at press AT wordfence [dot] com.

Episode 68 Transcript

Kathy Zant:
Hello my WordPress friends. And welcome to episode 68 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation brought to you by the fine folks at Wordfence. Wordfence, obviously a security plugin, securing over three million WordPress sites. We have a firewall that protects your site from malicious attack and a malware scanner that alerts you if you have been compromised. And that’s my pitch for today.

Did you catch episode 67 previous to this? That was Ram Gall’s talk at WordCamp Phoenix about the most common mistakes found in plugin vulnerabilities. So if you’re writing plugin code for WordPress sites, Ram’s talk helps you identify some of the most common problems, well, the common problems we’ve seen, when plugins have significant vulnerabilities. Definitely check that out. You can see all of the slides on the YouTube video of his talk at WordCamp Phoenix. And with that mention, we do have a few plugin vulnerabilities to go over this week. So let’s dive into the news.

First up, let’s talk about an active campaign that the Wordfence threat intelligence team has identified. On February 26th, our friends over at the Ninja Technologies Network posted that a zero-day vulnerability had been fixed in WordPress Flexible Checkout Fields for WooCommerce. This was a plugin with about 20,000 active installations and this vulnerability was zero day. It was being actively exploited. It affected versions 2.3.1 and below. And that active exploitation had been happening for a few hours and there were some notes on wordpress.org in the support forums for that plugin.

Our threat intelligence team looked deeper to find out what was going on. Upon doing so, they identified that there were three additional plugins that had zero-day vulnerabilities. These popular plugins were also being exploited as a part of this campaign. The targeted plugins include Async JavaScript, Modern Events Calendar Lite and 10 Web Map Builder for Google Maps.

Our team reached out to the plugin’s development teams to help them resolve these issues as quickly as possible. As always, our Threat Intelligence team developed and released firewall rules to protect against active exploitation that was happening. So Wordfence Premium users have already received these protections and Wordfence free users will receive them in 30 days.

Fortunately, because these vulnerabilities were being exploited to inject cross-site scripting payloads, these attacks were for the most part being blocked by the built-in cross-site scripting protection available to all Wordfence users, whether you’re using the free plugin or premium. However, because of the nature of these vulnerabilities in each of these plugins, there was some other disruptive activity that we can’t really get into because of security reasons that could not be blocked by that built-in cross-site scripting rule. So it’s really important that you take a look and if you have any of these plugins on your site and at the time of your listening they have not been patched, you either need to put additional protections in place like Wordfence Premium or we recommend that you remove those plugins. Don’t just deactivate them, but actually remove them, delete them from your site in order to keep your site safe.

So we’ll have a link to the blog post in our show notes that will go over the different vulnerabilities that were discovered in these plugins and we will have a follow up post in the next week that gives you some idea of what this active campaign is doing. Right now, we just wanted to let you know as soon as possible that we saw an active attack happening. We’re working with the developers to get these patched. We’ve released firewall rules. We’re doing what we can… And informing you is part of what we can do.

And what you do with your site is obviously up to you. If you keep these vulnerable plugins on your site, just make sure you have adequate protection or make sure you have backups, because this active campaign could be something that targets your site as well.

Next up was a blog post that we posted last week. This was covering the Duplicator plugin vulnerability that affected over a million sites. Duplicator is a plugin that basically allows you to take a copy of your site and move it elsewhere. This is installed on over a million sites. There’s also a pro version and we have an estimate that about 170,000 WordPress sites are using that pro version.

Both the pro and the free version of Duplicator are affected by this vulnerability, so it’s very important that you have the latest version of Duplicator on your site, if you need on your site. This is one of those plugins that I consider removing if I’m not actively using it because it doesn’t have anything that is required for the front end functionality of a site. It’s questionable whether or not you need to leave it on your site at all. Sometimes people use it for backups. So there could be reasons that you may want it on your site.

Now we found this, Ram Gall, whose talk you might have seen in episode 67 or on our YouTube channel, Ram actually found this vulnerability actively being exploited when he was checking some of our threat intelligence. He saw some requests that were getting blocked by the Wordfence firewall. So if you have Wordfence on your site and a vulnerable version of Duplicator, hackers cannot exploit this vulnerable version because Wordfence is blocking access to the files that hackers are after.

So this vulnerability was unauthenticated, meaning anyone can exploit it, you don’t need to be an authenticated user. Unauthenticated arbitrary, meaning any file whatsoever, arbitrary file download. That means any user anywhere, if they know how to exploit this vulnerability, was able to grab any file.

And now when this happens on a WordPress site, usually the file they are after is wp-config.php. wp-config.php is a file that is in the root of every WordPress installation and it contains a number of things. Of greatest consequence are your WordPress, MySQL or MariaDB, whatever database you’re using, your database credentials, so the database username and password.

Now if your database that is containing all of your WordPress content does not allow remote access, maybe not a problem, but if it does, a significant problem. So it’s really important to protect that file. Wordfence has built in protections for this and so if you were using Wordfence, whether free or premium, you are protected against this vulnerability being exploited still.

This is one of those plugins that maybe you don’t need on your site all the time. Obviously the front end of your site does not require Duplicator in order to operate. It is something that you maybe use sometimes. And if you’re not using it all the time, it makes sense to remove plugins that are sort of utilities that you use every once in a while. Remove those from your site because when a vulnerability like this comes along, better to not have that vulnerable code on your WordPress site.

On February 25th, Chloe Chamberland posted a blog post about multiple vulnerabilities patched in the Pricing Table by Supsystic plugin. This is a plugin installed on over 40,000 WordPress sites. Chloe discovered cross site scripting and cross site request forgery vulnerabilities in this plugin. She contacted the developers in January, ensured that Wordfence free and premium users would be protected with that firewall rule. At the time of this recording, both free and premium users are protected. Take a look at that blog post.

I really like how Chloe is doing these video walkthroughs of proofs of concept. She’s actually showing how a vulnerable plugin can be exploited. I like these because it demystifies security. It shows you exactly how these types of attacks operate. Some hackers might enjoy them because it’s like, oh great, this shows me exactly what to do.

It’s our job as site owners to ensure that our sites are protected and if protection exists, if an update exists to a plugin, it’s important to just make sure that happens. After a patch has been released it’s important for security professionals to share that knowledge with other security professionals and that’s why these proof of concepts are published and why that information is shared, because when that information is shared, kind of like that whole idea of sunlight is the greatest disinfectant, the more people we can show how to keep WordPress and WordPress plugins and themes and basically any web application safe, the safer the web’s going to be.

Another post I wanted to highlight was one by Mikey Veenstra. Multiple attack campaigns are targeting all of these recent plugin vulnerabilities. These types of posts are important because it shows you indicators of compromise and lets you know what threat actors in the WordPress space are doing. So he goes over a couple of different threat actors and the types of vulnerabilities these guys are targeting. Or these girls. Not really sure. TonyRedball, sounds like a guy in a hoodie, right? That’s at least the stereotype that so many people say about hackers. SolarSalvador1234 is the second threat actor that Mikey profiles. These guys are definitely making hay targeting some of these recent vulnerabilities. So it’s our job, again, to keep our sites patched because as soon as a vulnerability is discovered, especially with large install bases, hackers and malicious actors get very busy trying to find ways to exploit vulnerability.

Finally, there are a couple of other stories that I wanted to highlight in the WordPress space. These are not scary stories. These are happy, somewhat interesting stories. We’re done with all the scary plugin vulnerabilities, at least for this week.

First of all, our friends over at Elementor. Elementor is a page building plugin that is currently installed on over four million WordPress sites. I am an Elementor user. I find it extremely easy to teach my non-technical friends how to do some amazing things with Elementor. They received $15 million in funding from Lightspeed Venture Partners.

Our friends over at Post Status broke this story this week and they had an interesting comment about how they are hiring for their cloud team and that cloud team is tasked with building, maintaining and supporting the company’s cloud hosting SaaS solution. Interesting. It will be very interesting to see what Elementor does with this venture funding. It’s an extremely popular page builder, for good reason. It’s very easy to use and very easy to ramp up on. We have some friends at Elementor and definitely wish them all the best in this funding round and can’t wait to see what they do.

In other VC funding, Strattic, a static hosting company based in Israel, as well as Elementor. It seems like all of the venture funding is going to Israel this week. Strattic raised $6.5 million to bring static WordPress to the masses. Now, Strattic has been around for a little while. I’ve met Miriam at WordCamp US I think in 2018 for the first time and have been following along watching Strattic’s journey. There’s a lot of interesting things happening there.

The whole idea of a static website is very interesting to me, of course. Performance, you don’t have calls to a database, so performance can be better. Security can be better because you just have a flat HTML file and maybe calling some other assets like JavaScript files or CSS files, images, other assets like that. And when I started with the web, there was no WordPress. There was no SQL Server and Active Server Pages and other technologies that connected websites to databases. It just didn’t exist. It was all HTML files and style sheets didn’t exist. You could do some fun things with CGI and Perl and other functionality like that, but it was all very flat file.

When WordPress came along, I was using a blogging system called Movable Type, and Movable Type was a Perl-based application that was on your web server and you had an administrative dashboard very similar to how WordPress works and you would type up your blog post and you would hit publish and it would create a static file. It would create a static HTML file, no PHP, and it became incredibly cumbersome at times to work with.

When WordPress came along and it was using the same database class that I was using in my development work, I was like, oh, I can use this for a blog. This is great, and it’s working the exact same way. I work on my 9:00 to 5:00 job, so I jumped onto WordPress and started tearing apart core and putting it back together in ways that better suited me. I don’t do that anymore, obviously, but at the time… It was open source and it was a fairly simple blogging platform and I had developed sort of my own content management system. WordPress was obviously a better solution, jumped into it and never really looked back.

Now that we’re coming sort of full circle back to static sites, I find it very interesting that they are taking all of the benefits of WordPress and the structure and organization of a database and finding ways to make static files occur. Now, it’ll be interesting to see what they do with highly functional WordPress sites, and I’m kind of in wait and see mode. It’s interesting that they’ve gotten some funding here, and I’m interested to see what they do. Miriam and all of our friends at Strattic, I wish you the best of luck with your funding and hope to see some fun things happening there.

Next up, we have a new segment. This is “Ask Wordfence.” So I’ve been asking you, our podcast listeners, for questions and things that you would like us to address and one of our customers reached out and had a question about brute force. I thought, who would I talk to about better tightening a WordPress site using Wordfence and keeping sites protected from brute force attacks than our lead customer service engineer, Tim Cantrell.

If you’ve ever been to a WordCamp, I’m sure you’ve met Tim. Tim goes by “East Coast Kathy,” he is my counterpart on the East coast and I am “West Coast Tim” and we have shirts that say East Coast Kathy and West Coast Tim. And when we are both at a WordCamp, we laugh a lot. We have a great time. We laugh amongst ourselves, we laugh with customers. I have not had more laughter in my life than I have had being at a WordCamp with Tim Cantrell. So, here’s Tim.

Kathy:
Hi Tim. How you doing?

Tim Cantrell:
I’m great Kathy, how are you doing?

Kathy:
I am doing spectacularly. So I wanted to do a segment of the podcast, which is Ask Wordfence and I wanted our customers to ask them questions. We had one come in where a customer asked what settings in the Wordfence plugin they should use for brute force protection. Like for example, how many login attempts or password resets should they allow before they block an IP address. Do you have an answer?

Tim:
I do happen to have an answer. Yeah, it’s a real-

Kathy:
Amazing.

Tim:
Amazing. It’s a really good question, actually. There isn’t a hard or fast one size fits all kind of set of rules that work for every site. Really, how many login attempts or password resets you allow really depends on the type of site that you have and who’s actually going to be logging into it. If you’re the only person that has to log into your site, just like a simple site with one admin, then you probably want to set that for a lower number, like three attempts, and that’s a good place to start. If you have all kinds of users, maybe varying tech skill levels, you might want to actually give it a few extra tries over that. People may actually be like me and fat finger passwords and usernames all the time.

Tim:
While it’s good to want to block the bad guys, if you’re also at the same time blocking your customers or your site visitors too because your rules are too tight, well then your visitors, your customers, your members, they may just take their business elsewhere. Or you’re going to spend all day unlocking accounts, and neither of which are fun or optimal. You kind of want to land somewhere in there in between.

I generally allow about 10 attempts at logging in before I lock out a user. And I usually set the lockout period for about 30 minutes. Most of the time if it’s a bot or a script just kind of doing a random attack on you, they won’t stick around if they get blocked enough. And since they change IP addresses often, 30 minutes to keep them blocked is probably enough.

Of course, if you’re seeing a lot of login attempts from bogus sources because you’ve got one ongoing attack happening, you might want to lower the number of attempts. You may want to increase the amount that they’re locked out just for the duration of the attack.

The trick is really to be aware and to pay attention to the alerts you’re getting. You’re probably always going to have somebody that gets locked out at some point or another. But if you’re diligent in responding when there is a problem for a visitor or a customer or a member, they’re going to appreciate that your policies are there to make sure and keep the site safe for everyone. So I guess that’s kind of an answer.

Kathy:
Yeah, that sounds reasonable. So like if somebody is first getting started with Wordfence, would you suggest that they receive notifications of all lockouts just to get started so that they’re aware of what’s happening on the site so that they get emails when that happens?

Tim:
You can, but I have a theory that it’s really easy to get lost. The more emails you get, the more alerts you get, it’s easy to kind of miss the trees for the forest.

Kathy:
Sure.

Tim:
So if you’re getting all these email alerts, and it’s great with our plugin, we want you to know that we’re doing our job. This is what we do. We want to show you that things are happening. But the problem is that if you see them all the time, then you start to like miss things that you should probably be paying attention to. Like when scan alerts come in and there’s a problem, I want to be able to see that stuff front and center.

Kathy:
That makes sense. Cool.

Tim:
I hope so.

Kathy:
And so do you think people should go blocking IP addresses when they start seeing malicious activity?

Tim:
There are two different schools of thought on that and I think a lot of people think that when they get those IP addresses that they need to block them right away. Let me add them to the block list. Like I kind of alluded to before, blocking IP addresses, probably not the good long-term security policy. And the reason for that is that again, like I said earlier, these bots and scripts, if they get blocked for more than like 5 or 10 times, sometimes more than that, sometimes less, they’ll switch IP addresses. VPNs and proxies, it’s really easy to switch your IP fast and not be a problem there.

So blocking IP addresses, once those are released, the bot script or the hacker releases that IP address, well that can land in like an actual visitor. That could be an actual customer, after that. If you block their IP address and just walk away, well, you’ve locked somebody that may come and want to read what you’ve written and they may want to purchase something. So like long-term strategy, it’s not really a great idea to do that.

Plus pretty soon, you’ve blocked like hundreds and hundreds of IP addresses and then you have to manage all that. When do you go back and try to like go, and who’s been, and which IP addresses do I release now? So usually if you just want to set that for a time limit for however long you’re comfortable with, that’s the better strategy.

Kathy:
Sounds good. Sounds like you should just let Wordfence do its job, right?

Tim:
Well, that’s what we make it that way for us so that it makes it easy for anybody to be able to secure their site without really having to understand all the ins and outs and ups and downs. Just let the plugin do its job.

Kathy:
Great.

Tim:
Cool.

Kathy:
Thank you, Tim. Hey, if I have more questions from customers, can I bring you on again?

Tim:
Absolutely. I love being on your show. I’m so excited for this.

Kathy:
Thanks, Tim.

Tim:
This is really awesome.

Kathy:
This is awesome. And people should go follow you on Twitter, right? What’s your handle?

Tim:
It’s @tcan1337.

Kathy:
Excellent.

Tim:
Excellent. It’s excellent. What’s yours?

Kathy:
Oh, just KathyZant. I’m boring. No leet-talk.

Tim:
No leet-speak?

Kathy:
Not for me. All right, Thanks Tim.

Tim:
No problem at all. Thanks Kathy.

Kathy:
We hope that answered some of your questions about how to protect your site from brute force attacks using Wordfence. And we hope you learned a lot about WordPress, what’s happening in the ecosphere and also more about some of these plugin vulnerabilities that have been coming out of the woodwork. We’re doing our best to address these as they pop up. Our threat intelligence team, in our Slack channel for threat intel is just on fire lately. They are doing a bang up job protecting the WordPress community and we will keep you as informed as we can.

If you’re not on our mailing list, please do subscribe to that mailing list. We will send you out only alerts when a blog post is going live. Obviously you can follow the podcast and we will cover these, but can’t cover them as fast as we do with our WordPress site. So how do you like that? Yes, we use WordPress too and we use Wordfence too. And yes, I was a customer before I started working here.

So if you have a story you would like us to cover, please let us know. If you have a question about Wordfence and you’d like us to walk you through how to use the tool more effectively, you can let us know that too. If there is anything you want to tell us, we are open ears all the time, press@wordfence.com or kathy@wordfence.com to get me directly.

Please “like” this podcast, leave us a review on Apple Podcasts or wherever you are listening. If you have feedback, we love to hear it. If you have feedback on how to make things better for you, that’s what we’re here for. We’re here to serve you, the WordPress community, so thanks again. I am Kathy Zant. I am “KathyZant” on Facebook, on Twitter, on Instagram. And you can follow Wordfence at all of those social media accounts as well. We are Wordfence at Facebook, on Instagram and on Twitter.

Thank you again for listening and for all of your feedback and we will talk to you soon.

The post Episode 68: More Plugin Vulnerabilities and Active Attack Campaigns appeared first on Wordfence.


Episode 67: Avoiding Common Vulnerabilities When Developing WordPress Plugins

Almost every week, a new vulnerability is discovered in a popular WordPress plugin or theme, leaving developers scrambling to fix it before it’s widely exploited. Surprisingly, almost all critical vulnerabilities boil down to a few common mistakes. In this talk from WordCamp Phoenix, Ramuel Gall reviews these common errors and provides advice on creating secure plugins.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Ram on Twitter as @ramuelgall.

Please feel free to post your feedback in the comments below.

Transcript for Episode 67

Kathy Zant:
Hey everyone. This is Kathy Zant and this is Think Like a Hacker, the podcast about WordPress, security and innovation. This is episode 67. This week we will have two episodes, 67, which is this one, and a separate episode later this week with the latest in WordPress and WordPress security news. We have a couple of stories in the works, but today we wanted to feature Ramuel Gall’s talk at WordCamp Phoenix earlier this month in February 2020. Ram is one of our senior quality assurance professionals. He makes sure that everything that happens at Wordfence is of the highest quality. From malware signatures, to firewall rules, to proofreading a blog post, Ram is one of those guys that just gets things done and can do a lot of different things. Ram is also a GIAC certified web application pen tester or penetration tester. That means he finds web application vulnerabilities, and no matter what I need Ram to do at any given moment, Ram is there to help. He’s just definitely one of those quintessential team players that you always want on your side. He’s also a ton of fun to work with.

I’ve been encouraging Ram for the last year to throw his name in the ring and share his love of application security with the WordPress community. He jumped up to the challenge. This is his second WordCamp talk. His first was at WordCamp Long Beach last fall. This talk is entitled Shut the Front Door, How to Avoid the Most Common Critical Vulnerabilities When Developing Your Plugin. Ram will talk about the different types of vulnerabilities and how these flaws end up in WordPress plugins. If you’re thinking about writing a WordPress plugin, or maybe you already have, Ram tells you about the common pitfalls plugin developers run into and how you can write more secure code. This talk is also available on our YouTube channel where you can also see Ram’s slides. Without further ado, here’s one of my favorite members of the Defiant/Wordfence team. Who am I kidding… I have so many favorite members of our team. We hope you enjoy.

Ramuel Gall:
Welcome to Shut the Front Door. My name is Ramuel Gall. I am a QA engineer at Wordfence. I am a GIAC certified web application penetration tester, also an EC-Council Certified Hacking Forensic Investigator, but I didn’t put that on the slide show because it’s not as relevant. If you put these together, I get to spend a lot of time looking at our firewall rules and which vulnerabilities are commonly targeted. Here’s what we’re going to cover. First we’ll go over some definitions, cross site scripting, cross-site request forgery, SQL injection and remote code execution. I just showed you the acronyms. We’re going to cover what successful attacks have in common. We’re going to cover what attackers do once they get in. We’re going to cover what could go wrong, which turns out it’s mostly broken access control. I’m going to provide some details and examples. We’re going to cover what to do instead.

Let’s start with the definitions. First is XSS, cross site scripting. That really is just running code in someone else’s browser, usually JavaScript, almost always JavaScript. CSRF, cross-site request forgery, is using someone else’s session, doing an action as someone else because you got them to click a link. Now SQL injection, SQLi, that’s running commands on someone else’s database. RCE, remote code execution, that’s running code on someone else’s server.

Cross site scripting, there are two kinds. There’s reflected cross site scripting. It’s usually used in targeted attacks. It usually requires user interaction. You have to get someone to click a specialized link. It’s useful for social engineering and it’s usually done to exploit CSRF, or at least that’s what it’s mostly used for in targeted attacks. Then there’s stored cross site scripting, which is the kind we see more often in untargeted wide-scale attacks. It’s used in widespread drive-by attacks. It’s used to permanently insert malicious scripts. It is much more common in attacks against WordPress plugins.

Cross-site request forgery, basically that’s taking an action as the targeted user by hijacking their session. It typically, but not always, requires user interaction. It’s often used with cross site scripting because if you can get someone to click a link, let’s say someone’s logged in as an administrator on the WordPress site, you get them to click a link that submits a form that creates a new administrator … you. That’s a good example of that. Where cross site scripting comes in, well, that’s usually useful in getting past nonce protection. Nonces do help prevent this if there’s no cross site scripting vulnerabilities present.

SQL injection, usually it occurs when input isn’t validated correctly. It’s been less common in recent years. WordPress makes preparing statements easy so that you’re not just injecting raw SQL into your database queries. Then there’s remote code execution. Usually, PHP or shell code are used when WordPress is targeted because all WordPress runs on PHP and most WordPress runs on Linux. It’s typically very high severity because anyone who manages to pull this off can basically take any action as the PHP process owner. It can be used to establish permanent back doors.

What do successful attacks have in common? Well, first of all, they tend to take advantage of multiple flaws. It’s very rarely just a cross site scripting vulnerability. It’s cross site scripting, plus we forgot to check that this person’s allowed to insert a script because administrators usually should be allowed to do stuff like insert scripts. They tend to be low complexity. That is to say someone can just look up an exploit and copy it and put their own payload in it. They tend to require minimal privileges. A vulnerability that an unauthenticated user can exploit or that someone who’s only got subscriber permissions can exploit is going to be much more commonly attacked than one where only an editor or someone with publishing permissions can pull it off.

They tend to require minimal user interaction. Social engineering takes effort, not always a lot, but it does take some effort. If it’s an attack that happens when someone just visits the site or goes to a specific page on the site that they were going to visit anyway, it’s going to be much more commonly attacked than anything that requires someone to click a specific link. They tend to be high impact or high severity. Most attackers are not going to go after a vulnerability that just gives them general information on how your server’s configured unless they’re specifically targeting you. The last and maybe most important thing, successful attacks tend to be monetizable. Hackers like making money. That’s why they do all this.

What do attackers do when they get in? Well, usually one of three things. They tend to insert malicious JavaScript, which counts as stored cross site scripting. They tend to update options or they tend to upload a backdoor if they can. Let’s go over insert malicious JavaScript. Usually that will be used to redirect visitors to a malvertising site, which is like advertising except it takes you to an online gambling site or something less benign. We also see malicious JavaScript used to scrape payment information. Anyone heard of Magecart? We have seen at least one campaign where the malicious stored JavaScript was actually used to insert an admin user via AJAX. It would actually show up on the administrative panel and when an administrator logged in, it would literally scrape the nonce used to make changes. At that point it’s basically stored cross site scripting plus stored CSRF except it’s no longer cross-site either.

We see a lot of attacks attempting to update options. A lot of the time they will change the home or site URL values to redirect visitors and, again, to malvertising sites where they can make money. The next two usually go together and usually they’ll change “users can register” to 1 if users can’t already register. They will change the default role to administrator, so the next time they make a user, they’re an administrator and they own your site now. We also do see options update vulnerabilities used to add malicious JavaScript.

Again, a lot of the time it’s via custom CSS fields or social media user ID fields, anything where the output isn’t sanitized. If they can, they will try to upload a backdoor. One of the big uses for this is hosting spam or phishing content. SEO spam is a big business, building dirty back links and phishing. I mean, if you can get someone’s account credentials using phishing on a site that’s not blacklisted yet, people aren’t going to get that Google Chrome warning. We see basically back doors used to add malicious redirects to malvertising sites as well. You’ll see that happen a lot. We will also see that used to scrape payment information, though through server-side code instead of JavaScript. Last, but not least, if someone has a backdoor on your site, they can use it to attack other people’s sites, which is not a good look.

What could go wrong? Well, it’s mostly broken access control. One of the number one things we actually see broken is failing to add access control to settings or import functionality, or insufficient access control, I should say. Usually this means using a little function called is_admin for access control, which does not do what it sounds like it does. We also see plugins using a function called admin_init for access control, which also doesn’t do exactly what it sounds like it does. We also see admin_action hooks for access control, and those also don’t do what they sound like they do. Finally we see plugins using ajax_nopriv hooks for administrative functions, and those do exactly what they sound like they do. They allow an unprivileged user to take an action.

We do also see failing to check nonces a lot. Now these are usually a little bit less critical because again, if a nonce is the only thing standing in your way, then, well, you’ve got bigger problems, but not having a nonce will lead to a CSRF vulnerability and, while those usually need to be targeted attacks, they are still problematic. And last but not least, making nonces available to unauthorized users. This is actually worse because it doesn’t require social engineering or anything like that. If someone can log in as a subscriber and view the nonce that you think is standing between them and an administrative function, then they’ll be able to do that administrative function.

So I brought some details and examples today. So let’s start with is_admin. Now, it only checks if an administrative page is attempting to be displayed. It doesn’t check if you’re an administrator. So a logged in subscriber will pass this check and an unauthenticated request to admin-ajax.php or admin-post.php will also pass this check. And the example I chose for this is the Social Warfare plugin. It used the is_admin function to protect a debugging and settings migration function. It could be pointed to a crafted configuration document. You could just give it a GET parameter to a URL that you set up ahead of time and stick a malicious script in there, or stick some code in there and it would be executed.

So most attacks earlier on changed the Twitter ID since it’s a social plugin, and they also failed to sanitize the output of the Twitter ID. Like I said, broken access control plus other things. We’re mostly focusing on the access control because it’s the mistake you see most frequently. But yes, most attacks [on Social Warfare] changed the Twitter ID to a malicious script and used it to redirect visitors to malvertising sites, or they used it to add a backdoor. Not the Twitter ID, they actually just put PHP code that grabbed yet another file and wrote it to the server. It also did lack a nonce check, not that that would have been sufficient, but it would have helped.

And the good news is, the developer of this plugin acted very quickly to fix this issue. I think it was within a day or two. One of the big lessons from this is, if you have an issue, it’s how you respond to it is the most important thing. I’m cutting out. There we go. I brought some code screenshots. If you look near the top, there’s an is_admin function, and look, they’re trying to use it to keep people out. And that clearly doesn’t work. And you’ll notice how the next thing is, it tries to assign file_get_contents of whatever URL it gives you, or you pass to it, and puts that in an options array. Then it does an eval on that array. But if they decide not to go for the remote code execution vulnerability, it will then update the Social Warfare settings options. See, we got a two-fer, an options update and remote code execution vulnerability. And this might seem a little bit limited except for the fact that, again, the Twitter user ID wasn’t sanitized, so cross site scripting.

The next not-so-safe function we’re going to cover is admin_init, and it runs when any administrative screen or script is initialized. A logged in subscriber will pass this check, and an unauthenticated request to admin-post.php or admin-ajax.php will pass this check as well, just like the last function. The main difference is that, that one’s supposed to only run or only pass when you’re attempting to load an admin screen. This one actually runs stuff when you attempt to load an admin screen. The Easy WP SMTP vulnerability is the one we’re going to cover for this. It used admin_init to protect a settings import feature that allowed arbitrary options to be updated. Some attacks updated the home or site URL to a malvertising site. Others changed users_can_register to 1 and updated the default role to administrator, and people ended up finding rogue administrators on their sites.

Again, the plugin developer released a patch very quickly. I think it was again within a few days. Kudos to them. And here’s some screenshots. I did skip around in the code a little bit, but see how they’re adding an action on admin_init, and they’re literally naming the function that they’re running on admin_init, “admin_init.” Which is very creative. Anyways. Just pass it something in the files array and it unserializes whatever’s in that file you pass it, which also could be an object injection vulnerability, depending on what else is installed. But those are fairly rare these days. Well, fairly rarely exploitable these days, I should say. But if that’s not exploitable, it’ll just update your site options with whatever was in that serialized data in that file that you passed it.

Next we’re going to cover admin_action hooks. Now, these are registered on most pages in the admin interface. They can be triggered by subscribers, again. The Duplicate Page vulnerability is the one we’re going to cover for this. It used an admin_action hook to trigger duplicate post functionality, and this resulted in a SQL injection vulnerability. You will see it probably, hopefully, as soon as it’s highlighted. And the plugin author responded reasonably quickly. It took them about a week to actually get an updated version out. There were some problems, but they still managed to take care of it and had a decent response.

I’ve highlighted that admin_action_dt_duplicate_post_as_draft, and once that action runs it takes whatever you put in the GET parameter, the GET parameter called post, yes, that’s confusing, and assigns that to the post ID variable. And then if you look at the very bottom, it’s literally doing a SQL query with whatever it is you just fed it from that GET parameter, and that can lead to SQL injection. Now, the good thing about modern SQL injection is most of the time you can’t actually use it to change things in a database, at least the way WordPress is set up, but it still can lead to exfiltration of data.

I don’t actually know what they use this one for much. I just thought it was a cool example. Now, this was actually one of my favorite, or least favorite, because it’s actually becoming a little bit less common. But when it does happen, it’s usually very bad. That’s using ajax_nopriv hooks. That’s not to say you shouldn’t use them, just don’t use them for anything that should require privileges, because an unauthenticated user can use the registered action. Adding capability checks and nonce protection does make these safer. If you want to have one AJAX function to rule them all, you can still do it and use regular AJAX hooks and ajax_nopriv hooks, and just have your capability checks if you want to do something administrative. But it’s probably safer to split it up. Yeah, you should probably still only use these for actions you want to be publicly accessible.

The example here is the Total Donations plugin. It used an unprotected ajax_nopriv hook, and this allowed arbitrary options updates. So some attacks added malicious JavaScript via a custom CSS option, other attacks, once again, changed users_can_register to 1 and changed the default role to administrator. We still see people trying to attack this even though… Well, spoilers. Even worse, the plugin had an alternate AJAX endpoint that meant it was vulnerable even if it was deactivated. You had to completely remove this plugin in order to make it not vulnerable.

Worst of all, and this is what I was talking about spoilers, there was no response from the plugin developer when people tried to notify them. CodeCanyon, Envato, had a wonderful response. They removed it as soon as it was made clear that the developer wouldn’t be fixing it. At least someone didn’t drop the ball. If you take a look at this it adds an add_action to miglaA_update_me(), and it just grabs whatever is in the POST['key'] and POST['value'] parameters and updates those options to whatever you want, which is kind of terrifying. No checks, no balances, just, “Oh yeah, I’m going to update all your options.”

The next two examples I’m going to cover are… Well, I wouldn’t call this one quite as not severe. Nonce available to unauthorized users. Because this one could actually be fairly severe and we still have seen some attacks for it. Basically the problem is it makes nonce checks irrelevant if anyone can grab your nonce. It doesn’t require social engineering, just access to a location where the nonce is shown. Now, that is usually a subscriber-accessible area so it’s going to be a little bit less heavily attacked than something that doesn’t require authentication at all, but there are a ton of sites that do allow open registration. This would have been a problem on those sites. The good news for these is that access controls do still work. This is also nonce available, but they also didn’t actually check to see if the person taking the action was an administrator.

The example I’m using for this is the Ad Inserter plugin. Attackers could basically use the ad preview functionality to execute arbitrary code. An attacker could basically set a cookie for a certain value, and once they set that cookie they could get a nonce that let them preview code on the homepage if they were logged in as a subscriber. They used a check_admin_referer to check the nonce, which is fine if all you’re doing is protecting against CSRF. It is not adequate to actually perform access control. The good news is the plugin developer released a patch the next day so great response on their part. This was actually one of the folks on our team who discovered this one. Here’s just a screenshot of, hey, there’s the nonce just chilling in the source code of the homepage after you set that cookie.

Okay, this is a pretty busy screen, and there’s a lot going on here. But basically, it does a check_admin_referer, grabs the post preview, sends it to a function called generate code preview. After we skip a bunch of steps it evals whatever you put in the POST[‘code’] parameter.

Finally, and probably least frequently attacked but still important if you are developing plugins and want to follow best practices, failing to check nonces is a bad idea. They’re much less frequently attacked. They typically do require social engineering, but CSRF POST attacks, you can basically send someone a link that goes to a site you control, and it will have a form that auto submits itself if you want to send a POST request instead of, say, a GET request to their site. Like I said, nonces cover most of the really important functionality in core WordPress these days, or a whole of it, I should say, most likely, but if your plugin does something interesting, then well, you should still have them. Failing to check nonces will allow CSRF attacks, even if you do have other access controls in place, so even if you are actually checking that someone has permissions to do something. It basically allows the attacker to use the unprotected function as the targeted user. It’s harder to exploit, but if you can exploit it, then it can get very bad.

The worst thing is that firewalls offer no protection against CSRF. They can offer protection against certain payloads, like if you’re trying to trick someone via CSRF into inserting malicious JavaScript on their own site, then a firewall might catch it. But if you’re trying to trick them into creating a new admin user, and your plugin allows them to do that, it probably won’t.

The example I have here is the WP Maintenance plugin. I think Chloe discovered this. Hi, Chloe. Basically, the plugin failed to check the nonce for updating its own settings, and attackers could add a malicious script to newsletter titles. If for some reason it had a newsletter functionality, whenever it sent out a newsletter, you could basically send a malicious JavaScript out along with that newsletter. Or whenever an administrator checked on their newsletters, then they would be… the script would run.

Attackers could also enable maintenance mode, which meant that they could, temporarily at least, take down your site. Good news is, the plugin developer did release a patch within a day. Again, an excellent response. Most of the responses we see are actually pretty good. Plugin developers are getting much better about this than they may have been in the past.

Code screenshot, I haven’t highlighted anything because it just shows that they can update the options for that. That entire page is hidden behind, well, more typical WordPress admin menu access controls, just like when you log into… as a subscriber, you can’t see the admin menu page for plugins. This is one of those pages.

The question becomes, “What should I do instead?” That’s pretty easy. If you’re going to check access control use current_user_can. It allows more fine-grained control if you only want to allow access to people who can, say, publish posts or edit plugin settings, you can set that as well. You can also use is_super_admin or is_network_admin if you plan on having your plugin run nicely on a multi-site installation that may cause complications, where only network or super administrators can do the thing and you might want local administrators to do the thing.

Use wp_create_nonce and wp_verify_nonce to protect it against CSRF. It’s not a substitute for access control, but it can still help. It’s better to have a nonce in place than not, and adding more friction to an attack is always a good thing. They always go for the low-hanging fruit, as they say. Be careful which pages show your nonce because nonces can be scraped or otherwise compromised. Also, check_admin_referer works to verify nonces. I know we actually covered a vulnerability where this is what they did, but just don’t make it the only thing you do to check access control.

Finally, be aware of who can access what. Just because functionality isn’t exposed in the user interface doesn’t mean it can’t be accessed. I guess this is one of those real core lessons because that’s why it’s always settings imports, stuff like that, options updates. It’s the stuff that maybe gets added on as an extra feature, and maybe doesn’t even get fully developed, but they have the functionality in place. Just send it the right parameters and someone can change your settings. Add access controls to anything that changes settings or options.

Finally, treat anything a user can change as user input, because I have seen all sorts of weird stuff being used as user input. Cross-site scripting through HTTP referer headers is a thing.

Yes?

Audience Question:
Does that work with Booleans?

Ram Gall:
With what?

Audience Question:
Does that apply to Booleans as well?

Ram Gall:
Booleans? He’s asking you if it applies to Booleans. Usually, casting something as a Boolean or an integer does provide some defense, but I have seen at least one options update vulnerability where it allowed you to update the option key to whatever you wanted, but it only allowed you to update the option value to a Boolean value. That meant you could update the home or site URL to false and that would take down someone’s site as well. It can limit the amount of damage someone can do. Again, casting to an integer or Boolean will help limit the amount of damage someone can do with say, a SQL injection, but there are techniques like blind SQL injection that can sometimes overcome this.

Ram Gall:
I’m just going to leave this slide show up to keep in touch. Here’s my contact info and now, I will answer more questions if anyone has any. Okay.

Audience Question:
Okay. So most of these attacks, if I understand correctly, come from people scraping GitHub repositories and stuff like that. If you have your code in a private repository, how much protection will that give you?

Ram Gall:
So the question was that most of these attacks appear to come from people scraping GitHub repositories and whether or not having code in a private repository will protect you? The answer is that if your plugin code is not in an open repository… Am I correct in asking that? Well the thing is, the only way to really protect PHP plugin code like that is obfuscation. The truth is, anything that can be obfuscated can be de-obfuscated. Even if you don’t have your plugin on GitHub, if you’re releasing it and people are using it, someone can reverse engineer it or might just stumble upon a vulnerability by accident. A lot of attackers find vulnerabilities through essentially something called blackbox testing. They don’t even know what the plugin code looks like, they just fire up Burp Suite, and just batch test a bunch of common cross-site scripting bypasses on whatever parameters they can find.

Ram Gall:
Yes?

Audience Question:
Can you just be clear? Your belief regarding nonces is try not to make them available, but if we have a public forum, there’s going to be a nonce on the public forums. It needs to be in addition to you… as long as that’s used with public access or proper access control? Am I right?

Ram Gall:
The question is, should nonces on public forums be used for proper access control?

Ram Gall:
I feel like this is where I fell a little bit short in my description, because you don’t use a singular nonce for everything. It’s more that for every type of action you’d like to take, you should have a separate nonce available. That public-facing forum will have a nonce just to prevent someone else from submitting the form as them, whereas… and you will want to make that nonce available just on the main website. Whereas a form that only an administrator should be able to see to make plugin changes will also have a nonce that’s a very different nonce that should only be shown on that page that an administrator can access.

Ram Gall:
Yes?

Audience Question:
I have a plugin that doesn’t do anything on the front end and it… but your last point about user input has me thinking. It just checks for certain conditions and sends an email alert if that condition happens, but there’s an input box where the user can put in their own email. It doesn’t do anything to any of the standard WordPress settings, it doesn’t do anything on the front end, but could that still be used somehow …

Ram Gall:
The question is, if you have an email, if I’m correct, an email plugin that doesn’t have any user-facing interfaces, it’s going to be only administrative, but all it does is essentially check configuration information and send email. Well, if you don’t have access control, then an attacker could send the information to grab your site’s configuration information and send an email of your site’s configuration to themselves, and that depends on how sensitive that configuration information is. Like I said, configuration grabbing attacks are not as common, but if someone is specifically targeting your site, you really don’t want them to have that information. Also, they could potentially use that same functionality to send a bunch of emails to people who don’t want them and get your site’s IP on an email blacklist.

Audience Question:
Okay, thanks.

Ram Gall:
Any other questions? Oh, yes?

Audience Question:
I’ve asked this at several security talks. Even though I believe I follow best practices, I have questioned if there’s some sort of third party that could read my code and give me feedback. Do you know of any?

Ram Gall:
He is asking if… sorry?

Audience Question:
Yeah, security feedback is the main thing.

Ram Gall:
He’s asking if there’s any third party that will review your code and give you security feedback. From what I understand, there are a number of consultants that do offer this kind of service. Some of them use automation, some of them do manual review. I can’t give you any particular recommendations though. We do try to hunt for vulnerabilities in common open source plugins, but that is something that you can have done, yes.

Audience Question:
But no recommendations?

Ram Gall:
No recommendations at the moment.

Audience Question:
Every time I get recommendations it’s automation, and that’s not what I want.

Ram Gall:
Yeah. I mean, if you are going to have that, at least half the time, a vulnerability might not be obvious just from reading the code, which is, again, another reason why just having your plugin open source, which is a great thing, isn’t necessarily going to make it more or less vulnerable than having closed-source plugins.

Ram Gall:
I think we may be done. Last call?

[Applause.]

Kathy Zant:
We hope you enjoyed Ram’s talk and that you learned something about secure plugin development. If you’d like to get in touch with Ram, you can follow him on Twitter @RamuelGall. We’ll have a link to his Twitter profile in the show notes. And we will talk to you next time on Think Like a Hacker. Thanks for listening.

The post Episode 67: Avoiding Common Vulnerabilities When Developing WordPress Plugins appeared first on Wordfence.


Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX

It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeRex Addons and Theme Grill Demo Importer plugins. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe.

We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report.

At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn more about how she succeeds working remotely as a digital nomad.

Her talk starts at 19:13 if you’d like to skip ahead, though we recommend watching her talk on the YouTube video embedded below to see Chloe’s travel photos and audience interaction.

Here are timestamps for the audio if you would like to skip around:
4:27 Vulnerability in wpCentral Plugin Leads to Privilege Escalation
7:11 Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
10:00 What is a “Zero Day”
11:28 Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass
13:05 Keeping your WordPress installation clean
13:45 World Health Organization Warns of Coronavirus Phishing Attacks
16:28 Malwarebytes State of Malware 2020 Report
19:13 How to Succeed at Working Remotely as a Nomad – Chloe Chamberland’s talk at WordCamp Phoenix, video embedded below


You can find Chloe Chamberland on Twitter as @infosecChloe.


Transcript for Episode 66

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Kathy Zant, your host, and this is episode 66. So, we have a number of plugin vulnerabilities to discuss as well as audio from Chloe Chamberland’s talk at WordCamp Phoenix. Now, I interviewed Chloe a few weeks ago from a remote location in Alaska where she was seeing the Aurora Borealis as well as meeting a moose for the first time. At WordCamp Phoenix, she gave a presentation where she outlined what made her successful as a remote working digital nomad. Her talk was incredibly successful. I had a number of people come up to me after her talk saying how much they enjoyed it and the inspiration they got from Chloe’s talk. So, we hope you enjoy that.

Now, if you know someone that you think would make an interesting guest on Think Like a Hacker, please reach out to press@wordfence.com. We have a number of guests coming on the show in the next few weeks, but I want to hear from you. What are some of the challenges, some of the things you’re thinking about? What can we do to make your WordPress life easier? So press@wordfence.com, that comes to me and I will be in touch.

First of all, we have a new story about WordCamp Asia. Now, as many of you know, WordCamp Asia was canceled last week. The announcement came out, I think on February 11th, that it was canceled because of concerns in the region tied to the coronavirus. We did receive news that WordCamp Asia for 2021 has been scheduled. It is scheduled for January 2021.

Now, if you had a plan to go to WordCamp Asia and did not recoup all of your cancellation fees or found some financial hardship in this cancellation, there is a fund set up for some remuneration that could help you with that. That fund was started by Wordfence, and GoDaddy and Yoast also contributed. Now there are still funds available as a part of this assistance package. There is a process to go through in order to apply for assistance.

That is all detailed on the blog and I’ll have notes, links in the show notes.

We do have a number of plugin vulnerabilities to discuss today, but first I wanted to make a note, an editorial about plugin vulnerabilities and what it means for WordPress. Now there may be people out there that tell you “WordPress’s insecure, look at all the plugin vulnerabilities that exist.” I would take a contrary opinion to that primarily because the fact that WordPress is open-source means that plugin vulnerabilities, theme vulnerabilities, even vulnerabilities in core are disclosed, firewalled, patched much more quickly than a closed-source system might experience. So, the fact that we are seeing these vulnerabilities discussed and disclosed and firewalled is evidence that WordPress is secure and WordPress is secure more than I think other systems because of the community that’s associated with WordPress. It’s part of what makes WordPress unique. It’s part of what makes open source unique.

So don’t be afraid because you hear about plugin vulnerabilities and instead, feel empowered. Feel empowered by the fact that security researchers are poking at WordPress plugins. We are poking at WordPress core and themes and we are looking for vulnerabilities all of the time. This is just one way that WordPress and Wordfence and the other security researchers who are looking at vulnerabilities are working to keep your site, your business, and your assets as safe as possible.

So plugin vulnerability number one. This was published by Chloe Chamberland on February 17th. This was a vulnerability in the wpCentral plugin and this led to a privilege escalation. So, on February 13th, our threat intelligence team at Wordfence discovered a vulnerability in wpCentral. This was installed on over 60,000 sites at the time of our discovery. So wpCentral is a WordPress plugin. It’s designed to be used along with the wpCentral management dashboards. So this is another plugin that you plug into your WordPress site that allows you to basically manage WordPress through a different interface.

The software is designed to make site management easy and it has functionalities including automated sign-on with one click, as well as the ability to create backups, edit posts in their premium version and other things of that nature. So, this privilege escalation flaw allowed anyone that had an account on a WordPress site to basically escalate their privileges to that of an administrator, which is definitely problematic if you have a WordPress site that allows anyone to register. So if someone comes along and wants to register for updates and their level is a subscriber, they would then be able to escalate their privileges from a subscriber to an administrator, which of course, leads to a complete site takeover.

So of course, Chloe found this vulnerability, contacted the developer, and they made a number of changes to their plugin to ensure that their users are safe. We created a firewall rule to protect Wordfence premium customers and free users will receive that rule on March 15th.

And one note with this, even though we have a firewall rule in place to help protect our customers, it doesn’t completely protect against exploiting this vulnerability. So what’s really important if you’re using wpCentral to make sure that your site, your plugin is updated to the most recent version. You see, the problem is that exploitation and legitimate request via wpCentral look pretty much the same. So, if we’re going to block access to it being exploited, we would have to block legitimate requests as well. So, update your plugin.

The next vulnerability is a little scary. We heard about this actually from a customer, from a user who had seen some negative things happen on their site, and upon further investigation, we found that there was a zero-day vulnerability in a plugin called ThemeREX Addons, and that this is currently being exploited in the wild. We were seeing some REST endpoint usage that, because the REST-API endpoint was unprotected and improperly configured, we were seeing attackers actually adding malicious administrative users to sites that had this plugin installed.

So, we’ve investigated this and it appears that the REST-API endpoint within this plugin is unprotected and improperly configured. Attackers have already discovered this, and they are actively exploiting this on sites that are using this plugin. We estimate that there are probably about 44,000 sites that are using this plugin that are vulnerable. So we pushed out a firewall rule to premium customers. So they received that rule on February 18th at approximately 3:16 PM UTC to protect against this vulnerability being exploited. Free users will not receive this rule until March 19th. So if you are using this plugin, we are recommending at this point that you delete it from your site. Don’t just deactivate it, just delete it. It’s very good practice to remove any and all plugins that you don’t need on your WordPress sites if you’re not actively using them. And if you’re actively using this one, you obviously have to throw this in the balance.

What’s more important, keeping your site safe from intrusion or the functionality that you are receiving from this plugin? If the functionality is so great that you’re willing to take the risk, well that is your choice. If you positively need this functionality, now’s a good time to look at Wordfence premium because that’s going to protect you even though you’re using a vulnerable plugin. Now we don’t have a ton of data on who’s exploiting this vulnerability or what exactly they are doing other than the fact that we have seen suspicious administrative accounts on sites using this plugin. We will provide more details as they emerge. So if you’re unsure about this plugin and where it shows up, the plugin slug is “trx_addons.” So you would see that in your plugins directory.

So I guess now’s a good time to explain what a zero-day is. So a zero-day can be referring to a software vulnerability or it can be referring to an exploit. So it is a zero-day vulnerability or a zero-day exploit. So zero-day vulnerabilities refer to security holes in software. And now it could be in WordPress, it could be in your browser and could be in your phone. It refers to any vulnerability that exists in software. Now zero-days are not known to the software maker or to antivirus vendors. And so even though this vulnerability is not publicly known, it may be known to attackers who are quietly exploiting it, such is the case with this plugin. So think of a zero-day as basically an unlocked door, an open window, just a way into a system that attackers know about. As I’m sure you’re aware, zero-days are never any fun. You probably don’t discover that your software is vulnerable until you see exploits coming at it. And this is extraordinarily unfortunate when the users of your software are the ones experiencing the exploits.

Our final plugin vulnerability of this week was discovered by our friends at WebARX Security. They found a critical issue in ThemeGrill Demo Importer and this critical vulnerability led to database wipe and authorization bypass. So basically, it was allowing any authenticated user to get into a website, wipe the database, and basically become an administrator. At the time of discovery, this plugin had over 200,000 active installations and it was used to import official theme demo, content, widgets, and other theme settings with just a click. It was not required in order to use any of the ThemeGrill themes. It was just something that basically helped you get started. So it was not something that really needed to remain on a WordPress site. Yet many users, over 200,000 of them, had this installed. Now, after this vulnerability was disclosed, the install count dropped drastically. I guess people were saying, “Hey, I don’t really need this after all.” WebARX discovered this on February sixth and released a patch to all of their customers and reported that issue to the developer. And the developer published a new version which fixed the issue on February 16th.

So either update that plugin or if you’re not using it, just remove it from your site. Just another lesson in keeping your WordPress installations pretty tight and clean. If you are not using a theme, you should remove it. Don’t just deactivate it, actually remove it, delete it from the site. If you aren’t using a plugin, don’t just deactivate it. I have cleaned numerous sites that basically looked like the digital edition of Hoarders with hundreds of plugins installed and all deactivated and, of course, not updated. Really keep your WordPress installations updated and clean and of course, use Wordfence.

In non-WordPress security news, we have a couple of stories that I just wanted to bring to your attention. First of all, of course, there is fear in the world. Everyone is very concerned about the coronavirus, and phishing scammers see this as a perfect opportunity. Because when you are in a state of fear, you are apt to make decisions that you normally wouldn’t in your life. So phishing scammers are posing as the World Health Organization (WHO) and they’re trying to exploit coronavirus fears.

So, the WHO says that they are seeing offending emails, asking recipients to hand over sensitive information like usernames and passwords, and they’re including malicious links and attachments that are triggering installation of malware. Any time you see an email that is triggering fear, that is asking you to take immediate action or grave things are going to happen in your life, you need to take a step back from the computer and take a deep breath, and then maybe take another deep breath, and look carefully with a discerning eye at whatever is trying to trigger you into taking immediate action. Scammers prey on our fears and they prey on our fear of missing out, our fear of loss. And it’s just extraordinarily unfortunate as we are all dealing with this crisis that scammers are stepping up to the plate and taking a swing. But hackers gonna hack and scammers gonna scam, and it’s just up to us to remain vigilant. And it’s important for us to not just remain vigilant for ourselves and for our family, but for our community as a whole.

Spread the word, educate older people who are often victims of scams like this, let them know what phishing is. Let them know how phishing works and let them know how scammers work. And it’s not just happening in emails, I’m sure. I’m sure it’s happening via telephone, via text, and it’s important for us to educate everyone we can so that everyone can stay safe. When everyone’s safe, it takes away the financial incentive that scammers and hackers have because we are on to them. Scammers and hackers and even spammers wouldn’t do what they do if it wasn’t profitable. So by reducing the surface area of their profitability, by keeping our communities safe, we make the world safer for everyone.

And in our final story, Malwarebytes Labs released their State of Malware report for 2020 last week. They took a look at the threats to both Mac and Windows/PC, the TL;DR or the too long/didn’t read, of this entire thing, is that malware and hackers and scammers and everyone we’re fighting against are becoming increasingly sophisticated.

What does that mean to you and me? It means that our defenses need to become increasingly sophisticated. So, I’m a Mac user, and I remember a time not long ago when Mac users were able to say, “Well, we don’t get malware because all of the malware is on Windows.” In 2020, Malwarebytes is reporting that Mac threats increased exponentially in comparison to those against Windows. Now, something to consider is that more Mac users are using Malwarebytes, so of course, they [Malwarebytes] are seeing more malware. When calculated in threats per endpoint, Mac still outpaced Windows, however, by nearly two to one. So maybe, I need to apologize to all my Windows-using friends. Another takeaway from this report is that if you are working in the enterprise, the volume of global threats against business endpoints has increased 13% year over year, with aggressive adware, Trojans and HackTools leading the path.

Organizations are being hammered with Emotet and TrickBot, two Trojans turned botnets that surfaced as top five threats for nearly every region of the globe. TrickBot detections in particular had increased more than 50% over the previous year. I’ll have a link to the full report. The biggest takeaway I think just looking at the state of computing right now is that it is incredibly important for us to stay on the front lines, to stay informed. Education is the number one tool in staying secure. If you know what the hackers are up to, it is incredibly easy to stay protected. If you are unaware of how malware works, of how hackers work, how scammers and spammers and phishers and all of these bad guys are operating, this is when you are caught by surprise.

So, we are here to ensure that you are aware of what they’re up to so that you can protect the things and the people and the websites of course that are most important to you. That is the news for this week.

Up next is Chloe Chamberland at WordCamp Phoenix. We hope you enjoy this [talk]. You can also watch the full [talk]; it is released on our YouTube channel with all of Chloe’s slides. This is a good one to watch actually because you can see all of Chloe’s amazing pictures of all the places that she has been fighting the bad guys and helping customers recover from those attacks. She has been to some pretty amazing places. So thanks for listening and we will talk to you soon.

Chloe Chamberland:
So, who am I? I am a threat analyst at Wordfence. I go on the hunt for vulnerabilities and things inside of plugins and themes, and I have worked in multiple roles there. So I used to be a site cleaner, so I would clean hacked sites and work with customers for that. And I used to be a customer service engineer, and so I was heavily [involved] or helping customers. And I did all three of these roles while traveling. So I think you can handle just about any role working remotely, and I highly recommend doing so. And I like to say I have two passions. I love security and I love traveling and I get to do both and it just makes me really happy and excited and hopefully I can inspire you to start traveling while you’re doing it or give you some tips if you already do.

I never really decided, I want to just go travel and work at the same time. It just kind of happened naturally. So I never really did any research. And so today I’m going to share with you some of the things that I learned from it and share with you some of the experiences I’ve had, and see why you might want to do it. So where I’ve been, I’ve been kind of around the world a little bit. I’ve been to China, Japan, London, Barcelona, Italy, a bunch of places in the States, a bunch of places in the Caribbean, a bunch of places in Canada. Last year, I spent 150 days away from home and this year my goal is 220 days away from home. And I’m hoping eventually I can go fully remote, like three months at different places all year long. I just have cats, and I need to figure out a way to get them to come with me because I love them so much.

Okay, so why travel when working? I feel like there’s kind of this connotation that when you’re traveling, you’re on vacation almost, but it’s not like that at all. It’s totally different. You’re traveling. It’s not always peachy and easy and it’s a challenge, but I genuinely think it’s so worth it. And I think if you’re at home working and you don’t have anything to do after work or things like that, why not be somewhere else in the world and be somewhere where you can explore at the end of your work day?

And so that brings me to travel is worth it. I have this quote from Anthony Bourdain that I just wanted to read. “Travel isn’t always pretty, it isn’t always comfortable. Sometimes it hurts. It even breaks your heart but that’s okay. The journey changes you, it should change you. It leaves marks on your memory, on your consciousness, on your heart, and on your body. You take something with you, hopefully you leave something good behind.”

And I think this applies both to working while you’re traveling and just traveling in general. It’s not always going to be easy. It’s not always going to be pretty. You’re going to see different things that are going to open your perspective and change your mind, but it is so worth it and it makes you a better person every single day and it makes you appreciate a lot of things in life more. So, one of the first main points is you’re going to have beautiful experiences. You’re going to see different places, you’re going to try different foods, you’re going to meet amazing people. And I’m about to start crying.

So, when I went to Japan we were standing in the subway just like trying to figure out where to go. We knew where we were going. We were just kind of indecisive and these two boys just came up to us and were like, “Do you need help? Do you know where you need to go?” And genuinely touched me so much that these people cared to help and same thing happened in Vancouver. We were lost, and someone came up to help. And I love interacting with these people that are just so willing to help and you get to experience these different cultures and you get to see these amazing things and I think that definitely makes travel while you’re working completely worth it even though there’s challenges. Which brings me to my next point is you’re going to have difficult challenges and you’re probably wondering why I would put this as why do you want to travel and work at the same time? But I’ll get to that in a second.

So you’re going to experience things like not having your VPN work when you need it to work. And that’s something I experienced in China. I didn’t plan, I obviously didn’t do any research and when I got there my VPN didn’t work and I need my VPN to do my job. So I just ended up having to take the whole week off which kind of sucked because I like to keep working and saved my PTO. And then you’re going to have challenges like wifi not working and you’re going to have just general travel challenges which is being in a different place after spending 36 hours on a plane. You were working on the plane, you could barely sleep. I have problems sleeping on planes. But with those difficult challenges and those beautiful experiences, you’re going to have personal growth. You’re going to grow as a person.

I personally have very bad anxiety, which has gotten so much better since I started traveling. I don’t do well in crowded spaces or things like that, but as I’ve traveled more and experienced different things and grown from these experiences, I have become less anxious of a person. And you can also just grow in the mindset. You can open your mind so much more and be more appreciative of everything in life. Which brings me to my next point is you’re going to have a lot more positive energy and happiness. I’ve been through things traveling and you would too probably that would be challenging at the time. But you learn from those experiences and eventually things aren’t as bad as they were when you first started. You’re going to be more positive, you’re going to have a better outlook on things in certain situations and things that were bad, weren’t. And then with happiness, I am personally really happy because I travel all the time. I got to see a moose last week in Alaska, and I almost cried.

I feel like I get to be happy almost every single day. I mean obviously not every single day, but I definitely think that traveling has generally made me a happier person. And then for me, since I love my job so much, I feel like traveling helps me have a better work-life balance. So if I’m at home, I can sit on the computer all day just because I love my job, and I don’t want to disconnect from it. But when I’m traveling, I have that ability to disconnect cause I have something else that I love that I want to go do and I want to go explore. And I think if you have that same passion for your work, you might also have that same issue. So traveling might help you break away from working all the time, every day.

And then, where to begin? So you want to become a remote traveling worker and you don’t know where to start. Well, hello, hello. Okay. First things first, if you get a remote job if you don’t already have one or if you work for a company, you can try talking to them and seeing if they’d be willing to work out like you traveling for a little bit at a time and things like that. There’s so many great options. We’re obviously at a WordCamp, and so you can develop plugins, you can become a blogger, you can do so many different things. There’s so much freedom with WordPress and I think that’s how we all can have the ability to work remotely and then travel while doing so.

And then this one is make sure you’re prepared for your first trip if you haven’t done one yet. More so mentally. Things aren’t going to be perfect and you need to understand that things will go wrong and things are going to be frustrating. And just make sure you’re ready for that, and make sure you’re ready for things to go wrong. And I think that’s where you should be prepared, and you should plan like I never did.

And so then you’re going to want to plan your first remote work trip. My first trip was to Vancouver, it was a couple of weeks after I started at Wordfence, and I missed a meeting because they said I didn’t have to go to all the meetings, and I shouldn’t have done that. And I learned from that. And so with that trip I was on a boat for a couple of days and then in the Vancouver Harbor, I want to call it, I don’t know. But the first night we got there it was raining, and it was after a long flight and we took a dinghy out to get to the boat and it wasn’t the best. But then the second night it was great.

And so for your first trip I suggest doing a small little thing that is really memorable and then for the next few days, make sure you’re working while you’re there and seeing how it kind of flows. So when I travel now, I mostly do my things on the weekend, and I work during the week and just kind of get a feel for how that’s going to go for you.

And then I want to recommend starting small and gradually increasing your trip length. So don’t decide, oh, I’m going to go travel forever and find out you don’t like it just a couple of weeks into it. So I recommend starting smaller and then gradually increasing your trip lengths as you go. That’s how I kind of did it. I live in Florida, so I made little trips to Disney and St. Augustine and things like that. And it just kind of grew and grew over time. And last year I did two months away from home. And this year I have a few trips planned where it’s a month away and then I come back for a month.

And then once you have a feel for it and you decide that you do like it, I recommend determining how long you want to stay at places. I kind of figured out that a week isn’t really enough for me and I want to start staying at places for like a month at a time so I can kind of immerse myself a little bit better. Because when you’re working every day you don’t have as much time as if you’re just going to one destination. So I highly recommend staying longer, but figure out what works best for you. So my best single piece of advice is going to be to plan. That’s what I never did, and I think that would have saved me from so many different sticky situations that I had.

Determine your comfort zone. So, in that photo there’s a little outhouse. This is where I stayed in Alaska. It’s negative 30 degrees (Fahrenheit) there and I had to go to the bathroom in the outhouse and I was not okay with it at the start. But I actually enjoyed it, it’s nice, you have the birds chirping outside. And it wasn’t in my comfort zone before, but it’s in my comfort zone now. And so kind of figure out what your comfort zone is and then make sure you adapt with that over time. Figure out what kind of places you want to stay at, where you want to be. Do you want to be in places with lots of people? Are you going to be in places with little bits of people. And do you want to have fast working wifi all the time or are you comfortable working on one megabit per second? And kind of figure out what you’re comfortable with.

So, my second piece of advice is to budget accordingly. On my two month trip last year I was supposed to go to Paris at the end of it. I had flights booked and everything, but I ran out of money so I had to fly back home and that kind of sucked because I really wanted to go to Paris. But the lesson was learned there. Make sure you have enough money, budget accordingly. Make sure you say, “Okay, I’ll spend this much on food tonight. I’ll do that tomorrow.” I’m kind of in this place where I cook every night and then like do one night out at a nice place or do snacks here and there so I can try to taste all the different places. It’s important to consider accommodations, food and everything and your flights and make sure you budget accordingly.

Determine your workspace requirements. This is my boyfriend, we were at the Shanghai airport and that’s our makeshift desk because there was no tables or chairs available. Two luggages stacked on top of each other. And then our carry-on bags were our chairs. So you kind of want to determine are you comfortable working in a bed? Are you comfortable working at a desk? Do you need a co-working space? Do you need these certain things? And then you’ll also want to take that into account when you plan where you go and your budget. So if you want to go to somewhere, you’ve just got to make sure that they have your workspace requirements ready for you.

And then work out your work requirements. Like do they require you to use a VPN? Do they require you to do full disk encryption? Do they require you to not go to certain places? And I also would like to recommend that talk to them and let them know when you’re going to be places and if you work for yourself, this is not relevant. But if you do work for a company, make sure you let them know where you’re going. That way if you have any hiccups like I did, then they are already informed, and they’re going to be willing to help you and work things out with you. And then set your schedule accordingly.

There’s different time zones everywhere and if you’re on one side of the world and you work for a company and they’re on the other side of the world, or you’re a freelancer and you work with clients and they’re on one side of the world and you’re on the other, you need to make sure you’re setting your schedule accordingly and making sure you’re going to be available for anybody that might need you at work. When I went to China, my plan was to work from eight to 12 in the morning and then eight to 12 at night and then get my rest and do things during the day in that eight hour chunk. And well I ended up not being able to work. But that was my plan and I think you should set schedules in advance and then try and work with those when you’re in the place.

Now, always remember that things will not always be perfect, like ever. Hiccups are always going to happen. I don’t want to say never going to go as planned, but it probably isn’t going to go as planned a lot of the times. And so you just got to keep that in mind. And you got to take things slow and absorb everything. You got to make sure that even though things aren’t always perfect, you want to make sure that you’re still enjoying every little thing. So when I went on a Norwegian fjord cruise, my wifi cut out halfway through the fjords and I was pretty bummed about it, but I was like, “You know what? I’m in Norway, I got to just breathe, I can’t get my work done, it’s not going to be a problem.” And so you got to make sure that you remembered to take everything in even though work things might not go as planned. Because you can always work and make up your work. It’s not always guaranteed that you’re going to go back to a certain place that you’ve been or experience one particular moment that you’re in.

And then document everything. Make sure you take a lot of photos, make sure you take a lot of videos, write down notes. I think this is really important because once you’ve gone to a lot of places, you might start slowly forgetting certain things and then when you have these photos to come back to, you’ll be like, “Wow, I totally forgot about this. But I really loved it.” And I’ve had that happen multiple times and I think it’s very important to document everything. And then consider private journaling or blogging. We have WordPress, we can make blogs and we can share our stories with everyone. That’s something I’m personally trying to work on now is coming up with a blog and I’m trying to share my stories with other people. Because I have something to learn from you and you have something to learn from me, hopefully. Maybe. Yeah. So I like to share what I’ve learned and things and I think it’d be great if everybody shared everything that they learned. Because then everybody would not know everything.

And then I have some helpful resources for success. So this is a program called Remote Year. They provide, I think I want to say 3, 6, and 12 month programs. And they take care of your travel and accommodations and things like that. I think it’s five grand for a down payment and then two grand a month.

This is if you want to work and not have to worry about any of the travel planning. My favorite part is the travel planning, so I like the flexibility and freedom and finding good deals and things like that. So this isn’t for me, but it definitely can help you out if you don’t want to have that headache.

And then workingnomads.com is a place where you can find remote jobs if you don’t already have one. I like that the first three were WordPress because Automattic is a fully remote company as is Wordfence and a lot of other plug-in companies, and WordPress hosting companies.

Okay, and then I wanted to show you this one, Nomad List. It’s a really awesome resource and it can help you plan where you’re going to go. So let’s say you want to stay somewhere where the internet speed is higher, you can select internet speed right here, and then you can scroll down and you can see a lot of places that have higher internet speeds if that’s a requirement for you.

And then you can see the cost of living, you can see a cost of living for family, you can go to the scores, you can see the nomad scores, internet speed, humidity, walkability, all sorts of helpful resources for you to decide where you want to go on your trip.

Audience question:
Can you put up that last website you mentioned and the name of it again?

Chloe:
This one? Working Nomads.

Audience question:
No, the one you just finished.

Chloe:
Nomad List?

Audience question:
Yes. Thank you.

Chloe:
Yeah. And then I like to recommend Airbnb for accommodations and you can find really good bargains on there. In Thailand, you can stay there for $300 a month, which is on my list of places to go, and so you can find really reasonable places. And if you’re going to be traveling and you want to keep your house and you’re comfortable letting people into your home, you might want to consider Airbnb-ing out your house. You don’t have to do that obviously, but you can consider doing it. I personally do it and it helps me travel more, so I definitely recommend looking into that if it’s an option for you.

And then, because I’m a security professional, I just wanted to throw some security tips at you for while you’re traveling. Use a VPN wherever you go. If you’re going to be working in coffee shops and in public spaces, you want to use a VPN to make sure that your traffic is going to be encrypted when it’s running through the web. And make sure that nobody can eavesdrop on your traffic and steal work data or anything like that.

I recommend using a password manager and an authenticator app. Make sure you have one that’s going to be compatible with your phone and your computer. There’s LastPass, 1Password. Those are the two that come to my mind. Use an authenticator app that works offline.

Don’t use SMS. SMS isn’t secured, kind of. So use an authenticator app because if you go on a cruise like I do, you don’t have … I don’t pay for Wi-Fi on more than one device so I can only have one device logged in at a time. And having an authenticator app that works offline allows me to do that and log into my sites without having any issues.

And then use full disk encryption. If your devices are ever stolen, people won’t be able to steal the information off of your devices. And if you’re storing work data on there, this is pretty important because you don’t want someone to get ahold of any secret information.

Disable Bluetooth when not in use because if you’re working in public spaces and you have Bluetooth enabled, people can actually intercept the session and get access to your phone and things like that. And you don’t want that to happen, especially if you’re dealing with work.

And then be aware of your surroundings. Consider getting a privacy screen on your computer. If you work on airplanes and things like that and coffee shops, you don’t want people to be able to look at your screen and see what you’re doing. I work on airplanes a lot of the time. And I need to get a privacy screen and things like that as I start traveling more, and it’s definitely something you should consider. And just generally be aware of your surroundings, and seeing if anybody’s trying to look at your computer or things like that.

Then thank you. You can find me on Twitter @infosecchloe. You can email me at chloe[at]wordfence.com if you have any questions. And, again, my slides are available at chloechamberland.com/wordcampPhoenix. And now I’m happy to take any of your questions.

Chloe:
Yes?

Audience question:
What do you recommend for a VPN?

Chloe:
What do I recommend for a VPN? I use PIA. There’s several different options, though, so I recommend just looking up the best VPN options and then looking at some of the reviews of the top few and then seeing what works best for you.

Chloe:
Yes?

Audience question:
How do you pay for [inaudible] cash or do you just pay with credit card?

Chloe:
What was the question? It is how do you deal with different currencies at different locations?

Audience question:
Yeah.

Chloe:
I use credit cards and then sometimes I take out cash. I have a zero … I have a fully online banking company that does zero charges on ATM withdrawals and foreign transaction fees. So that’s definitely the way to go.

Audience question:
Can I ask what bank that is?

Chloe:
Yeah.

Audience question:
What bank is that?

Chloe:
Oh, what bank? I use Bank of the Internet.

Audience question:
Bank of the Internet.

Chloe:
Yeah. Oh, sorry. It’s called Axos now. Yeah, they changed the name.

Audience question:
What did you do with the cats? What did you decide?

Chloe:
What did I do with the cats? They’re at home, and my boyfriend’s mom watches them for us every time we go. I need to get them to come with us.

Audience question:
What do you do about a hot spot or cellular Wi-Fi access?

Chloe:
What do I do about a hotspot or cellular Wi-Fi access? I currently don’t have a hotspot yet, but that’s something I’m looking into right now. I usually just use my phone in the U.S. as a hotspot. But my cell phone, I have T-Mobile and it works in just about every country out there. So that’s what I do for my cell phone.

Audience question:
And when you said you were working with clients, how are you communicating with them? What app or resource are you using?

Chloe:
Yeah, so at work, we use a ticket manager system, because I was dealing with customer service regarding plugins and things.

Audience question:
… calls with them or anything?

Chloe:
No, no calls. It was fully online. Yeah. Any other questions? Yes?

Audience question:
What’s the longest trip you’ve taken?

Chloe:
The longest trip I have taken was two months long. Yeah. I’m hoping to go fully remote eventually.

Audience question:
Where to?

Chloe:
That was the one to … So we took a cruise to London and then we had to fly back to do something real quick. And then we flew back to London, took a cruise to the Norwegian fjords, and then we flew to Italy from there, spent a few nights in Rome, then went to Venice, and then we flew from Venice to China and stayed in Beijing for a few nights, and then we took a cruise to Japan, went around Japan a little bit, and then Japan back to China, went to Shanghai, went to Disney a little bit, and then that’s when we had to fly back home. So we went to Seattle, stayed there for a couple of nights, and then flew back to Florida. Yeah, it was fun.

Audience question:
So with your current job, is it project based where you can kind of go on whenever you want as long as you do 40 hours a week? Or do you have to log in at certain times just with the time zone difference. I’m curious.

Chloe:
Yeah. So my work is pretty flexible. I don’t have to deal with customers as much anymore. I do have core hours, but it’s only like a four hour time period. And the people I work with are so flexible that it’s not that big of a deal to have to be there as long as I communicate with them and let them know, “Hey, I’m going to China. The time zone’s 12 hours different,” and they’re really flexible working with me. Yeah.

Chloe:
Yes?

Audience question:
How do you keep yourself focused on your work and not get distracted by other things when you’re working?

Chloe:
So how do I keep myself focused and when I’m traveling? I love my job. I really do. So that really helps me sit down and get my work done. I get to go hunting for vulnerabilities and plugins and things. I have free rein to just explore. I absolutely love it. And so that’s kind of what keeps me settled in.

And so if you’re planning on going remote and working and things like that, find something you love to do. It’ll help you.

Chloe:
Yes?

Audience question:
You mentioned Airbnb. Were there any other resources you use to find lodging?

Chloe:
Yeah. So I mentioned Airbnb. Are there any other resources? There’s Vrbo. Hotels are always an option. I generally stick to Airbnb. That’s just my favorite platform to use and it’s really easy and I can always find cheap things for wherever I need to go. So that’s my main one.

Audience question:
The one time I’ve used Airbnb, I had a rude shock because it wasn’t what it was advertised as. …

Chloe:
I haven’t had that happen. I’ve stayed at several Airbnbs. But that can happen. You have hosts opening their homes. It can take … Actually, I did. Okay. So I just remembered. So when I went to Vancouver on that boat, there were these pictures of this really nice boat, clean, had like a nice table and everything. And I got on it and it was raining and everything and the boat was not what it pictured at all. The bathroom was really small and there was no area to sit. It was just a bed that was damp and cold, and not like the photos at all.

Chloe:
But I still like Airbnb and I gave it another shot, and I’m actually staying at one down the street and it’s nice, and it’s nice to have a kitchen and things like that with it.

Audience question:
You’ve found that it’s generally honest?

Chloe:
Yeah, it’s generally honest. Yeah, yeah.

Audience question:
Do you mind if I add to that question, too?

Chloe:
Yeah, of course.

Audience question:
So another cool way to travel, if you’re looking for lodging options or alternatives, you can do house or pet sitting in different countries and so you stay at that house for free. Sometimes they’ll even pay you or leave food in the house for you. So if you’re going to be working remotely, you can stay at someone else’s house, maybe just pet their cat every few hours and make sure it has food and get free rent. So that’s another idea.

Audience question:
That’s nice. Thank you.

Audience question:
Yeah.

Chloe:
Yeah, I know exactly what you’re talking about because I looked into that. I don’t remember the name of it, though.

Chloe:
Yeah?

Audience question:
Do you ever hire a local to be a guide for language purposes?

Chloe:
Do I ever hire a local to be a guide for language purposes? Not right now. I haven’t really gone to anywhere yet that’s been like too drastically different where I required that, but I’m going to Morocco next month and I was going to hire a guide for a day. It’s actually really reasonably priced there, and so that’s somewhere I’m going to do it.

Audience question:
And how do you find them?

Chloe:
Airbnb. They actually have experiences now and so that’s where I’m going to test this out and see how it goes.

Chloe:
Any other questions?

Audience question:
Where are you going in Morocco?

Chloe:
I’m going to Marrakesh.

Audience question:
You going to go to Chefchaouen?

Chloe:
What’s that?

Audience question:
You going to go to Chefchaouen?

Chloe:
No. What’s that?

Audience question:
The Blue City. It’s [inaudible 00:47:46] one of the Atlas Mountains.

Chloe:
Okay. I’ll look into that. Thank you.

Audience question:
Have a nice trip.

Audience question:
Where all are you going on your next trip?

Chloe:
So next month I am going on a transatlantic cruise. I’m going to get dropped off in Barcelona where I fly to Morocco and then I’m going to spend a week in Marrakesh and then I’m going to fly to Sweden, spend a week there. I’m going to come home. I’m going to be there for two weeks and then I’m going to take another cruise that drops me off in London, fly back from there. And then the next month, I go off to Japan, which I’m really, really excited to go back to. I’m going to be there for a week and a half, do another cruise, a transPacific that takes me over to Vancouver, and then I’m going to fly home.

And then I have some more trips planned towards the end of the year, another couple of cruises in Japan. And then at the end of the year, I really want to go to Europe for a month and see all the Christmas markets in December.

Audience question:
I know cruise internet is often slow and expensive. What do you do for that?

Chloe:
Yeah, it is really slow. What I do is I just kind of account for that and spend a little bit of extra time each day. And I stick to one cruise line, Royal Caribbean, because they have the cheapest Wi-Fi, so that’s how I make that work.

Chloe:
Any other questions? Yes?

Audience question:
You seem to be traveling quite a bit. Is it by choice or is it because your employer requires you to be at the location?

Chloe:
Is it by choice or is it because my employer requires me to be anywhere? It’s completely by choice. I choose to do this all the time and I really enjoy doing it.

Audience question:
I remember doing a lot of work for customers in California. And then when I moved out here to Tucson, to Arizona, I found that we worked together for a while, but after six months of not being in contact with them face to face, they started losing interest in and then going elsewhere to somebody else that they develop a relationship with. How do you keep the relationships going when you’re not there?

Chloe:
So I work for a company, and they’re just fully remote, and so all of our communication is done through the ticketing platform. And I’m not sure why they haven’t lost touch. It’s not like we provide like a long-term service to our customers. It’s more of like one time kind of thing.

So like when we clean a hacked site, it’s going to happen one time, so I would communicate with them for a day as I clean their site, and they would go about their way. And if they ever had any problems, they would just come back to us and we could help them out there.

Specifically speaking towards keeping relationships, I could recommend a conference calling. Did you do that? Like face-to-face on Zoom.

Chloe:
We do that now.

Chloe:
Yeah? Okay.

Audience question:
And you don’t have trouble with connectivity with the Zoom call or something like that?

Chloe:
No, I’ve been able to handle my meetings and things like that just fine wherever I’ve been.

Audience question:
Was the question about …

Chloe:
Communicating with customers. Yeah.

Audience question:
Yeah. …

Chloe:
Yeah, yeah. Mark’s back there. He can definitely help you with that. He’s the CEO of Wordfence and knows how things run. All right.

Audience question:
Are you going to any WordCamps?

Chloe:
I’m going to WordCamp Miami at the end of this month, and then from there I’m not sure yet, but I’m sure I’ll be at more.

Audience question:
Awesome.

Chloe:
Any other questions?

Audience question:
If there are any apps that are helpful for traveling?

Chloe:
Any blogs?

Audience question:
Apps.

Chloe:
Apps? I personally don’t use any so I couldn’t give you any right now, but I definitely need to look into some that can help manage my travel a little bit better. I just haven’t had time to fully dive into that.

Audience question:
When is your blog starting?

Chloe:
When is my blog starting? Yeah, so my website is chloechamberland.com and I’m hoping to start writing posts for that, and I’m trying to share everything I’ve learned and hopefully give tips and things like that so it makes it easier on other people, and maybe people will comment and give me their advice, too, because I’m always welcome to learning more things.

Any other questions? All right. Thank you guys so much.

Kathy Zant:
Thank you for listening to Think Like a Hacker episode 66. We hope you enjoyed it. If you’d like to follow Chloe, she is @InfoSecChloe on Twitter. You can follow me @KathyZant on Twitter. You can also follow the @Wordfence account with all the latest news about WordPress and security.

And we’d love to hear from you. If there’s someone you’d like us to talk to as an interview subject or if there is a topic you’d like us to explore more in depth on Think Like a Hacker, we’d love to hear from you. press@wordfence.com comes straight to me, and I can make those dreams come true.

Thanks again for listening and we will be back again next week. If you’re going to be at WordCamp Miami, please do find me. Say hi. I love to hear from people who are listening to the podcast. We’ll talk to you soon.

The post Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX appeared first on Wordfence.


Episode 65: WordCamp Asia Cancellation Prompts Community Support

WordCamp Asia was cancelled this week due to concerns of COVID-19/coronavirus in the region. This week, Wordfence CEO Mark Maunder talks about the decision to offer the WordCamp Asia Cancellation Fee Assistance Package to attendees, volunteers, organizers, and speakers that had planned to travel to this inaugural regional WordCamp.

We also cover a number of WordPress plugin vulnerabilities disclosed this week affecting hundreds of thousands of sites, and over 500 malicious Chrome extensions removed from the Chrome Web Store affecting millions of browsers worldwide.

Here are timestamps and links in case you’d like to jump around:

2:13 Event Manager plugin vulnerability disclosed affecting over 100,000 sites
2:44 GDPR Cookie Consent plugin improper access controls affecting over 700,000 sites
3:44 Profile Builder plugin vulnerability allowed site takeover affecting 65,000 sites
4:49 Google Chrome web store removes 500 malicious extensions affecting millions of browsers.
7:14 Interview with Mark Maunder about WordCamp Asia cancellation, the COVID-19 virus concerns, and the WordCamp Asia Cancellation Fee Assistance Package from Wordfence, GoDaddy, and Yoast.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Have a story you’d like us to cover? Contact us at press AT wordfence [dot] com.

A transcript for Think Like a Hacker episode 65 is forthcoming.

The post Episode 65: WordCamp Asia Cancellation Prompts Community Support appeared first on Wordfence.
