WEBVTT

00:00:00.731 --> 00:00:02.412 Hey, welcome back to Community & Code. 00:00:02.912 --> 00:00:04.053 I'm your host, Chris Reynolds. 00:00:04.773 --> 00:00:06.754 And have you ever talked to a real 00:00:06.774 --> 00:00:07.495 live hacker? 00:00:08.515 --> 00:00:09.296 When I was a teenager, 00:00:09.356 --> 00:00:11.017 I loved reading articles about the early 00:00:11.057 --> 00:00:11.777 days of hacking, 00:00:12.258 --> 00:00:13.478 even when I was just a little bit 00:00:13.498 --> 00:00:14.739 too late and maybe a little too 00:00:14.799 --> 00:00:16.420 intimidated to try most of the actual 00:00:16.460 --> 00:00:17.301 techniques myself. 00:00:17.789 --> 00:00:19.631 Still the terms war-driving and 00:00:19.691 --> 00:00:22.253 phone-phreaking ring in my ears with a 00:00:22.293 --> 00:00:23.614 nostalgia for the wild, 00:00:23.795 --> 00:00:25.301 weird days of the early internet. 00:00:25.301 --> 00:00:28.308 start in 00:00:29.168 --> 00:00:30.890 information security as a result of 00:00:30.950 --> 00:00:32.552 following in the footsteps of the 00:00:32.612 --> 00:00:34.553 legendary early pioneers of computer 00:00:34.573 --> 00:00:34.874 hacking. 00:00:36.062 --> 00:00:37.323 His current company, Melapress, 00:00:37.383 --> 00:00:39.224 pays homage to his Maltese heritage. 00:00:39.644 --> 00:00:43.406 Mela can mean yes, no, and maybe, 00:00:43.486 --> 00:00:44.687 depending on the context. 00:00:45.127 --> 00:00:46.668 And its founder, Robert Abela, 00:00:47.108 --> 00:00:48.929 shares a name with the Prime Minister of 00:00:48.969 --> 00:00:49.329 Malta, 00:00:49.710 --> 00:00:51.811 which means he occasionally catches strays 00:00:51.851 --> 00:00:54.112 from CNN or the BBC on X for 00:00:54.172 --> 00:00:55.873 things that he distinctly did not do. 
00:00:57.014 --> 00:00:58.134 We talk about Melapress, 00:00:58.174 --> 00:01:00.255 which focuses on security plugins that 00:01:00.295 --> 00:01:02.255 complement the other solutions that are 00:01:02.315 --> 00:01:04.136 out there, things like activity logs, 00:01:04.176 --> 00:01:06.456 two-factor auth, and login policies. 00:01:07.016 --> 00:01:08.757 And we talk about what security actually 00:01:08.797 --> 00:01:11.637 looks like for WordPress when it occupies 00:01:11.717 --> 00:01:13.818 forty-three percent of the web. 00:01:13.838 --> 00:01:15.758 Who's really responsible when things go 00:01:15.798 --> 00:01:16.178 wrong, 00:01:16.538 --> 00:01:18.419 how AI is making phishing attacks more 00:01:18.439 --> 00:01:19.359 convincing than ever, 00:01:19.779 --> 00:01:21.519 and whether the WordPress.org plugin 00:01:21.539 --> 00:01:23.760 repository has kept pace with the platform 00:01:23.780 --> 00:01:24.400 that it serves. 00:01:25.516 --> 00:01:27.596 Without further ado, Robert Abela. 00:01:47.680 --> 00:01:48.862 Welcome to Community & Code, 00:01:48.902 --> 00:01:50.706 the podcast where we talk to the human 00:01:50.746 --> 00:01:52.148 beings behind the commits. 00:01:52.549 --> 00:01:54.733 I'm here today with Robert Abela, 00:01:54.954 --> 00:01:57.397 the CEO and founder of Melapress. 00:01:57.797 --> 00:01:58.159 Robert, 00:01:58.378 --> 00:01:59.500 welcome to the show and tell us about 00:01:59.521 --> 00:01:59.781 yourself. 00:02:00.791 --> 00:02:02.893 Thank you very much for having me, for 00:02:02.932 --> 00:02:03.472 the invite. 00:02:04.173 --> 00:02:04.574 Yeah, 00:02:04.693 --> 00:02:06.695 a bit about myself as a person, 00:02:07.714 --> 00:02:09.175 not the professional life. 00:02:09.295 --> 00:02:09.955 I'm Maltese. 00:02:10.236 --> 00:02:11.277 I'm originally from Malta. 00:02:12.077 --> 00:02:12.937 I live in the Netherlands. 
00:02:12.996 --> 00:02:14.737 I've been living in the Netherlands for 00:02:14.757 --> 00:02:15.699 the last seven years. 00:02:15.998 --> 00:02:17.518 I've lived in a number of countries in 00:02:17.620 --> 00:02:17.940 Europe. 00:02:17.959 --> 00:02:19.300 I'm married. 00:02:19.339 --> 00:02:20.020 I have two children. 00:02:20.480 --> 00:02:21.380 And basically, 00:02:21.541 --> 00:02:24.543 WordPress years ago was my hobby. 00:02:24.602 --> 00:02:26.803 And now it became my full-time thing the 00:02:26.824 --> 00:02:27.364 last few years. 00:02:28.394 --> 00:02:28.535 Well, 00:02:28.955 --> 00:02:31.757 I want to talk about what you do, 00:02:31.778 --> 00:02:33.038 but before you even get into that, 00:02:33.199 --> 00:02:36.342 I was looking at the website for Melapress 00:02:36.422 --> 00:02:38.684 and I feel like I want to give 00:02:38.705 --> 00:02:40.505 you the opportunity to talk about the name 00:02:40.525 --> 00:02:42.147 because there's a whole page that's about 00:02:43.269 --> 00:02:44.510 the name Melapress. 00:02:44.989 --> 00:02:48.894 What is the vibe of Melapress just as 00:02:48.934 --> 00:02:49.354 a company, 00:02:49.373 --> 00:02:50.915 but also where does the name come from? 00:02:51.901 --> 00:02:52.180 Very good. 00:02:52.821 --> 00:02:53.463 Originally, 00:02:53.582 --> 00:02:56.266 the name was WP White Security because we 00:02:56.305 --> 00:02:58.829 develop a number of security plugins. 00:02:59.309 --> 00:03:01.433 However, we don't develop the typical, 00:03:01.452 --> 00:03:03.034 you know, like firewall and the malware, 00:03:03.055 --> 00:03:03.174 etc. 00:03:03.255 --> 00:03:05.618 We develop like logs, two-factor authentication, 00:03:05.657 --> 00:03:07.299 hardening and similar stuff. 00:03:07.799 --> 00:03:10.023 So whenever we started... 
00:03:10.883 --> 00:03:13.284 sponsoring WordCamps and similar stuff, a 00:03:13.305 --> 00:03:14.525 lot of people were coming up to us, 00:03:14.805 --> 00:03:15.966 especially those who don't know about us, 00:03:15.986 --> 00:03:17.627 like, how do you compare yourself to, you 00:03:17.647 --> 00:03:20.687 know, Wordfence, Sucuri? Because of this, so it 00:03:20.728 --> 00:03:22.889 was, yeah, it was a bit frustrating because 00:03:23.088 --> 00:03:24.489 even though we do security, we don't do 00:03:24.529 --> 00:03:26.049 that type of security. Actually, our 00:03:26.089 --> 00:03:28.871 products complement those services, not, we 00:03:28.930 --> 00:03:31.231 don't compete with them. Also, the name was 00:03:31.272 --> 00:03:33.773 a bit too long, WP White Security. So, 00:03:33.812 --> 00:03:37.754 yeah, so we started, um, the rebrand. It 00:03:37.793 --> 00:03:39.115 was quite difficult to find the name I 00:03:39.135 --> 00:03:39.454 wanted. 00:03:40.600 --> 00:03:42.722 As I said, I'm originally from Malta, so 00:03:42.761 --> 00:03:46.404 I wanted to, yeah, put something from Malta, 00:03:46.445 --> 00:03:49.228 or at least my language there. Uh, we 00:03:49.248 --> 00:03:50.368 tried different things because we have a 00:03:50.389 --> 00:03:53.330 lot of words which are kind of like 00:03:53.451 --> 00:03:54.692 simple, can be easily read 00:03:56.013 --> 00:03:58.414 um, by English people and non-English 00:03:58.454 --> 00:03:59.694 native speakers, because sometimes, 00:03:59.713 --> 00:04:01.594 especially because English and the way 00:04:01.615 --> 00:04:03.035 they pronounce some words, it was difficult 00:04:03.056 --> 00:04:05.796 to find the right words. And we even 00:04:05.837 --> 00:04:07.557 paid a number of companies, I think towards 00:04:07.576 --> 00:04:09.478 the companies where they suggest names, and 00:04:09.497 --> 00:04:11.239 we just couldn't get about it. And then 00:04:11.278 --> 00:04:12.859 I was talking back then to a colleague 00:04:12.898 --> 00:04:16.319 of mine, 
Joel, who was, who is Maltese 00:04:16.360 --> 00:04:17.621 as well. Um, 00:04:18.718 --> 00:04:19.700 And yeah, I said something like, yeah, 00:04:19.839 --> 00:04:20.360 Mela, Mela. 00:04:20.379 --> 00:04:23.021 Because we use Mela as a Maltese word. 00:04:23.962 --> 00:04:25.925 It's very difficult for foreigners to get, 00:04:26.964 --> 00:04:29.146 because depending on the tone, 00:04:29.247 --> 00:04:30.508 especially when your mother uses it, 00:04:30.587 --> 00:04:32.670 it means either yes, no, or maybe. 00:04:32.770 --> 00:04:35.812 So it's really difficult. 00:04:35.831 --> 00:04:37.634 It's pretty much the whole spectrum right 00:04:37.674 --> 00:04:37.833 there. 00:04:38.174 --> 00:04:39.575 Yes, it's like when someone does, 00:04:40.354 --> 00:04:42.015 you know, it's like, is it a yes? 00:04:42.075 --> 00:04:42.636 Is it a no? 00:04:43.477 --> 00:04:44.457 It's something very similar. 00:04:44.557 --> 00:04:47.458 So it depends on the pronunciation, 00:04:47.498 --> 00:04:47.998 how you pronounce it. 00:04:48.080 --> 00:04:48.979 And the tone is like, okay, 00:04:48.999 --> 00:04:50.061 it can mean a lot of things. 00:04:50.820 --> 00:04:53.041 And yeah, it fits in really well. 00:04:53.062 --> 00:04:55.422 Like, okay, and just, 00:04:56.183 --> 00:04:57.464 so we wasted a bit of money paying 00:04:57.504 --> 00:04:59.485 companies and just it came over 00:04:59.526 --> 00:04:59.945 discussion. 00:05:00.005 --> 00:05:01.366 So yeah, that's the origin of the name. 00:05:02.829 --> 00:05:05.730 So there's a piece of Maltese in the 00:05:05.751 --> 00:05:05.890 name. 00:05:06.230 --> 00:05:08.231 It's often confused because, of course, 00:05:08.271 --> 00:05:08.972 we are close to Italy. 00:05:09.231 --> 00:05:11.593 Mela in Italian is Mela, which is apple. 00:05:12.294 --> 00:05:13.414 So many people think it's apple. 00:05:14.033 --> 00:05:14.795 But no, it's actually... 00:05:16.695 --> 00:05:17.855 It's a Maltese word. 
00:05:18.676 --> 00:05:19.856 And in terms of company... I mean, 00:05:19.877 --> 00:05:22.837 Apple Press isn't that bad either. 00:05:22.918 --> 00:05:23.277 True. 00:05:23.618 --> 00:05:24.299 Is there a company? 00:05:24.739 --> 00:05:25.740 No, I don't think so. 00:05:25.939 --> 00:05:26.719 Well, it's been Melapress. 00:05:26.740 --> 00:05:28.721 Yeah. 00:05:28.841 --> 00:05:30.382 If you're Italian, it means Apple Press. 00:05:30.402 --> 00:05:30.682 Yeah. 00:05:32.306 --> 00:05:32.866 Yeah, no, 00:05:33.266 --> 00:05:35.769 one of the hardest things in software 00:05:35.808 --> 00:05:37.431 engineering, right, is naming things. 00:05:39.192 --> 00:05:43.676 And finding a name that is easy for 00:05:43.877 --> 00:05:45.277 English speakers to pronounce, 00:05:45.297 --> 00:05:48.080 it just reminds me of, what was it, 00:05:48.140 --> 00:05:49.361 last year when the 00:05:50.062 --> 00:05:53.765 the agency Inpsyde renamed, or Inpsyde 00:05:54.087 --> 00:05:57.189 uh, renamed to just Syde, uh, which is 00:05:57.229 --> 00:05:59.913 spelled S-Y-D-E, which still I think is 00:06:00.073 --> 00:06:02.235 problematic because I think half, half the 00:06:02.256 --> 00:06:03.476 world is going to read that as "side". 00:06:04.117 --> 00:06:05.939 Um, but like that was the same thing, 00:06:06.019 --> 00:06:07.341 and they had a, they had a really 00:06:07.381 --> 00:06:09.564 funny video, um, as they were, as they 00:06:09.583 --> 00:06:10.345 were rebranding, 00:06:10.684 --> 00:06:12.367 where they, I think they were actually even 00:06:12.507 --> 00:06:14.449 asking all of their employees how they 00:06:14.488 --> 00:06:16.131 pronounce it and everybody had a different 00:06:16.170 --> 00:06:16.891 pronunciation. 00:06:16.951 --> 00:06:18.514 So like even internally in the company, 00:06:19.716 --> 00:06:20.435 they couldn't pronounce it. 
00:06:20.475 --> 00:06:20.956 So yes, 00:06:21.336 --> 00:06:24.040 settling on something that is easy to 00:06:24.081 --> 00:06:26.163 pronounce is probably a key thing in 00:06:26.483 --> 00:06:27.745 developing any sort of product. 00:06:28.720 --> 00:06:30.601 Yes, it's, it's very difficult because even 00:06:30.682 --> 00:06:32.304 once you start reading about, you know, like 00:06:32.343 --> 00:06:33.704 brand names and stuff, there are so many, 00:06:33.925 --> 00:06:37.369 um, hints, like try to, for example, come 00:06:37.408 --> 00:06:38.649 up with a name that starts with an A, 00:06:38.769 --> 00:06:40.211 so when there's a, whenever there's a 00:06:40.250 --> 00:06:41.453 listing of companies you're always, you 00:06:41.552 --> 00:06:43.855 know, all these type of optimization. But 00:06:43.874 --> 00:06:45.956 yeah, you can only go so far, and 00:06:46.057 --> 00:06:48.019 there are, there are so many companies out 00:06:48.038 --> 00:06:50.600 there, and, and trying to find something 00:06:51.362 --> 00:06:52.442 that sounds like a, 00:06:53.483 --> 00:06:56.867 okay, well, okay to pronounce, um, and yeah, 00:06:57.028 --> 00:06:59.249 and that fits and that works with everyone, 00:06:59.329 --> 00:07:01.252 it's quite difficult. You know, it's about 00:07:01.271 --> 00:07:03.134 pronunciation, it's about the length, a lot 00:07:03.173 --> 00:07:05.216 of stuff. So, and there are so many 00:07:05.235 --> 00:07:06.656 companies out there, so you have to find 00:07:06.677 --> 00:07:07.958 something unique, which is, it's very 00:07:07.978 --> 00:07:09.920 difficult. It can take a few, it took 00:07:09.939 --> 00:07:10.781 us a few months actually. 00:07:10.961 --> 00:07:11.622 Yeah, yeah. 
00:07:12.201 --> 00:07:14.043 We'll talk about what Melapress actually 00:07:14.403 --> 00:07:14.965 does, 00:07:15.444 --> 00:07:17.608 especially since you noted that it doesn't 00:07:17.668 --> 00:07:20.129 do security for WordPress in the way that 00:07:20.170 --> 00:07:22.853 most people consider WordPress security 00:07:22.872 --> 00:07:24.394 sort of plugins or platforms or whatever. 00:07:24.434 --> 00:07:25.735 So like, what is it that, 00:07:27.177 --> 00:07:28.958 what solution are you providing? 00:07:30.588 --> 00:07:30.769 Yes, 00:07:30.829 --> 00:07:33.410 typically when people talk about security, 00:07:33.810 --> 00:07:36.331 they think of either hardening, 00:07:36.911 --> 00:07:38.632 like hardening the website, 00:07:39.192 --> 00:07:41.194 some sort of protection, firewalls, 00:07:41.473 --> 00:07:42.653 or some type of scanning, 00:07:42.713 --> 00:07:43.934 or anti-malware cleaning, et cetera. 00:07:43.954 --> 00:07:45.256 We do none of that. 00:07:45.615 --> 00:07:47.617 Our flagship product is WP Activity Log, 00:07:47.696 --> 00:07:50.557 which basically keeps a log of what logged 00:07:50.578 --> 00:07:51.999 in users are doing on your website. 00:07:52.298 --> 00:07:53.319 Someone installed a plugin, 00:07:53.439 --> 00:07:54.879 someone changed some content, et cetera. 00:07:55.831 --> 00:07:57.512 We also have WP 2FA, 00:07:57.533 --> 00:07:59.855 which is a plugin that allows you to 00:08:00.156 --> 00:08:00.956 enforce. 00:08:01.476 --> 00:08:02.458 It is a sort of hardening, 00:08:02.497 --> 00:08:03.398 but you know, the typical firewall. 00:08:04.038 --> 00:08:06.781 It allows you to enforce authentication, 00:08:06.882 --> 00:08:09.363 even passkeys and similar stuff. 00:08:09.403 --> 00:08:10.384 So it's login hardening. 00:08:10.965 --> 00:08:12.545 And we have Melapress Login Security, 00:08:13.466 --> 00:08:15.208 which allows you to configure a number of 00:08:15.949 --> 00:08:17.191 login security policies. 
00:08:17.310 --> 00:08:18.992 It's not just about the failed login, 00:08:19.031 --> 00:08:20.333 but also a number of things. 00:08:20.353 --> 00:08:20.773 For example, 00:08:20.793 --> 00:08:23.937 you can control or configure policies to 00:08:23.976 --> 00:08:25.317 limit when users can log in, 00:08:25.418 --> 00:08:26.639 range of time or which dates, 00:08:26.718 --> 00:08:27.600 by user role, 00:08:29.081 --> 00:08:30.542 use specific number of machines. 00:08:30.603 --> 00:08:31.643 So when they try to use a new 00:08:31.684 --> 00:08:32.543 machine, they are alerted. 00:08:32.564 --> 00:08:32.723 You know, 00:08:32.744 --> 00:08:35.307 a lot of these kind of like helping 00:08:35.427 --> 00:08:35.687 users. 00:08:35.747 --> 00:08:37.007 And the reason why we went that way, 00:08:37.028 --> 00:08:37.389 because... 00:08:39.487 --> 00:08:39.807 First of all, 00:08:40.028 --> 00:08:42.790 we started with activity log years ago. 00:08:43.071 --> 00:08:46.333 But also, the more time passes, 00:08:46.353 --> 00:08:47.014 the more I'm realizing. 00:08:47.314 --> 00:08:48.576 Last week, I was at CloudFest. 00:08:50.057 --> 00:08:51.639 And most of these presentations, 00:08:51.658 --> 00:08:52.740 that's what they were talking about. 00:08:52.879 --> 00:08:56.223 Unfortunately, it's becoming way easier 00:08:56.963 --> 00:08:57.804 If you want to hack someone, 00:08:57.824 --> 00:09:00.245 it's becoming way easier going through 00:09:00.684 --> 00:09:01.225 their users. 00:09:01.564 --> 00:09:04.845 It's becoming more difficult to exploit 00:09:05.024 --> 00:09:05.865 technical vulnerabilities, 00:09:05.966 --> 00:09:07.985 trying to bypass a firewall and stuff like 00:09:08.006 --> 00:09:08.165 that. 00:09:08.826 --> 00:09:10.105 And because we are using more and more 00:09:10.185 --> 00:09:10.506 AI, 00:09:11.807 --> 00:09:13.266 it seems like the cognitive abilities of 00:09:13.346 --> 00:09:14.946 users are lowered nowadays. 
00:09:15.026 --> 00:09:16.627 So it's much easier to launch a phishing 00:09:16.706 --> 00:09:18.007 attack and all this stuff. 00:09:18.028 --> 00:09:20.187 So hopefully, with using 2FA, 00:09:20.708 --> 00:09:22.047 maybe a bit more login policies and stuff 00:09:22.067 --> 00:09:22.367 like that, 00:09:22.447 --> 00:09:24.728 you, and training the users and helping the 00:09:24.749 --> 00:09:25.088 users 00:09:26.208 --> 00:09:27.990 get alerted when a new machine is used 00:09:28.069 --> 00:09:29.571 or the user was used somewhere else. 00:09:29.810 --> 00:09:29.930 Yeah, 00:09:29.971 --> 00:09:32.333 that hopefully hardens that part of 00:09:32.672 --> 00:09:34.293 WordPress security as well. 00:09:34.413 --> 00:09:35.334 Yeah. 00:09:35.355 --> 00:09:35.535 Well, 00:09:35.655 --> 00:09:38.656 and multi-factor authentication is 00:09:38.817 --> 00:09:39.536 crucial, right? 00:09:39.576 --> 00:09:40.437 Especially, like, 00:09:40.658 --> 00:09:45.341 since there are so many databases out 00:09:45.360 --> 00:09:47.721 there now, like, you know, 00:09:47.982 --> 00:09:48.622 it used to be, like, 00:09:48.742 --> 00:09:50.804 every other week or at least once a 00:09:50.863 --> 00:09:52.184 month there would be some new 00:09:52.684 --> 00:09:54.165 vulnerability disclosure that, like, 00:09:54.185 --> 00:09:55.386 there's a database of, like, 00:09:56.047 --> 00:09:59.048 fifty thousand, two million different 00:09:59.269 --> 00:10:01.011 usernames and passwords that were scraped 00:10:01.071 --> 00:10:03.593 from some, you know, 00:10:03.833 --> 00:10:06.054 Google or like some ridiculously large 00:10:06.093 --> 00:10:07.055 company and all that. 00:10:07.134 --> 00:10:09.297 And because people reuse passwords, 00:10:09.317 --> 00:10:11.817 then like if you're on a list somewhere, 00:10:12.199 --> 00:10:13.019 like I mean, 00:10:13.179 --> 00:10:15.381 it's impossible to follow it. 00:10:15.420 --> 00:10:15.641 Right. 
00:10:15.680 --> 00:10:17.302 It's like I can't even, I can't even 00:10:17.362 --> 00:10:19.384 worry about my, my email address being on 00:10:19.423 --> 00:10:20.985 a list like that because there's so, like, 00:10:21.105 --> 00:10:22.205 obviously it's out there. 00:10:22.625 --> 00:10:23.887 I can only worry about, like, 00:10:24.626 --> 00:10:26.589 making sure that, like, my passwords are 00:10:26.609 --> 00:10:27.009 secure, 00:10:27.049 --> 00:10:28.650 that I'm using two-factor authentication 00:10:28.671 --> 00:10:30.894 so that when somebody does inevitably find 00:10:30.913 --> 00:10:32.154 my email address on the list, 00:10:32.715 --> 00:10:35.177 the password they get isn't matching with 00:10:35.357 --> 00:10:37.259 the password that I'm using on an actually 00:10:37.299 --> 00:10:37.961 important site. 00:10:39.014 --> 00:10:40.596 Exactly, yeah. I mean, if, if, I don't 00:10:40.657 --> 00:10:42.177 know if you've ever heard of the website 00:10:42.217 --> 00:10:44.499 Have I Been Pwned? Oh yeah. Um, if 00:10:44.519 --> 00:10:45.941 you subscribe to that one, you receive 00:10:45.980 --> 00:10:48.102 quite a few alerts, because, yeah, there are, 00:10:48.203 --> 00:10:50.985 I think you find data leakages almost on 00:10:51.025 --> 00:10:52.967 a daily, there are data leakages almost on 00:10:52.988 --> 00:10:55.971 a daily basis. So it's quite, um, frustrating. 00:10:56.010 --> 00:10:58.692 Then, of course, um, ideally you shouldn't 00:10:58.793 --> 00:11:00.815 use the same passwords for different 00:11:00.835 --> 00:11:01.855 websites. That's why there are password 00:11:01.875 --> 00:11:03.437 managers. But yeah, of course 2FA 00:11:04.595 --> 00:11:06.475 eases that process. So yeah, even if you 00:11:06.495 --> 00:11:08.937 use the same password, at least, yeah, the, 00:11:08.956 --> 00:11:10.618 the attackers, if they guess your password, 00:11:10.677 --> 00:11:12.518 they cannot log in because they need a one- 00:11:12.557 --> 00:11:15.220 time code, either from your email address 
00:11:15.360 --> 00:11:17.980 or from your mobile device, etc. So yeah, 00:11:18.181 --> 00:11:20.581 in terms of credentials, yeah, as you said, 00:11:20.601 --> 00:11:22.643 like, you'll find your email address almost 00:11:23.523 --> 00:11:26.065 nowadays in a lot of lists. It's funny, 00:11:26.185 --> 00:11:27.625 talking about Have I Been Pwned, because, 00:11:28.306 --> 00:11:29.466 and because we're talking about phishing, 00:11:29.506 --> 00:11:33.109 etc., uh, that website is maintained by Troy 00:11:33.148 --> 00:11:35.110 Hunt. He's a very popular infrastructure 00:11:35.130 --> 00:11:36.751 researcher. It's funny, talking about 00:11:36.831 --> 00:11:38.893 attacks, because last year he has a blog 00:11:38.932 --> 00:11:39.834 post about it. In fact, 00:11:40.494 --> 00:11:41.995 he was a victim of a phishing attack, 00:11:42.196 --> 00:11:44.941 and his MailChimp list was stolen. 00:11:45.260 --> 00:11:46.923 So it's a bit. 00:11:48.986 --> 00:11:51.711 A security speaker at CloudFest had this 00:11:51.750 --> 00:11:53.013 really funny comment, because he said, 00:11:53.894 --> 00:11:54.775 with AI especially, 00:11:55.870 --> 00:11:57.751 phishing attacks are becoming so good, 00:11:57.871 --> 00:11:59.033 they actually look better than the 00:11:59.052 --> 00:11:59.852 legitimate emails. 00:12:02.294 --> 00:12:03.836 So it can happen to the best of 00:12:03.897 --> 00:12:03.996 us. 00:12:04.017 --> 00:12:06.118 You can be Troy Hunt and it can 00:12:06.158 --> 00:12:06.879 still happen to you. 00:12:07.198 --> 00:12:10.101 Yeah, I met Troy many, many, 00:12:10.142 --> 00:12:10.961 many years ago. 00:12:12.123 --> 00:12:12.724 Back in the day, 00:12:12.803 --> 00:12:15.605 I was doing online developer training 00:12:15.645 --> 00:12:16.667 courses for Pluralsight. 00:12:17.427 --> 00:12:19.988 And Troy was also doing courses for 00:12:20.028 --> 00:12:22.749 Pluralsight and all of his stuff was on 00:12:22.789 --> 00:12:23.230 security. 
00:12:23.269 --> 00:12:26.250 And so Pluralsight held these sort of 00:12:26.390 --> 00:12:26.971 author summits. 00:12:27.010 --> 00:12:29.793 So they get all the Pluralsight authors to 00:12:29.873 --> 00:12:31.072 hang out and talk to each other and 00:12:31.113 --> 00:12:32.033 compare notes and stuff. 00:12:32.073 --> 00:12:32.933 And so I've met him. 00:12:33.293 --> 00:12:35.274 And one of the things I remember, 00:12:36.916 --> 00:12:42.357 he did a presentation and he put like 00:12:42.398 --> 00:12:45.879 a Wi-Fi, like, router in the room and 00:12:45.899 --> 00:12:46.460 basically, like, 00:12:46.679 --> 00:12:48.402 the idea was to see how much data 00:12:48.461 --> 00:12:51.004 he could get by people just jumping onto 00:12:51.484 --> 00:12:54.927 a freely available Wi-Fi node and then 00:12:55.008 --> 00:12:56.288 showed it in the demo. 00:12:57.549 --> 00:12:58.671 And this is all the information that I 00:12:58.691 --> 00:13:00.052 got from your computer because you just 00:13:00.071 --> 00:13:02.653 happened to jump on this free Wi-Fi that 00:13:02.715 --> 00:13:03.134 is like, 00:13:03.575 --> 00:13:05.676 that I put here for this purpose, that 00:13:05.775 --> 00:13:07.437 looks legitimate, but is actually not. 00:13:08.437 --> 00:13:08.658 Yeah. 00:13:08.697 --> 00:13:09.839 And then that was about the time when 00:13:09.879 --> 00:13:11.999 he, when he had actually even launched 00:13:12.100 --> 00:13:13.061 Have I Been Pwned? 00:13:13.100 --> 00:13:15.542 So, yeah, well, very, very big fan of, 00:13:15.662 --> 00:13:17.222 of Troy's work over the years. 
00:13:17.783 --> 00:13:19.303 But what, so, 00:13:20.424 --> 00:13:23.025 so have you always been interested in sort 00:13:23.046 --> 00:13:24.626 of the security side of, 00:13:24.826 --> 00:13:27.168 of web development, or what sort of brought 00:13:27.209 --> 00:13:30.390 you to the point at which you decided 00:13:30.411 --> 00:13:32.552 that, that this product, this set of 00:13:32.952 --> 00:13:34.220 plugins or whatever that you're building 00:13:34.240 --> 00:13:35.927 with Melapress is the thing that you want 00:13:35.947 --> 00:13:36.350 to be doing. 00:13:38.741 --> 00:13:40.003 I've always been into security. 00:13:41.043 --> 00:13:43.244 Before working with WordPress, 00:13:43.264 --> 00:13:45.044 which I started thirteen years ago, 00:13:45.884 --> 00:13:47.046 in my previous career, 00:13:47.745 --> 00:13:49.687 I worked fourteen years for a number of 00:13:49.726 --> 00:13:50.547 different startups, 00:13:50.787 --> 00:13:53.047 and they were all security startups. 00:13:54.928 --> 00:13:55.948 Security software startups. 00:13:56.609 --> 00:13:58.129 I had a number of different roles. 00:13:58.649 --> 00:14:01.490 I started as a software tester, 00:14:01.530 --> 00:14:03.892 systems engineer, product management. 00:14:04.532 --> 00:14:05.352 I was never a developer. 00:14:06.393 --> 00:14:08.173 I can write a bit of code. 00:14:08.634 --> 00:14:09.435 I used to write, of course, 00:14:09.455 --> 00:14:10.355 when I was systems engineer, 00:14:10.374 --> 00:14:12.176 a lot of bash scripts and try to 00:14:12.235 --> 00:14:13.096 automate all this stuff. 00:14:13.137 --> 00:14:13.956 So I have an idea, 00:14:14.157 --> 00:14:15.297 a good concept of these things. 
00:14:17.178 --> 00:14:17.438 But yeah, 00:14:17.459 --> 00:14:20.301 since I worked always with security 00:14:20.341 --> 00:14:21.762 software companies and startups, 00:14:22.697 --> 00:14:23.758 yeah, 00:14:23.778 --> 00:14:25.959 it's what I heard for fourteen years 00:14:25.999 --> 00:14:27.178 about, you know, like security, 00:14:27.219 --> 00:14:28.178 what can happen, etc. 00:14:28.239 --> 00:14:30.919 So it's a field I know very well, 00:14:30.960 --> 00:14:31.399 basically. 00:14:31.799 --> 00:14:32.880 And most of my friends, 00:14:33.681 --> 00:14:34.280 some of my friends, 00:14:34.321 --> 00:14:35.740 which I still have from back in those 00:14:35.760 --> 00:14:37.942 days, they also have security. 00:14:38.302 --> 00:14:39.442 For example, a friend of mine, Sandra, 00:14:39.461 --> 00:14:40.763 has a penetration testing company. 00:14:40.783 --> 00:14:41.043 So, yeah, 00:14:41.082 --> 00:14:42.863 I'm always surrounded with security. 00:14:43.102 --> 00:14:45.244 It's something I've done from day one, 00:14:45.423 --> 00:14:45.864 basically. 00:14:46.803 --> 00:14:48.745 Um, so yeah, that, that's where the security 00:14:48.765 --> 00:14:50.407 is coming from. In fact, we jumped, I 00:14:50.446 --> 00:14:52.288 jumped into WordPress because the last 00:14:52.347 --> 00:14:55.870 full-time job I had, we needed a blog. 00:14:57.730 --> 00:15:00.432 Um, it was, this was, um, um, years 00:15:00.452 --> 00:15:02.794 ago. We needed a blog. We started looking. 00:15:03.394 --> 00:15:06.616 I've learned about WordPress, and back then 00:15:06.637 --> 00:15:07.817 WordPress, yeah, there were, 00:15:09.306 --> 00:15:10.326 security was still very weak. 00:15:10.346 --> 00:15:12.548 It's not the core, it's always the same, 00:15:12.568 --> 00:15:14.971 you know, like the reputation it had, 00:15:15.030 --> 00:15:16.131 et cetera. 00:15:16.152 --> 00:15:17.211 But there weren't a lot of security 00:15:17.231 --> 00:15:17.852 solutions either. 
00:15:17.873 --> 00:15:20.095 In fact, I remember Sucuri starting, 00:15:20.315 --> 00:15:21.054 you know, back then it was, 00:15:21.075 --> 00:15:22.296 they just used to do free scans, 00:15:22.336 --> 00:15:24.038 like an Nmap scan and stuff like that. 00:15:25.205 --> 00:15:27.167 And, yeah, we tried to, 00:15:27.187 --> 00:15:29.509 because it was a security company already, 00:15:29.548 --> 00:15:31.451 we used to develop a web vulnerability 00:15:31.471 --> 00:15:31.730 scanner. 00:15:32.311 --> 00:15:34.133 We tried to develop a SaaS for WordPress 00:15:34.153 --> 00:15:37.034 back then, a security file monitoring, 00:15:37.274 --> 00:15:37.775 et cetera. 00:15:38.235 --> 00:15:39.137 It was a bit of a flop. 00:15:40.317 --> 00:15:41.438 Nothing with the technology, 00:15:41.459 --> 00:15:42.679 it's just the way we managed it, 00:15:42.740 --> 00:15:43.159 et cetera. 00:15:44.172 --> 00:15:44.611 And anyway, 00:15:44.672 --> 00:15:46.452 then it was time I was working for 00:15:46.493 --> 00:15:48.813 fourteen years for four different software 00:15:48.834 --> 00:15:49.214 companies, 00:15:49.315 --> 00:15:51.775 but always the same founder and CEO. 00:15:53.036 --> 00:15:54.596 I worked with him at Chetra through my 00:15:54.637 --> 00:15:56.258 career and it was time to move on. 00:15:56.317 --> 00:15:58.678 And anyway, just after fourteen years, 00:15:58.719 --> 00:16:01.320 I started my own thing because we just 00:16:01.580 --> 00:16:02.801 started working a lot with WordPress, 00:16:02.860 --> 00:16:04.162 even through my previous full time job. 00:16:05.042 --> 00:16:07.224 I met a few friends from WordPress and 00:16:07.283 --> 00:16:07.965 yeah, it just became, 00:16:08.384 --> 00:16:09.446 it's something I liked, you know, 00:16:09.985 --> 00:16:10.527 I really liked it. 
00:16:11.147 --> 00:16:11.988 So yeah, 00:16:12.028 --> 00:16:14.310 security is coming since day one I started 00:16:14.330 --> 00:16:16.412 working in IT, just because mostly I've 00:16:16.491 --> 00:16:19.114 worked with security software companies. 00:16:19.455 --> 00:16:22.057 What brought you into security to sort of 00:16:22.116 --> 00:16:22.557 begin with? 00:16:22.576 --> 00:16:23.937 Like where did that sort of interest 00:16:24.298 --> 00:16:24.778 develop? 00:16:26.200 --> 00:16:26.360 It's... 00:16:27.490 --> 00:16:29.171 This started when I was nineteen years 00:16:29.250 --> 00:16:29.411 old. 00:16:30.811 --> 00:16:32.312 Back then it was different, of course. 00:16:32.532 --> 00:16:34.373 Hacking is still cool. 00:16:34.393 --> 00:16:35.192 Back then it was a bit, 00:16:35.212 --> 00:16:36.374 in my opinion, it was cooler. 00:16:36.413 --> 00:16:36.854 Nowadays, 00:16:37.334 --> 00:16:40.956 I was just at the CloudFest capture 00:16:40.975 --> 00:16:41.275 the flag. 00:16:42.243 --> 00:16:44.563 Uh, the winning team, I think, within, they, 00:16:44.945 --> 00:16:48.125 they, uh, captured the flag in nine 00:16:48.166 --> 00:16:49.326 challenges, in all the nine challenges, 00:16:49.366 --> 00:16:50.807 within eighteen minutes, because all they 00:16:50.827 --> 00:16:52.068 did, spend ten minutes set up the AI 00:16:52.168 --> 00:16:54.490 net framework and then the rest just was, 00:16:54.509 --> 00:16:56.971 just automated. So it's nice from a 00:16:56.991 --> 00:16:58.272 technology point of view, but it's not fun. 00:16:58.552 --> 00:17:00.173 Back then, I remember in my early days, 00:17:00.273 --> 00:17:01.754 I used to go with my friend, you 00:17:01.774 --> 00:17:04.115 know, like war-driving, capturing Wi-Fi 00:17:04.176 --> 00:17:05.917 packets and stuff. It was much different, 00:17:05.937 --> 00:17:08.357 you know. We also had this hack with, 00:17:08.619 --> 00:17:08.719 um, 00:17:09.438 --> 00:17:10.918 there used to be more of these public 00:17:10.979 --> 
00:17:12.419 phones where you had internet access if 00:17:12.440 --> 00:17:13.179 you used a telecard. 00:17:13.740 --> 00:17:16.280 But a friend of mine found a bypass 00:17:16.341 --> 00:17:17.360 without the card. 00:17:17.380 --> 00:17:20.922 Just like scanning for open ports, 00:17:20.942 --> 00:17:24.102 you try to use netcat and all this 00:17:24.123 --> 00:17:24.302 stuff. 00:17:24.322 --> 00:17:25.624 So back then, it was much more different. 00:17:26.464 --> 00:17:28.485 So yes, um, when I was at GFI, 00:17:28.905 --> 00:17:31.209 when I became systems engineer, as I said, 00:17:31.249 --> 00:17:32.649 it was a security software company, so we 00:17:32.690 --> 00:17:34.471 always, was this learning a lot about 00:17:34.512 --> 00:17:36.293 security. But then I was, I was sharing 00:17:36.312 --> 00:17:38.254 an office with Sandra, this friend of mine, 00:17:38.735 --> 00:17:40.297 and who was the security engineer for GFI 00:17:40.317 --> 00:17:40.937 back then. So 00:17:43.005 --> 00:17:44.827 nine, ten hours a day just talking about 00:17:44.868 --> 00:17:47.490 security, um, was helping me back then, you 00:17:47.509 --> 00:17:49.951 know, like configuring the firewalls, the 00:17:49.991 --> 00:17:51.712 routers and all this stuff, and learning 00:17:51.732 --> 00:17:53.975 about, back then, DMZ and all this stuff. 00:17:53.995 --> 00:17:57.217 So yeah, of course then that's the potato, 00:17:57.278 --> 00:17:59.200 but it's, it's, it's something that's very 00:17:59.220 --> 00:18:01.662 interesting. Uh, it's much more interesting 00:18:01.682 --> 00:18:03.322 than just systems engineering, and yeah, 00:18:03.503 --> 00:18:04.104 it's just also 00:18:05.485 --> 00:18:07.027 what the companies I worked for were doing 00:18:07.168 --> 00:18:07.587 in security. 
00:18:07.607 --> 00:18:08.047 So it's just, 00:18:08.629 --> 00:18:10.690 I literally always been in this, 00:18:10.850 --> 00:18:12.571 since I was nineteen, 00:18:12.591 --> 00:18:14.334 I've always worked in this field in 00:18:14.394 --> 00:18:14.773 security. 00:18:15.678 --> 00:18:15.959 Yeah, 00:18:15.979 --> 00:18:17.900 I remember being a nerd in the nineties 00:18:17.941 --> 00:18:20.062 and early, early two thousands. 00:18:20.081 --> 00:18:20.783 And I never, 00:18:20.942 --> 00:18:24.384 I never did all of the cool old 00:18:24.424 --> 00:18:26.866 school analog hacking things that I read 00:18:26.887 --> 00:18:27.147 about. 00:18:27.207 --> 00:18:29.148 But I do remember reading about the things 00:18:29.168 --> 00:18:29.629 where like, 00:18:30.690 --> 00:18:33.591 like the whatever device that you get that 00:18:33.611 --> 00:18:33.871 you can, 00:18:34.172 --> 00:18:36.553 that like simulates the sound that a coin 00:18:36.573 --> 00:18:38.615 makes in a pay phone so that you 00:18:38.635 --> 00:18:40.456 can steal the, and then like, 00:18:41.258 --> 00:18:43.960 like being able to like rig up like, 00:18:44.880 --> 00:18:46.120 Off of that, 00:18:46.402 --> 00:18:48.363 connect it to a modem and then use 00:18:48.383 --> 00:18:49.963 that to dial up. 00:18:51.705 --> 00:18:52.645 There's no... 00:18:53.906 --> 00:18:56.189 Kids these days will never understand the 00:18:56.229 --> 00:18:59.330 amount of ingenuity that goes into all of 00:18:59.371 --> 00:19:01.972 the really old school analog... 00:19:03.213 --> 00:19:06.316 hacking, which is actually like literal, 00:19:06.375 --> 00:19:07.896 like not hacking on the computer, 00:19:07.936 --> 00:19:10.897 but like with hardware devices that you 00:19:10.958 --> 00:19:12.798 had to like physically hold in your hand 00:19:12.838 --> 00:19:14.839 and go to actual like places in the 00:19:14.880 --> 00:19:15.181 world, 00:19:15.240 --> 00:19:17.582 not just from behind a laptop screen. 
00:19:18.309 --> 00:19:19.612 That telephone thing you're mentioning, 00:19:19.632 --> 00:19:20.511 if I'm not mistaken, 00:19:20.653 --> 00:19:23.655 it used to be a whistle with some 00:19:23.756 --> 00:19:25.217 cereal in America, Captain Crunch, I think. 00:19:25.917 --> 00:19:27.179 And if you blow this whistle on a 00:19:27.199 --> 00:19:27.880 public telephone, 00:19:29.000 --> 00:19:34.386 it used to have this specific tone and 00:19:34.426 --> 00:19:34.586 the... 00:19:36.384 --> 00:19:37.425 center, whatever it's called, 00:19:38.106 --> 00:19:39.348 the switchboard switch center. 00:19:39.368 --> 00:19:41.230 It used to hear this tone and detect 00:19:41.250 --> 00:19:42.011 it as something. 00:19:42.031 --> 00:19:42.811 So yeah, it used to route. 00:19:42.872 --> 00:19:44.554 I forgot how it is exactly, but yeah, 00:19:45.075 --> 00:19:46.336 it was much different back then. 00:19:46.355 --> 00:19:48.919 And in fact, I just found, 00:19:48.939 --> 00:19:49.940 because I was just cleaning, 00:19:49.960 --> 00:19:51.082 a bit of spring cleaning, 00:19:51.201 --> 00:19:51.721 I found the book. 00:19:51.741 --> 00:19:52.343 I have... 00:19:54.072 --> 00:19:55.894 the book Ghost in the Wires from Kevin Mitnick, 00:19:56.555 --> 00:19:58.718 uh, signed. And I remember reading 00:19:58.738 --> 00:20:00.901 those stories. Like, when you read, if most 00:20:00.921 --> 00:20:02.943 probably young people, some might know who 00:20:02.963 --> 00:20:04.205 Kevin Mitnick is. If you don't know who 00:20:04.246 --> 00:20:06.188 he is, find his book, Ghost in the 00:20:06.208 --> 00:20:08.731 Wires, amazing story. So basically Kevin 00:20:08.751 --> 00:20:10.012 Mitnick is the first 00:20:11.155 --> 00:20:13.458 popular mainstream hacker, basically. 
00:20:14.858 --> 00:20:17.320 And yeah, he spent, after he was hacking, 00:20:17.381 --> 00:20:18.721 he spent a number of years, 00:20:18.741 --> 00:20:20.042 I don't know how much exactly, I forgot, 00:20:20.163 --> 00:20:21.884 five, six, or four years, I don't know, 00:20:22.984 --> 00:20:24.086 with the FBI following him, 00:20:24.546 --> 00:20:26.248 and he was tracing the FBI, 00:20:26.268 --> 00:20:27.449 so he was always a step ahead of 00:20:27.469 --> 00:20:27.608 them. 00:20:28.128 --> 00:20:29.490 And this story is amazing. 00:20:29.549 --> 00:20:31.932 Ghost in the Wires is definitely a 00:20:31.951 --> 00:20:32.932 must-read, and as you said, 00:20:32.992 --> 00:20:36.255 it will at least will give 00:20:37.365 --> 00:20:39.167 hackers of today a bit of an understanding 00:20:39.208 --> 00:20:40.388 how different it was back then because 00:20:40.429 --> 00:20:42.990 nowadays it's just yeah automation i mean 00:20:43.010 --> 00:20:45.614 there's still some development and skills 00:20:45.634 --> 00:20:47.115 in it but back then it was much 00:20:47.194 --> 00:20:48.936 more much more fun much more interesting 00:20:49.096 --> 00:20:49.897 at least in my opinion 00:20:50.541 --> 00:20:50.721 Yeah, well, 00:20:50.741 --> 00:20:53.083 I feel like right now you get more 00:20:53.123 --> 00:20:54.542 mileage out of social engineering. 00:20:54.702 --> 00:20:57.124 You get more mileage out of deep fakes 00:20:57.324 --> 00:21:00.865 or convincing someone to willingly hand 00:21:00.964 --> 00:21:04.286 over information rather than actually 00:21:04.546 --> 00:21:06.885 using any sort of brute force methods to 00:21:06.945 --> 00:21:08.346 infiltrate a system anymore. 00:21:08.567 --> 00:21:08.686 Yeah. 00:21:10.267 --> 00:21:10.487 Yes. 00:21:11.147 --> 00:21:12.709 People are not aware of these things until 00:21:12.729 --> 00:21:13.149 it is there. 00:21:13.409 --> 00:21:14.109 It's not the first time. 00:21:14.190 --> 00:21:15.250 I try it just for fun. 
00:21:15.691 --> 00:21:16.491 For example, I don't know. 00:21:16.511 --> 00:21:17.772 I walk into a supermarket. 00:21:17.792 --> 00:21:19.334 You see some employees walking into some 00:21:19.394 --> 00:21:19.673 office. 00:21:19.693 --> 00:21:19.874 You know, 00:21:19.894 --> 00:21:21.855 there's this sign, staff only. 00:21:22.355 --> 00:21:23.356 And you walk behind them like, oh, sorry, 00:21:23.396 --> 00:21:23.856 can I watch it? 00:21:23.936 --> 00:21:25.738 And no one asks questions like, 00:21:25.758 --> 00:21:26.358 why are you coming in? 00:21:26.399 --> 00:21:27.980 It's just they're so used, you know, 00:21:27.999 --> 00:21:29.641 like because you're being nice. 00:21:29.701 --> 00:21:30.261 Oh, yes, come in. 00:21:30.281 --> 00:21:30.481 You know, 00:21:30.501 --> 00:21:32.222 like people are not aware about these 00:21:32.242 --> 00:21:32.482 things. 00:21:32.563 --> 00:21:33.844 So it's very... 00:21:35.105 --> 00:21:35.724 It's very easy. 00:21:35.765 --> 00:21:37.306 It's still very easy to, 00:21:37.865 --> 00:21:39.185 I don't know if it's coming from because 00:21:39.205 --> 00:21:39.905 of politeness, 00:21:40.185 --> 00:21:43.086 but also as someone said at CloudFest, 00:21:43.207 --> 00:21:45.147 also because of the, we are, 00:21:45.407 --> 00:21:46.887 especially people working in IT, 00:21:46.988 --> 00:21:49.828 we are relying so much on AI that 00:21:49.888 --> 00:21:51.568 our cognitive abilities are being lowered 00:21:51.828 --> 00:21:53.710 because, so yeah, 00:21:53.730 --> 00:21:56.430 people need training about, yeah, 00:21:56.609 --> 00:21:57.611 what's social engineering, 00:21:57.691 --> 00:21:58.931 what type of issues there can be. 00:21:59.230 --> 00:22:00.570 I remember, again, 00:22:00.590 --> 00:22:02.011 back in my early twenties, 00:22:02.751 --> 00:22:04.153 we used to, in Malta, 00:22:04.555 --> 00:22:06.596 there is this ferry between Malta and 00:22:06.616 --> 00:22:07.598 Gozo, two islands. 
00:22:08.539 --> 00:22:09.260 And yeah, it was, 00:22:09.822 --> 00:22:10.762 and most probably even nowadays, 00:22:10.803 --> 00:22:12.105 it was so easy to go down to 00:22:12.124 --> 00:22:12.644 the engine room. 00:22:13.105 --> 00:22:13.926 No one asks you anything, 00:22:14.166 --> 00:22:16.269 especially if you just buy a high 00:22:16.309 --> 00:22:17.592 visibility vest, just put it on, 00:22:19.334 --> 00:22:20.895 hang any type of id and just walk 00:22:20.935 --> 00:22:22.718 in no one no one will even ask 00:22:22.738 --> 00:22:25.342 you anything there are some youtube videos 00:22:25.362 --> 00:22:26.442 actually about this there are some people 00:22:26.462 --> 00:22:28.786 which just get by a high-visibility vest a 00:22:28.826 --> 00:22:31.368 helmet and a leather and they just walk 00:22:31.388 --> 00:22:33.231 into offices and see what they can do 00:22:33.551 --> 00:22:33.672 and 00:22:34.894 --> 00:22:36.074 There are some cases where they are 00:22:36.114 --> 00:22:36.994 stopped, but the majority, 00:22:37.015 --> 00:22:39.414 they just walk in and no one questions 00:22:39.434 --> 00:22:39.855 them. 00:22:40.154 --> 00:22:41.215 It's amazing. 00:22:41.296 --> 00:22:43.715 Yeah, for sure. 00:22:44.036 --> 00:22:44.297 Well, 00:22:44.457 --> 00:22:46.936 from the perspective of an old school 00:22:46.977 --> 00:22:48.458 hacker and from the perspective of 00:22:48.498 --> 00:22:50.258 somebody who's been working in security 00:22:50.297 --> 00:22:52.919 for a long time, I know that like... 
00:22:53.798 --> 00:22:56.280 The thing that everybody from the outside 00:22:56.561 --> 00:22:59.984 of the WordPress community always sees or 00:23:00.065 --> 00:23:02.047 hears when they think about WordPress or 00:23:02.067 --> 00:23:03.528 they hear stories about WordPress, and even, 00:23:04.009 --> 00:23:06.611 even in Cloudflare's announcement of their 00:23:06.651 --> 00:23:08.653 new CMS, mdash, they mentioned, they talk 00:23:08.692 --> 00:23:09.794 about like, oh, 00:23:10.233 --> 00:23:12.655 the security is a problem, or specifically 00:23:12.715 --> 00:23:16.078 like security of WordPress plugins are a 00:23:16.118 --> 00:23:18.882 fundamental problem in the security of 00:23:18.922 --> 00:23:20.103 WordPress as a whole. 00:23:20.462 --> 00:23:22.444 So I'm interested to hear what your sort 00:23:22.464 --> 00:23:25.448 of take on or perspective is on WordPress 00:23:25.468 --> 00:23:28.009 security since like you've kind of, you've 00:23:28.029 --> 00:23:29.171 been outside of that system. 00:23:29.250 --> 00:23:31.252 Now you're working within WordPress and 00:23:31.272 --> 00:23:32.753 making security things for WordPress. 00:23:33.752 --> 00:23:34.393 Yes, unfortunately, 00:23:34.413 --> 00:23:35.774 there are a number of factors which give 00:23:35.854 --> 00:23:38.336 WordPress this really bad reputation. 00:23:38.556 --> 00:23:39.737 First of all, even to this day, 00:23:39.757 --> 00:23:41.478 whenever I speak to people outside the 00:23:41.498 --> 00:23:42.939 WordPress community, the security people, 00:23:43.019 --> 00:23:44.259 they do look down on WordPress. 00:23:44.278 --> 00:23:45.999 Like, oh, it's just a script kiddie, 00:23:46.401 --> 00:23:48.382 just some hobbyist application. 00:23:49.082 --> 00:23:50.182 A few months ago, 00:23:50.202 --> 00:23:51.284 I was talking to a recruiter. 00:23:51.943 --> 00:23:53.064 Because we're looking for people. 
00:23:53.104 --> 00:23:53.624 And he asked me, 00:23:54.865 --> 00:23:56.205 are there full-time businesses working 00:23:56.246 --> 00:23:56.586 with WordPress? 00:23:56.605 --> 00:23:59.527 Yeah, duh, of course there are. 00:23:59.606 --> 00:23:59.866 Anyway, 00:24:00.426 --> 00:24:01.627 but I think the reputation is coming. 00:24:01.708 --> 00:24:02.968 Yes, back in the early days, 00:24:03.387 --> 00:24:04.449 WordPress had a number of... 00:24:06.105 --> 00:24:06.845 core vulnerabilities. 00:24:07.224 --> 00:24:09.405 By the way, it's not unique to WordPress. 00:24:09.546 --> 00:24:10.365 Every other software, 00:24:10.425 --> 00:24:11.346 especially in the early years, 00:24:11.646 --> 00:24:13.447 they have these vulnerabilities, 00:24:13.747 --> 00:24:14.826 which is nice because, of course, 00:24:15.768 --> 00:24:17.788 you can look at it differently. 00:24:17.928 --> 00:24:19.229 You can look at it like, say, oh, 00:24:19.489 --> 00:24:20.528 that software had a lot of 00:24:20.548 --> 00:24:22.088 vulnerabilities, so it's insecure. 00:24:22.128 --> 00:24:22.730 Or you can look at it, 00:24:22.970 --> 00:24:24.769 every vulnerability that's found and 00:24:24.869 --> 00:24:25.769 reported and fixed, 00:24:25.869 --> 00:24:27.351 that software is becoming more and more 00:24:27.391 --> 00:24:27.651 secure. 00:24:28.171 --> 00:24:30.494 So every software has to go to that 00:24:30.555 --> 00:24:32.759 phase where they find the number of MLTs 00:24:32.919 --> 00:24:33.840 and then becomes more secure. 00:24:34.101 --> 00:24:34.801 Even our plugins, 00:24:35.242 --> 00:24:36.064 even all the top plugins, 00:24:36.104 --> 00:24:37.866 look at all the top plugins, Yoast, 00:24:38.307 --> 00:24:38.848 WooCommerce, 00:24:38.909 --> 00:24:40.050 they all had their fair share, 00:24:40.070 --> 00:24:40.570 which is normal. 00:24:41.720 --> 00:24:43.161 So I think the reputation is coming from 00:24:43.221 --> 00:24:43.421 there. 
00:24:44.342 --> 00:24:47.063 Secondly, the media doesn't help. 00:24:47.884 --> 00:24:49.525 Matt Mullenweg mentioned it. 00:24:50.465 --> 00:24:52.346 He wrote something about M-Dash. 00:24:53.327 --> 00:24:54.828 And yes, like unfortunately, 00:24:54.868 --> 00:24:56.910 when there's a vulnerability in a plugin 00:24:56.990 --> 00:24:58.971 that is installed on zero point zero one 00:24:59.030 --> 00:24:59.991 percent of the websites, 00:25:00.551 --> 00:25:02.053 we start seeing the media, emails, 00:25:02.172 --> 00:25:03.874 even some vendors like two hundred 00:25:03.894 --> 00:25:05.295 thousand websites vulnerable to. 00:25:06.476 --> 00:25:07.396 So that doesn't help. 00:25:07.416 --> 00:25:08.116 So people, of course, 00:25:08.176 --> 00:25:08.817 have this impression. 00:25:09.678 --> 00:25:12.680 Last but not least, yes, 00:25:13.621 --> 00:25:14.701 everyone can develop plugins. 00:25:14.842 --> 00:25:16.522 Now, the problem which I see, 00:25:16.542 --> 00:25:18.463 like people put all the plugins, 00:25:18.604 --> 00:25:19.605 WordPress core in one box, 00:25:19.845 --> 00:25:20.346 but they're not. 00:25:20.586 --> 00:25:22.047 I mean, you have a number of plugins, 00:25:22.968 --> 00:25:23.907 a small percentage of plugins, 00:25:23.928 --> 00:25:26.349 which are maintained by commercial 00:25:26.369 --> 00:25:26.690 companies. 00:25:26.789 --> 00:25:27.471 It's not always perfect, 00:25:27.510 --> 00:25:28.652 but they will always have issues. 00:25:28.692 --> 00:25:30.553 But yeah, there's someone behind them. 00:25:30.573 --> 00:25:31.513 They are being maintained. 00:25:32.034 --> 00:25:33.355 Of course, they will have vulnerabilities, 00:25:34.134 --> 00:25:35.076 but they are being fixed. 
00:25:35.336 --> 00:25:35.997 But then, of course, 00:25:36.017 --> 00:25:37.097 you have a number of plugins 00:25:38.050 --> 00:25:40.452 that are from hobbyists or maybe for 00:25:40.472 --> 00:25:41.973 someone who's still learning and they have 00:25:41.993 --> 00:25:42.535 security issues. 00:25:42.615 --> 00:25:43.394 And unfortunately they are never 00:25:43.434 --> 00:25:43.895 maintained. 00:25:44.096 --> 00:25:46.958 I think Patchstack, not last year, 00:25:46.978 --> 00:25:47.479 the year before, 00:25:48.876 --> 00:25:49.377 or last year, 00:25:49.397 --> 00:25:52.181 they had a hackathon and I don't know 00:25:52.201 --> 00:25:53.162 how many vulnerabilities they found, 00:25:53.241 --> 00:25:54.643 but because of these issues, 00:25:55.024 --> 00:25:56.786 two thousand plugins were closed on the 00:25:56.806 --> 00:25:58.326 repository because when the repository 00:25:58.346 --> 00:25:59.407 tried to find the authors, 00:26:00.068 --> 00:26:00.970 they never got back to them. 00:26:01.029 --> 00:26:03.211 So you have to close them. 00:26:03.813 --> 00:26:04.413 And then of course, 00:26:04.452 --> 00:26:05.874 these stories are used for marketing, 00:26:06.015 --> 00:26:09.218 but they are sensationalized sometimes. 
00:26:10.098 --> 00:26:12.039 And people don't read how many good 00:26:12.059 --> 00:26:13.820 plugins there are. People read, oh, two thousand 00:26:13.840 --> 00:26:16.521 plugins were closed. Oh, uh, especially 00:26:16.541 --> 00:26:18.782 nowadays with vibe coding. Uh, I think 00:26:18.962 --> 00:26:21.263 Oliver from Patchstack just posted, in, in 00:26:21.403 --> 00:26:25.666 Feb, in March, they received, uh, two thousand 00:26:26.307 --> 00:26:27.928 vulnerabilities, uh, reports about two 00:26:27.948 --> 00:26:30.749 thousand vulnerabilities. Um, they still have to 00:26:30.788 --> 00:26:32.049 check them at chat and verify them, but 00:26:32.069 --> 00:26:34.830 yeah, like unfortunately the bad news are 00:26:35.010 --> 00:26:36.372 still, are used. 00:26:37.271 --> 00:26:37.573 Right. 00:26:37.593 --> 00:26:38.432 So sometimes for marketing, 00:26:38.453 --> 00:26:39.815 but sometimes are sensationalized. 00:26:39.914 --> 00:26:43.638 And these, they don't have the WordPress. 00:26:44.759 --> 00:26:45.621 Even like, as I said, 00:26:45.641 --> 00:26:47.422 like whenever there is a vulnerability, 00:26:47.923 --> 00:26:49.164 you receive all these newsletters, 00:26:49.184 --> 00:26:51.268 like three hundred thousand websites. 00:26:52.348 --> 00:26:53.849 In regards to comparison to Amdash, 00:26:53.869 --> 00:26:55.132 because Amdash mentioned that they're 00:26:55.172 --> 00:26:55.572 going to 00:26:56.744 --> 00:26:59.186 The plugins will be sandboxed, et cetera. 00:27:00.007 --> 00:27:01.989 Matt mentioned, looked at it differently. 00:27:02.108 --> 00:27:04.269 He said the fact that, 00:27:04.990 --> 00:27:06.092 I'm going to butcher it roughly, 00:27:06.112 --> 00:27:12.076 but the fact that plugins can change every 00:27:12.115 --> 00:27:14.297 feature of every functionality of 00:27:14.336 --> 00:27:14.656 WordPress, 00:27:14.676 --> 00:27:16.618 that's actually a feature because you give 00:27:16.659 --> 00:27:17.098 them so much. 
00:27:17.499 --> 00:27:19.240 I think it really depends on things. 00:27:19.320 --> 00:27:20.521 I mean, if you know what you're doing, 00:27:21.451 --> 00:27:22.633 and use reliable plugins. 00:27:23.213 --> 00:27:23.835 Yeah, it's not an issue. 00:27:23.894 --> 00:27:24.976 Of course, by design, 00:27:25.596 --> 00:27:28.180 especially if you try to compare WordPress 00:27:28.200 --> 00:27:29.861 to an operating system, like Linux, etc. 00:27:29.961 --> 00:27:32.403 Yes, you have permissions and sandbox, 00:27:32.483 --> 00:27:32.624 but 00:27:33.480 --> 00:27:34.961 We're talking about a CMS to run a 00:27:34.980 --> 00:27:36.382 website, not an operating system. 00:27:36.942 --> 00:27:38.124 So personally, 00:27:38.604 --> 00:27:40.365 are there things that can be improved? 00:27:40.726 --> 00:27:41.967 Some things, but in general, 00:27:42.106 --> 00:27:44.429 it's always like core at this stage is 00:27:44.489 --> 00:27:45.190 very, very secure. 00:27:46.490 --> 00:27:49.813 Many plugins nowadays are developed by 00:27:49.833 --> 00:27:50.673 seasoned developers. 00:27:50.693 --> 00:27:52.516 There are seasoned companies. 00:27:53.296 --> 00:27:54.637 that's been around for a few years they 00:27:54.657 --> 00:27:55.959 have the experience so if you use the 00:27:55.980 --> 00:27:59.042 right plugins and uh do the right research 00:27:59.163 --> 00:28:01.465 use the right plugins and keep your 00:28:01.486 --> 00:28:02.788 software up to date in general you're 00:28:02.887 --> 00:28:05.530 pretty much safe however as i said people 00:28:05.550 --> 00:28:07.534 are uh there are six thousand plugins 00:28:09.876 --> 00:28:10.237 Guaranteed, 00:28:10.257 --> 00:28:12.897 some of them are insecure or have some 00:28:12.917 --> 00:28:13.397 security issues. 00:28:13.577 --> 00:28:14.999 And whenever one of these have an issue, 00:28:15.378 --> 00:28:16.660 yeah, the media essentially manages that. 
00:28:16.700 --> 00:28:17.319 So, of course, 00:28:17.359 --> 00:28:18.299 we are getting that impression. 00:28:18.920 --> 00:28:19.240 By the way, 00:28:19.280 --> 00:28:20.361 it's very important to point out, 00:28:20.421 --> 00:28:22.322 this is not just an issue with WordPress. 00:28:23.162 --> 00:28:24.823 Every software guaranteed has 00:28:24.843 --> 00:28:25.343 vulnerabilities. 00:28:25.442 --> 00:28:27.384 It's not a question of who doesn't have, 00:28:27.443 --> 00:28:28.703 it's a question of when they will be 00:28:28.743 --> 00:28:28.983 found. 00:28:29.664 --> 00:28:29.785 So... 00:28:30.904 --> 00:28:32.006 But the media, unfortunately, 00:28:32.046 --> 00:28:32.787 gives that impression. 00:28:32.906 --> 00:28:35.107 And those outside WordPress look at 00:28:35.147 --> 00:28:36.009 WordPress like, oh, 00:28:36.048 --> 00:28:38.211 it's a hobbyist script. 00:28:38.250 --> 00:28:40.092 Someone's a few scripts and running this. 00:28:40.311 --> 00:28:41.113 So it's not that secure. 00:28:41.979 --> 00:28:42.298 Yeah, I mean, 00:28:42.318 --> 00:28:45.902 the thing that occurs to me about that 00:28:46.001 --> 00:28:48.483 whole thing really is, like, I mean, 00:28:48.724 --> 00:28:49.986 I've been interested in and involved in 00:28:50.006 --> 00:28:51.487 open source for, I don't know, 00:28:51.527 --> 00:28:52.547 twenty-ish years, right? 
00:28:52.567 --> 00:28:55.249 So, like, and, like, before WordPress, 00:28:55.269 --> 00:28:56.931 it was other things, and I was, like, 00:28:57.551 --> 00:28:58.752 you know, looking at, like, 00:28:58.813 --> 00:29:02.316 and using Linux, and, you know, the size, 00:29:02.635 --> 00:29:04.998 the more people that use a particular 00:29:05.038 --> 00:29:05.919 piece of software, 00:29:06.278 --> 00:29:08.681 particularly a piece of open source 00:29:08.701 --> 00:29:11.503 software, the more eyes there are on it, 00:29:11.524 --> 00:29:14.507 which means when you have more eyes on 00:29:14.547 --> 00:29:15.028 a thing, 00:29:15.087 --> 00:29:16.308 then it's more likely to actually get 00:29:16.388 --> 00:29:18.871 fixed than if you have not as many. 00:29:19.231 --> 00:29:21.274 And the other thing that occurs to me 00:29:21.294 --> 00:29:26.218 is no one says don't use Microsoft Windows 00:29:26.979 --> 00:29:29.660 because you need to run mcafee on it 00:29:29.720 --> 00:29:31.580 or something you know like yeah like 00:29:31.840 --> 00:29:34.221 windows had lots of viruses and bugs and 00:29:34.241 --> 00:29:37.042 like you know exploits and and and that 00:29:37.083 --> 00:29:41.565 was the operating system of every business 00:29:42.684 --> 00:29:45.246 industry like every everyone was using 00:29:45.346 --> 00:29:49.607 windows or windows like long past when 00:29:49.627 --> 00:29:50.868 they should have been using those 00:29:50.949 --> 00:29:53.069 operating systems and like 00:29:54.448 --> 00:29:57.672 there, I mean, it's, it's, I remember how, 00:29:57.932 --> 00:29:59.512 like, I used to work in, 00:29:59.753 --> 00:30:02.215 I used to do tech support for, 00:30:02.656 --> 00:30:05.660 for a grocery chain, and we had, 00:30:07.201 --> 00:30:07.422 we had, 00:30:07.442 --> 00:30:09.063 it was when we were rolling out, like, 00:30:09.083 --> 00:30:10.704 the self-checkouts and things, and, and, 00:30:10.744 --> 00:30:11.945 like, photo kiosks and 
stuff, 00:30:12.185 --> 00:30:13.106 and they all ran, like, 00:30:13.166 --> 00:30:13.488 Windows 00:30:16.371 --> 00:30:17.834 I think the version that was modern then 00:30:17.854 --> 00:30:20.858 was, like, probably Vista or whatever, 00:30:21.519 --> 00:30:22.822 maybe Windows seven or something. 00:30:23.742 --> 00:30:24.203 But, like... 00:30:25.258 --> 00:30:26.358 It was just because it was easy to 00:30:26.378 --> 00:30:27.760 write Windows ninety five or Windows 00:30:27.780 --> 00:30:28.580 ninety eight software, 00:30:28.601 --> 00:30:29.823 and that was just like what they had 00:30:29.863 --> 00:30:30.864 licenses for or whatever. 00:30:30.903 --> 00:30:33.546 But like and like arguably, 00:30:33.605 --> 00:30:35.448 it's probably a problem that a point of 00:30:35.488 --> 00:30:37.049 sale system is running an outdated 00:30:37.130 --> 00:30:38.911 operating system because it wouldn't be 00:30:38.951 --> 00:30:40.992 that hard to like they're connected to the 00:30:41.053 --> 00:30:42.414 Internet, they're connected to wireless, 00:30:42.434 --> 00:30:43.736 they're connected to the network in the in 00:30:43.776 --> 00:30:46.558 the store like you could get into it 00:30:46.618 --> 00:30:47.839 like, you know, 00:30:47.880 --> 00:30:49.501 like these are things that actually run 00:30:50.182 --> 00:30:53.965 things where there's a cash payment system 00:30:54.006 --> 00:30:56.087 attached to the actual physical device, 00:30:56.127 --> 00:30:56.347 right? 00:30:57.388 --> 00:30:59.852 And those are far more impactful than 00:31:00.112 --> 00:31:01.973 someone's website. 00:31:03.275 --> 00:31:04.316 Yeah. 00:31:04.436 --> 00:31:06.297 It's still an issue nowadays, by the way. 
00:31:08.941 --> 00:31:10.201 You can find a lot of articles where 00:31:10.221 --> 00:31:12.082 they explain how especially main big 00:31:12.122 --> 00:31:12.602 frameworks, 00:31:13.182 --> 00:31:14.242 especially in the banking system, 00:31:14.884 --> 00:31:16.503 because of some old software, 00:31:16.524 --> 00:31:19.465 they still use some old versions of 00:31:19.526 --> 00:31:20.526 Windows or Linux, et cetera, 00:31:20.546 --> 00:31:21.326 and they cannot update. 00:31:22.067 --> 00:31:22.507 And it's funny. 00:31:23.467 --> 00:31:25.047 I remember this meme quite a few years 00:31:25.087 --> 00:31:26.528 ago, 00:31:26.608 --> 00:31:28.529 like someone laughing from behind the 00:31:28.549 --> 00:31:28.910 curtains. 00:31:29.390 --> 00:31:30.250 And it's like the devil... 00:31:31.290 --> 00:31:32.412 laughing from behind the curtain the idea 00:31:32.432 --> 00:31:33.893 is like because banks are all the time 00:31:33.913 --> 00:31:35.453 imposing all these compliance regulations 00:31:35.493 --> 00:31:37.414 and stuff and then when you look at 00:31:37.434 --> 00:31:39.376 this their networks because of some old 00:31:39.416 --> 00:31:40.837 software they cannot upgrade so their 00:31:40.877 --> 00:31:42.999 networks is their networks are much more 00:31:43.019 --> 00:31:45.221 insecure than all the software out there 00:31:45.240 --> 00:31:46.942 so yeah it it is still a common 00:31:46.961 --> 00:31:49.083 issue and i agree with you no one 00:31:49.103 --> 00:31:51.404 says don't use windows and windows has and 00:31:51.424 --> 00:31:53.006 still has a fair share of issues quite 00:31:53.046 --> 00:31:55.587 frankly um but yeah it's it's just 00:31:56.708 --> 00:31:57.189 I don't know. 00:31:57.209 --> 00:31:58.849 I think maybe WordPress is picked on 00:31:58.910 --> 00:32:00.730 because, as I said, 00:32:01.872 --> 00:32:03.393 the news in general doesn't help. 00:32:03.413 --> 00:32:05.054 We really sensationalize it. 
00:32:05.434 --> 00:32:05.734 Yes, 00:32:05.795 --> 00:32:07.875 can there be improvements in the way 00:32:08.056 --> 00:32:09.698 plugins interface with the core? 00:32:09.738 --> 00:32:13.119 Can you maybe segregate that in a way? 00:32:13.941 --> 00:32:15.201 Yes, there can be ways, 00:32:15.240 --> 00:32:18.423 but it also depends on how you use 00:32:18.463 --> 00:32:18.544 it. 00:32:18.604 --> 00:32:19.403 I think one of the biggest... 00:32:19.584 --> 00:32:20.964 I have always said that one of the 00:32:20.984 --> 00:32:22.487 biggest issues with WordPress is... 00:32:24.362 --> 00:32:25.663 is the fact that it's easy to use. 00:32:25.762 --> 00:32:30.968 As in, it's a bit of a .. 00:32:27.904 --> 00:32:28.464 As in, 00:32:28.545 --> 00:32:30.307 the fact that it's easy to use is 00:32:30.346 --> 00:32:32.248 what made it popular, which is great. 00:32:32.909 --> 00:32:36.511 And so it truly democratizes publishing. 00:32:37.613 --> 00:32:39.394 However, also, when it's easy to use, 00:32:39.413 --> 00:32:41.855 you have a lot of people who start 00:32:41.875 --> 00:32:42.616 their own website. 00:32:42.936 --> 00:32:45.558 And yeah, they have no idea. 00:32:45.939 --> 00:32:47.560 Maybe, I don't know, you're a baker, 00:32:47.780 --> 00:32:48.862 and you have your own small business, 00:32:48.882 --> 00:32:49.822 and you want to set up a website. 00:32:49.922 --> 00:32:52.464 So it's very easy nowadays by hosting. 00:32:53.144 --> 00:32:54.346 install some plugins, et cetera. 00:32:55.547 --> 00:32:57.087 However, these people, yeah, 00:32:57.127 --> 00:32:58.028 their focus is business. 00:32:58.047 --> 00:33:00.069 It's not like technical stuff. 00:33:00.089 --> 00:33:01.431 So they have no idea what it takes 00:33:01.451 --> 00:33:02.250 to maintain a website. 00:33:02.270 --> 00:33:03.392 So yeah, they install a few plugins. 00:33:04.772 --> 00:33:05.794 They never log into the website. 00:33:05.814 --> 00:33:06.614 They never update their plugins. 
00:33:06.634 --> 00:33:07.874 So of course, they're going to get hacked. 00:33:07.934 --> 00:33:10.656 It's not WordPress issue because they had 00:33:10.676 --> 00:33:12.238 some old plugins or maybe they use some 00:33:12.978 --> 00:33:15.240 plugin, which I don't know. 00:33:15.259 --> 00:33:16.580 Maybe it's not that reliable, et cetera. 00:33:16.760 --> 00:33:17.661 They never update it. 00:33:17.721 --> 00:33:18.622 So yeah, of course, 00:33:18.642 --> 00:33:19.682 we're going to see all these websites 00:33:19.722 --> 00:33:19.922 hacked. 00:33:20.063 --> 00:33:20.663 And that one... 00:33:22.124 --> 00:33:23.326 It's a bit of a double-edged sword because 00:33:23.346 --> 00:33:24.247 it's very easy to use. 00:33:24.626 --> 00:33:25.847 So it democratizes the web. 00:33:26.607 --> 00:33:28.128 But just because it's easy to use, 00:33:28.229 --> 00:33:29.990 also you get all these inexperienced users 00:33:30.090 --> 00:33:30.451 using it. 00:33:30.611 --> 00:33:32.051 So then it gets this better reputation. 00:33:32.072 --> 00:33:33.333 So it's a bit of a, yeah. 
00:33:34.862 --> 00:33:35.001 Well, 00:33:35.061 --> 00:33:37.663 and I think a trend that I've noticed 00:33:38.044 --> 00:33:39.365 looking at some of like Patchstack's 00:33:39.384 --> 00:33:43.387 reports and their state of security in 00:33:43.428 --> 00:33:46.569 WordPress sort of things that, you know, 00:33:46.710 --> 00:33:48.531 once upon a time, especially, you know, 00:33:48.592 --> 00:33:50.732 when I was like freelancing very early on 00:33:50.772 --> 00:33:51.913 in my WordPress career, 00:33:52.374 --> 00:33:56.237 like the mechanism by which a site would 00:33:56.257 --> 00:33:59.058 get hacked was very frequently related to, 00:34:00.580 --> 00:34:02.823 uh, file system permissions and also like 00:34:02.863 --> 00:34:05.444 the security of the hosts, such that like 00:34:05.786 --> 00:34:07.606 if you got access, you could find it, 00:34:07.646 --> 00:34:09.169 you could sort of like cd into like 00:34:09.189 --> 00:34:11.131 the right directory and then we inject an 00:34:11.211 --> 00:34:13.232 actual file, because the file, the file 00:34:13.272 --> 00:34:15.874 permissions on your folder were not secure 00:34:15.894 --> 00:34:17.757 enough, so another user could drop a file 00:34:17.777 --> 00:34:19.659 there, and then that would like write some 00:34:19.699 --> 00:34:21.480 other file, or, you know, you'd get some, 00:34:21.681 --> 00:34:22.801 something where it would execute, and then 00:34:22.822 --> 00:34:24.383 you have this like base sixty-four encoded 00:34:24.422 --> 00:34:24.844 bullshit. 00:34:25.443 --> 00:34:29.525 So it's really fundamentally like, oh, 00:34:29.664 --> 00:34:31.465 you did your permissions wrong and now 00:34:31.526 --> 00:34:33.806 somebody was able to physically write to 00:34:33.846 --> 00:34:36.146 your file system, which is obviously bad. 
00:34:37.406 --> 00:34:40.847 But that sort of attack isn't as common, 00:34:41.067 --> 00:34:41.649 I don't think, 00:34:42.169 --> 00:34:44.388 as now it's more like privilege 00:34:44.449 --> 00:34:44.990 escalation. 00:34:45.450 --> 00:34:46.609 It's more about like, oh, 00:34:46.670 --> 00:34:48.951 if you can get access in the first 00:34:48.990 --> 00:34:50.191 place, which again, as we've said, 00:34:50.570 --> 00:34:52.711 there are weak points your your your 00:34:52.971 --> 00:34:55.613 website your your computer is only as 00:34:55.913 --> 00:35:00.115 secure as the weakest password um so like 00:35:00.155 --> 00:35:01.816 if you can get access to the system 00:35:01.996 --> 00:35:03.957 then once you once you're in you can 00:35:03.977 --> 00:35:06.157 do all sorts of different things and then 00:35:06.198 --> 00:35:08.659 it's like and that becomes that's both 00:35:08.699 --> 00:35:10.799 like oh well if you have access to 00:35:10.819 --> 00:35:12.941 my website then I'm sort of tanked anyway 00:35:13.020 --> 00:35:13.961 but on the other hand like 00:35:14.990 --> 00:35:16.191 I that's, 00:35:16.270 --> 00:35:17.551 that's where a lot of the risks are 00:35:17.592 --> 00:35:17.791 in it. 00:35:17.872 --> 00:35:18.232 And it, 00:35:18.272 --> 00:35:20.874 you really need to think about like the, 00:35:21.454 --> 00:35:24.498 how you're enforcing a good, 00:35:25.338 --> 00:35:28.280 secure hygiene for just managing a system 00:35:28.300 --> 00:35:28.580 like that. 00:35:28.621 --> 00:35:30.063 Like it's not even WordPress specific. 00:35:30.083 --> 00:35:31.364 It's like any, any system, 00:35:31.403 --> 00:35:33.404 a network or a web, like a computer, 00:35:33.464 --> 00:35:36.928 like anything needs is only as secure as, 00:35:37.068 --> 00:35:38.730 as the weakest password in the link. 
00:35:39.880 --> 00:35:40.960 Yes, I mean, first of all, 00:35:40.999 --> 00:35:42.361 WordPress powers, yeah, 00:35:42.421 --> 00:35:43.642 forty percent plus of the websites. 00:35:43.662 --> 00:35:47.462 So that's a big chunk of the internet. 00:35:47.482 --> 00:35:49.243 So, of course, yeah, I mean, 00:35:49.324 --> 00:35:51.565 it will be the most targeted platform. 00:35:52.105 --> 00:35:53.085 Secondly, as you're saying, yeah, 00:35:53.124 --> 00:35:54.846 mostly they are user issues. 00:35:55.846 --> 00:35:58.266 If you look at the state of security 00:35:58.447 --> 00:36:00.807 from Patchstack and the one of Rust, 00:36:00.827 --> 00:36:03.289 there was in the early beginning of the 00:36:03.309 --> 00:36:05.610 year a joint report between Sucuri and 00:36:05.769 --> 00:36:06.130 Patchstack. 00:36:06.530 --> 00:36:08.952 The two biggest issues are user issues. 00:36:10.331 --> 00:36:12.293 Passwords is still the same old story. 00:36:12.813 --> 00:36:13.713 And outdated software. 00:36:13.773 --> 00:36:15.512 And that's why people are able to find 00:36:16.653 --> 00:36:19.434 exploitable vulnerabilities in plugins. 00:36:20.315 --> 00:36:21.695 Because even if a plugin has 00:36:21.735 --> 00:36:23.795 vulnerabilities, that doesn't worry me. 00:36:23.916 --> 00:36:26.815 What worries me is how quickly does the 00:36:26.856 --> 00:36:28.317 vendor respond? 00:36:28.436 --> 00:36:29.177 Do they release a patch? 00:36:29.556 --> 00:36:30.056 That's all good. 00:36:30.617 --> 00:36:31.577 But even then, 00:36:31.697 --> 00:36:33.577 most people don't update their plugins. 00:36:34.498 --> 00:36:37.960 And that is a user problem. 00:36:38.240 --> 00:36:40.842 And that is Patchstack's main business. 00:36:40.862 --> 00:36:41.322 I mean, like, 00:36:43.384 --> 00:36:46.286 they have specific firewall rules for the 00:36:46.527 --> 00:36:47.527 specific number of plugins you have on 00:36:47.547 --> 00:36:48.068 your website. 
00:36:48.407 --> 00:36:48.827 Don't get me wrong, 00:36:48.847 --> 00:36:49.869 it's a very good business model. 00:36:49.909 --> 00:36:50.849 It's a very good solution. 00:36:51.389 --> 00:36:53.952 But yeah, the premise is like, 00:36:54.072 --> 00:36:55.733 if everyone really keeps their plugins up 00:36:55.753 --> 00:36:57.853 to date and keeps their software up to 00:36:57.873 --> 00:36:59.574 date, Patchstack will run out of business, 00:37:00.456 --> 00:37:00.856 in theory. 00:37:00.876 --> 00:37:02.818 But yeah, so if you look at them, 00:37:04.934 --> 00:37:07.315 user issues because even if there's a 00:37:07.436 --> 00:37:09.217 privilege escalation issue most probably 00:37:09.297 --> 00:37:11.659 if so let's say you have an e-commerce 00:37:11.679 --> 00:37:13.820 store and someone hacks a customer account 00:37:14.119 --> 00:37:16.021 hijacks a customer account some people 00:37:16.041 --> 00:37:17.481 tell you like it's a low privilege account 00:37:17.501 --> 00:37:19.884 yeah fine it's true but first of all 00:37:20.164 --> 00:37:22.666 once once you have access to a website 00:37:22.766 --> 00:37:24.306 through an account regardless of 00:37:24.646 --> 00:37:26.748 privileges you have one foot in the door 00:37:27.349 --> 00:37:29.749 it's easier to launch social engineering 00:37:29.789 --> 00:37:31.452 attacks however even if um 00:37:32.644 --> 00:37:34.686 you try to exploit something in a 00:37:34.846 --> 00:37:37.208 privilege escalation you can do it most 00:37:37.447 --> 00:37:39.528 most probably because you can do it only 00:37:39.628 --> 00:37:41.710 if there's a plugin or there's a software 00:37:42.010 --> 00:37:43.590 that is vulnerable and allows you to do 00:37:43.630 --> 00:37:45.211 it because if you have a customer account 00:37:45.311 --> 00:37:46.532 and all your software is up to date 00:37:47.353 --> 00:37:49.934 you cannot escalate your privileges so 00:37:50.014 --> 00:37:51.856 easily you know so again it always 00:37:51.936 
--> 00:37:53.655 revolves around user issues if you keep 00:37:53.675 --> 00:37:55.798 your plugins up to date and have some 00:37:56.597 --> 00:38:01.061 basic user security hygiene then all these 00:38:01.121 --> 00:38:02.923 problems will be solved but there are 00:38:03.123 --> 00:38:05.286 again many websites which are abandoned 00:38:05.445 --> 00:38:07.608 they are never logged in and and yeah 00:38:07.889 --> 00:38:09.650 again we get the oh wordpress is a 00:38:09.690 --> 00:38:10.911 problem now actually it's not where is the 00:38:10.952 --> 00:38:13.213 problem the users maintaining the websites 00:38:13.253 --> 00:38:13.554 are the problem 00:38:14.637 --> 00:38:19.300 You mentioned earlier about how if you get 00:38:19.340 --> 00:38:20.159 the right plugins, 00:38:20.340 --> 00:38:22.501 if you find trusted plugins and you do 00:38:22.521 --> 00:38:24.041 your research and things like that, 00:38:24.721 --> 00:38:26.601 but with sixty thousand or however many 00:38:26.641 --> 00:38:27.641 plugins there are in the WordPress 00:38:27.661 --> 00:38:28.322 repository, 00:38:28.443 --> 00:38:30.543 and like you do a search for any 00:38:30.603 --> 00:38:32.423 given string, you know, 00:38:32.503 --> 00:38:34.085 for I want this type of plugin, 00:38:34.105 --> 00:38:36.184 you're going to get dozens of results. 
00:38:36.605 --> 00:38:39.967 So do you have thoughts around like I 00:38:40.007 --> 00:38:43.007 know how I evaluate plugins when I'm for 00:38:43.027 --> 00:38:43.427 myself, 00:38:43.467 --> 00:38:43.768 but I'm 00:38:44.288 --> 00:38:46.329 been doing this for twenty years and i 00:38:46.369 --> 00:38:47.949 go to the conferences and i talk to 00:38:47.969 --> 00:38:49.130 all the people and i know who i 00:38:49.190 --> 00:38:51.972 trust right so how do how does a 00:38:52.032 --> 00:38:55.175 person who is a baker or whatever like 00:38:55.494 --> 00:38:57.115 who's doing this thing who's trying to do 00:38:57.157 --> 00:39:00.798 their best to to get like trusted software 00:39:00.978 --> 00:39:04.021 packages on their website how do they 00:39:04.141 --> 00:39:08.164 evaluate what uh like what what things 00:39:08.184 --> 00:39:10.445 would you suggest to help them evaluate 00:39:10.644 --> 00:39:12.507 like what the best way of of 00:39:13.327 --> 00:39:16.210 finding a trusted plugin author when 00:39:16.230 --> 00:39:18.391 they're looking for a particular solution 00:39:18.411 --> 00:39:18.851 for their site? 00:39:18.871 --> 00:39:18.931 Yes. 00:39:19.713 --> 00:39:20.592 Yeah, very quick question. 00:39:21.333 --> 00:39:21.753 First of all, 00:39:21.793 --> 00:39:23.175 the fact that there are sixty thousand 00:39:23.235 --> 00:39:23.635 plugins, 00:39:23.815 --> 00:39:25.536 it's already a bit of a problem because 00:39:25.556 --> 00:39:26.938 you have this choice dilemma. 00:39:28.940 --> 00:39:31.061 I remember, by the way, 00:39:31.121 --> 00:39:31.561 when I got married, 00:39:31.581 --> 00:39:33.023 we were doing our house. 00:39:33.824 --> 00:39:35.005 My wife wanted to go to like four 00:39:35.025 --> 00:39:36.547 or five different vendors to choose the 00:39:36.567 --> 00:39:36.786 kitchen. 
00:39:37.307 --> 00:39:38.009 I was like, oh, 00:39:38.028 --> 00:39:39.030 it would be nice if there was only 00:39:39.090 --> 00:39:40.512 one vendor and just go for one kitchen. 00:39:41.373 --> 00:39:42.315 It makes life easier. 00:39:42.536 --> 00:39:43.356 And the same with plugins. 00:39:43.717 --> 00:39:44.920 But yeah, there are a few rules. 00:39:46.552 --> 00:39:47.193 The repository, 00:39:47.213 --> 00:39:48.596 there are a number of statistics that help 00:39:48.615 --> 00:39:48.755 you. 00:39:48.896 --> 00:39:49.135 I mean, 00:39:49.436 --> 00:39:50.577 you have the number of active 00:39:50.597 --> 00:39:51.298 installations. 00:39:51.579 --> 00:39:52.579 If you just look at the number of 00:39:52.699 --> 00:39:53.601 active installations, 00:39:54.141 --> 00:39:55.282 if you look at the support tickets, 00:39:55.663 --> 00:39:56.824 how many support tickets were resolved, 00:39:56.844 --> 00:39:57.364 et cetera, 00:39:58.126 --> 00:39:59.887 and how quick they are resolved. 00:40:00.489 --> 00:40:01.610 And if you look at the ratings, 00:40:01.809 --> 00:40:03.211 those are really like three good things. 00:40:03.552 --> 00:40:05.114 You have the number of active 00:40:05.134 --> 00:40:05.795 installations. 
00:40:08.157 --> 00:40:11.077 the the support and the reviews of course 00:40:11.157 --> 00:40:12.538 if you look at those it will be 00:40:12.557 --> 00:40:15.679 difficult for new new starter plugins to 00:40:15.719 --> 00:40:18.559 reach the but that's that's how it works 00:40:18.579 --> 00:40:19.719 you know like a plugin which has two 00:40:19.739 --> 00:40:21.059 hundred thousand active installations 00:40:21.099 --> 00:40:22.840 first of all or four hundred or more 00:40:23.501 --> 00:40:25.021 it means it's reliable it means a lot 00:40:25.041 --> 00:40:26.442 of people use it and most probably it's 00:40:26.461 --> 00:40:28.942 been around for a few years and yes 00:40:29.242 --> 00:40:31.202 it's very maintained another another one i 00:40:31.222 --> 00:40:33.902 would say it will depend but usually i 00:40:33.963 --> 00:40:35.724 prefer especially if i'm using it 00:40:36.324 --> 00:40:37.965 if I'm using my website for business, 00:40:38.124 --> 00:40:38.684 I mean, if it's a hobby, 00:40:38.704 --> 00:40:39.885 it's one thing, but if it's for business, 00:40:40.085 --> 00:40:42.688 I would opt to go for a commercial 00:40:42.708 --> 00:40:42.967 plugin. 00:40:43.048 --> 00:40:43.987 And the simple reason is this, 00:40:44.128 --> 00:40:45.469 even if I don't need the commercial 00:40:45.509 --> 00:40:45.869 features, 00:40:46.028 --> 00:40:47.429 I typically go for the commercial plugin 00:40:47.969 --> 00:40:49.791 because when you have a commercial entity 00:40:49.811 --> 00:40:50.472 behind the plugin, well, 00:40:52.052 --> 00:40:54.054 every business can go bankrupt, granted, 00:40:54.134 --> 00:40:56.894 but the chances of you being supported, 00:40:56.914 --> 00:40:58.815 getting support when there are issues 00:40:58.976 --> 00:41:00.858 being reported that vendor is going to 00:41:00.878 --> 00:41:03.139 respond and fix it are much higher. 
00:41:03.498 --> 00:41:04.619 When you have a plugin which is, 00:41:05.480 --> 00:41:06.179 completely free. 00:41:06.239 --> 00:41:07.201 There's nothing wrong with it. 00:41:08.161 --> 00:41:10.021 But if it's especially someone's hobby, 00:41:10.963 --> 00:41:12.204 even if there are issues or not, 00:41:12.304 --> 00:41:13.704 or if there is support, yeah, 00:41:13.724 --> 00:41:15.684 maybe this person only, yeah, 00:41:15.764 --> 00:41:16.266 it's a hobby. 00:41:16.485 --> 00:41:18.527 So he can only give two, 00:41:18.547 --> 00:41:19.586 three hours a week, for example. 00:41:19.606 --> 00:41:21.307 So he only replies on support issues on 00:41:21.327 --> 00:41:22.048 Saturday evening. 00:41:22.509 --> 00:41:24.650 So if you are using it for business 00:41:24.749 --> 00:41:26.331 and something happens, like, 00:41:26.471 --> 00:41:27.931 are you willing to wait for a week 00:41:28.652 --> 00:41:29.032 for a fix? 00:41:29.251 --> 00:41:31.173 So by using commercial plugins, 00:41:31.333 --> 00:41:33.394 you are supporting vendors and you are 00:41:34.195 --> 00:41:36.195 encouraging higher quality of plugins. 00:41:37.277 --> 00:41:38.556 But you're also guaranteed, 00:41:38.757 --> 00:41:39.538 you're never guaranteed, 00:41:39.577 --> 00:41:41.878 but there's a higher chance of that plugin 00:41:41.918 --> 00:41:42.519 being maintained. 00:41:42.619 --> 00:41:42.820 So yeah, 00:41:42.840 --> 00:41:44.039 I would say number of active 00:41:44.079 --> 00:41:46.181 installations, look at the reviews, 00:41:46.782 --> 00:41:47.802 look at the support tickets, 00:41:48.282 --> 00:41:50.324 and optionally, but nice to have, 00:41:50.824 --> 00:41:52.204 if there's an option to buy a commercial 00:41:52.224 --> 00:41:52.505 plugin, 00:41:53.105 --> 00:41:56.907 it helps because there's a certain level 00:41:56.947 --> 00:41:57.827 of service, basically. 00:41:58.347 --> 00:41:59.927 Yeah, yeah, for sure. 
00:42:00.088 --> 00:42:04.070 It's in the business's best interest for 00:42:04.150 --> 00:42:06.431 you to leave as a good customer, 00:42:06.530 --> 00:42:07.851 for you to have a good experience. 00:42:08.192 --> 00:42:10.253 It's literally their livelihood. 00:42:10.273 --> 00:42:12.753 So they're financially motivated to 00:42:12.793 --> 00:42:13.193 support you. 00:42:13.273 --> 00:42:14.514 Exactly, yeah. 00:42:14.655 --> 00:42:14.974 Yeah, 00:42:15.054 --> 00:42:16.735 if it's my plugin that I just threw 00:42:16.775 --> 00:42:19.336 up on WordPress.org five years ago and 00:42:19.376 --> 00:42:20.018 don't look at, 00:42:20.617 --> 00:42:22.858 I'm less inclined to respond to support 00:42:22.898 --> 00:42:23.239 tickets. 00:42:23.259 --> 00:42:24.800 Exactly. 00:42:24.820 --> 00:42:25.820 One of the things that... 00:42:27.161 --> 00:42:27.360 Yeah, 00:42:27.581 --> 00:42:30.463 you mentioned having so many options is a 00:42:30.503 --> 00:42:30.822 problem. 00:42:31.143 --> 00:42:33.623 A thing that I observed when I first 00:42:33.963 --> 00:42:36.824 went to my first DrupalCon that was 00:42:37.144 --> 00:42:39.686 distinct about the Drupal community versus 00:42:39.706 --> 00:42:44.528 the WordPress community was that because 00:42:44.548 --> 00:42:46.009 we have this sort of commercial 00:42:46.068 --> 00:42:46.650 marketplace, 00:42:46.670 --> 00:42:47.050 this sort of 00:42:47.630 --> 00:42:50.833 this e-commerce infrastructure around 00:42:51.012 --> 00:42:52.833 WordPress as a platform. 00:42:55.436 --> 00:42:56.998 There's this thing that happens in 00:42:57.038 --> 00:42:59.539 WordPress that doesn't happen in Drupal, 00:42:59.559 --> 00:43:00.079 which is 00:43:01.144 --> 00:43:03.007 if I have an idea for a security 00:43:03.027 --> 00:43:04.248 plugin and you have an idea for a 00:43:04.288 --> 00:43:04.887 security plugin, 00:43:05.427 --> 00:43:07.030 we're essentially competitors. 
00:43:07.389 --> 00:43:08.911 So we're less likely to share notes, 00:43:08.931 --> 00:43:10.251 we're less likely to work together, 00:43:11.193 --> 00:43:13.255 because I want to hold onto my IP 00:43:13.275 --> 00:43:14.416 and you want to hold onto your IP. 00:43:14.655 --> 00:43:15.476 Whereas in Drupal, 00:43:16.657 --> 00:43:19.099 if you have two separate sort of plugins 00:43:19.119 --> 00:43:20.641 that both are modules that kind of do 00:43:20.661 --> 00:43:21.541 the same sort of thing, 00:43:21.902 --> 00:43:23.822 there's more of a culture of like, well, 00:43:24.083 --> 00:43:25.585 let's put our ideas together and 00:43:25.824 --> 00:43:28.306 collaborate and make this a single 00:43:28.347 --> 00:43:29.708 solution that is better for everyone. 00:43:31.268 --> 00:43:33.130 As a result, there are fewer options, 00:43:33.710 --> 00:43:34.909 but also as a result, 00:43:35.150 --> 00:43:39.673 there's less potential in the Drupal 00:43:39.753 --> 00:43:42.333 ecosystem as a whole to go out and 00:43:42.393 --> 00:43:45.074 sell that thing because everyone's trying 00:43:45.115 --> 00:43:45.916 to collectively build 00:43:46.436 --> 00:43:47.596 like the best thing, 00:43:48.076 --> 00:43:49.157 the single best thing, 00:43:49.416 --> 00:43:51.516 but also I can't take that idea and 00:43:51.536 --> 00:43:54.657 then sell it, you know, because like, 00:43:54.797 --> 00:43:56.157 yeah, it's, it's, it's, it's, 00:43:56.257 --> 00:43:58.177 and so that's the, they've like, 00:43:58.197 --> 00:43:59.938 they've struggled to sort of like 00:43:59.958 --> 00:44:00.458 productize 00:44:01.039 --> 00:44:04.539 the pieces of Drupal that the WordPress 00:44:04.579 --> 00:44:06.498 ecosystem has sort of naturally. 00:44:07.059 --> 00:44:08.739 And there's like pros and cons there. 
00:44:08.800 --> 00:44:09.260 Like there's, 00:44:09.440 --> 00:44:10.940 there's a trade-off in terms of like 00:44:11.039 --> 00:44:12.981 collaboration versus competition and, 00:44:13.440 --> 00:44:13.940 and all sorts of, 00:44:14.041 --> 00:44:15.681 and then also just having so many options. 00:44:16.739 --> 00:44:16.920 Yes, 00:44:16.960 --> 00:44:18.501 I think there are pros and cons to 00:44:18.561 --> 00:44:19.221 both models. 00:44:20.021 --> 00:44:22.682 Personally, I prefer the WordPress. 00:44:23.702 --> 00:44:24.963 If I could change one thing in the 00:44:25.003 --> 00:44:27.605 WordPress ecosystem, I would maybe, 00:44:28.585 --> 00:44:29.106 for example, 00:44:29.146 --> 00:44:31.246 if you look at the WordPress repository, 00:44:32.427 --> 00:44:34.007 Maybe set the bar a bit higher, 00:44:34.148 --> 00:44:34.708 for example. 00:44:35.608 --> 00:44:36.789 Yeah, if a plugin, I mean, 00:44:36.909 --> 00:44:38.429 I understand some plugins don't need to be 00:44:38.449 --> 00:44:40.291 updated so often because they're just like 00:44:40.311 --> 00:44:41.010 a few lines of code. 00:44:41.311 --> 00:44:42.411 They do a very specific function. 00:44:42.811 --> 00:44:45.932 But still, I would force at least, yeah, 00:44:45.952 --> 00:44:48.353 the plugin to be updated once a year 00:44:48.414 --> 00:44:49.335 at least, for example. 00:44:49.594 --> 00:44:51.275 Or even if you just update supported 00:44:51.295 --> 00:44:51.556 version. 00:44:52.277 --> 00:44:52.976 Nowadays, of course, 00:44:52.996 --> 00:44:54.498 the repository has notifications. 00:44:54.579 --> 00:44:56.440 Like when a plugin hasn't been updated for 00:44:56.481 --> 00:44:57.581 the last three major versions, 00:44:57.682 --> 00:44:58.443 you get a notification. 00:44:58.824 --> 00:44:59.545 But it's still there. 00:44:59.824 --> 00:45:00.344 It's still there. 00:45:00.385 --> 00:45:01.487 People can still download it. 00:45:01.887 --> 00:45:02.827 It can still lead to issues. 
00:45:03.608 --> 00:45:07.893 So I think by having some kind of 00:45:07.934 --> 00:45:08.134 like 00:45:09.114 --> 00:45:11.257 stricter regulations when it comes to the 00:45:11.277 --> 00:45:12.940 repository maybe we'll have a bit less 00:45:12.960 --> 00:45:15.603 plugins and the quality might go a bit 00:45:15.744 --> 00:45:18.387 uh not necessarily improve the quality but 00:45:18.407 --> 00:45:20.309 we will have less noise let's put this 00:45:20.329 --> 00:45:22.173 less like all these small plugins etc uh 00:45:23.855 --> 00:45:24.775 merging of 00:45:25.536 --> 00:45:27.538 of plugins in functionality it's i think 00:45:27.577 --> 00:45:29.338 it really depends on on yeah on what 00:45:29.378 --> 00:45:31.199 the people are doing uh the fact that 00:45:31.219 --> 00:45:33.041 you have that wordpress has all these many 00:45:33.081 --> 00:45:34.762 options it's also a good sign it means 00:45:35.681 --> 00:45:38.563 uh there are a lot of both business 00:45:38.724 --> 00:45:40.664 and opportunities and it also usually 00:45:40.684 --> 00:45:42.826 leads the more free the market is the 00:45:42.865 --> 00:45:44.686 more open the market is it leads to 00:45:44.706 --> 00:45:46.427 more innovation typically because once 00:45:46.447 --> 00:45:49.068 you're going to merge things then yeah 00:45:49.088 --> 00:45:50.528 they're working towards certain direction 00:45:50.668 --> 00:45:51.329 and other competition 00:45:52.751 --> 00:45:54.753 if someone has another idea they're not 00:45:54.793 --> 00:45:56.394 even it feels like you're not encouraged 00:45:56.414 --> 00:45:57.617 because now you have two people working 00:45:57.637 --> 00:45:59.699 together or two groups working together so 00:45:59.759 --> 00:46:00.880 starting something new is going to be 00:46:00.920 --> 00:46:04.224 difficult more difficult etc so yeah I 00:46:04.264 --> 00:46:06.166 don't get the kitchen sink problem right 00:46:06.206 --> 00:46:08.289 you get like exactly piled into one 
thing 00:46:08.329 --> 00:46:10.711 that you don't necessarily yeah so so I 00:46:10.731 --> 00:46:11.231 don't think there's 00:46:12.445 --> 00:46:13.246 One better than the other. 00:46:14.347 --> 00:46:14.608 But yeah, 00:46:14.648 --> 00:46:19.512 I think if the .org repository has some 00:46:19.572 --> 00:46:20.954 sort of stricter rules, 00:46:21.054 --> 00:46:21.874 it makes life easier. 00:46:22.155 --> 00:46:25.438 Even when Patchstack did the hackathon two 00:46:25.458 --> 00:46:26.978 years ago and they closed two thousand 00:46:27.018 --> 00:46:27.420 plugins, 00:46:27.619 --> 00:46:29.161 the reason why they closed them is not 00:46:29.181 --> 00:46:30.222 because they had security issues. 00:46:30.302 --> 00:46:31.903 It's because there were many more plugins 00:46:31.923 --> 00:46:32.885 which had security issues. 00:46:33.465 --> 00:46:35.067 But when the repository tried to contact 00:46:35.106 --> 00:46:36.327 the owners of those plugins, 00:46:37.027 --> 00:46:38.108 the owners never got back to them. 
00:46:38.869 --> 00:46:41.072 a simple test which is quite fascinating 00:46:41.132 --> 00:46:42.773 last time i was speaking to someone i 00:46:42.793 --> 00:46:45.036 forgot who at CloudFest who used to work 00:46:45.376 --> 00:46:47.978 uh help with the plugin review scene and 00:46:48.018 --> 00:46:50.280 it's always surprising how many plugins 00:46:50.300 --> 00:46:52.322 there are that they try to contact the 00:46:52.362 --> 00:46:53.603 owner and the owner never responds for 00:46:53.623 --> 00:46:55.945 example that could be a simple test every 00:46:55.985 --> 00:46:58.548 six months send make sure there's a 00:46:58.628 --> 00:47:00.349 contact if there's no contact you're 00:47:00.389 --> 00:47:02.911 getting off of the repository you know now 00:47:02.952 --> 00:47:04.032 of course there's the question of 00:47:04.934 --> 00:47:06.335 backward compatibility because if there 00:47:06.355 --> 00:47:07.835 are people who have this plugin installed 00:47:07.856 --> 00:47:09.677 what's going to happen with them now um 00:47:09.757 --> 00:47:12.018 i don't know notification proposal 00:47:12.059 --> 00:47:14.699 replacement but yes but by a lot by 00:47:14.760 --> 00:47:16.221 opening this door of course you allow more 00:47:16.240 --> 00:47:17.981 innovation but you're also creating 00:47:18.021 --> 00:47:20.643 problems so there is no better good or 00:47:20.664 --> 00:47:22.465 wrong but yeah it's a bit of a 00:47:22.724 --> 00:47:23.965 like to find the right balance 00:47:24.179 --> 00:47:26.561 It's an interesting point because I feel 00:47:26.601 --> 00:47:29.302 like some of this has to do with 00:47:29.463 --> 00:47:32.885 where WordPress was when it started in 00:47:32.965 --> 00:47:34.786 contrast to where it is now. 
00:47:35.226 --> 00:47:38.749 Because what you're talking about is a 00:47:38.849 --> 00:47:43.512 more mature way of identifying trustworthy 00:47:44.052 --> 00:47:49.016 packages for a robust product that powers 00:47:49.036 --> 00:47:50.297 forty percent of the Internet. 00:47:50.818 --> 00:47:53.018 But when the WordPress repository existed, 00:47:53.099 --> 00:47:53.860 it was just like 00:47:54.619 --> 00:47:58.003 hey, I've got a cool idea. 00:47:58.324 --> 00:48:01.425 I had a weird hacky thing that seems 00:48:01.505 --> 00:48:01.927 funny, 00:48:02.146 --> 00:48:04.289 and I'm going to put up this kind 00:48:04.309 --> 00:48:05.148 of jokey plugin. 00:48:05.268 --> 00:48:07.610 I had a friend that wrote a plugin 00:48:07.670 --> 00:48:09.353 called Login Roulette, 00:48:09.713 --> 00:48:12.755 which just on a random sequence, 00:48:12.876 --> 00:48:15.177 it'll just log you out on any given 00:48:15.197 --> 00:48:16.278 page load of the admin. 00:48:16.298 --> 00:48:16.759 Just like, 00:48:17.039 --> 00:48:19.940 You know, like just dumb stuff, right? 00:48:20.019 --> 00:48:22.139 That was just silly and like jokey and 00:48:22.159 --> 00:48:22.499 whatever. 00:48:22.619 --> 00:48:24.539 I have a plugin that I wrote called, 00:48:24.559 --> 00:48:25.960 what's it called? 00:48:26.101 --> 00:48:27.800 Oh, updates. 00:48:29.201 --> 00:48:30.021 I can't remember what I called it, 00:48:30.300 --> 00:48:31.121 but it basically like, 00:48:31.382 --> 00:48:32.842 it basically annoyed you. 00:48:33.722 --> 00:48:35.021 It gave you like, 00:48:35.702 --> 00:48:37.862 there is a GIF that would be like 00:48:37.882 --> 00:48:40.503 a really disapproving GIF if you had pages 00:48:40.762 --> 00:48:43.543 on your site that hadn't been updated in 00:48:43.563 --> 00:48:44.244 a period of time. 
00:48:44.563 --> 00:48:45.967 and it would get progressively more 00:48:46.007 --> 00:48:49.277 annoying the longer those pages were left 00:48:49.418 --> 00:48:49.980 un-updated. 00:48:51.856 --> 00:48:56.322 And, like, that's, you know, 00:48:57.021 --> 00:48:58.163 back then there wasn't even, 00:48:58.222 --> 00:49:00.344 I don't think GitHub really existed then. 00:49:00.405 --> 00:49:00.606 So, like, 00:49:00.626 --> 00:49:02.286 there wasn't even an outlet for sharing 00:49:02.306 --> 00:49:05.249 these sorts of things to other people to 00:49:05.449 --> 00:49:06.632 use, even as a joke. 00:49:07.012 --> 00:49:09.735 But now we've got this framework, 00:49:09.775 --> 00:49:11.436 the WordPress.org repository, 00:49:11.576 --> 00:49:12.637 it still has all that stuff, 00:49:12.657 --> 00:49:15.659 but now we're also needing it to power 00:49:17.021 --> 00:49:19.684 of the internet and the infrastructure 00:49:19.724 --> 00:49:20.164 around that. 00:49:20.224 --> 00:49:23.126 So it's almost like we've moved so far, 00:49:23.166 --> 00:49:24.847 we've come so close to the sun and 00:49:25.048 --> 00:49:26.909 there's still these fundamental issues 00:49:26.949 --> 00:49:29.092 that were part of the openness and the 00:49:29.172 --> 00:49:31.653 freedom and the weirdness of the internet 00:49:32.554 --> 00:49:34.036 when WordPress was young, 00:49:34.356 --> 00:49:37.878 but now we need something more mature. 00:49:39.148 --> 00:49:41.170 Yes, I mean, as you're saying, 00:49:41.249 --> 00:49:42.510 when WordPress started, 00:49:42.570 --> 00:49:45.670 when the .org repository started as well, 00:49:46.032 --> 00:49:48.873 it was for a different time and different 00:49:49.853 --> 00:49:50.413 CMS. 00:49:50.572 --> 00:49:51.914 The WordPress was much smaller, 00:49:51.934 --> 00:49:52.574 powered much less. 00:49:52.634 --> 00:49:55.155 But now, yeah, it's much more popular. 00:49:56.414 --> 00:49:57.536 It's much more stable. 
00:49:57.596 --> 00:49:58.635 It does much more different things. 00:49:58.695 --> 00:50:01.338 It's used for so much more many things 00:50:01.378 --> 00:50:02.318 and other solutions. 00:50:03.398 --> 00:50:05.800 But the dot org repository, of course, 00:50:05.820 --> 00:50:06.999 there have been changes. 00:50:07.059 --> 00:50:09.621 But it seems it didn't move as fast 00:50:09.661 --> 00:50:10.521 and it's not where it is. 00:50:10.822 --> 00:50:12.063 I mean, as I said, I think... 00:50:13.262 --> 00:50:15.364 um as you said like you had this 00:50:15.425 --> 00:50:17.126 plugin like it just shows you the annoying 00:50:17.327 --> 00:50:19.628 gif it's nice it's it's a nice thing 00:50:19.648 --> 00:50:21.409 to have even as a hobby but yeah 00:50:21.449 --> 00:50:23.652 just because the number as you said there 00:50:23.672 --> 00:50:25.574 are sixty thousand and many people 00:50:27.807 --> 00:50:29.487 I wouldn't say look dumb, but yeah, 00:50:29.527 --> 00:50:30.829 just because when they see that number, 00:50:30.889 --> 00:50:32.050 like, oh, there are too many plugins, 00:50:33.170 --> 00:50:34.170 they might get overwhelmed, 00:50:34.271 --> 00:50:34.931 there are too many choices, 00:50:34.990 --> 00:50:36.351 and they don't even try, you know? 00:50:36.931 --> 00:50:37.152 So yeah, 00:50:37.193 --> 00:50:40.213 by having some sort of stricter 00:50:41.175 --> 00:50:42.114 regulations, 00:50:42.155 --> 00:50:44.996 stricter policies when it comes to what 00:50:45.036 --> 00:50:46.277 can be submitted, what not, 00:50:46.376 --> 00:50:47.757 or at least everything can be submitted, 00:50:47.798 --> 00:50:49.498 but if after, I don't know, 00:50:50.340 --> 00:50:51.239 a year or two, 00:50:51.260 --> 00:50:53.260 there are a lot of plugins which still 00:50:53.300 --> 00:50:56.063 have ten, fifteen installations, like, 00:50:57.233 --> 00:50:59.273 So are they really useful? 00:50:59.454 --> 00:51:00.853 Maybe we should find a solution. 
00:51:01.014 --> 00:51:02.434 Maybe they are useful for those fifty 00:51:02.454 --> 00:51:02.833 websites. 00:51:02.853 --> 00:51:03.393 Don't get me wrong. 00:51:03.874 --> 00:51:06.275 But maybe at that stage we need to 00:51:06.374 --> 00:51:07.894 look on a case-by-case basis what these 00:51:08.036 --> 00:51:10.235 are and try to help those websites. 00:51:10.295 --> 00:51:10.536 Again, 00:51:10.615 --> 00:51:13.956 I know the repository is all running on 00:51:13.976 --> 00:51:14.657 a voluntary basis, 00:51:14.737 --> 00:51:16.436 so it's not as easy as said and 00:51:16.476 --> 00:51:16.657 done. 00:51:17.177 --> 00:51:18.318 But yeah, we definitely can 00:51:18.978 --> 00:51:22.378 I'm sure the repository can be cleaned a 00:51:22.398 --> 00:51:22.599 bit. 00:51:22.619 --> 00:51:23.798 As I said, 00:51:23.858 --> 00:51:25.099 even just sending an email every six 00:51:25.159 --> 00:51:26.599 months to the plugin owners, like, hey, 00:51:26.639 --> 00:51:27.239 are you still there? 00:51:27.880 --> 00:51:29.920 I'm pretty sure we'll be closing quite a 00:51:29.940 --> 00:51:32.101 lot of plugins if we do that. 00:51:32.181 --> 00:51:32.742 Yeah, for sure. 00:51:33.561 --> 00:51:35.121 Well, thank you, Robert, for coming on. 00:51:35.702 --> 00:51:39.123 Thank you for talking about cool security 00:51:39.163 --> 00:51:39.483 things. 00:51:39.543 --> 00:51:41.523 Where can people find you on the internet 00:51:41.543 --> 00:51:42.423 if they are looking for you? 00:51:43.715 --> 00:51:45.356 Yes, I'm on LinkedIn. 00:51:46.617 --> 00:51:48.476 If you search for Robert Abella on Google, 00:51:48.516 --> 00:51:50.237 search for Robert Abella WordPress, 00:51:50.277 --> 00:51:52.097 because Robert Abella is also the prime 00:51:52.137 --> 00:51:52.778 minister of Malta. 00:51:52.798 --> 00:51:56.018 And he ranks better than me, 00:51:56.059 --> 00:51:56.659 unfortunately. 
00:51:58.980 --> 00:52:00.061 It's funny because on Twitter, 00:52:00.161 --> 00:52:03.460 quite often I get tagged or sent messages 00:52:03.902 --> 00:52:05.661 from BBC, CNN, you know, 00:52:05.681 --> 00:52:06.342 like all this stuff. 00:52:06.362 --> 00:52:07.943 So I'm not that Robert Abella, 00:52:07.963 --> 00:52:08.523 I'm another one. 00:52:09.282 --> 00:52:10.882 yeah because i i have the my twitter 00:52:10.902 --> 00:52:12.744 handle is Robert Abella but the prime 00:52:12.764 --> 00:52:14.384 minister is Robert Abella underscore pm or 00:52:14.403 --> 00:52:16.204 something like that i was i was on 00:52:16.224 --> 00:52:19.706 twitter x sorry before him so um so 00:52:19.746 --> 00:52:22.547 yeah um yeah um i'm on LinkedIn Robert 00:52:22.586 --> 00:52:26.007 Abella x as well and if we have 00:52:26.027 --> 00:52:28.288 the website melapress.com i also by the way 00:52:28.527 --> 00:52:30.108 a few months ago launched my own website 00:52:30.128 --> 00:52:31.309 robertabella.me 00:52:32.949 --> 00:52:33.849 The simple reason, honestly, 00:52:33.909 --> 00:52:35.972 is like everyone else, 00:52:35.992 --> 00:52:39.454 there is this huge AI hype and I 00:52:39.474 --> 00:52:42.317 needed an excuse to play with it. 00:52:42.476 --> 00:52:42.757 I mean, 00:52:42.836 --> 00:52:44.137 I can develop my own theme and stuff, 00:52:44.157 --> 00:52:45.498 but might as well. 00:52:45.539 --> 00:52:46.860 Let's try a bit of vibe coding, 00:52:46.900 --> 00:52:47.099 you know, 00:52:47.119 --> 00:52:49.342 play around with sub-agent skills and just 00:52:49.382 --> 00:52:49.983 play around with it. 00:52:50.103 --> 00:52:51.903 So yeah, my website robertabella.me, 00:52:52.324 --> 00:52:54.786 LinkedIn or melapress.com are the best way 00:52:54.806 --> 00:52:55.606 to find more about me. 00:52:56.304 --> 00:52:56.545 Awesome. 00:52:56.766 --> 00:52:58.248 Well, again, thank you for coming on. 
00:52:58.548 --> 00:53:00.773 Thank everyone for watching or listening 00:53:02.295 --> 00:53:03.719 to this in the future. 00:53:04.581 --> 00:53:06.724 And we'll see you on the internet. 00:53:06.764 --> 00:53:07.525 Thank you very much, Chris. 00:53:07.726 --> 00:53:08.268 Thanks for having me.