WP&UP is a registered charity (no. 1179663)

Sponsored by:

Trying to keep the internet safe – #023

Show notes:

Share The Podcast:

Today I talk with Oliver Sild. Oliver is based in Estonia and is really into internet security. Having built websites in the past, he always found himself having to secure them, so they built tools to monitor their own sites.

It’s a constant battle in which the bad guys make a move and you have to react. After doing this for a while Oliver decided that their internal tools could be used just as easily by others, and so the company WebARX was born.

They have made WordPress an important part of WebARX, monitoring plugins and offering updates and so that’s why Oliver was at WordCamp Europe – to meet the people who use his product.

We have a wide ranging conversation touching upon internet security, how to secure your site, what kind of things can go wrong, who is behind all the mischief that we hear about online as well as how Oliver has embraced the WordPress community.

Interviewed by Nathan Wrigley.

We hope you enjoy the show, please do subscribe on Apple Podcasts or Spotify. We’re always looking for feedback, if you have any thoughts or comments, please do reach out.

And remember… Together we can #PressForward

Featured on this podcast:

Oliver Sild

Oliver is the founder of WebARX, an website firewall solution for WordPress. He’s been working with technology for…

PODCAST TRANSCRIPT

Nathan Wrigley: [00:00:00] Welcome to episode 23 of the press forward podcast. I’m Nathan Wrigley, and I want to welcome you back to the podcast and if this is your first time listening, it’s great that you found us. The press forward podcast is created by WPandUP. We’re a non-profit working in the word. Press space to help you.
Your colleagues. In fact anyone you can find out more about the mission at WPandUP dot-org
we’d love for you to get involved with WPandUP and that can be done in many ways. You could talk about this podcast on social. For talk about it on your own website. You could rate us on Apple podcasts or you can subscribe to us on your favorite podcast player, which can be done by going to WPandUP dot org forward slash podcast – feed.
We also greatly appreciate any donations that you’d like to make as you can imagine the support that we provide comes with a cost. And so we’re asking anyone who feels able to donate to WPandUP to visit WPandUP dot-org /give by doing so you will enable us to keep this important work going and to help people who have a real need.
You might also like to know that we’ve started a project over at head to dot-org. It’s a bike ride of some 3,000 kilometers taking place next spring a few members of the wpn up Community will be making this journey and there’s a couple of reasons that were doing it. Obviously. It’s a sponsored event.
And so the money that we raise will assist us, but we’re also doing this to raise awareness in the areas of physical and mental. It’s the intention to show that little changes can have a big impact over time. We’re not athletes and we’re getting on with our lives whilst adapting them slightly to accommodate the time needed to train for this ride.
We’d love you to spread the word about this project to so if you want to tweet or post about it, please feel free to do so mentioning head to dot-org the press forward podcast is brought to you today by Green Geeks. Green Geeks offers an awesome managed web hosting platform that’s built for Speed security and scalability whilst being environmentally friendly.
Enjoy a better web hosting experience for your WordPress website backed by 24/7 expert support and we thank green Geeks for helping us to put on. The press forward podcast
regular listeners will know that we went to wordcamp Europe in Berlin earlier this year. We set up our recording gear in the corridor and talked to many people.
It was a lot of fun. The corridor was a little noisy as you might imagine, but it didn’t spoil the conversations. Many of them have already been released and you can find those in the press forward podcast feed at WPandUP dot org forward slash podcasts. Okay, so onto today’s episode today. I talked with Oliver sild.
Oliver is based in Estonia and he’s really into Internet Security having built websites in the past. He always found himself having to secure them. And so his agency built tools to monitor their own sites. It’s a constant battle in which the bad guys make a move and you have to react. After doing this for a while Oliver and his team decided that their internal tools could be used just as easily by others.
And so the company where barks was born. They have made WordPress an important part of WebARX monitoring plugins and offering updates. And so that’s why Oliver was at wordcamp Europe to meet the people who use his product. We have a wide-ranging conversation touching upon internet. How to secure your site what kind of things can go wrong who is behind all of this Mischief that we hear about online as well as how Oliver has embraced the WordPress community and so without further Ado I bring you all of a silly old.
So today I’m joined Oliver Sild. Hello Oliver
Oliver Sild: [00:04:50] Hi, how are you?
Nathan Wrigley: [00:04:51] I’m good. If I said your name, right? Yeah filled. Yeah, it doesn’t have a meaning.
Oliver Sild: [00:04:55] Yeah, it’s in Estonian. So in Estonian, most of the last names are actually coming from something that is like a physical touchable things, you know, something like like a bridge.
Nathan Wrigley: [00:05:05] It’s a bridge. That’s a cool. So we’re in wordcamp Europe. Which is in Berlin. Have you ever been
Oliver Sild: [00:05:13] to no never Germany? No. No
Nathan Wrigley: [00:05:16] me neither first time. Yeah, well in it looks cool.
Oliver Sild: [00:05:18] Yeah, it’s really really different feeling here. Yeah. Yeah, we tried need schnitzel. Ah schnitzel.
No. Yeah. We tried that huge.
Nathan Wrigley: [00:05:26] Okay recommendation I’ll write it down write it down. Have you have you been to a word Camp before?
Oliver Sild: [00:05:31] No, I haven’t no first time any country.
Yeah. Yeah. It’s actually the first time I’ve been to like a smaller bird press meet. But not actually do Work Camp itself.
Nathan Wrigley: [00:05:42] Forgive me for being really ignorant. I don’t know a lot about Estonia. Yeah. I just
Oliver Sild: [00:05:48] I don’t know. What’s a small country. There’s like only like 1.3 million
Nathan Wrigley: [00:05:52] people. Oh, really? Okay.
Oliver Sild: [00:05:53] So it’s it’s right like it’s kind of a North we were like having like Finland is on top of us right now. And then there’s there’s like Latvia and Russia on the right side.
And then yeah, it’s a small country.
Nathan Wrigley: [00:06:08] Do you have WordPress things going on?
Oliver Sild: [00:06:10] Yeah, we have like we have like fuel meetups, but it’s still, you know, relatively small country. So. There’s like some meetups going on in the capital, but it’s not nothing like big there in this scene,
Nathan Wrigley: [00:06:22] But you come here. What do you what what are you hoping to do? Whilst you’re here.
Oliver Sild: [00:06:27] I think like we have a lot of customers who are also here. And I think for one of the reasons is to actually kind of get just do you know in touch with them, you know get this like like contact and this feedback, you know what you can get from face to face. So I think this is like one of them are very important kind. Values that we definitely get out of here
Nathan Wrigley: [00:06:46] first just forgive me It just strikes me that we haven’t said what it is that you do have your WordPress space. So tell us a little bit about your what Your what your company is and what its history is and what its purpose is.
Oliver Sild: [00:06:58] Yeah, so the company actually born out from a digital agency that was focused on like web security. So we were doing like a secure web development to build websites on back in the day. We didn’t do so much of a WordPress stuff. But we all mainly focused on Joomla and you know on the other cms’s so what we did like a our Focus was to build secure.
And eventually we needed tools to automate all that too. So we started to build their own kind of a platform to kind of monitor the websites that we have already developed and it ended up, you know building an actual platform that we now have named as web arcs, which is focused on component security basically plugging vulnerabilities and so forth and blocking them ended in advance.
So your website’s won’t get infected with malware. You can block call this malicious traffic and have these people on your websites that you actually. I want
Nathan Wrigley: [00:07:49] okay and how long has it been going?
Oliver Sild: [00:07:51] So now it’s been two years two years of active development and we launched back in 2018, July in 2017 in the end of 2017.
We were chosen already as one of the top cybersecurity startups in London so in. So it was actually really it’s been very I would say fast Journey.
Nathan Wrigley: [00:08:14] Yeah amazing really amazing. Do you so you’ve come with like a hat on to just meet people who are already customers. Do you also have like the Hat on I want to meet new customers as well make some connections with I don’t know other plug-in developers or like hosting companies or you hoping to get some new business out of this as well.
Oliver Sild: [00:08:34] I think so. Yeah, like usually like we’ve been going to a lot of conferences like. You know like web Summit and you know different like bigger ones, usually with a very strong focus of you know, actually getting a Partnerships and customers and so forth here. I would say I have a different feeling I do have like a feeling of a more like a community feeling more like just being open and so forth, but we definitely go and talk to the hosting companies and the different plug-in developers who are here and that’s why we are also hosting the word like this security meet up later today.
Nathan Wrigley: [00:09:07] Hey, you got an event.
Oliver Sild: [00:09:09] Yeah
Nathan Wrigley: [00:09:09] you are thinking about coming here, what did was that? Like, okay, we’re going to coat we’re going to go we’re going to bring all the team along with us and we’re going to put an event together or did was that like, okay, we’ve booked the tickets. What else should we do exactly.
Oliver Sild: [00:09:21] It was like very very random idea. It was you meant Darkness. So she just told me like in the last minute that hey why should like she was going through the tracks, you know, like all this different talks that are happening here and just like like there’s so much happening. You know when it comes to security with WordPress.
Why is nobody talking about that because there’s no talks about security whatsoever. Really?
Nathan Wrigley: [00:09:45] Yeah at this event. Yeah none. Yeah, that’s surprising
Oliver Sild: [00:09:49] like there’s nothing that is like literally focused on security to whole ecosystem like the security and you know. And we’re like, okay, let’s do a meet-up.
Nathan Wrigley: [00:09:58] Is it is it a hard thing to you? Obviously do it all the time. Do you find people interested in it that are people willing to talk about security or is it a bit like oh security I’d rather not think about it because actually at the bottom of it. Nobody really wants anything to be yeah insecure, but also they that it’s not the most glamorous.
Yeah. Subjects.
Oliver Sild: [00:10:19] Yeah. Yeah. Yeah. You have to make it kind of an easy to understand but in the same time if you make it too easy to understand that you don’t got to miss the point. So it is hard thing to communicate for sure. But I think you know, it’s getting better and better because you know, all these different attacks like you doing the you know lives and everything you have like something happening every week now, so I think it’s more and more getting into the eyes of people and into tears of people.
So I think they are they can’t even you know, ignore it anymore. So this has to be talked about.
Nathan Wrigley: [00:10:50] I think the hackers that the people putting out this stuff that you let go automated, you know, the Bots and what have you is it just getting are they just getting better? Do we need to worry about it or or a people like you actually on top of it?
Can you stop this stuff or are you in a constant War of Attrition? They come up with something you defend they come up you defend
Oliver Sild: [00:11:10] its kind of tool to things like. I think it’s still like a pretty pretty constant war in terms of, you know finding out what is happening. We are doing of course things like I was like, we really really see this open source static code analyzer for WordPress plugins, which is basically helping the WordPress developers to find like a vulnerable code within their code before someone else does so we do these kind of things that allow us to kind of be kind of few steps ahead from the hackers, but at the same time, you know, There’s like this ecosystems so big, you know, you still have like this momentum of kind of, you know feeling like, you know, following the tracks and you know finding out what is happening and you know, trying to mitigate sometimes and so forth.
So I think it’s both ways.
Nathan Wrigley: [00:11:58] So what’s the talk about that you’re giving tonight at the event? What what is it what we got a title of you prepared something or is it like show up and talk to everybody or are you going to be on a stage? And
Oliver Sild: [00:12:07] so we don’t having a small panel together with Raj from RunCloud, so.
Going to talk like more like openly about like what we think about the security in general what we see are they like bigger Channel challenges? What are the upcoming challenges for sure and kind of like talk what we see like, I have some statistics from our and to just you know show out and Raj is going to talk a bit more from the hosting side of things and from the side of things of like how he has a WordPress developer website WordPress sites manager or site’s owner.
See the whole thing. I think it’s going to be like a short panel like 20 minutes. And then after that like we have we have pre-ordered a lot of beer
Nathan Wrigley: [00:12:46] hanging out
Oliver Sild: [00:12:48] Yeah and snacks and food and all that kind of stuff. So it’s going to be more like an open discussion between all the people who are joining
Nathan Wrigley: [00:12:54] that’s quite a few that’s quite a few companies doing things a little bit like that. You know, there was there was a few that was on last night at least a really nice thing to do. Have you have you got feedback about how many people are going to come yet? Yeah.
Oliver Sild: [00:13:06] Well, we have reached out to a lot of people. I think we are expecting a like 20 to 30 people. So we have actually reached out to all the all the companies who are kind of doing something with insecurity here like Sucuri, you know, there’s a block wall guys here.
There’s a WPScan I think and you know, all these people who are here and kind of you know work with the unlike towards the same goal, you know. We have invited all of them. They’re so
Nathan Wrigley: [00:13:32] interesting say if if they if they take take you up on your offer. That would be nice. If you all got in there yet the same time.
Do you are you all in on WordPress has WordPress what you do or is it just is WebARX, you know, you can use it with WordPress, but you can also use it with Joomla or
Oliver Sild: [00:13:49] yeah. Yeah. So yeah our Focus from the beginning because we were not a word press agency. So that’s why we already had to have tools for securing sites that are running on Joomla Magento Drupal and also like very native PHP apps and PHP Frameworks as well.
So because of that we have built the whole thing in a way that it is actually already supporting all the PHP apps. It doesn’t matter if it’s running on any Frameworks. It can be just you know, vanilla PHP Bears. Let’s say. But yeah, we are focusing on component security. So component security is affecting all the Frameworks and cms’s so.
Nathan Wrigley: [00:14:29] But kind of but WordPress is the big one. Well, it’s
Oliver Sild: [00:14:32] 35% of the internet so we can’t really ignore that.
Nathan Wrigley: [00:14:35] Yeah at your peril. Yeah, so you just talked about component security, you know easy thing to say what what what is it? What is that?
Oliver Sild: [00:14:45] You know now it is the big issue with web applications is that nobody wants to really write a code anymore.
So while more on one hand it’s like, you know obvious, you know, it’s very. Productive you can get the things done really fast because someone else has already written the code for you. So you can kind of put in Puzzles like on WordPress install plugins and stuff, you know, someone else already solved the problem for you, but the issue is that why you do that?
You don’t really check who wrote the plugins. You don’t really check how well these plugins are written and you also don’t have an overview if these plugins like previously had any issues or if they currently have any issues with security wise and this is like a very very attractive for hackers because you know, you can have one plug-in that is vulnerable for let’s say.
SQL injection or like cross-site scripting to you know, eject adds to your website and it just unit just want this one will reveal it and you can have access to tens of thousands of websites. So this is like this component security from the application side. This has been a problem, you know years on server side, you know different Apache models, you know, you know all these different places, but right now, On our Focus we see that component security how we call it, like plugins extensions like to pot has extensions WordPress call them plugins, you know, they call them different names but they’re all components.
So in this ways, I think this issue is growing rapidly. And I think this is like like the whole thing around this, you know web development practices and things
is it growing because it feels like it is it feels like every I mean it is like it is in the new the normal news. Yeah. Not just you know Tech news there’s significant amount of this stuff leaks into the normal actual newspaper.
Yeah, because everybody’s got stuff attached to you know, I’ve offloaded my life to things online, you know, there’s an awful lot of stuffing WordPress database has Facebook has got a lot of stuff on me. So, you know, it’s I can understand why people are concerned about it. But how do. Like really, how do you keep up?
I can’t even imagine. What where do you go to find out what the latest threat is on what somebody just dumped on the internet last night?
Yeah. So we have like tools built inside of the product. So we have like a separate tools also that we have built within the team. So like for example the static code analysis, which we do we basically.
Pull all the plugins that we have on the WordPress repository and then run the static code analysis around against all of these. So we have kind of a patterns of different vulnerabilities have previously happened on some other plugins and then we see if there’s the same patterns in other plugins as well.
So in this case we can pretty much detect these vulnerabilities beforehand. The other thing is that we basically follow all the security blocks all the different security databases and everything and we have like. Separate dashboard for it which has alerts and stuff and basically posted in slack about all these things and it’s like, you know, automatically finding all the information from the web but this coming, you know concerned with WordPress and security.
Nathan Wrigley: [00:18:02] Is it ever possible to truly say, you know purchase any product your product or it arrivals? That you’ve got security down pat, you know, it’s fixed eyesight is now immutable. Nothing can touch it it no,
Oliver Sild: [00:18:16] it’s just there’s just so many, you know, even when young technically from the technical point of view, you might be able to like isolated so well.
Like you will find like for example, you lose all the functionality of your website. So it can’t be hacked from you know this side, but eventually there’s also you behind this. So there’s this person who have access to the site who can also be hacked. So social engineering is also very very, you know, like a real thing that can happen.
Also within WordPress ecosystem
Nathan Wrigley: [00:18:48] I remember hearing a story. I don’t know how true it is, but hearing a story about some seriously big IT company. And they hired this external guy to come in to sort of vet to their security and the the external agents made the Bold claim that I will be in your system within one minute and and you know, the guys were like no what no, and so he said, okay.
Can I have the CEO bring the CEO of. And so they brought the CEO out and said right start the clock and then he took the CEO to one of the junior people in the security team. And because the CEO was stood next to him. He said, can you just give me the passwords? And obviously there’s the CEO and he said yeah sure.
There you go. And that was it. He was in but a social engineer. Yeah, just look the boss is there it must this this request must be legitimate. Yeah. It’s too easy, isn’t it?
Oliver Sild: [00:19:43] Yeah, social engineering is very very. It’s effective like phishing, you know and all this like spear phishing and all these things.
It’s just so effective.
Nathan Wrigley: [00:19:52] Yeah. And is there nothing that you that I mean, I presume there’s nothing you can do about that. You just sort of man the boundaries and hope for the best of it.
Oliver Sild: [00:19:59] Well you basically what you can do is, you know, try to make your team as aware of as possible from the mistakes like that can happen or like from the things that are like the risks that are there, you know, but also in the same time, you have to tell your team that.
There are something that has happened you should never feel ashamed of it because you know, what’s really like be big issue is that people feel ashamed for like being you know stupid but in the same time actually this is creating an opposite issue because in this case these people are not, you know willing to say what happened.
So it’s very important to stay kind of transparent very open about these issues. And kind of you know, don’t blame people for the stuff that happened because someone was taking advantage from you know,
Nathan Wrigley: [00:20:47] so is WebARX, is it like a plug-in that you install? Is it a SaaS solution? What does it look like?
Oliver Sild: [00:20:53] So it’s a solution but it’s a plug-in that you install so it’s
Nathan Wrigley: [00:20:56] a bit of both
Oliver Sild: [00:20:57] Yeah. So basically it’s really easy to install it takes you like let’s really like one minute. So you have 14 days free trial. So people can just sign up put their website in there. Just type in your url this automatic.
Everything start right away and then you basically just like the scans what we do like monitoring up there monitoring security monitoring all happens externally, so it’s nothing actually done on your website itself. So it’s very like in terms of resources. It’s pretty much nothing. So but to actually activate the firewall and hardening options and you know backups and everything that we have within the plug-in then you just you know can.
Pretty much log into your WordPress sites from within our portal or just download the plug-in. So it’s really really easy.
Nathan Wrigley: [00:21:42] I think a lot of people who are listening to this will probably be you know, like me not really an expert in security got vague understanding what it means. But what some of the terms that you just threw out you mentioned firewall and you mentioned hardening I hear those words a lot.
But what what what let’s start with the firewall. What is a firewall? What does it even
Oliver Sild: [00:21:59] do? So in our case, I think firewalls are also different we have did have we have done a lot of kind of code analysis around different products that are on the WordPress Market as well. So there are some of the firewalls that are, you know, just putting a lot of rules into your HD access code.
For example, just you know to filter out some very just like basic like patterns. Let’s say but then there’s also firewalls the running on DNS, for example. So these firewalls are running, you know on the network level itself like cloudflare. For example, I think also security knows that so these firewalls really, you know filter the whole traffic that comes against your website and basically filter out the, you know, malicious requests, like what’s and you know attacking, you know attempts and all.
And then there’s like endpoint firewalls like more like wordfence and like ours as well. Like we’re basically it’s runs before the application itself is in the application, but it’s filtering all the HTTP requests and it’s not just only on the Apache level. So for from this side of things, I think it’s there are like different ways how they can work.
But eventually what firewall does is it basically tries to understand. What is the traffic that comes to your website? Is it what you want? And if it’s not what you want and if it’s malicious like, you know, trying to exploit some plug-in vulnerability, for example, it will block the access and in our case, for example, it will count how many times this specific IP has, you know abused the access to the website and then block it so there’s very different things that you can do with the firewall.
So in our case also, there’s an option to write your own rules. So for example, you know, I always bring this up as an example. For example, you can do a rule that will allow you to filter user agents and redirect them to for example to a specific website. So for example, if a user agent comes with an old Internet Explorer 6, let’s say you can just create a rule and say you pay redirect him to this page which you say is like, please don’t lock
Nathan Wrigley: [00:24:04] Chrome, you know the police but then at least website and so okay, that’s firewall. What’s hardening.
Oliver Sild: [00:24:11] So yeah hardening is pretty much like going, you know, Here’s the thing that with all software that this Plug and Play There is default settings and default settings are never the best settings default settings are always made just to work and to have as you know less support as possible.
So for that reason basically a hardening these important to kind of, you know, like turn kind of turn down the features that you don’t really use. And make them like for example, you know permissions file permissions for example, and so forth to like. Make them a bit stronger than they would on like would be on default.
So under hardening settings, you can find like, you know, blocking xml-rpc. If you don’t use it, you know, why bother having it because you know, a lot of Brute Force attacks come through that. So there’s like two full two Factor authentication. So you have like the second step of logging in to your website, which you can have on your mobile app.
So when someone even finds your let’s say admin password for your WordPress site. They would still need the actual, you know physical phone of yours to actually have the code. So there’s a lot of things like that, you know that like, you know, activity logs, you know, see what kind of what do users have done on the website.
There’s like recapture which you can put on your comment forms, like all these nitty-gritty things that eventually, you know, allow you to kind of improve the security in general
making it more difficult for the bad guys. Yeah. Just just making. Both more difficult order to getting so WordPress by by its very nature is like this extensible architecture extensible architecture, you know, you’ve got WordPress core and then you Chuck plugins and obviously, you know, a lot of people like to put a lot of plugins in sometimes unnecessarily large amounts of plugins.
How on Earth do you keep. How do you keep up with that? You know because presumably if you have a certain combination of plugins that that might be worse than a different combination of plugins and how do you even sort of keep up with all the possible things that could go wrong?
There is just so many of these things that can go wrong.
So, you know, it’s one of the hardest tasks actually is to you know, build your own like in our case like our Plug-In or like our WordPress plug-in. Let’s say it’s so it has so like very deep features that can affect the website in a very strong way. But, you know, you need this for all this hardening features.
So for these reasons like testing with so many different plugins making sure there’s no false positives for example, you know, It’s a it’s a lot of work, you know, it’s a lot of testing
Nathan Wrigley: [00:27:02] and I was wondering if that was it literally just testing every single combination.
Oliver Sild: [00:27:07] But, you know at the same time just you try to use as many.
Things that you have already inside WordPress, you know all the web WP Hooks and you know, all these things that you can actually use but then again there is also other plugins who might be using this roof, so there can be a lot of conflicts with you know, other plugins doing things, you know, maybe on traditional ways and these things can actually yeah can cause like conflicts and all these things so.
It’s a lot of work.
Nathan Wrigley: [00:27:34] I speak quite a lot to you know, plug-in developers and theme developers and things like that. And there’s a certain sense that the product over time the more hours they spend working on it the better it becomes you know, so okay last week my plugin. It was okay and I added these new features and now it’s better.
So, you know constantly you’re heading towards the top of this pyramid. I mean, I’ll never even finished you’ll never get to the top of the pyramid but all the time your Endeavor the amount of work you put in kind of leads to a better product whereas for you it must be slightly different because your product is always working with what other people are throwing at it, you know, the nasty stuff that people do we did you enjoy the work does it?
Is it enjoyable stuff to do you find it? Like, you know, do you do you smile at what you’re doing or is it like incredibly frustrating when somebody comes out with a new exploit? It’s like another one. I’ve got to start all over again.
Oliver Sild: [00:28:29] No, I think like because we don’t need to develop the plug-in to actually build blocked exploits because like we have.
Like our firewall is modular, for example, so all the rules are you don’t need to update the plug-in to be able to get the newest rules. So everything is coming from the portal, you know feeding to plug-in basically. So for this reason, we don’t actually have to do any development for blocking new attacks so for this reason I think for us it’s more like very exciting thing to actually see how the whole ecosystem evolves like, what are the new issues like past week. We had like this actually I think it was even on Monday. We had like one plug-in that had like this vulnerability with you know, this ended up, uh mailing out mate.
I was also talking to this developer and you know trying to understand yeah. Yeah. Yeah. He’s also coming to our meeting. No. No I so like I was talking to him and he was sending me the source code and we were like analyzing to. So I think it’s more like exciting things, you know to see what can you know also others learn from these kind of things.
So, yeah, I don’t think it’s like to frustrating. I think it’s more like exciting to you know, kind of it’s like a constant Marathon.
Nathan Wrigley: [00:29:38] Yeah, but it’s like fighting the good fight isn’t. Yeah, why do they why do people do it though? Because one of the things that you often hear is, well, I only have a little website.
Yeah. My website is only the biggest. Yeah, it’s I’m not doing anything that would warrant somebody hacking my but that’s not how it works. Is
Oliver Sild: [00:29:55] it? Yeah, so. Yeah, it’s it’s the biggest myth. I probably you know, you everyone probably gets this like like why the hell would I need any security because my site is like just a bakery store, you know some, you know random place, you know, like why would like there’s no value in it.
But the value is in the resources, you know resources of running this website itself. Like if you have like any traffic, you know, it’s already some of resources when you get it for free. So, you know, you can take it as like. As you have this website running up then, you know, you are paying for it.
You know, you’re paying for the domain you’re being for the hosting but when someone can get it for free, it’s obviously a value. So the other thing is that, you know, if you have like this like we were talking about this component security issue in general like you have just you need one vulnerability and then you can scan all the web to find all the websites that have the same kind of software to just basically host, you know ads and you know, And all these different things so money is obviously one of the reasons.
But the thing is that it’s very opportunistic. So nobody is actually coming to your website and you know, trying to unpack your website. It’s like they are hacking to software that is installed on your website.
Nathan Wrigley: [00:31:07] Is it ever an actual person is it did you think there’s actual people?
Oliver Sild: [00:31:11] Eventually there are actual people who write those exploits
Nathan Wrigley: [00:31:14] yeah, but they’re not actually so for example, if your website does get hacked it’s not usually
Oliver Sild: [00:31:18] yeah. Well, there’s nothing that once it’s there and hacking
Nathan Wrigley: [00:31:21] your well imagine it like on a movie or something some guy, you know wearing a dark mask or something. That’s not how it works.
Oliver Sild: [00:31:28] So so what
Nathan Wrigley: [00:31:29] so they’re trying to hack into your website so that they can basically take over the computer that’s running your website so that they can do stuff with that computer.
Oliver Sild: [00:31:38] Yeah so
Nathan Wrigley: [00:31:38] stuff do they want to do with that computer?
Oliver Sild: [00:31:40] I think like in the end of the last year or kind of like in the middle of 2018, I would say there was like this huge Spike of crypto mining for example. So like this is very obvious reason, you know, it’s resources on the Internet. It’s very easily accessible.
So, you know just taking over these resources as you know already a big value. So, you know, that’s actually not getting access to those who know only yeah, so access to the actual computer, let’s say that is running your website, but other thing is that, you know, just running ads, you know, if you have fifty thousand websites running your own ads. It’s money
Nathan Wrigley: [00:32:16] and then do they I mean I’ve heard of these things command and control, you know, where they can create networks of these computers and they can then go out and do bigger nasty stuff and take down bigger things because there’s a whole network of things flooding the internet with traffic.
Oliver Sild: [00:32:32] Yeah. So DDoS attacks are very, you know, it’s a common thing that you know hacked use packed websites are being used for that but also, Other actually if you look at for example, if we analyze our firewall locks what we see very often is that it I piece that are attacking other websites are actually the eyepiece of some very light.
No peak hosting companies. So this means that basically all these hosting companies already have a lot of websites hacked. So these hack websites are used to hack on other websites. So, you know, it’s all the pots. It’s like resources that you can use to, you know, put like automated scripts running and descript’s are basically just searching all the time for the new websites to hack and it just spreads and you know,
Nathan Wrigley: [00:33:17] so sometimes it might be about generating money for like cryptocurrency.
Sometimes it’s about taking down another property may be. I don’t know there are commercial rival or something.
Oliver Sild: [00:33:25] Yeah, but
Nathan Wrigley: [00:33:26] who okay. So how what are these hackers do where do they live what I mean the they are they like organized so they like have offices in places. Do they? You know, what are they even where do they where do they live?
Where did where do they habit what’s going on?
Oliver Sild: [00:33:42] I think there’s like very different kind of nurseries when it comes to that like there’s some I think it was a few years ago where there was actually some guy caught who was running like a team to do like this SEO. Kind of injection thing, you know just you know, basically sold services for other companies to bring down the SEO of the rivals.
Nathan Wrigley: [00:34:05] So those are business actual businesses with employees. Yeah to destroy other people’s websites.
Oliver Sild: [00:34:12] So, yeah, so basically I would call. I have the service. Let’s say with like for people who are basically hacking websites to do like SEO spam and then you come to me as a service and say like hey, I have this competitor who has like a really good SEO, please ruin it.
So what we would do is that we use all these hacked websites to create like this black hat SEO, but Google, you know understands that hey, this is a black hat SEO so they basically panel. The whole rival of yours. So this is the actual service that they’re like some companies have provided and being, you know getting caught with
Nathan Wrigley: [00:34:43] man alive.You can barely take it in can you!
Oliver Sild: [00:34:45] But yeah, but you know, you would pay a pretty decent amount of money for that service, you know for you know, getting the Rival completely out from
Nathan Wrigley: [00:34:53] the certain amount of the internet for a half a day or whatever. Yo depending on how quickly they
Oliver Sild: [00:34:57] can come back. It’s for a longer period it’s like few months at least
Nathan Wrigley: [00:35:01] and you ruin their search engine rankings in the process
Oliver Sild: [00:35:03] the main point, you know, ruin search engine ranking.
So you would come up as the you know main thing.
Nathan Wrigley: [00:35:08] Yeah, and do you ever get sort of metrics and I like to be able to convincingly prove that somebody. Like you can point the finger at a particular individual or IP address and you know, did you ever hand this stuff over to the authorities or
Oliver Sild: [00:35:22] we have handled some of the stuff over to our thirties when it comes to defacing for example, because we have like we have a lot of kind of internal tools as I was already saying like this static analysis and we also have we only database of defacement.
So basically we get like two to three thousand attacks every single day like hacked where information about hacked websites every single day. There’s government websites. There’s all different sorts of websites and then these sites are specifically being defaced. So there’s like, you know, some political propaganda texts on the website and there’s like all these different stuff.
So we have sometimes the IP addresses and like user agents involved information of where that came from. So we can really quickly check if these user used a VPN to hide or mask their location and stuff and if didn’t and we have actually kind of given this information doubt or it is but the thing is that you know, local authorities.
Don’t really do anything if the attacker is from Philippines, for example, so
Nathan Wrigley: [00:36:26] it’s it’s a hard battle. Do you do you get the sense though that the people that are doing this they’re actually. You know clever the clever people
Oliver Sild: [00:36:33] with I think sometimes not ways like a lot of a lot of malware that you can find this very basic a lot of that code is from you know, 10 years back, you know, when the PHP shells were like, you know used heavily like they are used also now, but but then sometimes you can find very decent apis like confiscations for the code so you can just open up the code and you’re like hell, you know, it’s you know, It’s even pretty difficult to understand.
What’s the code actually does because it’s you know. Just made to be so hardly understandable.
Nathan Wrigley: [00:37:09] And of course, this is the sort of increasing difficulty of the you know, you hear about these sort of events like poem to own and things like that where yeah, you know the guys show up and they’re offered significant.
Well, actually you can be you can earn a decent living if you’re at an ethical hacker absolutely, but they go and you know, so these guys are other people that could create these exploits that as luck would have it there creating the Xbox and then giving them to the companies, but still the.
Sophistication, you know, they get some sort of buffer overflow over here and they stick another thing on top of that and then five things later. They managed to flip a bit on the hard disk, which does something else and suddenly boom. We’re in but not on it. We’ve got out of chrome sandbox or whatever.
It might be and you just think yeah. These guys are clever, you know,
Oliver Sild: [00:37:55] and they’re very proud.
Nathan Wrigley: [00:37:56] How do you like presumably they’ll never be a point where you can say. Yeah, we’ve done it. This is always going to be a battle from this this point on until well forever.
Oliver Sild: [00:38:07] Yeah, I mean like. Especially WordPress is icon system is in a position where not only development, you know actual development of a website is very simple, but also the hacking is very simple.
So you don’t really need to be very clever to be able to hack a website nowadays, you know, you just need to find you know, these you don’t even find the vulnerabilities ourselves anymore, you know to get in so, you know, you can just find like some plug-in vulnerability that was you know, even you know, rev slider had this issue like I think two or three years ago, I remember like.
Was like a Havoc, you know, it’s still being exploited, you know, it’s still happening, you know, so even like, you know for some guy to just you know, get their hands dirty to you know, with the hacking stuff. It’s so easy.
Nathan Wrigley: [00:38:52] Yeah amazing. Let’s change the subject a bit. Stop talking about security.
Let’s talk about this. That place that we’re at on this event. I know that you said that you’ve never been to a word camp in Europe before this first time first time for me at wordcamp Europe as well. Have you got like a list of like events that you’re going to go to things that you’re going to attend people that you specifically want to see what I’m what I’m wondering is if you’re a kind of like a plug-in developer that said Somebody’s listening to this narrow plug-in development never taken the step of coming here.
Do you have you come like with the. Thing, you know or you are you going to go and find people and try to try to increase your business whilst you’re here.
Oliver Sild: [00:39:28] Yeah, I think it’s kind of both ways still like, you know, kind of find people who are in a position where they are thinking like. Yeah. Well, I now I manage like 50 websites.
I actually should you know, think about like how you know, what’s going to happen. If one of those are taken down or if they you know, sir, like servers that where I’m hosting all these 50 sites are they even secure to you know, like the malware won’t start moving, you know between all those websites and like what can happen at this point, so.
I think there’s definitely people like that here as well. That way I would like to speak you know and to meet but also I think it’s more like this, you know Community feeling, you know, get in touch with the already customers and you know talk to them and see what they see how they actually feel about the product and so forth.
So, I think it’s like a very if you’re a plug-in developer, for example, I think this is a place where you should be. I like definitely because that’s the place where you can actually understand how people are using, you know plugins and what they are looking from them and you can get like instant feedback.
Nathan Wrigley: [00:40:27] Are you quite a few quite confident person. Do you like walking to an event like this and you’re happy to like just rock up to people and start talking or get you a little bit more reserved and you know have to break the ice a bit.
Oliver Sild: [00:40:39] I think I mean somewhere in the middle. Well, I have practiced a lot like I’ve been to a lot of different conferences over the past two or three years.
So like over the counter over time, you know, you kind of break the barrier, but I still you know, it depends like sometimes I don’t feel like just going to jump in.
Nathan Wrigley: [00:40:56] I think you get better at these things. Don’t you just sort of practice it and you develop your develop strategies and little one lines that you can give out.
Yeah, and I was my first word camps. I kind of just stood kind of felt a bit awkward and then something happened and I started talking somebody and suddenly a couple of other guys show up and and before you know it, you know after you after you’ve done this a little bit the whole thing starts to.
It starts to mature and then people introduce you to other people. Yeah, it’s great. I mean look, there’s like there’s probably a hundred people in I well maybe not maybe not that but three 3000 people have cost me a
Oliver Sild: [00:41:33] thousand.
Nathan Wrigley: [00:41:33] Yeah, 3,000 tickets sold their reckon that 90% are going to show so 2700 do you?
Do you like the WordPress Community? I mean, even if you’ve not been to like the events, there’s all the there’s all the stuff going on in. Yeah, no make dot wordpress.org all these lateral Facebook group. Yeah, mean, it’s amazing, isn’t it? Really interesting? Do you sort of get into that and get stuck into it?
Would you say you’ve made any friends in WordPress?
Oliver Sild: [00:41:57] I think so. Yeah. Well I met you. Yeah, so I mean like actually I think it’s really cool. I mean. I wasn’t so much, you know into this. Like I think it’s really a new thing for me actually in all these Facebook group and stuff. But I realized that you know, just to be there, you know, when people have issues just help them out, you know, just do everything without asking anything back.
I think this is like something that will eventually get you a lot back.
Nathan Wrigley: [00:42:21] Yeah, I think so. Yeah.
Oliver Sild: [00:42:22] I think this is. This is my strategy right now just to be open and you know, just to talk with the community and you know help people with the stuff that I know and you know, if I have any issues that I will also post their like on these groups and stuff.
And people helped me as well. So I think it’s just the resources that everyone should use
Nathan Wrigley: [00:42:40] this is kind of like a famous thing people talk about this WordPress community and I believe it whether it’s you know, whether I’ve convinced myself of its truth or not. I am I am convinced that that there is something pretty special about this community WordPress.
I don’t know what it is.
Oliver Sild: [00:42:56] It’s a think very well like build up Community around open source software. I don’t know much of an open source software that has such a big community.
Nathan Wrigley: [00:43:05] So, I don’t know. I think the nature of people who participate in open source. I think there’s something about those people.
I don’t know what it is. But yeah, I mean, I’ve been to quite a lot of these events now and it just gets easier every time and to be honest with you. I’ve been to lots of events that are not connected with WordPress and pretty much all the time. I was kind of not looking forward to it was just like you got to go because you’ve got to know made to go whereas these I’m actually looking forward to it.
You know, I’m packing the bag and I’m getting excited and you know doing stuff like this recording these podcasts. It’s just exciting. It’s just interesting and
Oliver Sild: [00:43:39] it feels different. Like I’ve also been to like well web Summit and do this, you know startup conferences and all these like various, you know, suit and tie and stuff, you know, it’s different.
You know, it’s like so. Like I feel like this when I’ve been to like like, you know web Summit and so forth. It feels more about it’s more like work, you know, it’s like you go there you have like agenda you have to meet as many people as possible network network network, but here it feels more like, you know easygoing.
Nathan Wrigley: [00:44:08] Well, it just is very relaxed.
Oliver Sild: [00:44:09] I never went to conference
Nathan Wrigley: [00:44:11] with short. Yeah shorts. Yeah. I mean my sandals arnica t-shirt on us some shots on and that yeah and you know walk into the walk into the place and usually there’s like. Social thing going on, you know people sitting down having coffee having a beer or whatever and then you go to the talks and you know, there’s lots of different options.
Here. We are. We’re literally in the hallway. Yeah, and there are people
Oliver Sild: [00:44:32] I’m very good spot. Yeah. I mean it is
Nathan Wrigley: [00:44:34] we’ve done very well standing in the it’s just people hanging out having a chat making friends. It’s lovely. It’s really nice. I’m looking forward to the next few days. Yeah. Are you going to be sticking around till the very end?
Oliver Sild: [00:44:46] Yeah. We are. Actually I think our flight goes in Sunday. Yeah, so we sign around
Nathan Wrigley: [00:44:51] right until The Bitter End.
Oliver Sild: [00:44:52] I can’t wait for the meet up today. So I really am there’s like two options if there’s gonna be a lot of people coming because we have reached out to a lot of people or there’s gonna be like no people coming up and we have so much fear for
Nathan Wrigley: [00:45:04] herself.
Are you gonna go and see Matt
Oliver Sild: [00:45:07] like today? I think so.
Nathan Wrigley: [00:45:08] Yeah. I think that room will demonstrate just how big this event actually yeah definitely happening in a couple of hours times.
Oliver Sild: [00:45:14] So which track.
Nathan Wrigley: [00:45:16] So you have to go I presume it’s track one. I don’t really know but I presume it strike one, but I went into the room the other day a couple of days ago while they were setting up.
It’s huge.
Oliver Sild: [00:45:25] Yeah, it’s enormous
Nathan Wrigley: [00:45:27] and presumably it’s going to be full. He’s the big ticket. Yeah. Well, I’ve got I’ll hand the mic to you and say tell us anything you want, you know, too. Well the proper URL or a Twitter handle
Oliver Sild: [00:45:38] or what if anyone wants to you know, learn more about WebARX. For example, they can go to WebARX.com go and get your free trial and there’s like.
Chat bubble on the bottom and you can see right there and say Hey, I want to talk to Oliver. So I will you know, I can reply to you directly from there. And if there’s someone listening I don’t know, where are you putting this live?
Nathan Wrigley: [00:45:59] We’re not sure yet a couple of weeks. I think maybe more
Oliver Sild: [00:46:02] so I was thinking like if you’re listening to right now and don’t you coming to our meetup.
Nathan Wrigley: [00:46:07] But I guess not now well Oliver Sild have a enjoy the rest of your word cam.
It’s been an absolute pleasure talking to you today.
One of the purposes of the press forward podcast is to lift the lid on topics that don’t get talked about enough to allow people to share their stories. So that other people might listen and by listening they may gain an understanding that they’re not alone.
There are other people out there who have faced the same situations that you are facing. They have found a way through and can offer support to you on your journey. Maybe that person is already in your life, but they might not be and that’s what WPandUP is here for to connect you with the support that you need.
The press forward podcast is brought to you today by Green Geeks. Green Geeks offers a specially engineered platform that gives WordPress users web hosting that is designed to be the fastest most secure and scalable hosting available in multiple data centers their WordPress hosting makes deploying and managing WordPress website easy with automatic one click install managed updates real-time security protection SSD RAID 10 storage arrays power cacher and expert help 24/7 to make for the best web hosting experience.
And we thank green Geeks for their support of the press forward podcast. That’s it for this week. Please let us know if you’re enjoying the podcast if you’re finding it useful and helpful. You can reach out to us at WPandUP dot-org forward slash contact and you can donate at /give remember that there’s a serious point to all of this though.
And that is that WPandUP is here to provide help and support. That help is available for you or people, you know, and it can be easily accessed at the wpn op dot org website. Please spread the word about this podcast. Tell your friends and subscribe on your favorite podcast player and remember that together we can hashtag press forward.

Nathan Wrigley