Transcript of show
00:01 start it up We have a little bit of pre
00:03 preamble stuff and then I’ll hit the uh
00:05 intros and then we will roll right
00:08 along Sounds great All
00:12 right let’s get this
00:16 going Ladies and gentlemen it is time
00:18 for WordPress plugins A to Zed not Z
00:27 Well good morning And it is the
00:29 interview show today for WP plugins A to
00:33 Zed And we’ll be discussing the advanced
00:36 access manager plugin with Vassel Martin
00:40 All coming up next on WordPress plugins
00:43 from A to
00:46 Zed WordPress It’s the most popular
00:50 content management and website solution
00:52 on the internet That was the wrong one
00:56 Actually we’re going to roll this right
00:58 back and do the jingle all over again
00:59 because I got a messed up
01:03 opening This is what happens sometimes
01:05 Well what happens is I I the live stream
01:08 is live That’s period But the part that
01:11 goes out to the podcast is is recorded
01:14 and I try to keep the opening clean for
01:16 that one
01:18 All right let’s roll this back again One
01:20 more time Take two Take two
01:24 Ladies and gentlemen it is time for
01:26 WordPress plugins A to Zed not
01:32 Z It is interview number 66 with Vasel
01:37 Martin Martin Oh jeez Did I get your
01:40 name okay Yeah Yeah it’s actually
01:42 perfect Oh Martin Okay then I’m gonna
01:44 roll that back one more time since I
01:46 throw it all off Let’s get this right
01:49 Okay one more time for all the listener
01:52 that’s out there Ladies and gentlemen it
01:55 is time for WordPress plugins A One more
01:59 time Ladies and gentlemen it is time for
02:02 WordPress plugins A to Zed not Z It is
02:08 interview 66 with Vasil Martin from
02:11 Advanced Access Manager We’ll be
02:13 discussing this plugin and more All
02:16 coming up next on WordPress plugins from
02:18 A to
02:21 Zed WordPress the king of content
02:24 management systems powering the web with
02:26 over 80,000 plugins to choose from How
02:29 do you sort the junk from the gems
02:32 welcome to WP Plugins A to Zed where
02:35 we’ve been keeping the pulse of
02:36 WordPress alive for over 16 incredible
02:39 years Join us every week for an
02:42 unrehearsed real talk breakdowns of the
02:44 latest and greatest plugins developer
02:47 and community member interviews Some
02:49 weeks Amber and I team up to dig in
02:51 Others I’m flying solo unpacking
02:54 WordPress news demoing a standout plugin
02:57 or sharing tips to power up your site No
03:00 scripts no fluff just the good stuff
03:03 from A to Z So plug in and let’s get
03:06 rolling
03:08 Good morning good afternoon or good
03:10 evening wherever you happen to be hiding
03:11 out there on the globe today Coming to
03:12 you direct from the brewery overlook in
03:15 beautiful southern Vancouver Island I’m
03:18 John Overall and joining me today is
03:22 Vassel Martin from Advanced Access
03:24 Manager where we’ll be discussing this
03:26 plugin that’s installed on over 150,000
03:29 websites A very fantastic plugin I don’t
03:31 know why I didn’t discover it sooner
03:33 myself I started playing with it uh
03:35 after he reached out to me and I’m
03:37 really enjoying the free version of the
03:40 plugin So welcome to the show Basil
03:42 Greatly to have you here Thank you I’m
03:45 I’m happy to be here Well we’ve got a
03:48 lot to uh cover and go over here on the
03:50 plugin You were giving me some nice
03:52 feedback information that was going to
03:54 be useful for me to wander through and
03:57 talk about on all the different stuff
03:59 we’ve got going here And um first off
04:03 for start off tell us a little bit I
04:05 know your story’s been told many times
04:06 but tell us a little bit about yourself
04:08 and how you got started in in this I see
04:12 Well um I’m originally from Ukraine and
04:15 I came to United States back in 2011 Uh
04:19 I won green card in a lottery so it was
04:20 a free pass for me and uh my first job
04:24 was in a marketing agency um it happened
04:27 to be the their their WordPress shop
04:30 primarily So that’s how I started to to
04:33 to learn WordPress and just out of
04:35 curiosity uh created a plug-in over the
04:38 weekend called advanced access manager I
04:40 even didn’t think much how to name it
04:42 just first thing that came into my mind
04:45 I name it and um and then just uh submit
04:49 it for review to the WordPress.org
04:52 repository and that’s how the journey
04:54 started uh one way or another this
04:57 plug-in was keeping was keeping me
05:00 connected to WordPress uh community to
05:02 to WordPress in general and it’s been
05:05 already 14 years journey
05:09 Well it’s an excellent plugin Now tell
05:12 me a little bit
05:13 about what drew you to create a plugin
05:18 that protects the integrity of WordPress
05:21 So well I mean it goes into places I
05:24 wasn’t even fully aware existed
05:27 Yeah Uh it’s a it’s a very good question
05:29 and the answer can be very long so I’ll
05:32 try to be That’s okay We’ve got lots of
05:35 time All right All right So again it
05:38 just started out of curiosity you know
05:40 Um at the time when I worked in uh in
05:43 the marketing agency back in 2011
05:47 um there was a particular need for a um
05:50 granular access controls to admin menu
05:53 as well as ability to manage roles and
05:55 capabilities So there were solutions
05:58 available in a wordpress.org repository
06:01 that I could just download and install
06:03 Uh however uh a client at the time was
06:06 very particular about number of plugins
06:09 So I was like “All right you know what
06:11 let’s just create over the weekend.” And
06:14 um and I just combined these two ideas
06:17 ability to manage admin menu and manage
06:20 roles and capabilities into one plug-in
06:22 very lightweight nothing crazy And um
06:26 and when I launched it in a
06:29 WordPress.org repository immediately
06:31 start getting feedback from users They
06:34 wanted additional features They wanted
06:36 additional
06:37 flexibility And you know from that point
06:39 on it just became a community plug-in So
06:42 all the ideas that 100% of the ideas
06:45 that uh that are implemented in the
06:47 plug-in coming from end users and um um
06:53 naturally I started to work with with a
06:56 lot of developers
06:58 um agencies enterprises and learning
07:02 their hurdles learn learning their needs
07:05 and all that was distilled into the set
07:08 of features and functionality that is
07:10 available and and uh and advanced access
07:13 manager Um so all after all it’s a 14
07:18 years of all experience around access
07:20 controls
07:22 um are compiled into this one simple
07:26 cohesive plugin
07:29 Yeah Okay then Well my brain has just
07:34 gone sideways on
07:37 me I know what it was You were you had
07:40 made mention in your email about talking
07:44 about some of the difficulties or horror
07:48 stories that emphasize the importance of
07:52 the this uh plugin and
07:55 how it can help save people well from
07:59 what you mentioned a whole lot of money
08:02 That’s right you know John to answer to
08:06 answer that or elaborate more on that um
08:08 I’ll give a bit of
08:10 a background so when we talk about
08:13 security I think there is a there is a
08:16 very narrow um story about what is what
08:20 means security for WordPress when we
08:22 hear about security we hear about things
08:24 like you know brute force attacks or
08:27 vulnerable plugins outdated plugins u
08:30 talking about a ws two factor
08:33 authentications These are just a part of
08:36 the security The whole security starts
08:38 from the building where the uh hosting
08:42 hardware is and it ends with the very
08:45 last user that visited website and
08:48 everything in
08:49 between So when we hear stories about
08:52 WordPress security we hear only about
08:54 part of it right
08:57 um and you know for years I couldn’t
09:01 really um clearly articulate what
09:04 advanced access manager is what is what
09:07 is this for I was telling one some
09:11 people that it’s membership plugin and
09:12 other people that it’s a developer SDK
09:14 some other people that is somewhat
09:16 security plugin but visiting uh uh
09:20 WordCamp last year I clearly realized that
09:23 there is a huge gap in the security
09:27 awareness that nobody really talks about
09:29 and this is a gap in access controls Mhm
09:33 If you look at the OWASP top 10 OWASP top
09:36 10 it’s a it’s a list that a lot of
09:39 security organizations are paying
09:42 attention uh closely that shows top 10
09:47 um top 10 things that create incidents
09:51 security incidents and broken access
09:53 controls is actually number one issue
09:56 apparently Yes apparently Um and how do
10:00 they distill that list it’s they it’s a
10:02 nonprofit organization that analyzes
10:05 hundreds of thousands of security
10:07 breaches um every year and they distill
10:11 this top 10
10:13 list Uh so uh based on what they
10:18 discovering uh through all this analysis
10:20 that 94% of all web applications are uh
10:25 have some level of broken access
10:27 controls which
10:29 means which
10:31 means something is misconfigured Some
10:34 people have high privilege and than they
10:36 should some information is disclosed
10:38 that should not be disclosed You know I
10:40 can even uh mention some things that
10:43 even on a on a a
10:45 to website on your website or I’m
10:49 certain there is already uh I haven’t
10:51 applied your plugin to that site yet
10:53 that site’s going undergoing an overhaul
10:56 You know uh taking that a little further
10:59 is like one of the things you gave me in
11:01 your in the information you sent me in
11:03 the email you sent me to a couple of
11:04 videos to go watch and one of them you
11:08 showcase how an editor privilege user
11:13 could use that to get someone else to
11:16 look at their post and upgrade
11:18 themselves And I thought that was very
11:21 fascinating I didn’t even know that was
11:23 a possibility
11:25 Yes Yeah And all that it’s not really
11:27 even an editor but rather the capability
11:30 that editor has and that is unfiltered
11:33 HTML You know if you look at a WordPress
11:35 core um there are two very very unique
11:39 capabilities It’s unfiltered HTML and
11:41 unfiltered uploads they they these two
11:44 capability allow to inject pretty much
11:48 anything in the in WordPress website
11:51 Somehow unfiltered uploads by default is
11:54 disabled but unfiltered HTML is enabled
11:56 which means allows users like editors or
12:00 you can assign that capability to
12:02 subscriber right yeah it’s with amount
12:06 of plugins today available to manipulate
12:08 with roles and capabilities it can be
12:10 assigned and I’ve seen and I’ve seen
12:12 websites where this capability was
12:13 assigned to editors editors to
12:15 subscribers to authors to custom roles
12:19 um I even done an analysis
12:23 um on the top thousand most popular
12:26 plugins in repository in WordPress.org
12:28 repository Uh over 10% of the plugins
12:33 are relying on unfiltered HTML
12:36 capability to grant additional
12:37 functionality which means this is rel
12:40 this is a relatively popular um
12:43 capability that is also extremely
12:45 dangerous because anyone who has it can
12:47 inject malicious code in the post page
12:51 and trick You don’t have to even trick
12:53 administrator You just sit and wait Yeah
12:57 You put it on a homepage Yeah And wait
13:00 till the administrator comes in and just
13:03 accesses it That’s it That’s enough
13:06 That’s enough Yeah Well that was what I
13:08 I found quite interesting And as I was
13:10 digging down I didn’t have a lot of time
13:12 to dig into it I had other things
13:13 happening but I intend to dig down
13:16 further into it And I also noticed when
13:19 I was looking up all the info about your
13:20 plug-in you have your premium versions
13:23 which offer up the ability to lock the
13:26 website down even further into a private
13:30 website and/or by IP address or geoloc So
13:36 can you tell us a little more about how
13:38 that works and what that does for us yep
13:41 Um so when people ask me what is a
13:44 premium premium add-on is for I
13:47 typically say it is ability to manage
13:50 access to your website at scale Uh the
13:53 free version includes pretty much
13:54 everything which you need If you’re a
13:56 small site you have small amount of
13:58 people you don’t even need to go in and
14:00 uh and bother buying a premium But if
14:02 you have a larger number of content
14:05 larger number of users that are visiting
14:07 your website it is much easier and much
14:10 more efficient to to to buy a premium
14:12 because you can manage access at scale
14:14 You can basically
14:16 um do a reverse access control saying I
14:20 want to deny everything but allow only
14:22 explicit explicit few pages or I want to
14:26 hide all the content for the countries
14:29 like
14:31 um like US but only show that content to
14:35 to people that coming from a country
14:36 like France So um this is the premium is
14:41 essentially again just designed to to
14:43 manage access to your website to website
14:45 resources at
14:47 scale and it’s relatively uh inexpensive
14:50 for the amount Yeah you got it priced
14:53 reasonably for for those that would need
14:54 it It’s priced in a reasonable level
14:56 I’ve always judged
14:58 plugins based upon whether the price was
15:01 reasonable over a period of time for
15:04 what it’s going to provide for the site
15:05 And I’ve seen a lot of them be
15:08 overpriced over the years Seen them come
15:10 and go And the overpriced ones often
15:13 either don’t move very fast or hardly
15:15 get enough clients or they have to come
15:17 down in price So another question on
15:20 this is like how would
15:23 this access management control plugin
15:27 um work to help you out if you’re
15:30 running an e-commerce site where you
15:32 have lots of people’s you know signing
15:34 up so they can see their different
15:35 accounts or
15:37 um just even a basic membership site And
15:40 of course we have there’s dozens of
15:41 membership plugins out there And there’s
15:43 even ways like I even noticed on mine
15:45 today like I didn’t even I I even forgot
15:47 like when people book on my site it
15:49 creates them a a booking level user on
15:53 my site and I have no idea I have no
15:56 idea what permissions are even applied
15:57 to that yet I have to now dig down deep
15:59 into it and I didn’t even realize it So
16:01 there’s lots of ways you add things to
16:03 your site and you create a new type of
16:07 user and unless you look to see what the
16:10 plug-in author chose for those you don’t
16:13 know what they get Is is that what I’m
16:15 I’m understanding It’s like as the
16:17 plug-in author creates and sets this up
16:18 he chooses what levels you of
16:22 permissions they give that user That’s
16:24 right And you know just um continuing on
16:28 on that like even even your website uh
16:31 if I log in as a the booking user or
16:34 wherever I subscriber uh I can see the
16:36 broken links not notifier on my
16:38 dashboard A broken link notifier Yeah
16:41 it’s a menu in admin that is added and I
16:44 know that you have 220 broken links
16:46 which actually grew by 50 the last time
16:49 I logged in
16:52 Sounds like my site right now You know
16:54 as they say the plumber’s pipes always
16:55 leak The uh mechanic’s car needs brakes
16:59 Yeah But that’s that is um so this this
17:03 is a segue to
17:05 um uh to the topic of the recycled
17:09 capabilities I find it one of the
17:11 biggest problems in a WordPress
17:13 ecosystem today So what is recycled
17:15 capability as as you mentioned as
17:17 developers they’re choosing specific
17:19 capability to um to code their
17:22 functionality for the plug-in saying if
17:24 if user had that capability then they
17:26 can do this additional things right and
17:29 um
17:30 and I’ve seen it and I continuously see
17:33 that developer no matter what level it
17:35 is from the associate to the principal
17:38 engineers they don’t really put too much
17:40 thinking into which capability to assign
17:43 so a lot of times I’ve se even seen a
17:46 e-commerce solutions with a admin
17:50 privilege capabilities that is granted
17:53 uh with edit posts Wow or yeah if if so
17:58 from developer standpoint they think
18:00 like okay if if uh if user has the
18:03 ability to edit posts they should be
18:05 able to manage all the products they
18:08 should be able to see all the all the
18:11 users in their mind it’s all right but
18:14 in a grand schema it’s not because
18:16 websites um you know there are different
18:19 level of users there are different
18:20 responsibilities that that users have so
18:23 they don’t really think through all
18:24 these details
18:25 And it happens over and over again
18:27 Recycle capabilities it’s a huge problem
18:30 Um so how am
18:34 uh to mitigate these problems again you
18:36 can enable restricted modes Essentially
18:38 what what you do is saying all right if
18:40 it’s a admin area I want to restrict
18:42 everything but only explicitly allow
18:45 specific admin pages And that can be
18:49 easily toggled with just a just
18:51 literally a button You click it Now no
18:54 matter even if you even if you’re
18:57 administrator you will be able to see
18:59 only pages that you explicitly allow to
19:02 see for that user Um for e-commerce
19:05 solution considering how large this uh
19:09 this space is how many add-ons available
19:13 uh restricted modes is must-have uh
19:17 solution because again it’s it’s just a
19:19 peace of mind right you don’t leak
19:21 unnecessary information to to your users
19:24 you don’t give them ability to perform
19:26 action that they should not right take
19:30 just peace of mind as simple as that
19:32 well yeah absolutely Absolutely
19:34 And in today’s world with all of the
19:36 additional tax on the site you want to
19:38 have as much peace of mind as you can
19:40 Now I do have an interesting question
19:42 that just popped in me with the advanced
19:45 access manager
19:47 plugin How is there is is there a
19:50 prevention in place for the
19:52 administrator setting this all up to
19:54 prevent from locking themselves out of
19:56 the system while they’re setting it up
19:59 happens all the time Oh okay And then
20:02 what happens then do they have to reset
20:04 the database or how do they how do they
20:06 get back into it just turn the plugin
20:08 off What what fixes it yeah Um so if
20:12 they messing with the roles and
20:14 capabilities which is there’s a big
20:16 banner says be careful right roles and
20:19 capabilities If you’re messing with that
20:21 they are directly go into into the
20:23 database and you directly modifying the
20:26 database WordPress core right um uh
20:29 property If but however if if they um
20:32 messing up with other properties they
20:34 can easily go to database and clear all
20:36 the options that uh prefix with AM or
20:40 they can just disable plugin and uh they
20:43 going back So advanced access manager u
20:46 does not modify uh database It does not
20:50 modify any files on a on a website You
20:53 can you can deactivate it and it will
20:56 clear it by automatically Okay It will
20:58 delete everything Yeah Okay So so then
21:02 if you did lock yourself out you go into
21:05 the back end change the name of the
21:06 plugin it deactivates and then they then
21:09 they’ve got access back in there again
21:10 Okay Excellent And then if they
21:12 reactivated it would they be locked out
21:14 again just out of curiosity would it
21:16 would it remember some of that stuff
21:19 well yeah if they just rename the the
21:21 the plugin um plugin folder then you
21:24 know settings are persisted in that
21:26 basis Okay So the settings are
21:28 persistent and the only other way to
21:31 clear it out would be if you if you use
21:34 the uninstall function does it clean up
21:36 after itself when it’s done yes Yes As
21:39 soon as you deactivate uninstall it it
21:42 clears all the settings automatically
21:44 Okay And that’s always been a pet peeve
21:46 of mine Sorry When plugins uh don’t
21:49 clean up after themselves And recently I
21:52 started cleaning up databases that are
21:54 very old This is where WP plug-in site
21:57 is uh sitting right now is I spent a few
22:00 hours several weeks ago going through it
22:02 with the advanced uh database cleaning
22:05 tools to clean up stuff and I’d
22:07 forgotten I’d installed and it was you
22:09 know causing the site to be at a crawl
22:11 because it had left behind all this crap
22:13 over the years That’s right Yeah And I’m
22:16 I’m very well aware of that and I hate
22:18 this things too That’s why I want to
22:21 make sure it’s not it’s not part of AM
22:23 problem especially when you know
22:24 creating dozens of uh tables in database
22:29 Yeah And and then the oh
22:31 man transients in options table is just
22:35 killing it’s killing website performance
22:38 Well there’s the other one that is now
22:40 killing website performance that not
22:42 everyone’s aware of It’s that I’m trying
22:44 to remember the name of the setting the
22:46 preload setting and the yes yes in
22:49 options yes or no in options yes or no
22:52 and even and it started I started
22:56 noticing it last year when the um tool
23:00 in WordPress um the health tool started
23:03 popping up for some websites to saying
23:05 your preload options exceeded one gig
23:08 and it’s like what is this and it’s like
23:09 okay and the more I dug down into it the
23:11 more I realized okay and then You go
23:13 through and you see all this stuff and a
23:15 lot of it is from over time people
23:17 installing uninstalling plugins and it
23:20 leaves behind that stuff but that’s
23:22 still there still being preloaded every
23:25 time the database and that causes a lot
23:27 of draw down on your website or your
23:29 performance That’s right it it’s just
23:32 because autoload uh flag is out is on by
23:36 default and a lot of developers just
23:38 like hey I just gonna insert the option
23:40 in options table
23:42 and didn’t think through like should it
23:45 be false maybe no need to autoload maybe
23:48 lazy load it
23:49 um yeah u I spent I would say years um
23:54 optimizing am so I can proudly say that
23:58 it’s um there is a wphive.com
24:01 they what they do they analyze uh
24:04 WordPress plug-in repositories uh
24:06 plugins from the WordPress repository
24:08 right for for speed for errors um so
24:11 they claim that AM is faster than 99% of
24:15 the plugins in the take the claim sounds
24:17 like a valid one to me I’ll take it
24:20 always take the win no matter where it
24:22 comes from that’s right all right we’ve
24:26 got um so we we started off going down
24:29 the path of this horror
24:31 and how someone paid a massive penalty
24:35 for incorrectly updating a page and
24:38 losing a homepage So do you want to
24:41 elaborate on that one for us a little
24:42 bit yeah Yeah Uh I can say I can tell
24:45 several stories but that particular one
24:47 uh which it happens with a with a
24:50 company uh that was in a highly
24:52 regulated space So essentially it was a
24:55 financial sector Mhm And the the pages
24:58 were uh just these pages were for the
25:01 credit cards Oh credit cards and deals
25:05 and apparently one of the uh one of the
25:08 editors actually not authorized editor
25:11 It’s just just another person that
25:13 worked in an organization that were able
25:15 to go and update a published page which
25:20 WordPress core has the ability to
25:22 differentiate between ability to edit
25:25 pages and edit published pages But that
25:28 capability particular capability was
25:29 enabled for for the user and um was it a
25:34 mistake likely But essentially what they
25:37 did they changed the percentage of the
25:41 um it’s um what is this um when you get
25:47 um when you pay for card and you get
25:50 like 5% 3% cash back Cash back Okay Yeah
25:54 Yes So it was a card with a wrong cash
25:57 back percentage So which means users
26:00 that that saw like okay normal cash back
26:03 is like 3% but it was like 8% or
26:06 something Ah and user like all right
26:08 it’s a great deal let’s sign up Yeah So
26:11 there was a many people signed up and
26:15 what happened the banknot had to go buy
26:17 by by themselves out of that deal but
26:20 also they launched a case against their
26:22 organization because you know that’s
26:24 clearly organization mistake they are
26:27 doing content for
26:28 them in the end of the day insurance got
26:31 involved and they paid it out but it was
26:33 it was a big chunk of money that was
26:34 paid and why because really didn’t think
26:38 through who can do what and when and how
26:41 that capability should not been enabled
26:44 for for the lower level lower tier
26:48 editors Um so that’s one of the stories
26:51 Um another interesting story it’s one of
26:53 my favorite is anyone who is even
26:56 watching it right now can go to your own
26:59 site and settings general Mh And there
27:02 was a there was a dropown default role
27:05 that is assigned to newly created
27:08 user and that dropdown contained list of
27:11 all the roles including administrator
27:13 role Right so now uh by default it’s a
27:16 subscriber role Anyone who is who is
27:19 creating an account in a on a site is
27:22 assigned to subscriber role But that
27:24 dropdown for one for one website was
27:27 changed to administrator Oh ouch Yes
27:32 Means every new user was an
27:33 administrator
27:35 automatically It was a high it was a
27:38 high uh it was a high traffic website
27:40 too Uh so we’re talking about hundreds
27:43 hundreds of new users had administrator
27:45 role and there is no way to find out
27:47 because before that happened there was
27:50 close to a hundred of administrators on
27:53 the site that are like internal
27:55 employees right there’s no way to find
27:57 out who made that change No you you
28:00 would have had to have had some tracking
28:02 in place long past but then depends on
28:04 how long you keep the logs for the
28:06 tracking It’s like as one of the things
28:08 I implemented on uh many of my client
28:10 sites after I turned the site over to
28:12 them was log tracking so that I know who
28:14 does what and there’s been a time or two
28:16 where it saved my butt because they come
28:18 complaining well something broke on the
28:20 site and so I haven’t touched it in like
28:21 a week or two and I look at the log and
28:24 say well you did this this and this I’m
28:27 sorry I’ll fix it but now it’s going to
28:29 cost you Yep Yep logs are great uh a
28:33 great way to to monitor just
28:37 retroactively Um one thing I always
28:40 advise uh
28:41 um my customers and and people that
28:45 reach out to me is like if you have the
28:47 thing enabled keep in mind that any
28:49 administrator can can bypass
28:53 If if I’m administrator I have the
28:55 ability to install any plugin or modify
28:57 any plugin on the site Yeah that’s it
28:59 It’s game over I can bypass any
29:02 monitoring any logging I can go
29:04 retroactively delete any activity that
29:06 that was uh that I did because I have
29:10 the ability to modify files mean I have
29:12 the ability to modify database There is
29:14 that But some of the logs one of the log
29:16 plug uh I can’t remember the name of the
29:18 logging plugin I use Now it allows you
29:21 to lock it down to one or two specific
29:24 users that can even access or see the
29:28 file or changes on it
29:31 Uh yes Uh well I’m referring to to
29:35 ability to modify any files on on a
29:37 server Yeah Yeah Yeah
29:41 There’s all of that All right
29:44 So see here We’ve got all kinds of
29:47 interesting
29:49 Oh yeah We can talk a lot about these
29:51 things It’s I haven’t even started Well
29:54 pick something and run All right Maybe
29:57 tell um some other horror stories that
30:00 happened um I don’t know about six
30:02 months ago I mentioned it a few times Um
30:05 there was a client of mine who has a
30:08 huge website 1.5 million
30:11 users on the website very active site
30:15 and their homepage got deleted
30:18 So the can you imagine that that amount
30:21 of users cannot really access the site
30:24 because homepage is deleted 404 It shows
30:27 404 Um and they like oh we get hacked
30:32 uh we got hacked we don’t know how it
30:34 happened how this privileges were
30:35 escalated So I asked okay can you just
30:38 give me an export of all the roles and
30:40 capabilities on the site and it happened
30:42 to be that there are nine custom roles
30:45 with ability to delete published pages
30:48 Nine with hundreds of users assigned to
30:51 those roles So now go find who actually
30:54 did did the damage
30:56 Could have just a pure mistake It could
30:59 be just pure mistake or yeah you
31:00 couldn’t couldn’t find it So yeah
31:03 So it sounds like making sure your roles
31:05 are set correctly is highly important
31:09 Even that is not doesn’t give you the
31:11 full story because I can show you the
31:13 subscriber user with more privileges
31:15 than administrator
31:17 Subscriber users with more privilege
31:19 than administrators Now how does that
31:21 happen
31:22 because in WordPress you can assign
31:24 capabilities to
31:25 roles and you can assign capabilities
31:28 directly to user account So in database
31:31 it well in in a dashboard it shows that
31:34 this user is subscriber
31:36 However the subscriber can have directly
31:39 assigned all the capabilities
31:41 So now you wouldn’t know it unless you
31:43 look directly Yes Unless you look look
31:46 directly Even so that doesn’t solve
31:49 anything because there is a concept of
31:50 dynamic capabilities It’s a capabilities
31:52 that and a lot of plugins not a lot but
31:55 I’ve seen several plugins that do that
31:57 They dynamically assign capabilities to
31:59 user account as a website loads but they
32:02 never persist those capabilities in
32:05 database So you cannot see that this
32:08 user has these additional capabilities
32:12 but they are loaded as a website loads
32:15 Okay And so how do you stop people from
32:18 getting these dynamically loaded
32:20 privileges well that’s a that’s like a a
32:23 needle needle in a stack of hay right
32:25 there is some plugin or theme that has a
32:27 code implemented that adds those
32:29 capabilities So we have to do the full
32:31 uh code analysis of your of your all
32:34 your files to find that okay and even if
32:37 so that doesn’t stop anything right
32:40 because WordPress core also has the
32:42 ability to override or overrule the um
32:47 the WP options users and capabilities
32:51 option So you can actually load all the
32:53 roles and capabilities from elsewhere
32:56 not from the database and WordPress core
32:58 has that ability you can override it So
33:01 essentially you can install a small
33:03 plugin few lines of code that overrides
33:06 all the roles and capabilities
33:09 uh and pretty much hijacks the roles and
33:11 capability system So there’s a lot of
33:14 intricacies There sounded more
33:16 intricacies in this than I even thought
33:18 was possible I didn’t even realize that
33:20 all of this exists I knew some of it but
33:22 not this much of it Yes there is a lot a
33:26 lot that is going on in a WordPress uh
33:28 WordPress core uh and even more in in
33:32 all these plugins that are available
33:34 Well yeah and of course you know the
33:36 plugins are you can pretty much do
33:38 anything you want with them I’ve I’ve
33:40 recently started diving into plugins
33:42 again myself recently with the advent of
33:45 AI to do all my typing for me because my
33:48 typing skills
33:49 suck which is which has always been my
33:52 drawback from creating plugins because
33:54 it takes me forever to type something
33:55 out and not have a typo in it But I’ve
33:58 been able to in the last several weeks
33:60 release four basic plugins that are
34:02 there we go that are really quite nice
34:05 and plugins that I’ve mostly been using
34:07 them as I’d mostly been throwing in the
34:10 the code that turned in the plugins into
34:12 the functions file which were just code
34:14 snippets to do certain things I you know
34:15 what I’m tired of editing the the
34:18 functions file or WP
34:20 uh config file Let’s see if we can throw
34:23 a plugin together So me and AI managed
34:25 to pull them together and they work
34:27 quite quite nicely I’ve released four of
34:29 them in the last several weeks with
34:30 three others in the uh queue Yeah Very
34:33 nice Very nice Yeah it’s really AI is
34:35 definitely helpful Yeah it’s changing
34:37 everything Yeah And how do you think AI
34:40 is going to impact this sort of problem
34:43 you’re having with uh with the security
34:46 I mean I saw something today Mullen was
34:49 asking about using AI to go after some
34:52 of this stuff
34:54 Um so you know I think it’s it will
34:58 impact particularly the security space
35:00 in in very positive way because think
35:03 about this up to this point up to the um
35:07 rollout of generative
35:09 AI what we had we had the ability to
35:12 analyze a code with a static code
35:13 analysis right which essentially you
35:16 would have to explicitly code all these
35:19 exceptions and rules that look
35:21 suspicious
35:23 With AI you don’t have to do that Um you
35:26 can still apply static code analysis to
35:29 analyze the code base Uh but you can use
35:31 also AI as additional dimension to
35:34 deeper deepen understand like what
35:37 exactly is going on in a code There is
35:39 something that suspicious So it will
35:43 positively impact it will make plugins
35:46 uh more resilient to all kind of errors
35:50 Um it will make them more secure because
35:53 the code will be
35:55 uh more secure Um will it solve all the
35:60 security problems absolutely not No it’s
36:02 never going to solve everything No
36:04 there’s security is not an end state
36:07 Security is ongoing process It’s it’s
36:10 never it’s it’s like you know
36:14 I can relate to that I’ve been playing
36:16 around on the internet since 96 and I
36:19 got serious about it in 99 when I opened
36:22 my business and I’ve watched it go from
36:24 the massive open state that it was to a
36:28 constant arms race between the people
36:31 who are trying to be nefarious and the
36:33 people who are trying to protect
36:35 everything and you know one year the
36:38 nefarious is winning next year the white
36:40 hat is winning It’s just it’s it’s a
36:43 constant battle and to see what happens
36:45 and we can see it in um Patchstack in
36:49 particular with the stuff that they’ve
36:51 launched in the last year and a half
36:53 with their code bounty programs and
36:55 everything The number of security flaws
36:58 everyone thinks they’ve gone up Now
36:60 they’ve always been there It’s just now
37:02 we’re finding them you know That’s right
37:04 I think wasn’t too long ago I read about
37:07 a a zero day flaw they found in
37:10 Microsoft you know and it had been there
37:13 for a decade or more Yep You know so
37:16 it’s like it it they still exist The
37:18 security it’s like when the code’s
37:21 originally written it’s written to the
37:23 best it can be done but somebody else
37:25 comes down the pike later and has a
37:27 whole new way of thinking and looking at
37:28 it and go “Wait a minute I can do this
37:31 and bypass that.” That’s right That’s
37:34 right And um I you know here’s another
37:37 interesting thing about particularly
37:39 WordPress uh security when it’s come to
37:42 vulnerabilities in the plugins You know
37:44 we all looking into vulnerabilities in
37:46 plug-in at as as this is one plugin
37:49 there is vulnerability in it right but
37:52 there is there are circumstances where
37:54 two or more plugins collectively create
37:57 one vulnerability
37:59 Yeah Um speaking about Patchstack they
38:02 reached out to me uh I think it was a
38:04 couple years ago and they like “Hey we
38:06 found a vulnerability in your plug-in uh
38:08 it allows to uh read the file uh file
38:12 content any file content.” And I was
38:14 like “Hey wait a minute AAM does not read
38:16 any file content.” And they’re like “No
38:18 AAM allows to create a shortcode that
38:21 invokes a function that is in other
38:25 plug-in.” And that plugin which happened
38:27 to be Wordfence and that plugin uh
38:31 allows to read any file in a file system
38:33 Wow So yeah we are living in a very
38:37 dynamic uh ecosystem where not only
38:40 isolated plugin but combined multiple
38:44 plugins can create a vulnerability Yeah
38:46 By combining different things that
38:47 people couldn’t um or had wouldn’t have
38:51 thought of Yeah That’s interesting
38:52 Exactly Oh by the way uh since you you
38:55 met Ryan from Influence WP he was here
38:57 on the show watching So
39:00 I I looked over at my comments and saw
39:02 he gave us a clap
39:05 We And we we actually living like five
39:08 miles 10 miles away from each other Oh
39:11 wow That’s kind of cool Well Tell him hi
39:13 for me He’s a Go say hi to his boat He
39:16 He He sent me an image about his boat
39:19 Yes I will He’s a great guy Yeah I’m
39:22 definitely going to catch up with Well I
39:23 interviewed him uh several weeks ago
39:25 I’ve got an interview with him a few
39:26 weeks ago So I thoroughly enjoyed that
39:30 That’s how I found him through through
39:31 your um podcast Oh well that’s good I’m
39:35 glad to hear that the podcast is uh is
39:37 is getting people on board Yes One of
39:41 the things I’m trying to do is get more
39:42 people on board with all the different
39:44 opportunities in WordPress now because
39:46 there are way more opportunities than
39:48 there were Yeah and I appreciate it a
39:51 lot All right Well looks like we’re
39:54 wrapping up here Got one one thing here
39:57 for the end of it Um let’s end with some
39:59 fun If AAM was a superhero what
40:02 superpower would it be and how would it
40:05 save the day for WordPress users
40:08 jeez that is a trick That is a tricky
40:11 question
40:13 Um a superhero You know I’m not really
40:15 into superhero on this
40:18 comic button
40:25 Um all right You You got me really real
40:29 well on that It could be a superhero
40:32 Okay Well I I still remember all the
40:35 ones from when I was a kid I’m thinking
40:37 Hulk myself you know You know what
40:39 that’s big strong Come on pound your way
40:42 through here Let’s uh let’s block the
40:44 path Hulk is a is a is a decent Yeah
40:49 this is a decent analogy It’s it’s
40:50 strong It’s powerful It’s agile Yeah And
40:54 uh and it scales up and down It scales
40:56 up and down Yeah Depend on what you need
40:59 That’s right That’s right
41:02 All right Well thanks Vasil I greatly
41:05 appreciate your time This has been lots
41:07 of fun and I uh like I said this will be
41:10 uh out on uh the live stream is already
41:14 up and running for people to listen to
41:15 and uh the live podcast the podcast
41:18 itself will go out in the next 24 hours
41:20 along with the show notes All right I’m
41:23 going to play my uh outro Don’t run away
41:25 on me and I will be right back in a
41:28 moment or two Thank you John Reminders
41:32 for the show All show notes can be found
41:34 at
41:36 wppluginsz.com And while you’re there
41:38 subscribe to the newsletter for more
41:40 useful information delivered directly to
41:42 your inbox WP Plugins A to Zed is a show
41:46 that offers honest and unbiased reviews
41:48 of plugins created by developers because
41:50 you support the show Help keep the show
41:53 honest and unbiased by going to
41:57 wpplugins.com/donate and set the
41:58 donation level that fits your budget
42:02 Help us make the show better for you by
42:04 subscribing and reviewing the show at
42:06 Stitcher Radio Google Play and in the
42:08 iTunes store You can also leave us a
42:11 review on our Facebook page using wp
42:16 plugins.com/fas You can also watch the
42:18 show live on YouTube Check out the
42:20 screencasts and training videos and
42:22 remember to subscribe and hit the bell
42:24 to get notifications of all new videos
42:27 Follow the show on Twitter at wpplugins
42:30 a toz John can also be reached at his
42:33 website
42:34 johnoverall.com or email him directly
42:37 john at
42:39 wpro.ca Thanks for joining us and have a
42:42 great
42:47 day Thanks for listening to the show
42:50 This show is copyright by
42:52 johnoverall.com So until next time have
42:54 yourselves a good morning good afternoon
42:56 or good evening wherever you happen to
42:58 be out there on the globe
43:16 today Sorry about that We’re still
43:18 streaming by the way for the moment And
43:20 we will exit that in a minute
43:23 I forgot to share the uh audio with you
43:26 so you could hear the jingles and such
43:28 that we’re playing
43:30 I I completely I completely forgot that
43:33 it’s like I’m still adapting to this
43:36 format is what’s happening because this
43:38 is a new format for me and my brain
43:41 works in I need organization for
43:45 everything to flow and when the
43:46 organization’s not there I get scattered
43:48 I have found I’ve discovered coffee
43:50 about a month ago and it is actually
43:52 teaching me how to uh be more focused
43:55 which is surprisingly you know mo all my
43:58 life I couldn’t stand coffee and all
43:60 of a sudden it was good
44:02 Yeah it’s it’s actually a good tool Yeah
44:07 it’s it’s a ritual for me now at this
44:09 point the coffee for me is a ritual when
44:12 I need to be hyperfocused
44:14 That’s what it’s becoming for me All
44:15 right I’m gonna cut our streaming
00:03 preamble stuff and then I’ll hit the uh
00:05 intros and then we will roll right
00:08 along Sounds great All
00:12 right let’s get this
00:16 going Ladies and gentlemen it is time
00:18 for WordPress plugins A to Zed not Z
00:27 Well good morning And it is the
00:29 interview show today for WP plugins A to
00:33 Zed And we’ll be discussing the advanced
00:36 access manager plugin with Vassel Martin
00:40 All coming up next on WordPress plugins
00:43 from A to
00:46 Zed WordPress It’s the most popular
00:50 content management and website solution
00:52 on the internet That was the wrong one
00:56 Actually we’re going to roll this right
00:58 back and do the jingle all over again
00:59 because I got a messed up
01:03 opening This is what happens sometimes
01:05 Well what happens is I I the live stream
01:08 is live That’s period But the part that
01:11 goes out to the podcast is is recorded
01:14 and I try to keep the opening clean for
01:16 that one
01:18 All right let’s roll this back again One
01:20 more time Take two Take two
01:24 Ladies and gentlemen it is time for
01:26 WordPress plugins A to Zed not
01:32 Z It is interview number 66 with Vasel
01:37 Martin Martin Oh jeez Did I get your
01:40 name okay Yeah Yeah it’s actually
01:42 perfect Oh Martin Okay then I’m gonna
01:44 roll that back one more time since I
01:46 throw it all off Let’s get this right
01:49 Okay one more time for all the listener
01:52 that’s out there Ladies and gentlemen it
01:55 is time for WordPress plugins A One more
01:59 time Ladies and gentlemen it is time for
02:02 WordPress plugins A to Zed not Z It is
02:08 interview 66 with Vasil Martin from
02:11 Advanced Access Manager We’ll be
02:13 discussing this plugin and more All
02:16 coming up next on WordPress plugins from
02:18 A to
02:21 Zed WordPress the king of content
02:24 management systems powering the web with
02:26 over 80,000 plugins to choose from How
02:29 do you sort the junk from the gems
02:32 welcome to WP Plugins A to Zed where
02:35 we’ve been keeping the pulse of
02:36 WordPress alive for over 16 incredible
02:39 years Join us every week for an
02:42 unrehearsed real talk breakdowns of the
02:44 latest and greatest plugins developer
02:47 and community member interviews Some
02:49 weeks Amber and I team up to dig in
02:51 Others I’m flying solo unpacking
02:54 WordPress news demoing a standout plugin
02:57 or sharing tips to power up your site No
03:00 scripts no fluff just the good stuff
03:03 from A to Z So plug in and let’s get
03:06 rolling
03:08 Good morning good afternoon or good
03:10 evening wherever you happen to be hiding
03:11 out there on the globe today Coming to
03:12 you direct from the brewery overlook in
03:15 beautiful southern Vancouver Island I’m
03:18 John Overall and joining me today is
03:22 Vassel Martin from Advanced Access
03:24 Manager where we’ll be discussing this
03:26 plugin that’s installed on over 150,000
03:29 websites A very fantastic plugin I don’t
03:31 know why I didn’t discover it sooner
03:33 myself I started playing with it uh
03:35 after he reached out to me and I’m
03:37 really enjoying the free version of the
03:40 plugin So welcome to the show Basil
03:42 Greatly to have you here Thank you I’m
03:45 I’m happy to be here Well we’ve got a
03:48 lot to uh cover and go over here on the
03:50 plugin You were giving me some nice
03:52 feedback information that was going to
03:54 be useful for me to wander through and
03:57 talk about on all the different stuff
03:59 we’ve got going here And um first off
04:03 for start off tell us a little bit I
04:05 know your story’s been told many times
04:06 but tell us a little bit about yourself
04:08 and how you got started in in this I see
04:12 Well um I’m originally from Ukraine and
04:15 I came to United States back in 2011 Uh
04:19 I won green card in a lottery so it was
04:20 a free pass for me and uh my first job
04:24 was in a marketing agency um it happened
04:27 to be the their their WordPress shop
04:30 primarily So that’s how I started to to
04:33 to learn WordPress and just out of
04:35 curiosity uh created a plug-in over the
04:38 weekend called advanced access manager I
04:40 even didn’t think much how to name it
04:42 just first thing that came into my mind
04:45 I name it and um and then just uh submit
04:49 it for review to the WordPress.org
04:52 repository and that’s how the journey
04:54 started uh one way or another this
04:57 plug-in was keeping was keeping me
04:60 connected to WordPress uh community to
05:02 to WordPress in general and it’s been
05:05 already 14 years journey
05:09 Well it’s an excellent plugin Now tell
05:12 me a little bit
05:13 about what drew you to create a plugin
05:18 that protects the integrity of WordPress
05:21 So well I mean it goes into places I
05:24 wasn’t even fully aware existed
05:27 Yeah Uh it’s a it’s a very good question
05:29 and the answer can be very long so I’ll
05:32 try to be That’s okay We’ve got lots of
05:35 time All right All right So again it
05:38 just started out of curiosity you know
05:40 Um at the time when I worked in uh in
05:43 the marketing agency back in 2011
05:47 um there was a particular need for a um
05:50 granular access controls to admin menu
05:53 as well as ability to manage roles and
05:55 capabilities So there were solutions
05:58 available in a wordpress.org repository
06:01 that I could just download and install
06:03 Uh however uh a client at the time was
06:06 very particular about number of plugins
06:09 So I was like “All right you know what
06:11 let’s just create over the weekend.” And
06:14 um and I just combined these two ideas
06:17 ability to manage admin menu and manage
06:20 roles and capabilities into one plug-in
06:22 very lightweight nothing crazy And um
06:26 and when I launched it in a
06:29 WordPress.org repository immediately
06:31 start getting feedback from users They
06:34 wanted additional features They wanted
06:36 additional
06:37 flexibility And you know from that point
06:39 on it just became a community plug-in So
06:42 all the ideas that 100% of the ideas
06:45 that uh that are implemented in the
06:47 plug-in coming from end users and um um
06:53 naturally I started to work with with a
06:56 lot of developers
06:58 um agencies enterprises and learning
07:02 their hurdles learn learning their needs
07:05 and all that was distilled into the set
07:08 of features and functionality that is
07:10 available and and uh and advanced access
07:13 manager Um so all after all it’s a 14
07:18 years of all experience around access
07:20 controls
07:22 um are compiled into this one simple
07:26 cohesive plugin
07:29 Yeah Okay then Well my brain has just
07:34 gone sideways on
07:37 me I know what it was You were you had
07:40 made mention in your email about talking
07:44 about some of the difficulties or horror
07:48 stories that emphasize the importance of
07:52 the this uh plugin and
07:55 how it can help save people well from
07:59 what you mentioned a whole lot of money
08:02 That’s right you know John to answer to
08:06 answer that or elaborate more on that um
08:08 I’ll give a bit of
08:10 a background so when we talk about
08:13 security I think there is a there is a
08:16 very narrow um story about what is what
08:20 means security for WordPress when we
08:22 hear about security we hear about things
08:24 like you know brute force attacks or
08:27 vulnerable plugins outdated plugins u
08:30 talking about a ws two factor
08:33 authentications These are just a part of
08:36 the security The whole security starts
08:38 from the building where the uh hosting
08:42 hardware is and it ends with the very
08:45 last user that visited website and
08:48 everything in
08:49 between So when we hear stories about
08:52 WordPress security we hear only about
08:54 part of it right
08:57 um and you know for years I couldn’t
09:01 really um clearly articulate what
09:04 advanced access manager is what is what
09:07 is this for I was telling one some
09:11 people that it’s membership plugin and
09:12 other people that it’s a developer SDK
09:14 some other people that is somewhat
09:16 security plugin but visiting uh uh word
09:20 camp last year I clearly realized that
09:23 there is a huge gap in the security
09:27 awareness that nobody really talks about
09:29 and this is a gap in access controls Mhm
09:33 If you look at the OASP top 10 OASP top
09:36 10 it’s a it’s a list that a lot of
09:39 security organizations are paying
09:42 attention uh closely that shows top 10
09:47 um top 10 things that create incidents
09:51 security incidents and broken access
09:53 controls is actually number one issue
09:56 apparently Yes apparently Um and how do
09:60 they distill that list it’s they it’s a
10:02 nonprofit organization that analyzes
10:05 hundreds of thousands of security
10:07 breaches um every year and they distill
10:11 this top 10
10:13 list Uh so uh based on what they
10:18 discovering uh through all this analysis
10:20 that 94% of all web applications are uh
10:25 have some level of broken access
10:27 controls which
10:29 means which
10:31 means something is misconfigured Some
10:34 people have high privilege and then they
10:36 should some information is disclosed
10:38 that should not be disclosed You know I
10:40 can even uh mention some things that
10:43 even on a on a a
10:45 to website on your website or I’m
10:49 certain there is already uh I haven’t
10:51 applied your plugin to that site yet
10:53 that site’s going undergoing an overhaul
10:56 You know uh taking that a little further
10:59 is like one of the things you gave me in
11:01 your in the information you sent me in
11:03 the email you sent me to a couple of
11:04 videos to go watch and one of them you
11:08 showcase how an editor privilege user
11:13 could use that to get someone else to
11:16 look at their post and upgrade
11:18 themselves And I thought that was very
11:21 fascinating I didn’t even know that was
11:23 a possibility
11:25 Yes Yeah And all that it’s not really
11:27 even an editor but rather the capability
11:30 that editor has and that is unfiltered
11:33 HTML You know if you look at a WordPress
11:35 core um there are two very very unique
11:39 capabilities It’s unfiltered HTML and
11:41 unfiltered uploads they they these two
11:44 capability allow to inject pretty much
11:48 anything in the in WordPress website
11:51 Somehow unfiltered uploads by default is
11:54 disabled but unfiltered HTML is enabled
11:56 which means allows users like editors or
12:00 you can assign that capability to
12:02 subscriber right yeah it’s with amount
12:06 of plugins today available to manipulate
12:08 with roles and capabilities it can be
12:10 assigned and I’ve seen and I’ve seen
12:12 websites where this capability was
12:13 assigned to editors editors to
12:15 subscribers to authors to custom roles
12:19 um I even done an analysis
12:23 um on the top thousand most popular
12:26 plugins in repository in WordPress.org
12:28 repository Uh over 10% of the plugins
12:33 are relying on unfiltered HTML
12:36 capability to grant additional
12:37 functionality which means this is rel
12:40 this is a relatively popular um
12:43 capability that is also extremely
12:45 dangerous because anyone who has it can
12:47 inject malicious code in the post page
12:51 and trick You don’t have to even trick
12:53 administrator You just sit and wait Yeah
12:57 You put it on a homepage Yeah And wait
12:60 till the administrator comes in and just
13:03 accesses it That’s it That’s enough
13:06 That’s enough Yeah Well that was what I
13:08 I found quite interesting And as I was
13:10 digging down I didn’t have a lot of time
13:12 to dig into it I had other things
13:13 happening but I intend to dig down
13:16 further into it And I also noticed when
13:19 I was looking up all the info about your
13:20 plug-in you have your premium versions
13:23 which offer up the ability to lock the
13:26 website down even further into a private
13:30 website andor by IP address or geoloc So
13:36 can you tell us a little more about how
13:38 that works and what that does for us yep
13:41 Um so when people ask me what is a
13:44 premium premium add-on is for I
13:47 typically say it is ability to manage
13:50 access to your website at scale Uh the
13:53 free version includes pretty much
13:54 everything which you need If you’re a
13:56 small site you have small amount of
13:58 people you don’t even need to go in and
14:00 uh and bother buying a premium But if
14:02 you have a larger number of content
14:05 larger number of users that are visiting
14:07 your website it is much easier and much
14:10 more efficient to to to buy a premium
14:12 because you can manage access at scale
14:14 You can basically
14:16 um do a reverse access control saying I
14:20 want to deny everything but allow only
14:22 explicit explicit few pages or I want to
14:26 hide all the content for the countries
14:29 like
14:31 um like US but only show that content to
14:35 to people that coming from a country
14:36 like France So um this is the premium is
14:41 essentially again just designed to to
14:43 manage access to your website to website
14:45 resources at
14:47 scale and it’s relatively uh inexpensive
14:50 for the amount Yeah you got it priced
14:53 reasonably for for those that would need
14:54 it It’s priced in a reasonable level
14:56 I’ve always judged
14:58 plugins based upon whether the price was
15:01 reasonable over a period of time for
15:04 what it’s going to provide for the site
15:05 And I’ve seen a lot of them be
15:08 overpriced over the years Seen them come
15:10 and go And the overpriced ones often
15:13 either don’t move very fast or hardly
15:15 get enough clients or they have to come
15:17 down in price So another question on
15:20 this is like how would
15:23 this access management control plugin
15:27 um work to help you out if you’re
15:30 running an e-commerce site where you
15:32 have lots of people’s you know signing
15:34 up so they can see their different
15:35 accounts or
15:37 um just even a basic membership site And
15:40 of course we have there’s dozens of
15:41 membership plugins out there And there’s
15:43 even ways like I even noticed on mine
15:45 today like I didn’t even I I even forgot
15:47 like when people book on my site it
15:49 creates them a a booking level user on
15:53 my site and I have no idea I have no
15:56 idea what permissions are even applied
15:57 to that yet I have to now dig down deep
15:59 into it and I didn’t even realize it So
16:01 there’s lots of ways you add things to
16:03 your site and you create a new type of
16:07 user and unless you look to see what the
16:10 plug-in author chose for those you don’t
16:13 know what they get Is is that what I’m
16:15 I’m understanding It’s like as the
16:17 plug-in author creates and sets this up
16:18 he chooses what levels you of
16:22 permissions they give that user That’s
16:24 right And you know just um continuing on
16:28 on that like even even your website uh
16:31 if I log in as a the booking user or
16:34 wherever I subscriber uh I can see the
16:36 broken links not notifier on my
16:38 dashboard A broken link notifier Yeah
16:41 it’s a menu in admin that is added and I
16:44 know that you have 220 broken links
16:46 which actually grew by 50 the last time
16:49 I logged in
16:52 Sounds like my site right now You know
16:54 as they say the plumber’s pipes always
16:55 leak The uh mechanic’s car needs brakes
16:59 Yeah But that’s that is um so this this
17:03 is a segue to
17:05 um uh to the topic of the recycled
17:09 capabilities I find it one of the
17:11 biggest problems in a WordPress
17:13 ecosystem today So what is recycled
17:15 capability as as you mentioned as
17:17 developers they’re choosing specific
17:19 capability to um to code their
17:22 functionality for the plug-in saying if
17:24 if user had that capability then they
17:26 can do this additional things right and
17:29 um
17:30 and I’ve seen it and I continuously see
17:33 that developer no matter what level it
17:35 is from the associate to the principal
17:38 engineers they don’t really put too much
17:40 thinking into which capability to assign
17:43 so a lot of times I’ve se even seen a
17:46 e-commerce solutions with a admin
17:50 privilege capabilities that is granted
17:53 uh with edit posts Wow or yeah if if so
17:58 from developer standpoint they think
18:00 like okay if if uh if user has the
18:03 ability to edit posts they should be
18:05 able to manage all the products they
18:08 should be able to see all the all the
18:11 users in their mind it’s all right but
18:14 in a grand schema it’s not because
18:16 websites um you know there are different
18:19 level of users there are different
18:20 responsibilities that that users have so
18:23 they don’t really think through all
18:24 these details
18:25 And it happens over and over again
18:27 Recycle capabilities it’s a huge problem
18:30 Um so how am
18:34 uh to mitigate these problems again you
18:36 can enable restricted modes Essentially
18:38 what what you do is saying all right if
18:40 it’s a admin area I want to restrict
18:42 everything but only explicitly allow
18:45 specific admin pages And that can be
18:49 easily toggled with just a just
18:51 literally a button You click it Now no
18:54 matter even if you even if you’re
18:57 administrator you will be able to see
18:59 only pages that you explicitly allow to
19:02 see for that user Um for e-commerce
19:05 solution considering how large this uh
19:09 this space is how many add-ons available
19:13 uh restricted modes is must-h have uh
19:17 solution because again it’s it’s just a
19:19 piece of mind right you don’t leak
19:21 unnecessary information to to your users
19:24 you don’t give them ability to perform
19:26 action that they should not right take
19:30 just peace of mind as simple as that
19:32 well yeah absolutely Absolutely
19:34 And in today’s world with all of the
19:36 additional tax on the site you want to
19:38 have as much peace of mind as you can
19:40 Now I do have an interesting question
19:42 that just popped in me with the advanced
19:45 access manager
19:47 plugin How is there is is there a
19:50 prevention in place for the
19:52 administrator setting this all up to
19:54 prevent from locking themselves out of
19:56 the system while they’re setting it up
19:59 happens all the time Oh okay And then
20:02 what happens then do they have to reset
20:04 the database or how do they how do they
20:06 get back into it just turn the plugin
20:08 off What what fixes it yeah Um so if
20:12 they messing with the roles and
20:14 capabilities which is there’s a big
20:16 banner says be careful right ros and
20:19 capabilities If you’re messing with that
20:21 they are directly go into into the
20:23 database and you directly modifying the
20:26 database WordPress core right um uh
20:29 property If but however if if they um
20:32 messing up with other properties they
20:34 can easily go to database and clear all
20:36 the options that uh prefix with AM or
20:40 they can just disable plugin and uh they
20:43 going back So advanced access manager u
20:46 does not modify uh database It does not
20:50 modify any files on a on a website You
20:53 can you can deactivate it and it will
20:56 clear it by automatically Okay It will
20:58 delete everything Yeah Okay So so then
21:02 if you did lock yourself out you go into
21:05 the back end change the name of the
21:06 plugin it deactivates and then they then
21:09 they’ve got access back in there again
21:10 Okay Excellent And then if they
21:12 reactivated it would they be locked out
21:14 again just out of curiosity would it
21:16 would it remember some of that stuff
21:19 well yeah if they just rename the the
21:21 the plugin um plugin folder then you
21:24 know settings are persisted in that
21:26 basis Okay So the settings are
21:28 persistent and the only other way to
21:31 clear it out would be if you if you use
21:34 the uninstall function does it clean up
21:36 after itself when it’s done yes Yes As
21:39 soon as you deactivate uninstall it it
21:42 clears all the settings automatically
21:44 Okay And that’s always been a pet peeve
21:46 of mine Sorry When plugins uh don’t
21:49 clean up after themselves And recently I
21:52 started cleaning up databases that are
21:54 very old This is where WP plug-in site
21:57 is uh sitting right now is I spent a few
22:00 hours several weeks ago going through it
22:02 with the advanced uh database cleaning
22:05 tools to clean up stuff and I’d
22:07 forgotten I’d installed and it was you
22:09 know causing the site to be at a crawl
22:11 because it had left behind all this crap
22:13 over the years That’s right Yeah And I’m
22:16 I’m very well aware of that and I hate
22:18 this things too That’s why I want to
22:21 make sure it’s not it’s not part of AM
22:23 problem especially when you know
22:24 creating dozens of uh tables in database
22:29 Yeah And and then the oh
22:31 man transients in options table is just
22:35 killing it’s killing website performance
22:38 Well there’s the other one that is now
22:40 killing website performance that not
22:42 everyone’s aware of It’s that I’m trying
22:44 to remember the name of the setting the
22:46 preload setting and the yes yes in
22:49 options yes or no in options yes or no
22:52 and even and it started I started
22:56 noticing it last year when the um tool
23:00 in WordPress um the health tool started
23:03 popping up for some websites to saying
23:05 your preload options exceeded one gig
23:08 and it’s like what is this and it’s like
23:09 okay and the more I dug down into it the
23:11 more I realized okay and then You go
23:13 through and you see all this stuff and a
23:15 lot of it is from over time people
23:17 installing uninstalling plugins and it
23:20 leaves behind that stuff but that’s
23:22 still there still being preloaded every
23:25 time the database and that causes a lot
23:27 of draw down on your website or your
23:29 performance That’s right it it’s just
23:32 because autoload uh flag is out is on by
23:36 default and a lot of developers just
23:38 like hey I just gonna insert the option
23:40 in options table
23:42 and didn’t think through like should it
23:45 be false maybe no need to autoload maybe
23:48 lazy load it
23:49 um yeah u I spent I would say years um
23:54 optimizing AAM so I can proudly say that
23:58 it’s um there is a wphive.com
24:01 they what they do they analyze uh
24:04 WordPress plug-in repositories uh
24:06 plugins from the WordPress repository
24:08 right for for speed for errors um so
24:11 they claim that AAM is faster than 99% of
24:15 the plugins in the take the claim sounds
24:17 like a valid one to me I’ll take it
24:20 always take the win no matter where it
24:22 comes from that’s right all right we’ve
24:26 got um so we we started off going down
24:29 the path of this horror
24:31 and how someone paid a massive penalty
24:35 for incorrectly updating a page and
24:38 losing a homepage So do you want to
24:41 elaborate on that one for us a little
24:42 bit yeah Yeah Uh I can say I can tell
24:45 several stories but that particular one
24:47 uh which it happens with a with a
24:50 company uh that was in a highly
24:52 regulated space So essentially it was a
24:55 financial sector Mhm And the the pages
24:58 were uh just these pages were for the
25:01 credit cards Oh credit cards and deals
25:05 and apparently one of the uh one of the
25:08 editors actually not authorized editor
25:11 It’s just just another person that
25:13 worked in an organization that were able
25:15 to go and update a published page which
25:20 WordPress core has the ability to
25:22 differentiate between ability to edit
25:25 pages and edit published pages But that
25:28 capability particular capability was
25:29 enabled for for the user and um was it a
25:34 mistake likely But essentially what they
25:37 did they changed the percentage of the
25:41 um it’s um what is this um when you get
25:47 um when you pay for card and you get
25:50 like 5% 3% cash back Cash back Okay Yeah
25:54 Yes So it was a card with a wrong cash
25:57 back percentage So which means users
26:00 that that saw like okay normal cash back
26:03 is like 3% but it was like 8% or
26:06 something Ah and user like all right
26:08 it’s a great deal let’s sign up Yeah So
26:11 there was a many people signed up and
26:15 what happened the bank not had to go buy
26:17 by by themselves out of that deal but
26:20 also they launched a case against their
26:22 organization because you know that’s
26:24 clearly organization mistake they are
26:27 doing content for
26:28 them in the end of the day insurance got
26:31 involved and they paid it out but it was
26:33 it was a big chunk of money that was
26:34 paid and why because really didn’t think
26:38 through who can do what and when and how
26:41 that capability should not been enabled
26:44 for for the lower level lower tier
26:48 editors Um so that’s one of the stories
26:51 Um another interesting story it’s one of
26:53 my favorite is anyone who is even
26:56 watching it right now can go to your own
26:59 site and settings general Mh And there
27:02 was a there was a dropdown default role
27:05 that is assigned to newly created
27:08 user and that dropdown contained list of
27:11 all the roles including administrator
27:13 role Right so now uh by default it’s a
27:16 subscriber role Anyone who is who is
27:19 creating an account in a on a site is
27:22 assigned to subscriber role But that
27:24 dropdown for one for one website was
27:27 changed to administrator Oh ouch Yes
27:32 Means every new user was an
27:33 administrator
27:35 automatically It was a high it was a
27:38 high uh it was a high traffic website
27:40 too Uh so we’re talking about hundreds
27:43 hundreds of new users had administrator
27:45 role and there is no way to find out
27:47 because before that happened there was
27:50 close to a hundred of administrators on
27:53 the site that are like internal
27:55 employees right there’s no way to find
27:57 out who made that change No you you
28:00 would have had to have had some tracking
28:02 in place long past but then depends on
28:04 how long you keep the logs for the
28:06 tracking It’s like as one of the things
28:08 I implemented on uh many of my client
28:10 sites after I turned the site over to
28:12 them was log tracking so that I know who
28:14 does what and there’s been a time or two
28:16 where it saved my butt because they come
28:18 complaining well something broke on the
28:20 site and so I haven’t touched it in like
28:21 a week or two and I look at the log and
28:24 say well you did this this and this I’m
28:27 sorry I’ll fix it but now it’s going to
28:29 cost you Yep Yep logs are great uh a
28:33 great way to to monitor just
28:37 retroactively Um one thing I always
28:40 advise uh
28:41 um my customers and and people that
28:45 reach out to me is like if you have the
28:47 thing enabled keep in mind that any
28:49 administrator can can bypass
28:53 If if I’m administrator I have the
28:55 ability to install any plugin or modify
28:57 any plugin on the site Yeah that’s it
28:59 It’s game over I can bypass any
29:02 monitoring any logging I can go
29:04 retroactively delete any activity that
29:06 that was uh that I did because I have
29:10 the ability to modify files mean I have
29:12 the ability to modify database There is
29:14 that But some of the logs one of the log
29:16 plug uh I can’t remember the name of the
29:18 logging plugin I use Now it allows you
29:21 to lock it down to one or two specific
29:24 users that can even access or see the
29:28 file or changes on it
29:31 Uh yes Uh well I’m referring to to
29:35 ability to modify any files on on a
29:37 server Yeah Yeah Yeah
29:41 There’s all of that All right
29:44 So see here We’ve got all kinds of
29:47 interesting
29:49 Oh yeah We can talk a lot about these
29:51 things It’s I haven’t even started Well
29:54 pick something and run All right Maybe
29:57 tell um some other horror stories that
30:00 happened um I don’t know about six
30:02 months ago I mentioned it a few times Um
30:05 there was a client of mine who has a
30:08 huge website 1.5 million
30:11 users on the website very active site
30:15 and their homepage got deleted
30:18 So the can you imagine that that amount
30:21 of users cannot really access the site
30:24 because homepage is deleted 404 It shows
30:27 404 Um and they like oh we get hacked
30:32 uh we got hacked we don’t know how it
30:34 happened how this privileges were
30:35 escalated So I asked okay can you just
30:38 give me an export of all the roles and
30:40 capabilities on the site and it happened
30:42 to be that there are nine custom roles
30:45 with ability to delete published pages
30:48 Nine with hundreds of users assigned to
30:51 those roles So now go find who actually
30:54 did did the damage
30:56 Could have just a pure mistake It could
30:59 be just pure mistake or yeah you
31:00 couldn’t couldn’t find it So yeah
31:03 So it sounds like making sure your roles
31:05 are set correctly is highly important
31:09 Even that is not doesn’t give you the
31:11 full story because I can show you the
31:13 subscriber user with more privileges
31:15 than administrator
31:17 Subscriber users with more privilege
31:19 than administrators Now how does that
31:21 happen
31:22 because in WordPress you can assign
31:24 capabilities to
31:25 roles and you can assign capabilities
31:28 directly to user account So in database
31:31 it well in in a dashboard it shows that
31:34 this user is subscriber
31:36 However the subscriber can have directly
31:39 assigned all the capabilities
31:41 So now you wouldn’t know it unless you
31:43 look directly Yes Unless you look look
31:46 directly Even so that doesn’t solve
31:49 anything because there is a concept of
31:50 dynamic capabilities It’s a capabilities
31:52 that and a lot of plugins not a lot but
31:55 I’ve seen several plugins that do that
31:57 They dynamically assign capabilities to
31:59 user account as a website loads but they
32:02 never persist those capabilities in
32:05 database So you cannot see that this
32:08 user has these additional capabilities
32:12 but they are loaded as a website loads
32:15 Okay And so how do you stop people from
32:18 getting these dynamically loaded
32:20 privileges well that’s a that’s like a a
32:23 needle needle in a stack of hay right
32:25 there is some plugin or theme that has a
32:27 code implemented that adds those
32:29 capabilities So we have to do the full
32:31 uh code analysis of your of your all
32:34 your files to find that okay and even if
32:37 so that doesn’t stop anything right
32:40 because WordPress core also has the
32:42 ability to override or overrule the um
32:47 the WP options users and capabilities
32:51 option So you can actually load all the
32:53 roles and capabilities from elsewhere
32:56 not from the database and WordPress core
32:58 has that ability you can override it So
33:01 essentially you can install a small
33:03 plugin few lines of code that overrides
33:06 all the roles and capabilities
33:09 uh and pretty much hijacks the roles and
33:11 capability system So there’s a lot of
33:14 intricacies There sounded more
33:16 intricacies in this than I even thought
33:18 was possible I didn’t even realize that
33:20 all of this exists I knew some of it but
33:22 not this much of it Yes there is a lot a
33:26 lot that is going on in a WordPress uh
33:28 WordPress core uh and even more in in
33:32 all these plugins that are available
33:34 Well yeah and of course you know the
33:36 plugins are you can pretty much do
33:38 anything you want with them I’ve I’ve
33:40 recently started diving into plugins
33:42 again myself recently with the advent of
33:45 AI to do all my typing for me because my
33:48 typing skills
33:49 suck which is which has always been my
33:52 drawback from creating plugins because
33:54 it takes me forever to type something
33:55 out and not have a typo in it But I’ve
33:58 been able to in the last several weeks
34:00 release four basic plugins that are
34:02 there we go that are really quite nice
34:05 and plugins that I’ve mostly been using
34:07 them as I’d mostly been throwing in the
34:10 the code that turned in the plugins into
34:12 the functions file which were just code
34:14 snippets to do certain things I you know
34:15 what I’m tired of editing the the
34:18 functions file or WP
34:20 uh config file Let’s see if we can throw
34:23 a plugin together So me and AI managed
34:25 to pull them together and they work
34:27 quite quite nicely I’ve released four of
34:29 them in the last several weeks with
34:30 three others in the uh queue Yeah Very
34:33 nice Very nice Yeah it’s really AI is
34:35 definitely helpful Yeah it’s changing
34:37 everything Yeah And how do you think AI
34:40 is going to impact this sort of problem
34:43 you’re having with uh with the security
34:46 I mean I saw something today Mullen was
34:49 asking about using AI to go after some
34:52 of this stuff
34:54 Um so you know I think it’s it will
34:58 impact particularly the security space
35:00 in in very positive way because think
35:03 about this up to this point up to the um
35:07 rollout of generative
35:09 AI what we had we had the ability to
35:12 analyze a code with a static code
35:13 analysis right which essentially you
35:16 would have to explicitly code all these
35:19 exceptions and rules that look
35:21 suspicious
35:23 With AI you don’t have to do that Um you
35:26 can still apply static code analysis to
35:29 analyze the code base Uh but you can use
35:31 also AI as additional dimension to
35:34 deeper deepen understand like what
35:37 exactly is going on in a code There is
35:39 something that suspicious So it will
35:43 positively impact it will make plugins
35:46 uh more resilient to all kind of errors
35:50 Um it will make them more secure because
35:53 the code will be
35:55 uh more secure Um will it solve all the
36:00 security problems absolutely not No it’s
36:02 never going to solve everything No
36:04 there’s security is not an end state
36:07 Security is ongoing process It’s it’s
36:10 never it’s it’s like you know
36:14 I can relate to that I’ve been playing
36:16 around on the internet since 96 and I
36:19 got serious about it in 99 when I opened
36:22 my business and I’ve watched it go from
36:24 the massive open state that it was to a
36:28 constant arms race between the people
36:31 who are trying to be nefarious and the
36:33 people who are trying to protect
36:35 everything and you know one year the
36:38 nefarious is winning next year the white
36:40 hat is winning It’s just it’s it’s a
36:43 constant battle and to see what happens
36:45 and we can see it in um Patchstack in
36:49 particular with the stuff that they’ve
36:51 launched in the last year and a half
36:53 with their code bounty programs and
36:55 everything The number of security flaws
36:58 everyone thinks they’ve gone up Now
37:00 they’ve always been there It’s just now
37:02 we’re finding them you know That’s right
37:04 I think wasn’t too long ago I read about
37:07 a a zero day flaw they found in
37:10 Microsoft you know and it had been there
37:13 for a decade or more Yep You know so
37:16 it’s like it it they still exist The
37:18 security it’s like when the code’s
37:21 originally written it’s written to the
37:23 best it can be done but somebody else
37:25 comes down the pike later and has a
37:27 whole new way of thinking and looking at
37:28 it and go “Wait a minute I can do this
37:31 and bypass that.” That’s right That’s
37:34 right And um I you know here’s another
37:37 interesting thing about particularly
37:39 WordPress uh security when it’s come to
37:42 vulnerabilities in the plugins You know
37:44 we all looking into vulnerabilities in
37:46 plug-in at as as this is one plugin
37:49 there is vulnerability in it right but
37:52 there is there are circumstances where
37:54 two or more plugins collectively create
37:57 one vulnerability
37:59 Yeah Um speaking about Patchstack they
38:02 reached out to me uh I think it was a
38:04 couple years ago and they like “Hey we
38:06 found a vulnerability in your plug-in uh
38:08 it allows to uh read the file uh file
38:12 content any file content.” And I was
38:14 like “Hey wait a minute AAM does not read
38:16 any file content.” And they’re like “No
38:18 AAM allows to create a short code that
38:21 invokes a function that is in other
38:25 plug-in.” And that plugin which happened
38:27 to be a Wordfence and that plugin uh
38:31 allows to read any file in a file system
38:33 Wow So yeah we are living in a very
38:37 dynamic uh ecosystem where not only
38:40 isolated plugin but combined multiple
38:44 plugins can create a vulnerability Yeah
38:46 By combining different things that
38:47 people couldn’t um or had wouldn’t have
38:51 thought of Yeah That’s interesting
38:52 Exactly Oh by the way uh since you you
38:55 met Ryan from Influence WP he was here
38:57 on the show watching So
39:00 I I looked over at my comments and saw
39:02 he gave us a clap
39:05 We And we we actually living like five
39:08 miles 10 miles away from each other Oh
39:11 wow That’s kind of cool Well Tell him hi
39:13 for me He’s a Go say hi to his boat He
39:16 He He sent me an image about his boat
39:19 Yes I will He’s a great guy Yeah I’m
39:22 definitely going to catch up with Well I
39:23 interviewed him uh several weeks ago
39:25 I’ve got an interview with him a few
39:26 weeks ago So I thoroughly enjoyed that
39:30 That’s how I found him through through
39:31 your um podcast Oh well that’s good I’m
39:35 glad to hear that the podcast is uh is
39:37 is getting people on board Yes One of
39:41 the things I’m trying to do is get more
39:42 people on board with all the different
39:44 opportunities in WordPress now because
39:46 there are way more opportunities than
39:48 there were Yeah and I appreciate it a
39:51 lot All right Well looks like we’re
39:54 wrapping up here Got one one thing here
39:57 for the end of it Um let’s end with some
39:59 fun If AAM was a superhero what
40:02 superpower would it be and how would it
40:05 save the day for WordPress users
40:08 jeez that is a trick That is a tricky
40:11 question
40:13 Um a superhero You know I’m not really
40:15 into superhero on this
40:18 comic button
40:25 Um all right You You got me really real
40:29 well on that It could be a superhero
40:32 Okay Well I I still remember all the
40:35 ones from when I was a kid I’m thinking
40:37 Hulk myself you know You know what
40:39 that’s big strong Come on pound your way
40:42 through here Let’s uh let’s block the
40:44 path Hulk is a is a is a decent Yeah
40:49 this is a decent analogy It’s it’s
40:50 strong It’s powerful It’s agile Yeah And
40:54 uh and it scales up and down It scales
40:56 up and down Yeah Depend on what you need
40:59 That’s right That’s right
41:02 All right Well thanks Vasil I greatly
41:05 appreciate your time This has been lots
41:07 of fun and I uh like I said this will be
41:10 uh out on uh the live stream is already
41:14 up and running for people to listen to
41:15 and uh the live podcast the podcast
41:18 itself will go out in the next 24 hours
41:20 along with the show notes All right I’m
41:23 going to play my uh outro Don’t run away
41:25 on me and I will be right back in a
41:28 moment or two Thank you John Reminders
41:32 for the show All show notes can be found
41:34 at
41:36 wppluginsz.com And while you’re there
41:38 subscribe to the newsletter for more
41:40 useful information delivered directly to
41:42 your inbox WP Plugins A to Zed is a show
41:46 that offers honest and unbiased reviews
41:48 of plugins created by developers because
41:50 you support the show Help keep the show
41:53 honest and unbiased by going to
41:57 wpplugins.com/donate and set the
41:58 donation level that fits your budget
42:02 Help us make the show better for you by
42:04 subscribing and reviewing the show at
42:06 Stitcher Radio Google Play and in the
42:08 iTunes store You can also leave us a
42:11 review on our Facebook page using wp
42:16 plugins.com/fas You can also watch the
42:18 show live on YouTube Check out the
42:20 screencasts and training videos and
42:22 remember to subscribe and hit the bell
42:24 to get notifications of all new videos
42:27 Follow the show on Twitter at wpplugins
42:30 a toz John can also be reached at his
42:33 website
42:34 johnoverall.com or email him directly
42:37 john at
42:39 wpro.ca Thanks for joining us and have a
42:42 great
42:47 day Thanks for listening to the show
42:50 This show is copyright by
42:52 johnoverall.com So until next time have
42:54 yourselves a good morning good afternoon
42:56 or good evening wherever you happen to
42:58 be out there on the globe
43:16 today Sorry about that We’re still
43:18 streaming by the way for the moment And
43:20 we will exit that in a minute
43:23 I forgot to share the uh audio with you
43:26 so you could hear the jingles and such
43:28 that we’re playing
43:30 I I completely I completely forgot that
43:33 it’s like I’m still adapting to this
43:36 format is what’s happening because this
43:38 is a new format for me and my brain
43:41 works in I need organization for
43:45 everything to flow and when the
43:46 organization’s not there I get scattered
43:48 I have found I’ve discovered coffee
43:50 about a month ago and it is actually
43:52 teaching me how to uh be more focused
43:55 which is surprisingly you know mo all my
43:58 life I couldn’t stand coffee and all
44:00 of a sudden it was good
44:02 Yeah it’s it’s actually a good tool Yeah
44:07 it’s it’s a ritual for me now at this
44:09 point the coffee for me is a ritual when
44:12 I need to be hyperfocused
44:14 That’s what it’s becoming for me All
44:15 right I’m gonna cut our streaming