Website Security – What Can We Learn Letting Hackers Attack Test Sites? - interview with Max Matłoka
Max Matłoka [00:00:00]:
You are basically a part of the Internet and you need to be cautious about that noise that is trying to break your website or get access to your own account. With this kind of procedures you can reduce the risks of something bad happening because of the plugins. Vibrant people inside this community, and we've got a very active community, and we would like to share that passion with everyone in Europe, but not only in Europe, around the world.
Maciej Nowak [00:00:37]:
Hello everyone, my name is Maciej Nowak and welcome to the Osom to Know podcast, where we discuss all things related to building great websites. Today we are joined by Max Matłoka, a veteran WordPress speaker, community organizer and the force behind WordCamp Gdynia, or one of the forces rather. First, today Max will explain why he's on a mission to take WordPress and advocacy beyond the usual circle, crafting a plan to share its strength with fresh audiences. Then we will dig into his hands-on security experiment. He used Terraform and Docker to spin up over 70 WordPress honeypot sites, then watched how bots started to prowl them for vulnerabilities within seconds. Finally, get an exclusive preview of WordCamp Gdynia this September: double-track sessions in both Polish and English, tips for non-technical attendees and why a trip to Poland's Baltic coast might be the highlight of your year. If you don't want to miss new episodes and keep learning more about WordPress, subscribe to our newsletter at osomstudio.com/newsletter. This is osomstudio.com/newsletter. If you are watching this on YouTube, give us a thumbs up and subscribe to our channel. This means the world to us. Without further ado, please enjoy my conversation with Max Matłoka.
Lector [00:02:03]:
Hey everyone, It's good to have you here. We're glad you decided to tune in for this episode of the Osom to Know podcast.
Maciej Nowak [00:02:10]:
Hi Max, great to have you on the podcast.
Max Matłoka [00:02:14]:
Yeah, I feel exactly the same way. It's my very first podcast in my life and I was so stressed throughout the day, and it is completely different to, for example, WordCamps, when I'm so relaxed and I'm just walking on stage with no emotions at all. But I was thinking about this particular moment, about my day, about the whole day, to be honest. And yeah, couldn't wait for this.
Maciej Nowak [00:02:47]:
Yeah, that's great to hear. I hope you will enjoy the experience, you know, your first broadcast. But you said you were stressed by other events or by this recording?
Max Matłoka [00:02:59]:
Okay, so to be honest, well, I was waiting for this because I didn't really know what to expect. So the recording and everything else is, like, getting me excited. And I cannot wait for the very first question that I'm about to receive, I guess. So, yeah, let's do this. Let's do this.
Maciej Nowak [00:03:18]:
Yeah. Yeah, let's cut to the chase, right, Max. So we've been discussing previously that you do a lot of, you know, talks at WordCamps, but also you are now organizing WordCamp Gdynia this year. And I would like to cover two areas. So one would be a little bit of a, like, technical approach to what you are doing and what you are talking about. And then I would like at the end to touch upon the WordCamp Gdynia event, because I'm very curious: what are you guys doing for all the participants? So I would love to know more about what's coming very, very soon, I guess.
Maciej Nowak [00:04:02]:
So that's the plan. And let's start with the technical approach, or maybe not technical approach, but technical subject, which is: we've been discussing that you want to focus more on the, like, advocacy for WordPress, WordPress evangelization. And my first question is, why do you even want to do this? What made you want to do that "evangelization"? So that's the first one.
Max Matłoka [00:04:35]:
Okay, so this is all connected because you mentioned WordCamps. And I realized when I was a speaker this year at WordCamp Kraków that, well, that's exactly 10 years after I was a speaker for the very first time. It was also in Kraków. So as you can guess, 10 years in the WordPress world, that's a lot of time. WordPress was always somewhere close to me. And even though I was using different technologies, I mean, my tech stack was evolving throughout all of these years, WordPress was one of the important pieces of software that, well, I was always interested in. And that's also connected with my business experience because we actually did utilize WordPress in, like, the enterprise world, in the business world.
Max Matłoka [00:05:36]:
And I believe that we touched on so many topics around WordPress. It got me really excited because I believe that there are lots of areas that are still not rediscovered. I don't know why, probably because people don't have to do this. So after all of these years in the WordPress world, I just feel connected in some way. Don't know if that's the proper way of talking about it, but yeah, it has been so long. So it always feels good to come back to WordPress. That's basically it.
Max Matłoka [00:06:17]:
I'm still using different tech stacks, and this is also exciting, but it feels safe, just as at home. So yeah, it is what it is. It was one of the first CMSs I used in my history. So it always feels a little bit nostalgic, but I don't want to feel nostalgic about WordPress anymore, because I don't feel this is the case at this point.
Maciej Nowak [00:06:54]:
Yeah. But I'm still curious, you know, how are you going to do this advocacy? Because you are now organizing WordCamp Gdynia, and you started to talk at WordCamps. So is this what you mean by, you know, that WordPress evangelization, or do you have, like, a broader plan for that?
Max Matłoka [00:07:16]:
That's broader, and well, I created a high-level plan like a few months ago about how I would like to do this, and I tried to create, like, a priority list of what needs to be done and then execute that. So one of the items on this list is basically to attend more WordCamps, and the plan is to attend 12 times publicly this year. This isn't just about WordPress, but I believe that's a whole strategy of how we can, well, make WordPress a little bit more popular and basically highlight its best benefits and share it with the world. So yeah, I'm thinking about it very widely. This is not only about WordPress but also about my career. I believe that I've been working with WordPress for so long. Well, that's one of my priorities right now, to sell my services in this area.
Max Matłoka [00:08:25]:
So that makes perfect sense. And basically that's a plan that I would like to bring to life. So it consists of a few elements, and basically we need to start talking about some facts. I strongly believe that WordPress requires some kind of advocacy right now because we forget about it a little bit. And when we talk about WordPress we usually talk with the same people, and we need to get out of this loop. And that's what I'm trying to do. I've never been a guy that was into social media. You can see my Instagram account with zero posts.
Max Matłoka [00:09:17]:
So I didn't know, you know, how to start and where to start. So I came up with a plan to basically share some of my knowledge about WordPress, about WordPress Vault and about how you can use it, about all my experiences, because I've noticed when I was visiting WordCamps before, people are genuinely interested in my stories and in what I tell about working, for example, with big business and enterprises and how you deal with these kinds of opportunities. So I realized: oh, so I've got this experience which I can share and gain some interest from people around the world. And that's what I'm trying to do. And at the same time, well, that's nothing extraordinary, but I'm also selling my services.
Max Matłoka [00:10:10]:
So that's like having two things done at once. So yeah, that's basically my idea. We can also carry on with talking about the plan, but maybe that's not your intention. So I'll wait for your questions.
Maciej Nowak [00:10:30]:
That's cool. And I want to understand more about your specific talks, because I didn't have a chance to attend your WordCamp Vienna talk. And you know that the topic there was about honeypots. Yeah. How did you come up with the plan? Because, you know, maybe we can make this episode like: since Maciej didn't join that panel, let him ask some questions about the presentation. And you know, that's my plan for today. So I'd like to grill you more on the honeypot, how you did it and why in the first place, and what the conclusions are.
Maciej Nowak [00:11:19]:
And I will bombard you with more questions about that. But let me start first with the beginnings, right? So what made you, like, come up with this idea? Why this? And then I will follow with more. We'll play with more questions about that.
Max Matłoka [00:11:37]:
Cool. So yeah, let's dig deeper into the plan that I have. So basically I realized that at some point we talk about WordPress in a way that is always about WordPress itself. When we see the release updates, release notifications, it's "oh, we came up with the notification API", we came up with this, "oh look, this is a new plugin that was just released for WordPress". And I realized by doing so in social media, you basically are closed in your own bubble, which means if you see, oh, that's a new version of WordPress, and we've introduced the Interactivity API, for example.
Max Matłoka [00:12:22]:
People are reading "a new version of WordPress" and think: okay, done, I'm done. I'm not interested in WordPress. So I realized that we need to switch the language into something more universal and interesting at the same time. So the honeypots, well, are one of the examples that I wanted to introduce to real life. So basically the reason why is, like, it's interesting. So we love to hear about some crash talks. We love to hear about how people failed.
Max Matłoka [00:12:58]:
Basically we are learning and we can avoid these kinds of mistakes in our real life. So I realized that security is one of these topics that can interest the broader audience, and at the same time we can send an encrypted message in all of these talks that, well, actually WordPress is one of the most secure CMSs on the market right now. It has a super wide community that is basically involved in fixing all of these problems, all of the mistakes, and basically when you look at the vulnerability databases it is extremely secure. So I feel sometimes a little bit guilty, because what I'm doing is, like, I'm releasing some clickbait presentations, but on top of that clickbait title I'm trying to actually share some actual knowledge that I learned over the years, and I think it kind of works because people are generally interested and, well, there is always a lesson after each presentation and basically you can learn something out of it. But what I'm trying to do and what I'm trying to achieve is, like, get some people outside the bubble. So it's basically about inviting people to your talk and then it turns out it's about WordPress, it's about the fact it's secure. So for some of these people it would be like, oh yeah, maybe I will reconsider using that CMS. And well, that might be beneficial at some point because, well, in this case it's really secure and it can actually, well, save you a lot of trouble.
Max Matłoka [00:15:01]:
Basically this is what the presentation is about.
Maciej Nowak [00:15:06]:
If I may interrupt you for a second, that seems counterintuitive if you are creating a presentation built on top of, like, how can my website be hacked, and at the same time state that WordPress is one of the most secure CMSs. So, like, if I'm in the audience that might be a little bit, you know, contradictory.
Max Matłoka [00:15:31]:
Confusing, to say the least. Yeah, yeah, I agree, and this is something sometimes I'm not really proud about. But what I've learned about social media and what I've learned about all of us, basically, is we need to understand that, well, we changed the way we communicate right now, and there is this hook, like you've got between three and eight seconds to get people interested so they will listen for another 60 seconds. So this is the way I'm trying to convince people that listening to me might actually be a good idea. So as I said, the title is a little bit clickbaitish, but at the same time what I'm trying to send is a message that, well, it's exactly the opposite. WordPress is secure and you'd better use that. Just keep in mind that you need to follow the good practices. But it's not about WordPress.
Max Matłoka [00:16:41]:
These good practices are about basically any Internet application you'd use in real life. We've seen so many examples of people losing accounts on Facebook or social media platforms just because they didn't use multi-factor authentication. And in the WordPress world it's exactly the same. I'm not talking about WordPress, I'm trying to make those statements more universal. So yeah, again, to reach out to people outside the bubble and at some point get more people interested in what I'm saying. So I believe that's also a part of my, like, high-level plan. I would like to involve people outside the bubble and basically send my message about WordPress, about what it can do.
Max Matłoka [00:17:38]:
Because obviously WordPress has some advantages that no other platform or no other CMS has. So that might be worth flagging for people that are maybe not aware of that fact.
Maciej Nowak [00:17:53]:
All right, so I think we will dig into this a little bit later in the conversation, and I would like to understand more about the presentation itself. So let's say the topic is clickbaitish, right? But it's around building.
Max Matłoka [00:18:10]:
It is.
Maciej Nowak [00:18:10]:
Let's leave it to the listeners to judge, you know, both of the episode and, you know, those who are in the audience. So I'm curious, can you walk me through what you did in the experiment? Because what you did, as I understand it, is an experiment with real threats on the Internet. So what did you do, in a nutshell?
Max Matłoka [00:18:36]:
Okay, okay. So starting from day one, I'm a fractional head of product at Sitebox, a hosting company. And I was given the statistics that most WordPress administrators cannot see, which is WordPress at scale, different projects, lots of different projects. And I could see all the dangers coming to those websites. I decided that, well, I'm aware of these problems, so why don't I fix that at the platform layer. So basically that was my first thought. Then I realized, okay, so if these websites that are hosted on our platform are actually hit by this kind of, well, hackers, I don't even know if we can call these people hackers, because these are usually bots that are just checking your website, checking open ports, checking known ways to get access to multiple applications, not only WordPress, but WordPress is obviously one of the key areas of my interest. So I was wondering, okay, so if this happens for so many websites, well, it can happen to anyone.
Max Matłoka [00:19:51]:
And basically that's how I came up with the very first honeypot. Because I wanted to learn if the danger is actually real, or maybe it's just because, well, we host, like, popular websites or something like that. So I set up the very first honeypot with a clear intention; there was only a single intention: to basically review whether something bad happens to the website. So yeah, it happened. I set up, like, a really simple password, and I really wanted to see if brute force in this specific example is still the case, because I forgot about it like 10 years ago, because if you have, like, passwords, multi-factor authentication, you've got all of these best security practices in place which are not difficult to maintain. I realized that, oh, so these kinds of dangers are still a problem. And well, maybe it would be good to flag that to people that, well, you should take care of that.
Max Matłoka [00:21:04]:
You should think about how you deal with these kinds of problems. So yeah, with my ADHD style I quickly started developing more and more around the experiment. So I developed a honeypot. Then I developed, like, Terraform to spin up more honeypots. Then I developed a Docker container to develop more honeypots, and I ended up with having, like, between 50 and 75 honeypots. Then I developed more of these. Well, that was quite a lot. And I was trying to inspect different kinds of attack vectors and trying to understand whether these work or not, and share that with people, basically.
Maciej Nowak [00:21:54]:
Why did you spin up so many of these instances? Because if you spin up one, maybe this gets infected and you have some data to analyze, then maybe two. But why 70?
Max Matłoka [00:22:06]:
Because I quickly realized that there are so many people trying to attack these that I wanted to learn about the tools that hackers are actually using. So I've collected, like, a large, large database of the applications, like exploits or malware, however you call it. I basically have a huge collection of these. I tried to understand what happens after someone gets access to your existing WordPress instance, usually because of administrators themselves, because it's usually about not having multi-factor authentication, a poor password or unblocked mechanisms that should be blocked from day one. So I wanted to learn more. I tried to basically come at it from different angles. Currently I have a Docker image that has, like, 50 different flags you can enable or disable, basically exposing or hiding a vulnerability.
Max Matłoka [00:23:15]:
And I was trying to learn where these dangers come from. So that basically says why 70 is a good number. I mean, it was way more than that, but I stopped counting them, to be honest.
Maciej Nowak [00:23:31]:
All right, and do you change somehow these versions of websites among those, let's say, 70, or is it the same instance multiplied seven times under different domains so that, you know, bots would attack you? And maybe you are counting on different bots with different ways of doing stuff. Like, how do you make this experiment relevant and not just a replication of one?
Max Matłoka [00:23:58]:
So yeah, I started simple and then I started digging deeper and deeper, and it turned out that I prepared, like, a fully scalable AI solution for building these websites. Whenever you start a Docker instance with one of these vulnerable websites, it's generating all of the content by itself using AI, which now I'm trying to extract from the Docker container because I realized that it is actually a good piece of software. So it might be used not only by the experiment itself, but also outside it. So we'll see how it goes.
Maciej Nowak [00:24:40]:
I'm curious, what are the most popular attack vectors? Because you mentioned that you prepared this in a special way, that there were many holes, let's say. So which hole got attacked first?
Max Matłoka [00:24:54]:
Okay, so what's usually first is the underlying server services. So what happens is some bots are trying to reach the MySQL server, for example, or the SSH protocol. And in one of the experiments, it was attacked after 12 seconds. I was more than sure it was me still trying to see if SSH was working and I provided a bad password, but no, it wasn't me. So after spinning up the instance, SSH was attacked for the very first time after 12 seconds, so this kind of proves what I'm saying. People are trying to get into your website, get into your underlying server instances. But, well, if everything is configured in the right way, it's not going to happen, most likely.
Max Matłoka [00:26:00]:
But speaking about the actual vulnerabilities and how they are exploited, it's really difficult to say, because I'm still running it. This is just an experiment. What I'm saying is, like, these websites I created, they look legitimate, but everyone knows that they bring no actual value. So there is no need to spend, like, hours or days or weeks trying to attack them. So I don't really know if you can actually extrapolate the experiment I'm conducting to the whole WordPress world, because if you are getting more traffic, if you are more popular, the attacks will be more sophisticated. And I would be more worried about some direct attacks, when attackers are trying to get the password directly from you, some social ways of hacking the websites, rather than exploiting the vulnerabilities.
Max Matłoka [00:27:06]:
But based on my experiment, I've seen that brute force and these most stupid attacks were really popular. And yeah, I've seen different ways of executing these simple attacks, but it was still exciting sometimes, because the variety of tools that were used in these scenarios was so different. That's why basically I was building more and more instances, just to see the next tool that will be involved in that. So basically what I was trying to prove, and it worked, was the fact that, well, you're basically a part of the Internet and you need to be cautious about that noise that is trying to break your website or get access to your own account. I didn't discover anything extraordinary. So this was more like a proof that, oh yeah, you need to take care of that, because otherwise you'll have a problem, and it is relatively easy to take care of that, and the problem will be solved before it actually arises.
Maciej Nowak [00:28:32]:
Okay. And if we are going deeper there, because I think if you are preparing these honeypots and you are collecting all of the data, you mentioned that, you know, 12 seconds before the first attempt of the attack. This is something I also noticed when I was recently launching some, let's say, side projects: when I look at the Apache log on the server level, I see, you know, like dozens and dozens of bots trying to access known files that, you know, people tend to leave on the server, like database log backups and stuff that, you know, because of human laziness, people tend to leave, you know, publicly accessible under the domain, the default names and so on. So I see, like, screens and screens of logs of these typical bot attacks. And then if you are a little bit not familiar with, you know, how things work, you leave that to be attacked, right? Or something like this. So this is what surprised me, that, you know, especially new domains are scanned and automatically attacked, and everyone is under constant attack. If you think about this, you are completely unaware if you are a person who is running a business, like a marketing director, and that person's responsible for their arm, which is the online presence, let's say; that kind of person is completely unaware that there is a war behind the screen, right? Constant war. And these types of experiments are, in my opinion, very illuminating for the broader audience.
Maciej Nowak [00:30:29]:
Now I'm curious, if this is like marketers and non-technical people, in your opinion, is this also a case where more technical people are aware of what's going on outside of their, like, little laptop? You know, because I think, like, my hunch is that this is not the case. But I'm curious, what do you think?
Max Matłoka [00:30:50]:
So what you just mentioned is, like, what I've seen in the experiments a lot, is application enumeration. This is how I call it. So the bots were trying to guess what you are, I mean, what kind of application, what's the underlying engine, if there are some environment variables left in the visible area of your website, so it happens, this kind of war. Usually more technical people are aware of that fact, but, I don't really understand why, this is often ignored, even by more technical people. And that was always surprising for non-technicals, because, well, for me as a person who has worked with security a little bit, I'm fully aware that people are trying to steal everything from you. They are trying different ways and you need to do the bare minimum to basically reduce the risk of losing any information, data, money, whatever it is, by implementing the good practices.
Max Matłoka [00:32:00]:
So for non-technical people, they were genuinely interested in learning how to do that. And speaking about the more technical people, this is why I came up with something that I call a security framework for WordPress, and I just created another website for sharing that with all of the people. And what I'm trying to do is gather all of these best security practices and basically make people more interested in the security-related topics. Because usually we forget about security until it's too late. So this is what usually happens, and what I'm trying to do is, like, okay, I'll give you these 65 points, which is a security framework right now, and just give it a read and decide which ones are important for you. It's basically about understanding a risk. And when I was working with all of these institutions, large enterprises, my products, my websites underwent pen tests. The very first pen test, well, I experienced was a disaster.
Max Matłoka [00:33:30]:
I don't recall the exact number, but we're talking about hundreds of vulnerabilities. These were not serious, and I realized that at some point the report contains some irrelevant stuff. But at the same time I learned how these enterprises, how large companies actually deal with security, and this is always about the risk management in the first place. You need to define the risk and understand whether it's relevant or not for your business. So for more technical people I'm trying to approach it from a different angle, and what I'm trying to do is, like, give them a full list and I say, oh yeah, I know you are technical, you know how to deal with websites properly. I know you have a really difficult password and probably MFA implemented on all of your websites, but here are, like, 65 points, some of which you could have forgotten about. And basically that was my approach for more technical people. And the list contains, like, strictly technical stuff but also information about who owns the domain of your website.
Max Matłoka [00:34:47]:
Because we've seen, I mean, we've seen that a lot when working with different clients. You are about to go live and you realize that the client doesn't know who has access to the domain. And this is, like, the security framework is supposed to address these kinds of risks. There are low-risk, less important problems that you might experience from the security perspective, but there are also extremely important facts in there. So for the more technical people I basically gave them a tool to decide whether some risks are relevant for them or not, and they can decide based on the specifics of their business. So I believe that we don't have to talk about brute forcing, because obviously the more technical people are aware of the fact, but at the same time we can forget about some stuff. So I wanted to give, like, a checklist for everything that you may come across from a security perspective.
Maciej Nowak [00:35:56]:
I really have to go back to the beginning of our conversation and ask: if you have to do that security checklist, where is the claim about WordPress being a safe CMS? Because this is what, for example, sometimes comes up as, like, you know, a pushback from a client who doesn't want a WordPress website. Right. And now there are vulnerabilities in the plugins. You have 60,000 plugins in the repository, you can install a plugin and make your website, you know, have a huge problem. And so, like, you know, you are deep in the trenches. Explain like I'm five: how is WordPress a secure CMS, while I hear clients sometimes stating that it's not?
Max Matłoka [00:36:54]:
Yeah, it's not a problem with WordPress itself. But I'm telling you exactly what any experienced developer would say to you: it's not WordPress's fault, it's the plugins, and it's absolutely correct. So I believe that we don't talk about WordPress only; when we talk about the security of WordPress, this isn't only about WordPress itself, it's also about the server, the platform or all of the underlying services it uses, including plugins. So this is, like, a wider topic. Usually when clients come to you and say, oh, WordPress is insecure, they think it because they had an unpleasant experience, probably caused by some inexperienced developer that, well, developed, like, a super custom solution and it didn't work well. And I believe this is the difference of how you get bigger clients, like enterprises and stuff like that.
Max Matłoka [00:38:11]:
Because at some point you prove that you know the ecosystem and you know the plugins that you use, you actually review them, so it makes the approach way more secure. And at the same time, if something bad happens and some vulnerability is discovered in one of the plugins that you use, you can quickly fix that before anything bad happens to the website. So yeah, basically I believe that with WordPress the situation is complicated, because the core is super secure. Speaking about the plugins, well, it's difficult to say, because you need to take every single plugin as a separate piece of functionality and define the risks involved in using that plugin. So when I've seen companies working for big clients, you usually have some kind of a list of approved plugins that are usually reviewed by some kind of a security team against vulnerabilities, and you've got procedures to basically make sure that any problems with the plugins are resolved really quickly. So with these kinds of procedures you can reduce the risks of something bad happening because of the plugins and you have, like, an extremely secure ecosystem.
Max Matłoka [00:39:41]:
There are obviously some other tools that can help you in achieving that, for example, some web application firewalls, they can detect some of the potential issues. And again, this is not strictly for WordPress, but it's more universal and you can still use it. So yeah, when we talk about security, we in fact talk about the risks involved in using different solutions. So it's complicated, but with proper procedures you can reduce the risk to the minimum and you can be, in my opinion, more secure than most of the commercial solutions you have in the market right now.
Maciej Nowak [00:40:31]:
Personal opinion on this topic, because the fact that we don't hear it doesn't mean it doesn't happen, right?
Max Matłoka [00:40:38]:
Yeah, exactly.
Maciej Nowak [00:40:40]:
Exposing that, you know, this is happening. Probably Webflow would have to do this if they were attacked. So I'm curious, because, like, I hear, and I don't like this opinion, that WordPress is vulnerable, while other SaaS platforms are suggested as secure, right? And I'm curious how you can compare these two approaches, where you own the code, you run the code, you host the code, you can do anything you want with the code, including breaking it, right? And making a mess out of it. So, like, what's your personal take on comparing WordPress as a CMS to other closed solutions like Webflow, for example?
Max Matłoka [00:41:27]:
Okay, so that's the power of the open source. Whenever something is discovered, you just share it publicly and it is fixed in no time because there are so many people around the world that will fix that for you. And it is propagated automatically, so if there is any zero day it will probably be fixed in a few hours after it's discovered. The problem with the private businesses, I don't want to talk about any names because that's not like the reason of our talk, but in theory they are ordered to say about any problems with the security. But at the same time when you have like different certifications related to the security, you are supposed to say that to your customers, but not all of them. It's usually for customers that use some enterprise accounts, the most expensive ones.
Max Matłoka [00:42:30]:
So the audience is really limited. You don't have to state that publicly. And most of these companies wouldn't do that because, well, it affects their public image. I'm not saying it happened before because that's why I'm trying not to talk about any names. But anyone can basically hide the fact that they were vulnerable or there was some security incident unless you are in some specific account tier that forces the company to send you a message about this kind of incidents. I'm pretty sure that any SaaS can fall victim of a problem.
Max Matłoka [00:43:17]:
It doesn't have to be necessarily like a code problem or anything like that. It could be anything else. Some external problems, like we've seen examples in the past, for example, some security managers were able to get access to the system and make some mess. So basically you never know. It doesn't have to be code, it can be always the people and they can also break the software or get some unauthorized people to do some stuff to your SaaS application. So it doesn't mean that SaaS applications are more secure. It means that some part of the process of being secure and that observability you can have is basically taken out of sight. But I'm not trying to blame any company in here. I don't know if something like this happened.
Maciej Nowak [00:44:15]:
I'm also not fishing for any particular names but rather the general, general perception of if something is closed, it's not visible, whereas something is open and this is under scrutiny. And WordPress is 43, roughly 44, 42, whatever. Like it's massive, right? There's purpose, long, long, long, nothing else. And then yeah, all of the other CMSs, and with such an exposure and ancient projects up and running as well, you know, not maintained. You know, you get that not up to date ecosystem of many, many websites. So this is what I was referring to.
Max Matłoka [00:45:01]:
Yeah, yeah. So that's the power of the open source which is often considered as a bad thing because if anyone can review a code it means that anyone can break it. But at the same time there are like lots of good people looking at the same code trying to fix all of the problems before anyone spots an opportunity to use it in a malicious way. So yeah, basically there are two approaches of seeing that problem and I believe that good people are winning in this war.
Maciej Nowak [00:45:35]:
I wanted to circle back to our original discussion where you were spinning out these instances. You used Terraform. And I'm curious for our maybe a little bit more technical listeners, how can you like what was the use case, how you've been doing that and maybe how can other people apply this type of approach to websites? So is there any other, you know, occasion you can use Terraform to spin up more instances of your website?
Max Matłoka [00:46:10]:
Yeah, of course, I mean the Terraform is more for like infrastructure so it allows you to build all of the underlying infrastructure bits like servers, droplets, file systems, databases. It has connection to different services so you can utilize it in more different ways, not only for honeypots. And I believe that honeypots are maybe like less than 1%, I'm more than sure of that. It's not the main use of this functionality, of this software. It's basically about automating your ways how you operate with the infrastructure. It was really convenient for me because what I really wanted to have is like a kill switch. I could kill the entire stack, the entire server in a second.
Max Matłoka [00:47:09]:
And that was really important for me because when building honeypots I didn't want to affect anyone else besides myself, so I had to have that kill switch that could kill the entire operation and basically remove all of the server instances if the situation could get out of control. So that was the main reason why I did it. I wanted to have it like fully streamlined. So the Terraform was responsible for building the infrastructure underlying the experiment. Then I had like a user script that was actually executed in all of the instances, spinning up WordPress, the underlying database and everything else, including those AI procedures that basically allowed to create content. So it was all about the automation. When I'm trying to spin up another instance for the experiment, it takes like 4 minutes, and 20 seconds to kill it. So that was really quick. Instead of like configuring everything from scratch, that would take hours and I didn't have that time to spend on this kind of activities.
Maciej Nowak [00:48:28]:
And when you spin it up, it takes four minutes. Where does it land? Like how do you orchestrate the whole operation? What has to happen for you to publish that so that you don't do this manually for 70 times?
Max Matłoka [00:48:44]:
Yeah. So basically it's spinning up the instance. I prefer not to talk about what kind of providers I use for hosting this because, well, obviously problems. So there is a hosting company I use. Yeah, it's secure, so no one really noticed that I'm doing anything bad about it. But yeah, it's spinning up the instances, like the server instances. It works in a cloud, so it takes like two minutes for the provider to spin up an instance within their net infrastructure.
Max Matłoka [00:49:21]:
Then I'm running the full automation. So it sets up the operating system, it installs the Docker engine, it clones the existing Docker images, it spins up the Docker images into containers and basically by using Docker Compose, I could define all of this stack, all of the underlying services, in minutes and that's basically executed, and all of these services, underlying services, are up and running really quickly. Then what happens is I'm calling the WP-CLI to basically configure everything on the WordPress site. And that's a huge script because I allowed lots of different flags to be embedded into that and that was exposing different vectors that could be utilized by bad actors. And then there was another procedure that was basically generating content, attaching the domain and everything else that needs to happen before going live. So that's an exciting journey that takes like a few minutes, and in the beginning you have nothing and in the end you have like a nice and shiny website with the dummy content in it.
Maciej Nowak [00:50:45]:
All right. Under the legitimate domains, did you like randomly generate the domains and register them or did you use subdomains? Because I missed that.
Max Matłoka [00:50:57]:
No, I did use the actual domains and I was like, oh, I've got another idea for a business, that's dummy business that I have. And yeah, I had lots of domains. Some of them are expiring right now. So the number of domains I currently have in my pocket is getting lower. But still that was a lot of them.
Max Matłoka [00:51:23]:
And I remember walking around WordCamps asking people, oh, do you know any cheap domains? Which are the cheapest one I could buy for the experiment? And yeah, that was fun.
Maciej Nowak [00:51:36]:
All right, cool. And what are your plans for that project? You did a lot of work around that to get it started, automate stuff and so on. So I'm curious, do you plan anything specific for that work that you have already done?
Max Matłoka [00:51:54]:
Yes, actually that's part of the high level plan that we mentioned in the very beginning. I'm trying to get out of the loop, so I'm trying to change my language into something more universal and start talking about WordPress in the most positive way possible. Speaking about the security, it's really interesting, but currently I have to deal with people that are really, really new and they're learning and I need to explain stuff like what's a honeypot, what's brute force, this kind of basics that I didn't really, that someone might be not aware of. And yeah, basically I'm switching my language to at least explain these details. And then I explain why the experiment itself was beneficial for the community and what we can learn from that. And at the same time I'm trying to get the security framework a little bit more popular. I developed like a few websites already because that's a part of the wider plan. Again, it's basically about proving that WordPress can handle these modern websites with fancy effects, with animations and stuff like that.
Max Matłoka [00:53:17]:
So I decided to redesign the website twice before I actually release the security framework and I just hope that it's the third time lucky and I'll finally release it. And that's one of the parts. And now I would like to focus on AI and basically I would share another journey that I basically followed for a long time about the AI and about how I utilize it with WordPress because AI is like more and more rooted in the WordPress core. I can see lots of changes coming to WordPress from that AI world. So I would like to make use of it and prove that, well, it actually works. And look what you can do with this. And again, that's one of the strongest features of WordPress because I believe you can extend that with whatever you want. As part of a vibe coding experience, I actually recreated Windows 95 in the Gutenberg editor, and I was playing the games from that Windows just for fun and I realized how nice it is to actually do whatever you want within the software. And I doubt it would be possible in any SaaS because it wasn't designed for this kind of interactions. And in WordPress you can do whatever you want.
Maciej Nowak [00:54:47]:
All right, cool, cool. All right, so I think we can now switch the topic to the WordCamp Gdynia. And I'm curious, you know, what do you plan, what the attendees should expect, and you mentioned why you got involved in that in the beginning of our conversation. But I'm curious more on the, like, you know, if I go there, what should I expect?
Max Matłoka [00:55:17]:
That would be a slightly different work to what you experienced in the past, I'm sure about it. Because what I believe is important for the community right now, so getting outside of this bubble and trying to invite other people as well, is basically what we do for that event. So at first we decided let's not advertise ourselves on the WordCamp forums or WordPress groups. Let's get out of this bubble and try to involve as many people as possible from different industries, from different conferences. It's basically to share everything that happens in the WordPress world. And I believe these changes that we can experience right now are one of the most exciting that WordPress had in the past. Probably the bigger one was just about the releasing of the Gutenberg, but except that we've got more and more exciting features coming to the core. So we would like to share it with the largest group of people possible.
Max Matłoka [00:56:36]:
So on top of that we are trying to reach out to people that are not interested in the WordPress world. We are trying to convince them to join us. We decided, well, as a preparation also for the WordCamp Europe, we decided to have like two tracks from the day one that would be around the Polish community, but also the English speaking community. I believe that the Polish community has a lot of vibrant people inside this community and we've got like a really active community and we would like to share that passion with everyone in Europe, but also not only in Europe, around the world, to join us and basically talk about everything that's related to WordPress. So this is what we are trying to achieve. We are trying to think about the bigger picture right now and involve as many people as possible outside of the original bubble. And so far it's going pretty good and we'll see what the final result will be.
Maciej Nowak [00:57:51]:
I think there are not many WordCamps in Poland that are double track. And this is something I always enjoyed about WordCamp Vienna and WordCamp Porto. And you know, in general the WordCamp in Portugal, that there are tracks for the local track, let's say local community, plus speakers from outside. Like there is a possibility that you as a, let's say, foreigner, you can attend that and enjoy. And because of that English track it means that the whole event is more international and this is more inclusive, I would say, for the foreigners. And there is that bit of a WordCamp tourism. I would say I am part of WordCamp tourism.
Maciej Nowak [00:58:37]:
I enjoyed it very much. And I think this is something that Polish WordCamps were very much missing. Like I'm super happy that there is that English track and that, you know, in the Polish community there is going to be an English track because also it opens the gates for speakers from other countries and also attendees from other countries or even, you know, non-native Polish speakers like expats living in Poland, which is like there's more and more expats living in Poland from other countries. So I'm very excited about that. Yeah, that's a very good move, I would say.
Max Matłoka [00:59:25]:
Thank you so much. And basically, because our listeners might be not aware, we met so many times in different parts of the world, when you said like WordCamp tourism, I genuinely love the idea of that. And considering Poland is actually becoming more and more interesting on the tourist map, it's on the bucket list of so many people right now. I believe it would be good to, well, share that concept with others and, you know, I just hope that so many people from different corners of the world will come to Poland, come to Gdynia to basically attend the WordCamp because I believe it might be worth it. And at the same time, as you said, the tourism part is also really nice because you can see all of the city. I know that we are trying to share all of the knowledge about the best places in Gdynia and basically share that knowledge with people coming to Gdynia.
Max Matłoka [01:00:27]:
So you can see the sea, the nice and fancy restaurants and everything else. And that's what's really exciting about WordCamp is like you can enjoy not only the WordCamp itself, but the city as well. And I definitely recommend coming to Poland.
Maciej Nowak [01:00:50]:
What's the date for our listeners?
Max Matłoka [01:00:51]:
It's September 26th and it will be Friday, Saturday and Sunday. On Friday we will focus on the beginners as well. So if you are not really familiar with WordPress, that's one of the nice things because you can just come and learn the basics so you can explore it further by yourself. And obviously Saturday and Sunday would be like lots of nice presentations. We are doing our best to involve many interesting speakers from around the world. So yeah, that's definitely worth checking and I believe that we'll have a nice agenda in place.
Maciej Nowak [01:01:35]:
And do you have all of the speakers approved already or is this forming?
Max Matłoka [01:01:41]:
We are still awaiting. We are still awaiting for the speakers. So if you are listening to us, and it's not surprising, we're asking. And yeah, because that might be in the archive for like months and you'll be listening to that in 2027. And if you are listening to that in 2027...
Maciej Nowak [01:02:02]:
That's too late. 2027, that's really the barrier.
Max Matłoka [01:02:03]:
Yeah, yeah, yeah, yeah. So basically we invite everyone that has really insightful talks about WordPress, but not only about WordPress, the business around WordPress also. So if you are interested in visiting WordCamp Gdynia and sharing that knowledge with an amazing community that would be widened by lots of different tourists coming just to see the world in Gdynia. Yeah, you should definitely try and send your application because that would be a super nice event worth visiting from both the speakers' point of view and the attendees' as well.
Maciej Nowak [01:02:46]:
Nice. That's very nice. Let's hope for a great lineup for the speakers. Would you like to share anything at the end of our conversation then about, you know, what you do or what you organize? Regarding WordCamp Gdynia, the scene is open for you.
Max Matłoka [01:03:09]:
Oh no.
Maciej Nowak [01:03:11]:
Oh no. Okay, we are closing the scene.
Max Matłoka [01:03:17]:
It's always surprising because we discuss so many topics and I'm trying to, well, think about the best I can do for this kind of moment. So yeah, I believe as WordCamp Europe was already announced and it will take place in Poland. So visiting WordCamp Gdynia might be a very, very nice experience because you will still learn something about the Polish community and basically you will fall in love and basically the Europe one would be just like a must have on your list. So if you are not sure about whether you should come to Europe or come to Gdynia, you should definitely do that because with full responsibility I can tell you that it will be worth it. So yeah.
Maciej Nowak [01:04:14]:
All right, cool. All right, Max, thank you very much for the conversation then. It was a pleasure to have you. And for anyone listening, please join WordCamp Gdynia this September.
Max Matłoka [01:04:31]:
Yeah, and Europe next year.
Maciej Nowak [01:04:33]:
And Europe next year in Krakow. That's true. I also look forward to the European event in Poland. That will be cool.
Max Matłoka [01:04:42]:
What about Gdynia? You should be there as well.
Maciej Nowak [01:04:45]:
It's so close now. Look, it's so close. It's not next year. Thank you very much, Max, and see you around at other WordCamps.
Max Matłoka [01:04:57]:
Thank you. Thank you so much. And see you shortly. Bye bye.
Lector [01:05:01]:
If you like what you've just heard, don't forget to subscribe for more episodes. On the other hand, if you've got a question we haven't answered yet, feel free to reach out to us directly. Just go to osomestudio.com/contact. Thanks for listening and see you in the next episode of the Osom to Know podcast.
