Good Bot vs Bad Bots

In this expert panel session from the Cloudways Security Bootcamp, leading security professionals from BlogVault, MalCare, and Limit Login Attempts dive deep into the growing threat of bot traffic. They discuss the differences between good and bad bots, share alarming trends in brute force attacks, and explain how to secure WordPress sites using layered security strategies, AI-driven defenses, and smart monitoring tools. This session is ideal for website owners, developers, and agencies looking to protect their digital presence in 2025 and beyond.

Introduction

I’m assuming a lot of you over here are site owners. A lot of you over here are people who run websites for themselves or their clients or their agencies or, you know, for their friends, and you must deal with bot traffic on a daily basis, right? I mean, it’s usual for site owners to deal with bot traffic, and it’s important for us to learn how we can manage bot traffic on our website, how we can detect good bots versus bad bots, which is why we have an amazing set of panelists over here today among us who will be taking us through this topic, and I’m sure you’re going to be getting a lot of information on bot traffic and how to manage those bots. So let me first introduce our guest speakers for today. First up we have Akshat Choudhary. Akshat, thank you so much for being here. I know this is not the first event that we are doing together. I mean, we have been hosting and doing events for the past couple of years, and I thank you so much again for being here and talking about security and just enlightening our audience with your knowledge.

Hi Mohammad. It’s always good to be part of the Cloudways security boot camp. It’s such a great event and thank you again for having me. And yeah, I’m glad to be here to talk about bots, which is such an important topic.

Perfect. Thank you. So for anyone who doesn’t know who Akshat is, Akshat is the CEO and founder of BlogVault, which is a leading WordPress backup and security solution. He’s also the driving force behind MalCare and the WP Remote platform, focused on, again, website security and management. He has over a decade of experience in the WordPress ecosystem. He has been playing a crucial role in making sure that WordPress websites all over the world are safe and secure. With that I would like to invite my second guest on stage, Greg Fisher from Limit Login Attempts. Greg,
so happy to have you over here. So for people who don’t know who Greg is, Greg is the CMO of Limit Login Attempts. A lot of people that we know already use this plug-in. We use it over here as well. A leading WordPress security plugin, over 2.5 million active installations, and he has over 20 plus years of experience in digital marketing, and he co-founded multiple ventures as well. So Greg, thank you so much for being here. I’m excited to have you on this panel.

Yeah, appreciate being here. Thank you.

Finally we have Gui Habarov. Gui, thank you so much for being here. Gui is the CEO of Limit Login Attempts, again from the same team, bringing over 20 plus years of experience of development management. So I am super excited to have all three of you over here on this session and I can’t wait to start off with the questions for this panel. Again, I just want to remind everyone over here who is listening to this broadcast that we do have a prize for the most engaging attendee of this event. So make sure that you keep asking questions and leaving comments in the chat to make sure that you have a chance to win prizes. So let’s start off, fellows, with the first question of the day. So let me just pull up the questions. And my first question is for Greg. Greg, your latest brute force attack report sort of uncovers some alarming trends, right? I mean, can you share the most shocking insights and what they mean for website security in 2025?

Yes, thank you. So we did a brute force attack report for 2024, or you can go to our website, go to our Force Attack Trends blogs, and so you can view the entire report. But a couple of the most interesting things we saw from this is that brute force attacks have increased year-over-year per average domain. We have approximately 60,000 domains in our
premium network that we actually receive IP data from, but it increased by approximately 120% year-over-year. So brute force attacks are becoming much more prevalent in WordPress sites, more than ever. Also, another thing that was interesting is the IP address origin of these brute force attacks. China and Singapore had the most steady incline of attacks compared to other countries. So surprisingly we’re seeing, like, emerging markets having more IP... Now, brute force attacks can originate from multiple different countries; some of them are run by proxy. But we also saw a decline in IP addresses from the US that were... and, you know, we have assumptions as to why that might be, but we saw that as kind of interesting, that less brute force attacks are originating from US domains. So those are like the two main things from the report that we kind of took away.

Mistakes in Bot Detection

Awesome. Next question is for Guri. Guri, as bot attacks become more advanced, what are the biggest mistakes still made when trying to detect bots and block them?

Yeah, the bot attacks become more advanced. So the main idea is to stay ahead of them, right? From that perspective, the biggest mistakes are, well, the first is relying on static methods, for example maintaining a static list of bad IPs, especially when done manually. Same goes with having a static list of browser signatures and user agents. That’s because modern bots are very dynamic, as you know; they can easily change IPs, especially with IPv6 coming into play, and they can easily mimic user browsers and their fingerprints as well. So you have to find a dynamic solution for the site defense to stay ahead. The next common mistake is using a security tool alone, like isolated from other tools. For example, if you use just a CAPTCHA or just a list of bad IPs or just 2FA or rate limiting alone, those measures are usually insufficient on
their own. You should always use a layered security approach, because the modern bots exploit different layers of security, not just one. And another mistake that I would mention is a lack of understanding of how a regular WordPress website and the server works and how it is visible to a bot. So for instance, a bot can attack a site that was just launched and is not even listed in search engines, and that is usually a big surprise for a user. Also, if you just updated your username, for example, a bot can get the new one immediately and continue brute forcing it. That’s because by default, you probably know that WordPress has usernames publicly exposed via its API, and bots like to use it a lot. Also, the fact that the user installed a security plugin itself doesn’t usually mean that the attacks will stop. That is a very common delusion and we have a whole article about that. So to stop the attacks completely you need to set up a proxy, and that proxy should be smart enough to recognize the WordPress attack specifically and to not harm user experience at the same time. And this is usually something you cannot implement easily. For instance, we have thousands of clients who use Cloudflare and still they need the extra protection from us.

About New Site Security

Mm, yeah. So one thing I just wanted to mention is that we get dozens of customers somewhat daily that just cannot believe that they’re getting this many attacks and they just launched their website like a day ago, and they’re like, how can they do it? And the reality is that the brute force bot detection can happen, you know, from a hosting server level. So, you know, they already kind of zeroed in on that host. They already know how to find that website immediately. And that’s a big misconception. We have to constantly explain this to users, that, you know, just because you just launched a site today doesn’t necessarily mean that you can’t be found immediately. And that’s
something hard to explain to a new WordPress user. They just don’t believe it. They honestly think that we’re doing it. It’s like, hey, are you creating these attacks just to get us to upgrade to pre... No. Like, these are legitimate brute force attacks that happen on day one. So that’s why, when you launch a website, especially if you’re a hosting company, you need to have protection immediately. You can’t wait months to start putting security plugins and start taking action. You’ve got to start on literally the day it launches.

Yeah, makes sense. Akshat, do you have anything to add over this, like biggest mistakes website owners will make when trying to detect bots and block them?

I think what these guys have covered is quite comprehensive. We see so many common mistakes and there’s so much bad advice out there, especially for WordPress website owners. Think like hide WordPress, hide WordPress login page, hide XML-RPC. There are a lot of common mistakes people make, and unfortunately what they don’t realize is, the way WordPress works, the sites can still get overloaded. Does the password get cracked? What is exactly happening? The visibility is not there. So people make a lot of such mistakes and the answers are much more complicated. So yeah, there are lots of mistakes, and I believe that a lot of the mistakes is because of really bad advice out there, because you’ll see so many people writing so many articles; they are filled with so much bad advice, and it’s so difficult to distinguish good from bad because all of them come with great authority.

Yeah.

You know, so you will come across so many articles which say the first thing you should do is turn off, change your login URL, login page. Now is that a good thing? Is that a bad thing? For a lay person it’s really difficult to understand: will that protect
you from a bot attack? Will it not protect you from a bot attack? Hey, in theory it should. Hey, okay, but then what are the downsides? So that critical analysis is really difficult for a lay person to do, and yeah, so that’s what makes security such a tricky and such a difficult topic to discuss.

AI-Powered Bots vs AI Defense

Yeah, completely agree, and I think you rightly mentioned that a lot of good or bad advice comes from very good authority. So it’s very difficult to distinguish and decide which ones to follow and which ones not to. Akshat, I will continue asking you another question, which is, with the advent of AI and technology, how can people distinguish between real bad bots and real users, right? I mean, because it’s sometimes very hard to distinguish because the user behavior is almost very humanlike but, you know, it’s not a human. So how do you suggest people distinguish between real users and bots?

No, it’s not an easy thing, frankly, and we are still in the early stages of the AI curve. Like, we are still very, very early and we are already seeing AI bots resemble humans more and more. Yeah. Okay. So a lot of bots that we are blocking actually are the non-AI bots. The AI bots that we see, they behave so much like a normal human. But, you know, they’re filling forms. They are doing brute force attacks. They’re doing credit card testing, and traditional methods that we used to protect from them, they just do not work anymore. Earlier you could throw a CAPTCHA at them. I’m seeing CAPTCHA getting solved. You know, Google V2, V3, that’s getting solved. We are seeing, you know, earlier a lot of firewalls had a very simple JavaScript-based check, like they would test for browser, but these bots are now solving them. So we are seeing this in action again and again, like our
firewall, our data is clearly showing that bots are circumventing these things. So tracking these bots is non-trivial. I think what’s going to happen is you will need to do a lot more behavioral analysis. I think rate limiting, like what Limit Login Attempts or the rate limiting, will play a role, but also global networks and, think, solutions like Cloudflare or, you know, proxies will play an even more important role, because as they have more data, people who have more data can help protect you in a better manner. Yeah. So I think the data will be the answer to this.

Perfect. Very insightful, Akshat. Now my question is for all three of you. I mean, for someone managing a WordPress site without deep security knowledge, what are three immediate actions that they should take today to stop bot-driven brute force attacks? Greg, I would go with you first.

Internal Security Risks

Well, obviously you’ve got to install Limit Login Attempts Reloaded. That’s the first thing. So definitely limiting excessive login attempts is the easiest thing you can do, the first thing you should do to prevent brute force. Obviously, like having good password policy. So let me give you an example of why a lot of times password fails. So you take a small business and they have the owner who knows good password policies; you know, they have a strong password. They don’t reuse passwords, like you shouldn’t. But it’s the employees that are typically the culprits. So the employees get a login, maybe they get a manager login for WordPress that they can allow to post blogs, and they use poor password policies. They reuse passwords from previous websites and they’re the ones that are causing the issue. They’re the ones getting hacked, and that’s why it’s important to have companywide policies when it comes to protecting your sites. So I would say, you know, aside from getting security protection, a security plugin, just having good sitewide
company policies for password protection.

Perfect. Guri, any insights on this one?

Yeah, I would add updating your passwords so they are strong and unique. And I want to emphasize the word unique, because one of the very common types of attacks is credential stuffing. And so the best way to avoid it is to use a unique password on every website you use. And I would also add creating a backup, because if you get hacked, at least you will not lose your data and can restore your site afterwards in a new clean environment.

Interesting. Akshat, anything to add over here?

Yeah, so I think both, obviously limiting login attempts, all of that is very essential, and having strong passwords. So, you know, sometimes enforcing and having strong passwords is important. Doing two-factor authentication is also very useful because it can help you from things like phishing. In many cases we have seen that having a really good firewall, which has good IP scoring or IP rating, that can also help you. So yeah, again, these are good methodologies to protect your site.

Amazing. Again I would start off with Guri on this one. What’s the most effective way to monitor login attempts and detect suspicious activity before it turns into a full-blown hack?

Yeah. Well, first of all, you should use a well-known, trusted security plug-in. For example, Limit Login Attempts Reloaded; it can reduce the velocity of attacks by the ways of throttling and dynamic IP denial. The second one would be set up real-time alerts. And also I’d recommend you to make a habit to analyze logs. So some plugins provide login logs, and you can also check your server logs from time to time, and I would recommend putting this on your calendar and doing it on a regular basis.

Awesome. Greg, anything to add over here?

Yes. So just recently we launched a new feature where you can actually review your login logs, your successful login
logs, and why that’s important is because, going back to the employee issue, let’s say that someone does break in and logs in legitimately. So you need to know who’s coming in and coming out of your website. If you identify someone from another country logs in, then most ideally this is not one of your team members and you can take corrective action. And so it is very important, like Guri said, to make sure that you are monitoring not just your brute force activity but the successful login logs, to ensure that, you know, and even besides brute force activity, maybe it’s an old employee that still has access, that’s going in there and maybe has malicious intent.

Monitoring Login Attempts

So it’s not... there’s sometimes some human components to security that we often forget. So I just wanted to mention that.

Perfect. Akshat, anything to add to this?

Yeah. So I have a slightly different take. I think it’s just the nature of the internet that every public endpoint will be attacked. Okay. You know, if you have a public endpoint, you’re going to get attacked. Now if you’re a normal person running a website, but running the website is not your core business, your core business is to do your business, right? Whatever that core business is, you might be running a store or you might be running a salon or whatever, right? And that’s what you want to focus on. What you want to do is rely on a good security plug-in or something like Limit Login or MalCare, which just takes care of it, because it’s just the nature of the internet. It’s not possible for a normal person to sit and review logs. It’s super difficult. There are lots of activities happening. Make sure that the plug-in is doing its job. Make sure that you have a strong password and having some basic stance, using a good security plug-in, and then monitoring. Yeah, have monitoring, have systems in place. Like if you have MalCare, you will have activity log built
into it. But you should not be, like, getting alarms for attacks happening. Let the security plug-in do its job. You should not be... Yeah. Otherwise you are going to lose your mind altogether. Yeah. So don’t...

I agree with you on that. But if you are not watching the velocity of brute force attacks, it could affect performance. And I could tell you a number of examples of where our customers had elevated amounts of brute force attacks that have slowed down and affected performance during heavy shopping seasons, that we had to come in and help, you know, provide other solutions for them. So, you know, I agree, on a day-to-day basis it doesn’t make sense to review your logs, but if you’re getting an elevated attack, it should be something that you need to be aware of.

Yeah. Yeah. Absolutely. There are critical situations, but yeah, those are critical edge cases, but it’s super easy for people to, you know, because again there’s so much... I think, like Greg is mentioning, right, it’s the edge case when you need to know it, like when you have a real attack. But it’s super easy to have, like, minor attacks, or where the firewall is taking care of it pretty well, and you can still get alarmed by it because you just don’t understand, hey, is this a big attack or is it not? And that nuance has to be captured well, because in the absence of it people start blaming, or people start really second-guessing: are they even capable of running the site or managing the site? Or they start blaming their web host. So there are so many of those factors, and we have seen this so often, right? So trying to be more practical is the approach we like to take.

Yeah. Yeah. So a little difference of opinion over there, but I think that’s the beauty of having a panel discussion. So we get to see and hear more of what other people think about a certain case. So before I move on to the next
question, I would like to take a question from the audience over here. So you mentioned, Akshat, about Google CAPTCHA being, you know, solved by bots, AI. So Rest over here asked what is a good Google reCAPTCHA alternative for forms and checkout, because it’s obviously not effective anymore.

So I wouldn’t say it’s not effective, but I saw V3 reCAPTCHA again getting solved multiple times. It was actually strange how well the bots were able to handle it. But I think this is a game of cat and mouse. So what we will see is there are certain places where bots will invest a lot more. There are other places where CAPTCHAs will be complex enough that bots will not invest, because there’s a cost involved in doing so. So it just comes down to what is it that you’re trying to protect and then the level of protection that you add there. So I think Cloudflare has a CAPTCHA which is pretty good, but again, I think Greg mentioned it, or Guri mentioned it, that it’s a layered approach, right? So it’s not... by itself it can help, but if you have multiple layers, one of the layers will catch it for sure.

All right. Greg, Guri, anything to add over here?

You know, we have a lot of our customers that ask us why we don’t have CAPTCHA as a form of protection: because it doesn’t work anymore. So I mean, for the most part, we don’t believe it’s an effective security solution because the bots are getting smarter and they’ll just break it. Really, 2FA and then limiting login is more in line of, like, ample protection nowadays. So, you know, that’s as far as alternative. I know Limit Login Attempts, in our premium version we do protect forms as well, and maybe Guri can talk a little bit more about that, but I’m not really familiar with any other particular solutions that protect forms. But Guri, if you have anything to add on that.

Yeah, we are planning to
implement this feature. It will be based on our huge data set and basically it will be similar to what we are already doing with our login pages, but we will apply this to other forms of the website, like comment forms, checkout forms and other different forms. But yeah, in general I agree with Greg. Nothing to add here.

Perfect. So moving on to the next question, and I would start off with Greg on this one. You know, Greg, based on the latest brute force report, I mean the one that you worked on, can you walk us through an example of a real-world attack scenario and how a website successfully mitigated it?

Yeah. So a typical real-world scenario, I mean, brute force attacks typically are not constant. You could go a couple of weeks with very little activity and then a couple of days you could get massive spikes, and then if the brute force bot doesn’t achieve success, it just kind of moves on to the next one. So that’s typically what we see in most cases. So, you know, a real-world example is that they have a massive spike. There might be some performance degradation because they’re just getting bombarded. Yeah. And so, you know, what our plug-in does is that our blog premium version, it absorbs that traffic, so your website can retain its performance. And then we absorb it and then we use our cloud intel. So we have tens of thousands of domains that we pull IP data from on a daily basis. So we’re using that IP intelligence to counter all of these attacks and absorb them, so your site can remain at its optimal performance. So that’s a typical example of what we see when it comes to brute force and how the attacks happen.

Awesome. So another question that I have over here in the panel discussion questions, and I think one of the people in the audience also had this question, I’m just going to move on to that one. Let’s say a site owner suspects that they’re
under attack. I mean, they just had this signal or they felt that, you know, there is something wrong with the website and it might have been compromised. What’s a step-by-step emergency plan that they should follow? I mean, what is the first thing that they should do and what is the most important thing that they should do? I mean, what should be the step-by-step execution plan to make sure that their website is safe? Akshat, can you take us through that?

Emergency Action Plan

Okay, so there are two parts to this, right? One is a site is under attack, as in they’re under attack by a bot, and the second part is the bot has gotten through, or there is a bot... In fact, bots are not always brute force bots. There are also bots which are trying to exploit vulnerabilities, which are also very, very common and a very big source of sites getting hacked, which we see very often with MalCare. So the very first thing you should do if you suspect your site has gotten hacked is install something like MalCare, a security plug-in which will deeply scan your site and identify if it has been hacked or not first. That’s the first step, because first you need to know if it has been compromised, if you suspect it has been compromised. Or you should be having a system in place where your site is regularly scanned, using something like MalCare, to ensure that your site is getting scanned every day, and if there is any hack or any irregular activity then that is quickly flagged and then you can take a quick remediation, and the quickest remediation to take is to get rid of the hack or remove the malware at the earliest. The longer the malware is around, the more damage it causes. Yeah. So removing the malware at the earliest is super important. I think one of the mistakes which people make, if they think that the site is hacked, is they try to restore it from a backup, which we think is a really bad idea because
you don’t know which backup, whether your backup has been infected or not. So essentially what you need to do is first try and remove the malware in a very specific manner, by first identifying what happened, where is the malware, and removing all the backdoors, and once you are confident about it, then go about securing your site by installing a good firewall. So that’s our approach to protecting your site if you think it’s compromised.

Awesome. Anything different that you might suggest? Greg, Guri, anything you want to add to this? Guri?

Yeah. Well, I can look at this topic from the person who worked in a hosting company for five to 10 years. And the most frequent issue with the sites being attacked is their reduced performance. So I would suggest the following course of actions in this situation. The first thing you should do is you should confirm that the site is indeed under an attack. For that you should check some logs and check your site performance. The second step would be notifying your dev team if you have any, or your hosting provider if you are not self-hosted. And usually, well, in emergency situations your website can go down, and if it goes down you should block all IPs other than your developer IPs. This should be done on the server or proxy level. Then you should create a backup of your site. The next step would be unblocking all IP addresses but start blocking them again, and you start blocking the most active attacking IP addresses. Again, this should be done on the server or proxy level, and unfortunately it should be done manually, based on your logs. Also, another measure could be temporarily increasing your computing resources, and if the attack targets some nonspecific pages you can cache them as well. So all of these are the most frequent scenarios that we experienced in the past, and this is the most effective way of getting
your website back on track, especially during some busy seasons or during some events. For example, when we had a network of newspaper websites, this was a pretty common issue when they publish, like, hot news and there’s an increased amount of traffic, even legit traffic. So we had to deal with issues like that, and I think this is usually enough to respond to the attack. The next steps would be planning on how to avoid them in the future.

Perfect. Thank you. Greg, anything that you would like to add to this, or do you think your thoughts are similar to Akshat, Guri?

No, I just echo the other panelists here. So, you know, if you’re under attack, the first thing you’re going to notice is degraded performance, and then from there on it’s exactly what these guys said. So I don’t really have... Yeah, I mean, all of our customers from Limit Login Attempts, when they decide to step up their security, it’s always like, hey, my site’s slow. It’s not loading pages properly. It always starts there.

Perfect. Before I move on to the next question, I would just like to again call in the comments section, see what our audience is up to. So Ralph doesn’t have a question, but it’s more of a comment: one of my best security practices is to never rely on just one level of login or form security but to use multiple layers of security and security measures. So I think that’s very practical and I think a very common view among site owners. So Anto actually has a very good question. I just wanted to address this one before I move on to the next question. So he asks what industries or types of websites are currently the biggest threat or target for brute force attack. I mean, is there an industry or a niche that is, you know, certainly more exposed as compared to others?

Correct. Yeah, I can take this one. So typically brute force attacks are very agnostic. They’ll
go after small websites to very large ones. It’s all about what are they trying to achieve, and for the small websites, even though there might not be a monetary or ransomware opportunity, they use those sites as proxies to launch other attacks.

Attack Agnosticism Across Industries

So just because you’re a small blog doesn’t necessarily mean that you don’t have value to a hacker. Now we also see a spike in brute force activity around seasons, you know, seasonality. So like during the holiday shopping season we see a high increase in brute force attacks because, one, IT departments are on vacation, and two, if they do attack and are successful, you know, they can use ransomware or other forms of crime to give access back to the site owners. Or, you know, one of the things we saw with a couple of our clients, where they’ll attack the site, they’ll claim that they have a bug that’s slowing down their site, and then there’s some deal with crypto to get restore access. There’s all sorts of things that could happen, but really the bigger e-commerce stores are not necessarily the targets in that respect. Sometimes it’s those, like, medium-sized businesses or mid-market businesses that they could actually extract value or extract things out of, because they’re not big enough to where they have big IT departments, but they’re big enough to where they can generate some money by ransomware and whatnot. But really, brute force attacks are mostly agnostic. You know, they have a purpose in each industry, small or large, of what they’re going to do when they attack, whether it be using it as a proxy or using ransomware.

Anything you want to add, Akshat or Guri? Anything you feel differently on this topic?

No, I think Greg said it pretty well, that it’s pretty agnostic, and yeah, even, like I think Greg had mentioned earlier, a site spins up and it’s under attack.
So yeah, I’m assuming, Guri, you have the same opinion as as a?

And yeah I can cut from what G

Perfect. Yeah. So I was just going to, I’m just going to make sure that we take all the questions from from the comments before I move on to the next panel question, and let’s see what people over here are talking about. So NK Toy says that CAPTCHA is dead. Yeah. They think that the new AI bots can can solve them better than humans. So thank you so much for this comment, and Kori um anything uh so yeah so I think this is pretty much it from the questions and the comments so far. Uh, I’m sure there going to be many more once we move forward with the session, so I’m going to be moving on to the next question uh from from the from the panel and uh I’m going to talk about more about the future of bot mitigation. I mean, what the future holds for, you know, sidebs.

The Future of Bot Mitigation

And with AI shaping, again, I would like to, you know, inculcate AI over here again, with AI shaping both attacks and defense mechanism, I mean, you have AI, you know, you have people using AI for bot attacks and then you have people using AI to defend their websites from those bot attacks as well, right? Where do you see bot mitigation heading in the next two to three years? Where do you see uh this technology or where do you see the shift in technology when it comes to, you know, website owners coming up with solutions or developers coming up with solutions that can completely mitigate bots? Muri, can you can you take us off with that one?

Well, I think we’ll see more security systems using machine learning under the hood and uh we already heading into that direction with our plug-in. I also think that uh more systems will start integrating with each other to increase the combined efficiency because uh well based on how we work uh on our cloud side I I can see a huge potential in sharing uh information and data between different websites. So then they can fight together against uh botnets. So it it would be like uh something
opposite to botnet but from the like uh uh that would be a dark side versus light side. So yeah, but uh the most exciting thing is machine learning right now I think, and uh I’m I’m happy to to find out what is going to be next.

Nice. AX, anything that you want to add to this? I mean the future of bot mitigation, I mean you obviously are working in this industry for the past, you know, decade or so. Anything that you see changing over the next decade?

Yeah. So uh again machine learning, AI will will be needed to fight AI, and machine learning more specifically. Uh I think cloud-based solutions and because of the nature of it and especially especially because of this nature change of scale and the number of IPs that we see increasing, a cloud-based solution, hybrid solutions will become more prominent and more more important than we have seen in the past. So uh so yeah machine learning, cloud-based solutions will I I think we’ll go more in that direction. Yeah, in the next few years.

Yeah, I’m just going to echo uh these guys here. So last year we would counter uh around 88% of all um attacks u prior to getting to their log you know to to hitting their login database, and our attack efficiency has grown from 88% to 97% in a year because of the cloud uh data that we have. So just like Lori said, you know, there there’s a light side there. There’s good guys that are gathering all this IP intelligence and using it to protect the entire WordPress network. And the more sites that participate in this, the stronger our protection will be as a whole. And it’s getting more complex where these IP addresses could be uh legitimate one day but then be bad the next. So you know that’s what we’re doing at Limit Login Attempts Reloaded. We’re making sure that we build the most powerful cloud uh based IP intelligence in WordPress so that way we can, you know, do the best job we can to protect the entire community. But there’ll be other services I’m sure like MalCare that are going to, you know, support that effort. But we
really need, you know, to kind of work as a group here. It’s kind of like herd immunity with vaccines. You know, we want to make sure that the more of us that are are secure and protected and using cloud-based technologies, the better the network will be as a whole.

Perfect. Thank you so much, gentlemen. Uh there’s another question in the comment that I want to you know get your attention towards. So Riyad Brie has a question. He wants to thank us for the session. You’re welcome, Riyad. I have a question. Can you say something about the backend hacking implication of these issues? I’m assuming, I assume we are only talking only WordPress. What are the tools used and what can you do in the WordPress back end and dashboard? What can you do especially for example in the HTML level or in Python? I mean if you guys can answer this question that’s fine. If you can’t that’s also completely fine as well, but I just wanted to make sure that we address this question because I think it’s a good one.

Uh can you, I have a question, can you. Yeah it’s a bit lengthy. Can I, implications of these issues, I assume we are talking only about WordPress, but what are the tools hackers use?

No. Yeah, I think that I’m not very familiar with the tools and it’s a it’s a completely different. Gory, are you familiar with this question at all?

Yeah, sorry, I barely heard the question. If you repeat it.

Oh it’s um what are the tools that hackers use um and what can you do in the WordPress back end to uh protect?

I think I think I think what what the user is trying to ask is that what are the some of the tools that users use, that attackers use, to sort of, you know, attack websites, and and in the back end what can we do to protect our websites?

All right. So yeah we we had some uh events related to that in the past and usually it works like that. Uh uh imagine that a hacker uh knows your password. Well, their login attempt was successful. It can happen via your login page or via FTP. Uh uh their next step is installing a plug-in. Uh that plug-in
will be named uh somehow legit. So you you cannot find out very fast that that this plug-in is malicious, and that plug-in opens uh basically the whole website for for that hacker remotely. They can do whatever they want, and the worst case scenario is that they start uh silently gathering uh different information, for example login unencrypted passwords, payment information, etc. And uh well from my experience this is the most uh frequent way of uh doing this stuff. Of course the they run some viruses that uh infect a lot of uh files across the whole WordPress installation.

Tools Used by Hackers

But uh if we are talking about tools, very frequently they just upload some uh already made plugins, and uh I think uh those plugins are taken from someone somewhere online. Uh a lot of people publish them on GitHub, and uh well we saw plugins like uh two mo most frequent were the plugins for newslettering. They just send out spam. And the second one was uh like a shell. It provides full access to your WordPress installation and you can do whatever you want with it.

Awesome. So gentlemen, I’m going to be moving towards the final question of this session, and again it’s something about the future, uh future of web security, future of uh bot protection. So if each of you had one golden rule that you would like to share with the audience about, you know, bot protection in 2025 and beyond, what would that be? I would start off with AA on this.

Okay. So my approach is that yeah there are lots of bots out there. Uh instead of trying to solve and trying to protect yourself from all the bots and be like you understand the bots that you want to protect your site from, the ones that are really dangerous, that are going to uh use resources or hack your site, and have approach for that, instead of like hey there’s a small bot there that’s accessed my site or that’s scraping my site. Yeah, there are some bots you should just let let it be and focus on the bots which are which are really dangerous or using up the resources.
So that’s one approach that we think we need to do more and more of in the future.

All right, you want to go next?

Yeah, I would say the golden rule would would be always set up multiple layers of security. So your security should look like a sandwich.

Layered Security as a Must

All right. Greg, any

I was gonna say exact same thing Guri Guri said. Um to have layers, you know, 2FA, limit login, malware scanning. You don’t have to be an expert in security to have a secure website. You know that’s that’s why you have, you know, us up here. We’re building the technology. Uh we’re doing that work for you. And I mean you can secure your website for very very little. And I also would would caution to rely too heavily on free plugins for your security because free plugins obviously are limited in what they can what they can do. And some sites might be fine with free uh security plugins, but a lot of the premium features are where you’re going to get a lot of the meat in security. So just be cautious of just going for the the the cheapest option because, you know, for and I’m not sure how much MalCare is, but even our premium annual is $40 a year u US dollars and it’s not very much to get much more protection. So just consider like how valuable your if your if your website’s generating millions of dollars in e-commerce and you’re relying on a bunch of free tools to secure your website, it might be a good idea to pay for the premium versions of some of these plugins, whether it be friends or mail login attempts, because that little extra could go a really long way in securing your your sites.

Perfect. I think that with that I would like to, you know, conclude this session, and I would like to thank all three of you for being here today and I’m out of your busy schedule and asking questions for us. I’m sure all the people listening to this session must have learned a thing or two from you guys on how to protect their websites from bots and how to manage their how to identify between good and bad. So thank you so
much, guys. Thank you. Thank you, Greg. Thank you, Ji, for being here today, and uh I wish you all the best for your future and for your current project as well. So uh thank you for