@Steve @leolaporte As is usually the case, I enjoyed SN #790, and it sparked some thoughts I wanted to share.
In the podcast, and frequently, you all ask several important questions, or express disbelief at people for:
* Why don't they patch?
* Why don't they auto patch?
* Why don't they update?
* Why don't they upgrade?
My answer is, in the nicest possible terms, you're kidding, right?
People in this audience, including me, are more knowledgeable, thanks to you, about security than most any average person not in the industry. We're more receptive to upgrading, updating, patching, and auto patching than almost any average person.
BUT, we're not average people. Average people have completely overly insanely full lives with work, kids, pets, school, Zoom meetings, sports (for some), social activities (for some), home, car, and finance maintenance, etc. etc. taking up enough of their time to keep two people busy for each one person. Those people want to USE their PC to DO things, like posting forum posts, researching things, playing games, creating work products, having Zoom meetings, etc. They DON'T want to use their PC and their time and emotional energy maintaining the PC. They also don't want to spend money that they don't have to. Not only that, most people don't even KNOW about the issues we discuss.
Why don't they patch? Because they don't know about it. Because they don't have time to mess with it.
I'm the same way to a slightly lesser extent. I'm typing this on a 5-10 year old Windows 7 PC. Why? Because it WORKS (most of the time). I, even I, an avid SN fan, do not wish to spend time patching 2-4 things per week on 2 PCs and 2 tablets. When you mentioned the Chrome problem, I thought, OH crud, I get to waste 2 hours of my time patching 4 different installations and checking all the settings, since they change and add things.
Why don't they auto patch? Why don't they update? Why don't they upgrade?
Because auto patches, updates, and upgrades OFTEN BREAK things or change things. You guys have talked about that a number of times. There are some threads floating around on the forum about it. Also, because updates and upgrades not only sometimes cost money, they OFTEN CHANGE things or REMOVE features. People HATE that. Very recently, my wife was complaining because some office upgrade changed a bunch of features and altered settings she had. She (we) had to go through a whole learning curve wasting time getting her to be able to work the way she was doing before.
Psychology, incentives, and motives. Simple. Patches, auto patches, updates, and upgrades PREVENT people from using their gear to do whatever they bought it to do. They cause hassle, grief, pain. They cost time and money and emotion. They cause all new learning curves.
People simply don't have the time, emotion, money budgets for this. Thus, they ignore it. There has to be a better way!
PS, I don't think IP locking a WordPress login is a good idea. If you're on a VPN, as I am, your IP is always changing. Even if you're on a cable modem, it does. There's a good chance you'll get locked out of your own site.
The way to secure WordPress login, other than not using WordPress, is to get a SOLID and continually developed security product like Wordfence. Then turn on login rate limiting and Google Authenticator time-based 2FA or YubiKey 2FA. Use LastPass to generate a 32 or more character random password. It's highly unlikely that anyone will get in through the front door to your site. You could also country limit the login.
People may wish to see my threads on WordPress and Chrome security.
Hope this helps.
Ron