Maciek: [00:00:00] Hello everyone. Welcome. Today we are going to talk a bit about hosting companies and about all the promises they make because in most cases, hosting companies do promise a lot and in a lot of cases, not only they promise a lot, they end it with only for $5 a month, what can go wrong, right?
Maciek: That's why today I have Wes Tatters from Rapyd.Cloud. He's a managing director there and also a part of WordPress hosting. Did I forget something?
Wes Tatters: No, I think that's enough for a start.
Maciek: Okay. And we are going to talk a bit about a lot of aspects of hosting, and I think we'll start with those promises. For example, if you go to Rapyd Cloud website, you'll see that this nice model at the top, hyper speed performance, even at peak traffic. That's a bold claim.
Wes Tatters: It is.[00:01:00]
Maciek: And I can tell that similar things are promised on other websites, but how do you manage to fulfill it where others very often fail?
Wes Tatters: Look we looked at the problem differently. Hosting, really it's running a web server, it's allowing customers to connect to it. Running PHP, allowing customers to connect multiple times. And there are many ways to achieve that. We've been building web servers for the better part of 20 years now.
Wes Tatters: The challenge is though, that to stay up with technology to remain concurrent, you have to build an agile hosting infrastructure. In reality, most of our hosting infrastructures that we see currently are quite monolithic and they're quite a lot of legacy involved in them. They're data centers that might have been built 10 years ago and they're still running.
Wes Tatters: They're still got the same [00:02:00] box in there that was running 10 years ago, and it's got the same thousand sites on it, or the same a hundred sites on it. The logistics, the challenges as a hosting company of upgrading all of those customers, ironically, tends to be prohibitive. So in a world where we live with what's called "race to the bottom", "how much cheaper can I get my hosting than your hosting", the things that go firstly are upgrading technology. You can't be just trying to get the cheapest hosting for someone and be upgrading your technology every day. So we looked at the problem differently. Our specific customers and customers that Rapyd are targeting are customers that want the highest performance and they want the highest performance when a customer is logged in.
Wes Tatters: And this is a challenge, see, in the traditional space, the way we accelerate things or the way we make things faster, is to cache everything. So we'll cache in cloud we'll use CloudFlare APO, [00:03:00] and we'll cache every page theoretically possible. We'll use Varnish or Breeze or we'll use NGINX, fast CGI page caching.
Wes Tatters: All of these things are great until you need to deliver each individual customer their own customer experience. And that's the challenge that we had to address. We come outta the Buddy Boss world. Buddy Boss is a plugin and theme for WordPress. One of the most difficult, without a doubt WordPress hosts or plugins.
Wes Tatters: So we come outta the WordPress space and we come outta the Buddy Boss space. BuddyBoss is a theme and plugin for WordPress that effectively allows a WordPress site to be turned into a social media platform. Your own effectively private version of Facebook. It has activity feeds, it has user groups, has, profile pages.
Wes Tatters: It has all those things that you would see if you're on a Facebook site. The challenge is though. That Facebook runs a couple of billion [00:04:00] dollars worth of infrastructure to ensure that all that works. In the WordPress space, no one's got that sort of money. And your $5 shared hosting from a traditional hosting isn't going to be able to achieve those loads.
Wes Tatters: Because what it's not able to do is deliver a completely fresh page with completely unique information on every page request. It's an activity feed between the last time you looked at it and the time you're looking at it now. And that might only be a couple of seconds. 10 people might have made a new post, 20 people might have made comments.
Wes Tatters: Someone might have messaged you with a live message. You might have had messages or notifications into a group or some other chat that you're following. So it becomes a very dynamic space. So we had to look at hosting, not from how you trick the world by caching at the edge, or caching in the cloud, or page caching.
Wes Tatters: We had to work out ways to go, how do we build brand new pages for every individual customer in real [00:05:00] time? And the way you achieve that is both deploying the highest, most powerful processing resources that are currently available and do it at scale. We currently partner with AWS AWS have a very unique product at the high end of their infrastructure that can scale to 192 CPU Cores can scale to half a or three quarters of a terabyte of RAM. But most importantly, it can do that with true CPU cores running at, un-clocked clock rates, which means that we can get as much performance as we can out of every one of those. CPU Core, get as much performance as we can out of all those platforms.
Wes Tatters: And by doing that, Rapyd's made a name for itself as being highly performant because it's using the latest technology and we've also made commitments to our customers as new technology comes available. And there is, there's some brand new technology from AMD, there's Zen 5 processor and rumors [00:06:00] of a new Zen 6 processor are coming very soon.
Wes Tatters: We will be looking as those become commercially viable. , to deliver that to all of our customers. Our orchestration platform and our structure allows us to do things that in the traditional space are much more difficult. We can redeploy an entire user base of customers to a new data center without the customer even knowing it's happening.
Wes Tatters: They just wake up one morning and they're on the newest server, or they're on the newest infrastructure in their region. It's because of the architecture that we built, and that's a challenge for a lot of the other hosts. The architecture isn't such that they could just redeploy. There's logistics and complexities around how they redeploy their platforms and obviously costs which can itself be prohibitive.
Maciek: Yeah, that's true. The thing that you mentioned about being agile in your case and in a lot of cases being not agile. And that's when we see those [00:07:00] websites that are running on very outdated PHP versions, because it was all connected with some long-term contract and the hosting isn't doing too much effort to upgrade because the contract is running, so why change anything if it's running?
Wes Tatters: And that's the thing.
Wes Tatters: It is a bit of the why change everything. And unless the customers are really complaining about things like performance, and look, let's be honest, if you're paying $5 for your hosting, you don't have a lot of space to complain about your performance. We're honest, our hosting's not $5.
Wes Tatters: Our hosting is priced accordingly to the sort of data centers and the sort of performance that we offer on our platforms. But performance is only one part of that. It's about getting the entire stack right. And that comes down to things like how you manage your stack, how you make sure that you're on the latest versions of Linux Kernals on the latest versions of the Linux [00:08:00] platforms.
Wes Tatters: I've seen hosts that are still running CentOS in their data centers because, hey, it's a really good, it's been a great Linux platform for many years, but it's end of life. It's no longer being updated. There's no longer any security patches for it. But it's still there. 'cause it's great and people treat that.
Wes Tatters: We run Linux 9.3 and we're about to transition to Alma 9.5 in our platform. But again, that's because our orchestration and our infrastructure allows us to actually even update a customer's linux kernel without serious look, if we're upgrade the linux kernal, we've got a reboot.
Wes Tatters: We, we accept that. We've got a reboot to do that. But the customer's downtime is the downtime of a reboot. Which, might be a couple of minutes.
Maciek: Which is nothing.
Wes Tatters: it's not days.
Wes Tatters: It's not days of you got a retooling or re-architecting. So it's very much about thinking differently about hosting
Maciek: And you mentioned that you come from the Buddy Boss platform. [00:09:00] And as I understand, this is the reason why Rapyd.Cloud started right? To solve the problem.
Wes Tatters: Buddy Boss, 15 years in the WordPress space, 35 odd thousand customers. And they all hit a point where they become successful and it's the point where they become successful - and this isn't just Buddy Boss, it's not unique. This is the same from Learned Tutor, LMS. Same for WooCommerce sites.
Wes Tatters: There's a point where they become successful, where traditional hosting can't keep up. And it's largely to do with concurrency. It's largely to do with simultaneous users. Now, of course. If you're on a WooCommerce site and you've got 50 concurrent users, you're actually pretty excited because hey, that means you've potentially got 50 people through your checkout.
Wes Tatters: That's a good day. If you are running a LearnDash site, for example and you've sold a cohort of new people to start on your a hundred dollar LearnDash course, they might all log on at the same time on Monday [00:10:00] morning to start their new cohort, and all of a sudden you've got a hundred people on your server in real time, and they could potentially be there for eight hours.
Wes Tatters: It's not like a LearnDash, it's not like a WooCommerce transaction where you want to get 'em into your site, get them through the checkout, down the funnel, and get their money and kick them out the door. These people are there for a long time. Same thing with Buddy Boss, it's a social media platform.
Wes Tatters: It's an activity feed. It's groups and forums. You don't want them leaving. You want them there all the time. You want them interacting, you want them communicating with each other. So you wind up with scenarios where you've got real time customers for many hours a day. And that concurrency is where the problems start to occur.
Wes Tatters: And success isn't a big number. It's not millions. Success for a Buddy Boss site could be 500 users. If those 500 users all happen to log on every night at 7:00 PM and we have Buddy Boss sites that [00:11:00] do, that 500 users of concurrency becomes a very big hosting problem. And the hosts don't want to know about it.
Wes Tatters: The hosts don't want to be involved in it because it's putting massive amounts of load on their CPU resources, on their memory resources, their network bandwidth, and all those other resources. So what happens is you just keep on pushing the price up and they keep, so the price of the customer keeps going up and up.
Wes Tatters: But ironically, when these sites become successful, money isn't always an issue. See, I've seen Buddy Boss sites six figure and seven figure businesses. I've seen Buddy Boss and LearnDash sites that do $150,000 worth of sales a month on one course or so, the money itself isn't the problem.
Wes Tatters: And in many cases, these customers are willing to spend money.
Wes Tatters: But what they sadly find is that they can be spending money and actually not getting any real return on [00:12:00] their investment. So we've just doubled the amount we're paying, but our site's still the same speed, and in some cases we've spent more money and it's now gone slower.
Maciek: And the truth is that this is one of the very common solutions. We can learn that we, yeah, we see our website is slowing down. We ask our host, okay, we have a problem. What should I do? And instead of trying to find the root cause. It's more about, yeah, you should just upgrade and your problems should be solved.
Wes Tatters: See the challenge is that the problem that they're trying to solve is concurrency. And the only way to solve concurrency is more CPU cores and more memory. Now there are different ways of doing that. You can do it by scaling vertically, you can do it by trying to scale horizontally.
Wes Tatters: You can do it by all sorts of different data structures, but many of them actually cause as many problems in a complicated WordPress site as just not doing anything. I've seen [00:13:00] people that have said we were spending $2,000, we've up spent $4,000 now and our sites run slower for some reason. And you're then look, because what they did was they changed the architecture to try and fix a problem, or they decided, oh, we're gonna horizontally scale, we're gonna build a cluster and what they forgot to model in that cluster was, so a Buddy Boss site does 2000 SQL page data requests per page load. And all of a sudden that cluster where we went, let's move the database over into its own server, now adds latency between the two and you've got two milliseconds latency between each one. And all of a sudden you've got a site that's two seconds slower than it was before we tried to fix it.
Wes Tatters: So you've gotta think outside the box. You've gotta think about what the problem is you're trying to solve. And that's where Rapyd came into being. We spent a lot of time, we've worked with a lot of hosts inside Buddy Boss. We know most of the hosting companies, a lot of them had a really good go at trying to work out how best to host Rapyd how best to host Buddy Boss.
Wes Tatters: We know the same thing from Lyfter, from Tutor LMS, from the [00:14:00] LearnDash teams. They all have products. Some of them even have their own hosting products. But their own hosting products also face the same challenges. When those sites get successful, when they start to scale, they start to struggle. So Rapyd had just come at it from a very different angle and say, how do we scale WordPress sites in a way that's cost effective and in a way that doesn't penalize the customer?
Wes Tatters: One of the challenges of scaling is that the traditional way you scale is you charge the customer per month for the biggest box they need for the biggest hour of day, of the month. And then for the rest of the month, this site might be doing nothing, but they're actually paying an extra, and that's where that $4,000 or $2,000 or whatever it is a month price starts to come in.
Wes Tatters: So they get boxed in. And of course, once you've done something, you hope it works. Does it always work? Things crash. Things fail. So Rapyd was built to solve a problem to solve this problem of high concurrency in complex WordPress sites. [00:15:00] And there are some crazy complex WordPress sites out there.
Wes Tatters: We've seen sites with 250 plugins installed. And even I go, seriously let's sit with your dev team and work out which of those 250 plugins you don't really need. But see, that in itself has huge implications. And part of the reason we're talking today is security for every plugin new ad, for every extra bit of line of code you add, you increase your vector vulnerabilities for malware, for every plugin that's not updated.
Wes Tatters: I've seen customers running plugins that, oh, we can't update that plugin because if we do our site crashes, all that's a problem If that plugin's got a vulnerability in it, or we can't update to work to PHP 8.0 because we've got a plugin that we had custom built by a developer five years ago, and he, we can't find him.
Wes Tatters: We don't know where he is, and he's the only person that understands the source code, but we can't update. [00:16:00] So they're sitting, running software, which is potentially vulnerable, potential exposed on a PHP version, which we know is software compromised potentially on a linex stack, which we also know is potentially vulnerable and compromised because it's got, a version of open SSL from, 1.0, which we all know as malware, vulner wise, and every hacker in the world knows is out there.
Wes Tatters: So we get all these crazy combinations of things and all of them create vectors and risks. So in addition to thinking about performance and in addition to thinking about those things, we have also had to look at how we deal with other issues like plugin loads and specifically related to security.
Wes Tatters: Probably after Buddy Boss, the traditionally, the next heaviest plugin you install on your platform is probably a malware program. Probably a
Maciek: Or a Multilanguage. Or the Multilanguage.
Wes Tatters: Oh, multi-language. We won't even go there. That's just something. No. So something that [00:17:00] no one should ever run, but obviously we understand that it's important.
Wes Tatters: But big, heavy, complicated malware products that do a good job. But they're running inside WordPress. They're running in your PHP stack. Probably the wor worst place to put a put a fence is inside in, is in, is inside the gate. And they all add load and performance. And I think customers go, oh, I can't install that, that malware plugin 'cause it makes my site run slow.
Wes Tatters: And there's a reason because of the amount of work it's doing and the amount of problems we have. So we went and we started looking at how we help customers work with that. And we started at the bottom end by saying, let's get rid of them while we're out of the WordPress work. Let's move it out.
Wes Tatters: Of the stack entirely and put it in the server. We can put it in the server where it's not running PHP firstly. So it's not running a slow interpreted programming language that's, 15 years old. It's running modern, source code running at the kernel level. So we get performance advantages and [00:18:00] we get a bunch of, advantages in terms of also protection as well.
Wes Tatters: But you've gotta think holistically from the top to the bottom.
Maciek: But what was the reason why why you invested so much in security and, rather, let's call it unorthodox way, if we compare it to others because yeah. You already started saying
Wes Tatters: Okay. Why?
Maciek: about moving
Wes Tatters: as far as we're concerned, security shouldn't be an afterthought. And sadly it is.
Maciek: Is. Or, it's just a task. It's just a task that I will do once and that's it.
Wes Tatters: apparently I've gotta install something. And someone told me I've gotta download insert name of malware plugin here. And I want the, I need the free one. 'cause I'm, I can't afford to actually buy one.
Wes Tatters: Anyway, that's a, it's a totally separate conversation, but every one of those sites I can tell you right now, will be attacked. There will be an attack on your site. There are so many bots, [00:19:00] so many worms, so many tools out there, scanning the internet hourly, looking for WordPress sites. And why wouldn't they?
Wes Tatters: 43% of the world's website base is running, what's that? 895 million websites. Even if it's half of that, it doesn't really matter. That's still a whole lot of honeypots. For malware vectors and malware attackers to get into. 'cause what are they looking for? They're just looking for your user information.
Wes Tatters: They're looking for your email addresses or they're looking for a source that they can add to their, bitcoin mining network or they're looking at a tool for, to, for an attack bot or so they're out there continually looking. So security just cannot be in 2025 an afterthought.
Wes Tatters: It can't be something you think about doing. I've built my site now, I suppose I've gotta put some security on it. It's gotta be there from the day you install WordPress. [00:20:00] 'cause see some of this malware that's out there is really good and it might have snuck in while you were developing your site.
Wes Tatters: I. And it might be sitting there for six months, quietly hiding where no one can find it. It might be buried in a database record, or it might be hashed and decoded. And these days there isn't a signature out there that knows it exists 'cause it might've been written by an AI tool. We'll talk about that later, I'm sure.
Wes Tatters: But it might have been written. So it's just sitting there dormant. And it might have arrived day one when you were doing your development, or you might have installed a plugin while you're in development that, there used to be a plugin called Ad Miner which is basically a what a tool to let developer access the Mariah DB on MySQL database while lowering the browser.
Wes Tatters: Full of vulnerabilities, full of malware issues was installed for a long time, almost by default by most developers. Oh, just install ad miner. It allowed me just update and check the database and they might [00:21:00] a forget to de-install it or it might already be attacked. While it was in, in there, was on the development server and the vector was already exposed.
Wes Tatters: They might they probably deleted it. They probably removed it, but often, in many cases, the damage has already been done. So for us, it's too late almost in our opinion, to install a a malware tool after you put your site live. So for Rapid, the malware tool, which we use Monarchs, is installed before you get WordPress even up and running.
Wes Tatters: So
Maciek: But I know that your security stack is something more than monarchs. Monarchs is for malware.
Wes Tatters: Monarch is for
Wes Tatters: malware, but
Wes Tatters: it's layers. We build layers of tools. So we start with monarchs, we start with it in our kernel. We then add a Komodo firewall inside the WordPress stack. We then then we then build an edge tool, which we place in the cloud. And once we've done all those things, we are at a start.
Wes Tatters: Then we need to add [00:22:00] Patchstack, put that on top. So it's the front layer of our WordPress stack. The reason why that is, is that even when we cover all the malware, all those vulnerabilities, there's probably no one out there, but you guys who know about the plugin that hasn't been updated yet, or the new vulnerability that's just been dropped, that hasn't been even published yet, and.
Wes Tatters: By having this extremely diverse and dense stack, we're giving everyone the best chance to ensure that they're never attacked. They're never going to wake up one morning and discover that their website is no longer theirs, or is now porting to a gambling, online gambling casino in Central Europe or is now, running and spamming out millions of emails to, on an email spam campaign.
Wes Tatters: And their email provider said, but Bill, the [00:23:00] week after, we're protecting against all those things. So it's important to be very holistic. And Patchstacks a unique part of that solution because, see, we can stop the vulnerabilities, we can stop the malware attacks. What we can't do is, what we can't handle is the plugins that haven't been updated yet.
Wes Tatters: There's lots of reasons why plugins aren't updated. One of the best well-known scenarios, I think in the last couple of years was Elementor 30% of the WordPress, build a place. Really great plugin. We use it on a lot of our sites. Probably, I'd say probably two thirds of our site choose Elementor.
Wes Tatters: Unfortunately, a vulnerability was discovered in a particular component of Elementor Pro in combination with a particular component of WooCommerce. It's a perfect storm. You had to have all of these pieces in [00:24:00] place, but if they were all in place, someone who knew about the vulnerability could take administrative control of your site in about half a minute.
Wes Tatters: It literally was all it took. In fact, you could do it. You didn't need any special hacking tools. You didn't need, you could literally do it with a couple of lines of, in the query line of your browser, and you could take control of a site. Now, it wasn't malware. It didn't have a, it didn't have a signature of oh, there's a malicious file that's been uploaded into your system.
Wes Tatters: It was a plugin that had a bug in it. Now the Elemental team addressed it really quickly. The moment it was discovered, they worked, they got the patch up, they had it available and ready to go. But unfortunately, see Elementor is an incredibly complicated [00:25:00] plugin when you add a pro and the 35,000 other plugins that people add-ons that people add to it.
Wes Tatters: People rarely. Update it without being incredibly careful. The reason why there's a statistical chance every time you update it that something on your site will break. The layout might change, the look might change. So the standard workflow for a big complicated plugin like Elemental, same for buddy boss, same for Learn dash, same for tutor.
Wes Tatters: LMS, is that you plan a time, you create a staging site, you take a copy, you perform the updates. You then do regression testing, whether it's visually yourself or with regression testing tools. You make sure that everything's working and then you repeat that on the live side a day later. Now, the problem is that a lot of [00:26:00] people for a lot of people, they were precise, the side gig, so Elementor.
Wes Tatters: Announced there was a security update plugin and everyone went, oh good, I must do that on the weekend. Of course, that's when they get to work on their side gig. Unfortunately, Friday morning, the vulnerability hit,
Maciek: Yeah,
Wes Tatters: unfortunately. It went through all of the well-known malware tools. Of course, it wasn't a malware signature.
Wes Tatters: It wasn't a vulnerability. It was just a couple of standard looking requests that magically at the end of it, let you go, upload and a new user with administrative privileges. I've got administrative privileges now. I'm not now, I'm not malware. I'm the owner. It's totally fine for me to start changing things.
Wes Tatters: So nothing in that whole workflow was gonna [00:27:00] protect those customers except for people that had patch deck in store. Even though they had not updated their plugin yet, patch Tax's Virtual patching system was blocking the vulnerability. It was preventing the external attackers that were using this vector that they discovered from taking over the site.
Wes Tatters: The customer's plugin hadn't been updated yet, but Patch Tax's virtual stack technology protected them. And that's why we build such a deep security stack. Because see, again, remember I said my customers are successful, my customers are often customers who've gone past it just being, their side gig and they're earning real money.
Wes Tatters: They can't afford A, for their data to be lost, b, for their site to be taken offline or for [00:28:00] their customers to be disadvantaged in any way. It's vitally important that we do those things for them. So again, as I said early on, Rapid's about solving problems and what we want to try and do all the time is solve problems.
Wes Tatters: Customers dunno they have yet, and solve those problems in ways that they're already dealt with. Okay, and it will happen again. I can tell you now the next attack that has a plugin that's got a vector open, Elemental is not the other one. We had the blocks attack. We've had the, we've had malware tote programs with vulnerabilities in them, you name it.
Wes Tatters: It's gonna keep happening. But for us, a deep stack means that our customers can be much more confident that they can get on with the business of doing what they do, which is running their online course or running their social for, or running their shop and not be concerned. How, oh, if I installed the latest plugin [00:29:00] update or if I installed the latest oh.
Wes Tatters: Do I need to upgrade my security plugin or do I need to do this? Or what do I need to do? We take those problems away from 'em. We take them out of their space.
Maciek: You know what I, the thing that I really like about what you said, and this is also something we at Patch Tech very often try to learn our customers. I. It's about the importance of this layered security that, let's be honest, you can't be this all in one solution
Wes Tatters: Yeah.
Maciek: because you can't sit at all the layers at the same time.
Maciek: It's even impossible from the technical point of view because you either are, as we part of the, I mean we are a plugin, we are, we sit in WordPress, but thanks to this we have access to some context that firewalls that will sit on different layers won't have. And but having [00:30:00] this full full layer coverage is it's the priority when it comes to handling security. And we also have to remember also about the things that are not directly connected with with the technological stack because very often we also have to think about this general hygiene the things that users have to take care of.
Maciek: And let's be honest, sometimes they also fail here.
Wes Tatters: It's the only area where that we are yet to address fully. And it's something that we continue looking at is how to address the, what I would call the central layer of WordPress. We still can't solve the problem 100% ourselves of a customer that has a password called 1, 2, 3 because that's another plugin potentially, or another layer of plugins.
Wes Tatters: We can't easily address things like stolen session keys. We can't easily address things like that currently. But it's something again, we're investigating as well. And probably in the future it's I'd say [00:31:00] probably, definitely in the future. It's another area that we'll be investigating.
Wes Tatters: There are some really nice tools out there in the WordPress space that attempt already to address those problems. Some quite successfully, others not. But again, I think you've got to, from a hosting perspective, look at all the ways that you can take these problems out of the customer's space.
Wes Tatters: Make it something that they don't have to think about or in our space, don't give them options. We've got customers that, Patchstacks installed automatically with our WordPress site. If they own install it, we reinstall it. If they try to disable it, we re-enable it. If there is a specific reason why a customer has an issue, and occasionally there will be, there might be a specific plugin combination that, that is being blocked by patch decks, WAF engine or its security engine.
Wes Tatters: And we might have to go in and work with them to, lower a a white lister or white list something. We'll work with them on that. But we actually prefer them not to be able to touch those things. Our support [00:32:00] team know all about it. Our support team will work with our customers anytime of day, 24 hours, a day, 20 if 365 days a year if they have an issue.
Wes Tatters: But it makes sense for us. The same with monarchs, the same with our WAF at the other end and at the cloud. They're all locked down. The customer can't control 'em. They're on if a customer has a problem and occasionally there will be they work with our support team and our support team will manage that way.
Wes Tatters: Look, this is the concept of managed WordPress. If we can control the entire stack, we know what's going on everywhere. It's when you have customers coming in and trying to fiddle the stack and then going, oh, but you said your malware was, your site has Patchstack running? Yeah. You turned it off. Oh no, we didn't.
Wes Tatters: Yeah. Here's the log See deactivated batch stack. Here's our log that said we enabled it, but that's a separate conversation. But yeah there are things like this in the security space and in other spaces in the WordPress stack as well where we have to try [00:33:00] and control the quality. And I think partly security is such a a challenging area.
Wes Tatters: No one can know it all. And there are people out there being paid lots of money in real terms daily, in foreign countries, in black companies in, yeah, some just script kitties in their basement that are spending their lives trying to work out how to break into your server. For some it's just a game. I found the hole and I snuck in and told someone about it. For others it's for malicious reasons. And for others it's for commercial reasons. And because there's money involved, that means that the attack vectors are just continuing to grow all the time. And then we had AI on top of it and good luck. I was talking with the team at Monarchs recently [00:34:00] about the number of new malware. So Monarchs is a little bit different to Patch Deck. Obviously it's a malware tool, not a virtual patching tool, but it's also not a traditional malware tool. Traditional malware tools are primarily signature scanners.
Wes Tatters: So they create. Hashed signatures of a bunch of rules, and then every file that's opened or loaded or transferred is compared against that rule set to see if there is a matching signature. And if there is, then it's then a judge to be suspicious or vulnerable. Where tools like Monarchs go past this is into the space called the RA space which is tools that don't just watch the files, don't just look for signatures.
Wes Tatters: They actually look at what's happening, so they look and go, should a WordPress file be attempting to write into that temporary folder with what suspiciously looks [00:35:00] like? Ated, PHP code. Or ob ated pearl code or ated bash script. And immediately starts flagging those as suspicious. If they're, and if you think of a they've got a, they're basically a giant global honeypot.
Wes Tatters: If they start seeing a uptick in that exact same thing, they now know about a potential vulnerability long before it's ever become a CVS note or ever become a actual vector attack or but someone's already discovered it. And so what they're seeing is it's starting to happen. And we were talking about the uptick in that five or 10 years ago.
Wes Tatters: We'd get an announcement of a new malware virus once a week, and it might be on the head, it might be on the cover of a magazine or something you read. We're being told that there's up to 20,000 new virus or malware attack vectors. Appearing every couple of [00:36:00] months. And that's gonna grow.
Wes Tatters: It's gonna be hundreds of
Maciek: And this is.
Wes Tatters: 200, and then it's gonna grow and grow. We have to keep ahead of it.
Maciek: And this is the thing that I would like to talk now, it's thing that most people use right now for creating cool images or sometimes writing some simple code. So
Wes Tatters: and sometimes not. Simple code.
Maciek: oh yeah. I know I'm just trying to build one thing with with Claude it's amazing.
Maciek: It's a it can help a lot if you know what you are doing, if you know what you are doing. On the other hand, I, right now I see two dark sides of it. There are probably more, but in terms of what we're talking, so security and let's address them separately first. There will be, there already are a lot of people who [00:37:00] will submit a plugin to the WordPress repository that was 100% AI generated, maybe apart from the header when the user added,
Wes Tatters: Maybe not a hundred percent. They might have but it doesn't matter.
Maciek: But the code itself was totally AI generated and, but the biggest problem will lie in the fact that the person who generated it doesn't have a clue what is happening in there. And do you think this will be a mass problem in the upcoming years?
Wes Tatters: look I was talking to one of the team, the plugin development team a couple of weeks ago. And he actually did a presentation at cloudfest. He was on stage. They were talking about this exact problem. And he was basically saying that the plugin assessment team, when you submit a plugin, they have a bunch of scripts and a bunch of tools and tasks that they that, that evaluate that plugin before it's approved for release.
Wes Tatters: One of the [00:38:00] comments was. So you think there's these plugins that are arriving that are AI generated and his comment was Yes. And it was, how do you know? It was like of course they got comments, really well written comments, developers knocking out plugins. Don't write really well within pro comments, but that was just a side joke.
Wes Tatters: The concern was that they had vulnerabilities in there. The concern was that this plugin, this AI generated plugin had vulnerabilities that could be exploited an attacker. And they were in the plugin at the point when they were submitted Two issues, firstly, that there was a vulnerability that could be exploited.
Wes Tatters: But the second one, as you already alluded to, there was a pretty good chance 99.99, nine 9% chance that the person who submitted the code didn't know that the vulnerability was there, which means it could be a well-meaning local developer. Worst case scenario. Local developer, someone comes to him and says, Hey, I need a [00:39:00] plugin that does this.
Wes Tatters: He knocks that plugin up for them, hands it to them. They don't have to put it through the repository because it's a plugin just for that one, one site or that group of companies. And that plugins being released, it's got a vulnerability in it, it's going to be discovered at some time. So that's a big issue.
Maciek: And this is the moment when I, when personally I see really how v patching will be important.
Wes Tatters: course, it will hugely
Maciek: very important
Wes Tatters: at the point where you discover there's a problem. But that's still the challenge. It's still discovering there's a problem. Because see, the flip side of that, and it's the second part of the AI problem, is that if AI can write a plugin that's got vulnerabilities in it. AI can find plugin vulnerabilities in much the same way.
Wes Tatters: See, the entire WordPress repository is [00:40:00] available for download,
Maciek: It is.
Wes Tatters: which means I can download the source code, even those commercially closed plugins where you've gotta buy it, the source code's all there. So I can pour that source code, the lot of it through a AI tool that's been taught to look for vulnerabilities, and then ask that same AI tool to start writing me vector a malware attacks.
Wes Tatters: And again, it doesn't need to be someone with a, a PhD in cybersecurity. It could be someone in their basement that could be churning out malware attacks just based on. All that free source code that's being given out and the discoveries of it. So this is the, I guess the global danger patch deck has got a full-time job keeping up.
Wes Tatters: Monarchs sitting underneath it. It's got a full-time job catching them. We have [00:41:00] had, I'll be honest, we're a new host. We're not, but in the 18 months that we've been running real time, effectively honeypots for want of a better word, we've probably seen between 20 and 30 zero day attacks come through our platform that at the time no one knew what they were. Monarchs were capturing them and we were getting alerts and some of them I was sit sitting in the dashboard going, hey, we've just seen one of these come through and we're pinging monarchs and going, yeah, we're looking at it. What do you reckon? Almost 10 minutes later it's been, yeah, it's gone wild.
Wes Tatters: We're blocking it down and this is happening in real time now. It's not like the, it's not five days or 10 days later. This is, okay, there's one in the wild, we gotta lock this down. We gotta shut it down now. And this respectfully to those free plugins out there is one of the sad dangers of the people that go, oh, but I've got the free plugin installed.
Wes Tatters: Most of those free plugins update there. [00:42:00] Security vulnerability indexes once a month. 30
Wes Tatters: days is
Maciek: During one month.
Wes Tatters: 30 days at 20,000 new vulnerabilities a month. That's an awful lot of holes you've potentially got in your WordPress site. So again, the importance of paid malware protection. People go, oh, it's a bit expensive, and I'm going have a look at what patch backs is potentially worth to you when you've lost your site, when you've gotta go and try and explain to your customers that your entire user list, email addresses, hopefully not credit cards but, email addresses, personal information has just all been stolen.
Wes Tatters: But even more scarily because of the nature of some of these vulnerabilities. We know, we've seen it happening that some of them don't look like they've affected your site in any way, shape or [00:43:00] form.
Wes Tatters: They've snuck in, they're now hiding. They could be sitting there for 12 months, but during that time, they can be continually copying your entire user database in real time and handing it off to sell somewhere. Capturing credit card details, capturing user information, capturing PII, capturing all that information, and you don't actually know it's there unless you are running the appropriate tools to make sure that's not the case.
Wes Tatters: So for the end user, as far as I'm concerned, hosts have gotta step up as well. We've gotta be proactive, but it's also the end user. The WordPress users installing things and plugins, they've all gotta be a part of this 'cause it's not gonna get better, it's gonna get worse. And that's not a scare tactic, sadly, right now it's just a reality of life.
Maciek: Yeah, and this kind of leads to my next question. I. How do you see the future of hosting in, let's say three [00:44:00] or five years, but looking at how everything speeds up right now, even those three years can change everything.
Wes Tatters: Look. The nature of hosting is changing. Hostings always been a very transactional part of the WordPress space. Oh, something you have to do. Oh, you have to have a host. So it's been a very transactional space. And that's, forced to race the bottom. How cheap can we get? How little can we do?
Wes Tatters: And respectfully, if you're, you are on a $5 host with 10 free plugins and a free theme it's unlikely gonna spend a hundred dollars on a paid version of Wordfence or Patch Deck. But I think it becomes imperative that the hosts start to step up and say, Hey, it's gotta be a part of what we do, at least somewhere in the layer.
Wes Tatters: And there's at least gotta be something in there. But I think a part of that, certainly for what I would call the successful customer. Means that hosting companies have to become or revert [00:45:00] back to being less transactional and more partners.
Wes Tatters: And that's a hard thing because obviously there's costs and things like that, but that raised the bottom impacted two things.
Wes Tatters: It impacted CPUs and hardware upgrades. But the second thing that got cut was support. So if you're only paying five bucks a month, you are gonna get a support line that goes, have you tried turning it on and off again to quote the IT guys? And it's
Maciek: sometimes it works. Sometimes it works.
Wes Tatters: it works except when there's malware involved and when you try turning it on and off again, that's often when the malware triggers so there's something suspicious going on.
Wes Tatters: I've rebooted the server and the malware's gone surprise, I'm here now. But I think, yeah, so I think hosting is going to have to change. How we do that? Look, it's up to each individual company. Obviously the pricing pressures and all those things are a challenge, but the evolution of AI obviously is impacting everything [00:46:00] we do in the hosting space.
Wes Tatters: I can pretty much tell you that every host in the next five years has to deploy an AI site builder. Yay. Because people wanna build a website in five minutes, not five months. But the same garbage in, garbage out concern is there that AI site builders statistically building code based on its scraping of the entire internet of what you've taught it through.
Wes Tatters: Its LLM as we've already suggested. There's plugins out there with vulnerabilities because of the exact same problem. There's no guarantee in the real world that those, large language model build a website and one clicks don't have vulnerabilities either. So it's always gonna be a continual game of cat and mouse.
Wes Tatters: The attackers are gonna get faster, they're gonna get more visible. The attackers are gonna get more intelligent. They're gonna become more and more of them because, hey, if I can ask one of the, one of the, one of, one of the common, things that we know about pretty much all standard, from your nortons on your [00:47:00] PC or your, or, or Mel care or whatever on your computer, or the standard way we do things is by signatures.
Wes Tatters: And a signature is a hashed value. And if we then take that hash value and apply that to a block of code, we can come up with a match. But that hashed value is based on, in most cases, the shape of the script. It's based on what it looks like. Or something specific in that script that's easily recognizable.
Wes Tatters: Unfortunately, one of the superpowers of AI is, see, I can write a plugin, one, one page, PHP plugin and then hand it to cursor or one of the other really good AI tools and say, can you clean that up for me? And it'll rewrite
Maciek: the shape changes.
Wes Tatters: and the shape changes. I can go, can you stylize that in a [00:48:00] different format or can you change all the function names Or can you use, can you modify it so it does the same thing but doesn't work the same way?
Wes Tatters: And there's scripting and there's AI out there now that will do that. Once you've done that to a chunk of malware, it now looks different. So its signature potentially is now different. Now if you've got a script kitty in his basement doing that every day and then deploying one of those every day or a thousand of them every day our ski signature libraries are gonna go from that to that.
Wes Tatters: We're gonna be buckets and buckets and of course if you've gotta scan that many signatures, what's it gonna give Hosting
Wes Tatters: performance? As I said, heavy plugs like word fence. It's great tool for people. It's one of them else. All in one security. All good plugins, but they're all known for like performance problems 'cause they're doing what they need to [00:49:00] do, but they're doing it.
Wes Tatters: And as the complexity gets there, as the number of signatures, as the amount of malware, as the amount of attack vectors, IP databases that are, we used to have an IP database, so known attack vectors. And then IPV six came out and malware started hiding in IPV six only servers where there are quintillions of potential IP addresses.
Wes Tatters: Again, we used to have an attack vector IP address library, 10,000 records. It can now be 10 trillion records. And again, we've gotta scan it somehow, or we've gotta process it somehow, or we've gotta use techniques to how do we match the data and match all those things. So the complexity is going to become worse and worse over time.
Maciek: So when you talk about the future, you went into those [00:50:00] dark and pessimistic notes,
Wes Tatters: I'm honest.
Maciek: Yeah. But what will get better? Maybe you can think of something that
Wes Tatters: I can think of lots
Wes Tatters: of good things. The servers are gonna get faster, the memory's gonna get cheaper, the storage is gonna get cheaper, and then the process are gonna get faster again. And the servers are gonna get faster and the ram's gonna get faster. So everything's gonna get better. But at the same time, we've gotta be aware and self-aware.
Wes Tatters: Will hosting change forever at some stage? Yeah. People are still gonna wanna put us, put their own information up somewhere on something. We currently have the grand total of three primary well-known web servers. We've been doing it for 30, 20. When did Tim? 80, 90, early nineties was the first web server, ater, I think.
Wes Tatters: So what's that? 30 years. And we really only have three different web server types out there, Apache. [00:51:00] Engine X and Lightspeed,
Maciek: Yeah.
Wes Tatters: nothing's really evolved past that because why? But three, the three of them, they do the job we need. will that change? Maybe? I'm not convinced that it will change that rapidly, and one of the reasons it will change slowly is because, see again, we got all these data centers with 187 million websites on them that aren't gonna be updated anytime soon.
Wes Tatters: 'cause it's too complex or too costly or too complicated, or there's no real will or desire. There's still servers out there running versions of Apaches from, 2000 probably
Maciek: Yeah. The famous, if it ain't broke, don't touch it.
Wes Tatters: Yeah. Unfortunately, in the malware world and in the security world, something that we didn't know was ever broken.
Wes Tatters: Can become broken. And that's the challenge.
Wes Tatters: There are, they're a part of the Linx stack, really [00:52:00] well known parts of the Linx stack that have been there forever. And all of a sudden, not that long ago, we discovered that one of them had a massive hole in it. the open SSL Vector,
Maciek: Yeah.
Wes Tatters: Massive hole.
Maciek: So many people looking at this.
Wes Tatters: Yeah. Yeah. Massive hole that you could drive a truck through once you do what it was and how to trick the server into doing it. Even worse than that, every CPU core pretty much in existence today of recently, modern generations has a massive vulnerability in them. It was built into the CPU Corps.
Wes Tatters: It's in the microcode of the CPU cause. It is a version of it for Intel. There's a version of it for a MD.
Wes Tatters: They can't even fix it. All they can do is put patches there in the software to stop it being attacked anymore and in most [00:53:00] cases at the expense of performance.
Wes Tatters: New versions of CPU calls that are being released, they tell us won't have it. I'm sure they won't have that, but I'm sure some little script kitty with a bunch of AI scanning data at some stage in the future go, oh look Intel Xenon series seven has a insert name of leak here.
Wes Tatters: We talk about quantum computing, it's the big buzz word at the moment. Quantum computing, they tell us that it'll be able to decode a. A 248 bit RSA hashed security key faster than you can type it. So we'll have to find a way around that. But,
Maciek: True,
Wes Tatters: thankfully at the moment, not everyone's got a quantum computer in their basement.
Wes Tatters: And the moment they're, things of the future, but, I can't see anyone running a quantum web server anytime soon. There's really, probably not that need for their shopping [00:54:00] list or their blog of their favorite, cat videos. But time will tell.
Maciek: but Who knows?
Wes Tatters: Yeah, exactly.
Maciek: And let's, we already went a bit on the dark on the dark side, but let's end with, could you share your scariest hosting horror story that
Wes Tatters: I'd prefer not to.
Wes Tatters: Most of the horror stories aren't mine, thankfully. Touch wood. Probably the, probably there are two that are incredibly scary. One comes out of a very well known European hosting company who managed to build their server on the top floor and the backup data center on the bottom floor.
Wes Tatters: The server caught fire and burnt down to the bottom floor and destroyed all the backups as well. That's what you call a disaster story. So it's probably a horror story. And the other is pre, it's a pre lining, so it's actually a Microsoft platform that got hit by a worm. [00:55:00] One of those, ransomware type things.
Wes Tatters: Same thing happened. Ransomware got in shut down before they caught it. Something like two and a half thousand websites were completely ransomware locked. Back in the day, back in that day, backups were even back then, backups were something that the customers expected to do. Thankfully these days most of us do backups for our customers, but back then, if you wanted a backup, you had to do it yourself.
Wes Tatters: And lots of those thousands of customers had no backups, had no nothing and were literally down to rebuilding their site. 'cause no one was paying the ransomware fee to get the site back. And look, they're things that happen. But again, in 2025 best practices, obviously, I. Things that we do at Rapid Things that other hosting companies do mitigate those problems.
Wes Tatters: And that's about the same thing that we've been discussing this whole time, dealing with problems before they become problems for the customer. So how do you solve the burning a [00:56:00] building down? You put your backups in a separate building or you put your backups in a separate country in some cases, or at least in a separate data center, in a separate region rapid.
Wes Tatters: And then at Rapid, for example, we multiply back up, our, our customers back up their WordPress files and folders, that's great. But we also back up the entire Linex container independently, and we back up the infrastructure independently and it's all backed up. And because we can, these days, it's all cloud.
Wes Tatters: We can put things and store things in many locations. So touch wood, a data center burning sand down would inconvenience us. Like it would inconvenience any host, but it wouldn't take us offline. It might take a little bit of time to recover, but it wouldn't. The same thing with ransomware and malware.
Wes Tatters: Those sort of attacks. If you have appropriate attack vectors and you have appropriate backup solutions, you have appropriate storage solutions, then those things don't impact you. The same thing with security. If you address [00:57:00] them head on, then they aren't horror stories. We know that some of our customers have been attacked.
Wes Tatters: Why? Because monarchs goes off, or patch check goes off. We get real time warnings in most cases. We put patch tax real time assessment team into it. They generate a certificate 15 minutes later that says, fixed it, killed it, removed it. Everything's clean. Here's a certificate, which we send to the customer who wakes up 12 hours later and goes, oh, was that something I did?
Wes Tatters: Patch deck is doing the same thing in real time. It's going, there's a problem with a malware. There's a problem with this plugin. Don't worry. We've got it covered.
Wes Tatters: And again, communicating to the customer that there is a vulnerability and they should really update that plugin as soon as possible.
Wes Tatters: But it's getting the positives out of those negatives. Find a solution, address a problem, and deal with it before the customer's worried about it. 'cause again, the [00:58:00] bottom line is those customers aren't interested in running a data center. They're not interested in SecOps, they're not iterating in opsec, they're not interested in any of those things.
Wes Tatters: They're running a blog, they're running a shopping cart, they're running a social community, they're running a online learning course. That's their business. If they were on the high street selling, shoes in a shop,
Wes Tatters: they wouldn't build the shop. They'd rent it. They probably wouldn't even fit it out. They'd get a shop fitter in they probably wouldn't build, they would probably wouldn't sleep in the shop every day to make sure that it was secure. They'd probably put an alarm system on the door and they'd probably pay a security guard to walk by and rattle a rattle.
Wes Tatters: The locks. They're all the things that we do in the real world. But for some reason when we get into the WordPress hosting space or into the WordPress website space, we forget about 'em. So if we can take those [00:59:00] problems away and make the customer not have to worry about it we'll rattle the doors.
Wes Tatters: We'll ensure that the fire alarms and the security alarms and the door locks are all there. And we'll do our damnest to help them keep the problems at bay, same as
Maciek: Without the need of sleeping in your data center.
Wes Tatters: We've got people on 24 hours a day all around the world. Operators are standing by. Isn't that what they say?
Maciek: Exactly. Exactly. Yeah, I think we really touch on a lot of things. I'm I'm really happy that you shared so many things on how Rapid does so many things differently because it's I would use the word refreshing. It's really refreshing because it's nice to see that that they're hosting companies out there with this different approach, this agile approach open to whatever is changing outside, to keep up with it instead of, yeah, it's working.
Maciek: We let's better not touch it because it may break
Wes Tatters: [01:00:00] because we're new to a certain extent we were allowed to build a philosophy of being agile.
Maciek: True.
Wes Tatters: We haven't come out of a 10 year or 15 year journey where we've become locked into structures and locked into policies. But we've also started in a world where Agile is now the buzzword.
Wes Tatters: Where agile developers, where agile hosts, we are agile communities. So that you, for us, it's a good thing. I guess it extends us in well for the future. 'cause we will always remain agile. We'll always put the customer first and we'll always address the problems, hopefully every time before the customer knows that they're a problem.
Wes Tatters: That's our goal really is, there's a problem, we'll find it, we'll find a solution to it, and we'll just update the servers so that they, it fixes the problem for them.
Maciek: I also really like this general approach that you don't describe yourself as a [01:01:00] hosting company. You are more of a. Problem solver
Wes Tatters: We're problem solve. We're a hosting partner. Yes, we are a
Wes Tatters: managed, we are a, to use the technical term this week, we are a managed hosting provider for WordPress. That's our current
Maciek: Yes,
Wes Tatters: position to use the current terms. But we take managed hosting very seriously. And by that we're a partner. Even our support teams.
Wes Tatters: We empower, we, if you look at our support teams, they're a little bit different to a traditional support team. Most of them have a developer background. Most of them have a cs o or a. DevOps type background or have desires to be in that space, but I could pretty much guarantee that in every one of our developers or every one of our support team pretty much knows how to write a WordPress plan, and [01:02:00] more importantly, knows how to help you fix one.
Wes Tatters: And we empower our WordPress, our support teams, and our DevOps teams and our systems teams to help customers solve their problems. We aren't in the boat of saying, oh, yes, you've got a problem, you should go talk to your developer. Sure, there are points where we still may have to say the plugin that you've got installed is causing some serious issues.
Wes Tatters: But we try to do that in such a way that we at least can go look. This plugin that you've got here has some problems. These are the issues, these are the things that you need to talk to about with your developer. And if it's a well known plugin we've got back channels, 15 years in the industry, which means we know and have contacts.
Wes Tatters: So we'll often go into back channels and talk with plugin developers and say, Hey, you guys come across this before. And in some cases they go, never heard of it. And we'll go, I wonder why. Because it's a real issue. And they'll, and in most cases, they'll fix the problem and and themselves put out a patch.
Wes Tatters: In a lot [01:03:00] of cases, they'll provide us a soft patch for our customers and we'll get the customer up and running. So we wanna be proactive in all the levels. It's support, whether it's security, whether it's hosting, whether it's DevOps, SecOps even customer success and other areas that we wanna be involved in over time.
Maciek: So we really touched on a lot of things and I think it's really time to, I think it's really time to wrap it up.
Wes Tatters: Sounds good.
Maciek: So I. Wes, thank you so much for for sharing all of your knowledge here.
Wes Tatters: been
Maciek: It's really a lot. Personally, I also learned a lot, and it was a really cool webinar from my perspective because I didn't have to do a lot of talking. I just had to be here and listen to because you, you really had a, you have a lot of knowledge and you really know how to share it.
Maciek: So yeah, I was just here sitting, smiling.
Wes Tatters: And look, at the end of the day, [01:04:00] a part of what we do at Rapid is about community. We come out of the community space, we come out of this place where community is important for us, the WordPress community is important. The Buddy Boss community is important. The various plugin in CSOPs communities that we're involved in are important, and for us being in community means being a part of it.
Wes Tatters: Being willing to share, being willing to talk, being willing to have conversations, and being willing to help people.
Maciek: And you are doing it really well, I can tell you. So with this finally positive accent, really, because it's nice because we already touched on so many negative things today and while we are on this positive side, I think it's time to just raise our hands, wave and say goodbye and thank you all.
Wes Tatters: Thanks a lot, mate. It's been a
Maciek: So thanks was bye.
