So my breakout track is the last one for the day, so I'm standing in your way of going home, so I'll try to make it snappy so that you can catch the last train back. I'll talk about tips and tricks regarding your WordPress installation.

A little bit about myself. I'm from Tech in Asia as well; I'm a software developer there. Besides that, I'm a WordPress plugin developer. I've created about 22 plugins since 2003, so some of you may be using my plugins without really knowing it: PageNavi, PostRatings, PostViews, DBManager, etc. I just joined Tech in Asia on the 1st of September, about 3 months ago.

WordPress is popular: it powers about 22% of the web. Tech in Asia is using WordPress. Some of you locals might know Mothership; SGT is also using WordPress, and I think Vulcan Post is using WordPress too. The Wall Street Journal is using WordPress as well. Some tech sites include Mashable and TechCrunch. Because WordPress is popular, it has been the target of attacks around the world. Regardless of whether it's a small or a big site, they just target any random WordPress site. Personally, on my own site, and on Tech in Asia's site as well, there definitely have been attacks.

So here are some hack attempts. It's a bit technical. Basically, what this three-line piece of code does: first, WordPress doesn't store your password in clear text. It's encrypted, and the key is different from site to site, so there's no way a hacker will know your password even though he has access to your server. The only way the hacker knows your password is to sniff it when you log in. So what this three-line code does is, whenever you enter your username and password, it logs them into a file called .htaccess in the plugins folder, and if he has access to the server, he can basically read that file. So it's pretty smart. And this, by the way, is one of the attacks.

The other one is, once they have access to your server, they probably will upload a rootkit onto your server. I'm not too sure whether it's small, but okay, basically they upload a rootkit to the uploads folder of your WordPress, which I will cover later in detail. The uploads folder in WordPress contains all the images and static files that you uploaded, so by putting a rootkit there, it makes it less suspicious to any normal user at all.

Of course, the first thing of Security 101 is to always keep your WordPress up to date. The latest WordPress is 4.0.1, released on the 20th of November. It fixes some cross-site scripting issues, so I urge everyone to upgrade if you haven't already done so.

Passwords. Of course, besides WordPress, for any online accounts you have in general, just use a complex password. Technically I recommend passwords of about 16 characters. But my personal thing is: as long as you can't remember a password, it's basically a good password. If you can remember a password, it's never a good password, because if you can remember it, it means at that time I know it as well. So for me, I'm using 1Password and tools like that to store my passwords: generated passwords, 20 characters, alphanumeric. And I think for Chinese, basically if you type some Mandarin characters inside, on sites that support UTF-8 you can type Chinese inside, so I think the hacker must be Chinese in order to get your account. I've never tried whether it works, but I think it might work.

Of course, besides a complex password, a very important thing is to use second-factor authentication. I recommend everybody to use it because it's free. There are two plugins on WordPress: Google Authenticator as well as a two-factor authentication one. Once you install the plugin, you can go to the Apple App Store or Google Play, download the mobile app, and it will generate a time-based token that you use together with your login: username, password, and you put the code here to log in. It's free, so go ahead and use it. In the case of my first hack attempt, if the attacker gets your username and password, without the token they still can't log in to your account. So it's pretty good.

This one is a bit more technical. I recommend protecting your whole WordPress admin with HTTP auth. Basically, before it even shows the login form, it shows an HTTP authentication prompt from your browser to key in a username and password. If the site is used by a lot of editors or others, you can all have a shared username and password. So that access is the first layer; when the password is correct, it loads the login form for the second layer of authentication; then if you have 2FA as well, that is your third layer, so it's pretty well secured. But of course you need to weigh security against convenience. At Tech in Asia we don't use this, as it would be inconvenient for some of the editors as well.

Of course, SSL certs are cheap these days, so I really recommend using an SSL cert, at like US$20. Black Friday just passed; I just got an SSL cert for like 98 cents for one year, so you can keep a lookout next Black Friday to get a cert.
Basically, SSL encrypts information between your browser and your WordPress. Once that is done, you basically have to define these two variables in your config and the whole admin panel will be on SSL; it's that easy, as you can see.

This one is also slightly more technical: files and folders. In general, files and folders should only be readable and writable by the owner, which is normally the Apache process. You can do this with chmod, which changes permissions, setting all files to 644 and folders to 755. You can run these two commands in your Linux console, for those who are technically savvy, and it will work.

As I mentioned in one of my first few slides, WordPress uploads. Because the WordPress uploads folder stores everything that you upload, you can even upload a PHP script as well, and because of that it's a very common vector of attacks. Not many people monitor the files there, so it's really very hard to notice, and normally when users encounter problems uploading to this folder they will just chmod it to 777, which means everybody can upload to it. Because of that, a hacker that has access to your server will always put a rootkit there, so that you will never, never notice it. So basically my rule of thumb is that this folder should only serve static assets and not execute any scripts. From this link here you can copy the code and paste it into the .htaccess in that folder, so when a user tries to upload a CGI file or even a PHP file, it basically just shows the source code, so it will not be executed. I really recommend everybody to do this; it's pretty important.

Security also comes with monitoring for changed files. I monitor my changed files on a daily basis. Personally I'm using a cron job which basically does a find in the folder name with -mtime -1, which means any file that has been modified within the last 24 hours; it will basically send me a copy, and you'll see which files have been modified. If you did not modify any of these files, you'll probably say, I'm going to take a look at that file, or do some auditing on your servers to see how they got in in the first place.

This is what we basically use at Tech in Asia as well as on my website: we have two main folders, which are basically core and content. Core is basically a checkout of the WordPress GitHub repo, so whenever there's a new version of WordPress, you can click the update button, or for us, we just go to that folder and do a git fetch --tags and git checkout 4.0.1; that will update us to the latest version of WordPress, whichever that is. The next folder is basically content: our active themes and plugins, the themes and plugins that we use. If you go back to your parent directory and do a git status or even a git diff, you'll probably know which files have been changed. It's something like the -mtime -1 as well, but it's going to be more specific; it's going to tell you the file content changes as well.

Backup. Okay, yes, backup. Back up the database regularly; that's 101 as well. At Tech in Asia we back up every 2 hours, because we have on average about 20 posts a day, so if we need to restore to something, 2 hours will be a good timing. If not, if you blog like at least once or twice a day, I think basically once a day is fine to back up. I have a plugin, DBManager, which allows you to back up the database automatically. Once you back up, it will basically mail you a copy of the database in gzip format, so you can keep it in Gmail, have a filter and store it in a folder, so for every day's backup you basically know where and when it's stored. You'll also notice if your database size increases; it means the hacker might have access to your database and dumped something into your database as well.

The uploads folder is basically all your images and stuff; it's good to back up as well, because it'll be weird if you back up the database and when you want to restore your site on another server you don't have the images to restore as well. But backing up the uploads folder is a very intensive task. There's a utility called s3cmd which basically syncs; you can sync any folder to an S3 bucket, so you can sync it at like 4am, a time when your server is at its lowest peak, so that it will not interrupt any requests going to your server.

Now I will talk about two commercial plugins. VaultPress is by Automattic, the guys behind WordPress.com. It's a paid service, and there are many plans available. The basic plan just backs up your database and your files to their server, and they also do automatic restore if anything happens. They also scan your files for MD5 hashes to see... you know, if you are a bit technical, basically whatever I did covers this, so for the non-technical guys you can basically pay for the service from VaultPress. The other one is Wordfence, which is pretty popular because there's a free and a paid version. The paid version is about $39 a year. This is not complete, but okay, it has some very nice features: they do site repair as well, similar to what VaultPress does; they also scan your files for changes; and one thing I like is the geo-IP blocking. Basically they only allow certain countries to log in. Let's say you know that all your editors are in Singapore and they don't work overseas, so you can restrict logins to Singapore IP addresses. This should help; we've seen quite a lot of attacks on our server as well.

Okay, I've come to the end. It's about 11 minutes, so it's a fast one, because before, actually, it was supposed to be a drill for a group. So this is the summary. Basically I covered SSL protection, I mean HTTPS, file permissions, the uploads folder, which is the most important actually; try to go for the 2FA and the uploads folder if you only have one takeaway from this session; yeah, and monitor your site.
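As an added example (not the speaker's script and not the snippet linked from the slides), here is one POSIX shell script that covers three of the tips above in working form: the 644/755 chmod commands, the .htaccess that stops the uploads folder from executing scripts, and the daily find -mtime -1 report, extended with the git status check the speaker describes for a git-managed core/content layout. It assumes the WordPress tree is passed as the first argument, that the web server is Apache 2.4 (my rule set returns 403 for script extensions rather than showing the source as the speaker's snippet does), and that the cron line and mail address in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not the speaker's script. Assumes a WordPress tree at $1
# containing wp-content/uploads and Apache 2.4 .htaccess syntax.
set -eu

# --- 1. permissions: 644 for files, 755 for directories ------------------
# Owner (the Apache/PHP user the speaker mentions) can write; everyone else
# can only read, so a compromised neighbouring account cannot edit the code.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Prints anything that deviates from 644/755; returns 1 if there is any.
check_permissions() {
    bad=$(find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# --- 2. uploads folder serves static assets only -------------------------
# Assumed rule set (Apache 2.4): a request for a script-like extension under
# wp-content/uploads gets 403, so a file dropped there is never interpreted.
write_uploads_htaccess() {
    uploads=$1/wp-content/uploads
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[3-7]|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
}

# --- 3. daily change report (the -mtime -1 cron job) ----------------------
# recently_modified ROOT DAYS [EXCLUDE_REGEX]: files changed in the last
# DAYS*24h, minus paths that legitimately churn (cache, uploads).
recently_modified() {
    find "$1" -type f -mtime -"$2" | grep -Ev "${3:-^\$}" || true
}

# Same question asked of git when core/content are git checkouts:
# modified tracked files and untracked files both show up here.
git_changes() {
    [ -d "$1/.git" ] || return 0
    git -C "$1" status --porcelain
}

# Exit status 1 when something changed, so a cron wrapper can mail the output.
# Placeholder crontab line (assumed mail setup, not from the talk):
#   0 6 * * * /usr/local/bin/wp-audit.sh /var/www/wp | mail -s 'wp changes' you@example.com
daily_report() {
    found=$(recently_modified "$1" 1 '/wp-content/(cache|uploads)/')
    changes=$(git_changes "$1")
    if [ -z "$found" ] && [ -z "$changes" ]; then
        echo "no changes under $1 in the last 24h"
        return 0
    fi
    printf 'Files modified in the last 24h:\n%s\n' "$found"
    [ -z "$changes" ] || printf 'git status:\n%s\n' "$changes"
    return 1
}

# One-off hardening pass: fix permissions, lock down uploads, then verify.
harden_wp_tree() {
    fix_permissions "$1"
    write_uploads_htaccess "$1"
    check_permissions "$1"
}
```

Run harden_wp_tree once against the install root, then schedule daily_report from cron. The exclude pattern keeps normal image uploads out of the report so that a modified wp-login.php or a new file under wp-content/plugins stands out; anything listed there that you did not change yourself is the cue the speaker describes to go and audit the server. The 644/755 scheme relies on the files being owned by the user the web server runs as, as the speaker assumes; if the owner is a different account, WordPress will lose the ability to update itself.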
I will share these slides with the organisers and they will upload them somewhere, because I did the same talk at the Singapore WordPress user group as well, so this is a rehash, an updated version. Here are some references for starters. Actually, you can take a look at wordpress.tv slash text; you can watch what security things the plugin team developers do as well. The first thing is quite important as well, how they... So any questions, you can basically tweet me or Facebook me, or you can just... let's just try; this is before 11, so yeah, any questions?

How many of you actually are using WordPress? Actually 1, 2, 3, 4, quite a lot of people. Are you all technical or non-technical? Technical? Yeah, cool, then this is it for you; you can just copy and paste whatever's on the slides and it's proven to work. Yeah, no problem. You also can catch the last train. Thank you. No problem, thanks guys; any questions, you can just tweet me.

All of the breakout track material will be up on YouTube, courtesy of Michael Cheng, who started engineer.sg; he will upload all the videos for today. Thank you, thank you, have a good night.