Thank you. That's quite the introduction. I tell you what, you guys have the amazing emcee here, so I don't have to introduce myself. He already took care of that.

So, website security. You know, security, scary, right? You don't, you don't really know what to make of it at first. You, you understand that you're gonna have to deal with it. You start trying to figure it out. You realize some things, like, you know, strong passwords are important. Well, I can handle that. I think I got it figured out, you know. And, and you start to go down that road just a little bit, just starting to dip your toes in, and then you start to hear about things like cross-site scripting attacks and SQL injection, and it just freaks you out. You have no clue what to do. You try to wrap your head around it, and then you feel like, I can't, I can't, I can't figure it out. It's terrifying, right?

But it doesn't have to be. It doesn't have to be terrifying. This is actually a family pet. This is Aragon, our, our bearded dragon. Just like those lizards, not nearly as scary as that cat may have thought. And this has been my son's pet for about eight, maybe nine years now, and she's actually extremely easy to handle. But to be fair, I didn't get to know her as an 18 inch long lizard. She started as maybe, you know, six or seven centimeters, and that's, that's where I kind of want to start everybody here on security today, is try to start at the beginning and slowly move in.

We're not gonna dig into the, all the scary things that, that I was talking about. If I wanted to just sit and list every possible, you know, type of attack, then I would spend my whole 20 minutes just doing that. We wouldn't even have time to talk about what they are, what they mean, or how to prevent them. So instead I'm gonna try to get your mind around how to think for security, and I'm gonna try to give you some simple things that you can do to increase your security.

We want to drastically improve our security. Now, being completely secure, perfectly secure, with something
that's attached to the internet, probably a bit of a misnomer, but with just a little bit of effort on your part, and by taking the time to both make some smart decisions as well as realizing where those smart decisions need to happen, we can do that. We can drastically improve your security.

Now, when I talk about securing your website, what's kind of the first thing that you guys think about? Go ahead, somebody yell stuff out. What's something that you think about needing to do to secure your website? Yeah. Everybody thinks passwords, right? That's, that's one of the biggest things that everybody knows right off the bat, but securing your website doesn't start there. As a matter of fact, I'd like to try to picture it like trying to secure your home. Passwords are like the locks on the door, and that's great. That's important, obviously, for securing your home. Having said that, before you run out and buy the latest and greatest in deadbolts, if you really want to have a secure home, you might start by picking a secure neighborhood, one that's well lit, one that has, you know, good response times from the authorities, things that deter crime. Maybe it's a gated community, I don't know. But starting at the beginning is important, and with your website, that's choosing a host.

Now, how many of you thought about security when you chose your host? That's not nearly enough of you. That's important. Now, I'm not gonna stand up here and go through any list of hosts and talk about which ones I think are secure and which ones aren't, but the, the fantastic thing is you're at an event where there's a whole bunch of web hosts here, and you can go and talk to them. Ask them very specifically: what do you do to help make my site more secure? Some of them have things like, you know, DDoS
detection and mitigation, but a lot of things that you don't want to have to think about or do yourself for security, your host does for you: keeping all of the underlying architecture, all the software, patched and up-to-date. All the stuff that you don't want to worry about, everything from the operating system to the web server to the database to PHP, all that needs to be up to date, and you, if you're, either you have to do it yourself, or you need to pick a good host that's gonna do it for you. And so this is one of those places where I like to encourage people to take the time to stop and think about security as all of what you do, rather than just one tiny part of, of your sort of online presence.

The next thing I want to talk about is choosing quality software. And obviously, I'm a little biased, but I think that a lot of you here have already made a great first step in choosing WordPress. We worked really hard to keep that secure for everybody, and everybody here probably knows that that extends past WordPress to your plugins, your themes, and those kinds of things. Are you, are you picking plugins and themes that are developed by a security conscious developer?

But I'd like to tell you a quick story about a friend of mine to show you that this goes a lot further. I have a friend that has several websites, and quite a while back every one of his websites got hacked, which sucks. You never want, you never want that to happen. But he got them all cleaned up, or so we thought, and he moved forward, and like two days later they were hacked again. And so of course he calls me, and trying to be a good friend, I get on and clean them all up for him. I'm very thorough. I'm very careful. And by the way, that's a, that's a horrible task, cleaning up a site after it's hacked. Much better to prevent it. But then I try to dig in and see if I can figure out where the attack came from, and it's not very obvious. I'm kind of time-limited, helping my friend out here.
So we didn't particularly find the issue. And so of course two days later he's hacked again. This time I went and sat at his computer at his house and found the problem right away. Turns out that he was using, shall we call it, questionably free software for doing his image editing and video editing, and that amazing software that he was using, that he downloaded off of some who knows where site, had malicious code in it that monitored all FTP traffic on his computer and even linked into really commonly used FTP programs and that kind of stuff, and was just simply taking his username, password, host, and his IP, sending it off to somebody else, who was then spoofing his IP and using his actual username and password to log in, first try, every time, and have full access to all of his sites.

So security is not just about your password on your website. Security is about everything that you do, that you're going to be using to interact with your website, the computers that you use to log on, all that kind of stuff. And so taking the time to think through the fact that all of these choices, all along the way, can potentially affect the security of your website. You can get hacked because you used image software that you didn't pay for. It's something to try to wrap your head around, to realize just how often through the process you should be thinking about security.

And now we can move on to some of the stuff that, that everybody does think about: passwords, right? Passwords. We should all have good passwords. We all know we need good passwords. Everybody, everybody here came into this talk knowing that you should have a good password. Maybe even a great password. But what makes a great password? Well, it needs to be long, and it needs to be random, and it needs to be unique. Long, random, and unique, and by unique I mean not used in more than one place. Different password everywhere that you need a password. So how's that possible?
How can you possibly have passwords that are long and random, making them hard or impossible to remember, and unique? Well, you need a password manager. Who here is using a password manager? Hey, that's actually better than I thought. Anybody that's not, talk to somebody that had their hand up just now and figure out what one they use. I use LastPass, but there are lots of good ones out there. A lot of people use 1Password. I worry far less about which password manager you use and far more about using one. This is one of those places where you have to put in a little effort. It's gonna take a little bit for you to get your password manager set up. It's gonna take a little bit for you to get used to using it. The great thing is, in the long run, honestly, it's not going to drastically affect your workflow, and it's probably going to make things easier rather than harder. But it's going to improve your security so much. So much.

So how can we take passwords, something that everybody here knew was important, to the next level? Who here uses two-factor authentication? Yeah. Who uses it everywhere that it's offered? Yeah, very few people. I definitely do. I'm a huge fan of two-factor authentication. Passwords, even strong ones, unfortunately have a few weaknesses, the, the biggest one being that they don't get changed very often. Even somebody that's extremely security conscious may change their password every, what, few months, three to six months. Who has changed all their passwords within a year, like, has no passwords that are older than a year? Yeah, see. And so let's imagine that your password is fantastic. Nobody's gonna crack it. Nobody's gonna guess it. It's gonna take years to, to figure out through brute force. But what about that coffee house Wi-Fi that you use to log in? Is that just as secure as your password, or did somebody snag your password off of it?
And that's where something like two-factor authentication can really take passwords to the next level. When we talk about multi-factor authentication, there are three basic ways that you can confirm that you are who you're claiming to be: something that you know, such as a password; something that you have, like your phone or one of those dongles that your bank might give you; and something that you are, like a fingerprint or an iris scan. And multi-factor, or two-factor in this case, authentication is making sure that you have something from at least two of those categories. Most of the stuff that you see online is something that you know, your password, and something that you have, your phone running some sort of authentication app.

It's real easy to add two-factor authentication to WordPress. There are plugins out there that do it. And it's, there are several apps for your smartphone, which pretty much, who, who has a smartphone in their pocket right now? Yeah, see that? Why were there so many hands for that but not for the two-factor authentication just a little bit ago? It's so easy. You have the tool right there, but it does take a little bit of added effort. The amount of security return that you get for that little added effort, though, is definitely worth it. Now, this is one that, again, it'll take you a little bit to get used to the workflow, but unlike the password manager, it'll always add a little bit of time to your workflow. It'll take you an extra five or ten seconds to log in. It's definitely worth it, and, and unfortunately, if you want to be secure, you're gonna have to put in some effort. It's just the way it is.

Now this is a, this is a quote from Gerald Baron, a guy that I, that I work with. He said, "It's not if you get attacked, but rather how you prevent it from being successful." A lot of times when I do these kinds of talks I get asked why, why is it so important?
You know, my site doesn't process credit cards or, you know, isn't something that people might target for any reason. But there are two basic types of attacks on the internet. There are the focused attacks, that people are specifically targeting a site, often politically motivated or monetarily motivated, you know, trying to take, you know, credit cards or steal identities or whatever. But the far more common, far more prevalent attack is just these scripted attacks, where somebody has actually written a program that goes through looking for sites with weak passwords, poorly configured servers, out of date software with known vulnerabilities. And those kinds of attacks are completely indiscriminate. They simply go through Google, not, not looking for any particular key phrase other than maybe, you know, a WordPress page that they think might be susceptible, and they simply try every one. You will be attacked, if you haven't already.

So make it hard on them. That's, let's not make it easy for these guys, right? And if you take the time to make the, make these few smart decisions that I was talking about and put in that little bit of added effort, you will be making it drastically harder on these guys. Start by choosing a good host, right? Those of you that said you didn't consider security when you chose your host, time to talk to your host, or at least go talk to some of these hosts that are here. And you're going to choose good software, and not just WordPress. I mean, WordPress is a great start, but take the time, when you're thinking about all the different bits of software that you use, to try to consider your whole workflow, and how does everything that I do affect my security? You're going to use a password manager, right?
It's the only way to have long, random, unique passwords, and that's what they should be: long, random, and unique. And you're going to use two-factor authentication. Everybody that had that smartphone but not that two-factor app, you're going to go install one of these and start using it. See, it's easy.

And now I think that I have some time for questions.