All right. Good morning, everyone. I'm Ray Mitchell. I'm going to talk today a little bit about securing your WordPress website. As a bit of a disclaimer, I'm not a security expert, but a user. And for most of us here at the conference, we're users, whether we are first time here in the world of WordPress or hardcore power developers, most of us actually use the platform. In my day-to-day life, I actually have a small web design business out of Winston-Salem in North Carolina, where I work with small businesses and nonprofits to help them with their websites. The reason why I'm talking about security is I had a little bit of a scare on one of my own sites. I saw somebody try to log in. Sorry about that. Oh, very good. Sorry about that. I saw somebody who tried to log into one of my sites with my username. And my username is kind of unique, and I was wondering how they got to my username so it forced me to kind of look and find out a little bit more about how to secure my site and prevent people from breaking into it. So, in order to get started, and again, because this is in the user track, a little bit of background about WordPress. People hear about WordPress and they know about it, but they really don't fully understand the impact of WordPress and the WordPress ecosystem. Right now, WordPress powers about 20% of all sites on the Internet. There's a lot of sites on the Internet. There are sites that have come and gone, but when they look at the technology that powers the Internet, it's about 22% of all websites actually are WordPress-based. And for websites that actually use a CMS or a content management system, over 60% of those sites actually use WordPress. When I'm selling WordPress to my clients, I tell them, you know, it's easy enough for the PTA and the Boy Scouts and the church group to use WordPress, but also it's big enough for big companies as well. 
So, this is actually a WordPress theme developed by somebody in the WordPress community that they donated to the Boy Scouts. And it's a theme that, you know, your individual Boy Scout group could customize and actually use, but it's a starting point, so literally the Boy Scouts have their own theme and it's easy enough for members of the Boy Scouts, 11 to 18, to actually use as the way to promote their troops. But again, beyond the Boy Scouts, WordPress is used by bigger organizations. Time Magazine and their stable of companies. Sports Illustrated. Reuters, who produces news internationally. Entertainers, like Beyonce. And this is actually a pretty interesting site because it's very visual in the way the site is laid out, but it's the same WordPress that we all use for our sites. So that's just the loan. His site is powered by WordPress. And again, lots of different entities use WordPress and face some of the same issues that we face as users every day. This I put in because it's a corporate site. It's actually the New York Times, and the New York Times uses WordPress for their blogs, but also for their main corporate site. And I found this one to be interesting because every time you load the home page on that site, it gives you a lot of statistics about how people are actually using the New York Times and interacting with their sites and their properties. And all of that is behind WordPress, which is kind of interesting. And no WordPress security talk would be complete without this one. Ashley Madison actually got hacked, or recently, and we heard about the hack last week. It was not a WordPress hack, but it goes to show that one big brands and profitable companies use WordPress, but everybody is subject to potentially being hacked on their website. All right, so a lot of WordPress sites are out there, a big piece of the Internet. How many people have heard this statement? Well, there's no viruses for Mac. That's the reason why I have a Mac. 
Well, the reason why for so long there were no viruses for Macs is nobody used Macs, right? Until the population of people who started using Macs started to grow, there was no reason to start putting viruses on those machines. Well, with WordPress being so ever-present on the Internet, there's a lot of places and a lot of value in trying to hack WordPress because there's targets there. And if the targets are there, it's worth your effort as a hacker to build something. In terms of WordPress as well, it's almost too easy to use. As I said, Boy Scouts, PTA, church groups, individuals, sometimes bloggers, you know, you can build a website that's actually powerful, communicates your message, gets out on the Internet and does things, and it doesn't take a lot of effort. You can get a hosting package for very little money, use their Fantastico or whatever their one-click install is, and boom, you've got a website. So it's really easy to do. Because it's so easy, people don't really think about it as something they need to work on or maintain. So I build and deliver websites for clients and tell them, well, I offer maintenance and I'll keep your site up to date and make sure everything is up to date. No, that's all right. I don't need that. People see the site is up and it's complete to think that's the end of the game where your website does need continual attention and maintenance. And if you fail to do that maintenance, you potentially make your website vulnerable. So people always ask me and then people who have gotten hacked ask, well, why are they messing with my little site or who's going to mess with my little five-page website? They're not really interested in your five-page website. The people who are doing this or are looking for scale, if you're like I am, you've got a lot of emails coming into your inbox and those emails are offering products of every type and every sort for every kind of interest you may have. 
And you have to wonder, who's sending out all these spam emails? Well, there's not one guy who's actually finding your email address and sending it out. It's an automated process. The way they do that and why spam is so lucrative, they can send out a million spam messages. If one person buys their 39.95 product, well, they make 35.95 because they're not paying for the resources to send those spam emails. They're actually using your little five-page website to send those spam emails and when your host cancels your hosting subscription, they move and find somebody else's unprotected website to send their spam emails. It doesn't cost them anything but the time to write that initial script to take over your website and use it to send spam. So it's not about the cooking recipes that you've got on your blog. It's about what your blog can do to help criminals in their activities. So there are a couple of different things that may happen. Drive-by downloads or malicious downloads. You always hear people downloading something and all of a sudden the machine is not working properly. Or as of late, the CryptoLocker where you may click on something and a pop-up tells you, well, you're being held ransom and once you pay $600 in Bitcoin, you won't get your hard drive back. Well, that's drive-by download or malicious download where they'll use one of your links for a recipe and when people think they're getting chocolate chips, instead their hard drive gets locked. I mentioned email spam, WordPress and most PHP-based hosting has the ability to send mail using the platform. So a hacker may get into your site and use your mail function, the same mail function that may drive your contact form but use that to send out thousands of emails a day and not be able to be traced because it's coming from your server as opposed to their server and whatever nation they may be. 
SEO spam, a principle of SEO used to be that you needed as many links to your page as possible. Well, what they would do is inject code into your site that put links for their page, their Cialis Viagra site or their porn site on your website. You may not see them as a user, but if somebody comes from Google to your site, then those links will be available to them on your homepage or pages in your site. So as a site owner, you may not recognize that's going on, but you may find out that people say, hey, are you advertising this on your website? And it takes a while before you realize what happened. You may have heard about denial-of-service attacks where thousands of thousands of websites or thousands and thousands of visitors come and flood a website with visitors. Well, typically it's not individual visitors putting in an address on the web. It's using your server and your server capacity to hit that site and hopefully bring it down. And there's also hacktivism. A lot of times the hacking is not necessarily financial, but it may be political in nature. So this is a recent FBI announcement and it actually specifically talks to WordPress. ISIL was defacing sites that they thought they could use to promote their message, right? So it may be sites specifically that they disagreed with from a political perspective, but it's an opportunity for them to get their message out and cause a little bit of havoc wherever they go. So even small sites are actually vulnerable and you can actually go to the FBI site and pick this up if you wanted to read it a little bit more detail. So how do you avoid these things? How can you protect your site? Well, I put it into like three areas that you really ought to pay attention to. It's practicing good hygiene and I always use that phrase kind of tongue in cheek, but really if you do things to kind of keep yourself and your site clean, you stay healthy. So it's the practices that you put in... the practices that you put in... 
thank you for being a great reminder on the microphone. The practices that you put in place around managing your site become very important. The way you choose a password, how and where you log into your site, all those things influence the total security of your website. You should take advantage of the tools and best practices. There are things that can help you manage and maintain your site. WordPress itself is one of those things. Keeping your WordPress version up to date is important in terms of managing your site. But around security, the probably the most important thing is don't put your head in the sand. Don't say, oh, it's too big or it's just too much trouble. You know, you can take actions that actually proactively protect your site. The thing is everybody can do something that helps keep their site healthy. It's very easy. You just have to make the decision that you want to do it. So there are three areas or three steps to securing your WordPress site. The first one is manage your behaviors as the site owner. You really don't want to be your worst enemy by doing things that make the site insecure. You want to make sure that the way you operate and the way you do business is meant with security in mind. The second thing is to control the users that have access to your site. You don't want to let people intentionally in as a user and give them the ability to mess with your site or inadvertently give them the ability to mess with your site. And then the last thing is to do things that actively frustrate the bad guys trying to infiltrate your site. And I put it here as frustrate because it would be like protect your site from hackers or prevent anybody from breaking in. And people talk about that in terms of security solutions just like banks. There's always someone who can break into a bank. There's always someone who can steal money. So what we want to do is really make the task as hard as possible for someone visiting your site with a bad intention. 
It's like with your home. Even if you don't have an alarm on your home, putting up alarm stickers on the windows sometimes makes the burglars go to other places. Putting an ADT sign near the driveway makes people drive by. You want to make your site look and act as difficult to get in as possible so that hackers will go someplace else. Could you give us a secure password? Secure passwords? And we'll talk about that. Two-factor authentication. We'll talk about it a little bit. But on my sites, I try to use two-factor authentication, which is in addition to having my username, which is a good username and a strong password, I actually use a Google authenticator with my site so that when I want to log in to my website, I've got to press a button on my smartphone that gives me a code that's only good for a minute and it matches the code on the back end of my server. If I don't have that code or I take longer than a minute to log in, I can't get in. I got to request another code. I got to my specific smartphone. So people, you know, even if they knew my username and password, if they didn't have my Google authenticator token, they wouldn't be able to get into the site. So that's one kind of easy measure, relatively easy measure, because it does require one extra step to get into the site, the second factor. But it's one thing that keeps people from, you know, just hitting your login page and getting into the site. All right, so from a site owner perspective, one of the things that I suggest is that you skip the one-click install on most of the hosting packages. It's not very hard to install WordPress as a manual installation from scratch. There's really great instructions on the codex at WordPress. It requires that you have FTP access to your site, so it is a little more hands-on dirty. But one of the advantages of doing that is you know, as part of your process, you're getting the most recent copy of WordPress. 
Your hosting company, where you're getting your hosting for $1.99 a month, they don't have the same interest in making sure that they've got the most recent version of WordPress. There's other things in the manual install, using the WordPress salts or a secret key that actually makes your installation unique and locks out any other prior user, right? The one-click installs also sometimes use the username of admin. It doesn't make sense for you to use the username of admin. That's typically the username that hackers will try first because that's the default or was the default for so long with WordPress that they figure if people haven't changed it, they can actually get in. And what's interesting, WordPress actually stopped using admin as the default username, but people are still going in and putting admin as one of the usernames because they think it's easy to remember, right? Just making that simple change also helps to defeat attempted entries into your site. The second site owner behavior is one that people neglect or don't do often. It's keep your WordPress core and WordPress plugins up to date. When security opportunities come up, WordPress, for the plugins and the themes in the repository and for WordPress Core, they actually update the software, and it's one way of making sure your site is up to date. One of the things that I do when I'm actually pitching somebody about maintenance is actually look at version of WordPress that they're running, and if it's an old version, I can tell them, you know, since your site was last updated, WordPress has gone through these different updates that you've not applied to your site. Don't you realize you're vulnerable? Let me help you by making your site up to date and getting things where it should be. Well, the hackers are doing the same thing. They're looking for old WordPress installations with vulnerabilities, and those will be the sites that they try to attack. 
So to defend yourself and defend your site against that, it's keep your plugins, the WordPress core, your themes up to date. And when I talk about themes and plugins as well, be sure that you're using safe themes. You want to use purchase, if you're going to purchase the theme, purchase it from a reliable developer, don't buy a cracked or warez version of a premium theme. You don't know what additional code or what additional backdoors may have been put into a free copy of a premium theme or a free copy of a premium plugin. The WordPress repository has, you know, five-digit thousands of themes, both free and commercial, and I know maybe close to 100,000 plugins that are available. So you can definitely find what you need up to date in the WordPress repository. I talked about this a little bit already. Don't use admin or other easily-guessed usernames. One of the things that I've seen recently is that people are actually using the domain name of their site as their username. Well, if I was going to choose what to break in with, the first thing I would choose would be admin, and the second thing would be the domain name of whatever site it is. So if it's MyCookieRecipes, don't use MyCookieRecipes.com or MyCookieRecipes or some variant as the username. Try to think of something that's unique. And then as the site owner, make sure that you're putting a strong password on the site. Now, a long or complex password sometimes is annoying, but it's not as annoying as having to recover your site after somebody guessed that your password was password. Okay? I got a little video I'm going to play at the moment, but you'll get the idea. I don't know if you watch Archer, but they're always getting hacked at his spy agency. At any time someone can't remember what the password is, it's guessed. Choose the complex password. Things should not be obvious as to what the password is. It takes just a little bit more. Eight digits is a good start. 
If you were to add two digits to your password, you increase... I don't know the number, but I can tell you what it is. You increase the difficulty of your password by 88 times 88. So if anybody's got a calculator or a quick math, you can see how much more difficult it is every time you increase your password by two letters or two characters, which would be uppercase, lowercase, the numbers, and the allowable special characters. The asterisk, the dash, question mark, and so on. As a site owner, you shouldn't use admin. You shouldn't use a weak password, but don't underpay for your hosting as well. There's plenty of hosting deals out there. We'll host your site for $2.99 a month. We'll host your site for $1 a month. You want to pay the right amount for hosting because if they're not making the amount of money that they need, they're not going to do the system administrator task to make sure that your website is safe. There are a lot of small hosting companies that resell other people's hosting. So it may already be a crowded, unsecured server that somebody else is selling to you and then crowding a whole lot of other accounts onto that. So the likelihood that you can get hacked increases if there's a lot of potentially unsafe sites on your server. So if your website is important to you, be reasonable about what you're paying for the site. Check the reviews on hosting companies to help you determine which companies are good. WordPress has some recommended hosting companies. We've got good hosting companies as sponsors for these events. Those will be some good places to look at for potential hosting. If I say this a thousand times, it's probably one time too few. Please make sure you're backing up your website regularly. Back of the database and the content. There's great plugins available to back up your site. There's free and premium or paid plugins to do it. I use a paid plugin that I like a lot. 
It saves me a lot of time from working on the site, but it also helps me recover people's sites if there's an issue. It may not be a hack. It could actually just be a file that's corrupted, but it helps me to replace the database and helps me do things quickly as opposed to having to root through each individual file or check database entries to see what might have changed. You can wipe the site out and then put up your backup and you're back in business. Make sure your computer's antivirus is up to date. If you have picked up a malicious file on your laptop or PC and it's a keylogger, well, they will actually get your username and password on all sites, your bank and your WordPress site. So it's important to keep your basic antivirus up to date as well. With regard to the user behavior, make sure your users actually have strong passwords. As an admin, you can grant somebody a password and you can give them a password when you're setting it up and issuing it. But if your site is a membership site or a site where you actually require people to sign in to see the content, people will create their username and their password. Make sure that you are setting it up in a way that people have to choose a secure password. You don't want to do the best in choosing a secure password for yourself and then give one of the people that you signed up ability to access your website with a very weak password. From a maintenance perspective and a site owner perspective, you want to make sure that your users have the appropriate permissions. So a lot of times you'll have a site where maybe a group of people are working or people change positions frequently. Make sure that you remove people who are no longer with the company, maybe no longer with the committee that's updating the website. Make sure you remove their access. If they don't need access to the site, you shouldn't leave a username and password available for that person or for somebody else to hijack and get into your site. 
And the last thing around user behavior is manage the user roles appropriately within WordPress. There are several layers of user roles all with increasing responsibility. If somebody only needs the user level to read your content or contribute your content, just give them that level. If somebody is an author, give them the author level. If they're going to be editing or publishing other people's posts, they don't actually need the admin level. You just give them the editor level for editing or publishing posts. You don't really need to give people a level of authority more than what they need because that increases your vulnerability. All right, in terms of frustrating the bad guys, this is an important one. There are a lot of tools and techniques that are available to kind of make the task a little bit harder. So what you want to do is limit brute force attacks. And that's one of the things that having a strong password will do. Does everybody know what a brute force attack is? Okay, I see a couple of nods. Let's put some notes. They're essentially trying to brute force their way into your username and password. So say I start with admin as the username. Well, I'm going to try every possible password combination until I get one that works. So username admin, one. Username admin, one, one. Username admin, one, one, one. And continue along that line until they get in. If they had to do that manually, it would take a real long time. But everybody's using computers to do this, so it doesn't really take that long to go in and crack a password. There's also a published list of the most commonly used passwords. So if your username is admin, all I need to do is start going through the list of most commonly used passwords, like password or password one or password one through three or I love you or something else you and just go down that list of passwords. Eventually it's going to get into the site. 
So what you want to do is actually put software on the site that limits the number of login attempts people get to make before they get locked out of your site. All right? By doing that, that can help protect your site from people who are, you know, actively trying to hit your site with the intention of breaking in. I mentioned two-factor authentication and that's a good simple tool. A lot of other services are doing it as well. Some banks, PayPal offers it. You know, we can do that within WordPress and that's another way of keeping your site safe. Right? You can scan your site regularly for malware. It's important to you that your site is secure, but it's also important to your visitors, the people you're actively asking to come to you, to come into your home to take advantage of the content that you've produced. Well, you have a little bit of responsibility to them as well. So as a site owner, you should actually scan your site for malware. There are a couple of online services that will do that and also let you know whether your site has been blacklisted as well. One of the ones that I use regularly that's free is sitecheck.sucuri.net and you just put in the URL and it will actually go through your site. It'll check to see whether your site is up to date but also scan for malicious code as well. I will have to actually tweet out or put the link up sitecheck.sucuri.net. The company is, if you go to Sucuri, S-U-C-U-R-I.net, S-U-C-U-R-I.net, and that URL is, I believe, sitecheck, S-I-T-E-C-H-E-C-K.sucuri.net. Put in the URL for your site. It will tell you whether it sees whether the WordPress version is up to date. It'll tell you whether plugins are up to date as well. Excuse me. I mentioned the WordPress salt. In your wp-config, there are actually... Excuse me. In the wp-config, there are actually some long strings of code or text that actually control your ability to log into the site. It's almost like a long cookie. 
If you actually use or include that in your wp-config, it actually ensures that the people who are logged in are the ones that should be logged in. If you feel that your site has been compromised, you can change the salt and it forces everybody who's currently logged in, it locks them out, or actually just logs them out and forces them to actually re-log into the site. That's a good opportunity for you just to, you know, after you've cleaned up a site where you think you might have a compromise, it forces everybody to re-change their password. One of the other things you can do is actually there's a file on the servers, most of them on the Linux servers where your account would be handled, called the .htaccess file. It's normally a protected file. If you have FTP access, you can go into this file and actually do some small changes in this file to make it harder for people who are visiting your site to actually have access to critical WordPress files. You can actually prevent people from, you know, browsing your directory. You can put in your URL list, the directory where your WordPress files or images are, and then people can actually see the individual sites that are in your file. With these .htaccess changes, you can actually prevent that from happening as well as restrict access to other files, so that's a good place to do that. All these items listed above, you can do manually, but a lot of the good security plugins will do that for you, and I've got a couple of them listed here. So one that I use a lot is WordPress. WordPress has the ability to do monitoring on your site and actually does some of these changes that prevent people from getting in your site. The interesting thing about WordPress and some of these other security sites is on so many WordPress installations, they can actually see what's happening on a lot of sites at the same time. 
So if they see certain IP addresses or trying to get into sites and getting locked out, it reports it back to WordPress and it prevents other sites. As soon as they see that IP address, they'll lock it out. So it's a good way of actually using the broader WordPress community to actually protect your site. The company I mentioned previously, Sucuri, they actually have a WordPress plugin that does a lot of the same things and more. Both of them actually have the ability to run security scans, but they actually audit the activity on your site as well. So you can actually see who's logged into your site, what IP address, and when that login took place. So there's a lot of good tools available to you that help you protect your site. iThemes Security, they actually bought a plugin from another company and continue to improve it. It has, again, some of these ability to make changes to your .htaccess, to monitor users, to make sure that no one's using the admin password, to enforce that people are using strong passwords. It won't allow you to set a password that's weak on your site. It has integrated two factor authentication. So if you want to use that kind of smartphone or text, log into your site, it's part of those themes. These three themes are all free. They have paid upgrades, but the free versions are more than adequate to secure your site. I did put Google Authenticator down here on the bottom. The plugin appears not to have been updated in some time. You'll see that from time to time and since it's a security presentation, I'll say if the plugin's not been updated in a while, you may not want to use it. This one has been pretty good, so I've not really changed it yet. The core information or the core code behind the plugin may be stable. It's just that you haven't updated it recently. 
If you don't want to use a plugin that hasn't been updated recently, there are other authentication plugins in the repository or you could use it in security, which includes it as well. There are a couple additional resources that you can read. One of the best resources is the WordPress Codex. The WordPress Codex has a wealth of information about everything WordPress, so for me that's typically one of the first places I go. But the section on hardening WordPress talks through a lot of ways that you can help keep your site safe and secure. I didn't talk about it too much, but it's more of an annoyance than something that actually can be a direct threat to your website. You have got a blog or you're accepting comments. A comment spam typically is one of the annoyances. You can tell that someone read your post or claimed to have read your post and is making a comment that makes no sense. When you actually look at the comments, their URL is for Louis Vuitton purses or for Cialis. That's spam and it's just annoying. Or you're an English language blog, but there's nothing but Asian characters in the blog comment. The information at that particular site is a curated list of potentially spam words, and within WordPress there's an ability for you to block comments that contain certain words. It's a very easy to use list that you just add into the WordPress admin, and if a post uses any of those words, you can choose to have it block as a comment entirely or have it go into the moderation queue for your comments. So it won't actually get onto your website before you have a chance to see it. And it's a good way of preventing people from being annoyed by comments that don't make sense, but potentially clicking on a link in a comment that takes them to a malicious site. And that essentially is the presentation. Slides are available, and if you've got questions, you'll definitely be able to try and answer them. 
Okay, within the wp-config file in your WordPress installation, it has information related to the database where your WordPress, it has the links or tells WordPress where the database is, usernames, passwords. Within that file, that configuration information are long strings of, I guess, complex letters and numbers that indicate when, you know, they act as a cookie in the process that manages the site. Let's see if I can find it real quick. Thank you for that long complex and... Well, here's the thing. You don't need to know... You don't specifically need to know what the salt does, but adding the salt or adding that salt functionality within WordPress makes it just more complex and unique for every time your password is used. Without it, it's possible that somebody can pick up the password and dummy it for your installation. The salt makes sure that the person using it is kind of authorized or authenticated within your installation. Definitely, if you've got one more question, I'll pull it up and we can show it to you. It's a little harder to pull on this for a moment. It's worth doing. Another question? It does. It enables you to change the salt, right? Because you can imagine one of the companies using the one-click install, they've just got one version of the software, right? So every install that's been used by that has essentially the same salt, right? You have the ability to import that unique salt to your installation also. And it's probably because more people are focusing on WordPress security, these one-click installs are probably doing a little better job of making sure the most up-to-date version of WordPress is used, but doesn't always happen. So they may be operating on a version of WordPress that's like one or two versions behind that still has some of the security vulnerabilities in it but are actually installing it on your site as a clean install. 
The third thing around doing a manual install is when you do the manual install, WordPress will ask you what's the first admin, what's the first username for the admin? When in the old days, it would actually just use admin as the username, this allows you to put in a username that's different from admin, and that also helps you keep the site a little more secure. Yes? They can be in that you don't know why they're actually browsing your site. When I look at my Google Analytics, again, I have primarily US-based websites for services or organizations that do business in the US, but I constantly am getting probed by sites in the Ukraine or Russia or China. You have to wonder why they're visiting my little website. It's not always with the best intent. So those are reasons to secure your website. Some of these security plugins actually allow you to ban certain countries or certain IP ranges from your sites, which is a help to kind of keep your site a little bit more secure. That being said, if your site is vulnerable, maybe they won't hack you from Russia or Tajikistan, they'll actually use somebody's website here in the US to actually try to breach your site. Yes? I guess with all the technology things, you should probably try to use the most up-to-date version. I'm going to suspect that there have been vulnerabilities in the way PHP runs on site. So in most cases, even the shared host will try to keep bringing the PHP versions up-to-date, but it's important if you can. And sometimes, even in the shared environment, you can kind of force what version of PHP that your site runs. And I would suggest doing it because it also will make some of the plugins work better as well. Yeah, it's a big vulnerability and it stayed for a while, but there really is limited reason for choosing admin as your password or administrator if you don't want to choose admin. Don't choose administrator either, because those are the ones that are commonly used to try to get into sites. Yes? 
It's actually pretty interesting because then also, I'm guessing you'll also see a big spike in the number of views on your site, unexpected. It just echoes very much the reason to try and maintain security on your site. And to be aware, maybe back in the old HTML days, you could have a site, put it up, and forget it, but your WordPress site does require a little maintenance and attention, and it's important that you do go back and keep an active eye on what's going on on your site in order to protect yourself and your visitors. My first hope is that you actually do have a backup copy of your site. That would probably be one of the things that I would consider doing. If you're not backing up your site right now, definitely do a backup to your site. The way that you typically will find out your site has been hacked is if it's a defacement, your site doesn't look like it used to look. You may find vulgarity, you may find images that you didn't put on the site on your site. That's one clue. The other clue is your hosting company may tell you that your site's been hacked. What you'll want to do as quickly as possible is go to them and find out when this intrusion might have happened and look at the log files as to what has been changed and that will give you some indication. You'll typically delete those sites. There are companies that will actually recover your site for you. They'll use a similar process. They will compare the version of WordPress on your site to a brand new clean version of WordPress and actually go into the files themselves and see if lines of code have been changed. They will replace those sites. One of the things you're going to do is install your current installation and reinstall WordPress. The process is a little complex. Again, on the WordPress Codex it actually talks about how you can recover from a hack as well. To that point, if your site has been hacked or if your site is found to be distributing malware, Google will actually blacklist you. 
Google and a couple of other entities will blacklist your site and you'll actually get a warning. If somebody Googles your site, the listing will actually say this site has been reported as a malicious site or has been hacked. Your search rankings disappear. People don't visit your site. They immediately run because on Firefox browser the entire browser screen turns red. So it's pretty serious. Once you get your site cleaned up, you'll want to go into Google Webmaster Tools and actually submit that the site is clean so that you can begin the process of getting people back to your site. Again, there's a change. That is a good point as well. If you get hacked, it's like a violation. If you live in an apartment complex and you get broken into, you may not want to stay in the same apartment complex if they're not keeping things up. That may be a time to consider who you host your website after it's been hacked. Particularly in how responsive your hosting company is and how helpful they are in trying to address the issue. Any other questions? Actually, one way or one mechanism for trying to manage that is if you use a tool to monitor and update all of your sites. If you own multiple sites, there are tools that will actually allow you to update WordPress on several installations in time or check your plugins to make sure all your plugins are up to date. I use MainWP, there's ManageWP, InfiniteWP, so there's a lot of them out there. ManageWP, there's a lot of software programs that will let you monitor and maintain multiple sites if you have multiple sites, and it makes it easier. And that's, I think, part of the drudgery, why people don't like to update, is that you can have a plugin get rewritten every day to a new version and have to go back into your site to make sure the plugins are up to date. These services kind of let you know in advance that something requires an update and then you can go and make the updates to those pages. 
Actually, Wordfence actually does a pretty good job of letting you know when plugins are expired as well or there's updates for a site. That's it. Thank you very much.