I should probably warn you. When it comes to security, I become really paranoid, really. Let me show you something. These are cyber attacks. Honestly, to me, it's really hard not to be paranoid after watching something like this. This map shows, in real time, cyber attacks done against devices protected by specific anti-virus software. And believe it or not, one of those is hitting your own website right now. Are you prepared for it? Will your defenses hold and resist the attack? Are you sure? Web security has never been as critical as it is today. And yet, we often fail at doing security well. But in the first place, why do we need security? What do we need to protect? And from whom? As the old saying goes, know your enemy. And that's exactly what we need to do. Know our enemy. Who is attacking our website? The enemy could be a person trying to hack specific websites with sophisticated techniques. But most of the time, the enemy is an automated computer. It's an evil bot or a powerful botnet, crawling the web and looking for websites to hack based on their vulnerabilities. And these attacks are run automatically. But you could say, okay, but I have just a small blog. Who cares? Why should someone be interested in attacking my small website? The truth is that the content, the size, the popularity of a website don't matter. These bots don't make any distinction. If they find the vulnerability, they attack. The end. But why are they attacking our websites in the first place? What's their purpose? Well, they attack to steal data: passwords, credit card numbers, other personal data about our users and customers. They attack to steal resources, computational resources of your own server, to run malicious software. They attack to send spam. If your domain is clean, it goes through anti-spam software, so it's easy to send spam mail from your domain. And they attack in order to attack other websites. And this is terrible.
It means that if my website is attacked, it can become an attacker itself and infect other websites and users. To earn money. Maybe it's not always so clear, but they could earn money, for example, by selling the data that they stole from your website. Or they can get money from mining bitcoins using your server resources. If any of this happens, what would the impact be on our websites? Why do we need to take care of security? In other words, why does security matter? First of all, time. Cleaning a hacked website requires a lot of time. And time is gold. So why waste it? Reputation. A user is less willing to keep visiting a website that has been compromised. And even more so if that website is an e-commerce. These kinds of things really affect a business badly, really badly. Legal issues. Think about the GDPR, the new European regulation about data protection. I mean, it's not something to underestimate. If our website is hacked, we could run into legal problems. Search positioning. Search engines are very clever. They can tell if a website has been compromised and warn the user about that. Sometimes, and this is the worst part, they could directly remove your website from their results. And believe me, getting back the previous position is really hard. It requires effort, time. And you can't be sure that you will finally succeed. Money. Sometimes it's not so direct or explicit. But after a website compromise, there are some economic damages. So security should be the answer to all of these problems. So what are the goals of security? And why do we need security? And how can security help us prevent those bad effects? There are three core security goals. The first one is confidentiality. We want our data to be accessed only by authorized users. Three years ago, there was this website in Australia that allowed citizens to access their own tax records.
And under certain circumstances, due to a severe security flaw, some people managed to access someone else's tax records. That is against the confidentiality of that kind of information. So it's very important to guarantee confidentiality: only authorized users can access a specific piece of information. Integrity. We want our data to be changed only by authorized users. We don't want the enemy to inject malicious code into our website, infecting our users. That would be terrible. Availability. We want our data and services available, up and running, when we need them. Last week, I was at work in Torino, and I talked with a person whose client was facing some issues with their own e-commerce website. It happens that every time they start a new promotion, a new special sale on their website, the server goes down. And the reason is that a lot of requests come to the server at the same time. That's a denial-of-service attack. And in this case, the enemy was clearly one of their competitors. It means that there was no availability. Actual users were prevented from shopping on that website. So we want availability. And these three properties are usually referred to as the CIA triad. And they are the core goals of information security. So how can we enforce these properties? Well, that's easy. I have installed a plugin for security. I'm good. Easy. No, you're not. No, not at all. And please don't misunderstand me. Plugins are really great. I myself use some plugins for security on my own websites. But we shouldn't forget what plugins are. Plugins are just tools. We first need a plan, a strategy to secure our websites. Only after that can we pick the right tools to make our strategy happen. This is very important. And security is not a plugin. It's not a product. It means that you can't buy security. It's not something that you can just install and you're good. It's a process. It's a continuous process.
And today, I'd like to tell you about five security principles that I selected among the others. And they are not rules to follow just once. They should be part of your daily process to secure your websites and keep them secure. The first one is: manage security risks. You know, security is not an absolute. You can't say that a website is secure or is not secure. It's not binary. A website can be more or less secure depending on how many security risks have been managed. And actually, managing security risks is what security is all about. In risk management, we have three elements. A vulnerability is a weakness in a system. A threat is a potential danger. And the risk is the likelihood that the threat will exploit that vulnerability to do some damage. In our case, to attack our websites. Let's do an example. You all know the login page of WordPress. Well, using admin as the username for your administrator account is a vulnerability. And we have a high security risk associated with that vulnerability. And we can manage that risk by not using a default username for that. Because the attacker knows about it. If the enemy wants to force a login into your application, they first try using admin. Another step is using a strong password. And maybe also enabling two-factor authentication. There is a fun fact about this. I'm a huge fan of Harry Potter. And looking at the logs of my website, I found out that there was some automated bot trying to log in to my application using the username Albus Dumbledore. And it was funny because on my website, there's no trace of Harry Potter. So they used some social engineering techniques to find out something more about me, maybe from social networks or other places, and used that information to try to penetrate my website. So WordPress is not secure. There are vulnerabilities. Don't use WordPress. No, that's not correct. And I'm going to explain to you why. You know, there's no such thing as 100% security. There will always be risks.
We can manage them. We can limit them. But there will always be risks. So the security of our website will depend on how many security risks we manage and how we do that. Knowing what the risks are, we can make better decisions when we design and develop our website. So we should think about it from the very beginning of our project, not at the end. Always. It's a continuous process. The next principle is about trust. Be reluctant to trust. When you trust a system, a piece of software, data coming from the user, there are some consequences. There are some security risks. One of the greatest features of WordPress is user experience, how easily it can be used. Just by clicking a button, we can install whichever plugin or theme we want. But that single click has consequences. So, talking about plugins and themes, be sure that you choose wisely. Use a trusted source to look for plugins and themes. For example, the WordPress.org repositories. And do some research, not only on the source platform, but also on the web. Check for reviews, ratings, number of active installations. What other users say about that specific component. And one important piece of information to check is when it was last updated. Personally, I don't install plugins or themes that have not been updated for more than six months. But it's up to you. It depends on how much you're willing to risk. And this is not enough. Because lately, there is an attack that is becoming more and more popular. It's called a supply chain attack. Basically, the enemy selects a plugin that has hundreds of thousands of active installations, buys the plugin from the author, makes some slight changes injecting malicious code, releases an update, and magically, all the installations using that plugin are infected. So if the author of one of your plugins or themes changes, well, think about this: it could be a supply chain attack. If we apply this principle to every element of our web project, we end up with a boundary.
A boundary between what we trust and what we don't trust. A trust boundary. So, for example, we don't trust user input. As developers, we need to validate data. We need to secure the input by sanitizing any data coming from the user. In this way, we can prevent injection attacks. We need to secure output data to prevent cross-site scripting attacks by escaping data. We should secure HTTP requests, validate them, and WordPress provides us with the nonces feature that we can use to be sure that the user really wants to perform that action. And also third-party services: we need to authenticate every external service. So every communication crossing this boundary should be secured.

We talked about the risks and this boundary, but where should we apply these principles? Where is the location? Because we always talk about WordPress security, but our website is not only WordPress, right? So we need to practice defense in depth. By securing different layers in our website, we can guarantee a higher degree of security. We can reduce the security risks, and we can enforce confidentiality, integrity, and availability for our data and our services. Of course, we have the WordPress layer. And notice that I used two different sub-layers. It's important to distinguish between the core and plugins and themes. Failing this distinction means failing security. They are not the same thing. We have a web server, of course, because WordPress runs on a server. So we need to secure the server as well. Same thing for the database, where all the data is stored. And we haven't finished yet, because we have host security. This is usually the responsibility of the hosting provider, but still, it's there. It's something that we should consider when selecting which hosting provider to choose to host our websites or applications. We have a network layer.
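As an added illustration of the trust-boundary paragraph above (example code written for this page, not from the talk or from WordPress itself): a minimal WordPress settings page that checks capability and nonce on the request, sanitizes the input before storing it, and escapes the output. The hook and API names are WordPress core; the option name, field names and the `tb_` prefix are constructed for this example.

```php
<?php
// Added example (not from the talk): one WordPress admin page that applies the
// trust boundary to a request. Assumes WordPress is loaded; the 'tb_greeting'
// option and form field names are constructed here.

add_action( 'admin_menu', function () {
    add_options_page( 'Greeting', 'Greeting', 'manage_options', 'tb-greeting', 'tb_render_page' );
} );

function tb_render_page() {
    // Who is asking? Never assume the caller is allowed to be here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['tb_greeting'] ) ) {
        // Nonce check: the request must come from our own form, not a forged
        // one (cross-site request forgery). Dies if the nonce is missing or stale.
        check_admin_referer( 'tb_save_greeting', 'tb_nonce' );

        // User input crosses the boundary here: sanitize before it reaches the
        // database (wp_unslash removes the slashes WordPress adds to $_POST).
        $greeting = sanitize_text_field( wp_unslash( $_POST['tb_greeting'] ) );
        update_option( 'tb_greeting', $greeting );
    }

    $greeting = get_option( 'tb_greeting', '' );
    ?>
    <div class="wrap">
        <h1>Greeting</h1>
        <form method="post">
            <?php wp_nonce_field( 'tb_save_greeting', 'tb_nonce' ); ?>
            <input type="text" name="tb_greeting"
                   value="<?php echo esc_attr( $greeting ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
        <!-- Stored data crosses the boundary again on the way out: escape for
             the HTML context so it can never run as script (XSS). -->
        <p>Current greeting: <?php echo esc_html( $greeting ); ?></p>
    </div>
    <?php
}
```

Each escaping function matches its output context (`esc_attr` inside an attribute, `esc_html` in element text); sanitizing on input alone does not replace escaping on output.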
And here, for example, we can make sure that we use encrypted protocols like HTTPS and SFTP and stop using plain HTTP, or worse, FTP, which is always there. Stop using those plain-text protocols, because they are very dangerous. And finally, we have the client layer. Yes. If I use this laptop for managing my own WordPress website and my computer gets infected by some virus, it's likely that my website will be compromised as well. So we also need to be sure that our own devices are well secured. You can tell by yourselves that a plugin is not enough to protect all these layers. There's something more that we need and have to do. We talked about what to do and where to do those things. But we still have to investigate when we need to do all these things. Security is not binary, I told you before, but security is not static either. A website that has a high degree of security at one moment becomes less and less secure over time. The degree of security changes over time. So it's important to stay up to date, always. It's a continuous process. Unfortunately, we need to take security into consideration from the very beginning of the project and never let it go. Staying up to date means updating the core, the themes, and the plugins, of course. And it's not just aesthetics. It's really important for security. Everybody knows about that. And still, there are so many WordPress installations running outdated software. So many. Think about the Panama Papers case some years ago, due to an outdated plugin. Well, something so big, so huge came out, with severe consequences at a political and legal level, just because of an outdated plugin. So let's keep every piece of software up to date. It's important for security. Then we need to preserve the level of security, maintain a website, always. So use monitoring to keep track of everything happening inside your website. And take action accordingly. And always have a backup plan.
Very easily, do regular backups of your website and make sure that you keep them in a secure place, not together with the website. Because if your website gets infected and you have the backup in the same location, well, it's a useless backup. How many of you do regular backups of your websites? And how many of you have ever tried to restore a website from a backup? Very nice. Very nice. It's important to practice this action before you actually get into a situation where you need to restore a website from a backup. Now it's time to answer a very popular question, as I promised. Is WordPress secure? How many of you say yes? How many of you say no? Well, you're both wrong. Because you didn't pay attention. I said before that security is not binary. So there's no yes or no answer about security. We talk about different levels of security depending on how many security risks we manage. But this question requires a binary answer, requires a yes or no answer. So we can't really answer this question. It doesn't make sense. And I'll tell you something more. I said before that security is not static, right? But in this question, we don't have any time specification. So we can't answer, because we don't know which point in time this question is referring to. And it's also ambiguous, because what does WordPress mean? I know it seems a silly question. But by WordPress, do we mean the core? Do we mean the whole WordPress layer, so including plugins and themes? Or do we refer to the whole application based on WordPress? It's ambiguous. I can't answer this question because it doesn't make sense. Another thing is that this question focuses on a technology, WordPress. But security is not only about technology. Security is a combination of three components: technology, process, and people. And guess what? People are usually the problem, because they don't have a plan to secure a website and they don't take care of the technology that they are using.
And this leads me to the last security principle. Secure the weakest link. Now, in the security field, this principle is quite general. It means that it's important to secure the most vulnerable component of a system. But in our case, it happens that people are the weakest link. I know it doesn't seem so nice. Think about me. I'm so obsessed with security. But just recently, I poured a glass full of water over my laptop. And I hadn't done a backup for more than a month. I was terrified, not for the computer, but for the data inside it. I could have lost one month of important data. And that was my fault, because I had the technology. I had an external drive to do backups. I had a process to follow: do regular backups. I didn't follow the plan. It was my fault. I knew about the vulnerability of my laptop regarding water. So it's not the laptop's fault. And the same thing goes for WordPress. If I don't update a plugin and then my website is hacked, it's all my fault. We can't blame WordPress. Most of the time, it's not WordPress's fault when there are compromised websites running WordPress. But we can change it. We can change it together. We can stop being the weakest link. Security is a shared responsibility. So let's use our force to secure a website together. We all work on the web in some way. It's our workplace. We should take care of it. We have different skills, different expertise. We should work together. Otherwise, we'll continue being the weakest link. And we don't have time. We need to do this now. Time is running out. Only by working together can we build a better web. I truly believe that. It's our responsibility, and it's in our interest. Taking care of security means taking care of users, of people using the web. And we all use the web. So it's in our interest. It's our workplace. We should protect it. We should secure it together. We can't do this alone. It's not just the developer's responsibility or the host's responsibility.
Only together can we secure a website. Really, build a better web. Every day, every hour, this very minute, perhaps, dark forces attempt to penetrate our systems. But in the end, their greatest weapon is you. Just something to think about. Thank you.

Don't worry. I'm going to ask you a question. Sorry, can you repeat, please?

It seems to me like security through obscurity. So hiding something so that the enemy doesn't know how to get to the website. A common practice is to hide the wp-login or wp-admin page. It can help, I mean, to slow down the enemy. But in the end, it's just like turning off the lights in your house. The thief can still get in. Yeah, maybe in the dark, it's difficult to find objects to steal. But it's just slowing down the enemy. So it can help, but we shouldn't rely on security through obscurity. Of course, it's a further step in securing our application, but it's not something that we should rely on entirely. But of course, it helps.

That's a tough question. I use some of these plugins myself. It's hard to recommend a plugin because it depends on your needs, on your security plan, your security risks. There are several popular plugins. There are all-in-one plugins providing more functionalities inside one single plugin. There are also specific ones. I don't know, in your specific situation, which would be the best option for you. But if I had to mention some, there is Sucuri, which is very good. I think Sucuri, Wordfence, but there are more of them. So my suggestion is to try installing them and, of course, do some tests and check if they are the right tool for you, depending on your plan.

So you mean the different impact between them. The automated attacks follow some specific patterns. So, for example, to force a login, they try to access the wp-login page, wp-admin. And if they don't find that page because you hid it, they can move on to the next website, trying the admin username and other data to force the login.
And of course, the risk is higher if there is a person behind that attack, because you can somewhat predict what these bots do to attack a website and plan for that. But of course, if it's a human in person trying to run an attack, that is more risky, of course, because a human can adopt more sophisticated techniques to attack a website. So not just following the pattern that each WordPress website follows in some way. In a general way, it's not so likely. But in a specific case, for example, when I talked before about this customer from Torino, which had availability problems, that was a human behind it. Of course, there was a botnet behind those DDoS attacks. But there was the competitor of this person that wanted to damage this company. So in that case, it's more dangerous. But it's, I could say, less likely. But again, it depends. If there is someone that wants to hurt you in some way, they will find a way. Think about political or social reasons that could be behind an attack, Anonymous, just to mention one. In that case, they, of course, use bots. But these attacks are more targeted at that specific website or application. And of course, it's more dangerous.

Thank you for the talk. Obviously, I think most people in here are probably developers rather than server administrators. So are there any almost checkboxes that you think we should check that our hosts are implementing, that we can ask them all easily?

I have some resources for you for that. There will be in my slides some books and guides that you can follow to make sure that you have taken into consideration the most important areas when doing security. But yeah, they will be on the website, I guess. Thank you. Will you tweet them? Yes, yes. I will tweet the slides.

Hi, Thomas. Great talk. Thanks for that. My question is about the supply chain attacks. If somebody can download a plugin, how does it actually happen? Do they just self-host it?
And is that the way, they just change the version number and then it updates everybody's site? And the second part of the question is, how do you counteract that?

I suggest you check the Wordfence website, which has several analyses of some of the latest supply chain attacks on famous WordPress plugins. They are really hard to identify. I mean, as a user of a certain plugin, there's no automatic way to find out if that website has been compromised by a new author. But if we stay up to date, so we keep visiting these websites that do research about security related to WordPress, we can identify these kinds of actions first, and if not prevent them, at least, before it's too late, we can disable the plugin or uninstall it altogether. OK, great. So just be aware and keep up to date. Unfortunately, we don't have, at the moment, an automatic way. But there are people doing research and keeping these plugins and themes analyzed. So if we keep ourselves informed, we can do something before it's too late. OK, great. Thanks.

Well, about that, content delivery networks are not so related to and fundamental for security. We can do security without them. They are widely used for different purposes. One is, of course, security, just to have a sort of proxy between the user and our website. We can implement a firewall so that, before coming to our server, some threats are blocked. But I wouldn't say that it's fundamental to have it. Personally, I use it more for performance reasons, to deliver static content to the user. But of course, it can help increase the level of security. As with everything else, I mean, the more the better if we practice defense in depth, of course. So in that sense, they can be helpful. Nothing is mandatory, but also nothing is too much. We just need to make sure that we know what we are doing and follow a plan. So, for example, I use a CDN because I identified this security risk. I want to manage it. And the CDN provides me the right way to do it.
My suggestion is to always have a reason before using a tool, a plugin, or a specific functionality.