Okay, let's go ahead and get started here in the interest of time. Hi, how's everybody doing? Good, good, good camps so far today. Thank you for coming to my session. This session is called Making Security Make Sense to Users and Clients. So first I'd like to get to know everybody in the room just a little bit. How many of you are actively building websites for clients? Ooh, nice. And how many of you are managing those sites on a monthly basis with a maintenance plan or retainer of some sort? Great. So my intention with this talk is to help provide a few useful tips for growing your business and also adding extra value to your client as it pertains to website security.
So I am Adam Warner. I am the open source community manager for SiteLock. It just so happens it's a website security company. I am also the owner of FooPlugins, a plugin business. I'm passionate about website security, and you're going to learn the exact reason why I'm passionate about security pretty soon, and I'm all of these other things.
So today I want to cover securing your own site first and why that's important; securing your client sites and the benefits for your business of doing that; communicating security and the benefits efficiently to your clients; including security in the project scope; security best practices that you can implement for yourself or for your clients today; and security in your maintenance programs, and pricing and reporting options.
So let's first talk about why securing your own site is a good first step. How many of us have actively secured our WordPress sites? Great. How many of us are using plugins to do that? How many of us have done that manually through some manipulation of .htaccess or other things? Great. Okay. So the first reason to secure your own site is really about your reputation as a web development provider. So website hacking attempts happen all day every day and I'll talk more about the how and why of that in a minute.
So when I talk about the reputation of your business, imagine that someone is looking for a web developer in Hamilton and they Google web developer Hamilton and they get to your site and Google throws a warning that this site may be hacked. Not very good for your reputation, right? Yep. Oh, thank you. So what are you going to do when that happens? You're going to leave that site immediately. You're not going to trust that person or that business with your own business. The second reason is familiarity with security best practices. So I'd never recommend a service or something to my clients that I haven't used myself with one correction. I mean, I would never do that again. I've been burned by that. I failed clients in the past because I didn't do proper due diligence on the plugin or the theme or the service that I was recommending to them. And so I've since learned my lesson. So the point of becoming familiar with security best practices is really about eating your own dog food, right? If you're going to make suggestions to your clients about how to secure their sites, you should be familiar with A, how to do that. And B, you should be securing your own stuff. And it protects your business. And that's kind of an obvious one, right? It protects your site from getting hacked. Or if you do get hacked, you have a better plan for getting your site back up more quickly. So we have a lot of goals as web development providers, but first and foremost should be protecting our own business. And I'm going to tell you a true personal story of what happened to me and why I became passionate about website security. In 2006 and 2007, I started a WordPress multi-site installation called Indelab. And it was a site geared toward providing websites for creatives, for musicians, for artists, painters, what have you. And it was all free. You could sign up. If you're not familiar with multi-site, it's basically what runs WordPress.com. 
When you go to a WordPress installation, you can sign up for your own site underneath that. So it's adam.domainname.com. So it was all free. I had many, many people signing up. And then I started to monetize it by adding extra features if you were paying a monthly fee. At the time, I was working full-time for an audiobook publisher. And this business started to take off. People started to pay. You liked the features that we were building in. And I was really, really close to quitting my full-time job. And then one morning, a bunch of emails came in. I can't get to my site. My site is hacked. It has all this garbage on it. It's redirecting to Viagra and Cialis ads. So I dug in. I took that day off of work, actually, dug into that. And at the time, there were no security plugins. There were no security services where I could just call and have them clean it up. So I was on the WordPress and WordPress multi-site forums trying to get help and then emailing individual people. And I had it cleaned. And I thought I was good to go. And the next day, everything was reinfected again. So I went through this for about a week, back and forth. Meanwhile, answering customers saying, hey, this is what's going on, communicating to them. Well, it went on for more than a week. And we were approaching about three weeks of this. And I was frustrated. I was a bit depressed because why can't I fix this? And of course, as you can imagine, my customers were not very happy, right? So what I ended up doing is closing the business, refunding everybody, and calling it a learning lesson. And I went through a period afterwards where, you know, imposter syndrome, I must really suck. And, you know, I'm no good. And what can I provide people, right? But that led to my interest in website security, which is now my full-time job. So I hope that doesn't happen to you. 
And I hope that that shows you the importance of website security, not in terms of just having a website that doesn't look bad or that's redirecting somewhere, but protecting your business and the business of your clients. So let's talk a little bit about securing your client's sites. Your site is secured. We're good to go. And are you actively implementing the basic security best practices on the sites before you hand them over? Is anybody doing that now and doing basic security steps before you hand over to a client? Great. Good stuff. So the first reason to secure your client's sites is that it's in your best interest. Has anyone ever received an email or a phone call on a Saturday night at midnight that says, urgent, my site is hacked, help me or some other thing, right? Many of us have. I have heard those exact words, as I just told you. So managing your client communications can be taxing when those emergencies happen, right? So now securing your client's sites before the worst happens will save you time, money. It will allow you that much needed time off if you're a freelancer working from home. You know that many of us, if not all of us, basically work 24-7 when we're building our own businesses. But if you have these mitigation steps in place, you will have more time for yourself and therefore it is in your best interest. It also is peace of mind for you and for your clients. So whether it's protecting sites proactively or giving them the education and tools that they need to do it themselves, the end result is you can relax a little bit and so can they. So let's talk about education for a minute. Has anybody tried to communicate to their clients the importance of website security? 
I have, and is it safe to say that the typical response might be, "I just blog about my cats, I don't need website security," or "it's too expensive and why would anybody want to hack my site," or "that's way too technical and it's beyond me and my eyes are glazing over and I'm not going to even listen anymore," right? So educating your clients or potential clients about website security to me isn't just the right thing for your business, it's the right thing to do, period, for the betterment of the internet, right? It can also set yourself, set you apart from the rest of the web development crowd. And what I'm getting at is security awareness in general, but security awareness very specifically, and I'm going to say this again a little later on, but when you are first contacted by a potential client, whether it's email, phone, my advice to you and my hope is that you will start discussing website security from the very start, and not to overwhelm them but just to mention that as the first thing, one of the first things you talk about, because by doing that you're going to make someone security-aware, whether they choose to go with you or not, but you're also going to set up yourself and your client's site to talk about security through that entire process, from the initial contact to the project scope to the proposal stage, and the benefit there is obviously for your client's sites, for you, but there's a potential for more revenue for your business as well. So I look at it as we're the ones who understand how the internet works and therefore it's our responsibility to help secure that.
So who is responsible for security? Can anybody take a guess? There you go. Ding, ding, ding. The short answer is all three. Ourselves, your clients, the web host, but to varying degrees. So I'd like to use an apartment analogy. So as providers, as developers, as freelancers, agencies, we're the ones that are creating the apartment building, right? We're the construction company.
It's our responsibility to make sure that that website structure is solid. It meets all the building codes. There's no exposed wires. In other words, making sure that building, that website doesn't fall down. Now, web hosts, on the other hand, are primarily responsible for the security and maintenance of their servers, which is like an apartment complex where that building stands, right? They want to make sure that the buildings are protected and safe, all the sites within their network. They want to make sure that the access gates and codes are in working order. They want to make sure that the parking lots are lit and safe, the snow is shoveled, et cetera. As a website owner, the security and maintenance of your website is really your responsibility, just like an individual apartment would be within that building, within that complex. So in terms of communicating this to your clients, you can use that analogy, but also just like if they had a brick and mortar store, excuse me, I almost fell over, just like if they had a brick and mortar store, they wouldn't leave for the night and leave the doors open and the windows unlocked, just like you wouldn't do that with an apartment, right? So it's your responsibility, or your client's responsibility, excuse me, to make sure that everything is safe and as locked down as it can be.
So I talked a little bit about setting your business apart and mentioning security, but also in educating your potential clients about security. So again, you can start from the very initial email or phone call and then expand that into education of what website security is as it pertains to their business. Again, the brick and mortar store, doors and windows locked. And then security, education and awareness really starts at the very beginning and should be a theme throughout the entire project and then into the monthly maintenance stage.
And so even if they don't move forward again with your proposal, at least you've done your part to spread that security awareness. I mentioned additional revenue. There's additional revenue in the form of higher prices and residual income. If you are separating yourself as a business that is focused on the security of the internet as a whole, on the security of your client's business, you immediately separate yourself from the rest of the pack. And I wouldn't recommend but I would offer that you might even make security a required portion of your project when working with you because it shows your clients that you are serious, that you understand the internet and that you're a partner in their business rather than just trying to upsell them on some extra feature that they may or may not need because everyone needs website security. And in doing that, you can demand higher prices for the initial project. So if maybe now you're doing minimum projects of $1,000, maybe some of you are doing $100,000, but if you're doing a minimum amount that is around $1,000 or whatever it is, you can immediately demand higher prices in order to help set yourself apart too. So the key is to provide immense value that they can't get anywhere else. Now, more revenue can also come in the form of residual income, and that again is your monthly maintenance program. You can build in security reporting, scanning, web application firewalls, all kinds of stuff in various plans. And you can even use affiliate commissions to any security company that exists out there. Most of them have affiliate programs where if you can't sell your client on that and they come to you six months later and say, my site is hacked, then you can go get cleaned up with any of the number of security companies that are out there and make some money on the back end. So the struggle is communicating the need for that security effectively, right, to the average business owner who may or may not be technically minded. 
And we've talked about the typical reactions. It's too technical. It's too expensive. I don't need it for my five page brochure site. So how do you explain the subject of website security into terms that your clients will easily digest and understand or want to understand? So for me, I always communicate these three things. If you break down website security into the most basic questions, it's much easier to understand and communicate, and it helps you communicate that importance and the concepts and the terms in the way that's familiar to them. So the first is why. Why websites get hacked? Does anybody have a quick answer or opinion on why websites get hacked? Like the most popular reason. Say again? That's why. Yep. But why do hackers do what they do? Yes. User data? I was going to say marketing or advertising for whatever. Yep. Yep. Yes. The answer is all of those things. Yes. So they could do it for a little bit of 15 minutes of internet fame. You've been hacked by, you know, so and so. That would be known as a defacement where it's very visible. So a quick side note. We had a presidential election in the U.S. I'm sure everybody is aware. And one of the candidates' websites was hacked, and there was this query string you could put in the top in the big banner that had their slogan on it could be changed. And it was changed to a lot of different things. And one of the nicer things was I like turtles in reference to an internet meme. So there's reasons why people do that, right? For fun, for a little bit of fame. But by far, the most popular reason that a website gets hacked is for financial gain. All right? So one thing to know about website hacks is the overwhelming majority of them are automated. They're automated scripts that people take, tweak, or write themselves, and then they put out into the wild. And what their scripts are looking for are open doors. And open doors can come in many forms. It can come in the form of outdated software. 
It could come in the form of outdated web server software. And the reason why these scripts exist is a lot of times people will find companies that will pay for just clicks. So if you get to a site and you see what's known as a redirect, you go to a website, you get redirected to a Cialis website, or excuse me, a pharmacy website. The person who has created that script is getting whatever, a penny, two pennies per click or less. But now imagine that there's hundreds, thousands, hundreds of thousands of websites where people are getting redirected. It's easy money for them, right? So explaining to your clients why website hacks happen and putting it in terms of revenue and why it's an incentive, then you blow a lot of those misconceptions out of the water. Why would someone want to hack my cat blog? Well, because it exists and because there's an open door and because there's a whole bunch of other websites on that same web server that once I get in, it's not easy but it's easier to cross-contaminate rather than keep finding sites that have holes in them.
Anybody hear of Equifax? Yeah, Equifax, the Equifax hack gave access to personal data, Social Security numbers, addresses, family members to 143 million Americans and people from other countries. Anybody know how that hack happened? Outdated software. Outdated software on the web server that was hosting the Equifax website. And to rub it in just a little more, that outdated software was known about four months before the hack happened. So I'll get back to that in a minute.
So who and how? So when we think of hackers, the stereotype is that it's some angsty, antisocial kid in the basement of their mom's house that's super smart, right? And targeting individual websites. Susie was mean to me. I'm going to hack her website. Well, there probably are stereotypical hackers out there wearing dark hoodies and such. But the majority, again, of those website attacks are performed by those automated bots. So how do these happen?
They happen in a lot of different ways. And it all comes down to vulnerabilities found at various access points. Access points can include outdated software. They can include passwords, weak passwords, or newly discovered vulnerabilities in up-to-date software. So again, communicating the how and why to your clients in a simpler way is going to help them understand, again, the importance of website security.
So also communicating when website attacks happen. Unfortunately, it's not a question of when a website will experience an attack. Excuse me, not a question of when, because hacking attempts happen all day, every day. We recently published our quarterly security report, and we found that every website on the Internet had an average of 44 attacks per day. Again, from these automated bots, which, for my personal website, is an average of 16,000 attacks every year. This is an animated GIF of, I have to go back, North Security. And this is just an example of a few seconds' worth of attacks that are happening every second of the day.
So now that you've communicated the whys and the hows to your clients, let's talk about how to implement some simple website security best practices. One is backups. Is there anyone here who doesn't know what a backup is? And that's okay if you don't. Okay, so you're basically creating a copy of your site and your database and your files, and you're doing that on a weekly and or monthly basis to have a good copy of your site if the worst happens. Doing this ensures that, of course, if something goes wrong, you can fix it. Updates. We just talked about outdated software, and I'm talking about WordPress Core. I'm talking about plugins. I'm talking about themes. But one thing that some people miss, and I missed it myself, is any other software that's running on that same web server that your WordPress installation is on. I am a shiny object guy. I'm doing this a lot for different applications.
So I install something, I play with it, I see how it works, and then I forget it's on my server. So it's really important to keep all your software up to date. One thing to remember is to always run a backup before you update your software. I don't know if anyone else has experienced this with WordPress specifically, I've seen the white screen of death more than once because of an update. Maybe it was a plugin conflict or something like that.
So number one backups, number two updates. Number three, strong and unique passwords for every single login that you have. Starting with your local machine, maybe even starting with your home Wi-Fi router, all the way up to every single site, every account that you have on the internet, strong and unique passwords. And I know what you're thinking, how in the world am I ever going to do that? If you just choose one really hard password and then reuse it everywhere, will that be enough? No, it won't. You have to use strong and unique passwords. I put a URL there on the screen. If any of you have your laptops out, feel free to load that: haveibeenpwned.com/passwords. And I will show you the outcome of that. This is what happens when I put in a password that I used to use quite often. You can see there, uh-oh, this password's been used, or seen two times before. It has previously appeared in a data breach. I have a pretty good guess of where that came from. Yahoo got hacked several years ago, 400 million accounts or something like that. And I think LinkedIn also got hacked. And I used that same password in a few different places.
So, what is the answer to creating strong and unique passwords for every single site and remembering all of those? The answer is password managers. 1Password is a tool that I would recommend. LastPass is also a tool that I recommend. It helps you create really strong passwords, helps you remember them. Now, grain of salt. Website security is about reducing your attack radius, right?
So, you have to have a master password for a password manager. What happens if your password manager gets hacked? It's happened. But at least you're reducing that attack radius by using one tool to manage all of the other ones, right? Number four are firewalls and CDNs to some degree. If you aren't familiar with a firewall, there are two types of firewalls. There are network firewalls and there are web application firewalls. A network firewall is something that your host typically has to protect their own network from web server to web server. And what firewalls do is they recognize and block known bad traffic. A web application firewall is something that as a website owner or your clients, or you would help your clients do that, it's something that you would put on your own site. So, the way a firewall works or a web application firewall specifically, someone's in their browser here and they want to get to your website over here on your web server. A web application firewall is basically a hardware and software program that sits in the middle and again recognizes and automatically blocks that bad traffic. Any provider that provides a web application firewall is constantly adding new rules to that firewall when there's new malware out there and detected and 100% matchable. So, firewalls and CDNs, I would choose a web application firewall of some sort even if you are not continuously monitoring because you're going to lower your bandwidth and your hosting costs just by blocking a lot of traffic. Quick side note, I had a WordPress tutorial blog back in the day and I thought I was the bee's knees. I thought I was so popular because I had tens of thousands of visits every month and then I installed a web application firewall and my traffic went hee hee because a lot of that was from automated bots. So, something to be aware of. Continuous monitoring, what I'm talking about with continuous monitoring is some kind of malware scanner. 
There are a bunch out there and they all do good stuff and you can continuously monitor your site to look at it as a person would or as a search engine would. So, different types of hacks have different signatures but if you're continuously monitoring every day, then it's more likely that you will discover that there's an issue and be able to fix it before Google recognizes there's an issue and blacklists your site and then your client's revenue goes down. So, that's what we're trying to do at the end of the day is protect your client's business and show them that you have the know-how and skill to do that and that you're a partner in their business.
Including security in the project scope. So, you're going to hear me repeat the same thing. Just like discussing security from the first contact, including the importance and requirement possibly for security best practices within the project scope can benefit your reputation and the revenue growth of your business. And this can be as simple as adding some line items in that says we've done X, Y and Z. It could be we've installed this security plugin and it monitors this and that. It could be something as advanced as we've taken these steps in the wp-config file and the .htaccess file and we've whitelisted or blacklisted a bunch of IPs based on what your business needs are. It could run the gamut but if you're calling out those security steps within the proposal you have the second chance there for that visibility of your focus on security. It gives you a more professional image because again you're separating yourself from the rest of the pack who maybe haven't even mentioned security and you're building trust as a partner in their business. You're saying it's important to me that I build something that lasts a long time and meets your business goals. I'm not just going to build you a website, hand it over, and then on to the next. I want to have a long-term relationship with you.
The benefits of including security as a service. Security from the first contact, again in the project scope, sets you up to demand that higher price for the initial build but in addition it also sets you up to include security options as part of your maintenance program or as add-on services. Again if they choose not to do any security other than what you've already built in, they come to you, the worst happens, then you can offer those add-on services for a price and use some other vendor to actually fix it.
Maintenance plans. We already have the answer to how many are offering maintenance plans, which, kudos to everyone who's doing that. That's the way to stay sustainable with recurring revenue. It's the way to forecast your business growth. So you could easily again run this security under your maintenance plans under the umbrella of backups and updates even or call out specific levels of security. So you could have it scanned every 24 hours. You could have a scanner built in that scans continuously, more for enterprise clients. Those add-on services, and some more examples of that would be the one-time cleanup. It could be the web application firewall setup; if they decide to go with a vendor for that you could be the one to set that up. It involves some DNS changes to your domain to route traffic through.
Now, automating maintenance and reporting. So if you're automating, if you're offering your monthly maintenance, you're likely offering backups and software updates. So how many of us are doing that manually? Are going into individual client sites and updating, right? And checking, okay, just a few. And how many of us are using a maintenance and reporting tool? Okay, a few more. A couple of really popular and good ones, if you don't know, are ManageWP and Watchful, or watchful.li is the address. So basically, if you're not familiar with these, you can connect multiple single websites to either of these accounts and then you can bulk update software on multiple websites.
You can bulk update plugins, themes. Both of these offer reporting tools. So as part of your monthly maintenance program, you run a report. These are all the updates that were done this month. And luckily, WordPress Core updates quite often, plugins update quite often. So there's probably, it's probably very rare where you won't have something to report to your client. But include that with the reporting from any security service that you may happen to use or a security plugin will be included with the updates. It shows your client that you, again, are serious, it's visibility to that security on an ongoing basis. So hopefully, they'll refer you to their friends and colleagues.
So the benefits of a summary of a presentation. Again, this is only my advice. Secure your own site first. Learn the why, how, who and when of website security. Communicate the business benefits of that effectively to your clients. Include it in the project scope, offer it as an optional or required service, and automate the maintenance and reporting of your monthly plans and your security outcome. I'm happy to take any questions if any of you have any.
Yes, sir. So the other options would be to use a different, oh, repeat the question. Do I have any advice for other security options other than SiteLock or Sucuri because you have clients who've been burned by both? Okay. My best advice would be to use another security option found within the plugin repo. That would be in the form of a plugin, not a cloud-based service. I honestly don't know. There's us. There's Sucuri. There's iThemes Security. There's Wordfence. My best advice would be to try the others that you didn't have a bad experience with or they didn't have a bad experience with, or call us and let us know or call Sucuri and let them know about that specific situation and see if... Yeah. Sure. That's not the first time I've heard that.
So there are, we do partner, specifically we partner with a lot of different hosts and I would say that that was probably a communication issue more than a technical issue and I can tell you that that is known and that has been worked on. So in terms of that specifically, that would be my response to that but if you're looking for a different security vendor, I believe the ones that I had already listed are the largest ones in this space. If anybody knows of any other providers, call them out. No. There you go. Okay, any other questions? Yeah, and I'm happy to talk with you further about that specific situation this afternoon too. Sure.
Yes, sir? Yeah, the question was, can I talk about the differences between services like Watchful and any other security... and a security vendor. So the main difference is that Watchful and ManageWP, those services exist to manage multiple single installations of WordPress. I think Watchful handles Joomla as well and it handles the updates and backups but it doesn't... and both of them include security scans, a light scan, which then again looks at your site as a browser would see it. So it's more for management of multiple areas of individual websites rather than a strict focus on security. Okay, yeah. So a combination of both of those services would be better than one or the other? Well, it all comes down to your personal preferences and the needs of the business but I would argue that, yes, that both working together would be complementary. Just like in terms of the company I work for, there's complementary features and benefits to having a security plugin and a security service as well. So in terms of site management, yeah, I don't think there's any reason why you wouldn't want to use that with some other security option.
Yes, sir? Are there any websites or bloggers that you recommend for information on how to get started on this before you're in console, et cetera? Sure, yeah, there's a few.
There's WP White Security, a guy named, I can't remember his first name, Robert Abela. He's out of Malta and he is an avid security person, blogs a lot about it. The guy that runs the site Have I Been Pwned? Help me out, Troy. Let me see if I can find it. Yeah, Troy someone. I don't know if it's listed here. If you go there and look at the about, it's a guy, what is it? Troy Hunt. And he's a long time, like Microsoft security guy. I would follow those two to start for sure.
Yes, ma'am? Well, am I aware of any issues of running more than one security plugin in WordPress? Not specifically, other than to say, well, other than to say if you're using a plugin for anything. So let's say you're using multiple gallery plugins. There's always a chance, the more plugins you have, the more opportunity you have for conflict. Security plugins are typically a bit resource intensive for your server. So if you have two security plugins installed and they're doing some of the same stuff, then I wouldn't recommend it. But I don't know of any conflicts specifically. Anybody?
Yes, sir? For initial WordPress core hardening, what do you miss? Boy, what is my, for initial WordPress core hardening, what is my pet peeve and something that gets missed? You know, it used to be the recommendation was to change the database table prefixes in WordPress. But a guy named Aaron Campbell, who you should also follow, by the way, he's the .org security team lead. He and I had a discussion last year about the unimportance of the standard advice for securing your site, like changing the database table prefixes, because his line of thinking is that they don't get in from your database, right? An automated script doesn't get there. If an automated script gets in through a weak username or password, they're going to be able to list your database table prefix.
So to answer your question, I think my pet peeve would be that there's so much of that kind of old advice out there that really doesn't apply today that still gets put out there as nothing to do to secure your website. It really has gotten a bit simpler than that. It really comes down to blocking bad traffic and strong passwords as the two most important core recommendations that I would make. Anybody else? Yes, sir. What was the second part of the question? Do we need to use single installation for best for multiple sites, or you can use multi-site? So the question was, in terms of security, what's more secure, WordPress itself or WordPress multi-site? I think the answer to that in my experience is that both are secure, as secure as they can be, right? Because it used to be WordPress multi-site was a separate code base, but with WordPress 3.0 the multi-site features were built in to WordPress core and now you just activate them in order to get the extra administration areas and that sort of thing. So my answer to that question would be multi-site is as secure as WordPress single site is. Anybody else? Yes, sir. You're right. And the question is what about the human factor of security? Unfortunately, I don't have a very good answer for that because as you've just pointed out the human factor is a wild card, right? There will be people who just say I'm not going to use a password manager because that's going to be more difficult for me to figure out. I'm just going to write my stuff down and put it under the keyboard. So one maybe simple way and I should have mentioned it before is to utilize two-factor authentication. So if you can't remember your password or if you want to keep using the same password for other stuff implementing two-factor authentication would be a good step. 
And if you don't know what that is that means you go to your WordPress site to log in, but rather than seeing your login screen you're presented with a screen by some 2FA two-factor authentication provider that says enter your email and then you press a button and you get a text with a code. So it basically means you have to know this login, you have to have this device on you, you enter the code and then it lets you to your login screen. So that'd be my best piece of advice there. Yes, sir? I thought the quote against two-factor authentication has probably the worst idea that's come along in the webinar. As someone who spent over a week without my WordPress.com account for two-factor authentication it's a very flawed solution. Okay. What happened was we moved from Ophel from the process I got to myself. Ah, yeah. I've been on WordPress.com for a long time. I went to log in and guess what? It sent an SMS to my phone in Ophel. My phone in Ophel was no longer with me of course. Sure. So I thought, oh yeah, I'll just call the person who's calling and say my SMS is coming. Oh no, the phone was out of service. Yeah. So I called Rogers. Rogers said, oh no, we can't give you that phone number because yes it's out of service but it is in limbo right now while we wait to see if it lasts three months before the other person gets it back. So now I'm sitting waiting for three months because Rogers can't give me back my phone number and because WordPress doesn't answer emails or phone calls. Otherwise, I eventually went on to WordPress.com with another account and sent an email off to support people and got a phone call back from somebody who was able to sort the thing out and it took over a week. So if you do use 2FA, make sure you keep the little sheet of backup codes. I will keep the backup codes whilst I see if I move it was in a box somewhere in the basement and so I use those and don't rely on your phone. There you go. 
So that's one negative vote for 2FA but there's something else to keep in mind also with that story and that's a nightmare story. That is a real risk, right? But there are other 2FA providers too that might offer you a little easier communication path. There you go. That's another good tip. There you go. Well, thank you all for coming. I appreciate it. I'll be around the rest of the day. Thanks.