So, the first thing on the threat landscape: according to this website, the WordPress vulnerability database WPVulnDB.com, it identified 11,647 different vulnerabilities in WordPress, in the core software, in plugins and in different themes. So there are thousands and thousands of different vulnerabilities out there that hackers can take advantage of in order to gain access to your website. Just as a recent example, you know, with the GDPR regulations, there was a plugin that was created to easily help website owners make their websites GDPR compliant, and that plugin was found to have had a vulnerability that would allow a hacker to get admin access to the website. So a hacker could simply scan your website, find out you have this vulnerability, take advantage of it, and the next thing you know, your website is down and it's been defaced. So these are some of the threats that are in the WordPress landscape.

And WordPress, as we all know, is a market leader in the content management space. It powers almost 60% of content management systems, which translates to 32% of all websites on the planet. This is according to WPVulnDB.com, and therefore it's a huge target for hackers. Hackers will attack WordPress websites, both big and small, with over 90,000 attacks happening per minute. So you have two things at work here. You have software that is very popular, that is used by all sorts of people, and that therefore means it's a huge target. If you want to take over a website and you invest in exclusively attacking WordPress websites, your chances of success are going to be higher. It's kind of like why there are more viruses on the Windows platform than there are on Mac and Linux, because the target is much smaller. So, because we're using the most popular website software in the world, it makes it a big target for hackers, right? Sorry, go back. So, therefore, it's a huge target, and then we have those 90,000 attacks going on every minute.
So, what some of these hackers do is they have automated software that simply scans the entire Internet. So, for example, if you are running that vulnerable GDPR plugin, what these hackers do is they simply have software that is scanning every website. So it checks: do you have this plugin installed? If you do, it's going to automatically attack your website, right? So the landscape for attack is huge, and as well, the people who are out there who want to take advantage of you have lots of opportunity to do so, right?

So, the top threats that we face. We have these brute force attacks, where simply the attacker would try different passwords in order to find one that works so that they can log into your system. There are these file inclusion exploits. This is simply, say, for example, on your website you have a facility for, say, an application form. Say you're running WordPress for a school, for example, and people can apply and they can attach their school certificates as an attachment in their application. So a hacker can attach a malicious file, so something that's not what you're expecting. Maybe you're expecting a PDF or a picture or something, and they attach something else, like a PHP file with code, and then that ends up exploiting a weakness in your website and granting them access. And then there's also XSS and SQL injection, which are different methods of taking advantage of the way your website is built in order to gain access or to infect users of your website. Right. Next slide.

So, in order to protect your website, given this huge threat, what do you do? So, there are a number of different things that you can do. There are a number of different practices that you can use in terms of how you create your website. But today, what I'll be addressing, because we want this to be useful to people of different skill levels regarding WordPress, an easy solution is security plugins. So, there are a number of different types of security plugins.
For example, there's Jetpack. Also, Jetpack being one of the general sponsors for this WordCamp. Yay, Jetpack. There's security. There's VaultPress and also WordPress security. Now, this is just a handful of different examples. I tried picking the ones that had the most downloads and the most stars on the WordPress plugin repository. But there are loads and loads of different plugins available for WordPress. So I would encourage you to also do some research in addition to this list. Right.

So, if you do choose to go with one of the plugins on the list, or any other one that you find in your research, there are some common features that you'd want to look for that make the plugin helpful. Right. So, number one is automated site backups. Right. Inasmuch as we may try to protect your website or, you know, implement all the measures possible, you know, sometimes you may still get hacked. So it's important to always have up-to-date backups of your website, so that in the worst case scenario you always have something that you can roll back to. Right. So that will save you a lot of headaches in terms of, you know, your website being productive for you, so you could lose money in terms of downtime, or, you know, being a developer and, you know, your clients upset that their websites are now gone. Right.

The second thing is also malware scanning. Again, you may already be infected or you may still get infected regardless of the measures that you may take. So you want to pick a security plugin that has malware scanning features. What this means is that, you know, the different files in your WordPress where you have your different themes, what some of the hackers will do is they'll change some files in your themes or they'll change some files in your plugins. And then those changes are the ones that allow them to continue to hack your website or have access to your website.
So, what the malware scanning does is it lets you know if any of your WordPress files have been tampered with by a hacker. Right. So this will give you early warning of that.

The third thing is IP blacklisting. Right. Which I think is pretty useful, especially regarding how a lot of hackers use automated attacks. So, with IP blacklisting, what that means is the plugin will block access to IP addresses that are known to be carrying out malicious activity. Right. So an IP address that's been used in other attacks, if that's known about, the plugin can block it automatically.

There's also anti brute force. As I explained earlier, brute force is when a hacker will try password after password after password, essentially trying to guess your password. Right. That's why we are advised to not have dictionary words as a password, like, for example, having "yesterday" as a password. Right. Because these automated systems will try all the words in the dictionary. They'll try different combinations of numbers. So you want to have a feature called anti brute forcing, where after a set number of failed attempts at logging in, that person will be blocked for a certain amount of time.

Also, there's the issue of automatic updates. So, again, a lot of, as indicated earlier, there are thousands and thousands of vulnerabilities that are out there and you want, and in order to, oh, I guess. Okay. There are thousands and thousands of vulnerabilities out there, and a lot of them are patched. So, for example, if you have that vulnerability in the GDPR plugin, it was updated and it was taken care of. However, in order to benefit from that patch, you need to update your plugin. So you need a system to make sure that everything is continuously updated, and a lot of these plugins do handle that for you.

So, now onto the meat and bones. We'll be doing a deep dive into the WordFence security plugin. Basically, it's a firewall and malware scanning plugin for WordPress.
It's available for free in the WordPress plugin directory. So it has a freemium model. So some basic features are available for free, and then for other features you have to pay. However, the free features, I think, are quite extensive, and you will benefit a lot even if you don't get the premium one. It has over 2 million active installations and it is regularly updated. And when looking for not only security plugins but any kind of plugin for any purpose, or any theme, you do want to look for a theme or plugin that has a lot of installations, so you know that there's going to be a lot of support. If you run into issues with that plugin, you know there's a big community of users that you can ask for assistance. And as well, being regularly updated means that the next time you upgrade your WordPress, it's likely that that plugin is going to continue working.

So, the first useful feature of WordFence is site scanning. So, as I indicated before, it will automatically scan your website and your hosting for things like backdoors and vulnerabilities. So if there are vulnerabilities that haven't been exploited yet on your website but can be exploited, it will alert you to that danger. It will alert you to other malicious things, like, for example, malicious comments. So there's this technique that hackers use, that they can use against your website, where they can comment but with a funny link. So it's not necessarily hacking your website, but it's hacking users of your website. So it's also something that you want to guard against, because if people are coming to your website and end up leaving with viruses, that doesn't bode well.
This is after a scan, and it's basically showing us here that this plugin has a vulnerability and, sorry, yeah, this plugin was removed from the WordPress database, meaning that you probably don't want to use it anymore, because it means that it's no longer going to be updated and will eventually become a security danger to your website. It's also telling us that the particular theme needs an upgrade. So, basically, it gives you a summary and makes it easy to digest what the security issues are with your website.

It also has live traffic monitoring. So you can see in real time the visitors to your website and all the traffic that's going on. So here you could see someone from Brazil try to access the website, someone from Zim, etc., etc., and the times. So if you were attacked, or an attack was happening, you would be able to see here, you can see, like, funny traffic. If there was a single person or a single IP address continuously accessing the same resource, you can have insights into this, and you can then take steps to stop it from happening.

Also, WordFence gives you regular updates. I believe you can set the frequency of this to weekly or monthly. I had mine on weekly, and it basically summarizes what has been going on on your website and just gives you an overview. This was all of the protection that's happening. It's done automatically and in the background. So you can even ignore these if you want, but it basically just gives you a summary of what's going on. Well, probably not a good idea to ignore it if you are being attacked, but it's not as intensive in terms of upkeep. So here in this summary it tells us these are IP addresses that WordFence automatically blocked. You can see this one tried to access 700 times, which is not natural. So we can tell that this is malicious activity that should be blocked, right? It gives us regular email updates and the status of our website.

There's also a useful feature called rate limiting.
Again, it automatically blocks users after a certain number of failed login attempts, so blocking those brute force attacks we were talking about earlier. Here you can see it gives us a summary of the login attempts. You can see successful attempts to log in. So you can even have auditability in terms of who was accessing your website. Are these IP addresses of people you know, people who should have access to the back end of your website?

It also has IP address blocking, which is a very useful feature. One useful application of this is, if you are really security conscious, for example, what you can do is you can block access to your admin area, and, say, for example, you can have geographic access. So you can say, if you are based in Zimbabwe and you know that all of your admins are in Zimbabwe, you can block anyone who's not in Zim from accessing your back end, which will dramatically reduce the opportunity for anyone to attack your website. It means that any hacker who's not in Zim can never have access.

One also really good feature about WordFence is they have the WordFence network. So, basically, everyone who has the plugin installed on their computer is part of this giant network that is powered by artificial intelligence and shares information. So each website running the plugin shares information about attack threats. So, for example, if I'm attacked by a particular IP address and someone else, you, for example, are using the WordFence plugin but haven't been attacked, because I've been attacked and WordFence has blocked that IP address for me, it blocks it for everyone. So even attacks that you haven't been subject to, you are protected from as a result of being part of the WordFence network. And you can see here this graph that's showing it blocking about 5 million attacks an hour from the entire network of everyone who has the plugin installed.

So, some further resources that you can use to protect your website or to audit the security of your website.
There's wpscan.com. Basically, you just put in the URL of your website and it's going to automatically scan your website and let you know all of the different security issues that you may have. For the developers in the house, there's codex.wordpress.org. You should be going there anyway, but they have this special section on how to harden WordPress and make it secure. So this goes much further in depth than simply installing a plugin, but here you're securing it on the server level and on the code level. And we have wpbeginner.com. They have this article called the ultimate WordPress security guide. This one being more friendly to users of all skill levels, so you don't necessarily have to be a developer in order to benefit from this. Basically, this again guides you on different steps that you can take to protect your WordPress website. Make sure that it is absolutely as secure as can be.

There are some sources that were used in compiling this presentation. Thank you very much for your attention. If there's time for any questions, I'm willing to entertain questions. If not, then we can speak during the break. Thank you very much.
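As an added example that is not part of the talk and not code from the WordFence plugin, the following Python sketch models two of the defensive behaviours described above: the anti brute force lockout (block an IP for a set time after a set number of failed logins in a short window) and the live-traffic check that flags a single IP continuously hitting the same resource (the "700 times" case from the email summary). The log format, the thresholds, the IP addresses and the paths are all constructed assumptions for the example.

```python
"""Illustrative login lockout and repeated-access check over constructed log lines.

Hypothetical log format (an assumption, not any real plugin's format):
    "<unix_ts> <ip> <path> <status>"   status is LOGIN_OK, LOGIN_FAIL or GET
"""
from collections import defaultdict, deque

FAIL_THRESHOLD = 5        # failed logins allowed before lockout (assumed value)
FAIL_WINDOW = 300         # seconds in which failures are counted
LOCKOUT_SECONDS = 900     # how long a locked-out IP stays blocked
REPEAT_THRESHOLD = 50     # requests to one path from one IP that count as abnormal


class LoginGuard:
    """Tracks failed logins per IP and enforces a timed lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> unix time when the block expires
        self.events = []                     # audit trail of lockout decisions

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[ip]
        while q and now - q[0] > FAIL_WINDOW:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout expired, lift it
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ts, ip, path, status):
        """Process one event; return 'blocked', 'locked_out' or 'allowed'."""
        if self.is_blocked(ip, ts):
            return "blocked"
        if status == "LOGIN_FAIL":
            self._prune(ip, ts)
            self.failures[ip].append(ts)
            if len(self.failures[ip]) >= FAIL_THRESHOLD:
                self.blocked_until[ip] = ts + LOCKOUT_SECONDS
                self.failures[ip].clear()
                self.events.append((ts, ip, "lockout"))
                return "locked_out"
        elif status == "LOGIN_OK":
            self.failures[ip].clear()        # a real login resets the counter
        return "allowed"


def parse_line(line):
    ts, ip, path, status = line.split()
    return int(ts), ip, path, status


def run_guard(lines):
    """Feed every log line through the guard; return the guard and per-line verdicts."""
    guard = LoginGuard()
    verdicts = [guard.record(*parse_line(line)) for line in lines]
    return guard, verdicts


def repeated_access(lines, threshold=REPEAT_THRESHOLD):
    """Count (ip, path) pairs and return those at or above the threshold."""
    counts = defaultdict(int)
    for line in lines:
        _, ip, path, _ = parse_line(line)
        counts[(ip, path)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample traffic: one IP fails login six times, a legitimate user logs in,
# the same bad IP then hammers one path 60 times, and tries again after the lockout lapses.
SAMPLE_LOG = (
    [f"{1000 + i * 10} 203.0.113.7 /wp-login.php LOGIN_FAIL" for i in range(6)]
    + ["1100 198.51.100.4 /wp-login.php LOGIN_OK"]
    + [f"{1200 + i} 203.0.113.7 /xmlrpc.php GET" for i in range(60)]
    + ["2000 203.0.113.7 /wp-login.php LOGIN_FAIL"]
)

if __name__ == "__main__":
    guard, verdicts = run_guard(SAMPLE_LOG)
    print("lockouts:", guard.events)
    print("blocked requests:", verdicts.count("blocked"))
    print("abnormal repeat access:", repeated_access(SAMPLE_LOG))
```

With the constructed sample, the fifth failure at t=1040 triggers a lockout until t=1940, every request from that IP in between is refused, the other user's successful login is unaffected, and the 60 hits on one path are reported as abnormal while the seven login attempts are not.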