I'm Jim Grant, if you haven't heard that already. I own a digital marketing agency called Simply Creative Media. We turned nine years old last month. These slides are from November, so they say Global Entrepreneur Week; I'm breaking another rule and bringing in slides with somebody else's logo on them, so ignore that.

Any expectations about what you want to get out of security today? Anybody? Are we doing what we need to do? Any security experts in here? Yeah, there's one. Should be.

So my intent is not to dig too crazy deep into security on WordPress, because it's simpler than it looks. There are a lot of things you can do that, if you do them, and they're best practices and you practice them regularly, you won't have an issue. There's a lot of what I consider kind of overkill, and sometimes even bad advice, going around about securing WordPress websites.

Why should I secure my website? Obviously you don't want it to get hacked. Confidentiality, that's a big one now. You see every other day on the news that somebody's data has been lost somewhere. So if you're storing any data on your website in the database, even contact forms where you're collecting people's address, phone number, things like that, you have a responsibility to keep that information confidential. Integrity. I don't think a lot of people think about that, but you have a responsibility to protect people's data, and also, as we talk about the ways a site can be infected and what they might do that's malicious, your integrity is on the line if people are coming to your website and getting infected, or things like that can happen. Availability. So obviously I hope you're checking your website regularly or running some kind of monitor to make sure it's up, but you don't want to come in two months later and realize your shop's been offline for three weeks and you didn't know why you didn't have any sales coming in.

Anybody seen this guy sitting in the coffee shop? He's always in the corner.
Why does a hacker bother with me? So why does a hacker even want to hack my website? It's usually about the dollar signs. So they're going to convert your site to put their content up there. Link injection: links to their own sites. That could be affiliate links, it could be just links because they want traffic; all kinds of reasons they might want to link. Hacktivism: that's where you get hacked by ISIS or something like that, where they're trying to promote their organization. Drive-by downloads: that's one of those integrity things. You don't want people coming to your website and getting a bad payload from your website. Malicious redirects: redirecting to wherever. Viagra sites are the most popular, I think. Hidden pages: I run across this a lot. Do you know you have 600 extra pages on your website? No, really? Yeah, they're all Adidas tennis shoes or something. So that happens. And email spam. A lot of people make a lot of money because they take over your email server and email from your website for a while until it gets blacklisted. They're spamming people using your email server and your volume to promote their spam. And lately, since I'm really into cryptocurrency, they might even put a payload in your website to use your server to mine cryptocurrency somewhere. So it's all about the dollars, usually.

And a lot of it is robotic. So it's not like that guy sitting in the corner working on your website. They're usually exploiting things that are known vulnerabilities, with software robots that try to log into your website, look for that hole in the database or something you haven't updated, to try and get into your website.

So these are the three main areas where the weaknesses are: leaked passwords, software vulnerabilities, and your hosting. So we're just going to go through those.

So, leaked passwords. Public Wi-Fi. Who's working at the coffee shop a couple of days a week? Yeah. Maybe more sometimes.
Panera almost put a plaque on a table for me; for a few years it was my business location. So when you're on public Wi-Fi, if you're not connecting securely... this used to be a big deal when I first started doing a lot of social media. Facebook wasn't even HTTPS. And if you were on open Wi-Fi at Panera or Starbucks and logging into your Facebook, people could see you logging into your Facebook and get your username and password. So think about it: when you're out in public, at Kauffman, wherever it is, you're potentially in the clear, depending on what you're connecting to and whether it's secure. We actually had, I think it was two years ago here at WordCamp, somebody here with another conference who had some malware on their machine that was bringing down the whole network, because it was hammering every PC, phone, anything it could get to in the venue to see if it could find something to hack.

Social engineering. This is the biggest one I see. My mother gets social engineered all the time from India to fix her Windows. That's the most common way people get into your system. I literally have a friend who lost $40,000 in a cryptocurrency account because he just wasn't thinking about it one day, when people who said they were from the exchange he was on, whose email had been hacked, emailed as the exchange and said, hey, we need your private key for this. And he didn't even think about it, sent it off, and $40,000 was out of his account in no time. Yeah, social engineering.

Sending passwords in the clear. I maybe shouldn't even tell this story. Well, I'll use anonymous stories, but there's someplace we're going for a party this week at WordCamp, and I called up and talked to the venue manager, and he's like, yeah, email over your credit card information so we can put the deposit down. I'm like, are you kidding me? So think about it. Usually I don't make clients go through too much trouble.
But if I need their email password and user ID, I'll say, well, tell me your user ID, text me your password, or some combination. That's not best case. There are actually some good websites where you can pass those securely if you're dealing with people's logins.

Software vulnerabilities. Plugins, even the inactive ones. I'm asking the expert to correct me if I'm wrong. Pippin, that's still true, right? So yeah, even if, when you're building a site, you're messing around experimenting with different plugins and you've got all 50 of Pippin's plugins on there, and you decided not to use 49 of them, remove them. Because over time, if they have a vulnerability that's discovered, they may still be able to get in. Same with themes. Also, don't leave inactive themes on your website unless you're going to keep them updated. And even then, why leave them, if it's just another opportunity to encounter a vulnerability along the way? The WordPress core: we can't do a lot about that one, except report things that we find that may be wrong with the actual WordPress code itself. I will say the last four or five years, aside from one or two things that have come along, it's been very secure.

Your hosting. So hosting can be a big deal. How many put their website on a shared hosting account? So do I. I even put clients on shared hosting, depending on what they're paying. So it's not a bad thing. But from company to company it varies greatly, even from account to account. I'll pick on the big one, our sponsor. You take a GoDaddy, who's been in business a long time: they have multiple platforms and legacy platforms, and they're always evolving. You may be on an old server that may not have all the latest updates and so forth. So even the big guys. Yes, like that example, say, for example, PHP 5.2, 5.4; the minimal requirement is 5.6 for PHP. They will no longer tell you no, they cannot upgrade you.
They all introduced support, and they will upgrade you. If you're in your account, you should probably have a section. If you have a cPanel-type host like GoDaddy or Bluehost, you should have a section called PHP tweaks. Yeah, most of the cPanels now allow you to set the PHP version. Yeah. And also, if you don't know, a lot of times some of your plugins these days will have a little notice and tell you, hey, you're not on this one, and our plugin requires this. And that's when you need to reach out to your host.

However, on the hosting, you have to be careful, going back to passwords. We just had a hack last week at WP Fix It that we were cleaning, where, everything else aside, they didn't have some malware on the website; a few other things happened. But they had a section on the website where they were using the actual advanced MX records in their cPanel. Somebody had pointed a wildcard domain and pointed that to be different, as it's possible to do. So it was for phishing, and they mass-emailed, and it was discovered by the host that there was mass emailing going on for phishing from a subdomain. And there wasn't even a post on this. So we had to track down where it was coming from. We were like, where is this at? Where is this at? And we found it right there. So if you ever have something like that and you can't find it, look in your MX records and see what's going on.

So, SSL. We talked about who works from a coffee shop. So you should, for your own website, and this is becoming best practice now just because Google likes it, have an SSL certificate for your website and run it encrypted. So there are two sides to that coin. One, everybody thinks it's really hot and important right now because Google wants it. Well, that's important.
If you don't have a contact form or anything on your website, there's not necessarily a lot of risk of data, or of people putting in their phone number and getting it stolen, that kind of thing. But most, I think most hosts now, I think there are a few... I had a client on HostGator last weekend; I don't think they were offering Let's Encrypt yet. But that's the free one. Everybody know about Let's Encrypt? So it's a consortium of companies, I'm trying to remember who led that, but large IT companies, CAA I think is in there, and a bunch of others, to offer free certificates.

I'm going to make a comment on Let's Encrypt. It's a phenomenal service. Every now and then you might want to be careful with it, depending on what your site is. If you're running an e-commerce site, Let's Encrypt may not be your best option, only because the certificates you get don't always meet all validation requirements for really stringent e-commerce rules. We have a lot of problems with customers that use Let's Encrypt where their merchant processors, say Authorize.net, to check out or something like that, won't consider it valid even though it is valid. So if you're running a business, like an e-commerce service that makes money through e-commerce, spend money on your SSL certificate. If you just want an SSL certificate, Let's Encrypt is amazing.

Yeah, so, actually, maybe I took this slide out because of the time frame last time. Question? Oh, well, so I'll give you my spin on what and why too. There are multiple levels of SSL certificates. Basically, the Let's Encrypt certificates check to see if you're the owner of the domain. I know on the hosting data center that I use, every time you spin up a new account or site, they automatically put the certificate there. But it takes about five hours or so for that verification to happen. And that's really the only verification that happens.
So then, kind of at the top of the chain, is company-verified, and you go through a whole process of proving who you are, and you go back and forth with the certificate company. And you can even get your name up there in the URL bar; it says this is Simply Creative Media, and it's secure. So that's very verified, and you can be sure who it is. And then as for cost, what you're paying for when you buy certificates is insurance. So when you have an e-commerce site, it's a good idea to look at: I'm paying $50, how much liability coverage basically comes with that certificate, and so forth. That's kind of what you're paying for that you don't get at all with Let's Encrypt. So yeah, as a best practice, I didn't know that you get turned down, but I always recommend to clients that if they're doing a shopping cart, they buy a certificate. SSLs.com is one of those places you can do that fairly inexpensively. Any questions about certificates? Everybody's got one, using one? Get on it.

So this is just a little light. I threw in a few techie tips. This one, this whole thing wasn't to be too techie, but in your wp-config.php you can add this statement for SSL admin, and what that does is disable some of the admin functionality, like getting to the editor. So that if someone hacks in, well, let's say they do a simple hack, they figured out your user ID and password, and they got in as an admin. If they can get to the editor, they can now get to all your files. So that's a way to turn that off.

Use a VPN. So, anybody use a VPN? Besides anything like downloading movies and stuff? Okay, we're trying to get Netflix in Europe. Yeah. Avoid shared or public computers. So I just logged in on this computer to my Google account. Yeah. Maybe not a great idea. We're all weak. Use secure passwords.
So there have been some really awesome articles out lately about the latest study on, you see these published, the top 50 passwords that people use and that kind of thing. But it's really interesting that now, with artificial intelligence and the bots, they can amazingly guess where people will capitalize letters and things like that. So just doing caps and lowercase and even sequences and numbers and things that you think are secure, you don't know that you're actually thinking like everybody else. And the bots can figure a lot of that out. So I definitely have started recommending, even though for many years I had the same password on everything, that you start to use a password manager. Let it pick those big hairy 16-character passwords with parens and everything else in there, at least 12 characters long, which is more secure. Sixteen characters of your choosing, upper or lowercase or numerals. Sixteen characters. It takes the bots longer to figure that out than it does a shorter, simpler password. Use different passwords everywhere. Get a password manager.

Limit your admins. I can't tell you how many sites I take over for maintenance, or that have been hacked; I do about, I don't know, a dozen sites a year that I disinfect and restore, and they've got 30 admins in there. Or they've got every admin from every web person they ever worked with. Amazing. And don't use the user ID admin. If you're using a great password it's still secure, but admin is the first one the bots are going to try. So they're already one step ahead. One less thing for them to guess.

LastPass is probably the most popular and best. I use the Chrome browser password manager. Not the best solution, but easy. 1Password, if you're a purely Apple user, works on iOS, iPad, macOS. If you are Windows, Linux, or Mac, what's the one? LastPass. 1Password is also on the other platforms at this point. Oh, it's there now? Oh, cool.
It wasn't originally on there, like... yeah, I remember that. I like the Chrome manager just because it works on my phone, my laptop, my tablet, desktop. I don't have to chase things around as long as I'm logged into Chrome, hence the vulnerability. If you leave yourself logged in somewhere, people can go into your browser and look through your password list. Which I don't think they can do with a platform like LastPass. Is that correct? That's a little harder to get in and look at your password list, right? Yeah. See, you're talking to part-time hackers here. So we're like, yeah, no, I could do that. Yeah. As a matter of fact, it's on a slide somewhere here about using two-factor. I think it's in my plugin recommendations too. So yeah, I'm seeing a lot of that. Especially, I mentioned I do a lot of cryptocurrency trading, and almost all those platforms use two-factor and Google Authenticator. And actually Google was pretty good when I logged in here to my Google Drive to get my presentation. It asked me, are you who you are? Look at your phone, and then I clicked yes and my presentation came up. I didn't even have to enter anything. It's pretty cool.

A tip thrown in: use Captcha on things. Use Captcha on your login. Actually, ignore the first one there, WP Login reCAPTCHA. I just checked it this afternoon and it hasn't been updated for like three versions of WordPress. But Login No Captcha reCAPTCHA is simple to use. It adds the "I'm not a robot." So it's one more barrier on your admin login to slow things, especially robots, down. If you implement that, you'll have to go to Google and sign up for a reCAPTCHA account, and you'll get a key to put into the plugin when you set it up.

Software vulnerabilities. Update, update, update. Get on a maintenance program. Many of us have those that we sell; we'll do all those for you and fix any problems when they happen.
But it's just like, if you're a Windows user, every Tuesday you get an update; what are most of those? Security updates. So all your plugins, your themes, WordPress core, they're constantly getting updates, and many of them are security updates. So you should keep up with them.

Don't use pirated software or suspicious free themes. So I know I get a lot of, especially newbie, WordPress users who are out surfing around for free themes. If they're in the repository, when you go into themes and look up through the WordPress repository, those should generally be safe. But if you're surfing the web and Googling free themes, you may get something with a payload in it. Could be plugins. Yeah, people who say, oh, I have Yoast SEO, and I'll log in immediately; I'm not doing any support until they actually either buy Yoast or get the free version. Although, again, they do that because they don't want to pay for the premium version of Yoast. They still come for support, which doesn't make any sense, because if you buy the plugin anyway, if you go get support, you're getting your money's worth anyway. You pay me $100 to do a few hours of support for you, or you can buy a plugin for $30 and get unlimited. There you go. Seems like a no-brainer. There's also, and I don't know that any of you are doing this, but you can get most plugins, because of our open source community... you probably could even get a few of Pippin's plugins on some site somewhere for $5. And there's a likelihood, maybe they're just doing it for the money, but it could have a payload in it. So it could not be Pippin's original plugin. So watch trying to save a buck by buying pirated software.

Limit your exposure by reducing plugins. Now, I'm not a big fan of telling you not to run a ton of plugins on your site. If you're using them and you need them, run them.
But also be aware, and when I teach about plugins I kind of talk about how to vet plugins: look at the ratings, how many people are using it. So if you find a plugin out there that happens to do what you're trying to do, and for some reason it entices you, but it's got like 10 users and no ratings... and Pippin, you write plugins; not all coders that write plugins know anything about security. They might have written a really nice plugin that has a great big hole to your SQL database in it or something. So it's just the nature of the open source community. You've got a lot of people that have not been writing code, or have never even taken a security course and know how to write secure code. So there's no good way to check on that, except look at reviews, and watch.

So my main source, in case I forget to say it later, I think I've got it in here in my plugins, but I use Wordfence on all my sites and my client sites that I manage, and their website is very good. They have a great blog; they keep up constantly with everything that's going on, not just with WordPress but across the industry, and identifying vulnerabilities. There was a series of plugins over the past year, I think twice it's happened, where the plugin developers sold them to someone else who then proceeded to turn them into malware, and they were still in the WordPress repository at that point. So that kind of thing, that kind of news pops up really quick on Wordfence's website. Sucuri, another good one, to keep up with what's going on and watch for notifications.

Removing inactive plugins and themes, we talked about that. I've got this in here twice. Disallow file edit: true. Move your wp-config.php. So I'm not big on moving stuff around, or changing where your admin login is, that kind of thing, because there's a limited amount of protection or advantage to doing that. But moving the wp-config, people will argue both sides of this ardently. Which side are you on, Pippin?
I'll call you out. Depends on the day. So wp-config, if you don't know and you're a moderate or beginner WordPress user, has stored in it the username and the password for your database, which is where all your stuff is stored. And so if they get in the database they can destroy your site, they can steal your client information, pretty much anything they want. So there is merit to moving that to where it might be more secure. That's about as deep as I will go. You'll want to Google it, look up the procedure. Basically you move it up a level, to the parent directory, which on your hosting you may not even have access to. And WordPress still finds it if you do a few more settings. So there are a few machinations. So if you really want to get deep and are worried about that... I don't think I've ever run into a problem where that's happened, except when somebody set all the file permissions on their server to read, that kind of thing.

The reason I said that is because of the name. wp-config, definitely, but also any of the other default locations or files, whether it's one of the folders such as wp-content or wp-admin or anything: while it could work great, keep in mind that the moment you do that you have changed the default behavior for WordPress. And there are a ton of plugins out there, built by every level of developer, that may or may not know how to account for that. And the thing is, with something like WordPress there are thousands of configurations, and plugin developers have a hell of a time accounting for all of those configurations. So just as a single example, we struggle constantly with Easy Digital Downloads with people that move the locations of wp-content or the files in there, because all of a sudden it breaks our ability to do file discovery or processing file downloads.
So if you do it, just keep in mind that if something breaks, revert it and find out if that broke it, because there's a pretty good possibility it will break something. And it's not to say that you moving it is wrong; it's just that there are a lot of plugins that don't know how to account for it. Yeah, good point.

Yeah, there aren't too many; I've only done two technical things, because most of the best practices that I'm discussing, if you do them, you're not going to have an issue. Let's see. Don't use the default database prefix wp_, just because it's known and expected, and it's just one step closer as robots are iteratively trying to guess things like your database name. They wouldn't have any effective functionality anyway, but it's just a name. Right, yeah.

Don't share a database among multiple sites. So I've seen this happen, not too often, but people will have four or five WordPress websites all saving to the same database, so it's just a single point now of vulnerability. If somebody gets into your database from one of the sites, they now have access and can destroy all of your sites. Yeah, well, you can't, I don't think you really can avoid it there. For each table, or each one of the sites, right, but they still share a database. Yeah, but it's all in the same database. So it is possible if you really want to. Yeah, you can put multisites in different databases, but it's a little tricky. Yeah, everything about multisite is a little tricky. Is that what Carissa is talking about today? I think it might be. Honestly, you shouldn't really be on your host having multiple websites. We're going to be really about security, because I feel really bad when I get a person who's had all 10 of their websites infected on the same cPanel, and 800 bytes. Yeah, well, that's usually because they've got a vulnerability that's common, like a file access vulnerability, where they're now getting into all the directories.
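The wp-config.php hardening the talk touches on in the last few slides (FORCE_SSL_ADMIN, Disallow file edit, moving wp-config.php up a level, the non-default table prefix, one database per site, and the salts it comes back to under remediation) collected into one file, as an added example. This is not code from the talk, the slides, or WordPress itself; the paths, hostnames, database names and the prefix are made up. It assumes the common shared-hosting layout of a home directory with the WordPress docroot in public_html beneath it; WordPress core looks one directory above the docroot for wp-config.php on its own when the docroot has none, so a one-level move needs no extra stub, which is the case Pippin's compatibility caution does not apply to (moving wp-content is a different matter).

```php
<?php
/**
 * Added example, not from the talk or from WordPress core.
 * Hardened wp-config.php placed ONE directory ABOVE the web root:
 *   /home/example/wp-config.php      <- this file, outside the document root
 *   /home/example/public_html/       <- WordPress itself, served by the web server
 * wp-load.php falls back to dirname(ABSPATH) . '/wp-config.php' when the web
 * root has no wp-config.php, so no "find me" stub is needed for a one-level move.
 * All paths, hostnames, credentials and the table prefix below are made up.
 */

// --- Database ---------------------------------------------------------------
// One database and one database user per site, so a compromise of this site
// cannot read or drop the tables of another site on the same account.
define( 'DB_NAME',     'shop_example' );
define( 'DB_USER',     'shop_example_u' );
define( 'DB_PASSWORD', 'replace-with-a-long-random-password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// A fresh install uses 'wp_'. A non-default prefix only costs a bot one extra
// guess, as the talk says, but it is free to pick at install time.
$table_prefix = 'k7q3_';

// --- Salts ------------------------------------------------------------------
// Replace these with a freshly generated set (https://api.wordpress.org/secret-key/1.1/salt/)
// after a compromise: every existing login cookie stops validating.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// --- Hardening --------------------------------------------------------------
// Removes Appearance > Theme Editor and Plugins > Plugin Editor for everyone,
// administrators included. A phished admin password can then not be turned
// into arbitrary PHP on the server through the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter: also blocks installing and updating plugins/themes from wp-admin.
// Leave it off if updates are applied through the dashboard rather than by
// WP-CLI or a deployment pipeline, or the "update, update, update" advice breaks.
// define( 'DISALLOW_FILE_MODS', true );

// Forces wp-login.php and everything under /wp-admin/ over HTTPS, so the admin
// password and the logged-in cookie never cross coffee-shop Wi-Fi in the clear.
define( 'FORCE_SSL_ADMIN', true );

// If TLS terminates at a load balancer or CDN that speaks plain HTTP to this
// server, FORCE_SSL_ADMIN would otherwise redirect in a loop. Trust the
// forwarded-proto header ONLY when the proxy overwrites it on every request;
// on a directly exposed server a client could set it itself.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Never show PHP errors (and with them file paths) to visitors in production.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// --- Bootstrap --------------------------------------------------------------
// ABSPATH is already set by wp-load.php when core includes this file; the
// fallback must point at the web root, not at this file's own directory,
// because this file lives one level above it.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/public_html/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After moving the file, check its permissions from the shell (`ls -l ~/wp-config.php`) and tighten them to 600, or 640 if the web server runs as a separate group that needs read access; Pippin's file-permissions point cuts both ways, since a file the web server cannot read stops the site, and one the whole server can read defeats the move.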
So yep. And you could almost say the same thing for shared hosting in a lot of ways. So, hosting; there we go, lead into that. Shared hosting has more exposure. So when you're on a shared hosting account there may be 500, a thousand other websites on the same server with you. Now, generally those are all pretty well managed because of hacking and things. They do a lot of scanning, a lot of monitoring, and the risk is low, but it's there because you're all operating in the same space. VPS, virtual private servers. Anybody run their sites on a VPS-type account? Okay, so that gives you some more insulation because it's isolated. It may be on the same hardware, but it's software-isolated to think it's on its own machine, so it doesn't communicate with other websites across the machine. So if somebody's site next to you gets hacked and it's trying to infect the other sites on a shared host, it wouldn't happen on a VPS server.

Most major hosting companies, depending on the day, because I do run into streaks with certain hosts (Bluehost is one lately; they have their good months and their bad months where they seem to have some vulnerabilities going around), provide very secure and updated environments, because it's cheaper for them not to have problems. But look at their environment. So, as I was talking about earlier: the latest PHP, what Linux server are they running, etc. So when you get into setting up Wordfence, they have a nice firewall now, and it'll detect what Linux is running and set up the right firewall for you, that kind of thing. So those are important.

I probably shouldn't tell on clients, but I've got a client right now with a major site, a large site, with a large back-end application that's written in Perl. We can't really move it, and the server's out of date. The Linux version's out of date.
Who knows what else is out of date, but we can't really do it without rewriting the Perl application to be compliant with the latest version of Perl. So we're kind of stuck, and I live in fear every day about what could happen.

So I'll give away my big secret now, how I avoid all hacking and vulnerabilities and problems. Run a backup. So if you take anything away today, and we're going to talk about backups: if you have a backup, in most cases... it is possible your site could be infected for months and you don't know it, and if you don't have a really old backup you may not have a clean copy, but when the site really goes down hard you at least have a copy that you can get the site back up with, disinfect it, and recover.

Security or status blog. So I know the hosting data center that I use, they have it on their Twitter, and they have a website address, where you can constantly look and see what the status of their servers is, whether they have any issues. Can you use a certificate? Do they offer WordPress-specific hosting? So I have a lot of folks on, and one of our sponsors is, Flywheel, environments like that, where they already do all this security monitoring and hardening for you. As a matter of fact, they may not even let you run things like Wordfence, because they're already doing that monitoring and it conflicts with the monitoring they're doing. So you can get a lot of this protection built into your hosting.

Who FTPs into their site and all that to get access? So consider SSH. Don't share folders on the website. I see this a lot too. It's more of a legacy thing, but people have had a website a long time, and maybe they had an HTML site and then they went to WordPress, and they've been storing all their pictures in a folder that's open to the public, because that's where the person on staff was FTPing up photos or what have you. They may have left other folders open for access from the outside.

There it is. Do you have a backup? I use BackupBuddy. I've used it for years.
Works great. There are several good solutions. Who uses something else that they like? Yes, they should be. I basically sell what I call managed WordPress hosting, which is, I do all that for my clients, but part of that process is backing up their site on a schedule. So that's the next point, which is: back up as often as your data changes, or as often as you can afford to recover from. So if you're on an e-commerce site and you're doing 20 sales an hour, can you afford not to back up at least every hour? How far back do you want to go and try to figure out who ordered what, or reconstruct your data? If you're a blogger, the average blogger blogs twice a year, I don't know. Maybe you need two backups a year. I know I'm guilty of that.

Store off-site copies. So one of the things I do for every site is store three copies, one locally. Not a great idea, but it's convenient, because if somebody does get into your dashboard they can delete your backups, because they have access through the plugin. And this is behind the push and the pull, and I won't get too deep into push and pull, but if you're using BackupBuddy, for instance, and you're storing... I actually store backups to two remote places, Google Drive and Amazon S3 storage. But once they're in the dashboard, in the BackupBuddy interface, they can remotely get to those also and delete those backups if they wanted to. So I also store another physical copy that's not related or connected to the site, for all my websites.

If you're using a cPanel, or you're on a host that uses a cPanel, depending on your host you have to download it and then get rid of it; otherwise all of a sudden you get suspended. Yeah, it depends on two things: how much file space they give you, and sometimes, but not so much with a backup unless you're storing all the discrete files, how many files you can store. So BackupBuddy does a big zip file, so it's only really one file.
Schedule them, automate them. All the backup software has automation in it, so if once a week is a great time to back up, set a schedule, set it and forget it. You can even set the pushes to remote locations, have it email you the zip file, all that stuff.

Security plugins. So here's my plugin list. You've got to have those; it's a WordPress convention, right? So there are a couple of different types of security plugins. Monitoring and scanning: that's just really monitoring your site against things that people might be trying, and scanning it for things that have already happened to it. So WPScan; the Google Search Console actually checks, because if you've been infected long enough to have your site get the big red Google warning that says don't visit the site, it's unsecure and it's infected, that's no good. That takes a long time, though. Jetpack Protect, Sucuri, Wordfence; they all have scanning and monitoring. Wordfence may send too many notifications: every time you do a WordPress update, even, it says your core files have changed, and then your client gets that too because they've got an admin account, and they're like, what's wrong, am I hacked? No, no, we're just watching.

Defense. So these plugins all have active defenses against what's going on: VaultPress, Wordfence, iThemes Security, All In One WP Security, Google Authenticator, Clef two-factor authentication, although I'm not sure that one's still... somebody told me that may not still be available. BulletProof Security. But don't install all of them. One, your site's going to be scanning all the time, and it could affect the performance, but they also may interact with each other poorly. Find one good one. I mean, a couple of the top ones on there: Wordfence, iThemes Security. There is, let me look at my next slide, yeah, I've got it on the next slide, another one that I'll mention. But pick a good one. One like Wordfence is going to cover monitoring and defense both, and Wordfence includes a firewall.

Remediation
and cleanup um so we won't go through because we only have about five minutes but the depth of what to do once your site goes down has been hacked and how you recover um number one get out your backup just wipe it out and restore uh well you may not even wipe it out i i i'm such a safety nut and don't want to have to go back and reconstruct anything that i'll usually download um all the files even if they're infected the database and everything store it away do a restore just in case you got a bad backup or who knows what um you at least have something that you could clean up later the hard way um wipe the environment clean including a new database uh when you restore um usually when you restore to the existing database is going to overwrite everything but you never know um i've also run into a few situations where um the malware's left cron jobs that a week later come up and re-infect your site so you want to start from scratch um don't have a backup you're going to have to review every file or replace everything you can with new copies so uh we won't go through that process but you kind of start by replacing all the WordPress core files and looking through the directories to see for stuff that shouldn't be there um it's a pretty laborious process i'd say manually cleaning a site takes me an average of 15 hours um um i suppose if you're managing your own server maybe oscron jobs but um any comments unless you upload them to the server okay yeah um i knew we had a techie though back there he might be running his own server uh back in the day i would have done that it's too much trouble now um let's see change all your passwords and your salts again one i've had really good luck with elie anti malware security is anybody using that or tried it uh it's a plug in it's in the repository um if your site is not completely down and you can run that plug in it actually does a very good scan and remediation um you're still going to want to do some third party checks against 
your site again from people like security and just use three or four tools to make sure it got cleaned up uh but i've had really good luck with uh with that one cleaning stuff up i had never either i don't know what the elie is um elie anti malware security um security if you uh google security free scan they have a free scan on the web they'll scan your site it's somewhat accurate that they don't deep deep scan but it'll give you an idea if you think something's funky you know go do their free scan and see if they return a bad result um check your cron jobs questions we've still got about five minutes if you want to so it is possible that any of those external or internal will can can and maybe at times will miss a lot of for example content injections sometimes even superior will miss seo's ban so or content injections as in a line of java script that may randomly send you to some inappropriate website so sometimes in that instance you may have to check your actual content if you're not if you're not comfortable checking database for some of these things to see if it actually is there or for example checking a lot of very common header dot php of your theme and your footer dot php of your thing very very too common most common places i see for this these type of infections that are actually missed and then the third one i always look for the content exactly for those there are other ways to be where it will be in the database but you have to really find it you have to know what yeah i kind of cruised by it but um you might google and look up you know the wp scan for wordpress it's a black box tool outside of you know running it on your site that'll actually scan the site it's a little more techy to run it you got to download it install it run it but it'll do a deeper scan and a lot of the plugins well anything else the admin user number no this is the thing is it yeah so just for funsies we had a bug that yours truly was once by accident that accidentally gave we 
admin access to yost.com uh by clicking the internet that was pretty fun well the reason that happened is because your default user id defaults to one um well if your code is set up improperly and you have some plugs in your code and if you do some validation of numbers and you use a particular function called an absolute value what just imagine for a moment that you pass negative one to absolute value what do you get back one well if you just happen to have more bugs in your code that then says when i have a valid user id go ahead and log me in bad things happen so the problem with negative one is that if you have a bug in your code that accidentally processes a login attempt when you shoot you can actually get a login account or whatever user account is number one and so the idea behind what you're saying is change don't like just delete user id number one because if there is a bug like that then it won't happen as it's not really like it happen yeah that gets that gets on my list of obscure things that i was that i avoided in my presentation but they can happen it's kind of like changing the path of your login and stuff like that it's yeah they they're all real things i mean they can all happen but go home back up your site and uh when it goes down just restore it all right thank you thank you
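The point raised above, that scanners sometimes miss a single injected line in header.php or footer.php and you end up checking those files by hand, can be turned into a first-pass triage script. The following is an added example, not code from the talk and not part of Wordfence, Sucuri, WPScan or any other plugin named here. The pattern list and the allowed script hosts are assumptions to tune per site, and the theme files it scans are constructed samples, not content from any real site.

```python
"""Flag common injection patterns in WordPress theme files (triage aid).

Added example, not part of the talk or any plugin it names. It walks a theme
directory and reports lines that look like the infections the speakers say
scanners miss: an injected JavaScript redirect, obfuscated PHP (eval /
base64_decode chains), hidden SEO links and script tags pulling from hosts the
site does not normally use. Every hit needs a human to confirm.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from. Tune per site.
ALLOWED_SCRIPT_HOSTS = {"fonts.googleapis.com", "www.googletagmanager.com"}

# (label, pattern) pairs applied line by line; each hit is reported once.
SUSPICIOUS = [
    ("php_eval", re.compile(r"\beval\s*\(", re.I)),
    ("php_decode_chain",
     re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # preg_replace with the /e modifier evaluates the replacement as PHP.
    ("preg_replace_e",
     re.compile(r"preg_replace\s*\(\s*['\"]([^'\"]).*?\1[a-z]*e[a-z]*['\"]", re.I)),
    # Assignment to location (not a comparison) is the classic redirect line.
    ("js_redirect",
     re.compile(r"\b(?:window|document|self|top)\.location(?:\.href)?\s*=(?!=)", re.I)),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
    ("hidden_link",
     re.compile(r"(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>\s*<a\s", re.I)),
]
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

Finding = Tuple[int, str, str]  # (line number, label, offending line)


def scan_source(text: str) -> List[Finding]:
    """Return suspicious (lineno, label, line) tuples for one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append((lineno, label, stripped))
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).netloc.lower()
            # A relative src has no host and is served by the site itself.
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((lineno, "external_script", stripped))
    return findings


def scan_theme_dir(root: str) -> Dict[str, List[Finding]]:
    """Scan every .php/.js/.html file under root; map relative path -> findings."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".js", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                results[os.path.relpath(path, root)] = found
    return results


# Constructed samples (not from any real site): header.php with an injected
# redirect, an eval/base64 block and a hidden link; footer.php with an
# external script; index.php that is clean.
SAMPLE_HEADER_PHP = """<?php wp_head(); ?>
<script src="https://fonts.googleapis.com/css?family=Open+Sans"></script>
<script>window.location.href="http://example.invalid/promo";</script>
<?php eval(base64_decode("ZWNobyAnaGVsbG8nOw==")); ?>
<div style="display:none"><a href="http://example.invalid/shoes">cheap shoes</a></div>
</head>
"""
SAMPLE_FOOTER_PHP = """<?php wp_footer(); ?>
<script src="//cdn.example.invalid/t.js"></script>
</body></html>
"""
CLEAN_INDEX_PHP = """<?php get_header(); ?>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<?php get_footer(); ?>
"""


def demo() -> Dict[str, List[str]]:
    """Write the samples into a temp theme dir, scan it, return labels per file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("header.php", SAMPLE_HEADER_PHP),
                           ("footer.php", SAMPLE_FOOTER_PHP),
                           ("index.php", CLEAN_INDEX_PHP)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        results = scan_theme_dir(root)
    return {path: sorted({label for _, label, _ in found})
            for path, found in results.items()}


if __name__ == "__main__":
    for path, labels in demo().items():
        print(path, "->", ", ".join(labels))
```

Run it against a copy of wp-content/themes taken from the infected site (or from the backup you stored away before restoring) and review each flagged line by hand; the pattern list deliberately favours false positives over silence, since a legitimate theme rarely needs eval or an unconditional location assignment in its header.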