So first I'll just tell you a little bit about myself. My name is Miriam Schwab. I'm from Jerusalem, Israel. This is one of my favorite views in Jerusalem; it's from the Mount Scopus area.

For the last 10 years I've been managing... I founded a WordPress development agency called illuminea. We became one of the leading WordPress development agencies in Israel, and I've been doing that for the last 10 years. We've worked with many companies: startups, tech, finance, non-profits. My co-worker Rebecca Markowitz and I write a blog that I think quite a lot of people know, called WP Garage. We write less than we used to, unfortunately. There we share our journey with WordPress and things that we learn.

I have organized WordCamp in Israel five times, so luckily WordCamp came up with a regulation that now you can only be an organizer twice in a row. So I'm taking a break from being the lead organizer, which I really need right now, but hopefully we'll be able to announce the next WordCamp in Israel soon, and you're all more than welcome to come.

Recently, about a year ago, I founded another company called Strattic. We've developed and are launching now a web security solution, which I'll talk about later on in my talk. So aside from creating two companies over the last ten, twelve years, I've also created a bunch of kids. I have seven. So that's kept me busy. And I don't know if we're gonna have a lot of time for questions and answers at the end; I hope we will. Feel free to come up to me afterwards and ask me any questions, including about what does a crazy person do if they want to have seven kids, and how do you manage all that? So I'm happy to talk about that as well.

All right, so let's talk about WordPress. So security is something that we're all aware of when we talk about WordPress. Is it because WordPress is truly a target? Yes, it is.
CMSs in general, like Joomla and Drupal, are attacked three times more often than non-CMS sites, and WordPress is attacked three and a half times more. So WordPress is a larger target. Why? If you're a hacker, you're looking for the best results for your hacking efforts, and because WordPress has such a large install base, it's worth it. If you find one vulnerability, you're gonna find millions of sites that you can hack with it. It's also because, obviously, it's open source. That means that the code base is available to anyone, and also any vulnerabilities that are published are available to anyone. The other reason is that at any given time it's estimated that 70% of all the WordPress websites that are available have some kind of vulnerability, which is kind of scary. And also it's because, as we know, WordPress is quite a user-friendly platform, and pretty much anyone can implement a WordPress site for themselves or for clients. But you can do that without having deep coding knowledge or knowledge of security, and so a lot of the sites that are... oh, thank you... a lot of the sites that are developed and launched aren't necessarily done with those types of things in mind, and that's why they also might be vulnerable.

So let's just get into the mind of hackers for a second. Why does a hacker hack? So one is just plain old vandalism. They just want to deface and cause damage, the same way someone will write on someone's wall. That's the same thing here. It's just for the satisfaction of saying, hey, I got into your site and I made you unhappy. The other is, of course, profit. Many hackers get into sites in order to, let's say, redirect the site to affiliate links that they can make money off of, or those ads, or to try to get credentials out of the site if they're stored within the site. A more recent development of hacking is to create botnets. So what happens is hackers will take the resources from multiple websites and also sometimes, let's say, security cameras.
That's a different thing. They bring them all together and create a powerful botnet that can then attack, and they will either use that to DDoS other sites or they'll actually sell it.

So how does this happen? These days hacking is automated. It used to be that someone would say, hey, I want to target that site, and so I'm going to do that. It's no longer like that. There are bots that are scouring the web. The statistics related to how much bot traffic is hitting our sites are really quite mind-boggling. It's at least 50%, and some people say even more, of the traffic coming to our sites that is different types of bots. Some are good bots, like Google, whatever, and some are bad bots, like these bots that are looking to attack these sites and find vulnerabilities.

Wordfence, which is a great resource for security information (of course they have their plugin, which I'll talk about), did a survey to see why sites were hacked. Most people didn't actually know why, and that's definitely a problem. But those who did knew that it was because of a vulnerable and outdated WordPress plugin running on their site. So plugins are definitely one of the big weak points in our efforts to secure our sites. And today, or yesterday, the count on the number of plugins in the repository is over 50,000. So it's 50,000 potential vulnerabilities. Why? Because you can't possibly vet and audit every single plugin for security, and also sometimes the people behind them stop developing them. It's a lot of different people who are creating a lot of different pieces of code that we are then taking and putting in our sites, and that can create certain vulnerabilities. So, just vulnerable.
This is just some stats related to plugin vulnerabilities: 73% of all WordPress installations had unpatched vulnerabilities. At one point there was a study done, and 20% of the 50 most popular WordPress plugins were vulnerable. And the average CMS deployment has four plugins. I don't know about you, but we often have more than that in the sites that we're developing.

Another type of attack is brute force, which is where someone, also a bot, hammers your login page and tries to get in by trying all sorts of combinations of usernames and passwords. So a side issue with this type of hacking, aside from the fact that they might eventually be able to get in, is that it can actually DDoS the site. We've seen that with clients where the brute forcing was so frequent and strong that just that call to the login form brought down their site. So that's pretty crazy.

Now I put a picture of cupcakes because it's all so dark and I think we could use some colorful cupcakes in our life. So here are some greenish-bluish cupcakes, and we're going to talk about DDoS. DDoS attacks are when something like a botnet or some other large resource hammers a site with requests to view the pages to the point where the site slows to a very painful speed and/or the server crashes. So how many of you guys have experienced any of those types of hacking or issues with your sites? Yeah, okay. Us too, too many times.

So I'm going to talk about solutions and different levels of solutions. There are different levels here for everyone. But before I do, I just want to talk a little bit about the security mindset. So as I mentioned, I'm from Israel, and in Israel cyber security is very big, and through our own work we just had to learn security, just by the nature of the work.
We had to keep our sites, our client sites, secure, and plus we are connected to that industry, and so we've learned a lot through the years about this. And one of the things that people think about security is that they can achieve this holy grail of security: if I follow this checklist of things, then my site is secure and, you know, I can rest at ease. It's not the case. Every time you build a wall, someone's going to find a way to get over it. You'll make that wall higher, same story. It's a never-ending cat-and-mouse battle. There's not much we can do about that. So because there's no way to achieve 100% security, what we're aiming for is low-hanging fruit, the things that cover most of the issues, and that's what I'm going to talk about. It's just never going to be a hundred percent. So we're going to talk about things that you can do to your sites that cover the vast majority of issues that you'll face.

Okay, so first of all we're gonna talk about level one, and I truly believe, and in my experience, if you do these things, which are pretty easy to do, you are pretty covered. So here we go.

Update. You must update everything. Just update. And I know that it might break things. I don't care. Do yourselves a favor, and the entire Internet a favor, and update, and then you'll have to fix anything that breaks. That's just the nature of the beast. If you leave it vulnerable, your site can get malware, your visitors can get malware, and sometimes you might not even be able to recover. We've seen that with people who have come to us. So if you think it's difficult to update and remember to update, then just set it to do it automatically. You can add these bits of code to your wp-config file. There are plugins that you can install that will automatically update. Especially the minor security core updates, make sure that that's happening. Personally, in our company, we don't do the major updates as soon as they're released, like 4.8.
We wait for 4.8.1. But if you're gonna forget to do 4.8.1, do 4.8 as soon as it comes out. Seriously, just update.

If you have multiple sites under management, there are tools now that make it easy for you to keep an eye on things and see if things need updating. So Jetpack is one of them, ManageWP and InfiniteWP. So these are three options. Jetpack doesn't cost for this; ManageWP and InfiniteWP do. I truly believe that we need to invest in our web presence if it's valuable to you. Sometimes the product that costs is the one that you need to use, but in this case you can use Jetpack for this type of thing, but definitely... and you can set it to automatically update through Jetpack as well. So that's very useful.

Backup. I can't believe sometimes how many people I talk to who don't have backups set up. And yes, there are free plugins that you can use for backups, but there are a few problems with them, and I'm not saying you shouldn't use them, but you should just be aware. So one problem is that it's using your server resources a lot. Sometimes the backups might not be done to the end, and you aren't always... you can't be sure that they're reliable backups, and then when you need them you find out that it's corrupted or incomplete. So maybe you don't pay for the dashboard to keep your plugins updated, because you can do it in other ways, but seriously, pay for a good backup tool. It will save you. So these are two: VaultPress and BlogVault. We personally in our company use BlogVault. It has additional benefits as well. These tools allow easy migration of sites from one server to the next, or even to a different domain. You can do test restores, which is excellent. So that's the way to see, let's say you were infected with malware, which we've had; you need to find the backup that is clean. So you can do a test restore until you find the one that's clean.

No admin username. I know, like we all kind of know this.
I'm just saying it, just like, no. Okay, so when you install WordPress, choose a different username. If you didn't, open another... have another admin username that you've created, and delete the admin one, and you can move any posts that you have to the other user. But just, like, no, because that makes it easy for the brute force attackers.

Limit login attempts. Again, that's related to the brute force hacking. These types of tools will identify if someone from somewhere is trying too many times to log into your site. That's not natural activity, and they'll stop them from doing so. So hopefully that will prevent them from finding out your username and password, even if it's weak. So that's, I would say, really important, and also related to the DDoS effect that I mentioned before. So this is WP Garage. I think we started running Jetpack Protect on it less than a year ago, and this is the number of times that Jetpack Protect has identified that there have been malicious attempts to attack our site. So it's happening. We don't always feel it, but I'm so glad that 119,000 attempts failed. And so these types of tools can help with that.

Passwords, obviously. We literally had a client whose password was "I love my dog". Like, no. Just don't use sentences and real words. 1234567, even with an 8 or a 9, is still not secure. So just, no. I would recommend using a password generator to create a complex one. A lot of people recommend using password managers. I personally am afraid of them because they get hacked. I know people say you're ridiculous.
You're too paranoid. So I have come up with an algorithm that I remember in my head in order to have a different password for each site, and I'm happy to explain that to you if you want, but basically it's a pattern that changes for every site. And that's one way that you can have complex, different passwords for each site and not need to use a password manager. Yeah, I'm a little bit crazy about that. So you can use password managers if you want. I just don't.

A reliable hosting provider is key. So first of all, if you're not hosting on a $2 a month hosting provider, and they're a decent one, then they are looking out for your security on the infrastructure level. But even more important is their support, because something's gonna happen, very likely, and you're going to need support, and you want to know that someone good is on the other side. Over the last few years we've been using SiteGround, and we've been very happy with their support. It's like magic. They respond instantly whenever we need. It's pretty amazing. But there are many incredible and excellent WordPress hosting providers for the WordPress community, so just go with someone who's good, seriously.

All right, next level security: rock star level. All right, so users. Make sure that you have a minimum number of admin-level users. We've seen sites where there's like 20 users and they all have admin-level permissions. Don't, okay? One, maybe two, as necessary. Otherwise, just don't. And all user permissions in general should be as low as possible. So consider: does this person need editor level or author level? Just make it as low as possible based on whatever they need to access in the back end of the site. And delete or demote unused users. So you can put them to subscriber level or make them inactive, or just delete them altogether, which is even better.
Every one of these things is a potential gateway into your site. Plugins, same. Delete unused plugins. Every once in a while do a survey and audit of your site and see what is running in my site that I haven't been using and I don't need, and just delete. Okay, be a little bit ruthless, and only install reliable plugins. So how do you decide or identify whether a plugin is reliable? So here are just a few ways. So in the repository you have some data that you can access about every plugin. So in this case you can see that this plugin was updated six months ago, so I would say that that's okay. Generally, maybe up to a year ago it's okay. But the thing is, it has a lot of active installs, but it's only been tested up to 4.7.5. It hasn't been tested on the latest version. That's a red flag. And I also look at the support section. I like to see if there have been responses to people's support questions. It's kind of a sign of whether the developer is still actively engaged and involved in this project. So in this one there was a response two months ago, but before that five months, and a year, and over a year. That would also be a red flag for me.

Two-factor authentication. I think that this should be something that we're all using on pretty much everything, definitely things like Gmail, Facebook, and your site. It's not so hard to set up, and you can do it for free. I think Wordfence's is actually not for free, but they have it built into their product, and Jetpack does have two-factor authentication for free. You can do two-factor authentication either by SMS or with an app on your phone. I prefer the app on my phone. I use Google Authenticator for two-factor authentication, because I found that sometimes SMSes aren't reliable. They don't always arrive, and then you're kind of stuck. But there is something that I just discovered about having the app on the phone which is a disadvantage.
I had to do a factory reset of my phone, and all the authentication connections were lost, and I had to recover them, and that was not so fun. So that is a disadvantage, but otherwise it's really easy with the app. You just enter the code and you're in. So I would highly recommend it.

Okay, level three of security: out of sight. So I'm gonna run through it, because it's a little bit higher level, so those of you who are on that level will hopefully get it, or you can Google a little bit more, or you can obviously ask me about it as well. So first of all, HTTPS. The reason I'm saying it's on a higher level is because you have to redirect, rewrite the URLs in your database installation, in order to implement it, from HTTP to HTTPS. But just do it. Every site now should have SSL, and with HTTP/2 it actually runs relatively quickly, not like in the past. So aside from the security benefit, Google has been pushing it very hard and has made it one of the ranking factors in its algorithm. So if you want to give your site a little extra push in Google search results, you've got to do it. I'm sorry, but you've got to do it. This is really important.

Obviously, only use SFTP when you're FTP-ing into your server. Don't use regular old FTP.

You know how you can edit actual theme files in the admin area of WordPress? So don't make that possible. If someone gets into the back end of your site in some way, you don't want them to have that kind of access to your files.
That's just a horror. So you can disallow it with this code.

You can implement firewalls, like Wordfence has.

I recommend updating to PHP 7. We found that, well, it's known that it has security benefits, but it also has speed benefits. We found that some sites that we've upgraded to PHP 7 are running substantially faster, and that's also a pretty big pain point these days, so you could get that advantage as well. SiteGround has a very useful tool where you can update just the environment of a particular site to PHP 7, so you can test it out and see how that goes. Again, it might break things, but in my opinion we've got to go there.

Check file permissions on the server. You can find the recommended file permissions in the WordPress Codex.

Okay, so database prefixes. This is a bit of a debate in the WordPress community: if the database prefix is the default wp_, does that make your site very vulnerable? So my opinion is as follows. When you're installing the site to start, I would change the database prefix to something more complex and not obvious. But if you've already got the site up and running with wp_, I would say you can leave it. Changing it is a pain, and we found that that is not such a significant issue in terms of security. I'm sure there are people here who are gonna disagree with me. That's just what I've seen, in my opinion. So there you go.

Keep your own computer clean and secure. Otherwise, you can send things up into the web and into your own website.

You can use a CDN to try to protect against DDoS attacks to some degree. It's not always effective. And also to make your site faster and accessible to people around the world at a faster speed.

Hiding the WP version: my opinion is meh. Meaning, that's what meh means.
I guess that's my translation. Meh means, like, some people say you can... I don't know, hackers can identify that your site is WordPress and they're gonna try to get in there anyway, so just so you know.

Create WordPress security keys and generate salts and put them in wp-config.

Okay, so that, I think, is... I mean, I know that was kind of a lot, but it's not rocket science, and it's the kind of things that I think we all can do to our sites. And really, those first, the level one stuff, if you do it, you're in really much better shape, and in pretty good shape, actually. And as long as you've got backups, then if something happens you can just go back to it. So even beginner WordPress implementers, or site builders, or whatever we want to call them, or even developers, you can do those things for your clients. Set them to automatically update. Yeah, they might come back to me six times going, oh, you know, my site is broken, but at least it's not hacked, because then it's really difficult to clean up.

So just some tools to keep an eye on your site as it's running and alive. So Wordfence just released a tool called Gravityscan. You can do one-off scans on their site to try to find malware and things like that, and they also have a paid service for ongoing scans. Sucuri, the same story. Sucuri is very well known. It also will scan your site and find things. We haven't found that it always finds everything, by the way, but that was just us, and maybe that was a fluke. Google Search Console is by far my favorite tool for this. First of all, it's free. So in any case, if you care about how your site is doing online, you really should be connecting it to Google Search Console.
You just need to authenticate it, and then you get data from Google that's like gold, seriously, and data that you don't get from Google Analytics anymore, like keywords that people used to find your site. But aside from that, Google wants the web to be a clean place. They don't want malware-infested sites in their search results. So as soon as they identify any sign of anything shady going on on your site, you will get like a thousand emails from them. But that's great, because you will know immediately if there's an issue. So if you don't want to pay for these other services, really, just connect to Google Search Console, and we can rely on Google for this. They care about this kind of stuff. So do that.

Jetpack has their monitor tool, which is excellent. We were using paid monitoring tools which would report downtime, and the results with Jetpack's monitor tool are just as good, just as fast, and free. And downtime is obviously a sign of something going wrong with your server or your site, so it's very useful and I would implement that. By the way, with Jetpack, when it first came out, I was like, how can they do this? They're trying to force this on everyone, and I don't want a giant plugin that does a thousand things. In the end we use it for all sorts of things. They won us over. It's very useful. It's got some very useful functionality.

Okay, so that was like standard-ish approaches to security. If you do these things, you're in a pretty good situation. Definitely have Google Search Console at the very least keeping an eye on your site. Now I'm going to talk about completely rethinking security.
So as I mentioned, for the last decade I've been in the WordPress development industry, and I've seen a lot, and we've suffered from many things along the way related to security, and we've learned a ton along the way. But over the last few years we found that it was becoming more time-consuming to keep our client sites alive and well. Instead of being able to build the websites for the clients and progress with projects, we would find ourselves spending a day or two, or sometimes a week, trying to fix something that happened, fighting DDoS attacks. We had one client that was on stage pitching to investors, a cyber company, and then their site was DDoSed. Nightmare, okay. I have many more gray hairs with different websites' names on them.

So I've been thinking about... a lot of these approaches have to do with pushing back against the status quo. And I started learning about a new approach to web development called serverless. Are any of you familiar with serverless, with AWS Lambda? Crickets, yes, but that was me; I also hadn't heard of it. It's really fascinating and really interesting, and I personally believe that it's the future of web development. Basically, it's called serverless because instead of running a dynamic server all the time to process, just waiting in case someone needs to process some kind of dynamic functionality, it's essentially static sites, like in the 90s, kind of. It's like we're coming full circle. But the dynamic functionality runs on demand and then shuts down, and that's called AWS Lambda. I recommend that you guys just look it up and start learning about it.
It's really interesting. Microsoft and IBM also have their own versions of serverless. This started only like three years ago. So the benefit of going serverless is that there's no database and there's no dynamic server running. So all of that attack surface, all of those vulnerabilities, are actually eliminated. They're just not there. And the sites run faster, because they don't have to do database queries for every page, and they're more scalable. So many sites are going this way. Like, Coca-Cola is migrating sites to a serverless approach. But it's very expensive, very resource intensive, and WordPress is just such a great option if you need your site to get the results for you: generate leads, generate traffic, generate business, anything like that. WordPress is key. So how do we marry these two worlds together? And I came up with this idea for the new company that I founded, called Strattic. And there's another company out there that's doing something similar called Shifter, which you may have heard of.

So I'll explain to you how it works. Basically, we disconnect the dynamic code of the WordPress site from the rest of the web, and we put the WordPress site behind authentication.
So only site owners can access that site, but no bots. But they can manage the site as usual, so there's no learning curve. Marketing people can still update content and all that stuff. Everything is the same. You can add plugins. As an agency owner, I don't want anyone telling me what I can and cannot do, so all that's the same. Then you deploy those changes with one click of a button. Oh, and by the way, the bots that are trying to access the site cannot, so they go somewhere else. And so then you can deploy the changes that you've made, and they get deployed as HTML, CSS, and JavaScript, essentially the front end of the site. So site visitors are visiting an exact clone and replica of your WordPress site without the underlying vulnerabilities and issues. And these bots, they're there again, they're trying to find the WordPress vulnerabilities or the known open source vulnerabilities, and they can't hack them, because they have been completely eliminated through this approach. And these sites, as a happy by-product, they're also faster, and they scale when hit by DDoS attacks, or if hit by a lot of traffic. DDoS attacks need much more resources to take it down.

So we're just actually launching now. We're very excited, after toiling and sweating and crying over the same thing for a year. But it's now working, and so we would really love to talk to you guys about it and see if you are interested, in which case we can show it to you, and also get your feedback. Because I know that this is something that I want for my agency, to solve my own pain, but we'd love to hear what you guys think as well. So that's a completely different approach. It's very new. It's very unique, but it marries the best of these two worlds of serverless and the awesome world of WordPress, which we love and which is so great for all of us and for our clients and for ourselves. So that's it. So thank you. This is a picture of me and the Mona Lisa bonding. It's such a hilarious experience.
So yeah, that was the closest I could get, and I feel really close to the painting now. So thank you. If anyone has any questions...

Thank you very much, Miriam. I'll be passing this microphone back to you, but I think we're gonna get some questions, so our mic runners, ready? Yeah, excellent. Okay, now the microphone setup in here is that we've got a couple of mics on stands down towards the front of the aisles. Gentleman there, you're sitting next to a mic stand, could you give us a wave, please, so that people... Yeah, that's it, just that chap. There's a microphone on the other end of the row as well. There's one there as well. So if you're near the front and you've got a question for Miriam, pop down to one of those, and towards the back we've got some runners as well. So do we have a question from the floor over there, sir? Yes, please.

Hi, great talk. One question about the serverless approach: how do you handle, like, comments?

Very excellent question, which I'm sure a lot of people have. Yes, perfect. Disqus and Facebook comments. And for forms, at the moment we're using third-party forms, but we plan to develop an integration with the regular WordPress forms, like Gravity Forms, which I love, so it has to work for me and everyone else, through a proxy. But at the moment, because we have such an initial product, it's Disqus and Facebook comments, which in any case we found a lot of our clients want, to prevent spam and just make it easier to manage comments. And it also actually kind of runs faster.

You mentioned the authentication for the client. What kind of authentication is it? Is it a password, or is it like a token? What is the process for the client?

So it's a very good question.
So at the moment, it's a username and password. Again, because we're launching this minimal product. But the idea is to make it a little bit more complex. But one of the things that I actually forgot to mention about security is there's always this battle between user experience and security. So you don't want to limit your users too much. So our goal is to find a balance where it's highly secure. We might, likely will, use Amazon's authentication services, because they're very high quality and integrate well; we're building on AWS. But at the moment, yeah, it's a username and password.

Does it mean that the user, the actual admin, should type in their credentials two times?

Yes, exactly. It's two-time credentials. It's possible that down the line we'll remove that, but I think it's worth the security benefit, just in case. They log in once to our system and then they log in again to their WordPress installation.

Hey, do you plan to make it one login system or something?

It's possible. Right now what we really need is user feedback, and so if that's a big pain point, where it's two steps, then we would definitely consider it. But at the moment it will continue to be two steps, and maybe we'll add that to the roadmap.

Okay, thank you.

Thank you for your question. Is that a person there?

Yes, I'm a person. I have a question. You put up the statistics from Wordfence about vulnerabilities, but one of the things that wasn't on there, as far as I could see, was the users, the end users of the site, the admins for example, being a vulnerable point.

Yeah, exactly.

So my question is about social engineering and social exploits. What do you do to educate clients on phishing, on what emails they should respond to, which websites are actually real websites versus clones of their admin?
That's a really good question. So social engineering is definitely a threat, and we ourselves, even us as the site developers, can be a weak point. In the level of risk for our clients, it's actually pretty low, at least that's what I found over the last ten years. If we were a bank, no question, there would be a lot of education going on. We do try to educate our clients in general about safety online, in general terms, and they often ask us questions. You know, don't click on anything that looks even remotely suspicious. Look at the URL. That's basically the main suggestion: look at the URL. If it says facebook.com.com, it's not Facebook, you know. But the whole point here is, do the most important things, and actually that is a pretty low-level thing for our clients, and we can always restore a backup if we have to.

Yeah, thanks.

You're welcome.

Hello. The obfuscation of the wp-admin suffix, I think that identifies any site as being a WordPress site. Should not...

That's a very good point, like changing the login URL, that ending. I'm very surprised that it doesn't come out of the box with WordPress. So I do recommend it. But what we found is we started implementing it on sites, and then we had an issue, and just to fix the issue we stopped, and it didn't make any difference that we put back the URL, because as long as we were limiting login attempts and we made sure that the clients had strong passwords, and basically whatever I said, it was okay. But yeah, it's an easy thing to do, very good point, and you can do that, like create a different login URL for your clients. It's just one more way to... what's it called, security through obfuscation, or... I can't remember the term, but yeah, thank you, good point.

Oh, there's another person. Like, I'm looking into hello sunset or something.
Oh, I'm Tom. No. There are a lot of things that people do to try and improve the security on their websites that are good intention, but maybe aren't so great for their sites, and that people have spread online. What do you think is the worst, the sort of things that are quite popular, that a lot of people might want to do, that can actually really destroy the security of the site very quickly?

Really good question. I've read so many ridiculous things, really some really ridiculous things, but I'm stumped right now. I can get back to you, but yeah, it's really important. It's kind of like the world of search engine optimization as well, where you'll read things and they're like, if you do this you're gonna do great. So the same here: if you do this... like, don't go overboard. You'll find these checklists of, like, 36, 40, 50 things to do to your WordPress site to make them secure. So first of all, you'll likely end up messing things up in a painful way. You don't want to ruin your own user experience, and just try to be smart. And also, I mean, this is based on 10 years of experience, so feel free to, like, not have to go through the pain to learn it. But you can also, you'll learn as you're going along, like what really makes a difference and what is just too painful to do, kind of like changing the URL. We just found that it was, like, messing things up too much and taking, like, more time than we wanted to, and then when we stopped doing it, it was fine. So, you know, you figure it out for yourself.
I guess. Hi, I was wondering, you put the dashboard of WordPress behind an extra login. Why not an IP whitelist, so that you don't have to log in twice?

Good question. It comes to the user experience thing. Like, we're all running around a lot, and so are our clients. Like, for example, our tech clients and our startup clients, they're in Tel Aviv and then they're in San Francisco and then they're in Europe, and their IP address is changing all the time. Then they would be in touch with us all the time to, like, update it, or someone in their office. It's like, it's a cost-benefit thing again. If we were a bank, probably, but for most of our clients it's not worth that inconvenience. It would be too frustrating for them. That's why, essentially.

Thank you.

Question? Yes.

Hi, I have a question regarding the database for serverless. How do you plan to handle it? Or how does the user get a backup or something? For serverless, how do they get a backup of the serverless, I mean for the database?

Ah, so the original site is in existence, and so that is continuously being backed up as well, just in case something happens, because things happen. So that's continuously being backed up, as well as the static site, and the benefit of that is that if something happens to the real WordPress site, the static site continues to exist. And also on WordPress we can always have redundancies, so you know, if something happens to one static version, we can easily, quickly point to another one. So you can end up with, like, a whole bunch of possibilities if anything goes wrong, but the real WordPress site is constantly being backed up just in case.

But where does the database stay? Is it in an RDS instance, or how? As an Amazon RDS instance, or...?

Oh, the databases are separated. What's that called again? Is that what you just said, Amazon RDS?

RDS.

Yes. Yes, it's RDS exactly. So that's the other advantage: if something happens, we can just reconnect it to files.

Okay, thank you.
Thanks.

Hello, I'm Phil, just right. I have a question about the REST API. As far as I know it's enabled by default in WordPress, it's on by default, and you can easily get, for instance, a list of the users in your WordPress install. Do you have any experience or advice about the API? Should I disable it?

Oh, so you're saying the major issue is that the REST API could be a vulnerability, right? So for a long time we would, let's say, turn off the XML-RPC file; we would disable it. We were suffering too much from it, but then that stopped being an issue for various reasons, so we stopped doing that. With the REST API, because it's so new, so far we haven't found that it's a strong point of attack, but I feel like we're gonna find a day, like we did with XML-RPC, where some kind of botnet or something, or just general hackers, identify this as a great place to attack, and we're all gonna suffer from it, and then at that point we're all gonna consider disabling it. In the meantime it seems okay. We generally don't disable or turn things off that have an advantage until they become disadvantages, so that's just us. But if you're not using it, it's not adding any benefit, then yeah, maybe consider it. It's definitely gonna be an issue, like, in my opinion. It's just a matter of time, like everything. It's the wall that just keeps going.

Thank you.

Thank you. Okay.

Sure, yeah, it's not even a question, this is a statement. I've seen a lot of WordPress security talks, and this one absolutely was one of the most comprehensive ones. So congratulations.

Oh, that's so sweet. Oh, thank you. I really appreciate it. You know how it is: if you have clients, like, they can all love you, and then one says that they hate you and you're like, everyone hates me. So that means a lot to me. Thank you.
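As an added example, not from the talk or the speaker's product, this small WordPress plugin implements the middle ground the REST API question pointed at: instead of disabling the whole API, it removes only the /wp/v2/users routes for requests that are not logged in, so anonymous user listing stops while logged-in editing (the block editor relies on these routes) keeps working. The filter and function names are core WordPress APIs; the plugin header and file name are my own.

```php
<?php
/**
 * Plugin Name: Hide REST user listing from anonymous requests (added example)
 *
 * Drop this file into wp-content/plugins/ and activate it. Only the
 * /wp/v2/users routes are removed, and only for visitors who are not
 * logged in; everything else in the REST API is left untouched.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Not loaded through WordPress.
}

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Cookie/nonce and application-password authentication have already
    // run by the time routes are matched, so is_user_logged_in() is
    // meaningful here: logged-in users see the unfiltered route table.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        // Anonymous callers then get the generic rest_no_route 404 instead
        // of a list of accounts.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

This closes only the REST route; author archives and the oEmbed endpoint can still reveal usernames, so it belongs alongside the login-attempt limiting and strong passwords the speaker already relies on rather than replacing them.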