Okay. Hi everyone. Hope you're all having a good day so far. I think after this talk there is lunch, so I'll try not to take too much of your time. So, coming to securing your WordPress sites. Well, before starting, a bit about me. I'm Aithisham and I'm from Pakistan, and I work for Automattic as a Happiness Engineer on the WordPress.com team, as Shibangi said. We have other products as well, like Jetpack and WooCommerce, that some or maybe most of you already know about. And apart from helping people make awesome websites, I'm also a bit into IP networks and DNS. I like to study how the internals of the internet work, and obviously cybersecurity as well. I'm also a really lazy blogger. If I want to write on something, I'll just keep delaying it to the next day. So my blog hasn't been updated in months, or maybe a year. Yeah.

So in the earlier talks, you may have heard this statistic that WordPress now powers more than 28% of all the websites that exist on the internet. Another even more interesting fact is that out of all the top 10,000 websites, more than 50% are powered by WordPress. So it's a pretty huge number. If something gets this famous, it also attracts bad guys like hackers. And why is that? Because if hackers are able to find even a small vulnerability in one of the themes or plugins, they lick their lips, because all they have to do is build an automated scanner or a bot that will scan all the websites on the internet, and they get a huge list of websites that they can target with the click of a button. So no huge effort involved. Another thing is that WordPress is extremely modular. Anyone can start writing plugins or themes for it. And this kind of exposes the security factor, because if someone is not using good security practices in building their themes and plugins, it exposes a lot of the WordPress ecosystem that we have.

Now before continuing, I'd like to clarify a few misconceptions that a lot of people have regarding security.
Like they think that if you install a security plugin and set all your plugins and themes to auto-update, that's all you need to keep your site secure. Well, it is one of the most important factors. You should keep all your plugins, themes and everything updated. But it's not everything. It comes later. You have to start from your base. And the base is your mind, the mindset that you have about security, and the devices that you use on a daily basis to manage and update your website. So that's the first step. And I'll divide this talk into three layers of security, starting from your own self.

There's a very common saying that you're as secure as the network you're on, the network you're connected to. For example, the Wi-Fi network of this convention center. Well, I've got a question for you folks. What method do you use to upload files to your web host or edit the files that are already there on the web server? What tools do you use, or what protocol? Most of you, FTP. Most of you use FTP, FileZilla or something else. Yeah, right. And how many of you have websites that are secured by an HTTPS certificate? And the rest, I think, don't use HTTPS, maybe, perhaps. Okay, so why is FTP a bad thing? Yeah. So the problem with FTP is that it's about as bad a protocol as you can imagine that is still around today, because all the data is transmitted in plain text. If I'm connected to your network, like if you're connected to this Wi-Fi network, and you're trying to upload files to your web host, I can come in, intercept your traffic and read all the data you're transmitting to your web host. For example, your username, passwords or whatever files you're uploading to your server, I can read all of that. And with HTTPS, there are two things. Can someone tell me how HTTPS benefits the client side as well as you as a website admin or developer, like two benefits of HTTPS? Can someone tell me? Yeah, please. Yeah, exactly. Thank you.
So if you're not using HTTPS and you log into your website, into the wp-admin panel, again, anyone on the same network can intercept all of that traffic, get your cookies, get your username, password, and your whole site. Even if it's the most updated website, latest updates, world-class security plugin, it's all going to be exposed. And it's not just on your local network. Wherever your traffic is passing, for example your internet service provider, they all can see that traffic. And how it's basically done is an attack called a man-in-the-middle attack, MITM. There's a simplified diagram here. Usually, your device, a mobile device or a computer, is communicating with the router or default gateway that you have. That router will have a switch built in as well that handles the local clients on the Wi-Fi network or local network. Now an attacker can connect to your network and intercept that traffic. It will trick your device into thinking that it is communicating with the default gateway, but in actual fact you will be communicating with the hacker's device. And then the hacker will be forwarding all that traffic on to the intended website. So the risk of this attack can be minimized if you're using HTTPS or SSH for managing your website. Better yet, use SFTP, that's the secure one. And if someone is trying to man-in-the-middle you, your router will throw a security certificate error. So never ignore those security certificate errors, because it's mostly someone trying to intercept your traffic.

Another thing that you should keep in mind is, no matter where you're using those passwords, even if it's your own WordPress website or other social media accounts, never repeat passwords. Don't use the same password on all the accounts that you have, and also keep them as long and complicated as possible. Why?
It's because it makes brute-force and dictionary-based attacks a lot more difficult. And in case the website where you have an account gets hacked and all its database is dumped online, your password will usually be in a form known as a hash. Commonly, people use the MD5 hash, so people can go and look up online databases; there are different databases for hashes. If you're using a simple password, your hash will be reversed, looked up, in merely a few seconds. But if you have a complicated password, cracking that will take forever, maybe forever, yeah.

And another bit about the devices you're using: never rely on your antivirus. It's as secure as the latest update that you installed on that antivirus. Now, what about the zero-days and viruses or malware that are not detected by those antiviruses yet? How can you secure yourself from those? Use a sandbox. A sandbox is kind of an environment where you're able to run different kinds of programs without giving those programs direct access to your computer. So it provides a safe environment for execution. If you're a Windows user, you can use Sandboxie. It's a free program for home use. And if you're on Linux or Macintosh, you can use a virtual machine for that. VirtualBox is free VM software.

Now coming to hardening the WordPress installation itself. I was reading a report from Sucuri that of the websites they were studying, at least half were outdated WordPress installations. That's one of the factors that contributes to hacked websites: they aren't updated. And another interesting fact was that out of all those websites that they studied, 18% were using three plugins that were among the most famous plugins, but they were outdated. So that also contributed to the hacked websites. Now the first step that you can take to secure the WordPress installation is to enable two-factor authentication.
Even if your username and password get hacked, two-factor authentication provides protection in the sense that even if someone tries to log into your website, and it is secure, it has no other database vulnerabilities, it has an HTTPS connection, but your username and password are leaked, the hacker won't be able to log into your website, because it will require a security code to be able to log in after entering the right username and password. You can use different plugins for enabling two-factor authentication. You can use Jetpack, Authy, Google Authenticator, they're different. You can Google for them.

And use a captcha. Captcha everything. Does anyone know Sarah Connor? Skynet? OK. So Google is doing this thing these days, like whenever it suspects that a bot is using your computer, it displays a captcha. And someone made a funny meme out of it about the captcha. So yeah, protect your login page with a captcha, so that automated tools cannot attempt to sign into your website multiple times or 100 times per minute. That will protect it. If you're using any plugins that are outdated or you're not actively using them, please, please, please disable and delete them, because outdated plugins are one of the leading factors that lead to hacked websites. Also use a plugin that regularly backs up your site. You can use any plugin for that, because they provide protection in the case that even if your website does get hacked, you can restore to a previous version anytime you want. So the risk factor is a bit mitigated because of the backups.

Now, there are two most common attack vectors that hackers use to penetrate your website. One is SQL injection, and the other is cross-site scripting. If you go online to the link I've mentioned, and if you search for WordPress there, you'll see that most of the vulnerabilities coming up these days are based on third-party plugins and themes. So their developers don't incorporate secure coding practices.
For example, if someone finds a SQL injection vulnerability. How SQL injection works is, basically, you're accepting user input from the browser and you have to use it in a SQL query. And if you don't sanitize that, someone malicious can inject code that runs its own SQL query on top of it. And it will give that hacker direct access to your database. Another is cross-site scripting. Again, if you're accepting user input and you don't validate it first at the user side and then don't escape it before displaying it back to the user, any malicious hacker can inject JavaScript code into your browser. What it does is it can help hackers steal your cookies and also execute any JavaScript that he wants in your browser's context. I've mentioned a link here at the bottom. It is WordPress.org's own resource on how you can build secure plugins and themes. If there's any developer out here and they want to read more about how to build secure themes and plugins, please do give it a read. And you can also search different vulnerability databases to see what the most common vulnerabilities present in the WordPress ecosystem are these days.

Now, another thing that can help in securing your website is obscurity. Obscurity, by itself, doesn't provide inherent protection to your code base or your database. But what it does is it can make it difficult for your website to be found by automatic scans and tools. One of the things you can do is change the default path or the URL of wp-admin or all the login interfaces. There are different plugins out there that can do this job for you. Another thing that you can do is disable access to the wp-config file over the web or the browser. Again, a lot of security plugins can do this job for you. And lastly, for the uploads directory that you have, it has to be writable, right? Because if someone or you yourself want to upload data to your WordPress installation, it has to be writable.
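To make the SQL injection and cross-site scripting points above concrete, here is an added example (not code from the talk, and not from any real plugin) of a hypothetical plugin shortcode written both ways; the table name sd_notes, the function names and the note query parameter are all assumptions.

```php
<?php
/**
 * Added example, not from the talk or from any real plugin: a hypothetical
 * shortcode that looks up a note by a title taken from the request and
 * prints it back, first with the two flaws described above (SQL injection
 * and cross-site scripting), then fixed with the WordPress helpers plugin
 * developers are expected to use. Table sd_notes, the function names and
 * the 'note' parameter are all made up for illustration.
 */

// Vulnerable version: request input goes straight into SQL and into HTML.
function sd_show_note_unsafe() {
    global $wpdb;
    $title = $_GET['note'];  // raw, unvalidated browser input

    // SQL injection: a quote inside $title ends the string literal and the
    // remainder of the value is parsed and executed as SQL by the database.
    $row = $wpdb->get_row(
        "SELECT body FROM {$wpdb->prefix}sd_notes WHERE title = '$title'"
    );

    // Cross-site scripting: the title (and any stored body) is emitted as
    // raw HTML, so script tags in it run in every visitor's browser.
    return '<h2>' . $title . '</h2><p>' . ( $row ? $row->body : 'Not found.' ) . '</p>';
}

// Hardened version: validate on the way in, bind parameters in the query,
// escape on the way out for the context the value is printed into.
function sd_show_note_safe() {
    global $wpdb;

    // 1. Validate and sanitize the input (strips tags, control characters, whitespace).
    $title = isset( $_GET['note'] )
        ? sanitize_text_field( wp_unslash( $_GET['note'] ) )
        : '';
    if ( '' === $title || strlen( $title ) > 100 ) {
        return '<p>' . esc_html__( 'Invalid note title.', 'sd-notes' ) . '</p>';
    }

    // 2. Prepared statement: %s is bound as data, never interpreted as SQL.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT body FROM {$wpdb->prefix}sd_notes WHERE title = %s",
            $title
        )
    );

    // 3. Escape for HTML body context at output time, including stored data,
    //    because a value that was safe when stored may not be safe to print.
    $body = $row ? $row->body : __( 'Not found.', 'sd-notes' );
    return '<h2>' . esc_html( $title ) . '</h2><p>' . esc_html( $body ) . '</p>';
}

// Only the hardened callback is registered; the unsafe one is shown for contrast.
add_shortcode( 'sd_note', 'sd_show_note_safe' );
```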
But disallow PHP or script execution in the uploads directory. How can you do that? You can Google for .htaccess code for it. There are different ones. In fact, even on the WordPress.org website, there's .htaccess code for preventing script execution in the uploads directory. So you can use that.

Now the third part is how you can host your site in a secure environment. This is something you probably won't have a lot of control over, because a lot of people use shared web hosts. And it can be difficult to control the policies of that web host on how you want to implement security features. But some of the things that you can do are: go with a web host that has a reputation for taking security seriously. For example, do they install the latest security patches on a regular basis? All the PHP, NGINX or Apache updates that come up, do they do it on a regular basis? And also, do they have PHP shell commands disabled? Because if a hacker gains access to your server, they'll most probably try to upload a PHP shell to that web host. And if PHP shell execution is not disabled, they will be able to run commands on your server, all the Linux commands that web hosts usually have. And lastly, OWASP is the Open Web Application Security Project. It maintains an updated database of all the vulnerabilities that exist and how to properly mitigate them. I've linked it, so I'll suggest you take a look at the OWASP WordPress security guidelines. It is very detailed and provides in-depth detail on how you can secure your web servers, web applications, all those things. So those are the three basic layers of security. And that's all I had for today. If you have any questions for me. Sorry.

Thank you, Atisham. Yes, like Atisham just said, if you want to ask any questions, if you have any doubts, yes, the gentleman over there. Can I have the mic over to him, please? All right.

I'd like to learn from you. There's a new computer called Quantum Computer. Have you heard of it? Quantum computing.
Because that computer equals 1 million computers. So I'm not sure if, I mean, it's pretty sensitive, I hope you all understand, I'm also learning. If a hacker were to build a quantum computer, which is very expensive to build, but they really had the resources to build a quantum computer to hack any important website, how would we have a countermeasure for this kind of powerful computing, besides the other one, to us?

Yeah, so when we talk about quantum computing, it can mostly be used to crack present-day encryption. Because with the current computers that we have and the proper encryption techniques that we have, for example AES, it can take forever to crack that encryption. But if a quantum computer is built, such encryption will be rendered useless. There will be a need to develop something that can counter quantum computers. But we aren't there yet, so I don't have a definite answer on how we can counter the computing power of quantum computers.

OK, thank you. Then, if you don't mind, I'll ask a second question, right? I mean, I saw something called a master key. When all the software of any internet or protocol has this thing called a master key, but if it's linked to a hacker, I mean, sorry, I'm asking a bit deeper question. So have you heard of this called the, it means it has links to all the, it means it's a kind of a key that links to all the programming and all the code around the world.

No, there's no master key, right? Maybe that's just a documentary, I don't know. Yeah, so there's no universal key that can grant you access to decrypt any type of encryption that you have. It depends on the encryption that you have; for example, symmetric encryption or asymmetric encryption, you'll have your own private keys for that.

OK, thank you. Anyone else? Yes, sure.

OK, good morning, everyone. My name is Shahid from Malaysia.
I would like to ask about some of the recommendations or things that we implement to minimize the risk of attack or the damage in case of an attack, which is obscurity. For example, you mentioned just now to disallow web access to wp-config and also to prevent PHP execution in the wp-content/uploads folder. So these are very practical and very easily implemented solutions, not solutions, something that you can do, something that any web admin can do. Why, is there any reason why this has not been made default in WordPress?

Well, so when I talk about changing the default wp-admin and login structure, as I said, it's obscurity. It doesn't make you automatically more secure. It just makes your site difficult to be found by automated scanners. But if someone does want to target you and they know about your site and they look up your site manually, it is not an issue for them. It's just like making your site difficult to be found by automatic scanners. It's not an inherently insecure thing. You just prevent all the traffic coming to your site in terms of automatic bots.

Yes, in that sense, it actually decreases the likelihood of your site being targeted, especially for regular people who are not really tech-savvy or who are not developers. So if we can do something that reduces that likelihood, wouldn't it be good to include it in the default WordPress code itself rather than, yes, because when you install WordPress, these are not applied. You need to actually modify the .htaccess and add those.

Yeah, I know.

But for the bulk majority of users who are using WordPress as a blog and who do not know how to do these things, it will not be applicable to them.

Yeah, so the WordPress core follows a single pattern, but if you provide too many options to an end user who doesn't know what that option means, it can be a bit of a complicated matter to set all these things up. But inherently, changing the path doesn't mean you're making yourself more secure.
It just means you're trying to hide your site from automatic scanners.

All right, do we have any more questions?

Hi, so I have a question. So basically, what you just went through were the measures that we can take to help secure our sites. But do you use any, for example, vulnerability scanning tools to actually ensure that your site is secure?

OK, that's a good question. So if you want to stay on top of all the vulnerabilities that are being discovered, you can use a tool, WPScan. It's a free and open source tool. It's regularly maintained. You can use it on Linux, or even if you try and modify things, you might be able to run it on other operating systems as well. So to stay on top, use WPScan. Or if you're using a security plugin, it will also often have a feature that will scan your installed files for any known vulnerabilities that might exist in the code. So yeah, two options for you.

That's all right. I'll just pass the mic to you. No problem.

The gentleman mentioned those scanners, right? Do you have any blacklist? Because the scanner must know what to blacklist, you see. If you have a scan, what are the blacklist databases you recommend? Because I was trying to think of how to input those websites so that you can block them from scanning our website. So you're a blacklist, because certain websites, they are actually bots. They are actually hitting on our WordPress site. So have you got any blacklist database that you can recommend, that you can buy from or you can get from a website or forum or anything? Thank you.

So if I got your question right, you're talking about how to detect and blacklist if anyone malicious, or a scanner, is trying to scan your website, right?

I think what he means to ask is, is there a database out there that you can refer to which has a list of blacklisted services or something? Yeah, that's scanning his website.
OK, so I'm not sure if there's a single database for it, but some security plugins automatically blacklist certain IPs that are known to be found either spamming or trying to attack different websites. I think Jetpack does that built in, and there might be other plugins as well that do this job.

I just want to add on to this point. I think with these kinds of things, right, there cannot be a universal database, from what I understand, because there are a lot of new such malicious things coming up every day. So we had some really serious malware attacks recently, you must have heard, which were huge all over the world. So yeah, all right.

I just want to add, there's one security service provider, that's Sucuri.net. You can try their service. They have a free malware scanner for WordPress websites, and they provide paid security consulting services for WordPress websites and many other PHP-related websites. So you can try that. They may have a blacklist and some norms on how you can secure websites in a more advanced way. That's Sucuri.net. Thanks.

Thank you. Thank you for sharing that. All right. So any more questions? So I see that this is a very burning hot topic, because everyone wants to have their website secured. So just find the speakers that you are interested in to ask more questions during the break. So just find them here. So thank you, Adisham, very much for answering all the questions.

Yeah, no problem. Feel free to. Thank you. Yeah, feel free to just catch my side. Approach us, yeah.

Before we close, I thought.