I don't think I would be able to do that. So today I will talk a little bit about the moment my site got hacked. So, let's start. There's almost like a denial: it will not happen to me. It's not currently happening to me, and, well, it's done, but it'll probably never happen. So, a little bit about the story. The setup: I believe my site is secure. I have a difficult password. I first have to go through home before I can log in, so it's really based on IP: if I'm here, then I first need to log in to my home to be able to log in as admin. Files cannot be changed; you can't install plugins or update plugins. I renamed wp-content, which is kind of scary for people, because they assume where your uploads folder is. And what's the effect of me having written a lot of my code myself? That code is not public, so people don't have the code. I also have OPcache running: the first time you visit the website, all your PHP files get cached, and when someone wants to change them, they also need to restart the machine to get all those new files in there. So that could never be hacked. Again, my uploads folder doesn't always mean it's going to be wp-content/uploads/2015; there's always a site ID in between. And then it's all about keeping things up to date. And normally I do. Except there's one plugin that, well, skipped my attention, and I didn't know that I hadn't updated it for a while. At one point, I worked at a host that had a few hundred customers with this plugin, and I was like, well, I can check it out: I know this plugin, I use it myself, so let's see if I can reproduce it. So I was playing along, trying things out, and I got a 200 response back. Something did happen. So I was testing on my own site, went to take a look over SFTP to see what that something was.
And yes, I saw a file uploaded to my uploads folder. It was already going on: I saw that people were already trying to get in. They were already uploading a lot of PHP files. So, yeah, you get this stage where you're completely shocked, falling into denial, and you get this image again. Obviously, one option is: check your log. Nothing happened, right? So, because I'm a developer, I was like, let's look at the log and see how they managed that. So I checked things out, and I see that they tried. They also checked for the file, and I see they failed: I saw a 404, because they assumed it was in the standard directory. And because it's a multisite install, that plugin was not enabled on the main site. So they have never found it, unless they were doing more than basically script-style: go to a website and do whatever they want. A lot of people, if you're at a host, assume you have nothing; so check the log file, and you will see something like that. So they probably found what was in there. The first item that you see is, basically, trying to upload something. The second one is, they checked if that file was there, and in this case they were checking wp-content. My bad is that, because I have a different one, and I want to be good for Google, I rewrote it by its name, so it directly redirects the hacker to the right place. Again, with a network install it was not in that place; they should have added the site ID. Then, after that, you have the anger. I was angry that that site had already been moved to this kind of infrastructure for like a year; I'm pretty sure they were already updated. And secondly, why did I not update my plugin? My server is always updated. It's really easy to go in and update it, and I trust my Debian to always be testing really well and know what to do.
But then again, it's like, why didn't I have any protection in place? Because it's my own VPS, I don't have a host to protect me. Some hosts protect you by putting rules around those bugs. When I was working at the host, we were already working on finding ways to secure all our customers who still had not updated the plugin, and there were quite a few. And then there is, okay, working through it: start fixing things. What did the hacker do? Go over your site. And in this case, first of all, delete that one plugin that was a pain in the ass, because of which this could happen. The moment that happens, well, you have no idea what's going on. Hackers can add spam links, but they can also delete content or do things that probably hurt your business in a bad, bad way. I was also checking other folders for more files, and I deleted all the PHP files, even the blank index.php ones. And I went in to also not allow PHP execution there anymore. There are plugins doing this for you, so you don't have to do it yourself. Especially in the case of most users, it really needs to be done with Apache, which most hosts run on. So you can just install the plugin and get that locked down. Now, I was still checking: did they change PHP files? Did they add content? And for me, it was pretty easy: I have everything in a repo and all my code is there. So I can just do one command and see what the difference is: did someone change, add or remove files? But that's me, because I have that. What about you? So because of that, I have now built something that helps the regular user to do this themselves. What I built is a whole service with an API where you can say: I have this plugin with this version, please give me all the checksums.
And checksums are like hashes: they take all the code in your files and make it one value of a number of characters. And those values you can compare on your machine to see if something got changed. You don't know what, but something got changed somewhere, and so it's already a good guideline for where it got changed. So now it's not only for WordPress core, but it also works for your themes. Currently it's still in a beta stage. So you see a URL for, for example, one of my plugins that goes to the service on my website, and I have this API for developers to build cool stuff that helps you out. Currently it's still in the beta stage, but I believe in a month or two we will see the first plugin using this API, where you can install a plugin and see, the moment you got hacked, what someone did. And honestly, when something like this happens, you start wondering: how do we prevent this from happening again? And there's something called an application firewall. What it does is basically protect you against common attacks, in this case cross-site scripting and SQL injection, and way more. One of those companies that I personally like is Sucuri, who also sponsor and help out WordPress in really good ways. And because of that, they also know WordPress really well. So the moment something is going on, they probably already knew it before it was published, and they take all the logs they generate for the people they protect, and because they parse the logs on a weekly basis, they know exactly what is going on. It does cost money, though: it starts around $18 a month. If you want something cheaper, then go for Cloudflare, which is also a really good company. But obviously, they don't put security directly in first place. For Sucuri, security is their main business; for Cloudflare it's more their second business.
They are more about keeping all the websites available all the time, kind of a CDN for your website. But if, for example, you want to do more on your own machine, then NinjaFirewall is a good way to go. I don't use it myself, because I already control my machines and I can figure out most of the things. But if you self-host and you don't have enough knowledge to do that, NinjaFirewall is the way to go. You can install it, depending on your host, it hooks in at the bottom, and it works. ModSecurity is more for developer-type people, because you need to write a lot of rules yourself. Then again, there's a website with a lot of rulesets that you can use: OWASP. It has a lot of things about security there. I was reading through, and you see a few posts about WordPress, how they think you can secure it. Then again, at some point you go back: how do you think yourself? So, I have to show you a little dashboard of myself that I custom-built; it's made with WordPress and makes all the connections to my sites. What you see here is: I have two websites currently in it, like I maintain a website for the Serbian community, and apparently you see it's 4.3, and you see a red bar. If I say it's 4.3.1, the next moment it will check it again, and it will be green again. So, this way, I know exactly when something is not up to date. You will see the date of the event, and because I know exactly where the repo is, if something is updated and I don't have it on my machine yet, I can go there to fix it. So you go down here, you see the same again, and I wrote down some to-dos, like, well, if I want to quickly update a plugin or theme directly from here, how can I do that?
If I want to release it as some public tool, people probably want to use this also to update their plugins remotely, like ManageWP and WP Remote, those kinds of tools, can do it, but then maybe in a different way: maybe you can extend things with plugins. For example, if you want to update a really big plugin, Jetpack, WooCommerce, or other things that are so tied into your website, you want to be sure it works. So someone like me, a developer, can build tools that check your website for you: if you press update, it already checks roughly if your website got changed. So you can make screenshots and compare them. You can see the website is still returning responses on random pages. And if developers can build that, that would really help tools like this for your website security, because plugins in general are a really good spot. If I find your password, I can change those plugins and do whatever I want, and I can just track what is going on on your website. Probably the moment you go to your plugin page, you will see it already activated. But how many people look at their plugin page, even on a weekly level? I'm not even talking about day to day. I never do that. The only time I look at it is when I want to activate a plugin on a certain website. So I built a check like that: if there is a response, I will get an email back. I've worked on it quite a few times again, but I'm working mostly to build a check that will see what is different, so I can get an email already. The more data I have on my laptop, the more time I look at it and train what I have in the checks, and I'm also looking at adding missing posts. So, this was something I built. What you see here, really badly, is that I installed a lot of plugins, especially ones I downloaded from here and there. So obviously, there are changes.
And it will list a lot of those files in red: some checksums are not the same as the reference ones. So this really indicates that something is probably going on. Another check that I'm working on is checking the uploads directory: scanning for PHP files, if there are any, why they are there, and showing you which files are there, so you can see for yourself and make a good guess whether that belongs there or not. But that might be a step further. I run my own servers, so I probably need to maintain those, too. There are really good tools out there for people like me and my developers for maintaining servers. But probably, even if you're a regular user, you want to know what your hosting is up to. Do we have the latest PHP version or not? So what I built here lists things down, so you can have that list. Here you see a list again for my old site that is still there. There's quite a lot of things still there; there are some basic things that I need to do. For my images I depend on ImageMagick or GraphicsMagick, and I see that there are still things I need to do. But if I look down here, I see that my current one runs a current PHP setup and the latest version of nginx, and there are no updates. So without going into the machine, if I have like 10 machines, I don't need to look at all those 10. Even regular users often don't have one hosting contract; they have way more. And then it's always like, well, accept that it happens, and it probably never happens again. I made some steps, as well as some mistakes, but don't expect it will get any better. If you see something, say: wow, I think it's a security issue, and you should write an update. Some people, like me, skip that thing. Don't tell them how you can reproduce it.
If you go home and do that, people will find out what to do. Find ways to read your log files, even if you don't understand them. I hardly understand them. But I understand that it's like reading through it; you need to take the time. Because of that, I was reading just the shape of the requests. I know how people request my website, and because of that, with some basic knowledge, I could see why I could do that and find ways to reproduce it. Like, last year, before I was working for a local company, I had zero interest in security, and so they were using it. I started looking at: what does that do for my website? How can I learn from that? And because I know how to build a tool, I'm more proactive in seeing what is going on on my website, seeing what someone tries to do. And if I want to go a step further, I can even parse log files. And I know what's going on at Sucuri: one of the founders released an open source tool to parse log files and see what people are doing. Again, it's probably for most people a step too far, but you know it's out there. So when you have time, you can play and see: can I set it up, can I parse? And that's what I'm currently doing. I'm checking it out online, seeing what people are saying about security. I don't have to understand it, but I know I can improve, and in the end that's always going on. You have a website. You should trust your website, but you should not trust the state of your host and that everyone else will do everything to protect your website. In the end, if you are at a big host, you're one of a million customers and you expect that they do it for you; in general, the bigger hosts have security in place.
They have an infosec team that on a regular basis sets things up and checks them, at the bigger hosts. In this case you have 400 customers, but if you are one customer at a host with that one not-so-popular plugin, you should know about that. So lots and lots of easy questions for you: do you know what your host does to protect you? What do you do yourself? Do you have something enabled to protect you, to give you notifications, or whatever it can do for you? How well are your people protected? How good is your username and password, but also, if someone is trying to brute-force your credentials, is there some blocking mechanism? Again, a lot of customers don't know whether you block the attacker from getting in, but then again, a lot of attackers have a botnet of a million, or not a million but thousands of machines, which also get to try: they have a thousand times the chance to get the password in a given hour or day, depending on how they predict it. What do you do for hardening your site? A lot of entries on the WordPress Codex show you how you can do little steps like disabling the editor, disabling installing plugins in WordPress, finding ways to do that. Again, what I didn't say yet: I block my login with htaccess, so that basically you have to fill in a password first to get into wp-admin, and things like that. If they want to hurt me, they will do it anyway, so I protect through IP on a basic level: if I'm admin or super admin or even an editor, those people have IP checks, but if it's a regular person who can log in, I'd rather let them log in and see what happens. And then again, how do you do your backup? Do you have a backup of your site on your machine, or do you solely trust your hosting company to always have a backup, and if your site gets hacked or something happens, how fast do you think your host can get that backup to you?
Try it out: ask for a backup, because, well, you need it, and see how your host responds to your request. And do you know who is even trying to attack you? Again, the log file: do you check it, or do you know exactly if you saw some weirdness but never looked it up?

I'm Marko. I'm the founder of CodeKitchen, I'm the lead of GlotPress, which translate.wordpress.org is built on, I am a long-time WordPress community member, and I'm one of the organizers of WordCamp Belgium. Thank you for listening. So, do we have security questions?

Q: Would you say that using git is mandatory if you have some?

A: So the question is if git is mandatory. I would not directly say it's mandatory, but then again, if someone did try to change my website, with one command I can see with git status or git diff which files are added or changed. So it's not that it is needed, but it's a really good thing to do. The setup that I have is a little bit more tricky to maintain, but because of that, the script kiddies who would take over your website with the basic attacks don't take that. So having the different stages in your website is always a good thing to do, and having git makes it easier. For example, there are some hosts doing that: you can already use git on your machine, commit to the master branch and it's already there, which means why should you have the feature of adding plugins or themes through your website? So the moment someone finds your password, they can't install anything, they can't edit anything from wp-admin, so they really need to find a way to add a PHP file or the hack through the website.

Q: Thank you, Marko, great talk. Let's be honest: what do you think, how many people in this room are actually capable of administering their own servers and actually doing everything you just said and making sure that site is secure? Is it really something that everyone should learn, or is it something you
know, you should be aware of?

A: You should be aware of it; you should know what's going on. To be honest, I was not able to even contribute back to WordPress a few years ago. When I started with 3.0 I did some stuff, but in 3.5 I rewrote the image editing that's in place. During that time, when I was doing that, I was hitting my head against the wall a few times. So it's more about knowing that it's there, and even if it's an hour of your time, reading through online how you can secure the website in a better way. Like, if you've never used the editor for plugins and themes, it's one line in your config file and you can disable that. So it's more about showing more interest in what is going on out there in the world, and to be clear: running your website five years ago is completely different than now. Now people are more eager to have your website, because it's more popular, and it's the main tool to attack.

Q: Wouldn't it be easier to start from a previous backup than to start from an infected setup?

A: Yes, but the problem is: do you know that your backup is not infected? For example, some tools at some hosts back up your site on the same disk, which means if hackers can find a way to get into your website, and if they really want to hurt you, they know how to find a way to get to your backup. So that's the more tricky part.

Q: I'm probably not that strong on the technical side, so I prefer to use WP Engine, for instance, to have backups made automatically and to go to their team for them to help me, and they are so secure on a single level. So for people like me, it's probably easier than doing all the technical things that you do on your site, to subscribe to something like that as well, correct?

A: Correct. So for example, they automatically keep backups; another one also makes backups, but the other one often has the security check and will clean things up for you. So there are really good hosts. I don't know the one you mentioned, but yes, if you have hosts like that, again using Sucuri for protecting it, they do it also for backups, and they will also check your backups, whether things have changed or got hacked, and they will clean it up. So for probably most people, like regular users, there are really good things happening.

Thank you. Thank you so much, Marko.
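The checksum comparison Marko describes for his service (take the hashes of a plugin's files at a known version, compare them on your machine, and list what was modified, added or removed), together with the uploads-directory scan for PHP files he mentions, as an added example that is not part of the talk or of his service. The manifest format, the `example-plugin` tree and the multisite `sites/2/...` uploads layout are constructed for the demo; the backdoor strings are placeholders, not real samples.

```python
"""Added example: offline file-integrity check of a WordPress plugin tree
against a reference checksum manifest, plus a scan of the uploads directory
for PHP files. Not the speaker's code; paths and manifest layout are assumptions."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every file under root (the 'manifest')."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(reference, actual):
    """Classify differences between a reference manifest and the live tree."""
    return {
        "modified": sorted(p for p in reference if p in actual and reference[p] != actual[p]),
        "added": sorted(p for p in actual if p not in reference),
        "removed": sorted(p for p in reference if p not in actual),
    }


def php_files_under(root):
    """PHP-like files below root (e.g. wp-content/uploads), where none should exist."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo():
    """Build a constructed plugin tree and uploads dir, tamper with them, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "wp-content", "plugins", "example-plugin")
        uploads = os.path.join(tmp, "wp-content", "uploads")
        site_dir = os.path.join(uploads, "sites", "2", "2015", "09")  # multisite layout (assumed)
        os.makedirs(plugin)
        os.makedirs(site_dir)
        # Pristine release files; the manifest is computed from these.
        pristine = {
            "example-plugin.php": b"<?php\n// plugin bootstrap\n",
            "includes/helper.php": b"<?php\nfunction helper() {}\n",
            "readme.txt": b"=== Example Plugin ===\n",
        }
        for rel, body in pristine.items():
            full = os.path.join(plugin, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        reference = hash_tree(plugin)
        # Simulated intrusion: append to one file, drop a new file, delete one,
        # and leave an executable file in uploads (placeholder contents).
        with open(os.path.join(plugin, "includes", "helper.php"), "ab") as f:
            f.write(b"// injected line\n")
        with open(os.path.join(plugin, "wp-cache.php"), "wb") as f:
            f.write(b"<?php // dropped file\n")
        os.remove(os.path.join(plugin, "readme.txt"))
        with open(os.path.join(site_dir, "shell.php"), "wb") as f:
            f.write(b"<?php // should not be here\n")
        with open(os.path.join(site_dir, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0")
        return compare(reference, hash_tree(plugin)), php_files_under(uploads)


if __name__ == "__main__":
    diff, shells = demo()
    print("plugin diff:", diff)
    print("php in uploads:", shells)
```

In practice the reference manifest would come from the checksum API for the exact plugin version, and the comparison would be run over the live `wp-content/plugins/<slug>` directory; a file listed under `added` inside a plugin, or anything at all from `php_files_under` on the uploads tree, is what the talk says to go look at first.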
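The two log entries Marko reads out (first a request that uploads something through the vulnerable plugin, then a request for that file under the uploads directory, which returned a 404 on his site because the attacker guessed the default path instead of the multisite one) can be picked out of an access log mechanically. The following is an added example, not the speaker's tooling: it parses combined-format access-log lines and reports, per client, an upload request followed by a probe for a PHP file under uploads. The log lines are constructed, and the `example-uploader/upload.php` endpoint is an assumed name, not the real plugin's.

```python
"""Added example: detect 'upload, then fetch a PHP file from uploads' in an
access log. Log lines and the upload endpoint path are constructed for the demo."""
import re
from collections import defaultdict

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any POST into a plugin path that mentions "upload" (assumed shape of the endpoint).
UPLOAD_ENDPOINT = re.compile(r"/wp-content/plugins/[^/]+/.*upload", re.I)
# A PHP-like file anywhere below an uploads directory; nothing executable belongs there.
PHP_IN_UPLOADS = re.compile(r"/uploads/.*\.ph(p\d?|tml|ar)(\?|$)", re.I)


def parse(line):
    """Return a dict of fields for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def find_upload_then_probe(lines):
    """One finding per probe: the client POSTed to an upload endpoint earlier and then
    requested a PHP file under uploads. status 200 means an executable file was reached;
    404 means the path guess was wrong, but the attempt is still worth knowing about."""
    posted = defaultdict(list)  # ip -> upload request paths seen so far
    findings = []
    for raw in lines:
        r = parse(raw)
        if r is None:
            continue
        if r["method"] == "POST" and UPLOAD_ENDPOINT.search(r["path"]):
            posted[r["ip"]].append(r["path"])
        elif r["method"] == "GET" and PHP_IN_UPLOADS.search(r["path"]) and posted.get(r["ip"]):
            findings.append({
                "ip": r["ip"],
                "upload_request": posted[r["ip"]][-1],
                "probe": r["path"],
                "status": r["status"],
            })
    return findings


# Constructed sample log (documentation IPs); not a real capture.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2015:02:14:01 +0200] "POST /wp-content/plugins/example-uploader/upload.php HTTP/1.1" 200 15',
    '203.0.113.5 - - [10/Sep/2015:02:14:02 +0200] "GET /wp-content/uploads/2015/09/cmd.php HTTP/1.1" 404 233',
    '203.0.113.5 - - [10/Sep/2015:02:14:03 +0200] "GET /wp-content/uploads/sites/2/2015/09/cmd.php?c=id HTTP/1.1" 200 48',
    '198.51.100.7 - - [10/Sep/2015:02:15:10 +0200] "GET /wp-content/uploads/2015/09/photo.jpg HTTP/1.1" 200 10240',
    '198.51.100.9 - - [10/Sep/2015:02:16:44 +0200] "GET /wp-content/uploads/2015/09/cmd.php HTTP/1.1" 404 233',
]

if __name__ == "__main__":
    for f in find_upload_then_probe(SAMPLE_LOG):
        print(f"{f['ip']} uploaded via {f['upload_request']} then probed {f['probe']} -> {f['status']}")
```

The last sample line (a lone probe with no prior upload) is deliberately not reported by this function; on a real log you would want to list those too, since a scanner that already has a file name from somewhere else looks exactly like that. If wp-content has been renamed and a rewrite redirects the old path, as on the speaker's site, the probe will show up as a 301/302 followed by a second request, so a status filter should not be limited to 200.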