Okay, now I would like to call our next speaker, who is very passionate and hard-working, and who works as a system engineer at 10up. He has spent the last 10 years working as a system administrator and support engineer for various web hosting organizations. So I would like to call Mr. Shakir Ali, who is going to discuss WordPress security best practices. Please welcome Mr. Shakir Ali.

I'm Shakir Ali, system engineer at 10up, and for the last 10 years I have been working as a system engineer for different web hosting organizations. The topic of my presentation is WordPress security best practices. I chose the words "best practices" because of a story I want to share with you: I have a lot of experience on the system side, but my own WordPress website was hacked in the recent past, just because I did not implement the knowledge I have on my own WordPress website. So having a lot of knowledge about how to secure your WordPress website does not guarantee that it will remain secure unless you implement that knowledge on your website, which is called practice. I will be giving you guidelines and proper tools so that you can practice those guidelines on your website.

So the first question is: why is WordPress security so important? It is because WordPress is the most popular web publishing platform, with 58% of the market share among publishing platforms, so its websites are constantly under attack. As an owner, you know the importance of your website and how much a hacked website costs your business. Can I ask one question: how many of you have faced a hacked or compromised website? So there are a lot. It means there might be a lot of hackers too. Hackers can steal sensitive information from your website, your visitors' computers and your users, and to make sure that your website is secure, I would like to proceed further. If there is any hacker present, I will be sorry for him.
My second question will be: what do you need to hack a WordPress website? There are a lot of answers; a hacker could answer that question best. However, I want to show some statistics on how WordPress websites usually get hacked: due to hosting, 41%; due to themes, 29%; due to plugins, 21%; and due to weak usernames and passwords, 8%. So I will start from the bottom and work up to the top.

First of all, password security. I know you know that you need to have a strong password, but I would like you to enforce strong passwords on your website. If you have several users on your website, you can't ask everyone, "please make your password strong, please make your password strong"; instead, enforce that policy. You can use the Force Strong Passwords plugin to make sure that every user on your website has a strong password. The second thing: whenever you want to share a password with someone over the internet, use onetimesecret.com to share passwords and any other sensitive information. Don't share passwords in chat or email, because those are insecure channels. Also, if you need to store passwords, don't store them in plain text files. There are free tools available, like LastPass or 1Password; use those. I'm telling you about these tools because they will not only make sure that your passwords are secure, but also save you time. They are not time-consuming tools; LastPass, for example, has browser plugins so that it automatically fills in your username and password whenever you visit your WordPress website's admin section. One more thing: keep changing your password. Again, you can enforce this policy using the Expire Passwords plugin.

The second thing is the username. As you know, whenever you install a WordPress website, the default username is admin. So make sure you change that admin username to something else.
My second suggestion will be to use an email address instead of a username, as email addresses are more difficult to guess compared to names. I think there is an internet problem. No, it's not a video, it's just the presentation. Got it. Then enable two-factor authentication. There are several plugins available on WordPress.org that you can use for two-factor authentication. There is also the Limit Login plugin; you can install that so that it helps you avoid brute force attacks on the login.

Then I will move to the next section: how to deal with theme and plugin vulnerabilities. Everyone who has development experience or anything on the system side knows that everyone recommends that whenever you install a plugin or theme on your website, you make sure that it comes from reliable sources. But I will go further and also say: keep your WordPress plugins and themes updated. There is also a plugin available for this, the Vulnerability Scanner. If you have 100 websites, or 50, or 10, it is difficult for you to go to each website and make sure that all the plugins, themes and core are updated to the latest version. So there is a very easy tool: you can install the Vulnerability Scanner plugin and then execute a WP-CLI command, which you learned about in the first session of Hulik, to make sure that there is no vulnerable plugin or any plugin containing compromised content, like wp vuln status. Also, if you set up a cron job, it can send you an email listing all the compromised plugins and themes, and even if there is something compromised in core. Then there is a WP-CLI command again to verify that your core has not been modified. It happens that sometimes a developer modifies the core files. If you execute wp core verify-checksums, it will make sure that all your core files are intact and have not been changed.
As you know, 41% of the websites were hacked due to hosting, so my next topic will be the hosting side. It's a mix of things like hosting and other security measures that you can perform. What do you need to hide in a WordPress website? The answer is simple: hide WordPress. You can hide the fact that this is a WordPress website. Hackers mostly attack WordPress websites, so if you hide that this is a WordPress website, a hacker will have a lower chance of hacking your WordPress website. You can simply hide wp-admin and wp-login.php; you can do it with plugins, but you can also do it without a plugin. Due to time constraints, I'm not going further into detail. There is a URL I have mentioned; you can use that. There are detailed guidelines available on how to hide the WordPress wp-admin section. Also, you need to change the database table prefix, which is set in the wp-config file.

The second thing: the most important file in WordPress is the wp-config file. Make sure that your wp-config file is well secured. You can change its permissions to 444, and you can perform these actions if you have root access or SSH access to your server. One more suggestion: move your wp-config out of the WordPress folder. Your WordPress website will still be able to find the wp-config file when it is present one level up in the hierarchy.

There was a recent vulnerability in WordPress, and I want to play a video, please. I want to show you the last vulnerability that happened in WordPress, and how secure web hosting can deal with even WordPress core related issues. There is a normal user who has author access; he does not have admin access. What he's trying to do is upload an image. Then he goes into the console, uses a WordPress function and sets the value of the image that was uploaded. Then he deletes the image. What happens: it actually deletes the wp-config file.
Because it set its value to the config file. So it's back to the database website installation page. Back to the presentation, please.

This is to tell you how a secure hosting environment can deal with WordPress security related issues, and how we deal with them on our hosting side. On 10up hosting, we have a separate user for the uploads directory and a separate user for the core related files, who deploys files to wp-content and the other files of the WordPress website. So if someone tried to delete this file in our environment, it would have given a permission denied error, because we have nginx:nginx on the uploads directory, and the nginx user doesn't have access to delete a file that is owned by some other user. So we have resolved this on our hosting.

What are the other restrictions that we need to implement on our WordPress site? Make sure that all the URLs you have, all the WordPress installations, are secure: use HTTPS. There are several SSL certificate providers which provide free SSL certificates. cPanel also provides free SSL certificates. Cloudflare, if you are using it as a CDN, also provides free SSL certificates. And if you are a system admin, you can use Let's Encrypt SSL certificates. Enable two-factor authentication, as I mentioned earlier. Also enable a CDN; that is highly recommended. Enable a CDN on your website: it not only increases the performance of your WordPress website but also adds an extra security layer between the hacker and your WordPress website. Then restrict access to xmlrpc.php. You can disable xmlrpc.php on the hosting side, for example in .htaccess, by disabling access for all IP addresses. However, if you are using Jetpack you can enable access only for Jetpack's IP addresses, or if your users are posting content using Microsoft Word, then you can also use their static IP addresses to enable access. I can provide you detailed rules for Nginx, Apache or an .htaccess file in the happy hour.
The last thing is to disable wp-admin/load-scripts.php. wp-admin/load-scripts.php concatenates different files, and it can be used for a DDoS attack on your WordPress website. We have found that you can disable it safely and it does not cause any problem for your WordPress website. However, make sure that you add a constant in your wp-config, CONCATENATE_SCRIPTS. There are also some things that you need to perform on the hosting side, like disabling several functions in PHP, and DISALLOW_FILE_EDIT so that from the wp-admin section you are not able to edit any file, core file or theme file. And that's it. Do you have any questions?

Sure. It was in the last version. Currently they have implemented the fix already in wp-core. However, prior to 4.7 this vulnerability was present, and it was already self-explained. I'm not a developer, I'm on the system side, but the video itself explained how he went into the console and executed a function which deleted the wp-config file instead of the image. He just changed the image value to the config file and...

Hello. Yep. If I am creating an instance on AWS, then the default username is ubuntu. Sorry, thank you. Pardon? If I am creating an instance on AWS, then its default user is ubuntu. If I want to update the plugins, then that is www-data; this is its user and group. If I am uploading files through FTP, then I have to change both the user and group. Is there a way to upload with a user group and this file as well? Or can plugins be auto-updated?

Yeah, we have implemented this on our hosting side. We use git instead of FTP. We have a gitlab-runner user, and we have given permissions to gitlab-runner so that it can write into the nginx-owned folders and files, and nginx can execute files owned by the gitlab user. I can provide you further detail on how you can give permissions properly, even if you are using the ubuntu user or the www-data user.
I can provide you guidelines on how you can... Sorry. It should be like... you have to... group permissions and user permissions are usually in the /etc/passwd file, from where you can perform this. However, there is also an SSH command available with which you can add a user to different groups.

Assalam-u-Alaikum. There are two modes: you can host your site on wordpress.com, or put the code on your own site. Which one is more secure? As per the WordPress codex, they say that the code of wordpress.com may be updated thousands of times in a day; security fixes also come. However, what happens with .org is that it will be on our hosting; we will have to make an effort to turn on auto-updates, or whatever guidelines you have given. What is the most secure mode in your view: move to wordpress.com with domain mapping, or use wordpress.org?

It depends on your hosting. There are some drawbacks and some positive features; it depends on your requirement. When you take cPanel hosting, you get affordable hosting or shared hosting, but what are its drawbacks? You get a low-performance website, a less secure website. If you set up your VPS on AWS, you will gain experience on the system side and you can even learn. I recommend everyone to create an instance on AWS; AWS is so affordable that you pay as you grow: the more resources you use, the more you have to pay. You can implement all the security features yourself. It's not that difficult; you can plan all these features. If you have a requirement, you can use wordpress.org. There are a lot of people who are using wordpress.org; they are hosting it, they are managing security issues.

Thank you very much, Mr. Shakir Ali.
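Added example, not part of the talk and not 10up's code: a small POSIX shell audit that checks the wp-config and hosting points the speaker lists (wp-config.php at mode 444 or tighter, a non-default table prefix, DISALLOW_FILE_EDIT, CONCATENATE_SCRIPTS set before load-scripts.php is blocked, and split ownership between the uploads directory and wp-config.php), plus a generator for the Apache 2.4 .htaccess fragment that closes xmlrpc.php and load-scripts.php to everyone except an allowlist. The function names, the standard layout (wp-config.php in the document root or one level up, wp-content/uploads) and the Apache 2.4 Require syntax are assumptions of this example; the wp-cli checks from the talk (wp vuln status, wp core verify-checksums) need a live install and are not reproduced here.

```shell
#!/bin/sh
# Added example (assumed names, standard WordPress layout); not code from the talk or from 10up.

# Path of wp-config.php for a WordPress root, honouring the "one level up"
# placement the talk recommends. Fails if neither location has it.
wp_config_path() {
  if [ -f "$1/wp-config.php" ]; then echo "$1/wp-config.php";
  elif [ -f "$1/../wp-config.php" ]; then echo "$1/../wp-config.php";
  else return 1; fi
}

# Octal mode / owner of a file (GNU stat first, BSD stat as fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# 0 if no write bit is set on wp-config.php (444 or tighter), 1 otherwise.
wp_config_mode_ok() {
  cfg=$(wp_config_path "$1") || return 1
  case "$(file_mode "$cfg")" in *[2367]*) return 1 ;; esac
  return 0
}

# Value of a define()d constant in wp-config.php, quotes stripped, or empty.
wp_config_const() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" "$1" \
    | head -n 1 | tr -d " '\""
}

# The $table_prefix value, or empty if it is not set.
wp_table_prefix() {
  sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# 0 if wp-content/uploads is owned by a different user than wp-config.php (the
# split-ownership setup from the talk), 1 if one user owns both or paths are missing.
wp_split_ownership_ok() {
  cfg=$(wp_config_path "$1") || return 1
  [ -d "$1/wp-content/uploads" ] || return 1
  [ "$(file_owner "$1/wp-content/uploads")" != "$(file_owner "$cfg")" ]
}

# Run the checks on a WordPress root: findings go to stderr, the number of
# failed checks to stdout (ownership is reported as WARN and not counted).
wp_audit() {
  root="$1"; n=0
  cfg=$(wp_config_path "$root") || { echo "FAIL no wp-config.php found" >&2; echo 1; return; }
  wp_config_mode_ok "$root" || { echo "FAIL wp-config.php is writable (chmod 444 it)" >&2; n=$((n+1)); }
  case "$(wp_table_prefix "$cfg")" in
    ""|wp_) echo "FAIL table prefix is the default wp_" >&2; n=$((n+1)) ;;
  esac
  [ "$(wp_config_const "$cfg" DISALLOW_FILE_EDIT)" = "true" ] \
    || { echo "FAIL DISALLOW_FILE_EDIT is not true" >&2; n=$((n+1)); }
  [ "$(wp_config_const "$cfg" CONCATENATE_SCRIPTS)" = "false" ] \
    || { echo "FAIL CONCATENATE_SCRIPTS is not false (set it before blocking load-scripts.php)" >&2; n=$((n+1)); }
  wp_split_ownership_ok "$root" || echo "WARN uploads and wp-config.php share an owner" >&2
  echo "$n"
}

# Apache 2.4 .htaccess fragment that denies xmlrpc.php and load-scripts.php to
# all clients except the IPs given as arguments (Jetpack's ranges, an office
# static IP); with no arguments it denies everyone. <Files> matches by basename,
# so wp-admin/load-scripts.php is covered too.
htaccess_block_snippet() {
  for f in xmlrpc.php load-scripts.php; do
    echo "<Files \"$f\">"
    if [ $# -eq 0 ]; then echo "    Require all denied"; else echo "    Require ip $*"; fi
    echo "</Files>"
  done
}
```

Usage: source the file, run `wp_audit /var/www/html` and act on the FAIL lines; `htaccess_block_snippet 192.0.2.10 >> /var/www/html/.htaccess` appends the block with one allowed address. The mode check treats any write bit as a failure, so 440 and 400 pass as well as 444; the ownership WARN is the talk's point that a 444 file still goes away if the web server user owns it, so the deploy user and the upload-serving user should differ.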