I won't know. But now, I want to talk about help, because I'm super passionate about it. Actually, we see a lot of problems that look very much into that kind of problem and into CMS problems, like ones that get sent around and others that will not sell, but ones like Juma and so on. And this situation is not only for personal journeys and individuals who have something personal. There is an ecosystem that gets saved when something like that happens, and that brings together parts of the country. So, this is something I do for Malaysia. I also consult on national security matters. And now, I work on the country's situation, that national relationship with the IT situation: talking about things like the cloud, computing and so on. The one thing I want to share is that we all share together. If anything, I can do something today, and that is to tell people about what needs to be fixed on their personal journey. And please don't hesitate to ask anything. I would love it if you want to ask while I'm actually speaking. I hope you can discuss it in some way. Okay, without telling me, I'll do what I want to talk about. So, it's simple. Actually, it's not a national matter. What I'm going to try and do is actually very important. I'll tell you my situation, and my situation, and my situation, and my situation, and my situation, and my situation, and my situation, and my situation. Security means, first, and the easiest to get going. Because I can tell you everything, like how experts can be seen, what opportunities you get; if you can't experience it, I give up the chance to tell people what we should do in a way, in a way, in a way, in a way, in a way, in a way, in a way, in a way, in a way.
So I think it's a big opportunity for people to do this part, to make sure that the person who tells others, and accepts a thing that I tell them. Ten things you do today; after today, I have done my job. I have made sure that your work journey is already at a high level. So I hope I can do it. That's why I ask you for the possibility, because if there's something you don't understand, I will honestly take the time, whether it's here or maybe outside, to find help for you. And this is the easiest thing for you. Okay? So that's what we want to give. I'll give it; hopefully we have time to describe everything honestly. Everything is very close. So, for those of you who can push back, I'll give the presentation that was introduced, but if you want to decline the presentation that was introduced, you can. So, if you have a presentation that was introduced, maybe make the presentation that was introduced. So the thing you want to give, this is also something important as I follow this. Because it's not only the thing that was introduced, when you don't just put in the attributes that you take...

So what does your WordPress asset consist of? It actually consists of everything from... if you are into the networking model, if you've gone to college and learned this, the OSI model, so from the physical right up to the application there. So all of these things are your assets. So we're talking about things like the physical server, the network, the switches, the firewalls you put in between, the load balancers, even up to the provider that you use. These are all your assets if you look at it. If you just take WordPress itself, the binary software that comes with the firewall file, that's only one component. It's not everything.
There are other components that are interrelated and equally important when you look at an ecosystem of running a WordPress site. And the last WordCamp in KL was held in this particular venue. We also had a lot of exposure, a lot of talk about IoT integration when it comes to WordPress, which means you take your WordPress site and extend it beyond just a physical server. You put things like nodes around. And I've seen one demonstration where this guy actually used a WordPress site and actually monitored a plantation using IoT, and then it feeds the data back into WordPress. So when you talk about assets, we have to look at everything that interconnects back to your WordPress site, not just the actual binary or the server that is running.

Okay, so we're going to look into more details and things like APIs. APIs are a big thing today, and businesses are created from APIs. Literally, people are selling API as a service. I was just talking to Sam. He did push notifications, the beautiful notification you get on the app. He did not necessarily go and ask Google or Apple to allow him to do the push API. Instead, he just rented the service that actually does that. So APIs are also another big thing with WordPress. It's got lots of APIs that can interconnect other websites, can interconnect other services, and also things like IoT devices. If I'm going too fast, somebody just throw something at me. So I'm going to try to slow down. I made sure the bottle is empty.

Okay, here's a very important message that I want to bring out. Really, it's about... I'm just going to quickly adjust the microphone. Sorry about that. So, security is for all. Let's just stop there for a while and think about what this slide is trying to say. Okay, actually, I don't officially represent the WordPress organization, but I do definitely represent people like you and I who are part of the community. So the responsibility of the community is not... it's a collaboration.
It's a cohesion of all kinds of people who use WordPress. For example, if you have deployed WordPress and it's insecure and WordPress gets compromised, people hack it, it gets into a statistic, and that statistic will say, oh, another WordPress site got hacked. So as responsible users, as responsible system admins and also system integrators, it is important that we take this opportunity to not only just secure our site, but also bring the confidence back into society, bring the confidence back into the WordPress community. So that's the message I'm trying to say. So it's for all. So people here, they're developers. I spoke to some developers; they're people who wrote beautiful plugins and themes, and everyone needs to be in cohesion on this. Everyone needs to be part of this effort to secure WordPress, because it's an ever-growing platform. Like at the last WordCamp, if I'm not mistaken, it was 20-something percent of the world's websites running WordPress, and today we hit, I think, 30 percent. Is that correct, Mr. Sam? 30 percent of the world's websites. That's huge. I'm saying it like Donald Trump. That's huge. That's huge. That's huge. I mean, if you think about it, that's literally a third of the world's websites. If you take a stone and throw it at one website, there's a one-third chance it's going to hit a WordPress site. That's literally the kind of thing. So it's crazy. So in order for us to keep growing, we need to have all of these ecosystems thought of. Things like protecting, in fact, dare I say, protecting the interests of WordPress itself. And that's people like us, you and I, people who deploy, people who write code, people who build teams, build plugins. We have that responsibility to ensure that our sites are secure so that we contribute to a positive growth of WordPress. And let's hope by next year we get 35 at the same conference. So let's keep growing that. So what are the things that can happen when you get compromised?
So if you run a business, if you run a blog, if you run anything, everything comes down to reputation. And you have things like search engine reputation. You have things like human reputation. You have things like machine learning reputation. So all of these things will contribute to whether or not you are a reliable source of information. See, Google's interesting. Google says, I'm not going to put you up in the top ranks because you have a lot of keywords; I'm going to put you up because you have a reputation. Google is all about reputation. So if people visit you so much to get notes... let's say you're a photographer and you use WordPress to put up your stuff there. So if you keep giving good photography tips on how to change the frame rates, how to make this, how to do this, how to do that, people start to say, oh, he's a very reliable, or she's a very reliable, source for photography information. But then when you start to get hacked, and then malware starts to get in, and then people start to get infected, in fact Google can completely block you out. You don't even end up in the top 10 anymore. So the implication could go right down to your business. It comes down to economics. So economics matter. I was just talking to a friend from India yesterday. She was just back from the US, and we were talking about how to get politicians to listen to technology: it's by telling them what the economic impact is going to be. That's the only way you can get through to them. Otherwise they will just go like, WordPress? Security? But if you tell them it's going to cost you 2 million US dollars per year: oh, let's talk. Let's come to my room. So economic impact is important, and we also approach it in terms of security, reliability, validity and so on and so forth. And then there's the blacklisting factor. Check this out. This is an interesting statement that I want to put out, and people should take note of it. Each week Google blacklists 20,000 sites for malware and 50,000 for phishing.
That's the wrong spelling for phishing. But phishing. We've got a list. So don't be part of that statistic. Let's try and do something. Let's see what we can do today in the next 35 minutes that I have. So most statistics... I'll very quickly run through that, and this is the one on the top right. That's your statistics, and statistics show that more than 50% of online hacks are resulting from websites. Websites are not necessarily just WordPress: sites that you build from scratch, from frameworks. We talk a lot about frameworks now, PHP frameworks and so on. Those sites are also part of the contribution, but if you focus and say who is the biggest source of security vulnerabilities, that's going to be good old websites. If you look at the one below, top right, bottom, that's the OWASP Top 10 list of vulnerabilities, and they are so consistent. I'll show you some statistics on that as well. So if you look at products at the top of the ranking of usage, there is a correlation. This is pure probability. You know how probability works, right? If you have 10 things, if you have 10 possibilities, each of those possibilities will present a value.
Let's say, if you go out, there's a possibility you're going to have 10 people, or 8 people, going to speak about, for example, coding, and 2 people are going to talk about infrastructure, infrastructure meaning security like what I'm doing. 8 people are going to talk about coding, so there is a chance, there's a higher chance, if you walk in blind and walk into a room, you will probably hit the higher likelihood of hitting, or going to, a topic that is more code based, because that's what probability is: the numbers matter. So when you look at that and you put that into the context of WordPress, for example, you will always have a high number of security problems relating to the WordPress product. That's not because it's super vulnerable, but because it is so used. It is so used, and therefore the probability goes higher. That's simple mathematics to figure that one out. So it's not necessarily that it's more vulnerable; it's just that it's more used. There's more use, there's more statistics that will be contributed. The same goes with the Linux versus Windows argument, because Windows is like 95% of the world's population that use them, more like 90%, and if you say what are the top vulnerabilities, Windows always comes up, because that's where everyone's targeting. And if I'm a hacker, if I'm a hacker and I want to become famous, who do I target? Do I target ABC CMS or do I target WordPress CMS? You see what I mean? If I want to be famous, I target the famous boys, you know, girls, you know, I target the famous platform. So that's how it works. That's pure probability.

So that's what I'm showing: some of the popular list of apps and operating systems that you will see a lot when you go into CVE databases or security databases, and find them showing up everywhere sometimes. And if you look at the statistics here, this is zooming into WordPress itself, by the CVE foundation, the CVE... sorry, not foundation, the CVE vulnerability database. So basically they're saying the biggest one is XSS, cross-site scripting. So I
hope you know what that is. Anyone who's not familiar with XSS, call me. Anyone? Everyone familiar with cross-site scripting? It's actually a big problem, although it might not directly... it comes down to reputation. Cross-site scripting can come down to reputation: you bring people into... you give your users, you expose your users, you expose vulnerability to your users. So that's important, and that's like the number one top security problem when it comes to WordPress, according to the CVE. And so this is what's very important, and I wanted to share this with you as well. So those statistics basically mean that we have a responsibility, and it's real. Look at the statistics, it's real: in 2018 alone there are 10 vulnerabilities that are reported in CVE for WordPress, the latest version of WordPress. So it is a continuous battle for everyone, all parties and so on, and also it's not just... not just the developers, not WordPress, not all the guys, it's also us who actually help to contribute to the number of statistics. This is the vulnerabilities, but the amount of hacks that come from the vulnerabilities is not limited to this. Sometimes some of the vulnerabilities don't even get disclosed; it's hidden.

So I come to this statement, and I love this particular statement from Isaac Newton, and he didn't say it first, but he repeats it. He says: if I have seen further than others, it is by standing upon the shoulders of giants. It's a beautiful saying that says if we want to progress, we use the success of people before us, and that's actually a very powerful ethos of open source. Open source is built upon the success of... for example, what is PHP's language? Everyone? Anyone? What is the web language for WordPress? PHP. So PHP is not developed by the WordPress people; it is developed by the people who develop PHP. And PHP runs on what? Web servers, Apache, for example. Apache is developed by someone else. What does Apache sit on?
It sits on the Linux operating system, or Windows, of course, Windows being closed source, but that's not just the open source part. Linux is built by the people who built the Linux operating system. So if you can see, the success of everyone depends... it's a domino effect. So the success moving forward when it comes to WordPress, it's the same thing. So we sit upon the success of the people before us. That's a very important statement. So it is a joint responsibility from all of us to ensure that.

Okay, so let me very quickly go to the top ten. The first thing is: choose right. Choose right meaning you've got two options, okay. You've got hosted. You have some of our beautiful sponsors out there that actually have a one-click WordPress deployment, you know, like you click one and off you go running. Or you've got some options to run it bare metal, meaning you install it yourself. I do both. It depends on what I want to achieve. If I want it fast, I will do it, of course, with people like Exabytes, for example, or people like your AWS or whoever is running cloud, for example, who can actually, just on a click of a button, get your WordPress up and running. Or if you are, like, you know, sometimes you need to customize it further, you want to do it in your own different way, deploy it on your own servers, for example back in your office, then you don't have the cloud function, you have a local deployment function, then you need to install it from scratch. So each of them has their ups and downs. So I'm just going to jump straight into the considerations and things that you should pay attention to.

So when you're hosted, you have to understand that providers do not necessarily care about you. It is generic, meaning they care about the servers. They don't care about your application, what you run on it. They won't scan it, they won't figure it out. So it's something you have to understand. But if you do it yourself there's a good chance... so bear in mind, providers will not give you extended security. They will not give... they probably give you a
baseline security; it's up to you to make it better. They also share resources. Now, shared resources are good and also extremely bad. This happened to one of our customers, and they actually put some of their servers on a very famous website provider, but it's shared. So what happened was, this website provider had, I think, about 15 sites running, and one of them was another CMS, which I'm not going to mention, and that got hacked, and it dropped a crypto miner into the operating system. You know what a crypto miner is? That's right, it's going to max out your CPU. So what happens is every site got affected. So just bear in mind, if you run into a bigger capacity, if you want to run into the biggest capacity, maybe it's time to move out of shared hosting. So shared hosting means sharing the good things, but more importantly to remember, it's also sharing... okay, so there's another problem also with shared hosting, we all know that, and that is it's difficult to do OS-level functionalities, because it won't allow you to, because it's shared. You're not exclusive to that server; you're sharing with other people. Okay, so you don't have the customized stuff that I will mention in my slides on securing, that you might not have with hosted providers. So here's another very important point, that is, the hosted guys likely do not maintain your site. They just maintain their servers. They maintain what they provide. They will not maintain your site. So you need to actively do it. So do not rely on most people to secure your site alone; you have to actively do it yourself.

The other side, bare metal: it can be quite trivial to make mistakes. So if you're not familiar, you do not know Linux, or you do not know deployment of Linux systems or Windows systems, then this might not be the route for you. The bigger thing that you need to consider is, when you deploy, if you don't understand the risk, the chance of you causing some security problem is higher than if you go with a hosted provider which has some level of security. So if I have to compare, if you
do not have knowledge, if you're still learning, I would still go with a shared hosted provider. Just so that I've told you very clearly: the difficulty level does get higher as you start installing, and if you run into problems you need to challenge yourself, as opposed to using, for example, Plesk or cPanel by the provider, where you just click next, next, next. So you're maintaining it at all levels also. So not to forget, when you're at a shared hosting environment, you just maintain WordPress, but if you're in your own environment, you're maintaining WordPress, you're maintaining your firewall, you're maintaining your operating system, your databases and your web server. So you are, I think, maintaining the whole ecosystem of your site. So you need to have some knowledge of all of them. I wouldn't say you need to have super deep knowledge, but you need to have some knowledge of that entire thing that you are keeping in your service, right? So that's a Spider-Man statement: with great power comes great responsibility. Which means, since you have good access, I would assume, if you build it yourself, you have good access, it means you also have a real responsibility to make sure that you do not mess things up. It's very powerful to come.

Okay, so after you've done all the installation, I recommend you to try one of these. These are stuff that I'm recommending; it's not necessarily the best. This is stuff that I use, so that I can only recommend things that I'm familiar with. I can recommend things that I've used. So these are the things I use, and not necessarily the best, and not necessarily promoting any, but these are the stuff I use. If you have not done this, so if you have not done them already, please immediately try to deploy them at the end of the session. Go into the WordPress marketplace, look for iThemes, for example, install it and do some scans to make sure whether your hosting provider or your own deployment is good and secure.

The next thing is authentication. Authentication is... what is authentication?
Everyone will think of passwords, obviously, right? So WordPress has many plugins to introduce something called two-factor. What is two-factor? There are multiple factors when it comes to authentication: something you know, which is your password; something that is you, which is biometrics; and something that is with you, for example like a smart card. Okay, so these are three options when you do two-factor authentication. So instead of just providing a password, I'm also going to send you a TAC. Everyone has used online banking before. Why does it require you to get a TAC when you do a transfer? That's only because it's another layer of security. Yes, you have already logged in, for example, or whatever, but if you want to start to do an actual transaction when it comes to money, you ask for a TAC, so that gets an additional layer of security. So if you've not done that already, today, go and enable two-factor authentication for your admin accounts at least. Okay, that will just eliminate something called brute forcing attacks. Okay, that's already going to eliminate a lot of possible people trying to guess passwords. Use complex and long passwords. I've got a game later I'm going to play with you, so that's something to do with the size.

So, avoid or rename common admin users. I'm not a big fan of this, but this is somewhat true. You see, what happens is, I would say 98% of the reason why people find vulnerable sites is because people use default settings. Default settings means my admin user is actually called admin, and my database is actually called wp_, all the tables are called that. So it's easy to guess. So the people who actually want to look for you are not humans; they are actually machines, they are scanners, and when the scanner finds something interesting about your site that is using defaults, you will be the first to get hacked. Okay, unless you are, for example, you run a government agency, for example, and somebody wants to make an active effort to hack you, then you will have a
human doing it, but there's a good chance that most of the hacks you see today with WordPress or any other CMS are using bots. It actually just scans an entire IP range and tells them who's vulnerable. It's like, for example, I used to give this example: I went online, I put a server onto the desk and I plugged it into the internet. It was less than 20 minutes before somebody was trying to force my session. Less than 20 minutes. That's how fast these bots work, okay. They just scan and keep scanning, keep scanning. So don't be part of the easy targets; don't make it easy for them. So try and change the name. There's also a plugin to do that. Don't do it through the database, don't go and modify it yourself; do it through a plugin, okay, it's a safe way to do it. And try to change the admin URL. How many of you, okay, let's be honest here, how many of you still use wp-admin? Okay, try to change that. That's also a plugin, because, like I said, it becomes a commonality. People know: guys, guys, your admin page is wp-admin, right? So you open up, you make it easy for them. Security is not a silver bullet. Security is supposed to be something to make it harder for people to get into your system. It's not going to prevent it 100%. If somebody tells you that they have a product that can prevent security, they're probably just lying. There's no such thing. It's a matter of time before it gets broken, but our job is to make it hard for somebody to... oh, thank you so much. It would have been nicer if it was a beer, but, you know. So change the admin login URL. Okay.

And salts. Everyone familiar with hashing and how salts work? Should I just quickly go through what that means? Hashing is a process of taking a text, like, say, my name is Sanjay. That's a text. When I put it onto a PowerPoint presentation you can read it, therefore it is visible. Hashing is a process of putting encryption on top of it so that it becomes unreadable to machine or human unless you know the password and you use the hashing algorithm to match. So
what happens is, with hash, even if somebody downloads the passwords... and this, I'm telling you, there is this very famous movie website, I'm not going to name it, obviously, you know there's only two, but one of them literally still today, 2018, they still store passwords in clear text. I'm not going to go there, but they don't use WordPress, by the way; they built it themselves. But that's, that's not a free demo and not free. But if you use passwords that are visible, if somebody gets a copy of the database, passwords are visible, and there's a good chance that password is also going to be used from one site to another site. Like, for example, I'm pretty sure, how many of you, let's be honest, how many of us reuse passwords on more than one site? We do. That's a fact. So the problem is, when you have a less secure password, that same password can then be used somewhere else. You see what I mean? So obviously your bank password is secure, because you've got people, you know, taking care of security, but you also put the same password for another site, same username, same password, and it's not a secure site, for example that movie site that I was telling you about, and somebody hacks that. They can then try different types of websites by guessing one of the places you might be visiting: you try and use Gmail; the second thing I would do is try and use Hotmail, or some other common services that everyone is likely to use. So be careful with that. So hashing basically encrypts that, hides it away. So salt is a process of adding more complexity to it, adding more complexity to the encryption. So, as I said, enable a password policy, enable HTTPS. This is something you are familiar with, I guess, and again some of the plugins you can take out. Quick question: which is more secure? Who says 1, raise your hand. Which password is more... is better? Number 3? Who says number 1? Let's raise the hand. Who says number 1? Who says number 2, raise your hand. Who says number 3, raise your hand. Okay, the answer is number 2. It will take
a few billion years to crack that password. But you see, check this out, right, which password is easier to remember? Number 2, right? All right, okay, forget about 1, that's invalid. But number 2 is easier to remember; it's a text. So the thing is, the problem with number 3 is you will not remember it. Guess what you will do? Post-it notes, right? Right inside your hand, on your hand, behind your skin. So it's actually interesting, because people think that the last one is always the secure one. Number 2 is more secure. It's computationally more difficult, far more difficult, to break than number 3. Game over.

Authorization and logging. So I'm going to have to speed up a bit, as the time is running short, but it's important for you to also audit, audit your site, and use these plugins again. Turn firewalls on, turn access logs on. Access logs are: who logged in at what time, they log in and stuff like that. So all of these plugins do already have them; you just check logs, enable them, off you go. Geofencing for admin folders, in which you can actually say I will only allow wp-admin from a certain region, for example just Malaysia. You can just limit that. In fact, one of the things that I did with our systems is I limit, because I don't have customers outside of Malaysia, I just limit my WordPress site to Malaysia. Why do I need to serve someone outside? So geofencing helps, okay; you reduce your attack surface.

Quality coding. I cannot stress this enough: when people write plugins and themes and so on, please follow WordPress guidelines. I know some of you watched a brilliant speech by an entrepreneur this morning, and he was talking about how to make business from WordPress. So it's our responsibility, as persons who do these plugins and themes, to follow guidelines and to also audit your code, because it's our responsibility: when somebody installs it, they will then inherit the security that you do or don't do. Okay, avoid sideloading of plugins. I remember one guy, I said... oh, you know, I can get ThemeForest themes for free if I go to
this one particular website. I wouldn't do that if I were you, because somebody could inject code that actually could track stuff, download the passwords or decrypt the passwords and send them to an email, or telemetry, you know, connect back to the attack server. So use proper theme sites. Do not sideload, and do not do anything funny like that. Try and use the ones from the marketplace. That's quality coding in there, okay.

Spam prevention is also important. Spam on your blog can literally reduce your Google ranking, so pay attention to anti-spamming, okay. Try and put an anti-spam product in there. So these are some of the sample products, the plugins you can use to prevent spam, and also all the other things that I've mentioned there.

Monitoring and visibility. Although monitoring is definitely not security, but what is security? Security is also... one of the things of security, besides data breach, is also availability of your site. If your site is not online, it could mean it is unplugged or it could mean it got hacked, so one of those things. So it's important for us to know, or you to know, that your website is running right now. So, like, for example, I ask you right now: how many of you are 100% confident your site is running right now? Not by chance, not by, oh, I think it's running, but by fact. That's only one person who raised their hand, maybe less than 10. So put on monitoring, guys. There are plugins available. Put on monitoring; if your site has a problem, it will have an email sent out to you. Or you can use a third-party site. I will show you, if you download my slides, there are some links to free sites that actually give you free monitoring of your website, so if your website is inaccessible as well, you get an email notification. It's important to keep your site up and running. This is part of security; monitoring is part of security. And here are some of the plugins you can use, so if something is wrong with your site, it goes down, you can actually use one of these
plugins, which will inform you that the site is down. These guys do that perfectly fine; it means you can respond right away.

Updates. Amazingly enough, I'm not going to say it too loud, but there's close to 80% of government-run WordPress sites that are still using version 2 and 3. No kidding. And this is huge. It just rings all kinds of bells and flags in my head, but that's the fact of life. Do your updates. And where do you find your updates? It's so simple: in WordPress you have that icon that pops up right on the left side that says one update. Please click and do the updates. They are not to make your site fancier; they are meant to make your site more functional and more secure. But you do have occurrences where you have big updates, like version 4 to 5, and 5 is going to be released soon, so you might not want to do big updates straight away; you want to do it on your test site first, then if you are comfortable, go ahead and do it in your production site. So some of the plugins that can help: of course you have the WordPress dashboard itself, which will tell you some themes or plugins, or WordPress itself, need an update. It will flag it out; it will show you a red icon. And of course, if you are running your own servers, you need to update with your apt-get or your updates.

So, auditing your site. This is quite new. A lot of people are offering this, internally from the plugin store or from external; they can actually scan your site to see if there are any vulnerabilities. So these include free service providers and also some paid ones, so I would suggest considering and looking for both. It's as easy as putting into Google "WordPress security scanner", or putting it into Bing, and I'm not a Google advocate, but putting into Bing "WordPress security scanner" and looking at some of the options and free ones that come up. Okay, I've got some recommendations as well, but these are made more for local scanning, which means I scan myself from the WordPress itself. There's good and bad to this, but I
would still recommend you to do double prong which means you do local scans using the plugins and also an external scan moving very swiftly this is big I've got people literally crying I'm not kidding you they literally cry and call me at 2 am on Sunday when I had a bit of drinks by a bit means I can't wake up I can't wake up means I'm unconscious my unconscious means I cannot even hear the phone ringing no I'm just kidding but seriously people call me at like huge denial of service distributed denial of service everyone knows what this is someone needs to clarify what a DDOS is distributed denial of service make it simple for you your website runs on port 80 for example or 443 HTTP or HTTPS right so a legitimate request is going to those ports when I access your WordPress site HTTP response back with the data HTTPS response back with the data so a distributed denial of service attack sends thousands of requests to your site causing your site to respond to the attacker rather than to your customer or to your people who patron your website so a distributed denial of service is actually a legitimate access but designed to stop legit people to access your website so what do you do my easiest advice is unplug the cable but you know we can do much more so there are things like anti DDOS options that you can use something like Cloudflare have you heard of those guys so Cloudflare is something you can start to do it's free and they have built it DDOS protection so go right ahead explore Cloudflare at the end of this talk if your WordPress site is part of your pocket it makes money for you then it's going to find for you to consider putting it into Cloudflare so some of the examples AWS Azure and I guess some other providers as well maybe exabytes as well I'm not sure exactly but they might have anti DDOS protection consider using them Cloudflare is the easiest to do you just modify the DNS it takes a bit of knowledge on how to do that but it's super step by step that will 
help you Number 10 very quickly running through them I think you know these things you are very familiar with these things turn on firewalls no option IDS IPS is an option protection system protection system antivirus even on Linux even on Macs by the way put in antivirus anti malware because you have things like crypto crypto malware you've got things like ransomware that can come and wreck your wall because they don't care about operating system they are actually scripts that run and execute code from your laptop using your laptop as the resource to generate a lot of traffic and data use load balance cloudflare is an example of a software based load balancer once you be on cloudflare you are part of the CDN cloud distribution network which is worldwide so you are not limited to a certain like your server could be in Malaysia but if you deploy cloudflare your server is then replicated and I am putting it in a simple term replicated throughout the world time is up ok I am also done so to wrapping it up to wrap it up let's just go back very quickly just one minute let's recap so first thing is start right choose the right provider or choose whether you want to do it yourself two ensure you have things like two form of authentication three ensure that even after you've done that you have logging and auditing turn on and four make sure you when you do coding especially developers code following WordPress guidelines five make sure you do have some monitoring like I told you there are three tools on-site on the WordPress plugin itself or at the party tool that you can use to scan ok so then they will send you an email backup and restore again the keyword here is restore not backup everyone does backup test your restore as well do updates do updates of course that's the easiest one everyone I think hopefully does that and if you have colleagues or friends who do not be done in development please knock them on the door and on their head not just the door tell them to do 
their update and on-site there are three tools out there there's one from these guys from my company scholar was it's a free tool you can go ahead and try let them scan and give you a result and how secure your WordPress site is do some level of distributed denial of service prevention things like Cloudflare and of course your local security with that here are the links don't write them down we can download the slides of course you can find and these are really good ones I feel that all of them to make sure it's really relevant and easy to use for our TPL guys ok and special mentions these are the excellent monitoring they were telling me about we can use them for free again don't worry about taking pictures guys you can download the slides you can see it directly from the slide itself so with that I hope we all consider security is part of our responsibility it's not an option I hope it's not an option I hope at the end of this talk you do one of the 10 things and I've achieved my goal of helping the community to be a little bit more secure with that, thank you
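The monitoring point in the talk (knowing by fact, not by chance, that the site is up) can be turned into a small check. This is an added example, not code from the talk or its slides: a Python probe that fetches two pages, one of which always executes PHP so a cached homepage cannot hide a dead backend, and alerts only after repeated failures. The site URL, the marker string and the thresholds are placeholders and assumptions to adjust for your own installation.

```python
import urllib.error
import urllib.request

SITE = "https://example.com"       # placeholder: your own WordPress site
PAGES = ["/", "/wp-login.php"]     # "/" may come from a cache; wp-login.php always runs PHP
MARKER = "wp-includes/"            # path stock WordPress pages reference; assumption, adjust if rewritten

def fetch(url, timeout=10):
    """Return (status, body); network errors become status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""

def site_is_up(fetch_fn=fetch, site=SITE):
    """True only if every probed page returns 200 and looks like WordPress output."""
    for path in PAGES:
        status, body = fetch_fn(site + path)
        if status != 200 or MARKER not in body:
            return False
    return True

class UptimeAlerter:
    """Alert after `threshold` consecutive failures, then one recovery notice."""
    def __init__(self, threshold=3, notify=print):
        self.threshold, self.notify = threshold, notify
        self.failures, self.alerted = 0, False

    def record(self, is_up):
        """Feed one check result; return 'alert', 'recovered' or None."""
        if is_up:
            self.failures = 0
            if self.alerted:
                self.alerted = False
                self.notify("site recovered")
                return "recovered"
            return None
        self.failures += 1
        if self.failures >= self.threshold and not self.alerted:
            self.alerted = True          # one alert per outage, not one per check
            self.notify(f"site down for {self.failures} consecutive checks")
            return "alert"
        return None
```

Run it from cron or a loop that calls `alerter.record(site_is_up())` once a minute, with `notify` swapped for an e-mail or SMS sender; the consecutive-failure threshold keeps one dropped request from paging you at 2 am.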
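The denial of service explanation above, that a flood is ordinary HTTP requests at volume, is something the web server's access log shows directly. As an added example, not from the talk or any product it names, here is a Python sliding-window counter over constructed Apache/nginx access-log lines that flags source addresses exceeding a request rate; the window, the threshold and the sample addresses are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def find_flooders(lines, window_seconds=10, max_requests=20):
    """Map each source IP that exceeded max_requests within window_seconds to its peak count.

    Assumes lines for a given IP are in chronological order, as a live log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed or truncated lines
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire timestamps older than the window
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def sample_log():
    """Constructed sample: one ordinary visitor and one client flooding search pages."""
    visitor = [f'203.0.113.5 - - [10/Oct/2018:13:55:{2 * i:02d} +0800] '
               f'"GET /page/{i}/ HTTP/1.1" 200 5123' for i in range(5)]
    flood = [f'198.51.100.9 - - [10/Oct/2018:13:55:{i // 6:02d} +0800] '
             f'"GET /?s=x{i} HTTP/1.1" 200 7731' for i in range(30)]
    return visitor + flood

if __name__ == "__main__":
    for ip, count in find_flooders(sample_log()).items():
        print(f"{ip}: {count} requests inside one window, consider rate limiting it")
```

A distributed flood spreads the load over many source addresses that each stay under the per-IP limit, so also watch the total request rate; that is the case where fronting the site with a service like the Cloudflare option the talk mentions matters most.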