We're talking about website security, the big picture with simple steps to take. A lot of people think that security is scary. And that is an animated GIF that is not animating. That's a bearded dragon behind that kitten. And it's funny. But maybe it's not scary after all.

So there are several different types of attacks that can happen to your site. A brute force attack: basically somebody is just trying everything they can to crack a password or get into your site by trying every password combination, every username and password combination they can think of. SQL injections. Cross-site scripting hacks. Cross-site request forgeries. File inclusion vulnerabilities. Directory traversals and so many more. A lot of this stuff happens if your form doesn't sanitize its data properly or if you're not including secure JavaScript. And a lot of this stuff can be mitigated pretty easily, and that's what we're going to talk about today.

So here are a few things we're going to talk about to drastically improve your security pretty easily. Choosing a quality host. And we're going to go over all this stuff point by point. Use quality and trusted software. Manage your usernames and passwords. Enable two-factor authentication. And then I have a few quick tips.

So in choosing a quality host, a lot of what you want to do is ask for advice from other people you trust. There are a lot of inexpensive hosts like Bluehost, which is recommended on WordPress.org. So because of that recommendation, we know that it's somewhat trustworthy. SiteGround is another inexpensive host. These hosts are like $5 a month, $10 a month hosting packages that you get, and you can host a couple of sites on there. But they're usually shared hosting, which means that your website is on a server with 100 other websites. Now there have been times in the past where, because of some server mismanagement, one site that's completely unrelated to your site got hacked.
But because of the insecurities on the server, that caused every other site on that server to also get hacked. That happened a few years ago with WordPress especially. There was a vulnerability, not specific to WordPress, but to some themes that were including some stuff that WordPress users used. And they were on these hosts that got taken advantage of, and it infected every site, even though those sites were secure. There are mid-range quality hosts like Pressable and WP Engine. Some of the hosts that are sponsoring this event would fall in that range as well. And then higher end is like Pagely. iThemes actually has a document. There's a bit.ly link here, and my slides are available on the WordCamp website. But that link should take you to an e-book that iThemes put out about how to choose a quality WordPress host.

Choosing quality software. There are some things you should seek and some things you should avoid. Get your software from a trusted source. WordPress.org is considered a trusted source. The plugins aren't necessarily vetted by a third-party developer. But if you look at the ratings and reviews of that plugin, that should help you get an idea of whether or not it's trusted. Also, the download base is a good number to look at. If you're looking for a plugin that does something and you see three of them on the WordPress.org website, and one of them has one download and a one-star rating, you might want to avoid that one over one that has a five-star rating and 20 or 100 or 10,000 downloads. Back up to the trusted sources. Again, ask developers you trust or people you know; on Facebook, there are a couple of WordPress groups that are really good places to ask questions like this. Find a place that sells premium themes if you're looking for premium themes, or even premium plugin developers. Like iThemes, I would think, is a trusted source. We sell themes and plugins.
StudioPress sells themes that you can trust because they have a brand that they're trying to protect, and they don't want to put garbage out there. And my last point, which I already discussed, was the recommendations from other WordPress users. A recommendation to avoid is torrents. Now, torrents aren't necessarily bad, but a lot of people don't want to pay $50 or $100 for WordPress themes. So they'll go and try to see if it's available for free someplace. And one of those places is by downloading a torrent. And sometimes you're going to run into somebody who downloaded that theme, or even bought the theme, injected their own malicious code into it, put it up on a torrent, and now you're infecting your site by installing it. Another place that I would avoid is any site that's selling all the things. Every once in a while, every six months or so, some genius developer says, you know what, I've got access to all the Genesis themes, all the iThemes themes, all the whatever plugins. I'm going to sell these for $5 on my site. And I'm not going to support them. That's going to be on the purchaser to figure out how to get support for it. And unfortunately, with the GPL, that's perfectly legal as long as you're not breaking any sort of trademark stuff. So you can download those themes for really cheap, but it's not really a trusted source. They could inject an ad on your site saying "bought from this site," or malicious code again. So I would avoid those two as major places of getting software.

But another thing you need to remember is even quality software can introduce bugs or security holes. WordPress is quality software as far as I'm concerned. Sometimes it has a security hole. We're not perfect, nobody's perfect. The good thing about getting your software from trusted sources is that they're going to respond to security complaints. Hopefully they're going to deal with security complaints before they're publicly known. Even Microsoft and Google run into this.
They'll have a security thing. Usually they're notified, and they patch it before they release what that security thing is. Hopefully hackers don't find out what it is before anybody else does, though. So one thing you need to do is, if there is an update, update it. So WordPress gets an update, update it. Because there might be a security vulnerability that you're updating for, or a plugin, or even your theme.

An important thing you need to do is manage your usernames and passwords. And this is across the web, all of your usernames and passwords. Don't use the same password on multiple sites. If somebody hacks my iTunes account and I'm using the same password as on my bank account, then that may be a way for them to get access to my bank account. I recommend using password managers like LastPass or 1Password. I personally use LastPass. You can use it to generate and store very long, random and unique passwords. And it's really user-intuitive. You go to a website, it has a user form. You put in a new username. There's a button to generate a password. I recommend at least 16 characters. And you hit submit. It will save it into your LastPass store. It's very secure, it's encrypted. Not even LastPass can get access to it. If you forget your LastPass password, then you've lost all your passwords. Sometimes my wife will say, hey, what's your Facebook password? I need to log into your account. And I'll say, I don't know. I have to log into my LastPass, click on the button to show me my password, and say, H, capital K, 3, exclamation mark, E, W, capital Z. And that's great. It's great that you don't know your password. The only password I know is the basic insecure password I use for throwaway accounts that I don't care about, and my LastPass password, which is not basic or insecure. In fact, my LastPass password is longer than the passwords that I have generated from LastPass.
But there are a lot of people that don't trust password managers because they're afraid that their password's going somewhere that's insecure. Now, with LastPass, I don't know as much about 1Password, but with LastPass, a security researcher named Steve Gibson, who I'm going to talk about in a minute here, did a pretty thorough breakdown of how LastPass works and how there's no way LastPass can see your password. But if you don't trust them anyway, Steve Gibson has another method that I have fallen in love with for people who don't trust LastPass. It's called the password haystack method. And basically what you do is you come up with a needle, and the needle is your base password. So in this example, my needle is dog, D0G with a capital D. And so I'm going to put that in my head. That's my password from now on, D0G. It's super easy, super insecure, right? Because it's only three characters. But the secret is to put that needle in a haystack of other things you're going to remember. So in this example here, D0G followed by 12 periods. That's the haystack. It's going to be impossible for a password cracker to brute force that password because, even though it's not random characters, they have no idea what those characters are. Unless, of course, you let them know what your haystack is. So a recommendation would be: pick a random password that you're going to remember, D0G. And if you go to CNN's website, make your haystack something like CNN-CNN-D0G-CNN-CNN. Nobody will be able to crack that password, but it's super easy to remember. You're at your website, okay, CNN and a dash. That's my haystack. D0G, that's my secret password that nobody knows and no one can guess. So my question for you is: which of the following two passwords do you think is stronger, or more secure, or more difficult to crack? A show of hands for this 16-character password with D0G. Anyone think this one's secure? Nobody. One person's a maybe. They think I might be tricking people.
And then I have this 15-character completely random password. Who thinks this is secure? More secure. Okay. So this is what WordPress tells me. When I put in D0G, it says it's very weak. And when I put in the random characters, it's very strong. But if you can get one quadrillion guesses per second, it would take 1.4 trillion years to guess the top password. And the bottom one, only 1.49 billion years to guess. They're both very secure. But the 16-character password is exponentially more secure. The reason being that there are 94 characters per space. Yeah, per character. And basically because the 16 is 94 to the 16th power, that's how many combinations there are for people to guess. Now the WordPress thing I showed you is testing for uniqueness in characters. They think because you did a bunch of dots, it's not very secure because there's not much entropy. But because it's a haystack, nobody's going to know what your haystack is. So it's an interesting test. Just kind of proof, like, if you don't want to use LastPass, this is a very secure way to do it. Now, this "assuming one quadrillion guesses per second" thing is like an offline NSA-style attack. There's no way you'd get that many guesses on the website. The number on a website for attacks would be: the site breaks before you even get to guess any large number of combinations. The site would be expired. We're all going to be dead before they will get your password.

All right. On to two-factor authentication. There are three factors of authentication. One is something you know, which is a password. The second one is something you have, like a phone. And another is something you are, like a retina scan or a fingerprint. You can enable two-factor authentication, often referred to as 2FA, pretty easily. iThemes Security Pro has it enabled. And there's a plugin on the repo called Two-Factor. And you can use a number of things to get that second factor. Authy, there's an app on my iPhone.
You probably can't really see it, but it comes up. It asks for a password, but it actually takes my fingerprint as well. And then there's a code that generates every 30 seconds. And that code expires after 30 seconds, and basically you type in that second factor after you've put in your username and password. And what that does is, if somebody knows your password to your bank account, they type in your username, type in their password, or your password, hit Enter. It's going to say, okay, what's the second-factor authentication? They need to have your phone. Or they need to have your fingerprint. Or, you know, your eyeball. And so I have LastPass on my phone, which requires two-factor authentication. So when I pull up my LastPass account, I have to put in my 100-character password. And then it says, what's your two-factor? I have to close the LastPass app, open Authy, and it says, what's your fingerprint? I put in my fingerprint. And then it gives me that. So you'd have to hack, through brute force, one of my passwords. With my phone, you have to have my fingerprint and my LastPass password to get the second factor through Authy. So it's extremely secure. And a pain in the butt sometimes.

So about, I guess, five or four years ago, I started having all these users come to me with hacked websites. It was around the time that the TimThumb vulnerability came out, and a lot of themes were using TimThumb. And so I was getting like two, three, four, five sites a week from people whose sites were hacked. And I made a document basically of how I was repairing these hacks. It's more developer-minded, but I decided I'd write it out into a booklet, and I put it up on Amazon for $0.99, free to Amazon Prime subscribers. And it's called The Concise Guide to Securing WordPress and Repairing Hacks. It needs an update. There are some outdated things in there. But if you're interested in looking at it, there's the Amazon link right there.
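The rotating 30-second code described above is a TOTP (RFC 6238). The following is an added example, not the speaker's code and not the implementation used by Authy or LastPass, that generates a code and checks it the way the server side does: the current 30-second window plus one step either side is accepted, and a code from an earlier window is rejected as expired. The secret and time values are the RFC 6238 test vector; the base32 helper mirrors how authenticator apps receive a shared secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the 30-second window the talk describes
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the counter is the number of whole steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and one step either side (clock drift);
    anything older has expired. Codes are compared in constant time."""
    if at_time is None:
        at_time = time.time()
    now_counter = int(at_time // step)
    for counter in range(now_counter - skew_steps, now_counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def seconds_until_rollover(at_time: float, step: int = STEP_SECONDS) -> int:
    """How long the code shown at at_time stays the current one."""
    return step - int(at_time % step)


def decode_base32_secret(text: str) -> bytes:
    """Shared secrets are handed to the phone app as base32 (what the enrolment QR code carries)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real credential
    t = 59
    code = totp(secret, t)
    print(f"code at t={t}: {code}, rolls over in {seconds_until_rollover(t)}s")
    print("same code at t=89 accepted (adjacent step):", verify_totp(secret, code, 89))
    print("same code at t=120 rejected (expired):", verify_totp(secret, code, 120))
```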
But here are a few things about the securing WordPress part that I wanted to talk about. You can move your wp-config file outside of the web root. So when you install WordPress, it's all in one directory, right? The web directory has wp-admin, wp-content, wp-includes, and then a bunch of WP PHP files. One of those PHP files is wp-config.php. If you move that file one directory out, outside of the web root, WordPress still reads it. But it makes it a little bit harder for hackers to get into your system to see that file and to get your database credentials. The number one thing I found to be probably most effective is turning off file editing in WordPress. You know when you go to Appearance and there's Editor, or Plugins and there's Editor? Those allow you to edit a theme or a plugin. If I get access to your site, I can go to the Plugin Editor and add a line of code to download anything I want to your site and basically take it over. I could change all your passwords with a line of code because of that Editor. It's not insecure per se if you have secure passwords or there's no other way for them to get access to your site. But I found that that's one really quick and easy step. You stick that line of code in that wp-config file towards the end. There's a little comment that says "add stuff here, stop adding stuff here." And that will protect you from those sorts of attacks. Along with that, deactivate any plugins that allow PHP code execution. There was a popular one being used, I think it was called PHP Exec, and it would allow you to run PHP from a widget. So you have a little widget in your sidebar, and you do your open PHP command and then write PHP code, and then it would output whatever you wanted to output. And it was a pretty good hack. There are some of these that allow you to do it in post content. Those codes are another way for hackers to inject malicious code into your site.
If they get access to your admin, they can edit that post or that widget and put in PHP code that automatically downloads their file to them. So deactivate any plugins that allow that. But also delete any plugins and themes that you're not using on your site. If you've ever developed on a website and somebody has asked you for help, but they don't have their FTP credentials and they haven't disallowed file editing yet, sometimes you can go in there and make some changes to the code of a plugin that they need help with. It's somewhat risky because if there's a typo in your changes, you can bring down the site. This is why FTP or SFTP is more important. But more importantly, if there are any deactivated plugins, in other words, plugins that you're not going to notice aren't doing anything on your site because they're not doing anything on your site. So if they're deactivated but they're still on your site, I'm going to go into the editor. I'm going to edit that plugin, and I can change whatever I want, and it's not going to take down your site. Even if I have a typo, because I'm going to browse directly to that plugin file and it's going to give me an error. If it doesn't give me an error and it runs properly, great. But if I fat-fingered something and there is an error, all I need to do is go back into WordPress and edit it, because it's not an active plugin. So delete any plugins and themes that are not active on your site.

Another thing you can do is enable SSL on your site everywhere, but at least for logins. There's another piece of code here on the bottom that you can add to your wp-config: define('FORCE_SSL_ADMIN', true). Basically what that does is, at least when you go to wp-admin, it will redirect automatically to the HTTPS version of your site if you have SSL installed.
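The two wp-config.php lines this section recommends, DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN, plus the table-prefix change that comes up later in the Q&A, can be checked mechanically before a site goes live. The following Python is an added example, not the speaker's code or an iThemes tool; the two wp-config.php fragments are constructed samples, the constant names are the real WordPress ones, and the comment handling is deliberately simple (whole-line // or # comments and /* */ blocks are dropped, nothing else).

```python
import re
from typing import Dict, List

# Constructed sample (not from the talk): what a fresh install leaves in place.
WEAK_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'REPLACE_ME');
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);   <- commented out, so it is not in effect
/* That's all, stop editing! Happy publishing. */
"""

# Constructed sample: the same file with the hardening steps from the talk applied.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'REPLACE_ME');
$table_prefix = 'k7x_';
define('DISALLOW_FILE_EDIT', true);   // removes the Appearance > Editor and Plugins > Editor screens
define('FORCE_SSL_ADMIN', true);      // wp-admin and wp-login.php only over HTTPS
/* That's all, stop editing! Happy publishing. */
"""

# define('NAME', value) where value is a bare boolean, a quoted string or an integer
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>true|false|'[^']*'|"[^"]*"|\d+)\s*\)""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")


def strip_comments(src: str) -> str:
    """Remove /* ... */ blocks and whole-line // or # comments, so a define that
    somebody commented out is not mistaken for an active setting."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return "\n".join(
        line for line in src.splitlines()
        if not line.lstrip().startswith(("//", "#"))
    )


def parse_config(src: str) -> Dict[str, str]:
    """Active define() constants (quotes stripped, booleans lower-cased) plus the table prefix."""
    src = strip_comments(src)
    settings: Dict[str, str] = {}
    for m in DEFINE_RE.finditer(src):
        value = m.group("value").strip("'\"")
        # PHP treats the string 'true' as truthy too, so normalise both spellings
        settings[m.group("name").upper()] = value.lower() if value.lower() in ("true", "false") else value
    prefix = PREFIX_RE.search(src)
    if prefix:
        settings["$table_prefix"] = prefix.group("prefix")
    return settings


def audit(src: str) -> List[str]:
    """One finding per missing hardening step; an empty list means all three are in place."""
    s = parse_config(src)
    findings: List[str] = []
    if s.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the theme and plugin editors are reachable from the dashboard")
    if s.get("FORCE_SSL_ADMIN") != "true":
        findings.append("FORCE_SSL_ADMIN is not true: wp-admin logins may be sent over plain HTTP")
    if s.get("$table_prefix", "wp_") == "wp_":   # WordPress defaults to wp_ when the line is absent
        findings.append("table prefix is the default wp_")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

To check a real file, pass its contents to audit(), for example audit(open("/path/to/wp-config.php").read()).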
The reason why this is important, and it's usually important for people who do a lot of work at, like, Starbucks: you go to Starbucks and you're doing work for your client and you log in to the admin. Well, I just happen to be at Starbucks too, because it's not a very secure Wi-Fi environment, and I'm running a packet sniffer, and I immediately get your username and password for that site because it's not logged in through SSL. SSL encrypts the output going both ways, really, of the connection. So you fill out a form, username and password, as a form and send POST data; that body is encrypted to the site with SSL. Without SSL, it's plain text. So even though you see those black dots in the password field, it's sending that as plain text. If you're at Starbucks and you log in, I see plain text coming through if you're not using SSL. Okay, well, I just got wp-admin. Oh, you didn't disable the file editor. Great, I'm just going to add my code right now, download a payload of malicious code, and I've taken over your site. And there are hackers who can automate this stuff, so it happens, you know, within seconds of you logging into a WordPress site. All of a sudden something's wrong, and you don't know why.

I recommend SSLs.com. It's the place I used to get all my SSL certificates, or it was the place I was using to get all my SSL certificates. They're fairly cheap. You can get a RapidSSL cert for $5 or $6, something like that. Buy it for, I think that's if you pay for three years, then it's like $15. Let's Encrypt is something fairly new, and it requires your host to support it, but they're free SSL certificates. Now, you can go for the really fancy dancy SSL certs that cost $300. They don't protect you any more than the $5 ones. They're just considered more trusted because the companies vet the person claiming. So if I could, in other words, I could get an SSL cert for Google.com and spend $5 to do it.
But if I wanted a $300 really super trusted one that gives you the green bar instead of the purple bar, or whatever it is, then they're going to call me and say, prove to me that you work for Google, and I'll be like, well, I can't really do that, and they're not going to give me the SSL cert. But for basic security, both SSL certs, every version of the SSL cert, will protect you the same way. I was talking to Liquid Web out there, and they are actually, I believe, introducing a hosting solution that will enable Let's Encrypt, but their basic one that they offer now comes with a free SSL cert for any domain that you have, I believe. Don't quote me, I'm not a salesman. Who does? DreamHost. DreamHost? Let's Encrypt? Okay. I just started using Let's Encrypt on my site. It's really cool that it's still in beta, but the certs expire every six months, and there's a command that you have to run to renew them. It's fairly easy, and you can automate it. I assume DreamHost automates it. SiteGround? Okay, great. Perfect. So, look, free SSL certs, an easy way to protect you, and then you can work in Starbucks and not worry about someone like me breaking your site. Yes. Let's Encrypt. Like, hey everybody, let's encrypt. And Let's Encrypt is backed by really big companies like the EFF and Google because they want everyone to use SSL, or actually TLS. So the NSA will stop spying on us all the time.

So this is a quote from a support rep that works at iThemes: "Hackers aren't just targeting specific sites like Ashley Madison." You've all heard of the Ashley Madison hack recently. "Instead, they write software that tries to find any weak site and compromise it. They can use that to attack other sites, or to make money off ads, or by spoofing other sites. They attack everyone." And that's true. A lot of people and a lot of your clients will say, why do I need this XYZ security? Nobody's going to want to hack me. And the answer is, you're right. They don't want to hack you. They want to hack your site.
Because by hacking your site, they can send out thousands of spam messages that hopefully somebody will click a link in and infect their computer with something that will lock down their computer and require one bitcoin, which is $400, to decrypt all their files. Or just Viagra ads on your site. And this malicious code is pretty smart. It will track, like, oh, this person logged in to wp-admin, so don't show them the ads. And then you're going to get your customer to say, hey, I went to your site and this Viagra ad popped up. And yeah. On that note, they can be specific to your zip code or area code or zone of your state or city. They can tailor it for your box sometimes, to where you or your customers might not see it if you sell it like a general store in the neighborhood, and everybody else will. Right. So you're going to go to your site and be like, I'm not seeing any Viagra ads. There must be something wrong with your computer. And you're going to forget about it. But they're just, they know. This is how hackers evolved in the past 20 years. Let's break crap. Yay, we broke crap. Hey, wait, we can make money. Let's make money. Yay, we're making money. Oh, but they're blocking us because we're making money. Well, let's not show them that we're making money. And that's where it's evolved. It becomes very difficult for you to see the hack, because they hide the hack from your eyes, because they see that you logged in with your IP or your admin username. And they're like, okay, they log that IP and say, don't show the hack to these people. Your site looks perfectly normal to you. So you can use that example for your clients when they ask, why are you charging me $100 for this service? So it's easy to make it hard on them. And that's really the goal of this talk. It's not really about whether you get attacked, but rather how you prevent it from being successful.
And again, that's to choose a quality host, use quality and trusted software from trusted sources, manage your usernames and passwords smartly, and enable two-factor authentication. Those are really the four basic things you can do right now that take almost no work and will help mitigate any of your clients from getting attacked. Are there any questions?

Yes. For just the files? Yeah. I usually just change them both. If you have those set to HTTPS, it should automatically do HTTPS. Another thing too is, if you're working with a server admin, or probably any of the number of WordPress hosts out there, there's a way to say, redirect all non-HTTPS traffic to HTTPS. So that's what I do on my servers. Anything that's going to port 80, HTTP, redirect to HTTPS. And you can have it so it actually preserves the URL they're going to, so nothing breaks along the way. But I believe if you change that to HTTPS in the settings, it'll just do that instead of doing the wp-admin thing. Yes. What is it? WP. WP4, SSL? Okay. Yeah. And I think there's another one that does something similar. Yeah. Right. You need to have SSL installed, otherwise you're going to get a bunch of weird errors, because they're not going to know what you're trying to pull up on your website.

Yes. Three quick questions. Sure. What is the sponsor list? I don't purchase things from CodeCanyon. Wordfence is a pretty good security plugin. Yeah, it's obviously a competitor to iThemes, but they do some good stuff. And there's another security one. I can't remember the name of it, though. But Wordfence is a pretty good one. All In One WP Security? All In One WP Security, yeah. And there are some other security plugins that aren't as robust as those three. There are some that, like, limit login attempts. So if somebody is trying to brute force you, they'll lock that person out after, like, five failed attempts. And those... Those are pretty good. Yeah, Wordfence adds that. iThemes Security does.
And I'm sure All In One WP Security does. The last question is, you said turn off the file editing. Yes. So you would just go edit a different way then. You just go directly to your job. Right. So the safest and most secure way to edit is through SFTP, which is secure FTP. It's not really an aspect of website security, although I guess it is, because it has to do with your website. But similarly, if you're at Starbucks and you're FTPing into your client's website, I automatically have access to your FTP username and password. Because FTP is not encrypted at all. All I need to do is sniff the packets and see the username come through and the password come through. And I've hacked your site. Most hosts offer... They'll say SSH or SCP or SFTP to connect. And that is an encrypted protocol. So the password is encrypted in transit. And the files are encrypted in transit. So nobody can see what you're sending.

Yes. Can you clarify anything about the job? It's not really going to get you anything. As far as security, it might prevent some brute force attacks. I don't use it. I find it to be more of a pain than anything. Most of the time I can't even read those things. Or I have to hit the refresh button until I get one that I can. It's give or take. It'll probably add a little bit of security, but I don't think it's enough to make that much of a difference.

Yes. That's a tough one because SSL is really the server component. I'm not sure. I hope that it would be a standard recommendation if it's not already considered a standard recommendation. Google wants the world to be on SSL because of security. I mean, every security expert wants the world to be on SSL because of security. Not by no means. It's a website. I have to work with it. What you call the great shooting in the house, it's not a good thing. It's over on the website. It's not a good thing to do by yourself. Okay. I'm a worker person.
And my question is, do they have anything on it, or anything else, that you can disguise the names of your image files with, without going for a hard work of it? Like to rename them? Yeah, because it's kind of, you know... I don't know of any plugins that do that. I think it would be fairly easy to hook into WordPress with some code, write a plugin to do that, to just rename the files. Do you know... What are you thinking would be a security benefit to doing that? They know the name of a folder. They really know what door to find on your chicken is going to get inside. I mean... Yeah, the folder structure in WordPress is pretty standard, though, so... Imagine if you're on a page, is there a page you need to write on? Yeah, you can actually... You can set up your Apache or Nginx to disallow any access to any subfolders, except for web requests. Yeah. iThemes Security has some stuff right now that will rename... iThemes Security. It will rename wp-content, I believe. I don't know if it does wp-admin. I think they might be removing that, because ultimately that's security through obscurity, which doesn't really give you any security. Because if you think about it, the name lives in wp-content/themes/whatever/your-files. Well, the source code, the HTML source code, is going to be referring to that. So if you change the name of wp-content to Blue Love Security, all I would do is right-click, View Source, and I see, oh, the style sheet's in Blue Love Security/themes/theme-name/whatever. So it took me one extra second to figure out your folder structure. Right-click's enabled. It's always enabled. You disable the JavaScript, I've already found a way to get around it. Alt, View Source. Yes. Renaming the database, like the table name. Yeah, when you start a WordPress install, you should rename the database from wp_ to something else.
And iThemes Security, as probably the other security plugins do, probably has, but I know iThemes Security does, a way to rename a database that is currently running, but always back up before you do it. Yes. You didn't mention, when you mentioned the password savers, KeePass. KeePass, yes, that's another popular one. I've never used it. I've never used 1Password. I've only ever used LastPass. Yes. Well, there's not usually, I mean there's not a WordPress log that tells you that you were hacked. Basically, it's knowing the symptoms. You get enough people that say, hey, I'm seeing Viagra spam or whatever. Yeah, it depends on what the hack is. And sometimes Google will alert you. And their Webmaster Tools is pretty good about doing that. Sometimes, like, I had a site that was old and unused and I forgot about it. And then I got a notice from one of my virtual service providers. And they said, hey, we're blocking your IP because it's been hacked. And I said, that site's still up? And I went and looked, and sure enough it was hacked. And I just shut down the server and deleted it because I wasn't even using the site anymore. But it was a very old version of WordPress. It had a security hole in it that had been long known, and they found the site. So the host will let you know if they know, in most cases. But sometimes they won't know, because they don't know if you're intending to show Viagra spam. Yes. So Sucuri has a plugin that does a malware scan. Wordfence does. iThemes Security does. BackupBuddy even includes a Sucuri malware scan. Sucuri also offers a hack repair service. So I think it's like $30 a month or something like that. I don't really know. I don't use it. But if your site is hacked, you contact them. They'll go and clean up your site and put it back the way it should be automatically for you. Sucuri. S-U-C-U-R-I. Yes. Yep.
So in the WP-CLI talk, he showed us: if you use WP-CLI, which not all hosts will have, but it's pretty easy to install if you have shell access, you can run wp core verify-checksums. And it will tell you any core files that have changed. It won't necessarily be true for plugin files, though. So if a hacker hacked a plugin, then you still might not know. But it is a good way to see if any of the core files have changed. Yes. Right. If you've been hacked long enough that Google notices, then it'll take a little while to get back. But there's not really much you can do about it. If you don't know, you don't know. I believe it's S-U-C-U-R-I dot net, I think. Or .com, I don't know. Google it. Any other questions? I think we're running out of time. Three minutes? Yes. Any side work? But if you send me an email, we can probably... I can give you some tips if you have any questions. Or I can at least let you know somebody who can work on it for you. Anything else? And the link to your slides are? On WordCamp Atlanta's website. Okay. They're going to put them on Slack. They're going to put the thing on Slack. They told us they were going to put our slides up on the site. So, in fact, I can put the link to the published version on Slack. Look, this is LastPass. It's asking for my second-factor authentication. Any other questions while I'm doing this? No. Is there a WordCamp in Jacksonville? Yeah. So, my 3 p.m. talk. So, that should get you there. Thank you all for listening. I hope you learned something.