Now I want to talk about my method to sleep better during the night, with no worries about hacked websites. Here is the download link for my presentation preview. Just a quick word about me: my name is Maurizio Pelicone and I'm a very proud WordPress developer.

So before starting, let's take a step backwards and ask ourselves: what is hardening? If someone doesn't know the meaning of this word, this is a definition from Wikipedia: hardening is the process of securing a system by reducing its surface of vulnerability. I think that WordPress hardening is an underestimated problem, and many projects, after go-live, are left alone without love.

So the next topic is why. Why do we need hardening? The answer for me is very simple: all systems are vulnerable. Fully secure systems don't exist. Another important thing to remember is that the most used platform is the biggest target to attack.

So now let's look at the dangers. I'm going to start with my list of what I think are the five most important dangers.

Number one, human errors. In most cases, the things we forget to do, such as forgetting to remove the admin user or to change your old password to a strong password, or forgetting to update your system.

Number two, exploitation. This is a technique that uses a sequence of commands to take advantage of a vulnerability to penetrate your website.

Number three, social engineering. The technique of collecting your personal information and using it against you.

Number four, brute force attacks. You need to know that many automated systems exist that try to access your login. Every damn day. Believe me, or look at your access log.

Number five, write permissions. If you don't want anyone to be allowed to put a backdoor in your WordPress installation, ask yourself: do you really need to have all your directories 777?

So, now let's move to the solution.
Okay, maybe this is not the right solution. I think it's better to say my approach: some simple life-saving improvements that are achievable with very little effort and can really make the difference. A wise man could sum up my approach in this sentence: we are not all security experts, but anyone can reduce some vulnerability. One more word on the most important thing: remember to keep your WordPress updated, because without that care, any tip is useless.

Okay, now let's move to my 10-step countdown.

Test your backup. The key point is test your backup, because it's obvious you have a backup. You need to test it before a disaster. You have to be able to do it in a fast way. You must be sure to have all you need to recover. If you don't have a backup, you can use one of these. If you don't want to use one of these plugins, it's not a problem: do it by hand, ask your sysadmin, ask your provider, but you must have a backup and test a complete restore.

Prevent user enumeration. The key word is to prevent WordPress from showing username information for the users that have a login on your website, unless of course you need to have a user page. Try, try now, try to type one of these links in your browser. If in your URL you can read a username, maybe you have a problem: in this way anyone can know all the users that are able to log in to your system. You can stop it with these two lines to put in your .htaccess.

User permissions. The key is to limit the role to the absolute minimum. Not all users have to be administrators. WordPress has many built-in role definitions, such as contributor, author and editor. Remember to assign only the necessary role. Here I want to show that we can set no permission for the users that don't need it. The standard admin username can be set to null.

Hide your login. The majority of sites don't need to have a public login page, so you can hide the access and move it to a custom one, like "this is my login page". Here is an example of how you can do it.
Put this code in your .htaccess and remember to change the key. wp-login, wp-login, unluckily, is not the only way to log in to your system. After reading an access log, maybe you will find a lot of accesses to XML-RPC. If you don't need to use WordPress.com or the WordPress mobile app, you can forbid its use with this code to put in your .htaccess.

Don't show errors. When you can hide the login, maybe you can hide some error information too. Here the key is: don't show unnecessary info. When you type a wrong login, you don't need to know if the error is in the username or the password. In your page, you don't need to show which WordPress version is running. In your site, you don't need to keep the readme page visible, and you can forbid access to it using this line in your .htaccess.

Deny PHP execution. I think that in the upload directory PHP execution is not important. In the upload directory there should be only media files like images, documents and fonts. No PHP file, no PHP attack vector. Put this line, put this file inside your upload directory and PHP will no longer be executed. I told a little lie: in this code we don't deny PHP execution, but allow only some kinds of files, like images, docs and fonts.

Trashable plugins. Trash, remove, delete plugins: it is a good practice. Less is more. This is my checklist: remove inactive plugins; remove useless or duplicate plugins; for the bravest, you can try to integrate some plugin functionality inside your theme. But remember this mantra: less is more, less is more. But when a wannabe user is able to install new plugins while you sleep, your breakfast is not gonna be so great. For this reason, if you want to keep control, you can disable automatic installation. Here is the line to put in your wp-config.

Use secure passwords. Passwords are a problem. Passwords are always a big problem. Normal people hate passwords. But in a normal world we must not be lazy, and we must be brave enough to use very strong passwords.
This is a tip for memorizable and unforgettable passwords: you have to use a phrase, numbers and symbols, and mix uppercase and lowercase.

Custom directory. Another unknown, awesome WordPress feature. A custom directory is a defense line to hide your structure. I'll explain better with an example. This is a standard structure, where the login page is always in the same place. What happens if I move my WordPress installation in this way? The first achievement is that the automatic bots that try to use brute force attacks fail. Another thing is that this structure, I think, is more lovely, and you can do more efficient deploys. Here is the code to put in your wp-config.

The last one. Blackhole. One of my favorite tips. Blackhole is a way to set a trap for common URLs. One simple example: if you moved your login page from wp-login to a custom login URL, well, who is it that keeps on going to wp-login? Maybe it's someone who should not be there. How does it work? The blackhole watches some kind of link, locks the IP and blocks access. The implementation is a little bit technical, but you can find more info at perishablepress.com.

Are you still alive? OK, great. For those of you who don't like to put your hands under the hood, here are a few plugins that can do the dirty work for you, but now you can use them with more understanding about what they do: Security, Wordfence and iThemes Security.

OK, I have to go. Last but not least, here are some links to dig deeper. Thanks for listening and being so patient with my terrible English.
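The .htaccess and wp-config.php snippets the speaker shows on his slides are not part of this transcript. As an added example (not the speaker's code, and not taken from any of the plugins he names), the following POSIX shell script checks, on the server's own filesystem, the checklist items that can be verified without HTTP or database access: world-writable directories (danger number five), PHP files in the upload directory, whether uploads/.htaccess blocks PHP, the readme and similar disclosure files, and whether DISALLOW_FILE_MODS is true in wp-config.php. It can also write the allow-list .htaccess he describes for the upload directory. The Apache 2.4 syntax, the extension lists and the demo tree it builds are assumptions made for this example.

```shell
#!/bin/sh
# wp_hardening_audit.sh: filesystem checks for the checklist items above that
# need no HTTP or database access. Added example, not the speaker's code or
# any plugin's. Assumes a stock WordPress layout under the given root and
# POSIX sh with find, grep, wc and tr (no bash-isms).

# Danger number five: directories anyone on the box can write to (the 777 case
# and any other mode with the other-write bit). One path per line.
list_world_writable_dirs() {
  find "$1" -type d -perm -0002
}

# "Deny PHP execution": files under uploads/ that a PHP handler might run.
# The extension list is an assumption covering common handler mappings.
list_php_in_uploads() {
  uploads="$1/wp-content/uploads"
  [ -d "$uploads" ] || return 0
  find "$uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
       -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.phps' \)
}

# Is there an uploads/.htaccess with a rule that stops PHP from being served or
# run? Accepts Apache 2.4 "Require all denied", 2.2 "Deny from all" or mod_php's
# "php_flag engine off". Prints "ok" or "missing".
uploads_htaccess_status() {
  f="$1/wp-content/uploads/.htaccess"
  if [ -f "$f" ] && grep -Eiq 'Require all denied|Deny from all|php_flag[[:space:]]+engine[[:space:]]+off' "$f"; then
    echo ok
  else
    echo missing
  fi
}

# "Don't show errors": files that disclose the installed version or layout.
# readme.html is the one named in the talk; the other two are an addition.
list_info_leak_files() {
  for f in readme.html license.txt wp-config-sample.php; do
    [ -f "$1/$f" ] && echo "$1/$f"
  done
  return 0
}

# "Trashable plugins": is DISALLOW_FILE_MODS true in wp-config.php, so nobody
# can install plugins or themes from the dashboard? Prints "yes" or "no".
file_mods_disabled() {
  cfg="$1/wp-config.php"
  if [ -f "$cfg" ] && grep -Eiq "define[[:space:]]*\\([[:space:]]*['\"]DISALLOW_FILE_MODS['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
    echo yes
  else
    echo no
  fi
}

# The fix the talk describes for uploads/: not a PHP deny rule but an allow-list
# of media extensions. Apache 2.4 syntax (assumption). With the default
# AuthMerging Off, the later <FilesMatch> replaces the earlier Require for the
# files it matches, so only the listed extensions are served. Never overwrites.
write_uploads_htaccess() {
  f="$1/wp-content/uploads/.htaccess"
  if [ -e "$f" ]; then
    echo "refusing to overwrite $f" >&2
    return 1
  fi
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<'EOF'
# Serve nothing from uploads/ by default ...
<FilesMatch ".*">
    Require all denied
</FilesMatch>
# ... then allow only media and document extensions (edit to taste).
<FilesMatch "\.(?i:jpe?g|png|gif|webp|svg|ico|pdf|docx?|xlsx?|pptx?|woff2?|ttf|otf|eot|mp[34]|webm)$">
    Require all granted
</FilesMatch>
EOF
}

# Constructed demo input: a deliberately weak install in a temp dir. Prints root.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/01" "$root/wp-content/plugins"
  chmod -R 755 "$root"
  echo '<?php echo "backdoor"; ?>' > "$root/wp-content/uploads/2024/01/shell.php"
  echo '<html>WordPress readme</html>' > "$root/readme.html"
  echo "<?php define('DB_NAME', 'wp');" > "$root/wp-config.php"
  chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/2024/01"
  echo "$root"
}

# Run every check, print a report, return 1 if anything needs attention.
audit() {
  root="$1"; findings=0
  ww=$(list_world_writable_dirs "$root")
  [ -z "$ww" ] || { echo "world-writable directories:"; echo "$ww"; findings=1; }
  php=$(list_php_in_uploads "$root")
  [ -z "$php" ] || { echo "PHP files under uploads/:"; echo "$php"; findings=1; }
  [ "$(uploads_htaccess_status "$root")" = ok ] || { echo "uploads/.htaccess does not block PHP"; findings=1; }
  leaks=$(list_info_leak_files "$root")
  [ -z "$leaks" ] || { echo "disclosure files:"; echo "$leaks"; findings=1; }
  [ "$(file_mods_disabled "$root")" = yes ] || { echo "DISALLOW_FILE_MODS not set to true in wp-config.php"; findings=1; }
  return $findings
}

# Usage: ./wp_hardening_audit.sh /var/www/html   or   ./wp_hardening_audit.sh --demo
case "${1:-}" in
  --demo) d=$(make_demo_tree); audit "$d"; rc=$?; rm -rf "$d"; exit $rc ;;
  '') ;;                               # no argument: just define the functions
  *) audit "$1" ;;
esac
```

Two caveats a practitioner should keep in mind. The allow-list only looks at the final extension, so whether a name like shell.php.jpg is ever executed depends on how PHP is mapped in that Apache (a SetHandler inside a FilesMatch on `\.php$` will not run it, an AddHandler per extension might); adding `php_flag engine off` (mod_php only) or a separate `<FilesMatch "\.ph(p[0-9]?|tml|ar)$"> Require all denied </FilesMatch>` costs nothing. And the login-page, user-enumeration and XML-RPC items from the talk are HTTP behaviour, which this filesystem audit deliberately does not try to check.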