All right, so my name is Otto Kekäläinen, and I'm one of the founders of www.wp-palvelu.fi, which is a premium WordPress hosting and maintenance service here in Finland. We have hundreds of enterprise-grade WordPress sites, and maintaining those sites and defending them against constant attacks has given me some chance to develop a sense of what WordPress security is like in practice, what's really important, and what is not important.

I'd like to start all security talks with this slide. It's a nice reminder that there are three parts to security. Most of the time people only concentrate on confidentiality, but you also need to think about integrity and availability. Please follow me on Twitter, and I will post a link to an extended version of my slides that also covers integrity and availability, that is, stuff like backups and protection against distributed denial of service attacks. But in this talk I will focus on confidentiality, that is, how to make sure that nobody gets into your WordPress site and steals your data.

So for anybody owning an e-commerce site, it's obvious why they need to take care of security.
You don't want to have your customer database leak, and you don't want to have your order database corrupted so you don't know which orders have shipped and which have not. If you neglect security and have a big customer database, you could even get sued for neglecting privacy laws if it gets hacked. Even if you don't sell anything online and don't have e-commerce in that way, your company's reputation is of course at stake: if somebody hijacks your site and starts to redirect all traffic to a porn site, that's very bad for your reputation, and all of your investments in marketing are in vain at that point. Somebody might think, okay, my site is not selling anything and it's not important for our company, which I kind of doubt, since in modern society it's hard to see how a website would not be important to a company's success. But even if you think that your website is completely unimportant, you are still responsible for keeping it secure, because somebody can hijack the site and then mount attacks on other sites, and if you have completely neglected your security you could be held partially liable for those attacks.

So WordPress security is a topic with an abundance of guides online everywhere, and it's obviously something that people are thinking about. There are a lot of automated scanners and bots online that constantly bombard WordPress sites trying to crack them, so there are a lot of guides on the topic, but unfortunately many of those guides contain bad advice, sometimes complete bullshit, and sometimes it's snake oil: somebody trying to sell a solution based on making the unsuspecting reader fear something that's maybe not the case. So I decided to give this talk to offer some balanced advice on what's really important and what's not.

Let's start with the avenues of unauthorized access. There are two ways somebody can access your website: through leaked passwords or through software vulnerabilities.
To protect your site against the first one you need to follow good password hygiene, just like you do everywhere online. Keeping your passwords to yourself is a job that you can't outsource no matter how many security experts you hire, so you need to learn password hygiene, and if you learn it early on it will benefit all of your online life. So remember password hygiene: use passwords that are at least 12 characters long and hard to guess with brute force. Length is more important than complexity, but of course it's also good if your password is complex, and in new versions of WordPress there's this nice password strength meter which will help everybody to pick strong passwords. Changing passwords frequently is not relevant; it's just important that you get a good password from the beginning and make sure you don't leak it to any other person or to any other website. So you need to have a separate, unique password for every website you use, and if you have more than three passwords, please look into a password manager that can store them securely and reliably for you. Don't try to remember all your passwords by heart yourself. And also, as basic password hygiene, every time you log in to some site make sure that you are actually on the correct login site and that the connection is secured with HTTPS.

All of this password hygiene is not specific to WordPress in any way, except maybe the last one, because WordPress does not have HTTPS by default. With HTTPS you can see this green lock icon in the address bar when you enter wp-admin. How many of you are sure that every time you enter a wp-admin somewhere the connection is encrypted? Whoa, quite a few hands raised.
So make sure that in future, when you use WordPress and you log into the admin, the connection is encrypted with HTTPS. Also, if you use FTP, make sure that you use the encrypted version called SFTP, and if you have console access make sure it's SSH, to avoid transmitting your passwords over the network in plain text.

So how do you get HTTPS in WordPress? First of all your server needs to support HTTPS and there need to be certificates installed. To do this, if you manage the server yourself, you need to find out how to buy HTTPS certificates or get one for free via Let's Encrypt, and if you don't manage it yourself, then ask your service provider to install it for you. Then your job is to enforce that wp-admin always uses HTTPS by setting this option in your wp-config. At WP-Palvelu all of our customers by default have their wp-admin protected by HTTPS, and it's something you should think about when you select your host.

Related to protecting passwords and logins, it's also good to use a CAPTCHA system. This example here is the Google reCAPTCHA; it's very good, and in addition to protecting your login by making sure that automated bots cannot use this form, it will also protect your comments and signups so you don't get comment spam or false robot user accounts.

All right, then to the second avenue of unauthorized access, software vulnerabilities. You need to do two things to minimize the amount of software vulnerabilities. First of all you need to minimize the amount of software you have in the first place; that makes the attack surface smaller and there's less chance of an attacker finding a vulnerability in your software, because you simply have less software. The second step is to make sure that all the software you really need is updated to the latest version so that known security fixes are installed.
Now some people claim that WordPress is inherently insecure, and that's probably because of WordPress's reputation somewhere around 2007, 2008, 2009, when there were quite a few big and serious vulnerabilities in the WordPress core. But today the WordPress core is very secure, and here are some statistics from the common vulnerability database: the blue line shows all vulnerabilities published for WordPress core, and the red line shows all that have a seriousness of six or higher. And here are some statistics about how many vulnerabilities there are per new lines of code written. So let me repeat: WP core is very secure. Major sites like time.com and, here in Finland, aamulehti.fi run on WordPress without any major problems. The problem lies in the plugins. In the WordPress.org directory alone there are over 40 000 plugins, and in addition to that there are tens of thousands of plugins and themes online somewhere, and most of them have been developed by a single developer. There's no security process and no automated static analysis or anything for that code. WordPress.org could implement that, but they don't have it at the moment. So all that every WordPress site owner can do at this point is to make sure that they update all their plugins frequently. That of course comes with the downside that WordPress updates are not separated into security and feature updates; you can't choose to only update security things, so those updates will also bring feature changes, and that might sometimes break your site.

Okay, then if you're running your own server, you need to also make sure that your operating system and web server, nginx and Apache and everything, are up to date and properly configured. Also make sure that everything you install is from a reliable source: try to stick to the Linux distribution sources or else directly use the upstream project repositories. If you use some third-party repositories, then make sure that you find out if there's a maintenance policy or something about how stable it is and for how long it will be maintained; otherwise that's a source of problems for you.

Okay, don't waste time on tips like this. It doesn't help to hide your WordPress version; automated bots that attack WordPress try to use the vulnerabilities directly, and it doesn't matter what version you have. Hiding login errors will only make it harder for normal users to know what's going wrong if they don't remember their password or username correctly. All of these kinds of tips are very marginally useful, and no matter how many marginal changes you make, they don't sum up to anything more than marginal, and it creates a false sense of security: it feels like you have done a lot, when actually you have done very little.

So to sum it up, what you should do: always follow password hygiene; use CAPTCHAs to avoid robot users; use HTTPS always when you log in, to avoid submitting passwords in plain text, and if you have FTP, don't use regular FTP, use SFTP for your site; remove unnecessary software, try to use fewer plugins than you perhaps do at the moment; make sure that your WordPress core and all the plugins and the theme you use are up to date; and make sure you installed them in the first place from a reliable source. Depending on whether you're using shared hosting or running your own VPS or whatever, you need to take care of at least these six points yourself, and then choose a good hosting provider to take care of the rest of the stack. Thank you.
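As an added example that is not part of the talk, here is a small POSIX shell audit of two of the controls above: whether wp-config.php forces HTTPS for wp-admin (WordPress's `FORCE_SSL_ADMIN` constant), and which plugins are inactive (candidates for removal, to shrink the attack surface) or have an update available. The sample wp-config and plugin list below are constructed; on a live site the plugin CSV would come from WP-CLI's `wp plugin list --format=csv --fields=name,status,update`.

```shell
#!/bin/sh
# Added example: audit the "force HTTPS for wp-admin" and "remove/update
# plugins" advice from the talk. Inputs are passed as text so it runs offline.

# Return 0 if the wp-config.php content in $1 defines FORCE_SSL_ADMIN as true,
# which makes WordPress require HTTPS for the login page and wp-admin.
force_ssl_admin_set() {
    printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Print plugin names whose status is "inactive" (CSV columns: name,status,update).
# Inactive code is still reachable on disk, so it is a removal candidate.
inactive_plugins() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Print plugin names for which WP-CLI reports an update as "available".
plugins_needing_update() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Constructed sample inputs (not from a real site).
SAMPLE_CONFIG="<?php
define('DB_NAME', 'wordpress');
define('FORCE_SSL_ADMIN', true);
"
SAMPLE_PLUGINS="name,status,update
akismet,active,none
hello,inactive,none
contact-form-7,active,available
"

if force_ssl_admin_set "$SAMPLE_CONFIG"; then
    echo "FORCE_SSL_ADMIN: set (wp-admin requires HTTPS)"
else
    echo "FORCE_SSL_ADMIN: missing from wp-config.php"
fi
echo "Inactive plugins (consider removing):"
inactive_plugins "$SAMPLE_PLUGINS"
echo "Plugins with an update available:"
plugins_needing_update "$SAMPLE_PLUGINS"
```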