This is the first time I've ever done this. I've never spoken at a WordCamp before. I've never been in a security talk before. So bear with me. I also want to kind of preempt everybody with a really bad PowerPoint. I'm practicing. So keep that in mind as I go through my slides. She covered most of what we're gonna go over, but I do want to give you a quick agenda of what we're covering today. First of all, I'm gonna give you a quick introduction to who I am and why you should care about anything I have to say. I'm gonna give you some basics on what themes and plugins are. We're gonna really glaze over that, because there's a pretty good shot that everybody in the room has used a theme or a plugin before. I'm gonna throw some pretty scary numbers at you. And then I'm gonna go over how to get around those scary statistics by selecting things that work: quick guides to selecting plugins that work and are secure; how to stay on top of updates for themes and plugins, which is really important to WordPress security and website security in general; some general security tips for keeping your WordPress site secure and safe; a quick conclusion; and then I will answer any questions that you guys have. So first of all, who am I again? As she said, my name is Jessica Ortega. I'm from Phoenix, Arizona. I am here with SiteLock.com. I'm a web security research analyst and business analyst for SiteLock. My job basically is to study malware trends and vulnerability trends. I am the co-founder and co-host of a security podcast, De-Coding Security, which takes big security topics and makes them more digestible for the small business owner or average Joe. And besides website security, I am really involved with dog rescue. Like she said, I've helped over 60 dogs find their forever homes this year, and I love heavy metal. This is a very cute dog. Her name is Francesca. She is one of my rescues. And she is more interesting than anything I have to say today.
So let's start with a warm fuzzy feeling before I get into the really scary security stuff. So, some basics. What are themes and plugins? Everybody in here has probably used a theme or a plugin at one time or another. Basically, WordPress themes are your template. They're your front end. They're what powers the way that your WordPress site looks. In the old days, they would have been a thousand HTML files that tell your site what to look like on individual pages. Now they're primarily CSS and PHP, though there are some JavaScript elements and other languages that you can build themes in. WordPress plugins are software that can enhance or expand the functionality of your website. Some examples of WordPress plugins would be things like contact forms, search engine optimization plugins, social media buttons, photo galleries. There are over 56,000 plugins available for free in the WordPress repository, which is pretty impressive, because what that means is that all of this is open source and theoretically anyone can build a theme or a plugin, just like the WordPress core is open source. So, some scary statistics. The first one that I wanna throw at you is that the average website is attacked approximately 58 times per day. Now, that doesn't mean successful attacks. Obviously your websites are not getting hacked 58 times per day. That would be both excruciating and a little bit absurd, right? What that means, though, is that there are automated attack bots or hackers using scripts out there that are trying to intrude into your site about 58 times per day, or approximately once every 30 minutes, which is pretty scary to think about. And it only takes one successful attack. One intruder or script or bot that can get into your website can wreak absolute havoc. And when I say havoc, I mean blacklisting on the search engines, your site could go down, with WordPress we could be talking the white screen of death. They can completely hijack your website.
They can inject their own content into your website and drive traffic to their websites. That's where you see things like pharmaceutical spam, escort service spam. We've seen things at SiteLock all the way up to and including car dealerships who are trying to sell things, MLM for different pyramid schemes, real estate spam, all of that. They can overtake your website and completely destroy your reputation on the search engines. So that's something to keep in mind. I know it sounds really scary. We'll talk about ways to get around it after this. More scary statistics: about 1% of WordPress sites that were studied in Q2 of 2018 have malware on them. What this means is that if you think about the total number of WordPress sites out there, approximately 5.8 million WordPress sites globally could be infected with malware at any given moment in time. That's a pretty scary high number. We found that WordPress sites on average were about two times more likely to be compromised than websites that were built without a CMS or that were built with a custom, non-open-source CMS. And the reason for that largely is because of the process that we call responsible disclosure. What that means is that any time a security researcher like myself, or like the guys at Wordfence or Sucuri, finds a vulnerability inside a plugin or inside the WordPress core or inside a theme, they notify the developers of that theme or plugin or CMS and give them an opportunity to patch, to release a new version that addresses the vulnerability, before they actually disclose or publish that vulnerability. What that means is that once the patch is out, once a new version is released, they do publish and publicly announce: hey, we found this vulnerability. Attackers could get into your site through this vector, which is usually something like cross-site scripting or SQL injection, where they can actually get into your database.
And then script kiddies or amateur hackers will actually go and build tools to automatically scan for that vulnerability. What that means is that sites that don't go in and update right away are now vulnerable to a security issue that's published, that anybody can build a bot to attack. And so what these attackers will do is build bots that scan millions of websites every day looking for this one known vulnerability. And if they find it, they will immediately attack it, they'll exploit it, they'll get into your website and they'll upload whatever malicious content flavor they happen to be into, whether that's phishing or backdoor files or the aforementioned SEO spam. So that's something to be aware of, and we think that's probably got a lot to do with why WordPress and other open source applications tend to be more vulnerable or infected with malicious content in higher numbers. What we found was that 55% of the WordPress sites that were infected with malware were running the latest core versions. That means that even if you're doing automatic updates, even if you're on a managed WordPress platform with your hosting provider, even if you've got every security measure in place for the core, you can still be infected with malware if you have a weak password or if you have a theme or a plugin that's not up to date. We found that 24% of WordPress sites had a vulnerability and 16% of WordPress sites had both a vulnerability and malware. So if you're not running the latest core version or you're not running your latest plugin updates, you're infinitely more likely to be infected with malicious content than you would be if you were. When we studied approximately 1.5 million sites that were running WordPress in Q2, we found that 6% of those sites were more than likely infected through a vulnerable theme or plugin. What that means is that they had a vulnerability on their website, but they were running the latest version of the WordPress core.
So they had a theme or a plugin that was likely not up to date or not being updated by the developers. It was code that nobody cared about, and it had a security vulnerability that allowed an attacker to get into WordPress. So those are some pretty scary stats. I know it makes it sound like WordPress is super vulnerable, like it's not a useful platform. Nothing could be further from the truth. The fact of the matter is that we know now that one in three sites online use WordPress. So it's a huge platform. It's the largest open source CMS platform in the world, which makes it a big target. It doesn't mean that it's inherently insecure. It doesn't mean that it isn't worth using. It just means that there are people out there who want to attack it, and you have to keep security in mind. Selecting a great theme. Obviously, everybody's site is gonna be different, and the first thing that you're thinking about when you think about a theme is: how is it going to look? How is it going to work? Is it going to do everything that I want my site to do functionality-wise? That's a great first step. Your second question should be: is it safe, is it secure? So, a few tips for selecting a secure theme. First of all, if you're gonna use a free theme, which is great, they're super customizable, always choose your free themes from the WordPress repository. That's wordpress.org/themes, or from right within your WP admin, which is what this screenshot is. If you click Add Theme while you're inside of your WordPress dashboard, it goes directly to the WordPress repository. The reason that we recommend using the WordPress repository is that there's actually a team of volunteers who monitor that repository for security issues and updates. If, say, a security researcher reports a vulnerability inside of a theme to the WordPress themes team, those volunteers will actually remove it from the repository until that theme has been patched and updated.
So generally speaking, the repository is the safest place to get a theme or a plugin. You can pay for themes. The issue with paying for themes and plugins is that, unlike the WordPress repository, where anybody can download the zip file and run it through a code scanner or review the files themselves for vulnerabilities or anomalies, with a paid theme you have to buy the product before you can actually look at any of the code base. So it can be kind of a mixed bag. That's not to say that paid themes are not good. It's just to say you can't look at them before you pay for them and download them. So if you're gonna use a paid theme, or you want to use a paid theme, make sure that you're actually paying for it. I feel like that should go without saying, but let's face it, we live in the era of pirating and streaming and free unlocked versions of everything, right? If you see a premium theme being offered for free, and it's not being offered as a trial or a promotion from the actual developers, you're seeing it on, say, a torrent site or a free download site, it means that it's been infected with malware preemptively. Attackers will actually download these themes. They'll pay for one copy. They'll make a million copies of it and make those available to you. But before they do that, they'll actually insert their own malware or their own backdoor files. So once it's been uploaded and installed on your website, they have remote access to everything in your code. That can be pretty dangerous, and it's something that a lot of people aren't really aware of. For things inside of the repository, you want to look for things like when they were last updated. Generally speaking, you want to look for an updated date within the last three to six months. What that tells you is that the developers still care about that theme. They're still reviewing the code. They're still monitoring it and they're still making updates. You want to check on your developers.
So inside of the repository, they'll actually have the name of the developer or the development team for every plugin and theme. You can generally click on that and go look at their website. Do that. Make sure that their website is secure, they're using SSL, they have good reviews, things like that. And then do a quick Google search of that development team. You can use things like "theme name broken", "theme name vulnerable", "theme name hacked" in a quick Google search to tell you whether or not other users of these themes have actually had issues with them. You can go to the WordPress repository, either through your dashboard or through wordpress.org, and actually download the zip file associated with everything. You can then either open it up on your own, if you're good with code or relatively familiar with it, and look for anomalies in the code using a text editor. Anomalies in the code would be things that exist, say, outside of your opening and closing PHP tags, or things that seem to run off the page. If everything looks relatively uniform, everything is really well annotated, and then all of a sudden you have to scroll way, way, way, way to the right or way, way, way down or way, way, way up, and there's random obfuscated or randomly generated code in any of those places, a lot of times that's a symptom of malware. Most theme and plugin developers will keep really good notes. They'll make everything look really nice and uniform, because they know their code is publicly available and they want to make a good impression. So looking for anomalies like that, even if you don't understand what they're doing because you're not a malware researcher or a reverse engineer, is a good tip that hey, this might be a red flag. Maybe I should run it through a vulnerability scanner or a code risk scanner, or just an antivirus scanner if you happen to have one on your computer.
You can download that zip file and run it through, and it'll tell you, hey, there's no malware or there are no viruses inside of this code. A lot of this advice is gonna sound repetitive, because a lot of it is the same across themes and plugins. However, with plugins it's arguably more important. So if you pay attention to nothing else that I'm saying, pay attention to picking your plugins, because plugins have the power to do a lot of good, and a lot of damage as well. Plugins often access the actual code for your WordPress site. They change the functionality both on the front end and the back end. They gather information, they store information in your database. They're critical to the way WordPress functions, and because of that, there's a lot of room for malicious actors. There's a lot of room for bad to happen. So again, if you're gonna install plugins for free, make sure that you're doing it from the plugins repository. That's wordpress.org/plugins. Much like the themes, there is a plugin team. It's a team completely comprised of volunteers who will actually go and remove reported vulnerable plugins from the repository to ensure that nobody else is downloading that vulnerable code, or, if malware is found in a plugin, they'll go in and remove it from the repository. Just last week, a pretty big plugin, WP GDPR, which was used for GDPR compliance for the European Union and had over 300,000 active installations, had a critical security vulnerability found in it by a security researcher. Within a couple of hours of reporting that vulnerability to the WordPress plugins team, it was removed from the repository, and it was kept off the repository for about 24 hours while the team patched that vulnerability. So keep in mind that, again, the repository is generally pretty safe, because there is a team of people who actively monitor and manage that. And again, along the same lines as themes, check reviews and active installs.
Generally speaking, if a WordPress plugin has a lot of active installations, it's probably safe. If it's being frequently updated, it's probably safe. Even if there have been security issues with the plugin: there have been a lot of security issues with really popular plugins, things like Contact Form 7, which is one of the most popular contact form plugins. That's had reported security issues, but because it's got an active development base, you don't have to worry about that so long as you're running the most up-to-date version. And there's nothing inherently wrong with having somebody report a mistake or a vulnerability in a plugin, so long as that team of developers is patching that vulnerability. So again, review your developers. Look at who's making these plugins. I don't know if anybody got to catch Kathy Zant from Wordfence yesterday; she gave a talk about evaluating the security of plugins as well, and she talked about what happens when plugins change hands. Sometimes the development team will change, and you can go into the plugin's repository and see a complete history of every change that's ever occurred on a plugin. And if it changes development hands, make sure that it's still being actively developed. Make sure that somebody is still actively updating and managing it, because it could be a very popular plugin that gets sold and changes developers' hands, and the new developer is now inserting malware into it, or they're no longer paying attention to it. So keep an eye on the history of those plugins that you're using. Do a quick Google search. Search for problems. Things like "plugin name broken". "Plugin name hacked" is probably one of my favorites, because it usually will tell you whether or not issues have popped up. You can also check the WordPress.org forums. One of the best things about WordPress is the community. And I mean, that's what brought us all here today, right?
It's the WordPress community talking about it, getting out there and engaging people who work with WordPress. Use that to your advantage when you're selecting your themes and plugins. And scan them for known vulnerabilities. Again, just like themes, you can download that zip file and you can review the code yourself in a text editor. You can run it through a malware scanner. There are plugins that you can use that will actually scan for vulnerabilities. There are a lot of different companies out there who offer code scanning and vulnerability scanning. And generally they'll tell you whether or not, hey, this is something that we know is insecure, this could lead to your site being hacked. And install the updates as soon as they're available. Unfortunately, unlike the WordPress core, there aren't a whole lot of themes and plugins that have automatic updates enabled. So you have to check for the updates on your themes and plugins, and you have to update them as soon as possible. Now, there are a couple of different ways that you can get yourself alerted to updates that have been released for themes and plugins. With plugins, you can go to WPVulnDB, which is the WordPress Vulnerability Database. They have both an RSS feed and a mailing list that you can get on, so that they'll actually send you an email alert or an RSS alert as soon as a plugin's been updated or as soon as a vulnerability has been identified. So you know, hey, I have to log in tomorrow and update my WordPress, or I have to log in this afternoon and update this plugin. A little bit about updates. This is in case you've never seen it, and I hope you have if you're using WordPress. This is the WordPress update page. It's really tempting to go in here when there are updates and hit select all and update all. That's great if your site isn't critical to your business or if they're minor updates.
If your site is critical to your business, or they're major version updates, or it's an older plugin that hasn't been updated in a long time, update these things one by one, because if something breaks, you're gonna wanna know which one of these items caused your site to break. Even better, if you can and it's your business website, use a staging environment. Jamie just had a talk a couple hours ago about using a staging environment for your site to make sure that when you do new plugin installations, new theme installations or updates, you're catching any errors or issues before they break your site and take it down. So all of these plugins and themes should be getting fairly regular updates. If it's something that's relatively static, one or two updates that address a security issue or a bug fix every six months or so is usually okay. If it's something more dynamic or more critical, you wanna see things every couple of months at least. Updates can be done from your WP admin dashboard. I recommend checking monthly. So at least once a month, if not more often, log into your WordPress dashboard, hit Updates, and make sure that everything you're running is up to date. That'll keep it so that your site's safe, your site's secure, and it doesn't have any vulnerabilities. And once you've completed your updates, you wanna go ahead and clear any cache that you have and make sure that your site's still running the way that you wanted it to. Look for things like new content that wasn't there before. That could be injected malware or injected spam that's coming from a plugin that's recently changed hands. The guys over at Wordfence tell a story about a guy named Mason Soiza, who was found to have actually purchased several plugins and used them to insert malware into dozens, in some cases hundreds, of sites. So that's something that you should always look for. Again, if you can, a staging environment is really good for this kind of thing.
That's a double-edged sword, though, and you wanna keep in mind that if you have a staging environment, especially if it's, say, a subdomain or a subfolder in your own hosting account on your own server, like staging.mysite.com, you have to put those updates on your staging environment and treat your staging environment with all of the care and love that you would your production site. Because if it's on the same server and you leave something vulnerable or not updated on your staging site that is updated on your production site, hackers can still get in through that staging site, and they can more often than not traverse directories and get into your production site as well. You'll see that all the time at SiteLock. Inventory your plugins. When you're doing your monthly checkup, make sure that you're removing anything that you're not using. And when I say removing, I don't mean deactivating; that's a common misconception. Deactivating themes and plugins is not enough to remove vulnerable code from your website. It leaves it there, accessible for any attacker to see. So if you're not using something, make sure you go in and both deactivate and delete it. There are also plugins available that will do things like optimize your database tables, remove duplicate posts and folders. WP-Optimize is great for that. And it'll actually clean up the remnants that a deleted plugin leaves behind. So that's something to keep in mind as well. Most of us either use a managed WordPress site or have automatic updating on our core enabled already. That's a great first step. If you feel confident with your themes and your plugins, and I really don't recommend this but I wanna include it anyway because it is an option, you can actually set themes and plugins to automatically update by including these two lines of code in your theme's functions.php file. So you can go and add these to your functions.php file if you feel comfortable doing that.
And it will actually update all of your themes and plugins automatically for you. But again, the reason that I don't recommend doing this for a production website is because if a theme or a plugin is updated and it breaks your site, it breaks your site. And if you're not paying close attention when those updates occur, things like maybe overnight or late or early in the morning when you're asleep, you may not know how long your site's been down. You can get a white screen of death because something auto-updated that wasn't compatible with something else on your site. And you'll have no way of tracking that down. You'll have no logs to tell you what broke your website. So if it's a relatively minor site, if it's your personal blog and you don't care about downtime on it, it's not making you any money, this is a quick and dirty kind of solution to having to log in all the time and check for updates. But it's something that you really want to be careful using. All right, a few tips. And again, this will be available on the website, if it's not already. This is my first presentation and I didn't think to break up this laundry list of homework that I'm giving you guys, so my apologies. But just really quickly, we're gonna run through some quick and dirty WordPress security tips, things like changing your admin URL. So what that is is your domain.com/wp-admin. Leaving that accessible allows anybody who's looking at your website to try and see if you're running WordPress. So we recommend changing that to something else, whether that's yourdomain/administrator or yourdomain/dashboard or yourdomain/your-dog's-name, whatever you want it to be, to hide that. It gives attackers one less thing that they can look for on your public-facing website. And there are plugins to do that. There are ways that you can do it with custom code inside of your settings. But I personally use a plugin because it's easier. You can change the admin URL; there's a ton out there.
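The two lines the talk refers to are on the slide, not in this transcript. As an added example, not the speaker's code or slide, here is what those filters look like in practice, written the way a practitioner would actually want them: background updates are enabled for themes, and for an allow-list of plugins, but only when the release keeps the same major version, and every run is written to the PHP error log so that a broken site can be traced to a specific update (the talk's main objection to blanket auto-updates). The filter names `auto_update_plugin`, `auto_update_theme` and the `automatic_updates_complete` action are WordPress core hooks; the plugin slugs in the allow-list are placeholders you would replace with your own. It is written as a must-use plugin (a file in wp-content/mu-plugins/) rather than the theme's functions.php, so that it survives a theme switch.

```php
<?php
/*
 * Plugin Name: Selective background updates (added example)
 * Description: Added example, not from the talk or its slides. Turns on the
 *   WordPress background updater for themes and for an allow-list of plugins,
 *   restricted to releases that keep the same major version, and logs results.
 */

// Constructed allow-list: slugs of the plugins you trust to self-update.
// The two entries are placeholders; replace them with your own.
const SBU_AUTO_UPDATE_PLUGIN_SLUGS = array( 'akismet', 'contact-form-7' );

// True when both version strings share the same leading (major) component,
// e.g. 4.9.8 -> 4.9.9 is a same-major update, 4.9.8 -> 5.0 is not.
function sbu_same_major( $installed, $new ) {
    return strtok( (string) $installed, '.' ) === strtok( (string) $new, '.' );
}

// $item is the update object WordPress passes through the filter: for plugins
// it carries ->slug, ->plugin (e.g. "akismet/akismet.php") and ->new_version.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $slug = isset( $item->slug ) ? $item->slug : '';
    if ( ! in_array( $slug, SBU_AUTO_UPDATE_PLUGIN_SLUGS, true ) ) {
        return $update; // keep WordPress' own decision (off by default) for everything else
    }
    // get_plugin_data() lives in wp-admin; the cron context may not have loaded it.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $data = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false );
    return sbu_same_major( $data['Version'], $item->new_version );
}, 10, 2 );

// Themes: ->theme is the stylesheet directory name, which wp_get_theme() accepts.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    $installed = wp_get_theme( $item->theme )->get( 'Version' );
    return sbu_same_major( $installed, $item->new_version );
}, 10, 2 );

// After each background run WordPress hands over a per-type array of result
// objects (->name, ->item, ->result). Record them so a white screen at 3 a.m.
// can be matched to the update that caused it.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( array( 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $r ) {
            $status = ( true === $r->result ) ? 'ok' : 'FAILED';
            error_log( sprintf(
                '[auto-update] %s "%s" -> %s: %s',
                $type, $r->name, $r->item->new_version, $status
            ) );
        }
    }
} );
```

The allow-list plus same-major rule is the compromise between the talk's two positions: routine security releases of a plugin you trust go in overnight, while a 4.x to 5.x jump, the kind that breaks a site, still waits for you and a staging environment. Pair it with a daily look at the error log, or a log-shipping plugin, so the record is actually read.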
If you wanna find me afterwards, I'll give you a couple of lists of specific plugins that I'm using. I would have to look inside of my dashboard, if I'm being totally honest with you. A firewall. This is a paid option, and it's not something that every small business is ready for. But a firewall will actually do a lot of these things for you. It'll limit brute force attacks. It'll filter out bot traffic. It stops specific kinds of attacks, for example file uploads, cross-site scripting, SQL injection; a lot of firewalls will actually block that type of traffic before it ever reaches your site. So that's a great proactive solution to keep your website online. And a lot of them come with CDNs, like Cloudflare, that speed up your website too. So if that's something that you're concerned about, if performance is something that you're concerned about, or you just wanna limit the amount of bandwidth that bots are using, a firewall is a great way to do it. Use two-factor authentication. There are a couple of vendors out here who are offering some really cool two-factor authentication options through plugins. Use two-factor authentication. Passwords are not strong enough anymore. Whether you use SMS authentication, whether you use an app, whether you use a physical token, that's all up to you. However you wanna do it, two-factor authentication is available for your WordPress dashboard and you should be using it. Use a malware scanner. There are free options. There are cloud options. There are plugin options like Wordfence. There are hosted options like SiteLock, like Sucuri. However you wanna do it, use a malware scanner, preferably one that runs at least daily and that can automatically remove, or at least alert you to, any malware that's found on your website. Ideally, you use all these things. You change the admin URL. You use a firewall. You use two-factor authentication.
And then the attacker never gets into your website, but it's better to plan for the worst than it is to clean up a mess afterwards. Is running weekly an okay practice, or should you run it daily? I prefer daily. Weekly is okay if you're okay with your malware not getting caught for seven days. So keep in mind that one of the things about malware, especially malware that changes how your search engine optimization or your search engine visibility works, is that it could be sending traffic elsewhere. Redirects could be sending traffic from your site to other sites for days if you're running weekly. You could have a "Hacked by the Syrian Army" message on your website for up to seven days if they get in within a few minutes after your malware scan runs. The same is true of daily scans, but typically it takes the search engines, and it takes customers, longer than a day to find that there's a problem on your website, especially if you've got good caching. So I recommend daily; weekly is okay, it's better than not at all. Vulnerabilities as well: I also recommend regularly scanning for vulnerabilities. Now, unlike malware, you can scan weekly or monthly for vulnerabilities. So if you don't wanna pay for a daily vulnerability scanner and you wanna use something free that you run once a month or once a week, that's okay, because chances are you're not gonna have a new vulnerability on your website every day as long as you're staying up to date with your updates. Use strong passwords. The most secure password is the one you don't know. If you can, I always recommend using a password manager. The only password that you should ever really know is the one that you use to get into your password lockbox. If you can't use a password manager, use passphrases. These are things like entire sentences, or anagrams made from the first letter of each word in an entire sentence. We're finding more and more that password brute force programs are getting more sophisticated.
It's getting easier and quicker to break into passwords, and there are entirely too many people still using "password123" as their password. Please, I'm not gonna judge you. You don't have to raise your hand. You're listening to a security talk and you know somewhere out there you have an account using "password123" or "password1!"; that doesn't make it any more secure. Promise me silently with your eyes, promise me, you're going to leave this room and change your password. I will give you some invitations to free VPNs. I will give you some recommendations so you can sign in over your hotel wifi or the WordCamp wifi. I don't care. Get out of here and change your passwords right away. It's that critical, you guys. They've done studies: last year "password" was still the number one most used password in the world. Stop it. I can't, I'm begging you. Another one: change that prefix. So when WordPress sets up, by default it sets the prefix on your tables to "wp_" and then whatever the table name is. During setup you can actually change that. You can change it to random letters and numbers. You can change it to whatever you want. I think one of my sites is actually using my dog's name. So it's like "lion_" and then the WordPress table names. Whatever you want it to be, that's one more thing that hackers can't guess automatically when they're trying to get into your website. Limit login attempts and avoid brute force attacks. There's actually a plugin that Kathy talked about yesterday called Limit Login Attempts. It has about 150,000 active installs. It hasn't been updated in six years. Don't use that. There's another one called, I believe, No Brute Force. That's what I use. It's got great reviews. It's regularly updated. And what that does is it locks your WordPress dashboard down for 24 hours, or until you reset the password, or for 30 minutes, depending on how you set it up.
Once somebody has tried to log into your dashboard, say, five or ten times. Check access. This is something that you can do when you're actually installing new plugins. Sometimes you'll see plugins, kind of like apps for your phone, ask for weird permissions. They ask for access to things beyond the wp-plugins and the wp-content folder. That can be really dangerous. Sometimes they wanna do things like change file permissions to 777, or read/write/execute. No plugin needs 777 permissions for anything. Just don't. If they're asking you for that, or you see files in the file manager at your hosting provider that have 777 or read/write/execute permissions, run. Uninstall it, delete it, leave a bad review, run. What 777 or read/write/execute permissions do is allow anybody to view or modify that file without authentication, without permission from you. It's really dangerous. It's a really great way for attackers to use scripts to insert malware into otherwise legitimate files. So something we see a lot at SiteLock when we clean malware off of sites is legitimate core WordPress files that have been modified to 777 or 700 permissions, and they have malware injected at the top of them. They have things like cryptocurrency mining scripts that are hitting your visitors' resources, your visitors' computers, when they hit your site. And you don't know that, because it's symptomless, because nothing has caught it. So really watch your permissions, guys. I know that this is kind of bordering on intermediate to advanced, and this is supposed to be a beginner's talk, but there are a lot of guides available, both through WordPress.org and more than likely through your hosting provider, on how to go in and look at those file permissions. I encourage everybody to learn a little bit about it. It's not as complicated as it sounds. Remove your WordPress version number. This is another kind of more advanced tip.
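The talk tells you to watch file permissions but not how to check them at scale. As an added example, not part of the talk, here is a read-only audit script for a Unix-hosted WordPress tree, written in PHP so it runs anywhere WordPress does (`php perms-audit.php /path/to/wordpress` from a shell or a host's terminal). It reports every world-writable file or directory (what the "777" on the slide actually means: the last digit grants write to every local user and process, including a neighbouring compromised account on shared hosting), files carrying an execute bit, and any PHP file under wp-content/uploads, which is where a web shell dropped through a vulnerable plugin usually lands. The sample tree it builds when run without an argument is constructed for the demonstration.

```php
<?php
// Added example, not from the talk: read-only permission audit of a WordPress tree.
// Usage: php perms-audit.php /var/www/html   (no argument builds a constructed demo tree)

/**
 * Walk $root and return sorted finding strings, one per problem. Nothing is modified.
 */
function audit_permissions( $root ) {
    $root     = rtrim( $root, '/' );
    $findings = array();
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $walker as $path => $info ) {
        $mode = fileperms( $path ) & 0777;       // keep only rwx bits for owner/group/other
        $rel  = substr( $path, strlen( $root ) + 1 );
        $kind = $info->isDir() ? 'dir ' : 'file';

        if ( $mode & 0002 ) {
            // Bit 2 of the last digit: "other" may write. Any user or process on the
            // box can change this file or drop new files into this directory.
            $findings[] = sprintf( '%04o world-writable  %s %s', $mode, $kind, $rel );
        } elseif ( $info->isFile() && ( $mode & 0111 ) ) {
            // Web-served PHP/CSS/JS never needs the execute bit; it usually means
            // a blanket chmod -R 755 or 777 was run on the whole tree.
            $findings[] = sprintf( '%04o executable      %s %s', $mode, $kind, $rel );
        }

        // PHP under uploads/ is code where only media should live.
        if ( $info->isFile()
            && 0 === strpos( $rel, 'wp-content/uploads/' )
            && preg_match( '/\.(php\d?|phtml|phar)$/i', $rel ) ) {
            $findings[] = sprintf( '%04o php-in-uploads  %s %s', $mode, $kind, $rel );
        }
    }
    sort( $findings );
    return $findings;
}

/** Build a small constructed tree with one bad permission and one planted file. */
function build_demo_tree() {
    $root = sys_get_temp_dir() . '/wp-perms-demo-' . getmypid();
    mkdir( "$root/wp-content/uploads", 0755, true );
    mkdir( "$root/wp-content/plugins/example", 0755, true );

    file_put_contents( "$root/wp-config.php", "<?php // constructed\n" );
    chmod( "$root/wp-config.php", 0640 );                              // fine

    file_put_contents( "$root/wp-content/plugins/example/example.php", "<?php // constructed\n" );
    chmod( "$root/wp-content/plugins/example/example.php", 0777 );     // the bad one

    file_put_contents( "$root/wp-content/uploads/cache.php", "<?php // constructed\n" );
    chmod( "$root/wp-content/uploads/cache.php", 0644 );               // code where only media belongs
    return $root;
}

if ( PHP_SAPI === 'cli' ) {
    $root = isset( $argv[1] ) ? $argv[1] : build_demo_tree();
    $out  = audit_permissions( $root );
    echo $out ? implode( PHP_EOL, $out ) . PHP_EOL : "no findings under $root" . PHP_EOL;
    // On the constructed tree this prints:
    // 0644 php-in-uploads  file wp-content/uploads/cache.php
    // 0777 world-writable  file wp-content/plugins/example/example.php
}
```

The usual safe baseline on a single-tenant host is 755 for directories, 644 for files and 600 or 640 for wp-config.php, with the web server user owning only wp-content/uploads; the script deliberately does not chmod anything, because the right owner and group depend on the host, and because a blanket recursive fix is exactly how trees end up 777 in the first place.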
There's a lot of places inside the WordPress core files where it lists what WordPress version you're using. The reason that you want to remove that number is because it's, again, one more thing that hackers have public access to that will tell them whether or not your site is vulnerable. In a couple of weeks, we're going to have WordPress version 5 come out, and everybody running WordPress version 4.whatever is probably going to be vulnerable to some kind of security issue. It's going to be easier to break into a WordPress 4.whatever site than it will be to break into WordPress 5.0. And if they can find your wp-admin page and it says running WordPress 4.9.8, they know exactly what weak points to hit without ever looking at your actual website. And keep accurate backups. Something that we talk about on our security podcast a lot is the rule of three. So if you have a site, you should keep three copies of that site, incrementally, every time it changes. You should keep one on the same server where your site is, for an emergency. You should keep one off site, so in cloud storage like a Google Drive or a OneDrive or your iCloud, whatever flavor of cloud storage you enjoy. And one physical copy, so whether that's a DVD, a CD, a thumb drive, whatever. I had a copy of my first couple of WordPress sites that lived on my iPod. I'm not even kidding. It was just a place to keep it that I knew would be secure. So keep backups. Make sure you're incremental. I recommend backing up your site at least weekly, and every time you do an update or make a change. I promise you, I love WordPress. The thing about it is, WordPress makes building a website really easy. It makes it accessible to everyone. It lowers the bar of entry for building a website to anybody, literally. We had GeoCities, and we had bad MIDI files of Metallica songs, and that was how we got our websites off the ground. Now we can build a WordPress site on our iPad with no skill. For you, for good, it's equally easy access for bad.
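Three of the tips above (checking for 777 permissions, changing the wp_ table prefix, and finding where the version number leaks) can be checked from a shell rather than by eye. The script below is an added example for this transcript, not the speaker's own code or any SiteLock tooling. It builds a constructed, throwaway WordPress-like directory so it runs offline; the file paths, the sample version string and the plugin name in it are made-up assumptions, and on a real install you would point it at the site root instead.

```shell
#!/bin/sh
# Added example (not from the talk): a small audit for three of the tips above.
# Run it as ./wp-audit.sh /path/to/wordpress; with no argument it builds a
# constructed throwaway install so the checks can be seen working offline.

# 1. World-writable files: the "777" red flag. Any file that anyone on the box
#    can write to is a place a script can drop malware into a legitimate file.
find_world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# 2. Table prefix: print the $table_prefix from wp-config.php ($1) and return 1
#    when it is still the WordPress default wp_ (or cannot be found at all).
check_table_prefix() {
    prefix=$(grep '^\$table_prefix' "$1" | head -n 1 | sed 's/.*= *//; s/;.*//' | tr -d "'\" ")
    [ -n "$prefix" ] || { echo "no table_prefix found in $1" >&2; return 1; }
    echo "$prefix"
    [ "$prefix" != "wp_" ]
}

# 3. Version disclosure: print every place a saved HTML page ($1) gives the
#    WordPress version away: the generator meta tag and the ?ver= query strings
#    WordPress appends to its own assets.
find_version_leaks() {
    grep -oE 'content="WordPress [0-9.]+"|wp-includes/[^"]*\?ver=[0-9.]+' "$1" | sort -u
}

# Build a constructed sample install in a temp dir (made-up data for the demo,
# not a real site): one 777 file, the default prefix, and a leaky front page.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/example" "$d/wp-includes"
    printf '<?php\n$table_prefix = '"'"'wp_'"'"';\n' > "$d/wp-config.php"
    printf '<?php // legitimate core file\n' > "$d/wp-includes/load.php"
    printf '<?php // plugin file left world-writable\n' > "$d/wp-content/plugins/example/cache.php"
    cat > "$d/index.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.9.8" />
</head><body></body></html>
EOF
    # Normalise modes so the demo does not depend on the caller's umask.
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 777 "$d/wp-content/plugins/example/cache.php"
    echo "$d"
}

# Run all three checks against an install root and report.
audit_install() {
    root=$1
    echo "== world-writable files under $root"
    find_world_writable "$root"
    echo "== table prefix"
    if check_table_prefix "$root/wp-config.php"; then
        echo "ok: non-default prefix"
    else
        echo "WARNING: default wp_ prefix (or none found)"
    fi
    echo "== version leaks in $root/index.html"
    find_version_leaks "$root/index.html" || echo "ok: none found"
}

audit_install "${1:-$(make_sample_install)}"
```

The permission check uses `-perm -0002` (any file writable by "other") rather than matching the literal mode 777, so it also catches 666 and 757 files that the file manager would not show as "lucky 777". The version check only looks at a saved copy of a page; on a live site you would save the front page with the browser or curl first, and a clean result there does not cover readme.html or RSS feeds, which also carry the version.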
It's becoming increasingly profitable. It's easy, it's automated. It doesn't require a whole lot of effort from criminals to hack into websites and do things like mine for bitcoins, or siphon your traffic to their pyramid scheme sites or their escort sites or whatever. So think about website security. When you're putting your WordPress site together, think about: is this theme safe? Is this plugin safe? If you can do that, you're already ahead of the curve. You're already ahead of the average website owner. And if you have the budget, and your website is critical to your business, invest in the security. Invest in a good firewall. Invest in a good malware scanner, whether that's through SiteLock or whether that's through another provider. As long as you're thinking about it, you're being proactive, you're taking those steps, you won't be in that 1%. You won't be in that 6% with a vulnerable plugin that lets somebody get into your website and completely destroy it, completely destroy your livelihood. Let's go out there today and not be part of that 5 million sites that have a vulnerability or that have malware.

From inside the various places where it appears, or is that a, I'm going to go in and edit some PHP files or something? There's probably a plugin for it.

So she's asking if there's a plugin that'll help you go in and remove the WordPress version. To my knowledge there isn't, but there may be. However, I know that there are tutorials online that show you exactly what files and where to edit, and they're really easy to follow. So that's one of those things that, if it takes two minutes to do with an online tutorial or a YouTube video, I recommend doing it that way instead of using a plugin, because the fewer plugins you have, the smaller your attack surface. So if it can be done manually, I recommend doing it manually versus doing it with a plugin.

Jessica, your first comment, I don't quite trust it. This is your first presentation. It is. I don't believe that.
I don't believe that. Do those come from the same repositories, such that they're trusted the same way?

Yeah, so the repository has a lot of what they call freemium. So what that is, is where they'll let you download, say, a trial version, or a version that's kind of neutered a little bit, and then they want you to upgrade to the paid version. Those are just as safe as the free plugins that give you full functionality. They are asking you to pay basically so those developers can keep the lights on. So I personally really like freemium, because it gives you a way that you can interact with that development team. And if you're paying them for something, there's a pretty good shot that they care about that code and they're gonna keep it maintained. So they are equally safe to the free plugins on the repository, so long as you're getting them either from wordpress.org/plugins or from the plugin admin inside of your dashboard.

One thing, as far as what you were talking about, discipline in choosing things: I frequently worry. I have the theme that I use, which is mainly because it's the only theme for my needs. It's very much a labor of love by one guy. While he'll give you all the support he can provide, he's the only guy doing it. But having said that, I always get nervous when any theme or plugin doesn't have an update for, say, over six months. Is that a rational concern?

Yes, yeah. Yeah, and I mean, you can always reach out to that one guy and say, hey, I noticed you haven't updated this plugin or this theme in the last eight months or the last year or whatever. Are you still maintaining it? Have you received reports? And Google it. You know, do a little bit of research, but it could just literally be that they haven't had an issue, they haven't had a bug. So I encourage communicating with developers, get involved in the community. That's, again, that's why we're all here today, is for the community. And those open source devs, it is a labor of love.
And if they can, they'll usually answer your question. But it absolutely is a rational fear.

You mentioned changing themes?

I would say yes, if you can. There are a couple of options there. If the theme or plugin is no longer developed, you can either start researching and preparing to change that theme, and I know with themes it's a large undertaking, because it could potentially mean completely changing the way your site functions or the way your site looks, and I know that that's a huge labor, but it's probably still a good idea. Alternatively, if you really wanna put the love into it, you can learn how to keep that theme updated yourself. That's a pretty advanced undertaking as well. So, you know, unfortunately there's no easy answer to that question. The TL;DR of it is: yeah, if they're not developing or they're not supporting that theme anymore, it's probably time to find a new one.

I mean, you mentioned, okay, people are talking about these paid ones, but is there any data that might be not paid, or for years?

I've found a lot of good themes in the repository. It's hard to give specific recommendations for themes, because it's gonna be different depending on what you do with your website. I use one called WP Spa for my small business site and I love it. And I've never had an issue with it, and it gets regular updates. But that may not work if you're not running a daycare, right? So.

For WooCommerce, is there anything?

I've not worked with WooCommerce enough to give a good recommendation one way or the other. I would say just do your research, look at the reviews, and reviews are kind of a double-edged sword, right? Because you can buy good reviews, so they may not be great, or one crazy guy who couldn't get his theme to do what he wanted it to could leave a one star for no reason. So really dig in, and if you have to, email and interview those developers and ask any questions that you might have about their theme.
You said to remove the version number; how do you do that?

So you would actually have to go in and edit the PHP files that have that version number in them. Like I said, there's a lot of YouTube tutorials out there that you can actually follow. It takes about five minutes to remove it from your site if you're good with a text editor and FTP. Yep.

I'm going to answer the question about the e-commerce theme. Storefront is the theme that, since Automattic bought WooCommerce, is their official theme. It's actively being maintained and people make child themes of it. So that's probably the safe one. Anybody else?

You said about checking the file permissions. Where do you go to learn how to do that?

So I would start with tutorials from your hosting provider on how to get into your file manager or how to connect to your site through FTP. Most WordPress sites run on a Linux environment, so you can go in through FTP or the file manager and really quickly see a list of all the permissions. The big red flag that you want to look for is 777. So lucky 777, when you're talking about Linux, is actually unlucky 777. So that's a really easy way to remember it, and that's all you're looking for.

It's the WPVulnDB, or WordPress Vulnerability Database. WPVulnDB.org, or if you just Google WordPress Vulnerability Database, it's the first result.

So a point was made about buying a theme or plugins, that they have developers that are watching if it's paid, whereas when it's free, then anyone can read all the code, in a way.

Yeah, and paying for themes and plugins is a double-edged sword too, because just because you know that they have developers that are managing it doesn't mean that they're good or that they're aware of vulnerabilities, because unlike free plugins or open source plugins and themes, nobody can download that content and research it without paying for it.
So they might have an in-house dev that manages that, but that in-house dev isn't necessarily a vulnerability researcher. So it could go both ways. I always encourage, if you're thinking about paying for a plugin or a theme, really get to know the company that you're paying. And ask them, hey, do you have a bug bounty program or a vulnerability program that researches your code and scans your code for vulnerabilities? Okay, we've got one minute, so I can take one more question. So, one more.

The statistics on the meaning of vulnerability: it's highly recommended that you keep everything updated. But for those who update everything, what's the percentage of vulnerability there?

So it's hard for us to tell, because we can't get updated themes and plugins, because there are so many. But for people who have almost no plugins, so one to five plugins and one to five themes, and core updates, the incidence of hacked sites, or the incidence of malware infection, is about half of what it is for the rest of the population. So where we see a 1% infection rate for everybody else as an average, for those who are running one to five plugins and keep their core updated, we see it at about 0.45%. Thank you. And sitelock.com slash Website Security Insider, or just go to our site, there's a big banner on the bottom of it; you can actually read that whole report too.