 Great. Great. Great. I am Adam Warner. This is an ask me anything session about security. Website security specifically, but if you have any personal internet based security questions, feel free to throw those out. To get started, let's see if anybody came prepared with a question. If you have a question, raise your hand. Yes, sir, we have one to start. Okay, so the question was, how do I make some content available for some users and some available for other users or not seen by other users? Correct. The answer to that question is look for a membership plugin. There are a ton of great ones on the plugin repo. If you go to wordpress.org forward slash plugins or in your WP admin search plugins add new and search for members. That is the solution to that, filtering content. Anybody else? Yes, ma'am. The question is, can I share some security risks? Okay, so to start, I work for a security company. I'm also passionate about website security and I'll tell you why, because I had an internet based business and it got hacked and I couldn't fix it and it basically ruined my revenue, my monthly income. And that's when I gained an interest in security. So the first thing to know about website security is that there is no such thing as 100% secure in life, in websites. The reason websites get hacked is usually for monetary reasons. There are some reasons like defacement hack where you go to a website and it's not what you expect or there's a message from someone on there. Usually those are prompted by political or religious beliefs, but the number one reason websites get hacked are for monetary gain. And there's a whole bunch of different ways that websites get hacked, but the thing to know is that most of them are from automated bots or scripts. And as developers get smarter with developing these scripts, we also need to get smarter with how we're blocking those scripts. So the way that you do that is by doing a few things. And I have a few, there we go. 
Okay, so it all starts with being aware of security, security awareness in your daily life, security awareness across the board. The number one reason is to make the internet safer. Who's responsible for security? How many people think your host is responsible for security? Nope. They are at some level, they're responsible for the security of the network that they put your application, a.k.a. WordPress, Joomla, Drupal, whatever application it is. They're responsible for the security of their servers, right? So something doesn't go from one server to another. But ultimately we're all responsible for the security of our own websites. So the benefits of securing your site is to protect your content, a.k.a. how I ruined my business by not protecting my content. And you'll have satisfied readers and customers if you're selling any kind of product. Does that get to the point of your question yet? Okay, we're still going. So let me just tell you a little bit of why websites are hacked, how they're hacked, and who's hacking them. The first thing to know is why, which I've already discussed, for monetary value usually. If you go to a website and you're immediately redirected to a Viagra, Cialis, or porn site, that is because that malicious script also carries the affiliate ID of whoever created that so they can make a commission on all that traffic going wherever they want it to go. Another why is that someone might want to use the resources of your website server to spread more of their scripts and more of their malware. So who is doing it and how? I already talked about the how, mostly it's automated scripts that are released out into the wild. The people who are doing this aren't your stereotypical black hoodie teenager in his mom's basement drinking Mountain Dew. These are people who many times look on the internet to find malware scripts and then just release them. There are people who specifically target, and that's usually state run entities or individuals. 
Websites are hacked an average of 59 times per day, every single website. And this is a live, almost live, it's a GIF of all of the attacks that are happening. This is a 5 or 10 second GIF. You can go to Norse, Google that. It's pretty amazing to see how many hacks are happening at every second of the day. Does anybody have any questions so far? Yes. What is the importance of changing your login URL? Many security plugins and many things you find on the internet will tell you to change your URL. I say it doesn't matter anymore. Scripts are too smart for that. There's a million other ways they can detect your login URL, what application you're using, WordPress, etc. So in my estimation it's not important. The question is if you have HTTPS installed on your site and you're going to your site and it's not showing the green padlock or that you're hitting an HTTPS URL, is your site less secure? Right. There are two answers to that. One, something's not right. When you install a Let's Encrypt as a free SSL certificate provided by many hosts, many of our hosts here that are sponsoring, when you install that, sometimes if you install that after you already have content, you want to look for a plugin called mixed content fixer, I believe it's called. Install that plugin and it'll identify any content that's being loaded onto your site that is not being loaded through an HTTPS URL. You're welcome. And to add to that, SSL does not make your site more secure. SSL makes the traffic to your site and from your site more secure through a browser. So it's more security for your end user, not for your actual website files. Any other questions? Yes, way back there. The question is how does the free SSL certificate compare to the paid ones? I don't know the very specific answer to that other than I believe paid SSL certificates offer a higher level of encryption, more bank level, and maybe some more compliance. If anybody knows the answer, raise your hand and yell it out. Yes. Okay. 
If anybody didn't hear that answer, the encryption is the same, but it verifies the entity further, which then creates more trust with your brand or website. Correct? Okay. Anybody else? Any more questions yet? Yes. All right. So the question is I have a security plugin installed on my site and I'm getting notifications that people are trying to attack brute force and you're able to block that IP address. Is there a way to just completely block that from happening? Yes. Mostly. I would suggest looking for a web application firewall. And what a web application firewall does, commonly known as a WAF, it basically is a hardware and software solution that sits between someone's browser going to your site, but first they hit the web application firewall and then they go to your web server, which serves up the file. So the web application firewall has the ability to block automatically malicious scripts, IP addresses. Depending on the WAF you're using, you can put in ranges of IPs. You can put in all kinds of rules that will block specific things. You can also only whitelist IPs and then block everything else. So if you're, let's say you're running an intranet on WordPress and you only want people from within the company to access the site, you would whitelist only that IP address range and then block everything else. Any other questions? Yes. It was called Norse, N-O-R-S-E. So the question was, the first question was, are there any specific pain points that we see in the security space and what is the future of security? Is it going to get easier? The single most important thing that I can say is that security education is the single most important thing. Spreading the word about security just in your daily life. I wish I had time. I have a video of a credit card skimmer and that's in use in Vienna, Austria. And someone noticed that it worked for a website security company and notified the people that were actively using it. 
And that's just an example in your daily life, right? So if your website can be related to that, that's what you want to do with your sites, right? So the single most important thing is security education for yourself, your clients, but then, in addition to that, are strong passwords, right? So let me just run through a couple of things because I'm getting close on time. So there's five simple steps to security as I see it. One is having regular backups of your site. If you're not familiar with backups, you're backing up the databases and files, right? So if something does go wrong, you've got a version that you can restore. Two, software updates. WordPress core, plugins, themes, maybe you're a tinkerer like I am and you've got other software installed in the same root directory as your WordPress installation. Update, update, update. Three, and this probably should be number one, but I put them in order of how you would actually perform them, strong passwords and unique passwords everywhere. Everywhere. Your local machine, your home Wi-Fi, your WordPress login for every single user, your FTP, your cPanel, your hosting account, everywhere. Strong passwords and unique passwords. And I know what you're probably thinking now. How the heck do I remember a strong and unique password for the dozens and dozens and dozens of sites that I log into every day? The answer is a password manager. There are several really good ones. LastPass, 1Password, KeePass, Dashlane. And now you might be thinking, well, okay, what if I create an easy password for that one? You could. And back to there's no 100% security. That is still one access point that if someone gets a password, now they have access to everything, right? So security is about reducing the radius, right? Mitigating risk, closing all those open doors as much as we can. Four are firewalls and CDNs, which we just talked about, web application firewalls. 
I suggest googling that, looking at what they do, and installing one on your site. It basically is a DNS change in your domain name to route your traffic through one of those before it gets to your web server. And then five is continuous monitoring. Look for malware scanners. You'll find a bunch of them out there. There's a bunch of really great ones. You can also automatically remove malware if it's found. Just to refresh, backups, updates, software updates everywhere, strong passwords and unique passwords for everything. LastPass, 1Password, et cetera. Firewall and CDN to automatically block malicious traffic and continuous monitoring, yes. Good question. How can we check if a backup we've made is good? It's kind of difficult, right? So if you go to your website and all of a sudden it's hacked, how do you know which backup doesn't contain that hack? How do you know how long it's been hacked? That would be through the use of some kind of security service or plug-in, which would monitor file diffs, which means differences in files. So typically when your site is hacked, there will be timestamps on your files. It's not a guarantee, but you can look at that as well. Or you can start restoring from backups and then run a scan. Well, in that case, she's saying, well, how can I test those backups? In that case, I would suggest using what's known as a staging site. So if you have a host, a lot of hosts nowadays have staging sites, which is basically a copy of your live site that is on a URL that only you can view and you can do whatever you want there. You can create updates, you can delete plugins, you can restore backups to the staging site in order to test that and run scans on it. Okay. Okay. We're close. One more question. So what's the best way to prevent DDoS attacks and what's the best security solution? DDoS stands for Distributed Denial of Service Attacks. That's where they take over your server resources. Your site comes to a halt or other sites do. 
The best solution for that is a web application firewall because if an attack is noticed, it will block it. The best security solution, I'm not going to name one or the other. Every solution is looking out for the end user and the website owner. So it really comes down to preference and the difference in services and benefits. Pardon? There is iThemes, there is Wordfence, there is Security, there is SiteLock, who I work for, which we are web-based, excuse me, cloud-based instead of plugin-based, and there are a few others. We do. We offer a web application firewall and scanners. Yes, ma'am. One more. Again, I can't recommend. Yeah, I would just Google malware scanner. I would visit SiteLock and check out ours. I would visit any of the other ones we just mentioned and look at their scanners and the differences between them. Yes, sir. You're welcome. Yeah, so it used to be, if you have to leave, feel free to do it, but it used to be common security practice to lock down a directory access using chmod. It used to be common practice to change a login URL. It used to be common practice to change the database prefixes, all of that stuff. But in the last few years, it's just become clear that, although those are probably good baseline stuff, it's better to spend your time with the baseline basics rather than all of those technical things because the scripts have become more mature, and there's always a way in, even though you do that. Now, that's not to say it's a bad thing, right? You could put stuff in your .htaccess file to deny access to a bunch of stuff, to deny executions of PHP and all that stuff, but when you do that, you run the risk of getting mired down and, okay, this plugin's not working. Oh, it's because of this security rule or things like that. So I think it's good, but I don't think it's 100% necessary. Yep, ready? Okay, thanks, everybody, for coming. Come and find me at our table if you have any other questions. Thanks.