Thank you for the introduction. Hello, thank you everyone for being here this morning. We have a couple more seats here if you want to sit down with us. No, it's okay. I'm just... because I don't see well far away even with my glasses on, so it's absolutely self-serving. So yeah, it's my first time in Singapore. I'm super excited and it looks like a really good WordCamp, so you should be excited about your community; it's a good one.

So my name is Francesca. I'm the WordPress Community Manager at SiteGround, the web hosting company, and giving back to the WordPress community is actually part of my job. And it's awesome, obviously. And I get to do one of the things that I love the most, which is sharing knowledge. I think we all have something to share, and we're not gonna take this with us in the afterlife, so we better share it now. And I do so based on my experience or on the collective experience of the SiteGround team. This talk in particular is based on my experience as a hosting company employee, but also on some terrible experiences that I had as a web developer when I was freelancing.

I am not a security expert. So if any of you is a security expert in this room, don't ask me advanced security questions, because the whole point of this talk is actually talking about security in a non-menacing way for people that have no coding skills and no security knowledge. But if there are some security experts amongst you, luckily I have a colleague attending with me who's an expert WordPress enterprise engineer, and he's right outside at the SiteGround booth. So if you do have advanced questions, please come by the booth, but don't ask me, because I don't know the answer for sure. So I like to think of myself as a common sense dispenser. I'm full of common sense. So this is what the talk is about. Honestly, it's about not making it overcomplicated.

There are some basic steps that you can take to secure your website and to secure your browsing, and they're kind of easy to implement. But a lot of the time you hear the term security and you go, oh, this is for developers, this is too complicated for me. But actually the very basic rules of security can be implemented by everyone.

So as I said, during my time as a freelancer I had a horrible experience of being hacked. I ran a website for women, for female entrepreneurs in Italy, and one day we received a cease and desist email from an American lawyer, and of course we panicked, because what's going on? So what was going on is that a pharmaceutical company added some content to our website that was mentioning a competitor of the company and bashing it, and basically we didn't realize any of this at the time because we had a false sense of security. We had a plugin. We had a plugin installed on the website, and so we said, all right, this is taking care of everything for us. But that's not how it works. This is a sentence that you might have heard a lot when we talk about security, not just in the WordPress space: security is a process and not a plugin. There are awesome plugins, the security plugins out there, but you cannot just rely on that. You have to do your homework. You are part of making your website secure.

So just a few words on who carries out the attacks, because when this happened to us with this website, we were like, who wants to hack us? It's a free blog run by volunteers with no ads, and we give advice to women that want to start their own businesses. But hacking is nothing personal. Hackers don't really care about your website unless you're the FBI or any other very high profile target.
What happens is that, okay, sometimes attacks are carried out by people, but this is very rare, and unless, as I said, you have a very high visibility website like the White House, they will not care about your blog or my knitting blog, for example. But these attacks are very specific and very elaborate, of course, because they are custom made to attack that specific website. What happens to most of us that get hacked is that bots or botnets, which are networks of bots, will run random scripts and attacks at scale. Okay, so nobody really cared about my website. It was just there for the taking, because it was not secured in any way. So bot attacks are a lot less sophisticated, but they go at scale. They go at millions at a time. At SiteGround we have an anti-bot AI and it blocks millions of accesses every day, so that's the scale of the attacks. And botnets are just networks of bots where one computer serves as the command and control and it controls all the other computers.

So as I said, it's nothing personal. So this is something that you really have to remember, because maybe you just launched your website yesterday and, like, who besides my mother is reading this blog? Why are these hackers caring about me? Why do they? Because of a number of reasons: because they want to basically gain access to your website and to what they can do through your website. So what can they do? A lot of websites get attacked because of spam. So that's exactly what happened to us. They added some content to our website that we weren't aware of and they used basically our website as a vehicle to distribute the spam. They could upload unwanted content. They could steal your data. For example, as you know, on WordPress when someone comments on your blog or they buy something through WooCommerce, their email is stored actually in the admin area, so they could gain access to the website just to build a database of emails, for example. They just get all the emails and then start sending spam.

That's very common. They can redirect. So as you know, linking is still an important SEO feature, so they might link to their website from your website. So your website is still whitelisted and they just put links to their website so they can increase their index in Google, for example. They could use your website as part of a web... of a webbot... botnet, sorry. I'm heavily jet lagged, if you haven't noticed. But I'm doing my best. The thing that I didn't really know still existed is ransomware. Do you know what ransomware is? It's digital ransom and it's actually very popular, unfortunately also on social media; on Instagram it's very popular. If you have an account with a lot of followers, please, please, please secure it, because it's very, very common to just receive an email that says, hey, I've got your Instagram account. Give me 5,000 euros. That's it.

The effects. Being hacked has a lot of effects. First of all, the reputation. How many of you have visited a website that said it's hacked and really came back? If I see that a website has this notice, that the website has been hacked, I will not go back there. Even if they clean it one second after I've been there, my trust in this website is done. I don't trust it anymore. It gets flagged by Google Safe Browsing, one of the many features of Google. It will say this website is not safe for browsing. So again, you have to then get it removed and you have to go through some steps. Your website could be blocked by your hosting company or by your ISP at home, because no one wants hacked websites on their network. And finally, of course, the cost for cleaning it up, unless you're able to do it by yourself. Someone has to clean this, and it costs money and it costs time, but in my eyes the reputation is the highest cost, because it's really done. Once it's done, it's done. So, there's no chance to reduce this to zero. There is no zero risk of being hacked; it doesn't exist.
But you can reduce the possibility of being hacked by using some very simple and common sense rules. The first one, which is possibly the most important security issue ever, is picking a right password. The password needs to be long, and when I say long I mean at least 25 characters. It doesn't matter if they're random characters or, you know, a sentence that you can read, but it needs to be at least 25 characters. Don't repeat passwords. Why? Because if you use the same password for your website, for your email address, for your LinkedIn, once these bots get access to one of the services, the first thing they do is try the same password on every other online service. So, if you use your password more than once, they will hack more than one service. No one remembers 25-character-long passwords, okay? So, this is why luckily we have password managers. We use 1Password personally, which, as the name means, is really that you need just one password, which is the master password to access the service, and then everything else is stored and encrypted, so you don't need to worry about it. But honestly this is probably the most important rule we're going to talk about today.

The second one, especially for WordPress: keep everything updated. Now, there used to be a time, and maybe some of you remember it, when there was an update of WordPress it was panic, because you got the white screen of death, the so-called white screen of death. You updated it, you didn't know what went wrong, you just got nothing. So, this has really decreased dramatically in the last few years, so don't worry about it. But it starts also from picking the right plugins and themes, so always pick plugins and themes that have been recently updated, that you know are kept alive by their developers.

So, go see the ratings, of course, but also go see in the forum if they have open questions and if they reply. If they reply, it means that they're still engaged with the product and they will be there if something happens. And again, check that there is support, because there are right now, I think, over 45,000 plugins in the WordPress directory, and a lot of them have been abandoned, but maybe you installed one like 10 years ago and now you're running old code, which might be very dangerous for your website. How do you know? If all of this happens, you go to WordPress.org plugins or themes and then you check. There's a number of parameters that you can check: when it was updated, how many installations there are, tested up to (this is a screenshot that I did a few months ago), the ratings, the support. This is the important thing that you have to look for, so you know that you're getting your plugin from a reputable source, but also from someone that cares about their product and protects it actively and keeps applying patches to it.
As I said, update everything, so don't write in WordPress core, don't write in your theme. You create a child theme, you add a functions.php file, but just don't mess with the core files of anything, because then the next time you update it you're losing everything. And again, honestly, it's really safe nowadays to update everything. One of the perks of working for a hosting company is that you have access to a lot of data; you can analyze how many updates go well and how many go wrong. For example, last year you might remember the 5.0 update that everyone was fearing because it was introducing a new editor, and we were one of the first hosts to update it on every server, because we tested it. When you have this large amount of data available, you test it on a couple of servers and it's already thousands and thousands of customers, so if you see that nothing happens you feel safe and you go on and you can update everything.

Before you update, this is also very, very, very important: you should always have a backup of your website. Always look for a hosting that provides backup services, but also save your backups in an offline space, for example your computer, so you will have two copies if something goes wrong. Also test the restore procedure, because don't do what I did with my first website. I was probably terrible. I'd been a freelancer; I don't know how people hired me, because the first website that I did was my personal website and I managed to delete everything, including the database. Honestly, I went into the customer area and I just deleted everything, because I created a bunch of websites to test and I just deleted it. And then I did have a backup, but I didn't know how to restore it. So please test your restore processes, so you're sure. But also back up your computer. This is something that we often forget, especially if your website is backed up also on your computer: back up the computer as well. What I said about passwords applies also to your computer, so make sure that also the computer has a very good password to access it. And another thing that I would say: don't keep outdated versions of your backup in your hosting space, because there might be some vulnerabilities in that version of the website that you don't know about, and then the account could be hacked through that. So once you have a few copies that are enough to work with, just delete everything older, so you don't have the risk of being hacked for something that is not even active on your website anymore.

One thing that is not about securing your website, but it's about securing browsing for everyone, is HTTPS. So this doesn't secure your website; it secures the communication between the client and the website. It means that any data that is put in your site from your computer cannot be intercepted, or it can be intercepted but it cannot be understood by a bot, because it's encrypted. And honestly there is no reason not to use it. I mean, when SSL came out people were saying, oh, it slows down your website, and it's a mess, and the certificate, and a lot of excuses. Well, Let's Encrypt, which is one of the institutions (I don't know how you call them in English) that issue these certificates: they're free, they renew automatically every three months, and most web hosts today use HTTP/2, which makes browsing much faster anyway. So honestly there is no reason not to use it, and I would say that also most hosting companies nowadays offer this for free. I mean, they should; it's free, so why pay for that? And also one-click install. So honestly there is no reason not to use this. Just go through the dashboard of your hosting company and click on the sign that says add SSL certificate, and that's it, you've got a secure website. Well, you've got a secure communication to your website.

One thing that came to me a few months ago after I gave this talk is that there are a lot of memes (how do you say in English, memes? In Italian we say "meme", which is a lot cuter I think, I think it's much better), and so there are these memes around the web that say: what's the name of your pet, what's the name of your mom, where were you born, what's your mom's name, where were you born, what's the name of your high school, stuff like that. So basically answering this kind of meme is like: come on in, come on in, come on in, come on in, steal my password. So please don't do it. They're really cute, I get it, especially if you call them "meme", but no, don't do it.

And now for the very advanced amongst us: I hate this, but I do it. Two-factor authentication. I hate it because it's boring; every time I have to sign into something I have to take my computer, my phone out and look for the authenticator. But do it, especially with access. So with two-factor authentication you add a second password, basically, that is randomly generated and it's time based, and you do it through your phone. So... does anyone here use two-factor authentication for something? Okay, so I don't have to explain too much what 2FA is. It's boring, but it's very, it's very useful. So I would say especially for high-level services, do use two-factor authentication. For example, for your hosting account, use two-factor authentication; for your Gmail account, use two-factor authentication, because those are services that will give access to other services, so be sure to secure these.

And if you use WordPress, which I think you do since you're at a WordCamp, there is in the General Settings area (they keep changing the name of this) Membership: "Anyone can register". So that's another very common sign that will tell you for sure that you've been hacked: that you have additional users in your WordPress website that you don't know who they are, admin00, admin01, and you get hundreds of those. It's because they were able to register through your website and gain access as admin. So unflag that, because no one really needs to register to your website except for you and the people you pick.

One thing I really would like you to walk away from this talk
with awareness, and the key concept here is that honestly security is a shared responsibility. You cannot always count on someone else; you have to do your part. So core developers keep WordPress core updated, developers keep plugins updated, hosting keeps servers updated, but you have to do your part, which starts from these very simple rules that I gave you and that I hope you will follow. So thank you for having me and I hope it will be useful.

Thank you, Francesca. Let's open up the floor for a few questions. We've got a little bit of time, a little bit after us. Does someone have one in mind? We've got one. Any questions?

Even though 2FA is very boring, do you have a recommended plugin or something that you guys are using and suggest for 2FA?

I personally use, I'm going to tell you exactly what I use, Authenticator. I use Google Authenticator, which is, you know... that's a question that I don't know how to answer, but sorry, this doesn't work. On, off... works? No? Yes. I am pretty sure that there's a plugin for that. Like everything in WordPress, basically the craziest thing you can think of, there's a plugin for that. So I use Authenticator, and I would say to add 2FA authentication to your website, probably there's a plugin; if it's not developed by Google itself, which is kind of starting to develop a lot of products for WordPress, there's one for sure. Thank you for asking something that I can answer. Yes, other questions? Hi, where? I don't see anything, even with the glasses. No, here. Maybe if you want to know also about knitting, I'm game. Well, nobody has a question?

I have a question: at SiteGround, how often do you all take the backups of the website? On SiteGround, what do you recommend? Let's say, in terms of, because if you're going to keep backups on your website, how much storage buffer do you need?

So we do automatic backups every day, and then depending on the plan that you have you can also request additional backups. We keep them for 30 days on our servers. And if you decide to do something additional, I would say... so this is already taking care of the daily backups, right? But I would say if you're going to make a big change on your website, first of all never do it live; always use either staging or a local environment. But even if you do it live, like I did for a long time, do a backup before that, and then once you're done with all the changes you can just throw it away. I mean, I'm also a bit about keeping things very neat. I'm one of these people that only has three icons on the desktop, so as soon as something doesn't serve me anymore it's gone; it's either in the trash or archived somewhere. So that goes also for plugins. If you have plugins or themes... once I got a client that had something like 20 unused themes on their website. That has to stop. You need the theme that you're using now, and if you want, for example, one thing that I used to do as a freelancer, I had the theme that was in use at the moment and then a backup theme, like 2012, 2011, one of the basic WordPress themes, so if something went wrong with my backup I still had a base. I don't know if, a few months ago, I don't know if you saw that TechCrunch had a problem like that. So WordPress VIP servers had a problem, so for a few hours TechCrunch reverted to 2019, which was kind of funny, but at least it was there as a backup theme. So I would say use that, but don't... because those are all points of attack. So the same with the backup: once you're done with it, I mean, keep it for a few days so you're sure that everything goes well, do one before the major changes, do one after the changes, but don't keep too many copies. I mean, why? That's my thinking.

But in terms of the storage process, say we are going to keep maybe a week of backups, when it comes to choosing...

Well, that really, that really depends on your website. There are some websites that are very light and some websites that are major, that have also very big DBs, so it really depends. I think at SiteGround the minimum space that we give is something like 10 gigs on the basic plan, and that should serve you for quite a few days of backup, and it goes up and you can always buy extra storage. But for one week of backups that should be enough, unless you have a major photography website that weighs tons of gigs. So it always depends on the size of your website; basically it goes down to the size of your website. Yes, have I replied? Is it a good answer? Okay, I have someone here in front.

Hi, I don't have a question for you. I am a security professional. All of my sites, I use Wordfence. It's a very good comprehensive one, even the free one, and it does have a free 2FA with it. It uses the free OTP on your phone. There's no need to pay a lot. Wordfence, it's very highly recommended. And so one of your criteria was a lot of simple recognition, so I've had a lot of good luck with that. I use it on all my sites.

Then Wordfence, "Word" as in WordPress and "Fence" as a... oh, a fence. Thanks. Yes, more questions? One and two, I see one there and one there.

Thanks for sharing. Thank you for coming. Regarding, let's say, you are working with a third-party developer: do you have any access to, for example, cPanel or your WordPress? How do we ensure that this partnership we are engaging with other parties, how do we ensure that this is secure?

So you want to give cPanel or admin area access to a third person because they need to work on your website. Okay, so there's a question of how we solve that at SiteGround, there's an answer on how we solve that at SiteGround, and an answer on how you solve this in other places. So in other places I would say never share your password with anyone, even your mother or son or
partner. Your password is sacred and it's yours. So if you can add a user, add a user, and I don't know if you can control the level of access they have to your website. I think, again, there are a lot of tools for that that are not hosting dependent. And why would you want them to access your hosting plan, not just your website? You probably want them to access your website because they need to update stuff, I don't know.

Well, I think there are a few plugins out there that can restrict your management, yes, but that's at WordPress, that's at WordPress access. In terms of hosting...

Well, I know that recently we launched a product that solves that, but that's for SiteGround. I wouldn't know, for other hosting, how to do this. But so the general rule would be don't share your access with anyone. Honestly, if you can add a user, add a user, and then you can see through the logs if they did something that is not right. Again, I would say if you work with other people, I would go the distributed development environment route: version control with Git, so you know you can approve what's being deployed before it's being deployed, so you can prevent anything from happening. But this requires obviously having a development workflow that works with that, and that you can do with most hosting that will give you an SSH key, so you can deploy through Git. We have space for one more question.

I'm curious in terms of what's the value, when you compare the quality, when it's on a managed site versus when I'm managing it myself on AWS.

I cannot answer that because I don't know the other platforms, I'm sorry, but I'm sure even my colleague knows more about this, because he also works on the enterprise team, so he probably has more of a knowledge about this. Personally, even before I started working for SiteGround, I always used managed hosting, because I cannot be bothered with that; that's not my job. So unless you're a sysadmin, why would you take that on? Like, if you're a freelance developer you already have to wear so many hats, because you have to develop and market yourself and deliver and do the accounting. Why do you want also to manage your servers? I mean, as long as someone else does it for you. But technically I think he is the best person to reply to this, and there are other hosting companies sponsoring WordCamp Singapore, so you can get more feedback from everyone.

I think we're out of time. There's a quick one, possibly about knitting or Italian food? Ask me about... I'm kidding, I'm kidding. Everyone, please, thank you. Thank you for being here.