Thank you for the introduction. Hello. Thank you, everyone, for being here this morning. We have a couple more seats here if you want to sit down with us. No, it's OK. Because I don't see well far, even with my glasses on. So it's absolutely self-serving. So yeah, it's my first time in Singapore. I'm super excited. And it looks like a really good WordCamp. So you should be excited about your community. It's a good one.

So my name is Francesca. I'm the WordPress Community Manager at SiteGround, the web hosting company. And giving back to the WordPress community is actually part of my job. And it's awesome, obviously. And I get to do one of the things that I love the most, which is sharing knowledge. I think we all have something to share. And we're not going to take this with us in the afterlife. So we better share it now. And I do so based on my experience or on the collective experience of the SiteGround team. This talk in particular is based on my experience as a hosting company employee, but also some terrible experiences that I had as a web developer when I was freelancing.

I am not a security expert. So if any of you is a security expert in this room, don't ask me advanced security questions, because the whole point of this talk is actually talking about security in a non-menacing way for people that have no coding skills, have no security knowledge. But if there are some security experts amongst you, luckily, I have a colleague attending with me who's an expert WordPress Enterprise engineer and is right outside at the SiteGround booth. So if you do have advanced questions, please come by the booth. But don't ask me, because I don't know the answer for sure.

So I like to think of myself as a common sense dispenser. I'm full of common sense. So this is what the talk is about. Honestly, it's about not making it overcomplicated. There are some basic steps that you can take to secure your website and to secure your browsing. And they're kind of easy to implement.
But a lot of the time you hear the term security and you go, oh, this is for developers. This is too complicated for me. But actually, the very basic rules of security can be implemented by everyone.

So as I said, during my time as a freelancer, I had a horrible experience of being hacked. I ran a website for women, for female entrepreneurs in Italy. And one day, we received a cease-and-desist email from an American lawyer. And of course, we panicked, because what's going on? So what was going on is that a pharmaceutical company added some content to our website that was mentioning the competitor of the company and bashing it. And basically, we didn't realize any of this at the time because we had a false sense of security. We had a plugin. We had a plugin installed on the website. So we said, all right, this is taking care of everything for us. But that's not how it works. This is a sentence that you might have heard a lot when we talk about security, not just in the WordPress space: security is a process and not a plugin. There are awesome plugins, security plugins, out there. But you cannot just rely on that. You have to do your homework. You are part of making your website secure.

So just a few words on who carries out the attacks. Because when this happened to us with this website, we were like, who wants to hack us? I mean, we're a blog, a free blog run by volunteers with no ads. And we give advice to women that want to start their own businesses. But hacking is nothing personal. Hackers don't really care about your website unless you're the FBI or any other very high-profile target. What happens is that, OK, sometimes attacks are carried out by people, but this is very rare. And unless, as I said, you have a very high visibility website like the White House, they will not care about your blog or my knitting blog, for example. But these attacks are very specific and very elaborate, of course, because they are custom made to attack that specific website.
What happens to most of us that get hacked is that bots or botnets, which are networks of bots, will run random scripts and attacks at scale. So nobody really cared about my website. It was just there for the taking, because it was not secured in any way. So bot attacks are a lot less sophisticated, but they go at scale. They go at millions at a time. At SiteGround, we have an anti-bot AI, and it blocks millions of accesses every day. So that's the scale of the attacks. And botnets are just a network of bots where one computer serves as the command and control, and it controls all the other computers. So as I said, it's nothing personal. So this is something that you really have to remember, because maybe you just launched your website yesterday and who, besides my mother, is reading this blog? Why are these hackers caring about me? Why do they? Because of a number of reasons, because they want to basically gain access to your website and what they can do through your website.

So what can they do? A lot of websites get attacked because of spam. So that's exactly what happened to us. They added some content to our website that we weren't aware of, and they used basically our website as a vehicle to distribute the spam. They could upload unwanted content. They could steal your data. For example, as you know, on WordPress, when someone comments on your blog or they buy something through WooCommerce, their email is stored actually in the admin area, so they could gain access to the website just to build a database of emails, for example. They just get all the emails and then start sending spam. That's very common. They can redirect. So as you know, linking is still an important SEO feature, so they might link to their website from your website. So your website is still whitelisted and they put just links to their website so they can increase their index in Google, for example. They could use your website as part of a web... of a webbot, botnet, sorry.
I'm heavily jet lagged, if you haven't noticed. But I'm doing my best. The thing that I didn't really know still existed is ransomware. Do you know what ransomware is? It's digital ransom, and it's actually very popular, unfortunately, also on social media, and on Instagram it's very popular. If you have an account with a lot of followers, please, please, please secure it, because that's very, very common: to just receive an email that says, hey, I've got your Instagram account. Give me 5,000 euros. That's it.

The effects. Being hacked has a lot of effects. First of all, the reputation. How many of you have visited a website that said it's hacked and really came back? Probably, I mean, if I see that a website has a notice that the website has been hacked, I will not go back there. Even if they clean it one second after I've been there, my trust in this website is done. I don't trust it anymore. It gets on this Google Safe Browsing. It's a feature, one of the many features of Google. It will say this website is not safe for browsing. So again, you have to then get it removed and you have to go through some steps. Your website could be blocked by your hosting company or your ISP at home, because no one wants hacked websites on their network. And finally, of course, the cost for cleaning it up. Unless you're able to do it by yourself, someone has to clean this, and it costs money and it costs time. But in my eyes, the reputation is the highest cost, because it's really done. Once it's done, it's done.

So there's no chance to reduce this to zero. There is no zero risk of being hacked. Hacked doesn't exist. But you can reduce the possibility of being hacked by using some very simple and common sense rules. The first one, which is possibly the most important security issue ever, is picking the right password. The password needs to be long. And when I say long, I mean at least 25 characters.
It doesn't matter if they're random characters or, you know, a sentence that you can read, but it needs to be at least 25 characters. Don't repeat passwords. Why? Because if you use the same password for your website, for your email address, for your LinkedIn, once these bots get access to one of the services, the first thing they do is they use the same password on every other online service. So if you use your password more than once, they will hack more than one service. No one remembers 25-character-long passwords, OK? So this is why, luckily, we have password managers. I use 1Password personally, which, as the name says, means that you need just one password, which is the master password to access the service, and then everything else is stored and encrypted so you don't need to worry about it. But honestly, this is probably the most important rule we're going to talk about today.

The second one is, especially for WordPress, keep everything updated. Now there used to be a time, and maybe some of you remember it, when there was an update of WordPress, it was panic because you got the white screen of death, the so-called white screen of death. You updated it, you didn't know what went wrong, you just got nothing. So this has really decreased dramatically in the last few years, so don't worry about it. But it starts also from picking the right plugins and themes. So always pick plugins and themes that have been recently updated, that you know are kept alive by their developers. So go see the ratings, of course, but also go see in the forum if they have open questions and if they reply. If they reply, it means that they're still engaged with the product, so they will be there if something happens.
And again, check that there is support, because there are right now, I think, over 45,000 plugins in the WordPress directory, and a lot of them have been abandoned. But maybe you installed it like 10 years ago, and now you're running old code, which might be very dangerous for your website. How do you know if all of this happens? You go to WordPress.org, plugins or themes, and then you check. There's a number of parameters that you can check: when it was updated, how many installations, what it's tested up to. This is a screenshot that I did a few months ago. The ratings, the support: this is the important thing that you have to look for. So you know that you're getting your plugin from a reputable source, but also from someone that cares about their product and they protect it actively and they keep applying patches to it.

As I said, update everything. So don't write in WordPress core. Don't write in your theme. You create a child theme, you add a functions.php file, but just don't mess with the core files of anything, because then the next time you update it, you're losing everything. And again, there is no... Honestly, it's really safe nowadays to update everything. One of the perks of working for a hosting company is that you have access to a lot of data. You can analyze how many updates go well and how many go wrong. For example, last year you might remember the 5.0 WordPress update that everyone was fearing because it was introducing a new editor. And we were one of the first hosts to update it on every server, because we tested it. When you have this large amount of data available, you test it: let's test it on a couple of servers, and it's already thousands and thousands of customers. So if you see that nothing happens, you feel safe and you go on and you can update everything. But before you update, this is also very, very, very important: you should always have a backup of your website.
Always look for a hosting that provides backup services, but also save your backups in an offline space. For example, your computer. So you will have two copies if something goes wrong. Also test the restore procedure, because don't do what I did with my first website. So I was probably terrible at being a freelancer. I don't know how people hired me, because the first website that I did was my personal website and I managed to delete everything, including the database. Honestly, I went into the customer area and I just deleted everything, because I created a bunch of websites to test and I just deleted it. And then I did have a backup, but I didn't know how to restore it. So please test your restore processes so you're sure. But also back up your computer. This is something that we often forget, especially if your website is backed up also on your computer: back up the computer as well. And of course what we said about passwords applies also to your computer. So make sure that also the computer has a very good password to access it. And another thing that I would say: don't keep outdated versions of your backup in your hosting space, because there might be some vulnerabilities in that version of the website that you don't know about, and the account could be hacked through that. So once you have a few copies that are enough to work with, just delete everything older, so you don't have the risk of being hacked for something that is not even active on your website anymore.

One thing that is not about securing your website but is about securing browsing for everyone is HTTPS. So this doesn't secure your website; it secures the communication between the client and the website. It means that any data that is put in your site from your computer cannot be intercepted, or it can be intercepted but it cannot be understood by a bot, because it's encrypted. And honestly, there is no reason not to use it.
I mean, when SSL came out, people were saying, oh, it slows down your website and it's a mess and the certificate, and a lot of excuses. Well, Let's Encrypt, which is one of the institutions, I don't know how you call them in English, that issues these certificates: they're free, they renew it automatically every three months, and most web hosts today use HTTP/2, which makes browsing much faster anyway. So honestly there is no reason not to use it. And I would say that also most hosting companies nowadays offer this for free. I mean, they should, it's free, so why pay for that? And also one-click install. So honestly there is no reason not to use this. Just go through the dashboard of your hosting company and click on the sign that says add SSL certificate, and that's it, you got a secure website. Well, you got secure communication to your website.

One thing that came to me a few months ago after I gave this talk is that there are a lot of memes, how do you say in English, memes or meme? OK, in Italian we say meme, which is a lot cuter, I think. I think it's much better. And so there are these memes around the web that say what's the name of your pet, what's the name of your mom, where were you born, what's your hobby. Has it occurred to you that these people are building a massive database of recovery questions? Because that's what's happening there. When you put something to recover your passwords, what are the most common questions? What's your mom's name, where were you born, what's the name of your high school, stuff like that. So basically answering this kind of meme is: come on in, steal my password. So please don't do it. They're really cute, I get it, especially if you call them meme, but no, don't do it.

And now for the very advanced amongst us. I hate this, but I do it: two-factor authentication. I hate it because it's boring. Every time I have to sign into something I have to take my computer, my phone out and look for the authenticator. But do it, especially for high-level access. So with two-factor authentication you add a second password, basically, that is randomly generated and time based, and you do it through your phone. Does anyone here use this two-factor authentication for something? OK, so I don't have to explain too much what 2FA is. It's boring, but it's very useful. So I would say especially for high-level services do use two-factor authentication. For example, for your hosting account use two-factor authentication, for your Gmail account use two-factor authentication, because those are services that will give access to other services, so be sure to secure these.

And if you use WordPress, which I think you do since you're at a WordCamp, there is in the General Settings area, they keep changing the name of this, but it's Membership: Anyone can register. So that's another very common sign that will tell you for sure that you've been hacked: that you have additional users in your WordPress website that you don't know who they are, admin00, admin01, and you get hundreds of those. It's because they were able to register through your website and gain access as admin. So unflag that, because no one really needs to register on your website except for you and the people you pick.

One thing I really would like you to walk away from this talk with, the awareness and the key concept here, is that honestly security is a shared responsibility. You cannot always count on someone else. You have to do your part. So core developers keep WordPress core updated, plugin developers keep plugins updated, hosting keeps servers updated, but you have to do your part, which starts from these very simple rules that I gave you and that I hope you will follow. So thank you for having me and I hope it will be useful.

Thank you, Francesca. So we'll open up the floor for a few questions. We've got a little bit of time, so I think we'll also start a little bit after us. Does someone have a mic? Any questions?
Even though 2FA is very boring, do you have a recommended plugin or something that you guys are using to sign on for 2FA?

I personally use, I'm going to tell you exactly what I use: Authenticator. I use Authenticator, Google Authenticator, which is...

How do you link Authenticator to WordPress?

That's a question that I don't know how to answer. But, sorry, this doesn't work. On, off, works? No, yes. I am pretty sure that there's a plugin for that. Like everything in WordPress, basically, the craziest thing you can think of, there's a plugin for that. So I use Authenticator, and I would say to add 2FA authentication to your website probably there's a plugin. If it's not developed by Google itself, which is kind of starting to develop a lot of products for WordPress, there's one for sure. Thank you for asking something that I can answer. Yes, other questions? Hi, where? I don't see anything even with the glasses. No, here. Maybe if you want to know also about knitting, I'm game. There's nobody... has a question?

The question is: at SiteGround, how often do you all take the backups of the website? On SiteGround, what do you recommend? And let's say in terms of, because if you're going to keep backups on your website, how much storage buffer do you need?
OK, so we do automatic backups every day, and then depending on the plan that you have you can also request additional backups. We keep them for 30 days on our servers. And if you decide to do something additional, I would say, so this is already taking care of the daily backups, but I would say if you're going to make a big change on your website, first of all never do it live, always use either staging or a local environment. But even if you do it live, like I did for a long time, do a backup before that, and then once you're done with all the changes you can just throw it away. I'm also a bit of a keeping-things-very-neat person. I'm one of these people that only has three icons on the desktop, and so as soon as something doesn't serve me anymore, it's gone. It's either in the trash or archived somewhere. So that goes also for plugins. If you have plugins or themes, once I got a client that had something like 20 unused themes in her website. That has to stop. You need the theme that you're using now, and if you want, for example, one thing that I used to do as a freelancer, I had the theme that I was using at the moment and then a backup theme, like Twenty Twelve, Twenty Eleven, one of the basic WordPress themes, so if something went wrong with one of them I still had a base. I don't know, a few months ago, I don't know if you saw that TechCrunch had a problem like that. So WordPress VIP servers had a problem, so for a few hours TechCrunch reverted to Twenty Nineteen, which was kind of funny, but at least it was there as a backup theme. So I would say use that. Don't keep themes and plugins that you don't use, because those are all points of attack. So the same with the backup: once you're done with it, I mean keep it for a few days so you're sure that everything goes well, do one before the major changes, do one after the changes, but don't keep too many copies. I mean, why? That's my thinking.

But in terms of the storage, are we going to keep maybe a week of backups or 30 days of backups when it comes to choosing a hosting plan?
Well, that really, that really depends on your website. There are some websites that are very light and some websites that are major, that have also a very big DB. So it really depends. I think at SiteGround the minimum space that we give is something like 10 gigs on the basic plan, and that should serve you for quite a few days of backup, and it goes up and you can always buy extra storage. So for one week of backup that should be enough, unless you have a major photography website that weighs tons of gigs. So it always depends on the size of your website. Basically it goes down to the size of your website. Yes. Have I replied? Is it a good answer? OK. I have someone here in front. Hi.

I don't have a question for you but feedback. I am a security professional. OK. All of my sites, I use Wordfence. It's a very good, comprehensive one, even the free one. It handles most everything I need, and it does have free 2FA with it. It uses FreeOTP on your phone, and so there's no need to pay a lot. Wordfence. It's very highly recommended, and so one of your criteria, a lot of people recommended this one, so I've had a lot of good luck with that. I use it on all my sites.

Then Wordfence, word as in WordPress and fence as a... oh, a fence. Thanks. Yes, more questions? One and two, I see one there and one there.

Thanks for sharing. Thank you for coming. Regarding, let's say you are working with a third-party developer that requests having access to, for example, cPanel or your WordPress admin. While we ensure that this partnership we are engaging with other parties, how do you ensure that this is secure?

Ah, so you want to give cPanel or admin area access to a third person because they need to work on your website. OK. So there's a question how we solve that at SiteGround, there's an answer how we solve that at SiteGround, and an answer on how you solve this in other places. So in other places I would say never share your password with anyone, even your mother or son or partner. Your password is sacred and it's yours. So if you can add a user, add a user. And I don't know if you can control the level of access they have to your website; I think again there are a lot of tools for that that are not hosting dependent. And why would you want them to access your hosting plan, not just your website? You probably want them to access your website. Ah, because they need to update stuff, I don't know. Well, I think there are a few plugins out there that can restrict the management of that. So you could probably, but that's at WordPress, that's at WordPress access. In terms of hosting, well, I know that recently we launched a product that solves that, but that's for SiteGround. I wouldn't know for other hosting how to do this. But so the general rule would be: don't share your access with anyone. Honestly, if you can add a user, add a user, and then you can see through the logs if they did something that is not right.

Yeah, one thing also: you can keep a log. Then you know what they changed on the website, so that you can reverse the change.

Again, I would say if you work with other people I would go the distributed development environment route, with version control, with Git, so you know who's... you can approve what's being deployed before it's being deployed, so you can prevent anything from happening. But this requires obviously having a development workflow that works with that, and that you can do with most hosting that will give you an SSH key so you can deploy through Git.

We have space for one more question. Yes, you had a question.

I cannot answer that because I don't know the other platforms, I'm sorry. But I'm sure even my colleague knows more about this, because he also works on the enterprise team, so he probably has more knowledge about this. I have personally, even before I started working for SiteGround, I always used managed hosting, because I cannot be bothered with that. That's not my job. So unless you receive admin, why would you take that? Like, if you're a freelance developer you already have to wear so many hats, because you have to develop and market yourself and deliver and do the accounting. Why do you want also to manage your servers, as long as someone else does it for you? But technically I think even is the best person to reply to this, and there are other hosting companies sponsoring WordCamp Singapore, so you can get more feedback from everyone.

I think we're out of time. This is a quick one, possibly about eating or Italian food. Why has no one asked me about... I'm kidding, I'm kidding. Everyone, please, thank you Francesca. Thank you for being here.