Hello. So I got a call at 2 o'clock yesterday afternoon to come and talk to you guys, so this is kind of where I was. Luckily, I talk about security and I work in the security field. That's not me, is it?

I have a consultancy here in Wisconsin, of course, like many of you, and we have an online service with it where we manage and update and keep track of all your websites. Originally it was a Joomla project and as of Christmas Day it became also a WordPress project. So we see a lot of security vulnerabilities. We think a lot about why your website might be vulnerable and we try and think about it in a holistic way. We are not a company that's going to solve your hacked websites. That's not our business. What we try and do is teach you and help you with best practices so that your website doesn't get hacked, or is so uninteresting that hackers go past you. That's actually, I think, one of the best and easiest ways to keep your site safe. So what we're going to do is look at kind of a holistic approach.

But I wanted to back out a little and talk a little bit about the Panama Papers. This was a really big news item about ten months ago, and for those of you who don't know, it was all centered around this South American legal firm called Mossack Fonseca, and their job was to basically set up tax havens overseas for the world's rich and famous and elite and powerful. So how many of you here invest your money in a tax haven overseas? How would you do it, right? Most people don't have any way to do that. Even if you went on vacation to a country that you might associate with being a tax haven, what would you do when you got there? My business partners are in Switzerland. Actually, I have quite good access to something that has been traditionally considered a tax haven, but what would I do? I have no idea. Why? It's secret, right? It's hidden. It's just an underworld where they don't want... they're like your website in a way. They don't want attention from anybody.
They want to do their little thing, hide their money, not pay taxes, and hopefully nobody notices. Well, the internet doesn't like that. Of course the internet hates secrets, and the story broke last year that all of these people around the world were involved in this giant, basically, tax evasion, alleged tax evasion I should say. If I forget to say alleged, just insert it in your mind for me. So the prime president, I believe, or prime minister of Iceland stepped down. The current president of Argentina has been under an investigation for 10 months. Tony Blair, the former prime minister of the UK, was implicated. Now he didn't stick around long enough probably to get in that much trouble. In total, over 150 investigations across 79 countries. I think to date a hundred and fifty million dollars of uncollected taxes have been recovered. This has been a massive, massive security breach, the largest ever: 146 million files, 2.6 terabytes of data was stolen, and then a team of 400 journalists around the world got together and started putting this information out. It took so many people because there was so much information, as you can see, to go through, and that's what led to this huge, massive, giant data breach and a lot of egg on a lot of people's faces. Probably a win for governments around the world.

But why did this happen? Okay, we can look to something that you guys are all familiar with. Everyone here uses WordPress, which I think is most of you, and we can just look right at how frequently people around the world who use WordPress update WordPress. So this is, I'd say, a website security report from a company called Sucuri, which some of you may know or may use, and they produce a quarterly report of hacked websites that they, as their business, fix on other people's behalf, and in Q3 2016...
That's this green bar here: 74% of the hacked websites that came through their door were WordPress related, 17% Joomla, and then below that, you know, it drops to the single-digit percentages. So that's just their analysis of how many hacked websites there are, you know, essentially three in every four, right? It's quite high. Here we go. Oh, sorry.

And then if you break that down and you look at out-of-date core software, you see 61% of their hacked sites had outdated WordPress core files. Joomla 84%. Look at Magento: 94% of Magento installs in their hacked analysis were out of date, right? It's pretty... 61%, Q3 2016. This is available online, by the way; you can find it at sucuri.com, I think.

And yesterday, did anyone notice this came out yesterday morning, right? You all got your update notification. Who here got an update notification last night, right? So if you have anything, if you have WordPress greater than version 3.7, it should be basically auto-updating the core, and you're getting your email. So it was very timely, a very timely update for this talk. So I guess I'll thank WordPress for that. Right, so they made that change to WordPress to protect us, right, and to protect, you know, not just the people who are running legit businesses, but also protecting the people who are, you know, running these scams around the world, botnets, you know, really terrible advertising sites that you run across all the time.

If you look deeper, it's not just the core software that has trouble. If you look at all the vulnerabilities in WordPress, the top 18% were caused by just three out-of-date plugins. Okay, I've actually never heard of TimThumb. Does anyone here use it? Is that popular, TimThumb? Okay, good. Gravity Forms, you know, probably the most popular forms, right? At least it's been at the premium level. And then RevSlider. Who's using RevSlider here? One, two, okay. So I presume you're not using anything below version three point... oh nine five, I think. Is that where we are, right?
So anything less than that has a vulnerability, and this is a captured screenshot from... this is the Mossack Fonseca website, and they were running this really old version of RevSlider. No one knows if that was a source of the hack that caused all that international kerfuffle, but clearly this is a major, a major problem. Okay, and it can affect anybody, and I would say that in my experience, the core... you can see in the news all "this site on this CMS was out," you know, was a security problem. Often the core takes the, you know, bad credit for those kinds of things, but most often it's the plugins, especially when you might have 10, 20, 50 plugins on your site. Think of all the little things you might install, especially on large sites.

But it's not just the embarrassment of having your data exposed. The big trend these days is ransomware, if you haven't heard of that. That's where your PC or your network of PCs have all their data encrypted, meaning that you can't access it anymore, and you see something like this when you turn on your computer, and it's a screen that says we've encrypted everything and if you want access, please buy these bitcoins, which are anonymous and untraceable, and send them to us and then we'll unlock your system. Okay, so 500 bucks, you know, would you do that for your business? Probably. 10,000, 20,000, 100,000, you know, as the companies get bigger these ransoms get higher. And what's interesting is a large botnet has recently been... basically, it's kind of like a modified phishing attack.
The website gets infected with something that redirects people to a site where they install... it actually takes advantage of a browser insecurity and installs, for better or worse, for lack of a better term, a rootkit on your computer, and that leads to this kind of ransom situation. So, and by the way, just if you haven't been following, I'm kind of linking down here as appropriate if you want to follow up on some of these things. So website security may not just affect how private your data is or your reputation with your clients or within your area, but it can, you know, really have serious effects on a very, you know, large, large number of people. You can imagine how many people might get their personal PCs infected by visiting your website that's hacked. Okay, it's a serious, serious problem. So kind of, is everyone like this right now? That's kind of... Okay.

Well, the news isn't all bad, right? We've got to set up a really good straw man, so the finish is good. What I want to talk to you about today are the ways we look at security and trying to prevent all those nasty, crazy things that happen, or even the little things that are, you know, just painful. Have you ever had a low-level hack? Maybe a little slight defacement somewhere, and it keeps coming back and coming back and you can't figure it out, and oh, now that's another two hours of my day. Okay, sometimes it can be as small as that, but it can really have a big effect on your productivity, okay, and your confidence, frankly. You want to be able to take care of those things, but mostly prevent them if possible.

So we're going to talk about the ways that we look at that, and we look at it in this pyramidal structure you see here, where your agency is at the base of the pyramid, the infrastructure you have, the server and services that you use, are in the mid-tier, and then the very kind of last, user-facing layer, your application layer, is kind of the top of the pyramid. So we're just going to process through those. There's quite a bit there.
I know I've got... well, I don't have a clock in front of me, so if I'm running late, someone please tell me. But we're going to start at the bottom and talk about your agency, and this is, I think, an area where, especially if you have a smaller business, maybe you have a sole proprietorship or a young business, you're so busy working and getting everything working and getting your clients and sales and everything else that it can be easy to overlook some of these policies. But in our experience, what we're going to tell you, it's easier to implement them at the early stage, because then you can scale them as you go instead of trying to retroactively fit those changes to a kind of a set process you might build.

So password security. Of course you need a strong password. That's actually not the main topic here. When we talk about password security at the agency level, we're talking about how do you manage your passwords? How do you keep track of them on behalf of your clients and third parties that have hired you to work for them? How do you share them safely and securely among the members of your team? And that includes your closest team, the two people in your office or down the hall, but also maybe some remote characters you have on your team, maybe some outsourcing people, people who live in other places or people who work from home. Hey, those are super important things to have in your agency, that everyone understands how to use them, they use them properly and consistently, for everyone's benefit.

And so there are lots of password managers. I mean, five years ago this would have been a different conversation, but you have your choice these days. A lot of people use LastPass personally; they have a team version, as does 1Password. It's another one that I really like, for the enterprise level only out of price. Really, it's an excellent piece of software. And this is called Team Password Manager.
I think you can just read it at the top there. Really also super good, and the advantage Team Password Manager has over some of the more traditional ones is really super good control over ACL, or access for different groups to different pieces of infrastructure, and it secures not just passwords but secure notes, confidential agreements, little sorts of things. So figure out what makes sense for your password policy and, you know, adopt the workflow that's going to give your client security but let you do your work also in an efficient way and work generally as a team.

Strong passwords. I mentioned it. We all know we need strong passwords, a unique password for every site, every service on every site. Don't duplicate them, ever. And I always like to not know what my passwords are, ever. So the only thing... I only know one password, the master password. For those of you who have not used them, you have a master password to get access to everything. That's the only one you truly need to remember. Put that in your safe deposit box on a piece of paper and, you know, remember it well. Everything else, when I log into any services, it's just copy-paste. You're copy-pasting a bunch of asterisks and then you paste it in. I have no idea what it was. It was randomly generated, I pasted it blindly, and we go from there, okay?

There are lots of places where you can generate passwords. I recommend... there are just so many things on Google, obviously I'm not going to replicate them here. Find the one you like on Google. Set up what that policy is. How long is it? How much complexity? How often does it change? Right, so at our firm we do annual password replacements, so we have a password day, and that day is just everyone takes, you know, one of our properties and they're responsible for changing all the passwords. Okay, because that's done in one place.
It's easy then when people go back to use it. Okay, having the same password for ten years, not so great. Changing it every three months like my bank, I hate that, it's so bad. But it's important to obviously change them regularly, so make sure you keep track of that.

And this password policy you're making is sort of the security policy at your agency. It applies to everyone, right? Not just the boss and not just the IT guys. It's really something I feel, we feel at our agency, that needs to be a holistic approach. Everyone needs to buy in and everyone needs to be part of it. Okay, if you have one weak link, for instance, you might have a remote worker who never, ever comes to the office, never really came in, never got an email account, you never really put them through the right onboarding perhaps, and now they're accessing your clients' information with their personal Gmail account, probably. Do you think... does anyone... I've done that. Has anyone else done that, used a personal account for work? Two? Okay, I'm gonna assume there's more than two. But it's a bad thing. But do you have a policy for that? When you hire somebody or when you're working with somebody, do you say if you want to work with us, you need to follow this set list of things? Most small companies don't, so I definitely recommend you do that.

A corporate email address is just one example of that. If you use Google Drive to share data, it's really easy in Drive to limit access to digital assets by corporate email, so you can say everyone in my organization with the same domain name, if they're on their browser logged in with that account, then they can access, or they can't access. But there are other softwares, of course, depending on how you manage assets and stuff. So you keep that in mind when you're developing your own one. We all share our Netflix account probably with somebody. Don't do that at work. That's just for home, right?
Obviously. The other thing a lot of people overlook is disaster planning, and disasters come in all shapes and sizes, big and small. Could be something like a data center going out, or recently there was a very large denial of service attack on Dyn, right? Facebook was down, Twitter was down. This was about two months ago, I think. What is your disaster plan if you have issues at your agency, all your sites go out? Who does what? When do they do it? Who calls who, right? What is the emergency contact info? It might not be a server emergency, because that's kind of one of the... or, like, say a bunch of hacked websites. Could be a physical disaster, could be a bad storm, could be a flood, okay? You need to know where your people are and how to get a hold of them, you know, especially if this happens during work hours. For IT related specifically: what is your server provider info? If your computer where you have your group password manager goes down, how do you get in and, say, adjust your DNS if you have to redirect traffic somewhere? If you're under attack by, you know, a botnet, you've got to redirect that DNS to get kind of back control over your servers. How do you do that if you've had some kind of catastrophe that applies to your hosting or your servers, data centers, backups?
Could be all kinds of things depending on the infrastructure you have at your agency.

And two-factor authentication. I'm sure most of you are using that already. That's where you have two different ways, two different pieces of information, to log in. So pretty common these days is to have your email address and password as one factor, and then either a dongle with a code or a code that gets sent to you by text message, for example, as a second piece to log in. All those services have one-time-use backup passwords, and those are things that you need stored digitally, generally in your password manager to keep it secure, but also somewhere physically, and I mentioned earlier, in your safe deposit box. We physically have a safe deposit box for that purpose and we keep our codes in there. Once a year we update them in case there's some disaster, okay?

Here's another part that we often skip over, and that's some ongoing education for people in our agency. When we come out with something new or we change a workflow or new technologies come up or new threats, are the people in our agency cognizant of such things? If there's a new phishing scam coming out on email, do we have a way to tell our team members to watch out for that when they get mail in their account? So again, emails are just a really easy example to talk about here. If you go to a website called PhishingBox, what you do is you hire them to test your agency for their susceptibility to phishing attacks. So they will generate a mock attack, send it to the people that you indicate, you know, by email, you give them a list of email addresses, and then they measure how many people click through and fall for the phishing attack. They give you that information and then you get to bring it up at your next meeting, right? And it sounds a little deceptive, but frankly, keeping everyone's mind on the fact that digital threats are escalating and escalating and more and more common, we feel that's good. Okay.
You can be transparent, of course, and let people know that those things are coming. It's kind of like a fire drill at school. Knowing that you're going to have a couple a year, you know, lets you be prepared. Okay, and so that's kind of how we look at that.

So I recommend that if you don't have one, to prepare one, and if you do have one, review it regularly, and by that I mean a security policy. Talk about things like email usage, access to resources, password strength, password duration. What's the duration that you keep passwords? When a client rolls off your billing cycle, how long do you keep their credentials for when they're no longer going to be a customer, right? You should have a retention policy for that information. Okay, because you don't want to be someone pointing the finger at you five years down the road: hey, didn't you have that password back then? Do you still have it? Could someone have stolen it from your computer? You don't want to be answering those questions. You want to point them to your policy and the documentation that says, oh, sorry sir, we deleted all your data four years ago on this date and here's, you know, here's our audit of that information. Okay. Team composition, disaster planning and ongoing education. So those are all things that I recommend you think about when you're considering or building your own security policy.

So now we're going to get a little more technical, and if things start to get... I know we have some beginners in the room, or at least attending today, so if things are starting to sound a little wonky, I've got a couple slides for you at the end of this little part, so don't get discouraged. So we talk about our server and services. We talk about these as our infrastructure pieces, upon which we build, say, our WordPress site or whatever kind of project.
We're building for our clients, and we break them down into local resources and remote resources. So local resources are the things that you maintain either on site or at your data center or with your hosting provider, for example, and remote are services that someone else is maintaining, and perhaps you're buying and using them in the cloud. Okay, so we think about the local resources. Most of the websites, probably, that you guys work on are built on some kind of AMP stack, some Apache, MySQL and PHP stack with Linux or Unix or some version of that. Okay, all these things are software running on your server, and if we take PHP as an example, this is the current PHP usage for WordPress installs, WordPress.org installs, okay, self-hosted WordPress. So who knows what the current supported versions of PHP are? Somebody here does. 5.6 and 7. Now there are two versions of 7, but they're both supported. I combined them because almost no one's on 7.0 or 7.1, wherever it is. So it's really just these two here. So about 37 percent of WordPress sites, self-hosted WordPress sites, are using a currently supported version of PHP. All the rest below are end of life. Security updates are not being put out for that, and some hosts, the good hosts, will be kind of patching them for you. But really the best thing, of course, is for you to be at 5.6, which I believe goes end of life end of 2018. But with the speed increases in PHP 7, start testing your applications for compatibility, upwards compatibility, now, so that when PHP 5.6 goes end of life you can migrate there more smoothly. You don't want to be at an end-of-life situation and realize that half of the plugins on your WordPress site don't support it. I think we're getting closer to that now than we were six months ago. But these softwares on our infrastructure also need to be updated and maintained, okay?
Well-known errors occur in these softwares. Like, most people are running Apache or nginx web servers, and has anyone heard of the Heartbleed bug? I mean, there must be quite a few people who heard of that, right? So this is a bug in the protocol on your server that provides the SSL communication between your website and the end user so that it encrypts your communications, and there was a pretty important bug there last year, and someone actually came up with a Heartbleed checker, and you can just check your own website right now at that address, and that'll tell you if that server is susceptible to this SSL problem. Even if your website itself isn't running HTTPS, you can still check if your server is going to be vulnerable to this, because if that server gets affected, depending on how your host has set up their environment, your site could be vulnerable also, okay? So even if you're not running HTTPS, you definitely want to check if your server might be susceptible to this kind of Heartbleed bug.

Other local issues that you should worry about, or you might worry about: whether or not you're running SSH on the non-default port. Normally there's a default port for running SSH communication. It's a good best practice not to use that default and to customize something for you specifically. Disabling non-secure FTP. Using strong database passwords, and that goes back to our password strength conversation, they should be unique and strong. But also you want a custom...
...table prefix. So when you install a new Joomla, pardon me, install a new WordPress site, of course your database has a prefix in there, and there's a default. You don't want to use that default, and most of the security tools you might be using have probably already told you that.

Enable logging. This is at the server level again. Most shared hosts will not enable logging by default because it's more resources for them and more storage for them. You have to manually go in, if they've let you, and enable logging in the cPanel or Plesk back end or whatever you're using to manage your hosting account. Logging is only important when you need it the most, okay? Most of the time you don't care, but when your site gets hacked and you're wondering what the source was, if you've not enabled logging, you've missed the chance to track down and find the problem. If you turn on logging after the hack, you've missed the chance. Now, I should just say that it's not a golden solution, because the really, really good hackers will delete the logs on the way out after they've hacked your site, so it's not always great, but for sure if it's off you have no chance. So turn on the logging. And magic quotes is another thing that is kind of... that's more of an older, legacy-type tip, I guess you'd say. Okay, so that's local issues.

Okay, but there's also remote issues. In today's modern, on any modern website really, you'd have lots of integrated services in general, or at least one. I mean Google Analytics, most people have something like that on the website, right? So that's an example of a remote service that you need to make sure is safe. At our consultancy, we don't actually run email on our servers, on our web servers.
So we have all the email segregated to transactional email service providers. Some of you, especially large organizations, would have a separate mail server, which would also serve a similar purpose. But if you're a smaller agency and you're going to send, you know, 100,000 or fewer emails... I'm not talking about your work email, but your website is going to send a hundred thousand or fewer emails, this might be for all your clients, that'd be more than enough for most small agencies, then I recommend you just outsource that to something. We love SparkPost, by the way. So you might have heard of Mandrill in the past, Mailgun, there's all kinds of transactional email service providers. I have tried them all, and you should also, but I highly recommend SparkPost. We pay twenty dollars a month for a dedicated IP address. That really reduces any spam issues we have. We get a hundred thousand emails with that a month, and we have no one interested in our web servers as a potential source of sending email spam, right? Because that's one of the big interest areas for spammers and hackers. So it doesn't have to be SparkPost, but I must say I've been very impressed with them.

The other thing that we use as a remote service, a critical remote service, is a remote DNS provider. Of course DNS is what converts, you know, your domain to your IP address so that you can deliver the content that is associated with that domain, the right content, when the user requests it. Now, many of you... who is using cPanel?
There's a quick show of hands. cPanel, lots, right? Pretty common, the most common back end. Oftentimes when you create a new account it says, oh, what name servers would you like, and you generally have a name server running on your shared host. That's really great until your host goes down, your server goes down. It's really convenient, but the problem is when your server's down you can't change it. So if you have some catastrophic event, you can't reroute that traffic somewhere, maybe load your site on a backup server from a backup that you have stored off-site. You can't do any of that if your domain server is on the same server as your web server, or your mail server. Your mail server gets hacked, then you can't do that. So I recommend that you look for ways to outsource that, or at least put it on a separate server with a different kind of access and not the same node as your web server.

So we use Cloudflare, which has a lot of other benefits; I'll mention them a little later. One really great feature, even if you think all the security stuff is "my site's too small, nobody cares": the really great thing is if you do make a change in the IP address, it's about 10 second propagation time through Cloudflare, and so you don't have to wait for that next day, "oh, let's see if it's done" and all that stuff. You can change it literally moment-to-moment and look at the effects on your, you know, on your work, depending on what you're doing. So in terms of development, when you're in a development stage, we find it's super, super helpful. Or, you know, another good example, when you're switching from development to "we're going live," then you don't have to wait the day either. You switch it, it's on, your client's happy, and you can see if you have any errors and get moving. So we really like Cloudflare, and it's free, by the way. The DNS part is free, most of the many, many free features.
So I recommend that or another kind of DNS provider. I said earlier, if all those technical things sounded a little bit, maybe, above your interest level, you can consider... I don't really like to recommend hosts. There are lots of good hosts. There are a lot more poor hosts in terms of security. But if you really don't care about managing those things like your LAMP stack and, you know, DNS, all that stuff, consider a hosted platform, a hosted server. These are more expensive. They're gonna run you maybe tenfold more than what you could get at a low-end shared hosting. WP Engine and Pagely are the big ones. Scott, are there some other ones? Because I know you guys are experts in this. Flywheel, right? That's another big one. So those are more expensive services, but you get a lot with them. You get really advanced caching, a lot of patching of security issues as they come in, which we'll talk about in a moment. But, you know, if you're passing on the price and your client doesn't mind, then I guess you don't mind either. But yeah, so I'm just gonna... I have no affiliation with those organizations, by the way.

So the last thing I'm going to talk to you about is sites and software. So this is the very kind of top of our pyramid. If we have a strong group policy at our agency, and then we have really good secure hardware, now we can focus on the things we're using daily, and that's usually the application, in this case WordPress, its themes and its plugins. And the very, very easiest first thing you should do every day if you're in your back end is update everything. WordPress makes it super easy. If you have many sites, there are services that also make it easy to do this in bulk. The core is generally, for a modern WordPress site, updated for you, but the plugins are not. Now, I don't really recommend that you auto-update the plugins.
You can automate that with plugins, ironically. So I don't really recommend that, because they can break your site, especially if you have customizations. But you want to be keeping your eye on the plugin and theme updates very, very closely. Okay. So we set a schedule that we update. You know, every Friday... we have different tiers of clients, but for our top tier every Friday is update day. And we start out Friday... I'm sorry, Thursday, and we do all our updates. Post-update, we do all the tests, because we want to make sure the sites still work, and then hopefully nothing went wrong, but if it did, you have about 24 hours before the weekend so you can fix it before you take off. So that's also important, to have a good balance. Yes, so definitely update, update, update, update. I showed you the data earlier. Out-of-date software is probably the largest factor for WordPress plugins. So just, I mean, it's so easy these days. Really got to hand it to WordPress for working hard at making sure those updates work well.

There are a number of other known best practices that we could talk about. I don't want to go into them a lot. I should say that if you've not done this, listen up and do this, like, in the next hour or two: go search for the top WordPress security best practices on Google. You'll probably find 10,000 blog posts on that. Pick the top five and you're gonna get some really good advice. Okay, I don't need to reiterate those for you because there's so much out there. But just briefly, a couple of things: unique administrator account. Some of these, again, are legacy-type things.
You want to disable file editing and PHP execution. Limit the number of login attempts, so you can't just have a brute-force attack. This is a big one: if you remove your unused themes and plug-ins, for one you have less to update, and two, there are just fewer vectors for people to use to try and gain access to your site or try and attack your site. And block editing of the config file. You don't want people getting in there looking at your hashes and the other things you might have in there, your database password and stuff like that. So those are kind of some of the basics; I think many people have probably heard of some of those.

There's not really a good way to enforce strong passwords in WordPress. They do have a password strength indicator right when you make a user, but they don't enforce a certain strength level. So there's not really a great, comprehensive plug-in where you can set a password strength level that is acceptable for a new user, for example. But you can set some things in there, so you can have a look at this plug-in and see if that helps. If you have a lot of new users, this is helpful. I run a non-profit sports group website, and their users just cannot remember their passwords, ever, and so they are hitting that reset password a lot. So this comes in handy for us for keeping things safe and secure.

In the general settings you can control access. If you don't have a membership site, this should be unselected in your WordPress settings. There's no reason... this is an option for membership in the WordPress settings.
There's no reason to give a potential attacker, or pardon me, a hacker, a reason to create a new user on your site, because if they make that user and they can escalate the privileges to be an administrator, then they can really start messing around in your site. You do not want that, obviously. So unless you truly need new members signing up on the front end of your site, just leave that disabled. There's also the new user default role. So you might say, "Oh, Vic, I'm not allowing membership, so it doesn't matter what this setting is." Well, again, if someone can get access to even a low-level... you know, a hack that may not take your site down but gives them a little bit of access, and they can manage to create a user, if the default of this is administrator, now they've got a lot of access. So it's just good policy that even if you've disabled membership, keep the new user default role at the lowest privilege possible, which is obviously subscriber.

WordPress and Joomla (I say that word intentionally for the first time) give you a lot of information when you try and log in and you've made an error. They say something like "that username doesn't exist," or they say "I'm sorry, that password and user combination is not valid," something along those lines. And the issue is that that tells a potential hacker or attacker that they've got one or the other wrong. If they can figure out they've got a proper username, it's much easier for them to perform a brute-force entry attack on your site. So you can easily, by modifying functions.php, just add a little bit of code in there that means if they give the wrong username or they give the wrong password, they just see the same message: wrong username or password. It doesn't give them the extra information that they have got one thing wrong. So again, you're just disincentivizing people from coming in and attacking your site. Okay, I have all these slides online; I'll provide a link at the end.
So don't worry about writing down this really ugly, long URL. I'm sorry it's so long. You can get all these slides online.

Okay, so I should have had this slide a little earlier. Don't update your site until you've got a backup, and make sure you back up your site every X frequency depending on your usage. If you have a static site, probably once a week or once a month is enough. If you have an active site with lots of new content and things like that, then you want to be doing nightly, or even two backups a day, for example. So there are lots of backup solutions. Although I've used WordPress for years, I've not used it heavily except for maybe the last two years, and I can't tell you which of these is best. Someone told me that BackupBuddy was super popular. Is that... who's using BackupBuddy as their backup solution? So I wouldn't say super popular. Who's using UpdraftPlus? Not that different. So there's a lot of backup solutions. This appears to be the most popular on the plugin directory; BackupBuddy is not on there. Does anyone know why that is? Because I've been asking every WordPress person I know why that's not on the directory. So if you know, tell me later, please; I would love to know. But you need to pick one of these if you're not already doing it. And if your host is doing backups for you, you also need to do this. Okay, essentially we go by this policy: unless you have the backup in your hands and you've verified it, you may as well not have a backup. That's our policy. Okay. And having redundant backups certainly doesn't hurt, right? And if you can automate it, all of these have automated backups; that's great. And then they've automated off-site storage, so you can be storing your backup files on Amazon S3, Dropbox, Microsoft OneDrive, as it was called, or a remote FTP server.
There are lots of options for you to send these backup files. We use, for legacy reasons, something called Akeeba Backup, and that's also not on the plugin directory, which is frustrating. But they have a really interesting option. So you can see here, we're backing up to Amazon S3, and there's this thing called an archive integrity check. So people who make backup software will tell you that every time you make a backup you need to test the backup, because if it's corrupted or it's not complete, you're not going to be able to restore your information. Who's going to be restoring backups every day? That's not something I can do and kind of have a healthy, happy life. So we really like this option in Akeeba Backup, because if it can't verify its own integrity, it sends you a message. So you know there's something wrong with the backup. Okay?

You also, in our recommendation, should use a series of redundant firewalls. Okay, there's no one that does it all; there's not one that's best. Jetpack obviously has lots of features. The free version includes basic malicious attack prevention. Okay, it doesn't provide file scanning or things like that, but essentially that's sanitizing the requests on the website through WordPress's very large database of known attack vectors. So the free version is easy to install, and you can whitelist certain IP addresses, for instance of your office, so that you never get locked out, that sort of thing. Oh yeah, and of course that's on by default: blocking the malicious login attempts. Okay, so definitely recommend Jetpack. The other one that we recommend is the All In One WP Security and Firewall. You might have your own favorite firewall; feel free to insert that here.
Okay, we certainly like this one. One thing about this firewall, and the other ones (there are a few others that are in this kind of class of high-feature, block-everything kind of firewall): you have to find a balance for your agency, and this might be part of your security policy; I talked about that earlier. What balance do you need to give security, but people can still log in and do what they need to do? Okay? I'm getting the signal from Scott and I'm almost done. Thank you for your attention. This is actually a live screen, or a screenshot, from one of our sites, and we're at almost, not quite, half of what we could get. The top score in this extension for locking your site down is 470; we're at about 200. For us that balance makes sense; your balance might be a hundred, it might be 350, but you're going to have to figure out what exactly that is for you. Okay? And I mentioned Cloudflare earlier. Cloudflare has a host of features, and you can see them all listed here. There's the DNS one I mentioned earlier. They also have a firewall area, and it's much like we mentioned earlier with Jetpack: sanitizing any requests before it lets kind of an attacker in. So that's another really great reason to be using Cloudflare. And that's basically it: for every site we run, we have those three firewalls, Jetpack, All In One WP Security, and Cloudflare.

That's the end of my talk. As I said, my slides are currently here. You can get all the links that you want. Feel free to contact me if you have any security questions, or anything else you'd like to ask me. I'd love to hear from you. Thank you very much. It's a bitly link, so it's bit.ly forward slash WCW 2017 hyphen security.

Right, so this ransomware is not specific to WordPress, but there was a botnet involving a bunch of WordPress sites that were already infected with something else that was spreading this problem.
What happened was, when you went to the site, it redirected you. Instead of going to the WordPress site you wanted, it redirected you to somewhere else, and that would actually take hold of either a Flash defect or a Microsoft Silverlight defect from an updated... sorry, an outdated browser. And it would use that exploit to download some other nasty stuff, rootkits, and really take over your PC. So it was a multi-layered, very complex attack to figure out, also very hard to solve, because you could fix it and then still go back to the same website and get it again. So in that case it required an outdated, infected botnet of WordPress sites and outdated plug-ins in your browser. Okay, oh, one more. Sorry. Oh, two more. Go ahead.

That your site is attacked, or that there's, for instance, vulnerable software? So that's a basic... it sounds like a basic defacing attack. So you would report it first to your host or IT provider, and then, if you identified the cause, say it was a certain plug-in, then you could identify the plug-in and contact the plug-in author. That's what I'd recommend.

Exactly right. Yeah, I only... someone had told me about BackupBuddy, that it was really popular. I couldn't verify it. Actually, that's why I was asking. You have to pay for Updraft premium, so of course that's not on the directory. But I wouldn't know why it would get so popular, so maybe it's just not that popular. They don't ever write... Exactly right. So I'm not surprised. I'm more... if they did have a free version to get popular, why did they take it off? Yeah? Yes. Exactly right, ManageWP. My time is up. Thank you very much.
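The uniform "wrong username or password" message the speaker describes adding to functions.php, written out as an added example for this page (it is not the speaker's code or from any slide). It relies on two WordPress hooks that exist in core, the `login_errors` filter and the `wp_login_failed` action; the plug-in name and the text-domain string are assumptions, and the failed-attempt logging is an addition so a burst of failures is visible even without a login-limiting plug-in.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors
 * (Added example for this page, not the talk's own code. Save as a file in
 *  wp-content/mu-plugins/ or paste into the active theme's functions.php.)
 */

// 1. Replace every wp-login.php error string with one generic message, so a
//    failed attempt no longer reveals whether the username or the password
//    was the part that was wrong.
add_filter( 'login_errors', function ( $error ) {
    // Nothing to rewrite when no error is being displayed.
    if ( '' === trim( (string) $error ) ) {
        return $error;
    }
    // The filter also covers other wp-login.php forms (lost password, etc.).
    // Only flatten messages for the login form itself, which is the default
    // action when no ?action= is present.
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return $error;
    }
    // 'uniform-login-errors' is an assumed text domain for this example.
    return esc_html__( 'Wrong username or password.', 'uniform-login-errors' );
} );

// 2. Record each failed login (core fires this for a bad password and for an
//    unknown username alike) so repeated failures show up in the PHP error
//    log for review, without echoing anything back to the visitor.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'failed login: user=%s ip=%s',
        sanitize_user( (string) $username, true ),
        $ip
    ) );
} );
```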