We're going to go ahead and get started. So we are continuing the e-commerce track here with Securing WooCommerce Without Scaring Your Customers. I'm looking forward to this talk. We have Rahul Nagare. Rahul has been working in the web hosting industry since 2005 and started using WordPress in 2008. Since then, he has helped scale web and cloud infrastructure for companies like General Mills, Saks, CSX, and PetSmart. Rahul is now the co-founder and CEO of Scale Dynamics, where he manages 10,000-plus WordPress and WooCommerce sites.

Hi, everyone. I'm Rahul, and like AJ said, I manage security for 10,000-plus WordPress and WooCommerce sites. I'm on Twitter at @nginxreload, and today I'm here to share some of the tips I learned managing those 10,000 sites, some the wrong way, some the right way, and so on. You can download these slides at scaledynamics.com/wcphx. And if you have any questions, you can just contact me on Twitter or after this session.

Back when I was in high school, I created a fake Facebook login page. It would look just like an ordinary Facebook login, but every time someone tried to log in, it would email me their username and password. And I sent this to my teachers. I like your expression. My teachers, my friends, a bunch of people I knew, and I told them, hey, download this new theme (back then Facebook didn't have themes), click here to download the theme. Everyone tried to click here, log in, and everything. I had everyone's passwords by the end of the evening. And I did what everyone would do. I changed their relationship status, changed their orientation and such, read their messages. And it was a pretty fun weekend. And I thought I had discovered this big security issue with Facebook. So I went on some security forums and posted that, hey, I found this big security thing with Facebook. And people were like, yeah, you did phishing. It's called phishing. It's no big deal. And my first thought after that was, what is phishing?
So I looked it up. And that led me to reading up on security, web application security, social engineering, different types of hacks. And over the years, I kept up with that. And I found that security is usually implemented in two ways. The first is invisible but effective. And the other one is intrusive, annoying, and probably not even effective. Let's look at some examples.

Every time I'm in the Bay Area, I like to visit the Google campus. I just pick a building like this, sit on a bench, take out my laptop, and I just continue with my work. I pretend that I work at Google, but I just keep it to myself. And I've been doing this for a couple of years now. And so far, no one has come up to me and told me to leave or asked me what I was doing there. But at the same time, I can't access any of their office buildings. I can't access their Wi-Fi networks or any of their data. And don't ask me how I know this, but if you try to take those orange coffee tables with you, security does show up. And they try to stop you. This is what I like to call the invisible but effective security.

And then the other type of security, well, there's this. It's like the time you go shopping and the store assistant doesn't stop following you. And they may be able to prevent some shoplifting here and there, but would you shop there again? Probably not.

And these examples are also visible online. Amazon is a good example. And I took this screenshot last week. And even in this day and age, Amazon will tell you to have at least six characters in your password. So you can have a password like ABC123, and they won't stop you. You can just keep on shopping. They won't even send you an email that, hey, you have an insecure password. But at the same time, if you try to do anything funny like access Amazon from the command line or use any sort of automation, you will get blocked right away. It won't even ask you to log in. You're just blocked. And the same thing also happens with eBay.
You can have weak passwords, and they won't stop you. But if you do anything automated, you get the page-not-found message. And this is the invisible but effective security. And on the other hand, Equifax does this. Equifax has all sorts of password requirements. They won't let you paste passwords or use any password managers. And they will make life difficult for actual users. But if you try to access them from the command line, you get access just fine. They will also set cookies thinking you're a real user. And they still managed to get hacked. So as a WooCommerce store owner, you should have security like Amazon and not like Equifax. And we'll look at some of the ways to actually make that happen.

Now when it comes to securing WooCommerce, you need some different approaches compared to securing WordPress. Because what happens when WordPress gets hacked? Hackers get access to your cat pictures. They install cryptocurrency miners on your site. They may redirect it somewhere. And they will post some ads about Canadian pharmacies. At that point, you just restore a backup, update some plugins, and move on. It's pretty simple to recover from that. But what happens when WooCommerce gets hacked? Hackers get access to your credit card processor, your UPS and FedEx accounts, your drop shipping provider. More importantly, they get access to all of your customers' emails, maybe passwords depending on how WooCommerce is set up. And they can do all sorts of things with this information. And it's much more difficult to recover from this than just restoring a backup and moving on.

Now, if you're running a successful store, chances are you're using a managed hosting provider or good hosting. Do you still need to worry about security? Well, the short answer is yes, because a good host will be able to do some things like keep your WordPress up to date. They might even update plugins depending on which provider you're on.
They will protect you from brute force attacks, DDoS attacks. They may also scan your site for malware. But a good hosting provider won't be able to protect you if you have insecure plugins, if you have insecure themes. They won't be able to do anything if you lose your laptop and it has all of your passwords saved. And more importantly, they won't be able to do anything about that freelancer you hired last year that still has access to your site. So having a good host is a good start, but there are still some things that you need to do to properly secure your business.

Now, what sort of security issues actually affect customers or make it difficult for them to give you money? The first one is lack of SSL. It's pretty simple. Everyone with WooCommerce will have SSL in this day and age. But if you don't, browsers will show something like this. They will mark your site not secure. And even if you have SSL and visitors can still access your site over HTTP, there is a chance some of them will see something like this and not actually see the secure padlock.

Next is mixed content warnings. Even if you have SSL and you update a plugin or theme that tries to load fonts, CSS, images, any external elements over HTTP, it will look something like this. And while it doesn't say not secure, it might still break your site's layout. People might think the site was hacked. Or it will just not load some fonts, and the design doesn't look good. So this also affects conversions.

Next one, this one is ironic: security plugins that slow down the site. So if you have a security plugin that's not well done, it will log every visitor's IP in the database. Security plugins will more often than not bypass caching. So they make your site slow. And with e-commerce, slow sites make less money. So that's a big concern. So you need to be really careful about what security plugins you use.

Next one is aggressive CAPTCHAs.
So on the checkout page, if your customers have to enter something like this, they may not come back.

Next is trigger-happy firewalls. These are the firewalls or security plugins that block users if you enter the wrong password two or three times. And I don't know about you, but every time I'm shopping online, I will end up on a site that I haven't visited in a while. And I have to try my usual two or three passwords. None of them work. So I try the password reset button. And good e-commerce sites have security questions. But the questions are always something stupid, like what's your favorite song or what's your favorite color? And I have to remember, what was my favorite song three months ago? Then I try two or three songs. And in that process, if the site blocks me, I'm just not coming back to that site. And sadly, at the same time, if I was a hacker, I would just change my IP address and keep trying. And that plugin would never block me.

Next is complex password policies. This happens a lot with banks and financial institutions. But there are plugins on WordPress and WooCommerce that have policies like this. And if you make it too difficult for your users to create a password that they're comfortable with, they will either have to write it down or just not remember it and end up with the same thing, trying different passwords every time. Only banks can get away with stuff like this.

And finally, we have emails that end up in spam. So if you're sending important information, like shipping status, order status, coupons, and that ends up in spam, you lose out on repeat business from customers. It also affects the credibility of your site. And because your emails from your domain are ending up in spam, if you do any marketing campaigns, they will also probably end up in spam. It will affect the delivery and ROI of your marketing campaigns.

Now, so how do you fix all of these issues? The first one is use a good hosting provider.
And everybody gives the same advice, use good hosting. But how do you know if your hosting is any good or not? I like to do one or two tests. The first one is contact hosting support. And if they ask you for the last four characters of your password, just leave right away. And I'm not making this up. There are actually companies that do that to verify your identity. And that's a bad practice. Next is trying to log into FTP or SFTP. And if you see other people's directories, just try to navigate to different directories. If you see other users, they can see you too. And at that point, maybe go for more dedicated servers or a VPS, or you can look into switching to a different plan. Finally, see if you can download any of the SQL dumps or backup files without having to log into your site. Because if you can, then other people can also access your data if they know where to look. And usually, if you have backup plugins, they will have more or less the same format: backup, date, some random number. So anyone can go to yoursite.com/wp-content/updraft/backups. And they basically have everything, all of the information, without even having to hack you. So if you can download stuff like this, tell your host to block this, and they may be able to prevent any data leak this way.

Next is using SSL. And if you already have SSL, make sure your site is not accessible over HTTP. It's always redirected to HTTPS. You can use plugins like Really Simple SSL if you have mixed content warnings. And you can also do a search and replace on the database. So it always shows the secure padlock.

Next is using strong passwords everywhere. And by everywhere, I mean your credit card processor, your email, your UPS and FedEx accounts, your email marketing tools. Basically, any service that you use for your business should have a secure password. And you can use tools like the Chrome password manager or the one that comes with Apple.
If you need something more advanced, you can use stuff like 1Password or LastPass. And these will help you have a different password for each service and not have to remember them.

Next is two-factor authentication. Two-factor authentication will need you to install some sort of app on your phone. And that will send you a code every time you log into a service. So even if someone knows your password, they won't be able to log in if they don't have access to your phone.

Next is offering two-factor authentication to your customers. And you can do this with free plugins like Auth0 or Google Authenticator. And the idea is the same. If you offer two-factor authentication to your customers, even if someone knows their passwords, they won't be able to do anything with them.

Next is invisible CAPTCHA. You can use this on the checkout page or the login page with plugins like Invisible reCAPTCHA or Advanced noCaptcha. And your users won't even have to click the "I am not a robot" button. But if anyone tries to use any automated tools, they will actually see the CAPTCHA. So you don't end up bothering your customers, but hackers will have a hard time doing anything malicious with your store.

Finally, for emails, you can use services like SendGrid, Mailgun, SparkPost. And pretty much every one of these services will help you set up a DMARC policy, DKIM, and some other authentication. And that will make it difficult for hackers to spoof your emails or send emails from your domain name. And these will also always end up in the inbox. So that also helps with your receipts, coupons, marketing campaigns, and so on.

Next is securing WooCommerce code. Every now and then people's websites get hacked, and Facebook groups still ask, are you using any insecure plugins? And it's easier said than done. But what I like to do is just go to WordPress.org and search for your plugins.
And if your plugin says something like this, last updated four years ago, even if you have installed all of the updates, it may not be secure. And chances are it will not work with Gutenberg anyway. So just go through all of the plugins. And if you have any plugin that hasn't been updated in more than one year, maybe look for a replacement or just deactivate it if you don't rely on the plugin.

Next, you can check the theme's functions.php file for keywords like eval, exec, or basically any big chunks of text that don't look familiar. And if you have that, your theme is already compromised. So you can try and install updates for your theme or secure it or clean it up from backups.

If you have access to WP-CLI, this command will check all of the WordPress core files and tell you if any of those are modified by malware or hackers or bad developers. It looks something like this. The first one is a clean WordPress install. And the second one had some files modified. And it will tell you exactly which files are not secure or don't match the original WordPress versions. If this happens, you can just restore them from a backup or download the WordPress zip file from WordPress.org. And this will make sure your core WordPress functionality is not compromised.

The next one is sort of an extension to WP-CLI. You can install this and it will check all of your themes and plugins for any known security issues. And they use an up-to-date database for this, just like the antivirus on your laptop. And even if you're using a well-known plugin that happens to have a security issue this week, this command will catch that and tell you that there is this ongoing issue and you need to fix that. So you can either deactivate that plugin or contact their support and find an alternative.

The next thing is blocking hackers even before they reach your servers, just like Amazon does.
And you can do that using Cloudflare, Amazon web application firewall, Sucuri web application firewall, and there are some other options. And all of these services will learn about ongoing WordPress attacks on millions of sites. And they will update their rules so you don't have to keep updating the firewall every time there's a new security incident. For example, WP GDPR had an issue where they were ironically leaking all the private information of their customers. And if you had something like Cloudflare or Amazon firewall, it was blocking that attack automatically. And I like to use Cloudflare because it's free and it also comes with a CDN, and it has some good options. And signing up for Cloudflare is pretty easy. You just go to cloudflare.com, sign up, add your site, and it starts protecting your site in a couple of minutes. But once you do that, here are some options that you should set to make it even more secure.

First is go to the Crypto tab and change the SSL mode to Full. That will tell Cloudflare to use SSL between their servers and your hosting provider.

Next is HSTS. HSTS forces browsers to only use HTTPS for your site. And this is different than redirecting everything from HTTP to HTTPS. With HSTS, if hackers or any service providers try to inject something on your site, let's say malware or some sort of advertising (airports do that), when someone accesses your site, it will redirect to something else. HSTS will prevent that. And instead of showing the stuff that hackers embedded in your site, your users will see something like this. So they're protected from any potential malware or viruses coming from your site onto their devices.

Next is minimum TLS version. Make sure you set that to 1.2. So any devices made within the last five or six years can still access your site. But if hackers are trying any automated tools, like Python Requests or Firefox 4 or any older browsers, they won't even see your site.
They will get blocked right away, just like Amazon and eBay do.

Next is the Firewall tab. And here you can do all sorts of interesting things. You can block specific hackers or specific services like SEMrush or Ahrefs from accessing your site. Or you can just go with "block all known bots." And this will stop anyone that's trying to scrape your site. But Google and Bing and MSN and any other search engines will still be able to access your site.

Finally, when it comes to security, there are things that everybody does that seem like they're improving security, but they just create an illusion and are not actually effective. First is using robots.txt to block bots. And it's like leaving your front door open with a sign that says, hey, don't steal my stuff. And that may work for some people, but everyone else will just walk past that. And using robots.txt is pretty much the same thing. Only search engines will respect that, but any other bot or any other hacker can just ignore it and they can still access your site. So to effectively block bots, you can use stuff like .htaccess files. You can block them on Cloudflare or your web application firewall. If you have Nginx, you can block them on Nginx. And instead of using the IP address of hackers, you should try and find out what browser they're using to access your site. And see if you can block that browser, because a lot of the time it's something like Firefox 4 that came out in 2011, or Chrome 19, again from the same time. And no actual users will use that. So you can just block that browser. So even if the hacker changes their IP address, they still won't be able to access your site.

Next is using plugins that hide the login pages of your site. And again, this feels like it's improving the security, but hackers can just use XML-RPC or the WordPress API. And they won't even need to see your login page. Also, Microsoft shows their login page. You can just go to blog.microsoft.com/wp-admin, and you will see this.
If you know the password, you might be able to log in. But if Microsoft can do that, so can you if you have other security in place.

Next is, again, firewalls that block users after a couple of failed logins. And if you have installed that plugin, I'm sure every now and then the developer says, hey, I got locked out. Can you unblock me? And these plugins are more effective at blocking actual users or actual customers than blocking any bots. Because they, again, just change their IP and try again. So these will just slow down your site and not actually help with the security.

Finally, a good security policy also plans for when things go really wrong, if you get hacked or if you lose all of your data. And the first step of that is backups. A good backup strategy has three components: frequency, destination, and verification.

Frequency is how frequently your site is backed up. It can be daily. It can be every couple of hours. It can be every hour. And that depends on how many transactions you get on your store. And to come up with a good frequency, you can take the most recent backup and check how long it will take to fill the gap between that backup and now. And it can be having to enter the orders, having to update the inventory, sending emails to customers, invoices, and so on. And based on that, you can see how frequently you should back up.

Next is destination. If you use backup plugins and they back up on the same server or at the same provider, that's not really a backup. You should really use stuff like Google Drive, Amazon S3, Backblaze, Dropbox. Basically have a backup at a different provider. So even if your hosting provider has any issues with the network, with their hardware, you can still get back online pretty quickly.

And finally, verification. Making sure your backup works. And you can do that by taking the most recent backup and restoring it on a staging site. And then you need to check for things like, does my theme have all its settings?
Do all of my plugins have their API keys, especially the shipping ones or print and fulfillment plugins? If you restore the backup, a lot of the time they will lose all of their settings or the API keys. And you have to manually enter them. And if you don't remember what settings were there, that backup is not really useful. So having this verification step as part of your strategy will help you figure out the plugin that works. And you can also document all of this for when things go wrong and you need to restore a backup. You also need to check the Printful plugin, UPS, FedEx, and so on.

Next is having a printed copy of two-factor authentication recovery codes. Now that you have two-factor authentication, what happens when you lose your phone, or if you leave it at Starbucks, or lose your laptop? Having a printed copy of these codes will help you log in, even if you don't have your devices with you. And keeping it printed is important, because if you just save it on your phone or save it in an email and you lose your device, you will get locked out.

And finally, better password management for WordPress and WooCommerce. Because no matter what security measures you have, there may be a time you get hacked for any number of reasons. And once hackers have access to your data, you can take measures to make it really difficult for them to actually do any damage with it. And the most important thing that's been part of all the security hacks is customers' emails and passwords. And even though those passwords are encrypted, hackers can just try all the words in the dictionary and see which one matches the password. And people have a tendency to use the same password for all of their services. So if they get the passwords of Bob's Donut Shop's customers, they can still go to Bank of America and try that same email address and same password, and there is a good chance it will work. And to fix that, we need to look at WordPress password management. By default, WordPress uses MD5.
And this is an algorithm that will convert a password to this string. And it's a one-way algorithm. So you cannot enter this into MD5 and get the password back. Pretty good, right? Except MD5 has been in use for decades. And it has been subject to a lot of password leaks. So you can go to sites like MD5 Online, enter this hash, and it will tell you the actual password. You don't even have to try all the words in the dictionary. So once hackers get access to your WordPress database, they can just run all of these hashes through services like this. And they will have all of your customers' passwords that they can use to log into their net banking, email, and other services.

And to fix that, you can use the bcrypt algorithm using a plugin. Bcrypt was specifically designed for passwords. And it was designed to be slow. And you might be wondering, e-commerce and slow don't go together. But bcrypt takes 0.1 second to process one login. So your users are not going to notice that. But compared to MD5, it will also slow down the hackers. So if a hacker can try 1 billion passwords in one second using modern hardware, if you have bcrypt, they can only try 100 passwords. So just to crack one user's password, it will take them a couple of weeks compared to a few seconds with MD5. And that makes it not worth their time trying to decrypt your data. So you at least minimize some of the damage.

To use bcrypt, just go to this link. Use this plugin, WP Password bcrypt. Download this file and upload it to your must-use plugins. And that's it. Every time a user logs in, their password will be converted from MD5 to bcrypt. And in a couple of weeks, a couple of months, everyone will be using bcrypt. And your site will be much more secure than it is now. One thing to remember with bcrypt is, if you install this plugin, make sure you don't deactivate it after a couple of months. Or you will have to reset passwords for all of your users.
Finally, here are some resources about security. I highly recommend everyone check the first one. It will ask you to enter your email address. And it will tell you if it was part of any hacks on any of the services like Skype, Equifax, or millions of others that got hacked in the last year. Then there are blogs about security, podcasts about WooCommerce and running a business in general. So do check them out. And thank you.

So web application firewalls, again, you just sign up for Cloudflare. It includes the firewall. And that will protect your site. And then there are some other settings that you can set to actually improve the security.

Right, so with Cloudflare, you sign up to Cloudflare. And they will tell you the name servers. You go to your domain provider, like GoDaddy, and enter those name servers there. So it will protect you at a much higher level than using a plugin or your hosting provider. So it will stop hackers even before they reach your hosting provider.

Redirected how? No, it still works. With Cloudflare, you can go to the DNS tab. It will have the same IP address that you have now. And it will work. And if you have any questions, you can just meet me after, or you can ask now, or just contact me on Twitter.

Yeah, so personally, I don't like using plugins because they're like the last resort. If a hacker is already at the plugin level, they're pretty close to doing some damage. And if you can block hackers before they reach your servers, it's much more effective. But scanners, they're good, like the Sucuri web scanner, and there are some other services. They're pretty good. You can check them frequently and make sure your site is not hacked, or if they're seeing something that you are not. So they're pretty good to catch stuff like that. But security plugins, I prefer using other approaches than using plugins. So again, stuff like having strong passwords, good hosting, and Cloudflare or Amazon or other firewalls.
So that will be more effective than using plugins. And again, a plugin will stop hackers if they try something weird or if they enter the wrong password too many times. And Cloudflare or Amazon will do the same thing. But they will do that much more effectively, and it will not slow down your paying customers or other visitors.

Yes, sir. Strong passwords. Strong passwords and two-factor authentication. If you just did that, even if someone knows your passwords, it will be much easier for you to secure the services. And if you can use bcrypt, that will make your WordPress fundamentally secure. So even if it gets hacked, it will not be of any use to hackers.

So using bcrypt, it will replace all of the crypt functions or hashing functions in WordPress. So even if someone does a password reset or forgot password or changes the password from admin, it will still use bcrypt, and it is more secure.

I'm not sure. You might have some other hashing plugin that's changing it from MD5 to the dollar sign and the hash and salt format. But the ones I see, they always use MD5, even if you reset the password from WP-CLI or wp-admin users. So in any case, using something like bcrypt will be more effective than just MD5 or another combination of MD5 plus a salt from wp-config.

Yeah, so with password managers, you can have a password this long for each service. You don't have to remember that. And if you use 1Password or any other managers that provide sync, you have all of those passwords even if you log in from some different device. And it's a pretty good approach compared to having to remember passwords, especially with banks. But the problem there is most of the banks will not allow you to paste passwords. But there are ways around that. And you can have a unique password for each service. And even if they force you to, you cannot have the same password as the last five passwords or something like that, it will still work with the password manager. I use 1Password.
It's $50 or something a year, but it's pretty good. So I'm biased that way, but you can go with any. Like I said, just try these things. Do they ask for your password? Can you download? And yeah, it's not good. Because if the password is encrypted, that never works. But if it was stored as a hash, they shouldn't have access to the last four characters of your password. So they're storing at least part of your password somewhere that anyone can read. And that's just like a disaster waiting to happen. And if someone knows the last four characters of your password and it's only eight characters, how hard is it to guess the other four? Or, every now and then, it will be the name of your pet. And you can just figure out what the other characters were.

Yes. They're pretty good. I mean, they do a good job at security as well. With WP Engine, your most recent backup of your database is stored in wp-content/mysql.sql. They block that. But if you happen to be on any server, if you just go to a site's /wp-content/mysql.sql, and if that server was not properly secured, you would have access to their WordPress database. And I'm not saying WP Engine does that, but this is the policy that's followed by most other hosting providers. So every now and then you will run into a site. You can just try domainname.com/wp-content/mysql.sql. And it will actually show their database. So you have access to their orders, customers, all of their plugins, everything. And so if that happens, that's why I recommend just switching to a different provider. Customers shouldn't have access to this data without at least buying you dinner first.

All right, well, thanks everyone for coming.
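The bcrypt migration the talk describes (new hashes are bcrypt, existing MD5 or phpass hashes are upgraded the next time the user logs in, and password resets go through the same hashing functions) comes down to overriding WordPress's pluggable hashing functions from a must-use plugin. The following is an added example written for this page, not the speaker's code and not the WP Password bcrypt plugin; `EXAMPLE_BCRYPT_COST` and the plugin header are placeholders, while `wp_hash_password`, `wp_check_password`, `wp_set_password` and the `PasswordHash` class are the real WordPress functions it replaces or calls.

```php
<?php
/**
 * Plugin Name: Example bcrypt password hashing (mu-plugin)
 * Description: Illustration only. Hashes new passwords with bcrypt and
 *              transparently re-hashes legacy MD5 / phpass hashes at login.
 *              Place in wp-content/mu-plugins/ so it loads before
 *              wp-includes/pluggable.php, which is what lets these
 *              definitions replace core's versions.
 */

// Placeholder tuning value: cost 10 is PHP's default for PASSWORD_BCRYPT and
// lands around the 0.1 s per hash quoted in the talk on commodity hardware.
// Raising it later is safe: hashes are upgraded on the user's next login.
const EXAMPLE_BCRYPT_COST = 10;

if ( ! function_exists( 'wp_hash_password' ) ) :
	/**
	 * Hash a plaintext password with bcrypt. Every core path that stores a
	 * password (registration, reset, profile edit, wp_set_password) calls
	 * this, so all of them produce bcrypt once this file is active.
	 * Note: bcrypt only considers the first 72 bytes of its input.
	 */
	function wp_hash_password( $password ) {
		return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) );
	}
endif;

if ( ! function_exists( 'wp_check_password' ) ) :
	/**
	 * Verify a password against whichever hash format is stored, and upgrade
	 * anything that is not current bcrypt on a successful login. Keeps core's
	 * 'check_password' filter contract so other plugins keep working.
	 *
	 * @param string     $password Plaintext password supplied at login.
	 * @param string     $hash     Stored user_pass value.
	 * @param int|string $user_id  User ID, or '' when no user is known.
	 * @return bool
	 */
	function wp_check_password( $password, $hash, $user_id = '' ) {
		$bcrypt_opts = array( 'cost' => EXAMPLE_BCRYPT_COST );

		if ( 0 === strpos( $hash, '$2y$' ) ) {
			// Already bcrypt: constant-time verify, re-hash only if the
			// configured cost has been raised since this hash was made.
			$check   = password_verify( $password, $hash );
			$upgrade = $check && password_needs_rehash( $hash, PASSWORD_BCRYPT, $bcrypt_opts );
		} elseif ( preg_match( '/^[0-9a-f]{32}$/i', $hash ) ) {
			// Legacy unsalted MD5 from very old WordPress installs (the
			// format the talk's MD5 Online lookup defeats).
			$check   = hash_equals( strtolower( $hash ), md5( $password ) );
			$upgrade = $check;
		} else {
			// phpass "portable" hash ($P$...), WordPress's long-time default.
			global $wp_hasher;
			if ( empty( $wp_hasher ) ) {
				require_once ABSPATH . WPINC . '/class-phpass.php';
				$wp_hasher = new PasswordHash( 8, true );
			}
			$check   = $wp_hasher->CheckPassword( $password, $hash );
			$upgrade = $check;
		}

		// Only a correct password lets us re-hash, since we need the plaintext.
		// wp_set_password() calls our wp_hash_password(), so the stored value
		// becomes bcrypt from here on.
		if ( $upgrade && ! empty( $user_id ) ) {
			wp_set_password( $password, $user_id );
		}

		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}
endif;
```

Because only a successful login yields the plaintext needed to re-hash, dormant accounts keep their old hashes until they next sign in; forcing a reset for those accounts is the only way to finish the migration sooner.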