Hi, everyone. Thank you for being here. Do you hear me? All good? Perfect. Thank you so much for being here. I have to say, this is the most beautiful room I have spoken in, and it's incredible. I'm stoked. I feel like a rock star. This is really, really good. And this is a fantastic WordCamp, and this is my first time at Work & Posey, and I already love it. So thank you for coming to my talk. I know there's a super busy schedule, so I'm particularly happy that you picked my talk.

So what are we going to talk about today? We're going to talk about securing WordPress without coding skills. Is there anyone here who is a security expert? Don't stay here. Or, if I say something completely wrong, please say it. All right.

So my name is Francesca. As you can hear from my accent, I'm obviously not from around here. I'm from Torino, Italy. I own more than one t-shirt, but it's very convenient to have an outfit like Steve Jobs so that people will recognize it. So in my case, it's a blue shirt with pink glasses. Whatever WordCamp you go to, you'll find me wearing this thing, so you'll know who I am. As Steve would say, I'm the WordPress Community Manager at SiteGround, the international web hosting company. And before doing that, I was a freelancer making websites, for other freelancers mostly. So giving back to the WordPress community is basically my job. It's part of my job description, and I'm going to brag because I worked hard to get here, right? So I like bragging. I'm not a modest person. So what I love is that having this job allows me to do the thing that I love the most in life, which is sharing knowledge. In Italian, we say that when you have money you need to enjoy it, because you cannot use it to, and I don't know the word in English, but you will not put it in your coffin, right? All right, so you do the same with knowledge: just share it. It's the most wonderful thing in the world, and I think WordCamps are amazing because each one has a story to tell.
Each one of us has something to give to the other person in the room. So this is why I love going to WordCamps around the world and sharing my experience, sometimes my failures, sometimes my successes and what I learned from them, and sometimes I get to share things that I learned from my colleagues at SiteGround. So this talk is actually a bit of a mix of everything from my previous life as a website owner and designer, developer, plugin installer, and my experience now with a big hosting company behind it.

So I'm obviously not a security expert, but I think that... So becoming a security expert is a different job than making websites, okay? It's a very different job than making websites, but I think as web professionals of any kind, we owe it to ourselves and our customers to make the web safer for everyone, because everyone has to get something out of it. If the web is safer, it's safer for everyone. And also, if you know enough, it will prevent you from making costly mistakes, which is what this talk is based on. It's my mistake, and how I solved it, and how much it cost.

So we will not talk about technical stuff. What is your name? Josh. If you have any technical questions, Josh is your man and he's here. If you have technical questions about anything related to SiteGround, come look for me, and after this we're going to ping my colleagues that know about security and technical stuff. So if you have any really technical stuff, Josh is your man, or you come see me and we're going to ping customer support and they're going to reply. But today... So I like to think of myself as a common sense dispenser. I'm really full of common sense. That's my superpower, I think. And I learned this, as I said, from my experiences, and I hope it's going to be helpful for you too if you don't want to become security experts but you want to make the web safer for everyone.
So, how I learned this: during my time as a freelance web designer, there was one particular incident that led me to research security a little bit more. And the keyword here is awareness. Again, it's not about becoming a security expert, but knowing enough not to be dangerous, let's say it like this.

So, one of the websites that I managed, this Chpubi that was mentioned. So Chpubi is a multi-author website. We're now over 80 people writing for it. So imagine 80 people having access to it, creating their own username and their own password. And so at some point this website got hacked. I suspect because someone had as a password "one, two, three, four". I cannot prove that. So the website got hacked, and we got a cease and desist letter from an American lawyer that asked us to remove false advertisement that was redirecting to a well-known pharmaceutical product. And we were like, what? We're a bunch of ladies reinventing our careers and writing about it. You know, we talk about marketing and personal branding and sometimes cool pajamas to work from home in. What are you talking about? And then we scanned the website and we realized that content had been added to our pages as hidden content, with advertisement for a pharmaceutical product. Needless to say, we were very scared because, you know, we're in Italy. Suddenly we get a cease and desist letter from an American lawyer, like, oh, are we going to go to jail? Are they going to revoke my visa? I don't know. It was kind of scary.

So we managed to get rid of that. And obviously we had no idea our website was compromised. And we also had a sense of false security because we had installed a plugin at the time, not even a plugin, actually a module of a plugin that was supposed to keep intruders out. So we were like, we have a plugin, we're safe. No. Unfortunately, that's not how it works. This is like the most used sentence ever when we talk about security, that says that security is a process and not a plugin.
So even if you installed a security plugin, which obviously will help, there are things that you need to do that are your responsibility and that will help immensely. And I learned this, as I said, firsthand, because I thought, all right, we have a plugin, we're good to go. No, that's not how it works. So security is a process. Security is a state of mind. And it starts even before you create your website, I would say. You have to get into this security mindset. Safety, I would like to say even, you know, it's not just about security, it's about safety, even before you start your website.

So, and this is where Josh is going to help me, let's do a bit of background, very easy. We're not going to get into technical stuff. As I said, who is doing these attacks, okay? So we talk about attacks, hacking. And if you're anything like me, you imagine those hackers as Neo in The Matrix with the 25 keyboards, 75 screens, typing like that, and going to my website. That's not how it works, apparently. I was very disappointed when I realized that. So there are more or less three bodies that carry out attacks. One is Neo from The Matrix, but Keanu Reeves did another movie where he was a hacker. The Net? I don't know. It's a very old movie. Anyway, so he was there. So when it's a person, those attacks are very rare, and they attack very high visibility targets. Think FBI. Think, you know, government sites. Think banks. Think about political parties. Think about this kind of thing. That hacker will not attack francescamarano.com. He doesn't know I exist, and he is not really interested in my website. So human attacks are very rare, are very sophisticated, and are probably the hardest to detect because they're sophisticated. And then we have bots. Bots are programs that are written by humans, but they potentially hit lots of websites at the same time, with usually one specific goal, like, you know, getting your password and going to the admin area, whatever.
They're not very sophisticated, but they're very efficient because they can hit a lot of websites at the same time. And even more effective than bots are botnets, which are, as you can imagine, networks of bots, which is multiple computers attacking. So imagine large-scale attacks, hundreds of thousands of websites, coordinated by a computer, a server that is usually called C&C, command and control, and those are deadly because they hit hard. They go to millions of websites at a time. They're not very smart, but they're deadly because they attack a lot of websites at the same time.

Now you have to understand that it's nothing personal, especially if you're francescamarano.com. If you're FBI.com, it is personal. But if you're francescamarano.com, it's not personal. What do hackers want? Because I remember when we got hacked, I was like, what do they want from these ladies? We're a bunch of ladies writing useful free content. Why are they attacking us? They don't care. So what do hackers want from your new website that just you and your mom read? They want to gain control as admins of your website so they can write files and they can gain control to do stuff. What kind of malicious stuff? What kind of stuff? For example, sending out spam. They can write the scripts that will send unwanted spam or viruses through your website. They could use your website to upload unwanted content. It could be, in our case it was advertisement, it could be pornography, it could be viruses, it could be even pictures that they don't know where else to put, right? But they will use your website as storage, basically. Or data theft of the most basic kind. If someone sends a comment to your blog, their email is stored inside your website.
If you have an e-commerce plugin and someone buys something from you, their email is going to be stored in your website, and not even encrypted in the database, unfortunately, but in the admin page of the e-commerce plugin, or of any content or comment plugin, you'll see the full email. So they can basically quite easily get a database of emails to which they can send spam afterwards. And it's not a very difficult attack to carry out, because sadly people use insecure passwords, and then you get into the website, you scrape all the emails, and it's really a matter of seconds.

Or they could use it to redirect. They could upload content, they could make it work as a redirect. So for example, your website, your domain, still has a good reputation with Google. Their domain doesn't have a good reputation, so they will use yours as a proxy to go through and go to their website. And they can also use this for getting a higher place in the search engine results. Maybe they don't have a malicious intent. They didn't add any spam or virus, but they're redirecting the traffic, thus having more links, thus climbing the search results.

And finally, this is something that I didn't know existed, but when I started researching for this talk, ransomware. Do you know what ransomware is? Except for Josh. Does anyone know what ransomware is? Okay. So basically it's digital ransom. They will get into your account. You will not be able to get into your account again, and they will ask for money to release the password and the account back to you. Now this is very popular, and also this I didn't know, on social media. About a year ago, there was a massive, not massive, but there was an attack on Italian influencers on Instagram, about 150 of them, who had very good accounts with over 50,000 followers. They managed to get into their accounts and they sent each one an email that said, give us $4,000 or you don't get your Instagram account back.
Now you have to imagine, for example, in this case, it was a lot of ladies that were selling their arts and crafts, and they worked hard to get to those 50,000 followers, and suddenly you have someone that says, no, give me $4,000. Luckily in Italy, and I guess in every country of the world, there are police sectors that deal with that. So they were able in about three days to solve the situation, but this is a thing that happens, and I didn't know.

And obviously there are effects if your website gets hacked. Reputation. Did you ever visit a website that was marked as hacked or insecure and go back to it? I don't think so, because once you say, oh, this website is hacked, I don't know what's going to happen to me, but I'm not going to go there anymore, and it doesn't matter if the people clean up this website 30 minutes after you visited. That's it. Their reputation is done. They're hacked. So you won't visit them again unless you really, really want to visit them. There's a tool, one of the Google tools is Google Safe Browsing, and they will put up a notification that the website is not secure. So again, people will not visit that. Or your website might be blocked by your hosting provider, by your internet provider, or by the antivirus software you have on your computer. How many times did you get the pop-up that said this website is not secure? And you will not go there. It doesn't matter if they sort it out.

And let's not forget about cost. So when our website was hacked, none of us had any idea how to remove these things, and at the time we were with a teeny-tiny hosting company in Italy that wasn't really ready for this kind of thing, so we had to pay someone to clean up our website, and the website was down for...
Well, in that specific case that website doesn't make any revenue, so we didn't lose revenue, but still, that website was down for over two days, and it's not great, and we also had to pay someone to take care of it, so there could also be, you know, a cost for cleaning this up.

Now, I think no one can guarantee you that your website will never be attacked and that your website is 100% safe. Am I right, Josh, when I say this? OK. Because I know that a lot of companies use, you know, a super secure service and stuff like that, and it's true, obviously both hosting companies and servers or anything will put in place all the measures they have to make it secure, but there is no such thing as 100% secure. What we can do, and it starts honestly from your computer right now, is try to reduce the chances of being attacked, and it starts with the simplest and most overlooked measure that you have to secure your website and your computer.

Use a secure password. It means use a long password. How long? 25 characters. Panic. No one remembers 25 characters. I hardly remember my son's birthday. So this is why the internet gave us password managers, which are fantastic pieces of software that will allow you to put all your logins inside an app, and you will need to remember just one, the master password to get inside the app itself. Now beware, do your research before you pick a password manager, because one very popular one was hacked, so it gave out millions of passwords. Now I know that 1Password has never been hacked, so my personal preference is for 1Password. It's called 1Password, look it up. It works for Mac, phones, Android, whatever, and it's not super expensive. I think it's about $50 a year, and it's effective. They changed the UI, I don't really like it, but I like to complain when a UI changes, so maybe it's just me.

Don't reuse passwords.
That's another thing that we all do because we're lazy and we cannot, again, remember too many passwords, so we reuse the same password. Why shouldn't you? These bots carry out these automated attacks, right? So they attack thousands of online services at the same time. So they find out that specific email with that specific password, which they managed to figure out for Gmail. As soon as they figure that out, they will check thousands of online services to see if you use the same combination of password and email for other services. So you thought they hacked your Gmail account, while in a very short period of time your LinkedIn, Facebook, Twitter, bank account, national health service or whatever is also hacked.

The other thing that I like about 1Password, and it's one thing that I'm doing because I realized that I had 90 out of 300 websites using the same password, which is not my son's birthday, to my defense. So what I'm doing now, I'm going through all these services and finding new passwords for them instead of always using the same one. The other thing that 1Password, and I imagine every password manager, does: they can also generate long passwords for you, so you don't have to come up with 25 characters on your own. You just get the app to do it and you just copy and paste.

The other thing that is so easy and so overlooked: keep your plugins and themes from trusted sources. Now, if you just started your WordPress website, you probably don't really know what a trusted source is. For us that have been in the business for many years, you mention one plugin and I'm like, you're cool. You mention another one and I'm like, you know. But this is because we have the experience for that. If you just started, my suggestion would be to install things that are inside WordPress.org. And also in that case you're not 100% secure, but let's say it's a bit better than going to unknown sources.
So you go to WordPress.org and you have this: plugins, themes. Or you go inside your WordPress website and you go to Plugins, Add New, and then you will have all the plugins that are in the official repo, and the same goes for themes. Now look out for these kinds of things. When was the plugin last updated? So WordPress used to be updated about two, three times a year. Then we had a year and a half without updates, and now we're having updates about every two months, I would say. So check when it was last updated, because now we are at 5.1.1, which was released a few weeks ago. If the plugin that you're using was updated two years ago, I can promise you there's a vulnerability somewhere, because in the meantime we upped the PHP version, we probably changed three major versions of WordPress, and with each of these versions we usually make some security patches too. So check when it was last updated.

The active installations, I would say it's important, but I wouldn't base the whole decision on that, because we've all got to start from somewhere. So good for these people that have five million installs. Can someone guess which plugin that is? Nope, nope. It's Yoast SEO. And I took the screenshot this morning. So they have five-plus million active installations because obviously they're a big player in the industry. They've been around for years, they're trusted, but there might be some new plugins that are also very good, as long as you see that the developers are involved with the development process, as long as you see that they update it, as long as you see that they have the minimum requirements and they're involved with the community and they reply to support questions. Then even if they have 100 installs, give them a try, they just started.
Also, Yoast started with one installation; right now they have five million plus. But if you want to be mega sure and you still don't know the industry so well, stick with something like this: it's tested up to 5.1.1, which is the latest release of WordPress. You need 4.9 for it to work. PHP is a bit low, but by the end of the year it's going to be better, and it has good ratings. It has five stars, but with an incredible amount of reviews. This one I forgot to change the slide for, so it's in Italian, but it says that in the last two months they had 580 questions in the forum and they replied to and closed 535, so they're active, right? I would say at the beginning, stick to the WordPress.org things that you have in the repo.

The other thing that you have to do is update. Now, when I started working with WordPress, it was about 2008, I remember my mentor, the person that taught me everything about WordPress, was like, don't touch an update before three weeks. I was like, why? Oh, because there are a number of problems and they're going to release a security patch, and you're going to get the white screen of death, and all this kind of stuff. And this doesn't happen anymore. Updates are absolutely safe to do immediately after they're released, and by the way, this is one of the pillars of managed hosting: the hosting company will do the update for you, basically. Not immediately, because obviously it's millions of customers, but within a reasonable amount of time.
I'm saying this especially because last year in December WordPress 5.0 came out. I don't know if you were involved somehow in this thing, but it looked like Armageddon. It was like, the moment they hit the release button, millions of websites are going to go belly up and it's going to ruin and destroy everything. Guess what? It didn't happen. And I am very lucky to work for a hosting company. I love data, I love numbers, so this is like porn for me: you go and see how many websites there are and how many get updated. So the thing is, we waited for a few days just to be sure, and then we started rolling out updates, and guess what, nothing happened. Just super custom developed websites had some problems; those were clearly edge cases. Everything else just worked. I think, especially after WordPress 5.0, we should really trust the system and get the updates as soon as they come out. But if you don't have a managed hosting company and you do manual updates, do them just after you do a backup. God, they're so boring. I mean, no one likes to do a backup, right?
But not only do you need to do it, make two. I know, you look like you're in pain. I know, I empathize, I hate doing backups. So do backups, two of them: one with your hosting (again, if you have managed hosting, the hosting will take care of it, but if you still don't have managed hosting, just activate it through the user area) and save one copy on your computer, which means that you also have to back up your computer. If you're a Mac user it's pretty straightforward, there is Time Machine. Get yourself an external hard drive, it costs basically nothing nowadays, and keep the backups. The other thing: test the restore, because sometimes you trust the backup, you have 30 days of backups, and when it's time to do the restore you don't know where to start, it doesn't work, the internet goes down, I don't know, like the scene in The Blues Brothers when Carrie Fisher arrives, all the excuses in the world. That's what happens with backups. So please always make two and make sure you have everything in place.

Back up your computer. Use a safe password also for your computer, possibly, because, I don't know, wherever the WordCamp is, I leave my computer everywhere because I trust this community. No one is ever going to touch my computer, no one is going to steal it, no one is going to look at the content. But guess what, sometimes it happens. There is a saying also in the security world that says something like, humans are the weakest link, because you might have put super advanced technical stuff in place to secure yourself, then you go work at Starbucks, you leave your website open on a table, you go to the bathroom and you don't put your computer to sleep, and then if I'm someone that has malicious intent, I just go and grab everything I need. Or you put your password, again, I did it, on a piece of paper, and then the piece of paper falls next to your computer. Guess what, you're hacked. So take care of all these things.

And finally, this is the fifth step I have for you. So HTTPS doesn't secure your website. That's not what HTTPS does. HTTPS secures the communication between your website and the rest of the world. What does it mean? Again, I'm not going to go into technical details, but it's a protocol that works both ways. So I ask to see an HTTPS website, the website says yes, hello, the user, the client, says hello, and now we know that we have a secure communication, now it's safe to put in data. Don't ever put any information of any kind on a website that doesn't have that green lock that says secure. Now, two years ago this was like a fancy thing to have. Today there is no excuse not to have an SSL certificate on your website. One, Google will penalize you in terms of search results if you have a non-secure website, so if you still use the HTTP protocol. Two, it's free. There's a fantastic body called Let's Encrypt that issues free certificates. A lot of the hosting companies that are here today support Let's Encrypt. It's an open source project, so you don't need to learn how to install an SSL certificate, which is kind of difficult; you just need to press a button, most of the time in your web hosting user area. And the other great thing is that most hosting companies, SiteGround for sure, but I'm sure other hosts too, now force HTTPS on every page of the website, because I don't know if you tried to have HTTPS a few years ago, then suddenly you had four pages, things that didn't work. But now I assume that with most of the big hosts, managed hosting, it's just the press of a button to force HTTPS everywhere around the website. So honestly there is no excuse. The other thing that we used to say, we used to hear, is that HTTPS will slow down your computer. That's also not true, because today most hosting companies will have on their servers HTTPS 2, which is the second version of HTTPS, which is much faster, and HTTPS 3 is also coming. So don't be afraid that HTTPS will slow down your computer. And again, it's free. We all like free things, so just get an SSL certificate.

I will end by saying that security is a shared responsibility. Now, I don't
know if some of you already put in place these kinds of measures; maybe some of you never heard of this, and you might be a bit overwhelmed: oh my god, now I have to think about 25 characters to secure my website and I need to learn what an SSL certificate is. Luckily you're not alone in all of this. There are at least three stakeholders in the security process. Us, the website owners: we will do everything in our power not to get hacked and to secure the communication with the people that hopefully want to visit our website. Developers that develop themes and plugins: pick the right partners, because if they care about their plugins and themes, they will do whatever they can to make them secure for you. And obviously hosting. So hosting is a partner in all of this, because all the hosting companies will take care of security at a machine level, things that you don't... Like, how many of you heard the, not Josh obviously, how many of you heard the word WAF? Okay, three out of, I would say, 60-70 people. I don't know what a WAF is, and you don't need to know. I know it because I did that for a living. So these are firewall rules that are written at a server level. You need to be a sysadmin to do that. You don't need to be a sysadmin, just pick a hosting company that will give you the security that you need. And that's pretty much it from me. Thank you for having me. Questions?

Got a question back here. I'm coming around. Is it for me or for Josh? Okay, I'll take it.

Audience member: A few weeks ago, a month ago, at our WordPress meetup we had a speaker from Wordfence, and she said something that I don't understand or like, which was that using a subdomain is a security risk. Now, I like to use a subdomain for some of my projects. What was the argument behind it? I couldn't understand it.

Francesca: I cannot understand it either. Let's have Josh say something about common access from the cPanel. Well, I mean, if you put... they're both HTTPS. If you put all the measures that we talked about in place also for your subdomain, so you have a long password to access it, you have HTTPS, you know, any of these things, a subdomain is the same thing as a domain. I cannot think of a reason why... Ah, if the subdomain... Can we get the mic to Josh? He's going to explain to us why a subdomain might not be...

Josh: If the subdomain were to get compromised, it would have access to every site that shares with your primary site. So any site that was connected in the folder structure could potentially be impacted by one of those sites getting compromised.

Francesca: So that's a problem also in general with shared hosting: if inside the same account there might be something compromised, then the other files in the same account could be compromised. One thing that I will suggest you actually look out for on shared hosting is one thing that I never know what it's called, but it will come to me. chroot? No... So at least you know that it's inside your account, but if another account is compromised it will not compromise your account, which is something that was happening back in the day. Back in the day when you had, like, a hundred... it doesn't matter how many accounts you had on a server, 2 or 25,000, if there was not this... pretend it's called... it's a quick example. No, but it has something to do with root. I'll look it up, and chroot. And this will prevent different accounts on the same machine from compromising each other. So look out for that.

Audience member: So this is a quick question. In shared hosting, a lot of times you have an opportunity to buy a dedicated IP, and it's just a small add-on. Does a dedicated IP do anything to help with security at all?

Francesca: A dedicated IP has nothing to do with security. A dedicated IP is just so you have your IP and it's dedicated, so if you access the same services or websites, or you are at a... there's a number of reasons why a dedicated IP could be a good idea, but security is not one of them. No, no.

All right, a big round of applause, thank you very much. Thank you.