All right, so welcome, everybody. My name's Micah, and we're gonna be talking about WordPress security today. If you have questions, feel free to post them in the chat. I think we'll try to answer questions as they come in. Also, I think, do we have the hand raise feature or anything like that here? You can unmute and ask questions as well. Yeah, so yeah, if you have the hand raise feature, I'll try to, there's a lot to pay attention to while I'm trying to talk and go through slides, but definitely try to pay attention to all those things. But yeah, so I wanna kinda walk through some of the security aspects of WordPress and I've been using WordPress for, I think it's what, 12, 13, probably more years. I haven't done the math in a while. And run into a lot of plenty of sites that have been hacked and random situations throughout my career. So a lot of this is stuff that I've learned as I've gone along. So let's just jump in.

So obviously we wanna kinda start out the conversation by talking a little bit about why it's important. So there's a lot of reasons why security is important. Obviously, information loss is a real thing that we see a lot more and more of that as time goes on. So you wanna definitely make sure they take care of not just your information but your client's information. And as a result, your reputation that goes along with that. But not only that, if Google happens to pick up the fact that your site has been hacked or something like that can severely impact your SEO rankings and cause you to drop in the search results and potentially can cause financial loss as well. So a lot of things that could go wrong if you don't take security seriously. And unfortunately, to be honest, I think most developers don't think about security first. They see it as an add-on essentially instead of a key thing that should be done along the way. So if you are working with a developer, try to make sure you find somebody who does take security seriously.
So I wanna kind of walk through just some of the different attacks. So these are not all the attacks. These are just some common things that we see a lot. And I'll do my best to try to explain these as simply as I can. But the first is what we call a brute force attack. So a brute force attack is basically where someone, usually using some sort of program that they've written will automatically and systematically guess passwords and attempt to use them on your website over and over and over and over and over again until ideally they figure out your password and then they can log in. And so typically the way that it starts is they say, okay, let me find someone who I am pretty sure is an admin in WordPress, right? So they're trying to find those people who have higher level access. So yeah, so we'll talk a little bit more about ways of kind of mitigating some of these things but just wanna kind of make you aware of the different types of things that do go on. So brute force attacks are usually, they run things like what they call dictionary attacks where they just throw a bunch of words and mix them up and try different combinations and things like that. So that's kind of what's going on here. And a lot of web hosts, for example, if they start to detect that there's these multiple, multiple attempts coming from the same location, they'll put a stop to it. But that isn't always the case and sometimes you have to find other ways of dealing with these.

So another one is something called SQL injection. So this is where typically if you have a form that's on a webpage, it could be like a search box or if you have all kinds of different forms and things. So typically with WordPress, if you're using a reputable forms plugin, the code is written in such a way that if someone were to try to put something malicious into one of these fields, it wouldn't really do anything to your site. Your site should be pretty secure.
But yeah, like if you have a theme that maybe was written by a developer who wasn't familiar with security, it could be that when you submit the form, whatever malicious code was put into that field, it could manipulate your database. So it could inject things into your database, which then could be used to output things that would compromise people who are coming to your site, either their information or their user logins or all kinds of stuff. So super important that we make sure that we keep our form fields properly sanitized so that we don't run into this type of thing.

Another one is cross-site scripting. It's kind of hard to describe because there's so many different ways that this could happen. But ultimately it's about being able to inject an executable script into the code of a website, which again could be through SQL injection, which we just talked about. And it basically allows the attacker to gain access. Could be access to information, access to a user's login, all kinds of stuff.

So another one is DDoS attacks. So this is called a distributed denial of service attack. And so this is basically where someone is sending a lot of, yeah, I see some questions. So I'm gonna jump back here just to say it. So the DDoS attacks are when tons of requests are made to the server and you will essentially have, if your server can't keep up, eventually the site will crash due to not enough resources to run the site.

So I was gonna look at a couple of questions here. So I saw a good one in there. Oh yeah, how and when to sanitize database. So we're not gonna get too much into like the coding aspect of this. We're gonna try to keep this as, you know, we will go into some more like advanced things that developers will probably wanna do, but we won't necessarily be going into the exact how.
I do have a whole nother presentation where I talk about sanitization and escaping and all those key things that you wanna do when you're writing either like a plugin or theme in WordPress. So if you wanna go try to look that up, you should be able to Google Micah Wood, sanitizing, escaping and validating. It should turn up something. If it doesn't, you can always reach out to me through WPseller.com contact form and I'll get you that if you want it.

But yeah, so another question here, how might one be able to determine if their site was hacked? What does it look like? So actually, yeah, that's a future slide. So we'll wait on that one for a second.

So kind of the last one here is another big group we call malware. So this is where again, someone's able to install something on your site and it's used to do malicious things, right? So it might be redirecting people who are coming to your site to purchase Viagra. It could be, you know, they're actually inserting ads for random things on your site and they may be just trying to get you blacklisted on Google so that they potentially being the competition can rank higher or something like that. Or they're just trying to provide options, ways to get back into the site to do other things. So that's kind of a general group here. So this webinar, yes, is for kind of the beginner level, but so yeah, so these are some technical terms. Hopefully I'm breaking them down enough where it makes sense for the average person, but yeah.

So here's the way that sites are typically attacked. So 51% of all hacks are due to WordPress site being outdated. So this means you need to update WordPress, you need to update things, you need to update plugins. Most, as it says here, 92% of all WordPress sites that are hacked due to something being outdated is because of a plugin. So chances are that's your most likely avenue to have your site hacked. It's pretty small actually with WordPress Core, it's tested, what is it like?
47% of the web now uses it. So obviously if there's a security issue, those get reported and taken care of quickly, but with plugins, you have authors that not as much exposure. And so things slip through the cracks a lot, not as much code review, that kind of stuff.

So outside of that group of things that happens because you don't update, another 41% of attacks are caused by a vulnerability at the web hosting level. So this is where it kind of gets a little bit out of your control outside of the fact that you've got a, yeah, someone just pointed out, I don't think these add up to 100%. There are other reasons, but you know, there's always the long tail of things that don't quite make the list. And then there's about an 8% of the sites that are hacked due to weak passwords. So this is the situation where one of those brute force attacks where somebody's trying to guess your password and is running a script to do that actually succeeds.

So yeah, so there are some security plugins and we'll talk a little bit about those here in a bit. So yeah, we'll talk a little bit too about the specific things that you should look for in plugins, but typically if a plugin hasn't been updated in say six months, it's, you know, now granted I've got plugins that haven't been updated in six years and they're still just secure and work just as well as they did six years ago. But so it kind of varies, but generally if you're seeing a site or a plugin that's getting updated on a regular basis every three to six months is reasonable. Ideally, every time a new WordPress plugin comes out there would be an update to the, maybe not to the plugin, but to the, you know, on WordPress it tells you, you know, there's plugins compatible with X. And you want to look at the ratings and make sure the ratings are good because if it has like a one-star rating it's probably not a great plugin. And you kind of want to look too at the support level.
So somebody who's actively supporting a plugin is more likely to be responsive if there's some sort of security problem. But, you know, none of that is truly going to prevent security issues, but it's definitely good signs, good signals to pay attention to.

So, yeah, so this just stating a fact here that most hacking attempts are actually automated. So it's not like somebody's really just sitting down at a computer and trying things, you know, people do that I'm sure, people who are just learning that kind of thing. But yeah, most people are coders and they write programs and they run those in attempt to hack sites. Although I do know a couple of people who are like hobbyist hackers, I guess. So one person I know would go into e-commerce sites, various e-commerce sites and they would attempt to change the price on the page and see if it would submit it with that price. And in some cases it would. So they got some really good deals. But yeah, so that's kind of interesting.

So we're going to talk more about some of these mitigation strategies, ways that you can kind of avoid a lot of these issues. So number one, backups are critical. Obviously if your site gets hacked and you don't have a backup, you're kind of screwed, right? You have to, you know, you could lose data, you could lose files. If you don't have those backed up, then all of that's gone. And some cases, you know, some of the attacks are actually ransomware, right? Like I've had someone hack into a site that was built. And this one actually wasn't directly related to WordPress, but when they hacked in, they basically downloaded the database and then wiped it and then demanded Bitcoin to get that database back. So part of the, you know, attack in some cases is to steal the data and then make you pay to get it back. So if you have a backup, you know, you don't necessarily have to pay that, right? You can fix the issue and move on with the data that you have.
But obviously you do want to kind of be aware that someone else has that data and you do need to deal with that in some way, ideally. But yeah, so we're going to talk a little bit about how do we mitigate these brute force attacks where somebody's trying to guess our passwords.

But yeah, we have a question. What's the best method of backing up sites? There's some good plugins out there. UpdraftPlus is a good plugin. And I say that just because it's the only free plugin that allows you to back up to a third party source on a regular scheduled automated basis. And all of those things are important. You want to make sure you're backing it off site because if your backups are on your site and it gets hacked, all those can be wiped as well. So if it's not off site, it's really not going to be any good. So, but there's plugins like BackupBuddy and Jetpack has VaultPress and there's a bunch of different options out there.

But yeah, so just because you have a backup doesn't mean that you're good to go. Obviously if your site gets hacked, you have to deal with how they got in. And of course your backup is going to be just as vulnerable as it was originally, though. But it's important to realize that there's kind of this balance between getting a site back up and then actually fixing the hack. So like if your site's making millions of dollars and then all of a sudden, it's got to be down for 48 hours or someone figures out exactly what happened. That's probably not acceptable. So having the backup allows you to get your site up quickly. Typically what I'll do if there's a site hacked and someone's like just get it up, I'll back up the hacked site. So I have something to work from to figure out what files did they put there? What does that code do? How does that work? And then I'll restore the site. And then of course I'll do any updates that might need to be done because we know that's a big issue. Might reach out to my web host and see how they might've got in.
Cause again, that was another big one. And then maybe putting in some things in place to prevent these brute force attacks. Maybe just use a more secure password.

But yeah, so here's a few things to keep in mind. Number one, if you use a password manager you're more likely to have more secure and longer passwords. So definitely recommend that. Especially for me and my profession where I end up having logins to lots of different things. It's nice to be able to have that in a manageable way where I can click, you know, I use one password to log in and I can click and it just logs me in. And I don't have to remember, you know, 5,000 50-character passwords. But the longer your password is, the more secure it is against brute force attacks. So I think that I don't remember the exact statistics here but I believe something like if you have any character password, brute force attack could guess it in about five minutes. But if you have like a 10 character password that increases to like a year or something like that. So obviously if you have like a 50 character password you've extended that timeframe significantly. Especially if it's all completely random and it doesn't use like words from the dictionary stuff like that.

So LastPass is a standalone application. They have like a Chrome extension, Firefox extension, things like that, a mobile app. So that'll basically allow you when you're working in the browser then you pull up a site it can auto fill your password for that thing. But, you know, it only works in that browser when you're logged in to that password manager tool. So yeah, so that is a great way of making sure that things from a password standpoint are manageable. And again, you know, we mentioned the longer the password the more secure it is. But the other thing is if your password were ever to be guessed then someone has access to your account and usually it's an admin account, right?
So if you enable two factor authentication for an admin account then you basically, you know, once they guess the password they don't have access to your mobile device or whatever you've set up for authentication. So they still won't be able to get in or get access. So two factor authentication is huge in terms of that. You probably don't want to enable it for everybody just because somebody can get in as a subscriber they can't really do much in WordPress. But if you're an admin you can upload plugins which means I can create a plugin that does whatever I want and I can upload it on your site. So it's very important to keep things secure in that way. And again, if you're running like an e-commerce site you don't want to have two factor authentication enabled because if you do that for all your customers it can be very confusing. But again, you know, there's only a handful of things that someone who hacked that particular user could do as opposed to an admin. So the important thing is that admins have the two factor enabled. So then trying to make sure that, yeah.

So Google password, that's another good password tool, you know, should be safe to use.

Yeah, so on the limiting login attempts. So there's a plugin called Limit Login Attempts Reloaded. So there's another plugin that used to do this but this is kind of a newer, more modern updated version. And basically what it'll do is it'll start to monitor when people are hitting your login screen and they will, you know, if it realizes that those requests are coming from the same place and they hit a certain number of attempts it'll basically lock that person out from being able to do any more attempted logins. So if somebody is running a script and it's coming from the same IP address then, you know, it would detect that. And then, you know, after like four guesses it would say, sorry, you gotta wait an hour before you continue.
So something like that that slows the person down from being able to do guesses extends the brute force attack from, you know potentially minutes to a year to 10 years to, you know that kind of thing.

So let's see, yeah. And yeah, I think Wordfence has a lot of the things that we're talking about built in. Some people don't, some people think Wordfence is a little too much. So providing some options here as far as like specific plugins that do specific things.

So a good number of limits. So really if you like for the average person if you're typing in a password, it doesn't work. You might try again. And then you're like, okay I really need to look up my password. And then you give it a third try. And then maybe just for good measure you could give them a fourth try. But, you know, if you, you know typically I think this plugin may attempt may default to something like four, three or four or something like that. You can change it, you know if you feel like you need five just in case so you don't get locked out of your own site just if you mistype things a lot or something. But yeah, it is within a particular timeframe.

So we're gonna talk a little bit about mitigating the DDoS attacks. So this is where someone's just trying to overwhelm your server with all of these requests. So, and this is where again, you know we got plugins like Wordfence and Sucuri and Cloudflare, which is not a plugin but it's a, you know, it's a service that it's basically a layer between people coming to your site and actually getting to your site. So it provides kind of an application firewall that can stop people before they even get to your site. Right, so when I mean Wordfence and Sucuri they're plugins so the requests actually have to come to the site before they can be handled.
So WordPress is actually handling the blocking of those requests, even though they've already hit WordPress, whereas something like Cloudflare is before they even hit your site Cloudflare can block a request and it doesn't even load up WordPress. So something to be aware of when you're trying to maybe determine if you wanna use a plugin to do some of these things or a service that, you know, isn't a plugin. To a certain degree, the more code that you're running on your site the more likely it is that it could be hacked. So even Wordfence and Sucuri aren't completely, you know, safe when it comes to security they could have a security issue in the security plugin. And since it's running on the site there's a chance that, you know you can still have an issue. Typically, you know, the security companies like Wordfence and Sucuri and I think iThemes Security and security and some other things, they do a good job. They obviously know what they're doing so you can typically trust them but there are chances that things can happen.

Yeah, so question is it seems like I need security on my computer and security on my website, is that correct? Yeah, so yeah, that's one thing I don't have in my slide deck but is important to realize is that if your computer gets infected your website login information, for example could get leaked along with whatever other data they might be stealing from your computer. So it's very possible that if your computer has been infected with some sort of virus that could give them what they need to access your site. So making sure that you keep your computer secure using some sort of, you know antivirus security software is definitely a good thing.

So I'm kind of grouping everything else under other attacks because some of them you have to utilize those things together to get in and some, you know, there's a big group of things here but there's a few things we can do to kind of mitigate some of these other broader things. So let's see here.
Yeah, so obviously as we've mentioned already keeping up with updates is probably one of the biggest and most important things you can do because again, it is about 51% of all attacks is from a plugin that's on the site that's insecure. So keeping those things updated typically will mean that those will be secure. Not always. Sometimes there are security issues with the latest version of a plugin and then, you know, some of the security plugins will let you know like, hey, we are aware of the security vulnerability with this plugin. If you update, it'll fix it and sometimes there is no update to fix it. And maybe sometimes the best option is to find a new plugin that does the same thing that is secure.

Is it more secure question here to log into the site's dashboard through the web host or through the admin? I don't think there's a real benefit to necessarily doing one over the other. Typically, if you go through the web host you get the, you know, one click login button but it's basically running through the same code as when you log in on the WordPress login page. So I don't think there's a big difference there.

Yeah, so the other big thing is obviously if plugins are the primary vector that people get to your site and hack it is we wanna make sure that we use some sort of reputable plugin, right? So wanna make sure that the source that you download from is safe. So don't just Google something and then when there's a free plugin that shows up download it. Now, if it's obviously on WordPress.org in the plugin, the official plugin directory should be safe because they do well, should be keyword. They do some checks on that. And then obviously if you're working or if you found a plugin and it's a company that offers it, you know, do your due diligence find other people who are using it make sure that they're, you know a decent company or a person who's written it.

Let's see. So the other thing is we wanna keep our licenses updated.
So if you are using some sort of premium plugin if your license lapses that also means that your plugin is no longer going to be able to check for or receive updates. Well, it may still be able to check for them but it won't update which means you may not get the latest security updates which means your plugin then could be vulnerable. So important to make sure that you have up to date licenses so that you have up to date plugin and so on. So again, premium plugins sometimes they don't get as much usage and may actually be more susceptible to attacks.

So using a WordPress host is gonna make a big difference. Again, we mentioned that was it 41% or something like that of all sites are hacked because of the web host. So if you're using a host that doesn't understand WordPress chances are they don't have those WordPress specific firewall rules or other things that are gonna protect your WordPress site. So important to find a good WordPress host and ideally, well WordPress does have a recommendations page where they recommend hosting. I think it's WordPress.org slash hosting or recommended hosting, I can't remember. I do have a link at the end of this slide deck for that I will, before I wrap this up I will post the slide link in the chat here.

The other thing is we wanna make sure that we keep PHP up to date. If you don't know what PHP is it's basically the programming language that WordPress uses and runs on. So if it's out of date, obviously it can cause security issues. Ideally this is something your web host handles but some web hosts give you the ability to run older versions. Now typically those older versions the web hosts do actually maintain security patches and things for them. But there will come a time where you might be running an older version is no longer patched and if you don't update it, that's a problem. Some hosts will do this for you some hosts leave it to you.
So you just need to be aware of kind of what your web host's policy is and what you might need to do to take care of that. Typically, if you have something like a VPS service if you don't know how to maintain a server you should probably go back to managed WordPress hosting or shared WordPress hosting or something like that where all that's just taken care of for you.

Let's see here. So yeah, so some of the more advanced strategies here I didn't skip anything. Yeah. So file permissions is one big thing that can be an issue. Again, this is more of a developer thing but some hosts do give you tools where you can just click a button and it'll reset the file permissions. So if somehow things got off then I think I have a slide about this here. Yeah, there we go. So yeah, if your file permissions are too loose it actually means that people outside of people who should be able to can actually change files on your system. So it can be a decent, if not configured correctly it can be a big vulnerability waiting to have your site hacked.

So disabling PHP execution this is again, a developer focused thing but WordPress doesn't, when you upload a file into WordPress it goes into the uploads folder and no code really should end up in the uploads folder but if it does, right? So like maybe you run a website where people can upload photos and share them with each other or something like that but what happens if somebody uploads a PHP file and it goes up onto the server and then they have the ability to go to that URL and load that page? Well, you've got a security issue, right? So good web hosts will block execution of PHP in these types of folders but if they don't there are ways that you can do that yourself depending on the options that the host gives you. So something just to be aware of.

Another one here is disabling the file editor in WordPress.
So by default, if you're an admin and you log into WordPress you can actually change, I'm sorry, you can actually go into the theme editor or the plugin editor and it'll let you edit the code inside of your themes and plugins. So obviously this is, well, it's a bad practice in general just because if you know how to change the code you really probably shouldn't be doing it there. And if somebody is telling you to paste code in there for some reason that's also a bad idea because hopefully you trust the source that's telling you to paste it but it's just another opportunity where it can get abused. So in the wp-config file there's a DISALLOW_FILE_EDIT constant that you can set which will turn that off. And I think some hosts turn that off some hosts don't but it's definitely worth turning off.

The other thing is disabling XML-RPC. This is not really something that people use anymore. I think there might be a small handful probably less than a handful of things that still use it. I think Jetpack uses it to some degree but depending on what features you enable but this actually the XML-RPC it actually allows someone to send hundreds of password guesses essentially to the site at once which means that it can be a significant problem because instead of getting one guess each page load now we get a hundred or a thousand or whatever it is they'll find out your password a lot quicker. So it's a good thing to turn this off.

Another one that's a little bit more interesting again it used to be everybody by default WordPress gave you your initial user username was admin. So you'd log in with admin and whatever your password was. And so it's important not to use admin because people still use that or it's not a default in WordPress anymore to have admin be the default username.
I don't think they give you a default anymore but if you type it in it's hackers' number one guess of what your username is and because it says admin chances are if you hack into it you get admin access. So some people actually create an admin user that's just a subscriber and then create their admin user just to fake people out.

But WordPress also does have the REST API and if you're not familiar the REST API can actually return all of the users and so it provides usernames for people to try to run their attacks against. So on a lot of sites that I work with I actually turn off the user endpoint for people who don't have logged in access to the REST API.

So, oh yeah, so somebody's asking my host recently discontinued .htaccess use is this because of security vulnerabilities? No, a lot of sites basically .htaccess is only used on servers that run Apache which is a specific software that runs on the server and serves up your web pages. So Apache and Nginx are kind of the two big ones and Nginx doesn't use .htaccess and Apache does and hosts have different configurations but Nginx has tended to be faster in many cases. So basically they've updated things to be faster but it also doesn't allow you to use .htaccess. So just something to be aware of but some hosts do use Apache and have other ways of speeding things up because they wanna keep that .htaccess just because that's kind of the traditional way the WordPress has given you ways of working with creating rules and security rules and different things.

Let's see. So the other big one here is you can actually change your MySQL table prefix. So if you're not familiar MySQL is the so the database that you have in WordPress is run on MySQL. And so by default, all of the tables that store your data in WordPress have a prefix and WordPress defaults that prefix to be wp_.
So for example, if you look in the database you would see wp_options which is where all of your sites options, plugin options, all those things end up. So if somebody was wanting to say grab some of that data out of that table they would probably be guessing kind of shooting in the dark and saying well, chances are this table's name wp_options but if you change the prefix to something like T34X_ then it's very unlikely that anybody's going to guess that. So it tends to make things a bit more secure.

The wp-config file is a file in WordPress that stores a lot of kind of the setup code and things to happen but it stores your database information and your security keys and different things, all sorts. So obviously if somebody gets access to that file it can be a bad thing because you're giving up basically the data that allows WordPress to have all the access it needs to do its thing. So you can actually move that file up a directory which should normally put it outside of the publicly accessible area of your site meaning you can't go to a URL and actually hit that file. So that is one way of kind of making sure that those things are a bit more safe.

Another option, and again this is just one example of a plugin that does this but you can actually move your login page. Again, if you're dealing with brute force attack situation you can actually use this plugin and change your login page. So you could say instead of going to wp-admin or /wp-login you can make it go to I love cats, whatever you wanna change it to. So that kind of makes it a lot more difficult too because now someone has to try to figure out where your login page is, and chances are, well, so just a little background. I used to, I took an executive protection training course which is essentially a bodyguarding class. And the interesting thing that they tell you about security is that when you're protecting someone else your goal is not to keep them perfectly safe.
Your goal is to make them hard enough to get at that the person who would otherwise be the attacker would go somewhere else, right? So that's essentially the idea with a lot of this. You're never gonna be a hundred percent safe, but if you can do these things that make it hard for people to, you know, run their automated scripts or figure out where to run their scripts or all those kinds of things, then chances are they're just gonna move on. So that's what you want.
So again, WordPress actually advertises its own WordPress version in the code, and that's visible to anybody who wants to look at it in the browser. So by hiding that, there's a lot of plugins that'll do this. I think even Yoast SEO gives you a way of removing the WordPress version, but a lot of security plugins do too. But you can actually remove the WordPress version so that it's not obvious if you're running an older version that maybe has a particular security vulnerability, that kind of thing.
And then again, from a code standpoint, we wanna make sure that we sanitize, validate and escape. So sanitization and validation are cleaning up things that are put into web forms and stuff like that. And then escaping is making sure that if you're pulling something from the database, you make it safe before you display it on the page. So if somebody were to do SQL injection and inject some sort of malicious code into your database, when you go to display a particular value, even if it had the malicious code, it wouldn't show, which would prevent users from getting particularly malicious code that could impact the safety of their data.
So just changing questions, catching up on your own questions. "Can I change a live site's table prefix?" Yes, you can. There's just two things you have to do. A, change all table prefixes in the database. B, make sure you update your wp-config to contain that new table prefix. I think there are plugins actually that'll even help you do that.
I would have to look, but I thought I recall seeing some that did that.
"Does changing the SQL table prefix mess up plugins that might access it?" So poorly written plugins will often assume that your database tables are wp_ something. Those plugins are plugins I would recommend you stay away from. So by changing your database prefix, if plugins break, you're probably better off not using them. It is possible that they'll break, but only because they're poorly written. So a well-written plugin will use the correct WordPress standards and then it will automatically use the correct database tables.
"If you have a login button on your site, then moving the login page does not work, right?" Right, yeah, so if you have a login button and it takes you to your login page, even if you change the URL for that, if your button takes them there, it's kind of counterproductive.
So let's see, "What did you say the escape mitigation is?" I'm not sure what you mean by, oh, this here, okay. Yeah, so escaping is basically making sure that whatever's in your database is cleaned up before you display it on your website, because if you have malicious code in your database somehow and you go to display it, it may actually run code that can trick users into giving up data or things like that.
"Would buying SiteLock take care of all of these efforts for me?" I think any solution is probably not gonna take care of everything. Some of these things are like manual things that you might wanna do to better secure your site. So tools like SiteLock aren't necessarily gonna do some of those things, but they will do a significant amount. But I feel like you can't just rely on a single tool for this. You do have to kind of combine some of these things together.
And again, talking about standards, even if you're not a coder, if you have a theme, which often themes may not have the greatest code, there's a lot of times there's designers that learned code and put those together, but you can actually use a plugin called Theme Check and it will scan the theme for anything that may be off from the WordPress standards. So themes that go into the WordPress.org theme directory will actually have to go through this Theme Check before they can make it up there. So it's a good way of just kind of screen testing, especially if you're in the stage of choosing a theme. It's good to grab a few themes, run them through the checker, maybe use the one that has the least issues. And you could also reach out to the theme author and say, hey, these are things I've run into, and they may take care of them or they may not. And again, that's part of just making sure you get good support with whatever you use too.
And then for the coders out there, there are the WordPress coding standards. And if you can use that while you're writing your code, the coding standards can actually guide you to places where you're not properly escaping or sanitizing or using nonces or all kinds of things. So highly recommend, if you're a coder, checking that out and using it. It's also like having a mentor over your shoulder while you're writing code. So it's a great way to learn too.
Also, just being aware of who's on your site and what they're doing is important. So there's some plugins out there that allow you to kind of audit and keep track of activity on your site. So if your site does get hacked, you can kind of look back and say, well, there's some suspicious activity here, maybe we need to look into it and see what's going on there. Activity you wouldn't normally be able to see if you didn't have one of these plugins installed before something happened. So Stream is a nice one; Simple History and WP Activity Log all kind of do the same thing.
And so definitely recommend that. Even if you don't use it for security purposes, I highly recommend it for troubleshooting purposes. So it'll tell you if someone updated a plugin, and if something broke after that, you can know that it was probably because they updated that plugin. So things like that it's also useful for.
Yeah, so here's a long list of resources. And we'll try to grab a link to this slide deck and throw it in here as well.
Let's see here. Audit trails and privacy policy, I would say you definitely probably would need to take that into account when you're crafting your privacy policy. So yeah, that's probably a good thing to keep in mind.
Yeah, I wouldn't recommend using multiple security plugins. If you have just one good security plugin, you should be good. So yeah, doubling up on plugins that do the same thing very commonly causes issues.
So let me grab, well, got too many screens up in here. I'm trying to get to the browser so I can grab the slide link here. So here we are. Yeah, so here is the link for the slide deck. Yep. And if anybody has any other questions, we can answer those. If not, then I think we've got about five minutes left. Yep, thank you. So yeah, I don't know what the options are for grabbing all the links out of the chat and posting them maybe on like the meetup event page or something like that. But yeah, I think a number of the links are in the last page of the slide deck here, if you've got that, but we'll see what we can do about the other links that were posted here.
So yeah, just another quick question about headless WordPress, security concerns with that. If you do it right, there's probably less security concerns there. Although there's, I mean, there's still a significant number. Just depends on your implementation, I guess. Typically you'll lock down all of the front end of WordPress, but you still have a backend login so you can manage your data.
And you just use WordPress for the REST API. So it takes away a lot of the potential opportunities. And then, when you're generating a static site, there's a lot less that can be hacked there. So it's typically more secure, but still a number of things you have to be concerned about.
Yeah, the source of the stats, to be honest. There are a number of places I've found these stats, but I could never find the exact source, but they seem to match from the different places I did find them. And some of them were from presentations; actually Adam Warner, back when he worked at SiteLock, had a lot of those stats as well. So they may be a little outdated, but I feel like they're pretty accurate based off of what I was finding.
Let's see, "Is there a tool or plugin you found is better for managing several sites?" So there's BlogVault, which is a service, but also a plugin. And it is really great because it will actually do daily security scans, and they have automated ways of repairing sites if they detect malware. So that would be a good place to look. They also make it easy for you to handle updates on a regular basis on multiple sites all at once and to do visual regression testing, which is where they do a visual snapshot of the site before and after, so that it's easy for them to flag and say, hey, this site may have issues you need to look at. So that's a good place to look. BlogVault, yeah, so I'll type it in the chat here just so we have it in the chat. They actually go under multiple names: MalCare, BlogVault, Remote WP, that's all basically the same service.
All right, well, I think that wraps us up. Anything we need to do to close out here? Thank you very much, Micah and everyone else. I will go ahead and end the meeting for us. Thank you. Thank you so much for sharing all your knowledge. All right, appreciate it. Thanks everybody for coming. Cheers, everybody.