Welcome, welcome. Have a seat, everyone. Welcome to the first lightning talk in a series of four 15-minute lightning talks. Unfortunately, we will not have any time left for Q&A, but you are welcome to find each speaker after their presentation. So, for our first round, may I please introduce to you Javi Gembe, who is our WordPress veteran, WordCamp speaker and 21st WordCamp attendee this year. Not this year? Not this year? Nah, over the years, yeah. It could be too much. And he will walk us through how to prevent data leaks in WordPress. So, please give a warm welcome to Javi.

Thank you very much for being here and for coming to this talk, or perhaps you just don't understand German, like me, so you are here because this is the only talk in English. So, well, let's talk about WP leaks. You did a very good introduction about me. As you said, I'm a WordPress veteran. This is a term, a trademark of Rengkust, so it's not my word, and I have to thank him. I'm like Rengkust, but we are twins, as you can see: the complex version of Rengkust. Since a month or two ago, I'm running a free project for the WordPress community that is called WP TalkLink, and it's for language exchange among us, the people from the WordPress community. But my income comes from Universal Summit, which is my own agency, and I have had this agency since 2010. And after more than 300 projects, I want to talk to you about some of my experience with this. And, well, I want to talk to you about data leaks, and I will introduce you to some cases, just to warn you and perhaps prevent it.

So, well, the first thing I have to do is to define what a data leak in WordPress is. Well, in WordPress, we have two types of data. The data that visitors see on the web pages, so we could call this the front end. And also, we have the data that we keep for internal use, settings, and also all the things that make sense for the project itself in WordPress. And just this part, the private part, the password or the backend of the website, is the data that we have to prevent from leaking outside. For instance, in WooCommerce, we have the emails of the users, all the purchases, IPs, and a lot of settings, also security data. So, we have to prevent that from leaking outside. Also, I think the settings and all that type of thing are important.

So, well, now the examples are coming. So, well, this is the first case I want to use. This is the only one that happened to us. So, this was a nightmare. And, well, now imagine that you have a client. In this case, it was an NGO, a non-governmental organization, that asked us to create a private zone just for sharing the PDFs about how they spend the money, just for the information for the people who pay the bills. So, we decided to put in a commercial plugin for that. So, everyone with access has their own username and password and so on. And we gave the keys, we gave the project to the client, and I forgot to go to the client's production site. And after a while, I received a strange email from Google Search Console, and I checked it and I found that. What's that? It's Google results with emails. This is an example, it's not a screenshot. I didn't take any screenshot at that moment. But imagine that you have the list, the emails of those people, listed on Google. It's hard to take the leak. Luckily, there were no personal emails leaked in this case, but corporate ones, but it could happen. And this is not just one case. So, on Google, you can find more than seven results with this problem, exactly this problem. So, this was my phrase when I found that. And after research, I saw that there were three things that happened at the same time and made that leak happen. So, what happened? So, the client was using the email as the username, which is not supposed to happen. And WordPress has had a sitemap.xml since WordPress 0.5 by default. So, everyone has a sitemap.xml. So, no matter if you have installed an SEO plugin or not, you have this in all your installations. And this is an example. You type this and perhaps it redirects you to the real one, but most WordPress websites have this. So, what happened is, more or less, an example like this. You have the users listed. So, for instance, if you want to get into my bank account, you know which bank I'm using. If you want to get into a WordPress website, most WordPress sites are using the same login page URL, the slug part, and you already have the user due to this, and you only have to find the password, so it's very dangerous. And also with a lot of taxonomies or posts or things that we are using just for setting up and to serve the content to the client, but perhaps they are not important, they are auxiliary, they are not the things to publish. So this is what happened with this project. The solution, or my suggestion for you, is to always check your sitemap.xml file for all the projects and see if you have to serve these things or not. In this case, the project didn't need an SEO plugin because it was for private people, so we didn't need that, but it could be a good suggestion to use an SEO plugin because there are some setups. I don't know if there is anyone from Yoast or any other SEO plugin here. No. Well, they have an option and you can quit and remove the sitemaps or whatever, and it's very useful. And if not, or just in case, as a fallback, you can use custom code, simple PHP snippets, and in my account I have some examples of how you could exclude taxonomies, CPTs, and the user page, which should always be removed from the sitemap.

Okay. Well, now imagine, well, this case is another one. Now imagine that your client asks you to create a simple form. They have an input for files. So, for instance, imagine that you are at your client's medical center and the doctor is asking for a medical test, and that is data that you have to protect a lot. So you go, you install a form plugin with the input field, and that's all. What happened, and this has millions of results on Google, is that a lot of paths in the websites are unprotected. So it's very helpful because you can reach that type of document. And this is the main path of the uploads, but every form plugin uses its own. So this is quite dangerous. So always check if you are listing the directories, the files in the directories. This is something that happens. You can create the index.html or PHP files as WordPress does, just to prevent the leak, and you can also add that directive to .htaccess. But, for instance, it happens in some projects that the .htaccess is deleted by, I don't know. So the safest way is to always put an empty index file. And also, there are some people who believe that if you upload a document to the WordPress media, the gallery, this document is private because, for instance, you have put a password on the page or whatever, but be careful. I'll tell you more about that later in another slide, but all the things that you upload to the media can be reached by anyone.

Well, more or less related to that, imagine that you are a content creator and you do the common funnel, the sales way, and you create the step by step, or you just give a free PDF just for launching, so the, sorry, the visitors give you an email and then you do marketing with that. And you could feel that the thank-you pages or step three in the funnel are not reachable by anyone, because they're not listed in the menus or in the navigation of the page, but they can be reached. So, or well, also another good example is while you are remaking one website with a typical under-construction plugin, you may think that you are protected and no one can see what's inside, but it can be seen. And, for instance, I created this page as an example, and you can reach that with the REST API that is already there and activated by default in all WordPress websites. So, well, the solution or the suggestions are the same. Always check the REST API endpoints. I will show you which ones are always there; with the SEO plugin also set things up well. And whether this is very common or not, the solution should be to restrict the REST API, but perhaps some plugins that work with it for specific features could stop working. So it's quite dangerous.

Well, I will talk to you about similar types of leaks. More or less, you are seeing that I'm talking about two paths and more, but they care about Google dorks. For instance, when you work in an agency and you work with collaborators, you have to share the access to the WordPress websites with them. And I remember one case when I was just playing with Google dorks. And I found one, the first results, as I'm from Spain, were Spanish results. And there was a Trello leak, or whatever, from an agency that was using Trello for sharing the things. And I recognized the name of that agency. So the owner was a pupil in one of my courses. So I had to contact him and say, "Hey, you are leaking your WordPress access to your clients' sites." And that's insane. Also be careful, as I said, with the REST API and permission escalation; I won't talk to you about that now. And these are the paths. Every WordPress site has this. You only have to type the domain and /wp-json. And you have a lot of information; perhaps it's not personal information, but it's information that you are leaking from your WordPress website. You are showing there very easily most of the plugins you are using and a lot of things. This is on the pages; you have the media you have uploaded. So you have to be careful with that. Also you have the users, but not all the users, only the ones that have published content on the blog.

The solution could be, against Google dorks: if you share that kind of data, like access, cipher it first and have the same algorithm for decrypting that. Disable or not, be careful with this because there are no good solutions yet. But some friends are working on a very good solution to cover all these parts. And keep up to date. That will be it. So if you thought you had followed all the guidelines for hardening WordPress, I'm sorry, perhaps I'm giving you bad news. And well, if you understood the first sentence, you are welcome to ask me. Check sitemap.xml, all the things. The Google dorks, also check with site: and the domain name, if you are leaking any data or you have some things that shouldn't be in the WordPress install. And tomorrow there will be a very interesting talk here. I think it's a... Well, tomorrow let's check the schedule and see; there will be one hour with, I think, these suggestions and more. So, well, and the most important part: have fun. So, thank you very much. Thanks, and see you.

Thank you, Javi. This was indeed an eye-opener. And before you move on to the next speaker, we also have a gift for you. Thank you. Thank you very much.
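As an added example (not the speaker's own snippets, which live in his account), the following must-use plugin shows the three fallbacks the talk recommends when no SEO plugin is in play: dropping the users provider from the core sitemap, excluding auxiliary post types and taxonomies from it, and refusing anonymous requests to the `/wp/v2/users` REST route. The post type `private_area` and taxonomy `internal_tag` are assumed names for illustration; the WordPress filters used (`wp_sitemaps_add_provider`, `wp_sitemaps_post_types`, `wp_sitemaps_taxonomies`, `rest_endpoints`) are real core hooks.

```php
<?php
/**
 * Plugin Name: Leak hardening (example, assumed file wp-content/mu-plugins/leak-hardening.php)
 * Description: Keeps users and auxiliary content out of wp-sitemap.xml and gates the users REST route.
 */

// 1. Never list authors in the core sitemap: this is what exposed the
//    email-as-username accounts in the NGO case.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return ( 'users' === $name ) ? false : $provider;
}, 10, 2 );

// 2. Keep auxiliary content out of the sitemap. Both keys are assumed names
//    used here for illustration, not WordPress defaults.
add_filter( 'wp_sitemaps_post_types', function ( $post_types ) {
    unset( $post_types['private_area'] );
    return $post_types;
} );
add_filter( 'wp_sitemaps_taxonomies', function ( $taxonomies ) {
    unset( $taxonomies['internal_tag'] );
    return $taxonomies;
} );

// 3. Require a logged-in user before /wp-json/wp/v2/users answers, while
//    still honouring each route's original permission check for those users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( $endpoints as $route => $handlers ) {
        if ( 0 !== strpos( $route, '/wp/v2/users' ) ) {
            continue;
        }
        foreach ( $handlers as $i => $handler ) {
            // Non-numeric keys (e.g. 'namespace') are route metadata, not handlers.
            if ( ! is_numeric( $i ) || ! is_array( $handler ) || empty( $handler['permission_callback'] ) ) {
                continue;
            }
            $original = $handler['permission_callback'];
            $endpoints[ $route ][ $i ]['permission_callback'] = function ( $request ) use ( $original ) {
                if ( ! is_user_logged_in() ) {
                    return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
                }
                return call_user_func( $original, $request );
            };
        }
    }
    return $endpoints;
} );
```

Directory listing for upload folders is a web-server concern, so this snippet does not replace the empty index file or `Options -Indexes` directive the talk describes for form-plugin upload paths.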