And thanks everyone for coming. This is my first time visiting this orange room, and for some reason it feels like I'm in Star Wars or something because of the seating and all that. So I'm Rahul. I've been using WordPress for 10 years now. I started my managed hosting company, Nestify, in 2014, and since then I've managed the security of around 12,000 websites. Today I will share some of those security tips with you. I'm on Twitter at nginxreload, and if you have any questions about WordPress or WooCommerce or security in general, I will be here all weekend. You can just ask me on Twitter or catch me in the hallways. In high school, one of my friends came up to me and said, hey, can you hack Facebook? And of course that wasn't possible, but I thought there might be a way. So I created a fake Facebook login page that looked like this, and every time someone tried to log in, it would email me their username and password. Back then, people were expecting Facebook to launch themes. They didn't have any options back then; they don't have them now. So I sent a message to all my teachers, friends, people I knew: follow this link and you can download themes for Facebook. And every one of them tried to log in right away. By the end of the day, I had everyone's usernames and passwords. And I did what you would expect: I read their messages, changed their relationship status and such. I may have also started fights between a couple of friends. That was a fun weekend. I thought I had found this big security issue with Facebook, and I went online to brag on security forums: hey, I found this exploit with Facebook, can they pay me or something? And people were like, yeah, you did phishing. It's no big deal. People have been doing this forever. And my first thought was, what is phishing? So I looked it up, and that led me to the interesting social engineering aspects of security: how people implement security and how people get around security.
Over the years, I have found that security is usually implemented in two ways. One is invisible but effective. The other is intrusive and annoying, and maybe not even effective. Let's look at some examples. Every time I'm in the Bay Area, I like to visit the Google campus. I pick a building that looks like this, take out my laptop, sit on a bench, and just continue with my work. I like to pretend I work at Google, but I keep that to myself. I have been doing this for a couple of years, and no one has come up to me and asked me what I was doing there. No one told me to leave. I have never seen security. But at the same time, I can't access their Wi-Fi networks. I can't enter the office buildings. I can't access any of Google's data. It's pretty secure. And don't ask me how I know this, but if you try to take those orange coffee tables with you, security does show up. That's what I call invisible but effective security. And the other type is this. It's like the time you go to a fancy store and the store clerk doesn't stop following you. They might be able to protect some of their things and prevent shoplifting, but I certainly wouldn't go back to that store again. This type of security is also visible online. Let's look at the example of Amazon. I took this screenshot this morning, and even today in 2019, Amazon says to have at least six characters in your password. So you can create an account with a password like ABC123, and they won't stop you. And still, your account won't get hacked. But at the same time, if you try to do anything funny with Amazon or do any sort of automation, like accessing them from the command line, you get blocked right away. You're not even logged in yet, but they just won't give you access. This is also visible on eBay. The site works. You can have weak passwords. But on the command line, it will say page not found. This is what I like to call invisible but effective security.
On the other hand, there's Equifax. They have all sorts of password requirements. You are not able to use password managers. You can't paste passwords in there. And they still got hacked anyway. And if you use any automation, it works just fine. They will even set cookies thinking this is a real browser. As a WooCommerce store owner, you should have security like Amazon and not like Equifax. But when it comes to WooCommerce, there are some extra steps required for security, because it's a bit different from WordPress when it comes to security incidents. If you think about it, what happens when WordPress gets hacked? Hackers redirect your site to somewhere else. They show some ads about Canadian pharmacies. They install some Bitcoin miners on your site. And at that point, you just update your plugins, restore a backup, and move on. But what happens when WooCommerce gets hacked? Hackers get access to your customer data, your credit card processor APIs, your UPS, FedEx and USPS shipping and fulfillment service provider data. If you do dropshipping, they also get access to any competitive advantage you may have. Hackers can see all of that. And on the customer side, if your store appears hacked, you have to be really good or have really unique products for customers to come back. Otherwise they will just go somewhere else. This sort of damage is much more difficult to recover from than just restoring a backup and starting over. Now, if you run a good WooCommerce store and you make a good amount of money, chances are you're using a managed hosting provider. Don't they take care of this? Well, yes and no. A good hosting provider will update plugins and WordPress core and keep it secure. They will also protect you from brute force attacks and any malware. Some hosts will also do security scans, and if your site is in danger, they will send you alerts. They might charge you for cleanup, or they might do that for free.
But it's still your responsibility to keep WooCommerce secure. A good hosting provider will not be able to protect you if you have insecure themes, or if you tried something from Stack Overflow, copied it into your theme, and it created a security hole. They won't be able to protect you if you have weak passwords on your GoDaddy account or your UPS, FedEx, Stripe or PayPal accounts. Your host won't be able to do anything to protect you in that case. They also won't be able to protect you if you hire someone on Freelancer and they still have access to your website two years later. So having a good hosting provider is a good start, but you still need to do a bit more to protect WooCommerce. Now, what sort of security issues affect conversions? The first one is lack of SSL. This is pretty obvious. In this day and age, if you don't have SSL, browsers show a message like this. They will mark your site as not secure, and that's pretty effective in making people take their business elsewhere. The next thing is, even if you have SSL, if your site shows mixed content warnings, if you're loading some fonts over HTTP and not HTTPS, browsers will still show that this site may not be fully secure. That also affects conversions. This next one is a bit ironic. People install security plugins on WooCommerce to secure their site. But every now and then, a lot of security plugins will try to log every visitor's IP in the database. They will also do some things with query strings, some interesting things. They do this to protect your site, but they also slow it down. So if you use Facebook ads or any sort of Bing shopping campaigns or Google shopping campaigns, you're paying for that visitor to come to your site, and if the site is not loading fast enough, they just go somewhere else. So not only did you lose that conversion, you also had to pay for a visitor that never reached your site. The next one is aggressive CAPTCHAs.
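The mixed-content warning described above is triggered by sub-resources (stylesheets, fonts, scripts, images) that an HTTPS page references over http://. The following is an added example in Python, not code from the talk: a small scanner that parses a page's HTML and lists every such reference, including font URLs inside `<style>` blocks and inline style attributes, so they can be fixed before a browser flags the checkout page. The sample page and the hostnames shop.example, fonts.example.net and cdn.example.net are constructed.

```python
"""Find mixed content: sub-resources loaded over http:// from an HTTPS page."""
from html.parser import HTMLParser
import re
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch something. A plain-http fetch from an HTTPS
# page is what produces the "not fully secure" indicator (and blocks scripts outright).
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
}
# <link> only loads a resource for these rel values (canonical, alternate, etc. do not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # (tag, attribute, absolute URL)
        self._in_style = False

    def _check(self, tag, attr, raw):
        # srcset holds comma-separated "url descriptor" pairs; everything else is one URL.
        candidates = raw.split(",") if attr == "srcset" else [raw]
        for candidate in candidates:
            url = candidate.strip().split()[0] if candidate.strip() else ""
            if not url:
                continue
            absolute = urljoin(self.page_url, url)   # resolves "//cdn/..." and relative paths
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LOADING_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self._check(tag, attr, attrs[attr])
        if attrs.get("style"):                        # inline style="background:url(...)"
            for url in CSS_URL_RE.findall(attrs["style"]):
                self._check(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                            # <style> @font-face { src: url(...) }
            for url in CSS_URL_RE.findall(data):
                self._check("style", "url()", url)


def find_mixed_content(html, page_url):
    """Return [(tag, attribute, url), ...] for every sub-resource referenced over http://."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://shop.example/wp-content/themes/store/style.css">
<link rel="stylesheet" href="http://fonts.example.net/css?family=Lato">
<link rel="canonical" href="http://shop.example/checkout/">
<style>@font-face { font-family: Icons; src: url(http://cdn.example.net/icons.woff2); }</style>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="//shop.example/wp-content/uploads/logo.png">
<img src="http://shop.example/wp-content/uploads/banner.jpg">
<div style="background: url('https://shop.example/bg.png')"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://shop.example/checkout/"):
        print(f"insecure {tag}[{attr}]: {url}")
```

Run it against the saved HTML of the checkout and product pages. Protocol-relative URLs (`//cdn...`) and relative paths inherit the page's scheme, so they resolve to https and are not reported; a `rel="canonical"` link is skipped because the browser never fetches it.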
If users have to type something like this on the checkout page, they may not come back. Next is trigger-happy firewalls. These are the security plugins or hosting rules that block users if they enter a wrong password three or four times. And this happens to me a lot. I remember a website I used to shop at a while ago. I go to that site. None of my passwords work, of course. So I try the reset password function. Some sites are pretty aggressive: I try three passwords, and they just block me. I move on to another site. Some sites allow forgot password, and they have security questions like, what's your favorite song? And then I have to remember, what was my favorite song in January? Again, I had to go through two or three songs. None of them work. And in that process, if the site just blocks me for two hours, I will just go to Amazon and buy something else. This is more common than you would think. If you have complex password policies, or if you force users to have a password that's too secure, they're not going to remember it, or they will write it down somewhere, or they won't have it handy if they're shopping from their phone, which is happening more and more these days. Only banks can have requirements like this and still have people buy from them. Finally, emails that end up in spam. If you run any marketing campaigns, or if you send shipping and payment receipts and those end up in spam, not only does that affect your trust, you also lose out on the ROI of the marketing campaigns and the conversion rates and effectiveness of your messaging. So let's look at how to fix those issues. First one is install SSL. Every host now has Let's Encrypt. It's a good start. Oh, you need to use a good hosting provider. Sorry. So step one is the first advice everyone will give you: use a good hosting provider. And how do you know if your hosting provider is good or not? I like to do a few tests.
I like to call hosting support from a different phone number than what's registered on my account and see if they ask me for the last four characters of my password. If they do, I just go to a different host. There are some companies that do that, and no one should have access to your password or part of your password. So that's not a good start. When you log into FTP on your hosting account, you shouldn't be able to see other people's directories. You may not be able to access them, but even if you just see their user names, that's a good start for doing some social engineering: contact support and try to get access that way. So no one should be able to see your directories, and you shouldn't be able to see other people's directories. This usually happens on SFTP. So check if you can see other people's data once you log into SFTP. Next, see if you can download SQL files or backup files without having to log into your site. That usually works when you have backup plugins. You can go to yoursite.com/wp-content (Updraft is a good suspect) and just try backup-<today's date>.tar.gz. See if that works. If it does and you're on Apache, you can update the .htaccess rules, or contact your host to fix this for you. Next one is using SSL. So you can use Let's Encrypt. And if you still have mixed content warnings on your site, you can use the Really Simple SSL plugin. I love that plugin. Yeah, it's pretty good. Next is using strong passwords everywhere, and not just on your hosting account and WordPress. You should also have unique passwords on your Stripe, PayPal, UPS, FedEx and dropshipping providers and your email. The trick here is using a password manager. I like to use 1Password. That allows me to set a unique password for each service, and I don't have to remember any of that. It also syncs with other devices. So it will give you unique and strong passwords for each service.
And even if they get hacked, that password will not be usable on any other of your accounts. Next is using two-factor authentication. So even if a service gets hacked and hackers are able to decrypt your password, it won't be usable if they don't have access to your phone. Two-factor authentication will send you a text message, or usually have an app that gives you a one-time password that's required to log in in addition to your password. That adds an extra layer of security. Next is you should offer two-factor authentication to your customers. With WooCommerce and WordPress, you can use the Auth0 plugin or Google Authenticator plugins. So even if your customer's password is compromised, or if they have passwords like Amazon's policy allows, ABC123, they will still be secure as long as no one has access to their phone. So it adds an extra layer of security without forcing your users to have weird passwords or having them write it down or remember it. And they will be more inclined to buy from you if you make it easy for them to log in. Next is, if you have CAPTCHAs, if you get a lot of bot traffic on your site, you can use an invisible CAPTCHA with plugins like Advanced CAPTCHA or Invisible CAPTCHA. This will not ask your users to enter anything on the login or checkout pages, but if someone is trying anything automated, they will get blocked and they will have to solve that challenge. It works out pretty great in keeping the actual users and buyers safe on your site without having them go through extra steps or jump through hoops just to buy something from you. When you send out emails, you should use an SMTP plugin and not rely on your hosting provider's email delivery system. You can use services like SendGrid, Mailgun or SparkPost; there are a lot of services now and you can get started for free. This will make sure your emails don't end up in spam and emails are always delivered.
With Gmail, it also shows that this mail was sent securely over TLS, and that also increases trust a bit. Now, how do you know if your WooCommerce plugins and themes and all the custom code is secure? First, you should check if you use any really old plugins that haven't been updated in a while. You can do that by going to WordPress.org. Just search for the plugins you have, and if a plugin hasn't been updated in a couple of months, or at least a year, try to find a replacement or just deactivate that plugin. You can also download a backup of your site, open it in a text editor and search for keywords like base64, exec, curl, or any of these keywords, and see if they show up in your files. If they do, your theme or plugins are probably compromised, with some exceptions for curl. If you find these in your theme, you need to restore it from a backup, get a different theme, or install any updates from the theme provider. If you have access to WP-CLI, you can use this command to see if the WordPress core files are secure, if they have not been modified by any hackers. When you run this command, it will show output like the first one if your site is clean. If any of the files are altered or modified by attackers, it will show you exactly which files do not match the checksum, and you can replace them from the WordPress.org download, or you can just restore an older backup and try a manual update. This is pretty effective. If you think your site is hacked, this is a pretty good first step to check. It will tell you exactly if WordPress is modified or not. It takes two seconds to run and it's pretty effective. If you need to check your themes and plugins for security, even if you're not hacked but there's a security exploit available for your theme, you can install this WP-CLI package, run this command, and it will check all of your themes and plugins for any known exploits.
So for example, DV had some issues two months ago; plugins like Easy WP SMTP and Related Posts all had one or two issues in the past, and you had to update them to keep your site secure. It's easy if you just follow WordPress news all day or read Twitter all day about these issues, but if you don't, you can just automate this command, and it will send you an alert if you are running any plugins or themes that need to be updated because of any security incidents. The next thing you can do is block hackers before they even reach your site, just like Amazon. You can do that with a bunch of options. First is Cloudflare, or Amazon's Web Application Firewall. Sucuri is a good option; they tailor their firewalls specifically to WordPress. All of these services use a lot of algorithms and machine learning, and they have millions of sites hosted on those platforms. So when a type of attack happens on one of the sites hosted on these platforms, they can update their firewall rules to protect all other sites. So you are protected even if you are not the target of hackers right away. If they try to get to your site a few weeks later or a few months later, your firewall will already have those rules to block those attackers. I like to recommend Cloudflare because it's free. You get a CDN, they have some good options, and getting started is pretty easy. You just sign up, you'll see a page like this, enter your domain name, update DNS, and you're done. Then you need to make some changes to make your site more secure, like going to the Crypto tab and changing the SSL setting to Full. This will encrypt the connection between Cloudflare and your servers and force it to use TLS. So even in transit, no one will be able to access your data. Next is enable HSTS. If you do this, it will protect you against DNS hijacking attacks.
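Two of the settings just described, HSTS and the minimum TLS version the talk goes on to recommend, can be checked from the client side. This is an added example in Python, not from the talk: it evaluates a Strict-Transport-Security header the way a browser would (present, numeric max-age, long enough, covering subdomains) and builds a TLS client context that refuses anything below TLS 1.2. The response headers are constructed samples. Note that HSTS only takes effect after a browser has seen the header over a valid HTTPS connection, so the very first visit is covered only if the domain is on the browser preload list.

```python
"""HSTS header evaluation and a TLS 1.2 floor for outbound connections."""
import ssl

# Six months, the minimum max-age commonly required before a domain is considered
# properly protected (preload lists ask for one year).
MIN_MAX_AGE = 6 * 30 * 24 * 3600


def parse_hsts(header_value):
    """Split 'max-age=31536000; includeSubDomains' into {directive: value or None}."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def evaluate_hsts(headers):
    """Return a list of findings for a response's headers; an empty list means the policy is sound.

    Header names are compared case-insensitively, as HTTP requires."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still follow http:// links"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age") or "")
    except ValueError:
        return ["max-age missing or not numeric: browsers ignore the whole header"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is short; use at least {MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: www, cdn and other subdomains stay unprotected")
    return findings


def strict_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client-side counterpart of a 'minimum TLS 1.2' server setting: the handshake fails
    against anything older, which is also what stops old TLS 1.0-only tooling at the edge."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def minimum_tls_name(ctx):
    return ctx.minimum_version.name


# Constructed sample responses, as a store owner might capture them with curl -I.
SAMPLES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short_no_subdomains": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html; charset=UTF-8"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, evaluate_hsts(headers) or ["ok"])
    print("client TLS floor:", minimum_tls_name(strict_client_context()))
```

Feed `evaluate_hsts` the headers of a real response once the Cloudflare toggle is on; the `includeSubDomains` check matters for a store because a forgotten http://www or http://cdn host would otherwise stay downgradeable.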
So if someone is trying to redirect your site for a specific user to something else, the browser will show an error like this instead of taking your users to some captive site like I did with Facebook in the past. That wouldn't work today because they use HSTS. You can enable this with one click on your site, and you will be protected against someone creating a fake page about your site in certain cases. This is a good start. Next is minimum TLS version. I recommend setting it to 1.2. It will not work on really old phones or really old devices. But at the same time, a lot of hackers use scripts from 2003 that are found on different forums. They will use those to attack sites. Those scripts, or any automated tools, will not be able to access your site if you have TLS requirements set higher. This will also improve the performance of HTTPS on your site. And again, a faster WooCommerce will make more money. Cloudflare also has some interesting options like this Firewall tab, where you can block a bunch of bots. If your site gets a lot of bot traffic, I recommend blocking them by user agent or using services like this instead of blocking an IP address, because bots will just change their IP and try again. Now that your site is secure, it's time to plan for disasters. What happens when there is a complete meltdown? Because no matter what you do, you can't have 100% security. You can do your best, but it's an ongoing process. First step is backups. For a backup policy, there are three elements. First one is frequency. Next is destination. And finally, verification. Frequency is how frequently your site is backed up. Backups should always be automated. If you have to go in and create backups, that's just not going to happen, and you might end up with a backup that was created six months ago and that's not usable anymore. Most hosting providers create a nightly backup.
But depending on your transaction volume, how frequently new orders come in or how frequently your staff is updating inventory and such, you can back up your site more frequently, like every four hours or even every hour. To decide if your frequency is good or not, try this. Take the most recent backup, restore it on a staging site, and see how long it will take you to manually fill in the orders or inventory or whatever changed between that backup and now. Based on that, you can decide how frequently your site needs to be backed up. Next is destination. If you use a backup plugin that backs up to the same server, that's not really a backup, because things happen: servers go offline, or some hacks might delete everything on your server. In that case, you want your backup to be accessible. I recommend services like Google Drive, Amazon S3, Backblaze, Dropbox, basically anything that's not from the same provider in the same location. So if something happens, you always have access to that backup. Finally, verification: making sure your backup is usable. Again, you can do that by taking a backup and restoring it on a staging site. But when you restore, you need to check for a few things, like whether the API keys for premium plugins are still in place after the restore, and whether the theme has all its settings. Sometimes if you restore it on staging, you will miss the logo or fonts or something and you need to manually fix that. Once you restore it, make a list of all these things and see what you need to do manually even after restoring that backup. So you will know if the backup works, and you will have a policy in place of things to do after you restore the backup. Again, I also like to time how long it will take, because you're already panicking. You have to restore a backup, and in that, you have to follow these steps. And restoring a backup always takes longer than you would think.
So what do you need to do in the two or three hours it takes to restore that backup and get your site back online, while at the same time fielding calls from your customers or your boss or any coworkers: hey, the site is not working? So having a good policy is step one. Or you can also, I shouldn't say or, you should also have a warm standby. A warm standby is a copy of your site that's up to date within two or three hours, depending on how you set it up. Setting it up is pretty easy. You just sign up with another hosting provider, not the same company. Go with another provider, get an entry-level plan. Sign up with the same domain name as you have on your production site. Again, it doesn't have to be an expensive plan. It's just for a couple of hours if your site goes offline. But it will give you a good backup option. So you sign up with the same domain name. Do not point your DNS to that server. Just leave it there. Then install the WP Migrate DB premium plugin with the WP-CLI option. You need to set it up like this. Enable the pull operation. You can go to WP admin settings and enable that. It will also show you the API key required for the next step; note it down. Then go to the control panel of your hosting provider, the new one, and set up a cron job like this. What this will do is go to your live site, copy the database, all the media, updates, orders, inventory, everything, and restore that on the cheaper hosting plan that you have. You can set it to run every two hours or three hours. So it will have that site as close as possible to your live site. And you can use that in the event something goes wrong, or if your host is offline for any number of reasons. Even Amazon and Google and Azure have outages that last a couple of hours, if not days. So in that situation, you can get back online with some steps. It's a bit of a complicated procedure, so bear with me.
Now, when you need to use this warm standby, the first thing you need to do is go to your DNS control panel, which might be GoDaddy or Cloudflare. Update the DNS to point to this new hosting provider, and you're done, you're back online. Depending on how you set it up, it will take you 60 seconds to go from complete outage to being back in business. With some exceptions, your site will be up to date within the last two hours, and you can always backfill that using backups. This will not keep you offline for days and days, and it will cost you maybe $10 a month. So if you're running an important enough store, this is a good starting point. After that, when you grow enough, you can look at high availability solutions and other options. Finally, here are some resources. I highly recommend the first one. Go there and check if your passwords are in any of the leaks or any of the lists. The other ones are good resources for security. The last one is my blog. We also write about WooCommerce security there. So do check us out. And if you run Facebook ads on WooCommerce, I would like to talk to you and ask you some questions. I have some ideas that will help you make more money. And I'll be here all weekend. Thank you. Thank you very much for giving that critical information. I know it's pretty valuable to anyone who runs a business on top of WooCommerce. We have about 10 minutes here, about 15 minutes, for any questions you might have. If you do have a question, I would ask if you could repeat the question just so the camera can hear it. And yeah, questions, anyone? Yeah. Do you have any experience with Let's Encrypt, and do you have any opinion about whether that experience was positive or negative? So the question was, do you have any positive or negative experience with Let's Encrypt? So yeah, it's used pretty widely and I highly recommend it. It's just like any other SSL provider. And I don't think I have had any negative experiences.
Sometimes it takes longer to validate the DNS and to issue, but that's mostly user error and not something on their side. So have you used it? Yes, I have used Let's Encrypt on 12,000 sites. Auto renewal works pretty fine. Again, if it doesn't auto renew for you, it's usually how you set it up. But if you set it up correctly, there shouldn't be any issues. Yes, sir. So the difference between MaxCDN and Cloudflare. MaxCDN is good, but they're mostly good for accelerating static assets. Cloudflare is much more than a CDN these days. You can do things like the security and stuff, the rate limits, they have a good firewall. You can block certain countries. You can probably do that with MaxCDN as well, but Cloudflare has a lot more security options that you can configure compared to the other one. Is it two-way migration, or do you have to migrate back? So the question is, what happens if you migrate to the warm standby? Does it also sync backwards to the hosting provider that you originally used? So no, it will not; it's a one-way replication. And this gets tricky, because when you switch to a warm standby and then you have to switch back to the hosting provider, at that stage what you can do is put your store on the warm standby in maintenance mode, create a backup, and restore that on the original hosting provider. It's a bit of a process, but again, you get back online in 60 seconds compared to having to be offline for a day. So the question is, does it help secure WordPress more if you have WordPress files in a different directory like app and a different web root, and plugins or wp-content in other directories? So it will work with dumb hackers, but the primary benefit of that structure is that if you use Git or any version control, it will not commit the WordPress core files to your Git repository. So only your custom code gets into the Git repository.
And I mean, it doesn't have many security benefits, but for development it's good that every time WordPress updates, you don't have to update or commit 200 files to your Git repository and have all those changes show up. Thanks everyone for coming.