So, let me start out by saying I like metaphors. There are going to be plenty of metaphors here, but we'll start with the first one. So just imagine, as you sleep soundly inside your home at night, there's a robot at your front door. Now, this is a special robot, right? This robot can manufacture and test keys to your lock, one by one in rapid succession. What do you think is going to happen? Eventually, it's going to get in, right? Because there are only so many permutations of keys. Now, imagine that once it's inside, it replicates itself, and it sends copies out to all your neighbors. And eventually, your entire city is going to be overrun with robots, and then your state, your country, and eventually the whole world, right? Like, this is dramatic, sure, or, you know, far-fetched, but it's exactly what's happening right now in a digital sense, right?

So, now they're sent to all these servers. They break in, they test every password and every login possible. Eventually, they find their way into a small percentage of machines. They replicate, and they continue to spread. So, this happens on WordPress, WordPress logins. It's nasty. It happens every day. It's a little less prevalent now, but, you know, it's still going.

So, what's the end game, right? Like, what's the benefit of doing that? In a lot of cases, we don't really know, right? We've seen malware sit dormant on people's servers for years. Those are the scary ones; we'll talk about them later. Sometimes it's really trivial, right? Ads are injected. You know, hackers can profit materially from putting ads on your site. Sometimes sites are defaced or deleted, political protests. Sometimes they're told to mine cryptocurrency. We've seen that. Sometimes they're simply used as, like, nodes in massive distributed denial of service attacks. That's a really common one. The possibilities are endless, right? Once they're in there, they can do what they want.

So, who am I? I'm Rich Collier.
I work at Automattic on the Jetpack team. I focus specifically on VaultPress and Jetpack Rewind, which are two of Automattic's security-focused products. I've spent a lot of time looking at and fixing badly hacked sites, and sites that don't even look hacked sometimes, but are very badly compromised. So, prior to Automattic, I was Chief Technology Officer of a fairly large local media company. So, I had my hands pretty deep into the security world. Lastly, kind of, I don't know, I'm involved with racing drones. So, I'm pretty passionate about the security of those as well. Yeah, don't get me started on the airports. I love security. There are insecurities everywhere. Scary.

Yeah, so why should security matter, right? Like, none of us are Facebook, right? Like, who cares? Well, that's true, but there are hundreds of breaches that don't make the news every year that completely crush small and medium businesses, right? Like, reputation damage. Yeah, in fact, the mere mention of a breach like this on, like, Twitter, social media, it can be detrimental to the business. It puts people out of business. What's more, you could be held legally liable in certain cases, right? If you expose user data. Like, you know, most of us aren't collecting social security numbers or whatever, but, you know, those of us that do, you know, that's a problem, right? We have to protect that data. Look at the cases probably on Facebook and Google, right? Like, you're not immune because you're a small business. In fact, I'm not a lawyer, I don't really know anything about law, but I would say it's possible your business is more at risk if you are not prepared to defend yourself if something happens. It's a very sensitive time for data privacy and security, and cases continue to go in front of judges, you know, all over the world, trying to figure out who is responsible for this stuff ultimately, right?
Like, we have laws on the books in some places, but not everywhere, right? We don't know. There's still some arbitration that needs to happen before we know who is responsible for what.

Have any of you seen Black Mirror on Netflix? Okay, so this is an interesting one. There is, I think it's the first episode of the third season, maybe, it's called Nosedive. And the premise of this is essentially, like, a society where, like, social status is as important as a credit score or financial status, something like that. So, obviously, it's exaggerated in that show for cinematic purposes, whatever. But we are not that far from a world where Facebook data, you know, is more private than a credit score to people, right? So, I'm using Facebook as a sort of analogy here, but it can apply to anything, right? Like, the WordPress site, you need to light on something, right? What if that's a life that you want other people to see and you don't know what's happening when you put that light on, right? So, again, in a lot of cases, this data, whether arbitrary or not, can be more personal than financial data.

As a site operator, developer, designer, we need to think about all of these things when we're putting our businesses and our blogs and our customers online, right? Ask yourself, what personal data are we collecting? Do we even need to collect this data? Are we aware of what that data is, right? Like, it's easy to go, you know, install this plugin and install that theme and you have no awareness of what it's doing in the background, right? There's no simple solution for that if you're not a developer. We'll get more into that later. But, yet, think about your data if you have any awareness of it, right? Like, could this data be damaging to someone's reputation, you know? Could it be used to harass someone, drain their bank account? Identity fraud? You know, these are mostly extreme cases, admittedly.
But imagine if a hacker tried stealing the Blue Connor's data out of your site, right? Like, what are you selling on your site? Could this be damaging to someone's reputation? I don't know, but, you know, possibilities are endless here, again.

So, breaches can be significant. More often than not, they're pretty bad. Sometimes they're not that bad. So, usually they can cause, you know, at the very least, damage to a reputation, right? Like, once that data is on the black market, it provides an advantage to competitors. I think they're not looking for me. Obviously, I'm talking about the bigger businesses here. But, again, it applies all the way down to small businesses. Hacked sites is a big one. I'm going to talk more about this shortly. Hacked sites can lead to blacklisting on the search engines, right? Like, Google will put you in their crosshairs and it's very difficult to get out of that. Customers, they never trust the business again. Increased bounce rates because of that. Directly stolen money or, you know, access. We don't see that as often anymore, but it does happen. So, intellectual property, not typical, but a possibility. You know, like, again, what data are you storing? What's going to happen if your competitor gets their hands on it?

So, let me talk about some numbers here. These are pretty rough numbers. There's just no real resource for this aggregate data, but close to 20,000 sites per month have been compromised this year. You can argue about the numbers, but this is the best estimate I could come up with. So, nearly 90%, let me say that again, nearly 90% of compromised sites are running WordPress or Joomla. Okay, let that sink in. Additionally, WordPress, as you have heard, powers more than 30% of the top million sites. It's got a huge market share, right? So, that makes it a great target for the bad guys. 80% of attacks, or 80% of attempted attacks, are brute force type attacks, like I was talking about with the robot earlier.
That doesn't mean they're all successful, but that's the number of attempts that we're seeing. So, research shows, generally speaking, no one practices proper password security. So, as I said earlier, I used to be the CTO of a media company. I had about 200 employees. I did a security audit one day, and I decided I'm going to find out how secure people's passwords are. So, I pulled up John the Ripper, and I pulled up the password hashes, and I cracked over two-thirds of these media employees' passwords. So, okay, cool. You tell them to change their password or whatever, send them some supporting information. Please update your password. About two weeks later, I did it again. Some changed their password, or maybe some did, but they weren't any more secure. The reality here is people don't even understand what it is to select a password that is appropriately secure. Random story there. I'll also add my password to the small list. I thought it was good.

So, also, WordPress themes and plugins are created in the industry every day. They're free. There are plenty on the theme and plugin repositories online. They don't really go through any sort of substantial security review, right? So, of that, I haven't really seen this happen, to be honest. I'm surprised. In theory, a bad guy can upload whatever plugin they want, and people can download and use it in their sites now. So, trust no one. Trust not even in that case. Again, I haven't seen it happen, and I do know that if that did happen, it's going to get pulled pretty quickly. But, yeah.

I don't usually do it, but I have no notes on the slide. Like, I'm just going to read the bullet points because these are important points. More than half of the top million sites do not have an SSL certificate, or have it misconfigured sometimes, such that it's not effective to somebody who knows what they're doing. Most of the attacks are automated, right? Like, it's not some kid in his basement, like, hacking on your site.
These are literally malware spreading and scanning, doing nefarious things, autonomous. Many of them states are not going to go into that. Attack targets and attack vectors are nearly endless. I'll elaborate on this shortly. If you think you're not susceptible because, like, you're just running WordPress and a couple plugins or whatever, you're very mistaken. Thank you again. Every business is vulnerable. Any business that you think could possibly be targeted has likely already been infiltrated. I will expand on this one as well.

Let's talk about attack vectors. Just out of curiosity, like, how many technical versus users? How many, like, developers are there? And then the rest of you are just, like, users or power users? Okay. So I'm going to explain what an attack vector is. It's really just kind of a fancy way of saying, like, this is how a hacker can get in. This is what's vulnerable or susceptible to attack. The definition is: it is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. So this last point, the human element, though it's the last part of the definition and almost an oversight, this is very important. We're going to come back to this.

So here's some common attack vectors. Just to throw some more numbers out here. Host vulnerabilities are about 41%. So this includes, like, your host software that they're running. If you have a shared host, there's some lead. Sometimes somebody gets attacked and they're on the same machine. Depending on the circumstances, they can find their way in. Vulnerable theme code is 29%. Vulnerable plugin code is 22%. And password cracking and things of that nature is roughly 10%. This is in terms of how somebody successfully compromised a site. So, again, look at these numbers between themes and plugins. That's over 50% of attacks get in from a bad theme or a bad plugin.
Again, it sounds like you may have to have, like, some obscure combination of things, right? Here's another metaphor for you. It's kind of like how a trained police officer can find something to pull you over for, because they are trained to know how to spot these things. Same thing in computer security, right? The hackers know exactly those weird combinations of things or logic errors, or they know exactly what vulnerabilities are in which versions of plugins and themes. They are the experts at finding these things.

So, quickly, let's talk about how to identify a hacked site, right? Sometimes it's pretty clear, right? You go to your site, it's been defaced. It's been deleted. It's not there. It's redirecting, whatever. Sometimes it's not really clear, right? Like, there's no apparent change. 10% of major breaches go undetected, sometimes for years. Now, this is the same thing with the Facebook thing. They didn't notice for a while. Here's a defaced site. It's pretty obvious the site was hacked. Many times it's pretty cheesy. Here's another example. And another, this one's a little more political. You're going to see something that doesn't look right. Okay?

Sometimes you see a bunch of advertisements. This is pretty common. A site will have anywhere from, like, a small ad somewhere to, like, pop-ups everywhere. And, like, I see this a lot working with Jetpack. Like, when we work on customer sites, I've been happy with it. This is pretty, you know, common on, I don't know, what else. You see a handful of redirects also. You head to your site and it redirects to another domain. Sometimes that has nothing really to do with your site, it's your DNS settings or something. There's a ton of different things that can happen here, but you go to your site, it's not there. You've been redirected to another site. That happens. Usually that site's loaded with, normally, advertising, or malicious software, you know, or you can already explain it.
But it's completely crooked. Sometimes an ad is, like, embedded directly on your site, you know, or a pop-up. It's kind of like this from whatever.com. Most browsers have, like, protections in place against this now, but, like, hackers are kind of always a step or two ahead. Like, they're just going to continue to do these things even if they're only temporary. Performance could decline. You go to your site and it's taking forever to load. It does load. It doesn't look like there's anything wrong. Typically, we don't see this when your site was the target. Like, really, they were after your host, like the server that's hosting your site. They want to use system resources to mine bitcoins. See that one? Or, you know, serve distributed denial of service attacks again. They'll use your computer as a node in this giant attack. And it has nothing to do with your site. Your site wasn't even, like, directly targeted. It's just some malware found its way in. Yep.

So, or maybe there's no indication at all, right? Like, again, we've seen malware sit dormant for a long time. And actually, we're seeing a lot of this lately, I'll get into where. But, yeah, we've seen malware sit dormant for ages on other sites. Just waiting for instructions to stream in over the internet.

So, I'll share a little story again as I go into the next part of this talk. My team and I recently discovered a large number of sites that had vulnerable plugins and themes. And these are premium plugins and themes. These are paid plugins and themes. Not the ones you get in the .org repository download. The software in question had some pretty nasty backdoor vulnerabilities. And rightly, they allowed the hackers to get in. I'm not going to explain, you know, all the technical details of that. It didn't make sense, right? Because these are big name paid extensions. These are big names from companies you trust, right? Like, why are these hacked? We did a bunch of research, right?
And then we discovered that people were acquiring these plugins and themes by going to their favorite tool and searching for "free premium WordPress themes". It sounds like a completely logical thing to search for if you're looking for a free thing, right? Like, if you have no awareness of security, it sounds like a completely logical thing to search for, right? But, however, if you break it down and contextualize it a little bit, like, you're essentially searching for pirated software here and you're asking for a problem, right? So, they were led to these paid plugins and themes in a pretty nasty place, with malware.

So, most of you probably remember, there was a day when you could go online and get clean, pirated software, right? Like, Photoshop, like, you could go download it. Listen, I'm going to tell you right now. Those days are gone. Okay? Clean, pirated software is a thing of the past. You cannot and will not find it anymore. Unless you go on some trusted, like, I'm sure there's something about that. Just assume you won't find it. Now, that includes paid, premium WordPress plugins and themes, right? Like, this is software. Just like an executable you would install on your computer. Please, don't ever install software, plugins, themes included, ever, if it's from an untrusted source. It will contain malware. Period.

Earlier I said that every business is vulnerable, right? Or compromised already. I'm going to elaborate on that now. And if it's not scary, well, actually, another speaker told me earlier, like, if your security talk doesn't scare people, it hasn't been a very good security talk. So, I'm trying to get you, like, totally freaked out by this. I will bore you with technical detail shortly. This is Roger Grimes. He works with Kevin Mitnick, and I don't know if anybody knows Kevin Mitnick. He was a famous hacker in the 80s, possibly the most famous hacker. Previous to that, he was a security consultant at Microsoft on the security team.
Like, he's a big security guy. You Google this guy, you're going to find crazy stuff, right? So, he's a frequent author on InfoWorld. He's a great guy. Microsoft does a lot more than create Windows, if you didn't know. They're often hired by businesses and government agencies to, you know, do penetration testing to find weaknesses, right? Roger is a really, really good hacker. I'll tell you, he's a really good hacker, world class. During a 20-year career, Roger has been hired to break into hundreds and hundreds of small, medium, large businesses, government agencies. Does anybody care to guess what his success rate has been? 100%. That's right. His team has infiltrated every single business and government agency that he has ever been hired to break into, and he'll tell you most of them were extremely easy. He said there was one that was particularly hard, and it was only hard because they had already been there. All the rest were unbelievably easy. This sounds unbelievable, I know. I actually called him up and I said, are you actually correct, like, elaborate please? Like, it can't be 100%. He's like, no, it's 100%. It's actually simpler than you think, right? The vast majority of these cases involve a very specific attack vector I didn't mention earlier, or didn't elaborate on at least: the human element, social engineering. These are the effective methods in 2018, and will continue to be the effective methods. Okay.

So what does any of this have to do with WordPress security? I mean, come on, everybody. So you can make your site just as technically bulletproof as possible, and if your email is compromised, you're only, what, two clicks away from a password reset. Right? Like, this happens, right? Your social networks, your email, your phone, your instant messages, whatever. Once one is compromised, it's like, you know, an avalanche of things can go wrong. So I've given you the answer.
I want to give you some advice that you can take back to the real world to help keep you secure. And I'm betting that most of you have already heard most of this, and just don't fully understand, or, you know, need it elaborated on. I'm going to do my best to do that.

First of all, and possibly most importantly, choose your host wisely. Remember the numbers I brought up earlier. 31% of successful attacks are on a host-level vulnerability that you don't even have control over as a user of a shared host. Choose your host wisely. Generally speaking, this isn't always true, but generally speaking, you get what you pay for with a host. Okay? Make sure they keep their server stack up to date. Make sure they do software updates. Okay? Remember, software that you don't control could most likely be the vector that the hacker gets in on. You want your host to be diligent and reliable with those updates. Make sure they have system-level backups and a disaster recovery or elaborate numbers.

Make sure you're doing daily, or better yet, real-time backups, right? Like, your host usually offers some sort of backups, but can you even get to that? Can you put your hands on that backup? Can you actually easily restore it? Right? Like, test it before you need it. Nothing is worse than trying to recover an entire site from Google cache. Ask me how I know. I recommend finding a WordPress-tailored backup and restore solution. Pay a few dollars for it if you must. There are plenty out there that are fantastic. Plug for Jetpack and VaultPress. If you don't like Jetpack, there are plenty of others. Sure. Go for it. Just get some backups.

Keep your WordPress core, plugins and themes up to date, right? Like, this is a given. When that little message pops up, there's an update available. It could very well be a security update, and it often is. The longer you wait, that's that time period. Makes your site warm. Update as soon as you can. Check as often as you can. Or use a managed service.
There's a few out there. Jetpack does it. WordPress.com. Jetpack does it. ManageWP. There's a couple others. I can't name them off the top of my head, but... If you're not diligent about this, get one of those services. Often.

Use a malware scanner, right? Like, again, Jetpack. I'm not here to sell Jetpack. You just wait a little. Sorry. What I want to say is, regardless of what product you use, right? Like, just get yourself a good malware scanner. Please.

This one's a no-brainer. We already talked about it. Use a strong password: a sequence of letters, numbers and symbols that is adequately long and complex. There's a couple of password tools out there. You can put in some crazy combinations and it's insane how quickly they can be cracked. Use a password manager. Right? Like, personally I use 1Password and I love it. There are others. LastPass. I think Google Chrome even has one built in. If you don't know what a password manager is, it's essentially a database of your passwords. You don't have to remember them. So they can be super long and super complex. And I've asked around in the security world, because at first I was like, this sounds like a terrible vulnerability, leaving all of my passwords in one place. Right? Like, that sounds awful. But I asked around in the security world and the general consensus is that, like, the benefits far outweigh the possibility of a breach to that. And usually they're encrypted. Again, use a reputable name. Don't go download through one.

Use two-factor authentication. So a good two-factor solution will usually foil all password cracking attempts. I'm not really going to spend any time talking about what it is. Come find me after the talk if you don't know what two-factor is. I'm more than happy to explain it and help you. Or do a Google search and find a solution. Reputable.

This is a big one and I don't know if it applies to anyone in here, but if you have a site with a lot of users, like, maybe audit them. Right?
Like, do you need to have 17 administrators? Probably not. That's 17 accounts that you now need to keep secure. Less is more.

Lastly, have a disaster recovery plan. Right? If you're a business owner, you probably already know kind of what this is. Like, a lot of insurance and stuff require them. In a nutshell, make sure you know exactly how you're going to respond to a disaster or, you know, a breach, whatever. Know where your backups are. Again. Make sure you've tested them. Know exactly who to call if you need to call someone. Test your plan frequently. I once had to, again, I once had to restore a site from Google cache because our backup system was literally backing up a snapshot of that database from, like, two months ago. Had they tested it, we would have seen that.

Don't install untrusted software. We talked about this, and it includes Photoshop or whatever on your local computer, but it also includes plugins, non-official copies of WordPress. Be careful what you install on your web servers outside of WordPress. Just writing a quick test program and you need to look at it in a web browser? Be careful about leaving that stuff there. Because usually when you're testing something it's pretty gnarly.

This is an interesting one. Hardware can be insecure also. Right? Before you ever connect any device on a home or business network, like, take a few moments to think about whether it could have been compromised. And I say this, like, I kind of played a weather-eating act. But I have a personal reason for saying that. So it's funny. Maybe you saw the news recently, like there was, I don't know if it was legit or not, so sorry, but like, there was news that some Chinese company had put some chips into the servers that were sent out to customers that allowed them to, you know, hack the servers essentially remotely. Again, I don't know if it was legit or not, but like, this is possible, and given it's possible in a political landscape, don't you think it's probable that it is hacked?
I've seen hacked firmware on silly little devices, like a security camera I bought for myself. Literally. It was an off-brand thing, ordered off eBay or whatever. Had malware. Brand new from the factory. This is a real thing, folks.

So a couple quick slides for the devs in the room. This is basics, but it's important. Validate and sanitize your inputs. If you're accepting data in from the outside world into your computer program, you need to make sure that data is safe and it's not an attack vector. Okay. absint is my favorite one. Want to take an integer? Make sure it's an integer. Essentially just cast it into an integer. So you know you're getting a number. sanitize_text_field for pretty much any data that's coming in from the outside world. That makes the vast majority of things safe to put in a database. Even if this data wouldn't be used in a context you might think is vulnerable, use these sanitization functions anyway. If you're accepting a static string in, use these sanitization functions. You never know who's going to go back and change some code somewhere. Use these functions. Trust me.

Escape your outputs. Okay. Anything being written to a web page should be escaped with proper escaping functions. esc_url, esc_html, esc_attr, I think it is. Like, there's a bunch of them. I'll have a link at the end. Go look at the documentation and use them. This ensures that exploit code that does somehow get in your database, say you've got an old person that you've let log into your WordPress site with some malicious JavaScript in a post, doesn't get executed for every one of your visitors, right?

This isn't talked about super frequently, but check your logic. Logic errors is a whole talk on its own. Hackers do take advantage. Have someone else review your code, right? Like, or write your code together with somebody, pair program it. That's actually a lot of fun. I did that with a co-worker recently.
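The validate-on-input, escape-on-output advice above, as an added PHP example that is not code from the talk or from Automattic. It assumes a WordPress context where the real absint(), sanitize_text_field() and esc_*() functions exist; the function_exists() stand-ins, the wcsec_ function names and the hostile request values are constructed for this example and are not WordPress's implementations.

```php
<?php
// Added example, not from the talk. A WordPress-style render function that
// validates/sanitizes request data on the way in and escapes on the way out.
// Inside WordPress the real absint(), sanitize_text_field() and esc_*() are
// used. The function_exists() stand-ins below are simplified approximations
// (assumptions, NOT WordPress's code) so this file also runs from the CLI.

if ( ! function_exists( 'absint' ) ) {
    function absint( $v ) {
        return abs( (int) $v ); // "2; DROP TABLE x" becomes 2, "abc" becomes 0
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $v ) {
        $v = (string) $v;
        $v = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $v ); // drop script/style bodies
        $v = strip_tags( $v );                                              // drop remaining tags
        $v = preg_replace( '/[\r\n\t ]+/', ' ', $v );                      // collapse whitespace
        return trim( $v );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $v ) {
        return htmlspecialchars( (string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $v ) {
        return htmlspecialchars( (string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $v ) {
        $v = trim( (string) $v );
        // Only http(s) links survive; javascript:, data: and the like become ''.
        return preg_match( '#^https?://[^\s"\'<>]+$#i', $v ) ? $v : '';
    }
}

/**
 * The "before": raw request values dropped straight into HTML. A <script>
 * in $request['q'] or a javascript: URL in $request['link'] would run in
 * every visitor's browser. Shown only for contrast with the safe version.
 */
function wcsec_render_unsafe( array $request ) {
    return '<p>Results for ' . $request['q'] . ' (page ' . $request['page'] . ')</p>'
        . '<a href="' . $request['link'] . '">more</a>';
}

/**
 * The "after": sanitize on input, escape on output, and pick the escaping
 * function by the context the value lands in (HTML body, attribute, URL).
 */
function wcsec_render_safe( array $request ) {
    // Input: coerce to the type you expect. absint() guarantees an integer.
    $page = max( 1, absint( $request['page'] ?? 1 ) );
    // Input: sanitize_text_field() strips tags and normalises whitespace.
    $query = sanitize_text_field( $request['q'] ?? '' );
    $link  = (string) ( $request['link'] ?? '' );

    // Output: escape per context, even though $query was already sanitized.
    return '<p>Results for ' . esc_html( $query ) . ' (page ' . esc_html( (string) $page ) . ')</p>'
        . '<a href="' . esc_url( $link ) . '" data-q="' . esc_attr( $query ) . '">more</a>';
}

// Constructed hostile request (sample input for the example, not real traffic).
$wcsec_sample = array(
    'page' => '2; DROP TABLE wp_posts',
    'q'    => '<script>alert(1)</script>shoes',
    'link' => 'javascript:alert(1)',
);

if ( PHP_SAPI === 'cli' ) {
    echo "UNSAFE: ", wcsec_render_unsafe( $wcsec_sample ), "\n";
    echo "SAFE:   ", wcsec_render_safe( $wcsec_sample ), "\n";
}
```

Run it from the command line to compare the two outputs: the safe version keeps only the integer page number, the text "shoes", and an empty href.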
If that's not an option, write your code, sit on it for 24 hours and review it yourself. You'll be amazed what you'll find in your code from yesterday. I believe Jonathan is going to talk about code review at 2 PM. Go check out this talk. It should be pretty good. I'm sure it's going to give you good advice. Lastly, the most secure code you write, maybe you didn't write at all, right? Don't make things unnecessarily complex, right? Leave out what's unneeded.

So, on the same note, a couple quick slides for, like, systems folks, if there are any here. If you're going to set up your own hosting, AWS or whatever, use SSL, again. Make sure it's right, because, again, really 50% of the top million sites is not using SSL or using it incorrectly. We all work in coffee shops or on the road or whatever, from time to time, right? If you don't use SSL on your site, you're streaming your password in plain text over the internet. Anyone can see what it is. There's free SSL. If you don't know what SSL is, it's HTTPS, you know, where you get the checkmark in your browser when you go to the site. It means your connection is encrypted and usually means it's secure. There are free certificates out there. Take advantage of it. If you're not, like, a sysadmin, talk to your host. Make sure you have an SSL certificate. Usually at a very low cost, if anything.

Make sure you do software updates regularly, right? Like MySQL, your web server software, your PHP software, even things you may not necessarily be using, like FTP servers, SSH servers, like, whatever. Make sure you do your system updates. There are entire talks on all the little, detail-y things that you can do, like changing WP salts, right? Like changing your table prefixes, removing version numbers, and file permissions. All of those things are very important. Do them all, though. Like, don't leave a few things out. Again, there are whole talks. Go to WordCamp.tv, find yourself a good talk on this.
Know that you really need to do all of those little things, okay? Privacy is not for the passive, right? And I will also add that security is not for the passive either, right? Everyone that gets targeted by a real hacker is compromised. Okay? For everyone else, let's try to keep the robots out.

VIP, validating, sanitizing, for the devs, go check that out. Even if you already know about all this stuff, there's some really cool info on that site. KnowBe4 is Roger Grimes's company, Kevin Mitnick's company, that Roger Grimes works for. If you want to do security awareness training for yourself or your business, these are the guys, check them out. And the WordPress.org security page, it's got all kinds of cool links and useful things. But yeah.

Questions?

So you talked about password managers briefly, and the importance of trusted versus untrusted software. What, in your opinion, are some really good and trusted password managers that people could use?

So I prefer 1Password. It is paid software, and it's like 30 bucks a year or something like that. But it's fantastic, actually. It's even better than, like, if I had one short password I could type in two seconds. 1Password is better than that. It's one click and you're into whatever site or service you need to. Your password database is somehow secure. I don't know, I never really looked into it. There's a couple others. LastPass, this guy, and this is probably a Linux client. I think Google Chrome has something built into the browser. I don't know how to get to it, but I can try to find out if you like. But I would recommend stay with LastPass or 1Password.

Anything else? I don't know. What about institutional password blocks? Institutional password blocks? I don't know a whole lot. I know what you're talking about. I can't speak to it. Certain portions of the browser and I love it. I don't have to talk about it. I know a little bit about it.
I do have to log into that site and I have to remember that password. Yeah, I've never... Vault is actually a really, really good product. A little more advanced than, like, most average users take advantage of, but we actually use Vault for certain things. Let's go to the details.

So you said a couple of times people are using SSL or they're using it improperly. Can you expand on what you mean by improperly? I mean, are you talking about not getting the little green lock, or what do you actually mean?

So you can have an encrypted connection that's got something... a connection such that under the right conditions a hacker could still see this data in plain text. For whatever reason. I don't personally know all of the details on how that's done. I do know it is a problem. For example, if you go to a site with HTTPS, an SSL certificate, most of the time you're going to get a nice green checkmark or whatever it is in whatever browser you're using. Sometimes you'll get, like, a grayed out checkmark. That usually means something is broken. It is using SSL. It is encrypting, but something is broken there and it could be bad encryption, essentially. Does that answer that? Thank you.

Recommendations for two-factor authentication other than... Again, Jetpack. There are a couple others. How do I know when I was at an old number? Well, again, just make sure, so go on the .org, make sure you're using one that has thousands and thousands of users. Don't choose the one that has some 14 users. And that's good advice for any plugin, right? Shy away from the ones that don't have a lot of users.

So we're just about at one more question. Sure. Sites that have a lot of subscribers. So, like, a membership site, a site that has students on it. While you can all have good types of policies, what can we do for people that have a lot of members, that have subscribers on the site?
I would say, probably in the interest of time, the first thing you should do is make sure that they only have access to... check your roles and permissions for the subscribers, do an audit on that. Make sure they don't have access to things that they shouldn't. If you are not expanding on what WordPress is already doing, you're probably going to be safe. Check your customers out.