Well, I'm really thrilled to be here today to talk to you about security. Kitty's kind of a hard act to follow, though. I'm an introvert, which probably explains the security thing. And everybody tweet Kitty, and tweet me, or tweet me, follow me, at Blue Sky Dig Strat because Blue Sky Digital Strategy is too much for Twitter. So this is going to be a lot drier than the last talk.
What we're going to talk about, I'm going to try to convince you why you need website security. I still see a lot of people that say, I've got this tiny little blog, hackers aren't going to care about me. Trust me, they will. Talk a little bit about HTTPS and SSL, four laws of website security, then we'll talk about firewalls. I'll talk about IQ Block Country, which is a plugin that I like and it's free. Then I'll talk a little bit about the security plugins. I could probably talk an entire hour about iThemes Security, but we just don't have time for that. And I want to make sure that you're aware of all these different things that are available and the issues that you might run into. And then I'll talk a little bit about how you can test your website security. And then at the end, if we have time, there are a couple of other reputation management considerations that I think you all should be aware of.
So Kitty talked a little bit about the font of all knowledge and I just realized I don't have audio for my little video clip, but I'll wing it. Right now you have access to the greatest trove of information in the history of the planet and it's increasing, it's accelerating every single day. You just have to look for it. And I still see a lot of people that don't actually ask. All you have to do is ask. And this is where I kind of lost the, he's saying, who's revolution and if you know the movie, I, Robot, that's the right question. So go to Google, Bing if you have to.
If you encounter an error message, the chances are really good that someone has had that problem and been kind enough to blog about it somewhere or post it in some forum like Stack Exchange. The caveat there though is to be very careful of code snippets. Don't just copy code without looking at it and without understanding what it actually does. You may inadvertently install a back door to your site or add some kind of security vulnerability.
Okay, so why do you need it? First and foremost, you need to protect your digital assets. You worked hard on your website. You put a lot of time into blogging. Like Kitty said, it takes a year. You don't want to lose that. I'll give you some examples of WordPress hacks. They're sort of big ones, but you know, they're there. And then we'll talk about what you can do, WordPress core, backups, firewalls, security.
Little bit on HTTPS and SSL. How many of you all are using HTTPS? Okay, good. It's very important for ranking in Google. It's one of the 200 different factors that Google uses and they're weighing it more heavily. Having an SSL certificate does not make you secure. It only encrypts the connection between the browser and the server. You have to have it also if you want to use a payment gateway such as Stripe. When you get a secure socket layer, and I forgot to put Let's Encrypt in here because that's what I use. Make sure you get it from a reputable certificate reseller. Make sure you've got the proper redirects in your .htaccess file. Don't allow both HTTP and HTTPS to be served from your site. That will get you a duplicate content penalty from Google. Like I said, this alone does not make your WordPress website secure. It only secures the connection between the browser and the server. For plugins, there are two SSL hooked up on SS today. Insecure Content Fixer is the most popular of the two. It basically cleans up your website to make sure that you're only serving HTTPS.
If you started your site before you got an SSL certificate, you will undoubtedly have some conflicts, some images, what have you, that are still being served HTTP. I hope you can see it. The first one here has got 100,000 plus active installations. The second one's only got 7,000. That's a good way to judge out of all the different plugins in the WordPress repository. Choose ones that people are using.
The first law of website security. I repeat, nothing is unhackable. Like I said, you need to protect your digital asset. Your investment of time and/or money, if you pay someone like Kitty to build content for you. You need to protect your traffic, your ad revenue, your online store, which is real revenue, and maybe most importantly, your reputation. Why? Every week, Google blacklists websites, roughly 20,000 for malware, 50,000 for phishing, and Sucuri, one of the big security firms, estimates that only about 15% of infected sites actually get blacklisted. So there are 85% of the infected sites still out there freely distributing malware. Being flagged can be devastating. It affects how your visitors access your site, how your site ranks, and the deliverability of your email. And I've listed the sources for some of this information at the bottom. And I forgot to mention, this is all on SlideShare. So if you go to my Twitter account, look me up on SlideShare, you'll be able to find all this so you don't have to write it down. Blue Sky Dig Strat. And I'll have everything listed at the end too.
Does anybody know what the most infamous WordPress hack to date is? Anybody heard of the Panama Papers? The data was released in April of 2016. Wordfence wrote a big blog post on it right about that time. They believe it was a WordPress hack and an email hack, and there may have been a Drupal hack in there as well. It was a real disaster. The WordPress hack was accomplished through the Revolution Slider, which is notorious for issues.
It wasn't kept up to date, and I think it was only about three months out of date. But the vulnerability had been published, so people acted on it. 2.6 terabytes of data were stolen, roughly 40 years of records. It showed widespread illicit financial activities, tax evasion through shell companies. Hundreds of billions of dollars were lost by almost 400 companies. 140 politicians from more than 50 countries were involved, and they're still running WordPress. But they've put up a pretty good firewall. I'm not sure which firewall they're using. I can't see it. And there's one source, another source, and there's the Wordfence blog post about it. And somehow I got my animations backwards, so that was Mossack Fonseca. So who got burned? Kind of a who's who. I know that you probably can't see the titles, but Prime Minister of Iceland, Iraq, former Iraq, Ukraine, People Close to Putin. I mean, it was a big hack.
More recent examples, the CAPTCHA plugin backdoor. Anybody using the CAPTCHA plugin? Good. It was a commercial plugin. It had over 300,000 active installations. It was sold in September of 2017. The new owner installed a backdoor that allowed them to install cloaked backlinks on affected sites. It was taken down from the repository, claiming that WordPress.org said that they couldn't use WordPress in the title of the plugin, but Wordfence did some digging because it had such a large audience and discovered this backdoor. So it was a backlink scheme, and it's a company that has a history of that, apparently.
Also in December, a crypto mining campaign that was using brute force attacks, and it was targeting WordPress websites using a command and control malware. It used stolen resources to both launch attacks on other WordPress sites and to mine the cryptocurrency Monero.
There are other pieces of malware running around trying to grab your CPU in your house, in your office, to take little bits of electricity to do exactly the same thing, to mine Monero and other cryptocurrencies. Instead of the hackers buying tons of time on Chinese servers that are running off of coal. So malware was detected by a Wordfence scan. Check your server resources, monitor blacklists, that's the only way to find out if you've been hit, and make sure you harden your site against brute force attacks, and I'll talk about that in a little while.
So WordPress Core. It's open source, as I'm sure you all know. It's very secure. It's audited regularly by hundreds of developers, but you must keep it updated. The biggest source of hacks on WordPress sites is not keeping your software updated. And WordPress Core will automatically update for minor security updates. In some cases you might have to upgrade for the major updates, but the biggest source of hacks are the plugins, and you must keep those updated as well. It is a misconception that WordPress is not secure. WordPress is the most hacked, but it's only because it's by far the most used CMS out there. And this is current WordPress market share by w3techs.com, and it's almost 30% of all websites are being run off of WordPress. Sucuri does analyses. They haven't published one since the third quarter of 2016, but this is a distribution of infected websites based on platform. And you can see WordPress was by far the greatest, but it's very similar to that last graph that I showed you, just because WordPress is so used. And that report claims that 55% to 61% of all infections were due to outdated WordPress Core software. So it's not as big a problem as it is with other platforms, but you still have people that aren't keeping their Core software updated. So I'll harp on update, update, update all day long.
The most vulnerable plugins back in 2016, third quarter 2016, TimThumb, the Revolution Slider, 46%, and Gravity Forms. But that only accounts for 18% of all the vulnerabilities. I'm sorry? I'm not exactly sure what the vulnerability was. You Google Gravity Forms vulnerabilities, you'll find it. I should find out because I own Gravity Forms. I just haven't really used it that much.
Let's see, types of hacks. Defacing and phishing, not that many. It's mostly malware and backdoors.
Third party themes and plugins. The great thing about WordPress is there are thousands of plugins with unlimited functionality. But they are your greatest vulnerability. Try to use those that are well used and well reviewed. There are lots of plugins that aren't in the repo that you can purchase. Purchase them from reputable authors. I see people trying to update PHP or your hosting provider updating your version of PHP to a more secure version. And it'll break a theme. And people want to roll back the PHP version because they want their theme to work, right? Make sure your theme authors are keeping up. Keeping things updated so that they'll continue to function.
Second law of website security. How many people here have users for their sites? Not that many. This especially applies to you. The principle of least privileges. Role control. Only give your users the access privileges they need. I've got one site where people were demanding that they have admin access. I'm like, no. If a user can destroy something, they will. Plugins such as Adminimize. Hide what you don't want users to access. Plugins like Capability Manager Enhanced, which is a mouthful, can help you modify the standard roles in WordPress so you can build custom roles to give people the access that they need.
Strong passwords and unique nicknames. Enforce strong passwords. Users will complain, but they'll get over it. More and more companies are using two-factor authentication or 2FA. People will have to get used to it.
If they have trouble remembering things, have them use a passphrase. Mary Had a Little Lamb is a strong password. Just saying. Never ever allow the admin user account. That's usually me. If you have it, get rid of it. That is the first account that hackers will go after with a brute force attack. And it's one of the most common vulnerabilities that I see. And hackers will use seed lists of common passwords. It's amazing how often the password 123456 is used. Force your users to have unique nicknames. This prevents hackers from harvesting user names from author pages.
The third law of website security. Use reliable hosting. How many of you guys are on shared hosting? Come on, be honest. No? Good. On a shared host, you have many websites on a single server. It is a budget solution. They can have well over 100 domains on a single server. You share the resources, which is why you get it at a good price. But you also share the risks. If the server is compromised by just one of those websites, all of those websites will be at risk. Shared hosting, I recommend SiteGround. WordPress.org recommends Bluehost or DreamHost. But they are both owned by Endurance International Group, which has a huge stable of hosting companies under their umbrella. And I was with A Small Orange, which is based in Austin, Texas. And I watched their technical support go down the drain about two years after they were acquired by EIG. So I would recommend them only because WordPress.org does. Personally, I would not use them. And I know that they are sponsors here.
Managed WordPress hosting. These hosts specialize in WordPress. They can be virtual private servers, managed cloud hosting, dedicated servers. The recommended ones are WP Engine and Liquid Web. Liquid Web has heroic service. And they deserve that term.
And then do it yourself, cloud hosting. Cloud hosts such as DigitalOcean, Amazon Web Services, Google Cloud, UpCloud. Personally, I am on DigitalOcean.
And I use server management through serverpilot.io. They specialize in managing cloud servers running PHP. So they do the updates to all of the Apache and Nginx and Ubuntu Linux codes. And they stay really up to date on all the different vulnerabilities that are out there in those three areas. And it keeps me from having to, you know, it takes all of that away from me.
The fourth law of website security. Back up your website. How many people are using a backup solution? Okay. Half, maybe. The other half. Back up, back up, back up. Always back up your entire site. Back up both your MySQL database and your site files. You don't necessarily need to back up the core files. Make sure you back up off-site. Some plugins do save your backups to your website files. Don't do this. If your site gets hacked and you can't get to it, you can't get to your backup. So back up to Google Drive. AWS S3. Google Cloud, Dropbox, Rackspace. Even an FTP server somewhere. Just get it off of your site. And personally, I like to duplicate backup sets just in case. And cloud, you know, cloud space is not expensive anymore. Automate your backups so you don't have to think about it. Choose a plugin that will schedule these for you. Frequency depends on how often you make changes to your site. And if you're blogging every day, you probably want to back up everything every day. It doesn't take very long for the server to accomplish it. It doesn't take up that much space. If you blog once a month, maybe you don't need to back up quite as often. But make sure you save... I like to save a couple of months' worth of full backups because often you won't know that something's gone wrong until a little while down the road.
Backup plugins. I use UpdraftPlus. It's got a million plus active installations, saves zip files of plugins, themes, uploads, other files core separately. I really like that. It has access or has APIs for all the major cloud services. Automated.
The premium service allows you to back up multiple... to multiple services. And it's got really easy migration and cloning. I was using BackupBuddy from iThemes Premium... iThemes is a premium plugin. But about a year ago, I finally got fed up with it and found UpdraftPlus, and I haven't looked back. It has many of the features of UpdraftPlus, but cloning and migration are more difficult. Maybe they've changed it, but I'm really happy with UpdraftPlus. And there are many others in the WordPress repository. Things like BackWPup is a good one. Jetpack, Duplicator, VaultPress, which is from Automattic. There are lots of them.
Firewall plugins. There are lots of those too. These are the nine that came to the top of a search in the repo for Firewall. I personally like Ninja Firewall. It's free. It has a few paid add-ons, but the main functionality is free. Wordfence Security has two million plus active installations. I haven't used it, so I'm not sure how much of it's free. Usually the Firewall is a paid service in my experience. The BBQ Block Bad Queries is another really light plugin. And then there's the All In One WP Security and Firewall. And Security also has their version.
But I'll talk about Ninja Firewall next, I guess. The WordPress edition has 20,000 active installations. It does add rules to your .htaccess file, so it needs to have write capability. It also adds a file called .user.ini, the code for that is up there. And basically Ninja Firewall is loaded and runs before your WordPress site is loaded. So it's in front of your site and the client. Yes. And these are the different options that you have available. I just did a couple of screenshots from one of my sites yesterday. I've got it running in full web application Firewall mode. It's actually really easy to set up. If you have write access to your .htaccess file, it sets itself up. These are the statistics from one of my sites for January to date. It has blocked 1500, almost 1600 hacking attempts.
None critical, but a couple high. How it defines critical and high, I'm not sure yet. But lots of medium ones. It allows you to set policies, and that's where it gets complicated. I could probably spend half an hour going through all the different policies here, so I won't do that. But this is the first half of the page for basic policies. So you want to enable it, or it defaults actually to both HTTP and HTTPS traffic. You can disallow uploads if you want. That's what it defaults to. It will block direct access to all of these directories. You can deselect them if you want. I recommend you don't. This is the second half of the page. And the top one is important in my opinion. You want to protect against user name enumeration. There are lots of sites where you can run WPScan, and you get a list of all the user names. It's real easy to set up brute force attacks if you know the user names. And all it takes is one user with a bad password. The REST API is another story altogether. I should probably be blocking it here, but I'm not. Let's see. Post requests to content themes, force SSL for admin and logins. That defaults to no. I've actually got that forced elsewhere, so I don't want to confuse everything. You can disable the plugin and theme editor. This is one place to do it. I have it done in iThemes Security. And you can disable plugin and theme update and installation as well. And you want to make sure you add the administrator to the whitelist. You don't want to lock yourself out.
This is another plugin that I really like. It's free, called IQ Block Country. And I was getting all kinds of messages from iThemes Security saying such and such is trying to log into your wp-admin page. And it got really annoying, so I went looking for a solution. And some of the plugins like Sucuri and Wordfence have this capability, but it is not free. You have to get their premium version to get this functionality. It currently has 30,000 million. Well, that doesn't make any sense.
30,000 plus active installations. It can block access to both the front end and the back end. It does this based on the GeoIP-like database from MaxMind. You do have to have FTP access to your site files because you need to put that database into your uploads folder. But the plugin tells you exactly what you need to do. The database is free, but you must update it occasionally. You can subscribe to the database and get automatic updates. I haven't seen the need to do that yet. You can block all except the whitelist. I guess I should have done this. You can't see this, but there have been 20,000 visitors blocked from the back end since this site was started.
So is that blocked on a country-by-country basis?
It is.
So mainly you use it to block Russia?
Actually, I block everybody. And that's where this next slide comes in. If you go to the back end tab, which is up here, it gives you the option to block visitors from visiting the back end administrator of your website. So I click that yes, and right here you can whitelist everybody that you want to let in. So I typically block everybody from the back end and whitelist the U.S. Now this doesn't solve everything. It's really easy to spoof IP addresses. All you have to do is get on a VPN. It's a lot of fun to get on a VPN and choose a German server and have Google give you local results in German with German maps. Google is that smart. And the one thing you need to remember about this is to invert the selection above. Because you're telling it to block everybody from the U.S. If you check this check box, it inverts that and only allows people from the U.S. And that's only to the back end. If you go to this tab up here, that's the front end. So you can block that as well. You can block pages, categories, etc. And over here there's a logging function as well.
To optimize your site just for France. And nobody except France can even see your site.
That's right. Yes. And this is just a little bit of data. I'm a geek.
And this is different for every site. You can throw up a site. I've got sites that are just there to be a playground, a sandbox if you will. And they get hit all the time. So in this case China is the number one culprit. Then India, then Russia, then France. This is kind of instructive. The most blocked URLs by far. Hackers going after wp-login.php. They're trying to do brute force and it's automated. So they're kind of the anti-Google. They've got bots that are out there crawling, looking for holes. Next is wp-login.php lost password. So they're trying to get you to give up your passwords. And then it's XMLRPC. That's another common script that they go after. Okay. And this is I think the last one. The very last set of blocked URLs. Again, all wp-login.php. And you'll get four in a row from the same server in Spain, Colombia, Ukraine.
Okay. WordPress security plugins. Kind of like the firewalls. There are a lot of them. These are the top eight that come up in the repo when you just search for security. Wordfence is by far the most popular. And that gives them access to all kinds of wonderful information. They generally know what's going on in the hacking world. And they've got a live lab. They can go through, you know, all kinds of results. Sometimes they get access to server files. And that's how they're able to report some of these things that I've mentioned earlier. They have had issues in the past with their own plugin having vulnerabilities. So you've always got to take everything with a grain of salt. Then we've got Sucuri. I don't know too much about Shield Security. I use iThemes Security. Used to be Better WP Security. And I don't even remember how I got hooked up with iThemes Security. But I'm a member of their toolkit. I subscribe to their toolkit, which gives you access to all their themes and all their plugins. If it wasn't for, if they didn't have any of the plugins, I would subscribe anyway for their training.
Their training is worth the price of admission alone. And Nathan Ingram will be here tomorrow speaking. And he's actually now in charge of the training program at iThemes. Very impressed with their training.
Okay, so iThemes Security. It's not the only solution. There are lots of them out there. Again, it's part of the toolkit from iThemes. They also have iThemes Sync, which helps you keep things up to date. I get an email every afternoon saying, these plugins need to be updated on these sites. I go to the sync site and run through the list. If there's anything that I really question updating, I unclick it and then I tell it to update everything else. You've got to watch a little bit on making instant updates. But it's a really nice feature to have. There are a lot of settings available in iThemes Security. One of the main things it does is prevent brute force attacks. But it can interfere with some PHP scripts that you do want to run. And the really interesting thing about this piece from the dashboard, the WordPress dashboard, is that it has not protected this site from attack at all. Ninja Firewall and IQ Block Country have kept all the bad actors out. So iThemes Security hasn't had to do much. Does that mean I'm going to get rid of iThemes Security? No.
The dashboard. How am I doing on time? The first one up here is security check. It will, at the one click, go through and fix all your security issues that it sees. One of those things is enabling two-factor authentication. I generally don't, or go back and turn that off. I don't like putting lots of roadblocks in front of people either, but the day's coming when I will use 2FA. And I use 2FA to access a lot of my accounts, like DigitalOcean, my domain reseller accounts, things like that. And Authy, it's not in here. You might want to write this down. Authy is a great, it's not exactly a plug-in. It's an extension for Chrome.
But it runs through the Google Authenticator and gives you all your codes in one place. It's a real handy tool for keeping all your different two-factor authentication.
How do you spell that?
Authy, A-U-T-H-Y.
Okay, then there are global settings. The Notification Center. This is where I was getting all the notifications that people from outside the U.S. were trying to access my backend. Puts me in mind of Raj from Big Bang Theory. Okay, now I'm going to turn beet red. So you can have it send you email notifications if you want to. Sometimes it can get really annoying. 404 Detection, it will tell you if people are snooping looking for holes. You can tell it that you're away to disable access to the WordPress dashboard. It will ban users, so you can ban specific IP addresses. And let's see. People down in the local brute force protection, you can set rules that if somebody tries, if an IP address tries to access the admin account, they're automatically banned. They go to this banned users list. And there are several other different types of rules that you can set. You can actually have iThemes Security back up your database for you and email it to you. I don't do that, it just clogs up my email. And I've got everything set up to go to Amazon or to Google, actually to both. It will tell you if files change. That can get annoying, too, actually. Especially if you're using BackupBuddy, because BackupBuddy changes the files. So I usually turn that off. But it's there if you need it. File permissions, it will list the file and directory permissions of areas of your site. So .htaccess, and it'll give you a recommendation on what your permissions on .htaccess should be. Then we've got the local brute force protection, network brute force protection. iThemes, and I'm sure Wordfence is doing this as well, they have a database of IP addresses that are known to be bad actors. And by configuring that, you have access to that list.
So those people automatically are banned from your site. And then SSL, that is where I set, this site is going to be SSL, nothing else, or going to be HTTPS, sorry, not HTTP. The second half of the dashboard, you can choose to enforce strong passwords, system tweaks, their advanced settings by changing the server configuration. And I could talk about those take probably half an hour. But WordPress salts, anybody heard of WordPress salts? Not too many. They are basically, I think six, different strings of characters and letters, kind of like passwords. And if you update them or change them on a regular basis, it will help increase the security of your site. They're actually located in the wp-config file. WordPress tweaks, more advanced settings by changing default WordPress behavior. One good thing, and it's not listed here, I think it's under WordPress tweaks, don't use wp_ as your database tables, as your prefix, change your database tables because hackers know what the default is. And the rest of these are pro features. It has a reCAPTCHA, two-factor authentication. You can check the security of your users, version management, malware scanning is actually through Sucuri's SiteCheck. And you can also tell passwords to expire.
So testing your security. Who's heard of WPScan? Oh, good. This might be worth your price of admission. I only came across this recently. It's a little piece of Ruby code. It is sponsored by Sucuri. It runs from the command line on Linux or macOS. And it will enumerate plugins and users, among many other things. And it can be used to brute force attack a WordPress website. And this is what hackers are using to take a look to see if you have any issues. And I know that's an eye chart. The main thing is that all the things on the left are green. This site is actually secure. But it was able to enumerate two plugins. And I've got my user names hidden. So that's good.
If you don't want to install this and figure out how to run it, I believe it's a Swedish group that has put this online as wpscans.com. The caveat is that you have to check a little checkbox that says that you have permission to run a scan on that site. I don't know too many people who are actually going to agree. Be truthful about that. But it will tell you if your site is secure. This site check is at sitecheck.sucuri.net. It undoubtedly incorporates WPScan since they sponsor it. It's built into iThemes Security. I don't know what else beyond WPScan they use, but it's another place to take a look. And then Wordfence. Wordfence has their... Well, they've rebranded this, I think, in the last year to Gravityscan. If you go to Wordfence, you can find it. If you go to gravityscan.com, you'll find it there. And it'll be very similar to wpscans.
Okay. That is WordPress security in a nutshell, in my opinion. We're all on a different journey here. There are five million and one different ways to put everything on the Internet. I've tried to be an open book. I'm very happy to answer any questions. So if you have any problems or questions, just reach out.
Now, these are other security-related issues that I think you all should be aware of. Because I've had clients that... I've had to build workarounds because they've run into this in the past. Email security. Your DNS records, very important. And most people don't know about SPF, DKIM, or DMARC. Sender Policy Framework. Basically, it's a text record in your DNS records. And I'm sorry, how many people know what DNS records are? Okay. I'm sorry for the rest of you, it might be over your heads. But DNS records, domain name system. That is the system that associates your domain with your server's IP address. Okay. There are also MX records. Those are your mail records. If you're on Gmail, which I am, love it. I mean, it's Google, but... You have different... Let's see. Different records for the servers at Gmail.
So it knows to route your email over there. Then you've got your text records for SPF. Sender Policy Framework. That record authorizes those servers to send mail for your domain. And it looks like that text record right here. Then there are DKIM records. They are also text records. It stands for DomainKeys Identified Mail. It's a key-based DNS record. So you have to request a key. So it's 128 characters or 256. And that key is then associated with messages coming from your domains. So it's cryptographic authentication of your emails. And you can learn more at dkim.org. And then DMARC is Domain-Based Message Authentication, Reporting and Conformance. The DMARC record, it's a text record. It specifies the policy for how to handle any email that fails SPF and DKIM authentication.
So I have a client that is getting a lot of... Well, AOL, they've got a lot of people still on AOL. AOL flagged their domain a while back as sending spam. Almost impossible to get email from this domain to those people. So I had to do a workaround instead of a .org domain. I had to go to a .com that wasn't blacklisted. So if you get email blacklisted, it's going to be really hard to get unblacklisted. So I recommend looking into getting these records set for your domains. People are really pushing DMARC, but not that many people know about it yet. But basically these records detect and prevent email spoofing. They prevent some spammers from using your email addresses to send mail. It combats phishing and email spam. It protects your email reputation, keeps you off those blacklists. And I actually use the service at dmarcian.com. It's free for three months, I think. But it will tell you what domains are trying to send email off of your domain. And I'll show you some data here. This is an example of the site that I was talking about from November 1st, through yesterday. And basically everything in red is bad.
So there are domains primarily from Vietnam and India that are still sending spam email claiming to be that domain. So it's just one more thing to make you aware of.

Okay, I know that was a ton of information. If you'd like to have further discussion, you can reach me all of those places. Again, the slides are on SlideShare down here at the bottom. And I'd be happy to answer any questions.

And passing that you hide your username, so how do you accomplish that?

Ninja Firewall. It's got that setting. I can go back and show you if you like. And it does a good job.

We're trying to make that act. They were sending out tons of emails, huge amounts, and it got the whole IP blacklisted on that server. What can they do to recover their reputation so they can send email again?

It's really hard. Like I said with that .org domain, I had to build a workaround for the AOL just using the .com equivalent domain. And some of that is their fault because they have users that refuse to update their AOL clients. Unbelievable, but true. There are, let's see, I want to say it's DMX. But there are blacklist services. I get emails from one of them. I don't really use them. But if you Google email blacklist, email blacklist removal services, I'm sure somebody will come up. I haven't had to deal with it that bad. I was able to do the workaround because they had the other domain.

Oh, I'm sorry. Can you mention using unique nicknames in WordPress? Could you explain exactly what you mean by that?

Sure. In a user profile, you have your username, but you also have a nickname. Usually they're the same. But you can set that nickname to be something else, whether it's their first name, last name, first name, what have you. And you can do that when you create the user account. iThemes just makes you, or forces you to make it a different. And it's mainly if you have users that are registering their own accounts.
If you've got public registrations on your site, it'll force them to use a separate nickname. Right, because the nickname is what's shown on the author page.

I wonder if you could characterize the amount of overhead or expense that is now being borne by, let's say, substantially large enterprises that have prominent domains to deal with this kind of stuff.

I haven't worked for one of them, but I have to agree. I think it's probably huge.

A large nonprofit store. Yes, I'm familiar. Maybe we faced that AOL challenge a while ago. We had a facility for sending emails from their database system, and we got the message that it was failing to deliver to AOL. Don't know if they solved it, so... Probably not. That's what I haven't called you for, because it was an annoying thing that we couldn't use that facility. Yeah, it is.

And one thing I guess I didn't have in here. There are plugins that will allow you to send email from WordPress. The client that I mentioned had the AOL problem. They had an older plugin, and I updated that to a Google SMTP plugin, which has a key. Google provides you a key, so it's more secure than the other email. Things are just evolving so fast. It's really hard to keep up.

No, I'm sorry. Remind me what HIPAA stands for again. It's the... Right, right. Double opt-in. Is that what you're... Okay, I haven't had to deal with that. You might want to find somebody who specializes in that.

Yes, ma'am. Gmail and apps should be the same at this point. I am. Yes, I am. I don't think I have on my Gmail account, which I don't use much anymore. I don't... I'm sure they have SPF and DMARC on that, actually.

Well, thanks, guys. I know that was kind of drinking from a fire hose.