All right, so I love MythBusters, right? I'm here with my people, because you all clearly love MythBusters too, but for me it's absolutely because I'm an information addict and I like to learn new things. And they address things, but they don't just pull up random bits of knowledge; they test them, figure them out, and actually decide whether it was fact or fiction, truth or myth. And I think that we can apply the same kind of system to learning a little bit about securing our WordPress sites, or even better yet just being secure on the internet, securing ourselves. So that's how I want to go through it. I want to look at a lot of these things that we hear about security and address whether they're actually helpful or whether they're not, whether they're fact or fiction.

And I'm gonna start with: security is scary, right? It's this big thing that we know we have to figure out because we live on the internet, and so we start to slowly plod through this weird thing, investigating it, figuring it out. But at some point we all make this mistake where we get on Google and we do some sort of search, and then the results come and we weren't really prepared. It just absolutely overwhelms us and freaks us the heck out, right? It's too much. You think, "I can do this. No, I can't do this. It's terrifying. There's no possible way that I can take on this whole security thing." But that one's busted, okay? Security's not that terrifying. It's a lot to take in, but it's not that terrifying.
So I'm Aaron Campbell. I lead the WordPress security team, so I dig into a lot of these bigger, slightly scarier security issues. This is Aragon. Aragon was a family pet for about ten years or so. She is a bearded dragon, the exact same kind that was in that video scaring the heck out of that cat, and she's actually super friendly and docile. She loves to just sit on your shoulder or sit on your lap and watch TV. She's vegetarian, so that cat had nothing to fear. It wasn't actually Godzilla. But to be fair, she's like an 18-inch-long lizard, and she does appear a little scary, especially for people that don't particularly like lizards. But my experience with her did not start like this. When we got her, she was about two and a half or three inches long, and she could sit in the palm of your hand, and these things that look like scary spikes were these soft little tiny things. And so, handling her and dealing with her every day as she grew, I know that these spikes aren't spiky. They're soft. You can pet them. They're gentle.

It looks scary, but it's not, and it's because I started at the beginning. I didn't just try to jump into the deep end, so to speak. And I think that if we do the same with our online security, if we do the same with securing our websites, if we start out with the basics and grow and build our knowledge base, then we'll be better prepared to handle everything as it comes along. We hear all kinds of things. To me, security, figuring out how to secure your site, isn't hard because of a lack of information. It tends to be hard because of an overwhelming amount of information that contradicts itself. There's so much information online, so many people saying you have to do this or that to keep your site secure, and those are the things that I want to look at first.

One of the things that you hear all the time is that you have to update, update, update, update. Update all the things: update WordPress and plugins and themes, and if you run your own hosting you need to update PHP and your database server and whatever it is. Update, always run the latest, that will help you stay secure. But is that the truth? Does that actually help keep you secure? Who thinks that this helps keep you secure online, updating all the things? Yeah. Who disagrees? Yeah, so this one is absolutely confirmed. I'm gonna start with the easy one here: update, update, update, update always, especially around WordPress. This is one of the best things that you can do to keep yourself secure online. And the counter-argument that I always hear is, "But when a release first comes out, isn't it more buggy? Isn't it likely to have more security vulnerabilities in it? Shouldn't I wait for the point-one release, or the next iteration?" And no, it's usually not. Could it potentially have more bugs in new features? That's a possibility. Is it gonna have more security vulnerabilities?
No. Every security vulnerability that we patch in WordPress, every time we find a thing and we fix it, we fix it in the current version, absolutely. So we're gonna release a, you know, whatever-point-something, and then we fix it in older versions if that's applicable, so that people still running some older versions can still update and get the fix. And we also fix it in the next version right then, at the same time. So when that next version comes out, the fix is already in the code base. It's already been sitting there. We don't have any security vulnerabilities that have been handled for our current version that have not already been taken care of for our future version. And so this is just how WordPress functions. You can trust that the updates are going to be the most secure version of WordPress that we know to exist. And one of the most common ways that a site is exploited is through known vulnerabilities in older versions being programmed into a system that's just running through and looking for anyone running an old version of WordPress, and breaking into sites. So keep your stuff up to date.

Something that I hear pretty consistently is this idea that no one will attack me. This one's a little... it goes something like this: if I'm running a business site or an e-commerce site, it's really, really, really important to pay attention to security, because people are gonna target me, they're gonna go after me. But on my personal site, or on my mom's blog, it's less important, because people are less likely to attack me. Are these bigger sites that carry personal, private information more likely to be attacked than these smaller sites that don't? Is it easier to secure a smaller site? Is it gonna be attacked less? I get some shaking heads. Absolutely not. When we think about hackers breaking into sites, we all tend to picture a person sitting at a computer saying, "This is the site I want to break into. I'm going to break into it," and actively attacking that site. Those kinds of attacks do exist, but they account for a fraction of 1% of overall attacks on the web. The 99-plus percent of the rest of the attacks are scripted attacks. It's bots, it's software that someone has written to crawl the web and try to break into every site. It doesn't care if this is a business site or a personal site. It doesn't even know. It just attacks every single site. As a matter of fact, if you've had a site on the internet for more than about five minutes, you've been attacked. Hopefully not successfully, but you absolutely have been attacked. And that sounds scary, and I'm sorry, but it's also a fact. I wish that this weren't the case. It would make my job a lot easier. But it is. You're going to be attacked. The good news is, because most of these attacks are these scripted software attacks, all we have to do is be better than that software. Our security practices need to deter this piece of software that's trying to break into our sites, and if we can accomplish that, then we can beat 99-plus percent of attacks on the web.
That's huge, and achievable. We can do that, and it's not even all that difficult. As we work through the rest of these myths and facts around security, if you can follow the general principles of the ones that are actual facts, that actually help you, then you will be able to deter this huge percentage of attacks. The guy that I feel put it the best, Gerald Baron (I used to work with him at iThemes), said it's not if you get attacked, but rather how you prevent it from being successful. And that's what we have to focus on, because we can't actually stop the attacks, but we can prevent them from being successful, and that's where we focus.

The next one that you hear pretty often is that we need to lock down our files. The way this one supposedly works is that if an attacker gets partway in, if they've gotten far enough in where they can try to write some sort of backdoor into a file on my server, and I have all those files locked down so that they can't be written to, then they won't be able to succeed. They won't be able to leave that backdoor for them to use later in compromising my site. We all see the file permissions. Sometimes it's like read-write-execute, read-write-execute; sometimes it's numeric, 777, right? We all see that. The question is, does locking those down, preventing them from being written to, make your site more secure? I see all kinds of different responses. This one can have some specific situations where things are a little different, but in general this one is busted, and here's why. I think there are actually a few reasons, and one is that I think it's putting security in the wrong place. First of all, to me, this is like if you put in a security door between your living room and kitchen so that if someone breaks into your house, they can't steal your china, right?

Let's just keep them out of the house completely. That's where I want them to stay. So if they're in far enough where they can be writing to your files, we've failed somewhere else along the way. Additionally, WordPress needs to write to some areas, right? We have uploads for media and things like that. So if they can't write to one specific file or directory, they're gonna try another until they find one that they can write to, and chances are one exists, because you like to be able to upload an image to attach to your post, right? That's a normal use case. So between those two, that's one whole side of the argument. And the other side comes more from my point of view on the security team, around automatic updates. Because if you've locked down your files so that they can't be written to, then that means WordPress can't automatically update itself, and I said that updating is extremely important to staying secure. For security releases, we can do that for you. When I push out a security release, whenever the next security release comes out, anyone that hasn't specifically gone in and locked down their files or disabled that, you're automatically gonna get updated to the most secure version. And usually I'm pushing that out because there's a vulnerability we need to fix. I want to be able to secure your site whether you're having a meeting with a client or sleeping; it doesn't matter, your site is updating and becoming more secure, just sort of magically, without you even having to worry about it. And if you lock down these files, you limit us from being able to help you. We have a team of 30-something people that are particularly good at security and are constantly worrying about the security of WordPress and keeping it as secure as possible. We'd like to help you by keeping your site as secure as we can too, but if you try to lock things down like this, you lock us out as well.

The next big thing, who's heard this one before? Don't use admin as a username, right?
You hear it all the time, and it's actually sort of a variation of "your username should be secret." You don't want people to know what your username is, because if they know what your username is, then they're halfway to breaking into your account, because you only have a username and a password. So if they know what your username is, they're halfway there. Does avoiding using admin, or any other known username, make you more secure? No. Smart people in here. Busted. Who here uses Twitter? Yeah, I do. It's @aaroncampbell. Now you know my username for Twitter, right? I use Gmail. When I give you my email address, which we all give out to everybody here left and right, then you know my username for Gmail, right? A username is not part of your security. A username is you claiming who you are. It's like if I walk into my bank and I say, "I'm Aaron, I want money." My bank says, "Okay, prove it." They expect some form of ID or something like that as proof. I come into my website login, I say, "I'm Aaron Campbell," and it says, "Okay, prove it." It wants a password. The password is where the security lies. The username is just a claim for who you are. And one of the reasons that I try to address topics like this: having a username that no one knows doesn't hurt your security. It just doesn't particularly help it, because there are a lot of ways to discover a username or figure it out programmatically. So these scripts that are crawling sites, that maybe used to be hard-coded to try the username admin, are now just figuring out what your username is and using it. Spending a lot of time trying to keep that username secret, to me that's you wasting time that you could be putting into efforts that actually make you more secure.

So these things that are myths, it's not that they're all so bad that they're gonna make your security worse. But when you spend time working on things to make yourself more secure and it doesn't make you more secure, you're less likely to do the other things that actually do make you more secure. If you're gonna do five things to keep yourself secure online, I want them all to be effective, because if four of them aren't, then you're less likely to do more.

What about changing your database prefix? Who has seen the database tables in a WordPress install? They're usually wp_users, wp_posts, all that, right? That wp_ is configurable. You can change that in your config file. You can make it anything you want that's valid in a database table name. The idea here is that as people are trying to break into your site, and they're trying to send commands to your database to pull a list of users, or to sneak in a user that you didn't want, or whatever it is, you don't want them to know what your table names are. You want to hide them from them. Does this make you more secure? No. I get a resounding no. Correct, it does not make you more secure. Again, this is one of those things where if you want to change your database prefix because you're running several sites in one database, or because you have a particular naming convention that you like, that's fine. But if you're doing it to keep yourself more secure, that's not helpful. Because, similar to the admin username thing, the scripts that we're up against now, these automated systems that are going through and trying to break into our sites, they're more intelligent than they used to be, and they no longer hard-code in database table names. If they're somehow in your WordPress already, then they're using the WordPress functions to pull the username just like the rest of WordPress. If they're just directly querying your database, they're asking it, "Hey, what tables do you have? Great, I'll use those ones." That's how these systems work now. So again, this isn't making you more secure.

What about moving or hiding the admin of WordPress? Every WordPress site, you can go to either wp-login.php and you get your little login form, or to wp-admin and it redirects you to your login form if you're not logged in. Right? Every WordPress site, and there's millions and millions of them online. Doesn't that make it easier for hackers that are trying to break into your site, or these scripts that are trying to break into your site, to try to log in, because they just know where to do it? So could you move that to some other URL and make the one that it used to be at, you know, 404 or something like that, in order to keep your site more secure? Does this keep you more secure? You hope so. I am sorry. You were so good with some of them. Busted. Let's say that you build a brand-new house. It's just this beautiful house, but you don't want people to break into this house, right? So you're on a nice street, you've got this beautiful manicured lawn, and you've got this little winding pathway up to a porch, and no door. No door, because if people are trying to break into your house, they're gonna try to come right to that door and break in, and you have fooled them. Except they know you have a door somewhere, right? They know that you get in and out of your house somewhere, and they're gonna find it. These scripts are pretty similar. They're very intelligent, and they are capable of doing all kinds of tricks to try to find your login page.
They are pretty successful at it, and that's okay. Let's just secure the login and not worry about hiding it, and we can do that. The other thing with this one is that WordPress was not really designed from the beginning to move admin somewhere else, and it breaks a lot of stuff. The number of external tools that struggle with this... it can be pretty frustrating when you move your admin, with all the other things that, as a rippling effect, it tends to bother. And you will definitely hear plugin developers, probably many of them here, curse the fact that plugins exist to move admin, because it makes their jobs so much harder. So this has a tendency to break stuff, but it also doesn't keep you more secure.

What about SSL? We've been hearing a lot about SSL over the relatively recent past, especially as Chrome has pushed harder and harder to have SSL be this big thing that's necessary. We see all the SEO people talking about how it dramatically affects your search engine rankings, which we know it at least affects some, because Google has said it does. But that's SEO, and a lot of people claim that this also helps with security. Does it? Is SSL on your site, is having your site be HTTPS instead of HTTP, is that important? Does that help your security? A little bit more tentative on the answer, but it eventually came: yes. Absolutely. SSL, every site. I want the entire internet to have SSL. I want every site everywhere to have it. It absolutely should, and prices have dropped dramatically to where many hosts are offering SSL for free or extremely inexpensively. It should absolutely be on every business site, every client site, every fun site, every meme site, every person's site about their collection of thimbles. Every site should have SSL. And the reason is that what it does is encrypt all the traffic between whatever computer is accessing your site, whether it's yours or one of your visitors', and the server that terminates the SSL, usually the actual web server. And that's huge, because that traffic goes through a lot of places. There are a lot of routers between you and there, and you don't know if those have been compromised and someone's listening in on traffic. Some people are accessing or logging into a site through coffee-house Wi-Fi, and you don't know who's on there listening. SSL means that even if that traffic is looked at between point A and point B, it's encrypted, so they can't just pull a username and password and go, "I'm gonna save this for later," which is a very common thing to do. These systems that are trying to break into your site are also trying to break into routers along the way, just to listen, so that they can break into your site easier. That's a thing that they do. SSL really dramatically helps with that.

Passwords, right? I'm not even gonna play with this. Passwords are important, right? I mean, I even said it earlier, right? Usernames, not so important; passwords are important. So why even put this in here? Well...
Passwords are really, really, really important, and we all know that we should have good passwords. The biggest thing that I see around passwords is that a lot of us don't really know what makes a good password. There is just as much totally terrible information about choosing good passwords out there as anything else. So instead of just saying passwords are important, I want to talk a little bit about what makes a good password.

Long passwords. The idea here is that longer is better, always longer is better. Password strength is measured in something called entropy, which roughly translates to the number of guesses it takes to break your password, and the idea is longer means more guesses. That's better. Does longer make your password better? Yes, yes, longer makes your password better, assuming everything else is equal. Everything else is not always equal, but assuming that everything else is equal, longer is better, more characters is better. Long doesn't mean like 8 to 12 characters. Long is like 20-plus at this point. That's the kind of computing power that we're at. My passwords tend to be 50 characters unless the site won't allow me to do it, and then I grump about that site and I get really frustrated, and sometimes I just leave and go, "It's not worth it," and sometimes I grump a little bit more and then pick whatever max length they let me.

What about substitutions? We've all seen this, right? The idea here is that you can pick letters that can be replaced with a number or a character that looks kind of like that letter, and it makes your password so much more elite, so much more powerful. Does this make your password more secure? No, it does not. I am amazed. Most people say "absolutely, yes" for that one, but you all came right in with the no. It doesn't, and the main reason, again, is that these scripts that are trying to break passwords, they know that people do this, so this kind of substitution is built in to trying to break your password. And there's really only a handful of characters in the English alphabet that are easily replaceable, and only a handful of replacements. So while it may increase the number of guesses required a little bit, it's not very much, and it increases the difficulty of remembering your password a lot. Right? You're like, was this L a one or an exclamation point? Oh no, I just left it an L. I mean, you can never tell, you can never remember. But substitutions are not particularly effective. They make it harder for humans, but not harder for computers, at least not much harder, and that's really what we're up against.

What about passphrases? So this is my dog King Air, by the way. This picture was taken while I was on a video conference call. I'm sitting in my chair, I'm talking to my computer, she thought I should be talking to her, and so for like a 30-minute conference call, this is what I saw the whole time, just sitting there staring at me. And the idea of a passphrase is that we can take something that's memorable to us and turn it into, basically, a password that is a sentence. And so maybe I would make my password something like "King Air watches me on calls." This is a thing that I could remember pretty easily, and it's long, 27 characters long. So are passphrases good? Do they make our passwords better? Do they keep us more secure online?

I love the "ehhh," because I'd say plausible, and here's why. Length is good. Length is good, but raw length isn't absolutely everything. Just a raw entropy measurement is based on the raw brute-force method of trying, like what we see in movies, right? Trying a, b, c, right, aa, ab, ac, trying to eventually get to your password. That is rarely used anymore, because it's very inefficient. A much more common attack is what's called a dictionary attack. They take the most commonly used words, and the good scripts are hitting your site and going, "I want to break into aaroncampbell.com." And so it scans my site, sees that I have a link off to Twitter, so it scans my social feed and it builds a dictionary based on words that I use. So my dog's name, which is really the only unique thing in here, King Air, is probably going to be in the dictionary, because I've probably tweeted about her before. And so they build this custom dictionary and then they use that to attempt to break your password. And with this comes a lot of the common things that we do. Who has numbers in their password, but they're at the end, right? We all do it. You're like, "Oh dang, it makes me have a number," and it's at the end. When you have to have a special character, it's an exclamation point at the end, isn't it? It always is. It's like my password is no longer "password," it's "password" plus a number and an exclamation point, right? And these systems, they know that, and so they will build these dictionary attacks. They try things like substitutions, spaces and no spaces when building sentences, using punctuation at the end, numbers at the end. These are the common things. And so while this may take a long time to crack using what we see in movies, that raw brute force, the adjusted entropy of only five words, and them being kind of common words that I would use, is not great.
You can make passphrases that are really good. You can combine them with some special-character things. I've done things like pick a mathematical formula and put that in the middle of a passphrase or something, and that can dramatically increase the strength of a passphrase and still make it pretty easy to use. But the best thing that you can do is just use a password manager. Who here uses a password manager? I love that. The percentage is getting higher every time I give this talk. I love it. Over the last year or so, in variations of these security talks, I'm always trying to find out who's using a password manager, because passwords are so important, and the only way you can have good password practices online is to use a password manager. Because good passwords are long, random, and unique. Long being, like I said, at least 20 characters. Random being actually randomly generated; that's the best-case scenario, because you would force these scripts to use the least efficient method of breaking your password possible, that raw brute force. And unique, meaning it's only ever used in one place. So if you log into a hundred different places, you need a hundred different long random passwords, and you're not going to remember those, so you need a password manager to do that. I use LastPass; a lot of people use 1Password.
I don't care which one you use. There's a lot of good ones out there, but you need a password manager. So if you didn't raise your hand, you were surrounded by people that did. Talk to one of them, learn about password managers. I'm basically out of time, but I would like to see if anybody has other things that they've heard, and see if we get a minute or two to squash some myths right now.

I think that in those situations where they're using social engineering and they're getting some sort of key logger in place, whether that's on your system or somewhere between you and the endpoint, that could be the case. The number of attacks that we see doing that kind of thing, compared to the ones that are just brute hacking, that's a small fraction. So you're kind of hedging your bets that you're going to be hit by this little percentage, whereas it's much more likely to be hit by the bigger thing. If the key logger is somewhere not on your computer, then SSL is going to help protect you against that, because they're not going to be able to see it. If it is on your computer, and that's a thing that you're really scared of, two-factor authentication is the actual answer to that one, not passphrases. And that's because even if they log that six-digit code that you type in, it changes 30 seconds later. By the time they get the chance to use it, because most of them aren't taking action immediately, it's going to someone else, they're using it later, and by then it's no good.

Last question.

If you're on a terribly unreliable server that may serve up raw PHP, probably, but in general not especially. The only risk there is if something has happened to your server to the point that it is serving that PHP in plain text to a person when they visit it, and that should never happen. So generally speaking, no, it doesn't necessarily hurt anything, again, but it's not a dramatic increase in security.

I'm Aaron Campbell. I am employed by GoDaddy to work full-time on the WordPress project. I do that by leading the security team. I am going to be around for the rest of the day, because I see that there's more questions. I would love to take them, but I've got to cede this to the next speaker.
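The password-strength argument from the talk (raw brute-force entropy versus a dictionary attack that already knows about substitutions, trailing digits and trailing punctuation, and 20-plus-character random passwords) worked through in numbers. This is an added Python example, not part of the talk; the dictionary size and the "trick" multipliers are assumptions, and the passphrase is the talk's own example phrase.

```python
import math
import secrets
import string

# Assumed attacker model (illustrative numbers, not from the talk).
DICTIONARY_WORDS = 20_000   # common words plus words scraped from the target's social feed
TRAILING_DIGITS = 10        # the "number at the end" habit: one of 0-9 appended
TRAILING_PUNCT = 4          # the "exclamation point at the end" habit: ! . ? , (assumption)
SPACING_VARIANTS = 2        # phrase tried with spaces and without
# Substitutions a leet-aware cracker tries for each letter (assumption).
LEET_MAP = {"a": "4@", "e": "3", "i": "1!", "l": "1|", "o": "0", "s": "5$", "t": "7"}

# Constructed example inputs.
PASSPHRASE = "king air watches me on calls"   # the talk's example phrase
PHRASE_WORDS = 5                              # the talk counts it as five words
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def brute_force_bits(password: str, alphabet_size: int) -> float:
    """Entropy against exhaustive search (the 'movie' attack): log2(alphabet ** length).
    This is the number the raw-length argument relies on."""
    return len(password) * math.log2(alphabet_size)


def dictionary_bits(num_words: int, with_tricks: bool = True) -> float:
    """Entropy against a dictionary attack on an n-word phrase of common words.
    The cracker guesses word combinations, so the cost is words ** n, and the
    habitual 'tricks' only multiply that by small constants."""
    bits = num_words * math.log2(DICTIONARY_WORDS)
    if with_tricks:
        bits += math.log2(TRAILING_DIGITS * TRAILING_PUNCT * SPACING_VARIANTS)
    return bits


def leet_variants(word: str) -> int:
    """Spellings a substitution-aware cracker must try for one word: the plain
    letter plus each listed replacement, multiplied per position."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET_MAP.get(ch, ""))
    return count


def leet_bits_added(word: str) -> float:
    """Bits that substitutions add over the plain word: log2 of the variant count."""
    return math.log2(leet_variants(word))


def random_password(length: int = 20) -> str:
    """Generate a password the way a password manager does: uniform random symbols."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_bits(length: int = 20) -> float:
    """Entropy of a uniformly random password over the printable set; there is no
    dictionary shortcut here, so brute force is the best a cracker can do."""
    return length * math.log2(len(PRINTABLE))


def compare() -> dict:
    """Collect the estimates the talk argues about, in bits."""
    return {
        "passphrase_brute_force": brute_force_bits(PASSPHRASE, 27),  # a-z plus space
        "passphrase_dictionary_plain": dictionary_bits(PHRASE_WORDS, with_tricks=False),
        "passphrase_dictionary_with_tricks": dictionary_bits(PHRASE_WORDS),
        "leet_gain_for_password": leet_bits_added("password"),
        "one_extra_random_char": math.log2(len(PRINTABLE)),
        "random_20_chars": random_bits(20),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:36s} {bits:7.1f} bits")
    print("sample random password:", random_password(20))
```

Run as a script it prints the comparison: the phrase looks like about 133 bits under raw brute force but only about 78 bits against the dictionary model, leet-speak on "password" buys fewer bits than one extra random character, and 20 random printable characters land around 131 bits.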