All right, thank you for coming out. Can everyone hear me okay in the back? Perfect. Has anyone been the lucky candidate of being hacked? Yeah, me too. Apparently that's a requirement to get good at anything: to be the sacrificial lamb, whether you signed up for it or not. Unfortunately, I've been hacked more times than I want to admit, and as a result I've gotten pretty good at not getting hacked. What I'd like to share today is some of the things that happen when an unfortunate situation like that happens, and how to ensure that it doesn't happen. But more importantly, we'll talk about planning. It's better to plan to be hacked, be prepared to handle it, pray it never happens, and take extra steps as time goes on to ensure that day never comes.

So what if your website gets hacked? Well, your website is either going to be down, it's going to be defaced, or, probably at a minimum, it's not going to be functioning quite the way you expected it to. Sometimes websites that get hacked don't even know it for a long time. Depending on the type of hack, it could be malware, and it may be that your users are getting infected, and that's purely the purpose of the hack. So it's a really difficult situation to be in, and a difficult one to address.

But what happens to your revenue? If your website does indeed produce revenue for your organization or for you individually, that's probably either going to stop or be affected in some negative way, and that can happen in multiple ways. It can also negatively affect your SEO ranking. If you've been to any of the other talks and you know about SEO, well, SEO is not an overnight thing. I know SEO very well, and it takes time.
It takes a lot of effort, and if all of a sudden one day your website gets hacked and tomorrow you're no longer in the top ten, much less the top three, and we talk about revenue being affected, well, your traffic just went away, and that's going to affect your revenue. So that's a big deal, and that may be harder to bounce back from than maybe your reputation or other things, because SEO is not an easy thing to do.

It could also damage your reputation, or, importantly, your company's reputation. Honestly, if you're smaller, that may be easy to bounce back from. As a large organization, that reputation is something you have been building for years, possibly decades. How much money, how much time? It's insult to injury: you've already lost revenue, your website went down, you're playing damage control, you're trying to get back up, and, oh by the way, you now have a reputation for an insecure website. Ouch. That's a bad, bad scenario.

Unfortunately, you could also be liable for damages. If your website got infected with malware, then that malware is possibly being spread to the users who are visiting your website. What does that look like? Are you going to be liable? Get legal advice. Maybe you should have insurance once you get to a certain level in your business. These are things you need to be asking yourself: at what point do I need to have insurance? Because you could do everything right.
I mean, my goodness, NASA's been hacked, the FBI gets hacked. Name a company; they've probably been hacked. Unfortunately, it happens. But the key here, in WordPress land, is that you don't want to be an easy target, and you want to take additional steps, the more serious you get about your business and your website, to prevent situations like this from happening. But even when all else fails, there is insurance out there that can handle the financial burdens that come with that. So these are things you may want to talk about with your insurance agent and with your attorney, and maybe you stair-step that in later as time progresses and build a budget to pay for those things. Things to think about.

Oh, and by the way, you know how you planned on going out to dinner tonight, or you've got a fancy date on Friday? A hacked website might ruin those plans. Unfortunately, I've had a hacked website ruin my week. It happens. It depends on how big the site is and how intricate and involved it is. So it's very important that you have a plan in place.

In addition, how does that make you feel? We talk about the damages, we talk about "oh, my website's down, it's not working," but how does it make you feel? It's like someone broke into your house, graffitied your bedroom, and then left. Ooh. So violated. But just to make sure that it's not just me that feels violated, or me that feels this is bad, I decided to consult an expert in the field of feelings: my wife, of course. She's an expert.
She actually is; she's a psychotherapist. So I asked her opinion, as a professional psychotherapist in neuroscience, on hacked websites, and here's what she said:

"When someone gets hacked they go into a neurologically disorganized mental state. This instinctive response causes the brain's neocortex to go offline momentarily, thus their decision-making and problem-solving abilities are temporarily inaccessible. Security is so much more than just technology. It's also psychological."

And I was blown away. It's like, wow. That's Shannon O'Neill; she's a psychotherapist here in Asheville. I was just like, wow, I never really thought of it like that, but it's true. When my website got hacked I was in a state of freeze. Fight, flight, or freeze: those are the three things they teach you, and it's an instinctive response. I go into "what do I do?" Well, that's not the time to start planning what to do, come to find out, because your mind is, apparently, temporarily inaccessible.

It was interesting that she didn't focus on the website, because she doesn't care about your website. By the way, she didn't care about my website either. She has a website too, and she doesn't care about that. What she cares about is people and people's feelings. And you thought this was going to be a technical talk. It will be, I promise. You notice she said when someone gets hacked, you're violated, and there's no way to turn that off unless you're just not human. As far as I can tell, everyone in the room is human. So how do we safeguard against this? What do we do when you get hacked and you're in that position of "I'm overwhelmed"?
I'm frozen, my jaw has hit the ground. Even if you are a developer and you are capable of doing the things it takes that I'm going to talk about (I'm capable of doing it), am I really the best person to do it in the moment where my problem-solving and decision-making abilities are temporarily inaccessible? Well, how about we have a plan before you get hacked? That's the key. It's an emergency plan.

I guarantee you that there is a plan. There's an evacuation plan for this building if there's a fire. If there's not, there's a big problem with this facility, and I highly doubt that's the case. There is an evacuation plan if this place catches fire: they say go out this door, go straight out, stand near the tree out there, and we'll do a head count. Whatever it is, there is an actual written plan. That exists for a reason. If you don't plan to succeed, you plan to fail, and there's no doubt in that.

So it's important to implement as part of your plan not just "here's what we're going to do when it goes bad," but let's do some things proactively to hopefully prevent that from happening, and let's even implement things at certain intervals. Hey, let's audit ourselves. Let's look at this annually, let's look at this ever so often and see: is our plan out of date? Is it still viable? Maybe have someone else look at it who's not so close to the project and get their perspective. Have someone externally audit you. The key is you need to have things in place before things go bad, and then when they do go bad, what do you do? Have a plan. Create an incident response plan as part of your plan, and that's what you're going to do: okay, this place is on fire. All right, we go out that door. There's the exit sign over there; it's lit up nice and red.
That's per the plan, and that's what we're going to do as well. Keep in mind, a lack of planning on your part doesn't constitute an emergency on mine. So if you decide that that guy over there is part of your plan, you probably ought to let him know that, because if he doesn't know and he gets a phone call, it's going to slow down the time frame for getting your website back up and running and doing damage control. It's going to slow down the progress, and maybe he's not available. So who's your backup plan? That needs to be in your plan.

So, implementing security measures. First of all, use better hosting. I've heard this three times today: "Which hosting company do you suggest?" The first thing that comes out of my mouth is, what kind of website do you have? There's not a hosting company, unfortunately, that is the hosting company. Every website is different, everyone's needs are different, and what works for one website may not work for another, for various reasons, and that's a whole other talk. The reality is you should be focusing on what your needs are and then figuring out what hosting meets those needs. So for anyone that wants a quick "what company do you suggest we go with?", I'll tell you who I use, but that's meeting my needs in this moment, and those needs may change down the road. The needs for your website or websites will be much different.

Keep in mind your hosting is the first line of security. So if you've got cheap five-dollar hosting, the cheapest hosting, and things go wrong and you call up hosting company XYZ and say, "Hey guys, my website got hacked," I really don't know how good the service is going to be, considering you're paying five dollars a month for your hosting. Maybe they'll be good, maybe they won't. Maybe the security is not that great because they're trying to cater to a cheap hosting plan that doesn't involve security.
That's something to keep in mind. So when you start getting serious about your business and about your website, you need to get serious about your hosting. And part of the serious hosting aspect is they have to keep their servers up to date, no different than the fact that you need to keep your website up to date. The first thing that's a red flag in my mind is when someone goes, "Oh, my website just got hacked, I'm a wreck, what do I do?" They're calling their neighbor who knows nothing about websites, they're calling Jim over here who's an airplane mechanic and not a web developer, and then they call me, and I say, "Well, did you update your website? Is your website up to date?" "Well, I've got to do that." Yes, that. Keeping your website up to date doesn't require you to be a developer, but it does require you to do it. And you can automate some of those things, too; there are great tools out there.

Also, use strong passwords. The other big factor is people will use scripts to brute-force their way into your website. Now, good hosting will prevent the brute-force attack. Use better hosting. But if you use a strong password, it's a lot more difficult to get into your website. And don't recycle your passwords; don't use them in multiple places or multiple accounts, or ever again. Use them once, make them unique, use strong passwords, and change them periodically.

Change your database prefix. I will go into a little more detail about this in just a minute, but each table in your database is prefixed, so that when someone tries to do a database injection, if they don't know the name of the table where your users are, it's going to be difficult for them to create their own admin user. So we want to make that as hard as possible. If they are able to get to a certain level of access, we'll make those hurdles as tall and as many as possible. And that's what security is: nothing more than a huge layer of hurdles for some intruder to jump over. I like to think of it as an onion.

Also implement local and off-site backups. Most people that have a website, that are not techie and never really experienced any issues, go, "Oh, that's what my hosting company does." That might be true. Ask them. Ask them if they do local and off-site. You don't necessarily have to have local; that's more for convenience. But you probably want off-site backups, because what if the server goes down hard? They may be able to restore you. Or you get hacked and you need to go back a month, because you just now realized that you were hacked, and it was a pretty embedded hack that was pretty hard to discover until it started creeping up. So you may need to go back pretty far, and a hosting company, depending on the type of hosting you have, the type of plan, and the company itself, may only have maybe seven days' worth of backups, or thirty days. They may not have long-term backups because that's not part of your plan. But it needs to be part of your plan. So if they don't provide it, find someone who will.

And for everything else, if you're running WordPress these days, you probably want to have some sort of security plugin. Now, there are a lot of security plugins out there. I have one myself that's free, but the reality is, again, it's not one-size-fits-all. Depending on the type of hosting you have, if you've got cheap hosting, you may have to compensate more with a security plugin, or if you've got fantastic hosting, you may not need a plugin at all. So that's again coming back to hosting; that's really where most of your security is going to be. The security that's handled on the website itself is what you would consider hardening: shoring up the vulnerabilities that the software itself creates.
You really don't want your website to try to be a security server, because it needs to be the blog, or whatever your website's purpose is.

So, I mentioned changing the database prefix when you install WordPress. Did anyone go to the pre-camp yesterday? Okay, so they did an example install of WordPress from scratch, correct? Okay. When you're installing WordPress for the first time you'll have the screen right here, and this is your golden opportunity to make it easy. Change that wp_ to something else. Now, I haven't done a recent install of WordPress, so they might be changing it by default these days; someone mentioned that to me, so I'm not sure. But if you get the opportunity, make sure that it does not say wp_, because obscurity is not security, but it's just another layer in the onion of security, and we don't want to make it easy. Now, if you want to know what your current prefix is, you can actually go to your wp-config.php file in the root of your website, and there'll be a setting in there that'll tell you what it is. If you're using wp_, do not just change that; you actually have to change your database, and that's a little bit more involved. There are plugins that do it, but back up your site if you plan to go that route. I think I reference a tutorial on how to do it in here, on WPBeginner. If you've had a WordPress site for any length of time, you've probably been on wpbeginner.com, which is a great resource for learning how to do a lot of things, from basic to pretty advanced.
So if there's anything on here that you're like, "I don't really know how to do that," either find a professional or go to WPBeginner or somewhere online that'll have a good tutorial on how to do it. YouTube's another great resource.

As far as security plugins, Security Safe is a plugin that I built. I did not build it for you guys; I actually built it for myself, because I was managing a tremendous amount of sites, implementing security features, and I'm going, "Gosh, this is a nightmare to manage." So I thought, well, it'd be great to just hit a button and update them all. That'd be fantastic. Well, it's easy to do that if you have a plugin in the WordPress repository, so I just started installing it on the websites I use. I'm my biggest customer, so when things break, I fix them. But there are of course other people that use the plugin. Many of these other plugins I actually use as well; actually, I use every one of these plugins. It depends on the website, it depends on their needs, and so you've got to figure out what works for you. Sucuri is a great plugin; they also have a web application firewall that goes with their service, so they are a little bit different than the other ones. And I think All In One WP Security and Wordfence are very extensible security plugins. So I recommend checking out all of these, figuring out what your needs are, and going with the one that makes sense for you.

With your incident response plan, the point here is this is going to be the plan that you made while you were mentally coherent, hopefully. So basically, your website gets hacked, you get the nasty email going, "Oh no," or a client just told you that their website's hacked, or maybe it's your personal website, and you're freaking out. Grab this plan. This is the plan you're going to grab. It's not the time to change the plan or revise the plan. This is the time to execute the plan.
Hopefully it has already been revised, shored up, and reviewed regularly. But it needs to be a step-by-step plan on what to do and who to call. And so I always recommend: don't just call me, or call John or Fred or Sherry or whoever. Have multiple names in there, with phone numbers and emails, in your plan, so you're not completely reliant on one person, because maybe they're on vacation and they're nowhere near their phone or internet service, or they're traveling. You don't want your website or your client's website to be down for an extended period of time because you didn't have a backup plan and a backup to the backup. So maybe I say three developers, and then I hear someone say, "Well, I have a company that takes care of that for me." Well, that's okay; that's actually fantastic. Hopefully they have at least three developers. If they don't, maybe you need to put some developers in your plan as a backup in case that falls through. I just want to be prepared. I do not like unforeseen problems in a moment of crisis. I want to know that I know exactly what to do, and I'm going to do X, Y, and Z and we're back up and running, and now the only thing I've got to worry about is damage control on the other things that are not technical.

By the way, make sure they know about it. Just because you're here at this talk today and you know my name, and you find out my phone number and email and everything, and you add me to your plan, but I don't know about it, that's kind of an issue. Because if I'm not actively doing development on your site, or don't have history with it, and another developer doesn't either, there's going to be a delay as well. One, I might not be available, or they may not be available. And you've still got to get them access to your server or whatever resources they're going to need to get everything back up and running. Maybe it's your off-site backups. So you're going to want to have access to those types of things, such as your hosting: what is your login, what's your password? You want to have access to those assets very readily available and together. When you're in the moment of crisis, jumping all over the board trying to gather all this information together is not the time to be doing it. If you can have all this information together, that process of getting everything back up and running is much smoother, and you don't have to think about it; you just follow the directions.

Also, you've got to have backups available for restoration. The other day I had to do a backup restoration, and we had never done a backup restoration on this particular site, and I was a little nervous about it because it was a big site. We decided to do it on a staging server, not live, just another server, to see if it would go well. It did not go well. However, that's a good thing, because I want to know that my plan failed before I need it. So once you have your plan in place and you go, "Well, okay, we've got our backups here and there and did it all right," let's do a test run. Let's throw up a dev server or a dev site and let's trash it and redo it and run through the process. How long did that take? Are we looking at 30 minutes here? Are we looking at an hour? What are we looking at?
I want to know what to expect when the house is on fire.

So now your website's hacked and you're knee-deep in it. You've got your backups already available, you've contacted whoever you need to contact to get things moving forward. This is where your developer, or you if you are that person, does this; this is what I would suggest they do. The biggest mistake someone makes on a hacked website is they delete it. "Well, we don't want a hacked website." Well, you actually do, because we want to zip that hacked version up so that we can look at it later in a controlled environment and figure out what went wrong. We don't have time for that right now; we just need to zip it. We zip it, we download it, and then we delete everything. But if you delete everything before we have a copy of the contaminated version, and then they ask you, "Well, what happened? How did you get hacked?" "I don't know, no idea." Well, if I have no idea, how am I going to prevent it from happening again? You don't know. So at least when you have the hacked version, you can spin up a VPS, or a virtual website locally on your machine, and play around with it and see what went wrong. If it's got malware, you might want to do it in a more containerized environment, a virtual environment, so that your computer is not affected. So be cautious when getting to that aspect, and you want to hand that off to someone who knows what they're doing.

From there, and this is why I say delete everything: I don't like to assume that my backup has a good version of WordPress. Honestly, I don't back up WordPress. Why? What if my backup is contaminated? What if the core is actually contaminated? I'm going to be restoring a backup from yesterday that's contaminated. No, I don't want that.
I want to make sure that I'm running on a clean slate, so I'm going to install the newest, up-to-date version of WordPress on a fresh install, so that I know without a doubt. I don't have to worry about scanning my site to make sure it's clean. No, it's clean because it's brand new. And then you go through the manual process of creating a new database. Do not use that old database. You'll actually want to delete that old database and the old database username, and create a new database name and a new database user. And this is something I found out is a problem too, and I never really thought about it before until I saw it, I don't know, about a year ago: sometimes people make their username and their database name the same. Well, that's not hard to figure out, because someone will try it. And they'll sometimes make their password the same. Don't do that. The key here is you want to make it hard for someone to get in, because we don't want them to get in. So make sure those things are different. Make sure they're not predictable.

With cPanel, if you've done any form of web development in the past, you'll notice that there's cPanel and MySQL, and they will create a database for you. Great. You type in a name and they'll use your domain name to create part of your database name. That's predictable. Don't do that. Make it unpredictable. Same thing with your user: make it unpredictable, and don't just add "usr" after your database name. Guilty. But that's why it's important to review your website, because maybe when you made it you were tired; it was two o'clock in the morning.
You'd been working all day and you had a moment of poor judgment, and you were in a rush because you were tired, or someone was. So it's good to review things, either with a second set of eyes or even just a fresh set of eyes the next day, or periodically. I highly recommend regularly, on a schedule, either every year or every six months depending on your type of business and how scaled it is, so that you can catch things like this.

At this point, once you have a new database and a new database user, and that user has access to the database with all permissions, you're going to go ahead and import your backed-up database. Now, how far do you go back on your backup? That's hard to say. I don't know; it depends. When did you notice it? That's the frustrating part about importing a backup. So if you go through this process, you create a new WordPress site, you get it going, and you restore your backup and find out your backup is contaminated from yesterday, we're going to have to do it again. But guess what? You're going to get good at it, or someone is. Not really ideal. I like to say, if I can go back a week, I want to actually go back as far as I can go back that I know the data will be okay. So if I haven't edited the website in about a month, I'm going to go back as far as I can go, because I want to ensure that this website is not contaminated, because I don't want to do this again. I'm already emotionally distressed. Doing it a second time is just, I mean, you're probably going to be really upset about it.

Once you've got your backup database in place, you'll put your backup files in place. Now, keep in mind, I said I don't back up WordPress itself.
I only back up the wp-content directory, or specific folders within that directory, more specifically the active theme. If you're on a child theme, you probably want to bring the parent theme with you; that's important to do also. Depending on the type of plugins you're using, if you're using premium plugins you may want to back up your actual plugins. But if you're not using premium plugins, back up the list of plugins and install new ones, because maybe they're contaminated. I like to take as little risk as possible, because I don't want to do this again. And unfortunately, I say that because I have done this again. I've done four restores on one website because it wasn't right on any of the first three. And that's why I say I hope you didn't have plans on Friday, because your week might be ruined. My week was ruined, and I kept reliving it, so we don't want that to happen.

Once you've got your website back up and running, you've got your files in place that you just downloaded; you zipped them, or you got them from wherever, and they were probably zipped or in a tar file, an archive file, and you put them on your website. Well, it's important to check your actual file permissions. This is not something I used to do, and I ran into a scenario where I had migrated a site. It wasn't hacked, but I had migrated a site from one server: I downloaded a backup of it to my local desktop, then I uploaded it to the future server. When it was all said and done, my permissions were a wreck. They were all wrong, meaning they were vulnerable: people who could see files that they shouldn't be able to see, could write to files that they shouldn't be able to write to. And I say people, like you people, all the people that don't have access to my website, could write to my website. And I was just, wow. I mean, how can I prevent this?
Well, if you have command-line access to your server, a good system admin will write a one-liner, hit enter, and it'll recursively change all your file permissions and fix them. But if you don't have access to your server, how are you going to do that? So I decided to make a handy-dandy tool, because I don't always have access to the server of the website that I'm working on. Whatever the reason is: it's not my server, it's not a server I have access to, it's on shared hosting, whatever. I wanted a tool to be able to audit that very quickly and be able to correct those issues. And so Security Safe, which is the plugin that I built, does have this ability. I don't know of any other plugins that do this; that's kind of why I created it. There might be some out there, so if there are, please let me know; I'd love to know. But this is a free tool. Even if you don't use Security Safe for your security plugin, install it, do a quick audit on your files, make sure they're good, make them right, and then uninstall it. I do that a lot. So that was extremely handy to me and a really big eye-opener, because that was a blind spot for me when restoring and migrating sites. You learn the hard way, so hopefully you won't have to experience that.

In addition, once your files are good and you've got your theme back up and running, you're like, "I'm good, right?"
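Editor's addition, not part of the talk and not code from the Security Safe plugin: the "one-liner" the speaker mentions, plus two of the other post-restore checks he describes (reading the table prefix out of wp-config.php and generating fresh salts), written as POSIX sh functions. It assumes a stock single-site WordPress document root already owned by the account the web server runs as, and that nothing on the site needs anything looser than 755 on directories and 644 on files; the local salt generator is a stand-in for the api.wordpress.org endpoint he uses, not a replacement for it.

```shell
#!/bin/sh
# Editor's added example; not from the talk or the Security Safe plugin.
# Helpers for the post-restore checks described above, for a stock
# single-site WordPress document root. Assumes the tree is already owned
# by the account the web server runs as and that no plugin needs anything
# looser than 755/644.

# The "one-liner" idea: walk the tree once and reset every directory to
# 755 and every file to 644, then lock wp-config.php (DB credentials and
# salts) down to 600. Takes the document root as its only argument.
fix_wp_permissions() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Audit the condition from the bad migration: how many entries under the
# root are writable by "other" (mode bit 002)? Prints 0 on a clean tree.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Read $table_prefix out of a wp-config.php. Prints the prefix, e.g. wp_
wp_table_prefix() {
    sed -n 's/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*["'\'']\([^"'\'']*\)["'\''].*/\1/p' "$1"
}

# Exit 0 when the install is still on the default wp_ prefix.
is_default_prefix() {
    [ "$(wp_table_prefix "$1")" = "wp_" ]
}

# Fresh keys and salts for wp-config.php. The talk fetches these from
# https://api.wordpress.org/secret-key/1.1/salt/; this offline version
# draws 64 characters per constant from /dev/urandom instead, from a
# character set that excludes ' and \ so the values drop straight into a
# PHP single-quoted string. Replacing all eight defines invalidates every
# existing login cookie, which is the logout effect described in the talk.
generate_wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        secret=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?;:,.|~-' </dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$name" "$secret"
    done
}

# Typical run against a document root (paths are placeholders):
#   fix_wp_permissions /var/www/example && count_world_writable /var/www/example
#   is_default_prefix /var/www/example/wp-config.php && echo "still on wp_"
#   generate_wp_salts   # paste the output over the old defines in wp-config.php
```

Run `count_world_writable` before and after `fix_wp_permissions`: the first number is what the speaker saw after his migration, the second should be 0. The salt output replaces the whole key/salt block in wp-config.php in one go; changing only some of the eight constants leaves some cookies valid.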
Not yet. Your website's back up and running, everything looks good, but now we need to do a little due diligence here. We need to make sure that everyone that's logged in gets logged out, and you can do this if you go into the wp-config.php file in the actual public_html directory, the root of your website. You see all this stuff right here, all that, whatever that is; they call them keys, or secret keys, or salts. You can actually go to https://api.wordpress.org/secret-key/1.1/salt/ in your web browser and it will generate a new crazy little key for you, and you can delete that whole section, paste it back in there, and save it. Once you do that, immediately everyone will be required to log back in. In addition to that, you probably want to force everyone to reset their passwords as well. I would probably force everyone to log out, but I actually had that maybe a little backwards. Maybe have them change their passwords first and then force them to log out, because if they change their passwords while they're actively logged in, they're still logged in.

Regardless, if your website's been hacked, even though you did have a prefix that wasn't wp_, this would be a golden opportunity to change it again, just for good measure. You don't have to, but I would, because if someone got into your database, now they know the structure of your old database. Change it. There are plugins that do it, but I will warn you that this can break things, so you want to make sure you know what to expect and you know where to go to fix it. I get nervous every time I do it, but I eventually get it to work, and I always forget where one little thing is. Depending on what plugins you have, some plugins may rely on that prefix, so it can be kind of hairy changing a prefix after an install of WordPress. So if you're reinstalling WordPress, be sure to actually change it before you get everything back up and running. If you want to know how to do it, here's a link. I forgot to mention it earlier, but there's actually a link at the end of this presentation, and at the beginning, that you can go to to reference all these links and this presentation at a later time. This is a reference to WPBeginner; they have a video, and it's pretty in-depth, so it's very helpful. I find myself going there all the time, and I don't really consider myself to be a beginner.

Force all users to change their passwords. Well, how do I do that? I don't know; that's why I have a link here that I reference, because I'd rather focus on remembering to do something else, because I don't do this all the time either. I only do it when I need it. So maybe part of your plan, when you're making your written plan, is that you have links to these things that are easy. Maybe it's a Google Doc that you just have and share with developers, and they have access to that. So have these links in there too. Just because they know how to do it doesn't mean that they have to remember it. We want to cut down the time from when your website is down to the time it's back up and running as if nothing happened, like a pro. We want to make that as small as possible.

And don't forget to clear your cache. You might be looking at that hacked website a couple of times, especially if you're using Sucuri or Cloudflare. It bites me all the time. So once you realize your website has been hacked, disabling the cache is usually the first thing that I like to do. I don't know if I mentioned that earlier, but that'd be smart to do. You don't want to go round and round for an hour and then realize you've been looking at the wrong version this whole time because it was a static cached version. A lot of times people forget to change their password on their hosting account after they've been hacked. Probably not necessary, but I like to consider everything tainted. Everything's bad.
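Editor's addition, not part of the talk and not the WPBeginner tutorial or any plugin: a POSIX sh generator for the SQL behind the prefix change discussed above, so the statements can be read before anything touches the database. The "one little thing" that is easy to forget after renaming the tables is that two sets of rows also embed the prefix in their values: the role definitions in `options.option_name` (`wp_user_roles`) and each user's capabilities and level in `usermeta.meta_key` (`wp_capabilities`, `wp_user_level`); rename the tables without updating those rows and nobody can log in. It assumes the twelve core tables of a single-site install (plugin tables, such as Wordfence's `wfconfig`, are passed as extra arguments), and the `k7q_` prefix in the usage lines is just a made-up example.

```shell
#!/bin/sh
# Editor's added example; not from the talk, WPBeginner, or any plugin.
# Emits the SQL for moving a WordPress install from one table prefix to
# another. Assumes a single-site install with the twelve core tables;
# pass the suffixes of any plugin tables as extra arguments. Review the
# output, run it against a tested backup first, then the live database.

CORE_TABLES="commentmeta comments links options postmeta posts
term_relationships term_taxonomy termmeta terms usermeta users"

# Usage: prefix_rename_sql OLD NEW [extra_table_suffix ...]
# RENAME TABLE for every table, then the two UPDATEs people forget: the
# role definitions live in OLDoptions.option_name as 'OLDuser_roles', and
# each user's capabilities/level live in OLDusermeta.meta_key as
# 'OLDcapabilities' and 'OLDuser_level'. Leave those rows alone and no
# account can log in after the rename.
prefix_rename_sql() {
    old="$1"; new="$2"; shift 2
    case "$new" in
        ""|*[!A-Za-z0-9_]*) echo "new prefix must match [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    case "$old" in
        ""|*[!A-Za-z0-9_]*) echo "old prefix must match [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    # '_' is a one-character wildcard in LIKE, so 'wp_%' would also match
    # 'wpx...'. Escape it so the pattern matches the prefix literally.
    like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')
    start=$((${#old} + 1))    # SUBSTRING is 1-based: keep what follows the old prefix

    for t in $CORE_TABLES "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Tables were renamed above, so the UPDATEs address them by the new name.
    for col in "options option_name" "usermeta meta_key"; do
        set -- $col
        printf "UPDATE \`%s%s\` SET %s = CONCAT('%s', SUBSTRING(%s, %d)) WHERE %s LIKE '%s%%';\n" \
            "$new" "$1" "$2" "$new" "$2" "$start" "$2" "$like_old"
    done
}

# Rewrite $table_prefix in a wp-config.php to NEW. Prints the new file to
# stdout so it can be diffed before it replaces the original.
set_wp_table_prefix() {
    file="$1"; new="$2"
    case "$new" in
        ""|*[!A-Za-z0-9_]*) echo "new prefix must match [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    sed 's/^\([[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*\)["'\''][^"'\'']*["'\'']/\1'\'"$new"\''/' "$file"
}

# Typical use (k7q_ is an invented prefix; wfconfig/wfhits are Wordfence tables):
#   prefix_rename_sql wp_ k7q_ wfconfig wfhits > rename.sql    # read it, then: mysql DB < rename.sql
#   set_wp_table_prefix wp-config.php k7q_ > wp-config.php.new  # diff, then move into place
```

Do the database and wp-config.php in the same maintenance window: with the tables renamed and the old `$table_prefix` still in the config, WordPress sees an empty database and offers to reinstall. Any plugin table whose suffix is left off the argument list keeps the old prefix and will simply not be found by that plugin afterwards, which is the breakage the speaker warns about.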
Everything that you had in place, something didn't work. We don't know what didn't work, so we're gonna start over. I just like to be sure. Do they have your password? I don't know. Let's make sure they don't. So change your hosting password. And some people say, well, why would you change your email password? Well, probably because you emailed your password to somebody and they had access to your email. Use onetimesecret.com, fantastic little tool. I use it all the time to share credentials. Don't email passwords. It's not encrypted; email is about as secure as me yelling across the room. Same thing with text messages, not secure. So do not use them, and I don't care if it's Gmail or not, it's not secure, technically. And also change the password of your computer. We don't know how your website got infiltrated. Was it your computer? Was it your email? Was it something else? Let's just be sure.

Now it's funny, normally the first thing someone wants to do when they're like, oh, my website's hacked, they want to scan it. They want to install a security plugin and scan it, and that sounds like the right thing to do on one hand, but that takes a while to do. And depending on your hosting, if you've got your own server, fire away, you know; you're going to eat up a lot of resources running that scan, and if you've got your own server, that's fine. But if you don't, if you're on shared hosting with someone else, your website might get kicked off the server as a result, because you're using too many resources and it affects the other websites on that server. So I'm very cautious about scanning a website for malware. Again, I like to just be sure, not just say, well, the scan didn't show anything. But are you 99.9 percent sure? I don't like to be that sure; I like to be 100 percent sure. Is WordPress infected? No, I installed a new version. Perfect. Are your plugins infected?
No, I installed new versions, and I went and downloaded the premium version that I did have and installed it fresh. Everything's fresh, it's not infected. Great. So at that point the only thing that could possibly be infected is your backup. No scan needed. Now, if you've exhausted everything, you've installed your website and you're on round four, you know, and your website is still hacked, then you may have to scan your site. There is a reason to scan your site at a certain point, but I prefer that's like my last resort. So that's my advice when it comes to scanning a website for malware.

So how do we keep these things from happening again? You know, we put things in place so that they don't happen, and then unfortunately bad things do happen. Bad things happen to good people, and to good websites and bad websites, but regardless, we don't want it to happen again. So how do we keep that from happening? Well, one: remember that file that we said don't delete? Package up that contaminated version. If you do know someone that is a developer that has any sliver of experience dealing with hacked websites, see if they will take a look at it and give you... This may be worth investing in, if your website's important to you. Hey, can you give me some advice? Take a look at this backed-up hacked website, install it on Docker or Vagrant or whatever you're using, and tell me, elevator speech, why it got hacked. Maybe worth it to you, because it's important to figure out why you got hacked, and maybe it's as simple as, you know, I've been using the same password on my bank account and my computer and my Facebook account and my Twitter account, and my Twitter account got hacked, and guess what? So did my website, because I was recycling passwords. Don't do that. If you know, for the most part, why it happened, you could probably skip that, but again, I don't like to just assume. Again, it also depends.
What's your budget? What you got going on? How big, how important is this site? You know, if it's just a small site then maybe you just take a little bit more due diligence in the future on securing your site and move on. But one thing people forget to do is, have you looked at the users currently in your website? I wouldn't do that until you actually restore your backup, because you want to make sure that all the users are actually supposed to be in there, and if you've got inactive accounts, get rid of them. If you're not sure if an account is active, here's how you find out: change their password. If you don't hear anything for a while, yeah, you know, like a month or so, believe it. Worst-case scenario, you have to create a new account when you get a phone call or an email. Worst-case scenario. So I would rather know that I accidentally deleted someone else's real account. And keep in mind their emails are on there too, so you could email them and say, hey, are you using this account? And they're like, no. Okay, trash it. I'd rather know that I deleted someone's account by accident than to leave one in there that someone's got a back door to get back into my freshly installed clean website, that they're going to wreak havoc on in the next week or so, because a lot of times, if your website's been hacked, the chances of it being hacked again are pretty high. So audit the list of users. Also, what kind of permissions do they have? Do you have other administrator users in your account? Should they be administrative users? If you don't know if they should, downgrade their user, make them a subscriber, and see what happens; see if they complain about it. If they don't, let it ride. You'll find out. I mean, worst-case scenario.
You got to change it back, not a big deal. I'd rather make a mistake like that and just say, oh, sorry about that, we got hacked and I'm just trying to tighten up the fence, make sure everything's working.

Also remove any unused themes on the site. So you're probably familiar, if you install WordPress, you've seen, or you've installed WordPress years ago and your websites are a few years old. It's 2018 now. Well, there's a theme called Twenty Seventeen; even better yet, there's a theme called Twenty Ten. And if there's a vulnerability in that theme, they do roll out updates for them, but if you're not using it, why have it? Delete unused themes. It's a risk that you're taking that's just unnecessary, unless your theme is built on that and you're using it as a child theme. I mean, it's the parent theme and you've got a child theme. That's the only reason why you would have another theme. Anytime that I ever need to go, okay, I've got a problem and I don't know what it is, but I need to test it to see, is it the theme or is it a plugin, I'll install the latest Twenty Seventeen or Twenty Eighteen theme, switch to it. Nope, problem still there; switch back, delete the theme that I'm not using. Purely for testing. That's the only reason I would ever have an extra theme around, temporarily. Other than that, you don't need it. So get rid of things you don't need.

Change your passwords on a schedule. This is probably the hardest thing and the easiest thing to do, and I say hardest because no one does it. Maybe no one does it; some people do it. I don't do a good job at it. I'm doing better; I'm going to meetings, you know, I'm going to WordPress meetings. But in reality you need to have a schedule of changing your passwords, and I'm not saying just for your website, I'm saying for everything, and that's a task.
It is not a fun one either, but there are things like LastPass out there that can manage your passwords for you, and you can set up expiration notifications. Use something like that. LastPass is free; there are some paid features that you can get if you're starting to get into, you know, like sharing your passwords with other agencies or other developers, if you're a company. But if you're not a company, or even if you are, you can use the basic features for free. It makes no sense to me to try to remember all these passwords, because the only one you're going to remember is the one you use on every website, and that's the wrong way to go about it. So make your passwords unique and make them managed by some type of management system, and LastPass is a great one. I say that because I use LastPass; I'm not affiliated with them whatsoever, but you can set up expiration dates for your passwords. And just follow through with that.

This is a big one, and this doesn't happen as much with newer sites, but it does happen with older WordPress sites: sites that have the username admin. If your username is admin, log in as admin, and you're probably an administrator, which means you can create a new user. Create a new user with your email; you'll probably have to use a different email than the admin's current email, because it won't let you. But nevertheless, create a new account.
That's an administrator. Log out, log back in as that new account, and delete that admin account, because that is the number one, the first attempt that a hacker is going to try to log in with on your website is admin, and about 14 million plus versions of a password. So that's an easy one to mitigate.

Also, do not email, as said before, do not email or text passwords. Don't. I mean, I guess it goes without saying, but I'm going to say it anyway: don't send credit card information or any type of sensitive data that you wouldn't just share with a stranger, because someone that would have access to email, you probably don't know them. So use something like One-Time Secret; that's temporarily stored and it's encrypted, so share credentials that way.

Does anyone have any questions or scenarios with security that they would like to talk about or ask? Correct. Yes. Here you go. All right, we've got a few minutes. I'll talk real quick about some issues I've run into with security. I'd say the biggest ones would be, not in an emergency scenario, once you have a plan, and your plan really doesn't have to be something crazy unique, but one issue that you'll run into is people try to compensate security on their website for lack of security in their hosting. For a while I didn't have a security plugin at all on my website. Now I currently have a security plugin and I implement it, and I don't always use mine; it depends on the website, what their needs are, and it depends on the server, because I have security implemented at the server level to take care of things from ever hitting my website.
So for example, tomorrow I'm going to talk about page speed optimization, and if you want your website to load faster, then the less things that you have loading as far as security, the faster it's going to run, and I think that's a big attraction there. So the question is, do you try to take care of security at the website level, or do you try to take care of security at the hosting level, which is a level above where you probably have access? And so it depends; it depends on your budget, it depends on who you're talking to, also. Maybe a hosting company. I mean, ultimately, if a hosting company ever says, well, that's not our problem if your website got hacked, I mean, technically it is; that's actually their job. I provide hosting for my clients, and I provide it using another hosting company providing the server for me, but I take care of the customer and so on and so forth. It's my responsibility, but it's also their responsibility to ensure that things are updated and maintained, security patches and so forth. So if your website is running old versions of, say, PHP, for example, that we do know are vulnerable, then you need to contact your hosting company and say, hey, this is a problem, and say we need to upgrade that. If they're not, I mean, maybe that's there for a reason; maybe it's outdated for a reason. Find out why. Hey, my website's running on PHP 5.3. Why? That's a known vulnerability, that is no good, or anything less. You need to be running at least 5.6.

Yes, absolutely. What I would recommend... the question he just asked is, could I talk about the .htaccess file?
Because once you reinstall WordPress it may not be there. I would recommend that when you're reinstalling WordPress, if you've not done it a lot, if you're the one actually doing this, follow a guide; make it part of your plan. Of course .htaccess, if you're using it, now that's only if you're on an Apache server, so .htaccess will not really be in play if you're on an nginx server. And again, this is a conversation you have to have with your hosting company, because it does matter. So you can implement, you'll at least have to have the rewrite rules in your .htaccess file so that your WordPress actually is displaying those pretty URLs, forward slash whatever, words with hyphens in it and so forth, and not just a bunch of, you know, cryptic stuff in the URL address. However, another aspect, if you want to take security more into your hands: you can prevent people from logging into your site or brute forcing your site by using .htaccess to define rules that will limit access either by IP address or by a password. That's a tactic that happens a lot. I don't really go into that for this talk; time doesn't really allow for it. However, do search; there's a talk that I did a year ago that kind of talks about some of those things, that gets more specific in WordPress security. There's other talks that plenty of other people have done about WordPress security. Watch as many of them as you can, you know, find time to do, and implement what makes sense for your site. But I like .htaccess for a point that I can really cut down the load of my site, especially the bandwidth, and even my hosting bill, because your hosting could be based on, you know, you could get maxed out on what your bandwidth is, especially if you're getting attacked every day, you know. So implementing .htaccess security is a really attractive thing, but I would Google for more information on that.

Yes, I do follow quite a few people.
You can actually, and I don't have it on here, but my website is sovstack.com, and sovstack is my Twitter account. It's also the same user handle for my WordPress account, and I like to share that information on Twitter, because I actually follow Jonathan over here, because sometimes he shares things that affect me, and if he's not really focused on security, I like to share things that he's going to find useful in the moment. So I try to share as much of that information as I can. Obviously security is a huge topic, and so I follow other people. I follow other leading plugin developers in the industry and in just the security field in general. You probably won't want to do all that unless you're really into security. However, I would try to figure out who is that person that knows what they're doing, that's really good at security, and make them part of your team. The key is, have a team that's going to handle this; don't try to go solo on fixing your website. I actually don't always fix my own problems, for various reasons. Web development is a team sport, and it works better that way.

Anyone else? Everyone, thank you for coming out. I hope that this was helpful, and if you want to reference this presentation in the future, this little URL at the bottom corner will take you directly to this presentation and all the links that are in it as well. If you ever have any questions, please tweet me on Twitter or send me a message on my website, and I'll be more than happy to answer any questions later on at the happiness bar. Thank you.