So, I'm going to cover misconceptions, understanding vulnerability, and then best practices. So number one misconception, actually the main misconception, is WordPress is insecure. This is wrong. WordPress is written on top of PHP, and how secure it is depends on what kind of plugins you use, what kind of themes, what kind of hosting you are on.

So I'm going to put an analogy for you. So imagine a nice, beautiful apartment like this, I would love to have such an apartment. You know where the doors are, one is to the balcony, one is to the front end of the corridor. It's easy to secure those doors, or if you get windows, there are grilles and so on. This is like WordPress, it is small, it is secure, it is good, it works, everything for you. You don't have to care. But as you start installing plugins and themes, and then you start doing all the random nonsense, but you want to improve your website, it becomes a little bit like a huge castle. So it's grand, and then someone visits your site, they think, well, this is a beautiful website. But it becomes a castle that probably has, say, a 5,000-year history, and then you have no idea whether there are hidden tunnels, you have no idea which rooms are locked, which rooms are not. You have no idea whether there is more than one entrance, there's probably more than one. So the point is, you are one tiny person inside this huge castle that you have no idea where everywhere leads to. So WordPress websites that get hacked are usually WordPress websites that become like castles, where the user or the web maintainer doesn't actually keep it up and just keeps installing stuff, yeah, and stuff like that.

So there's only one single way, which is, I think, a common topic that all WordPress people talk about, to keep your WordPress site absolutely 100% safe: take it offline. It's like just a big wall around it, and no one can access it. If you take it offline, you're probably not, maybe even then, you're not 100% safe.
If you want, so WordPress itself is as secure as the plugins, themes, and hosting combined. I'm going to skip one slide. So what I want to talk about, the choice, sorry, how do WordPress websites get hacked? And I like to say this: actually, by choice. So by choice of choosing a bad hosting, by choice of choosing a bad password, which is actually quite common, choice of choosing a random plugin that you've seen over the net that someone says, this is awesome, please download it and install it into your website, and by not upgrading your WordPress. So this is actually what we do at the WordPress.org support forums, we see these four issues all the time. And then some guy is going to say, I got hacked, what do I do? And then he's going to, first thing he's going to say, this is my admin password. He's going to paste it on the forums, and he's asking people to log in to check it for him. Right. And then more often than not, here's the terrible thing, they'll use something like ABCD1234. Right.

So just to quickly run through, why is it bad, why is a simple password bad? If I were to guess 1234 ABCD, probably easy, but if maybe you just do something a little bit more complicated, I can guess it, but I could write a script that continuously tries to guess your password. And that actually can go through, say, a thousand iterations per 10 seconds, maybe even if you do it on a slow server. If you do it on a multiple setup, you can iterate through hundreds of thousands of passwords per hour. So strong passwords are important, and you don't have to think about very complicated, like a crazy number sequence plus symbols plus text, those are good, but it could use a good makeup. For example, who is your favorite person in the world plus your favorite date plus, you know, your favorite dog's name and so on. Make a story around it, it'll help you remember, and as long as it's long enough, with a good mix of numbers and whatnot, it's going to be safe, it's going to be secure.
But that's the kind of password you want to choose. I'm going to show you a quick demo on the, not the demo yet.

So then themes and plugins. If you actually download a plugin from WordPress.org, at least about 95%, 99% maybe safe, but bear in mind at WordPress.org, we allow plugin authors to update their plugins. So if they make a bad decision after our first evaluation, we don't always catch it, because in the end the plugin team is made up of five people to cover 37,000 plugins in the plugin repository. So we don't always catch it. So you have to be a little bit careful about what you're downloading, but definitely try not to download some revenue plugin hosted out of WordPress.org, because that probably isn't safe.

Upgrade the WordPress, that's key, and I'm going to tell you this: we have an auto security update system right now. So if you realize your version 4.5 websites are updated to version 4.5.1, those are what we do to patch the security issues. But if you actually have, say, 4.4 to 4.5, there may be security bugs that we are trying to fix, but we cannot tell it to you, because if we tell everyone that, oh, we are going to update to 4.5 because there's a big security bug, all the hackers are going to attack all the version 4.4 sites. So we probably hide it inside one of our updates. So it's good to update to make sure that you get it all.

And then the last thing, bad hosting, this is actually one of the key, key issues. People go online and they say, oh, this is a $5, $1.99 per month hosting, and then they think that they're going to get something good out of it. If it looks too cheap, it's probably bad. So don't go for those, go for reputable hosting companies. And if your website is actually a money generating website, or it's very important to you, maybe get one that's not shared hosting, because for a host to turn a profit around, it probably has to put about 200 websites into one server.
If they don't set the server up properly, one website gets hacked, the rest of the websites go down the drain as well. So it's good for you to make sure that if you are actually having websites that generate money, put it into a more secure server that's guaranteed by one of the hosts out there.

So I'm going to show you one very quick demo. Oh, I need internet connection. Is there a free one? I don't think you'll ever log in. Okay, I might use mine. I've seen your password. Bing, yeah, Bing.

So if you don't like passwords, there are various ways to get around it. So I'd like to recommend this, Clef. So it's the same thing, you log in through the WordPress backend. But you have this mobile app called Clef. And then you can actually use a fingerprint or you can use a passcode on your phone to unlock it. So let me log that first. So you get this barcode kind of thing that moves around. And then you can sort of just point it at the screen and then log it in. So you never ever need to use a password again. It doesn't show this, all right? No. They'll still be able to log in. Yes. You can, of course, choose a dual login system. So for example, one of the cool things that I like to do here is actually I use one single system to log in to multiple websites. So if I'm at home and shit, I didn't log out with one of the computers, I can press log out here and then it's logged out. So let's see whether it's logged out. So you see I'm logged out again. So if you want to use a password, you can just click log in with a password. And it goes to the normal screen. So what I usually do for my clients is I secure the administrator with this. And then it can't be hacked. So that's one way to get a good secure login.

The other way is you can use two-factor authentication. And I would like to let you know that core, WordPress core, is going to put in two-factor authentication by default very soon. Maybe in version 4.6, as soon as version 4.6, maybe.
So I'm going to quickly share with you types of vulnerabilities. And there's a lot of code behind. I'm going to skip those. But if you want to know about it, talk to me. So there's cross-site request forgery. There's cross-site scripting and SQL injection. There's actually a lot more. But these are the three main types.

So what's CSRF? So imagine this. If you look at this code, I'm not going to go through the code. Imagine you have a piece of code. But it's supposed to forward you to the PayPal website. But because you didn't secure your website properly, I managed to put something in that forwards all your users to my fake PayPal website. So that fake PayPal website records your login and I'm going to record your login. I'm going to copy that login and then I'm going to go to PayPal.com and I'm going to start buying myself a big TV and so on. So this is what cross-site request forgery is. You don't have to really understand this, especially if you're a user. But one thing that you could ask a developer who is going to make your site and so on is: is your site CSRF safe? You don't have to really understand it.

So for developers, there's an easy way to prevent that. We use this number used once. Overpass generally is a secret code, secret length of string that takes this number of items and generates that string. So that string is so random that it cannot be duplicated. So which means you cannot forward me to a wrong place and so on by using this with, say, user capabilities. So one way to get around CSRF is by using the numbers used once. Okay, I'm going to skip that.

Okay, then we have cross-site scripting. The most common type of vulnerability. So the thing about cross-site scripting is that I can insert the JavaScript code to do anything that I want. So the key thing that people would do is actually they would steal login passwords.
So after they steal your admin login password, they can actually go into your admin panel and buy just normally because they know your login password right now. And then they can create a new administrator account for themselves. After which, if your website is not that secure, they can actually write files into it to hide the admin account, then they forever have an admin account into a website.

And I want to let you know that cross-site scripting, SQL injection, CSRF, they are not WordPress specific. They are web specific. So you have a website online, they are all open to all this. So actually a lot of times WordPress websites get hacked. It is not because it's WordPress. It is because of this, and it applies to all websites in the world.

So I'm going to recover the code again. So what can cross-site scripting do? It can allow you to create a new administrator account. It can change your password without you knowing it. I can start installing new plugins and themes. And if you have your file editor available in your WordPress website, and when you go home, maybe one of the things you should do is disable the file editor on the WordPress admin. I can use that file editor to add in secret lines into the code and you will never know.

So actually as I was telling you, I had this first client a long time ago. And then one thing that the hacker did was actually, if I visited the site by typing the name itself, no issues. But if someone found their website through Google, it will check the referral. Like if the site knows that you're coming from Google, you redirect them to another website. So as the site admin and my client, they will never know because they will type the name in. So this is to prevent you from knowing. But people who are looking for the business, yes, they will actually search that and then you'll find out. And then they'll get redirected.
They have no idea why they're redirected, but now they're screwed as well because the site probably has thought something on their computer. So that's cross-site scripting. And then... Sorry, it's cross-site scripting.

Going into the site itself already activates malicious software. For example, if the site itself... Okay, when you actually go into a website, what your browser does is actually it downloads all the JavaScript, all the HTML required items, the images and so on. So let's say the JavaScript is really infected and so on, which is not so bad because it doesn't run on anything else. But it could very well ask you to download a file that looks okay. And then people who are actually typing fast, they press Enter fast. That's what they're aiming for, a chance. And then you install the file or you download the file and then one day some guy clicks it. That's it. So by actually visiting it, it's not going to be like that, but if you're, say, using a very old browser and it's got a lot of security holes, they could attack those security holes. So meaning, to be infected by malicious software you have to click. If you are on a modern operating system and modern browser, you probably have to click it to be infected.

So we have SQL injection. It doesn't bother about the code, but imagine this, you have a text box. The text box contacts the database. So now instead of me searching for something in the database, I'm actually putting in a database code. So by putting two database code together, the system thinks that you're running a special line. So actually with this SQL injection I can maybe download a full list of all your users without you knowing. I could download a full list of all your admin passwords and so on. I could download a full list of all your e-commerce content, e-commerce purchases and so on without you knowing it. I could also be very mean. I could write an SQL statement to contact the database and drop your entire database.
And you have no backup, pretty good. Especially if you're running an e-commerce website, I could drop all your users, all your purchases, so you have no idea what's going on. So that's what SQL injection can do.

All these slides are going to actually be on Speaker Deck. So you can actually download it from there. Don't worry about that. And a lot of this code, if you are actually interested in starting, you can look at it. This code is actually provided by one of my fellow WordPress co-committer guy who actually gave a talk about security at WordCamp Lancaster, actually. So I'm going to skip the whole SQL injection thing.

So there are a few ways to avoid this. If you are a developer, really there are very few use cases to actually write your own SQL statement in WordPress, because you could use the WordPress class objects and query system like WordPress WP_Query, which will effectively write the SQL statement for you. So you don't actually have to write your own SQL statement. And therefore, users, if you're developing a new website, you're hiring a new developer, make sure they use WordPress native functions, because a lot of these developers, they don't actually know WordPress but they know PHP. So they write PHP and then they will write their own SQL statements, which are usually not safe, because the truth is most programmers understand PHP, but to write an effective good SQL statement, or to actually, even if you don't talk about security, to make sure the SQL statement is actually optimized, you probably need a database engineer who's going to write a very nice statement or so on. And in a lot of times actually some plugins will create their own tables and so on, and usually it is not needed unless it's a massive plugin like WooCommerce as an e-commerce system. They will run their own tables. They may have their own SQL statements and so on, but those are usually better by professionals. So the takeaway for the... I think I skipped some stuff.
So takeaway for you: if you're a developer, don't trust user input. Always assume that someone's going to abuse the system and so on. If you're a user, ask the developers, just remember this, if they have taken appropriate CSRF, XSS, SQLi preventions. Just send them this line, and then it's like asking a local butcher if they have gotten a mid-check. It's a simple thing to say, and if they assure you they've done it, then at least you can hold them to that statement. If your stack gets hacked, you can screw them upside down. So... You can go through the XSS solutions. Sorry? XSS. So XSS solutions, I'm going to go through the best practices, which actually helps with that.

So best practices, and I'm going to go through them a little bit fast. Number one, keep upgrading. Like I said, WordPress sometimes hides security updates without telling you. So there was a major version, version 4.2.4.3. I think we hid a huge security update in the form of emojis. Yeah. So a lot of people were upset with emojis, but actually those were security fixes. So fix like that. And then you need to check for intent. For example, did they want to edit the post or did they want to delete the post? And you can do this with what I call the numbers used once. And then you need to do sanitizing and escaping. So I have more slides on that.

So keep upgrading. So I want to point out, I'm going to go through sanitizing and escaping later on, but I want to point out a use case that I went through. So on forums, on the WordPress.org forums, this guy will say that after he developed the website, the developer told him that he cannot update WordPress. So which is fairly quite common in developers worldwide, because they have edited a core file or they have done something really wrong and they are maybe just scared that their customizations will not last against the new WordPress versions.
So they told him you cannot update, and then they actually sort of said a white lie, and they say that it will return it to a virgin install. So which is not true. So I went ahead and told him that with WordPress, we encourage you to do it properly. Use child themes, and if you need to override a plugin, write another plugin and say, and then the key thing is that we strongly encourage people to update their WordPress installation. So what I want you to take away here is that I told him, take this line and then send it to your developer and tell him to fix it. So what happened was that, send him replies, and he updated the site to the latest, and back then the latest version was 4.4.2, and he got it centered. So of course the developer is going to fix the three plugins that stopped working, but the key thing for users to take away here right now is that if you go out and hire a developer, he's going to tell you that do not update. If, let's say, you get a developer who tells you not to update WordPress, do not trust the developer, tell him to make your system safe for updating. So that's one key thing.

So one of the things that people are worried about is that, if I update my WordPress core system, what about plugins that are not ready for it? So I wanted to show you that actually the plugins team, they sent email to all the plugin authors, all 37,000 of them, and say that WordPress 4.5 is ready to be released in the next few days, are you guys ready to update? So a lot of times actually during this period a lot of plugins are updated. We know this because the server starts getting really slow, and then commits start slowing down, everything like that. So all the plugin authors, they will tell them, so your plugins that start up to version 4.2, do you want to check it, make sure that it's updated to 4.5? So which means plugins that you download from the WordPress.org repository are more or less usually safe for updating.
And if you are not sure, don't worry, because just wait a few more days, they will update it.

So one of the key things that you should learn as a developer is that: love your users, but don't trust them on using the system correctly. Because one of the things that could happen, say you have an infected browser that's secretly inputting a bunch of malicious code in all your text boxes that you visit. So you don't know that it's inserting that, but it is doing it. So that could happen. So while your user is a nice person, but his computer is infected, so you would never know. So don't trust your user. And maybe it's not even your user, it's just a hacker running a bot and testing all your text boxes.

So a few ways to prevent such stuff. You can do a sanitization. So if you do sanitization, you will sanitize early, because you will pass a variable around. And when you do sanitization, you want to understand what content do you want. For example, if I'm searching for, say, phone numbers, there's only numbers inside it, then maybe I can just run it through an integer value function, which then checks and converts all string into integer. So effectively it lets me know that, okay, whatever value that I get out of this is bound to be a number, then it should be safe. There are many sanitization functions that you can use, say sanitize_text_field and so on. There's sanitize HTML and various other functions that you can use. You can check this web page and it will give you actually the list of all sanitization functions that you can use in your system. So sanitization is effectively just taking whatever user has inputted and cleaning them. It doesn't always necessarily clean them at 100%, but it does to some level.

So you should also escape. So escaping is for both encoding conversion and also to maybe drop certain things. So if you're escaping, you should always escape late, because while you're running the system, maybe in the middle the variables still get passed around. If you escape them too early then they are
now converted and they cannot be used for any other functions anymore, or even if you use them, they are not accurate anymore. In escaping, you then understand the context: what is the thing going to be used for? For example, if you are going to print out a link, you should use esc_url, it will convert the HTML entities for you. If you are going to print out something like the comments with the nice formatting, the bold and the bullet points, you should use esc_html, it will allow the safe HTML text to go through and then it will probably help you deter the unsafe ones. Again, you can look at this link for all the related escape functions.

So I did not include this into the slide itself, but there is a very important WordPress function called wp_kses. KSES means KSES Strips Evil Scripts. So it is a very powerful sanitization tool, you can use it to clean about anything that deals with user input. So you can use that to clean before you insert into your database.

So I think last two things I am going to talk about. Number one is SSL. So if you notice, some sites, if you visit, especially e-commerce websites, they have HTTPS, and I am just going to show you a quick demo. So this is my client's site. So if you have an SSL one, you see HTTPS and then you have a green lock. So this lets people know that your site is secure.

So why is SSL important? So SSL is important because if you are on public Wi-Fi, you are at Starbucks, you are using public Wi-Fi, if you are typing your password in, it is your own computer, but it passes through the public Wi-Fi. Someone can actually intercept the data, you can steal your password and login. Same thing, you can then login to your website and you can start doing some random nonsense to it. And if you are smart, you will never know. You will never know that your password is stolen, you will be constantly logging in as you and you will never ever know. So to prevent that, you should install SSL on your website. So with SSL, which turns your HTTPS and your HTTPS as has been
secure, all the stuff, for example your passwords and so on, will be encrypted. So even if he intercepts it, he gets an encrypted nonsense that no one understands. So you will never have to worry about your website, the data, your login. Especially, let's say, your e-commerce website, it's not just about you, it's about the 5,000 e-commerce shoppers that are using your website. So they are, what do you call that, passwords cannot be stolen. And you may think, if you go to a coffee shop and you go to Starbucks, you probably wouldn't log in that much, it's a very small risk. But it's not true, because if you think about it in the Starbucks context, one of the actually biggest places to steal data is actually at big conferences, on big fairs and so on. So they will go there, people who want to steal passwords, they will wait there, they will start getting notice data. Later on when they go back, they have a huge amount of logins that are passed to various systems. So it's important to make sure your site is HTTPS.

And then it's not just about making it secure. The cool thing about SSL now is that it allows you to have HTTP/2, which actually makes your site really, really, really fast. So it doesn't work with normal, without SSL, but with that it actually allows you to load a site very fast. This is how right now most websites work: you get to the, the new request for the website, but the website sends you one file by one file, admittedly very fast, but it's always one file by one file before you get everything. But with HTTP/2, I can do multiple requests and get them at the same time, which means that if I have a file in the middle that's huge, it doesn't actually wait for the file to finish downloading before I load the rest of the site. And I'm going to show you a demo. Effectively websites should work fast like this. If it's slow, it's not my business, it's the Wi-Fi. But let's say if you select this and you look at Singapore, it should look immediately with many, many images. It doesn't matter if, let's say, I look at
Buffetware, it should load immediately as well, and this is all because of SSL and HTTP/2. So I'm just going to show you one last example. So this is the e-commerce website, it's another of my clients, and then if you click on a product, it should load immediately. If you click on another product, it should load immediately. Sorry, the same product. If you click on another product, it should load immediately. So you should, this is the kind of experience you should get through all of your websites if you actually implement all this properly.

And as is the quoting by SSL, and actually Robert presented about two months ago, or two months ago, SSL now can be gotten through Let's Encrypt, it's free. So with Let's Encrypt, and let's say you get a host that supports it, it's all free, your site will become blazing fast. So the cool thing about that is also, it is not just about the site being blazing fast, that is, if your site is really, really fast, Google ranks you higher and then you get more visibility as well. So it's a plus-plus situation: it's secure, it's fast and Google ranks you higher. So it's free. So please, if you go back, one of the things that you can do, if you are on a shared host or anything like that, maybe just ask your host, how can I get SSL onto my site, and then how can I enable HTTP/2 for the site? So they'll settle on this for you. If your host doesn't do this for you, switch to a new host, switch to something else.

Okay, the last thing I want to talk about is reporting security exploits. So if you actually find a security problem, whether it's a plugin or a theme or WordPress itself, there are few places that you can go to. Sorry about the title. So if it's a plugin, try to contact the plugin author. A lot of the authors on WordPress repo, they are quite responsive, especially the very big plugins, the very popular plugins, they'll respond to you. You can usually go to their website and use the contact form and they will contact you. If they don't respond, contact WordPress, sorry, plugins
at WordPress.org. So you just send them how you managed to find out about this exploit. If it's a theme, contact the theme author, but don't worry too much, because themes that you download from WordPress.org pretty much only allow display code, they are not allowed to do database stuff and things like that, so they are less likely, very, very less likely to have security issues. And if it's WordPress core, send an email to security@wordpress.org.

And if you are a developer, sometimes you will realize, actually I've done this before with other content management systems, I've done this with other communities, but they don't actually reply to me, they don't let me know what's going on. The cool thing about this is that they do. So I actually sent this last year, one of the security issues, and I sent it to security@wordpress.org, and then straight away in the same day, if you notice the reply, they say that the security issue is bogus, don't worry about it. Which is good for us, because now we can tell the users that that's a fake security issue and everyone can relax. So this is actually really meant, there's many people watching the security email that you will send, of course in private. And the cool thing about maintaining security for WordPress is that if we find out, we fix it, you guys get an update, your sites are protected too. So it's a good thing to do. So that's the email.

I'm going to talk, do you have any questions, or would love to listen to them.

Yeah, about the WP admin page, and you said you have Clef, right, but there's still the option, it says click here to log in with password. So I guess I haven't been able to understand so far, how does, is there a way to secure WP admin from brute force attacks? Because I mean you could write a script to just click the password and then try hundreds and thousands.

You can. So Clef allows you to disable passwords entirely, yeah, so this one. Second thing, if you are a server level person, you can install fail2ban, and then by making
fail2ban with WordPress logs, you can detect multiple login failures and then you can ban the IP. So that's one key way of protecting against this brute force attacks. So unfortunately about brute force attacks, it's not that easy to protect against, but there's a very good plugin called Jetpack, and a lot of you might have heard that Jetpack is bloated, but actually Jetpack allows you to switch on and off multiple modules. Jetpack has now this very powerful BruteProtect function built into it, so you can just install Jetpack, it's free, register with WordPress.com for an account to link Jetpack, and you're done. So WordPress.com will use their servers to protect your installation against brute force attacks. So I have Jetpack on almost most of my sites.

And I have something called WordPress are they pretty good too? It seems like the features they were offering in combination, I couldn't think of how much more security could get, because that was the thing that you could, after three login attempts, failed login attempts, you can block the user.

But you see, the tough part about that is that WordPress works at the PHP level, so it's higher than the server level, which means that by the time you realize the attack is going on, or by the time it started to block people, it could have been attacked for a while already, and by then PHP may have been taxed like crazy and it started using a lot of RAM and then maybe even going out of memory, which is not good. So if you are really right, there's so much brute force attacks, you should do it at a server level. So fail2ban would be one good way to start off to do that. So if you, say, are moving your site to a VPS, you can ask them to install fail2ban and ask them to monitor WordPress, and fail2ban will actually handle all this banning for you and so on.

And there's no way to sort of hide the WP admin directory from a front end, like right blog state that move the WP template file out of your folder, but I don't know what that would do, cause I...

So I'm a proponent
against, okay, I'm open against security via obscurity. So by pretending there's no issue, for example like hiding WP admin, essentially like the ostrich putting the head in the sand, it doesn't really do anything, because if they wanted to, they would still find the login and they would still attack. So the only thing it does is actually it gives you a false sense of security. So my view is that hiding WP admin does nothing at all. And if essentially this is a website that you want no one to login to, put a server level password to that page instead. So before you login to the WP admin, you actually have to put a password that's accepted by the web server. So they cannot attack that. No matter how much they attack that, it doesn't do anything, because it doesn't load WordPress without resources, the server first detects it and does nothing except, do you have a password?

So why is attacking WordPress itself so taxing on the server? Because when you load the WP-Admin page, you usually load a lot of WordPress resources, even though you only see the password page. So when they attack that over and over again, they're just forcing the server to load WP admin over and over again. So if you're happy about this, you choose, go at the server level, because doing it at the WordPress level is not going to help you. Like I said, your site is only as secure as your server, which is your server hosting WordPress, plugins and themes combined. So if plugins and themes are really secure and you are sure that everything else is okay, go at the server level.

Okay, cool. Yes, server level, so if you're on the shared hosting you might be quite limited, so you need to have a dedicated server?

You don't need to have a dedicated server, but you can get an inexpensive virtual private server. Virtual private server, and those can actually be quite good. So if you're running a website, say, like e-commerce website or a company website, even if your company is not a big massive company, and the cheapest VPS go for $10 USD per month,
actually the cheapest is $5 at DigitalOcean, but those are, you have to understand servers to actually set it up. The next cheapest managed VPS, that means you get the staff at the company to manage the virtual private server for you, to set up everything for you, the only thing you have to do is watch your website. Those, the cheapest I know is $29 USD per month and host. So to me, if you want to run a website, $29 USD per month, especially if the website is important for you, because you must understand that hosting virtual private servers used to be $100 USD per month. Now it's $29, so think about that, because you can get them to secure the servers, and if there's any issue they will fix it for you, which is cool. If you go for shared hosting, they will not do anything to help you, they will just let you die. Any more questions? $10 USD is Linode, you can go there, it's actually quite a popular virtual private server hosting company. But the same thing, you actually need server knowledge to actually set it up. It's like they give you a blank hardware kind of a thing, and then they ask you to write all these commands that you have to set up your web server, database, to install PHP, to secure it and everything like that. Not an easy task to do, but if you want to learn, you can start learning with that. But if you want something managed, you can try the DreamHost managed VPS service, and they actually built that service specifically for WordPress. So DreamHost is the $29 USD host. So I don't work for them, I just know one of my fellow WordPress colleagues works there, so I quite trust them as a hosting entity. So you said U.S. company? U.S.
company, but nowadays all these VPSes are built very well, so you will not find much latency issues. And if actually your site requires very, very fast speed, you can build load balancers around it. The same way, you can just tell them, I'm from Singapore, now I'm visiting this website, I will do something to improve the speed for you as well? Oh, you can do that, but maybe they will charge you a little bit more to do that. But usually, even if your website is hosted in America, and if you set up your stuff properly, you will be very, very fast. It's possible. I have a client who is doing it, one of the sites is in France, speed is reasonably good to access from Singapore. They set up the servers, how they do the carrying. If they cannot do it, the alternative is to put your site on other load balancing services like Cloudflare, where they actually distribute the content worldwide on their own networks, so that when people surf the site they just hit their servers first, which might be located nearer to your end users rather than... But of course this is all for static files. So then there will be less pings, right? Less pings, less latency. So it's a service that you have to subscribe to the loop. Some of them are free, like Cloudflare. It's a content delivery network, it's free, you can use it. And I want to show you this, like WordPress.org, this is in the US, the site is actually very fast. So it can be faster, but we really need such a fast site. So this is actually very fast, and this is hosted in the US. So that's my talk. When you go back, I would like you to take a few things into mind. WordPress is actually very secure. There's no vulnerability that we let go; if we discover anything, we fix it almost immediately. Plugins, themes on WordPress.org here are usually very safe. We at least do the first level of check when we first submit the plugin, we check it quite thoroughly. So after that, the plugin authors are given the authority to actually update the plugins, so it's up to them to secure the code after that, and
we'll keep your WordPress versions updated. Try not to use plugins and themes that you find randomly off other websites. And if you are a developer, make sure to use good WordPress native functions and other security stuff that you need to secure your code. Last thing you need to take off, as a developer: don't trust your users. Think they're going to mess it up, and secure your code against them. And as users, if you update your WordPress versions all the time, you update your themes and your plugins, your site should remain relatively safe. So that's all from me, and if you need any help with any specific questions, doesn't need to be related to this topic, maybe we just related to WordPress or web development, feel free to talk to me. And thank you for coming.
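
The server-level detection the talk recommends (fail2ban watching the web server's log for repeated login failures and banning the IP), sketched here as an added example that is not part of the talk. It assumes an access log in combined format and WordPress's default behaviour of answering a failed `wp-login.php` POST with status 200 and a successful one with a 302 redirect; the log lines are constructed, and `maxretry` and `findtime` borrow fail2ban's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:20:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:40:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def failed_login(line):
    """Return (ip, timestamp) if the line is a failed wp-login.php POST, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    path = path.split("?", 1)[0]
    # Assumption: failure re-renders the form (200); success redirects (302).
    if method == "POST" and path.endswith("/wp-login.php") and status == "200":
        return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return None


def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` failed logins inside a sliding `findtime` window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = []
    for line in lines:
        hit = failed_login(line)
        if hit is None:
            continue
        ip, ts = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG.splitlines()))
```

Because the decision is made from the web server's log, the ban can be enforced at the firewall before PHP or WordPress is loaded, which is the resource point the talk makes.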