Okay, it was the 19th of March this year and it was only a few days until the launch of a major membership site that I'd been working on for what seemed to be forever for a not-for-profit. Now that project was one of those projects where it wasn't so much a scope creep as a scope gallop with the hounds of hell after it. I was really looking forward to launch when the first email pinged in my inbox. Excuse me, Uptime Robot. Okay, commercial air conditioning site is down. And that's it, and that's it, and that's it.

For those of you who don't know, Uptime Robot is a really cool free tool. And you can set it to ping your site periodically just to tell you whether the site's up or down. So Uptime Robot sent the first alert for me. Okay, all of those sites are with never-to-be-named hosting.

Let me discuss never-to-be-named hosting. Never-to-be-named hosting is a small Brisbane IT company that have their own servers based in Brisbane and they were my hosting company. I've been with them for years, so I started originally as a copywriter and then morphed into web design, as a lot of us do. And over the years, as I grew, never-to-be-named hosting were my business partners. They had this amazing help desk guy, Matthew. Matthew had my back for everything. If I had an issue, I'd call and Matthew would sort it. Had a problem, I'd drop an email to him, Matthew would sort it. Everything was perfect until Matthew left. And then suddenly, never-to-be-named hosting got on the nose.

It had got so bad that three weeks before, I'd actually gone and had a meeting with the CEO. Now, listen, I want to talk to you about your help desk. We have a bit of a problem. I'll send an email and they're not answering me. It can take three weeks to get an acknowledgement. I ring and the phone just rings out. I really want to talk to you about your server, like Web Server 4. Most of my clients are on that Web Server 4 and it's running an ancient version of SQL, MySQL.
Look, it's so bad, I can't even spin up a testing site. What are we going to do about it? Yeah, mate, I had trouble with staff the last couple of months, you know. And it's a legacy server, mate. You know what it's like. It's so much painful to update things. But yeah, look, leave it with us, mate. You can trust us. We'll get it sorted for you. Okay, not a problem, I thought.

Uptime Robot, sites are back up. Fantastic. It must be looking, it must be finally doing some work on the server. Uptime Robot, sites are back down again. Right, okay. But then I also had another email from the not-for-profit client. Hey, want to expand the scope and still keep the actual launch date in two days' time? Can we do that? Fine, I can do this. Patted the cat who was sitting in my in-tray.

Uptime Robot. Okay, sites are back up. Brilliant. Uptime Robot, sites are back down. Uptime Robot, sites are back up, up, down. It felt like a 1970s aerobics class. Uptime Robot, up, down, up, down. It was actually getting worse. It was like an all-you-can-eat curry night at the local pub and the toilet seat was going up and down and up and down.

Okay, this is a bit of a worry. So I've dropped an email to all of the clients who are in the Uptime Robot alerts. Just letting you know, guys, we have a bit of instability at the moment with your sites. It's all good. I got it under control. I'll be chasing it for you. See, I've learned over the years that it's always better to be the bearer of bad news than to be at the receiving end of a client yelling at you.

I also sent a note to Never To Be Named Hosting. Dear Never To Be Named Hosting, have a bit of instability on that web server we were talking about before. Anything I should know about? Nothing. Up, down, up, down, up, down. I left it for the night. Finally, nine o'clock at night, I just gave up and went back to bed. That was it. And I thought, okay, I'll have a look at it in the morning.
Morning came and all the sites appeared to be stable. Put the air conditioning site into the browser. Site was up. Two thumbs up. I thought I can finally deal with this not-for-profit, yet again expansion of their project. Well, I was trying to find words that didn't have swear words in them as I was responding. But you get the idea. So I spent the day just dealing with that not-for-profit site. I thought, tomorrow, tomorrow is going to be the day I'll have a look at all of those sites.

Next day came and I tried to log in to the air conditioning site. Okay, slight problem. Okay, back a bit. Slight problem. Username and password not recognized. Interesting, I had Wordfence installed. Maybe there's a problem there. There's a paid version of Wordfence. Okay, I'll just send a note to never-to-be-named hosting. Dear Never To Be Named Hosting, seems to have had some problem. Can you just reset the password on the commercial air conditioning site and have a look in the front end because we have that instability? Ping. For once they answered. Woo-hoo, two thumbs up for me. Yes, not a problem. Here's your new password. Site looks fabulous.

Okay, cool. I can do this. Log into the commercial air conditioning site, having a look. Don't recognize any of those usernames. Let's have a look at Wordfence. Wordfence, absolutely nothing. Everything's clean as a whistle. The only lockout was me. Okay, that's interesting. But it's clean. Hmm.

Okay, I'll just log into Plesk and have a look at this back end. Logging into Plesk, having a look at the files. I have no idea what I'm looking for. Let's just pretend I know what I'm doing. Let's have a look at the files. Let's see if there's anything that stands out. Okay. There's a file I don't normally install on commercial air conditioning. HTML. Yay, I think that might mean that they're hacked. Two thumbs up, I spotted it. Oh, dear. If the commercial air conditioning site's been hacked, what about the other sites that are on that server?
Breathe, breathe. Logging in. HTML. Logging in. HTML. Logging. HTML. HTML. Excuse my language, but that's what the files were called. Every single site on Web4 had been hacked. That was 80% of my clients from the last five years were on that server. And every single one of them had been hacked.

I can do this, I can do this. I now know that it's been hacked. I'll go and check into Wordfence. I'll do a deep scan because every one of them had the paid version of Wordfence. Let's do a deep scan, deep scan. Clean. Okay. I'll go to Sucuri. I'll run a deep scan with Sucuri. I'll see if that's picked up something because that'll fix it. Deep scan, deep scan. Okay. They're not picking up anything. I'll go to Google Search Console. Everything says it's clean. But we know it's got a HTML site.

Not a problem. Not a problem. I can honestly do the backups. Restore from the backups. You see, I used UpdraftPlus. And I did backup to UpdraftPlus Vault. And I restored 30 days of backups. Fantastic. Logging in. I can just do a restore. Logging in. UpdraftPlus. Have a look at these logs. Okay. Let's go. They were there the day before yesterday. Shit. The hackers had deleted every one of my backups from Vault. Now what happens with Vault is when someone deletes from Vault, it's gone forever. All my backups are gone. I can't do any restores for any of those sites.

Okay. Breathe. Breathe. I can cope. I can cope. I'll just send a note to Never To Be Named Hosting. Never To Be Named Hosting, just letting you know that the hack was real and all of the sites were hacked. Can you please restore from two days prior to the hack? Dear Ingrid. Yes. Happy to restore from your two days before your backups for you. Only trouble is it's going to cost you $570 plus GST per site per restore. Let's go back to there. That was me. Drinking a lot more. But oh my God, $570 plus GST plus restore for all of my clients for the last five years. Right.
What would any other web designer do besides a lot of swearing? Google. What do you do when your WordPress website is hacked? So what I did was started off with a quick repair, much like boarding up a broken window. I started with the commercial air conditioning site and I deleted all of the users that weren't me. And I set up a new user me because I didn't trust anybody and deleted everybody. I changed the passwords into hosting. I changed the salt keys in the wp-config file just to log out everybody who wasn't there. I changed the WordPress database passwords and I ran high sensitivity scans on WordPress. Everything was still clean. Five minutes later, I was locked out again. Usernames were changed one more time. They had a back door into the site.

Okay. Determined to jump ahead. So then what did I do? I then said, okay, okay, I can deal with this, I can deal with this. Let's start with triage. I went through and created a list of every single client that I'd sent to never to be named hosting over the last five years. I looked at who were on maintenance plans with me and who weren't on maintenance plans. I looked at my contracts with each of them to see what I'd actually said as to who would pay for hack repairs. While I had great contracts, they're a little bit gray. So I actually rang my lawyer as well and said, hey, let's have a chat about these contracts. What does it actually say? I also rang my professional indemnity insurer just to try and see what they would say, just saying, hey, we might have a problem.

Checked everybody's contact details and I checked to see which of my clients were going to be affected by the mandatory disclosure of data requirements or data breaches. If you're a web designer, a web developer and you've got a number of clients, you need to know that. You need to know what you have to do in case there is a breach under the mandatory reporting of data, mandatory disclosure of data requirements.
Luckily, nobody on that server was caught up by the reporting. If it was another server, it would have been a whole world more of pain. It was a triage. I knew who was affected and I knew what we had to do.

Things when I was talking to the lawyer, they said, here's a heads up, Ingrid. You recommended never to be named hosting to your clients. You said, hey, when we build a site, we build with never to be named hosting and you set them up. Yes, the thing was in the client's name, they took out the individual accounts, but you only recommended one person. Guess what? So all web designers, have a wee chat to your lawyers and check: if you only name one host, similar to me, and there's a dirty great hack, you may also be liable. Something to have a think about.

So I decided that what I was going to do was wear the cost of all of the hack remediations for every one of my clients. The only costs I would pass on was any new hosting costs and if there's a specialist that was beyond the scope of our agency. Some are hacked, some hosts are lovely and they include hack repair, like Kinsta. Never to be named hosting wasn't like that. You can go to somewhere like Sucuri, Wordfence, SiteLock and they'll do a clean for you. Works really well if you've got a couple of sites. Numbers really start to add up when you've got five years' worth of hosting. You can hire a specialist hack repairer.

What I did is I'm a web support agent, a web group, a really good group called BlogAid, and BlogAid the webmaster group is probably my ultimate support network. They don't just teach you how to do web design, that's somewhere else. This is more about the techo stuff, and if you're new into web design BlogAid webmaster group is a really useful one. So I logged a thing onto the Facebook group and said hey, help, I need emotional support, calm me down, talk me out of a tree, and has anybody got any references for really good hack remediation specialists.
And I also hired an external security auditor, put out a poll for an external auditor just to do a double check once we've got everything sorted. And I put together some recommendations. So I rang each one of my clients and I said you've got three choices. You can either pay the blood money to never to be named hosting, you can either get Sucuri, Wordfence or SiteLock to do it, here's the costs, or we've got a hack remediation specialist. And what did they choose? I'll tell you that in a minute.

So what can you learn from this so far? Websites get hacked. It's a fact of life. At any given time about 1% of all websites have malware. It's 18.6 million roughly websites at any given time have malware in it. Even the tiniest, tiniest website, the smallest little one, gets on average 62 hack attempts a day, per day.

But what about WordPress? Well, 34% of all websites are driven by WordPress, are powered by WordPress, and about 60% of all content management sites use WordPress. So does that mean WordPress is bad? No! WordPress is bloody wonderful. The trouble is hackers go where the money is. So if you think about pickpockets, if there's only me and Bill and Bill's a pickpocket and we're both staring at each other, he's not going to pick my pocket. But if there's a crowd, that's where the pickpockets go. All the pickpockets and all the hackers are doing are following where the crowd goes. So if you use WordPress you're just a crowd. You're just in the crowd and they're trying to get you.

So what are some of the signs that your site has been hacked? We'll just cover that one first. Number one, if your site is hacked and they do a little G-hardy thing or suddenly there's people not wearing very much and they're very athletic and very noisy about it, your client is going to be the one who's going to spot it first and they will ring you. Always. Guaranteed. Particularly the client you've spent ages wooing.
You might get a particularly red shade from your browser; Chrome or Firefox might tell you hey, malicious site ahead. Your host might pull your site down. If they're nice, they'll give you a warning. If they're not nice, they'll take your site down faster than a kid who sees a puddle when they're trying to remove their clothes. Oh, God. Google might flag that it's a deceptive site in searches. You might not be able to log in, similar to what we had. Google Search Console might give you a flag. Security might, your plugin might have an alert, like your Wordfence group. Unknown admins will appear. Just take it as one of your things to check in periodically to see who's the admin on your site. Random new files and pop-ups suddenly appear. You might suddenly find that your site is now advertising Viagra and other little benefits. Your site might take ages to load. When the hackers get in they just shove so much stuff in that your site might take forever to load. So when we're talking about speedy sites, might be this is actually contributing to it. Your site might be unstable like we experienced. Your site might suddenly take up being a pen pal for it and four million of its friends around the world. If it starts sending email, you've got a problem. You might find that you've got extra pages and blog posts appearing and you might suddenly find that you're strangely popular in places like Bulgaria, Brazil. Get over your ego, it's not you. It's probably that you've been hacked from somewhere along those sites.

So when I rang my clients the number one question they said was why me? I'm only a tiny little tradie. Why me? The reasons that sites get hacked, number one is usually political motives. We're finding that there's a lot of political based hacking and they're trying to spread their message to raise awareness. They're trying to bring your site into, for example, the DDoS bot. So they're conscripting you into their cyber army.
That's the most number, that's the number one reason that sites get hacked these days. Quite often another reason is that they want to steal identity and use the identity of things in the back end for money. So yesterday there was some speakers that were talking about things that you could do on WordPress that you didn't know. More details that you've got in the back, the more potential that you are for creating a lovely little honeypot for people to steal identity. They might want to skim credit card details if you've got an e-commerce site. So they're trying to do it for money.

Theft of personal info. We talked a little bit about that. That's particularly important if you've got a medical type site. Theft of personal info is a very common reason for hacking, and just so you know, your personal details are worth $4.50 on the black market. So don't think that you're actually worth a lot of money. $4.50 and your details can be bought by the lowest bidder.

Hobby or lulz, as the odd person who still lives in their small little bedroom. Not that many these days. To leak information. The Panama Papers was one of the biggest leaks in the world. 11.5 million pages were leaked from this Panamanian law firm. It was hacked by an unpatched Revolution Slider according to Wordfence. You find that the people are trying to steal information and they're trying to get messages out. That's a common reason, to expose people and governments.

Cryptocurrency mining has dropped down in the last 12 months. We're seeing a lot less of that, but in the past they used to just harness your website to try and access or to mine their cryptocurrency. To redirect to their porn sites is another reason, and SEO spam to try and rank their sites higher, injecting all of their links back from your site. So there's some of the reasons that you get hacked. It's got nothing to do with you. It's got to do with your clients.
It's got to do with your systems and it's got to do with what you can do for the hackers. You're just the person in the middle.

So let's have a chat about, well, how do you secure your website? Okay. People forget that being online is actually like the real world. I'm just going to ask Bill because he's just handy here. Come and join me for a second, Bill. Now Bill is a standard web designer. He's wonderful. Now Bill, I want you to think about your house, at your home, for a moment. Your home has got doors, I'm assuming? Most of the time, yeah. And your doors lock? Yes. And you lock your doors when you go out? And you shut your windows? Okay, with your web, just your normal house, you shut your doors and your windows? You've got to do the same with your website.

Now with your keys at home for your front door, have you got less than five keys and you know who's got those keys at all times? Fantastic. I forgot to tell you, I actually took some of your keys yesterday and I had them cut. Hold that. Now we're going to look at how many keys you've actually handed out on your website. And every time I ask about a key I want you to drop it into my fishbowl. I'm a child of the 70s so keys have got to your own fishbowls.

Okay. Have you got a theme on your website? Do you use Divi for memory? Drop in a key. Have you got a child theme? Probably. Do you have WordPress 2019 running? Yeah, fantastic. Trouble with WordPress is it always brings its cousins. And when you have a look at them, so we've probably got 2018, 2017, 2016, and 2015. Fantastic. That's just your themes. You've got plugins. Every plugin is another key to your door. Yoast SEO, please. Thank you. Gravity Forms, please. You've got an e-commerce site I think we were talking about. Can you add WooCommerce? WooCommerce doesn't work unless you've got another five plugins, please. It's great. Fantastic. Have you got a slider? Probably.
And if you're like most small business people, you've had to try a couple of plugins and you haven't really used them for a while. Can you add another five, please? Can we have Hello Dolly? It hasn't been deleted. Feeling secure? Okay, but then your web designer added another couple that they didn't tell you about. They're just testing things. Yeah. This is your average website. These are the keys to your front door. You trust that every key is going to somewhere safe.

The problem is, I forgot to tell you, one of those plugins that the web designer tried and just left, yeah. What happened is the web designer went back and got a J-O-B and left their plugin in the repository and they abandoned it. It was just fine except that this lovely Russian man went to them and said, I don't have a plugin. I don't do accents. I'm going to buy your plugin and I promise not to add any malware or spyware to it, and so the web designer sold their plugin to this person with a lovely Russian accent, and this particular plugin is now full of spyware and it's in your website.

What I'm trying to say, thank you, Bill, you can add, yeah, go on. Every theme and every plugin that you have on your site is a key to your front door. So the basic rules: if you're not using it, delete it. If it's removed from the repository, delete it. And if it's something that's been abandoned, delete it. Each key, you need to know who's got the keys to your front door.

Okay. Next thing, secure your house. Who knows what these are? Let's move. It's a little kid's diary. If you're a mum, you've probably seen these. You give these to your children. And I've got these little tiny keys and your child fills it full of important information like which of their friends farts and which teacher do they not like. Your username is another key to your front door and unfortunately, a lot of people's usernames and passwords are as secure as this. A website with WordPress, the default username is admin.
If you have admin and the name of your website or one of the top 100 hacked passwords in the world, if you have password as your password, it'll take exactly zero seconds for the hackers to get in. If you have admin and you decide to be really strong and you've got the first name of your child and their date of birth, it takes 30.8 seconds. Feeling such strong and secure, admin is as secure as this little tiny padlock and this little tiny key. First thing you do is get rid of all admin usernames. Get rid of manager, get rid of test, get rid of the name of your website as a username, because that will increase the security. All of my clients had really complex usernames and passwords. They all had 16 character passwords that had four factors of complexity: they had upper and lower case, they had numbers, they had symbols. A lot of them had dual factor and it wasn't enough.

Okay, a few other things to do. Make sure that things are updated. According to SiteLock, 36.7% of hacked websites were running out of date versions of WordPress. 61% of hacked websites were running out of date versions of themes and plugins according to WordPress. All of my clients' stuff was updated. I go in twice a week and manually update everything. I check. It used to be something you'd do once a month, not anymore. I go in twice a week and check, update and watch every single thing that we update to check to see that things are working and aren't breaking, and it wasn't enough.

Back to this one. Just another thing while we're shutting the windows and shutting the doors. Untick the little boxes at the very top, pingbacks and trackbacks. These are primarily used in denial of service attacks. Quite often on your site, they can just hack out of your site. It's just a little tiny thing. Just untick it. Your ego doesn't need to have that stroke anymore. You might have a few years ago. These days you don't. So just untick it and it just helps to increase your security.
It's just another window to shut.

Make sure you've got quality hosting. Do your research. When I'm saying research, don't go to Facebook and say tell me a good host, because all you're going to do is get every single affiliate link under the sun. Do your research. Ask other web designers. Go outside and talk to all of the sponsors. You can't go wrong with most of our sponsors outside. When you're looking for a host, look for 24/7 support because if they're going to hack it's always at the stupid o'clock, and spread your risk. We've talked about that. Never just recommend one hosting company. For me now I would never ever ever go for a small hosting company. For me I will always go for multiple large companies and I always recommend minimum of two for my clients and let them make the choice from here on in. It's called spreading your risk. Never doing that again. And let your clients choose. They've got to be the ones that make the final decision.

Let's talk about PHP. Another door to shut. One of the things that runs, powers WordPress is the PHP that runs on your site. Unfortunately only 4.7% of all WordPress sites are either running unsupported versions of PHP, unsupported means no security patches, or 7.1. Now 7.1 reaches end of useful life first of December this year. So if you haven't done it, update to 7.2, buggy as it is, or 7.3 and just hope like hell that your plugins work. But PHP is something that you've got to look at. It's more secure and it's faster. All of my clients are running 7.2, just as an aside.

Another thing to shut. Your WordPress table prefix. This is something when you're installing WordPress for the first time for your clients. Just get rid of the WP table prefix, call it anything else. All you're trying to do is to break a common attack vector. It's a little tiny thing. Two seconds on you doing the install makes life easier.
Some good security plugins will change that for you if it's done post install, and there are other plugins on the available market that will help you do it. Just all you're doing is shutting doors.

Gets back to this one. SSLs aren't just for your clients. Your security, your SSL certificate, they're also for you when you're logging into your admin. An SSL, all you're doing when you're logging into your admin is sticking your hand over an ATM and hiding the number that you're keying in. That's all it's doing. But it still gives you that little tiny bit of security. All of my clients had SSLs installed.

Back up, back up, back up, back up, because you haven't heard this: back up. Now as I said, I use UpdraftPlus. I use the paid version of UpdraftPlus. And as you can see there's a little red column that says delete. That's what the hackers did. They just went down that little column, hit delete, delete, delete, delete, delete, and boom, all my backups were gone. UpdraftPlus has got some really funky things. If you go to the advanced tools section there's a section where you can actually password protect it. I didn't do that before. So if you go to UpdraftPlus and if you use it as a tool, make sure you lock down UpdraftPlus. Put in your password and lock it down. So hackers get to it, they get to see that screen in future.

Also with your backups. Back them up somewhere that even if they are deleted, because it's easy enough to get around passwords, we all know that. Go somewhere that you can get your stuff back. I used to back up to UpdraftPlus. If you're old, don't anymore. Now I back up to Dropbox or Google Drive. Peel you because if someone deletes it I can always get it back now. It has its limits but that's just one of the things that I can do. And do not rely on your hosting as the only source of your backups. A2 for example recently this year. They had ransomware. Fantastic. All of their sites got hit by ransomware. Everybody got done.
And all of the backups got hit by ransomware from A2. So all of the people who were relying on their host to get the backup got nothing. You need to have hosting backups and your own ones that you have control over, and make sure that you have the capacity to get them back again.

Okay. All we were doing the first stage was shutting the doors and the windows. Next thing we have to do is add a security alarm to your website. Now I'm going to feel a lot more comfortable if we have Bill wearing our security alarm. I don't know about you but every burglar alarm, we have to have a nice safe... We feeling safer now? We've all got our burglar alarm? Stand up and show everybody how amazing you look. Every website needs a burglar alarm. Thank you.

All the burglar alarm does is stand at the front door and says you can come in, you cannot come in. It goes through the house and looks to see if things have broken. That's a security plugin. Now there's lots of free and paid ones out there. Wordfence, iThemes Security, All In One Security, Sucuri, secure lock. All of those do something similar. They're going to look at the people coming in and they're going to monitor to see what's happening to your site.

Now with my stuff I had paid Wordfence on everything. It's the first thing I install on every site for one of my clients. I love Wordfence, but now, things that I had fixed on Wordfence: I had things like hide my WP version, I disabled the code execution in the uploads directory, I had an alert that if anybody from admin from a different location logged in or anything. I had an alert set that it was going to tell me if there's a large increase in attacks, nothing. I have immediate lockout if there's a wrong username or password, for two months nothing. I have it locked down so that anybody who tries to log in other than Australia can't log in, the page doesn't show, nothing.
I have tight rules for bots, they're either blocked or delayed. I have country blocking, I have dual factor for a lot of my clients, nothing's got triggered. Not one thing got triggered from my paid version of Wordfence. Wordfence and any security alarm can lull you into a false sense of security, and I will still to this day install them on everything, but if a hacker can get and burrow through, it's no good, okay.

We need to add a wall. So you've got your security alarm in, fabulous security alarm. What we need to do to add security is to add a wall. Can we have a chance to build that wall please? I know we're in the wrong country but you've got to have a wall. We've got a wall for Bill. We've got to have our wall. Feeling safer? But it's no good unless you actually have some sort of, some border security guards. My security dudes from the International Spy Museum, so we'll add them to the collection. Beautiful. So we've now got a lovely security alarm, we've got our fence and we've got our border security guards. A wall or web application firewall helps stop the bad guys before they even get to your house.
They're like the guy in the airport who scans your luggage before he even gets near the plane and says hey mate, can't come any closer, which is what these security dudes are doing, and they're just stopping the people from getting close to your place. But if you use Cloudflare, most people use the free version of Cloudflare. That's just a CDN, content distribution network. It's great to stop you from denial of service. If you want a wall you've got to pay for Cloudflare Pro, $20 US a month, and it puts in that little wall for you. You can also have Sucuri, it's another thing that has the wall added to it, adds another layer of security. Now I'll be honest, and even now I can't sell a wall to my clients because they're tiny tradies. $20 US a month is a big sell for them. I have it on my sites but my clients, it's a hard sell. Just something to be aware of, that you can add a wall.

You can also add in access security. So if you think about buildings, if you go into the Brisbane CBD, and I'm not going to read these out because it'll bore you to tears, if you go into the CBD, if you get given an access pass that you beep yourself in to different places and that lets you go to some places and not travel to other floors. You'll be able to get this slide when we do the downloads. These are all things that you can add to your wp-config or your .htaccess files. Like every rule with tech stuff, know how to do a backup of your .htaccess before you fiddle and know how to put it back. At least one of these will break your site. It's just, all it's doing is saying, dear potential hackers, you can go here but you can't go over here, you cannot touch these bits, you can't go wandering. Now some security plugins will do these for you so you don't have to think of code, other ones won't. It's just being aware of what is actually in your code and what you're doing, and just know that some of these will break, if you send that or Zapier, some of these will stop those from working. So you need to know, just try one thing at
a time and just test your site constantly to see what's going to work so you've got your wall and that will increase security on your site go back there and it still wasn't enough I had basic security I had paid wordfence I had some of the access controls and it still wasn't enough doesn't matter what you do if the hackers have a backdoor they're going to hack into your site potentially could have been the actual server remember we talked about that it was running a really ancient version of MySQL when I did a clean install after the hack we got this alert so you can get to see how old it was that even turned off the order update we want that to be set to true you never want it set to false you always want it to be set to true see with websites you're only as safe as your neighbours if you've got good neighbours you're safe, if you've got a dodgy one not so good increases the risk of being hacked so potentially it's the neighbours potentially it was shitty hosting we don't really know to this day how the hackers kept getting in the point is it's what you do about it that matters and the whole thing is it's all about recovery so the worst that happens is all about how you recover from the disaster your clients don't give a stuff who caused it, they just want it fixed so for me remember I talked about my clients and I gave them three options blood money, secure AL word fence scan or to have an external person to do an audit and then a migration they all chose the third one none of them wanted to be named hosting again and it took a couple of weeks to get everybody cleaned and migrated hacks have costs so I had one client who was a small car repair service he lost 50% in sales for that month alone we had two tiny, tiny clients who that was emotionally enough so they actually closed the doors to their business that was their last straw for them they shut the doors and left for my side of things I didn't lose a single client even the ones who actually closed their 
business so for coffee now and it was mainly because I think I was the emotional support for all of them I rang every minute I rang every night to tell them hey we got a problem, let's fix it I was there, because when someone's hacked they feel like they've been burgled it's the same emotional drama and so I supported them through it so the thing you've got to remember with word press security you're trying to secure you're trying to stop the issue, hence our screen and then you've got to help them recover at the end because that's what really matters as a word press security or a web developer okay all I can say is thank you and I hope that none of you go through is what I went through but it was a good lesson and I'm conscious of timing so I don't know whether we'll have time for any questions do we have any questions one question maybe we can do one quick quick quick question yes a question up there yep so as you mentioned a while ago most of clients especially those startup they cannot afford monthly subscriptions and all that stuff for their security so among all those websites, say for example they're just like a brochure type websites like is your recommended what do you call this like plugins or the minimal things that we could install as a security for the website so the minimum would be all of those things that I said to start with the free ones like keys I still have word fence paid that's a non-negotiable and every site that I do I build that into the cost build and then the main thing is I do the access control I do all of the access control things because they're free but they're my absolute bare minimum I always keep back ups and back ups and back ups now I'd like to say thank you to Bill for being our wonderful security support thank you and please give a big thank you to Ingrid as well