All right, Tim. All right. Good morning. Nice to see a full crowd here this morning. Welcome to Albuquerque, WordCamp Albuquerque. Just a couple of announcements. A couple of announcements. Please silence your cell phones. Bring plenty of water; high desert. And on a related note, the restrooms are down the hall. This presentation, without further ado, is called The Personal and Website Security Mindset. Adam first discovered WordPress in 2005 and has since founded several WordPress-focused businesses to provide education, plugins and consulting services for online business owners. In 2016, he brought his passion for WordPress to SiteLock as a product evangelist. Adam has since spoken about WordPress at many WordCamps and other events all over the world, and he was one of the people who had been at one of the 70-some WordCamps. In addition to WordPress, Adam is passionate about his family, robots, and of course life, the universe and everything. So I have 30 minutes for the presentation and then 10 minutes for questions at the end. Thanks, Tim. Hi, everybody. Good morning. Thanks so much for showing up to a security talk. I'm going to make it as fun and non-dry as possible. So this is a talk about personal and website security both. And it starts with mindfulness. Mindfulness is the quality or state of being conscious or aware of something. And I want to show you an example of being conscious or aware of something online and offline. This was at WordCamp Europe 2016. Some guy, this is not me, some guy posted this during the camp. Pretty tricky, huh? Okay. So you get it, right? Being aware, being mindful daily in your personal life, and then we're going to talk about websites, how that applies to website security. So did you know that $16 billion was stolen from more than 15 million consumers in 2016? And did you also know that identity theft and fraud complaints have increasingly been on the rise? And this is even old data. 
This is three years ago. And it's only gone up from there. And did you also know that a lot of that identity theft data is directly related to government documents and benefits fraud? So let's talk about that. There are 3.26 billion users on the internet as of 2015. Again, that number has only risen. And that's 40% of the world's population. That's a lot, a lot, a lot of people. And of those numbers, only 44% of that web traffic was actual humans. The rest were automated scripts, bots, scrapers, spammers, et cetera. So today what I want to cover is personal offline security, why and how websites get hacked, what we should all be doing as a best practice baseline, going above and beyond with your security, and then what to do after the hack. Because I want to be very clear, and it was Kim Coleman yesterday who did the security talk: there is no such thing as 100% security, whether in your personal life or online. It's just how it is. So again, I'm Adam Warner. I'm all of these things, most of all, a proud dad. So offline security, I want to tell you a little story. I was in Chicago in 2005. And I went to see a Harry Connick Jr. concert with my wife. We were walking back to the hotel, and I got this kind of that feeling. You know that feeling when your hair stands up on your arms or on the back of your neck. And I looked behind us and there was someone following us. So I went to the other side of the road. He went to the other side of the road. I went back to the other side of the road. He followed us, getting closer and closer and closer. So I got some pretty negative vibes, if you will. And we ducked into an open bar, and he walked by. And maybe it was nothing. Maybe he was a ne'er-do-well. Maybe we were in trouble. I don't know. But that's the kind of awareness that I'm going to challenge you to take into your daily life. So let's talk about offline. That GIF just keeps going and going, so I'm going to pass it. So lock it up. Simple things you can do. 
It doesn't seem like common sense, but again, this is about awareness. Lock up your financial documents and records in a safe place at home. Have a safe, a fire box. That's all your social security cards, your house documents, your passports. When you go to work, lock up your wallet or purse in a safe place. Keep your information secure from your roommates if you have roommates. All basic stuff. Limit what you carry when you go out. I wish I had one of those. It'd probably be worth some money, maybe. And I'm talking about not carrying your social security card, your bank account number, your routing number. And the reason I mention that is because I'm guilty of that. I've been guilty of that. So only take what you need. Take your identification. Take your debit card. Leave your social security card at home. Ask before sharing, and this is not about not sharing information. And what I'm talking about here is when you go to a new doctor's office or dentist or any professional office, the first thing they're going to ask you to do is fill out a bunch of personal information, including your social security number, your address, all that stuff that if someone had access to, they could use against you. So whenever I go to a new physician, I always ask them what their policy is on personal information. Do they shred it after they enter it into their system? Do they keep paper files? And not because I want them to not take my information or shred it in front of me, but because I'm trying to spread the awareness of the people who work there and maybe the policies that they have in place. Shred all the things. Don't put your shredder under your printer. Things like receipts, credit card offers, insurance forms, physician statements, bank statements, et cetera. A good shredder is a good investment. Prescription labels. 
If you have prescriptions before you throw them out, it's been known and documented that people can use the information on prescription labels to impersonate you and get prescriptions in your name. It's a good practice to just take the labels off before you throw it out or shred them. Opting out of offers. So we all get credit card offers in the mail. And take this one with a grain of salt. You can use this number to opt out. You can use this website to opt out. But guess who owns the website and the phone number to opt you out of these offers? Anybody? Yep, the three big credit bureaus. So, again, grain of salt. Maybe you just get moved to a different list. So let's get digital. That's all the offline stuff. Anybody remember that? Or am I aging myself? Okay. So let's talk about hacking techniques. There are several. One is vulnerability scanning. And this is typically done by automated bots and scripts. They're looking for vulnerabilities across the internet. Looking for a way in. It doesn't have to be across the internet either. It could be your local machine. Server disruption. Usually there's one goal with server disruption. Has anybody ever heard of a DDoS attack? Distributed denial of service. That's where a script or someone will take over basically the resources of your server and bog it down so much that it stops working. All the websites that are served from that server no longer can load. Monetary loss. That's pretty obvious why someone would hack to get money. Credit card numbers, et cetera. Information leaks. This could be personal information like social security numbers. First names, last names, family names, et cetera. And then finally, vandalism or defacement. This is not the most popular one, but it is sometimes the most visible one. And I'll show you some examples of that shortly. So why do websites get hacked? That's the how-why. So they can install what are known as drive-by downloads. 
And this is where you go to a site that is hacked and in the background without your knowledge it downloads a software program to your local machine to log your keystrokes. Or to then spread more malware from the machine, from your machine to all the other sites you visit when you're logged in, that sort of thing. Redirections, that's when you go to a site and you're immediately redirected somewhere else. Which is probably not a place you want to go. System resources, again, that's the server disruption. That is taking the resources of a server or a bunch of servers at the hosting level and using that power to spread their malware or other bad stuff. And finally, because they don't like you. Again, not the most popular reason of why things get hacked, but it happens. So you may be asking yourself, now why my site? I don't store credit card information. I use a third-party service for that. I don't have a defamatory site. I don't make people angry. My web traffic is low. I just blog about my cats once a month. Let's talk about that. So why your site? It's about opportunity. It's not you, it's them. And it's because it's possible and it's because we give them openings, open doors for them to get in and do what they do. So again, most hacking attempts are automated. It used to be easy to block automated scripts, but they keep getting smarter and smarter as the people behind them creating them get smarter and smarter. So pathways to a successful hack. And this first statistic, I don't want to scare you with that. 41% get hacked through vulnerabilities in their hosting platform. It's not the hosts I'm talking about. The hosts aren't bad. There's a lot of great hosts. There's a lot of great hosts here, Liquid Web and others. What I mean by that is if one site gets hacked on a web server at a host, then it's much easier to go from site to site to site to site to site, right? 29% insecure themes, vulnerable plugins, and 8% from weak passwords. 
Now you think of all the millions and billions of websites on the internet. 8% due to weak passwords is a pretty large number. So as I see it, there are two categories of security. One is access control. And I don't know, but I really think this is creative. He's the doorman, right? He's getting into his phone. And what I'm talking about with access control is basically anywhere that you log in, whether that's your phone, your local machine, your Facebook, your Twitter, your WordPress site. And the second is software vulnerabilities. So anywhere there's a system, there's a potential for a software vulnerability. And there's a whole bunch of examples of this recently, not the most recent, but one of them. Anybody remember this? This number is wrong, actually. It went from 143 million to 178 or something like that. And that was due to a software vulnerability. The software on their server was not patched, even though they knew about it four months prior. And that's what started that whole mess. So what do hacks look like? This is the fun part. And this is not a political statement at all. This is just simply a real-world example. We had an election a couple of years ago. And during that election, this website was hacked. And basically anybody could put in a certain query string and you could change the title on the header of that website to whatever you wanted. This is definitely the most tame of all of the examples that you can find. But that is an example of a defacement. If you have a message that you want to get out or you don't agree with someone else's message, you can make moves as a hacker to do that sort of thing. This is a redirection, which we talked about. I want to look at some real estate, but I'm looking at something else. And this is an example of what Google does when it finds a hacked site. Now, Google does a pretty good job, but it's not their main focus to protect your website. Because your website is your responsibility. 
So this is an example from when I was looking up some information for this talk. This site may be hacked. And it just happens to be on a security business website. So it's an old post, as you can see. But I wonder if they're still in the business. So where do you start? This was me when I first started thinking about security, and I first started thinking about security when one of my WordPress websites was hacked back in 2007, I think. So you start with yourself, as I've said. It's about being security-minded, being diligent; it's not paranoia. And we can all take some simple steps. And that's about closing those open doors. That's a really long GIF, so I'll just go past that one. So strong passwords everywhere. I'll give you a minute to read that, because it's pretty funny. So when I'm talking about strong passwords, I'm not just talking about your WordPress website. I'm talking about your home Wi-Fi, your local machine, your hosting account, your FTP, SFTP, or SSH, your social media accounts, your website logins, any third-party service, anywhere that you have a username and password, please make your password strong. Now you're probably thinking, oh geez, how am I going to remember all those passwords? Am I going to write them down on a piece of paper and put them in my drawer? No, you don't have to do that. I'll get to that in a minute. Don't ever reuse passwords, please. I am guilty of this and have been for a number of years. Please don't email passwords to people. Use a secure way to transmit usernames and passwords, because if your email gets hacked, what's the first thing they're going to search your email for? Your login, password, username. So these things can help. Password managers. These are some of my favorites. For one, I use LastPass. It allows you to generate strong passwords and usernames. It allows you to share that information securely with other people, and automatically pre-fills those login screens for you. 
So you don't have to remember those big, long, complicated passwords. Now, grain of salt. There are a few of these. There's no such thing as 100% security. LastPass did have a hack about two and a half years ago. So there's always, it always comes down to one thing, right? But it's about mitigating risk. Your computer, your local computer. If you don't have antivirus software on it, please get one. And I had examples there, but my PowerPoint skills are not sharp enough. Okay, so public networks. I want to tell you another little story. When a girl named Davies was three, her dad showed her some YouTube videos on how to create a spoofed Wi-Fi network. She went to the local coffee shop as an example and set up a spoofed Wi-Fi network with the coffee shop's network name or a derivative of that in about seven minutes and started sniffing traffic and devices from everyone who was connecting there. So how do we avoid that when we're on public Wi-Fi? Well, you either have a secure Wi-Fi and/or you get a VPN. And a VPN is known as a virtual private network. And it basically further encrypts the communication between your device, whether that's your laptop, your phone, whatever, and that Wi-Fi network. There are a slew of different VPNs out there. So if you search VPN for iOS or Android or Mac or PC, you're going to find a lot of results. Does anybody know what this is? Those are the core files in WordPress. And I mentioned this only because I've seen it recently. Someone acquired a site, an agency acquired a site from a client, and a developer had been changing core files for years to get what they want. And it was on a very, very old version of WordPress. So if a developer ever says to you, I need to change core WordPress files, run. Run away really fast. It's not secure. So you'll probably hear this repeated a lot of times. Back up, back up, back up. If you don't back up, you'll probably get a snarky reply like this. Backing up your website. 
Does anybody not know what backing up entails? OK. So basically, you can use a bunch of different free WordPress plugins. Just go to the plugin repository and search backup and you will find solutions like UpdraftPlus and others that will automatically back up your site files, your database on a daily, weekly, monthly basis, however you schedule it. So if your site does get hacked, you can go back to those backups that you have and reinstall your site. Updating all your software. That includes WordPress core, plugins, themes. Whenever there's an update, make sure you have a backup and then click the update button. If you're using a staging environment, which a lot of hosts offer now, they basically copy your live site to a staging environment. You can do your updates there in case you're afraid that it's going to break anything, any custom development you've done. So update your staging site first. But please always update shortly after they're available. And that brings me to removing inactive software. I'm a shiny new object type of person. I have had WordPress sites with probably hundreds of different plugins installed, which I had installed, played with, deactivated, and thought, eh, I'll get back to that later. All of that inactive software, whether it's a plugin or a theme, it's code that's sitting on your web server. And it's code that could be exploited, especially if you installed it years ago and it's just sitting there. So if you have any, not just plugins and themes, but anything that you might have installed on your web server, like some open source photo gallery or something. Only install software from official sources. I recommend, obviously, WordPress.org for plugins and themes. If you're tempted, or if anybody you know is tempted, to bypass .org to get software that may be premium software, well, .org doesn't sell premium software. 
But if you are looking for a premium solution like Gravity Forms or Caldera Forms or any other of the well-known premium plugins, don't go to a site that's offering them for free, because typically they'll have malicious code in there. Choose a secure host. And I won't recommend one over the other, because that's a very relative statement. I can safely say that probably 99.9% of hosts want to be the most secure host ever, right? That's their business. So I'll just simply refer you to WordPress.org, or there's a bunch of Facebook groups related to WordPress. One is called WordPress Hosting, where you can get a lot of recommendations for hosts. I know that Brown Rice Hosting is here, Liquid Web is here, and maybe some others. So go talk to them. SSL, you probably know what that is. This is a bit of an old meme. It is here. It's not coming anymore. It is here. Google uses this as a ranking factor now on your site, so not only is it important for your site and your business in the search results, but it also encrypts the traffic between the web server and the browser, which is just an extra layer of protection. And I should mention Let's Encrypt. Many hosts are using Let's Encrypt to give you a free SSL certificate, because prior to that it was very technical to install an SSL certificate and kind of expensive. Make sure that if you're looking for a host, or you want to check with your current host, that they at least give you the opportunity to upgrade to the latest version of PHP, which now I believe is 7.2; at least 7.0, make sure you're on. It's about twice as fast as PHP 5.6. And you can see that we're still moving toward it. These two slices are 7.0 and above. These are old versions. We still need to do better. So, security plugins and services. Let's kick it up a notch. Many, if you search the plugin repository, just search security. You'll get a slew of results. 
There are some very, very popular ones there with millions of installs and hundreds of thousands of installs. Do your due diligence, but make sure that they all have something like this in there. This is a simple step. Limit login attempts and login lockdown. This basically allows you to block an IP address or a username and password if it detects that it's continually trying to log in to your site more than three times, five times, 20 times, whatever it is. And it will lock them out for whatever time period you specify. If you have forms on your site, and everyone does because we have login forms, use CAPTCHA or reCAPTCHA. CAPTCHA started out looking like this. Now it's more like this, a much better user experience. And I believe Kim also mentioned that there was a CAPTCHA security issue, but this is provided by Google, so they're pretty quick to fix that sort of stuff. Two-factor authentication, known as 2FA. If you're not familiar with 2FA, basically when you go to your WordPress site, and this is what I do, before I'm able to log in, I have to put in my email address and it will send my phone a text with a code. I have to put that code in, and then it allows me to get to the login screen, where I then have to put in my username and password. So 2FA is connected to a very specific device that you own. So for 2FA, there's a bunch out there. Google Authenticator; Jetpack also includes 2FA capability now. And then there's a bunch of other ones like Authy and Duo. If you search 2FA for WordPress, you're going to find some solutions. One of the things that I always do and like to share is that in the back end of WordPress, if you go under Plugins and Editor, if you're at administrator level, and if you have other users that are admins for some reason, you can use this dropdown to load any plugin and all the files included with that plugin and then edit here. If you have an extra white space and you hit Save, your site's down. 
So I do recommend disabling file editing, just as an extra security precaution, and there are plugins to do that or you can do it with code. Just search Disable File Editing. XML-RPC, does anybody not know what XML-RPC is? Okay, so XML-RPC comes built in with WordPress. It stands for Extensible Markup Language Remote Procedure Call. Basically what that means is if you're using like a standalone blogging software on your desktop, your Windows or your Mac, you can connect your WordPress site via XML-RPC so whatever you type there gets pushed to your WordPress installation, or any number of other reasons why you would want to do that. Most people don't use that. It's on by default. You can install a plugin that says Disable XML-RPC if you're sure you're not going to use it. You're just mitigating risk. You're making that security risk smaller and smaller when you do things like this. Also, the WordPress REST API. If you go to your domain name and /wp-json, you will see that the WordPress REST API is active and sharing information. If you're not using the REST API to connect to your site or pull data for some web app, why should you expose that information? It's not necessarily insecure, but again, mitigating risk. You can learn more about securing WordPress at this address, and these slides will be available, or you can just go to .org and search hardening WordPress or security. Finally, install a firewall. Yes. Sure, yeah. It's codex.wordpress.org/Hardening_WordPress. It's going to have a lot of tips. Code-based stuff, plugin recommendations, that sort of thing. Firewall, you got it. Firewalls, there are two types of firewalls. There's a network firewall and there's a web application firewall. Your host is responsible for network firewalls. That's basically how they separate their servers to protect groups of servers. 
A web application firewall is something that you're responsible for, because you're responsible for WordPress because it is your web application that you've installed on your web server. Basically, a web application firewall is a hardware and software solution that blocks traffic. It blocks automated bots. It recognizes, detects them, blocks them before it ever hits your web server. So you're saving bandwidth, but you're also securing your site in that way because you're not letting those automated scripts get to the login screen or elsewhere. CDN, so just to back up with web application firewalls, also known as WAFs. So, again, if you search security in the plugin repo, you're going to see a lot of security plugins, but you're also going to see that some of them offer web application firewalls, or if you just Google web application firewall, you'll find a bunch. And basically what it is to set up, you change some DNS settings in your domain name to run your traffic through this WAF first before it gets to your web server. CDNs, content delivery networks, these are mostly for reducing latency or basically page load time, but it also has some inherent security built in. So I would recommend if you have some good traffic coming to your site to get a CDN; it will load lickety-split, and you'll be that much more secure. So how to detect a hacked site? These are all pretty basic. Visit your site, search for your site, unexplained spikes in traffic, investigate anyone who has said, hey, your site looks funky. Use Google Search Console and email alerts. It was formerly Webmaster Tools. They will alert you if they find something. Use a remote scanner, a malware scanner, a source code scanner, and a service that detects site changes. And again, Jetpack has some scanning capabilities built in, some brute force protection built in. I work for a company that also does that kind of stuff. So what to do if you're hacked? First thing, don't panic. Don't panic. 
Clean it yourself. That's what I tried to do, and this was the result. It didn't work out very well. So my recommendation is to use a plugin or a service. It's because it's their core business. They can remove malware warnings. They can remove you from Google blacklistings, et cetera. So what to do after the cleanup? Change all the passwords everywhere. Again, Wi-Fi, local machine, all your logins. And that's where password managers come into play. They're very helpful in helping you do that. And finally, I don't know if anybody is a fan of this, but my friend Shia has some good advice. Just do it. It's not that hard. It's pretty basic stuff, and it really comes down to mitigating risk. So I'm happy to answer any questions. You can find me at WP District or WP Modder or any of those sites. Yes, ma'am? Yeah. The question is, WordPress will automatically generate a strong password as you're adding a new user. Yeah, that's great. That's really, really good. And if you're using a password manager, you can save that too, even if it's auto-generated by WordPress. Anybody else? Yes. The question is, do I know anything about becoming HIPAA compliant or using forms that will match the HIPAA requirements? I don't know very specifically. I can tell you that a lot of advice I hear is to use not a WordPress form plugin, but a third-party form service that specializes in HIPAA. I don't know. I would look at Caldera Forms because they're super popular, Gravity Forms and WPForms, and see if they have anything about HIPAA. Any more questions? Yes, sir? You mentioned PHP 7 as the shared hosting services. I mean, my hosting service is at 5.6, probably. Yeah. 6 was never released. Right. So it's like, I imagine most of the hosting services are still at 5. That General Form 7 seems to be a big relief. I mean, is it that big of a security issue when it comes to WordPress in general? So the question is, his shared hosting still is on PHP version 5.6. 
How important is it to upgrade to 7.0 or to be on a host that's PHP 7.0 or higher? My answer is I think it's pretty important. For one of my own sites, which is a digital download e-commerce site, when we switched from 5.6 to 7.0, our traffic spiked, our exits stopped because our pages were loading that much faster. And we didn't change anything else, except to go to PHP 7.0. Now, 5.6, again, version 6 was skipped, but 7.0 includes a lot of security fixes and updates too. So my advice would be to either get your host to go to 7.0 or higher or... Well, you're probably not switching up to 7 because it's going to customer site. I would say maybe look for another host. Yeah. Sure. Okay, yeah. That's good advice, yeah. Sure. Right. Makes sense, yeah. Okay, any other questions? Yes, ma'am. No. No, basically, it works from your mobile device or your laptop, and it does all the work. It does all the traffic through a proxy. So there's no real technical setup at all. Yes, sir. The question is, he's heard some bad press about bad VPNs, and where is a reliable source for a VPN? I don't have the answer to that. I know that I use one called Cloak, which has rebranded to encrypt.me, I believe it is. That's what I use on my mobile device and my laptop. And I've been happy with them. I also have one, of course, because we're a security company, we have our own VPN that we use. So if I had to recommend, I would use encrypt.me. Yeah, well, I mean, that's the risk, right? That's the 100% security discussion. It all comes down to one entry point, whether that's password managers or a VPN that's presenting themselves in one way, but really doing another. Yeah. Yes, sir. Does it make sense to change the default login from wp-admin to sitelock admin? You mean the login URL? Right. So the question was, does it make sense to change the login URL? That used to be one of the standard security practices that were recommended. 
However, I believe that's outmoded because these days these scripts are automated. They're going to find other ways to find the login screen rather than just looking for the URL. I talked to Aaron Campbell, who is the WordPress.org security lead, and he had actually asked me to take that out of my presentation because it's a false sense of security. Changing the URL doesn't do anything in his opinion, to which I agree. Yes, ma'am? Sure. They are now. Okay. All of those sites are, but not at the time I wrote that. Probably late night in the hotel room at some point. Good catch, though, see? There you go. Security awareness right there. 101. So the first question was to talk about local antivirus programs. So basically it's a software program you download on your Mac or PC, and it will scan your files, every file on your computer, on a regular basis, looking for known malicious scripts and malware. ClamAV is one I use myself on a Mac. AVG Free is another one. They do not have a local machine virus scan. This is about the local machine, not the website files, right? So not the server files. ClamAV. AVG Free is another. And then there's, of course, Norton Antivirus, Kaspersky, which of course, again coming down to that one security risk, there's a lot of information out there that maybe points to Kaspersky antivirus not being so good. Maybe collecting all that data and using it in bad ways. I don't know. Does that end? Yes. You mean to... Well, I would certainly recommend following wpdistrict.sitelock.com or the sitelock.com/blog sites. We post about security issues all the time and best practices and that sort of thing. But you could also go to wordpress.org. I think it's wordpress.org/security. And they post all their security updates there, too. And when those updates come in at the back end of your WordPress site, an update to WordPress, read the change logs, read the notes. 
Because once you keep doing that, you'll start to get an idea of what kind of security issues are being fixed and are present, and then it'll kind of connect all the dots. At least it did for me. Yeah, that would be my best recommendation. Yes, sir. What's it called? Security. Security has a very, very good blog. They post a lot of information all the time. Okay, one more question. And WordPress as well, yes. This is of this, or does anyone in the room... Has this happened to anyone else? So last week I was in my Gmail. G-Mails are all down here. There's a red bar at the top and it said, warning, Google may have detected government-backed attackers trying to steal your password. Sounds like a hack, either in your Gmail or your machine. Really? Yeah. Just because it seems odd to me that Google would mention government-backed; they would probably say, your account has been compromised. Take these steps, et cetera, et cetera. So I do... There were two products that I was prompted to buy. That's a redirect. That's a redirect hack. Either your local machine is hacked or your Gmail account is hacked. Yep. So there you go, prime example. If anybody else has any questions for me, I'll be around all day. Also here for contributor day tomorrow. So thanks again for coming to my presentation. I really appreciate it.
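The hardening steps the talk walks through (disable dashboard file editing, turn off XML-RPC, stop /wp-json from answering anonymous clients, and lock out an IP after repeated failed logins) as a single WordPress must-use plugin. This is an added example, not code from the talk or from SiteLock; the file name, the five-attempt / fifteen-minute limits, and the `harden_` function names are assumptions.

```php
<?php
/**
 * Plugin Name: Hardening Example (added illustration, not from the talk)
 * Description: Disables dashboard file editing and XML-RPC, requires a
 *              logged-in user for the REST API, and locks out an IP after
 *              repeated failed logins. Drop into wp-content/mu-plugins/.
 */

// Assumed limits: five failed attempts, then a fifteen-minute lockout.
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// 1. Remove the Plugins > Editor and Themes > Editor screens. This is
//    normally set in wp-config.php; mu-plugins load early enough as well.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Turn off XML-RPC unless a desktop client or Jetpack actually needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Require authentication for REST requests, so /wp-json no longer lists
//    users and content to anonymous clients. Caveat: any front-end feature
//    that calls the REST API anonymously (some form and theme plugins) will
//    break, so try this on staging first, as the talk recommends for updates.
add_filter( 'rest_authentication_errors', function ( $result ) {
	if ( ! empty( $result ) ) {
		return $result; // an earlier check already decided (error or true)
	}
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			'Authentication required.',
			array( 'status' => 401 )
		);
	}
	return $result;
} );

// 4. Login lockdown, keyed by client IP and stored in a transient.
//    REMOTE_ADDR is the address PHP saw. Behind a WAF or CDN that is the
//    proxy's address, so there you would key on the header the proxy sets,
//    and only if you trust it, because clients can forge such headers.
function harden_lockout_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'harden_failed_' . md5( $ip );
}

// Count each failed attempt; the transient's TTL is the lockout window,
// and every further failure restarts that window.
add_action( 'wp_login_failed', function ( $username ) {
	$key      = harden_lockout_key();
	$attempts = (int) get_transient( $key );
	set_transient( $key, $attempts + 1, HARDEN_LOCKOUT_SECONDS );
} );

// Refuse logins from a locked-out IP even if the password is right.
// Priority 100 runs after WordPress's own username/password handlers (20)
// and cookie handler (30), so this WP_Error is the final answer.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$attempts = (int) get_transient( harden_lockout_key() );
	if ( $attempts >= HARDEN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'harden_locked_out',
			sprintf(
				'Too many failed login attempts. Try again in %d minutes.',
				HARDEN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
			)
		);
	}
	return $user;
}, 100, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
	delete_transient( harden_lockout_key() );
} );
```

Because the lockout is per IP, a shared office or mobile carrier address can lock out colleagues along with the attacker; a WAF or a dedicated limit-login plugin usually adds per-username and allowlist handling for that case.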