 round of applause for Tim Nash. Okay, I just want to say, this is really, really cool. And I really do just want to sit here and watch myself being mentioned on here. So if I stop halfway through, that's what I'm doing. Just probably remind me. So my name is Tim Nash. I work for 34sp.com. As you can see, I'm the developer advocate. I'm also the WordPress platform lead, which most people think means I do stuff with servers, which I sort of do a little bit. That really is my finger, genuinely in a data center. It's the only time they're ever going to let me in again. I nearly burnt it down. It was terrible. And today I want to talk to you about how you would deal with a hacked site. But before we start with that, how many people have actually had a site that's been hacked? Hands in the air. Were they all WordPress sites? Oh, some went down. That's good. Okay. Was it a real pain? Yes? Oh dear. I'm not going to tell you it's going to get any better. In fact, I'm going to tell you it got worse and you might have done it wrong. Sorry. But let's start with a more simple question, which is, is WordPress secure? And of course, we all know the answer is yes. So that's the end of this talk. There's clearly no problems with hacked sites at all. And on the whole, WordPress itself is very, very secure. This is a piece of software that's being used by a significant portion of the web, day in, day out, if there was any major security vulnerabilities, which from time to time they appear. But when they happen, they're patched very quickly. As long as you keep WordPress up to date, you should be doing absolutely fine. It's just WordPress out the box. It's not quite perfect for everyone. I know. There was a gas. Someone genuine. Really? Sometimes we want to make it look pretty. Maybe we want to install a theme or put a plugin that does some sort of functionality. And when that happens, security framework sort of goes out the window. 
Because the wonderful thing about WordPress and wonderful thing about languages like PHP, CSS and JavaScript means it's very accessible, very easy for people to get started. It's very easy to do anything. And that's good and really bad. Because you can do anything, all of you. You know, you all look very competent in this room. But from time to time, people make mistakes, they get sloppy, and they tend to break things. And when you start putting in mistakes into code, or whether that's configuring your server, whatever it is, mistakes happen. And then people who are a bit more nefarious, not as nice as me, may come along and do nasty things to your site. Or if you're really lucky, someone as nice as me comes and does nasty things to your site, because I'm testing it for you. And I promise to tell you that I broke it after I've laughed a bit. And when it goes really, really, really bad. Sorry. Good. Bad. Good. It can go really bad. Now, I'm not suggesting in any way that WordPress was to blame. I mean, it could be Drupal. It's almost certainly something to do with their mail server. Obviously, for those of you who are perhaps don't know, certain media sites have certainly suggested that potentially a plug-in was at cause, that at least allowed some partial access to an awful lot of very personal information that I'm sure shouldn't be in the public domain. But again, it doesn't really matter which one of these are, because all of these are being maintained by developers. And at some point, somewhere along the way, there has been an exploit that hasn't allowed a hack, or it could have been an inside job. Who knows? I'm going with it's a hack. And now I want to show you how easy it is to hack someone's site, but I'm not brave enough to do a live demo. I was going to do a live demo right up till about 2 in the morning, and anybody who's seen my Twitter feed will know that 2 in the morning I was walking the streets of London. 
I'm not saying it was because I was worried about doing a live demo when I'm really just going to be copying and pasting a link in, but I recorded a short video. I will talk you through it because it's very complicated. I'm doing really, really hardcore sort of think of this black hat hacker approach that I'm taking. This is a WordPress admin interface. You can see it's got an administrator. That was a silly thing to call my user. Oh well, it's not really a problem. I just refreshed it just to make sure that you don't think I'm doing anything sneaky or tricky, you know, with my video and not doing this live. This is a login page. You might notice that there was no register user here. Well, let's paste in something. We're making an admin Ajax request and we're saying, let's say users can register and default role administrator. Ooh, something's come back. That's interesting. What happens if I go to the login page now? This is the hardest hack I've ever had to do in my life. Oh look, there's a register user option. Gee, I wonder what happens next. Shall I just add a user? Oh, got to get the email address in there, 34sp.com. This is not on one of our servers. This is on my local box. I think I should emphasize that. Registration complete. We're all shocked and amazed to discover a test user. Seriously, that's how easy hacking something to someone's site is when they have really bad code. I didn't have to do anything. When you think of people hacking, you're thinking of them writing complicated scripts, et cetera, et cetera. I had to paste in one thing. And I'm going to show you the code that caused that in a second. This is just me still showing off that, look, this has happened to, and for anyone. Bad plugins, and more importantly, in many ways, bad fields, fields, themes, can cause chaos. That was this function. I put this in a plugin, and this came directly out of a theme. 
I know this because just before one of our clients went on national television, we found this particular exploit in their theme. Sorry, feature, feature. Why he did this, the theme needed to do this, we don't know. Frankly, they updated quite quickly the theme. The people who published the theme updated it. If you don't, you might still be thinking, Tim, that was ridiculous. There is the escalation exploit. It was really hard to do, copying and pasting. There you go. You've all witnessed live hacking. It wasn't that hard, was it? When you have tools like WPScan, it's ridiculously easy. If any of you haven't come across WPScan, go talk to the guys at Sucuri, who are sitting next to us in the other sponsored area. Get them to have a chat with you. It's a free tool. You can go download it. Basically, it's very basic. Pretty much everybody in this room can use this. You can just go, start off the scan, give it a URL. It will come back and it will tell you all sorts of information. Information perhaps you are a bit scared of. This isn't even script kiddie level stuff. We are talking you have downloaded a piece of publicly available software for penetration testing purposes. Now you are discovering all sorts of problems with your site, and only your site; you would not go to somebody else's site and do this. If we want to start getting really scary, we can go and look at things like Metasploit and there are plenty of other solutions out there which are basically a set of Perl scripts that will roll through and go and look for various attacks. If anybody's got Revslider on their site, chances are someone's come and done this for you at some point. That's the last dig I'm going to do at Revslider because the guys actually get a huge amount of stick for what is effectively not their problem. They made a mistake. 
They ended up in a scenario where they made it possible that people could get hacked and unfortunately their plugin got bundled with themes and those themes couldn't update or didn't update or wouldn't update and so everybody blamed Revslider when really they probably should have been blaming the themes that couldn't do the updating in the first place. So that was the last dig at them. Maybe. Just by the end of it. So, what do we do when we have a hacked site? And who just beeped? It's all right. Obviously one does not simply fix a hacked site. You first have to actually know that you have a hacked site. The good news is the internet tends to tell you this quite quickly. Failing that, Google definitely will tell you quite quickly. Only its way of telling you is aggressive. Very aggressive. Sadly, so many website owners find out that they've been hacked by this message appearing in their browser when they go and visit their site and when every other visitor comes to visit their site and also sees this message forever and ever and ever until they convince Google that they promise they're not hacked anymore. It's not a nice message. The good news is because of the types of hacks that occur normally, and we see this a lot on our network people aren't actually trying to deface your site. They're not trying to get into your site. You're just not interesting enough for them to actually want any of your information. You probably aren't storing credit card details. You're not storing credit card details on your site. So they're not interested in that. 
Actually what they're trying to do is get a nice little relay going, and normally the first sign of it going wrong is either the mail service start filling up like there's no tomorrow, because there's now lots of mail being sent out either by your container, by your server or maybe even through an SMTP server, or worse still the script kiddie's got their actual function wrong and your PHP warning error logs are just filling up and you crash the server. Seriously? These people aren't actually that clever. They're normally copying and pasting and when you copy and paste things you tend to break stuff. So hacked sites tend to break servers quickly. If your host contacts you they're probably going to contact you by saying we've turned off your site if they're generous or more likely we've turned off your account if they're not. That's harsh. Please don't do that. But chances are as an admin unless you're taking proactive looks to see what's going on it's either going to be this or it's going to be your hosting provider who's going to be telling you. You might start noticing weird things on your site. You might go to your site and suddenly go that's interesting, that wasn't the homepage. What? That may be a good thing or a bad thing but for a few seconds but it's definitely a bad thing after that. If you're being really clever you've got some sort of monitoring in place. There are services that will do this for you. If you've got plugins and services like using people like Wordfence or Sucuri they provide methods to detect if there's been changes and if there's been malicious changes your host may have something similar. A lot of the managed WordPress hosts will provide as a basic service this idea of we actually some intrusion detection or at least some sort of notification during wrong. So hopefully you've found out you've been hacked and it's quick. This is a scary stage. If you can catch before this you're doing alright. If you get to this stage everything's much harder. 
It's going to take a lot longer because if Google is blacklisting you chances are quite a lot of other people are too and mainly because the moment Google blacklists you they announce to the big wide world that they've blacklisted you so now you are blacklisted by everybody else whether you're blacklisted or not. So we've detected it. The next step is very much isolation. You know that whole thing in high school where you you had to go to the sort of class about STDs and how you shouldn't share? Your website is now like that. It's rude to share in this scenario so you need to get it offline as quickly as possible. That doesn't mean put up maintenance mode. It's a WP plug-in. That's simply putting a bit of sticky... this analogy is going to go downhill very quickly. Needless to say the damage would be already done and could be overridden anyway so you need to take that site down properly. That means taking everything out of your HTTP docs or your public HTML root get it out so it's not web accessible. Absolutely everything. You don't want to just delete and start again. Because if you delete and start again and we're going to come to this thing called backups which it's going to be a weird word for many of you. But we'll get to there in a minute. But even if you restore from your backup unless you know what's happened and what's going on it's just going to happen again and again and again. So you need to take copy isolate it. This is a good time to put a little HTML page up. That always makes people feel better. You know, haha we've been hacked. That works. Back soon. Wish you were here. All those sort of things will work fine. But just make sure that you take those sites and those files and put them in complete isolation. Damn, I just said that. The next step is to identify what has actually been hacked. And you may think this seems like a really simple thing to do. It's not. 
You see, even if you find the initial cause that just means someone's now got access and is starting to do nasty things. What they've actually done will take a lot more force and care to forensically analyze. This is normally the point where most people give up and just restore from a backup and pray. Because why wouldn't you? You weren't hacked before. You're now hacked now. So if I go back to the restore and then I update everything, I'll be fine. As long as that the hack happened in those two time periods and not three weeks ago and then the bot forgot about you because it was running through 10 million other sites and then it goes, finishes the loop, comes back to the start and now starts exploiting. In which case a couple of days time we're all going to be back in exactly the same scenario. So we want to try and find the hack. If you have a nice shell access, the very first command that would ever run on these sites is... I'm assuming you've all got WP-CLI installed. If not, WP-CLI, wp-cli.org, it will change your life. Seriously, it really will change your life. If you're a sysadmin or if you're a PHP developer and you haven't heard of WP-CLI, go look it up right now. Actually 20 minutes time. Cool. The very first command you'd actually run, wp core verify-checksums, which goes off, it goes to WordPress.org, it goes, hey, I want to know what each one of these files are and I want you to tell me if the file size matches the file size that you've got on your server by doing an MD5 checksum hash against each other. It will either come back clean, that's okay, that means that nobody actually has to call WordPress files or something like your WPC settings file is going to come back with a big red X. Trust me, red on command line is even more scary than it is in a browser. It means something bad's happened. Somebody who has actually made this tool is so scared that they've made it in red. It's that bad. If you get that, then you're screwed. 
So at the very least, you're not going to be updating your WordPress, you're going to be putting on fresh new files. Next step is to go and look, by looking for files that have been recently modified. This gets rather awkward. Especially if you're like fiddling with your site, you might be a designer or web developer and you might upload things from time to time and tweak things and you might not have version control and you might have forgotten and you might not be 100% sure. Now it's time for perfect recall of memory. But seriously, you can go through the command line or if you've got something like an FTP client, most FTP clients will allow you to search, at least sort by last modified; from the command line, you can find files that have been recently modified in the X period back. Look through them. In particular, look through to see if only one file in a plugin got updated or your theme got updated. I'm not suggesting that themes are the main cause of these sort of problems and it's nothing to do with the fact that they're done by designers and developers. That's not fair. Some theme designers have the most complicated job of all. They've got to make something look pretty, so they've got to be actually good designers and then they've got to become coders to work with WordPress. They have to understand how WordPress works, understand WordPress themes and the way to interact with plugins safely. If you're a good theme designer, you're a kick-ass developer as well. So if anybody goes and says that theme designers are not good they're not going. However, most of them are rubbish. It's their fault. Sorry. The next problem is that we also have these users and users are also a terrible point of problems. So even if... See, this is it. I've gone. I've looked. She changes the screen on me. It's not my fault. Come on. I'll let you catch off of your life. Oh! Yeah. So once we switch from looking at actual files, we look at users. 
Users, they have access to the database, databases. Databases are problematic. Databases, we can't just go and look for time stamps particularly. We can manipulate time stamps in database. Databases are really not... I was about to say tangible, but since we're talking about a virtualized world, tangibility is just a weird concept in the first place. But inside the database, once we've added a user or once we've got access to the posts, we can leave stuff in there. I dealt with a hack site last week where one of my colleagues came over and said I cannot make this hack go away. Every time I restore from the backup, it looks perfectly fine and two minutes later, it stops looking fine. He couldn't work it out until I pointed out that in every single post on his WordPress site was a meta-refresh one-minute delay. He genuinely had the page open and then two minutes later it was a viagra site. That's mean. That's like it's set to torture somebody. Look, I fixed it. Don't. So, you have to look into your databases, make sure that there's nothing in your database that you don't expect to find. Wouldn't it be great if we could version databases? Does everybody know what I mean when I talk about versioning files? There's not. Feel free to shake your head as well if you don't. We can spend like 20 seconds explaining it. So, there were some shakes. So, version control, basically, you have things like Git or SVN, CVS if you're hardcore or something else. And you can put files in and these files are given a stamp, whether it's a timestamp, whether it's some sort of hash. Basically to say, it is this version. You then, next time you commit files in, they become a different version. You can roll back to your old version, you can move forward, if it's really complicated and you can have like branches, you can do all sorts of stuff. But more importantly, you have a centralized location or a distributed location of files and you can roll back and roll forward and you can see changes. 
If you have version control, a lot of problems that you have with hack sites are very easy to deal with because you have what should be the clean untouchables in your versions control. The exploit might be there but the hack isn't itself. So, the code that could be causing the problem might be there, but it's not been exploited while it's in the version control. So, we can patch it and move forward. If we don't have version control, we live in the dark lands where we do things on the seat of our pants. And that's where most people are. Don't worry. If you don't use version control, you're not alone. I reckon at least half the room knows about version control. I reckon only about one in five people actually use version control for all their projects. They will all say they do, though. And you all signed up to GitHub to some point. There won't be many things on you. You might have some stars, but repost much. So, if you're doing a new site going forward, have a look at version control. Make sure you're getting these things into Git. Once we've found our hack, once we've found our hack, we look for more and more hack points, we then look to do the restore. Because we can restore from our backups. Backups. These are strange things. These are things which you take a version every day of your site and you store it somewhere else. Ideally, not on your server. Ideally, far, far away in another galaxy. And then when you want them, you can return them back to the version they were before. Daily backups are something you really should be doing. Because, ultimately, you can replace the individual files, which is the other way of doing this. But going back to a point which you know is fine, and then fixing the problems going forward, the way you do updates to your plugins to core, et cetera, et cetera, is a lot easier. Of course, this comes with big, big issues. For example, let's say I run an e-commerce site and my backup was last week and it was the busiest week of the year. 
It's Christmas. Ah. If I back up to that backup, I don't have the busiest week of the year. I have people shouting at me about things I know nothing about because I just restored a backup and have no idea who these people are. I don't even know if they're telling me the truth. I'm a bit screwed. Daily backups, good. Weekly, not so much. Anything beyond a week. Terrifyingly bad. You don't have backups. You have prayers. Different things. Very different things. So, take backups, take daily backups. You can go really OTT. Take your own backups as well. I'm going to repeat this later on in this presentation. But I work for a hosting company. Take your own backups. We do them. Our backups are good. They're in Chinese things many, many miles away from other things. It's all good. But you still should take your own backup because if you trust somebody else to have taken your backup and it hasn't worked, you're screwed. And here comes the next important step. Test your backups. Every so often go if I take a backup and then try to restore from this backup, does it work? You'll be surprised. The number of times that I've gone to a backup that a client has made and gone, you've backed up a text file called IOU1Backup. Okay, so that actually hasn't happened. But you get the general gist. If your backup is a zip file and it's zero bytes, that's not a backup. If it's 16 bytes, it's still not a backup. I'm trying to work out how many bytes it would be in a compression header. It's probably 64 bytes. Anything beyond that, you might have data in it. That'd be good. But yeah, make sure you back up. Test your backups. Test your backups regularly. Take them down onto your local machine. Vagrant. Do whatever you like. Just get those backups and make sure you test them. Once you've restored, we then need to take care of some other little business. We need to check that we've got rid of the problems. We need to look for the files that were corrupted. 
We need to make sure that we've got correct files. We need to verify the checksums. We need to make sure that we're using scanning tools, doing antivirus scans, all the good stuff that you probably thought, I really don't need to do any of this. I don't want to do any hacks, and you really do want to do it. And once you've checked all of this over and over and over again, and you've got your friend to check it, and his friend, you then make your site live again in your HTTP docs. You breathe, you're fine, everybody. Congratulations. You've restored a hack site. This doesn't sound hard at all. Why is the problem with this? Then we remember that perhaps just to be on the safe side, we will try some new passwords. Maybe that should be passwords, should it? Passphrases, people. Passwords are bad things. Passphrases, they're big, long things. Long is good. We like long. You can make your own jokes. You all are going to make sure that your WordPress plugins and themes are kept up to date. That's because any changes you make, ladies and gentlemen, you're going to do in a child theme, aren't you? Unless you're writing the theme from scratch. Good on you. Hardcore, guys. Don't do that. Unless you're a really good developer and a designer, in which case, go for it. I want to see your theme and please can I pinch it because I really need a new theme for my site. But yeah, for WordPress core plugins, themes, use a child theme if you're going to make changes. If you're going to make changes, don't make stupid changes that allow me to hack your site. Be clever. Go to the Codex. Start reading through the Codex. The Codex is your friend. Make sure your file permissions are correct. Make sure that absolutely everything is up to date. That you're capable of doing, including the software on the server if you have access. How many people in here have an unmanaged VPS? Some sort of VPS that they do the management of. Cool. That's more than I expected, to be honest. Cool. 
Now, leave your hands in the air. You are the admins of the world. How many of you ran some sort of apt-get update in the last 24 hours? Be honest. Be honest. Be honest. Okay. How many of you did it because you have it set up to automatically do it? Okay. Most of you kept them up. Who actually did it manually in the last 24 hours? About five of you. Okay. But do you have some sort of automatic updates between you? If you still have automatic updates as well, keep your hand up. Oh. So, actually, about half of those people every day they're logging in to do their updates. Let's hope they don't get hit by a bus or have internet connection problems. Why are you doing your own update? You might get a parrot. You know one of those things from... It just hits return. Seriously, guys. You don't need to be doing this. You can automate this process. But if you are automating this process, check the automation. So, the rest of you who have just laughed and gone, okay, I don't want automatic updates. When was the last time you checked they actually ran? Yeah. All right. If you manage software, keep it up to date. Make sure it stays up to date. Have a look at your users. Should they be there on your WordPress database? Should these users really exist? Should they all be administrators? Was that employee you sacked five years ago? Did you actually turn off his account? Not suggesting he had a grudge, but... Same with files. Make sure that the files are there. You don't need them. If you've got plugins that you don't need anymore, they're deactivated, take them off. It will make your site faster. It's all a win. And then we need to get you removed from some blacklists. Yeah, I have no advice here. You have to go fill in the form, pray, get a response, fill in the form, pray, fill in the form, response, pray. And at the end of this, you sit there going, I'm just going to give up. And that's the moment. There's some psychic connection between you and the Google servers. 
And at that point, the automated system goes, yeah, all right, we'll let you back. With warnings. So it drops you down a tier. But if you ever do something wrong again, bad things will happen. And do remember, it's not just Google. So quite a lot of the companies that you know as antivirus scanning companies, so all the big antivirus vendors, they nearly all maintain some sort of blacklist. Quite a lot of these antivirus companies have plugins that install on things like Firefox and Chrome. Now, you not only have to wait for them to clear the blacklist, you need to wait for them to update the plugin so you can get back in. So this is a long process. I'm slightly concerned that they don't know what time it is because they keep putting different cards in front of me. So this is a really, really, really long process. I want one minute. I like the five-minute one that you didn't put up. Oh, well, that's okay. So we'll go to the prevention bit. This is basically, I'm going to drill this into you. You will have no choice. Your plugins, your themes, and core must be kept up-to-date. If you are not capable of doing this, find a company that will do it for you. It doesn't have to be your hosting company. There are services out there that will automatically update. Do it for you if you want. So just enable it, make sure it stays up-to-date. There is nearly never a reason that themes, plugins, and core cannot be kept up-to-date. And if core cannot be kept up-to-date, you are a bad, bad, bad person. Puppies died because of you. I certainly could have done depending on what your WordPress site was running. You like their food supply via the REST API. Just think about that. I hope you feel really bad those of you who just made changes to core. Plugins and themes. I understand some people's hesitancy to keep plugins up-to-date. If you are going to make changes to plugins, you can normally hook into them. You can make changes not directly to the plugin itself if possible. 
Obviously, if you're the plugin maintainer, some of this goes out of the window. Please keep it up-to-date by making patches and changes yourself. But for everybody else, keep your plugins updated. Keep everything else up-to-date. Guys, PHP 5.6 is out. PHP 7 is out. If you're on 5.2, you're bad. And it's you are bad. Not anybody else to blame but yourself. So make sure PHP and MySQL stay up-to-date as well. Or, as I would like to put it, update all the things. Well, are you there? Two-factor authentication. Yay for two-factor authentication. Two-factor authentication on your email as well. That's the thing that you reset to. If you end up being hacked and you get hacked badly and you use the same password for everything, your email is screwed, your PayPal is screwed, your banking details are screwed, your bank password reset probably goes to yes, your email. Don't give the keys to the castle away. Please, please, please use two-factor authentication on your email. Please use passphrases. Don't make me bring out an XKCD article. I said, don't make me bring the XKCD out. And finally, please take backups. Never trust someone else to back up your content. Especially not your host. I mean it. I will tell you, before I worked for 34SP, I used a different hosting company to do some of my sites. It was a lovely horror story. I'm quite happy to do it. No, we've run out of time, haven't we? Come find me and I will tell you the worst and terrifying horror story. I've been Tim Nash. I really hope you found this useful. If you haven't found it useful, come and talk to me and I will give you some really technical blurb. If you want to have some fun, if you find an old site with WPScan, and it has Rev Slider in it, Metasploit has this beautiful little hack. 
WordFence showed it off a couple of days ago, which will put a shell directly onto any shared hosting company. It will only let you get to the web root, but it's good fun and terrifies anybody. Sorry, guys, from Rev Slider. Thanks very much. Have we got time for questions? We have time for questions. See, we had loads of time. Hi, Tim. Hello. Imagine for a minute that you go into a shop, you buy a big bar of chocolate. Inside that big bar of chocolate, and it says, you're allowed to put one thing in WordPress Core right now, no questions asked, that would benefit people in these circumstances. What would it be? A button that makes WordPress go away and a little note saying you shouldn't play with things you don't understand. No, that's really wrong. That's so wrong, and that's not true, and I wouldn't do that. Two-factor authentication into WordPress Core. It's coming anyway. Just give it a bit of a kick. The audience might actually be here. I might go kick him. See if we can get that in Core as quickly as possible. Because a lot of hacks we see are very simple brute-force attacks. So they just guess your username and password. Once they've guessed your username and password, they can upload things to your site. Any sort of hardening you've just done, you're now an authenticated user. It's sort of irrelevant because you are now that user as far as your site's concerned and you can screw it up as much as you like. Two-factor authentication. At least requires them to know not just a password, but some sort of secret information that only you are meant to be able to access. Some two-factor authentication is better than others, and obviously if your two-factor authentication is sending an email to your email that's probably been hacked, not so good, but things like Google Authenticator are absolutely fantastic. Please use them. Thank you very much, Tim. You hinted at version control for databases. 
I sort of vaguely know of some things that sort of do that, but that seemed like the one weak link in all of the suggestions you have. The example you gave right at the start, where someone has changed the privilege escalation thing, what would you recommend for diffing between a database version from yesterday to one from a week ago, or trying to find an exploit in that way?

So there are actually some diff tools for MySQL, but they are very process-intensive. They require you obviously to have a localised copy of the database, and they use Java. That's not a negative. That was just me saying something out loud. There are actually a couple of version control systems for databases, and I used one for a while and the name has gone straight out of my head, but I will tweet it out. But yeah, you can actually get version control for your database. It's just that it's really hard to do, because unlike your file structure, in theory you can have a version control, you can push your files out to the server, and someone can come along and modify it, but you have some sort of audit control over that. You at least know it happened. With database, the way that databases work, and particularly in MySQL works, really what stuff goes in, you can audit what queries have happened, but there's nothing to actually prevent something else making a change immediately afterwards. So your version controlling on databases is a much more complicated thing. Lots and lots of people have tried and failed. But I have used version control for databases in the past. I'll tweet out the link to which one I used. Again, it's a Java application. The reason I stopped using it was because I don't think it was related.

You have to be really quick. How do you feel about, and do you have any recommendations for audit logger tools for WordPress?

The word WordPress in the end was the mistake.
If you're actually using a plugin to do the auditing, you've sort of failed, because obviously anything that can manipulate WordPress and edit WordPress can also manipulate and edit your audit logging tool. What you want is an audit logging tool that is still noting down the changes, but pushing those changes to a remote logging server somewhere else. When you find one like that, please tell me. I'd love to see it. There are some good auditing tools out there. Again, I will push out a couple of links to some good ones that you can then shove into an Elasticsearch cluster and similar. There isn't anything specifically for WordPress, and in fact you almost don't want there to be specifically for WordPress because it sort of defeats the point. You should never really be inspecting yourself, which is sort of why some of the security plugins you sit there going, well, you're sort of too late now. You're doing your own job. Yeah, not so good.

At what point do you say a website is a write-off if it's been hacked?

As soon as possible. No, you actually want to do a serious answer. About 10 hours into the stress, I think, and you've lost it depends on how much gray hair you had to start with. There is no right or wrong answer. When we do get certainly as a hosting company, we do see clients who just over, over, over again, who insist on using the same theme over and over again, and you're there going, but it's that. At which point there comes the time when you have to say it's a write-off, whether they agree with it. I think for many people, the idea of starting again terrifies them. But if your site's got to a stage where, actually, sometimes sites just get hacked, and I should have really prefaced this with getting hacked is not necessarily the end of the world. It's a lot of work. It's a lot of stress. It's scary, but it's not the end of the world. You've not become a bad person because your site's got hacked. You're not in the minority either.
You probably are in the majority. There is a time where actually a site getting hacked is also almost that little push to go do something different, do something new with your site. Maybe the next time your site gets hacked, think of it as an opportunity to start afresh, get that redesign out, pass it through to management, say, well, we're going to see a little dip in revenue. I've got a great plan to put us back up. I don't really have an answer. How long you can just dump a kit for? I think that really is it.

Thanks, Tim.