So today, we're going to be talking about online threats, specifically to any platform. WordPress, of course, is very prominent and very important. But website security is much larger than just WordPress. Quickly, who I am: obviously, I work at Sucuri. I've been there for about five years, and we focus predominantly on all types of website threats, from attacks to malware distribution, malware and compromises, things like that. And what I've learned there is, over the years, I have really two main philosophies, right? We always talk about the responsibilities that we have as WordPress users or open source users and the freedoms that we have with those platforms. But we rarely talk about the responsibilities that we have being online, right? We have a responsibility to ensure that the content being distributed is safe, that the users coming to our site are being safe, and that we have a responsibility to be good stewards of the internet. And I think you'll get that overall trend as we continue this conversation. And so I was thinking of a conversation I was having with the marketing team recently, and they pulled this image up, and I remember looking at this and thinking to myself, oh my gosh, what's going on in this image? And it wasn't until they explained it to me that I realized what it was. And it's actually a grocery store, and those are lanes of information. And you notice this overwhelming feeling, or this concept of sensory overload. And I feel this is where we're at in website security these days. There's a threat, there's a compromise, there's a hack. Oh my God, WordPress security, it's falling apart, right? And this continues to go through our mind, and this is a concept of sensory overload. It's messing with our emotions. Maybe we've been blacklisted, maybe we've been hacked, or maybe somebody just scared the shit out of us and said, you may get hacked, right? Either way, we don't feel what's happening.
And the challenge, I think, comes from the fact that we always think very one-dimensionally. We think of WordPress by itself, but in reality, WordPress is but one component of a much larger environment. And in many instances, for you agencies and developers, your environments look more like this. You may have a server, an account on one of these shared hosts, and you have multiple sites and multiple applications in that environment. And you think one-dimensionally and say, hey, I'm focusing on my WordPress environment, but you don't think about anything else that's sitting within that same environment that may be contributing to it. So with that being said, let's go ahead and get our top 10 tips out, right? We go on Google, we search, this is what it's gonna find, right? Update everything, watch your version, watch your admin user, backup plan, have a good host, secure PHP execution, perfect. Everybody feel pretty comfortable with those things? We've heard them, probably regurgitated over and over again. Now let's talk about what's really happening, okay? And the first thing I always like to start with upfront is, let's get to the root of the problem. And in case you're wondering what the root of the problem is, it's every one of you in this room. Not to sound aggressive about it, right? But it's every website owner, because the fact is that all of us have been educated to get online quickly: five-minute installs, get online, create a business, you can sell, you can push content. Nobody's taking the time to say, hey, there's a responsibility for this. Hey, once you get online, you're part of a much larger ecosystem, and you can contribute to the overall experience in that ecosystem. Nobody's told us that. The hosts don't tell us that. Our agencies don't tell us that, because nobody wants to scare you. But the fact of the matter is that most of the compromises happening are because we as website owners are not taking the time to understand what our responsibilities are with that site.
Things like basic administration and maintenance. Those are the things that lead to compromises. They aren't the vulnerabilities, they're just the results. But if you just do basic things, you would improve your overall security posture. And so I always like to talk about the how: how are these things happening? And I always start with kind of the environment. WordPress is at the very top. It's part of multiple layers of infrastructure, environment and configurations. Every one of those acts as a potential attack vector to your environment. Time and time again, we deal with reinfections, sites being compromised, and we ask ourselves, why is that? And then we look: oh, it was probably FTP. Or, oh, maybe we use the environment for multiple purposes. Maybe we use it as an email server, as well as a cPanel environment, as well as a database server. Yet we don't focus it strictly as a web server. Yet there's all these other components, and we always think, oh, it's WordPress. But it's so much larger than that. And we have to remember that when we work with complex environments, complex things break in complex ways. And you cannot just pinpoint one thing. And in many instances, it's the website owner. Oh, I did, I forgot to upgrade. I used password123 one more time. We should not be having that conversation. So now let's look at some other vectors that you may not think about, right? We have access. I just talked about that: username and password. Things like brute force attacks. Things like access controls. But access controls extend beyond the application. It goes to the server. It goes to your cPanel administration. It goes to your account. It goes to your DNS. Anywhere you can log in is a potential access point to your environment. And any one of those can manipulate your environment. We have things like the environment. Things like poor isolation. How many people have one account on a shared host with 100 sites on there?
Maybe you have a dev environment in there. Maybe you have a staging environment in there. That doesn't work like that. If your dev and your staging environment are in your production environment, then it's all just one big dev and staging environment. You're gonna deal with things like cross-site contamination. We do very poor functional isolation. We use the web server for multiple purposes. We have to stop that. We have things like the software. Of course, the software's a lot harder. Even developers can't keep up with the challenge in the software. But that's why we have maintenance strategies. That's why we update. That's why we back up. Things like that. Those are all things that reduce our overall risk and ensure that we're prepared in the event of an incident. And then lastly is the awareness. Because let's face it, right? I'm probably the only one in this room that really cares about security, right? You guys are all here because you heard there's an issue and somebody said you gotta go to this talk. But awareness is very important. What are you protecting? Why are you protecting it? How do these things happen? These things help educate you. And through education and awareness is how we combat this. Taking a few minutes to come and sit here is the first step in that process. I do want to talk about one thing: denial of service. We're continuing to see an increase in attacks around denial of service. Denial of service is a little bit different than the attack vectors I spoke of. Because the attack vectors I spoke of are ways to manipulate and gain access to your environment and use it for other purposes. But what if individuals can hold the availability of your site hostage? What if you're dependent on selling, you have an e-commerce site, and the attackers can take you down or hold you hostage and say, you'll pay me $10,000 or I will take your site down all of Cyber Monday? It's happening more and more.
Attackers are using this to overwhelm your resources, overwhelm the servers and take control of your environment and force you to pay them. And hey, they don't have access to your environment, they're just overloading your resources. So with that, how are these attacks happening? And mostly they're automated. Whether it's a targeted attack or whether it's a targeted opportunity, most of them are targeted, and they all follow the same linear process. There's a step of reconnaissance. What is the website built on? What kind of server is it? What do they have on the server? We then identify: oh, okay, it's WordPress. What version is it? Oh, it's 1.5, perfect. I know there's a hundred different vulnerabilities that I can exploit. We then make an attack, and we say, hey, this is what it is, they have TimThumb, I'm going to exploit it, I'm going to upload my file, I now have access. Now I have access, what do I want to do? Do I want to distribute malware? But maybe I don't want to distribute malware. Maybe I want to add your website as part of my network so that I can attack other people. Hey, maybe I want to use your website to phish other accounts. Maybe I'm interested in Sony, and I'm going to attack them via a phishing lure, and I'm going to use your website to push it through their domain, because your domain will get whitelisted. That is how critical we are to the overarching internet ecosystem. Once that decision's been made and they understand what they want to do, there's always this piece of sustainment. How do I make sure that I can regain access to the environment without using the same steps? Because if I use the same steps over and over again, I'm more than likely going to get figured out, and I don't want to get figured out as a bad guy. So understanding this helps us think: what do I do through this process? Do I know who's logging in? Do I know if files are changing? These are things you should be asking yourself, and these are important questions.
You could even ask your agency. How do I know if something changes in my environment? The very common question I get is, why? Why would anybody hack me? I only have a little website. Nobody cares about my website. But you're wrong. Somebody does care about your website. You. And maybe it's you and one other reader. You know what? But it's two of you now. And it grows. Okay? And so let's look at the why. The very obvious one is revenue, right? Everybody wants to make some cheddar, right? And that's what that allows them to do. You have an audience. Not everybody sells. I get it. But you're online for a reason. Either to push content, brand awareness, brand evangelism. All of you love SEO. You all want to be number one in search rankings for whatever it is you're writing. If not, why do you have a website? Unless you're a Fortune 100 that just feels like, I must, because marketing is complaining. Happens all the time. But for us in this ecosystem, we have websites for a purpose. We share information. We engage with our audiences. That is valuable. We rank in search engine result pages. Those are very, very valuable to the attackers as well. There's the lulz. I can almost guarantee you that one of your teenagers is at home trying to hack somebody right now. A majority of them are between 16 and 18 years old. Look at the kids that just hacked the CIA director's and the FBI director's emails. They were bored at home. Why? Because we made it too easy. Because we used admin12345. Why not? Ask your kid, why do you do something? Why not, dad? Well, with that kind of rationale, how can you argue? Resources. Your resources are just as valuable as your website. If I can gain control of your server and add your server to my network, I can attack other environments. And guess what? It doesn't affect me. You get knocked out. You get shut down. What do I care? At least I used you for a little bit. And so what are some of the effects of this?
So I talked to you about the attacks and how they happen. So what can they do? Why should you care? You have things like search engine poisoning. Search engine poisoning is where I can take advantage of your search engine result page rankings in Google, in Bing, in Yahoo, and abuse them. So somebody goes and searches, I don't know, happy cats. And maybe you ranked number one for happy cats, right? And you just write a lot of stuff about happy cats. Well, now it's happy cats with Viagra. And you're like, that's not where I was going with it, right? And here's the thing. Google now is saying, hey, you know what? We're done playing around. And they're coming out with new rules that are saying, if you get caught with "this site may be compromised," or that you may have an issue, they're going to start removing you off the search engine result pages. And there's one thing that I know about Google: they love to take you off the search engine result pages. And they're never too eager to do it at the same pace in the reverse. I don't know why they do that. But this is going to impact you. Now think, how would that affect you as an organization if you depend on that website, either for an audience or for engagement, or maybe even e-commerce? Maybe they can't find you anymore. You have things like drive-by downloads. Drive-by downloads are the distribution of malware. And their emphasis is on targeting endpoints. These are the things that we hear about. Trojans in your environment that steal your financial information. How horrible would you feel if your mom, your daughter, your child went to your website and they got infected? Because I can tell you right now, my mom always calls me, "I clicked install," and I'm like, that sucks. I hope you don't do banking on that computer. I can guarantee you, we all use the same computer for everything.
We go on the same computer for our finances as we do for Facebook, as we do for social, as well as we do for whatever else we do in our private time. Right? And here's the thing. It's highly conditional. These days, mobile is a huge target. And we know this. We see it in our traffic, right? Everybody's coming mobile. Everybody talks mobile. Everybody's got to be responsive. Everybody's got to be secure, right? And it's happening more and more. And things like Droid are a high target. And so we can put payloads that say, hey, if you come in from a Droid device using this configuration, using this browser, target them. But you, looking at your site, are like, I don't know why people are complaining. I don't see anything wrong with this. And it's growing. And what happens is this then leads to things like blacklisting. Did you know that Google's blacklisting about 10 to 11,000 sites a day now, that they've seen over the past year a 180% increase in the number of infections that are occurring and the number of blacklists that are resolving? Did you know that a blacklist can kill your traffic up to 90, 95% for about 48 hours to about five days once you get blacklisted? Now, I don't know what kind of websites you guys have. But I can tell you, if my website went down for that long, I would have a problem. The board would be yelling at me. There'd be a lot of angry people. Then we have things like defacement. This is usually associated with the lulz section of kids, like, oh, I got access. Let me just show you how weak your security is. The bigger the organization, the better it is to do the defacement. The more credit. It's about street cred, right? Like, yeah, I did that. I mean, I've never done that. I'm just letting you know that that's what they do. And so security is about risk management, right? It's about reducing risk. But we have to understand it's about expectation management. I know all of you that have projects in here understand expectation management.
And what I want you to manage is that risk will never be zero. If you come to me and you say, oh, how do I make this stop forever? I'd say, we can't even have a conversation, bro. We're not even on the same wavelength, because it will never be zero. All you can do is implement things to help reduce that risk. And so I want you to think of security in terms of an onion, multiple layers, specifically this concept of defense in depth. In defense in depth, you implement multiple controls throughout your entire stack. Maybe it's simple auditing to understand who's logging in. Maybe it's simple monitoring. Maybe it's a protective layer of some kind. Maybe it's just having your host online or understanding what it is. All these controls mesh together to reduce your overall risk. No one singular event does that. And I always start with this concept of people, process, and technology. The pillars of security that we've failed to talk about. What do we talk about? We talk about technology. What plugin do I install? How do I configure this? But the technology is nothing without the people. The processes are nothing without the people. It's you who configures it. You know how many people have signed up for a product and said, I'm set, I'm good, and then never configured it? And they're like, why'd I get hacked? I was like, you know what, I don't know. I have no idea. I know someone who can relate to that. We have to start educating on the basics of security. I got the 10-minute note, so I'm gonna push it a little bit. And so security starts with good posture. And I always like to focus on five areas when we talk about posture. We look at things like protection. How do I make the attack stop? And we already understand how the attacks happen. So now we can start looking at implementing things to help through that process. We look at things like detection. Do I even know that I'm compromised? If I do, what am I gonna do? And that gets into our response.
How do I ensure that if something happens, and if I'm being attacked, I know what to do? And maybe it's just about talking to your host and saying, what are the protocols for this? Your host may handle that. If you have a managed environment, they may do this for you. But do you even know? That's the question. In basic security, I don't have to really discuss this. I don't have to talk about things like maintenance, because it's an understood thing. But in this environment, I have found that more and more we have to bring up this point of maintenance, the point of administration. Because website owners have always been told it's easy: you get online and you're done. But it's not that simple. You have a responsibility. And then best practices and principles. And what I mean by that are things like least privilege, the idea that you give people the access that they require, only when it's required, and when they're done, you remove it. It's a pretty basic idea. And I know what some of you agency guys are gonna tell me. You don't understand, Tony. I have this client and he wants to be an administrator. I found the plugin that allows you to manipulate permissions. You can create an administrator role, take all the administrator privileges away, and then give that to your owner and say, you are now an administrator, sir. Works every time. They're like, I'm an administrator? I'm like, yep. What can I do? Everything you want. That's what I'm talking about. There are no absolutes in security. I want you to go home with that, right? There are no absolutes. This is a constantly evolving space. But I do wanna leave you with a few notes. First is access control. Focus on your access control. How you access. Things like multi-factor authentication, two-factor authentication. These are really important concepts. It's why you see them being employed. Things like strong usernames and passwords. Very important. Software vulnerabilities.
I'm not gonna lie, they suck, and you're likely not gonna be able to handle them. So look for tech that's gonna help you with that. Really, I can barely keep up with it, and we focus on security 24-7. How are you gonna do it on a part-time basis? It's not a DIY project. Lastly, this is something you can easily do. Backups. I can't even tell you how many people we've seen compromised and have no backups. And they come in and they're like, hey, because you know what they love to do in the lulz, just a quick side note? They love to go in your environment like, oh, how much permission do I have? Right click, oh, I can delete? rm -rf? Shoot. That's what I'm talking about. rm -rf, gone. And they come in like, hey, can you fix this? Like, I'm sorry, we don't fix through osmosis. Right? Backups will save you. And the last thing is Search Console. This is a great tool. Google loves to tell you they're about to give you a bad day. They're like, hey, check this out, bro. In 48 hours, you're gonna get blacklisted. And they say it with a smile. And you're like, it doesn't sound very fun. But at least they tell you. But if you're not registered, you'll never know. And every other search engine does this. Yandex does this. Google Search does this. Bing does this. So subscribe, they're free. They'll crawl you, and they'll find the issue. They'll notify you. And so before I end, I wanna leave you with these six questions. Questions just to ask yourself to understand what your security posture is. What will your host do in the event of an incident? Did you realize that most of the hosts will shut you down? And then they'll notify you. They'll shut you down and say, hey, check this out, your site's dead. If they notify you. And then you freak out. Then you don't know what to do. And you're like, the hell with this? I hate this internet thing. Why do I have a website? Do you have a plan in the event of an incident? Just knowing who to call will be important. Who can you call?
Is it your developer? Really, is it? I can tell you, I talk to a lot of developers and they're like, they better not call me. Right? It's just the way it is. How do you protect against the knowns and unknowns? Do you have the resources for that? Maybe you do. I can tell you that even the largest of organizations don't have the resources for it. And how important is your online investment? So you have an online investment. Maybe you paid 100 bucks. Maybe that's the only 100 bucks you had. Maybe that meant everything for you. Maybe that can change your life. Does it? And so with that, I always leave with this note. Security is not a singular event or action. It begins with good posture, and good posture is attained through appropriate risk management. Risk is appropriately managed through a layered defense model, and the responsibility starts and stops with every one of you. Don't threaten me with five minutes. I got this. I got this. And then lastly, we've been doing a competition on Find Tony, and these fine ladies win. Susan Reed designed it, so come up and we have your gift later if you're in here. And then lastly, you know, Daniel and I thank you for all the support this community has always given us. And that's it. That's all I got. Questions? I promise I won't yell. No, not now. You don't have to come over right now. I'm not gonna give you guys hugs right now. We're in the middle of a conversation. Later, ladies, later. My goodness. Sit, sit, sit, sit. What questions can I help answer? Or maybe just make you more confused. I don't know. Don't be scared. Okay. Everybody wants to get up to Matt. I don't see any questions. So thank you guys very much, and I'll see you guys upstairs.