…is four, no, it's not 4:30. According to my Atlanta computer here, it's 4:30. But all right, let's dive in. So I can't really see how many people are in here, but anyway, I'm gonna assume there's lots of people in here, and that's awesome. So thank you for coming in. And I was just gonna dive in.

All right, topics. I'm gonna explain why this topic, and it'll make sense in a little bit. But why people hack? I'm gonna try to cover that to a certain extent. And then I'm gonna talk about some tools I use like Cloudflare, firewalls, and then things you can do with WordPress to secure your site.

A little about me: father of four, been married for 24-ish years, and have four kids from age nine to 19. Been in Atlanta almost my whole life. I lived in Grand Rapids for a little while and Birmingham for about a year, so it's changed since '97, '98. Real interesting. I run an agency called Clockwork. I used to run an agency called Sideways 8, sold that and started this one; been running Clockwork for about three years. And then I am an organizer for WordCamp Atlanta. Mike is in here too; he's another one of the organizers. But we do have a WordCamp Atlanta, hopefully gonna be in October. We pushed it back a little bit. We were shooting for spring, but it just wasn't gonna work out. But anyway, that's coming. Keep your eyes open for that. There is gonna be a venue. It's probably gonna be at KSU or Southern Polytech, what used to be Southern Polytech.

Self-promotion: I have this talk on YouTube. So if you guys wanna just leave and go watch it at home, you can. But anyway, check it out. I've got that and some other videos on there too. And like the talk I'm doing tomorrow, I actually have that one on YouTube also.

All right, disclaimer. I am a self-taught networking web guy, like probably many of you are. I'm sure that there's better ways to do this, and I'm probably not doing it the best way, but I'm doing something that tends to work.
So I'll just put that out there. I do use a lot of these tips. I host, I don't know, about 250 or 300 sites, some on WP Engine, but most... I've got about 30 servers on DigitalOcean. And so security's kind of important. If you're on something like WP Engine, they do the security for you and things like that. If you have your own servers, that's a totally different story and you're on your own. So there's a lot of things you need to do. If you do something like that, it's important to have some kind of plan. If you just set up a server and never do anything to secure it, you're probably gonna have a problem pretty soon.

Why this topic? I was looking for how other people do this, because I was kind of curious. And on YouTube, there are a ton of videos on, oh, you just go download Wordfence, install it, boom, and your site's secure. And to me, that's the last step that you should do. There's a lot of pieces that you can do up front before you start even dealing with WordPress. And that's what I'm gonna start off with here.

So why do people hack? They kind of don't. A lot of people will ask... We use, what's it called, Limit Login Attempts Reloaded, which is a good plugin that keeps track of how many people are logging in. And if they mess up three times, it'll lock it for like 60 minutes or so, and they can't log in for 60 minutes. And it slows down a hacker. Chances are, there's not someone sitting there typing admin, admin, one, two, three, enter, dang it, you know, and doing it over and over again. They write scripts. They write a script that grabs a list of 1,000 users and then a list of 1,000 passwords, and they will just automate it and just start hammering your server. So rarely is it a personal vendetta against that website. I mean, I'm sure that does happen, but the majority of it is just people poking holes like, did they secure this, did they secure that?
And they just run through, you know, their script. So why do they do it? Why not? I mean, I remember when I was a kid, my brother and I sneaked out of the house and rolled a house, thought it was awesome. We had fun, you know, really annoying for the owner of the house, but, you know, we had fun. And I kind of equate hacking to that: it's just something that people like to do, and you can claim, I took this site down. Really obnoxious, but that's how it is. And then there is some that's a little more dangerous, you know, where they're actually trying to get data and sell, you know, credit card information and stuff like that. But I mean, the majority of it is just these little bots that are running and hitting your site over and over and over again.

I have to start off and say the first thing and the most important thing for you to do, if you're gonna secure your site, is make sure you have a good backup. I once thought I had daily backups running, and then I realized that none of the zip files were... they were all corrupted. And so my backups were useless to me. So make sure you have a good backup. ManageWP has, basically for $0, one backup a month, which, if that's not enough, you know, really... but I mean, if all you have is that one backup and it cost you nothing to have that, that's a good thing to do. But if you wanna do daily backups, it's real cheap on ManageWP; it's $1.40, give or take. So to me, that's really cheap if you've spent so much time on it. So make sure you have a good backup. And if you don't wanna use that, there's a plugin called Duplicator that I use that can give you a backup real quick. It'll probably take less than five minutes. So that's important. And then most importantly, make sure that that zip uncompresses and you can take that site and get it up and running locally with your backup. So that's kind of like the disclaimer there. That's the most important thing.
All right, Cloudflare. How many of you guys, I don't know if I'm gonna be able to see, but how many of you guys use Cloudflare for DNS? Raise your hand if you use something else for DNS. A couple, all right. I'm gonna just walk you guys through some simple stuff that I do when I set up a site on Cloudflare. There's some bot-blocking tools that are really cool. There's some rules where you can block a specific country if you want to. You can also block your login path based on your country. So if you're always in the United States and no one ever needs to get into the admin side, you might as well set it up where no one outside of the US can get in. So I'm gonna just show you guys how to do that. And I don't know if it means anything, but lots of people are using it now. WP Engine is using it, Convesio, Kinsta I think is using it. It's becoming more and more common. And I promote it mainly because it doesn't cost you anything to use Cloudflare's DNS.

So let's dive in here. I'm logged in here on imlo.co, which is for sale, but I just need to have some kind of domain here. Basically, when you set up a site on Cloudflare, you always wanna make sure you have the proxy on here. And this is not the right IP address for that site, so if you're trying to go to it right now, it's not gonna work for you. But make sure that you are proxying. If you turn this off, you hit edit over here, hit edit and turn that off, you're no longer using Cloud... you are using Cloudflare for DNS, but you're not using it to secure anything, because it's just bypassing all of the filters and all that stuff that they have. So make sure you have the proxy on.

And then if you were trying to block, let's say, let's walk in, let's say we're getting a lot of traffic from, give me a country. Turkey, thank you. Get a lot of traffic from there.
So we would look at it: you'd go to analytics and you'd go over here to security and see, oh look, we're getting traffic from, let's just pretend, Turkey here. Obviously, United States only; I'm probably the only person that's ever gone to the site. But if we were getting a lot of traffic there, we would wanna stop that. And the firewall tools here are pretty impressive. So let's go to security. We go over here to the WAF, which stands for web application firewall, and we set up a rule. And why can't I hit add? Oh, there it is, I'm blind. All right, so I'm gonna call this secure, like, doesn't really matter if I spell it correctly. Let's say WP login. So this would only apply if only admins are gonna get to the site. If you have comments, where people are making comments all the time and they need to log in, don't block everyone. But the majority of the sites that I build are marketing sites where we don't have a blog with a lot of comments, and so I normally will set up this rule. So I'll do this rule: if the country does not equal, I'll get to Turkey in just a minute, United States, and the URL path contains wp-login.php. And then I can do a couple things here. The more dangerous thing to do here is to block it. That way it'll block them completely. But you could also use a JS challenge where it'll pop up and say, are you a human? So normally when I'm setting up rules, I'll test them first using the JavaScript thing. And if it's doing what I think it should do, I'll go back and block it if that's the appropriate action. In this case, I'm gonna block it, because nobody should be logging in to my website, because I don't have a blog where they can comment. So do that. Okay, and then you'll have this little blue dot here that will be there for probably 10 seconds or less. And then basically it's applying the rule there; once the dot disappears, your rule's there.
Another great rule: blocking a country. If you're getting tons, block these countries. I was getting a ton of traffic from Singapore, and there was this thing called PetalBot which was just hammering my server, where it was up to 100% CPU usage. I started off first trying to block the bot, but then I just wound up blocking the whole country because it was a mess. But I'll show you how to do both. So, real simple: country. If the country equals Turkey, then you just block it or do a JS challenge, whatever you wanna do. But this is absolutely free, so if you're not using it, highly recommend it.

And then let me show you the blocking based on if it's a bot. So you guys, web browsers have, what are they called? They're strings: your user agent. So every browser has a user agent. And so when you look at your logs, you'll see it was a Chrome, this version, WebKit, blah, blah, blah. Bots will also have a string, most of them will, saying what it is. And so if I were getting tons of traffic from PetalBot, which I was, you just go over here and say, block these bots, assuming I'm gonna find more. Because once you start looking at your logs, you'll start seeing things and you're like, that looks not good, that looks not good, and you just start blocking them. But you just look for user agent. Not equals, because there'll be versions of bots. But you wanna do, if it contains PetalBot, you can either give it the JS challenge, which is the safer one, or block them. To me, it's worth a ton. Because if you're hosted somewhere and your site's really slow and you're getting hammered, you don't have a tool to block this type of string, at least not that I'm aware of. And Cloudflare, to me, just does an incredible job. I'll see the CPU on the server just plummet once I start applying these rules. It's kind of addictive if you're geeky like me. On one of the sites I was getting, trying to think how many hits we were getting.
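The three rules built above (geo-fencing wp-login.php, blocking a whole country, and catching a crawler by a user-agent substring) are evaluated in order, and the speaker's habit is to run a new rule as a JS challenge first and promote it to block once it behaves. The following is an added example, not Cloudflare's rule engine and not code from the talk: a small stand-in for those three rules, run over constructed request records so the matching logic and the "challenge first, then block" workflow can be checked offline. The field names (country, path, user_agent), the rule fields and the sample traffic are all assumptions chosen to mirror the talk's wording.

```python
"""
Added example (not Cloudflare's engine, not code from the talk): a tiny
stand-in for the three WAF rules described above, exercised offline against
constructed traffic. Field names and rule fields are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                         # "block" or "js_challenge"
    country_is: Optional[str] = None    # match only this country (ISO code)
    country_not: Optional[str] = None   # match every country except this one
    path_contains: Optional[str] = None
    ua_contains: Optional[str] = None   # "contains", not "equals": bots ship many UA variants

    def matches(self, req: dict) -> bool:
        if self.country_is is not None and req["country"] != self.country_is:
            return False
        if self.country_not is not None and req["country"] == self.country_not:
            return False
        if self.path_contains is not None and self.path_contains not in req["path"]:
            return False
        if self.ua_contains is not None and \
                self.ua_contains.lower() not in req["user_agent"].lower():
            return False
        return True


# The three rules from the talk: geo-fence the login page, block a whole
# country, and challenge a named crawler by user-agent substring.
RULES = [
    Rule("secure-wp-login", "block", country_not="US", path_contains="wp-login.php"),
    Rule("block-turkey", "block", country_is="TR"),
    Rule("challenge-petalbot", "js_challenge", ua_contains="petalbot"),
]


def evaluate(req: dict, rules=RULES):
    """First matching rule wins, top to bottom; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "allow", None


def triage(requests, rules=RULES) -> dict:
    """Count what a rule set would do to a batch of requests before you enable it."""
    counts = {}
    for req in requests:
        action, _ = evaluate(req, rules)
        counts[action] = counts.get(action, 0) + 1
    return counts


def promote_to_block(rules, name):
    """The talk's workflow: run a rule as a JS challenge first, then switch it to block."""
    return [replace(r, action="block") if r.name == name else r for r in rules]


# Constructed sample traffic (not real log data).
SAMPLE = [
    {"country": "US", "path": "/wp-login.php", "user_agent": "Mozilla/5.0 Chrome/120"},
    {"country": "DE", "path": "/wp-login.php", "user_agent": "Mozilla/5.0 Firefox/121"},
    {"country": "TR", "path": "/", "user_agent": "Mozilla/5.0 Safari/17"},
    {"country": "SG", "path": "/about/", "user_agent": "Mozilla/5.0 (compatible; PetalBot; +petalbot-url)"},
    {"country": "US", "path": "/about/", "user_agent": "Mozilla/5.0 Chrome/120"},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req["country"], req["path"], "->", evaluate(req))
    print("as configured:", triage(SAMPLE))
    print("after promoting the bot rule:",
          triage(SAMPLE, promote_to_block(RULES, "challenge-petalbot")))
```

Two design notes. Rule order matters, just as it does in the real WAF: a US visitor hitting wp-login.php is allowed because the geo-fence rule excludes the US and nothing else matches, while a non-US visitor to the same path is blocked before any later rule is consulted. The user-agent match is deliberately case-insensitive here (an assumption of this example; Cloudflare's `contains` on its own is case-sensitive) so that variant spellings of a crawler name do not slip through.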
But it was over a million hits, and just watching that every time I applied a new rule, it just dropped down a little more, a little more, a little more. It was kind of cool. So anyway, Cloudflare is awesome. Start there. If you're not on it, highly recommend it.

All right, and an actual firewall is also important. I know if you have shared hosting, if you're on WP Engine, if you're on something that maintains the server for you, you shouldn't have to worry about it. In theory, they would have things blocked. I have my things on DigitalOcean. I spin up servers there using SpinupWP. And Cloudflare gives us a couple, not Cloudflare, DigitalOcean gives me a firewall. And I just set up a rule that says block everything except for which two ports? Somebody, yeah, yeah. The web traffic, because I don't host mail on my server, so I don't have to keep port, whatever, I don't even know what they are. Now, 25, 110, what, there's lots of mail ports. All of those can be blocked if you have your own server. Obviously, if you're hosted at Bluehost or something like that, they're gonna have mail on that server and you don't have the rules to do that. But if you are hosting on something like, does Cloudways give you a firewall? Does anybody know? Any Cloudways people here? We'll never know. So, all right. Anyway, I think something like Cloudways, I don't think they give you a firewall, they may or may not, but it's important to just block the ones you don't need. So, to me, Cloudflare is first, then your firewall, and then we get into lots of things that I'm going to kind of rapid-fire hit you with here.

So, first, always get an SSL certificate. They're cheap or free at this point with Let's Encrypt. And they're a lot easier to install now.
I mean, normally it used to be kind of tedious to get an SSL certificate, but with a lot of services now, you can either pay for it or there's a plugin that does SSL and it'll talk to Let's Encrypt and install the SSL certificate, totally free. So I recommend that.

Secondly, PHP. How many of you guys look at this regularly? Got some geeks over here. So, yeah, if you guys aren't watching this and keeping up with this, this is gonna be a problem. I talked to an agency owner this week, actually, and I said, what are your plans to move to version eight? And he said, I have no plans. And I'm like, oh, okay, let's talk about that. PHP is, I mean, I wouldn't say it's moving fast or anything, but there's always new versions, and we're already at the point where version eight is in kind of maintenance mode. They're not adding features or anything to it. It's just getting security patches, basically. So, I mean, version eight is old, or it's getting old. I wouldn't recommend going to 8.1 yet. I don't think plugins are fully compatible with 8.1 yet, but you should be targeting eight at this point. That is gonna be a major security problem if you guys... and I'm guilty. I've got plenty of sites where I've gotta fix the theme because they bought a theme on ThemeForest, the person doesn't maintain it, and I've gotta figure out how to do that. It's either move the site to a different theme or something like that. But that's really important, that you guys keep PHP up to date.

I don't really use security plugins in the aspect of, like, I don't have Wordfence on my servers. If I do see activity I don't like, or it looks like I'm getting hacked based on what I see on Cloudflare and the logs, I might install Wordfence. But if you're on shared hosting, I think it's almost a no-brainer: throw Wordfence on there. Or there's iThemes, which I've never used. I know a lot of people like the iThemes Security plugin.
Wordfence, to me, does a good job, but it does... maybe I'm crazy, which I've been called before, but Wordfence tends to suck up a little more CPU usage than not having it. So I could be wrong, but I saw about a 10 to 15% slowdown on processing. I can't prove that that's a true statement, but that's what it felt like. So I don't install Wordfence unless I get a lot of activity. But one thing I do like about Wordfence is they took one part of Wordfence and wrapped it into one plugin, and it's the two-factor authentication plugin. If you guys aren't using two-factor authentication, you really should. I know it's a pain in the butt, and I'm getting to the point where I have, what's it called, Authenticator or whatever, where I have this massive list that I have to scroll through to find the six-digit code, and it's only gonna get worse and worse as time progresses. But two-factor authentication is super important, and again, free. It doesn't cost you anything to install that plugin, and it will stop a hacker: if they get the username and password, they also will need that code. So, good plugin.

I also use Limit Login Attempts Reloaded. I don't know what happened to the original Limit Login Attempts, but the Reloaded one's the newer version. And there are a couple of things that I do in there. By default, it sets something that is, I think you get three tries and then you get locked out for 20 minutes. I go in there and I set it for like a day, because chances are if it's someone trying to get into my site, they're a client of mine; they have my phone number, they have my email, things like that. If they failed three times, it's probably not them trying to get in, and I'm a phone call away, or they can send a support ticket and we'll go in and let them out.
But I set it to something a little more extreme, and if they do that, they come back 24 hours later or two days later and they try it again, I'll set it where it's 40 days or something obscene like that. But it's really cool, because it'll log the IP address. So if you're always getting hit from the same IP address, you could do something at the Cloudflare level to block that IP address or that subnet or whatever.

I probably don't need to even talk about keeping your plugins up to date to this group of people. If you're here, you probably know the importance of that. But I have not seen, I'm trying to think, I think I've only had, I don't wanna say it because I'm gonna get jinxed. Anyway, I haven't had many attempts to hack, but I did get one hacked on my servers, and it was just through a plugin update. There's services out there that will run them. I mean, WP Engine does it, GoWP does it, or you can enable auto-update, which scares me a little bit if it's a plugin that I'm not that familiar with. But if it's something like Gravity Forms... because normally when something gets hacked, they will... where's my water? Sorry, getting very thirsty. All right, sorry about that. What was I talking about? Plugins, keeping them up to date. Gravity Forms, thank you. So a lot of times when people get hacked, they get hacked by submissions of data. So I always keep Gravity Forms up to date, and plugins that I'm real familiar with. I've been using Gravity Forms for 12 years or so and it's never broken anything, so I have no problem telling that one to auto-update, and that's true with Yoast or something like that. Some of the obscure ones, I won't do auto-update on them. I'll do those manually. But it's a good thing to do.

Another thing where I see a lot of unwanted traffic is things trying to hit XML-RPC. How many of you guys use XML-RPC? I've yet to see anybody ever use XML... oh wait, one person? I want to talk to you later. What do you use it for?
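The lockout policy described in the last two paragraphs (three failures, then a one-day lockout, and something like 40 days for an IP that comes back and does it again, with the offending IPs logged so they can be blocked at Cloudflare) is simple enough to model directly. What follows is an added example, not the Limit Login Attempts Reloaded plugin's code: a per-IP limiter with an escalating lockout schedule and an injectable clock, plus a constructed users-times-passwords loop like the scripted attack the speaker describes, to show how few guesses such a script actually gets to test. The thresholds and durations mirror the talk; the class, its method names and the sample IPs are assumptions.

```python
"""
Added example (not the Limit Login Attempts Reloaded plugin's code): a
per-IP login limiter with the escalating lockouts described in the talk.
Time is passed in explicitly so the schedule can be tested without waiting.
"""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR
MAX_FAILURES = 3                     # failed attempts allowed before a lockout
LOCKOUT_SCHEDULE = [DAY, 40 * DAY]   # first lockout one day; repeat offenders 40 days


@dataclass
class IpState:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # how many times this IP has been locked out
    locked_until: float = 0.0  # epoch seconds; 0 means never locked


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, schedule=LOCKOUT_SCHEDULE):
        self.max_failures = max_failures
        self.schedule = schedule
        self.state = {}

    def _get(self, ip: str) -> IpState:
        return self.state.setdefault(ip, IpState())

    def is_locked(self, ip: str, now: float) -> bool:
        return self._get(ip).locked_until > now

    def attempt(self, ip: str, now: float, password_ok: bool) -> str:
        """One login attempt from `ip` at time `now`.
        Returns "locked" (rejected without checking the password at all),
        "ok", or "failed" (checked and wrong; may have just triggered a lockout)."""
        st = self._get(ip)
        if st.locked_until > now:
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            # Escalate: each further lockout uses the next duration in the schedule.
            idx = min(st.lockouts, len(self.schedule) - 1)
            st.locked_until = now + self.schedule[idx]
            st.lockouts += 1
            st.failures = 0
        return "failed"

    def repeat_offenders(self, min_lockouts: int = 2):
        """IPs locked out repeatedly: the ones worth blocking upstream, e.g. at Cloudflare."""
        return sorted(ip for ip, st in self.state.items() if st.lockouts >= min_lockouts)


def simulate_script(limiter, ip, usernames, passwords, start=0.0, step=1.0) -> int:
    """Constructed brute-force loop like the one the talk describes (every user x every
    password, one guess per second). Returns how many guesses were actually checked."""
    checked, t = 0, start
    for _user in usernames:
        for _pw in passwords:
            if limiter.attempt(ip, t, password_ok=False) != "locked":
                checked += 1
            t += step
    return checked


if __name__ == "__main__":
    guesses = simulate_script(LoginLimiter(), "198.51.100.9",
                              [f"user{i}" for i in range(100)],
                              [f"pw{i}" for i in range(100)])
    print(f"10,000 scripted guesses, {guesses} actually checked")
```

Note that a correct password is still rejected while the IP is locked, which is exactly the behaviour the speaker relies on (a locked-out client phones in rather than retrying), and that the lockout counter is never reset by a later success, so an IP that earns a second lockout gets the 40-day duration regardless of what happened in between.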
Well, anyway, I always... okay, so there's a couple different things. What do you use it for? Is it, do you log in through the mobile phone? Okay, okay, yeah, I mean, that's a good use for it. Don't delete it off of the site like I'm about to tell you. That's funny, I've never seen anybody actually use XML-RPC. And I'll look at Apache logs or nginx logs, web server logs, and I'll see they're just trying to hit XML-RPC, and probably they're trying to authenticate, and that's a way for them to submit username and password in rapid succession. And so either there's a plugin called Disable XML-RPC, which... I don't like to just add plugins when I can just remove the file, and when you update WordPress it won't install the XML-RPC. But that's a file that's in the root, and you shouldn't have that file on there unless you're that guy. So it's just not used that often. Be careful, though, before you delete it; make sure you understand what you're doing there. But maybe start with the Disable XML-RPC plugin, and then if you don't get any complaints from anybody, then you can remove the XML-RPC file.

Next, how many of you guys audit your users on a regular basis?
Micah does, of course. Of course Micah does; he probably has a script to do it. Now, audit your users, because a lot of times websites... I inherit websites all the time. A client says, my web guy left, can you help? And I'll look at it and I'll say, why do you have 25 admins? And walk them through keeping that clean. And there's nothing wrong with editing a user and changing them from administrator to a subscriber. All they're gonna do is lose the privileges, and they'll reach out to you and say, hey, I can't edit anything, and you'll realize, okay, well, that user is still in use, I'll switch him back to admin. So always audit your users. And also, I don't know if I would say I recommend forcing people to change passwords, but if you've had a breach and you know your site was hacked, you always wanna reset all of the passwords. So that's an important thing to do.

Audit your plugins and themes. I'll say it: I don't like ThemeForest. I don't like anything that you buy there, and I apologize if I have those developers in here, but it tends to be most of the plugins just aren't updated and they're not maintained. Maybe you get a good run for a couple years, but they kind of disappear. Make sure that you're keeping them up to date and that they're good plugins.

Avoid dumb plugins. I don't know why I have that in there, but you should know which plugins to use and not to use. I did this originally for my YouTube channel, and I was kind of doing it more for people that aren't gonna be going to a WordCamp. But anyway, just try to use plugins... if there's only 10 active installs, chances are there's probably a plugin that does the exact same thing but has a lot more users. So just be smart.

And then this one doesn't really matter: disable comments if possible. Akismet is cool, like the fact that you can pay for Akismet and it'll keep the comments clean. Think about it, though: do you really need comments if you're just doing a marketing site? I mean, I
run an agency and we build websites for clients, and none of them ever wants people to have comments on the site. And so I can disable that. There's a great plugin called Disable... I think it's just called Disable Comments, and you can tell it to disable it on posts and pages, but it'll also do it via XML-RPC and REST API. So you can stop them, because I'll have comments disabled completely on the site and somehow some bot submits data. That, to me, screams the Disable Comments plugin needs to be installed on that one.

And then lastly, I like to use ManageWP or some kind of service like that for my backups and for notifications. So if a site goes down, I set it up where I get notifications when sites are down. That's not really a security thing; it just comes in handy.

And I flew through that stuff. I'm always worried when I do this if I'm gonna have enough time. Like, this was a 45-minute talk on YouTube and now I just flew through that, so we'll have lots of time for Q&A. But lastly, it's a never-ending battle. So make sure that if you set something up in Cloudflare, go back later and make sure that you still need to block these people, or look at your logs and make sure that there... there might be new traffic that you're not aware of. So it's important. And then that's it. So I flew through it, but do we have... I think, William, you've got... awesome. Maybe questions. Does anybody have any questions? And does anybody completely disagree with me? Because that'll be a... no, just kidding, I can't help myself.

Audience: How about the CleanTalk plugin? I use that on every site.

Speaker: Oh, CleanTalk. Oh, for comments, spam comments, just blocking random... Is it free?

Audience: I think there might be a certain number of sites free and then it's paid, but I know Melanie uses CleanTalk. It's pretty effective.

Speaker: Okay, CleanTalk, it's another option. Okay, cool. All right, next.

Audience: I just wanted to double-check: when you're talking about using Cloudflare for DNS, would that be a complete replacement for hosting DNS records on something like Namecheap?
Speaker: Absolutely, yeah, yep. And honestly, migrating from wherever, like Namecheap, to Cloudflare sounds like a daunting task, but if you can export your records, which I know GoDaddy can and probably most of them can, you can export them and you can upload it directly into Cloudflare. So you should be able to get a carbon copy. Man, I'm old if I actually use that; you guys know what a carbon copy is. You'll get an exact copy of the records. So it sounds daunting, moving DNS, but it's a five-minute thing. And if you can't do that, Cloudflare will also try to detect the records too, and it does a decent job. It doesn't grab every record, so if you go down that path and you can't upload the file, let Cloudflare do that and then just compare with two screens and make sure they all match up perfectly.

Audience: So if you use WP Engine, how much of the stuff is done for you if you're using WP Engine already?

Speaker: So, a lot. Like firewalls and stuff, WP Engine is going to cover it. They're also going to block ports. They use Cloudflare. I haven't pushed all of my clients over to it yet, but they have, I forget what they call it, but it's some kind of advanced network. Basically, they should just call it Cloudflare. They did that probably in the past year or so; they switched over to Cloudflare, and so they do a lot of that stuff. I like having access to block that stuff, so I mean, I like DigitalOcean and stuff. But WP Engine does a good job, and you're probably safe on that stuff if you've done the advanced stuff, because they're gonna block stuff, because they're using Cloudflare to do it. So, man, sorry about that. Go ahead.

Audience: I have a comment and a question. First of all, I completely agree, ManageWP is amazing. We actually utilize that. We have so many different websites that we do that it's so nice to use the ManageWP Worker to actually just be able to log in to ManageWP and
access all the websites there. And that's what I use a lot to go in and update my plugins on a weekly basis. I'll just go through on their overview page and just update the plugins, which is amazing. But the question I had was this: sometimes we'll find where we've done a website and we just forgot to mark disable comments when we first started the website, so then we start seeing all these spam comments coming in on these really old photos. Do you or anyone know of a plugin... does the Disable Comments plugin work where we can actually retroactively go back and say, hey, disable all the comments on the old photos or whatnot?

Speaker: I mean, Disable Comments will completely delete all the comments and get rid of it. I'm not sure about... are you just trying to retroactively...

Audience: Like, instead of having to go to the media library and go to each individual photo and say disable comments, if there's a plugin that will allow us to actually go back and retroactively do that if we just forgot to disable.

Speaker: I'm not sure. I mean, I would probably use Akismet for that. Get a license for that and then just push the button and let it process all of them. I mean, it's going to find which ones are flagged as spam and which ones aren't. And Akismet, I mean, great service, and it's pretty cheap. I just don't need it. But Akismet, I think, is probably the tool I would use to do that.

Audience: I was just going to comment to that, that when we've had to do that, it just gives you the option to reassign comments, past ones. So if, like, you need a blanket option, you don't have to go through each post. It gives you the option to just move them over, essentially. So I don't know if that made sense.

Speaker: Keep them coming, keep them coming. I get some good exercise here. I'm going to keep myself slim and tender for Aida.

Audience: Hi. I'm an absolute infant and a baby when it
comes to doing anything developer or back-end WordPress.

Speaker: I'm sorry that I talked, or spoke, because it was probably a lot of information.

Audience: I'm a graphic designer who has found herself in a position where I'm kind of in charge of things, and it's daunting. So I have a project that I'm working on and they want to use WooCommerce. How would setting up firewalls and managing things like that work when they potentially will have customers who need an account, and how do you prevent things like that? That's hence the problem.

Speaker: Sorry, my ear fell off. Dangerous. All right, so if you have WooCommerce, chances are you're not going to be able to block any of the comments and things like that, because I would assume... I mean, I guess you could. I don't know if I could answer that question, because I'd have to look at the site, and there's not a lot... because you have to keep things open, you know, for transactions. But I mean, you're gonna have the normal ports blocked, and as long as you have... I mean, you can get real picky: are all the customers in the United States? You can put a JavaScript challenge on anything that's outside of... but it's dangerous. That's where, to me, just my experience is mostly marketing sites, where I don't use WordPress as a blogging tool, and I don't do a lot of e-commerce. So I'm sure there's someone here that specializes in Woo, though. I mean, there's Bob. I'm looking at Bob Dunn. I'm sure he could answer that question. I just don't feel qualified, because I just don't do a lot of Woo.

Audience: I have a second question.

Speaker: Can't... I'm just gonna... okay, go ahead.

Audience: What is a DNS?

Speaker: So DNS is Domain Name System, and basically it's... I'm gonna date myself here, but you know what a phone book is?

Audience: Yes.

Speaker: It's basically a phone book but backwards. So anytime you go to... if you try to go to Fox News or CNN or wherever, anytime you
type in CNN.com and hit enter, your computer goes and talks to a domain name server, and it says, hey, I'm trying to get to CNN.com, what server is that on? And it gives you the IP address, because we can't remember IP addresses. It's a lot easier to type in CNN as opposed to 192.168.37, you know. So it's just a way to translate human words, or I guess vice versa, IP addresses to words. So it's just a mapping system.

Audience: Thank you.

Speaker: So that was a good question, because I didn't know what that meant for a long time. Any other questions? I think we're good. Okay, all right, well, thank you very much, everybody.