 So I'm Aaron Campbell. I'm going to be talking about how to secure your site. I'm a bit of an information addict. Like, I love to know things and learn new things. So the internet's kind of an amazing place for me, right? I can go there and I feel like I can learn practically anything. And I really love that. On a seemingly unrelated note, I also really enjoy fire and explosions in a safe kind of controlled way. But they fascinate me. I very much enjoy them, which is probably why I'm like the perfect viewer for The Mythbusters show, which I absolutely love. Who else loves The Mythbusters show? Yes, like every time I get to learn something new or confirm something that I knew. And I really enjoy it. I get to see fire and explosions while I do. And over the last few years, I've focused pretty heavily on kind of the internet security arena. And as I did, one of the things that really stood out to me is that one of our biggest struggles in that space isn't like the most complex hacks or even these really big things that we're seeing in the news that are happening. A lot of it comes down to people need to have a better understanding of how to keep themselves secure online, how to keep their own websites secure. We all, all of us, have a decent bit of learning to do around that. But my first thought was, that should be easy, right? We have the internet. We can all just go learn that if we want to until I tried to just go and type in how to secure my site or how to secure my WordPress site into Google. And I just got this massive flood of information, plenty of information to learn from, but also ignoring my kind of background in security and trying to just look at it and say, how do I know what of this information is actually useful and important and what isn't? This piece of information seems like it knows what it's talking about. And then that piece also seems like it does and contradicts the first one. 
How do we get that base knowledge so that we can better understand security? And I immediately thought what we need is like security myth busters. We need to look at all these pieces of information, take these assumptions that we all have based on these things that we read, and see if we can figure out what we can confirm and what we can bust as myths to help us better secure our websites and to help us focus in on the things that are actually useful. So that's what I want to do today is look at some of the most common things that I hear and talk about whether they are actually useful or not and why. The first thing is that security is a little scary. It's big and it's complex, but it's also so important. We understand that we need to know more about it, but it's confusing. And so we try to take it slow and easy and we're investigating it. But then at some point, we do one of those Google searches that I'm talking about. We go and we type something in and we think that we're getting close to figuring it out. But in reality, we get this massive dump of information and it just freaks us out. It seems like it's too much. We're like, wait, maybe I can handle this, maybe I can. No, I can't handle this. This is just too much. Security is scary. But luckily, this is one that I get to bust. This is not true. Security doesn't have to be scary. This is Aragon. This was a family pet for many years. It was my son's lizard. She is a bearded dragon just like those two lizards that were picking on that poor little kitten in the previous video. But she's not scary, contrary to what that kitten thought. But people that came to visit us often thought she was. And my son really didn't understand that. He didn't get it at all. And I would try to explain to him that those people were getting a different experience meeting her at this size at 18 plus inches long is kind of a giant lizard, if you will. 
Then we had, because we started with Aragon, we got to know her when she was only maybe two and a half or three inches long and would sit in the palm of our hands. And she certainly wasn't scary then. And as she grew, and we got to know her, she ate insects when she was very young. But eventually, they become vegetarian. They eat fruits and vegetables. And so that cat was not on the menu, even though it may have worried that it was. And even those big spikes that you can maybe see that look all terrifying and scary coming out the back of her head and protecting her neck, they look terrifying, but they're actually soft. And she loved it when you would pet her right there. She would close her eyes and turn her head like, yes, pet me there more. But it wasn't scary because we had kind of grown with it. We had had this base understanding of her as a lizard and what she was, and then grew with it. And I think we can do the same thing to sort of curb the scary parts of security. We can get some base knowledge and understanding. We can focus on the easy, actionable things that we can do that can make a big difference on our sites. And we can use that as a foundation to help us then eventually learn more, but with a base understanding that prevents that from being scary. It lets us better understand things as we move forward. So that's the main focus here is as we bust some of these myths and confirm some of these truths, we can build that base knowledge so that hopefully everyone here will have a less scary journey as they learn more about security in the future. So one of the big assumptions, one of the things that I hear all the time about how to keep your website safe, is saying that you need to update. We all see this all the time. You need to update, and in the WordPress space, they're talking about updating WordPress and plugins and themes, and that you can't be secure if you're not constantly updating and staying up to date with your software. Is that true? 
Does that really help improve the security of your site? This is participatory, people. Like someone's got to. Yes, it is absolutely true. This one is confirmed. Updating your software is extremely important. Every time that a vulnerability is found, and people like our WordPress security team put time and effort into fixing it and pushing out a release, we want you to be using that. We're trying to help secure you. Plug-in authors, theme authors, a lot of times they're pushing out new versions because they're trying to responsibly fix problems, but they can't help you if you don't update. But it goes even a little further than WordPress and plugins and themes. If you're running your own server, a VPS or something, and you're not relying on your host to do it, then you also need to update whatever software is running that server. The web server, Apache or Nginx, and your PHP, and your database version. And you should also be updating the software on your computer that you use to access your site, your operating system, and whatever software you use, because those are patching security issues as well. And anywhere along the line is a potential place for out-of-date software to be compromised and ultimately result in a compromised site. So yes, absolutely update all the things. It will help keep you more secure. As a general rule of thumb in pretty much every software project ever, the most recent version is the most secure version. This is another one that I hear a lot. To varying degrees, this is maybe a bit extreme, but the idea here is that not all websites are targets. If you don't do e-commerce, if you don't have personal information, if your site isn't especially popular, then maybe it's not a target. And so you don't need to worry about securing it because no one's going to try to hack into my blog on pottery, right? Is this true? Are there sites like this? Is your site maybe small enough and simple enough that it's not being targeted? 
No, it is absolutely being targeted. And this comes, I think, this assumption comes a lot from movies and TV shows where we get to see hackers that pick a target and they sit at their computer and "I'm through a firewall," right? That's not how most attacks against websites happen. It's great for TV and movies, but in the real world, most of what happens is those bad actors are writing scripts, bots that crawl the internet and look for vulnerabilities and just try to break into every site. They are programmed with known vulnerabilities for out-of-date software especially, which is why updating is so important. They're programmed with sets of user names and passwords that have been gotten from these breaches with the most common passwords that you can see that actually hundreds of thousands of people use. And the only thing it takes for your website to be a target of one of these bots is for it to be on the internet. That's it. If your website is on the internet, hint: it is. It is absolutely a target. And if it's been on the internet for more than about 24 or 48 hours, you've probably already been through your first attack. Most of them are unsuccessful and that's okay. The good thing, I don't want to scare everyone by saying, hey, your site is constantly under attack. The good thing is because we're mostly facing these automated bots that have been programmed and that there's some sort of delay between them being created and them getting to your site, that's, if we can defeat those bots, if we can win against these pieces of software, then we can stop like 99.9% of potential attacks. Like that's huge. So this is actually kind of good news for us in the long run. Another assumption that I hear all the time is that locking down the files of your site will improve the security of your site. And what this means is like going in and changing the permissions on the files to make them not writable. 
The idea, you would usually have to do this through like FTP or your hosting dashboard. The idea being that if someone kind of breaks a little bit into your site and is trying to add some sort of backdoor to a WordPress file, they wouldn't be able to, because they can't write to that file. So they wouldn't be able to leave that nefarious code behind. Does locking down the file permissions increase the security of your site? A little bit of mixed response there, but a decent number of no's actually, and this one is busted, but there's actually a lot of reasoning behind this. I'd like to explain this one a little bit. First of all, I think that locking down your files is a little bit like putting the security in the wrong place. We like having layers of security, but to me, this is a little bit like putting a security door between your living room and your kitchen, saying, hey, if someone breaks into my living room, they won't be able to get in the kitchen and get the china or whatever it is, and I would rather just not let them in the house at all. That's where I want to draw the line. I want to put my last line of defense at not getting into my site period. But locking down your files can actually have a very adverse effect as well. I talked a little bit about updating, and we have this amazing thing in WordPress called automatic updates, meaning that when the security team for WordPress fixes some sort of vulnerability, when we patch it and when we push out a new security release, your site will automatically update and close that vulnerability. We can push out a release that patches a vulnerability and protect tens of millions of sites in a single day without any one of you having to interact with your site in any way. We just do it for you. But if you lock down your files so that WordPress can't write to them, then we can't update your site, which means that you have to do that yourself. 
And honestly, you are far more at risk of something bad happening to your site, of your site being compromised because you didn't update fast enough than say automatic updates breaking your site, which is the thing that I hear people worry about sometimes. Our failure rate on automatic updates is 0.001%. You are way less likely to have a problem with that, and even some of those are able to roll back and at least not break your site. And so you are way less likely to have a problem with automatic updates than with having your site compromised because you didn't update fast enough, and one of those scripts was able to get to your site before you were. There we go. What about changing your username? This one I hear a lot. In WordPress, it always sounds like don't use the username admin. That's a thing that you should avoid. But as you spread out to the rest of the internet and all these other services, it's more about don't use an obvious username. Don't use something that people can guess or know because if you do and hackers can know your username, they're halfway to breaking into your account because it's just your username and password that protect you. They're halfway there if they know your username. You don't want them to have that. Does avoiding using admin or some common username keep your site more secure? It does not. It does not keep your site more secure. There is a little bit of historical context to this, to why this advice tends to be so prevalent. In the earlier days of WordPress, every WordPress install had an admin user automatically added with the username admin and it just asked you for the password to put on that account. And so the very early bots and scripts that crawled the internet to try to break into WordPress sites tended to have that hard-coded in. That's just not the case anymore. They're more sophisticated. They've gotten better and so they can just discover what your username is. That's pretty normal. But that's not really scary. 
My username on every one of my WordPress sites is Aaron Campbell, no space. My username on Twitter is also Aaron Campbell and it's up on my slide, right? Every time I tweet you know that. My email address is Aaron at erendecampbell.com and that's my Gmail username for that account. And none of those are private. I don't keep any of those secret but that's because those aren't actually part of security. Your username is more like public information. It's making a claim that you are this person but then your site is asking for proof and that proof is the password. It's not that much different from if I walk into my bank and I say I'm Aaron Campbell, I want money from my account and they say prove it and I say, oh, here's my ID, right? The password is the ID, the password is the proof. And focusing too heavily on trying to keep your username private, I feel like distracts people from actually concentrating on having really truly good passwords which is where your security really comes from. What about changing the database prefix, who has heard that this will keep your website more secure? Who has no idea what this is? If you look in your WordPress database, you probably see a list of tables and if you have made no changes, they probably all start with WP underscore. WP underscore posts, WP underscore comments, WP underscore users. And you can change that. It's a setting in the WP config file. You can set that to essentially anything that you want. And the idea is that if someone's trying to break into your site, if they're trying to send queries to your database to try to get maybe a list of users or anything else, you don't want them to know the table names that they need to use to pull that data. And so you can change it to something less known and it will protect your site. Does this protect your site? Does this make your site more secure? No, it does not. 
This is one of those things where this doesn't hurt the security of your site, changing the prefix in the database. But again, scripts have just gotten a lot more intelligent over the years. They don't need to have pre-programmed in table names. They can discover them. But even though this won't hurt the security of your site, if you wanna change that, that's fine. Like there's other reasons to change it. Maybe you're running multiple WordPress sites in the same database or maybe you just like naming things pretty, that's fine too. But I wanna focus on trying to bust these things that don't actually improve security because I feel like most of us do some set number of things to try to secure our site. And we may not have purposely set that number but subconsciously there's a number somewhere. Some of us will do two or three things to try to keep our site secure. Some of us may do six or eight or eight or 10 but at some point you subconsciously feel like I have put in the effort, I have done the things, I hope that I'm secure now and you kind of stop. And so I don't want any of those things to be something that you only think is making you more secure but it's not actually having any kind of effect. And so this is one of those things that if you wanna change it, fine but don't think that it's for securing your site. This one is busted as a security measure. What about hiding the admin interface or hiding the login page? WordPress powers over a third of the internet now. So roughly one in every three sites that some bad actor goes to on the internet is a WordPress site. And with basically all of those if you add slash wp-admin to the end it will redirect you to a login page or you could go straight there by putting slash wp-login.php. And we don't necessarily want bad actors to be trying to log into our site so maybe we don't want them to see that. And moving that to some place that a third of the internet isn't using would that make our site more secure? 
No, it will not. This is kind of funny, I like to try to put this in the context of like real world security like securing your house, right? You want your house to be secure to be a place that thieves can't get into but this would be like having a walkway up to your house and like a porch and no front door. But a thief knows that you get in and out of your house somehow, right? They'll just walk around and look for your door. This is not especially difficult and with modern day scripts that are trying to break into sites it's not that difficult for them either. They will find the login page but just like a real world thief trying to break into a house might also try a window or a back door. Scripts will do that too. They might try to log in through the XML-RPC interface, which is another, more programmatic way of logging in to WordPress, or the JSON API, another way of trying to log in to WordPress. And so trying to hide this from them is not very useful at all. Instead, focus on making sure that when they do try to when they do find it, when they do try to break in they just don't succeed. And we'll talk a little bit more about how to do that in these next couple or a few things. What about SSL? This one has gained a lot of popularity over the last couple years and in the amount of time that it's talked about on the internet because, well first of all prices dropped dramatically on SSL certificates. That's obviously a good reason for recommending them to people but also we've had some things like Google coming in and saying that this is a thing that they consider for search engine rankings and stuff like that but like search engine rankings are not the same as security. So the question is, does having an SSL certificate on your website keep your website more secure? It absolutely does. This one is 100% confirmed and I look forward to the day when every single website has an SSL certificate on it. I really think that that's where we need to be. 
Yes, e-commerce stores and things like that have needed them for a very long time but now if I was doing that pottery blog that I had talked about, it should have an SSL certificate too. And the reason that this is so useful is because when you try to access your site whether you're logging in or if you're just a regular visitor accessing your site the traffic actually goes through a lot of places before it eventually gets to your site. It goes through your home router or maybe the coffee house wifi if that's what you're connected to and then through a bunch of other routers as it makes its way to its final destination and any of those places that it goes like all of those are potential targets for a bad actor. And hopefully those are secure but if someone gets into one of them the reason that they want to get into those is to look at the traffic that's going through. And if they look at your traffic coming through and they see your website name and your username and password, that is gold. They love that. That's exactly what they're looking for. But with SSL that traffic is encrypted from the time it leaves your computer to the time that it gets to the endpoint, to the web server. And so even if they are able to break into one of these places that's totally not under your control the data that they're seeing essentially is not useful to them. They would then have to break some sort of encryption and the modern encryption for SSL certificates is quite good. That would take an awful lot of effort and time and is just highly unlikely. So this keeps you much more secure. And this brings me to the last of the things that I specifically want to talk about but I want to dig into it a little bit. What about passwords? Are passwords important? Of course they are. We don't even need to talk about that one except that they're so important that I think we need to dig in a little bit on what actually makes a good password. 
Like we all know, everyone here knows that you need to have a good password. But what does that mean? What is a good password? Because you get lots of different advice from lots of different people. So I want to look at some of the things that people say make good passwords and see if they really do. Long, right? A lot of people talk about how your password needs to be longer. It used to be six or eight characters. And people are saying, oh no, it needs to be more than 10, more than 12. Do longer passwords make better passwords? Is the thing in the house? Yes. Is the thing in the house? Longer passwords make better passwords if everything else is essentially the same. There are some caveats to that, yes. But all other things being considered equal, longer is better. Passwords are generally measured in what we call, in entropy, which is essentially the number of guesses that it would take to break your password. That's what you can think of it as. And if everything else is basically the same, then a longer password means more guesses. More guesses is good. Like, that's what we want. We want them to have to work really hard to figure out what our password is. What about substitutions? We see this one a lot, right? Someone's password is like their dog's name, but the one is an exclamation point, or the I is an exclamation point, or a one, or a pipe sign, or something like that where they've replaced letters with symbols. Does this make your password better? This one's tough, but I'm going to say busted. And here's why. First of all, there really are only a handful of letters that look like some other symbol. And for each of those, there's only a handful of symbols that look like those. And in most of the modern password cracking tools that I have seen and audited and such, they take this into account. When they're trying a word, they try the word, and then they replace the letters with these symbols, and they try the iterations. 
And it really doesn't add that many more guess attempts to breaking a password with substitutions. But what it does do is make your password much harder to remember. And because of that, people that use this method tend to have shorter passwords with those substitutions in them. And losing the length, oftentimes you lose more entropy because you have lost some of the characters than you gained by adding in these substitutions. So in theory, if you could do this and keep nice, long passwords and not have it causing you to make shorter passwords, then maybe. But that just doesn't seem to hold true with most people. And so I cannot recommend this one. What about passphrases? This is my dog, King Air, by the way. She is a rescue, and she is very needy at times. And I was on a video call when I took this picture of her. And she sat there the entire time with her head right up next to the armrest of my chair, just staring at me. Like, you should be paying attention to me, not that screen. And the idea of passphrases is that we take something memorable like this, a moment that we will remember, or a thing that we will remember. And we turn it into a password. My dog's name is King Air, so it might be King Air watches me on calls. This is 27 characters. Much better than just making my password King Air, right? So it's nice and long. Do passwords made from passphrases, like is that a good password? Yeah, it's a lot of entropy. It has special characters in it, it doesn't have spaces. And it's super easy for you to remember. This one is extremely plausible, but I think not the actual winner of how to have the best password. Longer is better, 100% right. Spaces are good. Don't take those out if you're doing passwords this way. But there are even better ways. Let's look at the three things that it really takes to have a great password. Great passwords are long. We touched on that. They're random. Randomly generated passwords are better. 
And they're unique, meaning that they're never used in more than one place. And the problem with passphrases is that, again, we sort of see password cracking as happening much like it does in the movies, where you see this thing on the screen going through A, then B, then C, and eventually AA, AB, AC, until it eventually cracks the password. That is raw brute force hacking. And it's the least efficient way of cracking a password. But it will always get you there eventually. Now, it may be decades from now, if it's a good password. But in theory, that should always get you there eventually. Most modern bots and scripts that are running around attacking all of our sites are never trying that type of password cracking. Now, they may do that if they have already compromised some site and got a set of credentials down, but those are encrypted and they're trying to undo encryption, then it may happen. But in the vast majority of cases, they're never getting there. But some of them do get to what are called dictionary attacks, which is where they take words and put them together to try to make passwords, combining them with common use cases, like an exclamation point at the end or a number one or two at the end. And they try to make passwords that way because it takes fewer guesses and they might get it. And this is only five words. And if they were to come to break some of these scripts that I've seen, if they were to come try to break into my erendekamble.com site, they would see my link to Twitter. And it would immediately follow that and pull down words and make a dictionary for me. And I have definitely tweeted about my dog King Air, which is the only unique word in this. And so that would be in their dictionary if they were building an attempt to break my password. They would have that. Would they be able to get to this? Eventually, most of the scripts probably wouldn't take enough attempts to actually get all the way to a phrase this long. 
But it's not as good as having an actual random password that forces these scripts to use the least efficient password cracking method possible: brute force. And so instead of doing this, we can go with long, random, and unique. And the only way to do that, my passwords, by the way, when I say long because I realize I didn't qualify that, my passwords are all 50 plus characters. But I recommend at least 20 plus. Like the 10 or 12 that we see recommended a lot of times, that's older information from when computers weren't quite as powerful as they are now. So I would recommend at least 20 characters. How can you have passwords that are 20 characters long, completely random, and a different one for every site that you use? Like my password for my website is not the same as for my email, which is not the same as for my computer. And they shouldn't be. That is the only way to do it is with a password manager. Everyone should be using a password manager. Who here uses a password manager? I love this. As I've given more and more of these talks, I have seen that number slowly increase. If you didn't raise your hand, your homework for between now and the next session, it's that important. Talk to somebody that did and find out how you can get set up on a password manager. I used LastPass personally. A lot of people use 1Password, especially if you're pretty heavy in the Apple ecosystem. But I don't care what password manager you use, just use one. It's the only way to have good password practices online. So that was all the assumptions that I brought to the table today. I'm Aaron Campbell, by the way. I work for GoDaddy. I'm focused heavily on the WordPress ecosystem. Most of my, I guess, a lot of the data that I bring to the table around this talk is from having led the WordPress security team for 2017 and 2018. I'm not doing it anymore, but I'm still a part of it. 
But I want to take the time to hopefully either clarify things if anyone has questions, or better yet, if you've heard something, let's see if we can confirm or bust it right now. Yeah? A couple of things. Limit attempts, two-factor authentication, or CAPTCHA? So there was actually like three parts to this question, I think, which is, is limiting the login attempts a good thing? Is two-factor authentication a good thing? And is CAPTCHA a good thing? I'll take them, well, I'll take the CAPTCHA one first. I am not a fan of CAPTCHAs. Generally, I guess that I would say that it's maybe plausible if I'm going for the confirmed busted plausible thing. It can potentially protect against these automated attacks if you were to somehow roll it out to also the other interfaces to your site, not just your one login form. It would also need to somehow cover, and this is where it starts to get impossible, your XML-RPC interface and your REST API interface. And so without those using it, it quickly becomes less functional, but still a burden on your users that are trying to validly log into your site. For limiting login attempts, that is great. If you can do it pretty reliably, most people with individual sites really can't. If you can get some sort of limit login functionality that's supplied by a bigger company that's kind of outside your WordPress site and is seeing a much broader range of things, then that might be helpful. What happens is most of these scripts, they're not coming from a single location. They're not necessarily trying only a single username. As a matter of fact, these scripts are hitting from lots of different IP addresses from various countries, and they're trying different user names. So limiting the login attempts, even if you just give them, say, three login attempts per IP address, they'll just use thousands of IP addresses to still get as many attempts as they really want. 
And so in theory, limiting the number of chances someone has to try sounds useful, but it's actually really hard to do in any kind of useful way with the limited picture that a single website gets. Two-factor authentication was the other one, and that is 100% confirmed. Two-factor authentication is absolutely amazing for increasing the security of your site. It's a thing that I felt like went just a little beyond what I was talking about in this talk, but since you brought it up, I'm gonna talk about it anyway. Two-factor is a form of multi-factor authentication, and essentially, there are like three things that you can use to prove that you are who you claim to be. There's something that you know, like a password. There's something that you have, like your phone in your hand or one of those little key chain things that a bank might give you that generate tokens, and there's something that you are, like your fingerprints or your facial recognition. And two-factor means that in order to log in to your site, you basically have to prove using two of those methods. In most cases, that is something that you know, you give it your password, and then something that you have. It will ask you for a six-digit code, and there's probably an app on your phone that gives you that code, and that code changes like every 30 seconds, and that's fantastic, because then, if there was something in the Wi-Fi that was pulling down the things that you were typing, or if someone was even looking over your shoulder and like read your password and your two-factor code, that's good for about 30 seconds, and then it's not anymore. So two-factor authentication is really fantastic, and there are plugins that let you add this to WordPress really easily. There's a free one in the WordPress plugin repository called Two-Factor, and it's one that I helped author, and it will work with, uh-oh, it will work with almost any two-factor app on your phone, which you can download pretty easily. Yeah. 
No. So the question was, does your mother's maiden name count as two-factor? But the funny thing is that that's clearly talking about security questions, right? If you forget your password, we're gonna ask you these other questions to verify that you are who you say you are, and then we're gonna go ahead and reset your password. And I despise those, because they are either so impossible that you can't remember them, asking you things like your favorite song, and you're like, well, what was my favorite song whenever I answered this question whenever that was? And did I type it right, or is it, you know? Or they're so standard that anyone can find them out about you, like your mother's maiden name, and none of that is any good. Instead, use a password manager so that you don't forget your passwords, and then do like I do, and answer those questions with things like, you're not me, and then a bunch of random characters. Like, that is, there is no way that I could ever get the answer right to any of my security questions, but I also will never need them.
Yes, go ahead. There are, so she did mention about secure notes in LastPass. Most password managers have this, and that can be useful even for things like backup two-factor authentication codes so that if something were to happen and your two-factor app was no longer working, you could use a backup code to get into it. But yeah, I don't store my answers in there. I just make them completely pointless.
Yeah, there was a couple hands over here, yeah, right here. It is, the plug-in is spelled out T-W-O, T-W-O factor, yeah.
So the concern is that if you put all your passwords into a password manager, it feels a lot like putting all of your eggs into one basket. Doesn't that seem a little dangerous? Is there some sort of backup or contingency plan for that?
It's one of the reasons that I like LastPass, and I think that a lot of the password managers are starting to do some form of this now, although I'm a little less familiar with them because I kind of just settled in on LastPass and have been using it for a while. But LastPass pulls your encrypted database of passwords to the various devices that it's being used on. And the encryption levels are very high and also completely configurable. You can actually go into settings and change the way it encrypts and all kinds of things. So it's not easy to break into that, but that database exists on my laptop because I've used it from my laptop and it exists on my phone because I've used it from my phone and it exists on the LastPass service. So if everything went terribly wrong with that service, I still have all of my passwords on my two devices that's accessible right now. And for me, that is good enough. I mean, everybody has to make their own decisions on how much contingency planning you want to do. That is acceptable for my level of that.
How much more time do I have? OK, I do still have some time.
Yeah? I'm talking about contingency planning. I'm concerned it's like, if really something happens to you and you only want to know these passwords and this access to your digital life and some fact counts and everything, just make sure to push the instructions in your little RPO.
So the question is a little bit, well, it was more of a comment, but actually I have something to say about it anyway, so I'm going to treat it like a question, was that was around contingency planning if you lock all of your access in something like LastPass and you were to pass away. If something were to happen to you, how does someone else get access to that? And something that LastPass has built into it is actually the ability to designate a person that will be able to just click request and get access to that.
You've given them the allowance and the way it works is you can either set it up to give them immediate access, to give it with a one-week delay or a one-month delay or a three-month delay, I think, are the options. And essentially, if they request it and you don't deny it within that time frame, they essentially get your LastPass vault of passwords and get access to it. My wife has that for me. And so if something were to happen to me, she would just click I need these passwords and she would get them immediately.
Yes. OK, security plugins, firewalls. Man. Yes, so the question is around WordPress plug-ins for increasing security, things like firewalls. Are there things that we can do outside of just our own kind of best practices to help increase security on our sites? And yes, absolutely. A lot of those are extremely useful. The WordPress plug-in is particularly good. And they're here. And you can ask them specific details about that. And that's probably the best people to ask that question to. But beyond that, things like a web application firewall or a WAF, those are extremely useful. They're a little bit more advanced tools in some ways. And they are the best ones, I feel like, are generally paid options as well. Cloudflare has a free option that's pretty good, but their paid option is dramatically better. Sucuri has one. And these are things that filter, essentially, the traffic requests that go to your site go through them first and then to your site. And they can watch for potentially malicious traffic and filter it out before it ever even gets to your site. Like someone can't break into your site if they are caught before they ever get there. And so that is extremely useful.
What about passwords for your computer because that connects to your LastPass? What about passwords for your computer? So good password practices need to happen absolutely everywhere, not just your WordPress site.
The specific question about getting into your computer can be a little bit of a different answer, I guess, because LastPass can't auto-fill that for me. I'm not in there yet. And so this comes down to when I don't use LastPass, which is really only for the password to get into my computer and the password to get into LastPass, which also I have multi-factor authentication on. But for those things, how do I come up with passwords? I use kind of a modified form of passphrases. I will use something that is not a real word that contains unique symbols. It could be a mathematical formula. For me, I love math, so that is often a go-to for me. But it can be anything, something that contains symbols and is not a word, and then also a phrase. And so I will put in this mathematical formula and then a phrase like King Air watches me on calls. And I combine those to make the two passwords that I need to actually know.
Maybe one last question. I will also be around. I'm going to be heading straight over to the happiness bar. So if other people have questions, you can certainly find me there. But I think I have time for maybe one more. No? Awesome. Thank you.