Guide to WordPress Security Part Two

On November 2, 2020, I conducted Part Two of an online presentation on WordPress Security for the Portland Oregon WordPress Meetup Group. It was a conversation on all-things WordPress Security including firewalls, two-factor authentication, HTTP Response Headers, running a VPS, and more.

The original Part One presentation was done on August 3, 2020 and can be found here on my website.


YouTube Transcript

You are much better off watching the video with captions on than reading the text below.

As I briefly said as we were getting started, this is the part two to the earlier presentation that was done. It’s, you know, to a large extent it’s just not even possible to do a quick review of the previous two hours, so if you are now watching this presentation after the recording date of November 2nd, 2020, you want to stop here. You want to watch the other one first, go through the other slides here first, and it may make things a lot easier to go through here.

As people know, I’ve been doing security for quite a while. There’s so many topics in security. I happen to be very opinionated about a lot of them. You’re going to hear me only making one or two, maybe three, recommendations on any given topic. I can explain some of those if needed, but you know, this is one of those things that just over the years of doing so many different types of, primarily, IT and system administration, and WordPress since version 2.2, you start saying, all right, this is the plugin I want to use, this is the tool I want to use, yada yada yada. So hopefully everybody is going to be able to ask questions along the way. If you have other questions that you want to ask, don’t hesitate.

All right, remember how I said I can’t easily summarize the first part? Oh yeah, how can I summarize it? So here’s the reality: there’s a lot of aspects of security. They go from the mundane issues with social engineering and people, you know, working you in some capacity, or just even the simple phone call that leads to somebody trying to extract some information out of you. But I want to try to start focusing on the end of what happened in the part one, which, if you look on the lower right, you see firewalls, because in the end the firewalls start becoming the biggest, biggest wall that you can put up in front of everything that’s going to possibly cause you security concerns. I mean, passwords is a big, big thing, but firewalls, let’s go there. So what’s a firewall? I’m oversimplifying this by saying it’s
like this crazy filtration system. It takes data that is running across the internet, or an intranet inside, and it kind of categorizes it and sifts through it, and it throws these packets this way and those packets that way. And all of a sudden it has a rule set that it goes through, and at one point in those rules it says, all right, this is not good, we got to throw this out, or this is destined for this other location, which is the dumpster. It’s traffic cops, essentially, not only on the internet: on your website, within WordPress, in your house, you have firewalls all over the place. But the primary firewalls that are out there, you don’t see them. They exist at the network level, the infrastructure level. There’s a lot of traffic filtering that’s happening out there, but the key is now, how do we get this down to where are we going to take advantage of the firewall capability? So we’re going to do that with a plug-in to WordPress, or we’re going to do this in the cloud if we can, or are we going to rely on our host to do it? So the network level stuff: when they say in the cloud, that usually means Cloudflare to a lot of people. Sucuri,
Incapsula is another type of massive firewall out there. And the host: this is now when it starts becoming fairly technical, because this is put in by people who are maintaining the servers, the network administrators. They’ll have stuff that they’ll start slinging around, all this, I don’t know, iptables, ufw, CSF, LFD, fail2ban, ModSecurity. There’s a whole bunch of things that happen there.

And at the server level, now not talking about the actual hardware level up above or this OS level, but at the server itself, the stuff that gives us the internet, Apache is what most people are familiar with. There are firewalls that are there. The popular one is Jeff Starr’s 6G Firewall; now there’s a 7G Firewall. And a lot of people do manual manipulations to Apache files, these .htaccess files, or nginx conf files. Even, you know, it’s interesting, because even iThemes Security, there are even plugins that will alter your .htaccess files so as to give you some protection there at that server level before it even gets close to WordPress.

The application level is where, let’s see, you know, I’ll give you the best idea of something that’s right there: if you install Wordfence and you get this little warning that says you need to actually alter your .htaccess file and point to a special piece of code, that is that little piece of code that is running right before it hits WordPress. And then once it gets into WordPress, there are firewall capabilities that you can run within there. So, you know, I think BBQ, BBQ Pro, actually provides within the plugin itself firewall access.

So where do you filter? That’s what it comes down to. And the best place to filter traffic, the best firewall, is at the very top: network. Next best place is the host, next best place down and down and down and down. And you want to make sure, whenever possible, that you are taking care of as much firewall-oriented security outside of WordPress if you can. And the way that it’s done, a lot of people are buying into
this idea of a web application firewall. So, web application firewalls: by the way, I want to point out that not all of the web application firewalls have these features that you’re looking at here, but essentially a web application firewall knows very specifically about a given application, in this case it’s WordPress, and it will go out of its way to protect Wordfence, a WordPress, at a much more granular level. So it can go out of its way to say, oh, we know that this particular exploit exists in this plugin, let’s filter it right then and there. Web application firewalls: not required, though they are a really, really good thing if you don’t do a lot of security stuff. So sometimes it’s like one of those cheap entry points. You just dial a web application firewall, especially if you can get one that does not run on your server, or one that doesn’t run right before WordPress, or one that doesn’t run inside of WordPress, and then you have a much higher level of protection.

So the thing that came up over the last couple of months since the part one presentation, as well as I’ve been asked for so long, like, what do you do, what do you do security-wise? So I have come up with some ideas. I got some ideas in mind. I think by the end of this entire presentation, when you mix and match all the other things that I’ll show you, and more importantly if you have the time to implement them, you’ll probably find that there will be enough; you will not need to go through these particular items. But to give you an idea, you can get away with no plugins whatsoever if you’re the only user and, you know, administrator or auth editor on a site. If you have multiple people that you need to get onto a site, you can get away with having just one plugin. And so this is my all-time summary for the two-hour presentation we had before: how to wrap up what you should be doing depending on price level. So MFA, I’ll get into it in the following slide, the
multi-factor authentication, number two factor authentication, quite, quite, quite important. It just gives you that extra level of password and one-time password protection. And now, actually, you know what, before I even get into the multi-factor authentication plug-in, let me tell you something here. There’s a base assumption. My base assumptions before going into this is that you have a great web host, not a good web host, you have a great web host; you are doing frequent backups; you’re doing updates to the core, to the plugins that you have, to the themes you have installed; you’re using strong passwords. Then you can do the multi-factor authentication, the two-factor authentication.

You can also, for free, do Cloudflare. Cloudflare has a number of wonderful built-in security features that will get you very, very, very far and will also speed up your website, not for the first couple of viewers, because it’s not a true CDN or content delivery network, but subsequent users will actually get it a little bit faster.

And there is this idea of using an activity logger. From the earlier presentation you might recall that, you know, Wordfence to a large extent is really just a thing that alerts you to what is going on. It logs all these activities. It’ll then tell you this administrator signed on, this particular plugin has been activated, et cetera, et cetera. There are free activity loggers that are out there. So if you want to do things for free, there you go. You can get away with it with a few page rules, as they call them. By the way, if you’re using Cloudflare right now, do not set the security page rule higher than medium. Medium. You know, the high security just won’t get you there; it’ll lock out way, way too much.

So Cloudflare Automatic Platform Optimization is now a one-click feature that they added onto all of their offerings. This is Cloudflare specifically. Normally their free plan, completely free to get in there, but now you can actually add on a five dollar a month plan that is
a little bit different than that twenty dollar big step up, and what it lets you do is essentially provides a one-click turn on everything within Cloudflare, set up all the rules. You know, no big deal, here’s all your rule sets. If you want a crazy speed boost, it’ll give you that as well. It’s really kind of like one of these set-it-and-forget-it. It does not, however, include a web application firewall. You need to step that up to the next level at ten dollars a month, or, you know, right around ten dollars a month is what it works out to, and that is Sucuri, is my current recommendation here at the end of 2020. It is a web application firewall plus a plug-in that has the web application firewall running in the cloud. And you can actually spend the same ten dollars a month and have something like Wordfence or WebARX, or there’s a number of other options, that for that amount of money you can run a web application firewall on the server, on your host, right before WordPress, in some cases within WordPress. But you might as well just take advantage of the fact that everything is being filtered before it even gets close to your server, before it even gets close to WordPress.

Big step up from there, twenty dollars a month at that point: Cloudflare Pro. If you have high traffic for your site, if you’re concerned about competitors jumping on you, hiring little bots, having bots attack you in some capacity, other security concerns, you are already aware of what Cloudflare Pro does. You probably even use it for pushing data to the edge. It does a whole bunch of other features. It comes with rate limiting, WebP, Polish. It’s a whole big thing. It’s one of those, you put this in, you don’t need anything else. You really don’t. It’s crazy how good that is. I wish that all my clients would just say, let’s go ahead and do that; I wouldn’t have to worry about other stuff.

And I’ve been asked multiple times, what is the one thing if I had just to spend one bit of money? A
few years ago I bought a limited lifetime subscription to blah blah blah. There’s something called BulletProof Security Pro that is actually quite, quite impressive for the one-time payment of 69 and change.

So backing up for a second, I want to get back to that free aspect there, the plug-in, multi-factor authentication, two-factor authentication. This is the best, easiest, lightweight, and free plugin that you can utilize in order to get that second factor authentication, where somebody has to enter a limited time code. It is by far the most important thing, in my opinion, to add in. A lot of sites that I work with, that’s the only additional security feature that they will have besides the free Cloudflare plan. So I want to say that again: this is the only plug-in I have running on a number of client sites without any kind of problems, plus using that free Cloudflare plan.

Now getting into Cloudflare. I say here, change over your DNS. That is not the simplest thing. I hope everybody’s realizing, I feel like this is the roller coaster ride; we’re going to start getting faster really quickly here. You have to change over your DNS and make sure that the proxy, that little orange cloud, is lit up. Once it is, then you can use those blue icons that are below it. And I’m not going to spend a lot of time here on the next few slides. You can always come back to view this information, you can always download the slides, my website of to get the information that thing. But here’s the thing: you get what are called three page rules, which specify how traffic can proceed in and out of pages. You get five firewall rules. You can block countries. If you don’t do business in Vietnam, China, Russia, Indonesia, I can name about another dozen others, you can just eliminate all that traffic coming to your website in one fell swoop. And there’s also a feature that they have called Scrape Shield, which will do hotlink protection for you, clickjacking protection, as well as obfuscate any
kind of email addresses you have on there. So this is a whole bunch of additional security things in one big shot, but those firewall rules are what really make it interesting. Again, I’m not going to linger too much on them here. If you are familiar, if you know from that previous video, previous presentation, you probably remember some of these things. These are the actual rules that you can employ within Cloudflare to protect the majority of things. You can do it in five rules. You can alter them a little bit. There’s, you know, there’s a debate whether you want to eliminate all referrers that are coming off of your site, coming off of subdomains, for example. You have to start paying attention to any type of plugins that might have issues where they’re self-reflecting upon themselves. But I am not giving you is if you copy and paste these into your Cloudflare firewall rules and test them to see how they’re making out, you’d be kind of surprised by how much stuff is not going to get anywhere close to your WordPress site. And don’t just blindly copy and paste; make sure you change to your domain. That would help, wouldn’t it?

So I feel good about these. I felt good about these over the last number of months. I think that you can actually get away nowadays, at the end of 2020, with having an ultra cheap plan on an ultra cheap web host and utilize that five dollar a month Cloudflare plan and be shocked that it is performing as well as one of these thirty dollar a month plus plans. The users will be thrilled about it. That’s until you try to access the back end and start editing things in your GoDaddy, I mean bad daddy, account, and then everything’s slow. The users get a great platform optimization, they get all the speed, they get all the security. What’s up. I hope this is a good start for people.

Now let’s graduate pretty heavily here. Most people would actually start saying there are things that you can do within WordPress that will provide
security by essentially hiding things, changing them just a little bit. I am going to tell you that this is an unsound strategy. These things that are on the screen right now, people are doing left and right. There are even plugins that do these things. These are just things that just hide things from the outside world. They really don’t do much. Most of the bots that are good out there, and almost all the hackers that are WordPress specific, this is nothing to them; they get past this right away. And by the way, the third item down says moving the wp-config file to the directory above your WordPress install. You can do that without any problems. Most people think it has to be in that very specific location. You can move it outside your WordPress install. There are things like Roots, the Bedrock project, other types of implementations of WordPress that do that for other reasons, not necessarily for security.

So, separating your multi-factor authentication from your password manager. I imagine a number of us have LastPass or 1Password, and you have a new, all of a sudden, that new QR code that you can scan in immediately into your favorite password manager. I would start suggesting that you don’t do that. Keep your passwords separate from these authentication things. Passwords are what you know; one-time passwords, multi-factor authentication, is what you possess, what you have. Look into Authy or Google Authenticator. If you really are concerned about things, you can start doing YubiKey or Google Titan Security Key. And if you do use all these types of systems, just please, please, please only buy them from the people that make these things. Don’t go onto eBay and start buying your YubiKey; buy it directly from them.

So, passwords. So many different ways of having passwords. You know what I mean by password policies: their length, or history, I can’t reuse it, they have complexity, I have to add at least three characters, no underscores, those types of things. There are ways
of doing this within WordPress if you feel you need to. It gets a little tricky for people that are being forced to do this if they’re using WooCommerce or a learning management system or a membership site. Sometimes, early on, the strong password policies just turn users off.

Going down the list, some of these may be familiar to people, except for probably that last one, which I’ll cover a little bit later: your email also has security issues that you’d be a little shocked by, how often they appear in plain text that anybody can actually start diving into once they get access to your site.

Recently we’ve been hearing a lot about how WordPress now wants to make sure that everything is a minimum version of PHP 7.2, with a preference for 7.4. I know the belief that January 2021 is PHP version 8. Things on WordPress should work on PHP 5.6, but from a security standpoint, what do you run? And I’m going to suggest that you don’t run the latest and greatest. Stick with one version behind; in this case, today, it’s version 7.3. And a lot of that is not necessarily from a security concern, it’s for a compatibility concern: interactions of plugins, the way that different themes were set up originally that may not be going forward. 7.3 is fast enough, it’s secure enough. I would just go with it.

By the way, it says aggressively limit IP access. You can do this also on Cloudflare. You can actually specify the individual IPs or ranges, not just do it based on countries or big, big places.

Theme editor, us being turned on, starts now becoming a security issue for your signed-in users, so the best way to potentially get around that is to just start setting up better user roles. From a security standpoint, there’s a strong wisdom to doing your major, major site design edits as an administrator, but when you start doing blog posts or start doing any kind of content, simple stuff, just have yourself as a regular author. But if you now have to start playing around with somebody’s a shop
manager but shouldn’t do this on the site, or somebody who has just limited shop manager access to WooCommerce, there is a plug-in, User Role Editor, that gets you going really, really fast on that.

I am not a big fan of logging out idle users. I think that if you ask yourself right now, do I need to log out idle users automatically, then you can do that. You know, it’s a security issue potentially. You can force everybody to log out if you need to in a couple of different ways, but that’s something you have to ask yourself.

And I don’t know if anybody here is doing a multi-site installation of WordPress. Some security plugins, if you choose to use them, just don’t run at all under multi-site. I would suggest generically avoiding the multi-site networking features unless you are unbelievably sure that the themes, the plugins, and all the passwords can be maintained over time. On the other hand, you can just use the multi-site for the exact same benefit, keeping all the themes and the plugins in line the exact same way and updated.

It says here, if you’re using WooCommerce. I’d like to say again, it’s learning management systems, it’s membership systems, it’s something that’s really, really specific for dynamic WordPress websites, not necessarily brochure websites or static websites. Register your website with these search engine tools, and there’s a lot of them now. You know, Google Search Console is what most people probably know, but Bing has something called Webmaster Tools, and so does Yandex, Y-a-n-d-e-x. And with those free webmaster tools, you can use their systems to, you know, leverage their infrastructure to tell you the health of your website as time goes on. You know, it’ll start telling you something’s problematic, these pages can’t be accessed, things like that, without you even having to go to that website.

And backup. You know, we hear about backups, backups, backups, backups, and then backups, but there’s also this idea of archiving them, shifting them away for a
long term storage. It is incredibly cheap to do these things. It is incredibly easy to do these things. There’s even ones that are, you know, Amazon has something called Deep Glacier, Wasabi’s out there, and how about this: just take your data and put it into a safe or safe deposit box. Just get it into a deep storage. Archive the stuff. You never know when you have to turn back to something you had a few years ago, and that could be for a number of reasons. And by the way, to give you an idea about how inexpensive this kind of stuff is, I think Amazon Deep Glacier is around one US dollar per terabyte. It’s obscenely cheap not to be able to toss stuff out there every once in a while.

So, all right, let’s take a pause before things really get faster. How’s everybody doing out there? Doug, do we have any questions?

Yep, Doug Noel, I believe, has a question.

I knew if I took a bite of dinner you guys would ask me a question. Always happens. Hi everybody. Yes, going back to the WAFs, the web application firewalls: David, what do you feel is the comparison for some of the WAFs that come with our hosting plans, some of the better hosting plans out there, versus the Cloudflare product you are suggesting?

All right, excellent question. So I’m gonna answer in a slightly different way. The web professionals that keep track of malicious plug-ins, people that keep track of problematic potential signatures that may indicate future problems, those people that do those zero-day exploits, they’re all talking amongst each other. They all communicate amongst one another, and the primary contributors to that group is Incapsula number one, is number two Wordfence, number three Sucuri, and number four Cloudflare. It seems to be those are like the big group of people who know what is going on. You can use, depending on who your host is or what their network infrastructure is, somebody who is utilizing one of their systems to great effect. So I’m sorry, that was a very generic answer there for you, Doug, but it really depends
on what they’re utilizing and then what people trust, and I just trust in that little, I feel like the little cabal of people who know more about viruses and malware than should know.

Got it, thank you.

All right, Assem is next.

David, is this the right time to ask about a DDoS attack, or are they going to cover that later?

I will get into that a little bit, so come back to that with possibly even a more specific question as we get further. Okay? By the way, what he’s referring to is called DDoS attacks, distributed denial of service attacks. Oversimplified, this is where a whole bunch of other computers or servers that are out there on the internet are all flooding your particular website or your server or your shared host with a lot of requests, where it just simply cannot answer sometimes even any of them. DDoS, it brings systems to a crawl. Cloudflare has built into it free DDoS protection at their basic level, and at their Pro level they add some additional DDoS protection. So Cloudflare covers the bulk of it.

Okay, Doug Ryder is next.

I had a question regarding, like, if you’re having an issue with your server, not your server but your WordPress site, and a developer needs to come in and get admin access. I usually set up an admin access for them, but I’ve been using a little tool called reveal it dot me which can securely send them the username, password and all that credentials. I hate sending it to them in emails, you know. So I was just wondering, is there another service that you know that can do similar things? The one that I’m talking about, reveal it dot me, is by the same people that do WP Rocket.

Yeah, so I’m actually familiar with reveal it dot me. I think that if you really are concerned about passing any type of secure information across the internet channels, there’s a couple different ways to do it. The cheapest way to do it, I think, is actually to take half of it. I saw this with a credit card recently where they sent half of
it via email and half via text message. It was lame, but it worked. They split it across two things. There is something that I strongly recommend for people that is referred to as Keybase, k-e-y-b-a-s-e, and Keybase lets people send you not authenticated information, not just things that are signed from you, meaning they will know that it truly, truly came from you. It’s a derivative of PGP, for those that are technically inclined. It’s free. Keybase was actually just recently purchased by Zoom.

Okay, all right, thanks.

All right, Dean is next.

Two quick questions. One, I noticed on one of your slides you said disable account ID one, the administrator. What’s the basis for that?

Yeah, so you know, a number of older installs of WordPress that go back years and years and years always started the first user as just user number one. It was the default administrator user. It always had administrator access. It almost always started with a name like admin or administrator, and you did not have to determine the name of that user in order to start going after it. You can just simply look for user ID one and take a good hope that it was the administrator user. So the idea here is not necessarily to delete that user, but more so just to neuter it, just cut it down to size, meaning take that user number one, or possibly even, for a lot of us, the original administrator account that was set up there, the first account that was set up. Create yourself a brand new administrator account, go ahead and create it, log in as that, and then take that first user, hopefully it was user ID one if it’s an old install, and make it an editor or an author permission level. Okay? Then you’ve taken care of the whole issue.

Okay, so it’s not really about account one with current versions of WordPress. So that kind of leads...

Depends on the install. It actually depends on the install, because there is some install, like quick installer software, that still does user number one.

Okay, which leads to the second
question. You talked about passwords, and passwords are managed by WordPress itself. So are you implying we just need complicated passwords, or that there is, well, memberships and WooCommerce and those sorts of things, they’re using the WordPress password system. So you don’t have underlying concerns about WordPress managing passwords, do you?

No, I don’t. Yeah, boy, I hesitated. Now everyone was probably, wasn’t, what I’m hesitating about. So if you do all the other security precautions, I would not be concerned that WordPress has any current known exploits for that. But all that being said, WordPress uses a fairly insecure MD5-based password hashing, and bcrypt is now considered to be the more modern, secure password hashing. So I wouldn’t be shocked that the folks in WordPress would probably remediate that in the upcoming year. Boy, that was a long answer for a simple question.

And people are reversing the hashes now because they find that information and do the correlation elsewhere, and that helps them. It’s more social engineering.

Yeah, well, so yeah, there’s something I keep on a lot of sites that is called WP Password bcrypt. You have to install it really early, and it replaces the insecure MD5 password hashing. It’s not a required thing.

Right, okay. Okay, thank you.

Okay, I think that’s it. Doug Ryder, I think you still have your hand up from before. Does anyone else have any questions?

All right, all right, sounds good. So, email security. I am going to be really quick about this particular one so I can move on to potentially more interesting things, but the fact of the matter is that email that is going out of WordPress has issues. You need to pay attention to the types of emails that are being sent and whether they’re being sent from the server or SMTP, which is the other protocol that most of us use every day to send email. But sadly, from an SMTP standpoint, a lot of these plugins put that information into the database in plain text, and
the concern there is that if WordPress does get compromised, that people do have access to your database, they now have access into sending emails on your behalf, potentially. But it’s something that they can get into. So there are ways of tucking that SMTP information away in functions and wp-config files that you never have to worry about.

You want to go out of your way to add in, at a DNS level, the most important policies that are needed for sending emails. That is a big, big security concern. That’s SPF, which is a shipping policy that just simply says which server emails can be sent from. If you’re going to send something from Google, then that’s a shipping policy. DKIM is like a digital, I think of this as it digitally signs your email. This way the recipient will verify that it came from you. DMARC is the current big one. It’s really, really important that people have that. It essentially prevents people from sending an email on your behalf, is what that does.

And, you know, there’s things at the bottom: should you use SendGrid, Mailgun, should you use these things? Yes, yes, yes, yes, yes. Yeah, you have a low volume site, yeah, sure, why not use a Gmail. It is a good idea to get your transactional emails, these things that send out orders or receipts and things like that, get that off of the regular WordPress email system. You’ll have a lot more of an ability to make sure people see those things in the inbox and not have the security across the internet concern.

Security across the internet also takes place in the DNS side of things. DNS, by the way, is one of the oldest protocols on the internet. It’s like the phone book of the internet. You know, I need to have everything being looked up. You know, when you type in, it’s what translates that into the, you know, 16.2. 
that IP address. There are now security extensions that have been added on, since it was not designed with any thought towards security initially. The big one now is the Domain Name System Security Extensions, that second one that’s listed down there. This will essentially make it harder for people to hijack a request that you’re making out there and returning to you a little bit of fraudulent website information. That’s been happening out there. Privacy is something that you can actually set in most of the domain things. It’ll make sure that if somebody looks you up, they won’t see that this particular site is owned by you, with your home address potentially. If you have not locked your domain with your registrar, that prevents transfers from going out. And there’s this new stuff, DoH. I love that, I love that. That’s my favorite new acronym, by the way. [Music] It stands for DNS over HTTPS. Oh, [Laughter] an acronym that contains two other acronyms, DNS and, they say, oh my God. I’m sorry, I’m sorry, I’m geeking out here.

There’s also, by the way, failover strategy. From a security standpoint, I feel like this is the poor man’s high availability of your website solution. If you want to make it so that if your web host goes down completely, you know, you can pay a lot of money for what they call HA, or high availability. However, you can use a feature like, DNS Made Easy as an example, they have something called a DNS failover, and immediately when it sees the site is down, it’ll switch over to a completely different you are host that is running essentially the same URL. Very, very clever for doing that.

So from an email standpoint, from a DNS standpoint, any stuff before I get into master levels?

Doug Doyle’s got a question.

Yeah, just on that last point, the failover strategy. You mentioned DNS Made Easy. Is that automatically in there, or do we have to go in and activate it?

You do need to
activate it within DNS Made Easy, and it does cost something with them. There are other people that provide those types of solutions as well. Actually there’s a couple of organizations out there that will switch over DNS automatically through either Cloudflare or DNS Made Easy without you having to set it up on those systems. I suspect that over time you’re going to see a number of other people coming out with this type of feature. Like I said, it’s poor man’s high availability.

And second part: when do you think the DoH fixes are coming, what kind of time frame?

DoH is already out there. Actually the Firefox people have been leading this program called the Trusted Recursive Resolver program, and you can actually go right into Firefox browser and just turn on that experimental feature right now and it’ll fully work without problems. I actually had used it on a phone with Firefox and it was built in, so websites came up, so I assumed it was working. It’s going to take time to implement at a browser level and then hopefully at an operating system level. I would be shocked if it does not get implemented by Apple Computer or Microsoft or Google for Android or the Linux providers. I’d be shocked if it doesn’t come out very, very quickly.

Thank you.

Okay, that’s all right. You guys ready to hold on to your hats a little bit here? Okay, so we were touching on this whole idea of enumerating visitors, you know, going users, user number one, user number ten. You can actually start looking at users at their author pages, you can get it through other mechanisms. You can start finding out usernames and then you’re almost halfway home, you can start working on passwords. You can stop that with .htaccess and nginx conf rules. If you’re the only user on a website you can set up something called basic auth, also known as htpasswd. It completely locks, actually I think I mentioned very, very briefly that if you’re the only
user on a website, you have that good host and backups and updates, you can actually get away with only having basic auth protecting a couple pages and do no other security and do very, very, very well. There are fail2ban plugins that communicate with the server’s fail2ban. Meh. There’s mechanisms by which to check something called the cron events that are going on. There are security-related cron events. They’re timed or scheduled events that maintain WordPress in the background. You can actually check them, control them. Low-volume websites, especially ultra-low-volume websites, do not have events triggering because they’re not getting visitors, and there are ways around that. Not that, I don’t want to sound like a Cloudflare fanboy right now, but Cloudflare has free cron triggers that you can run on their server for free. Just keeps on continuing your website. If you’re really clever about it you can have it start hitting up certain pages and it automatically starts putting them into the Cloudflare cache, so that when people visit it comes up really quickly.

These ideas of this allow URL and allow URL include, those are things for PHP more than anything else. Most web hosts have completely disabled this. And, you know, it says here, if you ever mucked with file permissions. Here’s the thing, listen: you could have maybe used a poorly set up FTP client, maybe you did it by accident, where you tried to get some files on there and all of a sudden it’s like, oh man, I had a problem with this. And so if you feel like you had a problem with these things, especially over time, these are the simple things that you can do. Most important, at the very, very bottom, I wish I made it stand out a little bit, is make sure that every file has the right user and group. It’s a Linux-specific thing. However, if the user is called, for example, you don’t want to all of a sudden have root. You’ll have something that will just be problematic, and at
worst people can start getting access to your files that you don’t want them to have access to. If you maintain your own host, you know, if you own your own web server or if you brought one to Cloudways or RunCloud or GridPane, those types of services, you may want to do your own types of server-level backups. You hear about things called MySQL dumps and auto MySQL backups and restic and Duplicity and Borg. Those are the types of systems that people turn to.

WordPress salts: these are authentication keys. You’ll actually see these things tucked away in your wp-config file. You can actually update them every once in a while. The upside is that it logs everybody out. The downside is it logs everybody out. These other things I think you’ll see around there, you know, there’s other things you can do besides just pingbacks and trackbacks. There’s other discovery things you can remove: RSS, there’s editing, you know, little things you can remove, the functions.php. You can also get rid of those emojis. That’s not a security concern, but, you know, listen, unless that clown emoji just haunts you to no end, then you got a security concern, but other than that, I don’t know.

And then this whole thing that says HTTP response headers. This is the doozy, and this is where I want to really cover and get into. Whenever you make a request, you click on a link, your browser requests data, and then what comes back to the browser are two things. It comes back with a header that describes what’s being sent and where it was sent from, metadata if you will, and then it also has the body itself, the actual contents. It actually has some trailing data, but those are the key things right there. You can see it in Chrome inspector. This is where this particular screenshot came out of from a while ago. And if you look at the very, very bottom, right above where it says body, it says X-Frame-Options: DENY. That is
very specifically an HTTP response header for security. So if you’ve never seen these things before, you can check them out. It starts getting a little technical, and all of a sudden it’s like, oh my God, there’s like this one, what does that do, and they got this one, and now all of a sudden everyone’s saying you got to add Feature-Policy and say you don’t have this and that, and it just goes on and on. There’s a whole bunch of response headers that you’ll see, but the thing is that in the end there’s only very few security-related ones, and of the security-related ones, I’ll get into the details of the most important ones here.

What’s happened nowadays is now places are giving scores that you can easily look up. Just like you can score your page speed, just like you can start seeing that type of performance information, you can now start getting a security score on your website. And I utilize, there are other tools that you have out there, this is the one that just seems to be easiest to use. If you take a moment, you look right in the middle of that screen there, you see that big red F here, that’s a security score right there. And when you specifically go to this, sorry about that, when you go to this particular web page test function and you click on that F, hopefully it’s not an F, it’ll bring you further information about what it needs to have. Over time you add enough things in there, you go from an F to an A, which is typical. I will run most of the sites that I have, family have, friends have, where I can control those websites and the content that goes on there, over time I will have them at an A+ security score.

So what becomes that A+ security score? I mean, you can get these response headers onto your website using a plugin. There are plugins that do this. There are plugins that add headers, remove headers. It is not the way to go. Oh, you can even put code into your theme, you can put code into your theme
that will do it as well. Oh, but you can use meta tags to insert this information as well. Not the right way to do it. You want to stay away from doing the server manipulations. These HTTP responses, keep them as much as possible in .htaccess, in nginx conf files. Keep them in places where the security professionals expect them to be, so that in case a plugin has to be disabled, your security doesn’t go to heck. So I’m going to cover the top five, six of these, the important ones.

So, all right, now all of a sudden this is getting a little crazy here. Strict-Transport-Security. Does everybody understand what I’m doing here? I’m just trying to break down the security response headers that come out. This one here essentially just tells the clients how long they should cache HTTPS policy information. The client itself, your web browser, will make sure that it doesn’t have to keep on checking back to see if it’s HTTPS trustworthy. These policies will also be referred to as HSTS policies. Big group. I mean, they’re so good to use, except if you serve up any of the older HTTP traffic. You can set it for how many years you want to be there. This right here, those at 315, that’s one year. You can have a maximum age up to two years of the data being served. The interesting thing about this also is that there is a thing called preload. It is not something that you want to play around with. What preload does is it actually literally tells every browser as it updates that this site is completely secure. The bummer is that if all of a sudden you’re doing troubleshooting in your site and you have to turn off anything for a little while, HTTPS, all of a sudden your site will not appear at all, at all, to people who are using those browsers. So the removal of those preload directives is slow and it’s painful and it cannot easily be undone. So first one to try to shove in there.

Second one, something that deals with clickjacking. Clickjacking is, how do I say it, it’s an
attack that kind of tricks the people, your users, into clicking something that’s on your web page that is either invisible or something that’s disguised as another element on the page. Some people would say it’s like the inserting of frames or iframes onto a website. But one of the things is that you have to get specific on the information that you display here. If you are embedding Facebook or YouTube, or if you’re using something called WP Ultimo for multisite, you want to be very, very specific to allow something called an allow-from specifier here. So you can say, allow from a specified location, Facebook can display on my website, that’s okay; no one else can, only people coming from the exact same origin, the same website, could do it. Some people even put the word deny, d-e-n-y, in place of same origin. Just a little bit more aggressive. Medium severity to that one, compared to the previous one, which is a high-severity one.

Low-severity one, not as important, is the X-Content-Type-Options. This particular header is, you know, they have these things called MIME types, m-i-m-e, and what happens is that you can upload content to a website and you could actually disguise a file type as another file type, and all of a sudden you can potentially compromise a website by performing something called cross-site scripting. Compromise it, bring it down that way by getting through it, and essentially you’re just sniffing through some data in order to allow that to occur. It’s very prominent under some old Microsoft products. There’s exploits that are now out in the wild doing this with Chrome: when downloading extensions within Chrome you can actually do exploits to websites now. I don’t think they have an easy way around that, from what I understand.

That whole idea, by the way, about this cross-site scripting gets taken care of in large part with this HTTP header. It’s a high-severity error. Again, that cross-site scripting is kind of like where
code is injected and, I should say, interesting thing, the sad thing is that code can get injected to perform actions in the user’s browser on behalf of another website. It can happen with a user clicking around, but it can actually happen in the background. The user will not even necessarily know that they were infiltrated by a cross-site scripting attack. This header does not necessarily prevent that from occurring; however, it enables the filter for this that is built into most of the modern web browsers.

The next one, I should have saved this one for the last, I should say this one’s the last, because this is the doozy. If you’re taking screenshots or if you’re looking at these later on in a slide or a presentation, oh man, easy does it with this. What you’re looking at on the screen right now are security starter policies. I would not necessarily just copy these and paste these in verbatim. Yeah, the top one maybe, but you got to be careful. So the Content-Security-Policy HTTP header allows you to actually restrict what resources will actually get utilized when the browser loads. This is kind of clever, because all of a sudden you can start saying that JavaScript that is coming from some other page, other website, CSS that’s coming from some other location, cannot be loaded. That’s essentially what this does. If you notice, the bottom one, which is a very specific copy and paste from an nginx conf file, that particular content security policy does allow for Google Fonts to occur. It also allows for icons to appear in the Gravatar for users. The one that is above does not allow for that content to appear. If you do this right, you take care of cross-site scripting, you take care of clickjacking, you take care of a lot of other code injection attacks. It’s actually kind of impressive, except you have to whitelist. You have to come one by one by one, to go through each and every particular thing you want whitelisted. That gets really crazy over time. This
happens to be a working one. I wish I can show you what non-looking, it just, it can get out of hand. Oh, interestingly enough, going back one slide, this policy was actually set in WordPress’s default theme 2019. The theme itself very explicitly set the content security policy to allow only its inline scripts and CSS, that it allowed for dynamic code evaluation to be done, it had a data source specifically for the fonts it was utilizing. It actually was kind of impressive that it can be set in a theme. Like I mentioned, it can’t be set in a plugin, but this particular code is specifically oriented towards servers. Yeah, that just makes my head hurt right there, that does.

And probably the lowest type of HTTP header alteration that you should do, it’s a low-severity one, it’s called Referrer-Policy. It essentially lets users know where the inbound visitor came from. You know, when you click on a website, it tells the other website where you came from. We all use this in Google Analytics. All the metrics that come from Google Analytics tell us where the data came from. I know that 4,000 users came from Twitter this week because my website said, the analytics said, that it had this referrer header in it. So there are ways and times that you may want to control or even restrict the amount of information that’s presented in this type of header, or you can actually even say, I don’t want that header to appear at all. In some cases there are particular reasons for it.

So, HTTP response headers: those top five will get you to an A+ score. The sixth one is no longer counted in a lot of scores simply because the other ones can take care of the majority of it. The other ones that are listed are also security related as well, so there are other ones that you can look into. Oh my gosh. Okay, all right, that’s a lot. It’s a lot. How are you guys doing? All right, Dean’s got a question. I’m drowning. Hey, so just help me understand the response headers:
these are coming from the server to the browser, and there’s a mixture in there, I believe, of things that describe how the server will perform but also instructions to the browser. Is that correct?

That is a hundred percent correct. I wouldn’t necessarily say these are instructions to the browser; those are usually the HTML, instructions on how to render things. These are, no, you know what, you’re correct, there are instructions to the browser for how limited they can be or how open they can be from a security standpoint. There are other types of response headers that are just more informational, while these are security.

So that leads to my question, which is: if someone really wants in, can they hack a browser and ignore at least that half of the rules that are sent out to the browser? Is that kind of the next realm of where hackers are going to be headed?

Hackers have been there for quite a while. They call those types of things man-in-the-middle attacks, so somebody can get in between you and the server that you’re trying to communicate with. Have you been doing anything wrong there, Dean, that we should know about?

No, hear my brain spinning, sorry. All right, you say we need to prevent against something, I’m trying to think, well, what are the other guys thinking, how are they going to get around it, you know, what are the holes. So yeah, I do hosting, so I worry maybe a little more than some other folk.

Okay, okay, so the next section will be in your realm then, for hosting. Okay, Doug Doyle’s next.

So those went by pretty quick. I could probably figure this out by going through it again, but can’t eliminating some of those response headers screw up your analytics?

I’m thinking about the answer for that. Can some of them screw up your analytics? No. Actually they would potentially, that referrer, that last one that I showed, can potentially muck with other people’s analytics more than anything else, meaning it won’t tell them
where it came, where your link came from.

Right, but not my own, like say Google Analytics reports and stuff like that?

Okay, no, none of that.

Yeah, thank you.

Okay, Laura’s next.

Hi, I wondered, let me get rid of my hand, what you think of MalCare.

MalCare, two big thumbs up. There’s two aspects of MalCare, one of which is the software that they have, and the other thing that they have is their ability to remediate a hacked website. As far as people taking care of a hacked website, there is no better team that is out there that is responsive than the MalCare and the Wordfence people to do it. Actually security I think is now, their turnaround is really, really quick. The software MalCare is fairly similar. It is not in itself a web application firewall; it is much more of a reporting type of tool. Good reporting, but it’s not a web application firewall.

Okay, I don’t think we have anyone else with questions.

All right, I feel like I wrote this slide here for Dean. Yeah, so this kind of stuff now gets really heavy. It is now possible to go out and purchase a VPS, a virtual private server. You can do it for three dollars and fifty cents and get yourself a fairly decent web server, as long as you maintain it yourself, right? That’s the key behind it. I’ll tell you something, for five dollars you can get a really, really decent DigitalOcean droplet, as they call them, and be off to the races and have a really powerful system out there. But there’s lots of reasons not to do it, and this comes down to, I think there’s nine slides that are possible but I only have three. In the end the key here is just making sure that you have the technical capability of maintaining the systems. This is not necessarily like, oh, this is my checklist for what I need to do. I mean, it could be, but in the end, if you have your own server, your own VPS, and these things that I’m showing you here in this slide, the next one, if they look foreign, you’re not in the right place. You
should not be maintaining your own VPS, or you should expect that it’s a honeypot. People are going to come fishing in your direction and start taking stuff out of your little website. So there are a lot of different techniques that are out there for hardening a VPS. I would start there. The thing is that there’s these setup instructions you can go to, you can go to all these different sites and they’ll tell you exactly, step by step, copy and paste and copy and paste. Look at this, all of a sudden you have a website running. Copy and paste and copy and paste, look at this, you have PHP running. Copy and paste, hey, look at that, the database. Hey, copy and paste, oh, WordPress, boom, and look how fast it is, it’s really nice. The thing is that that only got you to a certain extent. It doesn’t get you the updates down the road, it doesn’t keep your server secure by any stretch of the imagination, it doesn’t mean that your PHP is going to be up to, there is a lot to it.

And then from a firewall standpoint, there are firewalls that you can place at your VPS level, on your server, that don’t have to necessarily be the things that are intended for .htaccess, for Apache specifically. So this famous 6G firewall that’s out there, now 7G, there even was 5G for a while, little bit of limitations for implementation. You’re best off going right to the bottom of this slide here and going right for the true firewalls: iptables and ufw, you see that a lot on Debian and Ubuntu systems; CSF/LFD, you’ll see that a lot on CentOS Linux systems; fail2ban is almost all over the place with stuff.

There are also ways of getting into the ability for you to type onto the server, do command-line typing onto a server. They refer to that as SSH into your server, secure shell into your server. There are steps that you can take very explicitly to lock those down, usually some of the first steps that you would want to take when having that new server. A lot of these hardening techniques
begin there. On Cloudflare, you can actually tell your server to always pay great attention to these particular Cloudflare things. You know what, Cloudflare, we’re going to work hand in hand together with your server, let’s do a little dance. Matter of fact, I have something called fail2ban that’s running on my server, let’s make it talk to Cloudflare, and all of a sudden they’re banning everything together. All of a sudden somebody starts attacking Cloudflare, next thing you know your website’s protected against the exact same stuff, even if Cloudflare gets taken offline.

Unused ports are a big, big thing. For people that don’t understand what these are: 80 is web internet traffic across the web, HTTP; TCP 443 is HTTPS. You want to keep very limited ports open, very limited, on servers as well. I hope people who are maintaining their own servers occasionally run a server-based malware detection there, and then after you run the malware detection you go out of your way to do your updates, then make sure you have the backups. It’s a back and forth, back and forth kind of thing.

This is a big one for a lot of people that maintain their own web hosts, that just, first time doing it, they have all the sites that are running under the exact same Linux user or Linux group, and next thing you know one site goes down and then all of a sudden all the other sites have the same problem. For years and years and years a lot of web hosts suffered from that: somebody’s site was hacked and started bringing down other people’s sites. There are ways to expire passwords, rotate passwords on sites. And that thing at the very, very bottom is one of my current favorites right now. There are these really, really simple little code snippets that you can run that will block a lot of bots that are out there, including, people are maintaining these collections of hunting bots that are coming from known gray hat and black hat, actually one list has white hat
hackers. It very specifically blocks them, and one of the nice ones is something called WPScan, which lets somebody or a bot scan your site to see what version it’s running, what plugins are going on, form stuff, things like that. You can block all of that with a relative amount of ease.

Somebody else, we were talking earlier about ModSec, m-o-d-s-e-c, ModSecurity. I promised somebody that I would put into this presentation that ModSec is a, and the one thing I’m looking forward to is sending them this recording, because ModSec is one of the best web application firewalls that you can get for free, but if you don’t set it up exactly correct with the right rule set for WordPress, it can be problematic. It was seriously overkill for most sites, by far overkill. So if your particular host allows you to do a 6G or 7G for free versus a ModSec for free, pick one of the other ones. If you’re doing your own VPS and you have the time to go through ModSec, you will lock down the vast, vast, vast majority of most attacks, a crazy amount.

I think some of these other things in here are things that you might want to try to do; I don’t think you have to do them. There is this idea here about WPScan, I mentioned one slide back, which is a system that you can run on a website as well as a command line that will start scanning your site. Every once in a while, why not just go in there and see what your site shows on these reports? I think it’ll tell you a lot about not only the server you’re running on but each individual site, what they have on it. And that last one, deny lists: you can start collecting up previous aggression IPs, even ones that are out there and known, and start limiting them pretty successfully. And then you can throw that into ModSec, and all of a sudden you’re really, really blocking a lot of the crappy traffic out there. And then you throw in country code blocking with Cloudflare or other things, you’re blocking another bunch of crap, and then you throw in
the nginx or Apache ultimate bad bot blockers, and in the end you’re ending up with a lot of, like, real traffic. The sucky part is your Google Analytics are going to look really bad for a little while, because you could be like, oh my God, that was all my bot traffic, what was that all about?

So Doug, we have any questions about those last things? I don’t mind going back a little bit also, I went through those pretty quickly.

No one’s got their hand raised. Anyone? David?

I have a scenario around a DDoS attack which one of my clients faced, so is this the right time to ask that?

Yes, please do.

Okay, so basically my client is in the cyber security industry, so they get targeted attacks quite a lot, it’s kind of every day. What we have done is that we have put their website behind the Sucuri firewall, and that protects us quite a lot, even the APIs, XML-RPC. And also most of the traffic does not come to our own server, because Sucuri also caches our files or pages and sends them, so most of the traffic is actually from Sucuri to the browsers and not from our server to browsers. But once we faced an attack where it was a DDoS attack and the person was hitting a lot of requests from various IPs, so one single IP was not used more than five to six times, and he was attacking like thousands of requests per minute from various IPs. So first he tried to do that with the valid URLs. That did not reach our server, because those pages were delivered from Sucuri itself to the browsers or the bots. Then the attacker started requesting the invalid URLs, and as those URLs were not present on Sucuri, they were sending it to our server and we were getting hit by all 404 requests. Our server went down because the attacker was requesting all invalid URLs, more than a thousand per minute. So what could have been done at that point of time?

All right, so I hope everybody understood the nature of what was happening there. So I think
what a team is referring to here is that there was a distributed denial of service attack that was targeted towards a specific website, and there was a broker, a web application firewall, Sucuri, that was not, am I correct that they were not filtering at all, or were they making a whole bunch of different 400 status code bad requests, or do you know what that is?

All right, so they were not able to filter it, because one IP was not used more than five to six times and the attack was happening from a whole range of IPs, so they could not identify that it is a DDoS attack. So if the URL is valid, they would deliver the page from their server and the request will not reach our servers. But if the URL is not valid, then Sucuri does not know, they are not able to deliver the web page from their server, and they come to our server to request that web page. And as hitting more and more invalid URLs, our server got, and it actually went down.

Yeah, that’s exactly the nature of a malformed request for a distributed denial of resource. So the question is, how do you prevent that? Sucuri is a web application firewall with limited DDoS protection. I don’t think it has any runtime self-protection. I know it doesn’t have any bot protection or attack analytics that come with it; it’s mostly for the web application firewall. So my suggestion would probably be, again, without knowing the exact case, to look into a really strong reverse proxy system that will make sure that Sucuri is not the reverse proxy but one that is quote-unquote stronger is in place of that. One of the ones that is most popular amongst the high-volume sites is Incapsula, very, very popular. There’s Imperva. And by the way, these types of systems, they will fail for a little while. Usually when all of a sudden you get flooded with traffic, either targeted or not targeted, the mitigation time can be anywhere between 1 and 10 seconds, and if your server is on the higher end, you pay for
that. If you want a universal DDoS protection that’s taking one second to mitigate, you pay for those services. You know, I think Incapsula is like a three-second mitigation time. But once you start going higher than that, and this may be what you’re facing a seam is that the server is just in a position where it cannot do anything with the requests that are being filtered through. So essentially the time for mitigation at the DDoS level is not fast enough, and probably not getting the right DDoS protection; it’s only getting web application firewall protection. Oh my God, I need a beer after that one. Okay, yeah, did that make sense?

I understood what you are saying, and I’ll just tell you what we did. What we did is that our server was fetching, was sending the information to Sucuri, and we actually put Cloudflare in front of Sucuri as well. So the browser was accessing the request to Cloudflare for DDoS protection, then it comes to Sucuri, and then it comes to our server. What do you think of that?

Are you paying for Cloudflare or are you using

No, no, it’s the free one.

The free one. The free one actually does it fairly well. It doesn’t block all of the attacks; you can actually read what attacks it does block for the mitigation. And for what it’s worth, they recently made it unmetered mitigation, so it used to be they only limited for a certain time, but now their free plan lets you keep on going. So I would think the Bible Your solution will work, because what Cloudflare really is, it is a reverse proxy. It’s not a CDN, it is a reverse proxy, so you’re inserting a reverse proxy into it. I would be shocked if that 20, if you’re willing to pay the twenty dollars per month for the Pro plan with Cloudflare, you can completely eliminate Sucuri, unless you need their, you know, fixing, right, when they fix the hacked websites. But you may be able to move fully over to the Pro Cloudflare and not
only worry about the DDoS side of things but take advantage of everything else that comes with it. I mean, I’m not just talking about the web application firewall and the DDoS mitigation, but you get some special SSL certificates, you get, you know, web piece, or you get a lot out of their plan. But it’s more at the professional level, right? This is not for a simple blog or a simple brochure site.

Okay, so another advantage which I’ve seen with Sucuri is that it understands WordPress pretty well, so it blocks all the different APIs, XML-RPC, all these kind of things, wp-config, all these kind of things is inbuilt, taken care of by Sucuri. But that advantage is not available with Cloudflare as far as I have seen.

No, they are available under Cloudflare. In the network-level architecture they have a WordPress, so what you’re looking for is a cloud provider that has WordPress-specific rules, which is that web application firewall that knows about WordPress and, more importantly, knows about its current plugins that came out yesterday. Cloudflare, I think I had mentioned briefly, Incapsula, Cloudflare, Wordfence, those particular systems are constantly, constantly being updated. WebARX is also something being constantly updated, but they’re not at that same level. And by the way, the other nice thing about the downside is that Sucuri has a really beautiful dashboard, as you notice, right? It tells you a lot of information. You will not get that same kind of reporting out of Cloudflare, security reporting.

Thanks a lot, David, thank you.

Yeah, yeah. All right, anyone else with questions? Hmm, nope. All right, so does anybody want to start their own VPS now, after, it’s a constant maintaining type of thing you need to do. You can now buy these VPSes and you can take them to places like Cloudways and RunCloud and GridPane, and they will do all the maintenance of those servers for you, and most of them do a really
exceptional job of setting up all those little bells and whistles that I just mentioned. So yeah, so let me ask a question here: does anybody have any questions, anything? Because, you know, now I’m getting into the home stretch here, and I want to make sure that if, you know, I didn’t really spend a lot of time on two-factor authentication and spend a lot of time on plugins. Is there any other questions that people feel like they maybe didn’t get answered in the previous presentation or in this one? Doug Doyle.

Yes, thank you. So I maybe, I might have asked this in the previous presentation too, but now it’s surfacing again after seeing all this information. So with somebody like GridPane or RunCloud or any of those that you just mentioned, and using the firewalls that they provide, the just quick-click turn-on stuff like, say, ModSec or 6G or whatever, soon to be 7G, is there any issue or any thoughts of interference between those and running additional measures like Cloudflare or the like?

To see me right now, I’m laughing here. Yes, there is, there are issues with that. I’m trying to think of an easy way to answer this. So most, if not all, of those providers that I mentioned there, the RunCloud, the Cloudways and the GridPane, they know how to configure their servers to work properly when they see traffic coming through Cloudflare. If you were to set up your own service, I mean, if you just went in there and started copying and pasting command line stuff into your brand new server, and you keep online back and forth and you configure things, and then you add your Let’s Encrypt onto that, type of stuff like that, you may then start having hassles with Cloudflare. But otherwise, with most of those configured ones, I can’t say that I’ve used RunCloud a lot, so I can’t answer for all of them, but I have not seen any of those professional products that did not work with Cloudflare properly.

Okay, thank you.

Yeah, I think I even briefly mentioned that if you do have problems, I think I 
didn’t say it that way: whitelist your Cloudflare IP addresses. Like, you have to go into the highest level firewall that you have running and tell it that Cloudflare is cool to go, and then it eliminates most of the problems.

Cool, thanks.

Yeah, and then not just for Cloudflare but Incapsula, they all provide the public, they put out the list of their IP addresses so that you can whitelist them. Yeah, oh, you know what, allow list. I’m gonna start saying allow list. All right, Aseem is next.

I’m sorry, I’m asking too many questions, but I guess the slides are over, right, so I can ask now?

Go for it, yeah, yeah.

Okay, so as you just mentioned that we should not, we should try not to have our own VPS, have you ever tried a package by Bitnami? Normally we use that to host on our own VPS. Any feedback on that? Bitnami plus Automattic has a package which they provide on Amazon or maybe GCP or even DigitalOcean.

Yep. So for people that don’t know what we’re referring to here, is that a number of these cloud providers, Microsoft Azure, Google Cloud services, DigitalOcean, Vultr, Amazon Web Services, they have these one-click deploy a whole server functionality. So with one click you can actually get a whole server running, with the security, with the firewall, with the speed, with everything, with WordPress running, one click, for 5.95. And Bitnami is one of the most popular ones out there, B-I-T-N-A-M-I, Bitnami. It’s kind of like a pre-configured, ready-to-go, one-click WordPress install. It works really, really, really, really well. You have to still keep it updated, so what that means is you have to go in there every once in a while, and I think they’re running under Ubuntu, you got to do an apt update, an apt upgrade, you have to make sure the server, if it needs to be restarted, you have to make sure that it’s, so restart the down, you have to do all those types of updates. Right, that makes sense, that way for... So Bitnami, great start, you have to still do all 
those maintenance things that I had just shown over those last three slides. So after this, I’ve seen one other thing, if I can mention one. I have a pet peeve about the name, Bitnami, is that the servers it creates for you, the default username is bitnami. All right, all right, that is, I just, that just rubs me the wrong way, that they took their own username and they escalated all the privileges, and everybody out in the world knows that that username exists with escalated privileges. It’s just not, I don’t like it.

Makes sense. Okay, another question. In one of the slides you mentioned about the basic authentication for the admin pages and login pages, so you mentioned that we should not have a basic authentication. I think, I am assuming you are talking about the .htaccess, the Apache password, the Apache ID password.

That is correct, that’s exactly it. So that was the... go ahead.

Yeah, so if not to use the basic authentication, then what type of authentication would you suggest for it?

So if you are the only user, or somebody that you truly, truly trust, you can use basic auth, because you have very, very few people signing in. If you have more than one user, or you don’t want to use basic auth, then you want to use a two-factor authentication of some type. Usually the timed one password ones are the most effective, but there are other types of other things that you can use. Captcha is a popular one. Matter of fact, if you’re using Cloudflare, I think you mentioned using Cloudflare, Cloudflare has something in it called Challenge and JS Challenge. Yeah, you’ve probably seen JS Challenge. You can set JS Challenge to your wp-admin directory and ain’t no one getting through unless they know what they’re doing, right? You know what I mean by that. So that’s the other ways around it, but it’s still some sort of additional authentication besides the username and password.

Okay.

And by the way, the downside, for everybody here, the downside to multi-factor 
authentication, the two-factor authentication, is learning how it works, number one, and then number two is convincing others to use it, that it’s easy to use. You know, I have a number of people that are reluctant to use it, you know, and they just, that’s hard, it’s another step, I gotta do this, I gotta pull out my phone now and get a little...

That’s a very fair point. It’s very hard to convince clients to use that, it’s very hard.

Did you have another question, Aseem? I think you were about to get on to something else.

No, no, that’s fine, thank you.

All right, anyone else? Oh, come on, there has to be more. You got a question?

Yeah, hi David. What do you think about the plug-in WP Cerber, as far as using it on the WordPress sites? Do you feel it’s secure? I’m familiar with some of the other ones you brought up, but when I researched the other ones on security, I for some reason end up going up WP Cerber and have liked it. It does require some setup, some configuration, but it does a lot of what you’ve recommended in your slides.

Now, you’re talking about WP C-E-R-B-E-R, correct?

Cerber, yes, that is correct, but the C.

Got it, yes. So they’ve been around for a long, long, long time. I happen to like that they have a good pricing, but, you know, it’s like a one-time kind of pricing. BulletProof Security Pro is less expensive and has more functionality, and that’s why I recommended it. It was that simple.

Okay, good enough, thank you.

Yeah, the downside, by the way, to BulletProof Security Pro is its interface is, you know, it’s like, you know, 1979 DOS has come back to haunt you.

All right, thank you.

lawyers got a question.

Hi. So is the free Cloudflare, which it sounds like is what you recommend for free, is it a WAF?

So it is not a web application firewall unless you pay for their Pro version, which is twenty dollars per month. It’s the pricier of the web application firewalls that are out there. Additionally, that five dollar APO feature that they have, which provides a little bit more 
one-click security is the way to call it, one-click optimization, that also does not include the web application firewall. All right, I don’t see anyone else with questions. You know, I just, I’m really sorry, never mind, I love all things. I’ll get to Doug in a second here. I was gonna say, you know, Cloudflare provides a heck of a lot of other functionality besides just that security aspect of things, and I think that is easily, that’s why they can easily get away with charging 20 per month and getting it from a large, large number of companies. All right, Doug Noyles got a question.

Okay, yeah, what was my question? Oh, so just a point blank, in your opinion, if you are going to use, I think you made the comment about you can get away with using one of the cheaper hosts and using one of the either the free Cloudflare or the five dollar Cloudflare or whatever on top of it, you can get yourself into a pretty good secure situation, and I was just wanting to get reminded of that. What do you mean by cheaper hosting? Because if you’re gonna pay what, eight to twelve dollars a month for cheap hosting, and then you’re gonna add five dollars onto it, you’re into the 13 to 15 realm, then you’re running into getting into managed hosting anyway, you might as well jump to 20 bucks a month. So I was trying to have that debate in my head, so I thought I’d ask that question, if that makes sense. Is that clear as mud?

It is so super clear. So yeah, you know, I actually, it is really, really clear, because this becomes now, where do you start spending your dollars the wisest, right? You know what I mean?

Exactly.

Could you just ignore it all and just go for a WP Engine or Kinsta 30 minimum plan, or should you start splitting it up and whatnot? So, you know, let’s see, for instance, I was just extremely impressed how I was able to take a 3.95 plan and add five dollars to it and have it test really, really well in Austria. I’ve never seen that before. And it was secure also when I remotely tested it, and so 
that’s why I was impressed with that new APO functionality that Cloudflare has. I also see it as a, it’s kind of like an optimization and partial security one. You literally install, you set up Cloudflare, you install a plug-in, you flip one switch, and it does all the work. So I happen to appreciate things that do things that easily. I don’t know if that’s partially answering your question. You know, to a large extent there is a, you know, I’d rather pay for a lot, a lot of, to a large extent, for a really good activity logger, you know, like a WP audit log or something like that, like the professional version, that gives me all the information about who really did get through. Or my real security concern sometimes comes from within: who the heck added, you know, who the heck just all of a sudden added that plug-in there? You know, I really didn’t get into this whole idea about, you know, limiting automatic updating, right? There’s this whole realm of what you can put into your wp-config fire, to, you know, the file, to prevent internal security side. So in some cases it’s worthwhile spending money on that security. So for my personal and my small and one medium-sized customer, I have my own servers that are running on something called Centmin Mod. It’s a variation, it’s a whole setup of Linux that provides all the functionality, and very, very easy, and all the high security, and without Cloudflare we’ll do it at speeds that are comparable if not faster than the best, like the Kinsta, the Wordfence and stuff like that. But here’s the big but: in the end I still have to turn Cloudflare on, and in the end I have to still, I have to do all those updates. You know, yesterday was November 1st, and that’s my first of the month, it’s time to hunker down and update all the people I have on maintenance plan, all the websites, all the plugins, check it out, do all the backups, update the servers. It’s like, so it doesn’t get rid of the time that it takes to do that for me, right?

You can do that all 
in one day? Wow.

No, I didn’t say that, did I?

That’s the way I took it.

No, no, the worst, the worst part, you know, I was gonna say the worst part is I have two servers that are out there that are honeypots, that are sitting there with, like, they’re broken, and I’m hoping that somebody’s gonna hack on them or something like that kind of thing. And every once in a while I’m like, oh, I should go update that server. I’m like, no, don’t update that server, that’s the purpose of it, that’s her being out there, don’t update it, let somebody bring it down.

Cool, thank you.

Yeah, anyone else?

Oh, who was the 3.99 service you chose to test with, sir?

Say that again? Hetzner. Hetzner is a service that is out of Europe. They have servers that are looking lots of other different locations, and they’re cheap and easy to sign up for, and yeah, and I can be anonymous with them also, so I didn’t have to worry about, all of a sudden, if the server did come crashing down then I would get in trouble. But of course, you know, listen, it was definitely one of those, like, you can pay 3.95 cents a month for the first three months, it was one of those plans, right?

Wow.

Anything else? So anything we didn’t, you know, it’s kind of funny, we didn’t talk about security plug-ins that much. Any questions about those? I think I mentioned, I’ll keep on saying, there’s no 100 most complete security plug-in. I also mentioned that you can get away with having one security plug-in on your site, which is a two-factor authentication, a multi-factor authentication. That’s the minimal low-hanging fruit, as long as you have those backups and good practices and great hosts and stuff like that. So let me talk about things that you can pay attention to. The security glossary: there’s so much in this world of security and so many codes and acronyms, and this one thing from WP White Security is really extensive, really good, and they actually update it, which is kind of impressive, not just as, like, new things are 
coming out, but expanding all the knowledge that’s there. There is a database called WPScan Vulnerability Database. It is free for you to sign up on it, and they have a very, very interesting monthly newsletter. Interesting is the wrong word, totally the wrong word: a very, very geeky security, once a month, WordPress-specific newsletter that goes out, and you can actually scroll through the list and say, gosh dang it, I was using that plug-in and now it’s on this other website, blah blah blah. So at the very bottom here it says Think Like a Hacker podcast. This is from the folks over at Wordfence. They do a really nice outreach job. Every Wednesday morning at 9 a.m. Pacific time they have something called office hours, where you can actually join them on their YouTube channel and ask them any type of security question. I’ve seen the range, beginner to them actually finding a brand new exploit during the Wednesday of YouTube session. So things to pay attention to, there’s a lot of other things.

So listen, everybody, thank you again, thank you, thank you, thank you. I really hope I didn’t cause too many headaches with this second part two presentation. I really do hope that you go back and replay it; hopefully it’ll make more sense as time is going on. If you think that you need to do any types of improvements that you haven’t taken care of, that I had mentioned before, with the backups, multi-factor authentication, maybe take a moment and start looking into how to get those security headers in there, see how far you can take the web page test from going from a very typical D up into an A+, even if you can do that one. So here’s my contact information. Thank you for letting me do this with you guys. There will be this presentation that is being recorded on the website within the next week, week and a half. The slides will also be up there, but you can always shoot me an email and um
