Guide to WordPress Security Part One

I’m going to give you a highly opinionated view of security especially when it comes down to plugin recommendations and things to do I’ve been doing security at the i.t level as well as servers and WordPress for a number of years so I’m only going to have a couple of recommendations for certain things it doesn’t mean that it doesn’t mean that there’s not going to be other options available I’m not a I’m actually not a big fan of adding plugins to a site especially willy nilly so the ones that I will mention would be pretty judicious you know every plugin you add into WordPress just requires more resources no matter what it is it can be lightweight but it still had resources so the it’s also going to be a pretty in-depth presentation I hope I don’t overwhelm you it’s going to be simple things will be touched on a few times over and then it’ll be more complex over time I really do hope that you’ll stick around even if it goes over your head because I’ll throw in a couple of things later on that may be helpful some resources or tools to use and as doug had said raise your hand when there’s questions I have very specific times that are ideal for answering questions but don’t be concerned if it gets overhead here so you know security has a lot of things a lot of different levels it’s a doozy it’s not the most straightforward thing it really isn’t the you know there’s there’s topics that people usually bring up what plugin should I be using and then you know what do I do if I’ve been hacked and you know all these other types of things that just come up and I want to make sure I cover the majority of it and I think from a lot of these meetups especially for people that are going to play this in the future I want to cover some of the basics so I’m going to go through terms two-factor authentication whether it is brute force how people actually get in and if you need to elaborate on some of those items again just just simply ask so why is it important I feel like I should be that’s a silly one so security is is one of these things that is ridiculously important on multiple levels not only in the WordPress realm or internet realm I don’t you know sight lock is a major security firm and they recently said that every single small business website is attacked about 44 times per day you know that it’s it’s 152 million times a week of some type of attack and it’s one of those things we just you know you read in the news all the time there was this whole big thing recently about garmin having ransomware where everybody was wearing one of these garmin watches or garmin gps got locked out and and a lot of these things are just active from hackers and a lot of these things are just bots that are out there and the important thing is just making sure that you know what getting into and what your level is so let me tell you about who I am a little bit I’ve been using computers for way too long I think my my bald head may show my my age I was very very heavy on Mac and today I’m primarily linux and a little bit of windows based I still have a Mac when I saw Mac back in 1984 I jumped right into it and a number of people actually ran into software that I had participated in most notably stuff there’s any old-time Mac people here you’re like oh my god I remember that and I’ve since gone on to start a bunch of other companies but WordPress is something that I visit every single day in some capacity the you know I do a lot of it work I am strange and that I maintain my own servers so a little bit later on in this presentation I’ll be getting into some of that you know more technical I t side of things so WordPress secure not secure so WordPress itself it gets hacked by by people on a regular basis even you know it’s it’s it’s an easy target it is literally you know what they say it’s 37 right now in august of 2020 37 of all websites are running WordPress and you know it’s it’s safe it is secure inherently but the fact of the matter is that whether it’s secure or not really depends on you I mean it depends on the website on how far you take it and security is is risk reduction it’s not risk elimination there’s I I’m of the belief that there’s no perfect secure system out there that’s not hackable I mean maybe not hackable through technology but maybe through social engineering like we heard in the you know that july 2020 twitter attacks that was mostly social engineering with people so I think the key is just how far do you want to do it how far do you want to take it and and whether you get into the aspect of I can only do so much there’s so much common sense that comes in with security and and I would just don’t do this stuff just because other people are doing it they’re just like oh my god I got to do this because everyone is saying I have to do this because you may end up finding yourself into a position where it is it’s untenable for you to maintain and that could be trouble down the road so hacks for websites specifically usually come down to a very very few things you’ll hear a lot of the technical terms you’ll hear about brute force and you’ll hear cross-site scripting and security headers and all this other stuff but when when you get right down to it it comes down to problems with the software and you know that can be old versions of stuff it could be third-party integration stuff that you’re tying into these brute force attacks and something also known as spray attacks are usually people just for hammering onto a website and eventually they break straight through hopefully they don’t and then there’s access control you giving up your passwords administrators getting compromised something along those lines and then social engineering I briefly briefly mentioned it that’s like what got twitter just recently phishing attacks you know by emails people clicking on these links and getting sent to other places vishing is becoming quite popular nowadays with the covid thing going on those are you know where people are making voice phone calls to people and trying to trick you into into things but WordPress itself tends to have some very very specific what they call attack vectors or attack surfaces or places where people can get in and I think that a lot of that comes down to how do you go about making sure that you minimize those attack vectors there’s there’s a couple of them that really really stand out this is a slide from the folks over at word fence from early 2019 and I found this really fascinating that plug-ins were listed as number one by far you know talking about over half of the compromised WordPress sites that they obviously saw and I’m you know I don’t know if you know word fence has I believe around 30 million installations so they’re seeing a good portion of what’s going on so as you can see right off the bat right at the top plug-ins and and themes when you have themes into it these are two things that need to be updated frequently it adds up and then the core so right off the bat when you add these things into here you’re looking at almost three-quarters of all the attacks that will be levied onto WordPress are coming out from those particular items so I’m breaking this presentation down into a number of different levels I’ll have basic and then some more advanced and then eventually we’ll start getting into college level and masters and doctorate level and see how far we can actually take it here so let me just go through the basics and I think a lot of you probably heard these things before but it’s never a bad thing to hear them again and and one of the big things is you can never have enough backups and older backups as well just don’t necessarily feel that you’re that your backup just because you have a current one does not necessarily mean the end-all be-all it could easily be that your site was quote-unquote hacked months ago and it’s been sitting dormant this little malware and you may have to go back to what was a couple of months ago and a good host a good host should keep backups for you but make sure that you download them you know it’s worthwhile to keep your own WordPress themes plugins up to date that’s a doozy that is you know I i I have that on the vast vast majority of my clients when I sign into their websites and I see this big you know the the big red orange number that’s hovering there and I i just shuddered I think oh my gosh is this already has somebody already compromised this and a lot of them just also leave plug-ins just they detach them and they just leave them sit there and sometimes they don’t even update them now I thought it’s not turned on but why should I bother updating strong passwords I just pray that everybody’s using strong passwords and I wanna strong passwords statistically are better the longer they are you don’t necessarily have to have a lot of complexity numbers symbols all these other things but the longer our password is the less likely it is to to be able to be attacked and definitely you know have everybody that you know also don’t use the basic passwords don’t use the the one two three four five six don’t use the word password or now people like okay so I shouldn’t use the word password so I’m gonna put an exclamation point and the number one at the end of it but password you know and yeah I think that’s also one of those things just not for you but as many people as I can possibly educate on passwords I just do it all the time and there’s by the way I don’t know if anybody heard of something called password day I think it’s the beginning of may kind of like this annual little event that comes up in my calendar and says all right time to change passwords I do it on computers as well my wife does it you know my mom and dad will do it as well two factor authentication I’ll touch on that in great great detail in a little bit that is the where you’re relying on not only your password which you know you will always have for everything but also on something that you have in your possession that you prove to the system that it’s not just the password that you have it’s something that you actually physically have with a cell phone yeah and this last one on this slide here make sure your site’s in SSL it used to be such an old thing to say you know you always have to have SSL I think that nowadays if you do not have a host that automatically provides SSL certificates tls certificates and provides them for free something is wrong you don’t have a good web host and you may want to start looking for others now that does not necessarily mean that you don’t have issues with what’s called mixed content you may still have some images or some other items that are on your site that will have the SSL not showing up properly but that’s slightly a different thing just make sure you have that basis and try not to use a functionality to get that you know don’t use a plugin to get that kind of functionality the earlier you start your website security better off you are it’s a building block and I you know I can go on and on and on about website hosts cheap I want to point out sheep does not mean crappy uh I i wouldn’t necessarily recommend the the you know the $2.95 plan to sign on but you need to have a general sense where your responsibilities are where their responsibilities are whether begins where it ends good hosts should have their own security they should keep stable versions of software they should be backing up for you on a regular basis they should tell you ideally what they do for free when you look at their sites you know what they charge for same way and also some great great you know there’s a couple of great great hosts that are out there actually say exactly what they will do for security so I need to talk about pirated plugins don’t use them don’t use them I’ve actually seen one being used in the past two months I can’t believe you know Elementor pro is not that ridiculously expensive don’t go to a free website and download Elementor pro it’s you don’t know what you’re getting and and I briefly said this also how much time and effort do you want to put into this you know you can only go so far and sometimes you do some of these basics here and you’ve accomplished a huge portion of it you know having backups updating WordPress and themes plug-ins having two-factor authentication and you’ve remediated easily a good huge portion of it so this idea of updating things is going to become easier in about two weeks time on on august 11 2020 what they’re expecting the ship version 5.5 of WordPress and later versions will also have an auto updating feature and that auto updating feature is not going to be as simple as wow my WordPress has it now I’m all safe it does require a little bit of an extra step for you to go in and actually say these are the plugins that I want updated so it is very very easy to update WordPress names and plugins I would suggest that you go back to that whole idea about having a backup first before you do your updates there are some people that use a plugin called wp rollback I personally I love making sure that I will update as many plug-ins and WordPress itself on staging sites on development sites seeing if it works well especially some of the commerce sites that I work on you know I’ll visit a little visual regression and visit the pages make sure they look good filling up fill in a form try to make a purchase and then I’ll do it on the live site just gives you an extra little point of safety on me so did I mention backups yeah yeah yeah all right two-factor authentication a lot of people are actually using this right now but I think a lot of people don’t really know what it is and how it gets implemented onto WordPress it is a mechanism to stop easy assignments to your backend now if you’re using if you have people who are buying through Woocommerce or easy digital downloads sometimes they will have access to your back end but you you may not want to have that two-factor authentication turned on for everybody I would suggest that you’re starting with two-factor authentication that you definitely do do that essentially it’s an additional login feature it is where it relies on something that you know together with something that is in your possession so this is something that you know is your password your username and password something in your possession would be a mobile phone as an example I think a lot of people have seen it in banks you know before you sign on to a bank you have to enter your username enter your password says we’re going to send you a limited time code to your mobile phone please enter this item that’s a two-factor authentication anytime you use something that has multiple factors not just two but multiple factor authentication because there’s other ways of doing this you’ll be way ahead of the game you’ll you’re going to do an easy job of keeping what are mostly humans off of your site with ease and a lot of the bots that are out there won’t be able to get through those back ends through your backing they may be able to do it through a plugin that is dangerous but otherwise it’s not going to be something that they’re going to be able to get into easily a couple months ago march 2020 microsoft publicly stated at the rsa security conference that the the number they used was 99.97 of their customers that got compromised were not using multi-factor authentication so to give you an idea that is a crazy I mean listen they’re hosting I think in upwards of 30 billion accounts they have a huge number of accounts so these numbers you know when you when you hear that in one month they had you know 1.2 million accounts compromised oh my god 1.2 million accounts compromised that’s just because of the sheer number of things they have but the thing is that 99.97 according to them in march of 2020 were compromised by people who did not have multi-factor authentication I think that’s such a huge huge argument for it setting it up is not always the easiest thing and that I think is what keeps people away from it it does take multiple steps to get it installed it’s not just the getting the plugin onto the website and configuring it you do have to have a two-factor authentication application running you then have to go through the process of entering your username and password verifying it and then ideally you should do a log out and log back in a lot of these two factor authentication systems have backup codes because you want to be able to utilize them just in case for some reason you don’t have those at hand and two-factor authentication is a free process you do not have to pay for a WordPress security plugin to allow this to happen these on the screen here are just a handful of the free options that are there and there are more these are the three that I have actually personally used I I want to point out that the one that the first one that one that’s pulled by plugging contributors does also allow for two-factor authentication via sms text messages as well as for emails so it’s a nice little thing where you go to sign on you enter your username and password says please check your email box not every plugin will do that for you the one that’s listed here third that WordPress in security that is not the word defense primary plugin that is a very specific free minimal ads I might add plugin that the word friends people supply that only does two-factor authentication and these three things should be these are I call these minimal viable plug-ins if you’re not doing two-factor authentication just get started with then you probably yeah all the plugins do this it’s not just these these I just want to present the free options so basics cover some of the basics how about questions so far so our first question’s from dean hey good evening thanks david and thanks for stuff it used to love that on two-factor authentication I mean I understand the mechanics of it and how important it is but yet for those of us that are always into the same website it’s a pain in the neck too because it’s one more thing to keep track of and to enter and to have to go pull up your phone when you just want to use your keys you know keyboard and stuff so is there maybe an equivalent sort of a plugin or ability or or an approach that might be ip based if you are at home or at the office having a fixed ip and you can use that to at least provide one channel into your website that is that’s not quite so cumbersome to get to yeah good question I will actually touch a little bit more on that allow list and deny list for ips that is something that most people with most web hosts can actually implement themselves the key with that is for people that don’t understand what this means an ip addresses the address of usually one one internet connection at a home sometimes multiple computers out of business and it signifies the access that can or cannot be provided through to a website you can actually allow or deny ip access to servers as well as to WordPress itself another option to potentially use is something called basic auth b-a-s-i-c-a-u-t-h some people call it ht password and that’s what I actually use and what that does it takes a little bit of a setup not that hard and what that actually does is that will put an a special additional username and password in front of your back end where people will not have any access to it period it’s actually one of the harder things to attack it was vulnerable a number of years ago but it’s very very difficult to get through so I think those two items are safe on the first one I just hope your ip doesn’t change right if you’re on certain internet providers that will change your ip address and there’s a number of internet providers even in you know in and outside the united states that provide what are called dynamic ips where you may never know what your ip is at any time you may have to be a little knowledgeable about the former yeah but even just for what it’s worth if the ip is is changing and most people at home do not have a static ip it changes infrequently and so that would be like doing two-factor authentication once a month or once every six months or something so yeah but thanks appreciate it yeah no problem I have for what it’s worth I don’t know why but every time I unplug my comcast net connection I get a new ip address I’m not complaining but I just you know comcast likes that I guess all right our next question comes from doug neuel hey guys hope you’re all having fun david thanks for doing this nice to hear your voice again with regards to two-factor authentication you touched on word fence’s focused plugin for 2fa are you suggesting that that is a better solution than the 2fa that comes in their free security plugin good question I think that no matter what you do want to have something that provides two-factor authentication if a lot of people who put that word friends the primary word friends plugin and install it actually don’t configure its most valuable feature which is the the firewall you have to take extra steps to configure the firewall and so I don’t think there’s a downside necessarily to using it other than the heftiness that you may have I have suggestions for people that use word friends like turn off the logging a logging of everything there are other things you can do but I think my main point here is use some type of two-factor authentication for a long long time I think you were using itheme security as well as I was and that provided two-factor authentication but there was a certain heaviness that came with that gotcha thank you okay our next question is from lee yang that is actually marcus in this room so I had a question we recently did a new setup and one of the plugins that came installed by default was the loganizer and I understand that in their pro version they include two-factor authentication would that be worth considering as an option in your opinion like combined with other like login security that they offer no I i did not catch the name of that particular plugin it’s a login izer oh loginizer yes yeah there’s no reason not to use it I wouldn’t use multiple ones that’s something you would want to stay away from so for for example if you did have word fence at some point installed the security installed or web arcs or you know fill in the name of another one just make sure you’re only using one two-factor authentication functionality thanks and this is lee I have a additional question and so on WordPress they suggested to have the child theme and the one builder of the website I’m wondering and currently we have a staging the staging for the word press then we still need the child team to pray to prevent one team is upgrade and then we lost the original it’s a customized team I am unsure if I understood your question there I’m just wondering it’s the currently is I have the child theme and also we have the staging staging like website yes yes yeah current website I’m just wondering if we have the staging we need to have the child team and yeah when you launch one one the theme is upgrade and the front one way for purchase the theme and why it’ll automatically upgrade if it’s a way of the staging website can we just don’t build the child don’t don’t don’t need the child team I i think that by far you want to keep as much parity as possible between any type of local development you might do and your staging site and your live site so if for some reason you have a child theme that is on your that’s different on your development site that’s on your your live site you’re going to want to make sure that they have parity right they’re the same things at some point child themes inherently need a manual update by you it’s the primary themes that will often be updated by the providers it’s a real bummer by the way it’s a real bummer when you don’t have the parody meaning that it’s not the same thing on your staging site versus your live site and then going backwards also you know if you want to take your live site move it to staging you just want to make sure that it is as picture perfect as the main site sometimes that even includes the amount of disk space or amount of memory that word presses and things like that okay okay thank you okay sir anyone with questions all right I think you’re good to go excellent brute force attacks we hear them all the time I’m not sure if people understand them and and also what is coming what’s what’s now popular is a lot of what are called spray attacks are becoming more and more popular so the idea of a brute force attack against a server and or against a WordPress site is essentially a trial and error method where password and user combinations are just done over and over and over and over and over until one is one is successful and when that one is successful it gets in they’re almost always coming from automated tools botnets they’re usually not coming from people but there have been brute force attacks that have been levied by actual people the these automated tools that people are using they just have these massive lists of usernames and passwords and and it says you know it says here that they’re random usernames and passwords it’s not random for the most part they you know people know that on some site that I’ve had in the past one of my user names was probably had the word david in it all right now there are already five letters into my username that’s not a random thing that’s something that somebody can figure out now what about do I have an administrator account do I have one called admin do I have one called test admin do I have you know these types of usernames and then passwords there is a long list of frequently used passwords that are readily available I believe that there’s actually a list that’s 37 million usernames and past username and passwords that are readily out there and people have sorted them out and know which ones to actually plug into their bots and control so brute force attacks are not just against WordPress I think I mentioned also against servers but a lot of people don’t recognize as well that brute force attacks can be against your host control panel login it doesn’t have to be against the actual server itself it can be attacking your other logins that you have if you are using my PHPAdmin for looking at your database and if it has a separate login then that is another attack vector for for doing this and I mentioned spray attacks it’s not on this slide here spray attack in case people don’t know it is where these bots will hit a lot of websites one after another for another using very few commonly used passwords so they will look at a particular hosted shared hosting server they’ll see on this particular host there’s 70 particular websites that are on this one small server and what they’ll do is they’ll just spray the exact same username and spray the exact same password and hope that one of them will hit one of those 70. and you don’t actually see these attacks coming through because you only get hit once or twice with these things they’re not really brute force attempts but close enough very very common and microsoft announced that the vast majority of their compromises which I would imagine is true for amazon and google as well apple are spray attacks backups I I’m gonna I feel like this is gonna become a running joke here I’m gonna keep on talking about backups over and over and over restoring backups let’s touch on this for a second I i don’t know yeah I’ve been paying close attention to security for a not exaggerating available down over 4 000 servers and 56 000 workstations were all locked out and it ends up that their backups were not easy to come by and it’s a questionable whether they actually paid somebody to to actually do that but the the the ransomware people asked for 10 million dollars and I personally wouldn’t be surprised if a security firm in the seychelles or the bahamas that was under the employ of garmin actually probably put forth that money because it got restored very very quickly processes can take a long long time to restore big big big companies I think was a 2017 maersk the huge shipping company you see a lot of those huge container ships that are out there they got hit massively brought down also for them tens of thousands of servers and hundreds of thousands of workstations it ends up that no one there had actually tried to test their ability to restore any of their backups they had backups not at every level within the company these are distributed companies but the core core backups no one actually tried to see if that would actually work so this third item down there at some point check to make sure that your actual backup is able to be restored it’s I would easily argue that the restore is more important than the actual backup itself and there’s a three two one rule of backups that’s been around for for decades three different versions or copies of your data having them on two different forms of media it can be one that you download on your computer another one you put onto time machine on a remote drive onto a network attached storage and one of them is off-site I personally do computer backups onto external drives and I send them to my brother and he does the same so I know that in the event of an earthquake here in the pacific northwest united states my dad will be I was about to say safe no he’s in san jose california it won’t be safe there either but at least it’s off site right it’s somewhere else so yeah backups backups backups all right so WordPress now has this thing it was provided for a while in a plugin and it is now a built-in it’s it is something that you can find easily in a dashboard by default in your main WordPress dashboard but if you don’t see it in your dashboard for whatever reason you go to tools and then site health and it lists a number of things there mostly performance issues but it also does some security things and actually I think there’s even a crossover on on some of these being both performance and security PHP warnings for example older versions of PHP like for example PHP version 5.6 which is commonly deployed still to this day on a lot of websites it is not only non-performant but it does have security issues so it’s a combination but when you actually go into this health feature you can actually run it and all do a reasonable job of keeping what what I probably call you know the continuation of 101 for the basics of of knowing how your particular site is running the one thing on here that I would always want to make sure that anybody ever sees it where you see anything it says potentially public files if you see that warning pay attention to that one sometimes it may be simple files that are exposed that are no big deal like readme’s and sometimes it could be a bad configurations bad configurations all right so there are the basics let’s go up a step plug and use I told you how much I try to keep minimum plugins keeping minimal plug-ins not only is a good best practice just from a coding standpoint and functionality standpoint but it provides also a level of less attack vectors every single plugin that’s out there has administrator access so since most of the WordPress hacks involve the plugin keeping the fewer is the better user names these are attack names all the time changing these especially that test admin one may be a little touchy on some hosts there are some web hosts that provide one click login you actually go into their their control panel and you say click the button that says log into my site and a number of them are actually dependent on one of these usernames being there if it does require one of these usernames it may be time to find a new host cloud flare or true firewall I’ll touch on that a little bit later on but these are actually things that will cloudflare is a reverse proxy it kind of hides things from you and provides a little bit of firewall protection at the same time and then a firewall just keeps things away expired and premium plug-ins oh my gosh okay so if you’ve been using a premium plugin a paid plugin or theme and you are no longer paying that annual fee they will quite often not only not auto update but they will also show up as being up to date in your system sometimes the functionality is still there you’ll be using it you’ll say why do I have to pay for the upgrades well you never know necessarily that they did a security fix you were not subscribed to that service any longer and next thing you know you do have a hole in there so pay a little bit of extra attention to those types of plugins and this whole thing about mixed content warnings this is that you know you have on top of in your in your address bar in a browser it will actually tell you that you’re not secure every every single browser nowadays does that it’s kind of like a basic thing more beyond the basics password keepers one password lastpass is popular bit warden if you don’t trust others to host you can actually host your own bit warden the nice thing about using password keepers is it encourages you to keep better passwords they will generate passwords for you they will save passwords for you they can do long ones and complex ones and the other thing about them is that you don’t have to remember a whole bunch of passwords or new patterns sometimes it’s the patterns that will get to you if you have a a particular password that is such as medium box over time you might be tempted to to change that password to medium dashbox and then it becomes medium box one and next thing you know you’re like oh I know that password so now let me go on to my bank and when I set up a new account over there I’m gonna make it medium box exclamation point two and sadly if one of those gets compromised it’s a house of cards potentially software I briefly mentioned is is out there a lot of it is pirated they called it nulled getting stuff off of the WordPress repository is considered to be safe there’s so many reputable reputable developers out there look for highly rated theme forest stuff if you need to if you if you happen to see any type of thing that is too good to be true not necessarily a sale from the actual provider but like wait wait this does not look like the actual true astra pro then you know stay away limiting access if someone else is going to maintain your site for you create a new user don’t give them your password limit their access it gives you an ability down the road to actually cut it off for every time I sign on with somebody new and start working with them I always feel and I think I get the impression that they’re always a little weirded out when I’m like okay before I get in there and make a backup and set up a new user and give me a password just in case you need to cut me down the road and I’m just wondering if oh what are they thinking this is just good security practices I can’t mention backups backups backups and another beyond the basic thing not that hard to do actually is to limit failed attempts this is this is that brute force type of thing it ideally should be dealt with by your host or a cloud firewall or all the other types of remediation but you can be done with the plugin yeah easily can be done with the plugin so moving up a level a little bit beyond the basics things I hope that everybody catches I’m gonna while you guys are raising your hands for questions I’m just gonna go back to these slides so you can see what they were all right doug newell’s first hey what did you say about theme forest I didn’t catch that I was saying that theme forest I would consider that the the vast vast vast majority of the stuff that’s there is a trusted source so I often tell people only take plugins from reputable developers and from the WordPress repository but people who are on and evaluated decently by you on theme forest I would consider that to be a trusted source okay thank you all right alicia is next hello this is really fascinating one of the things that perturbs me about WordPress is if you haven’t put your excuse me if you haven’t put your name your first and last name in and you write a blog post it’s authored with your user id and the whole world could see half of the login is there a way to have that not be default or something or say you can’t publish this post until you give us a real name [Music] all right I’m going to give you a little bit of a long answer for that okay there is a safety into making sure that you do you do not use your administrator login whenever possible there’s a strong wisdom into creating a having a a clean administrator account and then creating an editor account or a contributor account or author account for you and logging in that way that’s one thing the there is throughout WordPress even so that may not be exposed publicly and ability to what’s called it’s called user enumeration you can actually walk through a website and start seeing what people authored what pages and quite often you can actually see oh this is user number two this is user number three this is user and and their name as well and I don’t think it’s thinking that far out to be able to say well if this particular person’s name is patrick moves that maybe his username is patrick m or p moves and that makes a little bit easier for these bots to be able to get in through that user enumeration it is possible to do things to stop user enumeration boy that was one long ass answer okay I just want to make sure let’s make sure I got that was clear what I’m seeing is the past the user id not the person’s name I’m seeing your actual user id is the author on the publicly facing yeah that depends on how the site is actually configured and how it’s displayed okay and so what I’m finding is that if the author didn’t go into their user profile and actually put their first and last name in those fields they will always get their their user id used as default and I just think that’s like really silly and we’re pressed to not actually have a safeguard for that yeah I have not seen anywhere that any other anything that I have run into plugin wise that forced you to have that information in a regular user account most e-commerce solutions uh in particular Woocommerce easy digital downloads they do force the users to have a certain number of names in their system that comes over to WordPress okay right maybe maybe you should write a plugin [Laughter] if I could just add something there’s a when you edit a user there’s an option display I think it’s display name publicly as or nickname or something like that where you can change it so by default I think it’ll it depends on your theme but it’ll try to use the first and last name if there’s nothing there then that’s why I was talking about well those fields are blank until you have the first and last name and most people don’t yeah so if you if if that doesn’t exist then it’ll try to use the username because there’s no other thing to use but if you don’t want to use either of those you can actually put a custom name in there it’s yeah if you just edit your user account you should see there’s like a drop down you can change it yeah so it again it depends on your theme but I think most decent themes will use that nickname or whatever it’s called as long as you remember to do it yeah that’s look that’s the point it’s like most people don’t so yeah so what I have some of my clients actually they wanted to appear as by administrator but you know I don’t want them to have administrator as the username so we use that as the nickname so you know they can put their first and last name or you know they can use the different actual username but it shows up as administrator okay all right so our next question is from larry yeah I’m you’re probably gonna get to this but haven’t yet so I’m a little surprised and I’m gonna ask a question security plug-ins and you know which one you recommend and preferably free I know there’s at least three kind of big ones out there and in particular I’m interested in limiting logins but you know for general first just as you’re a basic security plugin what do you recommend so I will get to that I i may sound a little schizophrenic when I get closer to that because I don’t have one clear recommendation it’s for me WordPress security plugins are not an easy one fits all type of approach especially on the free side so in a little bit I have a couple of slides in there that will talk about the features that are available and I can speak a little authoritatively towards which ones which plug-ins have those features but I’ve only seen I’ve only seen one clear premium plugin that has almost all the features and then and another one that has the vast vast last majority but those sadly are paid so ask again if I don’t answer the question in in a little while okay all right thanks all right no problem okay and then we’ve got rob rob tanner I have this feeling it’s something you’re gonna cover in a few minutes or 20 minutes or whatever anyway on I originally was running a site for a religious group and I’ve had word word fence to provide security and I’ve recently taken on another client and the previous administrator there is arguing that they preferred secure I he said they used word word fence before and it loaded the site down and they had compromises from it and I think it was misconfigured WordPress word word bench I can’t even I can’t get the word ward fence excuse me sorry about that stunt twister oh yeah yeah it is okay can you uh speak different between secure I and word fence in their free versions I would say that word fence is a little bit better in its paid version I would say security is a little bit better mostly because they provide a a better reverse proxy firewall that they have so I you know it’s well also one of these it’s hard to know what features they’re looking for there’s also this whole idea about just appeasing the boss with one it sounds terrible but you know if they want to run this particular plugin if it’s the free one then the their feature sets are so so close that it may not be problematic yeah because one thing I like about word fence you mean getting that right is it will scan my site and tell me issues the secure eye does not as far as I can see do actually secure I that’s that’s one of the most common security does do that and as a matter of fact a number of other security plug-ins that are out there actually use the secure eye scanning functionality I’m of the belief that also in the very very early days word fence even used a variant of the secure eye scanning I could be wrong on that but okay I would trust them both for scanning no question about it because my impression was that secure I was mostly based on a server on a on the network somewhere rather than on your host correct yes even in their free version but their premium version is almost all about the cloud and there are some advantages to doing that no question about it that’s one of the reasons I said in there that’s why I was briefly saying in the paid version I would probably say security is a little bit better on that end of things the protection have fat protection will happen in the cloud before it happens near your WordPress site because I like the fact that word fence I’ve been deliberate there so I don’t say it wrong a word fence would let me know I have misconfigured PHP files and things like that that I don’t here I can find I know exactly what you’re talking about there yeah again that’s that free versus paid thing you know okay all right well thank you yeah no worries thanks for coming all right are we ready for more brains to start hurting I think that’s all so larry I think your hand is still up from before unless you have a new question okay all right you’re good to go david all right SSL mixed content for people that are not familiar with it is that little green lock icon that will appear on browser since 2018 all these browsers are now actually going out of their way to say you’re not protected the the bummer is that you may find that the this thing called mixed content where you just have some old data quite often that is also that’s only using http colon slash not https that sometimes can just throw a wrench into it and then you start having that lock icon not showing up properly there are scanners that are available to be able to find that there’s also plugins that are out there that will fix quote unquote fix this for you I do not recommend using them long term I think it’s much much better that you actually find where the problems are and fix them if for some reason these things are not obvious to be fixed show up at one of the help desks that are out there online and other people maybe they’ll find it for you and give you a really good idea for where to go it may just be in your database that somebody’s going to have to crawl into to try to fix that I think to a large extent that patch that you will do with a plugin doesn’t it it helps but it’s not necessarily the ideal solution so we were we were briefly touching on this whole idea about how to get the good plugins and I mentioned themeforest and WordPress repository but how do you find the right ones I mean like how does it come down to actually doing this on the right hand side of this slide here I have here just some of the most common things that I look for when was it updated how often is it being updated also I’ve seen sometimes where the update was three weeks ago but it was not updated for the past nine months and I was like oh that’s interesting did it need to be updated possibly or is is is there was there a need for a patch just was there a frequency issue quite often when you go into the WordPress repository it may say to you that this plugin this theme was not verified with the most recent version of WordPress that’s not always problematic because quite often WordPress has features security features that will update itself so when you see somebody tested with 5.4 and then next thing you know it’s 5.4.1 and then 5.4.2 they may have only tested with one older version looking at the ratings and and understanding the ratings not playing this what what I call the amazon.com game you know like you know you read five star reviews they read the one star reviews and then you’re good to go kind of thing it’s like you know you know how it’s like sometimes wait it’s all five stars it doesn’t seem possible is that right kind of thing but question why that may be maybe maybe they really do have something really really good behind them there and and maybe when you start reading those two star reviews you start finding out that the people who are complaining about it have other reasons that complaining about it and you know is the author out there answering questions about it when those things come up that’s another big big thing sheer number of installations goes a long way however quite often it is not showing you the most recent things there’s a a plugin that I will sometimes use called ppp a profile or plugin that has not been updated and I’m going to guess seven years a number of installations show an old old number and it still does things that I occasionally needed to do so number of installations are old it’s not true and correct and you know what’s not on here also is the person who’s writing this do they even have a a privacy policy on their own website do they state terms of service at all it kind of ups the game if you start seeing people who pay attention to oh better yet you know do they have on their website a physical address in their terms of service you know you know when you get to their contact pages they’re you know having having an address actually lends credibility to a WordPress plugin and then the same kind of things go this is just when checking the repository similar types of things you want to employ with premium plugins and premium themes it’s it’s a it’s a good thing to to start doing those things so all right moving up moving up 301 hope everyone is doing well here getting better two-factor authentication quite often limited by bosses by customers it’s too hard to do it’s really in my way it’s a pain for everybody to use it at the least at the least if you can’t convince somebody else that it’s a great thing at the least enforce it for administrators if it’s a pain in the butt for regular users enforce it for all the administrators administrator accounts I mentioned briefly a little bit harder to guess I don’t want to have an administrator account that has the word david in it that’s not going to be helpful my last name is not going to be helpful this principle of least privileged if you haven’t heard this before not everybody needs administrator privileges that’s a common thing for people that are new to WordPress oh I have somebody who’s going to work on my website they’re only going to be doing blog posts but ah what the heck I’ll just give them administrator access because that’s what I have and the principle of least privileged is just you know not everybody needs to have these privileges just give somebody the least possible user role the least possible privilege that you can do and I i also put in here this idea of creating a new administrator disabling the other one that’s so if people who do bots that do this looking for user number one if it’s not set up or what alicia was talking about potentially with user numbers user number one is really easy to go after and quite often it has the username at some point of administrator and easy easy to get through there’s also outside of the regular plugin aspect and when you go and you look at installed plug-ins at the very very top you’ll see where it’ll say all plug-ins active plug-ins disabled plug-ins and then it says drop-in plug-ins and must use plug-ins it is worthwhile for you to check in with what those are and consider whether they need to be there why they are there and if quite often those will be updated by your host it is also an issue with these must use plugins and drop-in plugins that if you move from one web host to another a lot of this migration software will automatically bring over those plugins and you will actually find that you are on bluehost and it was running this endurance page cache and you installed it on grid pane and next thing you know my site’s not up and it was because this little hidden drop-in plugin that godaddy put in there and it’s yeah so pay attention to those I’ll refine those a little bit there keeping two-factor authentication codes away from your password keeper for a long long time I was using my own password keeper and I would start like using lastpass and I would all of a sudden scan my my two-factor authentication codes into this and it was pointed out by by somebody who I really really trust for for security that that is how he lost bitcoin somebody actually got a hold of his one password they got into his account they went through a two-factor authentication because they had everything and that was it he lost tens of thousands of dollars and what he started doing because now all of a sudden he’s super paranoid that he kept everything in one bucket he actually started using a cheapo disconnected from the cloud phone in his pocket that’s how that’s how paranoid he has since become however it’s actually a really good practice it’s called air gapped you don’t have to go that far but keeping it out of your main password keeper has a as a victory there allow lists we were talking before about that with the the ip addresses having them so on this this these ips are the only ones that are allowed to get in something that I’ve gotten bitten by is this wp config file I i have actually before I get into a brand new site I duplicate that file I start editing the file and next thing you know I have a file sitting on the I used to have a file sitting there that was called wp config.original or wpconfig.orig right like like and wow those things that that’s easy attack vectors for bots it ends up that bots look for that kind of stuff I won’t make that mistake again hiding a WordPress version not necessarily going to get you that that far but it doesn’t hurt if you’re trying to get the next step there again these are just things that are kind of like getting a little bit further trying to refine you hiding a WordPress version is quite often useful if there is a WordPress security urgent fix and you are not able to deploy it quickly to a live site having that version hidden will actually keep a lot of the bots guessing as to what version of WordPress you’re using however the good ones the good bus that’s a terrible word good bots the ones that are out there can actually figure out ways around that to find out if you’re problematic or not so all right getting tougher 301 I hope this is good hope people are getting something here I think this goes up to 601 by the way if we have the time I don’t see any questions yet all right all right it’s a big filtration system it’s it’s what it is hey people ask me all the time what’s a firewall what are you gonna do with the firewall it’s just like it’s it’s just something that sifts data and categorizes incoming and quite often outgoing internet traffic based on a set of rules the think of it as a traffic cop if you if you are not familiar with it and you know it’s it’s something that’s just going to be sitting in between a big filtering filtration system and and it’s important to recognize that firewalls are kind of like layers of an onion they’re layered there’s different things they have to peel off different it can happen at one level versus another level then there’s web application firewall it’s just boy this is where security starts getting a little hairy here so there are firewalls before WordPress and then the next slide will talk about firewalls that are within WordPress or just before just before so firewalls that are before WordPress are quite often that the big big boys at the amazons they actually have hardware firewalls that are running that keep out that filter out traffic infrastructure based crazy huge there’s dns level firewalls I employ that regularly cloudflare I adore cloudflare except when they go down I think vast majority of the internet went down recently because cloudflare went down too much too much in one bucket I guess is a potential problem there but there are other things besides cloudflare that are out there that’s dns level firewalls they’re actually they provide what’s called a reverse proxy which looks like it’s a content delivery network a cdn but actually isn’t then at servers or network levels there’s other firewalls that are run quite often people will you’ll hear people talking about all these like ip tables and csf and lpw failed to ban and mod security and 6g now that’s a 7g from jeffstar and all these types of things those are sitting at the actual servers themselves that is ideally where you want to try to have all of your security deployment you ideally want to have it all at an infrastructure level at a dns level and at a network or firewall level if you can cover the vast majority of your stuff at those levels you actually do not you do not need to have a WordPress plugin running with potentially the exception of a two-factor authentication and maybe something that will disable something called xmlrpc that’s literally about it you can take care of the the vast vast vast vast majority of it however not the easiest thing to set up you know if you if you don’t like cloudflare you go with encapsula and then all of a sudden it’s like oh my god I mean this is all gibberish to me I don’t know what I’m doing here and you know there’s there’s a provider out there that provides 6g or mod security as two different options and you flip one on and everything is going hey look at this it’s all protected it seems like it’s protected and you turn on mod security which is better and also everything’s not working you have to just know what you’re doing in these cases there so ultimate firewalls there’s other things that will actually happen there’s also web server configuration files I think I prefer these are like generally the modifying of htaccess files or dot com files for nginx that’s where you restrict access at a level this is that idea of banning or allowing ip addresses to come through that will actually happen at the web server htaccess files dot h t a c c e s s or dot c o n f if you’re running nginx or your host is running nginx and those actually you can actually get into with most web hosts and then there’s the firewalls that are within WordPress or or just right before WordPress they’re actually taking place in your PHP what’s executing WordPress they’re technically called application player firewalls that’s what they’re referred to as some people call them web application firewalls however over time wafs have been a little hybrid and a little confusing so I will just say yes yeah they’re often referred to as web application firewalls this is something that word fence as an example provides web application firewall something that security provides is actually a one level up from that they actually have the firewall in the cloud before it gets to WordPress the the nice thing about the ones that will happen right before WordPress I think you know in wordfence specifically there’s a feature that you need to manually turn on you need to go and configure manually configure some files that will actually filter out WordPress stuff before it actually gets to WordPress it’ll do a lot of its filtering right up right beforehand and then these WordPress specific rules are how things get played out WordPress secure I web arcs malcare is a very popular one these are these are really popular systems that maintain updated rules for what the exploits are word friends is probably the most popular one that’s out there every 30 days they will send you an update based on the rules that they have generated over the past 30 days for specific plugins or themes that have been exploited in some ways now if you pay for their premium service they will send you that rule set every single day so if a plugin went south the next day that particular site will now have be protected through a really interesting virtual patching that takes place where hopefully it’ll keep everything at day so hacks are not always obvious it’s not really clear to a lot of people how you know you’ve been hacked especially especially nowadays that people can hack websites and then they they just stay dormant they just don’t do anything they just sit there and they wait for a future date and then they become active so these are the ways that you would actually see things coming up out of nowhere you know quite often the most popular ones are defacements something changed in your website it said terrible language a lot of people start seeing things where all of a sudden emails my website’s sending these emails that I didn’t send and it’s asking for you to buy a viagra how did that happen well something somebody got into somewhere could be that they got your password for your email not necessarily a website but there’s not many things that you can know about quite often and sometimes you don’t want to find out too late google I am of the belief I think it’s around 10 000 sites 10 between 10 and 12 000 sites that they take down per day that they put on their denied list per day so to give you like that these of course are not necessarily hacked sites these can be sites that shouldn’t be out there or they don’t want to have indexed but the last thing you want to do is find out that your site has been suspended by your host where they say you can’t be running on our server you’ve got to move to another server and or you’ve been denied by google the this is another wonderful little slide that was provided by the word fence people this one goes back to 2019 early 2019 and I believe I wouldn’t be surprised if this is still correct if you notice the the third item down says seo spam seo spam is where people are putting in information into your site that’s redirecting and providing enhanced information to other sites they want to redirect you to a little bit different than a malicious redirect that’s just like when you get to a site and all of a sudden it just dropped you over somewhere else or you you visit your site and it looks good then you click on a link and all of a sudden it’s in a different site in a different language so that’s the nature of it now people were asking security plugins so I don’t want to deny this we’re getting on here so so the role of security plug-ins and I mentioned without hesitation for me is that if you can take care of your security before it gets to WordPress you are way ahead of the game a good deal of plug-ins you know I shouldn’t say this some of them provide false hope like I got to plug in there and it’s working because it keeps on telling me that I get brute force attacks and wow I keep on getting these notifications and that’s cool that means it’s working well maybe maybe not maybe it’s just giving you an update maybe it’s just notifying you that something’s going on a good plugin when you do your evaluations a good the role of a good security plugin should be future hope not the false hope that things that happened in the past so I’m going to flip through a couple of slides quickly here so you can hopefully look at the headings to give you a sense about what I want to touch on security plugins provide monitoring and reports they do alerts and notifications they do active security some of them do prevention and protection that’s the future hope stuff right and and some of them not all of them do these web application firewalls so backing up to monitoring monitoring is to a large extent that false hope it’s things that are this is not exclusively false hope but we’re just logging information we’re telling you what’s going on but you know all of a sudden you’re gonna get this thing saying oh my god file integrities have been violated these following things have been hacking your website and it’s already now too late this is just monitoring your your aspects here it’s it’s telling you what’s going on it’s alerting you to it now there are times that alerts are very very important you don’t want these alerts to end up in your mailbox and then even potentially worse to have your email provider shove it into your spam box and then you don’t see these things it doesn’t make a difference if these are incursions that have happened in the past or things that you need to deal with but I have listed here for people that are in the united states and I think a couple of our canadian friends here these are actual special email addresses that you can utilize that will send an email to your phone and you just plug it in as an email address it says notify what email address you plug in this email and that email will now come to your text messages and I do have a couple of sites that are configured that way where they will actually send an email directly to my sms text messages one of them I am sick and tired of getting notified by and then I start getting the next thing which is notification fatigue over time sometimes a lot of these alerts and notifications they just get to you it’s like all right enough enough and then you just don’t pay attention to them so that’s when you need to start paying attention to the next step up here what’s active they call it security hardening these are plugins that will start telling you [Music] that oh look at this this sub this plugin hasn’t been used in a long long time I can keep you away from these brute force repeated logins and limit the access to the logins I think we said that there are multiple plugins that provide that two-factor authentication even a couple of other login protections that are out there most notably a captcha type of protection that happens at a login then of course the whole idea is that you when you actually have a threat these active things will do something about it and if they do they usually have some type of firewall capability these firewalls managed web application firewalls are the ones that you will usually get notified by obviously are a WordPress plugin that we’re talking about here but they’ll provide other things they’ll do the allow list and block list monitoring deny lists they will allow you actually to restrict the ip address it’s another mechanism to restrict it but as the question came up before can I restrict my only let my own ip address in there preferably you do that at the server level you do that in ht access for apache or a conf file for nginx and this way you’re getting it before it even touches gets anywhere near WordPress and if you and and all these things at the bottom there a lot of these security plugins start providing it so web application firewalls these are very specific towards how cloud oriented ones work but do apply to a lot of the the local ones web arcs and word fence these do apply to as well takes the traffic looks at what’s going on dumps the traffic that shouldn’t be coming in and sends you the good traffic good traffic is determined by these firewalls they’re looking at a lot of different information to try to figure this out sometimes that when you have a compromise plugin that they know about that you don’t know about sometimes a lot of these plugins are compromised and occasionally cert the plugins become compromised and the author does not release a new version for a few days a lot these systems actually provide you with this virtual patching to actually get you protected before it’s publicly announced it’s one of the features that you pay for with a lot of these premium plugins and additionally a lot of the plugins that are out there that are premium provide you with cloud dashboards that is where you can actually log into their website you get this one interface that provides you if you have multiple sites hopefully you have at least a live site and a staging site at the minimum it’ll actually provide you with one way to be able to look them all over there they also provide an outside view into your website so when you visit your website it’s just not coming up it’s blank does that mean that that somebody hacked your website or is that just your internet connection or is that just maybe the you know the cookies or the cache that’s on your own browser sometimes you whip out your cell phone and you look at hey it’s looking good on my cell phone but not looking good on the desktop well something is up there but sometimes your site will completely go down it will be not available maybe your host maybe WordPress went south could be a number of reasons these cloud dashboards will actually do a little bit of that information to you and quite often they’ll actually tell you over time how often your site was actually up you don’t have to be using a security plugin to do these things manage wp main wp infinite wp those are all actually it’s wp manager I think those those also provide cloud dashboards for you so in the end I think the question I was asked is how do you pick them like oh my gosh there’s so many of them how do you pick them you you go with what your boss said you should you should do yeah all right so you try to get one that has a two-factor authentication you try to get the one that has the true firewall and most likely those are the ones you’re gonna have to pay for with the true firewalls there are a couple of them that are out there that provide a decent true firewall that you don’t have to pay for I think word fence is probably the most popular of all of those do the research based on your own ability to to know this this is interesting because quite often people are asking me well what do you what do you recommend what do you think should I get should I get this one or should I get this one and I’m like okay so how often are you going to be able to check in with this do you want to get a notification every month every week if something happens do you just want to set it and forget it do you not want to how much do you want to pay do you want to pay per month you know and that’s the kind of stuff that you have to start sizing up you know you know these things they all have prices attached to them and there’s varying prices you know I’ve seen it from seventy nine dollars per year up to thirty dollars per site per month cloudflare just to get in the door the cloudflare does have a free version but if you wanna get the really decent security with page rules with them it’s twenty dollars per domain per month and for a lot of people if you’re willing to pay thirty twenty dollars that is one of the you can actually probably easily get away with well depends on this nature of your site and how much traffic is getting but you would want to put on a 20 per month cloudflare paid account and have minimal plugins running so oh yeah choosing don’t don’t choose the 100 percent most complete security that they all say we got the fanciest and bestest security plugin that’s the most complete it has every feature that no one else has that that’s yeah I wouldn’t buy into that that’s a lot of hype but again do the research your own research and ideally don’t use multiple ones or you know don’t we use ones that duplicate functionality if you can help it right if you can help it so free ones this is the big thing free I want free I already put up this idea for the three potential free two-factor authentication options there is a plugin called disable xml rpc the next potential thing is that finding a a plugin if you want that will provide you with logging and notification sadly a lot of that is the false hope and and I want to give you a bad idea here false hope I mentioned before that you know small businesses 44 attacks per day it’s not that you’re gonna get 44 messages from them but every single site is getting attacked it’s just this the way it is so having the logging and notification that tells you that something was good doesn’t necessarily mean that you had effective security and the other two really interesting free plugins are there’s a couple of different options but these are the two that I’ve personal experience with that will limit login attempts it’s kind of that brute force elimination that takes place at the word fence level notification and logging is easy to find stream wp activity log is one bow care is another bulletproof security has been out for a long long time and there’s a lot so size them up see what your friends are using see what your support people are using what you know people who you trust what do you hear when you go into those online help desks all right so how are you doing there doug you doing okay yeah are you taking notes all right well which turn you’re talking I still go to you there all right what kind of questions do we have so another doug doug has a question yeah okay yeah I think I could take another hour with the volley of questions I’ve got now I looked through I didn’t see any other hands up so maybe I’ll see how fast I can get through these so going way back there you’re talking about your backup of the wp config file and I was curious what do you think about the practice of moving the wp config file out of the normal spot like to the root so it’s not normal okay good question I am very highly opinionated about this about this particular topic I i do not recommend moving the WordPress functionality around even to the extent of renaming your wp login.php file definitely not the wp admin moving out the wp config these are all potential for problems and if not an immediate problem with a theme or plugin that is not happy about that potential problems down the road should somebody have to inherit your site and to understand what happened now there is one notable exception to that there is a free piece of software that is out there from the people called roots roots dot io is their website and they provides a framework called the bedrock framework and the bedrock framework provides a much more modern approach to where WordPress should be storing its files and my own experience with that bedrock framework has been exceptional I don’t think however that it provides additional security okay so can I read into that based on your experience of grid pain that you do not condone the way they’re doing it grid pane two thumbs up because they’re doing it the right way because on their systems they’ve configured engine x to handle that perfectly okay all the stuff gets handled way beforehand but if you start doing that on a godaddy or a bluehost or even on a wp engine it’s potentially a recipe for disaster okay gotcha well that’s why I asked because of the grid paint connection there but okay great yeah now grid pain one of the most we’ve had this conversation before doug you and I it’s one of the best and most highly optimized WordPress stacks that are out there okay yeah cool can I ask another question go with it all right so with regards to security at the server end versus at a in a plugin I’m a little bit confused when we were talking about web application firewalls because I’ve always associated that with plugins but yet on my server I have the 6g or the modsec waff or whatnot were you hinting that you would be comfy comfortable with using the 6g or the mod stick at the server level in lieu of plugins forget and forget the the the second factor authentication so as far as word fence itheme security pro plugins are you saying you don’t need them if you’re going to use a 6g or a modsec waf on your server level I would confidently say 100 especially if you use cloudflare or encapsula properly at the dns level those two at the dns level combined with a 6g or a properly configured modsec eliminates the need for almost every single plugin no question about it okay that was cloud player or what was the other one in capsule okay it’s encapsula is it’s a competitor to cloudflare that provides similar types of functionality yeah okay reverse proxies is what those are called that’s like another server that sits between the internet and you I’m oversimplifying that’s what it is okay I see another hand up I’ll leave my hand up you can come back to me if there’s time all right all right mike noter yeah david do you have more presentation because my question is I can catch you another time is there more in your presentation because I hi mike sadly there is like another two hours worth so I’m only as far as I can go right we’re gonna see how far we go so you can always hit me up you know how to get me mike okay I’ll do it that way then thanks yeah and for anybody else that wants to reach out to me and my my email address is in the lower right feel free to to reach out to me okay larry is next yeah I’m gonna come back to the question I asked earlier and I guess I’m kind of you know I’m kind of thinking you know I don’t want to do a lot of this you know server level stuff and all these complicated things and firewalls and all that stuff but what I do want to do is you know try to reduce the brute force attacks and and just kind of install a general security plugin and there are three that seem to be the most popular that I’ve looked at before and I’m wondering if you would choose one of them kind of for that purpose a word fence all-in-one wp security and I themes or maybe you have another one instead I would of those three I would say word fence as long as it is properly configured one of the nicest things about word friends itself is there is safety in numbers there’s enough people out there who are using word fence that can probably help you should things go awry and additionally because they’re installed on over 30 million websites they are seeing a great great great deal of the word fence specific attack traffic that they know how to deal with things the the vast majority of keep on saying fast the craziest largest amount of of plugin vulnerabilities are found by them and securing so word fence would be my choice of those three okay all right thanks appreciate it okay alicia was that a joke that you had two hours more of this presentation are you you should you should know me by now alicia well can you do I can definitely do a part two I think the part two stuff will probably be much much more technical I’m trying to stay away from the technical stuff till later but let’s see how far we go today you know you don’t if listen this is being recorded and you can always touch back but yeah there’s other you know what how about this I’ll throw up a couple of slides and tease you for the next couple of stuff that we can talk about okay there’s a couple things I can skip like image security how about that yeah that’s a good idea yeah these are like security things that people aren’t thinking about quite often yeah somebody get a screenshot quick so I can move on the uh by the way copy write and copy left notices copy copyright notices people know what I copy lefts are things like creative commons this is you are allowed to use this image but you cannot use it for commercial purposes this image you are allowed to use but you cannot change that image this image you can use but you have to give me permission you know give give credit to who did it I work with a number of photographer sites and these are the these are the requests and it’s it’s interesting how security comes up for them as well another thing that I may not spend a lot of time on is the whole social oh boy I feel like now I’m going to breeze through this here in leisure social engineering this is this is the the way that you get in it’s you know if you if you’re targeted how about this it’s one thing to have botnets and spray attacks and brute force attacks is one thing but if somebody really wants to get in to whatever it is they want to get into your bank accounts let alone your website this is the way to go about doing it it is people just sharing too much information out there just on social media people can find out so much about you they can give a call in they do you know very very specific things that are like very specific to you spear phishing that just seemed like listen you know what don’t open up emails I’m saying this all time to people around me if it looks like if it’s in the spam folder if you didn’t request it it may look good don’t don’t open it don’t open up attachments how long we’ve been hearing this for use good anti-virus software on your local computer and for years and years and years people would say you don’t need an antivirus on the Mac you need anti-virus software on a Mac you do they’re you need something good on a windows machine you need something good on a linux machines there’s something called maldet clam av you need you need respectable antivirus to help out with these social engineering things as well so yeah social engineering by the way also is ransomware there’s this aspect to it of you know you you do a backup to an external drive you leave it connected to your computer next thing you know you get the phone call for somebody saying I have your keys and even you’re not even going to get into your external drive there is software that’s out there backup software that will prevent that from being locked out on I want to make some antivirus recommendations briefly on windows and on Mac there is a software called silence c-y-l-a-n-c-e silence unbelievably inexpensive for consumers unbelievably expensive for businesses it stops attacks dead dead stop on that and as far as backup software just disconnect your external drive after you’re done backing it up I leave them plugged in on my windows computers I’m on one m two of my servers and I use something that is called macrium m-a-c-r-i-u-m macrium and that actually protects my external drive so that no one would be able to get me from ransomware all right so clients I think a number of people here have clients that they’re doing sites for others and there are certain things that you can do to save them from themselves you know stopping them from uploading plugins is is one thing but that or sometimes if you don’t do it the right way you’re actually stopping the updates that can come through for the plugins or for the themes the other thing that I find that really gets to me with my clients is that I inherit websites from other people that need fixing sometimes and there’s no documentation for what came before and you know just do yourself the courtesy of documenting for yourself changes you made but also for people down the road and you can use these other things for for monitoring it so let’s see that was or three three or four oh going up there okay so I’m not going to spend a lot of time on these things other security things I want to touch on this one that’s on the second one down on the left trust signals by the way are showing your users that you cite is secure a lot of e-commerce sites will say protected by symantec this site is using a little like on the site this site is using SSL protection this site has been certified as being pci compliant those are trust signals that are actually just as important as the security themselves to have people know that you’re legit but that second one down that ecommerce security if you accept payment cards credit cards or venmo or paypal or these types of systems you need to be compliant to what is called pci dss a lot of people don’t think about that in terms of WordPress security but you need to do a lot of practices to make sure that credit cards that you see are being stored properly and that you do not save or store those little cvv2 you know those extra three digits or four digits on american express cards another big security consideration that I want to do say out loud is that second one down on the right is quite often there are people in our lives that really don’t know what security means and how much they need to pay attention to it and then what do you what do you you know you know don’t talk to strangers is what you say to to the to the three-year-old was there as they began to understand that concept but now later on don’t put up the tick tock videos right you know like so those are also other security concerns that I want to make sure that I i got a chance to at least spit out because I think that those are those those are potentially doozies you know all right okay doug ryder hey david just a quick question regarding e-commerce you mentioned that not storing credit cards on a website which I absolutely 100 agree with and so why would anyone do that because there are payment gateways that could handle the pci compliance so the vast majority of modern software does not store that data but there’s a lot of applications that have been used in the past i’d say even things going back only four years old that do store that data and sometimes people just are using these things I wouldn’t even call them legacy systems but they’re out there being used but that that that portion also there are people who you you give me a phone call and you say hey david I want to pay this bill for you here and I i take your credit card and then I type it into a form right and that form is ending up on the website and I put it into your c I put into my crm right where your name and your contact is and right off the bat I’ve now violated that pci compliance so it’s bad practice I mean it’s just a bad practice yeah just tokenize it like all major payment gateways do nowadays so okay but again that’s a lot of it comes down to just the individual saying I’ll just throw it into a form right yeah oh I’ll email it to you how about that one I’ll just email you my credit card yeah I’ve had that okay all right you ready for the brain to hurt bring it on all right moving on here this has a lot of info I’m not going to spend a lot of time on it and to a large extent I’m not going to spend a lot of time because I think it’s talking to a narrower group as we’re moving on so I’ll touch on only a few of these things I do want to point out that almost every single thing that you’re going to see in these next three slides are available for you to do or for your web host to do for you they just take a little bit of effort in some cases and some takes they keep a little bit of monumental effort to do the strong passwords there’s a way to enforce that if you have a commerce site that the thing called password apology manager boy they just got hacked a few weeks ago themselves like like the worst kind of hacked an elevated privilege hack that they had the but they’ve corrected it they actually corrected it before it was publicly announced these are things that will keep make sure that people have to have a certain length in their password they can’t reuse the password so that keeps history it has to use special characters it has to be over 12 characters long those types of things are actually really really useful especially on commerce sites this thing here about PHP versions the latest pa PHP version which is 7.4 which is actually what now the WordPress site health dashboard will actually say you should be using does not work does not play well I should say a lot of plug-ins do not play well with it right now I would recommend somebody using a 7.3 variant I think right now they’re up to 7.3.9 as of a few weeks ago this idea of aggressively limiting ip access is that actually you can lock out traffic ranges from large swaths of geographic regions something that you can actually do without that much difficulty with a lot of hosts you can do it easily with cloudflare and I think WordPress has some functionality about that for those who don’t know amazon deep glacier is a a place to store backups that costs you obscene pennies it’s unbelievable how cheap it is to store on an amazon deep glacier account unbelievable the downside is you pay a lot of money to get it out it’s kind of like this safe deposit box approach or even a physical safe deposit box right and you know this webmaster tools at the bottom here google has one called google search console bing has one called webmaster tools it’s actually kind of shocking how simple this stuff is that will actually you leverage their infrastructure to tell you the health of your website low-hanging fruit for that kind of stuff but one of the things you know doug brought up here this idea of changing the changing my wp config file a lot of people if it is even like I theme security will or one of our features we’re going to change your WordPress database prefix and we’re going to help you a lot of these things are called security through obscurity and I’ll tell you as a security professional obscuring security is not adding security it adds complexity not security and the large reason of that is all these bots that are out there know how to accommodate for it they just do email security is also something that should be considered at this nut at this level there are a number of plugins that you type in your smtp information that’s your smtp is outgoing authentication for emails you put this into a you put this into you just type it in and it stores it in plain text in a database in WordPress and then if your site gets hacked that means that your email can now be hacked and now it’s this falling you know like this little cascading effect here so I feel like we’re on a roller coaster we’re getting faster and faster here okay we got a couple questions alicia hi okay so this kind of one goes back to the storing of the credit cards now this is an unusual situation that a client I might be taking on they’ve got 25 years of client information on filemaker on their local machine 11 000 clients they’ve everything they’ve ever bought through their website which is 15 years old which is why we’re chained working on it it’s not even responsive it’s like the plugins it’s just waiting a ticking time bomb one of the things that I thought was really peculiar though is there’s it’s massage therapists and they’re like really not tech savvy so some of them like this like hard copy or email thing so when people sign up for one of their workshops you can do it online or there’s a pdf flyer or brochure that they download and then they fill it out with their credit card number and everything and either put it in the actual mail or email it back so that’s that where are we going that that seems to me a little bit not safe yeah and you know you’d be shocked by how popular that is it’s shocking I just I need you to tell me some shocking words that I can relate back shocking words to relate back I think you know this there’s so one thing is that you can potentially say to them that if we ever get reviewed or audited by our credit card company they are going to shut us down without any type of recourse we will then have to seek another credit card provider that’s one thing I think there’s a scare tactic towards that but that’s just the truth that it’s just the truth you know actually ever if you ever looked at the pci compliance for for online stuff it’s a doozy of a list technically from a lot of these companies when you go to paper without electronic you’re under a different set of circumstances okay you’re not you’re not under the pci dss standards which are digital standards but it can be argued if they downloaded the form it was an implied thing it actually says like there’s an option a button there’s a button that says download this form it’s like encouraged on the site you know the other thing you can do is is ask them to show you ask them to bring out their merchant card agreement that they got you know that stuff that’s in three point type and show you where in there it says that’s okay you know what I’m talking about those huge huge documents that are like you can hardly read because it’s in there show me where this is okay I don’t know so is there a way so you don’t know offhand how that violates the pp is it pbi at what point like one of the more glaringly obvious things in the whole you know process that I told you where it was all of it I i believe it also depends on how bad does the credit card company want to go after them right you know if if it’s if it’s the grange that is out in lewis county washington where they’re just getting together for pancake breakfasts they’re not going to get you know the company the credit card companies are going to go after the big fish you know what I mean okay yeah I should encourage them not to continue that I don’t know if I’m going to be able to convince them but at least I won’t be yeah you know ask them to write out their best practices for how they’re going to ensure that that eventually gets gets shredded yeah okay ah that’s a good one you know potentially list have them have a little thing on their website saying how we’re going to protect your credit card once we receive it but you know it depends on tech you know whatever okay all right doug newell okay I got a quick one so if topic is the website mailing out information so if we’re holding deacom and spf records in our smtp plugins which is probably what everybody’s doing to to not have to be subject to the standard PHP mailing stuff in a WordPress site right so we want successful emails coming out of our site notifying us what’s going on what are the alternatives if that’s bad what do you suggest so all right I’m going gonna give you a little bit of a longer answer here and hopefully I’m not gonna go that long so you can generically safely store smtp information in both functions.php your own plugin a custom made plugin as well as the wp config assuming that your files don’t get exposed that information is harder to get to than the database itself that’s number one number two is there are a number of plugins that are out there that actually don’t allow don’t have your password in plain text they very specifically don’t have it that way there’s another one that is another approach is to use a third party provider for email some people use mail grid or send grid especially especially for higher volume sites and those particular providers give you an api connection and don’t expose the username or password and you can cut that down you can cut that api at its knees when you need to it doesn’t expose a lot and if you use amazon something called ses on amazon which is what I use for most of my stuff they have what are called iambs where you can also very specifically limit it and you put that information into the wp config but I use a plugin for that actually I use something from delicious brands holy crap that was a weird answer I hope you got that yes thank you all right yeah and the other thing I’ll probably for people that use mail poet a male poet uses their servers for sending out emails if you use their service so that’s another mechanism potentially mail poets usually primarily used for newsletter or blog post emails but you can use it for transactional emails and it’ll go through their servers without you having to put in any of that information cool thank you all right we’re at 803 and I’m going to tell you what we’re gonna go through next time all right when we have another presentation I will touch on what to do if you’re hacked the steps to actually take and it’s actually only one step by the way it’s hire a professional no no there are things that you can do but it’s better to have somebody else handle it I will also in in a future thing I’ll get into the really advanced stuff this stuff goes on there’s a lot I talked about user enumeration and there’s other things that I promise you in the future I will cover I just don’t want to keep people going past what we said we were going to go past here but there are things you can do and now let’s bring up this here things to jot down things to pay attention to this is this is where I should end it here I’ll end it with leaving up this slide and answering some left hanger on our questions these are some great things to pay attention to if you were overwhelmed or didn’t understand some of these things I brought up that security glossary of wp white security and they by the way if they have their own plugin it’s one of the best security glossaries that are out there for explaining all the stuff and a couple of blogs that are out there think like a hacker podcast is done by the word fence people it is done once a week by them it’s usually fascinating if you’re a WordPress person all right guys thank you thank you thank you