Join our expert-led panel to strengthen your website security this holiday season and learn essential strategies to secure your WordPress websites. Discover the importance of security plugins like WP Activity Log, maintaining daily security practices, and selecting the right plugins that ensure compatibility. The panel also discusses avoiding plugin overload, the significance of regular updates, and proactive steps to prevent vulnerabilities.
...three months at this point. We develop a number of plugins, mostly related to WordPress security and management. Our biggest plugin is WP Activity Log; it's the most well-known. Before Melapress I had different roles, mostly systems administration, so that's my background. I love literature, so I eventually moved into writing.

What's the turn now? Me? Me? Okay. So I'm Mr Angulo. I have been working as a security analyst at Sucuri until 2023, and then I started at Patchstack, which is a company that works towards making the world more secure, just trying to identify, control and inform, give information about vulnerabilities in WordPress. So at this moment I'm working in the security department as the data and research lead, making all the tools for identifying, storing and making all the users aware about these vulnerabilities.

Go ahead, Eric. Are you muted? This kind of comment is normal in this new fully remote society, right? Do you hear me? You're muted. Maybe you can go for Milana. Present yourself.

One or two things? First I would tell them it's not enough, but if that's the most you can do, I would say secure your passwords and enable two-factor authentication for a start, and make sure your website is using SSL. Okay, I'll stop there, if it's only two things.

Sure. So, not to repeat what Milana said, which I agree with 100%, those definitely should be done. Keep everything up to date, definitely, that's one thing. And session management: look at the active sessions on your WordPress website, make sure that there are no multiple people logging in with the same account from different countries. That could be a sign of fraud, especially if you have an e-commerce website; that's very, very important. And activity monitoring: keep a log of what's happening, so whatever happens you can always refer back to understand what happened, when and by whom.

I don't hear if there is any question. Yeah, actually I didn't get the question, I was in the middle of my troubleshooting. Milana, can you repeat the question? Because I can't hear the question. Or someone. Yeah, okay, so give me a second.

Sure. Mine's a real easy one: install Imunify360. Yeah, that one's quite simple. It's a great way to pay a little bit of money and get some security software out of it that can basically make sure that you don't have to put effort into doing the security every day on your system. The second thing I would do is make backups. If you have a backup plan and you've got it remotely, not all is lost.

Sorry, I wasn't here for the question, so I just had to refresh, you know, F5. Absolutely, I'll check the cables. Well, I think it was mentioned before, but I'm a huge fan of getting everything updated, so one of the things should be that one, definitely. And the other one will be, I don't know, there are too many, but maybe just installing a security plugin; that will help a lot, because there are a lot of aspects we have to take into account. So I would say those things: everything updated and install a good security plugin. That's all.

Sure. So as you mentioned previously, look at last updated, look at the reviews, if there is feedback go through it, see what other users are complaining about. If it's possible at all, depending on how mission critical the website is, have a staging environment. A lot of hosting providers are offering that now, which comes in the package, so it's very easy to maintain it; you don't need an extra server or anything like that. If it is there, use it: get the plugin, install it, see if it plays nice with all the other plugins that you have, and once that's fine you can roll it out to live.

Well, the very first thing I would do is run it through VirusTotal, just to see if anybody else has anything that they're complaining about, before I even go any step further in my research process. That's the first thing I would do.

Yeah, I mean, taking for example our reputation is also interesting. In WordPress you can check their reputation in the plugins repository, also checking, Googling about that. But the main key points to check, as mentioned by Eric: I will pass it through VirusTotal, but also I will check how many stars it has, if they have been active in the support forum, and also if the code has been updated. Those are more or less the key points about that. I'm not going to get into the comparison of which of the plugins is best or not, that is something different, but at least you might know that the development team behind the plugin is active.

Well, first I would like to add, for the first question: I often see people, when they start thinking about security, then they get paranoid and then they install all the plugins that they find. Please don't do that. Please first assess what you need and then see exactly what each plugin is offering. And before even choosing the plugin, I would say, someone said in chat and I tend to agree, everything you can do on server level, do it there, and then the things you cannot do there, if your hosting provider doesn't allow it, then look for the plugin. And all that people said, like see the reviews and how many issues they have resolved and all of that, that would apply. But first research what it is that you need and which plugin has the most of that. Don't install 16 security plugins because this one is doing this and that one is doing that. They will clash, they will break your website, they will impact your performance, and all the other different issues. So please give it some time and do the real research; don't just read two blog posts, "these are the best, I will install all", and that's it.

Now WP-CLI can help. I have just published an article about security and using WP-CLI at wordpress.org. So WP-CLI can help a lot specifically in this area, with verifying if the plugin files that you have are actually the real files from wordpress.org; you can verify files for core and plugins and themes. You can also do a lot of stuff with user management; this is also very important for security. You can see the updates, you can update plugins and core and themes, and you should do it regularly, especially for security patches. And many other things, I can't recall all of them, it's just a lot. You can profile your website, you can see how it behaves and what the performance is, and there is a doctor command that you can use for many things. So you should stop me, because I can talk about WP-CLI for weeks.

Right, thanks. No, because every time I'm typing or something like that I just make annoying noises. Yeah, it's a tricky question because it depends on the audience, right? If you are not an expert, how can you tell if the hosting provider is taking security seriously? So I will say that in the very moment you get into the hosting, if they provide recommendations about strong passwords, second-factor identification, if you see that they apply TLS/SSL by default, if they apply some minor, not minor, but details about security like, for example, disabling the wp-config file, or they talk about database security, these kinds of things are good marks for realizing if the hosting provider is taking security very seriously. The thing is, probably all hosting providers out there will tell you that they are leaders in everything, but also in security, that they are the most secure hosting out there. So the thing is how you can tell from there. So in the moment you get onboarded, if you see these kinds of details and these marks, probably they are at least taking it seriously.

Well, it's also a bit of a niche group. I mean, it's different from keeping customers' business systems and client systems safe; it's finding the very specialized malware that likes to live inside of a WordPress JavaScript file, that's very popular. So we have a very good malware scanner that's really fast and hooked into the Linux kernel. It reads every single file as it would get written and then batches it up to immediately run every new file that touches the file system through the malware scanner, and it immediately knows that this is a good file or this is known to be sus. And so we're going to do what we normally would plan to do, which is automatically remediate, so that the administrator can go in and un-remediate if necessary, which is very seldom. But for the most part the default action is to clean up the nasty file, because we know what it looks like, and get the customer website safe and never ever have a downtime outage with it. Yes, that's what it's doing for Cloudways right now.

Yes, I would recommend scanning every day. I scan every week. It's super important, before you find out you're in the lucrative secondhand Rolex industry, you know. You can take care of this yourself instead of somebody coming to you and saying, "I didn't know y'all were selling Rolexes this week."

Well, I would say again spend some time there, research, ask questions. There is some person, like an entry point, to answer the questions; ask questions, Google what does that mean. But also for me as a developer, when I want to host a website that is WordPress, first of all I want WP-CLI there and I want some kind of GitHub integration. I want hosting that doesn't give me any file manager on the hosting, so you cannot access it any other way other than through your GitHub. That means a lot and that says a lot about accessing those files on the server.

To build on what everyone said, which are very valid points: check their socials, see what people are complaining about and if they are responding. Socials tend to be not restricted; if it's on their blog they can restrict it, but if it's on social they can't. And check how easy it is to get in touch with them, so if something happens, can you reasonably get in touch with them very fast to fix any issues that you might have? Check their knowledge base; if they have a chat system, if they have a telephone, try to give them a call. How easy is it to get through? Do you have to wait five minutes or five hours? Because ultimately no system is 100%, so you need to make sure that if something happens you can fix it quick.

Yeah, the thing is, for the sake of the audience, I don't know how technical they are and so on, but the thing is we have to separate two parts that are important in security, right: the before and the after. So the before getting any kind of infection or any kind of malware in is all the proactive measures we have available to avoid attackers getting into our website or accessing sensitive information. And then we have the after: so if the worst scenario comes in, then you have tools for cleaning up, like for example Imunify360 or Sucuri, these kinds of malware scanners and so on. So from my point of view, one of the things I wanted also to enforce from you all is that the support from the hosting company is super important as well, because they can solve more or less 80% of any security issue directly, right away, in the support system. So I just wanted to clarify this, because we have been jumping into different things related with hosting, but it would be interesting to bridge that: some of the measures that hosting can provide for avoiding being attacked or being hacked, and then, when you get hacked, if the hosting provider has solutions or at least a support forum, a responsive support channel.

The main one from my point of view is that WooCommerce has payments, right? So one of the things that you have to pay special attention to is the payments process: that you comply with the new regulations, that you also take care about the communication with the payment process, and also how you store information in your website. So those are the main key points related with WooCommerce or e-commerce places using WordPress. With the new regulations that are coming in Europe it will be even more, not important, it will be more enforced. So the thing is, mostly all the e-commerce websites are very vulnerable to being hacked but also to getting fined by these regulatory authorities. So you can check, for example, there is a website called enforcementtracker.com, I think, something like that. There you can see a lot of cases of companies, e-commerce, big companies and small companies, that have been fined because they didn't follow all the GDPR rules in this case. So for me that's the main thing to get into when you are into e-commerce using WordPress.

Yeah, sure. So keep in mind that everything that applies to WordPress applies to e-commerce. So what Milana said: enforce strong passwords, offer 2FA to your customers, make sure they are using strong passwords as much as possible. One thing that maybe is more important on WooCommerce sites, or e-commerce sites rather, is fraud. That's something that you need to be on the lookout for; it is a form of security as well. So monitoring user activity and keeping logs, so that, for example, there are cases where someone makes an order, it ships out, and then they will go in and they will change their address. So you need a record of what changes happened and where, that you can always refer to, to ultimately protect yourself.

Sorry, I get really excited and I don't want to talk over somebody, so I mute a lot. Sorry about that. The first thing I would always recommend is just keep updated everything that you can without breaking the website: WordPress core files, PHP versions, Apache versions, mod_ssl, everything in your stack that you can. And that goes on top of the actual core, which would be the plugins for WordPress itself and the themes, everything that can get updated to just the safest version that we know is out there. So having that in a very good situation. And then block known bad actors. If you know you don't do business in a certain region, you're not real popular in Hong Kong or Cuba, just don't waste the resources on those bots. Go ahead and add those to your list of bad actors and don't waste the time; you'll get back those resources for valid customers.

Well, I don't have much experience with e-commerce, but there is one thing that comes to mind. You have a lot of users and their data, and because you're a good owner you're doing regular backups. So the first thing that comes to mind: you don't want to lose money, so if something happened, when you restore that backup, are you sure it's a working backup? Are you testing that? Also, when you are restoring, are you sure you have the correct data? Maybe some users deleted their data in between. So how regularly are you doing backups and what data do you have there? First and foremost, is the backup working? When you restore, is your shop going to work or break? How is that going to mess with the orders and all the other info that you have in there? So maybe something to keep in mind.

Yeah, I have a lot of experience about that. I mean, when I was working at Sucuri, it's an incident response system, you know, hacked sites: "oh no, yeah, I have a backup", "okay, yes, send it to us", and it's corrupted or something like that. Yeah, it happens. [Laughter]

Well, okay, so regular backups, and different forms of backups: you want your backup, you want your database, but you also want your files. Regularly scan the changes on the files; you can do it with WP-CLI, and you can use some more serious tool from the server, but you can do it every single second with WP-CLI, so do it. Another thing: regularly update your core, your themes, your plugins. Be careful about compatibility, so first update plugins and themes and then core, and then see if there are still more updates. And use two-factor authentication, please.

Two-factor authentication is a great tip. I would also limit exposure of the APIs to somebody who's not an authenticated user, because with the API just kind of dangling out there, that allows somebody to fast-track trying every user imaginable and see what they get. Yeah, two-factor authentication: easy win, low hanging fruit, doesn't take a lot of time to implement, definitely worth it.

To not repeat what the other people have said, and to offer new advice: maybe check security headers, like HTTP headers. Implement HSTS to make sure that your visitors are always being served HTTPS through TLS. If you have team members, make sure that they are aware of security best practices; do take the time to train your staff. And for your customers, if you can offer them tips, maybe have a page on how to make sure that your password is secure. We do have a plugin that allows you to enforce password policies, but what we also do is offer the user some tips on how to achieve a password that meets your policy requirements. Aside from that, you can limit the login attempts. And one last thing I would add: update. And yeah, sorry, just one more thing on my head, speaking of backups: do not leave backups on the same server as you have WordPress; save them somewhere else, take a copy.

Yeah, in the backup, exactly, exactly, exactly. We all know the CrowdStrike example, right? Yeah, definitely. Even in that case I think updating is always the key. I have like a formula, something like "change my mind": the cost of a hacked site is always more than the cost of a downtime because of an incompatibility or an update thing. So I just throw out the challenge: change my mind. So seconding back with that.

Yeah, for sure. I would recommend, if your site has some kind of high impact, because you are e-commerce or you have a lot of traffic or you are sharing important information like APIs on the server or something like that, try to make the updates in a staging server first; then, when everything goes okay, just apply in production. So I would say that's one of the things related with that. But the other will be just linking back with when I talked about the measures in security that are separated, in a raw mode, into before and after. In the before part: WordPress doesn't get infected out of thin air, right? It's infected because there are vulnerabilities. So it would be a very good practice for all the site owners to get their site scanned via a vulnerability scanner. There are services out there, like for example Patchstack is one of them, and you can get your website there; then we scan all the plugins, all the code you have in the website, and we just match with our database of vulnerabilities. So if there are vulnerabilities in any of the plugins you have in your website, you are exposed. So having your website free of vulnerabilities, with everything updated, or, if you find that there is a plugin that has a vulnerability, you have to find an alternative plugin instead of getting along more with that plugin. So, for example, having your website free of vulnerabilities will be one of my best recommendations as well.

Thank you. Bye-bye.