Apr 16, 2026 13:00:00


How to Protect Your Websites from Hidden Attacks

🛡️ On the first day of the Cloudways security bootcamp, Alexander Sarovic (WP Alex), WordPress security expert, joins us to uncover the often-overlooked threats that quietly compromise websites. He shares real-world insights and practical strategies to protect your websites from stealthy attacks like malicious favicons, pirated plugins, fake admin pages, and outdated user accounts. From ransomware horror stories to plugin hygiene best practices, this session is packed with actionable tips, mitigation strategies, and fun analogies (yes, even motorcycles make an appearance 🏍️). Whether you're a developer, agency owner, or website manager, this session will help you rethink how you approach WordPress security.

Introduction to the Bootcamp

Moise: Hey everyone, what's up? My name is Moise and I welcome you all to day one of the security bootcamp. I'm super excited to have everyone over here, and over the course of two days we're going to be having some amazing guests who are going to take us through WordPress security and how to make your online businesses more secure. I can already see a few people joining in in the comments, I can see people interacting and engaging. I would love it if people could give their introduction and tell us where they're from and what they do, so that we get to know each other well. Apart from the sessions we're going to be having some fun activities as well, in which you can participate and get a chance to win some exciting prizes. Now, before we begin, I would like to mention that for everyone who has joined in, we also have a prize for the most engaging participant, so I would encourage everyone to leave comments, ask questions, leave comments for our guests, for our organizers and for this event if you want to win those prizes. Winners will be announced by the end of this event tomorrow. Before I move on to our first session of the day, I would like to thank our partners as well, who have helped us in making this event possible: we have had Patchstack, Melapress, WP Umbrella and Limit Login Attempts, who have been with us over the past few weeks and made this event possible.

Now, moving on to the first session of this event: I personally am super excited for this session, not only because the topic is so interesting but because of who the speaker is. Many of you might know him as WP Alex. I call him Alexander. I'm super happy to have Alexander Sarovic over here with us. I have learned from him, I have traveled with him, I have worked with him, and I'm super excited for him to be here today and present his topic. Alex, I don't know exactly how to introduce you, because you run your own agency, you sell motorcycle helmets, and I don't know how those align. I'm sure you must do a lot of different things as well. But before we begin, Alex, why don't you give your introduction and enlighten us on what you are up to nowadays?

Alex: Yeah, hi Moise, and thanks for inviting me for this session, and thanks to my old team in Cloudways, which was Moise and Danish, who also took part in organizing this. I like the fancy microphone you have now; we didn't have that one earlier when we organized sessions. Well, let's say that I partially left the hosting business, and the IT business in general. I founded WP Playbook; it's a WordPress web agency, but it's a community-driven web agency. The idea is that only 10% of income goes to the agency for marketing and other needs, like covering server costs and stuff we need for the agency, and the rest is actually shared between QA and developers. That's the way the agency is functioning on my side. Let's say it's not a profitable thing, but maybe one day, if someone decides to acquire us, we have the way we will split the acquisition money between all the developers and QA and people now working for the agency. So I'm not 100% involved there; it's a part-time involvement, helping with bigger problems, bigger issues, when they need something to unblock them when they are fixing something. And one of the biggest pain points, definitely, in maintaining WordPress websites, in the hosting industry and in WordPress itself in general, is hacked websites, security.

Importance of Cyber Hygiene

Those are always worst-case scenarios. When the website is hacked, the time you need and the damage to the reputation of your business is significant, especially if those hacks are like the Japanese hack, where they inject thousands of URLs which get indexed by Google, and then your website shows up in Google with Japanese letters. One of the worst hacks, and they're really persistent hacks, where it is really hard to find where the problem was. And the other business you mentioned: yes, I'm importing; actually I'm the official dealer and importer of three motorcycle brands, it's Kiwi, so I am the official dealer of LS2 motorcycle helmets, suits, shoes, and we also have a mechanic service for three motorcycles at the same time, so we are doing maintenance for the motorcycles as well. To be honest, the maintenance is not much different from website maintenance: if you keep your motorcycle somewhere in the shed, in the rain, without maintenance, the probability that you will fall from it and break your neck is really high. So you need to take care of all your possessions, definitely.

Moise: I love how you have drawn a comparison between website maintenance and motorcycle maintenance; I only know so many people who can do that. So Alex, I'm super excited to have you over here and for your session, and I can't wait to get started. You have the floor, take it away.

Alex: Thanks. Do I have to click presenter, or will you play the presentation?

Moise: Yeah, that's it, that's it.

Alex: Okay. The point of this presentation was to touch on things that maybe you have never faced. These things are happening, they're a bit hidden, it's not something usual, it's not something you see every day, and very often these hidden threats are waiting somewhere in some dark corner of your website and you don't even know when it will activate and when you will have the problem with a specific malware or a specific virus you contracted. Let's start from the logical beginning: who am I. I explained that, WP Playbook. And let's talk a bit about why we have issues with websites, especially WordPress websites, and how to fight those hidden threats.

Poor cyber hygiene is the biggest threat ever, like for everything else in your life. If you're not maintaining something, if you have a website and you think you can set and forget it, someone created a website for you and you now have the website and no one is maintaining it, no one is updating it, then you don't need the website actually. If you're not maintaining it, you don't need it. If it makes money for you, if it makes business, if it brings customers, then put some effort into maintenance, because in physical businesses like my other business you need to clean the floor every day, you need to clean the windows every day, to present your business in the best possible way, because if your main window facing the street is dirty, no one will look through that window to see what you're selling inside. It's the same with the website, if it's hacked and if there is some unwanted content, and that content can be really nasty. Often we saw hacks with, I don't even want to use the word, but with kids and stuff like that, and imagine how bad the impact on your business can be when anyone who found you on the internet visits your website and sees something like that. You invested money to bring people to your website, which is really expensive these days. It's really expensive to bring someone to your website; PPC prices are skyrocketing, the price per click for specific keywords, etc. So you're spending money, you're investing into SEO, you're investing into everything else, but cyber hygiene is bad. Cyber hygiene is not just updating your website, it's not just taking care of plugins, WordPress themes, PHP version, etc. Cyber hygiene is also where you're connecting your laptop to Wi-Fi: are you logging into your website from a cafe, from public networks? Cyber hygiene is which kind of passwords you're using. All of that is cyber hygiene, and if we don't have cyber hygiene, definitely we are the problem. And the second problem is: if you think you know everything about cyber security, you must be the biggest threat to your company, because the moment you think you know everything about cyber security, you actually know nothing. You maybe know 0.00001% of everything that hackers and cyber criminals are doing.

So what does poor cyber hygiene include? It includes various risky practices such as weak passwords. I saw a million times, with a million customers, passwords like admin/admin, the name of the website owner, 123, 12345678 or something like that. Neglecting security updates: very often we have updates in WordPress, maybe even multiple times per week, not once per month or something like that.

Example of a Real-World Cybersecurity Disaster

Also, we had a situation here with the government in my country where someone clicked on a link inside an email and they got ransomware, and the hijackers requested 20 million... 20 bitcoins to give back all the documentation. Believe it or not, it was the documentation for the communal services of the city for 20 years, for all citizens. It's not a big city, it's 300,000 people, but imagine having the leak of 300,000 invoices, 300,000 names, addresses, etc., because someone clicked on a suspicious email link. This is not part of my five hidden threats, but my suggestion is to highly avoid having shared hosting with your email inside the same server where your website is, because any malware or ransomware can jump between folders and hijack your website and your email and everything else. Implement proper security measures: use 1Password or LastPass or something like that to store your passwords, so even you don't know what the password for the website is, and make it as complicated as possible. And definitely, recent studies reveal that a significant part of those breaches is because of poor cyber hygiene. So it's not like someone is extremely smart and knows how to hack your website and they put a huge effort into it; most of the hacks are actually because of poor cyber hygiene, and it was really easy to hack those websites. So prioritize strong password creation, use unique credentials for different accounts, don't use the same password for all of your emails, websites, etc., and maintain regular cyber security housekeeping: update your plugins, update your antivirus or anti-spyware etc. software on your computers, always use secure networks, do not connect over insecure public networks to anything that is really important to you.

Top 5 Hidden Threats Identified

I made a list of five hidden threats, something not as common but possible, something that is really hard to detect, but there are mitigation strategies for each of these possibilities. Number one is favicon-based malware injection, because .ico files can be hacked and can contain malware or spyware or whatever inside. Two: fake WordPress plugin updates, where supply chain attacks can happen. The third one is abandoned admin accounts, ghost admins. The fourth problem is fake admin login pages, and the fifth one is hidden malware in media files.

So, not to waste too much time, let's start from the first one to explain each one and how they are functioning. Number one is favicon-based malware injection. Attackers can disguise malware and malicious JS inside ICO favicon files. These files are often cached, and you won't be checking the ICO file, favicon.ico, on your website. No one does that, even me; I would never check or see what's inside the file, or check that file often. It's not something any of us will be doing, but they provide that way to execute malicious code. And that code, for example, this is one of the examples for this scenario: the attacker gains access to a website and replaces that favicon.ico, and the problem is what that code is doing: it's logging keystrokes. So when you log in, or any of the users logs in, their login credentials get stolen, so they can literally store all the usernames and passwords of the people logging in to your website. Imagine when it's an e-commerce WooCommerce store or something like that. If they steal admin, or WooCommerce manager, store manager, or a role like that, they will instantly have access to all the customers you have on WordPress or WooCommerce with all their details, like names, surnames, their emails, even phone numbers, addresses, everything they ever ordered. So it's a valuable asset to steal and sell to your competitors, and maybe even worse, just to ask money from you, otherwise they would report to GDPR agencies etc., and we know how huge the fines are for having that kind of data leak.

What is the mitigation strategy for this scenario? The first one is to always use Content Security Policy, CSP headers, to restrict which domains can load JavaScript. Regularly verify the files on your server by using checksums or any kind of monitoring tools. A good thing also, and I think this is also possible with Cloudways with the CDN, is to store favicons and other assets in a secure CDN or trusted repository instead of keeping them on your main server. And restrict file upload permissions to prevent unauthorized users from modifying static assets. Static assets are mostly uploads, so those are not files which are executed, like PHP files etc., but more like media files, PDFs, ICO files, files that will be just served by the server as is, without using PHP and without running any scripts or JavaScript.

The second one is fake WordPress plugin updates, or supply chain attacks. Before I explain this in detail: it's a very rare occasion that something like this happens in the WordPress repository, the official repository, almost never, maybe not almost, but never. This very often happens with GPL sites. These are the sites from those... I don't want to use the word, because Moise would have to beep me and he can't do that, so I will just leave the word out, but you can guess which word I would be using. On GPL "free" sites you can actually buy, for I don't know, 20 or 30 bucks, a yearly membership and get access to 50 pro plugins: Elementor, WP Bakery, Visual Composer, Brizy Pro, whatever, just name it and it's there, and you will get that for 20, 30 bucks. By doing that you will maybe save 20, 30, 40 bucks by not purchasing directly from the vendor, but you're a cheapskate and you want to buy from some GPL free site and get multiple plugins for free. And then, when those plugins start getting updates, you don't know, even with the plugin you downloaded, even with the plugin you bought, what's inside, because inside can be whatever they want: it can be malicious, malware, whatever the owner of the GPL site wants. Firstly, if you expect them to have morals, they don't, because if they had morals they wouldn't be doing GPL free, they wouldn't be stealing plugins and themes and selling them as their own. So don't expect any ethics from their side. So what attackers do: they trick WordPress users into installing these malicious plugin updates by compromising legitimate plugin repositories or creating fake versions of popular plugins. Exactly what GPL sites are doing: they buy or download the plugin, the pro version, from somewhere, and then they modify the plugin as they like. So you think you installed WP Bakery, or you think you installed something else and that it is a legit source of the code, but it's not. And once installed, these updates are injecting malware, they are stealing user data, creating hidden backdoors for hackers, just name it, whatever you like. When you install a plugin with PHP files and JavaScript inside, you just don't know what will happen, and you don't know in how many ways your website can be hacked, because it's already hacked; the question is just the moment when you will see the results, or the damage the malware is making to your website. The example is simple: you see an update notification for a plugin you use. It's a hacked version uploaded by an attacker, it's not what you want to update to. You just click the update button, you think it's safe, but the new version adds a hidden admin user and steals information from your WooCommerce store. That's just one of the attack scenarios, but it can even redirect your website to some other site. So if you have big traffic, good traffic, you invested a lot into SEO etc., they just inject scripts which will be redirecting people from your website to their website, which can actually be an identical copy of your website with a payment gateway, where people will order goods and products from you but will actually be ordering products from the attacker, and they will be entering their credit cards and paying for those products or services to the attacker. Then your business is on the line, because of the disturbance you made. It's not your fault; the people will have to sue someone else, someone who stole their money, but they will never buy again from your website, because they don't trust you anymore, and they will never ever trust you again. And we mentioned earlier how expensive it is to bring one customer over.

The mitigation strategy is quite simple: download plugins only from trusted sources like the WordPress repository, official developer websites, reputable marketplaces like CodeCanyon, and for themes it's ThemeForest on Envato. So only from trusted sources. Whenever you see an ugly website with an ugly design, like done in Paint or something like that, you should know that those are not trusted sources, and you shouldn't even be using your credit card buying some subscription for that kind of site. Enable automatic updates only for trusted plugins, of course. Use WP-CLI or safe updates from tools like Cloudways: you can use WP-CLI through Cloudways and you can use Safe Updates also on Cloudways to test updates before applying all of that. You should also monitor plugin changes using any of the most popular ones, like I just mentioned, Wordfence or WP Activity Log, to get alerts when files are modified. But if you have some other preference, I'm not pushing you to use these, or telling you these are the best ones; every plugin of that type is good and they all do the trick. Also check plugin reviews and update logs before installing updates; if something seems suspicious, wait before updating. What we tend to do, especially WordPress users, is that when we see an update we just click update and that's it: update plugin, click, update plugin, update this, click, update this. It's not always just click and update. Sometimes you need to be careful and see what is being updated, why it's being updated, is it compatible with your other plugins, is that version of the plugin compatible with your WordPress version. So it's not just running around like a headless chicken and clicking update buttons; that will be as risky as keeping them out of date.

Number three is abandoned admin accounts, or ghost admins. Over time, website owners and teams create multiple accounts: there are developers, there are designers, there are contractors, there are copywriters, SEOs. So if this website is a couple of years old, like two, three, four years, a few years old, there will be a lot of accounts there. If it's an e-commerce, if it's a WooCommerce store and you have regular customers there, you will have thousands and thousands of users on your website. Attackers can target any computer, any phone, and check for usernames and passwords. That can be an old account, someone who hasn't logged in for a couple of years, two or three years, and that is a security threat, that is a possible breach, and you should be deleting those accounts regularly. So one of the examples for this one is that a former employee had an admin account that was never deleted. The attacker finds it and uses leaked passwords, because occasionally you can see that there are databases with leaked passwords showing up somewhere, like even LastPass was hacked once, and they use login data from a completely different breach and take over your website. For this there is also a way to mitigate this.

Just to say hi to people in the chat, just to take a short break, because I would say I'm running fast.

Mitigation Strategies

Hi Tommy from Serbia, from my country, and hi to all the other people here. "I prefer doing major updates manually." Yeah, well, you shouldn't be keeping plugins waiting for an update for too long. It's always like: don't do it the very moment when the plugin is live, it's not safe to do it; wait a day, two days, three days, check the forum, check comments, check on WordPress what's happening. And let me see, Tyler is asking: is there any merit to having more than one admin or super admin on a site, so if one gets compromised or the password is lost you still have another way in, or is that just bloat? No, you can have more than one admin or super admin, however you like. I would say it's super useful to have more than one, because if one is hijacked then you have the problem that you can't access the dashboard. There is a way, maybe people here don't know how to regain access to the website: in Cloudways you have the button, database access. You go to database access, you find the table wp_users, and inside wp_users you will find the list of all admins, without access to the WordPress dashboard. If you see new admins which are not your account, you can just select them from the wp_users table, select them and drop them; when you drop them they will instantly lose access to your website. And if they changed the password of your original account, you can change the password by resetting the password through your email, but if they already managed to change the email, you can easily change email, username and password through the WordPress database: you just have to type in the new password in the password field, select hash MD5, click update, and then you will have your access back, and then you can delete and block all other users. In a way, is it bad to have auto-update enabled? Yes, because you don't know... we are the witnesses, especially with page builders and WordPress builders, that just keeping auto-update enabled can destroy the website. Then you need to go back and forth and ask support to restore your website, if you're not technically educated enough to know how to do it yourself. So it's definitely smarter not to have auto-update enabled. For WordPress, let's say the core, yes, because you should be updating WordPress core as soon as it's live, but I'm also skipping that one; I always wait for two or three days before I update anything on the website.

So the mitigation strategy for this kind of old admin accounts is to review all user accounts regularly, delete or downgrade old admin accounts to lower roles like subscriber; if they are subscribers they see literally nothing inside the dashboard and the possibility that they can take over something is zero. Oh yeah, Cloudways support is really good. I had an experience a couple of days ago; I was a bit pissed, to be honest, because a couple of times we did some migration and it didn't work, we did it ourselves, and then one of the girls from Cloudways did the trick, she figured out what happened and we sorted out everything in 15 minutes. So use a plugin like WP Security Audit Log so you can track logins and see if some inactive admin suddenly logs in, because it can happen that some of your old employees or whoever logs in again after two years. Why would they log in after two years? You're not paying them to do that, so even if it's them, their intentions are not good. Enable two-factor authentication for all admin users, so there can't be any login with leaked credentials, because you need an extra step, like when you're logging into Cloudways you need to enter your email and password and then you need to wait for an email with a six-digit code so you can actually log in. And implement automatic logout for inactive accounts using a plugin like Inactive Logout. To set up passkeys with WordPress, yeah, I guess you can find some cool plugins for that, but there are things that, I would say, Tyler, would be overengineering.

Overengineering Warnings

One person I don't like much as a person, which is Elon Musk, I think he's an egomaniac, but he said one really good thing: he said that the biggest problem of software engineers is that they're actually fixing things that shouldn't be existing, and that's the major thing. Don't overengineer things; the less you engineer things, the smaller the number of problems that can happen.

The next one is fake admin login pages. This is very often, and I don't know why and how people are not paying attention to this kind of stuff. It can happen that hackers inject fake login pages. Fake login pages are pages which are not the regular ones like /wp-admin, but they're mostly like /wp-admin2, /wp-admin2314, like those fake accounts sending you a link on your Facebook, threatening you that your ad account on Facebook will be terminated, you need to fill out some form, and then you see the website is facebook-admin-something-something-dot-whoever-knows, and people are not paying attention, they just click links and that's it. Good thing. Hola Miguel Kstas. And what we also do: sometimes we are doing things blindly, especially when we are panicking, and we are panicking when we receive some email with uppercase letters like "YOUR WEBSITE IS IN DANGER, add your username and password to confirm your identity, otherwise we will delete your account in 72 hours", whatever. It won't happen; no one will ever delete your account in WordPress. But people who are not technically well educated, just website owners, store owners, are not prepared for scenarios like that. Imagine that your mother, or someone who is retired and has their own web shop for some handmade items; they would click and leave their credentials there. Yeah, but that is, Kevin, exactly one of the mitigation strategies. So what they do, they do what we said: they send you to a fake admin page. The good thing is, when you're using managed hosting like Cloudways, you have the button, and the button inside the dashboard is taking you to the right place to log in, so you never use something that is not the place, except the button you click on to take you to the login page on Cloudways. So the mitigation strategy is: be smart, check the browser URL before logging in; your WordPress login is, and mostly will be, yourwebsite.com/wp-admin or yoursite.com/wp-login.php. A good thing is to rename these WordPress login URLs using plugins like WPS Hide Login to prevent attackers from easily creating a fake page, and of course plugins like Wordfence to detect and remove unauthorized login pages. Also use password managers to autofill login credentials, and this will prevent you from entering credentials into a fake form, because 1Password or LastPass wouldn't offer you the username and password, because you never logged in on that URL, and then you will just see blank fields and you will be asking yourself why these fields are blank, why it doesn't want to populate them, and you don't know the password because the password is autogenerated by 1Password or LastPass, and when you check the address bar then you will figure out that someone is trying to steal your credentials.

And the fifth one. This one is not that rare, it's kind of often: hackers often hide malicious code inside images, PDFs or other media files, SVGs, uploaded... These files are mostly sleeping somewhere inside the uploads folder and wait to execute malicious scripts when there is a best moment or when it's triggered by someone. Why is it inside the media? Because inside the media, now, because of all the optimizations, like making new image formats to consume less storage, to consume less space when loading the web page in the browser, to make the website perform better, we are using newer formats. Newer formats are, I would say, well, I don't want to say less secure, but they rely more on the code than on the physical form of the files themselves. "I'm using only All-In-One WP Security." As I said, Martin, most of the security plugins are doing the job well, so I just took Wordfence as an example, because Wordfence has been with us for I don't know how many years, probably 15 or so, so it's the most popular. It would be like if I was using Ford, or Harley-Davidson if you're talking about motorcycles, just to refer to the most known brand in motorcycles, Harley-Davidson; whether it's the best one is questionable, it depends on what you prefer. So yes, definitely you can use All-In-One WP Security. So these files mostly sit unnoticed, and what attackers do: they infect a PDF or image, they upload an infected PDF or image via a contact form, or they use some user upload area, especially if you have a jobs page or something like that where people need to attach a PDF with their application. These files can contain hidden scripts, and when accessed they create a backdoor or inject spam links into your website. So this is not rare, this is something I saw happening many times. It's not hard to mitigate this kind of situation, but it can be tricky, because it's a PDF; when you see "Muhammad Moise's CV.pdf" you think it's actually Muhammad Moise's CV, but it's not, it's actually malware waiting and sleeping somewhere to attack your website. And Moise is also a suspicious person, so it can be detected as malware; I would detect it as malware because I know him personally. And for this there is a mitigation strategy, of course: limit file upload permissions and only allow trusted users to upload media files; use a malware scanner, again I mentioned Wordfence or Sucuri, to scan media files for hidden scripts; regularly review and delete unused files in the media library to reduce the risk of hidden threats. What happens often, and we see that on our customers' websites: they upload an image and then they don't like it in the gallery or whatever, then they detach that one, upload the new one, and then you see hundreds or thousands of media files detached. Detached means they are not used anywhere on the website, and then you figure out they actually removed those images but never deleted the image from the media library; they just removed the image from Elementor, from some gallery plugin or whatever, but they never actually removed that media. That is good practice, because you don't want your website to be extra huge. It doesn't affect loading: whoever tells you that having a lot of media on your server is slowing down your website, it's not. It would be like telling you that the truck is moving slower because in your backyard you have a lot of things on your trailer, but that trailer is not attached to the truck. So the truck is only pulling things which are inside the truck: media that is being used and that is being generated into HTML and CSS sent to the client browser. But media that you have in storage or somewhere on the website doesn't affect loading speed. And disable PHP execution in the uploads folder using .htaccess. Why? Because there is no need to ever execute PHP in the uploads folder. The uploads folder is storage, the place where you are storing media files; there is no PHP and there is no need for any PHP execution to happen inside that folder. So how do you do that? In Apache or LiteSpeed or whatever you have, you add one directive: a Directory block for wp-content/uploads, a FilesMatch for php, phtml, shtml, cgi, pl, exe etc., you set Order allow,deny, Deny from all, close FilesMatch, close Directory, and this will prevent any PHP code execution inside the uploads folder. By this simple directive you will actually be forbidding any PHP action or execution, so malware will be dead, and you will even get a notification in Wordfence or Sucuri if some script is activated, but it won't be executed. Do you have some questions? No? Okay.

Moise: Yeah, Alex, that was very insightful, and thank you so much for the kind words in the middle. I don't know why, but I was expecting that somewhere in your presentation, knowing you personally, so I sort of had this feeling that you might come up with some sort of a comment. But anyway, we do have some questions, but before I take those questions I would like to appreciate everyone who is engaging in the comment section. I can see we have people from Spain, from Pakistan, from the UK, from the US, from Nigeria, from Addis Ababa, from Toronto, Mississippi, the Netherlands. I'm so happy to have everyone over here and excited to spend this day one of the security bootcamp with you guys. So let's take some questions first. Let's start with this one. We did have some questions at the start, so I'm going to start with the ones that were asked earlier. Matt had this question: how often should WordPress plugin updates be done? Is it safe to install minor updates frequently and do major updates less frequently?

Alex: Okay, Matt, I have a simple answer to this. I won't say I'm 100% right; I'm always sharing only my experience, so whatever I tell you doesn't mean that this is 100% correct or that this is carved in stone and you should do it like I'm doing it. My background is ManageWP, GoDaddy, Cloudways, NRT, so mostly hostings, WordPress hostings. So, how often should WordPress plugin updates be done? As I mentioned earlier, I always wait for a couple of days after the update is released to see which kind of problems will happen. Just visit Facebook groups; if it's Elementor Pro, go to the Elementor Pro users group on Facebook, there are like 100,000 people, and check after a day if someone is complaining about something, if something is broken, does the header or footer get killed, are global elements not working. If you see that, just don't update, wait for
patch or for a fix and of course before any before any update back up the website before any update it’s like like a golden golden rule yeah I think that’s backup that’s update 101 i mean if you want to update anything on your website take backups before doing that uh so next question is from Anto how can website owners educate their customers to spot fake login pages uh force them force them to use um if you are um uh maintaining their website so if you’re an agency and you’re responsible for for the website you’re charging them for monthly for maintenance so uh you are responsible for the security as well uh make them do use two factor authentication that is number one uh and make them use uh softwares like uh one p one password or last pass because as I said uh if it’s a fake login page then last pass won’t work and they they can’t login so you need to force them you you shouldn’t be educating them it’s it’s really hard to educate Yeah especially on on technical things like try to educate my mother you don’t educate people you just set procedures you just set procedures so they have to use secure way to to login and to use the website and one of the one of the procedures is like setting setting for them or with them uh last pass so they don’t know their password yep uh next question we have is from Ralph as mentioned changing WP admin login URL can help but can it can also cause issues with some plugins any suggestions or uh I don’t know with which plugins it can cause issues uh Ralph if you’re there can you can you give us just just an example for that so just mention in the chat R that if there are any plugins that you have come across who uh are affected by by this then you do mention that and Alex will be happy to answer yeah because because I I I never had like situation where where changing the login login page uh actually uh had conflict with any any other plug-in it there was a problem with manage WP let’s say some early versions like 12 years ago while 
they they you haven’t used tokens to login and file uh for auto out login but they we used actually um username and password for uh migrations etc etc yes in those cases it could cause issues but now these days uh everything is using APIs so I don’t I don’t see a reason why would any plug-in use uh login URL but if if there is if there is a case please share with us yeah um Tyler seems to have another question maintaining WB sites manually reading change logs testing on staging can feel like a full-time job has AI become helpful in some of this process may be this testing maybe the testing phase i would love to have an agent that check change logs for me to tell me if I should update based on aggregate feedback for example AI & Auto-Update Concerns well AI AI is a tool of today and tomorrow i won’t say future because we are all Homer Simpsons we don’t know what is what future is bringing to us because we are dumb mostly we have too many information available so that that made us being dumb yeah don’t laugh like you’re checking me you’re check you’re actually using well Tyler Tyler is asking if I is helpful or not and you’re well I would say I would say yes if you’re using it correctly and if you make a good bot that could actually aggregate some uh change logs etc etc and based on some data give you advice is it it would would it be good or wait for something to be uh updated yes why not i’m I’m for for the I’m for the uh new technology 100% perfect so Resty has a question how do malis codes in PDF five icon and images get executed do they rename them or some some kind of manipulation yeah JavaScript code inside it’s simple javascript code inside and then JavaScript code can actually uh hijack hijack the client uh browser and the keyboard whatever you like when when you’re typing anything on the website they know that you’re actually typing username and password because that is like the most common way is first type something then type something else so it’s two 
fields it’s username and password and JavaScript knows that and JavaScript reads the field username and password um so Tyler actually had another question that I sort of missed uh he’s asking is it possible advisable to set up pass keys with WordPress yeah I saw the question um and that was the answer I I had during the session like do not over do not overengineer things u so Philipe had a has a question uh is it bad to have auto update enabled yeah I think it is it is if it’s not safe update so if you don’t have uh safe update activated so it detects that something is broken or uh after auto update and reverts those changes then you shouldn’t be having out updated enabled and you never know i mean you you you’re what if out update happens at 3:00 a.m when you’re sleeping and your customer is in a time zone where when they are already selling their products it’s working 100% full on and you’re sleeping and some nightmare scenario happens and actually the fix for that scenario is two clicks but you’re you’re in in your warm bed and you don’t want to uh have that kind of experience so don’t just don’t use update perfect let’s take one last question alex uh let’s see okay so yeah so Anto has had a question earlier that is it enough to simply delete a potentially compromised GDPR plug-in or should additional security measures be taken as well uh it’s never uh enough to simply delete because because you don’t know you don’t know how many new files are being created generated how many files are being infected because if the GDPR plug-in was compromised then probably index php ht access and who knows how many other files are being eject injected with the same malware and it spreads around the Perfect i think this is pretty much it we are on time for the session alex uh I we do I can see I can still see more questions over here but I think I will And it’s a wrap just forward them to you and uh you can get back to me over email and I can give those answers to to these to 
these attendees uh I just want to thank Alex for for being here today taking his time out of his very busy schedule as as you have heard before that he is involved in multiple projects and doing multiple things at the same time so thank you Alex for being here thank you for making this presentation and you know presenting it to us i’m sure the people on this call listening to this would have learned a lot from from you and your presentation today uh so yeah any any final thoughts Alex on the security boot camp or any any final thoughts before you leave uh be smart so uh security these days is common sense don’t do stupid things uh don’t act stupid and and everything will be fine like update regularly check your website regularly don’t open uh emails from uh people you don’t know uh don’t click on links inside emails there are so many filters now inside Gmail inside any email provider so like the technology is helping us as as much as it’s possible to help us not to do stupid things and we still just like a bit more common sense and everything will be fine all right so basically you’re saying don’t be stupid yeah yeah don’t be Homer Simpson got it thank Thank you Alex thank you so much for being here and I wish you all the best for your current and future projects so thank you so much Alex see you bye-bye thank you bye
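As an added example, not code from the session or from Cloudways: a small Python scanner for the uploads-folder problem Alex describes, flagging script extensions that should never sit under wp-content/uploads, files whose magic bytes do not match their extension (the "CV.pdf" that is really a script) and image or PDF files carrying a PHP open tag. The sample tree it builds is constructed here, and the extension list and magic-byte table are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never sit under wp-content/uploads (the same kind of
# list the session's FilesMatch rule stops Apache from executing). Assumed list.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".shtml", ".cgi", ".pl"}
# Expected leading bytes ("magic") for common media types.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-",
         ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def inspect_file(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = path.suffix.lower()
    if ext in SCRIPT_EXTENSIONS:
        findings.append("script extension in uploads")
    data = path.read_bytes()
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"magic bytes do not match {ext}")
    if expected is not None and PHP_TAG.search(data):
        findings.append("PHP open tag inside media file")
    return findings

def scan_uploads(root: str) -> dict[str, list[str]]:
    """Map relative path -> findings for every suspicious file under root."""
    root_path = Path(root)
    results = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and (findings := inspect_file(path)):
            results[path.relative_to(root_path).as_posix()] = findings
    return results

def build_sample_tree(root: str) -> None:
    """Write constructed, harmless sample files into root for a demo run."""
    base = Path(root) / "2026" / "04"
    base.mkdir(parents=True, exist_ok=True)
    (base / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 16)  # clean image
    (base / "applicant_cv.pdf").write_bytes(b"<?php echo 'sample'; ?>")  # not a PDF
    (base / "photo.jpg").write_bytes(MAGIC[".jpg"] + b"\x00" * 8 + b"<?php ?>")  # tag in tail
    (base / "helper.php").write_bytes(b"<?php // sample ?>")  # never belongs here

def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_uploads(tmp)
```

Pair this with the .htaccess rule from the session: the rule stops a planted script from running, and the scan tells you it is there so it can be removed.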