WordPress security for everyone

1. http://lynt.cz WordPress security for everyone Vláďa Smitka vladimir.smitka@lynt.cz @smitka Lynt services s.r.o.

2. http://lynt.cz Content • Some facts • Common attack types • Recovery after infection • Security chain • Security plugins 27. 5. 2015 2 „WordPress = Plugins“

3. http://lynt.cz27. 5. 2015 3 The most serious vulnerability Question: „What is the most serious WP vulnerability?“ Answer: „Outdated Slider Revolution.“ http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html verze 4.1.4 are vulnerable • Probably the most stolen plugin • Included in many premium themes (sometimes no chance to update) • No auto-update in older versions • Easy to detect

4. http://lynt.cz27. 5. 2015 4 5 + 2 security tips Update Backup Use a security plugin Be careful Delete unnecessary stuff, don‘t provide sensitive information Update! UPDATE!!!

5. http://lynt.cz WordCamp HACK campaign • I found more than 400 vulnerable Czech WP sites in an hour • I was finding common (and just patched) vulnerabilities in 3 popular plugins • I informed creators/owners by mail and invited them to the WordCamp 27. 5. 2015 5

6. http://lynt.cz Who? 27. 5. 2015 6 Bots „Anonymous“ hackers Motivated hackers Script kiddies PhotobyLisa,CCBY-SA2.0

7. http://lynt.cz How? 27. 5. 2015 7 Vulnerable plugins and themes Brute force on administration Comment Spam (+pingbacks) Password and cookie tapping „Neighbour“ sites on shared hosting Indirect ways– phishing, malware (keylogger, saved FTP password)Vulnerabilities in WP core

8. http://lynt.cz Why and What? 27. 5. 2015 8 • „Alien“ code – Spammy links, adverts, redirection – Malware downloading – DDoS to other targets • Info stealing – E.g. Personal information of your customers • Out of service – web/server shutdown (DOS)

9. http://lynt.cz Facts 27. 5. 2015 9 http://www.akamai.com/stateoftheinternet/ 43% of attacks have origin in China Do I need Chinese traffic? How about to block the whole China? Block USA? Rather not (search engines, CDN,…) Block everything except the Czech Republic? Definitely not - IP geolocation isn‘t 100% accurate. Corporate users sometimes connect from a different country (proxy). How about vacation in foreign country?

10. http://lynt.cz27. 5. 2015 10

11. http://lynt.cz How to block China? – homework 27. 5. 2015 11 List of IP address: http://www.ip2location.com/blockvisitorsbycountry.aspx • Iptables – Don‘t use generated configuration from previous link – thousands of rules for every packet – iptables -A INPUT -m tcp -m state --state NEW -j CHINA_WALL – Advanced: optimization – more chains for different octets • .htaccess/nginx • mod_geoIP • Plugins (e.g. Premium Wordfence) • HW box (WAF appliance, Smarter firewall) • Another possibility – redirect to CAPTCHA instead of blocking //mod_geoIP in Apache GeoIPEnable On GeoIPDBFile /path/to/GeoIP.dat SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry Deny from env=BlockCountry //mod_geoIP in .htaccess RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|RU)$ RewriteRule ^(.*)$ - [F,L]

12. http://lynt.cz NEW WEB 27. 5. 2015 12 NEWS: 1.4.2003 our new web is running!

13. http://lynt.cz User Development Priorities 27. 5. 2015 13 Beauty Must have, right? Speed After launch Security After incident

14. http://lynt.cz What happens if… • Web is hacked? • Loss of sensitive data, loss of trust, out of service, penalization • Web is incredibly slow? • Visitors are annoyed, search engines don‘t want to index your site • There is no cool slider? • Nothing? 27. 5. 2015 14

15. http://lynt.cz Real priorities according to business impacts 27. 5. 2015 15 Security Speed Beauty

16. http://lynt.cz Demo time! 27. 5. 2015 16

17. http://lynt.cz Slider Revolution - LFI • Version 4.1.4 and lower • Enable to download any source file • Cause: Ajax call registration for all users (privileged/non privileged) • /wp-admin/admin- ajax.php?action=revslider_show_image&img=../ wp-config.php • Details (CZ): http://lynt.cz/blog/zranitelnost-ve- wordpress-pluginu-slider-revolution-4-1-4 27. 5. 2015 17

18. http://lynt.cz FancyBox for Wordpress - XSS • Version 3.0.2 and lower • Enable to include an alien javascript into all pages • Cause: using admin_init hook without appropriate privileges check (it is activated by all requests to the administration – admin-ajax.php, admin-post.php) • /wp-admin/admin-ajax.php?page=fancybox-for- wordpress + variable mfbfw[padding]=</script><script>evil code</script> • Details (CZ): http://lynt.cz/blog/zranitelnost-ve- wordpress-pluginu-fancybox-for-wordpress-3-0-2 27. 5. 2015 18

19. http://lynt.cz Mail Poet – Upload PHP • Version 2.6.8 and lower • Enable to upload PHP file and execute • Cause: Misuse of admin_init again + use of $_REQUEST in the first patch • /wp-admin/admin- post.php?page=wysija_campaigns&action=them eupload + variable my-theme = evil zip file • Details (CZ): http://lynt.cz/blog/zranitelnost-ve- wordpress-pluginu-mail-poet-2-6-8 27. 5. 2015 19

20. http://lynt.cz Wordpress Video Gallery - SQLi • Version 2.7 • SQL injection – enable to get any data from database • Cause: Insufficient user inputs sanitization • /wp-admin/admin- ajax.php?action=rss&type=video&vid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,3 9 FROM wp_users ;-- • Details (CZ): http://lynt.cz/blog/zranitelnost-ve- wordpress-pluginu-wordpress-video-gallery-2-7 27. 5. 2015 20

21. http://lynt.cz Wordpress 3.9.2 - XSS „Wordpress version 3.9.2 is safe.“ Vladimír Smitka, 4th WP community conference, December 2014 27. 5. 2015 21 „Secure today != secure tomorrow.“ Vladimír Smitka, 4th WP community conference, December 2014 • Allowed HTML tags bypass in comments • [<blockquote cite="]">[" onmouseover="alert('evil!'); " style="background-color:red;position:absolute;top:0; left:0;height:100%;width:100%;"][<a href="]>hi there

22. http://lynt.cz What might reduce impacts? • Turn off PHP processing in /wp-content/uploads .htaccess in this folder: php_flag engine off 27. 5. 2015 22 Different option: <FilesMatch .php$> Order allow,deny Deny from all </FilesMatch> • Updates • To block requests including „wp-config.php“ global .htaccess: RewriteCond %{QUERY_STRING} wp-config.php RewriteRule ^(.*)$ - [F,L]

23. http://lynt.cz How do I know that I also use a vulnerable plugin? • Read all news • Plugin Vulnerabilities • https://wordpress.org/plugins/plugin-vulnerabilities/ 27. 5. 2015 23

24. http://lynt.cz How does the attacker know that you use a vulnerable plugin? • He performs reconnaissance • WPScan – very popular tool to do it 27. 5. 2015 24

25. http://lynt.cz I was hacked! 27. 5. 2015 25

26. http://lynt.cz Recovery after infection • Restoring from a clean backup – Delete everything and upload pure data from backup • Reinstall + disinfection by hand – FAR • If all php files were infected by the same evil code – SQL dump examination • Try to find <iframe, <script, x-shockwave-flash, eval, base64_decode, gzip_, preg_replace • Try to identify the evil ones • Malware removal isn‘t the final solution! 27. 5. 2015 26

27. http://lynt.cz FAR 27. 5. 2015 27

28. http://lynt.cz Checklist • Disinfection, imitate the cause (update) • Change FTP password • Change DB password • Change user passwords • New salts: https://api.wordpress.org/secret- key/1.1/salt/ – WP before 3.1.: define('AUTH_SALT', 'put your unique phrase here'); • Check files by a security plugin (Wordfence, Sucuri Scanner) 27. 5. 2015 28

29. http://lynt.cz Backup „Backup is the alpha and omega of Computing“ 27. 5. 2015 29 By hand Sometimes I copy everything somewhere. Not ideal but better than nothing. By server Unattented - ideal situation (ask your webhoster). By plugin Also a good solution, it can provide some benefits.

30. http://lynt.cz Backup plugins • BackWPup – Only backup – no automatic recovery – Backup to more places – You can trigger backup by external request • UpdraftPlus – Backup & recovery – Only one place (but there is Pro version available) • BackupBuddy – Not free – Complete solution (migration, per file recovery, …) 27. 5. 2015 30

31. http://lynt.cz How to backup via plugin • External storage is better • If local storage: – Check if backups aren‘t accessible from web browser – Check if folder with backups is excluded from backup (backup loop) • Backup scheduling – WP-Cron – almost in all plugins, it is triggered only if there is some traffic (you can check settings via Crontrol plugin) – External trigger – preferred way (server‘s cron, minicron, cron service e.g. http://www.webcron.org/, https://www.setcronjob.com, https://www.easycron.com) • Email notification after backup 27. 5. 2015 31

32. http://lynt.cz Defend ourselves! 27. 5. 2015 32

33. http://lynt.cz Power! 27. 5. 2015 33 Jeremy Clarkson

34. http://lynt.cz How to improve security by performance? • WP Super Cache – prevent (D)DoS attacks which consume all resources – dynamic pages to static • Autoptimize – hides „revealing“ js and css – reduces HTTP requests • Side effects: faster site, happier visitors, tastier SEO 27. 5. 2015 34

35. http://lynt.cz Security Chain 27. 5. 2015 35 HTTP Server (Apache/Nginx) PHP Internet log What can affect security?

36. http://lynt.cz Cloud 27. 5. 2015 36 HTTP Server (Apache/Nginx) PHP Internet Cloud security services (WAF)– attack is blocked before it reaches server Block bad behaving IP, common exploits, DDoS,… Incapsula, Sucuri, CloudFlare log

37. http://lynt.cz Webhoster 27. 5. 2015 37 HTTP Server (Apache/Nginx) PHP Internet Security appliance/firewall – some provides another security level, some not. Reduce DDoS impact, block some kind of network attacks, etc. log

38. http://lynt.cz Server 27. 5. 2015 38 HTTP Server (Apache/Nginx) PHP Internet Firewall, WAF, configuration – block some network attacks, IP addresses (whole ranges, countries) WAF – block exploits (XSS, SQLi,…) – mod_security, naxsi. Restrict file permissions, detect file changes. Backups log

39. http://lynt.cz Server – homework • Detecting changes in PHP files during last 24 hours: find /srv/htdocs/my_web/ -name '*.php' -type f -mtime -1 > output ; mail -s „Today changes" "vladimir.smitka@lynt.cz" < output 27. 5. 2015 39 root directory 755 wp-includes/ 755 .htaccess 644 wp-admin/index.php 644 wp-admin/js/ 755 wp-content/themes/ 755 wp-content/plugins/ 755 wp-admin/ 755 wp-content/ 755 wp-config.php 644 Permissions by All In One WP Security:Another country IP list: http://www.iwik.org/ipcountry/ Basic mod_security settings for WP: http://blog.erben.sk/2015/02/11/p rotecting-wordpress-with-mod- security/

40. http://lynt.cz HTTP Server & PHP 27. 5. 2015 40 HTTP Server (Apache/Nginx) PHP Internet HTTP server & PHP configuration – site isolation on shared hosting, filter suspicious URLs, restricting access, HTTPS enforcing, block countries (mod_geoip), logging log

41. http://lynt.cz Log analytics 27. 5. 2015 41 HTTP Server (Apache/Nginx) PHP Internet Realtime log analytics – if someting strange happens you can perform actions. One log record isn‘t a clue. Logstash, ElasticSearch, Kibana log

42. http://lynt.cz Realtime log analytics - example 27. 5. 2015 42 Something wrong?

43. http://lynt.cz Countermeasure 27. 5. 2015 43 HTTP Server (Apache/Nginx) PHP Internet Actions – block after many 404 logged (scanning), many failed logins, … Ban in firewall, notify Fail2Ban log

44. http://lynt.cz Fail2Ban – homework 27. 5. 2015 44 • Fail2Ban can replace some functions of security plugins – brute force/404 detection • filter.d/wp-auth.conf # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf: # # Block IPs trying to auth wp wordpress # # Matches e.g. # 178.63.72.184 - - [16/Oct/2014:11:40:50 +0200] "POST /wp-login.php HTTP/1.0" 200 1531 "-" "-" [Definition] failregex = ^<HOST> .* "POST /wp-login.php • jail.conf [wp-auth] enabled = true filter = wp-auth action = iptables-multiport[name=wp-auth, port="http,https", protocol=tcp] sendmail-whois[name=WPauth, dest=vladimir.smitka@lynt.cz, sendername="Fail2Ban"] logpath = /var/log/wordpress/access.*.log • Be careful with logrotate - /usr/bin/fail2ban-client reload wp-auth • To log failed WP logins: https://wordpress.org/plugins/wp-fail2ban/

45. http://lynt.cz WordPress settings 27. 5. 2015 45 HTTP Server (Apache/Nginx) PHP Internet Good WP setting – everything is updated, well written plugins, usage of a security plugin (blocks access to administration, scanning attempts, dangerous URLs, monitors files for changes, searches for malaware, hides some sensitive data) iThemes Security, All in One WP security & Firewall, WordFence log

46. http://lynt.cz Security plugin 27. 5. 2015 46

47. http://lynt.cz WordFence • Active protection • Bot detection, traffic limiting (HTTP 503) • Live traffic • Scan – files, common infections, blacklists • Notify about updates • Cache • + Naturally: – File changes detection – Brute force protection – 404 limitation – Blocking spam in comments 27. 5. 2015 47

48. http://lynt.cz WordFence – after installation 27. 5. 2015 48 Level 2: failed login limits, more notifications Level 3: traffic limiting Level 4: more traffic limiting, block invalid user names

49. http://lynt.cz WordFence – Live Traffic 27. 5. 2015 49

50. http://lynt.cz WordFence – changes detection 27. 5. 2015 50

51. http://lynt.cz WordFence – traffic limitation 27. 5. 2015 51

52. http://lynt.cz WordFence – login security 27. 5. 2015 52 Tip: block username discovery via .htaccess: RewriteCond %{QUERY_STRING} author= RewriteRule ^(.*)$ http://screw.you? [L,R=301]

53. http://lynt.cz WordFence – other options 27. 5. 2015 53

54. http://lynt.cz WordFence – other options 27. 5. 2015 54

55. http://lynt.cz WordFence Premium – Country blocking 27. 5. 2015 55

56. http://lynt.cz WordFence Premium – other 27. 5. 2015 56 • Better spam protection • Early warning during scan 2 factor autentification via SMS: Your Wordfence code is ABCDEF. – password + space + code Better solution: WP Google Authenticator Scan scheduling – more frequent scan, triggered externally

57. http://lynt.cz Security plugin 27. 5. 2015 57

58. http://lynt.cz iThemes security • Prevention • Hides administration, changes DB prefix • Evil URL filter • + Naturally: – Brute force protection, 404 limitation – File changes detection – Comment spam reduction 27. 5. 2015 58

59. http://lynt.cz iThemes Security – after installation 27. 5. 2015 59 One-Click – failed login limit, strong password enforcing, hides some sensitive information

60. http://lynt.cz iThemes Security – API Key 27. 5. 2015 60

61. http://lynt.cz iThemes Security - dashboard 27. 5. 2015 61

62. http://lynt.cz iThemes security - configuration • Global Settings – Write to Files - Allow iThemes Security to write to wp- config.php and .htaccess – if disabled, I can copy config from dashboard to relevant files by hand – Lockout White List – set my IP to prevent lockout – Log Type - Database Only (small sites, available from administration), File Only (large sites, it can be used in fail2ban) – Path to Log Files – set path outside web if possible • 404 detection – Enable 404 detection – block scanning for vulnerably 27. 5. 2015 62 RED = important settings

63. http://lynt.cz iThemes security - configuration • Away Mode – e.g. to disable administration outside working hours • Banned Users – Default Blacklist - Enable HackRepair.com's blacklist feature – add known bad behaving user- agents to .htaccess – Enable ban Users - banned IP and user-agents by hand (it is also connected to the Enable Blacklist Repeat Offender in Global settings) 27. 5. 2015 63

64. http://lynt.cz iThemes security - configuration • Brute Force Protection – Get your iThemes Brute Force Protection API Key – access to global IP blacklist by iThemes.com – Enable iThemes Brute Force Network Protection – to use global blacklist – Enable local brute force protection – block attempts to guess passwords (table _itsec_lockouts in DB) – Automatically ban "admin" user - Immediately ban a host that attempts to login using the "admin" username – good honeypot trick  27. 5. 2015 64

65. http://lynt.cz iThemes security - configuration • Database Backups – Backup Method - Email Only, Save local only – if it is possible to save backup files to public inaccessible folder (Backup Location) – Schedule Database Backups - Enable Scheduled Database Backups – automatic backup/by hand on the Backups tab – Notice: it is really only DB backup • File Change Detection – File Change Detection - Enable File Change detection – Split File Scanning - Split file checking into chunks – consumes less RAM, generates more mails – Files and Folders List – exclude folder contains cache when you use a caching plugin • Hide Login Area – Hide Backend- Enable the hide backend feature – redirect /wp-admin to different URL – Login Slug – new address, e.g. admin5547 – Enable Theme Compatibility - Enable theme compatibility – turn on if redirection caused problems with some plugins 27. 5. 2015 65

66. http://lynt.cz iThemes security - configuration • Malware Scanning – Enable Malware scanning - API key fromVirusTotal.com – you can check your homepage against about 60 blacklists (Sucuri SiteCheck, Google Safebrowsing,...) • Secure Socket Layers (SSL) – Enforce https to access in the administration – try if https is really available before enabling this option • Strong Passwords – Strong Passwords - Enable strong password enforcement – new passwords must be strong – Select Role for Strong Passwords – Set to „Editor“ at least (he can put JS in comments) 27. 5. 2015 66

67. http://lynt.cz iThemes security - configuration • System Tweaks – System Files - protect System Files – disallow access to sensitive files (readme.html, .htaccess, readme.txt) – Suspicious Query Strings - Filter Suspicious Query Strings in the URL – prevents simple SQL injections (be careful with nginx , see next slides) – Long URL Strings - Filter Long URL Strings – block very long URLs (over 255 chars) and URLs containing „eval“, „base64“ and „union select“ (like Block Bad Queries (BBQ) plugin) + you should also add rule to block URLs containing „wp-config.php“ – Non-English Characters - Filter Non-English Characters –not good for Czech environment – File Writing Permissions – set right permissions for .htaccess and wp- config.php – it is better to do so by hand – Uploads - Disable PHP in Uploads 27. 5. 2015 67

68. http://lynt.cz iThemes security - configuration • System Tweaks – Generator Meta Tag + Display Random Version – hide WP version – Windows Live Writer Header & EditURI Header – they are used rarely – Comment Spam – check comment origin (your web or wordpress.com), block comments from clients without user-agent – File Editor – similar to define('DISALLOW_FILE_EDIT', true ); in wp- config.php – XML-RPC - "Completely Disable XMLRPC" disables all XML-RPC requests e.g. Trackbacks (if you want to use trackbacks securely, try https://wordpress.org/plugins/simple-trackback-validation-with- topsy-blocker/) – Login Error Messages – hide „wrong password“ notice – Force Unique Nickname – prevent users to take the same login and „real“ name – Disable Extra User Archives – hide users without (e.g. admins) 27. 5. 2015 68

69. http://lynt.cz iThemes security – advanced • Advanced – Admin user – tool to change admin login name • Better way is to create new admin user • Login as him and delete old admin user (there will be a form to move content under the new user) – Change content directory – rename wp-content, may caused some troubles and brings only little benefit (you can see renamed folder in HTML source) – Change database prefix – tool to change default prefix table wp_ to something else (to prevent some kinds of automatized attacks) 27. 5. 2015 69

70. http://lynt.cz iThemes security – homework Suspicious Query Strings in Nginx: set $susquery 0; if ($args ~* "wp-config.php") { set $susquery 1; } # + block query do download wp-config.php if ($args ~* "../") { set $susquery 1; } if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; } if ($args ~* "etc/passwd") { set $susquery 1; } if ($args ~* "boot.ini") { set $susquery 1; } if ($args ~* "ftp:") { set $susquery 1; } if ($args ~* "http:") { set $susquery 1; } if ($args ~* "https:") { set $susquery 1; } if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; } if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; } if ($args ~* "base64_encode") { set $susquery 1; } if ($args ~* "(%24&x)") { set $susquery 1; } if ($args ~* "("|'|<|>|\|{|||%24&x)"){ set $susquery 1; } if ($args ~* "(127.0)") { set $susquery 1; } if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; } if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; } if ($args !~ "^loggedout=true"){ set $susquery 0; } # <= bad logic, correct: ~* if ($args !~ "^action=jetpack-sso"){ set $susquery 0; } # <= bad logic, correct: ~* if ($args !~ "^action=rp"){ set $susquery 0; } # <= bad logic, correct: ~* if ($http_cookie !~ "^.*wordpress_logged_in_.*$"){ set $susquery 0; } # <= bad logic, correct: ~* if ($http_referer !~ "^http://maps.googleapis.com(.*)$"){ set $susquery 0; } # <= bad logic, correct: ~* if ($susquery = 1) { return 403; } 27. 5. 2015 70 Block query do download wp-config.php in .htaccess: RewriteCond %{QUERY_STRING} wp-config.php [NC,OR]

71. http://lynt.cz iThemes security – homework Better version hiding: functions.php / plugin in mu-plugins: function remove_wp_version() { return ; } add_filter('the_generator', remove_wp_version'); 27. 5. 2015 71 Off topic: MU-plugins (Must Use Plugins) There is a special folder: /wp-content/mu-plugins Skripts/plugins in this folders are interpreted everytime, you cannot disable them in administration. It is useful for some security settings, e.g. automatic updates of plugins and themes: add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );

72. http://lynt.cz Users 27. 5. 2015 72 HTTP Server (Apache/Nginx) PHP Internet User and admin behavior – strong passwords, connect from trusted networks only, backup, antivirus software, certificate checking, phishing-proof log

73. http://lynt.cz Tips for WP admins • Use HTTPS in administration – https://wordpress.org/plugins/wordpress-https/ – VPN is also a good choice • Backup regularly – both: files and database • Don‘t test plugins in production environment • Remove unnecessary stuff (users, themes, plugins, content) • Set up appropriate permissions to your users • Use tools for bulk management if you administer more WP sites (InfiniteWP, ManageWP), for a smaller number of sites use WP Updates Notifier plugin • Maintain list of all used plugins and themes • If somebody tells you: „don‘t update this “, ask „Why?“, there is usually no serious reason! (if somebody did some changes in original files, ask him for a patch file) 27. 5. 2015 73

74. http://lynt.cz Tips for everyone • Use strong passwords (use password manager e.g. Keepass) • Be careful of bad certificates • Use good and updated antivirus software • Don‘t use unknown Wi-Fi • Delete all saved unprotected Wi-Fi networks from your cellphone/tablet/laptop • Don‘t believe everything that comes by mail 27. 5. 2015 74

75. http://lynt.cz Useful sites • https://www.owasp.org/ • https://wpvulndb.com/ • http://blog.sucuri.net/ • http://packetstormsecurity.com/ • http://www.rankwp.com/ 27. 5. 2015 75

76. http://lynt.cz Homework due tomorrow □ Check for vulnerable plugins □ Check hashes in wp-config.php □ Make a backup □ Remove unnecessary plugins □ Remove unnecessary themes (keep one default template and parent theme if used) □ Lower user rights, if they don‘t need them □ Update everything possible 27. 5. 2015 76

77. http://lynt.cz And that's all, folks  27. 5. 2015 77 Update, backup, use security plugin, be careful Also check my research about WP in the Czech Republic!