Explore key insights from the WordPress Security Team's experiences in this 52-minute conference talk delivered at BSidesLV 2018. Delve into the challenges and strategies of maintaining security for open-source software, with a focus on WordPress's journey. Learn about the evolution of the project's security practices, including the shift towards automatic updates and the complexities of user education. Discover the team's approach to assessing needs, building relationships, and implementing effective tools. Gain insight into code review processes, bug bounty programs, and incident response techniques. Understand the balance between security measures and feature development, and learn the warning signals that can indicate a potential vulnerability. Walk away with practical lessons learned by the team securing one of the most widely used content management systems in the world.