Hey, how's it going? Alex here from Idea Spot, and in today's WordPress tutorial you're going to learn how to set up the All In One WP Security & Firewall plugin.

The All In One WP Security & Firewall plugin is an excellent free security plugin for WordPress, and extremely popular as well: 800,000 active installations, and it genuinely is free. It's made by Tips and Tricks HQ, who do a lot of great free WordPress plugins. I'm not sponsored by them at all, I just really am a big fan of what they do, and this security and firewall plugin is probably one of their best pieces of work.

So we're just going to head over to Plugins, click Add New, and search for the word "security" in the search bar. When the search loads we can see the most popular security plugins: Wordfence, which we've already covered, Sucuri, which we've already covered, and All In One WP Security & Firewall, which we're having a look at today. So let's go ahead and click Install. The top four plugins are really these three along with iThemes as well; I'm going to look at iThemes a bit later. They all do slightly different kinds of things, so they're all worth looking at. Let's activate All In One. I've got my little message that says it's activated, and now we've got a WP Security option in the WordPress dashboard menu.

The cool little thing they've done with this is to kind of gamify the security dashboard with a little meter. We start with the meter saying our security strength is not very strong. Well, that's not true: WordPress is actually quite secure out of the box, and this plugin just adds lots of layers of hardening on top. As we go through, we'll see this strength meter increase, and the more intermediate and advanced features you implement, the further the meter will click along. We're not going to get right to the end, but we'll get into the green area and get most of our points sorted out.

First thing, let's head over to Settings and have a look at the one called WP Version Info. This is one little security tip: you just check that box and it removes the WordPress version from all the pages. Bots scan across the internet looking for specific versions, and if a version has a known vulnerability that day they might attack it, so hiding the version just hides one vector that hackers can attack you from.

The next place we can get some of these points is the User Accounts section. That says 15 out of 15 for the login name check, because I'm not using a login name called "admin". That's the first thing: never use "admin" as your username. My username is ideaspot, so that's 15 out of 15. Let's check the display name next. I've got 0 for this because ideaspot is my login and it's also my display name, so we want to edit that. Click the link there and it takes you to the user edit screen, and we change the nickname to something other than what we actually log in with. I'll call it "ideas book class"; you can decide whatever you like for your website, but change it so it's not exactly the same as your login. Then scroll down to the bottom and click Update Profile. Now that's all saved, let's go back to User Accounts, reload, and see if we've picked up five more points, which we have. Pretty cool.

Let's have a quick look at the password tool here. This is just a little tool that shows you the strength of your password. The trick to making a strong password is simply making a nice long password. You can see here that something like 1 2 3 4 5 6 7 8 9 10,
or any sequence like that, isn't going to take very long to crack at all. You need a nice random sequence of letters and numbers, and by the time you get a decent length on the password it's going to go into the thousands and thousands of years to crack. So make sure you've got at least 15 to 20 characters in your password and you've used some combination of capitals, lowercase and at least some numbers. Check your password and make sure it's strong enough; you want to get it into the green area there. I think most people by now are using a password manager, and you can use a generated password from Google Chrome or wherever and you'll get a strong password by default.

Okay, the next thing we look at is User Login. Here we enable the Login Lockdown feature. This is an important feature that stops people trying to brute-force their way into your admin area. All we want to do here is check these options and save the settings. The only thing I wanted to ignore was the email notifications, because I hate getting email notifications: there's always some bot scanning the web and trying to randomly log into websites, and you just don't need your inbox getting filled up. If you've got a fairly popular website you'll get login attempts all the time, and that would generate way too many emails, so I don't really recommend checking that one. Let's save the settings there.

Next is the whitelist settings. I wouldn't really need to use this, and you can probably just leave it blank. If you really want to get into the advanced features of this software, and you risk locking yourself out by making it too secure, you could put your own IP address in there and that IP address will always be allowed to log in no matter what. You could try that, but I think we'll leave it blank for now and go over to the next option, Failed Login Records.
This will just show you if people have been trying to log in and failing, i.e. trying to brute-force their way in. I've only just installed the plugin, so there's nothing here yet, but it might help me trace anyone who's trying to attack the site.

Force Logout: you could check this and it would force users to be logged out after a certain amount of time. That could be a bit annoying if you want to leave yourself logged into the website all day on your own computer that you trust, so I think it's okay to leave that off, but it's up to you; it's not essential. Account Activity Logs: again, nothing in the logs yet, but you can use these logs to help trace any security issues if you come across any.

Okay, the next thing we'll look at is User Registration. If we check this, it will require manual approval of new registrations, so when people register for your website you as the admin approve them first; no automatic registration. This might not work if you're running a membership site where you want people registering all the time, so it can be annoying, but in most cases, if you're just running your own private blog and you only have yourself or maybe a few other editors or authors, this is probably fine, so I'd recommend it in most cases. Let's save our settings. The next thing here is Registration CAPTCHA. This is cool: it lets you use Google's CAPTCHA on the registration form, so people actually have to pass the CAPTCHA to register. I'd check that. The Registration Honeypot is just a little hardening trick for the registration page. It stops bots from registering, because it adds a hidden field that bots will fill in but humans won't notice. So go ahead and check that one as well, and don't forget to click Save Settings for any of these.

Now let's go ahead and look at Database Security. This one can be good or bad.
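The Login Lockdown and Failed Login Records features above amount to one rule: count failures per source IP inside a time window and lock the IP out once a threshold is reached, with the whitelist as the exception. Here is an added Python sketch of that rule, my own and not the plugin's code, run over a constructed set of failed-login records; the thresholds (3 failures in 5 minutes, 60-minute lockout) and the log line format are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login records: timestamp, source IP, username tried.
# The addresses are documentation ranges (TEST-NET), not real hosts.
SAMPLE_FAILED_LOGINS = """\
2024-05-01T10:00:01 203.0.113.5 admin
2024-05-01T10:00:03 203.0.113.5 administrator
2024-05-01T10:00:06 203.0.113.5 admin
2024-05-01T10:00:09 203.0.113.5 root
2024-05-01T10:04:00 198.51.100.7 ideaspot
2024-05-01T10:30:00 198.51.100.7 ideaspot
2024-05-01T11:00:00 198.51.100.7 ideaspot
2024-05-01T12:00:00 192.0.2.10 admin
2024-05-01T12:00:01 192.0.2.10 admin
2024-05-01T12:00:02 192.0.2.10 admin
"""


def parse_records(text: str):
    """Parse 'timestamp ip username' lines into (datetime, ip, username) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        records.append((datetime.fromisoformat(ts), ip, user))
    return records


def lockdown_decisions(records, max_attempts=3, window=timedelta(minutes=5),
                       lock_for=timedelta(minutes=60), allowlist=()):
    """Return [(ip, locked_at)] for every IP that hits max_attempts failures within `window`.

    IPs in `allowlist` (the plugin's whitelist idea) are never locked. While an IP is
    locked, further attempts are rejected without being counted again.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}
    lockouts = []
    for ts, ip, user in sorted(records):
        if ip in allowlist:
            continue
        if ip in locked_until and ts < locked_until[ip]:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:   # drop failures outside the window
            attempts.popleft()
        if len(attempts) >= max_attempts:
            locked_until[ip] = ts + lock_for
            lockouts.append((ip, ts))
            attempts.clear()
    return lockouts


if __name__ == "__main__":
    for ip, when in lockdown_decisions(parse_records(SAMPLE_FAILED_LOGINS)):
        print(f"lock out {ip} at {when.isoformat()}")
```

In the sample, the two hosts hammering "admin" are locked on their third failure, while the legitimate user who mistypes once every half hour never trips the window; that is the behaviour you want before you reach for the whitelist, which only matters if your own address risks being caught.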
A lot of people really like changing the table prefix of the WordPress database, but it can break some plugins that don't work without the standard database prefix, so I'll leave that for now. You could test it, but make sure you back up your website before you try this one; it's more of an intermediate to advanced option, so I might leave it.

Database Backup: it's kind of cool that WP Security includes a little database backup system. I actually use UpdraftPlus already on here, so I don't specifically need it, but I'll tick it for now just to show you the feature is available. You can have a backup of your database every four weeks and it'll keep up to two; you might want more, say a full year of database backups at every four weeks, so that might be okay. Let's save that. You can also get a copy of the database emailed to you. As long as your database isn't massive that will probably work fine, but if you've got a huge WordPress site that might be a forty megabyte email or something and it might not work, so just test it. Even if you don't check that, it'll still save the database backups in a folder inside your WordPress install, so you'll be able to use FTP or the file manager in your control panel to get the backups out of there. Either way you'll be able to get your backups.

Let's have a look at File System Security. This is just about file permissions, and you want to make sure this is all green. In this case I've got one where the recommended permission is a little different from the current permission, so let's just set the recommended permissions and make sure these are all green, and you'll get some points for that. Let's reload and check if I've got my 20 points. Cool. There are a few things we can do in here, like PHP File Editing: check that so that people can't edit PHP files from inside WordPress. WP File Access prevents access to the default install files, so let's go ahead and check that too. Just make sure you test your website afterwards and that it doesn't break any of your plugins, because some plugins do rely on being able to do these things, so depending on the website, tightening security can sometimes cause issues. Like I said before, it's good to have backups. I'm using UpdraftPlus and I'd recommend taking a backup before you start fiddling with too many advanced features here, just for your own peace of mind in case you end up breaking something, if you're not too familiar with what these things actually do.

All right, now let's look at the Blacklist Manager. You can ban specific IPs here if you like; if you're under attack from a certain range of IPs, you'd need to find out what they are and add them in here. We're not under attack at the moment, so it's not really going to be of any use putting things in there, but just be aware that it exists. It can lock you out of admin if you don't use it correctly, so maybe we'll just leave it blank for now. I think it says you must enter at least one IP address, and if you mess that up and put in the wrong IP range and block your own IP address, you might have to go into your database and manually remove it, which is going to be a huge hassle, so maybe just skip this step for now.

Let's go and have a look at the Firewall. This is a basic firewall; it's not as powerful as, say, the Wordfence Web Application Firewall or some of the paid firewalls you might get from someone like Sucuri or from a Cloudflare Pro plan, but it's a nice little basic firewall that will stop some of the common threats you might face, and it does a few little things, so it's worth ticking that one. These other ones here I'm not really sure about; I think most people won't need them, so it doesn't really matter if you leave them blank. The Debug Log File option, definitely check that, because some bots will scan the debug log file looking for any functions they might be able to exploit, so it's good to just block access to it. You can always get at it through your own FTP or file manager, so you don't really need access to it through the web.

Now let's look at the Additional Firewall Rules. There are some pretty good ones here, like Disable Index, Disable Trace and Track, Forbid Proxy Comment Posting, Bad Query Strings (which helps against malicious cross-site scripting) and the Advanced Character String Filter. These are all really common exploits that people use to attack insecure plugins, so it's pretty cool that it includes all these features. Go ahead and save those. The Blacklist Firewall Rules cover a common sort of exploit that was in use; no need to go into the exact details of how they work, but definitely check both of those and save.

Internet Bots: let's have a look at that one. Block Fake Googlebots doesn't really matter; I'd leave it unticked, to be honest, because I think there are other bots you might be blocking incorrectly if you use it. It's up to you; you could test it out, and if it causes problems with the way some of your plugins work, turn it back off, but I'm just going to leave it off for now. Prevent Image Hotlinking: I think for most sites you don't really want image hotlinking. You might have some reason to allow hotlinking images from your website, in which case don't tick it, but I'm going to tick it in this case. 404 Detection I can leave unticked for now; I don't think we need to go into that. Custom Rules lets you add custom rules to your .htaccess, which I think is a bit advanced for this tutorial, so we can leave that as it is.

Let's go ahead and look at Brute Force Protection. Rename Login Page: you can rename wp-admin, and a lot of people are fans of renaming their admin login page, but it can break a lot of plugins and can lock you out of your own website if you mess something up, so I think it's probably not worth checking at this point. It doesn't give you that much extra security, to be honest. Login CAPTCHA: this is kind of cool, but you do need to sign up for Google reCAPTCHA for it to work. If we check it, we need a site key and a secret key, which we get by going to Google reCAPTCHA and setting up a CAPTCHA. There are a lot of ways a CAPTCHA prevents bots from attacking your website, so let's go ahead and set this up right now. All you have to do is go to the reCAPTCHA page; I'll just delete that out and show you how it loads. It takes you here, and you click the Admin Console there and it lets you sign up. My website is the dev Idea Spot site, and I think it's using reCAPTCHA v2. Let's have a look: it says reCAPTCHA v2 widget, so we choose reCAPTCHA v2, and you can choose what kind of CAPTCHA you'd like: the "I'm not a robot" tick box, which I think is quite cool; the Invisible reCAPTCHA badge, which just does the check in the background; and reCAPTCHA Android, which validates requests in your Android app. I'm going with the "I'm not a robot" tick box, and the domain we're using is the dev Idea Spot site, so let's pop that in. You don't need the http, you just put the domain in like that. Put in your email address, accept the Terms of Service and click Submit. Then you get a success message and your site key and secret key. I'm just going to copy both of these. Your secret key will be here; I've removed mine from the video so you can't copy it, but you'll get one in there anyway. Let's go ahead and paste those keys into the settings, and then we can enable the CAPTCHA on all these pages: login forms, lost password forms and custom login forms.
Go ahead and enable it on all of those and click Save. The other things here are Login Whitelist, which I don't recommend, because it restricts you to logging in only from a certain IP range, and you might travel, or use a mobile phone or a different SIM card to log in, and not know your IP address and get locked out of your own website. So I wouldn't use that one. The Honeypot I think is worth selecting; go ahead and check that, it's just another way to stop bots trying to log into your website.

Let's have a look at the Spam Prevention options. Again we can enable the CAPTCHA on the comment forms and block spambots from posting comments, so let's save that. Spam IP Monitoring we don't really need to mess with; I think the CAPTCHA does most of the work there.

Let's have a look at the Scanner now. This is not really a malware scanner, it's just a file change detection scanner, so it's worth ticking, but it's not as good as having, say, the Wordfence malware scan or the Sucuri malware scanner, so just be aware of that. It will scan and tell you if anything's changed; if you didn't mean to change anything, that might give you a clue that there's been an attack, but there may be automated processes running on your site that make it look like something's off when actually everything's fine, so you'll probably get a lot of false positives. Test it out for yourself and see if you like it. It'll email you if you check that box; I don't really like getting lots of emails, but it's up to you. There was a malware scanner item there, and like I was saying, you really need a dedicated malware scan. They do offer one, but it's not part of this plugin. You can go ahead and check out the site scan service they recommend, or, like I said, Wordfence or Sucuri have a very good external malware scanner.
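The file change detection scanner described above works by hashing every file, keeping that manifest as a baseline, and reporting what was added, removed or modified on the next run; the false positives come from files that legitimately change all the time. Here is an added Python version of that idea, my own and not the plugin's scanner, with an exclude list for the directories that churn; the directory layout and contents are constructed in a temporary folder so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories whose contents legitimately change all the time; hashing them
# only produces the false positives the video warns about. Assumed defaults.
DEFAULT_EXCLUDES = ("wp-content/cache", "wp-content/uploads")


def scan(root, exclude=DEFAULT_EXCLUDES):
    """Return {relative_path: sha256} for every regular file under root, skipping excluded prefixes."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in exclude):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests and report added, removed and modified paths (sorted)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a tiny constructed WordPress-like tree, take a baseline, change things, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-content/cache").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        (root / "wp-content/themes/demo/functions.php").write_text("<?php // constructed theme file\n")
        (root / "wp-content/cache/page.html").write_text("cached page\n")
        baseline = scan(root)

        # Simulated changes between scans.
        (root / "wp-content/themes/demo/functions.php").write_text("<?php // constructed theme file\n// line appended\n")
        (root / "wp-content/themes/demo/unexpected.php").write_text("<?php // new file\n")
        (root / "wp-content/cache/page.html").write_text("cache regenerated\n")   # excluded: no alert
        (root / "wp-config.php").unlink()
        return diff_manifests(baseline, scan(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The cache rewrite is silent because it is excluded, while the edited theme file, the new PHP file and the deleted config are all reported; tuning that exclude list is how you keep a change scanner useful rather than noisy, and it still tells you nothing about whether a changed file is malicious, which is the job of the separate malware scanner the video recommends.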
So definitely have a look at using a malware scanner. Let's look at Maintenance now. You could use this while you're working on your site during the development phase: you might just want a blank page, and it will just say the page is not currently available. So if you've got problems with your website, or if you're working on a brand new site that hasn't been launched yet, you could use the front-end lockout. I'm actually using a plugin called Coming Soon Mode which does the same kind of thing: while you're developing a website you don't want it open to the public, and that allows you to do that.

Then let's have a look at Miscellaneous. Copy Protection is that annoying right-click block, if you want to stop people from right-clicking and copy-pasting things. I think that's really annoying, because I'd like my readers to be able to copy and paste the address, phone numbers or other bits of information they want from my website; make your website user-friendly for actual readers. So I wouldn't tick that one. Frames: someone might try to iframe parts of your site and use them for their own purposes, so you can check that if you want; it doesn't really matter. Users Enumeration isn't critical either, and a lot of common WordPress plugins need the WP REST API, so I wouldn't bother checking that one either.

That basically wraps it up. Let's go back to our dashboard and see what we've got. We've got 375 points out of the total, so we've got a WordPress website that's a lot harder to crack, thanks to this free plugin. Hopefully that was useful. Go ahead and test all these things to see what works for you, and make sure you take a backup. I really love UpdraftPlus; take a backup before you mess with anything too advanced. If you're a beginner, definitely take a backup before you try these security features, because sometimes you don't know exactly what you're getting yourself into, especially if you've got an established website with lots of plugins and lots of content, and you don't want to risk messing everything up. That's my only word of warning, but I actually really like this security plugin. It gives you a lot of extra little features that you don't get in a standard WordPress install, and it doesn't really cost you anything in terms of performance, so I think it's a good option. Definitely check out the All In One WP Security & Firewall plugin.

Thanks for watching. I'm going to come back and look at the iThemes Security plugin as well, so stay tuned for that one. I hope this has been useful; give us a thumbs up if you enjoyed it, and I'll see you next time.
