How to Secure Your WordPress Website from Hackers & Attacks using iThemes Security Free Plugin 2020

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
Halperin Sam Nash a canted in this video I'll teach you how to properly secure your WordPress website for absolutely free so to do this we'll be using a free plugin now first of all this is the website that I'll be using for this example as you can see this is an e-commerce website so you might also have an e-commerce website or a blog or a website whatever kind of website it is this tutorial will help you to secure that website now first of all before you proceed further if you don't already have an e-commerce website or any kind of website you can go to youtube and you can search for anything like that for example if you want to create an e-commerce website search for Nia shake ecommerce you will get many different tutorials very now I have explained how to create different ecommerce websites if you want to create a membership website search for Nia shake membership you will get different tutorials on membership websites similarly if you want to search for or if you want to create a blog if you want to create a listing website whatever kind of website you want to create you can just go to youtube and search for Nia shake and the name of the website now what I would recommend you to do is search for news shake ecommerce website why if you want to create this ecommerce website for free because this professional ecommerce website that you see on a screen this is created using only free resources using a free theme and all free plugins and this is an amazing website because as you can see this is 100% professional this is the single listing page or the single product page this is the shop page of the archive page your users will also get a my account page wherein they can see that orders they can see all the different details and in that tutorial I have also explained how to accept payments on your website so you can accept cash on delivery PayPal payment or you can directly accept credit card and debit card payments on your bank account or in your bank account so if you want to create this e-commerce website search for news shake e-commerce and watch this tutorial that you see on your screen all right now let's see how we can secure our website so first of all you have to go to your dashboard so whatever type of website you're using if you want to go to your dashboard simply type in your website name after that put a forward slash WP - admin you will land on your dashboard now to do this we will first need to install a new plugin a free plugin so to do that from the left hand side you will see this option plugins option however that n click on add new now there are many different plugins for this but what I'll do is area and the one that we'll be using is this one I themes security so just search for items and you will see the first result item security formerly known as better WP security this is by I themes you can see it has more than 900,000 active installations great rating last updated very recently and compatible with your version of WordPress so if everything looks fine so just click on this Install Now button now once this plug-in is successfully installed just click on this activate button and obviously this plug-in will be activated once it is activated you will see a new option at the left-hand side so if you see at the left hand side when you scroll down at the bottom you will see this option the last option security option you can hover that and click on settings now firstly you will see this screen so this is a quick setup kind of thing so first this will do a security check on your website and this will you know enable these options for you banned users database backup Local brute force protection network brute force protection strong password WordPress tweaks you know these settings now obviously we can just go ahead and do more changes in these websites or in these settings now for now you just have to click on this button secure site now this will run this security check and you should see a page like this now most of the things should be tick mark for you these two things might not be tick mark for you first option is if your site has SSL certificate so if you see your website if you see this lock pad over here and if you click on that if it says connection is secure it means that your website has SSL certificate so you can click on this option redirect HTTP request to HTTPS now what is this SSL certificate and what does this option mean I'll explain you later on because we will be seeing all these settings in more detail this is just a quick setup now you will see the network brute force protection and you will have to enter your email address and after that you have to click on this link activate network brute force protection this thing will also be fixed for you and now you should see everything is checkmark over here now you can close this option now as you can see when you do that thing most of the things are already activated for you or ready enable for you so what this has done is this has you know done some basic settings on your website now you can go ahead and do some more changes to this website or you can tweak these changes for example the first setting over here is that is this global settings so this will configure the basic settings that control how this plug-in functions so you can click on this button configure settings so let's see how this thing works so the first option over here is this option right to files so we have to allow this plug-in item security to write to these two files WP config dot PHP and dot HT access so make sure this thing is stick mark then after that we have host lock out message user lock out message and community lock out message I'll show you our la I'll explain you this message later on first let's understand the lockout and after that we can understand the message so what happens is you will see these settings so here so many a times the hackers or the person who is trying to attack your website they will come to your website and they will try to search for different pages and many a times they will they are looking for a specific file or a specific page on your website and many times because they are looking for that they try many different URL structures and they see the 404 pages page not found things secondly they can also try to attack your website by trying to login to your website for example they go they see your dashboard page or your login page and they type in username admin they type in some password and after that they try many different users name and many different passwords just to try to log into your website and once they log into your website they can attack your website now what we are doing over here is we are blacklisting them so whenever some user or an IP address tries to hack your website or tries to attack your website we will lock them out so here is the lockout threshold so for example let's see from here see the lockout threshold is 3 lockouts blacklist lockout period is seven days and lockout period is 15 minutes now let me explain you this thing so within 7 days if a person or an IP address is trying to attack your website for example they were trying to log into your website but they were unsuccessful so they will be logged from your website this will autumn happen in you will understand more about this setting later on when we do some more settings okay so if they're if they are locked out of your website first they will be locked out of your website for 15 minutes now whenever they are locked out they will see this message okay so error or you have been locked out due to too many invalid login attempts these kind of messages so what you can do you can just delete they delete these messages and type in some message from your site like don't try to hack this website no any type anything like that now let's continue to these settings so this person for example is just locked out for first time now within seven days if this person again tries to attack your website again strives to you know login to your website again they will be locked out that will be second logout and again they will be locked out for 15 minutes now within seven days again this person tries to you know login to your website invalid login attempts they will be locked out for the third time and when they are locked out for the third time as you can see because the blacklist threshold is three lockouts within seven days they will be permanently locked out to your website which means that they cannot visit your website even if they just go to your website for example even if they just go to homepage they will not see this page like this they will just see a message which would say error you have been locked out duty to many invalid login attempts so I hope you understand what does this thing means now what you should do is you should scroll down and always make sure you click on this button when you click on this button you will see as you can see your IP address will be entered over here so if you are using or if you are visiting your website from multiple computers for example you have your PC then you also have a laptop from which you you know visit your from issue visit your website what you can do is you can go to your laptop you know go to this page click on this button so that you it generates or it gets your IP address for the lock for your laptop and also go to your PC click on this button so that it also gets your IP address for the PC now this will whitelist this IP address which means that this IP address will not be locked out okay so that is what it does so make sure you click on this button and enter your IP address so you now when you scroll down who can manage item security who can manage this plugin don't do anything by default it is administrator and that should be the setting now log type now many many things for many settings over here are not very important so I'll be skipping them but over here it says log type which means that it will generate the event for example at this time someone tried to attack your website he was locked out you know those kind of events so where do they want to save you can just select the first option database only and for how many days you want to keep these log details not 60 days that is just too much type 30 days okay and he also just make it 60 days now this is the path where this files these log files will be saved all right now you can just scroll down at the bottom and just click on save settings so these were the main global settings okay you can again go to configure settings later on if you want to do some changes you can do it very easily now let's move on to second setting which is this Notification Center not very important this is only for notification purposes so if you click on this button configure settings now from which email address do you want to receive notifications so I would recommend you most of times just leave it blank don't type in anything now what this will do is if you enable this thing which is which in this case is enabled so whenever there is something on your website this will send notifications to you and as you can see you can select if you have multiple administrators you can select who all will receive this notification if you type in or if you just select all administrator all the administrator will receive these notifications and those notifications will be your database your database backups or all the different details like someone tried to hack your website or attack your website at this time from this location this is the IP address of that person now those kind of notifications so these all should be basically to default no need to change anything from here just go ahead and click on save settings now user groups he also you should not be doing anything but let me show you what this thing does click on configure settings so here you can I know you can control who all can do what for example contributor can do what if you you can see password is required strong password is required by everyone whether it's contribute or administrator whoever it is okay so if you enable this thing now whoever uses or whatever users are present on your website now because you have enabled this thing because you have installed new plug-in when they login to their website or when they log into this website now they will have to change the password because this time this requires a strong password and if they have already selected a strong password then they don't have to change that and you can just go ahead edit this group like what contributors can do you can use some more capabilities to the contributor for example you can give some admin capabilities to the contributor obviously you should not be doing that so basically don't do anything over here just close this thing now 404 detection very important setting make sure to enable this thing and let's see what this thing does so once enable click on this configure settings button so many times what happens is as I explained to you earlier that a person who is trying to you know attack your website they are looking for someone vulnerabilities in your website and they are looking for specific links and specific pages or files so many a times what happens they try to you know see that website or they try to go to that link and if there if they don't find that link they will see the 4:04 which is page not found link so if a person if a user or a IP address is getting many many 404 errors many page not found errors we suspect that that person is trying to attack a website that person is trying to search for a page that does not exist on this website so if they do that they will be locked out now here we have some exceptions now first of all let's understand the setting minutes to remember for 0 for error so within 5 minutes if they get 20 errors they will be locked out and we have already set the lockout setting in the global settings okay so a person will be locked out if they within 7 days if they are locked out for 3 times they will be permanently locked out oh no if you remember the global settings there we did this setting so here what happens is if a person within 5 minutes is getting 20 of page not found we will lock them okay so if you if you want you can increase or decrease this number for example within ten minutes if a person gets maybe seven a page not found error we will lock them out now here we have white listed few pages or a few files why because you know your Google Adsense your Google search console these things also looks for some file like you know this robot dot txt these kind of files and your caching plugins will see this file so we are white listing this file because this can create some problems so make sure you don't delete anything from here make sure these files are white listed and we are also ignoring these file types so if anyone tries to you know see your CSS they cannot do any harm to your website or these just JPEG images files so not very important so we are ignoring these file types mostly the person who is trying to attack your website they're looking for PHP files okay so make sure you don't by mistakenly type PHP over here so this will basically what it will do is this will ignore the PHP files as well so make sure don't do any changes so here don't do any changes over here if you want you can just increase or decrease these numbers all right and after that just click on save settings now we have the away mode option let's understand what this thing does so click on enable now what this setting will do is for example I know for the fact that I'll be visiting my website and I'll do a I'll be doing my changes on my website only from this time to that time for example if I wake up at 8 a.m. and if I first visit my website you know if I know for the fact that I visit my website at 10 a.m. or after 10 a.m. and if I sleep at maybe 10 p.m. then I know that I have to visit my website only between 10:00 a.m. to 10:00 p.m. so what you can do is you can restrict your dashboard access after you not visit your website let me let me just explain you for example type of restriction you can select daily and you can select to 10 p.m. over here and end time you can select maybe 9:00 a.m. okay so what this will do is this will risk strict access to dashboard from 10 p.m. to morning 9:00 a.m. so within this time period whenever someone even if you or even if anyone tries to visit this dashboard they cannot do that this is just to protect your website so that whenever a person if the person is able to go to your dashboard they can do anything to your website they can corrupt your website they can simply delete your website they can harm your website so this is what this thing does now if you want to understand these things more better you can just read these you know different text which is given at the top just to explain these options all right so if you if you want to enable this thing you can save this thing another option here can be one time for example if I know that I'm going for vacation for seven days so what I can do is from that day maybe from 20th to 27th so now what this will do is from 20 to 27th of me this will lock this dashboard so no one can visit this dashboard so this is what this setting does I'll disable it because I am NOT going to use it now banned users it is automatically enable for you just click on configure settings now just one thing just click on this option just take mark this option hack repairs a hack repair calms blacklist feature so this website has a list of all the blacklisted IP so we want to import that list so that if those IP address try to visit your website we will automatically already block them okay and rest everything you don't have to do anything just click on save settings now database backups click on configure settings now what this will do is this will send the database backups to your email address so you can select whether you want to receive this on email address and also on locally or only email address or only save locally basis basically just select email only and how many backups to retain I you can type maybe 3 or 4 or maybe 10 so 10 latest backups will be restored and after that all the old backups will be automatically deleted and you should be selecting zip file and just don't do anything just click on save settings so basically this will send you the backup file to your email address then after that we have file change detection you can enable this thing let's see what we'll do click on configure settings now this setting is useful when for example here as you can see first of all the file sent folder so whenever there is any changes to these files and folders for example whenever there is any changes to WP login file or WP settings file or WP includes folder wp-content folder you will get a notice that this file was changed so if you change that file or if you did some changes on your website you know that it was you but if you did not do any changes on your website and if you get a notice that wp-content folder was changed or it was edited some more files were added or some files were changed then you will get a notification and you can then know that someone is trying to attack your website and you can do some most things from your site like you can block that user you can block that users IP address so you can do those settings now click on save settings now whenever you come to this thing once you have enabled this click on configure thing and click on scan file now so this will scan all these files that is given over here and this will tell you whether some changes were done to these files or not alright then you have the file permissions no settings related over here so don't have to any do anything then we have the local brute force and network brute force let's understand these two things first let's understand the local brute force so click on configure settings so this setting is selfi when someone is trying to log into your website for example as I said earlier your username can be different but because many people don't change the username which is given by the hosting which most of the times is just admin so many people don't change that username so what these have attackers and hackers try to do is they try to enter that username they try to know enter some password and they try to attack your website so this thing this local brute force setting will block those users will lock out those users will lock out the website for those users and for those IP addresses and you can control the maximum login attempt per host per user and all the threshold from here now automatically ban anyone who is trying to use admin ok so if you go to your website let me do one thing let me show you if you see over here at the top right corner you will see your username or you can do one thing you can just right click and open this in a new tab now when you scroll down this is your username make sure your username is not admin because if you take mark this thing you will be basically locked out so you don't want to do that now here as you can see this is our username many people try to you know log into your website using this very common username so whenever someone even tries to use this username we want to immediately lock them out so this is very important and your attempts so within five minutes okay five minutes to remember within five minutes if our user or if ur IP address gets five attempts five bad attempts five wrong attempts we will lock them out okay and similarly maximum attempts per user so within five minutes if a person gets five error five login error they will be locked out from this website okay click on save settings again now let's see the network brute-force and let's understand the difference between these two click on configure settings basically you don't have anything to do here but I just open this just to explain you the difference now we have the local and the network so in network what we do is there is a network of nine hundred thousand websites so all the people who are using this high item security plug-in they have a network so maybe someone tried to attack my website so this plug-in will get the IP address of that user or IP address of that computer and what this will do is this will spend this or this will spread this IP address in the network now all the people who are using this plug-in now that IP address will be logged out from everyone's account okay I hope it is understood let me let me explain you again for example there is we are in this network because this is enabled so we are in a network which is a network of all the people who are using this plug-in now if there is a website that is using this plug-in a hacker or an attacker tries to attack that website this plug-in will get the IP address of that attacker and it will enter that IP address in this network so what happens is every person who is using this plug-in for them this IP address will be automatically blocked because this plug-in knows that this IP address is trying to attack different websites so I hope again this is cleared so very important setting again then after that we have the password requirement so if you click on configure if you enable this thing everyone will have to choose a strong password strong password is just a lengthy password which has alphabets plus numbers plus special characters like Asterix you know those brackets and also that is a strong password now let's see SSL certificate so we already have SSL certificate installed on our website as I said if you want to see whether it is installed click on over here in if it says connection is secure and if you see this lock pad which means that SSL is installed for you let's click on configure settings now you should always make sure this that this thing is enabled now what this will do is it will you know filter all the data or all the visits on your website from HTTP to or to automatically to HTTPS from the non secured version to the secured version all right again you can just read this thing you will understand it much better now system tweaks now let's enable this thing take on configure settings now let's understand these settings so first of all system files so there are very important system file so here like this config.php wp-config.php WP includes and this dot HDX is so if you want to prevent public access obviously you should do that you should take Mac over here and now also you should take mark this thing directory browsing so that no one can see the directory browsing if there is a no pH no index file so if there is no index file ID if you delete the index file from your website anyone can see the directory browsing which means that they can see all the different files on your website and they can attack that file so very important make sure you take mark both the system files and also the directory files now these things are also important but tick marking them sometimes might create some problem for some other plug-in that you're using on your website so I would recommend you to not take mark this but tick mark this one upload PHP and upload so no one can upload a PHP file on your website in the media folder you can have a PHP file in the backend but not in the front end because most of times when someone uploads a PHP file in the back in the front end they are trying to attack your website so make sure you tick mark this system files directory browsing and PHP in uploads now click on save settings now WordPress salts click on this option configure settings this is automatically enabled for you so there is a secret key in built for WordPress if you want you can simply go ahead and you can update that key and even once that key is updated it will make your password something like this very big which is very difficult to crack so once you tick mark this thing now remember once you take mark this thing you will be logged out and you will have to login again so I would recommend you to update your WordPress salts tick mark this thing click on save settings now as you can see you are logged out you lock you will have to login again and if you yeah this is what I was talking about if your password was not strong now because we have enabled strong password and because we have enabled this plug-in we have activated this plug-in now every user must have a strong password like this so this will automatically recommend you few password if you like this you can have this or you can just type in some password from your site for example most of people just type in the phone number now as you can see that is a very weak password and if you add some alphabets over here this will make it strong ok so make sure you have a combination of alphabets and numbers and these kind of special characters ok so I have set a new password a strong password and now I can click on update password now you will see this page now let's again see some more settings from the left hand side security settings all right so we have seen the final thing is just WordPress tweak click on configure things now here just make sure these two things are enabled now first of all this is the most important one file editor now let me first do one thing if you how our appearance right now you don't see theme editor over here and that is very important if I just untick this thing file editor if I don't disable file editor let me show you safe settings if I again refresh this website let me show you what happens now you will see under appearance there is a new option theme editor and once you click on theme editor now you can see all the PHP files from here and anyone can come they can attack your website they can you know they can have or they can just paste in some script that will display different kind of ads on your website oops on your website that will really make your website very irritative so you should not have this thing enabled we should always hide theme editor so again very easy to do that from the left hand side again go to security settings and make sure under WordPress tweaks this thing is tick mark okay so that no one can see the file editor now click on save settings now again if i refresh this thing under appearance now as you can see that file is now hidden now let's see a very important and advanced setting so this was all under recommended now let's go to advanced so click on advanced now don't touch these things admin user content directory these things just go to hide back-end because this is very important so go to hide pack and click on configure settings now we all know that whenever website is using WordPress we know how to go to the dashboard let me show you this website is using WordPress you should always know that but if you don't know let me explain you if I open this website in a new private window now if anyone sees that this website is using WordPress they know how to go to the dashboard or how to go to the login page they can type WP / WP - login dot PHP this is the login PHP file they can go to this page and they can see this login thing and now they can just try many different username many different password and they can try to log into your website or they can go to WP - admin it will redirect them to the login page so we want to hide this page so that no one can see this page so to hide this page this is where this thing is important hide backend make sure to first enable this thing and now change your login slug so instead of that WP - admin W - login what you want to make maybe I want to make a turn a yours one two three four five six or maybe let me just type in near one two three all right you can type in more things over here alright so make sure you do this thing click on save settings now let me show you one thing again let's go to that file over here now if I go to my website and let me show you now if I go try to go to WP - admin let's see what happens if I go to WP - admin now as you can see I'm getting off zero for page not found page now if you remember we have first of all what is happening we are not able to see that page we are not able to see the wp-admin page let's see we can see let's see whether we can see the WP login page WP - login dot PHP now as you can see we can also not see this page and also if you remember we had a setting for 4 0 for error if you again go back to this setting first let me just click on save settings we had a setting in the recommended option related to 4 0 for detection so within 10 minutes if I get 7 such errors like these errors I will be locked out because I am trying to look for a website or look for a page or a file that does not exist or may be hidden so this is a very useful plugin and now let me show you whether I can visit that page with the new thing that I have checked ok with the new slug so it was in a year 1 2 3 if I visit this link now I can say this page so as you can see this is working absolutely fine all right guess over this this tutorial is completed so if you follow these steps your website will be very much secure you know at least more secure than what it was before this plugin and with this this tutorial is completed I hope you guys enjoyed this tutorial I hope you guys find this thing helpful if you find this thing helpful make sure to subscribe to this channel and click on the bell icon so that you can watch more videos more useful videos like these ones always make sure to go to youtube whatever website or whatever video you're looking for just type in my name now your shaken after that you can just search for that for example if you're looking for amazon affiliate website you can see that website if you are looking for maybe ssl related thing just type in that you will see this thing if you ohh if you want to improve the speed and performance of your website just type in your shake speed or something like that now as you can see how to improve your website speed so all the tutorials related to WordPress are available on my website so make sure you check them out now please don't forget to give a thumbs up to this video and throughout the video if you have any doubts any comments any suggestions for me you can leave them in the comment section below thanks a lot for watching this video guys see you in the next one
Info
Channel: Nayyar Shaikh
Views: 51,792
Rating: undefined out of 5
Keywords: ithemes security wordpress, ithemes security tutorial, ithemes security setup, ithemes security change login url, ithemes security file change detection, ithemes security review, what is the best security plugin for wordpress, wordpress security plugins, wordpress security tutorial, nayyar shaikh, wordpress, wordpress security tips, how to secure wordpress website, wordpress security, wordpress security 2020
Id: iFn6x4-qtR0
Channel Id: undefined
Length: 31min 14sec (1874 seconds)
Published: Sun May 24 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.