Hey guys what's up? You don't want to get hacked,
so let's get started by securing your WordPress website. And in this video we will be securing my
latest website which you can see in this tutorial which shows you how to exactly create this awesome
website. So be sure to check that out. So first we log in to the dashboard, and then you go to
'Plugins' -> 'Add new'. Because the only plugin we will need is this one: "iThemes Security",
just press Enter. And this is a completely free plugin. They have a pro version but for
now the free version is perfect. Press 'Install Now' and then we press 'Activate'. Now our plugin
has been activated. So the first thing we're going to do is we're going to press this 'settings'
button right there. Do you have a webshop? You have a Network website with a forum for example?
Do you have a nonprofit website with donations? Do you have a blog with a lot of interactions
with comments? Do you have a portfolio just with a lot of pictures for example, or do you have
a brochure website: a simple website to promote your business. Well, choose the one that fits you.
Why? Well, because different features are going to be enabled depending on which one you choose,
because for eCommerce we need different security settings than for a brochure. We
are now going to use the brochure website: simple website to promote your business. We are
setting the website up for ourselves. And yes, I want to enforce a password policy. Why is this?
Well, the entire security of your website could be compromised with just a weak password. So guys,
this is really important. Use a strong password. Press 'Next'. The next step is enabling two factor
authentication. This is powerful. If you enable this combined with your strong password, then
your website is pretty much unhackable through the front gate. So if you enable this - let's push
on this button- then you need an app on your mobile phone or a text message or anything else that
will prevent users from logging in without using a second authentication factor. This is great. So
we're going to enable this and we're going to press 'Next'. You want to keep this enabled.
This is just for when people try to log in: they have guessed your username right and they are trying
to log in by guessing your password. Well, it's pretty hard, and without your mobile phone
with authentication it's pretty much impossible. But if they're trying to do so, they will be
locked out when they try five or six times. Also, with network brute force protection, all IP
addresses will be checked against a database so they know exactly who to block and who not.
So press 'Next' on this one. And if you want Security Check Pro, just as I said, enable
this one because this is a powerful feature. Press 'Next'. Now this is useful if you
have different authors on your website. If you're the only one, just press 'Default'.
If you are the only one using your website, you can press 'Skip user groups'. If you're not
the only one and you have multiple people working on your website, you can actually configure this per
user. So let's say you're the administrator and you have a couple of editors or authors and you
don't want the editors and the authors to change the iThemes Security settings. So you can disable
the global settings in a security dashboard for that group of people. It is very very useful. We
don't have different user groups on this website. So you can press 'Skip user groups'. If you
don't have any other people who are going to your website, press 'Recommended configure site'. This
is the place where you can add your IP address to WordPress security so you will never be blocked
out of your website. This is very useful. Just press 'Add my current IP to the authorized host
list'. For me, this is not going to do anything because I use a VPN so nobody can track what I'm
doing and I have a secure tunnel set up. So this changes for me every day. We're going to change IP
detection to 'Security Check Scan (Recommended)' and we're going to press 'Next'. We want the network
brute force protection so we have to fill out our email address the@WPressDoctor.com. If you want
to receive email updates every week -well I don't- but if you want just enable this one and press
'Next'. Email notifications are very important, so enter your email address. I only want
to receive those emails myself. If you have more administrators on your website, don't click this
box because they will all receive the daily digest and they will receive all the mails every single
day. We've got to disable it because it actually drives me nuts: how many hackers, how many bots
have been disallowed and blocked from the website. So just select the users you want to receive
the emails and press 'Continue'. This is just an overview of what we have already set up. You
cannot change anything here so press 'Secure site'. And now it says our site has been secured
so press 'Finish'. Good work! Now you go back to 'Settings' because there are a couple of things we
still need to configure before we are completely secured. So let's go over all the settings one
by one to set up your security once and for all. So the two factor authentication, if you press
on the 'Edit Settings', you can change the method of how you can secure your login with two
factor authentication. You can use all methods of course you can do all except email or select
the methods manually. Now you can change that the only one to use the mobile app, email or
backup code as well. This is user independent so they all can choose which one they want. If
you only want to use mobile apps for your users, then just only select the mobile app for example.
Its the most secure way. So we're going to set this up later on. So just press 'Save' right here.
Let's get back to the settings using 'Features' right there. Alright, we have the lockouts, this
is the way to ban users. Press on 'Edit settings'. You can change the ban list that will enable
banned IPs in server configuration files. There is a limit of 100 IPs. That is more than enough so we
can just leave it right there. Local brute force, this is a very powerful feature I always enable
this one. Automatically ban admin user, because automatic bots will always try to log in using the
username admin. However, if that's your username, you need to change it right now. Change
your username. If you're unable to change it because there is only one user, it is
admin, and you can't change your username, then you just need to add a new user, make it an
administrator, and use another email or your own email. Just create a new user with a different
username because the username admin is the worst username you can ever have on a website!
This is the max login attempts per host. I always change this to three, so you get three tries
and then you're out. The max login attempts per user, I put this on five. And the minutes to
remember a bad login, I always change this to 10 minutes, so if you are locked out, after 10
minutes you can try again. Press 'Save' and then we go to Network brute force. We have already
got the banned report APIs. We have an API key, which is great. Alright, let's get back to our features and
we were at the lockouts; next is site check. This is a powerful feature that lets you
constantly monitor the file changes on your website. Because when hackers infiltrate
your system, they are going to change different files in your WordPress installation. And that
way they can easily change different scripts to add malicious code to your website, so people
download Trojan horses or they get redirected to poker websites, or porn websites, or pill websites
(the 3 p's) and you don't want that. However, the file change monitor is really thorough.
That means every time you update something, you will get an email because files have been
changed. Even when the cache has been emptied, you will be notified that certain files have been
changed. If you want to enable this one you can just press 'Enable it' and then you can press this
gear icon to whitelist certain files and folders. For example: your caching files & folders should
not be included in the file change monitor. For example, if we want that, we go to wp-content,
we go to cache, and then for the cache folder we press 'Select', so now /wp-content/cache/ will not
be actively monitored. And also /et-cache/ from Divi. We have to whitelist this one to
exclude it. Let's go further and also add the /uploads/et-temp/. You don't want that one
included. Alright, after you have added this one, press 'Save' and now we have a file change
monitor set up correctly. Then we go back to features and we were at the site check, right,
that's all good. Let's go to utilities, enforce SSL. Enforce that all connections are made through
SSL/TLS. Enable this one! This is important. If you use SSL -and I strongly recommend you
do- then enable this one. Your database backups: for this one we are going to edit the settings. So
now you have everyday backups of your database. However, I am still convinced that your hosting
company should do your backups from your files, your emails and your database. But better to
be safe than sorry. So if you want this to be emailed to you, then press 'Schedule database
backups' and use the backup interval... well, you can do three days between them or you can use
seven days. The normal security guys would say: "No you need every single day, you need one
backup!" I totally agree, but if your website doesn't change that much, then maybe you should
put it on seven. It's completely up to you. I prefer to have it saved locally and emailed
to you, because when you have it in your email it is disconnected from your WordPress website. So if
your website got hacked, you always got backups in your email and not only saved on your hosting.
Because when they infiltrate your website, well they are in and they're going to really
screw up your website and your database. Now the number of backups to retain. I think 30
backups is the max; that will be great. If you don't visit your website often, or not even once
a month, then I would suggest you change this to 360. So you have backups for the entire year
of your database, which is very important. This is all good. So let's press 'Save'. And
then we go back to features and utilities. And we were at the database backups. That's
all right, and the Security Check Pro is enabled, so that's awesome. All right. Then we go
to the next step: 'User groups'. Well, I've already explained this. If you're the only
one just leave it like this. If you have multiple people on your website, you can change this. That
is really useful. Let's go to 'Configure'. The global settings - allow iThemes Security to write
to your files, this is important because otherwise you have to make the changes manually, and that is a
bit of a hassle. Alright, 15 minutes to lockout; I would say change that to 10 minutes. And how
many days will a lockout be remembered? I think this is perfect. Ban repeat offender -
of course if you are banned three times in a row, you get banned permanently. This is great, just
keep it on three, this is awesome. The lockout message is just an error: "You've been locked
out due to too many invalid login attempts." You can change this of course to anything
you want. "Your IP address has been flagged as a threat..." I would suggest you remove the
iThemes Security Network, as that is a security risk because now they know which plugin you are
using for your security. So remove that one. Authorized host, we have already enabled that this
is your own IP address. Database logs: you can see whatever happens on your website; you can change
this to: File only, Database only or both. I would suggest to use database only. IP detection, we
already did that. The security menu in the admin bar, they're talking about this little thing.
And it is useful when something has happened that you want to know about, but it's also pretty annoying
that with every new feature you get a message right up there. It is a bit of, well, it's
just what you prefer. I would suggest you press 'Hide security menu', press 'Save' and then we go
to 'Login security' right there. And then actually the login security we already have done this.
Lockouts, we've already done this. Site check, we've already done it and the utilities, we have
already done that so it is pretty awesome. Let's go to notifications. In the notifications you
will see... let's press on 'Security digest'. If this is enabled, you will get every single day
an email with what is happening to your website. In the beginning it's interesting; after a week
you are saying "STOP EMAILING!" so I would suggest you just disable this one, and press the 'Save
all'. Site lockout notifications - that is really annoying to see all those bots trying to get into
your website and getting all those emails. If you want to receive them, keep it enabled, it is
your choice. Database Backup. Where will it be sent to? It will be sent automatically to the
email of the website owner. That is in this case divi-doctor.com. If you don't want to use this
email address, change it to another one. Let's go to 'File change'; here you get emails when your
files have been changed. You can enable this one. Let's go to two factor email. Here you can change
what the email is when you want to use the two factor authentication with an email. And this
is the mail that's been sent to you: "Hi [and then your name] click the button to continue
or manually enter this code below to finish logging in." You can customize this email, choose
whatever you want. I think this is a good email. So we'll just leave it right there. Yes, the two
factor email confirmation. This is very important if you want to use it for your email because this
is the setup for the two factor. I don't know why they have this where you can disable it, but I
think this is a pretty useful email, so just leave it in right there. Alright, that was all the normal
settings let's go to the 'Advanced settings' right here. At the advanced we have some important
tweaks to be made to your WordPress installation. For example, the system tweaks. You want to
have these system files protected. You want to disable directory browsing -this is amazing,
important stuff. Disable PHP execution in uploads, in plugins, in themes. You can read all about
what it does on this site. I don't need to read it out loud because you guys know. If you go
to WordPress tweaks, then this is an important one that you sometimes want to change. Disable file
editor. This means if you go to 'Appearance', now the 'Theme editor' has been removed from this
menu. If you ever need it because you need to add some custom snippets or anything, you have to
go into 'Advanced' -> 'WordPress Tweaks' and disable the checkmark. And now if you press
'Save' and we reload this page, now we go to appearance. And now we have the 'Theme editor' back
in its place, as you can see. Know where it is, remember it, because you will not find it anywhere
if this is enabled. It's a powerful feature. So you should leave this on. Right, the API Access
- XML RPC: well, I would say you disable this one, because this is the most common way
hackers find your username and try to log in automatically using different bots. However,
there is a drawback to this. Some plugins won't work when the system is turned off. For example,
the Jetpack plugin (I never use it because I think it's bloated with all kinds of stuff you
never need in your website), and there are some different other apps. If you want to use your
mobile app to change your WordPress website using your mobile... in all my years of website building
I never actually used the XML RPC function because, well, I just don't use it. So this is great. Just
use 'Disabled'. Now there is another one. The REST API is a bit tricky, because if you use software
for example, to manage your finances, this could cause problems. Well, they keep trying to
add your orders to their back office or anything, so leave it on default access if you are using
those kinds of systems that use your website. Or press restrict access. If you don't know what
I'm talking about, and you think like "Well, there's nothing integrated with my website so...",
press 'Restricted access'; it's the safest way. But if you encounter problems in the
future, this is a function you first want to turn on again, and also the XML RPC. Users, they
can log in with their email address and username, or only the email address or username. It's
completely up to you. 'Force a unique nickname' that will be very useful and 'Disable extra user
archives'. I always turn this on because it is so annoying when you have different users on your
website, or your own, and you have no posts at all, and they can actually get to the page that is
your author page. When you have no posts, it is not logical. So we're going to disable this
and we press 'Save'. And then the last advanced feature that I completely like and I enjoy is the
'Hide backend feature'. It is unique to iThemes Security, other plugins don't have this. So we
press 'Hide backend'. We're going to change the login slug. Because /wp-admin/ is the most
common way to log into a WordPress website. Everybody knows that in the world, even hackers.
So you want to change this to something else. We're going to change this to well,
let's say wordpress-login-secure-page, for example. It is enormously long, and if someone
can guess this, then I would be impressed. Just change this to anything you would like
but never forget it because if you forget it, you cannot log into your WordPress website
anymore. Unless you change this again, by disabling iThemes Security using your FTP
program. If you don't know what I'm talking about, then write this down, mail it to yourself or
whatever. Because if you forget it, you cannot enter your website again except by changing some
other things. So just copy this and save it in a safe secure place. Alright, then we need to enable
the redirection so people will get redirected to a page. I used to use a page like 'Not a
chance, dude'. And then I create a different page where people see this and they're like, "Oh, this
guy has actually secured his website, well done". When you have done all this, then press 'Save'.
And now we have completed all our settings with iThemes Security. However, there are a few things
you still have to do: Always check your updates: 'Dashboard' -> 'Updates'. Your WordPress
website has to be completely up to date. If you see this current version, latest version,
all plugins up to date, all themes are up to date. That is awesome! Good job! Then trying to hack
you using this way is pretty much impossible. Always keep that in mind. The security of your
website has to do with a couple of things: Password security, two factor authentication, your
hosting company, your updated website. Keep it all updated. Make sure you got a good hosting company.
If you're still looking for someone, there is a link in the description. Now if I go
to my user and I press 'Logout' and now we're going to set up two factor authentication. So go
through your new login URL and just login with your credentials. As you do that, this is what we
see: "Set up your two factor", press 'Continue'. Use your mobile app press on the arrow right
here. And you choose your device. I have iOS, then you open your authenticator app. I always
use the Google Authenticator app because I use it with a lot of services from Google and for other
websites, for my hosting and for everything. And then you go to scan this QR code with your mobile
phone. When you have scanned it, you will receive a code. So press 'Continue'. Now we have to
enter this authentication code. Be quick. Because this one refreshes every 30 seconds. Press
'Verify'. And now we are enabled. This is great! Our mobile app two factor authentication has
been enabled. Now you can press 'Skip', and now when I want to try to login I have to enter
my authentication code. So this is where you get your app with all the codes on your mobile phone.
And we're just going to enter the code which is on my phone and press 'Authenticate'. When I press
this, now I can login easily. So if you ever lose your mobile phone, then you have a little bit
of a problem. So you'd better make a backup of your phone on your computer, so when you lose your
phone, you can always put it back on a new phone and then you can log in to your website again. Is
two factor authentication the best way to secure your WordPress website? Well yes, it is definitely
very useful and I would really recommend adding it to your websites, because this makes guessing
your password and even logging into your website if you have the password pretty much impossible
because you always need this little thing to login into your WordPress website. If this was useful
for you hit that like button so I know we were on the right track and if you want to know how
to create a WordPress website, check this video out because it will really change the way you were
building your websites. I wish you an awesome day.
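As an added example (not the plugin's own code and not part of the video), here is a small Python model of the local brute force lockout rules the video configures: three bad attempts per host, five per user, bad logins remembered for 10 minutes, a 10-minute lockout, an immediate lockout for anyone trying the username admin, and a permanent ban after three lockouts. The number of days a lockout is remembered is an assumption, since the video keeps the default without naming it.

```python
"""Model of the local brute force lockout rules described in the video, with the
values chosen there. Added example, not the plugin's own implementation; all login
attempts fed to it are constructed and all times are epoch seconds."""
from collections import defaultdict, deque

MAX_ATTEMPTS_PER_HOST = 3         # "max login attempts per host ... three"
MAX_ATTEMPTS_PER_USER = 5         # "max login attempts per user ... five"
REMEMBER_BAD_LOGIN_SEC = 10 * 60  # "minutes to remember a bad login ... 10"
LOCKOUT_SEC = 10 * 60             # "15 minutes to lockout; I would say change to 10"
BAN_AFTER_LOCKOUTS = 3            # "three times banned in a row, you get banned permanently"
LOCKOUT_MEMORY_DAYS = 7           # assumption: the video keeps the default without naming it
BAN_ADMIN_USERNAME = True         # "Automatically ban admin user"


class LockoutPolicy:
    """Tracks bad logins per host and per user and decides each attempt's fate."""

    def __init__(self):
        self.bad_logins = defaultdict(deque)   # ("host", ip) or ("user", name) -> times
        self.locked_until = {}                 # same keys -> time the lockout expires
        self.lockouts = defaultdict(deque)     # host -> times it was locked out
        self.banned_hosts = set()              # repeat offenders, banned permanently

    @staticmethod
    def _prune(times, now, window):
        """Forget entries older than the given window (seconds)."""
        while times and now - times[0] > window:
            times.popleft()

    def _locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def _lock(self, key, now):
        self.locked_until[key] = now + LOCKOUT_SEC
        self.bad_logins[key].clear()           # the lockout replaces the counted attempts
        if key[0] == "host":                   # repeat-offender tracking is per host
            history = self.lockouts[key[1]]
            history.append(now)
            self._prune(history, now, LOCKOUT_MEMORY_DAYS * 86400)
            if len(history) >= BAN_AFTER_LOCKOUTS:
                self.banned_hosts.add(key[1])

    def attempt(self, host, user, password_ok, now):
        """Return 'banned', 'locked', 'ok' or 'bad' for one login attempt."""
        if host in self.banned_hosts:
            return "banned"
        hkey, ukey = ("host", host), ("user", user)
        if self._locked(hkey, now) or self._locked(ukey, now):
            return "locked"
        if BAN_ADMIN_USERNAME and user == "admin":   # bots try 'admin' first
            self._lock(hkey, now)
            return "locked"
        if password_ok:
            return "ok"
        locked = False
        for key, limit in ((hkey, MAX_ATTEMPTS_PER_HOST), (ukey, MAX_ATTEMPTS_PER_USER)):
            times = self.bad_logins[key]
            self._prune(times, now, REMEMBER_BAD_LOGIN_SEC)
            times.append(now)
            if len(times) >= limit:
                self._lock(key, now)
                locked = True
        return "locked" if locked else "bad"
```

Note that a correct password during a lockout is still refused, which is exactly why the video insists on adding your own IP to the authorized host list.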