How To Secure Your WordPress Websites with iThemes Security - 2021 Tutorial

Video Statistics and Information

Captions
Hey guys, what's up? You don't want to get hacked, so let's get started by securing your WordPress website. In this video we will be securing my latest website, which you can see in this tutorial that shows you how to exactly create this awesome website. So be sure to check that out.

So first we go and log in to the dashboard, and then you go to 'Plugins' -> 'Add New', because the only plugin we will need is this one: "iThemes Security". Just press Enter. This is a completely free plugin. They have a pro version, but for now the free version is perfect. Press 'Install Now' and then we press 'Activate'. Now our plugin has been activated. So the first thing we're going to do is press this 'Settings' button right there.

Do you have a webshop? Do you have a network website with a forum, for example? Do you have a nonprofit website with donations? Do you have a blog with a lot of interaction through comments? Do you have a portfolio with a lot of pictures, for example, or do you have a brochure website: a simple website to promote your business? Well, choose the one that fits you. Why? Because different features are going to be enabled depending on which one you choose; for eCommerce we need different security settings than for a brochure. We are now going to use the brochure website: a simple website to promote your business. We are setting the website up for ourselves. And yes, I want to enforce a password policy. Why is this? Well, the entire security of your website could be compromised with just a weak password. So guys, this is really important: use a strong password. Press 'Next'.

The next step is enabling two-factor authentication. This is powerful. If you enable this combined with your strong password, then your website is pretty much unhackable through the front gate.
So if you enable this (let's push on this button), then you need an app on your mobile phone, or a text message, or anything else that will prevent users from logging in without using a second authentication factor. This is great. So we're going to enable this and we're going to press 'Next'.

You want to keep this enabled. This is for when people try to log in: they have guessed your username right and they are trying to log in by guessing your password. Well, it's pretty hard if you don't have your mobile phone with authentication; it's pretty much impossible. But if they're trying to do so, they will be locked out when they try five or six times. Also, network brute force protection means all IP addresses will be checked against a database, so they know exactly who to block and who not. So press 'Next' on this one. And if you want Security Check Pro, just as I said, enable this one because this is a powerful feature. Press 'Next'.

Now this is useful if you have different authors on your website. If you're the only one, just press 'Default'. If you are the only one using your website, you can press 'Skip user groups'. If you're not the only one and you have multiple people working on your website, you can actually configure this per user. So let's say you're the administrator and you have a couple of editors or authors, and you don't want the editors and the authors to change the iThemes Security settings. Then you can disable the global settings and the security dashboard for that group of people. It is very, very useful. We don't have different user groups on this website, so you can press 'Skip user groups'. If you don't have any other people who are going to your website, press 'Recommended configure site'. This is the place where you can add your IP address to WordPress security so you will never be locked out of your website. This is very useful. Just press 'Add my current IP to the authorized host list'.
For me, this is not going to do anything, because I use a VPN so nobody can track what I'm doing, and I have a secure tunnel set up. So this changes for me every day. We're going to change IP detection to 'Security Check Scan (recommended)' and we're going to press 'Next'. We want the network brute force protection, so we have to fill out our email address, the@WPressDoctor.com. If you want to receive email updates every week (well, I don't), then just enable this one and press 'Next'.

Email notifications are very important, so enter your email address. I only want myself to receive those emails. If you have more administrators on your website, don't click this box, because they will all receive the daily digest and they will receive all the mails every single day. We're going to disable it because it actually drives me nuts: how many hackers, how many bots have been disallowed and blocked from the website. So just select the users you want to receive the emails and press 'Continue'. This is just an overview of what we have already set up. You cannot change anything here, so press 'Secure site'. And now it says our site has been secured, so press 'Finish'. Good work!

Now you go back to 'Settings', because there are a couple of things we still need to configure before we are completely secured. So let's go over all the settings one by one to set up your security once and for all. So, the two-factor authentication: if you press 'Edit Settings', you can change the method of how you secure your login with two-factor authentication. You can use all methods, of course, or all except email, or select the methods manually. Now you can change it so the only options are the mobile app, email or backup codes. This is user independent, so they all can choose which one they want. If you only want your users to use the mobile app, then just select only the mobile app, for example. It's the most secure way.
So we're going to set this up later on. So just press 'Save' right here. Let's get back to the settings using 'Features' right there. All right, we have the lockouts; this is the way to ban users. Press 'Edit settings'. You can change the ban list that will enable banned IPs in server configuration files. There is a limit of 100 IPs. That is more than enough, so we can just leave it right there.

Local brute force: this is a very powerful feature, I always enable this one. Automatically ban the admin user, because automatic bots will always try to log in using the username admin. However, if that's your username, you need to change it right now. Change your username. If you're unable to change it because there is only one user and it is admin and you can't change your username, then you just need to add a new user, make it an administrator, and use another email or your own email. Just create a new user with a different username, because the username admin is the worst username you can ever have on a website! This is the max login attempts per host; I always change this to three, so you get three tries and then you're out. The max login attempts per user, I put this on five. And the minutes to remember a bad login, I always change this to 10 minutes, so if you are locked out, after 10 minutes you can try again. Press 'Save' and then we go to Network brute force. We already have the banned reports API. We have an API key, which is great.

All right, let's get back to our features. We were at the lockouts; next is site check. This is a powerful feature that lets you constantly monitor the file changes on your website, because when hackers infiltrate your system, they are going to change different files in your WordPress installation.
And that way they can easily change different scripts to add malicious code to your website, so people download Trojan horses or they get redirected to poker websites, or porn websites, or pill websites (the three P's), and you don't want that. However, the file change monitor is really thorough. That means every time you update something, you will get an email because files have been changed. Even when the cache has been emptied, you will be notified that certain files have been changed. If you want to enable this one, you can just press 'Enable it' and then you can press this gear icon to whitelist certain files and folders. For example, your caching files and folders should not be included in the file change monitor. So if we want that, we go to wp-content, we go to cache, and then on the cache folder we press 'Select'. So now /wp-content/cache/ will not be actively monitored. The same with /et-cache/ from Divi: we have to whitelist this one to exclude it. Let's go further and also exclude /uploads/et-temp/. You don't want that one included. All right, after you have added these, press 'Save' and now we have the file change monitor set up correctly.

Then we go back to features. We were at the site check, right; that's all good. Let's go to utilities: Enforce SSL. Enforce that all connections are made through SSL/TLS. Enable this one! This is important. If you use SSL (and I strongly recommend you do), then enable this one. Your database backups: this one we are going to edit the settings for. So now you have everyday backups of your database. However, I am still convinced that your hosting company should do your backups of your files, your emails and your database. But better to be safe than sorry. So if you want this to be emailed to you, then press 'Schedule database backups' and use the backup interval.... well, you can do three days between them or you can use seven days.
The normal security guys would say: "No, you need a backup every single day!" I totally agree, but if your website doesn't change that much, then maybe you should put it on seven. It's completely up to you. I prefer to have it saved locally and emailed to you, because when you have it in your email it is disconnected from your WordPress website. So if your website gets hacked, you always have backups in your email and not only saved on your hosting. Because when they infiltrate your website, well, they are in and they're going to really screw up your website and your database.

Now the number of backups to retain. I think 30 backups is the max; that will be great. If you don't visit your website often, or not even once a month, then I would suggest you change this to 360, so you have backups of your database for the entire year, which is very important. This is all good. So let's press 'Save'. And then we go back to features and utilities. We were at the database backups; that's all right, and the Security Check Pro is enabled, so that's awesome.

All right. Then we go to the next step: 'User groups'. Well, I've already explained this. If you're the only one, just leave it like this. If you have multiple people on your website, you can change this. That is really useful. Let's go to 'Configure'. The global settings: allow iThemes Security to write to your files. This is important, because otherwise you have to make the changes manually, and that is a bit of a hassle. All right, 15 minutes to lockout; I would say change this to 10 minutes. And how many days will a lockout be remembered? I think this is perfect. Ban repeat offender: of course, if you are banned three times in a row, you get banned permanently. This is great, just keep it on three; this is awesome. The lockout message is just an error: "You've been locked out due to too many invalid login attempts."
You can change this, of course, to anything you want. "Your IP address has been flagged as a threat..." I would suggest you remove the "iThemes Security Network" part, as that is a security risk, because now they know which plugin you are using for your security. So remove that one. Authorized host: we have already enabled that; this is your own IP address. Database logs: you can see whatever happens on your website. You can change this to 'File only', 'Database only' or both. I would suggest using database only. IP detection: we already did that. The security menu in the admin bar: they're talking about this little thing. It is useful when something happened that you want to know about, but it's also pretty annoying that with every new feature you get a message right up there, and it is a bit of... well, it's just what you prefer. I would suggest you press 'Hide security menu', press 'Save', and then we go to 'Login security' right there. And then actually the login security we have already done. Lockouts, we've already done this. Site check, we've already done it, and the utilities, we have already done that, so it is pretty awesome.

Let's go to notifications. In the notifications you will see... let's press 'Security digest'. If this is enabled, you will get an email every single day with what is happening on your website. In the beginning it's interesting; after a week you are saying "STOP EMAILING!" so I would suggest you just disable this one and press 'Save all'. Site lockout notifications: it is really annoying to see all those bots trying to get into your website and getting all those emails. If you want to receive them, keep it enabled; it is your choice. Database backup: where will it be sent to? It will be sent automatically to the email of the website owner. That is, in this case, divi-doctor.com. If you don't want to use this email address, change it to another one.
Let's go to 'File change'. Here you get emails when your files have been changed. You can enable this one. Let's go to the two-factor email. Here you can change what the email is when you want to use two-factor authentication with an email. And this is the mail that's been sent to you: "Hi [and then your name], click the button to continue or manually enter this code below to finish logging in." You can customize this email; choose whatever you want. I think this is a good email, so we'll just leave it right there. Yes, the two-factor email confirmation. This is very important if you want to use it for your email, because this is the setup for the two-factor. I don't know why they have this where you can disable it, but I think this is a pretty useful email, so just leave it in right there.

All right, that was all the normal settings. Let's go to the 'Advanced settings' right here. In the advanced settings we have some important tweaks to be made to your WordPress installation. For example, the system tweaks. You want to have these system files protected. You want to disable directory browsing; this is amazing, important stuff. Disable PHP execution in uploads, in plugins, in themes. You can read all about what it does on this site. I don't need to read it out loud because you guys know. If you go to WordPress tweaks, then this is an important one that you sometimes want to change: disable the file editor. This means if you go to 'Appearance', the 'Theme editor' has now been removed from this menu. If you ever need it because you need to add some custom snippets or anything, you have to go into 'Advanced' -> 'WordPress Tweaks' and disable the checkmark. And now if you press 'Save' and we reload this page, and we go to Appearance, now we have the 'Theme editor' back in its place, as you can see. Know where it is, remember it, because you will not find it anywhere if this is enabled. It's a powerful feature.
So you should leave this on. Right, the API access. XML-RPC: well, I would say you disable this one, because this is the most common way hackers find your username and try to log in automatically using different bots. However, there is a drawback to this. Some plugins won't work when this system is turned off. For example, the Jetpack plugin (I never use it because I think it's bloated with all kinds of stuff you never need on your website), and there are some other apps. If you want to use your mobile app to change your WordPress website using your mobile... in all my years of website building I never actually used the XML-RPC function, because, well, I just don't use it. So this is great. Just use 'Disabled'.

Now there is another one. The REST API is a bit tricky, because if you use software, for example, to manage your finances, this could cause problems. Well, they keep trying to add your orders to their back office or anything, so leave it on default access if you are using those kinds of systems that use your website. Or press restrict access. If you don't know what I'm talking about, and you think, "Well, there's nothing integrated with my website so...", press 'Restricted access'; it's the safest way. But if you encounter problems in the future, this is the function you first want to turn on again, and also the XML-RPC.

Users: they can log in with their email address and username, or only the email address, or only the username. It's completely up to you. 'Force a unique nickname', that will be very useful, and 'Disable extra user archives'. I always turn this on, because it is so annoying when you have different users on your website, or your own, and you have no posts at all, and they can actually get to the author page of you when you have no posts. It is not logical. So we're going to disable this and we press 'Save'.
And then the last advanced feature that I completely like and enjoy is the 'Hide backend' feature. It is unique to iThemes Security; other plugins don't have this. So we press 'Hide backend'. We're going to change the login slug, because /wp-admin/ is the most common way to log into a WordPress website. Everybody in the world knows that, even hackers. So you want to change this to something else. We're going to change this to, well, let's say wordpress-login-secure-page, for example. It is enormously long, and if someone can guess this, then I would be impressed. Just change this to anything you would like, but never forget it, because if you forget it, you cannot log into your WordPress website anymore, unless you change this again by disabling iThemes Security using your FTP program. If you don't know what I'm talking about, then write this down, mail it to yourself or whatever. Because if you forget it, you cannot enter your website again except by changing some other things. So just copy this and save it in a safe, secure place.

All right, then we need to enable the redirection so people will get redirected to a page. I used to use a page like "not a chance, dude". And then I create a different page where people see this and they're like, "Oh, this guy has actually secured his website, well done". When you have done all this, then press 'Save'. And now we have completed all our settings with iThemes Security.

However, there are a few things you still have to do. Always check your updates: 'Dashboard' -> 'Updates'. Your WordPress website has to be completely up to date. If you see this: current version, latest version, all plugins up to date, all themes up to date. That is awesome! Good job! Then trying to hack you this way is pretty much impossible. Always keep that in mind.
The security of your website has to do with a couple of things: password security, two-factor authentication, your hosting company, your updated website. Keep it all updated. Make sure you've got a good hosting company. If you're still looking for one, there is a link in the description.

Now if I go to my user and I press 'Logout', now we're going to set up two-factor authentication. So go through your new login URL and just log in with your credentials. As you do that, this is what we see: "Set up your two factor". Press 'Continue'. Use your mobile app: press on the arrow right here. And you choose your device. I have iOS. Then you open your authenticator app. I always use the Google Authenticator app because I use it with a lot of services from Google and for other websites, for my hosting and for everything. And then you go to scan this QR code with your mobile phone. When you have scanned it, you will receive a code. So press 'Continue'. Now we have to enter this authentication code. Be quick, because this one refreshes every 30 seconds. Press 'Verify'. And now we are enabled. This is great! Our mobile app two-factor authentication has been enabled. Now you can press 'Skip', and now when I want to try to log in, I have to enter my authentication code. So this is where you get your app with all the codes on your mobile phone. And we're just going to enter the code which is on my phone and press 'Authenticate'. When I press this, now I can log in easily.

So if you ever lose your mobile phone, then you have a little bit of a problem. So you had better make a backup of your phone on your computer, so when you have lost your phone, you can always put it back on a new phone and then you can log in to your website again. Is two-factor authentication the best way to secure your WordPress website? Well, yes, it is definitely very useful and I would really recommend adding it to your websites.
Because this makes guessing your password, and even logging into your website if you have the password, pretty much impossible, because you always need this little thing to log in to your WordPress website. If this was useful for you, hit that like button so I know we were on the right track, and if you want to know how to create a WordPress website, check this video out because it will really change the way you build your websites. I wish you an awesome day.
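Three of the 'Advanced settings' tweaks the video toggles in the plugin UI (disable the file editor, disable XML-RPC, restrict the REST API to logged-in users) can also be expressed directly with WordPress core hooks. The must-use plugin below is an added example written for this page, not code from iThemes Security or from the video; the plugin name, the `EXAMPLE_PUBLIC_REST_NAMESPACES` allow-list and the namespace in it are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login-Surface Hardening
 * Description: Added example for this page (not iThemes Security code). Applies the
 *              equivalent of three "Advanced settings" tweaks with core WordPress
 *              hooks. Save as wp-content/mu-plugins/example-hardening.php.
 */

// 1. Disable the theme/plugin file editor (the "Disable file editor" tweak).
//    Core reads this constant when building the Appearance/Plugins menus; it is
//    usually set in wp-config.php, but an mu-plugin loads early enough too.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Disable XML-RPC (the "API Access - XML RPC: disabled" tweak).
//    Core consults the 'xmlrpc_enabled' filter before authenticating any XML-RPC
//    request, so every method, including login-by-credential calls, is refused.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Also stop advertising the endpoint: drop the RSD <link> from <head> and the
// X-Pingback response header, so nothing hints that xmlrpc.php is there.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Restrict the REST API to authenticated users (the "Restricted access" option).
//    As the video warns, this breaks unauthenticated integrations (back-office
//    order sync, headless front ends), so namespaces that must stay public are
//    listed here. The entry below is a placeholder assumed for this example.
const EXAMPLE_PUBLIC_REST_NAMESPACES = array(
    'example-forms/v1', // hypothetical: a form plugin that posts anonymously
);

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter already reached a decision (true or WP_Error): respect it.
    if ( null !== $result ) {
        return $result;
    }
    // Logged-in users (cookie + nonce, or application passwords) pass through.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Allow-listed namespaces stay reachable anonymously. This matches the
    // pretty-permalink form (/wp-json/<ns>/...) only; ?rest_route= is not handled.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    foreach ( EXAMPLE_PUBLIC_REST_NAMESPACES as $ns ) {
        if ( false !== strpos( $uri, '/' . rest_get_url_prefix() . '/' . $ns . '/' ) ) {
            return $result;
        }
    }
    // Everyone else gets a 401 before any route handler runs.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You must be logged in to use the REST API.' ),
        array( 'status' => 401 )
    );
} );
```

Because a must-use plugin cannot be deactivated from the dashboard, undoing any of these tweaks means editing or removing the file over FTP, the same recovery path the video describes for a forgotten login slug.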
Info
Channel: WPress Doctor
Views: 3,656
Keywords: wordpress doctor, wordpress, wordpress toturial, toturial, how to, websites, wordpress expert, ithemes, security wordpress, security, two factor authentication, two factor wordpress, advanced settings, securing wordpress, free security plugin, hacking wordpress
Id: BqR4odrHIss
Length: 22min 36sec (1356 seconds)
Published: Fri Sep 10 2021