How To Secure Your WordPress Websites With iThemes Security - Review & Setup Tutorial

Captions
In this video I'm going to teach you how to secure your website using the free plug-in iThemes Security. Hi, my name is Adam from WPCrafter.com, where I make WordPress videos for non-techies. If you enjoy the content in this video, consider clicking on the subscribe button. If you want notifications, there's a little bell off to the side of that you can click on, and YouTube will let you know when I've got some new videos out.

So this is another video in the security video series that I have going on right now for WordPress. In the first video in the series I took a look at all the various security plug-ins, and I gave some food for thought on those plug-ins to enable you to make the best decision for you. This video is just going to be about one of those plug-ins I talked about, and it happens to be the one that I personally use on my websites, and it's called iThemes Security.

Now there is a free version and a paid version. The free version can be downloaded right here on WordPress.org, and I'll have a link down below to this, and the paid version is right here, and there are some additional bells and whistles. Although, like I said in the first video of this series, even though I have the Pro version installed on my website, I don't really use a lot of the Pro features, so it's not one of those must-buy type of things.

One of my favorite features, and I talked about this in depth in the first video of this series, is to have a security plug-in where you can link into a shared database of resources of hackers that are trying to hack into websites, so that you can kind of be proactively secured by the plug-in. And that is something that iThemes Security has. Let me scroll down to show you what they actually call it. It's right here: they call it the iThemes Brute Force Attack Protection Network, and that is what you want, something just like that.

So anyways, I'll link down below. Let me just go over the pricing of this real quick. I don't think it's that expensive. I'm scrolling down, it's right here: they have a single-site version, or the two-site version is 80 bucks a year, or you get a lifetime version for 300 bucks. That's perfect if you're an agency and you are making websites for people, or you work on WordPress websites for people, to offer this as a service, and that's only 300 bucks lifetime, but you get a year of support. I've never needed support.

So here we are. Go to Plugins, Add New, and let's go ahead and install this sucker. Alright, so I'm going to just do my search for iThemes Security, and here it is. Now this used to be called Better WP Security, and this was actually a plug-in that was acquired by iThemes, and I'm glad they did that, because ever since they did that they've added so much more to it. It's definitely a great solution. Okay, so go ahead and click on Install, and then I'm going to activate it.

Now I did consider in this video adding the paid version, but I will just go over the free version in this, and you can look at the sales page to see the features that come with the paid version of the plug-in. I do have a course on security, though, where I do go over the Pro version of the plug-in. So I'm going to go ahead and activate it, and we'll go through it all together for the first time.

So actually, there's one thing I really don't like about WordPress plug-ins and stuff like that, where they put big notifications here, but I get it. So right here is a notification to let you know what's new with the plug-in, and then this right here is actually going to be super important, and it says right here: take your site's security to the next level by activating iThemes Brute Force Network Protection. This is the feature that I was saying, and I keep saying, you want, you want, you want. Go ahead and click on this right here to get a free API key. It doesn't cost any money. So let me just go ahead and close both of these notifications now, and we'll go through that in a moment, going ahead and getting that API key. It's a super simple process.

Alright, so right here is this new option that was added to the menu system, and we only have a couple of options in here: our Settings, a Security Check, Logs, and a link to get the Pro version. However, if you do want to get the Pro version, please do it through my website. If you purchase it through the link on my website, I give you access to my security training program called WordPress Security Essentials. I give you access to that for free; it's normally a hundred dollars.

Okay, so this is what I like. You click on Settings, and if you haven't been here before there's this easy one-click option where it's saying these are the things that this plug-in brings to the table that you need to enable in order to secure your website. So it's literally like one click. So I'm going to go ahead and click this here, and part of what it is going to do is get me that API key, and that's actually the first thing right here it says. So essentially, to get the API key you just give them your email address. I gave them my email address maybe years ago. They don't spam you or anything like that; they're a totally legit company, iThemes is. Right here, if you want updates, like informational updates via email, you can leave this on Yes or you can put it on No. I already get those updates via email. So you want to go ahead and click on this button here to activate the brute force protection, and it's going to go ahead and pull an API key in.

Now the reason I'm getting this red warning is because this WordPress website that I'm on right now is actually on my local computer. You can see in the URL it says security.dev; that means it's a local WordPress installation on my machine. iThemes Security knows that, and it basically says, whoa, you don't need an API key, there's no reason to give you an API key, because this is not a public website. But if I did have this on a .com or any of those types of website addresses, it would know I'm not on my local machine and it would have given me that API key. Then, as you see here, it did a bunch of the other things that it said it was going to do, and we can just go ahead and click on Close.

So right now you are way ahead of the game. You could stop right now if you wanted to. Now if you want to know all the fine details of this plug-in, I'm going to continue going on, but just with what you've done so far, you've connected into the brute force network, you've secured your login form from someone trying a bunch of different usernames and passwords, there's just a whole laundry list of things you just secured your site from with one click, and I really like that.

So as you notice right now, there's quite a bit of settings here for this plug-in, that's a whole bunch. Now there's two different views, and they at least try to make this easy by grouping them together. So right now you see them in these groups, and then you can just click on these buttons and see the specific settings in it. But here's a little icon you can click, and it just shows them in a list, if you like this. This might be a little easier to process. One thing I don't like is it's not sorted alphabetically; it's kind of sorted by priority, or what they feel the priority is. So I'm looking at the Recommended; there is also some Advanced, and right here I can just click on this and it's going to show me all of the various settings.

Now here are those Pro ones that you only get if you have the Pro version installed. That's Malware Scan Scheduling; Privilege Escalation, that's if you want to temporarily allow a vendor to fix something in your website; Password Expiration, I don't like that personally; reCAPTCHA is actually very cool, that's going to help reduce the spam that your comments section might get, but there's also other plug-ins for that; I really like Settings Import and Export; Two-Factor Authentication, don't like that; User Logging, don't like that; User Security Check; and Version Management. So you can decide if the paid version is for you or not.

So now what I'm going to do is just start blasting through these different sections and telling you some of the things. I mean, I want to try to go in depth but not so in depth that this is a super-long video. I know we all have other things to do; we just want secure websites. So with that said, let's get started.

So I believe this Security Check one, when I click on Configure Settings, it's really just that first step that we went through, so it's kind of showing you these are the things that it enabled by default for us. Let me go ahead and click on Cancel and collapse that.

Then we have our Global Settings here that you can take a look at. Now a lot of this is just your general settings. So here's a notification email that the plug-in will use to notify you of things. This, there's actually, I've got to make sure I get this setting right: there is a setting that if someone tries to log into your website and fails, you get a notification. Those things will drive you nuts, so we've got to make sure that we disable those. So here's the enable or disable the digest; that's going to be just kind of an email letting you know that the plug-in is doing what the plug-in is supposed to do. Backup delivery email: this doesn't back up your website, but it will back up the database of your website, which is really good.

So next we have some messages that people would get when they're trying to do things that they shouldn't do or they're making mistakes. And so this will be what happens if someone is trying to log in and there's problems with that, the message that they're going to get. Here's even the lockout message, so you can make it say something fun or friendly, or just go with what it says right here. This is actually really cool: so this is the message, I guess, if someone's attacking some other website that has iThemes Security and then they try to go in and do some hacking on your website, this is the message that they're going to get.

Now when we scroll down we've got some thresholds here. So this is where you define how many times someone can try to log in before you identify them as someone that's trying to just hack into your website. Now typically if you have a website where you're the only one logging in, as the admin, you can set this number on the low side. But if you have a website like mine, more people are logging in, and people are bound to unfortunately forget their passwords from time to time, and you don't want to make it an administration nightmare for you, where a customer tries to log in to your website but then they get locked out, and then they contact you, and then you have to take some of your time to fix something or to remove their ban. It can be a bit of a pain in the butt. So you might want to set these thresholds based upon how you use your website. And there's also how long they'll be locked out for; right now by default it's 15 minutes. So for me, I set these days to a lot longer, and the lockout a lot longer, because typically on my website people are good about remembering their passwords; it's very rare that they don't remember their password, and there's also a password reset option.

And right here you can actually add people's IP addresses. There's a whitelist and a blacklist feature here, and this will explain how that works. That's a little on the techie side. And this is what you don't want, okay: email lockout notifications. You're going to want to disable this thing, because it's going to get annoying getting an email every time someone can't log in properly or someone is trying. It's not that those emails aren't fine, but it's when someone tries to hack into your website and they're trying every username under the sun, then you're going to get all kinds of different emails. It's going to get annoying really quick.

So right here it will do logging. You can choose to have a log in the database or a file or both, it's up to you, how long you want it to log things, and a link to those log files. This will all be set by default; you might want to just leave that the same. If you want iThemes Security to be able to see how you're using the plug-in, you could check this box right here. I would check it. And then these are some other settings here that you might not need, but this you might want to enable, and I do: it's Hide Security Menu in Admin Bar. You can see there's a Security here; I don't need a shortcut there, this area gets a little crowded, so I like to disable that myself. Let me go to Save Settings and see if that disappears. I bet if I refresh the page that would disappear. Okay.

So 404 Detection. This is actually, I think, good to enable. So this lets you know if someone's going to a page, or searching for pages, or going to a URL on your website that doesn't exist. Typically your website will show what's called a 404 page, and this will kind of track what those guys are doing, and you can even ban people based on that. So let's take a look at the settings when we enable it. So we have the same thing; we have these same thresholds here. Now what I've noticed, it's actually a surprise it doesn't enable that by default, what I've noticed is if a plug-in has a vulnerability, the way it's exploited is by going to a specific URL, and so the scanners out there are looking for that specific URL to see if whatever exists, and then they'll hit a 404 page. So this helps monitor that and secure you from that as well.

Now the Away Mode, this is that thing I was telling you about. Let me enable it, let me expand it and then enable it right here. With Away Mode enabled, you've got to make sure you set the time right, and you have to have the time zone set properly in WordPress for your website; you just go to General Settings. But this will make it so no one can log in at all during certain hours. It's good if you know you're going to be sleeping during a certain period of time and there's no need to be logging in. If it's just you that logs into the website, you might want to enable this. However, if you do enable this and you want to log in to your website, it's going to be a major pain in the rear end, because you won't be able to log into your website. So I'm going to go ahead and cancel it, and that's definitely up to you. So that was the Away Mode.

Banned Users. Now this right here is where, if say you had someone's IP address and you want to ban them from your website, you just put their IP address right here and it will ban them specifically. And you can also opt in right here to an online blacklist, and these are, you know, computers that are known, or websites that are known to be spammy, hacking, all that. You can just globally ban them by clicking on this checkbox right here. I do have that enabled, and I haven't seen any problem; no one has said, hey, I'm trying to reach your website and I can't do it. So that is this option here, the Banned Users, and I like that they have that. And there have been times where someone's maybe harassing me and I have their IP address; I'm just going to pop the IP address in here and then they can no longer access my websites. I do that a lot.

Local Brute Force Protection, right here. This is where you're going to set the attempts of someone trying to hack into your website, and how long to remember those attempts of putting in a password wrong. I like this feature a lot: if someone ever tries to log in with the username admin, it's going to be an immediate ban. And you shouldn't have admin or administrator or webmaster, anything like that, as your username. Obviously, if your username is admin and you enable this, you're in a bad spot, but I would go ahead and recommend always making sure you don't use that as your username, and then go ahead and enable this. That's how I do it.

Now here is the Database Backup feature. If you wanted to, I suggest going ahead and having a full backup; I do have a video on that. It doesn't cost you anything, though, for the plug-in to facilitate it. But if you wanted an additional resource for backing up just your database, you can do that here. I don't enable this, because I do backups elsewhere, so it doesn't make sense for me to enable that.

Here is File Change Detection. I do like this, but sometimes it can be annoying if you're using caching on your website, because it changes files and that's normal. But what's nice about this is this will kind of notify you if someone has, say, hacked the server that your web host is on and tries to modify any of the files in your core WordPress. This can actually send you email notifications of that, so it can be a good first early indication that someone has tried to hack into your website. And so I do have this enabled myself, and I do really like the feature.

And right here we have File Permissions. I don't recommend you modify any of the settings here in the file permissions.

Hide Backend. Okay, so what this is going to do is, when you want to log in you go to the name of your website/wp-login.php, and this is if you actually want to hide that. And I'm kind of not so sure I like this feature, because there might be other plug-ins you have on your website that need to look in those locations. So if you enable this and you hide your login and the back end of WordPress, it could cause some problems. Now, so when you enable it you can choose the login slug, so it won't be that wp-login, it will be what you set here, and this will be what happens if someone goes to the wrong location. I'm kind of iffy on this one. I would recommend not enabling it, but if you know for sure it's not going to cause a conflict in anything that you are using, this is guaranteed the best way to not have any login attempts on your website, because there's no way of really knowing what the login URL is, because you've changed it.

Okay, here's Network Brute Force Protection, and when I click on it my API key isn't good, because it knows I'm on the local, this, my website's on my local computer.

Okay, there's some SSL options here. Let's take a quick look at that. Essentially what this is saying is it will try to make your website more SSL friendly, security certificate friendly. I do have a video; I usually use Really Simple SSL for that, so I don't use these options here.

Here's the Strong Password Enforcement. Now this is actually up to you how you want to use this. It could be kind of a pain in the rear, and I know on my website I have normal users creating accounts and logging in, and I want to make that process really simple and easy, so I tend to stay away from these plug-ins or any of these methods to force them to have capital letters, multiple numbers, strange characters and all that, because personally I find it a little irritating when some of those are a little too restrictive, having to reset it up over and over and over.

So here are some System Tweaks. Let's enable that and take a quick look at what it is offering us. So a lot of these I actually have enabled on my website. So Protect System Files, I have that enabled. Disable Directory Browsing, I enabled this as well. The Request Methods, Suspicious Query Strings, I have that enabled. This one has caused me problems in the past, the Filter Long URL Strings. I have noticed some plug-ins, for example a real estate plug-in where it pulls in the real estate listings and someone clicks on it and it generates a really long URL, with this enabled it causes problems; it thinks it's suspicious and it unfortunately will cause a problem with that plug-in. So you do want to be careful with this right here. The File Writing Permissions, your web host already has those set properly; you don't need to enable anything right here. I do disable PHP in Uploads, and in Plugins and Themes, and so those are good to have.

So we're almost there; we only have a few more of these to go, so let's go through them quick. We have some WordPress Tweaks here. I do have most of these enabled myself, especially this one right here, this XML-RPC. There are some vulnerabilities in here, and this is so you can have, say, maybe a desktop application push content into your WordPress website; that's one of the things that this enables you to do. Now I keep this disabled right here. I actually have this right here, this is the option that I choose, and it's also the recommended option here. But what you want to do is, if you enable this and you notice some app you have isn't able to work with your website the way that you think it should, go ahead and leave that one enabled right there. I keep this one on Block. And let's see, okay, so these are just some other things here; I actually don't keep those enabled.

Alright, Admin User. Let's take a look at this, and you can enable this if you want. It's essentially going to make a change in the database. It's pretty safe to do this and not have a problem. It's up to you, though. It's not, definitely, I may not be a deep security expert, and my thought is this isn't so necessary.

WordPress Salts, that's a pretty technical thing right here. I've had to, I do know, the times I've used this is when I wanted to force everyone to be logged out of my website. I enable this, save it, and it's going to reset something in your wp-config file that's going to force everyone to be logged out and have to re-log in.

Let's see, Change Content Directory. I do not recommend this; do not do this. It's going to, all your content is basically in a folder called wp-content, and it will change that to something different. I don't like changing anything that deals with the core of WordPress.

Change Database Prefix. You can do this; I have done this myself. I really don't know how vulnerable your website is when you have that or when you don't have this enabled, so I can't really speak to it. However, my guess is it's not super crucial, but you might want to change that prefix if you're comfortable looking at your raw data and database; you'll see what that does.

Server Config Rules, that can be left, and this can be left; that's all automatic. And then you have these settings right here.

So this is pretty much securing your website. I mean literally, if you installed it and just activated that quick setup there and the things that it activated, you'd be so ahead of the game. But if you pair this with a good backup solution, where your website's being backed up on a schedule off-site, you're pretty much bulletproof; you really don't have a lot to worry about at all. And I've been using this plug-in with fantastic success for a long time, and it has not slowed down my website one bit. And like I said, a lot of these things, the biggest security threat is just that brute force hacking, and when there is some form of a widespread vulnerability in a WordPress plug-in, this is going to protect you from just about all of that. But you still need that backup. So anyways, if I went over anything too quick or you had any specific questions about this plug-in, I'd like to encourage you to ask me down below in the comment section. I will have links to everything in the video description box. If you did purchase the professional version of iThemes Security, do it through the link on my website; I'll be more than happy to give you access to my full security course, WordPress Security Essentials. Thanks for watching.
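The thresholds the video walks through (failed-login count and lockout length under Local Brute Force Protection, the 404 Detection threshold, the immediate ban on the username admin, and the IP whitelist) are easier to reason about when replayed over a few login and 404 events. The block below is an added example written for this page; it is not iThemes Security's code and does not reproduce the plug-in's PHP, and the event log format, the IP addresses, the usernames and the probed paths are all constructed. Python is used so it runs stand-alone; the `Policy` and `Tracker` names are this example's own.

```python
"""Lockout-threshold simulation of the settings the video walks through: local brute force
thresholds, the 404-detection threshold, the instant ban on the username "admin" and the IP
whitelist. Added example for this page, not iThemes Security's own code."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BANNED_USERNAMES = {"admin", "administrator", "webmaster"}  # any attempt with these is an attack

@dataclass
class Policy:
    max_login_failures: int = 5                 # failures per host inside the window
    max_404s: int = 20                          # missing-page hits per host inside the window
    window: timedelta = timedelta(minutes=5)    # how long attempts are remembered
    lockout: timedelta = timedelta(minutes=15)  # the plug-in's default lockout length
    whitelist: frozenset = frozenset()          # hosts that are never locked out or banned

@dataclass
class Tracker:
    policy: Policy
    failures: dict = field(default_factory=lambda: defaultdict(list))
    not_found: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)
    banned: set = field(default_factory=set)

    def status(self, ip, now):
        # 'banned' is permanent, 'locked' lasts until the lockout expires
        if ip in self.banned:
            return "banned"
        until = self.locked_until.get(ip)
        return "locked" if until and now < until else "ok"

    def _recent(self, hits, now):
        cutoff = now - self.policy.window       # forget attempts older than the window
        return [t for t in hits if t > cutoff] + [now]

    def login(self, ip, username, success, now):
        """Decision for one login attempt: 'ok', 'locked' or 'banned'."""
        if ip in self.policy.whitelist:
            return "ok"
        if (state := self.status(ip, now)) != "ok":
            return state                        # a correct password does not end a lockout
        if username.lower() in BANNED_USERNAMES:
            self.banned.add(ip)
            return "banned"
        if success:
            self.failures[ip] = []              # a good login resets the counter
            return "ok"
        self.failures[ip] = self._recent(self.failures[ip], now)
        if len(self.failures[ip]) >= self.policy.max_login_failures:
            self.locked_until[ip] = now + self.policy.lockout
            return "locked"
        return "ok"

    def not_found_hit(self, ip, now):
        # scanners probing for files of vulnerable plug-ins pile up 404s quickly
        if ip in self.policy.whitelist:
            return "ok"
        if (state := self.status(ip, now)) != "ok":
            return state
        self.not_found[ip] = self._recent(self.not_found[ip], now)
        if len(self.not_found[ip]) >= self.policy.max_404s:
            self.locked_until[ip] = now + self.policy.lockout
            return "locked"
        return "ok"

def replay(log_text, policy):
    """Run '<iso time> <ip> <LOGIN_OK|LOGIN_FAIL|NOT_FOUND> <user or path>' lines through
    a Tracker and return (ip, kind, decision) for each line."""
    tracker, decisions = Tracker(policy), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        stamp, ip, kind, detail = line.split(maxsplit=3)
        now = datetime.fromisoformat(stamp)
        if kind in ("LOGIN_OK", "LOGIN_FAIL"):
            decision = tracker.login(ip, detail, kind == "LOGIN_OK", now)
        elif kind == "NOT_FOUND":
            decision = tracker.not_found_hit(ip, now)
        else:
            raise ValueError(f"unknown event {kind!r}")
        decisions.append((ip, kind, decision))
    return decisions

# Constructed sample log on documentation addresses; not a real capture.
SAMPLE_LOG = """
2017-07-18T10:00:00 198.51.100.7 LOGIN_FAIL alice
2017-07-18T10:00:01 198.51.100.7 LOGIN_FAIL alice
2017-07-18T10:00:02 198.51.100.7 LOGIN_FAIL alice
2017-07-18T10:01:00 203.0.113.5 LOGIN_FAIL admin
2017-07-18T10:01:01 203.0.113.5 LOGIN_FAIL alice
2017-07-18T10:02:00 192.0.2.9 LOGIN_FAIL bob
2017-07-18T10:02:01 192.0.2.9 LOGIN_FAIL bob
2017-07-18T10:02:02 192.0.2.9 LOGIN_FAIL bob
2017-07-18T10:02:03 192.0.2.9 LOGIN_OK bob
2017-07-18T10:18:00 192.0.2.9 LOGIN_OK bob
2017-07-18T10:20:00 192.0.2.50 NOT_FOUND /backup.zip
2017-07-18T10:20:01 192.0.2.50 NOT_FOUND /wp-config.php.bak
2017-07-18T10:20:02 192.0.2.50 NOT_FOUND /old/wp-login.php
2017-07-18T10:20:03 192.0.2.50 LOGIN_FAIL alice
"""
# Tight thresholds so the short sample trips every rule; 198.51.100.7 is a whitelisted office IP.
DEMO_POLICY = Policy(max_login_failures=3, max_404s=3, whitelist=frozenset({"198.51.100.7"}))
```

Calling `replay(SAMPLE_LOG, DEMO_POLICY)` shows the four behaviours side by side: the whitelisted host fails three times and is never touched, the host that tries `admin` is banned on the first attempt and stays banned, bob's host is locked after the third failure and his correct password one second later is still rejected until the 15-minute lockout has expired, and the scanner host is locked after three 404s before it ever reaches the login form. With the default `Policy()` the same logic needs five failures inside the five-minute window, and attempts spaced further apart than the window never accumulate, which is the trade-off the video describes between a low threshold for a single-admin site and a more forgiving one for a site with many users.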
Info
Channel: WPCrafter.com WordPress For Non-Techies
Views: 59,137
Keywords: ithemes security wordpress, ithemes security tutorial, ithemes security setup, ithemes security change login url, ithemes security file change detection, ithemes security review, ithemes security pro review, ithemes security pro, ithemes security pro vs free, ithemes security pro coupon, What Is The Best Security Plugin For WordPress, wordpress security plugins, wordpress security 2017, wordpress security tutorial, wordpress security plugins 2017, wordfence vs ithemes, wpcrafter
Id: 8Mef9ARq0Og
Length: 25min 3sec (1503 seconds)
Published: Tue Jul 18 2017