Sucuri Setup Tutorial - WordPress Security Plugin

Captions
Hey, how's it going? Alex here from IdeaSpot, and in today's WordPress tutorial you're going to learn how to set up the Sucuri Security plugin. For this Sucuri Security plugin tutorial we are going to be using just a blank, fresh install of WordPress, and we're gonna install Sucuri from scratch and just do it all step by step.

So, first step is we go into our dashboard, Plugins, Add New. When you search for "security" you'll notice that these are your most popular security plugins, so obviously you've got Wordfence, the most popular, and then right behind that you've got these couple of plugins here, and iThemes as well. So Sucuri, very popular, 600,000 installations at the moment. Let's go ahead and install that one, okay, and let's activate that. After you've activated, you'll notice you'll get your Sucuri Security plugin in your list of installed plugins. You'll also get this Sucuri option on your WordPress dashboard menu, so let's go ahead and click that one.

So the first time you load this page up it'll take a minute and it will scan your website, and with any luck you'll get "your site is clean". This is just a fresh install, so everything looks all good: no malicious JavaScript or any nasties on here, not blacklisted. There are some security recommendations that we will touch on later to make your WordPress install a bit harder to penetrate, so let's work on that later. It did pick up a little thing, index2.html, saying the core WordPress files were modified. Depending on how your website was set up it might pick up some things like that, depending on plugins or things you're using. In this case index2 was just a little "your account is ready" page that the host provided when I installed the website on here, so that's fine. If you pick up any little false positives like that one, you just flag it and say "I understand this is fine", mark it as fixed and click Submit there. But from here we're more or less good to go, all your WordPress files are correct. Now it says the site is clean, and Sucuri will automatically scan your WordPress files periodically, and it does that remotely, so it doesn't use any resources from your web hosting, which is really nice, especially in a free version.

So briefly we can quickly have a look at the settings here and see what we get in this free version. First thing we'll look at here is under Settings and Scanner. You'll see that this scanner is scheduled: some parts of the site are scheduled to scan hourly, some twice daily, some daily, all depends on the priority there. If you feel like doing a scan at any time you can just click and highlight them all and then click Submit and it will execute a scan. If you're feeling like you need a scan just because you installed something new or you just want to test something, that's how you do that.

The next thing we can look at is Hardening. There are some additional options you can add on here, but by default it works just fine. Firewall protection, you don't get that in the free version anyway, so you can't turn it on in the free version. These are already turned on, and you can test some of these, but I've found that some plugins actually need access to these directories. So now you can read the option in here and see it'll say that many plugins and themes rely on the ability to execute PHP, so especially some backup plugins particularly need to be able to execute. You can use whitelist tools to get around that, but I think it's just easier to leave it as default. The one thing we can turn on without any risk, really, is this information leakage; that just blocks the access to the readme file, where people can get information about your software from the readme file. Yeah, it doesn't do a lot, but turning it on doesn't hurt. You can also turn off the plugin and theme editor, just because you're not going to be editing your plugins and themes constantly, and one way you can get injected with malware is if this editor is enabled, so we can apply hardening to that as well.

The final one is the secret key updater. If you've had some sort of issue and you want to just reset everyone's account you can just apply that; it'll make everyone log back into their WordPress accounts and generate new cookies for everyone. It's just if you feel like someone's left their computer logged on and they can't get back to their computer and you're worried about leaving people logged in. So that's just for emergencies, you don't need to use that in most cases. And finally, like we talked about earlier, you can whitelist certain blocked PHP files. So if you wanted to block all these PHP files with this hardening, then you might run into trouble with some of your, maybe, backup or caching plugins having some issues, so you could whitelist those particular plugins while still blocking everything else from being able to be executed. I'm not going to get into that here, but if you're interested in that you can go ahead and add your certain backup plugin PHP file to here; all you have to do is put the file path in there and then Submit. But it's just fine leaving those off for now.

So in our next step let's have a look at Alerts, because Sucuri likes to send heaps of alerts to your admin email. So you can change the formatting of what the actual subject looks like; the default one is fine. Maximum alerts per hour, you could just say unlimited alerts per hour, or five per hour I think is fine. And there are alerts for all these different events; most of these you don't really need an alert for, so let's just go ahead and turn some of these alerts off. The one you get most email alerts from is the post status: every time you're working on your blog you'll get a Sucuri alert just because you changed a draft or published a post, so I'd go ahead and turn that off. Any time you change settings or modify anything with a theme or plugin, you could turn those off. The other thing you could do is just leave them on and set up a dedicated email address, so change the email that it sends to and just add a new email on there. So let's just delete the admin email from there, and then we could go ahead and just add a new email on there, so we just put, like, newsecurity@ideaspot.space, and just put a new email address, set up an email just specifically for all these alerts to go to, and then you can just check them periodically rather than having them mixed up with all your important emails. You know, the other thing you could do is just use an email filter and filter them into a specific folder in your email. So a couple of ways to deal with it, but it does generate a lot of email, so just be aware of that.

Now the last thing we can look at here, and this is optional, is generating an API key. Now this API key will help your WordPress site link to Sucuri, and Sucuri will help store your log files for you, and so if you did get the disaster of getting hacked or getting malware and you want to recover, Sucuri can help you recover from the hack. That is done through their premium service, but you can get the API key in the free version, and then if you ever need it in the future they've got all your logs and they can support you straight away, so you'll get full value straight away if you ever need to buy that premium version. So let's try this out: let's click Generate API Key, and it will say OK, website is ideaspot.space, email is ideaspot2class, "I agree and understand", and click Submit. So if that all works perfectly then you'll get a success message and you'll get your API key sitting here, so that will be all set up. So that's all looking good to go.

So at this point we're pretty much done setting the plugin up. We can go back to our dashboard and let's look at some of these recommendations in terms of hardening our WordPress install a bit more. Let's cover these one by one. "Security header X-XSS-Protection is missing": you can just click on that and it'll load up a little article about how you address this particular issue. So this one is done by editing the .htaccess file and adding this line to it. So let's just copy that line, get one of your favourite text editors, Notepad or whatever, and just paste that in there, and let's use that later. Let's head back to our dashboard and look at the next one: "Security header X-Content-Type-Options nosniff". So let's look at that. Same thing, we just need to add a little bit of config to the .htaccess header, so let's copy that and pop that in here, and let's go back to our dashboard. The last one is Strict-Transport-Security. This depends on your hosting and your SSL certificate, so I'm going to cover that one in a second. I'm using Cloudflare for my SSL, so this is fairly simple to address, but I'll do that in a minute.

Let's do these two first and edit that .htaccess file. For this we don't actually use the WordPress dashboard; we'll need to go to a hosting control panel and you'll need to find your file manager, or you can FTP or secure FTP into your files. In this case I'm just using InfinityFree for the free website for this demonstration, and the file manager is just there. Your hosting will be a little bit different, but you'll just need to find your file manager and find where WordPress is installed, and you'll know because there'll be wp-content, wp-admin, and there'll be one called .htaccess. So let's go ahead and click that and click Edit. This is where we just need to add those couple of lines of configuration to the .htaccess file, so let's just grab those lines that we copied earlier and place them in there. I'm gonna add a little comment in there and say it was a Sucuri recommendation, just so I remember why those lines are there if you ever go and look in there in the future, and then click Save. And then with any luck those messages should be addressed by now. So back on our dashboard, let's reload the page. It still thinks that we're missing those headers even though we changed them, and it can take up to 20 minutes for it to actually reload those checks. So you can either be patient, or if you want to be impatient we can go and do this manually: under your Settings and General settings, just scroll down in the data storage here until you find that one called Sucuri SiteCheck, you can click that and then click Delete, and then when you go back to your dashboard you can just click reload again, it'll regenerate the scan, and then hopefully that message has disappeared, which it has. So those headers have been set up properly. You don't need to do that, you can just wait 20 minutes and those messages should disappear by themselves when it reloads, but that's just a way of speeding it up.

Let's have a look at fixing up this security header Strict-Transport-Security. In many cases you won't even get this "Security header Strict-Transport-Security" message, but if you do, you can enable it through your SSL management in your web hosting control panel. But if you're using Cloudflare like I am, then I'll show you how to do that right now. So I'm in the Cloudflare dashboard and I'm on SSL, and I'm looking at the Edge Certificates, and if we scroll down you'll find the Strict Transport Security there. You click Enable, and then you've got to click "I understand" and go to Next, and now you have to configure it. The max-age, I think we want to set it to the recommended six months, and that's pretty much all we need to do. We need to click that to enable it, and you just have to be careful here to make sure you've always got your SSL working during that, otherwise you could get locked out for six months, so just be careful about that. So let's go ahead and click Save.

Now as we scroll down we can see in our dashboard for Sucuri those recommendations have all disappeared. Now there's just a few general WordPress security recommendations here: that you shouldn't always be using the admin (if you're just editing posts, just create an editor account and use that instead of using admin all the time), and any unwanted themes or plugins you should disable and maybe actually delete if you're not using them. So let's go ahead and do that. We can see how it's got Akismet Anti-Spam installed but it's not activated, so let's just go ahead and delete it; I don't really intend to use the anti-spam on this website. And then the same with the themes: we've got Twenty Twenty active, but these old themes are still on here as well, so let's just go ahead and delete these, Twenty Nineteen, and let's go ahead and delete the other ones as well. I'll just skip ahead and do that. So that's worked out any themes and plugins that we're not actually using.

Let's go back to our Sucuri dashboard again. It can take time for these things to update; in this case it looks like these things have already updated, so it's just saying don't always use the admin, and we can harden the wp-content and wp-includes directories if we want to. Again, that's pretty optional, but we can do that through the settings here. I might just go ahead and do that for the sake of this demonstration. So that is under Hardening, and we can do "apply hardening" to the content directory and "apply hardening" to the wp-includes directory. On this website, because there's not many plugins operating, I don't imagine it's going to cause any dramas for us, but like I said earlier, if you're running a backup or some caching plugins you might get some errors. But this looks like it's going just fine, so let's head back, and let's go back to our dashboard, and now the only recommendation I've got is not to always use the admin, which I'm using an admin now, but you could easily use an editor and you wouldn't get any of these recommendations popping up. Let's just cover that off just for the sake of completeness: go to Users, I'm going to add a new user, and let's just add an editor on here. So I'm just going to call it, um, "editguy", I'll make that the ideaspot2class Gmail, I'll make it obvious, "class editor", and then that should all be cool. Let's just make up a strong password, there we go, and let's add the new user. I'll just save that password, and let's go back to the dashboard of Sucuri.

So all right, we can scroll down, we can see security recommendations: "your WordPress install is following the security best practices". So quest completed, guys, we've done all the security measures that are recommended for our website. We've got our malware scan working. The only thing we don't get in the free version is this firewall; that's an important thing to have on a WordPress website. You can get the firewall for free by using Wordfence, or by using one cord, I think it's good, and NinjaFirewall, I haven't tested that yet but that might be something for a future video. Otherwise you could just sign up and get the Sucuri firewall; I think the prices start from 200 dollars a year, so they're under Pricing, yeah, you get the basic one for $200 a year and it scans every 12 hours, and you can get your malware removed and cleaned up, it's included in that, so that's pretty cool. You can submit support tickets and let Sucuri handle any problems that you've had. So you don't need to buy that straight away; like, if you run into problems in the future and you need help cleaning up your website, then go ahead and join. If you've set up that API key like we did earlier in the video they'll have all your details and they'll be able to help you, so that might be a good way of doing it without actually having to pay for it straight away.

So anyway, let's sort of wrap this up. Thumbs up if this has been helpful. I'm just gonna go over the pros and cons. Obviously the free version is free, so that's a great pro. It's got a good malware scanner, and there's no performance issues with this plugin because everything's done remotely: the Sucuri servers handle all your scanning and you don't have to scan the website using your own server, so it doesn't slow your website down like some other security plugins do. Notably, I think Wordfence is one where it scans regularly and it does use up a bit of your processor on your website. So that's a good advantage, but there is a bit of a disadvantage with that as well, because it can only access the files that it can access remotely, so it won't get access to your full website, but it'll be enough to pick up most common intrusions. So the major con is there's no firewall in the free version. Like I said before, you'd have to sign up to get that firewall, with the basic plan at least, so you'd have to go and use something like Wordfence or NinjaFirewall, but these firewalls run on your server rather than remotely, so again, rather than paying with money you're paying with some performance issues that might slow your website down. But honestly, I've tried Wordfence for a while and the performance of my website hasn't really been affected too badly, so just try Wordfence out if you really want that free firewall and don't mind a little bit of extra usage on your web server.

And I just want to note that Sucuri was a really cool way of introducing me to some header security, and also that strict transport header as well; that was something I wasn't, like, fully aware about, because I'm not a cyber security expert, I'm just a dumb engineer who was able to learn by going through those security recommendations. So I thought even if you don't end up using Sucuri, those security steps that harden the headers, improve the SSL, those little steps were good anyway, and even if you don't use the plugin you can still implement those security measures and get a good result for your website. So hopefully this has been really useful. For me, I liked it, even though I don't want to use the free version because I'd like the free firewall and some of these other options, but it's still a great plugin. Thumbs up if it's been helpful, subscribe because I'm gonna come back with some more good WordPress tutorials next week, and thanks for watching, I'll see you next time.
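The three header recommendations the video works through (X-XSS-Protection, X-Content-Type-Options: nosniff, and Strict-Transport-Security with a six-month max-age) can be checked offline before touching a live site. The script below is an added example, not code from the video or from the Sucuri plugin: it parses mod_headers `Header set` lines out of an .htaccess fragment into a header map and audits that map the way the plugin's dashboard messages describe. The .htaccess fragment and the sample header sets are constructed for this example; the six-month threshold (180 days, 15552000 seconds) is an assumption standing in for Cloudflare's "recommended" setting, which the video does not state in seconds. Two caveats a practitioner would want: modern browsers ignore X-XSS-Protection (the check below only requires its presence, matching the plugin), and an HSTS max-age of 0 is reported as a finding because it disables the policy rather than enabling it.

```python
"""Offline audit of the response headers the Sucuri dashboard asks for.

Added example (not from the video or the Sucuri plugin). Parses Apache
mod_headers directives from an .htaccess fragment and audits the result.
All inputs below are constructed for this example.
"""
import re

# Constructed .htaccess fragment: the kind of lines the video pastes in.
HTACCESS_SNIPPET = """
# Sucuri recommendation: security headers
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
"""

# Assumption: "six months" expressed as 180 days in seconds. Anything
# shorter (including max-age=0, which switches HSTS off) is a finding.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Matches: Header [always] set|add|append|merge <Name> "<value>"
_HEADER_DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:always\s+)?(?:set|add|append|merge)\s+'
    r'([A-Za-z0-9-]+)\s+"([^"]*)"',
    re.IGNORECASE,
)


def parse_htaccess_headers(text: str) -> dict:
    """Return {header-name (lowercased): value} for every Header directive."""
    headers = {}
    for line in text.splitlines():
        m = _HEADER_DIRECTIVE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def parse_hsts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains; preload' into {directive: value}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of finding strings; an empty list means all checks pass.

    `headers` maps header name -> value; names are compared case-insensitively,
    as they are on the wire.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "x-xss-protection" not in h:
        findings.append("Security header X-XSS-Protection is missing")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("Security header X-Content-Type-Options nosniff is missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Security header Strict-Transport-Security is missing")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = -1  # missing or malformed max-age is treated as too short
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(
                f"Strict-Transport-Security max-age={max_age} is below "
                f"{MIN_HSTS_MAX_AGE} seconds (six months)"
            )
    return findings


if __name__ == "__main__":
    # Audit the constructed .htaccess fragment, then a deliberately weak set.
    print("htaccess fragment:", audit_headers(parse_htaccess_headers(HTACCESS_SNIPPET)) or "OK")
    weak = {"X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff",
            "Strict-Transport-Security": "max-age=0"}
    for finding in audit_headers(weak):
        print("weak set:", finding)
```

Run it as a script to see the constructed fragment pass and the `max-age=0` set fail; to audit a real site, feed `audit_headers` the response headers from any HTTP client instead of the parsed fragment. Keep the video's own warning in mind before raising max-age on a live host: HSTS is only safe to enable once every name it covers (all subdomains, if `includeSubDomains` is set) serves valid TLS, because browsers will refuse plain HTTP for the full max-age.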
Info
Channel: IdeaSpot
Views: 8,459
Keywords: sucuri wordpress plugin, sucuri plugin wordpress, wordpress security, sucuri tutorial, sucuri setup, wordpress security plugins, xss protection, wordpress security headers
Id: -brxiDRsiIw
Length: 18min 16sec (1096 seconds)
Published: Fri Mar 13 2020