The Ultimate WordPress Security Guide To Prevent Hacking & Malware Attacks

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
this is the most important video you'll watch if you own a website it's about security and more specifically how to keep your website secure unfortunately security can be a complicated topic but in this video i'm going to make it perfectly digestible for all of us non-techies out there and they'll be different sections in this video and it'll all be broken up in a table of contents so if you want to know how to keep your website secure this is the video for you so let's start by taking a look at the four things that can cause your website to be insecure number one is going to be weak passwords this is when you set your password to password or one two three your password one two three weak passwords and also you login accounts to your website that you might have given to a developer that helped you in the past but is no longer in the picture maybe some former employees or people you had hired to help you with your website so it's going to be the first thing that is going to make your website insecure now the second thing is going to be insecure plug-ins themes and maybe even wordpress itself insecure software and this would be parts of your website where a security vulnerability has been discovered and has been disclosed and has had a fix or a patch issued out but it never got updated on your website so this could be an old wordpress version i'll talk about why that is less likely but old themes or old plugins that you haven't updated now the third thing is using pirated software this is getting themes or plug-ins from some random place on the internet and not the official source of or the creators or developers or the company behind those products you're getting it maybe to save some money but what ends up happening is they install key loggers they install credit card skimmers and i'm going to explain what that is later in this video as well as different hacks to be able to gain access to your website and now the fourth thing is using bad hosting so what ends up happening with web hosting companies and you mostly gonna see this with the small mom and pop style hosting companies anyone can go and get a server and start a web hosting company but they don't have the money or the resources to have invested in partnerships or some kind of licensing of security software that will run on the web hosting account in order to keep their customers secure so sometimes when you go with these small mom and pop companies to maybe save a buck or maybe you might know them they don't have the money to invest in the infrastructure to mitigate security issues and oftentimes a server itself might get infected or it might have a security vulnerability and some form of malware gets on it and it can affect all of the different websites that are hosted on that server so now we've gone over the four things that can cause your website to get hacked let's now talk about what happens when your website gets hacked the ways that you're gonna see and notice that it's been hacked now the most common thing that you're gonna see is links on your website have changed and now go to other websites that you do not want to have anything to do with so this would be say on your website you have the menu navigation at the top and someone wants to click to go to your about page and then it goes to some pornography page or some kind of organization page that you don't want to be associated with this is what ends up happening most of the time and it's usually pornography or something like that your website when someone clicks on a link it goes there or you might see it someone visit your website and then after a few seconds then it redirects to some uh adult related uh or worse type of website now the second thing that happens often is a software will be update uploaded to your website and it will have a link to download the software and it might be some pirated software or something like that and basically the bandwidth on your web hosting account gets wiped out because it's being used as a file sharing hub now and i've seen that as well the next one is actually one of the worst things that can happen and unfortunately commonly happens is some software will get installed on your web hosting account so that it enables from your web hosting account tens of thousands of emails to be sent out unfortunately from the website domain name of your website and what this does is it harms the reputation of your email addresses which essentially means when you want to send legitimate emails they're going to end up in spam folders or not get delivered at all now usually when that happens your web host is going to notice it hopefully they're going to notice it and they're going to let you know or you're going to get a whole slew you'll wake up one morning and you'll go into your inbox and you're going to see thousands of bounce email messages where it sent the spam message out and that person's email server sent that message back saying the email couldn't be delivered and lastly this is one of the most frightening things that happens is credit card skimming so if you have an e-commerce website where people are coming to your website and entering in credit card information well now what their these hackers are doing is they're installing credit card skimming software so when the visitor enters in that credit card number it's being captured and sent off to the hackers which is pretty much credit card fraud and i think if this happens to your website you could be held liable for that because it's your responsibility and obligation to keep your website secure so hopefully i've kind of terrified you a little bit to know what is possible if you're not vigilant and with with regards to the security on your website now there's some simple things that you're going to be able to do to make your website much more secure we're going to go over those things right now step by step so here's some of the things you can do to prevent something like this happening your website being hacked now the first thing i've covered so many times and no matter how many times i make a video or suggest this there's always going to be a certain part of users that don't ever get around to it and so the number one most crucial thing that you need to make sure you do is have an off site backup of your website do not trust your web hosting company to make a backup of your website it's nice if they do that and you can try to use that if an issue occurs however you cannot trust that they get that done i have had websites on hosting accounts where they dropped the ball they blew it and i got screwed in the deal and i don't want that to end up happening to you especially when having an automated off-site backup cost you nothing but a few minutes of your time not going to show you how to do that in this video i'll have a link down below but there's a free plug-in that you can add to your website to easily be able to do this so i'll just walk you through the name of the plugin so you'll just go to plugins click on add new and you will search for wp vivid i never like the name of the plugin but the plugin works it's right here migration backup staging wp vivid backup what this is going to do is allow you to automatically have a backup created and pushed off site to say dropbox or something along those lines so it's off site in case you need it now the second thing you can do is very easy and there's no reason you shouldn't do this and this is to remove plug-ins and themes that you're not using on your website so that's simple you can go right here for example to themes and here's a theme i'm not using i can click on it on the bottom right i can click on delete then confirm and that's deleted and the same thing for your plugins you can go here to plugins and you can just delete any plug-in that you want now it might look like i'm not practicing what i'm preaching here on this site this site's actually installed on my local computer it's not on a web hosting company account and it's not a publicly accessible so i do practice what i preach now the next tip is really the best rule of thumb it's something that i follow myself and that is not to install themes and plug-ins from just random third-party developers so i tend to stick to themes and plugins that are made by reputable developers that have a real business behind what they've created and the reason i do that is because i know their rear end is on the line their reputation is on the line so if there's a security issue or something's not done right there's more eye balls on that software and people using it maybe people purchasing things uh from them they have every single incentive to deliver a secure product and if there is ever security vulnerability quickly and rapidly patch it and that's why on this channel you don't see me talking about every little plug-in here or plug-in there and that's because i'm extremely cautious of what things and plugins i talk about on the channel probably a little too cautious but if i made a tutorial around a product you installed it and your there was some vulnerability and your website got hacked and then you come back to me i don't want that situation i would much rather just stick to the reliable reputable stuff that uh when when there is an alternative for my website so it's actually quite simple to do this so if you want to install say a new plug-in on your website you click on add new there's some indications uh of whether or not you might want to feel safe or not feel safe installing this on your website so for example if i go to woocommerce so let's see here it'd probably help if i spelled it correctly but when you enter in a plug-in or a search for a plug-in and you see a list like here we have a couple indications so when you see the grid on the bottom here we have reviews and that's kind of an indication this is a big indication how many people are actually using this and when you click where it says more details we get this little pop-up and we get some more information you can read maybe some of the negative reviews on this uh this is very important right here when was the last time this plug-in was updated uh that means that they're sticking with this product so for example if i was scrolling down and here's an interesting product maybe it meets what what what i need but look at this like no one really uses this product it's only being used by 200 people what that ends up meaning is the developer has no incentive to keep updating it and to stay on top of it and make sure it's secure uh there's no incentive for them to do that so i'm super cautious of which plugins and themes i put on my website the first thing you could do is enable auto-updating on wordpress your wordpress themes and your wordpress plug-ins but sometimes that can also cause some issues and i'll talk about that in a moment now enabling this is extremely easy so if i go right here to where it says updates here on the left and i'll click on that this is where you can choose right here with this link whether or not you want wordpress itself to auto update so that's for wordpress for themes you would go into themes right here i'll click into theme details and you can see there's an option right here that says enable auto update you click on that and the theme will then auto update so you can do that for your theme and also for your plugins when you click into them you see this column here on the right if i want this plugin right here to auto update all i have to do is click on it and now it will auto update as soon as there's an update available this is really good because what ends up happening is uh usually the developer will get notified of a security vulnerability they'll patch it issue out an update and this is before the information gets public and you'll be covered pretty much now it can cause some problems if you're using a theme or a plug-in from a developer that's not super reliable and they push out updates that can be problematic so you do have to be careful when it comes to auto updating but i personally auto update most of my plugins and and certainly my theme and i don't typically have any issues what happens is when an update auto update happens your website's gonna send you an email notification saying this this this was automatically updated for you so you get those notifications you can hop over to your website and take a glance to make sure everything's working fine the next thing you do is audit the users on your wordpress website this is super easy so i'm going to go down here where it says users on the left i'll click on all users now we have some filtering options up here so if you have users with different user roles subscriber editor author and administrator you'll be able to filter through them now i only have one user account on here and it's an administrator account so if you have multiple accounts you'll want to go here click words as administer administrator and just do a quick glance to see if old employees still have access or old development companies or an old um you know whoever that doesn't need to have access to your website also look to see if there's any suspicious user accounts there you can easily go and hover over a user account and delete it this is the only user account i have on this website so i can't particularly delete this one but you get the idea now the sixth thing is to just say no to using pirated software on your website they install back doors they do credit card skimmings that's a big thing that started in 2020 what credit card skimming is is say you have a woocommerce store and you want to save a little bit of money instead of buying the extension you find some random place on the internet to download it well number one you don't get support but we don't always need support number two you don't get access to updates when they happen so if there is ever a security vulnerability you won't get access to that but a lot of times what happens is these pirated softwares will automatically add user accounts to your website notify the hacker and then they can log in and steal data the scariest thing though when it comes to e-commerce is that they have credit card skimmers now so it's a little snippet of javascript that gets added and so when someone's on your website making a purchase and they're entering that information in a credit card or something like that that information gets captured and sent off to the hacker and this makes you liable because you're the one that decided to install this pirated software on your website and now credit card information of your customers is getting stolen uh you can get in some big trouble doing that and this is a big problem that started surfacing last year 2020. now i know we have to live in a world of reality and sometimes people are going to take some pirated software if you insist only use it for testing on your local machine on a local installation not on a public website make sure when you install it on your site you're not using your real email addresses inside of your wordpress website because a lot of that information can go straight on over to the hacker number seven is be careful which web hosting company that you use i do have some web hosting recommendations and i'm going to mention a couple web hosting companies that have partnerships and integrations with security providers if it's not a reputable company that has a budget to invest in security and proper infrastructure then you're going to be in a bad you ha you potentially could be in a bad spot i did that once in my early days of using wordpress i was using this smaller web hosting company and they're also the ones that were automatically backing up but then screwed that up i ended up losing my website it's just not worth it it's not worth it for the just tiniest amount of money you may save if you save anything at all i prefer to just go with reputable web hosting companies i don't want to have to waste my time and spend my time uh doing something um to fix a hacked website when i could have just spent a little bit more money now the eighth thing you can do is to stay plugged in to wordpress and the way you do that is you can subscribe to this channel and also give this video a thumbs up by the way but subscribe to the channel join the facebook group that i have going on when i get an alert about a security update and i know i might have talked about this on my channel i post that on my facebook group but the amount of effort that goes into making a video i don't usually make a video to post it here on youtube so unless it's really big unless it's really big like the woocommerce one a few months ago or a few weeks ago so join the facebook group stay subscribed here and uh click on the community tab on this youtube channel and i'll do my best to keep you updated but for sure in my facebook group people are posting when there's serious vulnerabilities that just get discovered and exposed so you'll have the advantage of knowing as soon as everybody finds out about it now the worst thing is even if you do everything i just outlined above it still might not keep you safe now i have done everything i just listed above and my own website got hacked a few years ago and what ended up happening was something called a zero day attack and what a zero day attack is is when a vulnerability is discovered and the information to exploit this vulnerability is published on the internet it's not instead given privately to the software developers so they have a week or so to solve the problem come up with the fix security hard in their software and then release an update know this this information goes out immediately and this happened to me i was using a plug-in called social warfare uh i don't think it's that popular anymore i got rid of it and um i would never use it and i would never even mention it after this but at the time i think it was like 2018 it was a very popular social sharing plug-in to add to your website well there was a zero-day attack and it i just remember that day people coming to my website clicking on links going to like pornography websites it's the most embarrassing thing it harms your brand and it wasn't just me it was a lot of people this was happening to because a lot of the larger blogs were using this product and so that is when there's these zero days you can have everything lined up but you still end up having a problem now there is something that you can do about that now these are paid services but i'm gonna tell you how you can get some of the benefits of these paid services without having to actually pay but let me tell you about these paid services right now i'm gonna go through three of them and four of them sorry and they all pretty much do the same thing and what they're doing is a real time threat patches and protection so what it is it'll be a plug-in you install on your website and it puts a real-time protection layer between your website and the open internet so when they find out about one of these vulnerabilities they can pass zero day vulnerabilities or any vulnerability they can patch it before the software developer has actually patched it so let's take a look at these four but i'm going to tell you how you can get some of the benefits of these four without paying anything extra well it depends okay so the first one is patch stack now patch tech used to be called web arcs when i had that zero day i just got to disclose this when i had that zero day thing happen to me and my website got hacked i actually had patch stack on my website but it was called web arcs now i'm gonna cut them slack they were a brand new company i think they were saying things that they weren't yet doing uh and they screwed up they completely and utterly screwed up however that was a long time ago and they have since really built the company and i i'm actually very impressed at what they do i think they have been probably the most aggressive at discovering threats and vulnerabilities before anybody else so even though i had a bad experience years ago i think that they've recovered and i will cut them some slack so it was a zero day and they were saying they were protecting against that but they weren't um and they were so behind the eight ball uh anyways uh no no sense of rehashing that so there's patch stack uh and this is has a monthly fee to it uh let's go ahead and look i'll have links to all this down below so you're going to see these are all kind of pricey so you can see for a single website it's like 15 bucks a month uh here's security which is probably the creme de la creme of real-time protection like this let's take a look at their pricing now security i believe is owned by go daddy i think go daddy bought them i could be wrong and you can see just their basic plan is 200 a year for a single site you're going to see these are all expensive one you've all heard of is word fence i don't really like word fence that much now don't get confused word friends has a free version and it doesn't get you this protection it's only in the paid version so uh word fence let's see the pricing of this really quick um so it looks like a single license is only 99 per year next let's take a look at malcare i kind of like malcare and some of what it does let's take a look at their pricing so malcare is uh 99 a year so you're seeing that they're all about 99 per year to 2 200 or 300 per year for a single site that can add up really quick now the good news is some of the larger web hosting companies already have a degree of this protection in place at the server level so you don't have to pay for it and you don't have to install a bunch of things on your website so let's take a look at two of those hosts and it's pretty much the only two hosts that i really talk about here on this channel now the first web host is going to be cloudways and i've got a discount down below for cloudways you can visit wpcrafter.com cloudways i have the coupon code down below it's going to save you 20 sent off for a few months i personally use cloudways now cloudways last month announced that they have a special partnership with none other than patch stack so i just showed you the cost of patch stack it's what 15 bucks a month so they have a partnership agreement in place now the services haven't been integrated yet but i hear that it's gonna probably happen by september of 2021 so if you're using cloudways already so many people on this channel already are you've got this to look forward to and i'm glad that they are doing it now cloudways already has an integration with some of malcare's features as well so malcare has a really good system of preventing bot attacks on your website and it's one tiny click inside of cloud ways to enable this on on your apps as well there's one other big thing coming to cloud ways i don't think it's my place to disclose it yet in this video but it's going to solve all the problems as it relates to updating your website and there being unreliable updates and preventing kind of an auto update from breaking your website that's something that they've been building i have been talking to them about it and i've actually seen it but i don't know when they're going to release it i think it's going to be this year so that's going to be another benefit of using cloudways and i'll be making a video on that when they finally release this enhancement that'll be something unique to them that you really don't see on other services so that goes back to what i was talking about using a web host that has some scale to it so that they can invest in the technology and you just benefit as a customer now the second web hosting company that i talk about in this channel is name hero and you can save 70 off signing up for name hero they're a really good web hosting company and they have a really solid service i've got a link to that below or go to wpcrafter.com name hero now let me tell you what name hero has for you so they have this integrated service called immunify 360. and this is a security suite that runs on the server that is going to detect if there's ever like modifications of files on your website and it contains code that will make your website get hacked it's going to catch those prevent those and also be able to roll those back there's a ton of things that it does you can read about it right here on the imunify website now what's weird is when you're here on name heroes page you don't see them specifically mentioning immunify but actually here let me do a search i am you and yep they don't even mention it here however if you have an account with them so here is what the cpanel looks like we can scroll down actually it's easier i don't like cpanel but type i am you and there it is immunify360 so this is integrated for free inside of their web hosting plans so you're going to get a lot of this protection and it's just included with what you're already paying for web hosting and you can see here with the discount that they give to wp crafter subscribers it's not expensive web hosting i mean it's less expensive than siteground and it's also using lightspeed technology which allows you to use the lights the ls cache plug-in the free caching plug-in that comes from lightspeed now also include links to tutorials on how to set up cloud ways or set up name hero with the lightspeed cache i've got videos on those here on the channel and i'll include links to them down below if you've been on the channel for a while you might have already seen them so lastly let's talk about what can you do if your website is hacked and unfortunately if you find yourself in this situation i know it could be very stressful and it's ultimately an emergency situation and you're really left with three different options here so the first one is if you heeded my advice about creating an off-site backup you can try to restore a backup as far back as you know when the website or you suspect when the website was hacked so if there's a notice that went out that a certain plug-in is vulnerable you know that that's probably how your website was hacked well look at the date of that notice and then restore a backup prior to that this doesn't always work it has worked for me it's worked for people on this channel but sometimes it doesn't always work in k in the situation where uh the your website's been hacked and then the hack included back doors throughout your web hosting account so it might not fully solve the problem but that would be the first thing that you want to do now the second thing would be to pay a service so if i had to pay a service the one that i would pick out of all the ones i talked about i would go with malcare malcare has really good technology in place to identify a file with the problem and also something was inserted into your database malcare will just do it most of the time it could do it all automatic and if you try malcare and say word fence and security mild care is gonna do a better job than those other two services and so i feel pretty confident in malcare and that's where i'd go first also patch stack has a malware cleaning service attached to it and then the third one is you can hire someone i don't have any recommendations but i know in the wp crafter facebook group uh there are people there that have the capabilities of doing it but you only want to use someone reputable with a reputation with reviews the reason why is if they don't know what they're doing the hack is just going to come back so you definitely want to make sure that there's a guarantee in place and you want to make sure that their butt is on the line through reviews and they care about that stuff so basically don't just jump over to fiverr and hire someone for ten dollars they don't really have their neck on the line to make sure they do this thoroughly so you want to choose a reputable company and unfortunately you might be looking at eighty dollars to maybe a hundred and fifty dollars in order to have someone do that now lastly i'll just throw in some of the free things that you can do there are security plug-ins inside of the wordpress plugin directory a lot of the free plug-ins will give you a false a sense of security or they'll give you security through obscurity that's by trying to hide things but your site is just as vulnerable as it was everything i've outlined in this video or the best practices that if you follow you are going to be fine and you don't have to worry about it wordpress is very safe and secure it's not wordpress that's the issue at times it's the third-party plug-in the third-party theme from some random company unfortunately and i hate to say it like this it's the decisions we make for our site that can make our website insecure it's not that wordpress itself is insecure so it's like the balls in our court for me i have to be responsible for my security for you you have to be responsible for your security so anyways that's all that i have in this video it's pretty exhaustive uh there's some other things you could do i'll probably cover in another video i didn't want to make this one too long if you have any questions for me you can ask in the comment section down below thanks for watching if you can give this video a thumbs up right now it's going to help this video be shown to other people that need to see it so if you could do that i'd really appreciate that thanks for watching this video and i'll see you in the next one
Info
Channel: WPCrafter.com WordPress For Non-Techies
Views: 8,655
Rating: 4.8941398 out of 5
Keywords:
Id: xQJeZgtEtdE
Channel Id: undefined
Length: 31min 26sec (1886 seconds)
Published: Thu Sep 02 2021
Related Videos
How to Setup Cloudways The Right Way - The Fastest WordPress Hosting Service For The Best Price
WPCrafter.com WordPress For Non-Techies
45K
How To Secure Your WordPress Websites with iThemes Security - 2021 Tutorial
WPress Doctor
1.1K
How To Write 10X MORE Blog Posts In HALF The Time Using AI Artificial Intelligence 🔥
WPCrafter.com WordPress For Non-Techies
24K
How To Make a WordPress Website - 2021
Tyler Moore
1.1M
Stop Selling Just Websites & Unlock Multiple Streams Of Agency Revenue WordPress
WPCrafter.com WordPress For Non-Techies
9.3K
How to Secure Your Website From Hackers in 2021 (WordPress Website Security)
Create a Pro Website
13K
10 Most Common WordPress Security Mistakes
WordPress Tutorials - WPLearningLab
30K
How To Speed Up WordPress Tutorial Using LiteSpeed Cache
WPCrafter.com WordPress For Non-Techies
79K
Web Hosting Secrets Revealed - Make Cheap $6 Hosting FASTER Than Expensive $60 Hosting
WPCrafter.com WordPress For Non-Techies
55K
Wordpress Security Tips for 2021 (that don't require paid plugins!)
All Things Secured
5.3K
How to use Slack
Kevin Stratvert
144K
How to Remove Virus/Malware from Hacked WordPress Website for FREE using WordFence Plugin Tutorial
Nayyar Shaikh
96K
How To Mine Ethereum & Make Money 2021 Tutorial! (Setup In 10 Minutes Guide)
Franklin Hatchett
1.1M
Overlapping Columns in Elementor 3.0
Tyler E Morrison
5.1K
Best Free WordPress Theme for Affiliate Marketing (w/ Built-in Schema)
Jack Cao
2K
WP Optimize Tutorial 2021 - How To Setup WP Optimize - WP Optimize Best Settings 2021 - WP Optimize
SERT Media - Wordpress Tutorials
823
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.