WordFence Security Plugin - The Complete Tutorial

Captions
Well, hello and welcome to the Web Monkey show. My name is Alex, it's a pleasure to have you here, and today we're talking about WordPress security, and specifically how you can make use of the Wordfence Security plugin to protect your WordPress website. WordPress security is such a big concern and a major issue today, and this is why it's very important that you take the necessary steps to protect your website against hackers and malware. So today we're talking about Wordfence Security. This is one of the most powerful but also one of the most popular WordPress plugins, with over 2 million active installations. This is a very robust plugin that provides lots of features with which you can protect and enhance the security of your website. So today I'm going to show you how you can completely configure this plugin to protect your website. It's gonna be a bit lengthy, so I'll have all the relevant timestamps in the description box below. So sit back, relax, and learn how you can protect your WordPress website by using the Wordfence Security plugin.

Alright, so the first thing we have to do, obviously, would be to download, install and activate the plugin, so please do so. The plugin is Wordfence Security by Wordfence. Now, once you're done, you will see this message from Wordfence, which is part of the installation, asking you to provide your email address where they will send you security alerts. This is extremely important, so please make sure you use an actual, real email address that you have. So I'm gonna come in here right now and just add one of my official email addresses. Alright, oh, I'm sorry, Alex "add" the movie characters dot com. Wow, it should be Alex at the movie characters dot com. So that's my email. It says "Would you like to join the mailing list?" Yes, I would recommend that you do so; they do send very useful tips every now and then. I'm gonna check the box here and I'm gonna click on Continue. Alright, so Wordfence does have a premium version of the plugin, but we're gonna deal with
the free version, and if you're interested you can always get the paid version later. I'm gonna click on No Thanks, and let's take a look at this fantastic plugin. You will see Wordfence at the bottom right here. Let's go straight to the dashboard and see what Wordfence has to tell us. OK, let me just close this, and let me scroll all the way to the top. So in here right now you will see this message asking that Wordfence be allowed to update automatically whenever there's a new version, so yes, go ahead and enable the auto-update; I think that's very, very useful. And then in here you will see this message saying "To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall." Just click here to configure. Alright, now depending on your web host you might see a different value in here, so don't be concerned if your value here is different from mine; it just means that your web host is using a different kind of web server. So Wordfence will automatically detect the kind of server you have, and that would enable it to run as efficiently as possible based on your server's configuration. Alright, just to be on the safe side, I would recommend that you click on Download .htaccess file so you have a backup of this particular file, which is very, very important. Once that's done, just click on Continue and click Close, and that is it. That's all you need to do to optimize your firewall.

OK, so let's take a look over here right now. Note that we are under the Firewall section now. So in here it says, well, you've got the Web Application Firewall and it's currently in learning mode. Hmm, OK, let's scroll down here. Over here it says Learning Mode, and then it will automatically be enabled one week from now. I am recording this video the 2nd day of February 2019. So what exactly is learning mode? See, think of the firewall, think of the Wordfence firewall, as a bodyguard that's been assigned to protect a client for the very first time. Now the bodyguard needs to
understand what the client does for a living, where they go, the kinds of places they visit, the kinds of people that visit them. This way the bodyguard knows what to expect, the bodyguard knows the routine, and the bodyguard is in a better position to identify any sort of unusual activity. That's basically what the firewall is doing in learning mode: it's learning about your website, the kinds of content you produce, the kinds of traffic that you typically get onto your site, the things that people typically do when they come to your site. Maybe your site is the type of site where users can upload files, download files. So basically your firewall is just learning as much as it can about your site before it actually begins to act. This is why you want to go with the learning mode first of all. You could come in here and just disable the firewall, which would not be a good idea. You could just go ahead and say Enabled and Protecting, but at this point your firewall doesn't know much about your site, so it's best to just stick with the learning mode, and as you can see, automatically one week from today the firewall will immediately switch to Enabled and Protecting, so you really don't need to do anything in here.

Alright, let's scroll down, and over here we've got the Advanced Firewall Options. I know if you're watching this video you're probably not a security guru, so what I'm gonna do is I'm only gonna focus on the most important parts and not wear you down with too many technicalities. Thankfully, Wordfence by default actually does a very good job of providing you with some good options that you don't even need to configure that much. So over here right now you've got the "Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)". In here, this is useful if you have certain people that you trust, maybe it's your web developer or one of your admins who you trust. If they're having issues logging into
your site or accessing your site for one reason or the other, you can ask them for their IP address and come in here and put in the IP address. This way that IP address will automatically bypass your firewall and will give the user access to your site, so this is actually very, very useful. Let me just close this. Alright, let's go all the way down here. So over here you've got this section that says "Immediately block IPs that access these URLs". This is a little bit tricky. Whenever a hacker tries to hack your website, there are certain URLs, maybe like /wp-admin, /login.php, there might be certain kinds of URLs they try to access in order to find out if there is a particular vulnerability with your site and so on. If you are familiar with such URLs, or you have a security expert, this is where they can come in and add such URLs, so that if anyone tries to access such URLs they'll be blocked. However, I'll just recommend that unless you know what it is that you're doing, don't come in here and add anything; just leave it blank as it is. Alright, that is pretty much it for the Advanced Firewall Options.

Let's take a look now at the Brute Force Protection. What do we have here? Alright, if you don't know what brute force is: basically, in a brute-force attack the hacker will try to guess your password and will try different combinations of letters and numbers, and they do have software that can actually try thousands of combinations per second. So that's basically what a brute-force attack is: it's just basically a hacker trying lots of combinations of letters and numbers just to guess your password. So you really want to protect your site against such users. So in here right now, what I like to do here is "Lock out after how many failures": I'm gonna go with five. OK, we go with five. And then "Lock out after how many forgot password attempts": again I'll go with five. And then "Count failures over what time period": four hours. I think this is
perfect. These are the settings I'll recommend. So basically, if anyone fails more than five times to correctly access the backend of your website, they will be locked out for four hours. That's basically what this means, and I think this is actually pretty cool. Now over here you've got this very, very powerful feature that Wordfence provides, and that is the "Immediately lock out invalid usernames": if anyone tries to use a username that isn't on your site, they will be locked out immediately. This is perfect; I'm gonna come in here right now and tick this. Now let me open up my users in a new window, or in a new tab, and show you something. Right now you can see I've got two usernames: I've got "developer" and I also have "movie". However, I do not have usernames such as "admin" or "administrator". So if I come in right now and I say, yep, I'm gonna block anyone that tries to use the username of "admin", and then, oh, not "ad", sorry, "administrator". Cool. The reason why I'm doing this is because many times, whenever a hacker wants to access your backend, they will typically go for usernames like "admin" and "administrator", because a lot of people have such usernames on their website. This is why I'll recommend you don't have any username or account that has "admin" or "administrator" as the username. Don't just have generic usernames, and also don't use your first name as your username; it is a very bad idea. So right now you can see I've added "Alex", and I'm also gonna add "Alexander", just in case anyone tries to hack this website because they know my name is Alex. So you can see "admin", "administrator", "Alex", "Alexander", all that. You want to do exactly the same thing: add "admin", add "administrator", and add your first name. Block any IP address that tries to use any one of these usernames to access your backend.

OK, let's scroll down. In here we've got the "Prevent the use of passwords leaked in data breaches": "For admins only", or you can go with "For all users with publish posts capability". I'll go with this one.
What this does here, basically, is if the plugin detects that there has been a security breach, it will immediately render any passwords associated with the accounts that have the publish posts capability useless. So basically, most accounts that have the publish posts capability are your admin, your editor, as well as your author; those are three kinds of accounts that have the publish posts capability. So this is a good setting for this particular section. And then you've got the Additional Options. "Enforce strong passwords": you can force your admins and the publishers to have strong passwords, or you can just go with "Force all members". I'll recommend you go with "Force all members", and that is pretty much it for this section. I'll just close this brute force protection.

Let's now go to the Rate Limiting. Alright, what exactly is rate limiting? This controls just how much traffic a particular IP address can get, or how many requests they can make on your site per minute. That's basically what rate limiting is: it's basically you regulating how much traffic you are allowing a particular IP address to get onto your site. So in here you can choose to "Immediately block fake Google crawlers": yes, let's do that. "How should we treat Google's crawlers": I like to give verified Google crawlers unlimited access, because they're verified, they're from Google, and you typically want Google crawlers to access your site, unless for some reason you don't want to be optimized on Google. So I like to give verified crawlers unlimited access. And now over here you've got the "If anyone's requests exceed": everything here is set to Unlimited, but this is bad. I'm gonna go over here to 240 requests per minute. What this means is, if anyone's IP address has made more than 240 requests per minute, and by requests I mean page access, post access, basically them doing stuff on your site, that's basically what requests mean, so if it exceeds 240 per minute, that's typically very, very suspicious, and I'll just
throttle it. You can either throttle or block. Throttle means you regulate, which means you deny them access for a while and then give them access again after a period of time. Block just means block: they're banned from accessing your site. So I'm gonna go with 240 per minute and then throttle it. The second, "If a crawler's page views exceed": again I'll go with 240 per minute and then throttle. And now over here you've got the "If a crawler's pages not found (404s) exceed". What this means is, if a crawler has found more than a certain amount of not-found pages per minute, what do we do in this case? Right now I'm gonna go as low as 10. Typically, if any crawler or any person is looking for broken links on your page, that's typically a very bad sign; it could mean they're looking for vulnerabilities. I'm gonna say if they find more than 10 per minute, I'm just gonna go ahead now and block it. Alright, you also want to make sure that your site is actually well configured and you don't have too many broken links on your site, just letting you know. "If a human's page views exceed": OK, this one again we can make this 240, nothing too harmful here. And now "If a human's pages not found (404s) exceed": again I'm gonna go very, very low here. Basically, if a human being finds more than 10 broken links per minute on my site, well, I'm gonna go ahead and block them. Why are they looking for broken links? That's typically very, very suspicious. And now over here it says "How long is an IP address blocked when it breaks a rule": I'm gonna go with one day. So basically, if an IP address breaks any one of these rules I've set in here, they will be blocked for one day. You do have the option for one month, which is the highest, but I'll recommend one day, because remember that when people use the internet they're using dynamic IP addresses. One IP address today might be assigned to a malicious user who tries to hack your site, but then the very next day that same IP address could be assigned to someone who
legitimately wants to access your site and do good stuff. That's why you don't want to go with one month, because you could deny valid users from accessing your site simply because they've been assigned an IP address that was previously used by a hacker. So one day, and that is that. Whitelisted URLs: this is a little bit complicated, so I'm not gonna delve too much into this. OK, let's go ahead now and save changes, and that is it for part 1 of configuring our Wordfence Security plugin.

So previously we already talked about the firewall and how you can configure your rate limiting, brute-force attacks and so on. Let's go straight to Scan. Alright, with this particular plugin you can actually scan your site for vulnerabilities or any sort of malware. So you come in here right now, just click on Start New Scan manually, and right now you can see that it's running in the background. You can see it says "Contacting Wordfence to initiate scan" and so on. So you could do that if you wanted to. I'm just gonna go ahead and stop the scan for now. Let's close, and let's take a look at the options for scanning. Alright, so again you will see the link that says Scan Options and Scheduling. I'm gonna click in there and let's see what we have. Alright, you've got Scan Scheduling right here. Now I'll recommend that you enable the scheduled Wordfence scans, it's better this way, and then let Wordfence choose when to scan your site; that is typically the recommended feature. Now over here you can choose the kind of scan Wordfence should run. Your ideal option here would be the Standard Scan. Limited means that, well, it's not going to take up too much of your resources, but then the scan would not be so thorough. You don't want to go with High Sensitivity either, because unless your site has actually been hacked, or you feel your site has been hacked, there is really no point in going High Sensitivity, because this will use a lot of resources and a lot of times it could generate something known as false
positives, where the plugin tells you that, hey, this is a malicious file, whereas in fact it's actually not malicious. So you want to go with the Standard Scan most of the time. Now you've got your General Options in here. There isn't anything much to change in here; I'll recommend you leave all these as they are, no need to check or uncheck any of the boxes in there. So let me close the General Options. Let's go to Performance Options. Now over here you can actually use something known as low resource scanning, so I'm gonna go ahead and choose this. What this does is it will limit the number of resources the plugin would use from the web server, but at the same time it will also extend the duration of the scan. So this is very useful, especially if you're on a shared hosting plan with your web host. And now over here you can limit the number of issues sent in the scan results email. The limit here is a thousand, which I think is a little bit extreme. Unless you have like a really bad, dysfunctional website, I don't think you should have more than five hundred issues max; like, even five hundred is a lot, but I'm just gonna go with five hundred. You've got the time limit that the scan can run in seconds; zero or empty means the default of three hours will be used. There is really no right or wrong answer to this one; I'm just gonna leave it blank as it is, just go with the default of three hours. Now over here, very, very important, you have the "How much memory should Wordfence request when scanning". This will depend heavily on your server configuration and how much memory you actually have. 256 is pretty standard, but if for some reason you realize that whenever Wordfence is running in the background your site becomes very slow, you can do certain things: you might want to come in here and reduce the amount of memory that the plugin requests, or you can do something else, which is actually the better option: you can request that you have more memory provided to your
website by your web host. That would be the ideal option to go with. Now over here I have set the value to 15, and what this does is, it says "Maximum execution time for each scan stage". What this means is you wanna set a period of time where a scan can fully complete its objectives, but then it isn't assigned excess time as well. So you don't want to come in here and go with something like 40, for example, because most scans might take maybe a value of 15, maybe 18, so if they are able to complete their scan within 15 or 18 seconds, then why give it 40 seconds? That would be too much. So for most servers, as recommended by the plugin, you want to go with somewhere around 10 or 20. I'm gonna go with 15 as my option. So let me close this, and finally we have the Advanced Scan Options. This is pretty advanced, and unless you know what you're doing, I will not recommend that you play with any of the options in it or add any sort of text in here. OK, that is it for the scanning. Let me go ahead now and save my changes for the scan.

Now let's go over to the Tools. What do we have on the tools? Lots of pretty cool stuff. Alright, unfortunately one of the really cool features is the two-factor authentication, but this is only available with the premium version of the plugin. But you do have Live Traffic, and this becomes actually very useful once your site begins to get lots of traffic, and you can see the pages that have been visited, when the page was visited, the IP address, the hostname and so on and so forth. You can also expand your results, which show you more information depending on how much traffic you've gotten. You also have this very useful Whois Lookup tool, where you can actually look up the credentials of an IP address. So as an example, I'll just type in a random IP address in here, um, 64, 29, maybe. So if you've noticed a particular IP address that seems to be accessing certain pages that you don't like, or you feel kind of suspicious, you can simply
come in here and access that IP address and see who owns the site. Let me try another random IP address, and oh, this doesn't seem to be working. Come on, give me an address. Let's try this one, and oh, there you go. Thankfully the plugin has been able to figure out who owns this IP address. So what do we have here? Looks like it's someone from Finland, Geological Survey of Finland. OK, not too much information here. This is the person's name associated with this IP address, Hanna Kyra Kerry, we've got Vassallo Heller, and so on. Well, anyway, you can always just check the IP address of any person whom you feel might be engaging in malicious activity on your site. That's the whole point of the Whois Lookup feature.

You've got the Import and Export Options. So let's say you've fully configured Wordfence on your website, you're happy, and you want those exact same settings on another website. You can simply come in here, click on Export Wordfence Options, and this will provide you with a token which you can copy. Alright, this is the token right there. And then you can go to the second website, and then go to this box right here, paste the token from your site, and then simply import the Wordfence options. So that's how you can export and import your Wordfence options from one website to another.

And then you've got your Diagnostics. Well, let's take a look. So over here right now you can get reports on your email based on certain kinds of configurations on your site. "This page shows information that can be used for troubleshooting conflicts, configuration issues, or compatibility with other plugins, themes, or a host's environment." So for the most part, hopefully you would not need to access this particular page, but if, for one reason or the other, you have to do some troubleshooting, this is basically where you'll find a lot of information about your plugins, your settings, and so much more. OK, that is it for the Tools. Let's now jump into the last option, which is All Options,
thankfully. So in here again you've got the Firewall Options down here, which we've taken a look at. You've got your Blocking Options, and you also have the Advanced Country Blocking Options, which unfortunately are only available with the premium version of the plugin. You've got the Scan Options, which we've taken a look at already, and you've also got the Tool Options, which we've just taken a look at already as well. But over here at the very top you've got your Wordfence Global Options. So in here you have access to your license, and in here you can customize whether you want to display the Blocking menu item, display your Live Traffic menu item if you want to. You've got the General Wordfence Options, where you can choose where you want your email alerts to be sent to, this is the default email address, and then "How does Wordfence get IPs": just go with the recommended option in here, don't change anything in here.

Let's scroll down. Here you've got the "Hide WordPress version": I highly recommend that you do this. This is a great way to protect your site from hackers, because hackers typically want to know the version of WordPress you're running so they can see what possible vulnerabilities might exist. So hiding the WordPress version is a great way to further enhance the security of your WordPress website. "Disable code execution for uploads directory": yes, you want to disable code execution here, because basically this directory should only be reserved for images, video files, audio files, basically non-executable files. So yes, do this; this would be a great way to protect your site. And let's come down here, where you've got your Dashboard Notification Options; again I'll keep these as they are. And then you've got your Email Alert Preferences. "Email me when Wordfence is automatically updated": sure, why not. Let's scroll down here. You've got other options in here: "Alert when an IP address is blocked": yes, give all this information to me, I want to be notified
whenever something major happens on my site. Now over here you've got the "Alert me when someone with admin access signs in": this is useful if you're the only admin on your site, but if you have several admins, I would recommend that you only get alerted when an admin signs in from a new device or location. This way you limit the number of times you get unnecessary alerts when one of your genuine admins tries to log in. "Alert me when a non-admin user signs in": again, this will depend on the configuration of your site. If all the accounts on your site are admin accounts, then obviously you want to make sure that you're notified when someone with non-admin rights gets logged in. Alright, "Maximum emails to send per hour": in this case I'll go with maybe 20; hopefully you're not going to get more than 20 alerts per hour. And then finally we've got the Activity Report. Once a week is pretty decent; you could go with once a day, but that may be a bit too much; once a month might be too little. Once a week would be ideal, in my humble opinion. Let's save our changes, and that is pretty much it for the Wordfence Security plugin.

Well, there you have it. We've come to the end of this tutorial on how to configure and make use of the Wordfence Security plugin. I hope you enjoyed it and I hope you found value in this tutorial. If you did, please hit the like button and subscribe to the channel if you haven't, and be sure to hit the bell so that you're notified whenever I upload a new WordPress tutorial. Thank you so much for watching. My name is Alex, it's been a pleasure, and I'll see you next time. Bye-bye.
Info
Channel: Web Monkey
Views: 16,583
Keywords: WordPress, wordfence security plugin, wordpress security, wordpress security tutorial, wordfence review, wordfence security wordpress
Id: 7C7k596Vgv4
Length: 28min 37sec (1717 seconds)
Published: Wed Feb 06 2019