WordPress Security - How to Secure & Protect Your WordPress Sites

Captions
hello and welcome to this video course on wordpress security so what i want to do now is to give you some basics we're going to talk about the video course as a whole and then of course we'll talk a little bit about the reasons why most wordpress websites get hacked so this is video number one the introduction so let's talk about the reality the reality is that most businesses do not think about wordpress security until it is too late and the reason being is that a lot of times you're just not thinking about that but the reality is that online business is just the same as offline business now whether you use your wordpress website for running your business or either maybe a informational website it doesn't matter as long as you have a wordpress site this includes that so you see in offline businesses where criminals will come in and steal their stuff on the online realm it's a lot much worse because people have automated bots or automated systems that their goal is to go out there and to hack your wordpress sites now one big question is is wordpress secure and the big answer to that is yes if you install a wordpress site the wordpress code is secure the reason why wordpress sites get hacked is because of several reasons so what i've done here is for the next videos two three four five six seven and eight i'm going to dive in to each individual ways to protect your site so video number two we have back doors back doors are basically plugins or themes or any type of third-party code that you bring in to your wordpress site and what that does is it opens up doors especially if the plugin was not created correctly or the theme was not created correctly or they just are not updated so we're going to talk more about that in more depth video number three we'll talk about wordpress hosting and why if you run a wordpress site it's better off to have a wordpress hosting web host and we'll go into the reasons why that is the case in video number four we'll talk about brute 
force attacks on the login page now this specific attack is generally done by robots or computers and they're very intelligent computers so they will guess and guess and guess until they can find your username and your password and of course video number five will talk about different security plugins there are different security plugins that solve different needs and we'll go into more depth in that video video number six is two-step authorization basically what that means is you are creating a way to log in and then a way to log in in the secondary way and there's many approaches to that sometimes you're using things like google authenticator or something else to basically verify that you are who you are so what you're doing is a lot of banks use this so you're bringing in what banks use into your wordpress site video number seven we'll talk about hot linking video number eight will talk about password protection so here's what you need you're going to need to have wordpress web hosting it's not necessarily mandatory but you definitely need to have a web host that supports wordpress sites and of course most do but some don't and of course last but not least you will need some money to invest better now than later there have been many companies who have not invested in wordpress security simply because it costs a little bit of money but if you see your website as an asset as a business asset especially or a non-profit asset that's very important to you you should protect it so with that said let's move on to the next video okay welcome back in this particular video we're going to talk about back doors back doors are basically any type of plug-in theme or any type of third-party code that is inserted into a wordpress site after the initial wordpress install now this is kind of going to open your eyes a little bit but wordpress plugins the more you install the more at risk you become and here's the reason why the reason why is because wordpress at its core a lot of 
times they will come out with updates and major updates over the years to come and those updates often include security patches now bear in mind that the plug-in or the theme so let's say for example that you buy a wordpress plugin or a theme and it hasn't been updated over the years what ends up happening is it creates backdoors and if the code has not been created correctly then it also creates back doors as well back doors are essentially what it sounds like you're in a house and your back door is open so somebody can simply walk in a hacker can walk in and they can hack your site they can point your site to different other sites and so forth so that's just a gist of what we're talking about here now how do you know if a wordpress plugin or a theme is good or not or is secure or not so number one do they update frequently if they update frequently that is a good sign number two have you figured that out okay so how do we go about figuring out so a lot of times what you can do is you can look at the plugin and you click on view details and any type of wordpress plugin that is uploaded to the wordpress depository will have what we call a change log so you'll go here you'll click on change log and you'll be able to see all the changes that has happened over the years now do you need to do this for every single plug-in and theme not necessarily the third thing is is the company that has built this plug-in widely known or well-respected if that is the case then probably and most likely they have a group of coders that are constantly updating their plugins or themes and or third-party code if we take a look at this particular plugin which is a kismet anti-spam plugin this is actually created by the parent company of wordpress so obviously they have released a lot of updates so we can see may 2019 january 2019 november 2018 so it's a good thing when you begin to see updates at least several times per year or at least once or twice per year over time but if you go and 
check out a wordpress plugin and you see that it has only been updated once for the past three four years that's probably a bad sign it doesn't necessarily mean that that wordpress plugin or theme has a backdoor it just means that the possibilities are there and it's also anyways good to find a coder that has constantly updated their theme anyways so what you want to do so let's say for example that we head on over to a site called codecannon.net that's codecanyon.net so if you go to the site this site basically sells wordpress plugins and wordpress themes now if we go under code and we go under wordpress and we go down here most of these are most likely to be updated frequently especially wp bakery which is a page builder plugin now as we scroll down if we just use this as an example let's just open this up and take a look at it okay so we see that there are a large amount of sales and a large amount of reviews that's a good thing but we want to do is we want to figure out have they updated the site frequently or the plugin in this case or theme so if you scroll all the way down in code canyon you will see the change log so we can see here it says july 2019 july 2019 may 2019. so that's a good sign when you see that a vendor has updated their plugin on an ongoing basis now if we scroll down we can see 2018. so most likely this vendor has been going on beyond 2018. 
so maybe even 2015 but they don't want to include too much of the change log because the old updates aren't as important as the new updates or that's something that you might not really want to know so that's that and let's say let's pick another plug-in let's go down here and let's look at one with no sales now i'm not necessarily trying to pick on a specific plugin i'm simply just showing you what to look for and that way you can do your due diligence so let's just take a look at this one maybe this one and there we go so if we scroll down there's no change log there's no sales and as we go through here there's three comments so as we can see there are problems right off the bat the demo is not working how can i trust your product and so forth so generally speaking from the perspective of reviews most of the time you will have typically one out of a hundred or even one out of a thousand people will actually leave reviews but in this case we can see that it has zero sales so that's an example of perhaps something you want to stay away from all right so i want to give you practical examples so this one here it has a change log back in 2015 so obviously right now it's 2019 you might be watching this video in 2020 regardless if that's the case i would not buy this plug-in so i wanted to show you this as an example of plugins that are updated constantly and evolving over the years versus plugins that are static that haven't changed or anything like that so that's basically what you're looking for and as you can see that's pretty simple so the same goes for themes as well so if you go under let's say this is code canon so they actually have another site called themeforest.net so let's go over there right now and wordpress so go to the wordpress and let's apply the same exercise that we applied earlier so we can see best sellers so let's just go ahead and open these up like so and scroll down let's see if they have a change log now as i am scrolling down i do not see a 
change log so if you don't see a change log you can simply go to google.com and type in change log and of course the name of the plugin and the theme so in this case we see the avada change log we go to here and let's see if that's what they have so there it is if we scroll all the way down to the bottom we can see that it has evolved beyond 2015. now if we scroll back to the top we can see that there are tons and tons and tons and tons of updates and that's a good sign that means they most likely have a team of coders that are coding this particular plugin or theme so we can see 2019 august 28th that's just two months ago or actually one month ago so that's the technique that i would use in terms of practical terms of finding a reliable theme or plugin so you can do the same thing with wordpress plugins that are inside the depository so if you go up here you click on add new and let's pick one of these and i did a search on comment moderation and we can see some of these have a good amount of reviews but then some of them don't really have a lot of reviews at all so let's just take a look at this one click on more details right here go to change log and we see that there's not really a whole lot of information now sometimes you might not find the change log on that page so you'll have to go do a little bit research to go to the plug-in homepage and get an idea based on that now not everybody re leaves reviews like i said so 29 reviews but 1000 plus active installations so you can't really look at this you have to look at the change log so i hope that makes sense we're gonna stop right there before we give you way too much information and we'll move on to the next video hello and welcome this particular video we're going to talk about web hosting for wordpress now before i talk about anything related to web hosting what i want to do right now is to give you an analogy so let's say for example that you're sick your heart's not feeling good and you have heart 
problems if you go to a general practitioner and you tell them about your heart a lot of times they may know a little bit if they're really experienced but if it's a very specific thing about your heart then most likely they are not going to know because a lot of times general family physicians a lot of them know a lot of information because they see a lot of things but they don't know in depth detail about specialized areas so that's why we have what we call specialists for example you have a cardiologist in this case so what he would do is normally do a lot of tests and over time if he can't figure out what you have then he'll send you to a cardiologist and the cardiologist you'll go to and he'll look at your heart and he'll know exactly what to look for most of the time and he'll run some tests that are related to the heart such as an echo cardiogram a treadmill test and other tests that are related to the heart now if you were to ask the cardiologist about something related to your kidneys that are related to a cardiologist they may not necessarily know so in that case they will begin to send you to a urologist makes sense so the same goes for web hosting and this is the best way to explain it now i start with knownhost.com because this is one of the sites that we have used over the years and it's great now i'm not necessarily saying that if you host on a specific web host that is not specialized in wordpress that it's not secure i'm not saying that at all what i'm saying is that most of the time if you go to a host that specializes in wordpress their team are going to be highly specialized on wordpress they are going to know everything or at least everything about wordpress so a lot of times if you run into an issue with a plug-in or something's not working on your wordpress site or you might get malware or you might get hacked they are going to know how to fix it whereas if you go to another web hosting company that is not specialized in wordpress a lot of 
times you'll ask them questions about wordpress and they may not necessarily know the answers to that and that's based on our experience not to say that any generalization or anything like that that's just based on our experience so what we have begun to do over the years is simply to move our wordpress sites over to specialized web host that specialize in wordpress so that's the reason why we recommend finding a web hosting company that specializes in wordpress so i know i'm going around saying the same thing but i really wanted to drill that into your minds mines so with that said there is a particular web hosting that we have tested called wpx hosting they're actually fairly cheap compared to that of other web hosting companies now i want to make sure that you understand if you have a wordpress site and then of course you have other scripts on that site that are not related to wordpress at all then you might want to stick with a web hosting company like this or a web hosting company that is more of a general practitioner slash family physician type kind of analogy if that makes sense now if you simply have a wordpress site you don't have any other scripts or anything like that that are outside of the wordpress folder then this is the way to go and the reason being is for speed security and support so we've tested wpx hosting very very cheap pricing so if we go here to pricing you'll get an idea of what it costs so as you can see here it's 20 per month that of course may change based on the annual plan and the 41 dollars for the annual plan and it gives you about five websites and 15 websites for this now i want to say up front that we are in no way connected to wp hosting we are simply users of this web host now another great thing is a lot of times you will have to connect your wordpress site to some sort of cdn or content delivery network such as cloudflare but with wpx hosting they actually have their own version of cloudflare built in so instead of having to 
pay for web hosting plus cloudflare and all of that the above as you know cloudflare cost about this amount per site sometimes or per several sites so this is why this is a no-brainer so as you can see you got this now the nice thing about wp x hosting is that it also offers backups it offers daily backups now most of course web hosting companies they offer backups but a lot of times only do once a month or once a week what's nice about wpx hosting is that it will actually allow you to backup every single day so if you let's say for example let's pick out a calendar month let's say december and you decide that you want to let's say it's december 31st and you want to move and revert back to december 12th because you remember that's around the time that you installed a plug-in and maybe the site screwed up or anything like that so you can simply click a button and it'll revert back to that state for that day and that's nice because to be honest we haven't really seen that with a lot of other web hosting companies in addition to that their support is phenomenal if you have any question related to wordpress they will actually help you and if they don't know they'll research it as well but most of the time we found that they are very experienced they know a lot about wordpress so think about this as the cardiologist or the specialist so this is why we recommend wpx there are other hosting that specialize in wordpress such as wpengine.com this is a phenomenal web hosting company they are well known they are huge and they run a lot of wordpress sites now one thing that i forgot to mention was that wordpress sites a lot of times they will use a lot of server cpu or resources so that's why a lot of these companies they have servers and virtual private servers or they just have an environment that was made for wordpress whereas the other web hosting companies it's just a general thing so you might have to upgrade your plan to a higher plan in order to match that of a lot of 
these wp engine or wpx hosting now in addition to that a lot of these sites will actually offer free malware cleanup so if you were to get hacked you have malware somebody is using your site to redirect to another site or they've maybe defaced your site wpx will go in there and they will fix it for free that of course included in your plan we'll talk about other services that you can use to connect to your web hosting company let's say that you have a web host that you really love and you don't want to go this route we will show you other ways to go about getting your malware cleaned up but bear in mind that those cost additional costs such as anywhere from ninety nine dollars to about two hundred dollars per year so i wanted to give you different options to go different routes and this is it so with that said let's move on to the next video hello and welcome back in this particular video we're going to talk about how to hide your wp-admin login page now why would you want to do this well if you think about why people hack or how people hack a lot of times they're using bots to go to your wp dash admin login page so here's what i mean by that if you go to www.yourdomain.com slash wp-admin that's the page that we are talking about so you have to go to that specific url to log in to your wordpress administrator dashboard so if you have automated bots that are going to that particular page and then of course they are trying to guess what your password might be then that's a problem right and not only that they may not guess it but the fact that they're hammering your website over and over and over again that's not a good thing so it could be using your bandwidth and they could potentially do what we call a ddos attack and take down your website if they really wanted to now because most of these systems are bots and they're not really a live human being a good way to get around this is to change the wp-admin so instead of having wp-admin you could have anything that 
you want so we don't recommend that you use your name your website name or anything like that because that those are common usernames that these bots will try to hack so in essence what we can do let's say let's say we have a blog about scuba diving so we can say something like scoop diving something like that that's it it's as simple as that so now what we need to do is get a plugin that does that there are many different plugins that can do this but in one particular wps hide login it's free you don't have to invest any money you can do it with this this is a really good plug-in to use so as you can see if we click to click on screenshots and scroll down looks like this is in a different language but in essence all you have to do is simply click on the settings and then enter what you want it to be so in this case it's login but we don't want that you want to enter whatever is right here so if we go back to our wordpress administrator dashboard right here it's wps hide login so type in wps hide login and that's it so go ahead and activate that install it choose your folder and that's all you have to do so now the bots will not know where your login page is and you don't have to worry about it going to your wp admin and it's as simple as that hello and welcome back in this particular video we're going to talk about different wordpress security plugins and i really want to emphasize the differences between each one of these because a lot of them they tackle different things because we have malware there's a firewall to protect against attacks and there are other plugins as well to protect against other things so without further ado let's jump right in so if you go to the add plugins page and you type in security you will find these plugins wordfence is actually one of the most popular ones they specialize in firewall malware scan and what i really like about word friends is that a lot of times they will update you about specific plugins that have been hacked or 
that have back doors all right so that's important because you want to stay on top of that you might not even know but these sites are that's all they do they focus purely on wordpress security so they're constantly figuring out different malware different loopholes and different backdoors another one is all-in-one wordpress security and firewall it's kind of similar to word fence then we have another one called i theme security that's actually pretty good as well and a lot of these things actually do the same thing but then specialize in different areas maybe they do a lot of the same things but they specialize in something like xss which basically just means that somebody can hack you because you're utilizing a specific feature in your wordpress site so without actually going into all that just get yourself a wordpress security plug-in now there is another plug-in called security that's s u c u r i so s u c u r i this is free you can go ahead and click active and install an active this is basically a malware scanner now the reason why security is very reputable is that's all they do all they do like workfence day and night is to find malware and secure it now the difference between word fence and securian and word fence might change over the years is that security specializes in cleaning wordpress sites that have been hacked or that have malware so this is what i was talking about earlier where you have additional services that you can pay anywhere from a hundred dollars to two hundred dollars to get them to protect your site so this is security this is the plug-in here and on the review page i'm not going to go there now but it'll tell you all the details about your site any malware all the checks that is made and all that now bear in mind you do not necessarily have to have security the the paid version in order to use the free version now if you get an alert you get hacked or anything like that then that's where you will need security now if you go to the 
pricing you'll get an idea of the costs as you can see here that the bare bone minimum is about 200 a year and of course the 300 a year is the most popular the the main differences between these are the scan frequency so how many times you want to scan more frequently for malware and hacks and all that so if you were to get somebody to hack your site then the system would not know until 12 hours later or the system would not know until six hours later so it also includes firewall which is great and there you go so security is a very wonderful service that's something that we have used and tested out as well but i also want to say wpx hosting includes the malware cleanup and if you get hacked they will clean your site so that's just something that you'll need to test out but security definitely specializes in malware so it's kind of like going to norton virus antivirus and them having a service that cleans up your computer so that's essentially what this is so now you know the differences between the two you got firewall you have security and you have all that i highly recommend that you go ahead and install one of these right away hello and welcome back in this video we're going to talk about the two-step factor authentication so what does that mean basically this is kind of what a lot of banks use but what it does is it will either send you a text message or it will give you a code that you'll need to enter into the login page so a lot of times the reason why it's called two factor is because you'll have to log in number one but once you've logged in you'll have to use some sort of app so this way you really protect yourself from actually getting a brute force attack a brute force attack is basically somebody trying to log in to your wordpress site but in order to do that they have to guess hundreds of times or even thousands of times what your password might be now we're going to talk more about password and things to avoid in the future videos when we talk about 
password protection but for now this is basically what we recommend there are two different plugins that we recommend using number one is sec sign s e c sign so you can find this under the plugins section by typing in sec sign the way this works and the way that this is a little bit different is that it allows you to use your phone to in your fingerprint to actually log in so you don't have to remember your password or anything like that you simply use this to log in so that's one and it's all very very easy to use i'm not going to show you how to use it because they are really really easy to use so this is going to be a fairly quick video so definitely recommend that so if you go over here and you type in sec sign this is what it is now the second app that we highly recommend that is actually by google now the app wasn't made by google but it utilizes google's authenticator now let me explain how this works so let's say for example that you log in you enter your username and password and then you're presented with this now you're not going to see this this is actually on your mobile phone and i want to say i just grabbed an image from the google play store so this is not really mine but this is what it looks like so you're going to have a mobile app and then on your computer you're going to see the login page so what it's going to ask is it's going to ask you to enter a code now the reason why this is really good is you see this little circle here it looks like a pie chart but it's actually a circle this is a timer it's a 30 second timer that once gone this number changes so basically every 30 seconds the number changes and you get a unique code so you need to make sure that you can wait till the zero it changes and then immediately enter that number into your wordpress login page and you'll get in the reason why this works really well is because unless somebody really is there they have your phone and all that they can't log in now there are other ways that 
somebody can hack your site they can do it via other ways but that's why we highly recommend that you follow this step by step and you install a wordpress security and firewall plugin and to install that plugin you simply go to your plugins page type in google authenticator click install now and that's it now you do need to connect things but everything is fairly self-explanatory and that's it hello and welcome to this video on hot linking so let me explain to you why you want to hot link your files this includes any type of file on your website could be audio files could be video files could be images what this does is it basically says and tells the system that the only way that let's say a video or an audio can load on your website is if it is actually coming from your website so in other words what that means is when somebody clicks on the video the system will detect that that click is coming from your website or let's say you have another website and you want to allow people from that website or that website itself to access your images your videos and load it so that is what hot link protection is hot linking is the opposite of protection obviously but that basically means that somebody else who has not gotten your permission has placed your images your videos on their website now if you have hotlink protection enabled they will not be able to load your images or your videos unless of course they download it and upload it to their web hosting company but for the most part most people are lazy that do that so they'll simply try to link to that particular link but if you have hot link production on then you'll will be able to protect yourself now if you think about it and you might think well that's not a big deal the reason why it's a big deal is because if somebody else has a site that has a lot of traffic or maybe you have videos and the videos add up to about a gig so if they send let's say they link to your your zip files or your audio files and your 
video files, they are using your bandwidth. So as you know, if you're utilizing a web hosting company, you pay for bandwidth. So you might only, let's say for example, get about a hundred gigabytes of bandwidth. If somebody else is using that, they're basically taking from you and stealing from you, and you're having to pay for it. So that's basically what hotlinking is, and this is the protection.

Now this method only works if you have cPanel. If your web hosting company does not use cPanel, they may have some sort of hotlinking protection; you'll need to contact them and contact the support. But for the majority of you who are utilizing the cPanel web hosting panel, this is going to work for you. So all you need to do is simply log in and look for the Hotlink Protection link here. Go ahead and click on that, and here we are.

So now what you need to do is simply go down to this box. It says "URLs to allow access", so you can enter your domain. So you're going to want to enter www.yourdomain.com, so obviously whatever your domain is. You're also going to want to enter http colon slash slash, and then we're going to copy this over: yourdomain.com, so just in case somebody links the http version or without the http version. Now if you use https, you might want to do that.

Now what other URLs would you want to allow access to? So maybe you have a sister site, so yoursistersite.com, and you want to allow your sister site to access the images, the videos, the audios and all the above, or the zip files. You can do that. So basically this is kind of the whitelist or the safe list that has access to your files.

Now if you scroll down, it's going to say "Block direct access to the following extensions". So even though you have this, you're still going to need to enter the extensions. So for example, if you upload mp3 files, you'll need to include that there. If you have zip files, include that there. If you have mp4 video files, you'll need to include that there. So whatever extensions that you want to protect, you need to enter that here. The way you find that out is simply by going to your Mac or your PC and it'll tell you the extension, and you simply enter that here. And that's it, all you have to do is that. And once you're done, you just click Enable, and that's it, and you're good to go.

Hello and welcome back. Let's talk about password protection. There are two ways to look at this. Number one, you'll need a strong password and a username that is not admin. Okay, so let me give you an example, and we'll talk about other ways to protect your password.

Okay, so most people, when they create their WordPress website and they create the username and their password, they use admin for the username. That's a no-no, because a lot of brute force bots will use admin as the username. You might be thinking, well, they don't necessarily know my password, why does it make a difference? The difference is because once they know your username, they have one less thing to figure out. But if they don't know your username, they can't figure out your username, they can't figure out your password, then that's a problem. So we don't recommend admin.

In addition to that, if your domain is, let's say for example, yourdomain.com, you don't want your username to be your domain, so without the www dot and then without the dot com. In other words, your domain, you don't want that as your username, because we have seen bots evolve and begin to get smart, and they know that you're not going to use admin, so you're probably going to use your domain. You're probably going to also use your name, so they're going to try to gather tons of data about you and use that as your username. So the next thing would be your name: your first name they'll try, the last name they'll try, and they'll try your first name and last name together. And of course it's gonna evolve. So your username, you want to figure out, may not necessarily relate to you but maybe something random.

And then of course your password, you're gonna want it to be very, very strong. By that I mean you don't want it to be your birth date, you don't want it to be your dog's name, you don't want it to be something that is relatable to you. You want it to be something very complex. So let me give you an example of this. Typically with a very strong password you want to use numbers, you want to use capital letters. So you could do something like this: put a bunch of numbers, and then lowercase numbers, and then you're going to want to put some characters. So characters, we're going to put shift; these are the characters. So those are characters. So the bot is going to try for the password different things, different numbers, different variations, different combinations. So you want to make sure that it's very complex.

Now bear in mind, you're not going to remember this very strong password. So what do you do? You write it down on a piece of paper, or can you use maybe a password manager? Password managers are actually what we're going to talk about next. There are two that we actually recommend. The first one is LastPass, so lastpass.com. For personal use it's actually free, and you don't have to pay anything, but you can also upgrade to the premium. The reason why LastPass is very secure is, in order to get access to your account, you have to log in with your master password. Now if you're utilizing the Chrome extension, the mobile app or anything, you have to have that master password. Now what's interesting is you cannot retrieve that master password from the site, so if you ever were to forget what that master password is, then you may as well say goodbye to all of your logins. So what I recommend that you do, because this has actually happened before, is to put LastPass on your mobile phone, all of your computers, your laptop, your computers, everything, and that way you keep it backed up. Because if you were to ever forget the master password on your computer, for example, you can still log into it via your smartphone or your other computer. So that's the big difference with LastPass and other password managers.

Now LastPass is very secure, especially when you buy the premium version; it is extremely secure. Now what's nice about LastPass is it will analyze your passwords and it'll actually tell you if your passwords are weak, and it will tell you a lot of things. So you can actually store a lot of private information, such as bank cards, bank accounts, driver's license, passwords, passports and more, so it's not just passwords alone.

Now when it comes to passwords, there's another service called RoboForm. RoboForm does cost money; however, based on our experience, RoboForm has been very, very well. Just like LastPass, you can install this on all of your computers, on all of your smartphones, and it's very, very easy to use. Now you might be asking, well, what's the difference between RoboForm and LastPass? To be frank and honest, both of them are very, very similar, except, like I said, LastPass focuses on other things, other private information. So I recommend just go ahead and pick one of these, LastPass or RoboForm; either one is good, because we've actually tested them out. And that's it.
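The allow-list of URLs and the blocked-extension list described in the hotlink section correspond to Apache mod_rewrite rules in the site's .htaccess. The block below is an added example written for this page, not cPanel's own generated output (whose exact form may differ); yourdomain.com, yoursistersite.com and the extensions are placeholders taken from the walkthrough.

```apache
# Added example: hotlink protection expressed as Apache mod_rewrite rules.
# Placeholders: yourdomain.com, yoursistersite.com, and the extension list.
RewriteEngine On

# Let requests with no Referer header through (direct visits, most crawlers).
# Caveat: a Referer is client-supplied and trivial to omit or forge, so this
# is a bandwidth control, not access control. Remove this line if you also
# want referer-less requests for the listed files to be refused.
RewriteCond %{HTTP_REFERER} !^$

# Allow-list: http and https, with or without www, for the site and a sister site.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursistersite\.com(/|$) [NC]

# Every other referer gets 403 Forbidden for the protected extensions only;
# pages, CSS and scripts are unaffected.
RewriteRule \.(mp3|mp4|zip)$ - [F,NC]
```

To verify after enabling, request one of the protected files with curl using an off-list Referer header (expect 403) and again with a Referer from the allow-list (expect 200); a wrong regex typically shows up as either everything blocked or nothing blocked.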
Info
Channel: IM and SEO Tools
Views: 1,704
Keywords: how to secure wordpress website, wordpress security, how to secure a wordpress website, wordpress security tutorial, secure wordpress website, protect your website from hackers, how to protect wordpress website, wordpress security without plugins, wordpress security best practices, wordfence tutorial, wordpress security checklist, wordpress security course, how to secure wordpress, wordpress website security, how to secure a wordpress site, wordpress security plugins, wordpress
Id: eiFQq0YES8g
Length: 52min 2sec (3122 seconds)
Published: Thu Jul 08 2021