A Complete Site-Owner's Guide to Securing Your WordPress Site | David Hayes | Skillshare

A Complete Site-Owner's Guide to Securing Your WordPress Site

David Hayes, WordPress & PHP & more

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
14 Lessons (50m)
    • 1. Understanding WordPress Security

      2:23
    • 2. Why Your WordPress Site Needs to Be Secured

      7:20
    • 3. Setting Your WordPress Password

      3:10
    • 4. Password Managers in Brief

      2:17
    • 5. User Roles and Capabilities in WordPress

      3:53
    • 6. Backups -- How to Make Them, and Why

      2:56
    • 7. Trust Signals for Plugins

      4:32
    • 8. WordPress Updates -- What to Do and Why They Matter

      2:34
    • 9. Why/How to Visit Your WordPress Site

      1:50
    • 10. Security Plugins Overview

      4:28
    • 11. iThemes Security Quick Summary

      3:00
    • 12. SSL Part I: What and Why

      4:30
    • 13. SSL Part II: Setup for SSL

      4:39
    • 14. Final Step

      2:39

About This Class

A lot of advice about WordPress security is based on too-little evidence and over-complicates what can be a pretty cut-and-dry topic. In this course we cut through the clutter and get you all the details you need about WordPress security.

We’ll cover topics like:

  • What the actual threats to most WordPress sites are
  • Creating secure user accounts
  • Why you need backups, and how to do them
  • How you can know what plugins to trust
  • How to run WordPress updates
  • And what, if anything, a “WordPress security plugin” can do for you

Your class project will be a secured WordPress site. As such, as a prerequisite we’ll expect that you have a WordPress site that you would like to make more secure. This class is geared toward people with some understanding of the use of WordPress, install plugins and themes, create content, etc. There’s no expectation that you’ve written code before, or that you’re really technical enough to know JavaScript from HTML.

Transcripts

1. Understanding WordPress Security: Hello. My name is David and welcome Thistle. Course all about securing a WordPress site. We're going to cover the most common and easily avoidable problems that cause people to get their site hacked and will also cover what that hacked thing actually means in practice. Who am I? My name is David. As I mentioned full name David Hayes. You can find me on Twitter, etcetera, as David B. Hayes, because David Hayes is a pretty common name. Um, at least in America, who I am. I run a WordPress site that is all about creating better WordPress developers. This isn't a course about WordPress development, though. I have created course all about secure WordPress development, but that's called WordPress security of confidence. And it covers way more than this course can or should, given that we're aiming for. I've used WordPress for 10 years, and I've developed professionally it in e commerce and membership and so on sites for more than five. I've never had a site taken over or hacked, as we mentioned earlier on, and that's because of the things I'm gonna teach you in this course. For this course, you will need a WordPress site you're hoping to secure our project will be securing an existing WordPress site. There. Tons, of course. About to set one up eso we're just going to talk about now that you've got one, how do you make it even more secure? And that's really the reason. Take this course. Every WordPress site is at risk online, not saying that to scare you just to be clear about the actual reality of the situation. And as such, we're gonna cover why that is, and then we're gonna cover how you could mitigate that risk. We're gonna talk about things like user security with passwords and making sure that users have the access that they need and no more. We're also gonna talk about backups and how to get them. Why they're so important. We're gonna talk. How to know what wordpress plug ins. You actually want to use their so many out there, but it's hard to know what to trust. People worry a lot about the security there plug in, so we'll cover that in some detail. We'll also talk about why it's so important to update plug ins and everything else more impressed and finally will touch on briefly both security plug ins, which are big category and WordPress and the kind of complicated topic of how to get that green lock icon https set up on a WordPress site for those last two things. We can't go into exhaustive detail, but we should give you a very good grounding for how to think about those things and what it would look like to do that. So with that, we're ready to get started. I'm looking forward to it. 2. Why Your WordPress Site Needs to Be Secured: in this module. We're gonna cover why your WordPress site is at risk, even if you'd rather think that it's not. And the reason I say this is I hear a lot of people when it comes to security, excusing themselves from it, thinking about it because they're like, Well, my site is just a hobby. Or while I just get for peace for visitors a month, whatever it is, there are so many reasons that people try to escape responsibility for keeping their site secure. But they just aren't viable. They are reasonable. They aren't accurate because there's so many different reasons that a site gets compromised and very few of them have to do with how many hits you get or how important your site is toe to your toe. Other people they just aren't are beside the point. So there's so many reasons that people on take over your WordPress site any computer, really. But this is specific toward press site. One of them is it because of WordPress site is public, it's on the Internet. People will try to do what's called drive by downloads where basically they're just trying to shove mount where viruses bad stuff, worms, lots of different terms people will use. They're just trying to shove bad stuff, it people. And they want any site on the Internet that can shove bad stuff that people in a WordPress idol do. They might also be trying to do what's called a ransomware attack, where they take over your site, and they're like, Well, give us 0.4 Bitcoins and will give it back Whatever it is, that is a very common attack, especially on personal computers. But it's also something that can in might, well happen to you on a WordPress site. Some people just want to take over WordPress site to show off that they can, that they were able to get a leg up on someone and take over. That's really all there, after so any site will do, they might want to actually use your server. Resource is to mine crypto coins like Bitcoin or Ethereum there many crypto coins there, obviously far beyond our topic. But essentially mine crypto coins on any computing hardware and a server that's running a WordPress site is computing hardware, so they're happy to take it over to use it. For that, it's not a super common attack but does happen. They might want to borrow your search in ranking. So this is where it matters a little bit your prestige. But if you're say is well known to Google, it's very nice for a hacker to be ableto borrow that by sliding a few innocuous lengthen to your text, for example, it's not a super common tech could totally happen, making political statements. This is definitely I think I have seen where this free Syrian Army air, some Russian hackers or whatever wants to just take over some sites and say, Hey, person, we were here and we matter politically. You should pay attention, tow us. That's kind of like showing your skills, but at a different level for a different reason. They might just want to hold your site for future use, and this is underrated. But you know, backdoor ing sites where you have access to them but you aren't currently exploiting them is very common and one of the more common and pernicious ways that a site gets taken over. They might just want to serve ads in your account. You know, if you've got a site with high traffic. It's worth it to just, like take it over for the sake of getting, you know, a few $1000 out of an ad provider, They might want to send spam with your account. Most WordPress sites have email hooked up in a way that WordPress consent email, and as such, if they couldn't get other emails to go out from that box, it's useful to them. Uh, the last one is the one I held for last that they want to use your server as part of a botnet. And the reason I want to talk about this is botnets are important from both directions. Well, what is a botnet in general? But in it is just a network of computers that someone you know, one team or single bad actor controls eso, you know, personal computers, Windows, computers that have been taken over. It can be parts of botnets. So can actually, you know, bought commercial computers that someone just gets from Amazon or Google or whoever. But so can WordPress websites. And generally you just want to think of a botnet as a network of computers that can be used by a bad person to do bad things. And so adding your WordPress site to a botnet is really helpful. But the other side of the botnet that's really important when we think about WordPress security is that the most common way that WordPress sites are attacked is that these botnets that exist that may or may not include other WordPress sites are turned on WordPress sites in order to get into their accounts or, you know, use whatever method of compromise they want to try to take over it. Most WordPress take over their complete by botnets, not humans. It can happen that use fire, Steve or Susie or whoever, and they're really angry at you, and they decide to, like, use, you know their existing account or, you know, their skills of hacking to get back at you personally one on one by guessing that you know your password is your address. That happens. It's not like it could never or does not happen. But on the scale of WordPress, sites weaken round it nearly 20 It's almost guaranteed. That's what's happening, instead, is just so many swirling computers are sent on so many WordPress sites, and eventually years gets caught in the middle and compromised. They're really two very, very common methods of takeover for WordPress site where a botnet is, you know, set against a WordPress site in this WordPress site is compromised because of one of the many attacks that the botnet tries. The most common thing, I would say three easiest for someone to do against most WordPress sites is that you just have out of date software with known exploits. You're either running an old version of WordPress or an old version of a plug in gravity forms had a big exploit revolution. Slider had a big exploit. Tim Thumb is pretty pot famous in the WordPress community for being out of date, but they're just like hundreds of these plug ins that have had at various times a way that someone could do bad things on your site through an old version of them. Because software's made by humans, it contains errors sometimes, and those are sometimes security errors. So that is a very common way, just out of date stuff that things get out of date. Once update has been made, then it becomes possible for someone to back solve how they can exploit the update so it's really important that you keep your software up to date. The other thing that happens very regularly is that people aren't thinking and they make their password, password or some other very weak, very obviously bad way of securing a single account. And if that account also has administrator rights on the WordPress site, which, let's be honest, most accounts on most WordPress sites have administrator rights. That combination of a high access account in a low protection safeguarding that account just is ripe for trouble. So it's very common that bad account security practices let people do bad things on a WordPress site. Those are by far the two most come. There are other ways that a site gets taken over by a botnet or by an individual actor, but these are by far the most common. And I've told you all of this because I think now that you know your risks in security, we often talk about threat models. Now that we know are threat model, we know what we can do to fix it. We know that we don't need to worry so much about Susie, but instead need to worry about this. The sick botnet that Susie's built up over time. Uh, now that we understand that, that is really the thing we need to protect against most of all, we can be more thoughtful and clear about why we're going to take the steps we dio. So with that, we can get into the steps, see in the next one. 3. Setting Your WordPress Password: Okay, So you've just logged in your WordPress site. How do I change? My password is the first question we're going quickly deal with so in the left side. But I want to go from down to users, and then I'm gonna click on your profile, and in there at the bottom, I will find this account management. New Password box. What's really cool about WordPress today is that it no longer gives you just a blank field . It actually makes you generate a password that it regards as strong, and it regards it a strong because it's highly random and has a large character space that is, say it has symbols and capital letters and lower case letters and numbers all inside of it . And given that that's a pretty good password, the hard thing about a password like this for most people is remembering it. We'll talk in the next video about why you probably want to password manager. If you aren't able to just say yes, I'm going to use this password that word presidents generated. That it says is strong. You need to think about how to make a password. Password is a terrible password and some people like to do these character substitution for It'll just be like, Well, I could make that that and that that. But you've barely increased the security of that at all. Even if you did a to truly random number in here where press correctly tells you this is still weak. So your goal is to make this box say that your password is strong. The two most common recommendations that I think are actually pretty solid are if you just type in a literal sentence. This is a literal sentence. That's a pretty strong password in general. Just because it ends up being pretty long. You know, humans have, ah, pretty easy time remembering sentences. And if you're putting spaces, that's a special character. So even all lower case, no punctuation, which there's no reason to exclude it in a password field like WordPress is you still get a pretty good password. The other way is ones like the WordPress does, but they're harder to remember. There is also the way, the option of figuring out a way that you can remember a sentence but encoded into multiple types of symbols so some people will be say things like there were nine horses and they remember that there is a word they always spell out were gets abbreviated, as are capitalized. Four horses for is just the numeral horses becomes, uh, capitalized word. If you come up with an algorithm like this, it's pretty easy for you to remember sentences which were pretty good at as humans, and turn it into something that's a little more high security than that. But in general, you just wanna have a good password on your WordPress site. People will recommend that you don't have an account label admin, but I think a better password is so much more important than whether or not you have an account. That about Net is going to guess like admin. So definitely, definitely, definitely have a good password on your WordPress site. Password is just not acceptable. In neither is beer or whiskey or Denver Broncos or Chicago Bulls or whatever your favorite sports team is like. You need to have a good password, and we'll talk about why password managers help with that. But come up with a sentence and use it on your WordPress site. And don't use it anywhere else, and you'll be way ahead of the game. So once you've set that password, you can click update profile and will change that password for you. And just make sure you remember it. Put it in your past, Commander. Put it in your head and you'll be all set. That is just a huge win that is very easy to get. 4. Password Managers in Brief: so I'm using. Ah, password manager called one password on and it's got a browser extension lets me quickly log onto a site like my WordPress site right here on the left. And what's really impressive and great about that is that I didn't have to know what that password was. So the password for this site that I'm using as an example here, I'll show you real quick, so I'll change it. But there's no way in my head. I remember this password among the thousands of other passwords that I have in my life. But because I know that one password that I use for one password, I can have a unique password very similar to this on basically every site I use. So that's the big power of a pass. Remainder, one password is just one of them. Last pass key pass, etcetera. They're just dash Ling comes to mind really quickly. There are lots and lots of password managers and because of the risk of a compromise to say Facebook or, you know, some site you had to put a credential and you stack overflow are stock photos or whatever any of those things, a compromise of one of those sites where they were storing passwords poorly, which, unfortunately does happen, can compromise your WordPress password because you might use the same password there and want to tonalist. It's bad news, so having a really unique password on every site is great in the easiest way to do that is to not have to remember them by using a password manager, so you don't have to use this one, and you don't absolutely need to use them. But I think it's so beneficial to know that every WordPress site that you have a few if like you've had a lot of can have its own unique password. And so no compromise of any of them is going to compromise the other ones on the password level. It's one of the easiest things you can do to make your site more secure, so I definitely encourage you to to do it or at least think hard about why you should. They typically have, ah, some cost per year for, like, sinking features in that kind of stuff, but they're typically pretty reasonable when you consider the cost of, you know, a common tool uses a professional like WordPress. You know, they're just so cheap relatively that it's it's such a obvious good choice. So I really, really recommend you get a password manager, and that's the logic. 5. User Roles and Capabilities in WordPress: want to talk about how you should give your friend Susan. Let's call her access to your site. So, you know, Susan wants to write an article for you about the same topic as your site or she wants to help you with some technical stuff or she just wants to. You wanted to proof, read all the content on your site because she does, like, s E O R. You know, just proof reading, whatever this. So there are a couple different ways people would think about giving Susan access One is that they haven't account, and they just give Susan access to the account for security reasons. I think that is the worst possible situation. So there's this idea called the principle of least privilege and the principle of least privilege, a k a principle of least access is another thing I often call our principal police authority is the idea that you want to give people only as much information as they need. So, for example, famously here in the United States, there exists this thing called Area 51 which is some kind of military site that maybe has to do with extraterrestrials. We don't know And the point is, we don't need to know That's the whole founding principle of it. And that kind of security thinking is why you know only the president in certain other people who have the need to know on that or anything else get to see it. That's why classifications happen inside intelligence agencies. WordPress deals with the same sort of thing. You what it calls user roles and capabilities. So if I go to my add new user screen, I see at the bottom of this drop down it is important that you pick good user names that you give. You know Susan a good password. But these roles air really the important thing that I want to cover here. So on WordPress dot or guy can see this roles and capabilities. You're all I'm just a Codex that wordpress dot or access rules and capabilities. It's got this really, really useful table. We can pretty safely ignore the super admin account because that only exists for, like WordPress multi site, which is a thing you don't probably have her need to worry about. What is really important is that you can see that administrator role, which is what my current user is and what most people will have when they set up a WordPress site has the ability to activate delete plug ins and themes that can important export the site. It can remove users. It could do a ton of stuff. Well, so Susan, probably unless she is like, you know, a developer you're hiring. Susan probably doesn't need all of that access. She probably just needs to maybe manager comments. That's a common thing on a really popular site. Someone just needs to go in there and manually approve comments on a regular basis. So if Susan just needs to moderate comments, an editor role is sufficient for her because she doesn't need the ability to update your themes and plug ins but does need the ability to moderate comments. So in that drop down, you're just gonna pick editor if that is the role that Susan will need for you. You know, in the as we go down, we're getting more and more constricted. So an author basically has the ability to completely create a post, including putting new images and all of that stuff on there. So author is great if you need to give someone access to create a post ah contributor can edit and delete posts. But there is this weird hiccup in WordPress for editor. A contributor cannot upload images, and so and then a subscriber is what you need with someone just needs to be able to log in to your WordPress site but has needs to have no other access. Membership plug ins and WordPress almost always create subscriber accounts for people because none of the common WordPress roles they need. They just in that account and then the membership plug in ads on other features there when you need to collaborate with someone to give them the correct role WordPress user role for them. So that that way you know when you don't need them to have access anymore, you can just remove them that way. You know that they can Onley do the things you want them doing. It's really a pretty simple principle, but it's super super impactful with respect to security, because if Susan changes her password to be a bad one, you should definitely give her a good one. To start. You want to limit the amount of damage that someone who has access to Susan's account could do, and you do that by creating the correct role for them 6. Backups -- How to Make Them, and Why: so backups are super important, and the reason they're so important is because from a security perspective, if you've been compromised, you have a need for what I would maybe called time Security and a backup provides time security because you have a backup from day or a week ago. You have some time security. And this is one part of the reason that you want what people call rolling backups, where you keep multiple versions over Tunney. Time Machine famously does this on a Mac operating system. There are lots of other programs that do it on different environments, and Web hosts actually typically provide one. So I believe that site ground. Who is who I have most of my sites hosted with. They do. I believe they store one per week for 30 days, and they store one per day per for a week. And so this is really good, because it gives you the benefit of if something would about a week ago, you still have a backup, but it may not be as good as specifically that one, so people basically can rely on their host having one of these. But I believe very strongly in the idea that if you back it up one place, you have a copy of it. If you back it up to places, you, you do actually have a real backup. And so this is sort of the paranoid person in me. But I've had the experience of bad backups when I got went to restore, and it was only because I had that second backup available that it saved me. So definitely, that's the logic of it. I personally am running a plug in on this site called Backup Buddy, which I think is a pretty good paid backup service for WordPress. Other ones that come to mind immediately or volt press slash wordpress dot com Jetpack. Those are all that's three kind of brands that mean the same thing under the hood. There's also blogged Vault, which I've heard a lot of good things about recently. But if you aren't looking to pay, there are a fair number of backup plug ins in the WordPress free plug and repository that work up golf. Plus is when I have a lot of experience within have had on Lee good good experiences with where basically, you can set it up toe to shove your data to Dropbox or Google Driver Amazon as three or anything like that. And then you have it creating your rolling back up file stories that you're probably already paying for. If you pay for Dropbox or Google Drive, you have plenty of space. Their relative. The WordPress site, which is typically a big WordPress site in my experience, is about five gigs, and it only gets that big if you put a lot of media in it or it's quite old. There are tons of other options, so and I honestly have no experience with any of them. But I really recommend that, First of all, you want to make sure that you are hosting does provide a backup, and secondly, you want to run a backup plug in. The other advantage of back of plug ins is some of them make it pretty easy to migrate sites around. If you do WordPress development training of those kinds of things. Not that I'm necessarily expecting that you do. I just think backups are super important, regardless of whether or not you have a secondary use for them Beyond, I can restore it when my site goes down. That's it 7. Trust Signals for Plugins: So where we left off in our backup discussion is looking at plug ins. And so a common question is, how do I know that a plug in is secure? And unfortunately, there isn't a way that a nontechnical person can easily judge a WordPress plug in security . The code can be judged by qualified experts. But if you were not familiar with PHP, for example, it's very hard for you to judge whether or not a plug into secure. So the best proxy that we have for how secure a plug in is is honestly its reputation in general, in the ecosystem on. And it's not a perfect signal. It is definitely the case that very popular plug ins. I mentioned gravity forms in revolution cider and a couple other ones that have had issues in the past where those had issues but one of the better proxies you can have for assessing the WordPress, the security of a WordPress plugging where you can't read the code to judge it because you don't understand code well enough is really this reputation. And so four Free WordPress plug considers distributed in the WordPress plug and repository . They give you a ton of useful information right here in this little box at the bottom. So this is all stuff that the plug and author creates where they say what they're plugging isn't what it does. And that's not super high quality with respect to assessing whether or not it's secure or what its reputation is. But this box is so this star rating is just like every other star rating you've seen on Yelp, Burr, Foursquare or whatever rating system in the world. I judge Amy Star rating system as much by the quantity of respondents as I do the quality of them. So you'll notice X Kloner down here in the bottom right of my screen has four stars in 85 reviews. Where's Updraft? Plus has five stars in more than 2000 reviews, So I take that as a good quality signal that a lot of people have reviewed it and they thought highly of it. That is like two good things combined in this little box. The next one is actual active installation, so every WordPress site effectively phones home to the WordPress plug and repository to ask about updates, which we'll get to in a second in. When doing that, WordPress collects how many people actively are running the plug in so you can have a plug in as your pride family. You can have a plug in installed in WordPress but not active. So this is counting the actual active installations and plug in. So if people are continuing to run it, it's probably a good sign that it is good and has a good reputation. Updated is the one that's most relevant to security because updating is one of the better proxies you have for how much a plug in is actively developed in that they're thinking about its security on an ongoing basis. If they're updating regularly, it's probably the case that if they got a report of a security issue, they would quickly patch it. So it's kind of a weak signal because there are, I know of on recommend a five plugging that hasn't been updated in five years. Where I've looked at the code, I thought it was very good, and it has all the features I need it toe have as someone who can't go look at the code in assess its quality. I think you do have to kind of trade on proxies like Is this version updated recently? And does it say that it itself is compatible with version of WordPress is a self reported, so you may have issues of incompatibility, even if you, ah, see this chap mark here, But in general it's pretty good. So those air kind of the primary signals that you get to use the other thing is just like our people recommending it to you either online or in person. You know, if you go to a WordPress, meet up where if you go to a conference, do people talk about a plug in? If they do, it's a good again reputation signal, which is our best proxy as non code writers for how good a plug in is. Some plug ins aren't even in the WordPress repository. Gravity forums, as I've mentioned a couple times, is a form plug in that people love that has a good reputation but is not actually in here. So you don't get thes specific trust signals available to you with a plug in like that. But if you've heard people tell you that gravity forms great, probably it is, and so you can kind of rely on that as well. Again, reputation is the best proxy we have when we can't assess code quality. So it's what you trade on and what lets you have some confidence that this plug in is probably pretty good and probably going to be secure if it's updated recently. If it has good marks, chances are good that it would be maintained in a way that when someone says like, Oh, wow, I found this weird problem where I can actually see all the credentials like they will fix it in time. 8. WordPress Updates -- What to Do and Why They Matter: So we talked about plug ins and how to know that they're good. The next thing I want to talk about is why you need to update your plug ins and also WordPress itself and more so I currently have in this installation and update version of WordPress, and it's really important to keep WordPress up to date. You'll notice that I'm on 4.9 point four and 4.9 point four is a continuation of the 4.9 release Siris of WordPress. And I think that four was a security release. And if it wasn't three year two or one WAAS, I feel confident about saying that at least one of them was, and you need to get each of these because small errors were made in the process of writing code. And it's really important that you update in general because people need time inability to fix those errors. And WordPress has in the last few years made it so much easier to update these things that I really just cannot recommend enough coming to this screen dashboard updates in your sidebar and updating WordPress When you get a new version available, it is the case of host like site ground have now kind of made it a habit of we will always keep your your WordPress version. So this one, the main WordPress up to date for you automatically without you asking because they understand how important it is for the security of not just WordPress your specific version , but the entire Internet that there aren't a bunch of out of date WordPress installations floating around. It's also important, important for exactly the same reasons that you keep your plug ins into a lesser extent because themes have last security implications up to date. So running updates on this screen is super easy. There is a one button update. WordPress. If you've got a backup, you're probably going to be in good shape because rarely willen update to any of these things. Break anything for you. But that is the most common direction. So I'm gonna go ahead and hit update on all of these plug ins, and they're just going to run through you know where press is gonna make sure and do for you the hard part of downloading a zip file, putting it on the file system and all that stuff So with that, I just uploaded six plug ins. It is pretty easy to do. It doesn't take a lot of time. The paranoid among us will goto the front side of our site and be like, Yeah, it still seems to be the same medicine waas, but you don't absolutely need to do that. It's just something that the paranoid of us will probably want to do from time to time and again. The reason that backups are so important is for exactly this ability to quickly do the updates without having to think about it. So that's why updating is so important and how to do it in very short time. It's amazing the future of WordPress that we live in today. Cheers. 9. Why/How to Visit Your WordPress Site: So one of the most under marketed things about keeping your WordPress site secure is simply this. I have a site called Thoughtful Code, and I want to make sure it's secure. So I go to a thoughtful code. Let's say I'm not logged in and I look at the website and it's not. These pop ups are mine. I created them and everything. All the pages otherwise look good. And if I goto log in the log in page looks like I expect and I log in and everything hopefully looks like I expect I see plug ins that I've installed. I see jetpack that I've installed. I have no updates. And I'm good just doing this on a regular basis. One of the simplest things you can do to make your prostate more secure. We've already covered why you need to update. Well, when you do this check on the like weekly monthly basis, come in here and head of all the updates, you know, coming down here and make sure that your backups are running. Come down here and make sure that, um nothing weird is happening on your setting screens or like there's like a new thing under this tools menu or something, just simply doing this stuff of making sure that you're, you know, nothing strange has happened. Nothing unexpected is happening on your say. It's so valuable from a perspective of Okay, so something did bad happened. You do have a backup that's recent enough that you don't only have bad backups oven unsecured site that has been compromised in some way. So it sounds so simple that it barely ever get said. But it's so important to just check up on the site, even if it's something that isn't court of your business. If you care all about it, you just need to check on it once in a while. Makes a huge difference in the overall security of that site. 10. Security Plugins Overview: So there is a large category of WordPress plug ins that I feel like we have to talk about with respect to WordPress security. And this is what I would generally categorised as WordPress security plug ins. There are various plug into either go inside of WordPress or that our service layers that you, it run outside of WordPress that give you extra security benefits beyond just not making the obvious mistakes of not updating your impress A having bad passwords and what have you so a lot of them have a free tier. As I mentioned in this chart that I've put on my screen, almost all of these have a free tier in general. You want to pay for some features on some of them, so the best ones all include with almost no exception. Except this one is a kind of an outlier. It's on a full fledged security plug in. It's just for audit logs, which tying back to that last video audio logs air Great. If you aren't able talking to your site regularly, it can give you a sense of what every user on your entire site has done. But in general award press security plug in one of its biggest things that will prevent what they call brute force attacks, which is where someone guesses a password a lot on your site just really tries to hit you really hard. And almost everything that calls itself security plugging will block those, in part by blocking specific eyepiece that it noses are hostile to you. Eso those air come some of the two most common features. A more advanced version of that is what's called a Web application, firewall and Web application. Firewall is something that either works on your server or sits between your server and the public Internet and blocks requests that it thinks are bad intended to do harm essentially things like requests for is this plug in out of day on your site? Ah, Web application Firewall can stop those requests before they even hit your server. Ah, lot of security plug ins offer what they call now, where scanning, which is where they will go through and essentially look at all the files on your entire system and check the signature of all your files for things that they consider bad things that they consider for the distribution of malware to drive by downloaders or anything like that. That's kind of what malware scanning doesn't. Typically, these air services that you pay for that will look over all the files on your site and do it. Audit logs, as I started to mention, are great for I don't actually have the ability to watch my side as regularly as I would like, but I want to know what's going on in their audit logs air away, where different plug ins do it at different levels, but they will do things like, say, this plug in was turned on. This plug in was added. This plug in was turned off. Those sorts of things could be tracked by software for you, and you go in and look at it. And as long as the log has fidelity, which it hopefully does, then you know exactly what's happening in your precise and you also know what isn't happening on your WordPress site. Some of these plug ins also give you help with doing more complicated things that might harden your WordPress site, so maybe guide you through things like making sure that file permissions, air correct or even getting two factor authentication set up, you've probably had some exposure to two factor authentication. If you log into a bank website today, chintz or good, they send you a text message with a code that you have 10 turn and different your password . You can set that up on WordPress, and it is better, just a secure WordPress password. But it is hard to get. It's harder to set up, so some some of the security plug ins have that feature. So this table is kind of how I think and how I've compared WordPress security Plug within the past. Thinking that I will is at some point in 2018 released a site that is just this table because it's really helpful for people. But this is the sort of how I think about different WordPress plug ins that exists so you might have a friend who already has a copy of word fence and would love to, you know, add you to their use. You know, their multi user license, and if that's the case, I think it's really beneficial to have a WordPress security plug in. The one thing I would say, though, is it's important to realize that all the stuff we've talked about is still very relevant for having a secure WordPress site, even when you install one of these plug ins because none of them do everything that you would want for a site to be made secure. In fact, almost none of them knew backups, for example. So you still need to think about backups independently of getting a WordPress security plug in as a full fledged solution. But a WordPress security plug. It is a great step. You can take that without too much hassle without too much slowdown will almost certainly make your site at least a little more secure. 11. iThemes Security Quick Summary: So we just talked about this kind of matrix I've made of different WordPress security plug ins and so really quickly. I just want to highlight kind of what the experience of one of these is like, as I mentioned, they vary a fair amount. Some of them include a Web application firewall, some don't. I've chosen to highlight real quick I theme security. It's not the one that I think you absolutely need to have. I think every single one that I have in this Matrix is good for various reasons. It's just happening to be the one that I've got installed. Eso I've set up. I think security have just installed and activated the free plug in, and it's checked that a lot of things were good to me. So database backups are on brute force. Protection is enabled. Magic links are enabled. So I've said this plugging upto be, uh, you know, essentially secure enough that I'm happy with it and I can run different things like it's just run my security check. I can also turn on what's called in a way mode, which is a way where Onley during scheduled times can anyone log into my WordPress site, I can enable filed change detection, which is great for exactly what we've talked about, where we want something to alert us, that someone has tried to change a file, say, by hacking a out of date plug in or something like that. So all of these things these individuals steps in I theme security are good practices that you can do. They have some advanced ones in some recommended ones, and it takes care of kind of all of the different steps for you and helps you kind of explain a little bit more about what they do. So what's really great about I think security in particular is this screen is relatively user friendly. I think it is user friendly in the way that a developer has built it a little bit. It's a little, I think, not super intuitive. I wouldn't argue that this is the greatest interface of all times, but I think it's pretty good, and what's really nice about it is it just gives me quick checks about how my doing security wise and what further steps can I take. So, like I said, I don't think you need to use I theme security. I think any of the ones I have in this whole matrix are a good step and give you some benefits that we covered in the last video. But I theme security is one of them, and it gives it shows pretty clearly to me. Some of the good and the bad of Security plug in. So I do have automatic logs of various events. Since I just turned this on, I already have it. I haven't empty, but since I just turned this on its it's currently empty for me. I know over time these will build up has more and more people use the site, control things in it, or just I make changes to the plug ins that air on and off. And it's really good to have this sense of, you know, added beneficial security that I get almost for free. But it is not a complete solution. I still need toe. As I said, make sure that I check it on my site regularly. Make sure that I'm running back ups because the plug in itself doesn't do those things for me. 12. SSL Part I: What and Why: So if there's one thing that most people regard as fairly synonymous with security online, it's this green lock icon. This one's in in, Ah, Firefox. But most browsers will do a similar green lock icon, regardless of what they are. So my website that I've been playing with for this course is called thoughtful code dot com , and you'll notice that I've gotten https here at the beginning of its address, and I've got the screen lock that says I'm on a secure connection. This is called SSL or TLS or https, variously on defy Click More information. Here I can see that I have a let's encrypt certificate, which is, ah, free consortium that gives free tickets that my certificate that verifies that essentially it secures the connection between my visitors and meet expires on May 31st 2018 that I've gone to this website a whole bunch of times on dso on so I can actually see in here the certificate and the big thing to know about this certificate is that it's got essentially a fingerprint in a way to trace back the origin of this whole, secure the security of our connection essentially because of this SSL certificate. So you've got various ways no one ever digs into these, typically, of assessing the validity of certificates and what a certificate allows for is basically the connection between me as a visitor on ah home network connection and the security relative to this thoughtful code dot com domain and server. So that connection between me as a home user and that remote website is secured via this little padlock icon. So this is really important for e commerce, for example, because it almost verifies in the robust way that no one can snoop even on power public. Not very secure WiFi connections your connection to, say, your bank. If you're using https and you have a valid certificate in, there is much more secure from people prying on, you know, the hops that your traffic inherently takes through the Internet. That said, this green lock icon doesn't verify that I haven't been, you know, the site can't force malware or that it it doesn't make sure that the site hasn't been taken over, that it isn't showing ads. Like all of the things we've covered so far about why security matters on your site about why it's important to check on your site about why it's important of backups. None of that is verified by this secure, lock kind of thing. That's all totally separate from it so quickly. If I think of a bank, US bank is a big one. They have what's called an extended verification certificate, so their name is there, and that's actually the name of a legal entity. So if I click through their certificate a little bit more, it says that there in Minneapolis, Minnesota, and that they were verified by Entrust Incorporated. So that is stuff those air further features that you can get on an SSL certificate that I don't have on mine, because mine's basically just for that encryption layer rather than US bank. If you're you know, if you go to us bank dot com, you see this certificate, whereas it would be very hard for a hacker to not to get a certificate to actually be verified, to say, u dot s dot bank National Association, us. That's a lot harder for attacker to do that to just they're just make something that looks vaguely like the correct you are l here so that is basically what SSL certificate to do and what they're good for, so you can have a WordPress site that is not secure because it's got old code because it's not running. You know, a patched version of WordPress like that totally happens in his independent of that https thing. All the nation tps about that connection between a brown, a browsing user and your server. So it's important, especially for e commerce sites to have https connections. It's honestly increasingly regarded as a good practice for everyone on every site, always tohave because not only from like that cough insecure ish coffee shop right WiFi perspective, but also from like governments, New Ping and other perspectives. It's a good idea to have https regardless of what you're doing with your site, but it's not absolutely required, and it's not complete security. It's just helpful. And so in the next video, we'll talk about how you can, how I will set that up on one of my site s so you can see the process of how I've gone from having a non https connection to an A C. D. P. S. One. So we'll do that 13. SSL Part II: Setup for SSL: So the thoughtful code site I've been using to Demo everything so far is already on an https connection. So it's not a very good thing to show off to you how you would move a site to a T. T. P. S because already there. So I have this old site which in my browser has no grain lock icon. I see no https, and this is hosted at Blue Host, which is a We have a very reputable and very large, more importantly to me, Web host. So I'm going to try to use whatever set up Blue Host has to upgrade this domain to be https . We'll see what happens. So if I come in here and my kind of this is what they call a C panel, it's got a lot of icons. And there's a security pain down here which I noticed has an SSL in it. So if I go in here, I know that they're offering what they call a WordPress free SSL. I think that's a similar but distinct from the let's encrypt certificates that I am amusing on thoughtful code. So I'll go ahead and pick my domain out of there and I'm gonna click. Get started and we'll see where this goes cause I don't actually know, All right, so it'll protect link banana dot com. That's perfect. And I'm gonna stop. Well, it's installing. I will mention, uh, Lincoln is kind of like my version of cocky. If you've ever seen Conquistador gets like some random guy's collection of cool things, I love it. It's a fun site. You have successfully ordered a free SSL. If your domains can be verified automatically, you can expect the new certificate to be insults soon. If not, you'll receive an email with instructions. All right, so hopefully were in the process there because I think we should be set up. Let's go ahead and log in to the site that I haven't in to my embarrassment. There will be plenty of log in opportunities here. Another reason to, uh, get https is that increasingly, browsers are telling you that you shouldn't enter any log in credentials on non https forms , and this is very reasonable on, you know, open networks like coffee shop WiFi, where someone could snoop. If they do intercept the request that involves your user name and password, they can see it. It's transmitted roughly in a pretty backwards, compatible way so they can see. That s so it's bad going to diddle around a bit. I can see that I'm out of date. I'm currently in WordPress 4.3 point 4.9 point three. So I want to update 4.9 point four. Well, we're waiting. Okay, so it seems that I'm all set up to get this ssl from Blue Host. They're obviously trying to up sell me, but I'm not interested. Well, we're waiting. Blue Host is working away on the security of my sites right now, but I've just had some progress updates. I went for a little walk and, you know, got ready for the weekend and it still is showing me pending here, but I decided to try. What? What happens if I go to https? And what happens is that my wordpress a is now basically updated to work on https. So if I look here, I'm seeing that I'm on a secure connection. I noticed that this is a commode comodo certificate rather than let's encrypt that I have on thoughtful coat. But just by using their set up their dashboard and waiting a little while. It did require some patients. I will not like you. Blew Host has upgraded life site to use https. Most good host today will be using a similar. We will automatically transition you set up as what Blue Host has here. So it's basically a matter of it will be a different interface because this exists outside of WordPress. I can show you a single WordPress interface. I've shown you the blue host interface, which is when I have easy access to in a site that I needed to upgrade https. It is worth mentioning, but now that I've upgraded takes you to be a certain things might not work in the way. Expect Google Analytics. And that whole suite of Google Webmaster tools comes to mind as something where you might have to explicitly go in and manually change it to say, my side is now https rather than http. But on the whole, suddenly I've got that greater security between all my visitors and my website, my Loggins, or more secure when I submit my log inform all of those things were great benefits of upgrading. And if you're on go daddy or site, ground or anyone else. The upgrade process might look a little different, but I highly encourage you to get on https if you can, and in general is just a matter of finding the right support docks or the right support agent at your hosting company to help you with that transition. 14. Final Step: So with that, I think we've covered all the key points that I think are is central to understanding with security of WordPress site as a non developer, I think that https is really vital for instilling trust and for good reason. I think that security plug ins give you such a leg up with respect to just that core experience of WordPress is security. If you do that core things you talked about good plug ins. Make sure you stay up to date and having backups. You can trust that that WordPress experience will be good for the long run. But security problems give you that leg up of knowing that someone else has thought even harder about what other things you could do to make that site more secure and is helping you out along the way. We also talked a little bit about why having password and user role control is so important in WordPress and how easy it is to do, because as long as you give all you know your friend Frank, who you're giving access to your site as long as you give him his own account and make him have a good password you're pretty much all the way there. We also covered why every WordPress security. Sorry. Every WordPress site is has security risks because it on the Internet and nothing more than so. The parting thing I want to leave you with is the understanding that WordPress security. Wow, it is a series of steps that we've covered. It is also on ongoing process and the threats will change. And you cannot trust that the things that you do today will not be insufficient at some point in the future. Because quantum computers come and have breached every password on the Internet, those things can happen. And the last thing to really keep in mind about security is that it is not a single process in time even to keep doing it all the time. Hopefully with this class, you know, feel confident that your existing WordPress site is totally secure. You're happy to say, Hey, hackers come out because you trust that WordPress itself secure and you've taken the right steps to make it so. But I just want you to keep in mind. Security is premised on an eternal vigilance on, and I know it would be better if I told you could just relax and you're all good now. You don't need to worry about anything. But one of your plug ins will in the next five years almost certainly have been found out to be insecure. Even though you selected wisely, it's just almost inevitable because these air human endeavors So as long as you're aware of that in conversant of it, you'll do great. You'll be updated and plenty of time. But you just have to remember, that knows, process of security is ever complete. It's an ongoing mission, and with that cheers in good fortune.