The Ultimate Step-By-Step Guide to WordPress Security | Christine Maisel | Skillshare

Christine Maisel, Designer, SEO & Founder of Portable Entrepreneur

36 Lessons (1h 14m)
    • 1. WordPress Security: The Difference This Course Will Make (1:06)
    • 2. Why Securing Your WordPress Website Is So Important (1:44)
    • 3. Am I Really At Risk? Why Would Someone Want to attack My Site? (1:38)
    • 4. Most Common Type of WordPress Website Attacks (2:42)
    • 5. Section Intro: The Techniques You're About to Learn and Apply (0:31)
    • 6. How Many Seconds Will It Take For a Hacker to Guess Your Username and Password? (6:35)
    • 7. Are Hackers Finding Your Admin Usernames By Doing This? (2:42)
    • 8. Don't Let Hackers Know When They Have The Right Username or Password (1:48)
    • 9. If At First You Don't Succeed, Try, Try, Try Again (2:26)
    • 10. What File Permissions Are You Using? (3:56)
    • 11. Are You Password Protecting Your Most Vulnerable Directories? (2:29)
    • 12. Hackers Love This WordPress Default You Probably Forgot to Change (2:27)
    • 13. Easy to Update Security Keys for Authentication (3:38)
    • 14. Is Your Computer The Problem? (1:15)
    • 15. Don't Give Hackers Easy Information - Remove This Info From Your Site... (1:15)
    • 16. Are Your Website Files Open For Public Viewing? (2:18)
    • 17. How to Keep Hackers From Accessing Your Site Via Comments (0:42)
    • 18. Do You Know What Your WordPress Users Are Doing? (1:57)
    • 19. Properly Setting Up New Users For The Least Risk (1:22)
    • 20. Section Intro: Let's Talk About Hosting (0:25)
    • 21. The Importance of a Good Host (2:28)
    • 22. Section Intro: These Tasks Couldn't Be Any Easier & Make a Huge Difference (0:28)
    • 23. Free vs Paid Themes & Plugins When It Comes to Website Security (3:02)
    • 24. How Many Themes & Plugins Should You Be Using? (3:51)
    • 25. Are You Keeping Up With WordPress? (0:54)
    • 26. Disable Theme & Plugin Editing (1:06)
    • 27. The Best Thing You Can Do For Your Website That You Probably Aren't Doing (2:08)
    • 28. Section Intro: Yikes! My Website Has Been Hacked. Now What? (0:34)
    • 29. The Importance of Using This Google Tool for Website Security (2:33)
    • 30. 7 Signs Your Website Has Been Infected Without You Realizing It (2:12)
    • 31. Has Your Website Been Black Listed By Google? (1:29)
    • 32. What to Do If Your Site Has Been Hacked (5:26)
    • 33. Where to Get Help If You Need It (1:11)
    • 34. Section Intro: Understanding The Tools Available To You (0:47)
    • 35. The Different Types of WordPress Security Plugins Available (1:42)
    • 36. Is Your WordPress Website Now Better Protected? (0:58)

About This Class

You've put so much time and money into building your WordPress website. Now it's time to protect all your hard work and make sure hackers can't take full control of your website.

An unprotected WordPress website is a gold mine for hackers. They target easy-to-access and vulnerable websites so they can inject their spam links, redirect your website to theirs and even take over full control of your website for financial gain.

When this happens to you, you can get blacklisted by Google, lose your organic rankings, have your site taken down and even lose your website completely. If you're not prepared, you may have to start from scratch. It's scary what hackers can do and it's an extremely bad position to be in.

Spending even an hour on website security by implementing a handful of easy tactics can greatly improve the security of your WordPress website and encourage hackers to go elsewhere.

In this course you will not only discover the exact steps to take, you can follow along step-by-step and start protecting your website as you go so by the end of the course your website will be much safer. 

Every single day tens of thousands of WordPress websites are attacked. Don't let yours be one of them.

Transcripts

1. WordPress Security: The Difference This Course Will Make: With every latest update of WordPress, security updates are being addressed. But if you're serious about protecting yourself, your website, all your hard work and your time spent on your website, you should be taking security into your own hands. Most website owners I come across fall into one of three categories when it comes to securing their website. They either don't know to do it, or they know to do it but they don't take the time to make it happen, or they know it's important and they do it. My goal is to take you from knowing that it's important but not doing it to actually implementing it. I want you to know how to best protect your site, how to detect when something goes wrong and what to do if something actually does happen. In this course, I'm gonna cover several things you can do to protect your WordPress website, and I'll show you how to do each one. You can implement each security measure at the end of each lecture. By the end of this course, you will have a secure WordPress website, so let's get started and make it happen.

2. Why Securing Your WordPress Website Is So Important: WordPress makes up about 25% of all existing websites today. The popularity of this platform alone makes it a huge target for hackers. WordPress is promoted as simple to use, but with this come the pros and the cons alike. It's easy to overlook these imperative security tasks and only focus on setting up your website. This is something large companies take very seriously, but many smaller companies just brush it to the side or don't realize it's important. Now, we can't completely prevent a hacker, but we can do our best to make their job as difficult as possible and to encourage them to go elsewhere. Tens of thousands of websites are blacklisted every single day, and this can happen to website owners who don't take proper care of their website. It is our responsibility as website owners to avoid malware infection.
Avoid getting penalized by Google, so we don't have to answer to our visitors why they're being redirected to another bad site or why they have had software downloaded on their computer, and we certainly don't want to lose organic rankings either. As website owners, we really need to make security a requirement and not just an optional task that we will get to when we have time. This is very serious. Our job is to do our best to secure our website and deter hackers. The number one vulnerability in website security today is the website owner. In this course, we're going to remove that vulnerability completely.

3. Am I Really At Risk? Why Would Someone Want to attack My Site?: You may be thinking, "I've just got a small site here. There's nothing really here. Why in the world would an attacker want to get into my site?" Unfortunately, that's the type of thinking that keeps a website owner from taking any action to prevent these attacks from happening. You see, most attacks are automated. It's not your website in particular that they're after. They're looking for websites with vulnerabilities that they can take advantage of. So if you leave the front door to your website wide open, so to speak, they'll likely just come right on in. This could be something as simple as having a plugin with a known security vulnerability installed, so your website shows up on the list. Some website owners have tried to take down their competitors' websites. Some hackers just do it for fun, and a lot are doing it for financial gain. They get paid by adding affiliate links to your site, installing downloads on your visitors' computers or redirecting your traffic to their own website. So there are all types of motivations for these attacks. These attacks are often automated, as I mentioned, because the attacker is more likely to succeed in getting access to sites, and it's so much cheaper and faster for them to do.
If your site is attacked, it will cost you time, effort, business and money, and leave you with a lot of headaches and frustration. The best thing that you can do is to try not to take it personally and to be as prepared as possible.

4. Most Common Type of WordPress Website Attacks: Before we get into how to properly secure your WordPress website, I think it's important to spend a few minutes talking about how a hacker can actually gain access to your website. The main ways they gain access is through the website's environment, the server it resides on. That is where you have chosen to host your website. If the server has not been configured correctly or it runs older versions of certain software, that's where you can run into trouble. So your job here is to make sure you are with the best host you can be, and then to take the security measures that your host doesn't. Turning to your website, hackers can gain access to your site via your administrative login or even FTP login. They can figure out your login information, as I'll show you later in the course, and use that to take over your site, inject malware or anything else they want. Lastly, hackers look for vulnerabilities in your site that allow them to sneak in undetected. Here they look for out-of-date themes, plugins or other scripts and software that allow them to get in. It's scary enough that someone can get into your site, but it can be even scarier what they can do once they're actually in. They may include a spam link, inject malware which redirects your visitors to another website, or even delete your website's database completely, which is not reversible unless you are prepared. Otherwise it's over for you. Not only are you facing the damage to your site, your website can get dropped from Google. Now you've lost your rankings, all the time and energy you put into building and ranking your website, the profit the website generated for you and all your traffic. Believe me, this makes for a really, really bad day.
Remember, most of these attacks are going to be completely automated, so you have to protect what could be targeted by hackers to have the best chance of preventing attacks in the first place. If the worst case scenario does happen, you can be better prepared, have minimal downtime and be back up and running, oftentimes the same day. Now that you see how someone can access your website, we'll start looking more closely at exactly what you can do to prevent these attacks. Now that you see how someone can gain access to your website, we'll start looking more closely at exactly what you can do to reduce the likelihood of a new attacker gaining access to your website.

5. Section Intro: The Techniques You're About to Learn and Apply: I'm glad you're still with me. Now we're going to get into the details and talk about the exact steps you can take to better protect your WordPress website and reduce the risk of an attack. Here you'll be able to follow along and double check the security of your own website as we look for security vulnerabilities, so you can correct these as you go through the course. I'm also available to answer any questions you have, so don't hesitate to start a new discussion. I'm here to help.

6. How Many Seconds Will It Take For a Hacker to Guess Your Username and Password?: We're going to start off by talking about one of the simplest and quickest things that you can do to protect your WordPress website, and that is taking a look at your usernames and your passwords, because the most common WordPress attack is focused on gaining administrative access to your website, and they're going to do this by attempting to log in with your admin username and password via the wp-admin or wp-login screens. So if your admin login looks like this, where your username is admin, you have already given potential hackers half of the information that they need to gain administrative access to your website.
This is the most common admin username, so now all they have to do is guess your password. So there's a couple of things that we can do here. If you have not yet installed WordPress, when you go to do so, of course, you're going to want to choose a more unique username. But if you already have installed WordPress and you've set up your users, you can make a change. If you go into your dashboard and you go down to Users and All Users, you'll be able to see everyone here who has an administrative role. Here I have two administrators. One is named admin, and one is named Vernon. Now, both of those usernames I would stay away from, because first, admin is very common, as I mentioned. But Vernon, that's also a name. You can see the name of the person here is Vernon Smith. Their username is Vernon. That's also not a good idea, because if you are commenting on your website, or if you have posted your bio, let's say, on your website, then the hacker now knows your name. So if they've tried the username admin and that's not working, they're going to try your name next. So again, you want to stay away from those two names. Now you'll notice that if you click on a user, the username here cannot be changed. So what you'll have to do is you're actually going to have to add another administrative user if you do not already have one, like I do here, and you'll do that by just simply clicking Add New. You'll throw in the username here, and again, just make it something difficult. Make it something that's not easily going to be guessed. You put in the username, sorry, the email rather, and the person's name here. Just again, make sure that the name that is going to display publicly on the website is going to be different than the username. Now here in the most recent version of WordPress, you're going to be able to click on Show Password, and it's going to generate a password for you.
That is a great password, if you can use that password. Now, if you don't, let's say I just use the password 123456. It's going to tell me that that's weak, and then I'm going to have to confirm that I'm going to use a weak password, so just stick with the one that they give you. For role, you want to make sure that you select Administrator and then go ahead and click Add New User. Now I'm gonna go back to my screen here. Now this is my main admin. Now note that you are going to have to log out with that user and back in as the other administrator in order to delete it. You obviously can't delete the username that you're logged in with. You'll be able to delete it, and now, if you have content that you have already created with that username, don't worry. WordPress is automatically going to prompt you to either delete all that user's content or just attribute it to a different administrator, which you'll be able to do here, and you'll be able to click Confirm Deletion, and that's all you'll have to do. Now, in this instance, I would want to go back and create a new username for that administrator that is going to be more difficult than Vernon, and I'm gonna want to come back and delete Vernon because that is not going to be very secure. Now, another thing that you can do is with your passwords. If you have a password like password or 123456 or your actual name, your birthday, things that are very common like that, you're gonna want to stay away from that. You saw in the previous screen how unique the WordPress password was that they generated. You're going to want something very difficult like that. You can easily go in, and you can generate a new password for every user in here. Now that's a good idea to do on a frequent basis anyway, but this is going to give you a much better password. There is a site called How Secure Is My Password?
So if you have a password currently, I encourage you to go here and type it in, and this is going to give you an idea of how strong your password is. So let's say I'm using the 123456 password. As you can see, it says my password would be cracked almost instantly. Obviously not a good password. Let's say I type in my name as the password. Again, instantly. Now let's say I go back and I grab this password here from WordPress and I type it in. That shows you 14 octillion years it's going to take to crack that password, so that is obviously a password that you want. Now I can try something that's maybe just in between, and this one that I just used has a mix of letters, numbers and symbols, and it says that on a desktop PC that would only take about three hours to crack. So this is definitely something worth checking out and playing with to see how secure your actual passwords are. Now, one thing I know you're probably thinking is, "Well, great. I cannot possibly remember all these crazy long passwords. What am I gonna do with that?" I strongly suggest that you use a password manager. There's a lot of them out there. There's LastPass, you have RoboForm. There are plenty out there. You can do a search for them and see whichever one you like best, and go ahead and use those to save your passwords so that you don't have to remember all of these and you have them in a secure location. But also, even when you have secure passwords, please do come back to your users and please do update your passwords on a regular basis. That is going to protect you from one of the most common WordPress attacks.

7. Are Hackers Finding Your Admin Usernames By Doing This?: We talked about making usernames more unique and not using something generic like admin or your personal name. But in addition to this, you also want to hide usernames from being found. So take a minute and go to your browser.
Type in your website name and then, after your domain, put a forward slash followed by ?author=1 and hit Enter. See what happens. Now you'll see all of the posts for that particular author. If you now look at the URL, you will see the author name. So here this site is using admin, one of the most common names, so it's not very secure, but that is just how easy it is to find the administrative username, if that is what you are using to log into your site. So if you yourself are making posts, this is something you can think about. You can actually just create a non-administrative account for you to create posts from. But you also want to make sure that you hide this a little better. Now we want to go ahead and block this username from being found. This way, if anybody does this type of search, they will be redirected to the home page, and they're not going to be shown the username. To block this, we'll need to add a bit of code to the functions.php file. If you're not familiar with this file, your functions.php file adds functionality to your site. And as this is a core WordPress file, if you don't know what you're doing, be careful, as one wrong move could make your entire site stop working. I don't want to scare you, but I don't want you to mess up your site either, so I want you to realize how serious the file is. But whether you're experienced with this file and PHP or not, you should always make a copy of the file before making any changes. Worst case scenario, you can upload the original file to restore your website. Another option is to use a plugin like Code Snippets that will allow you to insert this code without actually putting your hands on the functions.php file. So it's a bit safer, but it's still a good idea to do a backup of the file first, though. So if you use Code Snippets, or you just want to add this to your functions.php file directly, this is the code here that you want to add in.
So if anybody does the search for the author, this says that it is automatically going to redirect them to the home page URL. This way your usernames are better protected.

8. Don't Let Hackers Know When They Have The Right Username or Password: You may have noticed, if you type in the wrong username or password, WordPress is going to tell you what's wrong. If I enter the wrong username, it tells me that I have the wrong username, but my password is correct. If I go back to using the correct username, but I type in the wrong password, it tells me my username is correct, but my password is wrong. While that's helpful for you, that's also helpful for hackers, because they now know which part of the equation they have right. So removing these login error messages will make it harder for them to know if they've guessed any of the right login information. To do so, you're going to need to edit your functions.php file. To remove the error from your login screen, you need to add the following code to your theme's functions.php file. If you don't feel comfortable doing so, there are a couple of things that you can do. Some of the security plugins available will handle this for you, so that's one way to tackle it. Another way is to use the Code Snippets plugin that we have discussed, and you can also enter that line of code here as well. So you can paste that in here. You can give it a name. You can give it a description, the same description as the title. And I'm gonna click Save Changes. Now I'll go back to my website and try putting information in, and you'll see that the error message has been removed. Now, this tactic won't completely prevent a hacker from accessing your site, but your job is to make it harder for them and deter them from attacking your site.

9. If At First You Don't Succeed, Try, Try, Try Again: Another way to deter potential hackers is by limiting the number of failed login attempts one single user can make.
If a hacker is trying time after time after time to enter an incorrect password, they will not be allowed to continue attempting. Many people use the Limit Login Attempts plugin in order to prevent this from happening and to stop users from continually trying to enter a new password. There are some hosts that, when you actually go to install WordPress, will ask you if you want to install this Limit Login Attempts plugin. There are other hosts that, if you have WordPress on their host, will actually uninstall this plugin from your site because they don't feel it's secure. I personally am not going to recommend this particular plugin because it hasn't been updated in over two years. So even though it works, it hasn't been updated. It's not up to date with the current WordPress version, and we've talked about the risk of that before. There are other options. There is BruteProtect, which is now owned by the creators of WordPress, so it's definitely something that's worth looking into. They've actually put BruteProtect in as part of Jetpack, which, you may know, is pre-installed when you install WordPress now. So you already have that. All you have to do is go into Jetpack and activate that from your plugins. This plugin will protect your login when it notices too many login attempts. If you'd like to avoid using another plugin and don't mind a few lines of code, you can paste this code into your .htaccess file. Again, just make sure to make a copy of the file before making changes. So you can see here that they're going to deny anybody from logging in to your wp-login screen, except for this IP address that you insert here. So this is where you can enter your particular IP address, and you can also include any other IP addresses of anybody else who is going to access your login screen. If you work from any other offices, you want to include those as well.
If you don't know what your IP address is, you can go to the site called whatismyip.com and it will tell you right there. You simply copy and paste that into the code and you're done.

10. What File Permissions Are You Using?: If you've played around in your files and directories, either via FTP or in your cPanel's File Manager, you may have noticed that permission column with various numbers. We don't want hackers to be able to do either of those things, so we need to double check our permissions to make sure they can't access the files. Essentially, this is like going on vacation while leaving the front door to your house wide open versus shutting the front door and locking it with a deadbolt. Let's look at how to change these permissions so you can avoid having anyone upload or change your files who shouldn't be. If you want to do this via FTP, you can use a free program like FileZilla. Now here you can see the permissions on the right. You'll be able to right click on the permission number, pull down to File Permissions, and here you'll be able to enter a new numeric value. Now, likewise, in your cPanel, you'll see the permission column, and you'll be able to click on the permission number, enter the numeric value and click Save. So now you know how to change a number, but what number should you change it to? What should you be looking for? Generally speaking here, the lower the number that you have for your permission, the more secure it's going to be. But of course, the more secure it is, the less that people can access it, even yourself. So you want to be careful with your numbers. What you're looking for for your files and directories is to make sure that absolutely nothing is set to 777. This file permission will allow a hacker to gain access to your files. They can modify a file, upload malicious code and take over full control of your website.
So that is definitely something to look for and to stay away from. At a quick scan here, I don't see any 777, but if I do go back to this other site here, make this a little bigger and I scroll down, I already see a 777. I see another one here. So those are some of the directories I need to take a look at. Now, if you're using a shared server, WordPress themselves suggest that your wp-config.php file permission be set to 750. So you want to look for your wp-config file and you want to see what the permission is there. Now, you see, this one is lower. Others are going to tell you that using 644 is better and more secure, and it will allow you as the owner to modify the file, and other users with server-level access would be able to read the contents. So it depends on what you need. Using 750 will still keep outsiders from reading and executing anything in your file. Some say to use 600, which is even lower and more secure on shared hosting, so others who share your server can't read your file. But with some hosts, your website may not work with these lower permissions. So, in general, a good rule of thumb here is to just use the most restrictive permission that you possibly can for the host that you are using, so that your website will still work. So for directories in particular, you want to look for either 755 or 750. Those are going to be fine, again, as long as you're staying away from that 777. For files, those are more typically 644 or 640. If that's in place already, then you are good to go. If this is a topic that interests you and you want to know more about specific file permissions, WordPress does have a lot of information about that, and you can look through the Codex to see what they suggest. Otherwise, just double check your current permissions and make sure you're not unintentionally giving access to your files and directories.

11. 
Are You Password Protecting Your Most Vulnerable Directories?: Hackers will also attempt to access your website in order to change your administrative settings, your themes or your plugins, or any files where they're going to be able to insert anything that they like into your website. One way to prevent them from doing this is to password protect some specific directories on your website that you want to make sure that no one can access. If you have a host that uses cPanel, you can easily do this by going to Password Protect Directories. Now, clicking on that, you're gonna be able to select your domain and click Go, and here you're going to see a list of directories that you have on your website. Now, before moving forward, I want to make sure that you understand that you do not want to password protect your main root directory, your www directory, because this is going to not allow your website to display correctly. But we want to focus on some of the other folders. You can look at your wp-admin. You could look where your themes and your plugins are stored, and those are the ones that you can password protect, really any directories that you do not want anyone to access. So to do that, I can simply click on the directory, and on the next page it is going to prompt me to enter a name for the directory. I'm going to need to click to confirm that I do want to password protect the directory, and then I can enter a new name for the directory that is going to be displayed if anyone is looking for my files. After saving that, I'm also going to want to create a username and a password here. Again, just as we talked about before, you want to make sure that your password is very secure. If your cPanel gives you the option to generate a password, it's a good idea to use that. You can also go back and throw that into How Secure Is My Password to see just how secure it is. Make sure that looks good, and you can use that password if you like.
You want to create this username and password because the person attempting to log in, and that includes you, is going to be prompted to enter the username and password that you create here. So again, this is just a very quick fix that can take you 60 seconds to do, but it can prevent hackers from accessing these files where they're going to attempt to inject anything that they want into your website.

12. Hackers Love This WordPress Default You Probably Forgot to Change: A WordPress website consists of both files and a database, and all of the information that is on your website is actually stored in this database. So that means this is one of a hacker's favorite places to target, because they can actually do a mass attack where they target multiple WordPress websites simultaneously. It's a bit scary, but they can do this by running automated code for SQL injections, where they will actually inject code onto your website as well as other websites. But there is a very easy way to prevent this. When you are installing your website, the default database table prefix is wp_, so these hackers run automated code looking for that default database table prefix. So when you're installing WordPress, what you can do is switch that to something more secure. You'll find this under Database Settings, under Table Prefix. You'll notice here, just as I said, it's wp_. It doesn't really matter what you rename this to. Just make sure that you pick something unique and make sure that you stay away from wp_. You can go through the rest of the process, enter in your information, and then you can click Install, and you'll be good to go. Now, if you have already installed WordPress and you did not change your table prefix, you can still go back and do that. It will require a few more steps, and you do want to be very careful when changing the table prefix, because you're going to need to change that in several places.
So if this is something that just sounds way over your head, I would recommend working with a programmer who understands how to do this. It would not be a very long fix for them. They should be able to do this in 30 minutes, and you'll be better protected. We're also gonna be talking about how to secure your wp-config.php file, which is going to contain a lot of information about your site. So it's definitely something you want to protect, because you do not want hackers gaining access to any of that information. If you do go look in your wp-config file, you will notice that the table prefix is actually listed within that file, so that's why we'll be looking at how to secure that as well.

13. Easy to Update Security Keys for Authentication: WordPress also uses a set of security keys for authentication, and these security keys better encrypt your WordPress sessions. The whole idea behind these secret keys is that they will make your site harder to access and therefore harder to hack. Now, how this works is it adds random elements to the password that you have generated. So this is a super quick and easy way to secure your website, so it's definitely time well spent. It's very easy to do. I'm going to show you exactly how to do this. You do have to play with a little bit of code, but it is literally copy and paste. So let's take a look at first how to get these security keys and then how to actually add them to your website. The first thing I want to do is show you where these actually are. Now you can go in through your hosting company and go to your File Manager. Likewise, you can do this through FTP, so if you're using any FTP program, you can do that as well. Now, when you first log in, you want to look for your wp-config file. Before you do anything, you always want to download a copy. That way, if there's ever any error, you simply just delete the file that you edited and add back the original file. So you never want to edit the live file.
So to do that, you can simply select the file and then you can download it. It's going to download it to your computer, then you'll be safe to edit. So say I'm going to go ahead and edit it, and what I'm going to do is look for these keys. I'm just going to do a quick find for this authorization key. You'll notice here that there are eight keys and they all start with define. These are very random keys. Now, what you can do here is you can actually generate these keys either manually, or I'm going to show you a tool that's going to do it automatically for you. So you're going to want to use about 60 characters that are completely random, and every single one of these should be different. Now, if you're using an older version of WordPress, you may only notice four lines, and we're going to update that to eight now. So if you only have four, it is completely safe to replace that with the eight that I'm going to show you. So what you can do is go to the secret key generator that is created by WordPress, and simply by going to that website, it is automatically going to generate these keys for you. So all you have to do is simply copy these, go back to your file, and you can paste them in, replacing the ones that you have, and you can click Save and that's it. You've now updated your security keys. Now, you can do this from time to time, and the reason that you're going to be doing this is, yes, it's going to secure your website better. But WordPress uses cookies that actually track when users log in and who is logged in. So if a hacker is able to know your salt, which these are referred to as, it is easier for them to gain administrative access to your website. So it's really important that you keep all of these unique, as I mentioned, and you don't ever want to give these out to anybody. And as I also said, just make sure to change these from time to time. This will clear all cookies on your website and you'll be starting fresh.

14.
Is Your Computer The Problem?: When we think about protecting our WordPress website, we're often focused on just our website and we don't even consider the computer that we use to access our website. Your personal or your work computer, or wherever you log in to your site, can harm your website if that computer has been infected. This is also something to consider if you work in a public place or you ever log in using an unsecure connection. This is pretty straightforward, but something I want to make sure you are aware of. By running antivirus or malware software, you can scan for any viruses or other malware to make sure your computer is safe, which is really all you'll need to do. This will help keep hackers off of your computer, because once they gain access to your computer, they can gain access to your WordPress password. So there are lots of software options available. There are free options. There are paid options available. So go ahead and look at the different types of software options that are available to you that you can install on your computer to make sure that your computer is safe, so that it is not infected, which can, in turn, infect your WordPress website.

15. Don't Give Hackers Easy Information - Remove This Info From Your Site...: Hackers are always looking for vulnerabilities in order to get into sites, and one way they can do this is by taking advantage of sites that have not updated to the latest version of WordPress. They can easily look at the WordPress security log to see the loopholes that have been fixed and take advantage of the sites that aren't staying up to date. Then they can do an automated search for websites running these older versions. Unfortunately for you, the WordPress version number you are using is stored in your code and is extremely easy to find. The good news is this is easy to remove. You'll need to add a few lines of code to your functions.php file, and you can do this manually or using a plugin as well.
There are a few ways that you can remove this tag, but this code that I'm going to provide you is the best one to use because you will be removing it from your RSS feeds as well. Other code will not remove it from your feeds, which means a hacker can still get this information. Ideally here, you're always going to be staying up to date with the latest version of WordPress to reduce any security risk, but this is just one extra measure that you can take.

16. Are Your Website Files Open For Public Viewing?: Let's look at something else that's a bit scary. Take a quick second, go to your browser and type in your domain name. Now, after your domain name, put in a forward slash, followed by wp-includes. Now, if you have just been redirected to your home page or nothing happened, you're safe. However, if you typed that in and you are now presented with a list of your files, you are not safe. Your files and directories should not be open for public viewing, and that's what is happening if you see this particular list here. So what can we do about this? We'll need to add two quick lines to your .htaccess file. Again, don't forget to make a copy of this file before making any changes, so you can always upload the original if need be. So here's the code that you're going to need to add in. So let's take a look at how to actually add this in. You can do this via FTP. You can do this in your cPanel just by going to File Manager. Now, one thing to note is when you select the document root for your particular domain name, you'll notice below there's a box that says Show Hidden Files and, in parentheses, dotfiles. You need to click this or you're not going to see that .htaccess file. That dot means that it is going to be hidden, so you'll be looking everywhere if you don't check that, so make sure to check that box. Now we'll go into this cPanel and you're going to see it here, right up top. Again, download a copy of that.
So you have that just in case, and then you can go ahead and edit the file. Now, all we'll need to do is throw in that code. We can click on Save, and it tells me I have successfully saved it. Now I can go back. I can try to type that into my domain again. And now it says that I am forbidden to access that page. So now I can no longer see that list of files and directories. So just go back after you've added that code in, make sure your site still looks good, make sure that all of the files now cannot be accessed, and you're done.

17. How to Keep Hackers From Accessing Your Site Via Comments: Believe it or not, the comment section of your website is also vulnerable to attacks. It's just like any other access point to your website. An easy way around this vulnerability is to use a third party like Disqus to handle comments. Disqus acts like a proxy, which means comments won't actually make it to your website if they have been filtered as spam or identified as having any malicious code. Everything is looked at off of your site, which greatly reduces your risk. You can also use a plugin like Akismet to help prevent spam comments. Either way, this is a common WordPress vulnerability that you can easily close the door on.

18. Do You Know What Your WordPress Users Are Doing?: If you run a website with multiple authors, you should regularly be reviewing what users are doing to look for any suspicious activity. This allows you, of course, to make sure users or authors are doing what they're supposed to be doing. But it will also help you see if something looks completely off or if there may be any suspicious activity going on. So what are you looking for? You want to pay attention to who is logged in, but not only who is logged in, but when those users are logging in. Are they logging in at odd times? Is it late at night, when somebody is on vacation, or when you think they would actually be sleeping, not working, any time that they probably shouldn't be logging in?
Also, what are those users doing? What are they changing, adding, deleting, installing? So if there's anything that looks out of place, or any users that you have assigned to do specific tasks are doing something else, you want to look further into that so you can see if it is actually that person or if somebody else has their user name and password. There is a plugin called WP Security Audit Log, and this is a good plugin that actually will show you the history of what all of your users are doing. You'll be able to see if new users have been created, if there's been any change in roles, if anybody has deleted any files, uploaded any files, added new posts, and the list goes on. So this really will help you identify what your users are doing. And if there has been any suspicious activity, you'll be able to jump on it a lot faster. So it's a really good idea to go in, set this up and also set up some email alerts for any potential suspicious activity so you can jump on it immediately before any real damage is done.

19. Properly Setting Up New Users For The Least Risk: If you have others do work for you or you run a multi-author website, it's likely that not everyone will need administrative access. Giving users only the permissions that they need, and that are absolutely necessary, will keep your site the most secure. The more administrator accounts there are, the more possibilities a hacker has to gain access. The WordPress Codex has a list of roles and capabilities for each user type, so you can select and only give users the permissions that they absolutely need. So if you're not familiar with the different roles, you'll definitely want to come to this capability and role table so you can look at the different types of users, and you'll be able to assign a specific role based on what you need that user to do.
If you're setting up the new user account for someone who will only be working on the site for one time or a limited amount of time, make sure to delete their account as soon as they're done. And on a side note, in addition to what we just discussed, if you're having others work on your website, you should always back up your entire website before giving them access. This way, if anything happens, you can quickly and easily restore your full website.

20. Section Intro: Let's Talk About Hosting: Your website can only be as secure as its weakest link, and that's why website security starts with your web host. This means how good or bad your web host is at handling security issues makes a big difference for your site. We'll look at some of the best hosting companies that will keep your website secure and what to actually look for when selecting the right company. Let's have a look.

21. The Importance of a Good Host: Hosting can play a big part in just how vulnerable your website is. Hosts running an old PHP version or other services can leave your website vulnerable to attack. With shared hosting, you are also at the mercy of your neighboring websites. If they use a bad plugin or theme, let's say, and their site gets infected, your website can become infected too. It's pretty scary. Luckily, there are a few things you can do, though. First, you need to know what to look for in a host. You want to make sure that the hosting company you're working with supports the latest versions of software out there, that they're using the latest PHP and MySQL versions. It's also good to make sure that they are isolating your account, that they have put a firewall in place and that they have some detection system in place for seeing when there are intruders on your account. Now, if you're not sure, there's a couple of things you can do. First, don't be afraid to ask a potential hosting company what they do about security.
You can also use some of the suggested hosts that I'll suggest in this course as well. But if you're not sure how secure your hosting is, you can also install some security plugins, such as a security scanner or the All In One WordPress Security and Firewall plugin as well. You can also opt for a managed WordPress hosting account, so you don't have to share space with other website owners. As you start looking into more secure hosting, especially managed hosting, the pricing will start to increase. But don't panic here. Just do the best you can, pick the best one you can afford, and then use the rest of the strategies we've discussed in this course. I'll provide a list of some web hosts that are known for their security for you to consider. But some take security very seriously and do a lot to protect their customers' websites. Like others, WP Engine, for example, automatically disables plugins across all their customer sites if they see a potential vulnerability. They also update WordPress automatically, and they are so careful about protecting their customer sites they even offer to fix a hacked website for free. So the host that you use can definitely make a difference when it comes to WordPress website security.

22. Section Intro: These Tasks Couldn't Be Any Easier & Make a Huge Difference: Some of the biggest WordPress security loopholes are actually the easiest to protect yourself from. In this section, we're going to take a look at the themes and the plugins that your website uses to make sure that the hacker does not gain access through your theme and plugin files. Here, you're going to find out how to make sure you start off on the right foot by selecting the best themes and plugins from a security standpoint.

23.
Free vs Paid Themes & Plugins When It Comes to Website Security: When selecting themes and plugins for your website, you may be debating between using a free or a paid theme or plugin, and you want to think carefully about that. Now, just as with anything, there's going to be the good and the bad, so you just need to make sure that you're paying attention. Some of the free themes and plugins that are out there don't get updated regularly. Some of them are not correctly set up, so they're not as secure. And depending on where you actually download these free themes or plugins, they may not have gone through proper security checks. So really, you just want to make sure that you are using reputable sources. You can download a lot of free themes in the WordPress theme directory. Likewise, you can download a lot of free plugins in the WordPress plugin directory, or, if you're looking for some paid themes and plugins, you can use resources like ThemeForest and CodeCanyon, which are also reputable sources as well. If you're in WordPress, though, you can take a look at each individual theme or plugin. You can take a look at the ratings that are there to see if people are reporting that they're working or not working. Of course, the more reviews the better. But if you are using one of these featured or even latest themes, they may not have as many reviews for you to go by. However, if you click into some of the older themes, you'll see that they have more five stars. But you can look down into these one, two or three stars here, and you can read what those reviews say to get an idea of what the problems are that these people are running into. If you see a bad review, that doesn't mean stay away. It just will help you identify whether this is going to be a good thing for you to use as well.
If you already have a theme installed, you can use a couple of plugins like this one that's called Theme Check, and this one is going to make sure that your theme is up to par with the latest WordPress standards. All of the themes and plugins that are in the WordPress directories go through a review process, but this is still a good idea, and it's especially a good idea if you have downloaded a theme from another source and you're not sure if it's reputable or not. This will just help give you a little bit more of a sense of security. There's also another plugin called the Theme Authenticity Checker, and this plugin will actually take a look at all of the themes that you have installed. It will scan all of the code, and it will let you know if there are any signs of malicious code that has been found within your theme files. So in the end, you really just want to make sure that you are using some reputable sources and that you stay away from any themes and plugins that have not been updated. You'll notice that if you look through some different themes and plugins, they'll say when they have last been updated. Sometimes you'll come across some that haven't been updated in two years or more, so they may still work, but you have to understand what the risks are of using some out-of-date plugins.

24. How Many Themes & Plugins Should You Be Using?: Another quick thing that you can do to make your website more secure is to make sure that you are keeping your themes and your plugins up to date, and also that you are using as few plugins as possible to get the job done. Obviously, you can only use one theme at a time. So what you want to do is uninstall any themes that you are not using because, as I've mentioned, hackers try to get into the theme and plugin files in order to inject code. So the less that you have, the fewer the chances are that they will be successful in doing so.
So as you can see, I have my active theme here, and all of these are obviously inactive themes. So what I can do is click into the theme details, and in the bottom right-hand corner I can select Delete, and I can confirm that yes, I would like to delete this particular theme. Now I can go through and do that on all of these themes that I am not using. So in the future, if you ever decide to switch themes, you can install several themes as you play around with them and see which ones you like. But once you have confirmed the theme that you want to use, do go back and delete all of those themes so that no malicious code can be injected into any of those theme files without you even realizing it. Likewise, you'll be able to go to your list of plugins and you'll be able to look through all of the plugins that you have installed. Just like with themes, we often install multiple plugins just to see what we like, what works, what doesn't work. But then we sometimes forget to go back and delete those. This leaves yet another loophole. So when you take a look at your list of plugins, you can scroll through and you can see which one of these you are not using. If you are not using, let's say, BuddyPress, what you'll need to do is, if it's activated already, you'll first need to deactivate it, and once it has been deactivated, you will now see the option to delete that plugin. You can simply click Delete and confirm that you are OK with deleting the files, and you'll receive the confirmation that, yes, the selected plugins have been deleted. Now, in addition to deleting the themes and the plugins that you are not using, you also want to make sure that you are keeping the plugins that you are using up to date. A lot of the time, these developers will release new updates for the plugins, and they include security updates. So if they've found any loopholes, they will include that.
In the next round of updates, you'll be able to easily identify if a plugin needs to be updated. You'll see either this little icon up here, and this tells you how many plugins or themes or even WordPress need to be updated. It says one plugin here, or over on the left-hand menu, it says Plugins and one. You'll notice that there's a menu across the top here that says Update Available. I can click on that to see which one actually needs to be updated. Now, you may have noticed that back on my full plugin list, it did show this icon with this note that there's a new version of BackUpWordPress available, and I can update that. So all I have to do is simply click Update here and Apply, and my plugin will be updated. So to recap, make sure you're only using one theme. You want to use as few plugins as possible to get the job done. If you are able to do the job without using plugins, that's even better, because you reduce the risk of being hacked through that particular plugin. I'm not saying be afraid to use plugins. Just use them as necessary. Also, make sure that you do keep your themes and your plugins up to date.

25. Are You Keeping Up With WordPress?: Just as with your themes and plugins, WordPress regularly comes out with an update, and more times than not, there is a security update that is included with each release. This means WordPress has identified a vulnerability and has created a solution for it. If you don't update your website, WordPress has just told every hacker out there about this loophole, so it's a good idea to make sure that you stay on top of your WordPress updates. You will be notified in your dashboard, just like you would for a plugin, when WordPress needs to be updated, and you can automatically update it from there. Of course, you also want to make sure that you have first completed a full backup of your website before updating any plugins, themes or WordPress.

26.
Disable Theme & Plugin Editing: Being able to edit theme and plugin code from the admin panel is very convenient for us, but it is not necessarily the best idea. On top of that, this could be a security issue. And you don't want hackers editing this code, especially as it's a common target. So the idea here is to remove their ability to edit this code so that they're not able to inject anything into your theme and your plugin code. To accomplish this, all you need to do is add one line to your wp-config file. This one line will remove the hacker's ability, so that when they gain access to your site, they're not going to be able to edit the theme or the plugin code from within that admin panel. This also means that your clients would not be able to access it, and it also means that you would not be able to access it. So that's something to keep in mind. You would still be able to do so via FTP. You'll be able to gain access to the files that way, which may be a better way for you to do it anyway.

27. The Best Thing You Can Do For Your Website That You Probably Aren't Doing: Hopefully, by this point in the course, you can see why having a copy of your entire website could be useful. If your website goes down due to an attack, you may or may not be able to fix it. If you can't fix it, your website is only going to be as good as your last backup. And if you don't have a backup, well, you'll be starting over from scratch. Backing up your website means that you are making a copy of your website files and database. You should be doing this on a regular basis. How regular depends on how frequently you update your website. If you're not sure, ask yourself: if your last backup was a month ago and you had to revert to that version of your website and everything else would be lost, would you be OK with that? You can set up your website to have daily, weekly or monthly backups.
You can store these files anywhere, just off of your WordPress hosting account, of course, and you can upload them to Dropbox or even set up a dedicated email just to store your backups. Whatever works for you, so long as you have a copy. There are so many options, both free and paid, today. There's really no excuse not to do this. You must take the time to do this. This will save you so much time, so much money and so much frustration down the road. Another option that you have is backing up your WordPress website manually, although it's a little bit more involved because you have to back up your site database. It's a good thing to try out, though, and it certainly is never going to hurt you to know. But these are your options for backing up your website. So take a look at what the different options are. You can compare the free options to the paid options. Some of the paid options are going to make it a little bit easier for you and automate the process a little bit more, but read through the different options, and I'll include some of those as well, and make a decision about what's best for you and your website and move forward with it. Don't put this off.

28. Section Intro: Yikes! My Website Has Been Hacked. Now What?: When the unfortunate happens and your website is attacked, it is an awful feeling. The panic sets in, especially if you're not sure what to do to get your website back. My goal here is to help you to be better prepared. So in the event this worst-case scenario does happen, you'll know exactly what to do, what to look for, where to start and how to get help if you do need it. This way, you can be back up and running with minimal downtime and get back to doing business.

29. The Importance of Using This Google Tool for Website Security: The Google Search Console, or Google Webmaster Tools, as you may know it, has a security section that alerts you if anything suspicious or unusual happens, so you have an opportunity to fix it.
So let's look at where to actually look for issues in your Search Console before an issue is detected. You can keep an eye on the content keywords for your site. To do this, you can go to Google Index and click on Content Keywords, and this is going to give you a list of the most common keywords that are on your website. Now, if you see keywords that are completely off, that's something you want to look into right away. And it's a good idea to check this list occasionally for anything that might look out of place. At a quick glance, all of this looks like it is similar to the website, except for this one, which is arts, so I can click through. And this is going to show me how many times that particular keyword is on the website, and then it's also going to show me which URLs actually have that. Now I can go to those actual pages and see where it is. But that's not really a spam keyword. It's not something that I'm really worried about. But if you start seeing any terms that have to do with, like, the pharmaceutical industry or gambling or things like that, for example, that's when you're really going to want to take a closer look. Now, let's say that Google has detected some malicious code on your website. They will notify you immediately in the Search Console. Of course, you want to take care of the issue immediately, before Google has to take further action against your site to protect users. But in the meantime, you should know that they will identify your site as infected in the search results, and you can see here what that actually looks like. When your site appears in the search results, there will be a little line that tells potential visitors that the site may harm their computer or that the site may be attacked. So, of course, that's something you don't want to have sticking around for too long. You're able to look for any security issues in this Security Issues section.
Right now, this particular site doesn't have one, but if it did, it would give you more information about that here. But you'll notice that immediately when you log in, if there's something big like that, they'll let you know right away. We will take a look at what steps you should take in the event your website is ever compromised in just a bit.

30. 7 Signs Your Website Has Been Infected Without You Realizing It: The scary thing is that if your website has already been infected, you may or may not know. There are some signs that you may be able to see. There may be things that happen that others will alert you to, or your website could be infected and you may not see any signs at all. So that's why it's very important to do all of the other things that we talked about in this course, so you will be able to identify when your site has been infected. But if your site has been blacklisted by any of the major search engines, one of the things that can cause that is that your website is infected. It has some sort of spam or malware on it, and the issue is never addressed. If you find that suddenly your website that was ranking well is no longer indexed, this could also be the issue. Now, you may start having your site visitors or even clients of yours come to you and complain that their computer's antivirus software is flagging your website when they go to it, or that when a visitor goes to search results, they see a message that says the site has been hacked or that it may be compromised, because Google is doing that to protect visitors. So that is definitely another clue. And also within search results, sometimes you'll see that the description is not of your site, but of another site, such as a pharmaceutical ad or something like that. Also, if visitors go to your website directly and they are redirected to another website that is not associated with you or that was not meant to be redirected to, that is likely due to some sort of malware.
Now, it could be something else that is not listed here, that I didn't mention here at all. This could be some sort of other unusual activity, pop-ups or something else. So if you notice anything that is different, anything that you did not set up or is just unusual, this could be a sign that your website has been infected.

31. Has Your Website Been Black Listed By Google?: Google actually blacklists around 10,000 websites every single day. Unfortunately, this can happen to website owners who don't take proper care of their website. If you own a home, a car or anything else of value, it's your responsibility to take care of it. And if you don't do it yourself or hire someone to do it for you, you'll pay the consequences. At some point, Google has to protect searchers from harmful websites, and if your website has malware that hasn't been addressed, Google can and will blacklist your website. This means your website will be removed from its index and you'll lose your organic rankings and traffic. So if you think your website has been blacklisted, there are a couple of things you can do. First, you can use the Sucuri SiteCheck, which will tell you if your site has been blacklisted. You can also check Google to see if they believe your website is harmful. To do this, you simply put this URL into your browser, replacing yourdomain.com with your actual domain, and then this will show you what your status is with Google and if Google has seen any malware on your site. Although being blacklisted doesn't sound fun and can seem permanent, that isn't always the case, and you can often fix the problem. So let's look at what you can do if your website has been hacked and even blacklisted.

32. What to Do If Your Site Has Been Hacked: If the unfortunate does happen and your website gets hacked, although you may still panic and get frustrated, knowing what to do and being prepared is your best defense.
Of course, you'll have a backup of your entire website, as we've discussed, so you'll be able to use that if necessary. But let's look at some of the first steps you can take. Every situation could look a little different, depending on what has occurred on your website, but these are some general steps. First, you want to reset all your user passwords while at the same time making sure no new users have been created. That could be part of the problem. If you come across any, you'll, of course, want to remove those. We also talked about security keys earlier in this course. This is when you want to change your security keys. Doing this will automatically kick any users out who are logged in, and since you just changed all the passwords, no one will have access unless you want them to, by giving them the new password. Next, you're going to want to visit this Google URL, and this is where you can determine what Google has found on your site. From here, you're going to be able to better diagnose what is wrong, which files are corrupt, and move forward to address those. Now that you see what's going on on your website, we actually want to take a step back and take a look at your actual computer and do a thorough scan of all content, including images, to see if your computer has been infected. Because if your computer's infected and all you do is concentrate on getting your site back up, you're going to have a reinfection, very likely, on your website. Once your computer's clean, now we're going to head over to the Google Search Console, or Google Webmaster Tools, to take a look at the specific URLs that have been infected on your site. Also, in this Search Console, you can use the Fetch as Google tool to find any malware that users can't see but that Google can. If you have other websites hosted on the same account, make sure you double check them as well to see if they have been infected.
This could be a good time to change the passwords and security keys for all the sites that you host together as well. Moving on. Checking your .htaccess file to see if there were any changes is also a good idea, as this is one of your core files. You can also take a look at your server logs to see when files were hacked or if any suspicious activity jumps out at you. So this can give you a better idea of what has taken place on your site. Hackers can alter these files, so if you don't see anything here, that potentially could be the reason why. So keep that in mind. Now you want to clean up your site content. You want to remove any spam content or bad pages, clean up the code or whatever the problem was. If you believe a theme or a plugin is the issue, you can reinstall those at this point. But if you have the handy backup we talked about, you can also delete your site entirely and upload the last backup you had. Of course, make sure this backup was from before the attack, so you are uploading a clean version. Once you believe you have completely cleaned your website, you go back to Search Console, to the Fetch as Google tool, and make sure the site is completely clean. As you can imagine, this is where having a backup can be a huge time saver. Now that you have a clean website, instead of just waiting for Google to revisit your website, you want to let them know you've taken action and your website is now ready to be shown again to searchers. This will prompt Google to recheck your site much, much faster and remove that awful warning label that they show. To do this, you want to go to the Search Console homepage and select the site that you want. From there, you're going to click on Security Issues, and if you've had security issues before, you'll now be able to select Request a Review. Once Google reviews your site, they see that you have cleaned up any malware.
They will go ahead and remove the warnings that searchers were going to see, and everything will go back to normal within about 24 hours. If, however, your site has a manual action against it, meaning that a human actually discovered the issue and placed the action on your website, you'll have to go to Search Traffic, Manual Actions. And then from there you will go through the same process of Google reviewing your site to make sure that it is malware free. Okay, now you're all done. You should be good to go. But at this point, you want to go ahead and change your passwords one more time. Very serious. You go do it one more time. This makes sure that your site is completely clean and you are starting from a clean slate. Go back to the security measures we've discussed in this course and make sure you have everything in place. Did you install a couple of new plugins, for example, that you're no longer using? Things change over time, so it never hurts to go back and double check what you have in place to make sure that your site is as secure as possible.

33. Where to Get Help If You Need It: If the unfortunate does happen and your website does get attacked, there are different ways that you can get help in handling the issue so that you can get your site back up and running as quickly as possible. We're going to walk through exactly how you can do this yourself, and so you can certainly choose to do that. If you don't feel comfortable or you feel overwhelmed with what's going on, there are a couple of other places that you can go. First, you can start out by checking with your hosting company. If you're using shared hosting, it may have happened to other sites on the same server as well, and they may be able to better direct you. Some hosts will even clean up the mess for you, depending on who your host actually is and what the problem is. So that's something worth looking into.
There are also services like Sucuri that offer malware cleanup and can go in and get the job done for you as quickly as possible. Or if you have someone that you work with, another professional, they can also go in and do this for you. So you certainly can do this yourself, but don't feel that you have to. There are options for getting support when your site has been hacked.

34. Section Intro: Understanding The Tools Available To You: There are so many security plugins and tools available that can help you with many aspects of security. But as you might imagine, they're not all created equal. It's important to evaluate the purpose of each security plugin so you know exactly what you're getting and what you're not getting. You can certainly take security measures into your own hands as we discuss in this course, but there are some plugins and tools that can help you get the job done as well. Whether you use these tools or not, it's still important to understand what's involved and to be able to take matters into your own hands. With that being said, let's have a look at some of the tools and plugins available to you so you can better determine which ones to use.

35. The Different Types of WordPress Security Plugins Available: There are many WordPress security plugins available that you can use. What's important to take into consideration here is not only the quality of the plugin, but also what the plugin's function actually is. For example, there are prevention plugins available that are all about preventing attacks, as you've probably guessed, from happening. These are tools like Cloudflare or Sucuri that we've discussed. There are also security detection tools and plugins whose sole purpose is to detect any malware or other security issues. These are tools like Wordfence, the anti-malware brute-force security plugin or the SiteCheck security scanner.
Then you also have the utility plugins like iThemes Security that help hide certain areas of your website, some of which we discussed in this course, protect certain files and a lot more. Utility plugins can also consist of backup plugins, which we talked about, like iThemes BackupBuddy or UpdraftPlus. There's a lot of different ones. Some of those WordPress security plugins, services or tools that you come across may handle different issues, from prevention to detection or other services, but this is only a very small handful of the security plugins available that I just mentioned. I'll provide a better list for you so you can see which one will work best for you and your site and what you're trying to accomplish. But I want to make sure that you understand: just because it's called a security plugin doesn't mean that it handles everything. So do look closely at what you're actually getting.

36. Is Your WordPress Website Now Better Protected?: WordPress website security requires you to be active and make security a priority. When you stop making it a priority, you will likely be hacked at some point. But the measures we've discussed in this course will deter hackers from messing with your site. Go ahead and download the WordPress website security checklist that I've included in this course. Keep it handy and use it for all of the WordPress websites that you create in the future. Following the tips in this course will help protect your site from the most common vulnerabilities and access points for hackers. I hope you've taken the opportunity to secure your website as you went through this course. I know this is a lot of info, so don't hesitate to go back through if need be. And of course, if you have any questions or you just run into any challenges, don't hesitate to start a new discussion. I'd be happy to help you. Great job making your way through this course. I'll talk to you soon.
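
The step in lesson 32 of checking .htaccess "to see if there were any changes" can be done by comparing the live file with the copy in your last pre-attack backup. The Python sketch below is an added example, not part of the course; the function names, the REVIEW_FIRST list and both sample files are constructed for illustration.

```python
import difflib

# Directives to read first when they show up as additions: they redirect
# visitors or change how files are handled. (Constructed list, not exhaustive.)
REVIEW_FIRST = ("rewriterule", "rewritecond", "redirect", "redirectmatch",
                "errordocument", "addhandler", "sethandler", "php_value")

def _normalize(text):
    """Strip whitespace and drop blank lines so cosmetic edits are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def htaccess_changes(baseline, current):
    """Compare current .htaccess text with the known-good backup copy.

    Returns (added, removed, review_first) as lists of lines.
    """
    added, removed = [], []
    for ln in difflib.ndiff(_normalize(baseline), _normalize(current)):
        if ln.startswith("+ "):
            added.append(ln[2:])
        elif ln.startswith("- "):
            removed.append(ln[2:])
    review_first = [ln for ln in added if ln.split()[0].lower() in REVIEW_FIRST]
    return added, removed, review_first

# Constructed sample: the rewrite block WordPress writes for a root install,
# standing in for the copy taken from the pre-attack backup.
BASELINE_SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: the same file with two lines nobody on the team added.
CURRENT_SAMPLE = ("RewriteEngine On\n"
                  "RewriteRule ^ http://example.invalid/ [R=302,L]\n"
                  + BASELINE_SAMPLE)

if __name__ == "__main__":
    added, removed, review_first = htaccess_changes(BASELINE_SAMPLE, CURRENT_SAMPLE)
    print("added:", added, "removed:", removed, "review first:", review_first, sep="\n")
```

A removed line matters as much as an added one, since a protective rule that has disappeared will only show up in the `removed` list.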