Website Security; Protect it from bots & hackers (WordPress) | Saujan Man Pradhan | Skillshare

Website Security; Protect it from bots & hackers (WordPress)

Saujan Man Pradhan, WordPress Designer and Graphic Designer

Website Security; Protect it from bots & hackers (WordPress)

Saujan Man Pradhan, WordPress Designer and Graphic Designer

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
19 Lessons (1h 15m)
    • 1. Introduction: Protect your WordPress website

    • 2. Background - WordPress

    • 3. 1. Backup Your WordPress

    • 4. 2. Change the Username and Password of your website

    • 5. 3. (i) Restrict access to login page via IP address

    • 6. 3. (ii) Control access to wp-admin via Country

    • 7. 4. Secure your Database

    • 8. 5. (i) Disable XML RPC

    • 9. 5. (ii) Disable PHP Error Reporting

    • 10. 5. (iii) Prevent Image Hotlinking

    • 11. 5 (iv) Disable File Editor

    • 12. 5. (v) Protect wp config file

    • 13. 6. File Permission : Learn how to assign the correct file permission

    • 14. 7. Change the default wp-admin page to ur-site/any-name

    • 15. 8. Hide if your website is build using WordPress or not

    • 16. 9. Basic Precautions: How to setup comments

    • 17. 9. Basic Precautions: Be cautious about Login URL and using Nulled themes and plugins

    • 18. 10. Solve Internal Server Error or critical

    • 19. 11. Restore Your Website from the backup

  • --
  • Beginner level
  • Intermediate level
  • Advanced level
  • All levels
  • Beg/Int level
  • Int/Adv level

Community Generated

The level is determined by a majority opinion of students who have reviewed this class. The teacher's recommendation is shown until at least 5 student responses are collected.





About This Class

More than 30,000 websites are hacked every day, thus it's very crucial for all website owners to protect their sites from being attacked. Most of the hacks are the result of poor security on the site or the absence of basic configurations, thus these videos will provide stepwise guidance to protect your WordPress Websites.

Here's what's included :

The main objective of this lesson is to improve the security of the WordPress site, thus adding an extra layer of security.

  1. Backing up WordPress: This is the safest way to protect your website, in case anything doesn't work as planned (you'll also learn to restore it)

  2. Protect wp-admin / wp-login.php page by restricting access via country or IP or both

  3. Protect wp-config, Disable PHP Error Reporting, Hotlinking, Disable XML - RPC, manually approve comments

  4. Know about File permissions, and make the necessary changes as required

  5. Database security by changing the table Prefix

  6. Customize or rename wp-admin or wp-login.php URL (change it to something like your-website/any-name

  7. Hide your website site detector such as wpthemedetectordotcom. If bots can not find on the CMS your website is based on, it will certainly not easy to crack it

  8. Take some basic precautions to protect your website

Meet Your Teacher

Teacher Profile Image

Saujan Man Pradhan

WordPress Designer and Graphic Designer


Greetings everyone!

I am a WordPress Developer, Graphic Designer and a Social Media Marketing Expert with a Master Degree (MBA) from Nepal and more than 8 years of experiences in Designing & Marketing.

I have been working as a WordPress Developer for more than 5 years now. I have worked for both back-end and front –end development including WordPress themes and plugins. I do themes customization, designs and many more. Being a Graphic Designer helps me to play with color choices and as well better communicate with the clients as sometimes I use the image form to showcase the actual design before it is made.

For Graphics I mostly use Adobe Photoshop to implement my concepts to reality and also use Microsoft PowerPoint to present the ideas through presentat... See full profile

Class Ratings

Expectations Met?
  • Exceeded!
  • Yes
  • Somewhat
  • Not really
Reviews Archive

In October 2018, we updated our review system to improve the way we collect feedback. Below are the reviews written before that update.

Your creative journey starts here.

  • Unlimited access to every class
  • Supportive online creative community
  • Learn offline with Skillshare’s app

Why Join Skillshare?

Take award-winning Skillshare Original Classes

Each class has short lessons, hands-on projects

Your membership supports Skillshare teachers

Learn From Anywhere

Take classes on the go with the Skillshare app. Stream or download to watch on the plane, the subway, or wherever you learn best.



1. Introduction: Protect your WordPress website: Greetings everyone. My name is Saujan Pradhan and I will be your instructor for this course. I have been working with WordPress for more than a decade now. Thus, would like to share my experience and knowledge about protecting WordPress. Anyway, did you know, that more than 30 thousand websites are hacked every day? Thus, it's very important to protect your website. But don't worry, in this course, you will learn how to secure your sites. The primary objective of this course is to improve and enhance the security of your WordPress. What is WordPress? In a few words, WordPress is a free and open-source content management system written in PHP and paired with the database; a platform to develop your website. What will you learn in this course? In this course, you will learn to enhance the security of your WordPress website. You will be introduced to simple codes and plugins that will do a great job in protecting your site. Here's the brief outline of the course. You will learn to backup and restore your WordPress website. Learn how you can change the URL of the default login page and also even hide WordPress. You will know how you can restrict access to the login page via country or IP, or even both. You'll learn about protecting important PHP files and also learn about file permissions. We will secure the database by changing the default table prefix. Know about some basic precautions and many more. If you're wondering what skills or coding knowledge is required for this lesson. Well anyone with the basic knowledge of computer, the internet, WordPress and plugins can use this course to protect their website. No special coding skills are required. We will be using some simple codes, but your job will be mostly copying and pasting them with minor changes, which will be properly explained in the video. So after this tutorial videos, you will learn about some codes and plugins that will add an extra layer of security to your WordPress website, protecting it from bots, hackers, and attackers. And in the end, this lesson will give you more insights about WordPress security. So let's get started. 2. Background - WordPress: How many websites use WordPress? So according to the latest survey, approximately 35% of the websites are powered by WordPress. Let's Google to find out the stats. So as you can see, over 455 million websites use and that WordPress shares 35% of all websites. So is WordPress secure? WordPress is definitely secure as long as the website owners take basic security measures otherwise, any website builders or CMS can be hacked if the security is not properly taken care of. Imagine if WordPress was an insecure platform, it would not capture 35% of the market, nor many popular sites would use them. If you are more keen to find out what website uses WordPress in 2020, simply Google it and you'll be given with many popular site links. So what to worry about? More than 70% of WordPress installations are vulnerable. If I Google this, you can see this, thus, it's very important to take some basic security measures for your WordPress websites. But don't worry, this course will provide lots of information to secure your WordPress website and protect it from getting hacked. See you in the lesson. 3. 1. Backup Your WordPress: One of the most important thing any website owners should do is backing of the website regularly. With the proper backup, you can easily rest or your website in case of any catastrophic situations, such as if the site gets hacked or if you are locked out for any reason. While there are many plug-ins such as updraft or WBD view manager to backup decide. Here we will learn to manually back a WordPress. We will backup all the necessary WordPress files, database and theme settings. The website we are going to backup is, Let's learn slash table. So this is our website, which is basically a demo import from enfolding. Nothing has been modified. Lets back up the website. The site can be backed up with or without cPanel. In this tutorial, however, we will backup using cPanel login to your cPanel, and enter your username and password. So this is my cPanel. Please note, the cPanel might look a little different as per your hosting provider. However, you cPanel looks like find file manager and look at your website files usually under public on the squares d m. So these are all loops at files. We don't need to backup everything. We need WP Content Folder dot CSS file and WP config dot PHP file. Wp Content folder contains all themes, plugins and images and files. While dot S dx's file and WP conflict files are created by us. Risks are usually workers default files here dot FBX file is Eden. So go to settings and Soviet and files. So now here's dot axises files, WP Content folder and the WP config file. Right click on it and compress it to G format clothes, and reload the base. So here's a zip file that's downloaded, right-click and download. This file has been downloaded. Let me close this. You can delete this GIF file to now let's backup the database. For that. Let's again go to the panel and click on PHP, my admin. I am using a Sid hosting. That's why there are lots of database it. However, if you're not using a shared hosting, you'll possibly see one or two if you're unsure which is the right database for your website, again, go to your website files, find WP config file. Right-click on it and view. Here you can find the database name. This is the username and this one is a password. So search for helots underscore name on our database. Let's go to the database and find this name which is over here. Click on it. So let's just reconfirm. The other confirmation is you can also go to WPS options. Here you can see the URL of the website, site URL and home URL. So this is the database we want to backup. Let me close this. We don't need the file manager now, close this. Let's backup the database. Please remember, if I only highlighted this and click export, it will only export WB options. So we need to click on the whole database name. It's it looked like this. And then export. And then go my default save to SQL format. So the database has been downloaded. Let's close this. We can log out off RC panel too. So we have backed up these two files. One more thing is we need to back up the theme settings. Theme settings basically contains all the settings you have done for you website. So while restoring your site with the help of theme settings, you can get all your customized settings back. Most popular themes do have this options of saving it anyway. In order to do that, let's go to the WPS admin. Enter your username and password. I am using n-fold. Click on it. This is the n-fold settings. Please look for the theme settings as per your theme for n-fold, it's down here at import export. And then I can exploit them savings. Again, a reminder that everything will have different places to restore theme settings. Let me explore the settings. It's normally small size. So these are the basic three things to restore our website. If I saw in folder, these are the files. I'll put them on the Dexter. Let me close them. Give it a name and a date. With this files, you can restore your whole website. So here's WP Content folder dot S dx's file and WB config file. And here's the theme settings and the database. So these files can help you restore your whole website to the stage. Thank you very much. 4. 2. Change the Username and Password of your website: So here we are going to change the username and password for our WordPress website. The sounds obvious, but most of the sites are actually hacked cause of weak username and password. Never use a default admin username and choose a strong password as weak passwords can be easily guessed, an attacker can brute force it, use longer-lived password with special characters and numbers. We will quickly change the username and password are far website in this tutorial, let's login to the dashboard of our sample site. Enter the username and password. First. Let's change the password, go to uses. All users. Click on the username. Scroll down, click on Generate Password, and write the new password. Always use longer password with mix of lower and upper cases, special characters and numbers. And of course, remember or copied and update your profile. So we have changed the password, however, to change the username, it's not that easy. We can only change the nickname or display name from the dashboard. Plug-ins which can change names. But I'd like to do it manually, not adding much of the plug-ins for that, we need to access the database. So let's log into the cPanel, enter your username and password. Then go to PHP, my admin located database, and click on it. Please check the earlier video. If you have a shared hosting and are unsure of the database name, the database in four can be found at WBD as country.csv file. Anyway, click on WP underscore uses is the username and email. Click on edit. And here's the username. Simply change it and write something unique. If you had forgotten the password, you can change the password here to write a new password and choose MD5. I'm not changing at the moment, so we'll just leave it. Anyway. So we have changed the username. Here's a nickname and email too, if you want to change and click on go. So as you can see, the username is Kathmandu. So we are automatically logged out. If I try with earlier username and password, it won't recognize. Says unknown username. Let's use a new username and password. And here I am logged in. So if I refresh this, the username he changed. The name displaying is my nickname. If you write blogs or display author name, it is highly recommended to have different login name and display name. Like here, I have the login username as Katmandu and display name S ozone, the display name Susan did not allow me to sign in. Having same display and login name makes it easier for any attacker to find your site's username as it's publicly visible. Like the blogs mentioned something by your name, and thus have a different public name and username, and never use admin as a default username. Thank you very much. 5. 3. (i) Restrict access to login page via IP address: Hello everyone. In this video tutorial, you will learn how you can allow or deny specific IP address to access WPS amine base. This can be very useful for security purposes as you can allow only certain IP address to access the login page, we will use both the methods via dot SDSS and adding a code on functions dot PHP. Open the browser and log into your dashboard, WBD as admin. Enter your username and password. To know better, let me open Oprah and using VPN, two chains, IP, let's find the IP address by going to what is my So this is my IP address. And the first example, we will allow access to WPS Admin Only from this IP address. All of the IPs will not be able to access it. For that, let's go to Appearance and theme editor. I'm using a child team. If you're not using a child theme, then you can as well go to appearance and theme editor and functions dot PHP. In both the cases, we will add the code at the bottom. Anyway, here's the code. Simply copy this and paste it here. Just to make it clear. The IP address here can access the WPS amine base, all of the IP address one be able to. So let's copy this address and paste it here. I'm only using one IP address, so we'll delete this. You can add multiple addresses. If somebody from other IP address tries to access it, it will be directed to this URL update file. The file has been updated. So from this IP address, I will be able to go to the login page. As you can see. Now, if I open Tor browser and find the IP address, what is my So you can see this is my IP address. So if I try to log into the dashboard from here, WPS Abby, I am redirected to the homepage. This means all the IP cannot access their login euro. However, if you're already logged in like this, and if I go to WPS admin, I'm not logged out. Instead we'll go to the dashboard even if this is from the different IP. But if I try from cognitive mode, I am not able to login. So please note, logged in user will not be logged out even by specifying the IP address. Anyway, this is one method. Now let's do it from the dot as the access for that. Let's delete this code and update the file and go to the plugins. I will be using WP File Manager to access dot CSS file. If you don't have it, go to Add New and search for WP File Manager. And simply install and activate. The plugin will come over here. Click on it. Look at dot SESS file. If you do not want to install this plugin, you can access the dot s dx as file via cPanel. Right-click and coded data. Here's the code, copy it and add it at the top. Make sure this is closed. Please note if you make any mistake here, your website may not be accessible. Please check the other video to regain access to the website. So to allow from IP address. This is the IP address. I'm going to waitlist additive. I'm only using one, so I will delete other. You can add as many. Save. This is different IP address. So if I tried to access WBD S amine, the page not found, because the IP address is different. So only this IP address can access the login base. So if I try WPS admin here, as you can see, it walks it. So this is how you can allow certain IP address to access WPS admin bays. Please note the login user will not be logged out despite from different IP. Let's delete this and save. I'm not restricting anything at the moment. Now I should be able to login from here as well. It's working. Let's go to the dashboard. Now we will learn how we can block sudden IP address to access WPS am in Beijing, I will try Bodhi methods using dot as the axis and functions dot PHP. Let's go to Appearance and theme editor. And Francis dot PHP. Scroll down, copy this code, and paste it here. So this is for the blacklisted IP address. For our example. Let's block this IP address. This IP address won't be able to access WPS admin, adding the IP address here and removing other update file. So now if I tried to login WPS amine, I'm redirected to this page. Here's a mistake. Let's try again. But yes, I'm redirected for any other IP address. For example, this one. If I tried to go to WPS amine. So as you can see, I can access. Now let's do with dot St. access method. Let me delete this and update file and go to File Manager to access dot SD access file. Here is the file. Right-click and go to code editor. Copy the code, paste it over here. So here we are writing deny from. So this IP address we are denying copy and simply paste it over here. We can copy this and add to block more IP addresses. For now, we are only doing it with one save changes. So this is the IP we have blocked. Let's go to WPS amine. The base is not found. For other IP address. We can simply login. As you can see. This is a very useful security method to block or allow specific IP addresses to access to WPS amine base. Also please note if you made any era to dot SD Access file or functions dot PHP, you site may not be accessible. You will need to go to cPanel and make the changes or please check the other video to regain access to your workers dashboard. Thank you very much. 6. 3. (ii) Control access to wp-admin via Country: Ip restrictions may not be feasible if you have a dynamic changing IP address. But you can also choose to restrict or allow access to your login page via country. You can block all countries except yours to access WPS amine base using a simple code uses from all countries accessing to WP. Admin can be redirected to any other pages. Please note, uses from all countries can access your website, but not the log in base. In order to do that, let's log into your website dashboard. Here let's learn slash tables last WP DSM ID. So at the moment, the login page is accessible from every country. To make it more clearer, let's find the country. I mean, what's my So this is from Nepal and I can access the login pays. Let's open Tor browser. And let me find what country this will be. The country is Germany. If I tried to access a login based, now, it is accessible from Germany to block access to the login praise from all countries except Naipaul. For that log into your website's Dashboard. We will be adding a very simple code to functions dot PHP, go to appearance and themes editor, and go to finance dot PHP. The location is exactly the same even if you are using a child theme. Scroll down. Here's a code you need to add. This will be provided. Simply copy the code and paste it at the bottom. Now we need to add the country is good. We want to allow axis. So let's find the country code for a nipple. Search for two litres aggravation for Nepal. Simply copy it and paste it here. So now if we try to access the login page from depart, then we can access it or else they will be sent to this link. Let's update it and then try tasting it from Germany. So we were able to login earlier. This is Germany. So let's refresh the space. As you can see, we were redirected to this link. Let me try again. So we are really directed again. You can change the link to anywhere. Maybe you can send it to 404 dot BSB object file. And try it again from Germany. Nothing found. We have been reelected. Even WPS login dot PHP is not accessible. The pace can only be accessed from Nepal. Let's try in cognitive mode so I can access it. Now suppose if you want to allow to countries to access, it's useful if you work as a freelancer or want to hire a freelancer from other countries for your website. For that, simply copy this code and paste it at the bottom. Let's try allowing it to Nepal and Germany. Let's find two litre every aviation for Germany. So it's D. Let's write D and update fire. Now, anyone from Nepal and Germany can access the login pays. So anyone from other countries will be redirected to this URL. Let me write for a, for an update file. It we tried to login from Germany. As you can see, we can easily access the login base just to make sure again, let's open Oprah and go to what's my country. So this source, Netherlands. So from Netherlands, no users would be able to access WPS admin Bayes. Let me copy and paste. I will try WBS amine. So we are redirected. This with this simple code. You can protect access to WP dash admin pays or WP desk login dot PHP pays from attackers. Please note, the code will not affect the access to the website, but we'd only effect on the login bayes. Thank you very much. 7. 4. Secure your Database: Database are like the vital part of your website, does. Its very important to protected spammers and hackers run automatic codes for SQL injections. So when people uses the default prefix WP underscore, it makes it easier for hackers to attack. Thus, we need to change the table prefects of our database and protected. We can manually change the prefix, but it might be a little tricky. Thus, we will use a plug-in to do so. We can let me remove the plugin. However, after changing the table prefix, please do check your website. If there's any issue, you can revert back with the backup database and WBD S config file. To get started, Let's go to our sites dashboard, WPS admin. Enter your username and password. So let's add a plugin to change the table prefects go to plug-ins and add new and search for chains table prefix. So we are going to use this plug-in, Rosemead DB prefix and tools add-ons, install and activate the plugin. Once activated, go to Settings. This plugin shows that the existing prefix is WP underscore, which is the default. Let's change it to new prefects. You can take the default or use anything you want, write anything unique, but please make sure it's lowercase and ending with an underscore. You can also add a number if you want, and then click on table prefix. So everything has been successfully done and table prefix has been changed. Please make sure the website is working good because if you see an issue, you can always restore. The website looks good. So we have changed the prefix. You can see it here two. After changing the prefix, you can actually delete the plugin. Simply deactivated and delete the plugin. Okay? Even after deleting the plug-in, you will have the new table prefix is this screenshot. If in case you faced any issues on a website, then you can restore the database and again, change the table prefects to WP and the score in the WPS config dot PHP file located in new root folder. Thank you very much. 8. 5. (i) Disable XML RPC: So what is XML? Rpc dot PHP and why should we disabled it? Xml RPC allows communication between WordPress and other blogging platforms. It enabled trackbacks and ping backs. But since the wrist EPA was integrated in WordPress, XML RPC file is no longer used for this communication. Is time XML RPC makes a request. It sends the username and password for authentication. If an ethical sense, enough requests to your website, each with a different username and password B, there's a chance they could eventually hit on the right one, giving them access to the website. To know if XML RPC is active on your site and now go to your website. But this is our site and go to slash XML, RPC dot PHP. So as you can see, this is active. If you're not using it at all. There's no point of having this active. So we will block access to this base. For that, let's login to our cPanel. Enter your username and password. So here we are at our Z ban UC panel might look a little different. Anyway, go to file manager and go to your files, usually under public underscore SEM. And so here are all our website files. So we need to add a coding dot txt file since it's hidden, go to Settings. So he didn't files and save. So here's our dot as the access file, right-click and edit edit. So we need to add a simple code here. Is the code. Simply copy this and paste it over here, and then save changes. Now if I refresh this space, it is not found. Let me check the website. All good. As you can see, one thing to be careful is if you make any mistake in not as access file. Suppose if you mistakenly wrote some random texts and save changes, your website will not be accessible and display this dealer. So all you have to do is go back to your cPanel File Manager and access dot SESS file and make the necessary corrections. If I save changes. And if I refresh, this site will work. So this is how you can block XML, RPC dot PHP. Thank you very much. 9. 5. (ii) Disable PHP Error Reporting: So there's a default era reporting function, built-in PSP function, which displays either of your website. So we will be disabling it. To understand more. Let's go to our next up, following the earlier video. This is our site. Anyway, let me close this dot as the access file. And these are all our website files. So to know more about PHP reporting, simply Google, PHP will report in WordPress. So this is what we are talking about. Our username is exposed. As you can see, this can be an unnecessary trade to our server and side. Thus, let's avoid displaying this either. It's very simple to do. You'll have to go to file manager for this website. Of course, you just need to locate WP conflict file rightly and click on edit. Edit. Now we need to add a simple code over here. So here is a code which will be provided, copy this and basicity and Save Changes. Recheck your website. Is looking all good. So we have successfully disabled PHP you're reporting on a website. Thank you very much. 10. 5. (iii) Prevent Image Hotlinking: So here we will learn to prevent emails hot linking. What is emails hot linking? In simpler words, it is hot linking is when someone uses or m is your emails on their website by linking it directly from your site. This definitely have adverse effect on your website as it takes up your hosting resources and might cause a website to be slow. So basically it hits your server for no reason. Additionally, it also means using your media without permission. So we are going to disable that as we are already logged into our cPanel to file manager, these are all our website files. So we simply need to add a code on not as the access file. Open the dot as the access file, right-click and edit and edit. And then copy this code. And then place it over here. Here we need to write our website address. So these are the sites where we want to allow to use our images. You can copy and add much websites as you want. I will delete this for now and click on save changes. Check if your site is working are good. So this is how you can prevent images hot linking. Thank you very much. 11. 5 (iv) Disable File Editor: So to find out more, go to your WordPress Dashboard. Wp does admin enter your username and password. So what basically file editor is, if you go to appearance and theme editor, here I can see all my crucial website files. Here's themes, functions, and all other necessary files. So in case anyone get access to our website, they can add a code and infect our website. Also this plug-in editor. So here one can easily add codes to the plugins and harm your website. So we are going to disable both these options from our dashboard in order to do that, login to your cPanel and go to file manager and open your WP config file, which is here, rightly NAD, NAD. And we need to add it. Very simple code, which is this one. We need to add the score to over where it says, that's all. Stop editing it here, paste it over here, and Save Changes. Now if we refresh, this page is not accessible. So if I go back to the dashboard, this neu editors, so we have done this. However, now there are so much advanced plugin that actually does not require to access editors. We can simply get access to the whole website. For example, let's add a plugin, go to plug-ins and add new and search for file manager. So this is the plugin, install it and activate. If I click on WP file manager. You can see this is all my website files. So it has almost all useful files that otherwise could have only be accessed via cPanel. So even if we tend to dissemble editors, all files and contains are accessible. So it's all up to you if you want a disability or not. Disabling, however, comes handy if you have another amateur user who might accidentally do something on deem files and plugins. And if you do not use these editors, then it's recommended to disable it. Anyway. Hope this lesson was helpful. Thank you very much. 12. 5. (v) Protect wp config file: As you all know, WP config file contains all vital information about your website, including the database details. Thus, we need to protect our WP config file. So to do that, login to your cPanel and then File Manager to access file. And here's our WP dash config file. So to protect WPS config file, we need to add good at DOT SDSS file, right-click and edit the file. Edit. I can close this. So we can add the code here and Save Changes. And double-check the site. It's fine. Slash WP des config dot PHP file is not found neither. We can either make changes to dot SESS file via cPanel or via our dashboard. Log into your WordPress dashboard. And then go to WP file manager we installed earlier. Click on it. So here also we can see the dot St. access file right-click and code editor. The code is here. If you do not want to do it via cPanel, you could have added the code from here to simply copy, paste and save changes. And it can be done. However, if you make any mistakes in dot SDSS file by adding or missing some cause, let me write something. Save this. Now, there will be an internal eater. In such case you won't be able to revert back. You are locked out. In such case, you will need to go to the cPanel, go to file manager and open the dot as the access file. This is the era, we mean simply delete this and save changes. And then our website will work. And also the dashboard will work. Anyway. So instead of login to see panel, every time you can use this plugin, you can make all the necessary changes. Here's the dot S DEX file, WP Content file, which has all the plugins and themes. Themes, functions, dot PHP, etc. However, if you make any mistakes in quotes here, you will have to go back to your cPanel and File Manager and make the necessary changes to solve DC. Thank you very much. 13. 6. File Permission : Learn how to assign the correct file permission: Here we are going to look at the file permissions. There are recommended permissions for your WordPress files. Weapons file permissions determines who can access the files on your WordPress sites. File permissions are essentially a way to organize and manage files and folders. Normally, a good hosting automatically does this for you. But having an understanding of it is always a good idea. To know more login to your cPanel and enter your username and password. Go to file manager and go to your website files. So these are all live website files. So as you can see, these are the permissions for your files and folders. 755644 are the file permissions is normally recommended file permissions, all directories are recommended for a 755 or 750. So we already have 755. These are directories. And so for the files, the recommended are 644, R6, 40, which looks all good. And for WP config file, it's 644, Rs 600. Here it's 666 chains permission rightly, and click on change permission. So the recommended settings for WP config is 644, Rs 600. You can tick around and noise value. So you can keep it as 600 and change permissions. Depending on files you may give, right, permissions or not. If right is undid, new codes can now be written. So anyway, let's go with 644 for this, allow me to read but not right, and click on change permission. So now it has been changed to 644. So this is all the permissions. If you wish to change the directories permission, right-click on it and choose Jan's permission and do the needful. Thank you very much. 14. 7. Change the default wp-admin page to ur-site/any-name: Hello everyone. In this tutorial, we will learn how to hide our default WordPress login pays. This is an important security meso as hackers or attackers will not easily find the logging address. There are many plugins to do so. However, we will be using the plug-in, which has the restore options in case anything goes wrong. Also, I have been using it on many websites. Let's open our side. By login page. We mean WP does and in paste or WP Login dot p as rebase. So we are going to change this. To do that, let's login to our dashboard. Go to plug-ins and add new and search for a WP Haydn security. So this is the plug-in installed the plugin and activate. Now click on WP hide. The plugin also has the approvers, but free version also had lots of features Anyway. So to rewrite this WPS admin, let first click on rewrite. Please copy this link. If there's any issues in your website because of these changes or are locked out because of the plugin, you can restate it with this URL, copy this link, and keep it very safe. Anyway, I'll come to this details in the next video. But before that, let's first hide the admin page. Click on Admin. Replace the name for WPS login dot PHP, give it any new name. I'll just write desk and save it. Now we can login from slash stays as well. However, WP does login dot PHP is still accessible. So let's block access to this space. Click on show before blocking WPS login and clicking on yes, make sure our new URL, that is slash test works. So last demo's last test. So this space works fine. And if I login, it works fine. So now we can block WP does login page Yes, and click on Save. Sometimes you might be locked out, but that's fine. So we have now blocked slash WP Login pays. Now for the admin URL, which is WBD as admin. So this one, let's give it a name. Nepal for now. Save it. I might be logged out. Okay, I am slash WP does admin, we can still login. If you notice, it has changed to Nepal. So since WBD has admin is still accessible, Let's block it to go to WP hide, and go to Admin, and then go to Admin URL. Now let's block WB. Does admin pays show this and yes, and save. So double-check, this has been done. Now if I try from in cognitive mode, if I go to WPS admin base, it is not found. Likewise, if I go to WP, does Logan pays? Its not found too. So to login, we either need to go last Nepal or we can also go to slash test. And then we can easily log in. As you can see, this, we have successfully changed the login URL. Suppose if anything happens and then you cannot log in. And the good thing about this plugin is we can get back with this URL, which we saved earlier to demonstrate, let me log out. Suppose we cannot get access to this space. So what we can do is we can simply paste this URL. So this recovers websites to default. That's about it. Now if I go to WP does admin or WP Login dot PHP, it will work. Let's login to the website. If something is wrong. This recovery link is a lifesaver, so keep it safe. Anyway, click on WP, hide, and go to admin. So this has been automatically removed, as you can see. And if you wish, you can write it again. And the text desk block, WPS admin pays. Go to Admin URL, right? Nepal. Blog the space and save. So now the URL works. So this is how you can change your login URL. And you also have the recovery link. So if in case you are either locked out, alternatively, you can go to cPanel file manager located files, go to WP contained. You will find plugins folder there, find WP and security plug-in, rename it. This will disable the plug-in. You should then be able to login. I hope this was a good lesson for you. Thank you very much. 15. 8. Hide if your website is build using WordPress or not: Greetings everyone. In this tutorial, we will be hiding our press. So basically from this to this. So let's open our website. This is our site lists. Try to detect it on WP theme is the URL and search. So as you can see, it tells me that I am using n-fold theme and gives lots of information about the website. Imagine if you could hide this so that the BOD would not easily identify on which platform the website was built. If a hacker cannot identify where it's built, the chances to get it hack is minimum. So for that, let's log into our dashboard. As you remember, we changed it to slash snippet earlier into your credentials and go to WP hide and click on right. Now as you can see, it's clearly shown the thin part. If I open the website and view bits, wars, and search themes. So this is by default we're perspective. So we can change it. Let me write template to it, or you can use anything. Likewise, there's style.css. Give it any name, let's call it class dot CSS. I will not restrict this as it might break the website, but the fair proper backups of the site, and you can try this. Let's give it a reminder again, like in earlier video, please copy this URL. In fact, do it before changing themes and style.css names. This link will clear all sittings to default in case there's any issue. Let me again copy this and save it. Anyway. Now comes the WPS includes folder, so let's change it and write my files and save it. You can blog the WP into path and make it inaccessible. Meaning your site's less WP include would not work. If you do nothing, then would the names will work. Hence the site one break or else it may break. So I will not change this. Now let's rename WP desk content folder. Let's rename it to contain. Or you can write anything you want and save. Likewise, we can block the party WB content from the option below, but it might break the site as well. So we'll leave it again. You can change the plugin spot. We can run apps and change it. We can also block the plugin URL. But if we do that, some plug-ins may not work properly, but it really depends on how the plugin settings have been made. So let's not block it, but change the potty. Well, you can also change the path URL for each plugins if you wish to, but let's not do it for now. Now again, cheesy or port folder, right? Any name for now, media and save it. You can block the path as well. Or comments. You can write reviews and save it. Likewise, you can block depart. For author. You can write contributor, save it. You can also block the link if you want. For shuts. You can read, find, and save it. Xml RPC, we have actually worked on this via dot access file. So no need to do anything for Qishan risks. Let's not do anything. For root files. You can block licensed or dxdy, block readme dot HTML, and also blocked WPS activate WB crown is how workers handled scheduling time-based tasks in WordPress, several workers score files such as checking for updates and publishing schedule post utilize WP cron, WB crown works by checking on every base load a list of scheduled tags to see what needs to be run. So let's leave this. You can block sign-up east to block new register and block other dot PHP files. Let's just leave it for the moment. And save it. We can just leave this. Now let's go back to WB theme detector and recheck the website if it detects outside or not. Now you can see WP theme detectors is that decide does not seem to be using WordPress. But as you know, we are using WordPress. So thus we have added another layer of security by hiding our WordPress website. So with this plugin, you can hide plugins as accordingly. You can check around the names if you wish to. Anyway, secure website to if everything is working fine or not, everything should work fine though. Everything should work fine. However, a reminder if anything goes wrong whatsoever, then by simply going to this link, we can restore things back to default. Every chances will go away, including for admin longing URL, which reaches earlier. Let me close this and logout from the website. So if we are locked out for any reason, simply place the recovery URL. It will lend me read elected to home base. And now again, if I go to Tim detector and decide, so now it can again detect. Now everything is restored. So we have to go to WP deaths admin to login their base into the username and password. And if I go to WP height, all settings have been removed. And final load, just be careful on blocking any URLs is a lot indications as well, because this sittings might actually break the website. So try it and make the necessary changes. And touchstone WP theme detector or other similar sites. If you liked this plug-in there is approvers is two. But the F31 has worked great for me. This, this can protect your website from Watts and attackers. Hope you enjoyed the lesson. Thank you very much. 16. 9. Basic Precautions: How to setup comments: Comments on websites might look harmless, but sadly, they do play some roles on your website. Many spammers may comments and add links and backlinks to your website. Now why this could be a risk, hackers may add a malicious JavaScript code to your comments. This might give them the right to change password or even add new admin user. Or they can also tricky you to click on their link to sign in. Because of those unwanted manages links, which search engines like Google considers as spam might also negatively affect your website. So what can be done if your site do not require comment? Disable it. If you are using block sites or where comments matter that manually approve them. Let us login to the dashboard. Wp Das amine, and enter your username and password. Go to settings and discussion. So here are many options to choose for your comments. Please take on comments to be manually approved so that you can know if the comments are genuine or fake if you do not take manual option, but this one below, then spammers may write a genuine comment at first, which will then get approved later at malicious links, which then will be auto approved and be thread to your website. Thus, it's better to manually accept comments. You can filter by word as well. Please look at the appropriate options for you. You can disable comment and being back as extra. After making all the changes, click on Save Changes. Hope this video did make you aware about comments. Thank you very much. 17. 9. Basic Precautions: Be cautious about Login URL and using Nulled themes and plugins: Undoubtedly, it's very important to take care of your websites. Taking some basic precautions can actually save your sites from being hacked. Here are a few things you should be cautious. When you login to your WordPress Dashboard, WP Das admin. Please do not forget to check the URL. Make sure that domain is correct. Because sometimes you may be sent a similar looking URL via email or comments as a QRA. The trick is to convince you to enter your username and password. And once you do it, you are at high risk of suicide being hacked. Here's one example of Instagram. Couple of days back, someone misses us, said that they were from Instagram and our verifying our account to give us a blue as this is the website link they send. While opening this Lincoln is smallest screen. There's least chances that people would look at the URL on the phone. It was quite deceiving. Design look good. So it was really confusing. Luckily, we double checked everything, but did not enter our username and password or else our Instagram could have been hacked. Likewise is very important to look at your URL while entering your username and password. Because if the menu URL is wrong and you enter the details, your site may be hacked. Please do not use cracked or null themes and plug-ins. They might be tempting as normally they are free or at the lowest cost, but please avoid them. If you Google Now themes, there are loads of themes and plug-ins you can find. Imagine why would someone give it for free when installing crack themes and plug-ins? In most cases, a malicious link or a backdoor Coser added. Because of this, they can access your website and get full control of it. They can display ad, get your customer information, or even delete your site. Basically, they can do anything displeased, not use these kinds of themes and plug-ins. You should always purchase from trusted sources like theme forests. These are the very legit sites. Obviously are genuine with free plugins and also free themes. And he codes here are legit and you can use them. Workers also takes them so that these plugins are safe to use. And they're all safe and nice teams. So please do not use null themes are plugins as it can make all efforts go waste. Be careful. I hope this video gives you some insights. Thank you very much. 18. 10. Solve Internal Server Error or critical: Hello everyone. In this tutorial, you will learn how you can regain access to your WordPress. If by any mistake, there was an era on a code. To know what I mean, let's go to our dashboard, WPS admin. Enter your username and password. For instance, if you're trying to edit your dot SD access file via WP File Manager. Lets go to WP File Manager and locate dot as the access file. You'd right-click and code editor and paste the code over here. So suppose by mistake, you forgot this line and save changes. If you check the website, you will see an error. If you try to undo it. You won't be able to do it as back-end is not accessible. If I again try to access the website and go to WBD as admin, I will not be able to do so. And this will be the error. As mentioned earlier, I will not be able to make any modification here because the dashboard is not accessible. Anyway, you don't need to worry much. Simply go back to your cPanel, enter your username and password, and login. Go to the File Manager. And then look at a website. So this is my website. So here is a dot SDSS file where I did a mistake. So if this is not visible, simply go to the settings and make sure the soil hidden files is take, suppose if this is not Digg dot SDSS file is hidden, go to Settings, Show Eden files and save. Rightly conduct SESS file edit. So this was an era. Please look at the code and verified and make the necessary corrections. Save changes. So if I reverse it, I'm able to get back to my dashboard. But please be very careful while making any changes to dot SESS file. Now let's look for the other possible cases. If you go to appearance and themes editor and functions dot PHP. Suppose you pasted the code here and there was a mistake if I added some extra bracket or anything. If I tried to save it, normally Francis dot PHP will not allow me to make any changes, unlike dot S dx's. However, by any chance, if it accepted the wrong code, then you can always go to cPanel and you Files go to WP contained, go to Themes. Since we are using a trial team. This is the foxes dot PHP edit. And make the necessary corrections. Let me make an era here, adding random brackets, save changes. B closes. Let's try if I can access the dashboard. As you can see, there has been a critical error as I made some mistakes on functions dot PHP. So simply I need to delete this, save changes. And if I refresh this, I can access the dashboard. If we are unsure what changes have been made in the function dot PHP, we can simply edit this and then delete everything below this, got this unsaved changes, and then add the quotes one by one, unless you find the IRA. For those who are not using the child theme, go to your theme folder in folder. And you will see functions dot BSP over here. So you can simply editor and then make the corrections. If you're unsure whether cuz was there or editing on parenting backup defaults and dot PSU file by downloading and simply delete this function dot PHP. The website will not work after deleting it. Then download your theme will Punnett and look at, for instance, dot PHP are dragging it to the deck star and then upload it. If I refresh the website, it works all fine. So this is how you can correct if there is any mistake in functions dot PHP, make necessary changes and then install it again. So this is how you can regain access to your WordPress website if you make any mistakes on dot as the Access file or functions dot PHP file, but please make sure you have access to the cPanel. Thank you very much. 19. 11. Restore Your Website from the backup: Now in this video, we will learn to restore the website from our earlier backup. This will be helpful if you want to recover your site after a hack or if anything did not go as planned. We will restore it to the point where it was backed up. While there are many plug-ins to restore sites, we will do it manually. So here's a backup of our website, which contains WP Content Folder, theme settings, and the database. With these three files, we can restore our website. For that. We need to login to cPanel. Enter your username and password. So this is our cPanel. And then click on file manager and locate your corpus files. So these are all all workers files. At this time. I am unaware of any issues on the website or if the hacker added any malicious links are whatsoever. So in order to restore the site, let me go to Settings. So he didn't files and save. I will create a folder and write all website. Create New Folder, set it all and put it inside the folder. So now my website obviously will not be working. As again see, it shows the old website folder. After doing this, let's upload first newer bus here to download the latest version, go to In fact, you can directly write slash downloads. So here's the Lidice Wordpress version. Simply click here and let the download begin. So the file has been downloaded. Let me put it on my deck stub. Close this, will close this. I will put it here. Now let's upload whereby said click Upload, Select File and upload the WordPress files. The file has been uploaded. Extract work best, right-click and extract clothes and reload. I can delete the zip file. In fact, you can also delete the old website files, but I'm just keeping it as a backup. Anyway. Open workers folder, select all and move to the extract location. Now here's all the frist WordPress files. Workers folder is empty, so deleted. Now WP Content full days already here, but we don't have WP config or LTE access file. Now if you go to the website or slash WP does admin, new WordPress installation Bayes opens. So now let's upload our backup WP Content folder. Upload select file and select WP Content folder, which has WB config and dot as the access file. So the file has been uploaded. Lets go back. And extra detail. It will merge with the existing WP Content folder. Let's reload the base. The WB config file is a check the WP Content folder. So themes, our theme is here. Plug-ins here too. So we can delete this. The dot SD access file is also here, and so is the WP config file. Now after doing this, we also need to replace the database for that. Go to PHP, my admin from this cPanel. Since this is the shared hosting, there are lots of database here. I need to figure out the right database. So let me open WB conflict file is the database name here. Let's underscore Damo. Let me close this. Here's the one. Click on it. For safety, you can also export the database and save it as this process is not reversible. So have a copy of a database just in case. Anyway. So select all and then click on drop. Again before the final confirmation. Please check the database name, which is over here. So it's confirmed. And click on yes. Now everything is empty. If I go to the website, it is still in this space. Let me close this. And if I click here, my database is empty. Now let's import the database, choose file. And here's our backup database, open. And click on go. So it has been imported successfully if for some reasons it solves any Ir, please repeat the process like on database, check on, and then drop again and conform and do the input again. In our case, everything was imported successfully. Now everything should be alright. Now again, try to open our website. Ok, it seems to work. If I go to my website, the website is looking good. So the final thing is to restore the theme settings. So let's login. The user name and password is the same as you had earlier. That is before the backup. Please restore the savings as per your theme. This one is n fold. As per your theme, the location will be different as everything has different options. Scroll down for n fold, click on import, export, and upload theme settings. Upload files, select files. This is the setting. Click on it and insert. And wait while it works. After it loads save changes. Now have a final look at the website. We have successfully restored our website. So this is how you can restore your website from the backup if there's any issue or is hacked. Please note, you can only restore to the date it was backed up. I hope you can restore your website now from the backup. Thank you very much.