WordPress Security 2020 - Destroy Malware & Defeat Hackers | Alexander Oni | Skillshare

WordPress Security 2020 - Destroy Malware & Defeat Hackers

Alexander Oni, Web Developer & Cyber Security Expert

35 Lessons (2h 40m)
  • 1. Welcome to the Course
  • 2. First things First
  • 3. Connect with Me
  • 4. How to take this course
  • 5. Why Would I get Attacked
  • 6. The Role of Web Hosts
  • 7. Plugin maintenance
  • 8. HTTPS and SSL
  • 9. A Trick to Fool the Bad Guys
  • 10. Changing the Default Login URL
  • 11. 2 Factor Authentication
  • 12. Backups
  • 13. Introduction to FTP
  • 14. Restricting Access via IP Addresses
  • 15. Password Protecting the WP Admin Folder
  • 16. Disabling PHP Execution in Certain Directories
  • 17. Protecting the wp config File
  • 18. Protecting the .htaccess File
  • 19. Blocking Author Scans
  • 20. Banning an IP Address
  • 21. Disabling Hot Linking
  • 22. How to Hide the WordPress Version
  • 23. WordPress Security Keys
  • 24. Changing the Default Table Prefix
  • 25. 7 Signs You have been Hacked
  • 26. The Google Transparency Tool
  • 27. How to Fix a Hacked Site
  • 28. How to Remove Malware Manually
  • 29. Plugins Section Introduction
  • 30. Akismet
  • 31. Expire Passwords Plugin
  • 32. Sucuri Security
  • 33. User Role Editor Plugin
  • 34. Loginizer
  • 35. WP Security Audit Plugin
About This Class

WordPress Security is a critical topic among website owners. With the increasing number of vulnerabilities and attacks that are happening every minute, anyone can be a victim of these breaches—both companies big and small as well as individuals. 

Below are some shocking statistics on why WordPress security is such a big issue:

  • Each week, Google blacklists around 20,000 websites for malware, and around 50,000 for phishing.
  • Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute.
  • 18 million WordPress users were compromised during the worst breach of WordPress security.
  • 73% of the 40,000 most popular websites that use the WordPress software are vulnerable to attack.
  • 52% of reported WordPress security vulnerabilities relate to WordPress plugins.

The objective of this course is to teach you both basic and advanced techniques that you can apply to properly secure and harden your WordPress website against hackers and cyber criminals.

We'll cover steps you can take to better protect your website including:

  • Two-step verification

  • Using security keys

  • Changing WordPress defaults

  • Hiding, password protecting & denying access to core WordPress files and directories

  • How to use HTTPS and SSL certificates

  • Selecting the right host

  • Selecting the right themes and plugins

  • Banning an IP address

  • and many other security measures

Not sure what these are? Not only will you learn about these security measures here, I'll show you exactly how to implement each one.

On top of that, you will also learn:

  • How to use 9 of the best WordPress security plugins

  • And the exact steps to take if your website is hacked

The course is perfect for both beginners and advanced users of WordPress, and it also comes with a 30-day money-back guarantee, so you have got nothing to lose.

Enroll today and learn how to secure your WordPress website.

Meet Your Teacher

Alexander Oni

Web Developer & Cyber Security Expert


My passion is teaching people through online courses in a fun and entertaining manner.  I have been teaching online for about 3 years now and during this period, I have created over 25 different courses on different platforms including my own personal platform - The Web Monkey Academy.

What would you like to learn?

Would you like to learn how to build and manage your WordPress website? Would you like to learn advanced skills that will make you a true WordPress developer? Would you like to learn how you can establish a successful career as a web developer? Would you like to learn the basics of information and cyber security?

If you want to do any of these things, just enroll in the course. I'm always improving my courses so that they stay up to dat...

Transcripts

1. Welcome to the Course: In 2017, Google reported that they blacklist around 20,000 websites for malware and around 50,000 for phishing every week. It's also reported that over 7% of the 40,000 most popular WordPress sites are vulnerable to attack. These are just two shocking examples of why WordPress security is such an important subject in the world we live in today, and why you must enroll in this course. The objective of this course is to teach you both basic and advanced techniques that you can apply to properly secure and harden your WordPress site against hackers and cybercriminals. In this course we'll cover very important security concepts such as the two-step verification process, using security keys, how to change WordPress defaults, and how to password-protect and deny access to core WordPress files and directories. I will also teach you the seven critical signs that your site has been hacked, and how to fix a site that's been hacked by cybercriminals. Plus, as a bonus, you will also learn how to use nine WordPress security plugins. The course is ideal for both beginners and advanced users of WordPress, and it comes with a 30-day money-back guarantee. The security of your WordPress website is not something you should take for granted. So why not enroll in the course today and learn how to properly secure and safeguard your WordPress site? Thank you for watching.

2. First things First: Well, hello. Thank you for enrolling in the course. Before we get started, I wanted to spend a few minutes to introduce you to a few tips on how best to take this course here on Skillshare. Now, I've pulled up one of my courses, which is the Absolute Beginners' Guide to Cybersecurity, just as an example. So don't worry if you're taking a different course; this video is still relevant to you. Now, if you go to the main course page, you should see a few tabs down here. You should see the About tab, which is basically a short description of what the course is about, and Reviews.
If this class has reviews, you'll find them in here. Now, Community is very, very important. This is where you can either start a conversation or ask a question. So please, if there's anything taught in this class that you're not comfortable with, or maybe you didn't quite understand, this is exactly where you can ask a question. So please make use of this feature. You can also share a project. So if you have a project to do, maybe you completed a project or something like that, this is where you would be able to do so. All right, and then finally, under Thank the Teacher, which is under the Community tab, this is where you can leave a review for the course, and I really hope that you will enjoy the course and be motivated enough to leave a review. Just click on Thank the Teacher, and then you'll be prompted to write a review about the course. Please do that if you really like the course. Now, Your Project is also a very, very important tab. This is where I will provide you with an assignment that you may have to do, depending on the course you're taking. Not all courses on Skillshare will have an assignment, but if there is a project that you have to take for this course, this is where you would find the description of that project. Now, to the right, you can see I have attached files. This is very, very important, because in this course you're about to take I will make reference to the resources or the downloads. Whenever I say something like that, I'm referring to the attached files here on the Your Project tab. So please go right now to Your Project and download all the attached files. Those could be PDF files that you'll have to read to improve your knowledge on the topic just discussed, or you could also have zipped files containing images or logos or other files, maybe even video files. You can download them; in all likelihood you'll have to use them in this particular course.
So please take a moment to download all the attached files that you have in Your Project. And finally, under All Projects, if other students have done the project or something like that, this is where you would find such projects. That's, of course, if they chose to share their projects. So that's basically how to make use of the features here on Skillshare. Now, if you'd like to connect with me outside of Skillshare, I'm on LinkedIn. You can search for Alexander Oni and send me a request to connect, but please make sure that you mention that you're a student of mine from Skillshare so that I know who you are. I'm also on Facebook. I have a page for my Web Monkey brand, which is The Web Monkey Online. So if you're taking any of my WordPress or web development courses, I recommend you like this page, because in here I upload tutorials and share lots of useful information about WordPress and web development. So if you're interested, you can like my page on Facebook. I'm also on YouTube; I have a YouTube channel, which is The Web Monkey. I upload tutorials on a weekly basis, or as regularly as I can, on anything regarding website creation, WordPress and web development. You will find such tutorials in there. And finally, I also have an About Me page if you're interested in learning more about me, both as a person and as an instructor. I have an About Me page on my own platform, which is The Web Monkey Academy. Just go to the Web Monkey Academy site, /pages/about, and here you can basically read my life story: about my family, my education, my work experience, how I started teaching online, and so on and so forth. So that's it if you want to learn more about me. So that's basically it. Thank you so much for choosing to enroll in this course, and let's get started.

3. Connect with Me: Thank you so much for enrolling in the course.
But before we continue, I wanted to provide you with four different places where you can connect with me outside of the platform where you're taking this course. The very first one here is going to be LinkedIn. So if you have an account with LinkedIn and you want to connect with me, just search for Alexander Oni, and that's me right there. Just send me a connection request and tell me that you're a student of mine; I would be more than happy to have you in my network. I am also on Facebook. For my WordPress students, just search for The Web Monkey Online. I invite you to like my page. I do post constant updates and tutorials in there, so you can learn more about WordPress. I also have a YouTube channel called The Web Monkey. Again, this is for my WordPress students. So if you're interested in learning more outside of my courses, I invite you to subscribe and hit the bell so that you're notified whenever I upload a new tutorial. And finally, I also have my own blog, The Web Monkey Online. I invite you to subscribe to my newsletter, where I send out tutorials, discounts on my courses and so on. So all you need to do is click on any of the blog posts, and at the bottom of the blog post you will see the box where you can subscribe to my newsletter. So these are the four different places where you can connect with me outside of Udemy or Skillshare, wherever it is you're taking this particular course. So thank you for watching, and now let us continue with the course.

4. How to take this course: All right. Welcome to the course, and let me first of all say thank you so much for registering. It is my sincere hope and belief that by the end of this course, you will have learned all the necessary techniques needed to protect your WordPress website. Now, before we jump into the course proper, I just want to give you the breakdown of how this course is structured and also how best to take the course. First things first: the course is divided into three main sections.
So the very first section will cover the basic security measures. These are the measures you can take within the next 15 to 20 minutes to improve the level of security of your WordPress site. Then, in Section 2, we'll cover the more advanced security measures. This will require you to be able to use at least one type of file transfer protocol software, whether it's FileZilla or Notepad++ or so on; we will cover this when the time comes. And in Section 3, we'll cover the major WordPress security plugins. I'll provide a guide on how to configure all the major WordPress security plugins out there. Now, I also would like to inform you that every now and then some of the videos will have resources. These resources could be in the form of a link to an external website where you can do some more reading. It could be a link to a file that you can download. So whenever any of the lectures or videos have resources available, at the top left-hand corner of your screen you will see text saying "Resources available". You can click on there and you'll get access to the resources. Also, please ask questions. If you have any questions about anything we've covered in a particular lecture or video, be sure to reach out to me. You can either send me a private message or simply use the Q&A forum for the course, and I'll try to answer your questions as soon as possible. So once again, thank you for enrolling. Welcome to the course, and now let's jump right into it.

5. Why Would I get Attacked: Before we jump into the course proper, I would like to talk about a very, very popular question which a lot of people ask whenever you mention security to them in respect of their websites. And that is: "Why would anyone want to attack me? Who would attack me?" The fact that you're taking this course already suggests that you don't share the same kind of attitude as these people, and I'm very, very happy about that.
But I would still like to talk about this particular question: who would want to attack me? Why would anyone want to attack me? Well, the reasons why a lot of people believe that they don't need security on their website are, first of all, that they don't have a popular website. So they believe that because the website isn't getting thousands and thousands of hits a day, no one is going to be interested in attacking them. The second reason is usually, "Well, I don't make much money. You know, on my site I don't sell stuff. I don't make millions like all the big websites, like Amazon or Facebook or whatever. So why would anyone want to attack me?" And, of course, finally, there are other websites; there are more attractive websites out there for people to hack. So why would anyone be interested in hacking my small, very unpopular website? Well, I'm going to give you two major reasons why hackers will still hack your site even if the only person who knows about your site is you yourself. The very first reason is what I like to call target practice. What do I mean? Well, one thing to understand is that lots of hackers, as they begin to hone their craft and learn new methods of attacking websites, more advanced methods of attacking websites, typically look for websites that they can attack and experiment with. Websites like the ones that are not secured would be prime examples of such. They will go into the websites and see how they can attack the website, see the kinds of damage they can do, basically using such sites to hone their craft and improve their skills before they then move on to the more attractive sites. So don't let your site be one of those sample, experimental sites which cybercriminals and hackers use to improve their skills. The second major reason here would be bragging rights. A lot of hackers these days are not exactly the try-hard, hardened cybercriminals that go after multimillion-dollar industries or websites.
A lot of them are kids. A lot of them are just kids who, you know, do very immature, stupid things on the Internet. And then they tell their friends, "Hey, look, you know, I hacked this site. Look, this is my code. Look what it did." A lot of people out there do things like that. So it's bragging rights and it's, you know, just for kicks. They do stuff like that just for kicks. So these are usually the two main reasons why the most unpopular websites still get hacked no matter what. But again, like I mentioned earlier, the fact that you're taking this course means that you already know that it's very important to secure your site, and I'm grateful for that. So let's now jump into the course proper and begin to talk about the different methods of protecting your WordPress website.

6. The Role of Web Hosts: Let's talk about the role of web hosts and why the web host you choose goes a very long way to determine how secure your website is going to be. First things first: we all know web hosts are primarily responsible for making sure that your website is live and accessible on the Internet. However, web hosts should also be able to provide security for their clients. Now, think of web hosts like a safe. Think of them like a bank, right, where you store your money. You don't use a bank that has very lax security systems where anyone could just walk in, steal your money, and that's it. You want to make sure you choose a bank that has really good security, a bank that can insure you or cover you in case your money gets stolen. Same thing with web hosts: you want to choose a web host that goes the extra mile to make sure that their clients' websites are well protected and secured against criminals. Now, my favorite web host company in the world is SiteGround. I absolutely love these guys. I've been using them for the past six years, and I have never regretted using them.
If you are already hosted with SiteGround, by all means skip this video; I'm pretty sure you already know how awesome they are, so you don't need to listen to me talking about how really, really good they are. However, if you're not a client of SiteGround, or if you are currently not happy with your host, please watch on. Now, before I begin to tell you why I recommend SiteGround, let me be clear: I am an affiliate for SiteGround, which means I promote them, and if anyone buys their web hosting through my link, I get a small commission, so I need to be upfront about that. But the reason why I am an affiliate for them is because I use them and I highly, highly recommend them. They are, in my humble opinion, the best web hosting company in the world. They're not the most popular; the most popular would probably be GoDaddy or Bluehost. But being the most popular doesn't mean you're the best. In the case of SiteGround, they are the best, but they're not the most popular hosting company in the world. Let me give you a few reasons why they are actually pretty awesome. In addition to providing excellent speeds for connectivity, they provide free SSL certificates. Now, we will talk about SSL certificates later on in the course and why they're very, very important, but they provide them for free. They also automatically update all outdated WordPress installations on their clients' websites. So if you have a WordPress installation on your site that's outdated, SiteGround will automatically update it for you. They also provide automated monitoring and daily backups. This is absolutely golden. They monitor your websites, and if they notice that there is some sort of malware or virus on one of the websites, you will be alerted. They will let you know that, hey, someone has infected your website, check it out. And they also provide daily backups.
So even if malware infects your site today, you can simply go into cPanel and restore a backup from yesterday or the day before, and you would be fine. So these are some of the reasons why SiteGround is the absolute best hosting company in the world. I'm actually going to provide two links for you in the resources. The first link would be my affiliate link, which means if you decide to purchase web hosting with SiteGround and you use my link, I'd appreciate it; I'll get a very small commission. The second link would be a link to my personal blog, where I have written an extensive article on why SiteGround are the best web hosting company in the world. Feel free to read the article and potentially be convinced by the end of it. So please go ahead and choose wisely. If you don't want to use SiteGround, if you want to use another web hosting company, by all means, feel free to use whoever you want to use. But just make sure that that web hosting company goes the extra mile to provide at least some basic security features to ensure that their clients' websites are safe and secure. So thank you very much for watching the video. I will see you in the next class.

7. Plugin maintenance: The way you manage your plugins is absolutely critical to the overall security of your WordPress website. Now, you may be wondering, what's all the fuss about plugins? Why are they so critical to the security of our websites? Well, according to WPScan, which is a very reputable company that deals with WordPress security, 52% of all WordPress security vulnerabilities come from plugins. That is an astonishing amount of vulnerabilities: more than half of all WordPress vulnerabilities come from plugins. This is why the way you manage your plugins is absolutely, absolutely important to the overall security of your WordPress site. We're going to list three major ways you can better manage your plugins.
The very first one would be to use legit plugins. What am I talking about? What do we mean by legit plugins? Well, there are certain criteria that have to be satisfied before you use a plugin. The very first one is: get plugins from reputable developers; an example would be MyThemeShop. Just don't go around installing plugins from people that have no credibility, people that you're not familiar with. You can install plugins from reputable developers like MyThemeShop or WPMU DEV; there are many of them out there. The second would be: use plugins that have plenty of downloads. Once a plugin has gotten thousands, tens of thousands, hundreds of thousands of downloads, then it is certainly a good plugin. Whenever a plugin has fewer than 1,000 downloads, I'd recommend that you look for a more popular alternative. Third is plugins with good reviews. Reviews are important. Don't use a plugin that has more one-star reviews than five-star reviews; that can sort of give you an idea of what's wrong with the plugin, if it has more one stars than five stars. And finally, use well-maintained plugins, that is, plugins whose last update was no more than a year from the current date. Whenever plugins are no longer maintained, know that they're going to become vulnerable to hackers. The beauty of WordPress is that for every plugin you have out there, there is probably at least one or two other alternatives that you can go for, so you don't have to stick with the same plugin. Look for better alternatives. Now, the second major way of practicing good plugin maintenance is to use plugins as needed, which means install only necessary plugins. Just don't go around installing plugins for the sake of installing them, or install a plugin because you feel that in the future you're going to want to use it. No. Install only
the plugins that you are going to use. And secondly, uninstall all deactivated plugins. I have worked with so many clients in the past; I go to the back end and I see three, four, five deactivated plugins, and I ask them, why are these plugins deactivated? Why not just remove them? And they say, "Oh, well, it's because I might need to use the plugin later." Well, in such an instance, you can always download the plugin again, reinstall it and activate it. Uninstall all deactivated plugins. There's no point in keeping them. And finally, updates. It goes without saying that you must keep all plugins updated. Whenever you have an update available for your plugin, go ahead and update it. Do not wait. And secondly, find alternatives for outdated plugins. Let's say you installed a plugin today. It's well maintained. But then you discover that nine months later, nine months in the future, the plugin still hasn't gotten an update. It might be time for you to start looking for an alternative. Do not stick with the same plugin just because you're comfortable working with it; sooner or later that outdated plugin is going to become a liability to you. The bottom line here is to use as few well-maintained plugins as possible. Plugins are like windows: the more you have, the more vulnerable you become to WordPress hackers and cyber attacks. So use as few of them as possible, and ensure that those you are using are well maintained. When you achieve these two objectives, this main objective, you will keep Bob, whose picture you can see on the left, far away from being able to hack into your WordPress site. Thank you so much; I'll see you in the next class.

8. HTTPS and SSL: Let's talk about HTTPS and SSL. Now, in web terminology, HTTP simply stands for Hypertext Transfer Protocol, and it's the method by which the contents of a website are delivered to your computer system. Now, you have HTTP, but you also have something called HTTPS. HTTPS is the secured version of
HTTP, so it basically stands for Hypertext Transfer Protocol Secure. Now, the difference here is that the information that is sent via HTTPS is encrypted. It is secure. The information sent by HTTP is just in plain text. Now, you can tell whether or not a website is actually using HTTP or HTTPS by simply looking over here at the very top, where you have your URL or address bar. Right now, you can see we have this icon here where we can view the site information. If I click on it, it says, "Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers." So this tells anyone that this particular site is simply using HTTP and not HTTPS. Now, let's take a look at Amazon. With Amazon, you can see we now have the green padlock, and it also says "Secure", and you can see we have HTTPS. If I click on this icon, it says, "Your information (for example, passwords or credit card numbers) is private when it is sent to this site." So you need HTTPS on your site and not HTTP. HTTPS helps to encrypt whatever information is sent through your site. So whenever anyone comes to your site and has to use maybe passwords or credit card numbers or things like that, it will be encrypted. So even if a hacker somehow gains access to that information, they will not be able to read it, because it is encrypted. The question right now is, how do you get HTTPS on your website? You can get HTTPS by simply contacting your web host. Tell them that you'd like to change your protocol from HTTP to HTTPS. Now, here's the thing, though. When you switch to HTTPS the very first time, you are likely to have this problem right here. So you can see right now I do have HTTPS, but it's in red. And I also have the message saying "Not secure". If I click on it, what it says is, "Your connection to this site is not secure."
"You have chosen to disable security warnings for this site," blah, blah, blah. Now, what is the difference between this one right here and this one? Well, this one simply means we're using HTTP. But over here we are trying to use HTTPS. The reason why it's in red and we have this danger sign here is because we haven't added something called SSL. SSL stands for Secure Sockets Layer, and it's actually what encrypts the data on our website. You see, HTTP and HTTPS are simply used to transport the data from our websites to anyone's computer. That's the main function of HTTP and HTTPS; they simply transfer the information. SSL, on the other hand, is actually what encrypts the data. So basically, right now, we do have HTTPS, but we don't have an SSL certificate. So basically, HTTPS is confused: it's trying to transport secured data, but it doesn't find any secure data; it doesn't find any encrypted data. That's why this one is in red. So how would you actually fix this kind of issue? Well, you can go to your host once again and tell them you would like to install something called an SSL certificate. I'm going to give you a quick tour of SiteGround, and I'll show you how I would normally install SSL over on the site. I'm going to come all the way down here, where we have Let's Encrypt. Let's Encrypt is a service which you can use to install SSL certificates for free. So I'm going to click on Let's Encrypt, and I'm going to come down here. I'm going to choose the subdomains or the domains where I don't have an SSL certificate. So I'm going to go with my test domain, and of course I'll just change my email address to my account one, and let's go ahead now and install the SSL certificate. So if you're not very comfortable doing things like this, you can always contact your web host. They should be able to help you install an SSL certificate and also help you change from HTTP to HTTPS.
So I'm just going to give this a few seconds. Right now it's trying to install. It's installed, so it says, "Let's Encrypt certificate installation successful." It's successful. Okay, let's click OK. Now let's go back in here. I'm going to do a hard refresh, and let's see. Oh, it's still saying it. Okay, what I'm going to do right now is just type this all over again. All right, all right. So it was my cookies, or simply my cache, and that's why I was given the message earlier. So right now you can see it's now secure, and that's because I have just installed SSL on my website. So once again, you need to change from HTTP to HTTPS, and then you need to install an SSL certificate on your WordPress website. If you have questions about this, maybe there's something you're not clear about, be sure to reach out to me. Remember that in most cases your web host should be able to do this for you. But it is very, very important that you switch from HTTP to HTTPS. So thank you for watching. I will see you in the next class.

9. A Trick to Fool the Bad Guys: I want to show you one of my favorite tricks for fooling hackers and cybercriminals and all these other punks on the Internet. Take a look at the screen. You can see I have two accounts. I have one with the username admin, and I have another one with the username xman1. Now, if I asked you to tell me which one of these two usernames you would think is the username for the admin account, naturally you would say, "Oh, obviously it's the one with the username admin," but you'd be wrong. You can tell from the role that the one with the username admin has the role of a subscriber, while the one with the rather spammy username xman1 has the role of an administrator. So here's the thing. A lot of people tend to use admin, admin, admin, admin as the username associated with their administrative account. That is very, very bad.
You want to make sure that the admin username, if you're using it, is not associated with the administrative account. There are other people, many of them, who say, you know what, just get rid of the admin username once and for all; don't use the admin name for any reason. That is actually good practice. But I tend to fall in the middle of both camps. I say use the admin username, but make sure it's associated with a subscriber account. Why? Well, here's the thing. You see, all these cybercriminals and hackers and all these guys on the Internet, they have their ways of figuring out what usernames are associated with a particular website. The very first username they always go for is the name admin. Why? Because so many people use admin as the username of their administrative account. So when they try to figure out whether the username admin exists and they get a positive result saying, hey, this username does exist, they assume it must be the username for the administrative account. So they're going to spend so much time trying to figure out what the password is, and if eventually they're able to figure out the password and they log in, guess what? They're only going to get the subscriber account, which is just going to annoy them, because they will have wasted so much time trying to figure out the password for the admin account, not knowing that, hey, this is just a subscriber; it can't even touch the admin area. So that's the reason why I always recommend using the admin username, but making sure you downgrade it to the role of a subscriber.

One other thing to point out here is the username that you're going to associate with your administrative account. Make sure that username is one that cannot be traced to you. A lot of people would use maybe their first name or their last name or something like that for the administrative account. You don't want to do that. You can see right now I have xman1.
This is completely random; it even sounds like spam. It sounds like a spam user, xman1. What does that mean? However, that is the username for my administrative account. So I recommend using a rather bogus, spam-like username for your administrative account. Use the admin username, but make sure the account associated with it is that of a subscriber. So if you have any questions about this, I'm more than happy to answer them. If not, I'll see you in the next class.

10. Changing the Default Login URL:

Now let's talk about a very simple and yet very effective way of protecting your WordPress site. We all know that for every WordPress site, if you want to log in to the back end, all you need to do is go to the URL, type a forward slash at the end and then wp-admin, and you'll be presented with the login page you're looking at right now. One thing you could do is change this default login URL, so that instead of wp-admin you have something like sesame-street or cartoon-network, something random. We can do that by making use of the plugin called WPS Hide Login. It's by WPServeur, and it's a plugin I've used for quite some time now. It's very effective and very, very lightweight. Now, I've already installed and activated it on this other site here, taskapedia.com. If you come down here to Settings and click on General, down here you're going to see the section for the plugin, WPS Hide Login. The default URL that comes with the plugin is forward slash login, as you can see right now. What I'm going to do is change the login URL to, let's say, something like batcave. I'm a huge Batman fan, so batcave it is. All right, I'm going to save my changes, and now I'm going to log out. Now let's go back to the front page of taskapedia.com.
So now if anyone else wanted to log in to the back end, they would come in here and try the default, forward slash wp-admin, and press Enter. But guess what it says? This has been disabled. Hahahaha. So now they'd have to figure out that the login URL is actually forward slash batcave. Unless it's someone who knows you very, very well and thinks, okay, it's likely this guy might use batcave as his login URL, I don't think anyone else would be able to figure out what the new login URL is. So this is a very effective way of protecting your WordPress site: change the default login URL to something else, and you'll have taken a huge step towards protecting your WordPress site. So once again, the plugin is WPS Hide Login by WPServeur. If you have any questions, feel free to ask them. Thanks so much for watching this video, and as always, I'll see you in the next class.

11. 2 Factor Authentication:

Now let's talk about something called multi-factor authentication, or two-factor authentication. Typically, whenever you try logging in to your WordPress back end, you just have to provide your username and your password, and then you're given access to the admin back end. However, it's advisable to add an extra layer of security, so that apart from the username and password, whoever tries to log in to your WordPress back end has to provide some other piece of information as well. That is where multi-factor or two-factor authentication methods come into play. Multi-factor authentication is a method of computer access control where a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism. So basically they'll have to have some sort of knowledge, in this case maybe a username and password.
But then they might also need to be in possession of something, maybe a mobile phone, on which they would receive a code that they'd also have to provide; or maybe even something that they are, and in that case you're looking more towards biometrics, where you might need a fingerprint scan or an eye scan before you can get access to your WordPress back end. Now, what I'm going to do is introduce you to a plugin here called Google Authenticator - Two Factor Authentication. It's a very, very good plugin by miniOrange, and it's a plugin you can use to enforce a two-factor authentication method on your WordPress website. So please go ahead, download and install the plugin; it's by miniOrange, and you can see it's well updated. It's a pretty good plugin. Now, I've already installed and activated the plugin on my WordPress website. Let me come down here and show you. Where was it... right there it is: miniOrange 2 Factor Authentication. So once you've installed and activated it, you'll see the tab miniOrange 2-Factor. Go ahead and click there. All right, now, over here, you first have to register your account with them, so you can add your email. I'm just going to add my own email over here, and my phone number. I'm going to change the country to Thailand, because right now I'm in Thailand. I actually don't need to do this right now, so I'm just going to add some random numbers here. And then, of course, I'm going to add a password, which is very, very important, and I'm going to go ahead and submit that. Okay, so that's the very first thing you have to do: set up your account with them. All right, I'm going to go ahead: yes, I understand. So once you've successfully created your account, you'll see this page. You can then go into Setup Two Factor over here. Let's go ahead and click there. Before I jump over,
you might actually see something like the Licensing Plans page; you might actually be redirected to this particular page over here. It's just telling you about the extra features available with licensed plans. Right now we're going with the free plan, and I don't think you need the licensed plans. It all depends. Feel free to take a look at the extra features they have, things like multi-site support, custom redirection and so on. So if you're into things like this, you may want to give them a try and see if it's useful for you. But for now, we're going to stick with the free plan. So let's go back to Setup Two Factor. Over here you can see we have the various methods of introducing a second authentication factor. The very first one, which we're going to use right now, is email verification: once you've provided your username and password, you'll then have to click on a link in your email. The plugin sends you an email, you click on the link, and that completes the login. So let's try that. I'm going to go ahead right now and click on Email Verification. Okay, let's do that. So email verification is set as your two-factor method. What I'm going to do now is go ahead and log out. Then I'll try to log in again. Let's log in. So you can see that an email has been sent to my address and it's waiting for my approval. Right now I have to go to my email and find the link they've sent. All right, so here I am. You can see I've got the email from miniOrange saying that I initiated a login through the WordPress 2 Factor Authentication plugin, with an Accept Transaction link and a Deny Transaction link. So right now I'll go ahead and click on Accept Transaction, and I get this message.
Now if I go back to my tab, you can see I've been logged in automatically. So we've just successfully enforced a two-factor authentication method on our WordPress website. In addition to the username and password, the user also has to click on a link that's sent to their email address. Another method you can try, and my actual personal favorite, is the knowledge-based security questions, KBA. This is the one I really like. Let's go ahead and click on it and try that one. All right, let's go ahead and configure it. Over here I'm going to choose my first question. Let's see: in what city or town was your first job? I'm just going to go ahead and add Baltimore. Second question: childhood nickname, favorite sport... let's do that one: football. You can also enter your own custom question here. I'm going to say, what is TTTH, and the answer is going to be "talk to the hand". So you can go ahead here and add your own custom question, and provide a very funny answer, something only you would know. And by the way, with these regular questions like "in what city or town was your first job?", "what's your favorite sport?" and so on, you don't have to be honest. In fact, I recommend that you are not honest with these questions. So for my favorite sport I'm going to go ahead and say ice skating, and my first job, it was in Paris. These are obviously not true. The reason I recommend not providing genuine answers is that, look, you can never really trust people. There might be someone close to you, who knows you very, very well, who might actually want to do something naughty to you. So if you've been very honest with the answers to these questions, they'll probably know them. They'll probably know, oh yeah, your favorite sport is football, or basketball, golf or whatever. So do not be honest
with these questions, okay? And for your custom question, make sure it's something only you would know the answer to. All right, I'm going to go ahead now and save all this. So right now you can see that the active method is KBA; it's in green. So let's go ahead now and log out again. I'm going to go ahead and try logging in once more: username and password, okay. In what city or town was your first job? It's Paris. My favorite sport is ice skating. Let's validate that. And okay, so now you can see we've successfully logged in. So KBA, the knowledge-based questions, is definitely my favorite method, because the thing about email verification is that it's still possible for hackers to gain access to your email, so you can never be 100% sure that your email account hasn't been compromised. With the knowledge-based security questions, however, unless the hacker or cybercriminal has a way of reading your mind and getting to know what's in your head, it's almost impossible for them to figure out the answers to your questions. So I would absolutely recommend the security questions, KBA. There are other methods you can also try, such as the soft token. You could also try the Google Authenticator QR code authentication and push notification, as well as the Authy two-factor authentication. However, as you can see right now, these are only available with smartphones. So if you're interested, it's very, very easy: just click on "how to set up". Let's try it with Google Authenticator, how to set up, and over here you'll have the description of how you can set it up. Let's scroll down and stop right here. Let's start with the one over here: how to set up soft token, QR code authentication and push notification. The very first thing you're going to have to do would be
to download the app. So you have to download the miniOrange authenticator app from the Play Store and install it on your phone. And then, of course, the next thing is you have to scan a QR code. You can see right here: you'd have to add your account first of all in the authenticator app, and then you scan the QR code by pointing the phone at it, and you'll be done. Registration is successful, and that's exactly how you'll be able to log in from that point on. So basically, you provide some sort of token or code after scanning with your phone, before you can get access to the WordPress back end. The reason why I don't necessarily recommend this particular method, the ones that involve using a smartphone, is that you could lose your smartphone. You never know what could happen. You could lose your smartphone, or you could be in an area where you don't have good phone connectivity, maybe you have only one bar or something, so it's not the most reliable in my humble opinion. But then again, if you're comfortable using a smartphone, installing apps and stuff like that, you can go ahead and try it. But once again, my preferred option, my most recommended option, is the security questions, the KBA method. So that's it for two-factor authentication. If you have any more questions about it, if you feel maybe you need a deeper explanation, as always, feel free to reach out to me. Thanks for watching; I'll see you in the next class.

12. Backups:

Welcome to the last one of this section. Let's talk about backups and why they are very important. I like to think of backups as insurance, insurance in case something bad happens to your WordPress site. So let's say you have backups of your site, and on Monday the 21st your site gets hacked and you discover evidence of malware.
If you had a backup from the 20th or the 19th, you can always go back in time and restore your website to one of those dates, and of course you wouldn't have the same malware any more. That's why backups are so important. They help you restore your site to a point where things were normal and nothing was broken on your site. This is why backups are extremely important. Any decent web host out there should be able to provide automatic backups of your site for at least 30 days. Now, with SiteGround I do have that. So if I discovered today that my site has been hacked and I have malware, I can simply log in to my cPanel, come all the way down to where I have the backup manager, and I can either create a backup, of course if my site hasn't yet been hacked, or, if my site has been hacked, I can click on Backup Restore, and from here all I have to do is choose the date I want to restore from. You can see right now it goes all the way back to the 15th of December 2017, so I can restore from any one of these dates. I can choose a day, let's say the 10th, Wednesday, and click on it. Then from here I can choose to restore files specifically, or databases, or just restore everything. So this is a tool your web host should be able to provide you for free: you restore your backup, and your site returns to normal. But just in case you're using a web host that doesn't provide free backups, I'm going to teach you how to use two of the best WordPress plugins specifically for creating backups of your WordPress site. You can check them out in Section Four, I believe, where I've listed the best security plugins to use. I'll include maybe one or two plugins specifically used for backing up your WordPress files. So thank you for watching, and let's jump on to the very next section.

13. Introduction to FTP:

Alrighty. Welcome to Section Two.
We're going to cover the more advanced measures you can take to protect your WordPress website. Now, in order to be able to perform most of the steps in this particular section, you'll need to learn about FTP and how to use at least one type of FTP software. What is FTP? FTP, as you can see on the screen, stands for File Transfer Protocol. It's basically what allows one computer to transfer files and data to another computer. It could also be transferring files from a web server to a computer and vice versa. That's basically what FTP is. Now, in order to be able to use FTP, you need to have an FTP account. Contact your web host and let them show you, or they can even create an FTP account for you. That basically means you have a host name, which could be an IP address or a website address; you'd have a username and then a password, which allow you to gain access to the FTP account. I'll talk about this a little bit later, but the two major FTP programs I'd recommend are FileZilla and also Notepad++. These are the two I recommend. The difference between FileZilla and Notepad++ is this: FileZilla allows you to actually upload files to your web server or even download files from the web server. Once you've installed and configured FileZilla and all that, this would be the icon down here, FileZilla. So right now you can see I have connected to my web server. This is the IP address, that's my username, and that's my password, and then I connect. Right now, this is my computer; this is my computer's side on the left, and on the right is where I have all my websites and my subdomains. So if I wanted to upload a file from my documents to, let's say, taskapedia.com, I would simply double-click on taskapedia.com, and then from here I can just double-click on any one of these files, and it will automatically be uploaded to taskapedia.com.
So, for example, I can just click on the phone number text file, and let's see... come on, come on. You can see it has been uploaded to taskapedia.com. That's basically what FileZilla is great at. You can also download files from your web server to your desktop, make changes to the file and then re-upload them to the website. You can do that with FileZilla. Now, Notepad++ is a little bit different. With Notepad++ you cannot download files from your web server or even upload files to your web server. But the reason why Notepad++ can be superior to FileZilla is when it comes to making changes to whatever files you have on the server. So let's, for example, connect to taskapedia.com; I'll give you a very quick demonstration. So let's go to ufoblogger.com, wp-content, let's go to my themes, let's go to child. All right, if I wanted to make a change to, for example, my header.php file, all I have to do is double-click on the file and it opens up right here, as you can see. Now, if I wanted to make a basic change, like just come in here and type in, let's say, "text after text", all I have to do to put it back on this particular web server is click on the Save button right here, and header.php has been saved back to my child theme directory on taskapedia.com. It's very, very simple and straightforward, and that's it. I did not have to download header.php to my desktop, open it, make the change and then upload it back to my web server. With Notepad++, all I have to do is double-click on the file, it appears here, I make the change, save, and it goes straight back to the web server. It's very straightforward. With FileZilla,
on the other hand, if I wanted to do something like that, I would need to go to FileZilla, come over here, go back to wp-content, then go to themes, go to child, and from here I would have to double-click on header.php, which would download it to my documents. Then I would have to go to my documents, open the file, edit it and then come back here to put it back. So it's a bit longer. If you only want to edit files, Notepad++ is the ideal way to go. If, however, you want to upload or download files, FileZilla is the better option. So when it comes to actually configuring and installing and getting everything in place, I do have tutorials on my YouTube channel on how you can configure FileZilla and how you can configure Notepad++ as well, so I'll provide the links to the videos in the resources. Be sure to check them out. If you have any questions about this, please be sure to let me know. It is critical that you learn how to use Notepad++ or FileZilla before you take any of the videos in this particular section. So thank you for watching. Be sure to check out the YouTube videos, and let's jump right into the very next video.

14. Restricting Access via IP Addresses:

All right. So the very first tweak we're going to perform on our .htaccess file is going to involve protecting our admin folder by restricting access only to specific IP addresses. So if anyone tries to gain access to our wp-admin folder and their IP address is not on the whitelist, they'll be denied access. Now, take a look at this. I've connected to my ufoblogger.com website. I'm using Notepad++, and you can see that we do have a .htaccess file, but this is the file that is in the root folder. We don't want to tweak this particular file. Okay? So do not, under any circumstance, tweak this particular one. What you want to do is double-click into your wp-admin folder.
And now in here, if you don't see the .htaccess file, you can go ahead and create one. I don't have one. What I'm going to do is right-click on wp-admin, create a new file, and let's go ahead and name it .htaccess. Not "ht access", but ".htaccess". Okay, all right. And now I'm going to double-click on it. Now, I do have some code that I've already created, and I'm just going to paste that code over here. You can find this code in the resources, so be sure to check that out. But basically what this is doing here is saying, first of all, deny access to the wp-admin folder from all IP addresses. That's basically what this does. However, we then have some whitelisted IP addresses that we're going to accept. I have Alex, that's my name of course, and I'm going to add my IP address over here. If there are any additional IP addresses that you want to allow access to the wp-admin folder, you can also add them just below. Simply change the name of the person so that it's more recognizable, and be sure to add the IP addresses in place of the x's that you see. You could also add additional IP addresses, maybe from your workplace, or from wherever you normally hang out and normally access your WordPress back end from. So this is the code that will deny access to your wp-admin folder from all IP addresses, with the exception of the ones listed here. Now, I haven't added any IP addresses in here, as you can see. What I'm going to do is go ahead and save this file. I'm going to save this, and now let me bring over the actual site, ufoblogger.com. Now what I'm going to do is try to access the admin folder. Press Enter, and now you can see I'm being given this error message saying 403 Forbidden.
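The course's own snippet is in the downloadable resources and is not reproduced in this transcript, so here is an added example of the same allow-list, written for this page and not taken from the course. The IP addresses are placeholders from the documentation ranges and the comment names are assumed; replace them with your own. It also adds one thing the lesson does not mention: an exception for admin-ajax.php, which themes and plugins call from the public front end, so that locking down wp-admin does not break those features for ordinary visitors.

```apache
# wp-admin/.htaccess : allow-list for the WordPress dashboard
# (added example; 203.0.113.10 and 198.51.100.0/24 are placeholder
#  addresses from the documentation ranges and MUST be replaced, or
#  every request to /wp-admin, including your own, returns 403 Forbidden)

<IfModule mod_authz_core.c>
    # Apache 2.4+: grant access if ANY of the listed rules matches
    <RequireAny>
        # Alex, home connection (placeholder)
        Require ip 203.0.113.10
        # whole office network, CIDR notation (placeholder)
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent of the block above
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# admin-ajax.php lives inside wp-admin but is requested by the public
# front end (comment forms, contact forms, infinite scroll, many plugins),
# so it must stay reachable for everyone. A nearer <Files> section
# replaces the directory-level rule for this one file.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

To check it, request /wp-admin/ from a connection that is not on the list (a phone on mobile data, for instance) and expect 403, then from a listed one and expect the login page. If your connection also has an IPv6 address, add that too, since the server will otherwise see you arriving from an address that is not on the list.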
You're not allowed to access this address, and that's because I haven't included my actual IP address in here yet. So this is a cool way to first of all test and ensure that it's actually working. You can just paste this code directly, save it, try logging in to the back end of your site, and if you get that 403 Forbidden error, you can then go back, replace the xxx.xxx and all that stuff with actual, real IP addresses, and then test again; it should work. So thank you so much for watching the video. If you have any questions, as always, feel free to reach out. Thank you so much; I'll see you in the next class.

15. Password Protecting the WP Admin Folder:

In the previous video we talked about tweaking the .htaccess file so that only certain IP addresses are given access to the wp-admin folder. It's an effective way of protecting your site; however, it's not the most effective. If you're somebody who travels a lot, or somebody who works from multiple locations constantly, it's not really the most effective, because you'd have to constantly go into your .htaccess file, add the new IP address, maybe remove the old IP address, and you'd have to do that constantly. So if you're someone who works from multiple locations with different IP addresses, tweaking your .htaccess file so that only certain IP addresses have access is not necessarily the best way to go. A better way in such an instance would be to password protect your wp-admin folder. Now take a look at this site, taskapedia.com. Normally, if I wanted to log in to the back end, all I would do, as you know, is add a forward slash and then wp-admin.
And then I'm presented with this login page. A better way would be to password protect this actual login page that you're looking at, so that before you're presented with the option to add your username and password, you'd actually have to provide another username and password first before you get to this page. Now, there are two ways you can password protect your wp-admin folder: you can do it the manual way, or you can do it from your cPanel. Doing it from the cPanel is my preferred option, because it's safer. Sometimes, whenever you're tweaking things manually from the back end or via FTP, things can go wrong. You can maybe type something wrong, or name the wrong directory, or something bad can just go wrong. However, whenever you do things from your cPanel, it's often a lot easier and it's often a lot safer. Now, I'm using SiteGround. Okay, if you're using SiteGround as well, congratulations; this is going to be very easy for you. If you're using a different web host, never mind. As long as they're a decent web host, they should have the features and tools you can use to password protect certain directories. So if you're using a different web host, contact them and tell them to show you how you can password protect your wp-admin folder for your site. Very, very important. If you're using SiteGround, let me just quickly show you how you'd do this. In the cPanel, I'm going to come all the way down here to where I have Security. I'm going to click on Password Protect Directories. Let's click there. Now from here you'll have to choose the document root. You can see I have so many websites and so many subdomains, but I'm going to go with the very first one, which is taskapedia.com. Click on that and then click on Go. Now from here you can see I have all of these directories, and so many of them.
However, the one I want to password protect is the wp-admin folder. I'm going to click on the actual name itself, and now, from here, I'm going to click on Password protect this directory, and then you can add a name, something that will pop up. In this case, what I'm going to say is "Admins Only", which is kind of like the default, but you can tweak this if you want. I'm going to go ahead and save this. Let's go back. And now here I'm going to create the username and password. I'm going to go ahead and say Bob, and then add my password. Let's confirm that password; you can see it's very strong. So now I'm going to go ahead and add the user. Let's go back. Now let's try and see if this actually works. Actually, first of all, I'm going to go ahead and open up a new browser, because sometimes I get lots of caching issues with Chrome, which I don't need right now. So open up a new browser, let's go ahead and type taskapedia.com, forward slash, wp-admin, press Enter, and now you can see I'm presented with this box that says "Authentication required: Admins Only". So I'm going to go ahead now and type Bob, and I'm going to type in my password for Mr Bob, press Enter. And now I'm presented with the actual login page, where I can add my real username and my password, press Enter, and now I'm given access to the back end of taskapedia.com. So this is a very effective way of protecting your wp-admin folder, and in all honesty I actually prefer this method to the previous one, where we talked about tweaking the .htaccess file so that only certain IP addresses are given access. So thank you so much for watching this video. If you have any questions, as always, feel free to ask them. If you're not using SiteGround,
if you're using a different web host, contact them and tell them you want to be able to password protect your wp-admin folder. If they can't do that for you, if they don't have features for that, you might really want to consider switching your host to maybe SiteGround. So thank you so much for watching. I'll see you in the next class.

16. Disabling PHP Execution in Certain Directories:

All right, so the very next tweak we're going to perform involves preventing the execution of PHP code in certain directories. Now take a look at this. Over here inside my wp-content folder I have the folders for my plugins, my themes and a few other functions and programs as well. But I also have the uploads folder. Now, many times, and I've seen this before, whenever a WordPress site gets hacked, if you open the uploads folder you'll typically find lots of gibberish code in it. That's usually where lots of hackers will paste their code, in PHP files, in order to execute the malware. Now, your uploads folder is meant to contain only uploads. It could be images, audio files, videos and things like that. It's not supposed to have any sort of PHP code, or anything, of course, that could be used to execute some sort of function or program. It's not meant to house that. So what you can do is tell the server to prevent anyone from running any executable code inside your uploads directory, and there's a very simple way to do this. We are going to create a .htaccess file right here. So let's do that: .htaccess, press Enter. All right, so now I have my .htaccess file here. What I'm going to do is paste some code that I have over here. Let's paste that, and you can see right now it's very, very simple. It's basically saying, prevent any execution of PHP files inside of this directory. All right, that's all we need to do. Let's save this and we're done. That's all that's needed. So moving forward,
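As with the previous lesson, the course's snippet is in the resources rather than in this transcript. The following is an added example written for this page, not the course's own file, of a .htaccess that refuses to serve or execute anything PHP-like from the uploads tree; the extension list is an assumption about what the host's PHP handler is mapped to.

```apache
# wp-content/uploads/.htaccess : no PHP from the uploads tree
# (added example, not the course's resource file)

# Match PHP-style extensions case-insensitively. The trailing (\.|$) also
# catches names where the PHP extension is followed by another one
# (something.php.jpg), because Apache's mod_mime can treat an extension
# anywhere in the name as significant, not only the last one.
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Two things worth knowing when you use this. First, it does not stop a file from being written into uploads (by a vulnerable plugin, for instance); it stops the web server from running or serving it, so a file that does appear there is still something to find and remove, and a compromised uploads folder remains a sign that something else on the site let it in. Second, WordPress itself never needs PHP executed from uploads, so legitimate media, themes and plugins are unaffected; if a feature breaks after adding this, that feature was doing something it should not.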
Now no one will be able to put any PHP files that have malicious code inside of the uploads directory. You're safe and secure, and you have just prevented anyone from hacking your site by uploading malware to the uploads directory. Now, other people would recommend also putting the same thing inside of the wp-includes folder. I would not recommend this, because I have tried this before, and it has broken quite a few sites. Sometimes it actually works; in other situations it doesn't work, and I think it has a lot to do with maybe something involving the theme you're using, the plugins you're using, or something else. So I will not recommend doing the same thing inside of the wp-includes folder. Just do it inside of your uploads folder that you have inside of your wp-content folder. So thanks so much for watching. I will see you in the next class.

17. Protecting the wp config File:

Now let's talk about what is probably the most important tweak that you can make to your .htaccess file. And this is going to involve protecting our wp-config file. Now, if you don't know what this file is, it is arguably the single most important file in your entire WordPress directory. And the reason why this is so is because the wp-config.php file controls the communication between your WordPress website and your database. It's basically the linking file that connects your database, with all your information, all your posts, all your content, to your actual WordPress website. So if anyone gets control of this file, they can do some serious damage to your website. And you can see right now, just over here, we have the basic configuration of WordPress. You can see the database name, the database username, the password as well. And going further down here, we have so much more important information. So it goes without saying that you must absolutely do whatever you can to protect this file. And thankfully, there is a very easy way to protect your wp-config file.
Go to your main .htaccess file, and I'm talking about this particular .htaccess file that you have inside of the root folder of your website. You can go in there and then you can paste this code down here. As usual, I will provide the code in the resources. You can go ahead and download it and paste it into your .htaccess file. Basically, it's saying over here: deny any access to anyone trying to view or modify the wp-config file. So I would recommend, though, that you make a copy of your .htaccess file. Download a copy to your desktop or to one of your folders and keep it as a backup, because usually whenever you're working with the main .htaccess file, certain things can go wrong, so it's always advisable that you have some form of backup. So go ahead, make a fresh copy of your .htaccess file, get this code right here, paste it into your .htaccess file and save it, and then go back to your site and make sure that everything is still working. If you can do this, you'll have taken a huge step towards protecting your WordPress website. So thank you so much. I will see you in the next class.

18. Protecting the .htaccess File:

So we were talking so much about making tweaks to the .htaccess file that would make our WordPress website more secure and more protected. But we haven't actually talked about how we can protect our .htaccess file. How can we prevent unauthorized access and modification? Well, we can do so by simply pasting this code down here. All this is saying is: restrict any unauthorized access or any unauthorized modification to this particular file. So you can see it's pretty straightforward. Nothing too complicated about it. Don't bother yourself about the very first line that you have in here. This is basically just saying: prevent any sort of unauthorized configuration or access.
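Both snippets, the wp-config one and the .htaccess one, belong in the root .htaccess. As an added example (not the course's resource file, whose exact wording may differ), here is what the two rules look like in Apache 2.4 syntax, each with a comment line above it so you can tell later which rule does what:

```apache
# Main .htaccess in the WordPress root  (added example, not the course's resource file)
# Keep custom rules OUTSIDE the "# BEGIN WordPress ... # END WordPress" section:
# WordPress rewrites that section whenever permalink settings are saved.

# To protect the wp-config.php file
<Files wp-config.php>
    Require all denied
</Files>

# To protect the .htaccess file (the pattern also covers .htpasswd, which shares
# the ".ht" prefix; some published variants spell this as a case-insensitive
# regex, which is the "first line" you need not worry about)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Verify with a browser or `curl -I https://example.com/wp-config.php` (example.com being your own site): the answer must be 403 Forbidden. On Apache 2.2 hosts replace `Require all denied` with `Order deny,allow` followed by `Deny from all`. Keep in mind these rules only stop HTTP requests for the files; they do not stop another account on a shared server from reading them, which is what the file permissions on wp-config.php (typically 600 or 640) are for.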
Now, one thing you could do to better identify each particular block of code would be to add some text to let you know that, okay, this code below is supposed to do this. And I probably should have mentioned this in the previous video. I apologize for that. So the very first block of code we have over here, this is basically for protecting the wp-config file, so I can say "To protect the wp-config file". All right, and then down here you can create another space. And then I can also say "To protect the .htaccess file". Now, you can also add additional hash (#) lines as well. Let's do the same thing for this one as well. Just follow the same format. OK, let's just add another one, another one in here as well, some space, another one in here as well, and some space. Awesome. All right, so that's all you basically need to do. Be sure to check out the resources for this particular block of code. Let's save that, and we have successfully protected our .htaccess file from any unauthorized access. If you have any questions about this, feel free to ask them. Thanks so much for watching. I'll see you in the next class.

19. Blocking Author Scans:

A very common technique used by hackers to gain unauthorized access to WordPress sites is called the brute force attack. Now, you may have heard of this before. What happens here is basically a hacker would use some sort of software to scan a website specifically for vulnerabilities, and then would try to gain access by exploiting any one of those vulnerabilities. Now, there is a particular form of brute force attack known as the author scan. You see, in an author scan, a hacker would try to figure out a username associated with your WordPress site. Once they can get that username, all they'll need to do is figure out the password that is connected to that username. Now, how they get the username is by simply running a brute force attack.
They use bots, basically, to run multiple usernames and then see which one of them actually exists on your site, and with the kind of software that exists today, they can try thousands and tens of thousands in a matter of minutes. So one thing we can do to prevent such a thing from happening is by tweaking our .htaccess file. You can see the code right here, and of course, as always, check out the resources link; you will find the code right there. It's basically preventing bots or robots from scanning the WordPress site for usernames that exist. So what happens there right now is that whenever WordPress sees that, okay, someone is trying a brute force attack, someone is trying multiple usernames to see if those exist, I am going to block this operation. That's exactly what this code is doing. So this is very effective code for preventing brute force attacks on your WordPress site. Now, I should say that this doesn't guarantee that your site will be completely secure from brute force attacks. There are other ways, again, that hackers can try to figure out your username and your password, but this will go a very long way to discouraging a hacker. It's only if they're really desperate to attack you that they might proceed, even when the author scans have been blocked. So go ahead, paste this into your .htaccess file, save it, and you'll have taken yet another step towards securing and protecting your WordPress website. If you have any questions, feel free to ask them. Thanks so much for watching. I will see you in the next class.

20. Banning an IP Address:

One more quick tweak I wanted to show you involves banning a particular IP address from ever getting access to your WordPress website. Now, you can see the code down here. It's basically saying: ban this IP address. It's saying: allow all connections from all IP addresses with the exception of this particular IP address. And then, of course, we replace the x's with the actual IP address.
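The author-scan block and the IP ban are both small additions to the root .htaccess, so here they are together as one added example in Apache 2.4 syntax; this is not the course's resource file, and the address 203.0.113.45 is a documentation-range placeholder to be replaced with the real offender. The "author scan" works because a request like /?author=1 makes WordPress redirect to that user's archive URL, which contains the login name; answering such requests with 403 removes that shortcut.

```apache
# Main .htaccess in the WordPress root  (added example, not the course's resource file)

# Block author scans: "/?author=N" on the front page reveals the login name of
# user N through the redirect to their archive. Refuse those requests.
# The path is limited to "/" on purpose: the wp-admin post list uses its own
# ?author= filter for logged-in editors, and that must keep working.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{QUERY_STRING} ^author=[0-9]+ [NC]
    RewriteRule ^ - [F,L]
</IfModule>

# Ban one IP address: everyone is allowed except the listed address.
# 203.0.113.45 is a placeholder; put the abusive address here.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.45
</RequireAll>
```

Test the first rule with `curl -I 'https://example.com/?author=1'` (your own site): you should get 403 instead of a 301 to /author/<name>/. One caveat that fits the lesson's own warning that this is not a guarantee: the REST API also lists users with published posts at /wp-json/wp/v2/users, so an author-scan rule alone does not make usernames secret; a plugin that restricts that endpoint to logged-in users, or a strong password plus two-factor authentication as covered earlier, remains the real defence.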
So this is something that you may never ever need to use, hopefully not. But in the future, if you're getting lots of bad requests, or lots of malicious traffic from a particular IP address, now you have the code with which you can ban that IP address from ever getting access to your WordPress site. So again, be sure to check it out in the resources link. Thank you so much for watching this video. I will see you in the next class.

21. Disabling Hot Linking:

In this video, I'm gonna show you how you can prevent something called hotlinking. Hotlinking is extremely annoying. It is irritating, and it can be very, very expensive for you. So what exactly is hotlinking? All right, take a look at this post. You can see the title; I've got my main image right here, and I have two images. Now, usually whenever you or I want to display images on our posts, we typically would upload the image to our media library and then link the image from our library to the post where we want to display it. However, if I click on "Edit post" and I show you the back end for this, you can see right now that the source of the very first image right here, you can see the source is ufoblogger.com/wp-content/uploads, and so you can see that this is contained in my media library, right? However, take a look at the second image. The source is from another website, which is dawnofjusticefilm.com. This, my friend, is what I refer to as hotlinking. What's happening here is, rather than me downloading this particular image, saving it to my media library and then linking from my media library to the post, I am just linking it straight from the website where the image actually exists. And this is the website right here. Let me actually show you the image itself. All right, so this is it right here. So I'm linking
straight from my own ufoblogger.com website to this image that's on a different website, which is dawnofjusticefilm.com. This is hotlinking. It is extremely annoying. It is irritating, because not only am I directly stealing this image, I am actually also using the bandwidth of this particular website, because the fact that this image is now being displayed on my post on my website means I'm actually using that website's bandwidth to show this image. I didn't upload this image to my media library. It's not saved on my server. I am just linking directly to it on the website where it's situated. So not only have I stolen the image, I'm also using the other website's bandwidth as well. Now take a look at the reverse. I tried hotlinking this image right here on this website, and let me show you the results I got. You can see right now that this was an attempt to hotlink this particular image with the soccer players, and you can see that it's not displaying. And if I right-click and try to open the image in a new tab, I get a 403 Forbidden error. And that is because I have disabled hotlinking on my own ufoblogger.com website. So while I could hotlink to other images, people from all over the web cannot hotlink to my images. Now, of course, you should never, ever hotlink. I only did this to show you as an example. Please don't hotlink. It's annoying, it's bad. And to prevent people from hotlinking your images, this is the code you're going to use right here. So be sure to check out the resources link; you will see the code there, but it's very, very straightforward. It's basically saying, okay, let's prevent hotlinking from all websites excluding ufoblogger.com, which is the actual website where we are preventing hotlinking, and then also from Google as well. So be sure to change that.
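As an added example of what that rule looks like (not the course's resource file), here is a referrer check in Apache 2.4 mod_rewrite syntax for the root .htaccess, written for the site name used in the lesson, ufoblogger.com, and allowing Google as the lesson does:

```apache
# Main .htaccess in the WordPress root  (added example, not the course's resource file)
# Refuse image requests whose Referer header names a different site.
# Two deliberate exceptions:
#   - an EMPTY Referer is allowed (direct visits, privacy-minded browsers and
#     some proxies send none); blocking it would break images for real visitors;
#   - ufoblogger.com itself and Google's domains (any country TLD) are allowed.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?ufoblogger\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*google\.[a-z.]+(/|$) [NC]
    RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC,L]
</IfModule>
```

To check it, request one of your own uploads twice with curl: once with `-H 'Referer: https://other.example/'`, which must return 403, and once with no Referer header, which must return 200. Replace ufoblogger.com with your own domain, and keep the block outside the "# BEGIN WordPress" section so permalink changes do not overwrite it. The 403 you receive is the same one the lesson shows for the soccer-player image.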
If applicable, change it to your own website's URL, and then also include google.com as well, because you don't want to prevent Google from showcasing or showing your own images, because that's a way of getting more traffic to your website through Google, right? So that's why I included Google in there as well. So this has been how to prevent other people from hotlinking to your images. If you have any questions about this, of course, ask. I'm always here to answer your questions. Thank you so much for watching, and as always, I will see you in the next class.

22. How to Hide the WordPress Version:

All right. So the next tweak I'm gonna take a look at now is how to hide the WordPress version of a WordPress website. Now I am in Google Chrome right now, and what I want to do is to press Ctrl+U. Once I do that, I now have access to the source code that makes up the website. Right now, if I go ahead and press Ctrl+F and type in the search, type in "meta", I'm gonna come down here, click down, click down. Now over here we have some sort of code. It says meta name equals generator, content equals WordPress 4.9.1. Right now, anyone can do what I've just done, and they would know the WordPress version I'm running on our website. Now, why is this important? Well, if a hacker or a cyber criminal knows the version number of your WordPress website, he or she can then begin to look for exploits, ways of exploiting that particular WordPress version. So one way of protecting your WordPress site is to hide the version of WordPress that you are running. This is more like security through obscurity. The less that is known about your WordPress site by hackers, the better for you, and definitely preventing them from knowing your WordPress version is a giant step towards improving the overall security of your WordPress site. So how can we prevent this from showing?
Well, what I'm gonna do is to come over here to my Notepad++ software, and I am using the child theme. So I'm gonna come over here to "child", double-click inside, and I'm going to open up my functions.php file. It is very, very important that whenever you're making changes to your functions.php file, you make these changes in the child theme of your WordPress website. Do not make such changes to the main theme of your WordPress site. If you don't know much about child themes, be sure to check the link that I provided. You can learn more about child themes, how to create them and why they are very, very important. So I'm gonna double-click on the functions.php file for my child theme. What I'm gonna do is I'm gonna go ahead and I'm going to copy this code right here. I've provided it, don't worry, check the resources. Let's copy this code. And I'm gonna go ahead right now and I'm going to paste that over here, and that is it. I'm gonna go ahead now and save. All right, now, let's go back to our WordPress site over here. I'm gonna go ahead right now and go back to the front page. Okay? Now let me go ahead and press Ctrl+U, Ctrl+F once again. Let's search for "meta". Now let's come down, let's come down, and now you can see that we no longer have that meta line displaying the WordPress version of our website. So we have now successfully hidden the WordPress version of our WordPress site. So let's go back and take a look at this. What exactly is this doing? Well, I know that if you're watching this video, the chances are you might not be a WordPress developer. So I will try to explain this in as simple terms as I can. Basically, the wp_head that you're looking at right here is a particular function that generates things like the WordPress version of the website, and so on and so forth.
So basically, all this line of code is doing right now is simply removing the functionality of this particular function, which is to generate the WordPress version of your WordPress site. And that's all that it is doing. It's very, very simple and, of course, it is very, very effective, so you can go ahead right now and add this line of code to the child theme of your WordPress site. Also, I wanted to remind you that this is dependent on the theme you are using, and some themes provide ways of adding such code within the WordPress back end, so be sure to check with your theme if it offers a special area where you can paste code like this. If you have any questions about this, be sure to reach out to me. Thank you for watching. I will see you in the next class.

23. WordPress Security Keys:

All right, guys, let's continue with our WordPress security enhancements, and the next topic I want to talk about here is the topic of cookies, authentication keys and salts. Now you can see I am logged into the ufoblogger.com website. If I go ahead now and close this window, and I open up another one and I go back to ufoblogger.com, you can see that I am still logged in. So why is it that whenever I close this window and then open it up again, I am still logged in? Well, the reason is because WordPress creates something called a cookie. Cookies are what keep track of whether or not a user is logged in or logged out, and also keep track of the user's password and username. So that's why whenever I close this up and I decide to open ufoblogger.com again, I am still logged in, because the cookie right now has tracked that Old X Men One, which is my username, was actually logged in before he closed the window. So now that he's opened it up again, it just goes ahead and logs him in. So that's cookies working behind the scenes. Now, it is important as a WordPress user to protect these cookies. Now, WordPress by default
protects these cookies by making use of four authentication keys and four salts. Now, if you want to figure out where these are stored, let's go to our wp-config file. All right, I'm gonna go over here to my wp-config.php file. You can open up yours as well, and, come on. So now you want to look for something called "Authentication unique keys and salts". You should find a section just below your database settings. Now, over here right now, you can see the four keys and the four salts. You have the authentication key, the secure authentication key, the logged-in key, the nonce key, and then the equivalents for the salt versions. And, of course, to the right, you can see something called hashes. These are basically encrypted forms of each one of these keys and salts. So by default, WordPress already protects your cookies by hashing the authentication keys and salts. But it is still a good idea for you to change them. Once you have installed WordPress for the first time, you haven't changed your keys or your salts. It's always good to change them at least once. So to do this, all we have to do is to visit this site over here. I will provide a link for you, but basically it's api.wordpress.org/secret-key/1.1/salt/. So right now, you can refresh this page as many times as you want, and every time you refresh, you would get a new set of keys and salts. I'm gonna go ahead right now and copy this. Be sure to check the resources link for the link to this particular page I've provided for you. Let's go ahead now and copy that. Let's go back to Notepad. So what I'm gonna do is very simply copy all of this. I am going to delete that and I'm going to paste that. So now we have a fresh set of keys and salts. I'm gonna go ahead now and save. Okay, let's save that, and it is saved. I'm gonna go back now. Take a look at this. I'm gonna go ahead now and refresh this page. And now you can see that I have been logged out.
The reason is because every time you change your keys and your salts, every user who is logged into your site would have to log in again; automatically, whenever you change your salts, you get logged out. This is also very, very useful whenever you feel that maybe someone may have gained unauthorized access to your site. You can simply go to your wp-config file, change the salts and keys, and they will then need to log in again. So this is basically a very good way to kick out any unauthorized users that might be on your site. Just change the keys and, of course, create a new user and then create a new password, delete the old one, and you should be fine. Now, you don't need to change your keys and salts regularly. In fact, you can just do it once, and you should be fine. But then again, if you feel that someone may have gained unauthorized access to your site, you can simply go to the config file, generate new keys, save them, then create a new account, and you should be good to go. So that is the concept of WordPress authentication salts and keys. If you have any questions about this, of course, feel free to reach out to me. Thanks for watching. I will see you in the next class.

24. Changing the Default Table Prefix:

Okay. Now let's talk about a rather interesting topic when it comes to WordPress security. And this topic involves one of the most popular recommendations, which is to change something called the default WordPress table prefix for your database. Now, if you're not a WordPress developer, if you're not experienced with databases, let me give you a very quick crash course. Whenever you have a WordPress website, you have two major components. You have all the files and data that make up the website, but then you also have the database that stores all these files and your data: your images, your text, your posts, your user accounts, all these are stored in your database. So whenever you install WordPress,
you're also creating a database that houses all the files and data that make up your website. As a result, WordPress databases are highly targeted. They're very attractive targets for WordPress hackers. Now, to give you an idea of what I'm talking about, I'm over here on SiteGround, in my cPanel. I'm gonna come all the way down here to phpMyAdmin. Okay, phpMyAdmin is a tool you can use to modify the databases for your WordPress sites, right? So now keep in mind, we are still on the ufoblogger.com website that we'll be using throughout this course. Over here to the left, you can see all the databases I have. I have all sorts of databases for each one of my websites. The one for ufoblogger.com is over here. This is it. I'm going to click on it. And right now, to the right, you can see these are the tables I have in my ufoblogger database. Each one of these tables represents a particular kind of information. Whenever you install WordPress for the very first time, you're gonna have 11 tables by default. So you have one table that would take care of your posts, you have one table specifically for comments, you have one table for users and so on and so forth. However, right now I do have 137 tables. That is because sometimes whenever you install certain kinds of plugins, they will create their own tables in your WordPress database. So some plugins will do so, while other plugins would not. So don't be surprised if you went to your own database and you discovered that you have a lot of tables; it's because of the plugins that you've installed. Now take a close look at these tables. You'll notice they have one thing in common, and that is the prefix. The prefix here is ufo_. Every single table here starts with ufo_: ufo_, ufo_, ufo_. A quick way to discover what your table prefix is would be to go to your Notepad and open up the wp-config file for your site. Right now, on ufoblogger,
as you can see, I'm gonna come all the way down here, and you can see that this is my table prefix: equals ufo_. The default table prefix for WordPress is wp_. That is the default for WordPress. If yours is wp_, then you are running the default table prefix for your WordPress installation. However, the chances are it's not gonna be like that. And why? Because if you're using a decent web host, for example, let's go over here, and I'm trying to install WordPress for the very first time. If I come all the way over here to where I have my advanced options, you can see that by default SiteGround is giving me this table prefix of wph7_, so they've added h7 to the default prefix, which would have been wp_. So this already helps in protecting my database against WordPress hackers. So the good news here is that if you need to install WordPress again on a website, the recommendation there would be to change the default table prefix you're given. If it's wp_, change it to something else. It could be bg123_, whatever. It could be wp123910_, something like that. Make sure your table prefix is not wp_. That is a bad idea. However, okay, that's how you can change the table prefix before you install WordPress. But what if you already have a WordPress website? It's fully functional, and you've discovered that, oh, my table prefix is actually wp_. How do I change that table prefix? My answer to you is: you don't. Do not change the table prefix. Just leave it like that. Now, I know this sounds counterintuitive, like, hey, wait a minute, I thought you said changing the prefix helps. Yes, it helps to a certain extent, but it's not a foolproof way of protecting your WordPress database.
Because the truth is, if a hacker has already gained access to your WordPress database, changing the default table prefix is not really going to deter them that much. They will eventually discover a way to get the prefix that you've chosen. Think of it this way. Imagine a burglar who wants to get access to your house. Now, as a means of deterring the burglar, you decide to turn off all the lights in your house. OK, but here's the thing. If a burglar does gain access to your house, are the lights being off really going to deter the burglar? I don't think so, because the chances are the burglar brought a flashlight, or he might even be able to find a switch in your house to turn on the lights. So changing the default table prefix of an existing WordPress installation is not really a good idea, because during the process of changing it, you can actually break your site, because of the little things that you have to do. There are three steps, and the second step is usually very, very difficult, where you have to manually change the prefixes of the individual tables in your WordPress database. And like I showed you earlier, sometimes your WordPress database may have so many tables, and in this case, I have 137 tables. So if I wanted to change the prefix right here from ufo_ to something else, I would have to change it 137 times, which can be very time consuming, and of course I can end up breaking a lot of things. So at the end, the bottom line here is this: if you're installing WordPress for the very first time on a new website, by all means change the default table prefix you're given during the installation process. If you already have a WordPress website that is fully functional and does have the default wp_ prefix, just leave it as it is. Take all the other steps I have shown you: change the default login URL, implement all the code for hardening the wp-config
file and your .htaccess file. You will be fine. I think I can almost guarantee that you will be fine. Changing the table prefix helps, but it's not that great of a deterrent. Again, if a hacker has already gained access to your database, changing the prefix is not really going to do that much to deter them. So I know this sounds kind of controversial, and many, many developers would argue against this, but this is my own experience, and I just don't think it's worth you spending all that time changing your table prefixes, and then again the risk of breaking something whenever you are trying to change it. However, if you still want to go ahead and change your default table prefix, there is an interesting article right here from WPBeginner.com. You can check it out. It is "How to Change the WordPress Database Prefix to Improve Security". It's pretty extensive, but my personal recommendation would be: before you do anything, make sure you have a backup of your WordPress site, and make sure it's a full backup, a full backup of your files and a backup of your database. So good luck with that. If you have any questions about this, please feel free to reach out to me. I'm always here to answer questions. Thank you for watching. I will see you in the next class.

25. 7 Signs You have been Hacked:

All righty. So far, so good. We've talked about all the different kinds of steps you can take to secure and protect your WordPress site against hackers and malware. But what if your site has in fact already been hacked? How would you know? How would you possibly know that some hacker in Pakistan or Iceland already has access to your username and password? How can you know? So in this video, I'm gonna give you seven signs that your site may in fact have already been hacked. And the very first sign would be a very obvious one. You begin to see pop-up ads on your site. Whenever you go to your site, you start seeing pop-up ads
appearing, some sort of ad advertising Viagra or something like that. You know, that's one of the very obvious signs that, hey, my site has been hacked. Why do I have all these pop-up ads showing up on my website? That's one of the very first signs, and it's a very obvious sign. The second one would be that you might get an email from Google. Now, I did get this email about two years ago, and I spent so much time searching my inbox trying to find that email so I could give you a live example of what it looks like, but I couldn't find it. But basically it will be an email from Google's support team telling you that your site has been blacklisted because they found malware on your site. So that's usually the second sign that, okay, your site has been infected with malware, and you need to take the necessary actions. The third sign would be getting an email or message directly from your web host, and I do have an actual example of that. Take a look at this. This was way back on January 2nd, 2015, and I'm guessing this is also about the time I got the same kind of message from Google as well. But this was from SiteGround. They said: "Dear Alexander, this is a scan report generated by our malware monitoring and detection service for your website. This scan has detected scripts that may be hosting malware." So when you get a message like this from your web host, that's a very good sign that in fact your site may have already been infected by malware. So you might get a message from Google, you might get a message from your web host. The fourth sign here would be you having some very suspicious accounts. If you go to all the users and, uh, open up. Open up, open up. Come on. Come on. My web server is a little slow today for some reason. Okay, now, over here, you can see I have all sorts of different kinds of accounts over here: "A Adams", I have "H. Y. S", and I have all these suspicious accounts with all these kinds of email addresses.
Now, there's a reason why I actually have all of these. These are not malware, and these are not suspicious accounts; I actually created these accounts just to give an example of how it would look. So, if you ever come down to your users and you start finding people's names and email addresses that you've never used before, that is a definite sign that in fact your site has been corrupted. It's a very, very, very clear sign. Another sign would be the fact that you can't log into your WordPress back end. You're sure you're using the right username, you're using the right password, and for some reason you can't log in. It could be that someone has already hijacked your account and changed the password. That is another surefire sign that your site has been co-opted. Another sign would be your site being very slow, unusually slow for long periods of time. Sometimes your host might be having some issues, so that's understandable. But if you notice that in fact your site is running very slowly, you could send an email to your web host saying, hey, why is my site running very, very slowly? What's happening? If they tell you that, oh, our systems are fine, we're not having any issues here, then obviously your site has been co-opted; your site has been infected with malware. That's one of the key things malware does to your website: it slows down access to your site. So that's another sign that your site may have been hacked. And the final sign, which is not easy to detect, would be unusual activity. This is my cPanel account. Now, over here, we have stats. These are the stats for my main hosting account with siteground.com. So you can see we have different kinds of stats. We have the disk space usage. I'm using only three gig out of 20,180 MB.
So if, for some reason, I wake up tomorrow and I discover that this now says 4.6 gigabytes, despite the fact that I've not added any new files to my website, then obviously something is going on. The same thing applies to the inode usage as well. If this stat moves towards red and I have not been doing anything on my site, then I know that something is happening. You have other things as well, like your email accounts, the number of subdomains, addon domains, FTP accounts, SQL databases. These are a few things just to be aware of, so that whenever you go to your cPanel and you see, all of a sudden, unusual numbers in here, you can tell that something is going on. So once in a while, it's good to go to your cPanel and just take a look at what you have under your stats. If you notice any significant change in numbers, then obviously something might be going on. So those are the seven signs that your site may have been infected. Thank you for watching the video. If you have any questions about this, be sure to reach out to me. Thank you for watching, and I will see you in the next class.

26. The Google Transparency Tool:

I want to very quickly show you how to make use of a fantastic free tool from Google, and that is the Transparency Report tool, which you can use to check whether or not your site has been flagged by Google as unsafe to visit. You can also use the tool to determine whether or not another site has been flagged by Google as unsafe to visit. I will provide the link, of course, in the resources; it's basically transparencyreport.google.com/safe-browsing/search. So in here, right now, you can type in the URL of the site you want to check. Now, if I come over here right now and I type in my new site and press enter, it's going to tell you: current status, no available data. And that's because this is a very new site I just installed a few weeks ago.
I just created it a few weeks ago, so Google hasn't gotten any sort of conclusive data yet from my site. But if I come right here and I grab one of my other sites, my actual blog itself (that's me, by the way), and I check the status of my blog, let's press enter. Right now, no unsafe content has been found on my site. So that's pretty good. So you could always use this tool just to see whether or not your site may have been flagged by Google, and then again, if there is a site that you're trying to visit, but you are a bit suspicious about what that site may be all about, you could use this tool to determine whether or not Google would give you the go-ahead to visit such a site. They do have other very interesting stats and reports that you can read. You can click on the malware tab over here, and you can read about how they scan sites; it gives you some very interesting statistics over here as well. It's a pretty awesome tool just for making sure that you're not having problems on your site, that your site has not been flagged, and making sure that some other site you want to visit has not been flagged either. So it's a pretty cool tool that you can try using from time to time. Thank you for watching. I will see you in the next class.

27. How to Fix a Hacked Site:

Okay, so you've just discovered that your site has in fact been hacked. It's been confirmed. What do you now do? I forgot to mention in the previous video another example of how you can tell that your site has in fact been hacked. If you're trying to visit your site and you start seeing these sorts of messages saying the site ahead contains malware, or the site ahead is a phishing site, these are signs that your site has been flagged by Google, so just take note of that. But anyway, yes, your site has been hacked. What do you do? One thing to keep in mind is that whenever you've been hacked, there are two things you have to do.
One would be to clean out the malware and kick out whatever hacker has gained access to your site. The second step you now have to take is to ensure that that hacker does not have any further access to your site. So it's not about you just cleaning out the malware and leaving it at that. No, you have to clean the malware out and make sure that whoever put the malware into your website cannot do so again. So it's a two-step process. Now, the steps you have to take are all determined by how infected you are. What is the threat assessment? But the very first step to take would be to contact your web host. Contact them and tell them that, look, you feel that your site has been hacked, you're seeing all these sorts of messages and unusual activity; can they do a scan for you? Now, here's an example. Over here, I messaged SiteGround back on the 4th of March 2016, and I said: I get a warning that my domain might be infected. I've restored an old backup. I'm not sure why I'm still having this warning. So some people like to restore backups first: they go to the backup manager and restore a backup from some time ago. That's not always the best option to take. One thing you want to do first of all would be to scan. First of all, verify that you, in fact, do have malware on your site. Sometimes it's not just about having malware. You may not have any malware on your site. It could be that some hacker has simply gained access to your account and has changed your password. That's all it might be. But in most cases, you're usually going to have malware on your site. So you want to contact your host, tell them that, look, you feel your site has been hacked; can they do a scan for you to check for all the malicious files that may have been inserted into your web directory? So Simona from SiteGround support was kind enough to scan my site, and you can see all the malicious files that were added to my website. It says right now that the number of infected files here was 38.
So this is not really that bad. You can actually clean out all of this within the hour. It could take an hour, an hour and a half, and you'd have cleaned out all these files. So in such a scenario, where you've gotten this kind of report and you discover that you have 24 or even 55 infected files, you can decide to manually use FileZilla or even Notepad++ to go into your web directory and begin to trace where all these files are and begin to delete them one by one. That's one of the ways to go. If it's a lot of files that you have to clean out and you don't have time, you can make use of Sucuri. These are the guys I would highly recommend for cleaning out your site. They also do have a free scan checker to scan your site and check if you have any malware, so you can type in your URL over here, scan your website, and it will give you all the files that may have been corrupted, so you could hire them to clean out your site for you. Note that most web hosts, like SiteGround, all they would do would be to scan for you. They can identify the files that have been corrupted, but they will not clean out the files for you. You will either have to do it manually or hire professionals. Professionals in this case would be Sucuri, as I've mentioned, so you can hire Sucuri to help you do this for you. I think they charge for a one-time cleanup; I think it's about $99 or something like that. Again, you'll have to confirm, but these are the guys I would highly recommend that you go with, should you not want to manually clean out the files yourself. So that'll be the very first step: clean up all of the malware that you have on your site. Now, you could decide to go with a backup. That's another option. If you don't want to clean out your site yourself, and you don't want to use Sucuri, you don't want to pay for it, you could use your backups. You could restore a backup from a few days back.
However, if you are going to restore a backup, then as soon as the backup has been restored, make sure you scan your site again, because you don't really know how far back your site was hacked. You really don't know. So if you're going to restore a backup, make sure you do a scan after the backup has been restored. If you don't have any malware reports, good. If you do have malware reports, you can go back even further in time, maybe like a few extra days backwards, and check again to see if you have any malware on your website. So that's another thing you could do. Now, once you get to the point where you've successfully cleaned out all the malware, you want to make sure that the hacker, the malware, will not be able to get access again. So you have to do things like changing your passwords. That is something you absolutely have to do. You have to change your account, your username, change your password; make sure the password is very strong. You can also change the keys, the authentication keys and hashing salts. You can change them and ensure that whoever might be logged into your site has been kicked out. So those are two things I would highly recommend you do: change your passwords, change your salts; very, very important. Obviously, of course, if there are any other security measures that I've mentioned in the past which you haven't yet implemented, obviously you want to go ahead and implement them. That's one thing you absolutely must do now. And in the very critical scenario where you've discovered you have malware on your site and you can't even log into the backend of your WordPress website, you can't get access to your FTP accounts, your best bet would simply be to contact your web host. At the end of the day, your web host are the go-to people. That's why you need a web host that has really good customer service and really good support that can help you in times of need. Contact your web host, tell them that, look, this is critical.
I can't get access to my WordPress backend. I can't get access to my FTP accounts. I don't know what's happening. Please help me. They will be the ones to direct you to the best course of action. I hope, I sincerely hope, you never face that kind of situation, because it can be really, really bad. In the next lecture, I'm going to provide you with a security checklist, a checklist of things to do if, in fact, you've been hacked, and the responses would be based on the threat assessment: how bad the threat is. You can take a look at the checklist, and you can use it as a guide should you, unfortunately, get hacked in the future. So thank you very much for watching, and as always, I will see you in the next class.

28. How to Remove Malware Manually:

A question I got recently from a student is how he can manually remove malware from his website, and I thought this was a pretty interesting question. So let's say you found out that your site has been hacked. You've been able to identify the files that have been corrupted. How do you actually remove them from the website? So what I've done here is I have extracted a tutorial, where I actually show you how to do this, from another course. I'm going to attach the material to this particular video; I'll show you the tutorial in a few seconds. However, there are a few things to note here. I used FileZilla in this particular tutorial, so you can either use FileZilla or simply stick with Notepad++, which we've been using throughout this course. Either one of these two pieces of software will allow you to trace the files and manually remove them. All right, so sit back, relax, enjoy the tutorial, and as always, if you have any questions, please let me know; I am more than happy to update this course in any way that benefits you as a student. So sit back, relax, and I will see you in the next class. All right, so we've connected to our FTP account. Now let's assume that I wanted to remove this first file here.
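The post-hack step in lecture 27 says to change the authentication keys and hashing salts so that anyone still logged in is kicked out. As an added example (my own code, not part of the course), here is a Python script that rewrites the eight `define(...)` lines in a wp-config.php and adds any that are missing. The sample config, the database values and the old salt values in it are constructed for this example.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example, not course material: replacing the eight AUTH/SECURE_AUTH/
LOGGED_IN/NONCE keys and salts invalidates every existing login cookie,
which is the "kick everyone out" step after a cleanup.
"""
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that are safe inside a single-quoted PHP string
# (no quote, backslash, dollar sign or backtick).
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{};:,.<>?/~|"

# Matches lines such as  define( 'AUTH_KEY', 'put your unique phrase here' );
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);"
)


def new_salt(length=64):
    """Return a salt drawn from the OS CSPRNG (the secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def read_salts(config_text):
    """Return {name: value} for every salt define present in the config."""
    return {
        m.group("name"): m.group("value")
        for m in DEFINE_RE.finditer(config_text)
        if m.group("name") in SALT_NAMES
    }


def rotate_salts(config_text):
    """Replace every salt define with a fresh value and add any that are missing.

    Returns the rewritten config text. Other defines (DB_NAME, DB_PASSWORD,
    ...) are left exactly as they were.
    """
    seen = set()

    def replace(match):
        name = match.group("name")
        if name not in SALT_NAMES:
            return match.group(0)
        seen.add(name)
        return "define('%s', '%s');" % (name, new_salt())

    rewritten = DEFINE_RE.sub(replace, config_text)

    # WordPress falls back to a secret stored in the wp_options table for any
    # constant that is absent, and this script would not rotate that one, so
    # add the missing constants to the file where they can be rotated.
    missing = [name for name in SALT_NAMES if name not in seen]
    if missing:
        extra = "".join("define('%s', '%s');\n" % (n, new_salt()) for n in missing)
        idx = rewritten.find("$table_prefix")   # keep them above the prefix line
        if idx == -1:
            rewritten = rewritten.rstrip("\n") + "\n" + extra
        else:
            rewritten = rewritten[:idx] + extra + rewritten[idx:]
    return rewritten


# Constructed sample wp-config.php: one key still on the shipped placeholder,
# NONCE_SALT missing entirely, dummy database settings.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'Abc123!@#oldvalue' );
define( 'LOGGED_IN_KEY',    'oldvalue' );
define( 'NONCE_KEY',        'oldvalue' );
define( 'AUTH_SALT',        'oldvalue' );
define( 'SECURE_AUTH_SALT', 'oldvalue' );
define( 'LOGGED_IN_SALT',   'oldvalue' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

Run it against a copy of the real file, diff the result, and only then move it into place; rotating the salts logs out every user, including you, so do it after the cleanup and the password changes, not before.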
You can see this is one of the corrupted files, and you can see its path: after public_html, it says themoviecharacters.com, slash wp-includes, slash customize. So this is basically the path towards the file that is corrupt. So let's bring in FileZilla, and from here I'm going to go to themoviecharacters.com and double-click inside the folder, okay? And then after that, it says wp-includes, so let's go to wp-includes. And then I'm going to come down to customize, and then from customize, let's see, what does it say? It says class. All right, so after customize, this would be the file that's corrupt. You can see it says class-wp-customize-themes-section.php. So in such a scenario, where this file actually was in here, all I would do is just come in here and trace where that file is. So let's say, for example, this was the file right here. I'll just click on it, right-click, and then simply delete the file. That's all I would need to do. That's how to manually remove files, corrupted files, from the website. Now, I actually went ahead to create some malware, well, not real malware per se, but just as a demonstration, because I wanted to show you exactly how you'd delete it in a real scenario. So what I'm going to do here is go to my website called The Thinker and double-click to open this. In here right now, you can see I added this file with a random-looking name, jdfks..., ending in .php. So what I'm going to do here is just right-click and delete it. It says, "Really delete the file from the server?" Yes, I'm going to go ahead and delete that file. And I believe I created another one in here. Two more, actually. You can see I have this yrae84... blah, blah, blah file. I'm going to go ahead and delete this file as well. Let's delete that one. And then the second one is actually inside here, in the wp-content folder. Open that one. It's in the plugins folder as well, and this is it right here. It's the 4q4q5.php file.
I actually wasn't thinking when I named this file 4Q. It sounds like I'm cursing, but this was an honest mistake; I'm not trying to curse here. Anyway, I'm going to go ahead and click and delete. And that's it. So that's basically how you'd manually remove such corrupted files from your server. It can be a bit of a lengthy process, especially considering that sometimes you may have up to 100 corrupted files. As you can see from mine here, this was over two years ago, and overall there were 41 files that were corrupt. So you can imagine I actually had to go and trace every single one of these files and then begin to manually remove them. So that's why it's always best to secure your website; make security a priority, so you don't have to go through this hassle of having to open your FTP account, log in, and then begin to trace all these files and manually remove them one by one. So that's basically how you can manually remove corrupted files from your website. And by the way, FileZilla also allows you to transfer files from, say, your desktop to your web server. That's another thing you can do with FileZilla. It's not just about tracing files. So you can come in here, for example, double-click a Dropbox folder, and then from there you can simply just right-click and upload, and this will go straight to the directory that is currently selected in your FTP account. So that's how you can use FileZilla to download files from the server, transfer them to your desktop, and vice versa. So if you have any questions about this, please let me know. I'm always happy to answer questions and help and assist you in any way that I can. Thank you for watching, and good luck.

29. Plugins Section Introduction:

All right, welcome to this bonus section, where I'm going to give you tutorials on how to use some of the most popular WordPress security plugins.
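Lecture 28 above traces each file from the host's report by hand. As an added example (my own code, not the course's and not any host's scanner), here is a Python script that produces that kind of list for you: it hashes a known-good copy of the site, hashes it again later, reports files that were added or changed, and separately flags two things that should never exist on a clean install, PHP files under wp-content/uploads and PHP files that run decoded data through eval(). The demo site, its file names and the "infection" are constructed inside a temporary directory; the only payload used decodes to a harmless `echo 1;`.

```python
"""Find files added or changed in a WordPress tree since a known-good baseline.

Added example, not part of the course or of any product named in it.
"""
import hashlib
import os
import re
import tempfile

# Detection patterns for the usual obfuscated droppers (patterns only, not malware).
OBFUSCATION_RE = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_trees(baseline, current):
    """Compare two hash maps; returns (added, modified, removed) as sorted lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_files(root, digests):
    """Return {path: reason} for PHP under uploads and PHP with an eval-of-decoded-data pattern."""
    flagged = {}
    for rel in digests:
        if not rel.lower().endswith(".php"):
            continue
        if rel.startswith("wp-content/uploads/"):
            flagged[rel] = "php file inside wp-content/uploads"
            continue
        with open(os.path.join(root, rel), "rb") as fh:
            if OBFUSCATION_RE.search(fh.read()):
                flagged[rel] = "obfuscated eval() payload"
    return flagged


def _write(root, rel, data):
    """Create rel (posix path) under root with the given bytes, making parent dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a tiny constructed site, take a baseline, alter it, and report.

    Returns (added, modified, removed, flagged). All file names are made up.
    """
    root = tempfile.mkdtemp(prefix="wp-demo-")
    core_file = "wp-includes/customize/class-wp-customize-themes-section.php"
    core_body = b"<?php class WP_Customize_Themes_Section {} ?>"
    _write(root, "wp-config.php", b"<?php define('DB_NAME', 'example'); ?>")
    _write(root, core_file, core_body)
    _write(root, "wp-content/plugins/hello.php", b"<?php echo 'hello'; ?>")
    _write(root, "wp-content/uploads/2017/03/photo.jpg", b"\xff\xd8\xff\xe0 jpeg bytes")
    baseline = hash_tree(root)

    # Simulated compromise (constructed; payload decodes to `echo 1;`).
    payload = b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>"
    _write(root, "wp-content/uploads/2017/03/zz-dropper.php", payload)     # added
    _write(root, "wp-content/plugins/zz-fake.php", b"<?php /* junk */ ?>")  # added, no signature
    _write(root, core_file, core_body + b"\n" + payload)                    # core file modified

    current = hash_tree(root)
    added, modified, removed = diff_trees(baseline, current)
    return added, modified, removed, suspicious_files(root, current)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
    for path, reason in sorted(flagged.items()):
        print("FLAG %s: %s" % (path, reason))
```

The baseline diff is the part that matters: the plugin file zz-fake.php carries no recognisable signature and would pass a pattern scan, but it still shows up as an added file. Take the baseline from a fresh install or a copy you verified, store it off the server, and re-run the comparison whenever the disk usage or the file count in cPanel looks wrong.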
Now, I need to let you know that some of these plugins are what I like to call all-in-one security plugins, where you have a plugin that provides a bunch of functionality, like Wordfence Security. This one provides a firewall, malware scanning, blocking, live traffic, login security. Very similar to Sucuri, which also offers monitoring, malware detection, security hardening. You have the All In One WP Security and Firewall plugin, and so on. Use only one of these major security plugins. You don't want to install more than one of such plugins, because when you have one security plugin that does malware scanning, blocking, firewall, and then you install another plugin that does something very similar, you might end up having clashes. So make sure you choose one major security plugin, and then you can begin to install other security plugins that offer a very specific function, like Akismet. Akismet, for example, focuses primarily on taking care of spam in your WordPress comments. So once again, choose one major all-in-one security plugin, and then you can begin to install other security plugins that offer very specific functions not covered by the all-in-one security plugin. Thank you for watching, and let's jump right into it.

30. Akismet:

Okay, so we all hate spam messages. They are very annoying, very irritating, and they make our websites look very unprofessional when we have spam comments on our posts. And if you are going to be writing and posting articles on a WordPress website, it is very likely that at some point you're going to get spammed, and the best way of fighting against spam is to have plugins that will help you fight against spam. One of the best, in my opinion, is Akismet. It is by Matt Mullenweg, Ryan Boren, Andy Skelton, Michael Adams and several other developers, and I have a very soft spot for this plugin because it is actually one of the very first plugins I ever used on WordPress.
So maybe I'm a little bit sentimental and biased when I say that this is one of the best plugins for fighting against spam, but it does a very, very, very good job, and it's also incredibly lightweight, and it's also very, very easy to use. So when you install and you activate the plugin, you will see, under Settings, Akismet; click in there and you will see this page asking you to get your API key. For this plugin to work, you are going to need an API key. So let's click on the blue button in here to get our key. To get your key, you do need to have an account with WordPress.com, and it looks like I automatically got signed in, which is kind of annoying; I didn't want that to happen. So let me just cancel this, and let me just sign out, okay? And let me try and repeat the process all over again to get the API key. So in here you will just click on "Get an Akismet API key," and over here you have the two plans that they have. You have the Basic, and then you have the Plus as well. Again, I'm already signed in for some reason; this plugin likes logging me in. But if you are not logged in, and if you don't have an account with WordPress.com, you will see the sign-up page or something like that. You can easily just create an account with WordPress.com and you'll be good to go. You should be redirected to this page, where you simply click on "Get Basic." And this is the page I call the "make me feel guilty" page. The reason why I call this page that is because over here to the right you have this face, kind of like, you know, staring at you, begging you, pleading with you to donate some money to the developers of Akismet. And of course, if you drag this bar all the way up, you see him smiling; his face gets more yellow. He goes to the very end and he's also happy. But if you drag this all the way down, you're going to see his face become less yellow; it almost looks like he's sick.
And then you come down here, and then you see he's not smiling. There is no color on his face at all. So please, if you can afford it (I actually do donate to these guys every year), if there's any amount you can donate to these guys, especially if you're using the plugin, please go ahead and donate some cash to them. But for the purposes of this video, I'm going to drag this down here to the end. So I'm just going to click on Continue, and we're going to get a key in just a second. Okay, so basically the plugin has already connected with my WordPress.com account, and it knows I'm trying to activate Akismet for my website. I'm going to click on Activate this site. Either this, or, as you can see, I do have my API key in here as well, so I could do it either way. All right, so now Akismet has been activated, because we have connected our site with Akismet. We have our API key, and now we can make some very simple changes. We can show the number of approved comments beside each comment author if you want to. Now, in terms of the strictness, you can either tell Akismet to just get rid of these spam messages without you even actually seeing them, or you could tell Akismet: hey, put all the comments you consider to be spam in the spam folder for me to review, and I'll decide for myself whether or not those comments are actually spam. I have tried both, and I can honestly tell you that Akismet does a fantastic job, a fantastic job, of taking care of spam. So I would even recommend you going with the "Silently discard the worst and most pervasive spam so I never see it" setting. Let's go ahead and save changes, and basically that's it. So now Akismet is working fully. I actually wanted to show you Akismet in action, but this is a brand-new website, and if I come down here to Comments, there are no comments for you to see. But you will actually see this tab that says "Check for Spam"; this is a feature of Akismet.
So what I want to do is to bring up an actual old site. Here we have comments, and you can see now, on the Akismet dashboard, we do have some stats on comments: the number of messages that have been blocked in the past six months is 12, all time is 22, the accuracy figure reads 6.96%, and just one missed spam, so that's pretty good. So this will be the kind of dashboard that you see as soon as Akismet starts to block spam messages and comments on your WordPress website. So that's it for Akismet. Again, they do have a Pro version that has more features, so you could always check that out if you're interested. So thank you for watching; I will see you in the next class.

31. Expire Passwords Plugin:

One of the best ways to protect a WordPress website that has lots of accounts is to make sure that the owners of those accounts change their passwords on a regular basis. And you can enforce this by making use of this plugin called Expire Passwords. It is by Frankie Jarrett, and with this plugin, you can make it mandatory that after a certain period of time, accounts that belong to certain roles will have to change their passwords. This is a plugin I have used on several websites before. These were mainly websites for hospitals and companies that had many, many accounts. Most of their employees had accounts on these websites, and the owners wanted me to figure out a way to get the employees to regularly change their passwords. And this is the plugin I very often use. So when you install and you activate the plugin, all you have to do is come down to Users and click on Expire Passwords. Now, in here, you can choose the roles that you would like to enforce this rule for, and then simply change the number of days. Typically, I very often go with 30 days. That's usually how I do it. So at the end of every month, the users will have to change their passwords. But your own situation might be different.
You can go with 45 days, 60 days, 90 days. It's all up to you. But this is a very good plugin for enforcing such a rule, and I highly, highly recommend it. It's a very good plugin. So thank you for watching; I will see you in the next class.

32. Sucuri Security:

A discussion on the best WordPress security plugins wouldn't be complete without mentioning Sucuri Security. This is one of the most common plugins for securing your WordPress site. It is actually by a company called Sucuri, although the author here is credited as Daniel Cid, but there is a company called Sucuri, and they specialize in WordPress security. As you can read here, it's saying Sucuri is a globally recognized authority in all matters related to website security, with specialization in WordPress security. I have personally used Sucuri before, several times, and it is a very, very good plugin for securing your WordPress website. So it is a mega plugin for security, and, as always, it has a ton of different options and features and settings. So we are going to only focus on the settings that matter, in my opinion. When you install and activate the plugin, you'll see Sucuri Security down in here; you can click on Settings to begin with. All right, now, of course, this brings out this page, this overwhelming page. You have all of these settings. Don't worry, we'll take a look at the most important ones, but on the Settings tab, we do have the plugin API key available, and what you can do is come all the way down here and enable the audit log statistics. You can go ahead and enable this, and the reason why I like enabling audits is so that you can, at a glance, see the recent activities on your WordPress website, and then you can easily check if anything malicious is happening. So you can go ahead and enable the audit log statistics, and this is taking a while.
All right, so once you do that, if you click on your Dashboard, boom, awesome. Right now you can see we do have the audit log report, and you can see everything at a glance: the successful and failed logins so far, the audit logs per user. You can see clearly: I am Alex, this is my IP address, and I logged in on March 19th, 2017 at 12 a.m. You can see what's happening in here at a glance, so that's pretty much what the audit statistics setting does: it shows you, at a glance, the most important aspects with regard to security for your WordPress website. All right, let's go back to Settings. Now that's it for General; on to the Scanner. This is one of the best features of the Sucuri Security plugin. You can actually scan your website for malicious files. All you need to do is come right down here, and you can see we have the malware scanner. You can simply click on Scan it now, and then the plugin will scan your WordPress site, looking for any malicious files. And, of course, depending on how large your site is, this could take quite a while. It could take a few minutes; it could take up to an hour. I have clicked Scan now, and it doesn't seem to be running just yet. Okay. Okay, so it's actually done, and you can see it says no malware was identified. Of course, because this is my website; my websites are always free of malicious files. And you can see what it scans for: it scans for malicious JavaScript, it scans for malicious iframes, it checks for any suspicious redirections as well, and you can see I do have a clean bill of health. So whenever you feel suspicious that there's something wrong with your site, maybe your site has been hacked, you can always run this scanner, a neat tool, to identify whatever files have been corrupted, if any. Let's go back to the Settings tab. So we've done General; on to the Scanner. There are a few other things in here as well, such as the malware scanner cache.
You should only reset the cache if you want to run a second scan almost immediately, because what happens is, when you run a scan for the very first time, the results will be stored for 1200 seconds, as you can see. But if you need to run a scan before the 1200 seconds expire, you can come in here and reset the cache, and you can run a fresh scan. All right, that's it over here. We do have the option of having a background scan running, and we do have the algorithm, with three different types: SPL, OpenDir and Glob. The recommended one is SPL (high performance); you can go with that. Now, for the scanning frequency, I will definitely never recommend twice daily; I think that's a bit excessive. You can either go with once daily, which will run once every 24 hours, or just simply go with Never, and then you would have to run the scans yourself. And really, it's up to you. Me personally, I never run background scans on my websites; I always do them manually, because I do have other security systems in place, and I'm always confident that my site is secure. So it really depends on you. You can choose to just disable the background scan completely, or you can go with once daily, every 24 hours, of course. All right, so that's it for General and Scanner. Let's jump down here to Alerts. Of course, this means that you can add an email address to receive notifications whenever anything major happens on your site with regards to security. Over here, you can restrict the number of alerts to receive per hour. The minimum is set to a maximum of five per hour; you can go with 10, 20, 40, 80, 160, or simply unlimited. For brute-force attacks, I will definitely recommend setting it to 30 failed logins per hour, no more than that. You can also configure the alert events to your needs.
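The two numbers just discussed, "treat it as brute force after 30 failed logins per hour" and "send at most five alerts per hour", are simple sliding-window rules. As an added example (my own code, not part of the course or of the Sucuri plugin), here is a Python implementation of both over a constructed audit log. The log line format, the user names and the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all made up for this example; they are not the plugin's real audit-log format.

```python
"""Flag brute-force login sources and throttle the alerts they generate.

Added example, not course material. Models two Alerts settings: "brute force
after N failed logins per hour" and "at most M alerts per hour".
"""
from collections import defaultdict, deque
from datetime import datetime


def parse_line(line):
    """Parse a constructed '<ISO time> <failed|success> user=<name> ip=<addr>' line.

    Returns (timestamp, result, user, ip), or None for lines that do not match.
    """
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("failed", "success"):
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    user = parts[2].partition("=")[2]
    ip = parts[3].partition("=")[2]
    return ts, parts[1], user, ip


def brute_force_sources(lines, threshold=30, window_seconds=3600):
    """Return {ip: timestamp at which the threshold was first crossed}.

    A sliding window per IP holds the recent failure times; the IP is flagged
    as soon as `threshold` failures fall inside any `window_seconds` span.
    Successful logins do not reset the count: a success right after a burst of
    failures is exactly the case worth looking at.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "failed":
            continue
        ts, _result, _user, ip = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def throttle(event_times, max_per_hour=5):
    """Return the timestamps that would actually be delivered.

    Once `max_per_hour` alerts have gone out in the trailing hour, further
    events are dropped until the window moves on. Dropped alerts are lost, so
    the cap is a mailbox protection, not a substitute for reading the audit log.
    """
    sent = deque()
    delivered = []
    for ts in sorted(event_times):
        while sent and (ts - sent[0]).total_seconds() > 3600:
            sent.popleft()
        if len(sent) < max_per_hour:
            sent.append(ts)
            delivered.append(ts)
    return delivered


def sample_log():
    """Constructed log: 35 failures from one address in about 11 minutes, 3 from another."""
    lines = []
    for i in range(35):
        lines.append("2017-03-19T00:%02d:%02d failed user=admin ip=203.0.113.9"
                     % (i * 20 // 60, (i * 20) % 60))
    for i in range(3):
        lines.append("2017-03-19T01:%02d:00 failed user=alex ip=198.51.100.4" % (i * 5))
    lines.append("2017-03-19T01:20:00 success user=alex ip=198.51.100.4")
    lines.append("garbage line that should be ignored")
    return lines


def sample_alert_times():
    """Constructed alert burst: twelve events a minute apart, then one over an hour later."""
    return [datetime(2017, 3, 19, 0, m) for m in range(12)] + [datetime(2017, 3, 19, 1, 5)]


if __name__ == "__main__":
    for ip, when in brute_force_sources(sample_log()).items():
        print("brute force from %s, threshold crossed at %s" % (ip, when))
    print("alerts delivered:", len(throttle(sample_alert_times())), "of", len(sample_alert_times()))
```

With the lecture's threshold of 30, only the first address is flagged, and it is flagged at the moment of its 30th failure rather than at the end of the hour; the three failures from the legitimate user never trip it. Lowering the threshold to 3 would flag both, which is the trade-off the "per hour" figure controls.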
All these are the possible events that can take place on your site, and the ones ticked are the events that, when they happen, you will receive a notification for. You can go ahead and add more events if you want to, but I personally feel that the ones ticked by default should do the job for you already. Just go ahead and save this. So I'm just going to ignore API Service, Log Exporter and Ignore Scanning. Let's jump down to Ignore Alerts, and this is pretty interesting: if certain things happen to any one of these custom post types, you can choose to ignore them. All you need to do is click Ignore right here, and if any one of your posts is edited, published or unpublished, you will not receive a notification for it. So this is basically what Ignore Alerts is for. Trusted IP: as the name suggests, you can add an IP address that will always be trusted by the plugin, and you'll never receive any notification even if that IP address is doing something malicious to your site. You can add the IP address in here. That's it for the settings that are worth taking a look at. The Dashboard, the Malware Scan. For the Firewall, if you have a service with CloudProxy, you can add the API key in here and save this; it will provide you with the firewall service. If not, personally, I won't sweat over it. I think this plugin already provides many other settings for securing your site. But you can click on Hardening. This is a very, very important tab that I want you to pay close attention to. Over here, I would recommend that you harden your Protect uploads directory, Restrict wp-content access, Restrict wp-includes access as well, and also Information leakage, and the Plugin and Theme editor. I will definitely recommend that you click Harden for every one of these settings, so just click Harden right here, and that's it. So just click Harden in here as well, come down here and then click Harden, and so on and so forth.
All these hardening methods will secure your WordPress website against malicious hackers. I highly recommend hardening as much as you possibly can. Coming down to Post-Hack, there are quite a few interesting settings available in here, but I will not recommend you use them. As an example, we do have the ability to reset all the user passwords on your WordPress website. But rather than doing this from the plugin settings, you can simply come down here to Users and do that instead. Similarly, with the plugins: if you install a plugin and it seems to be breaking your site, rather than coming here and resetting the plugin, you can do that from the Plugins page itself. And, of course, Available Updates: you don't have to download the updates for your plugins or themes in here; you can do that simply from the Themes or Plugins pages. I think it's better that way. We have Last Logins, and of course, over here, this will tell you the last time someone logged into your site, and you can see it's Alex, this was the IP address, and the last time was two months ago, right? You can also take a look at all the admin users so far who have logged in, the logged-in users, the failed logins that we've had, and the blocked users that the plugin has blocked so far. And of course, we've taken a look at the settings already. And finally, we do have the Site Info, and this will give you a lot more information about your site. So should you need to troubleshoot and send details about your site to the developers, this typically will be the kind of information that they ask for. So that's it for Sucuri Security in a nutshell. It of course has a lot more features and settings available to further enhance your WordPress website's security, but I feel personally that what we've covered so far should be more than enough to secure your WordPress website. I should mention, though, that the guys at Sucuri do have their website. It's right over here.
It's sucuri.net, and these guys can help not only to scan your WordPress website, but actually to clean the malicious files that they might find. So even though the plugin can scan your site and identify the malicious files, it is not going to clean those files. You will have to pay the guys at Sucuri to clean those files for you, or you can manually remove them. You can visit the site to learn more about this plugin and the other services that they provide. So thank you for watching and I will see you in the next class.

33. User Role Editor Plugin: Another excellent plugin for your WordPress security is the User Role Editor plugin. This plugin is by Vladimir Garagulya, and with this plugin you can modify the capabilities of the existing user roles that you have in your WordPress website. By default we know that we have the administrator, the editor, the author, the contributor and the subscriber. Those are the five default roles that come with WordPress. However, with this plugin, in addition to being able to modify the capabilities of those default roles, you can actually go on to create your own custom roles as well. So let's take a look at how to use this plugin. Install and activate the plugin, come down here to Users and click on User Role Editor. In here you will see the "Select role and change its capabilities" dropdown, so you can choose the role that you want to edit. You will notice, though, that the Administrator role is missing: you cannot modify the capabilities of an administrator, because the admin is the boss of the website, so we can't make any changes to that. But we can modify the Subscriber role or even the Contributor role as an example. So we have chosen the Contributor role, and in here you can see some of the capabilities of the contributor. To make this easier to read, since as you can see we have lots of underscores, there is an option.
You can simply check this box right here that says "Show capabilities in human readable form". So let's check that, and now you can see it's a lot easier to read the capabilities. However, that changed the role back to Subscriber, so let's go back and change this to Contributor. All right, so what we can do is, let's say for example, we know that contributors cannot publish their own posts, right? We know that. But just to make sure, we can click on "Granted Only", and now this shows all the default capabilities that the contributor has. We can see that they can read posts, and they can edit and also delete posts as well. So if we wanted to give them the ability to publish their own posts: over here to the left you can see that we have a breakdown of the different kinds of capabilities. We're looking for capabilities on posts, so we can click on Posts, and now in here we can simply check the box that says "Publish posts", then Update the role and confirm. And now anyone with the role of Contributor on our site can publish posts. Now, I said that you can create your own custom roles, and doing this is pretty easy. Begin by coming here and clicking Add Role. Let's just say, for example, we wanted to create a role called "special", so I can say special_role will be the ID for this role, and for the display name let's just say Special. You can use different names, of course, but it's often good practice to have a common word that exists both in the ID and in the name. Now you could choose to start from scratch when creating this new role and add the capabilities yourself, or you can simply start from an existing role, so if you chose Author, for example, this new Special role will have all the capabilities of the Author. But in this case, let's just imagine we wanted to create a Special role where whoever has that role will be able to update themes and plugins. That's essentially the only thing that they can do.
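The two changes made through the User Role Editor screens in this lesson, giving Contributors the publish_posts capability and creating a Special role that can only update themes and plugins, can also be done with WordPress's own role API. The following is an added example, not code from the course or from the User Role Editor plugin. The plugin file header, the activation and deactivation hooks, the function names prefixed cce_ and the read capability (added so that a Special user can open the dashboard at all) are my assumptions; the role ID special_role, the display name Special and the two update capabilities come from the lesson.

```php
<?php
/**
 * Plugin Name: Custom Capabilities Example
 * Description: Added example (not the User Role Editor plugin's code). Gives
 *              Contributors the publish_posts capability and registers a
 *              "Special" role that may only update themes and plugins.
 *
 * Place this file in wp-content/plugins/ and activate it from the Plugins page.
 */

defined('ABSPATH') || exit;

/**
 * Roles and capabilities are stored in the database, so both changes are made
 * once on activation rather than on every request.
 */
function cce_activate(): void
{
    // 1. Let Contributors publish their own posts (the lesson ticks
    //    "Publish posts" on the Contributor role).
    $contributor = get_role('contributor');
    if ($contributor !== null) {
        $contributor->add_cap('publish_posts');
    }

    // 2. The "Special" role. Starting from "none" in the lesson means an empty
    //    capability list; 'read' is an assumption added here because without
    //    it the user cannot reach wp-admin at all.
    add_role('special_role', 'Special', [
        'read'           => true,
        'update_themes'  => true,
        'update_plugins' => true,
    ]);
}
register_activation_hook(__FILE__, 'cce_activate');

/** Undo both changes when the plugin is deactivated. */
function cce_deactivate(): void
{
    $contributor = get_role('contributor');
    if ($contributor !== null) {
        $contributor->remove_cap('publish_posts');
    }
    remove_role('special_role');
}
register_deactivation_hook(__FILE__, 'cce_deactivate');

/**
 * Give an existing account the Special role (the lesson does this from the
 * Users screen). $user_id is a placeholder for the account you want to change.
 * Returns false if the user or the role does not exist.
 */
function cce_assign_special(int $user_id): bool
{
    $user = get_user_by('id', $user_id);
    if (! $user instanceof WP_User || get_role('special_role') === null) {
        return false;
    }
    $user->set_role('special_role'); // replaces the user's current role
    return true;
}
```

A user whose capabilities are only read, update_themes and update_plugins can run updates from Dashboard > Updates but cannot see the Plugins page, activate anything, install new code or use the theme and plugin editor, which is what makes a narrow role like this safer than handing out an Administrator account for maintenance. Note that giving Contributors publish_posts removes the review step that role normally implies, so the deactivation hook above reverses it.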
So let's start from scratch, leaving it as None, and add the role. All right, so now you can see Special has already been selected. We want anyone with the Special role to be able to update themes, so we come here to the left, look for Themes, check "Update themes", then update and confirm. Now let's go to Plugins as well, check "Update plugins", update and confirm. So now anyone with the Special role can update both themes and plugins, and assigning the role is very straightforward. Just go down to All Users. In this case I do have a fake admin account, and it's actually a subscriber, so what I can do is just click on Edit right here, simply change the role here to Special, come all the way down and click Update. And that's pretty much it for the Special role. So that's how to use the User Role Editor to modify existing roles and capabilities in your WordPress website. Thank you so much for watching. If you have any questions, as always, feel free to contact me. Thanks so much for watching and I will see you in the next class.

34. Loginizer: Okey dokey. So let's kick off our security plugins by talking about Loginizer. It is by Loginizer, and they claim that this is the best plugin to protect your WordPress website. Of course they're going to say that. I personally would not say that this is the best plugin to protect your WordPress website. I will say, though, that this plugin does an amazing job of protecting your WordPress website against brute force attacks. There is a pro version of the plugin that has more features; we'll talk about that by the end of the video. When you install and activate the plugin, you will see the Loginizer Security tab in here. Click on Dashboard first of all, and in here you have just basic information about your system. You can see your server IP address and your own IP address as well. You can write a review of the plugin.
Further down, you can also tweet to your millions of followers on Twitter telling them that you're using the Loginizer plugin. There is some information here about your file permissions, but you really don't need to go into that at all; just leave this as it is. Let's take a look at the actual Brute Force tab itself, and this is where you can make changes to the plugin itself. Now, one of the really good things about this plugin is that it actually keeps a log of all the failed login attempts. So in here you will see the recorded IP address, the date when that IP address tried to get access to the website, the number of failed attempts, and of course the lockout count as well. Down in here you have the option of blacklisting certain IP addresses. So if you notice that a certain IP address is constantly trying to gain access to your WordPress back end, you could always come in here and block that IP address completely, so they would not even be able to try logging into the back end of your WordPress website. You add the start of the IP address in here, and you can also add the end of the IP address if you're talking about a range of IP addresses trying to sabotage your WordPress website. You can also whitelist IP addresses, which of course is the exact opposite of blacklisting IP addresses. Over here we have the actual brute force settings. Max Retries, the maximum number of failed login attempts, is set to three; that is the default amount, and you can always change it. Now, if an individual tries to log in to your WordPress website and fails three times, there will be a lockout of 15 minutes, which means they will have to wait an additional 15 minutes before they can try logging in again. There is also an option here called Max Lockouts, which is set to five. So if they've been locked out five times, that is in fact 15 failed attempts, because each lockout is set to three attempts, so Max Lockouts works out to five lockouts.
That will be five multiplied by three, which is 15 attempts overall. If the Max Lockouts count is reached, there will be an extended lockout of 24 hours. So after 15 failed attempts, the person will not be able to log into your WordPress website for another 24 hours, and then everything, of course, resets after 24 hours. You can also get email notifications after a certain number of lockouts; you can add the number in here as well. So by default, when you install and activate the plugin, the brute force prevention feature comes into play immediately. There is no checkbox to tick to start or stop the brute force prevention; there is no such thing. So let's take a look at how it actually works. I'm going to log out now, all right? Now I'm going to attempt to log in using "Jake", okay, and now you can see it says "Error: you only have two attempts left". Let's try "Samantha": Samantha, and no. So now I only have one attempt to log in, which of course I'm going to use my actual username for, to log into my WordPress website. But basically that's how the plugin works. So I would definitely recommend this plugin for prevention against brute force attacks, if that's what you're after. But like I said earlier, they do have a pro version. You can go to loginizer.com, which is the actual website for the plugin, and over here they have pricing, and it's actually surprisingly very affordable. It's just $24 for a whole year if you want to secure one site, and they do have a plan for two sites at $40 per year. If you're talking about the features that the pro version offers, it's a lot more: you have reCAPTCHA, you have passwordless login via email, you can also rename your WP admin area, you can use login challenge questions, you can rename the login page, and all of these are listed in here as well.
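The lockout policy described earlier in this lesson (3 failed attempts give a 15 minute lockout, the 5th lockout gives a 24 hour lockout, after which everything resets) is easier to reason about when replayed against a timeline. The block below is an added example, not Loginizer's own code: it is a minimal in-memory model of that policy, keyed per source IP, using the default thresholds quoted in the lesson. The in-memory array, the explicit $now clock, the behaviour of a successful login (clearing only the failure count) and the attacker address are my assumptions; it runs offline on PHP 7.4 or newer with `php lockout_policy.php`.

```php
<?php
declare(strict_types=1);

// Added example, not Loginizer's code: a model of the per-IP lockout policy
// from the lesson. Defaults: 3 failures -> 15 min lockout; 5th lockout ->
// 24 h lockout, after which the lockout count resets. The array store and the
// explicit $now parameter are assumptions so the timeline can be replayed.

final class LockoutPolicy
{
    private int $maxRetries;
    private int $lockoutSeconds;
    private int $maxLockouts;
    private int $extendedLockoutSeconds;

    /** @var array<string, array{fails:int, lockouts:int, locked_until:int, extended:bool}> */
    private array $state = [];

    public function __construct(
        int $maxRetries = 3,
        int $lockoutSeconds = 15 * 60,
        int $maxLockouts = 5,
        int $extendedLockoutSeconds = 24 * 60 * 60
    ) {
        $this->maxRetries = $maxRetries;
        $this->lockoutSeconds = $lockoutSeconds;
        $this->maxLockouts = $maxLockouts;
        $this->extendedLockoutSeconds = $extendedLockoutSeconds;
    }

    /** Record for $ip with any lockout that has expired at $now already cleared. */
    private function entry(string $ip, int $now): array
    {
        $e = $this->state[$ip]
            ?? ['fails' => 0, 'lockouts' => 0, 'locked_until' => 0, 'extended' => false];

        if ($e['locked_until'] !== 0 && $e['locked_until'] <= $now) {
            // An expired 15 minute lockout keeps the lockout count, so a repeat
            // offender still reaches the 24 hour lockout. Once the 24 hour
            // lockout expires the count is cleared too ("everything resets").
            if ($e['extended']) {
                $e['lockouts'] = 0;
            }
            $e['locked_until'] = 0;
            $e['extended'] = false;
        }
        return $e;
    }

    /** Seconds left on the lockout for $ip, or 0 when logins are allowed. */
    public function lockedFor(string $ip, int $now): int
    {
        $e = $this->entry($ip, $now);
        $this->state[$ip] = $e;
        return max(0, $e['locked_until'] - $now);
    }

    /**
     * Record a failed login from $ip at $now. Returns the attempts left before
     * the next lockout; 0 means this failure (or an earlier one) locked the
     * address out.
     */
    public function recordFailure(string $ip, int $now): int
    {
        $e = $this->entry($ip, $now);
        if ($e['locked_until'] > $now) {
            return 0; // the login form is refused outright while locked out
        }

        $e['fails']++;
        if ($e['fails'] >= $this->maxRetries) {
            $e['fails'] = 0;
            $e['lockouts']++;
            if ($e['lockouts'] >= $this->maxLockouts) {
                $e['locked_until'] = $now + $this->extendedLockoutSeconds;
                $e['extended'] = true;
            } else {
                $e['locked_until'] = $now + $this->lockoutSeconds;
            }
        }
        $this->state[$ip] = $e;

        return $e['locked_until'] > $now ? 0 : $this->maxRetries - $e['fails'];
    }

    /** A successful login clears the failure count (assumed; the lesson does not say). */
    public function recordSuccess(string $ip, int $now): void
    {
        $e = $this->entry($ip, $now);
        $e['fails'] = 0;
        $this->state[$ip] = $e;
    }
}

// Constructed timeline for one attacking address (documentation range, not real data).
$policy = new LockoutPolicy();
$ip = '203.0.113.7';

// Round 1: three wrong usernames one second apart, as in the lesson's demo.
foreach (['jake', 'samantha', 'bob'] as $i => $user) {
    $left = $policy->recordFailure($ip, $i);
    printf("t=%5ds  failed as %-9s attempts left: %d\n", $i, $user, $left);
}
printf("t=%5ds  locked for %d s\n", 3, $policy->lockedFor($ip, 3));
printf("t=%5ds  locked for %d s\n", 902, $policy->lockedFor($ip, 902));

// Rounds 2-5: the attacker waits out each 15 minute lockout and tries again.
// The fifth lockout is the extended 24 hour one.
$t = 902;
for ($round = 2; $round <= 5; $round++) {
    for ($i = 0; $i < 3; $i++) {
        $policy->recordFailure($ip, $t + $i);
    }
    printf("lockout #%d at t=%ds: locked for %d s\n", $round, $t + 2, $policy->lockedFor($ip, $t + 2));
    $t += 15 * 60 + 3;
}
printf("t=%5ds  locked for %d s\n", $t + 24 * 60 * 60, $policy->lockedFor($ip, $t + 24 * 60 * 60));
```

Two caveats that the lesson does not raise follow directly from the model: everything is keyed on the source IP, so behind a CDN or reverse proxy every visitor shares the proxy's address unless the real client address is taken from a header you trust, and an attacker spreading attempts over many addresses never reaches the threshold at all (while many legitimate users behind one NAT can lock each other out). That is the reason to pair a lockout plugin with the reCAPTCHA option mentioned below and with two-factor authentication rather than relying on it alone.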
Over here they do have a table clearly telling you the differences between the free version and the pro version of the plugin, so if you're interested, I would definitely recommend taking a look at what they have to offer. Like I said, it's pretty affordable. The fee is just $14 a year if it's for one site, and they have a whole year of ticketed support, so if something isn't working properly, you can always send them a ticket: "Hey, I'm having issues with this, could you please help me out?" And of course there is also extensive documentation that comes with it. Well, I don't think you actually need the pro version; you can always read the documentation even without the pro version of the plugin. So that's it for the Loginizer plugin. Thank you for watching, and I will see you in the next class.

35. WP Security Audit Plugin: Another way you can protect your WordPress website is by keeping track of all the events that take place on your website. We're talking about events like someone logging in, someone logging out, a plugin being installed, a post being edited, and so on and so forth. Basically, you're keeping a security audit of whatever it is that happens on your website, and one of the best plugins to do this is the WP Security Audit Log plugin. It is by WP White Security, and it is an awesome, awesome plugin for keeping track of everything happening on your WordPress website. Now, once you install and activate the plugin, you will see this tab in here that says Audit Log. If I click on Audit Log Viewer, you can see right now that I already have a record of things happening on my site, from settings changes, plugins being installed and uninstalled, someone requesting a non-existent page, me logging out successfully, and so on and so forth. So this way I can keep track of everything that's been happening on my site. Now, you may not see this right off the bat, because the plugin hasn't yet recorded any info.
Basically, what you want to do first of all is come down to your settings in here, and in here you can configure how the plugin actually works. The very first option in here is available only in the premium version. Next, you can choose either to enable or disable the alerts dashboard widget. What we're talking about here is: if I come down to my dashboard, all the way over here we have the dashboard widget for the plugin, and you can see the top five latest alerts, the last five things that have happened on the site, such as a plugin being deactivated, another plugin being uninstalled, and so on and so forth. So when you enable this option right here, it gives you a dashboard widget with the latest five security alerts. Now, for the next two options in here, I would recommend that you make sure you know what you're doing. If you're not sure about these options, either contact your web host, your developer, or someone who knows more about security than you, to be on the safe side. I'm just going to leave both options unchecked. In here you can choose the people who can manage the plugin. My name has been added by default because I am the admin, but you can choose to add additional users and roles in here. Now, the "Restrict plugin access" option works hand in hand with the "Can manage plugin" option: basically, when this box here is ticked, only you and the other people that you specify in this box can manage the plugin. Over here as well, we can also choose to hide the plugin from the Plugins page; however, to manually revert this setting you would have to change an option in the wp_options table, so I would recommend that you don't do this unless, once again, you know what you're doing. You can also choose to disable all plugin logging, which means that any time anyone installs or uninstalls a plugin, the plugin would not record that event. I recommend that you don't do that.
Leave this off as it is. And finally, of course, you can also choose to remove all of the data when you uninstall the plugin; I'll just leave this box unchecked as well. Let me save my changes. Now let's come down to the Audit Log tab. In here you can decide for how long the plugin should keep track of audits; as an example, you can delete alerts older than, let's say, one month or two months. How many alerts should be kept before they're cleaned? Should the alerts be cleaned manually or automatically? Who can view the alerts as well: is it just you, or the people down here as well? You can change the columns that show up in the Audit Log Viewer. Let me just quickly show you this right here: this is the Audit Log Viewer, so we have the code, type, date, username, and then we have the message. We can also go ahead and add the source IP as well to give us even more information. And we can also choose to hide the activity that WordPress conducts in the back end; we're talking about activities like WordPress removing an old draft, auto drafts, or things like that. There are many things WordPress does in the back end that honestly you shouldn't even bother yourself about, so I would recommend that you leave this box ticked. Now, 404 requests. A 404 request is basically a request for a page that doesn't exist, so you can decide how many of such requests you want to keep track of. The default is 99, but again you can change that to whatever you want. Let me save my changes. Finally we have Exclude Objects. In here you can exclude certain users or certain roles from being monitored by the plugin if you want to; I would recommend not to use that, because you want to keep track of everyone and what they are doing on your site. You can also exclude certain custom fields from being monitored by the plugin, and you can also exclude certain IP addresses from being monitored by the plugin if you choose to.
All right, that's it. I'm not changing anything in here. Let's just go ahead and take a look at Enable/Disable Alerts. In here we have the alerts for every single possible kind of event that could take place on your website. The very first one is for BuddyPress: if you're using BuddyPress, over here you can choose the alerts you want to keep track of and those you don't. We have blog posts as well, we have comments, we have custom posts, database, menus, multisite, pages, plugins and themes. So in here, for example, if you don't want to be informed whenever a user installs a theme, you can uncheck this box in here and remove the code 5005. Then system activity, user profiles, widgets. Every possible event that can take place on your site is being monitored by the plugin, telling you just how awesome and how thorough this plugin is when it comes to monitoring whatever it is that happens on your WordPress website. So finally, let's go back to the Audit Log Viewer, and once again in here you can see that now we have the source IP, we have the message, what it is that happened when this person tried to do something, and we have the codes. Generally the ones in red are kind of significant; these basically appear whenever a plugin gets deactivated, a plugin gets uninstalled, a new user was created, stuff like that. So this is definitely one of the very best plugins for keeping track of whatever it is that happens on your WordPress website. They do have a pro version which you can take a look at if you're interested. But this has been how to configure and work with the WP Security Audit Log plugin. Thank you for watching the video, and as always, I will see you in the next class.