A Complete Site-Owner's Guide to Securing Your WordPress Site | David Hayes | Skillshare


A Complete Site-Owner's Guide to Securing Your WordPress Site

David Hayes, WordPress & PHP & more


Lessons in This Class

  1. Understanding WordPress Security
  2. Why Your WordPress Site Needs to Be Secured
  3. Setting Your WordPress Password
  4. Password Managers in Brief
  5. User Roles and Capabilities in WordPress
  6. Backups -- How to Make Them, and Why
  7. Trust Signals for Plugins
  8. WordPress Updates -- What to Do and Why They Matter
  9. Why/How to Visit Your WordPress Site
  10. Security Plugins Overview
  11. iThemes Security Quick Summary
  12. SSL Part I: What and Why
  13. SSL Part II: Setup for SSL
  14. Final Step







About This Class

A lot of advice about WordPress security is based on too-little evidence and over-complicates what can be a pretty cut-and-dry topic. In this course we cut through the clutter and get you all the details you need about WordPress security.

We’ll cover topics like:

  • What the actual threats to most WordPress sites are
  • Creating secure user accounts
  • Why you need backups, and how to do them
  • How you can know what plugins to trust
  • How to run WordPress updates
  • And what, if anything, a “WordPress security plugin” can do for you

Your class project will be a secured WordPress site. As a prerequisite, we'll expect that you have a WordPress site that you would like to make more secure. This class is geared toward people with some understanding of how to use WordPress: installing plugins and themes, creating content, etc. There's no expectation that you've written code before, or that you're technical enough to know JavaScript from HTML.

Meet Your Teacher


David Hayes

WordPress & PHP & more


Hello, I'm David. I'm a passionate WordPress and PHP developer. I regularly speak at conferences on those two topics, and dabble with tons of related technologies to keep my skills sharp.

Among many projects, I run WPShout, which is all about making you into a better WordPress developer. If that's interesting to you, check it out! I also explore less-WordPress-y code topics on Thoughtful Code.

Outside of code, I love playing board games, making coffee, reading, cooking, and volunteering. I'm really into meditation and good communication practices as well. I'm not perfect though, no one is.


Level: Beginner



1. Understanding WordPress Security: Hello, my name is David and welcome. This is a course all about securing a WordPress site. We're going to cover the most common and easily avoidable problems that cause people to get their site hacked, and we'll also cover what that "hacked" thing actually means in practice. Who am I? My name is David, as I mentioned, full name David Hayes. You can find me on Twitter, etc. as David B Hayes, because David Hayes is a pretty common name, at least in America. Who I am: I run a WordPress site that is all about creating better WordPress developers. This isn't a course about WordPress development though. I have created a course all about secure WordPress development, but that's called WordPress Security with Confidence and it covers way more than this course can or should, given that we're aiming for an hour here. I've used WordPress for 10 years and I've developed professionally in e-commerce and membership and so on sites for more than five. I've never had a site taken over or hacked, as we mentioned earlier, and that's because of the things I'm going to teach you in this course. For this course, you will need a WordPress site you're hoping to secure. Our project will be securing an existing WordPress site. There are tons of courses about how to set one up. So we're just going to talk about, now that you've got one, how do you make it even more secure, and that's really the reason to take this course. Every WordPress site is at risk online. I'm not saying that to scare you, just to be clear about the actual reality of the situation. As such, we're going to cover why that is and then we're going to cover how you can mitigate that risk. We're going to talk about things like user security with passwords, and making sure that users have the access that they need and no more. We're also going to talk about backups and how to get them, and why they're so important. We're going to talk about how to know what WordPress plugins you actually want to use.
There are so many out there, but it's hard to know what to trust and people worry a lot about the security of their plugins, and we'll cover that in some detail. We'll also talk about why it's so important to update plugins and everything else in WordPress, and finally, we'll touch briefly on both security plugins, which are a big category in WordPress, and the kind of complicated topic of how to get that green lock icon, that HTTPS setup, on a WordPress site. For those last two things, we can't go into exhaustive detail, but we should give you a very good grounding for how to think about those things and what it would look like to do that. So with that, we're ready to get started. I'm looking forward to it.

2. Why Your WordPress Site Needs to Be Secured: In this module, we're going to cover why your WordPress site is at risk, even if you'd rather think that it's not. The reason I say this is I hear a lot of people, when it comes to security, excusing themselves from thinking about it because they're like, "Well, my site is just a hobby," or "Well, I just get four visitors a month." Whatever it is, there are so many reasons that people try to escape responsibility for keeping their site secure, but they just aren't viable. They aren't reasonable, they aren't accurate, because there are so many different reasons that a site gets compromised and very few of them have to do with how many hits you get or how important your site is to you or to other people. They just are beside the point. There are so many reasons that people want to take over your WordPress site, or any computer really, but this is specific to WordPress sites. One of them is that because WordPress is public, it's on the Internet. People will try and do what's called drive-by downloads, where basically they're just trying to shove malware, viruses, bad stuff, worms, lots of different terms people will use. They're just trying to shove bad stuff at people.
They want any site on the Internet that can shove bad stuff at people, and a WordPress site will do. They might also be trying to do what's called a ransomware attack, where they take over your site and they're like, "Well, give us 0.04 Bitcoins and we'll give it back." Whatever it is. That is a very common attack, especially on personal computers, but it's also something that can and might well happen to you on a WordPress site. Some people just want to take over a WordPress site to show off that they can, that they were able to get a leg up on someone and take over. That's really all they are after. Any site will do. They might want to actually use your server resources to mine crypto coins like Bitcoin or Ethereum. There are many crypto coins; they're obviously far beyond our topic, but essentially you mine crypto coins on any computing hardware. A server that's running a WordPress site is computing hardware, so they're happy to take it over to use it for that. Sounds super common attack, but it does happen. They might want to borrow your search engine ranking. This is where it matters a little bit, your prestige. But if your site is well known to Google, it's very nice for a hacker to be able to borrow that by sliding a few innocuous links into your text, for example. It's not a super common attack, but it could totally happen. Making political statements. This is definitely, I think, one I've seen, where this Free Syrian Army or some Russian hackers or whatever want to just take over some sites and say, "Hey person, we were here and we matter politically, you should pay attention to us." That's like showing your skills, but at a different level for a different reason. They might just want to hold your site for future use. This is underrated. But backdooring sites, where you have access to them but you aren't currently exploiting them, is very common. It's one of the more common and pernicious ways that a site gets taken over. They might just want to serve ads in your account.
If you've got a site with high traffic, it's worth it to just take it over for the sake of getting a few $1000 out of an ad provider. They might want to send spam with your account. Most WordPress sites have e-mail hooked up in a way that WordPress can send e-mail, and as such, if they could get other e-mails to go out from that box, it's useful to them. The last one is that they want to use your server as part of a botnet. The reason I want to talk about this is botnets are important from both directions. Well, what is a botnet? In general a botnet is just a network of computers that someone, one team or a single bad actor, controls. Personal computers, Windows computers that have been taken over can be part of some botnet. So can actually bought commercial computers that someone just gets from Amazon or Google or whoever. But so can WordPress websites. Generally you just want to think of a botnet as a network of computers that can be used by a bad person to do bad things. Adding your WordPress site to a botnet is really helpful. But the other side of the botnet that's really important when we think about WordPress security is that the most common way that WordPress sites are attacked is that these botnets that exist, that may or may not include other WordPress sites, are turned on WordPress sites in order to get into their accounts or use whatever method of compromise they want to try to take over it. Most WordPress takeovers are completed by botnets, not humans. It can happen that you fire Steve or Susan or whoever, and they're really angry at you and they decide to use their existing account or their skills of hacking to get back at you personally, one-on-one, by guessing that your password is your address. That happens. It's not like it could never or does not happen. But on the scale of WordPress sites, we can round it nearly to zero.
It's almost guaranteed that what's happening instead is just so many swirling computers are sent on so many WordPress sites and eventually yours gets caught in the middle and compromised. There are really two very common methods of takeover for a WordPress site, where a botnet is set against a WordPress site and this WordPress site is compromised because of one of the many attacks that the botnet tries. The most common thing, I would say, the easiest for someone to do against most WordPress sites, is that you just have out-of-date software with known exploits. You're either running an old version of WordPress or an old version of a plugin. Gravity Forms had a big exploit.

3. Setting Your WordPress Password: So you've just logged in to your WordPress site. "How do I change my password?" is the first question we're going to quickly deal with. In the left sidebar, I want to go down to Users and then I'm going to click on Your Profile. In there, at the bottom, I will find this Account Management, New Password box. What's really cool about WordPress today is that it no longer gives you just a blank field. It actually makes you generate a password that it regards as strong. It regards it as strong because it's highly random and has a large character space. That is to say, it has symbols and capital letters, and lowercase letters and numbers all inside of it. Given that, that's a pretty good password. The hard thing about a password like this for most people is remembering it. We'll talk in the next video about why you probably want a password manager. If you aren't able to just say, "Yes, I'm going to use this password that WordPress has generated, that it says is strong," you need to think about how to make a password. "Password" is a terrible password. Some people like to do these character substitutions where they'll just be like, "Well, I can make that and that," but you've barely increased the security of that at all.
Even if you did add a truly random number in here, WordPress correctly tells you that this is still weak. Your goal is to make this box say that your password is strong. The two most common recommendations that I think are actually pretty solid are these. If you just type in a literal sentence, "this is a literal sentence", that's a pretty strong password in general, just because it ends up being pretty long. Humans have a pretty easy time remembering sentences, and if you're putting in spaces, that's a special character. So even all lowercase, no punctuation, which there's no reason to exclude in a password field like WordPress's, you still get a pretty good password. The other way is ones like WordPress does, but they're harder to remember. There is also the option of figuring out a way that you can remember a sentence but encode it into multiple types of symbols. Some people say things like, "There were nine horses" and they remember that "there" is a word they always spell out. "Were" gets abbreviated as R capitalized, four horses, four is just the numeral, horses becomes a capitalized word. If you come up with an algorithm like this, it's pretty easy for you to remember sentences, which we're pretty good at as humans, and turn it into something that's a little more high security than that. But in general, you just want to have a good password on your WordPress site. People recommend that you don't have an account labeled admin, but I think a better password is so much more important than whether or not you have an account that a botnet is going to guess, like admin. Definitely have a good password on your WordPress site. "Password" is just not acceptable and neither is "beer" or "whiskey", or "Denver Broncos" or "Chicago Bulls" or whatever your favorite sports team is.
You need to have a good password and we'll talk about why password managers help with that, but come up with a sentence and use it on your WordPress site, and don't use it anywhere else, and you'll be way ahead of the game. Once you've set that password, you can click "Update Profile" and it will change that password for you, and just make sure you remember it. Put it in your password manager, put it in your head, and you'll be all set. That is just a huge win that is very easy to get.

4. Password Managers in Brief: I'm using a password manager called 1Password and it's got a browser extension that lets me quickly log into a site like my WordPress site right here on the left. What's really impressive and great about that is that I didn't have to know what that password was. The password for this site that I'm using as an example here, I'll show it to you real quick, so I'll change it, but there's no way in my head how to remember this password among the thousands of other passwords that I have in my life. But because I know the one password that I use for 1Password, I can have a unique password very similar to this on basically every site I use. That's the big power of a password manager. 1Password is just one of them; LastPass, KeePass, Dashlane, etc. come to mind really quickly. There are lots and lots of password managers. Because of the risk of a compromise to, say, Facebook or some site you had to put a credential in, Stack Overflow or stock photos or whatever, any of those things, a compromise of one of those sites, where they were storing passwords poorly, which unfortunately does happen, can compromise your WordPress password, because you might use the same password there, and once it's on a list, it's bad news. Having a really unique password on every site is great. The easiest way to do that is to not have to remember them, by using a password manager.
You don't have to use this one and you don't absolutely need to use them, but I think it's so beneficial to know that every WordPress site that you have, a few, or if like me you've had a lot of them, can have its own unique password and so no compromise of any of them is going to compromise the other ones on the password level. It's one of the easiest things you can do to make your site more secure. I definitely encourage you to do it or at least think hard about why you should. They typically have some cost per year for syncing features and that kind of stuff, but they're typically pretty reasonable when you consider the cost of a common tool you use as a professional, like WordPress. They're just so cheap relatively that it's such an obvious good choice, so I really recommend you get a password manager, and that's the logic.

5. User Roles and Capabilities in WordPress: We're going to talk about how you should give your friend Susan, let's call her, access to your site. Susan wants to write an article for you about the same topic as your site, or she wants to help you with some technical stuff, or you wanted her to proofread all of the content on your site because she does like SEO or just proofreading, whatever it is. There are a couple of different ways people would think about giving Susan access. One is that they have an account and they just give Susan access to the account. For security reasons, I think that is the worst possible situation. There's this idea called the principle of least privilege, and the principle of least privilege, aka principle of least access, another thing I often call it is the principle of least authority, is the idea that you want to give people only as much information as they need. For example, famously here in the United States, there exists this thing called Area 51, which is a military site that maybe has to do with extraterrestrials, we don't know. The point is we don't need to know.
That's the whole founding principle of it, and that kind of security thinking is why only the president and certain other people who have the need to know on that or anything else get to see it. That's why classification happens inside intelligence agencies. WordPress deals with the same thing via what it calls user roles and capabilities. If I go to my Add New User screen, I see at the bottom this drop-down. It is important that you pick good usernames and that you give Susan a good password, but these roles are really the important thing that I want to cover here. On WordPress.org, I can see this Roles and Capabilities URL, I'm just at codex.wordpress.org/Roles_and_Capabilities, and it's got this really, really useful table. We can pretty safely ignore the super admin account because that only exists for WordPress multisite, which is a thing you probably don't have or need to worry about. What is really important is that you can see that an administrator role, which is what my current user is and what most people will have when they set up a WordPress site, has the ability to activate and delete plugins and themes, it can import and export the site, it can remove users, it can do a ton of stuff. Well, Susan probably, unless she is a developer you're hiring, doesn't need all of that access. She probably just needs to maybe manage your comments. That's a common thing on really popular sites. Someone just needs to go in there and manually approve comments on a regular basis. If Susan just needs to moderate comments, an editor role is sufficient for her because she doesn't need the ability to update your themes and plugins, but does have the ability to moderate comments. In that dropdown, you're just going to pick editor if that is the role that Susan will need for you. As we go down, we're getting more and more constricted.
An author basically has the ability to completely create a post, including putting new images and all of that stuff on there. Author is great if you need to give someone access to create a post. A contributor can edit and delete posts. But there is this weird hiccup in the WordPress editor where a contributor cannot upload images. And so then a subscriber is what you need when someone just needs to be able to log in to your WordPress site but needs to have no other access. Membership plugins on WordPress almost always create subscriber accounts for people because none of the common WordPress roles do they need, they just need that account and then the membership plugin adds on other features there. When you need to collaborate with someone, give them the correct WordPress user role. That way, when you don't need them to have access anymore, you can just remove them. That way you know that they can only do the things you want them doing. It's really a pretty simple principle, but it's super, super impactful with respect to security, because if Susan changes her password to be a bad one, you should definitely give it a good one to start. You want to limit the amount of damage that someone who has access to Susan's account could do, and you do that by creating the correct role for them.

6. Backups -- How to Make Them, and Why: Backups are super important. The reason they're so important is because, from a security perspective, if you've been compromised, you have a need for what I would maybe call time security, and a backup provides time security: because you have a backup from a day or a week ago, you have some time security. This is part of the reason that you want what people call rolling backups, where you keep multiple versions over time. Time Machine famously does this on the Mac operating system. There are lots of other programs that do it on different environments, and web hosts actually typically provide one.
I believe that SiteGround, who I have most of my sites hosted with, I believe they store one per week for 30 days and they store one per day for a week. This is really good because it gives you the benefit of, if something went about a week ago, you still have a backup, but it may not be as good as specifically that one. People basically can rely on their host having one of these, but I believe very strongly in the idea that if you back it up one place, you have a copy of it. If you back it up two places, you do actually have a real backup. This is the paranoid person in me. I've had the experience of bad backups when I went to restore, and it was only because I had that second backup available that it saved me. Definitely that's the logic of it. I personally am running a plugin on this site called BackupBuddy, which I think is a pretty good paid backup service for WordPress. Other ones that come to mind immediately are VaultPress/WordPress.com/Jetpack. That's three brands that mean the same thing under the hood. There's also BlogVault, which I've heard a lot of good things about recently. But if you aren't looking to pay, there are a fair number of backup plugins in the WordPress free plugin repository that work. UpdraftPlus is one I have had only good experiences with, where basically you can set it up to shove your data to Dropbox or Google Drive or Amazon S3 or anything like that, and then you have it creating your rolling backups in file stores that you're probably already paying for. If you pay for Dropbox or Google Drive, you have plenty of space there relative to a WordPress site, which is typically, a big WordPress site in my experience is about five gigs, and it only gets that big if you put a lot of media in it or it's quite old. There are tons of other options though and I honestly have no experience with any of them, but I really recommend that, first of all, you want to make sure that your hosting does provide a backup.
Secondly, you want to run a backup plugin. The other advantage of backup plugins is some of them make it pretty easy to migrate sites around if you do WordPress development or any of those things. Not that I'm necessarily expecting that you do. I just think backups are super important regardless of whether or not you have a secondary use for them beyond "I can restore it when my site goes down." That's it.

7. Trust Signals for Plugins: Where we left off in our backup discussion is looking at plugins. A common question is, how do I know that a plugin is secure? Unfortunately, there isn't a way that a non-technical person can easily judge a WordPress plugin's security. The code can be judged by qualified experts, but if you're not familiar with PHP, for example, it's very hard for you to judge whether or not a plugin is secure. The best proxy that we have for how secure a plugin is, is honestly its reputation in general in the ecosystem. It's not a perfect signal. It is definitely the case that very popular plugins, I mentioned Gravity Forms and Revolution Slider and a couple other ones, have had issues in the past. But one of the better proxies you can have for assessing the security of a WordPress plugin, where you can't read the code to judge it because you don't understand code well enough, is really this reputation. For free WordPress plugins that are distributed in the WordPress plugin repository, they give you a ton of useful information right here in this little box at the bottom. This is all stuff that the plugin author creates, where they say what their plugin is and what it does. That's not super high quality with respect to assessing whether or not it's secure or what its reputation is, but this box is. This star rating is just like every other star rating you've seen on Yelp or Foursquare or whatever rating system in the world. I judge any star rating system as much by the quantity of respondents as I do the quality of them.
You'll notice XCloner down here in the bottom right of my screen has four stars and 85 reviews, whereas UpdraftPlus has five stars and more than 2000 reviews. I take that as a good quality signal, that a lot of people have reviewed it and they thought highly of it. That is two good things combined in this little box. The next one is actual active installations. Every WordPress site effectively phones home to the WordPress plugin repository to ask about updates, which we'll get to in a second. When doing that, WordPress collects how many people actively are running the plugin. As you're probably familiar, you can have a plugin installed in WordPress but not active. This is counting the actual active installations of a plugin. If people are continuing to run it, it's probably a good sign that it is good and has a good reputation. Updated is the one that's most relevant to security, because updating is one of the better proxies you have for how much a plugin is actively developed and that they're thinking about its security on an ongoing basis. If they're updating regularly, it's probably the case that if they got a report of a security issue, they would quickly patch it. It's a weak signal, because I know of and recommend a plugin that hasn't been updated in five years where I've looked at the code, I've thought it was very good, and it has all the features I need it to have. As someone who can't go look at the code and assess its quality, I think you do have to trade on proxies like, is this version updated recently? Does it say that it itself is compatible with versions of WordPress? This is self-reported, so you may have issues of incompatibilities even if you see this check mark here. But in general, it's pretty good. Those are the primary signals that you get to use. The other thing is just, are people recommending it to you, either online or in person? If you go to a WordPress meetup, or if you go to a conference, do people talk about a plugin?
If they do, it's a good, again, reputation signal, which is our best proxy as non-code-writers for how good a plugin is. Some plugins aren't even in the WordPress repository. Gravity Forms, as I've mentioned a couple times, is a form plugin that people love, that has a good reputation, but is not actually in here, so you don't get these specific trust signals available to you with a plugin like that. But if you've heard people tell you that Gravity Forms is great, probably it is. You can rely on that as well. Again, reputation is the best proxy we have when we can't assess code quality. It's what you trade on and what lets you have some confidence that this plugin is probably pretty good and probably going to be secure. If it's updated recently, if it has good marks, chances are good that it would be maintained in a way that when someone says, "I found this weird problem where I can actually see all the credentials," they will fix it in time.

8. WordPress Updates -- What to Do and Why They Matter: We talked about plugins and how to know that they're good. The next thing I want to talk about is why you need to update your plugins and also WordPress itself and more. I currently have, in this installation, an up-to-date version of WordPress, and it's really important that you keep WordPress up-to-date. You'll notice that I'm on 4.9.4, and 4.9.4 is a continuation of the 4.9 release series of WordPress. I think that four was a security release, and if it wasn't, three or two or one was. I feel confident about saying that at least one of them was. You need to get each of these because small errors are made in the process of writing code, and it's really important that you update in general because people need time and ability to fix those errors, and WordPress has, in the last few years, made it so much easier to update these things that I really just cannot recommend enough.
Coming to this screen, Dashboard, Updates in your sidebar, and updating WordPress when you get a new version available. It is the case that hosts like SiteGround have now kind of made it a habit of "we will always keep your WordPress version, so this one, the main WordPress, up-to-date for you automatically without you asking," because they understand how important it is for the security of not just WordPress, your specific version, but the entire Internet that there aren't a bunch of out-of-date WordPress installations floating around. It's also important for exactly the same reasons that you keep your plugins, and to a lesser extent, because themes have fewer security implications, your themes up-to-date. Running updates on this screen is super easy. There's one button to update WordPress. If you've got a backup, you're probably going to be in good shape, because rarely will an update to any of these things break anything for you, but that is the most common objection. I'm going to go ahead and hit Update on all of these plugins and they're just going to run through. WordPress is going to make sure and do for you the hard part of downloading the zip file, putting it on the file system and all that stuff. With that, I just updated six plugins. It is pretty easy to do, it doesn't take a lot of time. The paranoid among us will go to the front side of our site and be like, "It still seems to be the same as it was." But you don't absolutely need to do that, it's just something that the paranoid of us will probably want to do from time to time. The reason that backups are so important is for exactly this ability to quickly do the updates without having to think about it. That's why updating is so important and how to do it in very short time. It's amazing, the future of WordPress that we live in today. Cheers.

9. Why/How to Visit Your WordPress Site: So one of the most under-marketed things about keeping your WordPress site secure is simply this.
I have a site called Thoughtful Code and I want to make sure it's secure. So I go to Thoughtful Code, let's say I'm not logged in. I look at the website. These pop-ups are mine. I created them and all the pages otherwise look good. If I go to log in, the login page looks like I expect, and I log in, and everything, hopefully, looks like I expect. I see plugins that I've installed, I see Jetpack that I've installed. I have no updates, and I'm good. Just doing this on a regular basis is one of the simplest things you can do to make your WordPress site more secure. We've already covered why you need to update. Well, when you do this check on a weekly, monthly basis, come in here and hit up all the updates. Come down here and make sure that your backups are running. Come down here and make sure that nothing weird is happening on your settings screens or there's a new thing under the tools menu or something. Just simply doing this stuff of making sure nothing strange has happened, nothing unexpected is happening on your site is so valuable from a perspective of, okay, so something bad did happen. You do have a backup that's recent enough that you don't only have bad backups of an unsecured site that has been compromised in some way. It sounds so simple that it barely ever gets said, but it's so important to just check up on a site. Even if it's something that isn't core to your business, if you care at all about it, you just need to check on it once in a while. It makes a huge difference in the overall security of that site.

10. Security Plugins Overview: There is a large category of WordPress plugins that I feel like we have to talk about with respect to WordPress security and this is what I would generally categorize as WordPress security plugins. 
There are various plugins that either go inside of WordPress or that our service layer [inaudible] situ run outside of WordPress that give you some extra security benefits beyond just not making the obvious mistakes of not updating your WordPress, say having bad passwords and what have you. A lot of them have a free tier, as I mentioned in this chart that I've put on my screen, almost all of these have a free tier. In general, you want to pay for some features on some of them. The best ones all include, with almost no exception, except this one is an outlier, it's not a full-fledged security plugin and is just for audit logs, which ties back to that last video. Audit logs are great if you aren't able to log in to your site regularly; they can give you a sense of what every user on your entire site has done. But in general, with a WordPress security plugin, one of its biggest things is that it will prevent what they call brute force attacks, which is where someone guesses a password a lot on your site, just really tries to hit you really hard, and almost everything that calls itself a security plug-in will block those, in part by blocking specific IPs that it knows are hostile to you. Those are some of the two most common features. A more advanced version of that is what's called a Web Application Firewall. A web application firewall is something that either works on your server or sits between your server and the public Internet and blocks requests that it thinks are bad, intended to do harm. Essentially, things like requests for, "Is this plugin out of date on your site?" A web application firewall can stop those requests before they even hit your server. 
A lot of security plugins offer what they call malware scanning, which is where they will go through and essentially look at all the files on your entire system and check the signature of all your files for things that they consider bad, things that they consider for the distribution of malware, to drive-by downloaders or anything like that. That's what malware scanning does and typically, these are services that you pay for that will look over all the files on your site and do it. Audit logs, as I started to mention, are great for "I don't actually have the ability to watch my site as regularly as I would like, but I want to know what's going on in there." Audit logs are a way where, different plugins do it at different levels, but they will do things like say this plugin was turned on, this plugin was added, this plugin was turned off. Those things can be tracked by software for you and you go in and look at it, and as long as the log has fidelity, which it hopefully does, then you know exactly what's happening on your WordPress site and you also know what isn't happening on your WordPress site. Some of these plugins also give you help with doing more complicated things that might harden your WordPress site. They'll maybe guide you through things like making sure that file permissions are correct or even getting two-factor authentication set up. You've probably had some exposure to two-factor authentication. If you log into a bank website today, chances are good they send you a text message with a code that you have to enter in addition to your password. You can set that up on WordPress and then it's better than just a secure WordPress password, but it is hard to get, it's harder to set up. Some of the security plugins have that feature. This table is how I think and how I've compared WordPress security plugins in the past. 
At some point in 2018 released a site that is just this table because it's really helpful for people, but this is how I think about different WordPress plugins that exist. You might have a friend who already has a copy of Wordfence and would love to add you to their use, their multi-user license, and if that's the case, I think it's really beneficial to have a WordPress security plugin. The one thing I would say though is it's important to realize that all the stuff we've talked about is still very relevant for having a secure WordPress, like even when you install one of these plugins, because none of them do everything that you would want for a site to be made secure. In fact, almost none of them do backups, for example. You still need to think about backups independently of getting a WordPress security plugin as a full-fledged solution. But a WordPress security plugin is a great step you can take that, without too much hassle, without too much slowdown, will almost certainly make your site at least a little more secure.

11. iThemes Security Quick Summary: We just talked about this matrix I've made of different WordPress security plug-ins. Really quickly, I just want to highlight what the experience of one of these is like. As I mentioned, they vary a fair amount. Some of them include a web application firewall, some don't. I've chosen to highlight real quick iThemes Security. It's not the one that I think you absolutely need to have. I think every single one that I have in this matrix is good for various reasons. It's just happening to be the one that I've got installed. I've set up iThemes Security, I've just installed and activated the free plug-in and it's checked that a lot of things are good to me. Database Backups on, Brute Force Protection is enabled, Magic Links are enabled. I've set this plug-in up to be essentially secure enough that I'm happy with it. I can run different things like my security check. 
I can also turn on what's called an Away Mode, which is a way where only during scheduled times can anyone log in to my WordPress site. I can enable file change detection, which is great for exactly what we've talked about, where we want something to alert us that someone has tried to change a file, say, by hacking an out-of-date plug-in, or something like that. So all of these things, these individual steps in iThemes Security, are good practices that you can do. They have some advanced ones and some recommended ones. It takes care of all the different steps for you and helps you explain a little bit more about what they do. What's really great about iThemes Security in particular is the screen is relatively user-friendly. It is user friendly in the way that a developer has built it a little bit, it is a little, I think, not super intuitive. I wouldn't argue that this is the greatest interface of all times, but it's pretty good. What's really nice about it is, it just gives me quick checks about how am I doing security wise and what further steps can I take. I don't think you need to use iThemes Security, I think any of the ones I have in this whole matrix are a good step and give you some benefits that we covered in the last video. But iThemes Security is one of them, and it shows pretty clearly to me some of the good and the bad of a security plug-in. I do have automatic logs of various events. Since I just turned this on, I already have it. I have it empty, but since I just turned this on, it's currently empty for me. I know over time these will build up as more and more people use the site, control things in an orbit. Just I make changes to the plug-ins that are on and off. It's really good to have this sense of added beneficial security that I get almost for free, but it is not a complete solution. I still need to make sure that I check in on my site regularly, make sure that I'm running backups, because the plug-in itself doesn't do those things for me.

12. SSL Part I: What and Why: If there's one thing that most people regard as fairly synonymous with security online, it's this green-lock icon. This one's in Firefox. But most browsers will do a similar green-lock icon regardless of what they are. My website that I've been playing with for this course is called thoughtfulcode.com, and you'll notice that I've got an HTTPS here at the beginning of its address, and I've got this green-lock that says I'm on a secure connection. This is called SSL or TLS or HTTPS variously. If I click more information here, I can see that I have a Let's Encrypt certificate, which is a free consortium that gives free certs, that my certificate that verifies that essentially it secures the connection between my visitors and me. Expires on May 31st, 2018, that I've gone to this website a whole bunch of times and so on. I can actually see in here the certificate. The big thing to know about this certificate is that it's got essentially a fingerprint in a way to trace back the origin of this whole, the security of our connection, essentially because of this SSL certificate. You've got various ways, no one ever digs into these typically, of assessing the validity of certificates. What a certificate allows for is basically the connection between me as a visitor on a home network connection and the security relative to this thoughtfulcode.com domain and server. That connection between me as a home user and that remote website is secured via this little padlock icon. This is really important for e-commerce, for example, because it almost verifies in a robust way that no one can snoop, even on public, not very secure Wi-Fi connections. Your connection to, say, your bank, if you're using HTTPS and you have a valid certificate in there, is much more secure from people prying on the hops that your traffic inherently takes through the internet. 
That said, this green-lock icon doesn't verify that I haven't been, the site can't force malware, or that it doesn't make sure that the site hasn't been taken over, that it isn't showing ads, like all of the things we've covered so far about why security matters on your site. About why it's important to check on your site. About why it's important to have backups. None of that is verified by this secure lock thing. That's all totally separate from it. Quickly, if I think of a bank, U.S. Bank is a big one. They have what's called an extended verification certificate. Their name is there and that's actually the name of a legal entity. If I click through their certificate a little bit more, it says that they're in Minneapolis, Minnesota and that they were verified by Entrust Incorporated. That is stuff, those are further features that you can get on an SSL certificate that I don't have on mine, because mine's basically just for that encryption layer rather than, U.S. Bank, if you go to usbank.com, you see this certificate. Whereas it would be very hard for a hacker to, not to get a certificate, to actually be verified to say U.S. Bank National Association US, and that's a lot harder for an attacker to do than to just make something that looks vaguely like the correct URL here. That is basically what SSL certificates do and what they're good for. You can have a WordPress site that is not secure because it's got old code, because it's not running a patched version of WordPress. Like, that totally happens and is independent of that HTTPS thing; all that HTTPS is about is that connection between a browsing user and your server. It's important, especially for e-commerce sites, to have HTTPS connections. It's honestly increasingly regarded as a good practice for everyone on every site always to have. Because not only from that insecure coffee shop Wi-Fi perspective, but also from like government snooping and other perspectives. 
It's a good idea to have HTTPS, regardless of what you're doing with your site. But it's not absolutely required and is not complete security. It's just helpful, and so in the next video, we'll talk about how I will set that up on one of my sites so you can see the process of how I've gone from having a non-HTTPS connection to an HTTPS one. We'll do that.

13. SSL Part II: Setup for SSL: The Thoughtful Code site I've been using to demo everything so far is already on an HTTPS connection, so it's not a very good thing to show off to you how you would move a site to HTTPS because it's already there. I have this old site, which in my browser has no green lock icon. I see no HTTPS, and this is hosted at Bluehost, which is a very reputable and very large, more importantly to me, Web host. I'm going to try to use whatever setup Bluehost has to upgrade this domain to be HTTPS and we'll see what happens. If I come in here, and this is what they call a cPanel, it's got a lot of icons and there's a security pane down here, which I noticed has an SSL on it. If I go in here, I know that they are offering what they call a WordPress free SSL. I think this is similar but distinct from the Let's Encrypt certificates that I am using on Thoughtful Code. I'll go ahead and pick my domain out of there and I'm going to click get started and we'll see where this goes because I don't actually know. All right. So it'll protect linkbanana.com. That's perfect and I'm going to install. Well, it's installing. I will mention, Link Banana is kind of like my version of Kottke. If you've ever seen kottke.org, it's like some random guy's collection of cool things. I love it. It's a fun site. "You have successfully ordered a free SSL. If your domains can be verified automatically, you can expect the new certificate to be installed soon. If not, you will receive an email with instructions." All right. Hopefully we're in the process there because I think we should be set up. 
Let's go ahead and log in to the site that I haven't in. To my embarrassment, there will be plenty of login opportunities here. Another reason to get HTTPS is that, increasingly, browsers are telling you that you shouldn't enter any login credentials on non-HTTPS forms, and this is very reasonable on, you know, open networks like coffee shop Wi-Fi, where someone could snoop. If they do intercept the request that involves your username and password, they can see it, it's transmitted roughly in a pretty backwards compatible way, so they can see that. So it's bad. I'm going to dental around a bit. I can see that I'm out of date. I'm currently on WordPress 4.9.3. So I want to update to 4.9.4 while we're waiting. Okay. It seems that I'm all set up to get this SSL from Bluehost. They're obviously trying to upsell me, but I'm not interested. While we're waiting. Bluehost is working away on the security of my sites right now, but I've just had some progress updates. I went for a little walk and got ready for the weekend and it still is showing me pending here, but I decided to try what happens if I go to HTTPS. What happens is that my WordPress site is now basically updated to work on HTTPS. If I look here, I'm seeing that I'm on a secure connection. I notice that this is a Comodo certificate rather than the Let's Encrypt one that I have on Thoughtful Code. But just by using their setup, their dashboard, and waiting a little while, it did require some patience, I will not lie to you, Bluehost has upgraded my site to use HTTPS. Most good hosts today will be using a similar "we will automatically transition you" setup as what Bluehost has here. It's basically a matter of, it will be a different interface because this exists outside of WordPress. I can't show you a single WordPress interface. I've shown you the Bluehost interface, which is one I have easy access to on a site that I needed to upgrade to HTTPS. 
It is worth mentioning that now that I've upgraded to HTTPS, certain things might not work in the way I expect. Google Analytics and that whole suite of Google Webmaster Tools comes to mind as something where you might have to explicitly go in and manually change it to say, my site is now HTTPS rather than HTTP, but on the whole, suddenly I've got that greater security between all my visitors and my website. My logins are more secure when I submit my login form and all of those things are great benefits of upgrading. If you're on GoDaddy or SiteGround or anyone else, the upgrade process might look a little different, but I highly encourage you to get on HTTPS if you can, and in general, it's just a matter of finding the right support docs or the right support agent at your hosting company to help you with that transition.

14. Final Step: With that, I think we've covered all the key points that I think are essential to understanding the security of a WordPress site as a non-developer. I think that HTTPS is really vital for instilling trust, and for a good reason. I think that security plugins give you such a leg up with respect to just that core experience of WordPress as secure. If you do the core things we talked about; I'm going to get plug-ins, make sure you stay up to date, and having backups, you can trust that that WordPress experience will be good for the long run. But security plugins give you that leg up of knowing that someone else has thought even harder about what other things you can do to make that site more secure and is helping you out along the way. We also talked a little bit about why having password and user role control is so important in WordPress, and how easy it is to do, because as long as you give all your friend, Frank, who you're giving access to your site. As long as you give him his own account and make him have a good password, you're pretty much all the way there. 
We also covered why every WordPress site has security risks, because it's on the internet and nothing more than that. The parting thing I want to leave you with is the understanding that WordPress security, while it is a series of steps that we've covered, it is also an ongoing process, and the threats will change and you cannot trust that the things that you do today will not be insufficient at some point in the future because quantum computers come and have breached every password on the internet. Those things can happen. The last thing to really keep in mind about security is that it is not a single process in time. You need to keep doing it all the time. Hopefully, with this class you now feel confident that your existing WordPress site is totally secure. You are happy to say, "Hey, hackers, come after me." Because you trust that WordPress itself is secure and you've taken the right steps to make it so. But I just want you to keep in mind, security is premised on an eternal vigilance. I know it would be better if I told you, "You can just relax and you're all good now, you don't need to worry about anything." But one of your plugins will, in the next five years, almost certainly have been found out to be insecure, even though you selected wisely. It's just almost inevitable because these are human endeavors. As long as you're aware of that and cognizant of it, you'll do great. You'll be updated in plenty of time but you just have to remember that no process of security is ever complete - that's an ongoing mission. With that, cheers and good fortune.