7 Security Tips for your WordPress Website

7 Security Tips for your WordPress Website


Hey, y’all. Welcome to another
WordPress Wednesday. My name is Kori Ashton. Today I want to walk you through 7 awesome things that you can do today to actually go back to your
current website, make some changes, and be sure that you have great
security in place. It’s super important that you do
these things. They’re things that you might not have thought about.
Maybe one or two of them, but maybe not all of them.
They all can make a great difference in your WordPress website. Before we get started,
just want to give some love over here to three of our incredible
partners. WP Engine is an awesome hosting company. I’m going to
talk a little bit more about their services later on in this list because
they’re hosting provides incredible security that really will help
tighten up your website and be sure that nobody is getting into it. WP Elevation. If you’re an
entrepreneur, a freelancer, somebody using WordPress to
make a living, you need to jump over to their website. Check out
their different tracks. Invest in all of their awesome resources
for you because it’s going to make a difference in your company,
how you sell you product, how you offer your services. WP 101. If you’re doing WordPress
tutorials, you’re trying to watch through some YouTube tutorials,
maybe you’re not finding the quality that you want (other
than our channel, I’m sure) but maybe you’re not finding
the exact quality you want. Jump over to WP 101.
You’re going to find some incredible, up-to-date
tutorials. Just an incredible, fantastic team over there.
Check them out. Tell them Kori Ashton sent you.
I would appreciate that. That’s kind of how I show them
my appreciation for what they do for us here at WebTegrity. 7 things. Here we go. 7 things that you might not
have thought about. The very first one … You’re probably
wondering why I’m not mentioning updates first. Updates is going
to be our second one. Our very first one is your
user name and password. Whenever you establish your
account—whenever you start to build your WordPress website—
you’re going to be entering in your user name and password.
If that is something you’ve set to a generic mindset, or very
easy to hack user name and password, you’re going to get hacked.
You might think to yourself, “Why would anybody ever want
to hack my website?” You might say, “I have a website about cats
who like blogging. Nobody would ever think about hacking
my site? It doesn’t matter. There are robots out there geared
to look for outdated WordPress websites. There are hackers out
there looking to just be malicious and cruel and take over your
website. It doesn’t matter if you think, “I’m an obscure website.
Nobody is ever going to bother me.” I promise you, if you leave these
seven things that I’m talking about untouched or untended to,
you’re going to end up with a broken website at some point.
I want you to be sure that your user name and passwords are
set in place. You certainly don’t want to be using Admin as your
user name. And you certainly don’t want to have password123 or
ABCD or 123456 or whatever those passwords are that generically
get set. You want those to be locked down and tight. That’s one of the
new updates that happened in 4.3. As you can see, our website is
our of date on the updates. That is my second tip. We want to
be sure and go in and have all of our updates in place.
Let me shrink down for a minute so you can watch
the screen a little bit more. It’s saying that 4.3.1 is out.
That actually was a really huge update needed for security
purposes. They released it with an alert saying, “Please update now.”
You want to be sure to click update. Before you do all that though,
of course, you want to have backups in place so that we know
our website is secure again, and that we know we’ll have a backup
in place in case anything goes wrong or breaks. 4.3.1: Super important
that you get here if you’re not already updated to this level. There’s been a big
security issue that was release notified. Please be sure to go in, have a
backup in place, and click update. Once you do that though, now in your
profile area, they’re giving us the ability to generate a password. Whenever you
generate that, look how long this is. They’re not expecting you to remember
it. They know that you’re computer will do that for you, or that you
should be having a system that allows you to remember to automatically
save that password. They need something in your database that is locked down,
difficult for hackers to be able to get in and have. Be sure that you’re
accessing this so you don’t have to try to figure out a long involved one.
It will do it for you now. User names and passwords:
be sure that they’re tricky. You also want to be sure that all
your updates are in place, not just your core, but also you
can see this alert. It says that I have two plug-ins that need to be
updated. I want to go ahead and be sure that all of our plug-ins at all
times are completely up to date. Again, you want to be sure that
you have a backup in place so that in case any of these updates, by chance,
would break your theme or your website, you would be able to revert back
very quickly and be up and running without any down time or any loss
of edits that you may have made. Now that all of our updates are in
place. It’s still saying I have two updates. Let’s go see what it’s griping
at me about. I think I’ve got some Themes in here. Okay. So. I’ve got
some Themes sitting over here that I have installed on our server space
that are just needing to be updated. It’s not a bad idea to keep these
up to date. They’re still files that are sitting on your server space,
so it doesn’t hurt to come through here even if you’re not using the
Themes. Either remove them completely, or go ahead and update
them since they’re sitting here with their most current secure version
on your server. I do recommend having at least one extra Theme
sitting here. We’ve talked about that before for security purposes.
In case anything were to happen to your current Theme, you can
easily activate your other Theme and you’re back up and running
and at least have an access point to get back into your website
in case it breaks. Argh. That’s always frustrating. Some people ask me,
“Why are you always looking down?” I try to do these tutorial videos
in a one-take wonder so that I’m fast for you, so I have notes.
That’s why I’m looking down here. I can’t always remember things. I do want to talk about your
comments and your spam. A lot of people, especially if
you’re using your website as a blog, struggle with having a
lot of spam hit their comments area. There are some things you can
go into with your settings. You can go into Settings and
go into Discussion. You can just read through these things.
You need to see that it starts over here. The sentence starts on the left side.
This is a little difficult because sometimes people just read down through here.
It says, “Anyone can post a comment.” Yes, we want anyone to post a comment,
but that’s not the full sentence. It says, “Email me whenever anyone
posts a comment. Email me whenever a comment is held for moderation.”
The sentence starts here. Read through all these. Be sure that “Before a comment appears,
comments must be manually approved.” You can click that. You can do all sorts
of things where you’re hiding certain comments if they contain certain
words. You can black list certain comments with any sort of words.
You can require that the user have an account and be logged in to comment.
You can require all these things. I would just suggest go through here,
see exactly how you want to work these, and make those suggestions, and
click Save Changes. And, also, any comments that do come through,
be sure that you’re moderating them. Go to your Comments section and be
sure to approve or spam them. You’ll have a whole list here and
typically an alert that says, “Yes, approved.” Or “Yes, we should
trash that comment.” Okay. Keep that in place. If you’re using comments in a comment
section, or you might have a contact form as well, what I would like to
suggest you do is a lot of people don’t like the captchas. You know
those things where you have to fill in the numbers for the code and
prove that you’re not a robot, that you’re a human. One of the things
that Gravity Forms has … If you don’t know what Gravity Forms is, check out
our tutorials. I’ve got a whole list of Gravity Forms videos that you
can figure out this awesome premium forms plug-in. You can go to Form
Settings. Each individual form you have to do this. Go to Form Settings and
there is an anti-spam honey pot. If you click that and enable that,
what it does is (it will tell you right here if you hover over the little
question box here) it will tell you that it basically gives you a hidden
field that robots don’t realize is hidden. The robots will fill it out.
And you’ll know automatically that it is a robot instead of a human
and it will trash it/spam it and not allow it to publish. That’s brilliant!
And well worth the premium price that you pay for Gravity Forms. The last few things that I want to
run through. We want to talk about a plug-in that you can throw on your
website. It’s a free plug-in. It does have a pro version but it’s
phenomenal even in its free version. You’re going to go to plug-ins and
add new. I’m going to slide off the screen so you can just watch
and see exactly what I’m doing. You’re going to do a search plug-ins
for Sucuri. That’s the name of it. You want to be sure and get the one
that has the 100,000+ installs. You install that one. And walk through
all the settings and be sure that you’ve got this locked down, in place.
It’s totally free to use. It does have an upgraded version, but this is
phenomenal. Immediately you’ll start to be able to run tests and be
sure that your website has not been hacked, that you don’t have any
malware sitting on your site, and that everything is good to go.
You just have to generate an API key. Again, it’s free though for
you to do that. That’s a great plug-in that we highly recommend. The other
thing that I wanted to mention about is WP Engine. If you don’t have really
great hosting in place, they’re not going to alert you to things that are
going on in the WordPress world. That’s why we love WP Engine.
I’ll take you over to their site really quickly so you can see
how incredible they are. These guys are just fantastic.
They only do WordPress websites. Their server support guys are just
amazing. If you have any questions, you can come over here to the Chat
and start chatting with them. It is more expensive than an average
$5 [US] hosting. It doesn’t matter though. This alert that came out that 4.3.1
that was a huge security alert, they automatically pushed through
all the updates on our websites that we knew for a fact that they
were locked down and secure. If there’s a plug-in out there that
the WordPress world alerts and says, “Hey. This plug-in is now susceptible
to hacks. It’s bad if you’re running this version,” WP Engine watches WordPress
and they will lock down that plug-in. Or send you an email really quickly
and tell you, “Hey. You’re using that plug-in. Did you know that it is
susceptible to hacks? You need to update.” It’s fantastic service. Well worth the
invested money. If you’ve ever called your hosting company and they go,
“I don’t know how to help you. That’s a WordPress issue.”
That conversation will never happen inside of WP Engine.
They will always tell you, “We know exactly what’s going on.
Let me help you.” because they only know WordPress. That’s incredible, right?! We love them. They’re amazing. If you don’t want to change
hosting companies, I’m going to challenge you to go after a secure
socket layer, or SSL (secure server license). Whatever you want to call it,
that’s what you need to go after. It’s about $50-$80 [US] a year.
Invest in that. Put that on your website. What it’s going to do is it’s going
to change your address to be https:// and then whatever your
domain name is. It puts a secure lock around your website so that
any sort of interaction that happens on your website—somebody sending
you an email, somebody typing in their contact information, somebody
typing in a registration form or a credit card or a donation amount—
all that is now a secure transaction coming through email. Really important
to have that on your website. Google likes seeing that as well. Last but not least, the 7th thing
that I want to talk to you about is your backups. That’s another reason
why we absolutely love WP Engine. They’re allowing you to do all sorts
of really great stuff when it comes to backing up. They automatically
backup not only your files but also your database. You can set that to
be backed several times a day, or daily, or weekly, or however
often you’re making changes and you want to have a fresh backup
in place. You can set that up automatically to happen with one
click [snap of the fingers] you can restore your website back to where
it was. No more freaking out about “I’ve lost my website!”
They’ve got a safety net in place that’s just phenomenal.
If you don’t want use WP Engine, I’m going to give you a free opportunity
with a plug-in called Updraft Plus. Let’s go over here and Add New.
You’re going to be looking for this plug-in: Updraft Plus is the name of it.
It is free. It does a backup for you. It’s pretty fantastic. I’ve got to say
it has saved some of our clients who are not hosting on WP Engine.
Pretty fantastic. Plug that in. Walk through the setup on that.
And be sure that you have a backup in place. If you love this video, be sure to click
this little bitty Play button right here. Click that. You’re going to subscribe to our channel and every single Wednesday
we’re going to be releasing a really cool WordPress video for you to
watch and hopefully help grow your website. If you have any questions,
be sure to put them in the description box below. Share this video. Help us out.
We’re going to keep coming back every single Wednesday. Have a great day, y’all. Bye bye.

About the author

Comments

  1. Hi Kori, I have been tuning into your Vids for a while now. Learned a lot a lot on the Gravity Forms series – even although I have been using them for a while!! Great tips on security. Thanks.

  2. Hey Kori, you did not explain how to change the username if we did use admin. I researched it and found out how to do it, but you may want to add this info to this video. 😉 Thanks for the great info!!

  3. Hi, I know this is not exactly WP related, but how do you record your video and screen? That's pretty cool that you can move yourself in and out of the screen. What kind of program is that? Is it free?

  4. I've gotten notifications from Sucuri about brute force attacks on my website, which I have neglected. Is this related to the security update you mention? Since my website is not really in active use right now, should I shut it down for a while?

  5. would you know why this is showing on my site Warning: mysqli_num_fields() expects parameter 1 to be mysqli_result, boolean given in /home4/dvojce/public_html/wp-includes/wp-db.php on line 3021

  6. Your advice on Updraft. The only problem is if the website crashed you often dont have access to the CP hence you dont have access to Updraft to restore website.

  7. Kori, I am SO THANKFUl for your help – i get you are affiliate but i am feeling SO FRUSTRATED at moment. I took advice went to WP local meetup, talked about SSL …just did with siteground (wildcard ssl) and they messed it up! no padlock, not displaying www, ..you get the idea. I hope to make some money from my site (and help people), and may switch to WPengine on their cheapest plan next year, do you know if it includes SSL wildcard? what you say at 9:49 is SO IMPORTANT people! for newbie with 3 posts, it shouldn't be this hard. I want to make things better.

  8. Kori, thank you VERY much for recommending succuri, it's so strange, someone has tried all night from 3:30am-8:30am to login in site thanks ot succuri fo telling me now, do you have advice what do when this happens?i m asking sitegroudn but another video on ok so you isntalled it,and now its being ATTEMPTED 9not happened) what to do about it. 🙂 nervous…

  9. I use hostgator for my hosting and am somewhat disappointed in what they told me. I contacted them about updating MySQL and since I am on a shared server they said that they would not be able to do that at this time because it would affect all the other customers on the server. Ok..no problem. Since I am new at this I asked what do I do now since my woocommerce plugin needed a more updated MySQL. They said…why don't you just use an old version. I questioned them about wouldn't pose a security risk? They said…well, we don't think so. We have not had any trouble so far. I am new, but I at least understand using the most up to date software will help for security purposes and is essential for my ecommerce site, right? or am I not understanding something….that would not be the first time..hehe

  10. What does this mean this is in my settings 404 Redirected: There are 2063 captured 404 URLs that need to be processed.

  11. I always love you and your videos.I'm facing some problem that hackers are constantly attacking my website by hacking through wp-config.php. So my question is how to protect your wp-config.php from hackers ??? They can easily hacked web through that source 🙁

  12. This is the fitting weblog for anyone who needs to find out about this topic. You understand a lot its virtually arduous to argue with you (not that I truly would wantHaHa). You undoubtedly put a brand new spin on a topic thats been written about for years. Nice stuff, simply nice!

  13. Great video on WordPress Security. We liked the different suggestions you gave to strengthen security and the suggested plugins. We also like to use the Wordfence plugin for additional security.

  14. I am currently with Bluehost and they have an affiliate called Site Lock. It is like $599 a year. Is their really necessary for me if I do all the things you say above and use like a simple Carr like PayPal me or PayPal links?…by the so not happy with Bluehost

  15. Hola Kori, Thank you for your awesome work! It does help everyone a whole lot. I know this was posted a while back but I am doing my refresher courses, so I am not sure if you will still get this question, so after you update core and themes and plugins, when is your recommended time to flush cache? Thank you and love your videos and energy!

Leave a Reply

Your email address will not be published. Required fields are marked *