00:00now if you're a WordPress user you'll
00:01know that security is a very very
00:03important thing lots of Wordpress sites
00:06get hacked every single day which is
00:08understandable with 43% of the internet
00:10powered by WordPress this has already
00:13been brought home recently with what's
00:14happened with quickly and with bricks
00:16Builder no disrespect to those guys they
00:18acted incredibly promptly and updated
00:20the software accordingly but it does
00:22bring home the need for security when it
00:24comes to Wordpress and just a little bit
00:26extra peace of mind now first of all let
00:28me quickly say I am by no means any kind
00:31of security expert what these recent
00:33events have done is they've made me look
00:35into and reinforce what I do on a daily
00:38basis with my websites and what I want
00:40to do in this video is just go over some
00:42of the things that I think you should do
00:43I'll give some software recommendations
00:45where I think appropriate but please do
00:48your do your own due diligence and if
00:50anybody knows that anything I say isn't
00:52100% correct or there's some nuances or
00:55they just want to expand upon what I've
00:57covered please do put comments in the
00:59comments section down below and I will
01:01collect and pin those just to make sure
01:03that everybody can check out that first
01:04comment and get as much useful
01:06information as possible okay so without
01:08further Ado let's take a look at the
01:10eight different areas that I think we
01:12need to address to help improve the
01:14security when it comes to Wordpress so
01:17number one good quality hosting with
01:19security measures in place I think this
01:21is probably one of the most important
01:23things because if there's one thing I
01:24learned from the comments around the
01:26recent problems that we've had with some
01:28of the tools that I use lots of people
01:30that had great hosting companies that
01:33proactive didn't have any issues
01:35whatsoever so it just highlights the
01:37fact the good quality hosting is vitally
01:39important but there are a couple of
01:40things I do recommend you look out for
01:42when you are looking for hosting or if
01:44you want to review your current hosting
01:46to see if they up to scratch for what
01:48you need for security first of all you
01:50do need to make sure that they have some
01:52type of WF which is basically a web
01:54application firewall this is more at a
01:57server level you can still put things on
01:59your own website and we'll come on to
02:00those a little later but a server level
02:02application firewall is going to be more
02:05effective than having a plugin sitting
02:07on top of Wordpress I'm not going to go
02:09into technical details why this is the
02:11case but just consider the fact that if
02:13you have a host that has a web
02:14application firewalls part of it that's
02:16going to give you an extra level of
02:18security that you may not get by using
02:20standard plugins next up you want to
02:23make sure that any of the sites that are
02:24on the server that you're using whether
02:26they're your sites or the other people's
02:28sites are siloed now what exactly do I
02:30mean by that well Silo basically means
02:32that each one of them is an
02:34independently protected website so if
02:36something happens to one of your
02:38websites all of your other websites
02:40don't get affected this is something
02:42that incredibly important to make sure
02:44that you have included as part of any
02:46hosting company just means it gives you
02:48another piece of mind that if one of
02:49your sites or a couple of your sites get
02:51hacked or insecure all of your sites
02:54don't get affected thirdly when it comes
02:56to hosting companies make sure that you
02:58have regular updates it's a bare minimum
03:00you want to have a daily update in place
03:02because sometimes it's too late your
03:04site has been hacked and the only way to
03:05get everything back up and running is to
03:07find out the last date that there was
03:09nothing wrong and then roll back to that
03:12and update accordingly that way you cut
03:14out any issues in between and again this
03:16goes hand in hand with that Silo side of
03:18things if you've got sites siloed if one
03:21gets compromised you know you can roll
03:23back to where everything was okay and
03:25other sites are not going to have been
03:26affected and therefore you don't have to
03:28go and retrospectively go and a or
03:30backup all of those sites moving on to
03:32my second point this goes hand in hand
03:35what we've just said this is having
03:36backups now you've already got your
03:39hosting company doing daily backups for
03:40you which I hope you have anyway next
03:43you want to make sure you've got another
03:44line of defense which basically means
03:46you have something on your own account
03:48inside your own website that's doing
03:50backups automatically I use wpv Backup
03:53Pro and I have this set up on my sit to
03:55do daily backups that are pushed to
03:57cloud storage off the server why because
04:00if something happens to the actual
04:02server itself then your backups could
04:03become corrupted or we're still lost so
04:07if you've got something that takes a
04:08backup on a daily or hourly basis if you
04:10have a very busy site and it's offsite
04:14in cloud storage if you had to move your
04:16site restore the server whatever it is
04:18you've got an independent backup copy of
04:20that that you could put back online very
04:22quickly even if your main backups inside
04:26your Hosting account have been corrupted
04:27or lost next the agenda point three is
04:30to have a security plugin like solid
04:32security this also ideally would have
04:35some type of firewall included but like
04:37I say you're still always better off
04:39having that web application firewall on
04:41your server as well what we're trying to
04:43set up here multiple lines of Defense
04:45not just one hopefully to catch all
04:48everything solution because I don't
04:49think there is one you need multiple
04:51lines of Defense to help if one gets
04:53compromised you can still have
04:55additional lines of Defense in between
04:57and like I say worst case scenario
04:58you've got fresh back CS stored over the
05:00last 10 14 28 days that you can roll
05:04back to should you need to but making
05:06sure you have something like solid
05:07security installed gives you very useful
05:10tools including things like monitoring
05:12file changes two Factor authentication
05:14which will come on to a little later
05:16lots of different options included and
05:18like I said if you got a firewall even
05:19better once you've got those set up
05:22you've got a nice line of defense but
05:23again these all work in conjunction with
05:25each other always keep that one in mind
05:28so two Factor Authentication what
05:29exactly is it and why should you use it
05:31well my tool of choice solid security
05:34has two Factor authentication included
05:36in it and what this basically means is
05:38when you go to log into your website
05:40you'll have one of a couple of different
05:41methods of confirming it to you it could
05:44be something as simple as you put your
05:45username and your password in and then
05:46it will send you an email with a
05:48dedicated code that changes every few
05:51seconds or every time you try to log in
05:53you have to put that code in before you
05:55can access the site another way of doing
05:57it is you can have authentication apps
05:59on your your phone and this will pop up
06:00a little sort of QR code that you have
06:02to scan in and that will confirm that
06:04it's you there's various different
06:06methods in which you can use two Factor
06:07authentication but I do highly recommend
06:10you have this as part of whatever setup
06:12you have again it's another level of
06:15security that you have in place to
06:16complement all the other ones you put
06:18into place as well now let's go back to
06:20firewalls because firewalls as their
06:22name suggest will help to block incoming
06:25kind of attacks and so on and various
06:27different things that are being done to
06:28try to get access to your website and
06:30find vulnerabilities that may be there
06:32especially when it comes to plugins
06:33themes or maybe even server level
06:35insecurities that you may have in place
06:38this is where another level comes in
06:39handy and this is a very popular way of
06:42handling things it's called either 6G or
06:457g or now 8G firewall and these are
06:48basically a set of rules that handle a
06:51lot of different ways that your site is
06:52tried to be accessed via the URL and
06:55various different methods and you simply
06:57add this to your HD access file it's
06:59totally free doesn't cost you a single
07:01penny takes no more than a couple of
07:03minutes to set up and it adds in a lot
07:05of additional protection like I say
07:07adding this to everything else is where
07:09the benefit comes in it's totally free
07:11it's very simple and if you want me to
07:12show you exactly how to do it let me
07:14have a comment down below I'll take a
07:16look at creating a quick video to show
07:17you exactly how to get everything set up
07:19using either 6 7 or 8G firewall 8GB in
07:23the latest at the time of this video now
07:25another tool that I brought into my Tex
07:26T very recently that gives another level
07:28of security and peace of mind is patch
07:31tack now patch tack is well-renowned for
07:33knowing about vulnerabilities and so on
07:35informing the developers making sure
07:37they get things patched and then
07:39notifying their users before they make
07:41it publicly available is it perfect
07:44absolutely not nothing like this
07:45actually is but it does give you an
07:47extra layer of security because not only
07:49can you use this to have hardening like
07:51IP block lists and advanced Hard in like
07:54using the WordPress mod just to handle
07:55various different things as well as
07:56generic oosp it gives you vpack patching
07:59now V patching is very useful you can
08:02use this to automatically patch what you
08:05want in your site if there's a
08:07vulnerability in it it's an optional
08:08option you don't have to enable it and
08:11you can set it on a site by- site basis
08:13but what it means is for example with a
08:15bricks vulnerability was recently once
08:17that update was brought out if I hadn't
08:19seen the email wasn't checking I could
08:20have been on holiday or something I've
08:22got it set up that is there any
08:23vulnerabilities on any of my sites being
08:25monitored by patch Tac it will
08:28automatically install all that updated
08:30plug-in theme whatever it is or core to
08:32make sure that I've got that in place
08:34and I don't have to worry about it now I
08:36can set that up to be for themes and
08:37plugins and so on for just general
08:39updates as they come out but as a bare
08:41minimum I've got this set up to do the V
08:43patching side of things so this adds an
08:45extra layer of protection alongside the
08:47sort of options for firewall hardening
08:49and so on there's a lot of different
08:51things inside you I've done a video on
08:52this which I'll link in the description
08:53so you can check that out but that's
08:55another tool that I've added into
08:57another layer of protection to our
08:58website sites now talking about the
09:00plugins and so on and updates the most
09:02important thing you can do when it comes
09:04to Wordpress is make sure that you have
09:06all of your themes your plugins your
09:08WordPress core are all up toate why well
09:11because as we just already talked about
09:13there's always vulnerabilities WordPress
09:16is notorious for having vulnerabilities
09:18when it comes to plugins and themes
09:20outdated plugins plugins and themes that
09:22are no longer being supported or being
09:24actively developed there's a million
09:25different reasons why but if you've got
09:27plugins that are no longer support
09:29get rid of them find Alternatives or
09:31unfortunately maybe lose that
09:32functionality but as soon as the updates
09:34come out take a backup of your website
09:37and update if you can now obviously this
09:39isn't always ideal or perfect so you may
09:41have different plans in place but it's
09:44always worth bearing in mind even if you
09:45don't update there and then if there's a
09:47known vulnerability bypass what you do
09:50normally and update that plugin but make
09:52a backup beforehand a manual backup so
09:54you can test it out even use a stageing
09:56site if you got the time to do it but
09:58try to keep everything up updated it's
10:00most one of the most important things
10:01you can do when it comes to Wordpress
10:02and finally some basic Good Housekeeping
10:05don't use things like admin for your
10:06username don't use silly passwords don't
10:09use easily recognizable names and things
10:12like that try to use things that are
10:15obscure you know minimum of like eight
10:17characters of uppercase lowercase
10:19numbers and symbols for example for
10:20passwords the longer the better the more
10:22random the better and what I would also
10:25recommend is making sure that you have a
10:27plug-in like solid security does this
10:29that enforces the use of strong
10:32passwords doesn't allow to use
10:33duplicates you can have ones that'll
10:34check for compromised passwords and then
10:37if you try to use that password whether
10:39you it's yours that's been compromised
10:40or not it will tell you you can't use it
10:42and you have to pick something else same
10:44thing goes for Unique usernames or
10:46unique sort of nicknames when it comes
10:48to Wordpress lots of different ways you
10:49can handle this solid security does it
10:52for you but you can probably find
10:53plugins that also enforce their side of
10:54things but combining all of these types
10:57of security measures in place which may
11:00seem absolute Overkill but the whole
11:02point is to have multiple different
11:03layers and once you set these kinds of
11:05things up create your standard blueprint
11:08website with all these things basically
11:09set up even save out the standard sort
11:12of settings that you use with them and
11:14you can get all this up and running in a
11:16matter of 10 15 minutes and your site is
11:18probably more secure than it probably is
11:20now for 99% of users out there at the
11:22moment that don't necessarily know or
11:24understand the security things we have
11:26to put in place anyway as I said at the
11:29top of the video if anything I've said
11:31could be expanded upon improved upon let
11:33me have in the comments down below and
11:35like I said I'll combine these and pin
11:36them to the top of this video and then
11:39you can check those out to get
11:40up-to-date information should you need
11:41to hopefully you found this useful all
11:43applicable links are in the description
11:45my name is Paul C this is WP TS until
