1
00:00:00,540 --> 00:00:05,640
In this video you'll learn about protecting your Wordpress sites with an additional layer of monitoring

2
00:00:05,640 --> 00:00:08,310
and security settings using plugins.

3
00:00:08,550 --> 00:00:09,740
Will open the live site.

4
00:00:09,740 --> 00:00:14,490
We've been working on in previous chapters and add two different plug ins to manage your options for

5
00:00:14,490 --> 00:00:20,790
security within WordPress including locking down the log in page hiding the admin area and using two

6
00:00:20,790 --> 00:00:24,880
factor authentication which is stronger than usernames and passwords.

7
00:00:25,110 --> 00:00:29,820
By the end of this lesson you'll have added several layers of security to your Wordpress installation

8
00:00:30,060 --> 00:00:34,830
and you'll have several free security plug ins to explore and choose from.

9
00:00:34,830 --> 00:00:40,560
Let's start by opening up our WordPress dashboard and website that we've been working on in the previous

10
00:00:40,560 --> 00:00:41,610
chapter.

11
00:00:41,610 --> 00:00:45,080
Mine is at Greg Davis dot com slash MailChimp.

12
00:00:45,120 --> 00:00:50,940
As you remember we set up the MailChimp bulk and marketing email program with this Web site.

13
00:00:51,030 --> 00:00:55,110
And then we converted it into a womb commerce store.

14
00:00:55,260 --> 00:01:02,630
Go ahead and pause the video now and open up your live Web site in your browser.

15
00:01:02,680 --> 00:01:07,720
The first thing I want to check out with you is how we access the log in page and the administration

16
00:01:07,720 --> 00:01:11,230
area or the dashboard inside of wordpress.

17
00:01:11,230 --> 00:01:15,980
My setup has the default sidebar widgets set up on my sidebar here.

18
00:01:16,090 --> 00:01:21,300
And one of the sidebar widgets called Maira has a log in link right here.

19
00:01:21,340 --> 00:01:26,800
If I roll over that log in link and look at the bottom left hand side of my screen in Firefox I can

20
00:01:26,800 --> 00:01:32,350
see that accessing a page called W.P. dash log in Dot ph.

21
00:01:32,710 --> 00:01:40,630
That's one way to access the log in page and it will redirect us to the slash W.P. admin folder which

22
00:01:40,630 --> 00:01:44,610
is our WordPress dashboard and administration area.

23
00:01:44,720 --> 00:01:52,640
It's common knowledge that WordPress sites generally use the WP log in ph P page and the WP dash admin

24
00:01:52,700 --> 00:02:01,930
folder for their dashboard areas because anyone including hackers and computer based bots can access

25
00:02:01,930 --> 00:02:03,400
these log in pages.

26
00:02:03,400 --> 00:02:10,420
It's important that you keep a very secure password and avoid using the admin username which is the

27
00:02:10,420 --> 00:02:19,270
old default username in wordpress WordPress now allows you to choose a secure password and some of the

28
00:02:19,270 --> 00:02:25,540
security plug ins will be experimenting with can allow you to force secure passwords on your WordPress

29
00:02:25,570 --> 00:02:27,070
users.

30
00:02:27,070 --> 00:02:30,970
Now put yourself in the place of a hacker.

31
00:02:30,970 --> 00:02:36,070
If you came to this site and you wanted to try and guess the log in for someone site you might try that

32
00:02:36,070 --> 00:02:38,500
admin username at first.

33
00:02:38,500 --> 00:02:42,320
But what if you wanted to try and guess someone's username.

34
00:02:42,490 --> 00:02:45,760
You could go to lost your password.

35
00:02:45,790 --> 00:02:51,850
We have a special newcomer's store last password page built into our theme right here in the storefront

36
00:02:51,850 --> 00:02:52,340
theme.

37
00:02:52,540 --> 00:03:02,170
But if I place any kind of a username or email address here and then click reset password I should get

38
00:03:02,170 --> 00:03:03,670
an error message.

39
00:03:03,670 --> 00:03:09,460
Now this error message tells me that that is not a valid username inside of this account.

40
00:03:09,730 --> 00:03:16,330
So if you had a computer based bot that was going to log in pages all over the internet trying the admin

41
00:03:16,610 --> 00:03:23,500
username until they found it to be valid that bot could return to that log in page and try and guess

42
00:03:23,560 --> 00:03:26,390
the password of that website.

43
00:03:27,300 --> 00:03:33,240
So a simple way to tighten up security would be to limit the display of error messages here in the log

44
00:03:33,240 --> 00:03:34,760
in page.

45
00:03:34,800 --> 00:03:41,340
This type of log in credential is called One step authentication or one factor authentication where

46
00:03:41,340 --> 00:03:45,840
the username and password is checking one thing from the user.

47
00:03:45,840 --> 00:03:52,640
It's something that you know the username and the password to step authentication or also known as two

48
00:03:52,640 --> 00:03:54,920
factor authentication checks.

49
00:03:55,040 --> 00:04:02,300
Two out of three possible factors in the user before it allows them in the admin area or dashboard of

50
00:04:02,300 --> 00:04:11,270
the Web site something you are is potentially your voice print DNA retinal scan fingerprints is the

51
00:04:11,270 --> 00:04:18,140
most popular thing which is something you are and the touch ID system on iPhones using your fingerprint

52
00:04:18,470 --> 00:04:21,610
is a something you are authentication method.

53
00:04:22,430 --> 00:04:28,010
If we're going to be setting up two factor authentication for getting into a WordPress site we'd be

54
00:04:28,010 --> 00:04:35,180
setting up two of these three items something you know which has a username and password combined with

55
00:04:35,180 --> 00:04:38,920
something you have which might be your smartphone.

56
00:04:39,260 --> 00:04:45,560
One of the most convenient ways to harden up the security of your log in in wordpress is to use two

57
00:04:45,560 --> 00:04:53,960
factor authentication with something you have which is most likely a smart phone or even an e-mail address

58
00:04:55,130 --> 00:05:01,250
plug ins for two step authentication are freely available in the Wordpress plugin repository.

59
00:05:01,310 --> 00:05:08,140
And one of the free security plug ins will be looking at in this video called word fence offers two

60
00:05:08,140 --> 00:05:11,200
step authentication within their free version.

61
00:05:11,210 --> 00:05:17,750
We'll also be installing clefs a very interesting two factor authentication plug in and experimenting

62
00:05:17,840 --> 00:05:18,910
with how it works.

63
00:05:19,690 --> 00:05:26,560
So let's go back to the log in page of our WordPress dashboard and log in ourselves and we'll start

64
00:05:26,560 --> 00:05:32,510
looking at the free plug ins available to harden the security of our WordPress installation if you're

65
00:05:32,690 --> 00:05:39,560
a plug ins and add new We're going to be searching for a couple of different plug ins the first one

66
00:05:39,560 --> 00:05:43,210
is called I theme's security.

67
00:05:43,350 --> 00:05:48,600
We look at themes security formerly known as better WPA security.

68
00:05:48,600 --> 00:05:55,590
I theme's is a great company that comes out with theme's security plug ins and backup plug ins.

69
00:05:55,770 --> 00:06:01,350
And if you install it seems security and go ahead and activate it we can check out all the features

70
00:06:01,680 --> 00:06:06,570
and the benefits of using a plug in like this.

71
00:06:06,570 --> 00:06:12,470
A good way to start with security is just to go down and click the Settings button here on the plugins

72
00:06:12,480 --> 00:06:19,410
page and they direct you to their first modal window that pops up called the security check.

73
00:06:19,410 --> 00:06:27,570
So if you just click secure site go and look at what is enabled and it will enable the most recommended

74
00:06:28,260 --> 00:06:31,150
parts of theme security.

75
00:06:31,170 --> 00:06:37,470
Now one of the great things about the theme security network is they have this network brute force protection

76
00:06:37,740 --> 00:06:44,400
where they have known IP addresses and country codes that always do brute force attacks and then block

77
00:06:44,400 --> 00:06:49,100
them before they're even able to reach your site and slow it down.

78
00:06:49,140 --> 00:06:54,900
And so I already do have an account with their network Bruce brute force protection with my e-mail address

79
00:06:55,200 --> 00:06:59,370
and I'll just click activate network brute force protection right there.

80
00:06:59,550 --> 00:07:05,280
And then if I close this window now I'm looking at the same security settings page and I can look at

81
00:07:05,280 --> 00:07:09,150
all the different items that they use for security.

82
00:07:09,150 --> 00:07:12,330
Go ahead and follow along with the setup I'm recommending here.

83
00:07:12,360 --> 00:07:16,010
First thing I might do is just close their little notification tab there.

84
00:07:16,170 --> 00:07:22,650
And I like to look at these in a list and I like to look at all of the different different security

85
00:07:22,830 --> 00:07:29,250
items that they have in I theme's security all in a list here and you can see what's enabled where it

86
00:07:29,250 --> 00:07:35,730
says configure settings and what is not what I'll usually do is go through a few of these that I always

87
00:07:35,730 --> 00:07:38,790
use on Web sites and I'll leave the others alone.

88
00:07:38,910 --> 00:07:40,770
The security checks been done.

89
00:07:40,950 --> 00:07:48,390
The global settings let me look at notification e-mail addresses so that if I go into my e-mail you

90
00:07:48,390 --> 00:07:55,440
can see that I'll get a notification message when a certain IP has been locked out of the wordpress

91
00:07:55,440 --> 00:08:01,260
site due to whatever they did that I theme's Security has blocked it makes me comfortable that this

92
00:08:01,260 --> 00:08:08,970
host has now been locked out permanently because they went and they did too many bad things.

93
00:08:08,970 --> 00:08:14,880
And then down here the default is that when they're locked out three times within a certain time they

94
00:08:14,880 --> 00:08:16,730
get locked out permanently.

95
00:08:16,740 --> 00:08:24,360
And what I always said here is that my current IP from my home computer is on the white list so I can't

96
00:08:24,360 --> 00:08:29,300
be locked out myself by forgetting my password or something like that.

97
00:08:29,520 --> 00:08:36,900
So now I click save settings and now when I'm working on my home computer I can never be locked out

98
00:08:36,900 --> 00:08:42,140
of my own site because my IP address is on the white list.

99
00:08:42,540 --> 00:08:49,590
I want to set up 404 detection for a for is just a page not found and I'll enable that.

100
00:08:49,590 --> 00:08:55,380
And then if you look at the configuration of the settings it just gives you a standard looks back if

101
00:08:55,380 --> 00:09:01,650
there's more than 20 errors within a five minute period that it locks out that IP address.

102
00:09:01,780 --> 00:09:07,080
And so that's a good thing to have because you'll have bots coming to your site using up your bandwidth

103
00:09:07,080 --> 00:09:13,710
costing you more money by looking for ways to exploit your Web site.

104
00:09:13,750 --> 00:09:17,480
There's a whole bunch of other settings right here.

105
00:09:17,620 --> 00:09:22,120
I usually set up band users local brute force protection.

106
00:09:22,120 --> 00:09:29,260
You can see that by doing that security check it's already enabled these and then go down and let's

107
00:09:29,260 --> 00:09:32,230
look at Hide the back end.

108
00:09:32,230 --> 00:09:38,080
Now this is a good way for you to offer an easy way for your clients if they're going to be logging

109
00:09:38,080 --> 00:09:42,230
into their WordPress dashboard to remember the log in page.

110
00:09:42,280 --> 00:09:47,590
You can set it up with something like Slash W.P. log in.

111
00:09:47,590 --> 00:09:56,010
Often times I use the word dashboard or access is a good one for people to remember.

112
00:09:56,110 --> 00:10:03,790
And basically it hides the W.P. dash log in and the WP admin areas and so it just makes it harder for

113
00:10:03,790 --> 00:10:06,610
those bots to find those errors.

114
00:10:06,610 --> 00:10:12,910
Sometimes I'll leave this alone until my site keeps getting these notification emails over and over

115
00:10:12,910 --> 00:10:19,660
and over again that I'm getting a constant barrage on my W.P. admin and my W.P. log in page and then

116
00:10:19,660 --> 00:10:23,240
I'll go and hide the backend and that stops these attacks.

117
00:10:25,360 --> 00:10:33,910
So back inside of the themes security settings the last thing I might set up is a strong password enforcement

118
00:10:34,510 --> 00:10:37,990
and then the other things I usually leave the same.

119
00:10:37,990 --> 00:10:43,990
One of the things I'll do under the global settings is make sure that write to files is allowed.

120
00:10:43,990 --> 00:10:51,820
That way I don't have to copy and paste the security rules that I theme's needs to put in my H.T. access

121
00:10:51,820 --> 00:10:52,550
files.

122
00:10:53,990 --> 00:10:59,840
There's a lot to know about internal WordPress security and you can read more at the themes security

123
00:10:59,840 --> 00:11:08,200
plug in page itself where they do have a paid pro features version where you can get a whole lot more.

124
00:11:08,210 --> 00:11:11,380
I usually use the free version for all my client sites.

125
00:11:11,540 --> 00:11:19,010
And let's look at word fence which is a second version of a word press security plug in one of the great

126
00:11:19,010 --> 00:11:27,290
things about word fence is that it does include two factor authentication in the free version and word

127
00:11:27,290 --> 00:11:34,030
fence also has this great WordPress security learning center as a part of their web site.

128
00:11:34,190 --> 00:11:36,200
This is a great thing to keep up with.

129
00:11:36,380 --> 00:11:43,220
For the latest WordPress security news they put out great blog posts and they actually track when certain

130
00:11:43,220 --> 00:11:46,610
plug ins or themes have security holes.

131
00:11:46,610 --> 00:11:50,690
So they really keep up with wordpress security in the modern world.

132
00:11:50,690 --> 00:11:57,530
Lastly let's take a look at a two factor authentication plug in this clef two factor authentication

133
00:11:57,530 --> 00:12:03,550
plug in is really pretty neat and it works very well and it's super easy to use.

134
00:12:03,650 --> 00:12:08,750
Your clients might appreciate logging in with Cliff instead of having to remember their usernames and

135
00:12:08,750 --> 00:12:09,680
passwords.

136
00:12:10,440 --> 00:12:17,430
So let's go back into our website dashboard and let's go to plug ins and add new and let's install the

137
00:12:17,430 --> 00:12:20,270
clef two factor authentication plug in.

138
00:12:20,610 --> 00:12:25,720
So just type clef in the search bar there and here's cleft two factor authentication.

139
00:12:25,880 --> 00:12:30,370
I'm installing it here and now I can activate it.

140
00:12:30,540 --> 00:12:30,840
Great.

141
00:12:30,840 --> 00:12:37,740
Now if I just click Finish setup it will help me to get set up so that I can use my smartphone to log

142
00:12:37,740 --> 00:12:40,000
in to WordPress.

143
00:12:40,080 --> 00:12:45,480
You can see in this little graphic the way that it works you just line up your camera phone on the screen

144
00:12:45,810 --> 00:12:49,190
and it matches the little bar code that's there.

145
00:12:49,230 --> 00:12:59,580
So I'll start out just by authorizing my own phone number and I'll click download and now I'm opening

146
00:12:59,580 --> 00:13:07,090
up my smartphone and it looks like with that beep I've received a text message.

147
00:13:07,170 --> 00:13:10,960
And then here's a link to download the app opens the video.

148
00:13:10,980 --> 00:13:20,480
While I do that and now I've opened clef and I'm just holding my phone's camera and matching up the

149
00:13:20,490 --> 00:13:28,880
little clef wave there my phone beeped and my web site responded and I'll just click Continue to confirm.

150
00:13:29,340 --> 00:13:35,660
And now I just need to click which website address is there in my browser.

151
00:13:38,810 --> 00:13:45,050
All right so it's setting me up says I'm all good and I've successfully connected my account with clef

152
00:13:46,020 --> 00:13:50,970
and I can invite other users if I want to but I can no I don't need to do that at this point.

153
00:13:51,110 --> 00:13:57,800
And there's one thing that I'd recommend you do when using cliff you'd want to set up a separate you

154
00:13:57,800 --> 00:14:02,420
are out just in case you drop your phone in the ocean or something like that and you need to get into

155
00:14:02,420 --> 00:14:04,520
your web site.

156
00:14:04,600 --> 00:14:09,970
So just click got it here and you can see that cliff is giving me a little message down here on the

157
00:14:09,970 --> 00:14:13,280
menu bar needs set up.

158
00:14:13,300 --> 00:14:18,490
Now you can leave it set up this way where you're showing the clefs way of as the primary logon option

159
00:14:18,760 --> 00:14:24,430
but you can then click in with a password in this little link right here on the log in form.

160
00:14:24,670 --> 00:14:29,570
Now more secure is to disable passwords for clef users.

161
00:14:29,830 --> 00:14:32,080
And then you can see down below.

162
00:14:32,170 --> 00:14:34,220
It showed an override Jarrell.

163
00:14:34,360 --> 00:14:37,560
Now it's a good idea to set up this override.

164
00:14:37,560 --> 00:14:44,350
You r l so that in case you lose your phone or something like that you can go to that u r l and log

165
00:14:44,350 --> 00:14:46,540
in with your username and password anyway.

166
00:14:46,660 --> 00:14:53,320
You just keep that you are as safe and secret and then your web site is using two factor authentication

167
00:14:53,500 --> 00:14:55,580
and it's the most secure.

168
00:14:55,790 --> 00:15:01,710
They give you an easy way to generate a secure override you are all just a random code here.

169
00:15:01,880 --> 00:15:10,250
And then they show you how you can take the URL for your store and drag this button up to the bookmarks

170
00:15:10,250 --> 00:15:12,190
toolbar of your web site.

171
00:15:12,200 --> 00:15:14,740
And this is in them another tab on my web site.

172
00:15:14,900 --> 00:15:22,940
But you can see that now that I placed this you r l here in the address bar it gives me the log in username

173
00:15:23,090 --> 00:15:28,190
and password area as well as the clef plug in button.

174
00:15:28,190 --> 00:15:32,930
If I didn't have that override your L there and I went to the log in page.

175
00:15:32,930 --> 00:15:38,430
The only thing that's shown is my clef wave right here and I'm already logged in.

176
00:15:38,450 --> 00:15:40,070
So it's not showing it to me.

177
00:15:40,170 --> 00:15:44,290
I can log into the newcomers store web site just by clicking that button.

178
00:15:44,630 --> 00:15:50,540
But now the great thing is if I walk away from a computer and maybe it's a public computer and I've

179
00:15:50,540 --> 00:15:59,320
been logged in and I forgot to log out I can just open up my phone here go to the clef app.

180
00:15:59,330 --> 00:16:03,830
This is what I'm doing right now as I'm speaking to you and I can click log out.

181
00:16:03,830 --> 00:16:11,510
Now I just hit the log out now button and now the Web site should respond if I hit another button inside

182
00:16:11,510 --> 00:16:13,070
of the website.

183
00:16:13,120 --> 00:16:17,260
You can see that it's logged out and it goes back to the clef logon screen.

184
00:16:18,550 --> 00:16:23,830
In this lesson you set up your live web site with wordpress level security by using a free plug in from

185
00:16:23,830 --> 00:16:25,780
the Wordpress plugin repository.

186
00:16:25,870 --> 00:16:29,180
Themes security is not the only option.

187
00:16:29,200 --> 00:16:34,250
So explore which security systems you like and install them on each of your Wordpress websites.

188
00:16:34,330 --> 00:16:39,340
You also installed a two factor authentication plug in and set it up to strengthen your log in page

189
00:16:39,340 --> 00:16:41,540
security in the next video.

190
00:16:41,620 --> 00:16:46,720
We'll set up automatic backup systems instead of Wordpress so that we can have more than one automatic

191
00:16:46,720 --> 00:16:52,390
backup happening all the time even though your web site hosting company should be keeping backups for

192
00:16:52,390 --> 00:16:52,920
you.

193
00:16:52,930 --> 00:16:58,360
It's important to save your own secondary backup files in a separate location in case you can't access

194
00:16:58,360 --> 00:16:59,290
the hosts files.

195
00:16:59,290 --> 00:17:00,010
For some reason