In 2016, it was estimated that only 44% of web traffic came from genuine visitors. The rest was from bots, hacking tools, scrapers and spammers. With that volume of dodgy web traffic coming to your website, are you confident that your website can withstand a hacker attack? What if I told you that an estimated 37,000 websites are hacked EVERY DAY? How confident are you now?
Sucuri, a top internet security service, reported that in the first quarter of 2016, they dealt with 500 website infections a day, 7 days a week. Of the 11,000 infected sites they dealt with, 78% were Wordpress sites.
Once a site is hacked, it can be used for all kinds of malicious purposes: redirecting your traffic, stealing customer details, deleting files, changing your login details to lock you out, or sending spam emails to millions of people (which will get your domain labelled as a spam source and remove any chance it has of ranking in Google). You get the idea.
And hackers don't just target large, popular sites. They'll use computer software to scan millions of websites for vulnerabilities, and then attack the soft targets. There is no softer target than a newly set up Wordpress website!
There is obviously good reason to be concerned about your website security. However, I don't want you to think that Wordpress is an insecure platform that should be avoided; it isn't. Wordpress is actually very secure, and if a security hole is found, it is usually plugged very quickly by the Wordpress security team and pushed out to all Wordpress installs automatically. The real security issues come from the people running the websites. They often don't have enough knowledge to make educated decisions about the content they put on their site, the plugins they use or the themes they install.
This course has two aims:
If you are not very technically minded, don't worry. This course assumes no technical ability and no programming skills.
About the Course
The course starts off with an introduction to hacking. Why hackers hack, and what makes some Wordpress sites more vulnerable to hackers than others.
We'll then go through the main ways that you can harden up your Wordpress installation, and I'll show you how to manually set some of these up on your site. You can try out some or all of these techniques yourself if you want to, but it is not essential (see lower down). You may just want to sit back and absorb the information so that you have the knowledge you need to make informed decisions on your Wordpress website going forward.
In the second half of the course, we'll install a Wordpress Security Plugin that covers all of the major security weaknesses outlined in the first half of the course, and work our way step-by-step, configuring the plugin to make our site virtually hack-proof.
By the end of this course, you will have both the knowledge and the skill set to secure a Wordpress website against hackers.
This lecture introduces the Wordpress Security course and your instructor. There are a couple of ways you can use this course, and this lecture will cover those.
This lecture looks at whether or not Wordpress is a secure platform. Can you trust Wordpress with your website?
Why do hackers hack? There are a lot of reasons, none of them good. This lecture looks at a few of the reasons, but also reassures you that your website will be very secure after following this course.
Everyone should back up their Wordpress website. This lecture explains what you need to back up, and offers suggestions for tools that will allow you to do that.
There are a number of security plugins for Wordpress. We will install and setup a good one later in this course, but for now, let me just introduce a few of the more popular plugins.
Passwords need to be strong and random. Weak passwords are one of the main ways hackers gain access to a website. You'd be surprised how many people use the word "password" as their password.
Usernames are another weak area for many Wordpress users. Pick a username that cannot be guessed.
Know the URL that you use for signing into your website. A simple hacker trick could get your username and password without you realising you've been tricked.
PHP error reporting can give hackers some sensitive information. You can easily disable this though.
The file editor built into the Dashboard is one of the first ports of call if a hacker gains access to your site. It's therefore a good idea to disable it.
You need to be careful about code embedded into Wordpress posts or pages. If you don't trust the code 100%, leave it out.
Wordpress security is only as strong as its weakest link, and users may be that weak link. This lecture looks at correctly assigning roles to users, to give them just enough security clearance to perform their job.
Inserting any kind of code in your site can open up security holes. You have to be very careful, and this lecture explains what to look out for.
Plugins can be another source of security holes. This lecture looks at some common sense measures to ensure your website is secure.
Themes can also provide backdoors to hackers, so make sure you use themes from reputable sources, and that those themes are regularly maintained and updated.
A good measure to take is to stop someone repeatedly trying to log into your site on the login page. If a user fails to log in a couple of times, they are probably not authorised to access the site, so block them.
You may already be familiar with 2-Factor authentication. Your Google account may use this, or your online banking. You can add this layer of security to your Wordpress site if you wish.
The login page is the gateway to your Wordpress Dashboard, so protect it!
A simple security measure you can take is to change the default Wordpress table prefix. This is typically done when you install Wordpress, but you can change it at a later date as well.
Wordpress security keys are an extra layer of protection for your site. If you install Wordpress using a one-click installer, you don't need to do anything as these will be created for you at the time of the installation.
XML-RPC is a programming interface that developers can use to "talk" to Wordpress. It's also a potential security threat.
A good web host can help increase the security of your website.
This is an important configuration file that contains sensitive information about your site. You may want to protect it.
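The lectures above on PHP error reporting, the Dashboard file editor, the table prefix, the security keys and the configuration file all come down to a handful of lines in wp-config.php. The script below is an added example, not part of the course or of any plugin: it reads a wp-config.php and reports which of those hardening points are missing. The constant names (WP_DEBUG, WP_DEBUG_DISPLAY, DISALLOW_FILE_EDIT, the eight key/salt names) and the "put your unique phrase here" placeholder are WordPress's own; the two sample configs, the prefix k7q_ and the hex stand-in key values are constructed for the demonstration. It needs PHP 7.4 or later.

```php
<?php
/**
 * Added example (not from the course): audit a wp-config.php for the hardening
 * points covered by the lectures on PHP error reporting, the file editor, the
 * table prefix and the security keys. Usage:
 *   php audit-wp-config.php /path/to/wp-config.php
 * With no argument it audits two constructed samples, a weak one and a hardened one.
 */
const WPCFG_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];

/** Return the define('NAME', value) pairs found in the source as NAME => raw value text. */
function wpcfg_defines(string $source): array
{
    // Quoted values are matched as whole strings so a ')' inside a salt does not end the match.
    $re = '/define\s*\(\s*[\'"]([A-Z0-9_]+)[\'"]\s*,\s*(\'[^\']*\'|"[^"]*"|[^)]+?)\s*\)\s*;/';
    $out = [];
    if (preg_match_all($re, $source, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $out[$hit[1]] = trim($hit[2]);
        }
    }
    return $out;
}

/** Return a list of findings; an empty list means every check passed. */
function audit_wp_config(string $source): array
{
    $d  = wpcfg_defines($source);
    $is = fn(string $name, string $literal): bool =>
        isset($d[$name]) && strcasecmp($d[$name], $literal) === 0;
    $findings = [];

    // PHP error reporting: with WP_DEBUG true, errors go to the browser unless
    // WP_DEBUG_DISPLAY is explicitly false. On a live site WP_DEBUG should be false.
    if ($is('WP_DEBUG', 'true') && !$is('WP_DEBUG_DISPLAY', 'false')) {
        $findings[] = 'WP_DEBUG is true without WP_DEBUG_DISPLAY false: PHP errors are shown to visitors.';
    }

    // Dashboard file editor (Appearance > Editor, Plugins > Editor).
    if (!$is('DISALLOW_FILE_EDIT', 'true')) {
        $findings[] = "Theme/plugin editor is enabled: add define('DISALLOW_FILE_EDIT', true);";
    }

    // Table prefix: anything but the default wp_ makes automated SQL guesses fail.
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $source, $m)) {
        if ($m[1] === 'wp_') {
            $findings[] = 'Table prefix is the default wp_.';
        }
    } else {
        $findings[] = 'No $table_prefix assignment found.';
    }

    // Security keys and salts: eight long, unique values, not the sample placeholder.
    foreach (WPCFG_KEYS as $k) {
        $v = trim($d[$k] ?? '', '\'"');
        if ($v === '' || $v === 'put your unique phrase here' || strlen($v) < 32) {
            $findings[] = "$k is missing, still the placeholder, or too short.";
        }
    }
    return $findings;
}

// Constructed sample 1: what a careless install can look like.
$weak = <<<'CFG'
define( 'WP_DEBUG', true );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
CFG;

// Constructed sample 2: the hardened form. The hex strings stand in for the
// values you would paste from https://api.wordpress.org/secret-key/1.1/salt/
$hardened = "define( 'WP_DEBUG', false );\ndefine( 'DISALLOW_FILE_EDIT', true );\n\$table_prefix = 'k7q_';\n";
foreach (WPCFG_KEYS as $k) {
    $hardened .= "define( '$k', '" . bin2hex(random_bytes(32)) . "' );\n";
}

$targets = isset($argv[1])
    ? [$argv[1] => file_get_contents($argv[1])]
    : ['weak sample' => $weak, 'hardened sample' => $hardened];

foreach ($targets as $label => $src) {
    $f = audit_wp_config($src);
    echo $label, ': ', $f ? count($f) . ' finding(s)' : 'OK', PHP_EOL;
    foreach ($f as $line) {
        echo '  - ', $line, PHP_EOL;
    }
}
```

Run it against the weak sample and it reports four problems (debug output, editor enabled, default prefix, placeholder or missing keys); the hardened sample passes. The check is textual, so it only sees what is literally in the file; a site that sets these constants elsewhere (a host-managed include, for instance) will show findings that are not real.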
The files and folders on your server are given permissions, which basically control who can read and write to those files and folders. There are specific permissions required within your Wordpress installation.
Find and install the plugin in the Wordpress repository.
Before you begin, you need to back up important Wordpress files. If anything goes wrong with the configuration of the plugin, you can always use these to restore access to your Dashboard and site.
As you secure your site, you should keep taking backups of important files as mentioned above. However, it is possible you will get locked out. This tutorial shows you what to do if that happens.
If you want to play it safe, you can enable only the security features that are safe to implement and won't cause your site problems. If you are more adventurous, you can try activating all measures. This lecture explains how to tell the safe ones from the "adventurous" ones.
The Dashboard gives you a bird's-eye view of your security setup on the site. Check out how secure your website is.
The settings screen gives you quick access to a couple of useful tools. We've already used two of the tools to backup files, but let's see what else is here.
Your username, display name and password settings are accessible from this screen. Do you need to change them? Are they secure enough?
Stop brute force attempts by locking out users that repeatedly try to log in, but fail.
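This lecture and the earlier one on blocking repeated login failures describe the same mechanism, so here is one added example of the logic behind it. It is not the plugin's code: a small PHP 8 class that counts failed logins per client address inside a sliding window and locks the address out for a fixed period once the limit is hit, driven by a constructed sequence of attempts. State is kept in memory; a real plugin persists it (WordPress transients or a table) and attaches to the wp_login_failed action and the authenticate filter, which are where the recordFailure and isLocked calls would go. The IP address 203.0.113.7 is from the documentation range and the thresholds (3 failures in 5 minutes, 20-minute lockout) are illustrative.

```php
<?php
/**
 * Added example (not the plugin's code): failed-login lockout logic.
 * Counts failures per key inside a sliding window and locks the key out
 * for lockoutSeconds once maxAttempts is reached. Requires PHP 8.0+.
 */
final class LoginLockout
{
    /** @var array<string, array{fails: int[], locked_until: int}> */
    private array $state = [];

    public function __construct(
        private int $maxAttempts = 3,       // failures allowed inside the window
        private int $windowSeconds = 300,   // window in which failures are counted
        private int $lockoutSeconds = 1200  // how long the key stays locked
    ) {
    }

    /** Keying on the client IP catches a spray across many usernames; keying on
     *  IP+username would instead let one client lock a real user's account. */
    public static function keyFor(string $ip): string
    {
        return $ip;
    }

    /** Call this from the authenticate filter before checking the password. */
    public function isLocked(string $key, int $now): bool
    {
        return ($this->state[$key]['locked_until'] ?? 0) > $now;
    }

    /** Call this from the wp_login_failed action. Returns true when this failure
     *  tripped the lockout, so the caller can log the event. */
    public function recordFailure(string $key, int $now): bool
    {
        $s = $this->state[$key] ?? ['fails' => [], 'locked_until' => 0];
        // Forget failures that fell out of the window, then count this one.
        $s['fails']   = array_values(array_filter(
            $s['fails'],
            fn(int $t): bool => $t > $now - $this->windowSeconds
        ));
        $s['fails'][] = $now;

        $tripped = count($s['fails']) >= $this->maxAttempts;
        if ($tripped) {
            $s['locked_until'] = $now + $this->lockoutSeconds;
            $s['fails']        = [];   // start a fresh count after the lockout expires
        }
        $this->state[$key] = $s;
        return $tripped;
    }

    /** A successful login clears the counter for that key. */
    public function recordSuccess(string $key): void
    {
        unset($this->state[$key]);
    }

    public function secondsRemaining(string $key, int $now): int
    {
        return max(0, ($this->state[$key]['locked_until'] ?? 0) - $now);
    }
}

// Constructed sample: one client fails three times within a minute, then tries again.
$lock = new LoginLockout(maxAttempts: 3, windowSeconds: 300, lockoutSeconds: 1200);
$key  = LoginLockout::keyFor('203.0.113.7');
$t0   = 1700000000;

foreach ([$t0, $t0 + 20, $t0 + 45] as $t) {
    $tripped = $lock->recordFailure($key, $t);
    printf("+%3ds failed login from %s%s\n", $t - $t0, $key, $tripped ? '  -> LOCKED OUT' : '');
}

// The fourth attempt is refused before the password is even checked.
$later = $t0 + 60;
if ($lock->isLocked($key, $later)) {
    printf("+%3ds attempt refused, %d seconds of lockout remain\n", $later - $t0, $lock->secondsRemaining($key, $later));
}

// Once the lockout has expired the key is usable again and the counter is empty.
$after = $t0 + 45 + 1200;
printf("+%ds locked? %s\n", $after - $t0, $lock->isLocked($key, $after) ? 'yes' : 'no');
```

The lockout event returned by recordFailure is worth writing to a log with the address and timestamp: a burst of lockouts from many addresses is how you notice a distributed brute-force run rather than a forgetful user.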
If you allow people to register on your site, then these settings need to be selected as well.
Remember we talked about the table prefix and how Wordpress uses a default of wp_? This lecture shows you how you can change your prefix if you need to, or just want to. Don't forget to back up the database first (instructions included in this video).
Files and folders need the correct permissions set, to keep them secure. This lecture shows you how to make sure everything is correct, and also how to disable the PHP editor if you didn't do that earlier in the course.
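This lecture and the earlier one on file and folder permissions both refer to the baseline WordPress documents: directories 755, files 644, and wp-config.php readable by the site owner only (600 or tighter). The script below is an added example, not from the course or the plugin, that walks a WordPress root and reports anything looser than that baseline. It only reports, never changes modes, and it assumes a POSIX filesystem. The sample tree it builds in a temporary directory is constructed so the script runs anywhere.

```php
<?php
/**
 * Added example (not from the course): report files and directories under a
 * WordPress root whose permissions are looser than the usual baseline
 * (directories 755, files 644, wp-config.php 600 or tighter). Read-only.
 * Usage: php audit-perms.php /var/www/html
 */
function audit_permissions(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;          // drop the file-type bits
        $rel  = substr($path, strlen($root) + 1);
        if ($info->isDir()) {
            if ($mode & 0022) {                    // group- or world-writable directory
                $findings[] = sprintf('%04o %s  directory writable by group/others (expect 755)', $mode, $rel);
            }
            continue;
        }
        if ($mode & 0022) {                        // group- or world-writable file
            $findings[] = sprintf('%04o %s  file writable by group/others (expect 644)', $mode, $rel);
        }
        if ($mode & 0111) {                        // PHP files never need execute bits
            $findings[] = sprintf('%04o %s  file has execute bits set', $mode, $rel);
        }
        if ($info->getFilename() === 'wp-config.php' && ($mode & 0077)) {
            $findings[] = sprintf('%04o %s  readable by group/others (expect 600 or tighter)', $mode, $rel);
        }
    }
    return $findings;
}

/** Remove the constructed sample tree again. */
function rm_tree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $p) {
        $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
    }
    rmdir($dir);
}

if (isset($argv[1])) {
    $root = rtrim($argv[1], '/');
    $demo = false;
} else {
    // Constructed sample: one directory and one file deliberately too open.
    $root = sys_get_temp_dir() . '/wp-perm-demo-' . getmypid();
    $demo = true;
    mkdir("$root/wp-content/uploads", 0755, true);
    chmod("$root/wp-content/uploads", 0777);           // world-writable upload directory
    file_put_contents("$root/wp-config.php", "<?php\n");
    chmod("$root/wp-config.php", 0644);                // database credentials readable by everyone on the host
    file_put_contents("$root/index.php", "<?php\n");
    chmod("$root/index.php", 0644);                    // correct
    chmod("$root/wp-content", 0755);                   // correct
}

$findings = audit_permissions($root);
echo $findings ? implode(PHP_EOL, $findings) : 'No permission findings.', PHP_EOL;

if ($demo) {
    rm_tree($root);
}
```

On the sample tree the report names wp-content/uploads (0777) and wp-config.php (0644) and nothing else. Some hosts run PHP as a different user from the FTP account and rely on group-writable 775/664; on such a setup the group-writable findings are expected and the world-writable ones are the ones to act on.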
Check out details of people trying to access your site.
Blacklist IPs so that they cannot access your website.
Set up a firewall on your Wordpress website, to add an extra layer of security.
The plugin has some great tools to help prevent brute force attacks. This lecture shows you how to set these up.
This section of the plugin helps to deal with spam comments by adding a math captcha to the comment form. It's not the greatest spam eliminator, but it is quick to implement and will help a little. A more useful feature is the auto-blocking of repeat spam commenters.
One way of detecting whether your site has been hacked is to monitor the Wordpress files on your server and compare them to the original Wordpress files from Wordpress.org. This is a built-in feature of the plugin.
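The comparison the lecture describes is a checksum diff: WordPress.org publishes an MD5 for every core file of each release at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US (a JSON object with the map under a "checksums" key, the same source WP-CLI's verify-checksums command uses). The script below is an added example, not the plugin's code: given such a map and a WordPress root it lists modified, missing and unexpected files. The manifest and the tiny "core" tree it checks are constructed in a temporary directory so it runs offline; with a real install you would load the manifest from that URL and point the function at the site root. Requires PHP 8.0+.

```php
<?php
/**
 * Added example (not the plugin's code): compare the files under a WordPress
 * root with a manifest of expected MD5 checksums (path => md5) and report
 * modified, missing and unexpected files.
 */
function compare_core(array $expected, string $root): array
{
    $result = ['modified' => [], 'missing' => [], 'unexpected' => []];

    // Every file the manifest knows about must exist and hash to the expected value.
    foreach ($expected as $rel => $md5) {
        $path = "$root/$rel";
        if (!is_file($path)) {
            $result['missing'][] = $rel;
        } elseif (md5_file($path) !== $md5) {
            $result['modified'][] = $rel;
        }
    }

    // A PHP file in the core directories that the manifest does not list is the
    // classic sign of a dropped file. wp-content (themes, plugins, uploads) and the
    // site-specific wp-config.php are not part of the core manifest, so skip them.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        $rel = str_replace('\\', '/', substr($path, strlen($root) + 1));
        if (str_starts_with($rel, 'wp-content/') || $rel === 'wp-config.php') {
            continue;
        }
        if (!isset($expected[$rel]) && strtolower($info->getExtension()) === 'php') {
            $result['unexpected'][] = $rel;
        }
    }
    return $result;
}

// Constructed sample: a three-file "core" with one intact, one modified and one
// missing file, plus one PHP file that is not in the manifest at all.
$root = sys_get_temp_dir() . '/wp-core-demo-' . getmypid();
mkdir("$root/wp-includes", 0755, true);

$indexSrc   = "<?php // constructed index.php\n";
$versionSrc = "<?php // constructed version.php\n";
$manifest   = [   // same shape as the api.wordpress.org "checksums" map: path => md5
    'index.php'                 => md5($indexSrc),
    'wp-includes/version.php'   => md5($versionSrc),
    'wp-includes/functions.php' => md5("<?php // constructed functions.php\n"),
];

file_put_contents("$root/index.php", $indexSrc);                                // intact
file_put_contents("$root/wp-includes/version.php", $versionSrc . "// tampered\n"); // modified
file_put_contents("$root/wp-includes/extra.php", "<?php // not in manifest\n");    // unexpected
// wp-includes/functions.php is deliberately not written, so it shows up as missing.

$report = compare_core($manifest, $root);
foreach ($report as $kind => $files) {
    printf("%-11s %s\n", $kind . ':', $files ? implode(', ', $files) : '(none)');
}

// Remove the constructed tree again.
foreach (['index.php', 'wp-includes/version.php', 'wp-includes/extra.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/wp-includes");
rmdir($root);
```

Run on the sample it reports version.php as modified, functions.php as missing and extra.php as unexpected. The checksums cover core only, so themes and plugins need their own reference copies (a clean download of the same version) to get the same kind of answer, and a modified file is a finding to investigate, not proof of compromise by itself: hosts sometimes patch core files, and a half-finished update leaves a mixed tree.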
If you need to, you can block all access to your site front end while you do maintenance. This lecture shows you how to do this.
A final few security measures for your website, and you are done. What is your final security score?
What is your Security Strength after completing the security settings?
I have created a Checklist for you to follow as you secure your Wordpress websites. I've made it available as a PDF file which you can download as the resource for this lecture.
I have written and published a number of books that are available on Amazon, including best selling books on Wordpress ("Wordpress for Beginners 2017") and search engine optimization ("SEO 2017 & Beyond"). I also run a website called ezSEONews, where I teach my visitors and newsletter subscribers a number of skills required for running a successful website.
As an ex-schoolteacher, I hope I can make complicated topics simple to understand. I certainly enjoy trying!