Customizer, and finally, exploring AMP (Accelerated Mobile Pages) plugins to enhance the user experience when visitors access your site from a mobile device. This course is designed for anyone who is new to WordPress or self-taught on the product; you don't need any prior web development or programming skills. It's designed for non-technical users who are more interested in content management and search engine optimization than in the technical aspects of website creation. Looking to support our channel and get a great deal? Become a member today to unlock ad-free videos. That's right, your favorite courses without a single ad. Interested in a specific video? Purchase one of our ad-free courses individually. Looking for even more? Gain access to exams, certificates, and exclusive content at learnitanytime.com. More information can be found in the video description below.

Module one is all about securing your WordPress website. I should mention that the slide deck is in the video description; it has some good information in it for your future reference. This module has a total of seven lessons, and I'm going to divide them into two groups. The first three lessons are group one, and they go over the principles of WordPress security.
Then you'll learn best practices for WordPress security, and after that some security plugins that can be used to help secure your website. We'll then put these principles and practices into action on our site by grabbing those plugins, activating them, and upping the security on our website.

The second group of lessons deals with user accounts. There you'll learn how to set up secure user accounts, about user roles and capabilities, how to manage users, and how to use some user management plugins that can help you manage your users. So let's start by reviewing the principles of WordPress security.
I have about five of them in this slide deck. The first one is integrity, which means you ensure data is not tampered with or altered by unauthorized users. Your hosting provider has some of this responsibility, as the files and database are on their servers, so look for a host that offers up-to-date server software, malware monitoring and removal, firewalls, and other security measures. Getting all of your WordPress plugins and themes from trusted sources also supports integrity on your site. Avoid plugins and themes that haven't been updated in a year or more, have fewer than a few hundred installations, or receive low ratings. I've included on this slide links to the two official WordPress.org directories where you can find the plugins and the themes. Another way to protect integrity is backing up your site. Your host may offer backups, and many hosts (Bluehost among them) preinstall the UpdraftPlus plugin, which you can use for backups; it is not part of WordPress core, so you may need to install it yourself.

The second principle is availability, which means you ensure systems and data are available to authorized users when they need them. Using solid hosting with good uptime is one way to ensure this. Your host should have measures in place to reduce the damage of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, in which your web server is inundated with traffic in an attempt to knock your site offline. Not only do you need backups, you need the ability to restore them when you need them. And ensuring users can access what they need requires that the site be online and that users have appropriate permissions.

The next principle is minimizing the attack surface. The attack surface describes all of the different points where an attacker could get into a system and where they could get data out. For a WordPress website, that means all the software that makes up your website, the data it contains, and the ways the software and data can be accessed. One way to shrink it is to remove unnecessary plugins, themes, and users from your website. By the way, deactivating plugins and themes is not enough: a deactivated plugin's files are still on the server and can still be requested directly, so you also need to delete them to minimize the attack surface.
You would also want to check your web server for unnecessary files via your hosting provider's file manager. We have two principles left. The first is defense in depth, which means you have multiple layers of defense: even if a hacker gets through one or more layers, other layers can still stop them. Your web host should have multiple layers of security, and if you're not comfortable with your host's security, you can consider a WordPress security plugin as well. Our last principle is confidentiality, which simply means that you only allow access to data for which the user is permitted. You ensure that legitimate users can access only as much as they need to, and illegitimate users cannot access anything. Ways you can do this include strong passwords and
two-factor authentication. Cryptography protects confidentiality as well: you encrypt data, and only authorized users can decrypt it. When you add SSL/TLS (HTTPS) to your site, that encrypts data flowing between the user's browser and the web server. Don't save your WordPress password in an unencrypted file. Access control protects confidentiality too: each person who needs access to your site should have their own separate WordPress account, and confidentiality in WordPress works off the principle of least privilege. Do not grant a user account, process, or program more access rights than it needs to accomplish its designated task. In terms of a typical WordPress website with a blog, think of your editors, authors, contributors, and subscribers; each of them needs access to more or less of your website's back end. The principle of least privilege is also known as the principle of least authority, the principle of minimal privileges, or the least-privileged user account.

To support confidentiality and enforce user accountability, you can also use an activity log plugin to keep a log of all the changes users make on your WordPress website. It helps with troubleshooting as well as with user accountability. So now that we have the principles of WordPress security behind us, just a reminder, the slide deck is in the files for the video description, so you can always reference it on your own.
We need to discuss best practices for WordPress security. When we get hands-on later in this module in WordPress, we want to have these options under our belt, and you'll see that when we start doing exercises, we will be enabling some of these best practices. The best practices are on the slide. You want secure hosting; the host has responsibility for a lot of your security. You want to be able to back up your website in case it's necessary to restore it. You want to avoid certain usernames, like admin, your real name or nickname, anything based on personal information, or the title of your site. You want very strong passwords. You'll learn how to lock down your login page, and you can enable two-step authentication for further security. You can also automatically log out idle users, add security questions to the WordPress login, and have your site scanned for malware and vulnerabilities. You want to update themes and plugins, and you'll see how that's done. I have an asterisk next to some of these items: disable file editing, disable PHP file execution, change the WP database prefix (it defaults to wp_), and disable directory indexing and browsing.
That is because we're going to discuss those in more detail. To expand on the best practices I asterisked on the previous slide: disabling file editing can be done two ways, and so can disabling PHP file execution in certain directories.

Disable file editing. Within WordPress itself, you have a theme editor and a plugin editor that you can use. Many WordPress users aren't programmers and will never use these editors. An attacker who gets hold of an administrator account, however, can use the editor to write and run malicious PHP code or delete entire parts of your website. So if you are able to, and if you are not going to be editing any themes and plugins yourself through code, it's wise to disable the editors. Again, there are two ways to do it, and I will go over both when we get hands-on.

Now, disabling PHP file execution in certain directories. Let's break it down a little bit. PHP (Hypertext Preprocessor) is the scripting language WordPress is written in. Hackers try to upload malware, typically a PHP web shell, to your website in an attempt to break in. Disabling PHP execution in directories that only need to hold content, such as the uploads folder, stops that malware from running even if the upload succeeds. The slide also points out that your WordPress site contains many PHP files that legitimately need to run, which is why you disable execution only in directories where it is not needed rather than everywhere. If you want to disable PHP file execution in certain directories, there is a link on the slide that shows the long way of doing it, but there is also another way that I'm going to show you. Both disabling file editing and disabling PHP file execution can be handled with a plugin that we're going to use on our site.

At the bottom we have directory browsing and indexing. It means that people can view the contents of the individual folders on your website.
So, to see whether directory browsing is disabled: first of all, this is what it looks like when it's enabled. You will see an index listing all of the folders, and you may have been on websites where you can actually see that. We want to disable that functionality. My hosting provider, Bluehost, automatically disables directory browsing. If you want to check whether it is enabled on your site, in your address bar type https:// followed by your domain, and in this example it's example.com, then /wp-includes/, so https://example.com/wp-includes/. If you press Enter and see a list of folders, directory browsing is enabled. If it is disabled, you will see a Forbidden (HTTP 403) page. When I use that in my browser's address bar with my domain, I get Forbidden, and it was done at the host level, I didn't have to do anything to make that happen,
meaning that it is disabled. Last but not least, another security best practice is to change your WP database prefix. Everything is stored in your WordPress database, which makes it every hacker's favorite target. Spammers and hackers run automated SQL injection scripts, and many people forget to change the database prefix when they install WordPress. That makes it easier for attackers to plan a mass attack by targeting the default prefix, wp_. A caveat worth keeping in mind: a custom prefix is obscurity, not a fix. It does not stop a SQL injection vulnerability from being exploited, since an attacker who can run queries can discover the table names, but it does break automated scripts that hardcode wp_ in their payloads, which is why it stays on the list. You can change your database prefix while you're setting up your site, and if your site is already established, you can do it after the fact as well, though that means renaming every table and updating a few rows that embed the prefix, so take a backup first. I have a link on this page that will take you to step-by-step instructions. I'll show you part of the way of doing this, but if you want to do it on your own, you can follow the instructions from the link on the slide. My hosting provider has also automatically done this for me, so I don't actually have to go through this process; sometimes you'll find that your provider takes care of this for you.

The way we are going to enable our security best practices is by using a variety of plugins, some of which came preinstalled with my hosting provider's WordPress setup, and others we will actually go in and find and download.
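Before the plugin walkthrough, here is an added example of my own that is not part of the course, the slides, or any of the plugins mentioned. It audits the four asterisked practices (file editing, PHP execution in uploads, the wp_ prefix, and directory indexing) straight from the files on disk, automates the browser check against /wp-includes/ described above, and generates the statements an established site needs when its prefix is changed. It assumes an Apache-style layout with .htaccess files, as on Bluehost; nginx sites need equivalent server-block rules instead. The function names, the regular expressions, the demo prefix gdn7x_, and the miniature site that make_demo_site writes are all constructed for illustration and are not taken from WordPress or the course.

```python
"""Added example (not from the course): audit the four asterisked WordPress hardening
practices on disk, classify a /wp-includes/ response, and emit prefix-change SQL.
Assumes Apache-style .htaccess files; all names and sample data are constructed."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    code: str   # short name of the failed check
    fix: str    # the remediation the course describes


# wp-config.php constant that removes the theme and plugin editors from wp-admin
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
TABLE_PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")
# an Apache <Files>/<FilesMatch> block that refuses to serve (and so execute) .php files
PHP_DENY_RE = re.compile(
    r"<Files(?:Match)?\b[^>]*php[^>]*>.*?(?:deny from all|Require all denied).*?</Files(?:Match)?>",
    re.I | re.S)
NO_INDEXES_RE = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)


def audit_wordpress(root: Path) -> list[Finding]:
    """Check a WordPress document root for the four asterisked practices."""
    findings = []
    config = (root / "wp-config.php").read_text()
    if not FILE_EDIT_RE.search(config):
        findings.append(Finding("file-editing-enabled",
                                "add define('DISALLOW_FILE_EDIT', true); to wp-config.php"))
    prefix = TABLE_PREFIX_RE.search(config)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append(Finding("default-db-prefix",
                                "use a custom $table_prefix instead of wp_"))
    uploads_ht = root / "wp-content" / "uploads" / ".htaccess"
    if not uploads_ht.exists() or not PHP_DENY_RE.search(uploads_ht.read_text()):
        findings.append(Finding("php-execution-in-uploads",
                                "add a <Files *.php> deny block to wp-content/uploads/.htaccess"))
    root_ht = root / ".htaccess"
    if not root_ht.exists() or not NO_INDEXES_RE.search(root_ht.read_text()):
        findings.append(Finding("directory-indexing",
                                "add 'Options -Indexes' to the site's .htaccess"))
    return findings


def looks_like_directory_listing(status: int, body: str) -> bool:
    """The course's browser check, automated: fetch /wp-includes/ and decide whether
    the response is a folder listing (indexing on) or a Forbidden page (indexing off)."""
    if status != 200:
        return False
    return bool(re.search(r"<title>\s*Index of /", body, re.I)) or "Parent Directory" in body


def prefix_change_sql(old: str, new: str, tables: list[str]) -> list[str]:
    """Statements for changing the prefix on an established site: rename every table,
    then fix the rows whose keys embed the prefix (the user_roles option and the
    per-user capability/level meta keys). $table_prefix in wp-config.php must be
    changed to match, and all of this should be done against a fresh backup."""
    for p in (old, new):
        if not re.fullmatch(r"[A-Za-z0-9_]+", p):
            raise ValueError("prefix may only contain letters, digits and underscore")
    like_old = old.replace("_", r"\_")   # '_' is a LIKE wildcard, so escape it
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
                 f"SUBSTRING(meta_key, {len(old) + 1})) WHERE meta_key LIKE '{like_old}%';")
    return stmts


def make_demo_site(hardened: bool) -> Path:
    """Write a constructed miniature WordPress tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    prefix = "gdn7x_" if hardened else "wp_"
    config = f"<?php\n$table_prefix = '{prefix}';\n"
    if hardened:
        config += "define('DISALLOW_FILE_EDIT', true);\n"
        (root / ".htaccess").write_text("Options -Indexes\n")
        (root / "wp-content" / "uploads" / ".htaccess").write_text(
            "<Files *.php>\ndeny from all\n</Files>\n")
    (root / "wp-config.php").write_text(config)
    return root


if __name__ == "__main__":
    for hardened in (False, True):
        site = make_demo_site(hardened)
        print("hardened" if hardened else "default", [f.code for f in audit_wordpress(site)])
    print("\n".join(prefix_change_sql("wp_", "gdn7x_", ["wp_options", "wp_usermeta", "wp_posts"])))
```

Run as-is it audits the two demo trees and prints the prefix-change statements; to audit a real site, point audit_wordpress at a copy of the document root pulled down through your host's file manager or SSH. The SQL is returned, not executed, so you can read it alongside your UpdraftPlus backup before pasting it into phpMyAdmin, and the prefix check refuses anything but letters, digits and underscores so a typo cannot turn into injected SQL.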
We're going to be using the free versions of these plugins; many of them have an upgraded premium version for a cost. The first one is UpdraftPlus. It came preinstalled on my Bluehost site (it is not part of WordPress core), and it's going to be used to back up your site and also to restore it if necessary. Then we're going to use Sucuri Security (its scanner is often just called Sucuri Scanner). That's an auditing and monitoring system that keeps track of everything that happens on your site, and through its hardening screens we will be able to disable file editing and disable PHP file execution. Then we have a series of plugins to lock down the login page. We're going to use Limit Login Attempts Reloaded to limit the number of login attempts. miniOrange 2-Factor Authentication sets up two-step authentication and can also ask security questions on the login screen; there are plenty of separate plugins for two-step authentication and for security questions, but this one includes both. We're going to use Inactive Logout to automatically log out inactive users. We're going to use WPS Hide Login, which lets you change your login URL to whatever you want; I have a link there with all the information about how to use it, we will discuss it when we get hands-on, and you'll see the difference between that and something else we're going to be doing. Then we're going to use WP Activity Log to log all user activity, which ensures user accountability. And Jetpack, which Bluehost also preinstalls, provides overall security and includes Akismet anti-spam.

To get started, this is my site as I left it at the end of the WordPress beginner course. It is a simple blog site. It doesn't have a lot of posts or pages, it has some media, and it already has a theme applied to it.
I'm going to start by giving you a brief tour of my site in case you didn't take the beginner course and build this site, so you'll know the starting point we're working with in this course. Later in this course, we're going to change this from a blog site to multiple different kinds of websites, as you saw in the course description. For right now, it's a blog site only. On the left, I'm going to start by going to my pages. You can see that I have an About Me page, which is my front page; an Articles page, which has links on it; and a Blog page, where my blog posts show up. That's it. The Privacy Policy page comes by default; I haven't enabled it at all. So those are the three pages I have. Just to get a quick view, my site has not been published; if anybody goes to my URL, they just get "coming soon" at this point. You can see my site status up here, coming soon.

This is my About Me page. I have some media there, a picture; that is not my garden, I wish. As I scroll down to the bottom, there's a search box. This is all part of the theme I have selected. It's showing recent posts and any recent comments. Then I have a secondary menu at the bottom based on my categories, so I can go to Vegetables down there and get my category page. I have also assigned pictures to categories, and both of my posts have all three of my categories attached to them; they're just generic posts at this point. At the top I have my main menu, from which I can go back to that About Me page, go to my Blog page, which just shows my posts, and go to the Articles page, which has links that open in a different window to articles about gardening.

Now I'm back on my site on my Posts page, and I want to point out again, if you didn't take the beginner course, that because of the resolution I need to use for this video, my Posts page looks odd. If I go back to my Pages page and hover over a page, you see the Edit, Quick Edit, Trash, View, and Blaze options in a row. On my Posts page they're horizontal too, but just skewed because of my resolution. I only have a couple of posts, as you saw on my Blog page. Then I'm going to go over to Categories. In the beginner course, we added all of these categories and made some of them hierarchical: under Fruit, for example, is Strawberries; under Herbs there's Basil, Cilantro, Mint, and so forth. We also added media representing those things. I used a question mark for the Uncategorized category. You can see the Vegetables category; that's the picture that shows up on the Vegetables category page, and each vegetable in the hierarchy has its own picture. Now I'm going to go to Appearance. The theme I'm using is called Twenty Twenty-One, which as you saw has two menus, the primary menu and the secondary menu at the bottom of the page.
Lastly, I included in the files for the video description all the media I used in the beginner course, so you can add it to your media library in WordPress if necessary.

The first thing we are going to do before implementing our best practices for WordPress security is create a backup of our site. My WordPress install came with a plugin called UpdraftPlus (Bluehost preinstalls it; it is not part of WordPress core). If you go to Plugins on the left and scroll down, you'll see your installed plugins, and UpdraftPlus should be in that list. It may not be activated, so where mine says Deactivate, you may have an Activate link to click. Then you can go through its settings to tell it where to store your backed-up files. You can store them locally, or back up to Amazon S3, Dropbox, and more; in my case I'm using Google Drive, where it creates a folder called UpdraftPlus to store my backups. If you need to take a moment, pause the video and get UpdraftPlus activated and set up with where you want to store your backups.

While I'm still on the Installed Plugins page, I'm going to direct your attention to the Automatic Updates column. You'll notice that my host, Bluehost, automatically updates any plugins I have, so updates for all of my plugins are automatically enabled. That's one of the things you want to keep an eye on, because you want to make sure you have the latest version of a plugin, mostly for security purposes. If you do not see UpdraftPlus in your list of installed plugins, you can go to Add New under Plugins and type it in the search box. If it's not already installed, it will give you an Install Now button, like the one on this WP-Optimize entry; mine is already active, so Active is dimmed out. But just so you know, you can always grab it again. It's a free version, and you can upgrade to Premium if necessary. Once you have it installed and activated and have gone through the settings, you should have UpdraftPlus on your top toolbar to the right of Need Help, and its dropdown lets you go to Backup/Restore, Migrate/Clone, and Settings.
I'm going to go to Backup/Restore. All the other options from that dropdown are available as tabs running across the top. The first thing I want to do is go to the Settings tab. This is where you set up your files backup schedule and your database backup schedule. It defaults to manual and retains two scheduled backups for each type. You can change when your backups happen, anywhere from every two hours to monthly, for both files and database. I would encourage you to give some thought to when you want your backups to happen automatically; now you know where to set that schedule and how many backups to retain. You would need to upgrade to UpdraftPlus Premium if you want to fix the time of day at which a backup takes place, take incremental backups, or configure more complex schedules. Here you can't set a time, just a frequency and how many to retain.

If you scroll down on the Settings page, this is where you choose your remote storage; mine is set to Google Drive. Underneath those options it lets you know that you would also need to upgrade to Premium to send a backup to more than one destination. Here's my Google Drive information: it's putting backups in a folder called UpdraftPlus, which I'm fine with; you would need Premium to set a custom folder name. I'm already authenticated with Google (I have a privacy blocker over my email there). As I continue to scroll down, you'll see that it's including plugins, themes, and uploads in the files backup, and I can add exclusion rules if I want to. At the bottom it offers Premium features such as encryption of your database backup. You can have a basic report emailed to your site's admin email address, which I have blocked here, and then there are some expert settings you can look over.

Now I'm back on the Backup/Restore tab, and I'll show you my last log message. I deleted a backup file a little while ago today, so that's what's showing in the last log message.