WordPress Security – How To Stop Hackers

This lecture introduces the Wordpress Security course and your instructor. There are a couple of ways you can use this course, and this lecture will cover those.

This lecture looks at whether or not Wordpress is a secure platform.  Can you trust Wordpress with your website?

Why do hackers hack?  There are a lot of reasons, none of them good.  This lecture looks at a few of the reasons, but also reassures you that your website will be very secure after following this course.

There are a lot of common hacks on Wordpress sites.  This lecture introduces a few and also points you to an authority web page if you want more details.

Everyone should backup their Wordpress website.  This lecture explains what you need to backup, and offers suggestions for tools that will allow you to do that.

There are a number of security plugins for Wordpress.  We will install and setup a good one later in this course, but for now, let me just introduce a few of the more popular plugins.

Passwords need to be strong and random.  Weak passwords are one of the main ways hackers gain access to a website.  You'd be surprised how many people use the word "password" as their password.

Usernames are another weak area for many Wordpress users.  Pick a username that cannot be guessed.

Know the URL that you use for signing into your website.  A simple hacker trick could get your username and password without you realising you've been tricked.

PHP error reporting can give hackers some sensitive information.  You can easily disable this though.

The file editor built into the Dashboard is one of the first ports of calls if a hacker gains access to your site.  It's therefore a good idea to disable it.

You need to be careful about code embedded into Wordpress posts or pages.  If you don't trust the code 100%, leave it out.

Wordpress security is only as strong as it's weakest link, and users may be that weak link.  This lecture looks at correctly assigning roles to users, to give them just enough security clearance to perform their job.

Inserting any kind of code in your site can open up security holes.  You have to be very careful, and this lecture explains what to look out for.

Plugins can be another source of security holes.  This lecture looks at some common sense measure to ensure your website is secure.

Themes can also provide backdoors to hackers, so make sure you use themes from reputable sources, and that those themes are regularly maintained and updated.

A good measure to take is to stop someone repeatedly trying to log into your site on the login page.  If a user fails to login a couple of times, they are probably not authorised to access the site, so block them.

You may already be familiar with 2-Factor authentication.  Your Google account may use this, or your online banking.  You can add this layer of security to your Wordpress site if you wish.

The login page is the gateway to your Wordpress Dashboard, so protect it!

A simple security measure you can take is to change the default Wordpress table prefix.  This is typically done when you install Wordpress, but you can change it at a later date as well.

Wordpress security keys are an extra layer of protection for your site.  If you install Wordpress using a one-click installer, you don't need to do anything as these will be created for you at the time of the installation.

XML-RPC is a programming interface that developers can use to "talk" to Wordpress.  It's also a potential security threat.

A good web host can help increase the security of your website.

This is an important configuration file that contains sensitive information about your site.  You may want to protect it.

The files and folders on your server are given permissions, which basically control who can read and write to those files and folders.  There are specific permissions required within your Wordpress installation.

Find and install the plugin in the Wordpress repository.

Before you begin, we need to backup important Wordpress files.  If anything goes wrong with the configuration of the plugin, you can always use these to restore access to your Dashboard and site.

As you secure your site, you should keep taking backups of important files as mentioned above.  However, it is possible you will get locked out.  This tutorial shows you what to do if that happens.

If you want to just play it safe, you can only enable the security features that are safe to implement and not cause your site problems.  If you are more adventurous, you can try activating all measures.  This lecture explains how to identify the safe from the "adventurous".

The Dashboard gives you a birds eye view of your security setup on the site.   Check out how secure your website is.

The settings screen gives you quick access to a couple of useful tools.  We've already used two of the tools to backup files, but let's see what else is here.

Your username, display name and password settings are accessible from this screen.  Do you need to change them?  Are they secure enough?

Stop brute force attempts by locking out users that consistently try to login, but fail.

If you allow people to register on your site, then these settings need to be selected as well.

Remember we talked about the table prefix and how Wordpress liked to use a default of wp_ ??  This lecture shows you how you can change your prefix if you need to, or just want to.  Don't forget to backup the database first (instructions included in this video).

Files and folders need the correct permissions set, to keep them secure.  This lecture shows you how to make sure everything is correct, and also how to disable the PHP editor if you didn't do that earlier in the course.

Check out details of people trying to access your site.

Blacklist IPs so that they cannot access your website.

Setup a firewall on your Wordpress website, to add an extra layer of security.

The plugin has some great tools to help prevent brute force attacks.  This lecture shows you how to set these up.

This section of the plugin helps to deal with spam comments by adding a math captcha to the comment form.  It's not the greatest spam eliminator, but it is quick to implement and will help a little. A more useful feature is the auto-blocking of repeat spam commenters.

One way of detecting whether your site has been hacked is to monitor the Wordpress files on your server and compare them to the original Wordpress files from Wordpress.org.  This is a built in feature of the plugin.

If you need to, you can block all access to your site front end while you do maintenance.  This lecture shows you how to do this.

A final few security measures for your website, and you are done.  What is your final security score?

What is your Security Strength after completing the security settings?

I have created a Checklist for you to follow as you secure your Wordpress websites.  I've made it available as a PDF file which you can download as the resource for this lecture.

If you are new to Udemy, please watch this lecture that shows you around the Udemy interface, and how to get the most out of your Udemy experience as you take this, and other, courses.

A final lecture with some information and resources you may find useful.