This is Wolf Bishop with Pressable, and he's going to talk about the five most essential steps to WordPress security.

Thank you guys. I hope everybody enjoyed WordCamp Atlanta 2018. So first of all, just real briefly, a little bit about myself. I've got 13 years of WordPress experience; I've been working with WordPress since 2005. I am a WordPress educator and absolutely love teaching about WordPress. It's kind of my biggest passion when it comes to WordPress: teaching, imparting the wisdom, because I think this is the best platform in the entire world for building a website. So, as I mentioned before, I do work for Pressable. We are a managed WordPress web host. And I am an avid outdoorsman. I love spending time outside on my four-wheeler, or hunting with my air rifle or my crossbow. I live on 19 acres of off-grid homestead in the Ozarks, so it's really awesome, and I've got in my backyard 63,000 acres of national forest. I'm also an avid bicyclist; I bicycle 10 miles every single day. I'm a husband and father to an amazing wife and three equally amazing children.

All right, so the first thing I want to do is say this: if you never do anything else to secure your site, do these things. These are the things that are the most important and are going to give you the bare minimum of security that you need. Obviously, there's a lot more you should be doing than what I'm going to talk about today, but these are the ones that are the absolute essentials. Without these things, I can almost guarantee you that at some point you will be hacked.

All right, so let's put out a little fact. People have a habit of blaming their host when they get hacked. I can't tell you how many times I see a ticket or a chat come in and somebody's irate at the host because their site got hacked, and then you find out that they're using passwords like "admin" or "password123", and/or every user on their site is an admin, and they can't figure out, "Well, why am I getting hacked?"
So something to keep in mind is that the vast majority of compromises, well over 95% of compromises, are a direct result of improper deployment, configuration or management. This is kind of borne out by the 2018 Sucuri Hacked Website Report, which just came out last week, and this is a direct quote from there: "In most instances the compromises which were analyzed had little, if anything, to do with the core of the CMS application itself, more with its proper deployment, configuration, and overall maintenance by the webmasters." In other words, people are not taking proper care of their site. They're not making sure that they have strong passwords, not making sure that they do these five things we're going to talk about today.

So let's get into it and go with number one. And I consider this to be the most important, because if you have this one covered, then no matter what else happens to your site, you can recover it. 80% of all websites have little to no backups, or very inadequate backups. What do I mean by inadequate? Well, one of the biggest things is keeping your backups on the same server as your website. The logic of this is simple: somebody gains access to your server, where your backups are stored and where your site files are stored. They're not only going to screw up your website, they're going to delete or screw up your backups, and then how are you going to restore your site? So it is extremely essential to keep your backups remote, off your server. There are really great plugins that will make this very, very easy, things like UpdraftPlus, BackupBuddy, etc. They allow you to back your site up to a myriad of different platforms, from Amazon S3 to Dropbox to Google Drive, whatever. Just about every platform out there is supported in one way or another by one plugin or another, so you definitely have a lot of options; some are better than others.
So definitely do your research on them. So backup plugins are important in that sense. It is also important to take a manual backup on occasion. If you have a good backup plugin, this is not something you necessarily have to do on a regular basis. The cool thing about doing a manual backup, and what a lot of people don't realize, is that you don't necessarily have to back up everything. Okay, you have to back up basically two things: your database and your wp-content folder. Because if you have those two things, you can always restore your website.

Host backups: most good hosts provide backups. Most good hosts will also tell you flat out not to rely on those backups. You've got to keep in mind that hosts are backing up thousands upon thousands upon thousands of sites every single day, so inevitably some of those backups may not be viable, some of those backups may have a mistake in them, something may happen so that those backups are not effective. So while it is great to have those as an absolute last resort, don't count on them, don't rely on them, but also do make sure that your host does provide them.

Right, second one. So I mentioned bad passwords like "admin" and "password123"; you'd be surprised how many times in this industry I see this. Here are a few examples of good passwords. We're going to get into more detail here of what makes up a good password, but one of the top three causes of a compromise on a website is a weak password. We'll get into the other ones as well, but one of the top three is a weak password. So make sure you have a nice secure password, and here's how to do that. So these are what I consider the absolute bare minimums for a password. If you can do better than this, great, but these are the bare minimums for every single password you use. And don't just do this on your website; do this on every online account that you have, whether it be Facebook, Twitter, whatever. These are general guidelines that fit everywhere. Okay?
So you should have a minimum of 12 characters; 16 is even better. Your password should be made up of a nice combination of upper and lower case letters, symbols and numbers. It should be randomly generated, with no dictionary words and no personally identifiable words. So don't use your pet's name, or your dog's or your kids' names, or your anniversary, or anything of that sort, anything that can be tied directly to you, because a hacker may very well be somebody that you know, and if they know you well enough, or if they can find enough information on you online, they can figure out your password fairly easily. Granted, that is not the standard way that most passwords get discovered, but it can be; it does happen.

So here are a couple of resources that are very, very helpful. Number one is howsecureismypassword.net. So this site, what it does is you enter in your password and it will test it and give you, on a timescale, how long it would take the typical algorithm to hack that password, to figure out that password. The second one is passwordgenerator.net. This one is exactly what it sounds like: it generates random passwords, and it has all kinds of features. You can control the size of your password.
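The password minimums just listed (12 characters minimum, 16 better; upper and lower case, digits and symbols; no dictionary or personal words; randomly generated) as a checker plus a generator. This is an added example, not code from the talk or from Pressable; the dictionary and personal-word sets are constructed samples standing in for a real wordlist and the user's own terms.

```python
import secrets
import string

# Character classes the talk asks for: upper, lower, digits, symbols.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits,
           "!@#$%^&*()-_=+[]{};:,.?")

# Constructed stand-ins: a real check would load a full wordlist and the
# user's own personal terms (pet, kids, anniversary) instead of these samples.
SAMPLE_DICTIONARY = {"password", "admin", "wordpress", "welcome", "summer", "love"}
SAMPLE_PERSONAL = {"rover", "emily", "1994"}


def check_password(pw, dictionary=SAMPLE_DICTIONARY, personal=SAMPLE_PERSONAL,
                   min_len=12, better_len=16):
    """Return the list of rules from the talk that `pw` fails (empty = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    elif len(pw) < better_len:
        problems.append(f"meets the minimum but {better_len}+ characters is better")
    for name, chars in zip(("uppercase", "lowercase", "digit", "symbol"), CLASSES):
        if not any(c in chars for c in pw):
            problems.append(f"no {name} character")
    low = pw.lower()
    for word in sorted(dictionary):
        # Case-insensitive substring match; short words would over-trigger.
        if len(word) >= 4 and word in low:
            problems.append(f"contains dictionary word '{word}'")
    for word in sorted(personal):
        if word.lower() in low:
            problems.append(f"contains personal word '{word}'")
    return problems


def generate_password(length=16):
    """Randomly generate a password that satisfies every rule above.

    Uses the `secrets` CSPRNG (never `random`) and rejects the rare candidate
    that misses a character class or happens to contain a listed word.
    """
    if length < 12:
        raise ValueError("the talk's minimum is 12 characters")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, min_len=length, better_len=length):
            return pw
```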
You can control whether or not it has special characters, and it really helps with generating a nice secure password.

Number three. This is the number one cause of compromised sites: out-of-date plugins, WordPress core and themes. It is absolutely essential to keep everything within your WordPress site up to date at all times. Failure to do so will result in you getting hacked at some point or another.

Number four: user permissions. So I mentioned earlier how many times I've seen sites where everybody on the site is an admin, or there's, you know, five or six admins. Your site typically should have one to three admins. Your host may be an admin; especially if you're on a managed host, then your host will typically have an admin account. Pressable, for example: on every site, we are an admin. This allows your host to get in there and work on your site and help troubleshoot problems that occur without you having to share your passwords with us every time over an insecure network connection. So you should limit admins to only those who absolutely need it; that's number one. Set your minimum user role to what that individual needs. Your average visitor, who's just subscribing to your blog and wants to read your articles, doesn't need to be an admin. They don't need to be an editor. They don't need to be an author. Make them a subscriber. Okay? There are also user role plugins that you can use to customize. So let's say you have a particular editor, for example, who needs a certain set of privileges. You can use User Role Editor type plugins to kind of fine-tune that and give them exactly the permissions that they need, and that allows you to make sure that they're not having access that's not needed, because even though that person may or may not be trusted... there are two reasons, which brings me to two reasons, actually, why this is important. Number one is if you're working with a third-party developer that you don't really know very, very well.
You never know what they might do to your site if they have the wrong permissions. Okay, you never know what kind of backdoor they may put into your site, and then later on you're out of luck if they screw your site up. The other reason is simply that they may get in there and be doing their job and make a mistake. Mistakes happen; people are human beings, we make mistakes, and that mistake may completely destroy your website. I actually had a client one time who had a user get in there who was doing their job and they deleted something that they should not have deleted, and it deleted thousands of user accounts off of their website, and there was no way to back those up. There was no way to trace them or recover them. So the client had to go in there and manually recreate every single one of them. Needless to say, it cost them a lot of time and money.

No, actually they did not. It's a little hard to fire the owner or a co-founder.

This one here is security plugins, number five. I want to do a disclaimer on this before we go into it in depth. It is always better to manually secure your website at the code level if possible. However, most people, even designers and developers, do not know how to do that. They don't know how to go in and write the code that is necessary to secure your site properly. So there's an alternative, and that is security plugins. A couple of good examples are iThemes Security and Wordfence; the Wordfence guys are here today, in fact. These are just a couple of examples.
There are many really great ones out there; BulletProof is another good one. It's a very easy way to secure a website. They come with a very wide range of features that allow you to do just about everything you need to make sure that your site is secure. However, you should use these plugins with caution. If you don't know what each feature does, don't enable it until you figure out what it does, because it very well may break your website, because every website is different. There are different configurations, there are different setups, different themes, different plugins in place. Maybe you have some custom code, and you enable the wrong feature and you could literally lock yourself out of your website; that's the best case scenario. Worst case scenario, you completely break your site, and now you've got to restore it, if you're lucky enough to have a backup. So make sure that if you are going to use a plugin, you research the features. iThemes Security is a very good example of this. I see people all the time who have gone in there, they've installed the plugin and just started click, click, click, click, click, click, click, enable everything, and then they come to me like, "I can't get into my site," or "my site's gone." Well, yeah, you didn't know what you were doing. So read the documentation, I guess, is what I'm saying. Read the documentation before you enable something, and this should be kind of a standard practice with any kind of plugin, whether it be security or anything else, because the same thing can happen with other types of plugins, obviously.

All right, so like I said, you can keep in touch with me. My blog is wolfbishop.com; feel free to email me at any time at Timothy at pressable.com. And if anybody's got questions, I think we've got time. Yes?

We do not currently, in our knowledge base. There are a couple of articles that are in the development phase right now that should be released hopefully fairly soon to do exactly that. Right now...
There's not, but there are... Do a Google search for "manually securing WordPress" and you'll come up with a lot of really great articles.

Mm-hmm, right. So when you first set it up, do a complete backup. Okay, once you're done, once you've got it already set up and configured, then just do the database backup. The exception is, well, the exception is when you add a new plugin, because the database backup will back up any changes you make to your posts and pages. It won't back up any changes you make to plugins or themes or anything like that. So if you make any plugin changes, do a complete backup.

Yes. Yeah, so Sucuri is primarily a security firewall plugin, so it doesn't have as many... For the most part I tell people don't ever use more than one security plugin at a time. The exception is Sucuri; using that alongside Wordfence or iThemes Security is very complementary, and I do recommend that. So yes, you can use Wordfence and Sucuri.

There are a couple of things. Number one is hiding your wp-admin. There was a point when that was an absolutely great practice to do. Now it doesn't hurt anything, but it really doesn't help, because the algorithms have gotten smart enough to be able to figure that out and find the new admin URL. The other big one is to change your WP database prefix. Still somewhat helpful, but it doesn't help to the degree that it used to, because again, the hacking scripts that people use have gotten to the point where they can figure that out. They can find it.