Just a little bit about logistics, I've never actually given a presentation in a room set up like this where I was actually beside the people and the screen was up that way. So it's a little bit disconcerting for me, but you know, we're going to do it. And I apologize right away because I'm going to be in front of you and you for most of this. So, okay, WordPress security, that's what we're going to talk about today. It's more than a green padlock. What do you mean by that, Matt? Well, you've seen a lot recently with SSL certificates and HTTPS, and everybody says you've got to have this little green padlock on your website so that you know that it's secure. Well, that's part of the discussion. We're going to take a little bit of a walk past what I'm going to refer to as the Let's Encrypt Cloak of Security. Let's Encrypt are free SSL certificates that you can get from many hosts. But we're going to talk a little bit differently than that. We're going to see what you could really do to protect your website and anybody else that's living on your website's host from any kind of malicious attacks. I'm talking about no programming required here. I'm talking about entry-level type stuff that we can do to protect our websites. I don't want to get into any heavy-duty coding and playing around with PHP and stuff. We're not going to do that. A little bit of common sense, maybe a plugin or two, and we'll put together some straightforward steps that are going to protect you from the public interwebs. Okay, I'm going to give a little bit more of an introduction. My name is Matt Ryan. I've been in IT for about 40 years. I have a couple of computer science degrees from the pre-WWW days before the internet was actually a thing. And I did a lot of programming, and then I got out of it. I did network infrastructure and network design. I built some of the first wired phone wire type networks in Maryland when I was working down there.
And then I got out of it, got into that management stuff. And then my manager said, we don't need you anymore. Go do something else. I said, okay, I'll do something else. And I came back to doing programming because I always loved programming. It's something I had control over. And I found WordPress in 2013, and I opened my own WordPress development design company in 2014. So I've only been doing WordPress per se for about four to five years. And I like doing these types of introductory level talks because I know what it feels like to come into this infrastructure, into this community, and not be maybe completely comfortable and still trying to feel your way around. So that's why I'm in here. I want to give you a couple of steps that you can take to get your new WordPress site off the ground and get some things going. So I'm not sure why it's adjusted that way. On my screen up here, it doesn't have that black bar, but let's ignore that for now. Let's first refer to that SSL certificate that I talked about in the beginning. What does that really give you? Okay, this is the Let's Encrypt insignia I was talking about earlier. Let's Encrypt provides free SSL certificates for websites. Okay, if your server host does not allow that, look around for one that does because they're very prolific. GoDaddy does not give free Let's Encrypt certificates. You buy one from GoDaddy. But what does the SSL certificate get me? Well, what that allows you to do is allows your website to talk HTTPS. This little thing right in here, HTTPS. You got the little green lock that says HTTPS on it. Before you had that, it said HTTP slash slash my website dot com. Well, given that little bit of security there, what that does, that encrypts the communications, jumbles it all up, that's going between your laptop and your website host. So that wire that goes through there, that Wi-Fi signal that goes between your PC or your phone and your website, it encrypts those communications.
Well, why is that important? Well, think about it. Not a single person in this room right now has a wire that's going from their device to the wall that's connecting to the internet. Everybody in here that's connected to the internet is using Wi-Fi. And if you're not connecting to an HTTPS site, all that Wi-Fi traffic is available. I could turn on my network scanner and I could watch what you may be doing on your Surface Pro, what you might be talking to. Okay, that's called network eavesdropping. It's a man-in-the-middle type of attack because I can take a look at your communications. With HTTPS and an SSL certificate on your website, you can't do that. You can't see what I'm saying. So what you're doing as a website owner, when you have that SSL certificate on there, you're giving your visitors a little bit of a sense of assurance that you care about their data. You care what they're doing on your website and you're taking responsibility for that. And it makes Google Apple happy. Well, what do you mean by it makes Google happy? Well, a few years ago, Google came out with a little blog post that said, hey, we really like HTTPS sites. We're gonna start rewarding site owners that have HTTPS sites. We're gonna reward them by bumping their rankings just a tad, if they're running an SSL certificate on their website. It was like in 2014, 2015, just a little blog post. They called the initiative HTTPS Everywhere. You can take a look on that, see what it's about, read some history on it. Well, fast forward to August of 2018. Earlier this month, Google released the latest version of their Chrome browser. It's the most popular browser by far that's installed and actively running right now. Well, one of the things that's happened with that latest release is that, if you go to a website that is not running an SSL certificate, could be your site, it's gonna say, not secure. That's when it started happening, within the last two weeks.
And your customers, your visitors are gonna say, what the heck? Why am I at this site? I gotta find somebody else's site to go visit. Nothing else has changed on your site. You haven't started letting any hackers into it. Nothing's gotten broken. It's the browser. If they switch it over to run Firefox or Internet Explorer, then they're not gonna see that message yet. I expect others to follow suit. But most of the browser users in the world are using Chrome. And they're seeing that if your site doesn't have SSL, they're seeing the words not secure. So what has Google done? They basically said, hey, we're gonna punish you if you don't have an SSL cert. So go out and get an SSL cert. I'm gonna be at the happiness bar. Does everybody know what the happiness bar is? Does that make sense? Think of it as a help desk. When I first got into WordPress, they said, well, give me the happiness bar. I was like, well, really, I don't drink. I'm not into that kind of stuff. It's like midday. And they said, no, man, it's the help desk. I was like, OK, all right, I can deal with the help desk. I'm gonna be at the happiness bar, having a bottle of water, and we can talk about security after lunch. I'm gonna have lunch before we do that. So we have our SSL certificate. And let's get past that. So we all know we need that. Let's get into basic WordPress security. What I'm gonna talk about here today is what I'll refer to as low-hanging fruit. The low-hanging fruit, the stuff that you don't need to get in and really muck with the code, and we're just gonna get down there. We're gonna talk about usernames and passwords, talk about updates to all aspects of WordPress, the core, the plugins, the themes. We're gonna talk about how to protect your login page a little bit. And we're gonna talk about backups because that's kind of a nidgy thing I need to talk about. All right, what that should say up there, protect your website and others on your host.
Oh well, all right, I'll have to read them to you. All right, protect your website and others on your host. I mentioned earlier that on shared hosting, which if you're running on, say, Bluehost, or HostGator, or GoDaddy, you're probably on a shared host, which means there are dozens or hundreds or possibly thousands of other websites running on that same host as yours. So by protecting your site, you're also protecting everybody else on that server, and you hope they're doing the same thing. So we're gonna talk a little bit about protecting your own site, which means protect your neighbor on the server out there. Usernames. It's probably back in version three of WordPress, early version four. When you set up a brand new WordPress install, they create the username, first username of Admin for you. They have since stopped doing that. However, some of these one-click installs that you'll get from some of the hosting companies still use that and drop that in. They create a user for you, allow you to log in so you can start doing some stuff on your website. Admin, in combination with WordPress, is one of the most hacked things there is out there. And you think, well, if WordPress is so insecure, why are we doing this? Well, it's not that WordPress is insecure, it's just WordPress is so prolific. It's everywhere. More than 30% of the world's internet sites are running on WordPress. So it means there's a lot of targets out there. Think back when Windows computers were coming up and they were blowing up and getting bigger and bigger and it was like, don't go to Windows, everybody's hacking Windows. Well, that's because there was so darn many Windows computers out there. We're now in that same boat with WordPress. There's so many out there. So Admin used to be one of the first usernames they put in there. Well, you don't want to do that.
If you have a WordPress website right now, and if you look at the users that are using it, and any of them say Admin, the first thing you should do tonight before you go to bed is change that. And it's a really easy thing to do. You can create another user and you say, I want to delete the first user, the Admin user, and it'll come up with a little block that says, where do you want to put all this content? And you select that new username, Matt. I want all the Admin content to be associated with Matt, and WordPress handles that for you. It's really clean. It's really easy. And- But if you just delete it all at once, then all that stuff goes away, so be careful. Yeah, yeah, don't just delete it because it'll end up in kind of an orphan type mess, but create a second user. But you can't create a user that you're logged in on dirt, either. The other thing with that is, we talked, I mentioned Admin as a username. The other option is don't use your site name as a username. So you have joescoffee.com. Well, don't make your username joescoffee. And the reason is, is because that's one of the second most hacked methods. It's when a hacker's out there, they're going to say, well, if Admin's not out there, let's try the name of the domain. Don't do it that way. All right, so we've gone over username and password. I mean, usernames, Admin and your site name. Passwords, Force Strong Passwords. Here's a nice plugin here, Force Strong Passwords. You can, when I mention plugins that are available, I'm going to mention free plugins. Free plugins can be found by going to the plugins menu in your WordPress dashboard. On the left-hand side, it's going to say Plugins, Add New. You come up with a button, it says search. You put in Force Strong Passwords and that one will pop up and you can install it right from inside your WordPress dashboard. It's really easy. So that's what we're going to talk about.
Whenever I mention that, unless I say it's a paid one, we're going to install it this way. So Force Strong Passwords, and why do you want to do that? Well, you want to make it a little bit difficult for someone to hack your site. When I'm talking about somebody hacking your site, we're not talking about somebody sitting down in their basement just banging away on keys, trying to figure out your password. They just found out, oh, this is joescoffee.com. Joescoffee is the username. Let me just keep trying passwords. I've already looked at his Facebook page. I know his dog's name is Charlie and his wife's birthday is on February the second. I'm going to try those real quick. That's not the way it happens anymore. You have automated bots, robots, that are just banging away hundreds or thousands of times an hour at your site, trying to guess that password. And even with a really long password, they can do it pretty quickly. If they have the username, they can bang through that very quickly. So try to make it a little bit difficult. Here's another thing. Instead of using just a strong password, and by strong, I'm talking about things with characters, upper and lower case, got some numbers in there, got some characters in there, like exclamation points and at signs, you're going to have to use a password manager. You're really going to have to do that because you're not going to be able to remember these passwords, because you're going to have a different one for every site you touch. Your bank, your Starbucks card, your Wawa card, everything's going to have a new password. Use a password manager, so you don't have to do that. But take it a little bit of a step longer. If the garbage password is difficult, think of a passphrase. I have a couple of sites and one of them is, I do not remember the password to this damn site. It's, what, nine words?
And I intermixed a couple of capital letters in there, but that's a much harder thing to guess than even a string of 15 characters that is random. It's called a passphrase instead of a password. So think about using strong passwords. When WordPress creates a new user in your website, it's going to suggest a strong password. It's going to give you 15 characters that is all messed up. Save that as your user's password. Well, Matt, well, then I got to tell them what that password is. I said, no. There's a little check mark in your WordPress dashboard that says, email my new user about this password. Well, what could it say? They're sending the password? No, we're not. WordPress sends you a link via email that you click on and you come back to your website and you set a new password. That password never gets sent to your user. There's no passwords being sent around by email. Well, Matt, what if my user doesn't remember their password and they can't get logged in and I have to log in and set a new one for them? No. On the login screen, there's a line that says, forgot my password. And what they do is they click that line, it asks them for their username or their email address, whichever one they want to use. And then it sends them back that same reset command so they can reset their own password. You don't have to touch their password. Now, you are going to have a user that's a little bit challenged about doing that kind of stuff. And that's some social engineering that you have to work with. But technically, you do not have to send a password via email with WordPress resets and new users. Is there a recommendation for a password manager or a password method? I personally use LastPass, but I like 1Password, my son, who's much smarter than I am because he's a web genius at 24. He likes 1Password. But they're the top two, either one of them, and people are gonna say, well, what if they get hacked?
Well, you know, something's gonna get hacked along the way, but 1Password and LastPass are really good options because they allow you to store a bunch of passwords in there. You have to remember one password so that you can get in there and see all the rest of them. They can do automatic fill-ins for websites that you're on. You can share sections of those with another user. If a spouse, you share the section with the spouse that has all the bank accounts, so that here's the bank account information, things like that. Take a look at those. The last item on here, delete first user. Now, what does that mean? Well, one of the things I mentioned earlier was about WordPress used to put admin in as your first username. Well, there's a way with your WordPress site that you can do something called enumeration of users, and you can do it from the command line, example.com, and there's a little bit of a command that comes out there that you can get a list of, show me user number one. And it comes back and pops up and shows the username. Anybody can do that. It's a query. It's called a query. Now, you can also put that in a loop that goes show me user number one, number two, number three, but we're trying to stop the casual hacker and put any kind of a roadblock in front of him. So we want his little program to stop when it comes back and says user number one does not exist. We want him to say, okay, next, I'm gonna go to the next site. So what I recommend doing is create that user number one. Matt's dummy user. Create user number two. Matt's good user. Log in under Matt's good user. I delete Matt's dummy user. So what I've done is I've deleted user number one and now I'm gonna be using user number two. User number one in the database table is gone. Doesn't exist anymore, but there is no user number one now. They start off at two.
And as your website grows with users, whether they're subscribers or they're contributors or editors, everyone gets assigned a new ID and it's just a number that keeps going up. And as people come and go from your website, those numbers are not gonna get out of order. They're still gonna be going up, but there's gonna be holes as users get deleted and they don't get scrunched up. If you delete user number one, then they can't enumerate user number one and the hacker will go on to the next thing. Okay, talked about usernames, passwords. Let's talk about keeping everything updated. What you hear all the time is, well, you have to keep your WordPress core and your themes and your plugins up to date. Who is not familiar with the term WordPress core? Anybody? Everybody knows what WordPress core refers to? We just learned about it. You just learned about it? Excellent, okay, WordPress core. We just recently had a WordPress release of 4.9.8 that came out within the last three weeks. It had some security updates, it had some maintenance updates, and it had a couple little tiny insignificant features that got dropped into the middle of it too. You should be updating that. You should be updating to 4.9.8. Why? Well, because there were some security vulnerabilities that were addressed by that update. Well, why does that concern me? Well, the reason it concerns you is once an update gets dropped, it means they publicized what the vulnerability was. The vulnerability that is being fixed is now documented on the internet. So that means how the vulnerability is exploited is also documented. And if you're not updated by now, that many more people know how to hack your 4.9.7 site if you had that plugin or if you're using WordPress in that mechanism. So don't take a chance. Just update the core. I'm not gonna say update automatically. If you have a staging area or a testing area available to you, do an update there. But get it done as soon as possible.
Plugins and themes, the same thing. You have a developer that's writing a plugin for you and it has been identified that there's a security vulnerability in that plugin and they fixed it and they've released a new version of it. Update the plugin. Don't let it sit in an old version. I'm talking about both activated and deactivated plugins. Why deactivated? Well, a deactivated plugin, which is not live and active on your site, is still sitting on your site. The files that are available for that plugin are still sitting on your site. Depending on how you have your permissions set up on your folders and files, someone could put that entire URL string in there that gets down to broken plugin file.php and execute it even if it's not running. So update the deactivated plugins. Better yet, get rid of them. If they're deactivated, they're not running. You don't need them. Maybe you were testing them out. Maybe you were looking at a mailing plugin or something like that and you tried out three of them and the other two are still there. Delete them. You can go back and get them if you need them later on. One thing that you can do with the WordPress repository and the repositories where all these plugins live is that you can mark some of those items as favorites. So you create like a little account on there and if I like these two mailing plugins but I don't want to have one I'm installed right now to use that in another case, I'll mark that as a favorite. So I can go up and look at my WordPress.org favorite plugins and I know, hey, these are Matt's favorites. So that's a good way to save it without sticking it on your site. Okay, themes, the default theme too. All right, themes are the same thing. Themes are not gonna be updated as often as plugins or core but occasionally there's an update. One exception, when WordPress updates major versions they almost always update their default themes. And what the WordPress default theme is called, you may see it Twenty Seventeen, Twenty Sixteen, Twenty Fifteen.
They have a very clever naming system that can help you remember them and why they stand out. They get updates too. When 4.9.8 came out, I think Twenty Seventeen got updated. Update that theme. Periodic user cleaning. What am I talking about there? Well, periodic user cleaning, we talked earlier about the numbers of users on your website and what username you should be using. Well, how about cleaning out those users? If your site allows people to become subscribers to it or you add editors or maybe you add additional admin users because that one guy that's providing tech support says, hey, can you give me backend access to your dashboard so I can get in there and check some things out? Oh, and by the way, it's gotta be admin. Don't share your admin credentials. Create a secondary admin account. Give him access to it. And when he's done next week, you delete it. This periodic username or user review, take care of those extra people that have access to the inside of your WordPress website. They don't need it anymore. And if they do, they're gonna contact you. So that's what I'm talking about with periodic user cleaning. The other thing is keep going back and say, hey, does this person still need to have admin access to my site? He used to be an admin. He was updating some of the plugins and stuff. And now I have this person who's just writing some blog posts for me. Okay, so they don't need to be an admin. They could be a contributor. They could just add blog posts. So we can knock them down a couple levels. That protects, that gives one last opportunity for somebody to come in and change plugins and themes that I don't know about. Reliable, regular backups. We'll get into that a little bit more, but reliable backups mean, can you restore from that backup? Have you tried it? You're doing backups. What happens when you want to do a restore back? Does it work? Regular means do it often. Do it based on how often your website gets updated.
If you have a very active blog where there's lots of users making comments on it, people doing a lot of interchange, you don't want to lose any of that stuff should your website go down. So if you have people commenting and making content additions every day, then you want to back that up every day. Maybe a couple times a day. Maybe you have what's called a brochure site that's just describing this is my business and these are the services I offer and it doesn't change until maybe once a quarter. But then that backup doesn't have to happen every day. It can happen weekly, monthly, because your content's not changing that often. All right, let's go talk a little bit more about security plugins. I mentioned earlier that we can do a lot of these things with free plugins. Security plugins, when I'm looking for a security plugin, I want a few basic things. I want to be able to ban certain users right away. If somebody tries to log into my website with the admin user, I just want to block that, ban them from coming back. When I say ban them, what I'm banning is the IP address they're using to connect to my site. Everybody has an IP address when they're coming to my site. I want to ban that. We say, well, he'll just switch to a new one. That's fine. That's a pain. He's got to do something. And if he decides that I don't feel like switching, I'm gonna go to the next site and try to hack it. That's my goal as a website owner, is get him to go to somebody else's site. So I want to ban people who try to log in immediately as an admin user or maybe using the name of my site. That's something I look for in a security plugin. Set login limits. One of the things that automated bots will do is they'll throw a lot of passwords. Once they identify the username, they'll throw a lot of passwords. Or they'll try looking at certain URLs in your website. And by URLs, it's a long query string with all these characters in it that they're looking for a certain page in your website.
And they might do this hundreds of times. Well, you know, that's not a normal person trying to do that. Nobody is sitting in there trying to look for all those pages on my website. So as you see that kind of activity, it's like a brute force attack. I want to shut that down right away. So once I start seeing that kind of activity, I'm going to cut off that username, that IP address right away. 404 detection. I mentioned that earlier about the long query string where they're going to come up. They're going to look for a certain page in your website. They're not going to find it. Your site's going to throw back a 404 error automatically to that query person. Well, if there's a lot of 404s coming in the course of five minutes, it's probably an automated bot trying to get in. We want to shut that down. So if the number of 404 errors comes in, you want to shut it. Now, one, maybe two, you can understand somebody trying to type contact, myexample.com slash contact, and they forget to put the last T on it. Or they drop out the C, the second C in contact. How many times have you done it yourself? Well, it's going to give you a 404 error. If you do one or two of those in a minute, that's understandable. But 500 of them in an hour, no, something's wrong there. Email notifications. I like my security plugins to be able to send me email notifications when things go really bad. Not every time, but when they go really south. And a lot of users are starting to get banned. A lot of admin logins, so I can see what's going on. Something's being attacked. And then I can talk to my host about helping me out a little bit. But if it sends me an email when that's happening, then that's a good thing. These security plugins here, these top three, iThemes Security, Wordfence Security, and Sucuri Security. All of these are available, free plugins, available in the WordPress repository. And they all have paid versions available too.
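The 404-burst and password-guessing heuristics just described, as an added example that is not part of the talk: a small Python checker that reads web server access-log lines and flags the IPs a security plugin would ban. The log lines are constructed (IPs from the documentation ranges), and the thresholds and five-minute window are my choices, not the plugins' defaults.

```python
"""Flag IPs that behave like the automated bots described in the talk:
bursts of 404s (probing for pages that don't exist) and bursts of failed
POSTs to wp-login.php (password guessing). Sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Apache/nginx "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def burst_ips(events, threshold, window):
    """Return {ip: peak_count} for IPs with >= threshold events inside any
    sliding window of length `window`. events is a list of (ip, datetime)."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def analyze(lines, not_found_threshold=20, login_threshold=10,
            window=timedelta(minutes=5)):
    """One or two typos a minute are normal; dozens of 404s or repeated
    failed logins from one IP inside the window are not."""
    not_found, failed_logins = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == 404:
            not_found.append((ev["ip"], ev["ts"]))
        # WordPress answers a failed login POST with 200 (form re-shown);
        # a successful login redirects with 302, so 200 here means a miss.
        if ev["method"] == "POST" and ev["path"] == "/wp-login.php" \
                and ev["status"] == 200:
            failed_logins.append((ev["ip"], ev["ts"]))
    return {
        "404_bursts": burst_ips(not_found, not_found_threshold, window),
        "login_bursts": burst_ips(failed_logins, login_threshold, window),
    }


def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed access log: one real visitor, one scanner, one guesser."""
    base = datetime(2018, 8, 18, 12, 0, 0, tzinfo=timezone.utc)
    lines = [
        # Real visitor mistypes /contact once, then gets it right.
        _line("203.0.113.7", base, "GET", "/contac", 404),
        _line("203.0.113.7", base + timedelta(seconds=20), "GET", "/contact", 200),
    ]
    # Scanner: 25 requests for files that do not exist, within two minutes.
    for i in range(25):
        lines.append(_line("198.51.100.9", base + timedelta(seconds=5 * i),
                           "GET", f"/old-plugin-{i}/readme.txt", 404))
    # Password guesser: 12 failed wp-login.php POSTs within three minutes.
    for i in range(12):
        lines.append(_line("192.0.2.44", base + timedelta(seconds=15 * i),
                           "POST", "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    for kind, ips in analyze(sample_log()).items():
        print(kind, ips)
```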
But the free versions, they give you a lot of options of things that you can lock down on your website. Sometimes you look at those options like, oh my god, how many things I got? Take the recommended defaults. Start from there, and then work backwards. See, what can I live with? What can I live with with my users? What do I need? What am I seeing? Try these out. It will be. Yeah, with all links to everything. I'll try to get a paid version. I'll try. But leave me your card afterwards. I'll give you my card. The last one, iThemes Security Pro is a paid product. It's a paid version of the top one there. I've used iThemes Security Pro on a number of sites. It really is nice, some of the additional capabilities of it. But I run a WordPress maintenance business, and in some cases I need some additional notifications about security issues. But any one of these three, any one of these listed up here are going to be reasonable security plugins that will get you rolling. Now I will tell you Wordfence. I host a lot of my sites on WP Engine. Wordfence is a prohibited plugin on WP Engine. They don't like using it. They don't like your site using it if you're hosting with them, just because it duplicates some efforts that they're already doing for you. So they say, don't install this, or it'll conflict with what we do. So, which is fine with me, I'm cool with that. All right, backup plugins. When I'm looking for a backup plugin, I want something that's going to do it automatically. I want to set a schedule, and I want it to just go and do that backup. I don't want to have to go back and watch it every day, once a week, once a month, and remember to do it, put it on my list. I want to set a schedule. So a backup plugin needs to have a schedule setter. Also, I want it to go, I want to be able to send that backup to multiple destinations. Why? Well, I don't want my backup to be saved at my host, where my website is sitting. Why?
Well, if my host goes down, and I can't get my website available, well then they also have my website backup that now the host is down, I have no backup and I'm sitting here twiddling my thumbs and seeing this site not found there when I try to go to my website. Send that backup somewhere else. You can set up a free Dropbox account. I think it gives you 500 megabytes out the door, which is pretty good for a small backup, I mean a small website. And the plugins that we're gonna see on the next slide, they all offer that as a destination option where you can send that backup right out to your Dropbox account. What you do then at your Dropbox account is you set how long you want those backups to stay there. I only wanna keep four weekly backups. Why? Well, I don't want a weekly backup from June. I want weekly backups from July because anything before that is useless to me because I have a monthly backup from June if I wanna go to a monthly backup. So have the multiple destinations, they're free. I think Amazon S3 is not free, but it's extremely cheap. I mean gigabytes for pennies, if you send it out there. But if you have a Gmail address, that means you have Google Drive for free. If you have an Outlook.com email address, you have some space on Outlook.com to store files. All of these things are good destinations for your backup. Don't store it on your hosting server. Various backup types. What I mean by that is sometimes you wanna do a full backup of your site. Sometimes you just wanna do a database backup of your site. Maybe sometimes you just wanna back up the media library. If you're running a WordPress website, everything in that lives in your database. The database is the most important part of your website. That's what you wanna protect at all costs. If it's changing once a week, all right. Back it up once a week. Maybe you're running an e-commerce store and you process 10 orders a day. Well in that case, you wanna back that up several times a day.
Because if you have to restore, you don't wanna lose any orders. If you're doing hundreds of orders a day, then you just wanna keep backing up. And then you wanna do something that's gonna do a synchronous backup. That it's constantly feeding changes to your backup as well as an off-site storage. But I wanna have various types of backups because sometimes I wanna back up my database much more often than I wanna do a full backup, which would include files, media, and database. Also wanna make sure I can do a one-click restore. It's gotta be easy to do that restore. I don't wanna go through a lot of hurdles to get that restore done. And the other thing is I want some email notifications on failure. Most of them will also tell you when it succeeded, but I get tired of seeing that because it's supposed to succeed. I only wanna get an email when it fails because that's when I know I gotta do something. Some good backup options here. UpdraftPlus, BackWPup, and BackupBuddy. BackupBuddy is a premium one on that list. This picture here is showing you what UpdraftPlus has as options for its free version of where it can send your backup files. A lot of different options here. UpdraftPlus also has a vault that they offer. Dropbox, Amazon S3, you got Google Drive. We talked about Microsoft's OneDrive. A lot of options here. Take a look at these. You won't be disappointed. UpdraftPlus, I put that on every one of my customer sites I deliver out the door as a good free option for customers to start with. If they wanna upgrade to the premium version, then they get additional scheduling options and some additional notification options. Excellent source to try with. Okay, we're gonna go a little bit more into a little bit heavy duty beginner security. Again, we're just trying to interrupt the flow of the hackers. And we're trying to, sorry, what else can I do to make my site a little bit secure?
So I'll consider it to be a little bit magical. Okay, first thing we'll call is privilege escalation. And we've talked a little bit about this with our usernames. Just don't give your users more power than they need. If they can be an editor or a contributor, set them that way. This post from WPBeginner about user roles and responsibilities, that's actually a link. You can click on that if, but it's in the resources that'll come out at the end. I send this link to this article to every new website owner I send out a new site to because it does an excellent job of explaining what user roles and responsibilities are on WordPress. WPBeginner, if you haven't visited the site, go there because it's a wealth of information and they're constantly updated. You don't have to worry about evergreen content because they're constantly updating it. We talked about not sharing an admin account with your tech support folks. Give them a new one and when they're done, when they're not working with you anymore, get rid of the account. You don't need to leave that door open. Use a password reset, don't email the passwords. Just send the person a reset link. Sir. What I do when I deliver a website to a client, I give them two logins. I give them an admin one and I give them an editor one. And when I instruct them and when I deliver the turnover training, I say, I want you to use this one, which is the editor one for your everyday work. And then if you really need to do something that could destroy your website, log in here. I mean, it's a little bit dramatic, but I gotta put that kind of fear. I want them to know that they can mess things up if they're not comfortable in here. But I always give them two updates because they have to be able to log in and kick me out. And I'm okay with that. If they kick me out, well then if they want me to come back, you know, we got some cash go, we can talk. So, all right, the next thing, what that says up there is lock down your login page. 
And UpdraftPlus Two Factor Authentication is what that little picture is. Lock down your login page. What that means is I want to make it hard for people to go through my login page if they're not supposed to be there. Two factor authentication. You may have heard a lot about that. Your bank might offer it that when you try to log in on their site, Amazon offers it for when you're gonna log in to order something. What it allows you to do is that you run two factor authentication on your site. When you log in with your username and password, it puts up a challenge box that basically says, dump a six digit code in here and you have to look at your phone or look at your smartwatch or somewhere and get that six digit code and drop it into the website. I use two fact, in fact, I use UpdraftPlus on the site I use to control about 50 websites that I manage. So once I put a username and password in there, then I have to put my challenge code in there. And I go into that site several times a day. So I'm doing this. It is a little bit of a nuisance, but I feel it's worth it to experience that nuisance because if somebody gets, can crack that username and password, they have access to 50 sites. I don't want that happening on my watch. So look at two factor authentication. I say it works with Authy and Google Authenticator. Both of these are smartphone apps that you can run on your smartphone that allow you to have access to a multitude of services. I mean, you could, if you use Dropbox, you could set up Dropbox to have two factor authentication, so it will challenge it. You could set up, if you use Cloudflare as a DNS service, you could set up Cloudflare to do that. You could set up your Netflix account to do that if you want to. So you make sure you know who's logging into your website. Think about two factor authentication. Limiting login attempts. 
We talked a little bit about the brute force protection and banned users because they used the wrong username and 404s we got to the wrong URL. And I'm getting a lot of hurry up, Matt. So I'm going to try to hurry up. And actually I have 20 minutes. No, I got 20. I got till 12. We're good. You're still going to eat. We might run over and if we don't have enough time for Q&A, I am going to be at the happiness bar for an hour after lunch and find me at lunch. You could find me. There's not too many people here to look like this, okay? Overlook WordPress security errors. Know what's going on in your site. Don't allow people to edit files from the dashboard and take a look at your file permissions. Now what I'm talking about when I say know what's going on in your website is, all right, you're a one person owner of your website. Nobody else logs in. Matt, I know what's going on because I'm doing everything. Well, really? Are you, when you do a plugin update, are you seeing what files are being updated? When you do a core update, do you know what's being updated? Maybe not. Or maybe you forgot. Oh, that's when it stopped working. Last Tuesday, when I updated Akismet. Maybe I got it back up before there and see if it works then. Think about putting a security log and audit log on your website. This one right here, WP Security Audit Log by the group WP White Security, excellent plugin. Gives you a lot of detail on what's going on on your website at any time. What I like about it is it allows me to limit how much I keep in a database. For websites that don't have a lot of activity, I'll keep two months of data in there. For websites that are very active, I might only keep 1,000 entries in there because they whip through 1,000 entries in a day and a half. That many changes going on with users commenting and things going on in their database. So it gives you a lot of options. It also checks to see what files might have changed in the last week. Can give you alerts on that. 
So take a look at an audit log to help you maintain control of what's going on on your website. Prevent file editing from the dashboard. Okay, there's a little bit of a thing here. You see this? No, all right. Well, what that says is Editor and it's the bottom of your Appearance menu and your Plugins menu. Your default WordPress install out of the box is gonna have that option there. And what it does is it allows you to get in and edit your theme files and your plugin files. Anything you want to, right from the dashboard. That's a bad idea. Because if you make a typo while you're editing a file that they all say, oh, drop this in your functions.php file. This snippet will solve your troubles that will make WooCommerce do everything you wanted to do. And you drop it in there and it's like, oh, I converted smart quotes to non-smart quotes that had kind of tilted it this way and it didn't drop in as text. And now you just white screen your site because you edited it from the dashboard and you can't get to it. Because now the only way to fix this is to log in through an SFTP client, going through the back end and dig that stuff out because you can't get to this screen anymore. Well, I'm gonna tell you, put this line of code, define('DISALLOW_FILE_EDIT', true); in your wp-config.php. Matt, you said we weren't gonna do any coding. Well, this really isn't coding. Because you don't even have to figure out what these codes are. You're just gonna drop this into one file and there's a line in the bottom of your wp-config.php file. That file is at the top of your WordPress website. Okay, it's right up there with the wp-admin folder and wp-includes folder. And it's one of those 13 files that are up there. Has a lot of configuration information about your WordPress website. This line here, "That's all, stop editing." That's a comment they insert in that file that says, don't do anything below this line because you'll screw up your website. 
There's some code that has to happen at the very end of that config file. You don't wanna put anything after that. So anything you're gonna add to your wp-config.php file is gonna go in above that line. It could go in a couple of lines above it. It doesn't have to be the last one in there. It just has to be above it. What it does is it turns off that Editor menu that's in Appearance and in Plugins. If you get into a site and you see this is the one, turn it off. If you go to your friend's site, turn it off. If you go to your neighbor's site, just turn it off. Just don't ever even show somebody how to use it because then you're passing along the disease. You know, this is one of my soapbox things that I really hate this, you know. And whenever I get into a site that I'm having any kind of responsibility for, the first thing I do is turn that off. I have had a couple of customers say, Man, I can't do this anymore. I used to go in and edit the styles file all the time, you threw this. I said, well, don't use that. There's a neat thing in the Customizer called custom styles. Use that to edit your styles file safely. And if you edit it in the Customizer, then those style changes will stick with the theme when you change. They're locked into your theme, so. All right, what do we got here? File permissions. We'll do this real quick. File permissions, the correct file permissions on WordPress, they recommend 755 for folders and 644 for files. What does that mean? Well, that's telling me what users can access, what areas in my WordPress website. The time this might change is if you upload a bunch of files using an FTP client, some of those will make changes in your permissions and get your permissions a little bit out of whack. Sometimes they might change the permissions all to be 777, which means anybody can get into any file in your site just by typing that file name in. And you don't want that to happen. You wanna be able to get in there and set the file permissions properly. 
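The two file-system steps just described, putting the define above the "stop editing" marker in wp-config.php and bringing folders back to 755 and files back to 644, are easy to do by hand on one site and tedious on fifty. The following is an added example, not code from the talk or from WordPress itself, that does both from a script: it edits the config text (and refuses to add the line twice or to put it below the marker), it decodes an octal mode into the rwx form, and it audits a tree for anything that is not 755/644, optionally fixing it. The wp-config.php fragment and the directory tree it checks are constructed for the demonstration.

```python
"""Added example (not the talk's or WordPress's own code): disable the
dashboard file editor in wp-config.php and audit/fix 755/644 permissions.
"""
import os
import re
import stat
import tempfile

DISALLOW_LINE = "define('DISALLOW_FILE_EDIT', true);"
STOP_MARKER = "That's all, stop editing"
_ALREADY_SET = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]")

# Constructed stand-in for a wp-config.php; only the parts that matter here.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""


def add_disallow_file_edit(config_text: str) -> str:
    """Return the config text with the Editor menu disabled.

    The define goes just above the stop-editing comment, never after it,
    because wp-settings.php is loaded at the very end of the file and
    anything placed below the marker runs too late.
    """
    if _ALREADY_SET.search(config_text):
        return config_text  # idempotent: do not add it twice
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if STOP_MARKER in line:
            lines.insert(i, DISALLOW_LINE + "\n\n")
            return "".join(lines)
    raise ValueError("stop-editing marker not found; edit wp-config.php by hand")


def decode_mode(mode: int) -> str:
    """Render an octal mode such as 0o644 as rw-r--r-- (user, group, others)."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def audit_permissions(root: str, dir_mode: int = 0o755, file_mode: int = 0o644,
                      fix: bool = False) -> list:
    """List (path, actual_mode) for every folder/file not at 755/644.

    Symlinks are skipped (their target's mode is what matters). With
    fix=True each finding is chmod'ed to the recommended mode.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, dir_mode)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), dir_mode) for d in dirnames]
        entries += [(os.path.join(dirpath, f), file_mode) for f in filenames]
        for path, wanted in entries:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual == wanted:
                continue
            findings.append((path, actual))
            if fix:
                os.chmod(path, wanted)
    return findings


def self_check() -> tuple:
    """Constructed sample tree: a folder and a file left at 777 by an upload.

    Returns (findings before fixing, findings after fixing, rwx form of 777).
    """
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    sub = os.path.join(root, "wp-content")
    os.mkdir(sub)
    path = os.path.join(sub, "uploaded.php")
    with open(path, "w") as fh:
        fh.write("<?php\n")
    os.chmod(sub, 0o777)
    os.chmod(path, 0o777)
    before = audit_permissions(root, fix=True)
    after = audit_permissions(root)
    return (len(before), len(after), decode_mode(0o777))


if __name__ == "__main__":
    print(add_disallow_file_edit(SAMPLE_CONFIG))
    print("644 =", decode_mode(0o644), " 755 =", decode_mode(0o755))
    print("sample tree (found, remaining, 777 as rwx):", self_check())
```

To use it on a real site, read wp-config.php, pass its text through add_disallow_file_edit, write it back, and run audit_permissions on the site root first without fix=True to see what an FTP upload changed before touching anything.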
I even have this really cool graphic that I spent way too long putting together about how to unwrap what a 644 is. You know, sick, everybody's up on binary, right? You talk binary. Ones and twos and fours. Okay, zero and two and a four make a six. A zero and a zero and a four make a four. A user is anybody who's associated with my website. They can do a one, means they can do an R, which is a read, a one, which is a write. A zero means they cannot execute. The group, anybody outside of the current user can read, but they can't write or execute. Others, the public, they can read the files, but they can't write or execute. That was a real quick thing. I just, I really like the picture for some reason. I'm a developer, I'm not a designer. I'm just saying that. Okay, we're going to pull it all together here. What we've talked about are some common sense things. Don't make your website easy for hackers to get into. You have a couple of plugins we've talked about that can lock down a few things and make it a little bit harder, because what we want to do is we want to put those little speed bumps in the road so they hit a speed bump and they say, all right, I'm going on to the next one. That's all we want to do. Slow them down, move them to the next guy. Use the free tools. We talked about security plugins. We talked about backup plugins. We talked about audit trail plugins. Use them to protect your website. Take the time, try it out, and see how it's going to help you out. It's important. You've got a WordPress website. You're part of the biggest population on the internet. Take control of your website.