If you enjoyed this video don't forget to like it and subscribe! Then check out this playlist about WordPress security: th-cam.com/video/bXnDaXVtBKM/w-d-xo.html
Bjorn’s tutorials are absolutely THE BEST WordPress tutorials.
Awesome video! Absolutely the best website security overview I've seen!
Thanks to the WP core team, we have automatic updates for themes and plugins available for about 1 or two years now. I use it almost always.
Nice work!
Well detailed. Thank you.
You mention not having too many addon domains, but what's the alternative? I've only ever created extra websites this way. How do I go about creating other websites if they're not in the public_html folder as addon domains?
Excellent and to the point... I am grateful.
Thanks Robert and thanks for watching!
The brick and natural wood background looks RAD!
Thanks man! Makes for faster recording too :)
I've seen break-in attempts with an email address I have not used in 15 years.
Hey, great vid as always!
It made me think of my next planned website. Can you tell what exactly is needed, how many plugins to make a (smallish) e-commerce website secure? Like what is needed to make a website as secure as possible: SSL, Sucuri and so on. It would help a lot of viewers to ease their minds as website creation or making a website as secure as possible can be really overwhelming.
Hi Stefan, that’s a great idea for a video. To make a site as secure as possible without slowing it down too much you’ll need an SSL (which you can get through your host and some types of SSL are free), a Web Application Firewall (WAF) (Cloudflare is a good source and they offer lots of other security features), a solid automated daily backup/restore process, and a good daily malware scan. That’s a pretty solid setup.
@wplearninglab Hey, thanks for the superfast reply :) Yeah, I was searching the web and YouTube but most people only look at one aspect and don't cover the whole range. Is there any provider that offers/covers most of these things? Or would it be like Cloudflare for 1, SSL for 2, Wordfence/iThemes for 3 and then a backup provider for 4? That's a lot of different plugins/prices.
You are amazing. Thanks for the information.
I always discourage using a security plugin and handle security on server/hardware level instead. One time my client got hacked because they had a security plugin installed but forgot to update it for a while. The hacker basically had access to everything the security plugin would have access to through a vulnerability exploit.
Also, that is one ancient version of WHM/cPanel you are still using man :3
Thank you so much for this video! It opened my eyes to things I hadn't really thought about! I want to know if you can tell me about the salt keys in the config file. I know what they do basically, but I want to know exactly which files they protect and how. Do they only protect the config file or all of your files? I appreciate how you really explain things because if I don't know exactly what, why, and how, I can't seem to wrap my head around it as well. So thank you for the way you teach! I'm starting my own channel and I want to be as good a teacher as you. So I really need to know what I am talking about! :) Thanks so much!
Hi Linda,
The salts and keys protect only usernames and passwords.
When an account is created on your WP site, the salt is added to the end of the username and password that the user entered. And then the resulting string when combining the username and password and the salt is encrypted using md5 encryption and put into the database. Basically, it just makes it harder for a hacker to brute force the usernames and passwords.
As far as teaching on a channel goes, I was not great when I started. I’m better now but I still have a ways to go. The best advice I can give is get started and improve as you go.
Very informative. Thank you
I'm having a problem I don't know how to solve. All my posts are out of line. Only posts.
I've tried Yoast but it looks OK.
I don't know what to do.
Brilliant video really really interesting. NEW SUBSCRIBER!
Thanks for subbing, much appreciated! Hopefully every video I make is as interesting as this one!
@wplearninglab Your YouTube marketing is bloody awesome, your videos keep coming up in the search. Hehe :)
Haha, thanks. That's what I like to hear :)
Incredibly informative. Thank you so much!
You're welcome Kat, thanks for watching! Let me know if you have any questions :)
Good info brother. Thanks
You're welcome, thanks for watching! Let me know if you have any questions 🙂
Great video!!!!
Thanks Rodrigo and thanks for watching!
So informative.
Thanks Sepideh and thanks for watching!
Man, I love your content! Really good info.
Thanks Stuart and thanks for watching!
Thanks
Thank you!!! Such a great video!!! Exactly what I needed! I see now some of the mistakes I made in the past...
I believe that people do also make the mistake of not considering the right hosting solution because solutions like Cloudways managed WordPress hosting also provide the right security features to manage WordPress securely.
What if I add Cloudflare Access to the login page of my WordPress site? Do I still need a security plugin?
Great content, like always, thank you!🙏
You're welcome, thanks for watching! Let me know if you have any questions :)
WPLearningLab Please Answer:-
1) Please make a video comparing Wordfence, WPCerber, Sucuri from a non-techie point of view. Which one is easiest to use? Example: if there is an attack a non-techie can get clean up from a Sucuri expert, so does this really help a non-techie? Are other plugins useful for non-technical people (Cerber/Wordfence)? Because not everyone can understand whether the code is malicious or not & they may delete essential files.
Use paid plugin features for comparison if possible.
2) Will there be a problem if I use paid Sucuri + WPCerber both in 1 website? Although you might say it's not necessary.
Hi Bjorn, I have a question regarding "roles". I thought I'd raise it as you mentioned roles in the above video. I've built a site for a friend who is a retired scientist but now an artist. I've built with Elementor Pro and OceanWP. She would like to be able to add new artwork but the only option is to make her an admin. I say this because if I give her the role of an Editor then she can only change items that have already been posted and so is unable to add new artwork. Making her an admin could introduce its own complications and possibly security ones.
Hi Andy, the Author role allows people to add new posts. I'm surprised the Editor role doesn't allow it, since that role is above Author.
Must be something to do with the Elementor roles.
If the Author role doesn't work, you can try this user role customization plugin:
th-cam.com/video/ny_A9begIU0/w-d-xo.html
Let me know if any of those work for you and your friend.
@wplearninglab In the end I gave my friend admin access.
I installed the multilingual plugin.... I started setting up but then ended up uninstalling the plugin. Now when I update some plugins (like Yoast) it shows the update for the other languages. Can you tell me how I can purge the languages that were installed with the multilingual plugin? Thanks
Yes, you're right, this is most valuable information 🙂
Yep, security is key Subin. Thanks for watching!
11 point security list not available ...
Does the cPanel login ever get targeted by hackers?
I'm sure it happens, but it's not common. Most hacking is done by bots that find the 'WordPress' footprint on sites and then try to find a login page. cPanel login pages aren't listed publicly or in search engines so bots aren't able to easily find them.
But if they could find cPanel login pages I'm sure hackers would set up bots to find them to try to crack them.
If a person is using CloudFlare service does that mean they still need a security plugin or is using CloudFlare on its own a good security measure?
Cloudflare provides a pretty good firewall and does some cool things like preventing hot-linking, but you'll need to take further security measures. Most of my own security I have done myself with code snippets. Bjorn (WPLearningLab) has some good tutorials on security plugins. I would seriously consider the following plugins ... Blackhole for Bad Bots, Block Bad Queries (BBQ), Limit Login Attempts Reloaded and SF Move Login.
I second +Vintage Heavy Metal. Cloudflare's security is primarily their firewall. They have lots of other features that are great, but they're not for security.
On all sites I have Cloudflare or another firewall (like Sucuri), a security plugin like iThemes or Wordfence, the 4 plugins VHM listed, and lots of code snippets like you'll find in the WP Security Lockdown course you have.
I hope that helps :) Let me know if you have any further questions. Thanks for watching!
@wplearninglab How do you charge clients for all security inclusions? Do you quote for hosting and have all these included in that quote as part of their hosting package?
Hi Andy,
That is how I do it. I call it 'secured managed hosting'. But I also say that their site could be hacked, and if it is I charge $200 to $500 to clean it up.
I hope that helps and let me know if you have any further questions!
Good stuff!
Thanks Paul and thanks for watching!
Threat: HTML/Scrinject.B trojan... This is the error NOD32 shows me, and it blocks the pages when I try to open 2 URLs of my site which are shown in Google search results. I scan the host but nothing is found. I'd really thank you if you can help me with that.
Can you list the secure host? 0:47
Hey can you help me with an issue with the WP Hide plugin? Can I email you?
You can email me, but it's not the best way of communicating at the moment. I've been in a serious time crunch and I haven't logged into my email account in 2 weeks 😬
Oh the add-on domain names are a threat? If one gets hacked then the virus script is on the server and hack all the websites on the server! Importance of the Hosting company. Thank you for the lesson!
I have never had problems with any of my addon domains!
Our website got hacked because of the security plugin ^^
Bro, use Cloudways.
Here's a PowerShell script if you want to create a password locally on your computer: github.com/victor405/powershell/blob/master/New-ComplexPassword.ps1
"The video sound is quite good, beyond what I imagined,"
Mate - your .htaccess file is not secure. WHY? Simple - why do you save your ZIP files in a location anyone can download and ALSO, why demo your main website contents on YouTube for all to see said files? I would show you the contents in the .htaccess file to prove the point but am reluctant to do so on YouTube. Be warned, amigo. Might as well ADD this mistake by you as number 11 on your list of common security mistakes.