did you know that almost half a billion websites are run on wordpress that’s estimated to be about 35 of the internet and since you’re watching this video my guess is that you use wordpress as well welcome to the club which is apparently a very big club while their strength in numbers the way that wordpress allows users to customize and add plugins also adds a lot of security issues so what are the most important things you can do today to secure your wordpress website well there are plenty to choose from but i’m boiling it down to these settings every wordpress install needs no matter how big or small [Music] hey thanks for joining me on another all things secured video my name is josh and my goal here is to explain where your website might be vulnerable i realize that most of us don’t have the ability to hire a full-time web developer so we end up piecing together a website that looks good on the front end but often has plenty of vulnerabilities we’re sometimes not even aware of on the back end i’m going to walk us through each of these changes i’m going to describe most of which are completely free all right enough of the chit chat let’s get started now before we get too deep in the weeds let’s start with the most hackable part of any website the login page in my opinion there are four things you need to do to lock up this part of your website remove admin as a login option create a stronger login password limit login attempts and most importantly move your login page to a custom url let’s look at each of these individually first in some cases a wordpress install automatically creates a default user named admin this makes an easy target for hackers and just isn’t a good best practice in general unfortunately getting rid of an admin user isn’t always intuitive and depends a lot on the host you use if i were you i would create another user under a different name and email address and then give that an administrator role when you log in with that new admin user try to delete the old one and transfer everything over to the new one while you’re at it make sure you create a strong password for any administrative user you can use the tool shown here or mentioned in the description to test whether your password is strong enough the two file changes can be made with the use of two recommended wordpress plugins wps hide login and wps limit login the hide login plugin allows you to change the login url while the limit login does exactly what it sounds like it limits how many times a user can try to log in with an incorrect password both of these tools are meant to mitigate the risk of brute force attacks that can your website links to these free plugins are in the description below as is pretty much everything else okay next we’re going to move into changes you can make within the wordpress backend to make your site more secure let’s start with an easy one unused plugins and themes even if they’re not active these files can still have security bugs that can be exploited and can even hurt your site’s performance remember you can always reinstall these plugins and themes later so just go through for a few minutes and delete the ones that are inactive next i recommend you go through all your current plugins and check when they were last updated you can do that by clicking the view details under the plugins page which will show you when it was last updated personally i don’t want to keep a plugin that isn’t updated at least once every six months but for most people i’d say that even if it’s been more than a year you should start looking for a way to replace that plugin finally it’s worth taking a moment to double check the users you have on your site you know sometimes we create user profiles for other authors team members or for customer support and if you’re like me you don’t always remember to delete unused profiles so go ahead and do that right now that is a security risk finally i want to touch on a few preventative measures you can take to lay a stronger foundation for your website both now and in the future the first is simple keep your plugins and core wordpress install updated to the latest version the problem a lot of people run into here is that they’ve had a bad experience with an update breaking their website i get it it’s happened to me too but there’s a reason that these updates happen and a lot of times it has to do with patching up security bugs that they find some hosting companies allow you to create a staging site which is basically a clone of your current website where you can test the updates and then if that works push them to live other hosts and agencies offer a plug-in updating service where they do all this for you for a fee whatever you choose try your best to keep everything updated and while we’re on the subject of website hosting it’s worth pointing out that as you grow this is not an expense worth skimping on paying five dollars a month for hosting is fine if you get 10 visitors a day but if you’re getting any significant amount of traffic you should really consider upgrading to what’s known as managed wordpress hosting this kind of hosting has a number of benefits that usually include daily backups firewall protection managed updates with new php versions ssl certificates forced https etc etc instead of spending money on a security plug-in like sakuri which is really popular among affiliate marketers if you’ve been doing your research online you really ought to take and invest that money into better hosting i recommend something like wp engine flywheel siteground although there are plenty of other good ones out there if you’ve made it this far congratulations i hope you’re walking away with some actionable changes that you can make to secure your wordpress install if you have any questions leave them in the comments i promise i’ll do my best to respond if this video was helpful give it a thumbs up and subscribe for more security related content on all things secured
