WordPress Security – The Circle of 5 – Tutorial 2020

Aug 22, 2020 | Security

Your WordPress security is very important. In this video you will learn about the Circle of 5 that will keep you safe! It will teach you the context of securing your website.

Start here
I want you to succeed with your website, so let's get started.

0:00 WordPress Security – The Circle of 5 – Intro
1:37 Why hack your website?
2:27 Hack reason #1
2:40 Hack reason #2
2:55 Hack reason #3
3:05 Hack reason #4
3:16 Hack reason #5

3:38 #1 Circle of 5
Password manager ➡ https://wpressdoctor.com/passwordmana…

6:02 #2 Circle of 5
#3 Circle of 5

12:24 #4 Circle of 5
13:28 #5 Circle of 5

15:27 If you have been hacked
Word from the Doctor – Outro

✅For tips and tricks on getting the most out of WordPress, don’t forget to subscribe: https://wpressdoctor.com/sub


You wake up one day and all is good. The sun is shining, the birds are singing, you feel great. But then you open up your website. And then you see this and this and this. Oh no, you got emails from customers. And on top of that, you are sending spam emails – 600 per minute. WHAT IS GOING ON!? My friend, your website has been hacked. Could you have prevented it? Yes, you could have prevented it. And I will show you in this video how you could have done that. This is the WordPress Security – ‘Circle of five’.

In this video, you will learn how to stay safe. I will teach you – very practically – WordPress security and what you can do to keep yourself safe. And I will also tell you at the end of this video what you can do if you have already been hacked. This video should be watched before you install any security plugins, so you have the right context and know what you are doing. Because your website security is totally dependent on the ‘Circle of five’. The weakest link determines your entire security, so make sure you watch the whole video to stay safe from those CRIMINALS. Why can I help you? Because I have my national hosting company, and my web development agency. So I have the responsibility for a lot of traffic, a lot of websites and a lot of clients. So, I do know what it takes to keep you safe.

Okay, first of all, why would anyone with a normal brain try to hack your WordPress website? You don’t have credit card information, you don’t have any Bitcoin stored, and you certainly don’t have a lot of customer information on your website! Oh well, maybe you do because you have a webshop… Well let me assure you, it is nothing personal. Most hacks are just fully automated scripts that go through the internet every single day, trying to sniff out if your website could be easily hacked. Then they send a signal to the hacker, who tries to manually hack you, or if you have a front gate wide open, they would just walk in, change your pages or posts or whatever. Now why would they do this? Simple, the top reasons to breach your WordPress website are these:

The first one is of course: for the money. They redirect visitors to phishing websites or fake webshops, so they could spend their money, and then the hacker would steal it. The second one is they wanna spread malware using your WordPress website. So now they can add these visitors’ computers to their botnet, and they can rent it out to the highest bidder to do, for example, DDoS attacks. The third reason is: they can use your website for blackhat SEO, they will enter links in your website, so their websites get pushed up higher in the search engines. The fourth one is activism, they just want to spread a religious message – most of the time – or a political message and put it on your website. And the fifth reason is just for fun and practice, because it gives the hacker a feeling of importance if they breach your website. Whatever the reason is, these are still CRIMINALS. And we need to harden our websites, harden our stuff before they hack you and you have to fix it all. Now let’s start with the ‘Circle of five’ to keep your website safe and secure.

Okay, the first one in the ‘Circle of five’ is your passwords. If you use the same passwords for your WordPress as for anything else, change them ASAP. Now these passwords are VITAL and need to be very, very strong. I’m talking about your WordPress admin login, your FTP login, your hosting login and your database login. If I can get my hands on one of these login credentials, I can hack your system and completely take control of your entire WordPress website. Now what exactly is a strong password? A good question, I’m glad you’re asking me. Just let it be auto-suggested by a password manager. Those things are created to keep your passwords safe and are pretty close to unhackable. They use military grade encryption. So, you should be safe by using those things. I use a very popular one. There is a link in the description if you’re still looking for a password program. Don’t write your passwords down, don’t email them to yourself, don’t WhatsApp them to anyone, don’t text them to anyone, just keep them in your password system. If you want to check if your password comes forward in a list of hacked websites, hacked logins from years ago up to now, you can go to this URL: haveibeenpwned.com. Here you can check your password in a known list of leaks from years ago till now. If you are in doubt how secure your password is, you can go to this website: howsecureismypassword.net, and you can type in your password and it will calculate how much time it would take for a brute force attack to guess your password. Now one thing I can’t stress enough, I always tell my clients, and I still see them doing it: they are giving their passwords and login credentials to someone else to change just one thing on their website. Please never ever do that. Just make a new user, give him a new username, with a new password and after he’s done, just delete the entire user. That is the safest way. Please, never, ever give your admin privileges, give your password to someone else.

Alright, the second in the ‘Circle of five’ is the hosting. I have seen many clients who just got unlucky. Really, their security was okay – it wasn’t perfect – but it was okay, but they got hacked, because someone else on their shared server got hacked. Now, that is a hosting mistake that you could never do anything about. Because they have created their website, their shared server in such a way that it is easy for a hacker to just jump from user, to user, to user. So, it’s not your fault. But what you can do, is you could switch to a hosting company that does it in the right way. Now, I have my own national hosting company but no, I don’t host any websites I don’t know, I only host my own websites that I created for my clients. But if you’re still looking for a solid hosting company, there is a link in the description. You won’t pay any more if you follow this link, but I’ll receive a small commission, thank you in advance.

Alright. The third one is WordPress itself. Now, WordPress itself is the most used content management system in the entire world. That’s why WordPress is a target for hackers. Now if another system was the world’s most popular CMS, then that would be targeted the most by hackers, but it is WordPress, simply because it’s such a valuable and awesome system. Now the standard WordPress security is pretty okay. There are a few vulnerabilities and I will tell you them. The first one is using /wp-admin/ to log into your website. It is the world’s most known URL to log in to a WordPress website, you should change that. If you don’t know how you should do that, hold on. Don’t go install any plugins or anything, wait till the end of the video and I will show you how you can do it by using the best plugin in the world. We should change this URL to something only you would know. The second one is that WordPress does not limit your login attempts. So if you have all the time in the world, or you could just let a computer try out usernames and passwords, they could just hack your website if your password is not fully secured and if you didn’t limit the login attempts. This is called a brute force attack, and they could easily do that by guessing 500 passwords in 24 hours. They have the time, and you have the time to be hacked because your website needs to be online, every single day. The third one is: there is a system in place in WordPress called xmlrpc.php which is used for example to put content online using other third party services, or your mobile phone for example. Now, that is a very handy thing, but in the last few years it’s become more of a curse than a blessing. So, we should definitely restrict access to that file as hackers try to gain access to your website using this simple way. We should disable this, or disable it temporarily if you don’t need it and activate it when you do need it. For example, I have a few webshops of my own.
And if I want to sync all my orders and invoices with my accountancy company, then I have to turn this function on, and then they can hook into that function. They can download all the invoices and information of my webshop, so I can pay my taxes. But after the download I disable the function, because it is just too vulnerable. Another problem with WordPress itself is that people tend to use nulled and free themes. If you have – for example – a free version of Divi, a free version of Elementor Pro, or a free version of – I don’t know – WP Bakery. Please, shame on you! You should definitely buy the original one because now you have a big problem. You have probably bought it from a company which says: “Well just pay once and you get 500 premium themes and plugins just for free in this offer”. Nothing is for free my friend, they have surely added code somewhere that gives hackers access to your website. Even if you’ve downloaded just one from a torrent website or anything, stop it, delete it straight away! Go to the original owner/developers and please buy it! If you like it, buy it! This way you support the developers, and you are keeping yourself safe, because most of those themes have scripts injected into them so they can just push a button, and your website will be transferred to their ownership. Please never ever use nulled or free premium themes. There’s no such thing as free. The other one is, of course, update your WordPress plugins and themes. It’s the most common reason why WordPress websites are being hacked, because people just don’t update them. If you have a good hosting company, then your plugins and your themes will be updated automatically. If they don’t, you should do it manually. Don’t forget! Because it is very important, and never ever leave an outdated plugin in your WordPress website.
There have been a lot of times in the past where theme owners and plugin owners just push out security updates because they are vulnerable. They didn’t do that on purpose, but someone discovered a method they can use to hack your website. Please update it all the time, very important! To do these final things we have just discussed, we are going to use a security plugin to secure your website. Not in this video but in another video, I will show you at the end which plugin it is. And no, it is not Wordfence, because I am not so enthusiastic about Wordfence. They are just skipping a few steps that I think are way too important. And they lack a few features also.
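
To see whether the brute force and xmlrpc.php attempts described above are already hitting your site, you can count POST requests per client in your web server's access log. This is an added example, not part of the video and not the code of any plugin: it assumes the Apache/nginx "combined" log format and the default /wp-login.php and /xmlrpc.php paths; the function names, threshold and time window are assumptions, and the log lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format is assumed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
WATCHED = ("/wp-login.php", "/xmlrpc.php")  # default login form and XML-RPC endpoint

def parse(line):
    """Return (ip, timestamp, method, path without query string) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def flag_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map (ip, path) -> peak POST count for clients that reach `threshold`
    POSTs to a watched path inside any sliding `window` (both are assumptions)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED:
            hits[(rec[0], rec[3])].append(rec[1])
    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1  # drop requests that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def _line(ip, clock, method, path):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [22/Aug/2020:{clock} +0000] "{method} {path} HTTP/1.1" '
            '200 512 "-" "constructed-agent"')

SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php") for s in range(0, 60, 10)]
    + [_line("198.51.100.23", f"10:0{m}:00", "POST", "/xmlrpc.php") for m in range(5)]
    + [_line("192.0.2.10", "10:00:05", "POST", "/wp-login.php"),
       _line("192.0.2.10", "11:30:00", "GET", "/wp-login.php?action=lostpassword")]
)

if __name__ == "__main__":
    for (ip, path), peak in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} sent {peak} POSTs to {path} within 5 minutes")
```

A slow attack like the 500 guesses in 24 hours mentioned above stays under a 5-minute window, so also run it with a longer one, for example `window=timedelta(hours=24)` and a higher threshold.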

So if you have learned anything new today, hit that like button so I know we are on the right track. Alright let’s continue.
We are at the fourth in the ‘Circle of five’. The fourth one is your own PC. Because if someone can just watch you logging into your WordPress website, then you are lost my friend. Then there is no use in securing your website at all. So your computers are most important because if your computer is infected with malware, or some kind of a virus, then your website will be compromised in the upcoming days. In the past years I’ve used a lot of different antivirus solutions, but I was not so enthusiastic about McAfee or Norton, because they just slowed down my system – and I have a pretty powerful system – and they lack a couple of features. Now I have put a link in the description if you’re still looking for an antivirus solution that could really help you out. It stops connections with malware, even before you download it on your PC. It’s pretty amazing. It has saved me a lot of pain in the last few years.

Alright so the last one in the ‘Circle of five’ is your connection. We live in an age where your WiFi can be spoofed, hacked, or even imitated by someone in your backyard with a strong enough transmitter, so it can relay all the data being transferred between you and the modem of your home. Now I’m not being paranoid, but we live in an age where this is fairly easy to do if you know what you’re doing. And you say, “Well, I’m not a target, I only have one WordPress website”. Yes you do. But as WordPress websites keep on getting harder to hack, people will use more advanced technologies, just for fun or to really do some damage to your business. Now it’s pretty easy, what you need my friend is a VPN connection. Now, if you do not have a VPN connection or you don’t know what it is, it’s very easy: when you are connected to the internet it creates a highly encrypted tunnel that you could use to send your data through that tunnel and back. There is no way people can look in your tunnel. You even get another IP address so it looks like you’re from another country or another city in your country, so that they can’t track you, they can’t see who you are, they can’t see where you’re from, and you are entirely safe. If you are still looking for a VPN solution, again, in the description of this video there’s a link for a VPN solution I use on all of my devices. On my smartphone, on my laptops, on my computers, I have this VPN solution because it is very cheap but it works really fast, it’s 100% reliable – I never had any problems with them – and it works, installing is a breeze. It’s very easy, even on your smartphone. It is easy because they have a very good app.

Alright, those are the ‘Circle of five’ things you need to change in your life to be very safe. Now, if you’ve already been hacked, and you are too late, just learn from your mistakes, call your hosting company and ask them to restore a backup of your website so you’ll be up and running in no time. And please apply all those things we talked about in the ‘Circle of five’. If you don’t have any working backups or they’re all crumbled and infected with malware or with a hacked version, then send your website over to me and I will try to fix it and make a video about it. I’ve done it several times, never made a video yet. So, if you have one, send it to me and I’ll be glad to fix it and make a video about it. So, the next step is to install a security plugin: this one. So, you can be very safe. If you already installed this one and your settings are okay, then you should watch my SEO tutorial because your website deserves to be found. I wish you an awesome day!