Podcast Episode

278 – Securing Your WordPress Site – Easy Fixes

Announcements

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Publish to Apple News enables your WordPress blog content to be published to your Apple News channel.

Securing Your WordPress Site – Easy Fixes

Backup your site

Backups won’t stop your site from getting hacked, but they are absolutely mandatory to have in case it does get attacked!

Backups are invaluable. If you have a recent backup of your site then you will be able to restore it back to a previous version if something bad happens.

Invest in your web host

I have had my server infected by malicious code while running on a cheap $5 / month hosting plan. My site, my domain, and my WordPress were not even involved in the breach. It’s the server itself that got hacked.

Always go for the best web hosting service that you can afford.

I highly recommend using Flywheel.

Secure Administrator account

Whatever you do, please don’t use an obvious login/username for your main Administrator account, like “admin” for example.

This is waaaaay too easy to guess. Instead, go with something fun, like “master-in-command”.

Usernames in WordPress can’t be changed once they’re set during install, so here’s what you do:

Create a new user account in Users > Add New. Assign it to the Administrator role.

Delete your original Administrator account (also in Users).

Make an Editor account your default account

Using your main Administrator account for editing/publishing work (or when working with content in general) can be risky, especially if you’re on public Wi-Fi at a cafe or somewhere similar.

Instead, create an Editor account for all content work you do. Again, make the login non-obvious. Do this in the Users section of your dashboard.
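The two account steps above (replace the “admin” Administrator with a non-obvious login, then add a separate Editor account for everyday work) as one WP-CLI script. This is an added example, not code from the episode or from WordPress itself; the logins, e-mail addresses and the `ywe_` function name are placeholders, and it assumes a single (non-multisite) install run with `wp eval-file`.

```php
<?php
/**
 * Added example: one-off account clean-up, run from the site root with
 *   wp eval-file replace-admin.php
 * Creates a new Administrator with a non-obvious login, hands the old
 * "admin" account's content to it, deletes "admin", and creates an Editor
 * account for day-to-day publishing.
 */

// wp_delete_user() lives in an admin include that is not loaded on the CLI.
require_once ABSPATH . 'wp-admin/includes/user.php';

const OLD_ADMIN_LOGIN  = 'admin';               // the obvious login being retired
const NEW_ADMIN_LOGIN  = 'master-in-command';   // placeholder: pick your own
const NEW_EDITOR_LOGIN = 'content-desk';        // placeholder: pick your own
const NEW_ADMIN_EMAIL  = 'owner@example.com';   // placeholder (must not be in use)
const NEW_EDITOR_EMAIL = 'editor@example.com';  // placeholder (must not be in use)

function ywe_create_user( string $login, string $email, string $role ): WP_User {
    if ( username_exists( $login ) ) {
        WP_CLI::error( "User '$login' already exists; choose another login." );
    }
    if ( email_exists( $email ) ) {
        WP_CLI::error( "E-mail '$email' is already in use by another account." );
    }
    $password = wp_generate_password( 24, true, true ); // long random password
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        WP_CLI::error( $user_id->get_error_message() );
    }
    WP_CLI::log( "Created $role '$login' (ID $user_id). Password: $password" );
    return get_user_by( 'id', $user_id );
}

$old_admin = get_user_by( 'login', OLD_ADMIN_LOGIN );
if ( ! $old_admin ) {
    WP_CLI::error( "No user named '" . OLD_ADMIN_LOGIN . "' found; nothing to replace." );
}

$new_admin = ywe_create_user( NEW_ADMIN_LOGIN, NEW_ADMIN_EMAIL, 'administrator' );

// Deleting a user without reassigning would also delete every post it owns,
// so hand the old account's content to the new Administrator first.
if ( ! wp_delete_user( $old_admin->ID, $new_admin->ID ) ) {
    WP_CLI::error( 'Could not delete the old Administrator account.' );
}
WP_CLI::log( "Deleted '" . OLD_ADMIN_LOGIN . "' (was ID {$old_admin->ID});"
           . " its content now belongs to ID {$new_admin->ID}." );

// The Editor account for everyday writing: it can publish and moderate,
// but cannot install plugins or switch themes if its password ever leaks.
ywe_create_user( NEW_EDITOR_LOGIN, NEW_EDITOR_EMAIL, 'editor' );
```

Log in with the new Administrator once before running anything else, and store the generated passwords in a password manager.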

Strengthen WordPress passwords

Please don’t use passwords that are easy to guess, such as the most commonly used passwords or anything that’s a combination of common words (e.g. JohnSmith1).

Additionally, require everyone else who has access to your site to do the same.
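One way to enforce the rule above for every user rather than relying on them: a small must-use plugin that rejects weak passwords on the profile, Add New User and password-reset screens. This is an added example, not code from the episode; the `ywe_` names, the 12-character minimum and the short denylist are assumptions you would tune.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Drop this file into wp-content/mu-plugins/ so it is always active.
 * Rejects weak passwords wherever a user chooses one: the profile screen,
 * the Add New User screen, and the lost-password reset form.
 */

const YWE_MIN_PASSWORD_LENGTH = 12;
// Constructed denylist of the kind of passwords mentioned above;
// in practice load a much longer list from a file.
const YWE_BANNED_PASSWORDS = array( 'password', '123456', 'qwerty', 'letmein', 'welcome' );

/**
 * Returns an error message if the password is weak, or '' if it passes.
 * Rules: minimum length (which alone rejects "JohnSmith1"), a denylist
 * checked with digits/symbols stripped so "password1!" is still caught,
 * and "must not contain the username".
 */
function ywe_password_problem( string $password, string $login = '' ): string {
    if ( strlen( $password ) < YWE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', YWE_MIN_PASSWORD_LENGTH );
    }
    $lower   = strtolower( $password );
    $letters = preg_replace( '/[^a-z]/', '', $lower ); // "Password1!" -> "password"
    if ( in_array( $lower, YWE_BANNED_PASSWORDS, true ) || in_array( $letters, YWE_BANNED_PASSWORDS, true ) ) {
        return 'That password is one of the most commonly used passwords.';
    }
    $login_letters = preg_replace( '/[^a-z]/', '', strtolower( $login ) );
    if ( strlen( $login_letters ) >= 3 && strpos( $letters, $login_letters ) !== false ) {
        return 'Passwords must not contain your username.';
    }
    return '';
}

/** Profile / Add New User: $user->user_pass is only set when a new password was entered. */
function ywe_check_profile_password( WP_Error $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $problem = ywe_password_problem( $user->user_pass, $user->user_login ?? '' );
        if ( $problem !== '' ) {
            $errors->add( 'ywe_weak_password', $problem );
        }
    }
}
add_action( 'user_profile_update_errors', 'ywe_check_profile_password', 10, 3 );

/** Lost-password reset form: the new password arrives in the pass1 field. */
function ywe_check_reset_password( WP_Error $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $user instanceof WP_User ) {
        $problem = ywe_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login );
        if ( $problem !== '' ) {
            $errors->add( 'ywe_weak_password', $problem );
        }
    }
}
add_action( 'validate_password_reset', 'ywe_check_reset_password', 10, 2 );
```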

Limit your login attempts

Password guessing is a real threat. Basically, a bot, or even a human, can make multiple attempts at guessing your login/password combination until they get it right. They may not succeed in 10-20 attempts, but if you’re using a moderately complex password, then the 100,000th attempt can be successful.

Use Better WP Security to lock down your login attempts.
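To show the mechanism a login-limiting plugin relies on, here is a minimal must-use plugin that locks an IP address out after too many failed logins, using transients for the counters, and e-mails the admin on each lockout. This is an added example, not Better WP Security’s code or the episode’s; the thresholds and the `ywe_` names are assumptions, and it assumes your host does not sit behind a reverse proxy (see the `REMOTE_ADDR` comment).

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * After YWE_MAX_FAILURES failed logins from one IP within YWE_WINDOW_SECONDS,
 * that IP is refused for YWE_LOCKOUT_SECONDS and the site admin is e-mailed.
 * Counters live in transients, so no extra tables are needed.
 */
const YWE_MAX_FAILURES    = 5;
const YWE_WINDOW_SECONDS  = 5 * MINUTE_IN_SECONDS;
const YWE_LOCKOUT_SECONDS = HOUR_IN_SECONDS;

function ywe_client_ip(): string {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // X-Forwarded-For is caller-controlled unless a proxy you trust rewrites it,
    // so trusting it here would let an attacker dodge the lockout.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient names for the failure counter and the lock flag of one IP. */
function ywe_keys( string $ip ): array {
    $hash = md5( $ip ); // keeps the transient name short and free of odd characters
    return array( 'ywe_fail_' . $hash, 'ywe_lock_' . $hash );
}

function ywe_is_locked( string $ip ): bool {
    list( , $lock_key ) = ywe_keys( $ip );
    return (bool) get_transient( $lock_key );
}

/** Count a failure; lock the IP and notify the admin when the threshold is reached. */
function ywe_record_failure( $username ) {
    $ip = ywe_client_ip();
    if ( ywe_is_locked( $ip ) ) {
        return; // already locked: do not extend the lock or send more e-mail
    }
    list( $fail_key, $lock_key ) = ywe_keys( $ip );
    $failures = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $failures, YWE_WINDOW_SECONDS );
    if ( $failures >= YWE_MAX_FAILURES ) {
        set_transient( $lock_key, time(), YWE_LOCKOUT_SECONDS );
        delete_transient( $fail_key );
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout for %s', get_bloginfo( 'name' ), $ip ),
            sprintf( "IP %s was locked out for %d minutes after %d failed logins (last username tried: %s).",
                $ip, YWE_LOCKOUT_SECONDS / 60, $failures, sanitize_user( (string) $username ) )
        );
    }
}
add_action( 'wp_login_failed', 'ywe_record_failure' );

/** Runs after the core credential checks (priority 20): a locked IP is refused even with the right password. */
function ywe_block_locked_ip( $user, $username, $password ) {
    if ( ywe_is_locked( ywe_client_ip() ) ) {
        return new WP_Error( 'ywe_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ywe_block_locked_ip', 30, 3 );

/** A successful login clears the failure counter for that IP. */
add_action( 'wp_login', function () {
    list( $fail_key ) = ywe_keys( ywe_client_ip() );
    delete_transient( $fail_key );
} );
```

Transients use the object cache when one is configured, so on a host with a shared cache the lock is consistent across all PHP workers.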

Protect your computer

Apart from making your site itself secure, you also need to take care of the computers you’re using to access the site.

There are all kinds of viruses out there, from simple key loggers that record your keystrokes and then try to reconstruct your login and password, to FTP-based bots that look for open FTP connections and upload a malicious file straight to your server.

Take care of your computer. Use good antivirus software.

Keep WordPress updated

Updating WordPress is one of those things that everyone knows they need to be doing, but we still somehow end up forgetting about it. So let me tell you why it is, indeed, crucial.

A detailed change log goes alongside every new release of WordPress. In that change log, every bug that’s been fixed is listed. In other words, it’s a manual for hackers who want to target older versions of WordPress.

Keep plugins updated

When it comes to updates, it’s not only WordPress itself that needs to be kept up to date. The same thing goes for the plugins you’re using.

And the consequences can be quite serious if you neglect this.

Always update your plugins as soon as a notification pops up. You just don’t know when a new vulnerability gets discovered and then fixed by a subsequent update.

If you miss the mark, you might give the bad guys enough time to successfully attack your site.
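The practical way not to “miss the mark” on core and plugin updates is to let WordPress apply them itself and to get told about anything still waiting. The must-use plugin below does both; it is an added example, not code from the episode. The `ywe_` names and the daily schedule are assumptions; the filters and transients it uses are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Keep Everything Updated (added example)
 * Turns on automatic updates for core, plugins and themes, and once a day
 * e-mails the admin a list of anything still waiting for an update
 * (for example a plugin a host or another plugin has excluded from auto-updating).
 */

// Let WordPress apply core (including major releases), plugin and theme updates itself.
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Builds a plain-text list of pending plugin/theme updates from the data
 * WordPress already keeps in its update transients. Returns '' when current.
 * Plugin entries are objects and theme entries are arrays, hence the cast.
 */
function ywe_pending_updates_report(): string {
    $lines   = array();
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $info    = (object) $info;
            $lines[] = sprintf( 'plugin %s -> %s', $file, $info->new_version );
        }
    }
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $info    = (object) $info;
            $lines[] = sprintf( 'theme %s -> %s', $slug, $info->new_version );
        }
    }
    return implode( "\n", $lines );
}

/** Daily job: refresh the update data, then mail the admin if anything is pending. */
function ywe_send_update_digest() {
    wp_update_plugins(); // ask WordPress.org for fresh data so the list is not stale
    wp_update_themes();
    $report = ywe_pending_updates_report();
    if ( $report === '' ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] Updates waiting to be applied', get_bloginfo( 'name' ) ),
        "These updates have not been applied yet:\n\n" . $report
    );
}
add_action( 'ywe_update_digest', 'ywe_send_update_digest' );

// Schedule the job once; WP-Cron fires it on the first page load after it is due.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'ywe_update_digest' ) ) {
        wp_schedule_event( time(), 'daily', 'ywe_update_digest' );
    }
} );
```

Automatic updates still need a test site or a recent backup behind them, since an update that breaks the site is restored from the backup described at the top of the notes.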

Download plugins/themes from known sources

Accidental vulnerabilities, let’s call them that, aren’t the only thing that can affect your site. There are also intentional vulnerabilities.

For instance, if you get a plugin from a shady source, it might contain code designed specifically to compromise your site. In that case, by installing the plugin, it’s you who’s effectively hacking your own site.

The same thing goes for themes.

How do you find quality plugins and themes?

The first places to go are the official theme and plugin directories at WordPress.org. The downloads there don’t feature deliberately dangerous code.

When it comes to premium themes and plugins, you need to go by the seller’s reputation. ThemeForest and CodeCanyon are generally safe due to the lengthy and thorough review process for each new theme and plugin submitted there.

Thank You!

Thank you to those who use my affiliate links. As you know, I make a small commission when someone uses my link, and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Call To Action

Take 15 minutes this week and make sure you are doing each of the 10 items mentioned in this week’s show.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today's episode we are going to talk about ten different ways that we can help to secure our WordPress website right here on Your Website Engineer Podcast Episode No. 278.

Hello, everybody. Welcome back to another episode of Your Website Engineer Podcast. My name is Dustin Hartzler, and today, we will be talking about WordPress. What else would we talk about on a WordPress website or a WordPress podcast? Now today we're going to be talking about different ways, ten ways specifically on how we can secure our website, and this is going to be the first of a three-part series. We are going to be kind of diving into this in the springtime season. In the United States here sometimes we talk about, on this show in the spring, we talk about spring cleaning your website and doing a bunch of other things to help to clean up your website and make it run faster and things like that.

This year, and this time of year, for the next three weeks, we're going to be talking about how we can secure our website. And so this week we're going to talk about the easy steps. There's ten easy ways that we can really up our game when it comes to keeping our site secure. Then next week we'll talk a little bit more about more intermediate changes, things that are just a little bit tougher. And then the last week, we'll go all pro on you, and we will make sure that we are doing some of the most intense things that we can do to help secure our WordPress website. In the announcement section today, I do have one small announcement, and it is for WordPress 4.5 release candidate.

This is Release Candidate No. 1. There's normally a couple of release candidates before we see that new, bright and shiny version of WordPress, and it looks like that they are ready to go. Basically release candidate means that they're not going to add any more features. WordPress is pretty much ready, all set to go, and they're just waiting to see if they find any more bugs. Now they've fixed 49 things since the last version that came out, and they're all set to ship on Tuesday, April 12. Of course, they're saying that it's going to ship in a day that I am out of town, and so it never fails. It seems like I'm always traveling when WordPress releases their newest version.

So April 12, WordPress 4.5 is getting ready to ship, and so I highly recommend just giving this a whirl, testing it out to make sure your site – maybe you can update your development site to the release candidate version, see if everything works perfectly, if there's any plugins or things like that. That way you know on release day you're ready to update to the latest version of WordPress. If you want to read all about it, I have a link in the show notes for this episode that you can go in and check it out. Alright, in the is there a plugin for that section, I always like to highlight strange and unique plugins, or ones that you may never have a use for or maybe you've never heard.

And this one today is something called Publish to Apple News. And this will enable your WordPress blog content to be published directly to your Apple news channel. So if you set up an Apple news channel for maybe your business, you're keeping people updated within the Apple News section of iPhones and iPads, then this plugin is for you. It's got more than 800 installs. It's a very new plugin, but it basically gives you the ability to convert your WordPress content into Apple news formatted content. And it basically just does everything for you.

So if you have an Apple news app, I guess, or if you are publishing your content to an Apple news app, then you'll definitely want to check out this to make everything automated and make it much easier to get that content to the Apple devices. So that's WordPress – or I guess that's called Publish to Apple News, and you can find that on the WordPress repository. That is a completely free plugin for you this week. Alright, let's move on into the securing your website, securing your WordPress website to be specific. And today we're going to talk about ten different ways that we can secure our website. Or these are easy ways to make sure that we are doing a good job in our front line defense against hackers.

And a lot of people think that – or they say, "Oh, my website gets ten people that visit. Or it's a very low traffic site. There's not a lot going on. Why would I worry – why would hackers want to come and hack me?" And in reality, it's not that there's actually people that are trying to hack your site in specific, but they're going out there and hacking IP addresses, and they're trying to get into one piece of the hosting puzzle, and then they can get into multiple sites. So if you're on a shared hosting environment, and one of the other sites on that same server gets hacked, like that malicious software and code, can get into the other partitions of that server.

So your site could be affected. That's why we're really always urging to make sure that we are doing a good job of keeping our site secure, because of the fact is, it's not that some person is trying to target our – we don't have targets on our back, like, oh, somebody's going to try to take down yourwebsiteengineer.com. No, they're more looking to take down any website, and they've got bots and crawlers and things that can just crawl along the Internet and find vulnerabilities and software and things that are outdated, and just kind of get in there and penetrate, and then just wreak total havoc across your website, which is – it's a really big pain to clean up a website that has been hacked.

Maybe I'll talk to you about that in an upcoming episode. But the first thing, the first point is back up your site. And this isn't a very – I guess that's not going to help you from being hacked, but this is probably the first, best thing that you could do to keep your site secure. Because backing up your site will help you in the case that something bad happens. If there's some big catastrophe that happens, then backups are going to save your bacon, if you will. They're invaluable. If you have a recent backup of your site and your site goes down because of some sort of malware on your site, it is very simple to roll back to a previous version, and then just completely wipe out all of the bad stuff that was on your server.

So back up your site. I know the one time that I did get hacked, and I didn't have a very good backup – I had one, but it wasn't the greatest. And it took me forever to scan through all the files on my server to see and remove any bits of malicious code. It's a really big pain, and I wish I would have had an updated backup, so I could automatically just roll back to a previous version. BackWPup is a free plugin that I'm going to recommend. And make sure that if you are backing up using a plugin, you're going to send that to an offsite location.

You don't want to have your main backup be on the same server as your main site because if somebody could hack into your backup, then they could get your passwords, then they could get – you know, basically open the front door and walk right in to your website. So BackWPup is one. The other one I'm going to recommend today is VaultPress, and you can find out more at vaultpress.com. And that is the product by Automattic, and that allows you to – you just basically turn it on and it backs up your site, either once a day or every time that you make a change on your website, depending on which package level that you choose for your backup solution.

So that's the first point. Back up your site. The second one, and this one's important too, is invest in your website. This is something that you want to do. You want to spend as much as you feel comfortable with, with your web host. Now you can go out there and you can buy like 99 cent per month hosting. You can get $2.00 per month hosting, and that's really not going to be the best solution. That is going to – it's just setting yourself up for a potential catastrophe. Now I pay like $30.00 per month to host yourwebsiteengineer.com, and I haven't had any big attempts of people trying to hack into my website.

And it's worth the extra assurance of, oh, okay, I don't have to worry about it. I'm using a WordPress hosted company, so the company is Flywheel, and they're all about making sure that WordPress is safe. They're doing some extra things behind the scenes to make sure that people don't hack in and they don't get into my website. So that's something that I really appreciate. The $5.00 a month plans, they're not going to do those types of things for you. Flywheel has lower priced plans. They start at $15.00 per month, and it's definitely worth the step up performance-wise.

But you also get that peace of mind that if something goes wrong, we've got WordPress people behind our backs, being able to help us out. But they can do some really awesome, quick things with the terminal to figure out what's going on and how they can easily clean up some of the malicious code, if that ever happens. So the second point is secure your website by investing in your web host. And the next point is secure your administrator account. So you want to make sure that you're not using an administrator account with the name admin. For example, you want to call yourself whatever you want to call.

You know, you can call yourself master and commander – I wish I could think of something funny off the top of my head, but you know, master WP or Dustin is a WordPress genius – whatever that is. Like you can pick something that's not admin. So the only problem is if you've already picked something that's super easy, you know, you also don't want to be like, if your website is Your Website Engineer, you probably don't want the username of Your Website Engineer as the username. So that's something else to think about. But if you've already created this, the only way to rename the name administrator account is to create another one.

And then once you've created that new one, then you log out, and then log back in with the new account, and then delete the old account. And that also gives the ability to make sure that the main user account does not have a user account I.D. as No. 1 – because that's another thing that people look at, and they can do some crazy stuff if they know what number in the database the admin record is. So that's something that I recommend as well. So secure your admin account.

Another thing that you can do – and this is extremely important if you are doing a lot of things on a Wi-Fi network, you want to make your main account that you log into your website an editor account. And this makes – I mean if you're doing just mainly publishing and moderating comments and things like that, especially if you're doing this at a coffee shop or if you're out and about, you want to make sure that you are in this type of account because if somebody would be able to be sitting in the same coffee shop and they're watching and they're what they call sniffing for passwords and things, they may see your username and password come across that Internet Wi-Fi, but they're not going to be able to get into your system to do any damage.

They could add posts and stuff like that, but they're not going to be able to get in there and deactivate plugins or turn things off or delete themes or things along those lines. So make an editor account your default account is a really good idea, especially when you are working out and about. The next one is, Tip No. 5 is strengthen your WordPress passports – or passports – passwords – we want to strengthen our WordPress passwords. We want to make sure that they're not simple, or they're complex. If you have a simple password, you can just go in, when you're logged in to your WordPress dashboard, go to the user section, into my account, and you can go in and you can change and set a new password.

You also can turn on the ability for people to set a secure password or a strong password. This is extremely important, especially when you are allowing people to create an account maybe when they purchase something with WooThemes or WooCommerce. You want to be able to – you want them to have strong passwords, and you can set that up as the default setting, as strong passwords as default. So that's something to think about as well. Another plugin that I recommend, or another thing that I recommend is limit your login attempts, and password guessing is a real threat.

Basically a bot or a human, eventually they can get to a password. It may take hundreds of years, but they may absolutely get to it. And with all of those password tries, you know, even if it's a bot that's coming to your page and it's trying a username, password, enter, no good. Username, password, enter, no good. You know, it's going over and over and over again. That's taking CPU resources from your website, which may decrease the performance on the front end that people are actually visiting and seeing your website. So that's something to think about.

There's a couple of plugins that can do this. The one that I recommend is called Better WP Security. And this allows you to set a threshold or a total amount of how many times somebody can try a username and password, and if it fails, then you want to lock them out, lock that IP address out from trying for another 15 minutes or an hour or whatever that looks like. So this is something that I think I have set up on my website, so if they tried more than five times in a five-minute period of time, or I don't know what that threshold is, but if they try more than five times and have forgotten, then they get locked out for an hour.

And it sends me an email and says so and so has been locked out. Or this username has been locked out or whatever. And so I can see those attempts, and I get those emails probably every other day, if not every single day, that just notify me that somebody's trying to get into my site, and that just makes me feel a little bit more secure. Some people are like, "Why do you want to get those emails?" I say, "Well, I enjoy learning that Better WP Security is keeping people out of my website." And so that's something that you can look at.

There's another called Limit Login Attempts, I think, but that one hasn't been updated in almost two years, and so I like WP Security because it's got a lot more other features that we'll talk about in upcoming weeks and upcoming shows, on things that we can do to secure our website. Another thing that we want to do, and this one may not be as obvious, but one thing is protect your computer. So besides making your site secure, you want to make sure that your computer is being secure as well, especially the computer that accesses your website.

There's a lot of crazy things that can be installed on your computer that could potentially give away your hidden credentials for your website. There's different ways, there's different key trackers that are out there that will be watching your computer. They see you log in to certain websites, and you know, your WordPress website is probably the least of your worries. It's the bank account websites and some of these other websites that would really create chaos in your life. But the bots or these viruses or malware are going to do it anyway, so you might as well try to invest in a little bit of virus protection.

Maybe you are very secure with your website. With a Mac you don't need virus protection nearly as much, and just make sure you know where you're clicking on links and things like that. Don't click on SPAM links and stuff like that. So just do your best to keep your computer safe and secure, and that is that recommendation as well. Now of course I'm going to recommend to keep WordPress updated.

And as we just heard at the top of the show, in a few weeks, we'll have WordPress 4.5. It's got a lot of security fixes in there, and those are things that probably aren't exploited yet, but maybe people have the ability to figure out, oh, there's a security hole in WordPress, so the next version – always when the big version comes out, and definitely when the point revisions come out, you want to make sure that you're updating WordPress. You want to make sure that you're always running the latest and greatest version of WordPress.

The next point is make sure that you keep plugins updated. Just because you have WordPress updated doesn't mean that you don't have to keep the plugins. The plugins are just as important because there's probably more vulnerabilities in plugins, just mainly for the fact that plugins are developed by people like you and me, and people who don't have a lot of knowledge when it comes to security type things. So you want to make sure that you always keep those updated as soon as possible. So that's another thing. So keep themes updated, and plugins, and WordPress core, of course.

Then the last thing that I can think of for this easy way, or the first day of the security checkpoints, or the ways that we can improve our security on our website, is only download themes and plugins from known sources. We want to make sure that we aren't downloading a version of Backup Buddy that's on some bit [inaudible] [00:14:46] site that says it's a free version. That's probably got some sort of malware in it and it's going to do something bad to your site. So you want to make sure that you're not doing that. You want to make sure that you're sticking to the WordPress repository.

That's a great place. All plugins get scanned before they get uploaded, to make sure there's no malware on them, make sure there's no hidden trackers or anything like that, installed in the code. That's probably the best place to do it. The premium themes, the premium plugins, you know, things that are coming from ithemes.com for Backup Buddy, or WooThemes or Elegant Themes, these big name theme shops that have lots of customers, they have lots of testimonials, stuff like that, you can be pretty safe and secure that those bits of code, those themes, those plugins, those are all safe and secure.

You also probably are okay with the folks over at themeforest.net or codecanyon.net, and those are usually pretty safe, especially if they've got hundreds of downloads. Those are something that you're probably okay with. You know most of the time it's going to be anywhere that you can find a reputable source or a plugin that's got a lot of – you've heard about it in the media before, you've heard about it on this show before, those are good places to get WordPress plugins and themes, and definitely don't just Google free version of whatever.

You're more than likely to get some sort of extra tracker, extra something or other that you don't need on your WordPress website. So those are the ten that we talked about today that I wanted to share. And next week they're going to get a little bit more in-depth. There's going to be a little bit more technicalities or a little bit more technical things that we want to do. But these again, in recap, are the ten things that you need to be doing to keep your WordPress safe and secure. The first one is back up your website. The next one is to invest in your web host.

You want to secure your administrator account. We want to make sure that our editor account is your default account when we're out and about. We don't want to be using the admin account when we are working from coffee shops and whatnot. We want to strengthen our WordPress password, and we want to make sure that all of our WordPress passwords for other accounts are strong as well. We're going to limit our login attempts with the Better WP Security plugin. We're going to protect our computer to make sure that there's no malware on our computer, nothing tracking our keystrokes or things like that.

We're going to keep WordPress updated, keep plugins updated, of course, and we're also going to download plugins and themes from reputable, well-known sources. And that is the wrap for the first week. So call to action is just if you aren't doing any of these, make sure that you take the time this week and spend the 10 minutes, the 15 minutes going through and looking at each of these items piece by piece and making sure that yes, Dustin, I've got these taken care of. My site is as safe and secure as it can be after this podcast episode.

So that's the main things. Those are the main ten that I wanted to share. Next week, again, like I said, we're going to go a little bit more in-depth. We're going to continue this journey for the next couple weeks, and by the time it's over, it's going to be springtime, and we're going to have safe and secure sites. That's all I've got for you this week. Take care. Bye-bye.

    • Amit Shah (Mar 31, 2016)

      Great tips for securing a WordPress website. For clients’ peace of mind I started https://managingsite.com to maintain their websites. They don’t have to worry about updates and security.

    • shafk (Apr 5, 2016)

      Useful tips here. Thank you Dustin. BackWPUP is a good find!