Podcast Episode

380 – Nine Lesser Known WordPress Plugins

Announcements

Nine Lesser Known WordPress Plugins

Thank You!

Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode, we are going to talk about why you need a security system with your website right here on Your Website Engineer Podcast, Episode No. 378.

Hello and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler. I’m excited to be here with you today because we’re gonna wrap up this month. We’re wrapping up February of 2018, which is hard to believe, but we’re gonna wrap this month up talking about one more service that we need. And most of the time it’s not a service. We can accomplish what we need for the most part with plugins, but the whole theme of the month has been different systems or different services that you’ll use along with or alongside of WordPress.

So, three weeks ago we talked about how we needed an email list. That was a service that we needed alongside of our website. We also talked two weeks ago about a backup system, and a backup solution, and what that looks like. And then last week we talked about why you need Google Analytics and the service behind that to collect all the data, and let us know about who is looking at our website, and how our website is functioning.

So, today we’re gonna talk about security and why you need security. And why you need to make sure you’ve got that piece of the puzzle wrapped up along with your WordPress website. But first I’ve got two pieces of news and a plugin that I wanna share.

The first thing I wanna share is about Jetpack Version 5.8. And this now adds a feature for focus on speed with faster search and lazy loading images. So, the new search service is now out of beta and you’re gonna see a lot more significant improvements with search on your WordPress site that’s powered by Jetpack. And so that’s one of the great things that you like to see. I’m excited to get yourwebsiteengineer.com updated to Jetpack 5.8. And then you should be able to search and do things on my website much, much quicker.

The other thing that they are working on, or they have added in this version, is lazy loading images. And what does this mean? This is a feature that – images don’t load until somebody starts scrolling up the page, which is really cool. You don’t necessarily have to – if you’re running a travel blog or a food blog, something that has a lot of pictures, you don’t need to load all of those images if somebody doesn’t actually load more of the page, or even scroll up past the fold, or past what they can see on their computer screen.

And so that’s what they’ve implemented in 5.8. It significantly reduces the page load time for end users. And then as long as somebody starts scrolling, then that’s when those images start popping up before they are visible. It’s not like you have to scroll and then wait for the images, but that’s the way the Jetpack works now with lazy loading images. So, I thought that was really cool. I wanted to point it out if you are running Jetpack up to Version 5.8.

Alright, the other piece of news that I found this week was something that WordCamp Orange County’s doing. I think more WordCamps should do something like this. But they are running something called Plugin-A-Palooza. And it has three different cash prizes; a $3,000.00 first place prize, a $1,500.00 second place prize, and $500.00 cash for a third place prize. This is the fourth year that they’ve done this.

Basically, you can have teams up until three people, so you can have three participants on a team, and they’re required to build their own plugin and upload to the WordPress Plugin Directory by May 18th. Teams will present their plugins to judges and an audience on June 10th as part of the WordCamp. And so it’s just a neat thing that is helping to drive the community, and build the community, and build a plugin that’s helpful for audience members that are at the WordCamp, but just overall, the WordPress community in itself.

So, it talks about the past three winners; one was called Simple Event Listing, WP Documenter was the 2016 winner, and in 2015, WP Rollback. So, all three of those were the main winners of the Plugin-A-Palooza. And I just think it’s a really neat idea. It’s a great way to help drive that community aspect within the community itself. If we would do something like this at WordCamp Dayton, it would be really neat to get people outside of just the WordCamp event, that two-day event, to get working and doing things together before the WordCamp. I don’t know, it’s just a really cool thing and I thought this was super interesting.

And so if you are a WordCamp organizer or if you think this would be a cool thing to do in your local WordCamp, definitely recommend it to the people that are organizing. And I’m sure that they would – I don’t know they could come up with – let’s see, what is that – $5,000.00 worth of extra cash just laying around to sponsor the thing, but it would be kinda cool to have a cash prize or a little cash prize and be talked about at the WordCamp. So, that is the Plugin-A-Palooza and if you live near Orange County, you could definitely check that out.

Alright, today I wanna talk about a plugin as well because there’s more than 50,000 plugins out there. And so I try to each week just highlight a few of the cool ones that are out there. And this one is called Custom Login Page Customizer - Login Designer. It has the longest name for any plugin that I’ve heard of on the WordPress repository, but it is probably one of the coolest ones that are out there.

And I talk about these login customizer pages every once in a while because I think they’re interesting. I think it’s a really neat way to customize that experience when somebody logs into WordPress for the very first time. But all the other plugins that I found for customizing that login page are a little on the clunky side. And this one, the Login Designer, is probably the best one that I’ve found. And it is the one that is built all throughout the Customizer. You go into Appearance and then Customize and you can just tailor your entire page based on that.

So, they’ve got some templates and they’ve got some layouts. So, if you want the login page on the left, or the right, or the top, or the bottom, it’s got some really cool features built in. You can change colors. But since it’s in the Customizer, as you change things, it automatically changes visually so you can see them right away. Other plugins, you put settings in and then you have to save, and then you have to log out of WordPress so you can log back in and see it. And it’s just a strange experience to try to design these things.

And so there’s no refreshes and it contextually displays options within the plugin settings and it’s just really cool. It’s really, really neat. It is probably the best one I’ve seen. It’s got more than 2,000 active installs. And so this is one that you definitely want to check out if you want to get a little bit nicer of a login screen. I think that you could have a really cool background picture to log in or you could make it completely black. Or you could put the login page on the left side and then you put some sort of image that reflects what your site is all about on the right side. So, they’ve got three or four different templates. And I am going to dig into this and see what it looks like to design one for yourwebsiteengineer.com because I keep seeing these plugins. I think they’re so cool and, of course, it makes more work for me, but I think it’s a really cool idea.

So, okay, let’s go ahead and talk about why you need security. And it’s not all about some – the thing is when I first got started with WordPress, it was oh, well, I just have this website. I have 100 visitors per month. Why would somebody try to hack me? And that’s not really the best mindset to have because it’s not that somebody is physically trying to attack you, it is somebody that’s trying to find some sort of vulnerability on the server.

And then if you’re using shared hosting; then if they get into one aspect of – if on your shared hosting account there’s 100 websites and they can get into one website, then there’s a potential for them to get into the other 99. But if you’ve got some nice settings or you’ve got some of the secure settings that we’ll talk about, then it’s going to be much, much harder for somebody to actually get into your website and start messing things up.

I’ve had a couple websites over the years that have, let’s say, gotten ripped off at some point and it’s been a complete nightmare to try to get them back. One of them added an extra three lines of code on every file within the WordPress directory, so it was in all of my themes, every theme file, in all the plugins, every file. There were files upon files upon thousands. And it took me forever to try to clean that up.

And so what I wanna talk about today is just the ultimate WordPress security guide. How do we get this thing set up so it will run over and over again without us having to worry about tweaking settings all the time? And just be worried about our website and people being able to hack into your website. So, WordPress core software is very secure. It’s audited regularly by hundreds of developers, but there are still some things that we can do to make our installation just a little bit harder for outside people to try to get in.

So, there are a number of steps that we can do to improve our WordPress security. Now, let’s go ahead and we’ll dive into them. We’ll talk a little bit about just the basics of the security, and then some of the steps that we can do, and then some of the security things for DIYers. If you know you wanna do some things without a plugin, you can do those. So, let’s go ahead and dive right in.

A hacked WordPress site can cause serious damage to your business. Think about your business website. I think I remember from a few years back; Pat Flynn from Smart Passive Income, his website was – he had a DDoS. He had hundreds of spambots attack his website to the fact that it took it down. And he ended up – I believe at one point, if the story goes right, he had to redirect his domain to a YouTube video to say, “Hey, sorry, you’re coming to smartpassiveincome.com, but it’s down right now. We’re working our best to restore it.” and whatnot. And I think he went ahead and averaged – he figured it out. Over the ten days that the website was down, and all the work it was to get it back up and running, he lost, I don’t know, $22,000.00 or something. And that’s just on affiliate sales and some of the other things he’s doing on his website.

But if you’ve got an e-commerce site that you are making thousands of dollars per hour, or even minute or second or whatever, then website security is important. Because you don’t want that money-making machine that is your website to go down in any way, shape, or form. So, the stats are out there. Google blacklists about 20,000 websites for malware and about 50,000 for phishing sites each week. That’s each week. That’s a lot of websites that are getting blacklisted or taken off the search results of Google.

That’s another thing to think about. If you get the warning that there’s some sort of malware on your website, then most of the time, all of your search rankings – Google is not going to serve up those because if Google is the one that tags them as malware or they’re blacklisted for some reason, it takes a lot of effort to get them back into those Google search rankings. So, that’s something to think about as well.

So, some of the steps that you wanna do to make sure that you have a real secure version of WordPress or your WordPress site, you wanna keep WordPress updated. Every time a new update comes out, you wanna make sure that you’re doing that, and it’s regularly maintained and updated. And all those minor releases, like the 3.9.3 or 4.9.3 and 4.9.4, those automatically update and your website just updates. You also wanna make sure your themes, your plugins, everything else within your website – if there’s an area that says this needs updating, you definitely wanna make sure that those are updated. You don’t only just get new features with updates, and plugins, and themes, but you also get security patches. And just makes it much more difficult to log in or somebody to hack into your website.

You also wanna use strong passwords and make sure that you’re giving the correct permissions to the correct people. And so for the most part, you can get by with giving no one admin access to your website; making sure that the admin username and password is very, very secure to get in. And then anybody else that needs your website, give them a lower permission. And WordPress has these built right in. So, you wanna do that so you’re not letting somebody that’s just writing articles on your website be able to access everything and delete your entire website. Not that they would, but you just wanna make sure that the right people have the right details. If you are working with somebody that needs FTP access or access to your server, give them access to only the folders they need. And as soon as they’re done with the work, make sure that you delete those credentials and make sure that they cannot log in anymore.

You also wanna think about your website hosting. A lot of times the host can do a lot to protect your website as well. I know that for a while, I bounced around from hosting companies to hosting companies, but some of them do a really great job of making sure that there’s no one trying to log in to my site except for me. But then others will allow those attacks to happen all day long. So, if you’re using a managed WordPress hosting company, somewhere like WP Engine, or Flywheel, or some of those ones that really focus in on WordPress, then they are gonna do a great job of making sure that other sites on the server aren’t gonna cross-contaminate and get to your website. And they’re also gonna do a good job of keeping as much bad stuff away from your website as they can.

And so if you wanna do some of the recommendations for plugins to install – and these aren’t plugins that you need to install all of them, but they’re some of the ones that I thought of when it comes to security. But the best security plugin, one of the best security plugins, is having a backup system. We talked about this two weeks ago, about having a backup system in place. Because if something happens to your website and you have a solid backup, it makes that a minor inconvenience.

And if you don’t have a backup and now all of a sudden you’ve got to try to manually get rid of all the junk that’s in the website, that takes a lot more time and it’s a lot more painful. But if you can just say okay, I have a copy that is two days ago, and it’s perfect, and it’s not infected, I can just roll back two days ago. And I’ve only lost two days’ worth of content or data that’s on my website. So, that’s really, really important. So, that’s gonna be the first recommendation. Just go back to two episodes ago, No. 376, and listen to how to set up a backup system. So, that’s the first way to have a secure site.

The second batch of plugins that’s gonna help to secure your website are ones that are going to do scans on your website and make sure everything looks okay behind the scenes. The one that I use right now is VaultPress. VaultPress does a great job and it emails me every time that there is something that doesn’t match up. It basically will take the code that’s on the WordPress repository, and it takes the code that’s on your website, and does a scan of it real quick to make sure all the files are exactly the same.

There’s also one called Security Scanner and Wordfence. They all do the same thing. They scan through and make sure the stuff that comes from the WordPress repository is exactly the same as what’s on the WordPress repository. These are great plugins to install and always have running on your site. I use VaultPress because it’s a dual system. It backs up and it checks to make sure there’s not any malware. I do see that – I got an email just the other day saying that the Ninja Forms plugin had some sort of code that needed updating. And then I went in and the plugin needed updating. So, I knew exactly; okay, that was fixed with this update of a plugin. So, that’s really nice. So, VaultPress, Security Scanner, and Wordfence; those are ones that I recommend.

Another one that I found, that I haven’t tried but I found in the research for this topic, is one called Defender Security, Monitoring, and Hack Protection. It’s a newer one that’s out there, but it does the same thing. It will make sure – it’s got some of the pieces of some of these other ones, but it will go through, and scan your website, and make sure that the code on your website is valid. And it looks for anything that looks like a malicious attack injected into your code. So, that’s something else to think about.

The plugin that I run on yourwebsiteengineer.com, along with VaultPress, is called iThemes Security. It used to be called Better WP Security. And this one does a really great job of helping you check those boxes to make sure you’re doing some of these things correctly; so that you’re making your installation different than everybody else’s WordPress installation.

One of the things that I recommend is having different prefixes. So, within your WordPress database, there are a lot of tables in there for WordPress. And they normally are wp_post, and wp_postmeta, and wp_options, and you get the drift. There are a lot of them like that, but you can go in there and you can change these database prefixes so it can be – you can even call it dustin_post, and dustin_postmeta, or usually it’s a bunch of gibberish. It’s ten characters of just numbers and letters, and it’s just random. And it just makes it harder to get into the WordPress database.

iThemes Security; what that does is it’s got a checklist of 20 to 30 things and it goes through and it scans things. And it’s like oh, you are using the wp_post. That’s your prefix. And so you probably should update that. Or oh, you’re using admin as a username. Oh, you should probably update that. And oh, you’re letting everybody in the world have access to your login page. Maybe you should lock that down a little bit and only let people from certain geographical areas or from different time zones have access to that. It’s got a lot of settings in there and, basically, it’s one of those ones that you just kinda work through.

All the settings are in there in different colors and they’re color-coordinated. And if you haven’t done them, then they’re red. And if they’re partially done, then they’re yellow. And then if they’re completely done and you meet all the criteria, then that is green. And so that’s the way it works and you just work through. And you can update and you can do a lot of really cool things to make sure that your website is much more secure. So, that’s iThemes Security.

A couple of other plugins that are out there; there’s WP Limit Login Attempts. And that’s a good one that you can install to make sure that if somebody logs in your website after three attempts, you can just kick them off and block their IP address. Or if somebody uses the word admin to try to log in as a username, you can block their IP address completely. So, you can set up the different credentials. You can say if they’ve tried three times and they fail, then they have to wait five minutes to try again. Now, that really discourages the bots out there that are trying to brute-force attack your site and just try username after username after username. With a plugin like WP Limit Login Attempts, this will eliminate those things.

And then another one called Idle User Logout; I’ve never used this one, but this was interesting, as I was researching for this show as well, that it allows you to set a time limit. You set the time in seconds, I believe, and you can say if a customer is on the website or somebody that’s logged in is idle for more than a minute or 60 seconds, then automatically log them out. It’s kinda like the bank websites that cause people to log out very quickly. And that’s just basically – somebody may be working in your dashboard, they’re in admin, and all of a sudden they walk away, and they leave their computer unattended. And somebody could just log in. They could change usernames. They could delete passwords. They could do all kinds of things. So, this will just log somebody out if they have been idle too long in your website. So, that’s another plugin that I found.

So, like I said, you don’t need to install all of these plugins. A couple of them are recommended, especially one of the scanning ones. Some sort of tool that’s gonna go through your site regularly; make sure that there’s no injected code or anything that could be malicious. A lot of times this injected code, you won’t even see, but there will be hidden links across your website for different things. You may see this in the metadata that shows up in Google search results. Instead of Your Website Engineer and talking about WordPress stuff, it may say designer handbags and different things that don’t even make any sense. But it’s just code that’s injected into the theme or injected into the plugin of some kind and it’s going to display badly or do something.

Those are certain minor things that could happen, but I’ve seen websites that have been hacked and they have this big – it kinda looks like the terminal, and it’s all black, and it’s got different graphics on there, and it’s like people from Ukraine saying that you have to pay money to get access to the site back or whatever. You don’t want that to happen for sure and you wanna make sure that your website is safe and secure.

I honestly can say I’ve taken some of these precautions. I do have a backup of everything. I use VaultPress and whenever I get alerted that something may have changed on VaultPress, I take action on it. But then I’ve configured iThemes Security, and I did that a few years ago, and I haven’t done anything really since. So, in the back of my mind, I know that my website is secure. But it’s not something that I have to think about constantly and try to figure, okay, what do I need to do now to secure my website. What do I need to do now? And so that’s what I wanted to point out. That it’s not something that you have to always be on the front of your mind. If you set it up once and you have a good solid host, you’re not gonna have to worry about it too often.

So, that’s something to think about. Some of these plugins have options. I know iThemes Security has an option of emailing you when you get people trying to log in to your site. That’s kinda helpful every once in a while until you get 100 people or 100 attempts all at the same time, but it’s nice to see that. Okay, somebody attempted to get in, and then iThemes blocked them out, and they can’t get in anymore. So, I like seeing those as well.

So, that’s what I wanted to share with you. That’s the update of why you need security on your website. And I strongly urge taking some time this week; spending some time on iThemes Security, or Security Scanner, or Wordfence, any of those. Install those to your website. Configure them; take some time to configure them and make sure that your website is locked down.

And, of course, as always, remember that backup system we talked about a couple weeks ago. That is one of the most important pieces of a security system, is to have a solid backup. So, that’s what I wanted to share with you this week. I’ve got more great stuff in store for you for the month of March and I’m excited. I can’t believe it’s almost March already, but I love the weather’s getting warmer. It’s getting so nice here in Ohio and I’m just really excited to see sunshine again. That’s super nice. So, I guess that’s it and I’ll talk to you next week. Take care. Bye-bye.
