Lessons: 15 | Length: 1.5 hours



2.7 Additional Security

We’ve already put a number of security measures in place, but there is still more we can do. In this lesson, we’ll go through some additional security techniques and look at some plugins that can automate several security tasks for you.


2.7 Additional Security

Hey, welcome back to the WordPress secure setup guide. This is gonna be the last lesson where we're looking at security measures that you can put in place. We've done a lot so far, but there's a couple of little extra things that we're gonna add into the mix. Now, the first thing we're gonna talk about is this alert that you've probably noticed on the dashboard since we installed Wordfence. Now, it's asking us if we want Wordfence to stay up to date automatically, and we're gonna hit yes, we do want it to auto-update. And that way, if there is some type of new exploit that Wordfence hears about, they can roll out security measures to deal with it as soon as they have created them.

There's one other thing in Wordfence that I wanna point out. So, we're just gonna jump into Wordfence and into Options. Wordfence does a lot of different things, but one thing in particular that you're likely to hear a lot of people recommend that you do with your WordPress sites is to hide the version of WordPress that you're currently running. So, we're just gonna find that in these options. So, here we go here: Hide WordPress version. Now, there are actually standalone plugins that you can use to hide the version of WordPress that you're running. So, I just wanted you to know that that is handled in here by this plugin.

By default, somebody can simply view the code of your website on the frontend and see what version of WordPress you're running. If they know what version you're running, they know what security patches you have installed, and what security patches you don't have installed. So, let's say, for example, a really nasty vulnerability is discovered, and WordPress puts out an update to solve it. They announce that the update solves this security vulnerability, but now all of the hackers who target WordPress know exactly what that vulnerability is, and that any WordPress site that's not up to date is a potential target.
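To show what the "hide version" setting in Wordfence is actually doing, here is an added example (not code from the course or from Wordfence) written as a small must-use plugin. It uses only standard WordPress hooks; the file name and the `hv_` function name are my own choices.

```php
<?php
/*
 * Plugin Name: Hide WordPress Version (added example for lesson 2.7)
 * Description: Drop this file into wp-content/mu-plugins/ to remove the
 *              WordPress version number from the places core prints it.
 *              This is an illustrative example, not part of the course
 *              or of Wordfence.
 */

// By default WordPress prints <meta name="generator" content="WordPress x.y" />
// inside <head>, and the same string in RSS/Atom feeds. Remove both.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core scripts and styles are enqueued with ?ver=<WordPress version> when no
 * other version is supplied. Strip that query argument so the URLs no longer
 * reveal the core version. (hv_ prefix is a naming choice for this example.)
 */
function hv_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_core_version', 15 );
add_filter( 'style_loader_src',  'hv_strip_core_version', 15 );
```

Two practical notes: the file readme.html in the site root also states the version, so delete it or block it at the web server; and a determined scanner can still fingerprint the version from the contents of core assets, so hiding the version raises the effort for casual scans but is no substitute for keeping WordPress, themes and plugins patched.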
So, for that reason, you should always have your WordPress version hidden in your code, so that it's not possible to use that to try to figure out what vulnerabilities exist in your site.

Next up, we're gonna install a new plugin. So, we're gonna go up here and we're gonna search for Block Bad Queries. Now, this plugin, Block Bad Queries, here, tries to detect dodgy-looking URLs. So, if you look in the address bar right now, you can see there's a bunch of extra text added onto the wp-admin URL. And that extra text is communicating instructions to your WordPress site. So, in this case, it's giving the instruction that "s", which represents search, equals "block bad queries", that the tab we're in is the search tab, and that the type of search we're doing is a term. Now, all of that combined is called a query string. And query strings have the ability to interact with WordPress in different ways. Now, it is possible for hackers to create query strings that try to target vulnerabilities in your WordPress site. So, what Block Bad Queries does is try to identify query strings that are potentially coming from hackers. And Wordfence does also do some of this itself, but it's definitely worth having both of these plugins in. Block Bad Queries is very focused on this one specific task, so it's quite good at it. And the developer has tested it and made sure that it works with Wordfence, so there's no problem in having both of those in. So, we're gonna install that and activate it. That's all you need to do. Now, that plugin is just gonna help try to protect you from these bad queries.

Next up, we're going to install another plugin. This time we're gonna be installing one called Bad Behavior. Now, this plugin is more focused on spam prevention. But in a lot of ways there is a crossover between security and spam prevention. And this is another really great complement to all of the security settings that you've already put into place.
So, we're going to install this plugin and activate it, and that's it. Now, Bad Behavior is all set up and running, and that's gonna help you fend off spam bots from your website.

Now, I've got one more plugin to add, and this one is called Really Simple SSL. We spoke earlier about SSL and about enforcing logins and use of the admin area via HTTPS rather than HTTP. The purpose of this plugin, Really Simple SSL, is to make sure that HTTPS is used all throughout your website, because sometimes you might find that plugins or themes have inadvertently left a couple of HTTP URLs in there. So, by installing this plugin and activating it, you make sure that you never have any of these errant HTTP URLs in your site, that it's all HTTPS. Now, don't worry about that warning that's up there, that's only coming up because I'm offline on a MAMP setup. So, I don't have SSL, obviously. But as long as you make sure that you have a site which is all set up with SSL, then that plugin will work perfectly.

Now, we have one last thing that we're gonna do for additional security, and that is disabling file editing through WordPress. Now, built into WordPress is the ability to edit the files of themes and of plugins. So, if you go to Appearance > Editor, down here you can see that we've got the ability to make changes to these files. We can change PHP files, CSS files, JS files, basically anything in a theme or plugin that's not nested deeply into too many subdirectories. Now, if somebody does manage to get into your admin area, and they can go into your theme and edit your PHP files, then basically they can wreak havoc. So, rather than allowing editing of theme files through this interface, you can just decide in advance that any editing that needs to happen will happen offline. You download files, change them, and then put them back up. So, we're going to disable this file editing interface. And the way that we do that is with another one of these code snippets.
That goes into our wp-config file. So, we add that in right under the last addition that we made. And I'm just gonna quickly comment out forcing SSL in admin, given I'm offline, so I can't use SSL. Now, if we refresh, you can see that the Editor has disappeared. So, now, just in case somebody does manage to get past all the security that you put in place, they're not gonna be able to use that editor for anything nefarious. All right, so that is now all of our security set up. Now, we're gonna move on to the rest of the setup process. Coming up next, we're gonna look at themes: how you can install them, and a couple of things that you should think about when you're deciding which theme to use. So, I'll see you in the next lesson.
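The lesson mentions the wp-config snippet without showing it on this page. Here, as an added example rather than the course's own file, is the relevant end of a wp-config.php with the two constants discussed: the admin-SSL setting from the earlier lesson and the one that removes the file editor. Both are standard WordPress configuration constants; the commented-out third constant is a stricter variant I've added as an option, with its trade-off noted.

```php
<?php
// Added example for lesson 2.7: the tail end of wp-config.php.
// Database settings, salts and the table prefix sit above this point
// and are unchanged; only the hardening constants are shown here.

// From the earlier lesson: force HTTPS for wp-login.php and everything
// under /wp-admin/. The lesson temporarily comments this out while
// working offline on MAMP, where no certificate is available.
define( 'FORCE_SSL_ADMIN', true );

// This lesson's addition: remove Appearance > Editor and Plugins > Editor
// from the dashboard, so an attacker who gets into an admin account cannot
// rewrite theme or plugin PHP from the browser. Edits happen offline instead.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option (my addition, not from the lesson): also blocks installing,
// updating and deleting plugins and themes through the dashboard, which
// includes the automatic plugin updates Wordfence was just set to perform.
// Only enable it if every code change on the site is deployed by you.
// define( 'DISALLOW_FILE_MODS', true );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

The constants have to appear above the "That's all, stop editing!" line, because wp-settings.php reads them while it loads; a define placed after the require_once has no effect. A quick check that it worked is exactly what the lesson shows: reload the dashboard and confirm the Editor entries are gone from both the Appearance and Plugins menus.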
