Hello, this is Rob cabin. Now keeping your website software up to date is only half of the story, you have to perform good home directory and web root hygiene. What I mean here is the WordPress and server software being up to date is the software that you know is running your website because your website wouldn't run without it. However, there may be other things like old backups or other folders and files hanging around on your website server that just don't have any reason to be there. And if that's the case, as time goes on, it's much more likely that that will contain vulnerabilities as it will contain our software. So this is just as important as keeping your website software up to date.

So you have to observe the root of the sites and the home directory using two methods that I'm going to explain now, in order to access your site files to perform home directory and web root hygiene, you need three pieces of information, the server address, username and password. The server address will look like one of these three things it'll either look like an IP address with four numbers separated by three, four stops or three periods. Or it would be something like FTP dot your site comm or something like something dot something else.com it really can be anything and you'll get this information from your host. You will also get from your house the username and password to access either via the FTP client or via a control panel in a browser. Unfortunately, the username given to you by your web host may not be a very good one.

However, if you have been using it for a while, it's quite difficult to change. But if you are setting up new accounts I would always advise you to choose a difficult to guess username as well as definitely choose, as you know, a very difficult to guess password. As I've mentioned before, it should be over 16 characters long with random computer generated upper and lowercase letters, numbers and special characters. the secrecy of this information is just as important as the secrecy of the username and password to access your WordPress back end. So the first way you access your website's files is using some sort of FTP client such as file Zilla, I very much recommend you try files that are if you don't have an FTP client already, and you can get this free software at file Zilla hyphen project.org. When you use this software, you should use SFTP protocol, which is the secure File Transfer Protocol and I'll show you how to do that.

Later, the other way of accessing your website's files is via a control panel such as cPanel, which is very common, a lot of hosts use cPanel. But when you access the site's back end through cPanel, always make sure there's a secure SSL connection. And you can tell that by viewing the secure padlock icon in the address bar in Chrome, and I'll show you how to do that now. Okay, so I've logged into cPanel using my username and password. And in order to have a look at the site's files, we go into File Manager. You'll notice on both of these pages, both the main access panel to the cPanel and the file manager screen, they both have the secure green padlock there meaning it's a page that is viewed via SSL secure socket layer, so it's encrypted at both ends.

Therefore, there's no chance of a man in the middle attack someone who is eavesdropping on your conversation with your web host, and therefore having a look at the files you're uploading or even uploading their own files. So always look out for that secure padlock. When you first get on to file manager, it may give you an option, what you want to look at. For this purpose, we want to look at the home directory. And we will be looking at the web route as well. But the home directory is the top directory that you have access to on your server.

So this contains everything. It contains the logs the mail, other software like Perl, FTP, SSL, TMP, these are all access logs, and everything on here is what you'd expect to find on a home directory of a website. And if you're not familiar with all of these files and folders, the you should make sure with your host that these are, in fact something that they've put there and something you need rather than something else. Because if you see a folder that has a weird name, something you don't recognize, then you really want to talk to your host and ask them what it's therefore this is what I'm talking about when I say home directory hygiene, because if you have been hacked, and a hacker has left a backdoor, or any other malicious software, this is one of the places may they may leave it because the wordfence security plugin which I recommend you use will not scan this area of the site it will scan the public HTML which we're about to look at.

So if you do find anything suspicious, then I would tell you not to delete it because If you don't delete it, then you can ask your web host about it, they may say, No, this is this is an important folder, you want to leave it there else, something on the website won't work. Or if it is malicious, then they can find when it was placed there. And then you will know when you were attacked, and you will know which backup to restore from. So that's the general rule. If you find something that shouldn't be on your website, don't immediately delete it. So you go into public HTML, and I'll show you this on on the FTP client as well.

But this is the web root. So this is where the files that serve your website are housed. When a browser connects to your, your host, they go to this folder and immediately look for an index dot php, or an index dot HTML or an index dot htm file, and they read that file and then that file tells To read another file and and after they've read God knows how many files, then they serve the website and also access the database of course. So that's all the WordPress website files, which you should be familiar with. And there's some other files there, but I'll talk about them in a minute. So now I'll just show you the WordPress website files and I'll also show you the home directory and the web root on the FTP client.

So here is WordPress installed that I've just downloaded from the WordPress websites. And remember there's always those three folders WP admin WP content and WP includes and the WP hyphen dot PHP files and the index dot php and the license txt and then the readme HTML and that is your WordPress installation. Okay, so when you've downloaded the files or software Just go File site manager and then go new sites. And there you need to enter the host address, the username and the password. The login type should be normal. And the protocol as Remember I told you should be SFTP.

You might get the port's information from the host as well, but you can leave that blank as well. But as you remember, you just need the host address username and password in order to access the site's files using the file Zilla FTP client. So now we are on the home directory, which I showed you on file manager and it's showing us exactly the same files. So same again, now that we're satisfied that all of these files and folders should be there. We're going to go into the public HTML. And here we should see just the WordPress install files which I showed you just a minute ago.

However, as you will rightfully see that we have a little bit more than I showed you just a minute ago. So this is an example of things that should be here. So I'm going to run through them with you Just so you have a good idea of what should be on your web root. This folder should be fine, it's blank. This folder dot well known is peculiar to my site and my host, but they tell me it should be that the CGI hyphen bin is always there, it should be on your site as well. You should have a.ht access as well that would have been created when you installed WordPress, you may have a user dot ini or a PHP dot ini or something like that.

These three images that dot png s, these are the fav icon, a very small square icon that appears next to the address bar in the browser. And this one is the same as that the error logs should be there as well. That's something that my host put there. The robots. txt also should be there at something that is very important for SEO and that should be there. So wordfence hyphen, w h f dot php, that should be there because we got the word fence security plugin installed.

And then the others are just what was on the WordPress install files that you get from WordPress. This one again is peculiar to my host. Now, there are a few things we can throw away, README, and licensed txt, they're generally not doing anyone any good and therefore they should be deleted. Now, in all of these, what you should be looking out for is anything that says backup on it. So what can happen so often is some Freelancer or a Anyone can perform a backup of the site, just in case they make a mistake. They've got something to restore from, and then they leave it lying there and forget about it.

When that happens, as the time has passed, it becomes more and more of a security vulnerability. And that's why you should pay particular attention to Webroot hygiene. Have a look at the files on your server that is housing your websites and see if you know everything that is there and find out very quickly why something is there that you don't know should be there. I hope that helped. My name is Rob. I'll see you in the next video.