Hello, this is Rob coming here. Now, one of the most important things you can do to secure your WordPress website is to ensure you have some sort of WordPress security plugin. Now there are many security plugins out there, and these will do various tasks for you. They will add a firewall, they will block IPs when people have tried a brute force attack or for some other reason, and they will scan your WordPress install to look for files and code that shouldn't be there. They will scan your website for known viruses and vulnerabilities. So the WordPress security plugin I recommend is called Wordfence.
And I would recommend anyone who doesn't have a WordPress security plugin to activate the free version of Wordfence. And this is what we're going to do now, and very importantly, there are a few settings that you need to make after you've activated this plugin, which I'm going to show you, and they won't take very long. So this is an exercise you can do to secure your WordPress website. And it will only take you five minutes, and it will make a huge difference to stopping a number of potential attacks to your website and to your business. So let's get going. So, of course, the first thing we do is go into Plugins and Add New, or we click on the Plugins link in the left-hand sidebar and go Add New up there.
And now we search for the plugin on the right-hand side here, Wordfence, and there it is: over 3,000 five-star reviews, and it's been updated very recently, and this is an exceptionally good plugin. So we'll install now, and of course after we've installed, we activate. Okay, upon activation, we get a pop-up here that suggests we start a tour and asks for our email address. I'm not going to enter my email address, although I would say if you do that you do get some very interesting information from Wordfence, including the latest news of the latest on vulnerabilities and hacks that are attacking WordPress, but I'm not gonna put it in here. Also, there's a tour you can go through, but I'm not going to do that now. So we'll close that. And immediately on the left-hand side, you see that there's a Wordfence link there in the sidebar, and you can see the flyout there showing you a list of the functionalities of this tremendously powerful plugin.
So you can see the scan, the firewall, blocking, etc. But we're not going to go into any of those at the moment, although I will do in other videos. What we're going to do now is just make a few changes to the settings so that this plugin is set up correctly. And we'll do that in Options. But before we do that, you'll see here: "To make your site as secure as possible, please take a moment to optimize the Wordfence Web Application Firewall."
And there's a link here that says "Click here to configure". What the firewall in Wordfence does is it actually filters out malicious requests to your website before they even reach your website. And once this firewall is enabled, it runs before WordPress itself because it works on their cloud computers. And it filters out attacks before plugins and themes can run any potentially vulnerable code. So let's hit "Click here to configure" and make sure that the firewall gets set up correctly. And there's a new pop-up here, and we're just going to click end the tour there, and now you'll see we are in the Firewall link in the drop-down underneath the Wordfence link in the sidebar. But don't worry about that, all we've got to do is set up the firewall.
And here it will give you a recommended server configuration. And I would go with what they recommend there and just press Continue. And then they ask you to download a .htaccess and a .user.ini. And this is because the plugin is going to append these files, add some necessary code into the file for the plugin to work. And it's just taking precaution for you to download a copy of these two files just in case anything goes wrong. So all we've got to do is download one, boom, download the other, and click Continue.
Okay, this is actually all done now for the WordPress application firewall. So what's actually happening now is the website is going through a learning phase. The plugin gets to learn what your normal traffic is like during one week. And it's going to log that in this learning phase before it actually sets up the firewall and the firewall starts working. And during this one week period, it's quite important not to make any huge, great editorial changes to your website. So don't write a post and publish it. Just make sure that your website has fairly normal activity.
During one week, I'll go back to this website and show you that the firewall has, in fact, been activated. So notice that there's still that alert that you have to set up the firewall. Again, you just need to ignore that because we've already set it up with the process I just explained a few moments ago. So that's it for the firewall for now. Now we go into Options just to change a few settings to make sure your WordPress site is secure with this plugin. So, in these basic options, I will keep most of the things as default.
However, I think one of the most important things is to put your email address in here. And this means, let's just put it in, this means once you've done it, you will find that you get emails every time there's a problem with your website. Now you might find some of these emails will come too often, in which case you can change the options here to make sure you're not bombarded with emails. But with the options I'm about to tell you, I think you'll get a good amount of emails, for example, an email every time a plugin needs updating.
This is phenomenally useful when you have multiple sites that you need to keep your eyes on and make sure all the software is up to date. It's usually quite easy to remember to update WordPress; usually it's updated automatically. But there are plugins and themes that don't get updated automatically, that you have to go in and manually update. You only have to click the mouse a couple of times in order to do it. But it's important that you do it soon after the software is updated. And if you don't get an email alert, then you don't know when to do it.
So I do find that email alert very important. I usually check this checkbox to make sure that Wordfence is actually automatically updated. So it gives me one less thing to do. And then you can check this checkbox, which will, if you want, give you an email and tell you that it's been automatically updated. But these alerts are incredibly important: email me if WordPress is deactivated, alert me when someone is logged in from login, alert me when there's a large increase in attacks detected on my site. I sometimes like to check this one: alert me when a non-admin user signs in.
So just scrolling down here, we'll keep all of these options checked. And now you can see the scanned information about the scans. And this is so important, showing you what is happening during all the scans that happen every 24 hours to your website after you've loaded this plugin. And it scans the core WordPress files against repository versions for changes. So what does that mean? It means if a hacker has put some malicious code on your website, Wordfence will actually find it for you and tell you it's there.
So you can stop the hack in its path. It's very unlikely, once you've activated this plugin, you'll get hacked, to be honest, but this is a great thing to scan for anytime. And as you can see, there are lots of other important things that are being scanned for: scan for signatures of known malicious files, scan file contents for backdoors, Trojans and suspicious code. I usually check these two as well, to scan the theme files and the plugin files against the repository versions. The reason they're not checked by default is because they do come up with a lot of false positives.
You'll find if you update a plugin, you'll actually get an alert saying that the file is different against the repository version. So I'll leave that up to you, but I usually check those and scroll down. I like to check this one as well: scan files outside your WordPress installation for any malicious code. I also like to scan this one as well, but not the next two because they may give false positives. At the rate limiting rules, I usually don't have these set to unlimited, I set these to 960 per minute. So unlimited is giving crawlers and anyone that's out there unlimited access to your website. Now of course there are a lot of crawlers that you want, you know, you want Google to crawl your website, but it's rare that somebody is going to crawl your website more than 960 times a minute, unless they have some sort of malicious intent.
So I put this to 960 on all of these to give us a little bit more control. And here, how long an IP address is blocked when it breaks a rule: I don't think five minutes is very much, so I usually put that right up to 10 days. Great to have this one: force admins and publishers, the people who use your site, your site users, to use strong passwords. So if anyone puts in a bad password, Wordfence will not let them create that password.
Again, I just want to bump up their security here. How many times do you want to let someone fail a login, you know, you don't make a mistake more than four times when you're trying to type in a password or copy and paste something in. So I put these down to four. And again, I put the count failures over the time period, I put that right up to one day. And the amount of time a user is locked out, I put that right up to the maximum. Because remember, if you get yourself locked out, all you have to do is go into the back end and disable the plugin.
And you can do that by FTP or by the file manager on cPanel. So there's no chance of you getting logged out if you know how to do that. If you don't know how to do that, then of course, maybe put that on a shorter period of time. And I also check this: immediately lock out the invalid usernames. And so that's the end of my changes that I make to the Wordfence security plugin. I'm just gonna save options now.
So I'm just going to go back onto it, because the ones at the beginning were really so important. And the ones at the end weren't really that important at all. So I think the most important thing is just to put your email address in there. If you just do that and set up the firewall, then I think you're using the Wordfence security plugin to its maximum capability. Congratulations, that's all you need to know from this video. The other options that I put in, remember, they were just strengthening the security and they were pertinent to my situation; you will have a different situation.
And you may want to check and uncheck the boxes differently to how I've done it. Also, you will receive emails now from Wordfence. And you might find these emails too distracting for you, clogging up your inbox, in which case you'll go back into these settings under Wordfence Options and change some of them. And then at the end, click Save. But the most important thing, again, I repeat, is to activate this Wordfence security plugin, which does so many things, and I'll tell you about what it does in other videos. The other important thing is to activate the firewall, make sure the firewall is up and running, and I'll come back to that to show you that that is all done.
And lastly, enter your email address, so you do get those alerts if anything is wrong with your site. My name is Rob Carbon. I'll see you in the next video.