You wake up one day and all is good.
The sun is shining, the birds are singing,
you feel great.
But then you open up your website.
And then you see this and this and this.
Oh no, you got emails from customers.
And on top of that, you are sending spam emails
- 600 per minute.
WHAT IS GOING ON!?
My friend, your website has been hacked.
Could you have prevented it?
Yes, you could have prevented it.
And I will show you in this video how you
could have done that.
This is the WordPress Security - 'Circle of
five'.
In this video, you will learn how to stay
safe.
I will teach you - very practical - WordPress
security and what you can do to keep yourself
safe.
And I will also tell you at the end of this
video what you can do if you already have
been hacked.
This video should be watched before you install
any security plugins, so you have the right
context so you know what you are doing.
Because your website security is totally dependent
on the 'Circle of five'.
The weakest link determines your entire security,
so make sure you watch the whole video to
stay safe from those CRIMINALS.
Why can I help you?
Because I have my national hosting company,
and my web development agency.
So I have the responsibility for a lot of
traffic, a lot of websites and a lot of clients.
So, I do know what it takes to keep you safe.
Okay, first of all, why would anyone with
a normal brain, try to hack your WordPress
website?
You don't have credit card information, you
don't have any Bitcoin stored, and you certainly
don't have a lot of customer information on
your website!
Oh well, maybe you do because you have a webshop...
Well let me assure you, it is nothing personal.
Most hacks are just fully automated scripts
that go through the internet, every single
day trying to sniff out if your website could
be easily hacked.
Then they send a signal to the hacker who
tries to manually hack you, or if you have a
front gate wide open, they would just walk
in, change your pages or post or whatever.
Now why would they do this?
Simple, the top reasons to breach your WordPress
website are these:
The first one is of course: for the money.
They redirect visitors to phishing websites
or fake webshops, so they could spend their
money, and then the hacker would steal it.
The second one is they wanna spread malware
using your WordPress website.
So now they can add these visitors' computers
to their botnet, and they can rent it out
to the highest bidder to do, for example,
DDoS attacks.
The third reason is: they can use your website
for blackhat SEO, they will enter links in
your websites, so their websites get pushed
up higher in the search engines.
The fourth one is activism, they just want
to spread a religious message - most of the
time - or a political message and put it on
your website.
And the fifth reason is just for fun and practice,
because it gives the hacker a feeling of importance
if they breach your website.
Whatever the reason is, these are still CRIMINALS.
And we need to harden our websites, harden
our stuff before they hack you and you have
to fix it all.
Now let's start with the 'Circle of five' to keep
your website safe and secure.
Okay, the first one in the 'Circle of five'
are your passwords, if you use the same passwords
for your WordPress as for anything else,
change them ASAP.
Now these passwords are VITAL and need to
be very, very strong.
I'm talking about WordPress admin login, your
FTP login, your hosting login and your database
login.
If I can get my hands on one of these login
credentials, I can hack your system and completely
take control of your entire WordPress website.
Now what is exactly a strong password?
A good question, I'm glad you're asking me.
Just let it be auto suggested by a password
manager.
Those things are created to keep your passwords
safe and are pretty close to unhackable.
They use military grade encryption.
So, you should be safe by using those things.
I use a very popular one.
There is a link in the description if you're
still looking for a password program.
Don't write your password down, don't email
them to yourself, don't WhatsApp them to anyone,
don't text them to anyone, just keep them
in your password system.
If you want to check if your password comes
forward in a list of hacked websites, hacked
logins from years ago up to now, you can go
to this URL: haveibeenpwned.com.
Here you can check your password in a known
list of leaks from years ago till now.
If you are in doubt how secure your password
is, you can go to this website: howsecureismypassword.net,
and you can type in your password and it will
calculate how much time it would take for
a brute force attack to guess your password.
Now one thing I can't stress enough, I always
tell my clients, and I still see them doing
it: they are giving their passwords and login
credentials to someone else to change just
one thing on their website.
Please never ever do that.
Just make a new user, give him a new username,
with a new password and after he's done, just
delete the entire user.
That is the safest way.
Please, never, ever give your admin privileges,
give your password to someone else.
Alright, the second in the 'Circle of five'
is the hosting.
I have seen many clients who just got unlucky.
Really, their security was okay -it wasn't
perfect- but it was okay, but they got hacked,
because someone else in their shared server
got hacked.
Now, that is a hosting mistake, that you could
never do anything about.
Because they have created their website, their
shared server in such a way that it is easy for
a hacker to just jump from user, to user, to
user.
So, it's not your fault.
But what you can do, is you could switch to
a hosting company that does it in the right
way.
Now, I have my own national hosting company
but no, I don't host any websites I don't
know, I only host my own websites that I created
for my clients.
But if you're still looking for a solid hosting
company, there is a link in the description.
You won't pay any more if you follow this
link, but I'll receive a small commission,
thank you in advance.
Alright.
The third one is WordPress itself.
Now, WordPress itself is the most used content
management system in the entire world.
That's why WordPress is a target for hackers.
Now if another system was the world's most popular
CMS, then that would be targeted the most
by hackers, but it is WordPress, simply because
it's such a valuable and awesome system.
Now the standard WordPress security is pretty
okay.
There are a few vulnerabilities and I will
tell you them.
The first one is using /wp-admin/ to log into
your website.
It is the world's most known URL to log in to
a WordPress website, you should change that.
If you don't know how you should do that,
hold on.
Don't go install any plugins or anything,
wait till the end of the video and I will
show you how you can do it by using the best
plugin in the world.
We should change this URL to something only
you would know.
The second one is that WordPress does not
limit your login attempts.
So if you have all the time in the world,
or you could just let a computer try out usernames
and passwords, they could just hack your website
if your password is not fully secured and
if you didn't limit the login attempts.
This is called a brute force attack, and they
could easily do that by guessing 500 passwords
in 24 hours.
They have the time, and you have the time
to be hacked because your website needs to
be online, every single day.
The third one is: there is a system in place
in WordPress called xmlrpc.php which is used
for example to put content online using other
third party services, or your mobile phone
for example.
Now, that is a very handy thing, but in the
last few years it's become more of a curse
than a blessing.
So, we should definitely restrict access to
that file as hackers try to gain access to
your website using this simple way.
We should disable this or disable it temporarily,
if you don't need it and activate it when
you do need it.
For example, I have a few webshops of my own.
And if I want to sync all my orders and invoices
with my accountancy company, then I have to
turn this function on, and then they can hook
into that function.
They can download all the invoices and information
of my webshop, so I can pay my taxes.
But after the download I disable the function,
because it is just too vulnerable.
Another problem with WordPress itself is that
people tend to use nulled and free themes.
If you have - for example - a free version
of Divi, a free version of Elementor Pro,
or a free version of -I don't know- WP Bakery.
Please, shame on you!
You should definitely buy the original one
because now you have a big problem.
You have probably bought it using a company
which says: "Well just pay once and you get
500 premium themes and plugins just for free
in this offer".
Nothing is for free my friend, they sure have
added somewhere a code that gives hackers
access to your website.
Even if you've downloaded just one from a
torrent website or anything, stop it, delete
it straight away!
Go to the original owner/developers and please
buy it!
If you like it, buy it!
This way you support the developers, and the
other way, you are keeping yourself safe because
most of those themes have scripts injected
into them so they can just push a button, and
your website will be transferred to their
ownership.
Please never ever use nulled or free premium
themes.
There's no such thing as free.
The other one is, of course, update your WordPress
plugins and themes.
It's the most common feature why websites
for WordPress are being hacked, because people
just don't update it.
If you have a good hosting company, then your
plugins and your themes will be updated automatically.
If they don't, you should do it manually.
Don't forget!
Because it is very important, and never ever
leave an outdated plugin in your WordPress
website.
There have been a lot of times in the past
where theme owners and plugin owners, just
push out security updates because they are
vulnerable, they didn't do that on purpose,
but someone discovered something that they
can hack your website using a method.
Please update it all the time, very important!
To do these final things we have just discussed,
we are going to use a security plugin to secure
your website.
Not in this video but in another video, I
will show you at the end which plugin it is.
And no, it is not Wordfence, because I am
not so enthusiastic about Wordfence.
They are just skipping a few steps that I
think are way too important.
And they lack a few features also.
So if you have learned anything new today,
hit that like button so I know we are on the
right track.
Alright let's continue.
We are at the fourth in a 'Circle of five'.
The fourth one is your own PC.
Because if someone just can watch you logging
into your WordPress website, then you are
lost my friend.
Then there is no use in securing your website
at all.
So your computers are most important because
if your computer is infected with malware,
or some kind of a virus, then your website
will be compromised in the upcoming days.
In the past years I've used a lot of different
antivirus solutions, but I was not so enthusiastic
about McAfee or Norton, because they just
slowed down my system -and I have a pretty powerful
system- and they lack a couple of features.
Now I have put a link in the description if
you're still looking for an antivirus solution
that could really help you out.
It stops connections with malware, even before
you download it on your PC.
It's pretty amazing.
It has saved me a lot of pain in the last
few years.
Alright so the last one in the 'Circle of
five' is your connection.
We live in an age where your WiFi can be spoofed,
hacked, or even imitated by someone in your
backyard with a strong enough sender, so it
can relay all your data, being transferred
between you and the modem of your home.
Now I'm not being paranoid, but we live in
an age where this is fairly easy to do if
you know what you're doing.
And you say, "Well, I'm not a target I only
have one WordPress website".
Yes you do.
But as WordPress websites keep on getting
harder to hack, people will use more advanced
technologies, just for fun or to really do
some damage to your business.
Now it's pretty easy, what you need my friend
is a VPN connection.
Now, if you do not have a VPN connection or
you don't know what it is.
It's very easy: when you are connected to
the internet it creates a highly encrypted
tunnel that you could use to send your data
through that tunnel and back.
There is no way people can look in your tunnel.
You even get another IP address so it looks
like you're from another country or another
city in your country, so that they can't track
you, they can't see who you are, they can't
see where you're from, and you are entirely
safe.
If you are still looking for a VPN solution,
again, in the description of this video there's
a link for a VPN solution I use on all of
my devices.
On my smartphone, on my laptops, on my computers,
I have this VPN solution because it is very
cheap but it works really fast, it's 100%
reliable -I never had any problems with them-,
and it works, installing is like a breeze.
It's very easy, even on your smartphone.
It is easy because they have a very good app.
Alright, those are the 'Circle of five' things
you need to change your life to be very safe.
Now, if you've already been hacked, and you
are too late, just learn from your mistakes,
call your hosting company and ask them to
place a backup to your websites so you'll
be up and running in no time.
And please apply all those things we talked
about of the 'Circle of five'.
If you don't have any working backups or they're
all crumbled and infected with malware or
with a hacked version, then send your website
over to me and I will try to fix it and make
a video about it.
I've done it several times, never made a video
yet.
So, if you have one, send it to me and I'll
be glad to fix it and make a video about
it.
So, the next step is to install a security
plugin: this one.
So, you can be very safe.
If you already installed this one and your
settings are okay, then you should watch my
SEO tutorial because your website deserves
to be found.
I wish you an awesome day!
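
An added example, not part of the original video or its transcript: one way to spot the slow password guessing and the xmlrpc.php probing described above in a full day's web-server access log. The log lines are constructed, the function names and threshold are hypothetical, and it assumes stock WordPress behaviour, where a failed wp-login.php POST answers 200 and a successful one redirects with 302.

```python
import re
from collections import Counter

# Constructed sample in "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:01:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "-"
203.0.113.7 - - [12/Mar/2024:04:12:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:30:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "-"
203.0.113.7 - - [12/Mar/2024:17:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "-"
198.51.100.20 - - [12/Mar/2024:02:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.20 - - [12/Mar/2024:02:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.20 - - [12/Mar/2024:02:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.10 - - [12/Mar/2024:08:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "-"
192.0.2.10 - - [12/Mar/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WATCHED = ("/wp-login.php", "/xmlrpc.php")


def count_auth_posts(log_text):
    """Count suspicious POSTs per (ip, endpoint) over the whole log given."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # page views of the login form (GET) are not attempts
        path = m["path"].split("?", 1)[0]
        for endpoint in WATCHED:
            if not path.endswith(endpoint):
                continue
            # Assumption: a 302 on wp-login.php is a successful login, so
            # only 200 counts there; every xmlrpc.php POST is counted.
            if endpoint == "/wp-login.php" and m["status"] != "200":
                continue
            hits[(m["ip"], endpoint)] += 1
    return hits


def flag_sources(log_text, threshold=3):
    """Return sorted (ip, endpoint) pairs at or above the daily threshold."""
    hits = count_auth_posts(log_text)
    return sorted(key for key, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for ip, endpoint in flag_sources(SAMPLE_LOG):
        print(f"review {ip}: repeated POSTs to {endpoint}")
```

Counting over the whole day rather than per minute is what catches a source that spreads its guesses hours apart.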
