WordPress Website Security 2017 – (561) 822-9931

(Webmaster For Hire jingle) – Hey, everybody, it's Elizabeth Varian here with Webmaster For Hire. It's been a while since I've created a video, but this topic is one that I just know that everybody needs.

We had imported over so many new clients' websites into our servers last year whose sites were hacked, and they had no clue, and so, that took thousands of dollars out of their pocket, hundreds of hours of our time over the various sites, cleaning up all of the hacked malware code, SQL injections, JavaScript coding, and, you know, it's not a topic that should be a mystery to people, it should be one that you should be aware of with what's going on in the world. Of course, like with anything, you know, everyone thinks, "It can't happen to me," unfortunately, it is more common than what you realize. So the topic of this video is, Are You Vulnerable? And keeping your website secure should be top priority, it should be your priority. So let's just jump right in, we're gonna stick with a PowerPoint video this time. I've kinda compiled everything to keep it easy for you.

But, how secure is your website? And let's cover some of the myths out there. The number one myth is once you've built it, it is now forever flawless, and that is definitely not true. Even if you have basic html websites and you're on a shared server, where your hosting is shared with other websites, you know, there is a possibility of getting hacked. That is the easiest way not to, of course, it's the least appetizing or appealing look by staying basic html, but, most sites are built with a database system, like WordPress, Joomla, or proprietary, where someone has used a database to build using their own coding. So, just because you built it doesn't mean it's forever flawless and it was built perfect.

It may have been secure at the moment that it was built, but things change, and life happens, so, technology changes, hackers get smarter, and it doesn't matter where you are in the country, yes, Americans get hit, but everybody gets hit all over the world. WordPress, WordPress is a CMS system we're gonna talk about a lot more in a moment, but if you have a WordPress site, you might be receiving monthly emails, or the sporadic email, and it reads, you know, WordPress Update. There's actually a problem in that a lot of servers aren't set up for the actual updates to be automated, and there's a reason for it, your site may break if there's an update and there's a plugin that hasn't caught up to it. So, you know, that's point number two, you don't want the auto-update, because if it breaks, you're kind of S-O-L. You know, you really are out of luck if you don't know how to fix it, or you have to get your webmaster in there.

But many of 'em, if you read the email, it is an auto-generated email that is just notifying you that there is an update, and the problem with this is many of our clients get that warm, fuzzy, secure feeling of, "Oh, my site's updated," but it isn't, it's just the wording in the update that's letting you know, "Hey, there's an update, you need to go in and click to update it." And, again, if your site is set up for auto-updates, like, your programmer or developer has used a plugin to do an auto-update, you really wanna be careful because if the plugins that you have in the site don't correlate with the new update, like in April of this year, just a couple months back, there was a major update with WordPress that Wordfence sent out a notification saying, "This has a couple of major security updates as part of this latest structure update, please get on it and do it." The problem is, is many of the plugins didn't get caught up with the update, so some of 'em became obsolete, some of 'em broke, and others just needed a minor tweak to make 'em work. So, you wanna be cautious with believing the email that there's an auto-update, and, B, check with your support company, whoever's taking care of your server, your webmaster internally, or if you're doing it, make sure that, you know, you know when these updates happen, and if you have it set auto, you check the site immediately so you know if something's broken or not. The other thing is, a lot of people say, you know, "Why would I get hacked? The site's supposed to be secure."

And I just kind of grabbed a couple of headlines, because there are tons out there, but basically, what I tell our clients is, "If Target, Microsoft, and many hospitals around the world can get a breach, why do you think you're safe from the attack?" And Microsoft, many people didn't realize, they actually had one just, like, three days ago, I didn't grab that one, but I grabbed another one just to give you a headline, and, actually, within this week, Target, for the 2013 hack, was just fined $185 million, because if you have an eCommerce site, or eCommerce structure, you have to keep your credit cards, what they call, PCI compliant and secure. You have to have an encrypted database if you're gonna store them, which we recommend people don't do for this very reason. And then, there was ransomware, we found a headline just for 14 hospitals that had been attacked in 2014, that was as of October, 2016. Now, two days ago, there was a major ransomware attack that has hit numerous nations, and has been hitting large corporations, and we'll explain a little bit more.

Well, I guess we can explain it now, ransomware is where they go in and they encrypt your files, all your necessary files, and you can't get it unencrypted unless you pay a ransom, and half the time, the ransom, you know, paid does not give you an encryption key, the other times it gets paid, but like a couple of hospitals found, they find out, "Oh, this hospital's willing to pay the ransom," they get hit by someone else, and you'll be continually being charged with it. So, we're gonna talk about brute force and some other types of hacks momentarily, but, ultimately, to think that your site is secure after you've built it once and you've done nothing else to it, you're really living with your head under a rock. There's no nice way to really put it.

Your site is not secure unless you keep it secure. So, let's talk about WordPress and other CMS systems. Basically, a CMS system is a content management system. A lot of you out there want to be able to update your sites, add/edit/delete pages, posts for your blogs, images, documents, videos, you know, whatever you want. You don't wanna be charged every time you wanna add a new article to your site, you just want to have that power yourself, have someone within your company to fully be capable of updating it.

The problem is, is you're not willing to take the time to learn the code that we know to be able to do what we do. So, systems like WordPress, and Joomla, and there's Mambo, and other sites out there, but Joomla and WordPress are more commonly used, WordPress even more than Joomla, they allow businesses the capability to do what I do without knowing code that I know, and that creates a lot of functionality that is needed because you're not just adding text to your site. You know, you might have a builder, a page builder, like, we'll use Visual Composer, other people will use other builders, there's a Divi builder and other builders out there, so you can create columns, you can do so much functionality in your site without calling your programmer. Well, that functionality is added to the base system through things called plugins or extensions. WordPress calls 'em plugins, Joomla calls them extensions, and, they're not all created by WordPress, they're created by other programmers, and when you start adding code upon code upon code, that's all these programmers coming together, it has the benefit of allowing someone like myself to create a website in two to three months, you know, actually, you could do it in two weeks if you get all the content.

Most of the time, it takes three to four months because we're waiting on content getting approvals to build it out. But, that gives us the benefit because we're not hand-coding everything anymore like we did back in the day. The downfall is when you get code upon code upon code, you open up holes. A database is like Excel on steroids, you know, it has columns, and rows, and tables within tables so that the file goes to this section of the database to call the content in that square. So if you think Excel, rows and columns, row B-2 has image 1-A in it, and in your photo gallery, if you wanna pull up image 1-A, it knows to go to that section of the database.

So, there's a lot of interaction between the browser and the database, and all this code, all coming and pulling from this one database, can open up a hole to your files on your server, your server itself, which opens up access to the email section, unless they're stored separately, it can open up ability to change and manipulate files, unless it's kept secure. And so, WordPress, as you can see on the screen here, has 40,000 different plugins. Now, that's just in the WordPress.org site, there are other places, you know, like CodeCanyon and other third-party sites where you can download plugins from, so it goes even beyond that. And Joomla has 8,000 extensions just in the Joomla extension library, and then it goes beyond that for third-party sites.

So, you've gotta keep this in mind when you have a website because all that coding can create problems. So, they're also called modules, I forgot, there's others that call 'em modules. So, plugins, modules, and extensions, when do they become vulnerable? When they're not updated. That is actually the highest level of entry, is they are either not updated, you're using an old plugin that's no longer being updated by the developer. So the developer doesn't care about the new WordPress updates, and so old code on a new WordPress structure can create a hole, and holes are bad.

They can also, if you download them from a site that's not reputable, of course, you know, we prefer going to .org, WordPress.org, or CodeCanyon, and even those aren't always reputable. WordPress.org isn't always checking out every plugin, and CodeCanyon, they have so many developers that are coming in, you wanna read the reviews, because people will come in and complain, and so reading reviews are important.

Plugins represent, you can see on the screen, 55.9% of known entry points for security breaches, bugs, and viruses. So keeping the plugins updated, and we grabbed this from Wordfence, we live off security and Wordfence. We are daily keeping up with everything that they are doing, because this is what they do, is focus on breaches. And you can see that the plugins are the number one way that hackers are getting into your site.

And now, this is by people who knew how their sites were hacked. They had a larger number of people who had no clue how their sites were hacked. When we clean up a site, we don't just try and clean it up, we gotta figure out where the hole was so we can plug it and make sure it doesn't happen again. And brute force, you can see, is the second. Brute force is the number one way we've been having problems, and it's a way that you can actually help prevent.

So, just kind of know about that in the back of your head, we'll talk about it here shortly. So, the number one thing that people say when they get hacked is, "Why me?" You know, it's kind of like if someone robs your house, if you get robbed on the street, or attacked, or if someone violently comes at you, and you don't know them, the first question is, "Why me?" Well, in the hacking world, it isn't personal, it is very rarely going to be a competitor hacking you. Now, I put on there most of the time, because does that happen? Sure. We see competition attacking competitors more in reputation marketing, with negative, false reviews, than we do in actual hacking. Now, if you're a fan of Cyberwars, like I am, the television show on Vice, Viceland, Vice, excuse me, you'll see that Ukraine and Russia, there's wars and hacks going on.

It's known, or suspected, that Russia attacked Ukraine's electrical systems, all the hubs, and took out all their power plants for a short period of time through brute force, actually, through a hack. So, there you see it's personal, it's wartime, but when it comes to business websites, it isn't personal at all. See, they find your site in various ways. They either type in specific code in the search engines to look for known plugins, and known versions, that will bring your site up amongst thousands, that they know has a hole in it, and they're like, "Ah, makes it easy," boom, gone in, now they've attacked your site. You know, so your site is downloading malware any time a visitor hits, Google is now marking in your search results that this has been hacked, and it is just wreaking havoc on your server, they may be hitting 10,000 emails a second off your server, all because they did a search, but they don't know you from anybody else, it's not like they're searching specific businesses.

If you're on shared hosting, so, like, HostGator, or Bluehost, 1&1, any of these servers, and I'm not saying these specifically, but they have the cheaper, shared hosting. They also offer, many of them, where you can have your own server space, a virtual private server space, dedicated server space, so that you're not sharing with other people in the same server component equipment. So if you're sharing and someone on that host gets it, and they hit server level, they can ultimately find you as well. One of the things we found, are, actually, our last client that we moved over to our server, that had been hacked, they were on Web.com, and we found out through customer service that they were on a legacy server, that they weren't updating the PHP.

So when we updated the WordPress, which requires PHP version 7 now, it broke the site, and they say it, they're not updating it. So it sounds like they're not paying attention to that server, and with all the files and the JavaScript in his WordPress site, it was no wonder. He hadn't updated it since 2014, and it's 2017, (chuckles) a little late, so for him, and them, not knowing it, it was probably on a server in the back room with dust on it. So, you know, being on shared server's not always easy. So someone else could've been hit, so it's not always personal.

Okay, I've mentioned this word, brute force, a couple of times, and brute force, I basically put a Wordfence definition of it, because it's the best one out there, it's a password guessing. We found several times in ours, and I'll show you an image of it, while I was putting this PowerPoint together, how many people trying to attempt to break in to WebmasterForHire.us's site. Now, all they're doing is assuming usernames and attempting passwords, and there's other ways of getting passwords through phishing emails. So if you see, on the second point here, a computer with a site access is hacked, so if your computer has been hacked, a phishing email, so it looks like it's from PayPal, you click the link 'cause it says, "You've just been charged $2,000," or some absorbent amount that triggers the brain to go, "What?" And you click the email link, you go to a site that looks like PayPal, you type in your username and your password, the problem is, you're not looking at the link in the location bar, and you are now on a fake site, and you're giving them your PayPal username and password.
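The brute-force guessing she describes (repeated tries of admin, webmaster and similar usernames from a handful of addresses) as an added example, not the speaker's or Wordfence's code: a small Python monitor over constructed login-audit lines that flags source IPs with a burst of failed logins and lists the usernames being guessed. The line format, IP addresses, usernames and thresholds are all assumptions made for this example.

```python
# Added example (not from the video or from any plugin): detect WordPress login
# brute-forcing in a login-audit log. The audit line format is constructed for
# this example; adapt LINE_RE to whatever your own security plugin writes.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: <ISO-8601 timestamp> <client IP> <username> <FAIL|OK>
SAMPLE_LOG = """\
2017-06-27T10:00:01Z 203.0.113.5 admin FAIL
2017-06-27T10:00:02Z 203.0.113.5 admin FAIL
2017-06-27T10:00:03Z 203.0.113.5 webmaster FAIL
2017-06-27T10:00:04Z 203.0.113.5 webmasterforhire FAIL
2017-06-27T10:00:05Z 203.0.113.5 admin FAIL
2017-06-27T10:00:06Z 203.0.113.5 admin FAIL
2017-06-27T10:02:00Z 198.51.100.7 admin FAIL
2017-06-27T10:02:30Z 198.51.100.7 admin FAIL
2017-06-27T10:09:00Z 198.51.100.7 admin FAIL
2017-06-27T10:30:00Z 192.0.2.44 elizabeth OK
2017-06-27T10:31:00Z 192.0.2.44 elizabeth FAIL
this line is garbage and must not crash the monitor
2017-06-27T10:31:20Z 192.0.2.44 elizabeth OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)$")


def parse(text):
    """Return a list of (timestamp, ip, username, failed) tuples.

    Malformed lines are skipped: a monitor that dies on one odd line
    is a monitor that is no longer watching the site.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, m.group(2), m.group(3), m.group(4) == "FAIL"))
    return events


def brute_force_ips(events, threshold=5, window_minutes=5):
    """Map each source IP whose failed logins reach `threshold` inside any
    window of `window_minutes` to the largest such count seen.

    A legitimate user who mistypes once (192.0.2.44 above) is not flagged;
    a burst of guesses from one address (203.0.113.5) is.
    """
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for ts, ip, _user, failed in events:
        if failed:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def guessed_usernames(events, min_failures=3):
    """Usernames attackers keep trying, most-guessed first. If a real account
    on the site appears here, rename it and give it a long password."""
    counts = Counter(user for _ts, _ip, user, failed in events if failed)
    return [(u, n) for u, n in counts.most_common() if n >= min_failures]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute-force sources:", brute_force_ips(ev))
    print("guessed usernames:", guessed_usernames(ev))
```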

And just kind of on a side note, one of my friends here, locally, had someone get into her PayPal account, she has a debit card from PayPal, and they requested a new one with a new address, and they went to town charging money orders and gift cards, over, I believe it was a couple thousand dollars. So always update your PayPal user/pass, don't click links in PayPal bank/credit card emails, social security, IRS emails, those are fake emails, and it only takes one to then get into that account. Opening attachments can download software on your computer, which then puts your computer into attack of any open connections to your server, your website, anything. So, these are definitely ways that hacking happens. Boy, don't say that three times fast, right? So I said, you know, while I was recording this, this was this week.

Or, not recording it, while I was creating the PowerPoint. Just this week alone, our software has blocked this many attempts, brute force attempts, 145 from the UA alone, which is Dubai area, Japan, 22, the US, 22, from these specific IPs, and these were just the top five, so this isn't the total amount. We had one day we had 745 attempted brute force attacks, and our site's been around for a while, and it's WordPress, so, this shows you the top countries blocked, and the See, they're trying admin, don't use admin as your username, change it for WordPress, or Joomla, or anything. But 129 login attempts for admin, and then they're trying webmasterforhire, webmasterforhire, and webmaster, and all your common tools. And it's no big deal for them 'cause they can set software up, or, you know, different countries pay, and they just sit and keep hacking. So, how to prevent, you know, this is why we're really here, "Okay, Elizabeth, stop scaring the crap out of me," excuse my French. "Stop scaring us, how do we prevent it?" Number one, create email rules for your employees.

They're not allowed to click links in an email unless they absolutely know it's trusted. Look in an email, on the header, look at the actual address, there's a lot of emails that are from people you know, but they actually happen to be. They got your email address from your Facebook account, they see who your friends are, or friends of friends, and they'll send you an email that looks like it's from your friends, like I get 'em from my mom all the time, or my dad all the time, and if you look, the email has nothing to do with their actual email account.

My mom has called me and said, "It looks like you've been hacked," and I'm like, "Nope, look at the address, that's not me. They're just spoofing, they're pretending that it's me. And they know your account from Facebook, and they see us as a connection, so they grab my name." So that's kind of a tricky thing that they've been doing, so make sure email rules, don't even open from friends and family unless you check that email address and you guarantee that it is their actual email address. Don't allow employees access to a server if they don't need it.

You know, not every employee needs the access to the server, or see if your server can be where they have limited access. Have a secure monitoring and updating system or program. And I am gonna tell you, we do have a Security Maintenance Program, and we're gonna talk about it shortly, but make sure you have some sort of process in place for security, for monitoring the site regularly, for updating your plugins, extensions, and modules, and make sure you're on a secure server. We use CloudFlare as an overlay protection on our server, that's just one way that you can help keep your server secure. Not everyone agrees with it, but we do.

I think you're gonna find more comments on this video with people disagreeing with certain aspects because there's so many different thoughts out there. The number one thought is, you know, have a basic html (chuckles) website, or don't have one at all. But that's not good for business these days. And the last thing is, have difficult passwords. We hate those difficult passwords, but don't store them in a Word document on a Dropbox file, or something that can get hacked, or sitting in your Google Gmail account, or Yahoo Mail account, which can easily get hacked.

Serve it somewhere printed, somewhere that they can't get it, but have the long, 16, 32, 16 is what we typically do, 16 to 32 figures of letters, uppercase, lowercase, numbers, symbols, et cetera. Make it difficult. Because people can go onto your Facebook account and find out your mother's maiden name, they can find out all of these security questions that you could potentially come up with, your kid's name, and there's so many times that I'm telling people, "No, you can't have that password. I can figure it out without knowing you, you can't have that password." And you may be surprised (chuckles) to know that password, or password123, is still the number one used password.

Ah! Nothing with your business name in it, no password, you know, you're thinking you're being tricky by adding a dollar sign, you're not tricking anybody at all, that's common thinking, so, make sure you have difficult passwords for everything. So, no security is foolproof, but having the pair of eyes monitoring can give you a peace of mind. What happens if your site actually gets hacked? Because I just stated, no site is 100% secure, your site can still get hacked. I showed you, Microsoft, you're thinking Microsoft, the company, is gonna keep their sites and secured, hack-free, but they got hacked. I know my brother is all about Apple, but Apple can get hacked as well.

They just don't as often. Therefore you do need to have regular monitoring. Now this isn't about your computer though, it is about your website. You still should have some system of monitoring your computer, Malwarebytes, antivirus together, having an IT professional making sure your server that you have internally in your company is secure. But your website is what we're talking about specifically, you should have eyes monitoring your site 24/7.

You can't be looking at it, but your server should be monitored. A lot of people say, "Oh, well, my hosting company, they have monitored it." Well, we've had those companies, people on those servers, still come to us, and we still have found that they've been hacked. And it's because they're not updating your structure, your plugins, and if they do, it's auto, and we already discussed that it can break, and so they're not fixing it, 'cause they're not watching it, they're not manually updating it for you. And backups, some of 'em charge you to do backups.

So you need to have the WordPress structure, Joomla structure, whatever your CMS system is, plus the plugins and extensions, updated regularly. So I said we were gonna talk about our security program, now we don't charge as much as a lot of our competitors because we want our clients keeping 'em updated. So for our clients, we actually, as an add-value, include hosting in this fee. Because if we're building your site in WordPress, I want my server secured and I want your site secure. So, the first thing we do is we go and take that initial backup.

Well, actually, very first thing we do is make sure you're not hacked, because many times we start this, we have found sites were actually hacked, so we clean up anything that's been hacked. We run the manual backups and we store them off your server. So if your server gets hacked, and you have UpdraftPlus, and you're not using an add-on, or you're not storing it third-party, you're storing it in your local host file, and your files get hacked, they can corrupt your zip files, and your backups, or delete them, and so then you're really screwed because you don't have where you can restore the site quickly, you have to rebuild from scratch, or go to the host company to try and go back to their last data point for image backup.

So we run the initial manual backup, and then we install the security plugins, such as Wordfence, Simple History. Simple History shows us, you know, what's happened to the site, and many hackers, we've found, they don't go in and delete anything, so we can see if they got in through a username, what username they got in through, if it was through a plugin, plugins that were added. We had a site that was recently hacked, they were on this program, and it was a plugin conflict that we hadn't been notified about, the client didn't have to pay us thousands of dollars to clean it up, we just did it for them, it was part of the program. Kind of an ouch to us, but, big deal, that's what this program is for. We went in, and it took us 10 hours, cleaned it up, found the plugin, found that it had recently been abandoned, we contacted the owners, there was no responses, so we found a better plugin to replace it with.

But it was the Simple History plugin that helped us find it, but there's other plugins that we add. We secure the site and make sure that we get any holes fixed that we can find. Monthly, we go in and backup all the sites manually, so we keep manual backups. We do updates manually, and we have programmers do it. Why? Because if anything breaks, underlined, we fix it immediately.

Now, we may not see everything, 'cause some things may be a break that's on a lower page, or our eyes don't catch it, and you might catch it, and our clients just let us know and we go in and fix it right away. The other thing is, is a lot of times, you're in your CMS system and you forget how to do things, and our clients will call us and say, "How do I do this again? I forget how to add an image to the gallery," you know, as an add-value, we add in one hour of telephone support, answering your questions, each month. Now we don't worry about rollovers and things like that, but we know that this is an insurance policy, and we know that to keep you secure, if you, you know, go in and you forget how to do something, it's in our benefit, in our security system, or process and program, to make sure you remember how to do things so it makes it easy for you. You don't have to worry about, you know, you haven't been in there in a while, et cetera, et cetera. Some of our clients use it, some of 'em don't, again, it's add-value.

So, we would definitely love for you to come onto our system, you can go to our website, WebmasterForHire.us, or give me a call, I answer the phone, I own the business and I still answer the phone, (561) 822-9931. Again, WebmasterForHire.us, not .com, .com was owned by a Canadian company when I very first started the business, back in 2001. So, you know, just make sure you type in .us, and under the menu, you can actually find the Security Maintenance Program. We go into more in-depth discussion about it. I really hope that this video has been helpful, I mean, it's a little, you know, PowerPoint-ish, 'cause it is PowerPoint, but I wanted to cover some of the tips and the main points.

I'm gonna try and create some more videos on security, because it's becoming a big deal on the internet. There was a major one recently, I think Pagulus, I forget what the name of it was now, that's just off the top of my head, but it just was day before yesterday, it just came out and hit, it was ransomware. Brute force has been very common, we've sent out an email that brute force is happening through home routers, you know, you need to call your Comcast, your AT&T, or whoever has the routers and modems, and make sure you have the most updated versions. So, also, sign up for our email list if you wanna get notices, we try and send them out as we can. But, we would love to help you, we would love to help keep your site secure, and just check us out.

Thank you so much for taking the time to listen to this really long video, I didn't realize how long it went, I hope you found it informative, and until next time, Build, Rank, and Grow with Webmaster For Hire. Bye.
