Note: This transcript was auto generated then some poor soul sat and listened to it, and followed through correcting any mistakes they spotted. Please however expect human error and shout if you spot an issue. Email: lee [fancy curly symbol] trailblazer.fm.
Verbatim text
Lee Matthew Jackson:
Hi and welcome to the WP Innovator podcast, the WordPress podcast for design and web agencies. Let’s make WordPress work for your business. Hi and welcome to the WP Innovator podcast. This, this is your host, Lee Jackson. And today it’s just you and me. Now we’re going to be talking about security and what I’ve done is I’ve repurposed a document that I hand over to clients, that’s my design agency clients, which explains to them how to better handle their WordPress security. And what I’ve done is picked out 12 items that I’d love to share with all of you to help you in your day to day WordPress security. Now, before we carry on, let me just remind you to head on over to the Facebook group.
Lee Matthew Jackson:
It’s growing now. It’s great. We’ve got about 67 members, which is awesome. And that’s all web designers and developers who use WordPress and we’re able there to have conversations and to help each other out. So that’s the Facebook group. If you just type WP Innovator into Facebook or you can head on over to leejacksondev.com group and, and you’ll be automatically redirected to the Facebook group. If you just apply to join, either me or Larissa will approve you and get you in. And it’s great as it’s a private, closed environment, the public can’t see the questions.
Lee Matthew Jackson:
Your clients aren’t going to be able to see them. And you can go in there and just have fun. Obviously, share pictures of cats because that’s what the Internet’s all about. But also ask questions about WordPress or share value, share something amazing that you have learned or that you want to help others out in the community. And let’s just have a generally awesome time. I’ve already made some great friends through there. Alrighty, so let’s crack on with the show today. So we’ve only got 12 points.
Lee Matthew Jackson:
That’s 12 points of security that I reckon you guys should be checking out. And this is definitely not an exhaustive list. This is just 12 of the most important. But there are certainly other areas of security that you should be considering. And it’s always advisable to read up on the latest and greatest information about security and also to get people in who know what they’re talking about, get in those experts as well. Now, funnily enough, this episode which I had planned comes in at the very same time as another episode that has gone out by our friends over at WP Chick Podcast, and that’s Kim Doyle and she’s interviewed a young man all about security in there and what people are doing wrong. So I definitely recommend as well, you head on over to the WP Chick Podcast and go ahead and listen to that as well. That’s rammed full of amazing advice.
Lee Matthew Jackson:
All right, let’s crack on then with number one, and number one, this sounds sexy now is use SFTP FTP. Yep, told you. It sounds really sexy. Now, essentially what this means is if you are using FTP, that means that your username and password is being transferred, transported, whatever you want to say, over the Internet to a server to say, hey, let me in. And the server’s like, yeah, come on in, let’s have a party. Now the problem with that though, is that username and password is not encrypted. And if your website is a target or your network is a target and someone has got some form of sniffing software on there, they’re going to be able to see that username and password. That also means as well that all of the Internet traffic as well, between the two points.
Lee Matthew Jackson:
So that’s between your computer and, and to the server itself. It’s all unencrypted. So if you’re transferring documents, you’re transferring code, which has obviously got copyright on it, et cetera, if you’re working on something for a client, that’s all, in theory, accessible as well. Now obviously, don’t be scared. This is, this is not a fear mongering thing. It’s probably unlikely anyone’s snooping on you, but you don’t know, do you? So we have to, as developers, as agencies, go to all reasonable steps to ensure that we’re protecting our client’s data and our client servers, etc. So it’s always a good idea to switch over to SFTP. And if you’re using something like FileZilla, then it’s no biggie.
Lee Matthew Jackson:
It’s just a case of changing a couple of items on your server, might even already be set up, and then switching on, say, FileZilla or your FTP program. Just the profile to, say, connect via SFTP. And that means you’ve got a secure channel. I think it’s 256 bit encrypted. And that means even your username and password is going to be encrypted. And all the traffic in between your computer and the server is all fully encrypted. Nothing, therefore, is viewable and it is highly recommended. So that’s the first one, just a reminder, use SFTP, not FTP.
Lee Matthew Jackson:
Now, before we carry on, if you’re driving, you’re thinking, oh man, I need to make notes. Don’t worry, I’m going to put all of these into a document, a nice pretty PDF that you can download. Essentially, I’m going to grab the paragraphs from the document that I sent to clients and I’m going to put it all into the Show Notes as a downloadable PDF so that you can access this after you’ve listened. So just carry on, sit back, relax and enjoy as we rock on to number two, which the child in me now wants to say that I said poo, but I don’t know which. You know whether that’s a phrase in your country or not. It certainly is here, but let’s move on. Correct file and folder permissions. Yeah, this, this one sounds exciting as well, but it’s really essential that you have the correct file and folder permissions on your server.
Lee Matthew Jackson:
Now, this means that when you’re connected to your FTP program, when you’re uploading files, you need to ensure that the files you’ve uploaded have been given the correct permissions. Your server will essentially set permissions for all the files, and if you have an incorrect setting, it could render the contents of that file visible to the world. So could you imagine if your WP config file was visible to the world, which included the username and password of your database? So that’s a really good example of how we need to be very, very careful on what we’re doing with our file permissions. Now, in most cases, when you’re dragging and dropping, everything’s going to be the correct permissions more than likely. But it does depend on your server setup and you need to make sure. Now, the two server. Sorry, the two settings that are the most recommended are, on folders, 755 I think it is, or 775, I can double check and I’ll get that in the Show Notes. And then for files themselves is 644.
Lee Matthew Jackson:
Now, what you might find is, now and again, you may need to reset the permissions to 777, which means write all, or 666. Yes, that number, to allow WordPress to write to a specific file. But then always be sure to change that over. Now, if you’re not sure what I’m talking about with regards to file permissions, this is all to do with Linux servers and most websites. Most WordPress websites are running on a Linux server.
Lee Matthew Jackson:
If you go into FileZilla, just right click on a folder and click on permissions. You’ll see the permissions of a folder or a file and you’ll see what I’m talking about. But also head on over to codex.WordPress.org and run a search for changing file permissions. And in there you’ll see a full description of what it’s all about, why it’s needed, and also you’ve got in there the recommended file permissions in there that you should be setting your files to now. Quick disclaimer: some servers are a ball ache when it comes to file permissions. They may have some restrictions and you do need to check in with your host if you’re having some problems with the file permissions. I’ve seen some people not being able to set their files to 644 without the entire site just going offline. So if you have any issues, do put in a support ticket.
Lee Matthew Jackson:
It’s really important that you get them right again. You don’t want people being able to see access private files at all. So there you go. Check out your permissions. Hey, if you’re using Windows I would love to hear from you. We don’t have file permissions quite in the same way on a Windows server. I’ve only run one WordPress install in a Windows environment and I think it took about three minutes before I then managed to convince the client to move over to Linux. So I never got as far as file permissions.
Lee Matthew Jackson:
So if you are running WordPress sites on Windows, I would really love to hear from you. Because hey, you know, Windows got a bad rap over the years. Maybe it still does, I don’t know. But we need to cater for everyone. Some people do have to run things on a Windows environment that might be due to the business that they’re in, etc. So it would be great to hear from anyone that’s using WordPress in a Windows environment. And let’s get chatting. Let’s get some security information down for those people as well and also performance enhancements as well.
Lee Matthew Jackson:
So cool to hear from you. Head on over to leejacksondev.com contact. Alrighty, let’s move on then to number three. I’d really love to hire the guy here. We’ve got a program called the X Factor. I think in America that’s probably just finished, or American Idol, I think it’s just finished. But in the UK they have this guy with an amazing voice and I just love to hire him right now for this podcast. But till then, until we’ve got the finances, it’s just me. So number three is install antivirus and firewall.
Lee Matthew Jackson:
Alright, this might have pricked up your ears because you’re thinking it’s a website. Why do I need an antivirus? What’s a firewall? I’ve lumped the two in together for a reason. You’ll understand why in a minute. But let me just set the scene. You have got a computer, check, you want to go onto your Internet banking, check. What’s the first thing you think of? Well, hopefully it’s: is my antivirus software up to date? So you’ll go ahead and check and you’ll probably hit update, update. Make sure you’ve got the latest version, make sure you got the latest database of viruses and you might even, if you’re like me, run a quick scan just, just to be sure. I don’t want to access the bank and know that there is something untowards on my server.
Lee Matthew Jackson:
I’m sorry, on my computer whilst I’m connecting to the bank. Now really it should be the same with your website. We should be actively ensuring that our website is clean of viruses. That’s to not only protect ourselves but also to protect the people that are accessing our website. And it also has a knock on effect as well. If a virus is to be found on your website that you’ve not removed, Google are probably going to find it as well and then you’re going to have issues with SEO. You’re going to have maybe a little message at the top saying this site may have been hacked or your site may be temporarily blacklisted for a while. Which means when people are in say the Chrome browser or another browser, depending on if they subscribe to the same blacklisting database, it’ll actually come up and say we’ve found some a problem with this website, it might harm your computer if you access it.
Lee Matthew Jackson:
Are you sure you want to continue? And that’s obviously going to stop people from accessing your website. Also on the flip side as well, if it’s not yet detected and there is a virus on there, then you could be inadvertently infecting people’s computers etc. So it’s a really good idea to get on with some form of antivirus software for your website. So out of the box the free version would be ClamAV, which I believe is built into quite a lot of the cPanel installations. So if you’re using some form of reseller hosting or something that uses cPanel or WHM, you should be able to find in there some antivirus software to be able to scan your website and then maybe you could set up a schedule of scanning once a week to see if there’s any untowards issues. And if it finds anything, it’s going to flag them up, tell you what files they are and then you could action those. If you can’t find them, go ahead, call up your hosting company and ask them what services do they provide with regards to antivirus. Now I did mention firewall as well.
Lee Matthew Jackson:
Your website, sorry, your. Your server will hopefully come with some sort of firewall protection, but that’s usually provided by the host, probably set to a few industry standards, etc. But no further thought has gone into that. So this is where I want to take you on to Sucuri. That is S U C U R I Sucuri and this is a very, very cool service. What they do is they lump antivirus and firewall together all in one. So what this means is, yeah, you’ll still have your hosts firewall, but you can redirect your domain through Sucuri and Sucuri will act as your firewall that you will have full control of. So that means you can do all sorts of things, for example, like restricting WP admin access to only your Internet connection.
Lee Matthew Jackson:
That’s pretty cool. And it will also do things like detect if there is a denial of service attack happening and put all of the relevant things in place. It will also detect if someone is essentially trying to hack into your WordPress site using a WordPress vulnerability of some sort, and it will reject that type of activity. On the flip side, it also offers you all of the antivirus solution as well, so you don’t have to set anything up yourself. It’s all automatic. Once you’ve repointed your domain through Sucuri, filled in their settings, etc. It’s going to automatically scan your website every single day for viruses. And if a virus is detected, they will look after the full process of removing that virus for you, ensuring your website still works.
Lee Matthew Jackson:
And they will also deal with any blacklisting as well. So if your site has been blacklisted by say Norton Antivirus or Google Chrome, etc. They’re going to make sure that your site is back on the whitelist. And I’m telling you, this is an amazing service. It’s a service that we as an agency recommend to all of our design clients and all of our customers as well. We essentially put this forward as you have to have this and you need to sign a disclaimer if you don’t want this, and we found that everyone does. It’s $199, I think $199 starting price. And then there’s a few other options on there for faster turnaround. But for $199, divide that by 12 months is actually not a lot of money.
Lee Matthew Jackson:
Probably around $16 if my maths on the top of my head is right. And if I’m wrong, just laugh. So around 16, $17 a month you just paid in one year. So it’s a yearly transaction. But you get automatic antivirus scanning, you get that firewall protection, which is pretty much the preventative rather than the cure as well. So it’s going to stop 99% of all hacks or viruses as well. And the beauty of it is for that $199, you’ve not had to set up a schedule yourself to go and scan. You don’t then have to try and clean something up.
Lee Matthew Jackson:
If your site has been hacked, everything is done for you. So as an example, I’ve used Wordfence in the past, which is an awesome plugin, absolutely fantastic plugin. But it hasn’t always cleaned out the problem. The problem has still reoccurred. I’ve then had to go in and find files and delete them and then I found that then my WordPress installation won’t work. So I could have spent half a day cleaning a website before I’ve even got to the point of having to then try and go to Google and say, hey Google, the website’s all right now. And then Google might reply and say, well actually it’s not, you’ve missed something. And then that whole process carries on again.
Lee Matthew Jackson:
And that for me as a non antivirus expert on a WordPress website, that could take me two or three days. So the cost of that versus the peace of mind of $199, it’s just a no brainer for us. Now what you can do, if you’re happy to do the antivirus side internally, because you’ve got the staffing resource, that is awesome. What I would recommend though is that you at least then route your website through some form of firewall. There’s two options here. There’s Cloudflare, they’ve got a firewall service within their CDN which is pretty darn awesome, essentially will make your website perform a lot faster. It includes caching and I think the first site is $25 a month and then any add on site is $5 a month. So it’s obviously very cost effective in that range and it gives you then the WAF, that’s their, their website firewall.
Lee Matthew Jackson:
And within that there are then items or settings that you can do for WordPress compatibility. So definitely something worth checking out. I do have some clients that are using Cloudflare for their protection and then they do have internal services who are checking for antivirus. And then finally, I don’t necessarily recommend this. This is probably a last port of call. If you don’t want to use a third party pay for service, maybe your client is pushing back saying they don’t want to use a pay for service, then you could use something like Ninja Firewall. So if you go ahead and type in Ninja Firewall into WordPress.org or All In One WordPress Security or Wordfence or iThemes. So they’re just a short range of WordPress plugins that will essentially act as firewalls for your website.
Lee Matthew Jackson:
So that means they’re going to trigger before anything else does and then they’re going to go ahead and decide whether or not it’s okay for this transaction, as it were, this activity to happen and then it’s going to block things. So if you want to do that, that’s fine. Head on over to those. What we’ve found is that they do tend to add a little bit of speed degradation to a website and we’ve always found that having a third party like Sucuri or Cloudflare handling all of that with the power of their servers has always been a much better situation for us and for our clients. And again, I can’t stress enough how much of a just weight off the shoulders that Sucuri has been. And they’re not paying me to say any of this, by the way. I don’t even think we’ve got an affiliate program with those guys. We just, we just so appreciate what they’re doing.
Lee Matthew Jackson:
If you have any sites as well, by the way, just a quick one on Sucuri that are not WordPress, they cover a whole wide range as well. So go ahead, check them out. All right, so let’s move on to having a separate database. So that would be number four, having a separate database. So what do I mean by a separate database? I don’t mean just simply having the database installed on your server, but I actually mean having the database on a completely separate server. So, yep, you need to probably talk with your tech team on this because there are times when this probably isn’t appropriate or required, but definitely for the larger installations then we’ve often recommended that the database server be totally separate to the web server itself. And it’s particularly useful for the high traffic sites or sites that are at risk of, say, spikes during online campaigns, or even sites that are having a heavy denial of service attack. It can be really helpful to have load balance solutions and that sort of redundancy.
Lee Matthew Jackson:
So it helps keep the site online, it helps keep things stable and secure. Now, one of the main reasons as well to have this separate server for the database means that if the web server, which is kind of the front facing area, is compromised, it doesn’t necessarily mean that the hacker will have access to the data straight away, because again, you need to get your techs involved here, but with the setup of the database server itself, that in its own right will also have some extra protection, maybe firewall that will only accept certain types of traffic. So the two reasons to have this is for load balancing and for redundancy, just ensuring that your site can stay up if there is a heavy traffic. And also if your main web server is compromised, there are extra security features that you, you can have in there to protect your MySQL database. So I’m totally not going to go into detail here. This is something you need to talk with the tech team on and see whether or not you think this is worthwhile for you guys to explore, especially for the heavier traffic sites. But this does lead perfectly on into number five, which is restrict database privileges. So you can actually do this regardless of whether you’ve got a separate database server or whether you just have everything all loaded on the same server.
Lee Matthew Jackson:
Now, in WP config, you declare the database host, the name of the database, the username and the password. So it’s really good practice to set up a database account that only includes the privileges that are needed to run the actual WordPress website. So if you’re setting up a database, you’re setting a username and password and you’re just giving flat out all privileges. If somebody does get access to the username and password, then you’re giving them the ability to do absolutely everything. So in many cases, a WordPress website can run quite effectively just with a few privileges enabled, that would be select, insert, update and delete. So that’s just select, insert, update and delete. So what we would normally do is we’d set up a new username and password for the MySQL database, which is separate from our admin access, which is what we would use in the WP config. So for example, you could call the username WordPress Access and then give that account only the ability to select, insert, update and delete.
Lee Matthew Jackson:
And that’s really going to limit what a hacker can then do with the database. So if they’ve got into the WP config file, they’ve been able to put up some of their own files to, I don’t know, put viruses or whatever, but then they also want to have a look at your database. They are limited on what they can do. I mean, they can still delete pages, they can still do damage, but there are limitations on what they can do. What I’d also recommend as well is that username and password is only for that website. So don’t be tempted to put up, say, a root MySQL username and password into your WP config on a server that also has multiple WordPress installs. Because you’re essentially giving that guy access to everything. So he’s got the root username and password, he can access all of your server.
Lee Matthew Jackson:
Sorry, all of your MySQL databases. So again, it’s not cool. If you are not the tech in your design agency and you’re wondering what the hell I’m waffling on about, please don’t worry. Just hand over the document or maybe pass this podcast on to whomever is looking after tech in your business and they’ll know what I’m talking about. They’re probably already doing this, but hey, if they’re not, that’s fine. They can follow this advice and update their servers accordingly. All right, so let’s move on to number six. Now, all, all of these now are pretty quick ones, quite snappy, so don’t worry, I’m not going to chew your ears off on all of these.
Lee Matthew Jackson:
But number six is monitor and patch your servers. This is something that’s really, really important. If you don’t keep your servers up to date, then you could be leaving yourself open to a vulnerability. If you’re using, say, CentOS, which is a Linux server, it was a Linux operating system, and many websites around the world will use CentOS as the operating system. Now, if you don’t keep that up to date, there could be some known issue. Just like in Microsoft Windows, if there’s a known issue that people can exploit, they will exploit it. So you really need to make sure that your servers are regularly kept up to date.
Lee Matthew Jackson:
Now, in most cases, if you find a hosting partner that will provide all of that as part of the service, then you’re good. They’re going to look after that. You don’t have to worry about it, but just go and check your documentation, make sure that you are covered with regular updates, regular patches to your server that are all managed by your hosting company. If you have a team that are doing it internally, then you do need to make sure you have a conversation with them. It’s going to increase performance because if there is a bug that meant the server was not running at capacity, then the latest patch or latest update is going to fix that. But also if there was a vulnerability, it’s going to patch that as well. So if you are worried about your servers potentially getting hacked, instead of coming in through WordPress, they could be coming in through a vulnerability on the server operating system itself. So it’s really important that all of those are kept up to date.
Lee Matthew Jackson:
Now then, number seven is secure daily backups. This is a no brainer. We need to keep backups. But don’t just consider keeping the backups with your hosting company. What you probably should be doing is using some form of third party or plugin that will create a backup of each website on either a nightly or a weekly basis that will then store it in a secure location, say on a Dropbox account or some form of password and encrypted service that is not your host. The reason I say that is recently a web hosting company in the UK accidentally, I think, deleted a whole load of websites’ backups. I won’t name who it was, but I heard it in the news on theregister.co.uk and they essentially said to everyone, hey, we’re really sorry about that. You might need to recover from your own backups.
Lee Matthew Jackson:
And obviously most people were not doing that. They weren’t. They were just assuming that they were going to be looked after by their hosting partner. So bear in mind, your hosting partner may also go bust. It’s always worth making sure you keep at least a weekly update in a secure location. And also be sure as well to check where are the backups being stored by your hosting company. Because if they’re not in a secure location, if they’re easily accessible, then somebody could in theory just access those files and just grab the username and password of your MySQL database if they need it. So you need to make sure you know how are your backups being stored with your hosting company.
Lee Matthew Jackson:
And also can you automate some sort of off site backup yourselves in a secure location. So that’s something encrypted like Dropbox where you can keep a zip of maybe a weekly version of that entire website, which includes the MySQL database and includes the files as well. So if worst case, you can then recover. All right, let’s rock on. And number eight is store your logs for WordPress, your database server and your web server. So this is a real simple thing. It’s not really a preventative, this is more part of the cure. But this will allow you to identify any attacks that might have happened and it will allow you to see how far the intruder got.
Lee Matthew Jackson:
Okay, so again, this might be something that you need to talk with your tech or with your hosting partner, but you just need to make sure that some form of logs are activated. And I would recommend that they are flushed out probably after so many weeks or months, because you don’t want those logs to get too big and use up loads of space. But they’re really useful for just identifying any potential weak points in your system. If you ever got hacked, you can then find out, you know, where was it from, perhaps, or what files were compromised. All those sorts of things are really, really useful. So making sure that some sort of logging is active on your web server is super helpful and I definitely recommend this as part of your whole security package. Okay, let’s rock on through to number nine, which is force SSL for login and admin areas. So you will have seen HTTPS on a URL, that’s super helpful if you are logging in to your WP admin.
Lee Matthew Jackson:
If you’re sending usernames and passwords, etc over the Internet, it’s really a good idea to be doing that via HTTPS. So, same sort of premise when we were talking about FTP and SFTP etc. And it’s a real simple way of ensuring that you’ve, you’ve protected yourself and all of the items in WP admin are being loaded securely. You’ve got a secure and encrypted connection, your passwords being passed over safely as well. All you need to do, go into WordPress.org, run a search for WordPress HTTPS. That’s WordPress HTTPS, cool little plugin in there that’s going to sort you out and ensure that you are forcing people through to HTTPS when they’re in the WP admin section. Not really much else to say about that other than if you are a WP config editor. Go ahead in there, you can do that yourself.
Lee Matthew Jackson:
Go and look at the WordPress Codex. All right, number 10. Apply two factor authentication. So a password is only as good as a password can be. And frankly, a password can be compromised, even if it’s the most complicated password in the world. If that person did happen to write it down on a piece of paper, that’s a vulnerability there in its own right. So what you probably want to be looking at is some form of two factor authenticity authentication. And I’m not going to necessarily recommend a whole ton of plugins here for you.
Lee Matthew Jackson:
I’m going to point out two, but then go ahead and check out what you think works for you. The idea though behind two factor authentication is despite someone having a password, it will then require, like Google or like Facebook, a code to be generated on your phone that you then need to fill in that will then finally approve you access. So that means that not only does the person who is accessing the website need to have the password, they also need to have the authorized device, the smartphone, tablet, whatever it is, that has some special authenticator software on it. Or it could be that it receives an SMS message with the code in. So you can use the Google Authenticator service, that’s a free service from Google and there’s a plugin. Just tap in Google Authenticator into WordPress.org and you can go and find that. Or if you want some form of pay for solution, Clef is really gorgeous. That’s WP Clef.
Lee Matthew Jackson:
They’ve got a free version and they’ve got a paid version. But with that you can actually use an app on your smartphone and frankly it looks really, really sexy. So go ahead and check that one out as well. And there are a whole range of other two factor authentication tools. For example, like I said, there’s one where it will actually just send an SMS as a text message to the relevant mobile phone. So it’s not not relying on any particular app or authentication software, it’s simply just sending a text message saying hey, you need to tap in this code as well and then we’ll let you in. So definitely highly recommended. Remember that means that people can only get into your WP admin if they have the password and the device.
Lee Matthew Jackson:
That’s two factor. That’s going to help keep you really, really secure. So let’s rock on to number 11. We’re nearly finished. It’s number 11. Brute force protection. Obviously two factor authentication, highly recommended. That’s probably going to take this totally out of the equation.
Lee Matthew Jackson:
But if you don’t have that for whatever reason, you can’t get that set up yet, at least activate brute force protection. What that means is it’s going to stop people from trying a million times your different password combinations to get into your website. So out of the box, WordPress does not limit you from being able to tap in a password 1 million times until you get it right. Whereas if you activate a plugin like all in one WordPress security or brute force login protection, you can find both of those via the WordPress.org plugin directory, then that’s going to detect each computer IP. And if it detects from that computer’s IP that there have been more than say four or five and you can set this login attempts is basically going to block them out. So the next time they trace, try and get to the WP admin section, it’s just gonna say bye bye, go away. So that does obviously mean you need to make sure you remember your own password, but this is something that will at least stop those bots that are trying to automatically guess and number crunch your password to get in. It’s gonna block them.
Lee Matthew Jackson:
And if you set the notification up, it’s actually gonna send you a notification email as well to let you know that that happened. And that is actually really helpful. Excuse me. Because you’ll find out how often your site is being hacked and perhaps you might need to be doing something about that. Okay, we’re moving on to the very, very last one and then a top tip. Now, this last one is probably something you’re going to need to hand to your WordPress developer. If you’re not a developer, feel free to just temporarily switch off.
Lee Matthew Jackson:
If you’re driving though, just, just still concentrate on the road. And if you’re running, I probably recommend you still concentrate as well. But if you’re a developer and you’re creating a WordPress theme or you’re creating custom fields, then you need to make sure that you’re preparing those statements. You need to make sure that those statements are being validated by WordPress as real correct input. What I mean by that is that if you just create a text box that will automatically input some information into the database, then you’re putting yourself open to what’s called SQL injection. And this is something that has got some of the big boys over the years. That means that somebody could actually insert some untoward code which would then be echoed onto your website, which could include viruses, it could be calling JavaScripts from other places, or it could be some sort of code that’s going to allow them access into the website. That’s SQL injection. WordPress from 3.5 onwards...
Lee Matthew Jackson:
So if you’re not up to date, hey man, I suggest you update it. They have the prepare function. So with all of your code, make sure that you’re passing things through the prepare function that’s going to check has the person just entered clean code, it doesn’t contain any unusual characters, doesn’t contain any potential viruses, etc. And it’s going to essentially reject anything. Now if you want to know what I’m talking about, just go over to codex.WordPress.org and go into the section that talks about class_... Class Reference, sorry. And if you scroll down, you’ll find a section that says protect queries against SQL injection. Again, this will be in that PDF.
Lee Matthew Jackson:
So that’s it. If you were not tech and that was all beyond you, I still recommend you talk to whomever is developing your plugins, whoever is developing your themes, make sure that they are validating anything that is putting data into your database. So if you’ve got a contact form on your website, if you’ve got anything where somebody can input data on your website, it needs to go through the prepare function from WordPress and that’s going to double check there is nothing in there that could be hazardous to your database, to your website. Alright, so finally, top tip number 13. I don’t like to use the number 13, so I missed this out on the documentation, but number 13 is penetration testing. This is actually the last one. I’ve told you there’s 12, but there is a 13th.
Lee Matthew Jackson:
We’re just gonna call it the Top Tip. Top tip is penetration testing. So if you’ve done all 12 of these, you’re already way ahead of the curve. You’re making sure your site is pretty secure and obviously go and fill your brain with as much information on security. We’ve only picked out 12 from our original document that we send to clients that we really feel are worth people checking out, or things that people maybe often overlook. But penetration testing is kind of the top tip. What you need to do is look for a third party tester who will then try and hack into your website for you. So that’s you’re actually paying someone who’s good at hacking to hack into your website to see if there are any vulnerabilities there, if there is anything that somebody could take advantage of.
Lee Matthew Jackson:
If you’ve done everything right, you’re going to get a nice clean report, or if there are a few issues, you’re going to get a report back from the hacker to say, yeah, I got in here, or I can see there’s a vulnerability here that I could exploit, you may want to patch that up, etc. And they’re going to give you a full kind of end to end test of how secure is your website. So it’s not an actual physical action you do on your WordPress website. This is something that you pay for. And you can find some really low cost solutions out there for penetration testing where somebody externally who’s got no experience with your website is going to come in and see whether they can get in, whether they can hack into your website and they’re going to give you a report of anything that is an issue that you can then resolve and that might be resolving with your developer. So for example, preparing that statement I talked about earlier about SQL injection, or it could be something to do with your server operating system not being patched to the recent version and the penetration tester was able to get in through a vulnerability there. So always a good idea once you’ve got everything set up. And again, this is something like any of this, especially with security, etc.
Lee Matthew Jackson:
You know, these are things that you can charge on to your clients as extra reasonable costs to ensure that they are being protected. So it’s not something that you should be expected to pay out of yourself. This is of value to you and also the client to ensure that their website is secure. And this is something I do believe that you should be able to pass on the charge to the client. Just make sure though, right from the very beginning that you’re setting expectations and you’re getting your clients to agree that they want to ensure they are fully protected. All right, these are 12 steps that we currently use with our websites with clients. This is what we recommend. Some of them clients choose not to do, that’s their imperative.
Lee Matthew Jackson:
But we always make sure we provide them this sort of document so you can go ahead to the show notes. Download this from leejacksondev.com, episode 24. You’ll be able to download the PDF of these tips with a few paragraphs on each as a reminder and some links and go and look at your existing websites, see whether or not these apply to you and to your clients. If you do want any further advice, I’m a web developer. We work with design agencies all around the world and help them in this. So do go ahead and go to leejacksondev.com contact if you’re a web designer, you’re a plugin developer, theme creator or design agency and you would like some extra advice with us, then go ahead and get in touch and we would totally love to have a chat with you. And finally, please, please come and join us on the Facebook group and share your security advice or even your stories of what may have happened with a website and how you resolved that. That’s over on the Facebook group.
Lee Matthew Jackson:
That’s leejacksondev.com group. Thanks for listening to me. I have no idea how long I’ve been waffling on. If you’ve got to this, here’s your medal. Thank you. Have an awesome week. We’ve got some really exciting interviews coming up again next week in episode 25. I’m gonna put that out on social media with some teasers.
Lee Matthew Jackson:
So keep your eye open on Twitter at Lee Jackson Dev. And keep your eye out on Facebook as well. Feel free to add me as a friend. I like making new friends. That’s Lee Jackson. You’ll find me through the WP Innovator Facebook group. Have an awesome day. Have an awesome week.
Lee Matthew Jackson:
We’ll see you next week at episode 25. And until then, don’t forget to keep innovating. Cheerio.
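Editor's note: the prepared-statement point Lee makes in the SQL injection segment, shown as an added PHP example that is not part of the transcript or of the hand-out PDF. It puts an unsafe custom-field lookup beside the `$wpdb->prepare()` version and adds input validation on the way into the database; the meta key `agency_colour` and the `agency_*` function names are assumptions, not from the episode.

```php
<?php
// Added example (not from the episode): reading a custom field by post ID and
// a caller-supplied meta key, first the unsafe way, then with $wpdb->prepare().

// UNSAFE: values are concatenated straight into the SQL string. A crafted
// $meta_key changes the meaning of the query; this is the SQL injection Lee
// describes. Kept here only to show what the prepared version replaces.
function agency_get_meta_unsafe( $post_id, $meta_key ) {
    global $wpdb;
    $sql = "SELECT meta_value FROM {$wpdb->postmeta}
            WHERE post_id = {$post_id} AND meta_key = '{$meta_key}'";
    return $wpdb->get_var( $sql );
}

// SAFE: $wpdb->prepare() binds the values through placeholders. %d casts to an
// integer and %s is quoted and escaped by WordPress, so the input can only ever
// be data, never SQL. Table names cannot be placeholders; $wpdb->postmeta is a
// trusted value set by WordPress itself.
function agency_get_meta_prepared( $post_id, $meta_key ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
        $post_id,
        $meta_key
    );
    return $wpdb->get_var( $sql );
}

// Writing a custom field from a form: validate before anything reaches the
// database. Assumes a form field named "agency_colour" (constructed name)
// posted to an admin save handler for $post_id.
function agency_save_colour_field( $post_id ) {
    if ( ! isset( $_POST['agency_colour'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    // sanitize_hex_color() returns the colour only if it is #rgb or #rrggbb.
    $colour = sanitize_hex_color( wp_unslash( $_POST['agency_colour'] ) );
    if ( empty( $colour ) ) {
        return false; // anything that is not a hex colour is rejected outright
    }
    // update_post_meta() runs prepared queries internally; the value is stored
    // as data. When it is later echoed in a template, escape it for output as
    // well, e.g. esc_html( $colour ), so it cannot become script in the page.
    return (bool) update_post_meta( $post_id, 'agency_colour', $colour );
}
```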