The PodCraft Podcast: Series 3, Episode 17
Today we're looking at security – not the most sexy of subjects, but vital if you want to run a good Podcasting website long term, and particularly if you want to make a living from it. WordPress itself is not an insecure platform, but it's massive popularity makes it a big target for hackers. Lucky for us, there are a few steps, and a couple of tools, that can make a huge difference to how safe our website is. I'm looking today at updates, backups and plugins to help harden WordPress up. Let's have a look!
Resources Mentioned on This Show
This plugin allows you to remotely manage your WordPress sites from one dashboard. It allows you to manage not only one website but up to 5 separate websites. It also helps you with updating versions, plugins and backups.
This is a simple tool which hardens your website quite a lot and stops the chance of being hacked. It detects subsequent logins, if somebody tries to login on your website too many times using one IP address then Login Lock Down will lock down the page. Login LockDown also records the IP address and timestamp of every failed login attempt.
Securi is a security toolset for security integrity monitoring, malware detection and security hardening. If the plugin sees anything unusual on your website, it will inform you right away so you can get rid of it. And it also does server site scanning, it scans your entire web server on a regular basis to see if there are viruses or malwares.
For a full guide to installing plugins and working with WordPress in general, check out the LearnDen Website Course.
- Go into your website and make sure your entire website is up-to-date.
- Setup back-ups
Let Me Know What You Think
What do you think of the plugins mentioned on this episode? Let me know what system you use to secure your website?
Finally, if you’re enjoying the series, I’d really appreciate it if you’d give me a review on iTunes. It really helps to get the show out to more people and grow the PodCraft community. Just pop over to PodCraft on the iTunes website to do that.
Thanks for listening and I’ll see you on the next episode where we’re talking about error pages.
Hey folks! I’m Colin Gray and this is PodCraft.
Hey folks and welcome to another episode of Series 3 of PodCraft, this is a series on looking at creating a great home for your podcast on the web, creating a peerless podcasting website as I called it. Yesterday, we talked about SpeakPipe. So, SpeakPipe is a tool that lets you take voicemails from your listeners. Great tool for building out engagement, making your listeners much more loyal and giving a lot of content for your show. So, do pop back and have a listen to that if you haven’t already. If you have though, thanks very much for listening along. Coming on to the next episode, this time around we’re talking security. So security, not most exciting, sexy of subjects, I know. But WordPress, while really super popular and a brilliant platform as far as I’d concerned, one of the things that can be talked down about sometimes is security. And actually, it’s a victim of its own success because of the fact that WordPress is so popular, because WordPress runs so many websites around the web, it means that the platform – the system itself is a little bit of a target for hackers. By that, I mean, if a hacker can figure out how to hack into WordPress in general, it means he has so many different websites around the web whereby he can use that trick. So, that’s why it’s so popular and such a heavily targeted tool. But have no fear, don’t start taking down your WordPress site already after the last fifteen, sixteen days of building it. There are ways to get around that. There’s lots of ways whereby we can make our WordPress site much more secure, much less hackable and simply make it a lot safer for us to use it as our platform.
So, I’m actually going through a few different tools today. There’s a few different options, few different things, different levels of security that may suit different types of websites. So, I’ll go through and we’ll see what will suit you. Step one, the basics of having a secure WordPress website and that is updates. Because WordPress is so popular, and as I said, is targeted by hackers, it’s always very quick to emerge when a vulnerability has been found. So, people discover that people are hacking WordPress websites very quickly and WordPress as a company, are great to putting on updates, to actually close those holes, to secure those vulnerabilities. So, the best thing that you can do to make sure that you’re not vulnerable to hacking is to update WordPress regularly. So whenever you see the message at the top of the WordPress window that says “Update now to version something”, click that as soon as you can, as quick as you can, just do the auto update and make sure that you’re WordPress website is always up-to-date. If you do that, you’re much much less likely to be hacked than if you don’t, so if you’re running now on a WordPress version which is like 3.4 something which is years old, even just a few months old then it’s a lot more likely that you’re going to get hacked because vulnerabilities are known about for those older versions whereas hackers are having tools to keep up to find vulnerabilities in the new version. So, if you’re on the newest version that means you’re as secure as you possibly can be without any of the extra add-ons. So, yes, make sure you update regularly.
And that goes to your plugins and themes as well. So, always go into your plugins window once a week, even once a day if you want to, it doesn’t take long. Go into your themes window as well and check which ones have an update available. The plugins, particularly, if you go into that, you can always see plugins that have updates available, just click all of the, just click the thing at the top that says “Updates available” then click to select all and do a bulk update and it takes you maybe thirty seconds to a minute to update them all. Do that once a week and you’re golden, you’re very up-to-date and secure. So make sure you do that, keep the main WordPress up-to-date and keep your plugins and themes up-to-date as well. And that does count for plugins that you’re not even using right now or themes you’re not even using right now. The fact that they’re installed in your platform means that they are a doorway to your system. So, if you’re worries about something or you’re not using it anymore, it’s not enough to deactivate that plugin, really, if you’re not going to use it, you want to get rid of it as quick as you can. You’ll only want the really essential plugins on your WordPress website because they a doorway in. Like I say, the WordPress system itself is updated a lot, it’s monitored a lot but plugins are not so much so if you use less well-known plugins, you can have an old plugin that gets out of date but it turns out as vulnerability in that plugin then people could get into your WordPress website that way. So, that’s why it’s good to really monitor the plugins you use, make sure you’re only using really popular ones, with good reviews, with their updated often and really be purposeful over the plugins that you do use. Okay, so that’s updating.
On to step two, step two is back-up. Now, everyone knows that they have to back-up, everyone knows that they should be backing up their own computers, their home computers, their laptops, their phones, their everything, you know you have to back-up but so many people just don’t do it. And it’s because actually you don’t need to use it very often, I mean it’s not that often that your computer falls over and you’ll lose everything. So you don’t really have this incentive as motivation to do it and it’s only when you actually do lose everything then suddenly you realise how important it is. So, what I recommend is backing up your website at least once a week, probably even more than that, maybe even every couple of days, depends on how often you update it obviously. I mean if you’re putting on new articles every single day, you probably want to be backing up every two or three days. But if you’re only updating your website every couple of weeks, then you can get away with just backing up that often.
Now, the way I do my back-ups is through a system called ManageWP. So, it’s a website that you can find at podcraft.net/managewp, just spell it out, no spaces or anything MANAGEWP that will take you to the website. ManageWP is a system that lets you manage WordPress websites. It helps you with updating versions, it helps you with updating plugins, it helps you with back-ups. Back-ups is the really essential thing in here that I use it for and it helps you with a whole bunch of other stuff as well actually. You can get a free account with ManageWP if you just go to that web address that I said, podcraft.net/managewp and you can sign up for a free account which handles five separate websites. So, if you have more than one WordPress website, you can actually manage them all in there. But the thing that I use it for is the back-ups. So with the free version you can do the manual back-ups, so you can actually back-up your website with one button click to any web space that you have, so, to another hosting account or to a dropbox account or something like that, you can do that manually. If you do choose to pay for ManageWP which isn’t too expensive for a smaller bit of websites then you can do auto back-ups as well, so you can actually set it to automatically back-up WordPress to whatever space you like, whenever you like on an automatic basis, so every day, every two days, every week, whatever choose. Now, some systems, for example Hostgator, which I recommended at the start of the series, do allow for certain types of back-ups. You can pay extra for better back-ups, for more regular back-ups, for more easy-to-use back-ups. I would not assume whatever system you signed up for including Hostgator, including Bluehost which I recommended at the start that those back-ups will work very well because sometimes the basic back-ups are quite hard to get back to, you don’t really know what you’re getting. I would be very purposeful with your back-ups and do it manually yourself, make sure you’re using like something like ManageWP or talk to Hostagor, talk to Bluehost and either sign up for some extra back-up assurance. Or talk to them and see what’s offered and make sure you know exactly what you’re getting. Make sure you’re happy with the back-up system that you’re using so if there’s something does go wrong, if you’re hacked or if just your server just goes down and everything’s lost, you know where you’re going to find a back-up for your website and everything is not lost. I mean, this step isn’t so much about making your website more secure, it’s about making sure that if you are hacked, if security is breeched then you have a back-up plan. So, if you are hacked, all you need to do is to change all your security details, re-install your website and you’re all good, you can get going again within hours. Okay, so back-ups, make sure you’re doing that.
Next step and this is a simple tool which hardens your website quite a lot, stops the chance of to being hacked, a great deal and this is called Login LockDown. So, the login page is probably the place where you’re most vulnerable, this is where most people hack in. You get lots of hackers out there that have tools that let them go on to our WordPress login page and basically just spam that page with logins, with passwords, all that kind of stuff and they can force their way in, in that manner. But the tool Login LockDown means that you are protected against that because it detects subsequent logins, if somebody is trying to login too many times from the one IP address and it locks down the page if that happens too often. So, basically somebody can only try and login a few times from the same place and then the login form is locked so they can’t get in. So, it’s just as simple as that, there’s really not much more to it, it’s just a plugin. You can find it in the WordPress plugins directory, so you can search for Login LockDown in the directory or pop over to podcraft.net/loginlockdown and that’ll take you to the entry for it in the WordPress database. Now, that won’t cover all the possible vulnerabilities within the WordPress by any means but it does take out a good chunk of it, it does make a big difference to your security so worth going and getting that and it’s basically no effort to do at all. I would recommend doing that. So, I would say if you’re doing that, if you’re updating regularly, you’re always up-to-date, you’re always backing up and you’ve got something like Login LockDown installed that is a massive step towards being secured, you’re much more happy about being secure. If you’re running a hobby podcast, I would say that is plenty enough so if it’s something that you don’t massively rely on, it’s not like your income is coming from there and if the site fall over for a day then you’re basically out of business. If that’s your position then you could stop here, so, that would be enough I would say. For those who want to go a step further though or if you’re a hobby podcaster and you do want to just have that extra bit of assurance, a system that I use on all of my websites is Securi, spell S E C U R I, you can get to at podcraft.net/securi, so podraft.net/SECURI and that’ll take you to the Securi website. Essentially Securi is a full security system with a whole bunch of tools in there. What you get is a website monitoring system, so it actually monitors your website for malware, for hacks, for all that kind of stuff. So, if it sees anything unusual in your website, it will check it every few hours. If it sees anything unusual at all like links off to viagra sites or anything like that, it will tell you straight away. So, you’re not going to find out days later when everything’s already on pear-shaped. It also has some hardening tools in there, so you can install a plugin on the back-end in your WordPress site which closes a lot of vulnerabilities like permissions on certain folders, like document files that give away vital details, all that kind of stuff, version files, that kind of thing, it hardens all them up, it gets rid of them or it changes permission so you’re much more secure. And it also does server site scanning, so it actually scans your entire web server on a regular basis to see if there’s any viruses, any malware on your server and it will tell you so you can get rid of it. It’s only $99 a year so 60 quid a year for a website it’s a pittance compared to what you can lose if you have a problem with hacking and the best thing about it is if there is a problem, if something happens to your website, part of the services that they will clean it. So, they’ll get in there and they’ll get rid of the malware, they’ll get rid of the problems and help you out with it. So, I’ve paid for that, I actually paid for it a couple of years ago for the first time because one of my websites was quite badly hacked and they, I paid my hundred dollars and they basically sorted out everything for me and I went on to pay a bit extra so that I can get all my websites included on Securi in the future. So, I use it, really recommend it, great tool. Keeps me a lot more happy, a lot more secure from hackers. So yeah, if you do want that extra little of insurance, if you rely on your website for income, there’s a big difference if you do lose your website for a day then I’d get on secure, just go to podcraft.net/securi and it’s an affiliate link just to let you know. So, I would get a small commission if you did buy thru that but I would thoroughly recommend and obviously you’re free to find Securi on Google if you want to by-pass it.
So, that’s it for security today. That covers a few steps you can take to be a lot more secure on WordPress to make sure that your site is a lot more safe, safe from hackers and safe long term.
So, your tasks for today. It’s a bit of a strange one today because I’ve covered a few different things. The main thing I would do, your main task for today, I think, is to go into your website, make sure you’re updated. So, go ahead and make sure you’re entire website is up-to-date; plugins, themes and the WordPress version as well and then setup a back-ups. Even if that’s the only two things you do today then that’ll make a massive difference even if you are hacked then at least you’ve got a back-up that you can fall back on and you could quickly get your website back and running. So, once you’ve completed those tasks, pop over to podcraft.net/317 you’ll see the show notes for today, links to all of the resources and of course you can always go and check the course that helps you with installing plugins, all that kind of stuff which I’ve talked about many times in this series at podcraft.net/websitecourse. Okay, that covers it. I’d love to hear your feedback though, pop on to the show notes, as I said, at podcraft.net/317 let me know what you think, pop in a comment and I’ll see you for tomorrow. Tomorrow, we’re going to be looking at error pages, so how you can use error pages to your advantage, plugins for that. This is a wee trick that I’ve used on many of my websites and it gets a whole lot more value out of something that is generally seen as inactive i.e. somebody not going to find what they come looking for. So pop back to tomorrow’s episode for that. Anyway, in the meantime, thanks again for listening today and I’ll talk to you then!