Welcome to episode #30 of the SubscribeMe show from SubscribeMe.fm.
I’m your host Ravi Jayagopal. This is THE podcast to listen to, to learn about creating membership sites & online courses, making, marketing and monetizing digital content, WordPress, eCommerce, digital marketing, and tools, techniques and tips that you can use to create a long term, profitable online business.
I am the co-founder & co-developer of DigitalAccessPass.com, easily the best membership plugin in the industry, fondly known as DAP.
In today’s episode, I wanted to tell you about 3 must-have tools that you absolutely need to help secure yourself, as well as your web site.
What is the first WordPress plugin I install on every new WordPress site I create? Nope, it’s not DAP. It’s Wordfence. It’s the #1 security plugin for WordPress, and I will not do anything with a new WordPress installation until I’ve installed this plugin. And the makers of the Wordfence plugin have discovered a vulnerability in the Ninja Forms WordPress plugin. So if you’re using Ninja Forms, make sure you upgrade to the latest version. It takes just 1 click to do from the Plugins section of your WordPress dashboard.
And if you are not using Ninja Forms, then you should consider switching to it, as it’s a fantastic contact-us form plugin, with lots of features like support for the new CAPTCHA from Google, auto-responses, storing the submissions inside WordPress just in case the notification email never gets delivered, and so on. I have the link to the Wordfence security article in the shownotes at subscribeme.fm/30/
And then they also found a vulnerability in Yoast SEO. That needs to be updated as well.
And do you know what is the 2nd plugin I install on every new WordPress site I create? Nope, it’s still not DAP. It is iThemes Security, formerly known as Better WP Security.
A few features overlap between the two plugins, such as login lockouts and file-change scanning, so you have to be careful not to turn the same feature on in both plugins at the same time. Otherwise you get duplicate alerts and lockouts, and two scanners doing the same work on your server.
So here are some of the easiest ways to protect your WordPress installation:
* Be alerted when an unauthorized user tries to log in to your web site: someone trying to log in as "admin", or trying a username that doesn’t exist, or logging in from an IP address that’s not authorized, etc.
* Lock down the admin part of WordPress so that only certain authorized IP addresses can log in as admin.
* Change the location of the WordPress admin login page to a secret URL, so automated bots hammering the default /wp-login.php get nothing.
* Scan WordPress core, plugin and theme files against the copies in the WordPress.org repository to see if any of them have been modified. A modified file is one of the clearest signs that a site has been compromised, and compromised sites are routinely used to host phishing pages.
* Scan file contents for backdoors, trojans and suspicious code.
* Scan posts and comments for known dangerous URLs and suspicious content.
* Scan files outside your WordPress installation.
* Lock out an IP address after X failed login or forgot-password attempts.
* Block IPs that request URLs no one is supposed to access, like certain internal URLs.
* Hide the WordPress version number.
* If you still have the default username of “admin”, change it to something else with a couple of clicks.
* Change your WordPress database table prefix from the default wp_. This is defence in depth against automated attacks whose injection payloads assume the default table names, and it matters most if you used an automated installer to set up WordPress. These installers are usually provided by hosting companies, and the default settings they use are not very secure.
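To make the “lock out after X failed attempts” and “be alerted” items concrete, here is the detection logic behind them, run over a few constructed Apache access-log lines. This is an added example written for these notes; it is not code from Wordfence, iThemes Security or WordPress, and the threshold (5 failures in 5 minutes) and 20-minute lockout are assumptions. It relies on one piece of real WordPress behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format (made up for this example,
# RFC 5737 documentation addresses, not real traffic). WordPress answers a
# failed POST to wp-login.php with HTTP 200 (form re-rendered) and a successful
# one with a 302 redirect to wp-admin, so the status code separates the two.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [05/May/2016:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [05/May/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2016:11:30:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


class LoginLockout:
    """Sliding window: `threshold` failures within `window` locks an IP for `lockout`."""

    def __init__(self, threshold=5, window=timedelta(minutes=5), lockout=timedelta(minutes=20)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> when the lock expires
        self.events = []                    # (timestamp, ip, "LOCKOUT" | "BLOCKED")

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, ts, method, path, status):
        # Only login and forgot-password submissions count; GETs of the form do not.
        if method != "POST" or path != "/wp-login.php":
            return
        if self.is_locked(ip, ts):
            self.events.append((ts, ip, "BLOCKED"))  # would be dropped before reaching WordPress
            return
        if status == 302:
            self.failures.pop(ip, None)  # successful login clears the counter
            return
        if status != 200:
            return  # 403/500 etc. say nothing about the credentials
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[ip] = ts + self.lockout
            q.clear()
            self.events.append((ts, ip, "LOCKOUT"))  # this is where an alert would be sent


def analyze(log_text, **kwargs):
    """Replay a log through the lockout state machine and return the events it raises."""
    lock = LoginLockout(**kwargs)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            lock.record(*rec)
    return lock.events


if __name__ == "__main__":
    for ts, ip, kind in analyze(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:8} {ip}")
```

On the sample, 203.0.113.7 reaches five failures at 10:00:07 and is locked out, its next attempt at 10:00:08 is blocked, and the lone attempt at 11:30 lands after the lock has expired, so it only starts a new count. One caveat before relying on this on a real site: if the site sits behind a CDN or reverse proxy, the logged address is the proxy’s, and you have to take the client IP from X-Forwarded-For only when the request really came from your trusted proxy, otherwise an attacker can pick any address to lock out, including yours.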
So there’s a whole bunch of settings that these two plugins provide, Wordfence and iThemes Security. And I’m in the process of creating a video that shows the entire setup.
And then, there’s one CRITICAL CRITICAL line of code that you need to add to your .htaccess file on your web site – this one is so critical, that without having this line, our web site DigitalAccessPass.com got hacked a couple of times a few years ago. BUT… if you want to know what that one line of code is, all I ask from you, is that you join my list, by going to subscribeme.fm, and wait a few seconds, you’ll get a popup, enter your email there, and you’ll be on my list. And I’ll be emailing this one SUPER CRITICAL line, to you. And you must then add it to your web site right away. No charge. Totally free. Just join my list by going to subscribeme.fm. That’s it!
You should IMMEDIATELY change your password for all your webmail accounts, like Google, Yahoo and Hotmail, and for your bank’s web site.
For 2 reasons.
The first one is that a guy named Alex Holden, who is the founder and chief information security officer of Hold Security, discovered that hundreds of millions of webmail account credentials had recently been stolen, and the hacker was selling them off online.
Use a browser tool called LastPass. There are a few similar ones, like 1Password and RoboForm. If you already use one, then that’s awesome. But if you don’t, then it’s really important that you use one, and I personally use LastPass. It’s a free online service that stores your passwords in the cloud. Now, before you freak out, remember that your vault is encrypted with strong encryption (AES-256) on your own computer before it is ever uploaded, and the key that unlocks it is derived from your master password, which LastPass never receives. So every time you ask for a password, the encrypted vault is unlocked locally with that key; their servers only ever hold the encrypted copy. So even if their service gets hacked, the vault data the attackers get is worthless without your master password. That also means the master password has to be long and unique, because it is the one thing standing between a stolen vault and your accounts. There’s a lot more to this, but explaining the technology is beyond the scope of this podcast. So just go with my recommendation: use LastPass. Do not store passwords in your browser. LastPass is available as an extension for Chrome, Firefox and Safari. So even if you’re switching browsers or using multiple browsers on your computer, like I do, LastPass will help you secure and remember all of your logins and passwords for all of your web sites.
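To show why a stolen copy of the server’s data is useless without the master password, here is the general zero-knowledge password-manager pattern in miniature. This is an added example written for these notes, not LastPass’s code or parameters: the iteration count, the email-as-salt choice and the account names are assumptions, and a small HMAC-based keystream stands in for AES-256 so the example runs with Python’s standard library alone (it is not fit for production use). The point it demonstrates is the split between the vault key, which stays on the client, and the login token, which is one more one-way step away from it.

```python
import hashlib
import hmac
import secrets

# Parameters are this example's assumptions, not LastPass's actual settings.
KDF_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, account_email: str) -> bytes:
    """Client side only: the key that encrypts the vault. It is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_email.lower().encode("utf-8"), KDF_ITERATIONS)


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step on top of the vault key,
    so the server can verify it but cannot walk back to the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def _subkey(vault_key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and authentication keys, both derived from the vault key.
    return hmac.new(vault_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256, standing in for AES-256 here.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Server:
    """Holds only what a breach would expose: the encrypted blob and a salted hash of the auth token."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, auth_token: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_token, salt, KDF_ITERATIONS)
        self.accounts[email] = (salt, stored, blob)

    def login(self, email: str, auth_token: bytes) -> bytes:
        salt, stored, blob = self.accounts[email]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", auth_token, salt, KDF_ITERATIONS)):
            raise PermissionError("bad master password")
        return blob  # the server hands back ciphertext it cannot read itself


def demo(master_password: str = "correct horse battery staple", email: str = "user@example.com"):
    """Returns (normal_use_recovers_vault, breach_data_readable_without_master_password)."""
    server = Server()
    vault_key = derive_vault_key(master_password, email)
    vault_plain = b"paypal: hunter2\nstripe: Tr0ub4dor&3\n"  # constructed sample entries
    server.register(email, derive_auth_token(vault_key, master_password), encrypt_vault(vault_key, vault_plain))

    # Normal use: authenticate, fetch the blob, decrypt it locally.
    blob = server.login(email, derive_auth_token(vault_key, master_password))
    recovered = decrypt_vault(vault_key, blob)

    # Breach scenario: the attacker has everything the server stores, but must guess the master password.
    stolen_blob = server.accounts[email][2]
    try:
        decrypt_vault(derive_vault_key("password123", email), stolen_blob)
        readable = True
    except ValueError:
        readable = False
    return recovered == vault_plain, readable


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the server never sees the vault key or the master password, only a token that is itself hashed again with a server-side salt before storage. What the attackers walk away with in a breach is ciphertext plus a hash they can only attack by guessing master passwords one at a time through the slow key derivation, which is exactly why the strength of the master password is what the whole scheme rests on.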
One of the biggest issues I see when I do 1-on-1 coaching and membership site setup calls with DAP customers is that a lot of them will spend a whole bunch of time looking for logins and passwords. It is amazing how much time people waste trying to find their login information for various web sites, like PayPal, Stripe, ClickBank, AWeber, multiple WordPress sites, GoDaddy, the web hosting control panel, and on and on and on. And using LastPass, you can share passwords securely with other people on your team, like your business partners, virtual assistants, developers and designers. And you never have to send such information by Skype or email or any other insecure method. You just share a password from your vault with another LastPass user, and that’s it. They get it through the cloud. Super simple, and secure. And the cool thing is, LastPass also has a place to store secure text notes. So if you have other sensitive information that you would normally write on a piece of paper and keep in your bedroom locker, you can now keep it securely in your LastPass account, and all your kids and spouse and lawyer need is the master password to your LastPass account. That’s it! Just one password to remember for all the important people in your life, just in case, you know.
So get LastPass, and you will save a CRAZY amount of time, effort and frustration by using LastPass. And no, I’m not affiliated with LastPass and I don’t get a single penny from recommending them. Same thing goes for WordFence and iThemes security.
So those are the 3 major security tools that I highly recommend you install and use right away: Wordfence and iThemes Security for your WordPress sites, and LastPass. And don’t forget to change the passwords to every single online service, especially because May 5th was World Password Day, and it was created to remind us that passwords to mission-critical services must be changed every now and then.
And don’t forget that one last piece of security super tip that I haven’t given to you yet – you can get it simply by signing up for my list, here at SubscribeMe.fm.
Until the next time, here’s a quick tip of the day: If you’re using Chrome, search for LastPass and install the Chrome extension. Set it up today, and from then on, every time you log in to a web site, LastPass will ask you if you want to store the login information. Just keep saying yes, and you’ll never again use paper, or fumble and stumble for passwords.
Friends don’t let friends go without telling them about SubscribeMe.fm. So please let a friend know about this security episode – the link you can share, is http://SubscribeMe.fm/30/ .
Thanks again for listening. I’ll talk to you soon.
If you want future episodes to be automatically downloaded to your device as soon as they’re available, then subscribe to the show on iTunes at SubscribeMe.fm/itunes/ , or on Stitcher at SubscribeMe.fm/stitcher/ .
– Ravi Jayagopal
PS: The audio player above is powered by CoolCastPlayer 🙂
PPS: Don’t forget to join other SubscribeMe listeners and a network of folks all interested in the same thing: Membership sites and online courses. Join the group at subscribeme.fm/group/ and that will take you to my Facebook group.