Security


Lesson Overview

In this lesson, we’ll discuss offering Security Services in your Website Maintenance Plan. This includes:

  1. iThemes Security
  2. SSL Management
  3. Site Backups
  4. Security Scans
  5. Virus Removal
  6. CloudFlare

Software & Services: iThemes Security Plugin, IONOS SSL Certificates, Really Simple SSL Plugin, ManageWP Security, UpdraftPlus, Sucuri SiteCheck, How to Clean a Hacked WordPress Site Guide, CloudFlare

 

Lesson Transcription

Welcome! I’m Leighton, your webmaster. In today’s lesson, let’s discuss another feature of your Website Maintenance Plan: Security! Security is a hot topic nowadays! It’s no longer optional in the digital realm, and for you as a webmaster, that means doing everything in your power to make your clients’ sites as secure as possible. So how do you do that on an ongoing basis? Let’s consider 6 ways you can incorporate Security into your Website Maintenance Plan. We’ll look at iThemes Security, SSL Management, Site Backups, Security Scans, Virus Removal and CloudFlare. Most of these include free services, so be ready to pause and set up your accounts!

  1. iThemes Security — So first off, isn’t WordPress itself secure? Well, yes, but the larger the software, the bigger a target it is to hackers. Truth be told, WordPress isn’t necessarily the problem. It’s weak user account passwords, outdated plugins and low-quality themes that pose a greater threat than the core software itself. For that reason, about 30,000 new websites are hacked every day! That’s where a plugin like iThemes comes in to save the day. This is one of the most popular free security plugins for WordPress. It includes more than 30 ways to protect your website from attacks, such as locking down WordPress, fixing common holes, stopping automated attacks, backing up the database, strengthening user credentials, and much more. Rather than just talking about it, let me show you this amazing plugin that I install as a staple on every WordPress website!
  2. SSL — In one of the first lessons in this course, we talked about the importance of an SSL certificate. I really don’t view this as optional anymore. You should install one with every client you take on. But isn’t that a one-time thing? How is this an ongoing maintenance service? Well, what happens when the SSL throws up an error? When it displays a NOT SECURE warning? When your client gets an SSL Renewal email? See, there are plenty of instances where you can provide support on your SSL certificate. Not only do you need to install it in the first place, but also ensure it remains active. How do we do that? I rely on 3 different services for SSL: IONOS, iThemes and Really Simple SSL. Obviously, you will purchase and set up the SSL certificate in your IONOS hosting account. You can’t shop around for a 3rd-party SSL. You have to use the ones designed to work with IONOS. Install it, make sure Auto Renewal is turned on, and you’re all set. So what plugins can we use? iThemes Security has a specific module for SSL. It enables SSL across the entire website. I also use the Really Simple SSL plugin as it ensures all content is loaded securely. Just 1 piece of content, like a logo, loaded over HTTP (insecure) instead of HTTPS (secure), is enough to throw up a THIS SITE IS NOT SECURE warning. Clearly, we don’t want that to happen, so let me show you how to use these plugins.
    • DEMONSTRATE IONOS SSL, Really Simple SSL and iThemes > SSL
    • PAUSE: Please pause the video, set up your own SSL certificate and install Really Simple SSL on your WordPress website.
  3. Site Backups — Has Microsoft Word ever crashed and you lost the document you were working on?  Has your computer ever died and you lost the pictures and files that were on it? Or have you ever physically lost your phone and now you don’t have your contacts or pictures?  That stinks! But with the proper backups in place, those things are inconvenient, but not tragic. Why?  Because you really didn’t lose anything. With a backup, you have a copy of your data and can restore it when needed. So how do you handle backups on your website?  Well, it is true that your hosting server usually backs up your files, but I wouldn’t rely on that. For one, they typically will only keep the last few days before deleting a backup. So what do I recommend, and what’s the cost?  Whatever I’m about to say, can you guess the cost??  You’re right! Free! You’re really starting to know me. I LOVE free software. Let’s see what’s out there. First off, you should know that ManageWP offers free backups. They’ll give you a monthly backup, which is better than nothing, so I’ll turn that feature ON for every client’s website. They do offer daily and weekly backups, but that’s in their Paid Add-On, which is about $2/website. Very low price, but every dollar counts, so if we can use free software and get the same result, let’s do it. iThemes Security does have a built-in database backup, which I’ll also turn on, but that doesn’t include your FILES. Both your FILES and your DATABASE need to be backed up independently. That’s where UpdraftPlus comes in! UpdraftPlus is one of the many free and paid backup plugins out there. It’s very popular, and the free version should suffice for our needs. You can set the frequency and destination of your backups. I choose Google Drive as my backup destination since Google Drive is generous with their cloud storage. Every few days, UpdraftPlus uploads a .zip file of my client’s files and database to my Google Drive. 
     If ever I need to restore the backup, I just download the zip file and upload it to the server via FTP. The restoration process should be as easy as the backup! Let me show you these 3 services, all of which I take full advantage of to back up my clients’ websites.
  4. Security Scans — So how do you determine the security status of your website?  Is it secure just because it hasn’t been hacked yet?  NO, it could be a sitting duck, waiting for the right hack to come its way! Instead, we want to regularly scan our websites for vulnerabilities. In fact, several of my websites were recently flagged because a major plugin announced a security vulnerability. They put out an update along with a public notice that if you DON’T update this plugin, you’re leaving your site open to hackers. So that’s why we stay on top of these things. But how do you scan your website for security?  Let me introduce you to 2 services: ManageWP’s Security Feature and Sucuri’s Free SiteCheck. First off, you’re already using ManageWP, so you should definitely take advantage of its Security Check. The free version will detect malware, plugin vulnerabilities, site errors, outdated software, blacklists, and more. This is a messenger, not a cleaner. It simply informs you of the issue and how to solve it. Very helpful — and free!! The paid add-on does the same thing, except it saves time by scanning your websites automatically instead of having to manually run the scanner on every site. The other service is Sucuri SiteCheck, which basically scans for the same things as ManageWP, but I’m a fan of running multiple scans in case one picks up something that another misses. Sucuri is one of the biggest names in website security. They have paid, on-demand solutions, such as malware removal, but the free scanner is a great starting point. Let me show you these wonderful scanners.
    • DEMONSTRATE ManageWP > Security and Sucuri SiteCheck
    • PAUSE: At this point, please pause the video and scan your website with ManageWP and SiteCheck. Notice what is reported in the scan results.
  5. Virus Removal — Have you ever been on a website that got hacked? Maybe it had a NOT SECURE popup (OVERLAY) or redirected you to a site that obviously wasn’t the one you intended. Despite your best effort to stay on top of security, hacks can happen. It’s not about IF your website could get hacked, it’s what to do WHEN your website gets hacked. I call this the VIRUS REMOVAL part of your Website Maintenance Plan. If you have backups in place, simply wipe your files and restore the site with a recent backup. Delete the database in phpMyAdmin and restore it with the database backup file. But then what? Once the website is cleaned and back online, you need to do your best to make sure this doesn’t happen again. How do you do that? Well, here’s a convenient guide from Sucuri on HOW TO CLEAN A HACKED WORDPRESS SITE.
  6. CloudFlare — CloudFlare has been around since 2010 and has grown into a web security authority. They serve over 25 million sites by improving security, performance and reliability. CloudFlare has both FREE and PAID plans. At their core, they secure websites against hackers and speed up websites with a CDN (Content Delivery Network). Have you heard of a CDN?  In the simplest terms, it connects you to the server and files closest to where you live. The less a website has to travel to get to you, the quicker it can load! It also does a ton of stuff behind the scenes to speed up the performance and reliability of your website. Let’s take a look at what CloudFlare offers and how we can utilize it.

So let’s recap. In this lesson, we learned 6 services you can include in the Security portion of your Website Maintenance Plan:

  1. iThemes Security for WordPress security optimizations
  2. SSL Security Certificate Installation, Renewal & Management
  3. Website File & Database Backups with UpdraftPlus
  4. Free Security Scans with ManageWP and Sucuri
  5. On-Demand Virus Removal
  6. CloudFlare Security and CDN.

I’m Leighton, and now you know, Website Security!
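
The SSL section above notes that a single resource, such as a logo, loaded over HTTP on an HTTPS page is enough to trigger a security warning. The following is an added example, not part of the original lesson or any of the plugins it names: a small Python check that scans a page's HTML for such insecure subresources. The function names, the tag list and the sample markup (using example.com addresses) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make a browser fetch a subresource.
FETCHING = {("img", "src"), ("script", "src"), ("iframe", "src"),
            ("video", "src"), ("audio", "src"), ("source", "src"),
            ("embed", "src"), ("object", "data"), ("link", "href")}
# <link rel> values that trigger a fetch; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}

# Constructed sample markup (not taken from the lesson or a real site).
SAMPLE_HTML = """<link rel="stylesheet" href="https://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<img src="/uploads/hero.jpg" srcset="http://example.com/uploads/hero-2x.jpg 2x">
<a href="http://example.org/">ordinary link, not a subresource</a>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved URL) for each insecure subresource

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        for name, value in attrs.items():
            if (tag, name) in FETCHING:
                self._check(tag, value)
            elif name == "srcset":  # comma-separated "URL descriptor" entries
                for entry in value.split(","):
                    if entry.split():
                        self._check(tag, entry.split()[0])

    def _check(self, tag, raw_url):
        # Resolve relative and protocol-relative URLs against the page first.
        resolved = urljoin(self.page_url, raw_url.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    # Returns every subresource the page would load over plain HTTP.
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Running `find_mixed_content("https://example.com/", SAMPLE_HTML)` reports the logo and the `srcset` image, while the protocol-relative script, the canonical link and the ordinary hyperlink are correctly ignored.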

 

Lesson Homework

Sign up for the free services mentioned in this lesson. Incorporate them into your Website Maintenance Plan.