WordPress LMS Website Security With Chris Badgett

Episode 515

This episode is brought to you by Popup Maker


In his LMScast solo episode, Chris Badgett discusses the new safeguards in LifterLMS 9.0 and delves further into the significance of WordPress LMS website security.

He describes how tools like Akismet spam detection, sophisticated CAPTCHA integrations with Cloudflare Turnstile and Google reCAPTCHA, and IP blocking for repeatedly unsuccessful checkouts help guard against bots and fraudulent activities. By implementing secured media, Chris also resolves a persistent WordPress problem with the Media Library, guaranteeing that only enrolled students can access course materials and downloads.


He highlights effective practices, including employing technologies like Vimeo’s domain limitation for video security, depending on safe hosting with backups, evaluating admin accounts, and enforcing strong passwords.

Chris emphasizes that LifterLMS has always placed a high priority on protecting course developers, their users, and their intellectual property, going one step further with version 9.0 while recognizing the need to strike a balance between security and user experience.
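
The checkout throttle Chris describes in the transcript (block an IP address after 10 failed checkouts in 15 minutes) can be modelled as a sliding-window counter. The sketch below is an added Python illustration, not LifterLMS's own code; the class and function names, the 30-minute block duration (the episode only says the block is temporary), and the sample events are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10          # from the episode: 10 failed checkouts...
WINDOW_SECONDS = 15 * 60   # ...within 15 minutes
BLOCK_SECONDS = 30 * 60    # assumption: the episode only says "temporarily"


class FailedCheckoutThrottle:
    """Sliding-window counter of failed checkouts, keyed by client IP (hypothetical)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 block_for=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block lifts

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block expired: the visitor may retry
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed checkout; return True if the IP is now blocked."""
        if self.is_blocked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            recent.clear()
            return True
        return False


def replay(events, throttle=None):
    """Replay (timestamp, ip, succeeded) checkout events through the throttle."""
    if throttle is None:
        throttle = FailedCheckoutThrottle()
    blocked_at, rejected = {}, defaultdict(int)
    for ts, ip, succeeded in sorted(events):
        if throttle.is_blocked(ip, ts):
            rejected[ip] += 1                # refused before any card is processed
            continue
        if not succeeded and throttle.record_failure(ip, ts):
            blocked_at.setdefault(ip, ts)
    return {"blocked_at": blocked_at, "rejected": dict(rejected)}


# Constructed sample data (documentation IP ranges, timestamps in seconds).
# One address fails every 5 seconds; another is a customer who mistypes a
# card three times over 20 minutes and then pays successfully.
SAMPLE_EVENTS = (
    [(i * 5, "203.0.113.7", False) for i in range(12)]
    + [(100, "198.51.100.20", False), (400, "198.51.100.20", False),
       (1300, "198.51.100.20", False), (1400, "198.51.100.20", True)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the counter is keyed by IP address, everyone behind the same address shares one budget, which matches the point in the transcript that anybody in the same home is blocked too.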


Episode Transcript

Chris Badgett: You’ve come to the right place if you’re looking to create, launch, and scale a high value online training program. I’m your guide, Chris Badgett. I’m the co-founder of LifterLMS, the most powerful learning management system for WordPress. Stay to the end, I’ve got something special for you. Enjoy the show.

Hello, and welcome back to another episode of LMScast. Today I’m joined by a special guest and it’s just me. I haven’t done a solo episode in a while. My name’s Chris Badgett. I’m the CEO and co-founder of LifterLMS and host of the LMScast podcast. Today we’re gonna do an episode about WordPress websites and security, particularly in the learning management system niche.

So recently LifterLMS released a new version, a major version, which is called LifterLMS 9.0, and it has a lot of new security features in it. And I wanted to discuss security with you because it’s helpful to understand and get into the details: security, what it is, how it works, what it’s preventing, and so on.

So some of the great things about LifterLMS 9.0, there’s so many things security related, but just to go through them, the first is that we now have a setting you can turn on to block IP addresses that have 10 failed checkouts in 15 minutes. And basically what that does is that prevents bots on the internet or scammers from essentially trying to create free accounts or use stolen credit cards or fraudulent credit cards to test them on your website to see if they can find one that works.

So the reality of the internet is there is a lot of scammers, bots that are trying to get access to your website. There’s probably actually a lot more of it going on all the time than you realize. But the truth is WordPress is actually a very secure platform. LifterLMS is known as the most secure learning management system because since day one, which is over 12 years ago, we’ve always been focused on security and protecting the users of LifterLMS, but also your users’ users.

So we’ve implemented from day one the best security practices and we have continuously improved as time goes on, making things more secure, adapting to new issues of the time, so on. When someone tries to check out too many times in a row, it’s not a real transaction and LifterLMS will stop that and block their IP address temporarily.

So if somebody made an honest to goodness mistake and entered 10 different credit cards of their own trying to make it work, they are gonna be able to get back in, but they’re gonna be locked out for a while. And most of the stuff that it’s gonna block is actual fraudulent activity.

And if you don’t know what an IP address is, it’s just a location on the internet where somebody is trying to access your website from. So your router, your Wi-Fi, has a specific IP address or a location that you are connecting from. So if a spammer is at home trying to test credit cards on your website, they’re gonna get blocked.

Anybody in that home is not going to be able to keep doing what they’re doing. And the reality is that most of that is actually bots or computer programs that are running and trying to test hundreds or even thousands or tens of thousands of cards on a schedule. So it will shut those fraudsters, scammers, and scammers down in their tracks.

The other thing we implemented in LifterLMS 9.0 is the most advanced CAPTCHA protection currently available. So there’s two types of the main tools that you can integrate with for free to create a kind of a login or checkout or registration blocker if somebody is not a legitimate human or real user of your site.

Those two integrations that we’ve added natively into the free version of LifterLMS: one is called reCAPTCHA and the other is called Turnstile by Cloudflare. And basically what these technologies do, you basically sign up for free, you get an API key, you put it on your site and through the LifterLMS settings.

And what they’re gonna do is they’re gonna use the advanced CAPTCHA technology that those companies have to essentially score your user’s behavior on your website. And if anything looks out of line, like it’s a bot that’s like clicking on a million things at once, or too many like rapid actions all at once, it’s not really a human activity, and there’s a lot more that goes into scoring than just that.

But just as an example, it will stop those people from being able to register or log in or in some way get into your site when they’re not a legitimate user. And it’s likely, again, not a person, it is likely a computer program that a spammer or a scammer is using to try to get into your website.

So LifterLMS has implemented the most advanced CAPTCHA technology currently available for free to protect you, and we have resources on our website that show you how to set it up. It’s really just a couple things you have to copy and paste and turn on, and you’re good to go and you have dramatically improved the security and protection of your website.

We also did a native deeper integration with Akismet, which is also an anti-spam solution that you can turn on to prevent spammers from registering and commenting and doing things on your website that you don’t want ’em there to do. So Akismet has been around WordPress for a really long time. I highly recommend it.

It’s a great tool. You can get started for free with that as well. Again, the integration of that is built for free into the core free version of LifterLMS. Now, let’s talk about a different aspect of security. Let’s talk about your intellectual property, your content, your media. So LifterLMS, as if you’ve been using our learning management system, you know you have to enroll in a course or a membership, and maybe you have to pay to enroll or maybe it’s free.

But either way, you have to become a user of the site that is allowed or granted access to specific course content or other membership protected content on your website. That whole user system protects your intellectual property from just being public on the internet. And for a lot of people, they’re charging for access to their courses and memberships with LifterLMS, and it might not be lifetime access.

Maybe you have to pay a monthly fee or you sign up for an annual membership. There’s a million different pricing models you can implement, but in terms of protecting your intellectual property, WordPress has had a challenge for a long time where the way that it handles media, like in the WordPress Media Library, which you’ve probably heard of, those media files are actually public on the internet, and a lot of people don’t realize that.

If you’re in a course, if you’re a course creator, and you’re adding a PDF or a PowerPoint presentation, or an audio file or a download of some kind to a lesson, that’s actually publicly available in the Media Library, which means the way that it’s publicly available, unless you really get into the guts of WordPress, you may not have realized that.

But the WordPress Media Library, every file in there, every image, every PDF, everything has a URL associated with it that is public to the whole internet. So LifterLMS has solved this problem so that if you add media inside of a course or membership protected areas, you can select which course or membership someone needs to be actively enrolled in in order for that content to display on the screen.

So basically we have solved the issue that WordPress has had for a very long time about the Media Library being public, and we don’t fault WordPress for that. It started as a blogging platform. So when people would add images to a blog post, there was no reason to protect that image file and it was just publicly available all over the internet.

So if you’ve ever used Google search and done an image search, a lot of times you’re just surfacing media files from the WordPress Media Library, which is not protected by default. But LifterLMS has solved that with protected media. We have other innovations as well, where, when you’re creating a course, let’s say you’re creating a quiz and you’re putting images into the quiz questions, all that stuff is automatically protected outside of the WordPress Media Library.

So only the enrolled students in that specific course or membership can see that particular media. So we’ve given you both smart media protection that’s happening where it should be at a global level, also giving you the ability to restrict content anywhere on your website to specific courses and memberships.

And by content, media files. So that’s something you should know about how the WordPress Media Library works, and it’s always been important to us to help course creators, coaches, education entrepreneurs, school administrators protect their media assets. So we’ve locked that down to the maximum ability that you can, and there’s a lot more in LifterLMS 9.0, but I just wanted to highlight some of the top security innovations there.

And also just do a solo episode around security: why it matters, what it is, how it works, why is it important. So for example, LifterLMS has a password strength setting that you can choose to make super strong, make it medium strength, or make it weak. Now, one of the most important things about website security is having, particularly a site that has a lot of users on it, not just you as a WordPress administrator or a couple people that work on the site.

But if you have hundreds, thousands, tens of thousands, hundreds of thousands of users, every user account, ideally in a perfect world, would have a very strong random 16 character password that’s only ever used on that one website. It’s not also that person’s bank account login or email account login or social media account login.

Strong passwords are really important, and if you want to enforce that on your site, LifterLMS, because people are creating accounts as they enroll in courses and memberships, they’re essentially creating a user, a WordPress user on your website with a login.

So you can enforce that, hey, you really need to have a strong password. Now, keep in mind that there’s also a concept of permissions. So in WordPress there’s a lot of different user roles, like the person who can do everything. The site owner is called the administrator, but there’s actually several other default roles like editors and authors and subscribers and so on in default WordPress.

LifterLMS has roles too, the LMS manager, the student, the instructor, and these different levels have different permissions. So all I’m trying to say here is even though your student has the lowest levels of permissions, ’cause they’re just a user that can log in and consume their course or membership content.

That doesn’t mean that if their pass, if their account got compromised, that somebody could come in and start changing plugins or looking, doing, changing the website and stuff like that. The permissions are already way reduced to the necessary permissions for that user role. But even still a student is entitled to their privacy and security. So even if you know your community of students or learners or clients are not security experts, you can still enforce a stronger level of security by using strong passwords. Now, if you’ve been on the internet for a while, like myself, with over 15 years of being a power user, I probably have something like 3000 accounts in different apps and websites and logins and things, stores, whatever, on the internet.

Because of that, I use a password manager. I particularly like 1Password. And what that allows me to do is I don’t have to remember all my super strong, at least 16 character random passwords. My password manager, which has its own levels of security on it, allows me to quickly create new logins that are always unique, always strong, and I can always log in from all my devices, from my phone, my laptop, my desktop, and so on.

This episode of LMScast is brought to you by Popup Maker, the most powerful, trusted popup solution for WordPress. Whether you’re selling online courses or memberships, Popup Maker helps you grow your email list, boost sales conversions, and engage your visitors with highly customizable popups. Imagine creating custom opt-ins, announcements and promotions that actually convert.

I personally use Popup Maker on my LifterLMS websites for lead magnet opt-ins, cart abandonment, upsells, downsells and guiding users to helpful content. Popup Maker is an essential tool for growing my email list and making more money online through my website. Ready to take your website to the next level?

Head on over to wppopupmaker.com/lmscast and save 15% on your order. Discount automatically applies when you visit through that link. Popup Maker also has an awesome free version, so you can just use that as well. Go to wppopupmaker.com/lmscast and save 15% off your order or get started with the free version now.

Get more leads and sales on your website with Popup Maker today. Now back to the episode.

Chris Badgett: So if you’re old school, like we all were one day, you might’ve kept a spreadsheet, or even before that, you would write ’em down on a piece of paper, right? And then as you start getting more passwords, you start creating a spreadsheet, and then ultimately you graduate to using a password manager. And your whole world just gets so much easier, and you’re being a much more secure citizen of the internet by not reusing passwords, by always using strong passwords.

So I highly recommend that you start using a password manager, like 1Password or LastPass, and there’s some other ones out there. The other thing when it comes to security is you should always look at your users on your website. And particularly there’s a filter for who are all the administrator users on my website.

And when you look at that, you can see, okay, there’s me, there’s a freelancer I work with, there’s my business partner and so on. But what happens over time with some people is, particularly if you are hiring out a lot of different people to work on your website, is you start handing out administrator passwords and they just exist on your site.

And maybe it wasn’t even the business owner of who you were working with, it was a team member who worked there, maybe they’re not working there anymore, and so on. So it’s always good to review the administrators on your website. And if there’s anybody on there that you know is probably a great person but doesn’t need to be on there anymore, go ahead and delete them, delete that user off the site.

Pro tip, when you delete a user, you can assign all their content to yourself or somebody else. You definitely want to do that if that person was creating content on your website, and WordPress prompts you with how to do that. Another thing you can do is you can just reduce somebody’s role from being an administrator to being a subscriber.

So if somebody comes back, a freelancer you worked with, and they’re like, “Hey, let’s do another project together,” and it’s been a year since we’ve worked together, you still have them as that lowest permission level as a subscriber, and you can just move ’em back up to administrator. Obviously, the most secure thing you could do is just delete that user and when you work with somebody again, create a new admin user or whatever role user you need for them to work on your website.

Another part of security is having backups. So if something goes wrong, you need to be able to revert your site to basically restore your database and files. Now there are a lot of WordPress plugins that can help with things like backups, but the reality is, particularly in the WordPress learning management system niches, this is like table stakes for good hosting.

So you should always have a good web host that is doing daily backups, even monitoring your site for anything that looks off or things not loading or the site is down. And you should also always have a web host that if there is an issue, even if you’re not a developer, all you have to do is call or send an email.

They can fix your site or restore it for you. So when you’re selecting web hosting, I highly recommend the middle to upper tier, which does mean it’s more expensive. It’s gonna come with more of these security features built in, blocking bad traffic for you so that you don’t have to do it as much on your own website.

And also they have a, quote, disaster recovery plan if something were to go wrong and you needed to restore your site. Another thing that LifterLMS does is it has a setting called copy protection. So if you turn that on, what that does is that allows you to, for your users not to be able to copy and paste stuff off of your website.

So if you have text content inside of a lesson or some members only content, they literally won’t be able to copy and paste. They get a little message if they try to do that. So that’s just another level of security. Now it’s important to note that there’s only so much you can do. If somebody wants to pull out their phone and take a picture of what they see on your website while they’re a paying customer and logged in, there’s nothing you can do to stop that.

So security is a game of just do as much as you can, but people are people and if you have downloadable PDFs and your training, somebody may share that with a friend, and there’s only so much you can do about that. And another pro tip for you, a lot of course creators and membership site owners are using a tool called Vimeo for their videos.

I highly recommend Vimeo. It’s very popular among the course creator and membership site community. But there’s a feature that not everybody knows about, Vimeo Pro, where you can set a website domain where the video is allowed to be playable. If you have a video, you put it inside your lesson and in Vimeo you say, hey, this website is only, or this video is only playable on the website, myacademy.com.

If somebody were to somehow find the link to that video, they’re not gonna be able to play it through Vimeo’s protection of that intellectual property through the domain level protection. So that’s just another layer of security that you can add to your WordPress LMS website. It’s one of the things that makes Vimeo great, and that’s super easy to set up and even set up as a preset.

So whenever you upload a video to Vimeo, it will always have that protection on by default. So it can only be playable on your website. And if it’s only playable on your website and the video’s only published inside of an area like a lesson or a membership protected page, you’ll be protected in that way.

So LifterLMS has long been known as the most secure learning management system for WordPress. 9.0, which just released, has taken that to a whole new level to protect you, to protect your users, to protect your intellectual property, content, and media. So definitely check out LifterLMS 9.0. If you have any questions about that or about security in general, feel free to reach out to the LifterLMS team.

I hope you enjoyed this solo episode on security. I want to see you keep your WordPress LMS website secure, follow best practices. It is okay to be human, like, so let me give an example. If you enforce really strong passwords but your audience is particularly, let’s say, like older generation, maybe not as good with passwords, and they’re having trouble even just creating a strong password or knowing what that is.

’Cause it needs special characters, numbers, capitalization, lowercase, and all this stuff. There are times when it’s okay to reduce your security standards to a medium strength password, just to make sure your users can actually get into your site. But so it, you do wanna accommodate and not make things too hard.

But I always like to err on the side of being as secure as possible to make sure everyone’s protected, you, your users, your website, your content, and so on. Thank you for checking out this episode of LMScast and engaging in this conversation around security. If you have any questions on any of that, just reach out to us and I hope you have a great rest of your day.

Take care.

And that’s a wrap for this episode of LMScast. Did you enjoy that episode? Tell your friends and be sure to subscribe so you don’t miss the next episode. And I’ve got a gift for you over at lifterlms.com/gift. Go to lifterlms.com/gift. Keep learning. Keep taking action, and I’ll see you in the next episode.
