We're back for the last hour of disaster week here on iThemes Training. We're talking all about clients today, and how to package and price and create care plan services for your clients using iThemes Security Pro and our other iThemes products. So great. First, our thanks, everybody, for wonderful questions. We'll have another good time of Q&A as we wrap up today as well. But in this last hour, we're going to be talking about how to actually set up our care plans using iThemes products. So I've been using iThemes Security Pro, BackupBuddy for years, and years and years. And we're going to talk about how to set all those things up to manage your client sites.

And by the way, all of these products are on sale right now. In the sidebar, beside the chat room, you'll see links to purchase those, or you can buy our plugin suite at 40% off that includes all the plugins. And also the WordPress toolkit is the best way to get everything iThemes offers: all the plugins, as well as everything in the Kadence theme as well, that's included in the web design toolkit, and premium iThemes Training membership as well in that toolkit. So good stuff, everything's included. And let's get started, shall we?

So let's talk about how to set up our care plan. So we're into, we've gotten out of packaging and selling. If you have questions lingering about those, I can, I'll catch those at the very end of this hour in our wrap-up Q&A. But in this session, specifically, we're going to be talking about, honestly, it's the settings that I use when I'm setting up client sites. So frequently on webinars, I get asked, "Well, you know, what settings do you use?" And so this is what we're going to talk about today. So, it's all about process. If you're going to be managing websites for clients, it's important to create a process and a checklist, so you know that your work is consistent from site to site.
Because if you're trying to rely on your memory to do everything on every site the same, you're just probably gonna forget something. Like, I forget things all the time. It's pretty sad. It's worse as I'm getting older, and I live and die by checklists. And having a good system where you use the same tools in the same way, and you're using all these, the settings are similar. Having consistency in your recurring revenue is so important, and in your WordPress care plans. So creating this system is absolutely critical.

And again, the practices explained in this webinar are my own. Okay, this is what I do. They are not necessarily endorsed by iThemes. You can certainly ask questions, and if you have specific product-related questions, the support team is great. But I'm just telling you what I do. And what I'm doing here is free as part of this webinar for educational purposes, no guarantees, this is just what I do. And a lot of folks have found it helpful to understand that. Okay.

Alright, let's move on down and talk about the first question here. This always comes up when we start talking about getting a site ready for the client and launching a site: should you give a client administrator access? And there's lots of different opinions on this. Some folks believe that only the developer should have admin access, to prevent a client from breaking the site. Others believe that clients should have administrator access. But, you know, I believe it's just a matter of principle that the client owns the website, and the client should have access to an administrator user. Now that is worded very carefully. Okay. The client should have access to an administrator user. Should the client log in as administrator every time? Probably not. But I've had enough cases of rescue websites where the client comes to us and the developer has vanished into thin air. And only the developer had the keys to the web, to the WordPress install and the hosting platform and all that.
And the poor client is just out blowing in the wind, like they have no access, they can't do anything. And then we have to untangle that mess. So I resolved years ago not to be that kind of developer. And so we give our clients that administrator login. But it's like, you know, break glass in case of emergency. If for some reason we, you know, are destroyed, you know, something happens and we're gone, you have the ability to access your website. So typically, I create an editor user for the client for normal website access and updating of the content. And actually, it's in the contract that if the client uses their administrator login and breaks the site, the work used to restore the site is billable. So to not log in as an administrator just to knock around inside the site.
It's really easy to track client activity using iThemes Security user logging. That gives you a lot of information just bundled right there in iThemes Security. And Michael talked a lot about the logs yesterday for tracking hack attempts. And as soon as I locate my, here it is, the other window here. iThemes Security also has user logging. Let me get my windows positioned correctly. All right. So if we go to all events, and if we go down to user logging, and hit filter, you will see, look, all the things that I've done, like I deleted a bunch of plugins, and so forth, when I logged in, and so forth. So we get good user logging.

Now, if you want even more user logging, there is a fantastic plugin that we talked about in my plugin roundup, I think it was the last time or the time before last. Maybe in January, I forget, it was within the last couple of months. It is called Stream, and it is fantastic. And let me find it. So especially if you have clients that log in and edit the content of your website, this is a fantastic tool if you want to log what they're doing. So what Stream does, notice, this is very similar information to what iThemes Security gave us. But this is why I like Stream: you can set an alert. So for example, somebody asked either yesterday or Tuesday whether, you know, is there a way we could get alerted if a client logs into the website? Yes, right here. So here's an alert that says, when this user, test admin, which would be like the admin address that you give to the client, you can leave this part blank. So if this user logs in, send an email to a recipient. So it can email you if that client logs in as their administrator. Isn't that cool? It can also, this is great, if you're using Slack, it can send a Slack message. Or, this is what's a lot of fun, and we talked about this in our plugin roundup, it can send an IFTTT notification. So if you're using IFTTT, which is If This Then That.
It can do all sorts of things. Like you can attach it to a smart light switch and have it turn on a light for things. Anyhow, this is a great way to know if your clients are doing something on the website. So I just mentioned that briefly, as an aside, and I've skipped down my handout. Let's see here. Sorry, I don't mean to make everybody dizzy by scrolling. That's the Stream plugin. It's really helpful if you have clients who are doing things on the website.

Let's see, Heather's asking how heavy is that plugin. So, right, it is a user log in. So it depends on how much access the site has, right? So for most of my sites, they're very low, either smallish sites. I'm not sure I'd want, you know, 60 days of logs on a very high traffic membership site, people logging in and out and doing those things. Not sure I'd want that. But you can set those logs accordingly.

Okay, let's roll into how do you set up iThemes Security for client sites. So my first recommendation is we need to look at the iThemes Security settings and determine which are the best for your clients in your specific situation. Now, I'm not going to have time to get into all of the granular details of iThemes Security; we have spent way over an hour before doing just that. And there is a great webinar called the iThemes Security 7 premiere event. You can click that link, and it goes through and walks you through the setup wizard for iThemes Security, as well as many of the features. You can also find excellent documentation for iThemes Security in our Help Center. And so those links are provided there for you. So the iThemes Security onboarding wizard is something that's brand new with iThemes Security 7. The point of this, Timothy and Michael did a great job of reaching the goal that we want you to be able to secure your website without having to be a security expert. Right.
And so iThemes Security, in the onboarding wizard, asks a series of questions the first time that plugin is installed and activated on your website, to set the common settings that you would want. Now, if you ever want to rerun the onboarding wizard, there is a magic link right here. Now there's not any place in the UI that's going to give you this link. So this is your special treat for coming to this webinar. It's a secret. It's a secret link. So just replace mydomain.com with your domain name. And all of this, and this tells iThemes Security to run the setup wizard again, if you, for whatever reason, want to rewind, rerun the onboarding wizard.

So I'm going to walk through the settings, and I've got, this is WPNathan.com, the demo site that we use for our webinars here on iThemes Training. And I have iThemes Security set up with the typical settings I use for client sites. And I'm just going to walk through and show them. But I have set this up as an export. So if you want to download the settings as you're going to see them, as I walk through them in just a minute, you can just download and uncompress this file. That's going to give you a JSON file that you can then import into iThemes Security, right here: settings, and go down here to exports, and then import, and you can upload that file right here, and it will drop it in there. Okay, so again, yeah, don't use this link, you need to replace mydomain.com with whatever your domain name is.

Right, Dave. We are using the Pro version of iThemes Security here for this. And I don't know, Kristin, maybe you can tell, if there's anybody from iThemes Security: is the import/export part of the free plugin or not? I don't know the answer to that question. So if one of y'all could answer in the chat, that would be great. Only in Pro. Okay, so import/export is a Pro feature. Okay.

So let's just walk through the settings, and I'll show you what I do. Again, these are the settings that I use, may or may not be endorsed by iThemes, this is just what I do. Okay. So let's go back to our bit. So first of all, the dashboard. There is a basic iThemes Security dashboard that I've set up with what I think are the most popular areas that clients might want to see if they're going to look at this. And so this is just a basic dashboard with those important things. You can edit that, change it around. Again, not trying to explain the dashboard here. But there is a basic dashboard that I've called default, which I know is a highly creative name.
And it is accessible to editors and administrators of the site. So I give clients an editor user, so they would be able to see this dashboard if they wanted to. So that is that. By the way, this dashboard is part of that export file.

So let's go on down in here to settings, and I'll just basically walk you through how I have this set up. Now I didn't turn on two-factor, because you don't want to export those settings. That's something you're going to want to set up on the site after you import things, so you can decide how you want to use two-factor. I, like many of you, struggle getting clients to use two-factor authentication. It is complicated, and I understand that, and I wish we could all wave the magic wand and have people use two-factor, but it just doesn't happen that way. Passwordless login, again, I've left all of these off for now. These are going to apply to your situation. Passwordless login is super helpful, especially for membership sites and so forth. People can log in by just clicking a link in an email that is sent to them. And then trusted devices I have off as well. It does work really well, though.

So in the lockout section, all the banned users is turned on, and all of the options are checked here. Local brute force, these are all the default settings, or you can grab those from the import. Now one thing I will say about this API key: I learned something recently that I didn't know before, even having been an iThemes Security user for many years. And by the way, any of you folks that are going to try to hack my API key, I'm going to reset this after the webinar is over. Because I know you people. You can actually use the same API key on multiple sites. So you can, you know, if you have an API key set up, you don't have to put your email address in every time, is what I'm trying to say. You can use the same API key from site to site, it's going to work fine. And then you've got your reCAPTCHA as well.
I use reCAPTCHA v3, and I use it on all the places and include the script on all pages, unless there's some reason you don't want to do that. It makes it a lot more effective. Alright, so the site check.
Here, this is the spot where you can exclude files. And these windows are normally side by side, but I'm zoomed in, so they're stacking. In my default settings, I have excluded the directory where BackupBuddy backups live. A lot of times you'll get file change warnings when BackupBuddy is running, because it's adding files to the WordPress install. So I will typically exclude the file folder area of BackupBuddy from the iThemes Security file change warnings. So that's the only change there.

And then version management. This is my favorite feature of iThemes Security. I don't use it. Actually, I have, for WP Nathan, iThemes Security is updating all the themes and plugins automatically. But in the export this is actually turned off. But here's that beautiful setting. My favorite single setting in iThemes Security is this "auto update if fixes vulnerability." So as we scan for vulnerabilities, if that patch exists when the site scanner finds a vulnerability, we'll automatically apply it. I love that setting. It's a wonderful thing.

Alright, so let's look at lockouts. Let's see, we did site check and utility. So that's all set up. We've gone through all of this. In the user groups, I have a couple of groups set up: administrators, editors and everybody else. So typically, you know, many of the sites we use are brochure sites. If we have a site where there's going to be customers or members logging in, we'll just add a new user group, but basically it's set up for administrators and editors. And for administrators, who are more secure, we're requiring strong passwords and refuse compromised passwords. This is the Have I Been Pwned feature that we've talked about before. And then we track their activity. For editors, similar settings. For everybody else, we're only using the refuse compromised passwords. Let's see here. Here under configure, we've gone through these already.
And under advanced, so all the boxes are typically tweaked under System tweaks, those are all checked. Under WordPress tweaks, we disable XML-RPC, we restrict the REST API, and we disable the user archives. I've had problems with clients in this setting, so I typically leave this off. That's just me. I mean, there's value to the setting. But sometimes, like if the client doesn't fill in a nickname in their profile, it will not let you save the profile, so I found that problematic with clients. So I just leave that one off. So those are the settings I use there.

And somebody had a question yesterday or Tuesday about the hide the back end, like rename WP admin to something else. You can do that here. But it's really not an effective method of security for WordPress. It used to be, people used to do that, security by obscurity. These days, it's 2022, the URL doesn't matter. It's better to protect your admin login with other things. Okay, that's basically all the settings there. They're in the JSON file when you download that.

Let me pause for a minute. Any specific questions about any of that stuff I was just blowing through right there? Notifications. Thank you, Sue. You know, I went straight down this list and left off notifications. Okay. So thank you. Let's talk about that.