How to secure your LearnDash platform in just 10 minutes

Written by Andy Jack

24 January 2022

Want to learn how to strengthen the security of your LearnDash LMS in less time than it takes to eat lunch? We’ve pulled together a handy walkthrough guide on how to install and set up Defender on your WordPress site.

Transcript:

Hi, it’s Mark from Training Spark here. And in this video, we’re going to look at how we can help secure your LearnDash platform in just 10 minutes.

So for this you’ll need an admin level account, like the one I’m using at the moment. And as an admin on the left hand side in the navigation, you’ll see the option for plugins, and this is where we’ll get started here. So if you choose plugins and then at the top of the page, choose add, we can now install a security plugin onto our WordPress site on the right hand side.

What we’re going to do is search for Defender. And this is a really popular WordPress plugin, which is really easy to use. We found it works really well with LearnDash with no conflicts or anything like that in the past that we’ve seen.

So you’ll see it here. Defender security, malware scanner and it’s by someone called WPMUdev. We’re going to click install now, and once it’s installed, we can choose to activate it, nice and quickly. We’ve now got that plugin installed on our website on the left hand side. Now we’ll scroll to the bottom and because this is now installed and activated, we have this option called Defender, and this is where we will set up the plugin to help secure our platform here.

So I’m going to choose Defender here. And one of the great things about the Defender plugin is that it’s really easy to set up. All we need to do is click on this activate and configure button here, and it will automatically apply a series of security recommendations to our website and just watch how quick this runs. I click activate and configure, it scans the site, applies some recommendations, and then we’re preconfigured and ready to go.

So I’ll just click finish here and can see that a number of security recommendations have been applied here. It says nine out of 12, and it’s actually running a malware scan on our platform as we speak. If I scroll down, I can see that there are also a number of additional recommendations that it says we could use to enhance and further harden the platform. If I click on view all here, we can see that it’s recommending that we disable the file editor to prevent information disclosure and prevent PHP execution. Let’s take its word for it and take all of these and then click action all and then click apply. And it’s just now applying those security tweaks to the site, and we can see that those have now been actioned. So if we go back to the Defender dashboard here, we can see that it is now helping to protect the website.

It says that there’s some file changes detected from WordPress. Sometimes these are false positives that the malware scan on here has found. And you don’t always need to worry about these, but it does these checks to make sure that all of the core on your system exactly matches what is in the WordPress repositories and that no code has been modified or any code has been injected into anything that might give hackers any access to your site.

So one of the great things that it does here is add a firewall to your site. And what you’ll find is that WordPress platforms and every website really out there will be constantly getting attacked by bots that are trying to break into website login forms. And they do this by just constantly guessing credentials so that, you know, they’ll guess with user names like admin and just very commonly used passwords constantly.

So, you know, tens of times a second on some sites, and this can ultimately lead to your site being hacked, if you have weak passwords and things on there, but it’s also quite bad for your server performance, if it’s certainly getting hit by these very frequent login attempts. So what Defender does is add some login protection here, and this protects from these things like these brute force login attacks.

What it’s saying here is that if someone fails to log in five times within 300 seconds, which is five minutes, it will ban them for five minutes and you can increase this. So if you wanted to say, you know, maybe give them 10 times to fail login, you want to block them for a whole day, maybe 24 hours there, these settings are all configurable. And what this does is just give you an extra layer of protection on your site that just, you know, prevents it from being constantly, you know, bots constantly trying to log in.

Once we’ve done that we can click save changes. And there are other things that you can do here, like 404 detection, which means that when bots are just trying to find vulnerabilities on your site by repeatedly searching for, you know, pages that don’t exist, you know, potential plugins that are vulnerable, it will block those as well. And likewise with the login protection, we can, the number of times they can hit them far, far before they get blocked. So these are automatically, and now we’ve got this set up, protecting the website and it’s already a lot more secure. And what I would say is that WordPress is a very secure platform out the box, but it doesn’t have anything like this that’s constantly blocking your bots and things like that from trying to attack it.

There’s one more feature we wanted to show you in the plugin that will really help to strengthen your platform. And that is something called two-factor authentication. And it’s in here under 2FA, and this is something you may have seen in the past where you enter a username and a password for a platform. And then you’re subsequently asked to enter a code. And that’s what this is. And the Defender plugin allows you to enable this on your WordPress LearnDash platform. And it immediately helps to secure it by ensuring that if anyone was to access your username and password, they still couldn’t get access because they would have to go through this two-factor authentication step to get into your site. So what we can do is activate this, using this button here, and we can choose which roles to enable it for.

And within LearnDash, you’ll have a number of roles such as group leader and administrator. You can pick and choose which ones you want to enable it for. What we would say is that you possibly don’t need to enable it for learners because then you might end up with people contacting you, because they can’t log in or they forgot the code and things like that. But certainly for people like admins who can make changes to site settings and content, we would recommend enabling that. So we choose to enable it here and then scroll down and click save changes. And then once that’s done what we can do is enable it for our own account here. So to do this in the top right hand side, we hover over our name here and then choose edit profile and then scroll right down.

And eventually we should find a section called security 2 factor authentication and any admin on this site will now see this and what they can do is enable the two-factor authentication for their account. And firstly, they need to install an app on their phone and these are available through the App Store and Google Play. And they can choose either Google Authenticator, Microsoft Authenticator, or Authy, and these are all free and really quick to set up. I’m going to choose Google Authenticator here. And what we do is install it on our phone and then open it. And then in the bottom right hand corner, we click on that plus sign here and we choose scan QR code. We can now scan the code that we see on the screen. And what we’ve now got is a code here that’s shown next to demo learning platform. And if we scroll down, we need to enter that code here. So 7 5, 7, 4 8, verify. And now two factor authentication is enabled on my account. So if I were to log out and then log in again, the next page will come up with something like this and then ask me to enter a code. At this point, what I would do is open the authenticator app, find the code, which will change every few seconds, and enter it here. And now I’m into the site and I can progress as I would normally. So it’s just the extra step that makes your account a whole lot more secure. And this is all enabled by the Defender plugin. So we hope this helps. And we appreciate we’ve got through quite a bit in a short time there, but just doing something like this really simply will help to make your LearnDash platform a whole lot more secure.
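The two lockout settings mentioned in the transcript (five failed logins within 300 seconds with a five-minute ban, and ten failures with a 24-hour ban) are compared below in an added Python example; it is not part of the video and not the Defender plugin's code. The sliding-window behaviour, the function names and the sample login events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def simulate_lockout(events, max_failures=5, window_s=300, ban_s=300):
    """Replay (timestamp, ip, success) login events under a lockout policy.

    Assumed model (not Defender's implementation): max_failures failed logins
    from one IP inside a sliding window of window_s seconds trigger a ban of
    ban_s seconds, and every attempt made during the ban is rejected.
    Returns (blocked attempts per IP, list of (ip, ban_start, ban_end)).
    """
    failures = defaultdict(deque)    # ip -> timestamps of recent failures
    banned_until = {}                # ip -> time at which the ban expires
    blocked = defaultdict(int)
    bans = []
    for ts, ip, success in sorted(events):
        if banned_until.get(ip, 0) > ts:
            blocked[ip] += 1         # rejected before any password check
            continue
        if success:
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent[0] <= ts - window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= max_failures:
            banned_until[ip] = ts + ban_s
            bans.append((ip, ts, ts + ban_s))
            recent.clear()
    return dict(blocked), bans

def sample_events():
    """Constructed data: a bot guessing every 2 s for 20 minutes, plus a
    learner who mistypes a password twice before logging in."""
    bot = [(t, "203.0.113.7", False) for t in range(0, 1200, 2)]
    learner = [(100, "198.51.100.20", False), (130, "198.51.100.20", False),
               (160, "198.51.100.20", True)]
    return bot + learner

if __name__ == "__main__":
    for label, policy in [("5 fails / 300 s window / 5 min ban", (5, 300, 300)),
                          ("10 fails / 300 s window / 24 h ban", (10, 300, 86400))]:
        blocked, bans = simulate_lockout(sample_events(), *policy)
        print(label, "->", len(bans), "ban(s), blocked attempts:", blocked)
```

On this constructed traffic the five-minute ban is triggered four times and lets 20 of the bot's 600 guesses reach the password check, while the 24-hour ban is triggered once and lets 10 through. The learner is never locked out under either setting.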
