Don’t Default to Stupid: Site Security Management
Some website builders (WordPress included) do a bad thing. They default to stupid.
When you set up your website and the system creates the first user – you – WordPress in all its brilliance gives you the default username Admin. And if you’re a new user and you don’t know any better, hey, why not? Works for me… stick in a password, and on to building your empire, right? Not so fast there, my young Padawan. Remember that cool little statistic about WordPress powering 20% of the web? Do the math there, skipper: if a lot of folks shrug their shoulders and move on to the next box, accepting “Admin” as their username, a lot of hackers just got half their job done for them, because the username is half of the credentials they have to guess. Hackers count on us being lazy or stupid. Let’s not help them out.
So… about that username. No Admin. In fact, there’s a whole bunch of stuff you cannot safely use for your username:
• Do not use any permutation of your name, whatsoever.
• Do not use any variation of your website name.
• Don’t use anything that hints at what your website is about – no “jewelryMakers6”.
• No personal details in your username.
Yes, I know that takes all the fun out of it and makes it really hard. That’s the idea. If it’s hard for you imagine how hard it is for the bad guys.
Make your username as nonsensical as you possibly can, and for good measure mix up the upper and lower case, all hodgepodge. If your platform allows it, use special characters (#$%^&*); WordPress doesn’t let you do this in usernames right now, alas, but if you can, do. It makes the name harder to guess. For example, a great username is something like bAdgUysn0tGeTTininOnMYwaTch9z. That is ever so much stronger than “Mary42”. Remember: you can change what displays in your user profile. Your username might be “SonOfDracula”, but you can make it display as “Bob”.
Now then… Passwords. Please don’t do what a dear friend recently did, and not only go with “Admin” for his username, but make his password “password”. It’s a miracle his site wasn’t flying the Al Qaeda flag by the time I got to him. Your password should be AT LEAST 16 characters, and include uppercase, lowercase, numbers AND those weird characters (!@#$%^&*()). Please, make that puppy a humdinger. If your username is the fence around your property, your password is the security system and the big loud dog. Make it count. If you go all deer-in-the-headlights when you have to come up with one, here’s a great free online tool I love for generating them: http://passwordsgenerator.net/
Developers and other users
What if you occasionally give access to other people, like theme or plugin developers, site designers, or people that are helping you? DO NOT give them YOUR login credentials. Ever. If you have someone who regularly needs to log in on an ongoing basis, give them their own login, and make sure it is as secure as your own, following the rules above. If you have to give out access once in a while to a variety of people (theme devs, etc.), create a “guest developer” login – but every time you give it out, change the password when that session/task is completed. Most theme and plugin folks are fine, but you just don’t need those passwords hanging around out there. Change it. If they’re on the up and up, they’re not keeping it anyway.
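The username rules, the 16-character mixed-class password rule, and the “fresh password every time the guest-developer login goes out” advice above can all be turned into a small script. The following Python is an added example, not code from this post or from WordPress: it checks a proposed username against the banned patterns, checks a password against the password rules, and generates passwords from the operating system’s CSPRNG via the `secrets` module. The banned-name list, the 8-character minimum for usernames, the tiny common-password list and the sample site/person names are my own assumptions, not WordPress settings.

```python
from __future__ import annotations

import re
import secrets
import string

# Policy values used by this example (assumptions, not WordPress settings).
MIN_PASSWORD_LENGTH = 16
MIN_USERNAME_LENGTH = 8
SPECIALS = "!@#$%^&*()"
BANNED_USERNAMES = {"admin", "administrator", "root", "user", "test"}
COMMON_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein"}  # tiny constructed list


def _normalize(s: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Jewelry-Makers' and 'jewelrymakers' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def username_problems(username: str, site_name: str, personal_names: list[str]) -> list[str]:
    """Return the rules a proposed username breaks (an empty list means it passes).

    Covers the post's rules: no default name such as 'admin', no permutation of your own
    name, no variation of the site name, plus a minimum length and mixed case. Whether the
    name 'hints at what the site is about' needs a human eye; it is not checked here.
    """
    problems = []
    norm = _normalize(username)
    if norm in BANNED_USERNAMES:
        problems.append("default/generic name such as 'admin'")
    for name in personal_names:
        n = _normalize(name)
        if len(n) >= 3 and n in norm:
            problems.append(f"contains personal name '{name}'")
    site = _normalize(site_name)
    if site and (site in norm or (len(norm) >= 3 and norm in site)):
        problems.append("derived from the site name")
    if len(norm) < MIN_USERNAME_LENGTH:
        problems.append(f"shorter than {MIN_USERNAME_LENGTH} characters")
    if username == username.lower() or username == username.upper():
        problems.append("not mixed case")
    return problems


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the rules a password breaks: 16+ characters, all four character classes,
    not a common password, and not containing the username."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("a commonly used password")
    user_norm = _normalize(username)
    if len(user_norm) >= 3 and user_norm in _normalize(password):
        problems.append("contains the username")
    return problems


def generate_password(length: int = 24) -> str:
    """Draw a password from the OS CSPRNG via `secrets` and keep drawing until it satisfies
    password_problems(). Use this for the guest-developer login too: generate a fresh one
    every time that login is handed out and the task is finished."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError(f"length must be at least {MIN_PASSWORD_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    site, names = "Jewelry Makers", ["Mary", "Smith"]  # constructed sample values
    for u in ("Admin", "Mary42", "jewelryMakers6", "bAdgUysn0tGeTTininOnMYwaTch9z"):
        print(f"{u!r}: {username_problems(u, site, names) or 'OK'}")
    print("'password':", password_problems("password", "Admin"))
    print("generated:", generate_password())
```

Running the script prints the rule violations for the four sample usernames (only the long nonsense one passes), the five rules that “password” breaks, and a freshly generated 24-character password. The generator rejects-and-retries rather than forcing one character of each class into fixed positions, so every accepted password is a uniform draw from the set that meets the policy.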
Brute Force Attacks
Why now on this topic? Because we just lived through yet another “brute force” attack on one of our sites, the third one this year. A brute force attack is when attackers, often using hundreds or even thousands of machines, hammer your login page with automated login attempts, guessing username and password combinations until they find “the keys”. Our Wordfence plugin caught everything and shut down the IP addresses quickly, but we could see not only where they were coming from (mostly Russia), but also what usernames they were attempting to get in with – mostly “admin”, as well as permutations of the site name itself. One of the biggest fears I hear about using WordPress as opposed to expensive managed platforms is the security issue. Here’s a great example of how simply taking the right precautions can keep your door shut tight. No one was able to breach our username/password combos, our security software shut down the IP addresses involved very quickly and let us see what was happening – and notified me by email as well at each instance. Done and done. And for a whole lot less than a managed solution charges.
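The attack pattern described above can be spotted in a plain web-server access log even before a plugin is involved. The following Python is an added example, not Wordfence’s code or the post’s own: it parses constructed Apache/nginx combined-format lines, counts failed POSTs to wp-login.php per source address inside a sliding time window (WordPress answers a failed login with HTTP 200, re-rendering the form, and a successful one with a 302 redirect), and emits nginx `deny` directives for the offenders. The sample addresses and timestamps are made up, and the threshold and window are assumptions to tune per site. The access log does not contain the attempted usernames, because those travel in the POST body; that is the part you need a plugin such as Wordfence to show you.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (addresses from the
# documentation ranges, timestamps invented, lines in time order as a real log is).
# A failed POST to wp-login.php gets HTTP 200; a successful one gets a 302 redirect.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Mar/2015:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Mar/2015:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Mar/2015:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text: str):
    """Yield (timestamp, ip) for every failed login attempt found in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash on them
        is_login_post = m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php"
        if is_login_post and m["status"] == "200":
            yield datetime.strptime(m["ts"], TS_FORMAT), m["ip"]


def find_brute_force(log_text: str, threshold: int = 5,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: total_failed_attempts} for every source that reaches `threshold`
    failed attempts inside any `window`-long span (threshold and window are assumptions
    to tune per site). A sliding deque per IP keeps memory proportional to the window."""
    recent = defaultdict(deque)
    totals = defaultdict(int)
    flagged = set()
    for ts, ip in failed_logins(log_text):
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}


def nginx_deny_rules(flagged: dict) -> list:
    """Turn flagged sources into nginx `deny` directives: a manual version of the
    automatic IP blocking the post credits to Wordfence."""
    return [f"deny {ip};" for ip in flagged]


if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed login attempts")
    print("\n".join(nginx_deny_rules(hits)))
```

With the defaults, only 203.0.113.7 (six failures in six seconds) is flagged; 203.0.113.8 stops at three and 192.0.2.55 is a legitimate user who mistyped once and then got in. Lowering the threshold to 3 also catches 203.0.113.8, which is the trade-off you are making when you tune these numbers: fewer attempts tolerated means faster blocking but more risk of locking out a clumsy real user.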
I highly recommend Wordfence (note that some managed WordPress hosting solutions don’t allow Wordfence, because they have their own software that does the same thing). The basic version of Wordfence is free, but there is a premium version that has extra bells and whistles including country blocking, which I love!
Keeping it all straight…
I know, I know… How do you keep 16+ character nonsense passwords straight? You can’t. And putting them in a spreadsheet or an email is neither safe nor secure, and it’s a major PITA. It’s also not mobile friendly. The solution I love is LastPass. LastPass installs onto your menubar, and seamlessly and silently tracks and stores your passwords, while you only need one master password to access it. When you need to sign into a site, click the little LastPass icon in the login panel, and BAM! You have your credentials. It’s brilliant. It’s also free (there is a $12/year upgrade that gives you premium access to two-factor authentication, customized permissions and more – HIGHLY recommended!!). You can also store secure notes and all sorts of other delicate things in LP. It works like a charm, and is finger-sensor friendly for Apple device users (cannot tell you how much I love and use this feature). The affiliate link here includes a free month of the Premium version if you want to give it a try!
Okay, let’s sum up:
Your first line of defense for your site is your USERNAME. Make it a good one.
The inner perimeter defense is your PASSWORD. Make this puppy so tough that the CIA will have trouble cracking it.
Security software. I like Wordfence. iThemes Security also comes highly recommended. Use something… if you don’t lock the door…. Whatever you use, set it up to email you when there is questionable activity.
PASSWORD MANAGEMENT. This is so important, because if you have a good management program you’ll be more likely to use strong, secure passwords. Get one, use it religiously.
Security is not rocket science, but you do need to spend a little time on setting it up. Go now. Build your moat. Build it deep and wide….