I’m the tech person around here, so I’ve decided to offer a few basic security tips about protecting accounts. I’ll also touch on security for self-hosted WordPress sites, since many authors and readers have those. And yeah, I couldn’t really come up with a topic for this week. 😉
This won’t be an exhaustive list of tips. You can do more than what I’ll touch on here. When it comes to security, I don’t want to give too much away, because anything I share might clue in someone who wants to hack into an account or site.
Use Strong Passwords
Always use strong passwords. I use Norton’s password generator whenever I need a new password. I usually set the length to at least 14 (often longer), and I always check the “Include Punctuation” box. Now, the password you’ll get will be ugly. Real ugly. Unless you’re some type of savant, it’ll take a while to memorize it. You certainly won’t be able to remember 20 of them (see a later tip). That’s why you’ll probably want to use a password manager.
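To show what a generator like the one described above actually does, here is an added Python example (not code from the original post, and not Norton’s generator). It draws characters from the operating system’s cryptographic random source, always includes punctuation, enforces the 14-character minimum the post recommends, and estimates how many bits of guessing work a password of a given length represents. The policy check `is_strong` and the entropy bound are my own additions.

```python
import math
import secrets
import string

# Character classes the generator draws from. Punctuation is always included,
# matching the "Include Punctuation" option described in the post.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + PUNCT   # 94 printable characters

MIN_LENGTH = 14   # the post's recommended minimum (assumed policy value)


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters from the OS CSPRNG.

    One character from each class is guaranteed so the result always contains
    lower, upper, digit and punctuation; the remainder is uniform over ALPHABET
    and the list is shuffled so the guaranteed characters are not at fixed positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    rng = secrets.SystemRandom()
    chars = [
        secrets.choice(LOWER),
        secrets.choice(UPPER),
        secrets.choice(DIGITS),
        secrets.choice(PUNCT),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def is_strong(password: str) -> bool:
    """Policy check: at least MIN_LENGTH characters and all four classes present."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in PUNCT for c in password)
    )


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This is the guessing work for a truly random password; a human-chosen
    password of the same length is far weaker, which is why we generate them.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "strong:", is_strong(pw), "bits:", round(entropy_bits(len(pw)), 1))
```

A 14-character password over this 94-character alphabet is about 92 bits; the 20-character default is about 131. The function refuses lengths below the minimum rather than silently producing a short password, so a caller cannot weaken the policy by accident.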
Two popular ones are Roboform and Lastpass. How do they work? You’ll download an addon for your browser. Every time you complete a login form and press the login button, the manager will ask you if you want to save the userid and password. You’ll usually want to say yes. Next time you go to the same website and login form, the addon will fill in the userid and password for you.
You only ever have to remember one userid and password combination: the one for the password manager. Even if someone were to hack into your password manager account, it wouldn’t matter: all your information is stored encrypted, and the encryption key lives on your device, not in your account.
If you’re using a password manager and you’re creating an account, you only have to type in the ugly password Norton generates for you once (or never, if you copy and paste it). The password manager will fill it in for you from that point forward.
Whenever I’m signing up for something, I bring up the password generator in another tab, generate the password, copy it into the password field, and then say “yes, save it,” when the password manager asks me.
Don’t Use the Same Userid and Password Combination
It’s tempting to use the same userid and password at multiple sites. Don’t do that. If a hacker gets your login credentials for one site, s/he now has them for all the sites that use the same userid/password. If you use a password manager, there’s no reason to reuse values.
Be Careful with Email Links
If you receive an email and all it contains is a link, don’t click on the link. If you receive an email that says something generic like, “Hey, check out this cool site!” and a link, don’t click on the link. It doesn’t matter if you received it from someone you know. When a hacking bot hacks into an email account, it sends emails to everyone on the account’s contact list. So yeah, the email comes from your friend’s account, but they didn’t send it. If it turns out they did and they were too lazy to write more, better safe than sorry. The world won’t come to an end because you didn’t click on a link they sent you.
Contact lists often include email addresses for Yahoo groups and the like. We’ve all seen emails posted to groups that just have links. When you see this happen, don’t reply to the group and say, “I think Jane Doe’s been hacked!” All that does is perpetuate the hack. It posts the link again. Someone skimming could click the link the second time around. Instead, quietly inform the moderator or list owner.
Tips for Self-Hosted WordPress Sites
Keep WordPress up to date
Keep your WordPress installation up to date. Each version plugs security holes in the previous version. The older the version you’re running, the more vulnerable you are to being hacked, which is why the latest versions of WordPress include an auto-update feature.
Don’t Use “admin” for the Username
It used to be that when you installed WordPress, it created an account with “admin” as the username. Because of that, when hackers are trying to brute force their way into your site, they’ll usually start with “admin.” Fortunately, WordPress caught on, and now it asks you to fill in a username for the initial administrator account. But if you installed WordPress a while ago and your administrator account has the username “admin,” consider deleting the account. Here’s a great tutorial about how to do it.
Prevent repeated login attempts
Hackers try to brute force their way into your account by having a bot try tons of username/password combinations. Now, if you’ve used a strong password (and you have, right?), then you’re in better shape than if you hadn’t, but you’re still vulnerable.
The best way to thwart this type of attack is to lock out an IP address after a certain number of failed login attempts. One of the best plugins for this is Limit Login Attempts. Some hosts now include the installation of this plugin in their 1-click WordPress install scripts. It hasn’t been updated for 2 years, but it’s still one of the best plugins for this and it’s safe to install it. It has settings you can configure.
I always have the plugin send me an email when the same IP address has been locked out twice. Whenever I receive an email from the plugin, I usually check the server logs. There are ways you can tell whether a hacker is serious or just playing around. If they’re serious, you can ban the IP. If they’re super serious, meaning they’re using an IP farm to try to hack you, there are ways I won’t go into here to keep them out. But first you have to know that someone is making a run at your site, and this plugin will tell you. Since hackers are looking for easy prey, 99% of them will move on when they see that you have a lockout mechanism in place.
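The lockout-and-notify behaviour described in the last few paragraphs, as an added Python example that is not the Limit Login Attempts plugin and not code from the original post. It counts failed logins per IP address inside a time window, refuses further attempts (even with the right password) once the limit is hit, and raises a notification the second time the same IP is locked out, which is the condition I have the plugin email me on. The threshold, window and lockout length are values I picked for the example; the plugin’s own defaults are set in its settings page. The attempt sequence at the bottom is constructed test data using documentation IP ranges.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Policy values chosen for this example (not the plugin's real defaults).
MAX_FAILURES = 4            # failed attempts before an IP is locked out
FAILURE_WINDOW = 600        # seconds within which failures are counted
LOCKOUT_SECONDS = 1200      # how long a locked-out IP is refused
NOTIFY_AFTER_LOCKOUTS = 2   # alert the admin when the same IP is locked out this often


@dataclass
class IpState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0


class LoginLimiter:
    def __init__(self, notify: Optional[Callable[[str, int], None]] = None):
        self.state = defaultdict(IpState)
        self.notifications: List[str] = []
        # In a real deployment `notify` would send the admin email; by default
        # we just record the message so it can be inspected.
        self.notify = notify or (lambda ip, n: self.notifications.append(
            f"{ip} locked out {n} times"))

    def is_locked(self, ip: str, now: float) -> bool:
        return now < self.state[ip].locked_until

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'allowed' or 'failed'.

        A locked-out IP is refused before the password is even checked, so a
        correct guess during the lockout does not get in.
        """
        st = self.state[ip]
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures.clear()
            return "allowed"
        # Drop failures that fell out of the window, then record this one.
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.lockouts += 1
            st.failures.clear()
            if st.lockouts == NOTIFY_AFTER_LOCKOUTS:
                self.notify(ip, st.lockouts)
            return "locked"
        return "failed"


# Constructed sequence of (ip, password_correct, seconds since start).
# 203.0.113.7 is a bot guessing passwords; 198.51.100.2 is a real user who typos once.
ATTEMPTS: List[Tuple[str, bool, float]] = [
    ("203.0.113.7", False, 0),
    ("203.0.113.7", False, 5),
    ("203.0.113.7", False, 10),
    ("203.0.113.7", False, 15),     # 4th failure: first lockout
    ("203.0.113.7", True, 20),      # right password, but still locked out
    ("198.51.100.2", False, 30),    # one typo from a legitimate user
    ("198.51.100.2", True, 40),     # legitimate login goes through
    ("203.0.113.7", False, 1300),   # lockout expired at 1215; bot is back
    ("203.0.113.7", False, 1305),
    ("203.0.113.7", False, 1310),
    ("203.0.113.7", False, 1315),   # second lockout: admin gets notified
]


def simulate(attempts=ATTEMPTS) -> Tuple[List[str], List[str]]:
    """Run the attempts through a fresh limiter; return (outcomes, notifications)."""
    limiter = LoginLimiter()
    outcomes = [limiter.attempt(ip, ok, t) for ip, ok, t in attempts]
    return outcomes, limiter.notifications


if __name__ == "__main__":
    outcomes, notes = simulate()
    for (ip, ok, t), result in zip(ATTEMPTS, outcomes):
        print(f"t={t:>5} {ip:<13} ok={ok!s:<5} -> {result}")
    print("notifications:", notes)
```

The point of the second-lockout alert is the one made above: a single lockout is noise, but the same address coming back after the lockout expires is the signal that someone is making a run at the site and the server logs are worth a look.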
I have the Limit Login Attempts plugin installed on all my sites, but I don’t need it on all of them. I have another layer of security that prevents people from reaching my WordPress login pages in the first place. I won’t go into how to do that here, but if you’re interested in how to do it, you can contact me and ask. It’s not suitable for all situations (which is why I haven’t added that additional layer of security to this site).
Turn off the Feature to Post via Email
WordPress allows you to post by email. Unfortunately, that’s another way a hacker can try to get into your site. The Limit Login Attempts plugin also covers this route and will lock out brute force attackers. But if you don’t use the feature, turn it off. If you’re running WordPress 3.5 or greater, you’ll have to use a plugin to do this, since WordPress removed the setting from the dashboard. You can grab the plugin here. If you’re not running WordPress 3.5 or greater, upgrade WordPress already.
Plugins and Themes
Every plugin and theme you install is another potential doorway into your site. If you’re not using a plugin or theme, delete it. If you think you might use it in the future, you can always install it again. At the very least, keep it updated, even though it’s not active.
When looking for new plugins to install, don’t use plugins that haven’t been updated for a while unless you know they’re still secure and work (like Limit Login Attempts). Be careful when installing free plugins. Anyone can code a little PHP and throw something up. It’s EASY to introduce a security hole. Keep in mind that the fewer plugins you have installed, the better (for site performance, too!). You don’t need every bell and whistle.
There are other things you can do, like installing one of the many WordPress security plugins and using two-step authentication on your accounts. I just wanted to touch on a few items that will go a long way to protecting your accounts and self-hosted WordPress sites.