Tag: security

Why We Use Wordfence (Reason #256)

OK, maybe there aren’t that many reasons, but there is one that counts, and that is: Wordfence is the best security plugin for WordPress out there, period. Here’s an excellent article on one of the ways Wordfence keeps our sites secure, titled “Remote Scanning vs Source Code Scanning”. Without getting too technical, source code scans cover everything that makes your site what it is, including images, while remote scans can only cover, by their nature, the end result your source code produces. Here’s a great metaphor (and you know how we love metaphors) taken directly from the article:

“Imagine you ask someone to check your home for a rat infestation. They arrive at your house, but they don’t get out of their car. They’re parked on the other side of the street and they’re examining your front door, front garden, porch, the walls on the front of your home, parts of the basement windows that they can see. Once they don’t find anything they honk the horn, shout out the car window “Yo, your home is clean” and drive off. Doesn’t sound very effective does it?”

No, it does not! So, if you want to keep your WordPress site “rat-free”, you need Wordfence.  If you need help installing or using it, be sure to call us!

Online Safety Tips for Your Family

The latest issue of “In The Loop”, from Sanford, Lea & Associates, has a terrific article on tips for keeping your family safe online. Everyone is a computer user these days, from your child playing online games to grandma learning to use Facebook. There are security and privacy concerns with any type of online activity, so be sure to read up and familiarize yourself with what you can do to be more secure. (And if you need accounting services, you can’t go wrong with Sanford, Lea & Associates!)

Read the entire article here.

eBay Hacked, So Time To Change Passwords… Again!

Yesterday, eBay reported that hackers had access to a stored password database sometime between February and March of this year. The company says no financial data was revealed — but it’s urging its users to update the passwords on their accounts anyway. (And if you use the same password for other sites, change them as well!)

Unfortunately, the hacked database DID include, in unencrypted format, eBay customers’ names, email addresses, physical addresses, phone numbers and dates of birth. Which means even if your eBay password is never cracked, hackers still have all the information needed to attempt identity theft.

Although the company did not release the number of people affected, if you do belong to eBay, expect to receive fake deals and offers. Be very aware of getting duped into revealing even more sensitive information, like your bank details or Social Security number. And, as always, keep an eye on banking and credit card transactions for anything that looks suspicious.

You can read the official post from eBay here: http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

HeartBleed Vulnerability No Laughing Matter

By now you have probably heard about the HeartBleed security vulnerability — news about this bug has been so widespread in the last few days that it even made the Tonight Show monologue.  But HeartBleed is no joke — it is potentially the most serious issue to ever have affected the Internet.

A quick technical explanation of HeartBleed: this bug allows remote attackers to read 64k of memory from systems running affected versions of OpenSSL. That means an attacker can potentially pluck out usernames, passwords, the private keys used for SSL/TLS encryption (which would let them decrypt “secure” communications), and other sensitive information held in that memory.

One important thing to know about HeartBleed is that it does NOT affect every website where you may have stored a password. It DOES, however, have a good chance of affecting all the most important, sensitive websites, such as your bank, your credit cards, anywhere it is necessary for secure communications on the Web.

What should you do, then?  IMMEDIATELY log in to all of your critical websites (PayPal, bank, credit cards, loans, etc.) and change your passwords.  You can do this for all stored-password sites if you want, but for those less critical, it may be wise to wait around a week, to be sure the vulnerability has been addressed.  After a week, though, you should log in to all of your sites, including the critical ones, and change your passwords AGAIN.

A brief note on passwords: NEVER use the same password across multiple sites, especially critical ones.  Passwords should NEVER be words that can be found in the dictionary, proper names, easily identifiable dates (such as birth dates, anniversaries, phone numbers, etc.).  Passwords SHOULD be at least 13 characters in length, and consist of some combination of numbers, letters (lower- and upper-case), and punctuation.

If you are interested, you can find a Random Password Generator here: https://identitysafe.norton.com/password-generator/

There are also many password-storage programs out there, if you have trouble keeping track.  One free service that comes highly-recommended is Dashlane.  (Thanks, Preston.)

Finally, for an in-depth technical explanation of the bug and what’s being done about it, visit Heartbleed.com.

Why You Should NEVER Use ‘admin’ As Your WordPress Username

Actually, I wanted to title this post: “Why You Should Never, Never, Never, Never, Never, Never, NEVER Use ‘admin’ As Your WordPress Username”…  but that might have been a bit long for SEO reasons. 🙂  However, it’s certainly not overkill when it comes to getting the message across.  So, why is this such a bad thing?

Let’s start with the fact that, in most cases, a new WordPress installation will set the default site administrator username to ‘admin’, and all that is required is to choose a password. Now, it might be said that humans are inherently lazy, but it’s true that many folks will just leave that default name as is. (We’ll leave the discussion of using ‘password’ as your password for another day!) With so many administrator names set to ‘admin’, it’s an obvious place for a hacker to start… 50% of the equation has already been solved for him! Now he only has to determine your password to have access to your entire site.

What’s more, most hack attempts are made by automated ‘bots’ set to try as many combinations of ‘admin’ + (a password) as possible, often hundreds per minute, in what’s known as a brute-force attempt to gain access.  Other hack attempts are made in person, by someone who has studied you and your site, looking for clues to help guess your password.  (Pet name, anyone?)  And make no mistake, these attempts are numerous and ongoing, 24/7/365.  As a random example, one of our WordPress sites received well over 3,000 ‘admin’ hack attempts in the last 30 days, with an average across our sites being at least in the hundreds.  So why give hackers that head start?

So, what to do if you ARE using ‘admin’ and need to change it to something else? Follow these steps EXACTLY, and (oh, by the way) back your site up first, just in case.

  1. Sign in as ‘admin’.
  2. Head straight to the Users tab, and “Add New”.
  3. Choose a hard-to-guess username, but don’t make it so difficult that you’ll forget it.
  4. IMPORTANT: Set the new user’s role to “Administrator”.
  5. You will need to use a different email address, as no two users can have the same one.  (Can be changed later.)
  6. Choose a password that has upper and lower-case letters and numbers in it. Symbols are OK too. NEVER use the word ‘password’ in your password, even if it has a different case and includes numbers.  10 characters minimum!
  7. Click “Add New User”.
  8. Sign out as ‘admin’.
  9. Sign in as the new user.
  10. Delete your old ‘admin’ user, MAKING SURE you assign all posts/pages/comments to your new user.
  11. Congratulations, you now have a more secure WordPress system!

What else can you do?  Ban your users from any variation of ‘admin/Admin/adm1n’ as username, enforce strong passwords, and always keep your WordPress software/themes/plugins up to date.  Install a quality security plugin (such as Wordfence) to help you enact all of these items. And make routine backups, as no software is ever 100% hacker-proof.
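As an added illustration, not code from this blog, WordPress or Wordfence: a stand-alone Python checker that encodes the password rules from the HeartBleed post above (13+ characters, lower- and upper-case letters, numbers and punctuation, no dictionary words or easily identifiable dates) together with this post’s rules (10+ characters, never the word ‘password’ in any disguise, and no variation of ‘admin’ as a username). The short word list and the letter-for-symbol substitution table are constructed assumptions; a real deployment would load a full dictionary file.

```python
import re
import string

# Constructed stand-in for a real dictionary file (assumption: a deployment
# would load a full word list); the post only says "words found in the dictionary".
DICTIONARY_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "sunshine"}

# Common letter-for-symbol substitutions, so 'adm1n' and 'P@ssw0rd' are judged
# by what they spell rather than by the characters typed.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _letters(text: str) -> str:
    """Lower-case, undo leet substitutions, keep only a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET_MAP))


def is_admin_variant(username: str) -> bool:
    """True for 'admin' and its disguises: Admin, adm1n, ADM!N, wp_admin2014 ..."""
    return "admin" in _letters(username)


def password_problems(password: str, minimum_length: int = 13,
                      require_punctuation: bool = True) -> list[str]:
    """Return the rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if require_punctuation and not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # 'password' is banned in any case and with digit substitutions (P@ssw0rd).
    if "password" in _letters(password):
        problems.append("contains the word 'password'")
    # A dictionary word dressed up with digits or symbols is still a dictionary word.
    plain = re.sub(r"[^a-z]", "", password.lower())
    if plain in DICTIONARY_WORDS or _letters(password) in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    # Six or more consecutive digits look like a birth date, anniversary or phone number.
    if re.search(r"\d{6,}", password):
        problems.append("contains a date- or phone-like digit run")
    return problems
```

The defaults follow the HeartBleed post; the softer WordPress rule from step 6 is `password_problems(pw, minimum_length=10, require_punctuation=False)`.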