Archives October 2013

Special Bulletin: Adobe Hacked

In case you were not aware of it, Adobe has confirmed that the account data of 2.9 million Adobe users has been breached. You can read the full story in the Washington Post here:

http://www.washingtonpost.com/business/technology/adobe-confirms-security-breach

What does this mean for you?  Well, first the good news:  if you use Adobe products (like nearly every other single person in the entire known world), you may not be affected. (More on this below.)

The bad news:  the attackers may have had access to Adobe users’ financial information, which means that if you have purchased anything from Adobe within the last few years, you will need to keep a close eye on your credit card or bank statements for fraudulent activity.

Adobe has issued an official statement with details about the incident and what you should do.  You can find the official Adobe statement here:

http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert

Things to keep in mind:

1) Even though Adobe states it has already reset the passwords of the affected users, if you have any type of Adobe account it would be wise to log in now and change your password.

2) If you are in the (bad) habit of using the same password across multiple sites, and have used your Adobe password anywhere else, go to those sites and change your password there as well.

The further bad news: Adobe has also said that parts of its source code were accessed, but that it is not aware of any exploits targeting Adobe products as a result. Yet.  Source code in an attacker’s hands makes finding vulnerabilities a great deal easier, so to be on the safe side, verify that all of your Adobe software is up to date, and keep it that way over the coming weeks: it seems very likely (to me, at least) that Adobe will be releasing further updates to close holes found in the stolen code before anyone can exploit them.

We hope you have found this information useful. If so, please share our blog and/or Facebook page with your friends and suggest that they subscribe to stay updated on the latest news from the World of the Web!

Why You Should NEVER Use ‘admin’ As Your WordPress Username

Actually, I wanted to title this post: “Why You Should Never, Never, Never, Never, Never, Never, NEVER Use ‘admin’ As Your WordPress Username”…  but that might have been a bit long for SEO reasons. 🙂  However, it’s certainly not overkill when it comes to getting the message across.  So, why is this such a bad thing?

Let’s start with the fact that, in many cases, a new WordPress installation (especially one set up through a hosting company’s one-click installer) will pre-fill or simply set the site administrator’s username to ‘admin’, so all that is required is to choose a password.  Now, it might be said that humans are inherently lazy, but it’s certainly true that many folks just leave that default name as it is.  (We’ll leave the discussion of using ‘password’ as your password for another day!)  With so many administrator accounts named ‘admin’, it’s the obvious place for a hacker to start… 50% of the equation has already been solved for him!  Now he only has to determine your password to have access to your entire site.

What’s more, most hack attempts are made by automated ‘bots’ set to try as many combinations of ‘admin’ + (a password) as possible, often hundreds per minute, in what’s known as a brute-force attack.  Other attempts are made by hand, by someone who has studied you and your site for clues that might help guess your password.  (Pet name, anyone?)  And make no mistake, these attempts are numerous and ongoing, 24/7/365.  As one example, one of our WordPress sites received well over 3,000 ‘admin’ login attempts in the last 30 days, and the average across our sites is at least in the hundreds.  So why give hackers that head start?
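Bot traffic at hundreds of attempts per minute is easy to throttle inside WordPress itself. The following is an added example (it is not code from this blog, from WordPress or from any security plugin): a must-use plugin that counts failed logins per client address using WordPress transients and refuses further attempts for a while once a threshold is reached. The thresholds, the file name and the assumption that the web server talks to clients directly (no reverse proxy or CDN in front of it) are mine.

```php
<?php
/*
Plugin Name: Login Burst Lockout (added example)
Description: Refuses logins from an address that has failed too often in a short window.
*/
// Drop this file into wp-content/mu-plugins/ (create the folder if it is missing);
// must-use plugins load without activation. The thresholds are assumptions; tune
// them to your own traffic.
define( 'LBL_MAX_FAILURES', 10 );  // failed logins tolerated per window
define( 'LBL_WINDOW',       300 ); // seconds the failure counter lives
define( 'LBL_LOCKOUT',      900 ); // seconds further logins are refused

// Assumption: no reverse proxy or CDN. Behind one, REMOTE_ADDR is the proxy, and
// you must take the client address from the proxy's header only for requests
// that really came from the proxy; trusting X-Forwarded-For blindly lets an
// attacker choose his own lockout key (and lock out anyone who shares it).
function lbl_client_key( $suffix ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'lbl_' . md5( $ip ) . $suffix;
}

// Fires for every failed login, whether through wp-login.php or XML-RPC.
function lbl_record_failure( $username ) {
	$count = (int) get_transient( lbl_client_key( '_fail' ) ) + 1;
	set_transient( lbl_client_key( '_fail' ), $count, LBL_WINDOW );
	if ( $count >= LBL_MAX_FAILURES ) {
		set_transient( lbl_client_key( '_lock' ), time(), LBL_LOCKOUT );
		error_log( sprintf( 'lbl: lockout after %d failures, last username "%s"', $count, $username ) );
	}
}
add_action( 'wp_login_failed', 'lbl_record_failure' );

// Priority 30 runs after core's wp_authenticate_username_password (priority 20),
// which discards errors from earlier filters when both fields are filled in; at
// 30 the lock wins even if the guessed password happens to be right.
function lbl_refuse_if_locked( $user, $username, $password ) {
	if ( false !== get_transient( lbl_client_key( '_lock' ) ) ) {
		return new WP_Error( 'lbl_locked', __( 'Too many failed login attempts from your address. Try again later.' ) );
	}
	return $user;
}
add_filter( 'authenticate', 'lbl_refuse_if_locked', 30, 3 );

// A successful login clears the counter, so a user who mistypes twice is not punished.
function lbl_clear_on_success( $user_login, $user ) {
	delete_transient( lbl_client_key( '_fail' ) );
}
add_action( 'wp_login', 'lbl_clear_on_success', 10, 2 );
```

Two things to know before relying on it: a refused attempt during a lockout still fires wp_login_failed, so a bot that keeps hammering keeps extending its own lockout, and because the lock is keyed on the client address, the rest of the office shares the penalty if one colleague locks the shared NAT address out.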

So, what to do if you ARE using ‘admin’ and need to change it to something else?  Follow these steps EXACTLY, and back your site up first, just in case.

  1. Sign in as ‘admin’.
  2. Go to the Users tab and click “Add New”.
  3. Choose a hard-to-guess username (not a variation of ‘admin’), but don’t make it so obscure that you’ll forget it.
  4. IMPORTANT: Set the new user’s role to “Administrator”.
  5. Use a different email address from the one on the ‘admin’ account, as no two WordPress users can share one.  (You can switch it back once ‘admin’ is gone.)
  6. Choose a password with upper- and lower-case letters and numbers in it; symbols are good too. NEVER use the word ‘password’ in your password, even with different capitalisation or digits swapped in for letters.  10 characters minimum!
  7. Click “Add New User”.
  8. Sign out as ‘admin’.
  9. Sign in as the new user.
  10. Delete the old ‘admin’ user, MAKING SURE you choose “Attribute all content to” your new user rather than “Delete all content”, so its posts and pages survive.
  11. Congratulations, you now have a more secure WordPress system!
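For anyone who would rather run the steps than click through them, here is the same procedure as a one-off script. It is added as an example and is not code from this blog or from WordPress itself. It assumes a single-site WordPress install (multisite deletes users differently), that the file is saved in the site root beside wp-load.php and run there from the command line, that a backup has just been taken, and that the file name rename-admin.php and the placeholders <new-username> and <new-email> are mine.

```php
<?php
// Added example: the steps above done with the WordPress API from the command line.
// Usage, from the WordPress root, after taking a backup:
//   php rename-admin.php <new-username> <new-email>
// The generated password is printed once; put it in your password manager and sign
// in with it straight away.
if ( PHP_SAPI !== 'cli' ) {
	exit( "run this from the command line\n" );
}
if ( $argc !== 3 ) {
	fwrite( STDERR, "usage: php rename-admin.php <new-username> <new-email>\n" );
	exit( 1 );
}
list( , $new_login, $new_email ) = $argv;

require_once __DIR__ . '/wp-load.php';                // bootstrap WordPress and its database connection
require_once ABSPATH . 'wp-admin/includes/user.php';  // wp_delete_user() lives here, not in wp-includes

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
	echo "No user named 'admin'; nothing to do.\n";
	exit( 0 );
}

// Step 3: refuse the very names the post warns against.
if ( false !== stripos( $new_login, 'admin' ) ) {
	fwrite( STDERR, "pick a username that is not a variation of 'admin'\n" );
	exit( 1 );
}

// Step 6: 20 characters of mixed case, digits and symbols from WordPress's own generator.
$password = wp_generate_password( 20, true, true );

// Steps 2, 4, 5 and 7: a new Administrator with its own e-mail address.
// wp_insert_user() returns a WP_Error if the login or the e-mail is already taken.
$new_id = wp_insert_user( array(
	'user_login' => $new_login,
	'user_email' => $new_email,
	'user_pass'  => $password,
	'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
	fwrite( STDERR, 'create failed: ' . $new_id->get_error_message() . "\n" );
	exit( 1 );
}

// Step 10: remove 'admin', attributing its posts, pages and links to the new user
// (this is the same call the dashboard makes for "Attribute all content to").
wp_delete_user( $old->ID, $new_id );

// wp_delete_user() does not touch comments; point those at the new user as well so
// the old account's replies keep their "post author" mark.
global $wpdb;
$wpdb->update( $wpdb->comments, array( 'user_id' => $new_id ), array( 'user_id' => $old->ID ) );

printf( "Created '%s' (ID %d) as Administrator and removed 'admin'.\nPassword: %s\n",
	$new_login, $new_id, $password );
```

Because the script runs with direct database access, it never needs to sign in as ‘admin’, which is why steps 1, 8 and 9 have no counterpart in it.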

What else can you do?  Prevent anyone from registering any variation of ‘admin’ (Admin, adm1n, administrator…) as a username, enforce strong passwords for every user, and always keep WordPress itself, your themes and your plugins up to date.  A quality security plugin (such as Wordfence) can help you enforce all of these.  And make routine backups, as no software is ever 100% hacker-proof.
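The username ban and the password rule from step 6 can both be enforced by WordPress rather than left to memory. Below is an added example, not this blog’s code nor part of WordPress or Wordfence: a must-use plugin that refuses ‘admin’ and its look-alikes wherever a username can be set (front-end registration, Users > Add New) and at login, and rejects weak passwords in the user editor. The substitution table used to catch ‘adm1n’-style spellings and the error wording are mine.

```php
<?php
/*
Plugin Name: No Admin Usernames (added example)
Description: Refuses 'admin' and its look-alikes as usernames, and weak passwords, wherever they can be set.
*/
// Drop into wp-content/mu-plugins/. Deploy it AFTER the rename above: the login
// check below refuses the username 'admin' outright, real account or not.

// Fold case and the usual digit/symbol substitutions so 'Adm1n', 'adm!n' and
// 'ADMINISTRATOR' all compare like 'admin'. The substitution table is an assumption.
function naa_normalise( $s ) {
	$s = strtolower( $s );
	$s = strtr( $s, array( '1' => 'i', '!' => 'i', '|' => 'i', '0' => 'o', '4' => 'a', '@' => 'a', '3' => 'e', '5' => 's', '$' => 's' ) );
	return preg_replace( '/[^a-z0-9]/', '', $s );
}

function naa_is_banned_login( $login ) {
	return 0 === strpos( naa_normalise( $login ), 'admin' ); // admin, admin2, administrator ...
}

// Step 6 made mechanical: length, three character classes, and no 'password' in
// any disguise (naa_normalise() turns 'Pa$$w0rd' into 'password').
function naa_password_ok( $pw ) {
	return strlen( $pw ) >= 10
		&& preg_match( '/[a-z]/', $pw ) && preg_match( '/[A-Z]/', $pw ) && preg_match( '/[0-9]/', $pw )
		&& false === strpos( naa_normalise( $pw ), 'password' );
}

// Front-end registration (Settings > General > "Anyone can register").
function naa_registration_errors( $errors, $sanitized_user_login, $user_email ) {
	if ( naa_is_banned_login( $sanitized_user_login ) ) {
		$errors->add( 'naa_login', __( 'That username is not allowed; choose one that is not a variation of "admin".' ) );
	}
	return $errors;
}
add_filter( 'registration_errors', 'naa_registration_errors', 10, 3 );

// Users > Add New and the profile editor. $update is false for a brand-new user,
// and pass1 is posted whenever a password is being set or changed.
function naa_profile_update_errors( $errors, $update, $user ) {
	if ( ! $update && isset( $user->user_login ) && naa_is_banned_login( $user->user_login ) ) {
		$errors->add( 'naa_login', __( 'That username is not allowed; choose one that is not a variation of "admin".' ) );
	}
	if ( ! empty( $_POST['pass1'] ) && ! naa_password_ok( $_POST['pass1'] ) ) {
		$errors->add( 'naa_pass', __( 'Passwords need 10+ characters with upper- and lower-case letters and a digit, and must not contain "password".' ) );
	}
}
add_action( 'user_profile_update_errors', 'naa_profile_update_errors', 10, 3 );

// Login: do not even look up the password for a banned name, and leave a trace in
// the PHP error log. Priority 30 runs after core's own check, so this is the
// error the user (or bot) actually sees.
function naa_refuse_admin_login( $user, $username, $password ) {
	if ( '' !== $username && naa_is_banned_login( $username ) ) {
		$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		error_log( sprintf( 'naa: refused login as "%s" from %s', $username, $ip ) );
		return new WP_Error( 'naa_login', __( 'Invalid username.' ) );
	}
	return $user;
}
add_filter( 'authenticate', 'naa_refuse_admin_login', 30, 3 );
```

The prefix match is deliberately broad (it would also refuse a genuine “adminnie”), which is the right trade-off for a rule whose only job is to keep the bots’ favourite guess off your site; the error-log lines it writes are also a cheap way to count how many ‘admin’ attempts you are really getting.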