Tag Archives: password

A basic primer on security for WordPress, update on current projects

So, this little experiment is still going fairly well. So far, there’s another WordPress site that went up, here. It’s a musician site for Nashville-based songwriter Lisa Carver. Very basic, using the WordPress Spun theme. The design might shift with feedback from the client. I’m reminded, though, that even the best design is useless unless there is content and the site is maintained. There’s a section for upcoming shows, but unless information on the upcoming shows is actually in there, there’s no point in even having it. Maintaining a website on even a basic level is work. It’s not much work, but it does take a little bit of doing.

Which is why I’d like to continue the adventure by talking about WordPress security. My friend Greg taught me most of what I know about coding when I took a free class he taught (information about that is here if you are interested in learning some basic PHP, HTML, MySQL, and C#). He also taught some basic WordPress security. I followed at least some of it, and it definitely helped. Most of it is common sense, but it’s crazy how often it is disregarded. And it’s come into play already, as people have already tried to hack this site many times.

A friend of mine told me that WordPress had a bad rap for security. From what I’ve seen so far, that’s basically undeserved, but I can see how, if you didn’t take basic precautions during the install, you could leave yourself open. For example, the one-click installer I used through cPanel offers a checkbox for “limit login attempts.” (That checkbox installs the Limit Login Attempts plugin; WordPress core on its own does not throttle failed logins at all.) With it active, if someone has a program or script that repeatedly tries to log in with different passwords, after a certain number of failures (I think the default is 8) they get locked out for 20 minutes. If that happens 4 times from the same IP, they get locked out for a day.

So if someone who doesn’t know what they are doing unchecks that box, the site is wide open to this kind of password guessing. But the box is checked by default. When I tightened up the security on this site, I reduced the number of failed login attempts to 4, and put a 24-hour lockout after, I think, 2 lockouts. You can do that. And people still try to hack the site.
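Here is what that lockout policy looks like as code. This is an added example, not something from the original post and not the Limit Login Attempts plugin’s own code: a small must-use plugin built on WordPress’s real hooks (authenticate, wp_login_failed, wp_login) and its transients API. The exlt_ prefix, the constant names and the threshold values are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example (not the post's code, not the Limit Login Attempts
 *              plugin). Locks an IP out after repeated failed logins, with the
 *              escalating 20-minute / 24-hour policy described above.
 *
 * Save as wp-content/mu-plugins/example-login-throttle.php; mu-plugins load
 * automatically. Everything prefixed exlt_ is this example's own naming.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'EXLT_MAX_FAILS',        4 );                     // failures before a lockout (the post's tightened value)
define( 'EXLT_LOCKOUTS_TO_LONG', 4 );                     // lockouts before the long duration kicks in
define( 'EXLT_LOCKOUT_SHORT',    20 * MINUTE_IN_SECONDS );
define( 'EXLT_LOCKOUT_LONG',     DAY_IN_SECONDS );
define( 'EXLT_COUNTER_TTL',      12 * HOUR_IN_SECONDS );  // how long fail/lockout counters are remembered

/**
 * Client address. REMOTE_ADDR is set by the web server and cannot be forged by
 * the client. X-Forwarded-For can be, so it is deliberately ignored here: an
 * attacker who controls that header could dodge (or reset) their own counter.
 */
function exlt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function exlt_key( $bucket, $ip ) {
    // Transient names have a length limit, so hash the address.
    return 'exlt_' . $bucket . '_' . md5( $ip );
}

// Seconds left on an active lock for this IP, or 0 if none.
function exlt_lock_remaining( $ip ) {
    $until = (int) get_transient( exlt_key( 'lock', $ip ) );
    return max( 0, $until - time() );
}

/**
 * Refuse the login while a lock is active. Priority 30 runs after core's own
 * password check (priority 20), so the client sees exactly the same error
 * whether the guess was right or wrong: a lockout must not become an oracle.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $remaining = exlt_lock_remaining( exlt_client_ip() );
    if ( $remaining > 0 ) {
        return new WP_Error(
            'exlt_locked',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', ceil( $remaining / 60 ) )
        );
    }
    return $user;
}, 30, 3 );

/**
 * Count a failure. wp_login_failed fires from wp_authenticate(), which the
 * XML-RPC interface also goes through, so guesses sent to xmlrpc.php are
 * counted just like guesses typed into the login form.
 */
add_action( 'wp_login_failed', function ( $username ) {
    $ip = exlt_client_ip();
    if ( exlt_lock_remaining( $ip ) > 0 ) {
        return; // already locked; a locked client must not extend its own lock
    }

    $fails = (int) get_transient( exlt_key( 'fails', $ip ) ) + 1;
    if ( $fails < EXLT_MAX_FAILS ) {
        set_transient( exlt_key( 'fails', $ip ), $fails, EXLT_COUNTER_TTL );
        return;
    }

    // Threshold reached: start a lockout, escalating if this IP keeps coming back.
    delete_transient( exlt_key( 'fails', $ip ) );
    $lockouts = (int) get_transient( exlt_key( 'lockouts', $ip ) ) + 1;
    set_transient( exlt_key( 'lockouts', $ip ), $lockouts, EXLT_COUNTER_TTL );

    $duration = ( $lockouts >= EXLT_LOCKOUTS_TO_LONG ) ? EXLT_LOCKOUT_LONG : EXLT_LOCKOUT_SHORT;
    set_transient( exlt_key( 'lock', $ip ), time() + $duration, $duration );

    // The same information the post's notification email carries, sent to the PHP error log.
    error_log( sprintf( 'exlt lockout: ip=%s username=%s lockouts=%d duration=%ds',
        $ip, sanitize_user( $username ), $lockouts, $duration ) );
} );

// A successful login clears the failure counter (the lockout history is kept).
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( exlt_key( 'fails', exlt_client_ip() ) );
} );
```

Because the refusal happens on the authenticate filter, it also covers xmlrpc.php, which a CAPTCHA drawn on the login form does not. One thing to check before relying on it: if the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy’s address and every visitor would share one lock, so have the web server set REMOTE_ADDR from the proxy header it trusts first.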

This person attempted to hack the “admin” username. Which doesn’t actually exist!

See the image. This has been happening a lot. There’s something you can do to eliminate that completely, which I will talk about later, but there’s something else I’d like to mention.

If the Limit Login Attempts plugin is active, you’ll get a notification email like the one above whenever someone gets locked out. There are some actions you can take. For one, you can go into cPanel (what I used to install WordPress) and block the IP. The problem with that is attackers usually aren’t working from their own IP address; they come through other machines they’ve already compromised, and the next round of attempts arrives from a different one. So blocking a single address won’t actually stop it. I’d like to point out, though, the username they are trying: admin.

My administrator username is not admin. You should never, never, never use “admin” as a username. The username and password together are what keep your site safe; if you use “admin”, you’ve handed the attacker half of what they need before they start. By trying “admin” they’re targeting people who skipped the basic precautions. Don’t be that person.

The other username I’ve seen them try is “akeythatshouldnotbeused.” Again, a good guess: it’s the name of the site, and also the author name shown on the posts. However, WordPress lets you set the name displayed on posts (the display name, under Users > Your Profile) to something different from the login username. Do this! Then the byline no longer hands attackers your username. One caveat: the display name is not the only place the username shows up. By default the author archive URL (/author/username/, which /?author=1 redirects to) and the REST API’s users endpoint still expose the login name or its slug, so a determined attacker can still find it unless those are closed off too. Changing the display name removes the easy clue; it does not make the username secret.
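The places WordPress leaks the username to anonymous visitors, and how to close them, as an added example that is not part of the original post: a must-use plugin using WordPress’s template_redirect, rest_endpoints, login_errors and user_profile_update_errors hooks. The exhu_ names and the wording of the messages are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Example Username Exposure Reduction
 * Description: Added example, not the post's code. Closes the places where
 *              WordPress reveals login names to anonymous visitors, so that a
 *              display name that differs from the username actually hides it.
 *
 * Save as wp-content/mu-plugins/example-hide-usernames.php. Everything
 * prefixed exhu_ is this example's own naming.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * 1. Author-ID enumeration. /?author=1 is redirected by redirect_canonical()
 *    (template_redirect, priority 10) to /author/<user_nicename>/, and the
 *    nicename defaults to the login name. Refuse the numeric form for
 *    anonymous visitors at priority 1, before that redirect can happen.
 */
add_action( 'template_redirect', function () {
    if ( ! is_admin() && ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_die( 'Not available.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );

/**
 * 2. REST API. /wp-json/wp/v2/users lists every user with published posts,
 *    including the slug (nicename). Only expose those routes to logged-in users;
 *    anonymous requests then get the normal rest_no_route 404.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

/**
 * 3. Login-form errors. Core tells the visitor whether the username exists
 *    ("Unknown username" versus "The password you entered ... is incorrect").
 *    Return one message for any error on a submitted login form ('log' is the
 *    form's username field) so the form cannot be used to confirm usernames.
 */
add_filter( 'login_errors', function ( $message ) {
    if ( ! empty( $_POST['log'] ) ) {
        return 'Invalid username or password.';
    }
    return $message;
} );

/**
 * 4. Profile save. Refuse a public display name equal to the username, which
 *    is exactly the situation the post describes (posts bylined with the login).
 *    edit_user() fills $user->display_name and $user->user_login before firing this.
 */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( isset( $user->display_name, $user->user_login )
         && strcasecmp( trim( $user->display_name ), trim( $user->user_login ) ) === 0 ) {
        $errors->add( 'exhu_display_name', 'Pick a public display name that is different from your username.' );
    }
}, 10, 3 );
```

After installing it, check with curl: an anonymous request to /wp-json/wp/v2/users should return a 404 and /?author=1 a 403. The author archive itself (/author/<slug>/) still works, and if the slug is the login name the URL still confirms the username; for an existing user change the nicename (for example with WP-CLI, wp user update <id> --user_nicename=<new-slug>) so it stops doing that.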

Third thing is to use a strong password. Pretty basic, and WordPress shows a strength meter and makes you confirm before it will accept a weak one, but here’s a basic rule of thumb. Don’t use your name or birthday. Use at least 10 characters (longer is better; length does more for you than any other rule here). Use letters and numbers with at least one capital letter and at least one symbol or punctuation character. Also, WordPress allows spaces in passwords (something a lot of systems don’t), so I’d use them too.

So, for example, here’s a weak username password combination for a person named Jane Doe. Let’s say she’s 34:

username: admin
password: password

(Don’t EVER use “password” as a password. That’s the first thing they try.)

Let’s say Jane has a boxer named Prometheus. This would be a pretty decent username/password combo:

username: janedoe
password: prometheusthedog
or this would be even better:
username: prometheusthedog
password: 0891EnajEod!

In this case, her password is her birth year backwards, then each of her names backwards with its last letter (now the first) capitalized, and an exclamation point, and her username is not her name (in case she’s being targeted by someone who knows her). That’s far stronger than the first pair, easy for her to remember, and not something a casual acquaintance will guess. One caveat, though: reversing a word and appending a year are standard mangling rules in password-cracking tools, so someone who knows her name and birth year and is willing to try a few thousand variations could still get there. Changing the order of the year and the name, using a character other than an exclamation point, substituting numbers for some letters, or adding spaces all enlarge the search considerably, but a password with no relationship to facts about you at all is still the safest choice. Finally, here’s an alternative, very unorthodox philosophy for passwords that is also strong:

username: prometheus
password: I Am Jane Doe And I Am Awesome!

This is a sentence, very easy for Jane to remember. Note a few things, though, all of which make it harder for a script to guess: 1. The length, which matters most. 2. The presence of capital letters. 3. The presence of spaces. 4. Special characters. It does contain her name, which the rule above warns against, but at this length the rest of the sentence carries the strength; keep the name out of anything shorter.
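To turn those rules into something WordPress actually enforces, here is an added example (not the post’s code): a must-use plugin that checks a new password when a user saves their profile. The expp_ names, the thresholds and the small blocklist are this example’s own assumptions, and the 20-character passphrase exception is my reading of the post’s last example rather than anything WordPress defines.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Description: Added example, not the post's code. Applies the rules above
 *              (length, mixed case, a symbol, nothing personal, not a known
 *              bad password) when a user sets a password in their profile.
 *
 * Save as wp-content/mu-plugins/example-password-policy.php. Everything
 * prefixed expp_ is this example's own naming; the blocklist is a constructed sample.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'EXPP_MIN_LENGTH', 10 );        // the post's minimum
define( 'EXPP_PASSPHRASE_LENGTH', 20 ); // assumption: from here on a passphrase may contain the user's name

/**
 * Return a list of problems with $password, or an empty array if it passes.
 * $personal holds strings that should not appear in the password (name parts,
 * birth year, site name, username). Their reversals are checked too, because
 * reversing a word is a standard rule in password-cracking tools.
 */
function expp_password_problems( $password, array $personal ) {
    $problems  = array();
    $blocklist = array( 'password', 'password1', '123456', 'qwerty', 'letmein', 'welcome', 'admin' ); // constructed sample

    if ( strlen( $password ) < EXPP_MIN_LENGTH ) {
        $problems[] = sprintf( 'shorter than %d characters', EXPP_MIN_LENGTH );
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'no capital letter';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'no lowercase letter';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'no symbol or space';
    }

    $lower = strtolower( $password );
    if ( in_array( $lower, $blocklist, true ) ) {
        $problems[] = 'is one of the first passwords an attacker tries';
    }

    // Personal tokens are tolerated inside a long passphrase (the post's last
    // example), where the surrounding words carry the strength.
    if ( strlen( $password ) < EXPP_PASSPHRASE_LENGTH ) {
        foreach ( $personal as $token ) {
            $token = strtolower( trim( $token ) );
            if ( strlen( $token ) < 3 ) {
                continue; // too short to mean anything as a substring match
            }
            if ( strpos( $lower, $token ) !== false || strpos( $lower, strrev( $token ) ) !== false ) {
                $problems[] = sprintf( 'contains "%s" (forwards or backwards)', $token );
            }
        }
    }
    return $problems;
}

/**
 * Enforce it on profile save. edit_user() puts the new password in
 * $user->user_pass only when one was entered, so unchanged passwords are
 * not re-checked. WordPress does not know a birth year, so only the names
 * it has (login, first/last name, site name) are used as personal tokens here.
 */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $personal = array_filter( array(
        isset( $user->user_login ) ? $user->user_login : '',
        isset( $user->first_name ) ? $user->first_name : '',
        isset( $user->last_name )  ? $user->last_name  : '',
        get_bloginfo( 'name' ),
    ) );
    foreach ( expp_password_problems( $user->user_pass, $personal ) as $problem ) {
        $errors->add( 'expp_weak', 'Password rejected: ' . $problem . '.' );
    }
}, 10, 3 );
```

expp_password_problems() can also be called directly with a birth year in $personal. Run that way on the post’s examples, “password” fails four rules at once, “prometheusthedog” fails for having no capital and no symbol, “0891EnajEod!” is flagged for containing “jane”, “doe” and “1980” backwards, and “I Am Jane Doe And I Am Awesome!” passes because it clears the passphrase length.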

If you have login attempts limited and are using a strong password, your odds of being hacked this way are almost nil. They drop further if you add a CAPTCHA. BWS sells a math CAPTCHA for, I think, about ten bucks. I am not using it on this site yet, but I use it on all my clients’ sites, and it eliminates this kind of attempt completely. Eventually someone will write a program that sidesteps it, but it seems to work well for now. One caveat: a CAPTCHA on the login form only protects the login form. WordPress also accepts a username and password through xmlrpc.php, so make sure your lockout plugin covers that as well, or disable XML-RPC if nothing you use needs it.

So to recap, here’s the basic WordPress security steps:

On install:

1. Make sure “limit login attempts” box remains checked.

2. Use a username other than “admin” that is not your own name.

3. Use a strong password.

4. Change the database name (and table prefix) from the defaults. (I didn’t talk about this, but it’s the same idea: if you use a naming convention other than the default, an automated attack can’t assume your table names. It does nothing against password guessing, though, so don’t count it toward that.)

5. Change your author profile so the publicly shown display name is different from the username.

6. Shell out ten bucks for a Captcha.

That’s it. Do that and your site will be pretty darn secure against this kind of attack.