So, per a previous blog post on security, this is why you don’t use an obvious username. If you look at the number of emails in my inbox, there are 316. There were actually over 400. The night before, there were 18. Each email represents 4 attempts to force break one of the sites I host so that’s around 1600 attempts to guess the password.
The site in question has a math captcha, so this really shouldn’t be happening at all. I guess someone found a way to nullify the WordPress math captcha I paid $8 for: these things happen. On the other hand: basic security does the trick here. The username they are trying to hack is the wrong one. They are basing it off of the URL: the username they are trying is the URL…
Guess what, that’s not the actual user name! So even if they somehow stumbled across the right password, they would have to have the right username and, in this case:
1. It has nothing to do with the name of the site.
2. It’s not admin, administrator, webmaster, or any conventional user name.
So- they won’t be able to hack the site this way no matter how hard they try. To summarize, use basic security precautions: nonstandard username, strong password, and set profile so name of avatar on posts is not the same as the username. On a multi-user site, give each user only the access privileges they actually need and no more. Do these things, and all will be well even if people try to hack you (as they did here)
It was a pain to delete the 400 email notifications- but that’s part of the trade I guess, and why people get paid money to host! Other people anyway- the clients still haven’t paid. That’s ok though- I altered the site to reflect that and it makes me feel better!
This article isn’t idle speculation. So far I have had one web design client who has not paid. It was a simple but functional WordPress site with a store. I’ve been paid negative money for my work after 3 months.
I do have a partner who is acting as a go between: and that might be part of the problem as I am not negotiating with this particular client directly. However, the dilemma still exists. I have work for which I haven’t been paid after 3 months, and yet I’m still hosting the site, something which costs me money. There are several lessons to be learned already: one is not to shell out money for materials upfront. The other is to collect in draws, and to have a written contract for scope of work. I played loose in this field because costs are so low for everything. And this experience will change how I operate in the future for sure. But I still have to decide what to do with a client who probably is not going to pay.
1. I could leave the site up as is.
I do not want to do this. Even though there are no ongoing expenses associated with this. I do not want to continue to provide a service for people who are deadbeats who don’t pay when I have the option not to.
2. I could add advertising to the site and leave it up.
This is the least emotionally satisfying solution but it’s a possibility. If they won’t pay I at least will be receiving something from it while I’m waiting for the partner to try and get money out of them. It’s also the nicest. On the other hand, I’m still providing free hosting to someone who gypped me.
3. I could take the site down.
This is an ok option. It will make me feel better. And it will also make the client answer the question of “Will you pay?” immediately instead of months later (in my head, I don’t think they will pay). Which I want.
4. I could change the A records (I own the domains) to redirect the domain for their site to a site of my choosing.
This is a little less mature, and kind of shady, but it’s probably what I’m going to actually do. It accomplishes the same thing as #3, ie taking the site down and forcing them to negotiate if they want it to go back up. If this were a paying customer, it would be completely dishonest. Since they haven’t paid, I am ok doing this. Especially as I plan to redirect them to this article. If they decide to pay (the amounts of money involved here are not large for a company of this size, they can afford it) the site goes back up. If not: well, I get a little extra traffic until the domains expire or I sell them. I go back and forth. But I’m definitely going to take action soon, and will post again if something comes from it.
So, this little experiment is still going fairly well. So far, there’s another wordpress site that went up, here. It’s a musician site for Nashville-based songwriter Lisa Carver. Very basic, using the WordPress spun theme. The design might shift with feedback from the client. I’m reminded thought that even the best design is useless unless there is content and the site is maintained. There’s a section for upcoming shows, but unless information on the upcoming shows is actually in there, there’s no point in even having it. Maintaining a website on even a basic level is work. It’s not much work, but it does take a little bit of doing.
Which is why I’d like to continue the adventure by talking about WordPress security. My friend Greg taught me most of what I know about coding when I took a free class he taught (information about that here if you are interested in learning some about basic PHP, HTML, mySQL, and C#) He also taught some about basic WordPress security. I followed at least some of it, and it definitely helped. Most of it is common sense, but it’s crazy how often it is disregarded. And it’s come into play already, as people already have tried to hack this site many times.
A friend of mine told me that WordPress had a bad rap for security. From what I’ve seen so far, that’s basically undeserved, but: I can see how if you didn’t take basic precautions during the install, you could leave yourself open. For example, during the installation of WordPress, it has a checkbox for “limit login attempts.” This means that if someone has a program or script that will repeatedly try to log in using different passwords, after a certain number of tries (I think the default is 8) they will lock them out for 20 minutes. If this happens 4 times from the same IP they’ll lock them out for a day.
So if someone who doesn’t know what they are doing unchecks that box, the site is wide open to this kind of hacking. But the box is checked by default. When I tightened up the security on this site, I reduced the number of failed login attempts to 4, and put a 24 hour lockout after I think 2 times. You can do that. And people still try to hack the site.
See the image. This has been happening a lot. There’s something you can do to eliminate that completely, which I will talk about later, but there’s something else I’d like to mention.
If the “Limit Login Attempts” plugin is active, you’ll get a notification email like the one above every time someone tries to hack you. There’s some actions you can take. For one, you can go into cPanel (what I used to install WordPress) and block the IP- the problem with that is hackers usually aren’t trying to hack from their own IP- they’re doing it through another computer they’ve already compromised. So that won’t actually stop it. I’d like to point out though the username they are trying to hack: admin.
My administrate username is not admin. You should never never never use “admin” as a username. The username/password combination is what keeps your site safe, if you use “admin” you’re giving them half the battle. By trying to hack “admin” they’re targeting people who aren’t taking basic precautions. Don’t be that person.
The other username I’ve seen them try to hack is “akeythatshouldnotbeused.” Again, a good guess, it’s the name of the site, and also the author name on the posts. However, WordPress allows you to set it so that the name of the author displayed on the posts is different from the username of that author. Do this! If you do that, hackers will have nothing visible to indicate what your username might be and will be starting from zero.
Third thing is to use a strong password. Pretty basic, and WordPress forces you to use a password of a certain strength, but here’s a basic rule of thumb. Don’t use your name or birthday. Use at least 10 characters. Use letters and numbers with at least one capital letter, at least one symbol, and at least one special character. Also, WordPress allows spaces (something a lot of passwords don’t) so I’d do that to.
So, for example, here’s a weak username password combination for a person named Jane Doe. Let’s say she’s 34:
(don’t EVER use “password as a password. that’s the first thing they try)
let’s say jane has a boxer named Prometheus. this would be a pretty decent username/password combo
or this would be even better:
In this case, her password is her birth year backwords, her name backwords with the last letter capitalized, and an exclamation point, and her username is not her name (in case she’s being hacked by someone who knows who she is. That’s pretty strong, and would be very easy to remember, and very hard to guess even by someone who knew her very well. If you changed the order of the birth year and her name and used some other character than an exclamation point or substituted a number for letters of her name or used spaces, it would be nearly impossible to guess that kind of password even by someone who read this article and knew it was created using that method. Finally, here’s an alternative, very unorthodox philosophy for passwords that is also strong:
password: I Am Jane Doe And I Am Awesome!
This is a sentence, very easily rememberable to Jane. Note a few things though, all of which make it harder for a script to hack: 1. The length. 2. The presence of capital letters. 3. The presence of spaces. 4. Special characters.
If you have login attempts limited and are using a strong password, your odds of being hacked in this way are almost nil. They drop even more if you use a Captcha. BWS sells a math Captcha for I think about ten bucks. I am not using it on this site yet, but I use it on all my clients sites, and it eliminates this kind of attempt completely. Eventually someone will write a program that sidesteps that, but it seems to work good for now.
So to recap, here’s the basic WordPress security steps:
1. Make sure “limit login attempts” box remains checked.
2. Use a username other than “admin” that is not your own name.
3. Use a strong password.
4. Change the name of the database to something other than the default (I didn’t talk about this, but it’s the same deal. If you use a naming convention other than the default it makes it harder to hack)
5. Change your author profile so the publically shown name is different from the username.
6. Shell out ten bucks for a Captcha.
That’s it. Do that and your site will be pretty darn secure.
So, this is the first post under this name on the new site- a site that I am hosting on server space I have real control over. It’s been an interesting transition. This blog and concept used to be at this site, on WordPress.com
I decided that I needed a hosting package in order to continue to be able to experiment with PHP, to be able to do Wordpress sites that could be more easily modified, etc… there was initially a pretty steep learning curve in terms of DNS entries, etc, and there was a certain cash investment in a hosting package.
However, the moment I did this I started to pick up paying work, and the money sunk has already been recouped. Right now I’m hosting four sites, two of which are paid for. All of them are WordPress sites.
I’ve made lots of mistakes, including what could have been a really embarassing failure.
He who installs WordPress in a directory different from that in which it will ultimately reside courts disaster, and rubs buttocks with the whirlwind- Peter Dickson
It’s not easy to move a WordPress install. I put it in a temporary location, and then bought the domain after and tried to switch it by adding that domain to an existing subdomain and cPanel wouldn’t do it. I backed up everything in public html, deleted the subdomain, and put it back up with the add on domain point to the original public html folder associated with the subdomain. At this point, I could direct people to the site using the correct URL but once you navigated away from the home page the page titles and the tabs in browser reflected the old names and not the new. I now know this was because of internal links in the database.
I then thought I’d uninstall WordPress and then put it back up with FTP (not sure why I thought that was a good idea) and of course this DELETED THE DATABASE and when the site was back up nothing worked. I stayed up all night redoing the site from scratch. Fortunately it was small enough that this was doable, and the end product was actually better than before.
It’s a very amateur mistake, and a really stupid one that I WILL NOT MAKE AGAIN EVER.
I now know there are scripts, you can do search and replace on certain tables of the database, or more important you can spend $11 on the domain you/the client actually wants and get it set up first so you don’t have to move a WordPress site unnecessarily.
And of course if I ever do have to do this again, I will back up the database and go slower, but hopefully I don’t have to do this for quite a while, or ever maybe. The site is up now, it is beautiful. Not perfect, but pretty good for a simple ecommerce site, especially if you want a chicken plucker that is under $50, fits into a standard drill, and is American-made.
Anyway, it’s been a trip and I am tired now. But if you’re here: welcome! I hope you find something here that interests you!