First off, NEW SITE! (If you’re reading this in email, come and have a look!). More to be added over the coming weeks, but I just couldn’t hold off any longer!!!
So, did you hear the news this week?
No, I’m not going to talk about Thatcher (and you should be thankful for that, no-one needs their ear bent by me about anything related to British politics…), I mean the WordPress-related story.
So, cliff notes in case you hadn’t:
Do you use the username “admin” for your WordPress login? Oh, you do?
And what about your password?
Oh, well my password is GREAT, it’s got letters AND numbers in it, I hear you say.
(And I’m totally sending a bitchslap your way if it doesn’t, by the way…)
Well, great. But does your password contain a dictionary word or name with those numbers, e.g. robert1982 or 29doolanstreet? It does? Oh.
Well, bend yourself over the nearest desk, sweetcheeks, you might want to get prepared for a good, hard hacking. With a crap username teamed with a crap password, you’ve just handed the lube to a hacker.
If you’ve never had your site hacked before, let me tell you a little story; a good few years ago, fresh from university, I was working in-house for a computer parts and sales company as a web designer. I had just designed and built this amazing new and magical news page for them. It was basically BRILLIANT. Until one day we came in and found that a few customers had emailed to find out when we had started selling Viagra.
It turns out that hackers exploited a security flaw that I failed to consider in the design of this new news page, and added some cock-be-big pills to the products database. Luckily, they were just out to drive more people to their crappy Viagra site rather than take down the website of the company that I was working for. Basically, they could have completely decimated the ENTIRE database. Everything could have been obliterated, and we would have had to restore everything from a backup, which could have taken weeks. Luckily, the site was down for half a day, while I sat there feeling like a MASSIVE TWAT. I had a stern talking-to, and in fairness, I have never made that mistake since.
I was lucky, VERY lucky, but the majority of hackers are quite happy to completely wipe your site, and replace it with a page that says “L0lz, u iz bin haxxxxxxd.” Which is basically the computer version of someone breaking into your house, stealing all your furniture and worldly possessions, then taking a shit on the floor.
So, if you value your website and the content that you’ve taken time and effort (and blood, sweat and tears) to provide to the world, take note. I am about to turn your website into a motherfucking portcullis.
1. Change the username and make it unique.
If “admin” is your username, CHANGE IT. If something like “test” or “user” or “aaa” is your username, CHANGE IT! NOW!
To do this, log in with your credentials and go to Users > Add New. Create a brand new user with a unique username – email addresses work brilliantly for this. Give them a role of “Administrator” and click “Add New User”. (Quick note here, it’s one email address per WordPress website, so if your crap admin user has the email address, change it to another one and save before creating the new user.) Now, log out of the account with the crap username, and back IN to the new account. Delete the original user by going to Users > All Users, hovering over the offending user and deleting them. Easy peasy.
2. Make your password hard to crack
I am, once and for all, ruling out any creation of passwords where you patch together the name of your dead cat and the year they were born – “felix1995” is a crappy password. Yes, really.
The best passwords are greater than 7 characters in length, they contain uppercase and lowercase letters, they also contain numbers AND special characters.
I can hear you now, “so, basically Gemma, what you’re telling me is that I have to have a password that looks like I’ve mashed my head against the keyboard four or five times? How the hell am I supposed to remember that?!”
Well, yes and no.
By all means, mash your head against a keyboard four or five times if you have a good way of remembering it. Alternatively, if you want something that makes visual sense to you, try this sort of format:
Take a name of someone or something you will remember, switch in numbers where letters should be, add some well-placed capital letters, chuck in an exclamation mark here or a question mark there, and already you have a password to be reckoned with. (Neither of them are my password, in case you were planning on trying!)
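To show the rules above in working form, here is an added example (my code, not from this post) that checks a password against them: more than 7 characters, upper and lower case, numbers, special characters, and no “dictionary word or name with numbers bolted on” like felix1995 or 29doolanstreet. The small word list is a constructed stand-in for a real dictionary.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary/name list (assumption).
COMMON_WORDS = {"felix", "robert", "doolan", "street", "doolanstreet",
                "password", "admin", "wordpress"}


def complexity_problems(pw):
    """Return the complexity rules from the post that pw fails (empty list = all passed)."""
    problems = []
    if len(pw) <= 7:
        problems.append("too short (needs more than 7 characters)")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def looks_like_word_plus_digits(pw):
    """True for the 'dead cat + year' pattern: digits/punctuation wrapped around a word or name."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw).lower()
    if not core:
        return False
    if core in COMMON_WORDS:
        return True
    # Also catch two words glued together, e.g. doolanstreet -> doolan + street
    for i in range(2, len(core) - 1):
        if core[:i] in COMMON_WORDS and core[i:] in COMMON_WORDS:
            return True
    return False


def check_password(pw):
    """All problems with pw; an empty list means it passes every rule in the post."""
    problems = complexity_problems(pw)
    if looks_like_word_plus_digits(pw):
        problems.append("dictionary word or name with numbers bolted on")
    return problems
```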
3. Make sure you have the latest version of WordPress
Every few weeks or months, WordPress releases a newer version. It not only means that you have the latest features, but you have the latest protection as well. Not sure which version you have? Go to Dashboard > Updates and that should tell you. Back that shit up before you do, mind!
4. Get some extra protection with security plugins
There are a number of different plugins out there, and while you don’t need them all, you can certainly benefit from using a couple in tandem with one another.
I personally recommend having a login checker type plugin that checks every failed login attempt within an IP address range – and blocks the perpetrator after several failed attempts. My friend Jenny from the awesome Not Just Another VA likes Login Lockdown (Plugins > Add New > type in “Login Lockdown” and install the top result), a blissfully simple way of making life very hard for someone trying to hack into your system.
The other I recommend is Wordfence Security (Plugins > Add New > type in “Wordfence Security” and install the top result). This is an awesome powerhouse that scans all of your WordPress files looking for anything dodgy, and gives you actual, simple steps to follow to fix any issues whether that be to change a pants password or upgrade to the latest versions of plugins.
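To make it clear what a login checker of the Login Lockdown kind actually does, here is an added example (my code, not the plugin’s) that counts failed logins per IP range inside a sliding window and locks the range after several failures. The log lines and their format are constructed, and counting per /24 range is my assumption.

```python
import ipaddress, re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (assumption: this line format, one attempt per line).
SAMPLE_LOG = """\
2013-04-12 10:00:01 FAILED user=admin ip=203.0.113.7
2013-04-12 10:00:03 FAILED user=admin ip=203.0.113.9
2013-04-12 10:00:04 OK user=gemma@example.com ip=198.51.100.5
2013-04-12 10:00:06 FAILED user=admin ip=203.0.113.12
2013-04-12 10:00:09 FAILED user=admin ip=203.0.113.7
2013-04-12 10:00:11 FAILED user=admin ip=203.0.113.40
"""
LINE_RE = re.compile(r"^(\S+ \S+) FAILED user=\S+ ip=(\S+)$")  # OK lines never match

def range_of(ip):
    # Assumption: a botnet rotates hosts inside one /24, so failures are counted per range.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class LoginLockdown:
    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(hours=1)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> datetime the lock expires

    def failed(self, ip, now):
        """Record one failed attempt; return True if the source is locked out after it."""
        key = range_of(ip)
        if key in self.locked_until and now < self.locked_until[key]:
            return True                      # still inside an active lockout
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

def replay(log_text, guard=None):
    """Feed the failed logins from a log through the guard; return the ranges locked."""
    guard = guard or LoginLockdown()
    locked = set()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if guard.failed(m.group(2), when):
            locked.add(range_of(m.group(2)))
    return locked
```

With the sample log, the fifth failure from the 203.0.113.x range at 10:00:11 trips the lock, while the successful login from another range is ignored.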
5. Stop storing your passwords in your browser
The next time your browser asks you if you want to store that five millionth set of login details or turn on AutoComplete, think again. It’s not actually that hard for a hacker once they’ve cracked your computer to subsequently get all of your password details. Things get messy that way!
I use a system called LastPass which is basically the daddy of all password management systems. And best of all, it’s totally free. Not only does it store all of your new passwords in a very secure “vault”, it saves the insecure browser passwords and removes them from your browser and it generates excellent quality passwords and assigns them to the saved site in a click. It autocompletes with ease and you can lock it down pretty tightly, so no more mashing of heads on keyboards to make OR remember a password.
These are the main aspects of keeping your site ship-shape and hacker-free, but nothing is foolproof. Make sure that you back that shit up regularly in case the worst happens!