If you follow my weekly “Best Blog Post” series you have seen many scary reports about an increasing wave of brute force attacks on WordPress sites. These reports are strong reminders to secure our accounts with a good, secure password.
At any given time I’m helping several website owners take charge of their website or fix errors, and I am amazed by the number of websites that don’t have the most basic security and SEO functionality installed or activated. What is even more surprising is that most of those were not set up by hobby bloggers but purchased from developers.
Ok, I’ll stop ranting 🙂
Bottom Line: Stop using “admin” and weak passwords!
For WordPress the easiest way to do this is to create a new account with administrator rights, reassign your posts to the new account, and then delete “admin” as a user.
If you don’t want to deal with all that back-end stuff, contact your webmaster or…send me an email
But what is behind all of these scary reports?
In cases like these I like to contact my trusty network of helpers, and my friend Cate Eales of Computer Care Kelowna happens to have a lifetime of experience in computer and network security. Cate operates a mobile computer business, Computer Care Kelowna, providing on-site service for home and business customers. Her weekly column, “Getting Along With Your Computer”, appears Mondays on castanet.net, and the column archive is available online at any time.
First I asked Cate to explain what all the fuss is really about:
- What is a brute force attack?
- What is a “bot-net”?
- How do hackers get my password?
Brian Krebs is a well-known security expert, and I got some of the information from this blog post: http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/.
One thing I like about Cate’s advice is that she has well-founded suggestions for what to do.
(apologies for the first 1.5 minutes of silence - you can drag the player’s position marker forward)
Summary:
- Create a strong password
- Use a login that is not a common login
- What a strong password really is
- Don’t use a word that can be easily guessed
- The best way to create a password is using a phrase
- You want to use these strong passwords and still be able to remember them
- Ways to remember them
- What account name you should use instead of admin
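To make the “use a phrase” advice concrete, here is a small added example (my own illustration, not code from the post or from Cate) that compares how long a brute-force bot would need to guess a short dictionary-style password versus a multi-word passphrase. The common-password list, the 16-entry word list and the guess rate are all constructed stand-in values; the Diceware list size of 7776 is the one real-world figure.

```python
"""Passphrase strength demo (added example, not from the original post).

Shows why a single short password falls to a brute-force or dictionary
attack quickly while a passphrase built from several randomly chosen
words does not. All lists and rates below are constructed for illustration.
"""
import math
import secrets

# Constructed: a tiny stand-in for the dictionary an attacking bot tries first.
COMMON_PASSWORDS = ["admin", "password", "123456", "letmein", "welcome",
                    "qwerty", "monkey", "dragon", "football", "sunshine"]

# Constructed: a very small word list. A real list (e.g. Diceware) has
# thousands of entries, which is what makes passphrase entropy large.
WORDLIST = ["cobalt", "river", "lantern", "pebble", "orbit", "velvet", "maple",
            "ember", "quartz", "harbor", "tundra", "saffron", "glacier",
            "meadow", "cinder", "pilot"]

DICEWARE_SIZE = 7776   # size of the standard Diceware word list (6^5)


def is_common(password: str) -> bool:
    """True if the password is on the (constructed) list a bot would try first."""
    return password.lower() in COMMON_PASSWORDS


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` symbols chosen uniformly
    from `alphabet_size` possibilities (words count as symbols here)."""
    return length * math.log2(alphabet_size)


def guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is tried."""
    return (2 ** bits) / 2 / guesses_per_second


def make_passphrase(word_count: int, sep: str = "-") -> str:
    """Build a passphrase from uniformly chosen words using a CSPRNG
    (random.choice would be the wrong tool for a secret)."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(word_count))


def compare(guesses_per_second: float = 1_000.0) -> dict:
    """Return expected guess times (seconds) for three password styles.
    The guess rate is a constructed illustrative number."""
    return {
        "8 lowercase letters": guess_time_seconds(entropy_bits(26, 8), guesses_per_second),
        "4 words, 16-word list": guess_time_seconds(entropy_bits(len(WORDLIST), 4), guesses_per_second),
        "4 words, Diceware list": guess_time_seconds(entropy_bits(DICEWARE_SIZE, 4), guesses_per_second),
    }


if __name__ == "__main__":
    print("admin is common:", is_common("Admin"))
    print("example passphrase:", make_passphrase(4))
    for style, seconds in compare().items():
        print(f"{style:24s} ~{seconds / 86400:,.1f} days")
```

The takeaway is in the exponent: a four-word passphrase from a real-sized word list carries about 52 bits of entropy, and every extra word adds roughly 13 more, whereas a word that appears in the attacker’s list has effectively zero bits no matter how it is spelled.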
Sutton is known, albeit apocryphally, for the urban legend that he said that he robbed banks “because that’s where the money is.” ~Wikipedia
Here are more valuable resources Cate shared with me:
- The Sucuri Blog is here: http://blog.sucuri.net/.
- If you ever want to check your (WordPress) site to see if it’s serving up malware or blacklisted, try the (free) SiteCheck API here: http://sucuri.net/services/sucuri-sitecheck-api. It’s awesome.
- I drew heavily from a blog post about the Brute Force timeline here: http://blog.sucuri.net/2013/04/the-wordpress-brute-force-attack-timeline.html.
Sites like http://random.pw can help you create a strong, yet memorable password. It even has a password strength checker so you can gauge how strong your passwords are.
Thanks for the tip Joel!