WordPress Security: Passwords


Internet security and privacy frequently makes the news these days with big name sites falling prey to hackers. We store more information online than we ever have before and we’re rightly concerned about the security of that information. If you own a website, you’re a potential target for hackers, but maybe not for the reasons you think.

As I monitor & maintain a growing number of WordPress sites, I have noticed over the years and especially of late, a gradual increase in malicious activity. Taking the steps to secure your WordPress site is a bit like backing up your data or wearing a seat belt – it’s best done before disaster strikes!

WordPress is Popular

WordPress (WP) is hugely popular and considered by many to be the number 1 open source content management system available. WP now powers around 17% of the top 1 million sites on the web and around 60 million ‘blogs’ (half of those on wordpress.com and many with ‘blogs’ as only part of the site).

This is great news as it means a solid future for the WP platform. The other side of the popularity coin is that hackers are becoming more interested in breaking into WP sites.

Why would someone want to hack into my site?

You may think that no one would be interested in your site, after all you’re a small business doing good things in the world, why would anyone want to bother you?

The short answer is money. Most hackers want to place hidden links or malware on your site which either directly or indirectly allow them to advertise (dodgy) products and will try to do so via automated programs. So it’s usually not personal – it’s all about the moolah.

Is WordPress Secure?

The short answer is yes, WP is secure but no site that’s accessible via the internet will ever be 100% secure. The core of the WP program is secure but your server and the way your WP site is installed & configured, your themes, plugins or passwords may not be.

What should I do?

Most attacks on your site are automated ‘brute force’ attacks. They attempt to guess your user name and password. Most try the old default user name ‘admin’, generate passwords and repeatedly attempt to log in. Some I have noticed recently sniff out your user name and then work on your password. This is only a problem if your password is weak. There are a range of measures that can be used to secure your site; however, at the top of the list is ensuring that your passwords are ‘strong’. So here’s a list of recommended practices and things to avoid.
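
The automated login attempts described above leave a recognisable trace in the web server’s access log: repeated POST requests to wp-login.php from one address. The script below is an added example (not code from the original post) that flags addresses making many failed login attempts within a short window. It assumes the standard Apache/Nginx combined log format and relies on the fact that WordPress re-renders the login form with status 200 when the credentials are wrong and redirects (302) when they are right; the log lines it scans are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not real traffic.
# WordPress answers a failed login with 200 (form re-shown) and a successful
# one with a 302 redirect to wp-admin, so repeated "POST /wp-login.php ... 200"
# lines from one IP are the brute-force signal.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2013:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2013:10:01:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Return {ip: [timestamps]} of failed wp-login.php POSTs, oldest first."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue  # only login form submissions count
        if m["status"] != "200":
            continue  # 302 means WordPress accepted the credentials
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append(ts)
    for times in attempts.values():
        times.sort()
    return attempts


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with >= threshold failures in any window."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits, record its size.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```

On the constructed log, 203.0.113.7 is flagged (five failed attempts in five seconds) while 198.51.100.4, which fails once and then logs in, is not. The threshold and window are deliberately parameters: a site with many legitimate users will want looser values than a single-author blog, and the output is the sort of thing you would feed to a firewall block list or a login-limiting plugin rather than act on by hand.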

Password Do’s and Don’ts

Don’t use the same password across all your websites or accounts. If one is compromised the others may follow.
Don’t use any combination of your own real name, username, company name, or name of your website.
Don’t use a word from a dictionary, in any language.
Don’t use a short password, a numeric-only or alphabetic-only password.

Do make your password at least 8 characters long, preferably 15 – think about using a ‘pass-phrase’.
Do use upper and lower-case alphabet characters as well as numbers and symbols/special characters (e.g. ^ & * # _).
Do change your passwords every month (or at least every 3 months).
Do make sure your personal computer is also secure – especially if you store your passwords on it!
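
The do’s and don’ts above can be checked mechanically. The function below is an added example, not code from the original post, that tests a candidate password against each rule: minimum length (8 by default, 15 for the recommended length), the numeric-only and alphabetic-only bans, the mix of upper-case, lower-case, digits and symbols, any appearance of your name, username, company or site name, and a dictionary-word check. The dictionary and the personal terms are constructed stand-ins; a real deployment would load a full word list.

```python
import re
import string

# Constructed stand-in for a dictionary word list. A real check would load a
# full list (for example /usr/share/dict/words or a leaked-password list).
DICTIONARY = {"password", "welcome", "sunshine", "letmein", "monkey", "dragon"}


def check_password(password, forbidden_terms=(), min_length=8, dictionary=DICTIONARY):
    """Return the rules from the do's and don'ts list that the password breaks.

    forbidden_terms: your real name, username, company name and site name.
    min_length:      8 is the floor from the list; pass 15 for the recommended length.
    An empty result means the password passes every rule.
    """
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isdigit():
        problems.append("numeric-only")
    if password.isalpha():
        problems.append("alphabetic-only")

    # Character-class mix: upper, lower, digits and symbols/special characters
    # (string.punctuation covers ^ & * # _ and the rest of the ASCII symbols).
    classes = [
        ("no lower-case letters", str.islower),
        ("no upper-case letters", str.isupper),
        ("no digits", str.isdigit),
        ("no symbols", lambda c: c in string.punctuation),
    ]
    for label, test in classes:
        if not any(test(c) for c in password):
            problems.append(label)

    # Real name, username, company or site name appearing anywhere, any case.
    for term in forbidden_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains {term!r}")

    # Dictionary word, also after stripping digits/symbols ("Password1!" -> "password").
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or (letters_only and letters_only in dictionary):
        problems.append("is based on a dictionary word")

    return problems


def is_strong(password, **kwargs):
    """True when check_password reports nothing."""
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # Constructed personal terms for the demo: a name, a username and a company.
    terms = ("Jane", "janesmith", "Acme")
    for candidate in ("12345678", "Password1!", "Acme2013!", "correct-Horse-battery-7"):
        result = check_password(candidate, forbidden_terms=terms, min_length=15)
        print(f"{candidate!r}: {result or 'passes'}")
```

Note that the pass-phrase ‘correct-Horse-battery-7’ passes even the 15-character rule while ‘Password1!’ fails only the dictionary check, which is why the rule about dictionary words matters: the character mix alone says nothing about how guessable a password is.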

Yes, a ‘strong’ password may be difficult to memorise, but there are good password managers available such as 1Password (https://agilebits.com/onepassword) which make the process easier.

If you want to test the strength of different types of passwords, this site is interesting and a bit of fun: http://www.howsecureismypassword.net

Like backing up your data, it’s easy to put off sorting your passwords, but the negative impact of a compromised website (or any of your online or mail accounts) on your business and reputation means it’s something worth doing sooner rather than later.

If you have any queries about website security, are unsure about how to change your password or would like a website security audit, don’t hesitate to get in touch.

More resources: http://codex.wordpress.org/Hardening_WordPress

This post is based on an article in the Jan 2013 newsletter – more on security in coming newsletters.

Read Part 2 of this series: Easy Secure Passwords.
