Protecting Your WordPress Sites With Good Passwords

WordPress Admin Security

The most obvious security issue with WordPress is your administrator account logon information. By locking that down you can protect your website content and install information. 

But there are other security measures you should implement if you really want your site to be secure. We’ll talk about those on this episode 113 of the BeBizzy Break Podcast.

Protecting Your WordPress Sites With Good Passwords

by BeBizzy Consulting | BeBizzy Break Podcast

Your WordPress Admin Account

There are several ways for a hacker to gain control of your website or server. I’m going to start with the most obvious, then give you some tips on protecting the rest of your site and on social engineering opportunities.

  • Admin Accounts

    • Admin Passwords – choose a good password. I assigned a tough, 16-character admin password today which was promptly changed by the user to a weak password. The client didn’t want the increased security that comes from disallowing weak passwords, so now an admin has an easy password, which allows total access to the site and the data.
    • Delete unused accounts – I recently killed a few accounts on a site that technically hadn’t been active in over five years. However, if that person had really wanted to cause an issue, it would have taken no time to change that password, log in to the site and start causing all kinds of damage. And technically, it wouldn’t have to be the person who “owned” that account; it could be hacked by virtually anyone, especially if they had email access (see below).
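The weak-password problem above can be enforced on the server rather than left to the user. What follows is an added example, not code from the podcast or from BeBizzy: a small must-use plugin that rejects short passwords on the profile form, the “Add New User” form and the password-reset form, using the WordPress core hooks user_profile_update_errors and validate_password_reset. The 16-character minimum and the function names are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Minimum Password Length (added example, not BeBizzy's code)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It rejects passwords shorter than a minimum length on the profile form,
 * the "Add New User" form and the password-reset form, so an administrator
 * cannot quietly replace a strong assigned password with a weak one.
 * The 16-character minimum is an assumption chosen for this example.
 */

const BEBIZZY_EXAMPLE_MIN_PASSWORD_LENGTH = 16;

/**
 * Returns an error message if the password is too weak, or null when it is acceptable.
 */
function bebizzy_example_password_problem( string $password ): ?string {
    if ( strlen( $password ) < BEBIZZY_EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf(
            'Passwords must be at least %d characters long.',
            BEBIZZY_EXAMPLE_MIN_PASSWORD_LENGTH
        );
    }
    // Reject passwords built from one or two repeated characters ("aaaaaaaaaaaaaaaa").
    if ( count( array_unique( str_split( $password ) ) ) < 4 ) {
        return 'Passwords must use more than three distinct characters.';
    }
    return null;
}

/**
 * Profile edit and "Add New User" forms: WordPress posts the new password as pass1.
 * Core action: user_profile_update_errors( $errors, $update, $user ).
 */
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ): void {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return; // Password field left empty: the password is not being changed.
    }
    $problem = bebizzy_example_password_problem( $password );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', $problem ); // Adding an error aborts the save.
    }
}, 10, 3 );

/**
 * Password-reset form (wp-login.php?action=rp).
 * Core action: validate_password_reset( $errors, $user ).
 */
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ): void {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return;
    }
    $problem = bebizzy_example_password_problem( $password );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Because the file sits in mu-plugins it cannot be deactivated from the dashboard, so an administrator who dislikes the rule cannot simply switch it off; only someone with file access to the server can remove it.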

Other Website Security Concerns

So once you have a handle on the admin accounts in WordPress, it’s time to take a quick audit of the other weak links.

  • Your email password – This is 100% the most important password you will ever use. Almost every password recovery, confirmation, and communication from other systems comes through your email. If someone gets your email password, they can get almost anything else, including your bank, your credit cards, your mobile phone records, Office accounts, business files… everything.

    Make your email password as secure as humanly possible, set up two-factor authentication (2FA) where possible, and guard this password with your life.

  • Password Managers – Now that I’ve made it clear your email is THE weakest link, a good password manager like LastPass is essential for managing strong, unique passwords for all of your pages. And most modern browsers make it easy to auto-fill or copy/paste passwords into your web apps and pages.
  • Server login – For an attacker, having access to a WordPress site is good, but getting direct access to the server through WHM or cPanel is even better. From there you could point the site at a different location, change some of the settings, or even just delete everything. Lock that down with a good password.
  • Registrar – Hijacking a domain name isn’t new, but it is relatively easy with access to the registrar. From there DNS records can be changed, contact emails can be changed, and domains can even be cancelled/deleted. Turn on 2FA and set a good password.
  • Other technical sources for the site – Make sure logins to your CDN, WooCommerce account, plugin sources and more are all protected with great passwords and 2FA.

Passwords will usually scare off the casual hacker, but to secure your site against those with a little more skill you may have to take some additional measures. Set good passwords, utilize 2FA when possible, and change the passwords on a regular basis.

Update on WordPress 5.4, which was released on March 31, 2020: some issues are emerging with the editor going full screen, and with favicons disappearing or affecting load time. So at this time I would advise you not to update until an incremental update is released to address some of these concerns.

Have horror stories or tips on securing your WordPress or other website? Send them to me @BeBizzy on Twitter!

Time To Check If You Own Your Digital Real Estate

Do You Own Your Digital Business Real Estate

Your business probably has a domain, email addresses, SSL certificates and a ton of other places where you live your digital life. But do YOU have control of them, or does another company or employee own them?

Own Your Digital Real Estate

by BeBizzy Consulting | BeBizzy Break Podcast

There are several things you should own in your digital life. One of the main reasons for having control of them is that when something needs to be renewed, YOU get the notice and can choose whether or not to renew. What you should “own” is:

  • Domain – your domain is your home. It is where your customers are looking for information, so make sure you have leased the domain and are the administrative contact.
  • Social Media Accounts – social media is getting more prevalent in your life, for better or worse. But it’s where many people live on the internet, so if you are posting and driving traffic from Facebook, Twitter, LinkedIn, etc., create the account yourself and keep control of it.
  • SSLs – If you are using an SSL certificate, and you should, again lease the certificate yourself instead of through your host, developer or other company.
  • WordPress Plugins – Many websites lean on plugins to achieve certain tasks. Not renewing a plugin can cause the site to lose functionality.
  • Email Accounts – Whether you like to admit it or not, companies rely more on email than phone calls. Know, and own, the location that hosts your email. Get admin rights as well.
  • Google Analytics Account – did you know Google Analytics accounts and information are not transferable? That’s right… if your previous developer or marketing team created the GA account there’s a good chance if you ever want to move it or take control of it yourself you get to start over. So create your own account and move now.

Some digital items are not critical, or even beneficial, to own yourself. Things that you can “own” but that are OK for your marketing or technical team to own as well are:

  • Admin access – Many relationships are known to be “over” before it’s announced. Having admin access to the site, or at the very minimum READ access, will allow you to download the files and databases before something catastrophic happens.
  • Hosting – it’s unusual for small companies to lease their own server space, since it can be expensive and puts the management back on you as the business owner to handle when it goes down, needs updating or has other issues.
  • Google Ads – Most of the time Google Ads are managed by marketing teams and can be accessed by the business owner and the marketing agency.
  • Social Media/Review Management – Admin access can be given to marketing teams or management companies, and it can also be revoked just as easily.

With “owning” these pieces of your digital real estate comes some great responsibility. If you choose to log into ANY of these items, make sure you do not make changes unless you are prepared for the possible issues. In many cases data and files may not be backed up, and if deleted or edited they can be costly, or even impossible, to recover.

I’ll use this to issue my standard warning of back up, back up, back up. Own your backups. Save your backups. Download and backup your social media posts and other info. Keep your email server backed up. 

Backups are normally portable and in an emergency you can set up a new server and site in days, not weeks. But if you don’t “own” your domain you are relying on someone else to point towards the new host, which can be an issue. By owning it yourself you still may need help but you just need to find THAT person instead of relying on a negative relationship to accomplish the task. Own your own digital real estate.

Comments or No Comments on WordPress?

Should I allow comments on my WordPress website?

It’s an ageless question. Leave comments turned on in every page of my website, only leave them on the blog posts, or turn them off everywhere?

There are pluses and minuses to all varieties of answers, but on today’s episode of the BeBizzy Break Podcast we talk about whether you should leave them on, how you can protect yourself if you do, and how to remove them if you don’t.

Subscribe to the BeBizzy Break Podcast on iTunes and Stitcher Radio

Some Things To Consider About Comments

In short, WordPress comments are feedback, positive or negative, left by visitors to your website. Usually they are at the bottom of the page, and while they often require the commenter to provide some data, they don’t always provide a way to communicate with the person making the comments outside the page.

On the plus side, comments are a great way for your visitors, customers and readers to leave a message about the content. That usually involves something positive or negative, a response back to a current comment, or a general comment about the site or author. These comments can serve as a “social proof” to other visitors that you have an engaged community and might prompt a newsletter signup, frequent visits, or even a sale.

However, the negative side of comments is distracting at best, and damaging at worst. Unmonitored commenters can be aggressive, even threatening, at times. Comments can be very negative about the content, the author or the company hosting the page. SPAM commenters can come in and offer their services or products in the comment thread to supplement or replace the products offered on the page. Images and language can be used in the comments that could potentially be abusive, even illegal, if not monitored or combated.

So you can see that while comments can be a valuable way to increase reader engagement, sometimes they really should be turned off for the protection of the website owner and the consumers of the content.

How Can I Protect My Comment Stream?

There are several things you can do to protect your website from malicious comments. 

  • Require an account with a verifiable email address before commenting: This will sort out the low-hanging fruit of people who do not want to be found after making negative comments. These folks don’t have “burner” email accounts and fake names, so having to supply actual names and contact info can sometimes be enough of a deterrent.
  • Put a comment filter in place like Akismet: Akismet will look for obvious signs of spamming and put these comments in a held state waiting for approval. Then the admin (or you) can go in and either approve or reject. If rejected, you will have the option to block all comments from this user/IP.
  • Use a comment system like Disqus: Moving away from the standard WordPress commenting system to one like Disqus allows users to use the same identity across several websites. So just logging into Disqus and making comments speeds up the process.

  • Employ monitors or admins: No one has time to monitor website comments if the site is large and doing well. For smaller, less visited sites you can see every comment, respond and remove as necessary. But if the site grows, you will have to employ or recruit some people to help out. Often these are frequent commenters who volunteer or can be trusted, but occasionally you will have to pay for professional help.

How Can I Turn Comments Off?

I’m a fan of turning comments off. I simply don’t have the time, or the desire, to look through every post, comment, article and page to look for valuable or damaging content. So I turn them off with a plugin for my website and my clients’ websites.

  • WordPress settings has a toggle to turn off “future” comments: This works great if you’re building a new site and don’t have any comments. But if you do, the old comments will remain.
  • Disable Comments Plugin: simply my go-to comment killer plugin. It can be installed and activated, then configured to turn off all, none, or some of the comments on the site. Want comments only on blog posts, not pages? Easy. Want to kill all of them? Even easier.
  • Disable Comments and Delete Comments Plugin: A fairly new plugin that does more or less the same thing as the earlier Disable Comments plugin. Quite simply, it just deletes and disables all comments.

Comments can be a great way to measure engagement, have visitors promote or provide critical analysis of your content, and even allow pingbacks and other shares of the content. But they can also be a drain on resources, especially time, and even be distracting or abusive to your other readers. Use them with caution, put failsafes in place, and if it gets unmanageable, turn them off before they become damaging to you and your website.

Have any questions or suggestions on website comments? Leave them below, or send them to me @BeBizzy on Twitter!

Using Two Factor Authentication (2FA) For Better Security

What Is 2FA (two factor authentication)

In the most basic form, two factor authentication (2FA) combines two of the following:

  • Something you KNOW – password, a PIN, answer to a security question
  • Something you HAVE – driver’s license, phone, last four of credit card
  • Something you ARE – face scan, fingerprints, voice

So, realize it or not, you’ve been using 2FA for many, many years. Every time you enter a PIN for a debit card, provide the last four of your social security number to a bank, or even use a fingerprint to log into your phone, you are using a second “factor” to authenticate.

Where Should I Use 2FA?

Many “secure” web apps or websites offer 2FA as an option that has to be enabled. When you try to log into your bank or mortgage company you will often be asked a security question, have to enter a PIN, approve a security image, etc. But unless you enable 2FA, in some places a simple password is all that stands between another user and your email, social media accounts or banking information.

How Does 2FA Work?

Traditionally, on a website or phone app, the user enters a password on the computer or device, which triggers something to happen from the application. An SMS is sent with a code, you are prompted to engage the fingerprint reader, or it asks for another time-coded PIN from a secure authenticator application. The user then enters the code, provides a fingerprint or other criteria, and is logged into the application.

Of the more popular methods, SMS is the least secure. SMS can be intercepted, sometimes read on multiple devices, or in extreme cases the phone number itself can be hijacked.

Fingerprints are the obvious choice for most secure. Virtually impossible to fake, fingerprints are with you pretty much all of the time. Make sure you enroll several fingers from both hands. On occasion users can injure specific fingers or, in the most extreme circumstances, lose a digit, which would make reading impossible.

Authenticator applications are becoming more and more popular in recent years. These apps run on your phones and reset a code every 30-60 seconds. When you try to log into the app, it will ask for a password, then ask for a six-digit 2FA code. You pull out your phone, open the app and find the appropriate code, enter it into the field on the app, and if the two match, you are logged in. 
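How the six-digit code is produced and checked, as an added example rather than code from the podcast: the code is an HMAC of a shared secret and the current 30-second time step (RFC 6238, built on the HOTP counter scheme of RFC 4226), so the phone and the server compute it independently and nothing but the code itself ever travels. The function names are mine; the secret and expected codes are the published RFC 4226 and RFC 6238 test vectors, and the verifier additionally shows the two things a server has to get right, tolerating a little clock drift and refusing a code that has already been used.

```php
<?php
// RFC 6238 time-based one-time password (TOTP) generation and verification in
// plain PHP. Added example, not code from the podcast; it needs only the PHP
// standard library and runs offline with: php totp_example.php

// Decode an RFC 4648 base32 string (the format behind the QR code / setup key).
function base32_decode_key( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $val = strpos( $alphabet, $ch );
        if ( false === $val ) {
            throw new InvalidArgumentException( "Invalid base32 character: $ch" );
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {   // drop the leftover padding bits
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation".
function hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0F;           // low nibble of the last byte picks the window
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP (RFC 6238): HOTP with counter = floor(unix_time / step); the common apps use a 30 s step.
function totp( string $secret, int $unix_time, int $step = 30, int $digits = 6 ): string {
    return hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

// Server-side check. Accepts the current step and one step either side so a phone
// clock that is a few seconds off still works, and remembers the highest step already
// accepted so a captured code cannot be replayed inside the same window.
function verify_totp( string $secret, string $submitted, int $unix_time, ?int &$last_counter, int $step = 30 ): bool {
    $counter = intdiv( $unix_time, $step );
    foreach ( [ 0, -1, 1 ] as $drift ) {
        $candidate = $counter + $drift;
        if ( null !== $last_counter && $candidate <= $last_counter ) {
            continue; // already consumed
        }
        if ( hash_equals( hotp( $secret, $candidate ), $submitted ) ) {
            $last_counter = $candidate;
            return true;
        }
    }
    return false;
}

// Checks against the RFC test vectors. Both RFCs use the secret ASCII
// "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ).
// RFC 4226 lists HOTP codes 755224, 287082, 359152 for counters 0, 1, 2;
// RFC 6238 lists 8-digit codes 94287082 at T=59 and 07081804 at T=1111111109,
// of which a 6-digit app shows the last six digits.
function self_test(): bool {
    $secret = base32_decode_key( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
    if ( '755224' !== hotp( $secret, 0 ) || '359152' !== hotp( $secret, 2 ) ) {
        return false;
    }
    if ( '287082' !== totp( $secret, 59 ) || '081804' !== totp( $secret, 1111111109 ) ) {
        return false;
    }
    $last = null;
    // A fresh code is accepted in its own step (T=59 is step 1) ...
    $ok1 = verify_totp( $secret, '287082', 59, $last );
    // ... but once the clock has entered step 2 (T=60), replaying it is refused even
    // though step 1 is still inside the drift window, because step 1 was consumed.
    $ok2 = verify_totp( $secret, '287082', 60, $last );
    // A code from the previous step is still accepted 20 s into the next one (clock drift).
    $ok3 = verify_totp( $secret, '081804', 1111111109 + 20, $last );
    return $ok1 && ! $ok2 && $ok3;
}

echo self_test() ? "TOTP self-test passed\n" : "TOTP self-test FAILED\n";
```

The drift window is why the code on your phone usually still works a few seconds after it rolls over, and the “last accepted step” record is what stops an intercepted code from being reused during those same seconds; a real implementation stores that counter per user, not in a local variable.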

Possible Issues with 2FA

Well, the most obvious is not having your phone, or having it unusable. However, most services that use 2FA, like Google and Facebook, have “backup” codes. If you have the codes but not access to your device you can still authenticate. The danger of saving these backup codes is that now you have an insecure printed code lying around, which sort of defeats 2FA.

Time is another issue. Most of us want access to information and entertainment now. Having to open an app, pull out a text, or even manipulate the phone for fingerprint reading can take precious seconds… but isn’t security worth that time? Think of the minutes, hours or even DAYS it would take to recover or repair a hacked account!

Authenticator Applications

Several times I’ve referenced authenticator apps in this discussion. These apps are fairly easy to use. When you turn on 2FA on your app or website, a code or QR code will appear. You add a site to the authenticator, it will ask for the code or the QR scan, ask for a confirmation code, and you’re all set up! Below are some of the most popular authenticators for Android. Most are available on iOS as well, and there are almost no differences in how these programs work.

  • Google Authenticator – The most popular 2FA app. If you use Gmail or GSuite it has very easy integration to secure your email and other Google applications.
  • andOTP – Free and open source, it’s a very easy to use application that is compatible with Google Authenticator 2FA codes.
  • Microsoft Authenticator – Google’s biggest competitor
  • Authy – Probably the most popular app NOT created by Microsoft or Google, if you want to steer away from those two giants.

So how do I know if I can use 2FA?

Most sites that use 2FA have it listed in a security section of your profile. Simply looking there or through frequently asked questions will usually tell you if you are able to use 2FA.

There is a great list of websites and apps that use 2FA at TwoFactorAuth.org. This website has an organized list of sites and which types of 2FA they support. Some use SMS (texting), phone authentications, email or hardware/software tokens. This can be really helpful if you plan on using 2FA as part of the decision-making process.

Bottom Line on 2FA

Two Factor Authentication sounds scary. When you start talking about fingerprints and things of that nature people get weirded out by movies and potential issues. The bottom line is that by taking a few extra seconds to log into your favorite apps, cloud storage and banking sites you could be preventing endless hours of trying to recover those accounts. Who hasn’t heard stories of hacked financial accounts, or hijacked social media logins, or changed email passwords with no way to recover because the backup email account was changed?

While 2FA won’t completely stop this activity, it will keep the vast majority of hackers from trying further. It’s much more cost effective, in money and time, to move on to an easier target than to dig deeper into a secured account.

Take a few moments and test on something easy like Facebook. Then your email, then banking, then your website. You will feel better knowing you’ve taken some steps to be more secure.

Do you use 2FA? Send questions or comments to me @BeBizzy on Twitter!

Is WordPress Safe?

It’s a widely cited fact that WordPress powers 25% of the internet’s webpages. Think about that, 25%! And nearly 60% of the sites that use a CMS (content management system).

That is the main reason it is also a target. Like the popular Microsoft Windows or Android OS, WordPress powers so many sites that if you can find a way to compromise even a small percentage of websites using the system, you can gain access to literally millions of sites.

Because of this, one of the first questions I get when I suggest using WordPress is about security. But as I stated before, criminals and people looking to do general mischief are looking for the low-hanging fruit, the easy-to-hit sites. So with some basic precautions, your website can be even more secure than custom HTML sites.

Making WordPress Safe

There are a few basic steps that a web developer or your company IT guy can take to secure your new or existing WordPress site. Below is a list of plugins, best practices and other items used by BeBizzy Consulting and many others to make your site as secure as possible.

Backups

Let’s start off with the most important part of the security system. If you don’t have a good backup of the site, it doesn’t matter how you set the rest up. Something WILL cause your website to fail: the webhost could suffer an attack or hardware failure, you could alter some code and break the site, or a security breach could happen directly to your site. With no backup, there’s no easy way to return to “normal,” so at a minimum do a complete backup of the site files, and don’t forget to back up the database. There are automated methods for this process as well, which are highly recommended.

WordPress Updates

The easiest way to gain access to a WordPress site is through an out-of-date WordPress installation. I’ve recovered sites running on 2.x (current is 4.7), and that’s a scary endeavor. WordPress puts out major releases a couple of times per year, and security patches about once a month or so to stay ahead of the pinholes that are found in WordPress. The best part is there are thousands of people who are looking at WordPress, for good and for bad, who identify issues and get them repaired. Keep your site updated and make sure your PHP version can handle the update. If not, time to move!

I also suggest turning on automatic core updates. You should be able to toggle a switch that will update WordPress automatically for “X.x.x” updates, keeping your site secure without you even trying. Just make sure you test the site when notified of an update to make sure everything is running as it should.

Plugin Updates

The next best way to gain access to WordPress is through outdated or poorly programmed plugins. Last summer I worked on recovering a WP site that had a plugin that had not been touched by the developer in over five years. When I updated the site to a new WP version, the plugin crashed and I had to find an alternative, more up-to-date plugin that worked close to the same. But it’s not just about keeping the plugins updated; it’s keeping an eye open for poorly secured plugins as well. Do some research on a plugin before installing. Has anyone ever suffered a breach or WordPress crash after installing it? What is the support like? How often do they update?

One thing that is often overlooked is deleting themes that are not being used, or are not even active on the site. This is extra code that has been abandoned for one reason or another, and leaving it on your website can open a hole you don’t even know is there.

A final note on plugins, themes and other items is to NOT use pirated versions of software. Most plugins are fairly inexpensive and the alternative to paying $10 for a plugin is often spending hours, or even paying hundreds of dollars to have malicious code removed from a site. Pay the $10.

Themes

Next on the list of vulnerabilities is your theme. Every WordPress site runs on a theme, whether it’s the 2016 theme that came installed or one you paid for or got for free. Again, do a little research to make sure the theme you are planning to use isn’t a known security issue, isn’t unsupported or no longer updated, and isn’t poorly written before you install it on your site. Then, update it as soon as you get a notification it has been revised.

More Security Steps

Below are a few other steps that are taken by BeBizzy Consulting, and should be considered by your team, host, or developer to make your site as secure as possible.

Change Username

Like on a computer or virtually every other system, do not use “Admin” as your administrator username. Pick something a bit more robust and always use a secure password. Changing the password often also makes it more difficult for an intruder to keep access once it is gained.

Move The WP-Login.php Page

There are several plugins that allow you to choose a different admin login page for your site. Installing one of them and renaming your login to something less well known can stop some from even trying to access your admin, simply because it doesn’t exist at the usual spot.

Install a Security Plugin

Many sites have Sucuri or Wordfence installed to protect the admin and other parts of the site. Even the free versions will notify you when the admin is accessed and limit login attempts at wp-login.php, and the premium versions can lock down the admin to specific locations or IP addresses, scan for malicious code, and much more.
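What “limit login attempts” does under the hood, as an added example that is not code from Sucuri, Wordfence or BeBizzy: a must-use plugin that counts failed logins per source address in WordPress transients and refuses further attempts once a limit is reached, using the core authenticate filter and the wp_login_failed and wp_login actions. The limit, the lockout window and the function names are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not a Sucuri/Wordfence feature)
 *
 * After MAX_ATTEMPTS failed logins from one IP address within LOCKOUT_SECONDS,
 * further attempts from that address are refused before the password is even
 * checked. Counters live in WordPress transients, so no extra table is needed.
 * Drop into wp-content/mu-plugins/. The limits are assumptions for this example.
 */

const BEBIZZY_EXAMPLE_MAX_ATTEMPTS    = 5;
const BEBIZZY_EXAMPLE_LOCKOUT_SECONDS = 15 * 60;   // fifteen minutes

/**
 * Transient key for the caller's address. Behind a reverse proxy or CDN, REMOTE_ADDR
 * is the proxy; use the header that proxy sets and that you trust instead.
 */
function bebizzy_example_attempt_key(): string {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_fail_' . md5( $ip );
}

/** Count a failure. Core fires wp_login_failed with the username that was tried. */
add_action( 'wp_login_failed', function ( string $username ): void {
    $key      = bebizzy_example_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    // Every failure restarts the window, so pacing the guesses does not outwait it.
    set_transient( $key, $attempts, BEBIZZY_EXAMPLE_LOCKOUT_SECONDS );
    // Leaves an audit trail in the PHP error log for the admin to review.
    error_log( sprintf( 'Failed WordPress login #%d for user "%s"', $attempts, $username ) );
} );

/**
 * Refuse the login once the limit is reached. Priority 30 runs after core's own
 * username/password check (priority 20), so a locked-out address always gets this
 * error and learns nothing about whether the password was right.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( bebizzy_example_attempt_key() ) >= BEBIZZY_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

/** Clear the counter on a successful login. Core action: wp_login( $user_login, $user ). */
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    delete_transient( bebizzy_example_attempt_key() );
}, 10, 2 );
```

Because returning a WP_Error from authenticate also fires wp_login_failed, a locked-out address that keeps trying keeps extending its own lockout. The plugins mentioned above add what this sketch leaves out: per-username counters, allow-lists for your own office, and email notifications.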

Keep Your Site Safe

There are definitely more ways to secure your WordPress site. Editing the .htaccess file, hiding WordPress from source viewers, hiding site author names, picking a good (reputable) host, automating security audits, removing plugin and theme editors and others will help keep your site safe, but do require some knowledge and planning by someone that knows their way around WordPress.

Adding an SSL certificate to your site and hosting is also a good idea, not only for encrypting data being shared back and forth with users, but also for the search engines, which are starting to use it in their algorithms.
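Three of the steps above (automatic “X.x.x” core updates, removing the plugin and theme editors, and putting the admin behind SSL once the certificate is in place) are single lines in wp-config.php. The fragment below is an added example, not BeBizzy’s own configuration; the three constants are standard WordPress settings, and the comments are mine.

```php
<?php
// Hardening constants for wp-config.php (added example, not BeBizzy's own
// configuration). Place them above the line that reads
// /* That's all, stop editing! Happy publishing. */ so they take effect.

// Install minor (x.y.Z) core releases automatically. That is where the security
// patches ship; major releases still get tested on a copy of the site first.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Remove the plugin and theme code editors from the dashboard, so a stolen admin
// login cannot be turned into arbitrary PHP running on the server.
define( 'DISALLOW_FILE_EDIT', true );

// Serve the login page and the whole dashboard over HTTPS only, so the admin
// password and session cookie are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );
```

Set FORCE_SSL_ADMIN only after the certificate is installed and the site answers on https; turning it on beforehand locks you out of the dashboard until the line is removed again.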

I still feel that having a good backup is THE step you have to take. If you have a restore point on which you can rely, you can move, restore or save your website pretty easily. But if you are starting from a dirty site and have to clean it, be prepared to spend either a lot of time, or a fair amount of money, to have it back up. And frankly, sometimes it’s even more cost effective to build over than to attempt the save.

Have questions about securing your WordPress site, or considering a new website? Contact BeBizzy Consulting today, and leave the technical stuff to us!