Protecting Your WordPress Sites With Good Passwords

WordPress Admin Security

The most obvious security issue with WordPress is your administrator account logon information. By locking that down you can protect your website content and install information. 

But there are other security measures you should implement if you really want your site to be secure. We’ll talk about those on this episode 113 of the BeBizzy Break Podcast.

Protecting Your WordPress Sites With Good Passwords

by BeBizzy Consulting | BeBizzy Break Podcast

Your WordPress Admin Account

There are several ways for a hacker to gain control of your website or server. I’m going to start with the most obvious, then give you some tips on protecting the rest of your site and on social engineering opportunities.

  • Admin Accounts

  • Admin Passwords – choose a good password. I assigned a tough, 16-character admin password today which was promptly changed by the user to a weak password. The client didn’t want the increased security that comes from disallowing weak passwords, so now an admin has an easy password, which would allow total access to the site and the data.
  • Delete unused accounts – I recently killed a few accounts on a site that hadn’t technically been active in over five years. However, if that person had really wanted to cause an issue, it would have taken no time to change that password, log in to the site and start causing all kinds of damage. And technically, it wouldn’t have to be the person who “owned” that account; it could be hacked by virtually anyone, especially if they had email access (see below).

Other Website Security Concerns

So once you have a handle on the admin accounts in WordPress, it’s time to take a quick audit of the other weak links.

  • Your email password – This is 100% the most important password you will ever use. Almost every password recovery, confirmation, and communication from other systems comes through your email. If someone gets your email password, they can get almost anything else, including your bank, your credit cards, your mobile phone records, Office accounts, business files… everything.

    Make your email password as secure as humanly possible, set up two-factor authentication (2FA) where possible, and guard this password with your life.

  • Password Managers – Now that I’ve made it clear your email is THE weakest link, a good password manager like LastPass is essential for managing strong, unique passwords for all of your pages. And most modern browsers make it easy to auto-fill or copy/paste passwords into your web apps and pages.
  • Server login – Having access to a WordPress site is good, but getting direct access to a server through WHM or cPanel is even better. You could point the site at a different location, change some of the settings, or even just delete everything. Lock that down with a good password.
  • Registrar – Hijacking a domain name isn’t new, but it is relatively easy with access to the registrar. From there DNS records can be changed, contact emails can be changed, and domains can even be cancelled/deleted. Turn on 2FA and set a good password.
  • Other technical sources for the site – Make sure logins to your CDN, WooCommerce account, plugin sources and more are all protected with great passwords and 2FA.

Passwords will usually deter the casual hacker, but to secure your site against those with a little more skill you may have to take some additional measures. Set good passwords, use 2FA when possible, and change the passwords on a regular basis.

Update on WordPress 5.4, which was released on March 31, 2020: some issues are emerging with the editor going full screen, and with favicons disappearing or affecting load time. So at this time I would advise you not to update until an incremental update is released to address some of these concerns.

Have horror stories or tips on securing your WordPress or other website? Send them to me @BeBizzy on Twitter!

Basic Technology Troubleshooting Steps

Troubleshooting Technology Is Easier Than You Think

Ever sit down at your desk ready to get the day started and push the power button on your computer, only to have NOTHING happen? I mean nothing. No lights, no fan sounds, nothing…

You’re not alone. But before you run out the door to your favorite computer or tech store to have it looked at, here are some tips on how you can solve the problem, or at least help the tech repair place solve the problem.

Subscribe to the BeBizzy Break Podcast on iTunes and Stitcher Radio

Basic Steps To Fixing Your Technology

There are some things you can do:

  • Reboot! – “Have you tried turning it off and back on again?”
    THE basic troubleshooting step is to power the device all the way down, give it a few seconds, then turn it back on. We have a tendency to leave tech in sleep mode or standby, and while that makes it easy to quickly power it back up, it can leave the device in a mode that isn’t fully functional. Rebooting also clears out running processes and programs that are using memory and even processor power.
  • Document Errors – If the reboot doesn’t fix your problem (it will, most of the time), write down or make note of the exact error you are seeing. Does it boot to a black screen, does it even turn on, is there an error box on the screen, can you close it out or move past it? This information is very important to you or the technician in solving the exact issue you are experiencing.

    If you can get past the error, type the exact error into Google and find out how thousands of other users have solved the exact issue.

  • Check the cables – Whether you’re talking about smartphones, computers, lights, TVs… whatever, cables come loose. Maybe it wasn’t plugged in correctly the first time and it worked itself loose. Power everything down, unplug and replug everything, then power back up. A loose cable can cause not only the attached device to stop working but also the operating system or top-line device.

Steps To Ensure You’re Prepared For A Breakdown

Tech issues are inevitable… here are some steps you can take so that when something big happens, you’re prepared.

  • Virus Scan – I’m not a fan of the big anti-virus programs like Norton, McAfee, Avast, etc. If you’re running a Windows computer, Windows Defender does a great job of protecting your PC. Just make sure it’s turned on, updated and running. I run a full scan around when I do a feature update (twice a year).
  • Updates – Keep your operating system, phone OS, and various programs and apps updated to keep small pinholes from being exploited by attackers. If Microsoft, Android or Apple is telling you NOT to run an update, hold off until they give you the green light.
  • Backups – Need to restore information damaged by viruses, attacks, broken hard drives or virtually anything else? Backups are your savior. Backups are also great in the event you get hit by ransomware. If your files are corrupted and you have a backup, you can tell the guy holding your tech hostage to pound sand, reinstall Windows and restore the backup. All you lose is some time.
  • Get Rid of Programs You Don’t Need – Uninstalling programs, apps or even browser plugins that you don’t use or will probably not update is a great way to harden your device against attack.
  • Eliminate Insecure Wi-Fi Hotspots – Lock your devices down to connect only to known and safe hotspots, and if you do have to run on an open network, use a VPN.

Regardless of how great your technology is, it will fail. It may be today, it may be four years from now, but it will fail. Power supplies quit turning on, hard drives stop spinning, memory fails. Prepare yourself for an issue, and if you do suffer a failure, take a few moments to reboot and document the issues, and hopefully you will get your machine back online in minutes, not days.

Have any questions or suggestions on fixing your own technology issues? Leave them below, or send them to me @BeBizzy on Twitter!

Using Two Factor Authentication (2FA) For Better Security

What Is 2FA (Two Factor Authentication)?

In its most basic form, two factor authentication (2FA) means using two of the following:

  • Something you KNOW – password, a PIN, answer to a security question
  • Something you HAVE – driver’s license, phone, last four of credit card
  • Something you ARE – face scan, fingerprints, voice

So, realize it or not, you’ve been using 2FA for many, many years. Every time you enter a PIN for a debit card, provide the last four of your social security number to a bank, or even use a fingerprint to log into your phone, you are using a second “factor” to authenticate.

Where Should I Use 2FA?

Many “secure” web apps or websites offer 2FA as an option that has to be enabled. When you try to log into your bank or mortgage company you will often be asked a security question, have to enter a PIN, approve a security image, etc. But unless you enable 2FA, in some places a simple password is all that stands between another user and your email, social media accounts or banking information.

How Does 2FA Work?

Traditionally, on a website or phone app, the user enters a password on the computer or device, which triggers something to happen from the application. An SMS is sent with a code, you are prompted to engage the fingerprint reader, or it asks for another time-coded PIN from a secure authenticator application. The user then enters the code, provides a fingerprint or other criteria, and is logged into the application.

Of the more popular methods, SMS is the least secure. SMS can be intercepted, can sometimes be read on multiple devices, and in extreme cases the phone number itself can be hijacked.

Fingerprints are obviously the most secure. Virtually impossible to fake, fingerprints are with you pretty much all of the time. Make sure you enroll several fingers from both hands. On occasion users can injure specific fingers or, in the most extreme circumstances, lose a digit, which would make reading impossible.

Authenticator applications have become more and more popular in recent years. These apps run on your phone and generate a new code every 30-60 seconds. When you try to log into an app, it will ask for a password, then ask for a six-digit 2FA code. You pull out your phone, open the authenticator, find the appropriate code, enter it into the field on the app, and if the two match, you are logged in.

Possible Issues with 2FA

Well, the most obvious is not having your phone, or having it be unusable. However, most services that use 2FA, like Google and Facebook, have “backup” codes. If you have the codes but no access to your device you can still authenticate. The danger of saving these backup codes is that now you have an insecure printed code lying around, which sort of defeats 2FA.

Time is another issue. Most of us want access to information and entertainment now. Having to open an app, pull up a text, or even manipulate the phone for fingerprint reading can take precious seconds… but isn’t security worth that time? Think of the minutes, hours or even DAYS it would take to recover or repair a hacked account!

Authenticator Applications

Several times I’ve referenced authenticator apps in this discussion. These apps are fairly easy to use. When you turn on 2FA on your app or website, a code or QR code will appear. You add a site to the authenticator, it will ask for the code or the QR scan, then ask for a confirmation code, and you’re all set up! Below are some of the most popular authenticators for Android. Most are available on iOS as well and there are almost no differences in how these programs work.

  • Google Authenticator – The most popular 2FA app. If you use Gmail or GSuite it has very easy integration to secure your email and other Google applications.
  • andOTP – Free and open source, it’s a very easy-to-use application that is compatible with Google Authenticator 2FA.
  • Microsoft Authenticator – Google’s biggest competitor.
  • Authy – Probably the most popular app NOT created by Microsoft or Google, if you want to steer away from those two giants.

So how do I know if I can use 2FA?

Most sites that use 2FA have it listed in a security section of your profile. Simply looking there or through frequently asked questions will usually tell you if you are able to use 2FA.

There is a great list of websites and apps that support 2FA at TwoFactorAuth.org. This website has an organized list of sites and which types of 2FA they support. Some use SMS (texting), phone authentication, email or hardware/software tokens. This can be really helpful if you plan on using 2FA support as part of your decision-making process.

Bottom Line on 2FA

Two Factor Authentication sounds scary. When you start talking about fingerprints and things of that nature, people get weirded out by movies and potential issues. The bottom line is that by taking a few extra seconds to log into your favorite apps, cloud storage and banking sites you could be preventing endless hours of trying to recover those accounts. Who hasn’t heard stories of hacked financial accounts, hijacked social media logins, or changed email passwords with no way to recover because the backup email account was changed?

While 2FA won’t completely stop this activity, it will keep the vast majority of hackers from trying further. It’s much more cost effective in money and time to move on to an easier target than to dig deeper into a secure account.

Take a few moments and test on something easy like Facebook. Then your email, then banking, then your website. You will feel better knowing you’ve taken some steps to be more secure.

Do you use 2FA? Send questions or comments to me @BeBizzy on Twitter!