There are two main ways a website can be insecure: hacked user accounts and malicious exploits. The internet is still a lot like the Wild West (good thing we are a firm made of pioneers!). There aren’t a lot of enforceable rules, and it’s hard to figure out who the bad actors are.
User Accounts
Every person who is online needs to pay attention to user account management. Your usernames and passwords are the keys to the kingdom, and you need to keep them secure.
Passwords
First of all — no sharing passwords, especially by posting them in company documents or sending them via slack/email. No sharing goes triple for WordPress passwords. WordPress has excellent built-in user management. Even if you are working with a temporary contractor, that person should have their own username and password to your account.
Passwords need to be strong. Really strong. A mix of letters and numbers and special characters. You should have no hope of remembering your password, and it should be complicated to type in. Fear not—there is a solution to this so you can still have a good user experience.
Password Managers
Please use a password manager. We like 1Password. We suggest setting it up for everyone on the team and having a shared vault as well. Yes, I said no sharing, but let’s be realistic. You will have shared resources that you all login to. Keep those passwords here. Make them difficult. Never pass them outside of 1Password.
1Password will also generate passwords for you, so anytime you need one, you just create it and then save it to the account. Here is an example of a good generated password: 7k8R6s3@uyGreAWoRGJ
Two Factor Authentication
The best way to log in to secure sessions is by using a two-factor authentication token (abbreviated 2FA). Having two-factor authentication means that to get into your account, you enter your username, password, and a code from an authenticator. To log in, you have to have something you know (the username and password) and something you have in real-time (the authenticator code).
Our favorite 2FA app is Authy and we run it on our phones and watches.
Usernames
Never use admin as a username. It’s one of the easiest ways to crack a WordPress or other site. If bots start by testing ‘admin’ as the username, all they have to guess is the password. And bots don’t guess—they do something called brute force entry where they rapidly try many passwords to see if there is a combination that will get them in.
Using an email address is usually the best bet for a username (people forget ones they set up).
Malicious Exploits
Most of the WordPress sites that get compromised are due to insecure plugins. WordPress is open-source, meaning anyone can create and release a plugin. WordPress doesn’t vet these plugins, but a very active community of system admins are constantly watching, finding, and smashing vulnerabilities.
We usually ask clients not to install any plugins and to instead run them by us first to investigate the plugin. We look for a good support base, regular updates, and do some additional testing and vetting before we install them.
There are other exploits out there — things like code backdoors and cross-site scripting. We’re not trying to scare you or have you go looking in a dozen places but remind you that there are some simple steps you can take (like strong user accounts and vetting plugins) to keep your site safe. Beyond that, we take care of several other security updates for our clients.
Who would want to hack a site?
It usually has nothing to do with you or your company (unless you are being extorted or embarrassed). It’s like a lot of petty crime; someone could, so they did. So who would want to hack your site?
- Bored teenagers—and there are a lot of extra bored people stuck inside because of the COVID pandemic.
- All of Russia—that is partly a joke, but not really, we see the lion’s share of exploits coming from Russia.
- Botnets—this is the main culprit to website hacks. A botnet is several connected devices running code. They usually start by looking for vulnerabilities then corrupt the site.
Why would someone want to compromise a site?
People and bots hack sites for lots of malicious reasons.
- To serve up malware or irrelevant ads.
- To lock the site and demand ransom.
- To steal secure data and sell it or use it.
And general mayhem—like the ongoing MeowAttack that has deleted over 4000 databases (as of July 27, 2020) and left only the word ‘meow’ behind.
What to do if your website Is compromised
First off, get your website and security teams in direct contact as soon as possible. They need to work together to stop, find, and secure the vulnerability.
Next, it’s time to do a user audit and change passwords.
Then your tech people will dive deep.
In our office, and for our clients, we just scream STEVE! into the ether, and he shows up and fixes things. We recently gained a client because malicious code had infected their site, and their front-page removed. Then the hackers/botnet removed the WordPress login so they couldn’t get back in. Steve was able to route his way around it and fix their site. A few days later it went down again, we’d advised their original web firm to remove the flawed plugin—but they didn’t get to it. So we snuck back into the site and made things right. Then it happened again, this time we went in and deleted the plugin, which did remove some site functionality, and sent them on their way.
Anchor & Alpine Keeps Sites Secure
We work hard to keep the websites we manage secure. We offer managed hosting and are the gatekeepers of dozens of websites. We keep an eye on everything with a lot of security monitoring and log checking. If we find a vulnerability on one site, we often proactively address it with our entire managed hosting portfolio.
With all WordPress sites, we install additional security; we like Wordfence or iThemes Security.
Our commitment to security doesn’t end there. We have strict policies around data sharing, storage, and protection. We require 2FA on all logins. Our office has at least two locked doors before you can access our space. Our computers are all encrypted and set to remote-wipe, as are our other devices.
Security can no longer be an afterthought or something you leave up to chance. You have to be proactive about your security—and it helps to work with a firm that has the same commitment to protecting your data and assets.
Do you want to work with us on a Security Audit or web project? Let’s talk.
You may also be interested in our resource: Quarterly Audits for WordPress Users, A Security Imperative