Avoid WordPress Attack

If you are a writer, and if you’re reading this, you probably are, then you may have a WordPress blog. WordPress is one of the most popular blogging platforms on the internet. (No, AP Stylebook, I won’t be capitalizing internet anymore.) A blog, of course, is a powerful tool for marketing your writing business as well as an outlet for the stream of writings your mind produces.

However, just because you are a writer, and just because you have a WordPress blog, doesn’t mean you really understand the inner workings of WordPress all that well. It also doesn’t mean that you really understand security very well either. All of which means that you might be very nervous about the news of a major security attack on WordPress websites, but not know much about what to do.

Making WordPress Site Safe

First, let’s start with an unpleasant reality. In the world of computers and networks, there is no such thing as “safe.” There is always someone out there trying to defeat the latest state-of-the-art security, and there is always data out there worth having. However, just like home security, taking intelligent steps to safeguard your property and data can go a long way.

To get an idea of where we are going, think first of your home. You have a door. That door has a lock on it. However, there are people who can pick that lock. Locksmiths do it all the time. Taking it a step further, your home probably has windows. Those windows can be smashed by someone with no skills whatsoever. Does this mean that your home is unsafe? Does this mean that your possessions will all be stolen next time you leave home?

The reality of the situation is that people do not risk the danger of getting caught to break into your home without either a reason or an opportunity. Home burglaries increase after the holidays when thieves notice who puts out empty boxes that used to contain expensive electronics, for example. If you leave your garage door open overnight, it is more likely that something will be missing in the morning. These scenarios speak to motive (knowing that expensive things are inside) and opportunity (easy to grab a bike from a dark garage when the door is open).

Fortunately, as a writer with a WordPress blog, you already have one of these things covered. Unless you are doing something vastly different from most writers, chances are there are no credit card numbers, classified information, or trade secrets stored on your website. That means that international hacking rings with sophisticated tools and techniques probably aren’t coming for you.

Unfortunately, as a writer with a blog on WordPress, you may have inadvertently left your garage door unlocked, so to speak.

When you install WordPress, it comes with certain default settings. One of those settings is that the administrator account is called admin. Username-password security depends on an intruder being unable to match a username to a password. If someone knows your username, they already have half of the key. On commercial systems, this is not always useful. Try to log in to your bank account with the right username and the wrong password more than three or four times, and you’ll find your account locked.

Unfortunately, you can’t lock an administrator account. That is the account you need to fix problems, like locked accounts, so hackers can develop small programs to continuously try different passwords until they guess correctly.

If you have some technical skills, there are many things you can do to make your WordPress installation more secure. If you are one of those people, I encourage you to bust out the Google and find and do some of those things.

If you do not have much technical skill, you can still make your site much safer from these kinds of attacks by doing some simple things.

First, change the username on your administrator account. The simplest of these hacking programs just assume you have the default username. Changing the admin account takes away half the key. No matter how many passwords it tries, they won’t be successful if there is no “admin” account to hack.

When you do change your username, don’t make it the same as the Display Name. A smarter hacking program will try the displayed usernames as well to see if one of them is the administrator account. Try to make the admin username unrelated to the site. It doesn’t take much of a leap to think the admin account on ArcticLlama is arcticllama!

Strong Passwords on WordPress Blogs

Finally, make sure your password is serious. Do not re-use passwords across multiple accounts. One of the tricks hackers love to use is to find a single username and password on a site that isn’t very important and then try that same username and password elsewhere. It is surprisingly effective.

Is your username and password on any site the same as the username and password at your bank, your PayPal account, or your credit card?

Next, make sure your password is a strong password. And, before you blow this advice off, please know that adding a number to the end of a word does NOT make it stronger. The first trick hackers try after running a bunch of dictionary words and common names as your password is to run the same words with a 1 through 99 after them!

The best passwords are not words at all. Try combining words that mean something to you with a variation that breaks them apart. For example, if you lived here in Denver, a password of Broncos7 is almost as bad as just using your name, even if it does have a capital letter and a number. However, Broncoz7Rules! is a better password. Even better than that is Bronc7ozRule! or another variation that won’t show up in a dictionary or commonly used password list.

Even better, of course, is something less related to you or your publicly available online information. (Oh, and before you start using your pets’ names, make sure they aren’t on Facebook or other profiles first!) Your password doesn’t have to be completely unintelligible to be secure. Something like 4Shots!Goldshlager=sick is a really good password. Even though it means something to you, that’s a lot of letters, numbers, capitals and special characters to have to figure out. Chances are they’ll give up before they get there.
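As an added example (not the post’s own code) of the two checks above, the administrator login name and the “word plus a number” password, in Python: the wordlists are tiny constructed stand-ins for the ones a guessing tool carries, ArcticLlama is the post’s own site example, and the other usernames and display names are made up.

```python
import re

# Constructed stand-ins for a guessing tool's wordlists; real lists hold millions of entries.
DICTIONARY = {"broncos", "password", "denver", "welcome", "rules"}
COMMON_NAMES = {"john", "mary", "jane", "susan"}
WORDLIST = DICTIONARY | COMMON_NAMES

# One word, optionally followed by one or two digits: the "word" and "word + 1..99" guesses.
WORD_PLUS_NUMBER = re.compile(r"([A-Za-z]+)(\d{1,2})?")

def is_guessable(password: str) -> bool:
    """True if the password lies inside the word / word+1..99 guess space."""
    m = WORD_PLUS_NUMBER.fullmatch(password)
    if not m:
        return False
    word, digits = m.group(1), m.group(2)
    if digits is not None and not 1 <= int(digits) <= 99:
        return False
    return word.lower() in WORDLIST

def _token(s: str) -> str:
    """Lower-case and keep only letters/digits, so 'Arctic Llama' == 'arcticllama'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def admin_username_problems(username: str, display_name: str, site_name: str) -> list:
    """Problems the post warns about for the administrator login name."""
    problems = []
    u = _token(username)
    if u == "admin":
        problems.append("default 'admin' username")
    if u == _token(display_name):
        problems.append("username equals public display name")
    site = _token(site_name)
    if site and (site in u or u in site):
        problems.append("username derived from site name")
    return problems

def password_problems(password: str, username: str, display_name: str) -> list:
    """Problems for a candidate password; an empty list means it passes."""
    problems = []
    if is_guessable(password):
        problems.append("dictionary word or name, with or without a 1-99 suffix")
    p = _token(password)
    for label, value in (("username", username), ("display name", display_name)):
        t = _token(value)
        if t and t in p:
            problems.append(f"contains {label}")
    return problems
```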

Just changing your administrator account username and having a strong password will probably save you from the current WordPress botnet attack. When you have the time, consider using a security plugin that is highly recommended by a source you trust. (Don’t just Google it. Go through your online resources and find one manually. It’s too important to leave to someone trying to earn some referral dollars with a link.)

Are you worried about your WordPress writing blog? Have you taken the basic steps to secure it?


1 thought on “Avoid WordPress Attack”

  1. Practical advice for all levels of users. Especially relevant was the warning about generic and oversimplified passwords. I developed a simple formula for generating my passwords that is relevant to me and the particular site while avoiding mention of names – mine or pets – or related personal info that could be easily Googled.

    LastPass and KeePass deserve honorable mention. As part of my own “Last Pass”, my Significant Otter can apply my formula to designate me as Silent Key once I leave this orbit for the next.
