Keeping Some Level of Security In Mind

As you are working on the Internet, you most certainly want to keep a certain level of security for yourself and your website.

For your website, it is particularly important, especially if that website becomes your livelihood. You wouldn’t want to lose your income from one day to the next (another reason for having multiple sources of income; putting all your eggs in the same basket is dangerous unless you go really big and have people to help you keep the site up and running.)

The following is about how to Secure Your WordPress Website, although if you are not using WordPress, most of these tips still apply to you. Just those that reference some code won’t work as is for you, obviously.

1. Protecting Your WordPress Website

If you are using a Content Management System (CMS) other than WordPress (WP), I strongly suggest that you look into whether you need to do similar things to better protect your website from hackers. WordPress, though, is the one CMS that has the highest market penetration, with some 76% market share. Therefore it is essential for you to think about protecting your website properly, because it is going to be the target of many hackers. Quickly.

For that reason I propose that you install the All In One WP Security plugin (click for details about installing this plugin and making it useful on your installation,) which includes a great many features. Many of them you only need to run once, yet they will increase your chance of not getting hacked (or at least not as easily as without the plugin.)

The other important security feature to work with is your password (see below).

2. Protecting Your Data

The Niche Website you create includes Media Files and a Database.

You may keep a copy of all the Media Files on your computer, but that won’t do you much good because re-adding the files will give them a different path each time (a big flaw in WordPress, I guess?).

So, you should look into making backups of your Database and Media Files.

I suggest the UpdraftPlus – Backup/Restore plugin. Install, Activate and go to the settings (UpdraftPlus » Backups). There you see tabs near the top, one of them is Settings. Click on it.

At first, you want to test a manual backup to make sure it works. Always test your systems! Then you can set up an automatic backup. While you are working on your site on a daily basis, you can set it up to back up once a day. Once you are done creating content, you can always change it to make a monthly backup instead.

Note that most of the solutions they offer will probably work for your website. For example, Dropbox offers 2Gb by default. More than enough for a small Niche Website. Remember that when you get your own domain name from your hosting company such as BlueHost, you can create a new email address which you can then use with a system such as Dropbox.

Importance of Using a 3rd Party Location

A rather important point about your backups: since your server may end up being compromised (i.e. once you have had a hacker on your server, you really can’t tell whether he’s gone or whether he’s going to use your server as a bot,) having your backups on that server won’t help you restore your website on another server. Those backups are also compromised.

That being said, having backups on your own server is useful in case you mess up; because you’re not likely to also mess up your backups. Outside of that, I very strongly suggest that you make sure to keep backups on a 3rd party computer or your server at home if you have such. As I mentioned above, you can start with Dropbox since it is free up to 2Gb of data which will be just fine for quite a few of your Niche Websites.

Fixing a Hacked WordPress Website

My first inclination toward this one is: don’t.

Yes. Well… Let me explain.

What is generally futile is to attempt to fix a system that was compromised. The hacker has quite likely installed some code on your server, and whenever you attempt to fix it, that code will still allow that hacker to access the server day in and day out. So unless you are that good and can find out what files were modified or added and can really clean up your server, just restoring your website and upgrading your plugins won’t help much, if at all.

Instead, I strongly suggest that you:

  • Get a new clean account
  • Restore your backups on that new computer
  • Run all the upgrades quickly

If you have such knowledge, just after you got a new account, you should first block all access using your firewall. That way, while you do the restore and upgrade process, you know the hacker can’t come in. Otherwise, there is a chance that the hacker will have the time to access your site while you’re doing your upgrades. In most cases, though, you won’t have access to a firewall since you will be using a shared server and the other websites would certainly not want to be blocked while you fix your problematic system.

If there were no upgrades to install after your restore, then know that your website is still insecure. This may be due to a plugin you installed which opens a door to a hacker. At that stage, it becomes too complicated for me to explain how to determine such a problem. You’d want to use your logs and have a knowledgeable programmer (like me) help you with this. The programmer should be capable of finding the culprit. Note, however, that good hackers hide their tracks. They edit the logs and remove their access attempts, especially the one that succeeded (many just completely delete your logs). This is where having a third-party log mechanism like Loggly, which offers a free account for small websites, can be useful. Don’t get me wrong, you won’t really need such a feature until you actually get hacked twice in a row even after upgrading everything and things otherwise look good. Until then, save your $$$ for other things that are more important to you. The cost of installing such a feature is what will make you think about this twice. The account is free, but how do you send your logs to it? Unless you’re a knowledgeable system administrator, you probably won’t be able to do it on your own, and there is no WordPress plugin for it. Loggly may have some help easy enough to follow, but it requires you to have your own server.

3. Updating Your Website

There are two main reasons for updates: fixing bugs and adding new features.

Many of the bugs include security issues being patched. Such issues are quickly looked up by hackers and used to access and destroy or take over websites.

In order to avoid such problems, you want to always keep your website up to date. WordPress itself updates automatically; the themes and plugins, however, do not. It is very easy to update. Just go to your website, go to the Dashboard and you’ll have directions about it. You can also go to the Plugins » Installed Plugins area and click on the Update link for each out-of-date plugin.

It can take just minutes for a hacker to end up taking over your website. Luckily, most patches are not so dramatic that they will allow hackers to take full control. (i.e. most bugs are not about security issues, many are because the functionality is incorrect.)

Themes are usually less likely to have a security bug, but I would not bet on it. If you’re working on a WordPress website and see that some updates are available, please make sure to go to all your other WordPress websites and update them. Keep in mind that hackers make lists of websites that use WordPress (and other CMS) and whenever such a bug is found, they write code to hack those websites. If you’re on their list, you sure have a problem.

4. What is a Strong Password?

Contrary to what we’ve seen for a while, a strong password is not automatically one that includes all sorts of characters. The strongest passwords, I think, are longer ones with enough variety (not all the same repeated character or character chain like “aaabbb”.)

If you want to use a sentence (useful for passwords you want to memorize), then using a phrase with at least 5 words, two of which are not so common, is going to be rather hard to crack. The sentence should not be a well-known sentence. Actually, it should be something you can remember. Probably something funny or that you love. Let’s say your first car was a Volkswagen, it could be something like:

I loved my first yellow and pink bug!?

Note that punctuation is more than welcome.

Although the English dictionary has well over 600,000 words, the common language is just around 100,000. With 5 words, this gives you:

100,000^5 = 10^25

Which is already a pretty good number of possibilities (trying to discover such a sentence could take some 3×10^14 years, or 300 tera-years.)

Add slang and your own funky spelling or names (Say you had a dog named “Pynkie” and your sentence could describe something that happened to you and Pynkie, who is going to guess that one?!) and it really becomes difficult for a hacker to guess that passphrase. Not only that, the hacker won’t know whether you used a passphrase or a password… and it is uncommon to have spaces in passwords.

Taken as a regular password, a 5-word sentence is likely 30+ characters. I mention the odds below. The hacker could find that sentence, but it would take eons with current technology.

That being said, there are passwords that are really, really bad. Those are short passwords or passwords that are composed of one word or one word and one digit (password1, anyone?) There are lists of cracked passwords and many are such really bad passwords. For example, some people came up with 10 exclamation points (!!!!!!!!!!). Although it would be unlikely for a hacker to test that specifically, it’s easy enough to think that people would do such things and test with many of the same letter or punctuation. Not a strong password.

Warning: Passphrases and Asian Languages

More or less, many Asian languages use one character per word. Although a “standard” hacker may not think of testing with Asian characters, using a passphrase in Cantonese with 5 words is like using a 5-letter password. It will be considered fairly weak, although you have a good 2,000 common words, meaning that you get roughly 2,000^5 = 3.2×10^16 possibilities. Considered as strings of bytes, it would be between 2 × 5 = 10 bytes and 3 × 5 = 15 bytes. However, many combinations are not possible, so that’s not a good way of calculating the possibilities.

5. Protect Your Login with SSL

In order to protect your login credentials, you want to use SSL on your website. Until you have SSL installed, you should not use your final credentials (this means if you start using your website before you get SSL installed, you want to change your credentials once SSL is installed.)

SSL stands for Secure Sockets Layer. It means all data traveling from your computer browser to your Website server is encrypted. It’s not 100% impossible for a hacker to decrypt that data, but it is very unlikely.

This, along with having a Strong Username and a Strong Password, will really help and you’ll be safe.

Transferring Files To and From Your Server

The transfer tool that a lot of people use is called FTP. However, FTP is not secure. The tool you want to use is sFTP, the secure version, or if you can/know how, use SSH.

Just like with your browser, sFTP allows transfers over SSL. That means all the data being transferred will be transferred encrypted and that includes your Username and your Password.

Changing Password

In most cases, there is no need to change your password. This is required only if you suspect that someone got a hold of your existing password. In all other cases, a policy to change your password(s) is not required.

Of course, if you’re using a weak password (“Poodle” is your password?) then changing your password to a strong password is a great idea! But that does not require you to look into a 90-day password changing policy.

Such a policy is often implemented by large businesses because staff turnover requires it. That is, someone who leaves or, worse, gets fired still has an account with the company, and it could end up being an open door for such ex-personnel to continue using your systems. With a 90-day password policy, you are more likely to catch such problems automatically in case the IT staff does not properly turn off this or that account (i.e. the renewal of passwords has to occur on a company computer, so physical access is required, which in most cases staff that isn’t working there anymore won’t have.)

As mentioned above, if you created your WordPress account before installing an SSL certificate, then in that very case you want to change your credentials, because before that the data was traveling in the clear. Anyone who could intercept your data could get your username and password.

6. Database Strong Password

Note that quite often people tell you to also put a strong password on your database. I’m not too sure how that can protect you much, because if the hacker has access to your computer, it’s most certainly as root and therefore they can get the password in the clear from your WordPress configuration file.

Here is what you see in that file:

/** MySQL database username */
define('DB_USER', 'top-secret-username');

/** MySQL database password */
define('DB_PASSWORD', 'password1');

And there is the password in the clear (and there isn’t really another way to get it to a PHP CMS that I know of.)

Now, if you have a tool that lets you access your database from your browser such as phpMyAdmin (which I would imagine is much better nowadays, but really was so bad for a while… full of security issues!) or you allow remote access to happen, then you want to make sure that the connection only happens over SSL, and in that case you definitely need a Strong Password (and a Strong Username too.)

Since you are just creating a small Niche Website, you really should not need this at all. Although in many cases, your host will offer a way to access the database remotely and you may not even know it. That’s when having a Strong Password (like, you know, 64 random characters…) is a really good idea. KeePassX will keep that password safe and a quick copy/paste will give you access to your database. (although I strongly suggest you don’t access your database.)

7. Keeping your Passwords Safe

For each website that you are using, you should have a different password, and possibly even a different email for different types of websites.

The few websites that you access in regard to your finance (probably including your Niche Website where you have all your affiliate links) could make use of one email and all your other accounts can make use of a different email address. This is a tad bit of management, but it can make things a lot safer. If someone messes around with your Facebook or Instagram account (Assuming you are not making money with those) it’s probably not such a big deal. You can simply create a new account, ask Facebook to close the old one and reconnect with your friends explaining what happened. It’s time-consuming, but it’s not the end of the world. Now, someone who hacks your bank account is way more problematic…

One way is to use a tool that will keep your passwords encrypted and linked to the website and username/email address that you used with that website. Such a utility is KeePassX.

This tool works on all major operating systems (MS-Windows, Mac OS X, Linux) and it has the advantage of being free.

The tool has a way to create passwords automatically. This means you get very strong and very long passwords just by clicking on a few buttons. I know how to create such passwords, but it looks like many people have an incredible lack of imagination when typing a totally random password (trust me, I’ve seen that many times…) Since you do not need to memorize those passwords (KeePassX does the memorization for you), you can really get anything you want as passwords. Frankly, most of my passwords are 32 characters long, made of any ASCII character (code 32 to 126). This is really hard to crack. Testing all the possibilities of such a long password requires:

32^(126 − 32 + 1) ≈ 9.76×10^142

So a number of 143 digits, the first digit being a 9!

Even if a hacker could write software capable of testing one password per millisecond, it could take 3×10^132 years for that hacker to find your password. You’re probably going to be dead by then, and the website you were using too… So it certainly eliminates some worries. To increase the odds in your favor, you should not use an exact size of 32 for all your passwords. Instead, you can use about 32 (say, between 30 and 64). This increases the odds in your favor many millions of times.
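To make the arithmetic from sections 4 and 7 reusable, here is an added example (not from the original post) that estimates the guess space of a candidate secret the way the post does, choices raised to the length, under three attacker models: blind brute force over the character classes present, a phrase of common words, and the single-character-word case from the Cantonese warning; the attacker picks the cheapest. The 100,000 and 2,000 word counts are the post’s own round figures; the phrase model, the CJK block size and the guess rate the caller passes in are my assumptions.

```python
"""Guess-space estimates under the attacker models the post describes.

Added example (not the post's code). COMMON_WORDS and COMMON_CJK_WORDS are the
post's round figures; the models themselves and CJK_BLOCK are assumptions.
"""
import re
import string
import unicodedata

COMMON_WORDS = 100_000            # post: everyday English vocabulary
COMMON_CJK_WORDS = 2_000          # post: common single-character Cantonese words
CJK_BLOCK = 0x9FFF - 0x4E00 + 1   # assumption: CJK Unified Ideographs, 20,992 code points
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable ASCII (codes 32-126) split into classes: 26 + 26 + 10 + 33 = 95.
ASCII_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                 string.digits, string.punctuation + " ")
_WORD = re.compile(r"^([A-Za-z]+)(\d*)$")   # a word optionally followed by digits


def _is_cjk(ch: str) -> bool:
    return unicodedata.name(ch, "").startswith("CJK UNIFIED IDEOGRAPH")


def charset_size(secret: str) -> int:
    """Alphabet a blind brute-force attacker must cover: every class present."""
    size = sum(len(cls) for cls in ASCII_CLASSES if any(ch in cls for ch in secret))
    if any(_is_cjk(ch) for ch in secret):
        size += CJK_BLOCK
    return size


def keyspace_estimates(secret: str) -> dict:
    """Guess space under each model; models that do not fit the secret are omitted."""
    est = {"brute-force": charset_size(secret) ** len(secret)}
    # Phrase model: whitespace-separated common words, each optionally ending in
    # digits. Punctuation is assumed known to the attacker (conservative choice).
    words = digits = 0
    for token in secret.split():
        m = _WORD.match(token.strip(string.punctuation))
        if not m:                      # not phrase-shaped (e.g. a random string)
            break
        words += 1
        digits += len(m.group(2))
    else:
        if words:
            est["phrase"] = COMMON_WORDS ** words * 10 ** digits
    # One character per word, as in the post's Cantonese warning.
    if secret and all(_is_cjk(ch) for ch in secret):
        est["cjk-phrase"] = COMMON_CJK_WORDS ** len(secret)
    return est


def weakest(secret: str) -> tuple:
    """The attacker uses the cheapest model: returns (model name, guess space)."""
    return min(keyspace_estimates(secret).items(), key=lambda kv: kv[1])


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every guess at an assumed rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for secret in ("password1", "I loved my first yellow and pink bug!?", "我愛小黃狗"):
        model, space = weakest(secret)
        print(f"{secret!r}: weakest model {model}, {space:.3g} guesses, "
              f"{years_to_exhaust(space, 1_000):.3g} years at 1,000 guesses/s")
```

At 1,000 guesses per second the 10^25 passphrase space comes out at roughly 3×10^14 years, the figure given in section 4.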

Of course, future computers will get even faster and may allow for password discovery which is only taking minutes, but guessing a random password is not like decoding a message written in a known language such as English or French.

8. Strong Username

As with your password, you may want to consider using a strong username. Unfortunately, by default WordPress does not offer a way to edit your username. You can do so by installing a plugin, though. Change your username, then remove the plugin.

A Strong Username is one that won’t be easy to guess from your personal name, your website domain name, or your email address. I have some details about Usernames on my User Accounts section, part of Finishing your WordPress Installation. For sure, don’t use a common name such as “admin”, “administrator” or “root”. These are for sure going to be checked out by hackers. Older versions of WordPress would actually offer you to use “admin” as your username on installation. This is now gone, luckily.

Contrary to your password, you probably don’t want a whole sentence or even a very long username. Still, having something hard to guess (uncommon) is certainly better, more likely to not be found by a hacker.

By having a username that’s uncommon, testing with millions of password won’t do the hacker any good since he will have to guess both: your username and your password. That certainly squares the time it will take those hackers to crack your website credentials.

9. Protecting the wp-config.php File

The wp-config.php file is a PHP file which does not output anything, so accessing it from a browser should result in nothing (an empty page.) However, you’re never too sure about what could happen.

The All In One WP Security plugin mentioned above will protect that file for you, so you should be good if you followed my installation instructions.

Another way to protect this file is to move it one directory up. I haven’t tried, but that’s probably a good solution since that way clients really do not have access to it.

10. Multi-User Consideration

When you let multiple users access your website, similar security measures have to be applied or you create a weakness.

First of all, only provide other users with rights to modify your content if you trust them sufficiently that they won’t just blow away all your content. One of the major costs to large businesses is their staff destroying something of theirs (data, machinery, stealing from the cashier, etc.) It is less known for small businesses because these often just go out of business when something like that happens, and the statistics for small businesses are skewed as a result.

All your users should use a funky username (hard to guess) and a strong password (as mentioned above, between 30 and 64 characters, although 64 is not an upper limit, it’s just considered good enough in most cases,) and they should use a tool such as KeePassX to store their password on their computer. For example, having users named “editor” and another “qa” is not a good idea. These names are very likely to be checked by hackers, just like the “admin” name.

Note that this would not apply to guest users, because you are not likely to be able to apply such stringent rules to such users. Also, those users’ data is probably less valuable to your website than your main content. However, in my case, I instead completely prevent automatic registrations on my WordPress websites. No one can register an account on their own. I have to do it for them. Since you are creating Niche Websites, doing the same will be the easiest because there should be absolutely no need for your users to register (some people think that forcing registration for people to comment is a good idea; I think that’s bad because most people will just never comment in that situation. I know I had the same problem on three websites where I used to get comments before I tried that kind of a policy…)

Terminating a User

Obviously, if you terminate someone who has access to your website, whatever the reason for the termination, you want to prevent access to your website from that user. This is done by blocking or even deleting the user’s account. Note that deleting may be a problem if the user’s name appears in various posts or pages. Luckily you can just block a user and prevent them from logging back in and editing your content.

11. Really Paranoid? Maybe use a 2-Way Authentication?

There is more if you’d like. You can look for a plugin offering a 2-Way Authentication. I really don’t see the need. A Strong Username and a Strong Password won’t ever be hacked. Really. And make sure that you put your password in an app like KeePassX so that it’s encrypted and can’t easily be stolen.

12. Reduced Permissions

Other users should have Reduced Permissions. If you have a user who can edit all your posts, it’s already somewhat dangerous if you don’t trust that user 100%. However, a user who can come in and play with your plugins, permalink settings, the All in One WP Security settings, etc. is even more dangerous.

When you create a new user account, only give your programmer and your business partner an administrator account. Anyone else should be limited to editing and creating new posts and pages, not managing the website as a whole. If management is required, they can pass off the necessary steps to you, who then has a chance to verify that it is safe for your website.

13. Disallow File Editing

The WordPress CMS allows you to edit many files from your browser. This is a potential security issue. It’s not just the database and upload folder that are writable. Every single plugin file is also editable.

The concept is that this way you can adjust your website to your liking and not be locked up in what the existing code offers. Although frankly, unless you know HTML, CSS, PHP, and SQL, you probably won’t be able to do much with those editors. So for you to disallow editing is probably not a bad idea.

To do so you want to edit your wp-config.php file and add the following line of PHP code:

define('DISALLOW_FILE_EDIT', true);

This way the code that allows editing will be turned off. It should prevent quite a few potential problems.

14. Domain Name Cloaking

You may have heard that it is possible to use cloaking on your domain name. Whenever you purchase a domain name, you can either have your name and address or you can have your hosting system offer to put their name and address instead.

Cloaking is good for you to hide your real name and address. However, you have to keep in mind that this is a negative as far as Google is concerned. A website generally takes about 6 months to appear high in the search engine and when you have cloaking turned on, it can be extra long (Another 3 to 6 months.) So that’s something to keep in mind.

Frankly, I never had a problem other than marketers emailing and calling me day and night to offer me the best deal ever. If you can bear such hassle, the rest will be just fine. It’s really only a very small number of people who would benefit from hiding their name and address. Remember that your name and address used to appear in the telephone white pages and that did not end the world for 99.9% of the population.

The paranoia around your name cloaking on the Internet comes from the fact that this service is not free. It’s pretty cheap, like $5 to $10 a year, so most people fall for it. But I think that the benefit of having the search engines happy from day one is more important to you. So unless you know you have enemies who want your demise…

15. Disable XML-RPC

I find this issue to be a big problem. XML-RPC is a way for remote tools to connect to your WordPress system in order to create and edit posts and pages. By default, however, WordPress does not give you a way to prevent the feature from working.

Luckily our All In One WP Security plugin protects us from this flaw. So if you followed my instructions on how to install and setup that plugin, you are already in very good shape.

Note that removing the meta tag and HTTP headers is the first step, but if the xml-rpc URL still works, then it is not yet completely turned off. So whatever type of CMS you have, make sure to test that you just can’t access your website from an XML-RPC standpoint.
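Sections 9 and 15 both say to verify the result in the browser: wp-config.php should give back nothing, and xmlrpc.php should not answer. Here is an added example (not the post’s or any plugin’s code) that does both checks and tells apart “blocked by the web server”, “endpoint alive but refusing” and “enabled”; the sample responses are constructed, and fetch() is the only part that talks to a site, assumed to be one you administer.

```python
"""Exposure checks for /wp-config.php and /xmlrpc.php (added example).

The classify_* functions are offline and run on the constructed samples below;
fetch() and check_site() perform the same checks against a live URL.
"""
from typing import Optional
import xmlrpc.client
from urllib import error, request

# Any WordPress XML-RPC endpoint answers this call when the service is on.
PROBE = xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def fetch(url: str, data: Optional[bytes] = None, timeout: float = 10.0):
    """GET (or POST when data is given); HTTP errors still yield (status, body)."""
    req = request.Request(url, data=data, method="POST" if data else "GET",
                          headers={"Content-Type": "text/xml"} if data else {})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def classify_wp_config(status: int, body: bytes) -> str:
    """What a plain browser request for wp-config.php tells you."""
    if status in (401, 403, 404):
        return "blocked"            # web server or security plugin denies the URL
    if b"DB_PASSWORD" in body or b"<?php" in body:
        return "EXPOSED"            # PHP source served as text: credentials readable
    if not body.strip():
        return "executed-silently"  # PHP ran and printed nothing (the post's expected case)
    return "unexpected"             # some other page came back; inspect it by hand


def classify_xmlrpc(status: int, body: bytes) -> tuple:
    """Blocked at HTTP level, answering but refusing, or fully enabled."""
    if status in (401, 403, 404, 410):
        return "blocked", status
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "refusing", fault.faultString   # endpoint alive, service switched off
    except Exception:                          # not an XML-RPC document at all
        return "unknown", None
    methods = list(params[0]) if params else []
    return "enabled", methods                  # the URL still works: not turned off


# Constructed sample responses (not captured from any real site).
SAMPLE_ENABLED = b"""<?xml version="1.0"?><methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value><value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""
SAMPLE_REFUSED = b"""<?xml version="1.0"?><methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""


def check_site(base_url: str) -> dict:
    """Run both checks against a site you administer (network access)."""
    base = base_url.rstrip("/")
    return {"wp-config.php": classify_wp_config(*fetch(base + "/wp-config.php")),
            "xmlrpc.php": classify_xmlrpc(*fetch(base + "/xmlrpc.php", PROBE))}


if __name__ == "__main__":
    print(classify_wp_config(200, b""))                      # executed-silently
    print(classify_wp_config(403, b"Forbidden"))             # blocked
    print(classify_xmlrpc(200, SAMPLE_ENABLED))              # ('enabled', [...])
    print(classify_xmlrpc(200, SAMPLE_REFUSED))              # ('refusing', '...')
```

Only “blocked” for xmlrpc.php means the URL itself no longer works; a “refusing” fault shows the endpoint is still reachable, which is the distinction the paragraph above draws.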

16. Further Reading about Scams and Hacking

I suggest you keep up to date with new scams and hacking schemes. I know it’s difficult if this is not your domain of expertise, but reading one or two posts about security every year is a good idea to keep abreast of what’s happening in the hacker world and it may save you a lot of money.

I suggest my Scam Pages by Alexis Wilke blog. I post a few blog posts every now and then as scams evolve and reading some of these will keep you up to date with what’s happening out there. I also post various email and snail mail scams on that website.
