WordPress Security – The Weak link is YOU!

WordPress, as a Content Management System, is a secure platform. The Weak link is YOU!

Yup, it’s your password, the one that you use for every website from bank accounts to email. It could be your dog’s name, or your wife’s middle name and birthday; it’s something that no one who didn’t know you would ever guess.

The problem is that Software can guess it

WPScan is a “WordPress Security Scanner” sponsored by the RandomStorm Open Source Initiative *. Like a scalpel, WPScan is a great tool in the right hands; it’s just destructive when used by the malicious or the criminal.
WPScan is free and available to anyone with an internet connection.

Using WPScan, a bad player can attack your login with the aptly named Brute Force Attack **.

A Brute Force Attack is when software like WPScan is used to figure out your website’s username (easy if it is admin); once it has that, it will try every possible password until it succeeds.

If your password is letmein or jesus ***, God help you! You’ll be owned in a few hours.

This is where common sense can save you

  1. Don’t ever use a password like the two above! Shame on you!
  2. Don’t ever use admin as your username. If you do, call me so I can come over and slap you. And YES, you deserve it.
  3. Update WordPress when a patch is released.
    1. This is because any security fixes addressed by that patch are also common knowledge soon after the patch is pushed to you.
    2. The major feature updates are normally released as point upgrades, as in 3.4 to 3.5. You can wait on these updates if you’re worried about a Theme or Plugin breaking.
  4. Hire a professional to manage your site.
    1. If you make money off your website and it is a crucial part of your business, treat it with the respect it deserves. You’re not a web developer; you’re a Lawyer, an Innkeeper, a fill in the blank. And your nephew with a computer is… well… you get it.
  5. Install the Limit Login Attempts **** plugin.
    1. This plugin will block software like WPScan from Brute Forcing your password. It works by blocking a user’s IP address after X failed login attempts.
    2. You can set the length of the block in hours and the number of failed attempts before the block kicks in.
    3. If you forget your own password, just remember to reset it before you get blocked.
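
The lockout behaviour described in item 5, as an added example that is not part of the original post and is not the Limit Login Attempts plugin’s own code: a small Python model of a per-IP failed-login counter with a timed block. The threshold, block length, forgetting window, class and function names, and the sample addresses and timestamps are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 4               # assumed value for "X" failed attempts
LOCKOUT = timedelta(hours=24)  # assumed block length
WINDOW = timedelta(hours=12)   # assumed: older failures are forgotten


class LoginLimiter:
    """Per-IP failed-login counter with a timed block (hypothetical model)."""

    def __init__(self):
        self.failures = defaultdict(list)  # ip -> times of recent failures
        self.blocked_until = {}            # ip -> time the block expires

    def attempt(self, ip, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return "blocked"  # the password is not even checked
        if password_ok:
            self.failures.pop(ip, None)  # success clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT
            self.failures.pop(ip, None)
        return "failed"


def replay(events):
    """Feed (timestamp, ip, password_ok) tuples through a fresh limiter."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, ts) for ts, ip, ok in events]


# Constructed sample: one address guessing once a second, then the site owner.
START = datetime(2024, 1, 1, 9, 0, 0)
GUESSER, OWNER = "203.0.113.7", "198.51.100.20"  # documentation-range IPs
SAMPLE = [(START + timedelta(seconds=i), GUESSER, False) for i in range(6)]
SAMPLE.append((START + timedelta(seconds=7), OWNER, True))
SAMPLE.append((START + timedelta(hours=1), GUESSER, True))    # right password, still blocked
SAMPLE.append((START + timedelta(hours=25), GUESSER, False))  # block has expired

if __name__ == "__main__":
    for (ts, ip, _), result in zip(SAMPLE, replay(SAMPLE)):
        print(ts, ip, result)
```

The block is keyed on the source address, so it limits how fast one address can guess; it complements a strong password and a non-default username rather than replacing them.
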
* http://wpscan.org/ a black box WordPress vulnerability scanner.
** http://en.wikipedia.org/wiki/Password_cracking
*** #7 and #21 on the CBS list of most common passwords for 2012 http://www.cbsnews.com/8301-205_162-57539366/the-25-most-common-passwords-of-2012
**** Limit Login Attempts