Strong passwords help secure your site and your reputation

Some things are so important they bear keeping in mind. This evergreen post was initially published in 2012 and has been updated to make it current.

Without strong passwords, your site is open to thieves

We want to speak to you about the importance of using strong passwords.

In recent days, we have recorded thousands of separate attempts to access WordPress accounts on our servers. There were undoubtedly more, because our security software only sends us a report when a user has been locked out after entering the wrong password multiple times. This is not a deliberate attack on our servers. Attacks like this go on constantly, day in and day out, on every web server on the internet.

Resistance is futile without strong passwords

These attacks are carried out by networks of compromised computers known as botnets. An individual computer can be infected in various ways and become part of a network which is then used, without the knowledge of the owner, in endeavors such as denial of service attacks and password guessing schemes. A single botnet can involve thousands, in some cases hundreds of thousands, of computers.

Our security software allows multiple retries before imposing a lockout or total ban on your IP address.

These attacks are not very sophisticated. They do not have to be, as there is zero cost to the attacker who is using someone else’s computer for the attack. These attacks often succeed because the average person does not use a strong password. The statistics from the 10,000 Top Passwords list make it obvious why these attacks work:

  • 4.7% of users have the password “password”
  • 8.5% have the password “password” or “123456”
  • 9.8% have the password “password”, “123456” or “12345678”
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords

Check to be sure your password is not on a list of the worst passwords.

Securing your site

Your minimum goal is to make sure you are not part of the 91% using the top 1000 passwords. It is not as difficult as you may think. You can have a reasonably strong password that is not impossible to remember.

Simple or common passwords are always tried first. Cute or unusual spellings are no replacement for a good password. While you may think that an unusual spelling, or replacing letters with similar-looking numbers (e.g. secure spelled s3cur3), will make it hard to guess, someone else has already come up with it many times before and it is in the common passwords list. Simple, short, one-word passwords just are not good enough. In this case, size matters.

Use either a totally random string of characters, such as FT3GvOUZn4WOZ077hL5B from my password generator (make up your own, do NOT use this one), which requires a password manager to remember (which is what we do), or use at least two random words and at least one random number. Go ahead, write it down (but don’t reuse it anywhere else). You are not defending against someone who is breaking into your office to search your desk; you are defending against automated attack by a botnet.

A great resource for generating random words is unique-names.com. Just open the page and pick two or three words from the list. Insert one or two random two- or three-digit numbers between and/or after the words, and you have a password with extremely low odds of being on the list of guessed passwords. The words themselves are almost guaranteed to be on the list, so DO NOT use only one word. It is the particular combination of words and numbers which is strong. If you’d like to use a truly random number, random.org has a true random number generator on their front page. Just enter a minimum and maximum, say 100 and 999, click Generate, and use the three-digit random number you’ve just generated. Write your password down or enter it into your favorite password manager.
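The checks described above, as an added example that is not code from the original post: is the password on the common list, even after undoing s3cur3-style substitutions or dropping trailing digits, and is it long enough? The short word list, the substitution table and the 12-character floor are constructed stand-ins; a real check would load the full 10,000 Top Passwords file.

```python
import re

# Constructed excerpt standing in for the 10,000 Top Passwords list; a real
# check would load the full file (one password per line) into this set.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "secure",
}

# Digit/symbol-for-letter swaps that guessing wordlists already include
# (assumed table; s3cur3 -> secure is the post's own example).
LEET_MAP = str.maketrans({
    "3": "e", "1": "i", "0": "o", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # "size matters": an assumed floor, not a value from the post


def variants(password: str) -> set:
    """All the forms a guesser would also try: lower-cased, with letter
    substitutions undone, and with trailing digits/symbols stripped."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    stem = re.sub(r"[\d!@#$]+$", "", lowered)
    if stem:  # an all-digit password such as 123456 keeps only its own form
        forms.update({stem, stem.translate(LEET_MAP)})
    return forms


def is_common(password: str) -> bool:
    """True if the password, or any obvious variant of it, is on the list."""
    return any(form in COMMON_PASSWORDS for form in variants(password))


def check_password(password: str) -> list:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    if is_common(password):
        problems.append("on the common-password list (possibly after undoing "
                        "letter substitutions or dropping trailing digits)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two "cute" ones and one built as the post advises
    for candidate in ["s3cur3", "Welcome123", "plover317tapestry"]:
        print(candidate, "->", check_password(candidate) or "ok")
```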

Manage your passwords

Should you wish to start using a password management system, there are several good ones reviewed at InfoWorld, both free and commercial. We prefer KeePass, but read the review and see which one works for you.

Changing your password in WordPress is easy. There’s a video at WordPress.tv showing how to do this. While this video was generated a number of years ago for WordPress.com, the basic functionality still applies and works for both WordPress.com and self-hosted WordPress.

One of the most important things to remember when using a password manager is that there is now a single password which grants access to all the others. It is imperative you use a very good password to access the password manager’s database. We recommend trying several words arranged into a memorable nonsense phrase (those random word lists at unique-names.com are handy for this). Again, size matters.

You may think: why should I worry about someone guessing my password when there’s nothing valuable on my website? What happens to your brand’s reputation if malware is installed on your site and all your visitors are infected? And what happens when Google marks your site as infected and posts that in conjunction with your URL? If your site spews malware, you’ll see all the hard-earned SEO efforts you’ve dedicated yourself to crumble.

Don’t share your login with others. If you must share with someone, so they can perform maintenance or install software or perform some action you have authorized, change your password after the task is completed.

Last, but extremely important, never, never, ever, reuse passwords. Once a password is guessed, the attackers will attempt to identify other accounts you own and try the password on all of them, like your online banking accounts. What about your domain registration? What would it cost your business, in money and reputation, if someone logged into your account at your domain registrar, and stole your domain? What if they then linked it to a pornography site?

Adding 2 Factor Authentication to your site

Adding two factor authentication (2FA) to your site is one way to add another layer of security. It combines something you know (like your password) with something you have (your phone, for example, which can generate or receive other login information).

WordPress writes:

Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.

WordPress Beginner offers a tutorial on adding Google Authenticator as a two-factor authentication service. Plugins for 2FA can be installed as well. Here’s one from techjourney.com about how to use Authy for 2FA on your site.
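How the code on the phone is derived from the shared secret and the clock, and how the site verifies it, as an added example; this is not code from the post, WordPress Beginner or any plugin. It is the standard TOTP algorithm (RFC 6238 over RFC 4226 HOTP with HMAC-SHA1) that Google Authenticator uses, run with the RFC’s published test secret rather than a real one.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real site
# generates a random secret per user and hands it to the phone as a QR code.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # Google Authenticator's time-step length
DIGITS = 6          # code length shown on the phone


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the phone computes from its clock and the shared secret."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                skew_steps: int = 1) -> bool:
    """Site-side check: accept the code for the current step or one step either
    side (clock drift), comparing in constant time. A real deployment also
    records the last accepted step so the same code cannot be replayed."""
    current = unix_time // STEP_SECONDS
    for step in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)
    print("phone shows:", code, "site accepts:",
          verify_totp(SHARED_SECRET, code, now))
```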

Make sure you have a strong password, and consider adding 2FA

We figure a word to the wise is sufficient. Create strong passwords. Don’t share them. And never reuse them. Your business and reputation depend on it.


Do These Things if You Are Moving to a New Host, or Upgrading Your WordPress Theme

Don’t try to move your website or update your theme without packing up the most essential items: Your WordPress database and all your posts and images.

Before you move your site, you must pack

It’s rare that someone chooses to move and leave all their worldly goods behind. But that’s exactly what some people do when they relocate their website to a new host, upgrade their website’s theme, or replace their existing static HTML site with a dynamic CMS-based website.

There are two essential steps to prepare to move your site or change your hosting: backing up, and creating an inventory of all pages in the form of a sitemap.

If you are going to undertake a hosting change, you or your web developer must do these things in order to have an easy move.

Back up your site

By not backing up or copying your site’s content you risk losing it all in the transfer. Before doing anything, back up both your theme and your MySQL database if you have a content-managed website.

You can use FileZilla to make copies of all your website directories and files, saving them to your hard drive. Or, if you have a WordPress site, you can use WordPress’s export tool to export all your data neatly.

Create a sitemap

Next, build a sitemap of your existing site capturing all URLs and relationships of pages to each other.

You can use Google’s Webmaster Tools to create a sitemap, or if you have a WordPress self-hosted site you can install the most popular WordPress plugin, Google XML Sitemaps. But what if your site is not a WordPress site? How do you create a sitemap? Either with Google’s Webmaster Tools or with an online tool such as XML Sitemaps.

After you move your site, you should create 301 redirects, which will prevent the loss of your SERP (search engine results pages) referrals. When you set up your new site, especially if you are not maintaining an exact copy of your previous site’s structure, you need to set up a redirect for every page which previously existed and which no longer exists in your new site.

As with preparation for any trip, your digital data needs good planning. And tidy packing. Happy Travels!

Photo By: Drew Coffman

Difference between WordPress.com and WordPress.org

What is the difference between WordPress.com and WordPress.org?

There is a lot of confusion about the difference between the two flavors of WordPress: WordPress.com and WordPress.org. While each of these platforms allows you to create a website that may include a blog and static pages, there are some critical differences to comprehend between the two.

The best analogy which I can use to help you understand the difference is that of housing choices.

WordPress.com is a landlord

Imagine that you own a very large house and you choose to rent out rooms in this house. For the safety of your residents you need to limit the types of permissible tenant activity. While it might be acceptable for a tenant to have a well-behaved pet dog or cat, it may not be acceptable for a tenant to have a dog that bites or a poisonous snake as a pet.

WordPress.com must control what is allowed into their home.

Establishing a controlled environment is (in this example) done to protect — because either a bad dog or a poisonous snake may get loose and cause injury to tenants. This is exactly the type of limitation that WordPress.com places upon blogs and websites it hosts.

Let’s extend this analogy just a bit further. Perhaps you don’t want to rent and prefer to own a home. However, if you don’t wish to bear the cost of design and the time spent selecting finishes, you may purchase a new home from a volume home builder. You get a new home, but much of the difficulty has been removed and you get to go straight to the pleasure of enjoying your new residence. On WordPress.com this is like paying for your own domain, selecting one of the approved themes, and moving in, arranging the furniture (your web content) to suit you.

Control your own space

Conversely, if you choose to build your own house you might like to select your architect, your builder, and your interior designer so that you may create a home that is most well-suited for you. In this case, you must specify exactly how many bedrooms and bathrooms are to be built, whether you want brick or lap siding, etc. The cost of a custom built home is more than a volume builder’s new home, just as a full-custom website is more costly than the earlier example of WordPress.com.

WordPress.com offers a handy table outlining the differences between the two flavors of WordPress which we have reproduced below (click the table to view the original, including links on WordPress.com.)

Difference between WordPress.com and WordPress.org

WordPress help for either flavor of WordPress

Don’t be overly concerned regarding the WordPress.org notations about “getting your hands dirty” by digging deep into code; that’s why we’re here. We do the heavy lifting, or in this case the arranging of electrons, to help you gain the home best suited for you.