In 2012, we had our presumably secure sites hacked by a malware attack. A week later – after we hired the talented and helpful folks at WeWatchYourWebsite.com, working in tandem with the equally outstanding staff at BlueHost … and the dust settled on that bit of silliness – our sites were back, and more secure than ever.
One of the many recommendations we’ve followed since is taking our already difficult-to-guess passwords and making them astronomically more difficult by NOT using the default ‘admin’ username for our WordPress logins. Raising a very large number to the power of another very large number seems like a good way to minimize the probability of that potential vulnerability being exploited. I figure an analogy might be that using a very strong random password with the default ‘admin’ username is like sending a satellite to the outer reaches of our solar system (past Neptune and Pluto); not easy to do, but it can be done and has been done. If you combine that with a very strong random username, the metaphor might be closer to sending that satellite to the Andromeda galaxy or beyond.
An aside: For example, if there are 256 possibilities for each ASCII character, a 3-character password would have 256^3 = 256*256*256 = 16,777,216 possible combinations, and most passwords don’t use all 256 possibilities. In practice, if you limit yourself to the characters easily entered via a standard keyboard (which we all usually do; that’s about 68, not counting the ones you can get to with modifier keys other than the shift key), that would be 68^3 = 68*68*68 = 314,432, a much easier number to hack, even with brute-force methods. One would think that using a strong random password (e.g. 15 very random characters) would help, since 68^15 = 3 x 10^27 (a really big number), but to a sophisticated hacker this isn’t as big a challenge as one might think, since other tricks are often exploited that dramatically decrease the effort involved, from what little I’ve studied about the subject. So let’s say you use a USERNAME of 15 random characters AND a password of 15 random characters; this would make for about 68^30 possibilities, or about 9 x 10^54 (that’s 9 with 54 zeroes after it). That’s why I figure it’s a galactic needle in a haystack at that point, but that only covers the obvious ‘front door’ attack on a site. Needless to say, I don’t even claim to be an amateur cryptographer or security consultant and leave that to the pros, but it does seem like doing the simple ‘low-hanging fruit’ is the place to start, so that’s where I started.
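The keyspace arithmetic above, worked through in Python as an added example (not code from the original post): the 68-character keyboard alphabet, the 256-value upper bound and the 3-, 15- and 30-character lengths are the post’s figures, while the login guess rate and the 10,000-word dictionary used for the “other tricks” caveat are assumptions.

```python
"""Keyspace arithmetic behind the post's username + password argument.

Added example, not from the original post. The 68-symbol keyboard alphabet,
the 256-value byte alphabet and the 3/15/30-character lengths are the post's
figures; the guess rate and the word-list size are labelled assumptions.
"""
import math

KEYBOARD_CHARS = 68   # the post's estimate of characters typed without modifier keys
ALL_BYTES = 256       # every possible byte value, the post's upper bound


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent key strength in bits (log2 of the number of candidates)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a sustained guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def front_door_scenarios() -> dict:
    """The post's front-door cases plus the 'other tricks' caveat.

    Returns the number of candidates an attacker must search in each case.
    """
    return {
        # default 'admin' user: only the password has to be guessed
        "admin + 15 random chars": keyspace(KEYBOARD_CHARS, 15),
        # secret 15-char username AND 15-char password: the spaces multiply,
        # giving 68^15 * 68^15 = 68^30
        "15-char user + 15-char pass": keyspace(KEYBOARD_CHARS, 15)
                                      * keyspace(KEYBOARD_CHARS, 15),
        # the 'tricks' the post alludes to: a 15-letter password built from
        # three common words is searched per word, not per character
        # (a 10,000-word list is an assumption, not a figure from the post)
        "admin + three dictionary words": 10_000 ** 3,
    }


if __name__ == "__main__":
    RATE = 1e3  # assumed sustained login attempts per second, not from the post
    for name, space in front_door_scenarios().items():
        print(f"{name:32s} {space:.2e} candidates, "
              f"{entropy_bits(space):6.1f} bits, "
              f"{years_to_exhaust(space, RATE):.2e} years at {RATE:.0e} guesses/s")
```

Running it shows the 15-character password alone at roughly 91 bits, the username-plus-password pair at roughly 183 bits, and the three-word password at only about 40 bits despite its length, which is the “other tricks” point in numbers.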
Here’s an article explaining why choosing good security questions and answers is also important; and another about why you should use strong passwords, such as this free tool (Strong Password Generat0r) provides. We also are fans of 1Password for not having to keep track of the ever-growing number of online accounts. I use it dozens of times a day; probably the best utility I’ve ever bought for our Macs. … Recently, I’ve also started using LastPass, a free – also multi-platform – password utility that works well.
There are other common-sense practices like using password logins for your computers at home or work if you share them and don’t have a locked office (or even if you do), always assuming public computers aren’t secure, always making sure any supposedly secure webpage has a URL that starts with HTTPS, etc. Here are specific suggestions for WordPress hardening: How to prevent your site from getting hacked, How to repair a damaged site and Website security precautions, Best practices against hacking, and Ten Security Tips To Protect Your Website From Hackers.
Update (27Nov2021): If you have reliable, secure access to a smartphone, it may be helpful to use 2FA (2-Factor-Authentication) to dramatically reduce hacking opportunities. There are lots of other security upgrade opportunities, but it’s best to go after the “low-hanging fruit” first.
Update (6Apr2023): Here is a list of some more resources, recent considerations and musings on the subject including the “reality check” that with current online resources like ChatGPT and likely future availability of large-scale quantum computing resources, what once seemed reasonable and adequate approaches to online security may no longer be sufficient best practices. Meanwhile, it’s just silly to not use the simple current best practices to keep your data safe.
If you have other suggestions that you find helpful, contact us and we’ll share them here as appropriate. May all your online experiences be happy – and secure!