This week has been filled with a lot of security updates and releases. So this issue of Five on Friday will provide you with some things you can use or try out from a security standpoint.
1. Change your “Admin” User Account
When you install WordPress the default user name is normally “admin.” During a DDoS attack, the bots are looking for this user name and will randomly hit your login page using various passwords to try to gain access to your website. If your user name is “admin” you should change that immediately.
Unfortunately, you cannot change it in the Dashboard but you can in the database. However, most people are not comfortable going into the database. So what can you do?
- Create a new user account for yourself with administrator access.
- Log out of the “admin” account.
- Log in with the new user account.
- Go to Users > All Users.
- Select the “admin” account, then select Delete from the drop down.
- The system will ask you what to do with all the content (pages, posts, images) that are associated with the admin account. From the drop down, select your new user account.
- Then proceed with deleting the account.
2. Change Your Passwords
I have had so many clients who haven’t changed their passwords in years! And they use the same password for everything including their bank accounts. Or the worst is just using “password” for the password. The best way to secure your accounts is to 1) change your passwords often and 2) change them to something no one can figure out.
WordPress now offers “hard” passwords when you click “Generate Password” in your user account. However, you may want to generate your own and also generate more passwords to use on other accounts.
Norton’s Identity Safe Password Generator will create a highly secure password that is difficult to crack or guess. Passwords are case sensitive so you will want to write or print and keep in a safe place.
I really like this plugin a lot mainly because it provides a level of security where I didn’t have to modify the .htaccess file inside my own site. Developed by Jesse Petersen, it provides a “PIN” field on your login screen similar to bank cards or pins you use for other types of accounts. To gain access to the site, you need to enter your user id (or email address), your password and your pin number. Just install, activate, enter a pin and save. That’s it.
One of the biggest reasons websites become compromised or hacked is because they’ve neglected to update WordPress and their plugins. The plugin screen doesn’t offer a way to see when the plugin was updated. If the plugin was downloaded from the WordPress repository, the Plugins Last Updated Column will display the last time it was updated. The rule of thumb has been that any plugin that has not been updated in 2+ years should not be used as it could be unsafe. If you find plugins that are outdated in your dashboard, you should visit their respective support tabs in the repository to see if the plugin is still being supported. If not, you should deactivate and delete that plugin, then search for a new one.
If you ever think your site may have been compromised or hacked, or you just want to make sure your site is clean – you can use the free scanner provided by Surcuri. It will check your website for any known malware, blacklisting status, website errors, and out-of-date software. If it does find something and you don’t know how to fix it, you can purchase a plan to hire them to clean the site for you. You may even want to purchase a monthly plan just to know that the site is being monitored and protected on a regular basis. They also offer a free WordPress plugin here.
If you know of a cool plugin or product that you would like to see on Five on Friday, send me a link and tell me why. I will try it out first before I add it.