JENerally Informed usually gets a minimum of 7 hack attempts each day, sometimes more. Sometimes A LOT more.
I’m not talking about spam attempts, which are annoying, but people trying to compromise the security of this site and gain control of it. Some of the attacks are from automated bots (computers looking for a random target.) Others are definitely real people looking, for whatever reason, to compromise THIS site specifically, even though there is no obvious financial impetus to do so.
Website security is a big problem. In last week’s leaked celebrity photographs scandal, the general thought was “I can’t believe those poor people had their photographs leaked.” While sympathetic to that thought, as a tech guy, my thought was “Seriously, iCloud was hacked?” This is a really big deal. A huge deal, in fact, one that could actually end Apple as a company if they do not get a handle on the problem.
You see most cases of “hacking” really aren’t. They are generally “social engineering” hacks. This is from people breaking into a physical location and gaining the password to a computer because it is written on a sticky note next to the monitor, or by perhaps pawing through your trash looking for sensitive documents, or the most likely reason, you left a private internet session open on a public computer.
In the case of iCloud it looks like the hacking was legit, meaning it took someone with great skill to accomplish it, the fact those people exist scares me and should probably scare all of us.
But back to the original topic, if someone is trying to hack JENerally Informed, they are likely attempting to hack your site as well. So what can you do to protect your site?
1. Make sure that the main username to your site isn’t your email address, the username you blog under, “admin,” or “administrator.” Yep, those are the ones that everybody uses when trying to access this site. The smart ones, have tried to login under “Jensguy” because they think that I am the administrator of the site. I am, but I’m not stupid, so good luck with that. Seriously, though, if your username is any of these things, change it right away.
2. The simplest thing is to add “Limit Login Attempts.” This plugin does exactly as it says. It gives you three opportunities to get the username/password combo correct when logging into your site, then it will lock you out for a specified period of time if you are unsuccessful. It also keeps a log of the people trying to login to your site, so you can feel superior that you have thwarted them or terrified that there are so many.
3. Update your plugins and WordPress version soon after updates become available. Many of these updates are security fixes.
4. Don’t update your site from a public location or even a public wifi station with your laptop unless you are 100% certain that it is secure. Hackers will sometimes set up “dummy” wifi stations next to actual public ones to get people to log into them. Once you login to their station, they can monitor traffic from your machine.
5. When somebody shows special resilience or creativity in trying to access JENerally Informed, I ban them using “WP-Ban.” Be careful with this as you can ban yourself if you are not careful.
6. If you are getting way more login attempts and you want more security, it can be done, but many of the real secure options can be expensive and/or slow your site down considerably. If you think you may need this type of protection, contact Jennifer, and I will help.
Good luck blogging everybody, and stay safe!
P.S. If you haven’t already watched the new Sherlock BBC series available on Netflix you really should.