As I am sure you are aware, the first Thursday of May is celebrated as World Password Day — be sure to order your cake in time and buy Gorilla Glue to seal the envelopes of the cards you will send out to friends and family to mark this joyous occasion. If you’d like to celebrate World Password Day another way, brush up on some best practices to help prevent you from being hacked with a few easy updates.
Sadly, as a WordPress developer, I am all too aware of the risks out there for websites and user accounts. The automated security attacks probing for website vulnerabilities start almost immediately after a site is launched. You might think that if you have a smaller website, or if you aren’t storing any sensitive information, that hackers would have no interest in your site. However, it is often the chance to harness your site’s resources for nefarious means that attracts hackers to small websites. Once in control of a website, these digital scoundrels can send out spam messages and set up malware and phishing pages, among other dark deeds.
Keep WordPress and Plugins Up-to-Date
WordPress is wonderful. That is why we at Pulse Marketing use it almost exclusively to build our websites. It’s also why WordPress currently powers around 40% of all websites on the Internet. But having a large install base also makes WordPress a larger target. After all, criminals know that they have a large pool of potential victims to prey on. Part of WordPress’s power and flexibility comes from a wonderful ecosystem of plugins available to extend sites running on WordPress, but a problem with all of this common code is that if a security vulnerability is found in a plugin, that vulnerability will be present on a large number of websites.
For these reasons, it’s important to keep WordPress itself and plugins up-to-date. At Pulse, we do monthly updates of all sites hosted on our servers and recommend you do the same. Furthermore, we monitor security issues in the WordPress community to more quickly address any updates issued for security holes. If you would like to keep tabs on WordPress and plugin vulnerabilities, I recommend following Wordfence’s blog.
Don’t Reuse Passwords
One of the simplest but most important things you can do to protect your sites and accounts is to avoid using the same passwords in multiple places. Obviously, a lot of people do this because it’s difficult to keep track of lots of different passwords for a myriad of online accounts, but the good news is that you don’t have to. I strongly recommend using your browser’s password management tools to generate random passwords and remember them for you. Beyond this, if you use one type of browser on both your desktop and mobile devices, it’s likely that you can sign into a single account that will store your passwords. For example, Google has a solution for their Chrome browser, Mozilla offers an account for Firefox, and Apple has their own password solution that works across their ecosystem.
If you would prefer a browser-agnostic solution, you can also explore dedicated password managers such as 1Password or LastPass. These tools offer browser extensions to fill in website credentials for you after providing a single master password. 1Password on iOS even integrates into the iPhone’s facial recognition to unlock your passwords.
The great thing about password managers is that they allow you to use a completely random password for each of your accounts. This way, if there is a security breach at, for example, an online retailer, you will just need to change your password for that one account. Hackers know that many passwords are reused, so if they get access to a user’s password from one place they can try it on other websites as well. By keeping your credentials unique, you reduce the chance that having any account hacked will lead to bigger problems down the road.
Create Separate Accounts
A lot of company websites have multiple users administering them and editing content. Often, for simplicity, people will just share a single username and password among team members. However, I would encourage you to set up different accounts for each user. There are a few benefits to doing this:
- If a team member leaves your organization, you can simply revoke that one account. Otherwise, you would need to change the password on the shared account and alert any other users to this change. Because of the friction in changing the password and notifying all users, some people might be tempted to leave the password unchanged.
- When using separate accounts, you can grant just the level of access needed for a user to accomplish their particular tasks. Someone will need to be an administrator for your WordPress website to control user accounts and site plugins, but it is likely that not everyone needs to have this amount of power on the site. If a user just needs to edit posts, they can be set up as an Editor instead of an Administrator. This has the added benefit of simplifying WordPress’s administration interface and showing just the tools that a user needs.
- Although not specifically security-related, another benefit of having separate accounts is that you have a history of edits on your site and who has made changes. When a single account is used, it is impossible to know who has made alterations to a post.
Other Good Practices
There are other steps that you could take to protect your WordPress site even further. There are plugins available that add many security features to your site. We use Wordfence for many sites. The free version of the plugin offers additional protection and the commercial version adds many other compelling features.
Plugins are also available to add two-factor authentication to your site. You have probably used sites with this type of security mechanism in place. Instead of simply having a username and password log you in, you will need to verify the login in one other manner. This could be through a code texted to your phone or a code generated in a phone application like Google Authenticator. This adds some friction to the login process, but it also adds an extra layer of security to your site.
Verify that your site is being backed up regularly and that you have the ability to restore a site from an earlier point in time if needed. If your site has been hacked, often the best way to get back up and running safely is to restore the website to a point before it was compromised. If you are hosting with Pulse, you are all set! We regularly back up our client websites. Many other providers also keep regular backups, but you will want to check how often they are taken and how easy it is to access and restore a backup.
Finally, take care to secure your computing devices. If they have been hacked, your passwords and other personal information can be at risk. Make sure you keep your web browser and operating systems updated and take care not to submit your credentials over insecure network connections, such as a library computer or public WiFi. If you have any questions or concerns about your website’s security or would like to learn more about site hosting, reach out to Pulse Marketing and we would be happy to help. Contact us today!