The Importance Of Using Strong Passwords And Keeping Your WordPress Site Updated
We often hear the advice that we should keep our passwords secure and our firewall and antivirus software updated. Why aren’t we doing this with our WordPress installations?
Aside from being lazy, there’s no excuse not to keep the installation up-to-date and a strong password policy in place. Let’s start with the importance of keeping the software up-to-date.
Like any software application, WordPress requires constant patching and updating to correct any software glitches, particularly those glitches that could introduce backdoors and exploits that give hackers the tools they need to bypass the security settings you spent a lot of time and effort to set up.
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”
is damning, and shows what happens when WordPress administrators refuse to keep their software up to date.
It doesn’t stop there. Some WordPress administrators, much like some everyday Internet users, can be accused of being carelessly lax with their password security policies.
A strict password policy is not an inconvenience, but a necessity to keep the data entrusted to WordPress installations safe and secure.
Much like the common online user, WordPress administrators provide hackers nearly all of the necessary tools to do their job. It is for this reason the following steps must be taken to make the work of hackers much harder to accomplish:
- Making a hard to guess password
- Keeping it secret
Ironically, it’s the same advice given to the common online user, and it bears repeating for administrators of WordPress installations.
Making A Hard To Guess Password.
Change all default system passwords to something else.
Take advantage of the full length offered in assigning passwords. The longer the password length, the harder it is for hackers to break it.
Never use a word that is straight out of the dictionary, regardless of the spoken language. Some hackers use programs that read from a lexicon such as a dictionary to guess your password.
Currently, passwords are no longer limited to just letters of the alphabet (26 characters from “A” to “Z”). You are also allowed to use numbers from 0 to 9. You can even use special characters (such as “$”, “#”, “@”, “%”, “*”, and “&”).
As an added twist, letter case (stating “A” instead of “a”) makes passwords more difficult to crack, since it introduces a new permutation for hackers to guess at. With examples such as “Escargot”, “escargot”, “ESCARGOT”, “EsCaRgOt”, and so on, you can see how that adds an extra layer of defense.
Avoid using strings like “qwerty”, “asdfgh” or “123456”. Those are the first strings the hacker will likely try.
Avoid using personal information such as your social insurance number, credit card number, driver’s license. Expanding on this, do not use personal information that is known about you, such as your mother’s name, date of birth, the city you were born in, favorite music band, or the name of someone special to you like a significant other or child’s name.
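The rules above can be turned into an automated check. The following Python script is an added example, not code from the original article: it applies the length, character-class, dictionary-word, keyboard-sequence and personal-information rules to a candidate password and reports the brute-force search space implied by its length and character classes. The tiny word list, the minimum length of 10 and the "three of four classes" threshold are assumptions chosen for the example.

```python
import math
import re

# Constructed stand-in for a real word list; a production check would load a
# full dictionary and a breached-password list instead (assumption).
DICTIONARY = {"escargot", "motherlode", "password", "welcome", "dragon"}
# Keyboard and counting runs the article names as the first guesses tried.
KEYBOARD_RUNS = ("qwerty", "asdfgh", "123456")

# Character classes the article lists and the alphabet size each one adds.
CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
)


def search_space_bits(password):
    """log2 of the brute-force search space implied by length and classes used."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, personal=(), min_length=10):
    """Apply the article's rules; return (accepted, list of reasons for rejection).

    min_length=10 and the three-class threshold are assumptions for this example.
    `personal` holds strings known about the user (names, dates, city, ...).
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if sum(1 for rx, _ in CLASSES if rx.search(password)) < 3:
        reasons.append("uses fewer than three character classes")
    # Strip everything but letters so "EsCaRgOt" and "Escargot1!" still match.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        reasons.append("is a dictionary word (changing letter case does not help)")
    for run in KEYBOARD_RUNS:
        if run in lowered:
            reasons.append(f"contains keyboard/number sequence '{run}'")
    for item in personal:
        if item.lower() in lowered:
            reasons.append(f"contains personal information '{item}'")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("qwerty", "EsCaRgOt", "M0th3r!0de", "G0tB@dF33ling"):
        ok, why = check_password(candidate, personal=("Toronto", "1984"))
        print(f"{candidate:16} {search_space_bits(candidate):5.1f} bits "
              f"{'OK' if ok else 'REJECT: ' + '; '.join(why)}")
```

Note that the search-space figure is an upper bound for a blind brute-force attack; a dictionary or leetspeak-aware cracker guesses structured passwords far faster, which is why the dictionary rule is applied before the bit count is trusted.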
Keeping It Secret.
Even if you follow the above suggestions, it’s a wasted effort if you can’t keep it a secret. Do not keep your passwords (along with the associated user ID and service name) on a sticky note, a notepad, or even in an Excel or Word document on a USB key or some other unprotected storage device. There are encrypted master password storage systems out there; for example the online service lastpass.com. These are great for people with hundreds of logins and passwords, but all depend on having an extremely secure master password.
The ideal method is not to record it anywhere and keep it in your head. Make it easy to remember without it being easy to guess. One approach is to use what is known as leetspeak, or the substitution of letters with numbers or special characters. For example, the word “Motherlode” is instead remembered as “M0th3r!0de”, with the combination of letter case, special characters and numbers making a very hard password to crack.
Memory keys are another way to keep it in your head, and usually associated with a favourite phrase. A lyric from Procol Harum’s “A Whiter Shade Of Pale” (“Cartwheels On The Floor”) could be remembered as “AwSoP!CwOTf@”. Are you a Star Wars fan? Try “G0tB@dF33ling” as one example.
Never give out your password for the purpose of account sharing. If additional user IDs are required, create them with the appropriate authorizations and security access.
Never use the same password for more than one user ID: give each one a unique password instead.
Implement a password cycling protocol for all WordPress accounts and make it a uniform cycle.
By following these suggestions, you can rest assured your WordPress installation will be safe from hacker attacks. Let Social Visio manage your WordPress site and we will keep it updated and secure.