[BreachExchange] Hackers Do Not Discriminate: Why you should follow these Security Tips
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Aug 12 13:56:45 EDT 2016
http://www.htmlgoodies.com/beyond/security/hackers-do-
not-discriminate-why-you-should-follow-these-security-tips.html
Many small businesses bless the day when the Internet gained popularity
because leveled the playing field for them. They could now compete in terms
of promotion and marketing to the big players, and potentially sell their
products and services just as effectively as a big company sells. For that
to happen, however, they need a website, and the most popular platform for
creating one is WordPress.
WordPress is an easy choice for many small companies because the basic
package is free with no limitations, and you can have a website up and
running in a few minutes. It is also SEO-friendly and easy to maintain
even if you are not tech-savvy. However, one of the potential problems with
WordPress is security breaches.
A good example is the Panama Papers, a high-profile case of data leaks
involving more than 4.8 Million emails from the Mossack Fonseca website, a
Panamanian law and accounting firm. It turns out the security breach was
because the WordPress version of the website was outdated.
If you think you are safe because you are a small company, you would be
mistaken. Hackers are not really discriminating when it comes to breaching
websites. Small business, large business, is all the same to them. It is
not all the same to you however, as a compromise to your website can bring
down your website, your business, and your customers. You are responsible
for ensuring your website does not pose a threat to any visitor to your
website.
It is easy enough to protect yourself if you are aware of the threat. Here
are some ways you can secure your WordPress website without taking too much
trouble.
Make a Careful Selection of your Host
One report reveals that as many as 41% of websites that were hacked are
because the hosting service did not put a lot of importance on security. It
is important to select the host service not only for its compatibility with
WordPress or price point, but also for its security protocols. While
choosing a reliable web hosting company it is not a guarantee against a
security breach, it will go a long way towards reliving some of the worry
you may have about your website. Before choosing a hosting service, ask
about their security protocols to find out if they have the requisite
firewalls and malware scanning.
Activate the Security Keys
The WordPress Security Keys also known as WordPress Secret Keys are built
into the software starting from the 2.5 version. You have to define it by
changing the wp-config.php, found in the root directory of basic
installation of WordPress. This is a set of random characters, of which
there are four types: AUTH_KEY, AUTH_KEY, SECURE_, NONCE_KEY, and
LOGGED_IN_KEY. This makes it more difficult for hackers to crack site
passwords. You can generate your own key, copy and paste it to the
wp-config.php, and that is it.
Keep your website updated
Hackers are always coming up with new ways to get access to websites, and
WordPress developers move just as constantly to block them. However, you
have to update your website to take advantages of these security fixes. As
mentioned earlier, the problem with the Mossack Fonseca website was the
failure to update it. Fortunately, WordPress has automatic update features
you can configure, something that came with the 3.7 version. You can update
it manually as well if you choose.
Use stronger passwords
It may seem obvious, but as many as 8% of websites hacked simply because
people are too lazy to use strong passwords. If you have a hard time
keeping track of your passwords, you can use a password manager such as
LastPass. If you want to make sure you create a strong password, you can
use a password generator. You should also make an effort to use more
creative usernames instead of admin, as many people do. You can change your
username quite easily.
Keep track of access attempts
You can stymie hackers, which will keep trying to access your site by
randomly using different usernames and passwords, by restricting the number
of failed attempts you will allow. WordPress does not do this by default.
You need to use a plugin such as Login LockDown to control access to your
site by setting the number of failed attempts before refusing access, and
for how long. You can also try using two-step authentication, where any
user has to input the login credentials and then enter a one-time code sent
to either a mobile phone or email address.
Conclusion
As a small business owner with a website, you cannot afford to have your
site hacked. These five tips can help you secure your WordPress site
without much trouble, but there are certainly more you can do. Please leave
a comment below if you have any suggestions to making WordPress sites more
secure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160812/f14c9db3/attachment.html>
More information about the BreachExchange
mailing list