The Biggest Security Risk in WordPress (and EVERY computer security system)
An introduction to WordPress Security for the savvy site owner, Part 2
Here’s a neat trick to discover the single biggest hole in your computer and Internet security. Go turn your webcam on, I’ll wait while you do it. OK, got a picture from your webcam on screen now? See that person looking right at you? That right there is the single biggest security hole you’ve got.
“People are the biggest security risk in any computer security system.”
Why? People make mistakes, sure, that’s where software bugs and vulnerabilities come from, but unless you’re a coder then it’s unlikely that you’re making mistakes that could affect millions of people. The sort of mistakes that people make are the ones that affect only them directly and which can cause no end of headaches and hassle – and there’s a whole range of folks out there waiting for you to make a simple error that they can exploit.
It’s still largely a free and open Internet out there, an Internet that was never really designed to become what it has today, which means some things (like your email) are fundamentally insecure. Whether it was Jefferson or others who first coined the phrase “The price of freedom is eternal vigilance” is less important than it being a quote that is highly applicable to the freedom of the Internet today. If we want to enjoy the freedom that the Internet offers then we have to be vigilant: we have to be aware that there are bad actors out there and we have to take the time to take simple steps to be a little more secure in all we do online.
A first, excellent step you can take to protect, monitor and remediate your WordPress site would be signing up for one of our WebCare Plans, which protect from numerous known hacking threats and keep your software up-to-date to protect from yet to be known/emerging problems. Maintaining your site is part of being vigilant, but overlooking your personal internet hygiene can seriously derail the best services and tools you put into place.
Now let’s be clear, even though our official headquarters is in Santa Fe, New Mexico we’re not entering tinfoil hat territory here or seeing the digital equivalent of “a commie under every bed”. The number of bad actors out there is infinitesimally smaller than the number of average Joes and Josephines using the Internet (and by Internet we mean every connected device: computers, phones, tablets, even your Amazon Dash buttons). The problem is that a tiny number of bad actors can use those connected devices against you and indeed against the Internet itself (the so-called “botnets”), meaning that they can work a lot faster than we can. Vigilance has to be our response.
All Systems Must Move Forward
What do I mean by vigilance? Here’s a practical example – DO YOUR OPERATING SYSTEM UPDATES.
Remember those coders who make mistakes that can affect millions of people? That’s where your operating system security updates come from. They’re fixes for those mistakes, and the single best thing you can do to protect yourself is to do your operating system updates. That’s updates for all of those devices, not just your computer. Make sure you’re doing your updates for everything that you have connected to the Internet. Do the system updates on your phones and your tablets, but also remember to check for updates for things like your wifi router (I guarantee you, there’ll be one), your smart TV, your set top box, your security cameras etc – if it’s connected to the Internet then check for updates.
No updates available? That means that either you’re really great at doing updates (you can have a cookie) or – and more likely – the manufacturer of the Internet-connected device has abandoned it. The price we pay for constant tech progress is shopping vigilance. That cheap Internet webcam that you bought from China on eBay because it was a couple of bucks cheaper? I guarantee you it will be riddled with Internet security holes and is almost certain to be a part of one of the botnets which have been causing Internet outages throughout 2016. Be vigilant when you’re buying devices and make sure it’s from a manufacturer who releases updates – a quick check of the manufacturer’s website can show you if they make security downloads available.
That same shopping vigilance applies to your phones and tablets too. Again, make sure you’re buying a device that will be updated (cheap phones and tablets from Amazon and eBay are almost always abandoned and some even come with malware pre-installed!) but also be vigilant on your device app store. That free app that promises you the moon may well be helping itself to your data in the background, so if you want to stay safe then stick with popular and reputable apps and always check the app permissions (on Android) and app reviews (on all mobile app stores).
So, you’ve got your computer and your devices all updated and you’re only using reputable software and apps. You’ve done everything you can to protect yourself from everything but unknown technical exploits, now what do you do? Let’s get into some practical things you can do.
First, let’s find out if any site or app you’ve signed up for has ever been compromised. Go to https://haveibeenpwned.com/ and input any email addresses or usernames that you use. Not finding any results here is a good thing. If you do get a result then the first thing is to change the password on the affected site and the second is to change the password if you’re using it on any other sites.
Did I mention not to re-use passwords? No? OK, DON’T RE-USE PASSWORDS!
Yeah, I know that remembering passwords is hard if you’re supposed to have a unique password for every site. Password managers like LastPass can help with that, if you’ve got a bit of tech savvy to set them up and use them right. They’re the best option, but you can also make unique passwords for all sites by using a “stem” password. Most people can demonstrably remember at least one complex selection of letters and numbers, because most people can remember their car registration plate numbers!
Create one complex password that you will remember and that will be your “stem”. Then, on each site or app that needs a password you input your stem password and then add to it with something about the site you’re on, like the name of the site. For instance on Amazon.com you could have a stem password like “SiONTErIge” and add “Am4z0n” to it to make a completely unique password of “SiONTErIgeAm4z0n”. Do the same process for every site and app you use and you’ll have unique, secure passwords that you can remember for each site. Stay vigilant and keep your passwords secure!
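The Have I Been Pwned check above covers email addresses and usernames; the same service also publishes a “Pwned Passwords” list that lets you check whether a password itself has turned up in a breach. The following script is an added example for this article, not code from the author or from WebCare. It assumes the public range endpoint at https://api.pwnedpasswords.com/range/ (which takes the first five hex characters of the password’s SHA-1 and returns matching 35-character suffixes with counts), so only that five-character prefix ever leaves your machine. The sample response embedded below is constructed for the offline check and its counts are made up; the SHA-1 of the word “password” is real.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for prefix 5BAA6:
# one line per matching suffix, "SUFFIX:COUNT". Counts here are made up.
SAMPLE_RANGE_BODY = "\n".join([
    "0" * 34 + "A:12",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix for "password"
    "F" * 34 + "0:1",
])


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in a range response (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: int = 10) -> str:
    """Fetch the live range response for a 5-char SHA-1 prefix (network access)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full k-anonymity check: send only the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "SiONTErIgeAm4z0n"):
        n = breach_count(candidate, SAMPLE_RANGE_BODY)
        verdict = f"seen {n} times" if n else "not in sample set"
        print(f"{candidate!r}: {verdict}")
    # To query the live service instead: check_password_online("your-password")
```

A password that comes back with a non-zero count has been in at least one published breach and should be treated exactly like the email-address hits above: change it everywhere it is used. Because the script only ever transmits the five-character prefix, it is safe to run against passwords you actually use.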
What else can we do? For that you’ll have to read Part 3 (coming soon) in our security series, to find out why George Orwell declared the price of freedom wasn’t eternal vigilance, but eternal dirt!
Let’s stay safe out there, folks…
Written by our illustrious lead programmer, Mark McBride