I wrote about this sarcastically, but here goes nothing.
I’m doing this because it was talked about on Twitter, and wellp, here are my secrets.
I joined hacker communities. No big deal.
1. I started joining hacker communities under an alias to learn their ways and how they hack into things instead of reporting them to their hosts (since their hosts do nothing about it anyway).
This probably makes me a hypocrite, but Sean had said something on Twitter once that got me to thinking. Since then, I started joining their communities, carrying on some conversations with them, and learning what makes me vulnerable. It’s not a smart thing to do if you publicly share your IP address, though, and I’m not saying this is like Monopoly’s Get Out Of Jail Free card. 6birds can still get hacked, but I monitor it so frequently that if you tried to log in and failed, I’d see it on the list and block you ASAP.
2. I don’t give the WordPress version number.
WordPress prints it by default, but I took it off via Better WP Security. People say that taking off “Powered by WordPress” in your footer limits your chances, but I’ve done that and it doesn’t. I’ve also read people saying it literally doesn’t do anything. You should never use an outdated WordPress. Always update. 😉
3. I don’t have a place on my site that says, “ADMIN ONLY”.
Put one of those up, and you’re just screaming for trouble. As stated by a hacker, “Always look for a backdoor. So many site owners are dumb and put their login link on their sites. It’s the easiest way to find the login AND the directory.”
4. I keep up with it constantly, daily, frequently.
Okay, so I’ve got a security plugin. Yeah? IT IS NOT GOING TO RUN ON ITS OWN. YOU HAVE TO TAKE ACTION AS WELL. I mean, do you REALLY want it to run on its own? It wouldn’t know who is doing what. Like, ugh. I hate it when people think that they can install a plugin for WordPress and that said plugin will solve all of their worries. No, it won’t. For example, that plugin that requires you to check a box to confirm you’re not a spammer only works on bots, not human spam. Therefore, having JUST THAT will not wipe out the human spam.
So I have the security plugin, and I watch it, and I take action rather than simply ignoring IP addresses that have “Bad log ins”. I also watch the 404 errors that ring up on my site, and I know the bots. It’s not because I’m a guru (trust me, I’m not); it’s because I have and use common sense. ~
For example, if I said I’m going to hack your site, would you just change your password, or would you change your password and block my IP address?
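As an added example (not from the post), here is the kind of check that points 1 and 4 describe done by hand: it scans constructed Apache access-log lines, counts failed wp-login.php attempts and 404 probes per IP, and renders deny rules for the addresses that cross a threshold. The log format, the “200 on a wp-login.php POST means the form was re-rendered, i.e. a failed attempt” heuristic, the thresholds and the .htaccess syntax are my assumptions.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines for illustration; not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2013:02:15:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Mar/2013:02:15:11 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Mar/2013:02:15:12 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [10/Mar/2013:02:16:00 +0000] "GET /2013/03/some-post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2013:02:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def suspicious_ips(log_text, login_threshold=3, notfound_threshold=3):
    """Return {ip: {"failed_logins": n, "not_found": n}} for IPs worth a look.

    Heuristic (assumed): a POST to wp-login.php answered with 200 re-rendered
    the form, i.e. a failed attempt; a successful login redirects with 302.
    """
    failed = Counter()
    not_found = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed[ip] += 1
        elif status == "404":
            not_found[ip] += 1  # directory/file probing shows up as 404 bursts
    flagged = {}
    for ip in set(failed) | set(not_found):
        if failed[ip] >= login_threshold or not_found[ip] >= notfound_threshold:
            flagged[ip] = {"failed_logins": failed[ip], "not_found": not_found[ip]}
    return flagged

def htaccess_deny_rules(flagged):
    """Render Apache 2.2-style 'deny from' lines for the flagged addresses."""
    return [f"deny from {ip}" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = suspicious_ips(SAMPLE_LOG)
    print(hits)
    print("\n".join(htaccess_deny_rules(hits)))
```

The visitor at 192.0.2.44 read a post and then logged in once successfully, so it is not flagged; only the repeated failures and the 404 burst are.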
5. I look up a plugin before I use it, and I search hacker communities for that plugin.
I refuse to go back to using Contact Form 7 because of this, no matter how many people tell me it’s secure.
Don’t run more than one security plugin at once, because they can’t coexist without screwing up your shit.
6. I choose a strong password.
I use passphrases, mixed letter cases, numbers and symbols in my password. “Kitt3ns:)” came up as “Very Strong” at 82% on a password strength checker. It doesn’t look like a very good one to me, though: it’s one dictionary word with a 3 swapped in for the e and a smiley tacked on the end. o.-
Database passwords can be generated. You’re not going to type them the way you type the password for the scripts they’re linked to, so why make them the same as that password, or something easy to remember? Just write them down.
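An added example (mine, not the post’s) of why the meter is wrong about “Kitt3ns:)”: a naive meter scores by length and character classes, while a cracker that knows the word + leet + suffix pattern only has to guess the word, which letters were swapped and which suffix was used. The four-word passphrase scored beside it uses the words a commenter below mentions. The miniature word list, the 100,000-word cracking dictionary and the 7,776-word passphrase list are assumptions.

```python
import math
import string

# Constructed miniature word list and suffix list; a real cracker carries millions.
WORDLIST = {"kittens", "kitten", "password", "letmein", "sunshine", "monkey"}
COMMON_SUFFIXES = ["123", "!!", ":)", ":(", "!", "1"]
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
DICT_SIZE = 100_000        # assumed size of the attacker's dictionary
PHRASE_LIST_SIZE = 7_776   # Diceware-sized list, assumed for the passphrase estimate

def naive_class_bits(password):
    """What a typical strength meter does: length x log2(size of the classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def word_plus_suffix(password):
    """Return the dictionary word if the password is word + leet tweaks + common suffix."""
    core = password.lower().translate(LEET)
    for suf in COMMON_SUFFIXES:
        if core.endswith(suf):
            core = core[: -len(suf)]
            break
    return core if core in WORDLIST else None

def pattern_aware_bits(password):
    """Guess-space estimate when the attacker knows the word+leet+suffix pattern.

    Dictionary choice x one on/off substitution per letter x suffix choice.
    (Case toggles like the leading capital are another cheap rule, ignored here.)
    """
    word = word_plus_suffix(password)
    if word is None:
        return naive_class_bits(password)
    return math.log2(DICT_SIZE) + len(word) + math.log2(len(COMMON_SUFFIXES))

def passphrase_bits(words, list_size=PHRASE_LIST_SIZE):
    """Random words from a list: entropy grows by log2(list_size) per word."""
    return len(words) * math.log2(list_size)

if __name__ == "__main__":
    pw = "Kitt3ns:)"
    print(pw, round(naive_class_bits(pw), 1), "bits by a naive meter")
    print(pw, round(pattern_aware_bits(pw), 1), "bits against a pattern-aware cracker")
    phrase = ["caravan", "lollipop", "infestation", "ball"]
    print(" ".join(phrase), round(passphrase_bits(phrase), 1), "bits from four random words")
```

The meter's roughly 59 bits collapse to about 26 once the pattern is known, while four plain lowercase words come out near 52 bits with nothing to remember but the words.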
These things don’t make you unable to get hacked; they just help prevent it. I am not responsible for what happens to your site, blah, blah, blah.
In other words, if you’re dumb even after you do these things, I’m so not taking you seriously in the future.
You know, Liza, that’s actually pretty brilliant of you and brave too. I mean who better to learn how to secure your site from than those who are always trying to get in.
You’re right about a lot of this and I know that most people new to blogging don’t have a clue about all of this. My goodness, it took me years to learn this stuff because I had no idea.
I have a plug-in that will alert me when someone tries to log into my dashboard and I immediately go and block their IP address on my server. Instantly, I don’t care who the heck you are. If you’re trying to hack my blog you aren’t wanted here. Like you, I do something about it instantly.
The strong passwords are a must and for goodness’ sake, remove admin as your username. I’ve preached that too until I’m blue in the face. But some people are doing something about it at least.
Thanks for sharing and you’re a smart girl! 😉
Joining a hacker community is a great way to learn about security! I don’t think that you’ve done anything wrong. After all, there’s a difference between speaking to them and actually hacking.
I made sure that I had uninstalled Contact Form 7 after you mentioned that it was insecure. Out of curiosity, is the Jetpack plugin secure? It is awfully convenient, and I’d be really sad if it wasn’t.
This was such an awesome post. Definitely agree with you on the passphrases, which I’ve been using a lot more of lately. I thought they’d be more annoying to type but they’re not. Really a lot easier to use than switching for symbols and letters, and it’s unlikely that someone guesses that you put caravan, lollipop, infestation and ball in the one password.