How to remove passwords from your browser and increase your online safety

In Fast Web Formula today, we are talking about password security. How to keep your passwords safe, make them complex – and not have to remember them!

I recommend LastPass for generating secure passwords and keeping them secure. It's free and works on all major browsers. The premium version lets you share your passwords and secure notes with your smart phone.

But…

Once you have LastPass installed, you might think you're safe. Your passwords are safely locked away, encrypted, and no one could get them – even if they got your computer.

Nope! The passwords you imported into LastPass are still in your browser. Encrypted, yes, but anyone who can open a browser window on your computer can get around that. So you have to remove all your passwords from your browser.

We were talking mostly about Chrome today, so I whipped up a quick how-to on removing all saved usernames and passwords from Chrome. Be careful, there's no undo on this, so make sure LastPass is installed and working OK before you do this.

http://nathanbriggs.clarify-it.com/d/a37xw3

Why you shouldn't use an Administrator-level WordPress user when you don't have to

If you're like most people, you use an Administrator-level account for your WordPress site all the time. Even doing something simple like comment moderation or posting something new, you use the admin account (minus 5 Spanky-points if its username is “admin”). It's just easier, right?

What if an asshat hacker gets into that account? They can do anything you can. Delete posts, put spam links in content and menus, mess up your theme settings, even create their own user so they can get in if you change your password.

How could they get in, you ask? A few ways…

Obvious

The obvious way is password-guessing: just throwing password after password after password at your site, trying to log in. Good news – this is easy to stop! Don't use admin as your Administrator username (which means they'll have to guess the admin username as well as the password); use a strong password; and limit the number of times someone can try to log in and fail.
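One way to implement the third item (limiting failed login attempts) is a small must-use plugin that counts failures per username and client address and refuses authentication once a threshold is reached. This is an added example written for this post, not code from LastPass, WordPress core or any plugin the post mentions; the thresholds, the function names and the `fll_` prefix are constructed, and the lockout is keyed on `REMOTE_ADDR`, which is only meaningful if your host does not sit behind a reverse proxy.

```php
<?php
/*
Plugin Name: Failed Login Limiter (example)
Description: Lock out a username/IP pair after too many failed logins. Drop into wp-content/mu-plugins/.
*/

// Constructed thresholds for this example; tune them to taste.
const FLL_MAX_ATTEMPTS    = 5;
const FLL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key for the current client address plus the attempted username.
// Assumption: REMOTE_ADDR is the real client (no reverse proxy in front of PHP).
function fll_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'fll_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count a failed attempt. WordPress fires wp_login_failed whenever wp_signon() gets a WP_Error.
function fll_record_failure( $username ) {
    $key      = fll_key( $username );
    $attempts = (int) get_transient( $key );
    if ( $attempts >= FLL_MAX_ATTEMPTS ) {
        return; // Already locked out: leave the original expiry alone so the lockout does not grow forever.
    }
    set_transient( $key, $attempts + 1, FLL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'fll_record_failure' );

// Refuse to authenticate while locked out, even if the password is right.
// Priority 40 runs after core's username/email/cookie checks (priorities 20 and 30),
// so we override whatever WP_User they produced.
function fll_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $attempts = (int) get_transient( fll_key( $username ) );
    if ( $attempts >= FLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts for this account. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'fll_check_lockout', 40, 3 );

// A successful login clears the counter for that username/IP pair.
function fll_clear_on_success( $user_login, $user ) {
    delete_transient( fll_key( $user_login ) );
}
add_action( 'wp_login', 'fll_clear_on_success', 10, 2 );
```

Transients live in the options table (or in your object cache if you have one), so the counters survive across requests without any extra schema, and they expire on their own after the lockout window.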

Sickening

Because password-guessing is so easy to stop, the asshats have come up with other methods. A favourite method is to infect as many computers as possible with a virus, and have the virus keep an ear out for passwords. This way, they can harvest a lot of FTP and WordPress logins without it taking much effort. The only way to defeat this type of attack is to make sure your computer – and your team's computers – have good, up-to-date anti-virus and anti-malware software. Especially if you're using a Mac. There's still an idea in the Mac community that Macs don't get viruses – and the asshats take ruthless advantage of this myth.

And it's not just your computer you should be worried about. Are you sure your VA's or team's computers are secure?

Scary

This last way is probably the scariest one. They take advantage of when you're relaxed, enjoying yourself… thinking you're safe. You're in Starbucks. Having a coffee (or five), doing some work. But who's that sitting innocently at the next table? He's stealing your login information? Surely not!

Wireless networks for customers, like you get in coffee shops, aren't secure or encrypted. Everyone's computer “sees” traffic for everyone else's. You don't see what other people are doing, because your computer knows to ignore it. But what if you tell your computer not to ignore it? To suck it in. Analyse it. Look for login events and passwords.

Programs that do that – literally suck usernames and passwords out of the air – do exist. And they're easy to use. There are even programs dedicated to looking for social media logins. So, on any network you don't absolutely control and whose security you aren't sure of, don't go logging in to anything you care about.

Action steps

  • Create yourself a new WordPress user with the lowest level of access that makes sense for you. Normally, this is Editor, which allows you to create and publish content, approve comments, and manage categories and tags. Use this user whenever possible, and always in public places.
  • Create a new user for each member of your team (or edit their current user to give it a lower permission level).
  • Have a cookie (you deserve it 🙂 )
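To make the first two action steps concrete, here is an added example script (not code from the post or from WordPress itself) that creates an Editor-level user with a generated password and prints what that role can and cannot do next to Administrator. The username, e-mail address, capability list and `wpshine_example_` prefix are constructed for illustration; run it from the site root with WP-CLI (`wp eval-file create-editor.php`) and paste the printed password straight into your password manager.

```php
<?php
// Added example: run inside a WordPress install with `wp eval-file create-editor.php`.
// All names and values below are constructed for illustration.

// Report, for each role, whether it holds each capability in $caps.
function wpshine_example_role_report( array $caps ) {
    $report = array();
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        foreach ( $caps as $cap ) {
            $report[ $role_name ][ $cap ] = $role ? $role->has_cap( $cap ) : false;
        }
    }
    return $report;
}

// Create an Editor with a strong generated password. Returns the new ID and the
// password (so you can store it), or a WP_Error if the login or e-mail is taken.
function wpshine_example_create_editor( $login, $email ) {
    if ( username_exists( $login ) || email_exists( $email ) ) {
        return new WP_Error( 'wpshine_exists', 'That username or e-mail is already in use.' );
    }
    $password = wp_generate_password( 24, true );
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return array( 'id' => $user_id, 'password' => $password );
}

// Capabilities the post cares about: content work on the left, things only an
// attacker who owns an admin account could abuse on the right.
$caps = array(
    'edit_posts', 'publish_posts', 'moderate_comments', 'manage_categories',
    'manage_options', 'install_plugins', 'switch_themes', 'edit_users', 'create_users',
);

foreach ( wpshine_example_role_report( $caps ) as $role_name => $row ) {
    echo str_pad( $role_name, 15 );
    foreach ( $row as $cap => $allowed ) {
        echo $cap . '=' . ( $allowed ? 'yes' : 'no' ) . ' ';
    }
    echo PHP_EOL;
}

$result = wpshine_example_create_editor( 'spanky-daily', 'spanky-daily@example.com' ); // constructed values
if ( is_wp_error( $result ) ) {
    echo 'Not created: ' . $result->get_error_message() . PHP_EOL;
} else {
    echo 'Created user #' . $result['id'] . ' with password: ' . $result['password'] . PHP_EOL;
    echo 'Store that password in your password manager now; it is not shown again.' . PHP_EOL;
}
```

The report is the useful part: it shows that an Editor can do all the day-to-day content work the post lists, while `manage_options`, `install_plugins`, `switch_themes` and the user-management capabilities (the ones that let an intruder add a back-door account) stay with Administrator.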

Is your host ready to nuke your business?

What do you think could be crazy enough to make a mellow nerd see red? Let me tell you a story. A couple of days ago I heard about a case of a really bad web host.

You need to read this, because there's a cautionary tale, and I want you to be aware of what kind of scoundrels you might be dealing with, who are hosting your websites.

You count on your host. Your business depends on them keeping your site online and safe. But what happens when things go wrong?

The host in our story, who I’ll call Dr Evil, Inc, don’t like it when their clients’ sites get hacked. Fair enough, I don’t like it when sites get hacked either. It’s nasty. It’s traumatising for site owners. It’s damaging to your business. And it’s expensive to clean up.

But there’s traumatising and there’s traumatising, and Dr Evil, Inc seem to be going for the gold medal.

Their procedure when a client’s site gets hacked is to immediately block access and not let the client get in again. At all. Until the account has been totally deleted. Totally deleted. Including the backups.

That isn’t quite believable, so I’ll repeat it. Totally deleted. Including the backups.

To cover their ass, they make you email them an authorisation for the site to be nuked before they’ll give you access again.

Wiping out an entire account, and all the backups, potentially destroying your business is so far out of proportion I’m not sure I can come up with a comparison. It’d be like someone stealing a chocolate bar and the government believing the appropriate response is to nuke the entire city.

What Would Austin Powers Do?

So what should they do? (aka “how does a good host behave?”)

The first job of a host when something goes wrong is to help you relax. Being panicked doesn’t do a damn thing for your website, and it does hurt you.

Automatically blaming clients and going full-on Stormtrooper isn’t helping – it's making a bad situation worse. A hack usually is the client’s fault, but there’s no need to be a dick about it.

Fact is, most people do not have a recent, off-server backup of their site. Odds are you don’t. You know it’s important, you know you should, but it’s got pigeonholed in your brain into the “someday” category… which we all know actually means “never”. Even if you do have a backup, it’s probably on the same hosting account, so by nuking it they’re getting rid of your one chance of salvation.

And the worst thing is: it doesn’t fix the problem. Most hacks we see actually happened days, weeks, months or, in rare cases, years before the website is defaced. Restoring from a backup doesn’t fix the problem at all, because the backup almost certainly contains the same hole (and probably the hacker’s files too).

Oops

The really stupid thing is they’re missing out on great profits for providing a valuable service to their clients.

What they should do is have their own team, or professionals like us or Sucuri, clean up and remove the hack, then secure the site (do all needed updates, check code quality, etc) and charge a monthly maintenance fee.

Or even let clients do it themselves; we’ve worked several times with people who have had their hosting turned off – but not wiped – and the hosts have been happy to turn the account back on so we could work.

Results? Happy, grateful clients and a new revenue stream.

Takeaways (mmm… takeaway)

  1. Don’t choose a host for your business based on price
  2. Keep control of your backups – have them run automagically, and automagically moved off the server (e.g. to your Amazon S3 account)
  3. Ask your host today what their policy is for dealing with hacked sites

How to know if that security plugin is any good

A few days ago a friend asked me to take a look at a new security plugin for WordPress. I was not impressed. Let me tell you how I evaluate a new security service; most of these are little checks you can do yourself without needing to know code.

How much is it

I don’t much like prices outside the middle ground.

Too cheap means they won’t have the money to pay for a decent support team, and with a security plugin (which are more complex and error-prone than most) you’re going to need good support backup.

But too expensive is also a problem. A service at $30, $60 or even $100 a year isn’t pocket change (okay, it might be pocket change to some people, but it’s enough that expectations get raised). A lot of plugins are sold around these price points, and you have a right to expect them to work and fulfil all the promises on the sales page. Most don’t, of course; that’s the nature of pretty much any information or software product.

Does it actually protect you?

Here you have to play detective a bit. The tricky bit is that with clever marketing you can spin one actual feature into 6 or 7 benefits or features with no trouble at all. So we have to read between the lines a little and think about the types of attacks your site faces and how to stop them.

Types of threat

  • Code injection (can an asshat get their own HTML saved into your WP settings and output)
  • SQL injection (can they delete your database, or edit your posts)
  • Brute force (password guessing)
  • Specific, known vulnerabilities (like the TimThumb remote file upload bug)
  • Unknown threats (vulnerabilities we don’t know about yet, but that follow the pattern of an earlier vulnerability)

Does it protect?

Read the feature list carefully, even without expert knowledge you can make a pretty good guess at which category each feature falls under.

What doesn’t it protect against?

This is the most important part of your analysis. Only when you know what the plugin/service doesn’t protect against will you know what you still need to protect against, and if the commercial plugin you’re considering is worth the price.

Can free plugins do the job?

There are a lot of free security plugins for WordPress in the repository. Of course, many are crap. A few are excellent. Often, commercial plugins will use code from the repository for their own product. This is perfectly legal and ethical (as long as it is acknowledged in the code); I don’t have a problem with it at all, but you might, and it is nice to know when someone is making money off other people’s volunteer efforts.

Does it do anything stupid?

My two top indicators for “this person should burn in hell” (in the context of security plugins, at least 🙂 ) are disabling the right click and “securing” wp-admin with a password. Why? Because disabling the right click is harmful to users (there are a lot of reasons someone might want or need to right click, and taking that away without a damn good reason is not kosher), and it doesn’t even fulfil its stated purpose of “protecting” your content from getting copied. Getting around a right click disabler takes about 3 seconds, and any thief who’s passed kindergarten will know how to do it, so all you do is hurt innocent visitors.

Passwording wp-admin is equally stupid. Not only does it do little to nothing to improve the security of your site, it completely blocks AJAX (the interactive tools) for visitors to your site. Not cool.

Is the code secure?

Finally, look at the coder themselves. What qualifications do they have to be writing any plugin, let alone a security plugin, which should be the most secure code possible? Pretty much anyone can write a plugin; hardly anyone can write one correctly and securely. Has the code been audited by an expert, like Mark Jaquith?

Does the coder use modern best practices, like using the data escaping tools WordPress provides? If they don’t, they have no business calling themselves a coder, much less a security system coder. Write and ask them.
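Here is what “using the data escaping tools WordPress provides” looks like in practice, covering the first two threat types from the list above (HTML saved into settings and output, and SQL built from input). This is an added example written for this post, not code from any plugin being reviewed; the `wpsh_` prefix, the option names and the function names are constructed. The unsafe patterns appear only as comments so you can recognise them when you read a plugin’s source.

```php
<?php
// Added example: a small settings-and-output fragment showing sanitize-on-input,
// escape-on-output and prepared SQL. Names prefixed wpsh_ are constructed.

// 1. Settings go through a sanitize callback before they are stored. Without this,
//    whatever was posted (script tags included) lands in wp_options as-is.
function wpsh_register_settings() {
    register_setting( 'wpsh_options', 'wpsh_tagline', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and stray whitespace
        'default'           => '',
    ) );
    register_setting( 'wpsh_options', 'wpsh_link', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw',         // keeps only a well-formed URL
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'wpsh_register_settings' );

// 2. A form handler checks both a capability and a nonce before touching options.
function wpsh_handle_settings_post() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You are not allowed to change these settings.' ) );
    }
    check_admin_referer( 'wpsh_save_settings' ); // dies on a missing or stale nonce
    update_option( 'wpsh_tagline', sanitize_text_field( wp_unslash( $_POST['wpsh_tagline'] ?? '' ) ) );
    update_option( 'wpsh_link', esc_url_raw( wp_unslash( $_POST['wpsh_link'] ?? '' ) ) );
}
add_action( 'admin_post_wpsh_save', 'wpsh_handle_settings_post' );

// 3. Output is escaped for the context it lands in: text node, attribute or href.
function wpsh_render_tagline() {
    $tagline = get_option( 'wpsh_tagline', '' );
    $link    = get_option( 'wpsh_link', '' );

    // Unsafe pattern you will see in careless plugins (do not copy):
    // echo '<p class="tagline">' . $tagline . '</p>';

    echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
    echo '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $tagline ) . '">' . esc_html__( 'More' ) . '</a>';
}
add_action( 'wp_footer', 'wpsh_render_tagline' );

// 4. Queries use $wpdb->prepare() with typed placeholders instead of string
//    concatenation, so the input can only ever be a number here.
function wpsh_published_posts_by_author( $author_id ) {
    global $wpdb;

    // Unsafe pattern (do not copy):
    // $wpdb->get_results( "SELECT ID FROM {$wpdb->posts} WHERE post_author = '$author_id'" );

    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
          WHERE post_author = %d AND post_status = 'publish'
          ORDER BY post_date DESC LIMIT %d",
        absint( $author_id ),
        10
    ) );
}
```

When you open a plugin’s source, grep for `echo` and `$wpdb->` and check that each one is wrapped the way steps 3 and 4 show; a security plugin that prints options raw or glues variables into SQL has failed its own job.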

I hope you’ve found this article useful. Is there anything you’re wondering about that I haven’t covered?

Display Buddy worth it?

A friend of a friend messaged me on Facebook tonight, asking about the Plugin Buddy developer pack (which includes Backup Buddy, the Display Buddy suite, Frolic and Email Buddy).

He'd seen my status messages about Backup Buddy. I talked about how important it is to have automagic backups for your site. It is especially important to take a backup before you upgrade your site.

The developer pack, with unlimited licenses for all plugins, is $197, but an unlimited license for just Backup Buddy is $147. So you have to figure out if the extra plugins like Frolic are worth $50 to you.

Display Buddy

The Display Buddy set can be useful and very flexible. If what they do is exactly what you need, they're wonderfully quick; if not, forget about them. For me it's worth having access to them just in case I need to do a basic slideshow or whatever. I haven't really explored them in depth, but a couple of them have been very useful (read: saved me from having to code my own) in a couple of projects I can remember off the top of my head.

Come Frolic in the water

Frolic is pretty new but I'm impressed with the power & options it gives. It's a one-stop-shop for social media in WordPress.

You can create Like and Send buttons for Facebook, publish Facebook comments on your site, and a whole lot more.

For Twitter, you can display your recent tweets, let visitors follow you or tweet to you (@youraccount) or your hashtag.

Google Plus has the normal +1 button, as well as a Share button and a display of people who have +1'd the page.

LinkedIn is new in Frolic, and I haven't had a chance to play with it yet. I'll test it out and write about it soon, but it does look impressive.

Buy or do not

I think it's probably worth the extra $50 if you're likely to need any of the things they can do in the near future. Otherwise, wait & upgrade later on when you need them (email sales@ithemes.com and they'll sort you out a price-difference upgrade).

Hugs,

Spanky

Securing Your WordPress Sites …

As more and more people use WordPress…

As more and more plugins are used to extend WordPress

As more and more themes are created …

It's time to be concerned about your WordPress site.

Whether your WordPress site shows off your business, entices prospects to buy your products, or you use it to promote affiliate programs …

You are vulnerable…

They DON'T care … the crackers and the hackers of the world…

They don't care who you are. In the infamous words from “The Godfather”, “It's nothing personal, it's just business.”

It doesn't matter whether your site is active or not … your site is vulnerable.

What are things that you can do today to keep hackers away?

First …

If you are not using the latest version of WordPress, or your theme, or your plugins … do that … not tomorrow, not next week … do it today.

Secondly …

If you have themes and plugins and old WordPress installs you are not using, just sitting on your server … delete them.

Thirdly …

Don't use Fantastico to install WordPress.

We love automation, but the automation comes at a cost: the loss of customization and uniqueness. When you install WordPress with Fantastico, certain files get installed that hackers can easily find. It uses a formulaic way of naming the WordPress database that hackers know about. And a few other things make it much easier for hackers to crack into your site.

At some point, I will create a video showing you how to install WordPress nearly as quickly as you can install it with Fantastico … and make it much more secure.

My name is Judy Kettenhofen, and WPShine.com is the combined site of Nathan “Spanky” Briggs and me. We care about security. We want you to be safe. We will be adding to this site to help you be more secure.