Hacking the WordPress CMS. Or Stopping Someone Who Wants To

Jeff Yablon
Business Change and Business Process
3 min read · Apr 15, 2013
WordPress Security: Just Change Your User Name

Right this moment, someone is trying to hack your website. And if you use WordPress, right this moment about 90,000 someones are trying to break in.

None of that is hyperbole. There really are bad guys out there trying to break the security on your web site every moment of every day, and there really is a broad-scale attack currently in-progress on web sites running the WordPress Content Management System.
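
The attack the post is describing shows up in a site's own web server logs as a flood of password guesses against wp-login.php. The following is an added example, not from the original post, of how a site owner could spot that from an access log: WordPress answers a wrong user name or password by re-rendering the login form (HTTP 200), while a successful login answers with a 302 redirect into wp-admin, so a burst of 200-status POSTs to wp-login.php from one address is the signature to look for. The log lines below are constructed samples in the common Apache/nginx "combined" format, and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Apr/2013:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:10:13:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.29"
this line is deliberately malformed and must be skipped
"""

# client ip, timestamp, request line (method + path), status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    """A POST to wp-login.php that came back 200 is WordPress re-showing the form
    after a bad user name or password; a success is a 302 redirect instead."""
    return (ev["method"] == "POST"
            and ev["path"].endswith("/wp-login.php")
            and ev["status"] == 200)


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each client IP to its peak number of failed logins inside any
    window_seconds-long interval, keeping only IPs at or above threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_failed_login(ev):
            per_ip[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits within window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins inside one minute")
```

Run against the sample, only 203.0.113.7 is flagged: 198.51.100.2 is a person who mistyped once and then got in, and 192.0.2.9's three slow guesses stay under the one-minute threshold until you widen the window. That last case is the caveat: patient guessing from many addresses is exactly what the current campaign looks like, so the thresholds are a starting point, not the whole answer.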

And despite the fix being incredibly simple, the story that all the many, many WordPress sites in the world are currently under attack has somehow become mainstream news. Since your run at Influency would be severely derailed if anyone broke into your web site, this one’s worth taking a look at.

Matt Mullenweg, the guy who invented WordPress, has chimed in. Matt, who of course has an obvious horse in the race, sees this exactly the way I do: there’s no real problem in WordPress security, and there’s no real problem for WordPress Admins, as long as their name isn’t … ‘admin’.

Coincidentally, one of our Answer Guy Daily Influency Videos covered this point last week. And sometimes, things really are that simple.

Matt goes a bit further, suggesting that a good second step is two-step authentication. The truth is that while two-step authentication is a great idea, changing your user name from Admin to anything harder to guess, and combining it with a password that’s a bit better than ‘password’, already gives you two-step authentication. Having another password, even one that’s constantly changing, stored and generated elsewhere, is overkill.

I’m not anti-security, by the way, I’m pro-common sense.

Think about it. If a bad guy or a determined piece of software started knocking on your WordPress installation’s door and already knew your user name, it would need to supply only a password to get in. On the other hand, if it needed to know BOTH that your user name was WordPressInfluency AND that your password was cONTENTmANAGEMENTsYSTEMSmAKEfORgREATiNFLUENCYiN2013, the chances of anything happening would drop to approximately zero.

Here’s the problem this leaves: the current WordPress security problem isn’t actually a security problem, at all!

I mean, part of it is; you need to not have a user named ‘Admin’. But that’s incredibly simple to fix (and if you can’t figure out how, contact us here and we will fix your WordPress user name problem for free).

The problem is that once something becomes as popular as WordPress is, it magically grows a huge target on its back. This is the reason that for so many years it looked like Microsoft Windows was vulnerable to virus attacks and Apple computers had no such problem; virus writers liked the huge target.

So let’s manage the security part of your Influency, right now.

  1. You absolutely need a content management system
  2. It absolutely should be WordPress
  3. Keep your CMS and your browser software up to date
  4. Your user name shouldn’t be ‘Admin’
  5. Never, EVER alter the core files in your content management system

That’s about it.
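
Item 4 is the one people get stuck on, because the WordPress profile screen will not let you edit an existing user name. What follows is an added example, not part of the original post and not WordPress’s own tooling, of the check and the fix done directly against the database tables. It uses the real wp_users and wp_usermeta column names (with the default wp_ table prefix assumed) but runs here against an in-memory SQLite stand-in with made-up rows, since a live site keeps these tables in MySQL. Two details worth knowing: administrators are identified by the serialized role list in the wp_capabilities meta row, and user_nicename is what appears in /author/<name>/ URLs, so leaving it as "admin" would keep advertising the old login even after the rename.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for a WordPress database: a subset of the real
    wp_users / wp_usermeta columns, populated with made-up accounts."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (
            ID            INTEGER PRIMARY KEY,
            user_login    TEXT NOT NULL,
            user_nicename TEXT NOT NULL,
            display_name  TEXT NOT NULL
        );
        CREATE TABLE wp_usermeta (
            umeta_id   INTEGER PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            meta_key   TEXT,
            meta_value TEXT
        );
        INSERT INTO wp_users VALUES (1, 'admin',     'admin',     'admin');
        INSERT INTO wp_users VALUES (2, 'copydesk',  'copydesk',  'Copy Desk');
        INSERT INTO wp_users VALUES (3, 'siteowner', 'siteowner', 'Site Owner');
        -- WordPress stores each user's roles as a serialized PHP array
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return con


def find_admins_named_admin(con):
    """Return (ID, user_login) for every administrator whose login is 'admin'.
    LOWER() is used because MySQL compares logins case-insensitively."""
    return con.execute("""
        SELECT u.ID, u.user_login
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND LOWER(u.user_login) = 'admin'
    """).fetchall()


def rename_login(con, user_id, new_login):
    """Rename a user's login, nicename and (if it still echoed the login) display name.
    Posts reference users by ID via post_author, so nothing else needs updating."""
    if not new_login or new_login.lower() == "admin":
        raise ValueError("choose a user name that is not 'admin'")
    if con.execute("SELECT 1 FROM wp_users WHERE LOWER(user_login) = LOWER(?)",
                   (new_login,)).fetchone():
        raise ValueError(f"user name {new_login!r} is already taken")

    old_login = con.execute("SELECT user_login FROM wp_users WHERE ID = ?",
                            (user_id,)).fetchone()[0]
    # nicename is a URL slug: lowercase, letters/digits/hyphens only
    nicename = re.sub(r"[^a-z0-9-]+", "-", new_login.lower()).strip("-")
    con.execute("UPDATE wp_users SET user_login = ?, user_nicename = ? WHERE ID = ?",
                (new_login, nicename, user_id))
    con.execute("UPDATE wp_users SET display_name = ? WHERE ID = ? AND display_name = ?",
                (new_login, user_id, old_login))
    con.commit()
    return con.execute("SELECT user_login, user_nicename, display_name FROM wp_users WHERE ID = ?",
                       (user_id,)).fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    for uid, login in find_admins_named_admin(db):
        print("administrator still named", login, "->", rename_login(db, uid, "WordPressInfluency"))
```

On a real site you would run the same two statements through the MySQL client against the live tables (with whatever table prefix wp-config.php sets), after taking a database backup. Remember that the old login may also be visible anywhere you typed it into content by hand; the rename only touches the user record.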

There’s more, of course, and you need to make lots of decisions about things like which advertising networks work, and what you add to your WordPress installation to make it all Influence-y. But the simple stuff is simple, and security can be too if you approach it the right way, using common sense.

Want help with those pesky choices? I’m right here.
