Marketers and content developers usually don’t get too involved with security conversations and hacker behavior. That’s usually left to website developers.
Furthermore, those who write for information-only sites (like this one) that don’t collect visitor payments often think these sites aren’t vulnerable to hackers. But that doesn’t mean these sites can’t, or won’t, become a hacking target.
Every Website is a Hacking Target
Obviously, e-commerce websites are the biggest targets for hackers. But the reality is that every site is a link to another one and to someone’s own computer. That’s enough for any site to be a hacking target.
iThemes wrote a very insightful post about why hackers hack and highlighted a few scenarios that I could certainly envision on a site like this one that doesn’t sell products or collect payments:
- Injecting sites with malware that redirect visitors to their own information-stealing sites
- Installing ransomware and demanding an unlock fee
- Just for the fun of it
Even having good SEO is enough of a reason to be a potential target. After all, if your site is ranking well for keywords, it’s attracting more than potential customers, and that visibility alone can be a reason for someone to look for a back door to install spyware, redirects, and other mischief.
These are good enough reasons (for me, at least) to ensure my site has strong security.
How to Frustrate Hacker Behavior
Without question, good security practices offer enough protection to deter most hackers looking for an easy break-in.
Dana Baedke, founder of the marketing materials firm Runmark, shared a couple of security observations from an SEO Trends and Best Practices panel on the Slack channel run by the Arizona WordPress Group. The panel was sponsored by AZIMA, the Arizona Innovation Marketing Association.
- Don’t use the wp-admin prompt to log in to a WordPress site
- Most panel participants were leery of security plugins
Those two recommendations prompted interesting and useful commentary from two guys who know a lot about WordPress security: George Lerner and Mark Rudder.
Don’t Stress Over a Login Page But Pay Attention to User Names
George Lerner is a well-known WordPress security expert who runs Lerner WebTech. In his opinion, the wp-admin login concern is overblown. The login names “administrator” or “admin,” however, should never be used. If a site was set up with one of those names, it should be changed in the Users section of the admin panel.
Another commenter rated the wp-admin issue a 2 out of 10 in terms of security concerns. Hackers already know that site owners often rename the login portal (“security by obscurity” in tech lingo), so renaming it is mostly a rote exercise, so to speak.
Mark Rudder, co-owner of OnsiteWP, doesn’t disagree with these comments. Still, OnsiteWP uses a tool that hides the login page for most clients. It’s not a perfect solution, he says, but it has enough benefits to be useful.
50% of usernames are “admin” or a variation of this. Be more creative.
Rudder echoed Lerner’s admonition about usernames: 50% of hacks begin with usernames that are easy to guess like “admin.” That’s half the battle lost right away.
Use Unique Passwords and 2FA
It’s worth repeating that using long, convoluted passwords is the best security for any user on any website. It’s also important to use unique passwords for every site you visit.
This isn’t easy, and it’s tempting to use the same password for at least a few sites. If you struggle with coming up with creative passwords, consider using a password manager to create and save user names and unique passwords complete with numbers, symbols, and capital letters. Password managers also prompt users to replace weak or old ones.
If you’re concerned about the security of password managers, take a look at Lerner’s guide to creating passwords. He’s also in the planning stage for a security course.
Rudder urged site owners to adopt two-factor authentication (2FA), a security best practice. Otherwise, he says, the most common element he sees in hacked sites (cleaning up sites is a major OnsiteWP service) is the lack of a security plugin. And that’s because…
Security Plugins Work to Frustrate Hacker Behavior!
Contrary to the AZIMA panel, Lerner endorses the WordFence plugin, mainly because it does a much better job than web hosts, and he’s evaluated a lot of them.
Even WordFence’s free version has a web application firewall that Lerner says offers “amazing protection” against hacking. Lerner thinks a competitor, iThemes Security, is better than WordFence in some ways, but WordFence does a better job of educating users about the security issues it finds.
(I use Sucuri for security. My site host, SiteGround, also provides security, although, as Lerner notes, it’s probably not the greatest. I used to use WordFence, but it actually locked me out a number of times.)
OnsiteWP uses WordFence for all the sites they manage. “Without some security plugin, in our estimation, it won’t take very long before a site gets hacked,” Rudder says.
You’ll Get Used to Using Extra Security Measures
I know using 2FA and creating new passwords is a pain. Once you adopt them, though, these extra measures eventually become a habit.
The security experts try to stay ahead of hackers, but as I noted earlier, hackers are a clever bunch. They’d probably do just as well in legitimate businesses, but I guess that isn’t as exciting. Let’s do our part and make their work a little harder.