Hide wp-admin

Over the past few months we have been seeing a huge spike in the number of brute force attacks. These attacks can not only break into a site’s admin section, but can also cause such an increase in traffic that the site load times can slow to a crawl – think 1990’s dial-up internet kind of slow. To help prevent this, one thing we have been doing on the sites we build and host is hiding the wp-admin login screen.

One of the security concerns with WordPress is that everyone, legitimate users and hackers alike, knows that if they go to domainname.com/wp-admin they will be at the site’s default login page. Once a hacker or brute force script is on that page, they can start guessing username and password combinations at rates of up to 350 billion per second. While programs like WordFence do a great job at stopping multiple logins from the same IP address, they won’t completely prevent the brute force attacks. The various malware scans and security options WordFence provides still make it an essential plugin, but going one step further and hiding the wp-admin link takes security to another level.

To hide the wp-admin link, we use another plugin to rename that link to whatever we want. With this plugin, instead of going to domainname.com/wp-admin to log in, a user would go to domainname.com/abc123 or domainname.com/secret-login. Since at Full Scope Creative we don’t use any formula or set pattern for those names, each client login is 100% unique to that site and that site only. By hiding the admin login page, it creates another layer of security that a hacker or brute force attack must get through.

You’ve likely heard me say before that there is no foolproof computer system, but WordPress is a great system with great built-in security. With plugins like WordFence and hiding the admin login, we can take that security to a whole new level.

Usernames to Block

Remember when you were a kid, and you needed a password to get into the tree fort? Not a bad security step. If you recognized the person who wanted to get in to your fort and they knew the password, that person was welcomed in. If they didn’t have the password – and they weren’t bigger than you – they didn’t get in. If you didn’t recognize them, there’s no way they’d get in, even with the password. Your website can work in much the same way: no username, no password, no entry.

One of my favorite plugins in WordPress is WordFence. Even the free version of the software has some amazing features. You can easily limit the number of login attempts as well as block a user after a certain number of attempts (10 or 20 is what I recommend). In the tree fort, if you didn’t recognize someone, it didn’t matter if they had the password, they weren’t welcomed in; we can do the same through WordFence. If someone uses a certain username, we can automatically lock them out.

One username to block right away is ‘admin’. These usernames are all set up by either your developer who built the site or you yourself when you created the various user accounts. If you never set up an account with the username of ‘admin’ – which you should never do, by the way – no one should ever be looking to log in with that username. ‘Admin’ is one of the first names that spammers and hackers will use in a brute force attack to gain access to your site. Block the use of the ‘admin’ username, and then block the IP that they’re using: quick and easy.

The other names you should block are any names that a spammer or hacker attempts to use. With WordFence, the plugin will send you an email anytime a user is locked out because they failed with a username and password 10 times (or whatever you have it set to). An awesome feature of WordFence is that they’ll also tell you what username was used and where this user was logging in from. I received one of these emails from a client’s site and it said that ‘clientsDomainName’ had attempted login 10 times. I went in to the client’s WordFence settings and added ‘clientsDomainName’ to the list of blocked names. Now any time a spammer or hacker attempts to get in with that username, they’ll be blocked immediately. Whenever I receive an email like that, I will always login and block that username.

If you are a Full Scope Creative client on Security Essentials Hosting, you enjoy the benefit of having your site monitored by us. We maintain all of those emails from WordFence for you and will add any of those username attempts as soon as we see them.

When I was a kid, keeping my tree fort free of unwanted visitors was a top priority. Our websites shouldn’t be any different. We know to keep passwords safe and secure, but there’s also work to be done on the usernames as well. Thankfully, with WordFence for WordPress, we’ve got a lot of great tools at our disposal.

Security by Obscurity?

In 2018, security on your website is a big deal. One security measure you may have heard of is “security by obscurity” or SBO for short. While it may sound like a great idea, the results will likely leave you frustrated. Security by obscurity – while sounding logical – is actually a huge vulnerability.

SBO can be traced as far back as Alfred Charles Hobbs, who in 1851 (yes, 167 years ago) demonstrated and spoke of the issue as it applies to padlocks of the time. The idea behind SBO (again, yes, logical) is that if the bad guys (hackers) don’t know how your systems are laid out, they’ll never be able to hack them. Many programmers, including yours truly, have used this technique only to see it fail… miserably. Hackers and spammers are simply too good. Yes, SBO might keep the rookies out, but anyone who has been at it a while will still get through.

Thankfully, with WordPress (my content management system – CMS – of choice), there are a couple of great ways to provide security to your site. One way is with the plugin WordFence. We talked about WordFence in a recent blog about brute force attacks. You can easily install and set up the plugin to block unwanted logins and scan your site for vulnerabilities.

Another great feature of WordPress is that the core system (and themes and plugins) are updated fairly often; in fact, we just had another big update this week. While the hackers do have access to the new code, they will need to dig into it and start working up a new way to hack into sites all over again. Of course, this is only a benefit if you keep your site regularly updated. If you have Security Essentials Hosting from Full Scope Creative, no worries – we handle all those for you.

While it sounds logical, security by obscurity will eventually lead to headaches for your site. It’s been proven wrong for at least 167 years thanks to Alfred Charles Hobbs. Security is a big deal, obviously, for any website. Take the time and make sure you use the best security measures available for your site.

What is a Brute-Force Attack?

I’m sure you’ve heard the phrase ‘brute-force’ at some point in time. Whether used to describe an army invading a castle or a raging river, it simply speaks to the sheer volume and power of the force. In recent years, the phrase “brute force” has taken on a new meaning. Today, a brute-force attack is one of the most common and concerning security threats to any website or secured login. Thankfully, there are a couple of great options for preventing our sites, especially WordPress sites, from falling victim to a brute-force attack.

A brute-force attack is a trial and error type of method used to guess useful information, such as a username and password. Just like a river slowly and gently flowing downstream isn’t too big of a concern, a person sitting and guessing usernames and passwords isn’t that big of a concern (though still not appreciated). The concern with the river and our logins is simply in the sheer brute force. To accomplish this, spammers and hackers will use a software-based algorithm to automatically generate a large number of guesses for the desired piece of information. Some sources say that these guesses can be as numerous as 350 billion per second. As you can probably guess, 350 guesses per second can be a problem – and 350 billion per second can be catastrophic. The obvious concern is that the attacker could gain access into your site and wreak havoc. The problem with that many hits on a page (attempts to log in) is that it will eventually cause your website to crash and simply be down. While that can stop the attacker, it also means legitimate users can’t access your site. Thankfully, there are several easy-to-implement security protocols in WordPress as well as basic practices that can help eliminate the risk of a brute-force attack.

First things first – I gotta say this, and I know you’ve heard it before: PASSWORD for your password is a HORRIBLE idea! 1234 is a horrible idea! When you’re setting up your password in WordPress, one of its great security features is that WordPress will let you know how secure it feels your password is. Simply keep adding to your password until it comes up as Very Strong. To do this, you’ll most likely be using a combination of lower and uppercase letters, numbers, and special characters (!, @, #, $, etc.). For example, as I’m writing this, I’m listening to Quiet Riot. A musically influenced strong password would be something like Qu!t3#Ri0t#coftnoize – (Quiet Riot, Come On Feel the Noize). I added in uppercase, lowercase, numbers, and characters.

Okay, so now that we’ve got the obvious one out of the way… you can also install a plugin such as WordFence and customize its installation to protect your site further. With WordFence, you can take additional steps such as blocking a username. I never set up the username ‘admin’ – that’s far too obvious. With WordFence, if anyone tried to use that username, they’d be automatically blocked from being able to log in for however long you specify. You can also set it up so that if they do try a legitimate username but miss the password a certain number of times (10 or 20 ideally, if you use strong passwords), it will again lock them out.
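To make those lockout rules concrete (the ones described under “Usernames to Block” above and in the paragraph just above), here is an added Python simulation of a login monitor. It is not WordFence’s code; the sample events, the IP addresses (documentation ranges) and the threshold of 10 failures are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events, oldest first: (source_ip, username, success).
# The addresses come from documentation ranges; nothing here is a real log.
SAMPLE_EVENTS = (
    [("203.0.113.7", "admin", False)]                    # forbidden username: lock at once
    + [("203.0.113.7", "editor", False)]                 # same IP, already locked out
    + [("198.51.100.20", "chris", False)] * 10           # real username, wrong password x10
    + [("192.0.2.55", "chris", True)]                    # the legitimate user, elsewhere
    + [("198.51.100.21", "clientsDomainName", False)] * 10  # a username nobody ever set up
)


@dataclass
class LoginMonitor:
    """Mimics the rules above: N failures from one IP, or any use of a blocked
    username, locks that IP out and records an alert naming the username and
    the source address (the content of the notification email)."""
    max_failures: int = 10
    blocked_usernames: set = field(default_factory=lambda: {"admin"})
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_ips: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def block_username(self, username: str) -> None:
        # What the operator does after reading an alert: add the name to the list.
        self.blocked_usernames.add(username.lower())

    def _lock(self, ip: str, reason: str) -> str:
        self.locked_ips.add(ip)
        self.alerts.append(reason)
        return "locked"

    def handle(self, ip: str, username: str, success: bool) -> str:
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if ip in self.locked_ips:
            return "locked"                      # still locked out; not even counted
        if username.lower() in self.blocked_usernames:
            return self._lock(ip, f"blocked username '{username}' tried from {ip}")
        if success:
            self.failures.pop(ip, None)          # a good login clears the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            return self._lock(ip, f"'{username}' failed {self.max_failures} times from {ip}")
        return "failed"


def run(events, monitor=None):
    """Feed events through a monitor; return (per-event results, monitor)."""
    monitor = monitor or LoginMonitor()
    return [monitor.handle(*event) for event in events], monitor


if __name__ == "__main__":
    results, mon = run(SAMPLE_EVENTS)
    for alert in mon.alerts:
        print("ALERT:", alert)
    # After the alert about 'clientsDomainName', the operator blocks that name
    # outright, so the next attempt with it, from any new IP, stops on try one.
    mon.block_username("clientsDomainName")
    print(mon.handle("198.51.100.99", "clientsDomainName", False))
```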

With WordFence, you can also run a scan on your site to see if there are any affected or infected files on your site that need to be cleaned up. If there are any suspicious files, the program will let you know which ones are causing concern and which specific folders they’re in so you (or your web developer) can check them out and remove them if necessary. While this won’t stop a brute-force attack from hitting or entering your site, this scan can help limit the amount of damage that an attack can cause.

Thankfully, there are several simple and easy-to-implement tools and plugins to help prevent brute-force attacks. Unfortunately, cyber threats such as a brute-force attack are one of the most common and concerning security threats that we face with websites, and the problems (the hackers/spammers/evil-doers) won’t be going away anytime soon. Just like when an invading army would storm a castle or the water in a river rages, we can be proactive and ready to counter these attacks when they come.

The Importance of Backups

When I was a web design teacher, I always told my students to keep a backup of their homework and any projects they were working on, just in case anything happened. I had a couple of students who had the great misfortune of having their homework assignments somehow “disappear” the day that assignments were due. Being the cruel teacher that I was, I never gave them an extension. Keeping adequate backups of important documents is obviously essential; your website is no different. There are a number of things that can happen that could require a readily available backup of your website.

If Your Website Gets Hacked

It’s an event no business owner or webmaster wants to see. You can be as prepared as you want and have as much security as you want, but the risk of having your website hacked is always there. If there are easily accessible backups, getting the site at least restored back to a safe version of it will get the recovery process started. Once that safe backup is in place, then you can investigate where the vulnerability was in the site and see about securing it. If your site has a feature such as a shopping cart that is always being updated with new products or new orders, this might not be ideal as some of that data might be lost depending on how old the backup is. However, for most sites that only have periodic updates, having a backup ready to simply upload and use is a great way to avoid some horrible headaches.

User Error

No matter how computer savvy a person may be, there is pretty much always an instance or two where they quote Homer Simpson and have to say, “D’oh!” (You just read that in Homer’s voice, didn’t you?)

A few weeks ago a client called me and said, “Chris, I don’t know what I did, but I goofed something up on the site and I can’t get it fixed. Can you fix this?” Thankfully, we had several backups of his site available, so I was able to tell him that we could get it back up and running right away. I looked at his site for a few minutes thinking it would be an easy fix… but even I have no idea how he goofed the site up like he did. I grabbed the most recent backups we had of his site from a few days prior and uploaded that version. His site was back up and running in less than 10 minutes.

Older Version Worked Better

We also had a client who emailed and said that a few months prior they had made some changes to the text on their site and it was no longer performing as well as they had hoped it would. I went through the page revisions WordPress had stored, but couldn’t find the exact version they wanted for each of the pages. Again, thankfully, we had several months’ worth of weekly backups to choose from. I went back 3 months and pulled the content from that backup. It was exactly what they were looking for and we were able to get that desired content back for them. They were worried they’d need to re-write what was there from memory as best they could, but we were able to retrieve it exactly as it was.

Losing data is an unfortunate side effect of having a high-tech, computerized world. There are some documents we just can’t afford to lose. To best protect those documents, such as your website, be sure to keep sufficient backup copies of the site.

We provide a weekly backup for all our clients who have Standard Hosting accounts. Those backups are stored for one week before being replaced with a newer version. With our Security Essentials Hosting plan, we download and store those backups for several months, providing us with several backups to choose from should they ever be needed.

Is an SSL Enough for Security?

One of the best things that any website can do for protection and security is installing a SSL (Secure Sockets Layer) certificate. Although SSL provides great security and protection for the site and users, it is not the final step. While there are any number of steps that can be taken for security, at a minimum, a site should also have a dedicated IP address, consistent WordPress system updates, and regular backups.

Dedicated IP

Having a dedicated IP address provides your business and website a unique identity that won’t get muddied up by another user. In a shared hosting environment, many sites can be using the same IP address. There’s nothing wrong with this, so long as each site ‘plays by the rules’, as they say. If one of those sites is blacklisted (accidentally or otherwise), it can have the same impact on your website. By having a dedicated or unique IP address, only your own website can cause issues for your site, removing that unnecessary vulnerability.

WordPress System Updates

We’ve mentioned before the need for regularly running WordPress updates for themes, plugins, and the core system. These updates should be monitored and run weekly at the very least. By keeping the WordPress system updated, you’ll always be running the latest and most secure version of the software. When these updates show up, some of them are there to address security issues that have been found and the patches are made available. Running the updates is quick and easy to do with just a few clicks of the mouse and about 60 seconds.

Regular Backups

Even by following best practices such as installing a SSL certificate, having a dedicated IP address, and keeping all updates monitored and installed, there is always a risk for problems. When they happen, having access to site backups will make the recovery process much quicker and easier. With most website hosting providers, it’s easy to set up automatic backups. Having access to these backups for at least 4 weeks is usually enough time to be able to provide a safe backup if needed.

At Full Scope Creative, one of our most popular hosting options is our Security Essentials hosting plan. This plan includes a SSL certificate and dedicated IP address, as well as management of all system updates by Full Scope Creative. Furthermore, we make weekly backups of the site and store them for several months. If you want to add this level of security and protection to your site, simply email me at Chris@FullScopeCreative.com and we can begin getting your site set up for secure hosting.

Benefits of SSL

I’ve mentioned before that it’s an unfortunate sign of the times, but today in 2017, having SSL security (Secure Sockets Layer) added to a site is highly recommended. If you accept credit card payments or have a form where the user submits any confidential information (social security number for example), a SSL is required. But even for a more standard, information-based website, having a SSL certificate installed and having the green padlock in the address bar is strongly recommended. There are two main reasons for this – first, Google and second, users.

Google has not been shy in saying that they want the World Wide Web to be fully secure. One reason behind this is that spammers will have a difficult time getting approved for a SSL certificate which would help improve their search results even more. Google has even gone as far already as to provide a slight boost in search engine ranking to sites that are secure and have a SSL certificate installed as opposed to those sites that are running without one. While it’s not a huge boost, any search ranking improvement is helpful.

The second reason – and the main reason as far as I’m concerned – to have a SSL certificate is because most users prefer seeing that the site they are on is secure. It’s easy to tell if a site has security enabled simply by looking at the address bar. If you see a green padlock on the left side of the address bar (like you do on this site you’re reading now), then that site has a SSL certificate installed and working. If you look to the left corner of the address bar and don’t see a green padlock or worse yet, you see a gray triangle with an exclamation point in it, that site either does not have SSL protection installed or it is not working right. Seeing that a site is secure provides a bit of reassurance that you are looking at the site of a legitimate company, a company that is offering the high quality product or service that you need.

For those two reasons alone – increased search engine ranking and improved user experience – the choice to add SSL security to your site should be a no-brainer. Adding one is easy; if you host your website with Full Scope Creative, simply email me and let me know you’d like to add SSL to your website. We will go over pricing options and can get one installed in about a day.

Website Security and SSL

Sadly, turning on the nightly news and hearing about a big data security breach somewhere is becoming more and more commonplace. From things like the Target credit card breach to Yahoo email accounts being hacked, it’s an unfortunate sign of the times. As a business owner, it is your responsibility to make sure that your website is as safe and secure as possible. One of the best things you can do toward that end is to add SSL protection to your website.

It’s fairly easy to know if a site is using SSL (Secure Sockets Layer). If you look to the left side of the address bar and see a green padlock, the site has security measures that have been installed and are currently working. Alternatively, in some browsers (such as Google Chrome), sites without SSL encryption display a gray exclamation mark and a warning that the site is not secure.

Frequently, I get asked by clients if their sites should have SSL encryption. My answer is always the same – YES! If you include online features on your site, such as a shopping cart or job application, you are required to have security encryption. But what about a “regular” website as many clients have (basic information, contact page – a brochure style site)? Are security measures still needed? That question can best be answered with another question: how safe do you feel when you’re on a site and there is a warning that says, “The connection is not secure” in the address bar?

The Full Scope Creative website has SSL enabled and working. We don’t sell anything online, nor do we ask for any personal information (such as a social security number or driver’s license number like someone might for a job application). However, the site is still secured in order to provide site visitors (and me, the site owner) confidence. Our site is protected and everything is being done to keep both the site and its users safe.

If you’re looking to add another level of security for you and your site users, get in touch with us today about adding SSL protection to your website. A SSL certificate can be purchased, set up, and installed in a day or less, providing the peace of mind that comes with knowing that your site is secure.

Why is Domain Name Privacy Important?

When it comes to actions you can take to help prevent identity theft and other cyber security risks, there really is no stone NOT worth turning. One possible risk that is usually overlooked is allowing your personal information to show on a domain name. While it isn’t a huge amount of personal info, it is some, and adding Domain Name Privacy Protection is an easy step to take to combat that risk.

With Domain Name Privacy Protection, your domain name, website, and email will all work just the same. The big difference comes in regarding a WHOIS search. Here’s a definition of a WHOIS search from http://www.webhostingbuzz.com: “WHOIS actually means ‘Who is?’ and reads the same. It’s a useful utility for looking up information on any domain name…. WHOIS search results provide helpful information surrounding a particular domain name. It may include personal or business information about domain name ownership, registration and expiration dates, nameservers, status information, etc. It may also include contact information such as physical address, phone number and email address.”

With Domain Name Privacy Protection, none of your personal contact information, such as your name, phone number and email, will be shown. Without Domain Name Privacy Protection, your name, phone number, and email address will all be listed and available for all to see.

How important does Full Scope Creative think that Domain Name Privacy Protection is? We require it on all domain names that we register and maintain for our clients. Domain Name Privacy Protection through Full Scope Creative is $6.99 per year for any domain name, and domain name registrations start at just $15.99 per year. If your domain name doesn’t have Domain Name Privacy Protection added to it, contact us today and we can transfer your domain name to our registration and set up domain name privacy protection for $22.98 per year: a small price for peace of mind.