A Note On Blog Security

As you know, I recently fixed up my blog after it had been hacked, a job that took quite a few hours. As part of doing that I installed a new WordPress plugin called Wordfence. As its name suggests, it fences off aspects of access to the blog: it logs login attempts and blocks the sources of suspicious ones, which is how I came by the numbers below.

A week after installing this there is something important that I have discovered, and I think anyone running a blog might find it interesting.

Default Usernames Are Evil

As you’re probably aware, one of the standard recommendations for blog security is not to use the default username, admin. Because it’s a known default, hackers write their bots to try that account name first. Yes, you also have a password, but if you’re using admin as the username the hackers already have half of what they need, and if the password is weak as well, brute-forcing the other half becomes trivial.

But what you might not know, and what I discovered, is that the hackers will also try the nickname you post under. In the last week there have been over 160 attempts to access this blog using Stropp, from the United Arab Emirates by the look of it. That is two and a half times the number of attempts on admin. The hackers have also tried the name of the blog, both with and without the .com.

So. Tip of the day: make sure the login name for your blog is one that isn’t used by or on your blog, and set your public display name to something different. One caveat: WordPress builds the author-archive URL slug (the one /?author=1 redirects to) from the login name, so unless that is changed or the archive is blocked, a hidden login name is a hurdle rather than a secret. Treat it as one layer, with a strong password and a login lockout behind it.

This Goes For Games Too

I also use this principle for games. When I create a new account, I choose an account name that doesn’t match any of the character names I use in game.

That way, if someone sees me in a game, they can’t attempt a login using that character name.

There are a couple of games that use the login name as the character name, which is a little insecure, but in that case…

Use Strong Passwords

Depending on the login system, the strength of your password plays a big part in the security of your account. Login systems that allow only three attempts before locking the account tend to put the kibosh on brute-force attacks. Once again, the WordPress plugin system comes to the rescue: there are blog security plugins that lock out an IP address after three failed attempts. Two caveats are worth knowing. A bot with many IP addresses gets a fresh counter from each one, so an IP lockout slows an attack rather than stopping it. And a lockout applied to the account instead of the source IP lets an attacker lock you out of your own blog simply by entering wrong passwords on purpose, which is why locking the IP is the better design. Just be sure you remember your own password!
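To make the two ideas concrete, here is an added example that is not code from the original post or from Wordfence. It tallies failed login attempts per username from a log, as described under Default Usernames Are Evil, then flags which of those names could be read straight off the blog, and it simulates the three-strikes IP lockout just described. The log format, the sample records, the blog name “exampleblog” and the real login name “blogowner42” are all assumptions made for the example; the RFC 5737 documentation addresses are not real attackers.

```python
"""Login-attempt tally and three-strikes IP lockout for a WordPress blog.

Added example, not code from the original post or from Wordfence.  The log
format below is assumed for the example; a real plugin or web server log will
differ in layout but carry the same fields (time, client IP, username, result).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per POST to wp-login.php,
# "<ISO timestamp> <client IP> <username tried> <fail|ok>".  The IPs are
# RFC 5737 documentation addresses, "exampleblog" stands in for the blog's
# name, and "blogowner42" is the assumed real login name that appears nowhere
# on the blog.
SAMPLE_LOG = """\
2014-03-01T10:00:01 198.51.100.7 admin fail
2014-03-01T10:00:03 198.51.100.7 admin fail
2014-03-01T10:00:05 198.51.100.7 Stropp fail
2014-03-01T10:00:07 198.51.100.7 Stropp fail
2014-03-01T10:00:09 198.51.100.7 Stropp fail
2014-03-01T10:00:11 198.51.100.7 exampleblog fail
2014-03-01T10:00:13 198.51.100.7 exampleblog.com fail
2014-03-01T10:05:00 203.0.113.9 Stropp fail
2014-03-01T10:05:02 203.0.113.9 Stropp fail
2014-03-01T11:30:00 192.0.2.44 blogowner42 fail
2014-03-01T11:30:20 192.0.2.44 blogowner42 ok
"""


def parse_log(text):
    """Turn the log text into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def attempts_by_username(events):
    """Failed logins per username tried: the tally the post describes."""
    return Counter(user for _, _, user, ok in events if not ok)


def guessable_names(display_name, blog_name):
    """Names an attacker can read straight off the blog and will try as logins."""
    blog = blog_name.lower()
    return {display_name.lower(), blog, blog + ".com", "admin", "administrator"}


def exposed_usernames(events, display_name, blog_name):
    """Failed-attempt counts restricted to names visible on the blog itself.
    A login name that is absent from this dict is one the bots did not guess."""
    guess = guessable_names(display_name, blog_name)
    return {u: n for u, n in attempts_by_username(events).items()
            if u.lower() in guess}


def apply_lockout(events, max_failures=3, window=timedelta(minutes=15)):
    """Simulate a three-strikes plugin: once an IP has max_failures failed logins
    inside `window`, every further attempt from it is refused (without even
    checking the password) until the window expires.  Returns the per-attempt
    decisions and a map of locked IP -> lock expiry."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    locked = {}                    # ip -> datetime the lock expires
    decisions = []
    for ts, ip, user, ok in sorted(events):
        if ip in locked and ts < locked[ip]:
            decisions.append((ts, ip, user, "blocked"))
            continue
        # Forget failures that fell outside the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t < window]
        if ok:
            failures[ip].clear()
            decisions.append((ts, ip, user, "ok"))
            continue
        failures[ip].append(ts)
        decisions.append((ts, ip, user, "fail"))
        if len(failures[ip]) >= max_failures:
            locked[ip] = ts + window
            failures[ip].clear()
    return decisions, locked


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("attempts per username:", dict(attempts_by_username(events)))
    print("names readable off the blog that were tried:",
          exposed_usernames(events, "Stropp", "exampleblog"))
    decisions, locked = apply_lockout(events)
    print("blocked attempts:", sum(1 for d in decisions if d[3] == "blocked"))
    print("locked IPs:", {ip: t.isoformat() for ip, t in locked.items()})
```

Running it shows the pattern from the post: the display name draws more attempts than admin, the blog name is tried with and without .com, and the assumed real login name is never guessed. The lockout stops the first bot after its third failure, but the second source, with only two failures, is never locked, which is the limit of per-IP counting against a bot that spreads its attempts across addresses.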

Barring that, strong passwords of at least 10 characters mixing upper and lower case, numbers and punctuation make a lot of difference. Here’s another tip: good passwords can be hard to remember, whereas a phrase is easier. Using “The Blue Goose Flies At Midnight!” not only ups the character count but adds spaces, case changes and punctuation as well. Swapping some letters for numbers makes it tougher still, though the common substitutions (a to 4, e to 3) are in every cracking tool’s rule set, so it is the length of the phrase that does most of the work.

Final Words

Unfortunately WordPress doesn’t allow you to change a username once it is created. If you’ve already created an admin user, create a new administrator account with a username that appears nowhere on the blog, give it whatever nick/display name you want, log in as that user, and delete the old admin account; when you delete it, WordPress offers to attribute its posts to another user, so pick the new one and nothing is lost.

I thoroughly recommend you check your blog now and make security changes where necessary. It’ll save you hours of messing about later.

3 Comments

  1. Missy

    Good post, shared! I only have the free version of WP so I can’t have any plugins 🙁 It’s scary to think it’s so “easy” for them, with having half of the job done for them already.

    1. Stropp (Post author)

      Thanks!

      That’s one of the disadvantages of using the wordpress.com service, you lose a lot of control over what you can do with your blog. Of course, you do get a free hosting service, so there’s that tradeoff.

      You should still be able to set up a different admin user though, so you can still take some steps to improve your security. And of course, a super strong password is always a good idea.

  2. Ysharros

    I’m happy with wordpress.com but I don’t require anything particularly fancy for my blog and I don’t mind being limited in terms of customisation. Glad you got it sorted though.
