Protecting your website admin page

Let’s get a bit geeky today. The life of a web developer these days is way much simpler than ours in the 2000’s, the diehard’s will claim, “we do it from scratch, html, js, php, css” but the reality is we are in the information age and that means we receive more information daily than we can process meaning we need to work smarter.

Word press is a content management system (CMS), it is one among many, others include Joomla.
How WordPress works / helps you. A content management system as the name states is a platform that allows you to easily manage content but most importantly abstract the technical bit from the results. This means that with word press I don’t really have to know “html, js, php, css e.t.c” to be able to output a great site, I simply need a creative eye and a few clicks and I am good.

To launch a site, one browses for a theme template which is a design, colors, nuts and bolts of beauty +++, one loads it and one starts to click edit content and as if one is in an advanced text editor like Microsoft Word, you type out the words of your choice, click insert and add pictures, links, media and finally publish. No need to know complex things, all one needs is basic text editing skills.

Protecting your site against attack.
A saying in the computer world is that if hackers really want you there is a big chance they will get you but that doesn’t necessarily mean you use a bed sheet as your door to your site. A few tips and many will not even get in.

A myth is in believing you can do one thing and hope it will protect you for life or years, this is wrong, security just like medicine involves constant attention to what might be going on but this doesn’t mean one should start looking for news daily but simply follow some rules.

Rules.

  • Always update your CMS software, word press is free but every update contains the previous version weakness but also better protection so always update your CMS Software, for word press, every time you login to the admin login page if there is a new version it will prompt you to update
  • Always update your plugins, plugins in the modern world are things that make your site perform certain tasks for example a sharing plugin puts the latest social network plugins on your site, doesn’t matter if you know twitter, it will add it and that is you being modern but also giving users the latest options
  • Implement captchas, captchas are those pictures that annoy some people, enter xya131 to submit, they are marketed as spam blockers, they prevent “internet robots” from sending you that nasty posting of whatever pill e.t.c. In the case of security, captchas prevent an attacker from running username and password robots against your site. By default word press doesn’t limit how many tries one can execute towards your site so it means with a robot guessing usernames and passwords, one can simply go to sleep and wake up to find your credentials waiting when the password robot is done. Captchas ensure a human being has to try not a robot, in my case I love Google captcha but there are many options
  • Use long passwords, human passwords suck, period, what you need is a long password chunk of gibberish, e.g. qYtVN2cRPC2klad)&, daunting for some but a good password shouldn’t be known off head, to get this, simply use a random password generator, e.g. http://www.kujahapa.com/password-generator.com, copy and save your password.
  • To manage your site, always use your computer or a computer you trust, avoid internet cafes and library computers, you don’t know “who is listening” as you type or paste passwords to login with things like key loggers, if you have to manage your site, use a computer you trust.
  • Avoid free Wi-Fi to manage your site, free Wi-Fi is great but all I would have to do is setup a free Wi-Fi station, wait for people to come login, start accessing as my computer captures all traffic and I will see your password come through and voila with no work I have access to your site’s admin page login
  • Use SSL/TLS if possible, SSL/TLS is a way of ensuring your traffic between your computer and your website or a particular known endpoint is encrypted and the person on the free Wi-Fi cannot see your password contents in case you are on free Wi-Fi.
  • Constantly Audit your site, I discovered various plugins for this task, I settled for Gauntlet Security plugin, you can choose one that works for you, a screen shot of its findings is below, it shows you simple best practices to further secure your site.

Ganutlet

Where does this put you? Having the above ensures an extra step to ensure you protect your website admin page access, it might not be all but it ensures best practice is the little you can do, if a hacker should find a bug in the software and access your site, hard luck but let it not be because you used Iamawesome as your password.

#23rd December 2015, an update to this article, just enabled two factor authentication for my website using mini-orange, http://miniorange.com/2-factor-authentication-for-wordpress, great utility

By: Simon Peter

Ug Rocks!

Find me on twitter, @clarsp

Advertisements

2 thoughts on “Protecting your website admin page

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s