Last week Twitter discovered a breach in their system that could have allowed someone to download the passwords of every user of their platform. They sent out a message recommending that everyone change their passwords as a just-in-case measure, while indicating that they didn’t think anyone else had discovered the issue.
There was a lot of grumbling about it; not about the breach itself but about the need to create new passwords. I understand it; I hate changing passwords all the time myself. However, I don’t think my issue is the same as the issue of many others.
This post about the Limit Login Attempts plugin for WordPress blogs was initially written back in 2009. However, at that time I didn’t really talk all that much about how it worked or its settings, nor did I put images on my blog back then.
This is one of those cases where, based on a lot of things I’ve been reading, it’s worth not only republishing the piece but upgrading it, since I’m changing most of the content so it reflects more of what I want to tell you, and the topic is still pertinent to our needs and security.
As stated before, the plugin is called Limit Login Attempts, and its purpose is to dissuade hackers from using their nefarious software to guess their way past our blog’s username and password. I keep coming across more folks who’ve had their blogs hacked, including some of the more famous names, and there are usually two ways their sites get hacked. One is that a hacker’s found a backdoor way in, possibly via old themes you’re not using anymore but never removed from your Appearance tab. The other is that they figure out your username and password by hitting the login page over and over with their bots.
Most of us are too lazy to change our username from admin, or forget to pick something stronger when we first create our blogs; heck, many don’t even know they can do that. I used to be bad at this, but I’ve taken care of both that and my password with my newer blogs. Still, against automated software, you need something stronger to protect your property. That’s why I love this plugin so much.
Obviously, the first thing you have to do is install it via the Install Plugins link. It should pop up pretty quickly, and you should feel pretty safe using it. The one thing that goes against my norm is that it hasn’t been updated in about 5 years, but it’s been downloaded well over a million times and people are still using it. I read some of the latest reviews and it seems that most people love it, but nothing’s ever 100%. The people who are having problems with it, though, either tried to modify it or had already been hacked, which is a totally different issue.
As you see in the image above, the first two things you get are stats you don’t have to do anything with. They tell you how many lockouts the plugin has handed out since you installed it (or since you last reset the counter, which I’ve never done) and how many lockouts are active right now. I have to admit it’s freaky realizing that 34 of these morons are locked out of my account at this very moment; they’re not getting in in their lifetime. 🙂
Before I go any further I need to warn you that whatever settings you choose also apply to you. So you’ll need to feel confident that you know your username and password and can type them correctly, unless you have your browser filling them in automatically, which you probably don’t if you’re logging in away from home. Just so you know, if you lock your silly self out (and you’ll feel pretty silly if it happens), the lockout only applies to the IP address you’re connecting from and it expires on its own, but you can also get back in right away by FTP’ing into your hosting account and deleting (or just renaming) the plugin’s folder under wp-content/plugins, which disables it; once you’re back in your blog, add the plugin again and start over.
The first setting is how many login attempts you’ll allow before it shuts a visitor out for a certain number of minutes. The default is 4, but I’ve made mine 3 for this blog since it’s my most popular. I have it at 4 for my business blog and 5 for all my other blogs because I’ve been known to forget what those passwords are; sigh! lol
The second is how long you want to make people wait before they can try again once they’ve used up the number of attempts you set. The default is 20 minutes, but that didn’t feel strong enough for my tastes. I have mine set at 4,500 minutes, which is 75 hours, or just over 3 days. I figured that was enough to frustrate the normal hacker who’s not all that bright.
The third is how many lockouts you’ll allow before the lockout gets longer, and how long that longer lockout lasts. The default is 4 lockouts and an increase to 24 hours. Since I’d already decided on 75 hours up front, 24 hours would have made it easier for the hackers. Once again I thought that was too generous, so I changed mine to 2 lockouts and 300 hours, which is 12 1/2 days. At this level a bot gets three guesses, waits 75 hours, gets three more and then waits 12 1/2 days; that’s not a bad deterrent I’d say.
This last one is the biggie though. It’s nice of the folks who created it to still give you a chance to have the counters automatically reset after a certain quiet period. Their default was 12 hours; once again that seemed deficient from where I stand. I decided to up the ante and go with 900 hours, which ends up being 37 1/2 days before a reset.
The next two I’ve left at the default settings because, truthfully, I’m not sure what they really mean; even on their page they don’t really explain them, but they recommend we stick to the defaults. From what I can tell, the first asks whether visitors reach your site directly or from behind a reverse proxy, and that one matters: if your host puts a proxy in front of your blog and the plugin isn’t told, every visitor shows up with the proxy’s address, and a lockout meant for one bot can lock out everyone, including you.
The last two are kind of a crapshoot, depending on what kind of information you want to see.
I told mine to log all the IP addresses, and it’s been listing them since I initially added the plugin in 2009. They’re all listed just under the Change Options button, almost 15,000 entries. lol Actually, that’s not quite 15,000 different addresses, because many of them tried multiple times to get in. You get to see all that information, which can be intriguing, but for most of you it’s probably unnecessary.
I also told mine to stop sending me email, which is the default setting. I initially wanted to get email alerts when I first installed it, but after a couple of weeks my stress level was rising and I decided I didn’t want to know. lol After this one, hit the Change Options button to save your settings and you’re good to go!
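Added example (not from the original post, and not the plugin’s own code, which is PHP): a small Python model of the lockout logic as the settings above describe it, with the plugin’s defaults and the numbers chosen here. It lets you check the arithmetic before trusting your own settings. The attempt log, the addresses in it and the lockout-per-address bookkeeping are constructed for this example; it assumes that a locked-out address has its attempts rejected before the password is checked and that the long lockout wipes that address’s counters, which is how the plugin behaves as far as I have seen.

```python
"""Added example: a Python model of the Limit Login Attempts lockout policy.

Not the plugin's own code (that is PHP); this reproduces the behaviour the
settings describe so the numbers in the post can be checked.  All times
are in minutes.  Assumptions: an address that is currently locked out has
its attempts rejected before the password is checked, and the long lockout
clears that address's counters so the cycle starts over afterwards.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Policy:
    allowed_retries: int      # failed attempts before a lockout
    lockout_minutes: int      # length of a normal lockout
    lockouts_to_long: int     # this many lockouts raise the lockout to ...
    long_lockout_hours: int   # ... this many hours
    reset_hours: int          # quiet time after which retries are forgotten


# The plugin's defaults and the settings chosen in the post.
DEFAULT = Policy(allowed_retries=4, lockout_minutes=20, lockouts_to_long=4,
                 long_lockout_hours=24, reset_hours=12)
AUTHOR = Policy(allowed_retries=3, lockout_minutes=4500, lockouts_to_long=2,
                long_lockout_hours=300, reset_hours=900)


@dataclass
class IPState:
    retries: int = 0
    locked_until: int = 0     # attempts before this minute are rejected
    valid_until: int = 0      # the retry count is forgotten after this minute


def record_failure(policy: Policy, st: IPState, now: int) -> str:
    """Apply one failed login from an address at minute `now`.

    Returns "rejected" if the address was already locked out (the password
    was never checked), "failed" for an ordinary wrong guess, or "locked"
    when this guess is the one that triggers a lockout.
    """
    if now < st.locked_until:
        return "rejected"
    st.retries = st.retries + 1 if now < st.valid_until else 1
    st.valid_until = now + policy.reset_hours * 60
    if st.retries % policy.allowed_retries != 0:
        return "failed"
    if st.retries >= policy.allowed_retries * policy.lockouts_to_long:
        st.locked_until = now + policy.long_lockout_hours * 60
        st.retries, st.valid_until = 0, 0   # long lockout: start over after it
    else:
        st.locked_until = now + policy.lockout_minutes
    return "locked"


def simulate(policy: Policy, events: Iterable[Tuple[int, str]]) -> List[str]:
    """Run a time-ordered log of (minute, ip) failures; one IPState per address."""
    states: Dict[str, IPState] = {}
    return [record_failure(policy, states.setdefault(ip, IPState()), minute)
            for minute, ip in events]


def lockout_lengths(policy: Policy, count: int) -> List[int]:
    """Lengths in minutes of the first `count` lockouts collected by a bot on
    one address that resumes guessing the moment each lockout ends."""
    st, now, lengths = IPState(), 0, []
    while len(lengths) < count:
        if record_failure(policy, st, now) == "locked":
            lengths.append(st.locked_until - now)
            now = st.locked_until
        else:
            now += 1
    return lengths


def guesses_that_count(policy: Policy, minutes: int, ip_count: int) -> int:
    """A bot guesses once a minute from each of `ip_count` addresses for
    `minutes` minutes; returns how many guesses reached the password check."""
    states = [IPState() for _ in range(ip_count)]
    return sum(record_failure(policy, st, now) != "rejected"
               for now in range(minutes) for st in states)


if __name__ == "__main__":
    # Constructed attempt log from one address (a documentation-range IP).
    log = [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
           (3, "203.0.113.7"), (4510, "203.0.113.7")]
    print(simulate(AUTHOR, log))
    print("default lockouts (min):", lockout_lengths(DEFAULT, 5))
    print("my lockouts (min):     ", lockout_lengths(AUTHOR, 4))
    # Counters are per address, so more addresses mean proportionally more guesses.
    month = 30 * 24 * 60
    for n in (1, 10):
        print(f"{n:2} address(es): {guesses_that_count(DEFAULT, month, n)} guesses in 30 days")
```

With the settings from this post, `lockout_lengths(AUTHOR, 4)` comes out as 4500, 18000, 4500, 18000 minutes: three guesses, 75 hours off, three guesses, 12 1/2 days off, and then the counters start over. Note also that every counter is kept per IP address, so a bot that spreads its guesses over many addresses gets proportionally more tries; the plugin slows the guessing down, but a strong password is still what actually stops it.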
I feel that I have an extra layer of protection, and that helps me sleep better. You’ll still want to add a backup plugin just in case someone figures out how to get into your blog and you need to restore it, as well as a firewall plugin just in case something’s already on your blog and you want to block the weasels who got it on there from activating it. This one is definitely a must to have if you ask me… so go add it immediately! 😀
By now, almost everyone should have heard about the hacking of the adult cheating site Ashley Madison. Because the hackers decided to release all the information online (actually, I have no idea where they released it because I didn’t care), it’s caused a lot of grief and scandal and a few suicides; come on now, really?
As stupid as it is to join a site like that in today’s world, especially once we hear of all the websites and corporations that have been hacked, what seems even more stupid are the most common passwords used on the site. Those passwords are: 123456, 12345, password, DEFAULT, 123456789. According to Gizmodo, the only one of those five not on the list of the 25 worst passwords of 2014 was ‘DEFAULT’. The password ‘123456789’ was in 6th place on that list; the other two in its top 5 were ‘qwerty’ and ‘12345678’.
Good grief; no wonder so many people seem to get hacked so easily. I mean, I know right now it’s very difficult to stop people who really want to get into your accounts but why make it too easy for them?
Now, I’m not going to act like I’m totally perfect; at least not in the beginning. I never used any of the passwords listed above (thank goodness I wasn’t quite that dumb), but I wasn’t above having very short passwords initially, as well as common names of things that might have been easy to figure out. Then again, back in the day there weren’t as many people hacking into accounts and there weren’t as many sites so we could get away with it.
What made me start changing up my passwords was having my business email account hacked. I never thought about it all that much until I was getting bombarded with email… from myself! lol I’d set up the email account in 2002 and given it a fairly easy password. However, I’d also started using a script on my site that I found online which turned out not to be all that secure.
Thus, I knew a lot of emails were going out in my name, which was painful enough, even after I removed the script. For a few years everything dwindled down and I thought I had it all fixed… until it started up again, this time way more intense than before. It took my hosting company to finally contact me and tell me they believed my account had been hacked for me to realize how stupid I was and to change up all my passwords, making them tougher & harder to break.
On one level that’s perfect; on another… well, I’m betting many of you know the other side. We create tough passwords but if we have a lot of things to get into it makes them difficult to remember. As I sit here right now I know that I only know the username and password for 3 of my 5 blogs, and for maybe 3 or 4 other websites I participate with in some way; that’s it. I’ll admit that I have a file on my computer that has all that information, and for many others I use Keeper, which is on my smartphone and mainly keeps passwords for wifi spots in restaurants I visit often.
We all need to either create very strong passwords or change our passwords at least every 90 days. Some IT authorities believe we should change them every 30 days, and many of you who work in corporate know that’s what you end up having to do.
However, even this might not be enough to keep you from having a bit of grief. I know this because last night I went to GoDaddy to update my subscription for this blog and, even though I’d changed my password a few months ago, I was blocked because apparently there’s someone out there trying to get into my account… probably not me personally but using software trying to get into multiple accounts. Luckily GoDaddy shuts it down after so many attempts, but it seems that changing my password does no good because you can’t change your account number without canceling your account and starting again; nope, I’m not doing that.
Since we can’t attain perfection across the board, I urge you to do something to protect your interests. For me, I’ve gone with harder passwords so I don’t have to constantly change them. When it comes to your blog, many of you might have missed my post about Limit Login Attempts since I wrote it in 2009, or my post on the Top 10 WordPress Plugin Recommendations I wrote here in May, which includes the one above and a couple of others that will help you protect your blog.
Be smart with your passwords and usernames; protect yourself.
All of us have heard these tales of someone finding out that their email or website or blog or whatever has been hacked into by some nefarious rogue (you know, sometimes my language is just so strange!), taken over, and that’s that. Sure, you can recover, but it can be a hassle and a mess.
by Denise Mattox
This idea of security can be taken to extremes. Many folks I talk to seem to worry more about spam than they do about security. Y’all know how I am in making things easy for people to read what I have to say and comment without anything blocking your way, and I expect to continue doing that, even though by the time you read this I might have added the GASP Anti-Spambot plugin.
Anyway, security is a different thing. For the most part there are two things you can do for your WordPress blog to help protect yourself. One I wrote about just over a year ago and it had a lot of comments and reads, but I think I need to bring it back to the forefront again. I wrote about a WordPress plugin called Limit Login Attempts, which will automatically block anyone who tries to get into your account after so many attempts. You can change the settings any way you want to, but it’s a great deterrent against those who might be trying to guess your password over and over.
This came to fruition last Monday when I received an email telling me that someone had been blocked from trying to get into my site. It had to be a bot, I expect. It tried 4 separate times, each 20 minutes apart, which is how I have my settings. After those times, it then blocks the IP address from trying to log in for another 24 hours. It gave me the IP address and the name of the person or bot that tried to get in as well.
No, I didn’t follow it back to see what it came from. My thinking was that it could be a malware site as well; why take that chance? But it proved to me that it worked, and worked well. That was probably one of the smartest moves I’ve ever made.
The other way to protect yourself is to make sure you have a long or complicated password. User names are also recommended by some to be long and complicated, but my brain just can’t handle too many complications. And truthfully, you don’t even have to go for too complicated; long works just as well. Making one or two letters capitalized does wonders. Throwing a number somewhere in there works also. With a WordPress blog, it will tell you as you go along whether the password you’re creating is strong or not. I’m betting some people ignore that, but it’s a smart thing to pay attention to.
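Added example that ties this post and the earlier one about the Ashley Madison passwords together. It is written for this page, not WordPress’s own strength meter (which is JavaScript running in the browser): a stand-alone Python check that refuses the common passwords named above and estimates the brute-force guess space of a password from its length and the character classes it uses, which puts numbers behind “long works just as well”. The 8-character minimum, the 60-bit threshold, the guessing rates and the sample passwords are assumptions made for the example.

```python
"""Added example: a password check modelled on the advice in these posts.

This is not WordPress's strength meter; it is stand-alone Python that
(1) refuses the common passwords the Ashley Madison post names, and
(2) estimates the brute-force guess space of a password from its length
and the character classes it uses, so "long" and "complicated" can be
compared with numbers.  Thresholds and sample rates are assumptions.
"""
import math
import string
from typing import Tuple

# The five most common passwords from the dump as listed in the post, plus
# the two others named from the 2014 top 25; compared case-insensitively.
COMMON_PASSWORDS = {"123456", "12345", "password", "default", "123456789",
                    "qwerty", "12345678"}

MIN_LENGTH = 8      # assumption: anything shorter is rejected outright
MIN_BITS = 60       # assumption: smallest guess space we accept


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that contains `pw`."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 symbols
    return size


def guess_space_bits(pw: str) -> float:
    """log2 of how many strings of this length exist over this charset,
    i.e. the work an attacker faces if the password is truly random."""
    size = charset_size(pw)
    if not pw or size == 0:
        return 0.0
    return len(pw) * math.log2(size)


def years_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Time to try every string in the guess space at the given rate."""
    seconds = 2 ** guess_space_bits(pw) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason).  The blocklist is checked first because a
    common password is weak no matter how many bits it would 'score'."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "it is one of the most common passwords in use"
    if len(pw) < MIN_LENGTH:
        return False, f"it is shorter than {MIN_LENGTH} characters"
    bits = guess_space_bits(pw)
    if bits < MIN_BITS:
        return False, f"only about {bits:.0f} bits of guess space"
    return True, f"about {bits:.0f} bits of guess space"


if __name__ == "__main__":
    # Constructed samples: the dump's worst, a short "complicated" one, and
    # longer plain ones of the kind this post recommends.
    samples = ["123456", "DEFAULT", "Xk9$qLp2", "mitchsblog", "Mitchsblog7",
               "ilovewritingaboutsecurity"]
    for pw in samples:
        ok, why = check_password(pw)
        print(f"{pw!r:30} {'ok ' if ok else 'NO '} {why}")
    # Offline cracking of a leaked fast hash (assumed 1e10 guesses/s) versus
    # guessing through a login form behind a lockout plugin (assumed a few
    # guesses a day, call it 1e-4/s).
    for pw in ("Xk9$qLp2", "ilovewritingaboutsecurity"):
        print(pw, f"offline: {years_to_exhaust(pw, 1e10):.2g} years,",
              f"online: {years_to_exhaust(pw, 1e-4):.2g} years")
```

The point the numbers make: eight characters drawn from every class on the keyboard give about 52 bits, while twenty-five plain lowercase letters give about 117 bits, so the long, typeable one is far harder to brute-force. The estimate assumes the password is random; a phrase built from dictionary words is weaker than its length suggests, which is why the blocklist check runs first.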
That’s it from me for the day; protect yourselves y’all!