Yesterday I talked about why people might want to hack into your website to make subtle changes that you might not notice. How do we stop them?
As ever with these things, there’s so much low-hanging fruit out there for hackers that they’ll simply go for the easiest targets. These will be content management systems, such as WordPress. They all use the same well-known URL for their administrative page (e.g. ‘/wp-admin’), so by default all an attacker needs to do is guess a user name and password.
The default (and only) user name when a WordPress site is created is ‘admin’, and it’s amazing how many website design companies just present their client with this. It’s the first thing a hacker is going to try! However, don’t think that changing the user names to real people’s names makes them unguessable. When I look at the logs on my site, the second user name that hackers attempt, after ‘admin’, is ‘chris’. Even automated bots can look at the site and see the page authors. We can all do better than this.
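As an added example (not code from the original post), here is one way to read such login logs and see what the bots are trying. It assumes a constructed, hypothetical line format of ‘timestamp client-IP username OK|FAIL’, roughly what a login-logging plugin might write, and tallies the user names attempted, the source addresses generating failures, and real accounts that attackers have clearly guessed.

```python
import re
from collections import Counter

# Constructed sample lines (hypothetical format: timestamp, client IP,
# username, outcome). Not real traffic.
SAMPLE_LOG = """\
2024-03-01T02:14:05Z 203.0.113.7 admin FAIL
2024-03-01T02:14:06Z 203.0.113.7 admin FAIL
2024-03-01T02:14:07Z 203.0.113.7 chris FAIL
2024-03-01T02:14:08Z 203.0.113.7 chris FAIL
2024-03-01T02:14:09Z 203.0.113.7 administrator FAIL
2024-03-01T09:30:00Z 198.51.100.4 chris OK
2024-03-01T11:02:11Z 192.0.2.9 admin FAIL
2024-03-01T11:02:12Z 192.0.2.9 editor FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, ip, username, succeeded) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            yield ts, ip, user, outcome == "OK"


def failed_usernames(log_text):
    """Failed attempts per user name, so you can see the 'admin', 'chris' list."""
    return Counter(u for _, _, u, ok in parse(log_text) if not ok)


def noisy_sources(log_text, threshold=3):
    """Client IPs with at least `threshold` failures: candidates for rate limiting."""
    fails = Counter(ip for _, ip, _, ok in parse(log_text) if not ok)
    return {ip: n for ip, n in fails.items() if n >= threshold}


def real_accounts_targeted(log_text):
    """User names that exist (a successful login) and also appear in failures:
    the page-author names attackers have harvested from the site."""
    existing = {u for _, _, u, ok in parse(log_text) if ok}
    return sorted(u for u in failed_usernames(log_text) if u in existing)
```

Names in `real_accounts_targeted` are the ones to prioritise for passphrase changes and two-factor authentication.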
Then of course, every user needs a really decent password. We all know the rules on these: long beats complicated, both is even better. Don’t think of passwords, think of passphrases. And if you can stand the irritation, do add two-factor authentication, perhaps through a plugin or other extension to your content management system.
Many other ways exist to hack into a website, but at least ensure the very basics are covered.