Admin is about the most common and is the most guessable username if you want to hack into a website.
It’s the first one any cyber criminal will try. So make it a difficult one to guess, like your password!
Have you got children? Yes? DON'T use their first name followed by their date of birth as a password! Or your parent’s either, or worse still yours! A name followed by a date of birth is one of the most common password configurations, after ‘12345’ and ‘password’.
If you’re on Facebook the chances are a determined hacker can figure out from your postings what your password might be from personal information like this, so don’t make it obvious. If you must use something easily guessable add some punctuation to it like an exclamation mark ! or a # like !mypassword! This is harder to guess and currently very difficult for programs made by hackers to get into as these are programmatically characters, for the moment special characters foobar them, but you can’t be too careful, like your username make it as hard to guess as you can.
Don’t have your login link visible on your website it’s an invitation to hackers. It’s like putting your company’s safe in the front garden and advertising the fact. It might be really robust and secure, but when people drive by they will be thinking ‘now how do I get into there?’ and some hacker might just get through. Better safe than sorry!
Don’t have one account for everyone to use to update the website! If you have a team of people updating your site, and one member needs to be dismissed or suspended you will need to stop their access to the backend to prevent them sabotaging your online reputation. They may not of course go rogue and start adding inappropriate text, images or god forbid videos to the website, or delete pages and posts, but prevention is better than cure. If you had one account for everyone you would need to change the password and let everyone know, which is a bit of a pain, especially if that's a lot of people. So have one account for each, then you only have to suspend or cancel that one account, which is best practice in such circumstances.
If you are a developer, and you want the website you are building to be solid and updateable and always work as you intend. Do not change the code in any core Wordpress or Drupal file (apart from config files). If you change that code you might make it less secure or an update will overwrite your code changes rendering the site unusable or breaking site functionality. This also extends to plugins and modules. A good CMS plugin or module should have a simple way of doing what you want (what is called an API) to make such changes unnecessary.
So, in a nutshell, it’s a bit like when your phone, laptop or tablet asks for updates to be run. You’ve heard in the news where people have viruses or people being able to hack into their devices? Having good virus protection is a must but making sure you run those updates when your smartphone asks you to is a robust way to prevent your bank account getting hacked into via your an out of date app or operating system, it could break all together. To Keep your devices running smoothly and securely you need to keep up with those hackers and allowing your software to update is the best way to prevent disaster.
Your programs or apps need updating, imagine these are your modules (for Drupal) / plugins (for WordPress) and the operating system OSX or Windows 8 being your CMS platform like Drupal or WordPress. They all need to be kept up to date to continue to run smoothly together, just like your computer.
Do you remember the Panama Papers a few months back? It was all because the security hadn’t been kept up to date on a number of WordPress and Drupal websites.
Spam attack - “but I don’t even like spam!” You really won’t like it if it starts coming from your website.
Online forms are great for catching data and getting newsletter signups but if you don’t run those updates they can get hijacked and send out masses of spam emails, potentially coming from your email address and certainly coming via your mail server’s IP address. This can mean your mail server will get blacklisted, disabling your email and if your website is on shared hosting your service provider may stop your website as a precaution to prevent further damage to its other customers and reputation. In this event if you have a backup you can reinstate it from that, but your website will need to be secure first.
Your worse case scenario is having to rebuild your website from scratch and your email being inaccessible for a time which could be disastrous for any business, especially web based ones.
A popular misconception is that only large well known company websites get hacked. The truth is any of them can. Drupalgeddon for example compromised all Drupal sites prior to version 7.32 and Zero Day affected all WordPress sites from 4.2 and previous versions.
So there are two types of website attack. The one most people think of is when big companies get targeted by hackers manually targeting sites. The most common and the least well known seems to be where we mentioned above where there is a lack of security updates being run and vulnerabilities being exposed with time.
In a recent LinkedIn conversation I had with Tony Addison CEO of Free Rein
“We had a meeting with the National Crime Agency a while back and they suggest that it is somewhere between 90-95% of web developers don't understand security.”
This suggests there is a great lack of awareness even by developers on website security.
Don’t think you’re saving time by not carrying out updates. We have had the dubious task of taking on many crippled Drupal and WordPress websites, some of which had to be rebuilt from scratch because they were so out of date as many of the modules / plugins stopped working or were no longer supported or work with current versions of the CMS platforms they were on.
So don’t get caught out, either run these or get us to take the worry away - See polyspiral.com/websitesecurity for help with your website.
To non website developers this might be a new concept and a bit alien. I’ll use the computer analogy again. So if you bought a new Windows 10 PC and thought you might like to change the operating system a bit, then found your computer didn’t work any more and the security updates didn’t run because you broke that bit. You would find your computer to get slower and more buggy, less secure and eventually just plain break, probably right after it had been hacked by ransomware, a virus or your bank account details got stolen by someone getting in by a backdoor you inadvertently left open. Microsoft doesn’t allow you to do this anyway, their code isn’t opensource. Drupal and WordPress are opensource and fall under the GPU Licence, which means you can add and modify the code and it will still be owned by the public and more importantly the client.
I have taken on many a Drupal site that has had it’s core rewritten, this is known as hacking core and it’s like one of the ten commandments for any good website developer NOT to do ‘Thou shalt not hack the core’.
The beauty of Drupal and WordPress is that they are well supported (as long as the core is intact) so that you know where everything is and how to properly update and change it. If you take on a website that has had it’s core tampered with and you can usually find out when something breaks in that give away fashion when it shouldn’t, usually when the security updates fail to run smoothly, then you’re never going to know in the thousands of lines of code among the hundreds of files what’s been changed. A hacked core Drupal or WordPress website usually means having to rebuild it cleans it of any bugs or security holes. If you keep running a site whose core has been hacked, you will be in the situation as mentioned above in the security updates section, you website will eventually be compromised, potentially damaging your business.
Keep that CMS core safe, add modules / plugins get a developer to change things safely and properly.
Member since: 31st July 2014
Graphic designer and website developer since 2000.
Specialist in WordPress and Drupal.