In his “Three the Easy Way” presentation at today’s WordSesh, Jason Cosper spoke about what can happen when you use open wifi and how to make your WordPress site more secure.
Here are my notes from his talk.
Like many of us, one of Jason’s friends went to a local coffee house and used the free wifi. She checked email, posted to Facebook, shared updates on Twitter, and posted an update to her WordPress site.
A couple of days later, she logged into Google to check her site and found hidden spam buried in the site’s files. Her website had been hacked.
She had kept her theme and plugins up to date, and the server software was fully patched. It still took Jason three days of work to clean out the hacked files. Yikes!
Open Wifi Isn’t Secure
On open wifi, it’s easy to sniff the traffic crossing the network. Anything sent without encryption can be read by anyone else on the same network: session cookies, login credentials, the content of what you post. It’s an issue many people don’t think about.
Secure Sockets Layer (SSL) solves this, but it can be a pain to set up. You need to buy an SSL certificate for your domain, install it on your host, and tell WordPress to use it (the FORCE_SSL_ADMIN constant in wp-config.php forces the login page and the admin area over HTTPS, so your session cookie is never sent in the clear).
And you need to remember to renew the certificate before it expires.
So what do you do?
Three Steps to Make Your Site More Secure
- Get a VPN (Virtual Private Network)
  - A VPN encrypts your Internet traffic between your device and the VPN provider, so nobody on the coffee-shop network can read your account details, passwords or session cookies.
  - On a Mac, get Cloak. It’s affordable and easy to use, and it works on your iPhone as well. You can mark trusted wifi networks (your home or office, for example), and Cloak secures your connection automatically on any other network, so you don’t have to remember to turn it on.
  - On a PC, try TunnelBear. It has a simple interface and a free tier of 500 MB of traffic. Unlike Cloak, you have to remember to turn it on and off, which is a problem the day you forget.
- Enable two-factor authentication
  - Enable it on your site (it’s not that hard!). The Google Authenticator and Clef plugins are two options to consider.
  - Google Authenticator is available for iPhone, Android and BlackBerry. Once it’s set up, you need both your password and the six-digit verification code from the app to log in. The code is a time-based one-time password that changes every 30 seconds, so a code someone sniffs is only good for a brief window.
  - Clef adds a button to your login page. After installing the Clef app on your phone, you authenticate with your phone instead of typing a code; Clef uses RSA public-key cryptography, and you can also log out of your site from the app.
- Audit all the actions on your website
  - Keep a trail of what happens on your site: logins, changed files, and so on.
  - Jason recommends the Sucuri Security plugin for this. It logs events such as user logins and file modifications, and it can also run a basic malware scan. Note that the log entries are stored on Sucuri’s servers, which may be a concern for some users.
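To show what the second step actually checks, here is an added example (my own code, written for these notes; not from Jason’s talk and not the Google Authenticator or Clef plugin’s code) of the time-based one-time password scheme Google Authenticator implements: RFC 6238 TOTP built on RFC 4226 HOTP, verified together with the password, with a one-step clock-skew window and replay protection. The username, password, salt and secret are constructed demo values; the secret is the RFC reference key, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key ("12345678901234567890"),
# base32-encoded the way authenticator apps expect it. An assumption of this example,
# not any real user's key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    pad = "=" * (-len(secret_b32) % 8)          # tolerate secrets shown without padding
    key = base64.b32decode(secret_b32.upper() + pad)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the step (30 s for Google Authenticator)."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: float, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the counter the submitted code matched, or None.

    `window` accepts codes one step either side of the server clock (phone clocks drift).
    `last_counter` is the counter of the last code that succeeded: any counter at or below
    it is rejected, so a code sniffed on open wifi cannot be replayed even inside its window.
    """
    submitted = submitted.replace(" ", "")      # apps display codes as "287 082"
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; PBKDF2 is used here because it is in the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def demo_users() -> dict:
    """Constructed in-memory user record standing in for the site's user table (assumption)."""
    salt = b"constructed-per-user-salt"
    return {
        "alice": {
            "salt": salt,
            "pw_hash": hash_password("correct horse battery staple", salt),
            "totp_secret": DEMO_SECRET_B32,
            "last_counter": -1,
        }
    }


def login(users: dict, username: str, password: str, code: str, at_time: float) -> bool:
    """Both factors must pass. The code is only consumed (last_counter advanced) on success."""
    user = users.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    counter = verify_totp(user["totp_secret"], code, at_time, last_counter=user["last_counter"])
    if counter is None:
        return False
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    import time
    db = demo_users()
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)            # what the phone app would display right now
    print("code:", code, "first login:", login(db, "alice", "correct horse battery staple", code, now))
    print("same code again:", login(db, "alice", "correct horse battery staple", code, now))
```

The phone and the server share only the base32 secret, exchanged once via the QR code at setup; after that nothing secret crosses the network. A code is accepted for 30 seconds plus the skew window, and only once, so even a code captured on open wifi is worth very little to the person who captured it.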
During the Q&A, Jason recommended that attendees follow the @WPVuln Twitter account, which announces vulnerabilities in plugins. If one of your plugins is listed, check whether there’s an update. If there isn’t, disable the plugin and remove it: disabling alone isn’t enough, because the plugin’s files stay on the server and may still be reachable. Then look for an alternative plugin.
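Back to the third step, auditing changed files. Here is an added example (my own code, not the Sucuri plugin’s and not from the talk) of a file-integrity baseline of the kind that would have found the spam files in the story in minutes rather than days: hash every file right after a clean install or update, keep the manifest somewhere the web server cannot write to, and diff against it on a schedule. The small site tree and the tampering are constructed inline so the script runs offline; the rule that flags PHP files under wp-content/uploads and dotfiles is a common indicator, not a definition of “hacked”.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large uploads do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=("wp-content/cache",)) -> dict:
    """Map every file under root (site-relative POSIX path) to its SHA-256.

    `excludes` lists directories whose churn is expected (page caches); uploads are
    deliberately NOT excluded, because that is where droppers tend to be planted.
    """
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                          # deterministic walk order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if any(rel == ex or rel.startswith(ex + "/") for ex in excludes):
                continue
            baseline[rel] = sha256_file(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Which paths appeared, vanished, or changed content since the baseline was taken."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def flag_suspicious(changes: dict) -> list:
    """Heuristic triage: executable code where only media belongs, or hidden files."""
    flagged = []
    for rel in changes["added"] + changes["modified"]:
        name = rel.rsplit("/", 1)[-1]
        is_php = rel.endswith((".php", ".phtml"))
        if (is_php and rel.startswith("wp-content/uploads/")) or name.startswith("."):
            flagged.append(rel)
    return flagged


def demo() -> tuple:
    """Constructed mini site: baseline it, then tamper with it the way the story describes."""
    site = Path(tempfile.mkdtemp(prefix="wpsite-"))
    files = {                                    # constructed placeholder contents
        "wp-config.php": "<?php define('DB_NAME', 'demo'); ?>\n",
        "wp-content/themes/twentythirteen/footer.php": "<?php wp_footer(); ?>\n",
        "wp-content/plugins/akismet/akismet.php": "<?php /* plugin code */ ?>\n",
        "wp-content/uploads/2013/photo.jpg": "not really a jpeg\n",
        "wp-content/cache/page.html": "cached page\n",
    }
    for rel, body in files.items():
        p = site / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    baseline = build_baseline(site)             # in real use: store this copy off the server

    # Tampering: hidden spam appended to the theme footer, a hidden PHP file dropped into
    # uploads, and normal cache churn that must NOT show up as a change.
    with (site / "wp-content/themes/twentythirteen/footer.php").open("a") as f:
        f.write('<div style="display:none">spam links</div>\n')
    (site / "wp-content/uploads/2013/.cache.php").write_text("<?php /* constructed placeholder */ ?>\n")
    (site / "wp-content/cache/page.html").write_text("regenerated cache\n")

    changes = diff_baseline(baseline, build_baseline(site))
    return changes, flag_suspicious(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    print("needs a look first:", flagged)
```

The baseline only proves anything if an attacker who can write to the site cannot also rewrite it, so keep the manifest (or the whole check) outside the web root and ideally on another machine; that is the same reason the Sucuri plugin keeps its logs off the server. Expected churn (caches, uploads of real media) is handled by the exclude list and by reviewing “added” entries rather than alerting on every one.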
Jason graciously posted his presentation slides on Slideshare.