WordPress Security

I attended the Cybermummy 11 conference today and thought it would be a good idea to go to the WordPress session. I like WordPress and always take any given opportunity to learn more. Some (ironic) points about security were mentioned. If you want to check out my parent blog, it’s called Daddacool.

It didn’t start off well when the presenter warned us all off 123-reg for hosting. Whilst this site is hosted with Dataflame, another of our sites, Mummy Reviews, is hosted with 123-reg and, aside from one hacking issue, they’ve been brilliant. Good value for money in terms of bandwidth and storage too.

I did learn something though. Of particular use was the section on plugins, which covered a couple that I will probably use. The first of these is a plugin that allows you to control widgets, i.e. whether they display on all pages/posts or just specific ones. The second was a security plugin that locks you out for a specific time if you get the password wrong a certain number of times, which is useful to stop hackers cracking your password. Unfortunately, due to IT issues(!), we were unable to see this in action as the internet connection went down. Being told about things isn’t a substitute for seeing them.
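To show what the lockout plugin described above actually does behind the scenes, here is a small login-attempt tracker. This is an added example written for this post, not the code of any WordPress plugin: it assumes a failure window and a lockout duration of 15 minutes and a limit of five attempts, all of which are made-up defaults, and it takes an injectable clock so the behaviour can be checked without waiting.

```python
"""Login lockout tracker (added example, not a real WordPress plugin).

A login is keyed (by username, client IP, or both); after `max_attempts`
failures inside `window_seconds` the key is refused for `lockout_seconds`,
even if the correct password is then supplied.
"""
import time
from typing import Callable, Dict, List, Optional


class LoginLockout:
    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 15 * 60,
                 window_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts          # assumed default, not from the talk
        self.lockout_seconds = lockout_seconds    # how long a lockout lasts
        self.window_seconds = window_seconds      # failures older than this are forgotten
        self.clock = clock                        # injectable so tests can fake time
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        """True while the key is inside a lockout; expired lockouts are cleared."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str) -> bool:
        """Record a failed attempt; returns True if this one triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login wipes the failure history for the key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(tracker: LoginLockout, username: str, password: str,
                  check_password: Callable[[str, str], bool],
                  key: Optional[str] = None) -> str:
    """Returns 'ok', 'failed' or 'locked'. Locked keys never reach the password check."""
    key = key or username
    if tracker.is_locked(key):
        return "locked"
    if check_password(username, password):
        tracker.record_success(key)
        return "ok"
    tracker.record_failure(key)
    return "locked" if tracker.is_locked(key) else "failed"


if __name__ == "__main__":
    # Constructed demo: a fake clock and a single test account.
    fake_now = [1000.0]
    tracker = LoginLockout(max_attempts=3, lockout_seconds=60, clock=lambda: fake_now[0])
    accounts = {"editor": "correct-horse-battery"}
    verify = lambda u, p: accounts.get(u) == p

    for pw in ("guess1", "guess2", "guess3"):
        print(pw, "->", attempt_login(tracker, "editor", pw, verify))
    print("right password during lockout ->",
          attempt_login(tracker, "editor", "correct-horse-battery", verify))
    fake_now[0] += 61  # let the lockout expire
    print("right password after lockout ->",
          attempt_login(tracker, "editor", "correct-horse-battery", verify))
```

The `key` parameter matters in practice: locking purely on the username lets anyone who knows the name keep the real user locked out, which is why such plugins usually key on the client IP as well, or on both together.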

We were also told never to use the default username “admin”, as this gives hackers half of your username/password combo for the administrator account. Obviously any theme that shows author details automatically reveals a username, but hopefully not all your users have admin rights.

So it was with a real sense of irony that I realised the demo site the lecturer had set up actually had a password that was criminally easy to guess. So easy that I was able to log on with my iPhone, enable the remote publishing protocol to let the iPhone WordPress app post to the site, and post this:

[Image: wordpress security fail]

This entry was posted in Technology.