Tag: security

  • WordPress.com Two Step Authentication

    If you’re using WordPress.com, or Jetpack with your WordPress.com account, protect yourself by setting up WordPress Two Step Authentication.

    In fact, you should use Two Step Authentication (also known as Two Factor Authentication) for every website that supports it, especially your social media accounts, your Gmail account, financial websites like your bank, and any other website where losing control of your account would be a disaster.

    Here’s how it works:

    1. You set up your WordPress.com account using a strong password or passphrase.
    2. You tell WordPress.com about another device you control (usually your smartphone), and use that device to receive a second authentication code.
    3. You enter this second code after you enter your user name and password.

    It’s this second step of entering the second code that dramatically increases the security of your login. It turns out that passwords are pretty easy to guess, especially if you use a computer to help guess them. This is called a “brute force” attack. Because the additional, second code is generated right when you need it, and isn’t saved, there’s no way to guess the code. Also, you presumably control your smartphone, and that’s not something that a hacker on the other side of the planet has easy access to, either.

    If you’re using your smartphone as an authentication device — and that’s really the best choice, because you probably carry it with you everywhere — you’ll want to secure your smartphone, too. At the very least, set up a password on your phone, and use Touch ID or Face ID to unlock your phone. If you want to secure your smartphone to the highest degree possible, use only a password to unlock it (not Touch ID or Face ID) and use the longest password you can stand to type in each time you unlock your phone. Also, set up your phone to automatically erase itself if there are too many attempts to unlock it unsuccessfully.

    So, your smartphone is secure and you want to use Two Step Authentication. Here’s what you do:

    • Install the Google Authenticator app (Apple or Android). If you can’t install or run the Google Authenticator app, you can still use SMS (texts) to receive authentication codes, but this option is not as secure.
    • Install the WordPress app (Apple or Android). Once Two-Step Authentication is set up, you can also use the WordPress app to authenticate, without having to type in an additional code.
    • Visit the Two Step Authentication settings page for your WordPress.com account. Note that you may need to log in to your WordPress.com account to view this page.

    Set up Two-Step Authentication

    Once you’ve opened the Two Step Authentication settings page you can set it up using Google Authenticator:

    1. Click Two-Step Authentication, then [Get Started].
    2. Select your Country Code and enter your Phone Number for the mobile device you want to use to authenticate your account.
    3. Click Verify via App (or, if you can’t use Google Authenticator, click Verify via SMS and follow the instructions below for SMS authentication).
    4. Open the Google Authenticator app on your phone.
    5. Tap the “+” symbol and then tap Scan barcode.
    6. Use the barcode scanner to scan the QR code that WordPress.com displays. If this works, Google Authenticator displays a new six-digit code for WordPress.com.
    7. Enter the six-digit code on WordPress.com and click Enable.

    Now, WordPress.com will display a list of backup codes and ask you to print them. I prefer to copy them and paste them into the Notes field of my password manager. Either way, save your backup codes! You’ll need them if anything happens to your phone.

    Click [All Finished] after you’ve printed your backup codes, or pasted them into your password manager.

    Backup Codes

    If for any reason you didn’t save your backup codes in your password manager, or print them out, it’s not too late!

    On the Two Step Authentication settings page, scroll down and click [Generate New Backup Codes], then print the codes or save them in your password manager.

    Copy one of the backup codes and paste it into the Type a Backup Code field. Click [Verify].

    Use SMS Codes

    If you can’t use the Google Authenticator app or another app like Authy, you can use SMS (text) authentication instead. When you’re setting up Two-Step Authentication, click Verify via SMS instead of Verify via App. You won’t see the QR code appear. Instead, WordPress.com will ask you to Enter the code you receive via SMS. Once you’ve typed or pasted the code into this field, click [Enable] and follow the same steps (above) to save your backup codes.

    What’s the difference with SMS codes?

    The biggest risk with using SMS codes instead of an authenticator app (like Google Authenticator) is that SMS (text) messages aren’t encrypted. This means someone could possibly steal your authentication codes when they are sent to your phone. This is highly unlikely, but not impossible. It’s also possible for someone to SIM-swap your phone number to redirect your texts to another device. Again, this isn’t common, but it’s not impossible. To prevent SIM swapping, ask your mobile provider to add a PIN to your account.

    Also, your mobile provider might block these authentication text messages, because they come from automated systems. If this is the case, you can call your mobile provider’s support line and ask them to allow these types of messages (don’t forget to set up that PIN, too).

    Finally, even if your SMS messages aren’t hacked, it can take some time to get the authorization code via SMS. The authenticator apps, on the other hand, display the codes as soon as you open the app. There’s no delay.

    Using Two Step Authentication

    Once you’ve set it up, using Two Step Authentication to log in to WordPress.com is the same as before, except for one new step: after you type in your username and password and click Sign In, you’ll be asked to enter the Verification Code, and click Log In. Enter the code you retrieve from your authenticator app, or SMS, depending on which option you selected when you set up Two Step Authentication.

    Remember to click the Remember Me checkbox so you won’t have to re-enter a new authentication code every time you log in. But, keep in mind, only the browser you’re using will remember you. If you switch to another browser, or to another device, you’ll have to re-enter a new authentication code.

    More Information

    From WordPress.com Support:

    • Two Step Authentication: includes screen shots and also instructions on how to switch to a different device, if you lose your smartphone (or get a new one).
    • Selecting a Strong Password: excellent ideas on how to select and maintain unique, hard-to-crack passwords for all your web accounts.
  • Why Your Website Needs a Security Certificate

    When visitors come to your website, do they see a reassuring green padlock icon telling them that your site is Secure? Not only is this reassuring to visitors to your site, it’s reassuring to search engines like Google. This means if your website is not marked as secure, Google and other search engines will punish your site in their search results.

    In this article from the Google Webmaster Central Blog, HTTPS as a ranking signal (published on Aug. 6, 2014!), Google explains the importance of using a Security Certificate to signal to visitors and search engines that your site is secure:

    [W]e’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.

    What does this mean? Basically this: Google has determined that websites that use Security Certificates are more reliable and deliver better search results than websites that don’t use a Security Certificate.

    Why is that? Partly, it’s because it takes a little time and a little effort (and some money) to add a Security Certificate to your website. And who’s not going to make that effort? Spammers, and any kind of fly-by-night operation that wants to whip up a website quickly to make a fast buck. Do you want Google to lump your site in with these jokers?

    How Do Security Certificates Work?

    Website Security Certificates, also known as SSL Certificates (or, more accurately, TLS Certificates), make it possible for web browsers to connect to your web server over a secure, encrypted connection, using a protocol called HTTPS.

    Maybe you figured that secure connection was already happening? Unless you see that little padlock icon in your browser’s address bar, the site you’re visiting isn’t using HTTPS, but instead regular old HTTP. This means that all the communication between your browser and the web server is completely visible to anyone who wants to spy on you. Sending information between your browser and a web server using HTTPS is like sending a letter in one of those Tyvek Priority Mail envelopes that you can’t open without a knife or a chainsaw. Regular old HTTP communication is just like sending your messages on a postcard: anyone can read what you’re sending if they bother to look at it.

    But who would want to spy on you? Well, most hackers aren’t after you in particular, but just looking for ways to steal information as easily as possible. If you’ve ever connected to a website in a coffee shop or an airport over Wifi, using an insecure HTTP connection, it means that anyone else on that network can snoop in and view everything you’re sending back and forth between your browser and the web server, things like passwords and credit card numbers.

    When you have a Security Certificate set up correctly on your website, all the network traffic between your browser and the web server is encrypted, and can’t be decoded except by your browser and the web server you’re connected to. This means that no one can eavesdrop, steal passwords, or create a fake website that looks like the one you want, but is just a trap set up to steal passwords (phishing).

    You Need A Certificate for WordPress

    If your website runs on WordPress, you absolutely need a Security Certificate. If you ever want to log into your site and add or update a post, you want to do so over a secure connection using HTTPS. If your connection isn’t secure — maybe you want to make that update while you’re traveling, or in your favorite coffee shop — anyone can grab your username and password and then log into your WordPress site to make any changes they want, using your account credentials.

    You Need a Certificate Before Your Site Is the Last One In Your Industry that Doesn’t Have One

    It’s already been several years since Google announced that they would rank sites with HTTPS better than those without. If your site doesn’t use HTTPS, and your competitors’ sites do, that might be why they are getting more traffic than you. Also, when visitors come to your site and see it’s not secure, where all of your competitors display that green padlock icon, whose site will they choose? And you certainly don’t want your site to be hacked or defaced because someone was able to steal your username and password when you logged in to update a blog post. Protect your site and protect your search engine ranking: add an SSL certificate to your site today!

    Cadent offers Security Certificates for all of our Hosting Packages. Since we specialize in WordPress hosting, we want your site to stay safe and secure. Plus, HTTPS will improve your site’s performance and reduce download times. Contact us if you’d like us to install a Security Certificate on your Cadent-hosted WordPress site, or if you’d like to move your hosting to our dedicated high performance WordPress servers.