Last updated: 6 June 2021
Passwords are a terrible way to secure things. If you have a WordPress website, the only thing that protects your account is a username and password. Email accounts are even more vulnerable, as they are only protected by a password. Anyone can try to log in to your accounts, and we are seeing scripts that try to brute-force accounts all the time.
In addition, it is probably fair to say that most people are pretty bad at managing passwords. We like to be able to remember our passwords, but the only way to do so is by (re)using weak passwords, such as Rebecca1984 or Darling123. Passwords like that are easily compromised. In fact, there are various websites such as Kaspersky’s password checker that estimate how long it takes for someone to crack a password (Rebecca1984 takes three minutes and Darling123 takes 20 minutes).
This article covers basic steps you can take to secure your accounts. It won’t protect your accounts against, say, state-sponsored hackers. If the likes of GCHQ are after you then it is pretty much game over. Most attacks, though, are fairly basic. Attackers typically run scripts that try to log in to an account. They often try lots of weak passwords in a very short period of time. In other words, most attackers are after people who use weak passwords, or the “low hanging fruit”. The aim of this guide is to make sure you are not low hanging fruit.
The more complicated a password, the more secure your account is. Using names such as “Rebecca” or “Darling” in your password is a bad idea, as attackers typically try variations of common words: rebecca, Rebecca, rebecca1, Rebecca1 etc. Scripts can fire thousands of passwords at a login page, so it really doesn’t take that long before they have tried Rebecca1984. A password such as, say, lf8@NGRkx>c;DYt~iK is obviously going to be a lot harder to guess!
When you create a password in cPanel you have the option to generate a random password. We recommend creating a password that is at least 12 characters long and contains letters, numbers and symbols.
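To make the advice above concrete, here is an added example (not cPanel's generator and not this provider's code) that does two things: it rejects passwords shaped like Rebecca1984 or Darling123 and enforces the 12-character, letters-plus-digits-plus-symbols rule, and it generates a random password with Python's CSPRNG. The common-word list is a constructed stand-in for the large breach-derived wordlists a real checker would use, and the entropy estimate is the naive one simple strength meters compute, included to show why a shape check is needed on top of it.

```python
import math
import re
import secrets
import string

# Constructed, tiny list of common base words; a real checker would consult a
# large breach-derived wordlist instead.
COMMON_WORDS = {"rebecca", "darling", "password", "welcome", "letmein", "qwerty"}

# Shape of passwords like Rebecca1984 or Darling123: one word, a few digits,
# optionally a symbol or two at the end.
WORD_PLUS_DIGITS = re.compile(r"^([A-Za-z]+)[0-9]{1,4}[^A-Za-z0-9]{0,2}$")


def check_password(pw, min_length=12):
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbols")
    match = WORD_PLUS_DIGITS.match(pw)
    if match and match.group(1).lower() in COMMON_WORDS:
        problems.append("common word followed by digits")
    return problems


def naive_entropy_bits(pw):
    """log2(alphabet size ^ length), counting only the character classes present.

    This is what simple strength meters compute. It overrates passwords built
    from a dictionary word, which is why check_password() also looks at shape.
    """
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def generate_password(length=16):
    """Random password from letters, digits and symbols using the CSPRNG in `secrets`.

    Regenerates until every character class is present, so the result passes
    check_password() with the same length requirement.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, min_length=length):
            return pw


if __name__ == "__main__":
    for candidate in ("Rebecca1984", "Darling123", "lf8@NGRkx>c;DYt~iK", generate_password()):
        verdict = check_password(candidate) or "OK"
        print(f"{candidate!r:24} {naive_entropy_bits(candidate):6.1f} bits  {verdict}")
```

Running it shows Rebecca1984 scoring a respectable-looking 65 bits on the naive meter while still failing three policy checks; the random 18-character password passes everything. The take-away is that length and character classes alone do not catch "word plus year" passwords, which is exactly the pattern the scripts described above try first.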
Image: cPanel’s password generator.
Unless you have an incredible memory you can’t remember every random password you create. To securely store your passwords you can use a password manager. There are lots of password managers, both free and paid-for. We like Bitwarden. It is free, open source and has been audited by independent security researchers. You can run Bitwarden as a desktop application or integrate it into your browser, and you can even host Bitwarden yourself.
Whichever password manager you choose, almost all of them work on the same principle. You create a master password, which you use to unlock the password manager. You can then access all your passwords (and any other data you want to store securely, such as your National Insurance number). Obviously, you do need to pick a master password that is complicated but which you can remember. You might want to use a pass-phrase, such as “My horses like eating straw!” (which, according to the above-mentioned Kaspersky password checker, takes 10000+ centuries to crack).
Multi-factor authentication (better known as two-factor authentication or 2FA) adds an extra layer of security to your accounts. A password, however strong, is just one factor of authentication. There are still various ways via which an attacker can get a password. Someone could get access to your password manager, or perhaps a website where you enter your password is running malicious code that looks for login credentials. Your operating system might have been compromised and have a keystroke logger installed.
The solution is to add another factor of authentication. Your password is something you know, and is factor one. The second factor is typically something you have. That thing can be a so-called OTP code that is generated by an app on your smartphone.
Multi-factor authentication is available for both your hosting control panel (i.e. cPanel or Plesk) and your billing control panel. There are also various WordPress plugins that enable 2FA for your website. This is particularly useful, as WordPress is widely used and therefore a popular target for attackers.
In your WordPress dashboard, select Plugins » Add New and search for “2FA” or “two factor authentication”. There are plenty of 2FA plugins and we can’t make recommendations. Take some time to read the descriptions of plugins that look suitable, and pay attention to both reviews from other users and how actively maintained the plugin is. You don’t want to install a plugin that has bad reviews and hasn’t been updated for over a year!
For this article we are going to install a plugin named Two-Factor. The plugin is free, has been actively maintained for years and users seem to like the plugin. It also has some useful features, such as backup codes (which you can use if you ever lose access to your 2FA app).
Image: Installing a WordPress 2FA plugin.
To install the plugin, simply click the Install Now button. This should take a few seconds, after which the button turns into an Activate button. You can now enable 2FA for individual users via the Users menu.
The plugin can send you an email with an OTP code or you can use an app such as Google Authenticator (the latter option is recommended). Next, you can either scan the QR code shown on the page or manually enter the code that appears below the image in your preferred 2FA app. The app will then start generating OTP codes. To complete the set-up you just need to enter an OTP code in the Authentication Code field.
If you lose your phone you also lose access to your 2FA codes. To avoid being locked out of your own account you can use backup verification codes. These are codes you can enter at any time to get access – you can think of them as an OTP code that never changes. If you store the backup codes somewhere safe (such as a password manager) then you are always able to log in, even if you no longer have access to your 2FA app.
Not all 2FA plugins let you create backup codes, so that is one thing to check when deciding which plugin to use. In the case of the Two-Factor plugin you can get backup codes by clicking the Generate Verification Codes button in the plugin’s settings menu.
Image: generating backup codes.
Clicking the button gives you ten backup codes. Store them somewhere safe!
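The property that makes backup codes safe to keep around is that each one works exactly once and the site never stores them in the clear. The following added example (not the Two-Factor plugin's implementation) shows the server side of that: ten random codes are generated, shown once, and only salted hashes plus a used flag are kept; redeeming a code consumes it. The alphabet and code length are my assumptions, chosen so codes copied by hand are not misread.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/l/I so codes copied by hand are not misread. 31 symbols,
# so an 8-character code carries about 40 bits of entropy.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 20_000


def _normalise(code):
    """Accept the code however the user typed it: case, spaces and dashes do not matter."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash_code(code, salt):
    # Codes are stored hashed, like passwords, so a leaked database does not yield
    # working codes. A modest PBKDF2 cost is enough because the codes are already random.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def generate_backup_codes(count=10, length=8):
    """Return (codes_to_show_once, records_to_store).

    The plaintext codes are shown to the user exactly once; only the salted hashes
    and a used flag are kept server-side.
    """
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        codes.append(code)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return codes, records


def redeem_backup_code(records, submitted):
    """Consume one unused code. True once per code; False for unknown or already-used codes."""
    candidate = _normalise(submitted)
    for record in records:
        if record["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, record["salt"]), record["hash"]):
            record["used"] = True
            return True
    return False


def remaining_backup_codes(records):
    """How many codes are still unused; warn the user and regenerate when this gets low."""
    return sum(1 for record in records if not record["used"])


if __name__ == "__main__":
    codes, records = generate_backup_codes()
    print("Store these somewhere safe; they will not be shown again:")
    for i in range(0, len(codes), 2):
        print("  ", "  ".join(codes[i:i + 2]))
    print("redeem first code:", redeem_backup_code(records, codes[0].upper()))
    print("redeem it again:  ", redeem_backup_code(records, codes[0]))
    print("remaining:", remaining_backup_codes(records))
```

Because the codes are single-use, the plugin's advice to keep them in a password manager is the right one: you want a copy that survives losing the phone, but you also want to know how many are left, since a code you have already used is worthless the next time you are locked out.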
You don’t have to use a multi-factor authentication app on your phone. There are various desktop applications and browser plugins you can use instead. For instance, in the below screenshot I use a browser plugin called Authenticator. The plugin is freely available for Chrome, Firefox, and Microsoft Edge.
Image: the Authenticator browser plugin.
So far we have only talked about things you can do to secure your accounts. You might wonder what we do to secure your accounts. There are lots of things we do, and we have obtained an ISO 27001 Information Security Certificate to prove it.
All our servers monitor traffic for suspicious behaviour, including failed email and WordPress logins. When there are a number of failed logins in a short period of time, the IP address from which the logins come is blocked. That does mean that we occasionally block someone who simply entered their login details incorrectly a number of times, but it does stop a very large number of attacks.
We are fairly strict when it comes to reducing attack vectors as well. For instance, we don’t allow SSH and remote database access on our shared hosting plans, and for other packages we put everything behind a VPN. Of course, we also look after our infrastructure. Our servers are patched regularly and we use multi-factor authentication everywhere.
And of course we make sure that multi-factor authentication can be used for all our hosting control panels as well as our billing control panel. We hope that you will make use of it!