There have been a lot of stories lately about fake accounts, hacking, viruses and all kinds of nasty things going on with social networks. Add the fact that both Twitter and Facebook have recently introduced full-time SSL, and it’s time to get yourself secure online.
If you aren’t familiar with Twitter you can check out my old article here – Why Twitter is SO Popular. I’m pretty sure you all know what Facebook is, the majority of you have a Google account, and the self-hosted bloggers out there use WordPress.
I’ve tweeted a few tips lately about online security habits and practices, and quite a few people seemed interested, so I thought I may as well blog about it in more detail.
First up, make sure you have a strong AND unique password for each service. Don’t use the same password for everything, especially for important accounts like Facebook and Google; use totally different passwords for forums and sites that have a greater chance of being hacked.
You can generate strong passwords here – http://strongpasswordgenerator.com/
They don’t necessarily have to be hard to remember either; you can always take a phrase, convert it into l33t-sp34k and add some special characters. For example ‘I like cookies’ can become:
Which would be considered a very good password.
As a general rule, always use https:// for any site that requires a login. Some of these services allow you to force it all the time, and all sites that deal with financial information WILL force it anyway, but you can always type it in yourself to ensure your session is protected.
Facebook recently introduced full-time SSL, but for some reason they don’t turn it on by default, so for the majority of people it passed by unnoticed.
To turn it on you need to go to the Account Settings page, then under Account Security click ‘change’ and you should see this:
Tick the box next to “Browse Facebook on a secure connection (https) whenever possible” and it’ll ensure you’re always using an SSL-encrypted session. This is especially important for users that surf Facebook on public Wi-Fi spots.
You can also monitor Login notifications & Your recognised devices on this page – make sure there’s nothing fishy in there. I suggest you set email notification whenever a new location or device is added.
Some people will also have the option of two-factor authentication if you’ve added a mobile device: every time you log in from an unknown location you’ll receive an SMS with an authentication code. That’s the theory anyway; how well it works with Malaysian telcos is another issue entirely.
On Twitter, just tick the box next to “Always use HTTPS”. That’s the only option they have in relation to security right now, but then Twitter doesn’t really store any personal data or anything important so it doesn’t have to be super secure. It’s only really a risk in terms of identity theft.
Now Google, since they store a LOT more of your information, has a whole host of security options to keep your account safe – so many, in fact, that it can be quite bewildering.
IMHO the best place to start is at the extremely comprehensive Gmail Security Checklist. This will really help you measure the security level of your Google account and get you up to scratch.
If you value your Google account as much as I do (which is likely) – turn on 2-step verification and read this – Getting started with 2-step verification.
The awesome part of this for me is the application- or device-specific passwords, and the fact that you can revoke them. That means if you have your Google accounts/e-mail set up on your smartphone (very likely) and for some reason you lost your phone or it got stolen, you can revoke the password for that device and everything on it will instantly stop working!
For signing in through the browser or supported applications you’ll need to use the 2-step verification application; there are apps for iPhone, Android and BlackBerry devices, so there’s no excuse not to use it.
You can also set Gmail/Google to always use https; do so here (link for Gmail) under Settings – General.
WordPress, being a web application, is a much more complex beast; I could write multiple posts just about that, but I’ll try to cover a few basics to make your WordPress install more secure.
- The #1 most important is: ALWAYS MAKE SURE YOUR WORDPRESS IS UP TO DATE!
- The second after that would be to ensure all plugins are always up to date.
- The third would be to try and use a safe theme; if you code your own, check it for XSS vulnerabilities, especially in the search form.
- Don’t use the main admin account; create another account with Editor privileges and use that for publishing stuff (less likely to get caught out by XSS etc.).
- Use a strong password.
There are some plugins that can help you too, I recommend:
Others worth a look are:
- BulletProof Security
- Login Lockdown
- Remove WP version everywhere (or just do it manually in the theme)
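To make two of the points above concrete (the search-form XSS check and removing the WordPress version), here is an added example for a theme’s functions.php; it is not code from the original post, and the function name `my_theme_search_form` is an assumed name for illustration.

```php
<?php
// Added example, not from the original post. Two theme-level checks that go
// with the advice above. Drop it into your theme's functions.php.

// 1. A search form that echoes the raw query string straight into the value
//    attribute is a reflected XSS hole: whatever arrives in ?s= is rendered
//    as HTML. The UNSAFE pattern to look for in your own theme is:
//
//        <input type="text" name="s" value="<?php echo $_GET['s']; ... " />

// 2. The safe pattern, as used by the bundled WordPress themes:
//    get_search_query() returns the current search term already escaped for
//    attribute use, and esc_attr() encodes <, >, ", ' and & (without
//    double-encoding), so the value can only ever be rendered as text.
function my_theme_search_form() {   // assumed name for this example
    ?>
    <form role="search" method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
        <label for="s">Search</label>
        <input type="text" id="s" name="s"
               value="<?php echo esc_attr( get_search_query() ); ?>" />
        <input type="submit" value="Search" />
    </form>
    <?php
}

// 3. Removing the WordPress version from every page. Core prints
//    <meta name="generator" content="WordPress x.y" /> through the
//    wp_generator callback hooked to wp_head; unhooking it in functions.php
//    does manually what the "Remove WP version" plugin does for you.
remove_action( 'wp_head', 'wp_generator' );
```

Removing the generator tag only hides the version from casual readers of the page source; it is no substitute for the first rule above, keeping WordPress itself up to date.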
There are some more in-depth guides here:
That’s all folks 🙂