Robert Mueller (special counsel investigating Russian interference in the 2016 US election) indicted 13 individuals and 3 companies a few days ago. If you read the summaries of what he’s discovered so far in the course of his investigations you should be having a serious think about your own personal security online.
To summarise the strands of what the Russians allegedly got up to:
They (at least appear) to have:
- Hacked the Democratic Party’s computers
- Hacked a voting tech company
- Hacked Twitter in order to target users in the Defence Department
- Hacked state and local election databases (21 states were affected)
- Hacked computer accounts of Republican lawmakers and GOP organisations
- Created bogus Facebook, Instagram and Twitter accounts in order to post political advertisements and sponsored posts
Additionally, and separately, they appear to have attacked elections in some European countries and former Soviet states.
But this is not all about Russia.
You have the fastest growing cybercrime over the past 18 months: Ransomware. That one seriously affected the NHS in the UK in May 2017.
The insertion of cyber currency mining software into hacked websites is another fast-growing attack vector. The computers of people visiting those websites are infected and then used by the hackers to mine Bitcoins or any of the other crypto currencies
And hackers can find out within an hour when a new website is set up, using a process called Certificate Transparency. So within 1 hour of being set up that site is a target.
I could go on, but you get the point: cybercrime is going through unparalleled growth and its success is helped by the fact that there’s still a huge proportion of the general population who do not appreciate the sophistication of these criminals.
Be safe online checklist
There is something over 20 articles on this site that address website security and security online (they are all filed under the website security category), but for a quick reference I’ve set out below a list of things you should consider in order to make yourself as safe as possible online.
On your computer:
- Install a full-feature Internet Security application (not just an anti-virus)
- Make sure that your software drivers and firmware are up to date
- Make sure Windows updates are set to do so automatically
- If you don’t want Windows to update automatically make sure you establish an important routine to manually process updates once a week (this is critical)
- Don’t click on links in emails from people you don’t know
- Preferably don’t even open emails from people you don’t know (even opening an email is sometimes enough to trigger deployment of the malware load it’s carrying)
- Exercise extreme care when opening files from anyone (even people you do know – they may have been hacked)
- Don’t use coffee shop WIFI for anything that requires you to enter login credentials
- Preferably don’t use coffee shop WIFI at all – create a WIFI hotspot with your phone and use that
- Subscribe to a VPN and use it all the time on all your devices
- Don’t re-use the same password on separate accounts
- Where possible use different usernames on different accounts
- Use a password manager (but don’t set your browser to remember login credentials – they are not stored securely)
- Don’t enter personal or financial information into websites unless they are secure (look for a little green padlock on the left edge of the address bar)
On your WordPress website
Some of these require some technical knowledge – get it if you don’t have it – It’s cheaper than the result of being hacked:
- Change the database prefix from wp_ to something else
- Create a new administrator account using a complicated username and the WordPress generated password, and delete the original admin account
- Restrict Administrator accounts on the site to one
- Use a Content Data Network or a cloud-based Web Application Firewall
- Install a top security plugin
- Don’t use free or cheap hosting
- Don’t give your login credentials to anyone who needs to work on your site. Set them up with their own account and delete it when they’ve finished
- Make sure your website running on HTTPS (not HTTP)
- Check your site each day in order to implement any security patches or updates
- Make sure you have a regular full site backup routine in place
- Store your site backups off line (or on Google Drive, Dropbox or other cloud storage)
- Delete all unused (deactivated) plugins
- Exercise great care when installing new plugins or themes – research them thoroughly before installing them and only install them from trusted sources (many themes and plugins contain malware)
- Check and set file permissions correctly on your server
- Disable the theme and plugin editors
- Ensure the WordPress version is hidden
Don’t relax your vigilance!
Two important messages:
- Implementing all the steps I set out above will not guarantee you won’t be hacked – but it will make you a lot safer
- You can never relax your vigilance: new angles and variations of cybercrime emerge every day and you have to keep your eyes open
Get in touch with us if you have questions on the security of your WordPress installation:
Cheers (and stay safe!),