- Keeping your secrets secret
- Choosing and using good passwords
- Logging out to prevent public access to your Dashboard
- Safely sharing control of your site with other users
- Using a secure connection to log in to WordPress.com
- Augment your password with an extra layer of authentication
Your sites are well-protected on WordPress.com. We monitor potentially harmful activity to ensure there is no unauthorized access to your content. To help keep your sites secure there are a few things you can do to protect your data.
Keeping your secrets secret
The weakest link in the security of anything you do online is your password. It’s the key to your blog, your email, your social networking accounts or any other online service you use. If your password is easy to guess, your online identity is vulnerable.
All it takes is one person to guess your password and they can delete every post you ever made. They could deface your site. They could read you emails or hijack your address and impersonate you. They could ruin what you have taken time to build.
Choosing and using good passwords
Every password you use has to be easy to remember and hard to guess. A random set of numbers and characters make for a hard-to-guess password, but they’re also hard to remember. On the other hand, you’ll probably never forget your birthdate or the name of your first pet, but these make for very bad passwords, as they are increasingly easy to guess or find out.
On WordPress.com, you can use very long password with any combination of letters, numbers, and special characters, so the security of your password – and by extension, of your blog – is really up to you.
To choose a memorable password that will be hard to guess, come up with a word or two that are not in any dictionary, yet are easy to pronounce. It’s easier to remember a pronounceable word then a string of random characters. Then, mix in some numbers, capital letters, or special characters.
You can also use passphrases – whole sentences, such as quotes or favorite song lyrics. Passphrases are harder to guess yet easier to remember. They take longer to type, but are considered more secure, especially if you pepper them with some random numbers and special characters.
However, even if you manage to think of a good password, it will only be as secure as the number of sites you use it on. If you always use the same password on every site you sign up for, the chances of your password getting compromised are greatly increased.
Instead of trying to keep track of dozens of passwords in your head or in unsecured text documents on your desktop, use password management software. They will lock all your information down behind one single password. If you only have to remember one password, you can make it as random and as hard to guess as you want.
These are some the password managers we use for our own passwords:
- Keepass – Open Source, free to download and use. Available for Windows, Mac and Linux.
- LastPass – Free service with premium option. Available for all major OSs, browsers and mobile devices.
- 1Password – Paid download. Available for Windows, Mac and iOS, with support for all major browsers.
Logging out to prevent public access to your Dashboard
You can protect your account by logging out when you are finished working. This is especially important when you are working on a shared or public computer. If you don’t log out, someone may be able to access your account just by viewing the browser history and going back to your WordPress.com Dashboard.
To log out of your WordPress.com account, select My Account → Log Out from the gray toolbar at the top of any WordPress.com page.
Make sure you log out when you’re are done editing!
Safely sharing control of your site with other users
WordPress.com provides a rich multi-user platform. While each site has only one owner, you can have as many users as you want – this is ideal for group blogs with multiple authors, for magazine-style sites with an editorial workflow, or for any other large site where you want to share some of the administrative load.
However, sharing the load also means sharing the responsibilities. That’s why on WordPress.com, you can set different Roles for each user you add to your site. Roles determine a user’s access level.
The most limited role, Contributor, can only write draft posts, but can’t publish them. Users with an Author role can publish posts and upload images, but can’t touch other users posts. Editors can not only edit or publish any user’s posts, they can also moderate comments and manage categories and tags. Finally, the Administrator role has full control of the site – they can even delete it.
When adding users, try to find the role that best describes what you want them to do on your site. If you’re setting up an account for a user that only plans to contribute a few posts, make them a contributor. Reserve the Author and Editor roles for trusted users that have a long-term commitment to your site.
Finally, be particularly stingy with the Administrator role. When you make another user an Administrator on your site, you’re literally creating a separate set of keys for your site and handing them to someone else. Not only will they be able to take your site for a joyride, just having an extra set of keys laying around significantly increases the risk of your site being hijacked.
In fact, we suggest you avoid the Administrator role entirely. In almost all cases, the Editor role would be a better choice.
Using a secure connection to log in to WordPress.com
When you sign in to WordPress.com via a public Internet connection, such as a Wi-Fi connection at a library or a coffee shop, your account may be vulnerable to hijacking.
To keep the bad guys out, you can use a secure, encrypted connection to connect to your Dashboard. Under Users → Personal Settings, check the box that says “Always use HTTPS when visiting administration pages, and click Save Changes.
When you log out and log back in, you’ll be using a secure, encrypted connection, and on one will be able to decipher your communications with the Dashboard. Note however that this may cause the Dashboard to feel a little slower.
To learn more about this options, see the HTTPS support page.
Augment your password with an extra layer of authentication
With Two Step Authentication, you can use any iOS, Android, Blackberry, or SMS-capable mobile device as a unique key to your blog. After you sign up for the service, you will need to enter a specially generated one-time code whenever you try to log in to your blog. This means that even if someone gets your password, they won’t be able to log in without possessing your mobile device as well.
You can learn more about this service in the Two Step Authentication support page.