There are criminals all over the globe. They have no morals and do not care how many people they harm by their criminal activities. Over the last week 308 attempts were made to inject malicious code into the web site provided by this little all-volunteer public charity, all in hopes of spreading spam bots and other criminal malware.
Protect your web sites against these stupid sociopaths by identifying and blocking brute-force attacks. Use clean, plain HTML if possible, or keep a dynamic version of your site that you maintain offline and publish only a plain HTML copy online.
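As an added example (not the charity's own code), here is a small Python detector for the brute-force pattern referred to above: it reads web-server access-log lines, counts failed WordPress login POSTs per IP address inside a sliding time window, and emits an Apache deny rule for the offenders. The sample log lines, IP addresses, the 5-failures-in-10-minutes threshold and the "HTTP 200 means the login failed, 302 means it succeeded" heuristic are assumptions for the example, not from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/Nginx "combined" log format, in chronological order like a real log.
# 203.0.113.7 hammers the login; 198.51.100.20 mistypes once, then logs in (302); 192.0.2.5 fails slowly.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2024:01:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
192.0.2.5 - - [10/Mar/2024:01:30:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
192.0.2.5 - - [10/Mar/2024:02:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
198.51.100.20 - - [10/Mar/2024:02:13:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
198.51.100.20 - - [10/Mar/2024:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
203.0.113.7 - - [10/Mar/2024:02:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4311 "-" "-"
203.0.113.7 - - [10/Mar/2024:02:15:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
203.0.113.7 - - [10/Mar/2024:02:16:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
192.0.2.5 - - [10/Mar/2024:02:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
192.0.2.5 - - [10/Mar/2024:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # endpoints that accept WordPress credentials

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak failed logins inside one window} for IPs reaching threshold (assumes 200 = failed, 302 = success)."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST" or m["status"] != "200"
                or m["path"].split("?", 1)[0] not in LOGIN_PATHS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:          # slide the window: forget failures that are too old
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def htaccess_deny(ips):
    """Apache 2.4 .htaccess fragment denying the flagged addresses (assumes Apache; adapt for nginx or a firewall)."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>"

if __name__ == "__main__":
    print(htaccess_deny(find_brute_force(SAMPLE_LOG)))
```

The slow attacker at 192.0.2.5 never reaches five failures inside any ten-minute window, so it is not flagged; lowering the threshold or widening the window catches it at the cost of more false positives on legitimate users who mistype.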
Use passwords longer than 12 characters; it doesn’t matter *which* characters you use, because cracking programs try all of them equally. Never use a password that has been used on another site, ever. Change your passwords periodically and don’t reuse old ones.
You can build memorable passwords by choosing a memorable phrase and typing the first letter of each word plus the punctuation. For example, “Mary had a little lamb: its fleece was white as snow” could be used to remember the password “Mhall:ifwwas”, which is very unguessable and long enough to be harder to crack with a rainbow table attack. “HueyDeweyLouie” would be slightly harder to crack (14 characters vs 12; both are at least 12 characters). In the latter case, when pressed for a hint, one could always say “It’s just three characters” and not be lying.
A for-pay password manager such as LastPass greatly improves your security and relieves you of the endless mental anguish of choosing something random enough to satisfy various web sites’ misconceptions about ‘strong’ passwords; it will remember them and type them in for you correctly every time. Yes, LastPass will let you download your list too, just in case. DON’T save any passwords in your browser – EVER!
Avoid user IDs that are common names like Bob or Admin, your own actual name, or any name ever posted on your site or used in email; use random character sequences or unusual names such as “La Beaver Bionic” or “Heir Trusty Tahr”. Well, maybe not those exactly, because they are names of GNU/Linux releases, but “The Bald Wookie” or “Raving Parted Hare” might work.
If more than one person has access to change the web site, assign each a separate login and limit their access to only what their work needs. As soon as you know someone is leaving, change their PASSWORD, not their login: you must block any further access for them, but you might need to log in as them later. Companies, listen to this: don’t just delete their account until you KNOW you have everything you need to get on without them!
For updating your web sites, use GNU/Linux and SSH with an ed25519 key, not a password. Do not use telnet or FTP. Do not let people create accounts on your web site: many WordPress hacks require the attacker simply to be logged in first, after which s/he can get at the rest of your site through further hacks. If you are just publishing, then just publish! Keep all components updated; for WordPress this means all themes and plugins, and WordPress itself. Use child themes rather than editing the distributed themes, and delete all unnecessary plugins and themes.
Use SSL. You can get SSL for free forever: look up the Let’s Encrypt project. Once you have it set up it renews automatically. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). It works from cPanel (use the FleetSSL thing) or from the command line, or you can make the needed certificates via their app for your desktop and install them manually.
Read up on security for your flavor of website and stay up to date. There is much information and it changes often.