HOW TO: Secure Your WordPress Blog

Posted on : 05-05-2010 | By : Benjamin | In : tech


wp-security Scan is a must-use plugin for anybody looking to secure their website. It’ll tell you all the basic WP security settings you do or don’t have enabled.

….

I would also change your ‘admin’ username. Then hackers have to try and guess your username AND password.

Also use the ‘Login LockDown’ and ‘Secure WordPress’ plugins.

Login LockDown adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted.

Secure WordPress automatically changes a few things inside WordPress to make it a little bit more secure.

….

It’s better to strip down the permissions of “admin” and make yourself a new account with full permissions. Then even if hackers manage to get into the “admin” account they can do nothing :) They wasted their time.

….

I’ve also found that the most secure thing you can possibly do is also very simple. After your site is set up, simply change your theme file permissions to 444. They can be read, but they cannot be changed (i.e. hacked by an automated bot).

The ONLY downside is that when you want to modify your theme you need to change the permissions back to 666 temporarily. This is a small price to pay not to get hacked.
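The read-only trick above, as an added example that is not from the original post or its commenters: a small script that locks a theme tree to 444 (files) and 555 (directories, which need the execute bit to be traversed), unlocks it again for editing, and audits which paths are still writable. The theme path and the sample theme it builds are constructed for the demo; the unlock step uses 644 rather than world-writable 666, since the owner's write bit is all an editor needs.

```python
"""Added example (not from the original post or its commenters): lock a
WordPress theme tree read-only as the comment above describes, unlock it
for editing, and audit what is still writable.

Assumption: the theme path passed in (e.g. wp-content/themes/mytheme) is an
ordinary directory on a POSIX filesystem owned by the user running this.
"""
import os
import stat
import tempfile

READ_ONLY_FILE = 0o444   # r--r--r--  what the comment recommends for theme files
READ_ONLY_DIR = 0o555    # r-xr-xr-x  directories need x to be traversed at all
EDIT_FILE = 0o644        # rw-r--r--  owner-writable only; 666 would also let every
                         #            other local user (and a compromised one) write
EDIT_DIR = 0o755

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def set_tree_mode(root, file_mode, dir_mode):
    """Apply file_mode to every regular file and dir_mode to every directory under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, dir_mode)          # listing of dirpath is already done
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):     # never follow symlinks out of the tree
                os.chmod(path, file_mode)


def lock_theme(root):
    set_tree_mode(root, READ_ONLY_FILE, READ_ONLY_DIR)


def unlock_theme(root):
    set_tree_mode(root, EDIT_FILE, EDIT_DIR)


def writable_paths(root):
    """Sorted paths under root with any write bit set (owner, group or other)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if not os.path.islink(path) and os.lstat(path).st_mode & WRITE_BITS:
                found.append(path)
    return sorted(found)


def build_sample_theme(base):
    """Construct a tiny fake theme tree under base (constructed sample, not a real theme)."""
    theme = os.path.join(base, "mytheme")
    os.makedirs(os.path.join(theme, "inc"))
    for rel in ("style.css", "functions.php", os.path.join("inc", "widgets.php")):
        with open(os.path.join(theme, rel), "w") as fh:
            fh.write("<?php // sample file\n")
    return theme


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        theme = build_sample_theme(tmp)
        lock_theme(theme)
        print("writable after lock:  ", writable_paths(theme))
        unlock_theme(theme)
        print("writable after unlock:", len(writable_paths(theme)), "paths")
```

With the files read-only, WordPress's own theme editor and theme auto-updates cannot write either, which is the point: unlock, update, lock again. Note that a bot running as the file owner (for example through a hole in the web application itself, when the web server runs as that same user) can chmod the files back, so this protects against mass exploitation rather than a targeted attacker who already has code execution as that user.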

via HOW TO: Secure Your WordPress Blog.

Some good advice on WordPress security, pulled from the comments on that article.

Guessing Passwords

Posted on : 21-01-2010 | By : Benjamin | In : Uncategorized


Far too many people still use easy-to-guess passwords. Admittedly, keeping track of a different password for every site is difficult, but the one password a person falls back on everywhere should at the very least not be easily guessable!

A lot of people like KeePass (portable) to securely manage their passwords, though I have my own system.

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou…  The list was briefly posted on the Web, and hackers and security researchers downloaded it.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

One commenter also suggested this tool: http://www.pctools.com/guides/password/
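Two points above go together: the WordPress post recommends Login LockDown, which restricts the rate at which failed logins can be retried, and the quote here notes that attackers can fire off thousands of guesses per minute against a small pool of common passwords. The following is an added example, not code from the original post or from the Login LockDown plugin: a sliding-window, per-IP lockout of that kind, run against an attacker working through a list of common passwords. The short password list (the five passwords named above plus filler), the account's real password and the thresholds are all constructed for the demo.

```python
"""Added example (not part of the original post or of the Login LockDown
plugin): a sliding-window failed-login limiter of the kind that plugin
provides, run against an attacker firing a list of common passwords at one
account from one IP address.

Constructed for the demo: the short password list stands in for the RockYou
top-5,000, the account's real password is made up, and the thresholds are
assumptions, not the plugin's actual defaults.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures allowed per IP inside the window
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60

# Constructed stand-in for the top of the RockYou list (first five are from the text).
COMMON_PASSWORDS = ["123456", "12345", "qwerty", "abc123", "princess",
                    "password", "letmein", "monkey"]


class LoginLimiter:
    """Per-source-IP lockout: too many failures inside the window locks that IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock expired: start with a clean slate
            del self.locked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def attempt(self, ip, username, password, now, check):
        """Return 'locked', 'ok' or 'fail'; `check(user, pw)` is the real credential test.

        The lock is consulted before the credentials are checked, so a locked IP
        learns nothing even when it happens to guess right."""
        if self.is_locked(ip, now):
            return "locked"
        if check(username, password):
            self.failures[ip].clear()
            return "ok"
        recent = self.failures[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop failures older than the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
        return "fail"


def simulate_guessing(limiter, guesses, real_password, guesses_per_minute=1000,
                      ip="203.0.113.7", username="admin"):
    """Replay `guesses` from one IP as fast as guesses_per_minute allows.

    Returns (guesses the server actually evaluated, whether the password was
    found, simulated seconds elapsed)."""
    interval = 60.0 / guesses_per_minute
    check = lambda user, pw: user == username and pw == real_password
    now, evaluated = 0.0, 0
    for pw in guesses:
        result = limiter.attempt(ip, username, pw, now, check)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            return evaluated, True, now
        now += interval
    return evaluated, False, now


if __name__ == "__main__":
    # Same attack with and without the limiter; the real password is the 8th guess.
    print("with lockout:   ", simulate_guessing(LoginLimiter(), COMMON_PASSWORDS, "monkey"))
    print("without lockout:", simulate_guessing(LoginLimiter(max_failures=10**9),
                                                COMMON_PASSWORDS, "monkey"))
```

With the limiter, only the first five guesses are ever evaluated and the IP is locked for an hour; without it every guess is checked and the password falls in under half a second. The caveats a practitioner should keep in mind: a per-IP lockout does nothing against an attacker who spreads the same guesses across many source addresses, or who sprays one or two common passwords across many usernames, and it lets anyone behind a shared NAT lock out the legitimate user. It buys time against a single noisy bot; it does not replace a password that is not in the common list.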

TSA: A Poorly Thought-Out Use Case

Posted on : 14-01-2010 | By : Benjamin | In : Uncategorized


Mikey Hicks is 8 years old, was born shortly before 9/11/2001, and is on the terrorist “selectee” list for extra screening whenever he flies. Story: Meet Mikey, 8: U.S. Has Him on Watch List

There are two problems with this type of screening that are well-illustrated in the article.

1) The list’s only criterion for flagging a person is a name match. No other factors are taken into account: not travel history, demographics, or other intelligence. In one case, someone managed to avoid the list simply by changing his name. In effect, this renders the list useless: it produces a very high rate of false positives and can easily be made to produce false negatives.

2) There is no reason this child should have spent eight years, his entire life, on this list without some sort of effective recourse.

It points to our government’s complete lack of interest in designing an intelligent system, or its inability to do so.

My guess is that it is designed this way so that no one actually needs to be trained. A computer flags the kid, and a TSA staff member does the computer’s bidding. There is no apparent place for the TSA agent’s own assessment.

What a poorly thought-out use case.

Targeting Cell Phone For Fraud

Posted on : 14-10-2009 | By : Benjamin | In : Uncategorized


From the New Scientist: The pocket spy: Will your smartphone rat you out?

When Buck looked at my colleague’s iPhone, he found two 4-digit numbers stored in his address book under the names “M” and “V”. A search through his text messages revealed a few from Virgin informing him that a new credit card, ending in a specific number, had just been mailed to him. Buck guessed that “M” and “V” were PIN codes for the Virgin credit card and a Mastercard – and he proved to be correct on both counts.

“Out of context, an individual piece of information such as an SMS is almost meaningless,” says Jones. “But when you have a large volume of information – a person’s diary for the year, his emails, the plans he’s building – and you start to put them together, you can make some interesting discoveries.”

In this way the DiskLabs team also identified my colleague’s wife’s name, her passport number and its expiry date, and that she banks with Barclays. Ironically, Barclays had contacted her regarding fraud on her card and she had texted this to her husband. Buck’s team also discovered my colleague’s email address, his Facebook contacts, and their email addresses.

This article really drives home the point of how important it is to safeguard our digital information wherever it may be stored. I, myself, have received emails from people with account information for various websites. Email, as you may know, is not a secure form of communication.

The lack of security consciousness or even awareness in most people will surely be a source of great trouble as more and more of our personal information becomes readily available. A few facts here and there can put together a clearer picture than we might imagine.
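The examiner's method above is a cross-referencing exercise: odd four-digit “numbers” filed under single initials in the address book, issuer names in the SMS inbox, and card-number fragments leaked by the issuer's own notifications. The following is an added example, not from the original post or the New Scientist article, that automates that triage over a small constructed address book and SMS dump; every name, number and message in it is made up, and the issuer list is an assumption.

```python
"""Added example (not from the original post or the New Scientist article): the
cross-referencing the examiner quoted above did by hand, automated over a
constructed address book and SMS dump. Every name, number and message below is
made up for the demo; the issuer list is an assumption."""
import re
from collections import namedtuple

Contact = namedtuple("Contact", "name number")
Sms = namedtuple("Sms", "sender text")

# Constructed sample data.
CONTACTS = [
    Contact("Alice Example", "+44 7700 900123"),
    Contact("M", "4921"),                    # a four-digit 'number' filed under one letter
    Contact("V", "0378"),
    Contact("Plumber", "+44 7700 900456"),
]
MESSAGES = [
    Sms("Virgin", "Your new credit card ending 4471 has been posted to you."),
    Sms("Mastercard", "Your statement is now available online."),
    Sms("Alice Example", "Barclays rang about fraud on my card, will sort it tomorrow"),
    Sms("+44 7700 900456", "Can do Tuesday"),
]

CARD_ISSUERS = ("virgin", "mastercard", "barclays", "visa")   # assumed issuer names
PIN_LIKE = re.compile(r"^\d{4}$")
CARD_ENDING = re.compile(r"ending(?: in)? (\d{4})", re.IGNORECASE)


def pin_like_contacts(contacts):
    """Contacts filed under one or two characters whose 'number' is just four digits."""
    return [c for c in contacts if len(c.name) <= 2 and PIN_LIKE.match(c.number)]


def issuer_mentions(messages):
    """Map issuer name -> messages that mention it in the sender field or the body."""
    hits = {}
    for m in messages:
        blob = (m.sender + " " + m.text).lower()
        for issuer in CARD_ISSUERS:
            if issuer in blob:
                hits.setdefault(issuer, []).append(m)
    return hits


def card_fragments(messages):
    """(sender, last four digits) for every card-number fragment a message leaks."""
    return [(m.sender, digits) for m in messages for digits in CARD_ENDING.findall(m.text)]


def correlate(contacts, messages):
    """Pair each initial-only PIN-like contact with issuers whose name starts with
    that letter: the leap the examiner made from 'M' and 'V' to Mastercard and Virgin."""
    issuers = issuer_mentions(messages)
    return [(c.name, issuer)
            for c in pin_like_contacts(contacts)
            for issuer in sorted(issuers)
            if issuer.startswith(c.name.lower())]


if __name__ == "__main__":
    for name, issuer in correlate(CONTACTS, MESSAGES):
        print(f"contact {name!r} is probably the PIN for the {issuer} card")
    print("card fragments leaked by SMS:", card_fragments(MESSAGES))
```

None of the individual items is sensitive on its own; it is the join across the two data sets that yields a usable PIN-to-card pairing, which is exactly why a phone, a backup of a phone, or an email account holding the same messages deserves full-disk encryption and a real passcode rather than the assumption that no single record matters.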

Here are some tips for remembering passwords (1, 2 see comments) and some posts about encryption.

Some E-Books Are More Equal Than Others

Posted on : 17-07-2009 | By : Benjamin | In : Uncategorized


But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.

This is ugly for all kinds of reasons. Amazon says that this sort of thing is “rare,” but that it can happen at all is unsettling; we’ve been taught to believe that e-books are, you know, just like books, only better. Already, we’ve learned that they’re not really like books, in that once we’re finished reading them, we can’t resell or even donate them. But now we learn that all sales may not even be final.

As one of my readers noted, it’s like Barnes & Noble sneaking into our homes in the middle of the night, taking some books that we’ve been reading off our nightstands, and leaving us a check on the coffee table.

via Some E-Books Are More Equal Than Others – Pogue’s Posts Blog – NYTimes.com.

What poetic irony that the already purchased books were George Orwell’s “Animal Farm” and “1984”. Could you imagine Microsoft or Apple remoting into your computer and deleting programs? How is this acceptable behavior?

Better Secure Your Wi-Fi

Posted on : 09-07-2009 | By : Benjamin | In : Uncategorized


WEP doesn’t actually keep anyone out. I like MaribelAlligator’s comparison of a WEP key to a home bathroom lock, the one you can open just using a bent paperclip. Everyone knows how to unlock it, but when it’s locked everyone who walks by understands they should stay out. Glenn Fleishman likens WEP to a “No Trespassing” sign—a clear indicator the people inside don’t want the uninvited in, but nothing that will actually keep people out.

The Point: Now You Know How to Better Secure Your Wireless Network

Knowing how to crack WEP keys doesn’t mean you go out and actually break into people’s Wi-Fi networks. It means you’ve seen, firsthand, exactly how crackable WEP keys are. I’ve “known” for years now that WPA is more secure than WEP, but the bridge on my network offered WPA but couldn’t authenticate with it on my old, cheap router. It wasn’t until I wrote the article last week that I got an updated router that did work. That’s the power of seeing something in action you’ve normally got to wade through nefarious blackhat web sites to dial into.

via WEP Cracking Redux: Beyond the Command Line – Security – Lifehacker.

An article that shows just how easy cracking wireless network security, WEP in particular, has become.

Finjan Vital Security- SecureBrowsing

Posted on : 26-06-2009 | By : Benjamin | In : Uncategorized


Interesting new browser plugin for Firefox or Internet Explorer with real-time link and code scanning. It may be a strong competitor for McAfee SiteAdvisor.

SecureBrowsing plugin by Finjan:

Gives you the highest rate of malicious code detection:

  • Scans the current form of a page as it is available on the Web now, in real time.
  • Detects malicious content based on code analysis, rather than using signatures like anti-virus products.
  • Provides the most accurate page safety rating based on the actual page content, rather than database lookup of web address like URL filtering products.

Ensuring your privacy:

  • Doesn’t track each and every URL you visit.
  • Doesn’t require your identification details.
  • Doesn’t install additional programs or change settings of your desktop.

via Finjan Vital Security- SecureBrowsing.
