Podcast Episode

253 – Annual Security Checkup

Announcements

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Clef 2FA is two-factor authentication that people actually like to use: strong authentication without passwords or tokens; single sign-on/off across your sites; a smooth user experience.

Annual Security Checkup

As I get ready to travel again for our company meetup, it’s a good time to look at how we keep our online identities, and the computers and phones we carry, secure.

Password Protect Your Computer

  • Require a password when logging in
  • Require it again when waking from sleep or the screen saver
  • A login password only stops a casual snoop at the coffee shop. If the laptop itself is stolen, the data on it is only safe if the disk is encrypted (FileVault on macOS, BitLocker on Windows), so turn that on as well

Password Protect Your Phone

  • Keeps anyone who picks it up from seeing your personal information
  • Keeps pranksters from changing settings on your phone
  • Makes the phone less attractive to steal, since it cannot be used without the passcode
  • Use the six-digit (or longer, alphanumeric) passcode rather than a four-digit PIN; Touch ID makes a long passcode painless day to day

Turn on Find My iPhone on Mobile Devices

This lets you locate a lost device and remotely wipe it if it is lost or stolen. Turn it on before you travel, and keep backups on so a wiped device can be restored in an afternoon.

Use 1Password or LastPass

  • A password manager ‘remembers’ long, random passwords for you, so you never have to
  • Generate a different password for every site, so a breach at one service does not unlock the others
  • Use at least 24 characters with numbers, mixed-case letters, and symbols (some sites cap the length lower; use the longest they accept)
  • Turn on two-factor authentication everywhere it is offered; https://twofactorauth.org lists which sites support it
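A worked illustration of the password bullets above, added here and not from the podcast or from 1Password or LastPass: it generates a 24-character password from the CSPRNG in Python’s standard library, checks the four-character-class policy, and estimates how many bits of entropy a given length buys and roughly how long an offline brute-force attack would take. The symbol set and the guess rate of 10^12 per second are assumptions, and the estimate only holds for uniformly random passwords, which is exactly what a password manager generates and a human does not.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"          # assumed symbol set; sites differ on what they allow
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 26 + 26 + 10 + 23 = 85 characters


def meets_policy(password: str, min_length: int = 24) -> bool:
    """True if the password is at least min_length long and uses all four character classes."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    long_enough = len(password) >= min_length
    return long_enough and all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 24) -> str:
    """Draw a uniformly random password with the secrets CSPRNG (never random.choice),
    redrawing until it satisfies the policy so every class is present."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet:
    each character contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected time for an offline attacker who holds the hash and can test
    guesses_per_second candidates (assumed rate). On average the password is found
    after half the keyspace has been tried."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, meets_policy(pw))
    for n in (8, 12, 16, 24):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"~{expected_years_to_crack(entropy_bits(n)):.3g} years at 1e12 guesses/s")
```

The interesting number is the slope: every extra character multiplies the attacker’s work by the alphabet size, which is why 8 characters falls in minutes at this rate and 24 is out of reach. Site-imposed length caps (the 20- and 8-character limits mentioned in the episode) cut straight into those bits, so take the longest the site will accept.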

Use Clef to Log into your WordPress self-hosted sites

Clef is a slick way to log into multiple sites without typing 2FA codes: you hold your phone’s camera up to the animated pattern on the login page and the Clef app authenticates you. Once you are logged in to Clef, you are logged into all of your Clef-enabled sites for the number of hours you specify.

Walking away from your computer? Tap the button in the app once and you are logged out of all of your sites at the same time.

Call To Action

  • Make sure every online password is unique and 24+ characters long
  • Set up Two Factor Authentication EVERYWHERE it is supported, including your own WordPress sites
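The six-digit codes that authenticator apps such as Authy produce are almost always TOTP (RFC 6238): an HMAC over the current 30-second time step, truncated to six digits. The example below is added here and is not from the podcast or from any of the products mentioned. It implements HOTP/TOTP with Python’s standard library and a server-side verifier that tolerates one step of clock drift and rejects a replayed code; the shared secret is the RFC 6238 test key, and the step size, drift window and base32 secret format (what an otpauth:// enrollment QR code carries) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); real secrets are random bytes.
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app scans from an otpauth:// QR code."""
    padded = encoded + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)                # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of step-second intervals since the epoch."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Server-side check: accept codes from the current step or +/- window neighbouring
    steps (clock drift), but never accept a counter at or below one already used."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1            # highest counter already redeemed

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        matched = None
        for drift in range(-self.window, self.window + 1):
            candidate = base + drift
            # compare_digest: constant-time, so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                matched = candidate
        if matched is None or matched <= self.last_counter:
            return False                  # wrong code, too much drift, or a replay
        self.last_counter = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    v = TotpVerifier(RFC_SECRET)
    print("accepted:", v.verify(totp(RFC_SECRET, now), now))
    print("replayed:", v.verify(totp(RFC_SECRET, now), now))
```

Two things the podcast’s description glosses over follow directly from the code: the code depends only on the secret and the clock, so anyone who copies the secret (or the QR code) can generate your codes forever, and a code that was just used must be rejected even though it is still “valid” for the rest of the 30-second step.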

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode, we are going to talk about a few things we can do to make sure that we are keeping ourselves secure online.

Hello, everybody. Welcome back to another episode of Your Website Engineer Podcast. My name is Dustin and I am here today and we are gonna be talking security. Security for our online profiles, for our WordPress website. But let’s go ahead and dive into the news and get into the Plugin section before we jump right into the security checkup.

So there’s two pieces of news in the WordPress announcement space, and the first one is Jetpack 3.7.2 came out within the last week or so, and it patches two security vulnerabilities, and it fixes a few other things. It’s got the Google+ logo on sharing buttons, added some custom capabilities for module management for multisite install, and it also fixed a bug that was sending the Contact Form Response field in the wrong order, so it was getting things a little bit on the mixed up side. Those are some things that came in Jetpack. If you see that update inside your WordPress dashboard, go ahead and click that update button, and make sure that you’re running the latest and greatest version of that.

Another thing that came out, and this is when it comes to WordPress 4.4 which we’re expecting to see towards the end of this year – probably in December we’ll see that next major release of WordPress – and one of the things is they’re actually closing a ticket that was open four years ago. And this ticket is, it’s going to remove the View Post button. Remember when you publish a post or a page, then right underneath the title there’s the permalink section, and then it has an Edit button, it has a View Post, and it has a Get Shortlink button. Those are all right there next to that permalink button – or next to the permalink itself. And they’re actually going to go ahead and remove some of that stuff. They’re gonna remove the View Post button, and so that gets rid of a button, and then if you want to, you can click right on the permalink. The permalink is going to be hyperlinked; instead of having a button, you can just click on the permalink.

So it’s just making the dashboard a little bit cleaner, so that’s something to look forward to in WordPress 4.4. There’s a lot of other things that are coming, but this is just a simple UI thing that’s going to remove a button and just add better functionality for that permalink. So the Edit button’s still there if you need to edit and change that permalink, but that’s what’s getting set up in WordPress 4.4, so I thought you might be interested in that.

Is There A Plugin For That? Section today is, there is a plugin that we’re gonna talk about, it’s gonna come a little later in the show, but I wanted to highlight it in this part of the show. It’s called Cleft, or Clef, C-L-E-F, and it’s at wordpress.org/plugins/wpclef. And it is a secure two-factor authentication that people love to use. It’s a strong authentication without passwords or tokens, and you don’t need a password anymore for your WordPress site. You can single sign-on and off, and it’s pretty much a magical user experience. And we’ll talk a little bit more about how you can use this in a few minutes here as we roll through this show.

So today, what I wanted to do is, I just wanted to spend some time talking about an annual security checkup. And I’m calling this annual because the last episode I did on security type things for our WordPress sites and whatnot, that was back all the way, Episode No. 200 which was released on October 1st. And that was just a little over a year ago, and so I thought this would be a good time to talk a little bit about this. And this actually comes at a really good time for me as well, as I’m getting ready to do an – we’re having an all-company meetup. The whole company of Automattic is getting together in Park City here soon, and we are gonna all be traveling there.

And some of this stuff is really important – especially if we’re traveling, if our computers are out, if our computers get lost or stolen or something like that. Some of these precautions that we’re gonna talk about today are going to help us set up more secure ways so that people can’t hack into our stuff and get into our bank accounts and all that kind of stuff. So we’re just gonna talk through some different things. Within our company we had, within our team, we had a little security checkup ourselves to make sure that we were being as secure as absolutely possible with all of our security things. And so I just wanted to kind of highlight some of those things today, talk about them a little bit, and then make sure that you are using the latest and greatest, and you’re keeping everything safe and secure.

So let’s go ahead and just dive right into this checklist and this checkup. So the first one is, password-protect your computer. You want to make sure, especially, especially, especially when you are out and about, that you have a password that’s protecting your computer; both the log-in and when you wake up from sleep. These are two big things because, say for example, you’re in a coffee shop, you go to the bathroom, somebody steals your computer, and it’s unlocked, they can get access to everything, virtually everything that’s on your computer as long as there’s no password on there. So you wanna make sure that you’re password-protecting your computer.

And you may say, “Dustin, I’m always at home, I never leave the house. Why do I need to password-protect my computer?” And it’s just a good security practice; it gets you in that habit of typing a password every time that you come to your computer, which is a super good idea. But also, if your computer gets stolen or something like that, from your house, your hotel, places along those lines, you wanna make sure that it’s hard for people to access your data once they’ve stolen your computer and taken it. So I know that 99 percent of the time I’m at home, 99 percent of the time there’s no need for a password, there’s nothing on my computer that I’m keeping safe and secure from the rest of my family. It’s just the fact that I’m just making it harder for people to hack in and get into my stuff that’s on my computer.

So another thing you wanna do – so you are password-protecting your computer, we’re also password-protecting our phone. I know that with the new iPhones there’s some really sweet technology that it makes it really simple to have a password on there. You wanna make sure that you’re using the new default which is the six-digit PIN. On our iPhones we can actually use a longer PIN number as well, or even some alphanumeric characters as well, to make it really long. I know I have the iPhone 6s and it unlocks so fast with the Touch ID that I don’t even think it’s really working. I know it is because I’ve done it sometimes with my fingers that I haven’t set up as the Touch ID fingers – I normally just use my thumbs – but if I press it with my first finger it’s like: nope, that’s not the correct finger.

It works magically well, it is so super fast. So it helps to keep people away from personal information, especially if you’re going through security and you leave it at security or something like that; people can’t get into your phone. There are so many different things. If you leave it on your desk while you’re at work, it’s gonna keep troublemakers out, they’re not gonna be able to reach your photos or set up wallpaper that’s goofy or change your password or things like that.

So that’s a good thing to do for just basic security. And if it is setting – you forget it in the lunchroom or something like that and there’s a password on it, it’s less likely that somebody’s actually going to steal it and really keep it. Because I know for iOS, there’s no way to unlock a phone once it has a password; the phone is pretty much worthless unless it can be authenticated. So that’s another thing you want to do, we want to make sure that we have passwords on our phones.

And if you’re using an Apple device, either an iPad or an iPhone, you wanna make sure that you turn on Find My iPhone on mobile devices. You might actually be able to do this on your computer as well, the Find My iPhone or find my device, and you just wanna make sure that you’ve got that ability set up to remotely wipe. I know especially with the phone or an iPad, those things are super easy to set up, and as long as you have backups turned on on those, you can wipe those and reset them up in an afternoon; it’s not a huge, huge deal. So if somebody does get hold of your device, you wanna make sure you wipe it so they don’t have access to your content.

Another thing that we wanna do, and this is super urgent, is to use 1Password or LastPass or some sort of management software to manage all of your passwords. LastPass is a free online solution that works well with – they’ve got different apps for your phones and whatnot. And 1Password is a “pay for”, Mac only – I guess it’s Mac and Windows, but it basically helps you to remember passwords, it helps you generate passwords, it helps you to easily log in without having to know your passwords.

And so I use this and make sure that none of my passwords are ever the same. I go in and actually do an audit myself every Friday; I spend a few minutes on Friday trying to change the oldest ten passwords in my password book, basically is what I do. And it’s more along the lines of precautionary for me; making sure that, in case there was some sort of breach that those companies didn’t let me know of, then I’m randomly changing my password, and I’ll get through all of my passwords within a year’s time.

So every year, my passwords get reset and it makes it more difficult and whatnot. I always use 24 characters, combinations of upper-case, lower-case, symbols, numbers, all those good things; and it really depends on what type of service it is. Sometimes there are only 20 characters or sometimes there are only eight, and you’re like: uh, I don’t really believe that this is actually right. I’d rather have something that’s a lot bigger, I like to have a lot more. I like to have just a lot of characters in my password – just 24 is the number that I picked – and it helps to really keep my account secure.

Now I’m looking up, I’ve got this tab open on my website and I have no idea if this is actually correct or not. I put in a 24 character password containing lower-case, upper-case, numbers, and symbols; and it says that with the 24 characters, it will take 99 million, trillion, trillion years to crack that password. So I don’t know if that’s correct or not; I’m like, does that even make sense? 99 million, trillion, trillion years; that seems like an awful lot. But as I take down characters – so if I go from 24 to 23, then it’s down to one million, trillion, trillion years. And then if I go down, it’s down to 200 trillion, trillion years. And then it’s 19 trillion, trillion years.

And so it just continues to go down. If you go all the way down to, let’s say, eight characters – eight characters, it says, will take eleven centuries. Seven characters will take 51 years. Six characters will do seven months. And then, as you get down to five characters or less, it’s really, really insecure. So, five characters will take three days for somebody to crack your password. Four characters will take 43 minutes. Three characters will be 30 seconds. Two characters, it’ll take .03 seconds. And with one character passwords it’s going to take zero seconds, and then the review section on that says, “Oh dear, using a password like this is like leaving your front door wide open,” if you have a one-character password.

So I’ll put a link in the show notes for this website. It’s my1login.com and it’s just a resource for password strength test, and it really can show you how long it will take to hack in or somebody to crack your code. So I think that 99 million, trillion, trillion years is quite a long time, so I’m gonna stay with the default of 24 characters in all of my passwords.

Another thing that we wanna do is, we wanna make sure that we are turning on two-factor authentication for all supported websites. I’ve talked about this a little bit before in the past, but what this means is, when you log into your website, it’s going to prompt you for a question for something that you know and then something that you have. And so, for example, if you go to log into – if you turn on two-factor authentication for Gmail, say for example, then when you log into your Gmail, you put your username and password, then you hit Enter, and then it’s going to ask you for a six-digit code. And that six-digit code will be something that’s generated on your phone. And you can have it set up so it sends you a text message with a six-digit code, or you can set it up with different types of apps on your phone that it will generate in there, and you can type with your six-digit code.

Basically, it’s making sure that anytime somebody logs in, or you’re logging in from a different device, or say somebody – say your Gmail password is compromised in some way. So somebody is trying to log in over there on the library computer, their own personal computer or whatnot, and they don’t have your phone, then they’re gonna get stuck because they don’t have your phone and they don’t have that ability to generate that six-digit code.

And so it’s just making it one level more secure. And yes, it is a little bit of a pain to do, it makes it an extra step to log in; but thankfully, a lot of these services will remember that code for 30 days. And so if it’s on your own personal computer and you log in with your username and password, it’s only going to prompt you for that code once every 30 days. So it’s not super, super annoying that it does it every single day, every time you log in, but it is that extra level of security. It does make it a complete pain sometimes when you’re trying to log into different sites and different services and do things because you’ve always gotta have your phone there; and if you don’t have your phone, you’ve gotta go find your phone.

But, in the overall grand scheme of things, it’s helping to make that much, much more secure; especially if the usernames and passwords get leaked by the company. I think that’s one of the biggest things we need to think about. Yes, we can do everything that we can do to be 100 percent safe; we can change our passwords regularly, we can update our own – we can do all this stuff; we can keep them in a locked vault in our basement, whatever you wanna do.

But if the company itself has a data breach, somebody gets in and steals passwords, there’s nothing we can do about that. We can change our passwords but that’s about it. But when you set up two-factor authentication, then there’s no way for somebody to actually go in and log into your account if they have your username and your password. So that’s another way.

So some of the big sites that have two-factor authentication – there’s a lot of them out there and there is a link, I’ll put a link in the show notes to a website that actually lists all of them out. There’s just a whole bunch of them out there, and then there’s actually a button to suggest and send an e-mail to that company to turn on two-factor authentication. And the big ones are: Apple, Google, Dropbox, Box, Evernote, and all the bank sites, or big ones that do.

I know that I’ve recently set up the two-factor authentication on Apple devices, and it’s a little bit different than some of the other ones. So like with my Google account when I log in, there’s actually an app on my phone that’s called Authy, A-U-T-H-Y, and it syncs across different devices which is really nice. So it gives me the ability that if I have my iPad right next to me instead of my iPhone, then I can log in really, really easily.

But how Apple does it is, if you try to log into your computer, it asks you for two-factor authentication, and then you pick which device you want to authenticate with, either your phone or your tablet. And then, right next to you, wherever that device is, it’s going to pop up and it’s gonna have those six digits or four digits or whatever it is, and then all you have to do is just type them right in it. Super, super easy. You get it set up, it takes a little bit. I know with Apple, you have to request for two-factor authentication, and then about 48 hours later they’ll actually turn it on and then you can do the steps to set it up. So that’s super nice.

And the last piece of the puzzle, you may be thinking, “Okay, Justin, you’re talking all about passwords and all of these things to keep ourselves secure online, but what about our websites? What should we do for our websites?” And we want to definitely use a two-factor authentication plugin within WordPress. There’s one called Duo Security that you can use. There’s Google Analyticator that will do it. But my favorite as of this week – and this is something that I’ve known about for the longest time in the past and I’ve just never set it up on my own sites – and it is called Clef, C-L-E-F. I talked about it a little bit earlier in the show, but basically we want to add Clef, or some sort of two-factor authentication plugin, to all of our WordPress sites. You don’t even have to remember your passwords anymore.

So for example, let’s take a look at – let’s say I have three WordPress websites and I log into the first one and it’s going to prompt me with, “Hey, you need to authenticate with Clef.” And how Clef works is, it has an app for your phone, and it’s both Android and iOS, and you open up the app and it’s got a camera on it, and on your website it’s all these bars are moving. It looks like a barcode that’s kind of moving up and down and kind of at random intervals – it’s kind of a weird looking thing. But basically, you put your phone up right to your screen, it captures it, and then it logs you into that website that you’re trying to log into. Well then, what happens if you open up your next WordPress website and you want to get in there? You’re already logged in because you’re authenticating all of your sites at one time.

Within the Clef app there is something really cool as well: you have the ability to set how long you want to stay logged in. So maybe you only wanna log in for an hour and so you can say, “I wanna log in for an hour and then I’m done,” and then it’ll just automatically log you out of all of your sites at one time. Maybe you get to work at 8:00 in the morning and you know that you’ll be working somewhere between eight and five. And so you set in there, you’re gonna say: in a nine hour window, that’s the only time I want to be able to get to my site, and then turn off; like, log me out at the end of the hour. So that is really pretty cool as well. If you wanna log out, just click the button at any time and it’ll log you out of all of your sites that are set up with Clef, which is really, really cool. So I highly recommend doing that.

I know today I’m going through – this is also part of one my audits that I’m going through to make sure that I’m safe and secure before I jet out of here in a couple of weeks. But I want to make sure that I’m having Clef on every site, making sure that that works perfectly, and so that all of my websites can be logged in and out very, very simply and very, very easy. And it takes that second form of authentication where I have to go in and have my phone with me to log into my sites to make it more difficult for people to log in.

So in the grand scheme of things, you really have to be careful about all your online profiles, your passwords – especially you don’t wanna keep anything the same passwords. Because if somebody gets your e-mail account, then they can start resetting all of your passwords for all your different services, especially like Facebook and Twitter and Google+. I’ve heard about these stories in the past and it’s just tons of energy and time that you have to take to get all of your content back from these hackers, and if they start deleting your stuff, it is an utter, completely – a nightmare to do that.

So I just wanna make sure that, once a year or so, we’ll talk about security things and some of the new things that are the new technologies, and different ways to keep everything safe and secure. And then we’ll just make sure that, once a year or so, that we’re making sure that we’re doing the best practices that we can to keep everything safe and secure, updated and very, very difficult for hackers to get into our websites.

All right, so the Action Items today is going to be: Go out, make sure that you set up two-factor authentication for as many sites as possible. Make sure your own WordPress sites have some sort of two-factor authentication. And then you just wanna make sure that you have as many different passwords as possible. If you’re using the same password for every one of your sites, head on over to LastPass, sign up for a free account, and start changing those passwords regularly on all of your sites.

That’s all I’ve got for you this week. Take care. Bye, bye.

    • Eva Schweber

      Hi Dustin,

      I’m Eva and I work for AgileBits, the makers of 1Password.

      I wanted to thank you for taking the time to educate your readers on the importance of password managers and online security, and for including 1Password in your discussion!

      In this day and age, it is so important that we all use strong and unique passwords for every site that we visit, and password managers can help make it much more convenient to be secure.

      Keep sharing the secure word!

      Eva Schweber
      Good Witch of the Pacific Northwest @ AgileBits
      support.1password.com

      Oct 9, 2015
    • Eric

      Dustin, Great job recommending 1Password. I use it on my computers at home and the office along with my iPhone. It’s a great product. -Eric

      Feb 21, 2017
