Computer security best practices

As a WordCamp.org admin-level user, your account has access to sensitive information and the ability to make potentially damaging changes. We take security seriously, but security is only as strong as its weakest link, so it is important that you go above and beyond to make sure your personal computer, passwords, and data are secure.

You are a target. Contributors have been specifically targeted in the past (personal accounts included), so always be on the lookout and be sure to immediately report anything strange to us. For a good read on why this is important, and why even one insecure account can lead to escalation, see how Mat Honan at Wired got hacked. Here are some things you need to do and keep in mind before gaining Super Deputy access. Some things seem tough at first, but after a while they become habits and are second nature.

General Password Hygiene

  • Never give your password, passphrase, or passcode to anyone else, no matter how nicely they ask and regardless of their familial or romantic status.
  • No two passwords should ever be the same – even if they are “throw away” passwords.
  • To manage these passwords, you should use a password manager. 1Password and LastPass are two we recommend. LastPass has some cool features, but 1Password has an infinitely better design. This is a SPOF (single point of failure), so use a long passphrase (at least four words) with special characters.
  • Be sure to use high entropy passwords everywhere. If you are using a randomly generated password, it should be at least 24 characters and have numbers, mixed case letters, and symbols. Use passphrases for the passwords you need to “remember”, like your Apple account, your computer, and your password manager.
  • Passwords and passphrases should not be constructed from known phrases. For example, “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1.” is a bad password even though it has varying capitalization, punctuation, spaces, and is an excellent length. That password was cracked in minutes because it was a known fictional phrase from the H.P. Lovecraft short story The Call of Cthulhu. Avoid all known phrases, as it is likely that a given phrase is on or will be on a password cracker word list. Instead, mix and match disparate words to create a truly unique password or passphrase.
  • Do not store the 1Password file in Dropbox or any other online service unless you have enabled 2-step authentication for that service and your 1Password file has a very strong master password. The safest thing to do is to just make a local backup in case your computer is damaged or lost. But we understand that syncing to multiple devices is very handy.
  • Do not store any passwords in a Google Doc or other online service, even if you have enabled 2-step authentication. Again, use a password manager to secure your passwords.

Web

  • Enable 2-factor authentication (2FA) for every important site that supports it.
    • Never use SMS-based 2FA, unless it’s the only option. Whenever possible, use an app to generate the one-time passwords.
  • For your self-hosted WordPress site you can use the Google Authenticator or the Duo Security plugin.
  • Make sure all your WordPress installations are following the best practices for security.
  • Do not store your 2-factor recovery codes online or in your password manager. Print them and put them in a safe place in your house instead.
  • Ensure that you are using strong passwords everywhere, even on accounts not directly connected to WordPress.org. GitHub is a good example. 1Password allows you to sort your logins by “Password Strength” so you can easily prioritize which accounts need better passwords.

Computer

A lot of contributors use Macs, which are generally pretty good but still need anti-virus, a secure device password, and encryption set up properly. Similar advice applies to Windows and Linux.

  • Set a system passphrase (at least four words) on your computer, even if it is a desktop and you live alone. Make sure the password is required to wake from sleep or from the screen saver.
  • Have the screen saver turn on in 15 minutes or less if unattended. You can configure a shortcut to enable the screen saver, which you should do whenever you get up from your computer. If you use Alfred, you can have it “lock.”
  • Encrypt your hard drive. You can use FileVault on OS X, and BitLocker or DiskCryptor on Windows. On Linux systems, encryption is usually offered when you install your system, but if you’ve already installed it, then you will probably need to re-install.
  • Make sure your backups are encrypted. Here’s how on OS X Time Machine.
  • Install and run anti-virus software with the latest virus definitions. Microsoft Security Essentials is good for Windows 7 (it is built into Windows 8 and up under the name Windows Defender) and Sophos for OS X. Both are free. (If you have trouble with proxy connections after installing Sophos, try this workaround.)
  • When connecting to any WordPress.org sites, always use the proxy.
  • Your SSH private key must have a strong passphrase. Neither the passphrase nor the key itself should be stored online in a service like Dropbox. You should make a backup of the key to an encrypted external hard drive, Time Capsule, or USB stick. Never store the key and the passphrase in the same place.
  • Turn on your firewall.
  • Consider running a “reverse firewall” like Little Snitch; it is noisy at first, but then gets quieter as you set up your rules.
  • After you have set up two-factor authentication for your Apple account, you should turn on Find My Mac to allow your device to be remotely locked and wiped if the need ever arises.
  • Make sure your home router firmware is current and you aren’t using the default password. Also review any port forwarding settings to make sure they are all needed and expected. Remove anything you are not currently using. (We have seen hacked routers, which means the router can capture your traffic.)
  • Don’t use wireless keyboards from Microsoft, because they are vulnerable to eavesdropping. Use a Bluetooth keyboard instead.
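The SSH item above requires the private key to carry a passphrase. As an added check that is not part of this handbook, the Python script below reports which keys in ~/.ssh are stored unencrypted by reading only the key file headers: the cipher field of the OpenSSH key format (a cipher of "none" means no passphrase), the PKCS#8 "ENCRYPTED PRIVATE KEY" header, or the legacy PEM "Proc-Type: 4,ENCRYPTED" header. The ~/.ssh audit location and the constructed sample key builder are assumptions of this example.

```python
"""Added example (not from the WordCamp handbook): flag SSH private keys in
~/.ssh that are stored without a passphrase, which the advice above forbids."""
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(pem_text: str):
    """True if passphrase-protected, False if in the clear, None if not a key."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if len(lines) < 2 or "PRIVATE KEY-----" not in lines[0]:
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: after the magic comes the cipher name as a
        # uint32-length-prefixed string; a cipher of "none" means no passphrase.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (length,) = struct.unpack_from(">I", body, off)
        return body[off + 4:off + 4 + length] != b"none"
    if "ENCRYPTED PRIVATE KEY" in header:
        return True  # PKCS#8, encrypted
    # Legacy PEM (RSA/DSA/EC) and plaintext PKCS#8: encrypted only if a
    # "Proc-Type: 4,ENCRYPTED" header is present.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])

def audit_ssh_dir(ssh_dir: Path = Path.home() / ".ssh"):
    """Map each private key file name to whether it is passphrase-protected."""
    findings = {}
    if not ssh_dir.is_dir():
        return findings
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            verdict = key_is_encrypted(path.read_text(errors="replace"))
        except (ValueError, struct.error):
            verdict = None  # not a key, or truncated/corrupt
        if verdict is not None:
            findings[path.name] = verdict
    return findings

def make_sample_openssh_key(cipher: bytes) -> str:
    """Constructed sample for testing: only the fields the check reads are real."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Any key that `audit_ssh_dir()` maps to `False` should be re-protected (for example by setting a passphrase with `ssh-keygen -p`) or replaced.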

Phones and Tablets

Is It All Worth It?

Yes. Think of how much you value everything on your computer and on web services: photos of your loved ones, correspondence, financial information, your writing. Multiply that by all the people who have shared their information on a WordPress.org/WordCamp.org/community website. Even a single contributor getting hacked puts every other contributor and all our users at risk. We trust organizers to take this seriously.

We’re At Your Service

  • If you notice anything suspicious on your accounts such as weird behavior or emails you don’t recognize, let us know immediately.
  • If you have any questions about anything above, let us know.