Computer security best practices

As a WordCamp.org admin-level user, your account has access to sensitive information and the ability to make potentially damaging changes. We take security seriously, but security is only as strong as its weakest link, so it is important that you go above and beyond to make sure your personal computer, passwords, and data are secure.

You are a target. Contributors have been specifically targeted in the past (personal accounts included), so always be on the lookout and be sure to immediately report anything strange to us. For a good read on why this is important, and why even one insecure account can lead to escalation, see how Mat Honan at Wired got hacked. Here are some things you need to do and keep in mind before gaining Super Deputy access. Some things seem tough at first, but after a while they become habits and are second nature.

General Password Hygiene

  • Never give your password, passphrase, or passcode to anyone else, no matter how nicely they ask and regardless of their familial or romantic status.
  • No two passwords should ever be the same – even if they are “throw away” passwords.
  • To manage these passwords, you should use a password manager. 1Password and LastPass are two we recommend. LastPass has some useful features, but 1Password has a much better design. The manager's master password is a single point of failure (SPOF): everything is behind it, so make it a long passphrase (at least four words) with special characters.
  • Be sure to use high-entropy passwords everywhere. If you are using a randomly generated password, it should be at least 24 characters and have numbers, mixed-case letters, and symbols. Use passphrases only for the handful of passwords you actually need to remember, like your Apple account, your computer login, and your password manager.
  • Passwords and passphrases should not be constructed from known phrases. For example, “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1.” is a bad password even though it has varying capitalization, punctuation, spaces, and an excellent length. That password was cracked in minutes because it is a known fictional phrase from the H.P. Lovecraft short story The Call of Cthulhu. Avoid all known phrases, since any phrase that has been published is on, or will soon be on, a password cracker's word list. Instead, mix and match disparate, randomly chosen words to create a truly unique passphrase.
  • Do not store the 1Password file in Dropbox or any other online service unless you have enabled 2-step authentication for that service and your 1Password file has a very strong master password. The safest thing to do is to keep only a local backup in case your computer is damaged or lost. But we understand that syncing to multiple devices is very handy.
  • Do not store any passwords in a Google Doc or other online service, even if you have enabled 2-step authentication. Again, use a password manager to secure your passwords.
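To put numbers on the advice above, here is an added example (our own illustration, not code from the WordCamp.org tooling). It generates a random-character password and a random multi-word passphrase with the `secrets` module, computes how many bits of entropy each choice carries, and checks a candidate against a known-phrase list the way a cracker's word list would. The word list and the known-phrase list are constructed stand-ins: a real passphrase should be drawn from a large list such as the 7776-word EFF/Diceware list, and the entropy figures assume words are picked uniformly at random, not chosen by hand.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (use a large published one in practice).
SAMPLE_WORDS = [
    "anvil", "basil", "comet", "dune", "ember", "fjord", "gnome", "harp",
    "iris", "jolt", "kelp", "lumen", "mango", "nylon", "oboe", "plinth",
]
DICEWARE_SIZE = 7776          # size of the EFF/Diceware list (6^5 words)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a cracker's phrase list; real lists hold millions of entries.
KNOWN_PHRASES = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "correct horse battery staple",
    "to be or not to be",
]


def random_password(length: int = 24) -> str:
    """Random password over all 94 printable ASCII symbols (no spaces)."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Passphrase of `count` words chosen uniformly at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def _normalize(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so that case,
    punctuation and spacing tricks do not hide a known phrase."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def is_known_phrase(candidate: str, known=KNOWN_PHRASES) -> bool:
    """True if the candidate is, or merely decorates, a phrase on the list."""
    norm = _normalize(candidate)
    return any(_normalize(k) in norm or norm in _normalize(k) for k in known)


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase(SAMPLE_WORDS)
    print(f"{pw}  ({entropy_bits(len(PRINTABLE), 24):.1f} bits)")
    print(f"{pp}  ({entropy_bits(DICEWARE_SIZE, 4):.1f} bits if drawn from a 7776-word list)")
    print("Cthulhu phrase known:", is_known_phrase("Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1."))
```

The entropy figures are the caveat worth remembering: four random words from a 7776-word list give about 52 bits, while 24 random printable characters give about 157 bits. A four-word passphrase is fine for the few secrets you must type from memory, but it is no substitute for the generated passwords the manager should be holding for everything else, and a phrase you did not pick at random is worth far less than either.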


Web

  • Enable 2-factor authentication (2FA) for every site that supports it. Popular services that support it include Apple, Facebook, Twitter, Dropbox, GitHub, LastPass, Box, Gmail, Yahoo, GoDaddy, LinkedIn, Dreamhost, Namecheap, PayPal, and Microsoft/Live.com. (We have tried to link to how-tos for each service.) Those are just some of the common ones. For as full a list as we know of, see the Two Factor Auth List, and enable 2-factor authentication on every single service that you use.
  • For a self-hosted WordPress site, you can use the Google Authenticator plugin or the Duo Security plugin.
  • Make sure all your WordPress installations follow the best practices for security.
  • Do not store your 2-factor recovery codes online or in your password manager. Print them and put them in a safe place in your house instead.
  • Ensure that you are using strong passwords everywhere, even on accounts not directly connected to WordPress.org. GitHub is a good example. 1Password lets you sort your logins by “Password Strength” so you can easily prioritize which accounts need better passwords.


Computer

A lot of contributors use Macs, which are generally pretty good but still need anti-virus, a secure device password, and encryption set up properly. Similar advice applies to Windows and Linux.

  • Set a system passphrase (at least four words) on your computer, even if it is a desktop and you live alone. Make sure the password is required to wake from sleep or from the screen saver.
  • Have the screen saver turn on in 15 minutes or less if unattended. You can configure a shortcut to enable the screen saver, which you should do whenever you get up from your computer.  If you use Alfred, you can have it “lock.”
  • Encrypt your hard drive. You can use FileVault on OS X, and BitLocker or DiskCryptor on Windows. On Linux systems, encryption is usually offered when you install your system, but if you’ve already installed it, then you will probably need to re-install.
  • Make sure your backups are encrypted. Here’s how on OS X Time Machine.
  • Install and run anti-virus software with the latest virus definitions. Microsoft Security Essentials is good for Windows 7 (it is built into Windows 8 and up under the name Windows Defender) and Sophos for OS X. Both are free. (If you have trouble with proxy connections after installing Sophos, try this workaround.)
  • When connecting to any WordPress.org sites, always use the proxy.
  • Your SSH private key must have a strong passphrase. Neither the passphrase nor the key itself should be stored online in a service like Dropbox. You should make a backup of the key to an encrypted external hard drive, Time Capsule, or USB stick. Never store the key and the passphrase in the same place.
  • Turn on your firewall.
  • Consider running a “reverse firewall” (an outbound connection filter) like Little Snitch. It is noisy at first, but gets quieter as you set up your rules.
  • After you have set up two-factor authentication for your Apple account, you should turn on Find My Mac to allow your device to be remotely locked and wiped if the need ever arises.
  • Make sure your home router firmware is current and you aren’t using the default password. Also review any port forwarding settings to make sure they are all needed and expected. Remove anything you are not currently using. (We have seen hacked routers, which means the router can capture your traffic.)
  • Don’t use wireless keyboards from Microsoft, because they are vulnerable to eavesdropping. Use a Bluetooth keyboard instead.
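The SSH key item above is easy to get wrong silently: `ssh-keygen` accepts an empty passphrase, and an unencrypted key looks exactly like an encrypted one from the outside. The following added example (written for this page; not a tool shipped by WordCamp.org or OpenSSH) inspects a private key file and reports whether it is actually passphrase-protected. For the current `openssh-key-v1` format it decodes the header and reads the cipher and KDF names (`none`/`none` means unencrypted; `aes256-ctr`/`bcrypt` is what `ssh-keygen` writes when a passphrase is set); for the legacy PEM format it looks for the `Proc-Type: 4,ENCRYPTED` header. The sample keys are constructed in the block with filler key material so the checker runs offline; they are not usable keys. The directory scan assumes the usual `~/.ssh` layout.

```python
import base64
import struct
from pathlib import Path
from typing import Dict, Iterator

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, pos: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def inspect_private_key(text: str) -> Dict[str, object]:
    """Report format and encryption status of a PEM/OpenSSH private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if lines[0] == OPENSSH_HEADER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, pos)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted only if the Proc-Type header says so.
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    return {"format": "legacy-pem", "header": lines[0], "encrypted": encrypted}


def find_unencrypted_keys(ssh_dir: Path = Path.home() / ".ssh") -> Iterator[Path]:
    """Yield private keys under ssh_dir (default ~/.ssh) that have no passphrase."""
    for path in sorted(ssh_dir.glob("*")):
        if path.is_file() and path.suffix != ".pub":
            try:
                report = inspect_private_key(path.read_text())
            except (ValueError, UnicodeDecodeError):
                continue  # known_hosts, config, authorized_keys and the like
            if not report["encrypted"]:
                yield path


def build_sample_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed sample for testing: only the header fields inspected above are
    meaningful, the key material is zero filler, so this is NOT a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", 16) if kdf == "bcrypt" else b""
    raw = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
           + struct.pack(">I", 1) + s(b"\x00" * 32) + s(b"\x00" * 64))
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format sample (headers only; body is filler, not a real key).
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(inspect_private_key(build_sample_openssh_key("aes256-ctr", "bcrypt")))
    print(inspect_private_key(build_sample_openssh_key("none", "none")))
    for key in find_unencrypted_keys():
        print(f"WARNING: {key} has no passphrase")
```

If the scan flags a key, `ssh-keygen -p -f <keyfile>` adds a passphrase in place without changing the public key; combine it with `-a 100` (or higher) to raise the bcrypt round count, which is what makes an offline guess against a stolen key file expensive.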


Phones and Tablets


Is It All Worth It?

Yes. Think of how much you value everything on your computer and on web services: photos of your loved ones, correspondence, financial information, your writing. Multiply that by all the people who have shared their information on a WordPress.org/WordCamp.org/community website. Even a single contributor getting hacked puts every other contributor and all our users at risk. We trust organizers to take this seriously.


We’re At Your Service

  • If you notice anything suspicious on your accounts such as weird behavior or emails you don’t recognize, let us know immediately.
  • If you have any questions about anything above, let us know.