WordPress Essential Plug-Ins – Security for Dummies

Written by Tcat Houser. Posted in Wordpress Plugins

There is a mantra in the computer security world. It goes: Security Through Obscurity = Bad. Defense in Depth = Good.
Of course, using security through obscurity as one layer of your defense-in-depth plan = Great.
Here we're recommending a simple WordPress plug-in known as E-Mail Login. As you see from the graphic, I eat my own dog food. It is installed on the sites that I administer. As you can also see, it has a large number of downloads and a perfect five-star rating.
It installs like any other plug-in. If you read the author's comments, you will see that you can optionally change the WordPress login panel so that it asks for your e-mail address rather than your username.
To me, that is going to extra work to be an ID10T. Why would I give a black hat any clue that they need an e-mail address rather than a username? That goes a long way towards defeating the whole concept of security through obscurity.
If you have an existing WordPress site where you log in with administrator rights by username, here is what I would do if I were you.
Install the plug-in and create a new user with admin rights. (WordPress will not allow you to delete your old admin account if it is the only one, since that would leave an orphaned account.)
Because WordPress still allows login by username with this plug-in, when creating the new god account I would strongly recommend a username that is total gibberish: long and, once again, complete trash. For example: gwvnh;nhgvnheanh;QHI!
(I made that up by just running my fingers across the keyboard.) The truly paranoid may want to copy and paste the random username onto a USB key, which is then removed from the computer and locked in a secure location such as a safe or safety deposit box. After all, the username still does work.
Unfortunately there are still a few plug-ins out there which require the actual user name of the admin account. So do keep a copy of that trash username.
Again I would not modify the login panel to let anybody know you are using an e-mail address. And if you have to keep handy a copy of the trash name for other plug-ins, keep that on a USB key at a minimum, not on your computer (even on the client-side). Just plug in the USB key when needed and do a copy paste.
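The keyboard-mash approach above has one catch a practitioner should know about: when WordPress creates a user it runs the name through its strict username sanitizer, which silently drops characters such as `;` and `!`, so the string you paste onto the USB key may not be the one WordPress actually stored. The following is an added example, not code from the post or from the E-Mail Login plug-in; it draws the "trash" username from a CSPRNG using only characters the sanitizer keeps, and approximates that sanitizer (assumed here to allow letters, digits, space, `_`, `.`, `-` and `@`) so you can check what survives.

```python
import math
import re
import secrets

# Characters assumed to survive WordPress's strict username sanitization
# (letters, digits, underscore, dot, hyphen, at-sign). Space is allowed by
# WordPress too but is left out so the name copies and pastes cleanly.
WP_STRICT_ALLOWED = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_.-@"
)


def wp_strict_sanitize(username: str) -> str:
    """Approximation of WordPress's strict username sanitizer: drop every
    character outside the allowed set, trim, and collapse runs of whitespace."""
    cleaned = re.sub(r"[^a-zA-Z0-9 _.\-@]", "", username)
    cleaned = cleaned.strip()
    return re.sub(r"\s+", " ", cleaned)


def random_admin_username(length: int = 24) -> str:
    """Build the gibberish admin username from a CSPRNG, restricted to
    characters WordPress keeps, so the copy on the USB key matches the
    account that actually exists."""
    if length < 16:
        raise ValueError("use at least 16 characters for the admin username")
    return "".join(secrets.choice(WP_STRICT_ALLOWED) for _ in range(length))


def username_entropy_bits(username: str, alphabet: str = WP_STRICT_ALLOWED) -> float:
    """Entropy of a uniformly random name of this length drawn from `alphabet`."""
    return len(username) * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample: the article's keyboard-mash example. The ';' and '!'
    # are removed by strict sanitization, so the stored login differs from it.
    sample = "gwvnh;nhgvnheanh;QHI!"
    print("article example as WordPress would store it:", wp_strict_sanitize(sample))
    name = random_admin_username()
    assert wp_strict_sanitize(name) == name  # nothing gets stripped
    print("generated:", name, f"(~{username_entropy_bits(name):.0f} bits)")
```

Create the account with the generated name, then log in once with it to confirm WordPress stored it unchanged before you commit the copy to the USB key.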
While you are at it, consider using the same USB key for other security issues such as MD5/SHA-1 checksums.
While you can get away with a very small USB key, do not grab any old unnamed thumb drive. The size is not important, as we're talking about simple text strings. But you want to use a high-quality key, because failure of the flash memory containing all these critical text strings could be disastrous.
For the same reason, be sure to unmount/eject/close the key before removal. Demonstrating my paranoia level, I keep an encrypted version of my key as a file on a Dropbox-like site. No, the filename of this oh-so-important set of data, which I like to think of as the keys to the city, does not indicate its importance. I would suggest using an encrypted PDF and calling it something like: Christmas shopping list 2005.
