Ignore the fact that Google’s going to downgrade your sites if they’re not HTTPS soon. That’s not what I’m talking about.

I’m a strong proponent of Net Neutrality and Freedom of Speech. I certainly intend to speak up and write and protest in the coming weeks and months, just like I have my whole life. I look at the world and I see things that need changing. So while this blog is about technology and computers and the Internet and websites, it has an impact on my political actions.

Or rather, it’s that my political actions impact this site.

People try to hack me all the time. All the damn time. Within the last 24 hours, over 400 people have tried to break into my ‘root’ account. It’s not named root. Good luck there. But the point is that people do try to hack me. They attack my WordPress install, my server, my email, my social media accounts, and my home wifi. I suspect the last one is my neighbor being stupid.

This means I know that speaking up will make me a target and, because of that, I need to secure the hell out of my stuff. And that means using Two Factor Authentication.

Use Strong Passwords

I use 1Password to both create strong passwords and securely store them. A popular alternative is LastPass, but having used both, I find 1Password easier to use. Regardless, use them. My passwords are things like 4seqKD)CsbG=iQnVoirwZ77+ which I hate typing in when I have to change them, but thankfully with browser extensions I not only don’t have to, but I don’t know my own passwords.

Example of the 1Password generator

I can just generate and go.
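To show what "generate and go" actually buys you, here is a small added example (mine, not 1Password's or LastPass's code) that builds a password the way a manager does, from a cryptographic random source, and scores a candidate by length, character classes and entropy bits. The 94-character alphabet and the 24-character default are assumptions chosen to match the style of password quoted above.

```python
import math
import secrets
import string

# Character classes a typical password-manager generator draws from:
# the 94 printable ASCII characters minus space (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from a CSPRNG (secrets), never random."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def check_password(pw: str, min_length: int = 16) -> dict:
    """Report on a candidate: length, character classes present, and an
    entropy estimate that assumes the password was generated uniformly from
    the classes it uses (an upper bound; a human-chosen password scores the
    same but is far weaker)."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    pool = 0
    if classes["lower"]:
        pool += 26
    if classes["upper"]:
        pool += 26
    if classes["digit"]:
        pool += 10
    if classes["symbol"]:
        pool += 32
    bits = entropy_bits(len(pw), pool) if pool else 0.0
    return {
        "length": len(pw),
        "classes": classes,
        "estimated_bits": round(bits, 1),
        "ok": len(pw) >= min_length and all(classes.values()),
    }


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, check_password(candidate))
```

The estimate only means something for generated passwords: a 24-character draw from all four classes lands around 157 bits, while an eight-letter dictionary word is under 40 even before you account for the dictionary itself.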

Secure your Email

I know a lot of people use Gmail. I pay them for email right now (long story; tl;dr no one does spam better). That doesn’t mean I fully trust them, but since I pay them, I know I have a different relationship than the free Gmail one. Still, I use 2-Step Verification on Gmail.

If you need super secure and private email, ProtonMail is the way to go. Sadly it’d be $30 a month for my multiple domains. I wish they’d charge per email address, but that’s another issue.

Secure Your Panels

Everyone logs into web hosts the same way. We use a panel. It might be Plesk or cPanel or a home-grown system. It doesn’t matter which. Whichever one you use, make secure passwords, don’t share them with anyone, and if at all humanly possible, use Two Factor Authentication. If your web host doesn’t offer it, leave. I know what I just said. If they don’t offer some method of verification, they’re not safe.

When you secure your panel, make sure you also secure your billing stuff. For example, I use LiquidWeb. They use cPanel and I activated Two Factor Authentication for that. But they also have a proprietary manage site where I log in for billing and server allocations. That also needs security. Make sure you do it on both.

Secure Your Blog

If you use WordPress.com, turn on Two Step Authentication.

If you self-host WordPress, use a plugin like Two Factor. That’s the feature project’s plugin that hopes to be added to WordPress core, so it’s a little rough around the edges. I do have fundamental issues with 2FA being enabled by default for all users of a blog, but that’s because I understand that most users are not technical.

It’s a double-edged sword. If we don’t teach people to be a little more technical to be a little safer, they won’t become safer. On the other hand, with things like 2FA and WordPress, there’s no real way for them to contact a person for help. If you turn it on, then everyone who locks themselves out gets to either call their webhost (who isn’t responsible for that) or a young relative (who didn’t sign on for that) or post in the support forums (who did sign on for that, but still).

Secure Social Media

Twitter, Facebook, and Tumblr have Two Factor authentication. Use it.

Twitter’s sucks, by the way. It’s text-based, which means you can only use it via text messages. Facebook requires you to use texts, but allows it to be a backup to a code generator like Google Authenticator.

Be Secure

The moral of all this? Be secure.


Comments

  1. Thanks, Mika, for this article.
    What struck me most were your thoughts on 2FA on self-hosted WordPress sites. I for myself have had it for a while now.
    While I do encourage people around me to activate it I haven’t suggested using it to my clients. Usually I am pretty happy if they manage the initial process of setting their password…
    On the other hand I can see your point with “if you don’t teach them…”. It probably is worth the effort to at least try to teach some of them and see how they fare.
    (Then again I am still struggling with getting my clients to have their site encrypted and it sometimes feels like I was some kind of paranoid alien. :mrgreen: )
    Thanks so much for the nudge is what I meant to say. 😀

    • @Elisabeth: It’s hard, isn’t it? There are a lot of people who don’t understand what it is, and when they get locked out, which they will, they have no recourse to unlock.

      There’s no decent UX for setting up 2FA, and there’s no sane fallback for non-technical users. I locked myself out of WordPress.com when I had to get a new phone, and if I hadn’t known people personally, I’d still be locked out! And I know what I’m doing. It’s just messy 😕 But we have to try or no one will learn.

  2. Hashim Warren says:

    I turned on 2FA for Gmail but then turned it off after I locked myself out during a really critical moment.

    I was on a different computer, and had left my phone at home.

    Ever since then I turned it off. There has to be a better way.

    • @Hashim Warren: The entire idea is ‘something you have with you.’ So yes, you need your phone.

      Of course, if you use 1Password, it has 2FA built in so you could have that on your laptop. Then again, being on a ‘different’ computer without all your things is how you get hacked anyway 🙂 How do you know that computer was safe?
