Use a password manager to store and fill in your passwords.

Learn how to create and use long, complex and strong passwords without having to remember or type them manually.

Stop using weak passwords.

Passwords that you can remember and type in manually are no longer considered secure. This is the case even if you use word phrases mixed with birthdays or other dates: such passwords follow patterns that cracking tools try first, built from dictionaries, leaked password lists and common substitutions, so they fall in a short time. If you also reuse the same password on different sites, a leak at one site hands the attacker your accounts at the others as well, an attack known as credential stuffing.


The following passwords are examples of weak passwords that can be cracked by brute force attacks based on dictionaries, leaked passwords and pattern generators. They can also be noticed and remembered by someone watching you type.

There is no place like home

Use a password manager.

You want long, complex and strong passwords. You want each password used for one site only. You want your computer to fill these passwords in for you. All of this is accomplished by using a password manager.

A password manager is a utility that keeps a database of your sites, usernames and passwords and fills the passwords in for you. Free and open source password managers exist for every common operating system, but a password manager does not have to be a dedicated program; it can also be a database of your own or even a spreadsheet that you copy and paste from. In any case it is important that the passwords are stored encrypted. A dedicated manager encrypts its database with a master passphrase, so the passwords stay protected even while the computer is running and unlocked, whereas a plain spreadsheet is only as protected as the file system encryption beneath it. There are also professional grade, portable password managers.

Modern browsers, such as Firefox, come with a built-in password manager that can store and fill in your passwords on the websites you use. In Firefox you should set a Primary Password, because without one the stored logins can be read by anyone who can open your profile directory. This feature should not be confused with the "remember me" option on a login form, which sets a cookie so that the site keeps you logged in; that cookie is a session token, not your password.

Use as long, complex and strong passwords as possible.

If you use a password manager that fills in your usernames and passwords, then there is no reason not to use passwords that are as long, complex and strong as possible. To create such passwords, find out how long a password the site allows and which characters it accepts. Modern authentication systems (the system that verifies who you are when you log in) generally allow long and complex passwords; a low maximum length or a ban on special characters is itself a warning sign about how the site handles passwords.

The passwords below are examples of strong passwords. Note how they are long and contain a mix of special characters, numbers, lower case letters and upper case letters. Such passwords would be very difficult to crack.


Use a password generator.

You should not try to invent a long, complex and strong password yourself. This is best done with a password generator: a piece of software that uses a cryptographically secure random number generator to draw a mix of special characters, numbers, lower case letters and upper case letters, producing a strong and unique password for you.

I recommend using my password generator. You might already have a password generator built into your password manager, but do make sure that the passwords it generates are strong enough: long, drawn from a large character set and from a proper random source.

Use other authentication methods than passwords.

If the system you log into supports other and more secure authentication methods, then you might stop using passwords altogether. An example is SSH keys, where you hold the private key and the server has the public key, which gives a fast, easy and secure authentication method: nothing secret is ever sent to the server, so the server cannot leak your credential, and a key cannot be guessed in an online attack the way a password can. Protect the private key with a passphrase. Keys can be combined with other authentication methods for added security. SSH keys are commonly used for SSH and SFTP servers.

6 steps to secure WordPress against hacking and hacker attacks.

Learn how to secure your WordPress installation against hacking by following these 6 steps to control access and eliminate vulnerabilities.

An example of how my website could look, if WordPress had been hacked and defaced by a hacker or automated bot network driven hacker toolkit.

Why are WordPress websites hacked?

WordPress and other websites are hacked for many reasons: not only to obtain valuable information, but also to demand bitcoin or money as ransom, eliminate competition, distribute malware, spread political messages, perform negative search engine optimization, or abuse your server's bandwidth in larger coordinated attacks against other sites. Only rarely is hacking done just for fun, and when it is, it is usually about putting up a picture, which is known as defacing.

More often than not, a hack is not carried out by a person at a keyboard but by an automated attack: a tool, often driven by a botnet, that scans for and exploits one specific vulnerability or guesses passwords against the login. In that case your WordPress installation just happened to expose the vulnerability that the tool looks for. An example of such a vulnerability is a security hole in a plugin that has not been updated.

How to check if WordPress is being hacked.

When WordPress is under attack, the website might become slow, unresponsive or unavailable. You might also see spikes in network traffic. There is, however, a better way to check whether your website is under attack or has been hacked.

Each time a user visits your WordPress website, or an attack is attempted, the web server that hosts the site logs the request. Each log entry includes a time stamp, the IP address of the client, the request method and the targeted WordPress file, and the HTTP status code returned by the web server. It can include more information, such as the user agent, the string with which the client identifies its browser or tool. The user agent is chosen by the client and is easily forged.

In the example below the log shows a request for the sitemap from a client identifying itself as Googlebot, which was served (status 200). This is not an attack, so blocking this address would be a costly mistake, because Google would no longer be able to index your website. Since the user agent can be forged, verify a claimed crawler by its address rather than its name: Google documents how to confirm Googlebot with a reverse DNS lookup of the address followed by a forward lookup of the resulting host name.

- - [26/Feb/2021:23:04:19 +0100] "GET /sitemap_index.xml HTTP/1.1" 200 770 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +"

If your website is under attack, you will discover patterns of repeated requests to the WordPress login page, to plugins or to other parts of WordPress from suspicious addresses. Keep the log, so you can investigate which part of WordPress is being targeted and where the attack comes from.

Example of a brute force attack on the WordPress login page.

Below is an example of a brute force attempt against the login page of a WordPress website. An attacker is running an automated tool that tries usernames and passwords from lists of leaked credentials, common passwords from a dictionary and generated variations.

If your server does not identify this attack, a brute force attack like this can run for days, weeks or months and eventually gain access. It is against an attack like this that the length and complexity of your password matter: every guess costs the attacker a request, so a password drawn from a large space stays out of reach even at many guesses per second.

By looking in the web server log, you will notice a pattern of repeated login attempts, here about two per second from the same client (the client address has been removed from the excerpt). In this example the web server was not secured, so every request is answered with HTTP status 200, which means that the server accepted and processed the request and returned the login page again, as WordPress does when the password is wrong; the identical size, 3568 bytes, is the same form being served each time. A successful login would instead show a 302 redirect into wp-admin, and with the access control from step 1 in place the requests would be refused with 403.

- - [07/Apr/2016:07:26:41 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:44 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:45 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:45 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:46 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
- - [07/Apr/2016:07:26:47 +0200] "POST /wp-login.php HTTP/1.1" 200 3568
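The pattern above can be picked out of an access log automatically. The following Python script is an added example and not tooling from the original post: it parses Apache combined-format log lines, counts POST requests to /wp-login.php per client address in a sliding window, and flags a client that makes at least five attempts within a minute. It also records a 302 answer to such a POST, which in stock WordPress means the login succeeded. The log lines embedded in it are constructed for the example, with addresses from the documentation ranges in place of real clients.

```python
"""Flag brute force bursts against the WordPress login page in an Apache access log.

Added example, not tooling from the original post. SAMPLE_LOG is constructed for
the example; the client addresses come from the documentation ranges and stand in
for real clients.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format:
# client ident user [timestamp] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not a request entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(lines, threshold=5, window_seconds=60):
    """Summarise POST requests to wp-login.php per client address.

    Returns {ip: {"attempts": n, "burst": bool, "success": bool}} where
      burst   is set once `threshold` POSTs fall inside any `window_seconds` window
              (sliding window per client, so a slow drip below the rate is not flagged)
      success is set on a 302 answer: stock WordPress redirects into wp-admin on a correct
              password and re-renders the form with 200 on a wrong one.
    Lines are expected in log order; a 403 from access control still counts as an attempt.
    """
    recent = defaultdict(deque)
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path.split("?", 1)[0] != "/wp-login.php":
            continue
        entry = report.setdefault(ip, {"attempts": 0, "burst": False, "success": False})
        entry["attempts"] += 1
        if status == 302:
            entry["success"] = True
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            entry["burst"] = True
    return report

# Constructed sample: a crawler fetching the sitemap, six failed logins and one success from
# one client within seven seconds, and a single failed login from another client.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2016:07:25:59 +0200] "GET /sitemap_index.xml HTTP/1.1" 200 770 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.45 - - [07/Apr/2016:07:26:41 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:44 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:45 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:46 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2016:07:26:47 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2016:08:10:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3568 "-" "Mozilla/5.0"
"""

def analyze_sample():
    """Run the detector over the constructed sample."""
    return find_login_bursts(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, entry in analyze_sample().items():
        print(f"{ip:15} attempts={entry['attempts']:3} burst={entry['burst']} success={entry['success']}")
```

To run it over a real log, pass an open file, for instance find_login_bursts(open("/var/log/httpd/access_log")) (the path is an assumption; it differs between distributions), and tune threshold and window_seconds to the site's normal login traffic. A client flagged with success set after a burst is the case to act on first: the account that was logged into should be treated as compromised, its password changed and its sessions ended.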

A quick WHOIS look-up reveals that this attack came from a single IP address, registered to a local internet registry in Ukraine. Note that WHOIS identifies who holds the address block, not who is behind the keyboard: attacks are commonly launched from compromised machines or rented servers, so the country of the source address is weak evidence of where the attacker is. It is nevertheless not uncommon to see scam and attack traffic coming from Russian and Ukrainian address space.

# whois
inetnum: -
org:            ORG-PS152-RIPE
country:        UA
mnt-by:         GLUBINA-MNT
created:        2007-09-21T12:32:02Z
org-type:       LIR
address:        Gvardeyskay, 14 , K. 1
address:        Severodonetsk
phone:          +380661922248

Further research confirmed that these addresses had been used by scammers and attackers and were listed in real-time blackhole lists (RBLs) and other abuse databases, which servers can query to identify and block attacks.

Step 1: Restrict access to the WordPress login page.

Restrict access to the login page, dashboard and administration part of WordPress, so that only the administrators and editors of the site can reach them, and only from known networks. This is called access control. It is not only a very strong protection against attacks on the login, but it also removes the server load that brute force attacks cause, because the requests are refused before WordPress and PHP ever run.

This is best done in the web server configuration of the website, which is known as a virtual host. Below is an example of such protection in Apache 2.4, where access is decided by Require directives. First the main directory of WordPress is secured: the XML-RPC interface and the login page are limited to the administrator's addresses, and wp-cron.php to the server's own address, since WordPress calls it itself. Replace the path with the path of your website and define the addresses or networks behind the variables with Define (the addresses shown in the comments are examples). A bare Require ip allows only the listed addresses and denies everyone else; by default, several Require lines in one section are combined with OR, so a Require all denied next to a Require ip adds nothing.

# Define admin 203.0.113.10
# Define server 198.51.100.7
<Directory ".../">
  <Files "xmlrpc.php">
    Require ip ${admin}
  </Files>
  <Files "wp-cron.php">
    Require ip ${server}
  </Files>
  <Files "wp-login.php">
    Require ip ${admin}
  </Files>
</Directory>

Then the administration directory, wp-admin, is secured. The file admin-ajax.php is left open, because themes and plugins call it for ordinary visitors as well; the more specific Files section replaces the Directory rule for that one file.

<Directory ".../">
  <Files "admin-ajax.php">
    Require all granted
  </Files>
  Require ip ${admin}
</Directory>

If the site sits behind a reverse proxy or a CDN, the address Apache sees is the proxy's, and every client would match or fail the rule alike. In that case the real client address has to be restored first, for instance with mod_remoteip, before Require ip means anything.

If this is not possible for you, an alternative is to restrict access to the login page with a WordPress plugin that offers access control by IP address allow-listing. Some plugins also offer limits on login attempts, two factor authentication (2FA) and other security measures. Note that a plugin runs inside WordPress, so every request still has to be handled by PHP before it is rejected.

Consider country wide blocking or redirection.

You might consider going as far as blocking entire countries that are not part of the market your website is aimed at. This is known as country-wide blocking and is done by loading aggregated access control lists of the IP address ranges allocated to those countries. Such lists are published and maintained by security sites on the internet. They are typically derived from the regional internet registries' allocation data, so they are neither complete nor exact, and they need to be refreshed regularly.

The lists are loaded either by the web server or by the server firewall. Loading them in the firewall is the most effective, since blocked traffic is dropped before it reaches the web server. WordPress plugins offer similar lists, but these are less effective, because PHP still has to run to refuse each request.

An alternative to blocking those countries is redirecting them to another site that you might have dedicated to them, thereby segmenting your traffic into different sites.

Step 2: Use strong passwords for WordPress, database and web host.

The time it takes for a brute force attack to succeed depends on the strength of your passwords and on how fast your website answers each attempt. Strength is not only about the length of a password, but also about it never having been used on other sites, which could have been hacked or otherwise compromised; a reused password turns up in leaked credential lists and is then tried first.

Use a password generator and a password manager.

WordPress comes with a built-in password generator, which is recommended, because it produces passwords that cannot realistically be cracked by brute force. You can also use another password generator or generate your own.

The fact that the passwords are long and complex should not be a problem, because you should be using a password manager, either the one in your browser or a separate program, that stores and handles your passwords securely.

Examples of strong passwords.

The passwords below are examples of strong passwords generated by different password generators. The first was generated by Mozilla Firefox, the next by WordPress, and the last by a custom generator based on makepasswd, made by myself. These are just examples and should not be used. Note how none of them contains dictionary words.
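What a generator has to get right, for this section as well as for the "Use a password generator" advice in the password post above, is the random source, the size of the character set and the length. The following Python script is an added example and not the author's makepasswd-based generator, nor the WordPress or Firefox one: it draws each character with the secrets module, redraws until every character class is present, and computes the entropy of the result so that the strength can be compared with, say, an eight-character lowercase password. The default alphabet, the 94 printable ASCII characters except space, is an assumption; trim it to what the target site accepts.

```python
"""Generate passwords of known strength with a CSPRNG and compute their entropy.

Added example; not the post's own generator (a makepasswd derivative) nor the
WordPress or Firefox one. The default alphabet of 94 printable ASCII characters
is an assumption to adjust to what the target site accepts.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 characters
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def entropy_bits(length, alphabet_size):
    """Entropy in bits of a password drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)

def required_classes(alphabet):
    """The character classes that the alphabet can actually supply."""
    return [cls for cls in CLASSES if any(c in alphabet for c in cls)]

def has_all_classes(password, alphabet=ALPHABET):
    """True if the password contains at least one character from every class the alphabet offers."""
    return all(any(c in cls for c in password) for cls in required_classes(alphabet))

def generate_password(length=32, alphabet=ALPHABET):
    """Draw each character with secrets.choice and redraw until every class is represented.

    Redrawing keeps the result uniform over the policy-conforming passwords; patching a
    missing class into a fixed position would bias the result and leak structure.
    secrets uses the operating system's CSPRNG, unlike random, whose output is predictable.
    """
    if length < len(required_classes(alphabet)):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, alphabet):
            return candidate

def seconds_to_crack(bits, guesses_per_second):
    """Expected seconds to find the password at an assumed guess rate (half the space on average)."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    # Comparison: an 8-character lowercase password against an assumed offline rate of 1e10 guesses/s
    weak_bits = entropy_bits(8, 26)
    print(round(weak_bits, 1), "bits, cracked in about", round(seconds_to_crack(weak_bits, 1e10)), "seconds")
```

The guess rate is the assumption that matters. An online attack against wp-login.php, like the one in the log above, manages a few guesses per second, but once a site's user database leaks, the password hashes are attacked offline at billions of guesses per second; size passwords for the offline case, which the 32-character default does with roughly 210 bits of entropy.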


Implement strong passwords everywhere.

It is not only the WordPress user accounts that you should secure with strong passwords. The passwords for the WordPress database and for the web host (control panel, SSH or SFTP) must be strong as well, and each must be unique and never used anywhere else. Applications and devices that connect to WordPress through its API use separate credentials, known as application passwords, which are managed under each user's profile; treat them as passwords too and revoke the ones you no longer use.

Finally, go through the registered user accounts in your WordPress installation. Each one should have a strong password. Accounts that are no longer active should be logged out and deleted, and no more accounts than necessary should hold the administrator role.

Step 3: Disable and delete unused and unnecessary themes and plugins.

Every theme and plugin adds code that can contain vulnerabilities. Themes and plugins that are no longer used or no longer updated become a growing target, and a deactivated plugin is not harmless: its files are still on disk and reachable through the web server, so a flaw in one of them can often be exploited without the plugin being active. For this reason keep the number of themes and plugins to an absolute minimum, delete rather than merely deactivate what you do not use, and make sure that each remaining theme and plugin comes from a trusted source and is actively maintained by its developers.

Step 4: Update WordPress, themes and plugins regularly.

As time goes by, new features and fixes are introduced to WordPress, its themes and plugins. As mentioned, failing to keep software updated makes your website vulnerable. You should therefore update your WordPress installation, themes and plugins regularly. You can have the server do this automatically, but if you run a professional site that offers a critical service, I recommend that updates are applied and tested manually on a regular basis, preferably on a staging copy first.

WordPress depends on the programming language PHP. Make sure that you are using a PHP version that is recommended by WordPress and still receives security updates. WordPress also depends on a database server, such as MySQL or MariaDB; make sure that this server is up to date as well.

Step 5: Install a web application firewall.

While not strictly necessary, you can consider installing a web application firewall, such as the Wordfence plugin for WordPress. If step 1 is not possible for you, this option becomes more important, because the plugin can rate-limit brute force attempts, detect known malicious requests, scan the installation for modified files and known vulnerabilities, and perform a number of other measures to harden the website.

You should be aware, however, that a web application firewall in the form of a plugin is not a network firewall. It runs inside PHP after the request has already reached the web server, so it can refuse a request but not prevent the server from spending resources on it; a network firewall or web-server-level access control drops the request earlier and thereby takes the load off the server.

Step 6: Backup WordPress and its database contents regularly.

You should at all times have backups of your WordPress installation. Do not rely on your web host alone to back up the site; keep your own independent backups as well. With your own backup you can restore even in the worst case, where both the website and the host's backup have been lost. Store at least one copy where the web server cannot write to it, so that an intruder who controls the site cannot delete or encrypt it.

A backup of a WordPress installation includes themes, plugins, uploaded files and configuration files, in particular wp-config.php, which holds the database credentials and the secret keys. It should also include TLS certificates and their private keys, analytics configuration files and other files you might have. Because WordPress stores posts, pages, users and settings in a database, such as MySQL, the backup must also include a dump of the WordPress database, taken at the same time so that it matches the files.

Creating backups should be completely automated, either by scheduling a script on the web server or with backup software. Keep a number of backups, so that you can restore the website to a specific date; a single backup that is overwritten each night will faithfully back up a compromised site. I recommend that the web server dumps the WordPress database and exports the WordPress directory together with the dump to your external backup repository daily.

In the example below, a script backup-wordpress has been scheduled in the system crontab to run each day at midnight. It dumps the WordPress database, exports the installation to an external backup repository and keeps a number of rolling backups.

# Min    Hour   MDay  Month  WDay  User      Command
  0      0      *     *      *     root      /root/bin/backup-wordpress
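The script itself is not part of the post. The following Python program is an added example of what such a backup-wordpress script can do, not the author's script: it runs a database dump, packs the dump together with the WordPress directory into a timestamped tar.gz archive, and deletes the oldest archives beyond a retention count, which is the "rolling backups" the crontab entry refers to. WP_DIR, BACKUP_DIR and the mysqldump invocation are assumptions to adjust; the database credentials are expected in ~/.my.cnf rather than on the command line, where ps would expose them.

```python
"""Nightly WordPress backup: database dump plus the site directory, with rolling retention.

Added example; it is not the post's backup-wordpress script. WP_DIR, BACKUP_DIR
and DUMP_CMD are assumptions to adjust. mysqldump reads its credentials from
~/.my.cnf so that they do not appear in the process list.
"""
import io
import subprocess
import tarfile
from datetime import datetime, timezone
from pathlib import Path

WP_DIR = Path("/var/www/wordpress")        # assumed document root of the site
BACKUP_DIR = Path("/backup/wordpress")     # assumed repository; ideally a mount the web server user cannot write to
DUMP_CMD = ["mysqldump", "--single-transaction", "wordpress"]   # consistent snapshot of InnoDB tables
KEEP = 14                                  # number of daily archives to retain

def dump_database(cmd):
    """Run the dump command and return its output as bytes; a failing dump aborts the backup."""
    return subprocess.run(cmd, check=True, capture_output=True).stdout

def make_archive(wp_dir, backup_dir, dump_bytes, stamp):
    """Write wordpress-<stamp>.tar.gz holding the site tree (as wordpress/) and the dump (wordpress.sql)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"wordpress-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(wp_dir), arcname="wordpress")
        info = tarfile.TarInfo(name="wordpress.sql")
        info.size = len(dump_bytes)
        info.mtime = int(datetime.now(timezone.utc).timestamp())
        info.mode = 0o600                   # the dump holds every user record and password hash
        tar.addfile(info, io.BytesIO(dump_bytes))
    archive.chmod(0o600)                    # wp-config.php inside carries the database credentials
    return archive

def rotate(backup_dir, keep):
    """Delete archives beyond the newest `keep`; the timestamp in the name sorts chronologically."""
    archives = sorted(backup_dir.glob("wordpress-*.tar.gz"))
    old = archives[:-keep] if keep > 0 else archives
    for path in old:
        path.unlink()
    return old

def backup_wordpress(wp_dir=WP_DIR, backup_dir=BACKUP_DIR, dump_cmd=DUMP_CMD, keep=KEEP, now=None):
    """Dump, archive, rotate. Returns (new archive, list of removed archives)."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    archive = make_archive(wp_dir, backup_dir, dump_database(dump_cmd), stamp)
    return archive, rotate(backup_dir, keep)

if __name__ == "__main__":
    archive, removed = backup_wordpress()
    print("wrote", archive, "removed", [p.name for p in removed])
```

Because the dump runs first and the archive is only rotated after it has been written, a failed dump leaves the existing backups untouched. The retention of 14 daily archives is the point of the rotation: if the site is compromised and the compromise is noticed a week later, the archive from before the compromise is still there. Copy or sync BACKUP_DIR to a second machine with credentials the web server does not hold, so that an intruder who gains root on the web server cannot reach the history.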

If WordPress has been hacked and you need help.

If your WordPress website has been hacked and you need urgent help to restore and secure it, follow these steps at once.

  1. Secure your backups, so they are not overwritten by ransomware or by backups of the compromised site.
  2. Take your website offline immediately. Not only to protect it from further damage, but also to stop it from spreading malware or taking part in a larger coordinated attack.
  3. Change all your passwords: all WordPress users, the WordPress database and the web host. Do this from a machine you trust, and regenerate the secret keys and salts in wp-config.php, which invalidates every existing login session.
  4. Obtain a copy of the web server log file. It will be used to investigate what kind of attack the website was subjected to, for how long, the extent of the damage and other details.
  5. Make a backup of the compromised WordPress installation and keep it apart from your clean backups. This might not seem important if you have a backup elsewhere, but it preserves the evidence needed to understand the attack.
  6. Make a backup of the database contents, for the same reason.
  7. Contact me at or directly. Please include a link to a copy of the log file.

How to import a GNU Privacy Guard (GPG) public key into email client.

You should have received a GNU Privacy Guard (GPG) public key from the sender, either in GPG's default binary format, such as example.gpg, or in ASCII armored text format, which is a plain text file used for cross platform compatibility and copy and paste. You might have downloaded it from the sender's website or received it in another way.

Thunderbird Mail.

If you use Thunderbird Mail, open the Tools menu and select OpenPGP Key Manager. If you have a key of your own, it is already shown in the list of keys. Open the File menu and select Import Public Key(s) From File. Find the key file and open it. A window asks you to confirm the key; if it is in fact the correct key for the sender, click OK. A window then confirms that the key has been loaded and shows its bit length, its creation date and its unique fingerprint. Click OK.

You have now imported the key, and it should be visible in the list of loaded keys. Open the imported key by double clicking it. Select Yes, I've verified in person this key has the correct fingerprint, but only once you actually have: compare the fingerprint with one obtained from the sender over a separate channel, such as in person, by phone or on a business card, and not from the same e-mail or website that delivered the key, since anyone who can tamper with that channel can substitute a key of their own.

A GNU Privacy Guard OpenPGP public key has been imported into Thunderbird Mail and accepted for use with verifying and encrypting messages.

You can now verify signatures from this sender and encrypt your messages to this sender using the imported public key.

A lock and a diploma indicate that this message has been encrypted and signed by the sender. GNU Privacy Guard was used with Thunderbird Mail to protect privacy.

If you look in the upper right corner, you can see that a lock indicates that this message was encrypted and that a diploma indicates that it was signed by the sender.

Would you like your own key?

If you would like to know how to create your own key, read my post How to sign and encrypt email for free with The GNU Privacy Guard (GPG).

How to sign and encrypt email with The GNU Privacy Guard (GPG).

The GNU Privacy Guard, or just GnuPG or GPG, is a complete and free implementation of the OpenPGP standard. GPG can be used to sign and encrypt e-mail messages as well as other data and communication.

The OpenPGP lock and a diploma indicate that this message has been encrypted and signed by the sender. GNU Privacy Guard keys were used with Thunderbird Mail to protect privacy.

If you use GPG with e-mail, you can digitally sign your messages, so that the recipient knows that the message was in fact sent by you and has not been modified in transit. If you have the recipient's public key, you can also encrypt the message, so that only the recipient can read it. The message body and attachments are then protected against surveillance and other breaches of privacy. Note that the headers, such as the sender and recipient addresses and normally the subject line, remain readable in transit.

Create your new signing and encryption key.

The following GPG command creates a new key based on your selections from its menus. Choose RSA and RSA, so that you get an RSA key for signing and an RSA subkey for encryption. Choose the maximum RSA key size, 4096 bits. You can let the key never expire; an expiry date can always be extended later with gpg --edit-key, so setting one costs little and limits the damage if you ever lose control of the key. Enter your name as it appears when you send e-mail, and your e-mail address. Enter a passphrase, which protects the secret key on disk: it should be a long phrase or a complex password, not a single word.

$ gpg --full-generate-key

You have now created a GPG key that can be used for signing and encrypting data and communication. It has been stored in the GPG key ring on your computer. If you had no key ring, one has been created in the hidden directory .gnupg in your home directory. Make sure that it is backed up, because losing the secret key means losing the ability to read mail encrypted to you. GPG also writes a revocation certificate into .gnupg/openpgp-revocs.d; keep it safe, since anyone holding it can revoke your key.

$ ls .gnupg

The following command lists your key together with the other keys in your key ring. The entry shows the primary key, used for signing and certification, a user ID, and a subkey for encryption. The e-mail address in the user ID identifies the key when you later want to export it or make changes.

$ gpg --list-keys

The following command lists the other options that help you find out what you can do with the gpg command line tool.

$ gpg --help

Import your secret key into your email client.

The final step is to import your new key into your e-mail client, such as Thunderbird Mail. It is your secret key, not the shared public key, that the client needs in order to sign your messages and to decrypt messages sent to you. If you also have the public key of a recipient, you can encrypt messages to that recipient.

The following example exports the secret key identified by the e-mail address  to a file private.gpg, which can be imported into your e-mail client. The file contains your private key, protected only by your passphrase: keep it off shared storage and delete it once it has been imported.

$ gpg --output private.gpg --export-secret-key 

If your e-mail client is Thunderbird Mail, import the file by adding your key as an OpenPGP key in the End-To-End Encryption section of your account settings. You will need to enter the passphrase that you chose when creating the key.

Note: Thunderbird Mail has its own built-in OpenPGP implementation, which replaced the former Enigmail add-on, and it stores its keys in its own key ring, separate from the GPG key ring. Thunderbird can also create a key for you, but in this example you create the key with GPG and import it.

Export your public key to your recipients.

You can now export a public key from your key pair. If you share the public key with your recipients, they can import it and use it to verify your signatures and to encrypt messages to you. I wrote a guide about that in How to import a GNU Privacy Guard (GPG) public key into email client.

The following example exports the public key from the key identified by the e-mail address . The public key is written in GPG's default binary format to the file example.gpg.

$ gpg --output example.gpg --export 

The following example exports the same public key in ASCII armored text format, which can be used for copy and paste operations.

$ gpg --output --armor --export 

The file can now be shared with your recipients, who can import it into an e-mail client, such as Thunderbird Mail, that supports signing and encryption with OpenPGP. You can safely share the public key by e-mail or any other medium; it is public by design and can only be used to encrypt messages to you and to verify your signatures. A message encrypted with it can only be decrypted by the holder of the private key. What a recipient must verify is that the key really is yours, by checking its fingerprint with you over a separate channel.

Sign and encrypt your message.

That’s all there is to it. You can now sign and encrypt messages with GNU Privacy Guard.

If your e-mail client is Thunderbird Mail, compose a new message as usual. When you are ready to send it, open the Security drop down menu and enable encryption; this signs the message as well. If you only want to sign the message, enable just the digital signature. Note that you can only encrypt the message if you have imported the recipient's public key.

Example of a signed and encrypted email message.

The following picture is an example of a signed and encrypted message, that has been received and opened in Thunderbird Mail.

A lock and a diploma indicate that this message has been encrypted and signed by the sender. The GNU Privacy Guard was used with Thunderbird Mail to protect privacy.

If you look in the upper right corner, you can see that a lock indicates that this message was encrypted and that a diploma indicates that it was signed by the sender.

How to upgrade to new minor and major releases of FreeBSD.

New versions of FreeBSD are announced on the front page of the FreeBSD homepage.

Each supported release comes with an announcement, release notes, installation instructions, a hardware compatibility list, a readme, errata and more, which I recommend reading before upgrading.

The homepage of The FreeBSD Project.

Determine the version of FreeBSD kernel and userland.

The built-in freebsd-version utility reports the version and patch level of the installed kernel (-k), the running kernel (-r) and the userland (-u). These should all match before you start.

# freebsd-version -k -r -u

Confirm that the system can be restored in case of failure.

You might want to ensure that the system can be restored if something goes wrong during the upgrade.

If the FreeBSD system in question runs on a virtual host, an offline snapshot taken at this point allows a quick and easy restore. If the system uses ZFS, a snapshot of the datasets can likewise be used for a quick rollback, but this requires that the pool and the partitions still work.

In any case you should be able to restore the data from a regular backup repository.

Upgrade FreeBSD to new minor or major version.

FreeBSD can be upgraded to a new minor or major release with the built-in freebsd-update utility, which fetches, installs and rolls back binary updates to the FreeBSD base system. The current patch level does not matter; the upgraded system ends up at the newest patch level of the target release. Note that freebsd-update only handles the official release binaries: a custom-built kernel or userland has to be rebuilt from source instead.

The utility first inspects the system, then fetches and applies patches, fetches whole files and merges changes into configuration files, where you may be asked to resolve conflicts. Fetching depends on the internet speed and can take a long time. In the following example FreeBSD is upgraded from 12.1 to 12.2.

# freebsd-update -r 12.2-RELEASE upgrade

When the first step has completed, the kernel updates can be installed and the system rebooted into the new kernel.

# freebsd-update install
# reboot

The userland updates, which is everything other than the kernel, can now be installed. This depends on the hardware and can take some time.

# freebsd-update install

If a third party software rebuild is required.

If freebsd-update reports that old shared libraries will be removed, then third party software, such as packages and ports, must be rebuilt or reinstalled before the final install step, since it is linked against those libraries. The rebuild can also be done later if you experience problems with packages after the upgrade.

If packages are used, the statically linked pkg-static can reinstall pkg itself and then force a reinstall of all packages.

# pkg-static install -f pkg
# pkg-static upgrade -f

If ports are used, portmaster can rebuild the ports, but the recommended practice is to build packages with the package builder poudriere and install them with pkg-static. Follow the last procedure given in the manual page.

# man portmaster

If a mix is used, portmaster can rebuild the ports after the packages have been reinstalled; the ports overwrite the files of the corresponding packages. An example is a desktop computer that needs one special port in place of a default package, such as a graphics driver.

When the third party software has been rebuilt, the freebsd-update utility can finish the upgrade.

# freebsd-update install

If the running kernel can not be identified.

If freebsd-update stops with the message that it cannot identify the running kernel, a symbolic link can be created as a work-around and the upgrade continued. The problem occurs on systems installed with an encrypted ZFS root, where /boot lives on the separate boot pool mounted at /bootpool. The issue is described in the FreeBSD Forums.

Cannot identify running kernel
# ln -s /bootpool/boot /boot
# freebsd-update install

If the upgrade failed.

If the upgrade failed, it can be rolled back with the rollback feature of the freebsd-update utility.

# freebsd-update rollback
# reboot

If the upgrade was successful.

If the upgrade was successful, the new version and patch level of FreeBSD can be confirmed with the freebsd-version utility. All three should match again.

# freebsd-version -k -r -u

You might want to update the packages at this point with pkg upgrade, so that the FreeBSD system is completely up to date.

FreeBSD wallpaper with BSD daemon on red background.

I needed an eye friendly and neat wallpaper for a laptop that runs the FreeBSD operating system, but a quick search for FreeBSD themed wallpapers did not turn up a suitable one. I downloaded a free wallpaper and modified it with the Gimp graphics editor to meet my requirements: the BSD daemon on a dark red background.

I exported it in the widely used 1920×1080 Full HD (16:9) resolution, the 1920×1200 WUXGA (16:10) resolution and the 2560×1600 WQXGA (16:10) resolution and made it available for free download via the thumbnail links below. Enjoy.

FreeBSD themed wallpaper with the BSD daemon on dark red background for 1920×1080 resolution.
FreeBSD themed wallpaper with the BSD daemon on dark red background for 1920×1200 resolution.
FreeBSD themed wallpaper with the BSD daemon on dark red background for 2560×1600 resolution.

Jitsi Meet: Free and open source online video conference.

The demand for online meetings went up as the corona virus pandemic pushed people to work from home. Unfortunately, many of the existing solutions do not support all operating systems, are not encrypted or do not respect privacy. One of the best alternatives, and one of the best solutions for online video conferences and online meetings, is Jitsi Meet.

The default homepage of Jitsi Meet.

Jitsi Meet is free and open source and shows no advertisements. Media is encrypted in transit; in a meeting with more than two participants it passes through the Jitsi videobridge server, which decrypts and forwards the streams, so the operator of that server can in principle access them unless the optional end-to-end encryption is enabled. That is why it matters whether you trust the instance you use or run your own. Jitsi Meet supports microphone and webcam, runs in a browser on the common operating systems and as a smartphone app, and lets you share application windows, entire desktops and text messages with the participants. It is developed by the Jitsi project, whose homepage carries the code and technical information.

If you wish to have an online meeting with me, go directly to my meeting room at Jitsi Meet. Allow your browser to use the camera and microphone, enter your name and join the meeting.

Enter your name and enter Micski’s meeting room at Jitsi Meet.