Nov 18, 2016
Why I created AXS, a new plugin for website security
After I heard about AXS, which started as a side project at Madeo and is now used by more than 1,000 websites, I sat down with Motaz, the senior engineer at Madeo who created it.
So, what is the AXS plugin?
It is a plugin that allows WordPress users to easily change the default WordPress login URL to a unique secure URL of their choice. It also adds a reCAPTCHA to secure the login even more. The plugin helps protect websites against spam logins, bots, and other security risks.
Why did you create it?
After having done what the plugin does manually over and over with every WordPress website project, it made sense to block off some time to create it as a side project, and then let it save me time moving forward.
Have you had to deal with spam logins and website hacks before?
More than you would think. Just as everyone’s inbox receives spam emails, websites get spam logins, which can create fake users, inject content, and potentially do much worse.
When we use an open-source CMS, like WordPress, we always change the default login URL and structure. This way anyone not part of the website team wouldn’t even know where to try to log in. With that said, you still get spam login attempts, which we block with more security tools and layers. You obviously don’t want to jeopardize all the content and presence of your public website with spam or attempted hacks.
Is security a big part of what you do?
It is, especially when you think of some of our clients in finance, legal reform, and other areas with sensitive data. But a lot of people think of Madeo as a design company, because design is so visible to people. To code some of the complex projects and products that we create, we invest in so many other aspects of engineering that don’t just have to do with implementing design, and security is one of them.
Have you seen a difference after using the security plugin?
Definitely. Within the websites that I oversee, compared to other ones that we don’t manage, I see a significant difference, especially in the number of login attempts.
How do you oversee website security for clients?
Almost 9 out of 10 new clients invite us to manage their website’s digital foundation. Part of managing the digital foundation of a website is making sure that it is secure, which requires ongoing updates, code reviews, and analysis of any unusual patterns. What we refer to as “managing the digital foundation” is our very unique approach of supporting websites, which has an interesting approach of involving the engineers on the team, but also strategists, and even designers.
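The difference in login-attempt volume described above, and the “analysis of any unusual patterns”, can be checked against ordinary web server access logs. The following is an added example, not code from the AXS plugin or from Madeo: it counts POSTs to the default WordPress login URL per client IP and flags clients whose attempts burst past a threshold inside a sliding time window. The log lines and the relocated login slug /my-secret-login/ are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-log style line: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')

# Constructed sample log: a bot hammering /wp-login.php, and one real visitor using a relocated slug.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.4 - - [18/Nov/2016:10:00:30 +0000] "GET /about/ HTTP/1.1" 200 4321
198.51.100.4 - - [18/Nov/2016:10:01:00 +0000] "POST /my-secret-login/ HTTP/1.1" 302 0
"""

def login_posts(log_text, login_paths=("/wp-login.php",)):
    """Yield (ip, timestamp) for every POST to one of the login paths."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] in login_paths:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def attempts_by_ip(log_text, login_paths=("/wp-login.php",)):
    """Total login POSTs per client IP."""
    counts = defaultdict(int)
    for ip, _ in login_posts(log_text, login_paths):
        counts[ip] += 1
    return dict(counts)

def flag_bursts(log_text, login_paths=("/wp-login.php",), threshold=5, window_s=60):
    """Return {ip: peak} for IPs with more than `threshold` login POSTs in any `window_s`-second window."""
    stamps = defaultdict(list)
    for ip, ts in login_posts(log_text, login_paths):
        stamps[ip].append(ts)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

Running the same functions with the relocated slug as the login path shows why moving the URL cuts the noise: the bot never finds it, so only the legitimate visitor's single POST remains.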
Why did you decide to create AXS as a free plugin?
When we use WordPress as a CMS, we can’t forget that it is so popular and successful because of the community members that contribute to it. Being part of that community means that we need to give back and help the rest of the community work faster and easier so that we have better tools for everyone.
Also, it helps me and the team to have it as a plugin to save us time. Now it doesn’t take any time to customize these links, and anyone can use it on their site. Last time I checked, Secure AXS was already being used by more than 1,000 websites, and more developers and other agencies download it every day.
In addition to using Secure AXS, do you have some simple recommendations for people when it comes to security?
To start with the basics, I would recommend using a password manager. I like Dashlane, which has a ‘password-creator’ feature that generates very secure passwords. It can also be used to save passwords and to share them.
I would recommend avoiding traditional usernames (such as ‘admin’), which makes websites more vulnerable to spam logins and other security risks, so unique usernames are just as important as unique passwords.
Also, as an extra measure, try to apply two-step verification to logins. For example, you would use your phone to receive a message with a code to enter along with the password.
The one that people always undermine is to really cut down on the number of plugins they use on a website that they do not maintain and professionally manage. A simple plugin for a photo gallery can be the source of a very serious hack, and the Panama Papers scandal is an example of that. It all started with two mistakes: having the website hosted on their main server and not updating a photo plugin on their website, which was used to break into the website, then the server, and leak an incredible amount of sensitive data.
Photo of Motaz by Ramy Nagy. Q&A by Tamar Stein.