Most browsers display a secure icon (e.g. padlock) in the address bar when they are using a secure connection to a web-site, and the site's address will begin with https rather than http.


When users log-on to a web-site site using an insecure connection, their username/password can be intercepted by hackers. Modern browsers may warn users when they are about to send a password over an insecure connection.

Hackers will try to guess username/passwords to gain entry to your site. Hackers use automated systems that keep trying until they have gained access; base-camp hosted sites have recorded 35,000 such attempts over a 50 hour period.

Once a hacker has a username/password, they can gain access to the site. Hackers will also try this username/password combination speculatively on other web-sites.


1. Use a strong and unique password

Strong password are less likely to be guessed by hackers. Include punctuation, numbers, upper-case and lower-case letters. A password such as {1/8/1990@13street] is perfectly acceptable.

Users should ensure they do not use their site editing password for for anything else. Once a hacker obtains a username/password (either by guessing or interception), they will try it on other sites (e.g. banks) and sell the details on to other hackers.

2. Use a secure connection when editing the site

In general, all base-camp hosted sites have a security certificate installed. This means users can connect to the site securely, and information passing between the site and the user cannot be intercepted by a hacker.

If necessary, an additional security certificate can be added to any base-camp site. This will cost (not a lot), please ask Richard for details.

Remember, this secure connection only prevents hackers from intercepting a password. Hackers can still gain access to the site if they guess the username/password.

3. Use 2 factor authentication

2 factor authentication requires users to have another device as well as a password to log-in. If a hacker guesses or intercepts a username/password, they still can not log-in to the site without the second device.

There are 2 options available:

  1. Install Google Authenticator on a smart phone / etc (the phone becomes the second device)
  2. Purchase a Yubikey (a small USB device)

Read more about this method of log-in here.


Users are recommended to collect email using the secure server. These are the details described in Email help.