Powerful Blog Security for dummies
Our host today is Alicia Mendez.
Blogs are windows that allow us to display whatever we want to the world. However, not all visitors are friendly, and not all of them are happy with just a look; some may try to break the glass and play around with your files, which can result in your site being replaced with a bad picture of an angry llama or in the loss of all your valuable information.
Break-ins can happen to any of us, but there is no need to panic! Here are some easy tricks to keep your blog from becoming an easy target:
1. Choose a good web host.
Having a good, secure host is the first step toward a secure site. Make sure they know what to do in case of a break-in and that you can count on them 24/7.
2. Use the latest version of your blog software.
Each new version of your blog software fixes bugs and security holes found in the previous one. So keep it updated!
3. … and hide it!
The less you reveal about your blog, the more secure it'll be.
If you use WordPress, you can hide which version you run by putting this code into your theme's functions.php file:
function hide_wp_vers() {
    // Return an empty string so the <meta name="generator"> tag (and the
    // version in the RSS generator element) is no longer printed.
    return '';
}
add_filter( 'the_generator', 'hide_wp_vers' );
Also, delete the readme files that come with your WordPress package and themes.
4. Get rid of your admin account!
If you use WordPress, you know that "admin" is the default user name for the administrator account, and so do hackers. So go to your "Users" menu and create a new user with an administrator role. Then log in with your new account and delete the "admin" user (WP gives you the option to reassign all your published posts to another author, so don't worry, they won't be lost).
Also, delete any inactive account you may have in it.
5. Choose a bulletproof password.
A good password is easy for you to remember, but hard for others to guess. Use more than one word plus numbers, and don't use your blog's name, your own name, 123456 or "password".
Also, don't tell anyone about it! Passwords are supposed to be s-e-c-r-e-t.
6. Get Security Plugins (for WordPress)
This is my Top 3 in security plugins (remember that having too many can slow down your site or create conflicts), but there are more than 20 available, depending on your needs:
WP Security Scan: This plugin checks your site's file and directory permissions and your passwords in order to find security holes, and recommends how to fix them. It also removes the WordPress version information and offers database security.
http://wordpress.org/extend/plugins/wp-security-scan/
Login LockDown: If someone is trying to get into your blog by trying different passwords and user names, Login LockDown records the IP address and disables the login function for that IP. You can set how many login attempts are allowed in the control panel.
http://wordpress.org/extend/plugins/login-lockdown/
Secure WordPress: The thing I like most about this plugin is that it adds a fake index.html page, so intruders get that instead of a listing of your actual files. It also removes error information from the login page and removes the WordPress version everywhere except the admin area.
http://wordpress.org/extend/plugins/secure-wordpress/
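To show what a plugin like Login LockDown is doing behind the scenes, here is an added example (not from the original post or from any of the plugins above) of a minimal login throttle for functions.php: it counts failed logins per IP with WordPress transients and refuses further attempts once the limit is reached. The sk_ function names, the limit of 5 attempts and the 15-minute lockout are assumptions chosen for the example.

```php
<?php
// Added example, not part of the original post: a simple per-IP login throttle.
// Limits below are assumptions; tune them for your own site.
define( 'SK_MAX_ATTEMPTS', 5 );                       // failures allowed per window
define( 'SK_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // how long the counter lives

function sk_client_ip() {
    // REMOTE_ADDR is the only address the web server vouches for; do not trust
    // X-Forwarded-For unless a proxy you control is the one setting it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sk_attempt_key() {
    // One transient per client IP; md5 keeps the key short and option-safe.
    return 'sk_login_fail_' . md5( sk_client_ip() );
}

// Count each failed login for the requesting IP. set_transient() also resets the
// expiry, so every further failure extends the window.
function sk_record_failed_login( $username ) {
    $key      = sk_attempt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, SK_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'sk_record_failed_login' );

// Runs after WordPress's own password check (priority 20); while the IP is over
// the limit, return a WP_Error so the login is refused even with a correct password.
function sk_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( sk_attempt_key() ) >= SK_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sk_check_lockout', 30, 3 );

// A successful login clears the counter for that IP.
function sk_clear_attempts( $user_login, $user ) {
    delete_transient( sk_attempt_key() );
}
add_action( 'wp_login', 'sk_clear_attempts', 10, 2 );
```

Because a refused attempt also fires wp_login_failed, a client that keeps hammering the login form keeps its own lockout alive, while a legitimate user who waits out the window gets back in.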
7. And make regular backups.
Despite all this, things happen, so make regular backups of your files in case you need to restore your blog (I hope you don't have to, but better safe than sorry).

Eric B. said:
Yep, security is very important for every site that the creator has put at least 10 minutes into. If you don’t have good security, you could end up like this http://xkcd.com/327/
Nicholas Z. Cardot said:
Eric B. –> Ha ha. That’s so funny. I feel like such a nerd for actually understanding what that’s all about. I love it.
Alicia Mendez said:
Yeah, if you put your time and hopes in a web project, no matter how small, you should take the time to secure it.
And no one should name their kids like that XD, but also, you need to know what you're doing with your database… thanks for the laugh!
ZXT said:
Hahaha…funny how a name can make records disappear.
HelpfulAdvisor said:
Arisu! Great post and very informative. Thanks so much for sharing these tips, as I wondered what I could be doing to better lock down WordPress.
Thanks so much for your post. I can’t wait to see your blog!
Alicia Mendez said:
I'm glad you found it helpful! My mission is accomplished! :3
And I'm happy to say, I'm almost done with the blog. I finally found a plugin that automatically translates the website to other languages without sending you to Google Translate, so this week is going to be THE WEEK. Mmm, I forget the name of the plugin but if anyone is interested I'll put the name later on.
akira07 said:
#5 is important…!!! And people commonly make mistakes on this point. There are many people who use their birthday as a password. It's easily known by others.
Alicia Mendez said:
Hey Akira, good to see you around.
Yeah, #5 is very important, not only for blogs but for your email and other accounts too. But people tend to forget that very often.
Roschelle said:
Minions who troll the internet looking for sites to crash, infect or just plain tamper with in any malicious way are the worst of the worst. One of the great things about blogging platforms like blogger is a bit more security than hosting on your own…especially those who use their own server. Great advice.
Alicia Mendez said:
Yeah, blogging platforms have their pros and cons. The more flexible they are for customization, the more mistakes and security holes may happen.
But also, it's easier to get your backups, not only for posts, but comments.
Stefan said:
I truly hate people who are just looking for new sites to crash. This is the bad thing about using such popular software, meaning there is free information to get about how to hack it.
This is why you always should maximize your security. One step in the future from WordPress might be to let the user create a unique user account when creating the blog.
HelpfulAdvisor said:
Hi Everyone,
Actually if you use a Fantastico script to install WordPress, you can actually specify a different user account than the default “admin”.
The Fantastico installer is found on cPanel control panels with many hosting services.
For the benefits one receives with regard to SEO and web traffic, which can also mean good revenues from your blogging efforts, it makes sense to host your own blog.
Having your blog on a parent host like Blogger or WordPress.com only robs you of your full SEO and revenue generating potential, and gives it all to the parent host.
If we change how we blog and deny ourselves the self-hosted aspect of blogging because of a fear of being hacked, then the low-lifes win.
This is why I like this article, because it shows we can host our own blogs, as long as we take the time to secure it. Just like any other computer or network out there with firewalls and anti virus, a blog should receive no less consideration.
That’s my story and I’m sticking to it.
Alicia Mendez said:
Helpfuladvisor>>
Yeah, it's true, security shouldn't be the issue stopping anyone from having a self-hosted blog. Also, if someone is afraid of having one or even spending some money in making it awesome because of hackers, information is all they need to go for it.
Nicholas Z. Cardot said:
Stefan –> I agree. I think that would be a great improvement for the WordPress creators to implement.
kalyan said:
Nice and informative, mostly for WordPress users, and a password is supposed to be top secret. I use the Blogger platform so I can't use all your suggestions.
Alicia Mendez said:
Kalyan>>
Well, self-hosted blogs are the ones that can get attacked more easily and many of us invest money and time in our own domain, hosting and such, so security is very important.
If you use Blogger be sure to use a good password. Even if you don't need to mess with server issues and plugins, someone may try to break in… and well, stuff happens, so keep a record of all your posts on your computer.
InternetHowBlog said:
I think it would also be helpful if you can change your password every few months or so. Also, thanks for the plugin tips. I will install them straight away on my blog.
Alicia Mendez said:
That's great advice too, but no need to do it too often. Also, let us know how the plugins work for you!
David said:
This is a great post and a timely one, as I was already looking and seeking for information on this topic. Big, big thanks for the tips.
Alicia Mendez said:
Anytime, I'm glad you found it useful!
Typhoon said:
Nice Post Alicia. It’s important to raise awareness towards blog security which most bloggers overlook.
I made a post nearly a month back in which you can find 15 Plugins for increasing blog security.
Here is the link:
http://www.smartbloggerz.com/2009/08/15-plugins-to-boost-up-your-wordpress-security-and-a-special-tip/
By the way, Nicholas, if you are reading this, I want to ask you how you made the articles show fully in email feeds, because your feed earlier was showing only part of the articles but today I got to read it fully. I want to know because I am experiencing the same problem and have tried the two basic solutions.
Andrew said:
Typhoon you can fix that by setting your RSS to show full posts from the WordPress Settings.
Once you’ve done that go to your feedburner account and under Troubleshootize click on the resync.
After that your feed should show a full post.
Typhoon said:
Thanks Andrew for the help. Will try that out now =>>
Alicia Mendez said:
I know security was the last thing I thought of when working on my own.
Now, I know that it should come first, because of all the time and effort I've put into learning and creating something valuable. And I hope I've made the security issue easier for someone.
Dana@Online Knowledge said:
Securing our blog is really important. We should hide our blog file content by adding a blank index.html/php in each folder.
Alicia Mendez said:
Thanks for sharing! The more tools we have to secure our blog, the better, right?
Javs said:
That was a great post and I was in need of such one. Thanks for it.
Alicia Mendez said:
Great! Now put it to good use
I hope none of us gets hacked ever!
Roxanne Browning said:
Formerly in the cyber security business and now blogging (it took a while to come out, knowing what I know about hacking).
Your advice is spot on, thanks for sharing.
Alicia Mendez said:
Good to know you like it. And even more to know that you decided to get your own blog after all.
Andrew said:
This is a great post on security and you’ve covered almost all the bases.
If everyone follows this advice and implements everything correctly, you'll have made the task of breaking your site much more difficult.
Alicia Mendez said:
Thanks Andrew, I did my best and I'm glad that someone found it useful. And I hope it helps people to make their blogs more secure.
Klaus @ TechPatio said:
Thanks for some great suggestions on blog security. I didn’t know it was possible to hide the WordPress version with that code snippet – but won’t it disappear when you update to a newer WP version?
I’d love to read a blog post from you on which plugins you recommend for automatic wordpress (database) backup.
Nicholas Z. Cardot said:
Klaus @ TechPatio –> I use a plugin called WP-DBManager and it actually emails me a copy of my database every night at 9 pm. This way I always have a fresh backup on my local computer and in my email box. If the site goes down, I’ll never lose more than a day worth of material. I also manually backup my files every couple of days.
Alicia Mendez said:
Good to know you found it useful!
And yeah, you need to put the code with each update, but plugins can do it for you too.
I usually do backups right from the cPanel of my host account.
brigid said:
Great information!
Thanks, I will be installing the plugins now, I didn't realise any of this was possible!
Alicia Mendez said:
I know, security plugins aren't that popular, but they're very important.
I'm glad you find this post useful!
Blake @ Props Blog Reviews said:
Very thorough steps.. Sounds like this topic hit close to home
This is definitely good advice though; nothing would suck more than having your entire blog hijacked and ruined or lost
Alicia Mendez said:
I know. And it sucks even more because it's not difficult at all to prevent it, but unfortunately we don't think that much about security till something happens.
Gabe | freebloghelp.com said:
Excellent tips. It always amazes me how many bloggers don’t have back ups of their posts.
Alicia Mendez said:
I'm surprised that not all bloggers have them. It doesn't take much, and you're taking care of something that you put time and effort into.
Nicholas Cardot said:
Gabe | freebloghelp.com –> I agree. It’s too important not to back up.
Sernan said:
A few months ago, I started my site using Joomla. Actually, I followed tip number 4, which I had also read in other posts… after doing it, everything was lost: I could not log in as admin on my site, some modules were not working… even the super admin I created had no access. I found out that I had removed the database admin account… (how stupid of me). I tried restoring everything manually on the server but with no luck; the only solution was to redo everything… Just to add to that tip… "Be sure you know what you are doing before removing anything…" hehehehe…
Arisu said:
Sorry to hear that, that's really bad luck, but at least now you know what not to do.
And I bet that you can make it even more awesome this time!
Sernan said:
yup.. learning from blogs like this helps me and others improve.. Thanks!
ZXT said:
Stop using Joomla and switch to WordPress, Sernan.
ZXT said:
Doing regular backups is the most important thing to do. You don't want months of hard work, comments, articles and conversations to vanish into thin air.
My blog was hacked last month, and the good thing is my host has an automatic backup so I didn't lose that much, just 2 days.
Thanks Nick for sharing your tips.
ZXT said:
Sorry I was supposed to thank Arisu but my fingers typed NICK.
So let me try that again.
Thanks Arisu for sharing your tips.
Arisu said:
No problem, Zee! It's good to know you didn't lose that much.