Don’t Make These Mistakes with Your Blog Security

December 8, 2015

Are you concerned about hackers?

Are you worried about the security of your blog?

Should you be?

Blog security is a blog topic this site has not yet explored.

My guest author, Keith Lunt from 13 Week Challenge, is here today to help us explore it.

Keith, take it away!

Hackers want to break into any blog, and that includes yours. It doesn’t matter whether it’s a big site or a brand new blog; if they can gain entry into your blog, then they can control it and go about their activities anonymously.

Don’t think that just because your blog is new, doesn’t have much traffic, doesn’t have many pages, etc., that it is safe. I’ve seen daily hacking attempts recently on sites that are from 4 weeks to 4 years old.

Whether you are using WordPress.com (“Hosted”) or WordPress.org (“Self-Hosted”) there are some vital tricks to help protect your site from intrusions. On the Self-Hosted version there are a lot more levels of security that you need to apply yourself, which are otherwise looked after by WordPress on the Hosted version, but for now I’m going to look at the basic tricks that any blog owner can do whether they run their blog on WordPress, Blogger or any other provider. In fact, the first two tips apply whenever you are using anything on the internet that is password protected.

How to Improve Your Blog Security

Use a Secure Connection

Whilst at home you should be fine, assuming you have your wi-fi correctly set up. But if you are using public wi-fi, make sure it is a secure connection before entering your password. If not, there is the risk that someone else could be “listening” in to your connection.

Keep virus protection up to date on your machines and remember to log off if it’s not your own machine.

 

Use a Strong Password

Hackers will try to attack your blog using ‘bots’. They can try hundreds of potential passwords every few seconds. If you have chosen an obvious password (e.g. password, password1, letmein, 123456, 12345678) then they are going to guess that in the first second or two.

 

Use a password that combines upper and lower case letters, numbers and symbols and is at least 8 characters long. Now it’s going to take a long time for their bot to guess the right combination, and before that happens they might try elsewhere and/or other protection on your site kicks in. Have a look at the list of passwords hackers have used when trying to attack my blog at http://www.13weekchallenge.co.uk/security/the-worst-possible-passwords/.

 

Don’t Be “Admin” or “Administrator” (Self-Hosted)

‘Admin’ used to be the default username on all new WordPress.org blogs and I’d say that in 99% of the cases of someone trying to hack my blogs, they are using one or the other of these 2 user ids.

 

If you have already set up your blog and are using one of these, then it’s difficult to change it, but not impossible. Log in and create a new administrator with a more secret name. Give it a nickname to display that doesn’t give the name away, and then log off and log on as the new user.

 

Finally, whilst logged on as the new admin user, edit the old admin user. Either change it to a subscriber, which will prevent any damage should the login be guessed, or delete it and move all posts to the new user.

 

Don’t Give Away Your User Id

If a hacker tries to use a robot to guess your password then they also have to know your user id. If you can hide your user id from them, then they have to guess not only your password, but also your user id.

 

In self-hosted WordPress, it’s quite simple. Go to the users’ section, click on your user id to edit it, and scroll down to Nickname and edit that.

 

For Hosted WordPress, it can be trickier because there are several ways of giving away your user id. If you click on your profile picture to edit your profile, then Account Settings, you can change your Username there. Make it something secret, and on the My Profile screen ensure that the Public Display Name is not giving the game away…

 

Keep A Private Email Address

If you display a contact email address on your blog, don’t display your blog admin email. It’s a dead giveaway to any hackers what your registered email address is, and it might be usable for logging in. If you have displayed the email address, create a new one, e.g. Gmail, and then change your admin to use the new “secret” email address.

 

If you own your domain name and can administer emails then you can have 1 address that’s public and others that you use for services that simply forward to the main address. You then only collect email from 1 address, but you keep the secret address to yourself.
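The account checks from the last three sections (guessable admin names, a public name that reveals the user id, and a published admin email) can be run together as one audit. This is an added example, not part of the original post; the record layout, field names and sample accounts are constructed assumptions.

```python
# Added example: audit blog user accounts against the checklist above.
# The records below are constructed sample data; the field names are
# assumptions modelled on WordPress user fields.

GUESSABLE_LOGINS = {"admin", "administrator"}  # the two names the post warns about

def audit_users(users, public_emails):
    """Return a sorted list of (login, finding) tuples for risky accounts."""
    public = {e.strip().lower() for e in public_emails}
    findings = []
    for u in users:
        login = u["user_login"].strip()
        is_admin = "administrator" in u["roles"]
        if login.lower() in GUESSABLE_LOGINS:
            # Demotion to subscriber limits the damage, as the post notes,
            # so a low-privilege account is reported separately.
            findings.append((login, "guessable login with administrator role"
                             if is_admin else "guessable login (low privilege)"))
        # A display name or nickname equal to the login hands over half
        # of the credentials a bot needs.
        shown = {u.get("display_name", "").strip().lower(),
                 u.get("nickname", "").strip().lower()}
        if is_admin and login.lower() in shown:
            findings.append((login, "public name reveals login"))
        # The admin e-mail should never be the address shown on the site.
        if is_admin and u["user_email"].strip().lower() in public:
            findings.append((login, "admin e-mail is published on the site"))
    return sorted(findings)

SAMPLE_USERS = [  # constructed sample data
    {"user_login": "admin", "display_name": "Site Owner", "nickname": "owner",
     "user_email": "contact@example.com", "roles": ["administrator"]},
    {"user_login": "k7-quiet-harbour", "display_name": "Kay", "nickname": "Kay",
     "user_email": "private-login@example.com", "roles": ["administrator"]},
    {"user_login": "Administrator", "display_name": "Old Account", "nickname": "old",
     "user_email": "old@example.com", "roles": ["subscriber"]},
    {"user_login": "janedoe", "display_name": "JaneDoe", "nickname": "jane",
     "user_email": "jane@example.com", "roles": ["administrator"]},
]
PUBLIC_EMAILS = ["Contact@example.com"]  # addresses shown on the contact page

if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS, PUBLIC_EMAILS):
        print(f"{login}: {finding}")
```

An empty result means every administrator account has a non-obvious login, a public name that differs from it, and an email address that is not displayed on the blog.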

 

Plugins

I promised Janice I’d keep this simple and aim at all WordPress users, but if you are using a Self Hosted version then plugins can be very useful. If you want to know more, then there are some suggestions on my blog (http://www.13weekchallenge.co.uk/useful-plugins/my-4-essential-wordpress-security-plugins-why-and-how-i-use-them/), and if you leave a comment below, if there is interest, I can follow this post up with another one looking at useful security plugins.

 

Have you had your blog hacked in the past (I have!)? Have you detected and blocked hackers attempting to gain entry (I have…)? Let me know your thoughts and any other tips you’d like to share in the comments.

Admin Blogger’s Commentary

Keith did an amazing job with this post. He mentioned my concerns that it would only be helpful to self-hosted bloggers. However, he managed to write a post that was relevant to everyone.

Readers, please share Keith’s post. Internet security is a real concern these days. Keith has generously devoted his time and knowledge to writing a thorough checklist of all we can do to protect our blogs from hackers.

When you are done sharing and thanking Keith in the comments section, go show him some blog love and visit his fascinating site, the 13 Week Challenge.


  1. John Doe | at 5:57 am

    This was a great post on security; thank you for having such a knowledgeable guest blogger. Sometimes we all lose sight of security, and he has turned on the light.

  2. Jeanette Hall | at 8:26 am

    Had an old site (not WordPress) hacked years ago; lost thousands of dollars over the hack. About cost me my marriage. My site follows all the security suggestions in the gentleman’s post.

  3. DGKaye | at 6:07 pm

    Wow, this is a great post, chock full of information. And I don’t mind saying I’m confused lol. My blog is self-hosted. I originally hired a web designer to make and manage my site. I eventually had to let go of his services and learn the techy dashboard by myself. He initially filled in all the user info; it was tricky just getting him off as an admin. But I think all the no-nos you’ve mentioned here are happening on my blog. My user id, display, and nickname are the same name, and they are my public name. It says I can’t change my user name? I am listed as administrator too. I have a managed hosting now with GoDaddy and I have SiteLock. I’m so confused where to begin.

    • Keith Lunt | at 5:20 am

      Hi DGKaye,

      I have heard such stories many times of designers using WordPress and not fully finishing / understanding the basic security steps. You are certainly not alone. You can’t directly change the username, you need to create a new user and delete the old one. It’s not as hard as it sounds but to help you I’ve just published a post to my blog with screen prints to show the steps needed.

      Hope you can follow them, let me know how you get on!