Are you worried about the security of your blog?
Should you be?
Blog security is a blog topic this site has not yet explored.
My guest author, Keith Lunt from 13 Week Challenge, is here today to help us explore it.
Keith, take it away!
Hackers want to break into any blog and that includes yours. It doesn’t matter whether it’s a big site or a brand new blog; if they can gain entry into your blog, then they can control it and go about their activities anonymously.
Don’t think that just because your blog is new, doesn’t have much traffic, doesn’t have many pages, etc., it is safe. I’ve seen daily hacking attempts recently on sites that are anywhere from 4 weeks to 4 years old.
Whether you are using WordPress.com (“Hosted”) or WordPress.org (“Self-Hosted”) there are some vital tricks to help protect your site from intrusions. On the Self-Hosted version there are a lot more levels of security that you need to apply yourself, which are otherwise looked after by WordPress on the Hosted version, but for now I’m going to look at the basic tricks that any blog owner can do whether they run their blog on WordPress, Blogger or any other provider. In fact, the first two tips apply whenever you are using anything on the internet that is password protected.
How to Improve Your Blog Security
Use a Secure Connection
Whilst at home you should be fine, assuming you have your wi-fi correctly set up. But if you are using a public wi-fi, make sure it is a secure connection before entering your password. If not, there is the risk that someone else could be “listening” in on your connection.
Keep virus protection up to date on your machines and remember to log off if it’s not your own machine.
Use a Strong Password
Hackers will try to attack your blog using ‘bots’. They can try hundreds of potential passwords every few seconds. If you have chosen an obvious password (e.g. password, password1, letmein, 123456, 12345678) then they are going to guess that in the first second or two.
Use a combination of upper and lower case letters, numbers and symbols that is at least 8 characters long. Now it’s going to take a long time for their bot to guess the right combination, and before that happens they might try elsewhere and/or other protection on your site kicks in. Have a look at the list of passwords hackers have used when trying to attack my blog at http://www.13weekchallenge.co.uk/security/the-worst-possible-passwords/.
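As an added illustration of the two rules above (example code written for this page, not taken from Keith’s post or from WordPress), the following Python check rejects the obvious passwords listed earlier, enforces the character-class and length rule, and estimates how long a guessing bot would need to exhaust the search space. The rate of 100 guesses per second is an assumption standing in for the post’s “hundreds every few seconds”.

```python
import string

# The obvious passwords named in the post; a guessing bot tries these first.
COMMON_PASSWORDS = {"password", "password1", "letmein", "123456", "12345678"}

# The character classes the post asks you to combine.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

MIN_LENGTH = 8


def check_password(password):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            problems.append(f"no {name} characters")
    return problems


def keyspace(password):
    """Number of candidates a bot must try if it knows only the length
    and which character classes were used (sum of class sizes ** length)."""
    chars = set(password)
    alphabet = sum(len(m) for m in CLASSES.values() if chars & m)
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=100):
    """Worst-case time to try every candidate at the assumed guess rate."""
    seconds = keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("letmein", "Xk7$pQ2!v"):
        print(candidate, check_password(candidate) or "ok",
              f"{years_to_exhaust(candidate):.2e} years")
```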
Don’t Be “Admin” or “Administrator” (Self-Hosted)
‘Admin’ used to be the default username on all new WordPress.org blogs and I’d say that in 99% of the cases of someone trying to hack my blogs, they are using one or the other of these 2 user ids.
If you have already set up your blog and are using one of these, then it’s difficult to change, but not impossible. Log in and create a new administrator with a more secret name. Give it a nickname to display that doesn’t give the name away, then log off and log on as the new user.
Finally, whilst logged on as the new admin user, edit the old admin user. Changing it to a subscriber will prevent any damage should its password be guessed, or delete it and move all posts to the new user.
Don’t Give Away Your User Id
If a hacker tries to use a robot to guess your password then they also have to know your user id. If you can hide your user id from them, then they have to guess not only your password, but also your user id.
In self-hosted WordPress, it’s quite simple. Go to the users’ section, click on your user id to edit it, and scroll down to Nickname and edit that.
For the Hosted WordPress, it can be more tricky because there are several ways of giving away your user id, but if you click on your profile picture to edit your profile, then Account Settings, you can change your Username there. Make it something secret, and on the My Profile screen ensure that the Public Display Name is not giving the game away.
Keep A Private Email Address
If you display a contact email address on your blog, don’t display your blog admin email. It’s a dead giveaway to any hacker of what your registered email address is, and that address might be usable for logging in. If you have already displayed the email address, create a new one, e.g. on gmail, and then change your admin account to use the new “secret” email address.
If you own your domain name and can administer emails then you can have 1 address that’s public and others that you use for services that simply forward to the main address. You then only collect email from 1 address, but you keep the secret address to yourself.
I promised Janice I’d keep this simple and aim at all WordPress users, but if you are using a Self Hosted version then plugins can be very useful. If you want to know more, then there are some suggestions on my blog (http://www.13weekchallenge.co.uk/useful-plugins/my-4-essential-wordpress-security-plugins-why-and-how-i-use-them/), and if there is interest (leave a comment below), I can follow this post up with another one looking at useful security plugins.
Have you had your blog hacked in the past (I have!)? Have you detected and blocked hackers attempting to gain entry (I have…)? Let me know your thoughts and any other tips you’d like to share in the comments.
Admin Blogger’s Commentary
Keith did an amazing job with this post. He mentioned my concerns that it would only be helpful to self-hosted bloggers. However, he managed to write a post that was relevant to everyone.
Readers, please share Keith’s post. Internet security is a real concern these days. Keith has generously devoted his time and knowledge to writing a thorough checklist of all we can do to protect our blogs from hackers.
When you are done sharing and thanking Keith in the comments section, go show him some blog love and visit his fascinating site, the 13 Week Challenge.