This week I heard of more folks who had their blogs hacked. While the first impulse is to blame the blogging platform, the truth is there was a security loophole that made it easier for a hacker to gain access to these blogs.
Those loopholes usually include one (or all) of three things:
1. Easy to Guess Passwords
Raise your hand if you use the same password on every site, or if you use your birthday, your anniversary, or your child's or dog's name. Using a long password that is hard to guess (and unique to each site, so that one leaked password does not open all your accounts) is the first step in securing your blog.
A secure password starts at the web host level, not merely at the blog setup level. If your hosting control panel password is weak and it is breached, the strength of your blog login no longer matters: the attacker gains access to all of your site content, databases, email and more.
Web site and blog security starts with a secure hosting account password.
I use RoboForm to create hard to guess passwords and to securely store those for me. They have a free version, but the paid version is well worth the money.
2. Out-of-Date Blog Version
Seriously, this is critical: when security loopholes are discovered in WordPress, the developers release updates to patch them. Not every update fixes a security hole, but it is still very wise to always run the latest version of your blogging software. The same is true for plugins: use the latest versions of those too.
While WordPress 2.7 introduced an automatic upgrade feature, it is not complete, in that you still have to back up your site files and your database before you click that link. Most people do not do that! Therefore, I recommend the WordPress Automatic Upgrade Plugin.
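The backup step that the upgrade feature leaves to you, scripted. This is an added example, not code from the original post or from WordPress: it assumes the site lives in a directory passed as SITE_ROOT (for instance /var/www/myblog), that archives go to BACKUP_DIR, and that the database name, user, host and password are the usual define() lines in SITE_ROOT/wp-config.php. All paths and names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress install's
# files and database before running an upgrade. Assumed layout: the site lives
# in SITE_ROOT and archives go to BACKUP_DIR; database credentials are read
# from SITE_ROOT/wp-config.php. Paths and names here are hypothetical.

# Print the value of a define('KEY', 'value') line in wp-config.php.
# Handles both define('DB_NAME', 'x'); and define( 'DB_NAME', 'x' ); spacing.
wp_config_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Archive the whole site directory (themes, plugins, uploads, wp-config.php)
# into a timestamped tarball and print the archive path.
backup_files() {
  site="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/files-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
  echo "$archive"
}

# Dump the database named in wp-config.php to a gzipped SQL file and print
# its path. The password is passed through MYSQL_PWD so it does not show up
# in `ps` output for other users on a shared host. The dump is written to a
# plain file first and gzipped afterwards so a failed mysqldump is reported
# instead of being hidden behind gzip's exit status.
backup_db() {
  site="$1"; dest="$2"; cfg="$site/wp-config.php"
  mkdir -p "$dest"
  out="$dest/db-$(date +%Y%m%d-%H%M%S).sql"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
      -h "$(wp_config_value "$cfg" DB_HOST)" \
      -u "$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_NAME)" > "$out" \
    && gzip "$out" && echo "$out.gz"
}

# Usage: run both before clicking the upgrade link, then check that the two
# archives exist and are not empty.
#   backup_files /var/www/myblog /var/backups/myblog
#   backup_db    /var/www/myblog /var/backups/myblog
```

Keep the backup directory outside the web root, otherwise the tarball (which contains wp-config.php and therefore your database password) becomes downloadable by anyone who guesses its name.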
3. Phishing Scams
Nearly every day, I hear of scams where you receive an email stating you need to reset your password, or you need to verify your account information, and to click the link in the email. DO NOT CLICK THE LINK!
Unless you yourself requested a password reset link from one of your online accounts within the past few minutes before that email arrived, DO NOT CLICK THE LINK!
If you are curious if the email is genuine, then type the normal/regular URL you use to gain access to the web site in question straight into the web browser and login to see if there are any messages on the site stating you need to update your account information. If you are ever in doubt, then contact the web site owners directly asking them if they sent the email.
Always verify the validity of these emails before you ever give away your personal usernames and/or passwords.
Personal information should only be entered on a page served over a secure (encrypted) connection. The address of a secured page starts with:
https://
Notice the 's': it means the traffic between your browser and the server is encrypted, so it cannot be read in transit. It does not by itself prove who you are talking to; a phishing site can use https too, so also check that the domain in the address bar is the one you expect.
Installing and keeping active anti-virus, anti-spyware and anti-malware software is absolutely critical. Without this software running at all times, malware on your own computer can capture whatever you type into a web site, including your usernames and passwords, no matter how secure the site itself is.
These types of security software will flag and stop email viruses, and while they may not stop phishing scams (common sense is your best defense against phishing), they will stop other threats that could ultimately compromise the security of your computer, and with it your blog. I recommend Avast. They have both free and paid versions.
While the above three are usually the most obvious and common reasons for a blog security breach, there are other equally important steps you need to take to secure your blog.
1. Block the Bots from Free-for-All Searching and Indexing
Use your robots.txt file to prevent search engines from indexing your wp- folders. Keep in mind that robots.txt is a public file that only well-behaved crawlers honour: it keeps your plugin and admin paths out of search results, but anyone can read it directly, so it is not an access control. Add this to your robots.txt file:
2. Block Browsing Access to Your Plugins Directory
Every directory on your site should have an index page of some sort. If a directory has no index file and the web server has directory listing enabled, anyone who requests that directory is shown its full contents, which tells an attacker exactly which plugins and themes you run and which versions to look up known holes for. If you do not have an index.html file in all directories/folders on your site, create one (it can be completely blank, with no content, if it is for a directory like the WordPress plugins or themes folders): just create a file, name it index.html and upload it into each folder (e.g. /wp-content/plugins). If your host allows it, also switch directory listing off at the server level (on Apache, "Options -Indexes" in the site's .htaccess), which covers directories you forget.
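Both of the steps above, scripted so they can be re-run after every plugin install. This is an added example, not code from the original post or from WordPress: it assumes SITE_ROOT is the directory that contains wp-content and from which robots.txt is served, and the Disallow lines are the author's "wp- folders" spelled out as the standard WordPress directory names. Names and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): keep crawlers out of the wp-
# directories and make sure every wp-content directory has an index.html.
# Assumed layout: SITE_ROOT holds wp-content and robots.txt. Hypothetical names.

# Write a robots.txt that asks crawlers to stay out of the wp- directories.
# This only keeps the paths out of search results: robots.txt is itself a
# public file, and anyone can read it to see which paths you want hidden.
write_robots() {
  cat > "$1/robots.txt" <<'EOF'
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
EOF
}

# Print the number of directories under wp-content that have no index.html.
# Useful as a check after an upgrade or a new plugin install.
count_missing_index() {
  find "$1/wp-content" -type d \
    ! -exec sh -c 'test -e "$1/index.html"' _ {} \; -print | wc -l | tr -d ' '
}

# Drop an empty index.html into every directory under wp-content that lacks
# one, so a server with directory listing enabled shows a blank page instead
# of the plugin and theme list. Existing index files are left untouched.
add_index_files() {
  find "$1/wp-content" -type d \
    ! -exec sh -c 'test -e "$1/index.html"' _ {} \; \
    -exec sh -c ': > "$1/index.html"' _ {} \;
}

# Usage:
#   write_robots /var/www/myblog
#   add_index_files /var/www/myblog
#   count_missing_index /var/www/myblog   # should print 0 afterwards
```

Afterwards, request /wp-content/plugins/ in a browser: you should get a blank page rather than a file list. If you still see a listing, the server is serving a different index file name (index.php, for instance) and you need the server-level setting instead.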
Basic blog security is really just some common sense and a few steps and precautions to keep your information secure.
P.S. Has your blog or web site ever been hacked? Did you learn how or why the hackers got in? Share your experience below.