Blogging Pitfalls: Password Fail
Question: What is the most common door hackers use to enter your site?
Answer: The same one you use.
It is a little-known fact that much of what we think of as “hacking” and “cracking” is really just social engineering and guesswork. Though blogs can and often do get exploited because of some kind of security issue, your password is your first and best line of defense against attacks.
Yet, far too many bloggers are very relaxed about their passwords. It starts with picking poor ones, continues with reusing them on untrustworthy services and all-too-often ends with one’s site being defaced, deleted or, even worse, loaded up with malware that infects visitors.
It’s a very dangerous blogging pitfall but, fortunately, one that can be very easily avoided.
Setting up a new blog is, typically, a whirlwind of activity. From installing a blogging platform to setting up databases and building the layout, there are a lot of things to do and, quite frankly, many times people forget to take care of the little things.
One of those “little things” is creating a good password and treating it with the proper respect. The first mistake is often picking a weak or easily-guessed password. Though most blogging systems have password gauges that estimate the strength, they aren’t perfect and can’t predict against passwords that appear strong but are easily cracked, such as those based on names, birthdays, etc.
However, even a strong password is vulnerable if it is shared widely. Many, to save time and energy, reuse passwords, meaning they use the same one to log in at many different sites. This raises the risk of someone getting phished, meaning tricked into entering their password into a fake site, and that makes it very easy for a would-be hacker to enter your site and have fun.
Either way, once someone either has gained access to or has guessed your password, it opens a Pandora’s box on your site and can literally destroy years of hard work within just a few short moments.
There are many ways a malicious person can use your password for evil. The most basic and least-harmful way is to simply deface your site. This can mean anything from adding a few sneaky lines of text into your HTML to completely replacing the front page with an ominous “This site has been hacked” page.
Stepping up the danger is that hackers often delete the site’s contents as well, purging the database and erasing all relevant data. If you have a good backup strategy in place, this might not be a complete catastrophe but it will still result in significant downtime and at least some data loss.
Finally, and perhaps worst of all, is that many hackers use blogs as a means to install malware on visitors’ computers or to collect information about them. This not only poses a very serious security risk for your visitors, but can cause your site to get blacklisted by Google, not only removing it from search results but also preventing users of Google Chrome and other browsers that use Google’s malware warning system from visiting your site.
In all of the above cases, the issues can linger long after you actually fix the site as you’re forced to rebuild trust and repair damage for weeks, maybe months to come. If you don’t have proper backups and your host isn’t able to help, you may be completely knocked offline and forced to either walk away or start over.
All in all, it is a very nasty pitfall that every blogger should work hard to avoid.
How to Avoid It
The first step when choosing a good password is to stop for a moment when you reach the screen where you are creating your user account. This is not a step to blow through or take lightly and, instead, requires a few moments of consideration.
Specifically, take the following steps:
- Pick a Good Username: Though I previously called your password your first line of defense, technically your username comes before even that. Picking a username that is hard to guess but easy for you to remember will go a long way to making your site more secure. Fortunately, WordPress 3.0 allows you to pick your admin username, eliminating the need to create a new account for yourself and delete the “admin” one.
- Pick a Good Password: There is something of an art to picking a good password but, ideally, it should include lower case letters, upper case letters, numbers and symbols all while staying in the 8-12 character range. This is no small feat and there are many different methods for simplifying the process.
- Consider a Password Generator: If creating a password yourself is proving challenging, you can always use a password generator. Most blogging systems have a reasonably good password generator built in that can make decent passwords on the fly though there are others online that work as well. Once you have a generated password, you can then focus on finding a way to make it memorable for you.
- Don’t Share Your Password: This one is fairly simple: once you’ve created a new password for your blog, don’t share it with anyone else or use it again for any other site. Though it is good to store your passwords in a safe place accessible to a loved one in the event of an emergency, giving it out broadly makes little sense, especially since you can usually just set up new accounts for friends and family.
- Change Passwords if Needed: Finally, if you suspect that your password has been compromised in any way, change it. Many times hackers won’t attack a site immediately after obtaining the password, instead they often wait for a better opportunity. You may be able to head off such an attack by changing your password if you suspect a problem, such as your home computer becoming infected.
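To show why the built-in strength gauges mentioned above can be fooled by name- or birthday-based passwords, here is an added example (not code from the original post or from any blogging platform) that pairs a naive character-class meter with a pattern check, plus a random generator of the kind the "Consider a Password Generator" step recommends. The word list and the leetspeak mapping are constructed for the demo.

```python
import re
import secrets
import string

# Constructed word list for the demo; a real check would use a large
# dictionary of names, common words and leaked passwords.
COMMON_WORDS = {"jennifer", "michael", "password", "wordpress", "admin"}
# Assumed leetspeak substitutions that cracking wordlist rules routinely undo.
LEET = str.maketrans("@$0!134", "asoiiea")

def naive_gauge(pw: str) -> str:
    """A character-class meter like those built into many blogging systems."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if len(pw) >= 8 and classes == 4:
        return "strong"
    if len(pw) >= 8 and classes >= 3:
        return "medium"
    return "weak"

def pattern_findings(pw: str) -> list[str]:
    """Flag the guessable structure (name + year, leetspeak) the meter cannot see."""
    findings = []
    core = pw.lower()
    year = re.search(r"(19|20)\d{2}", pw)
    if year:  # a plausible birth/anniversary year bolted onto the password
        findings.append(f"year {year.group()}")
        core = core.replace(year.group(), "", 1)
    raw_letters = re.sub(r"[^a-z]", "", core)
    leet_letters = re.sub(r"[^a-z]", "", core.translate(LEET))
    if raw_letters in COMMON_WORDS:
        findings.append("name/word")
    elif leet_letters in COMMON_WORDS:
        findings.append("name/word (leetspeak)")
    return findings

def assess(pw: str) -> dict:
    """Combine both views; a dictionary core makes the password guessable regardless of the meter."""
    findings = pattern_findings(pw)
    guessable = any(f.startswith("name/word") for f in findings)
    return {"gauge": naive_gauge(pw), "findings": findings, "guessable": guessable}

def generate_password(length: int = 12) -> str:
    """Random password drawn from all four classes, retried until the meter is satisfied."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if naive_gauge(pw) == "strong":
            return pw

if __name__ == "__main__":
    for candidate in ("Jennifer1985!", "P@$$w0rd2024", "M1chael2010", generate_password()):
        print(candidate, assess(candidate))
```

Both "Jennifer1985!" and "P@$$w0rd2024" score "strong" on the meter yet are flagged as a name or word plus a year, which is exactly the shape a guessing attack tries first.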
All in all, it doesn’t take a great deal of time to generate a safe password and make your site more secure, but it does mean sacrificing some convenience for security. However, it is a trade-off that is well worth making and it is one that your readers will thank you for.
Creating a good password and keeping it safe is vital for the security of your blog. Failure to do so can lead to a disaster that can, at the very least, create a major headache and, at its worst, completely destroy your site.
However, it is important to remember that a solid password is only a fraction of your security plan. It is equally important to keep your blogging software, including plugins, up-to-date and, if appropriate, to keep your server up-to-date as well. You should also make sure that your folder permissions and database settings are as secure as possible.
In the end though, all of the technical security precautions in the world will do you no good if an attacker is able to gain access to your username and password. So, when given the prompt to create a new password, take a moment and make sure that you do it right. Otherwise, you could wind up paying dearly.