Blogging Pitfalls: Why You Should Perform a Blog Security Audit Today

Imagine sitting down at your computer one morning and opening up your blog. Instead of finding your homepage or your admin panel staring back at you, you see a bright red warning screen telling you that malware has been detected on the site and advising you not to enter.

The realization quickly sinks in that, if you are seeing that warning, so is everyone else trying to visit your site. You hurry to figure out what happened but quickly realize that your site has been compromised and, if you’re even able to log in, you have a very big mess to clean up. Worst of all, when you’re done, you have to apply for reconsideration with Google and other security companies and then wait 12 hours or more for the warning to clear.

It’s a painful process: in the best of circumstances it can ruin an entire day and, in the worst, it can destroy an otherwise healthy site.

Still, it is an all-too-common occurrence on the Web. Bloggers learn too late that their sites are vulnerable and are left to clean up the mess an attacker leaves behind. That mess could be as simple as malware added to the site, spam links inserted into the theme or a defaced homepage, but in extreme cases it can go as far as deleting everything the blogger has done.

To keep you, your visitors and your site safe(r) from hackers, you need to make sure your server is secure. Fortunately, it isn’t very complicated, but failing to spend the time and energy today can be very costly tomorrow.

The Pitfall

Sadly, security is one of those things that few bloggers seriously think about until after something goes wrong. However, at that point, it’s pretty much too late. Once a site has been compromised it is almost impossible to trust again, either from the perspective of a blogger trying to clean up their site or a visitor who may have been infected or attacked through it.

For all intents and purposes, every site on the Internet is vulnerable to some degree; there is no such thing as a perfectly secure site. However, some sites are definitely more secure than others, and the easier your site is to hack, the more likely it is to be hacked.

Typically, hackers go after blogs with known exploits that haven’t been patched, sites that can be easily attacked with a simple script and/or sites that can be opened up through a very simple attack. In short, most website hacks are not the work of elite hackers targeting a specific domain, but of attackers running scripts to exploit a known vulnerability in as many domains as possible.

That does not mean, however, that these hacks are not dangerous. On the low end, they can deface a site as a joke; in extreme cases, they can result in a site being deleted or destroyed, something that may be impossible to recover from without good backups.

Any attack will erode hard-earned trust with your visitors, creating a setback that will remain long after the hole has been closed and the hack cleared up, but a particularly nasty one may be a blow your site can’t recover from, bringing an abrupt end to a site you’ve worked very hard on growing.

How to Avoid It

As mentioned above, there is no way to make your site 100% secure. If someone is motivated and skilled enough, there are always ways to attack your server. Rather than focusing on being hack-proof, the goal of security is to be a tougher target. The more you raise the difficulty of attacking your site, the fewer people will have the skill and interest to do so.

On that note, much of the responsibility falls to your host. It is usually their duty to make sure the server software, including the OS and various applications, is up to date and properly locked down. However, very few hacks actually attack a server from that angle (though at least some appear to); most instead target what you put on your account, which is your responsibility.

With that in mind, here are seven crucial steps to make your blog much more secure, regardless of where it is.

  1. Choose Good Passwords: Regardless of where you host, your password is your first line of defense. Using a bad password is like buying an expensive safe and leaving it unlocked. Make sure all of your passwords are difficult to attack, including the ones for your admin area, your database and your site’s control panel. Any password that can be easily attacked is an exploit waiting to happen. Also, avoid reusing passwords and consider using a password manager such as LastPass to help generate and remember all of your passwords.
  2. Keep Your Software Up-To-Date: Though not relevant for bloggers on hosted solutions, those who host their own sites must keep their software up to date. This includes your blogging platform and any plugins you use. Likewise, be careful which plugins you choose and make sure they are maintained, current and follow the same coding/security practices as your main application.
  3. Harden Your Installation: Also, if you run your own software, make sure to harden your installation. This means making sure folders don’t have unneeded permissions, blocking access to key folders, installing security-related plugins, etc. WordPress users can see our previous guide on WordPress security for more tips.
  4. Be Mindful of 3rd Party Services: Any service you add to your site is a potential avenue of attack. Consider, for example, what would happen if an attacker found a way to insert code into every single Facebook widget. They would instantly have their code running on millions of sites. That type of access makes these services tempting targets for hackers and an easy way for your site to get attacked. Only run services with a good track record of security and reliability. According to security experts, this is the number one flaw that opens hosting accounts to hacking.
  5. Be Wary of Social Engineering Tricks: Amazingly, the easiest and most common way for hackers to break into an account is not to exploit a software flaw, but to trick its human owners into giving them access, either through phishing or cross-site scripting (XSS) attacks. Be careful who you give your password to, where you type it in and what you do while you are logged in to your site.
  6. Seek Outside Help: Consider having your site monitored by a service such as Sucuri to help spot malware attacks or other alterations to your site before they impact your visitors or are noticed by Google. They won’t help you prevent an attack, but they will help detect and clean up after one, thus minimizing the damage.
  7. Create Off-Site Backups: Having backups is crucial, but it is not enough to keep them on your server; keep backups of your site in several locations, including on your computer and, if possible, elsewhere on the Web. Consider using services such as Backupify, SiteAutoBackup or VaultPress to ensure that you can pick back up no matter what happens to your server.
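Two of the steps above, checking folder permissions (item 3) and noticing when files on the site change (item 6), can be done yourself with a small audit script. The following is an added example, not code from this article or from any of the services it names: it records a SHA-256 baseline of every file under the blog directory, compares a later run against that baseline, and flags anything world-writable. The directory layout, file names and the "later" changes in the demo are all constructed for illustration.

```python
"""Minimal blog security audit: file-integrity baseline plus permission check.

Added example (not from the original article). Assumes the blog is a plain
directory tree on a host where Python can run; all paths below are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (site-relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """List files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def find_world_writable(root: Path) -> list:
    """Item 3: files or directories that any local user on the host could change."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if not p.is_symlink() and p.stat().st_mode & stat.S_IWOTH
    )


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the baseline outside the web root (better: off-site), so someone who
    # edits the site cannot quietly rewrite the record you compare against.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Run the audit on a constructed sample blog tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        baseline_file = Path(tmp) / "baseline.json"   # deliberately outside the web root
        (site / "wp-content" / "themes" / "demo").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        footer = site / "wp-content" / "themes" / "demo" / "footer.php"
        footer.write_text("<?php wp_footer(); ?>\n")
        save_manifest(build_manifest(site), baseline_file)

        # Constructed "later" state: an unexpected PHP file in uploads, an edited
        # theme footer and a config file left world-writable (mode 0666).
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        with footer.open("a") as f:
            f.write("<!-- constructed sample: markup nobody on the team added -->\n")
        os.chmod(site / "wp-config.php", 0o666)

        findings = compare_manifests(load_manifest(baseline_file), build_manifest(site))
        findings["world_writable"] = find_world_writable(site)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host you would run `build_manifest` once after a clean install or update, store the result off the server, and re-run the comparison from cron; an `added` or `modified` entry you did not cause is the cue to investigate before Google's scanner does it for you.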

Taking these steps will by no means make your site hack-proof, but it will go a long way toward preventing your site from being attacked and minimizing the damage any successful attack may cause.

In short, you’ll be ensuring that your data is protected and that your hard-earned trust with your readers remains intact.

Bottom Line

Blog security is not something you can treat lightly. Whether you run a small, personal blog or a major blog for your business, you are a target and you have visitors who are trusting you to keep them safe when they are on your site. Slacking in this area can and will cost you dearly.

So, if you haven’t already, take a few moments to do a quick security audit. Take a look at the above tips and read the past articles on the topic. See what you can do to improve your site’s security and take any steps necessary to ensure that you are up to code.

Though it may seem like a lot of work for very little reward, the next time a major blog hack is going around and it passes you by, the relief and security you feel will make the effort more than worthwhile.

After all, you can’t put a price on peace of mind nor can you put a price on having happy readers who get exactly what they expect from your site and nothing they don’t.

Categories: Blogging Sense, WordPress Plugins, WordPress Tips

Comments

  1. Roy Scribner says: 9/29/2010

    I have been hacked a few times, both on my main blog and recently on TaB. I always recommend new bloggers actually practice restoring their blog from a backup. It is very reassuring when they see that it actually works and hopefully it encourages them to make regular backups.

    • Jonathan Bailey says: 9/29/2010

      That’s a very good suggestion. Make a backup and then restore it almost immediately thereafter. It’s important to know how the process works, kind of like a fire drill. Still, backups alone aren’t the answer, one does have to be able to clean up too…
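Roy’s suggestion of practising a restore, and the post’s item 7 on backups, can be turned into a routine check. The block below is an added example, not code from the post or from any commenter: it archives a constructed sample site directory, restores the archive into a scratch directory, verifies the restore byte for byte, and refuses an archive whose entries would land outside the restore directory. Database dumps are out of scope here; on a real host that is a separate `mysqldump` step.

```python
"""Backup-and-restore drill for a blog's files.

Added example (not from the original post). The sample site and the tampered
archive are constructed here; paths and labels are illustrative.
"""
import filecmp
import tarfile
import tempfile
import time
from pathlib import Path


def create_backup(site_root: Path, dest_dir: Path, label: str = "") -> Path:
    """Archive site_root into dest_dir/site-<label>.tar.gz with site-relative paths."""
    label = label or time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"site-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=".")
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Unpack the archive into target, refusing any entry that would escape it."""
    target.mkdir(parents=True, exist_ok=True)
    target_resolved = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target_resolved / member.name).resolve()
            try:
                dest.relative_to(target_resolved)
            except ValueError:
                raise ValueError(f"refusing unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):   # Python 3.12+ (and backports): also blocks links/devices
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    return target


def verify_restore(original: Path, restored: Path) -> dict:
    """Compare the restored tree with the live one byte for byte."""
    orig_files = {p.relative_to(original).as_posix() for p in original.rglob("*") if p.is_file()}
    rest_files = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    differing = sorted(f for f in orig_files & rest_files
                       if not filecmp.cmp(original / f, restored / f, shallow=False))
    return {"missing": sorted(orig_files - rest_files),
            "extra": sorted(rest_files - orig_files),
            "differing": differing}


def drill() -> dict:
    """Back up a constructed sample site, restore it to scratch space and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads" / "2010").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "uploads" / "2010" / "photo.jpg").write_bytes(
            b"\xff\xd8\xff\xe0 constructed sample bytes")
        backups = Path(tmp) / "backups"   # on a real host this lives off-site (item 7)
        backups.mkdir()

        archive = create_backup(site, backups, label="drill")
        restored = restore_backup(archive, Path(tmp) / "restore-drill")
        result = verify_restore(site, restored)
        result["archive"] = archive.name
        result["files_restored"] = sum(1 for p in restored.rglob("*") if p.is_file())

        # A constructed tampered archive with a '../' entry must be refused, not unpacked.
        tampered = backups / "tampered.tar.gz"
        with tarfile.open(tampered, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            info.size = 0
            tar.addfile(info)
        try:
            restore_backup(tampered, Path(tmp) / "restore-bad")
            result["tampered_refused"] = False
        except ValueError:
            result["tampered_refused"] = True
        return result


if __name__ == "__main__":
    print(drill())
```

Run the drill against a fresh archive on a schedule: an empty `missing`/`differing` result is the "fire drill" Jonathan describes, and a non-empty one tells you the backup is broken while you still have time to fix it rather than on the day you need it.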

  2. Suresh Khanal says: 9/29/2010

    It would be most expensive and very tricky to clean up and restore a site after it is compromised. It’s better to create backups regularly and restore from them in case of accidents.

    • Jonathan Bailey says: 9/29/2010

      While that’s a good point, the problem is that a lot of hackers will insert malicious code and then wait for weeks before exploiting it. So restoring from a backup just returns your site to the still-vulnerable but no longer actively-hacked position. You have to be able to do some cleanup and, fortunately, Sucuri does have a pretty cheap service there. I haven’t used it but it comes highly recommended.

      However, barring that, you can always reinstall WordPress and check your folders for any extraneous files after the backup completes.

  3. Alex Arthur says: 9/29/2010

    I always suggest making a full backup prior to installing plugins too. You never really know what’s in the code you are intentionally installing on your blog. Even if the code itself isn’t malicious, as you point to, it may be vulnerable or not updated regularly enough.

    • Jonathan Bailey says: 9/29/2010

      Though it probably isn’t a bad idea per se and you are certainly right about the dangers of plugins, if you make backups on a daily basis you probably don’t have much to lose should a plugin create issues.

      Backups are all about risk and reward, finding a balance between the time/cost of making backups and the potential data to be lost.

  4. joshua strebel says: 9/29/2010

    I don’t mean for this to be an advert of any kind, so allow me to disclose that I own a secured service in this space.

    Your choice of host is the most critical and proactive step in the process. As they say, an ounce of prevention… The hosting industry at large is slowly figuring out that their business is being made or lost on their reputation for security. Ask NetSol, MT, GD and the rest how their summer was, with unprecedented levels of hacks and malware infections affecting 100,000s of their customers.

    Simply put, if your host is giving you “unlimited everything” for $3.99/mo., there is no room in their overselling model for proper security.

    We have hired Firehost.com to manage all our infrastructure. They have a proven track record of securing every kind of site, with a huge investment in security hardware and expert staff. They put security and performance over volume overselling. I pay 3x what I would for similarly priced server hardware elsewhere, but I gain 100x the security benefit, which I can pass on to my own clients.

    Our service (backed by Firehost) runs the same WordPress code as everyone else and we have had exactly zero malware or hacks: ever. It’s not the app that is faulty 99.999999% of the time in malware cases, it’s the host, with total emphasis on profit per client vs. security, that configures these servers to be easy to exploit.

    Make a wise decision where you house your blog and you will already be 10 steps ahead in the game.

    • Jonathan Bailey says: 9/29/2010

      You are definitely right that hosting does play a big role in security. There have been many major hacks against GoDaddy and the other companies you list. However, after speaking with the head of security at a major Web host, I have to agree with him that host-level hacks are very rare and most are actually caused by insecure accounts on a server letting attackers get inside and infect other accounts.

      Hosting is crucial but it can only work if users do their part, something I hope everyone does.

      • joshua strebel says: 9/29/2010

        1 compromised account spreading a trojan and infecting an entire cluster is not an app issue, it is a server config issue, which is the provider’s responsibility.

  5. Andrew @ Blogging Guide says: 9/30/2010

    Backups are crucial. A lot of bloggers think that backing up their databases covers everything. It doesn’t. You need a full backup service like the ones you mention. I use Backup Buddy.

    Also, I would recommend you change the admin username to something other than ‘admin’.

    I also use Login Lockdown plugin on my blog.

    Andrew

    • Jonathan Bailey says: 9/30/2010

      Agreed completely. To me, those are steps considered to be a part of hardening WordPress but they are definitely worth mentioning here. Thanks!

  6. Jim says: 10/12/2010

    And if you want to be warned when someone changes or adds some code to your website, you can use the WordPress File Monitor plugin.

    Then you know where to look.