Blogging Pitfalls: Why You Should Perform a Blog Security Audit Today
Imagine sitting down at your computer one morning and opening up your blog. However, instead of your homepage or admin panel staring back at you, you see a bright red warning screen telling you that malware has been detected on the site and advising you not to enter.
The realization quickly sinks in that, if you are seeing that warning, so is everyone else trying to visit your site. You hurry to figure out what happened but quickly realize that your site has been compromised and, if you’re even able to log in, you have a very big mess to clean up. Worst of all, when you’re done, you have to apply for reconsideration with Google and other security companies and then wait 12 hours or more for the warning to clear.
It’s a painful process: in the best of circumstances it can ruin an entire day and, in the worst, it can destroy an otherwise healthy site.
Still, it is an all-too-common occurrence on the Web. Bloggers learn too late that their sites are vulnerable and are left to clean up the mess an attacker leaves behind. That mess could be as simple as planting malware on the site, inserting spam links into the theme or defacing the site, but in some extreme cases it can go as far as deleting everything the blogger has done.
To help keep you, your visitors and your site safe(r) from hackers, you need to make sure your server is secure. Fortunately, it isn’t very complicated but failure to spend the time and energy today can be very costly tomorrow.
Sadly, security is one of those things that few bloggers seriously think about until after something goes wrong. However, at that point, it’s pretty much too late. Once a site has been compromised it is almost impossible to trust again, either from the perspective of a blogger trying to clean up their site or a visitor who may have been infected or attacked through it.
For all intents and purposes, every site on the Internet is vulnerable to some degree; there is no such thing as a perfectly secure site. However, some sites are clearly more secure than others, and the easier your site is to hack, the more likely it is that it will be.
Typically, attackers go after blogs that have known, unpatched vulnerabilities, sites that can be attacked through a simple script and/or sites that can be opened up with a very simple attack. In short, most website hacks are not done by elite hackers targeting a specific domain, but by attackers running scripts to exploit a known vulnerability on as many domains as possible.
That does not mean, however, that these hacks are not dangerous. On the low end, they may deface a site as a joke; in extreme cases, a site can be deleted or destroyed, something that may be impossible to recover from without good backups.
Any attack will erode hard-earned trust with your visitors, creating a setback that will remain long after the hole has been closed and the hack cleared up, but a particularly nasty one may be a blow your site can’t recover from, bringing an abrupt end to a site you’ve worked very hard on growing.
How to Avoid It
As mentioned above, there is no way to make your site 100% secure. If someone is motivated and skilled enough, there are always ways to attack your server. Rather than aiming to be hack-proof, the goal of security is to be a tougher target: the more you raise the difficulty of attacking your site, the fewer people will have both the skill and the interest to do so.
On that note, much of the responsibility falls to your host. They usually have the duty of making sure the server software, including the OS and the services running on it, is up to date and properly locked down. However, relatively few compromises actually attack a server at that layer (though some do); most instead target what you put on your account, and that part is your responsibility.
With that in mind, here are seven crucial steps to make your blog much more secure, regardless of where it is.
- Choose Good Passwords: Regardless of where you host, your password is your first line of defense. Using a bad password is like buying an expensive safe and leaving it unlocked. Make sure all of your passwords are difficult to guess or brute-force, including the ones for your admin area, your database and your site’s control panel. Any password that can be easily attacked is a compromise waiting to happen. Also, avoid reusing passwords across sites and consider using a password manager such as LastPass to help generate and remember unique passwords for each of them.
- Keep Your Software Up-To-Date: Though not relevant for bloggers on hosted solutions, for those who host their own sites make sure you keep your software up to date. This includes your blogging platform and any plugins you use. Likewise, be careful which plugins you choose and make sure they are maintained, current and follow the same coding and security practices as your main application.
- Harden Your Installation: Also, if you run your own software, make sure to harden your installation. This means making sure files and folders don’t have more permissions than they need (no world-writable directories, for example), blocking web access to key folders, installing security-related plugins, etc. WordPress users can see our previous guide on WordPress security for more tips.
- Be Mindful of 3rd Party Services: Any service you add to your site is a potential avenue of attack. Consider, for example, what would happen if an attacker found a way to insert code into every single Facebook widget: their code would instantly be running on millions of sites. That kind of reach makes these services tempting targets for attackers and an easy way for your site to get compromised. Only run services with a good track record of security and reliability. According to security experts, this is the number one flaw that opens hosting accounts to hacking.
- Be Wary of Social Engineering Tricks: Amazingly, the easiest and most common way for attackers to break into an account is not to take advantage of a software vulnerability, but to trick the account’s human owners into giving them access, either through phishing or through cross-site scripting (XSS) attacks, which typically rely on luring a logged-in user into opening a crafted link. Be careful about who you give your password to, where you type it in and what you do while you are logged in to your site.
- Seek Outside Help: Consider having your site monitored by a service such as Sucuri to help spot malware or other alterations to your site before they impact your visitors or are noticed by Google. On their own they won’t prevent an attack, but they will help detect and clean up after one, thus minimizing the damage.
- Create Off-Site Backups: Having backups is crucial, but it is not enough to keep them on your server. Keep backups of your site in several locations, including on your own computer and, if possible, elsewhere on the Web. Consider using services such as Backupify, SiteAutoBackup or VaultPress to ensure that you can pick back up no matter what happens to your server.
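The "Harden Your Installation" step above is the one most bloggers skip because it is the least concrete. As an added example (not code from the original article or from any of the products it names), here is a small POSIX shell audit for a self-hosted blog's web root that checks for the file-permission problems the step describes, plus two related checks practitioners usually add: PHP files sitting in the uploads folder and leftover backup or dump files the web server would serve to anyone. It assumes a WordPress-style layout (wp-config.php, wp-content/uploads); the file names and the deliberately misconfigured fixture it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes a WordPress-style
# web root; adjust the paths and patterns for other blogging platforms.

# make_fixture: builds a throwaway, deliberately misconfigured web root so the
# script runs anywhere. Every mode is set explicitly so the result does not
# depend on the caller's umask. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/themes"
    printf '<?php /* database credentials live here */\n' > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"                 # readable by every account on the host
    cp "$d/wp-config.php" "$d/wp-config.php.bak"
    chmod 644 "$d/wp-config.php.bak"             # a web server serves .bak as plain text
    printf '<?php /* should never be here */\n' > "$d/wp-content/uploads/avatar.php"
    chmod 644 "$d/wp-content/uploads/avatar.php" # script smuggled in through an upload form
    chmod 777 "$d/wp-content/uploads"            # world-writable directory
    printf 'body {}\n' > "$d/wp-content/themes/style.css"
    chmod 666 "$d/wp-content/themes/style.css"   # world-writable file
    printf '%s\n' "$d"
}

# audit_webroot DIR
# Prints one finding per line ("TAG path") and returns the number of findings
# (capped at 255) as its exit status, so 0 means clean. Checks:
#   WORLD_WRITABLE  any file or directory writable by everyone (mode o+w)
#   CONFIG_READABLE wp-config.php readable by other users on the host
#   PHP_IN_UPLOADS  PHP scripts where only images and documents should live
#   LEFTOVER_FILE   backup/dump/archive files the web server would serve
audit_webroot() {
    root=$1
    n=0
    list=$(mktemp)
    find "$root" -perm -0002 > "$list"
    while IFS= read -r f; do printf 'WORLD_WRITABLE %s\n' "$f"; n=$((n + 1)); done < "$list"
    if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -0004)" ]; then
        printf 'CONFIG_READABLE %s\n' "$root/wp-config.php"; n=$((n + 1))
    fi
    : > "$list"
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -name '*.php' > "$list"
    fi
    while IFS= read -r f; do printf 'PHP_IN_UPLOADS %s\n' "$f"; n=$((n + 1)); done < "$list"
    find "$root" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.sql' -o -name '*.zip' \) > "$list"
    while IFS= read -r f; do printf 'LEFTOVER_FILE %s\n' "$f"; n=$((n + 1)); done < "$list"
    rm -f "$list"
    [ "$n" -le 255 ] || n=255
    return "$n"
}

# harden_webroot DIR
# The corrective counterpart: strips world-write, locks the config file to its
# owner, and moves suspicious files into DIR.quarantine (outside the web root)
# instead of deleting them, so nothing is lost before you have looked at it.
harden_webroot() {
    root=$1
    q="$root.quarantine"
    mkdir -p "$q" && chmod 700 "$q"
    find "$root" -perm -0002 -exec chmod o-w {} \;
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -name '*.php' -exec mv {} "$q"/ \;
    fi
    find "$root" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.sql' -o -name '*.zip' \) -exec mv {} "$q"/ \;
}

# Demonstration on the constructed fixture. To audit a real site, pass its web
# root instead, and run harden_webroot only after reading the findings.
site=$(make_fixture)
echo "== audit before hardening =="
count=0; audit_webroot "$site" || count=$?
echo "$count finding(s)"
harden_webroot "$site"
echo "== audit after hardening =="
count=0; audit_webroot "$site" || count=$?
echo "$count finding(s); quarantined: $(ls "$site.quarantine")"
rm -rf "$site" "$site.quarantine"
```

On the fixture the first audit reports five findings (two world-writable paths, the readable config, the PHP file in uploads and the .bak copy) and the second reports none. The mode checks use `find -perm -0002` and `-perm -0004` rather than parsing `ls` output, which is portable across GNU and BSD userlands; quarantining rather than deleting keeps the evidence you will want if the PHP file in uploads turns out to be an attacker's web shell rather than a stray plugin file.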
Taking these steps will by no means make your site hack-proof, but it will go a long way toward preventing attacks on your site and minimizing the damage any successful attack may cause.
In short, you’ll be ensuring that your data is protected and that your hard-earned trust with your readers remains intact.
Blog security is not something you can treat lightly. Whether you run a small, personal blog or a major blog for your business, you are a target and you have visitors who are trusting you to keep them safe when they are on your site. Slacking in this area can and will cost you dearly.
So take a few moments, if you haven’t already, and do a quick security audit. Take a look at the above tips and read the past articles on the topic. See what you can do to improve your site’s security and take any steps necessary to ensure that you are up to code.
Though it may seem like a lot of work for very little reward, the next time a major blog hack is going around and it passes you by, the relief and security you feel will make the effort more than worthwhile.
After all, you can’t put a price on peace of mind nor can you put a price on having happy readers who get exactly what they expect from your site and nothing they don’t.