October 19, 2021 5:16 pm

How Secure is Your Blog? Top Security Tips

More and more of my I.M. colleagues, and indeed new people that I meet online, are ‘getting into blogging’. And why not? Blogs are relatively easy to produce and use, no matter which platform you choose, and they can be a brilliant tool for internet marketers.

However, no matter how easy they are to install and use, and no matter how helpful they can be to your business, the one thing that I’ve noticed more frequently is that many people are neglecting the security of their blogs.

Now I’m actually talking in particular about WordPress blogs here. Yes, I have used Blogger blogs in the past, and I know that many people swear by them, but I found Blogger a bit too restrictive for my liking (though I understand that things have changed a lot at Blogger since I first used them).

Because WordPress is an open source blogging tool, meaning that it’s free and available to everyone, it’s a prime target for hackers and ne’er-do-wells. Of course, the WordPress development team are tireless in constantly working on the script for our benefit, but none of this is any use if we don’t actually get up off our backsides and do a bit of work on our blogs behind the scenes.

It’s par for the course to worry about your blog theme, your next blog post, your readership, attracting subscribers to your RSS feed etc. etc., but do you actually think very much about your blog’s security?

I suppose that I might perhaps see more WordPress blog security problems than most, being in the hosting business. Did you know that probably the biggest cause of server compromise is actually people who install WordPress blogs and other open source scripts and don’t keep them up-to-date with the latest versions and patches?

Hackers find it easy to search around, find a way in through an old script, hack your blog, access your email accounts, start sending viagra and cure-for-baldness spam emails ‘from you’ and generally get up to all kinds of nasty things.

I can’t tell you how many panicky emails I’ve had to answer from people who’ve logged into their blog one day and have been smacked in the face by a skull and cross bones proudly proclaiming that their carefully crafted, lovingly nurtured blog has been hacked by Hound Dog Horris the Hardcore Hacker!! Great!

So I’ve put together a few suggestions that you might like to implement to help keep your WordPress blog safe.

Keep Up-to-Date

First of all, the most obvious fix is to ensure that you keep your blog up-to-date with the latest version released by WordPress.

Most WordPress blogs display a little warning in the Dashboard that tells you when a new version is released and a link for you to click to download it. If yours doesn’t, then it’s worth checking the WordPress website fairly regularly for updates. They also invite you to sign up for email notification of updates.

If you feel a bit daunted installing updates via FTP, or you installed your blog initially using Fantastico in your cPanel, so are not sure how to install the updates, WordPress offer quite a good set of instructions for this.

Plugins

It’s a good idea to hide the list of plugins you are using. Any known vulnerabilities and bugs that may occur in some plugins can be used as tools to harm your website.

Check out your blog, now… yourdomain.com/wp-content/plugins

The chances are, you will see the full directory of all of your blog plugins, and in some cases, the date they were installed.

To hide your plugins, simply create an index.html file and upload it to the wp-admin/plugins folder. This index file can be blank or you can be really creative and add some promotions to it.

Another way that Hound Dog Hacker uses to determine whether your blog is fertile ground for hacking is to check which WordPress version you’re using.

So, if you’re one of those that has put upgrading on the back burner, then you could be announcing that you’re ripe for a hack harvest with a huge megaphone!

How so? Well, go to your blog… go on… open a new tab in your browser and type in your blog’s URL. Then right click on your blog with your mouse and select View Source, View Page Source, or similar, from the drop down menu.

Check out the coding….. about 10-12 lines down, you will see something like this

 

Obviously 2.6.3 is the latest version as I’m writing this article today, and yours, hopefully, shows the latest version on the day you check your code. However, there’s a possibility that you’ve not updated your version and an old version is showing. Naughty, naughty! Talk about dipping your cut finger in shark infested water and inviting all the sharks for a slap up meal!!! Slight exaggeration, there, but I’m sure you get what I mean?

Why advertise that you’ve been a bit too busy to update your blog to the latest version, or that the upgrade keeps getting shoved down your list of things to do?

I’ve been using an excellent plugin by David Kierznowski, which removes the display of your WordPress version to prevent attacks. Check out your blog… do the right mouse click and then view source code.

The plugin is merely one small .php file that you upload to your plugins folder, and then activate it in the usual way in the plugins section of your Dashboard.

Block Access

A folder that Hound Dog Hacker likes to have a good old nosy around on your blog is your wp-admin folder – this is the storage place for all your blog’s most sensitive data. So here’s a quick tip to secure this directory…

Open Notepad or WordPad on your computer, and add the following code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from TYPE YOUR IP ADDRESS HERE

If you don’t know your IP address, you can find it at whatismyipaddress.com

Next, save your txt file as .htaccess and then upload it to your wp-admin folder.

NOTE: This method might be a pain in the neck for you if you don’t have a static IP address. However, if you are with an internet service provider that has a range, you can add the range.

I have to say that my IP address isn’t static BUT, I’ve only had to add extra IP addresses twice in the past 6 months or so, to allow me to login.

I did wonder why, when I went to my blog login page whilst on my laptop, I was denied access… doh, then I realised that my .htaccess file was denying me access from this computer. I now keep the .htaccess file on my desktop and just add an IP address, if and when it changes, to the file and upload it in seconds. So your file might look something like this:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from TYPE YOUR IP ADDRESS HERE
allow from TYPE YOUR IP ADDRESS HERE
allow from TYPE YOUR IP ADDRESS HERE

I hope this has helped give you some ideas, or at least galvanized you into taking a closer look at your blog security.

Paula Brett is a writer and internet marketer in several niches. She works mainly with newcomers to internet marketing. You can check out her blog here where you will also be able to download the plugin mentioned in the above article.

If you are an internet marketer, you probably have quite a bit on your plate already. You have spent a great deal of time putting together a good website or blog and are really concentrating on how to deliver your product or information. Unfortunately, there is a certain breed of people out there in cyberspace whose self-appointed mission is to break into your vault and create havoc.

If you are using WordPress as a platform to blog from, here are a few tips on how to secure WordPress.

Keep WordPress Updated and Backed Up

Older versions of WordPress still have many vulnerabilities that are widely known in the hacker community. To their credit, the WordPress people are always doing their best to plug security holes and are updating constantly. So your first line of defense is to keep your blogging platform updated.

Medical Tip: To avoid increasing your blood pressure, always be sure to make a backup of your blog before installing any updates. It’s a good idea to keep your WordPress backed up regularly anyhow, since any number of things can go wrong.

Another tip is to delete the meta tag that tells the world the version of WP you are using. This info is usually in the header file.

Keep Your Plugins Hidden

One of the great things about using WordPress is the plugins. While they greatly increase your blog’s capabilities, they too contain certain bugs and vulnerabilities that are exploited by hackers. So be sure to keep them updated also.

It is easy for anyone to see what type of plugins you are using by visiting the wp-content/plugins folder. To keep potential intruders from finding out the plugins that you use, create an empty ‘index.html’ file and place it in your plugins folder.

It’s also a good idea to check your plugin folder and make sure the plugins there are the ones you want. Some hackers, once they get into your files, upload their own plugins. So if you see something that you are not familiar with, delete it.

Here is a free WP plugin that keeps track of the attempts to log in to your site. Many hackers use brute force to try and get your password. So, if there are too many attempts coming from the same IP address within a short period of time, the plugin will disable the login function for that IP range. Login Lockdown: bad-neighborhood.com. Click on Login Lockdown and you will be taken to the download page. Be sure to check out their other plugins too.
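The lockout logic described above (too many failed logins from one IP inside a short window disables login for that IP), written out as an added example; this is not the Login Lockdown plugin’s own code, and the log lines, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed log of failed wp-login.php attempts (time, client IP); not real traffic.
FAILED_LOGINS = [
    ("2021-10-19 17:00:01", "203.0.113.9"),
    ("2021-10-19 17:00:03", "203.0.113.9"),
    ("2021-10-19 17:00:04", "198.51.100.5"),
    ("2021-10-19 17:00:06", "203.0.113.9"),
    ("2021-10-19 17:00:09", "203.0.113.9"),
    ("2021-10-19 17:00:12", "203.0.113.9"),   # 5th failure in 11 seconds -> lockout
    ("2021-10-19 17:20:00", "198.51.100.5"),  # slow trickle, never reaches the limit
    ("2021-10-19 17:30:00", "203.0.113.9"),   # still inside the lockout, rejected uncounted
]

MAX_FAILURES = 5                # failures tolerated per IP ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window
LOCKOUT = timedelta(hours=1)    # how long login stays disabled for that IP

def lockouts(events, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay failed attempts; return {ip: time_locked} for every IP that tripped the limit."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    locked = {}
    for ts, ip in events:
        t = _ts(ts)
        if ip in locked and t - locked[ip] < lockout:
            continue              # login already disabled for this IP: attempt not counted
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = t
            q.clear()
    return locked

def login_allowed(ip, when, locked, lockout=LOCKOUT):
    """Decision the login form should make for a new attempt from ip at time when."""
    return ip not in locked or _ts(when) - locked[ip] >= lockout
```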

Change Your Passwords

Weak passwords are an easy way in that is often exploited. You can have a more secure blog by making up a crazy, difficult password. Even change it monthly if need be.

But not only your WordPress login. Don’t forget your hosting account and your ftp passwords as well.

Headache tip: Be sure to write your passwords down immediately and keep them all in a safe place.

Secure the /wp-admin/ directory

Your most sensitive WordPress information is stored in the /wp-admin/ folder. By default, WordPress leaves that folder open, so people can access these files to make changes if they know what they are doing.

To secure this folder:

Place an .htaccess file inside the /wp-admin/ folder to block the access to all IP addresses, except yours.

Here is the code you need to put in the .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
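An added example (not from either article) that models how Apache evaluates the wp-admin .htaccess shown above and in the earlier section, so you can check which client addresses get through before uploading it; the addresses are documentation values standing in for the xx.xx placeholders, and the ISP range case from the earlier note is shown as a CIDR entry.

```python
import ipaddress

# Constructed version of the .htaccess above, with the placeholders replaced by
# documentation addresses: one fixed IP plus an ISP range written as CIDR.
HTACCESS = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from 203.0.113.7
allow from 198.51.100.0/24
"""

def parse_rules(text):
    """Collect the Order, Deny and Allow directives (Apache 2.2 access-control syntax)."""
    order, deny, allow = None, [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order":
            # "order deny, allow" with a space is TWO arguments; Apache rejects the file,
            # and /wp-admin/ answers with a 500 error instead of an IP check.
            if len(parts) != 2:
                raise ValueError(f"Order takes exactly one argument: {raw!r}")
            order = parts[1].lower()
        elif directive in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if directive == "deny" else allow).extend(parts[2:])
    return order, deny, allow

def _matches(source, client):
    # "all" matches everything; otherwise a single address or a CIDR range
    return source == "all" or client in ipaddress.ip_network(source, strict=False)

def is_allowed(client_ip, htaccess=HTACCESS):
    """Model 'Order deny,allow': Deny lines are evaluated first, then Allow lines
    override them; a client matching neither list is allowed, so 'deny from all'
    is what restricts access to the listed addresses. Caveat: this also blocks
    wp-admin/admin-ajax.php, which some themes and plugins call for ordinary visitors."""
    order, deny, allow = parse_rules(htaccess)
    if order != "deny,allow":
        raise ValueError("only Order deny,allow is modelled here")
    client = ipaddress.ip_address(client_ip)
    allowed = not any(_matches(s, client) for s in deny)
    return allowed or any(_matches(s, client) for s in allow)
```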

Now, if you ever find your site being redirected to another website you will need to:

Check For Hidden Code

This requires a bit more knowledge of the inner workings of WP on your part, so don’t mess with it unless you know what you are doing.

Browse your theme files

Log into your WordPress control panel, go to the theme editor, and look inside your theme files. See if there are any lines of code that are not supposed to be there, or that contain PHP code that you don’t recognize.

Check your database tables

Some hackers upload fake images to your “Uploads” folder and activate them with a plugin call. To detect this you need to open phpMyAdmin, browse the “wp_options” table, and edit the “active_plugins” record.

On that record you will see a list of all the plugins that are active on your blog. Delete any that seem unusual or that you aren’t using.
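The active_plugins record is stored in PHP’s serialize() format, which is awkward to read by eye in phpMyAdmin; this added example (not from the article) parses that format and flags any active entry that is not on your own list of installed plugins or that points outside the plugins folder, such as a planted file under uploads. The serialized value, the allowlist and the plugin names are constructed for illustration.

```python
import re

# Constructed active_plugins value as it would sit in wp_options: two plugins the
# owner installed plus one entry pointing at a planted file under uploads.
ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:33:"example-plugin/example-plugin.php";'
    'i:2;s:32:"../uploads/2021/10/image.jpg.php";}'
)

# Plugins you know you installed (constructed allowlist; keep yours with the backup).
KNOWN_PLUGINS = {"akismet/akismet.php", "example-plugin/example-plugin.php"}

def unserialize_string_array(data):
    """Parse a PHP serialize()d array of strings: a:N:{i:K;s:L:"...";...}.
    L is a byte count, so the value is sliced by length rather than by quotes."""
    buf = data.encode()
    head = re.match(rb'a:(\d+):\{', buf)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        m = re.match(rb'i:\d+;s:(\d+):"', buf[pos:])
        if not m:
            raise ValueError(f"unexpected data at offset {pos}")
        length = int(m.group(1))
        start = pos + m.end()
        value = buf[start:start + length]
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"declared length does not match value at offset {start}")
        items.append(value.decode())
        pos = start + length + 2
    if buf[pos:pos + 1] != b'}':
        raise ValueError("missing closing brace")
    return items

def suspicious_plugins(serialized, known=KNOWN_PLUGINS):
    """Active entries to review: unknown to you, escaping the plugins dir, or not a .php file."""
    flagged = []
    for entry in unserialize_string_array(serialized):
        if entry not in known or ".." in entry or not entry.endswith(".php"):
            flagged.append(entry)
    return flagged
```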

Browse your site files through FTP

Log into your FTP account and browse through the folders on your site. You are looking for any files that have a strange name or that look suspicious. If you have another WordPress blog installed on another site, compare the structure of the files to make sure they match up.
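Comparing a suspect install against a known-good copy, as the paragraph suggests, is easier with a script than by eye over FTP; this added example (not from the article) hashes every file under two directory trees and reports files that exist only in the suspect copy and files whose content differs. The two tiny trees are constructed in temporary directories for the demonstration.

```python
import hashlib
import os
import tempfile

def _hash_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_installs(reference, suspect):
    """Return (files only in suspect, files in both whose content differs), sorted."""
    ref, sus = _hash_tree(reference), _hash_tree(suspect)
    extra = sorted(set(sus) - set(ref))
    changed = sorted(p for p in ref if p in sus and ref[p] != sus[p])
    return extra, changed

def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)

def demo():
    """Constructed trees: a clean copy, and one with an edited theme header and a planted file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hacked:
        for root in (clean, hacked):
            _write(root, "wp-content/themes/mytheme/header.php", "<?php wp_head(); ?>")
            _write(root, "wp-content/plugins/index.html", "")
        _write(hacked, "wp-content/themes/mytheme/header.php",
               "<?php /* line you did not write */ wp_head(); ?>")
        _write(hacked, "wp-content/uploads/2021/10/image.jpg.php", "<?php /* planted */ ?>")
        return compare_installs(clean, hacked)
```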

Tip to avoid a heart attack: Remember: Backup, backup, backup, before you start messing with anything!

Be Fearless

Billy Ojai

Do you want to make more money in Internet Marketing? One way is to learn good copywriting techniques. Pick up your Free copy of ‘Copywriting for the Web’

 
