Tech Tuesday – locking down your blog’s security

As an IT professional with over 25 years experience, I am almost ashamed to admit that the professional diligence I display during my working day wasn’t being applied in the evening to my blog.  So keen have I been to write stories of our past, that I hadn’t attended my blog’s housekeeping.  However, an enforced spell at home because of a post-New Year bout of flu for my son (and to a lesser extent, for me) has meant that I’ve had a chance to redress this.

So today’s post is tips about your WordPress blog’s housekeeping and security by using WordPress Plugins.  If your blog uses anything other than WordPress, then the principles will still be the same but the methodology different.   For all the security issues I mention below, I use WordPress Plugins.  Plugins are just little computer programmes (Apps) which can be easily installed onto your WordPress blog.  They are often written by third-party developers (i.e. not by the makers of the WordPress software) so there is sometimes a baffling amount out there.  The plugins you choose are very much down to your personal preference.  But before you install any plugin, ensure that your version of WordPress is up-to-date with the most current version – unless, of course, you are supa-techie and have customised your installation of WordPress.

Installing a WordPress Plugin
Let’s say that, for example, you want to find a plugin that stops the endless stream of spam to your blog. Follow the steps on the screenshots below (click on the screenshots to open them in new windows).

Finding new WordPress plugins

For each plugin you’re interested in, click its ‘Details’ hyperlink on the search screen (as above) to view the details of the plugin (see below).

Installing new WordPress plugins

When I select a plugin, I use the following criteria before installing it:

  • Does is support my version of WordPress?  Your WordPress dashboard will show your version of WordPress.  The Plugin’s ‘Details’ page will show you if it will support your version.  Do not install any that are not for your version of WordPress – you may introduce a problem into your blog.
  • Is the developer regularly maintaining the plugin?  If it is being regularly maintained then the developer has a vested interest in their plugin.  Therefore, they will be ensuring that it works correctly and will be improving it all the time to cater for new technology and new security breeches.
  • Has it got good ratings from other people?
  • Does it (seemingly) do what you want the plugin to do?
  • If you are still unsure about the plugin, then use google to search out reviews for that particular plugin.  All the best plugins should have reviews somewhere on google.  I reviewed every plugin I installed – knowledge is power!

So now onto the type of plugins you should have installed.  I won’t tell you exactly what I have installed because it’ll be an open invitation to be hacked.

1. Backup your blog
You must backup your blog.  On the front-end, you blog appears to be a series of posts you have lovingly crafted.  But at the backend it is a complex database with entries for your posts, categories, pages, comments and a 101 other things! If the worst comes to the worst and you are hacked or your database corrupts, having a backup will ensure that you won’t have lost all your hard work.

Because I’m paranoid about being hacked (and you’ll see why further down my post), I use two Plugins to backup my blog to the Cloud, I also backup the entire blog to my computer and I print all my posts out so I have hard copies. Yep, I know the last stage is probably me being over paranoid  but a lot of hard work and research has gone into my posts.

How frequently you backup is down to you and how frequently you update your blog.

2. Stop spam comments
During the lifetime of my blog, I have received thousands of spam comments – normally goods purporting to be from well-known designers (but more likely fake).  The majority of spam can be stopped by adopting two or three methods.

a) Make sure your comments are moderated, i.e. they are not published to your blog until you have read them and approved them.

b) Install a plugin that forces a human response when writing a comment.  For example, my plugin for comments will force you to complete a simple maths question before you can leave your comment.  No computer-bot will be able to answer these questions.

c) The above two options will stop the majority of spam, but you will still get computer-generated spam.  So to stop it all, install an anti-spam plugin – I use the most commonly used one and it stops dead all my spam.  It has occasionally trapped a real comment so you will have to regularly check it to ensure everything there is really spam.

I must admit that every-now-and-again I do read my spam.  Some of the comments really do make me laugh-out-loud – they are so clever and so finely crafted by the spammers. But, sadly, have no place on my blog.

3. Beware of hackers
I always had the above two points covered on my site.  But this part I didn’t until very recently – and it scared me silly – hence today’s blog post.  Do you know who is trying to hack into your site?  Mine is a history hobby blog, surely noone would hack me? WRONG! I installed a plugin which fires an email to me if anyone tries to hack into my blog.  Within a the very first 48 hours, I received over 300 emails alerting me that ‘someone’ was trying to log into my blog.  Of that number, over 50 emails were generated because of a single sustained attack on my blog over a 10 minute period.   ‘Someone’ (or rather someone running a computer-generated script) sent a stream of requests trying to login into my site.  Another sustained attack came from a well-known company who used about 20 different IP addresses.  Googling this company showed many many complaints on the internet all dating from January 2013.  One person complained to the MD, only to receive a ‘denial of service’ attack on his website.  So for obvious reasons I won’t name them here.

So tighten up your security.  Most hackers are like normal thieves – they are opportunist in nature so if your security is tight, they might give up and go away to the next poor person. Again, for obvious reasons I am not going to tell you what I’ve done to my security.  If you use any of my points below, ensure you do it calmly and not in a panic.  Take your time over each step.  Remember, you may end up locking yourself out of your own website (I did… Several times!) so ensure you have plenty of uninterrupted time to resolve any problems as they arise.  And backup your blog first.

a) Ensure that any passwords for your blog are super-tight.  No password is unbreakable but you can use very strong passwords to thwart hacking attempts.

b) If you are setting up a new WordPress blog, DO NOT use the username ‘admin’ – 90% of attacks will be aimed directly at this out-of-the-box name.  If you have already set up your blog, then you won’t be able to change the name.  Google the steps that you can take to secure your ‘admin’ user.

c) Install a plugin which will give you an extra layer of protection on the login-form to stop a human trying to login.  This won’t stop the computer-bots, but it will stop humans hacking.  Make your human-hacker work hard and have to guess at more than just the username and password before they can attack your blog.

d) Install a plugin that will send you an email when an attempt is made to login into your blog.  Your chosen plugin has to alert you both to the fact that the login-form has been reached (for human-hackers) and that at attempt has been made to login (the computer-bot will not reach the login page).   This part is the scary one because you will probably receive a stream of emails in your first 48 hours.  So set aside some time when you do this calmly without panicking that you are under attack!  Studying the emails will show you that sometimes the login-form has been reached but then no attempt was made to login (a human nosy-parker scared off from actually logging in?).  Other emails will show that the login page was never reached – the computer-bot hacker went straight in for the kill.

For each email you get, you will be given the IP address of the hacker.  An IP is a unique string of numbers separated by periods which identifies each computer attached to the internet.  So knowing the IP address can sometimes give you information such as the location and company of the hacker.  Google ‘whois ip’ to find a list of online apps that will give you free-of-charge full details about your hacker.  Once you find out more details, you can see if you are under attack by one hacker using several different IP addresses, or if IPs from a particular company are attacking you.  The ‘whois’ will also show you if your hacker has a range of sequential IP addresses.  My most frequent hacker uses a large range of IP addresses (some sequential, others not) but they are all registered to the same company. Once you have the IP addresses (or the sequential range), you can either block them by using WordPress plugins or by using your web-hosting Security software – most web-hosting companies will provide this free of charge.  If you are getting a lot of hacking attempts from one particular country, you may decide to stop access of your blog from anyone in that country.   A drastic step, especially if your blog appeals internationally, but if needs must…

e) Obviously the above (blocking IP addresses) is almost after the event – the attempt has been made and even if you’ve blocked the IP, the hacker can often quickly move onto another IP and restart their attack on your site.  So install a plugin which will shut down your hackers access to your blog if ‘unusual’ behaviour occurs.  For example, you may wish to restrict the number of login attempts.  I caught one computer-bot hacker sending a continuous stream of login attempts.  So limiting the login attempts to a very low number cut them short and gave me their IP address so they’re now blocked.  Of course, limiting the number of logins may mean that you lock yourself out, so be careful with this (but at least you know now that your tighter security has worked!).  Plugins can also show unusual behaviour if ‘someone’ is trying to access an ‘adminy’ type page i.e. one that a normal visitor shouldn’t be accessing.  Once again, you’ll have the IP address so you can block them – obviously if it’s a real blog visitor then you’ve blocked them too but they shouldn’t be hunting around your website.  Plugins could also help you block activity if ‘someone’ is hitting a large number of pages over short time-period.  Again, you could be blocking genuine visitors or spiders (I managed to block a few search-engine spiders !Doh!).  If it’s a genuine visitor then they should have spent more than a nano-second reading your finely crafted post!!

(f) Install a plugin to scan your blog for any issues or problems.  These type of plugins should show up any successful hacking attempts or viruses on your blog. Run the scan regularly and make sure you action any security points it highlights.

For all the points I’ve covered above, I managed to block and lock myself out of my own blog countless times.  Remember, do this calmly and with plenty of time so you can undo any damage… One plugin I installed managed to lock out my ability to upload media files (images) to my blog – I just uninstalled and then reinstalled the plugin and everything worked fine again.

I hope today’s post has been helpful to you and, at the very least, has made you think about your blog’s security.   Remember, the above steps are PREVENTATIVE which is far better than cure (i.e. at the worst starting all over again, at the very least spending hours to restore your blog).

Have I missed anything out?  
Have you had to take additional steps to secure your blog?  
Please do email me and let me know if I’ve missed anything.
thenarrator[at]essexvoicespast.com

*_*_*_*_*_*_*_*_*_*

Disclaimer:  If you decide to action any of these points on this post, you do so entirely at your own risk. The author and Essex Voices Past expressly disclaims all liability for actions taken or not taken based on any or all of the contents of this blog. This blog is provided “as is”, without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.

This entry was posted in Blog Tips & Tricks and tagged , . Bookmark the permalink.

4 Responses to Tech Tuesday – locking down your blog’s security

  1. Andrew Jones says:

    This very useful. All the more so because it comes from a REAL user of the facilities.
    Would you care to share the names of the particular plug-ins that you’re usng?

  2. The Narrator says:

    Thank you for your comment Andrew.

    On Saturday, before my post was published, I received a massive attack on my blog. In the space of 3 hours, over 2,000 attempts were made from one IP to login using a variety of usernames. Some of the usernames existed, others did not but were very good guesses. Within 5 minutes of the attack starting, one plugin had emailed me and other had locked and blocked the IP. Even though the IP was blocked, the hacker still continued the attack and I could see the attack going on in real-time. (I’m not sure why the hacker was able to continue the attack even though their IP was blocked – I guess the computer script just kept on running even though access was blocked.) This has convinced me
    even more that blog security must be taken seriously.

    So I won’t tell you what plugins I’m using but I’ll email their names to you.

  3. Pauleen says:

    A great post Kate, especially for WP users, though perhaps more for WP.org. I would be interested in “talking” to you about the relative merits of WP.com vs WP.org. I must admit I’ve been quite happy with WP and their security for spam, but Hackers!! Yikes!! I am going to digest this post. I’d be happy for you to email me any tips/links. I backup my WP regularly but also type the posts on Word which also gets backed up. Not foolproof I know. Thanks for sharing your expertise with those of us lesser IT mortals :-)

  4. The Narrator says:

    Sorry Pauleen and Andrew – I still haven’t got round to writing that email for you!

    Today, within a 10 minute period, there were over 100 attempts to log into my blog from 14 different countries and about 30ish separate IP addresses. Because they were all within a small time-period, this must have been a coordinated attack – very scary because it was across so many different countries. Time to start blocking specific countries! Backup well and truly in place!

Leave a Reply

Your email address will not be published. Required fields are marked *