How to Protect Your Blog
Whether you run an internationally known blogging portal or simply a small blog for a devoted circle of fellow fanboys, you must be aware of the potential of hacking. I’m not talking about your friendly neighborhood ‘security researchers’ in the white (or greyish-white) hats, I’m talking about the reckless cyberscum who just live to get access to a site, any site, YOUR site and turn it into an unrecognizable pile of malformed data. Probably with some nasty bits of NSFW content; simply because they can.
Thankfully, we’re on your side, and we have ten easy ways to protect your blog from hackers. They’re so easy that you probably already know them, so forgive us in advance for being patronizing. But if we can save just one blog from cyberscum, we’ve earned our right to hold our heads up high for at least one more day.
- Old or Default Credentials. I can’t even believe that I need to say this, but even at this late date there are people who haven’t changed the default login. If you still have the “admin” and “password” combo, you’re leaving your door wide open. Change your password at least every three months or even sooner if something changes (database upgrades, new ISP, new software versions, working with different people). By the way, these tips apply to your blog login, your FTP login, your hosting and webmail login, etc.
- Weak and Personal Credentials. Don’t use your name, company, birth date, address, words related to your blog topic, etc. There is enough personal info on the ‘net for hackers to assemble a list of likely logins and passwords. Use a random mix of numbers, letters, and even symbols. There are strong password generators available that do the work for you. [http://strongpasswordgenerator.com/]
- Encrypt Your Passwords. You’ve heard the phrase ‘plain text passwords’? It refers to credentials that travel unencrypted. Even with strong, freshly changed credentials, your login data passes through multiple authentication protocols and gateways on the way to the server, and every hop it crosses in the clear is an extra opening for malicious scripts to intercept it. So learn how to make SSL, HTTPS, and other encryption methods work for you.
- Limit Logins. Remember seeing “reached max number of login attempts” messages all the time? There was a reason for them, and I wonder why they’re so much less common now. Installing a ‘lock out’ counter on your login stops automatic ‘dictionary’ or ‘brute force’ attacks after 3, 5, 10 failed login attempts, or whatever number you set.
- Trust No One. Are you the only person who can access your blog? If not, make sure that everyone else follows these practices as well, and be ready to lock out everyone but yourself at the first sign that something isn’t right. Make sure that you’re the only one with ‘admin privileges’; if you had someone set up your blog for you, or come in to do design work or ‘guest blogging,’ this could be a major risk, especially if you lose track of them as the years go by.
- Forms and Comments. Any forms or text entry fields on your blog are a particular risk. The classic SQL injection attack still works wonders, even on major corporations with dedicated cybersecurity departments. Ensure that any third-party input is validated or filtered before it gets accepted, either manually or through a trusted commenting/social framework.
- Update Everything. Some add-ons are essential, of course, especially those that provide extra security. There are also version updates to the CMS and the database itself. Very often, the whole point of these updates is to patch holes and fix the bugs behind recently discovered security vulnerabilities. So get those updates installed ASAP.
- Backup Early, Backup Often. You may not be able to avoid getting hacked, but you can bounce back a lot more quickly if you have an up-to-date snapshot of the way things were. Don’t count on the hosting or CMS to save anything for you, and don’t get caught with nothing more recent than the backup you did back in 2009 when all you had were a few dozen pictures of Lolcats.
- Don’t Forget the Real World. You’d be surprised how well the low-tech approach works for hackers. You can have airtight cybersecurity, yet forget that people can look over your shoulder while you type, or pick up your laptop and run away with it while your back is turned. Avoid public computers (or if you must use them, at least know how to delete your cookies, history, and saved form fields afterwards), and keep access via smartphone apps as infrequent and private as possible.
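To make the “Limit Logins” and “Forms and Comments” tips concrete, here is an added example that is not part of the original post or any particular CMS. It uses Python’s built-in sqlite3 with a constructed in-memory user table, contrasting a login that splices form fields into the SQL text with one that uses a parameterized query and a per-account lockout counter (the comparison of a stored `pw_hash` inside the query is a stand-in for real password verification).

```python
import sqlite3
from collections import defaultdict

MAX_FAILURES = 5  # lock the account after this many failed attempts


def make_db():
    """Constructed in-memory stand-in for the blog's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('editor', 'hash-of-a-strong-password')")
    return db


def login_unsafe(db, name, pw_hash):
    """The bug the post warns about: form fields become part of the SQL text,
    so a crafted username can rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return db.execute(sql).fetchone() is not None


class Login:
    """Hardened login: parameterized query plus a lockout counter per account.

    In production the counter would live in a shared store and expire; the
    hash comparison in SQL stands in for hashing the submitted password and
    verifying it in application code."""

    def __init__(self, db):
        self.db = db
        self.failures = defaultdict(int)

    def attempt(self, name, pw_hash):
        if self.failures[name] >= MAX_FAILURES:
            return "locked"  # refuse before touching the database at all
        # '?' placeholders: the driver passes the values as data, never as SQL
        row = self.db.execute(
            "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
            (name, pw_hash),
        ).fetchone()
        if row is None:
            self.failures[name] += 1
            return "denied"
        self.failures[name] = 0  # successful login resets the counter
        return "ok"
```

The injected string matches a row in `login_unsafe` because it changes the query’s logic, while `Login.attempt` treats the same string as an ordinary (non-existent) username and counts it as one more failure.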
Stephanie Cable is from Salt Lake City and writes for CableTV.com. When she isn’t watching TV, you’ll probably find her geeking out on the internet.