43 comments on “Securing Your Blog”

    • Mitch Mitchell says:

      It’s a good one, Gabriele. Just this one incident is enough to remind me of that fact.

  • You are right Mitch, there are some nasty people out there that will love to see your blog go down on its knees with a big black skull on it.
    What’s even worse is getting hacked and not knowing about it (it happened to me, and as a reward I got all my ads replaced with his 😐 ).

    So people, you should really listen to Mitch and protect your accounts; things could get bad if someone with bad intentions guesses your passwords.

    • Mitch Mitchell says:

      Thanks Alex. Nick wrote in a previous post about having his blog hacked, and others have had that happen to them as well. I can’t think of anything more frustrating to deal with.

  • Zac@hair removal price says:

    One of the best things I’ve done is to change the login area of WordPress. It can’t be hacked if it can’t be found! haha.

    • Mitch Mitchell says:

      Does that really work, Zac? I thought all these guys had to do was send their, whatever we want to call them, out directly to the wp-admin, whether it showed or not.

  • Delena Silverfox@Coupon Codes says:

    I didn’t know about that plug-in! And I’ve only very recently heard of GASP. But I think I’ll be checking into uploading both onto my new WP blog very, very soon!

    Thanks for the heads up,
    Delena

    • Mitch Mitchell says:

      No problem, Delena, and welcome to the blog. We have to help protect ourselves, right? 🙂

  • Regarding all CMSs, there is one critical point: the use of plugins, components and modules. Usually the CMS itself, for example WordPress or Joomla, is very well secured, without that many critical security holes. The same is not true for plugins, which usually open up possibilities for hackers to crash the blog. My advice is always to use trusted plugins and always have a fresh backup of the database and files.

    • Mitch Mitchell says:

      That’s why this particular plugin works wonders, Carl. A few failed attempts, then instant blocking; can’t get much safer than that.

      • Actually it can, but it depends on the hosting company. Usually ports 80, 8080, 8083, etc. – all standard ports. However, a good web host will change the default ports if you request it. This is a more complicated but advanced method. Actually even Akismet stops working, as it is using some of these ports, so permission is given to a website, for example api.akismet.com. I have been dealing with corporate hackers before; there are about 7 ways to crash WordPress and about 20 to do it on Joomla. Even if all the security doors are locked, again there is the possibility of brute force and DDoS attacks, but again these can be dealt with by caching and cloud hosting.

  • Nick Grimshawe says:

    Hi Mitch,

    I did take your advice and added GASP, and I will follow up with the LLA. At work we have a three-tries-you’re-out policy, and then you face the hassle of phoning infosecurity to get reinstated. I love the idea of having the same protection on my site. Having been hacked and suffered through the consequences, I’m pretty careful about passwords and used the WordPress password checker when I changed it.

    All good tips.

    Nick

    • Mitch Mitchell says:

      Nick, I knew you’d had the problem and pretty much figured you’d mention something about your being hacked. I know I’ve been skating slightly under the radar until recently, but I was so glad I not only had added this plugin some time ago, but changed my password to something much longer than I initially had.

      By the way, I noticed that you’re moderating comments. After adding GASP you shouldn’t have to do that anymore; “shouldn’t”, that is. 😉

  • This may be a sign of my own lack of knowledge, but I’d always assumed there could be a connection between spam and security. What I’d really like to know is, how have these people gotten themselves into a position that allows them to spend so much time trying to hack into a blog? What’s the payback, for the most part, other than the sheer thrill of ruining someone else’s work?

    • Mitch Mitchell says:

      It’s all about numbers, Charles. They do these things all at once, so it’s never one guy going after one guy at a time. If they can get in, they can mess things up, drop code, change any paid links you have to theirs so they’ll get the money, and then move on. Sometimes it’s only about showing how smart they are, but in the long run the majority do it because they’ve found ways of making money from it.

  • Mitch, this is a good first-line of defense. It’s like putting a deadbolt on your front door.

    However, like Carl pointed out, it’s not fool-proof. What if your door and jamb are cheap wooden structures? So much for that.

    Still, I like the idea and I will try the plug-in.

    Also, regarding Zac’s solution, that’s referred to as security by obscurity. Two problems with it. First, he just told the world about it; second, bots probably spider the entire folder and may find it anyway. (I would love to see a detailed report about such a feature. However, my understanding is that, unless the file resides totally off the www root, it can be found. Now if Zac is reading this and can confirm that the wp-admin/login.php file indeed resides outside of the domain root, then my hat is off to him for a clever solution.)

    @Charles, Hackers don’t waste time on secured sites. They are opportunistic, like burglars jiggling front doorknobs to see if someone forgot to lock it.

    Cheers,

    Mitch

    • Mitch Mitchell says:

      Thanks for the additional stuff, Mitch. Supposedly we’re only really safe if we’re behind “https”, yet I have no idea if that type of thing can be created for blogs and signing in, and I’m not sure I’d want to go quite that far anyway. I have to admit I don’t know anything about how that all works.

      • Neither do I, Mitch. I do know https costs money. LOL
        Anyway, I tested it out. Worked beautifully.
        On your other post, you mentioned not being sure about the other two options. Say John Q. Hacker tries 4 times to get in.
        He gets locked out for 30 minutes. 30 minutes later, he tries again and gets locked out. That’s TWO lockouts. If John Q. tries 4 times and gets locked out each time, the third option kicks in and won’t let him try for 24 hours (if you leave the settings at 4 and 24.) Finally, Even after waiting 24 hours, John Q. won’t be able to try again until the number of hours in the fourth option have passed.
        Presumably you’ll want those to be the same.

        In my opinion, unless you are allowing multiple users to have authoring rights (or admin rights to fix stuff), you might as well jack those last two options sky-high. After 4 attempts, it’s obviously not you, so why give John Q. more opportunities? Set the first value on option 3 to “1” and the second value on option 3 to “99”. This will show up immediately after four failed login attempts. I tested it and locked myself out for an hour. LOL

        Now, for option 4, I imagine that this can be “99” as well. I doubt Little Johnny is going to wait 4 days to try again.
        (Since I can bypass this by going to FTP, I will try a stupidly large number and let you know.)

        {wanders off} …

        Well, duh! I got in by renaming the plugin, but unless I modify the database to reset something, I get kicked out on the very next dashboard pageload!
        That’s pretty cool design.

        So, if you’re confident that you’ll NEVER lock yourself out, go ahead and jack those values up. I’m going to try “999” hours.

        I just have to wait 44 more minutes. LOL

        Cheers,

        Mitch
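The comment above walks through how the plugin’s four settings interact (retries before a lockout, lockout length, lockouts before the long lockout and its length, and the hours until counters reset). The Python below is an added example written for this page, not the plugin’s own code, that models that escalation so you can try settings such as “1” and “99” without locking yourself out of your own dashboard. The option names, the reset-window behaviour, the client addresses and the passwords are all assumptions for the example.

```python
"""Model of an escalating login-lockout policy like the one described above.

Added example, not the Limit Login Attempts plugin's code: the option names,
the 'reset hours' behaviour and the sample addresses/passwords are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    allowed_retries: int = 4       # option 1: failed attempts before a lockout
    lockout_minutes: int = 30      # option 2: length of a normal lockout
    allowed_lockouts: int = 4      # option 3, first value: lockouts before the long one
    long_lockout_hours: int = 24   # option 3, second value: length of the long lockout
    reset_hours: int = 24          # option 4 (assumed): quiet hours before counters reset


@dataclass
class ClientState:
    failures: int = 0              # failures since the last lockout or reset
    lockouts: int = 0              # lockouts since the last reset
    locked_until: float = 0.0      # epoch seconds; 0 means not locked
    last_failure: Optional[float] = None


class LoginLimiter:
    def __init__(self, policy: LockoutPolicy, check_password: Callable[[str], bool]):
        self.policy = policy
        self.check_password = check_password
        self.state: Dict[str, ClientState] = {}

    def remaining(self, client: str, now: float) -> float:
        """Seconds of lockout left for this client (0 if not locked)."""
        st = self.state.get(client)
        return max(0.0, st.locked_until - now) if st else 0.0

    def attempt(self, client: str, password: str, now: float) -> str:
        """Process one login attempt; returns 'ok', 'fail' or 'locked'."""
        p = self.policy
        st = self.state.setdefault(client, ClientState())
        if now < st.locked_until:
            return "locked"            # rejected even if the password is right
        if st.last_failure is not None and now - st.last_failure >= p.reset_hours * 3600:
            st.failures = st.lockouts = 0   # quiet long enough: forget the history
        if self.check_password(password):
            del self.state[client]     # a real login clears everything
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures < p.allowed_retries:
            return "fail"
        # Threshold reached: start a lockout, escalating after enough of them.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= p.allowed_lockouts:
            st.locked_until = now + p.long_lockout_hours * 3600
        else:
            st.locked_until = now + p.lockout_minutes * 60
        return "locked"


def lockout_lengths(policy: LockoutPolicy, client: str = "203.0.113.7") -> List[float]:
    """Constructed scenario: one client keeps guessing and waits out each
    lockout.  Returns the length in hours of every lockout it earns."""
    lim = LoginLimiter(policy, lambda pw: pw == "correct horse battery staple")
    now, lengths = 0.0, []
    for _ in range(policy.allowed_lockouts):
        while lim.attempt(client, "password1", now) != "locked":
            now += 1.0                 # one guess per second
        lengths.append(lim.remaining(client, now) / 3600)
        now += lim.remaining(client, now)   # attacker waits for the lockout to end
    return lengths


if __name__ == "__main__":
    print("defaults:", lockout_lengths(LockoutPolicy()))
    print("1 / 99:  ", lockout_lengths(LockoutPolicy(allowed_lockouts=1, long_lockout_hours=99)))
```

With the values the comment uses (4 retries, 30 minutes, 4 lockouts, 24 hours) the attacker gets three half-hour lockouts and then a 24-hour one; with option 3 set to 1 and 99 the very first lockout lasts 99 hours. Note that `attempt` rejects a correct password while a lockout is active, which is the behaviour that locks the owner out too, so keep a way back in (FTP, the database) before jacking the numbers up.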

      • Mitch Mitchell says:

        Thanks for explaining some of that other stuff. I don’t have the guts to go as far out as you recommend, but I did decide to extend the times a lot for a bit more protection.

      • Mitch, I jacked the hours up to 999 (41 days!) w00t!
        Thank goodness, I have RoboForm.

        Hey! I just noticed! You have GASP! I’m so used to clicking that box, I hardly pay attention anymore. I should tell Gail about that 🙂
        Cheers,

        Mitch

      • Mitch Mitchell says:

        Nah, let’s keep that to ourselves Mitch. lol I had written that I might be adding it, though, seeing how well it was working on my other blogs. Still, it’s amazing that even with the drop that I get maybe 10 “human” spam messages a day.

  • Jessica Sieghart says:

    Oh, I like it! I’m going to install it right now. I lost my previous blog due to something like hackers or whatever. Who knows. The whole thing was crashed and erased and poof….gone. I lost patience (along with a years worth of posts) and just started over elsewhere with super strong passwords.

  • Great tips Mitch. I’m always telling people to make sure that their passwords are not guessable. Unfortunately it sometimes takes a disaster for this to really sink in.

    That plugin sounds like a good idea, I’ll have to check it out. I have never had a site hacked into before, but I want to make sure that it never happens.

    • Mitch Mitchell says:

      Exactly Keith. I’d been reading about it happening to others for a couple of years before I’d heard of the plugin.

  • Hey Mitch,

    The most I do to protect myself is create a long or complicated password. I agree, most of the people I know too seem to be more concerned about spam than security. I guess it’s the “it won’t happen to me” mentality. Thanks for sharing your thoughts on this topic.

    • Mitch Mitchell says:

      No problem John; it’s something we just need to make sure gets out, so I’m doing my part.

  • I also would like to add: be careful about registering on sites that are not that popular, or still new. I once registered for an account on some site and the next day my GMAIL account was hacked… sure enough, I used the same username and password, and I bet that was how it was hacked.

  • Admittedly, I was not overly concerned about the security of my site until you mentioned it, Mitch, and I am glad that you did. You pointed out something I should work on. Thanks a lot! 🙂

    – Wes –

    • Mitch Mitchell says:

      No problem Wes. I’ve been there. Didn’t want to upgrade to newer versions of WordPress because it always seemed like they were changing too often. Then heard of people getting hacked because they hadn’t upgraded and learned my lesson. It’s been on my mind for awhile until I loaded this plugin; no worries since.

  • How can we ever keep those hackers at bay? Why don’t they leave us alone? Anyway, this LLA sounds good to me. I’m glad WP is doing all they can to help bloggers feel and stay secure.

    • Mitch Mitchell says:

      It’s a good one, Anne. Unfortunately, we all know that at some point someone’s going to probably be smart enough to figure out a way around it. Until then it’ll do its job.

  • Rachel Lavern says:

    Thanks for this info on securing our blogs Mitch. I was not aware that blog hacking was becoming increasingly common. I was concerned about my blog being compromised when I first established it; however, I had forgotten all about that possibility other than backing it up regularly. I will check out the plug-in you mentioned so that my blog can be slightly less vulnerable. I certainly don’t want to become the next victim.

    Rachel Lavern
    http://www.fearfully-n-wonderfullymade.com
    Personal Transformation, Enlightenment and Development

  • I’ll have to get that login attempt plugin Mitch it sounds like a great idea. As for the password itself I use a password manager software for my password. It’s about 15 characters long and it’s a mixture of letters, numbers and characters so it would be pretty hard to crack.

    • Mitch Mitchell says:

      Goodness Sire, that sounds like an interesting program. What happens if you’re on your computer and then go to the laptop?


  • Mitch Mitchell says:

    Allan, I just got back in town late yesterday afternoon and I’m taking the day “off”, if you will. Of course that just means I’m working differently than I normally do. Good luck with the plug-in. I’m reading ahead, so I know you’ve loaded it already.

Comments are closed.