Securing Your Blog

Posted by on Jan 26, 2011

All of us have heard these tales of someone finding out that their email or website or blog or whatever has been hacked into by some nefarious rogue (you know, sometimes my language is just so strange!), taken over, and that’s that. Sure, you can recover, but it can be a hassle and a mess.


by Denise Mattox

This idea of security can be taken to extremes. Many folks I talk to seem to worry more about spam than they do about security. Y’all know how I am in making things easy for people to read what I have to say and comment without anything blocking your way, and I expect to continue doing that, even though by the time you read this I might have added the GASP Anti-Spambot plugin.

Anyway, security is a different thing. For the most part there are two things you can do for your WordPress blog to help protect yourself. One I wrote about just over a year ago, and that post got a lot of comments and reads, but I think I need to bring it back to the forefront again. I wrote about a WordPress plugin called Limit Login Attempts, which automatically blocks anyone who fails to get into your account after a set number of attempts. You can change the settings any way you want to, but it’s a great deterrent to anyone who might be trying to guess your password over and over.

This came to fruition last Monday when I received an email telling me that someone had been blocked from trying to get into my site. It had to be a bot, I expect. It tried 4 separate times, each 20 minutes apart, which is how I have my settings. After those attempts, the plugin then blocks the IP address from trying to log in for another 24 hours. The email gave me the IP address and the username the person or bot tried to log in with as well.

No, I didn’t follow it back to see what it came from. My thinking was that it could be a malware site as well; why take that chance? But it proved to me that it worked, and worked well. That was probably one of the smartest moves I’ve ever made.

The other way to protect yourself is to make sure you have a long or complicated password. Some also recommend long and complicated user names, but my brain just can’t handle too many complications. And truthfully, you don’t even have to go for too complicated; long works just as well. Capitalizing one or two letters does wonders. Throwing a number somewhere in there works also. WordPress will tell you, as you create a password, whether it’s strong or not. I’m betting some people ignore that, but paying attention to it is a smart thing to do.

That’s it from me for the day; protect yourselves y’all!

Copyright secured by Digiprove © 2011 Mitch Mitchell

48 Comments

I didn’t know about that plugin but it seems very valid, I am gonna try it out for sure, thanks for sharing Mitch

January 26th, 2011 | 10:16 AM
Mitch Mitchell:

It’s a good one, Gabriele. Just this one incident is enough to remind me of that fact.

January 26th, 2011 | 1:08 PM

You are right Mitch, there are some nasty people out there that will love to see your blog go down on its knees with a big black skull on it.
What’s even worse is getting hacked and not knowing about it (it happened to me – and as a reward I got all my ads replaced with his 😠).

So people, you should really listen to Mitch and protect your accounts; things could get bad if someone with bad intentions guesses your passwords.

January 26th, 2011 | 2:09 PM
Mitch Mitchell:

Thanks Alex. Nick wrote in a previous post about having his blog hacked, and others have had that happen to them as well. I can’t think of anything more frustrating to deal with.

January 26th, 2011 | 3:23 PM

One of the best things I’ve done is to change the login area of WordPress. It can’t be hacked if it can’t be found! haha.

January 26th, 2011 | 3:41 PM
Mitch Mitchell:

Does that really work, Zac? I thought all these guys had to do was send their, whatever we want to call them, out directly to the wp-admin, whether it showed or not.

January 26th, 2011 | 5:12 PM

I didn’t know about that plug-in! And I’ve only very recently heard of GASP. But I think I’ll be checking into uploading both onto my new WP blog very, very soon!

Thanks for the heads up,
Delena

January 26th, 2011 | 8:49 PM
Mitch Mitchell:

No problem, Delena, and welcome to the blog. We have to help protect ourselves, right? 🙂

January 26th, 2011 | 8:53 PM
Carl:

Regarding all CMSs, there is one critical point: the use of plugins, components and modules. Usually the CMS itself, for example WordPress or Joomla, is very well secured, without that many critical security holes. The same does not hold for plugins, which usually open up possibilities for hackers to crash the blog. My advice is always to use trusted plugins and always have a fresh backup of database and files.

January 26th, 2011 | 9:43 PM
Mitch Mitchell:

That’s why this particular plugin works wonders, Carl. Few multiple attempts, then instant blocking; can’t get much safer than that.

January 27th, 2011 | 12:10 AM

Actually it can, but it depends on the hosting company. Usually ports 80, 8080, 8083, etc. – all standard ports. However, a good web host will change the default ports if you request it. This is a more complicated but advanced method. Actually even Akismet stops working, as it is using some of these ports, so permission is given to a website, for example api.akisimet.com. I have been dealing with corporate hackers before; there are about 7 ways to crash WordPress and about 20 to do it on Joomla. Even when all the security doors are locked there is still the possibility of brute force and DDoS attacks, but again these can be dealt with by caching and cloud hosting.

January 27th, 2011 | 2:34 AM

Hi Mitch,

I did take your advice and add GASP and I will follow up with the LLA. At work we have a three-tries-you’re-out policy and then you face the hassle of phoning infosecurity to get reinstated. I love the idea of having the same protection on my site. Having been hacked and suffered through the consequences, I’m pretty careful about passwords and used the WordPress password checker when I changed it.

All good tips.

Nick

January 27th, 2011 | 12:19 AM
Mitch Mitchell:

Nick, I knew you’d had the problem and pretty much figured you’d mention something about your being hacked. I know I’ve been skating slightly under the radar until recently, but I was so glad I not only had added this plugin some time ago, but changed my password to something much longer than I initially had.

By the way, I noticed that you’re moderating comments. After adding GASP you shouldn’t have to do that anymore; “shouldn’t”, that is. 😉

January 27th, 2011 | 12:22 AM

“Prevention is better than cure”

Thanks for reminding my brain Mitch! Great help.

January 27th, 2011 | 2:13 AM
Mitch Mitchell:

No problem Ron; just trying to look out.

January 27th, 2011 | 8:47 AM

This may be a sign of my own lack of knowledge, but I’d always assumed there could be a connection between spam and security. What I’d really like to know is, how have these people gotten themselves into a position that allows them to spend so much time trying to hack into a blog? What’s the payback, for the most part, other than the sheer thrill of ruining someone else’s work?

January 27th, 2011 | 6:44 AM
Mitch Mitchell:

It’s all about numbers, Charles. They do these things all at once, so it’s never one guy going after one guy at a time. If they can get in, they can mess things up, drop code, change any paid links you have to theirs so they’ll get the money, and then move on. Sometimes it’s only about showing how smart they are, but in the long run the majority do it because they’ve found ways of making money from it.

January 27th, 2011 | 8:50 AM

Mitch, this is a good first-line of defense. It’s like putting a deadbolt on your front door.

However, like Carl pointed out, it’s not fool-proof. What if your door and jamb are cheap wooden structures? So much for that.

Still, I like the idea and I will try the plug-in.

Also, regarding Zac’s solution, that’s referred to as security by obscurity. Two problems with it. First, he just told the world about it; second, bots probably spider the entire folder and may find it anyway. (I would love to see a detailed report about such a feature. However, my understanding is that, unless the file resides totally off the www root, it can be found. Now if Zac is reading this and can confirm that the wp-admin/login.php file indeed resides outside of the domain root, then my hat is off to him for a clever solution.)

@Charles, Hackers don’t waste time on secured sites. They are opportunistic, like burglars jiggling front doorknobs to see if someone forgot to lock it.

Cheers,

Mitch

January 27th, 2011 | 7:44 AM
Mitch Mitchell:

Thanks for the additional stuff, Mitch. Supposedly we’re only really safe if we’re behind “https”, yet I have no idea if that type of thing can be created for blogs and signing into them, and I’m not sure I’d want to go quite that far anyway. I have to admit I don’t know anything about how that all works.

January 27th, 2011 | 8:52 AM

Neither do I, Mitch. I do know https costs money. LOL
Anyway, I tested it out. Worked beautifully.
On your other post, you mentioned not being sure about the other two options. Say John Q. Hacker tries 4 times to get in.
He gets locked out for 30 minutes. 30 minutes later, he tries again and gets locked out. That’s TWO lockouts. If John Q. tries 4 times and gets locked out each time, the third option kicks in and won’t let him try for 24 hours (if you leave the settings at 4 and 24). Finally, even after waiting 24 hours, John Q. won’t be able to try again until the number of hours in the fourth option have passed.
Presumably you’ll want those to be the same.

In my opinion, unless you are allowing multiple users to have authoring rights (or admin rights to fix stuff), you might as well jack those last two options sky-high. After 4 attempts, it’s obviously not you, so why give John Q. more opportunities? Set the first value on option 3 to “1” and the second value on option 3 to “99”. This will show up immediately after four failed login attempts. I tested it and locked myself out for an hour. LOL

Now, for option 4, I imagine that this can be “99” as well. I doubt Little Johnny is going to wait 4 days to try again.
(Since I can by-pass this by going to FTP, I will try a stupid large number and let you know.)

{wanders off} …

Well, duh! I got in by renaming the plugin, but unless I modify the database to reset something, I get kicked out on the very next dashboard pageload!
That’s pretty cool design.

So, if you’re confident that you’ll NEVER lock yourself out, go ahead and jack those values up. I’m going to try “999” hours.

I just have to wait 44 more minutes. LOL

Cheers,

Mitch

January 27th, 2011 | 9:29 AM
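The tiered lockout that the post and the comment above describe (a handful of failed attempts earns a short lockout, repeated lockouts earn a long one, and the counters eventually reset) as an added Python simulation; this is not the Limit Login Attempts plugin’s own code, and the option names, the default reset window and the rule that a lockout zeroes the retry counter are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Settings:
    allowed_retries: int = 4       # failed attempts before a lockout
    lockout_minutes: int = 20      # normal lockout length (the author uses 20)
    allowed_lockouts: int = 4      # lockouts before the long lockout applies
    long_lockout_hours: int = 24   # long lockout length
    reset_hours: int = 12          # hours until the counters reset (assumed)

@dataclass
class ClientState:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0.0      # unix seconds; 0 means not locked
    reset_at: float = 0.0          # when the counters above expire

class LoginLimiter:
    """Per-IP tiered lockout; the caller supplies the clock so it can be simulated."""

    def __init__(self, settings=None):
        self.settings = settings or Settings()
        self.clients = {}                          # ip -> ClientState

    def _state(self, ip, now):
        st = self.clients.setdefault(ip, ClientState())
        if st.reset_at and now >= st.reset_at:     # counters have aged out
            st.retries = st.lockouts = 0
        return st

    def seconds_locked(self, ip, now):
        """Remaining lockout for ip (0 means the login form may be used)."""
        return max(0.0, self._state(ip, now).locked_until - now)

    def record_failure(self, ip, now):
        """Count one failed login; return the lockout it triggers, in seconds."""
        s, st = self.settings, self._state(ip, now)
        if st.locked_until > now:                  # attempts while locked are ignored
            return st.locked_until - now
        st.retries += 1
        st.reset_at = now + s.reset_hours * 3600
        if st.retries < s.allowed_retries:
            return 0.0
        st.retries = 0                             # a lockout resets the retries
        st.lockouts += 1
        if st.lockouts >= s.allowed_lockouts:      # the long (24-hour) tier kicks in
            duration = s.long_lockout_hours * 3600
        else:
            duration = s.lockout_minutes * 60
        st.locked_until = now + duration
        return float(duration)

    def record_success(self, ip):
        """A real login clears the client's counters."""
        self.clients.pop(ip, None)
```

With the defaults, the fourth failure in a row returns 1200 (20 minutes) and the fourth lockout returns 86400 (24 hours); with `Settings(allowed_lockouts=1, long_lockout_hours=99)`, the commenter’s suggestion, the very first lockout lasts 99 hours.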
Mitch Mitchell:

Thanks for explaining some of that other stuff. I don’t have the guts to go as far out as you recommend, but I did decide to extend the times a lot for a bit more protection.

January 27th, 2011 | 10:27 AM

Mitch, I jacked the hours up to 999 (41 days!) w00t!
Thank goodness, I have RoboForm.

Hey! I just noticed! You have GASP! I’m so used to clicking that box, I hardly pay attention anymore. I should tell Gail about that 🙂
Cheers,

Mitch

January 27th, 2011 | 12:22 PM
Mitch Mitchell:

Nah, let’s keep that to ourselves Mitch. lol I had written that I might be adding it, though, seeing how well it was working on my other blogs. Still, it’s amazing that even with the drop that I get maybe 10 “human” spam messages a day.

January 27th, 2011 | 3:42 PM

Yes, any web site can be run on a secured server with a purchased security certificate, but this does cause problems for the running of a lot of scripts. Especially since hosting services tend to be beefing up their “not allowed” list on secured servers. I should think that running a blog entirely secured would be a headache. I use secured servers for shopping carts and that’s all.

February 4th, 2011 | 10:35 AM
Jessica Sieghart:

Oh, I like it! I’m going to install it right now. I lost my previous blog due to something like hackers or whatever. Who knows. The whole thing was crashed and erased and poof….gone. I lost patience (along with a year’s worth of posts) and just started over elsewhere with super strong passwords.

January 27th, 2011 | 9:29 AM
Mitch Mitchell:

It should help a lot, Jessica; I’m really glad I had it installed.

January 27th, 2011 | 9:39 AM
Dennis Edell @ Direct Sales Marketing:

TIP! if you’re going to combine that plugin with a long weird password, please keep said password somewhere safe for yourself…..don’t become one of those bloggers to lock themselves out of the blog. ;-P

January 27th, 2011 | 11:52 AM
Mitch Mitchell:

I was thinking that and just didn’t say it Dennis. lol

January 27th, 2011 | 3:41 PM
Dennis Edell @ Direct Sales Marketing:

That’s what I’m here for. 😉

January 28th, 2011 | 11:43 AM

Great tips Mitch. I’m always telling people to make sure that their passwords are not guessable. Unfortunately it sometimes takes a disaster for this to really sink in.

That plugin sounds like a good idea, I’ll have to check it out. I have never had a site hacked into before, but I want to make sure that it never happens.

January 27th, 2011 | 12:38 PM
Mitch Mitchell:

Exactly Keith. I’d been reading about it happening to others for a couple of years before I’d heard of the plugin.

January 27th, 2011 | 3:43 PM
John:

Hey Mitch,

The most I do to protect myself is create a long or complicated password. I agree, most of the people I know too seem to be more concerned about spam than security. I guess it’s the “it won’t happen to me” mentality. Thanks for sharing your thoughts on this topic.

January 27th, 2011 | 6:55 PM
Mitch Mitchell:

No problem John; it’s something we just need to make sure gets out, so I’m doing my part.

January 27th, 2011 | 7:25 PM

I also would like to add: be careful about registering on sites that are not that popular, or still new. I once registered for an account for some site and the next day my GMAIL account was hacked… sure enuff, I used the same username and password, and I bet that was how it was hacked.

January 27th, 2011 | 9:10 PM
Mitch Mitchell:

People should always be cautious of stuff like that, Henway, even with long passwords.

January 27th, 2011 | 11:41 PM

Admittedly, I was not overly concerned about the security of my site until you mentioned it, Mitch, and I am glad that you did. Pointed out something I should work on. Thanks a lot! 🙂

– Wes –

January 27th, 2011 | 9:34 PM
Mitch Mitchell:

No problem Wes. I’ve been there. Didn’t want to upgrade to newer versions of WordPress because it always seemed like they were changing too often. Then heard of people getting hacked because they hadn’t upgraded and learned my lesson. It’s been on my mind for awhile until I loaded this plugin; no worries since.

January 27th, 2011 | 11:40 PM

Thanks Mitch, just went in and removed the moderate comments box.

Nick

January 28th, 2011 | 12:53 AM

How can we ever keep those hackers at bay? Why don’t they leave us alone? Anyway, this LLA sounds good to me. I’m glad WP is doing all they can to help bloggers feel and stay secure.

January 28th, 2011 | 5:53 AM
Mitch Mitchell:

It’s a good one, Anne. Unfortunately, we all know that at some point someone’s going to probably be smart enough to figure out a way around it. Until then it’ll do its job.

January 28th, 2011 | 10:55 AM

Thanks for this info on securing our blogs Mitch. I was not aware that blog hacking was becoming increasingly common. I was concerned about my blog being compromised when I first established it; however, I had forgotten all about that possibility other than backing it up regularly. I will check out the plug-in you mentioned so that my blog can be slightly less vulnerable. I certainly don’t want to become the next victim.

Rachel Lavern
http://www.fearfully-n-wonderfullymade.com
Personal Transformation, Enlightenment and Development

January 28th, 2011 | 12:26 PM
Mitch Mitchell:

Good stuff, Rachel. I know it’ll do the job well for you and everyone else.

January 28th, 2011 | 12:33 PM

I’ll have to get that login attempt plugin Mitch it sounds like a great idea. As for the password itself I use a password manager software for my password. It’s about 15 characters long and it’s a mixture of letters, numbers and characters so it would be pretty hard to crack.

January 28th, 2011 | 5:36 PM
Mitch Mitchell:

Goodness Sire, that sounds like an interesting program. What happens if you’re on your computer and then go to the laptop?

January 28th, 2011 | 8:15 PM


That sounds like an excellent plug-in to have. And I should follow your trail back through the other posts you reference to see what else you recommend.

I think it’s silly to ignore security, and I have tried to follow the advice on securing things that I found on Mike’s blog and Barbara’s blog. You may recall that recently I blew things up by monkeying with the htaccess file to beef up security. Oops!

Still, security is an issue we need to pay attention to. Thanks for this advice and I’ll follow that back; maybe not today, I’m SUPPOSED to be working on a book today 🙁

February 4th, 2011 | 10:26 AM
Mitch Mitchell:

Allan, I just got back in town late yesterday afternoon and I’m taking the day “off”, if you will. Of course that just means I’m working differently than I normally do. Good luck with the plug in. I’m reading ahead so I know you’ve loaded it already.

February 4th, 2011 | 10:57 AM

OK, I installed it on both my WordPress blogs. Piece of cake, though I think I’ll take Mitchell’s advice and goose those last numbers.

Off to tickle my keyboard now. Thanks!

February 4th, 2011 | 10:41 AM