guest post by Kelly Diels
warning: there are lessons and even actionable advice in here, but it is buried inside a story. I write stories because I love you and don’t want to bore you and because if you laugh then chances are that you’ll remember the educational bit, too. There’s actual research that this works – it is not just because I am in love with bloviation but hey, tomato tahmahto.
I have big love for tech. You could not pry my dishwasher out of my house without bloodshed and death, most likely yours. And the internet? Don’t even get me started. I want to french-kiss the web. In fact, I’m pretty sure that’s my job or at least my blog’s mission statement.
Still, I’m more of install (or pay someone to install) and hope-it-works kind of gal. I want the fuss without the muss.
And I have this theory about tech: some key pieces of hardware and software make a huge difference and everything after that amounts to tweaks and hacks. But the good tech, like a great love, (initially) inspires awe, affection, and respect and make your life much better on a daily basis. You think: how did I ever live without you, front-loading washer? We wasted so much time.
And then, after the infatuation fades, you get on with your happily functioning and newly-enhanced life and start taking your love, machines, shockingly-white-whites and programs for granted.
I like it like that. I like low-maintenance relationships (don’t tell anyone) and I LOVE that electricity just works and I don’t have to think about it. I like finding the right things, that work, and let them do that in the background. Nearly invisible function is hawt.
WordPress is one of those key pieces of tech that made a big difference in my life. It is like a long distance lover. I don’t quite understand it and I should probably spend more time with it but damn I like it a lot. It does me right, mostly virtually.
Actually, let’s be honest: I LOVE WORDPRESS. My blog is my boyfriend. I adore it. I spend all my time with it. Because of all the fabulous people who love me up in the comments, my blog sates my unabashed lust for attention – which, in turn, has started saving me from terrible IRL relationship decisions.
(WordPress is saving the world from needy girlfriends. Someone call the Nobel Peace Prize Committee.)
So the thought of someone getting their sweaty, malicious hands on my boyfriend blog and doing dirty things to it makes me nauseous.
It happened to a friend of mine, Kelly Livesay. One of her blogs was hacked and posts and theme modifications deleted. It happened to journalist Helen Mosher. If you Google her name, the first search result is now “Cheap Viagra Online”. This is not – perhaps obviously – what she intended for her blog. It happened to Robert Scoble, who lost two months of blog posts and gained a very serious sense of personal violation.
And that sense of violation is exactly the prompt for this post: the movie The Girl With The Dragon Tattoo completely FREAKED ME OUT (capitalization absolutely appropriate and required).
Do you know The Girl With The Dragon Tattoo? It is the first of a trilogy of books by Swedish author Stieg Larsson who completed this epic series and then promptly dropped dead. It is a gripping book and it almost killed me, too. I read it in five hours.
And then I got my hot little hands on the movie. Lisbeth, the main character and dragon-wearer, is one tough chick. You don’t want to mess with her. She’ll hack you.
Because that’s what she does. Lisbeth is a freakishly talented hacker. She works as an investigator and conducts her investigations from the convenience of her laptop. She gets into your computer and reads your naughty e-mails, your work memos, your sexts, your bank statements, your browsing history, and then uses that information as she sees fit, for her clients, or herself.
And if you’re on her side – I mean, who doesn’t want her to catch the lady-killing villain? (the villain) – then you’re with her, all the way, as she uses her scary powers for good.
So: The Girl With The Dragon Tattoo. Wrenching read, haunting movie. Great entertainment, especially if you’re looking for a new reason to become deeply paranoid about all the ways people can screw with you online.
Robert Scoble’s not kidding when he says that he feels his virtual house was burgled. Thanks to this paranoid movie, I now feel his paranoia pain and I’m deeply worried about my boyfriend blog.
Still, I don’t understand the point of hacking blogs, so I asked my friend Dave Doolin (Website In A Weekend), who knows Serious Stuff about WordPress, code, programming and How Things Work.
Kelly Diels: What’s the point of hacking a blog? Why would someone want to break into a blog and make it say BUY VIAGRA! instead of just building a sex blog to sell Viagra?
Dave Doolin: Honestly, I’m not really sure, but I’ll hazard a guess: it’s cheaper to spray spam by the trillions than it is to create your own site and work at building traffic. It costs next to nothing to hire people to send a e-mails, so even a really tiny conversion rate generates profit.
Kelly Diels: So how do we keep hackers out of our blogs? On your site, you recommend that bloggers change “Admin” to something specific and then delete the Admin user, so I did that, and Amanda Farough told me to make a unwieldy, ridiculous password that is actually a sentence with random capitalization and characters.
Dave Doolin: Yeah, those two things are a good start. You do want a long, complicated password. The other thing that everyone should do is read the WordPress Development Blog and Other WordPress News. They’re both in your dashboard, and they’ll keep you up to date on the latest hacks and security threats.
(I studiously ignore those two boxes in my WordPress dashboard but now, as of right this minute, I’m going to pay attention.)
And, now that I’m paying attention, I checked in once again with Amanda Farough, who is my designer/developer/chief-cupcake-sharer/coder-extraordinaire. She takes care of my site, because, as I mentioned, I like my tech to work but I’m not really inclined to make it work myself.
Kelly Diels: So, Amanda, what are we doing to keep my site secure? And by “we”, I mean you. What advice do you have for bloggers to keep their blogs on the unhacked side?
Amanda: Here’s my security short list:
- Change your .htcaccess to protect your database name and password by adding the following line of code: <FilesMatch ^wp-config.php$>deny from all</FilesMatch>. In the event of someone hacking your blog, they won’t be able to determine where your tables are, protecting you from losing everything.
- WP-DB-Backup is your new best friend. Get it emailed to you once a week or, if you’re really paranoid, once a day (note: Dave Doolin said we should do it once a day and I heart paranoia. That’s totally where I’m living right now. Thanks, Dragon Tattoo conspiracy). Don’t trust your server or your email server. Save copies of the database to your local drive as soon as you get the email. That way, you’ve got two copies: one on your email server and the other on your local drive.
- Update WordPress every single time you’re prompted to. These releases are the blogger’s equivalent to driver updates: they fix holes in security, functionality, and usability. If you’re running 2.8 when we’re on 2.9.2, then run that update. You’ll be glad you did.
And that – according to my friends in the know, because trust me, I didn’t know – is the short story of how to keep your blog safe and out of the sweaty, dragon-tattooed hands of malicious hackers itching to delete your hot copy and sell us sex aids in your name.
WordPress Security Summary:
- Get rid of your Admin user account
- have a long, complicated password
- keep up to date on WordPress tips and news by reading WordPress
Development Blog and Other WordPress News
- BACK IT UP, baby
- Protect your database name and password
- UPDATE UPDATE UPDATE
Join the Dragon Tattoo Blog HUNT – an internet wide scavenger hunt tied to the feature film launch of bestselling book The Girl With the Dragon Tattoo. Win great prizes – free movie tickets, books, movie soundtrack, posters and more. To join the contest, start at the beginning of the HUNT by visiting www.dragontattoofilm.com/contest for full details and the first clue. The Girl With the Dragon Tattoo is in theaters near you starting March 19th.
THE NEXT CLUE:
This site explores everything Apple, but don’t tell Steve Jobs because this weblog is officially unofficial.
Kelly Diels writes for ProBlogger every week. She’s also a wildly hireable freelance writer and the creator of Cleavage, a blog about three things we all want more of: sex, money and meaning.
haha, you sound like my mummy! I like to add a bit about password. It is better to use onscreen keyboard just in case a trojan horse program is installed in our computer.
scheng1: If your site is of low value then an onscreen keyboard will avoid the simpler keyloggers.
But if someone was trying to attack a high value blog like Scoblizer then they wouldn’t be stopped by such things. Among other things an attacker who has a trojan installed (a pre-requisite for running a software keylogger) can hijack the session. One thing they could do is hijack the logout button to simulate closing the session but allow the attacker to continue using the session. If the session in question had administrative rights then the attacker could add new accounts.
One protection against trojans is to have multiple backups stored on removable media – and to hope that the attacker doesn’t encrypt all files and hide the key (as some viruses have done in the past).
But really anything you do on a compromised platform is going to result in you losing if it’s worth enough to an attacker. It’s best to just use a reliable system.
You could consider having one computer dedicated to doing nothing but blog administration (computers are cheap). When viewing links from blog comments and reading other people’s blogs use a different computer. A Windows box that does nothing but talk to your blog server should be safe enough.
Or you could use an OS that doesn’t tend to be prone to keylogger attacks, such as Linux. The above URL has a post I recently wrote with some design ideas for a particularly secure Linux system. Linux security is reasonably good but we can improve it.
I should have mentioned it before, generally it’s regarded that for good computer security your access control should be based on “something you have and something you know”. There are a variety of hardware devices you can use for authenticating yourself. One of the cheapest and easiest is the Yubikey which emulates a USB keyboard and requires no special device driver support and no transcribing long numbers.
I’ve written about some of the technical aspects of the Yubikey at the above URL.
Thanks for the tips! This is defintely a concern of mine as my blog continues to grow. From now on I’m making sure I backup once a week.
Thanks for this post .I’ve recently had the experience of one of my WordPress blogs being hacked. Fortunately it was one which I had not done much work yet and I’ve ended up completely deleting it and the wordpress installation. The first thing I know about it was when I went into the admin panel and it was all messed up. I then tried to access the blog and got a big red warning from Microsoft about it being a dangerous site. I decided to completely delete the entire blog and make a fresh start .
I will certainly be implementing your security tips on my main wordpress blog
That was awe-awe-awe-some=)
I also liked this one =)) =^_^=
You got numerous positive points there. I made a search on the issue and found nearly all peoples will agree with your blog.
I’m so happy using blogger you could forget all about security only you have to do is write and write
Genuinely wonderful !! I’ve just ordered a cellular app progress at codingate, they rapidly determined real critical and more than inexpensive developpers who created the thing in couple of times!!mobile – telecom and voip – web – desktop applications .
Hi there may I quote some of the material found in this blog if I reference you with a link back to your site?
Learned as much as I would if I had written this.. nice post thanks!