
Blog Security: The Girl With the Dragon Tattoo Scares Me Into Taking It Seriously.

Posted By kellydiels 11th of March 2010 Miscellaneous Blog Tips 0 Comments

guest post by Kelly Diels

warning: there are lessons and even actionable advice in here, but it is buried inside a story. I write stories because I love you and don’t want to bore you and because if you laugh then chances are that you’ll remember the educational bit, too. There’s actual research that this works – it is not just because I am in love with bloviation but hey, tomato tahmahto.

I have big love for tech. You could not pry my dishwasher out of my house without bloodshed and death, most likely yours. And the internet? Don’t even get me started. I want to french-kiss the web. In fact, I’m pretty sure that’s my job or at least my blog’s mission statement.

Still, I’m more of an install (or pay someone to install) and hope-it-works kind of gal. I want the fuss without the muss.

And I have this theory about tech: some key pieces of hardware and software make a huge difference and everything after that amounts to tweaks and hacks. But the good tech, like a great love, (initially) inspires awe, affection, and respect and makes your life much better on a daily basis. You think: how did I ever live without you, front-loading washer? We wasted so much time.

And then, after the infatuation fades, you get on with your happily functioning and newly-enhanced life and start taking your love, machines, shockingly-white-whites and programs for granted.

I like it like that. I like low-maintenance relationships (don’t tell anyone) and I LOVE that electricity just works and I don’t have to think about it. I like finding the right things, that work, and let them do that in the background. Nearly invisible function is hawt.

WordPress is one of those key pieces of tech that made a big difference in my life. It is like a long distance lover. I don’t quite understand it and I should probably spend more time with it but damn I like it a lot. It does me right, mostly virtually.

Actually, let’s be honest: I LOVE WORDPRESS. My blog is my boyfriend. I adore it. I spend all my time with it. Because of all the fabulous people who love me up in the comments, my blog sates my unabashed lust for attention – which, in turn, has started saving me from terrible IRL relationship decisions.

(WordPress is saving the world from needy girlfriends. Someone call the Nobel Peace Prize Committee.)

So the thought of someone getting their sweaty, malicious hands on my boyfriend blog and doing dirty things to it makes me nauseous.

It happened to a friend of mine, Kelly Livesay. One of her blogs was hacked and posts and theme modifications deleted. It happened to journalist Helen Mosher. If you Google her name, the first search result is now “Cheap Viagra Online”. This is not – perhaps obviously – what she intended for her blog. It happened to Robert Scoble, who lost two months of blog posts and gained a very serious sense of personal violation.

And that sense of violation is exactly the prompt for this post: the movie The Girl With The Dragon Tattoo completely FREAKED ME OUT (capitalization absolutely appropriate and required).

Do you know The Girl With The Dragon Tattoo? It is the first of a trilogy of books by Swedish author Stieg Larsson who completed this epic series and then promptly dropped dead. It is a gripping book and it almost killed me, too. I read it in five hours.

And then I got my hot little hands on the movie. Lisbeth, the main character and dragon-wearer, is one tough chick. You don’t want to mess with her. She’ll hack you.

Because that’s what she does. Lisbeth is a freakishly talented hacker. She works as an investigator and conducts her investigations from the convenience of her laptop. She gets into your computer and reads your naughty e-mails, your work memos, your sexts, your bank statements, your browsing history, and then uses that information as she sees fit, for her clients, or herself.

And if you’re on her side – I mean, who doesn’t want her to catch the lady-killing villain? – then you’re with her, all the way, as she uses her scary powers for good.

So: The Girl With The Dragon Tattoo. Wrenching read, haunting movie. Great entertainment, especially if you’re looking for a new reason to become deeply paranoid about all the ways people can screw with you online.

Robert Scoble’s not kidding when he says that he feels his virtual house was burgled. Thanks to this paranoid movie, I now feel his paranoia pain and I’m deeply worried about my boyfriend blog.

Still, I don’t understand the point of hacking blogs, so I asked my friend Dave Doolin (Website In A Weekend), who knows Serious Stuff about WordPress, code, programming and How Things Work.

Kelly Diels: What’s the point of hacking a blog? Why would someone want to break into a blog and make it say BUY VIAGRA! instead of just building a sex blog to sell Viagra?

Dave Doolin: Honestly, I’m not really sure, but I’ll hazard a guess: it’s cheaper to spray spam by the trillions than it is to create your own site and work at building traffic. It costs next to nothing to hire people to send e-mails, so even a really tiny conversion rate generates profit.

Kelly Diels: So how do we keep hackers out of our blogs? On your site, you recommend that bloggers change “Admin” to something specific and then delete the Admin user, so I did that, and Amanda Farough told me to make an unwieldy, ridiculous password that is actually a sentence with random capitalization and characters.

Dave Doolin: Yeah, those two things are a good start. You do want a long, complicated password. The other thing that everyone should do is read the WordPress Development Blog and Other WordPress News. They’re both in your dashboard, and they’ll keep you up to date on the latest hacks and security threats.

(I studiously ignore those two boxes in my WordPress dashboard but now, as of right this minute, I’m going to pay attention.)

And, now that I’m paying attention, I checked in once again with Amanda Farough, who is my designer/developer/chief-cupcake-sharer/coder-extraordinaire. She takes care of my site, because, as I mentioned, I like my tech to work but I’m not really inclined to make it work myself.

Kelly Diels: So, Amanda, what are we doing to keep my site secure? And by “we”, I mean you. What advice do you have for bloggers to keep their blogs on the unhacked side?

Amanda: Here’s my security short list:

  1. Change your .htaccess to protect your database name and password by adding the following line of code: <FilesMatch ^wp-config.php$>deny from all</FilesMatch>. In the event of someone hacking your blog, they won’t be able to determine where your tables are, protecting you from losing everything.
  2. WP-DB-Backup is your new best friend. Get it emailed to you once a week or, if you’re really paranoid, once a day (note: Dave Doolin said we should do it once a day and I heart paranoia. That’s totally where I’m living right now. Thanks, Dragon Tattoo conspiracy). Don’t trust your server or your email server. Save copies of the database to your local drive as soon as you get the email. That way, you’ve got two copies: one on your email server and the other on your local drive.
  3. Update WordPress every single time you’re prompted to. These releases are the blogger’s equivalent to driver updates: they fix holes in security, functionality, and usability. If you’re running 2.8 when we’re on 2.9.2, then run that update. You’ll be glad you did.

And that – according to my friends in the know, because trust me, I didn’t know – is the short story of how to keep your blog safe and out of the sweaty, dragon-tattooed hands of malicious hackers itching to delete your hot copy and sell us sex aids in your name.

WordPress Security Summary:

  • Get rid of your Admin user account
  • have a long, complicated password
  • keep up to date on WordPress tips and news by reading WordPress
    Development Blog and Other WordPress News
  • BACK IT UP, baby
  • Protect your database name and password
  • UPDATE UPDATE UPDATE

__________________________

Join the Dragon Tattoo Blog HUNT – an internet-wide scavenger hunt tied to the feature film launch of the bestselling book The Girl With the Dragon Tattoo. Win great prizes: free movie tickets, books, the movie soundtrack, posters and more. To join the contest, start at the beginning of the HUNT by visiting www.dragontattoofilm.com/contest for full details and the first clue. The Girl With the Dragon Tattoo is in theaters near you starting March 19th.

THE NEXT CLUE:

This site explores everything Apple, but don’t tell Steve Jobs because this weblog is officially unofficial.

Kelly Diels writes for ProBlogger every week. She’s also a wildly hireable freelance writer and the creator of Cleavage, a blog about three things we all want more of: sex, money and meaning.

Comments
  1. I love your writing style Kelly. Thanks for all of this info and this fantastic journey through this post directly to your blog.
    Cleavage is something that I’ve been endowed with so I should feel right at home there.
    @Ileane

  2. I back up my database automatically, but you did remind me that I need to back up my theme following some recent changes.

    Having backups also prevents you from accidents. More than once, I’ve broken my theme with a code change and didn’t have the time to analyze the particular problem. So I just reverted to the back up version and went about the rest of my work for the day.

    Also, you should replace the fire in your firewall at least once a week. Otherwise the fire can get too old and can easily be doused by a hacker with a bucket of water.

  3. Hi Kelly,

    These are great tips; I will implement right away – thanks.

    One more question:

    How do I backup my theme and plugins, that also took a long time to configure and tweak?

    Is there a good way to do that?

    Thanks again,

    Ami
    BeeaBlogger.com | REAL-TIME Blogging Report

  4. Hi Kelly,

    I added this code to the .htaccess:

    deny from all

    After this my blog was not accessible anymore so I took it down – do you know how to resolve this?

    Ami
    BeeaBlogger.com | REAL-TIME Blogging Report

  5. Hi Kelly.

    Thanks for the tips – security, and backups in particular, are only needed when it is typically too late. Thanks for making me think about it now.

    I would also echo Ami’s question – is there a way to backup themes etc? or do we just make an FTP dump of the whole site?

    Thanks again,
    Dave

  6. @Ami Oh honey, you’re putting way too much faith in my technical knowledge. I HAVE NONE. That’s why I interviewed Dave Doolin and Amanda Farough about security (and why I pay Amanda to take care of my blog: Because They Know Stuff).

  7. I’m using WP-Backup for my blog and love it!

    So easy to back up and restore your blog on the same dashboard, where other backup plugins just back up your data and you have to go to myphp in your cpanel to get it restored. Great tips.

  8. I think differently, because I love how the stuff works. I use Joomla, WordPress, Blogger and a little bit of Drupal, and for me learning how the programs work in the background is like an adventure, so both things are necessary :)

  9. Kelly,

    I don’t have cleavage, but I do appreciate it. Love your writing and I am 80% complete with the book. Lisbeth Salander is a great character along with Blomkvist!

    Did not know there was going to be a movie! Who is playing Salander?

    Thanks for the tips!

    Mark

    PS I am now going to read Copyblogger.com’s post with the same Lady with the Dragon Tattoo hook. Interesting that both of these top blogs are running similar but not duplicate themes.

  10. Kelly,

    Great post – you did make me laugh, and you’re right… I will remember it. However, now you have me completely freaked out; I have a sudden urge to buy an external hard drive and a safe to store it in.

    Thanks for the warnings!

    I completely appreciate this line: “My blog is my boyfriend. I adore it. I spend all my time with it.” Welcome to my life… Does this mean I have gone from Loving Wife to Adulterous Wife? LOL!

  11. I think WP-DB-Backup should be #1 on your list.

    @Dave Higgs
    I ftp down my themes and uploads folders once per week. Works best IMO

  12. wow, you have some interesting point

    I never thought WordPress could replace a boyfriend :D

  13. Hey Kelly,

    Thanks for this post. I agree that security and backup of WordPress is really important, and a backup of themes can be taken.

  14. PAINFUL lesson (and I, too, ignore those WP posts to the right. In fact, I ignore virtually everything to the right: Google Ads, Facebook Ads, Republicans, etc).

    I am, today, despite being fluish, changing my admin name. I suppose that will involve seeking out Mr. Doolin’s blog to find out HOW. Sigh. I just want to write and make pretty.

  15. How about using Login Lockdown plugin?
    It is also a good quick start for people to try and stop hackers from using brute force to log in…

  16. That .htaccess technique is a good one. Folks, learn htaccess on a test blog, not on your main blog!

  17. Ah, Le securitee.

    I have most of these done, but need to get on the .htaccess update taken care of. I had never even heard of that one.

    I have also always wondered how to write “tomato, tahmahto”. Thanks ;)

  18. THANKS!! This is great advice. I’m installing WP Backup as I type.

  19. Hey Kelly,

    Thanks for the great tips…
    I agree stories are a great way to explain personal experiences that can help people understand your tips.

  20. I think I may have become a fan of your blog… Thanks.

  21. Nice post, Kelly. You really conveyed the important stuff we should be aware of when it comes to security. Way to sock it to us.

  22. Hi. I read a few of your other posts and just wanted to say “good job”.

  23. I loved reading your post, Kelly, and now I’m definitely going to visit Cleavage. I’m also going to have a chat with my designer/developer/coder about why in the world we would leave my login as admin??? I wondered before, but now I have a reason to do something about. Thanks :-)

  24. “No fuss, no muss” is definitely my mantra as well, but this hacking thing scares the crap outa me, especially since my content is family related. I just employed all the tips you suggested. Thanks Kelly… and Darren, for allowing Kelly to be here.

  25. Kelly you write another great post for everybody to read. Yes these were great tips and WP are great for blogging.

  26. Totally loved The Girl With the Dragon Tattoo books – didn’t even know there was a movie!!! I sure want to have a brain like Salander when I grow up!!! Meanwhile, thanks for the great post full of practical ideas… Good grief, who would have thought…

  27. Kelly Gal, I love your writing… so hot!
    And it’s sooo unfair! I was building up my body to impress you and be your boyfriend… but you already have someone.. sob!

    Well.. thanks for enlightenment on hot dragon gal and some security thing .. I have no chance with the dragon gal, do I?

  28. Thanks a lot man.
    Gives me something else to be paranoid about now

  29. Nice post. Vulnerable sites or poorly configured sites seem to be getting hit hard lately; being a small site is no defense. Here are a few other recommendations from my experience:

    1) Use as few plugins as possible. Bad plugin code = vulnerability.

    2) In addition to DB-Backup, install TAC (Theme Authenticity Checker) , WP-Security Scan, and Login Lockdown.

    3) Have your admin person/php guru set up your WordPress install using different table prefixes than “wp_”. It’s a great tip, but don’t try to change this on an existing blog without someone knowledgeable to help.

    4) Have your admin/php guru set up WordPress so that wp-config is not located in the public html space of your account.
    http://wordpress.org/support/topic/249496

    5) Require a separate server login before loading the wp admin pages, set up with the .htaccess file.
    http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/

    6) Know how your server works. Use strong passwords not just for WordPress, but also for server admin, ftp accounts, and email accounts. Your blog can be hacked in many ways.

    7) Be very careful on unsecured public wifi. It is easy to steal all the passwords that go back and forth on unsecured wifi networks. If you surf from coffee shops often, consider putting your wp-admin pages behind an SSL certificate. That way at least your communications with your blogger are harder to crack – this is also why gmail defaults to https now.

  30. This post was really informative. I have heard about sites being hacked, but I had no idea how it was done or how it could be prevented. I have WP Backup installed and I back up to my computer on a daily basis and once a week to my server. I will implement the other changes ASAP.

    I also want to read this book and see the movie. It sounds like the kind of movie my readers would enjoy.

    Thanks.

  31. Kelly, there are 3 reasons why people go surfing the ‘net:
    1. to be entertained
    2. to learn
    3. to buy

    You might be entertaining some people, but I gotta say your writing style doesn’t do it for me.

    You might be learning some people, but when I struggle with your writing style it is impossible for me to learn.

    Finally, because of the above, I just aint gonna buy.

    PS You could have given us the gist of your tips in about 5 lines.

  32. @Ileane – we’re in the same tribe! Thanks. Glad you liked the piece and hope you like my blog.

    @Kosmo – good tips. Thanks for adding them. I appreciate it.

    @Dave – I responded to Ami about this, too. I can’t even PRETEND to be an expert at this stuff. That’s why I interviewed Dave and Amanda (because they DO know this stuff).

    @Jack – thanks. Gotta love it when things work.

    @series – you definitely have more skills than me!

    @Boomer54 Mark – check out the link to the movie in my piece. Noomi Rapace plays Lisbeth, and she’s terrific. (And what you noticed on Copyblogger…there’s a reason for the commonality…hint hint)

    @ Shannon O – I’m telling your husband. XO

    @IamANT – you’re absolutely right.

    @hokya – you’re absolutely right, too :)

    @Suhasini – thank you!

    @Kelly Livesay – your list made me laugh. Awesomesauce. And definitely do check out Dave Doolin’s site. He’s helped me oodles.

    And this: “I just want to write and make pretty.” ME TOO. Did you hack my computer?

    @Jez – great suggestion. I’m going to look into it. (Or, more accurately, Amanda will).

    @Dave Doolin – good advice. As always. Mwah.

    @Deacon – lookit you with all your franglais. Glad I could set you straight on the phonetics of tohmahto.

    @Sharon – fantastic! Hope it works out for you.

    @Tip$toIntern – oh thank you. Really, that’s so lovely and I’m glad the piece connected with you.

    @Steve Quinton – I won’t mind if you do :)

    @Bamboo Forest – thank you so much. It is so nice to hear such positive feedback. I really appreciate it.

    @Bill – thanks, Bill! Always nice to hear that.

    @Michy – it is really easy to change – just follow the steps in Dave Doolin’s post (the one I linked to) and you’ll be able to get it done in just a minute or two.

    @daveconrey – oh, you definitely do not want to lose precious family memories. Sorry I scared you – but get on it!

    @Killer_Ab_Workout – thank you so much.

    @se7en – the movie will be out next week. I’ve already seen it (their PR person very helpfully sent me a copy) and it is GOOD.

    @King_Sitbarth – how did you know I love the word “gal”? Thanks so much. I’ll put a good word in for you with our imaginary heroine, Lisbeth :)

    @Surgery Houston – I know. Paranoia is contagious but also quite useful.

    @Clarabela – glad it helped – and definitely check out the film. I recommend it.

    @Gerry Faehrmann – What can I say? My style’s not for everyone – no one’s ever will be – and fortunately Darren’s site is wide and deep with lots of different voices and approaches.

    Don’t give up on ProBlogger. The archives are overflowing with truly useful pieces that will help you out.

  33. Thanks for the tips. I like all of the points and I think having a long and somewhat complex password is still one of the best ways to ensure online security.

  34. James says: 03/11/2010 at 5:58 pm

    Also, check out http://www.backupalicious.com as it will do automatic daily backups to Amazon S3 for you of not just your WP database but a full cPanel backup of all of your files, databases, settings, etc. Set it once and forget it because even if your host does backups for you then there is still a major problem if there is a security issue with your host.

  35. Fun trivia: The original title in Swedish translates to “men who hate women”, Stieg Larsson used to work on an anti-fascist/anti-Nazi publication, and the movies are a classic case of Swedish fast-tracking. The movies are excellent (the third just got released on DVD in Sweden), it’s just that they could have been even better. The books are amazingly entertaining, though. Well worth the read.

  36. Good advice! I’d reorder them, however:

    – Update WordPress
    – Update your plugins
    – Choose complex, long, non-dictionary, unique, unguessable passwords
    – Back up your database regularly (i.e. not manually!) and keep local copies of all your customized theme files

    Note that this advice isn’t WordPress-specific. This is good advice for using software in general.

    “How about using Login Lockdown plugin? It is also a good quick start for people to try and stop hackers from using brute force to log in.”

    It won’t hurt. But if you have a small number of people with Author-or-higher privs on your blog, just use better passwords. A good, long, unique, unguessable, non-dictionary password will make brute-forcing moot. I’ve never seen actual brute-force attacks — only “common passwords” attacks.

  37. The best advice is to always back up your blog even before updating. Recently, I tried upgrading my blog (I cannot remember the version) and the blog was giving me error after updating. I was glad it was a new blog. I had to remove and reinstall the blog. I cannot imagine what I would have done if it was an already existing domain.

  38. I am now learning about blog security too, because security on the internet is really important. Thanks for your lessons.

    Dennis

  39. If she didn’t have flaws, she would be unrealistic, and no one would read the book. Who wants to read about a truly perfect protagonist, one who has everything figured out?

  40. Excellent and timely post. I will have to check into this dragon tattoo story. I mean, where the heck was I? Oh that’s right, running a blog LOL

  41. Kelly, I like this post. Definitely another tip. I’ve been reading Dave Doolin’s blog since I stumbled there early this year. Btw, your article made me think of something: that Blogger blogs are more secure than WP. Not really sure, though.

  42. Wow, that is really scary. I never thought I could wake up one day and my blog is hacked. I am not sure what I would do. Thank you for the heads up; I will go change the user name from admin and make the password a bit longer. It was also a very funny post.

  43. Deanna V says: 03/12/2010 at 2:54 am

    I don’t even have my blog set up yet, and I’m already loving reading all of these articles. Your writing style is so entertaining and yes, I did learn something I won’t forget.

  44. It’s very important to have a good WordPress theme that will still work when you do updates. Before I switched to Thesis I had two blogs running on free themes.

    When I updated to a newer version of WordPress, one theme crashed completely.

  45. Very well written, Kelly. I too am in love with the internet. My wife calls my laptop my mistress, but she is glad it is technology and not a real woman. Something about fondling keys being better than other things.
    Great security heads up too. That book makes it seem way too easy to hack into anywhere. And it can be!

  46. This was a very good blog. It was filled with lots of advice. I never heard of people hacking blogs. I guess people will hack anything these days.

    Kind Regards,
    Sam
    X

  47. WordPress security is really a big issue; I lost my previous blog because I didn’t have a backup.

  48. Remember to check your backups periodically, sometimes something goes wrong with the backup process and there’s nothing that can be restored.

    I recommend doing backups at the database level if possible. I run a mysqldump on the database server and then scp the files to another system. So even if something was going wrong with my blog it wouldn’t affect the backups unless it had changed the database.

    Make sure that your backups are under your control. Emailing them to a gmail account etc is not good enough! The data must end up on physical media that you personally own, preferably multiple pieces of media. My blog backups are transferred daily to a RAID-1 array on my home server and I periodically back them up to removable drives.
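Comment 48’s mysqldump-and-scp routine, combined with Amanda’s item 2 (keep copies the blog cannot touch, and actually check them), as an added example script that is not from the post or from any commenter. It assumes mysqldump, gzip, sha256sum and scp are installed, that MySQL credentials come from ~/.my.cnf, and that the database name, table prefix and scp target below (all placeholders) are replaced with your own.

```shell
#!/bin/sh
# Database-level WordPress backup with verification. Added example, not from
# the original post. Every name below is a placeholder for your own values;
# MySQL credentials are expected in ~/.my.cnf so no password sits in the script.
set -eu

DB_NAME="${DB_NAME:-wordpress}"              # DB_NAME from wp-config.php
TABLE_PREFIX="${TABLE_PREFIX:-wp_}"          # $table_prefix from wp-config.php
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"
OFFSITE="${OFFSITE:-backup@example.invalid:wp-backups/}"  # placeholder scp target

# verify_dump FILE: refuse to trust a dump that is empty, truncated, or missing
# the core tables. mysqldump writes "-- Dump completed ..." as its last line
# only when it finished; a dump that died part-way has no such trailer.
verify_dump() {
    f="$1"
    [ -s "$f" ] || { echo "verify: $f is empty" >&2; return 1; }
    tail -n 1 "$f" | grep -q '^-- Dump completed' \
        || { echo "verify: $f has no completion trailer (truncated?)" >&2; return 1; }
    for t in options posts users; do
        grep -q "CREATE TABLE \`${TABLE_PREFIX}${t}\`" "$f" \
            || { echo "verify: table ${TABLE_PREFIX}${t} missing from $f" >&2; return 1; }
    done
    return 0
}

# make_backup: dump, verify, compress, checksum. The plain dump is verified
# before it is compressed, so a broken dump is never archived or shipped.
make_backup() {
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/$DB_NAME-$stamp.sql"
    mysqldump --single-transaction "$DB_NAME" > "$out"
    verify_dump "$out"
    gzip -f "$out"
    sha256sum "$out.gz" > "$out.gz.sha256"
    echo "$out.gz"
}

# ship_offsite FILE: copy the archive and its checksum to a machine the web
# host cannot write to, so a compromised host cannot also quietly ruin the backups.
ship_offsite() {
    scp "$1" "$1.sha256" "$OFFSITE"
}

if [ "${1:-}" = "run" ]; then
    archive=$(make_backup)
    ship_offsite "$archive"
fi
```

Run it from cron with the argument `run`; re-check the shipped copy with `sha256sum -c` on the receiving machine from time to time, which is the "check your backups periodically" step.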

  49. I love The Girl With the Dragon Tattoo, it’s fascinating.

  50. Very good article. There is a security plugin as well that will help patch up your WordPress install:

    http://wordpress.org/extend/plugins/secure-wordpress/

    I have this installed on my blog along with a highly customized .htaccess and mod_security installed and configured.

    @Ami, take out the Deny from all in .htaccess, and replace it with this:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    That should get you started again.
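Amanda’s item 1, Ami’s outage in comment 4 and the rewrite block in comment 50 are all pieces of one .htaccess question, so here is an added example (mine, not the post’s or any commenter’s) that writes a version of the file which both protects wp-config.php and keeps the WordPress rewrite rules, plus a small lint that catches the bare "deny from all" mistake before the file is uploaded. It assumes Apache with mod_rewrite and a blog living at the web root (RewriteBase /).

```shell
#!/bin/sh
# .htaccess for a WordPress root: protect wp-config.php without taking the site
# down. Added example, not from the post or any commenter. Assumes Apache with
# mod_rewrite and the blog at the web root.
set -eu

# write_htaccess FILE: the deny lives INSIDE a <Files> container, so it applies
# to wp-config.php only. A bare "deny from all" at the top level denies every
# request, which is what took Ami's site offline in comment 4.
write_htaccess() {
cat > "$1" <<'EOF'
# Block direct requests for the file that holds the database credentials.
# (Apache 2.2 syntax; on 2.4 use "Require all denied" inside the same block.)
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# check_htaccess FILE: lint before uploading (try it on a test blog first, as
# comment 16 says). Fails if a deny directive sits outside any <Files>,
# <FilesMatch> or <Directory> container, or if wp-config.php is not covered.
check_htaccess() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*<(Files|FilesMatch|Directory)[ >]/ { depth++ }
        /^[ \t]*<\/(Files|FilesMatch|Directory)>/ { depth-- }
        tolower($0) ~ /^[ \t]*(deny from all|require all denied)/ {
            if (depth == 0) { print "bare " $0 " outside a container"; bad = 1 }
        }
        /^[ \t]*<(Files|FilesMatch)[^>]*wp-config\.php/ { covered = 1 }
        END {
            if (!covered) { print "wp-config.php is not protected"; bad = 1 }
            exit bad
        }' "$1"
}

if [ "${1:-}" = "write" ]; then
    write_htaccess .htaccess
    check_htaccess .htaccess
fi
```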
