This guest post is by Sean Sullivan of F-Secure.
It’s a notion that strikes fear deep in the heart of every blogger. No, we’re not talking about getting dooced (fired for blogging). We’re talking about waking up in the morning, loading up your blog, and finding a screen that looks something like this:
Or perhaps it wasn’t as overt—you just discovered links injected into your site footer containing the anchor text of a certain famed pharmaceutical brand.
In any case, these kinds of scenarios aren’t good news for bloggers. Those fickle web users you work hard to attract can easily be put off by a hacked site and never return. Or, just as bad, being hacked (and not fixing it) risks the search engine equity you’ve built up over years of blogging, and which is time-consuming to restore.
If your site has been hacked or spammed, you’ve likely been through the tedious and time-intensive process of combing through MySQL databases, theme files, and directories on your server. If you’re lucky, you found the problem, removed it, and got things back up quickly (without having it replicate again, which we’ve seen). Or perhaps you had a backup copy and completed a restoration process.
But even then, this situation is not ideal. If you’re anything like us, you feel it’s unacceptable for your blog to be brought down, even for a moment—and especially by hackers.
The single most important tip? An ounce of prevention is worth a pound of cure.
Nowhere is that adage more important than in security, simply because hackers, both the automated and the manual kind, choose the path of least resistance.
To a large extent, many are playing a numbers game: they try to build black-hat links or manipulate website content so that illegitimate companies rank higher in search engines. To accomplish this, hackers frequently send crawlers across the web to seek out the most vulnerable sites.
So how can you stay safe?
1. Keep your blogging software up to date
As we know, most bloggers here use WordPress (and definitely most professional bloggers use a self-hosted installation). Keeping it up to date is critical. Unfortunately, since WordPress is so popular, it’s frequent prey for hackers. By keeping up with the latest updates, you’ll ensure security and get vulnerability fixes straight from the source, as the WordPress community actively works to maintain the security of the software.
2. Choose secure logins and passwords
Brute force attacks can easily be prevented: choose a secure login and password. By “secure login” we mean changing the username from the default “admin” to something less predictable. For a “secure password,” use something that is at least ten characters long and contains at least one upper-case letter and one symbol, such as an exclamation mark. This will make it virtually impossible for either a human or computer to guess your login details.
3. Beef up security with WordPress plugins
There’s a huge number of free WordPress plugins written by Good Samaritan developers looking to keep their blogging peers safe. A few must-haves include: Secure WordPress, which removes from your WordPress install some critical meta information that a hacker could use against you; Limit Login Attempts, which makes a brute-force attack basically impossible; and WP Security Scan, which provides a report about your specific configuration of WordPress and suggests corrective actions.
4. Only blog from a system that is safe, secure, and spyware-free
For those who aren’t so tech savvy: your WordPress install (or any blog install) is software and runs on an operating system, similar to how your own computer runs.
One of the easiest ways for malicious code to find its way onto your blog is through an infected system. In reality, your blogging software is only ever as safe as the system you access it from. The best way to keep your system safe is with a comprehensive Internet security and anti-virus product. Alternatively, you can check with your ISP—many of them now offer Internet security to their subscribers.
5. Automated backups: set it and forget it
You can set up automatic backups easily via a simple plugin. Alternatively, for those who run popular sites and are very serious about the safety of their posts, Automattic (the makers of WordPress) recently started to offer a premium service called VaultPress, which provides dead-simple backup of not just databases, but all files associated with WordPress. Frequent snapshots of your install are critical and, aside from providing peace of mind, will ensure that even if you ever get hacked, you don’t lose your work.
6. Stop spammers in their tracks
You can use Akismet (which analyzes comments via hundreds of tests) to quickly and effortlessly deal with spam comments, or use Bad Behavior (which references bad IP addresses via Project HoneyPot) and block them from even reaching your site in the first place.
What to do in the worst-case scenario
Even with prevention, code compromise is always possible. It happens to even the savviest bloggers. If you ever do get hacked or find webspam on your site, and aren’t sure what to do, don’t panic and start deleting files. This can make the situation much worse.
Instead, take screengrabs of the issue, and send them to someone who specializes in WordPress (or whatever your blogging software is) along with the most recently known good backups. This issue is very common, so there are many who specialize in helping fix just this situation.
Of course, these are just basic tips for prevention that everyone should take. There are more advanced tips (for example, locking down the /wp-admin/ directory with an .htaccess file) but if you can start out by implementing the tips above, you’ll already be a notch safer than most.
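A minimal version of that /wp-admin/ lockdown, as an added example that is not part of the original post: an Apache 2.4 .htaccess placed in /wp-admin/ that admits the dashboard only from a trusted IP address or to visitors who pass a second, browser-level login. The .htpasswd path and the 203.0.113.10 address are placeholders to replace with your own.

```apache
# Added example (not from the original post): /wp-admin/.htaccess
# Assumes Apache 2.4+ with mod_authz_core and mod_auth_basic loaded,
# AllowOverride permitting AuthConfig/Limit in .htaccess, and an .htpasswd
# created with:  htpasswd -c /path/outside/webroot/.htpasswd editor
# (placeholder path; keep it outside the web root so it is never served).

# 1. Second password in front of the WordPress login form: a brute-force
#    script that has not passed this challenge never reaches WordPress at all.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/outside/webroot/.htpasswd

# 2. Grant access if EITHER condition holds: the request comes from your own
#    static address (203.0.113.10 is a documentation-range placeholder), OR the
#    visitor authenticated against the .htpasswd file above.
<RequireAny>
    Require ip 203.0.113.10
    Require valid-user
</RequireAny>

# 3. Caveat: themes and plugins call /wp-admin/admin-ajax.php from the public
#    site, including for logged-out readers. Leaving it locked breaks those
#    features, so this file is exempted from the rules above.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Note that wp-login.php lives in the site root, not in /wp-admin/, so it is not covered by this file; and because HTTP Basic credentials travel base64-encoded rather than encrypted, serve the dashboard over HTTPS.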
Has your site been hacked? Tell us what happened—and how you rectified the problem—in the comments.
Sean Sullivan is security advisor for F-Secure, a provider of award-winning anti-virus and computer security software. You can find more great security tips like this on F-Secure’s Safe and Savvy blog and stay at the cutting edge of the latest online threats via the F-Secure labs blog.