Essential Tips For Blog Security


Beware the new blog hacker!

A new WordPress blog has that same smell as a new car.

Any time I install a new blog I can feel the freshness of it and relish writing the first post. It's like the first paragraph on the first page of a new notebook, but it can quickly turn into a nightmare if you don't put some basic security in place straight away.

There are bots out there that hunt for brand new blogs (they can probably smell that new car aroma!) and fire off every known attack at them as soon as you've published your first post, so here is a list of basic things you should do any time you start a new blog.

Don’t use ADMIN as your admin username


source : http://www.otreva.com/10-steps-to-securing-wordpress/

This used to be the default username for every WordPress administrator, and spammers, crackers and hackers know it, so they set their bots to try that one username against long lists of passwords to get administrator access to your site.

If your administrator account is called admin then they already have half of what they need; all that is left is to guess the password.

Solution : Choose a unique username when you first set up WordPress.
If you already have an administrator account named admin, add a new user with a different username, give it the Administrator role, log in as that new user, and then either demote the old admin account to Subscriber or delete it (when you delete it, WordPress asks which user should inherit the old account's posts; pick your new account rather than letting the content be deleted). Bear in mind that a username is not a secret (author archive URLs and bylines can reveal it), so this step only removes the easiest guess; a strong password and a login limit (below) do the real work.

Use a non dictionary password!


Never ever ever (ever!) use a word that can be found in a dictionary as your password.

These were among the most common passwords in use in 2011/2012. Do you recognize any?

  • seinfeld
  • password
  • 123456
  • princess
  • peanut
  • shadow
  • ginger
  • michael
  • sunshine
  • tigger
  • bailey

Haha, lol at the password 'bailey'. Oh how famous I am :-)

Seriously though, by using a normal word that can be found in a dictionary as your password you make it very easy for automated bots to throw every word in a dictionary at your login page and get in (a bot can try every word in a dictionary against your login form in a few minutes). They try the obvious variations too (a capital first letter, a digit or two on the end, @ for a), so bailey123 or B@iley is no better than bailey.

Solution : Use a long mix of letters, numbers and special characters that isn't built from a dictionary word, and don't reuse it on any other site.
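As an added example (this is not code from the original post), here is a small Python check that shows why the rule above is stricter than "add a digit": it undoes the mangling that password-guessing wordlists already anticipate (case, leetspeak, trailing digits or symbols, reversal) before comparing against a list of common passwords, and it estimates how much guessing space a password really has. The word list below is a constructed stand-in for the real leaked-password lists, and the thresholds (12 characters, 60 bits) are assumptions, not figures from the post.

```python
import math
import re

# Constructed mini word list standing in for real leaked-password lists; the
# 2011/2012 entries from the post are in it, plus a few other perennials.
COMMON_WORDS = {
    "seinfeld", "password", "123456", "princess", "peanut", "shadow", "ginger",
    "michael", "sunshine", "tigger", "bailey", "letmein", "dragon", "qwerty",
}

# Leetspeak substitutions that cracking rules undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw):
    """Strip the mangling bots try first so 'B@iley123!' compares as 'bailey'."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing digits/symbols: bailey123! -> bailey
    base = re.sub(r"^[^a-z]+", "", base)   # leading symbols: !bailey -> bailey
    return base.translate(LEET)            # leetspeak: p@ssw0rd -> password


def is_dictionary_derived(pw, words=COMMON_WORDS):
    """True if the password, its de-mangled form or its reversal is a listed word."""
    base = normalise(pw)
    candidates = {pw.lower(), base, base[::-1]}
    return any(c in words for c in candidates if c)


def estimated_bits(pw):
    """Guessing space if the attacker knew only which character classes were used."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33                          # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw, min_length=12, min_bits=60):
    """Return ('weak'|'ok', [reasons]). Thresholds are assumptions, not from the post."""
    reasons = []
    if is_dictionary_derived(pw):
        reasons.append("built from a common word; case, leetspeak, trailing digits and reversal do not help")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = estimated_bits(pw)
    if bits < min_bits:
        reasons.append(f"only about {bits:.0f} bits of guessing space")
    return ("weak" if reasons else "ok", reasons)


if __name__ == "__main__":
    for candidate in ["bailey", "Bailey123!", "P@ssw0rd", "yeliab9", "123456", "vZ8#kqL2!rTm9p"]:
        verdict, why = assess(candidate)
        print(f"{candidate:16} {verdict:4} {'; '.join(why)}")
```

The point of the normalisation step is that the attacker's wordlist is not just the dictionary: bots run the same rewrite rules in reverse, so a check that only looks for the literal word passes exactly the passwords the bots try second.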

Use a limit login attempts plugin


I never realized how many bots tried to log in as my admin account until I installed this plugin! I get two or three emails from it each day telling me it has blocked someone for trying to log in with the wrong details too many times.

Keep an eye out for repeated attempts to log in with the username admin (see point 1 above), as that is a sure sign a bot is working through a password list against your blog.

Solution : Install the Limit Login Attempts plugin.

Ban the spammers!

When you get a notification that someone has been blocked for trying to log in as admin too many times, consider banning their IP address entirely.

There are several ways to do this, but the easiest is to install a plugin called WP Ban.

Be careful not to ban yourself! The plugin's settings page shows you your own IP address so you don't make this mistake. Bear in mind too that bots move between addresses, so a ban list is a tidy-up for repeat offenders rather than a defence on its own; the login limit above does the heavy lifting.

Solution : Install the WP Ban plugin and ban anyone who gets blocked for trying to log in as admin.
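Added example, not the code of either plugin: a Python simulation of the two-stage policy described in the last two sections (a temporary lockout from the login limiter, then a permanent ban for repeat offenders), run over constructed Apache-style access log lines. It treats a POST to /wp-login.php answered with HTTP 200 as a failed login (WordPress redraws the form on failure) and a 302 as a success (the redirect into the dashboard). The IP addresses, timestamps and thresholds (4 failures within 10 minutes, a 20-minute lockout, a ban on the second lockout) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields we decide on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample, in time order: 203.0.113.5 is a password-guessing bot,
# 198.51.100.7 a real user who mistypes twice and then succeeds (302),
# 192.0.2.9 fails once every 15 minutes and never fills the window.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2012:06:50:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:06:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:06:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
198.51.100.7 - - [04/Jun/2012:06:50:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2012:06:50:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:06:50:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:06:50:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
198.51.100.7 - - [04/Jun/2012:06:50:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2012:06:50:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2012:06:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
192.0.2.9 - - [04/Jun/2012:07:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2012:07:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:07:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:07:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:07:11:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/0.13"
203.0.113.5 - - [04/Jun/2012:07:11:08 +0000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "python-requests/0.13"
192.0.2.9 - - [04/Jun/2012:07:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jun/2012:07:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jun/2012:07:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


def analyse(lines, max_failures=4, window=timedelta(minutes=10),
            lockout=timedelta(minutes=20), ban_after=2):
    """Simulate 'limit login attempts' (temporary lockout) plus 'ban' (permanent)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed POSTs
    locked_until = {}              # ip -> when the temporary lockout ends
    lockouts = defaultdict(int)    # ip -> how many lockouts so far
    banned = set()
    events = []                    # (timestamp, ip, decision)

    for line in lines:             # lines are assumed to be in time order
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in banned:           # a ban covers every request, not just logins
            events.append((ts, ip, "dropped: banned"))
            continue
        if method != "POST" or path != "/wp-login.php":
            continue               # only login submissions count
        if ip in locked_until and ts < locked_until[ip]:
            events.append((ts, ip, "rejected: locked out"))
            continue
        if status == 302:          # successful login: forget earlier mistakes
            failures[ip].clear()
            continue
        # Anything else is a failed attempt (WordPress answers 200 and redraws the form).
        recent = [t for t in failures[ip] if t >= ts - window] + [ts]
        failures[ip] = recent
        if len(recent) >= max_failures:
            lockouts[ip] += 1
            failures[ip].clear()
            if lockouts[ip] >= ban_after:
                banned.add(ip)
                events.append((ts, ip, "banned permanently"))
            else:
                locked_until[ip] = ts + lockout
                events.append((ts, ip, f"locked out until {locked_until[ip]:%H:%M:%S}"))
    return {"locked_until": locked_until, "banned": banned, "events": events}


if __name__ == "__main__":
    for ts, ip, decision in analyse(SAMPLE_LOG.splitlines())["events"]:
        print(f"{ts:%H:%M:%S} {ip:15} {decision}")
```

The same parse, count, decide loop is what you feed real logs into when you want the blocking done at the web server or firewall rather than inside PHP, which has the extra benefit that a banned bot never reaches wp-login.php at all. Note that the sliding window is what keeps the slow guesser 192.0.2.9 from ever being locked out; whether that is acceptable depends on how strong the passwords behind the form are, which is why the previous section matters more than this one.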

###


So these are the simple things I always make sure I've done or installed on any new site I create. Once you install the Limit Login Attempts plugin you'll start to realize just how many attempts are made to break down your WordPress door!

Don’t have nightmares!

An article by Andy Bailey



  • saad naeem June 4, 2012, 12:38 am

    Great post Andy, would love to invite you for a guest post at my blog. Hope you remember me.

    I love the new theme Raaj, the sidebar has too many ads and looks spammy, otherwise it all looks great.
    saad naeem recently posted: How To Recover From The Google Penguin Update

  • Felicia June 4, 2012, 5:59 am

    These sure are basic yet wise tips for blog security, especially for newbies. I really liked the picture on the tip "Use a non-dictionary password" where one threw a dictionary at the other, LOL!

    I think I haven't installed a login-attempt limiter plugin on my personal blog. Glad to be reminded of that. Thanks for sharing!
    Felicia recently posted: Cory Zeidman crushed Chris Bjorin's dream of a 3rd bracelet

    • Andy Bailey June 4, 2012, 6:54 am

      Yes, the limit login plugin was a real eye opener. You'd be surprised at how many attempts are made even on a quiet blog.
      Andy Bailey recently posted: CommentLuv Premium Demo

      • Felicia June 5, 2012, 9:04 am

        I have installed the limit login plugin and I was surprised that my personal blog has been a target for some hackers. I really am not sure why they would do that and what they would gain if they successfully hacked into my blog.
        Thanks again for sharing this plugin!
        Felicia recently posted: 2012 WSOP: Doyle Brunson plans on playing 4-5 events this year

  • Ileane June 4, 2012, 7:04 am

    Hi Andy Bailey, I just heard about this WP Ban plugin yesterday on Sonia's blog and I was going to tweet you and ask your thoughts. How ironic to see you here on Raaj's blog mentioning it. Oh well, I'd better go get it asap! Thanks Andy!
    Ileane recently posted: AWeber Tour and Rapportive Integration in Gmail

    • Andy Bailey June 4, 2012, 8:30 am

      Hey, great minds think alike! :)

      I've found it quite useful. The limit login plugin will block them for a certain amount of time, but I use the ban plugin to lock out repeat offenders or obvious bots permanently.
      Andy Bailey recently posted: CommentLuv Premium Demo

  • Abhi Balani June 4, 2012, 7:39 am

    Hello Andy,

    Very useful and important article. You mentioned the main aspects of keeping our blogs secure. It's good to limit login attempts, but why show how many attempts are remaining, or whether it was the username or the password that was wrong?

    I also wrote an article on WordPress security. It includes SO MANY features, like limiting login attempts, locking out users, and securing your blog from basic attacks including brute force in a single click. It lists a total of 19-20 security issues and tells you whether you are safe from them or not, and it also schedules backups and has a few more options. I found it the most effective security plugin ever.
    And I have a maths CAPTCHA on my blog registration page to prevent spam registrations.

    Here's the link: http://oddblogger.com/best-wordpress-security-plugin/

    You might like that plugin. If you like it, please share it with all your friends. I am doing the same.

    Thank you for this article.
    Abhi Balani recently posted: OddBlogger WON Blog Engage Guest Blogging Contest #2

    • Andy Bailey June 4, 2012, 8:36 am

      Hi Abhi,

      Thanks for the comment.

      You can show how many attempts remain so real people know what is going on. I know for sure that I forget my login details to some places, so the notification lets anyone know that they made a mistake instead of just being locked out without warning.

      That security plugin looks OK, but for new blogs I like to keep the initial set of security plugins to a minimum. Too much security can hamper a lot of things, and WordPress already has some great security-related code built in. I've had millions and millions of hits to my sites and it's always the login form that gets the attention (and comment spam bots, but I've coded a plugin for that), so that's where I concentrate the security.
      Andy Bailey recently posted: CommentLuv Global Search Engine

      • Abhi Balani June 4, 2012, 10:30 am

        You are right, too much security can hamper. We just need to understand first what we are going to do, how, and what its effects can be.

        The limit login option in that plugin has settings for the number of attempts users are allowed, the lockout time and a few more.

        And I have got good feedback on that article. People find it easy when they can solve their big issues in a single click or with ease. So, for the non-techies out there, this can be good.

        Since the day I installed that plugin I get so many notifications about users who get banned for login attempts, or for trying to open a file that doesn't exist, and I am amazed to see IP addresses from places I have never heard of. The plugin blocks them, notifies me, and sends a backup file to my email address according to the schedule I have set.

        For a bit more security, I enable "Away mode" from 1:00 AM to 7:00 AM. It disables the dashboard and login links for that particular time and redirects to the homepage. I like this feature; we really don't need our dashboard to stay enabled while we are sleeping. Right? :)
        Abhi Balani recently posted: 5 Techniques for Successful On-Page SEO

      • Abhi Balani June 4, 2012, 10:34 am

        And yes, I would love to publish any guest post of yours on my blog. :D You are most welcome!
        Abhi Balani recently posted: Handy tips to scare away blog readers!

  • Martin Cooney June 4, 2012, 10:08 am

    The Internet has been and always will be a playground for naughty little boys and girls.

    With that in mind, we all need to be aware that it is only a matter of time before you're likely to be targeted by these idiots. They will find your site in an endeavour to take advantage of any insecurities.

    Some good tips. Also check out plugins such as http://wordpress.org/extend/plugins/secure-wordpress/ to ensure the core files are also locked down. And make sure you're doing regular backups, just in case you do have to restore due to a nasty.

    Great reminder, Andy, on the importance of security. You can never have too much.
    Martin Cooney recently posted: Top 4 Relationship Post Reviews for the Week

    • Abhi Balani June 4, 2012, 10:43 am

      Thanks for the suggestion, Martin!

      It does look good. I am going to check the details and compare it with my current security plugin. You can scroll up to see my first comment where I suggested a plugin.
      Abhi Balani recently posted: OddBlogger WON Blog Engage Guest Blogging Contest #2

      • Raaj Trambadia June 4, 2012, 10:51 am

        Hey Abhi! Just wanted to give you some feedback. Better WP Security seems really amazing. Will soon be implementing that plugin here. Just saw the post on your blog and it seems to be fantastic. Cheers brother!
        Raaj Trambadia recently posted: How To Make Money With CommentLuv Premium Plugin

        • Abhi Balani June 4, 2012, 4:20 pm

          Hello Raaj,

          Thank you for visiting my blog. And I feel the same, it is a very good plugin. And Andy is right, there might be some conflicts with themes and plugins if you apply all the solutions. That's why I have suggested only those fixes which don't conflict with any theme or plugin. So you don't have to worry about conflicts. Let me know if you need any help. Thank you!
          Abhi Balani recently posted: 10 Simple Tricks To Improve Your Website Rankings

    • Andy Bailey June 4, 2012, 11:26 am

      You should be careful about locking down some admin files though. WordPress AJAX functions (like CommentLuv uses) need access to the wp-admin/admin-ajax.php file, and if you lock that, all plugins that use the standard WordPress AJAX functions will stop working!

      It's been a regular problem reported by over-eager security plugins on my support ticket system.
      Andy Bailey recently posted: Buy CommentLuv Premium

  • Phoebe Woods June 5, 2012, 2:21 am

    Very helpful and informative post, Andy. I've been a victim of hackers many times now and I am guilty as charged for using dictionary words as my passwords back then. Well, I've learned enough. Ha ha! Thanks for the tips and yes to web safety and protection! :)
    Phoebe Woods recently posted: Entry Level Regional Sales Executive – Downtown Chicago

  • Ahsan June 5, 2012, 3:57 pm

    Yeah, these are great tips to secure a WP blog. I installed the limit login attempts plugin too.
    Ahsan recently posted: Facebook Launch Promote Page Post feature

  • Theresa Torres June 11, 2012, 10:20 am

    How very scary! I thought only well-established and successful blogs were vulnerable to attacks. Now they are even targeting new blogs. Thanks for letting us know, Andy, and for providing solutions. Everyone with a blog, especially newbies, should be made aware of this.
    Theresa Torres recently posted: Do Men and Women Use their Credit Cards Differently?

  • Pavan Somu July 3, 2012, 1:09 pm

    Yeah, you have mentioned good points. As everyone knows from the recent hacking stories, Indian blogging legend Amit Agarwal's blogs and Amit Bhawani's Twitter had been hacked and the data completely wiped out. So we must be secure in the web world.
    Pavan Somu recently posted: Accomplish Aimed Traffic for Your Website with SEO Services

  • April Atkins July 9, 2012, 5:46 am

    Aside from these, there are also simple security things that you should do on the pages of your blog. One is that you should definitely remove the "powered by WordPress" phrase from your pages. WordPress hackers simply search for these terms and add a keyword to find a page with that keyword that is using the WordPress CMS, which is by far the easiest to hack because of the resources online.

  • Prabhat August 15, 2012, 7:55 am

    Hi,
    Thanks for this useful information. These things are really important for any website for security reasons. Thanks again for writing such useful information.

    Take Care
    Thanks & Regards
    Prabhat
    Prabhat recently posted: Where is God and What is God

  • website design December 14, 2012, 5:28 am

    It's an informative post. The plugins for your WordPress blog are installed under the blog/wp-content/plugins directory. In older versions of WordPress this was not protected adequately, but in recent versions there is better protection. A simple way to protect it from prying eyes is to leave a blank HTML file named index.html in it. Make sure to check whether this file is in there. Thanks

  • Kenya safari January 23, 2013, 12:14 pm

    A lot of people slag CommentLuv off because they think it is a prime target for spammers... what they don't realize is, every blog is a prime target!

