10.1 Why you need to take blog security seriously

You have probably read news reports about “hacking” and cyber security issues in the mainstream media. It is important to understand what “hacking” entails before taking steps to minimise your risk. According to hosting provider GoDaddy (godaddy.com), being “hacked” means that two things have happened. First, someone has gained access to the account you use to manage your blog or website. Second, that person has used the access to change the site in some way.
Sometimes, it will be obvious that a site has been hacked. For example, a hacker may remove the site content and replace it with a single page or message of their choosing. Other obvious signs include a number of links (often to undesirable or obscene content) scattered throughout a site and other visual content, such as unwanted advertisements and pop-up windows. However, it isn't always possible to tell from a superficial inspection that a site has been hacked. Hackers can adjust a website's code or settings in such a way that the site owner may not realise that visitors to their site are automatically redirected elsewhere or have malicious software automatically downloaded to their computers.
Many people assume that only large websites and corporations fall victim to hacking, but hundreds of thousands of personal and small business blogs are hacked every day. Unless you take appropriate precautions, both your website and your online reputation could suffer serious damage.
It is safest to assume that your site will almost certainly be on the receiving end of a hacking attempt at some point in the future, so one of the first steps you should take after you have set up your blog is to choose a security option that fits your needs and budget. Do not risk losing your blog content or driving away visitors.
10.2 The consequences of a successful hacking attempt

Complete erasure
If someone manages to break into the account you use to make changes to your blog, they theoretically have the power to erase all of your content and turn the site into a blank slate to use as they please.
Slower running times
If a hacker succeeds in placing malicious links or scripts within your blog's code, the only visible sign may be a slower page loading time. Nonetheless, even if this is the only tangible consequence, it can still have a detrimental effect on your visitors' experience.
Stolen personal information
If you use the same or similar passwords across multiple accounts - for example, the same password for your main email account and the account you use to edit your blog - a hacker may try to get into those other accounts using information gained from a successful blog hack. Many bloggers make their email addresses and social media handles publicly viewable. If a hacker has cracked the password to the account you use to edit and control your blog, they may well try that same password against your other accounts.
This can have disastrous consequences, if the hacker gains access to personal or financial emails. If you run a membership website, maintain an online store, or charge people money to view certain pieces of content on your blog, it is possible that a hacker could gain access to your customers' personal information. Severe security breaches cause, at minimum, an unwelcome level of stress and, at worst, can ruin your online reputation.
Lost time
Even if you back up your blog content on a regular basis, it still takes time to recover from a successful hacking attempt. If your blog were to be hacked, you would need to not only upload the content again, but also invest time in scanning your site for any threats that have escaped your attention and change your passwords. You may also have to spend time seeking advice from your hosting provider or the company responsible for maintaining your blogging platform.
Blacklisting by Google
If your site is hacked in such a way that a hacker leaves behind malicious links or makes other changes that could jeopardise your visitors' internet safety, it may be “blacklisted” by Google. Google takes the safety and quality of user experience very seriously and its algorithms work on the principle of “better safe than sorry”. This means that if your site is judged to be dangerous, your chances of showing up in the first couple of search results are greatly reduced. As a consequence, any work you have put into improving your search engine rank could literally disappear overnight as the result of a hack.
Emotional distress
Discovering that your blog has been hacked can be upsetting, especially if the hacker has left behind some offensive content or changed your site in another way that could damage your reputation. Although hacking is seldom personal - remember that many attacks are automated and carried out by bots that attempt to crack passwords simply by trying large numbers of combinations - it can feel as though you have been insulted and victimised.
FACT
Figures published by the government in 2017 revealed that almost half of all UK firms were hit by a cyber breach or attack in the previous year.
Source: iod.com
10.3 Why do people attempt to hack into blogs?

You may be curious as to why some individuals attempt to gain control over other peoples' websites. According to Tony Perez of internet security firm Sucuri, the reasons range from calculating to apparently irrational. The first point he makes is that it is increasingly easy to automate hacking attempts. Hackers do not have to manually locate a login page and then try various passwords, in an attempt to access a control panel. Most hacking incidents are the result of automated processes.
This means that hackers do not need to discriminate between small blogs and the kind of websites you might imagine to be “better” or “bigger” targets - because the effort required to run mass hacking attempts is so minimal, they are content to try and gain access to sites of all kinds. Automated attacks are made possible by the deployment of “crawlers”. These are programs created by hackers that trawl the internet, looking for websites with vulnerabilities.
For example, a website built with an outdated version of WordPress is often vulnerable, because hackers continually find security loopholes that require “patching up” with a new version of the software. This is why you must always use the latest version of WordPress, if it is your content management system of choice.
According to Sucuri, a new blog is typically found by crawlers, and therefore starts receiving automated attack attempts, within around 30-45 days of going live. Another common type of attack is a Denial of Service (DoS) attack, in which the attacker's aim is simply to make a website unavailable, usually by flooding it with more requests than it can serve. This may be done to knock out a competitor's website, or just for the challenge. Many hackers are motivated purely by boredom and a drive to prove that they can outsmart website owners. Others do it because hacked websites can be turned into money.
For example, if they can plant code that silently installs malware on a visitor's computer (a so-called drive-by download), they can harvest personal information such as passwords to bank accounts. Another way hackers make money from a hijacked website is via “Blackhat SEO” campaigns. This entails changing the content of a website so that visitors (or search engines) are redirected to a website, such as an affiliate site, that encourages them to spend money on various products and services.
10.4 Why you should always keep backups of your content

As illustrated in the previous section, your blog is at risk of complete erasure should it come under attack. This is why it is vital that you keep backup copies of your content. If you are using an all in one platform such as Blogger, Tumblr or Wix, you should familiarise yourself with their backup functions as soon as you set up a blog. Usually, these platforms have simple one-click options that allow you to save a copy of your site to your computer. In the event of a security breach, you can use this backup (following advice from the provider as necessary) to restore your blog.
If you are using a self-hosted WordPress site, you should use a plugin that automatically creates and stores a copy of your blog, meaning both the site files (including wp-content, where your uploads, themes and plugins live) and the database, where your posts and settings are held. Two popular plugins designed for this purpose are BackupBuddy (ithemes.com/purchase/backupbuddy/) and UpdraftPlus (updraftplus.com). BackupBuddy costs around £60 per year, whereas UpdraftPlus is available in both free and premium versions, the latter costing from £50 per year. These plugins come with helpful customer support, the ability to create backups on a schedule of your choosing (e.g. daily, weekly, or monthly) and the option to send a copy of your website files to an email or online storage facility, such as Dropbox (dropbox.com). Always send backups somewhere other than the web server itself: an attacker who controls the site can delete or infect backups stored alongside it. Keep several generations rather than only the latest, so that a backup taken after an undetected compromise does not overwrite your last clean copy, and test a restore at least once so you know the procedure works.
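The following is an added example, not part of the course and not the code of BackupBuddy or UpdraftPlus: a minimal backup routine for the files of a self-hosted WordPress site that shows the three things the paragraph above asks for. It archives the site directory, records a SHA-256 checksum beside the archive so that a corrupted or tampered backup is detected before you rely on it, keeps only the newest N generations, and refuses to restore an archive that fails its checksum. It assumes the database has already been dumped (for example with mysqldump) into a file inside the site directory so that it travels with the files; the sample site it builds is constructed for demonstration.

```python
"""Added example: file backup with integrity sidecar, retention and verified restore.
Not the course's or any plugin's code. Assumes a database dump has already been
written into the site directory (e.g. by mysqldump) before make_backup() runs."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, backup_dir: Path, label: str = "") -> Path:
    """Archive site_dir into backup_dir/<label>.tar.gz and write <label>.tar.gz.sha256 beside it."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")  # relative paths, so the archive restores anywhere
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches the checksum recorded when it was made."""
    sidecar = Path(str(archive) + ".sha256")
    return sidecar.exists() and sidecar.read_text().strip() == sha256_of(archive)


def prune_backups(backup_dir: Path, keep: int = 7) -> list[Path]:
    """Delete all but the newest `keep` archives; timestamped labels sort chronologically."""
    archives = sorted(Path(backup_dir).glob("*.tar.gz"))
    removed = archives[:-keep] if keep > 0 else archives
    for old in removed:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return removed


def restore_backup(archive: Path, target_dir: Path) -> list[str]:
    """Extract a verified archive into target_dir and return the restored file list."""
    if not verify_backup(archive):
        raise ValueError(f"checksum mismatch or missing sidecar for {archive}")
    target_dir = Path(target_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Skip absolute or parent-relative names so a crafted archive cannot write outside target_dir.
        safe = [m for m in tar.getmembers()
                if not m.name.startswith("/") and ".." not in m.name.split("/")]
        tar.extractall(target_dir, members=safe)
    return sorted(p.relative_to(target_dir).as_posix() for p in target_dir.rglob("*") if p.is_file())


def make_sample_site() -> Path:
    """Constructed stand-in for a WordPress directory, used only for the demonstration."""
    site = Path(tempfile.mkdtemp()) / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed sample, not a real config\n")
    (site / "wp-content" / "uploads" / "photo.txt").write_text("constructed upload\n")
    (site / "database.sql").write_text("-- constructed stand-in for a mysqldump output\n")
    return site


if __name__ == "__main__":
    site = make_sample_site()
    backups = site.parent / "backups"
    archive = make_backup(site, backups)
    print("backup ok:", verify_backup(archive))
    print("restored:", restore_backup(archive, site.parent / "restore"))
```

Run it on a real site by passing the WordPress root as site_dir and a directory on another machine (or a mounted cloud store) as backup_dir; the checksum sidecar is what tells you, months later, whether the archive you are about to restore is the one you made.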
Activity: Back Up Your Content
Time: 5-15 Minutes
Ensure that you know exactly how to back up your content and create a new backup today.
This may require you to look through the help pages associated with your preferred blogging platform, or to install and use a backup plugin if you are running a self-hosted WordPress blog. Either way, it is important that you have a backup plan in place from the very start of your blogging career.
10.5 How to prevent hackers from accessing your WordPress blog

This section outlines a few steps everyone using WordPress should take, when securing their blog. Although these tips are specific to WordPress, the general principles underlying them are a solid foundation for good cyber security, regardless of which platform you use.
Never use the default “admin” account
Older versions of WordPress created a user called “admin” on installation, and many one-click installers offered by hosting providers still pre-fill that name. Remember that in order to log in to your blog, a hacker needs both your username and your password. Most automated attacks simply try “admin” with a list of common passwords, so an account by that name attracts a constant stream of guesses. Do not, however, assume that a different username is secret: WordPress tends to expose usernames through author archive pages and its REST API, so a strong password and two-factor authentication (see 10.6) remain the real barrier. WordPress does not let you rename an account, so create a new user with full administrator rights, log in as that user, delete the original “admin” account and, when prompted, reassign its posts to the new user.
Update software, themes, plugins and add-ons, whenever new versions become available
WordPress is continually under development. Its developers are regularly alerted to potential or proven vulnerabilities in the software, which could leave users at risk of being hacked. In an attempt to keep up with hackers, WordPress releases new versions as soon as these vulnerabilities have been fixed. It is therefore in your best interest to apply updates as soon as possible. Since version 3.7, WordPress installs minor and security releases automatically by default; leave that switched on. The same advice applies to themes, plugins and any other add-ons you use on your site, and you should delete, not merely deactivate, anything you no longer use, because the files of an inactive plugin are still on the server and can still be attacked. Vulnerabilities in old versions of WordPress are public knowledge, so hackers can easily research ways of exploiting weaknesses in blogs that are run using outdated programs.
Choose themes and plugins with care
When you are looking to download a plugin or theme for WordPress, prefer those available from the official WordPress directory (wordpress.org). Items listed there have been through the directory's review process and are watched by a large community, which makes outright malicious code far less likely, though it is not a guarantee that every later update is flawless, so the updating advice above still applies. If you want to use plugins from other sites, carry out some background research first and make sure that the company has a good reputation, has been reviewed by independent sources and has comprehensive customer support in place in the event that something does not quite work as it should. Never install “nulled” (pirated) copies of paid themes or plugins: they are a common way of smuggling backdoors onto a site.
Choose a good all round security plugin or application
There are several options - both free and paid - for WordPress users who want all in one security solutions for their blogs. The advantage of an all in one solution is that you do not have to worry about learning how to use an assortment of plugins (for example, a plugin that guards against malware and a plugin that guards against malicious spam) - all you have to do is make a single installation and then ensure that you are using the latest version. Three of the most popular options are outlined below.
Sucuri (sucuri.net) is perhaps the best known paid WordPress security solution. It costs £230 per year and is specially designed to detect and remedy vulnerabilities, malware and viruses within WordPress websites. Once you sign up, Sucuri promises to remove any infections from your site within six hours. They have a dedicated customer support service that offers advice to anyone who has concerns about their website security and can offer step by step guidance as to how you can prevent future attacks.
If your site is hacked and blacklisted by Google as a result, Sucuri will even help remedy the situation the same day. This limits damage to your website's reputation. The service is unlimited, meaning that you do not have to pay any extra costs if your site is reinfected. The disadvantage is that Sucuri's complete protection plan is expensive, so hobby or beginner bloggers may not be able to justify the cost.
Free solutions
A free solution is the All In One WP Security & Firewall plugin, available from wordpress.org. It does not offer live customer support, but it works in the background to detect and identify any security threats. It includes many useful features, such as anti-spam measures, file system security scanning, an ability to block or blacklist particular internet IP addresses, automatic logout of users after a specified period of time and a simple to use interface that invites you to make security changes deemed to be either “Basic”, “Intermediate”, or “Advanced.”
A visual guide - the Security Strength Meter - helps you to identify and implement the most appropriate measures for your blog. It also allows you to create backups of your files. As of early 2017, this plugin had a rating of 4.8 out of 5 stars on the WordPress directory and had been installed over 400,000 times, signalling its strong reputation.
Another free option is the Wordfence plugin, which is also available from the WordPress directory. As of June 2018, Wordfence had recorded more than 2 million active installations. With a rating of 4.8 out of 5 stars it has been very well received by the WordPress community. It is now in its seventh version and is frequently updated by its creators, who have kept the original plugin open source and free to use. It has many features in common with the All In One WP Security & Firewall plugin, allowing you complete control over who logs into your WordPress installation, as well as continually scanning your blog for any signs of malware or other security breaches.
When you first install Wordfence, it carries out a comprehensive scan of your blog to check for pre-existing infection. There is also a premium version of the plugin available, for around £6.50 per month (wordfence.com). At the time these figures were gathered, the paid upgrade included additional features such as the ability to block visitors from particular countries and the option to use two-factor authentication when logging in to edit your blog; two-factor authentication has since been moved into the free version, so check the current feature list. Paid users receive access to a live “threat feed”, notifying them of the number and nature of attacks across all Wordfence-protected sites. Those using the free option also have access to this information, subject to a 30-day delay.
10.6 Strong passwords, two-step verification and other security measures

A strong password makes it much harder for someone to hack into your account and, by extension, into your blog. Do not base it on words found in dictionaries, names, dates or anything else about you that is public, and never reuse a password from another account. Length matters more than clever substitutions: current guidance (NIST Special Publication 800-63B) treats eight characters as the bare minimum, favours long passphrases over forced mixes of symbols, and recommends checking candidate passwords against lists of passwords exposed in previous breaches. The simplest way to meet all of this is to let a password manager generate and store a random password of 16 characters or more for every account. If multiple people contribute to the blog, ensure they too adhere to these guidelines, and give each contributor their own account with only the role they need, so that one weak password does not expose administrator rights.
Two-factor authentication (also known as two-step verification) is an effective way of blunting brute force and password-guessing attacks, because it requires anyone logging in to have not only the correct username and password (both of which may be guessed or stolen) but also a short-lived code, typically generated by an authenticator app on the user's phone from a secret shared with the site when the feature is set up, or sent by text message. App-generated codes are preferable to text messages, which can be intercepted or redirected. Whether you can use this feature will depend on the blogging platform you have chosen. If you are using WordPress, the Duo Two-Factor Authentication plugin (available from wordpress.org) is one option; Clef (getclef.com), which this course previously recommended, was discontinued in 2017, and the WordPress directory lists several other two-factor plugins. When you enable it, print or save the backup codes the plugin gives you and keep them somewhere safe, because without your phone or those codes you will be locked out of your own blog.
10.7 Safeguarding your identity and personal information whilst blogging

Your primary concern with regard to security is probably to limit the likelihood that your blog will be hacked, but it is also important to be aware of other security related issues that are relevant to bloggers. These include device management, disclosure of personal information and remaining mindful of the type of internet connection you are using.
Always keep your smartphone, tablets and other mobile electronic devices protected with a passcode or password. If your device is stolen, the thief may be able to access your emails and, by extension, your login data for your blog. This is especially important if you have the habit of remaining logged in to your email or even your blog account. Even if your device is passcode or password protected, change your login details as soon as you notice the theft, and end any sessions still open on the stolen device: WordPress offers a “Log Out Everywhere Else” button on your profile page for exactly this purpose.
When blogging, always consider what you are sharing and revealing about yourself online. Remember that you do not have to post your full address, telephone number and place of work for a reader to deduce your identity.
For example, if you work in a small or specialist field, have a photo of your face posted on your blog and mention the county or district in which you live, you have given someone sufficient information to track you down, if they were determined enough to do so.
Most people using the internet are reasonable, law-abiding individuals. Unfortunately, a significant minority are sufficiently disturbed that in some cases, they take pleasure in trolling, harassing, or even stalking others based on information they discover online. Use your common sense when blogging. In some instances - for example, if you are running a business blog - it is perfectly appropriate to use a headshot and to indicate that you work for a particular company.
However, if you are writing about more personal or controversial matters, keep photos and identifying information to a minimum. If you want to mention or even picture your family, friends, or colleagues on your blog, always ask for their permission beforehand. If you have children, think very carefully before posting photographs and never mention where they go to school, who their friends are, or where they live. Although it is unlikely to happen, such information could be used by predators who wish to harass or assault children.
Security breaches
Finally, remember that an unsecured internet connection can result in security breaches. When you log in to the account or accounts you use to manage your blog - or any related accounts which may contain information such as passwords, including the email account you use for blog related business - anyone on the same network with the right tools can intercept and “read” what you send if the connection is not encrypted. The first and most important defence is to make sure your blog's login page and dashboard are only ever served over HTTPS (the address begins with https:// and the browser shows a padlock); if your host offers a free certificate, enable it and force HTTPS for the whole site.
Do not edit your blog or process any confidential transactions whilst using a public Wi-Fi network, unless you are using a Virtual Private Network (VPN). This is a program that encrypts everything you send between your device and the VPN provider's server, so that someone on the local network cannot read or tamper with it; be aware that the VPN provider itself can see that traffic, which is why HTTPS on the blog remains essential. Trusted VPN providers include NordVPN (nordvpn.com) and IPVanish (ipvanish.com). Both cost around £5 per month to run.
10.8 How to stop spam and malicious communications on your blog

Blogging is a great tool to use in building online communities and inviting discussion. Allowing comments on your blog posts is an effective way to interact with your readers, learn what they think about your posts and encourage them to exchange ideas. Unfortunately, unless you take steps to ensure otherwise, you will soon find that your blog posts attract nonsensical, link-filled, or hostile comments. Human spammers often have no interest in the content of a post, but wish to comment because they want to promote their own site or business. Alternatively, they may post hostile comments that add nothing to the blog content or discussion.
Automated spamming programs - usually referred to as “spambots” - scan for comment sections and forms on blogs, fill in every field they find and submit the result as a comment, with no human effort involved. Spambots are often created for the sake of spreading a link as far as possible all over the internet.
Fortunately, it is usually possible to screen all comments for spam as soon as they are submitted to your blog and before they are published. Before you sign up with a blogging platform such as Squarespace or Wix, check that it has measures in place that allow you to inspect all comments and manually approve each one before it is published. You should also check whether you will have the option of using an application that uses CAPTCHA technology. A CAPTCHA is an extra field added to a form that requires the individual filling it in to complete a short and simple task that cannot be easily undertaken by spambots.
For example, a CAPTCHA may randomly generate a simple sum every time a comment form is loaded and refuse the comment unless the correct answer is entered in the relevant box. This stops simple bots; more determined spammers use image recognition or paid human solvers to get past CAPTCHAs, so combine it with moderation and a spam-filtering plugin rather than relying on it alone. A complementary trick is the “honeypot”: a form field hidden from human visitors by the page's styling, which a bot that fills in every field will complete, giving itself away.
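As an added example, not part of the course and not the code of Squarespace, Wix or any CAPTCHA plugin, the following shows the server side of the two checks just described for a comment form. The arithmetic challenge is generated fresh on every page load and carried to the server in a hidden field as a token signed with an HMAC and carrying an expiry, so the server stores nothing per visitor, the visitor cannot forge a token or swap in an easier question, and a stale token is rejected; a set of used tokens makes each one single-use. The honeypot and minimum-fill-time checks catch bots that fill every field and submit instantly. The field names (website_url, captcha_token, captcha_answer), the key, and the thresholds are assumptions for the example.

```python
"""Added example: HMAC-signed arithmetic CAPTCHA plus honeypot and timing checks
for a comment form. Not the course's or any platform's code; field names are assumed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed: generate once and keep it secret
CHALLENGE_TTL = 600                    # seconds a challenge stays valid
MIN_FILL_SECONDS = 3                   # a human does not complete the form faster than this
_used_tokens: set[str] = set()         # single-use guard (per process here; a cache in production)


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def new_challenge(now: float | None = None, key: bytes = SERVER_KEY) -> tuple[str, str]:
    """Return (question shown to the visitor, opaque token for a hidden form field)."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(20) + 1, secrets.randbelow(20) + 1
    nonce = secrets.token_hex(8)       # makes every token distinct even for the same sum
    payload = f"{a}+{b}|{int(now) + CHALLENGE_TTL}|{nonce}"
    return f"What is {a} + {b}?", f"{payload}.{_sign(payload, key)}"


def check_captcha(token: str, answer: str, now: float | None = None, key: bytes = SERVER_KEY) -> bool:
    """Validate signature, expiry, single use and the arithmetic, in that order."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(".")
    if not payload or not hmac.compare_digest(_sign(payload, key), sig):
        return False                   # forged or altered token
    expr, expires, _nonce = payload.split("|")
    if now > int(expires) or token in _used_tokens:
        return False                   # expired or replayed token
    a, b = (int(x) for x in expr.split("+"))
    if answer.strip() != str(a + b):
        return False                   # wrong answer; token stays usable for a retry
    _used_tokens.add(token)
    return True


def is_spam_submission(form: dict, loaded_at: float, now: float | None = None) -> bool:
    """Honeypot, timing, then CAPTCHA. `form` holds the posted fields; the hidden
    'website_url' field must stay empty because real visitors never see it."""
    now = time.time() if now is None else now
    if form.get("website_url", "").strip():
        return True                    # bot filled the invisible field
    if now - loaded_at < MIN_FILL_SECONDS:
        return True                    # submitted faster than a human could type
    return not check_captcha(form.get("captcha_token", ""), form.get("captcha_answer", ""), now)


if __name__ == "__main__":
    question, token = new_challenge()
    print(question)                    # shown beside the comment box; token goes in a hidden field
    bot_post = {"website_url": "http://spam.example", "captcha_token": token, "captcha_answer": "0"}
    print("bot rejected:", is_spam_submission(bot_post, loaded_at=time.time()))
```

The expiry bounds how long a harvested token can be held before use, and the nonce plus the used-token set stop the same solved token being submitted with a thousand different comments. Keep the arithmetic easy: the barrier is the fresh, signed, single-use challenge, not the difficulty of the sum.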
Activity: What Precautions Do Others Use?
Time: 10-20 Minutes
Visit your two or three favourite blogs, within your niche. Search for “security” or “spam” within their website and you may discover one or more posts in which they talk about their anti-spam precautions or how they have used a particular software following an attempted or successful hacking.
Do they have any useful tips to share? Look at their blog comments section, if applicable. Do they have any kind of screening or moderation process in place, especially for new commenters?
10.9 What you should do if you suspect your blog has been hacked
If you think that someone has managed to hack into your site, a good first step is to check it with Google's Safe Browsing tool, which will tell you whether Google has found malware or deceptive content on it.
The diagnostic address given when this module was written was google.com/safebrowsing/diagnostic?site=[your domain name/blog address]; the tool now lives in Google's Transparency Report at transparencyreport.google.com/safe-browsing/search?url=[your domain name/blog address]. If you have registered the site in Google Search Console, its “Security issues” report gives the same information together with the affected pages.
Bear in mind that a clean result only means Google has not detected anything; it does not prove the site is uncompromised. Your next step will depend on the blogging platform and any security software or plugins you are using. For example, if you are using an all in one platform such as Wix, you would log in to your account and send a support ticket to their helpdesk. If you are running a self-hosted WordPress blog with a plugin such as those mentioned earlier in this module, you should log into your WordPress account and look at the most recently generated security reports, before following the plugin's instructions as to how you can secure your blog and restore a backup version if necessary. If you have command-line access to the server, WP-CLI's wp core verify-checksums command compares every WordPress core file against the official checksums for your version and lists anything that has been altered or added. Whatever the platform, once the site is clean, change every password connected to it (WordPress, hosting control panel, database and FTP/SFTP) and, for WordPress, regenerate the secret keys and salts in wp-config.php so that any stolen login cookies stop working. If you have a self-hosted WordPress blog that has been hacked and you cannot access your WordPress control panel in the usual way, you may need to contact your hosting provider and explain what has happened.
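The following is an added example, not part of the course and not the code of Wordfence, Sucuri or WP-CLI, showing the kind of check that turns “I suspect something is wrong” into a list of concrete files to look at. It records a baseline of SHA-256 hashes for every file under a WordPress directory when the site is known to be clean (right after setup or after restoring a verified backup), so that a later comparison reports exactly which files were added, changed or removed; it also flags two classic signs of compromise, PHP files dropped into the uploads directory and obfuscated eval or request-driven function calls. The sample directory and the snippets of “malicious” PHP it creates are constructed for the demonstration; the regular expression catches common patterns only and is a prompt for manual inspection, not a verdict.

```python
"""Added example: file-integrity baseline and diff for a WordPress directory, plus a
heuristic scan for PHP in uploads and obfuscated code. Not the course's or any plugin's
code. Store the manifest somewhere the web server account cannot write."""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

# Patterns commonly seen in dropped web shells; constructed heuristic, expect false positives.
SUSPICIOUS_CODE = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"
)
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def file_hashes(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_baseline(root: Path, manifest_path: Path) -> dict[str, str]:
    """Hash a known-good tree and save the manifest as JSON."""
    hashes = file_hashes(root)
    Path(manifest_path).write_text(json.dumps(hashes, indent=1, sort_keys=True))
    return hashes


def compare(root: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = file_hashes(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current.keys() & baseline.keys() if current[f] != baseline[f]),
    }


def flag_suspicious(root: Path) -> list[str]:
    """Heuristics: executable files under wp-content/uploads, and obfuscated PHP anywhere."""
    root = Path(root)
    flags = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/") and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            flags.append(f"{rel}: executable PHP in uploads")
        if p.suffix.lower() in EXECUTABLE_SUFFIXES and SUSPICIOUS_CODE.search(p.read_bytes()):
            flags.append(f"{rel}: obfuscated eval or request-driven call")
    return flags


def make_sample_install() -> Path:
    """Constructed stand-in for a clean WordPress tree, used only for the demonstration."""
    root = Path(tempfile.mkdtemp()) / "wordpress"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'constructed';\n")
    return root


if __name__ == "__main__":
    root = make_sample_install()
    manifest = root.parent / "baseline.json"
    take_baseline(root, manifest)
    # Simulate a compromise: constructed backdoor in uploads and an injected loader.
    (root / "wp-content" / "uploads" / "cache.php").write_text("<?php $f=$_GET['c']; $f($_GET['a']);\n")
    (root / "index.php").write_text("<?php eval(base64_decode('constructed')); require 'wp-blog-header.php';\n")
    print(json.dumps(compare(root, manifest), indent=1))
    print("\n".join(flag_suspicious(root)))
```

Run take_baseline() after every legitimate update as well, otherwise the next compare() will list every updated core file as modified; the value of the report is that everything on it should be explainable by a change you made.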
As WordPress is the most widely used blogging tool on the internet and many blogs are hacked each day, your hosting provider will be well equipped to advise you on your next steps. In an earlier module, you were encouraged to choose a hosting provider that offered specialist WordPress hosting if you chose to build a self-hosted WordPress blog. If and when your WordPress blog comes under attack from hackers, having the support of a dedicated hosting provider on hand can be more reassuring and effective than the standard customer service offered by non-specialist hosting services.
Module Summary
In order to safeguard your blog, your content and your identity, you must take ongoing security precautions against hackers and other individuals who wish to cause disruption on your site. It is important to remember that many attacks are automated, with little regard to the financial value of your blog. This means that even new or hobby bloggers are vulnerable to attack. The results of a successful hack can be devastating - for example, hackers can use blogs to promote malicious links and spread malware. You should use strong, unique passwords and avoid the default “admin” username, enable two-factor authentication where you can, keep WordPress, themes and plugins up to date, understand how to back up your content, create copies of your blog on a regular basis somewhere other than the web server, and know how to check the site and restore it if something does go wrong.
Aside from hacking, spam is another problem you need to address as a blogger if you allow readers to comment on your posts. As with hacking attempts, much spam is posted by automated programs. Common and effective anti-spam strategies involve plugins that filter comments likely to contain spam, manual moderation of new commenters, and CAPTCHA or honeypot checks that distinguish a human from a bot. You should always use common sense online - avoid giving out personal information and do not click on links unless you are confident of their source.