03/28/2008

Tips for protecting your blog

There's an Open Discussion For Dealing With Site Crackers going on at SEO Scoop wherein Donna asks for methods of protecting sites from hacking. While that's a big topic, I'll bite. If we're talking about blogs:

  • Take the "stats" line out of the head area; WordPress needs stats less than you need not to tell anyone what version you're running.
  • Password-protect the wp-admin directory (this means you'll have to log in twice to get to the Dashboard)
  • Do not require that people register before they post (see above); that's less useful than protecting your admin directory
  • Have good passwords, and change them regularly
  • Do not leave directories CHMODed to 777. Yes, I know the WordPress internal image uploader is neat, but I put images on my blogs the same way I do them for regular websites: by FTP
  • Use good passwords on your hosting account as well, and change them regularly

On your computer, use a *good* anti-virus program (which may not be what came with it). I've visited websites (one from a link in a Sphinn submission) that tried to lay keystroke loggers on my machine. That means they could get login information, among other things.

What's a good anti-virus program? You might be surprised. virus.gr runs comparative tests where they throw a large number of viruses (and other stuff) at anti-virus programs, and rate them. See Comparative tests of antivirus programs.

Heck, while you're at it, get a real firewall (that's hardware, not software) for your computer. And if you're using WiFi, take precautions because you're broadcasting information.

And here's Fighting Blog Hacks: Preventing And Eliminating Intruders, a good, very detailed read.

6 Comments to "Tips for protecting your blog"

  1. TheEatons says:

    Thanks for the tips. We used to have a blog, but it was hacked and had loads of vi@gr@ and gambling links hidden in it. When I mean loads I mean 100s!

    Some other things it is good to to are:

    *Block access to the admin either by password protecting the directory or only allowing access to it from an IP.
    *Block access to all folders that only hold server-side scripting.
    *Remove "Powered by WordPress" from the footer as hackers and spammers use this to harvest WP blogs from Yahoo.
    *Also remove the generator tag from the WP feed which gives away your WP version.

    However, the best thing to do would be to move away from WordPress. WP has a long history of security exploits and the guys who are making it are not only not keyed up on php, session and database security. They also have some of the worst programming standards I have seen since osCommerce. Its all very well and good screaming about HTML validation and Web 2.0, but its more important to have standards on your server-side, because this is where you are going to get hacked.

  2. Diane Vigil says:

    Thanks. You've named some of the items I mentioned, but they're good tips.

    And your last sentence there says everything: "Its all very well and good screaming about HTML validation and Web 2.0, but its more important to have standards on your server-side, because this is where you are going to get hacked."

    Thanks.

  3. Emma Johnson says:

    What is the best freeware spamblocker on the internet ?;,*

  4. Diane Vigil says:

    For WordPress? I favor a combination of Askimet and Conditional Capcha. These have worked great for our blogs.

    Unless you're asking about server spam blockers, or something else …

  5. Oscar Turner says:

    spam blockers are really needed these days because you will always get spam from e-mails and on your facebook account too.'`'

  6. Diane Vigil says:

    I quite agree. For blogs (WordPress blogs), I find a combination of Akismet and Conditional Captcha very effective in combatting comment spam (comments made for the purpose of adding links or "sales" information, etc., to a blog).

    As to email spam, that's a different subject. For that, I particularly like setting up separate emails addresses for different purposes — such as an email address solely for Facebook, etc. — so that, even if that email address starts getting a lot of spam, I can just change it.

    Also, running a spam detection program on your web hosting account, such as Spam Assassin, is very useful. I get very little email spam in my inbox (although I suspect that my server blocks the bulk of it, so I never see it).

Have your say ...

First-time comments will be held for moderation (but comments are appreciated). Otherwise, just be courteous. If your name is a bunch of keywords, your comment will be deleted. Don't post links unless highly pertinent. Posters must be 16 or older.

Manage your subscriptions

Archives
© 2004-2017 DianeV Web Design Studio. All Rights Reserved.
34 queries. 0.241 seconds.