Security for Bloggers
Nearly every day you hear about some new security breach on the web. Sensitive information is leaked, millions of dollars are lost, and websites go down. As a blogger, how worried should you be about security?
You might think you don’t have much to worry about, but an unpatched vulnerability on your computer, your hosting company’s server, your WordPress install or even a rogue advertisement could severely damage your business and your reputation.
Fortunately, an ounce of prevention is worth more than a metric ton of cure.
Here is how to protect yourself and your audience from security issues.
Back Up Your Blog
Backups are like insurance: annoying to set up but you’ll be glad you did when disaster strikes.
Backups don’t just defend against hacking. You might accidentally delete a post or other content, and a backup can be a lifesaver in these situations too.
Wix bloggers don’t need backups — at least, according to Wix, which keeps historic copies of your site. Even so, Wix does offer a handy way to duplicate your entire site, which you can use as a backup.
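As an added example that is not from the article, here is a small Python script for the self-hosted WordPress case: it archives the site directory, adds a database dump when `mysqldump` is installed (credentials assumed to come from `~/.my.cnf`), writes a checksum so you can verify the archive before you need it, and prunes old copies. The paths and database name are placeholders.

```python
"""Back up a self-hosted WordPress site and verify the archive later.

Added example for the backup section; it is not code from the article.
Assumptions: the site lives in one directory (wp-config.php and wp-content
included), `mysqldump` is optional and reads its credentials from ~/.my.cnf,
and archives are kept in a directory of your choosing.
"""
import hashlib
import io
import shutil
import subprocess
import tarfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so big archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_site(site_dir: Path, backup_dir: Path, db_name: Optional[str] = None) -> Path:
    """Archive the site files (plus a database dump when mysqldump is installed)
    into a timestamped .tar.gz and write a sha256sum-compatible checksum file."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        # A relative arcname lets the archive be restored to any path.
        tar.add(site_dir, arcname="site")
        if db_name and shutil.which("mysqldump"):
            # --single-transaction gives a consistent InnoDB snapshot without locking.
            dump = subprocess.run(
                ["mysqldump", "--single-transaction", db_name],
                check=True, capture_output=True,
            ).stdout
            info = tarfile.TarInfo(name="database.sql")
            info.size = len(dump)
            tar.addfile(info, io.BytesIO(dump))
    checksum_path = Path(str(archive) + ".sha256")
    checksum_path.write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Recompute the archive digest and compare it with the stored checksum.
    Run this before you need the backup, not during the incident."""
    checksum_path = Path(str(archive) + ".sha256")
    if not checksum_path.exists():
        return False
    expected = checksum_path.read_text().split()[0]
    return sha256_file(archive) == expected


def prune_backups(backup_dir: Path, keep: int = 7) -> List[Path]:
    """Delete all but the newest `keep` archives (names sort by timestamp)
    together with their checksum files; returns what was removed."""
    archives = sorted(backup_dir.glob("wp-backup-*.tar.gz"))
    removed = []
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
        removed.append(old)
    return removed


if __name__ == "__main__":
    # Placeholder paths and database name; adjust to your host.
    store = Path.home() / "wp-backups"
    made = backup_site(Path("/var/www/html"), store, db_name="wordpress")
    print("wrote", made, "verified:", verify_backup(made))
    print("pruned:", prune_backups(store, keep=7))
```

Run it from cron and copy the archives somewhere other than the web server itself; a backup that lives on the compromised box is not a backup. Test an actual restore once, not just the checksum.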
Is Your Password Safe?
If an attacker gets your password, they can lock you out of your blog, delete it, redirect it, and all kinds of other nasty things. This is the key to the kingdom.
You should pick a password that’s hard to guess. Treat it like a toothbrush. Change it every three months and don’t share it with anybody.
If nothing else, pick a password that you don’t use for any other account, and certainly not for your bank account. The reason is that attackers know people often use the same password everywhere, so once one password is cracked they will try it on your other accounts too.
When that happens, it’s (security) game over.
You should also create a new username and password for your blog rather than keeping the default user account your blogging software set up.
It can be hard to remember your passwords, so try using a password manager like 1Password to keep up with them all. Update all passwords at least yearly (but every 3 months is better).
If you have a blog with multiple authors, you should encourage them to take similar precautions. The user that’s least knowledgeable about security is the weakest link.
More on passwords:
WordPress.com’s guide to selecting a strong password – great tips that apply to everyone, not just WordPress users or bloggers.
Change your Wix password – quick link & instructions for bloggers using Wix.
Google on strong passwords – solid info from Google on creating a strong password.
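As an added example (not from the article or the guides linked above), the Python below generates a passphrase with the `secrets` module, shows how its strength is worked out, and flags accounts that share a password in a constructed sample inventory. The word list is a constructed stand-in for a real one such as the EFF long list.

```python
"""Generate high-entropy passphrases and detect password reuse across accounts.

Added example for the password section; not from the article or the sites
it links. The word list below is a constructed sample; a real generator
should use a large list such as the EFF long word list (7,776 words) or
whatever your password manager ships.
"""
import hashlib
import math
import secrets
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample word list (16 words). Real lists are thousands of words long.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "prairie",
]


def passphrase(words: List[str], count: int = 6, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with the OS CSPRNG (secrets).
    Don't use random.choice here: it is predictable and not meant for secrets."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size: int, count: int) -> float:
    """Uniform, independent picks give count * log2(list_size) bits of entropy.
    Six words from a 7,776-word list is about 77.5 bits; six from 16 words only 24."""
    return count * math.log2(list_size)


def fingerprint(password: str) -> str:
    """Fingerprint used only to group identical passwords so the report never
    holds plaintext. (Not how a site should store passwords; use bcrypt/argon2.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused(credentials: Dict[str, str]) -> List[Set[str]]:
    """Return groups of accounts that share the same password.
    Each group is a place where one breach unlocks several accounts."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for account, password in credentials.items():
        groups[fingerprint(password)].add(account)
    return [accounts for accounts in groups.values() if len(accounts) > 1]


if __name__ == "__main__":
    print("new passphrase:", passphrase(SAMPLE_WORDS))
    print("bits (EFF long list, 6 words):", round(passphrase_entropy_bits(7776, 6), 1))
    # Constructed sample inventory: account name -> password.
    sample = {
        "blog-admin": "Summer2016!",
        "bank": "Summer2016!",
        "email": "tile-fjord-nectar-orchid-kelp-dune",
    }
    for group in find_reused(sample):
        print("reused across:", ", ".join(sorted(group)))
```

A password manager does the generation part for you; the reuse check is the audit you run once over the accounts already in it.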
Notes on WordPress Security
WordPress installs have automatic updates enabled for minor core releases, which include security updates. However, this doesn’t cover plugin and theme vulnerabilities.
Plugins and themes are a major cause of hacks. Choose plugins that have a large user base and receive frequent updates, check the reviews, and only download plugins from reputable sources like WordPress’s own repository.
That reduces the risk of introducing malware to your blog. Remove any plugins you don’t actually use; each one you leave installed is just another possible hole.
WordPress Theme and Plugin Security Info:
WPvulndb.com tracks WordPress theme and plugin vulnerabilities.
Theme Authenticity Checker (TAC) – well-trusted plugin that scans all your theme files for malicious code.
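As an added example, not from the article or from WP-CLI itself, this Python snippet turns the JSON printed by `wp plugin list --format=json` (field names as WP-CLI emits them; the plugin names and versions are constructed) into a to-do list: inactive plugins to delete, active ones to update, and the WP-CLI commands that carry it out.

```python
"""Triage a WordPress plugin inventory: what to update, what to remove.

Added example for the plugin advice above; not code from the article or
from WP-CLI. It assumes the JSON shape printed by
`wp plugin list --format=json` (name, status, update, version); the plugin
names below are constructed.
"""
import json
from typing import Dict, List

# Constructed sample output of `wp plugin list --format=json`.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "comment-guard", "status": "active", "update": "none", "version": "3.2.1"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0.2"},
    {"name": "seo-helper", "status": "active", "update": "available", "version": "2.1.0"},
    {"name": "demo-widget", "status": "inactive", "update": "none", "version": "0.9"},
])


def triage_plugins(plugin_list_json: str) -> Dict[str, List[str]]:
    """Sort plugins into remove_unused (inactive code is still reachable on disk,
    so delete it rather than leave it), update_now, and ok."""
    report: Dict[str, List[str]] = {"remove_unused": [], "update_now": [], "ok": []}
    for plugin in json.loads(plugin_list_json):
        if plugin["status"] == "inactive":
            report["remove_unused"].append(plugin["name"])
        elif plugin.get("update") == "available":
            report["update_now"].append(plugin["name"])
        else:
            report["ok"].append(plugin["name"])
    return report


def wp_cli_commands(report: Dict[str, List[str]]) -> List[str]:
    """Turn the report into the WP-CLI commands you would run on the host.
    Review the list first: `wp plugin delete` removes the files."""
    commands: List[str] = []
    if report["remove_unused"]:
        commands.append("wp plugin delete " + " ".join(report["remove_unused"]))
    if report["update_now"]:
        commands.append("wp plugin update " + " ".join(report["update_now"]))
    return commands


if __name__ == "__main__":
    # On a real host: wp plugin list --format=json > plugins.json
    report = triage_plugins(SAMPLE_PLUGIN_LIST)
    for bucket, names in report.items():
        print(f"{bucket:14} {', '.join(names) or '-'}")
    print("\n".join(wp_cli_commands(report)))
```

Take a backup before running the update commands; a plugin update that breaks the theme is far easier to roll back than to debug live.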
All Hosts are Not Equal
Hosting companies vary in their commitment to security.
How can you tell a good host from a poor one?
Do they update their software frequently? What is their policy if you do fall victim to a security breach?
Be aware that larger hosting providers have more resources to devote to security than smaller providers do, which means more time and money for security hardware and software like firewalls and intrusion detection systems.
Look for a provider who has been around for a while and has good reviews. Even better, look for a host that is built for the blogging software of your choice.
More on hosting security:
WordPress hosting reviews – our suggestions for best web hosts for bloggers.
Hardening WordPress – nerdy bits on how to make your WordPress installs harder to hack.
Blogs and Malware?
If you’re monetizing your blog, you should pay attention to the advertising networks you choose to work with.
It’s possible to send malicious advertisements, or “malvertisements”, to users through disreputable networks. You’re better off with one of the larger ad network providers like Google AdSense or Commission Junction.
While most of the advice in this article concerns the server side, there are a few things you can do on your end to keep your blog — and digital life — safe.
Beware of Phishing
You’ve probably heard that no legitimate company will ask you for your password or credit card information, but people keep falling for these schemes time and time again.
Most of the time, phishing attempts are scattershot, but if your blog is popular enough, you may be the subject of a spear phishing campaign, a phishing attempt that is specifically targeted toward you.
One defense is to use a separate email address just for responses from your blog’s readers; any email to that address telling you to reset your accounts is then obviously bogus.
Beware of Wi-Fi
Wi-Fi seems ubiquitous, in homes, offices, coffee shops, and hotels, but do you really know who’s behind the networks? That convenient public Wi-Fi network might be run by a hacker sniffing your passwords.
You should be careful about which networks you choose to connect to. That Wi-Fi network that appears to belong to the coffee shop you’re in might actually belong to an attacker.
One defense is encryption. HTTPS is becoming more common, with services like Let’s Encrypt providing free certificates. If your blog doesn’t have HTTPS enabled, talk to your host or get a TLS (SSL) certificate yourself.
You might consider signing up for a VPN service if you blog away from home a lot.
If you use your own Wi-Fi network, you should turn WPA2 encryption on.
Under no circumstances should you use the old WEP encryption because it’s long been broken.
You don’t need to go overboard if you’re using a simple home or small office Wi-Fi. With small networks, you’ll most likely use WPA2-Personal. Be sure to pick a good password and disable the admin account in your Wi-Fi settings.
Check If You’ve Been Hacked
Most breaches are crimes of opportunity. They’re usually automated, like a burglar who checks every house in the neighborhood for unlocked doors or open windows.
Sucuri SiteCheck is a good option for scanning for vulnerabilities.
Google Search Console – You can set up email alerts to automatically notify you when Google detects hacking attempts.
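As an added example that is not part of the article, here is a Python file-integrity check for a self-hosted WordPress directory: record a manifest of file hashes while the site is known clean (right after install or a verified backup), then re-run the comparison on a schedule and review anything modified, missing or newly added, especially PHP files under `wp-content/uploads`, which should never contain code. Paths are placeholders.

```python
"""File-integrity check for a self-hosted WordPress directory.

Added example for the "Check If You've Been Hacked" section; not code from
the article or from the scanners it names. Assumes you build the manifest
while the site is known clean and keep that copy off the web server.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List

UPLOADS = "wp-content/uploads/"  # media lands here legitimately; code never should


def build_manifest(site_dir: Path) -> Dict[str, str]:
    """Map every file (path relative to site_dir, POSIX style) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(site_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(site_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: Dict[str, str], out: Path) -> None:
    """Store the baseline as JSON somewhere the web server user cannot write."""
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare_manifest(baseline: Dict[str, str], site_dir: Path) -> Dict[str, List[str]]:
    """Report files that changed, appeared or vanished since the baseline.

    New media under wp-content/uploads is expected and not reported, but any
    .php file there is flagged: uploads should hold images, never code."""
    current = build_manifest(site_dir)
    findings: Dict[str, List[str]] = {
        "modified": [], "added": [], "missing": [], "php_in_uploads": []}
    for rel, digest in current.items():
        in_uploads = rel.startswith(UPLOADS)
        if in_uploads and rel.endswith(".php"):
            findings["php_in_uploads"].append(rel)
        if rel not in baseline:
            if in_uploads and not rel.endswith(".php"):
                continue  # a newly uploaded image is normal
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(baseline) - set(current))
    return findings


if __name__ == "__main__":
    # Placeholder paths: the first run records the baseline, later runs compare.
    site, manifest_file = Path("/var/www/html"), Path.home() / "wp-baseline.json"
    if not manifest_file.exists():
        save_manifest(build_manifest(site), manifest_file)
        print("baseline recorded")
    else:
        for kind, files in compare_manifest(load_manifest(manifest_file), site).items():
            print(f"{kind:15} {len(files):4}  {' '.join(files[:5])}")
```

For core files, WP-CLI’s `wp core verify-checksums` does the same comparison against the checksums WordPress.org publishes; the manifest approach above also covers wp-config.php, themes and plugins. Re-record the baseline after every update you made yourself, or every legitimate update will show up as “modified”.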
So, What If You Do Get Hacked?
If the unthinkable happens and your site does get hacked, all is not lost. Probably. You have backups right? ;)
Sucuri specializes in cleaning up hacked sites and protecting them from further attacks, including sites running popular blogging software like WordPress. If you are hacked, you can sign up for their monthly protection plan, which includes cleaning up your hacked site at sign-up.
Wordfence cleans Joomla and WordPress hacks, and like Sucuri, it bundles the cleanup and the subscription in one package.
Bloggers should keep up with what’s happening in the security world. Follow blogs like Krebs on Security or Sucuri’s blog, or resources like the Security Now podcast, to get wind of the latest breaches and protect yourself.
Keeping your blog secure shouldn’t keep you awake at night. As long as you stay on top of your updates and stay smart and informed, you should be fairly secure.
A secure site will let you do what you do best: write awesome blog posts.