My blog isn’t huge but, thanks to social sharing and a little syndication, it is beginning to gain a bit of traction. I’m proud to say that traffic grew by 1,685 percent in 2013.
Like every serious blogger, growth brings content theft issues that have pushed me to make some security changes along the way.
It’s not the closet hacker down the block you have to worry about, he’s only looking to change his grades in the high school computer system and cause a bit of mischief.
It’s the sophisticated bots created by some pretty serious hacking companies that you should be concerned about, and their attacks also get more advanced every day.
Arghh, me matey, don’t let WordPress pirates drop anchor in your lagoon! They’ll kill off the mermaids, steal your treasure and fill it with poison. (tweet this)
And if it happens to your client’s website or blog when you could have prevented it? Not good. Really not good. If you handle their site maintenance or content, you could be liable.
Trust me, you don’t want to spend days fixing a major problem when a few minutes of prevention will keep you as safe as a teenage girl wearing a chastity belt her father welded together. (Can we still do that? As a parent, I’d really like to.) These tasks are fairly easy, yet commonly not done by most people.
1. Install an encrypted password management system like LastPass, then use the “generate password” feature to ensure your password is complicated and different for every single site that requires a password. ESPECIALLY IF YOU HANDLE CLIENT PASSWORDS. Don’t use the same one for everything and never, ever, ever use the password originally assigned with a new account!! The bots try that first, along with any proper names the bot can ferret out from your online activity, such as pet names, children’s birthdays and more. Be sneakier than the pirate, even though it is inconvenient.
On top of LastPass, I use Google Authenticator, a two-step authentication process which you can set up from within the LastPass settings dashboard. It requires me to enter a six-digit code on my smartphone before I can access my passwords – giving me an extra layer of security by proving that the person logging in is who they say they are. Without my phone, I can’t get in. (Yes, there are solutions if you lose or replace your phone.)
I also use two-step authentication for my social media accounts. It’s a pain, yes, but I don’t have to worry about my reputation being destroyed by someone posting on my behalf.
Why the heck doesn’t every bank do this?
2. Make sure you do not have an administrative account with the user name “admin” or variations of it. I can’t tell you how important this is. Just Saturday alone, I had OVER A DOZEN bot-driven hacker attacks try to brute-force there way into my site.
How does it work? A bot keeps trying different passwords combined with the user name “admin,” hoping it will strike gold and get in. Once in, they have a backdoor even if you change the password. The only way to get rid of it is a painful, manual process that takes forever. This change is EXTREMELY worthwhile if you use a generic user name. (Don’t believe me? Read this InformationWeek article. )
In WordPress, you can’t change a user name once it is set. You’ll have to create a new user, give it admin privileges, then delete the original account with the admin user name. It takes about five minutes.
3. Install a security plugin that blocks the attempts after a specified number of incorrect log-ins. I use WordFence (free) and the notifications are very revealing of just how big the hacker issue really is. I get dozens of attempts every single day and HAD NO IDEA the problem was that bad.
4. Make your email passwords the most difficult. Why? Because once they are into your email, it triggers a “reset password” request to every account you have on your computer. Not only will they reset your WordPress password, but every credit card and bank account you have. Yikes. It’s pretty scary. Use upper case, lower case, and the symbols above numbers on your keyboard.
5. Don’t log-in to write blog posts with your primary administrative account. Create a secondary one with an editor level of permission – or almost any setting other than administrator – then use that account for writing. Only log-in with the administrator password when you need to do admin level work, such as updates, installing pages, etc.
This was suggested by a speaker at WordCamp Phoenix 2014 and it makes total sense. Here is their full presentation.
6. Delete all unused themes and plug-ins. Because you don’t know the level of skill the programmer has or how clean these are coded, themes and plug-ins are potential weaknesses that a hacker or bot can exploit, especially if you are not keeping them updated because they are inactive. Delete them, then do a full back-up of your website. You can use a paid or free back-up plug-in, just be sure to do it regularly to an off-site location. For your own sanity, do not rely on your hosting company to do your back-ups.
One last thought on content theft that isn’t really related to my WordPress site – every time a new post hits, I do a headline search to see if my content has been stolen or shared incorrectly. YouTube is the worst offender, thanks to automated software that “reads” a blog post, then creates a video of the audio file with a computerized avatar. It’s outright theft that happens now for every single post that I create. I recommend making a search part of your process once a week or month, depending on how often you post. If you find offending videos, go through YouTube’s flagging process for copyright infringement and have it removed. It takes about five minutes and is started by clicking on the flag icon right below the video.
I also like this recent post by Gary Hyman (@garyhyman) on Copyright Removal Guidelines & Tools.
Do you have advice, tools or a security issue you’ve battled? Post a comment!