NOBODY IS SAFE.
But some blogs are more prone to being hacked than others, and it feels horrible.
One day, you wake up and grab a cup of coffee, sit down in front of your computer and turn it on.
The first thing you try to do is log into your blog and check for new comments or statistics, but it won’t load.
You think there’s no internet or that something just went wrong and press F5, but it doesn’t work. When you start checking other websites just to see if they work (and boy they do), your heart starts pumping adrenaline through your body as if you were running a 10Km marathon.
Congratulations. You have been successfully hacked. Or should I say: your blog has been hacked?
The truth is that it feels like we are the ones being hacked after all, because our blog is like a window to our mind and soul. It feels as if someone had actually been inside our house while we were sleeping and stolen something, and while a real burglary would mean losing valuable things (a.k.a. money), having our blog hacked is like being deprived of our credentials and personal stuff.
It just sucks.
But are you doing something to avoid it? Or will you cry and go crazy when it happens?
You know, many blogs get hacked because they had weak security and the owner/webmaster didn’t do anything about it. There are a lot of ways to hack a blog (some of them just deny access temporarily, but others really keep you out of the game for a good while), and some attackers even contact you asking for money to give it back.
The thing is that most of the time, hacks can be prevented by doing simple things. Unless a really experienced hacker wants to tear your system apart, most blogs are hacked by automated bots or with simple tools like key loggers. Even worse, sometimes we hand out our passwords without realizing we’re not logging into our real account.
What should you do to prevent this tragedy?
Let’s move on and read. Please implement these easy strategies ASAP. Not tomorrow. Not next week. Do it ASAP. Remember, you’re not alone.
Yeah, you know… That boring message that appears once every 2-3 months saying that a new WordPress version is available to download. Don’t ignore it. Security is just a click away from you. But why?
Well, you might argue that you don’t update your WP version right away because you want to hear from other people whether it’s stable instead of testing it yourself.
Normally, WP should work out of the box and you shouldn’t have any problems. However, there are times when a plugin or even your theme doesn’t work as expected after an update, and that’s fine: you can connect over FTP, delete or fix the plugin that is causing the failure, and you’re good to go.
If instead you don’t update your WP version, you’re exposed to a lot of known bugs and security holes. When a new version is out, you’ll find a changelog similar to this:
From the announcement post, this maintenance release addresses 37 bugs with version 3.5, including:
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
Additionally: Version 3.5.1 fixes a few security issues:
- Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
- Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
- Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue.
As you can see, they spell out exactly what was fixed, security holes included. It’s like having a bank manager say:
Hey yeah. We released a few updates on our electronic bank account system because if you typed the wrong password, you could actually log into your account and move your money. We’re sorry, but here’s an update for that.
Do you get the point?
The point is that even if hackers couldn’t break the system before, the release notes now tell them exactly where the weak spots are, and by not updating your WP version you’re leaving those security holes wide open on your blog.
Update your Themes and Plugins
The same rule applies here. Every time a plugin releases a new version, update it. You don’t need to check for updates yourself, as WordPress checks automatically and asks you to confirm. It’s that simple, yet many people forget about it, mainly because they don’t visit their blog that often.
If you’re using a premium theme (I don’t recommend free themes), make sure you check the vendor’s page once every 3 months or so, so that you can update your theme and get more functionality too. Most themes will ask you to delete and re-upload the theme, but if you’re using a framework like I do, everything is one click away.
Don’t use admin as your user and 123456 as your password
Come on! I shouldn’t say this but it’s still one of the most common mistakes.
Bots are smart enough nowadays to find your WP login screen and try a mix of obvious combinations, including “admin” as the user name, your blog’s name and even your real name. They’ll also try to log in with the most common passwords out there, so do yourself a favor and set a really difficult password.
Don’t forget to include numbers, capital letters and even symbols.
Let me give you an example of how weak a password can be nowadays and how easily it can be cracked with a single computer:
Imagine a single computer with a 4-core processor and a graphics card with 500 cores (very normal nowadays).
Each core is capable of doing 3,000,000,000 operations per second, which means it can attempt a lot of passwords PER SECOND.
Now let’s simulate a password with 2 different digits. The number of combinations you can make with those 2 digits is:
And of course, when you start adding digits you get more combinations; and then we have 10 different numbers (0-9) and 25-26 letters of the alphabet, all of which you can mix and repeat in the password.
The combinations are way too many for a human to try, but what about a computer?
If my computer is capable of trying at least 3,000,000,000 passwords per second, how many seconds, minutes or hours do you think it will take me to discover your password?
Oh, and if I use the 500 cores of my graphics card or a more powerful computer, I’ll be able to do A LOT more.
Well, use a really difficult password and do it NOW!
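To put numbers on the argument above, here is an added example (written for this edit, not code from the original post) that computes the search space and the worst-case cracking time from the post’s own figures: 3,000,000,000 guesses per second per core, a 4-core CPU and a 500-core graphics card. The 32-symbol punctuation set and the table of sample password shapes are assumptions chosen for the demo.

```python
# Added example (not from the original post): how the size of the search
# space grows with password length and character set, using the figures
# the post gives: 3,000,000,000 guesses per second per core, a 4-core CPU
# and a 500-core graphics card.

GUESSES_PER_CORE_PER_SECOND = 3_000_000_000   # figure from the post
CPU_CORES = 4                                  # figure from the post
GPU_CORES = 500                                # figure from the post

DIGITS = 10        # 0-9
LETTERS = 26       # a-z
CAPITALS = 26      # A-Z
SYMBOLS = 32       # printable ASCII punctuation; an assumption for this example


def search_space(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters when
    every position may hold any of `alphabet_size` characters (repeats
    allowed): alphabet_size ** length."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, cores):
    """Worst-case seconds to try every combination at the post's rate."""
    rate = GUESSES_PER_CORE_PER_SECOND * cores
    return search_space(length, alphabet_size) / rate


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(cores):
    """Rows of (description, length, alphabet size, seconds) for typical
    password shapes; the shapes themselves are chosen for this demo."""
    cases = [
        ("digits only", 2, DIGITS),
        ("digits only", 8, DIGITS),
        ("lowercase only", 8, LETTERS),
        ("lower + upper + digits", 8, LETTERS + CAPITALS + DIGITS),
        ("lower + upper + digits + symbols", 12,
         LETTERS + CAPITALS + DIGITS + SYMBOLS),
    ]
    return [(desc, n, a, seconds_to_exhaust(n, a, cores)) for desc, n, a in cases]


if __name__ == "__main__":
    for cores in (CPU_CORES, CPU_CORES + GPU_CORES):
        print(f"\n{cores} cores, {GUESSES_PER_CORE_PER_SECOND * cores:,} guesses/second")
        for desc, n, a, secs in crack_table(cores):
            print(f"  {desc:34} len={n:2}  space={search_space(n, a):.3e}  {human_time(secs)}")
```

Running it shows the jump the post is pointing at: an 8-digit PIN falls in a fraction of a second even on the 4 CPU cores, while a 12-character password drawn from letters, digits and symbols takes thousands of years at the full 504-core rate. Length and alphabet size both sit in the exponent, which is why the advice is to add both.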
I actually use a WordPress plugin that limits the number of login attempts on my admin dashboard and then locks out the IP address that is trying to get in. That way, if a bot is trying to brute-force its way in, it will have a hard time with my blog.
And do the same for your hosting and domain accounts. You never know where they are going to attack.
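The lockout the plugin performs is easy to reason about once you see the bookkeeping. Below is an added example (not the post’s code and not any WordPress plugin’s code) of a small login-attempt tracker that locks an IP address out after too many failures in a short window, run over constructed sample log lines. The thresholds (5 failures in 10 minutes, 30-minute lockout), the IP addresses and the log format are all assumptions made for the demo.

```python
# Added example (not from the post and not the code of any WordPress
# plugin): a login-attempt tracker that locks an IP address out after
# too many failed logins in a short window, run over constructed sample
# log lines. Thresholds and the log format are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumption: lock on the 5th failure ...
WINDOW = timedelta(minutes=10)   # ... seen within 10 minutes ...
LOCKOUT = timedelta(minutes=30)  # ... and keep the IP out for 30 minutes

# Constructed sample log: "<ISO timestamp> <client IP> <user name> <FAIL|OK>"
SAMPLE_LOG = """\
2013-01-25T08:00:01 198.51.100.7 admin FAIL
2013-01-25T08:00:02 198.51.100.7 admin FAIL
2013-01-25T08:00:03 198.51.100.7 administrator FAIL
2013-01-25T08:00:04 198.51.100.7 myblog FAIL
2013-01-25T08:00:05 198.51.100.7 admin FAIL
2013-01-25T08:00:06 198.51.100.7 admin FAIL
2013-01-25T08:05:00 203.0.113.9 editor FAIL
2013-01-25T08:05:30 203.0.113.9 editor OK
2013-01-25T08:31:00 198.51.100.7 admin FAIL
"""


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, succeeded, now):
        """Update state for one attempt and return the decision:
        'blocked' (IP is locked out, credentials not even evaluated),
        'allowed' (success), 'failed' (wrong credentials, still under the
        limit) or 'locked' (this failure triggered the lockout)."""
        if self.is_locked(ip, now):
            return "blocked"
        if succeeded:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "locked"
        return "failed"


def process_log(text, limiter=None):
    """Feed each sample line to the limiter; return (ip, user, decision) tuples."""
    limiter = limiter or LoginLimiter()
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user, result = line.split()
        decision = limiter.record(ip, result == "OK", datetime.fromisoformat(stamp))
        out.append((ip, user, decision))
    return out


if __name__ == "__main__":
    for ip, user, decision in process_log(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {decision}")
```

In the sample log the bot at 198.51.100.7 is locked out on its fifth failure and its sixth attempt is refused without even checking the password; the legitimate editor at 203.0.113.9, who mistyped once and then logged in, is never affected, and the bot’s retry 31 minutes later starts counting from zero again. Note that while an address is locked, even a correct password is refused, which is the whole point against a bot but also why you want the lockout window to be short.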
Make regular backups
Oh boy, this one is obvious, yet most people don’t know how to do backups or just don’t do them because it seems too technical.
It’s true it might not be as easy as right-clicking and saving all your data, but there are a lot of plugins that allow you to create manual (and scheduled) backups of your blog.
You can backup your posts and pages only, or you can backup the whole blog with the design, images and database.
I recommend doing this once a week, or at least once a month depending on your posting schedule. But don’t forget it, because a good backup is what is going to save you if your blog gets hacked later.
And create physical backups once in a while (CD/DVD/USB/external hard drive) or keep a secondary backup in the cloud. We never know when our lovely computer or hard drive is going to fail and take everything with it.
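Whatever plugin or script makes the backup, the part people skip is checking that the archive can actually be restored. Here is an added example (written for this edit, not the post’s code and not any backup plugin’s code) that archives a blog folder into a dated tar.gz, writes a SHA-256 checksum beside it, verifies the archive before trusting it, and keeps only the newest copies. The folder layout, file names and the “keep four” rule are assumptions constructed for the demo; on a real site you would point it at your WordPress directory and a database dump file.

```python
# Added example (not from the post and not any backup plugin's code): make
# a dated, compressed archive of a blog folder, write a SHA-256 checksum
# next to it, verify the archive before trusting it, and keep only the
# newest copies. The folder layout in demo() is constructed for the demo.
import hashlib
import tarfile
import tempfile
from pathlib import Path

KEEP = 4   # assumption: keep the four most recent archives


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, dest_dir, stamp):
    """Archive source_dir as blog-<stamp>.tar.gz plus a .sha256 sidecar."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"blog-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source_dir), arcname="blog")
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive):
    """True only if the checksum matches and every member can be read back."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != sha256_of(archive):
        return False
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    tar.extractfile(member).read()   # decompress to catch corruption
        return True
    except (tarfile.TarError, OSError):
        return False


def prune(dest_dir, keep=KEEP):
    """Delete all but the `keep` newest archives (sorted by the stamp in the name)."""
    archives = sorted(Path(dest_dir).glob("blog-*.tar.gz"))
    for old in (archives[:-keep] if keep else archives):
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return sorted(Path(dest_dir).glob("blog-*.tar.gz"))


def demo():
    """Run the whole cycle on a constructed blog folder; return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        (site / "database.sql").write_text(
            "-- constructed dump\nINSERT INTO wp_posts VALUES (1, 'Hello');\n")
        backups = Path(tmp) / "backups"
        stamps = [f"2013-01-{day:02d}" for day in range(1, 7)]   # six backup runs
        archives = [make_backup(site, backups, s) for s in stamps]
        all_ok = all(verify_backup(a) for a in archives)
        with open(archives[-1], "ab") as f:       # simulate a corrupted copy
            f.write(b"garbage")
        tamper_caught = not verify_backup(archives[-1])
        remaining = prune(backups)
        return {"verified": all_ok, "tamper_caught": tamper_caught,
                "remaining": [p.name for p in remaining]}


if __name__ == "__main__":
    print(demo())
```

The checksum sidecar is what lets you tell a good offline copy (the CD/DVD/USB one) from a silently corrupted one months later, and the prune step keeps the backup folder from growing forever while always leaving a few older generations in case the newest backup already contains the hacked files.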
This is just the beginning
Of course, this is just the beginning of a secure blog. There are a lot of ways to make your blog more difficult to hack, and I’ll write about them (pretty technical stuff) in another post.
But just by following these easy steps, you’ll be many clicks away from being hacked. It’s easier to hack a newbie’s blog than a blog whose owner takes care of security.
I bet your blog will be much more difficult to hack than the millions of blogs out there that don’t create backups, use strong passwords or update their code.
Remember, it’s not about being the best on your niche. It’s all about being better than your competitors 😉
Has your blog ever been hacked? What else are you doing to protect it? Leave a comment below and enjoy this info-graphic from Backgroundcheck.