It is always useful to be on the lookout for the signs of your blog being attacked, even if you do not think it has been. These signs might be the only thing that reveals an attack has taken place.

First, posts could be changed to display strange messages. In a way this is counterproductive for the attacker, as it is quite often the first indicator that you have been attacked and the reason you notice the attack at all. If the messages weren't there, you would never know about it. But it seems this is what the attackers want: you think you have cleaned up the attack, but there is still something somewhere.

After this, executable files might be left on your server, which can install viruses onto readers' machines or allow access for the hackers. If you know the date of the attack, look in your download directories for any files added since that date.

Another obvious sign is that your permalinks change and suddenly include a bit of code and strange characters. 'eval' appearing in your permalinks is a sure sign of an attack: the attacker has left a way of running hidden code through the links.

Lastly, you should also keep an eye on any new user ids created. WordPress does email you if any new users are created, but it is easy enough for the attacker to change the admin email, add the new id (and receive the confirmation email) and then revert the admin email. So check in case new admin ids are suddenly appearing.

And if you find any of the above, it is not just a case of clearing them out, as you will probably leave other parts of the attack elsewhere. If you find you have been attacked, it is time to fall back on those backups and reinstall the blog from scratch. Cleaning the damage might not remove it all.
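Three of the checks above (files added since the attack date, server-side scripts hiding among media, and 'eval' turning up in a database export) scripted as an added example. This is not code from the original post; the directory layout, the attack date, the sample files and the sample SQL export are all constructed for the demonstration so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): three of the post-attack checks
# described above, run over a constructed sample so the script works offline.
# Paths, dates and sample content are assumptions for the demonstration.

# files_added_since DIR YYYYMMDDhhmm
# Prints every regular file under DIR modified after the timestamp. Uses a
# reference file with POSIX 'find -newer', so it needs no GNU extensions.
files_added_since() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref"
    rm -f "$ref"
}

# scripts_in_uploads DIR
# The uploads directory should contain only media; any PHP-family file there
# is worth a close look.
scripts_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \)
}

# eval_in_dump DUMPFILE
# Greps a SQL export for 'eval(' (the sign the post describes) and for
# base64_decode(, which commonly accompanies it to hide the real code.
eval_in_dump() {
    grep -n -E 'eval\(|base64_decode\(' "$1"
}

# make_sample_uploads: constructed uploads tree (one clean old file, one
# clean new file, one dropped script with an image-like name).
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2010/03" "$d/2010/05"
    printf 'jpegdata' > "$d/2010/03/holiday.jpg"
    touch -t 201003011200 "$d/2010/03/holiday.jpg"
    printf 'pngdata' > "$d/2010/05/banner.png"
    touch -t 201005101200 "$d/2010/05/banner.png"
    printf '<?php /* constructed stand-in for a dropped script */ ?>' > "$d/2010/05/image.php"
    touch -t 201005101300 "$d/2010/05/image.php"
    printf '%s' "$d"
}

# make_sample_dump: constructed SQL export with one tampered permalink.
make_sample_dump() {
    f=$(mktemp)
    printf '%s\n' \
      "INSERT INTO wp_posts (ID, post_title, post_name) VALUES (1,'Hello world','hello-world');" \
      "INSERT INTO wp_posts (ID, post_title, post_name) VALUES (2,'Holiday photos','holiday-photos<?php eval(\"constructed\"); ?>');" \
      > "$f"
    printf '%s' "$f"
}

main() {
    uploads=$(make_sample_uploads)
    dump=$(make_sample_dump)
    attack_date=201005010000   # assumed: when the defaced posts were first seen
    echo "== files added since $attack_date"
    files_added_since "$uploads" "$attack_date"
    echo "== script files inside uploads"
    scripts_in_uploads "$uploads"
    echo "== eval in database export"
    eval_in_dump "$dump"
    rm -rf "$uploads" "$dump"
}

main
```

On a real site point the functions at wp-content/uploads and at the SQL file your backup plugin emailed you; anything the first two checks list is a candidate for the "something somewhere" the post warns about, and a hit from the third means the database copy you restore from must predate the attack.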

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.


Why Do People Attack Blogs?

Why do people want to attack blogs? What are they getting out of it and where is the point?

Well, for many I am sure that they are just doing it for the fun of the attack. If they can invade your blog and leave a message or two they are happy! It is a sad thing to do, but they do try it.

But for most there is a reason to do it, and that is to steal the power in your blog. Search engines put a lot of emphasis on blog links, so if attackers can take over your blog and add loads of links to their own websites, they gain a huge benefit. It does not matter to them that in the process they can completely destroy your blog!

For others the purpose is to spread viruses, malware and other software. They can plant files in your blog and hope that readers access them. They might invite your readers to open a file, expecting that your readers trust you, see the link and follow it without question, installing bad software onto their computer. Or they can upload scripts and call them as images, so that when they open they do the same trick.

In all, there is profit in attacking your blog, and if you read accounts of attacks it is common that there are multiple attacks. Attackers succeed and leave a backdoor, which is not closed. They can then come back using that, and it can be this second attack in which the actual damage is carried out. That is why a full reinstall of a clean version of your blog is needed after any successful attack.


If someone successfully attacks your blog and gets admin access, then untold damage can be wreaked. So you need backups now that you can fall back on in this case.

First, install WP Database Backup or a similar plugin. This emails you a backup of the essential database tables at intervals you set. Use this and save at least a few generations of backups, so that you still have a clean copy if it takes you a week or two to discover the attack.

Also, make sure that you have a copy of the version of WordPress that you are running, plus your theme and plugins. For themes and plugins, as long as you have a written note of their names and where to download them, you should be safe! Lastly, if you are uploading media such as videos, photographs and images, store copies of these on your PC. Do not rely on the server versions!

If the worst happens and you discover an attack then a piecemeal rebuild is probably going to take a long time and might not clear out everything. Attackers will leave damage around the site hoping that you only find some of their work. They might leave backdoors into your admin hidden away.

So you have to be prepared to delete everything and roll back to your last known safe backup. This means deleting all WordPress files and the database and reinstalling onto an empty server, without any of the potentially infected database files. Effectively, you are creating a new WordPress blog, just using the backup files to reinstall the database and get back posts, comments, user ids and so on.

Make sure that your backups are sufficient today!
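A backup is only sufficient if it still contains everything you need to rebuild. The following is an added example, not code from the original post or from the WP Database Backup plugin: it checks a directory of saved backups for enough generations and confirms each one still holds the essential tables. The table list, the wp_ prefix, the minimum of three generations and the sample dump files are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, and not the WP Database Backup
# plugin): check that the backups you have saved are actually usable.
# Table list, 'wp_' prefix, MIN_GENERATIONS and the sample files are assumed.

ESSENTIAL_TABLES="wp_posts wp_users wp_options wp_comments"
MIN_GENERATIONS=3

# read_backup FILE: stream a backup to stdout, decompressing .gz on the fly
read_backup() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# backup_has_tables FILE: exit 0 when every essential CREATE TABLE is present
backup_has_tables() {
    for t in $ESSENTIAL_TABLES; do
        read_backup "$1" | grep -q "CREATE TABLE \`$t\`" || return 1
    done
    return 0
}

# good_generations DIR: print how many backups in DIR pass backup_has_tables;
# incomplete ones are named on stderr
good_generations() {
    n=0
    for f in "$1"/*.sql "$1"/*.sql.gz; do
        [ -f "$f" ] || continue
        if backup_has_tables "$f"; then
            n=$((n + 1))
        else
            echo "incomplete backup: $f" >&2
        fi
    done
    echo "$n"
}

# verify_backups DIR: exit 0 when at least MIN_GENERATIONS complete backups exist
verify_backups() {
    [ "$(good_generations "$1")" -ge "$MIN_GENERATIONS" ]
}

# make_sample_backups: constructed stand-ins for the plugin's emailed dumps,
# three complete and one cut off before wp_users
make_sample_backups() {
    d=$(mktemp -d)
    for day in 01 08 15; do
        {
            for t in $ESSENTIAL_TABLES; do
                echo "CREATE TABLE \`$t\` (ID bigint(20) NOT NULL);"
            done
            echo "INSERT INTO \`wp_posts\` VALUES (1,'Hello world');"
        } > "$d/backup-2010-05-$day.sql"
    done
    echo "CREATE TABLE \`wp_posts\` (ID bigint(20) NOT NULL);" > "$d/backup-2010-05-22.sql"
    printf '%s' "$d"
}

main() {
    dir=$(make_sample_backups)
    if verify_backups "$dir"; then
        echo "ok: $(good_generations "$dir" 2>/dev/null) complete generations in $dir"
    else
        echo "NOT ENOUGH complete backups in $dir"
    fi
    rm -rf "$dir"
}

main
```

Run it against the folder where you file the plugin's emails; a backup that was cut off in transit shows up as "incomplete", and the overall result fails as soon as fewer than three good generations remain, which is the moment to fix things rather than the day after an attack.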


General Blogging Security Precautions

Protecting your blog is more than keeping it up to date and using good strong passwords. There are general security questions you can consider as well.

Regular updates and strong passwords are vital. But, there is more than that to security. You must also take care in how you use your blog and when you update it.

For example, can people you don't know register? If so, why? Is it needed? Switch off the 'anyone can register' feature to remove this risk unless you absolutely need it.

Is your computer secure? Do you use updated anti-virus software, or could someone easily attack your computer and use a key logger to watch what you are doing?

Are you using unsecured Wi-Fi connections or internet cafes? Could someone else on the network be accessing your computer and watching the passwords that you are using? It is easy enough to create a new user with just author permissions and use that when you are away from home. That way, if you are attacked using that id, all the person can do is add posts and amend that author's posts. Move all posts to admin when you are safely back home and they can't even change them!

Yes, maybe these are far-fetched and highly unlikely methods of attack. But they are all possible and easy to prevent, and prevention is better than cure! So why not take the basic security steps and be safe?


One of the reasons that new versions of WordPress are released is that security holes have been discovered and patched up. So it is absolutely vital that you make sure that your installation is up to date.

Some people prefer to work on versions of WordPress that are established and other people have had the chance to find any bugs in the code. Whilst I understand this and support the theory in some ways, in other ways it is extremely dangerous.

I have read stories about different bloggers who have had their blogs successfully attacked. But, in every case, these bloggers were all using old versions of WordPress rather than the latest versions. People who get their pleasures from attacking blogs are likely to know the tricks used to attack old versions of WordPress, so by leaving yourself on an old version you are opening yourself to more possible attacks.

There is a balance to the risks, but on the whole, I believe in keeping WordPress on the most recent version. But, with some precautionary steps.

First, download and unzip the latest version of WordPress, but keep the version of WordPress you are currently running somewhere on your PC. Next, run a full database backup and save that. Now, if the worst comes to the worst, you can reinstall the current version of WordPress with your existing database files, as though you never upgraded.

Then upload the new files and log on to wp-admin to force any database updates. Quite simple really, as long as you only have one or two blogs. More complicated with 20 blogs, but I'm testing a way around that too!
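The precautionary steps above, scripted as an added example (not code from the original post): read the running version out of wp-includes/version.php, compare it with the version you have downloaded, and archive the current files so the upgrade can be undone together with the database backup. The sample install tree, the version numbers and the destination folder are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-upgrade version check and
# snapshot of the running WordPress files. Sample tree and versions are assumed.

# installed_version WPDIR: print $wp_version from wp-includes/version.php
installed_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# version_lt A B: exit 0 when dotted version A is lower than B
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# snapshot_install WPDIR DESTDIR: tar the running files (keep this on your
# PC alongside the database backup); prints the archive path
snapshot_install() {
    ver=$(installed_version "$1")
    out="$2/wordpress-$ver-$(date +%Y%m%d).tar"
    tar -cf "$out" -C "$(dirname "$1")" "$(basename "$1")"
    printf '%s' "$out"
}

# make_sample_install: constructed install tree claiming to be 2.9.2
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wordpress/wp-includes"
    printf "<?php\n\$wp_version = '2.9.2';\n" > "$d/wordpress/wp-includes/version.php"
    printf '<?php /* constructed wp-config */\n' > "$d/wordpress/wp-config.php"
    printf '%s' "$d/wordpress"
}

main() {
    wp=$(make_sample_install)
    latest=3.0.1                      # assumed: the version you just downloaded
    have=$(installed_version "$wp")
    if version_lt "$have" "$latest"; then
        echo "running $have, $latest available: snapshot first"
        snapshot_install "$wp" "$(dirname "$wp")"; echo
    else
        echo "running $have, already current"
    fi
    rm -rf "$(dirname "$wp")"
}

main
```

Pair the archive it produces with the database backup from the previous step; restoring both puts you back exactly where you were, which is the "as though you never upgraded" position the post describes.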


OK, this is a very simple measure, and in actual fact it is quite easy to work out that you are using WordPress, but there are reasons for this very simple security change.

In short, does your blog very proudly display somewhere, probably in the footer (the trailer), 'Powered by' (or whatever) WordPress? If so, then straight away hackers know what system you are using and any potential weaknesses it might include. Worse still is if your theme displays in the comments what version of WordPress you are using!

OK, it is easy for someone to work out that you are using WordPress – they just look for the wp-admin directory! Unfortunately, there is currently little you can do about this (WordPress does not allow you to move the admin directory, which would be a great security measure!).

If it is so easy to work it out, why is displaying the message a problem? Well, quite simply, because attackers can search on the powered by message to find blogs using WordPress that they can attack! If you display the message then they can come across your blog and start to put your defences to the test. If they never discover your blog, then they cannot attack it.

So, how do you remove it? Very simply, go to your theme editor, look in your footer and find the code! If you look at the footer and find that it is encoded, then all is not lost. Just open your blog and look at the source code (for example, in Internet Explorer, View then Source). Now look at the main index file in your editor and look down to the last few lines of the code. Identify these lines in your blog's source: the code that appears after them is your footer code. Copy and paste that into your footer file, remove the powered by line, save it and check your handiwork!

You might also like to check your header in case it is displaying the version of WordPress you are using. Not too much of an issue if you are using the current version, but why give attackers any more information than you have to?
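A quick way to check your handiwork, as an added example that is not code from the original post: save a copy of your front page (for instance with curl against your own blog's address) and grep it for the two giveaways discussed above, the generator meta tag carrying the version and a 'powered by WordPress' line. The HTML below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a saved front page for
# the generator meta tag and the 'powered by' footer line. Sample HTML is
# constructed; on a real blog save the page first, e.g.
#   curl -s https://example.com/ > front.html   (placeholder address)

# generator_version FILE: print the version from the generator meta tag
# (empty output means the tag is not there)
generator_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([^"]*\)".*/\1/p' "$1"
}

# powered_by_lines FILE: line numbers of any 'powered by ... WordPress' text
powered_by_lines() {
    grep -n -i 'powered by.*wordpress' "$1"
}

# fingerprint_count FILE: number of giveaways found (0 is what you want)
fingerprint_count() {
    n=0
    [ -n "$(generator_version "$1")" ] && n=$((n + 1))
    powered_by_lines "$1" >/dev/null 2>&1 && n=$((n + 1))
    echo "$n"
}

# make_sample_page KIND: constructed front page, 'leaky' or 'clean'
make_sample_page() {
    f=$(mktemp)
    {
        echo '<html><head><title>My Blog</title>'
        [ "$1" = leaky ] && echo '<meta name="generator" content="WordPress 2.9.2" />'
        echo '</head><body><h1>My Blog</h1><p>Hello world!</p>'
        [ "$1" = leaky ] && echo '<p>Proudly powered by <a href="https://wordpress.org/">WordPress</a></p>'
        echo '</body></html>'
    } > "$f"
    printf '%s' "$f"
}

main() {
    for kind in leaky clean; do
        page=$(make_sample_page "$kind")
        echo "== $kind page: $(fingerprint_count "$page") giveaway(s)"
        v=$(generator_version "$page")
        [ -n "$v" ] && echo "generator tag reveals version $v"
        powered_by_lines "$page" || true
        rm -f "$page"
    done
}

main
```

The generator tag is not in your theme's header file; WordPress itself adds it through the wp_generator action on wp_head, so editing the header will not remove it. The usual fix is a line of `remove_action('wp_head', 'wp_generator');` in the theme's functions.php, after which this check should report zero giveaways.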


If someone is going to attempt to attack your blog through brute force, a good password and an unusual admin id both provide a lot of protection. But if you can then lock out brute force attacks, you are really creating an impregnable fortress!

Basically, if someone is attacking your blog by trying out loads of password combinations, then if you can detect their presence and stop their logon attempts, they will not succeed in logging in. For this reason I have installed Login Lockdown, which is an excellent little plugin for WordPress blogs.

What it does is quite simple. It records failed login attempts, and if there are a certain number of failed login attempts from the same computer within a set amount of time, it prevents that computer from making any more attempts for a while. For example, the default is that 3 failed login attempts in 5 minutes lock the computer out for an hour.

It is not totally foolproof, as the attacker can change IP address, but that is every three login attempts! They could try a login every 2.5 minutes, but that only allows 24 attempts per hour, less than 530 per day. At that rate it would take weeks, even years, to guess your password.

And that is how protection against brute force attacks works: just make it so hard that the attack will take so long that the attacker ends up going elsewhere. Simple, but secure.

The only add-on I would add to this would be a notification of failed login attempts. I'm currently looking for a suitable plugin for this. The worry is that in the case of an attack, such a plugin could fill an email box. So I'm looking carefully!
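To make the rule above concrete, here is an added example that is neither code from the original post nor the Login LockDown plugin's own code: it replays the "3 failures from one address within 5 minutes means an hour's lockout" rule over a constructed failed-login log, and adds a per-address digest of failures, which is one way to be notified of attacks without an email per attempt. The log format (epoch seconds, client address, result), the addresses and the times are assumptions, and the lines are assumed to be in time order.

```shell
#!/bin/sh
# Added example (not from the original post or the Login LockDown plugin):
# replay the lockout rule over a constructed log and summarise failures.
# Log format, addresses and timings are assumed; lines must be in time order.

MAX_FAILS=3        # failures allowed ...
WINDOW=300         # ... within this many seconds (5 minutes)
LOCKOUT=3600       # lockout length in seconds (1 hour)

# lockout_events LOGFILE: print one line per lockout the rule would trigger
lockout_events() {
    awk -v max="$MAX_FAILS" -v win="$WINDOW" -v lock="$LOCKOUT" '
    $3 == "fail" {
        ip = $2; t = $1 + 0
        # attempts made while locked out are refused and not counted
        if (locked[ip] && t < locked[ip]) next
        n[ip]++; times[ip, n[ip]] = t
        # count failures from this address inside the window ending now
        c = 0
        for (i = n[ip]; i >= 1 && times[ip, i] > t - win; i--) c++
        if (c >= max) {
            locked[ip] = t + lock
            print "LOCKOUT " ip " at " t " until " t + lock
            n[ip] = 0          # start counting afresh once the lock expires
        }
    }' "$1"
}

# failure_digest LOGFILE: failures per address, busiest first (send this as
# one summary mail instead of one mail per failed attempt)
failure_digest() {
    awk '$3 == "fail" { c[$2]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# make_sample_log: constructed log. 203.0.113.5 hammers the login form;
# 198.51.100.7 spaces its attempts five minutes apart and stays under the rule.
make_sample_log() {
    f=$(mktemp)
    printf '%s\n' \
        '1000 203.0.113.5 fail' \
        '1060 203.0.113.5 fail' \
        '1100 198.51.100.7 fail' \
        '1120 203.0.113.5 fail' \
        '1200 203.0.113.5 fail' \
        '1400 198.51.100.7 fail' \
        '1700 198.51.100.7 fail' \
        '1800 192.0.2.44 ok' \
        '5000 203.0.113.5 fail' > "$f"
    printf '%s' "$f"
}

main() {
    log=$(make_sample_log)
    echo "== lockouts"; lockout_events "$log"
    echo "== failures per address"; failure_digest "$log"
    rm -f "$log"
}

main
```

The replay shows both halves of the post's argument: the fast attacker is locked out on its third failure and its next attempt is simply refused, while the slow attacker never trips the rule and only shows up in the digest, which is why the digest (rather than the lockout) is the thing worth being emailed about.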


Create A New WordPress Administrator

Renaming your WordPress blog administrator user is a huge security step, increasing the safety of your blog. So, what must you do?

It is simple. Sign on and create a new user, giving them administrator permissions. You need to provide an email address, so if you only have the one to use, change the current Admin’s email to a false address, as you can only use each email once per blog.

Now, sign on as the new administrator and, remembering the post about user ids and nicknames, give yourself a good nickname.

Finally, remove the admin id. Some people delete it and move the posts to the new administrator, whilst others just change the permissions of Admin to subscriber, meaning that the user can do nothing at all, but the posts don’t need moving.

As a sign of how important this step is, and of how WordPress does make changes to keep up with security, the system now no longer defaults the administrator to admin, which is great. But if you created your blog on a version of WordPress before 3.0.0, or you did set it up as Admin when you installed, now is the best time to put the situation right, if you have not already done so.


Choosing A New WordPress Admin Name

If you want to make sure that you beat brute force hackers, then you must change your admin userid. Here is how and why.

If a hacker is randomly trying all possible 10-letter password strings containing upper and lower case letters, numbers and a few special characters, there are around 70 to the power of 10 combinations to try. That is a lot, but still just about possible with a dedicated attack.

But if you change the admin id to be as strong, there are just as many combinations there. Now the hacker has to guess both at the same time, so 70 to the power of 10, squared.
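The counting argument above, carried through as an added worked calculation (not part of the original post). The 70-character alphabet and the 10-character length are the post's own figures; the guess rate at the end is the "less than 530 per day" quoted in the brute force post on this page, and the whole calculation assumes the attacker knows nothing about either string beyond its alphabet and length.

$$
N_{\text{pw}} = 70^{10} \approx 2.82 \times 10^{18}, \qquad \log_2 N_{\text{pw}} = 10 \log_2 70 \approx 61.3 \text{ bits}
$$

$$
N_{\text{id+pw}} = 70^{10} \cdot 70^{10} = 70^{20} \approx 7.98 \times 10^{36}, \qquad \log_2 N_{\text{id+pw}} = 20 \log_2 70 \approx 122.6 \text{ bits}
$$

$$
\text{expected guesses for the password alone} = \tfrac{1}{2} \cdot 70^{10} \approx 1.4 \times 10^{18}, \qquad \frac{1.4 \times 10^{18}}{530 \text{ per day}} \approx 2.7 \times 10^{15} \text{ days}
$$

Choosing the id as carefully as the password therefore doubles the work in bits (61.3 to 122.6), which is the "squared" in the post, and the lockout rate on its own already pushes even the single-string search far past any practical timescale.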

That is why this trick is so strong. But how to pick a new id? Well, don't use your name! They could work this out from the URL registration, your nickname or comments in your blog. So pick an admin id that is unrelated. Maybe a nickname you were known as a child (as long as you have not blogged about it!), a favourite person's name (that you have not blogged about) or just a random id that you write down and can remember with your password.

Go to the user settings and change the nickname to whatever you want to show, and make sure that your nickname is displayed on your posts, not your userid. This way hackers now have an awful lot to guess!


It sounds simple, secure your login with a good password. So, why do so many people struggle?

I know of plenty of people who think that the word “password” is a safe and reliable password. Let me tell you now that although it is one of the most common passwords, it is neither safe nor reliable! One of the first attempts a hacker will probably try is to use that as a password to gain entry to your admin.

So, what is a safe password? Well, something that you can type in without too many mistakes, and that someone else would have to spend an awfully long time guessing through brute force.

Just using letters does not give many options, and although hackers do not know whether you have used only letters, nor how many to try, if their nasty little program is just trying alphanumeric passwords, then you are a target.

By including upper case letters, lower case letters, numbers and symbols such as @ # $ and so on, you are decreasing the odds that their program will even be trying all of the characters you have used.

Many security experts also give the opposite advice to that given for your PIN: do write down your internet password. This way, you can make it extremely complicated and a lot harder for someone to guess. If they just try family names and words trawled from your blog, then a random string will protect you better.
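To put numbers on the advice above, here is an added example (not code from the original post): a small estimator that works out which character classes a password uses, the resulting number of possibilities per position, and the bits of brute-force work that gives, and flags passwords that are on a short common-password list. The class sizes, the 32-symbol estimate, the 50-bit threshold and the common-password list are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): password keyspace estimator.
# Class sizes, MIN_BITS and COMMON_PASSWORDS are assumptions for the demo.

MIN_BITS=50
COMMON_PASSWORDS="password 123456 letmein qwerty"

# charset_size PW: sum of the sizes of the character classes present
charset_size() {
    size=0
    printf '%s' "$1" | grep -q '[[:lower:]]' && size=$((size + 26))
    printf '%s' "$1" | grep -q '[[:upper:]]' && size=$((size + 26))
    printf '%s' "$1" | grep -q '[[:digit:]]' && size=$((size + 10))
    printf '%s' "$1" | grep -q '[^[:alnum:]]' && size=$((size + 32))
    echo "$size"
}

# entropy_bits PW: length * log2(charset size), to one decimal place
entropy_bits() {
    if [ -z "$1" ]; then echo 0.0; return; fi
    awk -v n="${#1}" -v s="$(charset_size "$1")" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# is_weak PW: exit 0 if the password is a known common one or needs fewer
# than MIN_BITS of brute-force work
is_weak() {
    for w in $COMMON_PASSWORDS; do
        [ "$1" = "$w" ] && return 0
    done
    bits=$(entropy_bits "$1")
    [ "${bits%.*}" -lt "$MIN_BITS" ]
}

# report PW: one-line summary
report() {
    if is_weak "$1"; then verdict=WEAK; else verdict=ok; fi
    echo "$verdict  length=${#1} charset=$(charset_size "$1") bits=$(entropy_bits "$1")"
}

main() {
    # constructed samples: the classic, a letters-only word, a random mixed string
    for pw in password holiday 'T7#kq9!vLm2'; do
        report "$pw"
    done
}

main
```

The bits figure is the honest measure of "how long to guess": eight lower-case letters give about 37.6 bits however unusual the word, and a word is worse still because it is also in every dictionary list; the 11-character mixed string in the sample gives over 70 bits, which is the kind of thing you write down rather than memorise.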
