Guest Post: Securing A Blog Against Hacking


Today’s post is our first guest post, courtesy of Charlie Stelling. Charlie (Chazz) is the founder of TheOnlineCity.co.uk – a deals and voucher-code social network that allows users to submit their own deals, earning points and badges. The site boasts its own community pages, allowing users to post their own questions and to connect with other users.

Charlie is covering a subject that becomes more relevant the more we blog, and one I have long thought would be good to cover here at some point, so thank you Charlie.

Everyone knows what a blog is; chances are, if you’re reading this, you’ve got one yourself. Having a blog on your website is often a requirement when launching any new site. It can be run by individuals and businesses alike and used to gain organic traffic.

Unfortunately, there’s one simple truth: it will probably get hacked. Even the best-prepared sites could be hacked if a hacker tried hard enough. Here are some simple things you can do to protect your site now, and some guidance should you fall victim.

The first thing you can do is to back up your site (and database) frequently. How often you publish should determine how often you back up. Keep a backup separate from your server.

Pro Tip: If you have direct access to your hosting server you can run the following commands through SSH to back up your entire website.

Linux
# run from the web root; write the archive one level up so it is not archived into itself,
# and use "." rather than "./*" so dotfiles such as .htaccess are included
tar -czvf ../backup.tar.gz .
mysqldump -u username -p database_name > ../backup.sql
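As an added example that is not part of the original post, the script below turns the two commands above into a small routine: it archives the site directory to a timestamped file outside the site tree, dumps the database when mysqldump is installed (reading the user from the MYSQL_USER environment variable, an assumption of this example), and verifies the archive before you copy it off the server. All paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): archive a site directory and,
# when mysqldump is available, its database, then verify the archive.
# Paths and credentials below are placeholders you replace.

set -eu

# Create a timestamped tar.gz of SITE_DIR inside DEST_DIR and print its path.
# The archive is written outside the site tree so tar never tries to archive
# the file it is writing.
backup_site() {
    site_dir="$1"
    dest_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/site-$stamp.tar.gz"
    mkdir -p "$dest_dir"
    # -C keeps paths relative; "." also picks up dotfiles such as .htaccess,
    # which "./*" would miss.
    tar -czf "$archive" -C "$site_dir" .
    printf '%s\n' "$archive"
}

# Dump the database next to the archive, if mysqldump is installed.
# The user comes from MYSQL_USER (assumed name) and the password from the
# MYSQL_PWD variable mysqldump itself honours, so neither shows in `ps`.
backup_db() {
    db_name="$1"
    dest_dir="$2"
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "mysqldump not found, skipping database dump" >&2
        return 0
    fi
    mysqldump -u "${MYSQL_USER:-backup}" "$db_name" > "$dest_dir/$db_name.sql"
}

# Confirm the archive is readable and contains the expected file.
# Returns 0 when the entry is present, 1 otherwise.
verify_backup() {
    archive="$1"
    expected="$2"
    tar -tzf "$archive" | grep -qxF "./$expected"
}

# Usage (placeholder paths): ./backup.sh /var/www/html /var/backups wordpress_db
if [ "$#" -eq 3 ]; then
    archive=$(backup_site "$1" "$2")
    backup_db "$3" "$2"
    verify_backup "$archive" index.php && echo "backup OK: $archive"
fi
```

The verify step matters: a backup you have never listed is a backup you only hope exists. Copy the resulting files off the server (scp, rsync, or object storage) once the check passes.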

WordPress is a great platform that can be installed by users with little or no-coding experience. Millions of users depend on WordPress to allow them to manage the content of their website.

WordPress has a great number of advantages but has several flaws. WordPress is open-source, meaning anyone can see its code. This makes it easier for hackers to find and test ways of getting around its security. When a vulnerability is found, it doesn’t take long for the bug to be passed around the hacking underworld. WordPress frequently releases updates that address these vulnerabilities; however, your site is exposed whilst it is not fully updated.

When creating a new WordPress blog, the first thing I do after installation is to install the Wordfence plugin. This free plugin can be obtained through the plugin tab, and is particularly good at notifying you about a number of issues.

You will periodically receive an email when the plugin detects that WordPress, plugins or themes are out of date and should be updated. As discussed previously, the importance of updating is paramount. Additionally, Wordfence compares these files against the official versions held in the WordPress repository. If it spots that files have been tampered with, i.e. potentially hacked, it will notify you. What’s more, the plugin will also notify you if your content contains malicious URLs. This can help keep you off Google’s SEO black-list.

This is just one example of a WordPress security plugin that you could install on your site. There are several which do an equally good job in terms of security (including ‘Better WordPress Security Plugin’).

This next one is less of a security concern, but it can help your site look less spammy. The Akismet comments plugin offers a range of packages, including a free basic tier that can prevent spam comments from accruing on your site. More advanced packages can even periodically back up your site and perform malware searches. A good investment if your blog is vital to your business.

Make sure every user is using a strong password. Basic passwords can be cracked in a matter of minutes. If you have been hacked, make sure all passwords are reset. Remember to reset FTP and database passwords if applicable. Use letters, numbers and punctuation marks where possible. WordPress auto-generates strong passwords; you shouldn’t really be using anything weaker.

Only install tested plugins. Plugins with a low star-rating and/or a low installation count should be avoided. If you’re not 100% sure, review the code yourself if possible. If you must have the plugin’s functionality but don’t trust the plugin, you should seek out a web development company for assistance.

More advanced checks can be performed on your web server, including:

  • Securing file permissions (avoid 777)
  • Changing SSH port
  • Sanitizing all user input / Prepared Queries
  • .htaccess / NGINX rules to prevent PHP executing in upload directories.
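To make the first and last items on that list concrete, here is an added example (my own script, not something from the original post or from WordPress) that audits a web root for world-writable (777) files and directories, resets them to the usual 755/644 baseline, and writes an .htaccess into the uploads directory so Apache refuses to run PHP there. The equivalent NGINX rule is shown as a comment. The web-root path and the uploads path are placeholders; input sanitising and prepared queries are code-level changes and are not covered here.

```shell
#!/bin/sh
# Added example, not from the original post: audit and tighten file
# permissions under a web root and block PHP execution in the uploads
# directory. Paths are placeholders.

set -eu

# Print every path under ROOT whose mode is exactly 0777 (rwx for everyone).
# A 777 directory lets any local process, including a compromised PHP
# worker, drop files anywhere in the site.
find_world_writable() {
    find "$1" -perm 0777 \( -type f -o -type d \) -print
}

# Count of 0777 entries under ROOT, for a quick pass/fail check.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten a WordPress tree to the common baseline: 755 on directories,
# 644 on files, so only the owning account can write.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Write an .htaccess that stops Apache executing PHP in an uploads directory.
# A file uploaded through a vulnerable plugin is then served as plain data
# instead of being run as code.
harden_uploads_apache() {
    uploads="$1"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Deny execution of PHP in this directory (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Equivalent NGINX rule, placed inside the server block (for reference):
#   location ~* /wp-content/uploads/.*\.php$ { deny all; }

# Usage (placeholder path): ./audit.sh /var/www/html
if [ "$#" -eq 1 ]; then
    echo "world-writable entries under $1:"
    find_world_writable "$1"
fi
```

Run the audit before and after the fix; a clean tree reports zero 777 entries. Apache only honours the .htaccess file if AllowOverride permits it for that directory, so check the result by requesting a harmless test file in uploads and confirming you get a 403 rather than executed output.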

If you do find that your site has been hacked, there are a number of things you can do depending on the severity of the hack. If you don’t have a backup you will either need a professional or a self-help guide. We will update this content once we have written a DIY ‘So You’ve Been Hacked..’ guide.

If you have any advice on how to better protect your blog, or you’ve been hacked yourself, let us know about it in the comments. We’d love to hear from you!

By Charlie Stelling