10 Steps to Secure Your WordPress Blog From Hackers









Today's guest post is from Triona Guidry, a computer consultant and freelance writer
in the northwest suburbs of Chicago. Her
blog offers tech support for Windows and Mac, security alerts, and advice on blogs
and social media.








--



Writers depend on blogs to promote their work, interact with readers, and attract
the attention of agents and publishers. But what if you discover that all your links
have been changed to porn sites, or that your readers are being spammed?




You need to know how to protect your blog, and what to do if it's hacked.




The following advice is geared toward those running their own installations of WordPress,
but most of it also applies to those hosting their blogs with WordPress.com, Blogger,
or other services, where the host patches the software but you still own the passwords,
the accounts, and the comment queue.




The main idea behind practical computer security is to avoid being the "low-hanging fruit."
Most attacks on blogs are automated and opportunistic: the same script tries thousands of
sites, and it moves on from the ones that resist to the ones that don't.




1. Use strong, unique passwords for your blog and for your other accounts.


You may groan at the idea of different passwords for every site, but ask yourself
whether you would rather remember passwords or deal with the aftermath of being hacked.
Passwords should be at least eight characters (longer is better) and contain a mix of
letters, numbers, and symbols. Try mnemonics like substituting symbols for letters in
words, but remember that the common substitutions (0 for o, @ for a) are in every
cracking dictionary, so length matters more than cleverness. Better still, use a
password generator and a password manager to store the results. Please don't rotate
between the same two or three passwords, and don't use common words with exclamation
points at the end. Unique passwords matter because a breach at one site is followed by
automated attempts to reuse the leaked password everywhere else.




2. Post as "editor" instead of "administrator."


Editor accounts can create, modify, and publish posts, but can't install plug-ins or
themes, add users, or change WordPress settings, so a stolen editor password does much
less damage than a stolen administrator password. Create a new administrator account with
a username that isn't "admin" (automated login attempts nearly always try "admin" first),
then delete or demote the default account, reassigning its posts to the new one. Log in as
administrator only when you need to update or configure WordPress. One caveat: on a
single-site install, editors can still publish unfiltered HTML, so an editor account is
not a sandbox; its password deserves the same care.




3. Keep WordPress up to date.


There will be a reminder on your Dashboard if there is a new version available. Don't
forget to update your plug-ins and themes also; most compromised WordPress sites are
broken into through an outdated plug-in, not through WordPress itself. Delete plug-ins
and themes you no longer use, since inactive code on disk can still be exploited.




4. If applicable to you: Keep your server's system software updated with the latest
bug fixes and patches, and don't run beta software on the production server.



If you want to test something, create a separate server you can use for experimentation
and staging. Old computers are great for this purpose, as are cheap virtual machines.




5. Use the WordPress Exploit Scanner Plug-In.


It searches your WordPress files, database, and active plug-ins for code patterns that
are typical of injected back doors and spam links, and reports anything suspicious for
you to examine. It's a good idea to run this utility on a regular basis. Keep in mind
that it is a detector, not a cleaner, and that a scanner running inside a compromised
site can itself be tampered with, so its silence is not proof of a clean install.





6. Never access WordPress from public wireless networks.


Anyone on the same open network can capture traffic that isn't encrypted, and hackers
and their automated password-harvesting software often lurk there. Unless you force the
login and dashboard onto HTTPS (the FORCE_SSL_ADMIN setting in wp-config.php), the
WordPress login form sends your password in the clear.


The same advice goes for e-mail, Facebook, and especially your financial accounts.
If you must work from a coffee shop, use a VPN.




7. Keep the computers on your network free of viruses.


A keylogger on your own PC captures your blog password no matter how strong it is. The
easiest way to stay clean is to follow my four steps to computer security: a security
software suite, a firewall, strong unique passwords, and a method for keeping your
software updated, including your applications (Microsoft Office, Adobe Reader, Flash,
etc.) and your operating system (Windows or Mac).




If you are using free antivirus, consider a paid version. I used to recommend the
freebies, but I've seen so many infections in my consulting business that I decided
they don't offer adequate protection anymore.




8. Make backups of your blog.



There are a number of WordPress plug-ins that compress your blog files into an archive
which can be stored on your local computer. A complete backup has two parts: the files
(wp-content with your uploads, themes, and plug-ins, plus wp-config.php) and the database
(posts, comments, users, and settings). Keep copies somewhere other than the server
itself, since an attacker who controls the server can delete them, and test a restore
now and then; a backup you have never restored is a hope, not a backup. The archive
contains your database password, so protect it like one.
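The backup routine described above, written out as an added example (this is not the post's own code and not any particular plug-in's). It assumes a self-hosted install whose root directory is passed as an argument, the standard mysqldump client for the database half, and sha256sum for the archive checksum. The database password is read from wp-config.php rather than typed on the command line, where it would show up in the process list.

```shell
#!/bin/sh
# Back up a self-hosted WordPress site: files as a tar archive with a recorded
# checksum, and the database via mysqldump using the credentials in wp-config.php.

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {  # wp_config_value WP_CONFIG NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole site directory, record a SHA-256 of the archive, and prove the
# archive can be read back before calling the backup done. Prints the archive path.
backup_files() {  # backup_files WP_ROOT DEST_DIR
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/wordpress-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    # A backup you cannot read back is not a backup: list it and fail if it is corrupt.
    tar -tzf "$archive" > /dev/null || { echo "archive unreadable: $archive" >&2; return 1; }
    printf '%s\n' "$archive"
}

# Dump the database named in wp-config.php. MYSQL_PWD keeps the password out of
# the command line; --single-transaction gives a consistent snapshot of InnoDB tables.
# (Requires the mysql client tools on the server.)
dump_database() {  # dump_database WP_ROOT OUTFILE.sql.gz
    cfg="$1/wp-config.php"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump \
        --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$2"
}

# Typical nightly use (paths are hypothetical):
#   backup_files /var/www/blog /backups && dump_database /var/www/blog /backups/blog-db.sql.gz
```

Copy the resulting archive, its .sha256 file, and the database dump off the server (rsync to another machine, or an offsite storage bucket) and verify the checksum after the copy; the .sha256 file is what tells you later that the copy you are about to restore is the one you made.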




9. Monitor your server's logs.


If someone is trying to get in, you may find the first evidence here: hundreds of POST
requests to wp-login.php from one address in a few minutes, requests for files that
don't exist on your site, or PHP files being fetched from inside wp-content/uploads,
where no PHP file should be. Look at the logs often enough to know what normal looks
like, or you won't recognize abnormal.
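One concrete check to run over the web server's access log, as an added example (not part of the original post): count login POSTs per client address and report the addresses above a threshold. It assumes the Apache/nginx "combined" log format, where the first field is the client IP and the request line is the quoted sixth through eighth fields. The sample log lines in demo_log are constructed for illustration, not real traffic.

```shell
#!/bin/sh
# Flag client IPs that POST to wp-login.php (or xmlrpc.php, which also accepts
# logins) at least THRESHOLD times in a combined-format access log.
# Usage: flag_login_bruteforce ACCESS_LOG [THRESHOLD]   (default threshold 10)
flag_login_bruteforce() {
    log="$1"
    threshold="${2:-10}"
    # $1 = client IP; $6 = "METHOD (leading quote kept); $7 = request path.
    awk -v limit="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' "$log" | sort -k2,2nr
}

# Write a small constructed log to a temp file and print its path.
# One reader, one legitimate login, one address hammering the login form,
# and one probing xmlrpc.php twice.
demo_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
198.51.100.4 - - [28/Mar/2011:10:05:01 -0500] "GET /2011/03/new-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Mar/2011:10:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2011:10:06:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-urllib/2.6"
203.0.113.7 - - [28/Mar/2011:10:06:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-urllib/2.6"
203.0.113.7 - - [28/Mar/2011:10:06:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-urllib/2.6"
203.0.113.7 - - [28/Mar/2011:10:06:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-urllib/2.6"
192.0.2.9 - - [28/Mar/2011:10:07:11 -0500] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/4.0"
192.0.2.9 - - [28/Mar/2011:10:07:12 -0500] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/4.0"
EOF
    printf '%s\n' "$tmp"
}

# Example run (prints "203.0.113.7 4"):
#   flag_login_bruteforce "$(demo_log)" 3
```

A real login is a handful of POSTs at most; dozens per minute from one address is a dictionary attack. Once you know the pattern, a tool such as fail2ban can run the same match against the live log and block the address at the firewall automatically.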




10. Moderate comments, and never approve spam comments.


To tell if a comment is spam, look for poor grammar and punctuation, web sites that
don't match e-mail addresses, foreign languages, lengthy lists of links, and comments
on ancient posts. When in doubt, don't approve.





What if your blog has been hacked?


First, how do you know if your blog has been hacked? Usually your links have been
changed or posts appear that you didn't create; that's a good indication. Other common
signs are search results for your site showing pharmacy or gambling keywords, readers
reporting browser warnings or redirects, and administrator accounts you didn't create
in the Users list. But there may not be any visible signs, which is why monitoring is
so important.




If you discover you've been hacked, here's how to rescue your blog:




Change all passwords immediately: every WordPress user, the database user, and the
server itself (hosting control panel, FTP, and SSH). This won't get rid of any bad
links or back doors, but it will give you time. You should also change the password
for your e-mail account, especially if someone has used the "reset password" page,
since whoever controls that mailbox can reset your WordPress password again.



Next, change your secret keys (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and
NONCE_KEY constants and their matching salts in wp-config.php). WordPress signs login
cookies with these keys, so until you change them the hackers will be able to stay
logged in even if you change your passwords, because their cookies will still be valid.
New keys invalidate every existing session, yours included. You can find out how to do
this in the WordPress Codex FAQ on what to do if you've been hacked.
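The key rotation described above, as an added example for a self-hosted install (it is not the post's own code and not the Codex's procedure verbatim). It assumes wp-config.php uses the standard define('AUTH_KEY', '...') lines and that openssl is installed. A dated copy of the old file is kept so a typo can be undone; delete that copy once the site works, since it holds the old keys.

```shell
#!/bin/sh
# Replace the eight authentication keys and salts in wp-config.php with fresh
# random values. WordPress signs login cookies with these, so every existing
# session (including an attacker's) becomes invalid as soon as the file is saved.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters. base64 output never contains a quote, backslash, '&' or '|',
# so the value is safe inside a PHP single-quoted string and inside the sed below.
new_salt() {
    openssl rand -base64 48 | tr -d '\n'
}

# Read the current value of a define('NAME', 'value') line (used to verify the rewrite).
salt_value() {  # salt_value WP_CONFIG NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Rewrite each define line in place, leaving everything else in the file untouched.
rotate_wp_salts() {  # rotate_wp_salts WP_CONFIG
    cfg="$1"
    cp -p "$cfg" "$cfg.bak.$(date +%s)"   # keep the old file; remove it once you are done
    for name in $WP_SALT_NAMES; do
        salt=$(new_salt)
        # Match only the line defining this constant; keep its prefix, swap the value.
        sed -i.tmp "s|^\([[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*\)['\"][^'\"]*['\"]|\1'$salt'|" "$cfg"
        rm -f "$cfg.tmp"
    done
}

# Example (path is hypothetical):
#   rotate_wp_salts /var/www/blog/wp-config.php
```

After running it, reload the site: every browser, including yours, is sent back to the login page, which is exactly the point. If any of the eight constants is missing from your wp-config.php (older installs sometimes have only four), add the missing define lines before running the rotation, since the sed only rewrites lines that already exist.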







Scan your computer for viruses and malware. There's no point in using a contaminated
computer to fix a contaminated server.






If your WordPress server is hosted elsewhere, contact your provider. Other blogs on
the same server may have been affected, and your provider can offer information and
assistance.




While it's possible to clean up WordPress after it's been hijacked, it's safer and
easier to wipe WordPress, reinstall it from a fresh download, then restore your blog
from a backup taken before the break-in. Two caveats: find and fix the hole first (an
outdated plug-in, a stolen password), or the clean install will be hijacked the same way,
and check the database as well as the files, since injected links, script tags, and
extra administrator accounts live there, not on disk. If you choose not to reinstall,
you need to check anywhere hackers could have installed back doors: in your .htaccess
files, in your PHP scripts, in the uploads folder, and so forth. Again, the WordPress
Codex has advice on what to do. Be sure to download clean versions of your theme and
plug-ins rather than reusing the copies on the server. When WordPress is clean, change
your passwords again. Finally, make another backup of the cleaned blog and monitor your
logs to look for further hijack attempts.
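A first pass over the hiding places listed above (and the kind of pattern search the Exploit Scanner plug-in from step 5 performs), as an added example that is not the post's own code and not the plug-in's. It assumes a self-hosted install whose root directory is passed as an argument. It reports leads, not verdicts: a hit is something to open and read, and a clean run is not proof of a clean site, which is why the reinstall-from-backup route above is the safer one.

```shell
#!/bin/sh
# Look for the places a WordPress backdoor usually hides: PHP files inside
# wp-content/uploads (there should be none), files using code patterns that
# legitimate themes and plug-ins almost never use, and .htaccess directives
# that load or redirect to attacker-controlled code.

# Obfuscated eval() and "run whatever the request says" patterns.
SUSPECT_CODE='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)|(system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
# Directives that prepend attacker code to every request, redirect visitors
# elsewhere, or make non-PHP extensions execute as PHP.
SUSPECT_HTACCESS='auto_prepend_file|auto_append_file|RewriteRule.*https?://|AddHandler.*php|AddType.*php'

# Prints one line per finding: "REASON path". Usage: scan_for_backdoors WP_ROOT
scan_for_backdoors() {
    root="$1"
    # 1. Any executable PHP under uploads is wrong by definition.
    find "$root/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \) 2>/dev/null |
        sed 's/^/php-in-uploads /'
    # 2. Suspicious code patterns anywhere in the tree (core, themes, plug-ins, uploads).
    find "$root" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \) -print0 2>/dev/null |
        xargs -0 grep -lE -- "$SUSPECT_CODE" 2>/dev/null |
        sed 's/^/suspicious-code /'
    # 3. Every .htaccess in the tree, not just the top-level one.
    find "$root" -type f -name '.htaccess' -print0 2>/dev/null |
        xargs -0 grep -lE -- "$SUSPECT_HTACCESS" 2>/dev/null |
        sed 's/^/htaccess /'
}

# Example (path is hypothetical):
#   scan_for_backdoors /var/www/blog
```

Expect a few false positives from legitimate plug-ins that happen to call exec() or ship minified code; read the hit before deleting anything. For the WordPress core files themselves a stronger check is to compare them against the official release (WP-CLI's "wp core verify-checksums" does this), because a back door dropped into a core file need not use any of the patterns above.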




If you make blog security part of your routine, like checking your email, you can
dismiss your worries and get back to your writing.




Additional Resources




Hardening WordPress from
the WordPress Codex



WordPress Codex: Security FAQ 


Triona's
Tech Tips: How To Create Secure Passwords







--



Many thanks to Triona for this excellent advice on site security. Be
sure to visit her blog.





If you're thinking of starting your own website, or would like information on how
to improve your site/blog—from a content perspective, not a technical/security perspective—you'll
want to check out the class that I am offering on April 7. Registration
will soon appear here.



Published on March 28, 2011 10:05

Jane Friedman