Don’t Let Hackers Crash Your Blogging Party

This is a guest post by Robert Regehr.

Are you a full-time blogger earning a living from your WordPress blogs or an aspiring Problogger with your first taste of the freedom that comes from blogging? There’s a ton of really good advice out there on getting up and running from bloggers like Darren Rowse and Yaro Stark. However, there’s shockingly little on protecting your blogging nest egg. If you rely on income from blogging to support your family you need to secure your WordPress installations immediately. Here are five actionable steps you can take today to ensure hackers won’t disrupt the income stream you’ve worked so hard to build from blogging.

What’s All The Fuss About? I’ve Never Been Hacked

The default WordPress install is about as secure as a wet paper bag, especially if you make a habit of blogging from your favorite coffee shop. You’ve put a lot of hard work into enjoying the rewards that come from blogging. The last thing you want is some script kiddie or hacker taking over your site; it’d be like someone breaking into your home and robbing you blind.

I’m sure you’re very careful when shopping or banking on the Internet; would you ever consider logging into online banking or shopping without looking for the “https” in the URL? If you’re like me and blog with a white chocolate mocha on free Wi-Fi, you’re pretty much shouting your username and passwords to anyone within earshot. Public access points in coffee shops and cafes are far from secure and you never know who’s sitting across from you with a packet sniffer watching your every move.

Fortunately there are steps you can take to secure WordPress and protect yourself. I’m not just talking about using stronger passwords but actual bank level security for your site. If you’re serious about earning a living from your blogs you simply cannot ignore security when it comes to protecting your online assets.

Step One: Secure Your WordPress Dashboard

When you log into the WordPress dashboard, your login credentials are transmitted in plain text and are unencrypted. (Remember, default install = secure as a wet paper bag) This means your dashboard session can be intercepted and hijacked, something I’m sure you’d like to avoid.

The most important thing you can do to secure your blog is install an SSL (Secure Sockets Layer) certificate on your site to protect your admin dashboard. What this does is encrypt everything you do in the dashboard between your browser and your webhost, just like your bank does with online banking.

I’m not going to get into the technical aspects of installing SSL certificates; your webhost can do that for you. Think SSL is overkill? I’m not talking about running your entire site on SSL, just the admin. If you’re not securing the WordPress dashboard everything you do is being sent in the clear for anyone with a packet sniffer to exploit.

If purchasing a certificate is not within your budget, contact your webhost about using their shared certificate. While shared SSL is not as good as buying your own, shared SSL is better than no SSL. If you want to purchase your own certificate there are plenty of affordable options available from companies like Verisign and Comodo. You’ll need a dedicated IP address for your blog which may or may not be included in your web hosting plan.

Once your webhost has installed the certificate and verified that it’s working correctly you need to let WordPress know to start using SSL for the dashboard. In your installation root folder locate the file wp-config.php and simply add this line to enable SSL for your dashboard:


define('FORCE_SSL_ADMIN', true);

This will enable SSL for your dashboard; however, you’ll probably see browser warnings because some dashboard content is still loaded unencrypted (mixed content). Fortunately, there are plugins available to force WordPress to encrypt everything in your dashboard, eliminating these warnings. I use WordPress HTTPS by Mike Ems and find it does a nice job of forcing SSL for all dashboard content.

http://wordpress.org/extend/plugins/wordpress-https/

You can verify that SSL is working correctly by using the Chrome browser to log into your WordPress Admin and you’ll see the green padlock and https in the address bar.

Step Two: Install WordPress Secret Keys

Hackers can exploit cookies found on your computer to gain access to your dashboard even if you’re using SSL. Fortunately, WordPress allows you to configure secret keys for strong encryption cookie goodness. Why this isn’t done by default is beyond me; however, it’s very easy to enable.

You’ll need to access that wp-config.php file again from the previous step. First, generate your secret keys using the WordPress API located here:

https://api.wordpress.org/secret-key/1.1/salt

You’ll get something that looks like this:

[Image: wordpress-secret-keys]

Notice that the keys change every time you refresh the page so your keys will be unique; don’t share these keys with anyone and please don’t use the ones I’ve shown here. Simply add your keys to your wp-config.php file, replacing any that might already exist. (I didn’t have any in my wp-config.php) That’s it! You’re now protected from cheeky cookie-exploiting criminals.
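The key swap described above can be scripted so that the placeholder lines are removed rather than left behind. This is an added example, not code from the original post or from WordPress; it assumes you have saved the API output to a file and that wp-config.php opens with a `<?php` tag:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: install the eight secret keys
# and salts (as returned by https://api.wordpress.org/secret-key/1.1/salt,
# saved to a file) into wp-config.php, and check that none of them is still
# the stock placeholder "put your unique phrase here".
set -u

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
KEY_RE="define\([[:space:]]*'(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)'"

# install_salts <wp-config.php> <salt-file>
# Removes every existing define() for the eight keys (placeholder or old)
# and inserts the lines from <salt-file> right after the opening <?php tag.
install_salts() {
  local cfg="$1" salts="$2" tmp
  tmp="$(mktemp)"
  grep -vE "$KEY_RE" "$cfg" > "$tmp" || true
  awk -v saltfile="$salts" '
    !done && /<[?]php/ { print; while ((getline l < saltfile) > 0) print l; done = 1; next }
    { print }' "$tmp" > "$cfg"
  rm -f "$tmp"
}

# check_salts <wp-config.php>
# Returns 0 when all eight keys are defined with a non-placeholder value;
# otherwise prints each missing or placeholder key and returns 1.
check_salts() {
  local cfg="$1" key rc=0
  for key in $WP_KEYS; do
    if ! grep -qE "define\([[:space:]]*'$key'" "$cfg"; then
      echo "missing: $key"; rc=1
    elif grep -E "define\([[:space:]]*'$key'" "$cfg" | grep -q 'put your unique phrase here'; then
      echo "placeholder: $key"; rc=1
    fi
  done
  return "$rc"
}

# Usage: save the API output to salts.txt, then
#   ./wp-salts.sh /path/to/wp-config.php salts.txt
if [ $# -eq 2 ]; then
  install_salts "$1" "$2" && check_salts "$1"
fi
```

Run check_salts on its own any time to confirm no key has slipped back to the placeholder, for example after restoring a backup.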

Step Three: Deny Access to wp-config.php

Now that we’ve enabled SSL and set up secret keys in our wp-config.php, we need to deny access to this file. This is easy to accomplish by editing the .htaccess file found in the root directory of our WordPress install. If you’re not comfortable editing any of the files discussed today, make sure you have someone trustworthy make the changes for you.

You should already have the .htaccess file in your WordPress install root directory if you’ve enabled permalinks on the site, so simply add this code to the end of that file:


<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

This will prevent anyone from looking at your wp-config.php file using a web browser. Note that if a hacker gains access to your webhost they will have access to everything… which is of course, very bad.

Step Four: Kill the Admin Account

If you’re still using “admin” as your WordPress login, shame on you! The problem with using the admin account is that hackers know it exists and can attack the login with brute force. Most WordPress users don’t bother to change the default settings, reinforcing our notion of security by wet paper bag. If you’re still blogging under the admin account you’re well on your way to getting hacked. Even if you’re not using the admin account but it still exists you’re vulnerable; make sure this account has been deleted from your user list.

Fortunately it’s very easy to delete the admin account. In your dashboard, create another user account with a custom username and grant it administrative rights. Log in to your dashboard using your new account and delete the old admin account. WordPress will prompt you to transfer all the posts you’ve made under the admin account to another user; just make sure you don’t mess this up.

Step Five: Rename The WP Tables Prefix

Another feature of wet paper bag security found in WordPress is that the SQL table prefix is “wp” by default. If a hacker knows your table prefix then you’re vulnerable to SQL injection attacks. What you need to do to protect yourself from this exploit is rename the prefix. This used to be tricky because you’d have to log in to phpMyAdmin and change the prefix manually; however, there are a number of plugins that automate this process for you. One example of a plugin with this functionality is Secure WordPress:

http://wordpress.org/extend/plugins/secure-wordpress/

WordPress Security by Website Defender is free and not only renames that table prefix for you but will perform several security checks on your site, even back up your database and scan for malware. You can’t beat free when it comes to good plugins, and this one is a must for every WordPress installation.

Securing WordPress Doesn’t Have to be Difficult

There you have it; five actionable steps you can complete today to make sure your blog and income are protected. Talk to anyone that’s had their site hacked and you’ll quickly discover the threat is real. Part of succeeding as a blogger is treating your blog as a serious business; this is why you simply cannot afford to ignore your blog’s security any longer.


Comments

  1. says

    Thanks for this information. I thought I was being somewhat safe by killing the link to log in through the footer and having a killer password. I see that I was not even close. I will be using this information to add security to my site. Thanks.
    Bryan just posted Countdown of things I’ve Learned

  2. says

    I can say I am one of those people who say “Oh, that will never happen to me” until it does. It is not worth losing everything. Thank you for sharing your tips. You can never be too careful.

  3. says

    Thanks for sharing these awesome tips. For people who have never been hacked, let me assure you that it is not something you want to deal with. It is much easier to take the necessary precautions to protect yourself. Do you really want to risk all your hard work?

  4. says

    You bring up a lot of really good points in this article. People do not usually think about blog security and it’s a very important issue. It’s also important for people to think about their passwords. Too often I see people choose passwords that are really easy to guess and they never take it seriously when I tell them to choose a more difficult password. If your password is still password123, please please change it!

  5. says

    I am super paranoid about these issues, so I have taken a lot of precautions, but I still haven’t heard of most of this stuff! Thanks for bringing it up.

  6. says

    My main blog has never been hacked but my fitness blog has been hacked many times. Thank goodness I have a WordPress guru that has helped me. I thought I would mention that there are WordPress plugins as well. I get emails when people are attempting to hack my blog and they are locked out after the 3rd attempt. Secure WordPress & WordPress Defender are the ones that come to mind that I’ve installed. I haven’t had any problems lately! It was definitely a pain!!

  7. says

    Awesome tips. So far I’ve been lucky not to have been hacked. *cross fingers*. However, I still try to be security conscious and generally put your tips into practice on my blog. One note is that ask does slow down a site ever so slightly, but I think it’s worth the trade off.
    Richard just posted Choosing the Right Host for Your Blog

  8. says

    Great advice,

    Privacy has become a main issue in today’s era; if you are a famous person in the online market then anybody can try to hurt you through your privacy via your blog/site. So these are good tips to stop that kind of activity, which can hurt you in many ways.
    India carnival just posted Goa Holidya Packages

  9. says

    Thanks for answering a question that has been on my mind.

    Getting my blog hacked is one of my worst nightmares. My friend was hacked and my hotmail account also. But, MY BLOG…. after spending thousands of dollars and 3 years; NO!!!

    Of course, I have back up files and such. But, I want my blog up and running at all times. So, I bookmarked your article, and will study it with my designer–ASAP.
    David Sneen just posted Imagine–Monthly Raises!

  10. says

    Here’s a bonus tip: Use a VPN service (Virtual Private Network) like Cloak (getcloak.com) at Starbucks to encrypt everything you do on public wifi for the cost per month of a latte and a pastry.
    Robert Regehr just posted Cash Out Refinance

  11. says

    Thanks for the tips you have shared here. In my first WP blog, I really experienced being hacked. But there is no big deal because I was not serious then about updating the blog. At the time that it was hacked, every time I scanned my WP installation, it detected something malicious in the code. But I could not fix it because I don’t have enough knowledge in PHP. What I did was copy all the five articles into a notepad and reinstall WordPress on my webhost.

    With that experience, I’m researching different ways to secure my installation to stop intruders from accessing my files. And again thanks for this informative post because it will somehow add more security to my present and future WP installations.
    Joel just posted 18 Useful Online Resources for WordPress Tips and Tricks

  12. says

    Hi Robert,

    There is no doubt that this is a great post, and I would certainly stand behind everything mentioned here. While I know it is WordPress specific, I wanted to add my “two cents” with website security in general. Since I build web servers and email servers, I know the vulnerability that servers receive constantly. One thing I would propose in addition to these items is for users to try and avoid using an FTP client without using sftp:// (secure). Many may find a shared hosting environment difficult to obtain this, but I would certainly ask. Using an SSH file manager like Bitvise Tunnelier will keep all data encrypted (whether through a server signed SSL or validated). Other commonly used FTP clients like Filezilla are also capable of this using (generally) port 22 versus 21. This will prevent key-logging, which is a very powerful method of site hacking. Maybe Mrs. Hines will let this definition of Keystroke Logging go through. All the best,

    Bryan

  13. says

    Here’s one thing that I do with all of my websites. I set up a cron job that creates a unique checksum of all of the php files on my website.

    If any file gets changed in any way, shape or form, the checksum will change and I get sent an email telling me that I’ve been hacked.

    Then, you can use the following command to see which files have changed
    find /path/to/your/folder -cmin -62 -print

    This job runs every hour for all of my websites. It’s inevitable that you will get hacked at some point. The key is identifying when and reacting swiftly.
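The checksum-and-compare job the comment above describes, written out as an added example (not the commenter’s own script, and not part of the original post). It assumes sha256sum from GNU coreutils and that the baseline file is stored outside the web root:

```bash
#!/usr/bin/env bash
# Added example, not the commenter's own script: keep a SHA-256 baseline of
# every .php file under a WordPress root and report files that changed,
# appeared or disappeared since the baseline was taken. Run verify_baseline
# from an hourly cron job and let cron mail the output (MAILTO) on failure.
set -u

# make_baseline <wp-root> <baseline-file>
# Writes "<sha256>  ./relative/path.php" lines, sorted by path.
make_baseline() {
  local root="$1" out="$2"
  ( cd "$root" && find . -type f -name '*.php' -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# verify_baseline <wp-root> <baseline-file>
# Rehashes the tree, prints CHANGED / ADDED / REMOVED lines and returns 1
# when anything differs, 0 when the tree matches the baseline exactly.
verify_baseline() {
  local root="$1" base="$2" now report
  now="$(mktemp)"
  make_baseline "$root" "$now"
  # The path starts at column 67: 64 hex digits plus the two-space separator.
  report="$(awk -v basefile="$base" '
    FILENAME == basefile { base[substr($0, 67)] = $1; next }
    { p = substr($0, 67)
      if (!(p in base))        print "ADDED   " p
      else if (base[p] != $1)  print "CHANGED " p
      delete base[p] }
    END { for (p in base) print "REMOVED " p }' "$base" "$now" | LC_ALL=C sort)"
  rm -f "$now"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Usage: ./phpsum.sh baseline /var/www/blog /var/lib/phpsum/blog.sha256
#        ./phpsum.sh verify   /var/www/blog /var/lib/phpsum/blog.sha256
case "${1:-}" in
  baseline) make_baseline "$2" "$3" ;;
  verify)   verify_baseline "$2" "$3" ;;
esac
```

Re-run the baseline step after every legitimate core, theme or plugin update, otherwise the next verify run will flag your own changes.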

  14. says

    Some excellent advice there Robert – thanks for sharing it with us. I’ve just done one of them immediately (deleted the old admin) – the other I’ll gradually add. I actually never blog or access my site from a public arena, so maybe that helps a little (not wanting to tempt fate!). However – as you say, when our website is our main place of business it makes sense to get as much protection as possible – just as you would for a brick n mortar business!
    Tanya Smith Lorenz just posted Social Media Basics