We have been looking for valuable guest posts for a long time. Many of our readers submitted articles, but we rejected most of them, either because they were copied or because they were of little importance. Security tips are something a blogger needs at every step. Mr. Satyajit, who is an active blogger from Cuttack, Orissa, India, is coming up with an exciting article about security tips for bloggers who blog on the Google Blogger and WordPress platforms. I request my readers to send us comments about this incredible post.
GUEST POST by a genius blogger with a cool heart and a great personality: Mr. Satyajit Das
Feel his incredible works at |
Many people nowadays are very serious about blogging and have even picked it up as their profession, but at the same time a few tend to forget about the security issues that come with blogging. Have you ever thought about what would happen if you had a high-traffic blog that is a good source of income to you, and one day it got compromised or hacked? So in this post I will illustrate a few security tips for bloggers.
Note: This post is mainly for people who have their blog on the www.blogger.com and www.wordpress.com platforms.
1. Phishing and Keylogging Threats:
a) These two are the most hyped tricks used by attackers these days, so they need no explanation. While logging in, always make a habit of typing the URL into the address bar yourself rather than following a link.
b) Always avoid accessing your blog dashboard from public computer cafes, because you never know whether a keylogger has been planted. I advise readers to use a Firefox addon called "KeyScrambler" or a program called "Zemana AntiLogger" for safety.
2. Session Hijacking Threats:
Recently you must have come across the "Firesheep" addon for Firefox; it is simple but a killer one. Through session hijacking someone may access your account without knowing your password, by capturing the session cookies as they travel over an unencrypted network.
Countermeasure:
a) Use an SSH SOCKS proxy to encrypt your sessions by setting up an SSH server and accessing it through a client. This is called an SSH tunnel. If you have Linux or Mac installed on your box it is really easy to do; Windows users can use Cygwin to set up an SSH server with the free software OpenSSH. Keep in mind that the tunnel only protects the hop from your machine to the SSH server, so it is a defence against sniffing on the local network rather than a replacement for HTTPS.
b) Always use SFTP instead of FTP, especially for your self-hosted WordPress blog.
c) Do not access your blog dashboard on public or open Wi-Fi networks like coffee shops, airports, etc.
d) Copy define('FORCE_SSL_ADMIN', true); into the wp-config.php file (for WordPress only). This forces the dashboard and login pages to be served over HTTPS and issues the admin login cookie with the Secure flag, so it is never sent in the clear; it requires the site to actually have HTTPS set up.
e) You can also use the WordPress secret key option in wp-config.php (for WordPress only): the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY constants and their matching SALT values, which should be long random strings so that login cookies cannot be forged.
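The point of tips (a) to (d) above is that a session cookie handed out without the Secure flag travels over plain HTTP and can be copied off an open network. The following is an added example, not code from the original post, that audits Set-Cookie headers for the Secure and HttpOnly flags. The header values are constructed: the cookie names follow WordPress's real wordpress_logged_in_ and wordpress_sec_ prefixes, but the hash suffix, user and timestamps are made up.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (assumed values) modelled on the cookies
# WordPress issues at login. The first list is what a site served over plain
# HTTP hands out; the second is what a site that forces HTTPS for the admin
# area (FORCE_SSL_ADMIN) hands out.
PLAIN_HTTP_COOKIES = [
    "wordpress_logged_in_abc123=admin%7C1700000000%7Cdeadbeef; path=/; HttpOnly",
    "wordpress_abc123=admin%7C1700000000%7Cdeadbeef; path=/wp-admin; HttpOnly",
]
HTTPS_ADMIN_COOKIES = [
    "wordpress_logged_in_abc123=admin%7C1700000000%7Cdeadbeef; path=/; Secure; HttpOnly",
    "wordpress_sec_abc123=admin%7C1700000000%7Cdeadbeef; path=/wp-admin; Secure; HttpOnly",
]


def audit_set_cookie(headers):
    """Return {cookie_name: [problems]} for a list of Set-Cookie header values.

    A cookie without the Secure flag is also sent over plain HTTP, so anyone
    sniffing the same Wi-Fi can copy it and reuse the session; without
    HttpOnly, script injected into a page can read it.
    """
    findings = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure flag")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly flag")
            findings[name] = problems
    return findings


def sniffable_cookies(headers):
    """Names of cookies that would be exposed on an unencrypted network."""
    return sorted(name for name, problems in audit_set_cookie(headers).items()
                  if "missing Secure flag" in problems)


if __name__ == "__main__":
    for label, headers in (("plain HTTP", PLAIN_HTTP_COOKIES),
                           ("HTTPS admin", HTTPS_ADMIN_COOKIES)):
        print(label, audit_set_cookie(headers), "exposed:", sniffable_cookies(headers))
```

On a real site you would feed in the Set-Cookie headers from your own login response (for example from your browser's developer tools) and expect the second result: every login cookie carrying both flags.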
3. Backup
Always keep a backup of the blog posts and the database, because you never know when someone may break into your account and delete all your posts.
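As an added example of what such a backup looks like for a self-hosted WordPress blog (this is not code from the original post), the script below bundles the WordPress tree and a database dump into one archive and records its SHA-256 so a restore can be checked before it is trusted. The mysqldump invocation reads credentials from a defaults file at an assumed path so the password never appears in the process list; the blog tree in demo() is a constructed miniature, and the database dump there is a stand-in file rather than real mysqldump output.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directories under wp-content that WordPress regenerates; not worth keeping.
SKIP_DIRS = {"cache", "upgrade"}


def mysqldump_command(db_name, defaults_file):
    """Build the mysqldump command for the blog's database.

    Credentials come from the defaults file (assumed path, e.g. a [client]
    section with user and password) via --defaults-extra-file, so they never
    show up in `ps` output or shell history.
    """
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--single-transaction", db_name]


def _skip(tarinfo):
    # Drop regenerable directories and everything inside them.
    parts = Path(tarinfo.name).parts
    return None if any(p in SKIP_DIRS for p in parts) else tarinfo


def archive_site(wp_root, db_dump, dest_dir):
    """Bundle the WordPress tree plus a database dump into one tarball and
    write its SHA-256 beside it. Returns (archive_path, digest)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = Path(dest_dir) / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(wp_root), arcname="site", filter=_skip)
        if db_dump is not None:
            tar.add(str(db_dump), arcname="database.sql")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    archive.with_name(archive.name + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_archive(archive, expected_digest):
    """True if the archive on disk still matches the recorded digest."""
    return hashlib.sha256(Path(archive).read_bytes()).hexdigest() == expected_digest


def archive_members(archive):
    with tarfile.open(str(archive), "r:gz") as tar:
        return sorted(member.name for member in tar.getmembers())


def demo():
    """Constructed miniature blog tree; returns what a backup job would log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "cache").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'blog');\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (root / "wp-content" / "cache" / "page.html").write_text("cached copy")
        dump = Path(tmp) / "blog.sql"
        dump.write_text("-- constructed stand-in for mysqldump output\n")
        archive, digest = archive_site(root, dump, tmp)
        return {"verified": verify_archive(archive, digest),
                "members": archive_members(archive)}


if __name__ == "__main__":
    print(" ".join(mysqldump_command("blog", "/etc/wp-backup.cnf")))
    print(demo())
```

Keep the archive somewhere the web server account cannot write to, and off the server entirely if you can; a backup that sits next to the site is deleted together with it.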
4. Strong Password
It is advisable to change the password of the account at least 2-3 times a month. The password should be at least 10 characters long and must combine special characters (#, @, etc.), numbers (1, 2, 3, etc.) and letters so that it is hard to guess.
5. Update and hide the version (for WordPress only)
a) Always use an updated version of WordPress, because attackers may exploit a known vulnerability of an old version and get access to your blog.
b) Also do not forget to hide the version number shown between the <head></head> tags of the page source. You can do this by simply adding remove_action('wp_head', 'wp_generator'); to the functions.php file of your theme. Note that this only removes the generator meta tag; hiding the version is no substitute for updating.
6. Restrict indexing by search engines (for WordPress only)
a) You can tell search engines not to index certain files and folders so that they do not turn up for attackers searching with dorks. Add "Disallow: /wp-[desired folder]/" lines to the robots.txt file in the root of the site, for example "Disallow: /wp-admin/" or "Disallow: /wp-login.php". Keep in mind that robots.txt is only a request to well-behaved crawlers and is itself public: it keeps the paths out of search results but does not stop anyone from requesting them directly, so combine it with the access controls in tip 7.
b) Never put the login page link in the footer of the blog as many bloggers do. This makes the attacker's work easy. For more details read (http://www.askapache.com/seo/updated-robotstxt-for-wordpress.html).
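To check that a robots.txt actually says what you intend before uploading it, here is an added example (not from the original post) that loads a constructed robots.txt modelled on the advice above and evaluates a list of sensitive and public paths against it with Python's standard urllib.robotparser. The origin https://blog.example and the sample paths are placeholders; the Allow line for admin-ajax.php comes first because the parser applies the first matching rule for a path, and that file is fetched by the public site.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt (assumed content) following the page's advice.
ROBOTS_TXT = """\
User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-login.php
Disallow: /wp-content/plugins/
"""

SITE = "https://blog.example"  # placeholder origin, used only to build URLs

# Paths that should stay out of search results versus paths the blog needs
# crawled (all constructed; the plugin folder name is made up).
SENSITIVE_PATHS = ["/wp-admin/", "/wp-admin/install.php", "/wp-login.php",
                   "/wp-includes/js/", "/wp-content/plugins/some-plugin/readme.txt"]
PUBLIC_PATHS = ["/", "/2011/05/some-post/", "/wp-content/uploads/photo.jpg",
                "/wp-admin/admin-ajax.php"]


def load_robots(text):
    """Parse robots.txt text without fetching it from a server."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawl_allowed(rp, path, agent="*"):
    return rp.can_fetch(agent, SITE + path)


def audit_paths(text, paths):
    """Map each path to True (crawlable) or False (disallowed)."""
    rp = load_robots(text)
    return {path: crawl_allowed(rp, path) for path in paths}


def robots_ok(text):
    """True only if every sensitive path is disallowed and every public one allowed."""
    result = audit_paths(text, SENSITIVE_PATHS + PUBLIC_PATHS)
    return (not any(result[p] for p in SENSITIVE_PATHS)
            and all(result[p] for p in PUBLIC_PATHS))


if __name__ == "__main__":
    for path, allowed in audit_paths(ROBOTS_TXT, SENSITIVE_PATHS + PUBLIC_PATHS).items():
        print(f"{'crawlable ' if allowed else 'disallowed'} {path}")
    print("robots.txt acceptable:", robots_ok(ROBOTS_TXT))
```

The last check in the test, a robots.txt with an empty Disallow line, shows the failure mode to watch for: an empty rule means "allow everything", so a stray edit silently exposes every path to indexing.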
7. Security for the wp-admin folder, wp-content folder and wp-config.php using .htaccess files (for WordPress only)
a) wp-admin folder:
-This is one of the most important folders, so you need to harden it well.
Create a text file named .htaccess inside wp-admin and copy the code below into it, replacing the addresses with your own static IP addresses (Apache 2.2 syntax; comments in .htaccess must sit on their own lines, not after a directive):
# Only these addresses may reach the dashboard (replace with your static IPs)
Order Deny,Allow
Allow from 192.168.78.1
Allow from 192.168.78.3
Deny from all
Note that admin-ajax.php also lives in wp-admin, so plugins and themes that call it from the public pages will stop working for visitors outside the allowed addresses.
-If you have a dynamic IP address, you can instead protect the folder with a username and password using this guide (http://www.askapache.com/wordpress/htaccess-password-protect.html); this applies if you are on Apache. Check this out for more details (http://httpd.apache.org/docs/2.0/howto/auth.html).
b) wp-content folder:
-This folder mainly contains images, themes and plugins, so little is lost by restricting it, which can be done with the code below in a .htaccess file inside the folder. It blocks every file except images, scripts and stylesheets; if a plugin or theme serves one of its PHP files directly from wp-content, that feature will stop working.
Order Allow,Deny
Deny from all
<Files ~ "\.(jpg|gif|png|js|css)$">
Allow from all
</Files>
c) wp-config.php: This file is also very important as it holds the database credentials. Add the following to the .htaccess file in the root folder:
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
It is also advisable to stop visitors from browsing folder contents such as plugins; do this by adding "Options -Indexes" to the .htaccess file in the root folder. (Do not write "Options All -Indexes": mixing prefixed and unprefixed options is not valid Apache syntax.)
8. I would like to point out that if you are using a Gmail ID for your Blogger account, then do not share it with any of your friends, put it on the contact page of your blog, or use it in the "from:" email field in FeedBurner, etc. That way, even if your public secondary email ID is hacked, you will not lose your blog.