Getting hacked is one of the worst things that can happen to a blog or website owner.
It can destroy weeks or months of work, cause large amounts of personal stress and even affect your revenue streams.
Sadly, getting hacked is one of the realities of online business.
In today’s episode I am going to go over 15 tips that will hopefully help you become more prepared. It’s my sincere hope that some of this information might be a catalyst for keeping you and your blog safe.
View the episode in iTunes here or if you like you can download it to your computer here and listen later.
What’s in this episode?
Here are a few of the things mentioned in this episode, as well as links to some useful relevant material.
- Distribute.IT is the company that experienced the terrible hacking incident here in Australia. Here is a summary of the incident and a breakdown of how it went down, and here is a news article about the 4800 websites that were lost. Fascinating (and very sad) story.
- Here’s a review of a VPN that I use in order to be a little bit more safe online.
- Security plugins and services for WordPress include BulletProof Security, Limit Login Attempts, Wordfence and Sucuri.
- I recommend David Steven-Jennings if you’d like to get a security audit done on your blog and/or blog servers.
- Sign up to Google Webmaster Tools if you haven’t already as they offer some good monitoring for SEO and security.
- Here’s some good information about WordPress backups and how to get a grip on it all.
- A good summary of password managers that can help you use complicated passwords, simply.
- Protection for your personal computer here and here.
Do you have any extra tips?
I’d love to know any other tips you might have in terms of security or managing a bad event. Please leave a comment below as it might really help someone who reads it.
© Top photo: Valeriy Kachaev.
Good topic to tackle and very important for anyone that has taken the time and effort to create a blog – it’s amazing how quickly they can simply vanish!
My tip is to be careful of the ‘free’ plugins you use and to make sure you update them regularly.
Unfortunately I learnt the hard way and lost hundreds of hours of work!
Keep up the great work Rams
Yeah that’s a big one. There’s a lot of not so great plugins out there.
Great article.
What about 2 factor authentication?
Yep, I talked about that in the podcast. Very good idea.
Thank you so much for these reminders, Ramsay.
We’re never prudent enough. That’s why I have checked my blog as soon as I’ve received your clear counsels.
I’m a user of Wordfence and UpdraftPlus and I like them.
I think I’m going to give a try to BulletProof Security today.
I’m still cautious about Limit Login Attempts because I live most of the year in Africa and I don’t want to be blocked myself one day. Is there any risk?
Keep up your good work, even for the French fan that I am.
Yep, there is a chance you’ll lock yourself out for sure.
Also, not sure you need BPS and Wordfence. Might create a conflict.
Thank you for your quick answer 😉
The Distribute.IT story reminds me of an incident at a company I worked for in South Africa. A disgruntled ex-employee from one of our clients got into their servers because his accounts weren’t deactivated (including his company VPN account). Caused havoc for them as he created a ‘backup’ account for the VPN and servers that looked very similar to a system account so it took a while to be found.
Also, ‘DDOS’ stands for *Distributed* Denial of Service :p
What did I say? I meant to say that. lol
“Deliberate” 🙂 I still think it’s an accurate description though as 99% of the time it’s deliberate.
Hey Ramsay!! As for the plugin Wordfence you mentioned, it’s a nice state of the art plugin, but I was forced to uninstall it because it was sucking my blog’s memory on my shared hosting account.
Any other feasible and lighter option you know to protect my blog?
That’s really interesting. BPS is really lightweight as far as I know, but takes some time to get set up.
Any security plugin requires some good knowledge and takes some time to set up. And it’s normal to be this way because the last thing you want is to block yourself.
Hi Ramsay,
That’s another great piece for us to consume, but you see, VPN is expensive, and it’s not 100% as you rightly mentioned (VPN Review).
I believe in combination of WordPress security plugins with all other measures to fortify our site’s walls.
Well, they all won’t definitely be 100%. Maybe that’s why this post is made available.
I’ve tried most of the measures outlined. What’s left right now is to try David and VPN.
Thanks for the guide.
Francis
Strong VPN is around $9 for three months I think. Good investment.
Hi Ramsay,
Thanks for covering this topic. It has me so confused- sorry for this long response but perhaps you can help.
I use Limit Login Attempts, and at least once every day I get locked out of my own site.
It says too many failed attempts, yet it happens when I’m already logged in! So does that mean someone somewhere knows my IP address and is using that when trying to guess my passwords?
And then inevitably logs me out of my own account?
The LLA log shows loads of attempts every day from random IP addresses trying to guess the username and/or password. I am too afraid to uninstall the LLA plugin though.
I also use Sucuri (because I got flagged as a malware site once about 9 months ago and it took them a week to fix it).
Every day I get notifications from Sucuri saying “your site is under Bruteforce attack”. And it lists loads of IP addresses and timestamps that are attempting to log in every few seconds (it must be automated).
Is this normal, does it happen to your site?
The Sucuri notification doesn’t actually tell me to do anything or make any recommendations. Unsure whether I should be worried.
Thanks!
Hey mate.
My site gets something like 40,000 hack attempts a month. LLA does do a lot of lockouts but you shouldn’t be getting locked out yourself.
What host are you on? A brute force attack should be handled by your host pretty quickly as it will start to affect them as well. I’d get in touch with support ASAP and fill them in.
Okay so hack attempts are “normal”.
Yeah very confused about lockouts considering it locks out IP addresses.
I’m with HostGator.
Thanks for your response.
Thanks for the reminder of how important security is for a blog.
Thanks.
Very helpful. Thank you, Ramsay
A lot of bloggers or even website owners take these security measures for granted.
Hi Ramsay, it’s a great post you have here. I benefited a lot. Thank you
Hi Ramsay,
Are you using any kind of security on your own blog? I own a blog but it is very small at this time and I am not much worried but when it grows to a good level, I am sure I would want to have it secured. Thanks for this great info.
Hi Ramsay,
First time on Blog Tyrant and welcomed with a stuffy podcast.
Btw, I got a genuine idea from your podcast for my next blog post.
Thanks buddy
Hi Ramsay, your post helped me a lot, thanks
Hey – do you make transcripts of your podcasts available? I tend to be a better reader than listener. Not a big deal if not. 🙂
Luckily I learned my lesson of a really poor password AND poor username after I stopped blogging on my first blog attempt. The thing got hacked a few months after it was dead.
Back-ups and plugin updates are so, so, so important!
Hello Ramsay..
Really nice security tips you got here.
Instead of hiding the WordPress version of your site a better solution is to simply keep your site updated.
Thanks for this post Ramsay. I have a blog set up with Managed WP w/GoDaddy. I hope they have my back with some of the things you’ve talked about. I’m thinking of starting a second website and thought I’d stop by to see what you have to say. I appreciate the reminder not to use free internet at Starbucks etc. and to have more secure passwords.
Great post, very informative, thank you, and try to improve the conversation level…
Really, thanks for this post Ramsay.
Very nice post Ramsay. In my view one can use Limit Login Attempts with a login captcha to get tight security for a website.
Hi Ramsay,
Thanks for the security tips. What are your thoughts on setting your blog up yourself versus having a web developer company do it for you? I don’t know if this could possibly run into a security issue. I have all of the tools to start my blog myself using Bluehost, but I have recently found a company named Varisage. They are willing to start my blog (everything from hosting, email subscriptions, web design, etc.) to where all I would have to worry about is my content. They already work with several very successful bloggers that I look up to and who are blogging full time which is my goal. I guess I thought my blog success would be more secure if signing with this company because they would help with my branding. Is this common and a good idea?
It’s crazy how frequently our sites are getting attacked every day and we don’t even know it. I installed the iThemes Security plugin, and within minutes my logs were full of failed login attempts. Holy crap! Without the plugin, I’d have (and I had) no idea that was happening on a daily basis. I can’t even begin to imagine what bigger sites like Facebook and Amazon must go through in terms of hacking attempts.