Whether you’re just starting your blogging career or have been doing this for a while, there’s no doubt blog security is important to you. Having your website snatched away, lost, or defaced, or your membership lists stolen, can impact you financially and emotionally. Read on to make sure you’re following some basic security practices on your site to keep that from happening.
WordPress
Most blogs today use some form of WordPress. It’s easy and has matured to be a very flexible system. I still remember using a program called HotDog to code HTML. You pressed a button to select a kind of format you wanted, bold, italics, colored font, and the HTML would plop down on the page like a sort of crazy looking word processor. It was a great way to learn some HTML.
WordPress has made life so much easier and prettier! The themes and the plugins are all so amazing and fast to set up. This also means there are more security-related issues. Those plugins, like your phone apps, are constantly being updated. WordPress itself has new versions. The theme you picked to format your site just had a new version come out. Who’s taking care of all these updates?
There are a few ways you can tackle this.
Third-party
You’re busy with other blog activities and you want to hire this out. A company should make you feel good about their security skills in this realm though. Ask them how they practice security, beyond a marketing answer. Do they have someone in charge of security? How often do they check for updates? Have they ever been hacked before? Do they invest in security training for their employees?
Automatic
This is exactly how it sounds. It means you set most everything to update on its own. This has its good and bad sides. Updating a plugin sometimes breaks the site and the plugin has to be backed out. On the other hand, you are kept on the latest version and avoid the older security holes that others get caught with.
Manual/Yourself
It’s the most time-intensive. Automatic can be a risk because an update can break the site. Manual lets you choose when to apply an update that might break the site and roll it back if it does. Manual also saves the most money. Sure, this is arguable depending on whether you know what you’re doing if your site does get hacked, and if you have to pay for the cost of getting it working again. But if you’re tech-savvy, you can log in to check when plugins need an update and DIY! If you don’t want to log in once a week/month to check, using a plugin like Wordfence helps keep you aware when you’re missing the new version. What is Wordfence?
Wordfence
I’ve been using Wordfence for years. They have a free model or a pay version for greater features, and the free version is worthwhile if that’s all you are up for initially. It sets up a simple front line of defense against computers that are seen as attacking other computers. Like your body’s outer defenses of an immune system, this creates an outer shell to lessen the attacker’s way in. Wordfence has a second free feature that’s a huge benefit. It will monitor your WordPress, theme, and plugins for version updates. If any fall out of line with the latest available, you’ll get alerted via email. I can’t recommend this enough to get a baseline of security going on your site.
Two-Factor Authentication
You’ve probably heard of this, and if you don’t recognize the name, I guarantee you’ve used it for accessing different services online.
The username and password are the bane of people’s existence. But they aren’t enough anymore. If this is all you are using to get into your blog, you will be hacked. I’m not saying you could be hacked or that you’re at a higher risk of getting hacked. You will be hacked.
Using two-factor will greatly reduce your risk. The important question is what kind to use. I’ll do another post on evaluating the types in detail for those interested. For this post, I’ll say turn on whatever you can for your blog logon. If it texts you, emails you, or links to an app like Google’s or Microsoft’s Authenticator, anything is better than a flat username and password.
Email Security
Why secure your email? Because your logins to other systems commonly depend on a reset link sent to your email. If an attacker can get access to your email, that’s the key to the kingdom. Make certain you’ve configured two-factor for email, and if your email provider doesn’t support it, one of the major providers out there does. Time to make a change.
Some links of interest to get this turned on:
Gmail
Yahoo
Microsoft
DNS Security
We’ve covered WordPress and email, and this next layer is just as important. DNS allows computers to find your website. Without it there’s no way followers can read your articles. The attacker that takes over your DNS can point your website elsewhere. An analogy would be the road up to your home. One day you wake up and the road has been moved to your neighbor’s home. Now all your mail, friends visiting, and pizza delivery end up at this neighbor’s instead of yours. That’s what can happen if someone takes the DNS of your site over. Know who’s managing your DNS and secure the portal to it with a strong password and two-factor authentication. I use Bluehost (disclaimer: I’m an affiliate) because they handle DNS, hosting, and have the ever-important two-factor authentication.
Backups
If your site got hacked and defaced, and all your articles were lost, what would you do? Well, a backup would allow you to quickly get the site going again. An attacker might use your site to spread malware or to funnel phishing email attacks back to your site to trick unaware visitors into giving up their email or other credentials. You could have your site shut down under the right (wrong?) circumstances. Ask your website provider what they offer for backup solutions.
Expiring domains
When you register your website, it’s for a specific period. This could be a year or a few years depending on what you selected when setting up the website. Registration is done with a specific party called a registrar. This can be the same company you’re hosting with, so don’t let the jargon bog you down too much. Three years go by, you’ve forgotten about the renewal date, and your domain expires. Shortly after, it gets bought by someone else and you can’t get it back. It happens.
Look into auto-renewal for your domain. It saves a ton of headaches and usually isn’t a big cost in the grand scheme of things.
Summary
Blog security can seem overwhelming, but I’d suggest you make a checklist and work through this over the next month. Make it manageable this way. Get help if you’re unsure what to do. Otherwise, you’re leaving your livelihood flapping in the breeze.