Author and ethical marketing consultant Lynn Serafinn shares 8 essential strategies for keeping hackers off your blog and minimising damage if they do break in.
Throughout this 4-part article series ‘Invasion of the Blog Snatchers’, we’ve been looking at the cyber-crime of blog SPAM. We looked at how to recognise SPAM (Part 1), the ‘mythology’ behind spammers’ thinking (Part 2) and how to take assertive action against blog spammers (Part 3).
If you missed these 3 articles, I recommend giving them a read before moving on to today’s article, where we’re going to look at how to protect your blog from the most aggressive and disruptive kind of cyber-invader:
What is a Hacker?
While the term ‘hacker’ can sometimes refer to a skilful computer programmer, these days the term more frequently refers to someone who breaks into computer systems or networks to gain unauthorized access to data on someone else’s website. Every now and then, a major hack spreads around the web, invading many thousands of websites. This often happens when a hacker has cracked the security on a particular version of WordPress, WordPress plug-in or WordPress theme.
How Do Hackers Get Into Your Site?
Hackers get into our sites by attempting to log in, often without our even realising it. They use automated software to crack user names and passwords, often attempting to log in thousands of times before finally gaining entry.
I’ve had two different sites hacked over the past 5 years, and let me tell you, it isn’t fun. On one of my sites, the hackers had installed over 65,000 blog posts of SPAM, all set to be published over the coming weeks. Of course, this would mean all my readers and all my social networks would receive these articles (about sex toys, fake designer handbags and virility drugs), thinking they were from me. Although they would probably have figured out these articles were not from me, if I hadn’t caught it when I did, I might have lost hundreds (or even thousands) of subscribers.
On the other site that was hacked, the hackers had rigged it so my site brought up a bogus page, with animations and very loud techno music, saying ‘This site has been hacked by Nando of Indonesia.’ It was sort of like a high-tech form of graffiti.
Getting hacked is a pain in the proverbial backside. It wastes an enormous amount of time getting your site back online. It can also cost you a lot of money in lost sales and/or paying your webmaster to fix things for you.
The best way to deal with hackers is to PREVENT them from getting into your site in the first place. So today, I’m going to share 8 essential strategies that can help protect your blog from being invaded by hackers, or minimise the damage if your site does happen to get hacked.
NOTE: For these to work effectively, I suggest following strategies 1-7 religiously, with #8 being an additional ‘push’ to help put an end to hackers.
Anti-Hacker Strategy 1: Choose a COMPLEX User Name
LOTS of people use either ‘admin’ or their real name for their login. Hackers will always try to log in first using ‘admin’, so if you can think up a more complex alter-ego for yourself, you’ve already made it that much more difficult for them to break into your site.
It’s important to remember that once you create a user name in WordPress, you cannot change it. But there is a way to get around this, if you happen to have ‘admin’ as your user name. Here’s how:
- Log into your WordPress site as ‘admin’.
- Go to ‘Users’ and find your admin user account. Click your user name to open your profile.
- In your user profile, CHANGE your email address to a secondary email address you have (such as a Gmail account) and save the changes by clicking ‘Update Profile’.
- Click on ‘Users > Add New’
- Create another user with a COMPLEX user name.
- Use the email address you originally used for your ‘admin’ account.
- You CAN enter your ‘real name’ where it asks for this information (see screenshot below)
- Create a COMPLEX password for this new user (see next strategy for more info on creating passwords). Check ‘send this password to user’.
- Set this new user’s role to ‘Administrator’.
- Click ‘Add New User’ to complete the task.
- Once the new profile is made, log OUT as ‘admin’ and log back IN using your NEW user name and password.
- Click on ‘Users’ and then look at ‘Administrator’. Make sure both ‘admin’ and your new user are listed as administrators.
- Click on ‘admin’ to open its profile.
- CHANGE the role of ‘admin’ from ‘administrator’ to ‘author’ and click ‘update changes’.
- Go back to ‘Users’ and find ‘admin’ listed under ‘authors’.
- Underneath the name ‘admin’, click ‘delete’.
- A new window will open up, asking you which user you want to attribute the past posts published by ‘admin’. Choose your new user name and click ‘confirm deletion’.
- Once this has been done, you should see ALL the posts originally assigned to ‘admin’ being associated with your new user name. Double check on your site to be sure the posts publicly list your REAL name and NOT your user name. If they don’t, you can fix this easily in your profile area.
Anti-Hacker Strategy 2: Use a COMPLEX Password
In this era where we seem to have a password for everything, it’s easy to get ‘lazy’ with them. My experience has been that most people make up passwords that are a combination of a real word plus a few numbers after them, e.g.: Beauty2012 or MyBusinessName123. You might think this password is ‘complex’ because it contains uppercase and lowercase letters and some numbers. But it really isn’t complex at all. Whole words (or words that are part of your name or business name) are easy to crack. A simple number sequence or date is also an easy crack.
A truly COMPLEX password is not comprised of real words or number sequences. It also should contain some symbols, e.g.: ! ” ? $ % ^ & ). Here’s an example of a complex password (and no, it’s NOT the password to this website!):
If you’re thinking such a password is hard for you to remember…well…yes, that’s the point. If it’s hard to remember, it’s also hard for hackers to guess. SAVE your passwords somewhere safe (print them out if you need to). If you need some sort of way to remember them, make up a password using a mnemonic device known only to you. For example, use the first letters of each word of your favourite song, and mix it up with characters. Use <3 instead of the word ‘love’. Use ‘2’ instead of the word ‘to’.
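The weaknesses described in this strategy can be checked mechanically. The following is an added example, not part of the original article: `audit_password`, the tiny word list and the third sample password are constructed for illustration, and a real check would use a full dictionary plus your own name and business name.

```python
import re
import string

def audit_password(password, known_words):
    """Return the weaknesses this article describes that `password` shows.

    known_words: lower-case dictionary words plus words from your own
    name or business name (a constructed, tiny list in this example).
    """
    findings = []
    lowered = password.lower()

    # 'A real word plus a few numbers after them', e.g. Beauty2012.
    if re.fullmatch(r"[A-Za-z]+\d+", password):
        findings.append("letters followed only by digits")

    # Whole words, or words taken from a name or business name.
    hits = sorted(w for w in known_words if len(w) >= 4 and w in lowered)
    if hits:
        findings.append("contains word(s): " + ", ".join(hits))

    # 'A simple number sequence or date': runs like 123, or a year.
    for run in re.findall(r"\d{3,}", password):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}, {0}):
            findings.append("number sequence: " + run)
        elif len(run) == 4 and 1900 <= int(run) <= 2099:
            findings.append("looks like a year: " + run)

    # The article asks for some symbols as well.
    if not any(ch in string.punctuation for ch in password):
        findings.append("no symbols")
    return findings

# Constructed word list; the first two samples are the article's own
# examples, the third is a constructed random-looking string.
WORDS = {"beauty", "business", "name", "love"}
SAMPLES = ["Beauty2012", "MyBusinessName123", "t7#Qv!m2&Zp9$"]

def audit_samples():
    return {pw: audit_password(pw, WORDS) for pw in SAMPLES}

if __name__ == "__main__":
    for pw, findings in audit_samples().items():
        print(pw, "->", findings or "no findings")
```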
Anti-Hacker Strategy 3: CHANGE your password regularly
I strongly recommend changing your log in password once a month. It might seem like a big hassle, but if you make it a habit, you won’t forget. It only takes a few minutes and it could save you days of damage control.
Anti-Hacker Strategy 4: UPDATE Your Software Regularly
Most hacks come through breaks in security in out-of-date software. Set aside some time every week to make sure your site has the most up-to-date version of WordPress, themes and plug-ins installed.
CAVEAT: Always BACK UP your site and files (see below) before doing any major upgrading. Also, never update all your plug-ins in one go; do them one at a time instead. This is because updated plug-ins can sometimes create conflicts on your site (even causing your site to disappear!). If you do them all at once, you have no way of knowing which one is creating the problem. Be sure you have access to your site’s FTP so you can DELETE the folder of an offending plug-in if conflicts arise.
Anti-Hacker Strategy 5: BACK UP Your Site Regularly
Be SURE you are backing up your database and files on a regular basis, either manually or using an automated plug-in. How frequently this should be is dependent upon how often you publish or make other changes on your site. Some bloggers back up daily, but if you are a typical blogger posting once or twice a week, backing up once a week should be adequate in most instances.
There are several automated back-up plug-ins you can use in WordPress. Some trusted names include ‘BackWPup’ and ‘Backup’. It’s always best to check on WordPress.org for the latest version, compatibility issues and user reviews.
Anti-Hacker Strategy 6: WordPress Users: Use ‘Limit Login Attempts’ plug-in
I think ‘Limit Login Attempts’ is one of the MOST important and useful plug-ins for any WordPress user. Here’s how it works:
- It enables you to block out people who try to access the site without a valid user ID and password.
- If someone tries to log in 4 times without a valid user ID and password, they will get temporarily blocked from logging into your site. You can set the amount of time for this temporary block out (the default is 20 minutes, but you can increase this).
- After the block out time, they can try to log in again. If they persist and get 4 block-outs (16 bad log-in attempts), they will be blocked from logging in for a longer period of time (for example, 24 hours).
- At this point, if someone has been blocked out 4 times due to 16 bad log in attempts, you will receive an email notification with the user’s IP address.
- This enables you to take action, which I will explain in strategies #7 and #8.
When I first installed this plug-in, I was getting notice of about 4 different attempted hacks every day. After about a week of using it (and following my assertive strategies #7 and #8 below), I had only about 1 hacker attempt per week. Now it is rare for me to receive these warnings at all. Fingers crossed that will continue. I hope this means my strategies are sending the word out to hackers that they shouldn’t bother trying to invade my sites. Hopefully, I’ve been put on their ‘blacklist’ as someone who takes action against hackers.
NOTE: Don’t worry about legitimate users on your site getting accidentally blocked out. Most sensible people know to click the link that says ‘I forgot my password’ rather than continually try to log in without the correct password. Also, the plug-in will warn them that they have only X number of attempts left before being blocked out.
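To see how much the block-outs described in this strategy slow down automated guessing, here is a simplified model of that behaviour. It is an added example, not the plug-in's own code: the class and function names, the IP address and the one-guess-per-minute traffic are constructed, and the thresholds are the ones quoted above.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds as stated in this article; a simplified model only.
RETRIES = 4                             # bad log-ins before a temporary block
SHORT_BLOCK = timedelta(minutes=20)     # default temporary block
LOCKOUTS_BEFORE_LONG = 4                # 4 block-outs = 16 bad attempts
LONG_BLOCK = timedelta(hours=24)        # example longer block

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    locked_until: Optional[datetime] = None

class LoginLimiter:
    def __init__(self):
        self.ips = {}
        self.notifications = []         # what the site owner would be e-mailed

    def failed_login(self, ip, user, when):
        """Record one bad log-in and return what happened to it."""
        s = self.ips.setdefault(ip, IpState())
        if s.locked_until and when < s.locked_until:
            return "rejected"           # blocked: the guess is never checked
        s.failures += 1
        if s.failures < RETRIES:
            return "counted"
        s.failures = 0
        s.lockouts += 1
        if s.lockouts < LOCKOUTS_BEFORE_LONG:
            s.locked_until = when + SHORT_BLOCK
            return "short_block"
        s.lockouts = 0
        s.locked_until = when + LONG_BLOCK
        self.notifications.append({
            "ip": ip, "time": when.isoformat(), "last_user": user,
            "failed": RETRIES * LOCKOUTS_BEFORE_LONG})
        return "long_block"

def simulate(minutes=120):
    """Constructed input: one automated guess per minute from a single IP."""
    limiter, start = LoginLimiter(), datetime(2013, 5, 21, tzinfo=timezone.utc)
    outcomes = Counter(
        limiter.failed_login("203.0.113.7", "admin", start + timedelta(minutes=m))
        for m in range(minutes + 1))
    return outcomes, limiter.notifications

if __name__ == "__main__":
    print(simulate())
```

Of the 121 guesses sent in two hours, only 16 are ever checked against a password; the rest arrive during a block-out, and the notification carries the IP address, time and last user name needed for strategies #7 and #8.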
Anti-Hacker Strategy 7: Block IP Addresses in ‘IP Deny Manager’
Whenever you receive a notification of a block out from ‘Limit Login Attempts’, add their IP address to ‘IP Deny Manager’ in your cPanel, as I explained in detail in Part 3 of this article series.
Entering an IP address in IP Deny Manager prevents anyone from that IP address from EVER getting back onto your site. THIS IS A MUST-DO part of the prevention process. If you don’t know how to do this, read ‘Step 3’ in ‘Invasion of the Blog Snatchers Part 3 – Assertive Action Against Spammers’.
Anti-Hacker Strategy 8: Report Malicious Log in Attempts to Internet Service Providers
If you get a report from ‘Limit Login Attempts’ that someone has been blocked out after 16 failed log in attempts, you can BET this person is a hacker. Even if you don’t bother reporting spammers to their ISP, please DO report any suspected hackers.
I explained how to do this in ‘Step 5’ of ‘Invasion of the Blog Snatchers Part 3 – Assertive Action Against Spammers’. In that article, I showed you how to find out the Internet Service Provider (ISP) of specific IP addresses using ‘Who Is’ (http://whois.com), along with the email address for reporting abuse.
The report you receive from ‘Limit Login Attempts’ provides you with several pieces of information you will need if you are to report the abuse:
- The abuser’s IP address
- The date
- The time (including time zone)
- The ‘last user attempted’, which is the name they used when trying to log in
To make it easy for you, here’s a sample email template you can send to the ISP:
SUBJECT: Possible malicious log in attempt IP [insert IP address of suspected hacker]
I would like to report abuse originating from your user at IP: [insert IP address of suspected hacker]
We received a report on [date] at [time, including time zone] that this user has had 16 failed login attempts (4 lockout(s)) on our site at [insert your website’s URL]. Their last attempted login used the user name: [insert user name they attempted to log in with].
This user is now permanently blocked from accessing our site.
I would appreciate it if you could follow this up, as this seems to be a malicious hacker attempt.
Support team at [insert your business name]
I am committed to fostering a more ethical marketing world, especially on the Internet. Sadly, there will always be unethical people in the world. There will always be people who want to ‘invade’ our space, even if their effort brings very little return. And while cyber-laws and higher security systems are very helpful, I believe the biggest deterrent to unethical behaviour is ETHICAL behaviour.
I believe, if we ALL make a concerted and conscious practice of being vigilant against spammers and hackers, we can rid the Cyberverse of the Deadly Sin of Invasion. But to make an effective statement, we have to do this en masse rather than as individuals. Don’t be passive when invaders strike. Keep blocking and reporting them, and eventually they’ll get so tired of getting nowhere, they’ll stop.
Heck, maybe a few of them will even grow a conscience.
And then, let’s focus on creating legitimate ways to support and cross-promote each other’s businesses through our blogs and social media, with the hope of inspiring former cyber-criminals to change their strategies and opt for more positive and ethical ways of getting noticed.
I hope you found this article series to be useful. Please let me know what you found helpful (or not) by leaving a (non-spammy) comment below.
And then, please do subscribe to this blog so we can continue this dialogue, and make the world a more ‘Inviting’ place to work, play and do marketing.
21st May 2013
LYNN SERAFINN, MAED, CPCC is a certified, award-winning coach, teacher, marketer, social media expert, radio host, speaker and author of the number one bestseller The 7 Graces of Marketing — How to Heal Humanity and the Planet by Changing the Way We Sell and Tweep-e-licious! 158 Twitter Tips & Strategies for Writers, Social Entrepreneurs & Changemakers Who Want to Market their Business Ethically. She is listed in the Top 20 of the Top Marketing Authors on Twitter by Social Media Magazine and was a finalist for the prestigious Brit Writers Awards. She also received the eLit Book Awards Silver Medal in Humanitarian and Ecological Social Affairs, as well as the Bronze Medal in Business and Sales.
Lynn’s eclectic approach to marketing incorporates her vast professional experience in the music industry and the educational sector along with more than two decades of study and practice of the spirituality of India. Her innovative marketing campaigns have produced a long list of bestselling non-fiction authors through her company Spirit Authors. Lynn is also the Founder of the 7 Graces Project CIC, a not-for-profit social enterprise created to train, support, mentor and inspire independent business owners to market their business ethically, serve society and planet, and restore all that is best about humanity.