If you are here on Blogable then you either already have your own blog or are looking to start one. Perhaps you’ve already poured countless hours into your site, created your ideal platform for sharing your words and images, gained some followers. Now that your site is out in the world, it is important to make it as bomb-proof as possible. In this post I’m going to take you through my six steps to blog security.
The last thing you want to happen is to lose your work. At your own hand (user error) this would be hard enough, but what if someone decides that they don’t want your site up and running anymore? An internet stranger perhaps? Your competition? Or, as in my case, someone I know.
Between May and October last year I experienced a series of DDoS attacks, when someone I know decided I needed teaching a thing or two. I don’t think that my lessons were quite what he had in mind though, and my site is still up and running. To ensure it stays that way I’ve found six simple steps that are technophobe friendly. Each has been applied to my own blog to make it less vulnerable.
Before we start on the six steps to blog security, I want to make it clear that I am writing from my experiences using WordPress and certain plugins. I’m sure there are more ways to give yourself more security, particularly if you use a different platform. This is what works for me and I hope it will help you. After all, prevention is always better than cure.
Here are my six steps to blog security.
Below you will find six separate items for improving your site security. If you are familiar with some sections you can skip through the different options using the list here.
The first sign that anything was wrong with my site was when I couldn’t access it. The message “Error 508: Resource Limit reached” headed up a blank screen. Checking with my hosts and cPanel I could see that I wasn’t reaching the limits set out in my hosting agreement. There was one exception to this: a series of spikes on the bandwidth screen.
If you get this error message the first thing that needs to happen is for you to contact your hosts. It is more than likely NOT an attack on your site, but whatever the cause your hosts are in the best position to get your access up and running as soon as possible. Mine were quickly able to extend my resource limit while I worked hard, using the following techniques and plugins, to improve the security.
Jetpack is a great plugin, one that offers so many different functions. Marie has written a comprehensive guide to Jetpack here. Their website makes a bold claim that shows me I have made the right choice:
“More than 5 million WordPress sites trust Jetpack for their website security and performance.”
The free version of Jetpack allows you to link up to social media, find stats and improve the functionality of your site. In addition there are two features that support your site security. The first is brute force protection, which protects your login when bots repeatedly try to guess your password. The second is downtime monitoring. This is not an automatic feature; you have to select it. As a result of this it is a more recent addition to my usage of Jetpack. There are all sorts of reasons your site could be down, so no need to panic, but this could be a sign that your site is under attack. Had I had downtime monitoring enabled I would have known sooner that my site was not functioning when my resource limit was reached, as mentioned above. The sooner you learn that your site is down, the quicker you can get it back up and running, whatever the reason may be.
Akismet Anti Spam
I use Jetpack, and one of the automatic features of installing this plugin is Akismet anti-spam. Now, I didn’t sign up for this immediately. It seemed like just another thing to put my name to. After all, Akismet’s site said, “We all hate spam… It’s annoying…and time consuming”. It was easy to think that I could take care of that myself. However, if someone is trying hard to damage your blog, along with your site reputation with Google and other search engines, then one of the easiest ways is to flood you with spam comments and feedback. Plus, there are a lot of sites which would like to use your comments section to share malicious links. As soon as I realised this I got round to setting up my account. As a result I spend so much less time deleting spam feedback via my contact form. I do, however, slip into my spam folder every so often, where I scan through the messages. You never quite know if Akismet is going to be overzealous!
This is a plugin which has always been on my site since I moved to a self-hosted site, and it is the one I am most grateful for. Wordfence is an endpoint firewall, which basically means that it runs inside WordPress itself and stands between your blog and attackers at the last possible moment. Because it is not a separate box sitting in front of the site, attackers can’t sneak in around the outside, leak data or break the encryption to get past it. If security is what you are after, then a plugin like Wordfence is what you need. There are two features that I have found helpful for calming my worries of future attacks.
Wordfence and rate limiting
The basic firewall settings are enough to keep most problems at bay, but you can tweak the set up to give yourself more protection. You can find help on this topic on the plugin help pages, but here is a quick guide to get you started.
- In the sidebar of your WordPress dashboard select Wordfence.
- Next select the Firewall option.
- Choose rate limiting on the following page.
Using rate limiting it is possible to reduce the amount of undesirable traffic on your site. Google’s crawlers are the bots that you want to be able to traverse your site freely. There are other search engines which you can give the same permission to trawl your pages, so that they can find your work. The rest of the limits can be left as default, or tightened up to suit your specific needs.
You also have the option to throttle or block visitors that exceed your settings. If you select throttle, visitors will be slowed down (have their viewing rates limited) until their activity comes back into line with your limits. If you select block, then visitors exceeding your settings will automatically have their IP address blocked for your chosen period of time.
Here is an example of how I used rate limiting to protect my work: at the height of my troubles I chose to limit humans to 30 views per minute, and block any visitors exceeding this. As a human I struggle to click that fast, so it made sense to keep it very tight. The warning of “Very strict. May cause false positives” was spot on! Often when I tried to log in (with autofill) I would get locked out for a couple of hours. As the threat level has reduced I have changed the settings and let my guard down a little. My current settings throttle over-active viewers rather than blocking them, and allow more requests per minute. What is important is that the process to tighten things up again is straightforward, should I need to do so.
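To make the difference between throttling and blocking concrete, here is an added example (written for this page; it is not Wordfence’s code and is not from the original post) of a small per-visitor sliding-window rate limiter. The 30-per-minute limit and the two-hour lockout are the settings described above; the visitor addresses, the 35-request login burst, the 0.1-second spacing and the “crawler-a” exemption are constructed inputs. It shows why the strict “block” setting locks out a browser whose autofilled login pulls more than 30 requests in a few seconds, while “throttle” only holds back the excess and lets the same visitor carry on a couple of minutes later.

```python
from collections import Counter, defaultdict, deque

# Illustrative per-visitor rate limiter (an assumption about how such a
# limiter works, not Wordfence's implementation).
# "block":    once a visitor exceeds `limit` requests inside `window` seconds,
#             every further request is refused for `block_seconds`.
# "throttle": only the requests beyond the limit in the current window are
#             held back; the visitor is never locked out, so normal browsing
#             resumes as soon as their rate drops back under the limit.
class RateLimiter:
    def __init__(self, limit, window=60.0, policy="block",
                 block_seconds=7200.0, exempt=()):
        if policy not in ("block", "throttle"):
            raise ValueError("policy must be 'block' or 'throttle'")
        self.limit = limit
        self.window = window
        self.policy = policy
        self.block_seconds = block_seconds
        self.exempt = set(exempt)          # verified crawlers you want to let through
        self.history = defaultdict(deque)  # client -> request timestamps in window
        self.blocked_until = {}            # client -> time the lockout ends

    def check(self, client, now):
        """Record one request at time `now`; return 'allow', 'throttle' or 'block'."""
        if client in self.exempt:
            return "allow"
        if self.blocked_until.get(client, -1.0) > now:
            return "block"
        q = self.history[client]
        # Drop requests that have fallen out of the sliding window.
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        if len(q) <= self.limit:
            return "allow"
        if self.policy == "block":
            self.blocked_until[client] = now + self.block_seconds
            return "block"
        return "throttle"


def replay(limiter, events):
    """Feed (client, timestamp) pairs in order; return the decision for each one."""
    return [limiter.check(client, t) for client, t in events]


def summarize(decisions):
    """Count how many requests got each decision."""
    return dict(Counter(decisions))


# Constructed traffic: a login with browser autofill that fetches the page and
# 34 assets within 3.5 seconds, then one more page view two minutes later.
LOGIN_BURST = [("203.0.113.10", i * 0.1) for i in range(35)]
LATER_VISIT = [("203.0.113.10", 120.0)]
# Constructed crawler traffic that would trip the limit if it were not exempt.
CRAWLER = [("crawler-a", i * 0.1) for i in range(40)]

if __name__ == "__main__":
    for policy in ("block", "throttle"):
        lim = RateLimiter(limit=30, policy=policy, exempt={"crawler-a"})
        print(policy, summarize(replay(lim, LOGIN_BURST + LATER_VISIT)))
        print(policy, "crawler:", summarize(replay(lim, CRAWLER)))
```

With the 30-per-minute limit, “block” refuses the last five requests of the burst and still refuses the visit two minutes later (the lockout runs for two hours), whereas “throttle” holds back the same five requests and then allows the later visit once the window has emptied. The exemption list stands in for the crawler allowance in the Wordfence settings; note that a crawler should be identified by something stronger than its self-reported User-Agent string, which any visitor can set.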
Wordfence and live traffic
Using Wordfence you can also monitor your live traffic. Access your WordPress dashboard again, select Wordfence and then Tools. This will bring up your live traffic page. The new default setting is “Security Only”, which will show you login attempts, certain blocks and successful logins. This also uses less bandwidth, so it puts less strain on your hosts and server than choosing to view all traffic. It also reduces the temptation to go through traffic with a fine-toothed comb in an attempt to spot a malicious ex in order to block them. While users are able to block IP addresses from here, all a malicious user needs to do to get a new IP address is reboot their router. It can become the most exhausting game of whack-a-mole you will ever play! Not only does “All Traffic” mode use your host’s bandwidth, it will likely eat into your emotional bandwidth too! Give yourself a break and pop it onto “Security Only” live traffic!
So, we’ve added different layers of protection to your site, but even with the best technology in the world things can go wrong. If prevention is not enough, what can we do to further protect ourselves from malicious activity? The following steps have given me peace of mind, and a feeling of control in the face of unwanted attention.
Hackers are always coming up with new and (for them) exciting ways to glean information from our sites, and to exploit vulnerabilities. Wordfence provides us with robust protection, but it is important to remain vigilant. Keeping this in mind, I semi-regularly use a free malware checker to scan my site. These checks are much the same as each other: they scour the blacklists for the domain you enter, and tell you of any issues. You can choose your own by searching “Free malware site checker” or similar. I use sucuri.net for ease of use, and because it was the first non-ad listing in my search results! (If you want to know more about SEO then check out this Blogable post by May More on the subject.)
While I am semi-regular in my malware checking (once a month), I am fastidious about backing up my work. I use the plugin UpdraftPlus. As with most of my technophobic ways I go for ease of use and compatibility with other important plugins, such as Wordfence, Jetpack and Akismet. Once it is installed and activated you can get started straight away. Back in your WordPress dashboard select Settings, then UpdraftPlus Backups. Follow the instructions to back up your work. I try to do this weekly, and I retain the three most recent backups.
Concluding Six Steps to Blog Security
I recommend you try out these six steps to blog security. As a technophobe myself I believe they are a great place to start. Perhaps there is something that you do which could benefit others (including me). Please do get in contact in the comments below and let us know!
Header image from Pexels