Blog Security Tips

There are two ways of writing a blog. The first is to use the free service of wordpress.com or blogger.com; the second is to pay a hosting provider to host your blog and run the WordPress software on it yourself (which is different from “wordpress.com”). The advantage of the first is that you can start writing directly and not worry about techie things. The advantage of the latter is that it offers you a lot of flexibility, but it comes with the headache of maintaining a few things.

Paul Krugman has a post on how Michael Pettis’ blog was hacked recently. In fact, in the last 1-2 days there was a huge rise in hacking activity according to Akamai. Even for my site, which has far less traffic than Pettis’, the number of attacks was huge, and my host, which hosts millions of sites, went down for 8+ hours (and is still recovering – although they won’t admit it, I think it was a DoS attack because I remember seeing “too many requests” on some screen). Krugman feels the hacking was because Pettis writes openly about China, but methinks it was simply because of the huge rise in attacks in the past 48 hours.

For some – especially businesses such as travel companies – an incident like the recent one can mean a lot of lost revenue and complaining clients. But even for others, it can be hard to recover old posts and files. So here are some tips.

  1. Use Amazon Route 53 as your name server instead of your host’s name server, with a low TTL such as 300 seconds or 15 minutes. The low TTL matters because resolvers cache your records only for that long, so a change you make takes effect within minutes rather than a day. If your account or the hosting company is hacked, you can change the DNS entries in Route 53 to point the domain at a backup site or to cut off access to it entirely. So if your domain name is example.com and someone hacks your host, you can use Route 53 to immediately redirect browser requests for example.com to some other IP address or block them completely.
  2. Do not use “admin” as your username. There are good WordPress plugins such as Better WP Security which – among many other things – let you change your username and hide the login screen so that its location is known only to you. You can also ban IPs with the tool if you still see someone trying to break in.
  3. Back up. If using WordPress, you need to back up two things – the database and the “uploads” folder (wp-content/uploads).
  4. Cloudflare: Although I don’t use it, it seems like a good option for security and is free for normal usage.
  5. Something I missed.
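As an added example for item 1 (not code from the original post), here is the Route 53 change a blog owner would prepare in advance for the “redirect or block” scenario. It builds the ChangeBatch that the Route 53 ChangeResourceRecordSets API expects, checks the target address and refuses a TTL too long to be useful in an emergency. ZONE_ID and the 203.0.113.10 backup address are placeholders; pointing the name at 0.0.0.0 as the “block it completely” option is this example’s choice. The `boto3` call is real but only runs if you invoke `apply_change()` with AWS credentials set up; everything else works offline.

```python
"""Emergency DNS redirect with Amazon Route 53 (item 1 above).

Added example, not code from the original post. Assumptions: the domain's
zone is hosted in Route 53 and you know its hosted zone id (ZONE_ID is a
placeholder); the `boto3` library and AWS credentials are needed only when
apply_change() is called, everything else works offline.
"""
import ipaddress
import json

LOW_TTL = 300              # seconds, as the post suggests
MAX_EMERGENCY_TTL = 900    # 15 minutes: longer and a redirect is too slow to help
ZONE_ID = "ZEXAMPLE12345"  # placeholder hosted zone id, replace with your own


def build_redirect_batch(domain, target_ip, ttl=LOW_TTL):
    """Return the ChangeBatch that Route 53's ChangeResourceRecordSets API
    expects, UPSERTing the A record of `domain` to `target_ip`.

    Validates the address and refuses a TTL too long for an emergency change,
    so a typo does not leave the domain pointing somewhere wrong for a day.
    """
    ipaddress.IPv4Address(target_ip)  # raises ValueError on a malformed address
    if not 0 < ttl <= MAX_EMERGENCY_TTL:
        raise ValueError(f"TTL {ttl}s is too long for an emergency redirect")
    return {
        "Comment": "emergency redirect after hosting compromise",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": domain.rstrip(".") + ".",   # Route 53 uses a trailing dot
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target_ip}],
            },
        }],
    }


def build_blackhole_batch(domain, ttl=LOW_TTL):
    """The post's 'block it completely' option: point the name at 0.0.0.0,
    an unroutable address, so browsers cannot reach the hacked host at all."""
    return build_redirect_batch(domain, "0.0.0.0", ttl)


def apply_change(zone_id, batch):
    """Submit the batch to Route 53. boto3 is imported here so the offline
    parts of this script work without it installed."""
    import boto3  # real AWS SDK; needs credentials in the environment
    client = boto3.client("route53")
    return client.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)


if __name__ == "__main__":
    # Dry run: print the change that would redirect example.com to a backup
    # site at 203.0.113.10 (a documentation address used here as a stand-in).
    print(json.dumps(build_redirect_batch("example.com", "203.0.113.10"), indent=2))
    # To really apply it: apply_change(ZONE_ID, build_redirect_batch("example.com", "203.0.113.10"))
```

If your visitors also use www.example.com, add a second entry to the `Changes` list for that name; one batch can carry several records and Route 53 applies them together.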
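For item 2, the question is how you would “see someone still trying to hack” before deciding to ban an IP. The following added example (not from the original post) reads ordinary Apache/Nginx combined-format access log lines and counts POSTs to wp-login.php and xmlrpc.php per source IP, then lists the addresses above a threshold. The log lines and the threshold of 10 are constructed assumptions; the output is a list for a human to act on, not an automatic ban. A hidden login URL only slows this kind of guessing down; a strong, unique password is what actually stops it.

```python
"""Spot password guessing against wp-login.php in a web server access log.

Added example, not from the original post. The log lines are constructed
and the threshold is an assumed choice; this reports source IPs worth
banning (item 2 above), it does not ban anything itself.
"""
import re
from collections import Counter

# Apache/Nginx "combined" format:
#   ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints a password-guessing script hammers. xmlrpc.php is included
# because WordPress accepts logins over XML-RPC as well.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one legitimate login, one script making a dozen
# attempts in a minute, and one XML-RPC post.
SAMPLE_LOG = [
    '192.0.2.15 - - [01/Jan/2000:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [01/Jan/2000:09:12:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [01/Jan/2000:09:13:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.0"'
    for s in range(12)
] + [
    '203.0.113.9 - - [01/Jan/2000:09:14:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"',
]


def login_attempts(lines):
    """Count POSTs to the login endpoints per source IP.

    GETs are ignored: loading the login page is normal, submitting it
    repeatedly is not. A failed wp-login POST returns 200 (the form again),
    a successful one 302, so status is deliberately not used to filter.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line, skip rather than crash
        path = m.group("path").split("?", 1)[0]  # drop ?redirect_to=... etc.
        if m.group("method") == "POST" and path in LOGIN_PATHS:
            counts[m.group("ip")] += 1
    return counts


def suspects(lines, threshold=10):
    """Return [(ip, count)] for IPs at or above the threshold, busiest first."""
    return [(ip, n) for ip, n in login_attempts(lines).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_LOG):
        print(f"{ip}: {n} login POSTs, consider banning")
```

Run it against a real log with `suspects(open("/var/log/apache2/access.log"))`; for a busy site, count per IP per hour instead of over the whole file so an old incident does not hide a new one.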
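Item 3 names the two things to back up but not how. The following added example (not from the original post) archives wp-content/uploads with a SHA-256 checksum, builds the `mysqldump` command for the database, and verifies an archive before you trust it. Paths, the database name and the defaults file are assumptions; `mysqldump` must be installed for the database step, while `demo_backup()` exercises the uploads part on a constructed directory so it runs anywhere.

```python
"""Back up what the post says a WordPress site needs saved (item 3):
the database and the wp-content/uploads folder.

Added example, not from the original post. Assumptions: WP_ROOT is the
directory holding wp-config.php; `mysqldump` is installed and reads the
database user/password from a [client] section in a separate defaults
file (so the password never appears in process listings); backup_uploads()
needs only the standard library, so demo_backup() below exercises it on a
constructed directory tree.
"""
import hashlib
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks; store it beside the backup so a later restore
    can detect a truncated or tampered archive."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_uploads(wp_root, dest_dir):
    """Tar+gzip wp-content/uploads into dest_dir; return (archive_path, sha256)."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        raise FileNotFoundError(f"no uploads folder at {uploads}")
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = Path(dest_dir) / f"uploads-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(uploads, arcname="uploads")
    return archive, sha256_of(archive)


def mysqldump_command(db_name, defaults_file, out_path):
    """argv for a consistent dump of the WordPress database.
    --defaults-extra-file must come first; --single-transaction gives a
    consistent snapshot of InnoDB tables without locking the live site."""
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--single-transaction", f"--result-file={out_path}", db_name]


def backup_database(db_name, defaults_file, dest_dir):
    """Run mysqldump; return (dump_path, sha256). Needs mysqldump installed."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    out = Path(dest_dir) / f"{db_name}-{stamp}.sql"
    subprocess.run(mysqldump_command(db_name, defaults_file, out), check=True)
    return out, sha256_of(out)


def archive_ok(archive, expected_sha256):
    """A backup you have not checked is not a backup: verify the hash and
    that the tarball actually lists files."""
    if sha256_of(archive) != expected_sha256:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return any(m.isfile() for m in tar.getmembers())


def demo_backup():
    """Build a constructed mini site in a temp dir, back up its uploads and
    return what can be checked. The DB step is only shown as argv."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        photo = site / "wp-content" / "uploads" / "2013" / "09" / "photo.jpg"
        photo.parent.mkdir(parents=True)
        photo.write_bytes(b"\xff\xd8\xff constructed sample image bytes")
        dest = Path(tmp) / "backups"
        dest.mkdir()
        archive, digest = backup_uploads(site, dest)
        with tarfile.open(archive, "r:gz") as tar:
            names = tar.getnames()
        return {
            "archive_name": archive.name,
            "members": names,
            "verified": archive_ok(archive, digest),
            "tamper_detected": not archive_ok(archive, "0" * 64),
            "dump_argv": mysqldump_command("wp_blog", "/etc/wp-backup.cnf",
                                           dest / "wp_blog.sql"),
        }


if __name__ == "__main__":
    for key, value in demo_backup().items():
        print(key, value)
```

Copy the archive, the dump and their checksums somewhere the hosting account cannot reach (a different provider, or your own machine); a backup that sits on the hacked host is lost together with the site.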

Touch Wood.
