6 Simple Tips to Secure Your Blog

Categories: Blog Basics, Blog Security
Written By: BloggerSavvy

I spoke with a new blog owner yesterday, who almost lost a fair bit of content as the result of an intrusion. Additionally, he was locked out of his own site (which prompted the phone call). Fortunately I was able to help him avoid any further damage to his content, as we were able to stop the unauthorized access in its tracks. But what could he have done to avoid or mitigate any loss? What steps can we as bloggers take to help safeguard our valuable content?

In my opinion, one step is to maintain your own server: do not host your blog on a shared hosting account. Shared hosting means just that, other people (whom you don’t know) also have accounts on the same server, which increases the likelihood of an incident. To give you one simple example, I was using a shared server for a quick, small web site development project about six years ago. The hosting company had some issues with the server and left it in an unprotected state (they were working on it at the time). I remember logging in (via FTP) that afternoon and having full access to the files of every single account! I terminated my service the same afternoon. Using a dedicated server (or at the very least a VPS) avoids such issues, as you are in control of your own server.

All too often it seems we are so involved in how to grow, promote, enhance, etc. our blogs, yet seldom do we give serious thought to safeguarding our valuable investment.

Having said this, the question remains: for most of us (who are not network administrators), what can we do to help avoid security-related issues? (Being proactive is more effective than being reactive.) The following six tips should help you. Some may require a little more knowledge, but they are pretty easy steps to take. So, without further ado, here are the helpful tips:

1) Make sure you ALWAYS have an off-site backup.

I use a plugin called WP-DBManager, which emails me a scheduled backup of my database and also stores several versions on my server. I should note that these database backups are in turn backed up by the server-based backup software. The critical point here is that you have a CURRENT copy of your database (and blog files) offline, in YOUR possession. Never assume that the server’s backup software is working as expected.

2) Keep your blog software updated – Always.

Updates often include bug and security fixes that close potential exploits. One good feature of WordPress, for example, is that the administrative area tells you when an update is available. It’s a simple matter to back up all your data and files, perform the update and continue blogging. If needed, you can find the update (upgrade) steps directly in WordPress’ post “Upgrading WordPress”.

3) Change your password – Do so often.

When you forget your WordPress password (or have just installed WordPress), it sends you a password. That password is short and fairly easy to crack; change it to something more difficult. There is also a plugin you can use to help you lock out visitors who are trying to guess your password (to break into the administrative area): it’s called Login LockDown. Login LockDown locks out the IP addresses behind repeated incorrect password submissions for whatever time period you choose.
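To show what a lockout plugin of the kind described above actually does, here is an added example (not the Login LockDown plugin’s code, and not from this post): a small Python policy that counts failed logins per source IP inside a sliding window and refuses that IP for a lockout period once the threshold is reached. The thresholds, the log line format and the IP addresses (RFC 5737 documentation ranges) are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLockout:
    """Lock out a source IP after `max_failures` failed logins inside `window`.

    A locked IP is refused for `lockout`, even if it then sends the right
    password; this is what stops an automated password-guessing run.
    """

    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout expired: forget the history
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_attempt(self, ip, success, now):
        """Return one of 'locked', 'ok', 'failed', 'locked_now'."""
        if self.is_locked(ip, now):
            return "locked"                  # refused without checking the password
        if success:
            self.failures.pop(ip, None)      # a good login clears the failure count
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked_now"
        return "failed"


# Constructed sample of login events: date, time, client IP, result, username.
# The addresses come from the RFC 5737 documentation ranges, not real clients.
SAMPLE_LOG = """\
2009-03-01 10:00:01 203.0.113.7 FAIL admin
2009-03-01 10:00:05 203.0.113.7 FAIL admin
2009-03-01 10:00:09 203.0.113.7 FAIL admin
2009-03-01 10:00:12 203.0.113.7 OK admin
2009-03-01 10:30:00 198.51.100.4 FAIL admin
2009-03-01 10:40:00 198.51.100.4 FAIL admin
2009-03-01 10:50:00 198.51.100.4 FAIL admin
2009-03-01 11:05:00 203.0.113.7 OK admin
"""


def replay(log_text, policy=None):
    """Feed each log line to the policy and return the decision for each line."""
    policy = policy or LoginLockout()
    decisions = []
    for line in log_text.splitlines():
        day, clock, ip, result, _user = line.split()
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        decisions.append(policy.record_attempt(ip, result == "OK", when))
    return decisions


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{decision:10s} {line}")
```

Two things the replay makes visible: the first address is refused at 10:00:12 even though it finally sends the correct password, because the lockout is still in force, and the second address, which guesses only once every ten minutes, never trips a five-minute window at all. A lockout slows down fast guessing; it is the strong password from the tip above that defeats slow guessing.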

4) Disable indexing of your files.

Search engines do not need to index all your WordPress files. Use a robots.txt file to disable such indexing. Simply add the statement:

Disallow: /wp-*

to your robots.txt file. The above statement tells the search engines that any directory beginning with “wp-” should not be indexed.
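As an added example (not from the post), here is a small Python matcher for robots.txt rules that shows how the statement above is interpreted. It implements the Google-style rules (a `*` matches any run of characters, the longest matching rule wins) and, beside it, asks the same question of Python’s own `urllib.robotparser`, which implements the older plain-prefix matching and treats `*` as a literal character. The two robots.txt bodies and the paths are constructed for the demonstration.

```python
import re
import urllib.robotparser


def parse_robots(text):
    """Return the (allow, pattern) rules of the 'User-agent: *' group, in file order.

    Only the wildcard group is handled; a real crawler also looks for a group
    naming its own agent, which takes precedence over '*'.
    """
    rules, in_star_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_star_group = value == "*"
        elif in_star_group and field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules


def _to_regex(pattern):
    """Google-style matching: '*' is any run of characters, a trailing '$'
    anchors at the end of the path, everything else is a literal prefix."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))


def is_allowed(rules, path):
    """Most specific (longest) matching rule wins; Allow wins a tie."""
    best = None                                  # (pattern length, allow)
    for allow, pattern in rules:
        if _to_regex(pattern).match(path):
            length = len(pattern)
            if best is None or length > best[0] or (length == best[0] and allow):
                best = (length, allow)
    return True if best is None else best[1]


def stdlib_allows(text, path):
    """Same question put to urllib.robotparser, which does the plain prefix
    match of the original draft standard and treats '*' as a literal."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(text.splitlines())
    return parser.can_fetch("*", path)


# Constructed robots.txt bodies: the post's wildcard rule, and the prefix form
# that every parser understands (with an Allow for uploaded images).
ROBOTS_WILDCARD = "User-agent: *\nDisallow: /wp-*\n"
ROBOTS_PREFIX = "User-agent: *\nDisallow: /wp-\nAllow: /wp-content/uploads/\n"

if __name__ == "__main__":
    for path in ("/wp-content/plugins/", "/wp-admin/", "/2009/03/my-post/"):
        print(path,
              "wildcard rule:", is_allowed(parse_robots(ROBOTS_WILDCARD), path),
              "stdlib view of it:", stdlib_allows(ROBOTS_WILDCARD, path),
              "prefix rule:", is_allowed(parse_robots(ROBOTS_PREFIX), path))
```

The point the comparison makes: `Disallow: /wp-` (no asterisk) already blocks every path starting with `wp-`, because robots.txt rules are prefix matches, and it is understood by every parser, whereas `/wp-*` depends on the crawler supporting the wildcard. Either way, robots.txt only asks well-behaved crawlers to stay out; it does not stop anyone from requesting those paths, so it belongs with the access controls in tips 5 and 6 rather than in place of them.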

5) Disable viewing of your folders.

Anyone attempting to access your system may be able to see your files (such as plugins). In your web browser, try to visit your WordPress plugins directory by going to:

http://www.your-domain-name.com/wp-content/plugins/

If you can see a list of files and/or directories, that’s not good. You can create an index page that redirects visitors who try to view those directories back to your blog. Here is the code I use:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="refresh" content="0;URL=http://bloggersavvy.com/" />
<title>Nothing Here</title>
</head>
<body>
</body>
</html>

Name the file “index.html” and place a copy of it (with the above code) in your plugins folder. Now if you try to view the contents of the plugins folder, you will be redirected to your blog’s home page. Note: obviously, you will want to substitute your own blog’s URL for mine. This tip is important because it prevents unauthorized visitors from inspecting your plugins and finding an exploit.

6) Deny access to your administrator login.

I use a .htaccess file (among other things) to accomplish this. A .htaccess file allows me to customize how a folder is “treated”. In this case I want to deny access to all IP addresses except my own. If you find one day that you are locked out, simply edit the .htaccess file and re-upload it to the “wp-admin” folder of WordPress.

Here is an example of the code I use:

# These Basic-auth directives have no effect without a matching "require"
# line; the IP rules below are what actually restrict access.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2 syntax: deny every client, then allow only the listed address.
# Deliberately not wrapped in <Limit GET>: a Limit on GET alone would leave
# POST (the method the login form uses) open to everyone.
order deny,allow
deny from all
allow from 206.138.140.97

Again, change the IP address to your own. Don’t know your IP address? I’ve included a handy tool below. It does not store any data, it just shows you your current IP address (which means everyone else will only see their own IP address below). You can use this post whenever you quickly want to see your current (new) IP address:

(For the technically adept: these addresses are not logged by the script that displays the IP address above; it simply reads the “REMOTE_ADDR” variable and displays it to you.)
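For readers on a current Apache release, here is an added example (not the author’s configuration) that covers tips 5 and 6 with Apache 2.4 directives. Tip 5 is handled server-side with `Options -Indexes`, which is stronger than a redirecting index.html because it also applies to every subfolder and does not depend on a file being present in each one (neither approach hides a plugin whose file path is already known, so keep plugins updated as in tip 2). Tip 6 uses `Require ip`, which applies to every HTTP method, so the `<Limit GET>` problem cannot arise. It assumes the hosting account permits these directives in .htaccess (`AllowOverride` including `Options` and `AuthConfig`); the two IP addresses are RFC 5737 documentation placeholders to replace with your own.

```apacheconf
# --- wp-content/.htaccess (added example, Apache 2.4 syntax) ---
# Turn off automatic directory listings for this whole tree: a bare request
# for /wp-content/plugins/ gets a 403 instead of a file list.
Options -Indexes

# --- wp-admin/.htaccess (added example, Apache 2.4 syntax) ---
# Allow the dashboard only from the listed addresses, for every HTTP method.
# 203.0.113.10 and 198.51.100.0/24 are placeholders: put your own address(es) here.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php lives in wp-admin but is requested by ordinary visitors'
# browsers for many themes and plugins, so it has to stay reachable.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

If your connection does not have a fixed address, list the whole range your provider assigns you (the `/24` form above) rather than a single address, or you will be editing and re-uploading the file every time your IP changes, as the tip warns.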

While there are several more advanced things network administrators can do to help protect your blog, the above are six simple tips that you may implement as soon as possible. Have any input, ideas, questions? Feel free to include them in your comments below.

