Comments on: Blog Security: The Girl With the Dragon Tattoo Scares Me Into Taking It Seriously.

By: Bloxom Cheap

Bloxom Cheap — Sat, 05 Jun 2010 08:37:46 +0000

Learned as much as I would if I had written this.. nice post thanks!

By: Sherise Mccoo

Sherise Mccoo — Sat, 15 May 2010 00:35:58 +0000

Hi there may I quote some of the material found in this blog if I reference you with a link back to your site?

By: Demarcus Puzio

Demarcus Puzio — Sat, 24 Apr 2010 13:38:44 +0000

Genuinely wonderful !! I’ve just ordered a cellular app progress at codingate, they rapidly determined real critical and more than inexpensive developpers who created the thing in couple of times!!mobile – telecom and voip – web – desktop applications .

By: pacific

pacific — Tue, 13 Apr 2010 01:52:31 +0000

I’m so happy using blogger you could forget all about security only you have to do is write and write

By: Raymond

Raymond — Mon, 05 Apr 2010 04:02:55 +0000

You got numerous positive points there. I made a search on the issue and found nearly all peoples will agree with your blog.

By: Emo girls

Emo girls — Thu, 25 Mar 2010 06:50:23 +0000

I also liked this one =)) =^_^=

By: Emo girls

Emo girls — Thu, 25 Mar 2010 06:47:45 +0000

That was awe-awe-awe-some=)

By: Anne

Anne — Wed, 17 Mar 2010 08:22:31 +0000

Thanks for this post .I’ve recently had the experience of one of my WordPress blogs being hacked. Fortunately it was one which I had not done much work yet and I’ve ended up completely deleting it and the wordpress installation. The first thing I know about it was when I went into the admin panel and it was all messed up. I then tried to access the blog and got a big red warning from Microsoft about it being a dangerous site. I decided to completely delete the entire blog and make a fresh start .

I will certainly be implementing your security tips on my main wordpress blog

By: Living with Balls

Living with Balls — Mon, 15 Mar 2010 19:42:32 +0000

Thanks for the tips! This is defintely a concern of mine as my blog continues to grow. From now on I’m making sure I backup once a week.

By: Russell Coker

Russell Coker — Mon, 15 Mar 2010 12:54:21 +0000

http://www.yubico.com/home/index/
http://henrik.schack.dk/yubikey-plugin/

I should have mentioned it before, generally it’s regarded that for good computer security your access control should be based on “something you have and something you know”. There are a variety of hardware devices you can use for authenticating yourself. One of the cheapest and easiest is the Yubikey which emulates a USB keyboard and requires no special device driver support and no transcribing long numbers.

http://etbe.coker.com.au/2010/03/15/yubikey/

I’ve written about some of the technical aspects of the Yubikey at the above URL.

By: Russell Coker

Russell Coker — Sat, 13 Mar 2010 10:40:07 +0000

scheng1: If your site is of low value then an onscreen keyboard will avoid the simpler keyloggers.

But if someone was trying to attack a high value blog like Scoblizer then they wouldn’t be stopped by such things. Among other things an attacker who has a trojan installed (a pre-requisite for running a software keylogger) can hijack the session. One thing they could do is hijack the logout button to simulate closing the session but allow the attacker to continue using the session. If the session in question had administrative rights then the attacker could add new accounts.

One protection against trojans is to have multiple backups stored on removable media – and to hope that the attacker doesn’t encrypt all files and hide the key (as some viruses have done in the past).

But really anything you do on a compromised platform is going to result in you losing if it’s worth enough to an attacker. It’s best to just use a reliable system.

You could consider having one computer dedicated to doing nothing but blog administration (computers are cheap). When viewing links from blog comments and reading other people’s blogs use a different computer. A Windows box that does nothing but talk to your blog server should be safe enough.

http://etbe.coker.com.au/2010/03/08/designing-secure-linux/

Or you could use an OS that doesn’t tend to be prone to keylogger attacks, such as Linux. The above URL has a post I recently wrote with some design ideas for a particularly secure Linux system. Linux security is reasonably good but we can improve it.

By: scheng1

scheng1 — Sat, 13 Mar 2010 06:15:13 +0000

haha, you sound like my mummy! I like to add a bit about password. It is better to use onscreen keyboard just in case a trojan horse program is installed in our computer.

By: Zach

Zach — Fri, 12 Mar 2010 09:02:18 +0000

Very good article. There is a security plugin as well that will help patch up your WordPress install:

http://wordpress.org/extend/plugins/secure-wordpress/

I have this installed on my blog along with a highly customized .htaccess and mod_security installed and configured.

@Ami, take out the Deny from all in .htaccess, and replace it with this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

That should get you started again.

By: abercrombie london

abercrombie london — Fri, 12 Mar 2010 08:29:15 +0000

i love the girl with the dragon tatoo, it’s fascinating. won’t hurt. But if you have a small number of people with Author-or-higher privs on your blog, just use better passwords. A good, long, unique, unguessable, non-dictionary password will make brute-forcing moot. I’ve never seen actual brute-force attacks — only “common passwords” attacks.

By: Russell Coker

Russell Coker — Fri, 12 Mar 2010 06:45:25 +0000

Remember to check your backups periodically, sometimes something goes wrong with the backup process and there’s nothing that can be restored.

I recommend doing backups at the database level if possible. I run a mysqldump on the database server and then scp the files to another system. So even if something was going wrong with my blog it wouldn’t affect the backups unless it had changed the database.

Make sure that your backups are under your control. Emailing them to a gmail account etc is not good enough! The data must end up on physical media that you personally own, preferably multiple pieces of media. My blog backups are transferred daily to a RAID-1 array on my home server and I periodically back them up to removable drives.

By: Nimit Kashyap

Nimit Kashyap — Fri, 12 Mar 2010 05:45:59 +0000

wordpress security is really a big issue, i had lost my previous blog because i didn’t had the backup.

By: Samantha Milner

Samantha Milner — Thu, 11 Mar 2010 19:27:52 +0000

This was a very good blog. It was fill with lots of advice. I never heard of people hacking blogs. I guess people will hacked anything these days.

Kind Regards,
Sam
X

By: Justin Matthews

Justin Matthews — Thu, 11 Mar 2010 18:40:16 +0000

Very well written Kelly. I too am in love with the internet. My wife calls my laptop my mistress,but she is glad it is technology and not a real woman. Something about fondling keys being better than other things.
Great Security heads up too, That book makes it seem way to easy to hack into anywhere. And it can be!

By: John Soares

John Soares — Thu, 11 Mar 2010 15:58:48 +0000

It’s very important to have a good WordPress theme that will still work when you do updates. Before I switched to Thesis I had two blogs running on free themes.

When I updated to a newer version of WordPress, one theme crashed completely.

By: Deanna V

Deanna V — Thu, 11 Mar 2010 15:54:26 +0000

I don’t even have my blog set up yet, and I’m already loving reading all of these articles. Your writing style is so entertaining and yes, I did learn something I won’t forget.