Created this infographic based on my years of protest with CodePink Women for Peace in DC and my years as a security manager at a major museum.
Save the image or click for the PDF.
Security Recommendations for Blogging
Here a Hack, There a Hack, Everywhere a Hack, Hack
(Updated 2015 version)
In this world where hacking seems to be de rigueur, having a secure blog is becoming both more difficult and more important. The wave of brute-force attacks on WordPress sites that began a couple of years ago left an especially sinister taste in my mouth. But every single node along the information superhighway can be hacked. Heartbleed was a bug in the OpenSSL library, and it affected not only web servers but also network equipment, including certain Cisco products. Little guys and big guys are not safe. Banks are robbed in real life. Sites are hacked in real life.
It seems that a staging may be happening for a future, truly sinister attack. I am not a conspiracy theorist! (Pardon me while I stamp my feet in vehement disagreement and adjust my tinfoil hat.) War is raging. It isn’t clear what the purpose of many of these hacking attempts might be. This is one of the most worrisome aspects of the hacking.
But do what you can. Keep your site up to date, both the core software and the plugins. Don’t host abandoned sites that you aren’t keeping up on your self-hosted account just because you can. If you have an account with a host and you have three sites on it, but two of them are just for testing or might be developed in the future, and these two are not kept up to date as rigorously as your primary site, take those sites down. An unpatched site on a shared account is a thoroughfare for hackers into everything else on it. Hackers want your server, not your blog.
Contactless (RFID/NFC) payment cards can be read by a nearby reader without ever leaving your wallet, which is why RFID-blocking sleeves exist; the contact chip itself cannot be read at a distance. Mortgage lenders, banks, and credit companies have all lost private data, client data. And these data losses are from these major sites.
So it isn’t surprising that hundreds of thousands of smaller sites have been hacked.
Hosting
I have moved my business site from a self-hosted account to a managed host. I may also be moving my non-commercial site to another hosting company. Because I am an impoverished blogger I will be learning how to maintain much of the site myself; it may take a while, but it will be worth it. Managed and maintained are different things in the hosting world, but I will take that on at another time.
Why am I switching?
I need a different hosting company. I need a server company that I trust, that will be reliable, and that will let me know if anything looks flaky. Fiduciary responsibility mandates that I do the best I can. I need to know that there is a backup that will kick in should anything happen at their primary location. I want a U.S. based company. I want a company that will take it seriously if sites that share a server with me suddenly look like Swiss cheese from a security standpoint.
Many website compromises are not about the website at all; the site is simply the foothold from which the attacker reaches the server, and every other site on it. I want to work with companies who are diligent in their attempts to foil hackers.
As a semiotic anthropologist I know something about information, more than most, but I do not know that much about computer security, although I probably know a lot more than most bloggers. This is the most straightforward account I have found of security and the current situation bloggers are facing:
While these attacks against popular content management systems are nothing new, the sudden increase is a bit worrying. Until the botnet in question is taken down, however, there is not much that can be done aside from ensuring you are taking every precaution. That includes using a solid username and password combination as well as ensuring your CMS and plugins are up-to-date. From: The Next Web.
Tucson is a cool place that attracts cool people. That is a metaphor folks, it is hotter than blazes here in Tucson right now. I like supporting local community, and I like supporting local businesses. And Tucson is a blue oasis in a sea of red. And it has good karma. People have lived here for thousands and thousands of years; some say humans have been here for over 10,000 years. You can read more about community and good juice or strong referral and reputation credentials in the second part of my Juice, Juju, Karma, and The Business of Blogging.
It is difficult to decide what is the best platform for you. I hate to say it, but if you are a small blogger that operates as a small business working on the solo-preneur model, you may be up a creek without a paddle. Security costs. AdSense and Etsy incomes just are not going to cover hiring a developer to create a Drupal site for you. (Think tens of thousands of buckos.) If you are someone like me who is thinking about being able to sell digital downloads in the near future, you know that you need a site over which you have control. No one will take an iwantafreewebsite.blogspot.com seriously as a major business. If you do not have control over your own website and do not own your domain, which is your basic online branded identity, you do not own the most important intellectual property associated with your blog.
This is why most bloggers who leave their blahblah.blogspot.com or blahblah.wordpress.com sites for self-hosted websites do so. There are other popular platforms used for blog hosting, but WordPress has the largest share of the blog market. Some would argue that is a reason not to use WordPress, since it makes it a huge target. Popularity does still draw attackers, but what decides whether a site gets hacked is whether it is patched, and the general growth and maturity of Automattic, the company behind WordPress.com and a major contributor to the open-source project, has made keeping up easier. The company has very specifically addressed security with the purchase and incorporation of Akismet and BruteProtect.
Most of the bloggers I interact with on a regular basis are either running collaborative sites or will be selling digital products if they are not already doing so. With the hacking, and the vast number of plugins a blogger has to use to have a sophisticated site, it is not unreasonable to have to do several updates a week to keep up to date with security releases.
I was VERY uncomfortable with my attempts to create a pay site on a self-hosted WordPress site. By the time I added up my costs for a somewhat secure framework, a responsive child theme, a payment gateway, social media, and curation plugins, I was spending way too much money and time with too many different sellers, plugins and updates, for products that, while they are much safer than the free versions of similar products, are by no means guaranteed to be secure. If I am going to have to do all that, I want a system where my efforts will allow me to scale up to add e-commerce, meeting software, webinars, direct feeds from my social media accounts and integration with them for posting, and publication software.
So I am now hosting my business site through a well-established provider on which my ecommerce will be channeled on Rainmaker. And surprise, surprise, this is a WordPress-derived platform.
As long as I own my domain, and keep backups of my content, I would rather deal with one known agent rather than a dozen vendors from who knows where.
Feel free to ask questions. I will attempt to answer them, and if I can’t do that, I will talk to my network and get the answers.
My Annual BlogHer Logistics Post – #BlogHer14
As I have said before, “Prepare now so you can seem effortlessly organized later.” The secret to success seems to lie in being organized enough to take advantage of what the moment offers. At a conference, such as BlogHer, this means knowing where everything is. No, not knowing where all the junk you brought and don’t need is, but rather knowing the space you are in and knowing where to purchase or find what you might need should your light and easy packing have overlooked something you really need. So, herewith, a former museum security and facility manager’s:
Guide to #BlogHer14 Logistics
There are two parts to this Guide: Info about the Convention Center, which is primarily abridged information from the facility guide available at the Convention Center site, and Nearby Stores and Stuff (further down the page). You probably know that BlogHer’s 10th Anniversary Celebration will be held at the San Jose Convention Center in San Jose, California. You may also see references to Team San Jose, who manages the venue, and the official name of the center: San Jose McEnery Convention Center.
Info about the Convention Center (150 W. San Carlos St., San Jose, CA)
The full PDF is scores of pages long, so I have copied some common information needs below, for your convenience. I edited, cut and rephrased bits and pieces, but the information is theirs and I make no warranties as to its accuracy.
For your convenience:
ATM MACHINES
The Convention Center has three onsite ATM machines. Two are located on the first level and one is located on the second level.
PARKING
The garage attached to the Convention Center provides 500 spaces for general use. 22 spaces are available for persons with disabilities and there are 8 electric car charging stations.
The Market Street entrance/exit is open 24 hours. The Almaden Blvd entrance/exit opens at 6am Monday through Friday and at 7am Saturday and Sunday; closing times vary based on the event schedule.
Current rates are $1 per 20 minutes with a $20 daily maximum. Rates are in effect seven days a week.
CONCIERGE SERVICES
Once onsite, attendees may take advantage of a SJCC restaurant and citywide information desk in the main lobby of the Convention Center. Based upon event demands these Concierge specialists can provide the following: complimentary restaurant reservations, complimentary San Jose guides and brochures, restaurant menus available for review, discount coupons, arts and cultural information.
For your safety and security:
EMERGENCY MEDICAL SERVICES
The San Jose Convention Center requests that, should an accident occur, you report it immediately to Public Safety at Extension 3500 on any House Phone.
Or call Public Safety from your cellphone at 408-277-3500.
Licensed First Aid staffing is required and will be onsite during event hours.
SECURITY
General Facility Security
Team San Jose (aka the Convention Center) is not responsible for the property of clients, exhibitors and guests. Our 24 hour security staff is responsible for safety and security in the public areas of the building. Call Public Safety from your cellphone at 408-277-3500 or report your concern via any House Phone at Extension 3500.
SMOKING
By state law, and in the interest of public health, the Convention Center has adopted a non-smoking policy. Smoking outside of the facility is only permitted at a distance of 25 ft. from the building.
EMERGENCY PROCEDURES
Detailed procedures are outlined in the TSJ Emergency Evacuation Procedures PDF. The most common question people ask about emergencies when they travel to California may well be, “What do I do if there is an earthquake?” I have taken the following from the emergency guide:
EARTHQUAKE
- Take shelter under desk, table, work surface or other stable object.
- Face away from windows and chemical storage containers.
- Remain where you are until the shaking stops.
- After the earthquake subsides stay where you are (shelter-in-place) unless it is unsafe or you are told to evacuate the building by the ERT. Then proceed to the nearest exit.
- Do not use elevators.
- Proceed to designated area of safe refuge. (See Evacuation Map)
- Do not return to the building until told to do so by the ERT representative or Security.
Nearby Stores and Stuff
DRUG STORES Nail polish, aspirin, etc., etc., etc. Sometimes you just need stuff!
GROCERIES Grocery stores are handy to know about if you want to buy more reasonably priced drinks, food stuffs, and forgotten personal items than what is usually available in hotels affiliated with the event or conference location.
What is listed as The Market Safeway on the map is probably the closest full grocery to the Convention Center.
For anything else you might want to find out, try out a local news app which you can find at: http://www.mercurynews.com/mobile No time for all this? Don’t worry, be happy. Just get to the conference and have fun!
Heartbleed and Your Blog Security
Concerned about the Heartbleed computer vulnerability? Me too.
What Is Heartbleed?
As soon as I heard about the massive hole in OpenSSL that leaves a large share of the sites and blogs on the internet open to data grabs, I went to a popular computer tech site, TechCrunch, to find out what is what. The article there seems like a good overview of what is happening with the vulnerability, which, according to most reports I have read, leaves over 60% of sites using the OpenSSL library exposed to leaking private data from server memory.
As soon as I realized this was very, very bad news, I went to my “go to” source for blog security: Sucuri.com’s blog. I trust this company and if my site gets hacked these are the people I am going to for help.
Is My Site Affected?
Sucuri recommends going to http://filippo.io/Heartbleed/ in order to find out if the servers you are using are affected by the vulnerability.
This site then recommended Heartbleed.com as a good source of information about the Heartbleed bug.
A fixed OpenSSL (1.0.1g) has been released, but it must be deployed. This is something done at the hosting service level, so there really isn’t much an individual blogger can do beyond finding out the status of updates on your hosting company’s servers. One caveat: because the bug can leak the server’s private key and users’ session data from memory, a host that has patched should also reissue its SSL certificates, and you should change your passwords only after the server shows as fixed, not before.
Recommendations
I can only tell you what I am doing; I cannot make recommendations for you. The old adage, “If in doubt, don’t.” seems like the most prudent course of action.
I will continue working on my sites as long as my host’s server comes up clean per testing on Filippo. I probably won’t visit too many other sites and I definitely will not use any financial sites, or sites that have my private health information on them, for a few days, or until I find out more about how Apache and perhaps other types of servers are compromised and whether accessing my accounts makes my data more vulnerable. I do not think it does. But, better safe than sorry. I’m banking in person and making any health copays in cash. I’m also going to purchase groceries with cash. I probably will not shop for anything else for a few days.
I will try to update this post when everything seems okay. It could be a while.
Self-hosted Blog cPanel Security Tips
Yesterday I covered some basic security tips for WordPress blogs. Today I am covering some of the very basic things you can do to make your site or blog more secure through cPanel, the panel through which you set up the basic self-hosting service particulars of your site.
I am not a computer programmer or software specialist, but I tell such folks that I know enough to be dangerous. I do install and maintain much of my own site software. I have been using computers, dare I say it, since the late 1970s. I have learned a few things along the way and offer this information as is in order to familiarize my readers with some of the security problems and solutions that may inform them. But as a caution, if you are not comfortable changing something in your setup, don’t do it. If you do change something, keep a log of exactly what you did. As always, back everything up before you make any changes.
A Host You Can Reach
cPanel often has a video tutorial available. Ask your hosting service if such a video is available if you do not know where to access it. Cannot easily get in touch with someone from your hosting company? Get another one. Make sure you have in-person support, live chat, and a support phone number. Having the ability to submit a support ticket is not good enough.
What the Crooks Want
cPanel is essentially a dashboard through which you adjust and install the software components of your website. It is the gateway to the server space you rent from a hosting service. Most hackers are trying to get to that server space, where they can install their own software to do all sorts of nefarious things: send spam, host phishing pages, or attack other sites.
How They Do It
Those pesky spam comments may be much more than a way to get stupid links on your site. A comment is untrusted input. If the theme or plugin that stores and displays it does not validate and escape it, the comment can carry code you cannot see: script that runs in your other visitors’ browsers (stored cross-site scripting), or text that breaks out of a badly built database query and alters your tables (SQL injection). Don’t have databases? Yes you do. They are created to manage user names, comments, likes, and a host of other information that it takes to have a pretty, shiny website or blog. So you want to lock down file permissions and keep the software that touches those databases patched.
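To make the comment-as-attack idea concrete, here is an added example (not code from the original post, and not WordPress’s own code) that stores the same crafted comment two ways: once by pasting the text into the SQL statement, once with a parameterised query. The table layout, the admin row and the comment payload are all constructed for the demonstration. Python’s sqlite3 stands in for PHP and MySQL here; the principle is identical.

```python
"""A blog comment is untrusted input. This added example (not from the original
post) stores one crafted comment two ways: pasted into the SQL text, where the
comment rewrites the query, and via a parameterised query, where it is stored
as inert data. The table layout, admin row and payload are constructed."""
import sqlite3


def fresh_db():
    """Build a tiny in-memory stand-in for a blog database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users (login, pass_hash) VALUES ('admin', '$P$Bexample')")
    conn.commit()
    return conn


# Reads like an ordinary comment to a moderator, but the single quote closes the
# string literal and everything after it is executed as SQL. (Constructed payload.)
MALICIOUS_BODY = (
    "Great post!'); UPDATE users SET pass_hash='$P$Battacker' WHERE login='admin'; --"
)


def store_comment_vulnerable(conn, author, body):
    """The weak pattern: build the statement by string formatting.

    sqlite3's execute() refuses stacked statements, so executescript() is used to
    mimic a driver that runs whatever it is handed. Drivers that only run one
    statement per call are still injectable; the payload just has to be shaped
    differently (e.g. a subselect that reads other tables)."""
    conn.executescript(
        f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}');"
    )


def store_comment_safe(conn, author, body):
    """The hardened pattern: placeholders send the values separately from the SQL
    text, so a quote inside the comment is just a character in the stored body."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def admin_hash(conn):
    return conn.execute("SELECT pass_hash FROM users WHERE login='admin'").fetchone()[0]


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo():
    """Run both paths on identical input and report what ended up in the database."""
    vuln = fresh_db()
    store_comment_vulnerable(vuln, "bob", MALICIOUS_BODY)
    safe = fresh_db()
    store_comment_safe(safe, "bob", MALICIOUS_BODY)
    return {
        "vulnerable_admin_hash": admin_hash(vuln),   # attacker's hash: account taken over
        "vulnerable_stored_body": stored_bodies(vuln)[0],  # only "Great post!" survives
        "safe_admin_hash": admin_hash(safe),         # untouched
        "safe_stored_body": stored_bodies(safe)[0],  # the whole payload, stored as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a blogger who never writes SQL: you cannot see the difference between these two patterns from the dashboard, which is exactly why the plugin and theme updates in the next post matter; they are how the vulnerable pattern gets replaced with the safe one.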
Know Your cPanel
Per the image of the cPanel shown below, there are several parts of the panel that concern different functions of your site. When you log in and go to your cPanel, just click the arrow at the right on your panel to open or minimize the various sections.
Preferences: This is where you access tutorials, like the ones I mentioned above, and your basic access info.
Mail: If you have an email address associated with your website, you may want to enable SpamAssassin and configure the options to fit your needs.
Files: There are several things under this section of which you probably want to take advantage. Backups of your entire site are the best kind of security. You can create backups here. You can also stop strangers from uploading files to and retrieving files from your server through anonymous FTP. FTP is the file transfer protocol; anonymous FTP means anyone can log in without a password. Just disable it. If a hacker finds this FTP door open, they will let themselves in and turn your site into their plaything. Disable Anonymous FTP. And even for your own logins, prefer SFTP where your host offers it, because plain FTP sends your password across the network unencrypted.
Logs: There is nothing here that you can enable, but the data available here, such as the IP addresses of all the computers that have visited your site (people, bots, and hackers), is in these raw access log files, along with what each one requested and whether it succeeded. If you scan the data, you know who is getting into, or trying to get into, your site; repeated POSTs to wp-login.php from one address are the classic sign of a password-guessing attack. I recommend looking at these raw stats. Just don’t confuse these logs with Google Analytics or the like, which only see visitors who run the tracking script.
Security: While all of the options available in this section are worthwhile, I don’t recommend that basic users do much more than enable HotLink Protection to preserve their bandwidth. If you don’t do this, people can link to images and other elements of your website and display your content on their sites while you are actually paying for the bandwidth they use to access and display it.
Domains: Don’t mess with this unless you know what you are doing. It really does not have much to do with basic security.
Databases: Again, don’t mess with these unless you know what you are doing. Malware that gets in through SQL injection lodges in these tables (on a WordPress site, typically in wp_options or wp_posts), which is why a clean-up service needs to look here, but unless you know what you are doing, just don’t mess with these.
Software/Services: Unless you know enough to install your own software, once again I don’t recommend doing much here. This is where most basic bloggy types access Fantastico and install WordPress.
Advanced: Unless you are advanced at cPanel configuration, I do not recommend accessing these functions.
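The Logs section above says to read the raw access logs and the next post describes hours of pasting addresses from those logs into a spreadsheet and then into the IP Deny Manager. Here is an added example (not from the original post) that does that job in one pass: it parses Apache combined-format log lines of the kind cPanel exposes, counts password-guessing attempts per address, and emits the `deny from` lines that the IP Deny Manager writes into `.htaccess`. The log lines are constructed for the example; the threshold of three failed attempts is an assumption you would tune to your own traffic.

```python
"""Parse Apache combined-format access log lines (what cPanel's raw logs contain),
count brute-force login attempts per client IP, and render the Apache 2.2-style
`deny from` block that cPanel's IP Deny Manager writes to .htaccess.
Added example, not from the original post; the log lines are constructed."""
import re
from collections import Counter

# Apache "combined" format:
#   ip ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one address hammering the login form, one hammering the
# XML-RPC endpoint, one ordinary reader who logs in successfully, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:03:14:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:03:14:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:03:14:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2014:03:14:04 -0700] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2014:03:15:10 -0700] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "python-requests/2.2"
198.51.100.23 - - [10/Apr/2014:03:15:11 -0700] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "python-requests/2.2"
192.0.2.44 - - [10/Apr/2014:03:20:00 -0700] "GET /2014/04/heartbleed/ HTTP/1.1" 200 15234 "https://www.google.com/" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2014:03:20:05 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def count_attempts(log_text):
    """Count suspicious login traffic per IP.

    A POST to wp-login.php that comes back 200 is a failed login (WordPress
    re-renders the form); a successful login answers 302. Every POST to
    xmlrpc.php counts, since that endpoint is a common brute-force channel."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path == "/wp-login.php" and rec["status"] == "200":
            counts[rec["ip"]] += 1
        elif path == "/xmlrpc.php":
            counts[rec["ip"]] += 1
    return counts


def offenders(counts, threshold=3):
    """Addresses at or above the threshold, sorted for a stable .htaccess diff."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def htaccess_deny_block(ips):
    """Render the Apache 2.2 access-control block cPanel's IP Deny Manager writes.
    (Apache 2.4 with mod_access_compat accepts the same syntax.)"""
    lines = ["# BEGIN IP Deny (generated from raw access log)", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in ips]
    lines += ["allow from all", "# END IP Deny"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    attempts = count_attempts(SAMPLE_LOG)
    print(htaccess_deny_block(offenders(attempts)))
```

Two things the spreadsheet approach misses that this makes visible: the reader at 192.0.2.44 also posted to the login form, but the 302 says the login succeeded, so that address is never listed; and the attackers here used two different endpoints, so filtering on wp-login.php alone would have let the XML-RPC traffic through. Blocking by country (the .ru addresses in the next post) is a blunter version of the same idea and is easy to get around, since attackers rent servers everywhere.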
Hope this helps someone. And really, if you don’t do anything else, disable anonymous FTP under the Files section. If someone else takes care of this part of the process of having a blog for you, talk to them about these things.
Is WordPress Security Oxymoronic?
Security again… sigh.
I am trying to figure out how to deny certain IP addresses from visiting (read: hacking) my blog as a bit of preventive security. I spent a couple of hours yesterday cutting and pasting IP addresses from my cPanel stat files into an Excel spreadsheet so I could easily cut and paste individual IP addresses (from .ru and .vt) into the IP Deny Manager under the Security section of cPanel. Easy enough, right?
No, I know. For most people this is total gibberish. And this is just what hackers count on.
WordPress is the most hacked blogging platform on the inter-webs-cyber-grid-o-rama. Why? Because, next to Tumblr, WordPress is the most popular blogging platform. It only makes sense that villains would target the biggest market.
I will eventually move off of WordPress to a more secure platform, but I know that no platform is completely secure. Might I add that this is especially true now that we know that NSA is building and requiring backdoors into everything. Sigh again.
There are some things you must do right now to secure your WordPress site if you have not done so already.
- Go to Sucuri and scan your site(s).
- Change your passwords to log into your blogging dashboard and your cpanel on your hosting account.
- Activate the Akismet plugin. It ships with WordPress but does nothing until you activate it and enter an API key. Do this from your blog’s dashboard, under Plugins, about half way or so down the left side column. Pay them something, even a couple bucks, even though you can get it for free.
- At the very top of that same left column you can click at the top on Dashboard. You will see “Home” and “Updates” and maybe some other things dependent upon what you have installed on your blog. click on updates. You will want to install the latest version of WordPress and the latest version of each and every one of your plugins. But BEFORE you click update, do a backup of your blog. How? Simple.
- Go to that left column again. Under the “Tools” section select “Export.” Save the .xml file on your computer. In doubt about what parts to click to save? Just select them all. Be aware that this export contains only your content (posts, pages, comments); it does not include your theme, plugins, settings, or uploaded images. For a full backup, also download one from your host’s cPanel backup tool or use a backup plugin.
- Now you can manually go through and update your version of WordPress and each plugin. Do this immediately any time an update becomes available. You should always have the latest version of any and all software. Yes, you will have to check this out a couple of times a week by going to the “Updates” section of your dashboard.
There is much more you can do, but that is enough for today. I will cover some other simple things you should be doing to keep you site safe in other posts later this week.
G’luck.