I miss this blog! I miss my readers. I miss my topics.
In case you don’t know, I am working on a new site called the Women’s Legacy Project. It is more focused on a certain topic and a certain demographic than this free-for-all that is my life and my quest for a fair trade cuppa.
New endeavors always present a liminally-enriched and -challenged experience (and yes, liminally is a slightly invented word). Liminal is transitional – neither one nor the other, and sort of an eerie feeling and state of being in between. The Wikipedia entry (at least in the version I called up today) is a pretty good coverage of the concept.
I am going to have to double up on the writing to be able to do that project, which is needed and a very good thing, and still keep my sanity while continuing the writing and commentary here.
I have to run. Off to visit my Aunt Maralee who is age 89, and the last person genetically standing in the generation above me, and my cousin Linda who lives with her and takes care of her.
I just wanted to pop in and say, “Hi!” before I check out of the Clarendon Hotel and Spa (that I will write about here or on my Hill Research Site) where I stayed for the Press Publish Conference I attended yesterday.
Press Publish – 21st C. Paper and Pen
Women’s voices need to be heard. Those of us over the first blush of youth, and the second, and maybe even the third… sigh… are the first generation of women who are writing, podcasting, vlogging our history, the first inclusive history ever written about women. About women, for women, by women. I know it has been said before, I have said it before, “We are the first global grandmother’s council.” We are laying down the base layer of a collective thought process that can be used, drawn upon as it is right now with all data being scooped up by everyone. By our daughters, and our sons, if they are interested – as well as corporations and government entities.
This will be world-changing. And there are people out there to help us. As I write this I am in Phoenix, Arizona, at Press Publish. It is a conference for bloggers by the folks at Automattic. I will not get into all the interconnections between this company and the products they offer to make life easier, safer, and to integrate our digital words more effectively and efficiently, but WordPress, Jetpack, Akismet, and Brute Protect are just a few of the tendrils you should let them wrap around you to make your life easier as you write on the web. And no, this is not a “compensated” post. I do not do that. I just want to connect you with some of the best tools out there, so that you can make informed decisions about how you craft your words and stories.
Press Publish is a relatively new conference series, this is the second one. The people at Automattic are friendly, well-informed, and genuinely helpful. It has something to do with open source and the belief that freedom of information is a very good thing. But I am not going to make you head to yawnsville with all that information.
Part of The Women’s Legacy Project is to help get women’s voices out there by sharing tools with you that are free, or at least inexpensive, and relatively straight forward to downright easy to use and that help you get your words, images, and ideas out there.
The world needs us. It needs what we have. Allow others to help you do what you want to do. We are all in this together.
—
Day 16, Letter P, April A to Z Blogging Challenge
#presspublish
Self-hosted Blog cPanel Security Tips
Yesterday I covered some basic security tips for WordPress blogs. Today I am covering some of the very basic things you can do to make your site or blog more secure through cPanel, the control panel through which you set up the basic self-hosting service particulars of your site.
I am not a computer programmer or software specialist, but I tell such folks that I know enough to be dangerous. I do install and maintain much of my own site software. I have been using computers, dare I say it, since the late 1970s. I have learned a few things along the way and offer this information as is in order to familiarize my readers with some of the security problems and solutions that may inform them. But as a caution, if you are not comfortable changing something in your setup, don’t do it. If you do change something, keep a log of exactly what you did. As always, back everything up before you make any changes.
A Host You Can Reach
Your cPanel often has a video tutorial available. Ask your hosting service if such a video is available if you do not know where to access it. Cannot easily get in touch with someone from your hosting company? Get another one. Make sure you have in-person support, live chat, and a support phone number. Having the ability to submit a support ticket is not good enough.
What the Crooks Want
cPanel is essentially a dashboard through which you adjust and install the software components of your website. It is the gateway to the physical server space you rent from a hosting service. Most attackers are after that server space, where they can install their own software to do all sorts of nefarious things: send spam, host malware or phishing pages, and attack other sites from your address.
How They Do It
Those pesky spam comments may be much more than a way to get stupid links on your site. A comment can carry markup or script you cannot see that, if your software does not check its input properly, ends up stored in your database and served to every visitor, or is aimed at a hole in an out-of-date plugin. Don’t have databases? Yes you do. They are created to manage user names, comments, likes, and a host of other information that it takes to have a pretty, shiny website or blog. So you want to secure as many files as possible, and keep the software that reads those comments up to date.
Know Your cPanel
Per the image of the cPanel shown below, there are several parts of the panel that concern different functions of your site. When you log in and go to your cPanel, just click the arrow at the right on your panel to open or minimize the various sections.
Preferences: This is where you access tutorials, like the ones I mentioned above, and your basic access info.
Mail: If you have an email address associated with your website, you may want to enable “SpamAssassin” and configure the options to fit your needs.
Files: There are several things under this section you will want to take advantage of. Backups of your entire site are the best kind of security, and you can create them here. This is also where you can stop strangers from uploading files to, or retrieving files from, your server through anonymous FTP (file transfer protocol). Just disable it. If an attacker finds that door open, they will let themselves in and turn your site into their plaything. Disable Anonymous FTP. And even for your own uploads, remember that plain FTP sends your user name and password across the internet unencrypted; use SFTP, or FTP over TLS, if your host offers it.
Logs: There is nothing here that you can enable, but the raw access logs record the IP address, the time, and the page requested for every visit to your site (people, bots, and attackers alike). If you scan the data, you know who is getting into, or trying to get into, your site; a single address requesting wp-login.php over and over is the classic sign. I recommend looking at these raw logs. Just don’t confuse them with Google Analytics or the like, which only count visitors whose browsers run its tracking script and so miss most bots.
Security: While all of the options available in this section are worthwhile, I don’t recommend that basic users do much more than enable HotLink Protection to preserve their bandwidth. If you don’t do this, people can link to your images and other elements of your website and display your content on their sites while you are actually paying for the bandwidth they use to access and display it. Keep in mind that hotlink protection saves you money rather than keeping anyone out; the IP Deny Manager in this same section is the tool for blocking an address that your logs show hammering your login page.
Domains: Don’t mess with this unless you know what you are doing. It really does not have much to do with basic security.
Databases: Again, don’t mess with these unless you know what you are doing. If your site is ever compromised, the attacker’s content (spam links, hidden redirects, a rogue administrator account) can end up inside these MySQL databases, which is why the advice above about protecting your files matters, but cleaning that up is not a job for a beginner.
Software/Services: Unless you know enough to install your own software, once again I don’t recommend doing much here. This is where most basic bloggy types access Fantastico and install WordPress.
Advanced: Unless you are advanced at cPanel configuration, I do not recommend accessing these functions.
Hope this helps someone. And really, if you don’t do anything else, disable anonymous FTP under the Files section. If someone else takes care of this part of the process of having a blog for you, talk to them about these things.
Is WordPress Security Oxymoronic?
Security again… sigh.
I am trying to figure out how to deny certain IP addresses from visiting (read: hacking) my blog as a bit of preventive security. I spent a couple of hours yesterday cutting and pasting IP addresses from my cPanel stat files into an Excel spreadsheet so I could easily cut and paste individual IP addresses (from .ru and .vt) into the IP Deny Manager under the Security section of cPanel. Easy enough, right?
No, I know. For most people this is total gibberish. And this is just what hackers count on.
WordPress is the most hacked blogging platform on the inter-webs-cyber-grid-o-rama. Why? Because, along with Tumblr, it is the most popular one, and it only makes sense that villains would target the biggest market.
I will eventually move off of WordPress to a more secure platform, but I know that no platform is completely secure. Might I add that this is especially true now that we know that the NSA is building and requiring backdoors into everything. Sigh again.
There are some things you must do right now to secure your WordPress site if you have not done so already.
- Go to Sucuri and scan your site(s).
- Change your passwords to log into your blogging dashboard and your cpanel on your hosting account.
- Install the Akismet plugin. Do this from your blog’s dashboard. It is about half way or so down the left side column. Pay them something, even a couple bucks, even though you can get it for free.
- At the very top of that same left column, click on Dashboard. You will see “Home” and “Updates” and maybe some other things depending on what you have installed on your blog. Click on Updates. You will want to install the latest version of WordPress and the latest version of each and every one of your plugins. But BEFORE you click update, do a backup of your blog. How? Simple.
- Go to that left column again. Under the “Tools” section select “Export.” Save the .xml file on your computer. In doubt about what parts to click to save? Just select them all. Be aware of what this export is: it holds your posts, pages, and comments, not your uploaded images, your theme, your plugins, or your settings, so it will get your words back but not your whole site. For a real safety net, also take a full backup through your hosting cPanel (under Files) before a big update.
- Now you can manually go through and update your version of WordPress and each plugin. Do this immediately any time an update becomes available. You should always have the latest version of any and all software. Yes, you will have to check this a couple of times a week by going to the “Updates” section of your dashboard. (WordPress 3.7 and later installs its own minor security releases in the background, but plugins, themes, and major versions still wait for you.)
There is much more you can do, but that is enough for today. I will cover some other simple things you should be doing to keep you site safe in other posts later this week.
G’luck.
Security Alert for WordPress Users
There has been a massive attack on WordPress sites in the last few weeks, and it continues at this very moment; it continues into May although chatter about it seemed to peak around mid-April. Weak passwords are what a brute force attack exploits directly; out-of-date software and server vulnerabilities give the attackers other doors in, with or without a guessed password.
Brute-Force Attacks
A brute force attack is one in which a bot tries again and again to log in to software on the server, usually your WordPress dashboard, so that it can take over your site and, through it, the server space behind it. It bangs against your login page with one plausible user ID and password combination after another until it gets one right. For WordPress that means a flood of POST requests to wp-login.php (or to xmlrpc.php, which also accepts your password), and you can see exactly that flood in your raw access logs.
These attacks are not focused on any particular “value” of site. Friends have told me, but my site is “low value,” no one would want to hack into my site. The hackers do not care about your site. They only care about access to the servers that host your site. They want to get to the servers to launch attacks, take downs, or commit crimes. The type of site you have makes no difference. If you use WordPress on a self hosted site with your own domain name you are potentially vulnerable.
A good overview of this topic is: http://tonyonsecurity.com/2013/04/25/crazy-april-for-the-wordpress-platform/
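Here is an added example, written for this page and not taken from the original posts, cPanel, or WordPress, that ties together the Logs tip from the cPanel post, the IP Deny Manager chore from the previous post, and the brute force description just above. It reads lines in Apache’s combined format (which is what cPanel’s Raw Access Logs contain), counts the POST requests to wp-login.php and xmlrpc.php that came back with status 200 (WordPress re-shows the login form after a failed attempt and answers a successful one with a 302 redirect), and prints a block of `deny from` lines you can paste into .htaccess. The log lines, the threshold of ten, and the IP addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example; the `<Limit>` block format is assumed to match what the IP Deny Manager writes, so compare it with the .htaccess on your own host.

```python
import re
from collections import Counter

# Apache "combined" log format, which is what cPanel's Raw Access Logs contain.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that accept WordPress credentials and so attract password guessing.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop ?action=... query strings
    return rec


def count_failed_logins(lines):
    """Count, per IP, the POSTs to a login endpoint that WordPress answered with 200.
    A failed wp-login.php POST re-renders the form (200); a successful one redirects (302)."""
    failed = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # truncated or foreign line; skip rather than crash
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200:
            failed[rec["ip"]] += 1
    return failed


def offenders(failed, threshold=10):
    """IPs with at least `threshold` failures, sorted so the output is stable."""
    return sorted(ip for ip, n in failed.items() if n >= threshold)


def htaccess_deny_block(ips):
    """Apache 2.2-style deny rules (assumed to be the style the IP Deny Manager writes).
    Apache 2.4 still honours these via mod_access_compat; the native 2.4 form is
    'Require not ip <address>' inside a <RequireAll> block."""
    lines = ["<Limit GET POST>", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in ips]
    lines += ["allow from all", "</Limit>"]
    return "\n".join(lines) + "\n"


def _log_line(ip, method, path, status, when="25/Apr/2013:10:15:32 +0000"):
    """Build one combined-format line. Constructed sample data, not real traffic."""
    return (f'{ip} - - [{when}] "{method} {path} HTTP/1.1" {status} 1234 '
            f'"-" "Mozilla/5.0"')


# Constructed sample log: one guessing bot, one fumbling reader, one real login.
SAMPLE_LOG = (
    # 192.0.2.10: twelve failed password guesses against wp-login.php
    [_log_line("192.0.2.10", "POST", "/wp-login.php", 200) for _ in range(12)]
    # 198.51.100.7: two failures, which could just be a reader mistyping
    + [_log_line("198.51.100.7", "POST", "/wp-login.php", 200) for _ in range(2)]
    # 203.0.113.5: normal browsing followed by one successful login (302)
    + [_log_line("203.0.113.5", "GET", "/", 200),
       _log_line("203.0.113.5", "GET", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200),
       _log_line("203.0.113.5", "POST", "/wp-login.php", 302)]
    # a line that is not in combined format, to show the parser skips it
    + ["garbage line from a truncated log"]
)


if __name__ == "__main__":
    counts = count_failed_logins(SAMPLE_LOG)
    bad = offenders(counts, threshold=10)
    print(htaccess_deny_block(bad), end="")
```

To use it on your own site, download the raw access log from cPanel, replace SAMPLE_LOG with the file’s lines, and raise or lower the threshold until it catches the bots without catching your own typos; only 192.0.2.10 crosses the line in the sample, so that is the only address in the printed block.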
Insecure User Names and Passwords
One of the ways brute force attacks get in is through user negligence in choosing user names and passwords, both for WordPress and for control panel access. If your user name is “admin” or your password is “abcd1234,” your account can be broken into in no time flat; “admin” is the first user name every attack bot tries. If you have not changed your password in a few months, or your user name is admin, go change your WordPress password RIGHT NOW. WordPress will not let you rename a user from the profile screen, so to get rid of admin, create a new administrator account with a name of your own choosing, log in as that user, and delete the old admin account, choosing to attribute its posts to the new user when asked. Your password should use upper and lowercase letters, numbers, and allowed special characters and be at least 8 characters long; longer is better, and a passphrase of several unrelated words is easier to remember than 8 characters of gibberish and harder to guess.
For further information about the need for good passwords, read: http://www.wphub.com/botnet-attacks-show-need-for-strong-passwords/
Out-of-Date Software
Software updates are most often minor bug fixes that address little bits of code that can turn into major holes in, and tunnels through, your WordPress platform to the server which hosts your site. You should always be running the most current release of WordPress. To make sure you are doing so, go to your Dashboard and, when you hover or click (that depends on what type of computer or mobile device you are on), you will see two tabs, the Home tab and the Updates tab. Select Updates. You should then see something like the image I have clipped and framed below. If you see something other than “you have the latest version of WordPress,” you need to make sure you have a backup of your website, however you do that, and then install the latest software.
Do the same thing for the plugins that you use by going down the Dashboard, toward the middle of the column, where you will find Plugins; when you click or hover you will find Installed Plugins as a choice among three options. Select it.
You will find a similar option to the one you had with the version of WordPress. It could tell you that your plugins are up to date, or that you have version such and such and that version such and such is available. Again, make sure your site is backed up and then install the update or updates.
Old Files on Your Servers
Another common way for a hacker to gain access to your site and resources is by hacking into “inactive sites” that you may have played around with as a test site, or a domain you purchased, were thinking about using, or created for a friend. These could be distinct sites or add-on components such as forums or galleries that you did not merge into a final site.
If you have files, directories or sites such as this on your server, the odds are that you have not kept the code for these sites and bits of sites up to date from any WordPress or plug-in updates. Any vulnerabilities in old versions of code may still be there presenting wide open doors and windows for hackers. A good hosting service will shut down any site that shows signs of being hacked. Not all hosting services are good.
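An added example for the old-files problem, written for this page and not taken from the original post or from any hosting tool: a small Python script that walks a directory the way you would walk a copy of your hosting account (downloaded through cPanel’s File Manager or over SFTP), finds every wp-includes/version.php, reads the $wp_version it declares, and lists the copies that are behind the release you name. The directory layout it scans, the version numbers in it, and the CURRENT_VERSION it compares against are all made up for the demonstration; point find_wordpress_installs at your own files and put the number from wordpress.org in CURRENT_VERSION.

```python
import os
import re
import tempfile
from pathlib import Path

# Placeholder for the current release; check wordpress.org for today's number.
CURRENT_VERSION = "3.9.1"

# Matches the line in wp-includes/version.php that declares the install's version.
VERSION_RE = re.compile(r"""^\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)


def find_wordpress_installs(root):
    """Walk root and return {install_dir: version} for every wp-includes/version.php."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            text = Path(dirpath, "version.php").read_text(errors="replace")
            m = VERSION_RE.search(text)
            # An install whose version cannot be read is recorded as "unknown",
            # which sorts as older than everything and so gets flagged.
            found[os.path.dirname(dirpath)] = m.group(1) if m else "unknown"
    return found


def version_key(version):
    """Turn '3.5.1' into (3, 5, 1) so versions compare numerically, not as strings."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def stale_installs(found, current=CURRENT_VERSION):
    """The subset of found whose version is older than current."""
    return {d: v for d, v in found.items() if version_key(v) < version_key(current)}


def build_sample_tree(base):
    """Constructed layout: a live blog, a forgotten test blog, a site built for a
    friend, and a gallery that is not WordPress at all. Not a real hosting account."""
    layout = {
        "public_html": "3.9.1",
        "public_html/old/testblog": "3.5.1",
        "public_html/friendsite": "3.4.2",
    }
    for rel, ver in layout.items():
        inc = Path(base, rel, "wp-includes")
        inc.mkdir(parents=True, exist_ok=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n$wp_db_version = 0;\n")
    gallery = Path(base, "public_html", "gallery")
    gallery.mkdir(parents=True, exist_ok=True)
    (gallery / "index.html").write_text("<html></html>\n")
    return base


def scan_sample(current=CURRENT_VERSION):
    """Build the sample tree in a scratch directory, scan it, and return
    (all installs, stale installs) keyed by path relative to the account root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_wordpress_installs(tmp)
        relative = {os.path.relpath(d, tmp).replace(os.sep, "/"): v for d, v in found.items()}
        return relative, stale_installs(relative, current)


if __name__ == "__main__":
    installs, stale = scan_sample()
    for path, ver in sorted(installs.items()):
        flag = "UPDATE OR REMOVE" if path in stale else "ok"
        print(f"{path}: {ver} ({flag})")
```

Anything the script flags is either an install to bring up to date or, for the test blogs and half-finished projects described above, one to delete outright; a copy you are not using cannot be kept patched, so removing it is the safer choice.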
What’s A Blogger To Do?
You can mitigate most of your risk very simply.
- The great majority of sites that have fallen victim to the current attacks were almost certainly running out-of-date software somewhere on their hosting accounts, or had woefully inadequate user names and passwords. So if you take care of these two problems, you will be far ahead of most other bloggers using WordPress.
- Talk to your tech person about old versions of anything that might be in your files on the hosting server and make sure that is not the case.
- Make sure your user name has been personalized by you. Do not use or allow user names such as admin or user.
- Then make sure your password is at least 8 characters long (longer is better) and uses upper and lower case letters, numbers, and punctuation characters.
- If any of your accounts are compromised, change all your passwords.
- Build an update check into your weekly routine. Once a week go to your dashboard and make sure all your WordPress software, themes, and plug-ins are up-to-date.
Luck seems to happen to those who are most prepared. Adopt a scout motto and prepare yourself with these relatively painless steps. You will increase your chance of getting lucky and remaining hack free.