Secure your website

By Timothy Bowes with 2 reader notes

One of my favourite weblogs was hacked recently and its author lost all of her content. I commend her for putting a positive spin on the matter — I have often said that computer problems are usually a blessing in disguise, for some of my greatest mistakes have been aborted by my computer timing out (you Mac users are deprived of such blessings, I gather) — but though her philosophy is more succinct than mine, I don’t doubt that she must be feeling some sense of loss. The periods of reflection that follow those puritanical moments that have caused me to delete whole chapters over the years have taught me that much.

Her experiences follow on from that of a wedding photographer, whose website I chanced upon recently. He seems to have bought a hosting package aimed specifically at photographers that includes a Flash portfolio and a WordPress weblog. Recently he lost all of the posts on his weblog and his hosting company has been unable to restore a backup (presumably because there wasn’t one). This is rather poor given that he is paying for a service, but at the end of the day, responsibility for our websites ultimately lies with us.

I should really have pulled this post together when I first came across the latter’s case, and that may have prevented what happened in the past few days to a wonderful website we now find ourselves without.

What follows is aimed specifically at webmasters and bloggers running self-hosted websites using the open-source CMS, WordPress, but I am sure there are general principles here that can benefit others. If you have a self-hosted weblog or website, there are two things that really should be your priority: beefing up your security and having some sort of backup process in place.

WordPress appeals to many of us because as an open-source application it is free for us to use. Unfortunately it appeals to hackers too, for similar reasons – not only are the ins and outs of WordPress documented extensively and available to anyone for free, the code is also freely available, enabling malicious users to comb through it in search of exploits. In my experience, the WordPress developers are very good at fixing bugs as soon as they appear and pushing out software updates, but the nature of this open system means that we have to keep up too.

Here are some of the basic things I would suggest you do to beef up your security:

  • When you’re installing WordPress the first time, change the table prefix for the database to something other than wp_; this is changed in the wp-config.php file. This can help disguise the fact you’re using WordPress from hackers. If you already have an installation in place, you may be able to change it using the WP Security Scan plugin, but you’ll need to know what you’re doing.
  • Change the default administration account for WordPress to something other than Admin: log in with the original admin username, create a new user with a unique username, give it administrator privileges, then log out of Admin, log back in with your new username and delete the Admin user (transferring ownership of all your posts to the new user – you should make a backup first!).
  • Install the WP Security Scan plugin, run it and follow the instructions to fix key security issues. You can deactivate the plugin afterwards.
  • Always ensure you are using the latest version of WordPress. This will help you avoid the identified exploits found in earlier versions. I use a plugin called WordPress Automatic upgrade to stay up-to-date, as it guides you through the process in a few easy steps, backing up your files and database before making its changes. I understand that the next major release (2.7) will have this functionality built in; until then, you can download it from the WordPress plugin repository.
  • Only download plugins from sites you trust to avoid unwittingly giving a malicious person access to your site. For me, that basically means the official WordPress plugin repository. Also keep your plugins up-to-date; I use the One Click Plugin Updater.
  • Consider changing your login path with a plugin like Stealth Login. Otherwise, password protect the admin folder on your server if you can. Logging in twice doesn’t bother me to be honest, though I appreciate it might irritate some users. Others suggest limiting the IP addresses that can access login to your own, but I’m not sure how practical that is.
  • Consider using a plugin like Sabre to counter spam registration on your blog.
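Three of the points in the list above (the table prefix, protecting the admin folder, and keeping wp-config.php private) can be checked from the server without logging in to WordPress at all. The script below is an added example, not code from the original post or from WordPress: it assumes the standard WordPress layout (wp-config.php, wp-admin/ and wp-includes/version.php under the site root), assumes an Apache server for the .htaccess check, and the message wording is my own. It never modifies anything; its exit status is the number of findings, so it can be run from cron and made to alert on non-zero.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of a
# self-hosted WordPress directory. Assumptions: standard WordPress layout,
# Apache (.htaccess) in front of wp-admin/. Exit status = number of findings.
# Usage: sh wp_audit.sh /path/to/wordpress

wp_audit() {
    wp_root=$1
    cfg="$wp_root/wp-config.php"
    findings=0

    if [ ! -f "$cfg" ]; then
        echo "ERROR: $cfg not found" >&2
        return 99
    fi

    # 1. Default table prefix. Only the uncommented assignment line matches.
    if grep -q "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "WARN: table_prefix is the default 'wp_' (set it before installing, or rename the tables with a migration tool)"
        findings=$((findings + 1))
    else
        echo "OK:   table_prefix is not the default"
    fi

    # 2. wp-config.php holds the database password. Columns 5 and 8 of
    #    'ls -l' are the group and world read bits; neither should be set
    #    unless the web server needs group access to the file.
    perms=$(ls -l "$cfg" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*)
            echo "WARN: $cfg is readable by group/others ($perms); restrict it, e.g. chmod 600"
            findings=$((findings + 1)) ;;
        *)
            echo "OK:   $cfg permissions are $perms" ;;
    esac

    # 3. The 'second login' the post mentions: HTTP authentication on wp-admin/.
    if grep -qi "^[[:space:]]*AuthType" "$wp_root/wp-admin/.htaccess" 2>/dev/null; then
        echo "OK:   wp-admin/ has HTTP authentication in .htaccess"
    else
        echo "WARN: wp-admin/ has no .htaccess requiring HTTP authentication"
        findings=$((findings + 1))
    fi

    # Installed version, to compare against the current release by hand.
    ver=$(sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
              "$wp_root/wp-includes/version.php" 2>/dev/null || true)
    echo "INFO: WordPress version ${ver:-unknown} installed; check it against the latest release"

    return "$findings"
}

if [ $# -eq 1 ]; then
    wp_audit "$1"
fi
```

The permission check only looks at read bits; ownership (the file should belong to an account other than the one the web server runs as, where your host allows it) and the admin user rename from the list still have to be checked by hand or in the database.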

There are a few other fixes that I still need to implement myself, which are explained in the following articles. Please read through them and try to implement these suggestions as well:

And if you’re not convinced that all of this is really necessary, have yourself a read of these articles before you log off your computer today:

As far as backing up is concerned, I have to say that I am no expert, but you clearly need to have something in place. There are a couple of options available within WordPress that are very easy to use, so really there is no excuse for losing anything.

First of all, you have the ability to export all of your posts as an XML file from within the core of WordPress, which you can re-import should everything go pear-shaped. Go to your Manage tab and then select Export. Simple.

Next, there are plugins you can use to back up all the content from the WordPress database, such as WP-DB-Backup and WordPress Automatic upgrade.

Either way, just remember to do it regularly if you post a lot; put it in your diary. If you’re an infrequent publisher like me, backups could probably be less frequent. If you post several times a day, however, I guess you ought to look at the backup tools on your webserver.
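For those who post several times a day and want something on the web server itself, as the paragraph above suggests, here is an added example of a backup script (not code from the original post, WordPress or any of the plugins named). It reads the database settings from wp-config.php, dumps the database with mysqldump, archives wp-content/ (themes, plugins and uploads, which the XML export does not include) and keeps only the newest N copies of each. Paths, the retention count, the sample site and the function names are assumptions; it also assumes DB_HOST is a plain hostname without a port.

```shell
#!/bin/sh
# Added example (not from the original post): WordPress database + files
# backup. Assumes standard layout, mysqldump on the PATH and DB_HOST without
# a port. Run from cron and copy the backup directory off the server.
# Usage: sh wp_backup.sh /path/to/wordpress /path/to/backups [keep]

# Print the value of define('NAME', 'value') from wp-config.php.
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Delete all but the newest $3 files in $1 whose names start with $2.
# Names carry a sortable timestamp, so lexical order is chronological.
prune_old() {
    dir=$1; prefix=$2; keep=$3
    total=$(ls -1 "$dir" | grep "^$prefix" | wc -l)
    total=$((total + 0))
    [ "$total" -gt "$keep" ] || return 0
    ls -1 "$dir" | grep "^$prefix" | sort | head -n $((total - keep)) | while read -r f; do
        rm -f "$dir/$f"
    done
}

wp_backup() {
    wp_root=$1; dest=$2; keep=${3:-7}
    cfg="$wp_root/wp-config.php"
    [ -f "$cfg" ] || { echo "ERROR: $cfg not found" >&2; return 2; }
    mkdir -p "$dest"
    chmod 700 "$dest"          # dumps contain every post, comment and user hash
    stamp=$(date +%Y%m%d-%H%M%S)

    db_name=$(wp_define "$cfg" DB_NAME)
    db_user=$(wp_define "$cfg" DB_USER)
    db_pass=$(wp_define "$cfg" DB_PASSWORD)
    db_host=$(wp_define "$cfg" DB_HOST)

    # Never put the password on the mysqldump command line: every user on a
    # shared server can read it via ps. Pass it in a mode-600 option file.
    creds=$(mktemp) || return 1
    chmod 600 "$creds"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$db_user" "$db_pass" "${db_host:-localhost}" > "$creds"
    dump="$dest/db-$stamp.sql"
    if mysqldump --defaults-extra-file="$creds" --single-transaction "$db_name" > "$dump"; then
        gzip -f "$dump"
    else
        echo "ERROR: mysqldump failed; removing partial dump" >&2
        rm -f "$dump" "$creds"
        return 1
    fi
    rm -f "$creds"

    # Themes, plugins and uploads live under wp-content/. wp-config.php is
    # left out on purpose; copy it separately with the same care as the dump.
    tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$wp_root" wp-content || return 1

    prune_old "$dest" "db-" "$keep"
    prune_old "$dest" "wp-content-" "$keep"
    echo "backup written: $dest/db-$stamp.sql.gz and $dest/wp-content-$stamp.tar.gz"
}

if [ $# -ge 2 ]; then
    wp_backup "$@"
fi
```

A backup that sits next to the site it protects is only half a backup: if the account is compromised or the host loses the disk, the dumps go with it, so the last step of the cron job should copy the newest files somewhere else. Restore drills matter too; a dump nobody has ever re-imported is a hope, not a backup.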

No doubt fans of Movable Type will be along shortly to argue that their blogging platform has the best security track record of any of the popular options – which is undoubtedly true – but I think this post is still necessary. The majority of the weblogs I read on a regular basis use WordPress, and the last thing I want is to lose another one of them to hackers.

A few months ago I noticed that the content of another of my favourite weblogs was being duplicated on a spam website – I noticed because an incoming link showed up in my site statistics – and so I let its author know. I’m not sure if there was anything she could do about it, as it may have simply been pulled from the newsfeed, and I’m afraid I had nothing to offer with regard to dealing with it. In the case of protecting against hackers and the importance of making backups, however, I think maybe there is a little that I can contribute. Hence this post.

So all in all, this is a modest plea to my respected companions: before disaster strikes, take a few steps to protect your website so I can carry on reading what you have to say to my heart’s content.

This article was posted on Monday, 1st December 2008 at 9:30 pm and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can add a note to this post, or trackback from your own website.

Reader notes (2)

  1. as Salamu ‘alaykum

    Jazaka Allahu khairan brother Tim. I’m grateful for what happened but I will be taking even more precautions this time insha’Allah. Thank you so much for your support sidi.

    — noted by Umm Layth 8:16 pm on 2nd December, 2008 .

  2. interesting stuff!

    — noted by Shaarangapanaye 12:39 am on 7th August, 2009 .
