How much is a blog instance worth?

I wrote in the post Do you really know who’s visiting your website? about how often hackers probe my websites.

As of today, IT Security News shows this:

  • 5,914 blocked malicious login attempts (was 2,092 on May 8th)
  • 2,182 spam comments blocked by Akismet (was 2,115 on May 8th)

The login attempts more than doubled in just 5 weeks. Of course, they are all automated attacks, so we can’t really speak of an effort on anyone’s side.


Why?

If a hacker “owns” a website, he is able to do a few things:

  1. Change content and possibly deliver malware to your readers

  2. Host individual “sub-pages” or “sub-websites” in your blog and reference them from email campaigns or spam posts.

  3. Send mail from your blog to just anyone; the worst case is when it sends to your subscribers.

All of these are very bad, as they ruin your website’s reputation and drive your visitors away. They can happen all together or in any combination.


What can you do?

It turns out that you can do quite a lot of things:

  1. don’t use the default admin account (WordPress: admin)

  2. set a hard to guess password

  3. keep your blog and its extensions/plugins up to date

  4. don’t install just any plugin you find in your productive blog

  5. update your themes, as they are very often vulnerable to XSS and other web vulnerabilities

  6. if you run WordPress, install a plugin that implements an application firewall. It filters these login attempts, blocks IPs and a lot more.
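As an added example (not code from the original post, and not any particular plugin's code), here is the core of what item 6 describes, a login-attempt filter: count POSTs to wp-login.php per client IP over a sliding time window and decide which IPs to block. The log format (Apache/Nginx "combined"), the threshold of 5 attempts per 10 minutes, the rule that a POST answered with a 302 redirect is a successful login and anything else is a failed attempt, and the sample addresses and log lines are all assumptions constructed for the example.

```python
"""Minimal WordPress login-attempt filter (added example, not plugin code).

Reads access-log lines, counts failed POSTs to /wp-login.php per IP in a
sliding window and reports IPs that exceed the threshold. Thresholds, log
format and sample data are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "combined" access-log format; only the fields the filter needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Policy (assumed values): more than MAX_ATTEMPTS failed login POSTs from one
# IP within WINDOW gets that IP blocked.
MAX_ATTEMPTS = 5
WINDOW = timedelta(minutes=10)
LOGIN_PATH = "/wp-login.php"
SUCCESS_STATUS = 302  # assumption: a successful login redirects to wp-admin


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_brute_force_ips(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Sliding-window count of failed login POSTs per IP.

    Returns {ip: timestamp_at_which_the_threshold_was_first_exceeded}.
    Lines are expected in chronological order, as in a real access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failed attempts inside the window
    blocked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, never crash the filter
        ip, ts, method, path, status = rec
        # Only POSTs to the login endpoint count; a GET is just a page view.
        if method != "POST" or path.split("?")[0] != LOGIN_PATH:
            continue
        if status == SUCCESS_STATUS:
            continue  # successful login, not an attack attempt
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # age out attempts older than the window
        if len(q) > max_attempts and ip not in blocked:
            blocked[ip] = ts
    return blocked


def _line(ip, when, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed combined-format log line for the sample data."""
    return f'{ip} - - [{when}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    _line("192.0.2.9", "12/Jun/2015:09:45:00 +0000"),                 # early attempt, ages out
    _line("198.51.100.20", "12/Jun/2015:10:00:01 +0000", "GET"),      # login page view
    _line("198.51.100.20", "12/Jun/2015:10:00:09 +0000", status=302), # successful login
    "this line is not in combined log format",                        # exercises the skip path
] + [
    _line("203.0.113.7", f"12/Jun/2015:10:01:{10 * i:02d} +0000") for i in range(6)  # 6 in 50 s
] + [
    _line("192.0.2.9", "12/Jun/2015:10:02:00 +0000"),
    _line("192.0.2.9", "12/Jun/2015:10:03:00 +0000"),
    _line("192.0.2.9", "12/Jun/2015:10:04:00 +0000"),                 # only 3 inside the window
]

if __name__ == "__main__":
    for ip, when in find_brute_force_ips(SAMPLE_LOG).items():
        print(f"block {ip} (threshold exceeded at {when.isoformat()})")
```

Run as a script it reports only 203.0.113.7: the legitimate user logged in once, and 192.0.2.9 never has more than three attempts inside any 10-minute window because its first attempt is aged out. A real firewall plugin additionally has to decide how long a block lasts and how an administrator unblocks themselves, which is exactly where the plugins described below failed for the author.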

However, I have to be frank here: all plugins I tried failed miserably after a few weeks of working well, and I lost access to my own website. The solution is always the same: erase the plugin files via FTP or restore WordPress from backup. Not nice, but I don’t know any other solution. Maybe I just had bad luck, but I tried three and all failed. This is actually why I list this option last.


Conclusion

You can block malicious login attempts with little effort and almost zero maintenance.

Here are more tips on how to harden WordPress. More or less the same applies to other blogging platforms.


This blog post appeared initially in ITSecurity.co.uk


© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Visit http://de.itsecuritynews.info for IT security news in German

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000 and worked from 2003 to 2014 for Avira as Product Manager for well-known products used by over 100 million users worldwide. Today he is an independent IT security consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.
