Wordpress Blog Security

It is a terrible feeling the day you realize that your Wordpress blog has been compromised.  When you've been hacked, it is like getting punched in the stomach.  You've always heard how important it is to keep your site secure, but you never really paid attention.

Boom, you just learned the hard way.

Whether you know it or not, your site is constantly under attack.  Automated crawlers, bots and scripts are probing it for known-vulnerable core and plugin versions, exposed login pages and weak passwords.  It might be happening right this second, and you'd never even know it until it is too late.

Here are some tips to keep your site secure.

Updates, updates, updates.

There's a reason that you see that band across the top of your Wordpress dashboard screaming at you to update.  Don't ignore it!  Many core releases, and most minor point releases, ship security fixes alongside everything else.  The same goes for plugins and themes: an outdated plugin is just as much of a way in as an outdated core.  When a security flaw is discovered in Wordpress, the community is quick to fix it and push a new release, but the fix only protects you once you have installed it.

Change your password regularly.

Yes, I agree.  Updating your passwords is a massive pain.  Keeping track of them all is ridiculously hard.  Unfortunately, it just needs to be done.  Two things matter more than the schedule, though: every one of the passwords below should be unique to that account (a password reused from a site that gets breached is as good as leaked), and any password you suspect has leaked should be changed immediately, not at the next scheduled rotation.  Turn on two-factor authentication wherever it is offered.  And you need to go deeper than just your Wordpress dashboard password.  You should also change:

  • Email Password.  Remember, if I can get into your email, all I need to do is use the Wordpress "Forgot my password" feature, which mails the reset link to that very mailbox, to get into your blog.
  • Hosting Account Password.  Why hack into your Wordpress account when I can just get right into your host's control panel, where I can read wp-config.php and the database credentials inside it?
  • Server Passwords.  If you are running your own server, there are database and FTP passwords that need to be updated too.  While you are at it, replace plain FTP with SFTP: FTP sends the password over the network in clear text.

Take this stuff seriously.  Just look how bad it ended up for LinkedIn, whose 2012 breach put millions of users' password hashes in attackers' hands.

Use a password manager to generate and store a different strong password for each account.  A password generator on its own helps, but only if you never reuse what it gives you.

Take the Offensive.

Be proactive and install some security enhancing plugins.  Here are a few we recommend.

Wordpress Backups.

This one isn't really a preventive measure.  It is there so you can recover quickly.  You need a daily backup of the whole site: the database (posts, users, settings) and the files (wp-config.php, themes, plugins, uploads), because a restore needs both.  If the worst happens, you will then be able to roll back to a relatively recent version of your site without major losses.

There are third-party vendors that will handle the work for you for a small fee.  Many hosting providers do this automatically, but do not assume.  Find out how long they keep backups, whether those backups live on the same server as the site, and try a restore once so you know it works before you need it.
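As an added example, not code from the original post or from any vendor it mentions, here is a small POSIX shell script for the daily whole-site backup described above: database dump plus file archive, a checksum manifest that is verified before anything older is pruned. The directory layout, the MySQL option file and the environment variable names are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-driven WordPress
# backup that keeps the database and the files together, writes a checksum
# manifest, verifies it, and only then prunes old backup sets.
#
# Assumed layout (all of this is an assumption, adjust for your host):
#   WP_ROOT      directory holding wp-config.php and wp-content/
#   BACKUP_DIR   where backup sets are written, one directory per run
#   MYSQL_CNF    a MySQL option file holding user/password, so the DB
#                password never appears on the command line or in `ps`
#   DB_NAME      the WordPress database name
#   WP_DUMP_CMD  optional override of the dump command (lets the function
#                be exercised without a MySQL server)

# sha256sum on Linux, shasum on macOS/BSD; both print "hash  path".
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# verify_backup <set_dir>: re-check the manifest and that both archives read back.
verify_backup() {
  (cd "$1" && _sha256 -c SHA256SUMS >/dev/null) || return 1
  tar -tzf "$1/files.tar.gz" >/dev/null || return 1
  gzip -t "$1/db.sql.gz" || return 1
}

# backup_wordpress <wp_root> <backup_dir> [keep_days]
# Prints the path of the new backup set on success, returns non-zero on failure.
backup_wordpress() {
  wp_root="$1"; backup_dir="$2"; keep_days="${3:-14}"
  set_dir="$backup_dir/$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$set_dir" || return 1

  # 1. Database: a consistent dump, compressed. Dump to a file first so a
  #    failing mysqldump is noticed (a pipeline would only report gzip's status).
  dump_cmd="${WP_DUMP_CMD:-mysqldump --defaults-extra-file=$MYSQL_CNF --single-transaction --quick $DB_NAME}"
  sh -c "$dump_cmd" > "$set_dir/db.sql" || { rm -rf "$set_dir"; return 1; }
  gzip -f "$set_dir/db.sql" || return 1

  # 2. Files: the whole install, including wp-config.php (DB credentials and
  #    salts) and wp-content (themes, plugins, uploads).
  tar -czf "$set_dir/files.tar.gz" -C "$wp_root" . || return 1

  # 3. Checksums, so a truncated or silently corrupted copy is caught now
  #    rather than discovered during the restore.
  (cd "$set_dir" && _sha256 db.sql.gz files.tar.gz > SHA256SUMS) || return 1
  verify_backup "$set_dir" || return 1

  # 4. Retention: prune old sets only after the new one verified, so a
  #    failed run can never leave you with fewer good backups than before.
  find "$backup_dir" -mindepth 1 -maxdepth 1 -type d -mtime +"$keep_days" \
       -exec rm -rf {} +
  printf '%s\n' "$set_dir"
}

# Run from cron, e.g.  0 3 * * * /usr/local/bin/wp-backup.sh --run
if [ "${1:-}" = "--run" ]; then
  : "${WP_ROOT:?}" "${BACKUP_DIR:?}" "${MYSQL_CNF:?}" "${DB_NAME:?}"
  backup_wordpress "$WP_ROOT" "$BACKUP_DIR" "${KEEP_DAYS:-14}"
fi
```

Point BACKUP_DIR at storage that is not the web server itself (another host, object storage, or at the very least a different disk): a backup that lives on the machine that just got wiped is not a backup. Test a restore once before you need it, by extracting files.tar.gz into an empty directory and loading db.sql.gz into a scratch database.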

Wordpress Backups: What's your disaster plan?

What is your backup plan for your Wordpress site? You do have one, right? Anyone that has experienced a personal computer crashing or a web server disaster will tell you the same thing...they wish they had been better about backing up their files.

I don't care how often you think you will end up backing your systems up, it is never enough if you are doing it manually. Take it from someone who has gone down that road before.

I used to tell myself that I would be regular about backing up both my Mac and my websites. How hard could it be? All that has to be done is setting aside a few minutes on a regular basis to save some files to secondary storage. Not hard at all. It always seems to work for the first few days or weeks too.

Inevitably, daily backups become weekly. Then weekly become monthly. Then monthly becomes never.

Then disaster strikes.

Your site gets hacked. An error occurs in your code. Your database becomes corrupted.


Luckily for Wordpress-based sites, there is now a dead simple, bulletproof solution. Introducing VaultPress by Automattic.

The whiz kids behind Wordpress.com, Gravatar, Akismet, etc. have created a service that automatically backs up your entire Wordpress site, including database and static files, without any manual intervention.

You simply install the VaultPress plugin into your site and never touch it again. From that point forward, VaultPress saves a copy of every file on your site and every database entry onto the Wordpress.com enterprise infrastructure.

Within seconds of making a new post or template change, a backup copy is saved to VaultPress.

Multiple times a day, the system makes entire backups of your site.

If the unthinkable should ever happen to you, there is a full site backup sitting for you just waiting to be restored. Crisis averted.

There is also an additional service that checks your site for dangerous or malicious code. You are alerted to its presence right away. There is even a function that pushes instant updates to your core files when new security fixes are released.

The $15 per month cost is NOTHING compared to losing years of work.

VaultPress is still in private beta, but you can sign up for an invite.

UPDATE: VaultPress is open to everyone now!

Attack "Local" for your Blog

Being as "Local" as you can with your blogging will yield big dividends.  By local, I mean incorporating as much geo-specific content as possible. First of all, you can see that the local game is hot right now.  Sites like Yelp are cashing in on these opportunities.  Even Google has continued to drive their local search focus.  Local is starting to spread across multiple products within Google, including:

  • Local Search
  • Google Maps
  • Google Directory
  • Adsense
  • Adwords
  • Google Voice
  • Goog411

All of these products rely on the thirst for local content and information.  Sites like Yelp are cashing in on the local directory and review market where users generate local content about everything from restaurants to dry cleaners.

How to cash in on "local" with your blog?

Try to incorporate a local element with every post you write.  It does not have to be local to you, but local to the post.

For example, right now I am posting about the importance of localizing content.  For this post, a great example of what I am talking about would be a blog called Hoboken411.  This site is all about the city of Hoboken, NJ, right outside New York City.  By mentioning how great this local site is and talking about their content in a local sense, I will increase my odds of someone finding this post when Hoboken is typed into the search query.

Ok, maybe not the best example.  Here's a few more.

Running blog. When you review that new pair of Nike running shoes for your blog, you should consider talking about the stores, cities, addresses, and websites of the stores that are going to get the first shipments of these hot shoes.  (A great example)

Reality TV blog. When you're giving the play by play review of last night's episode of The Apprentice, you should try to find out the name and address of the diner that the episode was shot.  Or the corner that they setup their street cart.  Or really any major landmark/scene from the episode.  There will be a lot of people out there that want to find out the name of the place.  They may be able to figure out that it was New York, but they won't know much more than that.  If your post answers the "where" question, you will rank well for that search term.

Baseball blog. Let's say that you write a blog about the New York Mets.  Each time the team hits the road, you could incorporate a post about the most "Mets Friendly" bar in that town to watch the game.  You'd be surprised how many displaced fans are spread all over the country looking for places to watch their favorite out-of-state teams. Here's a good example of what I mean.  Here is where you can see Yelp cashing in on this idea.

In most cases, you should be able to come up with a local angle for your post.

For anyone looking to start a new blog, starting as a local blog is the place to go.  Most small or even mid-sized towns/cities are in desperate need for good local content.  You could dominate the niche by turning out great content focused on that local audience.

It is much easier to start local and attempt to expand than it is to start with a national focus.  There are a lot more players in the national game right now.  Local is the place to be!

Should I Blog Anonymously?

It depends.  No.  If you are writing a blog for your business or with a journalistic style, then generally: NO.  Go ahead and put your name on there and take the credit you deserve.  Since you're writing this blog to build your business and attract new customers, you want to tell everyone under the sun.


Yes.  Do not put your real name on anything!  If you don't fit the profile above, it is probably better to leave your name off the blog.  No one really needs to know who you really are.  In the long term, your life will end up easier.

Also, don't tell anyone you know about your blog including friends, family, co-workers, clients, employers, etc.  The nice thing about a blog is the ability to speak your mind freely.  If all of a sudden, your mom and your boss start reading your blog, you might run into some issues.

They might get pissed at you over something you wrote, or you are naturally going to hold back because you know they are watching.

You also would have to keep your politics to yourself if your name were out in the open.  If you ever go out to get a new job, and your blog pops up in a background search (and it surely will), your political views might go against your proposed employer's.

So if you are going to blog, just keep it under wraps when it comes to your personal life.  Everything will work out much better this way in the long run.  And you'll enjoy the complete freedom to publish anything you want without fear of personal retribution.

Know What You're Doing When You Upgrade

If you knew how to install Wordpress all on your own, you're above average.  If you figured out how to upgrade to the latest version (up to 2.3.3 now), you're probably better than most when it comes to your technical skills.  Long story short, most Wordpress users don't upgrade their installations once they are up and running.  Basically, they think that if everything is working ok, what's the point?

Well, everything is working ok for now.

Eventually, your site can and will be hacked.  I can't tell you how many new clients I've "earned" because they needed someone to restore their messed up Wordpress install that had been hacked.

Think about it: as soon as a vulnerability has been found and Wordpress releases a new version, the entire world is alerted to the security hole, and the release notes and the code changes tell an attacker exactly what to look for.  Meanwhile your blog advertises its version number in the HTML it generates, so an outdated install can be found by a scanner in bulk.  So how long do you think it will be before your blog is discovered with that big, gaping hole?

One of the things you need to be aware of when upgrading is the need to do a complete upgrade.  You really should re-upload a fresh copy of every core file, not just the ones that changed.  That also replaces any core file an intruder has quietly modified and gives you a chance to notice files that shouldn't be there at all.  Keep your wp-config.php and your wp-content directory, since those hold your configuration, themes, plugins and uploads.

As ShoeMoney points out, not only is it a good idea to install fresh system files, but you should also change your system password.  You never know who might already have hacked your blog.  If they've got the password, it won't matter how often you upgrade.  While you are in there, look through the user list for administrator accounts you didn't create, and through wp-content/plugins for plugins you never installed.
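The "fresh copy of every file" advice above has a natural companion check that the original post does not give: record what a known-good install looks like, then compare the live one against that record so modified, added and missing core files show up by name. The script below is an added example written for this page, not WordPress's own tooling. It assumes the reference tree is a freshly downloaded release of the same version and that core file paths contain no spaces (true for WordPress releases); wp-content/ and wp-config.php are site-specific and deliberately skipped.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress itself):
# hash every core file of a known-good install into a manifest, then check
# a live install against it. Anything MODIFIED, ADDED or MISSING under the
# core directories is either an upgrade you forgot about or something an
# intruder left behind. Assumes core paths contain no spaces.

# sha256sum on Linux, shasum on macOS/BSD; both print "hash  path".
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Core files of an install as sorted "./relative/path" lines. wp-content/
# (themes, plugins, uploads) and wp-config.php are site-specific, so skipped.
_core_files() {
  (cd "$1" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' -print | LC_ALL=C sort)
}

# make_manifest <dir>: one "hash  ./path" line per core file, on stdout.
# Build it from a freshly downloaded release, never from a tree that may
# already be compromised, or the manifest simply blesses the backdoor.
make_manifest() {
  (cd "$1" && _core_files . | while read -r f; do _sha256 "$f"; done)
}

# check_manifest <dir> <manifest>: prints findings, returns 1 if there are any.
check_manifest() {
  dir="$1"; manifest="$2"
  a=$(mktemp) || return 1
  b=$(mktemp) || return 1
  findings=$(
    # Re-hash every recorded file; report ones that changed or vanished.
    while read -r hash path; do
      if [ ! -f "$dir/$path" ]; then
        echo "MISSING $path"
      elif [ "$( (cd "$dir" && _sha256 "$path") | cut -d' ' -f1)" != "$hash" ]; then
        echo "MODIFIED $path"
      fi
    done < "$manifest"
    # Files present now but absent from the manifest: the usual spot for a
    # dropped file (wp-admin/, wp-includes/, the web root itself).
    awk '{print $2}' "$manifest" | LC_ALL=C sort > "$a"
    _core_files "$dir" > "$b"
    comm -13 "$a" "$b" | sed 's/^/ADDED /'
  )
  rm -f "$a" "$b"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
```

Keep the manifest somewhere the web server cannot write to, and regenerate it from the new release each time you upgrade. If you have shell access and WP-CLI, `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes for each release and is the more convenient tool; the script shows what such a check consists of and also works for a tree you have staged yourself.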