Website Security: Security Checklist For Bloggers

Check LIst

Photo: tomasfitnesscoach

Simple basic online security is something anyone can do, and something everyone should do. For Bloggers, online security is even more important.  Every Blogger and webmasters MUST go through a Website Security Checklist that they follow for every website, blog, and money-related account that they have online.

I know some people don’t like lists – but personally, I love checklists. Why? Because they give me a road map I can follow. They tell me what to do, instead of having to work it out for myself.

I’m amazed at how many bloggers, Facebook users, and online surfers have not given their online security more than a passing thought.  For Example: many people think that Passwords are a pain in the neck – just one more thing that gets in the way of their freedom to surf the net at leisure.  Wrong!

Hackers and identity thieves love these people. And despite all the warnings, millions of people continue to ignore basic security….at their peril.  Don’t become a Statistic!

Don’t Wait Till You’re Hacked Before You Fix Your Blog’s Security

Many people rely on laughably obvious Passwords that give no security at all.  They even use the same Password for all their online accounts, so when one account has been hacked, hackers can also access your bank accounts, your credit cards etc etc.

Unfortunately for these people with little or no security, and fortunately for us, hackers are looking for the low hanging fruit…of any size or importance.  Hackers get their kicks by trashing someone else’s hard work. And they don’t care who they damage in the process. They are looking for open doors….in any neighborhood!

Or maybe hackers don’t want to trash your site, or hijack it and demand a hefty ransom payment before they will ‘give it back’ – maybe…. just maybe, they want to sneak in so you don’t notice them….and then steal your identity, or your bank balance.

Simple Basic Website Security is NOT Difficult!

No security system can be 100% secure.  But it doesn’t have to be 100% secure.  Why?  Because the best way to protect your own information, data or blog, is to make sure that hackers and thieves target someone else in preference to you.

The aim is to have better security than most other people online.  And given that many people have almost no protection for their blog, online accounts or bank accounts, this means that you can do better than them with only a few easy, basic security steps.

Basic Security Check List for Bloggers:

Security Checklist 1: Change Your login User Name:

If you use ‘Admin’ as your login username, change it!  Change it to something else – anything else is more secure than ’Admin’.   Your Login User Name is 50% of your Blog’s ‘Front Line of Defenses’.  It’s One of your Two available front-door Padlocks that protect your website from unwanted intruders. The other one is your Password – see below.

It’s not difficult to change your blog’s Username see how to do it at: How to Change Your Login Username.  Do it Today!

Security Checklist 2: Use Strong, Un-hackable Passwords:

This is probably the single most important thing you can do for your peace of mind (and blog security).  What? You think you can’t have super-strength Passwords because you can’t remember them?  Not any more, friends!

Surprise yourself by finding out how to use some handy tricks for making impossibly long, strong and secure Passwords…. that are also dead easy to remember.  Want to know how?  Check out How to Make Strong Passwords…That You Can Remember.

Do it today….and I promise you, you will feel very clever…. and a tiny bit smug.Smile

Security Checklist 3: Change Your Administrator Password.

Ok, once you have some mind-boggling, super-strength Passwords figured out, you need to know how to Reset your WordPress Password.  Easy as!  Check out How To Change My WordPress Administrator Password.  It only takes a few minutes.

Security Checklist 4: Keep your WordPress Installation up to date:  

Think about it. If WordPress issues an update, WordPress usually lists the particular security holes it has fixed.  Once this info has been published online, the hackers know about these security holes too.

Therefore, if you don’t update your WordPress installation to the latest version, hackers will be scanning the internet, looking for anyone still using an old version of WordPress – with its old security holes in it…. and they will find you.

I know – it sounds scary to update your whole website.  But…. you can safely update to the latest version of WordPress with minimum risk by following a few simple steps.

See how to update WordPress and survive in one piece at How to Update WordPress Safely.

Security Checklist 5: Update or Delete your Plugins

If your plugins are not being updated regularly, they could represent a potential security weakness or access security hole.  Monitor all your plugins to see if you

  • a) need them?
  • b) are they up to date?
  • c) are Updates issued regularly?

Unused Plugins: Hackers know how to dig around inside any part of your website, so don’t keep unused, deactivated Plugins on your Dashboard.  Delete all plugins that you don’t use.  You can always re-download a fresh updated version of them again later if you want to.

Plugin Update Frequency: Check to see how often the plugin maker is issuing updates.  If a plugin issued its last update several years ago, check to see if the plugin maker has ‘moved on’ and hasn’t bothered to keep up with the latest online security threats.  Use your judgment and consider using a newer plugin that does the same task if you think there is a security risk.

Security Checklist 6: Update Your Theme 

Theme updates are not just bug fixes and new options… they are also Security Updates against the latest know online threats. If your theme has a new version, do a backup first, and then update!

Security Checklist 7: Delete All Unused Themes

The need to do this security step is not well known – I know that, because I only found out about it last week (my excuse )  Last week when researching this article, I read a scary Post which told the sorry tale of a big-time blogger who got hacked…through an old unused theme he had sitting on his WordPress Dashboard!  It was to do with something called The Tim Thumb hack.

The take home message is: you don’t need to know about the Tim Thumb hack (unless you want to, of course) – that hack has probably already been replaced by others anyway – but Delete all your old unused Themes. 

If you have unused Premium themes sitting on your Dashboard, save them to a secure part of your own Hard drive – out of harm’s way, but they are still there for future use.

Security Checklist 8: Make Weekly Backups:

Your host might be doing regular backups too, but make your own, just to be sure.  Include mysql files, even if you don’t know what they are, because a geek might need to use them when restoring your site – apparently…  Keep them on your hard drive and also on your separate External Hard Drive, as a back-up Back Up.

Bonus Tip: You do have an extra External Hard Drive don’t you???? 

These days they are as cheap as chips – and if you use an Apple computer, Apple’s automatic Time Machine software backs up all your data several times a day, and it’s all totally automated – just plug in your external hard drive and your computer takes over, and does everything else, automatically – magic!

Security Checklist 9: Regular Checks for Malware

1. Google’s Webmaster tools – if you haven’t listed your blog with Webmaster Tools, you should do it – sooner rather than later.

Given that Google rules the world, it’s always a good idea to know what Google is ‘noticing’ about your blog.

Obviously, it’s much better to plug security weaknesses before Google ‘notices’ them, BUT…if Google has found Malware, you need to know about it immediately, and deal with it before Google penalizes you for it.

2. Check to see you are not Blacklisted by Google. Hostgator provides their customers with a suite of Attracta SEO Tools which includes an option to regularly check for Blacklisting.

If your Host does not provide you with Attracta, or similar SEO checking tools, change your Host!  And…. if you decide to sign up with Hostgator (good idea  ‘cos they’re the best!) click HERE.

3. Active Blog Monitoring and Malware Removal with Sucuri – Securi provides an excellent free online site checker.  But their big attraction is their top ranked Rolls Royce of Security blankets for protecting your precious blog.

The guys at Securi are leaders in Website Security.  Their prices are very reasonable, and they will also be the people you will want to contact if you ever do get hacked – they specialize in Malware Removal and are the best in the field.

Security Checklist 10: Block offending IP addresses

If you find that anyone is making multiple failed login attempts, or hitting your Comments section with dozens of Spam comments, you can block individual IP addresses in Dashboard>Settings>Discussion

And…If you have Spamfree WordPress plugin installed, you can also block IP addresses in the Settings section of that Plugin.

For more info on the best must-have Plugins every Blogger needs (including Spamfree WordPress Plugin) check out: Best Free Must-Have Plugins for Bloggers.

Security Checklist 11: Choose a Good Host for your Blogs

Of course you should do this right at the start of your blogging career, but it’s never too late to change. If you have any security doubts about your Host, or they don’t have 5 Star Ratings for Accessibility and Support, change you Host before you find out they will not help you, once you’ve been hacked.

See How To Choose a Good Host

Security Checklist 12: Limit Login Attempts

Check how many login attempts your WordPress installation will allow you (or anyone else, of course), before blocking new login attempts for a period of time.  You can test this by repeatedly logging into your own site with an incorrect username or password. After several attempts, you will get a message saying something like ‘Sorry, you have to wait 30mins before trying to Login again’.

Would-be Hackers will make many Login attempts to break in past your Admin login, so it’s nice to know that WordPress is, in fact, putting limits on the number of login attempts it will allow.

You can install separate plugins that claim to limit the number of Login Attempts, but I failed to find one that didn’t have lots of complaints saying how it wasn’t working. If a Login limit plugin is something you want to install, you should do a plugin search and make up your own mind – and tell us if you find a good one.

Security Checklist 13: Clean up your file structure:

Here’s what I found online when researching this topic – it’s at a site called: Websynthesis

“…..If you’re asking, ‘Where do I begin?’ Start at the root. Compare your file list to that of the default WordPress core. A few extra files, like your favicon? OK. Two times as many files including Power Point presentations for work? Time to do some dishes …”

Ok, I admit I don’t know what these geeks are talking about – but.. if you do know how to do this, it’s probably a good idea to do it.

Security Checklist 14: Free OSSEC

This is another add on to the Security Check List which I have not yet got to grips with, geekily speaking that is – but it looks good and it’s Free!  What can be better than that?

The OSSEC Getting Started blurb says:

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution.

Ugh? But check it out if you want to, it looks as if it could be understandable to non techy people, but you might have to spend some time there to understand what it can do.

check list 2

Photo: photogAScott

There you have it: 14 Security Checks to do before you can knock off for the day…

Seriously though, if you really don’t want to leave your Blog wide open for Hackers, go through this Check List and do the easy ones first: Security Checks 1-11, and plus/minus Check List 12…….and save items 13 and 14 for a rainy day when you have time to add the trimmings.

Onward friends! … and don’t let the turkeys get you down!

Get regular updates with the latest News from My Second Million by Subscribing to our Newsletter HERE

If you enjoyed this post, please click the Like button on the Left. And consider subscribing to the RSS feed to have future articles delivered to your feed reader, or by Email.


Website Security: Security Checklist For Bloggers — 10 Comments

  1. Hello. Your article so complete and detail. I like it. You explain so detail so it is easy to implements. Thanks for your sharing.

  2. Pingback: Make Website FAST with Quick Cache Plugin: Before & After Tests

  3. Pingback: Cut the Crap! WP-Optimize Your Data Base & Increase Page Speed

  4. A great check list. I use Wordfence (free version) and am satisfied with it. You can limit your login attempts with it (I changed mine to 4) and also be notified if anyone (including yourself) logs into your site. I help my sister with her site so I am notified when she logs in and when I’ve logged in. I use Akismit to block spam and go in and block some IPs through Wordfence several times a week. Sometimes when I block one, I see that it has spammed the site over a hundred times!

    I’m going to implement some of your suggestions as well. Thanks.

      • I need to thoroughly study everything Wordfence does, but since I changed the number of login attempts to 4, it has stopped quite a few attempts to hack into my site. You get a notice from Wordfence and they give the IP address and attempted login names.

        I don’t believe Wordfence interferes with comments; I use Akismit to stop spam comments and set my comments to have to be manually approved just in case Akismit misses a few.

        I also don’t believe Wordfence interferes with any other plugins, either, but you should look up Wordfence in a search and read about it.

        • Thanks for replying Angela – I did check out Wordfence but decided that since my site works well with current plugins and security settings, I won’t take the chance to interfere with what I currently have working. Wordfence does look ok though. Thanks for the tip.

Leave a Reply

Your email address will not be published. Required fields are marked *


* Copy This Password *

* Type Or Paste Password Here *

267,806 Spam Comments Blocked so far by Spam Free Wordpress