When I started my blog, I was inspired. I saw awesome stories in people’s lives and was fascinated with the I thought of sharing it with like-minded people. People enjoying something, sharing it with the world for others to enjoy as well. Continued enjoyment and inspiration. I also thought having a blog would be a neat way to have a time capsule into a section of my life. I wasn’t thinking about Ukraine hacking me in the middle of the night though, which is now a known part of continuing to blog. Sorry Ukraine, didn’t mean to single you out, there’s other offenders as well. This is me pulling the curtain back again to talk about my thoughts and lessons learned about the blogging process, specifically cyber attacks.
These green countries are awesome, they visit this site and come back regularly. If you’re in one of those green countries, thank you. Really. Some people though, they don’t come here looking for fat bike pictures or my thoughts on biking at beautiful mountain passes though. Some people like to break things.
These red countries have hosted attackers of my blog in the last sixty days. My site’s not abnormal from other sites, I just know a few things, have safeguards, and like metrics. I know the site next to mine on the web with similar traffic gets hit just as often. I manage enough online sites to see it consistently. Bigger sites or more advertised sites get hit more than smaller sites.
Why do they do it? Boredom, wanting to attempt some internet hack they read about on a forum, trying to place ads on someone else site for revenue, to be malicious, or a handful of other common reasons.
What do I do about it? Blogs like mine commonly use a few different frameworks to manage content. I use one called WordPress because it’s awesome. WordPress uses a default login URL at yourSite.com/wp-admin. A lot of attacker scripts know that fact and target that known login page with predefined login combinations. So one thing that I’ve done to prevent this is to move my login page to another URL. Sorry, it’s super secret now, only other soul that knows it is my floppy eared dog (and a handful of trusted people). With that done, you’d be surprised at the percentage of attacks you can avoid. Attackers tend to pick the lowest fruit on the tree. If they can spend a few minutes to get into another site, they tend to look past a more secure site, unless they have reason to single a site out.
I won’t detail all of my security measures, but I’ll outline a condensed list in interest of hopefully helping other blogs or sites stay safe too:
- Use good passwords, if you can find your password in a dictionary, someone’s name, a date, or all of the other common passwords, it’s no good. Statistics say most people who read this common tip are offenders but don’t fix it.
- Backups. Backups. Backups.
- WordPress – Don’t use the default user name of admin. Also, set up a nickname so readers can’t find your login name.
- WordPress – Don’t use the default login URL.
- WordPress – Install some sort of monitoring software. There are plenty of free options that are awesome. I like Wordfence for security monitoring and Jetpack for site stats.
- WordPress – Limit login attempts with automatic IP address bans on repeated failed attempts.
Almost three years into this, attacks are still a thing. It’s not a concern, I’ll continue to manage. I think most site owners or blog creators don’t even know the level of attack they receive, at least I know and will continue to place the appropriate safeguards. I’d like to think this will help someone. Ideally this falls into the right corner of the internet and onto someones screen so they can enjoy the creative possess more and not have to worry about the bad as much. If that someone is you and you need a hand, shoot me an email. I’ll give you some pointers.
EDIT 11-23-2015: 1:42PM
I’ve had a conversation with a fellow site owner and wanted to add a word of caution. WordPress plugins are written by individuals and as such they don’t test how they interact with combinations of other plugins. Sometimes bad things happen with software. Technology… I’ve locked myself out of my own site and other bad things in the past and as such, it felt like I needed to add a word of caution.