Security
Lydia123
11-25-2007, 09:18 PM
What sort of security measures should we be taking for our websites and blogs? In my case I don't sell anything, so I don't have a checkout and SSL. But should I be doing something with the "leech" icon or anything else?
bobdog
11-26-2007, 12:05 AM
Nothing more than the obvious security measures:
1. Do not give your user name or password to anyone.
2. Use a firewall and anti-virus on your personal computer.
3. Do not save passwords in your browser.
4. Don't let kids play on your computer.
5. Routinely dump cache in your browser.
6. If you want to get rid of your current computer, DESTROY the hard drive first (smash it with a hammer, then burn it in the fireplace.)
7. Make regular backups of your site.
8. Routinely change your passwords.
Notice ***do not let kids play on your computer***
Ferdinand
11-26-2007, 01:19 AM
Concerning blogs, if you use Wordpress:
- Always update to the latest version of Wordpress
- Always update the plugins (check the plugin menu in WP weekly or more often)
- Install and activate only plugins you really need
- Use a strong password
redsox9
11-26-2007, 07:57 AM
4. Don't let kids play on your computer.
What if they're really small kids? :D
breakingball
11-26-2007, 09:12 AM
Back up, back up, back up.
Also see:
http://codex.wordpress.org/Hardening_WordPress
silentcollision
11-27-2007, 04:25 AM
I don't know what (if any) script you're using, but never trust the user.
Always validate your inputs, and check for injection or XSS attacks. And never rely on information provided by the user, such as their browser or referral, for any purpose, as it can be faked.
Lydia123
12-03-2007, 06:17 AM
I don't know what (if any) script you're using, but never trust the user.
Always validate your inputs, and check for injection or XSS attacks. And never rely on information provided by the user, such as their browser or referral, for any purpose, as it can be faked.
Thanks for all the feedback. I don't know what any of the above means, though. :) What are injection and XSS attacks, and how do I check for them? What "user" should I not trust? I'm the only user on the site.
Does anyone use the "leech" option on the cpanel?
felgall
12-03-2007, 12:02 PM
If you are the only user of the site then why did you put it on the web? It would be more secure on your own computer where the millions of other web users can't access it at all.
skeezix
12-03-2007, 02:21 PM
Actually there is a lot more you can do. I just finished battening down my hatches (the ones I knew about, anyway) after Akismet trapped a spam comment on my blog.
What is "Akismet"? It is a spam-catcher plugin that you should have in your WP installation. Be sure to open your plugin manager and activate it. You will need an activation code for it to work but you get that, for free, at the bluehost.com site. Can't recall at the moment any more than that. See if you can obtain it yourself, if not, come back here.
Anyway, the WP Admin Panel lets one review all trapped spam. In the contents I found the url (77.91.227.108) which, after doing a "whois" search, revealed it is part of a block of numbers given to some company in Russia. So how can I prevent this from occurring again?
Well, in the BH cPanel is Security block with an IP Deny Manager icon. Clicking that allows one to specify a single IP or a range of IPs to be BLOCKED.
I then entered the starting IP (that info was in the whois report), a hyphen, and the ending IP (also in the whois report) in the top data field. You can see a screen below to help you understand. The result is that the IP Deny Manager will not let anybody whose IP is within that range of IP numbers access your site. Bingo, no access = no spam.
Look at the following screen and study it a bit. You will see the range of addresses I blocked at the bottom of the screen dump.
http://pipsisiwah.home.bresnan.net/images/example3.jpg
So that is one thing you can do to help secure your site - use the IP Deny Manager to lock out undesired IP entries. You'll have to use your own judgement based on what you consider "undesirable" though.
Getting spam is one thing, but what really blew my socks off about this particular occurrence is that I just happened to notice a new user had been added to my user list. And with full Administrator privileges!! :mad: I have not the foggiest idea how it got there. Mox nix, the IP Deny entry should prevent it from happening again FROM THAT PARTICULAR RANGE OF IPS.
That means you will have to periodically use your WP Admin Panel to check the users. Delete any entries you did not put there yourself or that you are not sure should be there. And while you are there, be sure to set your General Options as shown below:
http://pipsisiwah.home.bresnan.net/images/example4.jpg
Another thing I did is clear out the Update Services box at the bottom of the Options > Writing window. I'm not selling anything either, and I have no reason to broadcast my presence to the world (and to automatic eavesdroppers and snoopers!) every time something changes in my site.
And finally, you might want to consider setting up your Discussion Options as I have (see below) to eliminate pingbacks and trackbacks (another automatic notification system I don't trust). Have to go to lunch now, hope this has helped. It is NOT an exhaustive list though. Just what I have learned in the last day or two.
http://pipsisiwah.home.bresnan.net/images/example5.jpg
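The periodic check of the user list recommended above can be scripted instead of eyeballed. The following is an added example and not code from the thread: it lists every account whose capabilities include the Administrator role and reports any login that is not on your own allow-list of expected admins. WordPress stores a user's roles as a PHP-serialized array in the wp_usermeta row whose meta_key is the table prefix followed by "capabilities" (wp_capabilities for a default install), which is what the query reads. The script runs stand-alone against an in-memory SQLite copy of the two tables, filled with constructed sample rows; the PDO connection string, the table prefix and the allow-list are assumptions to replace with your own, and with a MySQL DSN the same code audits a live site.

```php
<?php
// Added example: audit WordPress for unexpected Administrator accounts.
// Uses an in-memory SQLite database so it runs offline; swap the DSN for
// new PDO('mysql:host=localhost;dbname=YOURDB', $user, $pass) on a real site.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT)');
$db->exec('CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)');

// Constructed sample data. The meta_value strings have the exact shape WordPress
// writes: a PHP-serialized array keyed by role name.
$u = $db->prepare('INSERT INTO wp_users (ID, user_login, user_email, user_registered) VALUES (?, ?, ?, ?)');
$m = $db->prepare('INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)');
$u->execute([1, 'lydia', 'lydia@example.com', '2007-11-01 10:00:00']);
$m->execute([1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}']);
$u->execute([2, 'reader', 'reader@example.com', '2007-11-20 08:15:00']);
$m->execute([2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}']);
$u->execute([3, 'admin2', 'x@example.net', '2007-12-02 23:41:09']);
$m->execute([3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}']);

/**
 * Return [login => registration timestamp] for every user whose capabilities
 * include 'administrator'. $prefix is the table prefix chosen at install time;
 * it comes from your own wp-config.php, never from a visitor, so it is safe to
 * interpolate into the table names.
 */
function listAdministrators(PDO $db, string $prefix = 'wp_'): array {
    $sql = "SELECT u.user_login, u.user_registered, m.meta_value
              FROM {$prefix}users u
              JOIN {$prefix}usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = ?";
    $stmt = $db->prepare($sql);
    $stmt->execute([$prefix . 'capabilities']);
    $admins = [];
    foreach ($stmt as $row) {
        // allowed_classes => false: data read from the database must never be
        // able to instantiate objects when it is unserialized.
        $caps = @unserialize($row['meta_value'], ['allowed_classes' => false]);
        if (is_array($caps) && !empty($caps['administrator'])) {
            $admins[$row['user_login']] = $row['user_registered'];
        }
    }
    return $admins;
}

/** Administrators whose login is not in the list you maintain yourself. */
function unexpectedAdministrators(PDO $db, array $expectedLogins, string $prefix = 'wp_'): array {
    return array_diff_key(listAdministrators($db, $prefix), array_flip($expectedLogins));
}

// Assumed allow-list: the site owner is the only account that should be an admin.
foreach (unexpectedAdministrators($db, ['lydia']) as $login => $registered) {
    echo "Unexpected administrator: $login (registered $registered)\n";
}
```

On the constructed data the script reports the admin2 account and stays silent about lydia and reader. Run it from cron against the live database and mail yourself the output; a non-empty result is exactly the situation described in the post above, and the registration timestamp tells you when to start looking in the web server logs.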
skeezix
12-03-2007, 02:24 PM
If you are the only user of the site then why did you put it on the web? It would be more secure on your own computer where the millions of other web users can't access it at all.
Kind of a paradox, isn't it. However, I am the only "user" of my site. I should qualify that: I am the only "user currently entitled to do anything other than to comment on posts - at least I think I am" on my site. I tend to misuse the term quite a bit;) .
breakingball
12-03-2007, 06:35 PM
You will need an activation code for it to work but you get that, for free, at the bluehost.com site.
To obtain an Akismet API key, you need to start an account at wordpress.com. See:
http://codex.wordpress.org/Akismet#Setting_Up_Akismet
hofmax
12-04-2007, 07:20 AM
noscript (http://noscript.net/) for Firefox prevents Javascript attacks
As a free virus scanner I recommend AvAntivirus (http://www.free-av.com/antivirus/allinonen.html) personal edition.
I heard sygate (http://www.google.com/search?hl=en&q=sygate+personal+firewall&btnG=Search) is a good free firewall.
To prevent MySQL injection attacks put your post variables in the mysql_real_escape_string (http://www.php.net/manual-lookup.php?function=mysql_real_escape_string) . Don't allow your users to input html into forms that will be rendered on output or you're opening up a huge door to XSS. I would program a simple wysiwyg like bbcode in order to allow your users to style their input.
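The two points in the post above, keeping user input out of the SQL string and never echoing user input as raw HTML, are easier to see side by side. The following is an added example, not code from the thread or from WordPress. It builds a small comments table in an in-memory SQLite database through PDO so that it runs stand-alone with constructed rows; the same PDO calls work unchanged against MySQL. Note that the mysql_* functions the post links to, including mysql_real_escape_string(), were removed in PHP 7; mysqli_real_escape_string() is the direct replacement, but prepared statements as shown here make the escaping unnecessary. The table name, column names and the BBCode tag set are assumptions for the example.

```php
<?php
// Added example: SQL injection (vulnerable vs. prepared statement) and XSS
// (output escaping plus a BBCode whitelist), using an in-memory SQLite database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, approved INTEGER)');

// Constructed sample rows: one approved comment and one still held in moderation.
$ins = $db->prepare('INSERT INTO comments (author, body, approved) VALUES (?, ?, ?)');
$ins->execute(['lydia', 'Welcome to the blog', 1]);
$ins->execute(['spammer', '<script>alert(document.cookie)</script>', 0]);

// VULNERABLE: the author name is pasted into the query text. A visitor who
// submits the string  x' OR '1'='1  turns the WHERE clause into
//   approved = 1 AND author = 'x' OR '1'='1'
// which is always true, so the unapproved comment comes back as well.
function approvedCommentsVulnerable(PDO $db, string $author): array {
    $sql = "SELECT author, body FROM comments WHERE approved = 1 AND author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the query and the data separately, so the
// quote characters inside $author are data, not SQL. Prefer this to escaping
// by hand with mysql_real_escape_string() / mysqli_real_escape_string().
function approvedCommentsSafe(PDO $db, string $author): array {
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE approved = 1 AND author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: a comment body is untrusted text, so escape it for HTML on output.
// To let commenters add formatting, escape FIRST and only then translate a
// small whitelist of BBCode tags, so the only HTML that reaches the page is
// HTML this function wrote itself.
function renderComment(string $body): string {
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $safe);
}

// Demonstration with a classic injection string and a script tag in a comment.
$attack = "x' OR '1'='1";
printf("concatenated query: %d row(s)\n", count(approvedCommentsVulnerable($db, $attack)));
printf("prepared statement: %d row(s)\n", count(approvedCommentsSafe($db, $attack)));
echo renderComment('[b]Hi[/b] <script>alert(1)</script>'), "\n";
```

The concatenated query returns both rows, including the one held for moderation, while the prepared statement returns none because no author is literally named x' OR '1'='1. The rendered comment keeps the bold tag but arrives in the browser as &lt;script&gt;, which displays as text instead of running. The regexes are only safe because htmlspecialchars() has already run on the whole string: if you ever swap the order, an attacker can smuggle markup through the BBCode.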
Lydia123
12-05-2007, 07:04 AM
If you are the only user of the site then why did you put it on the web? It would be more secure on your own computer where the millions of other web users can't access it at all.
I'm probably not using the word "user" correctly. What I meant is that I'm the only one who puts content on the site (excluding anyone who wants to leave blog comments). I want it available for others to view.
Skeezix, I didn't install any WordPress plug-ins; comment moderation already existed. That is, I have to approve any comments before they show up on the site, and it was that way from the get-go. Does that mean I have Akismet by default?
What does the Update Services option that you mentioned do? About pingbacks and trackbacks, I actually set my site to accept/send those out after reading someone else's blog about how it helps drive traffic to your site. Maybe the security issue negates that benefit?
Where is the WP Admin panel that you mentioned? Is it in the cpanel? I hope not, because as I've noted in other threads, I can't even find the WP uploads in the cpanel, lol. That IS weird about someone being added as an admin to your site.
felgall
12-05-2007, 11:34 AM
The admin panel is accessed by adding /wp-admin to the end of your site address.
Lydia123
12-05-2007, 06:40 PM
The admin panel is accessed by adding /wp-admin to the end of your site address.
Yes, but I'm wondering if it could be accessed through a cpanel icon, too. I'm still fuzzy about what is accessed through the cpanel and what is accessed through wp-admin. Since both my Front Page site and my WordPress site are on Bluehost, I would think that everything is accessible via the cpanel, but it seems like that's not the case.
felgall
12-05-2007, 07:16 PM
You can access the files that are a part of WordPress from within cPanel but if you want to actually work on your blog content then you have to run the admin facility and not just edit the files that make up the admin facility.
cPanel provides you with access to the files on your hosting and to a number of common scripts that everyone using cPanel has access to (such as webmail and phpmyadmin). It does not provide access to actually run the control panel for any script you install yourself; you have to go to the address where you installed that control panel to run that.
skeezix
12-06-2007, 11:14 AM
Akismet - I believe (can't recall right now) that Akismet is not a default option and you have to go get it from the WordPress Plugins link. You'll find that on the WordPress site, or you can google for it. Once you locate it, you must download it to your hard drive, then unzip it into a folder named 'akismet', then upload that folder (with its unzipped contents) from your hard drive into your wp-contents folder. Hopefully you have found out how to locate folders inside your /blog folder.
After you have uploaded the Akismet folder and its contents, you use WP Admin Panel, Plugins Tab, to locate and activate the Akismet plugin. I believe that during that process you will be asked for the special code number. Elsewhere in this forum you have instructions about obtaining that number.
Pingbacks and Trackbacks - Using them is a matter of preference. I like to think of them as more doors to a store. The more doors you have open, the more visitors you can have. Whether this is good for you, I don't know. With those visitors come the bad guys (spam, hackers, etc.) Just think of the recent shooting back east at one of the malls.
My site is specialized, non-commercial, and set up for a homeowners association. It has things of value only for the residents in that subdivision. Only too soon the search engines will pick it up and broadcast its existence all over the world. I don't care about that, it offers no advantage for the purposes of this site, and so I have plugged that hole (closed those doors). You might want to do the opposite.
skeezix
12-06-2007, 11:20 AM
>> the mysql_real_escape_string (http://www.php.net/manual-lookup.php?function=mysql_real_escape_string) . Don't <<
LOL!! Thanks for the link, I think! That page looks like a weekend extra-credit homework assignment from SQL 303.
I'll need to drink some more ink for that - I'm still working on the meaning of <body>....
felgall
12-06-2007, 11:36 AM
Akismet - I believe (can't recall right now) that Akismet is not a default option
Akismet is one of the two plugins that come with WordPress by default. All you have to do is to obtain a key from wordpress.com to activate it.
skeezix
12-06-2007, 11:43 AM
>>What are injection and XSS attacks, and how do I check for them? What "user" should I not trust? I'm the only user on the site.<<
If you are the only user and you have not provided a place where visitors can type in some text, then you probably don't have to worry about XSS. But if you would like to know a bit about what it is, just type XSS attacks into your search box and, happy reading!
Lydia123
12-06-2007, 02:45 PM
>>If you are the only user and you have not provided a place where visitors can type in some text, then you probably don't have to worry about XSS.
Well, people can type in comments, so I guess that means I should worry about it. Ok, I will do a Google on it. :)
biztips
02-06-2008, 09:27 AM
What is "Akismet"? It is a spam-catcher plugin that you should have in your WP installation. Be sure to open your plugin manager and activate it. You will need an activation code for it to work but you get that, for free, at the bluehost.com site. Can't recall at the moment any more than that. See if you can obtain it yourself, if not, come back here.
So - where at the bluehost.com site do you get your API key for Wordpress? Can't find it anywhere. Please be specific, what page or link you need to click to find it. I think Bluehost's help section is rather confusing.
Thank you!
Diana
felgall
02-06-2008, 10:39 AM
The only place on the web to get a WordPress API key for use with WordPress installations anywhere is from www.wordpress.com
biztips
02-06-2008, 11:22 AM
Tried that - I created my Wordpress account through Bluehost, so I already have a blog w/username etc. But when I try to log in using that name at the Wordpress site, to get my key code there, it says my username/PW is invalid. Since skeezix said you can get it through Bluehost, I figured THAT would be how to find it!
Basil
02-06-2008, 11:27 AM
http://codex.wordpress.org/Akismet
felgall
02-06-2008, 01:13 PM
You need to set up an account on wordpress.com and login to that account to get a key. What users and passwords you have set up on BlueHost are irrelevant.
skeezix
02-07-2008, 08:05 AM
Tried that - I created my Wordpress account through Bluehost, so I already have a blog w/username etc. But when I try to log in using that name at the Wordpress site, to get my key code there, it says my username/PW is invalid. Since skeezix said you can get it through Bluehost, I figured THAT would be how to find it!
Sorry I misled you, didn't mean to. Like you, I am pretty new at WordPress, php, sql, and I feel like I just went through a 1-hour course on "How To Become a Pro at Blogging, Everything Else Remotely Related to a Computer, and Life in General" with a 30-minute break in the middle....
biztips
02-07-2008, 10:44 AM
Are keys attached to a particular account? So I'd have to create a new Wordpress account and get a key, but want to USE the key on a different Wordpress account (the one I created at Bluehost) - will that work?
felgall
02-07-2008, 11:05 AM
You can sign up for one key and then use it on all your Wordpress accounts.
skeezix
02-07-2008, 09:41 PM
Well, people can type in comments, so I guess that means I should worry about it. Ok, I will do a Google on it. :)
Ah, but if you have enabled "moderation" in your Administration Panel, the comments will not appear until you take specific action to allow them to appear. Just go to Options > Discussion > Before your comment appears and check what you would like to happen.
Cheers!