
Securing your Blog

This guide gives blog owners the information they need to secure their blog: keeping the blogging software up to date, securing user accounts, backing up the blog, and protecting it from comment spammers.

If you haven’t got a blog yet and wish to start blogging, you might be interested in reading this article on how to start blogging.

Secure your server/network

Before you secure your blog, you should make sure the server hosting it is secured. Securing your blog is useless if the server or network where it is hosted is vulnerable to attack.

Securing the network and server is the job of the sysadmin at the company hosting your server, so it is important to choose a hosting company with good security policies. Securing your server and network is beyond the scope of this article, but here is what I consider a secure server:

  • The operating system on the hosting server should be properly installed and configured with all security patches applied. All network services (http, dns, ftp, mail, ssh, etc.) and application runtimes (for example php, ruby, python) should be patched.
  • The network should have the necessary firewall and intrusion-detection system to protect the server against denial-of-service attacks.

Keep your software patched

You should follow the development blog of your blogging software (WordPress/Movable Type/Textpattern). Some blogging software, such as WordPress and Textpattern, provides a notification list that will notify you every time a new version is released.

When a new version is released, read the change log and decide whether you need to upgrade. Not every release contains security or bug fixes; some contain only new features. You might not want to upgrade if there are no security or bug fixes and you don’t need the new features.

Besides updating your blog software, you also need to keep any plugins you have installed up to date. Some plugins may become outdated and no longer work with a newer version of your blog software.

User Account security

Your admin panel is where you control the operation of your site. You can use it to write and delete blog posts and to change any other important configuration. If a malicious user gains entry to your admin panel, they can do a lot of harm to your blog, such as posting an unwanted entry or deleting your site.

To access the admin panel, a user must first log in with a username and password. It is important that you do not give out your username and password to anyone. If you are running a blog with multiple authors, it is better to create a separate account for each person, with different roles and capabilities.

Use a strong password that you can remember but that is difficult for someone else to guess. You can use this guide to create and use a better password.

When you log in to your admin panel over plain HTTP, your password is transmitted to the server in clear text and may be read by anyone with low-level access to the network. To protect your password from such people, make sure you use a secure connection (HTTPS) when logging in to the admin panel.

Backup

Backing up your blog is very important so you can easily restore its content in case the database or server hosting your blog crashes. Backups should be done regularly, depending on how often you post a new entry. It’s also important to back up your blog before you upgrade your blogging software, in case something goes wrong.

Backing up Database

The most important thing you need to back up is the database. The database contains the blog configuration, authors, posts, comments, trackbacks, categories, etc.


Backing up attachment files

Besides backing up your database, you also need to back up any files you include in your blog posts. These media files can be photos, pictures, videos, sounds, slideshows, etc. It is recommended that you upload all of these files into one folder on the web server so you can easily back them up with your ftp client.
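The two backup jobs described above (dumping the database, archiving the upload folder) as one nightly script. This is an added example, not code from the original post; the database name, the credentials file, the upload path, the backup directory and the retention period are all assumptions, set via environment variables, and the real work only runs when RUN_BACKUP=1 is set.

```shell
#!/bin/sh
# Added example: nightly backup of a blog's MySQL database and uploads folder.
# All names and paths below are assumptions; override them in the environment.
set -eu

DB_NAME="${DB_NAME:-blog}"
DB_CNF="${DB_CNF:-$HOME/.my.cnf.blog}"           # [client] user/password, mode 600
UPLOADS_DIR="${UPLOADS_DIR:-/var/www/blog/uploads}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/blog-backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"                     # retention for old archives

# Archive name for a given prefix, suffix and date, e.g. blog-2006-08-16.sql.gz
backup_name() {   # $1 = prefix, $2 = suffix, $3 = date (YYYY-MM-DD)
    printf '%s-%s.%s\n' "$1" "$3" "$2"
}

# An archive is usable only if it is non-empty and decompresses cleanly;
# checking this nightly avoids discovering a broken backup during a restore.
verify_gz() {   # $1 = path to a .gz file; returns 0 if usable
    [ -s "$1" ] && gzip -t "$1" 2>/dev/null
}

# Dump the database in a single consistent snapshot. Credentials come from a
# defaults file so the password never appears in the process list or history.
dump_database() {
    out="$BACKUP_DIR/$(backup_name "$DB_NAME" sql.gz "$(date +%F)")"
    mysqldump --defaults-extra-file="$DB_CNF" --single-transaction "$DB_NAME" \
        | gzip -9 > "$out"
    verify_gz "$out" && echo "$out"
}

# Archive the folder holding the media files referenced from posts.
archive_uploads() {
    out="$BACKUP_DIR/$(backup_name uploads tar.gz "$(date +%F)")"
    tar -czf "$out" -C "$(dirname "$UPLOADS_DIR")" "$(basename "$UPLOADS_DIR")"
    verify_gz "$out" && echo "$out"
}

# Remove archives older than the retention period so the disk does not fill.
prune_old() {   # $1 = directory, $2 = days
    find "$1" -maxdepth 1 -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) \
        -mtime +"$2" -exec rm -f {} +
}

if [ "${RUN_BACKUP:-0}" = 1 ]; then
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"   # backups hold credentials and private data
    dump_database
    archive_uploads
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
fi
```

Run it from cron with RUN_BACKUP=1 and copy the resulting archives off the server; a backup that lives only on the machine it protects is lost together with it.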

Backup the software

Backing up your blog software itself is the least important thing, since it can be downloaded again. However, it is a good idea to back it up if you have installed any 3rd-party plugins or made modifications to the source code.

Backup Services

If you’re too lazy to back up your blog yourself, you can use BackupMyBlog, a service that will automatically back up your entire blog database every day. At the time of writing this article, BackupMyBlog is in public beta.

Comment/Trackback Spam protection

Comment spam consists of malicious and unwanted comments submitted to your blog by spammers through the use of automated scripts.

This kind of spamming is called spamdexing, which according to Wikipedia is the practice of deliberately creating web pages that will be indexed by search engines in order to increase the chance of a website or page being placed close to the beginning of the search engine results.

You can fight comment spam by installing anti-spam plugins on your blog. Akismet is an anti-spam plugin that runs hundreds of tests on every comment, trackback and pingback submitted to your blog. Akismet was originally developed for WordPress, but other people have ported it to Movable Type and many other blog tools.

I use a combination of MT-Akismet and SpamLookup on my Movable Type powered blog, and it works really well. There are many other ways to combat comment spam: you can read Six Apart’s guide to combating comment spam, or the WordPress Codex page on fighting comment spam.

Feel free to leave a comment if you have anything to add to the list.

2 comments so far

1. Jim 16 Aug 2006

For blog backup you might also look at BackUpAbility.com. We use XML-RPC and do not require server or mysql access. We don’t back up the entire mysql, just blog posts and comments, and we let you export that content or restore on a per-post basis.

2. George Carastas 14 Nov 2006

For web-sites of all kinds, including ftp files and mysql databases, you can try Site Vault from http://www.site-vault.com

Full incremental backup, schedule and forget type of thing…

George