If someone successfully attacks your blog and gains admin access, untold damage can be wreaked. So you need backups in place now that you can fall back on if that happens.

First, install WP Database Backup or a similar plugin. This emails you a backup of the essential database tables at intervals you set. Use it and keep at least a few generations of backups, in case it takes you a week or two to discover an attack.

Also, make sure that you have a copy of the version of WordPress that you are running, plus your theme and plugins. For themes and plugins, as long as you have a written note of their names and where to download them, you should be safe! Lastly, if you are uploading media such as videos, photographs and images, store copies of these on your PC. Do not rely on the server versions!

If the worst happens and you discover an attack, a piecemeal rebuild is probably going to take a long time and might not clear out everything. Attackers will leave damage around the site, hoping that you only find some of their work. They might leave backdoors into your admin area hidden away.

So you have to be prepared to delete everything and roll back to your last known safe backup. This means deleting all the WordPress files and the database and reinstalling onto an empty server, without any of the potentially infected database files. Effectively, you are creating a new WordPress blog and just using the backup files to reinstall the database and get back your posts, comments, user ids and so on.
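As an added example (not code from the original post, and not the WP Database Backup plugin's code), here is a small shell script that does the same job from cron: it dumps the database with mysqldump, checks that each dump decompresses, and keeps a fixed number of generations so that a compromise noticed a week or two later still has a clean dump behind it. It assumes the database settings are in the blog's wp-config.php, that mysqldump and gzip are on PATH, and that the backup directory is outside the web root; the paths and the demo_prune fixture are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or the WP Database Backup
# plugin. Assumptions: database settings come from wp-config.php, mysqldump
# and gzip are on PATH, and the backup directory is outside the web root.

# Extract one define('NAME', 'value') constant from wp-config.php.
wp_config_value() {
  # $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database to <backup dir>/<db>-<timestamp>.sql.gz and print that path.
backup_wordpress_db() {
  # $1 = WordPress root, $2 = backup directory
  cfg="$1/wp-config.php"
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  host=${host:-localhost}
  if [ -z "$db" ] || [ -z "$user" ]; then
    echo "could not read DB_NAME/DB_USER from $cfg" >&2
    return 1
  fi
  mkdir -p "$2"
  sql="$2/$db-$(date +%Y%m%d-%H%M%S).sql"
  # MYSQL_PWD keeps the password out of the process list; --single-transaction
  # takes a consistent InnoDB snapshot without locking the live tables.
  # ${host%%:*} drops the ":port" suffix that DB_HOST sometimes carries.
  if ! MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" > "$sql"; then
    rm -f "$sql"
    return 1
  fi
  gzip -f "$sql"
  gzip -t "$sql.gz" || return 1   # never keep a dump that does not decompress
  echo "$sql.gz"
}

# Delete all but the newest $2 dumps in $1. Each run leaves one generation, so
# keep enough of them to cover how long a compromise might go unnoticed.
prune_backups() {
  # $1 = backup directory, $2 = generations to keep
  ls -t "$1"/*.sql.gz 2>/dev/null | tail -n +"$(($2 + 1))" | while IFS= read -r old; do
    rm -f "$old"
  done
}

# Constructed demo: a fake wp-config.php and five stale dumps with distinct
# timestamps, pruned down to three. Prints the surviving dumps, newest first.
demo_prune() {
  # $1 = scratch directory
  mkdir -p "$1"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'blogdb' );
define('DB_USER', 'bloguser');
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost:3306' );
EOF
  for day in 01 02 03 04 05; do
    touch -t "201009${day}0300" "$1/blogdb-201009${day}-030000.sql.gz"
  done
  prune_backups "$1" 3
  ls -t "$1"/*.sql.gz
}

# Typical daily cron line: back up, then keep two weeks of generations.
#   backup_wordpress_db /var/www/blog /home/me/wp-backups && prune_backups /home/me/wp-backups 14
```

The dump is written uncompressed first and only renamed into place after gzip has verified it, so a half-written file from a failed run never masquerades as a good generation.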

Make sure that your backups are sufficient today!

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

General Blogging Security Precautions

Protecting your blog is more than keeping it up to date and using good strong passwords. There are general security questions you can consider as well.

Regular updates and strong passwords are vital. But, there is more than that to security. You must also take care in how you use your blog and when you update it.

For example, can people you don’t know register? If so, why? Is it needed? Switch off the ‘anyone can register’ setting unless you absolutely need it.

Is your computer secure? Do you use up-to-date anti-virus software, or could someone easily attack your computer and use a keylogger to watch what you are doing?

Are you using unsecured Wi-Fi connections or internet cafes? Could someone else on the network be accessing your computer and watching the passwords that you are using? It is easy enough to create a new user with just author permissions and use that when you are away from home. That way, if that account is attacked, all the person can do is add posts and amend that author’s posts. Move all the posts to the admin account when you are safely back home and they can’t even change those!

Yes, maybe these are far-fetched and highly unlikely methods of attack. But they are all possible and easy to prevent, and prevention is better than cure! So why not take the basic security steps and be safe?

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

A September PageRank Update?

The chatter in some search engine forums is that observers are seeing early signs that a PageRank update is about to take place.

Actually, the chatter was the end of last week and speculated that it would have taken place in the weekend that has just gone, but looking at recent PageRank update dates I chose to ignore them and instead expected a September update.

Why? Well recent updates have, on the whole, been early in the month and this weekend just seemed too late.

I’ve not heard of anyone talking much about any significant August updates to the values displayed, although I presume there were some slight changes (there usually are), so the September update (if everyone is correct) will be the first proper PageRank update since 3rd April.

I am sure that on Sunday morning many bloggers will be switching on their computers, going straight to their blogs and looking at that green bar to see if there has in fact been a September update. If there has, then we will find out whether Google is in the mood for punishing those selling paid posts or is just ignoring what is going on.

Either way, for those blogs that see an increase in position there will be joy at being able to charge more and those that see a decline in position will be upset that their potential advertising revenue has been cut.

As it is, for this blog anything must be an improvement. I started it too late to get a decent ranking before the April update and am hoping that September will see some improvements.

One of the reasons that new versions of WordPress are released is that security holes have been discovered and patched up. So it is absolutely vital that you make sure that your installation is up to date.

Some people prefer to work on versions of WordPress that are established, where other people have had the chance to find any bugs in the code. Whilst I understand this and support the theory in some ways, in other ways it is extremely dangerous.

I have read stories about different bloggers who have had their blogs successfully attacked. But, in every case, these bloggers were all using old versions of WordPress rather than the latest versions. People who get their pleasures from attacking blogs are likely to know the tricks used to attack old versions of WordPress, so by leaving yourself on an old version you are opening yourself to more possible attacks.

There is a balance to the risks, but on the whole I believe in keeping WordPress on the most recent version, with some precautionary steps.

First, download and unzip the latest version of WordPress, but keep the version of WordPress you are currently running somewhere on your PC. Next, run a full database backup and save that. Now, if the worst happens, you can reinstall the current version of WordPress with your existing database files, as though you never upgraded.

Then upload the new files and log on to wp-admin to force any database updates. Quite simple really, as long as you only have one or two blogs. More complicated with 20 blogs, but I’m testing a way around that too!
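The upgrade procedure above, as an added shell example (not the original post's own steps verbatim, and not WordPress's built-in updater): archive the running files, lay the freshly unpacked release over them while leaving wp-config.php and wp-content alone, and keep the archive so the old version can be put back if the upgrade goes wrong. It assumes the database dump from the previous step has already been taken, that the new release has been unzipped into a directory of its own, and that tar is available; the make_demo_trees fixture is constructed for trying the functions without a real install.

```shell
#!/bin/sh
# Added example, not the original post's procedure verbatim and not WordPress's
# own updater. Assumptions: a database dump has already been taken, the new
# release has been unpacked into a directory of its own, and tar is available.

# Archive the entire document root so the old version can be put back as it was.
# Keep the archive directory outside the document root, or tar will try to
# archive the file it is writing.
snapshot_site() {
  # $1 = WordPress root, $2 = directory for the archive; prints the archive path
  mkdir -p "$2"
  archive="$2/wordpress-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$1" .
  echo "$archive"
}

# Lay the new release over the site. wp-admin and wp-includes are replaced
# wholesale (so files the new release dropped do not linger), while
# wp-config.php and wp-content (themes, plugins, uploads) are left untouched.
# Bundled themes and plugins inside the release's wp-content are skipped too;
# update those from the dashboard afterwards.
overlay_release() {
  # $1 = unpacked release directory, $2 = WordPress root
  rm -rf "$2/wp-admin" "$2/wp-includes"
  ( cd "$1" && find . -type d -name wp-content -prune -o -type f ! -name wp-config.php -print ) |
  while IFS= read -r f; do
    mkdir -p "$2/$(dirname "$f")"
    cp "$1/$f" "$2/$f"
  done
}

# Restore the archived files, replacing whatever the failed upgrade left behind.
rollback_site() {
  # $1 = archive from snapshot_site, $2 = WordPress root
  case "$2" in ""|/) echo "refusing to wipe '$2'" >&2; return 1 ;; esac
  [ -f "$1" ] || return 1
  rm -rf "$2"
  mkdir -p "$2"
  tar -xzf "$1" -C "$2"
}

# Whole procedure: snapshot, overlay, then log in to wp-admin so WordPress can
# run its database upgrade. Prints the archive path to keep for rollback.
upgrade_wordpress() {
  # $1 = unpacked release, $2 = WordPress root, $3 = snapshot directory
  archive=$(snapshot_site "$2" "$3") || return 1
  overlay_release "$1" "$2"
  echo "Files replaced. Log in to wp-admin to finish; to undo: rollback_site $archive $2" >&2
  echo "$archive"
}

# Constructed fixture (not a real install): a running site under $1/site and
# an unpacked release under $1/release, with marker files to tell them apart.
make_demo_trees() {
  mkdir -p "$1/site/wp-admin" "$1/site/wp-includes" "$1/site/wp-content/themes/mine" \
           "$1/release/wp-admin" "$1/release/wp-includes" "$1/release/wp-content/themes/twentyten"
  echo "define('DB_NAME', 'blogdb');" > "$1/site/wp-config.php"
  echo "old" > "$1/site/wp-includes/version.php"
  echo "old" > "$1/site/wp-admin/old-only.php"
  echo "mine" > "$1/site/wp-content/themes/mine/style.css"
  echo "new" > "$1/release/wp-includes/version.php"
  echo "new" > "$1/release/wp-admin/new-only.php"
  echo "new" > "$1/release/index.php"
  echo "bundled" > "$1/release/wp-content/themes/twentyten/style.css"
}

# Real use, with the release unzipped to /home/me/wordpress-new:
#   upgrade_wordpress /home/me/wordpress-new /var/www/blog /home/me/wp-snapshots
```

Rolling back the files alone is only half of the author's fallback; the database has to go back to the pre-upgrade dump as well, since logging in to wp-admin lets the new version alter the tables.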

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

OK, this is a very simple measure, and in actual fact it is quite easy to work out that you are using WordPress anyway, but there are reasons for this very simple security change.

In short, does your blog very proudly display somewhere, probably in the footer, ‘Powered by’ (or whatever) WordPress? If so, then straight away hackers know what system you are using and any potential weaknesses it might include. Worse still is if your theme displays in the page what version of WordPress you are using!

OK, it is easy for someone to work out that you are using WordPress – they just look for the wp-admin directory! Unfortunately, there is currently little you can do about this (WordPress does not allow you to move the admin directory, which would be a great security measure!).

If it is so easy to work it out, why is displaying the message a problem? Well, quite simply, because attackers can search on the powered by message to find blogs using WordPress that they can attack! If you display the message then they can come across your blog and start to put your defences to the test. If they never discover your blog, then they cannot attack it.

So, how do you remove it? Very simply: go to your theme editor, look in your footer template and find the code! If you look at the footer and find that it is encoded, all is not lost. Open your blog and look at the page source (for example, in Internet Explorer choose View, then Source). Now look at the main index file in your editor and go down to the last few lines of code. Identify those lines in your blog’s source; the code that appears after them is your footer code. Copy and paste that into your footer template, remove the ‘powered by’ line, save it and check your handiwork!

You might also like to check your header in case it is displaying the version of WordPress you are using. Not too much of an issue if you are using the current version, but why give attackers any more information than you have to?
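Added example, not code from the original post: a check to run over a saved copy of your front page to see what it still gives away after the edits above. Besides the footer text and the generator tag in the header, it also looks for the ?ver= query strings WordPress appends to theme and plugin assets, which carry the version even when the other two are gone. The sample pages are constructed for this example and are not any real blog's output.

```shell
#!/bin/sh
# Added example, not code from the original post: report the usual WordPress
# tell-tales in a saved HTML page. The sample pages below are constructed.

# Print one line per leak found in the HTML file $1. Exit status 0 means
# nothing found, 1 means at least one leak. Patterns are matched per line,
# which is how WordPress emits these tags anyway.
check_version_leaks() {
  found=0
  if grep -qi '<meta[^>]*name="generator"[^>]*WordPress' "$1"; then
    echo "generator meta tag: $(grep -io '<meta[^>]*name="generator"[^>]*>' "$1" | head -n 1)"
    found=1
  fi
  if grep -qi 'powered by.*wordpress' "$1"; then
    echo "'Powered by WordPress' text in the page body"
    found=1
  fi
  # Enqueued scripts and styles get ?ver=<WordPress version> appended by default,
  # so the version can still be read here after the footer and meta tag are gone.
  vers=$(grep -io '[?&]ver=[0-9][0-9.]*' "$1" | sort -u | tr '\n' ' ')
  if [ -n "$vers" ]; then
    echo "version query strings on assets: $vers"
    found=1
  fi
  return "$found"
}

# Constructed sample pages: one that leaks and one that has been cleaned up.
write_sample_pages() {
  # $1 = directory to write leaky.html and clean.html into
  mkdir -p "$1"
  cat > "$1/leaky.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<link rel="stylesheet" href="/wp-content/themes/mine/style.css?ver=3.0.1" />
</head><body>
<p>Powered by <a href="http://wordpress.org/">WordPress</a></p>
</body></html>
EOF
  cat > "$1/clean.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="/wp-content/themes/mine/style.css" />
</head><body>
<p>Copyright 2010</p>
</body></html>
EOF
}

# Against a live site:
#   curl -s https://yourblog.example/ > page.html && check_version_leaks page.html
```

The footer text goes by editing the template as described above; the generator tag is normally suppressed with `remove_action('wp_head', 'wp_generator');` in your theme's functions.php, which is a standard WordPress hook rather than anything this example invents.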

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

£1 For A New URL!

If you are setting up a new blog, or currently running one through a paid service, then here is an offer that you cannot refuse!

For just £1 you can buy a .info domain name! Yes, £1, instead of the usual £8 – £12 that they cost. The info says that the domain name comes with a sitebuilder, which builds a small site, which is no good for blogging.

However… Not only do you get your free email accounts, you also get free website forwarding and DNS control. So you can easily use the domain name to give your current blogger blog a proper URL (just follow the blogger instructions) or if you are setting up a new blog, just add some normal hosting.

I haven’t had the opportunity yet to play with this offer, but I’m sure that I will give it a go! It seems too good an offer to miss at only £1 for a new domain name. I’m sure that within the year I could easily turn that into a small profit, at least!

If you do try it out please let me know your thoughts. And if you mention your new domain name you get a free link, so the search engines should find your site quickly!

Details of the £1 URL can be found on that link.

Locking Down Your WordPress Admin Login

If someone is going to attempt to attack your blog through brute force, a good password and an unusual admin id both provide a lot of protection. But if you can then lock out brute force attacks, you are really creating an impregnable fortress!

Basically, if someone is attacking your blog by trying out loads of password combinations, and you can detect their presence and stop their logon attempts, then they will not succeed in logging in. For this reason I have installed Login Lockdown, which is an excellent little plugin for WordPress blogs.

What it does is quite simple. It records failed login attempts, and if there are a certain number of failed login attempts from the same computer within a set amount of time, it prevents that computer making any more attempts for a while. By default, 3 failed login attempts within 5 minutes lock the computer out for an hour.

It is not totally foolproof: the attacker can change IP address, but they would have to do so every three login attempts! They could instead try a login every 2.5 minutes, but that only allows 24 attempts per hour, less than 530 per day. At that rate it would take weeks, even years, to guess your password.

And that is how protection against brute force attacks works: just make it so hard that the attack would take so long that the attacker ends up going elsewhere. Simple, but secure.

The only add-on I would add to this would be a notification of failed login attempts. I’m currently looking for a suitable plugin for this. The worry is that in the case of an attack, such a plugin could fill an email box. So I’m looking carefully!
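Added example, not the Login Lockdown plugin's code: the same rule described above (a set number of failures from one address inside a window locks that address out for a while) evaluated over the web server's access log rather than inside WordPress. Run from cron and piped to mail, it also gives the failed-login notification the post is still looking for, and because it only reports lockout decisions rather than every failure it will not flood a mailbox during an attack. It assumes the combined log format, that a POST to wp-login.php answered with a 200 is a failed login (WordPress redraws the form) while a successful one is answered with a 302 redirect, and that the first field is the visitor's real address (behind a reverse proxy it is the proxy's). The log lines are constructed with documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not the Login Lockdown plugin's code. Assumptions: combined
# log format; POST /wp-login.php answered with 200 = failed login, 302 =
# success; first field is the visitor's address (not so behind a proxy).

# Evaluate the lockout rule over $1 and print one LOCK line per decision plus
# a REJECTED summary for attempts made while an address was locked out.
detect_bruteforce() {
  # $1 = access log, $2 = failures allowed, $3 = window (s), $4 = lockout (s)
  awk -v max="$2" -v win="$3" -v lock="$4" '
  # Turn "[10/Sep/2010:13:55:36" into a number that orders correctly in time.
  # Days are spaced 32 apart rather than calendar-exact, which is fine for
  # comparing timestamps minutes apart (a window straddling a month boundary
  # would be judged wider than it is, i.e. a missed lockout, never a false one).
  function ts(field,   d, mon) {
    split(substr(field, 2), d, "[/:]")   # d[1]=day d[2]=Mon d[3]=year d[4..6]=h m s
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
    return (((d[3] - 1970) * 12 + mon) * 32 + d[1]) * 86400 + d[4] * 3600 + d[5] * 60 + d[6]
  }
  $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
    ip = $1; t = ts($4)
    if (until[ip] > t) { rejected[ip]++; next }   # still locked out
    n = 0; kept = ""
    cnt = split(hist[ip], h, " ")
    for (i = 1; i <= cnt; i++)                     # drop failures outside the window
      if (h[i] > t - win) { kept = kept " " h[i]; n++ }
    kept = kept " " t; n++
    hist[ip] = kept
    if (n >= max) {
      until[ip] = t + lock; hist[ip] = ""
      printf "LOCK %s at %s: %d failures within %ds, locked for %ds\n", ip, substr($4, 2), n, win, lock
    }
  }
  END { for (ip in rejected) printf "REJECTED %d attempts from %s while locked out\n", rejected[ip], ip }
  ' "$1"
}

# Constructed access log (documentation addresses, not real traffic): one
# address hammers the login form; another fails once, succeeds, and fails
# again a quarter of an hour later.
write_sample_log() {
  # $1 = file to write
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Sep/2010:13:55:01 +0100] "GET /wp-login.php HTTP/1.1" 200 2135 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2010:13:55:10 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2010:13:55:14 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2010:13:55:19 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2010:13:55:23 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Sep/2010:13:56:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Sep/2010:13:56:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Sep/2010:14:10:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
EOF
}

# From cron, with the plugin's defaults (3 failures in 5 minutes, 1 hour lockout):
#   detect_bruteforce /var/log/apache2/access.log 3 300 3600 | mail -s "wp-login lockouts" you@example.com
```

On the sample log the first address is locked at its third failure and its fourth attempt is counted as rejected, while the second address is never locked because its two failures are fourteen minutes apart; widen the window to an hour and it is.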

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

Entertainment On The Move

For those that might enjoy a few days away camping, or if you are wanting to entertain the kids when you are out and about, then a handheld TV could just be the answer to your problems!

These devices are nothing new and have been around for years, but a bit of research is required to not only find these devices, but also make sure that you are buying a decent one with good reception.

Create A New WordPress Administrator

Renaming your WordPress blog administrator user is a huge security step, increasing the safety of your blog. So, what must you do?

It is simple. Sign on and create a new user, giving them administrator permissions. You need to provide an email address, so if you only have the one to use, change the current Admin’s email to a false address, as you can only use each email once per blog.

Now, sign on as the new administrator and, remembering the post about user ids and nicknames, give yourself a good nickname.

Finally, remove the admin id. Some people delete it and move the posts to the new administrator, whilst others just change the permissions of Admin to subscriber, meaning that the user can do nothing at all, but the posts don’t need moving.

As a sign of how important this step is, and of how WordPress does make changes to keep up with security, the installer no longer defaults the administrator to admin, which is great. But if you created your blog on a WordPress version before 3.0.0, or you did set it up as Admin when you installed, now is the best time to put the situation right, if you have not already done so.
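The same steps as an added example done from the command line with WP-CLI (https://wp-cli.org/) rather than by clicking through the dashboard; this is not code from the original post. It assumes WP-CLI is installed as wp and is run from the blog's root directory, and the new login and e-mail address are whatever you choose. It takes the "delete admin and move the posts" route from the post, with the demotion alternative shown in a comment, and refuses the handful of logins that any password-guessing run tries first.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes WP-CLI is installed as
# "wp" and that this runs from the blog's root directory.
WP=${WP:-wp}   # override to point at a specific wp binary

# Print the logins that currently hold the administrator role.
list_administrators() {
  "$WP" user list --role=administrator --field=user_login
}

# Refuse the logins every password-guessing run starts with.
check_new_login() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    ""|admin|administrator|root|webmaster)
      echo "pick a less guessable login than '$1'" >&2
      return 1 ;;
  esac
}

# Create the replacement administrator, then delete "admin" and hand its posts
# and comments to the new account. To take the post's other route and merely
# demote the old account instead of deleting it:
#   "$WP" user update admin --role=subscriber
replace_default_admin() {
  # $1 = new login, $2 = e-mail for the new account; prints the administrators left
  check_new_login "$1" || return 1
  "$WP" user create "$1" "$2" --role=administrator >&2   # WP-CLI prints the generated password
  new_id=$("$WP" user get "$1" --field=ID)
  "$WP" user delete admin --reassign="$new_id" >&2
  list_administrators
}

# Usage from the blog's root:
#   replace_default_admin blogboss you@example.com
```

Check the printed list afterwards: it should contain only the new login, and the e-mail address given must differ from the one the old admin account uses, for the reason the post gives.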

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

Selling Blogs

Without looking to sell a blog, I have just been asked if one of my huge portfolio of blogs is up for sale!

I am not sure if the offer is genuine or just some spam, nor how much he is willing to pay for the blog, but I am not the sort of person who can say “No” to some cash. Who knows? He might be willing to offer me £5,000 for the website!

OK, a bit much. Maybe £500 might be more realistic, but even that amount I would probably say “Yes” to and start again on the blog. It is not one of the main 5 blogs that I am “attached” to, and not one that has really done a lot in the three years that I have ran the site for. I would be more than happy to sell it and to start again with a brand new URL, look and content.

And that is what blog flipping is all about. If you are the sort of person that enjoys setting up a new website then you can create it, get the traffic going and then sell it to a business. It is certainly a good way of creating an income through blogging.

So, if the guy gets back to me and makes an offer, I’ll be posting more details with a smile on my face!
