Archive for August, 2010

General Blogging Security Precautions

Protecting your blog is more than keeping it up to date and using good strong passwords. There are general security questions you can consider as well.

Regular updates and strong passwords are vital. But, there is more than that to security. You must also take care in how you use your blog and when you update it.

For example, can people you don’t know register? If so, why? Is it needed? Switch off the ‘anyone can register’ setting unless you absolutely need it.

Is your computer secure? Do you use updated anti-virus software, or could someone easily attack your computer and use a keylogger to watch what you are doing?

Are you using unsecured Wi-Fi connections or internet cafes? Could someone else on the network be accessing your computer and watching the passwords that you are using? It is easy enough to create a new user with just author permissions and use that when you are away from home. That way, if that id is compromised, all the attacker can do is add posts and amend that author’s posts. Move all posts to admin when you are safely back home and they can’t even change them!

Yes, maybe these are far-fetched and highly unlikely methods of attack. But they are all possible and easy to prevent, and prevention is better than cure! So why not take the basic security steps and be safe?

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

A September PageRank Update?

The chatter in some search engine forums is that observers are seeing early signs that a PageRank update is about to take place.

Actually, the chatter was at the end of last week and speculated that it would take place over the weekend that has just gone, but looking at recent PageRank update dates I chose to ignore it and instead expected a September update.

Why? Well recent updates have, on the whole, been early in the month and this weekend just seemed too late.

I’ve not heard of anyone talking much about any significant August updates to the values displayed, although I presume there were some slight changes (there usually are), so the September update (if everyone is correct) will be the first proper PageRank update since 3rd April.

I am sure that on Sunday morning many bloggers will be switching on their computers, going straight to their blogs and looking at that green bar to see if there has in fact been a September update. If there has, then we will find out whether Google is in the mood for punishing those selling paid posts or is just ignoring what is going on.

Either way, for those blogs that see an increase in position there will be joy at being able to charge more and those that see a decline in position will be upset that their potential advertising revenue has been cut.

As it is, for this blog anything must be an improvement. I started it too late to get a decent ranking before the April update and am hoping that September will see some improvements.

One of the reasons that new versions of WordPress are released is that security holes have been discovered and patched up. So it is absolutely vital that you make sure that your installation is up to date.

Some people prefer to work on versions of WordPress that are established and other people have had the chance to find any bugs in the code. Whilst I understand this and support the theory in some ways, in other ways it is extremely dangerous.

I have read stories about different bloggers who have had their blogs successfully attacked. But, in every case, these bloggers were all using old versions of WordPress rather than the latest versions. People who get their pleasures from attacking blogs are likely to know the tricks used to attack old versions of WordPress, so by leaving yourself on an old version you are opening yourself to more possible attacks.

There is a balance to the risks, but on the whole I believe in keeping WordPress on the most recent version, with some precautionary steps.

First, download and unzip the latest version of WordPress, but keep the version of WordPress you are currently running somewhere on your PC. Next, run a full database backup and save that. Now, if it comes to the worst, you can reinstall the current version of WordPress with your existing database files, as though you never upgraded.

Then upload the new files and log on to wp-admin to force any database updates. Quite simple really, as long as you only have one or two blogs. More complicated with 20 blogs, but I’m testing a way around that too!
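The pre-upgrade steps above, scripted as an added example (not code from the post or from WordPress itself): it reads the database settings and the running version out of the install, builds the mysqldump command for the full database backup, and archives the current files so they can be put back if the upgrade goes wrong. The wp-config.php and version.php contents used in the demo are constructed stand-ins.

```python
import os
import re
import tarfile
import tempfile
import time

DEFINE_RE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'\s*\)")
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

# Constructed stand-ins for the two files the helper reads; not copied from a real install.
SAMPLE_CONFIG = ("<?php\ndefine('DB_NAME', 'blogdb');\ndefine('DB_USER', 'bloguser');\n"
                 "define('DB_PASSWORD', 'example-pass');\ndefine('DB_HOST', 'localhost');\n")
SAMPLE_VERSION = "<?php\n$wp_version = '3.0.1';\n"

def parse_wp_config(text):
    """Pull the database constants out of wp-config.php."""
    return dict(DEFINE_RE.findall(text))

def wp_version(text):
    """Read $wp_version from wp-includes/version.php."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def mysqldump_argv(cfg):
    """Full-database dump command; pass DB_PASSWORD via the MYSQL_PWD environment, not argv."""
    return ["mysqldump", "--single-transaction", "-h", cfg["DB_HOST"], "-u", cfg["DB_USER"], cfg["DB_NAME"]]

def archive_install(wp_root, dest_dir):
    """Tar up the running install, naming the archive after its version and today's date."""
    with open(os.path.join(wp_root, "wp-includes", "version.php")) as f:
        version = wp_version(f.read()) or "unknown"
    path = os.path.join(dest_dir, f"wordpress-{version}-{time.strftime('%Y%m%d')}.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        tar.add(wp_root, arcname="wordpress")
    return path

def demo():
    """Build a throwaway install from the samples, archive it and report what was captured."""
    root = tempfile.mkdtemp()
    wp = os.path.join(root, "public_html")
    os.makedirs(os.path.join(wp, "wp-includes"))
    with open(os.path.join(wp, "wp-config.php"), "w") as f:
        f.write(SAMPLE_CONFIG)
    with open(os.path.join(wp, "wp-includes", "version.php"), "w") as f:
        f.write(SAMPLE_VERSION)
    path = archive_install(wp, root)
    with tarfile.open(path) as tar:
        members = sorted(tar.getnames())
    return {"version": wp_version(SAMPLE_VERSION), "dump": mysqldump_argv(parse_wp_config(SAMPLE_CONFIG)),
            "archive": os.path.basename(path), "members": members}
```

The archive contains wp-config.php, and therefore the database password, so keep it somewhere on your PC that others cannot read.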

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

OK, this is a very simple measure, and in actual fact it is quite easy to work out that you are using WordPress anyway, but there are reasons for this very simple security change.

In short, does your blog very proudly display somewhere, probably in the trailer, ‘Powered by’ (or whatever) WordPress? If so, then straight away hackers know what system you are using and any potential weaknesses that it might include. Worse still is if your theme displays in the comments what version of WordPress you are using!

OK, it is easy for someone to work out that you are using WordPress – they just look for the wp-admin directory! Unfortunately, there is currently little you can do about this (WordPress does not allow you to move the admin directory, which would be a great security measure!).

If it is so easy to work it out, why is displaying the message a problem? Well, quite simply, because attackers can search for the ‘powered by’ message to find blogs using WordPress that they can attack! If you display the message then they can come across your blog and start to put your defences to the test. If they never discover your blog, then they cannot attack it.

So, how do you remove it? Very simply, go to your theme editor, look in your footer and find the code! If you look at the footer and find that it is encoded, then all is not lost. Just open your blog and look at the source code (for example, in Internet Explorer, View then Source). Now look at the main index file in your editor and look down to the last few lines of the code. Have a look at these and identify them over in your blog’s source. The code that appears after them is your trailer code. Copy and paste that into your trailer code, remove the powered by line, save it and check your handiwork!

You might also like to check your header in case it is displaying the version of WordPress you are using. Not too much of an issue if you are using the current version, but why give attackers any more information than you have to?
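A quick self-check for the two leaks discussed above, written as an added example (not code from the post or from WordPress): it scans a page’s source for the ‘powered by’ footer text and for the generator meta tag that WordPress puts in the header, which carries the version number. The page source below is constructed to look like a typical theme’s output.

```python
import re

# Constructed sample page source, modelled on what a WordPress theme typically
# emits: a generator meta tag in the head and a "Powered by" line in the footer.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css" />
</head><body>
<div id="footer">Proudly powered by <a href="http://wordpress.org/">WordPress</a>.</div>
</body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']', re.I)
# "powered by" followed by WordPress, allowing an <a> tag in between as themes do
POWERED_BY_RE = re.compile(r'powered\s+by\s+(?:<[^>]*>\s*)*wordpress', re.I)
VERSION_RE = re.compile(r'wordpress\s+(\d+(?:\.\d+)+)', re.I)

def find_wordpress_leaks(html):
    """Report which WordPress fingerprints a page source gives away."""
    leaks = {"generator": None, "version": None, "powered_by": False}
    m = GENERATOR_RE.search(html)
    if m:
        leaks["generator"] = m.group(1)
        v = VERSION_RE.search(m.group(1))
        if v:
            leaks["version"] = v.group(1)   # the exact version, the worst of the leaks
    leaks["powered_by"] = bool(POWERED_BY_RE.search(html))
    return leaks

def strip_generator(html):
    """Drop the generator meta tag, which is what disabling wp_generator in the theme achieves."""
    return re.sub(r'<meta\s+name=["\']generator["\'][^>]*>\s*', '', html, flags=re.I)
```

Run find_wordpress_leaks over your own blog’s saved source; a version string in the result means the header still needs attention, and a true powered_by means the footer does.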

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

£1 For A New URL!

If you are setting up a new blog, or currently running one through a paid service, then here is an offer that you cannot refuse!

For just £1 you can buy a .info domain name! Yes, £1, instead of the usual £8 – £12 that they cost. The info says that the domain name comes with a sitebuilder, which builds a small site, which is no good for blogging.

However… Not only do you get your free email accounts, you also get free website forwarding and DNS control. So you can easily use the domain name to give your current Blogger blog a proper URL (just follow the Blogger instructions) or, if you are setting up a new blog, just add some normal hosting.

I haven’t had the opportunity yet to play with this offer, but I’m sure that I will give it a go! It seems too good an offer to miss at only £1 for a new domain name. I’m sure that within the year I could easily turn that into a small profit, at least!

If you do try it out please let me know your thoughts. And if you mention your new domain name you get a free link, so the search engines should find your site quickly!

Details of the £1 URL can be found on that link.

If someone is going to attempt to attack your blog through brute force, a good password and an unusual admin id both provide a lot of protection. But if you can then lock out brute force attacks, you are really creating an impregnable fortress!

IMPORTANT: Since writing this post I have discovered that this plugin is not as foolproof as it should be – please see this updated post.

Basically, if someone is attacking your blog by trying out loads of password combinations, and you can detect their presence and stop their logon attempts, then they will not succeed in logging in. For this reason I have installed Login Lockdown, which is an excellent little plugin for WordPress blogs.

What it does is quite simple. It records failed login attempts and, if there are a certain number of failed login attempts from the same computer within a set amount of time, it prevents that computer making any more attempts for a while. For example, by default 3 failed login attempts in 5 minutes lock the computer out for an hour.

It is not totally foolproof: the attacker can change IP address, but that means a new address every three login attempts! They could try a login every 2.5 minutes, but that only allows 24 attempts per hour, less than 530 per day. At that rate it would take weeks, even years, to guess your password.

And that is how protection against brute force attacks works – just make it so hard that the attack will take so long that the attacker ends up going elsewhere. Simple, but secure.
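To make the arithmetic above concrete, here is a small simulation of the lockout policy the post describes, added as an example (it is not the Login Lockdown plugin’s own code). The thresholds are the defaults quoted above, treated here as parameters, and the IP address is a constructed placeholder; the last function carries the estimate through to the keyspace of a 10-character password drawn from about 70 symbols.

```python
from collections import defaultdict

# Thresholds quoted in the post as Login Lockdown's defaults (assumed here as parameters).
MAX_FAILURES, WINDOW_SECS, LOCKOUT_SECS = 3, 5 * 60, 60 * 60
ATTACKER_IP = "198.51.100.7"   # constructed documentation address

class LoginLockdown:
    """Per-IP failed-login tracker: MAX_FAILURES inside WINDOW_SECS locks the IP out."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECS, lockout=LOCKOUT_SECS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time (seconds) the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip, now, password_ok):
        """Process one login attempt at time `now`; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"          # refused even if the password happens to be right
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
        return "failed"

def guesses_per_hour(interval_secs, tracker=None):
    """How many guesses one IP actually gets through in an hour, firing one every interval_secs."""
    tracker = tracker or LoginLockdown()
    accepted = 0
    for now in range(0, 3600, interval_secs):
        if tracker.attempt(ATTACKER_IP, now, False) == "failed":
            accepted += 1
    return accepted

def years_to_exhaust(keyspace, rate_per_hour):
    """Years needed to try every candidate at a steady rate of guesses per hour."""
    return keyspace / (rate_per_hour * 24 * 365)
```

Pacing one guess every 150 seconds reproduces the post’s 24 guesses per hour, while hammering the login every 10 seconds yields only 3 before the hour-long lock takes effect.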

The only add-on I would want to this would be a notification of failed login attempts. I’m currently looking for a suitable plugin for this. The worry is that in the case of an attack, such a plugin could fill an email box. So I’m looking carefully!

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

Create A New WordPress Administrator

Renaming your WordPress blog administrator user is a huge security step, increasing the safety of your blog. So, what must you do?

It is simple. Sign on and create a new user, giving them administrator permissions. You need to provide an email address, so if you only have the one to use, change the current Admin’s email to a false address, as you can only use each email once per blog.

Now, sign on as the new administrator and, remembering the post about user ids and nicknames, give yourself a good nickname.

Finally, remove the admin id. Some people delete it and move the posts to the new administrator, whilst others just change the permissions of Admin to subscriber, meaning that the user can do nothing at all, but the posts don’t need moving.

As a sign of how important this step is, and of how WordPress does make changes to keep up with security, the system now no longer defaults the administrator to admin, which is great. But if you created your blog on a version of WordPress before 3.0.0, or you did set it up as Admin when you installed, now is the best time to put the situation right, if you have not already done so.

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

Selling Blogs

Without looking to sell a blog, I have just been asked if one of my huge portfolio of blogs is up for sale!

I am not sure if the offer is genuine or just some spam, nor how much he is willing to pay for the blog, but I am not the sort of person who can say “No” to some cash. Who knows? He might be willing to offer me £5,000 for the website!

OK, a bit much. Maybe £500 might be more realistic, but even that amount I would probably say “Yes” to and start again on the blog. It is not one of the main 5 blogs that I am “attached” to, and not one that has really done a lot in the three years that I have run the site. I would be more than happy to sell it and to start again with a brand new URL, look and content.

And that is what blog flipping is all about. If you are the sort of person that enjoys setting up a new website then you can create it, get the traffic going and then sell it to a business. It is certainly a good way of creating an income through blogging.

So, if the guy gets back to me and makes an offer, I’ll be posting more details with a smile on my face!

Choosing A New WordPress Admin Name

If you want to make sure that you beat brute force hackers, then you must change your admin userid. Here is how and why.

If a hacker is randomly trying all possible 10 letter password strings containing upper & lower case letters, numbers and a few special characters, there are around 70 to the power of 10 combinations to try. That is a lot, but still just about possible with a dedicated attack.

But, if you change the admin id to be as strong, there are as many combinations there. Now, the hacker has to guess both at the same time – so 70 to the power of 10, squared.

That is why this trick is so strong. But how to pick a new id? Well, don’t use your name! They could work this out from the URL registration, your nickname or comments in your blog. So pick an admin id that is unrelated. Maybe a nickname you were known as a child (as long as you have not blogged about it!), a favourite person’s name (that you have not blogged about) or just a random id that you write down and can remember with your password.

Go to the user settings and change the nickname to whatever you want to show, and make sure that your nickname is displayed on your posts, not your userid. This way hackers now have an awful lot to guess!

Want to know how to do these or other security considerations? Come back again, or follow the blog security tag.

Izea Postie Of The Month!

I was pleased (and very proud) last night to notice that I have been named as one of the two Izea posties of the month for July!

It is always nice to be recognised for something so I am proud as punch to have got a mention, especially as I only joined their systems earlier this year, probably almost exactly 6 months ago.

Writing posts about it might seem a bit like self indulgent showing off, but I am pleased and wanted to thank the guys over at Izea for the systems that they provide and the recognition that they have given to me. It’s also great that I’ve noticed a few people visiting this site from the Izea link and I’ve had one or two familiar faces from the Izea site leaving comments.

It was a nice surprise to get and an incentive to try even harder with the systems!
