Archive for the ‘Security’ Category

Imagine the horrible feeling if one day you visited your blog and found lots of posts not written by you advertising adult products. Or suddenly your site is hosting phishing pages or trying to install viruses onto readers’ machines. What are you going to do?

The process starts before you get hacked. If your blog is currently safe and you do not already do so, make sure you take a regular backup of your work. There are plenty of useful plugins to do this for you, and if the worst happens you have a way out. Keep the backups somewhere other than the server itself: an attacker who controls the site can delete or tamper with anything stored beside it.

But if you have already been hacked, what then? If you are not hosting the blog yourself you will need a lot of help from whoever does, because they will have to clean up the hosting account. With FTP access you should be able to sort most of it yourself, but tell your host anyway so they can work out what happened and why.

And sadly, the first thing to do is to take the blog offline. If you can move it to a different host then great, but that is not an option for most people. Run an immediate backup of the files and the database and store the result somewhere safe. You will not be restoring from it, but it is your only record of what the attacker changed, and you or your host may want to examine it later.

If you have been uploading images and videos to your blog then you need clean copies of them. Use the originals if you still have them; otherwise download them back off the server, but virus scan every one and check that each file really is what its name says it is. The uploads directory is a favourite hiding place for backdoors, for example a PHP script saved under an image name, so treat anything that is not a plain media file as suspect. In all honesty, if you can do without them then just delete them.

Next, delete the entire database (hence taking a copy earlier) and delete all of the files on your server. Delete everything; do not leave a single file behind, because you do not know what the attacker has changed or added.

Now reinstall the blog from a known-good copy. Download the latest WordPress files, or whatever you are using, from the official site rather than from anything left on the compromised server, and install the blog again. Finally, look through your backups and find one taken from before the attacker gained entry, and use that to rebuild your blog. Yes, recent posts will be missing, but the risk of using the most recent backups is that you do not know what backdoors the attacker has left in them.

To complete the task you now need to prove that the version of the blog you have restored is actually clean. Look through your settings. Are there any strange permalinks lying around? What about extra user ids that you do not recognise, or posts and pages that you did not write? Don't forget that you, or an attacker, can give a post an old date so that it does not appear at the top of the list. The easiest way to find these is to look at the modification date in the database (the post_modified column of wp_posts) rather than the displayed publish date, just to make sure nothing devious is there.
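A worked version of these checks, added here as an example and not something from the original post: a PHP command-line script to run against the restored database and uploads directory before the site goes back online. It assumes the standard wp_ table prefix, a cut-off date you are confident predates the break-in, and placeholder database credentials, paths and user list; the backdating heuristic (comparing publish dates against ID order) is this example's own.

```php
<?php
// Added example, not code from the original post. Run from the command line
// against the restored site: php audit.php
// Everything in this block of assignments is a placeholder: database DSN and
// credentials, the cut-off date, the accounts you recognise, the uploads path.
$db = new PDO('mysql:host=localhost;dbname=wordpress', 'wp_user', 'wp_pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$cutoff  = '2011-03-01 00:00:00';   // last moment you are sure the site was clean
$known   = ['keith', 'editor'];     // every user_login you created yourself
$uploads = '/home/site/public/blog/wp-content/uploads';

// 1. Accounts you did not create, or accounts registered after the cut-off.
function suspicious_users(PDO $db, string $cutoff, array $known): array
{
    $rows = $db->query('SELECT ID, user_login, user_email, user_registered FROM wp_users')
               ->fetchAll(PDO::FETCH_ASSOC);
    return array_values(array_filter($rows, function ($r) use ($cutoff, $known) {
        return !in_array($r['user_login'], $known, true)
            || $r['user_registered'] > $cutoff;
    }));
}

// 2. Published posts and pages modified after the cut-off, plus backdated ones.
//    IDs are handed out in creation order, so a post whose publish date is
//    earlier than that of a post created before it was most likely inserted
//    later with an old date. MySQL DATETIME strings compare correctly as text.
//    This is a heuristic (you may have backdated a post yourself), so review
//    the hits rather than deleting them blindly.
function suspicious_posts(PDO $db, string $cutoff): array
{
    $sql = "SELECT ID, post_title, post_type, post_date, post_modified FROM wp_posts
            WHERE post_status = 'publish' AND post_type IN ('post', 'page') ORDER BY ID";
    $hits = [];
    $latest_seen = '';
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $r) {
        $why = [];
        if ($r['post_modified'] > $cutoff) {
            $why[] = 'modified after cut-off';
        }
        if ($r['post_date'] < $latest_seen) {
            $why[] = 'publish date older than an earlier-created post (backdated?)';
        }
        if ($r['post_date'] > $latest_seen) {
            $latest_seen = $r['post_date'];
        }
        if ($why) {
            $r['why'] = implode('; ', $why);
            $hits[] = $r;
        }
    }
    return $hits;
}

// 3. Files under uploads/ whose actual content is not media. The check uses
//    the file's bytes, not its name, so a PHP backdoor saved as shell.jpg is
//    reported as text/x-php.
function non_media_uploads(string $dir): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $bad = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        $mime = $finfo->file($file->getPathname()) ?: 'unknown';
        if (!preg_match('#^(image|video|audio)/|^application/pdf$#', $mime)) {
            $bad[] = [$file->getPathname(), $mime];
        }
    }
    return $bad;
}

foreach (suspicious_users($db, $cutoff, $known) as $u) {
    printf("USER %-5d %-20s %-30s registered %s\n",
           $u['ID'], $u['user_login'], $u['user_email'], $u['user_registered']);
}
foreach (suspicious_posts($db, $cutoff) as $p) {
    printf("POST %-5d %-5s %s | %s\n", $p['ID'], $p['post_type'], $p['post_title'], $p['why']);
}
foreach (non_media_uploads($uploads) as [$path, $mime]) {
    printf("FILE %s (%s)\n", $path, $mime);
}
```

Review every hit rather than deleting on sight: a post you legitimately backdated, or a document you uploaded yourself, will show up alongside the real problems. What matters is that the list is short and that you can explain every line on it.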

And once you are back up and running, change every password the site depends on (admin users, FTP, the database user) and the secret keys and salts in wp-config.php, use a user id that is not obvious, block brute force login attempts, and make sure your own computer is clean. Stop the attacker from walking straight back in!

I am sure that plenty of people, like me, want to move wp-config.php to a more secure and private directory to keep it out of the way of prying eyes.

And it is not just hackers. Other users with FTP access to the same hosting account should not be able to see its contents (the database password is in there), let alone change them.

However, all that WordPress allows you to do is move the config file up one level, e.g. from mysite.com/blog to mysite.com. Yes, it hides it from the blog directory, but does it really help? That parent directory is usually still inside the web space, so anyone with FTP access to the account can still read it.

So I have developed a little script that sorts out the problem. For example, in my hosting there is a public directory into which the web files go, and a private directory that can only be reached by FTP or from a call within a script using a relative path.

Normally I would simply require it as ‘../private/myscript.php’. With WordPress, though, the script handling the request might be index.php in the blog root or something deeper such as wp-admin/index.php, and PHP resolves a relative require against the directory of the script that is running. So we have to work out how many directories deep we are in order to build a relative path back to the private directory.

So here’s what I did. I moved wp-config.php to my private directory and replaced it with the code below. Check your permissions: the web server’s PHP process must still be able to read both the stub and the real file, which is how it gets loaded at all, but other FTP accounts on the host should not be able to read the private directory. There is also a check towards the end that the stub is being called for our own site, just in case a hacker gets clever there. Treat that as a sanity check rather than access control, though: with Apache’s default UseCanonicalName Off, SERVER_NAME is taken from the client’s Host header, so it is not a value an attacker cannot influence.

<?php
// Stub left at the blog root in place of wp-config.php. It works out how many
// directories deep the running script is, climbs back to the site root with
// one '../' per level, then pulls in the real config from private/.
$found = substr_count($_SERVER['SCRIPT_NAME'], '/');
$i = 0;
$myroot = '';
while ($i < $found) {
    $myroot .= '../';
    $i++;
}
// Normalise the server name before comparing it with our own domain.
$togo = array('http:', '/', 'www.');
$thisserver = str_replace($togo, '', strtolower($_SERVER['SERVER_NAME']));
if ($thisserver == 'howtostartmyblog.com') {
    require_once($myroot . 'private/wp-config.php');
}
?>
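An alternative stub, added as an example and not the post’s own script: it resolves the real file from the stub’s own location with __DIR__ rather than counting slashes in SCRIPT_NAME, so it does not depend on which script is handling the request, and it refuses to load the config if the file has ended up back inside the document root. The directory layout in the comments is an assumption; adjust the number of dirname() calls to match yours.

```php
<?php
// Added example, not the post's own stub. Assumed layout (adjust to yours):
//   /home/site/public/blog/wp-config.php   this stub, inside the web root
//   /home/site/private/wp-config.php       the real file, outside it
// __DIR__ is the directory holding this file, whatever script included it,
// so two dirname() calls climb public/blog -> public -> /home/site.
$site_root = dirname(dirname(__DIR__));
$real      = realpath($site_root . '/private/wp-config.php');

if ($real === false) {
    http_response_code(500);
    exit('wp-config.php was not found outside the web root');
}

// Refuse to run if the real file has drifted back under the document root,
// e.g. after a careless restore, so the secrets are never loaded from a place
// the web server could also be persuaded to serve.
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('refusing to load wp-config.php from inside the document root');
}

require_once $real;
```

The same permission point applies: the PHP process must be able to read private/wp-config.php, and nobody else on the host should.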

Blog Protection From Hackers

If you are writing a blog then you have to be aware that you could be the target for hackers that want to take over your work. Whatever their motive, a successful attack could destroy your blog. So, what steps can you take to protect yourself?

Hackers could attack your blog for a multitude of reasons. Maybe they think it is fun, or they want to use your blog to give themselves plenty of inbound links, or they want to use it to push malware onto your readers’ computers. The list of what they could do if they gained access goes on and on.

But there is one thing in common with all of these attacks: they need access to the admin side of your blog. Whether that is through your FTP or your admin screens does not matter. Once in, they can do almost what they like.

Protecting your FTP details should be relatively easy. Pick a strong password, change it if you have any reason to think it has leaked, and don’t tell anyone what it is. Use SFTP or FTPS rather than plain FTP, which sends the password across the network in clear text, and don’t log in from machines you do not trust.

However, most hacking attempts are likely to take place via your admin screens. One line of attack is “injecting” SQL into the site’s queries. This is where using a platform such as WordPress, rather than writing your own tool, pays off: its database code has had far more scrutiny than anything written from scratch, so SQL injection should not be a problem. That only holds while you keep the core, plugins and themes up to date, though; a hole in an outdated plugin serves an attacker just as well.

This leaves hackers trying to guess your admin user id and password. Guessing both is quite difficult, especially if the password is tough to break. However, sometimes the user id is far too easy to guess and you might even be handing it to hackers on a plate. Look at your blog posts: do they say who wrote them, and does that match your user id? This is very easy to fix: give yourself a nickname and display that on posts and comments. One caveat: the nickname only changes what is displayed. With pretty permalinks on, the author archive link is /author/<slug>/ where the slug defaults to the login name, and WordPress redirects /?author=1 to it, so a determined attacker can often recover the login anyway. Treat a hidden user id as a hurdle, not a secret.

Another easy trap is using the username ‘admin’. So difficult to guess, that one! It is easy enough to change by editing the users table directly if you are happy doing that. Otherwise sign on, create a new administrator-level user id, log off and back on as the new administrator, give it a totally different nickname, then go to the Users screen and take admin down to the lowest role (Subscriber). That way, if someone does get in as that user, there is nothing they can do. Deleting the admin account outright works too: WordPress offers to attribute its posts to another user when you delete it.

With these steps in place a determined hacker is left with two ways in. The first is getting the details from you, either through phishing or a key logger on your machine, so only sign on from a clean machine and over a secure connection (HTTPS for the admin screens). After that it is a brute force attempt, trying loads of combinations. A plugin such as Login Lockdown will stop them in their tracks here and is well worth using.

If you are running a blog that has much of a presence on the search engines then you will almost certainly be popular with spammers. And with loads of automated comment spam hitting you, what can you do to protect your blog?

The onion approach
As with any form of computer security, I like to approach spam filtering like an onion. You peel through one layer of protection only to find another layer protecting the insides. And that is how the spam protection on my blogs works: a spammer might get through one layer, but then has to get through the next.

How spammers work
To protect ourselves from spammers we must understand how they work. Some go round different blogs manually submitting comments. Quite a few of these are passable comments that may even be useful to your blog; there is a very fine line here between good comments and spam.

Then there are the robot spammers. These trawl the internet looking for blogs to comment on. They grab your comment form and start automatically submitting automated rubbish to your blog. Because they are automated they can submit thousands of worthless comments, but they are the easiest to trap.

Level 1 – stop them at source
Stopping spammers with a Captcha can be effective, but it is a nuisance for genuine commenters and some spammers can now beat Captchas. So for my blogs I have installed WP Captcha Free. It is a great little plugin with a hidden effect. Rather than showing a Captcha, it puts an encoded timestamp into the comment submission form. When the form is submitted the timestamp is checked, and if the form is too old the comment is ignored. That catches the typical robot, which fetches your form once and keeps replaying it. The encoding matters too: a plain timestamp in the form could simply be rewritten by the bot, so the value has to be something it cannot regenerate without a secret.

Implementing this plugin drastically reduced the automated comment spam in many of my blogs, it really does work a treat!
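Here is the timestamp technique in working code, added as an example rather than taken from the WP Captcha Free plugin: the form carries a timestamp plus an HMAC over it, and on submission the signature is verified with a constant-time comparison before the age is checked. The hook names comment_form and preprocess_comment, and the esc_attr and wp_die helpers, are WordPress’s own; the secret, the token format and the one-hour limit are this example’s.

```php
<?php
// Added example, not the WP Captcha Free plugin's code. The secret below is a
// placeholder: generate a long random one and keep it out of the web root.
const FORM_TOKEN_SECRET  = 'replace-with-a-long-random-string';
const FORM_TOKEN_MAX_AGE = 3600;   // seconds a freshly loaded form stays valid

// Token = "<unix time>:<HMAC-SHA256 over the time>". The MAC is what stops a
// bot from just rewriting the number in a cached copy of the form.
function form_token_make(?int $now = null): string
{
    $now = $now ?? time();
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_TOKEN_SECRET);
}

function form_token_check(string $token, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // malformed or missing
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, FORM_TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) {    // constant-time compare
        return false;                       // forged or tampered
    }
    $age = $now - (int) $issued;
    // Too old means a cached/replayed form; negative means a forged future time.
    return $age >= 0 && $age <= FORM_TOKEN_MAX_AGE;
}

// Wiring into WordPress (guarded so the file also runs stand-alone): emit the
// hidden field with the comment form, verify it before the comment is stored.
if (function_exists('add_action')) {
    add_action('comment_form', function () {
        echo '<input type="hidden" name="form_token" value="'
           . esc_attr(form_token_make()) . '">';
    });
    add_filter('preprocess_comment', function (array $commentdata) {
        // Pingbacks and trackbacks never saw the form, so they carry no token.
        $type = $commentdata['comment_type'] ?? '';
        if (in_array($type, ['pingback', 'trackback'], true)) {
            return $commentdata;
        }
        $token = isset($_POST['form_token']) ? (string) $_POST['form_token'] : '';
        if (!form_token_check($token)) {
            wp_die('This comment form has expired. Please reload the page and try again.');
        }
        return $commentdata;
    });
}
```

Because the MAC covers the timestamp, a bot cannot simply bump the number in a cached form; it has to fetch a fresh page for every submission, which is exactly the cost the technique imposes. Keep the secret out of the web root, for example alongside the other secrets in wp-config.php, and change it if it ever leaks.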

Level 2 – stop those that are submitted
Where would we be without Akismet? It is so good that it now ships with WordPress. Automated spam robots on their first visit (which will get through WP Captcha Free, since the form they hold is still fresh) and manually submitted spam should be caught at this level. Without it, our blogs would be full of comment spam.

Level 3 – a manual check
The reason I looked at WP Captcha Free is that Akismet is not 100% reliable. Spam is missed and allowed through, while good comments risk being accidentally marked as spam. So our third and final level of spam protection is a quick manual check. Look through your Pending and Spam comment lists and confirm each comment is where it should be. Make any corrections (marking a Pending comment as Spam helps teach Akismet) and then empty the spam folder.

Protecting your blog with a strong password is essential. How can you create a strong password and what else can you do? And what can happen if you don’t?

If a hacker was to get hold of your blog’s main admin password then they could take control of your blog. From simply adding posts that link to their own website, to loading virus software onto your readers’ computers and even getting you to unintentionally host phishing pages, there are loads of prizes a hacker can take if they access your blog.

And for you – well if a hacker gains access to your blog you can lose all of your hard work!

How a hacker gains entry
A hacker will gain entry to your blog in a couple of ways. First, they might use key logging software to ‘watch’ you type your password. You protect yourself here with up-to-date anti-virus software and by only logging in over secure (HTTPS) connections. But this is a difficult way to get access to your blog.

The other way is to simply ‘guess’ your password. A hacker will use a program to constantly try different possible passwords to log on to your admin – known as a brute force attack. A simple password will not take long to guess and that is why a strong password is essential.

‘Simple’ passwords
Using something as simple as ‘pass1’ is very insecure. Why? Well, if the hacker starts at a, then aa, then ab and so on, it will not take them long to get to your password. Worse, real attacks do not start from a at all: they try lists of common passwords and dictionary words first, and ‘pass1’ is on every such list. Even ‘Pass1’ is marginally harder to guess, as the attack now needs to consider upper and lower case letters.

Stronger passwords
But even both of these examples are very weak. The longer the password, the longer it takes to go through all of the combinations required to guess it. Stick to lower case letters and numbers and there are 36 possibilities per position. Include upper case characters and punctuation and that jumps to 70 or 80. Make the password 8 characters long and the number of possible combinations becomes 80 * 80 * 80 * 80 * 80 * 80 * 80 * 80, around 1.7 * 10^15! Going through those at the few guesses per second a web login form will answer is a hopelessly lengthy process, during which the attacker should give up and try elsewhere. The catch is that this only holds for a random password: a dictionary word with a capital and a digit bolted on is not 80^8 guesses away, it is near the top of the list.

Send the hacker elsewhere
There are two further tricks to make sure the attacker moves elsewhere. First of all do not use a simple to guess user id. For example, in WordPress, do not use ‘admin’, which is the default. Now the hacker has not just to guess the password but also the user name.

The second security trick is to install a plugin that will block out a hacker from attempting new passwords, such as Limit Login Attempts. This detects a brute force attack and locks out the hacker for a period of time. Suddenly, not only are they trying a lot of combinations but also taking days between guesses.

Simplifying A Security Upgrade

If you started blogging with WordPress before v3.0, or you installed 3.0 and didn’t take the advice of creating a different user name, then there is an essential security step that you need to take. But, it can be very difficult.

Hackers attacking your blog have to guess two things to gain access: the user name and the password. Guessing both correctly at the same time is near impossible. Be aware, though, that the WordPress login screen does not help you here as much as you might think: its default error message says whether the user name exists, which lets an attacker confirm the user name first and then concentrate on the password.

However, some people make the game very easy for hackers. Look at the screen print to the right. We can see from it that the site still has an Admin user and a user id called Paul. Older versions of WordPress always set up the primary user as ‘admin’, taking the guessing game away from hackers. Suddenly getting into a WordPress admin area is only a fraction of the difficulty: you just need to guess the password.

There are 2 essential security steps that this blog needs to take. The first is to create a nickname for every userid, that will hide the “Admin”. Call it Fred or whatever you want, just so that it does not give away the real userid.

The second step is getting rid of that admin id. This can be a lengthy process: you have to create a new user id, move the posts from the Admin id to the new one and then delete Admin. However, there is actually a much easier way about it.

Sign on as Admin and create a new userid. Give it a nickname that does not give away the userid and set it up as an administrator. This is going to be your main userid, so also allocate it your main email address (change the Admin email address to a dummy email address first, if needed).

Now sign on as that new administrator and look at the list of users. Edit Admin and look at its “Role”. It is Administrator now, so reduce it to as low as you can: Subscriber or Contributor, neither of which can publish anything without a senior user giving it the OK.

This means that all of the old posts are still active, but should someone hack into your blog as Admin they cannot actually do anything.

There is another tool to use as well that will stop hackers having too many attempts at guessing your password and user id (and yes, I tested the blog I am showing and it did not do this), and that is a plugin to limit the number of login attempts. See the separate post on limiting login attempts for more.

With so many lazy ‘bloggers’ about happy to steal content from anyone’s website, what can you do to stop them in their tracks? Not much really, but there are a few possibilities to protect your work.
By Keith Lunt, ©howtostartmyblog.com

First we need to understand how someone might copy your blog’s content. It is actually very simple. You provide an RSS Feed of your latest posts and they subscribe to that. They then use a tool to turn these posts into posts on their own blog. Sadly, there are too many plugins available to do this task so it becomes very easy.

Stopping copying in its tracks
Because of this, the easiest way to stop someone copying all of your posts in full is to provide only a summary, or the first so many words, in your RSS feed (in WordPress this is the feed setting under Settings > Reading). If the full post is not there, they cannot steal it through the feed. Simple!

Why then don’t we all do this? Well readers wanting to access the information might not want to see only the summary and get fed up, eventually unsubscribing.

Making your posts less attractive to copying
If you can do something to your posts to make them less attractive to those wanting to copy them, then you stop the copying before it happens. You could subscribe to a service such as Copyscape, but are you happy to pay for it, do you really want that banner on your blog, and does detecting the problem actually prevent it?

However, there is an easy way around it. On some posts, it does not need to be every post, just include a simple copyright statement, such as:
By [my name], ©[mywebsite.com]

Quite simple and if anyone starts bulk copying your posts they are going to be displaying that copyright statement on their site. Not only showing they are copying your work, but also telling people where to go for the original work. You can take it a step further by making your name, the URL or the entire sentence a link back to your blog.

The side effect of this little trick
Displaying a copyright statement on your own posts does not exactly cause you a problem on your own website. However, if someone does miss the fact that a few of your posts link back to your website and start copying from you then they will actually be doing you a favour! They are spreading links back to your website across their website.

If they have a genuine readership then some of these people are going to be wandering over to your site when the see the links and search engines will see the links as one way, giving you the benefit. The search engines will also see that they are linking back to your website and Google in particular seems to take this as a sign of where the original content came from, preventing you from having a duplicate content problem. You actually therefore beat the person copying from your blog!

One way hackers will try to hack into a target website is by running a program that tries thousands of different passwords. A complicated password should defeat them, but you can make certain of this by detecting them at the source and locking them out. And on WordPress it is very easy to do.
By Keith Lunt, ©howtostartmyblog.com

Hackers wanting to get up to some mischief on a blog might just use a brute force attack to try to get access to it. A complicated password means that they have to try for longer and longer to gain access, but how long will that keep you safe for? Changing the user name to something that they cannot guess straight off is also excellent protection, but such a prolonged brute force attack could use a lot of bandwidth and ultimately slow down your blog as readers are trying to access it.

Slowing Down A Brute Force Attempt Is The Secret To Stopping It
You need to put them off by blocking them out. If they see that they are going to get locked out after every 3 or 4 attempts and not be allowed to try again for an hour or more, then they know that trying just 100 passwords is going to take well over a day. To try the number of password and user id combinations needed to break your security would then take years, and hopefully they will move on.

Sadly, Not All Plugins Deliver On The Promise
There are several plugins that do exactly this, however in testing some of them on my own blogs I have discovered that not all do the job properly! They might lock out the login form, but you can still submit a userid / password indirectly and successfully log on.

The Plugin That I Use On My Blogs
The plugin that I was not able to defeat was Limit Login Attempts and I like it as it has a lot of good options. You can set how many attempts there are before a lockout and then how long the lockout is for. Then, if there are more lockouts within a longer time period you can lock the attacker out for much longer.

And with each failure, the person trying to log on is told that there are only a few attempts left, so they know what they are dealing with and hopefully will leave you alone.

What If You Log Yourself Out?
Yes, get your password wrong a few times and you can lock yourself out. And it is no good trying a different user id: the plugin monitors the IP address of the attempts and blocks any further login attempts from that address. So if you get it wrong, either because Caps Lock is on or because you are testing it, then you are locked out.

Assuming that you cannot change your IP address, you can still get back in. You just need access to the database: the plugin keeps its lockout list as an option in the wp_options table, so remove the record that shows you are locked out (or simply wait out the lockout period).
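A minimal lockout written the way that test demands, added as an example and not the Limit Login Attempts plugin’s code: the block is enforced inside WordPress’s authentication path rather than on the login form, so a user id and password submitted through any route that ends in wp_authenticate() meet the same counter. The hook names (authenticate, wp_login_failed, wp_login) and the transient functions are WordPress’s own; the thresholds, transient key names and escalation rule are this example’s.

```php
<?php
// Added example, not the Limit Login Attempts plugin's code. The hook names
// (authenticate, wp_login_failed, wp_login) and the transient functions are
// WordPress's own; the thresholds, transient keys and logic are this example's.

const LL_MAX_ATTEMPTS         = 4;      // failures before a lockout
const LL_LOCKOUT_SECS         = 3600;   // first lockouts last an hour
const LL_LONG_LOCKOUT_SECS    = 86400;  // repeated lockouts last a day
const LL_LOCKOUTS_TO_ESCALATE = 3;

// Pure decision logic, kept separate from WordPress: takes the stored
// counters for one address plus a new failure, returns the new counters and
// how long to lock the address out (0 = not yet).
function ll_on_failure(array $state): array
{
    $state['failures'] = ($state['failures'] ?? 0) + 1;
    $lock = 0;
    if ($state['failures'] >= LL_MAX_ATTEMPTS) {
        $state['failures'] = 0;
        $state['lockouts'] = ($state['lockouts'] ?? 0) + 1;
        $lock = $state['lockouts'] >= LL_LOCKOUTS_TO_ESCALATE
              ? LL_LONG_LOCKOUT_SECS : LL_LOCKOUT_SECS;
    }
    return [$state, $lock];
}

function ll_client_ip(): string
{
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // trusted reverse proxy overwrites it; honouring it blindly would let an
    // attacker dodge the lockout by changing a header.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_key(string $what): string
{
    return 'll_' . $what . '_' . md5(ll_client_ip());
}

if (function_exists('add_filter')) {
    // Enforced inside the authentication path, so wp-login.php, XML-RPC and
    // anything else that ends up in wp_authenticate() is covered, not just
    // the visible form. Priority 30 runs after core's own checks (20).
    add_filter('authenticate', function ($user, $username, $password) {
        if (get_transient(ll_key('lock'))) {
            return new WP_Error('ll_locked', 'Too many failed logins from your address; try again later.');
        }
        return $user;
    }, 30, 3);

    add_action('wp_login_failed', function ($username) {
        if (get_transient(ll_key('lock'))) {
            return;                          // already locked; do not double-count
        }
        $state = get_transient(ll_key('state')) ?: [];
        [$state, $lock] = ll_on_failure($state);
        set_transient(ll_key('state'), $state, LL_LONG_LOCKOUT_SECS);
        if ($lock > 0) {
            set_transient(ll_key('lock'), time() + $lock, $lock);
        }
    });

    add_action('wp_login', function ($login, $user) {
        delete_transient(ll_key('state'));   // a real login clears the counter
    }, 10, 2);
}
```

Drop the file into wp-content/mu-plugins/ on a test site to try it. If you lock yourself out while testing, the lockout lives in wp_options as a transient (the option name is _transient_ll_lock_ followed by the hash of your address); delete that row and you are back in.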

The best way to blog incognito

Many people blog to share their thoughts and experiences, but sometimes you want to be able to open up to your audience safe in the knowledge that your identity is safe. How do you do that?
By Keith Lunt, ©howtostartmyblog.com

To many people blogging is therapy. You can open up to your blog and tell it your darkest secrets. For whatever personal reason, you feel happier getting rid of the demons, sharing the thrills of illicit experiences, or just writing your thoughts in a blog. But, you do not really want someone you meet in the street realising you are the blogger they are following daily.

So, what measures can you take to protect your identity? For a start, covering your tracks all of the time is very tricky. Harmless comments you make today can be added to earlier comments and, put together, reveal something about you. Mentioning an upcoming holiday or break and spelling out when you go and when you are back can be dangerous.

Limiting these personal details is not always possible. However, to truly keep your identity safe, you really have to limit the sum total of what you say about yourself.

And then we need to look at actually starting the blog. What must you do then to protect your identity so that you can blog incognito?

Well, it all starts when you register your URL. At this point you can give your whole identity away with a single stroke, because the registration details go into the public WHOIS record. So register the blog correctly, but take your registrar’s privacy option so that your name and address are not made public.

By using a self hosted blog you are in total control of what is shown and how. With a basic blog set-up you are unlikely to give away many details, apart from your name! Make sure that your user id displays a nickname, one that is not known to the people you do not want recognising you, and display that name with each of your posts. Photos deserve the same care: strip the metadata (camera, location) before uploading them.

If you have accidentally left your real name showing on posts you can quickly change it, but the search engines’ cached pages might retain it for a while. If you are desperate to hide your identity, the only action open to you is to request removal of those pages from the search engine listings.

Most bloggers will also want to post comments on other blogs, leave replies on their own and post articles or guest posts. So dream up for yourself a pen name and create a new identity under that name. Give this name an email address under your blog’s URL and create an avatar for this email address, although obviously don’t use a photo of yourself! Maybe a logo or an abstract image.

You can then use this identity whenever you are posting and listing elsewhere, safe in the knowledge that your blog gets the credit, but your identity is protected.

Finding out that someone is copying your blog posts can be a terrible thing and can cost you a lot of website traffic. But, what simple actions do you need to take to get the copies deleted and your traffic back up again?
By Keith Lunt, © HowToStartMyBlog.com

Recently I was notified that posts from one of my blogs were appearing on another blog, who was claiming them as original works. I had noticed that the traffic on that blog was dropping off rapidly over recent months and when I searched on sentences in my posts, the stolen content always appeared above my own. Google was favouring the reproduction over the original.

I reacted and thankfully most of the posts were removed. But a week later I had to do it all again as there were still some posts being displayed. In all, I spent almost a full day sorting the problem. By the end of it I had learned from my mistakes and knew how to do it better.

How is it done?
First of all it helps to understand how the content is robbed wholesale. In short, it’s the RSS feed. There are plugins available to do the job and I discovered which he was using, not that the information helped me. One answer is to just syndicate a summary by RSS, but is that as good for readers?

Don’t react too quickly.
If you discover this is happening to you, do not over react. Most bloggers stealing content are at it a few times a day, so show a little patience and follow these steps:

1) Add a new post to your blog – It seems daft when you know they will steal it, but that’s the point. Add to the post a copyright statement, your name and if you want your website address. Embed it deeply, say after the introduction paragraph. For example, By Keith Lunt, © HowToStartMyBlog.com.

2) Watch the offending blog – At some point they will access your RSS feed and steal the new post. Once they do that they have a post on their website which clearly shows it is copyright of you.

3) Find out who their hosts are – Just do a whois search on their domain name and this will lead you to their hosts.

4) Search for a DMCA template email – This is the official complaint form. It sounds difficult, but it isn’t. Most of the content is just legal wording and then you provide the links to the copied content and the original content, using the recent post as evidence that they are stealing from you.

Once the DMCA email is sent to the abuse department of the hosts, they are expected to act quickly; the law says “expeditiously” rather than giving a fixed number of hours, and in my experience it took just 40 minutes for the final posts to be removed. Better still, it puts the onus on them to find any other stolen content.

What I wouldn’t do.
What I would not do again is to approach the website owner directly. Straight away they are alerted and will drop your RSS feed, but they can leave the older content up and then how do you prove who has the original?
