An online buddy of mine, Keith Davis, asked me a great question in regards to WordPress 3.0 security. He asked:

Hi John

I notice that WordPress 3.0 has now been released and we are all urged to upgrade.
I would have to make changes to my theme to make it compatible with WP 3.0 and since I’m not looking for additional functionality, the only reason I would upgrade is for added security.

The only reference I can find to increased security in version 3 is the ability to change the default username from admin – but most of us will have done that anyway as per your advice.

Would you say that an upgrade to version 3 is essential on security grounds?

Great question… and here’s my response.

It seems the security enhancements in WordPress 3.0 really only apply to those end-users who are installing WordPress for the first time (manual install).

For better WordPress security and help keep malicious hackers locked out, it’s a good idea to do the following three things:

• Choose a different username than the default “admin”
• Change the default database table prefix to something other than wp_
• Add WordPress security keys

As Keith mentioned, I’ve shown him (and others) how to do those things in my ebook, WordPress Defender. WordPress 3.0 just makes it easier for you to do those things all during the setup process; in fact, the security keys are created automatically for you (see the video below).

So Keith, to answer your question about upgrading, no it’s not necessary in my opinion to upgrade right away; however, realize that although WordPress says they aren’t planning on a 3.1 right away, you never know. Tomorrow we might all discover one major security hole and every one must upgrade immediately.

If I were you or someone else in your position, I’d start planning how I’m going to upgrade real soon. You might contact your theme’s author and see what their plans are.

How To Install WordPress 3.0 Manually

Don’t forget, before you do a WordPress upgrade, it’s important to first fully back up your blog.

Related posts:

1. WordPress 2.8.2 Has Been Released & Provides Security Fixes
2. How To Upgrade WordPress Manually Video
3. How To Install WordPress Manually and Why Beginners Should Do It

But that’s a good thing, right?

However, something (or some group, rather) has pulled me out of my blogging break early and these A-holes have really pissed me off!

It seems there’s been a lot of talk around blogosphere about WordPress blogs getting hacked lately… and it’s been even more than the usual. Whoever is doing this doesn’t seem to be targeting your site specifically, but rather the web hosting companies, and their hacks infect all files on your hosting account ending in the .php extension.

Most of you know I’ve recently written a WordPress security ebook, called WordPress Defender: 30 Ways to Secure Your Blog from Attack Anyone Can Do, and packed it with a ton of things you can do today to better secure your blog from WordPress crackers.

Unfortunately, there’s one problem here.

Lately these assholes have been targeting the web hosting server itself and since you personally don’t have access to that level of your website’s security, it’s kind of out of your hands to thwart your site from being infected.

There’s been a lot of talk lately about Go Daddy being hacked and how they have been denying the problem resides on their side, but to be honest I’m not so sure; in fact, it’s not just Go Daddy lately, it’s also been hosting companies like DreamHost and Network Solutions that *seem* to be getting hit.

What These Hacks Might Look Like

Fortunately, the hacks are easy to spot.

Just log into your web hosting’s File Manager and open any file ending in .php. If the file is infected, you should see code at the very top looking similar to this:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3R

Those dirty little rats!

What You Need to Do Today

• Make sure WordPress is upgraded
• Make sure your plugins are upgraded
• Back up your database and set up an automated backup process for it
• Back up all the files contained in your web hosting’s File Manager
• Implement the security upgrades I talk about in WordPress Defender

The Good News For WordPress Defender Users

Even though there is little you can do to stop these hacks from happening, all is not lost as long as you follow some of the advice I give you in the WordPress Defender book.

The key to being able to recover from such vicious hacks is being:

• Aware of the problem
• Notified asap that your security has been compromised
• Prepared for a quick recovery

I think I do a pretty good job at showing you how to do these things in the ebook.

If you find that your blog has been infected with a virus or some other malicious code, the quick fix checklist is to:

• Put your blog / website into Maintenance Mode (click here to see how to do that without a plugin)
• Restore a clean backup of your database (see how to do that here)
• Restore a clean backup of all your web hosting files and folders (you have a recent backup, right? Click here to see more on that)
• Change your WordPress, FTP, and web hosting passwords

WordPress security is not an exact science.

Protect yourself the best you can and be prepared for the times you can’t.

It’s not difficult to implement, but at times it seems difficult for me to get through to those of you who are easy targets.

WordPress Defender Review

Not sure what this WordPress Defender ebook is all about?

Clive McGonigal of Blog Briefing has done up a wonderful review of my book. The video below will show parts of my ebook as well as a little of what you get in the video tutorials. Be sure to view the video in full window view.

If you find the video helpful and want to purchase the ebook, please use Clive’s affiliate link to purchase the ebook by clicking here.

Shoot them my way by commenting below.

Related posts:

1. WordPress Defender: 30 Ways to Secure Your Blog from Attack Anyone Can Do
2. How To Fully Backup WordPress Anytime With Just A Few Clicks

In the middle ages, the Samurai were Japan’s warrior class and were highly specialized in the art of war. They also carried with them a specific code of ethics and rules they lived by.

Although WP Blog Host is not at war with anyone, I do see them as the Samurai of the web hosting industry… especially for anyone looking to start a blog.

They are highly specialized in the domains and web hosting industry and the code of ethics which govern their system is based around taking care of their customers (see #9 below).

I’d like to point out real quick, too, that just because they brand themselves as the place on the web to host your blog with, their hosting and domain products really cater to anyone looking to build their online presence… from beginner sites to the most advanced and highest traffic generating sites.

10 Reasons WP Blog Host Kicks Other Hosting Companies Asses Like a Samurai

1. Security

When you purchase web hosting from a company, you’re not only getting a place to store your website, you’re also purchasing email accounts, FTP connections, ability to create online communities with logins and passwords, etc.

Over the past 3 years I’ve been blogging (and 15 years online), I seem to of earned a reputation around Internet-ville for being the guy that knows a thing or two about web security, especially WordPress security.

If you’re a blogger, realize that web security goes way beyond simply locking down your WordPress blog. Choosing the right web hosting company to host with is crucial to keeping:

• your website secure
• your emails hidden from view
• your FTP connections encrypted
• viruses firewalled from attacking your home computer

That’s where WP Blog Host kicks butt… security!

Hosting with them you can:

• Run your email through SSL encryption (even your iPhone’s email). That means your emails will be encrypted with the same technology used to encrypt credit card numbers online.
• Connect to your FTP account through FTPS (File Transfer Protocol Secure). This means your FTP username and password will never be transmitted in the clear and will always be encrypted.
• The servers used to host your website are upgraded to the latest and best security hardware/software there is.
• Customers can purchase SSL Certificates for their websites at a very affordable price which encrypts data sent to and from their website. So for example, if you use WordPress, you can log into your blog and work in your Dashboard area under the protection of SSL encryption.

2. It’s Easy to Find Customer Support & Help

This is a big one for me.

Recently, I did a WordPress upgrade for a customer who hosted their blog with a different company. The customer had a question related to their web hosting and being the good guy that I am, I tried to find the answer for them instead of telling them, “You need to contact your hosting provider.”

So I went to the customer’s hosting provider’s page (a relatively reputable company) and clicked on the Get Support button.

From there I was hoping to see a tech support phone number which I could call so I could get my question answered quickly. To my disappointment, there was no phone number to call.

To make matters worse, their “Get Support” page consisted mostly of links to tutorials so that hopefully you could answer your own question. There wasn’t even a clear area where to click to email their tech support.

Inevitably, this was the “Get Support” page option I was faced with:

What the heck? PAID support? Isn’t that what this customer was paying for when they purchased web hosting?

The WP Blog Host Alternative . . .

Simply head over to the Support Area of WP Blog Host and you’ll immediately find:

• 24×7 email and telephone support for hosting / domain products
• Extensive online help resources with a ton of downloadable pdf files
• WordPress help via this blog, contacting me, and WP Blog Host.tv

And what’s awesome about WP Blog Host is the fact that they have a really cool and experienced WordPress blogger (me) available to hit up when their customers have a WordPress or blogging question. I live and work right in the trenches doing what bloggers do everyday.

It’s my job. Not bad, huh?

3. Full Line of Hosting & Domain Products

We all hope that one day our blogs will explode and we get to become the next Darren Rowse of blogging. If that happens (lucky you) it would be nice to know your hosting company can stick with you no matter how much traffic your site receives or how popular you become.

WP Blog Host customers can choose from the following types of hosting:

• Low economical shared plans
• Virtual Dedicated
• Dedicated
• Unlimited options

When you become a problogger you need a web host who can stand by you and back you up no matter how popular your blog becomes.

GZip Compression for Speed

And if the speed at which your website loads is a concern for you, WP Blog Host’s servers are set and ready for gzip compression. Check out how with one simple copy and paste I sped up my blog’s load time here at WP Blog Host as much as 4.6 times!

4. Over 50 Free Simple Installations of Popular Programs

WP Blog Host has their own set of easy to install scripts, much like the Fantastico bundle of software you might see with other hosts.

I won’t bore you by listing out all 50+ programs you can easily install on your hosting account, but here are a few of the more popular ones:

• Blogs: WordPress, Geeklog, Serendipity, Lifetype
• CMS: Drupal, Joomla, Mambo, MODx, Nucleus, anyInventory
• e-Commerce: Zen Cart, osCommerce, nopCommerce
• Forums: phpBB, Simple Machines Forum, Vanilla Forum
• Misc: MediaWiki, phpFreeChat, phpmyvisites, phpMyFAQ

Click here to see the full list of the over 50 free programs.

5. Domain Names Come with Free Hosting & Free Email

You actually get a lot more than just free hosting and free email with each domain name, but those are the two most popular free products I see people use.

The email address comes with a full 1 GB of storage space and is personalized to your domain name. The free hosting is ad supported and comes with all the features found in the Economy Hosting Plan.

This is awesome because if you’re new to blogging and not sure you want to stick with it, you can purchase a domain name for under $10 and you can test your skills at blogging when you’re on a tight budget (though $6.95/mo. for hosting won’t set you back much).

6. Blog Security Upgrades Offered

If you’re a WordPress blogger, wouldn’t it be nice if your hosting company had someone on staff who knew a thing or two about blogging and WordPress?

That’s why I’m here at WP Blog Host.

My job is to simply be a blogger and do all the things a WordPress blogger does. By doing exactly the kinds of things our customers do and go through, I learn… plain and simple. I then can pass on my experiences to our customers through my blog, social sites, other blogs, etc. in hopes that I can help them succeed in this venture we call blogging.

Now what other hosting company does that?

Oh right… blog security upgrades! I was getting to that.

Because I’ve been there done that in blogging and have gone through the horrible experience of having a website hacked and broken before, I’ve spent the last year learning how to better secure a WordPress blog from intruders.

I now provide two services for customers: 1) A very informative ebook called, WordPress Defender, which includes nearly 2 hours of videos detailing how to systematically secure your WordPress blog and 2) forget reading the book, hire me to do it for you.

Again, what other web hosting company does that for their WordPress customers?

7. Economical Monthly Web Hosting Pricing

There’s one thing which really upsets me in the web hosting field… it’s when I see companies advertising things like $6.95/mo. web hosting in big bold letters only to find out that customers can’t really pay month-to-month, they must pay semi annually or annually.

Grrr… that gets me going.

They’re advertising something in big bold letters which they don’t really offer… monthly hosting.

It’s just a ploy so they can advertise the “low cost” of hosting.

On the flip side,

WP Blog Host not only offers truly affordable low cost month-to-month hosting (starting at $6.95/mo.), but they go the extra mile to make sure their customers always feel safe spending their hard earned dollars with them.

I’m not just talking security, I’m talking about making sure their customer’s money never goes to waste (see #10 below for more details on that).

8. Very clean and simple to use File Manager

It’s no secret web hosts share the same bundles of software which they use to allow their customers to connect to things such as their File Manager, FTP accounts, databases, etc.

Many web hosts use the cPanel program for such services; however, we’ve found that many new bloggers find the cPanel program’s File Manager to be a bit confusing. Take a look at the comparison.

cPanel File Manager (more confusing)	WP Blog Host File Manager (simple)

To this day I still have customers who host with other companies ask me what the difference is between the WWW directory and the public_html.

WP Blog Host’s File Manager is very clear, easy, and simple to use and figure out.

9. WP Blog Host Really Cares About Their Customers

If I could sum up in 3 sentences what WP Blog Host is about, it’s…

• Take care of the customer.
• Take care of the customer.
• Take care of the customer.

Of course they are a business and they need to make money to pay paychecks, lights, connectivity, etc., but their philosophy is that the best way to accomplish this is to focus on taking care of the customer.

If you focus on that, it’s only inevitable that money will follow.

I don’t work in the technical support department, but I know those are some of the nicest folks you will chat with and are very patient.

For me, I know I always try to take care of my fellow bloggers when they have questions, but when I know someone is a customer of WP Blog Host, I really try to go that extra mile when I can.

10. Web Hosting: You Only Pay for What You Use

How cool is this . . .

Let’s say instead of paying month-to-month for hosting you decide you want to pay for 1 year in advance (or any other number of years); however, after two months you decided “Ah, this really isn’t for me.”

All you’d need to do is call WP Blog Host’s tech department and let them know you wish to cancel your hosting and have the remaining 10 months you prepaid refunded back to you.

Done.

Just take care of the customer… it’s that simple.

Bonus Reason WP Blog Host is the Web Hosting Samurai – Backups!

Your website is safe and easily recoverable.

If you accidentally delete something from your website, or even worse crash it, fixing it is a snap.

WP Blog Host makes nightly backups of all hosting accounts and it’s easy for you to restore any part of your website back to 30 days prior. Just log into the File Manager, click the History button, and choose a date from which you’d like to restore a file, folder, or the entire site.

Now go get yourself a domain name and hosting account and start your website off with a web hosting company that kicks butt like a Samurai.

Related posts:

1. WP Blog Host Domain, Blog Security, & Hosting Promotions – Get'em While Their Hot
2. 8+ Drawbacks to Free Web Hosting
3. How To Choose The Best WordPress Blog Hosting Company

That hacker set me out on a mission.

Over the last couple of years I’ve soaked up everything I could about WordPress security. I learned many of the tricks those malicious jerks use to hack blogs, I watched as plugin developers developed plugins to fight back, I engaged the WordPress forums and other users in conversations about the topic.

All this time, experience, and knowledge I’ve gained over those last couple of years have culminated into one single resource I’ve been working on.

It’s called WordPress Defender, and it’s mission is to help you to never wake up one morning with the same kind of broken heart my wife had.

It’s a 150 page guide jam packed with things you can do today to start protecting your WordPress blog from malicious attacks. And if you’re worried it might be over your head, don’t. I’ve taken special care to make sure any and everyone can follow it.

You even get over 1.5 hours of video (14 videos in all) where you can watch me in real time set up many of these security features.

3 Day Special Offer

Don’t wait too long, because for 3 days only (March 1st – 3rd 2010) you can get it all for nearly 50% off ($19.99). After that, the price will go up.

Now let me ask you, is your blog worth $20? Is it worth skipping that night at the movies to ensure your blog is protected?

And if you’re the affiliate type… it also comes with an affiliate program which pays out 40%.

So take the time, go check it out and let me know what you think.

And if you ever have a question about anything contained inside the book, you know where to find me.

Related posts:

1. Something New to Blogosphere is Coming, Thanks to a Broken Heart
2. 2 Easy Ways To Set Up A WordPress Firewall
3. So You Think Your Website is Secure? Am I Scaring You Yet? I Hope So…

Procrastination is the killer of all that is good, if you ask me. Let’s take blog security.

I don’t think there’s a person out there that after learning just how much of a problem WordPress hacking is that it’s a good idea to enhance the security of their blogs. However, something I’ve noticed over the years is that when it comes to securing their blogs, bloggers seem to be stuck in this *reactive* state.

They don’t do anything until something has been done to them… until something bad has been done to them.

I live in Las Vegas. Las Vegas seems to be on the “bad” list for just about everything, crime included. It’s sad that I don’t feel real safe at night, but at least I have a house alarm which makes me feel a little more comfortable. Yes it is a reactive security feature I’ve set up, but it’s a proactive step. Many people don’t install house alarms until guess what? …they get robbed.

Why is that?

Because they get scared. It seems being scared is a big motivator. I scared one person when I emailed them to let them know I found a huge security hole in their website. Take a look at what I found:

If you click on the image above you’ll see that those are all database backups someone did for their blog. I found this (as well as many others) online and ready for download. If I were a bad, bad person, I could have done a lot of damage here, but instead I emailed the website owner their security problem. Hopefully they fixed the problem.

Let Me Show You Why You Need to be Careful

Since scare tactics seem to be what drives some people to take action (or at the very least start thinking about the problem), let me shoot a few scare tactics your way.

Let’s pretend I’m Joe the Butt Hole Hacker. I have nothing better and more productive to do with my life than hack into people’s sites and blogs and make their lives miserable. I don’t care about all the hard work and time you’ve put into your blog, I just want to break it.

Here’s some things I might consider doing.

1. Hang out at a local coffee shop or some other public area where there is free Wi-Fi.

After spending a few days and hitting a few spots around town, I finally find a cafe which offers free, unsecured Wi-Fi and to my pleasure, there are a ton of people sitting around each day connecting their laptops to the “free” Internet service. I sit down and use my handy dandy Wi-Fi cracker tool and log myself into people’s computers… remember, they’re all on a shared network.

From there it’s easy, all I need to do is upload a virus or key logger program so I can track your keyboard movements. “Hey look at that, that girl over there is logging into her blog. Here, let me see what she’s typing in her username and password for something.”

Lesson: Don’t trust free Internet connections. At least make sure the place uses a secured Wi-Fi connection if you’re going to use it.

2. Create fake online profiles

Since I (our fictitious hacker Joe) has nothing better to do with my time, I’ll go ahead and set up some fake social media profiles. Here, let me go to your blog and check out who your friends are and who you trust.

Got ‘em.

Now let me head over to one of your friend’s sites and take a couple screen shots of their blog, personal photos, and note a few names.

Got it!

Now it’s time to sign up for a new Facebook account and use this person’s name and identity to pose as your friend. Once I get it all set up, I’ll be emailing you posing as your friend and asking you to be friends with me on Facebook (or Twitter, or whichever social site).

Cool, now we’re friends. “Hey buddy, I’ve started doing blog upgrades. Tell you what, if you’ll do a review of my Facebook page and give me a little feedback, I’ll upgrade your blog for you – no charge. I’ll just need your username and password.”

Or perhaps it’s your computer I want. Instead, maybe I’ll just befriend you on Facebook and send a link your way telling you, “You gotta see this video! Click this link here.”

Oops, did I forget to tell you that link is not really a video? It’s a virus I created just for you!

Lesson: Don’t trust anyone online at all times. Yes you might make friends and over time you might even trust them, unfortunately, someone can use that trust against you.

Case in point: the other day my wife was watching Dr. Phil in the other room and when I heard him say something, I got up, walked out of my office and asked her to rewind it (oh how I love TiVo).

Dr. Phil said that someone was posing as him online and asking people to do something, like download a file or something… sorry, I forget now what that was. He said it was a fake site and he has never asked someone to download anything of the sort.

3. Password Guessing

As I (our fictitious Joe the Butt Hole Hacker) knows, people have way too many usernames and passwords to remember. You’ve got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, web hosting, etc. accounts which all come with logins and passwords you need to remember.

If you’re one of the proactive ones, I might find it a little harder to crack your password. But if you’re one of the reactive ones, I might just get you.

According to an article in the NY Times, one of the most popular passwords going around these days is 123456.

Lesson: Do I really need to say it?

I understand that since the birth of the Internet as we know it, things have gotten a lot harder to control and secure. People in 2010 assimilate 10 times the amount of information each day than people did in 1980 (that’s not a scientific study I did, just logic). I understand it’s hard to have a different username and password for all your online profiles, unless you use a program like Roboform (PC and affiliate link) or 1Password (Mac), which I HIGHLY suggest.

But realize that online security is something you really need to start thinking about. Don’t just be the reactive type, take steps to start protecting yourself today. Don’t let Joe the Butt Hole Hacker make your life miserable and turn all that you’ve worked so hard in creating come crashing down in a matter of seconds.

The point of this article is to hopefully get those of you who don’t think much about online security to start thinking.

So, did I put a little scare into you? Or is this just information you accept and figure if it happens, it happens?

Related posts:

1. WordPress Defender: 30 Ways to Secure Your Blog from Attack Anyone Can Do

I know, it sucks.

There are a ton of people out there with nothing better to do with their time than snoop around on the Internet watching for people who send login information, such as Usernames and Passwords, unsecured through the webs of the Internet.

Then when they capture someone’s login credentials, they take it upon themselves to easily log into the person’s account and fill it up with spam links and viruses.

Like I said, it sucks.

Unfortunately, it’s true and unless you take steps to protect what you’ve spend so many hours away from your family building, someone some day may take great pleasure in destroying. Even worse, they don’t even care that your website is what helps put food in your children’s mouths or collect donations to help fight cancer.

The worst part is many times they don’t even know who you are.

They use automated scripts/bots/spiders or whatever your choice term is for automated programs designed to sniff you, the unprotected WordPress users, out.

Where They Find Your Username & Password

As a web host, we have to deal with protecting customer Usernames and Passwords when they connect to their web hosting control panel, but when it comes to 3rd party programs like WordPress, it is up to the user to secure their program.

But that’s why I’m here, right?

When it comes to WordPress, there are 3 primary ways your Username and Password will be sent to your web hosting server unprotected:

1. When logging into WordPress
2. When changing passwords and/or adding new users to WordPress
3. Through your FTP connection (independent of WordPress)

In this article, we’ll discuss how to protect your Username and Password through SSL when logging into WordPress and doing things like adding new WordPress users and changing passwords.

In a follow-up article, we’ll discuss our FTP problem.

Encrypting Your WordPress Session

I know, no body wants to spend more money on something that doesn’t immediately get them a return on their investment.

But what does a business owner of a brick and mortar store think when she purchases a security system for their shop? That’s how you should think about your WordPress blog’s security.

The best way to encrypt your WordPress session is through SSL.

SSL stands for Secure Sockets Layer and basically what it does is allow for transfers of information over the Internet, such as your Username and Password, to be done in an encrypted manner.

You can buy one from our company by visiting our SSL Certificate page.

If you’ve ever purchased something online where you had to enter in a credit card number, chances are the web page you were on was encrypted with SSL. You can easily spot if this is so by looking up into the address bar and seeing if the web address starts with https:// as opposed to the standard http://.

The https:// means that when you fill in your name, address, credit card information, etc., it’ll all be transmitted over the Internet encrypted.

We can use this same method e-commerce sites use to encrypt our credit card information to encrypt our WordPress login information.

Setting Up SSL

To set up WordPress to work under SSL, you’ll need the following:

1. Your own domain name
2. Web hosting with WordPress installed
3. A dedicated IP address for your web hosting (purchased through your web hosting provider)
4. An SSL Certificate ($30/yr. if purchased from us)

Assuming you have your own domain name and WordPress blog already set up, the next thing you’ll need to do from the list above is purchase a dedicated IP address for your web hosting. To do that, you’ll need to contact your web hosting provider or visit their products page and purchase one.

Setting this up is easy. For the most part all you need to do is purchase it and tell it which domain name you want it applied to.

Once that is done, you’ll need to purchase an SSL Certificate. Some web hosts sell them while others do not. You can also find other companies that sell them, such as VeriSign; but in my experience, those companies are usually more expensive. Notice how they don’t even advertise the price on their landing page, you have to contact them for a quote.

How to install an SSL Certificate on your web hosting server is beyond what I want to get into in this article, but after you purchase one what happens is you will download the certificate and need to upload and install it on your web hosting account.

The process typically isn’t fun for those of you who think SSL was some kind of Saturday Night Live skit, but your web hosting company should help you get it installed. If not, tell them “Hey . . . thanks, buddy!”

The good news for WP Blog Host hosting customers is that we make this process very easy for you!

What else would you expect from a company whose target customers are newbie bloggers?

If you are a hosting customer of WP Blog Host, we will include free with your SSL Certificate (when purchased from us) a dedicated IP address and best of all, we’ll even install everything for you so your website is SSL ready.

All you’d need to do is wait for an email informing you everything is set up.

From that point, once you have managed to get your website SSL ready, you can move on to the next step and actually apply it to your WordPress admin area.

Setting Up WordPress To Use SSL

Now that you got SSL set up to work on your website (i.e. https:// is available), you can move on to the simple step of telling WordPress it can use SSL to log you into WordPress securely and encrypt the stuff you do from within your Dashboard (write posts, create users, change passwords, etc.).

Log into your web hosting control panel and head over to your File Manager.

From there, locate your wp-config.php file and open it up using your control panel’s file editor.

Once opened, paste this code anywhere inside it:

/* Force Login and Admin SSL */
define(‘FORCE_SSL_LOGIN’, true);
define(‘FORCE_SSL_ADMIN’, true);

Source: WordPress.org SSL

I know adding security to your blog is not fun, but it really is a necessity.

I think $29.99 a year for an SSL Certificate is money well spent. I know it might suck getting it set up (unless you’re a hosting customer of WP Blog Host), but once it’s done, it’s done – and you’ll be logging into your blog over an encrypted channel from now on.

You can see that I’m using SSL for this blog, just go up to the address bar and add a “s” to the http (i.e. https://wpbloghost.com/blog).

I don’t run my frontend encrypted because many of the images I have linked to are not https and would cause Internet Explorer to pop up a warning box to users which I feel might scare some of them away. It just tells them there are some items which are secure and some which aren’t (like pictures).

Questions:

Do you think your blog’s security is worth $30 a year?

How many of your are convinced this is something you really should do but in reality you probably will never get around to it?

UPDATE: I forgot to mention WP Blog Host is running a few promotional codes you can use when purchasing products. If you purchase an SSL Certificate, you can save 5% or more by using the promo codes below. Codes are good through Thanksgiving.

Promo Code Description Start Date End Date 100CN15 15% discount off any order $100 or more 11/2/2009 11/27/2009 50CN10 10% discount off any order $50 or more 11/2/2009 11/27/2009 5NC25 5% discounts on orders $25 and over 11/2/2009 11/27/2009 Visit our Product Catalog to view all our hosting and domain products.

Related posts:

1. WP Blog Host Domain, Blog Security, & Hosting Promotions – Get'em While Their Hot
2. 2 Killer WordPress Security Plugins You Probably Don’t Know About
3. WordPress 3.0: Security Upgrades Overview & How To Install It

People’s blogs get hacked on a daily basis. A simple Google search for my blog was hacked returns 2,620,000 results.

I tend to think of blog security like the progression of driving a car through the years.

At 16 when you’re new to driving a car, you know driving a car safely is good, but you don’t do it. Instead, teens tend to drive more carelessly than older more seasoned drivers. However, the one time one of these teens get in a serious car accident, all of a sudden a light bulb turns on and they realize just how dangerous it is to drive carelessly.

The problem is, the process keeps washing its hands and repeating itself. As that teen ages, new teens begin driving and take to the roads, and can you guess how they drive?

The same holds for blogging. When newbies begin blogging either they don’t know the statistics of blog security or they don’t think it’ll ever happen to them. Then one day if they do get hacked, all of a sudden blog security becomes an issue. If, however, they are lucky enough to not get hacked early on (i.e. as they age), they begin to realize blog security is becoming more and more important since they have a lot more to lose (posts, comments, design, etc.).

2 WordPress Security Plugins You Should Consider

1. Chap Secure Login

In order to log into WordPress, you need to enter in a username and password. The problem is, unless you log in through a SSL connection (tutorial post coming soon), this information is sent through the Internet unprotected and can be seen by snooping eyes.

That’s where the Chap Secure Login plugin comes in.

Chap stands for Challenge Handshake Authentication Protocol and what it does is encrypt your password through the use of the MD5 hashing algorithm in JavaScript so that it is sent to your web host in a secured manner.

Whenever possible, I suggest logging into your WordPress blog through SSL, but if that’s not an option for you, I highly suggest using this plugin; and the best part is, there’s no configuring, just upload and install the plugin and you’re all set.

2. WordPress File Monitor

Securing WordPress is great, but as I’ve mentioned before it’s impossible to completely secure WordPress 100%. Just as important as securing your WordPress from being hacked in the first place is knowing when your blog has been hacked.

Matt Walters developed an excellent file monitoring plugin, called WordPress File Monitor, which will monitor all your files for any alterations made to them.

Many times WordPress crackers will attempt to insert vicious viruses or spam links directly into your WordPress files. These viruses can be designed to do just about anything they want, including downloading viruses to your website’s visitor’s computers.

The WordPress File Monitor plugin monitors each of your files for changes that occur inside them. So, say for example, someone uploads malicious code to your footer.php file, the WordPress File Monitor plugin would capture that change and email you that a change has occurred. There’s also notification in your Dashboard.

Once notified, you can head over to that file and check for anything suspicious.

As a bonus, this plugin can also be configured to monitor and report changes to files outside of your WordPress directory. This is a huge bonus for those of you who run a static HTML website for your home page and have WordPress installed in a separate directory, like /blog.

Here’s a couple screen shots from this plugin:

Have you thought about blog security lately?

How would you feel if one day you found your blog has been cracked into?

Would you be prepared to deal with the problem and make your blog right?

If you’re interested in keeping up to date with the latest in blog security, WordPress, and my own personal blogging tips, you can subscribe to my RSS feed here. Also, if you’re interested in locking down your WordPress blog and add some security features to it, I can do that for you.

Related posts:

1. 50+ WordPress Plugins & Hacks Candy Store
2. WordPress Security: The First Thing You Should Understand
3. Increase Your WordPress Blog’s Security By Running It Through SSL

Taken from WordPress.org:

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.

You can download the latest version of WordPress here.

If you don’t know how to upgrade, WP Blog Host has the following video tutorials. I also provide this service for $50, by the way.

How To Upgrade WordPress Using The Automatic Upgrade

How To Upgrade WordPress Manually

Related posts:

1. WordPress 3.0: Security Upgrades Overview & How To Install It
2. How To Upgrade WordPress Manually Video
3. WordPress Management: Cleaning Up Your Root Folder

A few days ago I published a post, How To Install WordPress Manually and Why Beginners Should Do It. It was my first time using blip.tv to broadcast my videos and I have to say, I’m very pleased with the results.

The one great reason I think to use blip.tv to broadcast your videos over YouTube is video quality.

Basically, when you upload a video to blip.tv, it seems the video quality remains pretty much the same as what it looks like right after you record your video and watch it on your computer. When I upload videos to YouTube, on the other hand, I get a little loss in video quality.

Take a look. The two videos are the same videos I uploaded from my computer to both sites. You’ll notice in addition to a little better video quality, blip.tv did not resize my video when I copied and pasted in my embed code.

blip.tv version

YouTube version

YouTube does have one distinct advantage over blip.tv.

Can you guess what it is?

Popularity.

I’m sure more people will see my videos on YouTube than blip.tv simply because YouTube is so popular. So for now, I’ll upload my videos to both sites, but the ones you watch from my blog will be embedded from blip.tv.

Have you started video blogging (vlogging) yet? If not, you might want to consider it. I think we’re on the road to seeing a lot more of it.

Related posts:

1. Videos To Help Craft A Better Website & Attract Attention
2. WordPress 2.8.2 Has Been Released & Provides Security Fixes
3. How To Upgrade WordPress Manually Video

He sent me his username and password and noted that he was hosted with Host Gator.

Ok, no problem.

So I headed over to Host Gator’s site only to get frustrated as hell. They are suppose to be a web hosting company. I assume that means people will be logging in and out of their accounts often, not to mention needing access to their webmail accounts whenever they’re away from home and don’t have access to their normal email program.

But I couldn’t find a login / out link anywhere. Now when the person signs up for web hosting they will be sent a link to the login page in an email, but what if you want to login from your parent’s house? Or an Internet cafe? How are you suppose to get into your webmail? Do they have webmail?

Confused, I clicked on their Support link and typed in my question. The returned response made it sound like logging is was such a hassle I had to watch a movie on how to do it.

Ok, I’m not meaning to bash on a competitor’s website. Sorry Host Gator, I don’t have anything against you, I swear.

The point here I’m trying to make is this.

You need to make things easy for people online. If you own a membership based website, make it easy for them to get into their account. If you sell a product, make sure navigation to that product is laid out easily.

The worst thing you can do is create confusion on your blog, because I have a saying I’ve always stuck with and has served me well.

“A confused mind always says, no“.

Related posts:

1. Is Your Website Web 2.0 or Corporate?
2. Using Photos On Your Website
3. Marketing In A Crowded Market