In my previous two posts I talked about securing your data by backing up your personal computer(s) and your website so that you can recover quickly in case of a technical disaster. But aside from hardware failures, what can happen to your website?
About 40% of the Internet runs on WordPress. This makes it an attractive target for spammers and hackers, so it’s important to protect yourself from attacks as much as possible. The three main threats are spam, malware, and brute force attacks.
Let’s talk about spam first. Why is it called spam anyway? We can thank Monty Python for that.
The term spam is derived from the 1970 “Spam” sketch of the BBC television comedy series Monty Python’s Flying Circus. The sketch, set in a cafe, has a waitress reading out a menu where every item but one includes Spam canned luncheon meat. As the waitress recites the Spam-filled menu, a chorus of Viking patrons drown out all conversations with a song, repeating “Spam, Spam, Spam, Spam… Lovely Spam! Wonderful Spam!”.
In the 1980s the term was adopted to describe certain abusive users who frequented BBSs and MUDs, who would repeat “Spam” a huge number of times to scroll other users’ text off the screen….
It later came to be used on Usenet to mean excessive multiple posting—the repeated posting of the same message. The unwanted message would appear in many, if not all newsgroups, just as Spam appeared in all the menu items in the Monty Python sketch….
Spammers use automated scripts to post comments on WordPress sites. Most of them are annoying but harmless requests to visit porn sites. In order to avoid exposing your readers to this trash, the first thing you should do is go to the WordPress ‘Discussion’ settings (Settings > Discussion on the left toolbar) and make sure that ‘Email me whenever: Anyone posts a comment’ and ‘Before a comment appears: Comment must be manually approved’ are checked. But this will require you to manually check and delete a lot of spam messages. So we need to stop the spam altogether.
As we say in the WordPress world, “There’s a plugin for that.” There are usually a lot of plugins to choose for anything you want to do, and this is true for anti-spam plugins. WordPress even comes with one pre-installed, but not activated. Akismet is developed by Automattic, the company that developed WordPress. It’s one of the best anti-spam plugins available, but it costs $10/month if paid monthly, or $8.33/month ($99.96/year) if paid annually, for a commercial site. And your writing blog is a commercial site.
I used Akismet on one of my sites for a while. It did catch a lot of spam, but I still had to delete every spam message manually. If a site is “popular” with spammers, that can mean ten or more messages a day! So I installed a free plugin, Antispam Bee, that deletes spam silently. As with most plugins, do your research and try out various plugins to see what works best for your site.
Another reason to stamp out spam on your site is that it can contain malicious links that can infect your site, or your readers’ computers, with malware—viruses, worms, trojan horses, and other nasty stuff. Some of those infections can turn a computer into a bot that can be used to send more spam, or join with thousands of other infected computers in a Distributed Denial of Service Attack (DDOS) or a Brute Force Attack.
A Brute Force Attack hammers the login form on a site in an attempt to sign in with an administrator account. It uses a list of common passwords (that shouldn’t be used as passwords) and passwords that have been harvested from security breaches on other sites. Once a hacker gets into a site with admin privileges, they have access to all your users’ account information. But even if they don’t get into your site, a Brute Force Attack will impact the performance of your website—and possibly the entire server that your site is running on.
A DDOS attack simply pounds on a site with thousands of requests a second so that the site or server is brought to its knees. This can be done for political reasons, or to demand payment to stop the attack, or simply for the enjoyment of a twisted mind.
There are a couple of ways to stop this kind of attack. Some hosting services provide network- and server-level protection as part of their service. Check with your hosting company and ask them. And of course, there’s a plugin for that. If you search for WordPress security or firewall plugins you’ll find lots of them.
I use Defender, which does malware scanning, login (Brute Force Attack) protection, and firewall (hacking) protection. It’s easy to set up, and has a “recommendations” section that can protect your site from various hacks with a single click. For example, did you know there’s a way for hackers to find out the login names of all the users on your site? There is… and Defender can stop that with one click. I’ve been using the free version, but I’m thinking of upgrading to the Pro version ($60/year).
Of course there are other great security plugins. Check them out (or have your Tech Wizard do it) and install one to protect your site… and your users!
Next month I’ll be back to posting about writing, I promise!