Is Your Blog Secure?
By Laura Rich
Like millions of Internet users, you may have embraced the online lifestyle by creating a personal blog. But do you realize that your page may feature a variety of avenues through which malicious threats and thieves can travel?
The pictures you post from external sources, the ads you run and even the platform you use could be providing online troublemakers the tools they need to perpetrate mischief.
Robert Scoble, a prominent technology blogger, discovered one day that two months of his blog entries had been deleted. Malicious code had been entered into some of the archived pages, leading Google to remove his site from its index. And links to porn sites had been added to several pages. “Once this happens, how do you feel safe again?” he wrote on his blog after the incident.
Fortunately, there are preventive steps you can take to make sure this doesn’t happen to you. Scoble’s first mistake was not upgrading to the latest version of his blog software. Updating is important because newer versions address known vulnerabilities.
He also did not back up his content, an essential step, be it files on your computer or your site. And finally, he did not change his automatically given “admin” login to something less generic.
“Bloggers are more into writing than into site maintenance,” says Denis Sinegubko, a security expert and researcher. “They do not always upgrade their blogs when security patches are available, leaving blogs vulnerable for a long time.”
These general rules will help keep your blog safe and secure:
- Create a new administrator account. As soon as your blog is up and running, make yourself the administrator with a new login and delete the original “admin” account. This will ensure that any threats developed to target the generic admin account won’t find it on your site.
- Use a complex and “unguessable” password. If you follow the general rules on setting a password -- avoid using your birth date, children’s names or any other personal information, and combine letters and numbers -- you’ll be in a defensible position.
- Install security scanning software. Use software recommended by your blog provider and set updates to occur automatically and frequently. The scan will check for malicious code and alert you to vulnerabilities.
- Always upgrade. Learn from Robert Scoble and make sure you have the most up-to-date version of your software at every chance. You will be prompted each time as soon as it is available. Upgrading is easy and usually involves a simple approval button, and then the installation takes place in the background.
- Be scrupulous about users and privileges. The most secure thing you can do is limit access to yourself. But sometimes, you’d like to let others post to your site. If you need to do this, be aware of the access you’re giving them and limit it to the specific task they’ll perform. When they are done, disable access to their account.
- Back up, back up, back up. Enough can’t be said about the importance of backing up your work. Most blog providers offer or recommend specific backup programs. They are easily installed and can be set to regularly back up automatically.
The general software that helps you run your site is not the only thing that may carry risks to your blog; every file and application you post to your site can too. Here’s how to spot specific risks and what you can do about them:
1. Copying and pasting. It seems easy enough: You want to comment on another person’s post, so you copy in an excerpt and write a little commentary. This is acceptable in theory, but in some cases, you may have copied unwanted code along with the text.
- How to fix: It’s OK to copy and paste, but if you do, take a look at the HTML before you publish to your site (you’ll find this option in the toolbar on your blog entry page). If you see any code you don’t want, take it out. That will solve it. You can also check for any unusual formatting and code by previewing your entry before you publish.
2. Images. Pictures are a nice touch on a blog, but they may also hide malicious code if you’re not careful.
- How to fix: Use legitimate, trusted sources. If you’re trying out a new source, view the HTML before you publish to make sure there isn’t extra code attached to the image, particularly file names ending in .php or .exe. The only file names that belong there include typical image file names ending in .jpg, .gif and the like.
3. Applications. Page counters, slideshows, animations, comment tools -- additions like these are sure to add flair to your blog, but they are also potential vehicles for attackers’ antics if you aren’t careful.
- How to fix: Only add applications that have been endorsed and rated by your blog software provider. It’s worth reading the reviews and comments from other bloggers who have used these applications, to understand where the glitches may lie. You might also be able to identify any peculiar behavior by previewing the application before publishing it to your site. Most importantly, always upgrade to the latest version as soon as you are alerted that it’s available.
4. Advertising. Most blog providers offer the option to carry ads on your site. This is a nice touch to earn some money for your efforts. But ads are prime targets for distributors of malicious code -- even The New York Times website became vulnerable to malware when an attacker posed as a respected national advertiser and then swapped out a seemingly legitimate ad for phishing material.
- How to fix: If you join a network that rotates ads across many sites, you may have some control over the type of ads it distributes to your site, but to prevent attacks, also scrutinize its security measures. As well, security scanning software installed on your site will usually notify you when malware reaches your blog. If you work directly with an advertiser that you’re not familiar with, find out as much as you can before agreeing to add their code to your site.
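The HTML checks from items 1 and 2 above (unwanted code carried along with pasted text, and image sources ending in .php or .exe) can be run automatically on a draft before publishing. The script below is an added example, not part of the original article; the list of flagged tags, the list of accepted image extensions, and the sample post are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumption: the extensions treated as "typical image file names".
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}
# Assumption: tags that load or run code and rarely belong in a pasted excerpt.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class PostAuditor(HTMLParser):
    """Collects (line, description) findings for a draft post's HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # onclick, onmouseover, onerror, ...
                self.findings.append((line, f"{name} event handler on <{tag}>"))
            elif name in ("src", "href") and value.lower().startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name} on <{tag}>"))
            if tag == "img" and name == "src":
                # Look at the path only, so a query string cannot hide the extension.
                ext = posixpath.splitext(urlparse(value).path)[1].lower()
                if ext not in IMAGE_EXTS:
                    self.findings.append((line, f"image source is not an image file: {value}"))


def audit_post(html):
    """Return findings to review by hand before publishing."""
    auditor = PostAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample draft: a pasted excerpt plus two images and a widget.
SAMPLE_POST = """<p>Great point from another blog:</p>
<blockquote onmouseover="track()">Quoted text</blockquote>
<img src="https://photos.example/cat.jpg" alt="cat">
<img src="https://cdn.example/banner.php?id=7" alt="banner">
<script src="https://cdn.example/widget.js"></script>
"""

if __name__ == "__main__":
    for line, problem in audit_post(SAMPLE_POST):
        print(f"line {line}: {problem}")
```

A clean result only means none of these patterns were found; previewing the entry before publishing is still worthwhile.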
Keeping a blog is a rewarding experience for many. Make sure it stays that way by guarding your work from the start.
Laura Rich is a freelance writer based in New York.