Protect your blog
Castles have very regular (not to say, boring!) layouts.
Why is that? Why don't they have any fancy layout?
If they had a funny shape, they would be much more attractive!
Fancy, but less secure
Castles were built with defense in mind: they aim to reduce the attack surface and keep control of it. Fancy extras create new openings and make your defense less secure.
Boring, but more protected
When you create your own blog, you may be tempted to add many extra add-ons to make it more attractive: contact forms, slideshows, RSS…
It makes sense from a marketing perspective – who doesn't want to look more attractive? – but by doing so, you increase the attack surface. Many attacks have been reported recently, and they show that not all plugins follow the same quality standards when it comes to security.
Typically, attacks against blogs are either done by brute-forcing simple passwords or exploiting weak plugins.
The usual goal is to modify part of your blog, either to redirect visitors to malware or to link to other websites to increase their ranking in search engines and thus generate ad revenue. Another possibility is to take your content hostage, or to take over your server and use it as a relay for malicious content.
At best, your blog is blacklisted, and your visitors will be prevented from entering, for their own safety:
This is not very attractive.
At worst, your database could be stolen, deleted or ransomed, or your server could be taken over, and even worse: you could be liable…
Since such attacks are done transparently and silently, you may think it is a false positive, as nothing seems to have changed in appearance: a small URL insertion in one of the PHP scripts can have big consequences.
What should you do?
To protect your blog, you should reduce your attack surface and keep control of your defense:
- Reduce your weaknesses by removing unnecessary or insecure plug-ins (Google for the plug-in name, check whether it is widely used, check whether any security bug has been reported, and whether the authors seemed to care).
- Generate logs, and check them
- Back up your blog files: to recover from deletion, of course, but also to make post-infection analysis much easier, so that you can quickly check what was modified.
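One way to act on the last point, comparing the live blog tree against a backup to list what was added, deleted or modified and to show the lines inserted into a changed PHP script. This is an added example, not code from the original post; the file names, the fixture directories and the injected script line are constructed for the demo.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(backup_root, live_root):
    """Classify live files as added, deleted or modified relative to the backup."""
    old, new = manifest(backup_root), manifest(live_root)
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def inserted_lines(backup_root, live_root, rel_path):
    """Lines present in the live copy of rel_path but absent from the backup copy."""
    old = Path(backup_root, rel_path).read_text().splitlines()
    new = Path(live_root, rel_path).read_text().splitlines()
    diff = difflib.unified_diff(old, new, lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def build_fixture():
    """Constructed sample (hypothetical paths and contents, not from any real site):
    a clean backup tree and a live tree with one injected line, one stray file
    and one deleted plugin file."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    clean_index = "<?php\nrequire 'header.php';\necho 'Hello';\n"
    for root in (backup, live):
        (root / "plugins" / "gallery").mkdir(parents=True)
        (root / "index.php").write_text(clean_index)
        (root / "plugins" / "gallery" / "gallery.php").write_text("<?php // gallery\n")
    injected = "echo 'Hello';\n<script src=\"http://example.invalid/r.js\"></script>\n"
    (live / "index.php").write_text(clean_index.replace("echo 'Hello';\n", injected))
    (live / "plugins" / "gallery" / "gallery.php").unlink()
    (live / "plugins" / "cache.php").write_text("<?php // not in backup\n")
    return backup, live

if __name__ == "__main__":
    backup, live = build_fixture()
    report = compare(backup, live)
    print(report)
    for path in report["modified"]:
        print(path, "->", inserted_lines(backup, live, path))
```

Run it against a real backup and live directory by replacing the fixture paths; a file that is modified without any inserted line (only removals or edits) still appears under "modified", so review those by hand.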