Site Security, Again…

There is a security update for self-hosted WordPress sites that you need to install. It is numbered 3.4.1 and contains security fixes.

  • Back up your site.
  • Run the update.
  • Update your BPS Security installation, or update whatever site security software you use. You may have to create new, updated .htaccess files. Then you will have to reactivate the BPS coverage of them.

Security updates are critical to your site’s smooth functioning. There are times when I sigh and remember the days of using Google’s Blogspot hosting. I decided I just couldn’t risk the continued control of my site by some other entity. I loved the ease of site design, the no-cost option, and not having to deal with spam. BUT I worried about the option Google could exercise to take my site down with no warning to me. Is that ever worth it? Unless I backed up constantly to some external site or drive, the answer for me was a resounding, “No.”
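The first two steps above (back up, then confirm the update is actually needed) as a small pre-update script. This is an added example, not code from the original post or from WordPress; it assumes a standard WordPress directory layout and takes the site path as its argument. It only archives the files; the database still has to be dumped separately with the credentials in wp-config.php.

```bash
#!/bin/sh
# Added example: pre-update check and file backup for a self-hosted WordPress
# site. Reads the installed version from wp-includes/version.php, compares it
# with the release the post says you need (3.4.1), and tars the site directory
# before any update runs. Hypothetical helper names; standard WP layout assumed.

REQUIRED_VERSION="3.4.1"

# Return 0 (true) when dotted version $1 is older than dotted version $2.
# Compares numeric components, so 3.4 < 3.4.1 and 3.10 > 3.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0;
            if (x[i] + 0 > y[i] + 0) exit 1;
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Print the version declared in <site>/wp-includes/version.php ($wp_version = '...';).
wp_installed_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 when the site is older than REQUIRED_VERSION (or the version is unreadable).
wp_needs_update() {
    installed=$(wp_installed_version "$1")
    [ -n "$installed" ] || return 0
    version_lt "$installed" "$REQUIRED_VERSION"
}

# Archive the whole site directory into <dest>/wp-backup-<timestamp>.tar.gz and
# print the archive path. Run this BEFORE the update, never after.
wp_backup() {
    site="$1"; dest="$2"
    archive="$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" || return 1
    echo "$archive"
}

# Usage: ./wp-preupdate.sh /var/www/mysite /var/backups
if [ "$#" -ge 2 ]; then
    wp_backup "$1" "$2" || { echo "backup failed, not updating" >&2; exit 1; }
    if wp_needs_update "$1"; then echo "installed $(wp_installed_version "$1"): update to $REQUIRED_VERSION"
    else echo "already at $(wp_installed_version "$1"); no update needed"; fi
fi
```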

I have invested too much of my soul into my writing to risk losing all those captured thoughts, or allowing someone else to control them. I also wanted to host my own images for the same reasons.

WordPress was the logical choice for me. I will admit that at first I did not understand what a huge security risk I was taking with this step. Live and learn. I learned a great deal about the real differences between a url, a domain, a site, a host, the site software, intellectual property, and a huge amount of other information about how I put my thoughts out on the web.

Because I had next to no funds to pay someone else to create and maintain sites for me when I first started doing this, I learned how to do it myself.

I’m continuing to learn how to do as much as I can for myself. I have played around with Drupal CMS (content management system) sites in the past and will eventually use Drupal for some of my sites. But some of my main strengths are my skepticism and my DIY attitude. So I am not apt to give in and 1) believe everything I’m told, and 2) allow anyone else to do for me what I cannot do for myself.

One of my friends simply delights in telling WordPress users that something like, he says, 87% of WordPress sites are infected with malware. I say, that may be true, but 50% of those sites have taken absolutely no steps toward securing their site.

Get http://www.akismet.com to stop spam comments. Require that people leaving comments prove they are human the first time they leave a comment by having to fill out name and website; this is an option under the discussion settings on your dashboard.

And MOST IMPORTANTLY of all, make sure that your cPanel settings, through which you access your hosting services, have anonymous FTP disabled. You do not want to allow anonymous access through which someone could upload files, malware, and all sorts of nefarious software onto your server. Seriously, if you don’t know how to do this, or how to find out whether it is enabled, talk to your hosting company or the person or company you use to maintain your WordPress site and make sure anonymous FTP access to your server is disabled.

Don’t be freaked out, just start doing and eventually it all falls into place.


W is for WordPress (continued) Widgets and for Weekday Blogging in May

I had intended this “W” post to be about weekday blogging as a variant of the daily blogging challenges that are popular with the more vociferous of bloggers. I started a series of articles on WordPress security and easy fixes with updates to various parts of blogs that use this publishing platform that is overlapping with my intention to write about the frequency of posting I will be doing in May. I will just, for now, say that I will not be doing NaBloPoMo on BlogHer in May. Writing every single day is not a problem for me, but writing a publishable blog post every single day of the month can be problematic. I do like the structure and camaraderie that group writing challenges provide to me. I will be writing about the quandary in which this places me within a couple of days….

…so now for WordPress Security, part tres…

The basic and relatively easy security fixes for WordPress blogs covered so far have been version updates to WordPress itself. Plug-in updates have also been covered. Themes should also be updated as new releases are made. If the creator of the theme you are using does not release updates, you need to find a new theme provider.

Software evolves over time to include new features and fixes. Themes written for versions of HTML before HTML 5, for example, need an API or plug-ins to adapt the site to mobile devices, whereas HTML 5 has divided object tags into specific tags for each type of media that may be included, such as video. If these things are not done, the theme that defines how your website elements appear and mesh will show up as garbled mumbo jumbo on phones and other portable devices. Themes also have to co-evolve with new versions of WordPress. The WordPress dashboard should let you know when a new version of your theme is available.

As promised, I am including links to other sites on some other security topics. These cover some of the other easy fixes for common security mistakes made by lots of people and exploited by lots of bad guys.

Passwords

This Mashable article lists the most commonly used passwords from 2011 as determined from hacker-compromised accounts. Don’t use any of these or anything like them. It also suggests methods you can use to create secure passwords. User names are a lot like passwords. Don’t use “admin.”

Site Scans

Sucuri provides a free scan of your sites to let you know if you have been infected by malware. It also has a good blog that talks about current threats to WordPress from malware. This blog also posted a video of a security webinar that occurred yesterday and that lasts for about an hour and a half, if you have the time and interest. It is informative if you are new to WordPress, and maybe if you aren’t. I learned a few new things when I watched it.

Widgets

Prepackaged widgets can contain code that links to malware. Use widgets with caution and read about what can happen with JavaScript links in widgets in a Sucuri post from last year.

There are a ton of other things you can do to secure your self-hosted site. I am not a security expert, at least not when it comes to WordPress, but as I learn more I will share. I do use NoScript for my Firefox browser and I recommend it for folks who are not put off by a few extra steps when they want to load a bit of Flash or JavaScript on a site they trust; it blocks such code automatically on other sites. It stops a lot of malware.

Other Platforms

I don’t know a tremendous amount about other platforms, but I can share why I decided to move my blog from Blogger at blogspot.com to a self-hosted WordPress blog. I will do so in another post, and I will link it back here when I write it. In the meanwhile, here is a link to a Google post on security for Blogger blogs for those readers who asked about their blogs on this other platform.