It’s old news now but, last year, The Guardian, Netflix, CNN, and Reddit were taken offline in the largest Distributed Denial of Service (DDoS) attack in history, a simple but effective bit of cybercrime that overloads a service with data until it collapses. With hacking now an almost mundane occurrence, there’s an obvious question to ask – how does this affect me?
As a blogger, it’s easy to think that your website will slip under the radar of cybercriminals but, as DDoS tools can be rented on black marketplaces (the above attack was done by an amateur and cost $7,500), the barriers to entry are falling – and it shows; ZDNet notes that 124,000 DDoS attacks occurred every week in 2016.
Granted, we only ever hear about cybercrime in the context of massive businesses, but that’s because a DDoS attack on a small business or blog doesn’t make for interesting news, which creates a false sense of security for bloggers and small businesses alike.
Consider the following – if your blog makes any money, or if data loss would cause significant problems for your site, you need to protect it from DDoS attacks as well as from threats like SQL injection and cross-site scripting (or “XSS”). The latter trick can install code on your blog that infects visitors’ computers, a good example of which is currently troubling Steam.
Unlike “hacktivists” (Anonymous, etc.), armchair criminals don’t always need a compelling reason to take sites offline; after all, the attack on The Guardian and Netflix was simply collateral damage from one person’s grudge against the PlayStation Network. So, with all the above in mind, here are a few quick security tips for savvy WordPress bloggers:
1. Find a Security-Conscious Host
Your blog is much more vulnerable to attack if other websites on your host’s server are infected or hacked. Consequently, a secure host is your primary consideration when setting up a new domain. Look for hosts that have things like server-level firewalls, disk-write protection (to stop the embedding of malicious code), plugin screening, and a backup policy. Dedicated human tech support is also a must.
2. Create a Disaster Recovery Plan
Disaster recovery is rapidly becoming an essential part of any business, sometimes constituting up to a quarter of IT budgets, according to Incapsula. A disaster recovery plan does exactly what the term suggests in ensuring that businesses prepare for every eventuality while taking steps to avoid negative scenarios. For instance, it may be pertinent for a company to outline a course of action in the event that a service provider loses connectivity or a computer room becomes unavailable.
3. Invest in Cloud Security
“Invest” is possibly the wrong word to use here as online security is an increasingly affordable option for website owners. Taking the form of web application firewalls (WAFs), cloud security acts as a “barrier” between an online service and malicious traffic, meaning that it can provide effective protection against DDoS attacks and SQL injection. For websites handling transactions, WAFs can also assist with PCI DSS compliance.
4. Create a Backup
Backing up content, images, custom XML and CSS, as well as plugins is a great way to minimize downtime in the event of an attack. However, it can be a chore, especially if a website is more than a few months old. WordPress does give its users the option to download their blog wholesale (My Site > Settings > Export) but there are a number of third-party plugins that can expedite the process or create a backup in a preferred format.
Finally, reinforcing a blog against advanced threats is pointless if a website will yield to simple attacks like password-cracking software. It might sound counter-intuitive but the best passwords are the ones the user struggles to remember. Don’t underestimate the value of 2-factor authentication either, something WordPress has been offering for a number of years now.