Back in 1999, a new type of journalism started to gain ground, mostly powered by the emergence of a couple of free publishing platforms. Back then, no one had imagined that blogging would become one of the most important means of expression on the Internet, nor that it would change the face of conventional journalism as we knew it.
At the moment, there are about 147 million blogs (as tracked by BlogPulse), and other 54,000 new ones emerge on a daily basis, according to the same statistics. While most blogs are personal creations maintained by one or two individuals, others are part of complex corporate communication schemes, each catering to their own niches.
This material covers the basic guidelines for safe blogging and is especially focused on individual blogs that are either self-hosted or provided as a service by major blog providers.
While some of the bloggers opt for a hosted account with major blogging platform developers ” especially those who are just starting to get the “fever”- some others go with a self-hosted plan that offers extra flexibility in both management and design, but at the same time, that needs extra attention to avoid incidents.
Blogspot® , WordPress® and LiveJournal® are three of the most popular services that offer free blogs. They are publicly available as a service and professionally maintained by the provider, which means that the user does not have to worry about patches or other kind of server-side security fixes, because they are automatically pushed by providers. However, although a blog hosted with third-party providers is usually more difficult to break in, it is still prone to threats such as spam or phishing, as described next.
Regardless of the type of hosting and content niche, a blog is usually created and maintained to add a plus of value to the business or personal image, or it may even be the very business itself. Advertising-driven blogs are extremely common and represent a source of income for the vast majority of bloggers. There are, however circumstances when the blog can turn against its very purpose ” for instance, when it has been compromised or has been used to harm its owner.
Blog spam is one of the most common means of inflicting damage to the owner`s reputation. Spam comments usually contain links that might take the visitor to harmful or (at least) obscene content. A large number of spam messages would dramatically minimize the blog`s usability and would make the valuable information more difficult to reach. Various links to shady websites embedded in these spam messages are also likely to affect the blog`s reputation in search engines ” a key element in a cut-throat online business. More than that, users will navigate away from a spam-soaked blog, thus losing loyal reader base. The bad news is that blog spam is one of the threats that affect both self-hosted blogs and those offered as a service.
Side note
About 99 percent of the total number of spam messages posted on blogs and forums is sent by spam bots ” small applications written in a scripting language such as Perl or Python. These bots are highly versatile for their purpose, but at the same time, they are also extremely easy to defeat. Some of the most common approaches include forcing the usage of JavaScript of cookies in order to post a comment. Since spam bots are unable to handle JavaScript or cookies, they will fail to post the message. Other similar approaches include adding a text field hidden via CSS that has to be empty in order to go further. Since the spam bot sees them in the web page`s source code, it will try to complete it with junk text, which actually prevents the form from being submitted.
On the bright side, fighting blog spam is relatively easy, provided that you have the right tools and you have correctly set up your blog. Here are some tips to help you prevent the posting of junk messages.
Unless its owner hasn`t voluntarily uploaded malicious files on the blog`s hosting account, blog malware is usually the result of a successful hack attempt against the blog or against the server accommodating it.
There are multiple ways in which an attacker can gain control over a blog and its FTP account. Sometimes, these attacks are extremely carefully planned and involve a high degree of tech literacy, while other times attackers simply rely on logging in with a right combination of username and password.
Regardless of how malware gets on the blog, it will for sure impact on the blog`s ranking and functionality. Most search engines run constant malware checks against the indexed pages in order to see whether they pose any danger to their viewers. If they are found to be malicious, they will be immediately labeled as harmful in the organic search results, which means that users following these links will be warned that the requested content is likely to endanger the visitors or their computers.
Blog malware is not limited to e-threats present on the respective account, but also refers to various scripts that, once injected in the blog, would redirect users towards third-party websites serving dangerous content, as well as to scripts used by rogue antivirus products to simulate system scans. All in all, an infected blog will surely be delisted by search engines and the loyal customer base will likely never return, fearing that visiting the blog will damage their computer.
Bloggers who are extensively writing about themselves should consider extra security risks related not only to privacy, but also to identity theft and account balance.
Many bloggers have abundantly written on topics such as favorite music or movie artists, love, hobbies and other various topics that apparently can hardly pose any risk. It`s extremely easy to write on such topics, or to share different experiences with readers, but at the same time, bloggers might expose enough data for malicious persons to carry out a successful phishing or vishing (the phone equivalent of phishing) attack.
In order to better explain these risks, let`s take into account the following scenario: a blogger buys himself / herself a new, more efficient & intelligent mobile phone. It can open PDF documents, it has Wi-Fi connectivity (or at least, it can connect via GPRS to a blog, in order for its owner to fuel it with new material while travelling). It is quite common about bloggers to brag about new acquisitions in a more personal & descriptive manner. The scenario below is taken from a real-life blog post and modified to protect the original author.
“I have just purchased a new mobile phone in order to do some on-the-fly posting with the newest things that come across my life. I got myself the new [brand-goes-here] PDA yesterday from [mobile company]`s shop. You would not believe how cool this is.”
Next, imagine that the post above ends up read by the wrong person, who then calls the blogger back impersonating one of the [mobile company]`s employees. Bloggers who have registered their own domain names usually have their phone number listed in the registrar`s database, along with the rest of contact details, including billing post address, name & surname and personal contact e-mail.
“Hi there, sir! I am [name] of [mobile company], and I`d like to ask you a couple of questions about your [brand-name] handset you purchased yesterday from [shop]. But first, I`d like you to confirm your identity. Please state your SSN, birth date and address for verification first”.
This is only one of the scenarios that can lead to massive identity theft. As a rule, the more you say about yourself, the easier for the attacker to guess other details. Talking about favorite food, actors and day-by-day activities may be a good starting point for attackers to guess the e-mail password, or to fill in the necessary info to recover the allegedly lost password from one`s mail account.
Mitigation
If you own a domain name registered on your behalf, make sure that you treat every interaction with a potentially unknown person with maximum attention. If you have any doubts on the legitimacy of the person requiring personal information on the behalf of an institution, you should refuse the request and call back using the contact coordinates listed on the institution`s website.
Alternatively, you can always ask your domain registrar to activate the WHOIS privacy protection option on your account, which will completely replace your contact details with those belonging to the privacy protection organization. Your details will be kept private from third parties, except for law enforcement organizations.
Recovering from a hack may be a painstaking experience, and the effects of a successful penetration can stretch over a long period of time, but the faster you identify and solve the issues, the less damage is inflicted to your blog. Here is a short list of immediate actions to be taken after a potential attack has been discovered.
In order to minimize the probability of getting hacked, you are advised to obey a couple of extremely simple guidelines:
“¢ Never use blog scripts coming from untrusted, unofficial download repositories. Most of all never use nulled scripts, as it`s not only illegal, but also risky for your blog and web server.
“¢ Keep your FTP account clean: do not mix & match the account hosting your blog with other scripts you casually test. A small vulnerability in a third-party script can get your blog owned. Always test other scripts on a locally installed webserver.
“¢ Do not add unnecessary plugins or themes to your blog. Stick to what you really need and minimize the chance of having an exploitable plugin or theme. Also, ensure that any plugin you may want to upload comes from a trustworthy source; when in doubt, just ask the community.
“¢ Generate and store SQL backups regularly. Use a plugin to automate the job and have the backups delivered to you via e-mail or via a secondary FTP account. Using the same account for storing backups is usually a bad idea, as an attacker may tamper with them or even have them deleted after a successful hack.
“¢ Use strong passwords for FTP accounts and administrative users. Do not disclose them to anyone in any circumstance. You might also install a complete antimalware solution to ensure that your system is Trojan-free. Some of the successful blog attacks were carried using legit usernames and passwords intercepted by keyloggers or cache-monitoring Trojans.
“¢ Pay extra attention to the way you select your hosting provider. Paid hosting is usually much better than free offers, and, since you`re going to shed some money, ensure that you get automatic daily backups, access logging and a suitable web-server configuration for your blogging script of choice.
tags
December 19, 2024
November 14, 2024