Several News Challenge projects, including ours (the Boulder Carbon Tax Tracker), feature blogs as a publishing tool. So consider this a friendly tip: If you or anyone who will be posting to your blog even occasionally uses net access of unknown or uncertain security (such as public wifi, or a hotel’s network), make sure you use a secure login for posting to your blog.
Why? Because it’s pretty common for unscrupulous folks to monitor networks used by many people with the express purpose of “sniffing” userIDs and passwords. This can have obvious bad consequences if they get access to your web-based e-mail — but it can also mess up your blog, too.
I learned my lesson last November…
I travel quite a bit for business, and while I was at the BlogWorld Expo conference in Las Vegas I (like the hundreds of other bloggers there) used the convention center’s open wifi to post to my blog Contentious.com. I use WordPress, a popular blogging tool, for that blog, and was in the habit of logging in via a regular “http” (unsecured) address in order to post.
Geeky note: A secure login starts with https and must be supported by either a shared or dedicated “SSL certificate” from the web host.
…Well, wouldn’t you know it — someone sniffed my ID and password, gained access to my blog’s back-end, and then hacked my blog. Specifically, they planted a script in my site template that was posting spam to my RSS feed. This was a difficult and annoying problem to track down. But honestly, it could have been a lot worse. They could have done much more damage.
With the help of two first-class technodudes (Justin Crawford and Tom Vilot) I was able to fix this problem and implement secure login for Contentious. I won’t bore you with the technical details, but suffice it to say that it involved gaining access to the “shared SSL certificate” of my web host.
Since Boulder Carbon Tax Tracker also includes a WordPress blog hosted by the same web host, and since it’s not just me but several people who need to post to that blog, I knew we also had to implement secure access for that blog as well. (More users multiplies your access risk.) This required a bit of unexpected wrangling with our web host, because of how they manage domains on accounts that include more than one domain.
Well, we finally got secure access implemented with Boulder Carbon Tax — which gives me more peace of mind.
Lessons learned:
- When selecting a web host, make sure they’ll provide (at the very least) access to their shared SSL to every domain hosted on your account. And if they tell you “we can’t do that,” persist through their level 2 and 3 tech support to find out what the real answer is.
- Always use your secure login when there is any question in your mind as to whether someone might be monitoring your network.
- Provide only the secure login address to people who will be contributing to your blog. Don’t tempt fate.
…Of course, secure login is important whenever you’re accessing any site that could cause you damage or heartache if it was hacked, if you’re using a network connection of unknown security. (Which is why I always access Gmail via secure login, among many other sites.) Safer browsing is kind of like safer sex — a little carelessness can have terrible consequences.
So look over your bookmarks list. Which sites leave you vulnerable? Like with Gmail, check whether there’s a secure login option. If you’re not sure, contact the site owner. Or just try changing the login URL prefix to “https” and see if you get in. When you find the secure login address, bookmark that instead and you’ll never have to think about it again.
View Comments (12)
What about secure commenting? Commenting often requires login or a user's e-mail address.
Amy, I am agree with your suggestions, secure login is important for us whenever we accessing any site that could cause damage or heartache if hacked.
I believe encryption and strong passwords are so much "secure" . Maybe some people don't realize that anything that isn't encrypted is being sent over the wires as a clear text.
Securing website is a big challenge for web master. It includes server protection and website protection itself. Situation becomes more difficult when you are using some famous platform for your web site.
As wordpress expert, my aim is to secure and give maximum protection to my clients’ web site. We have to think as a hacker to block all possible ways of hacking a wordpress.
All in one seo pack is most common used plug in. It is automatically optimizes your titles for search engines and generates Meta tags automatically. All in One SEO Pack is helpful to avoid the typical duplicate content found on Wordpress blogs.
I am agree with your suggestions
Wow! great information I really enjoyed your article.
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
great job my friend your blog will help lots of technical field personals as there is few person to notice this kind of problems and not only you this but also you have given a right solutions by mentioning the entire things with a proper format.
Thank you very much from my group.
keep on writing.
Going through your blog i can say only one thing for obvious is that, there are few people who will be aware of the fact and not only the fact but people will rarely figure it out this kind of problem finally they will realize when they suffer. So, if they don't want to be victimized they will surely have to go trough the expertise like you. i am satisfied with your knowledge. And i hope soon people will learn about these matter.