Here is a collection of ten short tips, compiled from my experiences blogging over the past few years, that new and even intermediate bloggers may find useful. None of this is new; it is common-sense observation.
1. Choose a secure password for administration and change it every so often.

   Personally, I use KeePass to randomly generate my passwords and keep track of them for me; I then back up the password database to a USB key for extra protection (the database stays encrypted, so that backup is only as strong as its master password). In this day and age, a password that can be guessed, or talked out of you by social engineering, simply isn't acceptable.

2. Keep backups of your posts using an RSS reader.

   A feed reader that caches full-text items gives you an off-site copy of every post as it was published. It only captures what the feed exposes, though (usually the most recent items, and only the full text if the feed isn't truncated to summaries), so treat it as a supplement to a proper database or export backup, not a replacement.

3. Use CAPTCHA to protect your feedback list from spam; better yet, use reCAPTCHA.

   New bloggers are often dismayed to find their posts hijacked by comment spam advertising pills, potions and other nefarious things. Much of this can be avoided with a CAPTCHA plugin that stops spambots entering comments by posing a visual challenge (a form of Turing test). While good, CAPTCHAs have proven to be breakable (see my old blog, for example). I recommend the upgraded reCAPTCHA plugin, which not only stymies 99.9999% of spam but also helps digitize books.

4. Close off comments for posts after 60–90 days.

   This works in conjunction with #3 above to reduce your overall attack surface. Spammers will still try to push their comments in by other means, but most automated spam lands on older, already-indexed posts, so closing them removes the bulk of the target. If you need feedback on a topic for longer, either write a new post to extend the conversation or, better yet, set up a Yahoo! mailing list or install a forum.

5. Disable trackbacks for posts.

   Trackbacks are automatic cross-referencing pings that blogs and sites use to notify one another when they've been referenced directly. A good example is dotNETKicks: if your post is "kicked" into their queue, it sends a trackback to your blog saying "you've been kicked", which gets rendered in your feedback list. A cool feature, but because anyone can send a ping claiming to link to you, it's also a huge back door for spamdexing. You won't miss much by disabling it: if you use a feed service like FeedBurner, you'll still learn who is referring to your posts.

6. If you're using ASP.NET, make sure your pages are protected with validateRequest="true".

   Yes, it seems obvious, but you'd be surprised how many folks disable request validation, leaving their site open to cross-site scripting and other HTML/script injection through form fields and query strings. It is on by default and can be set per page in the @ Page directive or site-wide with <pages validateRequest="true" /> in web.config. Treat it as a first line of defence rather than the whole answer: it rejects requests containing markup-like input, but it does not replace HTML-encoding whatever you render back out. I see attempts on this all the time in my security logs for my site.

7. Disallow <a> tags in your comments.

   It's a bit of a pain for those wanting to hyperlink out of a comment to check something, but it also prevents a lot of link-harvesting, which otherwise results in more spam and search-ranking manipulation. Bare URLs still get pasted in, of course, so pair this with a cap on the number of URLs per comment.

8. Throttle bad IP ranges.

   Often you will notice attacks coming from common ranges of IP addresses; these are typically open proxies or compromised hosts that spamdexers use to spread their wares. Either block these at the firewall (i.e. drop all inbound traffic from 203.0.113.0/24, to use a documentation range as the example) or use an httpModule/httpHandler combination (UrlRewriter or similar) to refuse troublesome ranges with a 403 Forbidden. Keep the list short and review it: proxies come and go, and a range that was hostile last month may carry legitimate readers today.

9. Subscribe to a spam filtering service like Akismet.

   If you've got a bad case of spamming, consider a service like Akismet, which provides fairly comprehensive comment and trackback spam filtering. Some blog services offer this as a matter of course; others require you to actively enable it. See Scott Hanselman's post, Preventing comment, trackback and referral spam in dasBlog, for details on using Subkismet.

10. Be vigilant.

    Check your security logs frequently to spot trends that don't fit your usual daily traffic patterns; monitor your comments via a feed reader so attacks are easy to identify; and keep looking for places where you can harden your blog, whether with updates and patches or with small code fixes. If you have the ability, make the fix yourself rather than waiting for someone else to do it for you.
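Tips 4, 5 and 7 above are all decisions taken at the moment a comment or trackback arrives, so they fit naturally into one acceptance check. The following Python is an added example, not code from the original post or from any blog engine; it assumes a 90-day comment window, a caller that passes the post date, the submission kind ("comment" or "trackback") and the raw body, and an assumed cap of two bare URLs per comment. On an ASP.NET blog the same logic would sit in the comment handler before anything is written to the feedback list.

```python
"""Comment gate: reject trackbacks, late comments and marked-up bodies.

Added example (not from the original post). Assumptions: a 90-day window,
a cap of two bare URLs per comment, and a body that arrives as raw text.
"""
from __future__ import annotations

import re
from datetime import date, timedelta
from html.parser import HTMLParser

COMMENT_WINDOW = timedelta(days=90)   # tip 4 says 60-90 days; 90 assumed here
MAX_BARE_URLS = 2                     # assumed cap, not from the post
URL_RE = re.compile(r"https?://", re.IGNORECASE)


class _TagScanner(HTMLParser):
    """Record every start tag in a fragment, including self-closing ones."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)          # HTMLParser lower-cases tag names

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)          # e.g. <a href="..."/>


def tags_in(body: str) -> list[str]:
    """Tag names found in the comment body, in order of appearance."""
    scanner = _TagScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.tags


def _as_date(value: date | str) -> date:
    """Accept a date or an ISO 8601 string (how most engines store dates)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def comments_open(post_date: date | str, today: date | str,
                  window: timedelta = COMMENT_WINDOW) -> bool:
    """Tip 4: comments stay open for `window` after the post date."""
    return _as_date(today) - _as_date(post_date) <= window


def gate(post_date: date | str, today: date | str, kind: str, body: str,
         window: timedelta = COMMENT_WINDOW) -> tuple[bool, str]:
    """Return (accepted, reason). Cheapest checks run first."""
    if kind == "trackback":                            # tip 5: trackbacks off
        return False, "trackbacks disabled"
    if not comments_open(post_date, today, window):    # tip 4: window closed
        return False, "comments closed"
    found = tags_in(body)
    if "a" in found:                                   # tip 7: no <a> tags
        return False, "anchor tags not allowed"
    if found:                                          # any other markup too
        return False, "markup not allowed: " + ", ".join(sorted(set(found)))
    if len(URL_RE.findall(body)) > MAX_BARE_URLS:      # assumed cap on pasted URLs
        return False, "too many URLs"
    return True, "ok"


if __name__ == "__main__":
    posted = "2008-01-01"
    samples = [  # constructed inputs
        ("2008-01-15", "comment", "Nice post, thanks."),
        ("2008-01-15", "trackback", "http://spam.example/pills"),
        ("2008-06-01", "comment", "Still relevant?"),
        ("2008-01-15", "comment", 'Cheap <A HREF="http://spam.example">pills</A>'),
        ("2008-01-15", "comment", "Buy <b>now</b>"),
    ]
    for today, kind, body in samples:
        print(today, kind, gate(posted, today, kind, body))
```

Rejecting all markup rather than just <a> keeps the check simple and removes the whole class of tag-smuggling tricks; the cost is that an inequality written without spaces ("x<y") will be read as a tag, so tell commenters to use plain text or entity-encode on output if you relax this.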
Of these tips, #3 has been the most successful for me to date. There may come a time when even reCAPTCHA is foiled, but for now it's working wonders!
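Tips 8 and 10 go together: the log review tells you which ranges to throttle, and the throttle itself is a one-line decision per request. The following Python is an added example, not from the original post or any blog software; the log lines are constructed, the log format is simplified to "ip method path status", and the /24 grouping and three-POST threshold are assumptions to tune against your own traffic. On ASP.NET the is_blocked decision would run in an IHttpModule BeginRequest handler that ends the response with a 403.

```python
"""Find abusive source ranges in an access log and refuse them with 403.

Added example (not from the original post). The log lines are constructed,
the format is simplified to "ip method path status", and the /24 grouping
and threshold of three comment POSTs are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed sample log: four comment POSTs from one /24, plus normal reads.
SAMPLE_LOG = """\
203.0.113.7 POST /blog/CommentView.aspx 200
198.51.100.5 GET /blog/default.aspx 200
203.0.113.9 POST /blog/CommentView.aspx 200
192.0.2.14 GET /blog/SyndicationService.asmx/GetRss 200
203.0.113.22 POST /blog/CommentView.aspx 200
198.51.100.5 POST /blog/CommentView.aspx 200
203.0.113.40 POST /blog/CommentView.aspx 200
not-an-ip POST /blog/CommentView.aspx 400
"""


def _network_for(ip: str, v4_prefix: int = 24, v6_prefix: int = 64):
    """Group an address into its /24 (IPv4) or /64 (IPv6); None if unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def comment_posts_by_range(log_text: str, path_marker: str = "Comment") -> Counter:
    """Tip 10: count comment POSTs per source range so clusters stand out."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "POST" or path_marker not in parts[2]:
            continue
        net = _network_for(parts[0])
        if net is not None:
            counts[net] += 1
    return counts


def ranges_to_block(log_text: str, threshold: int = 3) -> list[str]:
    """Ranges with at least `threshold` comment POSTs, as sorted CIDR strings."""
    counts = comment_posts_by_range(log_text)
    return sorted(str(net) for net, n in counts.items() if n >= threshold)


class RangeBlocker:
    """Tip 8: the decision an HttpModule would take on BeginRequest."""

    def __init__(self, cidrs) -> None:
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def is_blocked(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True          # garbage in the remote-address slot: fail closed
        return any(addr in net for net in self.networks)

    def status_for(self, ip: str) -> int:
        """403 Forbidden for blocked ranges, otherwise 200 (let the page run)."""
        return 403 if self.is_blocked(ip) else 200


if __name__ == "__main__":
    cidrs = ranges_to_block(SAMPLE_LOG)
    print("blocking:", cidrs)
    blocker = RangeBlocker(cidrs)
    for ip in ("203.0.113.200", "198.51.100.5", "2001:db8::1"):
        print(ip, blocker.status_for(ip))
```

Grouping by /24 is coarse by design: a spammer rotating through a proxy pool usually stays within a few adjacent addresses, but the same range can carry legitimate readers, so review the block list regularly and prefer a visible 403 over silently dropping traffic, so that a wrongly blocked reader can tell you.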