This post contains some guidelines to improve the security level of your Blogger blog and some tips to recover control of it.
Two reasons may have driven you to this page:
- you are in trouble and I hope you can find some help here;
- you came by chance and you had better check the following tips.
Believe me, security problems are real even if they haven't yet hit you. Here are some tips and guidelines you should follow.
- Never give your username and password to other people. If you need someone to perform some administrative task for you, instead of giving them the username and password, add that person to the list of your blog administrators. If what you need is just someone to publish posts on your blog, give them only
Go to Permissions:
And invite authors. After the invitation has been accepted, they can become administrators (click "grant... admin privileges"). You can also remove an existing user or downgrade an admin to an author:
- Never give your username and password to other sites. Suppose you discover a site that says, for example:
"Invite your friends to your network. Just enter your username and password so we can scan your email list. Your account details will not be stored."
Never do this. This is a great way for other people to gain access to your account. In fact, never enter your account credentials on any site other than the one where you are supposed to log in (e.g. Gmail or Blogger).
- Never grant access from other sites to your Google account. For example, Facebook can ask you for access to your Google account to invite friends. It won't ask you for the username and password. Instead, you will be redirected to the Google sign-in page where you can grant access to Facebook. This is safer than giving the username and password to Facebook (see the previous topic), but even so, any security breach at Facebook can be exploited to access your Google account.
- Check which sites currently have access to your Google account and seriously consider removing all sites with granted access. You can see which sites currently have access to your Google account with the following steps:
- go to your Google account settings:
You can go directly there with this link: https://www.google.com/accounts/ManageAccount
- click "Change authorized websites"
- Click "Revoke Access"
- Don't use the same username and password on all websites. Imagine that you are trying a new service and it asks you to register. Suppose that you use your usual username (a Google email) and password. If that site is a malicious one, then it can try to sign in to your Google account with the given credentials and, voilà!, they are in. You would be surprised by the number of people who always use the same username and password everywhere.
Now you might be thinking about the madness of too many usernames and passwords. So you can define a strategy as follows:
- have a username and password that you only use for very important things and that you only use in one place (your Google account, for example);
- on websites that require you to register with your email and a password, never use the email's password on that site;
- even if you always use the same username everywhere, have 3 different passwords: one for your email, another for safe places (consider variations here so they are not exactly the same password) and a password for all the other places where you don't care if you lose control.
- When choosing your password, never use real words. Add some numbers and/or other characters. Example: instead of luisiana use, for example, 1ui5iana<. Remember that it's easy for a hacker to use a dictionary and a software tool to try different password combinations.
- In your Google blog, have multiple users with admin privileges. These users can all be different emails that belong to you. This way, if you lose control of one email, you can use the other users to restore your control.
- Fill in all the data at https://www.google.com/accounts/UpdateAccountRecoveryOptions. Here you can enter several emails and a mobile phone number where you can receive a recovery link (in the email) or an SMS with a password-reset code (on your mobile). Also, write your own question/answer pair.
- When you create your Google email, Google sends you a congratulations email which also contains a verification code. This is a very important email because it's the only thing that allows you to recover control of your account if all other things fail. Print it and save the email in different locations.
- Be very careful with the widgets that you add to your template, particularly if they aren't supported by Google. I'm sure you don't want some malicious JavaScript sneaking around your blog.
- Perform backups of your blog from time to time. Click "Export blog" and follow the instructions:
With these backups, later on you can import the blog to the same blog or into a new blog.
- Finally, if you really value your blog and you invest lots of work in it, be sure to use a custom domain for it. That way, if you totally lose control of the blog, you can still move to another platform without losing the Google rank.
To set up a custom domain, do the following:
- Click "Custom Domain"
- If you don't have a domain already, you can buy it at Google and let it do all the settings for you:
Otherwise, click "Advanced Settings":
and don't forget to perform the correct settings at your domain provider (see instructions here).
- Security works better by avoiding potential problems, so be sure to follow these guidelines before the problems arrive. When they do, however, use the links that Google provides to recover control of your account.
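As an added example (my own script, not part of the original post or of Blogger), the Python below checks a candidate password the way the password tip above describes the attacker's side: it undoes the common letter-for-digit swaps and looks the result up in a small word list, then compares that with the naive brute-force estimate that only counts length and character classes. The word list, the substitution table and the 60-bit threshold are constructed assumptions for illustration.

```python
import math

# Constructed mini word list standing in for the dictionaries that
# password-guessing tools ship with (real ones hold millions of entries).
WORDLIST = {"luisiana", "password", "blogger", "google", "summer"}

# Digit/symbol-for-letter swaps that cracking rule sets already try,
# mapped back to the letters they usually replace (assumed table).
LEET = str.maketrans({"1": "l", "5": "s", "4": "a", "3": "e", "0": "o",
                      "@": "a", "$": "s", "!": "i", "7": "t"})


def normalize(password: str) -> str:
    """Undo the common substitutions and keep only letters, lower-cased."""
    undone = password.translate(LEET).lower()
    return "".join(ch for ch in undone if ch.isalpha())


def dictionary_hit(password: str, wordlist=WORDLIST):
    """Return the word the password reduces to, or None if it is not one."""
    base = normalize(password)
    return base if base in wordlist else None


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force tool would have to cover."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))  # 33: ASCII punctuation + space
    return sum(n for test, n in classes if any(test(c) for c in password))


def naive_entropy_bits(password: str) -> float:
    """Search space in bits if every character really were random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password: str, wordlist=WORDLIST) -> dict:
    """A dictionary-derived password is weak whatever its character mix."""
    hit = dictionary_hit(password, wordlist)
    bits = round(naive_entropy_bits(password), 1)
    verdict = "weak" if hit else ("fair" if bits < 60 else "strong")
    return {"bits": bits, "dictionary_word": hit, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("luisiana", "1ui5iana<", "Tb7#qLm2wXv9$Kp"):
        print(pw, assess(pw))
```

The post's own example 1ui5iana< scores about 55 bits by the naive count yet reduces straight back to "luisiana", which is why length and unrelated words beat cosmetic substitutions.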
How to regain control of the blog
So, even with all the precautions, you lost control of your blog. Try these approaches:
- Start with tip 13.
- If you weren't successful, or if your blog is still being attacked, then try this:
- perform a blog backup (see tip 11) or use the latest backup you have;
- create a new blog with a new user (that is, create a new Gmail account to be used for this blog);
- import the backup into this new blog (see tip 11);
- change the custom domain (see tip 12) to point to this new blog. If you don't have a custom domain, you have to skip this step and, therefore, you will lose some page rank. This isn't dramatic. Whatever made your blog's success will bring readers back again.
If you have other tips to suggest, just leave a comment. I will be glad to update this post and give you the credits for it :-)
Update: 2010-05-10
While checking for security problems, you should also have a look at your post-by-email settings:
Be sure that the email posting address was set by you. And if you are posting by email, be sure that no one else knows the secret email address for posting. Otherwise, new posts can appear on your blog without your consent.
This is a post to keep.
And yet, despite all the good advice, you haven't figured out how Ramiro was "hacked". I bet that I can guess in one second.
Nice and clean template. Good job, Mr.Editor. ;)
Btw, the example of a strong word that you give in #6 is one of the first things that a brute-force scanner tries, that is, a combination of some characters and numbers. But it is a good start. Better some variations than none. Increasing the bit order is another, more effective one; therefore a longer pass is a safer one too.
Thanks Dr. Shue.
I'm not into guessing but be my guest ;-)
For sure better passwords do exist. Anyone interested can have a look here, for example: http://www.microsoft.com/protect/fraud/passwords/create.aspx.
Scary!!! ;)
And I haven't read everything yet...
I updated this post with another tip.
And you should credit the author of the tip... I've got a feeling that the problem ain't over yet. Guess how.
Thanks Dr. Shue for the post by email tip ;-)