Castles' layouts

Protect your blog

Castles have very regular (not to say, boring!) layouts.

Why is that? Why don't they have a fancy layout?

If they had a funny shape, they would be much more attractive!

Fancy, but less secure

Castles were built with defense in mind: they are designed to reduce the attack surface and keep control of it. Fancy extras create new openings and make your defense less secure.

Boring, but more protected

When you create your own blog, you could be tempted to add many extra add-ons to make your blog more attractive: contact forms, slideshows, RSS…

It makes sense from a marketing perspective – who doesn't want to look more attractive? – but by doing so, you increase the attack surface. Many attacks have been reported recently, and they show that not all plugins follow the same quality standards when it comes to security.

How

Typically, attacks against blogs are either done by brute-forcing simple passwords or exploiting weak plugins.

Why

The usual goal is to modify a part of your blog, to redirect visitors to malware or to link to other websites to increase their ranking in search engines, and thus generate ad revenue. Another possibility is to take your content hostage, or to take over your server and use it as a relay for malicious content.

Consequences

At best, your blog is blacklisted, and your visitors will be prevented from entering, for their own safety:

This is not very attractive.

At worst, your database could be stolen, deleted or ransomed, or your server could be taken over, and even worse: you could be liable…

Extra

Since such attacks are done transparently and silently, you may think this is a false positive, as nothing seems to have changed in appearance: a small URL insertion in one of the PHP scripts can have big consequences.

What should you do?

To protect your blog, you should reduce your attack surface and keep your defense under control:

  • Reduce your weaknesses by removing unnecessary or insecure plug-ins (Google for a plug-in name, check if it's widely used, check if any security bug was reported, and whether the authors seemed to care).
  • Generate logs, and check them.
  • Back up your blog files: to recover from deletion, of course, but also to make post-infection analysis much easier, so that you can easily check what was modified.
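The third point, checking what was modified, is easiest when you have a record of what the files looked like before. The script below is an added example, not code from the original post: it hashes the scripts of a blog install into a JSON baseline (to be stored off the web server, next to your backups), and later compares the live tree against it to list modified, added and removed files. The watched suffixes and the WordPress-style paths in `demo()` are assumptions for illustration; the whole scenario is constructed in a temporary directory.

```python
"""Baseline-and-compare file integrity check for a blog install (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Files that carry executable or routing logic; a silent one-line edit here is
# what we want to catch. Assumption: a PHP-based blog; extend to suit yours.
WATCHED_SUFFIXES = (".php", ".js")
WATCHED_NAMES = (".htaccess",)


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every watched file under root (relative POSIX path) to its hash."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix in WATCHED_SUFFIXES or path.name in WATCHED_NAMES:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, dest) -> None:
    """Persist the baseline as JSON; keep this copy off the web server."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    """Read a baseline written by save_baseline."""
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report which watched files were modified, added or removed."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a silent change.

    Everything here is made up for the example; no real blog is touched.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "blog"
        plugin_dir = root / "wp-content" / "plugins" / "gallery"
        plugin_dir.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (plugin_dir / "gallery.php").write_text("<?php // constructed plugin file\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "README.txt").write_text("not watched\n")  # ignored by the check

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulate what an unnoticed edit looks like on disk: the page renders
        # exactly as before, only the hash changes. Plus one new file, one gone.
        with (root / "index.php").open("a") as fh:
            fh.write("// constructed change appended after the baseline\n")
        (plugin_dir / "helper.php").write_text("<?php\n")
        (root / ".htaccess").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it after every legitimate update (and refresh the baseline afterwards); anything listed outside an update window is worth looking at in the file and in the web server logs for that day.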

Engine developer