Does Article Writing Produce New Visitors?

At the end of October I started a little Article Directory experiment, in which I wrote and published an article for several article directories and then watched what happened. The main aim was to produce new blog readers, but there might also have been a few other benefits that I’ll also explore.

Reviewing The Experiment

I wrote articles, each to the minimum standards for each directory, and submitted them all. The targeted article directories were: EzineArticles.com, LargeArticle.com, ArticleCube.com, ArticleSpy.com, FreeContentArticles.com, ArticleDunia.com and ArticleMobi.com.

However, the signup to ArticleMobi.com never went through so I was not able to publish it there and FreeContentArticles.com wanted links to them before they would publish it, so I backed out there too.

Where Did I Receive Traffic From?

This one is very simple to answer by searching back on Google Analytics:

  • ArticleCube.com – 27 sessions, 76 page views
  • EzineArticles.com – 3 sessions, 9 page views

You may notice that the list is a lot shorter than the list of directories that I actually managed to get articles live on!

Out Of Interest, Sites Linking In According To Google Webmaster

  • ArticleCube.com
  • ArticleDunia.com
  • ArticleSpy.com
  • EzineArticles.com

So 2 of the directories might not have sent any traffic, but at least Google is seeing and recognising their links. However, if you look back to the original part of the experiment, I was extremely unhappy with both of these 2 sites.

ArticleDunia.com sent me some spam about unrelated articles and inflicted constant popups onto me (probably why there are no readers clicking through) and ArticleSpy.com reviewed articles very infrequently (although I’m told it’s usually very quick) but it’s filling with a lot of spun content, which is also probably why it’s not sending real readers.

It’s Quality That Counts

EzineArticles.com has always been very strict about its quality controls. In years past I’ve been pulling my hair out trying to get articles accepted by their editors. In the past it has sent tons of traffic to my sites and I think it’s a matter of hit and miss as to whether 1 single article will work. Previously this has certainly been the case with 1 article having loads of readers and the next hardly any.

ArticleCube.com, whilst easy to get it reviewed, takes a lot more effort to prepare the article now requiring at least 1 dedicated image to be included in the article. However, they are a small directory, which I first thought would mean they wouldn’t send much traffic. I was wrong!

The smallness of the directory actually means it concentrates readers into a few articles. I’ve noticed on the directory a few areas in which there have not been posts recently that are relevant to my ramblings, so I will be targeting writing over the Christmas break at some of these areas.

Because of the way these directories work though, I’ll prepare the articles and release them over a few weeks. Best levels of traffic are achieved when the article is “new”. I expect this is because it also appears on the home screen for a few weeks after publication.

Coming Up

If you have found this useful then before you go off and submit your own articles do feel free to Stumble and Tweet this article!

Don’t forget to follow me on Twitter and the newsletter as I will shortly be coming back to my blog commenting experiment from November. Some of the blogs sent plenty of traffic whilst others sent next to nothing (or indeed exactly nothing). I think there’s a very obvious pattern in which blogs are sending traffic through commenting so if you apply a little bit of thought you can concentrate on posting comments to just a few blogs and probably enjoy the experience much more. Commenting isn’t just about commenting to get visitors – it can be enjoyable too and that’s when it works.

You Can Rapidly Increase Website Traffic With This Trick, But Should You?

I’ll follow this up once all of the statistics are in and I’ve looked over everything objectively, but here’s a quick teaser on how I’ve been getting 200-300 new visitors to this blog EVERY DAY for the last 10 days. And why I probably won’t be doing it again!

Shortly after I first started out in my own business (2003!) I discovered the “power” of popups and expired domain redirects (I’ll explain in a minute) to increase website traffic. At the time monitoring traffic was very basic, so I just took the traffic and accepted it.

It appeared good and for a short time I was a reseller of the expired domain traffic. I advertised it on a stand alone traffic website and bought it wholesale from another seller. Complications with payment, more to the point a quick succession of failed payments, tied with difficulties of advertising what I was reselling cheaply enough to make a profit meant that I eventually dropped the product.

But then a few weeks ago I stumbled across an offer of free traffic, which was in return for writing a quick post and mentioning the company I could get a free 10,000 visitor campaign.

What is Expired Domain Traffic?

Simple. If you own a website and then don’t renew the URL, what happens to the people trying to find the website? Although the search engines should drop the listing between you not renewing it and someone getting to buy the URL, there will be bookmarks, links in forums & blogs etc.

So people are trying to visit this website, but finding it no longer exists. What happens if then someone buys the URL and redirects the traffic to another, similar, website?

That’s the theory. It should be highly targeted traffic looking for specific information to read. What could be better?

In Practice

For the first week Google Analytics was reporting just over 200 sessions a day to my site and the last couple of days around 300 new sessions.

But, is that real traffic? Does it have a benefit to my website? How do I measure it?

Well, during the campaign I’ve not had any increase in Twitter followers nor new subscribers to the newsletter that I would attribute to this traffic. I have seen new followers (and I sincerely thank you guys and welcome you to my site!), but concentrated around the day when a guest post was published on Mostly Blogging.

How about actual page views? I’ve typically seen page views from this traffic running around 110%-115% of number of sessions. It would appear at first glance that 10-15% of visitors are viewing a second page, or various combinations of maths around that.

However, that’s just the headline rate. When I looked at what pages have been viewed and their hit count, every single page view is of the home page. Instead it looks like 10%-15% of sessions are refreshing the home screen, which looks strange.

Funny Statistics

As I’ve said the campaign is still running, but I’ve noticed that the number of visitors through this source that are using Internet Explorer is over 90%. This to me isn’t “normal”. It’s a long time since IE was that dominant. These days IE is lucky to be around 40% of users.

It could be that there’s a problem with their software that means there are a lot of redirects going on and it’s only possible to do this with IE. Maybe.

However, the campaign to date has been 100% desktop. I usually expect 70% desktop and the remainder (see my earlier post The Importance Of going Mobile for a breakdown).

So the supporting figures are very strange.

It’s Not Finished Yet

The campaign isn’t over yet. It’s still got a bit of time to go and once it does complete I’ll analyse it fully and see which sources seem to have done what. However, the biggest problem is that the traffic providers can never provide example links etc to look at, so you can’t test for yourself that it’s doing what it says.

I’ll come back once I have had chance to analyse it fully, but later this week I need to go back to my little experiment with Article Directories as the traffic from those articles has now dropped to a background level so I can say what’s happened there with confidence.

If you want to make sure that you don’t miss the follow up of the full traffic analysis or want to read about my traffic generation through article directories, follow me on Twitter or sign up to the newsletter.

Or why not really make my day and Stumble this page!

Securing Your WordPress Blog With Plugins And More

3 weeks ago I wrote about my 4 favourite security plugins. It only took about a week for me to discover another plugin that I found so useful that it instantly expanded the list. Now it’s my 5 favourite security plugins!

The theory I work to is one of layers. Don’t leave all your security down to one method. At the time my blog was under attack – a very persistent attack as you can see here:

The attack went on for over a day with the attacker trying different passwords. Eventually I installed the new plugin and stopped their attempts. By stopping them from trying to guess the password there’s a new level of security in place.

Security through obscurity

This one is often hotly debated. Security through obscurity is basically hiding what you need to protect. But that level of security is breached by knowing where the hiding place is.

An example is leaving your front door key and alarm code in a plant pot by the front door. Anyone looking in the plant pot knows how to get in. This is where this type of security is poor.

Another example is the army camouflaging large tanks. Obviously a layer of paint doesn’t physically protect the vehicle and if you know where the vehicle is you can attack it. But the camouflage can make it more difficult to find the vehicle. It is adding a layer of security.

So I installed WPS Hide Login by WPServeur. Now anyone trying to access 13weekchallenge.co.uk/wp-admin (try it if you want) doesn’t see the admin page and can’t try to login. You need to know the URL of where it is moved to in order to try to login.

The other layers

I still maintain other vital layers of security. The next is Limit Login Attempts by Johan Eenfeldt. This detects multiple failed login attempts from the same IP address and blocks access from that IP address after a few failures. However, in the main attack I think they were using infected machines to direct the login attempts from different IP addresses, so getting around this tool.

After that Plainview Activity Monitor by Edward Plainview was setup to record all failed login attempts. I could see the userid and passwords tried on every attempt. Useful to see if the attackers are getting close…

This brings me to the base layer of security. Strong passwords and secret userids. I can’t stress too much how you should not use Admin nor Administrator as your userid (see the previous post for details on how to change your userid). 2 in 3 attempts that day used one of these, the remainder tried the website name. Simply by not using these I had ensured they could not guess the userid & password combination.

After that you are down to passwords. Use a good one. Most attempts to hack this blog have used password, 123456 etc. See the list of useless passwords that I detected hackers trying on this blog before I hid my admin.

Off site layers of security

After that we’re down to best practices. Keep your connection secure and virus free. An unencrypted internet cafe connection could just be being watched and give everything away.

Security isn’t complicated

None of the above security steps are difficult to apply, but together they give your blog a much stronger chance of staying safe and away from the control of hackers.

How To Change Your WordPress UserName

If you are using Admin or Administrator as a username on WordPress you are breaking one of the simplest security measures going. However, WordPress does not provide a simple way of changing the username. It is still possible and very easy. Just follow these steps!

First though, why is it so important? Well look at these recent attempts to break into this blog. All are using one of 3 predictable user names (and this attack went on for over a day, a few attempts per minute from different IP addresses, until I closed it down with a clever plugin).

Because my username is none of the 3 being tried the hacker stood no chance. Even had they stumbled onto the correct password, the mismatched userid protected my site.

It’s almost like having 2 passwords to guess – they have to guess userid & password at the same time.

Unfortunately it’s not as simple as editing the username. However, the steps required instead are very simple once you know the sequence!

Step 1. Create A New Admin

You can’t rename your admin user, so create a new one. Give it a username that you can easily remember (however you can save it and your password into your browser).

You will need a separate email address to your main account for this, but if you are self hosting hopefully you can create email addresses and by using a separate email address you add a further level of security.

Give this new user the maximum “role” available – Administrator and then Add New User to finish creating them.

Click on the confirmation email to activate the account, sign off as the current user and sign on as the new user. That’s the difficult part sorted!

Step 2 – Edit User

Now that you are signed on as your new user, let’s apply the other security step of hiding your user name from posts. It also makes the posts look more friendly than posting them all by “Admin”.

Go to Users, click Edit under your new Admin user and scroll down to Nickname and enter your chosen name. This is the name that we will be displaying on all your posts as your author name.

Just entering your nickname isn’t enough, WordPress won’t use it yet. Look at the drop down box below “Display name publicly as”. Expand the box to see the 2 names and tap your nickname.

Now hit save. From now on you have an admin user that is not obvious and you are hiding your login name. However, you still have that Admin / Administrator or whatever userid lurking.

Step 3 – Get Rid Of Old Admin

There’s 2 ways of doing this. The easiest (but least secure) is to simply edit the old Admin user and set their role to subscriber. Now, should someone break into the userid then at least they shouldn’t be able to do any damage.

The more secure way is to delete the userid fully. First, make sure you have a backup of your database (if you aren’t making backups already, look at my list of security plugins for a suggestion).

Now, simply go to the list of users and below the old userid, when you put your mouse over the row Delete will appear. Click that. Don’t panic, there’s a step to go yet before it is actually deleted!

On the following screen you are asked what to do with all content created by that user. This is why it’s important to have a backup, just in case you get carried away here!

Just select “Attribute all content to:” and from the drop down box choose your new userid (probably the only one there). Double check that the delete option is not ticked and then Confirm Deletion.

That’s it. A bit long winded but you have effectively changed your userid by deleting and creating a new one.

There’s plenty more security steps to apply – have a look through my list of security plugins. That list will be being updated shortly too as I have another one that I think is essential and that in the last week has prevented most hackers even being able to start to attack the blog!

If you are interested in that, then subscribe to the newsletter, follow on Twitter or both and you’ll be the first to hear about the updated list.

I Increased My Traffic Drastically Last Week And You Can Too, But Do You Want To?

Last week, after weeks of trying, my blog’s traffic finally shot up. It was an easy trick to apply and anyone can do it. But, would you want to?

As the above screen print from Google Analytics shows last Friday this blog jumped from hardly any visitors per day (especially on days when I wasn’t trying hard!) to over 200 new visitors every day. I’m studying carefully how useful this traffic is and it will keep coming for a couple of weeks from this source.

But the big question is although it is easy to do (and in this case totally free), would you want to do the same?

Put it the other way around, why would you not want to see such a huge increase in traffic with no effort?

Well although it’s great to see the increase, it’s only really beneficial if it’s useful visitors. That is visitors that come back and read again, maybe sign up for updates and possibly even comment. So for now, until I’ve fully analysed the results, I don’t want to say too much about what the trick is.

I don’t want to give false hopes nor criticise a system if it works well.

If you want to know how I’ve received over 800 new visitors from the USA in the last 4 days then you will need to follow me. I’ll publish my review and exactly how you can try the traffic too in a few days.

You can either follow me on Twitter (@13weekchallenge) or subscribe to the newsletter below. Don’t worry, in either case your details remain safe and the only time that you’ll hear from me is when a new post is ready.

Until then, if you prefer you can read right now about why I think SEO is no good for a blog and how to increase traffic simply by studying your Google Analytics. There’s tricks there that everyone can learn from to make sure their blog is working for them.

Don’t forget to subscribe – otherwise you might miss out on how I’m suddenly generating thousands of new hits to this blog!

21 Reasons Why Self Hosting WordPress Will Improve Your Blog [with InfoGraphic]

Whether you opt to use WordPress.com (“Hosted”) or WordPress.org (“Self Hosted”) is entirely a choice of your own preference, but I genuinely believe that Self Hosting is always better and as such I always self host. Here’s a list of 21 top reasons why based on lists from 17 other websites.

Please feel free to include this infographic on your website by using the code below:
<a href="http://www.13weekchallenge.co.uk/21reasonshosted"><img src="http://www.13weekchallenge.co.uk/wp-content/uploads/2015/11/21reasons.png" alt="21 reasons to use WordPress.com" width="100%" /></a>

1. Thousands of free and paid themes.
When you use the hosted version you are limited to a relative handful of themes. With the self hosted version you have thousands of themes and if you, or someone you know, is handy with HTML / CSS then you can write your own. Almost all of the sites surveyed mentioned this as an advantage.

2. Your Own Advertising
If you want to display adverts then you can (you can’t display most with the hosted version). You can choose where to take them from – whether that be Google Adsense or advertising your own connections. Three quarters of the sites mentioned this.

3. Plugins to extend the site
Over half the sites surveyed liked the fact that with the self hosted version you can install a huge variety of plugins, including security, social networking, stats and many more!

4. Customisation
Being able to make your own changes to the source code was also mentioned by over half the sites. Whether that’s a major rewrite or just a simple tweak to remove something from the theme that you aren’t happy with, you are in control.

5. Own domain name
This is possible, but as an “extra” on the hosted version. But with wordpress.org you always use whatever domain name you want to use. You register it, you own it and you control it fully! A third of the sites suggested this.

6. Total freedom
It is possible to trip up on the hosted version by accidentally crossing a line and not sticking to a T&C. When you host it yourself, as long as you are legal you can do whatever you want.

7. Analytics
Because you can install plugins (or if you prefer you can do it through the code itself) you can install any type of analytics tool you want, including Google Analytics. You can monitor anything and everything about the traffic on your blog.  4 sites including janefriedman.com gave this as a good reason.

8. Reputation
Using your own domain name rather than a subdomain and being on obviously free hosting makes your blog look better. A different 4 sites to the previous suggestion recommended this, including blogging.org.

9. Can’t be closed
As long as it’s all legal and above board you won’t find one day that your blog has vanished and everything been deleted without there being anything you can do about it just because you didn’t appreciate something in the terms, such as no advertising. This was raised by wpfreesetup.com, seedpod.com and boostblogtraffic.com.

10. No hidden fees
Free isn’t always free, but when you pay for your hosting you have an agreement as to what is provided. You avoid suddenly being hit with the prospect of paying for more bandwidth, more space, ability to upload media, removing adverts… boostblogtraffic.com and tsohost.com pointed this out.

11. SEO advantages
Because you can customise the code and use plugins you get the chance to search engine optimise your site better. You can also choose from themes that are written for search engines etc. shoutmeloud.com and tsohost.com liked this feature.

12. Scaleability
If your blog grows then so can your hosting, very easily. Both wpmudev.com and tsohost.com came up with this as a valid reason for self hosting.

13. Emails
If you own and manage your domain name then you can create email addresses within that domain name, brilliant for newsletters, contact addresses, setting up social media accounts, contacting other bloggers etc. boostblogtraffic.com and tsohost.com pointed this advantage out.

14. Unlimited space
No emails telling you you are 95% full and then having to work out what you can delete. You just buy the space that you need and go for it. Both wpfreesetup.com and bloggingbasics101.com came up with this suggestion.

15. No unwanted ads
Free isn’t free without something in return and here it normally means third party advertising. And it’s advertising in which you get no revenue! Plus you don’t have to pay to get rid of these adverts. This was suggested by both inkthemes.com and diythemes.com.

16. Web store
If you want to sell a product you can do so. Either use a plugin to create a site that’s a web store, or just have odd items for sale (e.g. an Ebook) throughout the site. Two sites suggested this – slbloggersupport.com and michaelhyatt.com.

17. Your own data
You own it all, everything that you create whether it’s media or text. No-one else decides it’s not suitable and it’s up to you if you ever want to move or delete it. wpbeginner.com were the only site to mention this.

18. Affiliate links
No affiliate links allowed when you are hosted, but go for it if you are self hosted and see if you can make a living through your blog if you wish. Both inkthemes.com and boostblogtraffic.com suggested this reason.

19. Extra features
There are loads of extra features that are only available to self hosted bloggers, some of which might be relevant to you. Both yoexpert.com and wpinterns.com recommended this.

20. Free / cheap
Ironically, given all of the extras you might end up paying for on the hosted version the self hosted version could be cheaper when paired with a domain for a few pounds / dollars and basic hosting. wpbeginner.com & yoexpert.com suggested this.

21. Sell your blog
Not many will do this but if the site really takes off someone might want to buy the blog – url & content – from you. I have done this myself and it can be very profitable. But it’s only possible when you are self hosting. However, only shoutmeloud.com suggested this reason.

Hackers Want Your Blog – But Have You Ever Watched Just How Many?

It’s absolutely frightening how many attempts are being made to break into blogs. Even this blog, which is just 2 months old, is under frequent attacks. But, are you aware of the scale of the problem and what are you doing about it?

This site is new. There’s no Google Reputation to worry about and it’s only just starting to get traffic. But hackers have found it and are taking an interest.

In the last 90 minutes I’ve been watching my blog as it is under attack from what looks to be several hackers. Why, I have no idea. Most likely because I have made posts about how to increase blog security. Maybe they want to stop me from telling other people how to protect themselves.

I’m recording all of the failed attempts to watch what they are doing and there’s around 100 failed attempts in those 90 minutes. However, by watching these failed attempts it’s quite easy to see that they are very basic and the first level of security is working – use a difficult to guess username.

On top of that the passwords are all very basic. You can see the list that I’ve collected so far here. They certainly are poor passwords to use and demonstrate that you really do need strong passwords that do not have any predictable sequences in them.

Another level of security that I do apply is being avoided here. The attackers are managing to use a whole array of ip addresses, so I’m guessing that they could be employing computers that have been taken over by viruses to ensure they hit me from different IP addresses.

Normally, from such a huge amount of attempts Limit Login Attempts would do its job and lock them out. However, they are skipping around so much that its job becomes far harder. Also, just for the “fun of it”, whilst I’m monitoring the site I’ve set the lockout limit much higher so that I can continue to watch what the attackers try.

What have I learned so far?

  1. Use a complex userid. The attempts are coming in triplets, each trying the same password, from a different IP address and these 3 userids: admin, administrator, 13weekchallenge.co (obviously created from a bot that hasn’t realised that .co is part of the URL suffix!)
  2. A complex password is required. Write it down if needs be, or store it somewhere secure. But anything with a regular pattern might be guessed. e.g., some attempts are qazwsx and 159753. Look on the keyboard (a numeric keyboard for the second one) to see why they might be popular.
  3. Monitoring attempted break-ins is essential. In fact I’m also monitoring successful logins. If it looks like a hacker might have guessed your username or password then you might just have time to change it before they guess the other half of the pairing.

However, I’ve now had enough of compiling my “useless passwords list” and so have increased the security on this blog once more, adding in a new plugin to my favourite security plugins list.  Now I’m limiting logins to the admin system to people in the UK only.

They won’t give up and I’ll still be recording the attempts, it’s just another layer of security to protect the blog with. Should they guess the combination, this extra plugin will stop them from actually getting logged on!
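
The pattern described above (guesses arriving in triplets against predictable userids, each from a different IP address) can be picked out of a failed-login record even though no single IP address ever reaches a lockout threshold. The following is an added example, not part of the original post or of any plugin: the log format, the sample records and the real admin name kestrel_owner are constructed, and it works from IP address and userid only so that attempted passwords never need to be stored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Userids the post reports being guessed (the last one is the site-name guess).
PREDICTABLE_USERS = {"admin", "administrator", "13weekchallenge.co"}

# Constructed sample records: timestamp, source IP, attempted userid.
# IPs come from documentation ranges; "kestrel_owner" is a hypothetical
# stand-in for the site's real, non-obvious admin userid.
SAMPLE_LOG = """\
2015-11-20T21:00:05 192.0.2.10 admin
2015-11-20T21:00:07 198.51.100.23 administrator
2015-11-20T21:00:09 203.0.113.77 13weekchallenge.co
2015-11-20T21:01:02 192.0.2.44 admin
2015-11-20T21:01:04 198.51.100.91 administrator
2015-11-20T21:01:06 203.0.113.5 13weekchallenge.co
2015-11-20T21:30:00 192.0.2.200 kestrel_owner
2015-11-20T23:45:00 203.0.113.150 Admin
"""


def parse_log(text):
    """Parse 'timestamp ip userid' lines into sorted (datetime, ip, userid) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user = line.split(maxsplit=2)
        # Userids are compared case-insensitively, so normalise once here.
        records.append((datetime.fromisoformat(stamp), ip, user.strip().lower()))
    return sorted(records)


def max_failures_per_ip(records):
    """Highest failure count seen from any single IP (what a per-IP limiter sees)."""
    counts = defaultdict(int)
    for _, ip, _ in records:
        counts[ip] += 1
    return max(counts.values(), default=0)


def find_distributed_bursts(records, gap=timedelta(minutes=10), min_ips=3):
    """Group failures against predictable userids into bursts separated by
    more than `gap`, and report bursts that came from at least `min_ips`
    distinct source addresses."""
    bursts, current = [], []
    for rec in records:
        if rec[2] not in PREDICTABLE_USERS:
            continue
        if current and rec[0] - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)

    report = []
    for burst in bursts:
        ips = {ip for _, ip, _ in burst}
        if len(ips) >= min_ips:
            report.append({
                "start": burst[0][0],
                "end": burst[-1][0],
                "attempts": len(burst),
                "ips": len(ips),
                "users": sorted({user for _, _, user in burst}),
            })
    return report


def real_username_hits(records, real_admin):
    """Failures that tried the real admin userid: a sign it has been discovered."""
    wanted = real_admin.lower()
    return [rec for rec in records if rec[2] == wanted]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("most failures from one IP:", max_failures_per_ip(recs))
    for burst in find_distributed_bursts(recs):
        print("distributed burst:", burst)
    for when, ip, user in real_username_hits(recs, "kestrel_owner"):
        print("real userid tried:", when, ip, user)
```

In the sample, every IP address appears once, so a per-IP limit never fires, yet the six guesses in the first minute are reported as one burst from six addresses.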

The Worst Possible Passwords

Struggling to think of a password to protect your admin system? Well, here’s a list of passwords that you certainly do not want to be using! All of these have been gathered from recording what hackers are using when trying to get access to this blog!

All of these have been attempted using the user id “Admin”, “Administrator” or “13weekchallenge.co”. So, it spells out how vital it is not to use an obvious userid for your signon. Make both of these difficult to guess and you should have made your site far safer. Have a look over my other blog security best practices and if you want to know how I’ve gathered this list, just see the previous post (security plugins).

Some of these listed below have been tried by different hackers on 3 occasions in the last few nights. If my security plugins didn’t block them out then I might just find an even bigger list of attempted break-ins but if your passwords follow any obvious patterns such as the below change them now!

  • website name, with and without the suffix (e.g. 13weekchallenge & 13weekchallenge.co.uk)
  • 111111
  • 111222
  • 121212
  • 123321
  • 1234
  • 1234554321
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 159357
  • 159753 (look at this on a numeric keyboard to see why it might be chosen)
  • 1q2w3e4r5t
  • 1qaz2wsx
  • 55555
  • 654321
  • 666666
  • 7777777
  • 987654321
  • admin
  • admin123
  • adminadmin
  • administrator
  • admadm
  • andrey (no idea on this one!)
  • changeme
  • genius
  • kirill
  • ktutylf
  • maksim
  • nurik
  • password
  • qazwsxedc
  • qwer1234
  • qwert12345
  • qwerty
  • qwerty123456
  • qwertyuiop
  • www
  • ssassa
  • zxcasd
  • zxcvbn
  • zxcvbnm

My 5 Essential WordPress Security Plugins; Why And How I Use Them

No matter how hard anyone tries I think WordPress will never be 100% secure, simply because of its popularity and the way it is used. Therefore, we as users need to put some extra security steps in place. Here are my favourite tips that anyone can install and understand.

WPS Hide Login (WPServeur). An essential first level of security, enforced upon me really after my blog had suffered 18 hours of brute force hacking attempts. This one ‘confuses’ hackers. It’s safety through obscurity, which some people argue isn’t a good idea. However, to me if it adds another layer of security it must help.

Download and activate this plugin and then click Settings. At the bottom of the settings page is a new box: “Login url”. Change the name in that box to something that you can remember but isn’t obvious. Hackers will use bots to try to find admin systems, so keep the name obscure.

Now, if anyone tries to access your login or admin pages they see your 404 page instead. Certain logins will still get through, but it should reduce the plague of a brute force attack.

Should you forget your new admin URL, then either use FTP to delete / rename the plugin or access your database and the new name is within the options there.

Limit Login Attempts (Johan Eenfeldt). First on the list as it is one of my favourites and one I am never without. Hackers will attempt to take control of your blog by brute force – attempting obvious passwords in bulk using robots. However, these attempts will frequently come from the same IP address.

So this marvellous little plugin simply sits there and watches for failed login attempts. If there are 4 failed attempts in 12 hours (defaults, you can change them) then the IP address is prevented from logging in for 20 minutes. Another set of failed attempts will produce another lockout and after four lockouts it’s a full 24 hour lockout.

OK, hackers can switch IP address. But if you have a secure password that’s going to take a million guesses to work out (let’s face it, 1,000,000 passwords can normally be tried in a few hours at just 100 per second) if you are blocking IP addresses after 16 failed attempts then to try 1,000,000 passwords they need access to > 60,000 IP addresses.

The plugin can be set to inform you when users are blocked so if you are on the end of a really bad attack then you can do as I have been known to do and move the wp-admin folder until the hacker goes elsewhere.
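
The lockout arithmetic above can be checked with a small model of the policy as this post describes it (4 failures in 12 hours, a 20 minute lockout, a 24 hour lockout after four lockouts). This is an added example and not the plugin’s own code; the class and function names are hypothetical, and resetting the lockout counter after a long lockout is an assumption of the model.

```python
import math
from datetime import datetime, timedelta


class LoginLimiter:
    """Per-IP lockout model using the defaults quoted in the post."""

    def __init__(self, max_failures=4, window=timedelta(hours=12),
                 short_lock=timedelta(minutes=20), lockouts_before_long=4,
                 long_lock=timedelta(hours=24)):
        self.max_failures = max_failures
        self.window = window
        self.short_lock = short_lock
        self.lockouts_before_long = lockouts_before_long
        self.long_lock = long_lock
        self._state = {}  # ip -> failures, lockout count, lock expiry

    def record_failure(self, ip, now):
        """Register one failed login. Returns 'rejected' when the IP is
        locked out (the guess is never checked), otherwise 'counted',
        'short_lockout' or 'long_lockout'."""
        st = self._state.setdefault(
            ip, {"failures": [], "lockouts": 0, "locked_until": None})
        if st["locked_until"] is not None and now < st["locked_until"]:
            return "rejected"
        # Only failures inside the rolling window count towards a lockout.
        st["failures"] = [t for t in st["failures"] if now - t < self.window]
        st["failures"].append(now)
        if len(st["failures"]) < self.max_failures:
            return "counted"
        st["failures"] = []
        st["lockouts"] += 1
        if st["lockouts"] >= self.lockouts_before_long:
            st["lockouts"] = 0  # model assumption: counter restarts afterwards
            st["locked_until"] = now + self.long_lock
            return "long_lockout"
        st["locked_until"] = now + self.short_lock
        return "short_lockout"


def guesses_evaluated_before_long_lockout(step=timedelta(seconds=30)):
    """One IP retrying every `step`: how many guesses are actually checked
    before the 24 hour lockout begins."""
    limiter = LoginLimiter()
    now = datetime(2015, 11, 20, 21, 0, 0)  # constructed start time
    evaluated = 0
    for _ in range(100_000):
        outcome = limiter.record_failure("192.0.2.10", now)
        if outcome != "rejected":
            evaluated += 1
        if outcome == "long_lockout":
            return evaluated
        now += step
    raise RuntimeError("policy never escalated to the long lockout")


def ips_needed(total_guesses, guesses_per_ip):
    """Addresses required if each one is spent after `guesses_per_ip` guesses."""
    return math.ceil(total_guesses / guesses_per_ip)


def count_lockouts(ip_count, guesses_per_ip):
    """Lockouts triggered when guesses are spread across `ip_count`
    addresses (constructed, documentation range; keep ip_count below 256)."""
    limiter = LoginLimiter()
    now = datetime(2015, 11, 20, 21, 0, 0)
    lockouts = 0
    for i in range(ip_count):
        for _ in range(guesses_per_ip):
            outcome = limiter.record_failure(f"198.51.100.{i}", now)
            if outcome in ("short_lockout", "long_lockout"):
                lockouts += 1
            now += timedelta(seconds=1)
    return lockouts


if __name__ == "__main__":
    per_ip = guesses_evaluated_before_long_lockout()
    print("guesses checked per IP before 24 hour lockout:", per_ip)
    print("IPs needed for 1,000,000 guesses:", ips_needed(1_000_000, per_ip))
    print("lockouts with 3 guesses from each of 50 IPs:", count_lockouts(50, 3))
```

The last figure is why the per-IP layer needs the other layers beside it: guesses spread thinly across many addresses never trip a lockout, so userid choice, password strength and monitoring still carry the load.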

Plainview Activity Monitor (Edward Plainview). This one is new to my list, but already I’m a fan. But, you need to be careful on how you use it if you are using it the way I do.

You can set this to record all failed logon attempts (Activity Monitor, Logged Hooks, tick wp_login_failed, select Activate then Apply). However, this could be dangerous and give hackers information that they need so do read on!

With the above set all failed logon attempts are recorded in detail – IP address, attempted userid and attempted password. That’s great, but if you fail to logon as Peter using Password and Pete using Password1 then anyone discovering this could well guess that Peter and Password1 are the desired combination.

So it is vital that after any failed logon attempts of your own you delete them immediately you logon – Activity Monitor from the side bar, select your failed logons, change Bulk Actions to Delete and then Apply.

But now you can see when hackers are about and the userid / passwords they are trying. If they are trying random combinations then you are fine. However, if they start to try whatever you have set up as your Admin userid then you have a warning that it’s been discovered and can change it.
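The review routine described above, as an added Python example that is not part of the plugin: it triages a constructed failed-logon log, separating your own mistyped attempts (to delete) from outside attempts, and reports whether the admin userid has been tried. The CSV layout, the `triage` function, the addresses and the dates are assumptions made for the illustration; the plugin’s own storage format is not shown in this post.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample: time, source IP, attempted userid, attempted password.
SAMPLE = """\
2000-01-02T03:10:01,198.51.100.23,admin,123456
2000-01-02T03:10:02,198.51.100.23,admin,password
2000-01-02T03:10:04,198.51.100.23,administrator,letmein
2000-01-02T03:10:05,198.51.100.23,admin,admin
2000-01-02T08:41:30,192.0.2.10,Peter,Password
2000-01-02T08:41:52,192.0.2.10,Pete,Password1
2000-01-03T01:15:09,203.0.113.77,test,test
2000-01-03T01:15:11,203.0.113.77,Peter,qwerty
2000-01-03T01:15:12,203.0.113.99,peter,dragon
"""

def triage(log_text, admin_userid, owner_ips):
    """Split the log into rows to purge and evidence of userid discovery.
    Attempted passwords are read but never copied into the report."""
    purge, hits, tried = [], defaultdict(list), Counter()
    for when, ip, userid, _password in csv.reader(StringIO(log_text)):
        if ip in owner_ips:
            # Your own typos sit next to your real credentials: delete these.
            purge.append((when, userid))
            continue
        tried[userid.lower()] += 1
        # Compared case-insensitively, as the cautious choice.
        if userid.lower() == admin_userid.lower():
            hits[ip].append(when)
    return {
        "purge": purge,
        "admin_userid_discovered": bool(hits),
        "first_seen": min((min(ts) for ts in hits.values()), default=None),
        "sources": sorted(hits),
        "top_userids": tried.most_common(3),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "Peter", {"192.0.2.10"}).items():
        print(f"{key}: {value}")
```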

Changing a UserId is difficult in WordPress, but not impossible (more information). Go to Users and create a new user with Administrator permissions, giving it a secure userid and using the same nickname as you have previously used. Sign off and back on again as this new id. Then delete the old user id, or downgrade it to Subscriber.

Be careful if deleting your old userid that you don’t delete its posts. Either leave them orphaned or move them to the new userid.

If somehow the hackers are starting to attempt to break into the site with passwords that look like they are getting close then you must take that as a huge hint that your password is not strong enough and immediately change it. If it was a reasonably secure password and they are guessing it, also ask yourself why. Have you been compromised in some way – virus, spyware or whatever?

WordPress Database Backup (Austin Matzko) – a lesson here for me in watching for similarly named plugins as I initially set this blog up with a different plugin, thinking I was getting this one and it wasn’t quite as good.

If all goes wrong on your blog then you need backups. No matter how well you protect the site, if someone still gets in and litters it with junk posts or deletes posts then your backup is where you will fall back to.

However, some backups store the backup on the server. This is great, unless the server itself is hacked. Then what might happen to the backups? I prefer to have the backups emailed to me. For this purpose I create a standalone email address that receives the various backups. Every few weeks I will logon and check that the backups are arriving and delete the oldest copies.

By using a separate email address you don’t clutter your own email with backup files. You do need to remember to logon regularly, but if they were being sent to your own email you’d still need to check they are arriving.

You can set this plugin up to do backups as often as you like – from hourly to twice a month. Extra tables on the database can be included and you can trigger a backup whenever you want to manually.

The files are quite small and email friendly. Hopefully you’ll never need them, but they are always worth having.

WP Captcha Free (iDope). Looking through similar lists, other blogs prefer to go into highly technical plugins that move wp-content and so on. However, I believe that part of the protection of your site is protecting the comments.

Akismet is great, but it lets too many spam comments through for my liking. I know when I’ve only used Akismet I’ve seen a stream of junk arriving in my comments folder. Yes, it’s supposed to learn. But you still have to get rid of all of these junk comments.

I think that junk comments are very dangerous to a blog. If just a few get through to a post then it spoils the whole site. Your reputation for not caring is gone. Sometimes it can also be difficult to see if a simple comment is just a simple, but well meaning, compliment or a lazy link build attempt.

That’s where WP Captcha Free excels. There’s no captcha for the comment leaver to use and they probably won’t even realise there’s protection going on in the background. Instead it uses algorithms to protect your site from spammers.

It can differentiate between people who have arrived on your site and read the post before commenting and automated spam robots that are just trying to fill your comments with junk. Best of all, you don’t see these junk comments!

Well, that’s my 5 essential WordPress security plugins. I’m sure other people have their favourites, so why not let me know or share this post so that more people can be protected? There are also other Security Best Practice tips that you should remember when using WordPress, so don’t forget them.