Blog security: an interview with John Hoff

John Hoff blog security expertThere’s a lot of talk about how to use blogs to increase your traffic, attract prospects, and generate buzz. But there’s too little talk about blog security.

Like it or not, blogs are easy prey for hackers and other online ne’er-do-wells. And when they strike, and they will eventually, you need to be prepared.

Recently, this blog and Pro Copy Tips, were the victim of a series of sophisticated hack attacks. I contacted James from Men With Pens, who recommended John Hoff, co-founder of WP Blog Host, WordPress blog security guru, and author of the best-selling WordPress Defender.

I was so impressed with John, I asked him to do an interview with me on blog security.


Dean: When my blogs were attacked, I panicked a little. Is that a common reaction?

John: I’m sure it is. I know it was for me and my wife when her jewelry website got hacked a few years back. One day we went to her website and instead of seeing what we normally see, we saw a Google Warning stating that her site had been flagged by Google and may be downloading viruses to people’s computers. Yeah, our heart skipped a beat when we saw that.

Dean: Why do people hack blogs? Just for fun? Or is it more sinister?

John: Both reasons, actually. Every malicious WordPress hacker has their own agenda. Some reasons might include:
- Showing off to friends
- To learn something new
- They don’t like what you stand for
- They think it’s funny to ruin what others have worked so hard at creating
- Downloading viruses to people’s computers which could be configured to do just about anything
- Use your blog to create backlinks to their websites (SEO reasons, monetary reasons, etc.)

Dean: Fortunately, you were able to help me tighten my blog security. But what can happen if you just ignore the issue or rely on luck to avoid problems?

John: To me, there are 3 really bad things that can happen if you decide to ignore the problem of your website being hacked:

1. Google and other search engines would have caught up to what’s going on with your website and remove you from their search engines.

2. You could lose one of your most important assets online … trust! Tell me, would you trust if you knew their site had been hacked and they just ignored the problem?

3. You would be (morally) responsible for potentially allowing harmful viruses to download to your site’s visitor’s computers.

Dean: That’s scary stuff. It’s good that we have someone like you around to help us avoid those problems. Without revealing anything specific, what exactly did you do to make my blogs more secure?

John: I set you up to be prepared in case it does happen so that you can recover quickly and hopefully inexpensively; hooked you up with a system of monitoring and warning notifications in case something unexpected does happen; and then finally I customized key aspects of your blog to be only accessed by a small few.

Dean: The recovery element is really important. I know you can’t secure any blog 100%, but now that I’m set up to recover easily, I’m feeling a lot less stressed. But I’m wondering, is security a big problem? Most of the blogs about blogs don’t talk much about security.

John: It is a big problem and unfortunately most bloggers really are clueless as to how big of a problem WordPress “cracking” is. Nearly 2.6 million results are returned for the Google Search, “My Blog Was Hacked,” and I bet you most of those people didn’t realize this was a problem until it was too late.

I suppose the reason why you don’t see many people talking about blog security is because either the subject is kind of boring and at times can be a little technical, or like I mentioned before, the blogger is clueless as to how big of a problem this is … and that’s exactly what hackers want.

They want you to stay clueless.

Listen, real hackers don’t gloat and blog all about how they hack websites, they just do it and then leave an opening for the next hacker to come in and do their dirty work. It’s almost like they watch out for each other.

I’m sure there are hundreds of thousands (if not more) blogs out there which are hacked and the blog owners don’t even know about it.

Dean: What’s the most common security mistake people make?

John: If we’re talking technically, then the most common security mistake I’ve seen out there is failure to keep up with WordPress and plugin upgrades. However, I believe security always first starts with focusing in on you, the individual. In this case, I’d say procrastination is probably one of the biggest security mistakes bloggers make.

Dean: Good point. I’ve always done backups, but I didn’t do it very often until I had a problem. Lesson learned. If you were to list just 5 quick things people could do to prevent their WordPress blog from getting hacked, what would they be?

John: Well, I’d say …

1. Acknowledge there’s a problem and that you are not immune to it.
2. Don’t use the username “admin” and be sure to use a strong password, like t$#lLiS54@ew9.
3. Stay current with WordPress and plugin upgrades.
4. Run your FTP connection over FTPS or SFTP so your password is hidden.
5. Install the WordPress Firewall Plugin.

Dean: I’m curious, does it matter where you host your blog?

John: Generally, no it doesn’t as long as the host maintains the minimum requirements to run a WordPress blog. Just make sure your host has a good firewall installed, like Mod Security, and it would be best if the PHP version they run is at least PHP 5 and the MySQL database version is 5 or above as well.

I also would look for a host which allows secured FTP connections, like FTPS, FTPES, or SFTP. One way people hack blogs is by intercepting your FTP information when you log in. By using the secured FTP connections, this would be nearly impossible.

Dean: Working with you was fantastic, John. You spoke to me in plain English, answered all my questions, charged a fair price, and … well, you were just cool. Where did you learn that? Most tech guys are not that easy to work with.

John: Thank you, Dean. I’ve actually been told that many times. I suppose it comes from being very patient and when explaining how to do things I always try to remember all the issues I had when learning it and making sure those are all addressed in what I’m doing.

I’m also a laid back kind of guy. If it were up to me I’d be spending my days on a beach in Hawaii surfing everyday. Do they make computers for surfboards?

Dean: I don’t know, but it’s not a bad idea. You could embed an iPad right into the board. But I’m guessing you’d wipe out more often.

John: I could just float and work. What a cool way to spend my days.

Dean: How long have you been doing WordPress security?

John: About two and a half years.

Dean: What gave you the idea to start

John: I and a few others got together and noticed how big WordPress was becoming and the fact that no other web host really catered to people looking to start a blog, so we filled that void. We’ve created a ton of videos on our web television channel, for beginners / intermediates, and we really want to help bloggers jump ahead a little on the learning curve when they’re just starting out.

Dean: Your book, WordPress Defender, is amazing. It’s actually interesting and easy-to-read. And I learned a lot about blog security. How long did you work on that? Do you update it frequently?

John: Thank you. It took me a couple years to learn what I know today, but to write the ebook and create the 14 videos took me somewhere between 2 and 3 months. Since the subject can be boring at times, I really wanted to make sure my personality shined through in the book and the information I dished out was explained in as simple terms as possible.

I’ve updated the ebook once since its launch on March 1st, 2010. eBook owners can also choose to opt into my WordPress Defender Newsletter which will be used to send notifications of updates and/or new security features I come across in the future.

Dean: Well, I loved the book. And the videos are fantastic. I could actually understand them and you take your time explaining things. Your laid-back surfer dude approach works. But I’m sure someone is reading this thinking, “Oh come on, my blog won’t get hacked. I don’t have to worry about security.” What would you say to them?

John: You’re exactly the kind of target they are looking for.

Dean: Nicely said. Thanks, John. It’s nice knowing there’s someone to call who can helps us make our blogs more secure.


I hired John to secure my blogs, but if you want to do it yourself, I highly recommend WordPress Defender. It’s probably the only blog security book you’ll ever need. John makes it a pretty good read.

If you’re in over your head, like I was, and want to contact John, go to his WordPress Lockdown page and send him a message. He’s quick to respond. Just keep in mind, he’s on the “left” coast, so take the time zone into consideration.

Subscribe to FREE Newsletter / Subscribe to blog by RSS or E-mail


One Response to “Blog security: an interview with John Hoff”

  1. John Hoff on May 18th, 2010 9:40 am

    Hi Dean. It was a pleasure working with you and getting to know you, to bad it was under such circumstances.

    That picture of me above is actually a picture of me holding my second born son on day 2. Anyone who has kids and stayed at the hospital with their wife probably had a similar look–smiles but tired LOL.

    Thanks again.

FREE Newsletter
Get my monthly newsletter and a FREE 16-page Report: 99 Easy Ways to Boost Your Direct Mail Response!
Enter your main e-mail:
Past issues and more info.
Your privacy is guaranteed.