Several News Challenge projects, including ours (the Boulder Carbon Tax Tracker), feature blogs as a publishing tool. So consider this a friendly tip: If you or anyone who will be posting to your blog even occasionally uses net access of unknown or uncertain security (such as public wifi, or a hotel’s network), make sure you use a secure login for posting to your blog.

Why? Because it’s pretty common for unscrupulous folks to monitor networks used by many people with the express purpose of “sniffing” user IDs and passwords. This can have obvious bad consequences if they get access to your web-based e-mail — but it can mess up your blog, too.

I learned my lesson last November…

I travel quite a bit for business, and while I was at the BlogWorld Expo conference in Las Vegas I (like the hundreds of other bloggers there) used the convention center’s open wifi to post to my blog Contentious.com. I use WordPress, a popular blogging tool, for that blog, and was in the habit of logging in via a regular “http” (unsecured) address in order to post.

Geeky note: A secure login starts with https and must be supported by either a shared or dedicated “SSL certificate” from the web host.

…Well, wouldn’t you know it — someone sniffed my ID and password, gained access to my blog’s back-end, and then hacked my blog. Specifically, they planted a script in my site template that was posting spam to my RSS feed. This was a difficult and annoying problem to track down. But honestly, it could have been a lot worse. They could have done much more damage.

With the help of two first-class technodudes (Justin Crawford and Tom Vilot) I was able to fix this problem and implement secure login for Contentious. I won’t bore you with the technical details, but suffice it to say that it involved gaining access to the “shared SSL certificate” of my web host.

Since Boulder Carbon Tax Tracker also includes a WordPress blog hosted by the same web host, and since it’s not just me but several people who need to post to that blog, I knew we had to implement secure access for that blog as well. (Having more users multiplies your access risk.) This required a bit of unexpected wrangling with our web host, because of how they manage domains on accounts that include more than one domain.

Well, we finally got secure access implemented with Boulder Carbon Tax — which gives me more peace of mind.

Lessons learned:

  • When selecting a web host, make sure they’ll provide (at the very least) access to their shared SSL to every domain hosted on your account. And if they tell you “we can’t do that,” persist through their level 2 and 3 tech support to find out what the real answer is.
  • Always use your secure login when there is any question in your mind as to whether someone might be monitoring your network.
  • Provide only the secure login address to people who will be contributing to your blog. Don’t tempt fate.

…Of course, whenever you’re using a network connection of unknown security, secure login is important for any site that could cause you damage or heartache if it were hacked. (Which is why I always access Gmail via secure login, among many other sites.) Safer browsing is kind of like safer sex — a little carelessness can have terrible consequences.

So look over your bookmarks list. Which sites leave you vulnerable? As with Gmail, check whether there’s a secure login option. If you’re not sure, contact the site owner. Or just try changing the login URL prefix to “https” and see if you get in. When you find the secure login address, bookmark that instead and you’ll never have to think about it again.
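The bookmark review described above can be done in one pass over a browser's exported bookmarks file. This is an added example, not part of the original post: the list of login-looking path fragments is an assumption, and the sample export is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Path fragments that usually mean "this page asks for a password" (assumed list).
LOGIN_HINTS = ("wp-login.php", "wp-admin", "login", "signin", "sign-in", "account")

# Constructed sample in the Netscape bookmark-export format browsers produce.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="http://blog.example.com/wp-login.php">Blog admin</A>
<DT><A HREF="https://mail.example.com/login">Webmail</A>
<DT><A HREF="http://news.example.org/today">News</A>
<DT><A HREF="HTTP://shop.example.net/Account/SignIn?next=/cart">Shop</A>
</DL><p>
"""

class BookmarkLinks(HTMLParser):
    """Collects (title, href) pairs from <A HREF=...> entries."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def insecure_logins(export_html):
    """Return (title, url, https_candidate) for plain-http login bookmarks."""
    parser = BookmarkLinks()
    parser.feed(export_html)
    findings = []
    for title, url in parser.links:
        parts = urlsplit(url)  # urlsplit lowercases the scheme for us
        target = (parts.path + "?" + parts.query).lower()
        if parts.scheme == "http" and any(h in target for h in LOGIN_HINTS):
            # Same address with only the scheme changed; whether the site
            # answers on https still has to be confirmed by visiting it.
            findings.append((title, url, urlunsplit(parts._replace(scheme="https"))))
    return findings

if __name__ == "__main__":
    for title, url, candidate in insecure_logins(SAMPLE_EXPORT):
        print(f"{title}: {url} -> try {candidate}")
```

The script makes no network requests; each suggested https address is only a candidate to try and then bookmark if it works.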