(This post belongs to the series About blogging.)

Securing a WordPress-powered blog is one of the most pressing concerns of newbie and pro bloggers alike (several horror stories are doing rounds here). I have done my own research on this topic, and here put together a list of some of the popular suggestions and tips to secure your WordPress blog.

First thing you must do, before getting to the list, is carefully read Hardening WordPress. Needless to say, many of the suggestions below are already included there.

Now to the list:

1. Upgrade. This is the most important word in WordPress security. Because WordPress does not release bugfix patches, all fixes are incorporated in the next full version release (which causes frequent new releases, to stay current with the latest security issues). So, it is usually a good idea to download and install the most recent version as soon as it is released. You can even automate the process with automatic upgrade plugin.

Unfortunately, many WordPress users (including me) find it hard to keep up with such frequent upgrades, mainly because plugin authors do not always release compatible plugins fast enough, and such mismatch can break your otherwise smoothly running blog. (Matt Mullenweg has something to say about this though.)

Another thing is that after each major version release of the type 2.x.x—>2.y (like 2.3.3—>2.5), there is a spike in reporting new bugs, and the next “minor” release 2.y.x usually fixes them (like the latest 2.5.1). It is a good idea to wait for this bugfix version, instead of grabbing the version 2.y itself.

Do keep in mind, though, that while upgrading helps prevent future hacking of your blog, it can do little to cure an already hacked blog. So, you must take additional precautions.

2. Back up. This is the second-most important step in securing your blog. You must back up your entire blog, including databases and web site files, at least once a week. This will allow you to revert back to an older version if the blog is hacked. You will, though, lose the new posts and any site changes that you made since the last backup.

There are several options available for backing up your blog. Most blog hosting companies provide various backup services, and you should also take regular backups yourself and keep them on your local computer. For database backup, you can either use phpMyAdmin or database backup plugin. You can also use this plugin to back up both your database and web site files.

Besides upgrading and backing up, there are a number of little things you should do to further protect your blog:

3. Remove version string from “header.php”. From the admin panel, go to Presentation–>Theme Editor–>Header, and delete the generator line containing “<?php bloginfo(’version’); ?>”. This will remove the WordPress version number from the page source file, and can delay a hacker from exploiting any known security loophole in this version.

If you want to be more cautious, you may also remove the generator line from “wp-includes/feed-*.php” files, so that the version number does more cautious not show on your WordPress feed either.

Even easier, use this plugin instead to do the job for you.

4. Change default “admin” username. This is an important point, and yes, you can do this without touching your database, as I have discussed in this post.

5. Copy .htaccess to /wp-admin directory. Use the FTP program of your hosting server’s file manager to copy the .htaccess file in your root directory to the /wp-admin directory. This sets the same access permission to your blog admin panel as your server login access, making sure that only the server owner/user can access this directory.

You can also use this plugin, which adds an extra layer of security by requiring a username and password (different from your blog username) to access the wp-admin directory.

6. Drop empty index.html file in /plugins directory. Create an empty “index.html” file in your text editor (make sure to set the file type to “All files”), and upload it to the wp-content/plugins directory. This will hide the content of this directory, and hence the plugins used by your blog, to any snooping outsider.

7. Check all links in your blog. One way to know if your blog has been hacked is to check all outbound links for any spam redirection. You can do this by searching for “http://” in the source file of every page in your blog, making sure there is no funny link lurking anywhere. Firefox makes this job easy with Tools–>Page Info–>Links.

8. Avoid sponsored themes. An easy way to get spam links in your blog is by installing an unknown 3rd party theme, instead of getting it from reliable sources (such as the WordPress theme repository). Advertisers often pay theme developers to add outbound links promoting their sites, which can have all sorts of bad effects on your blog. Matt wrote about it here.

I’ll add to this list if I come across any more security tip.

Based on the color of your car, you may be revealing more about yourself than you realize. This is what I just read in this somewhat old news. Unfortunately the story does not link to the original source of the scientific study, so there is an extra job for you if you would like to verify.

The study shows that your car color may reflect your personality to some degree. For example, the color silver, which over 30% of buyers choose, indicates wealth and prestige. (And I thought many choose silver because it comes standard, so they do not have to pay few hundred dollars extra on custom paint!)

If it is yellow, then you are probably idealistic and novelty loving. (When I see a yellow car on the road, I steer clear thinking the driver is advertising a big “L”, for learning, on the back. Don’t ask my why - I just do.)

Or, if you like green, you may have hysterical tendencies. (I mean come on! What about people “going green” in these days of global warming and environmental movement?)

The color red indicates lot of energy and zest, and the owner is likely to be fast mover. (No argument there - stay away from red cars on the freeway!)

And black car owners are supposedly aggressive, and have rebellious personality. (I don’t know about that, but I avoid black to keep the interior tolerable during summer afternoons.)

There is some speculation on whether auto insurance companies are using such psychoanalysis (psychobabble?) to set your premium. But it appears they cannot, even if they would like to. There is no easy way for them to know about your car color, unless they actually ask you about it while selling insurance (the color is not encoded in any of the 17 characters of the VIN). So, go ahead and zip around in your bright red (or yellow, or green) SUV.

I just came across this Savings Bond Advisory:

Given that the current fixed base rate is 1.20%, it would much better to invest in I bonds this month rather than waiting until May 1 or later. I bonds you purchase today will earn a composite rate of 4.28% for six months, followed by six month of 6.06%. These are much higher rates than are available in bank CDs or even other US Treasury securities.

I should also add, this is better than any online money market rate, 6-month CD or 1-year CD you can get anywhere these days. There is a purchase limit though:

Also keep in mind that the Treasury changed the annual purchase limit on Savings Bonds in January to $5,000 per social security number per type of bond. This means you can invest $5,000 in paper I bonds at a bank and another $5,000 in electronic I bonds through Treasury Direct for a total of $10,000 per social security number.

Or, you can buy up to $5,000 gift bond for each member of your family (spouse, children) who has a valid SSN.

Sounds good to me - what about you?

In Part I, I discussed the two main and opposing theories of investing - efficient market theory (EMT) and fundamental analysis (FA). Here I talk about which one of these two can be thought as “correct”.

EMT or FA - which one is “correct”?

Interestingly, even though Buffett began his session with the Wharton students by criticizing the “misguided” EMT, he later advised average “non-professional” investors to buy-and-hold index funds (the strategy based on EMT), instead of trying to pick value stocks (the motto of FA) because “they are not going to be able to pick the right price and the right time”.

Coming from the Oracle of Omaha, this seeming contradiction can throw you. But, what he is really saying is that both these investing strategies are in fact correct, but they apply to two quite different types of investors. Value investing is the correct approach for professional investors, whereas portfolio diversification (with index funds) is correct for the armchair kinds.

A savvy investor, after finding a potentially undervalued stock, must do extensive study of the company (financial statements, annual reports, latest news etc.) before he can be confident enough to buy the stock. A value investor must execute frequent trading to replace old overvalued stocks in his portfolio with new undervalued ones.

By contrast, an average investor buys and holds a bunch of index funds from different industry sectors to diversify his portfolio (against market risks), and rebalances the porfolio once a year to restore the original proportion of funds. This investing method demands very little time and effort from the investor.

If both are correct, who gets more?

A simple portfolio, made up of a single index fund that tracks a broad market index such as the S&P 500 Index, experiences the usual market fluctuations over short times. Over long time, though, the portfolio guarantees the market return (minus the small operating cost of managing the fund), which was more than 10% over several past decades.

A value investor’s portfolio, on the other hand, is expected to grow (despite short-term fluctuations driven by market events) until the undervalued stocks are priced “right”. The probability of a higher-than-market return increases with the expertise of the investor, and with the time and effort spent in researching the stock’s prospect.

Simply put, an average investor with a portfolio of index funds will certainly get at least the market return over long term, whereas a professional investor with his value stocks has only a chance of achieving a higher-than-market return. (And unless the difference is substantial, high costs and taxes incurred from frequent trading can eat into the return, often pulling it down below the market return.)

There is overwhelming evidence available that achieving such higher-than-market returns on a consistent basis is an extremely rare phenomenon indeed, because no one can “pick the right price and the right time” year after year after year (if you want proof, I suggest reading Burton Malkiel’s classic A Random Walk Down Wall Street). As for me, I prefer certainty over chance, and I am very happy with index funds.

(This post is a part of the series Basics of Finance and Investing.)

It did not surprise anyone when Warren Buffett, while recently hosting a group of business students from the University of Pennsylvania’s Wharton School (his alma mater) for a two-hour question-answer session, began by pointing out the folly of the efficient market theory (EMT). After all, his objection to EMT is as legendary as his support for fundamental analysis (FA), as the foundation for smart investing.

But first thing first: what is EMT, and what indeed is FA? (These are my short-hands, by the way.)

Efficient Market Theory (EMT)

EMT holds that the (stock) market is so efficient in absorbing the latest developments in the industry (company merger, major product launch, corporate scandal etc.) that the stock prices almost instantly reflect these developments. Thus, there is very little time available to an average investor to act on such “inside information”, before it becomes common knowledge so everyone does the same (thereby quickly driving stock prices up or down). In other words, because such developments are unpredictable, stock prices in turn cannot be predicted and they execute a random walk down Wall Street.

The investing strategy based on EMT is known as portfolio diversification, where the investors buy and hold a range of stock (and bond) funds indexed to broad segments of the financial market (also called index mutual funds). Because the prices of individual securities in a fund do not move in lockstep with each other, the portfolio achieves “diversification” by spreading the risk of asset downturns (dip in one security is compensated by rise in another).

Fundamental Analysis (FA)

FA holds the contrasting view that although unpredictable market events drive the stock prices over short times (as in EMT), there is a fundamental (or intrinsic) value of every stock that can be determined by analyzing the company papers (financial statements, annual reports etc.) and other available information on its management policy, competitive edge and so on. The stock price eventually catches up with its value (which is predictable), and the investor can benefit by trading the mispriced stock and waiting till it is “corrected” by the market.

The investing strategy based on FA is known as value investing, where the investor looks to buy undervalued stocks of otherwise healthy companies. Such a portfolio is expected to grow with time despite short-term fluctuations (so no need for diversification). But, because a company does not generally stay healthy forever (management changes, economy takes a hit, and so on), a value investor must tune his portfolio time to time by selling old overvalued stocks and buying new undervalued ones.

Go on to “Part II - Which one of them is correct?”