JENerally Informed usually gets a minimum of 7 hack attempts each day, sometimes more. Sometimes A LOT more.
I’m not talking about spam attempts, which are annoying, but people trying to compromise the security of this site and gain control of it. Some of the attacks are from automated bots (computers looking for a random target). Others are definitely real people looking, for whatever reason, to compromise THIS site specifically, even though there is no obvious financial impetus to do so.
Website security is a big problem. In last week’s leaked celebrity photograph scandal, the general reaction was “I can’t believe those poor people had their photographs leaked.” While sympathetic to that thought, as a tech guy, my thought was “Seriously, iCloud was hacked?” This is a really big deal. A huge deal, in fact, one that could actually end Apple as a company if they do not get a handle on the problem.
You see, most cases of “hacking” really aren’t. They are generally “social engineering” hacks: people breaking into a physical location and getting the password to a computer because it is written on a sticky note next to the monitor, pawing through your trash looking for sensitive documents, or, most likely of all, you leaving a private internet session open on a public computer.
In the case of iCloud it looks like the hacking was legit, meaning it took someone with great skill to accomplish. The fact that those people exist scares me, and it should probably scare all of us.
But back to the original topic: if someone is trying to hack JENerally Informed, they are likely attempting to hack your site as well. So what can you do to protect your site?
1. Make sure that the main username for your site isn’t your email address, the username you blog under, “admin,” or “administrator.” Yep, those are the ones that everybody uses when trying to access this site. The smart ones have tried to log in under “Jensguy” because they think that I am the administrator of the site. I am, but I’m not stupid, so good luck with that. Seriously, though, if your username is any of these things, change it right away.
2. The simplest thing is to add “Limit Login Attempts.” This plugin does exactly as it says. It gives you three opportunities to get the username/password combo correct when logging into your site, then locks you out for a specified period of time if you are unsuccessful. It also keeps a log of the people trying to log in to your site, so you can feel superior that you have thwarted them, or terrified that there are so many.
3. Update your plugins and WordPress version soon after updates become available. Many of these updates are security fixes.
4. Don’t update your site from a public location, or even over a public wifi station with your laptop, unless you are 100% certain that it is secure. Hackers will sometimes set up “dummy” wifi stations next to actual public ones to get people to connect to them. Once you connect to their station, they can monitor traffic from your machine.
5. When somebody shows special resilience or creativity in trying to access JENerally Informed, I ban them using “WP-Ban.” Be careful with this, as you can ban yourself if you are not paying attention.
6. If you are getting way more login attempts and you want more security, it can be done, but many of the really secure options can be expensive and/or slow your site down considerably. If you think you may need this type of protection, contact Jennifer and I will help.
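To make tips 1 and 2 concrete, here is an added example (not code from this post, and not the Limit Login Attempts plugin’s own code) of what a three-strikes lockout and its log look like in plain Python. The thresholds (3 failures in 5 minutes, 20-minute lockout), the IP addresses and the usernames in the sample traffic are constructed for illustration; the author’s handle is passed in only so the summary can flag guesses at it.

```python
# Added example (not the post's or the Limit Login Attempts plugin's code):
# a minimal failed-login lockout tracker plus a summary over its log, in the
# spirit of tips 1 and 2 above. Thresholds, IP addresses and usernames below
# are constructed/assumed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Usernames that guessers try first (tip 1). The blog author's handle is passed
# in separately so the summary can flag guesses at it too.
RISKY_USERNAMES = {"admin", "administrator"}


class LoginLimiter:
    """Lock an IP out for `lockout` after `max_attempts` failures within `window`.

    Every attempt is appended to `self.log` as (time, ip, username, outcome),
    which is what lets you later see who has been knocking on the door.
    """

    def __init__(self, max_attempts=3, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lockout ends
        self.log = []                       # (time, ip, username, outcome)

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt and return its outcome as a string."""
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            # Still locked out: refuse without even checking the password.
            self.log.append((now, ip, username, "locked"))
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)     # a good login resets the counter
            self.log.append((now, ip, username, "success"))
            return "success"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            self.log.append((now, ip, username, "lockout"))
            return "lockout"
        self.log.append((now, ip, username, "failed"))
        return "failed"


def summarize(log, author_handle):
    """Count failed guesses per IP and per predictable username.

    A username counts as predictable if it is in RISKY_USERNAMES, looks like an
    email address, or equals the author's public handle (tip 1).
    """
    per_ip = defaultdict(int)
    risky_names = defaultdict(int)
    for _, ip, username, outcome in log:
        if outcome not in ("failed", "lockout"):
            continue
        per_ip[ip] += 1
        lowered = username.lower()
        if lowered in RISKY_USERNAMES or "@" in lowered or lowered == author_handle.lower():
            risky_names[username] += 1
    return dict(per_ip), dict(risky_names)


def demo():
    """Run a constructed burst of attempts through the limiter and summarize."""
    limiter = LoginLimiter()
    start = datetime(2014, 9, 8, 3, 0, 0)
    # Constructed sample traffic (documentation IP ranges, not real visitors).
    attempts = [
        ("203.0.113.7", "admin", False),
        ("203.0.113.7", "administrator", False),
        ("203.0.113.7", "jensguy", False),             # third failure -> lockout
        ("203.0.113.7", "editor@example.com", False),  # refused while locked out
        ("198.51.100.2", "jensguy", False),            # site owner mistypes once
        ("198.51.100.2", "jensguy", True),             # then logs in normally
    ]
    outcomes = [
        limiter.attempt(ip, user, ok, start + timedelta(seconds=10 * i))
        for i, (ip, user, ok) in enumerate(attempts)
    ]
    return outcomes, summarize(limiter.log, "jensguy")


if __name__ == "__main__":
    outcomes, (per_ip, risky) = demo()
    print("outcomes:", outcomes)
    print("failures per IP:", per_ip)
    print("guesses at predictable usernames:", risky)
```

Running the demo shows the third failure from one address turning into a lockout, the next attempt from it being refused before the password is even checked, and the summary singling out “admin,” “administrator” and the author’s own handle as the names being guessed, which is exactly the pattern the plugin’s log lets you spot.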
Good luck blogging everybody, and stay safe!
P.S. If you haven’t already watched the new Sherlock BBC series available on Netflix you really should.
Comments
Great tips, and the plugin is definitely a must to help limit logins, as well as not using Admin or your e-mail address for a user name. Thanks for sharing, Jensguy, and definitely hit the nail on the head with this one :)
Janine Huldie recently posted…Kindergarten Finally…
Thank you! Oh, and keep your pictures off of iCloud as well!
This freaks me out. While reading this I began to wonder why I switched to WordPress?! I’m not sure if seeing a list of blocked login attempts would make me feel okay.
Not that my login is any of the ones mentioned, but my login was set up for me by the person who set up my blog and I hate it. I thought it couldn’t be changed, but you’re saying it can? How do I do this?
Thanks for sharing Jensguy. I’ll be checking out that plugin.
Jennifer | The Deliberate Mom recently posted…Extra, Extra, The Deliberate Mom Turns 4!
You can create a second administrator account from the “Users” menu. Give it all the same information, except a different username. Use the account multiple times and when you are sure it fits your needs, delete the original admin account. Also, yeah, if you don’t have “Limit Login Attempts,” you need to get that posthaste. And, yeah, it WILL freak you out just a bit.
Crazy and scary. Although the internet is kind of crazy and scary in general anyway. But good to know and a good reminder BE CAREFUL!
Leilani recently posted…We’re Co-hosting the Mommy Reality Challenge
Yep, Jennifer was even freaked out when she proofread the post. I had to show her the log of attempted logins. It is information that she wishes she could unsee.
Three points:
1. I miss Blogger for this reason, mostly. One week into WordPress I got hacked. My WordPress wasn’t hacked, just my IP address which led to the site being blacklisted. Awesome stuff, getting a crash course in WP security issues while simultaneously learning what a blacklist entailed. BlueHost support was able to remove me from the blacklist and apparently it’s quite common, but it still scared the stinky stuff out of me.
2. I purchased WordFence Security (there is a free version) based on the recommendations of multiple website gurus, but to be honest I don’t know anything about it and I fear I could do more harm than good if I tinker. I need to get a crash course in it (feel free to teach me Obi Wan). :)
3. Using Sherlock memes = I will always respect your opinion and take your advice!
P.S. How do you change your username? My transition person set it up, and I honestly didn’t know you could change it.
Great article, JensGuy!
Sarah Nenni Daher recently posted…Thank Goodness It’s Thursday Link Party
Yeah, Wordfence is good, but as I mentioned there is a tradeoff between rock solid security and site load times. Your site seems to load up pretty well, so I suspect it is installed correctly.
As I mentioned to Jennifer, you can create a new admin account with the same info (different username) and use it for a while BEFORE deleting the old account you don’t want anymore.
Love Sherlock, but it is starting to lose some steam. . .
I hadn’t heard of this. I get spam, but I hadn’t considered hackers. I see that the commenter above said she misses Blogger. Does that mean that Blogger doesn’t get hacked or that some of these things don’t apply to Blogger?
normaleverydaylife recently posted…Motivational Monday #107
Blogger is a bit more secure as all of the sites are on the same domain and the security is handled by Google. That doesn’t mean you can’t be hacked, especially by the “social engineering” approach that I spoke of. But Google engineers handling security is greater than you or I handling security. But at the level our sites are at, we should be able to do pretty well for ourselves.
Wait, what? I was too busy looking at Sherlock and Watson.
Just kidding.
Stuff freaks me out big time! I switched hosting recently to a company that specializes in security too. It’s been eye opening, but I do feel very protected right now.
Tamara recently posted…Game Day Prep.
No love for Moriarty? Yep, talk about freaked out: I feed my children by providing security. The iCloud hack made me feel very small and alone indeed. For the record, however, I have always encouraged clients NOT to rely on the iCloud as much as Apple wants them to. I have never thought that Apple has really taken the security thing as seriously as it should.
Ummm….downloading the attempts plugin now. Thanks for the great advice!
Kristen recently posted…Miami Dolphins Fan Credo Shirt [Giveaway]
You won’t be sorry! Make sure you check the logs every once in a while to get a feel for whether you need to do a little more. Also, how about them Dolphins! You guys must be going crazy!
Last month for three consecutive weeks I was getting a minimum of 60 attempts a day from hackers! UGH! Security is a must! I remember before I secured everything how nervous I was, if you aren’t secure it’s not a matter of if, but when. Haha the Sherlock gifs are hilarious!
Heather {Woods of Bell Trees} recently posted…Mini Pinatas
Oh and my host told me my email address was a “good” username….BIG FACE PALM! I rebutted with – “yeah a hacker just tried to use my email address to sign in” which they had. LMAO
Heather {Woods of Bell Trees} recently posted…Mini Pinatas
So scary….I have mine set up so that I get a text message with a code if there’s an attempt to log in on a computer that hasn’t been logged into before. Still, this makes me paranoid!
Rebecca recently posted…My Son, the Snob.
A great post although I could feel myself breaking out into a sweat as I read this post. It had never occurred to me that someone might try to hack my blog, just for the sheer hell of it. I did sort out the main user name when I first set up my blog and change my password pretty regularly, so at least I have those steps covered!
Can I ask a daft question?…How can you tell if your site has had an attempted hack? As I have no idea what to look for….Thank you.
Debbie recently posted…Debs Diary: A Glimpse Into My Life…#4
Did not know this. I’m off to get the plugin! Thank you!
April recently posted…We are not polar bears.