If you have a WordPress blog or website, be aware of increased hack attacks. Partly because WordPress sites are so popular and partly because new versions keep turning up exploitable holes, they’re a popular playground for hackers. Except they aren’t playing, and they have a strategy.

It’s NOT a case of “I don’t have anything worth hacking, so I’m probably ok.” No, you aren’t. Automated bots crawl the Internet at random hunting for any site they can break into. Sure, they’re hunting data, but they are also looking for an open platform for spamming and other less than legal or moral activities.

If they “stumble” onto your login info, they’ll add admin logins and admin functions, add plugins, change passwords, and add email addresses that carry your domain name but don’t really exist. Then they can start massive spamming through your site, using the newly created addresses at your domain as the “from” address. So who takes the spam hit? You do, and it can have serious consequences. And if you have sensitive info on the site, oh, bonus for them.

We’ve seen it in action since we have multiple WordPress sites. Finding a solution involved research, removing all the offending info, and ultimately adding anti-hack plugins to lock things down. One plugin used is Wordfence Security. We get reports of all the attempts that are being made on various sites: when, where and what words are being tried. They get stopped by the plugin, but it’s still amazing to see which of our sites attracts the most attempts.

On install, a WP site has a default “super user” admin account with the username “admin” and you decide the password. You can add any other user accounts you want, but the superuser admin really needs a strong password, preferably one that has nothing to do with your name, your domain, or your niche. Those are all common guesses the bots are programmed to attempt. We also changed the default login from “admin” to something unique to us. You can lock down your login with this plugin.

It doesn’t have to be overwhelming. First comes awareness, then making sure you don’t already have new users on your site or plugins you didn’t install. If you do, get them removed immediately. Then add your own plugin protectors. If this is above your pay grade, it’s wise to check with your web host or another IT person who can help make sure you are protected.
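As an added illustration of that check (my example, not code from Wordfence or WordPress), here is a small audit that compares a site’s user and plugin lists against what the owner knows they created. The input is constructed sample data in the CSV layout I assume `wp user list --format=csv` and `wp plugin list --format=csv` produce; the allowlists are hypothetical.

```python
import csv
import io

# Constructed sample in the assumed layout of `wp user list --format=csv`.
# The "wp_support" account at 3 a.m. is the kind of addition the post warns about.
USERS_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,admin,Site Owner,owner@example.com,2012-01-05 10:00:00,administrator
2,editor_jane,Jane,jane@example.com,2012-02-01 09:30:00,editor
7,wp_support,Support,support@example.com,2013-03-14 03:12:44,administrator
"""

# Constructed sample in the assumed layout of `wp plugin list --format=csv`.
PLUGINS_CSV = """name,status,update,version
akismet,active,none,2.5.9
wordfence,active,none,3.8.1
wp-mailer-pro,active,none,1.0
"""

# Hypothetical allowlists: accounts and plugins the owner knows they set up.
KNOWN_ADMINS = {"admin"}
KNOWN_PLUGINS = {"akismet", "wordfence"}


def audit_users(users_csv, known_admins):
    """Flag administrator accounts the owner did not create, and the default 'admin' login."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = set(row["roles"].split(","))
        if "administrator" not in roles:
            continue  # only privileged accounts matter for this check
        if row["user_login"] == "admin":
            findings.append("default username 'admin' still holds the administrator role; rename it")
        if row["user_login"] not in known_admins:
            findings.append(
                f"unexpected administrator: {row['user_login']} "
                f"({row['user_email']}) registered {row['user_registered']}"
            )
    return findings


def audit_plugins(plugins_csv, known_plugins):
    """Flag installed plugins that are not on the owner's list, active or not."""
    return [f"unexpected plugin: {row['name']} ({row['status']}, v{row['version']})"
            for row in csv.DictReader(io.StringIO(plugins_csv))
            if row["name"] not in known_plugins]


if __name__ == "__main__":
    for finding in audit_users(USERS_CSV, KNOWN_ADMINS) + audit_plugins(PLUGINS_CSV, KNOWN_PLUGINS):
        print(finding)
```

Anything it prints is something to remove or rename, then verify with the Wordfence report afterwards that the attempts against that account stop mattering.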

Tomorrow I’m going to share a truly amazing spam attack. It’s jaw-dropping amazing.