This is a cautionary tale for my fellow bloggers.
I had thought my art site, Rohvannynshaw.com, was fairly safe. I had set up a couple of passwords that did the whole numbers, letters and symbols thing. I guess my FTP password, which I didn’t think of much because I don’t really use FTP, was too easy to guess.
This opened the site up to scammers!
It started with multiple spam comments a day. After I locked that down by requiring sign-up for commenters, I still got a few. Then the spam through my contact form started. Then I found a couple of blog posts that I hadn’t written. I changed my passwords and deleted the content, figuring that would be the end of it. It wasn’t. Then a couple of users I hadn’t added showed up. I deleted them, changed the password again…
Then someone built a phishing page that was harassing hotels in Germany, using the hosting I was paying for. Then they took over my email and started using that to spam people, and locked me out…
So I contacted my hosting company to see what I could do.
It turns out that FTP password, which I rarely even thought of, was the weak link. It had been too easy to guess and had given scammers access.
So my entire site had to be deleted and now I have to start from scratch. I’m waiting a bit to see if anyone is putting any other files on my site or database, before rebuilding the site. As many gray hairs as this has given me, I’ve learned a lot. So here are some things you can do to prevent the same thing from happening.
Keep an inventory of all your passwords and make sure they are ALL hard to guess. You may want to keep a little book, hidden or locked up somewhere, as a master list that is not accessible online. That way you can change things on a regular basis and not forget anything. I have done this. I know people say never write down your password, but honestly that’s probably the safest way to keep it – just don’t leave it where people can find it.
Watch for spam comments, new files you didn’t upload, and new users on your site.
If you pay for hosting outside WordPress, know how to get into your database and your files list so you can check for new things you didn’t add.
Watch for blog posts you didn’t write. They may be hidden in the middle of the list.
Get two-factor authentication if you can.
Keep your blog updated with any security updates or patches.
Run an antivirus (I recommend Spybot S&D) or use a Linux machine. That way, you aren’t as likely to be hit by keyloggers that will save your password.
If you have a security issue, go to your hosting service – a lot of times they can be helpful.
Back up your site in some way. That way you don’t have to start from scratch in case you have to redo it – like I did. I have my blog entries for my art site saved on Goodreads so I know basically what I had.
Stay vigilant! If something looks odd, investigate.
Keep blogging! Sites with few or infrequent updates are prime targets for scammers and hackers because they know they aren’t watched as well.
May the Source be with you.