I recently took a few weeks off blogging. Those few weeks turned into more than I expected because of a minor technical hitch. A couple of people I know had their self-hosted WordPress website hacked recently. Since I have the same type of installation, I followed a great article written by Marcy Kennedy on securing a WordPress site. It was all pretty easy stuff to follow. Well, ok, easy because Marcy wrote a guide even an idiot could follow, and I’m a certified idiot.
Everything went well. I installed plugins, changed usernames and stuff. Extra pages on the admin page told me this, that, and the other were all now protected from hacker voodoo. I slept like a lamb that night, happy that my site was safe from harm. And it was. Very safe. Completely protected. Unhackable.
Yes, no fear of harm to my website … because the following morning I couldn’t remember my new password. Was it uppercase-underscore, control-seven, alt-backspace? Grrrr. One of the handy dandy security features I added to my blog was a plugin to lock IP addresses out after a few unsuccessful login attempts … for 24hrs. Oh glee.
To cut this tedious story short, I finally got the correct combination of neurons together to remember the password and I’m back in business (I have a black belt in the bleeding obvious).
So, is there a point to this story? Yes. The lockout plugin records the failed login attempts, and in the past week the following *&@#^% scum have tried to log into my site. I’m pretty sure they weren’t going to share their secret recipes for brownies if they succeeded.
22.214.171.124 admin (1 lockout)
126.96.36.199 admin (1 lockout)
188.8.131.52 Admin (2 lockouts)
184.108.40.206 Admin (2 lockouts)
220.127.116.11 Admin (2 lockouts)
18.104.22.168 admin (22 lockouts), anyone (1 lockout), 2012july (1 lockout), sherry (1 lockout), places (1 lockout), delivered (1 lockout), important (1 lockout), reading (1 lockout), igelblackwel (1 lockout), but (1 lockout), there (1 lockout), same (1 lockout), elblackwe (1 lockout), lear (1 lockout), litter (1 lockout)
22.214.171.124 admin (3 lockouts)
126.96.36.199 Admin (1 lockout)
188.8.131.52 Admin (1 lockout)
184.108.40.206 Admin (1 lockout)
220.127.116.11 administrator (1 lockout)
These IP addresses range all over the world, with the Netherlands being the most active. Mind you, if these people go to all the trouble of trying to log into my site, I’m sure they’re capable of masking their real IP address, so they could be from anywhere. On the upside, my web host has tools to block IP addresses, so some of these are history, although I expect they’ll just pop up from a different address.
I feel like I want to rant and rave and put 20,000V between their keyboard and their mouse, but until the http syntax is updated with an “electrocute the buggers” command, I’ll have to make do with Marcy’s advice and my new password … whatever it is.
What passwords have you forgotten lately?
Passwords and PIN numbers are the bane of my existence. Since you’ve scared me, I’m off to up my security. sighhhhh Off with their heads
PIN numbers are even worse for me than passwords!
I was amazed by the login attempts on my site given it only gets 20 to 50 hits a day – ha, half of them must be hackers!
I’m a web developer – I have so many, I pretty much have to write them down somewhere. Especially since the networks make me change my password every so often anyway. And yes, sometimes I still forget them – or forget where I’ve written them down!
I’ve been putting off installing better security on my site – but wow, seeing all the hacking attempts on yours, maybe I’d better move that up the to-do list…
Everything on the web seems to need a username and password. It’s getting so you can barely look at a site without having a create-a-username page shoved in your face. As for the security, I only did it because Marcy laid out the instructions, I never thought people (bots) would be trying to log in. Ho hum…
I have a perfect solution for your dilemma. Hold on a second. Let me see if I can remember it. . . .
I seem to think I had a similar moment, David, but …
Why on earth would so many people want to hack into your WordPress account? That’s very strange. I forget passwords all the time. There are a few basic passwords that I use, with different prefixes and suffixes. So by the time I try all the different combinations, invariably I lock myself out of at least one a week.
Hi Madame Weebles
I don’t think they’re trying to spread the joy of their cookie recipes. The IP in the Netherlands is connected to several sex sites, as for the rest some will be for the malicious kick they get out of destroying your work, others will spread viruses, redirect to their sites and be used for various forms of swarming/denial of service etc type attacks. Believe it or not there is an industry that sells DOS attacks on a cost per hour basis. The world’s average is very average, but the bottom of the barrel know no limits.
Fortunately, wp.com does all the security stuff for you. I often wonder if a self hosted blog is really worth it given all the extra work (and in my case, potential screw-ups!)
Yeah, I considered the self-hosted option, but I stuck with WordPress just so I wouldn’t have to worry about security and anti-spam.
In the end, I created my landing pages in wordpress.com, and the rest is cross-linked to pages on my own site so I can do whatever I want with my HTML code. It’s not perfect because I can’t exactly duplicate the look, but it’s close enough for now. And at least I don’t have to worry about hackers. Much…
That’s not a bad solution, Diane. WordPress even offer a package where you can have your site hosted on their servers. It looks like your site but they manage it all. I might look at that next time I have to renew my host.
I think we’ll always have to worry about baster… I mean hackers.
My friend. If you qualify as an “idiot” then most of the rest of us are dumber than idiots. Thank you for the info. May I suggest that you apply the 20kv across their ankles rather than their PC?
I missed your articles. Welcome back.
No, idiot is definitely a good description of me on this one. The worst part is that after finally getting the right combination of weird keys, I noticed a link to reset my password. Oh glee, I could have cut out several days of the agony.
If I get the 20kv http command through the WWW review board, I will make sure to add an “ankle” option.
Have a great weekend.
Most recently I forgot my PayPal account password. Not good. I write them down but I try to put it in ‘code’ such as ‘t FR’ which means my friend Ted’s birthday is the password (I don’t have a friend named Ted, hackers out there; I’m making all this up). But, as someone already mentioned, then you have to worry about where the H you put the blinking little post-it with that password code.
I, too, have a code system. I’m very sneaky in the words that remind me of the actual password. At least I thought I was. Now I just have a series of cryptic clues…
Good luck with paypal.
Oh, Nigel, I’m sorry you forgot your password, but thank you for the shout out and for giving me a real good laugh this morning. This is why I have my password written down and taped to the back of a picture 🙂
I find the number of hacking attempts made on my site to be disturbing too, but I’m very glad to know I have the items in place to protect my site.
One of the reasons I really feel like an idiot is because, having spent several days experimenting with passwords and getting locked out, I noticed the password reset link – right as I remembered the things!
I think paper is a good way to store passwords. I read an article that was comparing password managers for the iPhone and BlackBerry. Over half did not encrypt the data, they just depended on the phone’s PIN/lock feature.
Your post, and the hard work of the plugin writers, makes me feel better. Previously I was happy in my ignorance. It’s scary what goes on that I have no clue is happening.
Wow! That’s crazy. I set up my site and haven’t done anything with it. Haven’t even checked on it in a while. Now I’m concerned. There’s nothing there, yet, just bought the domain. Still… I need to get on that.
You sure did make a fun post out of the situation. Love the way you turn a situation around. I have the hardest time with my passwords – and remembering where I write them down.
Yeah, the “where” is all important to keeping passwords. I frequently use a post-it note then a month later clear my desk without thinking about it.
Good luck with your site 🙂
I get the lockout emails every day. It freaks me out, but my tech guy (husband) says it’s ok. We use a master password system that generates secure passwords and saves them all. I only have to remember one password. It’s all my brain can handle! I feel your pain Nigel. 🙂
Yes, it’s amazing how many people want to infect people’s websites. I’ve blocked several of the sites, but I expect they will pop up at another address again. A master password, or keychain like Apple, is definitely easier on the brain 🙂
My friend always puts in “Oh shit” as a password. She figured she might as well go with something that works.
LOL! There’s a method for remembering passwords. Perhaps login instructions should say “enter username” and “enter cussword” 🙂