Often when we think of websites being hacked, we think of big banking or insurance institutions where identity is stolen. But what if I told you that your identity might be stolen right now, right on your site, and you don't even know it?
I'd love to tell you that I learned this tip and applied it right away, but I wouldn't be telling the truth.
I'd love to tell you that my site did not get hacked too…
If it can happen to me, it can happen to you!
Today, I'll tell you about how I got hacked, what happened and how you can prevent this from happening to you.
How I Got Hacked
A few years ago I created a telesummit program and it had its own WordPress site. (I'd link you to it, but I recently took it down!) Not knowing any better, my user name was the default “Admin” and that is the same name that I displayed in all of the posts, pages and comments.
A lot of people do that, right?
The problem with keeping your WordPress set up in this way (or any other online tool where your user name and your display name can be the same) is that you have told hackers 1/2 of what they need to get into your site!
To add insult to injury, my password was mediocre at best. I simply did not think keeping my site for the program super secure was anything to worry about.
What Happened When the Hacker Got Access
Well, someone got access to my site by using Admin as the user name and figuring out my password. Then, they created a new user with full admin authority. I never got notification and had no idea that a new user had been added to the site.
This happened months before I realized what was going on.
The hacker then went into all of my pages and added code, ads and keywords that were completely out of alignment with me!
I never received notification because they did not create new pages. They simply modified pages that already existed.
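One way to catch an added administrator like the one described above, as an added example that is not part of the original post. It assumes WP-CLI (the `wp` command) is installed on the server; the function name `unexpected_admins` is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes WP-CLI ("wp") is
# installed and the script runs from the WordPress install directory.

# unexpected_admins "login1,login2"
# Prints every Administrator login that is not in the comma-separated list
# of accounts you expect. Exit status: 0 = none found, 1 = at least one
# unexpected administrator, 2 = WP-CLI itself failed.
unexpected_admins() {
    expected=",$1,"
    found=0
    # One login per line; bail out if the site cannot be queried.
    list=$(wp user list --role=administrator --field=user_login) || return 2
    while IFS= read -r login; do
        [ -n "$login" ] || continue
        case "$expected" in
            *",$login,"*) ;;                      # an account you created
            *) printf '%s\n' "$login"; found=1 ;; # an account you did not
        esac
    done <<EOF
$list
EOF
    return "$found"
}

# Typical use, e.g. from a daily cron job:
#   unexpected_admins "P00key" || echo "Review the Users screen now"
```

Run on a schedule, this reports a new administrator within a day instead of months later.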
It Could Have Been Worse
They could have created a new user and then locked me out or added plugins that disabled the site.
Think of the information that you store on your site. Do you have programs in password protected spots? Do you store affiliate link information? Client membership sites?
How to Prevent This from Happening To You
Create strong user names
Your user name should not be “Admin” or your name. Pick something that is totally unrelated. It's even better if it is a combination of letters and numbers.
One idea is to pick a nickname and alter it.
- Pookey could become P00key
- Ginger could be G1nger or G1ng3r
- Sweet Pea could become Sw33tP3a
You get the idea. Create something that is not easy to figure out and has nothing to do with the name that actually displays on your site.
If your blog is already up and going and your user name is Admin, consider creating a new user on your site, changing the blog posts to the new user and deleting the Admin user. Note, you can't change a user name, so you have to create a new one if you want to change it. Here is how:
- Back up your site!
- In your back end user panel, choose “Users”
- Click “Add New”
- Fill out all of the required fields. Note: if you use the same email as your Gravatar, you will be able to have your picture show when you comment on your own site.
- Make sure to select Administrator under “Role”
- Click “Add New User”
- In the listing of all users, select the new user you just created and double check that all of the information is what you want.
- Go back to the list of users
- Check mark the user you want to remove (e.g. the one with the Admin user name)
- Look at the top and choose Delete from the Bulk Actions drop down menu.
- If you have posts and pages attributed to the user you are deleting, the system will ask “What should be done with posts owned by this user?” Select “Attribute all posts to:” and pick your new user name. Note: Look for the name you chose to use other than the user ID.
- Click Confirm Deletion
You now have a new user with a better id and all of your posts moved to that user in under 10 minutes.
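The same swap done from the command line, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed on the server; the function name `replace_admin_login` and the backup file name are made up for illustration, and the export covers the database only, not uploaded files.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes WP-CLI ("wp") is
# installed and the script runs from the WordPress install directory.

# replace_admin_login OLD_LOGIN NEW_LOGIN EMAIL "DISPLAY NAME"
# Prints the new user's ID on success; returns non-zero without deleting
# anything if a safety check fails.
replace_admin_login() {
    old=$1; new=$2; email=$3; display=$4

    # The public name must be set and must differ from the login.
    if [ -z "$display" ] || [ "$display" = "$new" ]; then
        echo "display name must be set and differ from the login" >&2
        return 1
    fi
    # The old account must exist and the new login must be free.
    wp user get "$old" --field=ID >/dev/null 2>&1 ||
        { echo "no such user: $old" >&2; return 1; }
    if wp user get "$new" --field=ID >/dev/null 2>&1; then
        echo "login already in use: $new" >&2
        return 1
    fi

    # "Back up your site!": dump the database before touching users.
    wp db export backup-before-user-change.sql >&2 || return 1

    # Create the administrator; --porcelain prints only the new ID and
    # --send-email mails the account details to EMAIL.
    new_id=$(wp user create "$new" "$email" --role=administrator \
        --display_name="$display" --send-email --porcelain) || return 1

    # Double check the role before removing the old administrator.
    case "$(wp user get "$new" --field=roles)" in
        *administrator*) ;;
        *) echo "new user is not an administrator; aborting" >&2; return 1 ;;
    esac

    # Delete the old account and attribute its posts and pages to the new one.
    wp user delete "$old" --reassign="$new_id" --yes >&2 || return 1
    echo "$new_id"
}

# Example call (constructed values):
#   replace_admin_login admin P00key you@example.test "Your Public Name"
```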
Create an even stronger password
Passwords are getting easier and easier to crack now. Pick something that is longer and contains lower and upper case along with numbers.
I love the idea of making my passwords do double duty by using affirmations. As you type the password every time you log in, you are affirming something you want in your life:
- 1AmAGreatBl0ggerT0day – I am a great blogger today
- 1AttractCl1entsC0ns1stently – I attract clients consistently
- 1AmACl13ntM4gnet – I am a client magnet
Or think of a song or poem that holds meaning for you:
- JLMT1K4TBTMS – Jesus Loves Me This I Know for the Bible Tells Me So
- Ta7D1twaS11oT – There are seven days in the week and someday isn't one of them.
- HHbSLL&PHS0&NGU – Have hope be strong, laugh loud and play hard, smile often and never give up
Get the idea?
Display something other than your user name
This is going to be set up differently depending on the technology you use to create your website, but if you use WordPress here are the steps:
- In your back end user panel, choose “Users”
- Click “Your Profile”
- Scroll to the section that says “Display name publicly as”
- Change it to anything other than your user name. In my case, you will see that my “about” on this post says “Stephanie LH Calahan”. I made that happen by typing my full name into the “Nickname” field and then selecting it for my public display name.
Ok, what are you waiting for?! Go update your info!
Or, if you would like a bit more motivation, read this website theft horror story.