Often when we think of websites being hacked, we think of big banking or insurance institutions where identities are stolen. But what if I told you that your identity might be stolen right now, right on your own site, and you don't even know it?
I'd love to tell you that I learned this tip and applied it right away, but I wouldn't be telling the truth.
I'd love to tell you that my site did not get hacked too…
If it can happen to me, it can happen to you!
Today, I'll tell you about how I got hacked, what happened and how you can prevent this from happening to you.
How I got Hacked
A few years ago I created a telesummit program, and it had its own WordPress site. (I'd link you to it, but I recently took it down!) Not knowing any better, I kept the default user name, "Admin", and displayed that same name on all of my posts, pages and comments.
A lot of people do that, right?
The problem with keeping your WordPress site set up this way (or any other online tool where your user name and your display name are the same) is that you have handed attackers half of what they need to get into your site. All that is left for them to guess is the password.
To add insult to injury, my password was mediocre at best. I simply did not think keeping my site for the program super secure was anything to worry about.
What Happened When the Hacker Got Access
Well, someone got access to my site by using Admin as the user name and figuring out my password. Then, they created a new user with full admin authority. I never got a notification and had no idea that a new user had been added to the site.
This happened months before I realized what was going on.
The hacker then went into all of my pages and added code, ads, and keywords that were completely out of alignment with me!
I never received a notification because they did not create new pages; they simply modified pages that already existed.
It Could Have Been Worse
They could have created a new user and then locked me out, or installed plugins that took the site down.
Think of the information that you store on your site. Do you have programs in password-protected spots? Do you store affiliate link information? Client membership sites?
Ug!
How to Prevent This From Happening To You
Create a strong user name
Your user name should not be "Admin" or your own name. Pick something unrelated, ideally a mix of letters and numbers.
One idea is to pick a nickname and alter it:
- Pookey could become P00key
- Ginger could be G1nger or G1ng3r
- Sweet Pea could become Sw33tP3a
You get the idea: choose something that is not easy to guess and that has nothing to do with the name that displays on your site. One caveat: WordPress does not treat the login name as a secret. The author archive (the /?author=1 link) and the REST API (/wp-json/wp/v2/users) reveal a slug that WordPress derives from the login name for any account that has published a post, and standard password-guessing rule sets already include these letter-for-digit swaps. A distinct login name adds friction, but the password, and two-factor authentication where you can get it, are what actually keep someone out.
If your blog is already up and running with the user name Admin, create a new user, move the posts to it, and delete the Admin user. Note that WordPress does not let you edit a user name, so you have to create a new one if you want to change it. Here is how:
- Back up your site!
- In the dashboard, choose "Users"
- Click "Add New"
- Fill out all of the required fields. Note: if you use the same email as your Gravatar, your picture will show when you comment on your own site.
- Make sure to select Administrator under "Role"
- Click "Add New User"
- In the list of all users, open the user you just created and double-check that all of the information is what you want.
- Log out and log back in as the new user, so you know it works before you remove the old one.
- Go back to the list of users
- Check the box next to the user you want to remove (the one with the Admin user name)
- At the top, choose Delete from the Bulk Actions drop-down menu
- If you have posts and pages attributed to the user you are deleting, WordPress asks "What should be done with posts owned by this user?" Select "Attribute all posts to" and pick your new user. Note: the drop-down shows the display name you chose, not the user ID.
- Click Confirm Deletion
You now have a new user with a better ID and all of your posts moved to that user, in under 10 minutes.
Create an even stronger password
Password-cracking hardware gets faster every year, so a password that felt adequate a few years ago is not adequate now. Pick something long that mixes lower and upper case with numbers (and special characters, if the site allows them), and never reuse it on another site.
I love the idea of making my passwords do double duty by using affirmations. As you type the password every time you log in, you are affirming something you want in your life:
- 1AmAGreatBl0ggerT0day – I am a great blogger today
- 1AttractCl1entsC0ns1stently – I attract clients consistently
- 1AmACl13ntM4gnet – I am a client magnet
Or think of a song or poem that holds meaning for you:
- JLMT1K4TBTMS – Jesus Loves Me This I Know for the Bible Tells Me So
- Ta7D1twaS11oT – There are seven days in the week and someday isn't one of them.
- HHbSLL&PHS0&NGU – Have hope be strong, laugh loud and play hard, smile often, and never give up
Get the idea? Two cautions: it is the length and the unusualness of the phrase that does the work, not the 1-for-I and 0-for-O swaps, which cracking tools try automatically; and the examples above are now published, so treat them, and anything else printed in a blog post, as already guessed.
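How much do the letter-for-digit swaps above actually buy you? Here is an added example, not code from the original post, that counts the variants a password-guessing tool has to try once it knows the base word. The substitution table and the 100,000-entry phrase list it assumes are mine, chosen to mirror the post's own examples; real rule sets and wordlists are far larger.

```python
"""Measure how much the letter-for-digit swaps in the tips above really add.

Added example, not part of the original post. The substitution table and the
phrase-list size are assumptions chosen to mirror the post's examples; real
cracking rule sets are larger and wordlists run to millions of entries.
"""
import math
from itertools import product

# Swaps the post suggests (P00key, G1ng3r, 1AmAGreatBl0ggerT0day), which are
# also the swaps every standard cracking rule set applies first.  Assumed table.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def pool(ch):
    """Every character a base letter may turn into: itself, its upper-case
    form and its look-alike digits/symbols."""
    base = ch.lower()
    chars = {base, base.upper()} if base.isalpha() else {base}
    chars.update(LEET.get(base, ""))
    return chars


def variant_count(word):
    """Number of distinct strings an attacker must try if they know `word`
    and apply only case changes and LEET swaps."""
    return math.prod(len(pool(ch)) for ch in word)


def leet_variants(word):
    """Enumerate every variant of `word` (only sensible for short words)."""
    for combo in product(*(sorted(pool(ch)) for ch in word)):
        yield "".join(combo)


def is_leet_variant(candidate, word):
    """True if `candidate` is `word` with nothing but case/LEET changes,
    i.e. it falls inside the space a rule-based cracker enumerates."""
    return len(candidate) == len(word) and all(
        c in pool(ch) for c, ch in zip(candidate, word))


def effective_bits(word, phrase_list_size):
    """Work factor, in bits, if the attacker's list of base words/phrases
    holds `phrase_list_size` entries and `word` is one of them."""
    return math.log2(phrase_list_size * variant_count(word))


def nominal_bits(password, alphabet_size=62):
    """Work factor the same password appears to have if every character were
    drawn uniformly from an alphabet of `alphabet_size` symbols."""
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    for login in ("pookey", "ginger", "sweetpea"):
        print(f"{login}: {variant_count(login)} variants, "
              f"{effective_bits(login, 1):.1f} bits if the nickname is known")
    phrase = "iamagreatbloggertoday"
    print("1AmAGreatBl0ggerT0day is a variant of the phrase:",
          is_leet_variant("1AmAGreatBl0ggerT0day", phrase))
    print(f"looks like {nominal_bits(phrase):.0f} bits, "
          f"is about {effective_bits(phrase, 100_000):.0f} bits "
          "against a 100,000-phrase list (assumed list size)")
```

Run it and `pookey` comes back as 216 variants (under 8 bits of work once the nickname is known), while `1AmAGreatBl0ggerT0day` drops from roughly 125 bits on paper to about 46 bits if the phrase is on the attacker's list. The swaps are nearly free for the attacker; what costs them is a long base phrase nobody would think to put on a list.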
Display something other than your user name
How you do this depends on the technology behind your website, but if you use WordPress here are the steps:
- In the dashboard, choose "Users"
- Click "Your Profile"
- Scroll to the section that says "Display name publicly as"
- Change it to anything other than your user name. In my case, the "about" box on this post says "Stephanie LH Calahan"; I made that happen by typing my full name into the "Nickname" field and then selecting it as my public display name.
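The two WordPress procedures above (replacing the Admin user and setting the public display name) can also be scripted, which helps if you look after more than one site. This is an added example, not code from the post: a small Python wrapper that drives WP-CLI. It assumes WP-CLI (`wp`) is installed and that it runs from the WordPress root; the `run` parameter exists so the command sequence can be exercised against a fake runner without touching a live site. Unlike the click-through, it refuses to delete the old account until the new one is confirmed to hold the administrator role.

```python
"""Replace an "admin" login with a fresh administrator account via WP-CLI.

Added example, not part of the original post. It assumes WP-CLI ("wp") is
installed and is run from the WordPress root; the `run` argument exists so
the command sequence can be previewed or tested without a live site.
"""
import json
import subprocess
import sys


def run_wp(args):
    """Run one WP-CLI command and return its stdout (raises on failure)."""
    proc = subprocess.run(["wp", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def replace_admin_user(old_login, new_login, email, display_name, run=run_wp):
    """Create new_login as an administrator, hand everything old_login owns
    to it and delete old_login.  Refuses to delete until the new account is
    confirmed to exist with the administrator role, so you cannot lock
    yourself out.  Returns the administrators left afterwards."""
    # 1. Database backup first; the delete step cannot be undone.
    run(["db", "export", f"backup-before-removing-{old_login}.sql"])

    # 2. Create the replacement.  Without --user_pass, WP-CLI generates a
    #    random password and prints it; change it from your profile later.
    run(["user", "create", new_login, email,
         "--role=administrator", f"--display_name={display_name}"])

    # 3. Verify before deleting anything.
    new_user = json.loads(run(["user", "get", new_login,
                               "--fields=ID,user_login,roles",
                               "--format=json"]))
    if "administrator" not in new_user["roles"]:
        raise RuntimeError(
            f"{new_login} exists but is not an administrator; aborting")

    # 4. Reassign posts, pages and comments, then delete the old login.
    run(["user", "delete", old_login, f"--reassign={new_user['ID']}", "--yes"])

    # 5. Report who still holds the administrator role.
    return json.loads(run(["user", "list", "--role=administrator",
                           "--fields=ID,user_login,display_name",
                           "--format=json"]))


def set_public_display_name(login, nickname, run=run_wp):
    """Set the nickname and make it the name shown on posts and comments,
    the same change the profile screen's "Display name publicly as" makes."""
    run(["user", "update", login, f"--nickname={nickname}",
         f"--display_name={nickname}"])


if __name__ == "__main__":
    # usage: python replace_admin.py admin NEW_LOGIN EMAIL "Display Name"
    old, new, email, display = sys.argv[1:5]
    print(json.dumps(replace_admin_user(old, new, email, display), indent=2))
    set_public_display_name(new, display)
```

The backup file name, the order of steps and the role check are the whole point: if step 3 fails you still have both accounts and a fresh SQL dump, which is exactly the state you want to be in when something goes wrong.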
Ok, what are you waiting for?! Go update your info!
Or, if you would like a bit more motivation, read this website theft horror story.
Until we talk again,
Live Fully — Love Openly — Laugh Often — Leverage Your Brilliance — Connect Authentically — Get Your Message Out — Serve with Impact — Prosper Everyday
Hazel Thornton says
Sorry this happened to you, Stephanie. Thanks for sharing your experience with us!
Stephanie LH Calahan says
Thanks Hazel. When I learn my community learns!
Karine says
Thank you for sharing this with us! Sorry your site was hacked!
Thank you for the tip! I’m going to share this! 🙂 xx
http://tropicalcolours.blogspot.com.au/
Stephanie LH Calahan says
Karine – Thanks. Fortunately the damage was not as bad as it could have been. Thanks for the share!
Jenn says
THANK YOU! I never would have thought about any of this. I really appreciate you sharing it with us, so it doesn’t happen to others.
People have too much time on their hands to be doing that kind of nonsense!
Stephanie LH Calahan says
Jenn
You are most welcome. Glad you found value in what I shared.
Jenn says
Has anyone else been a little scared to hit that delete button on admin though? I’m shaking over it….
Stephanie LH Calahan says
Great question Jenn! I know that the first time that I went to hit delete, I was a bit nervous too.
Make a backup of your full site. That way you have security that you have everything in the odd event that something does not go well.
Every time that you make a change to your blog, you should make a backup.
OR, you can switch your blog posts BEFORE the delete.
Here is how:
1 — Go to your posts
2 — Select all of your posts (you will have to do this screen by screen)
3 — Under the pull down menu choose EDIT
4 — Click the APPLY button
5 — An edit screen will pop up. — Look at the field that says AUTHOR
6 — Select the new user name
7 — Click UPDATE
Then do the same thing for Pages.
This method takes longer, but may help you click that delete button.
Martia Nelson says
I really appreciate this article! I had no idea about this. I’m going to change my admin name and password pronto. Thank you!!!
Stephanie LH Calahan says
Martia – You are most welcome.
Holly Jahangiri says
Also, for any email accounts that you may be able to get password resets on, be sure to set up dual authentication so that even if someone hacks your password, they can’t CHANGE it and lock you out of it.
Same for your domain name – if you’re using GoDaddy, this is fairly simple to set up. To steal my domains (as was done to a friend of mine), you’d have to figure out my password AND have possession of my cell phone. And it’d still be a pain – believe me. I’ve locked myself out a time or two, and getting back in isn’t just a simple email link. 🙂
There are some good firewalls for WordPress, as well as the “Limit Login Attempts” plug-in (which, unless you know how common it is for people to try to hack your site, could cause you some sleepless nights at first).
Stephanie LH Calahan says
Holly –
Excellent additions. Thank you! I agree those plugins are a must and I totally agree about the dual login. I have that for everything Google as well.
Kimberly Eldredge says
Soooo, here’s a question:
My login name is NOT admin. (And never has been Admin) And I just changed it to not match the name the posts are posted under. I have an 8-digit alpha-numeric password.
Is this enough?
I’ve had a site hacked before and they added code to my header. I could ONLY see it in IE, which I don’t usually use. I found it by accident. So how can I KNOW if I’ve been hacked?
Holly Jahangiri says
Eight is good. Sixteen’s better. But sixteen’s a pain in the butt to remember and type. Change it periodically. That helps. But there’s also a plug-in that will tell you what hackers are trying to use when they attempt to log in, and that “Limit Login Attempts” is great because you can just stop them every time they goof and lock ’em out for the next six months if you really want to. (They’re likely using proxy servers, but it slows them down and they have to use a different one each time.)
Stephanie LH Calahan says
So sorry to hear you’ve been hacked too. Yuck! Eight is good for a password, but know that you’ll always have more security the more complex it is. Adding plugins that lock out attempts (like LoginLockdown) really helps too.
Tai Goodwin says
Thanks for this post! I just changed my set up. I’ve been hacked before and it’s not a fun thing.
Stephanie LH Calahan says
You’re welcome Tai. So sorry to hear you had that frustration.
William says
This is a great post with excellent practical advice on securing your site. I especially loved the suggestion of creating affirmation type, strong passwords. Thank you for this great content!
Stephanie LH Calahan says
William, welcome to the site. You are welcome. Glad you found value in what I posted. Hope you come back soon.
Audrey says
Stephanie,
Thank you so much for turning your negative into a positive for all of us. I do have one question, how can I tell if my site has been hacked? I read in the comments about the Plugin Limit Login Attempts but will this plugin tell me if I’ve already been hacked?
Thanks again for posting this.
~ Audrey
Stephanie LH Calahan says
Audrey, You’re welcome. I found out by seeing another user ID and some ads. I don’t have ads on my site, so it was obvious. Not sure of other ways.
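Audrey's question, how to tell whether it has already happened, deserves a checkable answer. What follows is an added example, not code from the post or from any plugin: it looks for the two traces the post describes, an administrator account you did not create and existing posts whose content now carries injected markup. The sample users and posts are constructed to mirror what the WordPress REST API returns from /wp-json/wp/v2/users?context=edit and /wp-json/wp/v2/posts?context=edit; `fetch_json` shows how to pull the live data with an application password (the site URL, login and password in the usage comment are placeholders), and the pattern list is an assumption of mine.

```python
"""Spot the two things the post's attacker left behind: an administrator
account you did not create, and existing pages whose content now carries
injected markup.

Added example, not part of the original post or of any plugin.  SAMPLE_USERS
and SAMPLE_POSTS are constructed to mirror the shapes the WordPress REST API
returns with context=edit; INJECTION_PATTERNS is an assumed starting list.
"""
import base64
import json
import re
import urllib.request

# Markup that does not belong in an ordinary blog post.  Assumed list.
INJECTION_PATTERNS = [
    r"<script\b", r"<iframe\b", r"display\s*:\s*none",
    r"eval\s*\(", r"base64_decode", r"unescape\s*\(",
]


def fetch_json(site, path, user, app_password):
    """GET a REST endpoint with HTTP Basic auth (WordPress application
    passwords).  Not exercised below; shown for live use."""
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    req = urllib.request.Request(f"{site}/wp-json/wp/v2/{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unexpected_admins(users, expected_logins):
    """Logins holding the administrator role that you did not create."""
    return [u["username"] for u in users
            if "administrator" in u.get("roles", [])
            and u["username"] not in expected_logins]


def injected_posts(posts):
    """Posts or pages whose content matches an injection pattern, with the
    matching snippets and the modification time so you can eyeball them."""
    hits = []
    for post in posts:
        body = post["content"].get("raw") or post["content"].get("rendered", "")
        found = [m.group(0) for pat in INJECTION_PATTERNS
                 for m in re.finditer(pat, body, re.IGNORECASE)]
        if found:
            hits.append({"id": post["id"], "title": post["title"]["rendered"],
                         "modified": post["modified"], "matches": found})
    return hits


def audit(users, posts, expected_logins):
    """Combine both checks into one report."""
    return {"unexpected_admins": unexpected_admins(users, expected_logins),
            "injected_posts": injected_posts(posts)}


# Constructed sample data in the REST API's context=edit shape.
SAMPLE_USERS = [
    {"id": 1, "username": "admin", "roles": ["administrator"]},
    {"id": 5, "username": "wp_support", "roles": ["administrator"]},
    {"id": 3, "username": "guestwriter", "roles": ["author"]},
]
SAMPLE_POSTS = [
    {"id": 10, "title": {"rendered": "Welcome to the telesummit"},
     "modified": "2013-02-03T10:12:00",
     "content": {"raw": "<p>Welcome! Sessions start Monday.</p>"}},
    {"id": 12, "title": {"rendered": "Speaker schedule"},
     "modified": "2013-05-19T03:44:21",
     "content": {"raw": "<p>Day one...</p>"
                 "<div style=\"display:none\">"
                 "<a href=\"http://example.com/pills\">cheap pills</a></div>"
                 "<script src=\"http://example.com/x.js\"></script>"}},
]

if __name__ == "__main__":
    # Live use (placeholders): also fetch "pages?context=edit&per_page=100".
    # users = fetch_json("https://example.com", "users?context=edit&per_page=100",
    #                    "LOGIN", "APP PASSWORD")
    # posts = fetch_json("https://example.com",
    #                    "posts?context=edit&per_page=100&orderby=modified",
    #                    "LOGIN", "APP PASSWORD")
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_POSTS, {"admin"}), indent=2))
```

On the constructed data the report names `wp_support` as an administrator nobody created and flags post 12, modified months after it was written, for its hidden link block and injected script tag: the same two signs the post describes finding by hand.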
Peggy Lee Hanson says
I use the free version of WordFence. They send notification each time someone logs into my site. Generally, that’s only me. However, the other day, I received notification from WordFence that they locked out someone with a specific IP address from the Czech Republic after 20 failed attempts to log in under the admin username. My password also includes allowed special characters, such as an exclamation mark (!) placed in an inconspicuous spot.
WordFence also lets me know when plug-ins are ready to update.
Steph, I really appreciate the steps you shared with regards as to how to delete the admin user and change the display of our name as we want it to be, rather than the secondary username.
Thank you!
Stephanie LH Calahan says
Hi Peggy Lee. Thanks for the added tip. Sounds like a helpful plugin. You're absolutely right on the special characters. Now, when I can use special characters, I also make sure they are in an easy spot to type from my iPhone.
Holly Jahangiri says
And next up… are you opening your site to spammers? 🙂