oh bother


Well, that’s a rubbish start to the day. Found out this morning — when the WordPress app wouldn’t let me in to see a new comment — that my website had been hacked. The last thing I did yesterday was press the ‘update’ button for a couple of plugins, so it seems quite likely that one of them was the culprit. Anyway, they are now deleted. I have also deleted all the old accounts and created new ones and followed various reset-everything instructions on the WordPress help pages, so I hope that’s it dealt with. However, if you notice anything nasty then please do let me know by comment, email, tweet, sky-writing… I would hate my site to be a nuisance to anyone (well, anyone but me!) The Ps are already quite fed up about it as their breakfast was half an hour late.

Off to the loom at last, thank goodness.

6 Responses

  1. Isabella

    Oh Cally, what a total pain. Can you confirm, did the pesky plug-ins come in through the WP site and via your main computer? Or do you work on an iPad or phone with an app? I would like to be forewarned of such impending disasters… just catastrophising here. A family trait.

    • Cally

      I should reassure you that — as far as I know — no plugins gained access to my website uninvited. I only have a small number installed (and now it is even smaller) but some have been around for a while, since I started using self-hosted WordPress before they developed the Jetpack in house. So in order to embed video, post to Twitter etc I had to install third-party plugins. On the assumption that WP’s own plugins will be more secure than third-party ones, I should probably update my site to get rid of more of them. Of course, the problems may have arisen from something else entirely… I’ll email you with the gory details rather than post them here!

  2. Meg

    My condolences. Oh, something I noticed; there are so many cats on this site!

    • Cally

      Do you think they are causing the problems? I wouldn’t put it past them! Anything that keeps the people from their concierge duties is Bad News.

  3. Tien

    Hi Cally,

    You might consider installing the Sucuri Sitecheck plugin – you can use it to scan your site for malware, which I do on a regular basis. Also, depending on your password, someone may have hacked into your system, so it may not have been the plugin(s). There are automated attacks that are typically trying to get at the account name “admin”, so getting rid of that account is a really good idea. I also have the plugin “Limit Login Attempts” that locks would-be hackers out for a set number of hours after four (you can adjust the number) unsuccessful attempts, and notifies me when they do it. It’s probably redundant if you just get rid of the admin account, though, since that’s usually the one the automated attackers try for.

    Also, a 12-character truly random password is nearly impossible to guess. I use the Lastpass plugin for Firefox (Chrome, Safari, IE, etc.) to generate and store strong passwords, a different one for every account – and of course I use a 12-character random password to protect that one, since all my passwords are stored there. This helps keep things secure since I don’t have to remember a bazillion unique 12-character passwords, one for every site I go to – I just need to remember one password and then I’m golden (and secure!).

    Sorry to hear you’ve been hacked!

    • Cally

      I’ve always made sure that my username and password are both weird and completely unique to my website so I think it’s unlikely that they would be hacked, though of course I couldn’t rule it out completely! I will look into the plugin you mention – that sounds very useful, thanks.
