WordPress Jacking: Did you change your password?

Have you ever had a password compromised? About two weeks ago, for unexplained reasons, one of my colleagues started having problems with her MSN Messenger chat ID. She'd log in and find that things had changed: her password, her picture, a bunch of stuff; messages had been sent, etc. Since this was accessed via a company account, we were pretty sure that the breach hadn't occurred on our premises. No further breach occurred on any other PC or user machine. We did, however, take it seriously. She managed to regain control of her account easily enough, but it got me thinking about my own blog security.

What if someone jacked your WordPress account? Prevention is the best cure, so here are several things that will make your online behaviour a little more secure.

1. When you create your WP login ID you get a randomly generated password for the administrator account. Keep that account for administration only: log in once and create a separate user for day-to-day management of your blog, with a name other than 'admin' and a role below Administrator. 'Editor' should be fine, since it has enough authority to write and edit posts most of the time. If that account's password is captured, for instance while you blog from a public machine, the attacker gets an Editor rather than an Administrator; for public machines you can use an even lower role.

2. Don't use the same password for your FTP account and your MySQL database user. Someone who breaks into one should not get the other for free. Bear in mind that wp-config.php holds the database password in clear text, so anyone who can read your files over FTP has it anyway; the separation mainly stops a database compromise from turning into file access, and it keeps the FTP password out of a file on disk.

3. Make sure your password includes numbers, and if it includes a word, make sure the word is not the whole password. Dictionary attacks crack single-word passwords quickly, and a single digit tacked onto the end of a word barely slows them down.

4. Email yourself backups of the database regularly, in case the files are hacked. How often depends on how much you post, but you need to do it. You can run a backup from Manage > Backup (make sure the backup plugin is enabled). Remember that a dump contains your users table, password hashes included, so treat the mailbox holding it as sensitive.

5. If you think a password has been compromised, log in to WP and to your FTP account and change the passwords as quickly as you can. The database password takes more work, because you must change it both at the database and in your wp-config.php file, and the blog cannot connect until the two match.

    1. WP passwords are changed in the Users section.
    2. Your database password is changed in the database management area of your hosting control panel. Then connect by FTP to your web folder and edit wp-config.php so that DB_PASSWORD matches. It can't be done from within WP.
    3. To change your FTP user password, log in to your hosting, find the User Management area and change it there. On Unix hosts with shell access you can also do it from the shell.

      To change your password, issue the command "passwd" at the UNIX command prompt. You will be prompted for your old password, then for your new password twice. The minimum length the host quotes is a floor, not a target; use considerably more.

      shell [12] passwd
      Old Password:
      Enter the new password (minimum of 5 characters)
      Please use a combination of upper and lower case letters and numbers.
      New Password:
      Re-enter new password:
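The database-password rotation from step 5, together with the password rules from step 3, as an added shell example that is not from the original post. It generates a new password (mixed case, digits, at least 12 characters, not a plain dictionary word with digits appended) and rewrites the DB_PASSWORD line in wp-config.php, keeping a backup of the old file. It assumes the standard single-quoted define() layout of wp-config.php; the file path, the sample config and the tiny word list are constructed for the demo. Changing the password on the MySQL user itself still has to be done in the host's database management area.

```shell
#!/bin/sh
# Added example (not from the original post): rotate a WordPress database
# password after a suspected compromise. Generates a new password meeting
# the advice in step 3 and rewrites DB_PASSWORD in wp-config.php.
# Assumes single-quoted define() lines as in wp-config-sample.php.
set -eu
LC_ALL=C; export LC_ALL

# Constructed stand-in for a real dictionary; a real check would use a
# word list such as /usr/share/dict/words.
WEAK_WORDS="password letmein wordpress admin qwerty welcome"

# Return 0 if the password is at least 12 chars, has upper- and lower-case
# letters and a digit, and is not just a weak word with digits appended.
password_is_strong() {
    local p="$1" base w
    [ "${#p}" -ge 12 ] || return 1
    case "$p" in *[0-9]*) ;; *) return 1 ;; esac
    case "$p" in *[a-z]*) ;; *) return 1 ;; esac
    case "$p" in *[A-Z]*) ;; *) return 1 ;; esac
    base="$(printf '%s' "$p" | tr 'A-Z' 'a-z' | sed 's/[0-9]*$//')"
    for w in $WEAK_WORDS; do
        [ "$base" = "$w" ] && return 1
    done
    return 0
}

# Generate an alphanumeric password of the given length (minimum 12) from
# /dev/urandom, retrying until it passes password_is_strong.
gen_password() {
    local len="${1:-20}" p
    [ "$len" -ge 12 ] || { echo "gen_password: use at least 12 characters" >&2; return 1; }
    while :; do
        p="$(head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-"$len")"
        [ "${#p}" -eq "$len" ] && password_is_strong "$p" && break
    done
    printf '%s\n' "$p"
}

# Print the current DB_PASSWORD value from a wp-config.php.
get_wp_db_password() {
    awk -F"'" 'index($0, "DB_PASSWORD") && $1 ~ /^[[:space:]]*define\(/ { print $4; exit }' "$1"
}

# Replace the DB_PASSWORD define in place, keeping a mode-600 backup of the
# old file. Only alphanumeric passwords are accepted, so the value can never
# break out of the PHP single-quoted string.
set_wp_db_password() {
    local cfg="$1" newpw="$2" tmp
    case "$newpw" in
        ''|*[!A-Za-z0-9]*) echo "set_wp_db_password: use A-Za-z0-9 only" >&2; return 1 ;;
    esac
    grep -q "define(.*'DB_PASSWORD'" "$cfg" || { echo "no DB_PASSWORD in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" && chmod 600 "$cfg.bak"
    tmp="$(mktemp)"
    # awk -v passes the value literally; with sed, '&' or '/' in the old or
    # new password would be taken as replacement syntax.
    awk -v pw="$newpw" -v q="'" '
        index($0, "DB_PASSWORD") && $1 ~ /^define\(/ {
            print "define(" q "DB_PASSWORD" q ", " q pw q ");"; next
        }
        { print }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # overwrite in place so owner and mode are unchanged
    rm -f "$tmp"
}

# Demo on a constructed wp-config.php in a temp directory, not a live site.
demo() {
    local d pw
    d="$(mktemp -d)"
    printf "<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'bloguser');\ndefine('DB_PASSWORD', 'hunter2');\n" > "$d/wp-config.php"
    pw="$(gen_password 20)"
    set_wp_db_password "$d/wp-config.php" "$pw"
    echo "old: $(get_wp_db_password "$d/wp-config.php.bak")"
    echo "new: $(get_wp_db_password "$d/wp-config.php")"
    rm -rf "$d"
}
demo
```

The script only handles the file side of the change. After running it against a real wp-config.php, set the same password on the database user in your hosting control panel, then load the blog: it will show a database connection error until the two match. Delete the .bak file once you have confirmed the site works, since it still holds the old password.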

Keep your blog secure, practice safe blogging and back up your files regularly! Happy Blogging!