Did you hear about the story this past week reporting that thousands of websites on WordPress.com were hacked? Perhaps upwards of 100,000 sites.
The story didn’t make much of a splash, partly because the hack that was performed wasn’t particularly nefarious: it installed a page on each site advertising a money-making scam, and hijacked the home page to point to that page.
To their credit, WordPress.com apparently recognized and contained the damage fairly quickly. But for the site owners it was at the very least unsettling – sort of like if you came home one day to find someone had moved all your living room furniture around. And it could have been a lot worse. The hackers could have deleted content, deleted users or broken the appearance of the sites.
WordPress.com has yet to respond publicly to this story. (Are they hoping it just dies quietly?) A better approach: use this incident as a way to send a cautionary message loud and clear to all WordPress.com site owners: pick your usernames and passwords carefully!
Apparently the hackers were able to do their damage by exploiting administrator accounts with weak passwords. Such a simple thing that so many site owners ignore!
It’s easy to find lists of the most-used (hence, the most hacked) passwords on the Internet. (Here’s one.) WordPress.com doesn’t allow you to select some of the entries on this list, but it does accept some of them. (I won’t tell you which ones – just don’t use them.) Worse still: when you install the core WordPress software on a privately hosted site, the installation process still allows you to select “admin” for the administrator username and “pass” as the password. Pick this combination and you might as well hang out a sign, “Hackers Welcome!”
The moral of this story: if you are a WordPress.com site owner, just about the only thing you can do within WordPress itself to positively impact your site’s security is to make sure that all accounts on your site with administrator or editorial privileges have very strong passwords.
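To make the "very strong passwords" advice concrete, here is an added example (not code from the post or from WordPress) of the kind of credential check a site owner or a custom registration hook could run before accepting a new administrator or editor account. It rejects well-known default usernames such as "admin", rejects passwords that appear on a common-password blocklist (including ones with a trivial suffix tacked on, like "password1!"), and enforces a minimum length and a rough entropy floor. The blocklist, default-username set, and thresholds are constructed for illustration and are not the list the post links to.

```python
import math
import re

# Constructed sample of a "most used passwords" list; a real deployment would
# load a much larger published list (the post links to one).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "pass",
    "letmein", "admin", "welcome", "monkey", "wordpress",
}

# Constructed: usernames that are widely known defaults and should never be
# used for a privileged account, since attackers try them first.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "wordpress"}

MIN_LENGTH = 12        # assumed policy: minimum password length
MIN_ENTROPY_BITS = 60  # assumed policy: minimum estimated entropy


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of character classes used).

    This overestimates for dictionary-based passwords, which is why the
    blocklist check below is applied in addition to it.
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII punctuation and space
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def check_credentials(username: str, password: str) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append(f"username '{username}' is a well-known default")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    else:
        # Catch "password1!" style variants: strip a trailing run of digits
        # and common symbols and re-check the remainder.
        stripped = re.sub(r"[0-9!@#$%^&*]+$", "", lowered)
        if stripped != lowered and stripped in COMMON_PASSWORDS:
            problems.append("password is a common password with a trivial suffix")

    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("password contains the username")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("password has low estimated entropy")
    return problems


if __name__ == "__main__":
    # The default combination the post warns about.
    for issue in check_credentials("admin", "pass"):
        print("admin/pass:", issue)
    # A long passphrase with a non-default username passes.
    print("editor_jane:", check_credentials("editor_jane", "correct horse battery staple 42"))
```

The check is deliberately layered: a length or entropy rule alone would accept "Password1!" because it mixes character classes, while the blocklist alone would miss it because of the suffix. Running both, and refusing the default "admin" username outright, closes the exact gap the post describes in the stock installer.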
Of course, site security is much more complicated than just passwords for WordPress dashboard accounts. (Your site is only as secure as the hardware and network you use to access your account.) And, if your WordPress site is privately hosted, there is a lot more you should worry about and control, security-wise. Stay tuned for more on that topic.
In the meantime, don’t delay: upgrade your passwords today!
As always... Keep Pressing!