I’ve just published news and tips on how to respond to the recent announcement and news about the Epsilon email theft on WordCast, “Epsilon Email Lists Breached: How to Protect Yourself.” I’ve included a list of the companies involved and tips on how to identify email phishing scams, deal and respond to them, and advice on prevention.
One of my email addresses might be in the list of more than 40 million (and growing) stolen. I have reward cards with some of the companies involved. Is yours?
A client called me with the news that she was registered with six of the accounts on the Epsilon email theft company list, and that her son might also be on the list as his school is listed among the companies losing their contact information to thieves. She wanted to know if her WordPress business blogs were at risk. By the end of the day, with further announcements of more companies added to the growing list of victims, three more clients called.
It’s a good question. Could your WordPress blog be at risk?
Is My WordPress Blog at Risk from the Epsilon Email Theft?
Her WordPress blogs would be at risk only if the thieves were determined and could make some connection between her site ownership and her contact information, and if she used the same email and wasn’t clever about her username and/or passwords.
The first premise is a huge leap. Yet, if they were really determined to squeeze out every last juice of evil and opportunity in the information in their hands, could they make that leap?
However – and this is a stretch – such lists don’t stay in the hands of one person. Such a list is worth serious money, often going to the highest bidder or someone with plans to market this the best way they can through the security theft criminal rings that plague us.
Down the road, say a year or two, the whole list or some part of it could fall into the hands of someone who had enough smarts to not seek viable and meaningful employment but is wicked enough to run it through a WHOIS database to match names with website owners. While it’s the stuff of fiction, anything is possible if one is determined enough.
Could they use your contact information, your name and email to gain access to your WordPress site? Would they want to? Probably not, but could they?
If your username is the same as your name, or your first name plus the initial of your last name, or some other easy combination, then with that and your email address they could trigger a password reset request. The reset link goes to your registered email address, so unless they had also hacked into your email account, the odds are they couldn’t get into your site specifically.
They may be able to use such information to gain access to your web server host by convincing them they are you with your contact information. Hopefully, web hosts will be smarter with handing out security access. Check with your site host on their privacy and security policies.
I can’t think of any other way they could use this information to directly break into your WordPress blog, but they could cause you trouble, if the trouble could bring them gain.
Odds are, not.
This doesn’t mean you are safe. I recommend you change the passwords for your WordPress blog and all access points to your site, and consider getting a new or blog-specific email address, just in case. At the very least, you might sleep better at night.
As a refresher, here are more ways you can protect yourself and your WordPress blog.
How to Protect Yourself and Your WordPress Blog
A few years ago WordPress had a phishing scam running with a malware fake site that used a spelling similar to WordPress.org. Take care to pay close attention to URLs before downloading, registering, signing up, or buying. Remember that if they use WordPress in their domain name, they are violating the WordPress trademark policy for domain names, so they should be neither trusted nor done business with.
I’ve seen a growing number of scams, phishing, and malware targeting WordPress, specifically WordPress Themes, Plugins, and out-of-date versions of WordPress. WordPress expert Otto of OttoPress investigated a WordPress malware hack last year, uncovering the insidious methods they use. Having had two of my sites and a few clients’ sites attacked in the past couple of years, trust me when I tell you that removing this evil is time consuming, time wasting, and very hard work. If you are infected and don’t have much technical experience with servers, databases, or WordPress, hire a professional. Honestly.
In addition to the tips I provided in the Epsilon Email Theft article, I’d like to offer a few more WordPress-centric tips.
- If it doesn’t come from a trusted source, don’t trust it.
- Update, update, update, updates. Don’t wait when a security release is announced. Update immediately. Update WordPress Plugins and Themes immediately.
- At a minimum, secure your WordPress blog by changing the administrator username to something complicated, changing the database table prefix from wp_ to a1b2c3_ or something more complex, and using a very strong password on the blog, database, FTP, cPanel, and any other access to your site.
- Check and verify you’re using the right file permissions on your WordPress files, images, documents, files, and throughout your entire server.
- Use Akismet to protect your WordPress blog comments, as well as on your forum and other publishing platforms. Akismet is not just for WordPress.
- Use WordPress Themes from the official WordPress Theme Directory and WordPress Plugins from the official WordPress Plugin Directory, or through sites well-respected and trusted.
- Don’t assume that because you paid for a WordPress Plugin or Theme it is safe or secure. Go with trusted sources only.
- Test and check your WordPress blog for security vulnerabilities and risks. WordPress Plugins can help, such as:
- Do I need to tell you to backup? Backup the database, your Theme(s), Plugins, images, and all files on the server. Backup regularly and consistently.
- Stay informed and educated. Keep up with the news and announcements about WordPress and related security issues. It isn’t fun, but it’s necessary in today’s world.
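The file-permission tip above is easier to act on with a script. This is an added example, not code from the original post or from the WordPress project; it assumes a common baseline (directories 755, regular files 644, wp-config.php no wider than 640, nothing world-writable) and checks a WordPress document root against it.

```shell
#!/bin/sh
# Permission audit for a WordPress document root (added example).
# Assumed baseline, not taken from the post: directories 755, regular
# files 644, wp-config.php no wider than 640, nothing world-writable.

# Print one line per finding; return 1 if anything was found, else 0.
audit_wp_perms() {
    root="$1"
    report=$( {
        # Directories must be exactly 755.
        find "$root" -type d ! -perm 755 \
            -exec printf 'DIR  %s: expected 755\n' {} \;
        # Regular files (other than wp-config.php) must be exactly 644.
        find "$root" -type f ! -name wp-config.php ! -perm 644 \
            -exec printf 'FILE %s: expected 644\n' {} \;
        # wp-config.php holds the database credentials: "other" must
        # have neither read (-004) nor write (-002) on it.
        find "$root" -maxdepth 1 -name wp-config.php \
            \( -perm -004 -o -perm -002 \) \
            -exec printf 'CONF %s: readable or writable by other\n' {} \;
        # Anything world-writable lets another account on a shared
        # host plant code in your site.
        find "$root" -perm -002 \
            -exec printf 'WW   %s: world-writable\n' {} \;
    } )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Number of findings, for use in scripts and cron jobs.
count_wp_perm_issues() {
    audit_wp_perms "$1" | grep -c . || true
}
```

A file that is both the wrong mode and world-writable is reported twice, once under each rule, so the count is of findings rather than of files.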
What NOT to do:
- Don’t add CAPTCHAs to your WordPress blog comments. They don’t work and never did.
- Do nothing to get in the way of your readers’ experience, no matter how tight your security is behind the scenes.
- Don’t share your private login or information through examples in text, screenshots, or video. If you do screencasts or take any visual images of the WordPress Administration Panels, your database, Cpanel, or similar, blur or black out any private information or data that could put your site, or someone’s information at risk.
- If someone or thing does you wrong, do not seek revenge or publicly expose them. Use the right methods for reporting abuse, phishing, spam or scams and keep it to yourself or educate without naming names or pointing fingers. Libel and defamation are on the rise, so don’t risk it.
I’ve written a lot about how to protect your WordPress blog, your email, your social network exposure, and your privacy in general. Each time, I dream it will be the last.
It is an exciting new world out there in the social web, but like in the real world, we have to play safe. I’d love to spend more time sharing the joyous side of blogging and stay away from the dark side of the blorce, so please, share the news, tips, and help others learn from day one how to stay safe on the web.
Related Articles and More Information
- Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme
- Protecting Your WordPress Blog
- WordPress Security Prevention, Reactions, and Scares « Lorelle on …
- WordPress Blogs and More Hacked by Google Redirects
- Warning: Fake WordPress Malicious Site
- Firewalling and Hack Proofing Your WordPress Blog
- Old WordPress Versions Under Attack
- Malware Found in WordPress Theme – Protect Yourself Now
- OttoPress – Anatomy of a WordPress Theme Malware Attack
- WordPress Theme Malware Prevention and Protection
- Downadup Worm Infection: Cyber Attacks on the Rise in 2009
- 80 Super Security Tips – PCMag.com
- Changing File Permissions « WordPress Codex
- Hardening WordPress « WordPress Codex
- WordPress Security Lockdown | Digging into WordPress
- How To Secure Your WordPress Blog – Martin Gardner
- How to Protect Your WordPress Blog From Getting Hacked | Onextrapixel – Showcasing Web Treats Without A Hitch
- How to protect your wordpress from being hacked? 14 tips and tricks to WordPress practical security