Skip navigation

Is Your WordPress Blog at Risk from the Epsilon Email Theft?

WordPress Security Tips and TechniquesI’ve just published news and tips on how to respond to the recent announcement and news about the Epsilon email theft on WordCast, “Epsilon Email Lists Breached: How to Protect Yourself.” I’ve included a list of the companies involved and tips on how to identify email phishing scams, deal and respond to them, and advice on prevention.

One of my email addresses might be in the list of more than 40 million (and growing) stolen. I’ve reward cards with some of them. Is yours?

A client called me with the news that she was registered with six of the accounts on the Epsilon email theft company list, and that her son might also be on the list as his school is listed among the companies losing their contact information to thieves. She wanted to know if her WordPress business blogs were at risk. By the end of the day, with further announcements of more companies added to the growing list of victims, three more clients called.

It’s a good question. Could you WordPress blog be at risk?

Is My WordPress Blog at Risk from the Epsilon Email Theft

Her WordPress blogs would be at risk only if the thieves were determined and could make some connection between her site ownership and her contact information, and if she used the same email and wasn’t clever about her username and/or passwords.

The first premise is a huge leap. Yet, if they were really determined to squeeze out every last juice of evil and opportunity in the information in their hands, could they make that leap?

Probably not.

However – and this is a stretch – such lists don’t stay in the hands of one person. Such a list is worth serious money, often going to the highest bidder or someone with plans to market this the best way they can through the security theft criminal rings that plague us.

Down the road, say a year or two, the whole list or some part of it could fall into the hands of someone who had enough smarts to not seek viable and meaningful employment but is wicked enough to run it through a WHOIS database to match names with website owners. While it’s the stuff of fiction, anything is possible if one is determined enough.

Could they use your contact information, your name and email to gain access to your WordPress site? Would they want to? Probably not, but could they?

If your username is the same as your name or your name and the first initial of your last name, or some easy combination, with that and your email address, they could get your password reset. Unless they had hacked into your email account, the odds are they couldn’t get into your site specifically.

They may be able to use such information to gain access to your web server host by convincing them they are you with your contact information. Hopefully, web hosts will be smarter with handing out security access. Check with your site host on their privacy and security policies.

I can’t think of any other way they could use this information to directly break into your WordPress blog, but they could cause you trouble, if the trouble could bring them gain.

Odds are, not.

This doesn’t mean you are safe. I recommend you change passwords to your WordPress blog and all access points to your site, and consider getting a new or blog specific email, just in case. At the very least, you might sleep better at night.

As a refresher, here are more ways you can protect yourself and your WordPress blog.

How to Protect Yourself and Your WordPress Blog

A few years ago WordPress had a phishing scam running with a malware fake site that used a similar spelling to WordPress.org. Take care to pay close attention to URLs before downloading, registering, signing up, or buying. Remember that if they use WordPress in their domain name, they are violating the WordPress trademark for domain names, thus not to be done business with nor trusted.

I’ve seen a growing number of scams, phishing, and malware with WordPress, specifically WordPress Themes, Plugins, and out-of-date versions of WordPress. WordPress expert, Otto of OttoPress investigated a WordPress malware hack last year, uncovering the insidious methods they use. Having had two of my sites and a few client’s attacked in the past couple years, trust me when I tell you that removing this evil is time consuming, time wasting, and very hard work. If you are infected and don’t have much technical experience with servers, databases, or WordPress, hire a professional. Honestly.

In addition to the tips I provided in the Epsilon Email Theft article, I’d like to offer a few more WordPress-centric tips.

  1. If it doesn’t come from a trusted source, don’t trust it.
  2. Update, update, update, updates. Don’t wait when a security release is announced. Update immediately. Update WordPress Plugins and Themes immediately.
  3. At a minimum, secure your WordPress blog by changing the administration name to something complicated, changing the database table prefix from wp- to a1b2c3- or more complex, and using a very strong password on the blog, database, FTP, cpanel, and any other access to your site.
  4. Check and verify you’re using the right file permissions on your WordPress files, images, documents, files, and throughout your entire server.
  5. Use to protect your WordPress blog comments, as well as on your forum and other publishing platforms. Akismet is not just for WordPress.
  6. Use WordPress Themes from the official WordPress Theme Directory and WordPress Plugins from the official WordPress Plugin Directory, or through sites well-respected and trusted.
  7. Don’t assume because you paid for a WordPress Plugin or Theme doesn’t mean it is safe nor secure. Go with trusted sources only.
  8. Test and check your WordPress blog for security vulnerabilities and risks. WordPress Plugins can help such as:
  9. Do I need to tell you to backup? Backup the database, your Theme(s), Plugins, images, and all files on the server. Backup regularly and consistently.
  10. Stay informed and educated. Keep up with the news and announcements about WordPress and related security issues. It isn’t fun, but it’s necessary in today’s world.

What NOT to do:
hide private and secure data in screenshots, images, and video

  • Don’t add CAPTCHAs to your WordPress blog comments. They don’t work and never did.
  • Do nothing to get in the way of your reader’s experience no matter how tight your security behind the scenes.
  • Don’t share your private login or information through examples in text, screenshots, or video. If you do screencasts or take any visual images of the WordPress Administration Panels, your database, Cpanel, or similar, blur or black out any private information or data that could put your site, or someone’s information at risk.
  • If someone or thing does you wrong, do not seek revenge or publicly expose them. Use the right methods for reporting abuse, phishing, spam or scams and keep it to yourself or educate without naming names or pointing fingers. Libel and defamation are on the rise, so don’t risk it.

I’ve written a lot about how to protect your WordPress blog, your email, your social network exposure, and your privacy in general. Each time, I dream it will be the last.

It is an exciting new world out there in the social web, but like in the real world, we have to play safe. I’d love to spend more time sharing the joyous side of blogging and stay away from the dark side of the blorce, so please, share the news, tips, and help others learn from day one how to stay safe on the web.

Related Articles and More Information

Feed on Lorelle on WordPress Subscribe Feedburner iconVia Feedburner Subscribe by Email

Copyright Lorelle VanFossen.

This entry was written by Lorelle VanFossen and posted on April 5, 2011 at 7:34 pm and filed under WordPress, WordPress News, WordPress Plugins, WordPress Themes, WordPress Tips with tags , , , , , , , , , , , , , , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

6 Comments

  1. Jonan Castillon
    Posted April 6, 2011 at 2:33 am | Permalink

    Thanks Lorelle for this valuable tip. I’ve just been through repairing my site after it was hacked. I did spend a lot to have it put in order. Oftentimes, my busy schedules make me neglect my blog security. My sincere gratefulness for sharing what you know. Thanks a lot!

    Reply
    • Lorelle VanFossen
      Posted April 6, 2011 at 5:33 pm | Permalink

      It has taken many years to get the hack on one of my sites cleaned up, which I will be blogging about soon, so I understand schedules. 😀 We all need some reminding once in a while. Thanks!

      Reply
  2. Nick
    Posted April 9, 2011 at 6:32 am | Permalink

    Wow thanks for a great article, this was the first that I have heard of it. I run a social network on the wordpress platform using buddypress and luckily have not had any problems. I do however have people joining using ”bots” and posting a lot of content on the network that is not really needed, so this keeps me busy. Thanks again will keep an eye on your blog for future posts.

    Nick

    Reply
  3. Abe
    Posted April 23, 2011 at 3:58 am | Permalink

    Lorelle – I loved the fact that the epsilon theft happened. reason is I feel vindicated. My own WP blogs have been hacked. The first time it happened was when I developed a habit of keeping backups =)

    No longer using AVG free, paid to keep the antivirus on =))

    your posts madam are great btw

    Reply
    • Lorelle VanFossen
      Posted April 23, 2011 at 1:08 pm | Permalink

      Thanks. Luckily, the Epsilon email theft appears to not impact WordPress blogs, as I predicted, but rumors are spreading that some people are seeing an increase in email hacks. Three friends who were on those lists were hacked, so you are right. Prevention is the best medicine.

      Reply
  4. Doug Eikermann
    Posted May 2, 2011 at 7:37 am | Permalink

    As my blogs get bigger and the time I’ve invested in them grows, security matters of all sorts are coming to the fore. Thanks for the warnings!

    Reply

5 Trackbacks/Pingbacks

  1. By wpmag.com - WordPress News, Themes, Tutorials, Plugins, Questions, ... on April 6, 2011 at 1:18 am

    Is Your WordPress Blog at Risk from the Epsilon Email Theft? « Lorelle on WordPress…

    I’ve just published news and tips on how to respond to the recent announcement and news about the Epsilon email theft on WordCast, “Epsilon Email Lists Breached: How to Protect Yourself.” I’ve included a list of the companies involved and tips on how t…

  2. By Storytelling Business Social Media Marketing PR & Technology Curated Stories April 6, 2011 on April 6, 2011 at 1:59 pm

    […] Is Your WordPress Blog at Risk from the Epsilon Email Theft? Published: April 5, 2011 Source: Lorelle on WordPress I’ve just published news and tips on how to respond to the recent announcement and news about the Epsilon email theft on WordCast, “Epsilon Email Lists Breached: How to Protect Yourself.” I’ve included… […]

  3. By Update WordPress Now: Reuters Hacked « Lorelle on WordPress on August 26, 2012 at 10:07 pm

    […] Is Your WordPress Blog at Risk from the Epsilon Email Theft? […]

  4. By The Brute-Force Password Attack on WordPress Sites « Lorelle on WordPress on April 22, 2013 at 9:49 pm

    […] Is Your WordPress Blog at Risk from the Epsilon Email Theft? […]

  5. By WordPress Anniversary: WordPress and Evil « Lorelle on WordPress on June 10, 2013 at 8:57 pm

    […] Is Your WordPress Blog at Risk from the Epsilon Email Theft? […]

Post a Comment to Doug Eikermann

Required fields are marked *
*
*