It is Halloween so we thought that you all might enjoy a good horror story. So, put the flashlight to your face, gather around the campfire and prepare to be spooked! This is what happens when you use weak passwords as well as default usernames and no encryption with your website…Bwahahaha!
Meet Jim!
Hi Jim!
Jim has just created a website for his business using WordPress. He is excited and he is hoping that his new website is going to take his business to the next level. All of his friends are telling him that the site looks great and he is even getting praise from his customers. Things seem good. With the ease of designing the site he wondered why he didn’t do this sooner.
Jim just finished designing his website
Designing a website can take a long time and Jim is understandably ready to take a break from all of the designing and creativity and just sit back, turn on the TV and enjoy a cold beverage. He has earned it, after all, but there is one thing that Jim should do before he does that: make the password for his WordPress account strong and secure.
WordPress and his hosting service told him from the start not to use weak passwords, but Jim didn’t listen. He has so many passwords to remember that he just uses the same one for everything: 12345678. It’s easier to remember and Jim can’t afford to get confused at work and waste time remembering what password goes with what website. It’s understandable, certainly; we’ve all done it. He’ll do it later when he has a bit more time and a lot less on his plate. After all, what are the odds a small fish like him will be hacked?
WordPress can be hacked just like any other site
The problem is that any WordPress account can be hacked, and one of the major culprits is easy-to-guess or weak passwords. Login credentials can be stolen easily, especially if they are sent in clear text (unencrypted) over the Internet. The credentials may be routed through 5 or 10 or more different locations before actually arriving at the host of the site, and that is 5 to 10 opportunities for someone to steal the username and/or password. It doesn’t help that Jim just used admin for his username, since that is the first username anyone would try. Of course a hacker can also simply guess the password as part of a brute force attack. There are common passwords that far too many people use, and that makes a brute force attack easy: the attacker tries those first. Those passwords are also weak passwords.
Jim also did not enable SSL on his site, so any information he transmits is not encrypted and is available to anyone using software like a sniffer that captures web traffic. He didn’t know how to and figured he would do it later when he had the time, despite his hosting company’s warnings. He wanted to get the site live first. Oops, now someone has his username and password.
Hacking a WordPress site can be more than just the site
Now the hacker has access to Jim’s website. That person can rip everything down. That person can put something up that embarrasses Jim and his business, like pornographic images or a message saying Jim’s business is bad. That person has control and can change the password so Jim cannot even log in (or they can create a backdoor for themselves). And since that person now has access to the server that the site is hosted on, they can have a look around it and see if there are any other sites that they can get hold of and mess with. Ransomware or a virus can be unleashed, along with many other malicious actions, creating a very unpleasant situation not only for Jim but for everyone else whose websites are hosted on the same server. Uh-oh!
A pleasant night turns into a nightmare
Jim thought he was going to have a nice relaxing night until one of his employees called asking what the heck was wrong with the website. When Jim went to log in he found that he could not get into his website. He sent an email to the people hosting his website, but they had already noticed suspicious activity on the server and were busy trying to deal with it. The number of people calling to ask just what the heck was wrong with his website kept adding up, and he had no answers. Jim’s evening went from pleasant to a nightmare in a matter of minutes.
Jim was finally able to get control of his website back at about 3 AM. By the time he got logged back in and put the website back into construction mode the damage was done. He did not get a wink of sleep that night while dealing with his hosting service. They were not happy with him and this time he listened. SSL was set up and he ditched weak passwords in favor of a much stronger one. He was so restless his wife made him get whatever sleep he could try to get on the couch. Suffice it to say he was a mess the next day at work when he should have been all smiles.
No relaxing for Jim
Jim was forced to completely rebuild the website, so hours of work that could have been his precious free time were wasted. He missed his son’s basketball game and his daughter’s swim meet, among many other things, and his wife was not happy about that. It was just as well, as he didn’t want to show his face because of the embarrassment. That of course all came before Jim realized that someone had been able to hack his email account and his Amazon account, since he used the same weak password for them all. Someone was able to go on a spending spree at Amazon before Jim even realized it. Now he has to spend hours on the phone with his credit card issuer and the credit bureau to clear it up, if it can even be cleared up.
Lock your business and lock your website
Your business represents you, and the WordPress site that represents your business should be treated with extreme care. Jim never left the safe at his business unlocked, that is common sense, but by using a default username as well as weak passwords he set himself up for a world of problems, both for himself and for others on the hosting server that he uses.
Don’t be Jim
The username and password are in some ways the only line of defense between a malicious actor and control of an account. Using the same weak password everywhere may be easier to remember, but it also opens up every other account you use it with to being hacked as well. With so much of our life being done over the Internet, all of our personal information is out there. Your bank account information is online, your credit card information is online, your social security information is online. Do everything you can to protect it!
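The post describes three mistakes that make brute force and credential reuse easy: a default username, a password from the common-password list, and the same password on every account. The check below, an added example that is not the blog's or Nicely Done Sites' code, shows what a login or password-change form could enforce before a credential like admin / 12345678 is ever accepted. The common-password list, default-username list and 12-character minimum are small constructed samples and assumptions for illustration; a real deployment would use a large breach-derived list.

```python
"""Credential hygiene check for a site login: flags default usernames, weak
and common passwords, and passwords reused on other accounts.
Added example, not the blog's code."""
import math
import string

# Constructed sample; a real check uses a large breach-derived list.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "qwerty", "admin",
    "letmein", "welcome", "abc123", "iloveyou", "111111",
}
# Usernames that attackers try first (assumed list).
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test", "wordpress"}
MIN_LENGTH = 12          # assumed policy minimum
MIN_ENTROPY_BITS = 50    # assumed policy minimum


def estimate_entropy_bits(password):
    """Upper-bound guess space: length * log2(size of the character pool used).
    This is the space a brute-force attacker must search if the password is
    random; a password on the common list is found far sooner than this."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # 32 symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def worst_case_crack_seconds(password, guesses_per_second=1000.0):
    """Time to exhaust the estimated guess space at a given rate
    (default 1000/s models an unthrottled online login form)."""
    return (2 ** estimate_entropy_bits(password)) / guesses_per_second


def check_credentials(username, password, reused_on=()):
    """Return a list of policy problems; an empty list means the credential is acceptable.
    reused_on: names of other accounts that share this password (e.g. from a password manager audit)."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("default username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("low estimated entropy")
    if reused_on:
        problems.append("reused on: " + ", ".join(reused_on))
    return problems


if __name__ == "__main__":
    # Jim's credential from the story, reused on his email and Amazon accounts.
    for p in check_credentials("admin", "12345678", reused_on=("email", "amazon")):
        print("REJECT:", p)
    print(f"brute-force bound for 12345678: {worst_case_crack_seconds('12345678') / 3600:.1f} hours")
    # A long, unique passphrase passes every check (constructed sample).
    print("problems:", check_credentials("jim_owner", "Tr0ub4dor&3-Rabbit!Stapler"))
```

The entropy figure is deliberately an upper bound: 12345678 looks like roughly 26 bits of guessing, about a day at 1000 guesses per second, but because it sits near the top of every common-password list it falls in the first handful of attempts. That is why the common-list check comes first and is not negotiable, and why the reuse check matters: one stolen password then unlocks every account Jim put it on.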
At Nicely Done Sites we take security seriously. Every WordPress site that we design has an SSL plugin to make the website secure and encrypt any traffic sent by the site. We also do not use default usernames and we create strong passwords for the users. With monthly maintenance agreements we also keep the websites that we design up to date to close any known security vulnerabilities. We want our hosting servers to be as secure as possible so that nothing like what happened to Jim should happen to our clients. We cannot do it all, you have to want to do it as well.