Holy Botnet, Batman! How do I change my admin username?


You may have heard about the massive security threat toward Joomla and WordPress sites. (If not WHERE HAVE YOU BEEN???) There are lots of posts around the web on the subject, but not a lot of answers to “well, how do I change my username from admin?” This post answers that question.

Answer 1: You don’t

Going to the Users tab in WordPress and clicking the ‘admin’ username will tell you you can’t change your username. This is because changing your username actually involves a lot more than just changing your username. There are posts and relations and metadata and all sorts of stuff that could get broken if you just up and changed your username. Most of that stuff is tied to your user ID and not your username, per se, but there is still enough stuff that would get broken if all you did was change the username, so WordPress doesn’t allow you to do it.

Answer 2: Let a plugin do it

There are various plugins (like this one) that can change your username. I still think it’s sketchy since I don’t know exactly what the plugin is doing and it could break stuff. But to each their own. Surely nothing could go horribly awry, right? It’s only your data, right?

Answer 3: Hack the database

Yeah, I’m not even going to start with this. Hacking the database, while feasible, is probably not a good idea.

Answer 4: Create a new user

Let’s call this the “right way” (even though right or wrong is somewhat subjective).

  1. Create a new user account (I won’t go through the steps of making a user account, I’ll assume you can figure it out. Hint: Start with Add User.) Name this user account something you’ll remember. Like your name. Or, if you want to be a little more mysterious you can use a nickname or your Twitter handle or something. Just as long as your name isn’t Ad Min and your nickname or Twitter handle isn’t Administrator, you’ll probably be all set. You will also need to use a different email address to create the account, but this can be changed after step 2. If you have a Gmail account you can add +something before the @ symbol to create a quick alias for your email address. So, something like [email protected] would be seen (by Gmail) as the same thing as ro[email protected] Or you can just use a fake address and change it in step 3.
  2. Once your new user is created delete your old, admin user. Log out of your ‘admin’ account and log in to your new admin user account you just created. Then go back to Users and hit the delete link.
    What? Delete?? you say? Yes. Delete. On the next screen you will be given a choice of which user to assign all the posts belonging to that user to, and at that point you can select your new user account.
  3. (Optional) If you want, you can now go back to your new user account and change the email address to your regular email address if you used a fake address or a temporary address.

IMPORTANT!!! Make sure you create an Administrator user!!! I don’t think WordPress will let you do something so dumb as deleting your one and only WordPress admin user, but then again, it might. Don’t let it. Make sure that the user account you’re creating is an Administrator. By default, it will be a Subscriber which will give you access to exactly nothing when you log in with that account.

That’s it. Like Gotham City, this doesn’t mean you are safe. There are always exploits, vulnerabilities, and a weak password will always be an invitation to hackers even if you’re using a non-admin username. But this will take care of the immediate threat. Want to harden your site even more? This post on WPDaily has some great tips. I also recommend the No Weak Passwords plugin which will disallow passwords if they are found on the most common passwords list. (You didn’t know there was a list? There is.)

Going Google-less

So, I’m still bothered by the Google thing.  I’m bothered by how reliant I am on Google’s products the same way I was bothered by how reliant I was on Microsoft’s products.  It happened so subtly that there was never a conscious decision to use Google products and services exclusively.  It wasn’t something where there was a “well, I can’t get this anywhere else” conversation or a “well it works better with this or that feature” conversation with myself.  Google just quietly (or not-so-quietly) put out their products, and we downloaded them and incorporated them into our lives.

The sheer amount of data that Google has of ours is staggering.  And that’s just the data we know about.  Seeing as how they “accidentally” picked up some private data from wifi networks on their Maps expeditions, it’s not out of the realm of possibility that they’ve got more on us than we know about.  And then there’s the stuff they have that we do know about, but don’t think about.  In The Big Switch, Nicholas Carr points out just how easy it is to identify people — and glean information about them that they would otherwise keep private — just from the types of searches we do, the city we live in, and our date of birth.  Besides being able to positively identify anyone with that information, think for a second about how much information a stranger would have about you if they knew every search query you ever typed into Google, whether it was for personal, academic, or business reasons.

So I’m going Google-less for a week, starting next Monday.  I want to see how easy or hard it is to weed Google out of my life as much as possible.  We got pissed off when Facebook started passing around our personal information but Google has now threatened to take on the FCC, a government agency, telling them “you have no jurisdiction over how we do things here” at the cost of small businesses and individuals worldwide.

Now, some things will be more difficult than others, for example, we use Google Checkout in our business (which came from boycotting PayPal), so there’s that.  And internally, we use the Google Talk protocol to send messages across the room (although I don’t actually use the client because I use Digsby, and other than that it’s just another Jabber server).  YouTube is so ubiquitous it would be somewhat difficult to avoid it entirely (though I’ll try) and this blog uses FeedBurner to handle the RSS feeds.  But in every other way I can think of I will try to avoid using Google at all costs and we’ll see where it takes me in a week.

I encourage anyone who reads this blog to do the same and to pass this message on.  It’s good to put things into perspective once in a while and find out just how dependent you are on certain services.  If Google went bankrupt tomorrow, what would you do?  And, possibly more importantly, what would happen with all your data?  What would happen if you went Google-less for a week?

iTunes Security: Worse than you thought?

On December 1, 2008, I woke up to find a series of disturbing emails in my inbox.  They were a pair of PayPal receipts and the corresponding iTunes store receipts for 2 purchases of $200 gift cards sent to anonymous Hotmail and Yahoo email addresses.  The problem was, I didn’t make the purchases.

The transactions took place around 5:30am while my wife, myself, and our son were in bed.  Seeing as how I couldn’t possibly have made the purchases, and how they were suspiciously paired one after another and sent to random and easy-to-obtain email addresses combined with the fact that, though I had linked my PayPal account to my iTunes account “just in case”, I had never actually made a purchase previously, it seemed obvious that I had been the victim of a scam and I could easily get the transaction reversed.

Not so.  Thus began one of the most frustrating and infuriating experiences of my life, leaving me with a foul taste for both PayPal and iTunes.

Contacting Apple yielded no help.

I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. As part of the investigation, their fraud department will contact the iTunes Store directly to resolve this issue.

They also recommended I change my password, something I did the second I discovered my account had been hacked.

Unfortunately, my financial institution wasn’t a financial institution at all.  It was PayPal.  And there’s a difference — although I was blind to it at the time.  In a normal scenario, you could contact your bank, your bank would put a stop payment on the transaction, launch an investigation, and if anything seemed out of place at all you’d get your money back.  PayPal doesn’t work that way.  They aren’t a bank and don’t operate by the same rules as banks do.  Their only concern and primary objective is transferring money from one bank to another and, in that sense, their job was done.  Apparently, my (presumably valid) claim that it was someone else who authorized the money transfer from PayPal to iTunes didn’t matter to them.  I had linked my PayPal account to iTunes, and that stated intent (despite having gone unused) made me liable for any transactions, including fraudulent ones.

I fought the issue for a week.  I had had just under $200 in my PayPal balance.  The remainder was pulled from my bank account, which I was able to get refunded easily (without even having to talk to anyone) from my bank.  (PayPal held firm even after I pointed out that the investigation my bank had done saw enough reason to refund the money.)  I called a hotshot New York criminal defense lawyer associate for advice. (File a police report, take it up in small claims court if I want to pursue it. I didn’t.)  Ultimately defeated, I let it drop.  If I wanted to take PayPal to court, I could force them to hand over the documents claiming to prove that it was me (or at least my IP address) that had initiated the transaction.  I had already lost enough sleep over the issue; I succeeded in getting the cash that was taken from our bank back, and the rest, I felt, was the cost of two important lessons learned:

1) PayPal is not a bank.  As benign as they appear, they are a business.  A large, thriving business that makes money from you on every transaction you make through them.  That gives them huge capital without a large overhead since their costs of operating are minimal.

2) PayPal will, almost invariably, side with the seller as the default rule.  Even in the case of an eBay dispute, they will start by assuming the seller is correct and the burden of proof is on the buyer and potential victim in the scenario.

But one important lesson still went missed, even as I was removing my PayPal linkage from everything I could find, changing the password and email address on everything that matched what I had entered into my profile on iTunes, and finding alternative checkout systems to PayPal for my design business (we primarily use Google Checkout now).  That was: how secure is iTunes, anyway?  I had assumed my experience was an isolated incident, that I was just some poor victim most likely in a series of attacks that occurred that morning across multiple accounts.

According to this article, I was wrong.

It turns out, there have been a lot of people swindled on iTunes.  The most recent security breach artificially bumped up several Vietnamese books into the top 10 list by what looks to be authorizing the purchase without the buyer’s knowledge (or consent).  But this is only the latest scam.  Both the Mashable article and the comments on the article itself reveal countless others who have been swindled in similar ways — mysterious transactions that took place without their knowledge.  How is it that arguably the largest retailer for digital downloads has such shoddy security that accounts are routinely infiltrated and exploited for profit?  I was surprised to learn that, not only was I not alone in having my iTunes account hacked into (something I blamed myself for — my password wasn’t altogether secure and was the same one I’d been using for years, a combination of numbers and letters that was a combination of the AOL profile my dad had made me and the numeric code at the end of my username from the old telnet BBS systems I frequented back in the early days), but my $400 wasn’t the most that had been robbed (the first comment I saw on the Mashable post was from someone who lost over $550).

The most sound advice was given by another commenter: don’t use your debit card, don’t enter financial information at all, in fact; use only prepaid cards and remove them when you’re done.  It seems paranoid, but if it’s that easy to get into users’ accounts, wouldn’t you rather be safe than sorry?  From that perspective, it’s easy to imagine legions of opportunistic wanna-be hackers trying to infiltrate the mighty iTunes fortress and the treasures of nubile user accounts with endless caches of funds in the form of credit card info and PayPal accounts just waiting to be plundered.  The question is not “is my information safe?” but rather “how long until my information is compromised?”  With so little help from Apple and PayPal, it doesn’t hurt to be paranoid when your money is at stake.

____________________________________

Chris Reynolds is one half of the design team at Arcane Palette Creative Design. He writes in his personal blog, jazzsequence, on subjects like music, technology and social media and shares links, videos, and posts various personal music and writing projects. You can also follow him on Twitter.

web site security

can we really be that surprised by a hosting company that uses sex to sell its services?

i was listening to the replay of the teleconference hosted by WPSecurityLock (with special guests from GoDaddy) in light of the recent wave of website hacks that affected hundreds of sites not once, but twice.  it was actually when they were talking to a customer (one who had been hit twice) that a concern was raised in my mind.  the exchange went something like this:

a GoDaddy representative was on the line talking about ways to protect your site against attack, emphasizing the importance of keeping your software (be it WordPress, Joomla!, or whatever) updated.  — note: for the record, this seems like a lame cop-out.  yes, it’s great to keep your software updated, but when the attack is indiscriminately affecting php files — whether they belong to a known open source software or are completely custom-coded — i don’t see how this has any relevance on the situation at hand.  it should be noted that neither GoDaddy nor WPSecurityLock have been able to identify how intruders were able to access users’ sites and change the file permissions which allowed them to inject malicious code into the php files.  software version doesn’t really have any bearing whatsoever on that. —

after he said his piece, Regina from WPSecurityLock spoke with a customer who suffered in the first wave of attacks — actually the first client that they (WPSecurityLock) fixed, and then fixed again when the second wave hit.  she started talking about how, after the second intrusion, she noticed that all the files were left completely open in terms of file permissions (i.e. 777) and that she didn’t think he would have installed it that way.  he expressed gratitude for having them on his team because he admitted that he had absolutely no idea what she was talking about.

and that’s the problem isn’t it?

GoDaddy and other web hosts are saying you are responsible for your files.  you should know what goes into a WordPress installation so you can identify anything weird that’s not part of it.  you are expected to be familiar with FTP and changing file permissions.  but i think that most people hear “file permissions” and it’s like you’re suddenly speaking like the teachers in Charlie Brown: wah wah, wah-wah wah-wah wah.

godaddy: drunk on the job or just intoxicated by mon--er, success?

you need to speak to the lowest common denominator here.  if you’re going to provide 1-click installations for any software at all, you have to make sure that when your auto-installer does its job it’s not leaving customers open to attack.  because no one that’s going to use a 1-click installer is going to know anything about FTP or chmod, that’s why they used the installer.  and even some people clever enough to know their way around FTP and WordPress’ patented 5-minute install might not know the proper file permissions for their site and just use 777 because it works.  we are lazy.  we use the same single password for everything we do online.  we can’t be expected by our service providers to be educated on proper security practices and safety procedures.  that’s what the geeks with the smelly t-shirts and glasses that make them look bug-eyed are for (although i wrote about some ways to help make your website more secure on arcane palette on tuesday).  no, it shouldn’t be the webhost’s responsibility to wipe their customers’ butt for them when it comes to securing their site, but neither do i think it’s fair that hosts honestly expect otherwise.  especially if one infected site on a server can spread to any or all the other sites hosted on the same shared server which seems like it was the case for both GoDaddy and Network Solutions.

wait, websites?  i just came for the porn

it would be great if everyone remembered to change permissions on their files after installing software like WordPress.  it would be great if everyone knew and used the special extra security tricks WPSecurityLock mentions on the call, on their blog and in their free e-book.  but, i’m looking at you guys here, webhosts: the files may belong to your customers but they’re on your servers.  they, apparently, affect all the other sites on your servers (or have the potential to, anyway).  and you can point the finger everywhere except yourself as much as you like — you can say it’s the customer’s responsibility to keep proper permissions, you can say that old software has known exploits that can be used by hackers and that upgrading your software can even leave artifacts behind from older versions (so that, even if you are upgrading your software, you still aren’t safe) — but none of those things are going to make you any friends.  none of those things are going to make you into the good guy.  you know what is going to make you the good guy?  thinking for your customers.  taking care of the situation before it becomes a situation.  taking the role of assigning and/or correcting the file and directory permissions on a website out of the customer’s hands and taking responsibility for that yourself.  surely, by now, webhosts, you’ve figured out that people aren’t going to do something just because they’re told to do it.  surely you don’t really expect people to walk away from these widespread hacks and say “gee, i guess i should be more careful next time.”  unless that’s really part of the plan: give the user the responsibility, then when the shit hits the fan you can say “well, it wasn’t really our fault, but we can have one of our security analysts fix it for you for $150.”

wait.  nevermind.  i see the business model now.

i wish i could say that i made these pictures up, but this is actually how godaddy markets themselves

Keeping your website safe

Once upon a time, a long time ago, you could buy a new computer and not have to worry about what type of virus scan software you needed to load onto it.  Firewalls were things only extreme geeks and intrepid hackers knew anything about.  Adware, spyware and malware weren’t even words.  Those days are so long ago that high quality, free virus scan software has not only become available, but ubiquitous, highly rated and able to hold its own against the big guys (see: Avast! and AVG Free vs. Norton and McAfee).

Just as the innocent days before antivirus software was a necessity are long gone, so too are the days in which website security is something to be considered only by paranoids, security professionals and government sites.  In just the last month we’ve seen WordPress sites on Network Solutions hacked (by gaining access to the database via an improperly secured wp-config.php file), GoDaddy sites hacked and then hacked again (infiltrating and embedding code into any php file — the access point of which is still, as of this writing, unknown), and then Network Solutions sites hacked again (this time by a different method, creating or editing php.ini and .htaccess files in the cgi-bin folder) including several U.S. Treasury sites.

Many of these hacks redirect the visitor to a malicious website which installs malware onto their computer which can then be used to harvest all kinds of information about the user.  Or maybe they inject your computer with malicious software and then direct you to a site that sells you antivirus software (which could, potentially, just be a cover for more data-mining spyware).  Code is indiscriminate — it doesn’t care if your site is high traffic or low traffic.  The attacks against GoDaddy and Network Solutions aren’t necessarily indications that those two webhosts have inferior security practices but rather that someone was able to find a workaround or a backdoor or had some kind of insight into the data infrastructure of those hosts which allowed them to run a script across all the sites hosted by those companies.

The point is, just because you haven’t been affected yet doesn’t mean you are safe.  It’s always better to be one step ahead of the bad guys.  Here are some ways you can keep your website, and the files it contains, safe:

File and Directory Permissions

This is the biggie.  It was due to bad file permissions that hackers were able to gain access to Network Solutions users’ databases last month.  This is also probably the most confusing safety precaution and the one most likely to accidentally render your site completely unusable (at least temporarily).  File permissions that are too permissive will allow just anyone to peek at your files, some of which may have sensitive or secure data in them.  Permissions that are too restrictive can render your site unusable by you or visitors or both.

To make things even more confusing, server permissions are generally referred to by arcane numerical codes or a string of letters, making them hard to understand for a lay person.  Take the time to familiarize yourself with what they mean, it could be the difference between your site remaining secure and having to clean hundreds of php files manually, restore from a backup, reinstall your software or risk losing all your data.

You may see permissions written out like this: drwxr-xr-x.  To a normal human being that just looks like gibberish.  To a server (and an admin or geek familiar with the lingo) the string means that: what you are looking at is a directory (drwxr-xr-x), the owner of the directory (generally the webserver or your own user account) has full read, write and execute permissions for the directory and the files contained within (drwxr-xr-x), the group (generally a server group for clients, or else an application group defined on the server) has read and execute permissions (drwxr-xr-x), and everyone else also has read and execute permissions (drwxr-xr-x).  This directory would be said to have 755 permissions:

   7      5     5
 user   group  world
 r+w+x  r+x    r+x
 4+2+1  4+0+1  4+0+1   = 755

Generally speaking, this is the default setting for most hosting environments.  And, generally speaking, it has the correct permissions to enable 99.99% of web-based applications to run correctly.  However, it does not have an ideal level of protection for anything you want to keep safe.  When WordPress sites on Network Solutions were attacked, it was pointed out that optimal permissions for the wp-config.php file should be 640 or, if that didn’t work with your hosting environment, 644 (in both cases, the execute permission is removed from all user groups — wp-config.php is a file that is read by WordPress, it is not executed, so there’s no need for the x), and in the former case, all permissions are removed from the “world” group, giving only you and your user group read permission (and only you have the ability to rewrite the file).  In most cases, you can safely increase your file permissions to 644, although typically 755 is accepted for directory permissions.
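To make the arithmetic in the table above concrete, here is an added example (my own code, not from the original post): it converts the drwxr-xr-x style strings into the three-digit numbers and back, and runs a constructed directory listing through the post’s recommendations (640 or 644 for wp-config.php, 644 for other files, 755 for directories, and a red flag for anything that is 777 / world-writable). The listing and the verdict wording are my assumptions.

```python
from typing import List, Tuple


def symbolic_to_octal(mode: str) -> str:
    """'drwxr-xr-x' -> '755': first char is the type, then three rwx triplets."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    digits = []
    for triplet in (mode[1:4], mode[4:7], mode[7:10]):  # user, group, world
        value = 0
        if triplet[0] == "r":
            value += 4          # read    = 4
        if triplet[1] == "w":
            value += 2          # write   = 2
        if triplet[2] in "xst":
            value += 1          # execute = 1 (s and t also imply execute)
        digits.append(str(value))
    return "".join(digits)      # 4+2+1, 4+0+1, 4+0+1 -> "755"


def octal_to_symbolic(octal: str, is_dir: bool = False) -> str:
    """'644' -> '-rw-r--r--' (leading 'd' when is_dir is True)."""
    out = "d" if is_dir else "-"
    for digit in octal:
        n = int(digit)
        out += ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    return out


def audit_entry(mode: str, name: str) -> Tuple[str, str]:
    """Return (octal, verdict) for one listing entry, per the post's recommendations."""
    octal = symbolic_to_octal(mode)
    if int(octal[2]) & 2:
        # 777 / 666 etc.: every account on a shared server can rewrite the file
        return octal, "DANGER: world-writable; anyone on the server can rewrite it"
    if mode[0] == "d":
        return octal, "ok" if octal == "755" else "review: directories are typically 755"
    if name == "wp-config.php":
        if octal == "640":
            return octal, "ok: recommended (only you and your group can read it)"
        if octal == "644":
            return octal, "ok: acceptable fallback"
        return octal, "review: wp-config.php should be 640 (or 644)"
    if any(int(d) & 1 for d in octal):
        return octal, "review: this file is read, not executed; 644 is enough"
    return octal, "ok"


# Constructed sample listing in 'mode name' form, as you would read it off ls -l
# or an FTP client. The two 777 entries mirror the problem the post describes.
SAMPLE_LISTING = """\
drwxr-xr-x wp-content
-rw-r----- wp-config.php
-rw-r--r-- index.php
drwxrwxrwx uploads
-rwxrwxrwx functions.php
-rwxr-xr-x wp-config.php.bak
"""


def audit_listing(listing: str) -> List[Tuple[str, str, str]]:
    """Parse the listing into (name, octal, verdict) tuples."""
    results = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, name = line.split(maxsplit=1)
        octal, verdict = audit_entry(mode, name)
        results.append((name, octal, verdict))
    return results


if __name__ == "__main__":
    for name, octal, verdict in audit_listing(SAMPLE_LISTING):
        print(f"{octal}  {name:<20} {verdict}")
```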

Great.  So what does that mean?

Permissions can be changed in a few different ways.  They can be done from a commandline via an SSH connection to your server, but most people probably don’t do it this way.  Permissions can be changed in an FTP program which you would have used if you uploaded a custom theme to your WordPress site or were responsible for setting up your website.  Permissions can also, often, be modified through the built-in, web-based file manager that many web hosts offer from their admin panel.  If you are using an FTP program like FileZilla, most of the time the option to change file permissions will be available upon a right-click of the file or folder you want to change permissions on, but always refer to available documentation if you have questions.  If you weren’t responsible for setting up your website and you don’t know what your file permissions are set to, contact your webmaster or designer and find out.  If they are too low, request that they change the permissions to something more secure.  Any designer worth their salt should be able to do this for you if they aren’t already (and if they can’t, you can always contact us!).

Learn more about changing file permissions.

Secure Passwords! (or: guest1234 is not a secure password…)

Now that we’ve covered the hard part (and, trust me, permissions is the hard part), we move on to the easier and more manageable stuff.  Like passwords.

You’ve been told this a million times: keep secure passwords.  You’ve been told to “keep your passwords in a secure place”.  You may even have been told never to write your passwords down (on paper or, especially not in a file on your computer).  And you’re wondering how the hell all of these things work together.  Are you really expected to memorize 20 different passwords of 8-16 alphanumeric characters and symbols?

It’s tough.  And most of us use shorthand — one password fits all, and to hell with security.

This is, increasingly, a bad idea.  Actually, this was a bad idea five years ago.  Now it’s a horrible idea.

Face it, we’re going to have to deal with this at some point and it’s better now, when your site is fine, than later, after your site has been broken into because your password for your WordPress backend, FTP and database were all “thomas13”.

There are a couple of different methods for creating secure passwords.  One is a configurable password generator.  There are various applications you can download, websites you can go to, but the one I’m most familiar with is a plugin for Firefox.  The benefit of using a password generator is it’s completely random, therefore more secure and harder to crack, and in many cases you can specify special characters or not, numbers or not, case sensitive or not — however, the more “nots” you have in the equation, the less secure your password is.  (Even so, “SLKJJHE330” is still more secure than the day you were born and your son’s first name.  Ed. note: that’s not the day I was born or my son’s first name.  Just saying…)

What we used to do when I worked in IT and we made custom Windows install disks or used passwords for different types of apps or servers was take a word or phrase and translate it into L33+ [email protected] (“leet speak”).  Something like [email protected] is easy (easier anyway) to remember and much more secure.  Even better is the fact that misspelling words makes the password more secure!  (Presuming you can remember how you misspelled it…) You still need to be careful the kinds of things you use and try to make it not too obvious.  For example, if you run a blog about your kids, and their names are Antonio and Marie, you probably don’t want to use @nt0n10&[email protected] as your password.  While you could randomize the characters and symbols to change it up, it’s best to stay away from anything too personal as a rule.

Another method I’ve heard of people using is to take a word or phrase and inject symbols and numbers in the middle.  Today’s date is 5/4/2010, and I like Battlestar Galactica, so maybe my password could be [email protected]  Or rather than using today’s date, you could use your anniversary, your father’s birthday, the day you graduated college, anything that isn’t posted on your Facebook profile would probably work best in terms of security.
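An added example (my own code, not from the original post) that puts numbers on the advice above: how many bits of strength a configurable generator gives for each combination of “nots”, how little a leet-speak rewrite adds on top of a word an attacker can guess, and a check against a common-passwords list of the kind the No Weak Passwords plugin consults. The symbol set, the leet table and the (constructed, tiny) common-passwords list are my assumptions.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set for the generator

# Constructed stand-in for a "most common passwords" list; the real ones run
# to thousands of entries. Matching is case-insensitive.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "admin",
    "welcome", "guest1234", "thomas13",
}


def charset(symbols: bool = True, digits: bool = True, mixed_case: bool = True) -> str:
    """The alphabet the generator draws from for a given set of options."""
    chars = string.ascii_lowercase
    if mixed_case:
        chars += string.ascii_uppercase
    if digits:
        chars += string.digits
    if symbols:
        chars += SYMBOLS
    return chars


def entropy_bits(length: int, symbols=True, digits=True, mixed_case=True) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).
    Every option you switch off shrinks the alphabet and so the bits."""
    return length * math.log2(len(charset(symbols, digits, mixed_case)))


def generate(length: int = 12, symbols=True, digits=True, mixed_case=True) -> str:
    """Uniformly random password; uses the secrets module, not random."""
    chars = charset(symbols, digits, mixed_case)
    return "".join(secrets.choice(chars) for _ in range(length))


def is_common(password: str) -> bool:
    """True if the password (ignoring case) is on the common-passwords list."""
    return password.lower() in COMMON_PASSWORDS


# Assumed leet-speak table: each letter and the substitutions someone might use.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7+",
        "l": "1", "b": "8", "g": "9"}


def leet_extra_bits(word: str) -> float:
    """Upper bound on what leet substitution adds over the plain word. If the
    attacker already guesses the word, each substitutable letter only has
    (choices + 1) options, so the gain is the sum of log2(choices + 1)."""
    return sum(math.log2(len(LEET[c]) + 1) for c in word.lower() if c in LEET)


if __name__ == "__main__":
    for opts in ((True, True, True), (False, True, True),
                 (False, False, True), (False, False, False)):
        print(f"symbols={opts[0]!s:5} digits={opts[1]!s:5} mixed_case={opts[2]!s:5}"
              f" -> {entropy_bits(12, *opts):.1f} bits for 12 chars")
    print("leet rewrite of 'security' adds at most", round(leet_extra_bits("security"), 1), "bits")
    print("guest1234 on the common list:", is_common("guest1234"))
    print("example generated password:", generate(14))
```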

How do you keep them all straight, then?

So what if you have 5 different sites, each with a unique admin password, each with a unique database password, all hosted on the same server (so, thankfully only one FTP password, but that is different than everything else), how do you remember what’s what?  Well, you could always use the post-it method.  You could store passwords as “Notes” in Outlook or — gasp — save them in a document.  None of these are particularly great, though.  If your house was broken into, someone could easily grab all your post-its and gain access to your bank account, PayPal account, anything you use a password for.  Likewise, if your computer was ever compromised, someone could find the file that contained your passwords.  Anyone who was awake ten years ago or so would remember Microsoft Office “macro” viruses, which would enter through Outlook and then use the connectedness of the Office suite to harvest email addresses and other information from emails, your contact list, Word documents, etc, so if your passwords were stored in a Microsoft Word document, it is possible that all your passwords could be stolen by a particularly clever virus.

The solution?  Well, probably there’s some risk involved with what I’m about to suggest, but there are password managers, often protected by a password themselves, that store all of your various passwords for applications and/or websites you go to.  Many of them are built as Firefox plugins (and presumably Chrome and IE have equivalents out there as well, although I haven’t looked…yet).  This way, all of your sites can have a completely unique, completely secure password and you only need to know the one password you use to access them.  Part of me feels like even having a program like that is like putting the world’s largest diamond in a glass case and making it the centerpiece of a museum exhibit — it’s just sitting there screaming “look at me” — but, assuming you have a secure enough password to access the password manager, and — even better — change it regularly, you’ll be fairly safe, and it may be the best option in light of these new web security concerns.

Keep in mind that to be completely secure, you want your database password, FTP password, and any passwords you use to log onto your site, or any other site, to be unique.  Using the same password means that a hacker just needs to figure out one to be able to access all of your sensitive data, and you don’t want that.

Be Prepared

So what if your site is hacked and you have no way to recover your data without trashing everything and starting over fresh?

Well, I’m sure you’ve been keeping backups, right?  You haven’t?  Oh, well in that case, you’re in trouble…

A lot of hosts will automatically create backups of all your data.  The timeframe in which the snapshots take place can range from every day to every week to every month.  Even so, it’s not safe to assume your host will have a backup — not all of them do — and even if they do have a backup, it would be beneficial to keep backups yourself, just in case your backup is more recent than theirs, or their servers go down and their backups are lost.

Within WordPress, this can be taken care of by using some highly useful plugins.  WordPress Database Backup is what we use to keep backup copies of the database, although there are others, such as WP-DBManager recommended by WPSecurityLock.  Even if you aren’t a code jockey, able to restore a database backup in your sleep, that doesn’t mean you shouldn’t keep database backups just in case you might need a code jockey to restore your database for you.  Both allow you to schedule backups and have them stored on the server or sent to you in an email.

WordPress itself can always be downloaded from WordPress.org, and that will always be a clean copy of the most recent version.  If you did need to trash everything and start over, that would be the best place to get a clean copy of WordPress.  However, what about your plugins and your WordPress theme?  WordPress Backup backs up your uploads folder, current theme and plugins directory.  Like the database backups, it can be scheduled to back up to the server or email you a copy.  This way, if your site was infected, you would have clean copies of all the files you’d need to replace to get rid of the virus or malware infestation.

You may also want to consider hiding your site as a WordPress site.  While obfuscation is not necessarily a means of securing your site — especially if that’s the only thing you’re doing — it might not hurt.  A hacker who knows how to get into WordPress could be diverted if, for example, your wp-login.php page was moved to a different address.  Alex Denning of WPShout has some great suggestions of ways to confound potential hackers.

If you don’t have a WordPress site, never fear.  Most popular CMS software that has any kind of development community at all should have comparable equivalents of all of the above plugins.  If not, consider talking to your webhost or hiring a programmer to build a script to backup your database and/or your files and send them in an email.  Neither should be particularly difficult and could be run in a cron job (presumably they’d know what that means even if you don’t).
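As an added example of the kind of script mentioned above (this is not the post's own code or any plugin's), here is a POSIX shell script that dumps the database, archives wp-content, rotates old archives and emails a receipt from a cron job. It assumes a hypothetical layout where WP_ROOT contains wp-config.php and wp-content, that DB_HOST is a plain hostname, and that mysqldump and a mail command are installed.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly WordPress backup script.
# Assumptions (hypothetical): WP_ROOT holds wp-config.php and wp-content, mysqldump
# and a `mail` command are installed, and BACKUP_DIR lies outside the web root.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
MAIL_TO="${MAIL_TO:-admin@example.com}"   # placeholder address
KEEP_DAYS="${KEEP_DAYS:-14}"

# Read define('NAME', 'value') from wp-config.php so the database password never
# has to be copied into this script or the crontab.
wp_config_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Timestamped archive name, e.g. wp-20240101-0300.tar.gz
backup_name() { printf 'wp-%s.tar.gz' "$(date +%Y%m%d-%H%M)"; }

# Dump the database named in $1 (wp-config.php) into the SQL file $2.
dump_db() {
    db="$(wp_config_value "$1" DB_NAME)"; user="$(wp_config_value "$1" DB_USER)"
    host="$(wp_config_value "$1" DB_HOST)"
    # MYSQL_PWD keeps the password off the process list, unlike -p on the command line.
    MYSQL_PWD="$(wp_config_value "$1" DB_PASSWORD)" \
        mysqldump --single-transaction -h "$host" -u "$user" "$db" > "$2"
}

# Bundle the SQL dump ($2) with the wp-content directory under $1 into archive $3.
archive_files() {
    tar -czf "$3" -C "$(dirname "$2")" "$(basename "$2")" -C "$1" wp-content
    chmod 600 "$3"   # the archive holds the entire database, including user hashes
}

main() {
    mkdir -p "$BACKUP_DIR"; chmod 700 "$BACKUP_DIR"
    work="$(mktemp -d)"; out="$BACKUP_DIR/$(backup_name)"
    dump_db "$WP_ROOT/wp-config.php" "$work/database.sql"
    archive_files "$WP_ROOT" "$work/database.sql" "$out"
    rm -rf "$work"
    # Drop archives older than KEEP_DAYS so the backup disk does not fill up.
    find "$BACKUP_DIR" -name 'wp-*.tar.gz' -mtime +"$KEEP_DAYS" -delete
    # Mail a receipt with the checksum; compare it against the file before restoring.
    sha256sum "$out" | mail -s "WordPress backup on $(hostname)" "$MAIL_TO"
}

# Example crontab line (nightly at 03:00):  0 3 * * * /usr/local/bin/wp-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Copy the archives off the server as well, since a backup that lives only next to the site disappears with it.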

Make sure you are safe

In both the Network Solutions hack and the GoDaddy hack, it was my antivirus software, Avast!, that first alerted me to a problem.  Having an A/V program with a real-time web scanning component is incredibly beneficial for spotting an infiltration and protecting yourself from being infected by your own site.

If you’re running a blog, make sure you’re doing something to filter comment spam — it’s probably the easiest way to add some nefarious links on your site from the outside and is usually very easy to prevent.  WordPress comes built in with Akismet which does all the heavy lifting of filtering out spam comments — all you need to do is register a WordPress.com account to get an API key, which I strongly recommend doing.

Also, if you are running a WordPress site (or any web-based software) make sure you keep up to date with your updates.  It’s not going to save you from being hacked, but often there are security updates and it’s better to install those sooner rather than later. (That said, it has been suggested that too soon has its own risks — sometimes updates have new holes that were missed in the testing phase and may open your site up in new and exciting ways.  I usually check for updates once a month; by then, in most cases, any potential bugs that were serious have been worked out and fixed.)

If you have been hacked, here are a couple links that can help you recover:

FAQ: My site was hacked
How to completely clean your hacked WordPress installation

Web security isn’t going to go away.  These mass website hacks are not going to go away.  And it isn’t fair to assume that your host is going to be responsible enough to protect your site in what is, in their eyes, your responsibility.  Even if you have a retainer who manages your website(s), you should still make sure you are aware of what is going on in the outside world and make sure they know what’s going on, too.  A good thing is having your tech or designer fix your site in a matter of hours after you report that there’s something fishy on your website.  A better thing is having your tech contact you first to say “there’s a hack going around, I’ve taken precautions against it, and I’m monitoring your site in case of an attack.”  You don’t want to be the one left behind with the guy who says “um…what?” when you say you think your site has been hacked, whether that guy is your “web guy” or your hosting provider.
