My other blog, Vic.Pics, was hacked!
Luckily it wasn’t too bad. Thankfully I have regular automatic WordPress back-ups to restore from.
I’d logged into the site’s Dashboard and installed some updates, then clicked on “Visit Site” for a quick look before I started working on the next post. I was shocked to see that the most recent post title had been changed to “hacked by NG689Skw”. Clicking on the post revealed that the text and image had been deleted.
I had been using two-factor authentication, where I needed my phone to log in, so how had NG689Skw accessed my WordPress install? Checking my settings revealed that my admin password hadn’t been disabled. Doh!
My hosting provider, Crazy Domains, offers automatic back-up of WordPress installs, so I was easily able to roll back the site to the previous back-up. The next step was to try to prevent any further unauthorised access, so I also updated my settings, removing all password log-in methods.
The moral of this story is to have back-ups of everything and use two-factor authentication for your log-in. Make sure you disable the legacy settings, so a password cannot be used to log in. That way you can spend more of your time writing and publishing.