After the highly publicized hacking of Wired reporter Mat Honan’s identity, it is clear to me that hackers don’t always go about things the way we think they do. When we hear “I’ve been hacked”, we immediately think someone has been trying to crack our passwords using software that tries every password in the dictionary or generates guesses from some complex algorithm. Or maybe we think they installed something malicious on our computer to spy on us.
Yet, Honan’s experience shows us that hackers don’t always need to do all that stuff. In fact, all they did was cleverly and logically work their way through various systems. They call it social engineering. Whatever the name, it’s not good.
Keep Your Security Processes But Keep Your Eyes Open
Don’t get me wrong. I’m not saying abandon your difficult-to-guess passwords that include capitals, special characters and numbers, or stop using tools that help you secure your personal accounts and business systems. Not at all; it would be foolish to. What I’m saying is: sometimes, sit back and take a moment to review whether some loops need to be closed.
How I Cracked A WordPress Admin Account
Just this week, I ‘broke’ into the WordPress admin account of a friend. Before you crucify me, let me say I had permission. I was asked to help and he gave me the logins. But when I went to work on the site, the logins wouldn’t work. I figured something had changed and didn’t know whether it was the password or the username. I couldn’t contact my friend because I tend to work really late at night (or early morning, if you prefer).
And then it struck me: let’s try the same password with a different username. But what username? Well, here’s something I know from years of experience working with WordPress and other people’s sites: most users never change their display name. Which means, if your theme displays the author name and you haven’t changed your display name, guess what?
You are displaying your username for everyone to see!
So what do you think I did to get logged in? Yup! I went to one of his blog posts to look for “by author name” (crossing my fingers as I went, because some themes have this hidden). Luck was on my side and sure enough it was on the blog. I simply used his display name as the username and bingo! Account cracked. No malicious software necessary.
My friend is really lucky it was me and not someone else with nefarious intentions.
You Can Do Something About This
My question to you is: are you publicly displaying your username on your blog? If so, go change it now. Just follow these steps.
1. Log in to your WordPress account
2. Go edit your profile
3. Add a first and last name, or simply edit the nickname; it doesn’t matter which
4. Update your Profile
5. Select the name you want shown under “Display name as”
6. Update your Profile
Of course, it’s better to change the username too, so that it is vastly different from any of the displayed names. And no, my username is NOT displayed publicly 😉 you didn’t think I’d write a post about this and leave myself exposed, did you?
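If you look after more than one account (or more than one site), checking every profile by hand gets old fast. Here is an added example, not from the original post, that does the check from the command line: it assumes WP-CLI (`wp`) is installed and run from the site’s root, lists every account, and flags the ones whose public display name is the same string as the login name (ignoring letter case, since WordPress accepts logins regardless of case). The sample CSV inside it is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress site for accounts whose display name
# exposes the login name. Assumes WP-CLI is available as `wp` for the
# live check; the parsing function is kept separate so it can be tried
# on sample data first.

# audit_display_names: read the CSV that
# `wp user list --fields=ID,user_login,display_name --format=csv` prints
# (header row, then ID,user_login,display_name per line) on stdin and
# print "ID user_login" for every account whose display name equals its
# username, ignoring letter case.
# A display name containing a comma arrives double-quoted and splits
# across fields; such a name can never equal a WordPress login anyway,
# and ID and user_login come first, so the comparison stays correct.
audit_display_names() {
    awk -F',' '
        NR == 1 { next }                      # skip the CSV header row
        {
            login = tolower($2)
            shown = tolower($3)
            if (login == shown) print $1, $2  # exposed: flag the account
        }'
}

# exposed_accounts: run the audit against the live site (needs `wp`).
exposed_accounts() {
    wp user list --fields=ID,user_login,display_name --format=csv |
        audit_display_names
}

# Constructed sample of what `wp user list ... --format=csv` might print:
# one exposed account ("johnd") and two whose display names differ.
SAMPLE_CSV='ID,user_login,display_name
1,admin,Site Editor
2,johnd,johnd
3,maria,Maria Lopez'

# sample_audit: run the audit over the constructed sample.
sample_audit() {
    printf '%s\n' "$SAMPLE_CSV" | audit_display_names
}

sample_audit   # prints: 2 johnd
```

Any account the audit prints should get a new display name through the profile steps above; `exposed_accounts` should then print nothing.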