Warning: Don’t Make This Stupid Website Security Mistake

Ali Luke


One of my less than happy memories as a blogger is from a couple of years ago.

It started with an email from a kind reader. Sadly, it was the sort of email that no blogger wants to receive, titled “Chrome is warning people off your site.” The reader alerted me to a malware message appearing when he tried to visit my site Aliventures.

Not great news at any time … but I was right in the middle of running an ecourse on my site, and about to head off for a weekend conference.

After a long struggle to find out what was wrong and how to fix it, I learned that the malware had got in through an outdated plugin on an old website, running an old version of WordPress, that I’d not looked at in years.

And the reason the malware had infected my main site, Aliventures, was that I’d (unknowingly) made a really stupid mistake.

I kept all of my sites under a single FTP user account, with one username and password. I thought because the password was strong, and I was the only person who accessed the sites, this wouldn’t cause any problems.

Wrong. Once the malware got in, it could affect any of the sites under that user account – including sites I hosted for friends, family and even a few clients.

Thankfully, a great security company, Sucuri, cleaned up the mess. (I have a monthly subscription to their service now, just for peace of mind.)

I learned an important lesson – if you run multiple websites, don’t put them all under the same FTP account.

(Oh, and keep all your WordPress installations – including plugins! – up to date too.)
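The point of the lesson above is that an FTP account is just a filesystem user: every site that user owns is writable by anything that runs as that user, so one compromised site gives the attacker write access to all the others. The script below is an added example, not Ali’s own code or part of the original post. It takes a listing of web roots and their owning users (the `SAMPLE_LISTING` is constructed sample data, and the `stat -c '%U %n'` command in the comment assumes GNU stat) and reports every user that owns more than one site, which is exactly the “single point of compromise” the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): audit which web roots share
# one system/FTP user.  Input is one line per site, "<owner> <path>", which
# on a Linux host with GNU stat you can generate with:
#   stat -c '%U %n' /var/www/*
# The listing below is constructed sample data: four sites, three of them
# owned by the same user, one isolated under its own user.
SAMPLE_LISTING='webuser /var/www/aliventures
webuser /var/www/old-blog
webuser /var/www/client-site
siteb /var/www/family-site'

# shared_owners LISTING
# Prints "owner count: path path ..." for every owner holding more than
# one web root.  Each such owner is a single point of compromise: a
# vulnerable plugin in any one site can write to every other site it owns.
shared_owners() {
    printf '%s\n' "$1" | awk '
        NF >= 2 { count[$1]++; sites[$1] = sites[$1] " " $2 }
        END {
            for (o in count)
                if (count[o] > 1)
                    print o, count[o] ":" sites[o]
        }
    ' | sort
}

# check_isolation LISTING
# Returns 0 when every web root has its own owner, 1 when any user owns
# two or more sites.  Suitable as a cron or deploy-time check.
check_isolation() {
    [ -z "$(shared_owners "$1")" ]
}

# Run against the constructed sample; on a real host replace the argument
# with "$(stat -c '%U %n' /var/www/*)".
shared_owners "$SAMPLE_LISTING"
if check_isolation "$SAMPLE_LISTING"; then
    echo "OK: every web root has its own owner"
else
    echo "WARNING: sites above share an owner; a compromise of one affects all of them"
fi
```

On a real host, run it against the actual web roots, then give each flagged site its own user (and its own FTP/SFTP login), so that a malware infection like the one described above stays confined to the site it entered through.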

Have you ever faced a situation like this? What caused it, and what did you learn? Share your tips with us in the comments…


7 Responses to “Warning: Don’t Make This Stupid Website Security Mistake”

  • Shawn Gossman

    I’ve made this mistake before and learned from it the hard way. I will also note that if you bunch all your sites on one FTP user and a site gets hacked causing all the others to be defaced, pin-pointing the initial hack will be a nightmare.

    I run several blogs that use WordPress, forums that use different free and premium forum software and even a social network that uses a premium social script. I try to give at least each unique software its own FTP account since I have unlimited FTP accounts on my dedicated servers.

    Anything to avoid security headaches is the way to go even if it means you have to do a little bit more work because the amount of work you have to do from a security mistake gone wrong is way more stressful!

    Great post, Ali 🙂

  • Jenn Mattern

    That’s a great tip.

    I was slammed a few years back because of the TimThumb exploit. Like you, I went with a security company to clean things up, but in my case I went with Rack911 and I was extremely happy with them. In the end, it’s a good idea to research these companies before you need them because you never know when that time might come.

  • Lakhyajyoti

    Another great post. Heard first time about security company, Sucuri. Let me try their service. Thanks for the share.

  • Angelina

    Many thanksade some great changes based on your recommendations and continue to learn and grow as a blogger because of your posts! great

  • C.A Brown

    Wow, sounds like it can be a headache. I have two sites I host under the same FTP account; after reading your post I am going to separate them tonight. Thank you for taking the time to make this post. I will check out Sucuri later tonight also.

  • Ali

    Thanks Ali for all the great posts and information!

    I have made some great changes based on your recommendations and continue to learn and grow as a blogger because of your posts! Many thanks!

    Quick question about this post… I don’t know what you mean by “FTP account”?

    Would you be able to explain in self-hosted WordPress terms?

    Thanks heaps!

    Ali 🙂

  • Aleksejs Ivanovs

    I have had the privilege of seeing some websites from the inside out and I have to tell you – the amount of people confusing real security with minor precautions goes beyond my word capability.

    Unfortunately, I cannot speak of those sites as I have an agreement I cannot step over.

    The single most stupid mistake I have ever seen is:

    1) people leave the ‘root’ password empty
    2) people use ‘password’ as the root password

    It’s not a big deal, if nobody has access to your server.

Comments are closed.