Losing your wordpress password sucks

A few people have written to me over the past month asking why my website hadn’t been updated in a while. I usually post an article every 2 weeks or so and my last article is almost 2 months old.

The reason is simple: I had lost my WordPress password. But this is a long journey, with a lot of complications, so let me start from, well, the start, and explain why losing your WordPress password sucks. This is slightly technical, but I feel it may be useful to future WordPress users.

  1. About six months ago, I got a notice my website was under heavy attack. Someone was trying to access my admin panel, which is basically where everything happens. I changed my password to a longer one and looked around for solutions.
  2. One highly-recommended solution is to change your username, i.e. from “admin” to “something else.” The reason is that most bots / brute-forcers try “admin” as a login first and foremost, thus it’s recommended to pick another username to edit your website.
  3. With that in mind, I created a new login, coupled with a strong password, and changed the permission of the “admin” username so it would not have any permission at all. You could also delete the user “admin,” but I believe it is better to leave it there so that bots keep trying to login with that “fake” username; even in the unlikely scenario they manage to get your password due to an exploit, they won’t have any access.

I should note here that keeping your WordPress AND plugins up-to-date is critical. Enable auto-update, especially if you do not log on often or tend to postpone plugin updates.

  1. After that, I could only login using that new username, which we will call ABCDEF (this isn’t my username). Being an idiot, I only noted the password in a random notepad file which I saved on my computer.
  2. Of course, my computer crashed.
  3. With that in mind, I tried logging in on fscomeau.com again…
  4. … and bang.
  5. But this was no big problem right? Connect using FTP?
  6. Well, I hadn’t saved my FTP information anywhere.
  7. No big problem, right? Just contact your host?
  8. Well, guess what else I had forgotten?
  9. No problems, do a password recovery!
  10. … wait a minute, I don’t even remember my username because I changed it from “admin” to “who knows what.”
  11. Maybe in my Gmail inbox there will be something?
  12. Anndddd this is the moment Google decided to lock my e-mail because of “suspicious login.”
  13. You know, I wanna stop here a moment to say I never asked Google to do anything like that. I never asked “oh, google, you know what, if my IP address changes, lock everything out!”
  14. I had no recovery e-mail or phone, of course, so…
  15. … yeah.
  16. I tried for ages to prove to Google who I was. I failed. Due to that, I could neither log on to my FTP (to transfer files), nor could I log in to my host, nor the registrar. My website was still up, but I couldn’t edit it.
  17. I tried to prove my identity to the host in some other means, but OF COURSE I had lost the card I used to pay them. I offered to let them send me a verification message by mail, which I offered to pay for, but this offer was denied as well.
  18. They asked for my previous IP, which I didn’t remember (duh!!)

So, how did I solve this quandary? Well, in the most stupid manner ever. Remember that hard drive that crashed? I paid $150 for someone to extract the data from it, with no guarantee that one notepad with that one password would be there, or even legible. Then, I spent a day going through every file because I couldn’t remember the name of this notepad file until I FINALLY found it.

Because I somehow got lucky, another notepad file had my registrar and host information, allowing me to gain back full control. But my Gmail account, I fear, is lost forever.

So, what’s the lesson here? This stupid situation could have been avoided easily had I not been so lazy/careless:

  1. KEEP a paper copy of everything. Computer crashes. I guess paper burns, but keep a paper copy of it. Lock that paper copy if possible.
  2. MAKE BACKUPS, and not Google backups: if you are locked out of Google, you are done. Keep a copy of your important files on one, or better yet, several USB keys. Encrypt them preferably. You can even hide them around if you are afraid of a fire. Like, get a safe deposit box at a bank. Computers crash, that’s a fact. And Google LOVES to lock your account, trust me on that. In fact, I don’t think I would use Gmail anymore for important business.
  3. If you do use Gmail, USE the 2FA (two-factor authentication) and all that crap that Google offers. You don’t want to lose your Gmail. Have a backup email AND phone number.
  4. When websites tell you to use complicated passwords, they aren’t joking around. People today hack even the most mundane website (let’s face it, this isn’t a website worth hacking) for the most mundane reasons. Bots are abundant.
  5. Use reCAPTCHA on your wordpress login. Seriously.

Other tips you can use are: make copies of your credit cards, use an IP block so only certain IPs can log on to your things, use a good antivirus / anti-malware, use different passwords for all your things, use a password management system with encryption (such as KeePass). Yes, it’s a lot of trouble, but I almost lost this website forever due to random crap.
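The "IP block" tip above, as an added example that is not from the original post: a WordPress must-use plugin that refuses the login page to any address outside an allowlist. The CIDR ranges, the file name and the helper function names are assumptions for illustration; the WordPress hook and `wp_die()` call are standard.

```php
<?php
/*
 * Plugin Name: Login IP allowlist (constructed example)
 * Save as wp-content/mu-plugins/login-ip-allowlist.php; mu-plugins load
 * automatically and cannot be disabled from the admin panel.
 */

// Assumed allowlist: replace with the addresses you actually log in from.
// CIDR notation lets a home connection whose last octet changes still match.
const LOGIN_ALLOWED_CIDRS = [
    '203.0.113.0/24',   // documentation range, stands in for a home ISP block
    '198.51.100.7/32',  // a single office address
];

// True when an IPv4 address falls inside a CIDR block such as 10.0.0.0/8.
function login_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // IPv6 or malformed input: treat as not allowed
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function login_ip_allowed(string $ip): bool {
    foreach (LOGIN_ALLOWED_CIDRS as $cidr) {
        if (login_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// login_init fires before wp-login.php renders anything, so bots never see
// the form. REMOTE_ADDR is used on purpose: X-Forwarded-For is set by the
// client and is only trustworthy behind a proxy you control.
add_action('login_init', function () {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!login_ip_allowed($ip)) {
        wp_die('Login is not permitted from this address.', 'Forbidden', ['response' => 403]);
    }
});
```

If your own address changes, the only way back in is deleting this file over FTP, so this tip only works alongside the paper copy of your FTP details the post recommends.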

With that in mind, perhaps I can finally finish my article on Canadian REITs :). Going to be called 2018 edition at this point.
