A few people have written to me over the past month asking why my website hadn’t been updated in a while. I usually post an article every 2 weeks or so and my last article is almost 2 months old.
The reason is simple: I had lost my WordPress password. But this is a long journey, with a lot of complications, so let me start from, well, the start, and explain why losing your WordPress password sucks. This is slightly technical, but I feel it may be of use to future WordPress users.
- About six months ago, I got a notice my website was under heavy attack. Someone was trying to access my admin panel, which is basically where everything happens. I changed my password to a longer one and looked around for solutions.
- One highly-recommended solution is to change your username, i.e. from “admin” to “something else.” The reason is that most bots / brute-forcers try “admin” as a login first and foremost, thus it’s recommended to pick another username to edit your website.
- With that in mind, I created a new login, coupled with a strong password, and changed the permissions of the “admin” username so it would not have any permissions at all. You could also delete the user “admin,” but I believe it is better to leave it there so that bots keep trying to log in with that “fake” username; even in the unlikely scenario they manage to get your password due to an exploit, they won’t have any access.
I should note here that keeping your WordPress AND plugins up-to-date is critical. Enable auto-update, especially if you do not log on often or postpone some plugin updates.
- After that, I could only log in using that new username, which we will call ABCDEF (this isn’t my username). Being an idiot, I only noted the password in a random notepad file which I saved on my computer.
- Of course, my computer crashed.
- With that in mind, I tried logging in on fscomeau.com again…
- … and bang.
- But this was no big problem right? Connect using FTP?
- Well, I hadn’t saved my FTP information anywhere.
- No big problem, right? Just contact your host?
- Well, guess what else I had forgotten?
- No problems, do a password recovery!
- … wait a minute, I don’t even remember my username cause I changed it from “admin” to “who knows what.”
- Maybe in my Gmail inbox there will be something?
- Anndddd this is the moment Google decided to lock my e-mail because of “suspicious login.”
- You know, I wanna stop here a moment to say I never asked Google to do anything like that. I never asked “oh, google, you know what, if my IP address changes, lock everything out!”
- I had no recovery e-mail or phone, of course, so…
- … yeah.
- I tried for ages to prove to Google who I was. I failed. Due to that, I could neither log on to my FTP (to transfer files), nor could I log in to my host, nor the registrar. My website was still up, but I couldn’t edit it.
- I tried to prove my identity to the host in some other means, but OF COURSE I had lost the card I used to pay them. I offered to let them send me a verification message by mail, which I offered to pay for, but this offer was denied as well.
- They asked for my previous IP, which I didn’t remember (duh!!)
So, how did I solve this quandary? Well, in the most stupid manner ever. Remember that hard drive that crashed? I paid $150 for someone to extract the data from it, with no guarantee that one notepad with that one password would be there, or even legible. Then, I spent a day going through every file because I couldn’t remember the name of this notepad file until I FINALLY found it.
Because I somehow got lucky, another notepad file had my registrar and host information, allowing me to gain back full control. But my Gmail account, I fear, is lost forever.
So, what’s the lesson here? This stupid situation could have been avoided easily had I not been so lazy/careless:
- KEEP a paper copy of everything. Computers crash. I guess paper burns, but keep a paper copy of it. Lock that paper copy up if possible.
- MAKE BACKUPS, and not Google backups: if you are locked out of Google, you are done. Keep a copy of your important files on one, or better yet, several USB keys. Encrypt them preferably. You can even hide them around if you are afraid of a fire. Like, get a safe deposit box at a bank. Computers crash, that’s a fact. And Google LOVES to lock your account, trust me on that. In fact, I don’t think I would use Gmail anymore for important business.
- If you do use Gmail, USE the 2FA (two-factor authentication) and all that crap that Google offers. You don’t want to lose your Gmail. Have a backup email AND phone number.
- When websites tell you to use complicated passwords, they aren’t joking around. People today hack even the most mundane website (let’s face it, this isn’t a website worth hacking) for the most mundane reasons. Bots are abundant.
- Use reCAPTCHA on your WordPress login. Seriously.
Other tips you can use are: make copies of your credit cards, use an IP block so only certain IPs can log on to your things, use a good antivirus / anti-malware, use different passwords for all your things, use a password management system with encryption (such as KeePass). Yes, it’s a lot of trouble, but I almost lost this website forever due to random crap.
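One way to set up the IP block mentioned above for a WordPress site served by Apache 2.4, as an added example that is not from the original post; it assumes mod_authz_core is loaded, and the addresses are constructed placeholders from the documentation ranges:

```apache
# Added example, not from the original post: restrict the WordPress login
# page to an allow-list of IP addresses. Put this in the site's root
# .htaccess (or the vhost config). Requires Apache 2.4 (Require directives);
# the 2.2 Order/Deny/Allow syntax is not used here.
# Replace the placeholder addresses with the IPs or networks you actually
# log in from. Apache does not allow comments on the same line as a
# directive, so each note sits on its own line.
<Files "wp-login.php">
    <RequireAny>
        # a single home or office address (placeholder)
        Require ip 203.0.113.10
        # a whole network in CIDR notation (placeholder)
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

If your own IP changes, this locks you out of wp-login.php until you edit the file over FTP/SFTP or the host's file manager, so keep those credentials somewhere you can reach, which is exactly the lesson of the story above.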
With that in mind, perhaps I can finally finish my article on Canadian REITs :). Going to be called 2018 edition at this point.