Yes, I have a Planet Doug WordPress blog. It can be found here:
Why have you never heard of it? Because WordPress drives me insane. It’s supposed to be the standard for this type of personal blog. Everyone recommends it. Everyone loves it. Yet, it has made my life a misery. I don’t understand anything about it or about website hosting and cPanel and .htaccess files and all the other thousand things that you are supposed to know about. It seems that all of this is second-nature to everyone out there in the world. People roll out of bed and create three functioning websites before they have their first coffee of the morning. But none of this is second-nature to me, and my attempts to have and maintain any kind of website have been disastrous and frustrating and stressful at every turn. I don’t understand any of it or why it needs to be so difficult.
I had big plans for the Planet Doug blog when I set it up. But I’ve accomplished none of that. And that’s because every time I go to my blog and the WordPress dashboard, there is some kind of technological problem. Every time. And I usually have no idea what the problem is let alone how to fix it. I can try to fix it, but that just leads to three days of research, and at the end of it, I still don’t understand anything, and the problem is still there. And when I ask for help, I’m given instructions that are just utterly baffling. I have no idea what anyone is even talking about.
I’ve embarked on this rant, because just now, I tried to go to my Planet Doug blog, and I got the disturbing message that my website has again been the object of a brute force attack to try and hack it. And for safety, my hosting company has disabled login. I actually get this message all the time. It is one of the dozens of online-security issues that haunt my existence. I get so many security-related notifications and have to implement so many layers of protection that it feels like I live inside a maximum-security prison of my own design. I built my own digital prison, and I live inside it, in fear of everything outside the walls.
In this case, my hosting company has offered me some possible solutions to stop this from happening in the future. I guess I am going to try to implement one of them right now tonight. This is their message to me:
“There are generally two things you can do to fix this issue for the long haul. The first option is to hide your WordPress login URL from hackers. They won’t know where to try to login to your site, and the blocks should stop. The second option requires you to edit your .htaccess file (can be difficult if you’ve never done it before).”
Clearly, I’m not going anywhere near the .htaccess file. I’ve gone down that road in the past and it led nowhere but to frustrationville. The thing is that even if you DO manage to follow the technical step-by-step instructions to get in there and monkey around with a system file like that, you have no idea what you’re doing. Even if you are successful, you don’t know what you did, and then it will be impossible in the future to alter what you did when the need arises.
And it appears that the easier option of hiding my WordPress login URL requires a plugin. And this is something that bothers me immensely about WordPress. I actually pay this hosting company a fortune to host my near-useless Planet Doug blog. It’s ridiculously expensive. And for that much money, you’d think they could take care of this for me. My website is hosted with THEIR company which is jammed with technology experts. Shouldn’t there be built-in systems to prevent hackers from taking over my humble blog? Failing that, why isn’t it built into WordPress? Why isn’t there a simple button that I can click on that reads, “Prevent hackers from brute-forcing your login credentials.” If it is so important to “hide your WordPress login URL from hackers”, why is it exposed in the first place? Why doesn’t WordPress automatically “hide” it, whatever that means?
But instead of having this important feature built into WordPress, you have to find some kind of third-party plugin to install. And who knows how effective the plugin is? Which one do I use? How do I know that the guy who built this plugin is going to maintain it and keep it updated for years into the future? All of WordPress appears to depend on plugins, and plugins are probably the least secure and the most glitchy aspect of any WordPress blog.
Anyway, my hosting company did mention a particular plugin that can do this for me. I don’t know what it is or what it does, but I’m going to investigate and see if I should install it and then figure out how it works. You can wish me luck here. I’m about to attempt it tonight. I’ll update later on about exactly what happened.
UPDATE:
Okay, so the first problem was that my hosting company in their endless help documents told me to install a security plugin called Solid Security. BUT rather than giving you a link to this plugin, they say that you should just type Solid Security into the plug-in search bar. And they even give you a screenshot to show you the results and they say that Solid Security will be the first one. YET, in the screenshot they include, it isn’t even called Solid Security. It’s called iThemes Security. So the hosting company didn’t use the correct screenshot or update their help documents.
Another problem I ran into is that months ago, I had another problem about some kind of security certificate that was missing. And they told me to install a plugin in called Really Simple Security and then do some fancy button-clicking to install some kind of certificate. I did that. But now what do I do? It seems like Really Simple Security and Solid Security do the same thing. Should I uninstall the first one? Will having two security plugins lead to a conflict? Of course, they don’t say. And if I uninstall the first one, does that mean I lose this mystery certificate that they tell me I need? I have no clue. I read through all the details for both plugins, and I don’t understand anything that they are talking about. And these are supposed to be the simple security plugins. They do not seem so simple to me.
FINAL UPDATE:
It is now two and a half hours later, and I just finished installing the new plugin and figuring out how to configure it and set everything up. And I NEVER could have done this without the help of an AI. I used Grok this time, and every time I ran into something that I didn’t understand (which was ALL the time), I stopped and asked Grok to explain it to me. And inch by inch, millimeter by millimeter, I worked through all the steps involved and figured everything out.
To be honest, Solid Security was pretty cool. It didn’t just present me with endless pages of settings and expect me to understand it all. It used a setup wizard that walked me through configuring it, and the setup wizard was very well-designed. I still ran into confusion on every page and with every choice I had to make. I didn’t understand my options at all or what they meant. But with the help of Grok, I figured it out and I think I made the correct choices.
Even then, all I had accomplished was installing the plugin. Once it was installed, then I had to dive into it and enable all the security settings that were available and necessary. It took a very long time, but I’m pretty happy with the end result. These are the security measures that I put in place:
1: Enabled 2FA (two-step verification).
2: Created emergency 2FA backup codes and saved them in a secure place.
3: Restricted login to ONLY my username (no email address).
4: I hid my login page by creating a custom-made login “slug”.
According to the messages from my hosting company, creating this hidden login page should stop the brute force attacks against my blog, and they will no longer have to shut it down all the time.
Of course, not everything has been smooth sailing. For one thing, now that I’ve installed this security plugin and configured it, my site seems to have slowed down dramatically. Now when I click on the “New Post” button, it takes up two minutes for it to respond. And then it just shows me an empty page. I have to then click on the refresh button and wait another thirty seconds before I finally get the page where I can write a new post on the blog.
This delay could be caused by Solid Security. It could be caused by a conflict between Solid Security and Really Simple Security. Or perhaps it is just a temporary thing that will go away if I close everything and reboot my laptop and start fresh. I will be trying that next. But for now, despite taking the entire night to complete, I would call this a success. I have added multiple levels of security to my blog. And that should stop the brute force attacks.
Of course, that means my digital prison is now larger and more complex. To log in to my own website, I have to remember my secret login page. And I have to remember my user name. I can’t use my email address anymore. And I have to get my password from my password manager (which has all its own layers of security). And then I have to get the 2FA security code from my phone and enter it.
That is LOT of work just to log into my own WordPress blog. You’d think that much work would allow me to hack the Pentagon. But I have to work that hard just to get into my own website.