Regardless of what anyone else tells you or what you might read on blogs or websites, there is no 100% foolproof method to protect yourself. You can do everything "right" and still may (at some point in your life) find yourself the unhappy host for something you don't want.
That doesn't mean you can't or shouldn't take the steps required to protect yourself. The more protections you set up, the harder you make it for someone to get into your accounts. Don't offer them an open door, as so many people do because they haven't thought much about protection until they really need it.
Where to Begin - the Google Account
- Choose your username carefully.
- Make your password hard to guess. If there's room, use as many as 20-25 characters for your password. Use a random choice of lower case letters, upper case letters, numbers, and symbols (like a # sign, $ sign, ! sign, etc.). Not only are these harder to guess, they also take password-cracking programs much longer to find the correct set of characters. Since you choose these randomly, they're also very hard for YOU to remember, so write it down on paper. Don't lose it.
- Don't store it on your computer, or in your phone or mobile device.
- Don't let your browser save it.
- Don't use the same password anywhere else.
- Change your password weekly.
- Don't use the same password twice when changing it (don't alternate between 2 or 3 different passwords).
- Enable 2-step login verification. If you have a security key, use it.
- Don't log in to your Google Account from anywhere except your own devices.
- Remember to log out when finished.
- Don't share your password or login information with ANYONE, even if you trust them.
- Don't share screenshots from your accounts in public forums unless you blank out your personal information.
- Don't invite other users to your accounts.
- If you must invite others, and they are not YOUR own other accounts, do NOT make them Administrators. Making anyone else an admin means they can lock you out of your own account.
Since your Google account is your login for your AdSense account, taking these steps will also protect your AdSense account - at least as much as it is possible to protect an account.
All of the above are simply common sense. It really doesn't take a rocket scientist to understand the importance of keeping intruders out of your account.
But, there are other ways a hacker can get your information, and you need to be aware of these as well.
Learning What Not to Click, and What Not to Trust
Every day, most of us receive some sort of spam or email with the enticement to "click here" for something ... whether it's to change your password, or to log in to another account, or to claim a prize or ... well, any one of a hundred different things.
DO NOT CLICK any link in any email from ANYONE without checking it out.
That's just the first clue though, and may not always be reliable.
If there's a link in the email, check it first. DO NOT click on the link. Just hover over it. Look at the status bar at the bottom of your screen.
It shows you (usually) where that link will lead. If it's fake, it won't lead where you think it should.
The next safety check is to search for the URL behind the link. Highlight the link in your email and select "copy link" or "copy URL". Paste that URL into a blank notepad. Most of the time, there will be a domain name in that link. Go to "Google.com" and search for the domain - don't go to the domain directly, not yet.
Check the search results for the domain on the link you copied. See what the web has to say about it. If it looks legit, visit one of the pages using a cached page view. Make sure your browser's protections are in place before visiting: use a popup blocker; use a tracker blocker like Ghostery; use an adblocker; use an anti-phishing plugin/extension; and make sure your browser is protected by an antivirus.
Never just click a link in your email without first checking it. Doing so can take you to a site or page that can gather your personal information, including login data from your browser.
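The hover check described above compares what a link says with where it actually leads. The following added example (not from the original article) runs that comparison over the HTML of an email, along with a few other signs that a link's host is not what it appears to be; the sample message, the warning labels and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain name inside link text (scheme optional), and a dotted IPv4 literal.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return warning labels for one link; an empty list means nothing stood out."""
    url = urlparse(href.strip())
    host = (url.hostname or "").lower()
    match = DOMAIN_RE.search(text)
    shown = match.group(1).lower().removeprefix("www.") if match else ""
    checks = [
        # The visible text names one site but the link goes to another.
        (bool(shown) and host != shown and not host.endswith("." + shown), "text-mismatch"),
        (url.username is not None, "userinfo"),        # name@host: the real host is after the @
        (IPV4_RE.fullmatch(host) is not None, "raw-ip"),
        (host.startswith("xn--") or ".xn--" in host, "punycode"),
        (url.scheme != "https", "not-https"),
    ]
    return [label for hit, label in checks if hit]

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]

# Constructed sample body (not a real message); 203.0.113.7 is a documentation address.
SAMPLE = """<a href="https://accounts.google.com/signin">accounts.google.com</a>
<a href="http://accounts.google.com.login-check.example/reset">https://accounts.google.com</a>
<a href="https://accounts.google.com@203.0.113.7/verify">Click here</a>"""
```

An empty list is not proof that a link is safe; it only means none of these checks fired, so the search step above still applies.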
Protecting your Website Against Intruders
Fairly often we see frantic publishers in the AdSense forum whose websites have been hacked and taken over by others. While it isn't always possible to protect against every type of attack on a website, there are simple, common sense things you can do if you are using paid hosting. What's available to you depends on what type of hosting you have and what type of website you've developed.
- Set your "login attempts" plugin to really low allowances. Allow no more than 2 login attempts before a lockout. Set the lockout to last for an hour. After two lockouts, they can't try again for 24 hours. Also note that this will make it difficult for you to log in if you enter a wrong password, so make sure you know your password.
- Make your login username different than the name you show on your blog as the person posting. For example, if you write a post and it says "posted by admin" do not use "admin" as your login name (also don't use administrator).
- Don't use your own name as your login.
- Don't use your site name as a login.
- Don't use a name that can be associated with you in any way as your own user login.
- Make your password long, with 20 or more characters.
- Don't use common phrases in your password (for example, don't use things like "4U" together).
- Don't use the name of your site, don't use your own name, birthdate, address, phone number or any other sort of personal information as part of your password.
- Don't use the same password as your Google account uses, in fact, don't use the same password anywhere else.
- If you host multiple sites under your hosting plan, make sure you use different logins and passwords for each of your websites.
- Install security for your website. Sites built on WordPress have multiple plugins you can use (Wordfence and Simple Firewall are just two). Before installing any plugins, check them out. Make sure the developer is trustworthy and the reviews are reasonably good.
- Follow the suggestions used above: don't log in to your admin account unless using your own devices. Log out when you're done.
- Don't share your login with anyone.
- Don't let your browser store your logins.
- Change your password once a month - more frequently if you see people trying to access your admin account.
- Don't store your login/password anywhere online.
- If you can avoid it, don't post to your site using a mobile device. Turn off that option.
- Be careful how you set up your FTP accounts.
- If your hosting allows it, use an .htaccess file to block suspect IP addresses and web spiders you don't trust.
Note that blocking an individual IP address is not the most effective way to prevent problems, particularly if that's all you've been doing for protection. Many (if not all) hackers don't use their own IP addresses, and use one of the hundreds of proxy sites which assign random IP addresses. That means you could block thousands of IPs that don't necessarily belong to an actual hacker. Using other methods will provide more protection than just blocking a bunch of IP addresses, or even a range of IPs. So yes, you can block the IPs, but one shouldn't count on just that to do the trick.
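Added example, not from the original article or from any plugin: the lockout rule from the login-attempts item in the list above, replayed over constructed events in which every wrong guess arrives from a different address, so a blocklist of already-seen IPs stops almost nothing while the lockout still holds. It reads "after two lockouts ... 24 hours" as the second lockout lasting 24 hours and keys the counter on the login name; both are assumptions of this example, as are all names and addresses in it.

```python
HOUR = 3600  # seconds

class LoginThrottle:
    """2 failed attempts trigger a lockout: 1 hour the first time, 24 hours after that.
    Keyed on the login name, which is this example's assumption; plugins differ."""
    MAX_FAILURES = 2
    LOCKOUT_SECONDS = (1 * HOUR, 24 * HOUR)

    def __init__(self):
        self.failures = {}      # login -> failed attempts since the last lockout or success
        self.lockouts = {}      # login -> how many lockouts it has had
        self.locked_until = {}  # login -> time (seconds) when the current lockout ends

    def attempt(self, login, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt made at time `now`."""
        if now < self.locked_until.get(login, 0):
            return "locked"     # refused before the password is even looked at
        if password_ok:
            self.failures[login] = 0
            return "ok"
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= self.MAX_FAILURES:
            count = self.lockouts.get(login, 0)
            self.locked_until[login] = now + self.LOCKOUT_SECONDS[min(count, 1)]
            self.lockouts[login] = count + 1
            self.failures[login] = 0
        return "failed"

def replay(events, blocked_ips=()):
    """Run (time, ip, login, password_ok) events through an IP blocklist, then the throttle."""
    throttle = LoginThrottle()
    return ["ip-blocked" if ip in blocked_ips else throttle.attempt(login, ok, now)
            for now, ip, login, ok in events]

# Constructed events (documentation addresses): each wrong guess uses a new address.
EVENTS = [
    (0,     "198.51.100.1", "owner-login", False),
    (60,    "198.51.100.2", "owner-login", False),  # second failure: 1-hour lockout starts
    (120,   "198.51.100.3", "owner-login", False),  # refused
    (600,   "192.0.2.10",   "owner-login", True),   # the real owner is refused as well
    (3700,  "198.51.100.4", "owner-login", False),
    (3760,  "198.51.100.5", "owner-login", False),  # second lockout: 24 hours
    (7400,  "198.51.100.6", "owner-login", False),  # still refused an hour later
    (90200, "192.0.2.10",   "owner-login", True),   # lockout over, owner gets in
]
```

The fourth event is the trade-off the list item warns about: during a lockout the correct password is refused too.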