Password reset spam and password protection

Our setup includes a measure that prevents discovery of your usernames by blocking scans of ‘/?author=N’, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps.

However, we’ve noticed a small increase in password reset activity to info@yourdomain.what.ever.

We know these are not authentic password resets, as the IP addresses are not local and, in quite a number of cases, the email address info@ simply doesn’t exist.

As far as we know no harm can arise … but if you are concerned, or think you have done something you’d rather not have, drop us a line and we can take a look.

There’s limited preventative action:

  1. If you don’t need the info@yourdomain address, remove it.

Do not:

  1. Mark the mail as spam, as that will degrade the ability of our servers to send genuine email to you.

But it will do no harm to audit your passwords in one of the following ways.

  1. Check whether your email address has ever been compromised in a data breach;
  2. Check whether you use the same password across multiple websites (this is very common);
  3. If you use a simple password, or haven’t changed it since you first set it, change it for one that is harder to guess;
  4. Use your browser’s password manager (or a third party tool) to store passwords.
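
One way to carry out checks 2 and 3 offline, as an added example that is not part of the original post: it reads a password export in the `name,url,username,password` column layout (an assumption about your password manager's export) and reports sites that share a password and sites with short ones. The sample rows and the 12-character threshold are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows in the assumed name,url,username,password layout.
SAMPLE_EXPORT = """name,url,username,password
Blog,https://blog.example.org/wp-login.php,info@example.org,sunshine1
Shop,https://shop.example.com/account,info@example.org,sunshine1
Bank,https://bank.example.net/login,info@example.org,t7#Qv9!mLw2$xRz8
Forum,https://forum.example.org/,sam,abc123
"""

MIN_LENGTH = 12  # assumed threshold for a "simple" password; adjust to taste


def audit_passwords(export_text, min_length=MIN_LENGTH):
    """Return (reused, weak): groups of sites sharing a password, and
    sites whose password is shorter than min_length."""
    by_digest = defaultdict(set)
    weak = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get("password") or ""
        if not password:
            continue  # entry saved without a password
        # Prefer the hostname from the URL; fall back to the entry name.
        site = urlsplit(row.get("url") or "").hostname or row.get("name") or "unknown"
        # Group on a digest so the plaintext is never stored or printed.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].add(site)
        if len(password) < min_length:
            weak.add(site)
    # Only passwords seen on more than one distinct site count as reuse.
    reused = sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)
    return reused, sorted(weak)


if __name__ == "__main__":
    reused, weak = audit_passwords(SAMPLE_EXPORT)
    for group in reused:
        print("Same password used on:", ", ".join(group))
    for site in weak:
        print("Short password on:", site)
```

Delete the export file once you have finished, since it holds every password in plain text.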

By @ourlocality

@OurLocality
Publishing Locally in East Lothian since 2010