I want to be very careful in how I address this topic because I want to bring up a serious concern without being all “creepy internet guy.”
The topic is how to safely blog without giving away enough personal information to make you vulnerable. I’ve hinted at, but never come out and said, what it is I do for a living. I’m something of a jack of all trades when it comes to technology and I employ my skills wherever they are needed throughout the US and, in some cases, outside the US. One of the skills I’ve acquired over the last 20 years is computer security.
No, I don’t go breaking into anything, but I do know how to break into things because this is essential to one of my jobs: making sure no one else breaks into my systems. I’m by no means an expert, but I’m no babe in the woods either.
So it concerns me when I see someone commenting on my blog using their personal email address as the contact email. WordPress fills this in automatically when you comment using your WordPress account. That’s right, the email address you use to receive notifications from WordPress is the same email address that you are leaving on my blog and any other blog where you comment.
Using your personal email address is bad enough – if you don’t believe me, Google it and see what kinds of pages it brings up – but if your personal account is “myname@mylocalISP.net” it’s even worse. One person – I won’t say who – uses their work email address. Right there I could have the person’s name, work address, work phone number, etc. If this is you, don’t bother reading the rest of this post, just skip to the last paragraph as quickly as possible for how to fix it.
Pretend for a minute that I’m not a big nicey (“yeah, a REAL stretch of the imagination” – betrayed spouses everywhere) and that I want to expose my commenters to the world. I don’t know why I would do this, but I also don’t know why some people comment 2-3 times a day even when they know I trash their comments without reading them. But I digress. So let’s pretend I’m Joe Meanie (as my firewalls instructor used to refer to hackers). Since WordPress always logs the IP address of commenters, I can look up where in the world any commenter is by using a website like iplocation.net. Even if this fails, I could do a traceroute to find the general vicinity of a commenter, usually down to the level of a city name and ISP.
The IP address alone is not sufficient to find someone unless you have a warrant, but if you have also given the crazy hacker version of me your full name, or even just part of your name, in your email address, I can probably find your home address and phone number as well as all sorts of interesting information in just a few minutes. Think Facebook, Instagram, Twitter, and virtually anything else you’ve ever posted on the internet using your real name or email address.
This is not hacking. This is Googling publicly available information using the information you already give to every blog where you leave a comment. Sounds pretty creepy, right? Well, yeah, it is.
That’s why the email address I use for this blog is the Gmail address “isleofaman.” There is nothing in that email address that will tell you who I am. This blog is the only thing that uses that email address. My IP address maps back to a zip code with at least 50,000 people in it. The most that geographical information could do is let someone who knows me in real life put two and two together when they start interacting with a blogger who happens to live in the same general area as them.
The odds of some random hacker or blogger finding my personal information from what I put on the blog are very small. I’m careful not to post personally identifying information on my blog. I could make it even harder by using a proxy or Tor to hide my true IP address, but that’s not really necessary. Even if someone hacked my email address and the password for this blog, there is nothing in my account that would tell them who I am, where I live, etc.
So now we get to the point. If you are still using your personal email address for WordPress, regardless of whether or not it is your name, go now and create a new email address just for the blog. Gmail works great, so does Yahoo. Make sure you use a password for your blog email address that is different from your personal email address (and ideally different from your WordPress account password, too). Then go into your WordPress Account Settings (by hovering over your avatar in the top right of the screen and clicking the link). Click the Account tab and change your email address to your new email address. When you’re done, save it and you’re now about 1,000 times safer when you comment.
It’s not bullet-proof, but this will make you safer online and could save you the embarrassment of having your Facebook photos and home address posted on Tinder. Or worse.