HELP!!! My private blog is being accessed, and I didn't invite anyone to read.

  1. I recently changed the privacy settings on my blog to be PRIVATE after discovering that a long-time stalker/cyberstalker was aware of my blog. Since then, I regularly check my stats to ensure that no one (other than myself, since I've accidentally visited my blog a few times) has been reading it. However, I checked my stats today to discover that a different visitor has visited and read specific entries. Is there a way for support to figure out how my blog was accessed? I have tested the privacy settings I currently have, and when I go to my blog URL, it's blocked (Blog is marked private by owner. If you have been invited, etc... log in.) BUT, I have NOT invited anyone to read the blog. By deduction, this person could have only accessed by logging into MY WordPress account and reading from their computer (which is not in the same country, so I know it's not me on another device). In Gmail and Facebook there's a way to see how/where your account has been accessed recently. Can I do that on WordPress? If it's not a feature, could someone who works for Support please please please help me find out? I'm literally really creeped out right now, and seriously considering using this as evidence for a restraining order or SOMETHING. I previously posted a question about getting help for personal account info, but no reply.

    Yes, I did just change my account password. But I still need (really really want) to know how that person accessed my account. To anyone who could help me out, thank you thank you thank you!!

    The blog I need help with is

  2. When anyone clicks the link they cannot see the content. This is what they see: is marked private by its owner. You can:

    Request access to view the site. We'll send your username to the site owner for their approval.
    Log out and sign in as different user. You're logged in as 'timethief'.
    Learn about privacy settings.

  3. However, I checked my stats today to discover that a different visitor has visited and read specific entries. Is there a way for support to figure out how my blog was accessed?

    I'll tag this thread for a Staff follow-up. Please subscribe to the thread so you are notified when they respond and please be patient while waiting.

  4. Yes I know. That's what I want, and what I set it to. But someone HAS seen the content yesterday, according to my stats. What I want to know is if I can see who has accessed my ACCOUNT, blog. Even if it's not a feature, there must be a record somewhere in the servers....

  5. Thanks for your help!

  6. If we click to confirm your blog is private (and it is) it still counts as a hit. If someone is given a link to a specific post on your blog, they get the same message, and it counts as a hit on that blog post even though they cannot read it. I think one of your actual authorized users may be leaking the links to this stalker.

    It's worth noting that when your blog is private, YOUR views are counted.

  7. Actually, when the blog is private, only when you enter to read is it counted as a hit. I've confirmed that multiple times. When timethief clicked the link yesterday, it did not count as a hit in my stats. And I know it wasn't me, because the hit was from a different country.

    And I mentioned earlier, I have NO authorized readers, at all. There's no legal way for this person to read except to hack into my own WordPress account and read. This isn't something I've been dealing with for only a few days (try YEARS), so I've checked my facts and checked and re-checked WordPress settings/features/behavior to understand it and by process of elimination and deductive reasoning, there's no other logical possibility other than the scenario described in my original post.

    By deduction, this person could have only accessed by logging into MY WordPress account and reading from their computer (which is not in the same country, so I know it's not me on another device).

    At this point, I'm quite positive that only staff (unless member users have access to that info) can help with this issue, to go into the back-end and actually look at how the account has been accessed---from what IP address, whether it was a login or a hack or something, what time. WordPress is supposed to have good security measures, so I'm really counting on staff this time.

    I think it might have been partially my fault, because my old password was not that difficult to figure out, if you know me. I've since changed it, and it shouldn't happen anymore, unless that person is a hacker.

    To staff: if anyone could help with this ASAP, it'd be greatly appreciated. Were it any other issue, I'd have absolutely no problem being patient and waiting a few days, but this is a major violation of personal privacy and security, and I would really like to have peace of mind. I don't want to have to close my entire account, but this person is really forcing me to consider that.... Thank you!

  8. Hello there!

    I'm not seeing anything amiss in your access logs that would suggest that someone had tried to hack your blog. Since you have no invited users, logging into your account would be the only way to view it.

    Aside from changing your password, I strongly advise that you activate two-step authentication on your account.

    Let me know if you have additional concerns. Thank you!

  9. Thank you for checking in on the issue so quickly! I will activate 2-step authentication from now on as well.

    Is there a way to check access logs to see times/locations of logins? Something similar to Facebook, where you can check where you've logged in, and it gives you info on time & date of access, device name/type, location... As I mentioned before, I'm considering using this as evidence for potentially filing a restraining order once I really can't take it anymore, so any & as much detail that is available to me would be wonderful. I don't know if this is something I can request to have sent to me, or if I actually need a subpoena to gain access to that info? Thank you so much!

  10. Hi there!

    Right now we don't offer a way for you to see the times and locations of your logins. Sorry about that! I do see that you've enabled two-step authentication. This should further secure your account and prevent any unauthorized access. If you had other questions, let me know. Thank you!

  11. Hi, and thanks for all your assistance!

    I know that right now there's no way for me to see times and locations of logins through the WordPress interface, but I'm sure you have that information in my access logs, correct? Is that something I can request to be sent to me to keep as records (due to the unique and sensitive nature of this issue)? To put it bluntly, right now, I need proof. Black-and-white proof. Documentation. This information is probably not given out normally, but given the situation, it was my account that was compromised, so even (especially?) if it was not me who accessed the account, as account owner, I should be able to request that the information be made available to me. Thank you!

  12. Also, is there a way to continue this conversation privately, and delete this topic/question from the forum? I don't want my stalker to know 1) that I found out about his breach, and 2) any progress I make on collecting evidence. I hope you understand, due to the sensitive nature of the issue at hand.

    Again, thank you so much!

  13. Hm... yes, it is informative. Thank you, timethief. But, I am the owner of the account, so I should be able to request the information without a subpoena/warrant/etc, since I am the owner of the compromised account, I am the user, and it is my own account information that I am requesting access/documentation. That person used MY login to access my account.

    Now, if my understanding of the policy is correct, if that person somehow accessed my account using his/her own account, and I were requesting info about that account login, it would be a problem. But, as I've mentioned like a broken record already, I'm requesting access to MY own account, which was broken into.

    Yes, I know that I didn't previously have two-step authentication enabled, because I am not a smartphone owner nor do I use my cell phone frequently enough to make it convenient to enable two-step authentication, but that shouldn't factor into a denial of the request. What if I didn't have a cell phone? WordPress staff (druesome) has been great so far at answering my questions and helping to resolve the issue, so I don't think they'd say [essentially], "It's your own fault your account wasn't secure enough, that the other party figured out your password, so we're going to deny you access to information about YOUR OWN ACCOUNT that you legally have access to."

    But I've since learned my lesson, and enabled two-step authentication even if it's more inconvenient when signing in. And I would greatly, greatly appreciate it if I could just obtain the documentation for my own account.

    Thank you again for your time and effort in this matter!

  14. Also, I just checked my stats on a whim, and discovered that someone else has visited my blog within the last hour, from another country outside my country. The visitor was referred from a Google search, but I don't understand how a Google search landing on a private blog will count as a hit. (I just tested on a different, not logged in browser on my computer, and no, it doesn't count as a hit). I also still have not invited anyone to read. Could it be staff checking/testing the account perchance?

    I'm sorry for seeming paranoid... other bloggers check stats to look for reader numbers, I check to make sure no one's reading....

    Thank you!

  15. Hey there,

    When your blog is accessed elsewhere, it means that someone may have chanced upon your blog somehow. Rest assured that the visitor was not able to see anything because of your privacy settings. These random occurrences are taken into account in your stats, but shouldn't be any cause for alarm. If you have any additional concerns, please don't hesitate to let me know. Thanks!

  16. Can you please answer my previous question? I pretty much know who it was, because the country from which my blog was visited was the same as the one that caused me to privatize my blog in the first place. Not only that, the person clicked on something to go to a tag filter. I'm pretty sure that was NOT a random occurrence.

    How come when I try to access my blog without being signed in, I get the privacy settings message, but it's not counted into my stats?

  17. Sorry, I know who it is, but I need documentable evidence. Deducing the person who logged into my account based on screenshots of my stats is circumstantial, and I need something more specific.

  18. Hello again!

    Please be assured that your blog is set to private and properly secured with two-step authentication. When someone visits your blog, they will be met with this screen:

    And will not be able to go beyond that.

    How come when I try to access my blog without being signed in, I get the privacy settings message, but it's not counted into my stats?

    If you are logged in as administrator on your blog, your visits are filtered from your own blog's stats.

    Deducing the person who logged into my account based on screenshots of my stats is circumstantial, and I need something more specific.

    I'm afraid that apart from the information available in your site stats, that's all the information we can give you.


  19. So, we went full circle and in the end, none of the assistance or information I initially requested was actually given.

    I personally have tested multiple times, and when I am NOT logged into my account, and try to access my blog, I get the privacy settings message, AND it's not counted in my stats. When my blog was public, my own visits were filtered out from my blog's stats. I don't understand why you're giving me contradictory and inaccurate information.

    A final request, since I'm pretty sure that the info I need will never be provided: given the nature of these privacy issues, and the giant runaround I was given, could you at least delete this thread, or delete my username from this thread? And I KNOW it can be done. As mentioned before, this is a privacy issue, and I don't appreciate the fact that a simple Google search of my username brings up this forum on the front page.

    I'd like to be able to tell people that WordPress at least tried to help protect my privacy when it was breached. Thanks.

  20. Hi there!

    Unfortunately, we like to keep threads intact for informational purposes should there be any other users searching for a similar issue in our forums. Note that we only delete a thread if it contains sensitive contact information that may pose a security or safety concern. You can read more about it in our Code of Conduct. Hope you understand. Thank you!

  21. From the Code of Conduct:

    Always be aware that you are posting to a public forum, and that forum topics may only be deleted if they represent a valid security or personal safety concern.

    Given the subject matter of this forum topic, and the specifics of the situation, how is my username and blog URL being public not a valid personal safety concern? What determines the validity of a personal safety concern? Whether or not I pay for an upgraded WordPress account?

    I provided 2 options. Deleting the entire thread would be preferable to me, but since that will not (NOT cannot) be done, I also provided a second option to delete my user name and personally identifiable information from this topic. I refuse to believe that replacing my username with "Wordpress user" is impossible.

    When I first started my blog, WordPress came highly recommended for its usability and level of support, but after this experience, I seriously doubt that I will give the same recommendation to others.

  22. Hello there,

    Sorry for the inconvenience this has caused. I'm afraid that I'm not able to change or delete any names that appear in our forums, but rest assured that no private information other than your username and URL is made available in this thread. Thanks for understanding!

