In the past week, two major firearm-related weblogs, including Old NFO’s, have been hacked and some/all of their data was temporarily/permanently deleted/lost.
Once is an accident, twice is coincidence, three times is enemy action… and whether or not you believe in coincidence is up to you.
In general, you should be in the habit of changing/updating your passwords at least once a year, but if it has been around that long (or longer) since you have done so, I would recommend going ahead and changing them at least for whatever firearm-related weblogs you might run yourself – I have no way of knowing if this is a targeted attack (in all likelihood, it probably is not), but changing passwords does not hurt. In fact, given Old NFO’s bank accounts and other password-protected data were hacked, go ahead and change all your passwords.
A lot of folks I know recommend LastPass, but I am still stuck in the stone ages with hand-generated passwords… but hand-generated passwords that abide by the XKCD theory of password entropy. Still, $12 a year – I do far too many things on my Android to be able to survive without supporting it, and they only offer mobile support through their "premium" plan – is a small price to pay for some pretty hardcore security; the encryption they use for the information they store on their servers and your local computers is, well, absurd. In fact, the more I read about it, the more I am inclined to at least give it a shot…
Additionally, I would strongly recommend creating and maintaining backups of your weblog. WordPress can supposedly do this internally, but I have never been able to successfully execute the onboard script and download the file due to either the backup generator or the download command timing out; instead, I have been experimenting with UpdraftPlus, which backs up your database, plugins, themes, and uploads (but only uploads in the WordPress-created upload directory), and then pushes them to a Dropbox, Google Drive, or a file on your own server for you to download. Better, it can do all of this on a schedule, so you can pretty much set-and-forget.
The plugin is free (you can buy a full version that unlocks some additional functionality – the free version works fine as is, though), so there are no guarantees, but it seems to work just fine on my notoriously persnickety host (so persnickety that their SQL admin panel cannot reliably create, save, and allow me to download an export of a <100MB database… go figure).
In parallel with the database backup, though, I would strongly recommend running a plugin like Better WP Security as well; this plugin watches for things like people attempting to brute-force your blog’s usernames, or repeatedly load bad pages (apparently this can be exploited in some way I do not fully comprehend), and then blocks those IPs. Obviously, the hackers can spoof IPs, but this cuts down on the attempts, even a little bit.
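To make the idea concrete, here is an added sketch (not Better WP Security's code) of the kind of check such a plugin performs: count login POSTs and 404s per IP inside a sliding window and flag the IPs that exceed a limit. The combined log format, the five-minute window, the limits, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields needed from a combined-format access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

WINDOW = timedelta(minutes=5)              # assumed window, not the plugin's default
LIMITS = {"login": 5, "not_found": 10}     # assumed per-window limits

def classify(method, path, status):
    """Name the rule a request counts toward, or None for ordinary traffic."""
    if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
        return "login"
    return "not_found" if status == 404 else None

def find_offenders(lines):
    """Return {ip: {rules exceeded}} using a per-IP sliding time window."""
    recent = defaultdict(deque)            # (ip, rule) -> timestamps inside window
    offenders = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        rule = m and classify(m["method"], m["path"], int(m["status"]))
        if not rule:
            continue                       # malformed line or ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[(m["ip"], rule)]
        q.append(ts)
        while ts - q[0] > WINDOW:          # forget events older than the window
            q.popleft()
        if len(q) > LIMITS[rule]:
            offenders[m["ip"]].add(rule)
    return dict(offenders)

def sample_log():
    """Constructed log lines (documentation-range IPs), not real traffic."""
    def row(ip, mm, ss, req, status):
        return f'{ip} - - [10/Mar/2014:12:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {status} 512'
    rows = [row("203.0.113.7", 0, i * 5, "POST /wp-login.php", 200) for i in range(8)]
    rows += [row("198.51.100.23", 1, i * 4, f"GET /old-{i}.php", 404) for i in range(12)]
    rows += [row("192.0.2.44", i * 10, 0, "POST /wp-login.php", 200) for i in range(6)]
    rows += [row("192.0.2.10", 2, 0, "GET /", 200), row("192.0.2.10", 2, 9, "GET /typo", 404)]
    return rows + ["garbage line"]

if __name__ == "__main__":
    for ip, rules in sorted(find_offenders(sample_log()).items()):
        print(f"block {ip}: exceeded {sorted(rules)}")
```

In the sample, the address that makes six login attempts ten minutes apart is not flagged, which shows why the window length matters as much as the count.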
Yeah, all this sounds like a lot of work, but it beats the pants off losing over seven years’ worth of work (in my case). Think about it.