How to Protect Your Site from the WordPress Hacknet


WordPress Under Attack

As has been frequently reported over the last two weeks, WordPress sites the world over are under constant attack from a massive botnet. The attack was originally brought to light by hosting company HostGator and is believed to be made up of over 90,000 unique IP addresses. Botnets, networks of compromised computer systems controlled by hackers and spammers, have been mainly made up of individual computers in the past. This attack is specifically directed at websites on the popular WordPress blogging platform.

This is likely because of WordPress’ ubiquity: it is estimated that one of every six sites on the Internet runs on WordPress. When a WordPress site is compromised, the hacker then has control of a server with increased bandwidth and processing capability compared to a normal consumer-grade computer and internet connection.

Brute-Force Password Attempts

If there is a bright side to the matter, it is that the attack method is a very low-tech compromise strategy called a brute-force password attack. The botnet looks for the WordPress server’s login page and attempts to login with the default ‘admin’ account. For the password, the botnet attempts to use a list of common or simple passwords. It does so hundreds or thousands of times, simply running through a list of passwords.

Because of the number of IP addresses under control by the hack network, it’s not possible to simply block one IP range or hosting network – the attack will simply seem to come from India one minute, then Kazakhstan, and then China. The only option to defend against this attack is simply to disable the ‘admin’ account to ensure that no amount of password attempts will let the hackers in to the WordPress back-end.

How to Secure Your WordPress Site

Luckily, you can change your account from the default ‘admin’ to another administrator account in less than five minutes and with no loss of data. Here’s how:

First, login to your WordPress site with an administrator account (probably your default ‘admin’) account. Next, hover over the ‘Users’ tab on your dashboard. Then, select ‘Add New’.

Then, pick a new account name (like first initial, last name) and fill in the same information for this new account that you have on your admin account (signature, settings, etc.). You do have to use a different email address from your admin account email, but you can change this back later.

Once you save your new account, log out of the admin account and log in with your new account. Then, return to the ‘Users’ page and delete your admin account. It will pop up a page asking who you should attribute admin’s posts to – BE SURE to attribute the posts to you new account or you will lose your posts!

Once you confirm the account delete, you are all set! You’ve removed the admin account and your WordPress site is now much more secure than before. Users with WordFence Firewall for WordPress can see the unauthorized login attempts from the ‘Logins and Logouts’ tab on their Live Traffic view.

Be the FIRST to Know - Join Our Mailing List!

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Previous ArticleNext Article
is a technology enthusiast and SEO consultant living outside of Atlanta, GA. He is the owner of several Wordpress sites, including LaserJammer.net.


  1. Hey Matt,
    Nice post and Thanks for sharing these important post with us. Yes, this time hacking is a common thing and we have to do something for protecting our account from hacking. I really like the ideas mentioned by you above and surely implement it on my account.

    1. Rohit – yes, that’s the short version of the article, really! You do want to make sure that the ‘admin’ account is totally deleted, however. You want to ensure that a brute force attempt won’t work whatsoever. Also, WordFence can lock out IPs attempting to login to a non-existent account.

  2. thanks for this great information Matt.., recentally i have seen many blogger friends have lost their WordPress account due to the hackers attack on WordPress, and they suffered a lot due to this..,

  3. Is this necessary to do immediately? I have an admin account in my blog as well as few guest posters. Since the security is more crucial it is a good move to remove the administrator account. What will happen to the posts I made from that account? Very good informative post, got me bit worried!

    1. What you have to do is create another administrator account with a new username. Then delete the ‘admin’ account and attribute all the posts to the new administrator account.

  4. Yes security is the first thing comes in mind after opening a WordPress blog or site. This is obvious too.Thanks for these nice tips for enhancing once WordPress site security.Thanks for sharing these valuable tips.

  5. Thanks for this really timely post. Been developing some new websites and will be sure to follow this advice for each. I can’t imagine what would happen….oh jeez! Thank you!

  6. Hacking of the wordpress account is certainly a problem these days. Our years of hard work on the website can wash away just in a few minutes. Thanks for sharing this informative post about the threat and providing the remedy. We must have the other account with a strong password to save our site or blog.

  7. Have you seen a recent increase in SQL injection attacks? We\’ve had reports of a disproportionate amount of them. Wonder if it\’s a secondary affect of this WordPress hacknet.Regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Send this to a friend