WordPress Under Attack
As has been frequently reported over the last two weeks, WordPress sites the world over are under constant attack from a massive botnet. The attack was originally brought to light by hosting company HostGator and is believed to be made up of over 90,000 unique IP addresses. Botnets, networks of compromised computer systems controlled by hackers and spammers, have been mainly made up of individual computers in the past. This attack is specifically directed at websites on the popular WordPress blogging platform.
This is likely because of WordPress’ ubiquity: it is estimated that one of every six sites on the Internet runs on WordPress. When a WordPress site is compromised, the hacker then has control of a server with increased bandwidth and processing capability compared to a normal consumer-grade computer and internet connection.
Brute-Force Password Attempts
If there is a bright side to the matter, it is that the attack method is a very low-tech compromise strategy called a brute-force password attack. The botnet looks for the WordPress server’s login page and attempts to log in with the default ‘admin’ account. For the password, the botnet tries a list of common or simple passwords, hundreds or thousands of times, working through the list one password at a time.
Because of the number of IP addresses under the control of the botnet, it’s not possible to simply block one IP range or hosting network: the attack will seem to come from India one minute, then Kazakhstan, and then China. The only option to defend against this attack is to disable the ‘admin’ account, so that no amount of password guessing will let the attackers into the WordPress back-end.
How to Secure Your WordPress Site
Luckily, you can change your account from the default ‘admin’ to another administrator account in less than five minutes and with no loss of data. Here’s how:
First, log in to your WordPress site with an administrator account (probably your default ‘admin’ account). Next, hover over the ‘Users’ tab on your dashboard and select ‘Add New’.
Then, pick a new account name (like first initial, last name) and fill in the same information for this new account that you have on your admin account (signature, settings, etc.). You do have to use a different email address from your admin account email, but you can change this back later.
Once you save your new account, log out of the admin account and log in with your new account. Then, return to the ‘Users’ page and delete your admin account. WordPress will show a page asking which user admin’s posts should be attributed to – BE SURE to attribute the posts to your new account, or you will lose your posts!
Once you confirm the account deletion, you are all set! You’ve removed the admin account and your WordPress site is now much more secure than before. Users with WordFence Firewall for WordPress can see the unauthorized login attempts from the ‘Logins and Logouts’ tab on their Live Traffic view.
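If you do not run Wordfence, the same login attempts are visible in the web server’s access log. The script below is an added example, not part of the original post or of WordPress itself; it assumes Apache/nginx combined log format and that a failed WordPress login is a POST to /wp-login.php answered with 200 while a successful one is answered with a 302 redirect. It counts attempts per source address, flags the many-sources-few-guesses-each pattern described above (the reason IP blocking does not help), and lists any address that eventually logged in after failing.

```python
"""Spot the distributed wp-login.php brute force the article describes in a web
server access log. Assumptions (mine, not the article's): combined log format; a
failed login is a POST to /wp-login.php answered 200, a success is answered 302."""
import re
from collections import Counter

# ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: a couple of guesses each from several addresses (a real run
# has thousands of sources), one normal page view, and one login that succeeds.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:04 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def login_attempts(log_text):
    """Count wp-login.php POSTs per source IP, split into failed and successful."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        (succeeded if m["status"] == "302" else failed)[m["ip"]] += 1
    return failed, succeeded

def summarize(failed, succeeded, min_sources=3, max_per_source=5):
    """Flag the article's pattern: many sources, each sending only a handful of
    guesses, so blocking one IP or range would not help. Also list addresses that
    logged in after failing, the sign that a guess eventually worked."""
    return {
        "failed_total": sum(failed.values()),
        "sources": len(failed),
        "distributed": len(failed) >= min_sources
        and max(failed.values(), default=0) <= max_per_source,
        "success_after_failure": sorted(ip for ip in succeeded if ip in failed),
    }

if __name__ == "__main__":
    failed, ok = login_attempts(SAMPLE_LOG)
    print(summarize(failed, ok))
```

Against a real log, pipe `grep wp-login.php access.log` into `login_attempts` and lower the thresholds to match your site’s normal traffic; an address in `success_after_failure` is the one to investigate first.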