WordPress Under Attack
As has been frequently reported over the last two weeks, WordPress sites the world over are under constant attack from a massive botnet. The attack was originally brought to light by hosting company HostGator and is believed to be made up of over 90,000 unique IP addresses. Botnets, networks of compromised computer systems controlled by hackers and spammers, have been mainly made up of individual computers in the past. This attack is specifically directed at websites on the popular WordPress blogging platform.
This is likely because of WordPress’ ubiquity: it is estimated that one of every six sites on the Internet runs on WordPress. When a WordPress site is compromised, the hacker then has control of a server with increased bandwidth and processing capability compared to a normal consumer-grade computer and internet connection.
Brute-Force Password Attempts
If there is a bright side to the matter, it is that the attack method is a very low-tech compromise strategy called a brute-force password attack. The botnet locates the WordPress site’s login page and attempts to log in with the default ‘admin’ account, cycling through a list of common or simple passwords. It does so hundreds or thousands of times, one password after another, until a guess succeeds or the list is exhausted.
Because of the number of IP addresses controlled by the botnet, it’s not possible to simply block one IP range or hosting network – the attack will seem to come from India one minute, then Kazakhstan, and then China. The only option to defend against this attack is to disable the ‘admin’ account, so that no number of password attempts will let the attackers into the WordPress back-end.
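The attack pattern described above (many source addresses, one login form, one account name) is visible in an ordinary web server access log. The script below is an added example, not part of the original post: it counts POST requests to wp-login.php per client address and reports whether the attempts come from one noisy host or from many, which is the distinguishing mark of the distributed botnet and the reason per-IP blocking does not help. The log lines are constructed for the example, and the two thresholds (3 distinct addresses, 5 attempts) are assumptions to tune for a real site.

```shell
#!/bin/sh
# Added example (not from the original post): spot a distributed brute-force
# login run in a web server access log (common/combined log format).
# Rule: count POST requests to /wp-login.php per client IP, then report how
# many distinct IPs took part and how many attempts there were in total.

LOG_FILE="${LOG_FILE:-$(mktemp)}"

# write_sample_log: constructed log lines. Four addresses POST to wp-login.php
# a few times each; the GET requests are normal traffic and must be ignored.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [15/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.10 - - [15/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [15/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.44 - - [15/Apr/2013:10:01:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 14211
198.51.100.7 - - [15/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.99 - - [15/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.44 - - [15/Apr/2013:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
198.51.100.200 - - [15/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.10 - - [15/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
EOF
}

# login_posts_per_ip: "<count> <ip>" lines, busiest address first.
# Field 6 is the quoted method ("POST) and field 7 the request path.
login_posts_per_ip() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# distinct_login_sources: how many distinct IPs POSTed to wp-login.php.
distinct_login_sources() {
  login_posts_per_ip "$1" | wc -l | tr -d ' '
}

# total_login_posts: total number of POSTs to wp-login.php.
total_login_posts() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" { n++ } END { print n+0 }' "$1"
}

# verdict: "distributed" when the attempts exceed the attempt threshold AND
# come from at least ip_threshold distinct addresses; "single-source" when one
# or two hosts account for the volume; "normal" otherwise. Thresholds are
# assumptions for this example.
verdict() {
  log="$1"; ip_threshold="${2:-3}"; attempt_threshold="${3:-5}"
  ips=$(distinct_login_sources "$log")
  posts=$(total_login_posts "$log")
  if [ "$ips" -ge "$ip_threshold" ] && [ "$posts" -ge "$attempt_threshold" ]; then
    echo "distributed"
  elif [ "$posts" -ge "$attempt_threshold" ]; then
    echo "single-source"
  else
    echo "normal"
  fi
}

write_sample_log "$LOG_FILE"
echo "POST /wp-login.php attempts per IP:"
login_posts_per_ip "$LOG_FILE"
echo "distinct sources: $(distinct_login_sources "$LOG_FILE"), total attempts: $(total_login_posts "$LOG_FILE")"
echo "verdict: $(verdict "$LOG_FILE")"
```

Point the script at a real log with `LOG_FILE=/var/log/apache2/access.log sh detect.sh` (remove the `write_sample_log` call first); on a busy site the same check should be run over a sliding time window rather than the whole file, which is what plugins such as WordFence do for you.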
How to Secure Your WordPress Site
Luckily, you can change your account from the default ‘admin’ to another administrator account in less than five minutes and with no loss of data. Here’s how:
First, log in to your WordPress site with an administrator account (probably your default ‘admin’ account). Next, hover over the ‘Users’ tab on your dashboard. Then, select ‘Add New’.
Then, pick a new account name (like first initial, last name) and fill in the same information for this new account that you have on your admin account (signature, settings, etc.). You do have to use a different email address from your admin account email, but you can change this back later.
Once you save your new account, log out of the admin account and log in with your new account. Then, return to the ‘Users’ page and delete your admin account. WordPress will show a page asking which user admin’s posts should be attributed to – BE SURE to attribute the posts to your new account or you will lose your posts!
Once you confirm the account deletion, you are all set! You’ve removed the admin account and your WordPress site is now much more secure than before. Users with WordFence Firewall for WordPress can see the unauthorized login attempts from the ‘Logins and Logouts’ tab on their Live Traffic view.
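The same three steps (create a replacement administrator, reassign admin’s posts, delete admin) can be scripted for anyone who manages several sites from the command line. The script below is an added example, not part of the original post, and uses the WP-CLI tool rather than the dashboard; it assumes WP-CLI (`wp`) is installed and that it is run from the WordPress root. The input checks enforce the two constraints the article states: the new login must not be ‘admin’, and the new e-mail must differ from the admin account’s. The minimum password length and the allowed login characters are this script’s own choices, not WordPress rules.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default 'admin'
# account with a new administrator using WP-CLI, mirroring the dashboard steps.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
# Usage: NEW_PASS='<long passphrase>' sh replace-admin.sh <new-login> <new-email>

# validate_new_account <login> <email> <admin-email> <password>
# Refuses a login of 'admin' (the whole point of the exercise), an e-mail equal
# to the existing admin account's (WordPress rejects duplicate e-mails), and a
# short password (the botnet works from a list of short, common passwords).
# The 12-character minimum and the login character set are this script's rules.
validate_new_account() {
  new_login="$1"; new_email="$2"; admin_email="$3"; new_pass="$4"
  case "$new_login" in
    "" )                echo "error: new login is empty" >&2; return 1 ;;
    admin )             echo "error: new login must not be 'admin'" >&2; return 1 ;;
    *[!A-Za-z0-9_.-]* ) echo "error: login has unsupported characters" >&2; return 1 ;;
  esac
  if [ -z "$new_email" ] || [ "$new_email" = "$admin_email" ]; then
    echo "error: new e-mail must be set and differ from the admin account's" >&2
    return 1
  fi
  if [ "${#new_pass}" -lt 12 ]; then
    echo "error: password must be at least 12 characters" >&2
    return 1
  fi
  return 0
}

# replace_admin_account <login> <email> <password>
# 1. create the new administrator (--porcelain prints only the new user ID)
# 2. delete 'admin', moving its posts to the new ID (the --reassign step that
#    the dashboard prompts for; without it the posts are lost)
# 3. list the remaining administrators so the result can be checked
replace_admin_account() {
  new_login="$1"; new_email="$2"; new_pass="$3"
  admin_email=$(wp user get admin --field=user_email) || {
    echo "no 'admin' account found; nothing to do" >&2; return 1; }
  validate_new_account "$new_login" "$new_email" "$admin_email" "$new_pass" || return 1
  new_id=$(wp user create "$new_login" "$new_email" \
             --role=administrator --user_pass="$new_pass" --porcelain) || return 1
  wp user delete admin --reassign="$new_id" --yes || return 1
  echo "remaining administrators:"
  wp user list --role=administrator --fields=ID,user_login,user_email
}

# Run only when invoked with both arguments; the functions above can also be
# sourced and called individually.
if [ "$#" -eq 2 ]; then
  if [ -z "${NEW_PASS:-}" ]; then
    echo "error: set NEW_PASS in the environment (not on the command line)" >&2
    exit 1
  fi
  replace_admin_account "$1" "$2" "$NEW_PASS"
fi
```

The password is taken from the environment rather than a positional argument so it does not land in shell history; note that it is still briefly visible in the process list while `wp user create` runs, so on a shared host prefer to log in afterwards and change it from the dashboard.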
Matt is a technology enthusiast and SEO consultant living outside of Atlanta, GA. He is the owner of several WordPress sites, including LaserJammer.net.
17 Comments
Sudipto
April 23, 2013 at 8:32 am
Hey Matt,
Nice post, and thanks for sharing this important post with us. Yes, these days hacking is a common thing and we have to do something to protect our accounts from hacking. I really like the ideas mentioned by you above and will surely implement them on my account.
Matt Gonglach
April 23, 2013 at 2:11 pm
Thanks, Sudipto – once I saw the first distributed attack on one of my blogs, I knew that I needed to disable the admin account on all of my WordPress blogs.
Rohit
April 23, 2013 at 9:37 am
I think the remedy to this is making two admin accounts and setting the password recovery email…
Matt Gonglach
April 23, 2013 at 2:14 pm
Rohit – yes, that’s the short version of the article, really! You do want to make sure that the ‘admin’ account is totally deleted, however. You want to ensure that a brute force attempt won’t work whatsoever. Also, WordFence can lock out IPs attempting to log in to a non-existent account.
Anamika
April 23, 2013 at 10:05 am
Thanks for this great information, Matt. Recently I have seen many blogger friends lose their WordPress accounts due to the hackers’ attack on WordPress, and they suffered a lot because of this.
Matt Gonglach
April 23, 2013 at 2:15 pm
You’re welcome! I hope your friends had backups at least… WordPress Backup to Dropbox has saved me hours of frustration on other matters.
Frank Cern
April 23, 2013 at 6:18 pm
Wow, these hackers are getting more serious every day. I’ll have to double check my WordPress site on a continuous basis now.
Danilo
April 26, 2013 at 2:51 pm
An interesting way to increase WordPress security is to deny access to /wp-admin to every IP address except home/office ones!
Shalin
May 2, 2013 at 7:08 am
Is this necessary to do immediately? I have an admin account on my blog as well as a few guest posters. Since security is more crucial, it is a good move to remove the administrator account. What will happen to the posts I made from that account? Very good informative post, got me a bit worried!
Joseph Admin2
May 2, 2013 at 12:43 pm
What you have to do is create another administrator account with a new username. Then delete the ‘admin’ account and attribute all the posts to the new administrator account.
Shalin
May 3, 2013 at 5:11 am
Thanks a lot, Joseph
Mahendra
May 4, 2013 at 7:29 am
Yes, security is the first thing that comes to mind after opening a WordPress blog or site. This is obvious too. Thanks for these nice tips for enhancing one’s WordPress site security. Thanks for sharing these valuable tips.
Ryan
May 6, 2013 at 3:57 am
Thanks for this really timely post. Been developing some new websites and will be sure to follow this advice for each. I can’t imagine what would happen….oh jeez! Thank you!
amit tiwari
May 9, 2013 at 1:46 pm
Hacking of the WordPress account is certainly a problem these days. Our years of hard work on the website can be washed away in just a few minutes. Thanks for sharing this informative post about the threat and providing the remedy. We must have the other account with a strong password to save our site or blog.
Greg
May 16, 2013 at 3:31 pm
Have you seen a recent increase in SQL injection attacks? We’ve had reports of a disproportionate amount of them. Wonder if it’s a secondary effect of this WordPress hacknet. Regards
Mike
May 20, 2013 at 12:45 am
Great tips for WordPress users. Especially creating the new account and deleting the admin one.
Matt
June 6, 2013 at 1:53 am
Hackers just won’t quit! 🙁 Thanks for the tips!