Are you "admin" on your Wordpress?

If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.

Source: dynamicnet.net

Viewing the stats recently on one of my websites, I noticed several persistent attempts from one IP address to log into the site with the username ‘admin’. I don’t have a user named ‘admin’, so it caught my eye.

It’s recognized best practice on WordPress sites to delete and replace this default user with another administrative username for your site – and here’s why.

As I looked deeper into this login attempt I noticed it was from a location in The Netherlands, and it had been happening on a regular basis for several weeks. In the hacker world this is known as a Brute Force Attack: persistent attempts to log in to a known or likely username with a list of possible passwords.

So given that there are so many WordPress installations on the web, and that many installers don’t bother changing their username from ‘admin’, it’s a prime target. It’s likely that they start with some common, easy-to-remember passwords like password, pa$$word, admin, administrator and so on. Don’t laugh, I’ve seen many people securing their sites with these types of passwords. If these don’t work, the would-be hacker moves on to common dictionary words and, just like monkeys with typewriters, will eventually enter something that works, and bingo! They have control of your site.

Of course this is not done by someone sitting at a keyboard, working through a list and typing passwords into your site; automated routines, or ‘robots’, are dispatched to sites to cycle through thousands of combinations in a very short time.

In response to this I’ve installed a plug-in on all of my WordPress sites to log failed login attempts and lock out specific IP addresses after a defined number of failures. What surprised me is the prevalence of these attacks. EVERY WordPress site I own is being brute forced, mostly with the ‘admin’ username but also with some others, and I have a growing list of IP addresses that are being progressively locked out.
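To make the plug-in’s behaviour concrete, here is a small Python script, added as an illustration and not code from the original post or from any particular plug-in, that does the same job over a web server access log: it counts failed logins per IP inside a time window, “locks out” an IP once it reaches the threshold, and additionally flags any locked-out IP that later logs in successfully, since that means a guess worked. It assumes Apache/nginx “combined” log format and WordPress’s usual behaviour of answering a bad login with a 200 (the form is re-rendered) and a good one with a 302 redirect; the log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (an assumption about the server, not
# something the original post states).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],   # drop any query string
        "status": int(m.group("status")),
    }


def is_login_post(rec):
    """Only POSTs to wp-login.php are login attempts; GETs just fetch the form."""
    return rec["method"] == "POST" and rec["path"].endswith("/wp-login.php")


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Replay the log in order and return two dicts keyed by IP address:
    locked   -> time the IP reached `max_failures` failed logins inside `window`
    breached -> time a locked IP later logged in successfully (a guess worked)
    """
    recent_failures = defaultdict(list)
    locked, breached = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        ip, now = rec["ip"], rec["time"]
        if rec["status"] == 200:        # form re-rendered: bad credentials
            # keep only failures still inside the sliding window
            recent_failures[ip] = [t for t in recent_failures[ip] if now - t <= window]
            recent_failures[ip].append(now)
            if ip not in locked and len(recent_failures[ip]) >= max_failures:
                locked[ip] = now
        elif rec["status"] == 302:      # redirect to wp-admin: login succeeded
            if ip in locked and ip not in breached:
                breached[ip] = now
    return locked, breached


# Constructed sample lines using documentation IP ranges, not real attackers.
# 203.0.113.7 is a bot cycling passwords for 'admin'; 198.51.100.23 is a
# real user who mistypes twice and then gets in.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped by the parser',
    '203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2012:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    locked, breached = find_lockouts(SAMPLE_LOG)
    for ip, when in locked.items():
        print(f"LOCKOUT  {ip} at {when:%H:%M:%S}")
    for ip, when in breached.items():
        print(f"BREACHED {ip} logged in at {when:%H:%M:%S} after lockout")
```

Run as-is it reports the bot locked out at 13:55:40 and then breaching at 13:55:41, while the real user who fails twice is left alone. A breached entry is the one to act on first: that account’s password has been guessed, so it needs changing and the session needs ending, which is exactly the outcome deleting ‘admin’ and using a generated password is meant to prevent.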

If you have a WordPress site with an ‘admin’ username you will almost certainly be hacked – it’s just a matter of time.

Getting control of a site, even a small blog, is a valuable asset for hackers: it means they can install software that can be used for all kinds of purposes. You may not even know the software is installed. It may be intended to do harm to your content, or your site may be used as part of a ‘botnet’ for more sophisticated reasons.

Regardless of their motivation, you don’t want to be hacked and have to potentially rebuild or lose your site content.

So here’s my advice to WordPress site owners, as a minimum, to protect yourself from admin hacking:

  1. Create a new user account for yourself with Administrator privileges.
  2. Use an obscure password, preferably using a password generator but definitely without a dictionary word.
  3. Delete the default ‘admin’ user.
  4. If you have other users on your site with Administrator privileges, make sure they follow point 2.

Mobile Users

Another related security aspect is for people who work in mobile situations and have to log in through public wi-fi, or through hotel or similar non-home networks. It’s highly recommended that you create an alternative site login for yourself that does not have Administrator privileges. You don’t need to be an Admin to update your content, approve comments, create posts etc., so when you are away from home base, use a login with Editor or Author rights, NOT Admin!

Unless you have taken other precautions, interception of login details on publicly accessible networks is possible and does happen. If someone gets access to your site at Editor or Author level, their ability to do damage is severely limited compared to having Admin capabilities. You don’t always need to be Admin!

Don’t take my word for it; here are a couple of other articles on the subject:

The Official WordPress line on Security

Sucuri Blog

DNI