The founder of WordPress, Matt Mullenweg, has published a security alert on his site today about a massive botnet that is searching for WordPress installations which use admin as their login username.
The botnet is using over 90,000 IP addresses, so it can keep retrying the login with different passwords until it works out yours.
If you use a weak password of fewer than 10 characters together with the default username of admin, the botnet is searching for your site and has a very good chance of working out your login password. You are at more risk if your site is hosted with one of the large providers like Hostgator.
Avoid Being Hacked
Hostgator have reported on this recently and advised that you take action as follows:
- Learn how to change your WordPress login username.
- Change your password
- Create a full backup of all your files and website content (database)
- Install a security plugin that limits login attempts, or an all-in-one security plugin like Wordfence which also limits login attempts. This probably won’t help much with this botnet but may prevent others. See the note below.
- Update all your themes, plugins and core WordPress files.
These are simply five of the best ways to secure WordPress and avoid finding out that your site has been hacked and filled with malicious code.
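The five steps above, carried out from the command line with WP-CLI. This is an added example, not Hostgator's or WordPress.org's own script; it assumes WP-CLI is installed as `wp` and is run from the WordPress root, and it also applies the nickname/display-name tip given further down the post. With the default `DRY_RUN=1` it only prints what it would run; set `DRY_RUN=0` to execute.

```shell
#!/bin/sh
# Added example, not Hostgator's or WordPress.org's own script: the five steps
# from the post done with WP-CLI (assumed installed as `wp`, run from the
# WordPress root). DRY_RUN=1 (the default) only prints the commands it would
# run; DRY_RUN=0 executes them.
set -eu

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# The post's threshold: reject anything shorter than 10 characters.
password_ok() {
  [ "${#1}" -ge 10 ]
}

# Usage: harden_wordpress <new-login> <new-password> <email> [display-name] [backup-dir]
harden_wordpress() {
  new_login=$1; new_pass=$2; new_email=$3
  display_name=${4:-"Site Owner"}; backup_dir=${5:-./backups}
  stamp=$(date +%Y%m%d-%H%M%S)

  if [ "$new_login" = "admin" ]; then
    echo "refusing: the new login must not be 'admin'" >&2; return 1
  fi
  if ! password_ok "$new_pass"; then
    echo "refusing: password shorter than 10 characters" >&2; return 1
  fi

  # Step 3 first: back up the database and files before touching anything.
  run mkdir -p "$backup_dir"
  run wp db export "$backup_dir/db-$stamp.sql"
  run tar -czf "$backup_dir/files-$stamp.tar.gz" --exclude="$backup_dir" .

  # Steps 1 and 2: create a replacement administrator with the strong password,
  # then delete 'admin' and reassign its posts to the new account so nothing is lost.
  run wp user create "$new_login" "$new_email" --role=administrator --user_pass="$new_pass"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    new_id='<new-user-id>'   # placeholder; the real run looks the ID up below
  else
    new_id=$(wp user get "$new_login" --field=ID)
  fi
  run wp user delete admin --reassign="$new_id" --yes

  # Nickname / display-name tip from the post: show a name publicly, not the login.
  run wp user update "$new_login" --nickname="$display_name" --display_name="$display_name"

  # Step 4: a login-limiting plugin (Wordfence is the one the post names).
  run wp plugin install wordfence --activate

  # Step 5: update core, plugins and themes.
  run wp core update
  run wp plugin update --all
  run wp theme update --all
}
```

Run it as `DRY_RUN=1 sh harden.sh` first and read the plan. For a real run, prefer WP-CLI's `--prompt=user_pass` on the `wp user create` line over passing the password as an argument, so it does not show up in shell history or process listings. The order matters: the backup is taken before the admin account is removed, so a mistake in the later steps is recoverable.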
Note: Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours). Source: Matt Mullenweg.
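Why the note holds, shown on constructed data. This is an added example, not code from the post, from Matt Mullenweg or from any plugin: a per-IP limiter counts failures per source address, so a botnet spreading its guesses over tens of thousands of addresses stays under any per-IP threshold, while counting failures per target account (and the number of distinct addresses behind them) makes the same attack obvious and tells you whether the account under attack is `admin`. The log format is an assumption, modelled on a typical security-plugin failed-login record, and the log lines are generated by the example itself.

```python
"""Added example, not code from the post or from WordPress.org: per-IP throttling
versus per-account counting against a distributed brute force.
Assumed (constructed) record format:  <iso-timestamp> FAILED user=<login> ip=<address>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed record format, constructed for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_failures(lines):
    """Return (timestamp, username, ip) for every failed-login line; skip anything else."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            failures.append((m["ts"], m["user"], m["ip"]))
    return failures


def per_ip_lockouts(failures, threshold=5):
    """What a per-IP limiter sees: the set of addresses with at least `threshold` failures."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def per_account_alerts(failures, threshold=20):
    """Failures per target login, with the number of distinct source addresses.
    Returns {login: (failures, distinct_ips)} for logins at or above `threshold`."""
    counts = Counter(user for _, user, _ in failures)
    sources = defaultdict(set)
    for _, user, ip in failures:
        sources[user].add(ip)
    return {u: (n, len(sources[u])) for u, n in counts.items() if n >= threshold}


def build_sample_log(n_bots=300, attempts_per_bot=3):
    """Constructed log: each bot address tries the 'admin' login a few times, well
    below a per-IP threshold, while one real user mistypes their password twice."""
    start = datetime(2013, 4, 12, 10, 0, 0)
    lines = []
    k = 0
    for i in range(n_bots):
        ip = f"10.{i // 256}.{i % 256}.1"  # distinct constructed address per bot
        for _ in range(attempts_per_bot):
            ts = (start + timedelta(seconds=k)).isoformat()
            lines.append(f"{ts} FAILED user=admin ip={ip}")
            k += 1
    for _ in range(2):
        ts = (start + timedelta(seconds=k)).isoformat()
        lines.append(f"{ts} FAILED user=editor ip=192.0.2.10")
        k += 1
    lines.append("2013-04-12T10:30:00 OK user=editor ip=192.0.2.10")  # not a failure; ignored
    return lines


if __name__ == "__main__":
    failures = parse_failures(build_sample_log())
    print(f"{len(failures)} failed logins")
    print("per-IP lockouts (threshold 5):", per_ip_lockouts(failures) or "none")
    for user, (n, ips) in per_account_alerts(failures).items():
        print(f"account {user!r}: {n} failures from {ips} distinct addresses")
```

With 300 addresses making three guesses each, the per-IP view locks nothing out at a threshold of 5, and lowering the threshold to 3 only locks the 300 addresses already used, which the botnet simply replaces. The per-account view reports 900 failures against `admin` from 300 addresses, which is the signal you want: it tells you the default username is still active and being hunted, and that the password, not the source address, is what needs changing.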
Add Nickname & Hide Username
Another good idea is to add a nickname in the name section of your user profile and choose it as the name displayed publicly, rather than your username, so that your login name is not shown on your posts.
Think you’re safe?
Read about the 30,000 sites which were hacked and lost with NO chance of recovery.
The hackers also deleted all the backups stored on the web hosts backup servers.
I’m not suggesting you need to move your site to a more secure server but be aware of what can happen and how to prevent it from happening.
Personally, I take a full backup daily and store it away from my server, even though my host takes full daily backups and offers one-click backup and restore as well as built-in limit login attempts.
This week I have already cleaned up a client’s website even though they used a strong password and didn’t use admin as their username. They also had a well-known security plugin installed, but it seems they hadn’t updated some of their plugins, and their wp-login.php file was hacked with redirects.