WordPress Security Alert: Worldwide Brute-Force Attack on WordPress sites

This has been an interesting week in WordPress security. First, a popular social media plugin was discovered to have malicious code in it. Now, there is a worldwide brute force attack on WordPress sites.

A brute force attack is when hackers, or more likely, hacker bots, try to guess your password over and over and over again. If you are using one of the most common passwords, then your site is easy prey. There are a few simple steps that you can take to make your site more secure:

  • Don’t use ‘admin’ as your login name – if your site was set up with admin as the login name, you might have been told that you can’t change it. While this is not exactly correct, the methods to change it do stray into the techie realm. Here’s a simple way for you to lose the admin login.
    • I ALWAYS recommend making a backup before you do any work on your site – especially something like this. If you have backup software, use it now!
    • Create a new Administrator Login. Go to Users > Add New. You will need a second email address for this new user, as each email address can only be used one time on each WordPress site. When making your password, use a tough one – more than 8 characters, using both upper and lower case letters, numbers, and symbols. Yes, hard passwords are harder to remember. But they are also more difficult to compromise using a brute force attack.
    • Log out of WordPress and log back in as the new Administrator user. Go to Users > All Users and hover over your old ‘admin’ username and click delete. This is the point of no return – did you make your backup?
    • You will be asked what you want to do with posts created by ‘admin’ – choose the option to attribute all posts to your new Administrator account and click Confirm Deletion.
    • Ta-da! Your ‘admin’ account can’t be used to compromise your site.
  • A slightly less drastic option is to just change ‘admin’ to a Subscriber instead of an Administrator. Follow the steps above, but instead of deleting the ‘admin’ account, click on Edit and change the Role to Subscriber. With this option, there’s no danger of losing the posts and pages.
  • Use a plugin like Login Lockdown to prevent unlimited attempts to guess your password. Most often, once the site has been locked down, the hackers will move on to other sites.
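As an added example (not from the original post, and not the Login Lockdown plugin's own code), here is the kind of lockout rule such a plugin applies, written in Python over constructed web-server log lines so it can be run offline: repeated failed POSTs to wp-login.php from one address within a short window trip a lockout, and a successful login from an address that was already locked out is flagged for the site owner to review. The thresholds, sample addresses and the assumption that a failed WordPress login returns HTTP 200 while a success redirects with 302 are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.2 - - [12/Apr/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, timestamp, failed, success) for a wp-login.php POST, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    status = int(m["status"])
    # Assumption: WordPress re-renders the form (200) on a bad password
    # and redirects to the dashboard (302) on success.
    return m["ip"], ts, status == 200, status == 302


def find_lockouts(log_text, max_attempts=5, window=timedelta(minutes=5)):
    """Sliding-window lockout: max_attempts failures within `window` locks an IP."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}                     # ip -> time the threshold was crossed
    suspicious = []                 # ips that logged in successfully after lockout
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, failed, success = parsed
        if success and ip in locked:
            suspicious.append(ip)   # a guessed password got through: rotate it
        if not failed:
            continue
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= max_attempts and ip not in locked:
            locked[ip] = ts
    return locked, suspicious
```

Run against a real access log, an address that appears in `suspicious` means the lockout came too late and that account's password should be changed.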

Even with security and hardening measures, your site could still be compromised. No site security is infallible or bulletproof. Given that, your second safeguard is a reliable backup of your site that can restore it to its current brilliance if your site does get hacked.

If you need help locking down your site or making a reliable backup of your site, beyond the office can help you. We offer a Vulnerability Assessment that checks your site and WordPress installation for common areas that can be exploited and fixes those issues if present. As part of this Assessment, we will also create a reliable backup of your site for you, in case it needs to be restored.
