Hackers Target WordPress Sites: Change Your Passwords Now

By: Katy Ryan Schamberger
April 13, 2013

Although it’s always a good idea to regularly change your passwords, it’s an especially smart idea in light of news that WordPress is under a significant attack. The brute-force, dictionary-based attack is an attempt to guess the passwords of the “admin” accounts that WordPress creates by default, according to TechCrunch.

HostGator, which, along with CloudFlare, first broke news of the attack, believes that about 90,000 IP addresses are currently involved.

“As for the scope of the attack, [CloudFlare CEO Matthew] Prince says that CloudFlare saw attacks on virtually every WordPress site on its network.”

How To Protect Your WordPress Site From Attack

There are several things you can do to help protect your WordPress site from the attack—and we recommend doing them immediately.

Change Your Password

Even if you’ve recently changed your password, change it again—and, please, make it difficult. Use random letters, numbers and symbols to create a combination that’s hard to guess or hack.

Change Your User Name

This attack is specifically targeting accounts with the “admin” user name, so if you haven’t changed this default setting, do it now. Change it to your name, your company’s name—anything other than admin will add an extra layer of protection to your site.

Install A Plugin

Want to add an additional layer of security to your site or blog? Consider installing a WordPress plugin that limits the number of login attempts from the same IP address or network. This isn’t a foolproof method—as TechCrunch points out, many hackers have a large number of IP addresses and/or networks at their disposal. Still, when it comes to security, you can never have too much—and if a plugin gives you some additional peace of mind, we say go for it.
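The kind of plugin described above can be quite small. The following is an added example written for this page, not code from the original article or from any published plugin: it counts failed logins per source address using WordPress transients and refuses further logins from that address once a threshold is reached. The thresholds (5 failures, 15 minutes), the `lal_` prefix and the error code are assumptions chosen for the example; `wp_login_failed`, `authenticate`, `wp_login`, the transient functions and `MINUTE_IN_SECONDS` are real WordPress APIs.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
Description: Locks out a source address after repeated failed logins. Illustrative code, not a published plugin.
*/

// Hypothetical thresholds: 5 failures inside 15 minutes lock the address for 15 minutes.
define('LAL_MAX_FAILURES', 5);
define('LAL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS);

// REMOTE_ADDR is the address the web server itself saw. Headers such as
// X-Forwarded-For are client-supplied and must not be trusted unless a
// known proxy in front of the site sets them.
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per address; the transient's expiry doubles as the lockout timer.
function lal_key($ip) {
    return 'lal_failures_' . md5($ip);
}

// Count every failed login against the address it came from.
add_action('wp_login_failed', function ($username) {
    $key = lal_key(lal_client_ip());
    $failures = (int) get_transient($key);   // false (no record) casts to 0
    set_transient($key, $failures + 1, LAL_WINDOW_SECONDS);
});

// Runs after WordPress's own password check (which hooks at priority 20). Once an
// address is over the limit the result is replaced with an error whether or not the
// password was right, so a locked-out client learns nothing from the response.
add_filter('authenticate', function ($user, $username, $password) {
    $failures = (int) get_transient(lal_key(lal_client_ip()));
    if ($failures >= LAL_MAX_FAILURES) {
        return new WP_Error(
            'lal_too_many_attempts',
            sprintf('Too many failed login attempts from your address. Try again in %d minutes.',
                    LAL_WINDOW_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so one mistyped password is not held against the user.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_key(lal_client_ip()));
}, 10, 2);
```

Two properties of this design are worth noting. Because `wp_login_failed` also fires when the filter above rejects a locked-out request, every blocked attempt refreshes the transient and extends the lockout for as long as the client keeps trying. And because the counter is keyed on the source address, an attack spread across tens of thousands of addresses can stay below the threshold on every one of them, which is exactly the limitation TechCrunch points out; the limiter slows a single machine down but does not replace a strong password and a non-default user name.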

We recommend taking these steps as soon as you can. This initial attack may be stopped at any time, but a scary prediction from the CloudFlare team indicates that this may only be a precursor to a larger event.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

We’ll be sure to keep you updated on the attack. In the meantime, go change your password and user name…now!

Image: CarbonNYC via Compfight cc

  • Graybaby

    My WordPress installation doesn’t allow me to change user names. I can obviously create new Admin accounts, but what happens if I delete an existing one I’ve used for posts, etc.?

  • ShellyKramer

    The workaround I’ve seen from others is to create a new admin account (and name it something other than “admin”) with a really great password, then go back and delete the old admin account. If that doesn’t work, set a super duper password with both letters, cap and lower case, numbers and symbols in it and don’t make it the same as other passwords.

  • Set up a new user account with a strong name and password like ShellyKramer suggests, and then make sure you set the new user privileges to administrator. Then log out, and log in with the new user information. Delete the old user account (admin), and it will ask you if you want to delete the posts associated with that user or attribute them to a different user, just click your new user account. Hope that helps. 🙂

  • ShellyKramer

    Thanks Audra :))

  • Thank you so much for posting this. I did the admin workaround that you suggested. Worked like a charm – one thing I would say – is make sure you update your profile with your Google+ details for author rank!

  • Dear Shelly,

    Thank you for the post, and by reading through the comments here I learned how to get around WordPress not allowing you to change your username. I am primarily the only one who posts on my blog. I’ve had less than five guest posts so the posts are attributed to me. What can I do before I delete the admin username so that the posts are transferred over to my new username? Thanks! Avil

  • Thanks, Katy (and Shelly). I run a bunch of personal and client sites via WP and never knew how to change the admin handle. My passwords, however … crazy complex they are. My developers hate me for this alone, I think.

  • Hello Shelly,

    Thanks for the updates. I already did everything you mentioned in your post. And one thing that I’d like to add is we should take daily backups in case something bad happens; after all, it’s better to be safe than sorry. 🙂

    Anyways, thanks for the nice read. 🙂
