Brute-Force Attack Targets WordPress Sites With Default Admin Username

A day on the internet wouldn't be complete without news of a major hacking event. Today's unfortunate victim? WordPress. We're not talking about the organisation, but the great many blogs powered by the flexible content management system.

WordPress co-founder Matt Mullenweg today posted on his blog that an attack involving some 90,000 IP addresses is sweeping WordPress installations, trying to brute-force the password of the default "admin" account with a list of common passwords. He notes that users with blogs on WordPress.com can enable two-factor authentication, while everyone running WordPress should stop using an account named "admin" (create a new administrator account under a different name and delete the old one) and pick a strong password.

"Do this and you'll be ahead of 99% of sites out there and probably never have a problem," he states.

As noted by TechCrunch's Frederic Lardinois, the attack is likely being executed by a botnet of low-powered home PCs, and content delivery provider Cloudflare is concerned that the real goal is to compromise web servers, which have far more bandwidth than home PCs, and recruit them into a much more powerful botnet.

We've pointed out before that securing your WordPress site is not a complicated process, and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it's the perfect time) to double-check that your installations are up-to-date, that no account is still called "admin", that the administrator passwords are strong, and that you have some way of noticing (and ideally throttling) a flood of failed logins against wp-login.php.
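An attack like the one described above leaves a very recognisable trace in the web server's access log: one source address POSTing to wp-login.php over and over. The script below is an added example written for this page, not code from the article or from the WordPress project. It parses Apache combined-format log lines (the sample lines are constructed for illustration), flags any source address that sends at least a threshold number of login POSTs inside a five-minute window, and marks a burst as a possible success if the same address later receives a redirect. That last heuristic assumes stock WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful login answers with a 302 to wp-admin. The threshold, window and the `SAMPLE_LOG` contents are assumptions you should tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined"-format lines for illustration only; they are
# not from the article or from any real server. Three sources appear:
#   198.51.100.7 hammers wp-login.php and only ever gets the form back (200),
#   203.0.113.5 is a real user who mistypes once and then logs in (302),
#   192.0.2.44 guesses repeatedly and then gets a 302: that burst likely worked.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:15:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:20:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:20:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:42:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped by the parser
"""

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source that sent at least `threshold`
    POSTs to wp-login.php within any `window`-long span.

    `possible_success` is True when the source also received a 302 from
    wp-login.php: assumed stock WordPress behaviour is 200 (form re-rendered)
    on failure and 302 (redirect to wp-admin) on success."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of login POSTs inside any `window`.
        start, best = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "attempts": len(recs),
                "max_in_window": best,
                "possible_success": any(r["status"] == 302 for r in recs),
                "first": recs[0]["ts"],
                "last": recs[-1]["ts"],
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        flag = "POSSIBLE SUCCESS" if info["possible_success"] else "failed"
        print(f"{ip}: {info['attempts']} login POSTs "
              f"({info['max_in_window']} within window), {flag}")
```

Run against a real log with `find_login_bruteforce(open("/var/log/apache2/access.log").readlines())`; an address flagged with `possible_success` is the one to investigate first, because a burst followed by a redirect to wp-admin means the guessing stopped for a reason. The same per-IP counting is what login-limiting plugins and fail2ban jails do in real time; this script only shows you after the fact what they would have blocked.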

Passwords and brute force [Matt Mullenweg, via TechCrunch]


Comments

    But I can leave my password as "password1" still, right?

    Couldn't they just program it to force you to choose a password when installing WordPress?

      It's not the password that is the main problem. It's that most WordPress users leave their username as "admin" and don't limit login attempts. I manage a WordPress site and it's amazing how many emails I get notifying me of attempted login [fails].

        yeah, randomly generated username as well.

    If you run a WordPress site (or any other major CMS) you'll be getting brute force attacks regularly anyway (at least once a year), and if you've got a weak password and the default username it's just a matter of time before you're hacked.

    This might be news because it seems to be a large scale single attack but it's literally happening constantly.

    How is this even news... "Don't use the default auth details!" - SOMEONE CALL THE PRESIDENT, WE NEED TO GET HIM ACROSS THIS IMMEDIATELY!@#

    Except that WordPress literally says "Can't change usernames" when you look at someone's user details in the admin section.

    SOLID ADVICE MULLENWEG!

    6Scan’s WordPress plugin (http://wordpress.org/extend/plugins/6scan-protection/) has built-in protection against dictionary and brute force attacks as part of its “login security” feature.

    To ensure you are protected against almost any type of attack, make sure to run a free vulnerability scan on your WordPress site directly from 6scan.com, and fix any vulnerability found (6Scan offers manual fix instructions for vulnerabilities entirely free).

    Solve all your security problems with a single click. No expertise required!

    For more details, visit www.6scan.com
