
Brute Force Attack Targets WordPress Sites With Default Admin Username

A day on the internet wouldn’t be complete without news of a major hacking event. Today’s unfortunate victim? WordPress. We’re not talking about the organisation, but the great many blogs powered by the flexible content management system.

WordPress co-founder Matt Mullenweg today posted on his blog that some 90,000 IP addresses hosting the software are being subjected to attacks focused on brute-forcing the password for the default “admin” account. He mentions that users with blogs on WordPress.com can enable two-factor authentication, while all users should rename the “admin” account.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” he states.

As noted by TechCrunch’s Frederic Lardinois, the attack is likely being executed by a network of low-powered home PCs — bots — with content delivery provider Cloudflare concerned it could be an attempt to recruit more powerful machines.

We’ve pointed out before that securing your WordPress site is not a complicated process, and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it’s the perfect time) to double-check that your installations are secure and up to date… and not using the admin account.

Passwords and brute force [Matt Mullenweg, via TechCrunch]
