Brute Force Attack Targets WordPress Sites With Default Admin Username

Brute Force Attack Targets WordPress Sites With Default Admin Username

A day on the internet wouldn’t be complete without news of a major hacking event. Today’s unfortunate victim? WordPress. We’re not talking about the organisation, but the great many blogs powered by the flexible content management system.

WordPress co-founder Matt Mullenweg today posted on his blog that some 90,000 IP addresses hosting the software are being subjected to attacks focused on brute-forcing the password for the default “admin” account. He mentions that users with blogs on can enable two-factor authentication, while all users should rename the “admin” account.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” he states.

As noted by TechCrunch’s Frederic Lardinois, the attack is likely being executed by a network of low-powered home PCs — bots — with content delivery provider Cloudflare concerned it could be an attempt to recruit more powerful machines.

We’ve pointed out before that securing your WordPress site is not a complicated process and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it’s the perfect time) to double-check that your installations are secure and up-to-date… and not using the admin account.

Passwords and brute force [Matt Mullenweg, via TechCrunch]


    • It’s not the password that is the main problem. It’s that most wordpress users leave their username as “admin” and don’t limit login attempts. I manage a wordpress site and it’s amazing how many emails i get notifying me of attempted login [fails].

  • If you run a wordpress site (or any other major CMS) you’ll be getting brute force attacks regularly anyway (at least once a year) and if you’ve got a weak password and the default username it’s just a matter of time before you’re hacked

    This might be news because it seems to be a large scale single attack but it’s literally happening constantly.

  • 6Scan’s WordPress plugin ( has built-in protection against dictionary and brute force attacks as part of its “login security” feature.

    To ensure you are protected against almost any type of attack, make sure to run a free vulnerability scan on your WordPress site directly from, and fix any vulnerability found (6Scan offers manual fix instructions for vulnerabilities entirely free).

    Solve all your security problems with a single click, No expertise required!

    For more details, visit

Show more comments

Log in to comment on this story!