Brute Force Attack Targets Wordpress Sites With Default Admin Username

A day on the internet wouldn't be complete without news of a major hacking event. Today's unfortunate victim? Wordpress. We're not talking about the organisation, but the great many blogs powered by the flexible content management system.

Wordpress co-founder Matt Mullenweg today posted on his blog that some 90,000 IP addresses hosting the software are being subjected to attacks focused on brute-forcing the password for the default "admin" account. He mentions that users with blogs on Wordpress.com can enable two-factor authentication, while all users should rename the "admin" account.

"Do this and you'll be ahead of 99% of sites out there and probably never have a problem," he states.

As noted by TechCrunch's Frederic Lardinois, the attack is likely being executed by a network of low-powered home PCs -- bots -- with content delivery provider Cloudflare concerned it could be an attempt to recruit more powerful machines.

We've pointed out before that securing your Wordpress site is not a complicated process and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it's the perfect time) to double-check that your installations are secure and up-to-date... and not using the admin account.

Passwords and brute force [Matt Mullenweg, via TechCrunch]


Comments

    But I can leave my password as "password1" still, right?

    Couldn't they just program it to force you to choose a password when installing wordpress?

      It's not the password that is the main problem. It's that most wordpress users leave their username as "admin" and don't limit login attempts. I manage a wordpress site and it's amazing how many emails I get notifying me of attempted login [fails].

        yeah, randomly generated username as well.
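The comment above mentions limiting login attempts and the notification e-mails that a brute-force run produces. A defender-side way to see the same pattern in a web server access log, as an added example that is not from the article or any commenter: count failed POSTs to wp-login.php per client IP inside a sliding time window and flag the IPs that cross a threshold. The log lines are constructed; the assumption that a failed WordPress login answers HTTP 200 (the form is re-rendered) while a successful one answers 302 (redirect to the dashboard) is stated in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.5 hammers wp-login.php, 198.51.100.9 fails twice,
# 192.0.2.1 loads the form and then logs in successfully (302 redirect).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
198.51.100.9 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.5 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
192.0.2.1 - - [12/Apr/2013:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3200
192.0.2.1 - - [12/Apr/2013:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [12/Apr/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.5 - - [12/Apr/2013:10:00:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
198.51.100.9 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.5 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.5 - - [12/Apr/2013:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_login_events(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php that did not redirect.

    Assumption: a failed WordPress login re-renders the form with HTTP 200,
    while a successful login answers with a 302 redirect.
    """
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_failures} for IPs whose failed logins within any
    sliding window of `window` length reach `threshold`."""
    by_ip = defaultdict(list)
    for ip, ts in failed_login_events(lines):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed wp-login.php POSTs within 5 minutes")
```

On the sample, only 203.0.113.5 is flagged (six failures inside one five-minute window; its seventh attempt falls outside). The same per-IP, per-window count is what a login-limiting plugin or a fail2ban-style jail enforces at request time; running it over the log after the fact is the cheap way to confirm you are being targeted before deciding on a block.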

    If you run a wordpress site (or any other major CMS) you'll be getting brute force attacks regularly anyway (at least once a year) and if you've got a weak password and the default username it's just a matter of time before you're hacked

    This might be news because it seems to be a large scale single attack but it's literally happening constantly.

    Except that Wordpress literally says "Can't change usernames" when you look at someone's user details in the admin section.

    SOLID ADVICE MULLENWEG!

    6Scan’s WordPress plugin (http://wordpress.org/extend/plugins/6scan-protection/) has built-in protection against dictionary and brute force attacks as part of its “login security” feature.

    To ensure you are protected against almost any type of attack, make sure to run a free vulnerability scan on your WordPress site directly from 6scan.com, and fix any vulnerability found (6Scan offers manual fix instructions for vulnerabilities entirely free).

    Solve all your security problems with a single click, No expertise required!

    For more details, visit www.6scan.com

