Brute Force Attack Targets WordPress Sites With Default Admin Username


A day on the internet wouldn’t be complete without news of a major hacking event. Today’s unfortunate victim? WordPress. We’re not talking about the organisation, but the great many blogs powered by the flexible content management system.

WordPress co-founder Matt Mullenweg today posted on his blog that some 90,000 IP addresses hosting the software are being subjected to attacks focused on brute-forcing the password for the default “admin” account. He mentions that users with blogs on can enable two-factor authentication, while all users should rename the “admin” account.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” he states.

As noted by TechCrunch’s Frederic Lardinois, the attack is likely being executed by a network of low-powered home PCs — bots — with content delivery provider Cloudflare concerned it could be an attempt to recruit more powerful machines.

We’ve pointed out before that securing your WordPress site is not a complicated process and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it’s the perfect time) to double-check that your installations are secure and up-to-date… and not using the admin account.

Passwords and brute force [Matt Mullenweg, via TechCrunch]
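The attack described above is a flood of password guesses against wp-login.php, and the first defensive step is being able to see it in your own logs. The script below is an added example written for this page; it is not code from the article, from Mullenweg's post or from WordPress itself. It parses constructed Apache-style access log lines (the IP addresses, timestamps and thresholds are made up for illustration), treats a POST to wp-login.php answered with HTTP 200 as a probable failed login (an assumption based on default WordPress behaviour, which re-renders the form on failure and redirects with 302 on success), and flags source IPs whose failures inside any sliding time window reach a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache combined format (not real traffic).
# Assumption about default WordPress behaviour: a failed POST to wp-login.php
# re-renders the form with HTTP 200, while a successful login answers 302.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]  # drop query string before matching
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def failed_logins(log_text):
    """Group timestamps of probable failed logins (POST wp-login.php -> 200) by source IP."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    return failures


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failures per window} for IPs that reach the threshold."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in failed_logins(log_text).items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in sorted(flag_brute_force(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} failed logins inside a 60s window")
```

With the defaults only 203.0.113.7 is flagged; the third constructed source (192.0.2.5) spreads one guess every two minutes and only shows up when the window is widened to ten minutes, which is the kind of low-and-slow pattern a per-minute login limiter does not catch on its own. Detection like this complements, rather than replaces, the steps the article names: renaming the admin account, limiting login attempts and enabling two-factor authentication.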


  • It’s not the password that is the main problem. It’s that most WordPress users leave their username as “admin” and don’t limit login attempts. I manage a WordPress site and it’s amazing how many emails I get notifying me of attempted login [fails].

  • If you run a WordPress site (or any other major CMS) you’ll be getting brute force attacks regularly anyway (at least once a year), and if you’ve got a weak password and the default username it’s just a matter of time before you’re hacked.

    This might be news because it seems to be a large scale single attack but it’s literally happening constantly.

  • 6Scan’s WordPress plugin ( has built-in protection against dictionary and brute force attacks as part of its “login security” feature.

    To ensure you are protected against almost any type of attack, make sure to run a free vulnerability scan on your WordPress site directly from, and fix any vulnerability found (6Scan offers manual fix instructions for vulnerabilities entirely free).

    Solve all your security problems with a single click. No expertise required!

    For more details, visit
