Earlier this month, the BBC and others reported that “WordPress was targeted by a botnet [‘a network of hijacked home computers, typically controlled by a criminal gang’] of ‘tens of thousands’ of individual computers”. Essentially, the culprits are attempting to brute-force their way into WordPress websites (and other CMS-based sites, such as Joomla) by submitting guesses at common login credentials to the login form, over and over, from thousands of different machines at once.
In particular, the botnet is said to target WordPress websites with an administrator account named ‘admin’, or another common username. Security firm Sucuri published some stats from their logs, showing that the top five usernames targeted were:
Against these, common passwords, such as ‘admin’, ‘password’, ‘123456’ and ‘qwerty’, were tried, in an attempt to gain access to the WordPress admin area and thus take over the website in question. A known username is half the battle: the standard WordPress login form tells you whether a username exists (its error message differs between an unknown username and a wrong password), so the attacker can concentrate on guessing the password for an account they know is there.
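If you want to see whether your own site is being hit by this, the place to look is the web server access log. The script below is an added example written for this post (it is not code from the original article or from WordPress): it assumes the Apache/nginx ‘combined’ log format and relies on one WordPress behaviour, namely that a failed login re-renders the form with HTTP 200 while a successful one redirects (302) into wp-admin. The sample log lines and the threshold of ten attempts are constructed for the example.

```python
"""Look for the wp-login.php brute-force pattern in a web server access log.

Added example for this post, not code from the original article or from
WordPress. Assumes the Apache/nginx 'combined' log format and that a failed
WordPress login answers 200 while a successful one answers 302.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=10):
    """Group POSTs to /wp-login.php by source IP.

    Returns {ip: summary} for every IP that made at least `threshold` login
    attempts. `possible_success` is set when a 302 turns up after the IP has
    already gone past the threshold, i.e. one of the guesses may have worked.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "first": None, "last": None,
                                  "possible_success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        s = per_ip[rec["ip"]]
        s["attempts"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        if rec["status"] == 302 and s["attempts"] > threshold:
            s["possible_success"] = True
    return {ip: s for ip, s in per_ip.items() if s["attempts"] >= threshold}


def constructed_log():
    """Constructed sample traffic (not real log data) covering three cases."""
    ua = '"-" "Mozilla/5.0"'
    # 12 failures from one address: a brute-force burst that never got in
    lines = [f'203.0.113.7 - - [12/Apr/2013:10:01:{i:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 3521 {ua}'
             for i in range(12)]
    # a normal visitor: loads the form once, logs in first time
    lines += [
        f'198.51.100.4 - - [12/Apr/2013:10:02:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 {ua}',
        f'198.51.100.4 - - [12/Apr/2013:10:02:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 {ua}',
    ]
    # 10 failures and then a 302: the worrying case
    lines += [f'192.0.2.9 - - [12/Apr/2013:10:03:{i:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 3521 {ua}'
              for i in range(10)]
    lines.append(f'192.0.2.9 - - [12/Apr/2013:10:03:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 {ua}')
    return lines


if __name__ == "__main__":
    # On a real server pass the open log file instead: find_login_bursts(open(path))
    for ip, s in sorted(find_login_bursts(constructed_log()).items()):
        secs = (s["last"] - s["first"]).total_seconds()
        flag = "  <-- a 302 after the burst: check this account" if s["possible_success"] else ""
        print(f"{ip}: {s['attempts']} login attempts in {secs:.0f}s{flag}")
```

One caveat worth stating: a botnet of tens of thousands of machines can spread its guesses so thinly that no single address ever crosses the threshold, so alongside the per-IP view it is worth watching the total number of POSTs to wp-login.php per hour for the whole site, which a one-line change to the function above would give you.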
Should you be concerned?
If you have an admin account ‘admin’ with a password of ‘password’, then yes! Following the advice of Matt Mullenweg, co-founder of WordPress, you should ensure that your administrator account is not in the list above, and that you have a ‘strong’ password.
- These days, rather than setting up a default user of ‘admin’, the WordPress install process asks for a custom username, which means there is no longer any excuse for having a username ‘admin’. If you do, set up a new user with administrator rights, log in as that user, and delete the old one; when you delete it, WordPress offers to attribute the old account’s posts to another user, so pick the new account rather than letting the content go. Let me know if you need a hand with this.
- Secondly, make sure your password is not easily ‘guessable’. Length counts for more than clever substitutions: a long passphrase of several unrelated words beats a short one with a capital letter and a digit tacked on, and it must not be one you use anywhere else, since common and previously leaked passwords are exactly what attacks like this try first. A password manager makes this painless. There’s a useful article on strong passwords on WordPress.com.
As Matt Mullenweg says, “if you do this, you’ll be ahead of 99% of websites out there and probably never have a problem.”
At Hexagon, there are a few other precautions that we take to help ensure our clients’ websites do not get hacked:
- Maintaining WordPress, themes and plugins at the latest version – this is the important one, as older code is more likely to have publicly known holes that attackers scan for
- Setting unique security keys and salts in wp-config.php rather than leaving the ‘put your unique phrase here’ placeholders – WordPress uses these to sign login cookies, and changing them (fresh values are a click away at api.wordpress.org/secret-key/1.1/salt/) also logs every existing session out, which is handy if you suspect an account has been used by someone else
- Changing the database prefix from the default ‘wp_’ – this does not prevent SQL injection as such (only correct code does that), but it does trip up the automated scripts that assume table names like wp_users, so think of it as cheap extra friction rather than a defence in itself
- Storing client usernames and passwords in a password manager, not in a spreadsheet!
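Two of those checks (the security keys and the table prefix) are easy to miss on a site someone else set up, so here is an added example, written for this post and not code from the original article or from WordPress, that reads a wp-config.php, reports the defaults, and generates replacement salts locally from the operating system’s random number generator. The eight constant names, the ‘put your unique phrase here’ placeholder and the $table_prefix variable are what a stock wp-config-sample.php contains; the 32-character minimum and the sample config are this example’s own.

```python
"""Audit a wp-config.php for placeholder security keys/salts and the default
'wp_' table prefix, and generate replacement salts.

Added example for this post, not code from the original article or from
WordPress. Constant names and placeholder text match wp-config-sample.php;
MIN_SALT_LEN and SAMPLE_CONFIG are this example's own.
"""
import re
import secrets
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
MIN_SALT_LEN = 32          # example's own threshold; the wordpress.org generator issues 64

DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'(?P<prefix>[^']*)'")

# Characters safe inside a PHP single-quoted string: no quote, no backslash.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"


def audit_wp_config(text):
    """Return a list of (item, problem) findings; an empty list means both checks passed."""
    findings = []
    defines = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append((key, "not defined"))
        elif value.strip() == PLACEHOLDER:
            findings.append((key, "still the sample-file placeholder"))
        elif len(value) < MIN_SALT_LEN:
            findings.append((key, f"only {len(value)} characters"))
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append(("table_prefix", "not set"))
    elif m.group("prefix") == "wp_":
        findings.append(("table_prefix", "default 'wp_'"))
    elif not re.fullmatch(r"[A-Za-z0-9_]+", m.group("prefix")):
        # WordPress's own installer only accepts letters, digits and underscores
        findings.append(("table_prefix", "must contain only letters, digits and underscores"))
    return findings


def new_salt(length=64):
    """One salt from the OS CSPRNG, so no call to api.wordpress.org is needed."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def render_salt_defines():
    """Eight fresh define() lines ready to paste over the old ones in wp-config.php."""
    return "\n".join(f"define('{key}', '{new_salt()}');" for key in SALT_KEYS)


# Constructed sample (not a real site's config): untouched placeholders,
# one salt somebody 'changed' to a short word, and the default prefix.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'changeme');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
"""


if __name__ == "__main__":
    # Real use: audit_wp_config(open("/var/www/site/wp-config.php").read())
    for item, problem in audit_wp_config(SAMPLE_CONFIG):
        print(f"{item}: {problem}")
    print("\nReplacement keys and salts:\n" + render_salt_defines())
```

Remember that pasting in the new keys signs everyone out, including you, so do it at a quiet moment; the prefix change is more involved, since every table has to be renamed and a couple of option and usermeta names carry the prefix too, so on an existing site it is a job for a maintenance window rather than a quick edit.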
If you require further information on any of the above, as always, don’t hesitate to get in touch.