WordPress is under attack and your self-hosted site may well be in the crosshairs of people with nefarious intent. I’d like to shed some light on what’s going on, how to protect yourself against becoming a victim, and what to do if you’re hacked.
A bot-what-now attack?
Over the last couple of weeks, WordPress sites all over the world have been subjected to an unprecedented attack. Botnets—essentially thousands or millions of infected computers working in tandem—are executing brute-force attacks on self-hosted WordPress sites, attempting to log into administrator accounts, and taking over the sites. A brute-force attack is when a computer tries to log in using every password under the sun. While this would take forever for a human, a computer can make hundreds or even thousands of attempts per minute and eventually stumble upon the correct user name/password combination. This is one of the most extensive and wide-reaching botnet attacks ever recorded and it’s targeting all kinds of sites, from personal blogs to enterprise solutions.
How do I protect my site from falling victim to this attack?
The primary user names targeted are “admin,” “Administrator,” “root,” and “test” while the first passwords tested are standard ones like “password,” “admin,” “root,” “abc,” and “123.” There are historical reasons why these user names and passwords are targeted; mainly that WordPress itself suggests the user name “admin” when it’s set up.
Your first line of defense to make sure that (a) you don’t have a user account in your WordPress installation with one of the target user names (especially not “admin”), and (b) you have a strong password. It doesn’t have to be something incomprehensible like $hso38Wd#$**$#&d but rather something long and hard to guess. One of my friends used to use soccer teams such as “ManU>L1verp00l” and the likes and I’ve also seen weird combinations like “15:TheNumberOfHatsOnMyShelf.” The longer the password is, the harder it is to crack with a brute-force attack.
If you have an account with the user name “admin,” you should get rid of it immediately. While you can’t change the user name of an existing account in WordPress, getting rid of a user name isn’t complicated: Simply create a new administrator account with a different user name and use it to delete the “admin” account, making sure to move the original posts over to the new account. Here’s a video tutorial to walk you through the process:
To further secure your site against attacks, you can use plugins to limit login attempts, enhance security on your site, add two-factor login authentication, and set up proper backup for your site. You can also add professional security through VaultPress and Sucuri. For a full breakdown of how to prevent brute-force attacks on your site, check out the WordPress Codex article on the topic.
While none of these will prevent a botnet or other hacker attack, they will decrease the likelihood of that attack being successful.
What should I do if I’ve been hacked?
The unfortunate thing about a botnet attack is that if your site is currently under attack, there’s very little you can do. Your site is likely to become unresponsive or go offline altogether because thousands of computers are trying to log in at the same time. If this happens, contact your hosting provider immediately. It has a vested interest in preventing these types of attacks as they slow down and damage performance on its systems.
If an attack is successful and someone manages to take over your site, get in touch with your hosting provider immediately. It should be able to help you get the site back to an unhacked state. If you still have access to the site, log in, change your admin password, delete any other users that may have been added to the site, and then do a full security scan of your site. Sucuri SiteCheck is a free scanning tool that will go through your site to see if it contains any malicious code or links. If the scan comes back clean, you’re in luck. If it comes back with warnings, talk to your hosting provider and consider hiring someone to help clean it up.
If you’ve been hacked, you need to do a full reset on your site access codes. That means resetting all your passwords including FTP, database passwords, admin accounts, and any other passwords associated with the account. If you use the same password for your email as you do on your site, reset your email password as well.
A remedy for the user name URL controversy
If you search the web and social media for remedies to these types of attacks, you’ll see a lot of people saying simply changing your admin user name isn’t enough because anyone can find out what your user name is by finding the author URL. Not only is this inaccurate, but even if it were a real security risk, there’s an easy way around it.
If you’re worried about this and you want to make absolutely sure no one can stumble upon your admin user name, set up a new user on your site, give it Author privileges, and attribute all the posts on your site to that user. That way, if someone manages to hack that user account, all they will be able to do is write new posts that won’t even be published.
We’re all in this together
The upside to this attack is that it’s a wakeup call for everyone involved with WordPress, from its developers to the users to the web hosts that allow you to install the application. Hopefully, what will come out of this is WordPress will stop suggesting “admin” as the user name in new sites, users will create stronger passwords and set up additional security features, and hosts will set up stronger safeguards to prevent brute-force attacks and also ensure that WordPress is as hard as possible to hack. So check your site, make a strong password, and do your part.