WordPress under attack: How to protect yourself

Published by | Monday, April 15th, 2013

WordPress is under attack and your self-hosted site may well be in the crosshairs of people with nefarious intent. I’d like to shed some light on what’s going on, how to protect yourself against becoming a victim, and what to do if you’re hacked.

A bot-what-now attack?

Over the last couple of weeks, WordPress sites all over the world have been subjected to an unprecedented attack. Botnets—essentially thousands or millions of infected computers working in tandem—are executing brute-force attacks on self-hosted WordPress sites, attempting to log into administrator accounts, and taking over the sites. A brute-force attack is when a computer tries to log in using every password under the sun. While this would take forever for a human, a computer can make hundreds or even thousands of attempts per minute and eventually stumble upon the correct user name/password combination. This is one of the most extensive and wide-reaching botnet attacks ever recorded and it’s targeting all kinds of sites, from personal blogs to enterprise solutions.

How do I protect my site from falling victim to this attack?

The primary user names targeted are “admin,” “Administrator,” “root,” and “test” while the first passwords tested are standard ones like “password,” “admin,” “root,” “abc,” and “123.” There are historical reasons why these user names and passwords are targeted; mainly that WordPress itself suggests the user name “admin” when it’s set up.

Your first line of defense to make sure that (a) you don’t have a user account in your WordPress installation with one of the target user names (especially not “admin”), and (b) you have a strong password. It doesn’t have to be something incomprehensible like $hso38Wd#$**$#&d but rather something long and hard to guess. One of my friends used to use soccer teams such as “ManU>L1verp00l” and the likes and I’ve also seen weird combinations like “15:TheNumberOfHatsOnMyShelf.” The longer the password is, the harder it is to crack with a brute-force attack.

If you have an account with the user name “admin,” you should get rid of it immediately. While you can’t change the user name of an existing account in WordPress, getting rid of a user name isn’t complicated: Simply create a new administrator account with a different user name and use it to delete the “admin” account, making sure to move the original posts over to the new account. Here’s a video tutorial to walk you through the process:


To further secure your site against attacks, you can use plugins to limit login attempts, enhance security on your site, add two-factor login authentication, and set up proper backup for your site. You can also add professional security through VaultPress and Sucuri. For a full breakdown of how to prevent brute-force attacks on your site, check out the WordPress Codex article on the topic.

While none of these will prevent a botnet or other hacker attack, they will decrease the likelihood of that attack being successful.

What should I do if I’ve been hacked?

The unfortunate thing about a botnet attack is that if your site is currently under attack, there’s very little you can do. Your site is likely to become unresponsive or go offline altogether because thousands of computers are trying to log in at the same time. If this happens, contact your hosting provider immediately. It has a vested interest in preventing these types of attacks as they slow down and damage performance on its systems.

If an attack is successful and someone manages to take over your site, get in touch with your hosting provider immediately. It should be able to help you get the site back to an unhacked state. If you still have access to the site, log in, change your admin password, delete any other users that may have been added to the site, and then do a full security scan of your site. Sucuri SiteCheck is a free scanning tool that will go through your site to see if it contains any malicious code or links. If the scan comes back clean, you’re in luck. If it comes back with warnings, talk to your hosting provider and consider hiring someone to help clean it up.

If you’ve been hacked, you need to do a full reset on your site access codes. That means resetting all your passwords including FTP, database passwords, admin accounts, and any other passwords associated with the account. If you use the same password for your email as you do on your site, reset your email password as well.

A remedy for the user name URL controversy

If you search the web and social media for remedies to these types of attacks, you’ll see a lot of people saying simply changing your admin user name isn’t enough because anyone can find out what your user name is by finding the author URL. Not only is this inaccurate, but even if it were a real security risk, there’s an easy way around it.

If you’re worried about this and you want to make absolutely sure no one can stumble upon your admin user name, set up a new user on your site, give it Author privileges, and attribute all the posts on your site to that user. That way, if someone manages to hack that user account, all they will be able to do is write new posts that won’t even be published.

We’re all in this together

The upside to this attack is that it’s a wakeup call for everyone involved with WordPress, from its developers to the users to the web hosts that allow you to install the application. Hopefully, what will come out of this is WordPress will stop suggesting “admin” as the user name in new sites, users will create stronger passwords and set up additional security features, and hosts will set up stronger safeguards to prevent brute-force attacks and also ensure that WordPress is as hard as possible to hack. So check your site, make a strong password, and do your part.

Interested in more?
Start a 7-day free trial at lynda.com
• Morten’s WordPress Essential Training course
• All of Morten Rand-Hendriksen’s courses
All WordPress courses on lynda.com

Share this:Share on Facebook41Tweet about this on Twitter24Share on Google+8Pin on Pinterest0Share on LinkedIn1

lynda.com - start learning today

8 Responses to “WordPress under attack: How to protect yourself”

  1. Sean says:

    How about passwords via htaccess? I have that set up on my personal blog and I hope that will keep botnets from even getting to the point where they can try to login.

    • Morten Rand-Hendriksen, lynda.com author says:

      The more secure you can make the site, the better. I’ve seen people build in IP restrictions and passwords in their .htaccess files to make the site more secure and someone is even circulating a crazy long “.htaccess lockdown” script that basically puts WordPress in a vault. The reason for dumping the admin username though is to drive the bots away from your blog. Once they realize they can’t just guess at your password they usually move on.

  2. [...] couple of methods for how to change the admin username Brute Force Attacks Build WordPress Botnet WordPress and spam: How to protect yourself How to Change Your Admin User Name in WordPress You might also want to search for security [...]

  3. Cheri Lasota says:

    Wow, this is incredibly useful information. I will get on this right now.

    Thank you for the great post!


  4. FRANCOIS says:

    Very Useful – I like the limit log-in, it is clean and simple… not so the Better WP Security which looks to have caused people problems with the Warning at the bottom that it makes database changes…
    - just thought I would add my thoughts, as I was hacked a few months ago and needed to do a total re-think.

    Great complex code creator as a mac widget, and created totally securely on your computer, and not online: http://www.autistici.org/rpg/
    Make a document listing all codes, and create it as a PDF, lock it with 1 passcode (memorable) with:
    Keep this on your computer, and when needed, open, and cut and paste code into WordPress admin area. Stops any chance of a trojan copying keypad strokes…

    Back up PDF file onto dropbox, as it is password protected and will always be there
    Keep fingers crossed!

  5. [...] WordPress under attack: How to protect yourself | lynda.com blog | lynda.blog [...]

  6. WordPress под атакой: Как защитить себя says:

    [...] По материалам blog.lynda.com [...]

  7. Madiha says:

    nice post plz share tips to secure disk data

Leave a Reply