In the past week, news has broken that scum-of-the-Earth hackers launched a large-scale attack on WordPress websites, particularly targeting people who use ADMIN as a username.
According to a BBC report, tens of thousands of individual computers that had previously been compromised by trojan viruses were ordered to attack any WordPress websites they could find and try to break the password.
This would explain why a number of clients reported a higher than usual string of attempted login alerts.
It is Baker Marketing policy to NEVER use ‘admin’ as a username on any website or service, let alone a WordPress website that we have built.
The rationale is that if you go with such a common, garden-variety username then the crooks have one of the two elements needed to break into your website.
However, if you use a custom username for logging into your site (and some of you will know we can be a bit creative in this regard), you have made the task of breaking into your site that much harder.
Every cloud of spammy, scoundrel-like behaviour has a silver lining
One good thing to come from this attempted attack is that it prompts you to double-check your username and password.
Below, I have set out some simple steps you can take to make sure your website is not deliberately making life easy for the hideous underbelly of the internet.
It is also worth noting that the plugin that became a standard part of our WordPress installations in recent years, Limit Login Attempts, provides an excellent first line of defense.
It basically works by limiting how many goes you can have in guessing a password, and then locking you out of the website if you fail more than a few times.
You can read about it here: I hear you knocking, but you can’t come in.
In short, there is a setting in the Limit Login plugin that sends you an email when an unwanted visitor has been locked out.
While these emails are reassuring, they can become monotonous during periods of intense website hacking activity.
To turn off the notifications, go to Settings > Limit Login and uncheck the send email box. Click Save and you are done.
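The lockout behaviour described above, as an added Python model written for this post (it is not the plugin's own code, and the thresholds and sample addresses are assumed values chosen for illustration):

```python
# Added illustration, not code from the post or the Limit Login Attempts plugin.
# Thresholds are assumed values chosen for the example, not the plugin's defaults.
from collections import defaultdict

MAX_RETRIES = 4                   # failures allowed before a lockout
LOCKOUT_SECONDS = 20 * 60         # short lockout
LONG_LOCKOUT_SECONDS = 24 * 3600  # used once an IP has been locked out MAX_LOCKOUTS times
MAX_LOCKOUTS = 4
RETRY_RESET_SECONDS = 12 * 3600   # failures older than this no longer count


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time the lockout expires
        self.lockouts = defaultdict(int)   # ip -> lockouts so far
        self.notifications = []            # the emails the post talks about

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"                # rejected before the password is checked
        if success:
            self.failures.pop(ip, None)    # a good login clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < RETRY_RESET_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < MAX_RETRIES:
            return "failed"
        self.lockouts[ip] += 1
        duration = LONG_LOCKOUT_SECONDS if self.lockouts[ip] >= MAX_LOCKOUTS else LOCKOUT_SECONDS
        self.locked_until[ip] = now + duration
        self.failures[ip] = []             # the count starts again after the lockout
        self.notifications.append(f"{ip} locked out for {duration // 60} min")
        return "locked"


def replay(events):
    """Replay (time, ip, success) tuples; returns (outcomes, limiter)."""
    limiter = LoginLimiter()
    return [limiter.record(ip, ok, t) for t, ip, ok in events], limiter


# Constructed sample: a bot hammering 'admin' from one address, and a real user
# who mistypes once and then gets in.  Times are seconds.
SAMPLE = [(0, "203.0.113.5", False), (1, "203.0.113.5", False),
          (2, "203.0.113.5", False), (3, "203.0.113.5", False),
          (4, "203.0.113.5", False), (30, "198.51.100.7", False),
          (45, "198.51.100.7", True), (1300, "203.0.113.5", False)]
```

Replaying SAMPLE shows the bot locked out on its fourth failure (and the one notification email that would generate), the legitimate user unaffected, and the bot's counter starting from zero again once the 20 minutes are up.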
Some important WordPress housekeeping
Firstly, if you do have ‘admin’ as your login name (to be fair, there might be some clients from many, many years ago with such a username), please log into your website and create for yourself a new username. You do this via the following steps:
- Log in to your WordPress site as usual
- Go to Users > Add New
- Create a new User, noting that you need a unique email address (you cannot sign up with the same address your admin User is based upon), and double-check that you give yourself an Admin role, not the default ‘subscriber’, before you hit Add New User.
- Log out
- Log back into your site with your NEW username and password
- Go to Users, tick the box next to your old ‘admin’ account, and select Delete from the Bulk Actions box at the top of the list. Click Apply.
- NOTE: Pay attention to the next screen. It will ask whether you want to delete all posts published under the admin account OR assign them to another user. Choose yourself from the dropdown list, make sure that option is selected, and then click Confirm Deletion.
Secondly, please check to make sure your password is ‘tricky’.
What helps is LENGTH and DIVERSITY of character types.
In other words ‘maxwell’ is much, much weaker than ‘luv4MYdogMAXWELL!’
Even though the latter password is not overly complex or meaningless (a good thing in a password), it does complicate matters for crooks, sending their rotten password-cracking bots on a long, fruitless journey, one that the Limit Login plugin would cut short.
- To update your password, go to Users > My Profile and scroll down to the password area
- Enter your new password twice
- Click Save Changes
NOTE: Make sure you remember your new password AND have access to the email address it is tied to so you can benefit from the lost password mechanism. On that note, please make sure your email password is equally strong – that is a weak link in the online armour of many.
A final thought
The WordPress project team is looking at ways to make two-step authentication available to self-hosted WordPress websites.
This system will add even more security to your website.
Watch this space for news on that security development, which is likely to be included in the Jetpack plugin.