Is your login name “admin”? You’re a hacking target


Over at iThemes.com there’s an excellent blog post on the very serious, ongoing hacking attempts against WordPress blogs. I recommend having a read of it to understand what’s going on and how to protect yourself.

If you want to get a quick overview though, then stick with me!

The problem

Essentially what’s happening is that one or more botnets (networks of hundreds, thousands or even millions of compromised computers) are being used to brute force their way into the admin area of blogs.

Brute force hacking works by trying lots of passwords in turn until one gets in. In its crudest form it tries “password1”; if that doesn’t work it tries “password2”, and keeps going. This attack is a little less crude: it works from a dictionary of the passwords people with a bad memory tend to choose, i.e. password, 123456, 123123, qwerty, password123 etc.

What it does when it gets in there is a matter for speculation, but I’d wager that it’ll be adding links to your blog posts, pointing back to all sorts of weird and wonderful websites with the aim of getting better rankings for its clients.  It makes no sense to get access to a blog only to delete it.

The thing that jumps out at me here is that if you’ve been compromised then you may well know nothing about it because outwardly nothing will have changed.  And unless you have a habit of regularly reading your old blog posts then you won’t see anything different.
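The login flood itself, and a break-in that follows it, are easy to spot in the web server’s access log, which is where you’d look if you suspect you’re being hit. The script below is an added example, not code from the original post or from iThemes; it parses a handful of constructed Apache-style log lines (made up for this example) and reports any client that fires off more than a threshold of login attempts inside a short window. It relies on WordPress’s usual behaviour that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect to wp-admin, so a 302 from a client that has just been hammering the form is flagged as a probable compromise.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "combined" access-log format used by Apache and nginx. Only the
# fields needed to spot a login flood are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    """A submitted login form is a POST to wp-login.php (query string ignored)."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def find_login_floods(lines, threshold=10, window_seconds=300):
    """Return {ip: summary} for every client that sent at least `threshold`
    failed logins inside some span of `window_seconds`. A failed login shows up
    as a 200 (the form is shown again); a success is a 302 to wp-admin, so a
    302 at or after the first failure is reported as login_after_flood."""
    failed = defaultdict(list)     # ip -> timestamps of failed attempts
    succeeded = defaultdict(list)  # ip -> timestamps of successful attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        if rec["status"] == 302:
            succeeded[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200:
            failed[rec["ip"]].append(rec["ts"])

    report = {}
    for ip, stamps in failed.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # slide the left edge until the window spans <= window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {
                "failed": len(stamps),
                "peak_in_window": peak,
                "login_after_flood": any(t >= stamps[0] for t in succeeded.get(ip, [])),
            }
    return report


def _line(ip, second, method="POST", path="/wp-login.php", status=200):
    """Build one constructed log line (sample data, not a real server log)."""
    return (f'{ip} - - [13/Apr/2013:02:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3985 "-" "Mozilla/5.0"')


# Constructed sample: two botnet nodes (one of which gets in) and one human.
SAMPLE_LOG = (
    [_line("198.51.100.12", s, method="GET") for s in (0, 30)]          # human loads the form
    + [_line("203.0.113.7", s) for s in range(0, 24, 2)]                 # node 1: 12 failures in 22 s
    + [_line("203.0.113.7", 24, status=302)]                             # ...then it gets in
    + [_line("192.0.2.44", s) for s in range(5, 17)]                     # node 2: 12 failures, no success
    + [_line("198.51.100.12", 40), _line("198.51.100.12", 55, status=302)]  # one typo, then a real login
)

if __name__ == "__main__":
    for ip, info in sorted(find_login_floods(SAMPLE_LOG).items()):
        print(ip, info)
```

On a real server you would feed it the access log (`open("/var/log/apache2/access.log")` works in place of `SAMPLE_LOG`) and tune the threshold to how often you mistype your own password; the human in the sample, with one failure and one success, is correctly left out of the report.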

Anyway, I digress. One thing worth noting is that the botnet is trying only a handful of login names: admin, editor, moderator or the domain name (massmediadesign). So if you have a fairly unique login name such as “thisisaloginanduniqueloginname” then you’re in better shape than if you’re using the login name “admin” (and many of you will be!). Bear in mind, though, that WordPress doesn’t treat the login name as a secret: by default it doubles as the author slug in URLs like /author/admin/, so an attacker who bothers to look can often find it. A unique name is a speed bump for a botnet that doesn’t look; the password is the real lock.

If your username is unique enough that you’re not too worried, then all you need to do is make sure you’re using a password that is difficult to guess. Make it long (length does more for you than any single special character), mix upper and lowercase letters with some numbers and one or two punctuation characters, and don’t reuse it on any other site.

If you’re using the login “admin” or something as simple, now is the time to change it. It isn’t dead simple, but it’s not a major piece of work either.

The fix

This isn’t a 100% fix, but it’ll make your blog much more secure than it currently is, and whilst it won’t deter the most determined hacker, it’ll make it much harder work for a botnet to compromise you.

Before you do anything, make sure you back up your WordPress database. This is good practice because things go wrong, no matter how careful you are!

  1. Create a new user in WordPress and give it the role “Administrator”. This is the user you’ll administer the website with from now on, so give it a unique, difficult-to-guess name, and set its “Display name publicly as” to something different so the login name isn’t printed on your posts. WordPress won’t let two users share an email address, so for now you’ll have to give it a different one from your other users; we’ll change that back later.
  2. Log out and then log back in as the new user.
  3. Delete the old “admin” user.
  4. You’ll be asked what you want to do with the posts owned by the old admin user. Choose “Attribute all posts and links to” and pick the new user you created.
  5. Now that the old admin user is deleted, you can change the new user’s email address back to the one you normally use.
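If you’re comfortable in the database, the same result can be had by renaming the account in place, which skips the create, reassign and delete dance because posts are tied to a user’s numeric ID, not the login name. The code below is an added example, not part of the original post or of WordPress; it runs the rename against a throwaway SQLite copy of the wp_users columns involved (the column names are WordPress’s own, the rows are made up), and the UPDATE it issues runs unchanged against a real MySQL wp_users table apart from the placeholder style (%s instead of ?). The check it performs before renaming is the point: the new login must not also be used as the nicename (author URL slug) or display name, or the “secret” name is published on every post.

```python
import re
import sqlite3


def sample_db():
    """Constructed stand-in for a site's wp_users table (SQLite in memory).
    Column names are WordPress's; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE wp_users (
        ID INTEGER PRIMARY KEY,
        user_login TEXT UNIQUE,   -- the name typed into the login form
        user_nicename TEXT,       -- slug shown in /author/<nicename>/ URLs
        display_name TEXT,        -- name printed on posts
        user_email TEXT)""")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "owner@example.com"),
        (2, "editor", "editor", "Site Editor", "editor@example.com"),
    ])
    conn.commit()
    return conn


def slugify(name):
    """Author-archive style slug: lower case, runs of non-alphanumerics -> '-'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def check_rename(conn, old_login, new_login, public_name, table_prefix="wp_"):
    """Return None if the rename is safe to run, otherwise the reason it is not."""
    # The prefix is spliced into SQL (identifiers cannot be bound), so whitelist it.
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        return "table prefix contains characters other than [A-Za-z0-9_]"
    if new_login.lower() in (public_name.lower(), slugify(public_name)):
        return "public name must differ from the login, or author URLs reveal it"
    users = table_prefix + "users"
    if conn.execute(f"SELECT 1 FROM {users} WHERE user_login = ?", (new_login,)).fetchone():
        return f"login {new_login!r} is already taken"
    if not conn.execute(f"SELECT 1 FROM {users} WHERE user_login = ?", (old_login,)).fetchone():
        return f"no user with login {old_login!r}"
    return None


def rename_wp_login(conn, old_login, new_login, public_name, table_prefix="wp_"):
    """Rename the account in place and give it a public name that is not the login.
    Posts keep their author because wp_posts.post_author stores the numeric ID,
    so nothing needs reassigning. Returns the number of rows changed (1)."""
    problem = check_rename(conn, old_login, new_login, public_name, table_prefix)
    if problem:
        raise ValueError(problem)
    users = table_prefix + "users"
    cur = conn.execute(
        f"UPDATE {users} SET user_login = ?, user_nicename = ?, display_name = ? "
        f"WHERE user_login = ?",
        (new_login, slugify(public_name), public_name, old_login),
    )
    conn.commit()
    return cur.rowcount


def logins(conn, table_prefix="wp_"):
    """Sorted list of login names, to confirm that 'admin' is gone afterwards."""
    rows = conn.execute(f"SELECT user_login FROM {table_prefix}users ORDER BY user_login")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = sample_db()
    print("before:", logins(db))
    rename_wp_login(db, "admin", "qv8-blog-owner", "Blog Owner")
    print("after: ", logins(db))
```

Take the database backup first, log out of the site before running it, and log back in with the new name afterwards; if your site uses a table prefix other than wp_, pass it as table_prefix.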

Further reading

I recommend reading Chris’s full blog post at iThemes.com.  He covers the performance issues that come with an attack and has some very useful suggestions about further preventions.

Creative Commons image by Nina Amaho