WordPress Hacking Warning
A week ago, Aaron Brazell alerted me to “a brute force attack underway on a global scale” against WordPress sites. Essentially, the attackers are exploiting a well-known weakness: “admin” has long been the default administrator username, so half of the credential is already known and only the password has to be guessed. Those who started their sites in recent years had the ability to change that username during setup; those with older sites were stuck with it. So anyone with enough computing power can simply try password after password against the “admin” account on a huge number of WordPress installs.
Aaron recommends “a strong password and install[ing] a plugin that limits failed login attempts.” I already had a strong password. Yesterday, I had a plugin installed that limits failed login attempts. Overnight, I had two instances where a brute force attack was thwarted at OTB.
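To make concrete what a login-limiting plugin does, here is a small failed-login limiter written as an added example; it is not code from the original post or from any WordPress plugin. It tracks failures per (client IP, username) pair in a sliding window, locks the pair out for a while once a threshold is hit, and refuses further attempts for that pair before the password is even checked. The IP addresses, usernames, timestamps and thresholds are all constructed for the demonstration.

```python
"""Sliding-window failed-login limiter, the kind of logic a lockout plugin applies.

Added example; not the post's code and not any WordPress plugin's code.
All addresses, usernames and timestamps below are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (client IP, lower-cased username)


@dataclass(frozen=True)
class LoginAttempt:
    ts: int        # seconds since epoch (constructed values below)
    ip: str        # client address as the web server saw it
    username: str  # login name submitted to the login form
    success: bool  # whether the submitted password was actually correct


class LoginLimiter:
    """Lock out a (IP, username) pair after too many failures in a sliding window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 600,
                 lockout_seconds: int = 1800) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[Key, Deque[int]] = defaultdict(deque)
        self._locked_until: Dict[Key, int] = {}

    def handle(self, attempt: LoginAttempt) -> str:
        """Return 'locked', 'ok' or 'fail' for one attempt and update the state."""
        key: Key = (attempt.ip, attempt.username.lower())
        # A locked pair is refused before any password check, so the attacker
        # learns nothing from the response and every further request is wasted.
        if self._locked_until.get(key, 0) > attempt.ts:
            return "locked"
        if attempt.success:
            self._failures.pop(key, None)   # a real login clears the failure history
            return "ok"
        recent = self._failures[key]
        recent.append(attempt.ts)
        # Drop failures that have aged out of the sliding window.
        while recent and attempt.ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = attempt.ts + self.lockout
            recent.clear()                  # the budget starts over once the lockout ends
            return "locked"
        return "fail"


# Constructed traffic: RFC 5737 documentation addresses, not real hosts.
ATTACKER, READER = "203.0.113.7", "198.51.100.5"
SAMPLE_ATTEMPTS: List[LoginAttempt] = [
    LoginAttempt(0,    ATTACKER, "admin",  False),
    LoginAttempt(10,   ATTACKER, "admin",  False),
    LoginAttempt(20,   ATTACKER, "admin",  False),
    LoginAttempt(30,   ATTACKER, "admin",  False),
    LoginAttempt(40,   ATTACKER, "admin",  False),  # fifth failure in the window: lockout
    LoginAttempt(50,   ATTACKER, "Admin",  False),  # same pair (case-folded), refused outright
    LoginAttempt(55,   READER,   "editor", True),   # unrelated pair, unaffected by the lockout
    LoginAttempt(60,   ATTACKER, "editor", False),  # different username, a fresh failure budget
    LoginAttempt(1900, ATTACKER, "admin",  False),  # lockout expired at t=1840, counting restarts
]


def run_sample(limiter: Optional[LoginLimiter] = None) -> List[str]:
    """Feed the constructed attempts through one limiter and return the verdicts."""
    if limiter is None:
        limiter = LoginLimiter()
    return [limiter.handle(a) for a in SAMPLE_ATTEMPTS]


def count_thwarted(results: List[str]) -> int:
    """Number of attempts refused because the pair was locked out."""
    return sum(1 for r in results if r == "locked")


if __name__ == "__main__":
    verdicts = run_sample()
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, verdicts):
        print(f"t={attempt.ts:>5} {attempt.ip:<14} {attempt.username:<7} -> {verdict}")
    print(f"{count_thwarted(verdicts)} attempts refused while locked out")
```

Two design points worth noting. Keying on the (IP, username) pair rather than on the username alone means an attacker cannot lock the real owner out of the “admin” account from the other side of the world, but it also means a botnet spreading its guesses across many addresses gets a fresh budget per address, which is why a strong password still matters. And the lockout check runs before the password check, so a correct guess made during a lockout is refused too; that is what makes the lockout effective rather than just a delay.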
In addition to those steps, I took another important one Monday: I renamed my “admin” account to something else. Matt Mullenweg, the guy behind WordPress, points to directions explaining how. Essentially, you create a new administrator account under a different name, log out, log back in as the new account, and then delete the old “admin” account, attributing all of its posts to the newly created account so nothing is lost. If it was anyone other than Mullenweg pointing to those directions, I’d have been leery. But I did this myself in five minutes and it imported some 23,500 posts instantly.
If you own a WordPress blog, do these things today. If you don’t, why are you still reading?