WordPress Hacking Warning


A week ago, Aaron Brazell alerted me to “a brute force attack underway on a global scale” against WordPress sites. Essentially, they’re attacking a known vulnerability: the fact that “admin” is the default user account. Those who started their sites in recent years had the ability to change that during creation; those with older sites were stuck with it. So, essentially, those with enough computing power can simply try password after password against WordPress installs using the username “admin.”

Aaron recommends “a strong password and install[ing] a plugin that limits failed login attempts.” I already had a strong password. Yesterday, I had a plugin installed that limits failed login attempts. Overnight, I had two instances where a brute force attack was thwarted at OTB.
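As an added illustration of what a plugin that limits failed login attempts actually does (example code written for this post, not any plugin's source): a per-IP lockout that refuses further attempts, even the right password, once too many failures arrive within a window. The thresholds, the IP address and the credential store are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
# Constructed policy values: lock an IP out for LOCKOUT seconds once it has
# MAX_FAILURES failed logins within WINDOW seconds.
MAX_FAILURES, WINDOW, LOCKOUT = 5, 600, 1200
class LoginLimiter:
    def __init__(self, check_credentials, now=time.time):
        self.check_credentials = check_credentials  # callable(user, pw) -> bool
        self.now = now                              # injectable clock, for testing
        self.failures = defaultdict(deque)          # ip -> timestamps of failures
        self.locked_until = {}                      # ip -> time the lockout ends

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() < until:
            return True
        del self.locked_until[ip]   # lockout expired: start counting afresh
        self.failures[ip].clear()
        return False

    def attempt(self, ip, username, password):
        """Return 'ok', 'bad-credentials' or 'locked-out' for one login attempt."""
        if self.is_locked(ip):
            return "locked-out"     # refused before the password is even checked
        if self.check_credentials(username, password):
            self.failures[ip].clear()
            return "ok"
        t, q = self.now(), self.failures[ip]
        q.append(t)
        while t - q[0] > WINDOW:    # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[ip] = t + LOCKOUT
        return "bad-credentials"

def simulate_admin_guessing():
    """Constructed scenario: one IP keeps guessing the 'admin' password."""
    clock = [0.0]
    store = {"admin": "a-long-random-passphrase"}   # constructed credential store
    limiter = LoginLimiter(lambda u, p: store.get(u) == p, now=lambda: clock[0])
    results = []
    for guess in [f"wrong-{i}" for i in range(MAX_FAILURES)] + [store["admin"]]:
        clock[0] += 1.0
        results.append(limiter.attempt("198.51.100.7", "admin", guess))
    clock[0] += LOCKOUT   # once the lockout has expired the real password works again
    results.append(limiter.attempt("198.51.100.7", "admin", store["admin"]))
    return results
```

The sixth attempt uses the correct password but is still refused, which is the point: a lockout that only applied to wrong guesses would leave the guessing unhindered.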

In addition to those steps, I took another important one Monday: I renamed my “admin” account to something else. Matt Mullenweg, the guy behind WordPress, points to directions explaining how. Essentially, you create a new admin account, log out, and then delete the old admin account, attributing all the posts to the newly created account. If it was anyone other than Mullenweg pointing to those directions, I’d have been leery. But I did this myself in five minutes and it imported some 23,500 posts instantly.

If you own a WordPress blog, do these things today. If you don’t, why are you still reading?


FILED UNDER: Blogosphere
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.


  1. Jim Swift says:

    Good advice here on setting up two step authentication and lock out procedures.


  2. Dave Schuler says:

    Yes, I was alerted to this problem some time ago. My !#$% web host even disabled comments on my blog briefly while the attacks on WordPress blogs hosted by them were under way.

    My administrative login hasn’t been “admin” for some time and I installed the plug-in to limit login attempts years ago.

  3. John Peabody says:

    …because I’m curious. Dang, way to end a post, dude.

  4. James Joyner says:

    @John Peabody: Ha. Just an acknowledgment that the information is mostly of interest only to other WordPress site owners.

  5. John Peabody says:

    No sweat. Do whatever is needed to protect our beloved OTB.