WordPress websites around the world are currently the target of a coordinated botnet attack. The brute force attack is targeting WordPress administrative portals: the attacker tries to log in using the username “admin” in combination with many thousands of the most common passwords.
WordPress is the most popular content management system in use on the web, powering more than 60 million websites. It is set up by default with an “admin” username as the administrator. Although WordPress has allowed users to pick a custom username on installation for over three years now, hackers are relying on people reverting to the default “admin” username. So far, this username vulnerability is fuelling the growth of an unusually powerful botnet thought to be made up of around 90,000 web servers.
Botnets are used for malicious purposes such as spreading malware and launching distributed denial-of-service attacks (DDoS attacks), whereby a machine or network becomes unavailable to its intended users.
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the ‘admin’ username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell ‘solutions’ to the problem)
- Matt Mullenweg, founder of WordPress.
WordPress users are urged to change their username if they are using “admin”, use a strong password and update to the latest version of the software.
How to change your WordPress admin username?
1. Log in to your WordPress Admin area.
2. Click on “Add New” in the “Users” menu to create a new user account.
3. Type in a new username and other associated information. Make sure you use a different email address from the one you have linked to the “admin” username.
4. Select “Administrator” as the role and choose a hard-to-guess password.
5. Click on the “Add New User” button.
6. Log out of WordPress, then log in again using your new username and strong password.
7. Click on “Users” in the “Users” menu.
8. Point your mouse cursor over the “admin” row where you should see links for “edit” and “delete”. Click on “delete”.
9. Select “Attribute all posts and links to” and then select your new username from the drop-down list (this is a very important step: if you forget to select this option, all your posts will be deleted).
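
The same procedure can also be scripted from the command line. The following is an added example, not part of the original article: it assumes WP-CLI is installed as `wp` and run from the site's root directory, and it reads the new password from a hypothetical `NEW_WP_PASS` environment variable.

```shell
#!/bin/sh
# Added example: assumes WP-CLI is installed as `wp` and run from the site root.
# NEW_WP_PASS is a hypothetical environment variable holding the new password.

replace_admin_user() {
    new_login=$1
    new_email=$2

    if [ -z "$new_login" ] || [ -z "$new_email" ] || [ -z "$NEW_WP_PASS" ]; then
        echo "usage: NEW_WP_PASS=... replace_admin_user <login> <email>" >&2
        return 2
    fi
    if [ "$new_login" = "admin" ]; then
        echo "new username must not be 'admin'" >&2
        return 2
    fi

    # Nothing to do if the default account does not exist.
    if ! old_id=$(wp user get admin --field=ID 2>/dev/null); then
        echo "no 'admin' user found"
        return 0
    fi

    # Step 3: the new account needs a different e-mail address.
    old_email=$(wp user get admin --field=user_email) || return 1
    if [ "$new_email" = "$old_email" ]; then
        echo "e-mail is already used by 'admin'" >&2
        return 1
    fi

    # Steps 2-5: create the replacement administrator (prints the new user ID).
    new_id=$(wp user create "$new_login" "$new_email" \
        --role=administrator --user_pass="$NEW_WP_PASS" --porcelain) || return 1

    # Steps 8-9: delete 'admin' and reassign its posts and links, so that
    # the content is kept instead of being deleted with the account.
    wp user delete admin --reassign="$new_id" --yes || return 1

    echo "deleted admin (ID $old_id); content reassigned to $new_login (ID $new_id)"
}
```

After it runs, log in with the new account as in step 6 to confirm that it works.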