WordPress Brute Force Attack, What to Do Now If You Have a Blog

In light of recent Botnet attacks on WordPress blogs, here are a few simple steps to help you ensure that your blog stays yours.
In the past week there has been a fair amount of coverage of a new Botnet attack on WordPress blogs.  Normally this would not be news, because WordPress is one of the most popular CMS systems in the world, and also because it is open source so any programmer can see how WordPress works and devise methods to breach the software’s security.  This latest hacking effort is interesting because of its sheer size (the Bot is supposedly working from over 90,000 IP addresses which makes it difficult to block), the fact that it is attacking Web Servers as opposed to Client (read desktop) systems, and because it appears to be a plain old cut-and-dry Brute Force Attack.  In this case, “Brute Force” means the Bot hammers continually at a blog’s user name and password combination until it guesses a successful combination.  The Bot then passes the blog’s URL and the successful password combo to its Owner, who logs in and installs software, which can include backdoor entry systems, downloadable viruses or “Zombie” software which lets the Owner control that Web Server to a certain degree.  There is nothing elegant about a Brute Force attack, and in most cases (including this one) it succeeds because blog owners have not taken obvious and well-known precautions.
The original creator of WordPress, Matt Mullenweg, published a Solution a few weeks ago, which is a rehash of what he and the WordPress Team have said many times before.  I’m going to publish that solution here, along with specific instructions for implementing the fix.  Then, while I hopefully have your attention for a few minutes, I’ll cover some other things you can do quickly that will help your blog ward off other attacks.  Feel free to log into your website as Admin and follow along:


  • If your Admin User name is “admin” change it now.  The default username for the WordPress core Administrator is “admin”.  This used to be hard to change, but that hasn’t been true for several versions of WordPress, and there really is no excuse for having the username “admin”.  With a username admin the Bad Guys are already halfway to gaining access, all they have to do is guess your password.  To change the Admin username, from any page in your Admin Panel hover over the words “Howdy <your user name>” in the top right corner of the screen.  You’ll see a drop down menu with an item for Edit Profile.  Click this to be taken to the Admin’s profile.  Where you see Username, change “admin” to pretty much anything else, but avoid having the string “admin” anywhere in the new user name.  And there you go, you have successfully beaten off the current attack.  But wait, here’s the problem; these Bots tend to get smarter over time, and there is a lot more you can do now that you are in your Admin panel, so please read on.
  • Change your password to something strong.  I’m a relentless advocate for strong passwords, and all the time I hear “but I like my password, it’s easy to remember”.  If it is easy to remember, it is easy to guess.  How do you get a strong password?  Hopefully you have not left your Admin profile yet, if you did go back there.  At the bottom of the page, you’ll see a place to type in your new password.  WordPress gives you a handy engine that will rate the strength of your password.  Don’t stop trying combinations until you at least get to the “strong” level.  Like the instructions say, put in at least seven characters, use upper and lower case, at least one number, and at least one special character (such as #*&^).  DO NOT embed some keyword in your password, i.e. if your site is all about shoes, don’t embed “shoes” somewhere in your new password.  WRITE DOWN YOUR NEW USER NAME AND PASSWORD.  You might never get them memorized,  that can be the price of a decent password that will protect your blog.
  • NEVER post anything under your admin user name.  Especially if that username is admin, but you just changed that, didn’t you (you did, didn’t you)?  If you are like some blog owners you have three different people posting with the one user name, which has admin privileges.  It’s time to give everyone their own username and password combo, and assign Editor privileges at most.  In the sidebar, click Users.  Now, up next to the Users title is a link to Add New.  Click that, give each contributor a username and strong password.  Neglect to tell them what the new admin username/password combo is unless they really need it.  Give yourself a username/password combo also with no better than Editor privileges (you should have only one User with admin privileges).   Use this new combo for your own posts.
  • Update to the latest version.  I can’t stress this enough.  As we said before, WordPress is open source, and even though all of the press makes this last attack look special, new attacks are happening all of the time, which are met by the magnificent WordPress Development Team in their latest update…..which doesn’t help your blog unless you install it.  Upgrade installations are almost automatic these days, you don’t really have to do anything except accept the update and watch the lights blink.  So as soon as you log in at the admin level and see the alert that says “There is a new update available” put aside that urgent post for just a moment and accept the update.

There are a lot of other things you can do to harden your blog (search “harden WordPress”), but with these few simple steps which take just minutes, you can go a long way toward ensuring that your blog STAYS your blog.