Apr 12, 2013

Reports are making the rounds of a “huge attack” targeting web sites running WordPress.

I noticed suspicious behavior in the IP access logs of one of my web sites a little over a year ago. I turned on logging of failed login attempts to get a better picture of what was happening.

I checked the logs a bit later and was shocked by what I found. Thousands of failed login attempts against one WP site in only a few hours. And there was only one user for the site – me! Login attempts were coming in at a rate of 2 to 3 per second from a fairly small number of IP addresses.

What spooked me most was that all of the login attempts were for the same user account name – “admin”, which also happens to be the default admin account name for a WP installation.

It was pretty clear that someone was running a script of some sort attempting to “brute force” guess the password for the admin account of my WP web site.

You can and should make sure all your account passwords have sufficient complexity and length to fend off brute force guessing.

Having a strong password isn’t the end of the story. You can do better than just making it “very difficult” to guess your password. You can completely cut off the attacker’s ability to make password guesses by deleting the default “admin” user account of your WP site. If you don’t have an “admin” account, then they can’t log into it.

Before deleting your WP “admin” account, be sure to create a new WP user account with full admin rights, and give it a nonobvious username. Don’t use your published “contact me” email address. Log into your site as this new admin account, and then delete the default “admin” account.

There are many levels of defense you should consider implementing for any web site, including possibly a smart firewall that automatically blocks rapid, repetitive traffic from the same IP address. But the first step to reduce the risk of someone logging into your site using the default “admin” account name is simply to delete the “admin” account.
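As an added example (not code from the original post), the burst pattern described above, and the rapid, repetitive traffic a firewall would key on, can be picked out of an ordinary Apache access log: a script hammering the login form shows up as many POSTs to wp-login.php from one IP in a short window, each answered with a 200 (the re-rendered form) rather than the 302 redirect a successful login produces. The log lines, IP addresses, window and threshold are constructed for the example, and it assumes lines appear in time order, as access logs do.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: one IP firing 2 login attempts per second (the rate seen in
# the post), plus a real user who mistypes once and then logs in successfully.
_BURST = "\n".join(
    f'203.0.113.7 - - [12/Apr/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
    for s in (0, 0, 1, 1, 2, 2, 3, 3)
)
SAMPLE_LOG = _BURST + "\n" + "\n".join([
    '198.51.100.2 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def failed_login_bursts(log_text, window_seconds=10, threshold=5):
    """Map each offending IP to (peak failed attempts inside one window, total failed
    attempts). An IP is reported only if its peak exceeds the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of failed attempts still in the window
    peak = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # Only a POST to wp-login.php answered with 200 is a failed attempt: a GET just
        # fetches the form, and a 302 is the redirect WordPress sends after a success.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != 200:
            continue
        total[ip] += 1
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:  # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: (peak[ip], total[ip]) for ip in peak if peak[ip] > threshold}
```

Running `failed_login_bursts(SAMPLE_LOG)` reports only the scripted IP; the single mistyped password from the legitimate user stays well under the threshold.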