Hackers target Wordpress

Dodgeboard

Dodgeboard

Well-known member
We've been dealing with those attacks all last week and this week at work. Thankfully no accounts with the username admin, but we've been blocking IPs as fast as we can detect them.
 
This is really overblown IMO. If you were to look at your security logs, you'd find the script kiddies have been hammering WordPress vulnerabilities for eons.

They're using a brute force dictionary attack. If your password can be looked up in a dictionary, you have bigger worries than this one.
 
There's a few things you can do with WP to make it a bit more secure. You can .htaccess protect the admin area for a start, then change the admin username to something else (plus make sure your password is very good). I used to get password reset emails sent from the site - someone fishing for (and finding) one of the admin emails, so I would change your registered email address to one NOT used by, or shown on, your site. Finally, you can install a plugin to limit incorrect logins.
 
These attacks actually happen quite a bit only on a much smaller scale. Aside from changing the default admin username and using a strong password, it is best to add a .htpasswd file to the wp-admin directory with an additional password. It is even better to restrict the wp-admin to an IP address if possible.
 
People actually use the user name "admin" ? :eek:

Wait.... That would mean people also keep using the user id #1 for such things as well? :confused:

^^ I know there are people out there who are still foolish enough to do so.... I just can't imagine why.
 
Actually, within Wordpress code, you can't change the "admin" account to something else. You either have to delete it, and choose what to do with the posts you've created with it, or install something like WordFence to limit password attempts, which is probably the easier option.

What's so foolish about having a userid of '1' Adam? You use it yourself on your own site.:rolleyes:
 
SneakyDave said:
Actually, within Wordpress code, you can't change the "admin" account to something else.
Click to expand...

Do you mean the username "admin"? You can change it easily enough using PHPMyAdmin to just edit the username in the database. However for new installs you apparently get the option to change the name when you're setting up.
 
Yes. you can run a query to change it, but if it was easy enough to change it that way, why doesn't WordPress let you change it in the user admin section? It seemed to me that it might break a bunch of other things, changing the username, if WP actually says "User name can not be changed" in the administration panel.

EDIT:
This site seems to ignore the WP warning regarding user names, and claims that changing the username is as simple as updating it in the wp_users table:
http://wpmu.org/how-to-change-your-wordpress-username/

This commenter thinks that other username data has to also change in the database....
If I remember correctly, the catch with the approach that you suggest is that for WordPress networks the user name is also added to the user meta data as part of a serialized array.
So for networks it’s necessary to also change the name in that array, and then, if the length of the new name doesn’t match that of the old name, to also tweak the data that defines the array’s structure.
I believe that this is why the seemingly straightforward option isn’t available in the WP Admin.
Click to expand...
 

Similar threads

DeltaHF
XenForo is outranking WordPress in Google search results on my site
Replies
12
Views
2K
RichDevman
RichDevman
Mr_Bob
Best way to integrate / bridge Xenforo and WordPress
Replies
6
Views
4K
whassell20
whassell20
Steve Freides
Syncing a WordPress web site and a XF 2 installation
Replies
2
Views
798
Steve Freides
Steve Freides
Paradoxer
XenForo and Wordpress Memory Usage Problems?
Replies
16
Views
5K
usAdultAds
U
denisx04
Xenporta or Wordpress
Replies
5
Views
982
Bryan Gilchrist
Bryan Gilchrist
Back
Top Bottom