
Hackers target WordPress

Discussion in 'Off Topic' started by Dodgeboard, Apr 13, 2013.

  1. Dodgeboard

    Dodgeboard Well-Known Member

    euantor, zooki, Jeffin and 1 other person like this.
  2. ManagerJosh

    ManagerJosh Well-Known Member

    We've been dealing with those attacks all last week and this week at work. Thankfully no accounts with the username admin, but we've been blocking IPs as fast as we can detect them.
  3. RoldanLT

    RoldanLT Well-Known Member

    Thanks, I don't have any WordPress site atm.
  4. Wuebit

    Wuebit Well-Known Member

    Great >.> time to check about 20 WordPress sites #sigh

    Thanks for the info tho.
  5. craigiri

    craigiri Well-Known Member

    Thanks for the tip - I did away with my admin on one site....
    I will up the ante on the passwords also....
  6. surfsup

    surfsup Well-Known Member

  7. Dodgeboard

    Dodgeboard Well-Known Member

    Yes, and as a preventative, make sure all your passwords are complex.
  8. Biker

    Biker Well-Known Member

    This is really overblown IMO. If you were to look at your security logs, you'd find the script kiddies have been hammering WordPress vulnerabilities for eons.

    They're using a brute force dictionary attack. If your password can be looked up in a dictionary, you have bigger worries than this one.
  9. Brogan

    Brogan XenForo Moderator Staff Member


    I'd better change mine from Antidisestablishmentarianism then.
  10. Mike

    Mike XenForo Developer Staff Member

  11. Ingenious

    Ingenious Well-Known Member

    There are a few things you can do with WP to make it a bit more secure. You can .htaccess protect the admin area for a start, then change the admin username to something else (plus make sure your password is very good). I used to get password reset emails sent from the site - someone fishing for (and finding) one of the admin emails, so I would change your registered email address to one NOT used by, or shown on, your site. Finally, you can install a plugin to limit incorrect logins.
    Markos likes this.
  12. Brogan

    Brogan XenForo Moderator Staff Member

    rexxxy, Renada, Jeremy and 1 other person like this.
  13. Keith Myers

    Keith Myers New Member

    These attacks actually happen quite a bit, only on a much smaller scale. Aside from changing the default admin username and using a strong password, it is best to add a .htpasswd file to the wp-admin directory with an additional password. It is even better to restrict the wp-admin to an IP address if possible.
  14. zooki

    zooki Active Member

  15. Adam Howard

    Adam Howard Well-Known Member

    People actually use the user name "admin"? :eek:

    Wait.... That would mean people also keep using the user id #1 for such things as well? :confused:

    ^^ I know there are people out there who are still foolish enough to do so.... I just can't imagine why.
  16. zooki

    zooki Active Member

    Is that sarcasm? o_O
    Adam Howard likes this.
  17. SneakyDave

    SneakyDave Well-Known Member

    Actually, within WordPress code, you can't change the "admin" account to something else. You either have to delete it, and choose what to do with the posts you've created with it, or install something like WordFence to limit password attempts, which is probably the easier option.

    What's so foolish about having a userid of '1' Adam? You use it yourself on your own site. :rolleyes:
  18. SneakyDave

    SneakyDave Well-Known Member

    Just changed all my passwords from "12345"

    Adam Howard, Jeremy, Boothby and 2 others like this.
  19. Ingenious

    Ingenious Well-Known Member

    Do you mean the username "admin"? You can change it easily enough using phpMyAdmin to just edit the username in the database. However, for new installs you apparently get the option to change the name when you're setting up.
  20. SneakyDave

    SneakyDave Well-Known Member

    Yes, you can run a query to change it, but if it was easy enough to change it that way, why doesn't WordPress let you change it in the user admin section? It seemed to me that it might break a bunch of other things, changing the username, if WP actually says "User name can not be changed" in the administration panel.

    This site seems to ignore the WP warning regarding user names, and claims that changing the username is as simple as updating it in the wp_users table:

    This commenter thinks that other username data has to also change in the database....
