Hackers target Wordpress


Well-known member
We've been dealing with those attacks all last week and this week at work. Thankfully no accounts with the username admin, but we've been blocking IPs as fast as we can detect them.
This is really overblown IMO. If you were to look at your security logs, you'd find the script kiddies have been hammering WordPress vulnerabilities for eons.

They're using a brute force dictionary attack. If your password can be looked up in a dictionary, you have bigger worries than this one.
There's a few things you can do with WP to make it a bit more secure. You can .htaccess protect the admin area for a start, then change the admin username to something else (plus make sure your password is very good). I used to get password reset emails sent from the site - someone fishing for (and finding) one of the admin emails, so I would change your registered email address to one NOT used by, or shown on, your site. Finally, you can install a plugin to limit incorrect logins.
These attacks actually happen quite a bit only on a much smaller scale. Aside from changing the default admin username and using a strong password, it is best to add a .htpasswd file to the wp-admin directory with an additional password. It is even better to restrict the wp-admin to an IP address if possible.
People actually use the user name "admin" ? :eek:

Wait.... That would mean people also keep using the user id #1 for such things as well? :confused:

^^ I know there are people out there who are still foolish enough to do so.... I just can't imagine why.
Actually, within Wordpress code, you can't change the "admin" account to something else. You either have to delete it, and choose what to do with the posts you've created with it, or install something like WordFence to limit password attempts, which is probably the easier option.

What's so foolish about having a userid of '1' Adam? You use it yourself on your own site.:rolleyes:
Actually, within Wordpress code, you can't change the "admin" account to something else.

Do you mean the username "admin"? You can change it easily enough using PHPMyAdmin to just edit the username in the database. However for new installs you apparently get the option to change the name when you're setting up.
Yes. you can run a query to change it, but if it was easy enough to change it that way, why doesn't WordPress let you change it in the user admin section? It seemed to me that it might break a bunch of other things, changing the username, if WP actually says "User name can not be changed" in the administration panel.

This site seems to ignore the WP warning regarding user names, and claims that changing the username is as simple as updating it in the wp_users table:

This commenter thinks that other username data has to also change in the database....
If I remember correctly, the catch with the approach that you suggest is that for WordPress networks the user name is also added to the user meta data as part of a serialized array.
So for networks it’s necessary to also change the name in that array, and then, if the length of the new name doesn’t match that of the old name, to also tweak the data that defines the array’s structure.
I believe that this is why the seemingly straightforward option isn’t available in the WP Admin.
Top Bottom