
Hackers target Wordpress

Dodgeboard

Well-known member
#1

ManagerJosh

Well-known member
#2
We've been dealing with those attacks all last week and this week at work. Thankfully no accounts with the username admin, but we've been blocking IPs as fast as we can detect them.
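An added example, not part of any post in this thread: one way to find the IPs worth blocking from a web server access log. It assumes the combined log format and the default `/wp-login.php` path; the log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed logins inside any window} for IPs at or over threshold.

    WordPress answers a failed login by re-rendering the form (HTTP 200) and a
    successful one with a redirect (HTTP 302), so only POSTs that got 200 count.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    peak = defaultdict(int)      # ip -> largest number of failures seen in one window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, sec, method="POST", status=200):
    # Builds one constructed log line; the date and IPs are documentation values.
    return (f'{ip} - - [01/Jan/2024:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')

# Constructed sample: one fast guesser, one user who mistyped once, one slow guesser.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 0, method="GET")]
    + [_line("203.0.113.7", s) for s in range(0, 40, 5)]           # 8 failures in 35 s
    + [_line("198.51.100.20", 0), _line("198.51.100.20", 20, status=302)]
    + [_line("192.0.2.44", s) for s in range(0, 540, 90)]          # 6 failures, 90 s apart
)

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))                              # default: 5 per minute
    print(flag_bruteforce(SAMPLE_LOG, window=timedelta(minutes=10)))
```

The slow guesser stays under the one-minute threshold and only shows up with the ten-minute window, so a per-minute limit alone is not enough to catch paced attempts.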
 

Biker

Well-known member
#8
This is really overblown IMO. If you were to look at your security logs, you'd find the script kiddies have been hammering WordPress vulnerabilities for eons.

They're using a brute force dictionary attack. If your password can be looked up in a dictionary, you have bigger worries than this one.
 

Ingenious

Well-known member
#11
There are a few things you can do with WP to make it a bit more secure. You can .htaccess protect the admin area for a start, then change the admin username to something else (plus make sure your password is very good). I used to get password reset emails sent from the site - someone fishing for (and finding) one of the admin emails, so I would change your registered email address to one NOT used by, or shown on, your site. Finally, you can install a plugin to limit incorrect logins.
 
#13
These attacks actually happen quite a bit, only on a much smaller scale. Aside from changing the default admin username and using a strong password, it is best to add a .htpasswd file to the wp-admin directory with an additional password. It is even better to restrict the wp-admin to an IP address if possible.
 

Adam Howard

Well-known member
#15
People actually use the user name "admin"? :eek:

Wait.... That would mean people also keep using the user id #1 for such things as well? :confused:

^^ I know there are people out there who are still foolish enough to do so.... I just can't imagine why.
 

SneakyDave

Well-known member
#17
Actually, within WordPress code, you can't change the "admin" account to something else. You either have to delete it, and choose what to do with the posts you've created with it, or install something like WordFence to limit password attempts, which is probably the easier option.

What's so foolish about having a userid of '1', Adam? You use it yourself on your own site. :rolleyes:
 

Ingenious

Well-known member
#19
Actually, within Wordpress code, you can't change the "admin" account to something else.
Do you mean the username "admin"? You can change it easily enough using PHPMyAdmin to just edit the username in the database. However for new installs you apparently get the option to change the name when you're setting up.
 

SneakyDave

Well-known member
#20
Yes, you can run a query to change it, but if it was easy enough to change it that way, why doesn't WordPress let you change it in the user admin section? It seemed to me that it might break a bunch of other things, changing the username, if WP actually says "User name can not be changed" in the administration panel.

EDIT:
This site seems to ignore the WP warning regarding user names, and claims that changing the username is as simple as updating it in the wp_users table:
http://wpmu.org/how-to-change-your-wordpress-username/

This commenter thinks that other username data has to also change in the database....
If I remember correctly, the catch with the approach that you suggest is that for WordPress networks the user name is also added to the user meta data as part of a serialized array.
So for networks it’s necessary to also change the name in that array, and then, if the length of the new name doesn’t match that of the old name, to also tweak the data that defines the array’s structure.
I believe that this is why the seemingly straightforward option isn’t available in the WP Admin.