WordPress Under Brute Force Attack: Targeting Admin Usernames

Image fromCloudflare

Image from Cloudflare

It’s been a scary week in the WordPress world.

First, a popular plugin that I’ve used and recommended to my WordPress Workshoppers, Social Media Plugin, was found to be infected with malware that injected unwanted advertising into sites. I have since deleted that plugin, even though it was eventually restored to the WorldPress plugin directory in a form of application probation.

Then, on Thursday, we learned from Ars Technica that an all-out “Brute Force Attack” was being committed on WordPress sites by a powerful Botnet that attacked US banks last year.

The botnet, they said, is seeking out, among other things, default user names like “Admin.”

Holy sharesite, I said to myself. One of my sites has “admin” as the user name! I have to change it.

How to fend off a brute force attack

Change Admin Username

The way you get stuck with the Admin username is during the WordPress install, the server gives “admin” to you and if you don’t change it, you’re stuck with it. I admit I wasn’t paying attention at the time and got stuck with the “admin” username.

Problem is, once an install is launched the username can’t be changed just by simply re-entering a different one. I read about some complicated ways of changing the login by going into files in the server database, but who has time for that?

Then, a suggestion on the Internet gave me a simple answer.

To change your default username, go to Users> Add New and simply add a new user with the role of “Administrator.” Now your site has two Administrators. Copy your personal info from the old Admin user to the new one, which must have a different email address, of course.

Then, log out and log in with the new account, and delete the old “Admin” user. When you delete a user, WordPress automatically asks who should that user’s posts be attributed to. Attribute the posts to your new user account, under whatever name you entered. Delete the Admin user, and boom – the new user is now the Administrator with all the posts properly attributed.

This process took me about 2 minutes to complete.

Install Security Plugins

But that is not all that is recommended to fend off a Brute Force Attack. Expert suggest installing a security plugin to stop the Bot from automatically attempting to login to your site.

I chose Login Security Solution and set the allowed login attempts to 2 and told it to tell me whenever there is a failed login attempt. I also asked it to log me out after 15 minutes if there is no activity.

All day Saturday I laid low and didn’t log into the site. Sunday morning I found eight alerts from Login Security Solution saying, “Attack Happening to Tasting Room Confidential”

The first, dated Saturday 11:07 pm, read:

“There have been at least 10 failed attempts to log in during the past 120 minutes that used one or more of the following components:

Component                    Count     Value from Current Attempt
————————     —–     ——————————–
Network IP                       1     87.253.162
Username                        10     admin
Password MD5                     1     f73c383d54473ee1286209c0102044e3

The Login Security Solution plugin (0.35.0) for WordPress is repelling the attack by making their login failures take a very long time.  This attacker will also be denied access in the event they stumble upon valid credentials.

Further notifications about this attacker will only be sent if the attack stops for at least 120 minutes and then resumes.”

Each attack used the craziest password combinations, but they all tried to use the login, “admin.” Did I dodge a bullet or what?

I’m still nervous, after reading that the host of three of my sites, HostGator, is a major target of the bots.

If your site uses the username, “Admin,” change it immediately! And install a security plugin to warn you of an attack.

Don’t think a brute force attack can’t happen to you.