WordPress Admin Brute Force Password Hack | Web Development Services by Ed Nailor
Recently, a client of the company I am working for contacted me because their WordPress-based website was “messed up.” This website was developed prior to me joining the firm, but I was happy to take a look. After reviewing the website, it was apparent that the website had been hacked.
It appears at first glance that this was an Admin Brute Force Password hack, which is not an uncommon hack that affects WordPress websites. As a matter of fact, this is a common attack on a number of CMS platforms. Any CMS platform that has a master user account with the login name of “admin” is vulnerable to this kind of attack.
The hack is a rather simple one, which is why it isn’t all that uncommon. Since a majority of WordPress and other CMS installations typically create the first and main administrator user with the user name of “admin”, all a hacker must then do is guess at the password. With a typical password (6-8 characters), this can be pretty easy. As a matter of fact, a leading newspaper recently published a report showing that a high number of people use a simple password; the most common was actually 123456.
Hackers will use simple programs that will continually guess at the password until they get in. This is known as brute force, as they just keep going until they win. And since they already have the user name (“admin”), their job is simply to guess the password.
Securing your website against this type of attack is rather easy. Most people don’t do it simply because they don’t know to do it.
First, log in under the admin user name and click over to edit your user profile (in WordPress, you can click on your user name in the top right corner to get to your profile quickly.) Once on the profile page, change your email address to something generic. Since most CMS programs do not allow multiple users to share an email address, this is how we will be able to use our real email address when we set up the new user. Once you have made the email change, update your profile.
Next, you will add a new user. In WordPress, click on “Users” and then “Add New.” Here you will add your new administrative user. Think of something unique for the admin, not just “admin1” or something simple. Maybe “superadmin24” or “webmastersurpreme” would be good for you! No matter what it is, make it different than just “admin,” enter your real email address for this user, and create a good password (8-12 characters, with a combination of upper and lower case letters, numbers and special characters such as * _ – @ #). Make sure you assign this new user the role of “administrator”; this is very important! One final thing… make sure your new admin name is not disclosed on the website. In WordPress, you can change the “public display” name to anything you wish. If you don’t change how the name is displayed publicly, all your work is in vain, as you just gave away the user login name! Once you have added this new user, log out of the CMS.
Finally, log back in to the CMS with your new user and password, return to the “Users” page and delete the “admin” user. In WordPress, you will be given the option of assigning all posts and pages to the new user. Make sure you do so or you will lose all that content!
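The same three steps can be scripted with WP-CLI instead of clicking through the dashboard. This is an added example, not part of the original post: it assumes WP-CLI is installed as `wp` and run from the WordPress root, and `replace_admin_user` and its four arguments are hypothetical names you fill in yourself.

```shell
#!/bin/sh
# Added example: the three manual steps above, scripted with WP-CLI.
# Assumes WP-CLI is installed as `wp` and is run from the WordPress root.
# replace_admin_user is a hypothetical helper name; all arguments are yours.
#
# usage: replace_admin_user NEW_LOGIN REAL_EMAIL DISPLAY_NAME PARKED_EMAIL
replace_admin_user() (
    set -u
    new_login=$1 real_email=$2 display_name=$3 parked_email=$4

    # Reject logins that are as guessable as the one being removed.
    case "$new_login" in
        admin|admin[0-9]*|administrator)
            echo "refusing guessable login: $new_login" >&2; exit 2 ;;
    esac
    # The public display name must not give the login away.
    if [ "$display_name" = "$new_login" ]; then
        echo "display name must differ from the login" >&2; exit 2
    fi
    # Nothing to do when no "admin" account exists.
    if ! wp user get admin --field=ID >/dev/null 2>&1; then
        echo "no 'admin' user found" >&2; exit 0
    fi

    # Step 1: move "admin" to a generic address so the real one is free.
    wp user update admin --user_email="$parked_email" >&2 || exit 1

    # Step 2: create the new administrator. Without --user_pass WP-CLI sets a
    # random password; --porcelain prints only the new user ID, so set the
    # real password afterwards through the normal reset flow.
    new_id=$(wp user create "$new_login" "$real_email" \
        --role=administrator --display_name="$display_name" --porcelain) || exit 1

    # Step 3: delete "admin", reassigning its posts and pages to the new user.
    wp user delete admin --reassign="$new_id" --yes >&2 || exit 1
    echo "$new_id"
)
```

On success the function prints the new administrator's user ID; it exits with status 2 without touching the site when the chosen login or display name would undo the point of the change.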
There you have it! You have removed the “admin” user and replaced it with something more unique and more secure. Now a hacker will have to guess at both the user name and the password to gain entry this way, and most will give up after a few tries and move on to easier prey!
I hope this helps you secure your websites a bit more. Fixing hacked websites can be a messy thing to do, and inevitably, you end up losing some content… sometimes all of it. So until the CMS systems offer you an option during installation, you can help protect yourself from this attack.
PS. It is worth noting that this website was developed prior to my employment with Creative Services. WordPress / CMS websites that I develop are not released with the “admin” user in place. So hackers, I can save you the trouble of even trying!