WordPress Brute-Force Hack

WordPress Target

Source: Cloudflare.com

A few days ago I became aware of an attempt to hack into WordPress sites to create a botnet. Basically, the attackers find websites built on WordPress, then try to brute-force the login to each site.

After I read that article, I installed a plugin that limits login attempts and locks a user out after ‘X’ number of attempts. Within an hour of installing it on all of my sites, I noticed failed login attempts. These kept coming in, and it appears they are only using the username ‘admin’ to try to gain access. An attack like this is most likely trying the username ‘admin’ alongside the most common passwords that people use.

Matthew Mullenweg, founding developer of WordPress, has suggestions for site administrators to make their sites more secure, including not using the username ‘admin’. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).” Mullenweg wrote.

So, if you still use the username ‘admin’, change it immediately, and if you are using a common password, such as ‘1234567’ or ‘qwerty’, change it immediately to something more secure, such as one with letters. howsecureismypassword.net is a great tool to check the strength of your password.
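Mullenweg's point about IP limiting can be seen by replaying the same stream of failed logins through a limiter keyed on source IP and one keyed on username. This is an added example, not code from the plugin or from WordPress; the threshold, the event format and the sample addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5  # assumed: failed attempts allowed per key before lockout


def constructed_attempts(n_ips, per_ip, user="admin"):
    """Constructed sample: n_ips distinct sources, each sending per_ip
    failed logins for the same username, interleaved round-robin."""
    return [
        {"ip": f"10.0.{i // 256}.{i % 256}", "user": user}
        for _ in range(per_ip)
        for i in range(n_ips)
    ]


def simulate(attempts, key):
    """Replay failed logins through a limiter keyed on 'ip' or 'user'.
    Returns (guesses that reached the password check, guesses blocked)."""
    failures = Counter()
    checked = blocked = 0
    for event in attempts:
        k = event[key]
        if failures[k] >= LOCKOUT_THRESHOLD:
            blocked += 1          # key is locked out, guess never tested
            continue
        checked += 1              # guess was compared against the password
        failures[k] += 1
    return checked, blocked


def distributed_targets(attempts, min_ips):
    """Detection view: usernames whose failures come from many distinct IPs."""
    sources = defaultdict(set)
    for event in attempts:
        sources[event["user"]].add(event["ip"])
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    attempts = constructed_attempts(n_ips=1000, per_ip=3)
    print("per-IP limiter      :", simulate(attempts, "ip"))
    print("per-username limiter:", simulate(attempts, "user"))
    print("usernames hit from >=100 IPs:", distributed_targets(attempts, 100))
```

Keying the limiter on username also locks out the legitimate holder of that account while the attack lasts, which is one more reason not to have an account named ‘admin’.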

