Since 1999
Matt Mullenweg, the creator of WordPress suggests, “If you still use “admin” as a username on your blog, change it, use a strong password”.
Released in May 27, 2003, by founders Matt Mullenweg and Mike Little, WordPress powers around 17% of the world’s websites, according to a survey by W3Techs.
The stats prove the worldwide popularity of WordPress. No points for guessing the reasons that are quite obvious.
But unfortunately, the reasons that account for its popularity are also responsible for its massacre. When things are easy, people with less expertise and knowledge tend to ignore a very important thing – Information Security.
Initially, users started to choose simple passwords and the default username, “admin”, which soon became a trend. Botnet, which is a set of internet-connected programs that communicate with other similar programs to perform tasks, specifically targeted WordPress users having “admin” as the username and tried thousands of possible passwords to finally gain access to “tens of thousands” of blogs.
Matt Mullenweg, the WordPress founder, wrote in his blog, “Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username”.
He further added, “Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem)”.
Mr. Mullenweg may extricate himself by putting the blame on naïve users. But actually it’s the security weakness that allows an unidentified group of hackers to launch a “brute attack” on WordPress installations, hence forming a huge “botnet” of infected servers.
The WordPress has a history of vulnerabilities, probably because of the weak links it provides to the hackers. Wikipedia compiles a list of WordPress vulnerabilities.
A report by Dan Goodin in Ars Technica quoted, “The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported.
The blog post continued, “At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today”.
There are enough talks about the WordPress massacre but what about the solutions. What can we do to prevent something like this in the future? Here is some ways to avoid the formation of any future “botnet”:
As Matt Mullenweg, the creator of WordPress suggests, “If you still use “admin” as a username on your blog, change it, use a strong password”. Still sticking to “admin” as a username is fatal. Make sure the hacker is not able to crack your username.
It should ideally be a mix of at least eight upper and lowercase letters, numbers, with a minimum one of the ‘special’ characters such as (^%$#@*)!
Two-factor authentication is the latest buzzword in Information Security. Twitter opted for it after suffering a hacker-attack.
Apple and Microsoft along with so many other companies have also considered two-factor authentication to ensure safety of their database. Even Matt Mullenweg recommends it as he says in his blog “if you’re on WP.com turn on two-factor authentication”.
Use the latest version of WordPress for your Website as it comes with advanced features and is more secure. Read what Mullenweg says, “Make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem”.
