WordPress Attacks – Time to Change the “Admin”
April 23, 2013
Matt Mullenweg, the creator of WordPress suggests, “If you still use “admin” as a username on your blog, change it, use a strong password”.
Released on May 27, 2003, by founders Matt Mullenweg and Mike Little, WordPress powers around 17% of the world’s websites, according to a survey by W3Techs.
The statistics confirm the worldwide popularity of WordPress. No points for guessing the reasons, which are quite obvious:
- WordPress is user-friendly.
- It is easy and quick to set up a simple site.
- You can easily manage large amounts of content.
- Somebody who doesn’t know how to code PHP is still able to add functionality, thanks to a large developer community that creates tons of free plugins.
But unfortunately, the reasons that account for its popularity are also responsible for its massacre. When things are easy, people with less expertise and knowledge tend to ignore a very important thing – Information Security.
Initially, users started to choose simple passwords and the default username, “admin”, which soon became a trend. A botnet, a set of internet-connected programs that communicate with other similar programs to perform tasks, specifically targeted WordPress users who kept “admin” as their username and tried thousands of possible passwords against each site, finally gaining access to “tens of thousands” of blogs.
Matt Mullenweg, the WordPress founder, wrote in his blog, “Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username”.
He further added, “Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem)”.
Mr. Mullenweg may extricate himself by putting the blame on naïve users, but it is still a security weakness that allows an unidentified group of hackers to launch a “brute-force attack” on WordPress installations and, in turn, to assemble a huge “botnet” of infected servers.
WordPress has a history of vulnerabilities, probably because of the weak links it offers to hackers. Wikipedia compiles a list of WordPress vulnerabilities:
- “In January 2007, many high-profile search engine optimization (SEO) blogs and low-profile commercial blogs featuring AdSense were targeted and attacked with a WordPress exploit.”
- “In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software.”
- “In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, cites problems with WordPress’s application architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities.”
A report by Dan Goodin in Ars Technica stated, “The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported.”
The report continued, “At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today”.
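The pattern described above, one username (“admin”) hammered from tens of thousands of source addresses, is what a site owner should look for in login logs, and it is why a per-IP lockout alone is not enough. The script below is an added example, not code from this article or from WordPress itself; it assumes a constructed login-audit log format (`<timestamp> <client_ip> wp-login <username> <OK|FAIL>`, as a login-audit plugin might write it) and flags both a single noisy source and a username attacked from many distinct IPs.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). Assumed format, as a
# WordPress login-audit plugin might write it:
#   <timestamp> <client_ip> wp-login <username> <OK|FAIL>
SAMPLE_LOG = """\
2013-04-12T10:00:01Z 198.51.100.10 wp-login admin FAIL
2013-04-12T10:00:02Z 198.51.100.11 wp-login admin FAIL
2013-04-12T10:00:03Z 198.51.100.12 wp-login admin FAIL
2013-04-12T10:00:04Z 198.51.100.13 wp-login admin FAIL
2013-04-12T10:00:05Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:00:06Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:00:07Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:00:08Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:00:09Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:00:10Z 203.0.113.7 wp-login admin FAIL
2013-04-12T10:01:00Z 192.0.2.5 wp-login editor_jane OK
2013-04-12T10:01:30Z 192.0.2.6 wp-login editor_jane FAIL
2013-04-12T10:01:45Z 192.0.2.9 GET /index.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) wp-login (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (ip, username, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"

def analyze(log_text, per_ip_threshold=5, distinct_ip_threshold=3):
    """Return (noisy_ips, sprayed_users).
    noisy_ips: sources with >= per_ip_threshold failed logins (classic brute force).
    sprayed_users: usernames failed against from >= distinct_ip_threshold different
    IPs (distributed botnet; per-IP limits alone would miss this).
    """
    fails_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for ip, user, ok in parse(log_text):
        if not ok:
            fails_by_ip[ip] += 1
            ips_by_user[user].add(ip)
    noisy_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold)
    sprayed_users = sorted(u for u, ips in ips_by_user.items() if len(ips) >= distinct_ip_threshold)
    return noisy_ips, sprayed_users

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # → (['203.0.113.7'], ['admin'])
```

A username that shows up in `sprayed_users` while no single IP trips the per-source threshold is the signature of the distributed campaign described above.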
The Immediate Measures
There has been enough talk about the WordPress massacre, but what about solutions? What can we do to prevent something like this in the future? Here are some ways to avoid the formation of any future “botnet”:
Choose a Smart Username and Password
As Matt Mullenweg, the creator of WordPress suggests, “If you still use “admin” as a username on your blog, change it, use a strong password”. Still sticking to “admin” as a username is fatal: it hands the attacker half of the credential for free. Make sure your username is not something a hacker can simply guess.
Choose a strong password.
It should ideally be at least eight characters long and mix uppercase and lowercase letters and numbers, with at least one ‘special’ character such as ^, %, $, #, @ or *.
Use Two-Factor Authentication
Two-factor authentication is the latest buzzword in Information Security. Twitter opted for it after suffering a hacker attack.
Apple and Microsoft, along with many other companies, have also turned to two-factor authentication to keep their users’ data safe. Even Matt Mullenweg recommends it, saying in his blog, “if you’re on WP.com turn on two-factor authentication”.
Use the Latest Version of WordPress
Use the latest version of WordPress for your website, as it brings new features and, more importantly, the latest security fixes. Read what Mullenweg says: “Make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem”.