Botnet Brute-Force Attacks WordPress Sites – Update Your Logins

Over the past two weeks, webhost companies and security monitoring services for websites, have warned of large scale Botnet Brute-Force attacks underway to compromise WordPress sites.

Botnets Using Brute-Force Programs

What are these Brute-Force login attacks? These attacks by botnets are automated programs from virus-infected PCs, used to target your WordPress login page. These botnets use Brute-Force methods to deploy dictionary/popular password programs to figure out your password to your website. Specifically, if you are using "Admin" as your user login, you are at risk (also weak passwords leave you vulnerable as well).

What Does it Mean for You and Your WordPress Site?

If your site has been breached, a backdoor portal is installed to become part of this botnet to compromise other websites and networks. Should this happen, you risk losing your site, an investment of significant time and money. Unless you backed up your site prior to being compromised, you may have to pay for a malware clean up or worse, have to scrap it and start from scratch. Ouch!

Easy Fix – Change Your WordPress Logins

Step 1: Is your username "Admin"? If not, you are probably okay to skip to the next step. To change your username – the easiest way is to do the following:

1. Login to your WordPress dashboard – http://www.yourdomain.com/wp-admin.php,
2. Go to the "Users" tab and click on "Add New,"
3. Create a new username (something unusual would be best),
4. Enter the email field (you need something that isn’t being used by your current admin user account),
5. Create a random 12-character password (password generator),
6. Select "Administrator" for the Role,
7. Click on "Add New User" and log out,
8. With your new user account, login to the WordPress dashboard,
9. Click on the "Users" tab and click on "All Users" below the "Users" tab,
10. Click the check box next to the "Admin" username,
11. With the dropdown bar select "Delete" and the button "Apply",
12. If you have existing blog posts, it will ask you "attribute all posts and links to:" – be sure to pick your new user login. Confirm the deletion,
13. Go back to your new username under "All Users" under the "Users" tab in the dashboard and click "Edit", and
14. Change the display name field to something other than your username login (this is mainly for authors of blog posts.) Click "Update Profile." This step will make it harder for hackers to identify your username.

You now have a new admin user login without the exploitable "admin" username.

Step 2: You have an unusual username but need a stronger password:

1. Login to your WordPress dashboard – http://www.yourdomain.com/wp-admin.php,
2. Go to the "Users" tab and click, then click on "All Users,"
3. Hover your mouse under the username and click on "Edit,"
4. Scroll to the bottom and enter under "New Password" fields a 12-to-20-random character password (click here for a password generator),
5. Click on "Update Profile" at the bottom of the page to confirm your updated password,
6. Go back to your username under "All Users" under the "Users" tab in the dashboard and click "Edit", and
7. Change the display name field to something other than your username login (this is mainly for authors of blog posts). Click "Update Profile." This step will make it harder for hackers to identify your username.

Voila – all set! This will help protect you from the Botnet Brute-Force attacks.

Although nothing is 100%, there are more steps you can do to protect your WordPress site.

Check out our maintenance package; we help your site stay safe!

More about the mass scale Botnet Brute-Force attacks on WordPress:

• Homeland Security notice about WordPress sites being targeted
• KrebsonSecurity detailed post