Have you ever heard of the word “admin”? It’s short for administration or administrative. It’s also the default user ID on millions of WordPress websites, which leaves those sites open to being hacked and compromised.
Thanks to the incredibly large number of WordPress users, and the many active and eager developers offering their predefined templates and plugins for free or at low rates, you can create your own WordPress website in literally minutes without knowing any PHP or other computer code. Whether you use WordPress.com, a simple blogging platform that requires little computer experience and no setup, or WordPress.org, a more customizable platform often used to build personal or business websites, chances are you are using WordPress because it is easy, effective, and sometimes even fun.
However, the predefined “admin” username for the login is the source of the problem. Because the username is already known, hackers need only guess the password to crack millions of potential websites and gain access to precious information, or to use your site to spread spam, viruses, or other destructive data.
Who is behind the hacking hasn’t been identified yet, though it is believed the source is only a few small, personal computers. Nonetheless, the attack is powerful and incredibly dangerous. According to researchers from at least three Web hosting services, “unnamed attackers are using more than 90,000 IP addresses to crack administrative credentials of vulnerable WordPress sites” (Anthony Kosner, forbes.com). The hackers are using a botnet, more commonly described as a group of private computers infected with malicious software and controlled as a group without the owners’ knowledge. The attack has already begun and can be expected to continue to affect users in the coming weeks as the botnet grows and becomes more powerful.
HostGator is a popular website where WordPress users pay a yearly fee to access space on its servers. HostGator, a hosting service, estimates 90,000 personal IP addresses have been hacked. CloudFlare, another hosting service, estimates 100,000 (techcrunch.com).
A report from website security firm Incapsula stated that botnets are searching for installs of the popular WordPress platform and then trying the most commonly used username and password combinations. This allows the botnets to guess credentials and effectively log in to many WordPress sites. Incapsula co-founder Marc Gaffan told KrebsOnSecurity that “infected sites will be seeded with a backdoor that lets the attackers control the site remotely – the backdoors persist regardless of whether the legitimate site owner subsequently changes his password.”
Arguably the biggest concern with this current attack is not the immediate threat but that it could lead to a larger hack, carried out by more computers, on more servers, with more power, giving the hackers private access to WordPress sites and platforms and to an incredible amount of personal and confidential information.
As more people turn to the internet not just as a resource, but as the backbone and structure of their everyday lives, the threat of attacks, both personal and collective, is going to grow exponentially. For many, this WordPress attack may already be too late: the hackers may have already accessed your account. However, it’s never too late to be vigilant and to increase security and other measures to protect yourself, your clients, your visitors and your site.
Start immediately by changing your user ID from ‘admin’ to something that no one, and no botnet, can guess. This is also a good time to change your password for the very same reasons. The harder it is to guess, by adding unexpected characters, numbers and other symbols (^%$#&@*) as well as names with initial or other capital letters, the more difficult it will be to infiltrate. There are also many third-party plugins available to WordPress users that add extra protection to your site. These include plugins that limit the number of login attempts, or that specify which IP addresses WordPress can be accessed from. For a list of other simple but effective ways to protect your WordPress site, see these tips from Forbes.com: (http://www.forbes.com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-to-avoid-the-coming-botnet/)
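The login-attempt limiting described above works per source IP, which a botnet spread across tens of thousands of addresses can sidestep by making only a few guesses from each. This added example, not from the original article or from any WordPress plugin, reads constructed web-server access-log lines and flags both patterns: a single IP hammering wp-login.php, and a low-and-slow spread of failed logins across many IPs. It assumes the Apache/nginx “combined” log format and the WordPress behaviour that a failed login POST re-renders the form (HTTP 200) while a successful one redirects (HTTP 302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.3 - - [13/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def max_in_window(stamps, window):
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def wp_login_failures(log_text):
    """Map source IP -> sorted timestamps of failed wp-login.php POSTs.
    Heuristic: WordPress answers a failed login with the form again (200) and a
    successful one with a redirect (302), so a 200 on the POST is a failure."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def flag_bruteforce(log_text, per_ip_limit=5, total_limit=6, window=timedelta(minutes=10)):
    """Return (noisy_ips, distributed): IPs that reach per_ip_limit failures in one
    window (what a per-IP lockout catches), and whether failures summed over ALL
    IPs reach total_limit, the low-and-slow pattern a many-IP botnet uses."""
    failures = wp_login_failures(log_text)
    noisy = sorted(ip for ip, ts in failures.items() if max_in_window(ts, window) >= per_ip_limit)
    all_ts = sorted(t for ts in failures.values() for t in ts)
    return noisy, max_in_window(all_ts, window) >= total_limit
```

On the sample, the per-IP check flags only 203.0.113.7, while the aggregate check still fires because the three single-attempt addresses push the total over the limit; the 302 from 192.0.2.10 is counted as a real login and ignored.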