WordPress Hackers Exploit Username Admin

Thousands of WordPress sites with accounts that use the common default username admin have been hacked. One theory: the creation of a large WordPress botnet.

Anonymous: 10 Things We Have Learned In 2013 (click image for larger view and for slideshow)
Attention, WordPress users: If you have a WordPress username set to admin, change it immediately.
That warning was issued Friday by WordPress founder Matt Mullenweg, in the wake of reports that thousands of WordPress sites with an administrator username set to admin or Admin had been
compromised via large-scale brute force attacks
. Service provider HostGator, notably, reported Thursday that this attack is well organized and ... very, very distributed; we have seen over
90,000 IP addresses involved
in this attack.
According to survey website W3Techs, approximately 18% of all websites -- by some estimates, about
64 million sites -- run WordPress
.
[ Could a hacker use a smartphone to bring down your plane? Read
Airplane Takeover Demonstrated Via Android App
. ]
Successfully exploited sites get a backdoor installed that provides attackers with ongoing access to the WordPress site, regardless of whether a user subsequently changes the password guessed by attackers. Exploited sites are then used to scan for WordPress installations, and launch the same type of attack against those sites.
Thankfully, a quick solution to the attacks is at hand: ensure no WordPress site uses any of the targeted usernames, which include not just admin and Admin but also test, administrator and root.
Anecdotal evidence suggests that many WordPress installations are still using the default setting of admin for their administrator account. Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a
custom username on installation
, which largely ended people using admin as their default username, said Mullenweb in a blog post. If you still use admin as a username on your blog, change it, use a strong password, if youre on WP.com turn on two-factor authentication, and of course make sure youre up-to-date on the latest version of WordPress.
But what are attackers after? The discussion at the moment is the
creation of a large WordPress botnet
. While we havent seen evidence of this, its an interesting theory, said Tony Perez, COO of security firm Sucuri, in a blog post. He noted that WordPress botnets have already been used by
brobot -- aka itsoknoproblembro -- toolkit-using
attackers whove been compromising large numbers of legitimate sites and using them to launch distributed denial-of-service (DDoS) attacks
against U.S. financial institutions websites
. A self-described Muslim hacktivist group, al-Qassam Cyber Fighters, has taken credit for the months-long attack campaign. But theres no evidence that the WordPress admin-account attacks are being conducted by the same group.
The WordPress admin attacks arent new, but theyve recently tripled in volume. We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than
100,000 attempts per day
in the last few days, said Sucuri CTO Daniel Cid in a blog post. That means that the number of brute force attempts more than tripled.
According to Cid, of the approximately 1,000 different password guesses used by attackers, the six most commonly guessed passwords are admin, 123456, 666666, 111111, 12345678 and qwerty.
The advice to change frequently used admin-level credentials -- and to
use a strong password
-- applies to users of both the hosted WordPress.com site that offers hosted blogs, as well as the standalone WordPress software that is downloadable
from WordPress.org
. To date, however, only WordPress.com
offers two-factor authentication
built in. But
two-factor authentication
can be added to standalone WordPress installations using software from Duo Security that can generate one-time codes for log-ins, via either a smartphone app or SMS.
Other defenses against the WordPress attackers include using a Web application firewall to block the attacks. Other users, meanwhile, have reported using a variety of WordPress plug-ins -- including
Lockdown WP Admin
,
Better WP Security
and
Bulletproof Security
-- or simply
restricting access to wp-admin
, which provides access to the WordPress admin console, to approved IP addresses.
Eliminating the account names most often targeted by attackers, however, might be the quickest and least expensive solution for most users, at least in the short term. Do this and youll be ahead of 99% of sites out there and probably never have a problem, WordPress founder Mullenweg said. Most other advice isnt great -- supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plug-in isnt going to be great (they could try from a different IP a second for 24 hours).
People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital
How Hackers Fool Your Employees
issue of Dark Reading: Effective security doesnt mean stopping all attackers. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
WordPress Hackers Exploit Username Admin