
11 Comments

  1. Posted April 23, 2013 at 8:18 am

    I was a bit taken aback when one of my web hosts contacted me to let me know WordPress was under attack. I follow many sites to help remain aware of new attacks, but apparently many end users don’t do this and are sometimes caught by surprise. The key, as you note, is to be proactive about your site security. Waiting for an attack and then responding to it is not a viable strategy for end users as the time between attack and realization that you are under attack can be hours, days, sometimes weeks. We need to be able to respond if someone breaches the walls, but having good walls and locks on the doors in the first place is just as vital.

    • Posted April 23, 2013 at 10:34 am

      I, too, have been dazed by the lack of simple protection, such as making a solid username and password combination. You are right that it is hard to keep track of all the security issues, deciding who and when to trust and picking our battles depending upon our lives – then screaming when things go wrong.

      This is why I believe it is critically important that WordPress (and others) take a more active role in pushing out information to their users, be it through the WordPress Admin notifications, email alerts, or a single site that provides the useful information users need. So far, it is still hit and miss through official sources, mixing things up between dot com and org. We need to make it easier for users, hosts, and our publishing platforms to let us know when to really worry, and when to just play smart. Tough job.

  2. Posted April 23, 2013 at 2:26 pm

    I find the comment ‘don’t use “admin” as your user name’ both amusing and frustrating. I use the latest version of WordPress where, as you probably know, the admin name, as a user name, cannot be changed. Perhaps a change will be possible with 3.6, perhaps it will merely remain as an unusable recommendation.

    One thing I miss from your list of recommendations is ‘change your password regularly’, a simple and effective method which can also assist against ‘accidental’ breakages.

    Viktoria Michaelis.

    • tektroy
      Posted April 23, 2013 at 4:45 pm

      You cannot rename an account, but you can achieve the same result by creating a new account with the administrator role or adding the role to an existing account, and then deleting the default admin account.

    • Posted April 23, 2013 at 8:51 pm

      To Change the Admin Name

      Good point. The articles I referenced include instructions but here are the basics.

      To change the admin name for older installations of WordPress, you can do so through the database or with a WordPress Plugin such as Admin username changer and Admin renamer extended if you are on the self-hosted or managed version of WordPress.

      For WordPress.com and those wishing to do this an easier way, create a new user. You need a different email account as part of the registration, which can easily be done by adding a plus and word to most email accounts like yahoo and google such as myemail+wordpress@gmail.com. WordPress recognizes it as a distinct email address while Gmail ignores the plus and word. Set the username to whatever you want, set the user to be the administrator, and set up the account. Attribute all posts to this user, then delete the original Admin. You can then change the email back to the original. It is explained well in Change your WordPress admin Username by Digitalk Online.

      As for reminders to change your password regularly, if the password is strong enough, and you are conservative and careful about exposing it, you may not have to change your password very often. If you are on public computers and shared networks, exposing your password to the evil masses, then put a date in your calendar to remind yourself on a regular basis. This is a personal decision and preference, not a necessity.

      Thanks.

    • Posted April 24, 2013 at 1:06 am

      Many thanks, both. I had also read the linked post on changing the admin designation, but find it to be a very tedious means of handling a possible problem, especially for new users. The option of changing the name right at the time of installation would be far better and, of course, ensure more security.

      Viktoria Michaelis.

    • Posted April 24, 2013 at 10:55 am

      I completely agree. This has always been a whine of mine. In a way it serves as protection since it cannot be changed by you or anyone through the Administration Panels. Being able to shift and change it at will is also a form of security, too. If it is changed to make it “easier” I hope the dev team will make the changing process have multiple verification steps to ensure protection of the admin username.

      Thanks!

  3. Posted April 24, 2013 at 4:48 pm

    Where to begin… Obviously, WP is free, so we can’t whine and cry too hard – yet we (and I!) do, as there is so much to be desired for. And, also very obviously, we can hardly fathom what is needed to crunch out a new version that is better, sleeker and more secure – all the while not breaking (too many) plugins and themes when users update their install. In that sense they are truly becoming Windows (with its endless backward compatibility – and holes…).

    The admin account being one of the main security-issues, it should be fairly simple to install WP with a different admin-name (anything but ‘admin’) – as defined in WP-config? If that is not possible, just install with ‘admin’, but strip it from all admin-functionality once the dashboard displays – only being able to create a new admin-user before posting or installing any theme or plugins – that takes over once the ‘admin’-account has been removed (and after logging in again).

    I also wonder why it is impossible to hide the admin-account name. My admin-name is clearly visible in urls like these: http://www.example.com/author/admin-account/. It totally doesn’t make sense: in the user-settings I enter a different ‘nickname’, plus another name to ‘publicly display’, yet the url reveals the login/user-name! So basically, removing the ‘admin’-account hardly helps (other than thwarting automated scripts, hoping for ‘admin’ still being active). Just write a script to strip an author-url and use that for brute-forcing. Why? Because most ‘authors’ are also the admin/owner – they have only one account to log in for both posting and maintenance. A better way would be to create 2 accounts: one as admin, another for posting only. But it would require logging in and out repeatedly – very tedious and frustrating – not really feasible.

    Anyway, one of my sites was hammered weeks before the final attack (then that weekend it all made sense): the wordfence.com alerts kept coming in. It did block them, but it made me upgrade to the paid version – so I can now block countries (based on IP) – but obviously, that won’t work for all sites (our site gets 90% of its visits from 10 countries), though how many legit visits does one get from Ukraine? And, say the US being un-blocked, you still have hackers based there. So it is not 100%, but it works very well.
    In the meantime, I taught my client to rename wp-login.php via FTP to something like ‘111-wp-login.php’ – that way the login-page gives an error, thwarting the attempts. Slightly inconvenient, but within 30 seconds one gets much better protection.
    And, I just installed Stealth Login Page WordPress Plugin – works great as well!

    Great article, good resources – so much more to read!
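The alerts this commenter describes can also be reproduced from plain web server access logs. The following Python script is an added example, not code from the original post, Lorelle's site or any plugin named here; it assumes Apache/Nginx "combined" log format and WordPress's default behaviour of answering a wrong password with HTTP 200 (the form re-rendered) and a correct one with a 302 redirect to wp-admin. The log lines, IP addresses (from documentation ranges) and the `/author/admin-account/` path are constructed for the example. It flags IPs with many failed POSTs to the login page inside a time window, lists IPs that eventually logged in after failing, and counts lookups of author pages, which, as the comment notes, expose login names.

```python
"""Spot password-guessing against wp-login.php in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2013:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2013:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2013:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2013:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2013:08:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Apr/2013:08:05:10 +0000] "GET /author/admin-account/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Apr/2013:08:05:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2013:08:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "http://www.example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2013:08:06:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2013:08:06:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 45210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def login_attempts(log_text, login_path="/wp-login.php"):
    """Per-IP list of (time, succeeded) for POSTs to the login page.

    WordPress re-renders the form with HTTP 200 on a bad password and answers a
    correct one with a 302 redirect, so the status code separates failures from
    successes without needing application-level logs.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            attempts[rec["ip"]].append((rec["time"], rec["status"] == 302))
    return attempts


def flag_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: most failures seen inside any `window`} for IPs reaching `threshold`."""
    flagged = {}
    for ip, events in login_attempts(log_text).items():
        failures = sorted(t for t, ok in events if not ok)
        start = peak = 0
        for end, t in enumerate(failures):          # sliding window over sorted failure times
            while t - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def success_after_failures(log_text):
    """IPs that failed at least once and then logged in: worth checking which account that was."""
    result = []
    for ip, events in login_attempts(log_text).items():
        failed_before = False
        for _, ok in sorted(events):
            if ok and failed_before:
                result.append(ip)
                break
            failed_before = failed_before or not ok
    return result


def author_page_hits(log_text):
    """Count GET requests to /author/<name>/ pages per IP; those pages reveal login names."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"].startswith("/author/"):
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("brute-force candidates:", flag_brute_force(SAMPLE_LOG))
    print("success after failures:", success_after_failures(SAMPLE_LOG))
    print("author page lookups:", author_page_hits(SAMPLE_LOG))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; if you have renamed the login page as the comment suggests, pass the new path as `login_path` so that hits on the old name show up as pure noise and hits on the new one are the ones to watch. The status-code heuristic is only as good as the default WordPress behaviour, so verify it on your own install before acting on the counts.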

    • Posted April 25, 2013 at 9:36 am

      I agree with you, as stated in the article, that the username issue is a security risk. I’ve claimed this for many years with WordPress and hopefully this will be finally changed. As with most things that influence human direction, unfortunately it is usually driven by crisis rather than common sense.

      Blocking by country has long been thought to be a way of protecting your site from comment spam and attacks. It has never been proven to consistently work as there are ways around these with proxies, as you have found out I’m sure.

      Interesting idea on changing the wp-login.php file name. All good suggestions.

      As we learn to respond to each of these issues, so will the attackers, so it is a battle of staying more than one step ahead of them. Thanks.

    • Posted April 25, 2013 at 10:46 am

      True – never ending cycle. But just as in the real world, they go for the easy targets: my bigger lock makes them try my neighbors. In that sense we should be grateful for the ones that do not update, change admin or (re)use weak passwords – it keeps the hackers busy and away from the harder targets.

    • Posted April 25, 2013 at 3:38 pm

      I’m with you!


5 Trackbacks/Pingbacks

  1. [...] “The Brute-Force Password Attack on WordPress Sites” on Lorelle on WordPress I explain the recent brute-force password attacks are on WordPress [...]

  2. [...] Read more… [...]

  3. [...] but I use my own name, Arie Nouwen. The reason is the recent stream of reports – including this one from Lorelle – about attacks by hackers on websites running on WordPress. One of the preventive [...]

  4. [...] The Brute-Force Password Attack on WordPress Sites [...]

  5. [...] Source [...]
