When WordPress is installed, it defaults the username to “admin”. Everyone knows that, including the hackers who want to exploit your website. Using the default admin username makes brute force attacks easier by cutting the hacker’s challenge in half.
What are brute force attacks on WordPress?
Simply put, brute force attacks use an automated program to guess and check every combination of username and password in order to gain access to your website. So if the attacker already knows the username, breaking into your website is much easier. Brute force attacks are by no means elegant, but they are effective, and they are the most common type of attack on WordPress websites. In fact, brute force attacks are on the rise worldwide.
Don’t kid yourself into thinking that your site isn’t big enough or important enough to hack. With automated software tools, hackers are simply searching the web for any website to hack. They are not prioritizing their efforts by first selecting sites they want to exploit. They just have computers running 24/7 doing their dirty work.
What Should I Do?
If you’re using the default username (“admin”), change it to something less obvious. Note that WordPress does not allow you to change your username directly. Instead, simply create a new user account with your desired username, then delete the old user account and assign that user’s posts to the new user.
You should also make sure that your password is strong. If it isn’t, consider using a strong password generator to help select a new one.
If we provide exclusive management for your website, we’ve already made this update. If you manage your WordPress website yourself, or we co-manage it with you, you’ll need to handle this change.
Are There Additional Safeguards I Can Put in Place?
In short, yes. There are several additional methods that are recommended. Our WordPress Protection, Monitoring and Recovery (PMR) service includes many of them. One of the methods used is a real-time firewall that blocks IP addresses after a specified number of login attempts or forgot-password attempts are made. This effectively stops brute force and other attack types immediately. But again, this is simply one of many methods employed to protect WordPress websites.
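The lockout rule described above, sketched as an added example (not code from the PMR service or from WordPress): it counts POSTs to wp-login.php per IP address in a sliding window over constructed access-log lines. The threshold of 5 attempts, the 5-minute window, the combined log format and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def ips_to_block(log_text, max_attempts=5, window=timedelta(minutes=5)):
    """Map each IP that reaches max_attempts POSTs to wp-login.php inside
    the sliding window to the time it crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not access-log entries
        ip, ts, method, path = m.groups()
        # Login and lost-password submissions are both POSTs to wp-login.php
        # (the latter with ?action=lostpassword); viewing the form is a GET.
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= max_attempts and ip not in blocked:
            blocked[ip] = t
    return blocked

def sample_line(ip, hms, request, status=200):
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "{request} HTTP/1.1" {status} 1523 "-" "-"'

# Constructed sample traffic (documentation-range IPs, not real logs).
SAMPLE_LOG = "\n".join(
    # one client: four logins and a lost-password request within 45 seconds
    [sample_line("203.0.113.7", f"10:00:{s:02d}", "POST /wp-login.php") for s in range(0, 40, 10)]
    + [sample_line("203.0.113.7", "10:00:45", "POST /wp-login.php?action=lostpassword")]
    # an ordinary user: loads the form, then logs in once
    + [sample_line("198.51.100.20", "10:01:00", "GET /wp-login.php"),
       sample_line("198.51.100.20", "10:01:05", "POST /wp-login.php", 302)]
    # a client that submits once an hour: five attempts, never inside one window
    + [sample_line("192.0.2.44", f"{h}:30:00", "POST /wp-login.php") for h in range(10, 15)]
)

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip}: reached 5 attempts in 5 minutes at {when:%H:%M:%S}")
```

Only the first client is flagged with the default settings; the hourly client stays under a 5-minute window, which is why the rule is paired with a non-default username and a strong password.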
We’re here to help. If you have any questions, need help changing your username or password, or want to discuss full protection for your website, please contact us today.