Critical Information for WordPress users

Published: 12th Jun 2013 in News

Protecting your WordPress website from the botnet 'Admin Hack'

If you run a WordPress powered website please read this carefully and follow the steps to secure your WordPress website.

A mass hacking attempt using a huge 'botnet' of hundreds of thousands of infected computers is currently trying to 'brute force' WordPress websites. The attack works by 'guessing' your password, many times per second, against the standard WordPress login page. It is made much easier if your site has a user account called 'admin', because that hands the attacker half of your login details and lets them concentrate entirely on the password. There are several steps you can take to make the attack much harder and prevent your site being compromised.

Backup before you start!

Log in to cPanel before you make any changes and back up your database and files. Follow the backup instructions in our Green Hosting Support section.

Remove the 'admin' user if there is one

Never use the default WordPress username "admin". Instead, log in to your WordPress control panel, click "Users" and add a new user with a username of your choosing. Give that new account the Administrator role, then log out and log back in as the new user. Go back to "Users" and delete the default admin user.

Note: when you delete a user, WordPress offers to attribute all of that user's posts to another account. Choose that option and attribute the posts to the new administrator you just created; if you choose "Delete all content" instead, every post the admin account wrote is deleted along with it.
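The same change can be scripted for sites where you have shell access, which is handy if you look after several WordPress installs. The script below is an added example, not Make Hay's or WordPress's own code: it creates a new administrator with a random password generated by WordPress itself, then deletes 'admin' and reassigns its posts to the new account, which is exactly what the "Attribute all content to" option on the Users screen does. The username `sitekeeper` and the address `owner@example.com` are placeholders; change them before running it.

```php
<?php
/**
 * replace-admin-user.php (added example, not the site's own code)
 *
 * Run from the WordPress root, either directly (`php replace-admin-user.php`)
 * or through WP-CLI (`wp eval-file replace-admin-user.php`).
 */

// When run directly, bootstrap WordPress so its API is available.
// Under WP-CLI's eval-file WordPress is already loaded.
if ( ! function_exists( 'get_user_by' ) ) {
    require_once __DIR__ . '/wp-load.php';
}
// wp_delete_user() lives in an admin-only include, so load it explicitly.
require_once ABSPATH . 'wp-admin/includes/user.php';

$new_login = 'sitekeeper';        // assumed replacement username; pick your own
$new_email = 'owner@example.com'; // assumed contact address; use a real one

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    echo "No 'admin' user found - nothing to do.\n";
    exit( 0 );
}

if ( username_exists( $new_login ) ) {
    fwrite( STDERR, "User '$new_login' already exists; choose another name.\n" );
    exit( 1 );
}

// 24 random characters, including symbols, from WordPress's own generator.
$password = wp_generate_password( 24, true, true );

$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_email' => $new_email,
    'user_pass'  => $password,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    fwrite( STDERR, 'Could not create user: ' . $new_id->get_error_message() . "\n" );
    exit( 1 );
}

// Delete 'admin' and hand every post and link it owned to the new account.
// Passing the second argument is what prevents the content being deleted.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    fwrite( STDERR, "Failed to delete the 'admin' user; the new account was kept.\n" );
    exit( 1 );
}

printf( "Created administrator '%s' (ID %d) and removed 'admin' (ID %d).\n",
    $new_login, $new_id, $old->ID );
printf( "Password (store it in a password manager, then clear your terminal): %s\n",
    $password );
```

Take the backup first, as above, because the deletion is not reversible. After it runs, log in as the new user once to confirm it works before closing your existing session.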

Use a strong password

Use a strong password that is hard to crack. A password generator such as this one will create one for you: http://passwordsgenerator.net/ (your password manager's built-in generator does the same job). Don't use names, places or simple dictionary words, and don't reuse a password you use anywhere else.

Keep your WordPress install up to date

Always keep your WordPress install, themes and plugins up to date. Updates are usually released to plug security holes, so the sooner you apply them the better. Install all updates immediately, or as quickly as you possibly can.

Use a WordPress plugin to limit the number of login attempts

While in the admin panel, click on Plugins > Add New. Search for a plugin called "Limit Login Attempts", then install and activate it. After a set number of consecutive failed logins it blocks further attempts from that address for a specified period, so a bot can no longer try one password after another until it hits the right one. Bear in mind that this limit is applied per address: a botnet spread across hundreds of thousands of machines can still make a few attempts from each, so the plugin slows the attack down rather than stopping it, and the strong password above is what actually keeps them out. You can also see the plugin here: http://wordpress.org/plugins/limit-login-attempts/
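To show what such a plugin does under the hood, here is a minimal lockout written as an added example for this article; it is not the Limit Login Attempts plugin's own code, and the thresholds (5 failures in 15 minutes, 20-minute lockout) and the `ll_` names are assumptions. Save it as a file in `wp-content/mu-plugins/` and WordPress loads it automatically. It counts failed logins per client address in transients, and while an address is locked out it rejects the login even if the password is right.

```php
<?php
/**
 * Plugin Name: Minimal login lockout (added example, not the plugin's code)
 * Description: Per-address failed-login counter with a temporary lockout.
 */

define( 'LL_MAX_FAILURES', 5 );                        // assumed threshold
define( 'LL_WINDOW',  15 * MINUTE_IN_SECONDS );         // failures counted within this
define( 'LL_LOCKOUT', 20 * MINUTE_IN_SECONDS );         // assumed lockout length

// REMOTE_ADDR cannot be chosen by the client; X-Forwarded-For can, so only
// switch to a proxy header if a proxy you control is known to set it.
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are length-limited, so hash the address into the key.
function ll_key( $prefix ) {
    return $prefix . '_' . md5( ll_client_ip() );
}

function ll_is_locked() {
    return (bool) get_transient( ll_key( 'll_locked' ) );
}

// Refuse the login while locked out. WordPress's own password check runs on
// this filter at priority 20 and returns a WP_User on success, so this hook
// runs later (priority 99) and overrides that result. XML-RPC logins pass
// through the same filter, so they are covered too.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ll_is_locked() ) {
        return new WP_Error( 'll_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 99, 3 );

// Count a failure; after LL_MAX_FAILURES inside LL_WINDOW, start the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    if ( ll_is_locked() ) {
        return; // already locked; don't keep counting the rejected attempts
    }
    $key   = ll_key( 'll_fail' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LL_WINDOW );

    if ( $count >= LL_MAX_FAILURES ) {
        set_transient( ll_key( 'll_locked' ), time(), LL_LOCKOUT );
        delete_transient( $key );
        error_log( sprintf( 'Login lockout for %s after %d failures (last username tried: %s)',
            ll_client_ip(), $count, $username ) );
    }
} );

// A successful login clears the counter so an honest typo is not held
// against the user later.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ll_key( 'll_fail' ) );
}, 10, 2 );
```

The real plugin adds what this leaves out: a settings page, longer lockouts for repeat offenders, and an email to the site owner. Two practical points carry over to any lockout of this kind: if many people share one address (an office behind NAT) one colleague's typos can lock everyone out, and because the attackers described above spread their guesses across many machines, a per-address limit only slows them, so keep the password strong regardless.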
