With new technology comes new evil, but the methods are old school. This month, April 2013, there have been reports of a huge increase in brute force attacks aimed at breaking admin logins. The reports say the attack focuses on the “admin” username, which is the default username in any WordPress installation, and then tries to guess the password that goes with it.
Off the top of my head there are a few ways to protect against or deter these attacks. My recommendations are as follows.
- Never use the default username “admin”. Change it to something else.
- Use an uncommon pass phrase that includes numbers, letters and symbols.
- Make sure your password is long rather than short.
- If your site allows open registration, use a captcha of some sort that includes numbers and letters, or a phrase, as added security.
- If you are the sole blogger, then also password protect the wp-login page with a .htaccess login / password.
- Make sure you always keep plug-ins and core files updated.
- Never download free copies of files that are normally commercial. While it may sound good, odds are the files have been edited to allow remote attacks.
Finally, if you are using admin, one solution is to make a new admin and delete the existing one, but I usually just log in to phpMyAdmin and change the default username.
All in all it boils down to what I tell my clients.
“If it’s made by man, it can be broke by man”