Recently hackers have made a concerted effort to target WordPress based sites, in particular sites which have a user named Admin.
Whilst the hack attempts are by and large basic brute force attacks and unlikely to get into an account with a strong password, the method in which they are attacking can easily crash your site or server.
The method is called a DDOS or (Distributed) Denial of Service attack and it bombards your site with request after request, overloading the servers capability to handle things and causing it to crash.
How to avoid this!
The simplest way to avoid this is twofold.
1) Make sure that your password is secure. Passwords ideally need to be a minimum of 8 characters and should contain a mix of letters, numbers and symbols. If possible longer passwords are even better!
2) If you have an user named “admin”, remove it or at least change its capabilities.
How do I remove the “admin”, I AM the admin!
You can follow these step by step instructions to swap over your administrator user. If you do not feel comfortable doing this, speak to your developer or web designer, or local IT guru.
1) Log in as normal under your “admin” name
2) Go to Users > Add New and create a new user with a unique name and a strong password. This user must be given administrator rights.
Note you will need a secondary valid email to add in here as WordPress will not allow more than one user with the same email.
3) Make sure you have correctly noted down the password.
4) Log out of your old “admin” user
5) Log into your newly created user
6) Go to Users > All Users and find the original user named “admin”. Hover your mouse over the name and then select delete.
7) When you select delete a new page will show asking you what to do with the posts owned by the old user named “admin”. Make sure that you select the Attribute all posts to option and select the new user with administrator right’s name.
Tips for securing your site
1) Create a strong, and unique password over 8 characters long using a variety of letters, numbers and symbols. Do not use “password”, names, or other words or numbers that can be found out easily.
2) Change your password regularly
3) Make sure your new administrator user has a unique name
4) Keep WordPress up to date – every update comes with security fixes and improvements
5) Keep Event Espresso, your theme and other plugins up to date. Again, updates bring security fixes.
6) Keep up to date with WordPress news, sometimes you can find out about problematic plugins/themes
Thanks Dean
Very clear and easy to follow
very informative post I have been using Admin as my login-id but now i am gonna change this. Thanks for the information.
Thanks guys, glad you found it useful!
The WordPress have the admin pannel always at the same place (wp-admin) so that hacker have easy way to try to get in. Do they have a way to change the directory of admin of WP?
For brute force attacks do the normal configuration sever have already a firewall that block IP if to many load and request. Maybe need to add a directory apache pasword protection to avoid this thing.