Admin password spells trouble in recent WordPress attacks

April 14, 2013 by Nancy Owano, report

Sources from several Web hosting services this week raised an all-out alert: WordPress was under attack, with at least 90,000 IP addresses involved in brute-forcing the credentials of WordPress sites. The attacks, they said, are worrying in that they are on an unusually large scale, being described as "superbotnet" level. Among the hosting providers detecting such attacks were CloudFlare and HostGator. "The attacker is brute force attacking the WordPress administrative portals, using the username 'admin' and trying thousands of passwords," Matthew Prince, CEO of CloudFlare, said in an April 11 blog posting.

Such attacks can result in the commandeering of the servers that run the WordPress application. Might the attackers be in the process of building a strong, destructive botnet of infected computers? Prince added in his blog, "One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack."

The well-organized, distributed attacks try to brute-force the administrative credentials of WordPress servers, employing the username "admin" and 1,000 or so common passwords. At least 90,000 IP addresses hit WordPress machines hosted by one hosting provider. "We have seen over 90,000 IP addresses involved in this attack," wrote Sean Valant of HostGator in his April 11 blog posting. After the main force of the attack, signs were that it had died off, but then it picked up again, he added.

On April 12, founding developer of WordPress, Matthew Mullenweg, took to his blog to relay his take and his recommendations:

"Almost three years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using "admin" as their default username. Right now there's a botnet going around all of the WordPresses it can find trying to login with the 'admin' username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell 'solutions' to the problem)."

Mullenweg recommended that users check whether they are up to date with the latest version of WordPress. In addition, those who still had "admin" as a username should change it and create a strong password. He also recommended turning on two-factor authentication where it was available.

Mullenweg also stated that some other advice circulating about what to do was not so great. "Supposedly this has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn't going to be great (they could try from a different IP a second for 24 hours)."
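Mullenweg's point about throttling can be checked against log data. The following Python script is an added example, not code from the article, from WordPress or from any of the providers quoted. It assumes a constructed login-audit log format (timestamp, source IP, attempted username, result) as a hypothetical audit plugin might write it, and compares a per-IP failure counter with a per-account counter that sums failures across all source addresses: when each of thirty addresses tries the "admin" account once, the per-IP rule never fires, while the per-account rule flags the targeted user.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the article, WordPress or any hosting provider).
# Assumed one-line-per-attempt format from a hypothetical login-audit plugin:
#   <ISO timestamp> <client IP> <attempted username> <ok|fail>
# Thirty failures against "admin", each from a different address (one try per IP),
# plus one editor who mistypes twice from a single address and then logs in.
SAMPLE_LOG = "\n".join(
    f"2013-04-11T09:00:{i:02d}Z 198.51.100.{i + 1} admin fail" for i in range(30)
) + """
2013-04-11T09:01:00Z 203.0.113.5 editor fail
2013-04-11T09:01:07Z 203.0.113.5 editor fail
2013-04-11T09:01:15Z 203.0.113.5 editor ok
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (ok|fail)$")


def parse_log(text):
    """Return (timestamp, ip, username, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def detect(text, per_ip_threshold=5, per_user_threshold=20, min_distinct_ips=10):
    """Compare per-IP throttling with per-account counting across sources.

    Returns a dict with:
      throttled_ips  - addresses that alone reached per_ip_threshold failures
      targeted_users - usernames whose failures, summed over all sources, reached
                       per_user_threshold from at least min_distinct_ips addresses
                       (the distributed pattern a single-IP throttle misses)
    """
    failures = [e for e in parse_log(text) if e[3] == "fail"]
    fails_by_ip = Counter(ip for _, ip, _, _ in failures)
    fails_by_user = Counter(user for _, _, user, _ in failures)
    ips_by_user = defaultdict(set)
    for _, ip, user, _ in failures:
        ips_by_user[user].add(ip)

    throttled_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold)
    targeted_users = sorted(
        user for user, n in fails_by_user.items()
        if n >= per_user_threshold and len(ips_by_user[user]) >= min_distinct_ips
    )
    return {
        "throttled_ips": throttled_ips,
        "targeted_users": targeted_users,
        "fails_by_user": dict(fails_by_user),
        "distinct_ips_by_user": {u: len(s) for u, s in ips_by_user.items()},
    }


if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    print("IPs a per-IP throttle would block:", report["throttled_ips"])   # []
    print("accounts under distributed attack:", report["targeted_users"])  # ['admin']
```

The per-account signal is what lets a defender notice the campaign; it does not by itself block anything, which is why the article's advice (rename the account, use a strong password, enable two-factor authentication) is the mitigation, and the counter is the alarm.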

HostGator's Valant similarly noted the value of using a secure password. "We highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website," he said. "These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#@*)."


4.3 / 5 (3) Apr 14, 2013
the solution would be another username than "admin" being the admin
Apr 14, 2013
This comment has been removed by a moderator.
Apr 14, 2013
This comment has been removed by a moderator.
1 / 5 (2) Apr 14, 2013
just use your brain.....morons
1 / 5 (2) Apr 15, 2013

I am a victim. How do I get rid of the hacker's content? I cannot find it anywhere in the HTML code.

Please help!

not rated yet Apr 15, 2013
Anyone care to set up a tarpit and report on what these guys are trying to do once they break in?
3.5 / 5 (2) Apr 15, 2013
Rather than tarpit, did you mean to use the word honeypot?
2 / 5 (1) Apr 15, 2013
It's too simple to just blame it solely on the users or admins. Obviously, WordPress neglected to ENFORCE a strong username and password policy!
Selvakumar Manickam
not rated yet Apr 17, 2013
WordPress or any other system should force the user to change username and password. This will ensure username/password guessing will be more laborious.
