Botnet Targeting WordPress “Admin” Username Accounts on the Internet

If you are a blogger and you are running WordPress as your blogging platform, please read this article.  Attackers are attempting to log in to WordPress blogs by submitting the default username "admin" to wp-login.php and running a brute-force, dictionary-based attack against that account's password.

According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet.
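The attack described above leaves an obvious trail in an ordinary web-server access log, and a small detector is worth having if nothing like HostGator's or CloudFlare's filtering sits in front of your site. The script below is an added example written for this article; it is not code from WordPress, HostGator or CloudFlare. The log lines, the RFC 5737 test addresses and the two thresholds are constructed for illustration. The detection relies on one WordPress behaviour: a failed login POST to wp-login.php is answered with HTTP 200 (the form is re-rendered with an error), while a successful login is a 302 redirect into wp-admin.

```php
<?php
/**
 * Detect wp-login.php brute forcing from an Apache "combined" access log.
 *
 * Illustrative example added for this article, not code from WordPress,
 * HostGator or CloudFlare. Run with: php detect_wp_bruteforce.php
 *
 * Signal: a failed WordPress login is "POST /wp-login.php" answered with 200;
 * a successful one is a 302. Counting failures per IP catches one aggressive
 * source; counting them site-wide catches a botnet that spreads its guesses
 * over many addresses so that no single address trips the per-IP limit.
 */

// Assumed thresholds for one log window (not from the article).
const MAX_FAILURES_PER_IP   = 5;
const MAX_FAILURES_SITEWIDE = 8;

// Constructed sample log: 203.0.113.7 hammers the form, 203.0.113.8 stays
// under the per-IP limit, 198.51.100.20 is a real user who loads the form,
// mistypes once (200) and then logs in (302).
$sample_log = <<<'LOG'
203.0.113.7 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Apr/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:01:08 +0000] "GET /wp-login.php HTTP/1.1" 200 3700 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/** Pull client IP, method, path (query string stripped) and status from one line. */
function parse_access_line( $line ) {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m ) ) {
        return null; // not a combined-format request line; skip it
    }
    return array(
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => strtok( $m[3], '?' ),
        'status' => (int) $m[4],
    );
}

/** Count "POST /wp-login.php -> 200" (i.e. failed logins) per client address. */
function failed_logins_per_ip( $log ) {
    $counts = array();
    foreach ( preg_split( '/\r?\n/', trim( $log ) ) as $line ) {
        $r = parse_access_line( $line );
        if ( null === $r ) {
            continue;
        }
        if ( 'POST' === $r['method'] && '/wp-login.php' === $r['path'] && 200 === $r['status'] ) {
            $counts[ $r['ip'] ] = isset( $counts[ $r['ip'] ] ) ? $counts[ $r['ip'] ] + 1 : 1;
        }
    }
    return $counts;
}

/** Per-IP offenders plus a site-wide verdict that survives IP spreading. */
function brute_force_report( $log ) {
    $per_ip   = failed_logins_per_ip( $log );
    $sitewide = array_sum( $per_ip );
    $over     = array_filter( $per_ip, function ( $n ) { return $n >= MAX_FAILURES_PER_IP; } );
    return array(
        'per_ip'        => $per_ip,
        'offending_ips' => array_keys( $over ),
        'sitewide'      => $sitewide,
        'distributed'   => $sitewide >= MAX_FAILURES_SITEWIDE,
    );
}

$report = brute_force_report( $sample_log );
foreach ( $report['offending_ips'] as $ip ) {
    printf( "block %s: %d failed logins\n", $ip, $report['per_ip'][ $ip ] );
}
if ( $report['distributed'] ) {
    printf( "site-wide: %d failed logins from %d addresses; per-IP blocking alone will not stop this\n",
        $report['sitewide'], count( $report['per_ip'] ) );
}
```

On the sample, only 203.0.113.7 crosses the per-IP limit, yet the site-wide count (10 failures from three addresses) still trips the distributed alert, which is the pattern a botnet produces. In production, bucket the counts by time window rather than by whole file, and if the site sits behind CloudFlare or another reverse proxy make sure the web server logs the CF-Connecting-IP / X-Forwarded-For client address in the first field, otherwise every line carries the proxy's own address and both counters become meaningless.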

So, if you are running WordPress at this time, make sure the account uses a long password that is not based on a dictionary word, or better yet, disable or delete the 'admin' account from your user list. If you delete it, create another administrator account first and reassign the old account's posts to it when WordPress prompts you.

SplashData's list of the 25 most common passwords of 2012 is reproduced below. Because these passwords are so widely used, they are exactly the guesses a dictionary attack tries first; the note after each entry shows how it moved relative to the 2011 list:

  1. password
  2. 123456 (Unchanged)
  3. 12345678 (Unchanged)
  4. abc123 (Up 1)
  5. qwerty (Down 1)
  6. monkey (Unchanged)
  7. letmein (Up 1)
  8. dragon (Up 2)
  9. 111111 (Up 3)
  10. baseball (Up 1)
  11. iloveyou (Up 2)
  12. trustno1 (Down 3)
  13. 1234567 (Down 6)
  14. sunshine (Up 1)
  15. master (Down 1)
  16. 123123 (Up 4)
  17. welcome (New)
  18. shadow (Up 1)
  19. ashley (Down 3)
  20. football (Up 5)
  21. jesus (New)
  22. michael (Up 2)
  23. ninja (New)
  24. mustang (New)
  25. password1 (New) 

WordPress founder Matt Mullenweg released a blog post saying, "If you still use 'admin' as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 99% of sites out there and probably never have a problem."

He explained that in the WordPress 3.0 update, the company began allowing you to create your own login username when you first set up your WordPress backend; "admin" used to be the default. If you took the opportunity to make your own username, your account will be unaffected for now.

This is not the first time WordPress has been a target: in 2011 and into 2012, outdated versions of TimThumb, a popular PHP-based image resizer bundled by default with many WordPress themes, were widely exploited.

SecurityOrb.com, an information security and privacy awareness organization based in the Washington, DC Metro area, agrees with the above recommendations to remove the 'admin' username and use a strong password.  In addition, a WordPress plugin that limits the number of login attempts from a single source can help mitigate brute-force dictionary attacks, although a botnet that spreads its guesses across many addresses will stay under any per-source limit, so the username and password advice still does most of the work.
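As a concrete form of the two recommendations above (refusing the 'admin' username, and limiting login attempts per source), here is an added example of a must-use plugin written for this article. It is not code from WordPress or from any of the login-limiting plugins on the market. The `so_` prefix, the budget of five failures per fifteen minutes, and the reliance on `REMOTE_ADDR` are assumptions; the hooks (`authenticate`, `wp_login_failed`, `wp_login`) and the transient functions are WordPress's own.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Description: Refuses the "admin" username outright and locks out a client
 *              address after too many failed logins. Save this file as
 *              wp-content/mu-plugins/so-login-limiter.php; mu-plugins load
 *              automatically and cannot be disabled from the dashboard.
 *
 * Illustrative example written for this article; not code from WordPress or
 * from any existing plugin.
 */

// Assumed policy (not from the article): 5 failures, then locked for 15 minutes.
define( 'SO_LOGIN_MAX_FAILURES', 5 );
define( 'SO_LOGIN_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Client address used as the lockout key. REMOTE_ADDR is only meaningful when
 * WordPress is not behind a reverse proxy or CDN; behind CloudFlare you must
 * have the web server rewrite REMOTE_ADDR from CF-Connecting-IP first, or every
 * visitor shares the proxy's address and one bot locks out the whole site.
 */
function so_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function so_login_transient_key( $ip ) {
    return 'so_login_fail_' . md5( $ip );
}

/**
 * Runs on the "authenticate" filter at priority 30, after WordPress's own
 * username/password check (priority 20), so whatever it returns is final.
 * Returning a WP_Error refuses the login regardless of the password.
 */
function so_login_gate( $user, $username, $password ) {
    // 1. "admin" should not exist at all; refuse it so the botnet learns nothing
    //    about whether the account or its password is valid.
    if ( 'admin' === strtolower( trim( (string) $username ) ) ) {
        return new WP_Error( 'so_admin_disabled', __( 'Login is disabled for this username.' ) );
    }

    // 2. Per-address lockout once the failure budget is spent.
    $failures = (int) get_transient( so_login_transient_key( so_login_client_ip() ) );
    if ( $failures >= SO_LOGIN_MAX_FAILURES ) {
        return new WP_Error( 'so_too_many_attempts', __( 'Too many failed logins. Try again later.' ) );
    }

    return $user;
}
add_filter( 'authenticate', 'so_login_gate', 30, 3 );

/**
 * Counts a failure. "wp_login_failed" fires for every rejected attempt,
 * including the ones so_login_gate() rejects itself, so the counter keeps
 * growing and its expiry keeps sliding while a bot keeps hammering.
 */
function so_login_record_failure( $username ) {
    $key      = so_login_transient_key( so_login_client_ip() );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, SO_LOGIN_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'so_login_record_failure' );

/**
 * A successful login clears the counter so a legitimate user who mistyped a
 * couple of times is not left one failure away from a lockout.
 */
function so_login_clear_failures( $user_login, $user ) {
    delete_transient( so_login_transient_key( so_login_client_ip() ) );
}
add_action( 'wp_login', 'so_login_clear_failures', 10, 2 );
```

Two caveats a practitioner would want. Transients live in the options table unless a persistent object cache is installed, so under a heavy attack the counter updates themselves become database writes; and a distributed botnet will rarely exceed five failures from any one address, which is why the unconditional refusal of 'admin' and the strong password, not the per-address counter, are what actually stop the campaign this article describes.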
