In plain English, it means that someone, an individual or a group, is trying to break into WordPress installations by guessing the admin password.
They are doing the guessing with a botnet (a network of infected computers all running a set of programs that work together), programmed to systematically work through possible passwords until one of them fits: a brute force attack.
Brute force in this context doesn’t mean a bunch of meanies with machetes showing up at your door, but its virtual equivalent: repeatedly and rapidly trying different passwords against your WordPress login until one works.
One common way to do this is a dictionary attack: trying every word in a word list, plus combinations of those words and the usual variations (capital letters, digits tacked on the end), until the password turns up.
If your password is a regular, good ol’ English word, WordPress’s password meter probably already told you it was weak.
The other thing known about this particular attack is that it targets accounts whose username was left at the default ‘admin’.
In short: if your administrator account is named admin, and you have used a word from the dictionary as your password, you are at risk. Like, seriously at risk.
Here is how you can quickly protect yourself:
Change Admin Account
If your admin account is named admin, create a new Administrator account and call it something completely un-admin, like puppies32 or CaptainKirk. Just something that’s easy for you to remember and cannot be guessed by going through the dictionary. You could make it really hard to figure out and use LastPass (see below) to remember it for you. Then log in as the new account and delete the old admin user; WordPress will ask which user should take over its posts and pages, so nothing is lost. An account that no longer exists can’t be broken into, which is the whole point: creating the new account while leaving the old one in place protects nothing.
Change the passwords on all your WordPress accounts, super quick. Yes, it’s a pain, because then you have to change them in a couple of other places, like your WordPress mobile app. Believe me, it will be a lot less convenient if you have to rebuild your site after a hack.
Choose A Strong Password
Either use LastPass (see below) to generate a long random password, or build yourself a passphrase. The old trick of taking a phrase like “I’m Awesome” and swapping letters for numbers and symbols, so that imawesome becomes 1m@w3s0m3!, is not as clever as it looks: those exact substitutions (a to @, e to 3, o to 0, plus an exclamation mark on the end) are in the standard rule sets that cracking tools apply to every word in their lists, so 1m@w3s0m3! falls almost as quickly as imawesome does. Length beats cleverness: string four or five unrelated words together (puppies-machete-captain-cache) and you get something you can actually remember that no word list contains. Bonus: choose words that make you feel good 🙂
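To see why the letter-swapping trick doesn’t help, here is a small dictionary-plus-rules attack of the kind the botnet is running, written as an added example for this post (it is not code from the original, and it is not how any particular cracking tool is implemented). The word list, the substitution rules and the suffixes are constructed here and are a tiny fraction of what a real tool ships with; the hash function is SHA-256 purely for illustration, since the point is the guessing order, not the hash.

```python
"""Dictionary-plus-rules attack versus a multi-word passphrase.

Added example for this post, not code from the original. The word list,
substitution rules and suffixes are constructed and are a tiny subset of what
a real cracking tool such as hashcat or John the Ripper ships with.
"""
import hashlib
import itertools
import math
import secrets

# Constructed word list; real attacks use lists of millions of entries.
WORDLIST = ["password", "imawesome", "puppies", "captainkirk", "wordpress", "letmein"]

# The classic substitutions; every public cracking rule set contains these.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Common endings people add to "strengthen" a word.
SUFFIXES = ["", "!", "1", "123"]


def mangle(word):
    """Yield the word with every subset of LEET substitutions applied, times each suffix."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for swap, pos in zip(mask, positions):
            if swap:
                chars[pos] = LEET[chars[pos]]
        base = "".join(chars)
        for suffix in SUFFIXES:
            yield base + suffix


def rule_candidates(wordlist=WORDLIST):
    """Total number of guesses the rules generate from the word list."""
    return sum(1 for word in wordlist for _ in mangle(word))


def sha256_hex(text):
    # A real WordPress install stores phpass hashes (salted, iterated MD5); the
    # hash function does not change the attack, only how fast each guess is.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Try every mangled dictionary word; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def passphrase_bits(words, list_size):
    """Entropy of `words` words picked uniformly at random from a list of `list_size`."""
    return words * math.log2(list_size)


def make_passphrase(words=4, wordlist=WORDLIST, sep="-"):
    """Random multi-word passphrase; use a large list (thousands of words) for real use."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    leet = "1m@w3s0m3!"
    found, guesses = crack(sha256_hex(leet))
    print(f"{leet!r} recovered as {found!r} after {guesses} of {rule_candidates()} guesses")
    phrase = make_passphrase()
    print(f"{phrase!r} survives the rules: {crack(sha256_hex(phrase))}")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

Run it and 1m@w3s0m3! is recovered within a few hundred guesses, because it is just imawesome with a rule applied, while even a four-word phrase built from this same six-word list is never produced by the rules. With a realistically sized list (the 7776-word diceware list is the usual example) four random words give about 52 bits of entropy, which is out of reach for a password-guessing botnet that has to talk to your server for every try.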
Install Limit Login Attempts plugin
Just as it says on the tin, this plugin will, uhm, limit login attempts! It slows a brute force attack by counting failed logins per IP address and locking that address out for a set time once it passes the limit. You can customize the number of attempts before lockout, the length of the lockout, and whether you get notified of lockouts. One caveat: a botnet spreads its guesses across many IP addresses, so each address can stay under the limit. The lockout raises the cost of the attack rather than stopping it, which is why the strong password above still matters.
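To make the lockout, and its limit, concrete, here is the per-IP counting logic replayed over a constructed log of login attempts. This is an added example for this post, not the plugin’s code: the log format (timestamp, source IP, username, result), the addresses and the usernames are all made up for the demonstration, and the limits used (4 failures, 20-minute lockout) are this example’s settings, chosen to match the plugin’s own defaults.

```python
"""Per-IP failed-login lockout, the way Limit Login Attempts works, replayed
over a constructed log.

Added example for this post, not the plugin's code. The log format
('timestamp ip username result'), the addresses and the usernames are
constructed for the demonstration.
"""
from collections import Counter
from datetime import datetime, timedelta


class LoginLimiter:
    """Counts failed logins per IP and locks the IP out once it hits the limit."""

    def __init__(self, max_attempts=4, lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = Counter()      # ip -> consecutive failures
        self.locked_until = {}         # ip -> datetime the lockout ends

    def allowed(self, ip, now):
        """True if this IP may try a password right now."""
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.locked_until[ip]  # lockout has expired, start counting again
            self.failures[ip] = 0
        return True

    def record(self, ip, now, success):
        """Update the counters after the password check ran."""
        if success:
            self.failures[ip] = 0
            return
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout


def constructed_log():
    """Constructed wp-login.php attempts, one per line: 'timestamp ip username result'."""
    t0 = datetime(2013, 4, 12, 10, 0, 0)
    lines = []
    # One noisy IP hammering 'admin' ten times in ten seconds.
    for i in range(10):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 198.51.100.7 admin FAIL")
    # A botnet: six different IPs, three guesses each, all against 'admin'.
    for n in range(6):
        for i in range(3):
            ts = (t0 + timedelta(minutes=1, seconds=3 * n + i)).isoformat()
            lines.append(f"{ts} 203.0.113.{10 + n} admin FAIL")
    # The owner logging in with the renamed administrator account.
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} 192.0.2.44 captainkirk OK")
    return lines


def replay(lines, limiter):
    """Feed log lines through the limiter; report what reached the password check."""
    stats = {"reached": Counter(), "blocked": Counter(), "per_user": Counter()}
    for line in lines:
        ts, ip, user, result = line.split()
        now = datetime.fromisoformat(ts)
        stats["per_user"][user] += 1
        if not limiter.allowed(ip, now):
            stats["blocked"][ip] += 1
            continue
        stats["reached"][ip] += 1
        limiter.record(ip, now, result == "OK")
    return stats


def botnet_guesses_reaching_check(stats, prefix="203.0.113."):
    """How many of the distributed guesses the per-IP lockout let through."""
    return sum(n for ip, n in stats["reached"].items() if ip.startswith(prefix))


if __name__ == "__main__":
    stats = replay(constructed_log(), LoginLimiter())
    print("single IP: reached", stats["reached"]["198.51.100.7"],
          "blocked", stats["blocked"]["198.51.100.7"])
    print("botnet guesses that reached the password check:",
          botnet_guesses_reaching_check(stats))
    print("attempts against 'admin' from all sources:", stats["per_user"]["admin"])
```

The single noisy address gets four guesses checked and the other six bounced, exactly what the plugin buys you. The six botnet addresses, at three guesses each, never trip the limit, so all eighteen of their guesses reach the password check. Counting by username instead of by address (the per_user counter) shows 28 tries against admin in two minutes, which is the kind of number worth alerting on even when no single IP is locked out.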
Use LastPass
I’ve been using this tool for a few years now, and would be lost without it. It will generate tough passwords for you, remember them, and optionally log you in automatically. It keeps all your usernames and passwords in a vault which you unlock with a single master password known only to you. This means you can have really difficult-to-guess passwords without the risk of saving them in a plain-text spreadsheet (don’t), or forgetting them.
These are all doable measures to protect yourself. They’re not completely bulletproof, but they should deter the one-size-fits-all botnet attack described above.
It goes without saying that you must back up on a regular basis, especially if you post often. It’s so painful to have to rebuild your content from Google’s cache. Check this post here on some pain-free backup tools.
Now stop reading, and get protecting. Then come back and share what other measures you take to protect your digital assets.