Critical Information for WordPress users
Published: 12th Jun 2013 in News
Protecting your WordPress website from the botnet 'Admin Hack'
If you run a WordPress powered website please read this carefully and follow the steps to secure your WordPress website.
A mass hacking attempt using a huge 'botnet' of hundreds of thousands of infected computers is currently trying to 'brute force' attack WordPress websites. This attack works by trying to 'guess' your password multiple times per second. This attack is made easier if you have a WordPress user account called 'admin', as this gives the attacker half of your login information and allows them to focus on the password. There are several steps you can take to make it much harder for the attackers and prevent your site from being compromised.
Backup before you start!
Log in to cPanel before you make any changes and back up your database and files - follow the backup instructions in our Green Hosting Support section.
Remove the 'admin' user if there is one
Never use the default WordPress username "admin". Instead, log in to your WordPress control panel, click "Users" and then add a new user with a username of your choosing. Give that new user account Administrator privileges, then log out and log back in as the new user you just created. Go back to "Users" and delete the default admin user.
Note: during deletion, WordPress offers to transfer authorship of all posts created by the admin account to another user. Choose that option and attribute the posts to the new administrator account you just created.
Use a strong password
Use a strong password that is hard to crack. Use a password generator like this one to create it: http://passwordsgenerator.net/ Don't use names, simple dictionary words or places.
Keep your WordPress install up to date
Always keep your WordPress install, themes and plugins up to date. Updates are usually released to plug security holes, so the sooner you update them the better. You should therefore install all updates immediately (or as quickly as you possibly can).
Use a WordPress plugin to limit the number of login attempts
While in the admin panel, click on Plugins > Add New. Search for a plugin called "Limit Login Attempts", then install and activate it. This will prevent new attempts to log in to WordPress for a specified period of time after a set number of consecutive failed login attempts. This prevents a bot from trying one new password after another until it finally finds the right one. You can also see the plugin here: http://wordpress.org/plugins/limit-login-attempts/
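The mechanism behind such a plugin is a counter of consecutive failures per client and a lockout timer. The class below is an added, stand-alone illustration of that logic in Python; it is not the plugin's code, and the limits (4 failures, 20-minute lockout) and the simulated guesses are assumptions chosen for the example. Time is passed in explicitly so the behaviour is deterministic.

```python
from datetime import datetime, timedelta, timezone


class LoginGuard:
    """Count consecutive failed logins per key (typically the client IP) and
    refuse further attempts for `lockout` once `max_attempts` failures accumulate."""

    def __init__(self, max_attempts=4, lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._failures = {}      # key -> consecutive failure count
        self._locked_until = {}  # key -> datetime when the lockout ends

    def is_locked(self, key, now):
        """True while a lockout is active; expired lockouts are cleared on the way."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: reset the counter so the next attempt starts fresh.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, key, credentials_valid, now):
        """Process one login attempt and return 'locked', 'ok' or 'failed'.

        A locked key is refused before the credentials are even examined, so the
        response gives no hint about whether a guess was correct."""
        if self.is_locked(key, now):
            return "locked"
        if credentials_valid:
            self._failures.pop(key, None)  # a good login resets the counter
            return "ok"
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
        return "failed"


def simulate_guessing(guard, key, guesses, correct, start):
    """Feed one guess per second from a single client; return the outcome of each."""
    outcomes = []
    for i, guess in enumerate(guesses):
        now = start + timedelta(seconds=i)
        outcomes.append(guard.attempt(key, guess == correct, now))
    return outcomes


if __name__ == "__main__":
    # Constructed scenario: a bot tries six common guesses, the real password is the last one.
    guard = LoginGuard()
    start = datetime(2013, 6, 12, 10, 0, tzinfo=timezone.utc)
    guesses = ["123456", "password", "letmein", "qwerty", "admin", "correct horse"]
    print(simulate_guessing(guard, "203.0.113.5", guesses, "correct horse", start))
    # The sixth guess is right, but the client is locked out before it is tried.
```

Note the limits of this control against the attack in the article: the lockout is keyed by client address, so each infected machine in a botnet gets its own allowance of guesses before it is blocked. Limiting attempts slows the attack down considerably, but it is the strong password and the removal of the 'admin' account that keep the guesses from ever succeeding.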