Security and WordPress Brute Force Password Cracking

clive Tech Tip, Web, Wordpress

There are ongoing botnet attacks on WordPress sites that try to gain access by brute-force guessing a username and password to log in to the site. If you have a WordPress site, we would recommend 2 urgent steps to prevent infection:

1) Ensure all login accounts have hard-to-guess passwords. Easy to say, but in general any password you choose shouldn’t be a name, a word findable in a dictionary, or one of the many common phrases used (‘letmein’, etc.), even if you have substituted numbers for letters (e.g. passw0rd will fool no-one, and nor will p455w0rd). Phrases make nice passwords, especially if you build a deliberate mistake or misspelling into them – and the longer the better.

2) If you have an ‘admin’ user set up in WordPress, consider creating an alternative admin account instead (and disabling the original account) – 99% of accounts the attacks attempt to crack are called ‘admin’ or ‘administrator’.
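The two checks above can be applied when an account is created or a password is chosen. The sketch below is an added example, not code from the original post or from WordPress: it undoes number-for-letter substitutions before a dictionary lookup and flags the commonly targeted usernames. The word list, the minimum length of 12 and the sample accounts are constructed assumptions.

```python
import re

# Number/symbol-for-letter substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Constructed sample list; use a full dictionary / common-password list in practice.
COMMON_WORDS = {"password", "letmein", "admin", "welcome", "qwerty"}
TARGETED_USERNAMES = {"admin", "administrator"}
MIN_LENGTH = 12  # assumption: the post only says "the longer the better"

def candidates(password):
    """Forms of the password to look up: de-substituted, with and without
    leading/trailing digits and symbols (so 'Password1' and '4dmin' both match)."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered.translate(LEET), stripped.translate(LEET)}

def password_findings(password, username=""):
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    if candidates(password) & COMMON_WORDS:
        findings.append("dictionary word or common phrase")
    if username and username.lower() in password.lower():
        findings.append("contains username")
    return findings

def username_findings(username):
    if username.lower() in TARGETED_USERNAMES:
        return ["commonly targeted username"]
    return []

def audit(accounts):
    """Map each flagged login name to the list of reasons it was flagged."""
    report = {}
    for username, password in accounts:
        found = username_findings(username) + password_findings(password, username)
        if found:
            report[username] = found
    return report

# Constructed sample accounts (login name, candidate password).
SAMPLE_ACCOUNTS = [
    ("admin", "p455w0rd"),
    ("clive-editor", "correct hrose batery stapel"),  # misspelt phrase passes
    ("shopmanager", "Letmein!"),
]

if __name__ == "__main__":
    for user, found in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", ", ".join(found))
```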

Full details of the attack, and prevention strategies, can be found here: http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/ together with a walkthrough of how to set yourself up an alternative admin account.