For years now, the “admin” account has been a well-known entry point to any WordPress site for an unscrupulous hacker:
Go to domain.com/wp-admin, enter “admin” as the user, and just keep trying passwords. You’ll eventually get in.
So, if you’ve got a WordPress site that still has a user named “admin” or even “Admin,” you’re a sitting duck. I’ve seen 750+ login attempts in 5 minutes happen on WordPress sites. A funny side story: I was in the ER at the time, and my iPhone started going nuts with plugin-generated e-mails; I had to insist on grabbing the laptop from my wife, while hopped up on morphine, to kill the attack.
Here’s a look at the current lockout list of several of my client sites with established histories and good traffic – you’ll notice lockouts of 155, 87, 48, 24, and 20 attempts from one IP address each:
Not looking good for sites that actually use “admin” as a valid user, eh? There is a science to hacking into accounts of all kinds using password lists, tables, and very easy scripts that run through entire dictionaries. It takes no effort to gain access to such sites or accounts when the only unknown is the password. Password security is a whole other topic for another day, but let’s address killing the “admin” user for now.
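As an added example, not part of the original post: a Python script that surfaces the kind of single-IP login bursts behind the lockout counts above, by counting POSTs to /wp-login.php per source address inside a sliding 5-minute window of the web server access log. The combined log format, the 20-attempt threshold and the sample log lines are my assumptions; a lockout plugin sees the same signal in-process, this just shows it in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: enough to pull client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path"), "status": int(m.group("status"))}

def login_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak POSTs to /wp-login.php within any `window`} for IPs at or above `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _log_line(ip, when, method, path, status):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
# Constructed sample log (not real traffic): one source hammers the login form, a normal user
# mistypes twice and then succeeds, plus an unrelated GET that must not be counted.
_BASE = datetime(2012, 11, 10, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_log_line("203.0.113.5", _BASE + timedelta(seconds=4 * i), "POST", "/wp-login.php", 200) for i in range(25)]
    + [_log_line("198.51.100.7", _BASE + timedelta(seconds=30 * i), "POST", "/wp-login.php", 200) for i in range(3)]
    + [_log_line("198.51.100.7", _BASE, "GET", "/wp-admin/", 200)]
)
if __name__ == "__main__":
    for ip, peak in login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts inside 5 minutes")
```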
Omigosh! I have “admin” as a user! What do I do?
Oh noes! You’re very clever to have checked now, aren’t you? Congrats. Let’s swoop in to the rescue with a very simple procedure to kill off such a glaring hacker welcome mat. To rid yourself of “admin” without losing any posts/pages/etc., you need only take the following easy steps:
- Create a new login with a better, less guessable username (to keep the same e-mail address, change the e-mail associated with “admin” first). I recommend a 15-20 character password from http://www.strongpasswordgenerator.com, and for goodness’ sake make sure you give it the Administrator role.
- Log out of “admin”.
- Log in as your new user.
- Head to the Users page and delete the “admin” user.
- On the next screen, assign all posts/content to the new user you just created.
- What? You expected another step? C’mon, I said it was easy.
Update from WordCamp Orlando 2012: if you have database access and are comfortable in phpMyAdmin, this is the SQL command to rename the account directly, without hunting for it in the dashboard (replace ‘username’ with the name you want, and wp_ with your own table prefix if you changed it):
UPDATE wp_users SET user_login = 'username' WHERE user_login = 'admin';
More on security
I’m going to be doing many more articles on WordPress and online security in the coming weeks.