The founder of WordPress, Matt Mullenweg, has published a security alert on his site today because of a massive botnet that is searching for WordPress installations that use “admin” as their login username. The botnet is using over 90,000 IP addresses so it can constantly retry logging in with different password combinations until one works.
A hacker successfully attacked all of the BRP Publishing Group websites and author sites last year, and it was really time-consuming to fix everything. We implemented a number of added security measures since then, and so far we’ve managed to stay ahead of the hacker hordes. But, if you have a WordPress website (either self-hosted or through WordPress.org), then make sure that you do not have any user accounts with the username “admin” or your website may be hacked.
I highly recommend a plugin called Wordfence, which will email you alerts if any of the program files change on your WordPress website and gives you a one-button click to restore to the previous version. It also notifies you if any of your plugins, themes or other programs need to be updated. It gives tremendous peace of mind and was easy to set up.
Here is a quick, step-by-step list to show you how to change your WordPress “admin” username:
- Sign in as “admin”
- Create a new user, choosing a hard-to-guess username (but don’t make it so difficult that you’ll forget it)
- Make that user’s role “administrator”
- Choose a password that has upper and lower-case letters and numbers in it. Symbols are okay, too. Never use the word “password” in your password, even if it has a different case and includes numbers.
- Click “Add new user”
- Log off as “admin”
- Log in as the new user
- Delete your old “admin” user and assign all posts/pages/comments to your new admin user
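The same procedure, scripted so it can be run once from the server with WP-CLI (`wp eval-file rename-admin.php`). This is an added example, not the post's own code or part of WordPress; it assumes WP-CLI on a single-site install, and the `NEW_ADMIN_LOGIN` / `NEW_ADMIN_EMAIL` values are placeholders you replace.

```php
<?php
/**
 * rename-admin.php (constructed example, not part of WordPress or this post).
 * Run inside a single-site WordPress install with:  wp eval-file rename-admin.php
 * Assumes WP-CLI; NEW_ADMIN_LOGIN / NEW_ADMIN_EMAIL are placeholders you set.
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$new_login = getenv('NEW_ADMIN_LOGIN') ?: 'site-owner-7k2';   // hard to guess, still memorable
$new_email = getenv('NEW_ADMIN_EMAIL') ?: 'owner@example.com'; // placeholder address

// Step 1: is there actually an account called "admin"? Nothing to do if not.
$old = get_user_by('login', 'admin');
if (!$old) {
    WP_CLI::success('No user named "admin" exists; nothing to change.');
    return;
}
if (username_exists($new_login)) {
    WP_CLI::error("A user named {$new_login} already exists; pick another login.");
}

// Step 2: create the replacement administrator with a random 24-character password
// (mixed case, digits and symbols), which satisfies the password guidance above.
$password = wp_generate_password(24, true, true);
$new_id = wp_insert_user([
    'user_login' => $new_login,
    'user_pass'  => $password,
    'user_email' => $new_email,
    'role'       => 'administrator',
]);
if (is_wp_error($new_id)) {
    WP_CLI::error('Could not create user: ' . $new_id->get_error_message());
}

// Step 3: remove "admin" and reassign its posts and pages (post_author) to the new user.
if (!wp_delete_user($old->ID, $new_id)) {
    WP_CLI::error('Deleting "admin" failed; the new account was still created.');
}

WP_CLI::success("Created administrator {$new_login} (id {$new_id}) and removed \"admin\".");
WP_CLI::line("Password (store it in a password manager now): {$password}");
```

Log in as the new user in a second browser before trusting the change, and re-run the script afterwards: it should report that no “admin” account exists.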