Notification – Global Brute Force Attack on the admin user in WordPress
About a week ago a major network of remotely controlled machines across the world started to actively scan for all WordPress sites that may have weak administration passwords. This caused outages, slowness, and site access issues for some.
As long as you don’t use “admin” as a username you should be okay. Artbiz clients don’t have “admin” as a username.
Make sure passwords are not word-based, are totally random, and are long: over 14 characters, with upper and lower case letters, symbols and numbers.
How to delete the admin user in WordPress and create a new admin user account.
To be on the safe side, download a backup of your content first. Under Tools > Export, select all and save to your computer.
Create the new user account first
- Login with your “admin” username.
- Go to Users > Add New
- Create a new admin user account with a strong user name that will be hard to guess. This means DO NOT use your name if it is the title of your site. I use a combo of my 3 pets’ names, for example.
- Create a strong password that is a combination of upper and lower case letters, numbers and symbols, at least 14 characters in length.
- Make sure you provide administrative rights to the new user.
- Enter a Nickname that will display publicly as the author of your posts.
Deleting the admin user
- After you create the new user account with administrative privileges – log out.
- Log back in using the new credentials
- Navigate back to Users > All Users
- Under the user “admin” click delete
- On the next screen you will be prompted to attribute all the posts under the admin user to someone else. Select your new user account.
- Click the Confirm Deletion button
- Voilà, bad user name be gone.
That’s it. Any Questions?
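An added example, not part of the original post: a small Python audit that applies the post's username and password rules to a user export and to a candidate password. The column names assume the CSV layout of WP-CLI's `wp user list --format=csv`; the sample rows, site title, wordlist and the nickname-equals-login check are assumptions of this example.

```python
import csv
import re
import string

MIN_PASSWORD_LEN = 14  # minimum length given in the post

def _norm(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())  # keep letters and digits only

def audit_admins(users_csv, site_title):
    """Map each risky administrator login to the reasons it is easy to guess."""
    title, report = _norm(site_title), {}
    for row in csv.DictReader(users_csv.splitlines()):
        if "administrator" not in row["roles"].split(","):
            continue
        login, reasons = _norm(row["user_login"]), []
        if login == "admin":
            reasons.append("login is 'admin'")
        if title and len(login) >= 3 and (login in title or title in login):
            reasons.append("login derived from site title")
        # Assumption of this example: a public nickname equal to the login leaks it.
        if _norm(row["display_name"]) == login:
            reasons.append("public nickname equals login")
        if reasons:
            report[row["user_login"]] = reasons
    return report

def password_problems(password, words=()):
    """Check a candidate password against the post's rules; words is a caller-supplied wordlist."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("shorter than 14 characters")
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "number": string.digits, "symbol": string.punctuation}
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append("no " + name)
    if any(len(w) >= 4 and w.lower() in password.lower() for w in words):
        problems.append("contains a dictionary word")
    return problems

# Constructed sample export and site title, for illustration only.
SAMPLE_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,admin,admin,owner@example.com,2012-01-05 10:00:00,administrator
2,janedoe,Jane,jane@example.com,2012-02-01 10:00:00,administrator
3,RexMiloPip,Studio Notes,studio@example.com,2013-04-12 09:30:00,administrator
4,guest,guest,guest@example.com,2013-04-12 09:31:00,subscriber
"""
SAMPLE_TITLE = "Jane Doe Art"
```

Run `audit_admins` again after deleting the old account; an empty result means no administrator login matches any of the checks.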