If you’re like most internet users, you regularly sign up for a site or service that requires a password, and the passwords for everything get to be a pain in the rear. I’m currently working with a client who has a good number of WordPress sites. Recently, this person’s sites were all compromised and a bogus Administrator account was set up on each one, using the same name. The client wondered how all this happened and if she was the victim of some personal attack.
Usually, these incursions are NOT because your name is “Bob”, because you’re a Freemason or anything like that. Most likely it is because your site(s) have been hammered by repeated attempts to gain access from Viet Nam, China, the Ukraine, Holland & probably a lot more places. The hacker – or hackette – doesn’t care whom the site belongs to – just that it’s a WordPress site. They employ web-crawling software robots that look for WordPress sites and, when one is found, immediately try to break in by using the default user name – “admin” – and various combinations of characters as a password. Since it’s a robot doing the dirty work, it doesn’t matter how many times it tries to gain entry. Sooner or later, the robot will either find the right combination of characters or give up because it has reached some specified limit of attempts set by the hacker.
If it does get in, the robot will make a note of the user name/password combination for that site and then set up a bogus account with administrator privileges, and a second robot will use that account to spike your site with malware, links to scare-ware sites, etc. If you have more than one WordPress site, the robot will use the same combination as a starting point for your 2nd site, etc.
The lessons to be learned from this are:
- DO NOT use the default user name for WordPress – or whatever – on a permanent basis. Use it just long enough to create a less than obvious user name for the Administrator account.
- DO NOT create a password that is a repetition of the user name or any variation of it such as “spotnap” for “pantops”, substituting upper case letters for lowercase ones & vice versa, etc.
- DO create a password that is a combination of upper & lower case letters, numbers and special characters such as “!$%()”, etc.
Therefore, DO NOT have a bunch of sites using “admin” & the same password over & over again. Don’t use “admin” at all! Have a different administrator name and password combination for each site. The password should be a combination of upper & lower case letters, numbers and special characters.
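The three lessons above can be turned into a small pre-flight check that an admin runs before creating accounts across several sites. The following is an added example written for this post, not code from the post itself or from WordPress: it flags the default “admin” user name, passwords that are the user name reversed, re-cased or with common letter/digit swaps (the “spotnap” for “pantops” case), passwords missing one of the four character classes, and the same user name/password pair reused on more than one site. The site names and credentials in it are constructed sample values.

```python
import string

# Minimum length is an assumption of this example; the post only asks for mixed character classes.
MIN_LENGTH = 12

# Common letter-for-digit swaps that people use to "disguise" a user name as a password.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def username_variants(username):
    """Return lower-cased forms of the user name that a password must not contain:
    the name itself, the name reversed, and both with letter/digit swaps applied."""
    base = username.lower()
    reversed_base = base[::-1]
    return {base, reversed_base, base.translate(LEET), reversed_base.translate(LEET)}


def derived_from_username(username, password):
    """True if the password (ignoring case) contains any variant of the user name."""
    lowered = password.lower()
    return any(len(v) >= 4 and v in lowered for v in username_variants(username))


def has_required_classes(password):
    """Upper, lower, digit and a special character (string.punctuation covers !$%() etc.)."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def check_admin_credentials(username, password):
    """Return a list of problems with one administrator user name/password pair.
    An empty list means the pair passes every rule in the post."""
    problems = []
    if username.lower() == "admin":
        problems.append("default user name 'admin' is used")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if derived_from_username(username, password):
        problems.append("password is a variation of the user name")
    if not has_required_classes(password):
        problems.append("password lacks upper, lower, digit or special character")
    return problems


def find_reused_credentials(site_credentials):
    """site_credentials maps site name -> (username, password).
    Returns groups of sites that share the exact same pair, which is what lets a
    robot carry a cracked combination from the first site to the next."""
    by_pair = {}
    for site, pair in site_credentials.items():
        by_pair.setdefault(pair, []).append(site)
    return [sites for sites in by_pair.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample data: three sites, two of them sharing the default credentials.
    sites = {
        "blog-one.example": ("admin", "admin123"),
        "blog-two.example": ("admin", "admin123"),
        "blog-three.example": ("pantops", "SpotNap!2024"),
    }
    for site, (user, pw) in sites.items():
        print(site, check_admin_credentials(user, pw) or "OK")
    print("reused on:", find_reused_credentials(sites))
```

Run it as-is to see the sample set fail every rule; replace the dictionary with your own sites to audit them. The reuse check compares exact pairs, so two sites with the same password but different user names are not reported, which matches the post's rule that the combination must differ per site.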