If you’re like most internet users, you regularly sign up for a site or service that requires a password, and keeping track of the passwords for everything gets to be a pain in the rear. I’m currently working with a client who has a good number of WordPress sites. Recently, this person’s sites were all compromised and a bogus Administrator account with the same name was set up on each one. The client wondered how all this happened and whether she was the victim of some personal attack.

Usually, these incursions are NOT because your name is “Bob”, because you’re a Freemason or anything like that. Most likely it is because your site(s) have been hammered by repeated attempts to gain access from Viet Nam, China, the Ukraine, Holland & probably a lot more places. The hacker – or hackette – doesn’t care whom the site belongs to – just that it’s a WordPress site. They employ web-crawling software robots that look for WordPress sites, and when one is found, they immediately try to break in using the default user name – “admin” – and various combinations of characters as the password. Since it’s a robot doing the dirty work, it doesn’t matter how many times it tries to gain entry. Sooner or later, the robot will either find the right combination of characters or give up because it has reached some limit on the number of attempts set by the hacker.

If it does get in, the robot will make a note of the user name/password combination for that site and then set up a bogus account with administrator privileges, and a second robot will use that account to spike your site with malware, links to scare-ware sites, etc. If you have more than one WordPress site, the robot will use the same combination as a starting point for your 2nd site, and so on.

The lessons to be learned from this are:

  • DO NOT use the default user name for WordPress – or whatever – on a permanent basis. Use it just long enough to create a less than obvious user name for the Administrator account.
  • DO NOT create a password that is a repetition of the user name or any variation of it, such as “spotnap” for “pantops”, or the user name with upper case letters substituted for lowercase ones & vice versa, etc.
  • DO create a password that is a combination of upper & lower case letters, numbers and special characters such as “!$%()”, etc.
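
A small checker that encodes the three rules above as code, added here as an example and not part of the original post. It goes slightly beyond the post by also rejecting a password that merely contains the user name or its reversal; the 12-character minimum and the sample user/password pairs are assumptions of mine, not values from the post.

```python
from __future__ import annotations

import string

# "Special characters" per the post: “!$%()” and the like. string.punctuation covers them all.
SPECIALS = set(string.punctuation)

# The default WordPress account name the post says never to keep.
FORBIDDEN_USERNAMES = {"admin"}


def is_username_variation(username: str, password: str) -> bool:
    """True when the password is the user name, its reversal ("pantops" -> "spotnap"),
    or contains either one. Comparison is case-insensitive, so swapping upper and
    lower case letters does not help."""
    name = username.lower()
    pw = password.lower()
    if not name:
        return False
    return name in pw or name[::-1] in pw


def password_problems(username: str, password: str, min_len: int = 12) -> list[str]:
    """Return every rule the user name/password pair breaks; an empty list means it passes.
    min_len is an assumed policy value; the post gives no specific length."""
    problems: list[str] = []
    if username.lower() in FORBIDDEN_USERNAMES:
        problems.append("user name is a default account name")
    if is_username_variation(username, password):
        problems.append("password is a variation of the user name")
    if len(password) < min_len:
        problems.append(f"password shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs for illustration only.
    for user, pw in [("admin", "admin123"), ("pantops", "SpotNap!99"), ("site_owner", "Tw0-Tin+Kettles!")]:
        print(f"{user} / {pw}: {password_problems(user, pw) or 'OK'}")
```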

OK, so you don’t have a blog site. These same principles apply to user names and passwords for everything from Amazon.com to Zappos.com, and you should use a different combination for each one. So how do you remember all of the different passwords? I used to work for a company that required its employees to change their password every 60 days. All you had to do was to cruise by someone’s cubicle after hours and you were likely to find a Post-it™ note with the latest iteration of their password scribbled on it. Instead, use a password-keeper to store all of your passwords. I have used one called “Password Safe” since the mid-90s and it’s free at pwsafe.org. Besides Windows, there are versions – sometimes under a different name – for Linux, iOS, Android and OS X. Of course, there are a bunch of similar products out there and a good many of them are free. Just remember to use it!

Therefore, DO NOT have a bunch of sites using “admin” & the same password over & over again. Don’t use “admin” at all! Have a different administrator name and password combination for each site. The password should be a combination of upper & lower case letters, numbers and special characters.
