WordPress Website Security

Everyone and his uncle is now waking up to an imminent attack on WordPress websites.

Web hosting company Hostgator reported this past week “there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack… this is a global issue affecting all web hosts.”


WordPress sites are known to be a popular platform for hackers because they are easy to penetrate. Often the ‘bad-guys’ will insert malware or even deface a site completely. Some are out having fun, while others have very malicious intent!

Word is out that they’re currently using a network with around 90,000 IP addresses to compromise your website and in the future do something sinister using it (and that can lead to your ISP blocking you, or even worse – your website getting penalized or deemed unsafe by Google, your website can be de-indexed).

Once they’re in, I suspect they’ll replace some of the PHP code in the site via injection to get back in later… when they want.

They’re not really “defacing” anything … yet (as far as I’ve heard).

What do you think the cost would be to your business if you were hacked today?

I’m sure you have taken numerous precautions to protect your physical location, but has the same been done for your website?

The current attacks appear to be simply targeting the vulnerability of the default WordPress login Username “admin”. The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations.

These bad-guys appear to be going after the low-hanging fruit, which is most often found in novice Web user websites, who don’t take the time to switch from their default login information. The pattern is pretty standard based on my observation. They’re trying the ‘admin’ username login. If it exists, they’re trying some simple password variations (and running cracking tools).

As an example, here are some of the Usernames attempted on sites that I’ve seen from my logs:

  1. “admin”
  2. “admin123”
  3. “root”
  4. “administrator”

So, if you are still using the default WordPress username “admin,” change it; and use a stronger password!

Here’s what you do. It just takes five minutes, tops.

  1. Simply go to your WordPress “Dashboard” and create a new user with ‘Administrator’ privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password (a mix of at least eight upper and lowercase letters, numbers and ‘special’ characters). Then log out and log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user.

Changing your login username from the default ‘admin’ and giving it a strong password is a start to securing your website. I would also suggest you change the publicly displayed name for blog posts from the new username to something else.

Also, be sure to update and upgrade your WordPress installation, all needed plugins and your theme (as well as deleting any plugins and themes you are not using).

Again, it’s a start, and perhaps you are no longer low-hanging fruit to these bad-guys.

Additionally, here are 3 security tests you should run on your WordPress website. Failing any one of these three tests indicates your website is vulnerable to hacking.

  1. – a blank white screen means your configuration file is insecure – your passwords can be read!
  2. – version number is publicly readable – it’s easier to find known exploits which even inexperienced hackers can use!
  3. – installation script is still open – someone can simply destroy your current website with the click on a button!

I strongly recommend that you get these problems fixed as soon as possible.

Not trying to scare you, but I believe it’s only a matter of time until we see more sophisticated attacks. Time is of the essence! Can you and your business afford to be their next victim?

I’m offering a free audit with review; then a security fix for WordPress websites as a service to local business owners for a very small fee. The security audit and review are free; my security fix service is $100/hour.

Contact me at my personal email or (214) 810-3007 for your free security audit.

wordpress security update

My work involves your security, I should only discuss these concerns with you.

I look forward to hearing from you.

Best regards,

Nick Nicholls
(a collection of my digital footprint)

PS: I can install the proper advanced security measures for you in approximately 2-4 hours (if it’s not infected) and my usual hourly rate is $100/hour. However, if you contact me directly, I’ll take a 100 bucks off. Call me at (214) 810-3007 or email to right now!


Publish Your Own iPad Magazine