WordPress Security

WordPress Website Security

Everyone and his uncle is now waking up to an imminent attack on WordPress websites.

Web hosting company Hostgator reported this past week “there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack… this is a global issue affecting all web hosts.”


WordPress sites are known to be a popular platform for hackers because they are easy to penetrate. Often the ‘bad-guys’ will insert malware or even deface a site completely. Some are out having fun, while others have very malicious intent!

Word is out that they’re currently using a network with around 90,000 IP addresses to compromise your website and in the future do something sinister using it (and that can lead to your ISP blocking you, or even worse – your website getting penalized or deemed unsafe by Google, your website can be de-indexed).

Once they’re in, I suspect they’ll replace some of the PHP code in the site via injection to get back in later… when they want.

They’re not really “defacing” anything … yet (as far as I’ve heard).

What do you think the cost would be to your business if you were hacked today?

I’m sure you have taken numerous precautions to protect your physical location, but has the same been done for your website?

The current attacks appear to be simply targeting the vulnerability of the default WordPress login Username “admin”. The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations.

These bad-guys appear to be going after the low-hanging fruit, which is most often found in novice Web user websites, who don’t take the time to switch from their default login information. The pattern is pretty standard based on my observation. They’re trying the ‘admin’ username login. If it exists, they’re trying some simple password variations (and running cracking tools).

As an example, here are some of the Usernames attempted on sites that I’ve seen from my logs:

  1. “admin”
  2. “admin123”
  3. “root”
  4. “administrator”

So, if you are still using the default WordPress username “admin,” change it; and use a stronger password!

Here’s what you do. It just takes five minutes, tops.

  1. Simply go to your WordPress “Dashboard” and create a new user with ‘Administrator’ privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password (a mix of at least eight upper and lowercase letters, numbers and ‘special’ characters). Then log out and log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user.

Changing your login username from the default ‘admin’ and giving it a strong password is a start to securing your website. I would also suggest you change the publicly displayed name for blog posts from the new username to something else.

Also, be sure to update and upgrade your WordPress installation, all needed plugins and your theme (as well as deleting any plugins and themes you are not using).

Again, it’s a start, and perhaps you are no longer low-hanging fruit to these bad-guys.

Additionally, here are 3 security tests you should run on your WordPress website.

Failing any one of these three tests indicates your website is vulnerable to hacking.

  1. – a blank white screen means your configuration file is insecure – your passwords can be read!
  2. – version number is publicly readable – it’s easier to find known exploits which even inexperienced hackers can use!
  3. – installation script is still open – someone can simply destroy your current website with the click on a button!

I strongly recommend that you get these problems fixed as soon as possible.

Not trying to scare you, but I believe it’s only a matter of time until we see more sophisticated attacks. Time is of the essence! Can you and your business afford to be their next victim?

I’m offering a free audit with review; then a security fix for WordPress websites as a service to local business owners for a very small fee. The security audit and review are free; my security fix service is $100/hour.

Contact me at my personal email or (214) 810-3007 for your free security audit.

wordpress security update

My work involves your security, I should only discuss these concerns with you.

I look forward to hearing from you.

Best regards,

Nick Nicholls
(my website for business owners, professionals and entrepreneurs)

P.S.: I can fix this for you in approximately 2-4 hours (if it’s not infected) and my usual hourly rate is $100/hour. However, if you contact me directly, I’ll take a 100 bucks off. Call me at (214) 810-3007 or e-mail to my personal e-mail nick[at]nicknicholls[dot]net right now.


P.P.S. Here are some eye opening statistics:

87% of INFECTED sites are running WordPress.

In one year, $1 Trillion dollars worth of intellectual property was stolen due to hackers.

Report finds that 90% of businesses studied were hacked once within a 12 month period and 77% of the same business group were hacked more than once in the same year.

230 SERIOUS vulnerabilities found on average in ALL websites.

23% of ALL cyber-crime happens in the United States of America1.

It only takes 10 MINUTES to CRACK a 6 character password.

Average cost of cyber-crime is $5.9 million dollars annually (research studied 50 large companies); 72 successful attacks per week and more than 1 per company.

Greatest $$$ lost in cyber-crimes is through inserting malicious code, denial in service, stolen devices, and web based attacks.

First juvenile ever sent to prison for hacking was 16 years old. He hacked into NASA computers stealing software worth $1.7 million costing NASA $41,000 in repair.

Average of 30,000 websites are infected DAILY with malware.

Information theft is the number 1 cost, followed by business downtime.

73% of ALL Americans have been victims of some type of cybercrime.

15 year old, “Mafiaboy”, a script kiddie cost some of the largest internet vendors $1.7 BILLION in February of 2000.



Europol. Cybercrime: Top 20 Countries by Europol The Center to Fight CyberCrime.

Goldman Russell, Recession Turns IT Workers Into Hackers. ABC News. 2009.

Grossman, Jeremiah. Whitehat Security Website Statistics Report; How Does Your Website Security Stack Up Against Your Peers? 12th Edition. 2012.

iSight. Cracking the Code on Password Protection. 2013.

Leeson, Peter. T. & Coyne, Christopher. J. The Economics of Computer Hacking. University Essay.

Ponemon Institute. Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies. ArcSight, HP Company. August 2011.

Sharp, R. Hack Attack Infographic: Lulzaec’s Hacks and Security Stats. 2011.

StopTheHacker. How StopTheHacker Works to Help Prevent Attacks on Websites.

Talmor, Eli. Cybercrime Victims Feel Ripped Off. Infosec Island. 2010.

Vijayan, Jaikumar. 90% of Companies Say They’ve Been Hacked: Survey. Computerworld. 2011.

Zscaler. WordPress Sites Hacked, Again! Threat Lab. 2010.



Publish Your Own iPad Magazine