Lots of people are talking about the latest attack on WordPress-hosted sites.
One recommendation from Matt Mullenweg, WordPress founder, is:
If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress.
That first comment is the one that seems to be confusing a lot of people. Change it? Change it!?!? I can’t change a username!
“Changing” the admin account username is actually a create / delete process: you create a new account and then delete the old “admin” one. He worded it poorly, but it’s still valid advice.
Here’s how you do it:
1. Create another user (the replacement for “admin”), preferably with a hard to guess username and a strong password:
- Use all four of the following: upper and lower case letters, numbers, and special symbols (!@%#^&*, etc.).
- Better still, use a password generator. I prefer offline generators like the ones built into password keepers (more about those below) such as Password Corral and KeePass, since there is less likelihood that someone is watching and recording the generated passwords, but most well known online generators are likely safe too. (Symantec offers one, for example.)
- Record this password somewhere it can’t be stolen. I use both Password Corral and KeePass.
2. Delete the “admin” user.
3. Assign its posts, etc. to the new user, or to another user.
4. Log in as a non-administrative user when doing anything other than admin work. You don’t need to be an administrator to blog about your cat, dog, food project or latest quilt.
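The create / reassign / delete steps above, scripted for people who manage their site from a terminal. This is an added example, not code from the original post; it assumes WP-CLI (https://wp-cli.org/) is installed and the script is run from the WordPress root directory, and the password rule it enforces is the four-character-class rule from step 1.

```shell
#!/bin/sh
# Added example, not from the original post: the create / reassign / delete steps
# above via WP-CLI (https://wp-cli.org/), assumed installed, run from the WP root.
export LC_ALL=C

# True when the string contains upper case, lower case, digits and symbols.
has_all_classes() {
  printf '%s' "$1" | grep -q '[A-Z]' &&
  printf '%s' "$1" | grep -q '[a-z]' &&
  printf '%s' "$1" | grep -q '[0-9]' &&
  printf '%s' "$1" | grep -q '[!@%#^&*]'
}

# Random password from /dev/urandom, retried until all four classes appear.
gen_password() {
  len="${1:-24}"
  while :; do
    pw=$(tr -dc 'A-Za-z0-9!@%#^&*' </dev/urandom | head -c "$len")
    if has_all_classes "$pw"; then
      printf '%s\n' "$pw"
      return 0
    fi
  done
}
# Random lowercase alphanumeric login, so the username is not guessable.
gen_username() {
  tr -dc 'a-z0-9' </dev/urandom | head -c "${1:-12}"
  echo
}
# Create the replacement administrator, hand admin's content to it, then
# delete admin. WP-CLI exits non-zero (and set -e stops us) on any failure.
rotate_admin_user() {
  new_user="$1"; new_email="$2"; new_pass="$3"
  # --porcelain makes WP-CLI print only the new user's ID.
  new_id=$(wp user create "$new_user" "$new_email" \
             --role=administrator --user_pass="$new_pass" --porcelain)
  # Reassign first: without --reassign, WP-CLI deletes admin's posts too.
  wp user delete admin --reassign="$new_id" --yes
  echo "Created $new_user (ID $new_id) and deleted the admin user."
}
# Only act when invoked with --run, so the file can also be sourced:
#   sh rotate-admin.sh --run you@example.com
if [ "${1:-}" = "--run" ]; then
  set -e
  user=$(gen_username); pass=$(gen_password 24)
  rotate_admin_user "$user" "${2:?email address required}" "$pass"
  echo "Login: $user  Password: $pass  (store both in your password keeper)"
fi
```

Log in with the new account before running it for real, since WordPress will not let an account delete itself, and copy the printed login and password straight into your password keeper.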
Matt also mentions in the comment above that if your WP installation isn’t up to date, you should do the updates.
This includes your plugins and your themes. Let’s be honest, it’s a bit of a pain sometimes to do the admin work when all you want to do is blog, but the latest versions of WordPress, your plugins, and your themes are the most secure ones. It really only takes a couple of seconds.
Today’s attack is about trying to gain admin access to your blog through brute force, but that is only one way in. The other ways usually involve exploiting vulnerabilities in the software running on the site, and plugins, themes, and WordPress itself are all software. Give yourself the best chance of keeping control of your site, and keep it up to date.
As always, if you have questions about this, or just need a little help, leave a comment below, or you can always reach us via email or phone.