For several years, WordPress automatically defined the initial admin username as “admin”. This meant that 99.99% of WordPress users used their admin as their login username.
It did not take long for hackers to catch onto this fact and use it to their advantage. They already knew the admin username, all they had to do now was guess the password. And with millions of people using simply generic passwords, they were able to hack into websites easily and insert their malicious code.
The only way to change your username from admin was to manually change it through your database. With so many WordPress lacking the knowledge of how to do this, their username was left as admin. Thankfully, WordPress now lets you create your own username when you install WordPress for the first time (though I have no doubt some people still choose admin!).
Around a week or so ago, I started seeing a significant increase in WordPress comment spam on this blog. I saw spam comments increase from two or three per week to hundreds per day. To combat the threat of hacking and reduce comment spam, I installed the Wordfence security plugin. It’s a great plugin that scans your directories for malicious files and makes your website much more secure.
The plugin is configured to email me whenever someone unauthorised tries to login to my website. The email details the time and date of the log in attempt, the IP address of the hacker and the username that they attempted to sign in with.
Here is an example of an email I received today:
This alert was generated by Wordfence on “Kevin Muldoon” at Monday 10th of March 2014 at 03:00:43 AM
The Wordfence administrative URL for this site is: https://www.kevinmuldoon.com/…
A user with IP address 184.108.40.206 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘admin’
User IP: 220.127.116.11
User hostname: 18.104.22.168.dynamic.ttnet.com.tr
I received a total of fifteen email alerts about unauthorised login attempts yesterday. I have always known that hackers use software to attack established websites, however I must admit that I was still a little shocked at the volume of attacks being made.
What did not shock me was that every attempt used the the username “admin”. I do not know much about hacking, but I imagine that if the possibility of hacking a website is small using generic keywords, the possibility is infinitely higher if you need to try it using random usernames too. Which is why hackers seem to be solely focusing on targeting websites who continue to use the “admin” username.
My advice to those of you who still use “admin” as your administrative username is to change it immediately. If you are not comfortable doing this directly through your database, I recommend using a plugin such as Admin renamer extended or Admin username changer. I also recommend installing Wordfence to help make your website more secure. You can also install it temporarily if you just want an idea of how often your website is being targeted by hackers.