WordPress Exploits: Strong Passwords Can Foil Would-Be Hackers
Marc Cornish, April 22, 2013
WordPress is one of the most popular Content Management Systems currently being used on the Internet. In fact, more than 60 million websites currently use the popular CMS. For the average user who does not have a strong technical background, WordPress is an ideal back-end for a website because it allows users to easily update and maintain the content on their websites. From an SEO-perspective, WordPress has tons of great features built in, or easily added with one of the many plugins that have been developed by their network of open source developers. But just as with any popular piece of software, there are risks.
Recently a massive attack was launched against websites running WordPress and Joomla CMSs. Characterized as a ‘brute-force’ attack, the method of infiltration was to use as many different computers as possible to try as many different username/password combinations as possible.
The attacker was able to utilize over 90,000 unique IP addresses from all around the world in a coordinated attack on the default login pages of the popular content management systems. Using the standard username ‘admin’, the automated attack then attempted to gain access by trying thousands upon thousands of different passwords.
The result was a huge strain on hosting servers, which caused many websites to go down or load poorly. In worst-case scenarios, the attacker was able to gain access to website owners’ CMS dashboards where they can do as they please. Preventing and stopping attacks in progress was a task that each hosting provider handled differently. Many opted to change the URL of the default login pages that the CMSs use, or to remove them completely. For many people though, the biggest question is "What can we do to prevent this from happening again?" The answer may be easier than you think.
While it is nearly impossible to prevent some lunatic from launching a wide-spread hacking attack on any website he/she/it wants to, there are steps you can take to make this task exceedingly difficult for them. With a brute force attack such as this one, the prey was websites with weak passwords. ‘Password’, ‘12345’, ‘login’…if your password resembles any of these, then you have a weak password. Strong passwords are crucial to keeping your site secure.
You may be wondering "What is a strong password?" Generally, you want the password to be at least 8 characters, and a good mix of letters, numbers, and special characters, with some capitalizations thrown in as well. Many CMSs come with a built-in password strength checking tool, but if you find yourself wondering, you can use one provided by Microsoft: https://www.microsoft.com/security/pc-security/password-checker.aspx.
You’ll also want to make sure you have a unique username as well. ‘Admin’, ‘User’, ‘Manager’…avoid simple usernames such as these. Try to pick a username that is a mix of letters and numbers. Case sensitivity is normally not important when setting these up, and special characters are often not allowed. Pick something that is unbiased and does not have anything generally in common with the website it is being used for.
These tips are great for your CMS logins but can be applied to all aspects of your life. Applying these simple principals when signing up for bank accounts, customer accounts at ecommerce websites, or loan or credit accounts can save endless amounts of frustration in the future. When it comes to your personal information, privacy is key. Having a strong set of login credentials will help you keep your personal information out of the hands of hackers. If you do not have strong credentials, take some time today to update them, you (and your wallet) may thank you later.