The brute force attack scare

There is a story spreading on the internet of a brute force attack hitting WordPress sites and trying to break into your site.

A brute force password attack happens when a program tries to guess your password by simply trying lots of different possibilities – and making educated guesses.

This is even more important at the moment as there is evidence that the number of attacks per day may have more than doubled.

Luckily, or unluckily, the site owners most likely to be affected are those who have been ignoring simple advice for a long time – and will probably ignore this advice too.

Make yourself ‘lucky’

Luck is almost always about simple preparation. If you take note of the following then you are way ahead of 99% of people and probably safe from the current password attack.

Basically – don’t use the default user name and choose a good password. One of the most commonly attacked names is ‘admin’. Your user names should not be obvious or easy to guess.

The simplest way to defend yourself against a password brute force attack is to not use a well known user name or password. If you do this then you are more protected than 99% of people. Make that luckier than 99% if you like.

How to check user names on your WordPress site

The first thing to do is make sure you don’t have a commonly used user as an administrator. Do this now:

  1. Log into the administration area of your site.
  2. Choose Users from the menu and look at the list of user names and the access they have.

If you see one called Admin then you are at risk. Mitigate this risk by setting up another account as the Administrator, then either delete the old admin account (reallocating any posts associated with it to the new one) or change its role to something safer like subscriber or none. Personally I’d delete the account.
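The same check can be run from the command line on a site where WP-CLI is installed. The script below is an added example, not part of the original post: it takes the list of administrator user names (in real use, the output of `wp user list --role=administrator --field=user_login`) and flags any that match a commonly guessed name. The list of names other than ‘admin’ is an assumption about what a guessing program tries first, and the sample input is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post). Flags administrator accounts whose
# user name is one a brute force program would guess first. 'admin' is the name
# the post warns about; the others are assumptions added for illustration.
COMMON_NAMES="admin administrator root test user"

# flag_common_admins: reads one user_login per line from stdin and prints the
# ones that match a commonly guessed name (case-insensitive). Prints nothing
# when the list is clean. Always returns 0 so it is safe under 'set -e'.
flag_common_admins() {
  while IFS= read -r login; do
    [ -n "$login" ] || continue
    lower=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
    for name in $COMMON_NAMES; do
      if [ "$lower" = "$name" ]; then
        printf '%s\n' "$login"
        break
      fi
    done
  done
  return 0
}

# Constructed sample standing in for the live command:
#   wp user list --role=administrator --field=user_login
SAMPLE_ADMINS="Admin
editor_jane
wp_site_owner"

printf '%s\n' "$SAMPLE_ADMINS" | flag_common_admins

# Remediation, as described in the post, using real WP-CLI commands. Values in
# angle brackets are placeholders you fill in for your own site:
#   wp user create <new-login> <email> --role=administrator --user_pass=<strong-password>
#   wp user delete <old-admin-id> --reassign=<new-admin-id>
# The --reassign option moves the old account's posts to the new one before it is removed.
```

On a live site, replace the constructed `SAMPLE_ADMINS` with the real `wp user list` output, for example `wp user list --role=administrator --field=user_login | flag_common_admins`. Any name printed is an account to replace and then delete or downgrade.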

Don’t get sucked into too much hype

One of the things to be aware of when reading latest news is that it is often sensationalised to get you to read it.

Matt Mullenweg, a founder of WordPress, has written a great article reminding people that doing something simple is enough, and that some of the advice being given is more about selling products than about keeping you up to date and safe.

Take some simple advice

The simple solution is often the best – or at least a lot better than doing nothing. The reason these brute force attacks work is that people don’t change things once they are set up and they choose common settings or defaults.

Be a bit different – make yourself ‘lucky’

Do not use admin as your administrator name, and do a simple check of your site now.