You may have seen it in the news: over 90,000 WordPress blogs have been hacked so far. This time, hackers are going after blogs with the default username “admin” and guessing their passwords by brute force. You can easily protect your blog from this attack. Follow all of these steps, as they are all necessary and important.
1. Check your username. Is it “admin”? No problem, you can change that in just a few minutes. If it isn’t “admin,” go ahead and skip down to steps three and eight.
2. In your WordPress admin panel, go to “Users,” then “Add New.” For this user, don’t put in “admin” or anything similar. Also, don’t choose a username that can be easily guessed, like your name or some other information about you found easily online. You will have to enter a unique email, but you can change it later.
3. Create a new password. Make sure it’s something random with upper and lowercase letters, numbers, and symbols. WordPress has a detailed guide on creating a strong password.
4. Now select the role of this new user. Make sure the role is set to “Administrator.” Only the Administrator has access to everything in your admin panel, including the power to delete and add new users.
5. Once you’ve added your new user, log out of WordPress. When you log back in, sign in as the new user you just added.
6. Go to “All Users” in your admin panel. When you hover over “admin,” two options will appear underneath the name. Go ahead and click on “delete.” Attribute all posts to your new user, and press “Confirm deletion.”
7. Now, edit your new profile. In the Name section is a drop-down menu for “Display name publicly as.” For some reason, WordPress defaults it to your username. You don’t want that, because everyone can see your username and it defeats the purpose of changing it from “admin” in the first place. (Even if your username doesn’t show on the blog, it will show on your RSS feed.) Whatever you pick from the drop-down menu, make sure it’s not your username.
Congratulations! You’re one step closer to shutting down the hackers behind this round of attacks.
8. You can put a stop to those brute force password attacks, too. Download the WordPress plugin Limit Login Attempts. It does exactly what it says, and you can decide how many attempts to allow. We recommend three or five to give yourself a good shot at remembering your correct password without allowing a brute force attack to work. With a strong password, an attacker will need far more than five tries.
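If you want to see whether your blog is already being hit by this kind of attack, you can look in your web server’s access log for the same thing the plugin counts: repeated login submissions from one address. The script below is an added example (not code from the plugin or from WordPress) that reads Apache/nginx combined-format log lines, counts POSTs to wp-login.php per IP inside a sliding time window, and flags any IP that exceeds the attempt limit. It assumes the standard WordPress behavior that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines are constructed for the example.

```python
"""Flag IPs hammering wp-login.php, using combined-format access log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format; only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failed_attempts} for IPs whose failed logins exceed
    max_attempts within any window-long span. Assumption: WordPress answers a
    failed POST to wp-login.php with 200 (form shown again) and a successful
    one with a 302 redirect, so only status 200 counts as a failed attempt."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:   # drop attempts outside the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged

# Constructed sample: one address fails six times in six seconds, another logs in normally.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Apr/2013:10:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3520'
     for i in range(1, 7)]
    + ['198.51.100.4 - - [12/Apr/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3011',
       '198.51.100.4 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG.splitlines()))   # {'203.0.113.7': 6}
```

Feed it your real log with `find_bruteforce(open("access.log").readlines())`; any IP it prints is a candidate for blocking at the firewall or in the plugin’s lockout list.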
For other ways you can protect your blog against a hack, check out our last article, How to Prevent Your Blog From Being Hacked. Do everything we recommend, and you won’t have to worry.
Has your blog been hacked before? How did you beef up security?