A few days ago, I was quite surprised when logging into this site. I saw a notification from Jetpack on my WP dashboard page that said it had blocked several malicious login attempts. Since I’ve installed the Simple Login Log plugin, I could see the details of those attempts. Here is the screenshot of those malicious login attempts:
You can see that there are 13 login attempts, and you can see the similarities between them. One obvious similarity is that all of them tried to log in using the username ‘admin’. The attacker also made the attempts at 2-minute intervals, which means he/she tried to log in once every two minutes.
Since Jetpack Protect blocks an IP if it fails to log in a maximum of 5 times, the attacker used more than one IP. I knew the attempts were made by one attacker because the interval between the attempts was consistent. I think the attacker used some kind of brute-force software to try the hacks.
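The pattern described above (one username, several IPs that each stay within the per-IP limit, and a steady interval) can be checked mechanically in a login log. The following Python is an added example, not part of the original post or of Jetpack; the function name, the thresholds, and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not the log from the post): 13 failed 'admin' logins,
# about 2 minutes apart, rotating over 3 documentation-range IPs, plus one
# ordinary user who mistypes a password once.
START = datetime(2024, 1, 1, 10, 0, 0)
IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.42"]
SAMPLE = [(START + timedelta(minutes=2 * i, seconds=i % 3), "admin", IPS[i // 5], "failed")
          for i in range(13)]
SAMPLE += [(START + timedelta(minutes=3), "editor", "192.0.2.99", "failed"),
           (START + timedelta(minutes=4), "editor", "192.0.2.99", "success")]


def find_distributed_bruteforce(rows, min_attempts=6, min_ips=2, max_jitter=0.25):
    """Flag usernames whose failed logins come from several IPs at a steady pace.

    rows: iterable of (timestamp, username, ip, result) tuples.
    The thresholds are illustrative assumptions, not Jetpack settings.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in rows:
        if result == "failed":
            by_user[user].append((ts, ip))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        per_ip = Counter(ip for _, ip in events)
        if len(events) < min_attempts or len(per_ip) < min_ips:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means machine-like, evenly spaced attempts.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[user] = {
                "attempts": len(events),
                "ips": sorted(per_ip),
                "max_per_ip": max(per_ip.values()),  # the count a per-IP lockout sees
                "avg_gap_s": round(avg),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_distributed_bruteforce(SAMPLE).items():
        print(user, info)
```

On the constructed sample, no single IP exceeds 5 failures, yet grouping by username surfaces all 13 attempts as one campaign.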
The attacker basically tried to log in using the username ‘admin’ and any combination of passwords generated by the software. Why did the attacker use ‘admin’ as the username? Why didn’t the attacker brute force the username as well?
Well, it’s because ‘admin’ is the default username of WordPress administrators when they install their WordPress sites for the first time. If they didn’t change the username when they installed WordPress, then it must be ‘admin’. Attackers know this and use it to try hacking WordPress sites.
If attackers tried to brute force the username as well, it would be a never-ending story because they don’t know what username a user chose. So, the safest bet is to use the most common usernames such as admin, administrator, etc.
If you want to experiment yourself, install a WordPress site with the username ‘admin’ and the password ‘qwerty’. After it’s indexed by a search engine, wait for it to get hacked within days.
All WordPress sites face this attack all the time. So if you’re using WordPress and don’t want your website to get hacked, never use ‘admin’ as your login and database username. It’s being exploited by attackers, and the best way to prevent it is to avoid using that username.
Don’t be too lazy to change a few letters (a.k.a. the username), because that puts your website in jeopardy!