WordPress Botnet Attacks - How to protect your site

Posted Apr 17, 2013 | ~4 minute read

At the moment there's a lot of hype surrounding the recent botnet attacks on WordPress sites and I wanted to jump in with a quick and easy way to check if you could be affected by this attack, and more importantly, how to fix it!

So what's the problem, and what is a botnet attack?

Someone has written a piece of malware that has infected a large number of PCs around the world. Once installed it doesn't delete your files; it sits there idly, topping up its sun-tan, until it receives instructions from whoever controls it. A crowd of infected machines waiting for orders like this is a botnet, which is where the name of the attack comes from.

In this case, the instruction it has received is to try to break into WordPress sites on the web. It does this by requesting the login page (wp-login.php) and then submitting login attempt after login attempt with the username "admin" and passwords taken from a list of common passwords and dictionary words. If it gets in, it simply records that it has and does nothing else, yet. If it can't, it moves on to the next site on its list. Because the guesses are spread across every infected PC in the botnet, no single address hits your site very hard, so blocking one IP does very little.

This initial phase doesn't do anything visibly malicious, but that doesn't mean it won't: a site whose administrator password is now known to the attacker can be taken over whenever they choose. Acting now will secure your site against this attack and similar ones in the future.
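The attack described above leaves a very recognisable trace in the web server's access log: a run of POST requests to wp-login.php from one address, each answered with a 200 (WordPress re-renders the login form on a failed attempt) and, if a password works, a 302 redirect into wp-admin. The script below is an added example written for this article, not code from the original post: it reads lines in Apache's combined log format and reports every address that POSTed to wp-login.php at least a threshold number of times, marking the ones that also received a 302. The log lines, the IP addresses and the threshold of 5 are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in Apache "combined" format (not real traffic).
# 203.0.113.5: 8 failed guesses (200) then one success (302).
# 198.51.100.7: a normal login (one POST, then the dashboard).
# 192.0.2.9:    6 failed guesses, nothing else.
SAMPLE_LOG='203.0.113.5 - - [17/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2013:09:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2013:09:05:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2013:09:05:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2013:09:10:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'

sample_log() { printf '%s\n' "$SAMPLE_LOG"; }

# wp_login_report THRESHOLD < access.log
# One line per address with at least THRESHOLD POSTs to wp-login.php:
#   <ip> <posts> <answered 200> <answered 302> <verdict>
# Combined-format fields: $1 ip, $6 "METHOD, $7 path, $9 status.
wp_login_report() {
  awk -v thr="${1:-5}" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      posts[$1]++
      if ($9 == "200") fail[$1]++        # form re-rendered: bad password
      else if ($9 == "302") ok[$1]++     # redirected: the password worked
    }
    END {
      for (ip in posts) {
        if (posts[ip] < thr) continue
        verdict = (ok[ip] > 0) ? "BRUTE-FORCE-SUCCEEDED" : "BRUTE-FORCE-ATTEMPT"
        printf "%s %d %d %d %s\n", ip, posts[ip], fail[ip] + 0, ok[ip] + 0, verdict
      }
    }'
}

# wp_login_posts_per_hour < access.log
# Site-wide count of POSTs to wp-login.php per hour ("17/Apr/2013:09 16").
# A botnet spreads guesses over many addresses, so this total is the
# number that climbs even when no single IP crosses the threshold.
wp_login_posts_per_hour() {
  awk '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hour[substr($4, 2, 14)]++ }
    END { for (h in hour) printf "%s %d\n", h, hour[h] }'
}

# Helpers that run both reports over the constructed sample.
report_for()            { sample_log | wp_login_report "$1"; }
posts_per_hour_sample() { sample_log | wp_login_posts_per_hour; }

# Example run (the verdict lines come out in no particular order):
#   report_for 5
#   posts_per_hour_sample
```

Against a real log, `wp_login_report 20 < /var/log/apache2/access.log` is the per-address view and `wp_login_posts_per_hour` the site-wide one; during a distributed attack the second is the one that moves. A 302 in reply to a POST to wp-login.php is also exactly what your own successful login produces, so treat BRUTE-FORCE-SUCCEEDED as something to confirm in the dashboard (and by changing the password), not as proof on its own.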

Golly, how do I fix this, or check if I could be cracked into?

Easy as pie!

First of all, if you log in to your WordPress site with the username "admin", you're doing it all wrong, and you're in what I'm going to casually refer to as the high-risk category: the attacker already knows half of your login details.

If you don't log in with the username "admin", it's still worth checking whether a user with that username exists on your site and, if it does, getting rid of it.

I log in with the username "admin"

Put down that cup of tea, and run through these instructions :

  1. Log in to your WordPress website with your current login details. 
  2. Go to the "Users" tab, and click the "Add New" button.
  3. Create a new user with a different username (not a trivial variant like "administrator", either) and, importantly, set the "Role" of that user to "Administrator". Choose a long, unique password for it!
  4. Once the user has been created, log out of your WordPress site.
  5. Once you're back at the login form, log in with the user you just created.
  6. When you're back in your site, go to the "Users" tab again and click on "All Users".
  7. This time, delete the "admin" user. WordPress will ask what to do with the pages and blog posts written under that account; attribute them to the user you just created rather than deleting them.
  8. Sit back, and finish that cup of tea. This particular attack no longer has a username to guess on your site.

I don't login with the username "admin", what do I need to do?

By this point you've probably finished the cup of tea from the first set of instructions, so stop working for a moment and follow these:

  1. Log in to your WordPress website with your current login details.
  2. Click on the "Users" tab and use the search box to see whether a user with the username "admin" exists.
  3. If one exists, check whether there's another account on the site with the role of "Administrator" (the "Role" column, or the "Administrator" filter above the list, shows this). If so, go ahead to point 4. If not, follow points 2 and 3 of the first list.
  4. Delete the "admin" user. It'll ask you who you would like to assign the pages and blog posts you've written under that account to, and select your account, or another user with the role of "Administrator".
  5. You're done!
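Both procedures above, for anyone who manages their site from the command line, as an added example rather than the author's own instructions: it uses WP-CLI's `wp user` subcommands (`get`, `list`, `create`, `set-role`, `delete`), which are assumed installed and run from the WordPress root, and it is safe to re-run. The username `siteowner`, the e-mail address and the `WP_NEW_PASS` variable are example names chosen here.

```shell
#!/bin/sh
# replace-admin.sh: create a replacement Administrator and remove "admin",
# reassigning its posts and pages to the new account (WP-CLI, assumed on PATH).
set -eu

# Reject the username we are trying to get rid of and its obvious variants.
# Returns 0 when the name is acceptable, 1 otherwise.
is_acceptable_username() {
  [ -n "$1" ] || return 1
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    admin|administrator|root|wordpress) return 1 ;;
  esac
  return 0
}

# The "is there another Administrator?" check from the second procedure.
list_admins() {
  wp user list --role=administrator --field=user_login
}

# replace_admin_user NEW_LOGIN NEW_EMAIL
#   1. make sure NEW_LOGIN exists and is an Administrator (creating it if needed,
#      with a random password unless WP_NEW_PASS is set),
#   2. delete "admin" and hand its content to NEW_LOGIN.
replace_admin_user() {
  new_login=$1
  new_email=$2
  is_acceptable_username "$new_login" || {
    echo "refusing to use '$new_login' as the replacement username" >&2
    return 1
  }

  admin_id=$(wp user get admin --field=ID 2>/dev/null || true)
  if [ -z "$admin_id" ]; then
    echo "no user named 'admin' exists; nothing to do"
    return 0
  fi

  new_id=$(wp user get "$new_login" --field=ID 2>/dev/null || true)
  if [ -n "$new_id" ]; then
    echo "'$new_login' already exists (ID $new_id); making sure it is an Administrator"
    wp user set-role "$new_id" administrator
  else
    new_pass=${WP_NEW_PASS:-$(openssl rand -base64 24)}
    new_id=$(wp user create "$new_login" "$new_email" \
               --role=administrator --user_pass="$new_pass" --porcelain)
    echo "created Administrator '$new_login' (ID $new_id) with password: $new_pass"
  fi

  # --reassign is the command-line equivalent of "Attribute all content to".
  wp user delete "$admin_id" --reassign="$new_id" --yes
  echo "deleted 'admin' (ID $admin_id); its posts and pages now belong to '$new_login'"
}

# Usage, from the WordPress root:
#   . ./replace-admin.sh
#   list_admins
#   replace_admin_user siteowner owner@example.com
```

Log in as the new account afterwards and confirm the dashboard still shows your posts; if `list_admins` printed nothing but "admin" before you ran this, the script's create step is what gives you the second Administrator the second procedure asks for.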

Parting thoughts

It's worth mentioning here that you should also keep an eye on any updates available for your WordPress site, including its theme and plugins. WordPress is frequently updated to improve its security and add new features, and having an up-to-date site is half the battle won against attackers. Two more things: getting rid of "admin" only removes the username this particular botnet guesses. WordPress still gives away your real username in places like author archive links, so a long, unique password on every Administrator account matters more than the username does. And it's worth limiting how many failed login attempts an address may make, with a plugin or at the web server, so a brute-force run gets throttled instead of being allowed thousands of guesses.

If you need a hand with this, talk to your super-duper web developer!