WordPress attack underway; how to avoid being hacked


A botnet controlled by bad guys is doing a brute-force attack on WordPress sites, apparently via the former default “admin” administrative account. My hosting provider offers these instructions on how to avoid this particular issue:

Until a couple of years ago, the default/starter account on every WP site was named “admin.” That’s no longer true, but there are still a lot of sites out there with an account called “admin.”

There is currently a large-scale botnet-driven attack going on that is trying to brute-force its way into WP sites by guessing passwords on the “admin” account.

Visit the Dashboard of each of your WordPress sites, click on Users, and make sure none of the accounts are called “admin.” If you find any, please make sure you have another account with Administrator privileges, then log in with that new account name and delete the account named “admin.”

While you’re in there, please take the opportunity to make sure you’re using a good strong password, and to update WordPress itself and all of your plugins.

UPDATE: Ars Technica has a deeply reported piece on this attack, with some excellent additional advice. I’m installing two plugins Ars recommends, one to limit login attempts and another that is a popular security add-on.

Nieman Journalism Lab on New Project

I gave a talk last week about this project at the Harvard Berkman Center for Internet and Society. (Video here.) The Nieman Journalism Lab’s has done a nice write-up here; it focuses more on the journalistic aspects of what I’ve been working on than the overall theme. Key thoughts from her piece:

These issues fall very low on the priority list for an industry that Gillmor described as being in a constant state of desperation. But the dangers are real, Gillmor says, and with his new project, he hopes to find ways of bringing the convenience of private platforms to services that are both free and secure.