It’s Probably a Good Time to Change Your Terrible WordPress Password
PSA of the day: Don’t use obvious usernames and passwords — like “username” and “password” — for your blog.
For one thing, it’s just dumb. It makes it easier for anyone to make a guess and take your account for a spin. Or perhaps, as in the most recent case, you’ll get cracked by a big scary hacker attack.
That’s what’s up with a slew of blogs on Friday evening, as one or more hackers used a “botnet” — basically a creepy name for a network of automated programs — to try to access WordPress-hosted sites by attacking the lowest common denominator: Sites that use “admin” as the login name, paired with a list of the most commonly used passwords.
The brunt of the attack began last week, according to Sean Valant of HostGator, an online hosting service for Web sites. After dying off for a bit, the attack picked back up again Thursday morning, and has received some attention from Web hosts and security companies around the net.
Some, like Web security services company CloudFlare, are ringing the alarm bells (while simultaneously promoting the company’s own security services). Which is fair, I guess. If you’re someone potentially at risk and unaware, CloudFlare could be helping you out by sounding the alert.
But I’d say it’s simpler than downloading extra protections or signing up for CloudFlare’s security plan: Just don’t use absurdly stupid usernames and passwords. Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default log-in information.
“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it; use a strong password; if you’re on WP.com, turn on two-factor authentication; and of course make sure you’re up-to-date on the latest version of WordPress,” Matt Mullenweg, founding developer of WordPress and Automattic, wrote on his blog. “Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”
Completely basic password security is as simple as that. So please, do us all a favor and change your log-in data if it’s something easily guessed. It’ll save you — and everyone else — a huge headache.