WordPress websites have been the target of relentless DDoS attacks since last week (you can read the full article on the BBC website).
The attacks are focussing on WordPress websites that use the username ‘admin’ to get into the administration dashboard. This is the default username at installation. It’s important to make sure you don’t have a user account with the username ‘admin’.
To check this, just follow these steps:
- Log in to your website and click on “Users” in the left-hand side navigation.
- You will then be presented with a list of all user accounts on your site. Check the list for the username ‘admin’.
Hopefully, it won’t be there… but if it is, then you need to delete it. To complete this part:
- Check to see whether your other users have administrator rights. If they do, then you can simply delete the admin user. This can only be done from a different user account with admin rights.
- If you only have one user, and that is ‘admin’, then before you delete it you must create a new user and give it admin rights.
- Once you have done that, log in as the new user and delete the admin user.
When you delete an account, all the pages and posts that have been created using that login will need to be attributed to another user. Pick the one that makes most sense to you!
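The same check can be scripted on sites where the WP-CLI command-line tool is installed, which is an assumption because the steps above use the dashboard. This is an added example, not part of the original article. The helper name `plan_admin_removal` is hypothetical, and the sample user list is constructed.

```shell
#!/usr/bin/env bash
# Plan the removal of a WordPress account named 'admin'.
# Input on stdin: CSV as produced by
#   wp user list --fields=ID,user_login,roles --format=csv
# Output: the WP-CLI command to review and run next, or a note that
# nothing needs doing. Assumes user logins contain no commas.

plan_admin_removal() {
  awk -F',' '
    NR == 1 { next }                      # skip the CSV header row
    {
      id = $1; login = $2
      # A user with several roles is written as a quoted, comma-separated
      # list, so rejoin everything after the second column.
      roles = $3
      for (i = 4; i <= NF; i++) roles = roles "," $i
      gsub(/"/, "", roles)

      if (login == "admin") { admin_id = id; next }
      # Remember the first other account that holds administrator rights.
      if (("," roles ",") ~ /,administrator,/ && other == "") other = id
    }
    END {
      if (admin_id == "") { print "OK: no user named admin"; exit }
      if (other == "") {
        # admin is the only administrator: a replacement must exist first.
        print "wp user create <new-login> <new-email> --role=administrator"
        print "# then run this check again to get the delete command"
        exit
      }
      # Posts and pages owned by admin are attributed to the other administrator.
      print "wp user delete admin --reassign=" other
    }'
}

# Constructed sample input. On a real site, pipe in the output of
# the wp user list command shown at the top instead.
plan_admin_removal <<'CSV'
ID,user_login,roles
1,admin,administrator
2,jane,editor
CSV
```

The function only prints the command; change the `--reassign` ID if a different user should take over the admin account's posts and pages.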
It’s also a good idea to change your display name to something totally different from your username. That way, if a post displays the name, it won’t give hackers a clue to a username.
WordPress Websites hosted by us now have an extra layer of security before getting to the /wp-admin/ dashboard login page.
Before getting to the login page, you will be presented with a Captcha page. This is to prevent unauthorised login attempts to the dashboard.