Attention, WordPress users: If you have a WordPress username set to “admin,” change it immediately.
Thousands of WordPress sites with an administrator username of “admin” or “Admin” were compromised through a large-scale brute-force attack.
Sites with a login of “admin,” “Admin” or “Administrator” had a backdoor installed that gives attackers ongoing access to the WordPress site.
Changing the password alone will not solve the problem: the backdoor remains, and it lets the attackers use the compromised site to scan for other WordPress installations and launch the same type of attack against them.
WordPress advises against using “admin,” “Admin,” “test,” “administrator” and “root” as usernames.
“Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom user name, which largely ended people using ‘admin’ as their default username,” said Mullenweg in a blog post. “If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress.”
The WordPress “admin” attacks have recently tripled in volume. “We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days,” said Sucuri CTO Daniel Cid in a blog post. “That means that the number of brute force attempts more than tripled.”
REMEMBER: Hackers can access your site through:
1. Weak or guessable login credentials (username and password)
2. Vulnerable plugins, which can serve as a hacker's access point
Suggested resources for WordPress vulnerabilities, which can shed some light on what happened and on how to fix and harden WordPress: