Most WordPress users are already aware that WordPress sites are being heavily targeted by hackers. Hackers are targeting the wp-login.php page in particular, and sites that have a username of “admin”.
Don’t panic – here’s what to do
If you haven’t done so already, it’s time to install the Limit Login Attempts plugin. This is a free but powerful plugin from the WordPress repository. It limits the number of times that a user can try to log in to your site. Remember, these hackers are bots that are trying a number of combinations of passwords with the username of “admin”. Chances are they’ll need more than a few tries to get in. By using this plugin you are reducing the risk of them being successful.
Next, change your username if it is “admin” or something super simple and easily guessed. You can change your username in two ways:
In your dashboard, go to Users and add a new user with a strong username and Administrator rights. Then delete the old “admin” user.
You may find that you are unable to delete a user because it was the original username assigned when WordPress was installed. We can still change the username, though, and to do this we need to log in to cPanel.
The steps to change your username via cPanel are below. Or, if you prefer to watch, the short video below will guide you through the steps.
1) Go to your cPanel and scroll down until you find the icon that says phpMyAdmin, then click that icon.
2) You will then be taken to a screen showing your databases. You need to locate the database that is relevant for this website. If you have a lot of sites installed (or a lot of databases on that server) you may find the list long.
3) Once you have located the database you need to click the relevant database. You will then be taken to a screen that lists all of the tables on your site.
Scroll down until you find the table that is named “wp_users” and click the Edit link.
4) You will then find that you can change the “wp-login” name to another name. Simply delete “admin” and type in a name that is harder to guess. Click the Go button when you have finished.
Congratulations, you’re done!
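The same rename expressed as the SQL that the phpMyAdmin edit performs, with the checks worth making around it. This is an added example, not part of the original post: it runs against a constructed in-memory SQLite table standing in for the site's MySQL database, and it assumes the default `wp_` table prefix and the standard WordPress column names (`user_login`, `user_nicename`, `display_name`). The function names, sample rows and new login are made up for illustration.

```python
import sqlite3

def make_sample_db():
    """Constructed stand-in for wp_users (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_nicename TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", "admin"), (2, "editor-jo", "editor-jo", "Jo")],
    )
    conn.commit()
    return conn

def rename_login(conn, old, new):
    """Rename one login; return other columns that still show the old name."""
    # user_login is indexed but not UNIQUE in the WordPress schema, so the
    # database will not stop a duplicate: check for a collision first.
    if conn.execute("SELECT 1 FROM wp_users WHERE user_login = ?", (new,)).fetchone():
        raise ValueError(f"login {new!r} is already in use")
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ? WHERE user_login = ?", (new, old)
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError(f"expected one {old!r} row, matched {cur.rowcount}")
    conn.commit()
    # user_nicename (the author-URL slug) and display_name are separate
    # columns; if they still equal the old login, the name remains visible.
    row = conn.execute(
        "SELECT user_nicename, display_name FROM wp_users WHERE user_login = ?",
        (new,),
    ).fetchone()
    cols = ("user_nicename", "display_name")
    return [c for c, v in zip(cols, row) if v == old]

if __name__ == "__main__":
    db = make_sample_db()
    # Constructed new login name; the result lists columns still set to "admin".
    print(rename_login(db, "admin", "site-owner-7f3k"))
```

Any column the function reports can be changed in the same phpMyAdmin edit screen or from the user's profile page in the dashboard.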
It is recommended that you have a strong password if you don’t already have one in place. Try to use a password generator, which is often included with password management software like RoboForm, to create a password at least 14-22 characters long (comprising symbols as well as numbers and letters).
Should you find that these tips have come too late and you have been hacked then I thoroughly recommend that you call in the experts. This service has saved my bacon a number of times. Even when I’ve spent hours cleaning up a hacked website Sucuri have come and cleaned and found even more things that I didn’t find!
Sucuri also have a new service that is available only for Sucuri users. It is called Cloud Proxy and is an additional firewall level of security for your website. It’s certainly worth considering for any website that would cause you tears if it was hacked 🙂 There’s a small monthly fee for this additional protection. In my opinion, it is a worthwhile WordPress website security expense.