According to a news item on the BBC website and as mentioned elsewhere, there’s apparently a series of botnet attacks on WordPress websites.

The botnets are attempting to use the username admin – a default username in WordPress – and a series of password guesses to access sites.

What WordPress websites are at risk of botnet attacks?

  • Those which have a username of admin with administrator settings AND which have a weak password.

Quick and Dirty Fix to WordPress website botnet attacks

  • The quick and dirty fix is to change the password of the admin user from a weak password to a strong password – using a mix of letters, numbers and other characters should achieve this.

Full Solution to WordPress website botnet attacks

  • This involves creating a new user to use as site administrator and then carefully deleting the admin user.
  • I’d suggest exporting your content before doing this – just to be on the safe side – using Dashboard/Tools/Export.
  • Create a new user with a strong password – it will tell you the strength as you type the password – and set the role as Administrator.
  • Make sure you either know the password for this user or make a note of it.
  • If already logged in as admin, log out and log in with this new user.
  • CAUTION: Delete the admin user, but when prompted select ‘Attribute all posts to’ and choose the new user first, otherwise you’ll lose your posts.
  • The users list will then show the updated list of users, including the new user you created and no admin user.
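
The same full solution can be scripted with WP-CLI instead of the Dashboard. This is an added example, not part of the original post; it assumes WP-CLI is installed as wp and run from the WordPress root, and the function name replace_admin_user, the NEW_ADMIN_PASS variable, the 12-character minimum and the sample login and e-mail are illustrative choices.

```shell
# WP-CLI version of the steps above (added example, not from the original post).
# Assumptions: `wp` is WP-CLI, run from the WordPress root; replace_admin_user,
# NEW_ADMIN_PASS and the 12-character minimum are illustrative choices.
replace_admin_user() {
    local new_login new_email backup_dir pass old_id new_id
    new_login="$1"; new_email="$2"; backup_dir="${3:-.}"
    pass="${NEW_ADMIN_PASS:-}"

    # Take the password from the environment so it is not saved in shell
    # history, and refuse short ones before touching the site.
    if [ "${#pass}" -lt 12 ]; then
        echo "NEW_ADMIN_PASS must be set and at least 12 characters" >&2
        return 2
    fi

    # Nothing to do if the site has no 'admin' login.
    old_id=$(wp user get admin --field=ID 2>/dev/null) || {
        echo "no 'admin' user found"; return 0; }

    # Export the content first, as a safety net (Dashboard/Tools/Export).
    wp export --dir="$backup_dir" >/dev/null || return 1

    # Create the replacement administrator; --porcelain prints only the new ID.
    new_id=$(wp user create "$new_login" "$new_email" --role=administrator \
        --user_pass="$pass" --porcelain) || return 1

    # Delete 'admin' and attribute all of its posts to the new user.
    wp user delete "$old_id" --reassign="$new_id" --yes >/dev/null || return 1

    # List the remaining administrators; 'admin' should no longer appear.
    wp user list --role=administrator --field=user_login
}

# Usage (constructed sample values):
#   read -rs NEW_ADMIN_PASS && export NEW_ADMIN_PASS
#   replace_admin_user siteowner owner@example.com ./backup
```

Because the script never logs in through the Dashboard, the "log out and log in with this new user" step does not apply; sign in with the new account afterwards to confirm it works.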