Take action before your site is defaced through a hijacked WordPress administrator login.

What happens if a weakness in the login process lets an attacker seize administrator privileges?

The most noticeable sign is that the number of WordPress users grows without your permission: an attacker who has obtained administrator privileges creates accounts of their own so they keep access even if you change your password. With such an account they can modify the site from inside the WordPress administration panel and plant code that distributes malware, sends spam e-mail, or redirects visitors to dangerous websites. Check the user list regularly (Users > All Users, filtered by the Administrator role) for accounts you did not create.
This is a very dangerous situation: the site becomes a springboard for spamming and for attacks on its own visitors (for example injected scripts), and once search engines detect the compromise the site may be blacklisted.

Reference: What to do when WordPress displays "This site may have been hacked by a third party"

How do hackers hijack administrative privileges?

There are several ways to hijack administrator privileges, but the most common is a brute-force attack on the login screen: an automated tool works through a dictionary of common user names and passwords, trying thousands to millions of combinations until one logs in. Such attacks are cheap to run and are aimed indiscriminately at every WordPress site, so it is important to block them in advance rather than after the fact.


Attackers can also create users by exploiting vulnerabilities in WordPress itself or in its plug-ins, so we recommend scanning your site for known vulnerabilities and updating WordPress core and all plug-ins as soon as any are found.

Reference: WordPress Vulnerability Assessment Security Scanner

What you should check about WordPress login security

1 Is the password at least 8 characters long, and is it a random mix of letters and numbers rather than a word?
Recent versions of WordPress (4.3 and later) generate a strong random password when you create a user or reset a password, but older versions required you to type one in, so accounts created back then may still have a simple password such as a dictionary word, the user name, or the site name. Such passwords fall to a dictionary attack within minutes. Treat 8 characters as the minimum, not the target: a longer random string or passphrase is safer.
Go to the WordPress admin page > Users > All Users > Edit User to set a stronger password. Do this for every account with the Administrator role, not only your own.

2 Are you using WordPress version 4 or later?
The WordPress 3.x series has known weaknesses in the login screen, but many vulnerabilities have also been found in WordPress core itself, so hardening the login screen alone will not protect the administrative functions of an old installation. Update WordPress to the latest version and keep it updated; the same applies to themes and plug-ins.

3 Do you have a login lockdown (software firewall) plug-in installed?
To stop brute-force attacks on the login screen, install a plug-in that counts failed login attempts per client address and temporarily blocks access to the login screen once a threshold is exceeded (login lockdown). Check that it also covers xmlrpc.php, which accepts a user name and password as well and is a common target when wp-login.php is protected. Plug-ins that provide this functionality include the following

4 Do you have a login CAPTCHA?
A plug-in that adds a CAPTCHA to the login screen (a challenge that only a human can solve easily) is an effective way to stop tools from repeating login attempts mechanically. It raises the cost of an attack considerably, but it does not replace a strong password or a lockdown, since the challenge can be passed to a human on the attacker's side.

5 Have you changed your login URL?
Changing the login URL is another effective way to increase login security: most automated attacks blindly target the default /wp-login.php, so they never reach a renamed login page. A plug-in is available that lets you change the URL from the WordPress default. Note that this is obscurity rather than a real barrier: anyone who learns the new URL can attack it just as before, and the plug-in must also block the default paths (wp-login.php and xmlrpc.php) for the change to mean anything, so combine it with the measures above rather than relying on it alone.
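As an added example (not code from this article or from any of the plug-ins it refers to), the following Python script shows what the brute-force attack described under "How do hackers hijack administrative privileges?" looks like in a web-server access log, and the login-lockdown logic of checklist item 3 applied to it, covering xmlrpc.php as well as wp-login.php. It assumes Apache/Nginx combined log format, a hypothetical policy of five failures per ten-minute window, and that a failed wp-login.php POST is answered with HTTP 200 (the form is re-rendered) while a successful one redirects with 302; the log lines are constructed, not real traffic.

```python
# Added example, not code from the original article or from any WordPress plug-in.
# It implements the "login lockdown" idea from the checklist over access logs:
# count failed login POSTs per client IP in a sliding window and lock the IP
# once a threshold is reached. Assumptions (not from the page): combined log
# format, a 5-failure / 10-minute policy, and that a failed wp-login.php POST
# returns HTTP 200 while a successful one redirects with 302.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields of the Apache/Nginx "combined" format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both endpoints accept a user name and password; xmlrpc.php is often forgotten.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
THRESHOLD = 5                   # failures allowed inside one window (assumed policy)
WINDOW = timedelta(minutes=10)  # sliding window and lockout duration (assumed policy)


def parse_ts(text):
    """Parse a combined-log timestamp such as '10/Oct/2023:13:55:00 +0900'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Return the fields the detector needs, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": parse_ts(m["ts"]),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... and similar
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A POST to a login endpoint answered with 200 is treated as a failed attempt.

    wp-login.php re-renders the form (200) on a bad password and redirects (302)
    on success. xmlrpc.php answers 200 either way, and one system.multicall
    request can carry hundreds of guesses, so every POST to it is counted.
    """
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


class LoginLockout:
    """Sliding-window failure counter with a per-IP lockout, like a lockdown plug-in."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lock expires

    def record_failure(self, ip, ts):
        """Record one failure; return True if the IP is (now) locked out."""
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = ts + self.window
            return True
        return False

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]


def analyze(lines, threshold=THRESHOLD, window=WINDOW):
    """Replay log lines; return (IPs that hit the lockout, in order) and the lockout state."""
    lockout = LoginLockout(threshold, window)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        if lockout.record_failure(rec["ip"], rec["ts"]) and rec["ip"] not in flagged:
            flagged.append(rec["ip"])
    return flagged, lockout


# Constructed sample log (not real traffic): one dictionary attack on wp-login.php,
# one legitimate user who mistypes once, and one attack through xmlrpc.php.
UA = '"-" "Mozilla/5.0"'
SAMPLE_LOG = (
    [f'203.0.113.10 - - [10/Oct/2023:13:55:00 +0900] "GET /wp-login.php HTTP/1.1" 200 1523 {UA}']
    + [f'203.0.113.10 - - [10/Oct/2023:13:55:{s:02d} +0900] "POST /wp-login.php HTTP/1.1" 200 3210 {UA}'
       for s in range(5, 35, 5)]  # six failures within 30 seconds
    + [f'198.51.100.7 - - [10/Oct/2023:13:56:10 +0900] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3210 {UA}',
       f'198.51.100.7 - - [10/Oct/2023:13:56:25 +0900] "POST /wp-login.php HTTP/1.1" 302 0 {UA}']
    + [f'203.0.113.20 - - [10/Oct/2023:13:57:{s:02d} +0900] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"'
       for s in range(0, 50, 10)]  # five multicall requests, each able to carry many guesses
)

if __name__ == "__main__":
    flagged, lockout = analyze(SAMPLE_LOG)
    for ip in flagged:
        print(f"lock out {ip} until {lockout.locked_until[ip]:%H:%M:%S}")
```

Run it as a script to print the lock decisions, or pass real log lines to analyze(). The legitimate user's single mistake never reaches the threshold, while both attackers do; counting xmlrpc.php alongside wp-login.php is the point of the exercise, since renaming the login URL (item 5) hides only the first of the two.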

For more information about WordPress security in general, please refer to the following article:
7 WordPress Security Tips