The passwords of administrator accounts on sites that were recently hacked and tampered with increasingly follow a recognisable pattern. Based on that pattern, this article explains which character strings should not be used as WordPress administrator passwords.
Brute force attacks are becoming more sophisticated.
A brute force attack is an automated attack in which a tool submits login attempts to WordPress one after another, sometimes hundreds of thousands of them, using commonly used passwords until it finds the password of an account with administrator privileges.
Brute force attacks used to rely on a dictionary of commonly used passwords tried in turn, but attackers' tools now appear to add more elaborate candidate-generation rules on top of that dictionary.
Recently we have repeatedly observed the same pattern in the administrator passwords of sites that request malware removal from WP Doctor. The following is a representative example.
Example
Administrator ID: mywp-admin
Password: mywp-admin1234
This password contains the administrator's own ID. It looks long enough, but once the ID is removed what remains is the very weak four-character string 1234.
A WordPress administrator's ID is easy to obtain, because WordPress does not hide usernames: author archive URLs, the REST API users endpoint and the login form's error messages can all reveal them. So if the attacker's tool generates candidates of the form shown below, a password like this one is cracked in a very short time.
Algorithm example
WordPress administrator ID + commonly used password (for the example above: mywp-admin + 1234)
The tool then runs the brute force attack with each of these combinations in turn.
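The following is an added example, not WP Doctor's tool or code from the original article, that shows the attacker's side of this rule: it enumerates "username + commonly used password" candidates for an already known administrator ID and counts how many login attempts a simulated login form needs before the example password is hit. The dictionary, the separator list, the phase order and the credentials are all constructed for the demonstration; real tools use far larger dictionaries and more rules.

```python
"""Username-aware candidate generation, as described in the article.

Added example (not WP Doctor's tool). The dictionary below is a constructed
stand-in for a "commonly used passwords" list; real lists run to millions of
entries, and what matters is the order, most common first.
"""
import itertools

COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "admin",
]

# Separators a cracker might try between the username and the common word.
SEPARATORS = ["", "-", "_", ".", "@"]


def candidates(username, common=COMMON_PASSWORDS):
    """Yield guesses in the order a username-aware cracker might try them.

    Phase 1: the plain dictionary words.
    Phase 2: username + separator + word  (mywp-admin1234, mywp-admin_123456, ...).
    Phase 3: word + separator + username.
    Phase 4: simple case variants of everything above.
    Duplicates are suppressed so that each guess costs exactly one login attempt.
    """
    seen = set()

    def emit(pw):
        if pw not in seen:
            seen.add(pw)
            yield pw

    for word in common:
        yield from emit(word)
    for word, sep in itertools.product(common, SEPARATORS):
        yield from emit(f"{username}{sep}{word}")
    for word, sep in itertools.product(common, SEPARATORS):
        yield from emit(f"{word}{sep}{username}")
    for pw in list(seen):
        yield from emit(pw.capitalize())
        yield from emit(pw.upper())


class FakeLoginForm:
    """Stand-in for wp-login.php: answers accept/reject and counts attempts."""

    def __init__(self, username, password):
        self._creds = (username, password)
        self.attempts = 0

    def login(self, username, password):
        self.attempts += 1
        return (username, password) == self._creds


def guesses_until_crack(username, real_password, limit=100_000):
    """Number of login attempts needed to hit real_password, or None if the
    candidate list is exhausted (or `limit` is reached) without success."""
    form = FakeLoginForm(username, real_password)
    for guess in itertools.islice(candidates(username), limit):
        if form.login(username, guess):
            return form.attempts
    return None


if __name__ == "__main__":
    # Credentials constructed to match the example in the article.
    print(guesses_until_crack("mywp-admin", "mywp-admin1234"))  # 41
    print(guesses_until_crack("mywp-admin", "T7#kq9Lm!2vZ"))    # None
```

With only ten dictionary words the example password falls on the 41st attempt, well inside what a login form tolerates in a few seconds, while a random password is never reached because it is not derived from anything in the candidate list.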
Protect WordPress administrator accounts with a strong password
Password weaknesses are said to account for around 20% of WordPress compromises, and since hacking tools evolve daily it is reasonable to assume that candidate-generation rules like the one above are already in use in brute force attacks.
For this reason we recommend that every WordPress administrator account use a completely random password that does not include the user ID or e-mail address (or fragments of them), is at least 12 characters long, and contains at least one uppercase letter, one lowercase letter, one digit and one symbol.
Exhausting the keyspace of such a password (roughly 95^12, about 5 x 10^23 combinations when drawn from the printable ASCII characters) is estimated to take around 21 million years, so a brute force attack will not succeed within any practical time. This estimate only holds if the password is genuinely random: a password assembled from the username, the site name or a dictionary word with a short suffix gains nothing from its length.
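As an added example on the defender's side, not code from the original article or from the WP Doctor plug-in, the block below implements the recommendation as a checkable policy: it rejects passwords that contain the login name, the e-mail local part, the first label of the e-mail domain, or any alphanumeric fragment of those (so 'mywp' and 'admin' for 'mywp-admin'), enforces the length and character-class rule, estimates the keyspace, and generates a compliant random password with Python's `secrets` module. The token rule, the 3-character fragment threshold, the 94-character alphabet and the function names are this example's own choices.

```python
"""Administrator password policy for the recommendation above.

Added example, not the WP Doctor plug-in's code. The identity-token rule and
the thresholds below are assumptions of this example.
"""
import math
import re
import secrets
import string

MIN_LENGTH = 12
# Printable ASCII without the space: 26 + 26 + 10 + 32 = 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _identity_tokens(username, email):
    """Strings an attacker can obtain or guess for this account: the login
    name, the e-mail local part, the first label of the e-mail domain, and
    the alphanumeric fragments of each (so 'mywp' and 'admin' for 'mywp-admin')."""
    tokens = set()
    local, _, domain = email.partition("@")
    for base in (username, local, domain.split(".")[0]):
        base = base.lower()
        if len(base) >= 3:
            tokens.add(base)
        for frag in re.split(r"[^a-z0-9]+", base):
            if len(frag) >= 3:
                tokens.add(frag)
    return sorted(tokens)


def password_problems(password, username, email=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    # Also compare with separators stripped, so 'mywp-admin' catches 'mywpadmin1234'.
    lowered = password.lower()
    stripped = re.sub(r"[^a-z0-9]", "", lowered)
    for token in _identity_tokens(username, email):
        if token in lowered or re.sub(r"[^a-z0-9]", "", token) in stripped:
            problems.append(f"contains identity token {token!r}")
    return problems


def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a password drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Time to try every password of this length at the given guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_admin_password(username, email="", length=16):
    """Draw a random password with `secrets` and re-draw until it passes the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(pw, username, email):
            return pw


if __name__ == "__main__":
    print(password_problems("mywp-admin1234", "mywp-admin", "mywp-admin@example.com"))
    print(round(keyspace_bits(4)), "bits for a 4-character remainder like 1234;",
          round(keyspace_bits(12)), "bits for 12 random characters")
    print(f"{years_to_exhaust(12, 1e9):.2e} years to exhaust 12 characters at 10^9 guesses/s")
    print(generate_admin_password("mywp-admin", "mywp-admin@example.com"))
```

Run against the article's example, `password_problems` reports the missing uppercase letter and three identity tokens ('admin', 'mywp', 'mywp-admin'); a randomly generated 16-character password passes. The same check can be wired into WordPress by adding an error from the `user_profile_update_errors` action whenever a new password fails it, so that the policy is enforced at the moment the password is set rather than left to the administrator's judgement.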
If your site has been infected by malware, use the free WordPress Malware Scan & Security plug-in [Malware and Virus Detection and Removal].