– The Importance of Strong Usernames and Passwords

In today’s digital landscape, ensuring the security of our websites is more crucial than ever, especially when considering the potential vulnerabilities that come with poor password choices. Recent analysis of brute force login attempts on our WordPress sites revealed a staggering total of over 148,122 login attempts targeting a single real user account, with even more attempts across various accounts – during a 4-day period. None of these attempts were successful, thanks to security measures already in place. However, this incident emphasizes the urgent need to focus on improving our website security further.

Key Findings

  • Username Targeting: Common usernames were frequently targeted during these attacks. Notably, usernames like admin, wwwadmin, wadminw, john (and other first names), username, and other predictable names were under constant threat.
  • Aggressive Brute Force Attempts: Multiple IP addresses attempted to breach our sites, demonstrating a high level of malicious intent.

Despite the high volume of attempts, our proactive measures – including logging all login activity, removing users/usernames from sitemap.xml and the wp-json endpoint, and disabling xmlrpc.php – played a significant role in maintaining security.

Username Recommendations

To enhance security, consider the following recommendations regarding usernames:

  • Avoid Admin: The username admin is by far the most used in brute force attacks. By not having a user account with this username is a significant security measure.
  • Avoid Common Usernames: Steer clear of predictable usernames like admin, user, test, or any simple variations of personal names.
  • Use Unique Usernames: Encourage the use of unique usernames that are not easily guessable to reduce the risk of targeted attacks.

The Importance of Strong Passwords

Even more critical than usernames is the choice of passwords. Many users tend to select passwords that are easily compromised. Below are examples of weak passwords that people often choose, which should be avoided at all costs (these are identified during recent brute force attacks):

  • 123456
  • 123456789
  • 0192837465
  • 0192837465z
  • 000000
  • 0000
  • 111111
  • 1111
  • [USERNAME]2024 – where USERNAME is a real username revealed on the site / by WordPress. The year varies and may also represent a date.
  • !@#admin
  • admin@2024, admin@2023, admin@2022 – and so on
  • password
  • password123
  • pass
  • qwerty
  • abc123
  • letmein
  • letmein123
  • monkey
  • iloveyou
  • F*uckYou
  • admin
  • welcome
  • 123123123
  • 123123
  • wordpress
  • 12344321
  • 0192837465z
  • 1234[SITENAME] / 123[SITENAME] / 1234@[SITENAME] … – where SITENAME may be the domain name with or without TLD like .com/com
  • admin!
  • admin!@
  • root
  • admin888
  • adminadmin
  • administrator or Administrator
  • webmaster
  • administrador or Administrador
  • Adminp@ssw0rd
  • banana1
  • blah
  • blahblah
  • blogger

Best Practices for Strong Passwords

To create strong passwords, consider the following tips:

  • Length Matters: Passwords should be at least 12 characters long.
  • Mix It Up: Use a combination of uppercase and lowercase letters, numbers, and special characters.
  • Avoid Personal Information: Do not include easily accessible information such as birthdays or names.

As guardians of our websites, we must take every precaution to protect them – especially for the sites belonging to our children, who may unknowingly choose easily compromised passwords. While WordPress does share some user information, implementing additional security measures and promoting best practices for usernames and passwords can significantly bolster our defenses.

By prioritizing the security of our websites, we create a safer online environment for everyone. Let’s work together to educate our users on the importance of using unique usernames and strong passwords to enhance overall security.