Right now, someone is trying to break into your nonprofit’s website using the WordPress login page to guess your username and password.
The most common username an attacker will try is “admin” or “administrator”. Using automated bots, they’ll try variations that may include hyphens or underscores.
For example, if you have a user named “Anne,” they might try this:
- admin-anne
- anne-administrator
- anne_administrator
- admin_anne
- anne-admin
- anne_admin
- adminanne
- anneadmin
Depending on your organization’s level of website traffic, username guessing attempts could be happening every five minutes to every hour. Crazy, right?
You’re probably thinking: I always use “admin” for my username on our nonprofit's site. What’s the big deal?
The problem with this approach is that most hackers use a technique called a brute force attack to break into your site: they try to log in over and over again until something works.
The WordPress login page (your front door) is one of the first places an attacker will try to get in. They’ll use automated software or “bots” that will try to guess your username many times over time until they either fail or get inside.
If they do get inside, malicious code is usually added deep inside your WordPress theme files and plugins. The attacker will have full access to your site, and you won’t know it’s there until something goes wrong.
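The guessing described above leaves a trail in the web server’s access log: a burst of POST requests to wp-login.php from one address. The script below is an added example written for this article, not code from the page or from WordPress, that scans constructed Apache-style log lines for that pattern. It assumes WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302); the IP addresses and timestamps are made up. It also shows the caveat in the article’s “every five minutes to every hour” remark: a slow attacker who spaces attempts an hour apart slips under a short detection window, so the window has to be chosen to match the pace you want to catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format), not real traffic.
# 203.0.113.7  : fast bot, six failed logins in fifteen seconds
# 198.51.100.20: legitimate user, one typo (200) then a successful login (302)
# 192.0.2.9    : slow bot, one failed login per hour
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.20 - - [12/Mar/2024:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status code of a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_attempts(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that re-rendered the form.

    Assumption: a failed WordPress login answers 200 (form shown again) and a
    successful one answers 302 (redirect into wp-admin). GET requests are page
    loads, not guesses, so they are ignored.
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0].endswith("/wp-login.php")
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def find_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: peak_failures} for IPs with >= threshold failed logins inside any `window`."""
    per_ip = defaultdict(list)
    for ip, ts in failed_login_attempts(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the span [start, end] fits in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("5-minute window:", find_bruteforce(SAMPLE_LOG))
    print("6-hour window:  ", find_bruteforce(SAMPLE_LOG, window=timedelta(hours=6)))
```

With the default five-minute window only the fast bot is reported; the slow bot at 192.0.2.9 makes the same six guesses but is invisible until the window is widened to cover hours. In practice you would feed the real access log to `find_bruteforce` and use the result to decide which addresses to block or rate-limit at the web server or with a login-protection plugin.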
A hacker can do all kinds of damage to your site:
“It’s like the shores of this war are spilling onto us. The next two or three years will really be about circling the wagons. I feel like we’re the poor townspeople who can’t protect ourselves. We need a gunfighter and I don’t know where to find that person.”
– Jim Daniell of Oxfam, on cybercrime against nonprofits
It’s really simple: never use “admin” or “administrator” for your username.
Otherwise, you’ve left the front door open to get hacked.
It’s important for your marketing team to adopt a security practice of always creating usernames that are unique to your organization; that alone adds a layer of protection.
Tips: