If you’re a small business owner with a WordPress website, this beginner tutorial is for you. It starts with a party scenario, a dash of humor and a hacker. Then it eases into some serious topics such as Malware and ends with 3 simple steps you can take to make your site more secure.

Let’s start with the party scenario.

Picture yourself standing there in a crowded room.

Someone walks up to you and says, “Hello. My Name is Admin.”

Of course, that sounds absurd. You’d probably burst out laughing. No one would ever really be named “Admin.” They’d be the butt of every joke.

Now picture that same party where someone named “Admin” naively walks up to a hacker. The hacker wouldn’t find the name to be absurd. Instead, they’d find it to be absolutely intriguing. “Tell me more,” the hacker would say, leaning in with his undivided attention.

WordPress Hacker at a Party
A Hacker looks for someone named Admin in a WordPress site.

In reality, “Admin” is not a real name, but it’s used ridiculously often as a username to log into a website…  especially a WordPress site.

Your WordPress Dashboard

  • If you’re a business owner with a WordPress website, are you familiar with the usernames you have listed in your “Dashboard”?
  • Have you been to your website in the past 3 months?
  • Have you ever logged into your WordPress Dashboard… or do you leave that job to someone else?
  • Is “Admin” your WordPress username?

Not sure? Then prepare for a Brute Force Attack.

That hacker you met at the party seemed like a nice guy. He probably didn’t say, “Hello. My Name is Hacker” to clue you into his malicious intentions.

How could you possibly have known that he went straight to his computer after the party, found your website and hacked into it while you were sleeping? Sadly, you woke up the next day and still knew nothing about it.

This all happened because your WordPress username is “Admin.”

What is a Brute Force Attack?

  • A ‘brute force’ login attack is a type of website attack used to gain access by guessing the username and password over and over again.
  • A website may be systematically bombarded with username and password combinations until a successful login occurs. 
  • The hacker often runs a script that uses automatically generated passwords at a rate of thousands of times per minute.

WordPress websites are often targets of Brute Force Attacks merely because WordPress is a popular CMS (content management system). Being popular, makes it an enticing target for hackers.

WordPress is a CMS.

To learn more about WordPress as a CMS, read WordPress 101 for Small Business Owners.

What is the purpose of a Brute Force Attack?

Brute force attacks are typically carried out to gain access to websites for the purposes of data theft, vandalism, or the distribution of malware.

What is Malware?

  • Malware is an abbreviated term meaning “malicious software.”
  • This software is designed to gain access to or damage a computer without the owner’s knowledge.
  • These days, malware is often created for profit. The hacker may change the content of the site (to add spam), or create additional pages, usually with the intent of phishing.
  • Malware can be used to open pop-up ads, redirect the visitor to pages with viruses or steal personal information.
  • Some hackers may even take administrative control over a hacked site.

Your visitors can suffer consequences from a malware attack on your site, and your business reputation may also suffer. But you can take some simple steps right now to protect your website, your visitors and your company.

1) First things first. Don’t call yourself “Admin.”

  • You should log into your WordPress Dashboard right now to check the usernames.
  • If you discover that you already have Admin as a username, here are the steps you can take to change it: 2 Simple Ways to Change WordPress Usernames.

2) Don’t Use Easy-To-Guess Passwords.

Do you use “123456” or “password” as the password to your business website? How about “baseball,” “monkey” or “sunshine”? You are not alone. Hello Hackers. My password is “monkey.” Come on in.

Ready to change your password?

WordPress Username and Password
  • Since you’ve already logged into your WordPress Dashboard, you can click on the “Users” link. (Then click on your username, scroll down the page, and enter a new password.) It will take you less than a minute.
  • Try using a combination of lowercase and uppercase letters along with numbers and symbols.

While you’re in your Dashboard, you should probably take a look at your Plugins. (Look for the Plugins link… near the Users link.)

Do you have any security Plugins installed in your site? No. Then that is your third task.

3) Add a Security Plugin to your WordPress site.

Your security plugin will monitor your website for you and notify you if your website is the target of a Brute Force Attack.

Try Securi , All In One WordPress Security Plugin, or Wordfence. Plugins such as these will help protect your WordPress site from viruses, malware and hacking attempts. They also have login security options available such as locking users out due to numerous failed logins.

Has your site already been hacked?

  • Google has launched a service that blacklists hacked websites and warns users before they visit these suspicious sites.
  • If your site has been blacklisted, Google will display the message “This site may harm your computer” in its search results. Chances are that your site contains malware.

Visit Google’s Help for Hacked Sites to learn more about Google’s process for marking sites as malicious.

Don't let hackers into your WordPress site.

But hopefully, you’re reading this tutorial first… before you walk into that party and shake the hacker’s hand.

If so, you’re in luck. It’s so much easier to do these simple steps, than it is to clean up your website and save your reputation.

If your real name is Admin, you can laugh it off and blame your parents. But if your WordPress username is Admin, it’s no laughing matter.

Hello Hackers - Pinterest Guide