WordPress, CSS Hacking and The Admin Username

I’m posting this purely because I hope it will help someone else with a similar problem. I’d searched high and low online for a solution to a WordPress hacking problem I’d had for the past month or so, and it took a while to piece together what was going on. Hopefully this will take the frustration out of the process for others.

I was notified by a client around one month ago that their website “looked weird”. When I checked it, the CSS styling was all over the place; almost like the styling had disappeared altogether. On closer inspection of the stylesheet (this was a custom CSS file, created as part of a Thematic child theme), there was a line of javascript inserted right at the beginning. Nothing particularly dangerous, just a link, very similar to this problem others have posted about. I deleted the javascript. Within a couple of days, it came back. I deleted it. It came back.

I should point out here that my web knowledge is very limited. When I say that I had a ‘client’, it just means that I helped them get a WordPress site online and not much more than that. Security of a website is way beyond me. And so I assumed that a hacker had installed some kind of scripting file on the host, which was continually entering the offending javascript. I asked the client to speak directly with their host, who should know more about security than me. Their response was:

…the theme is wrong and needs to be changed.

This was not helpful and no one should ever use these twits for hosting.

Fortunately, I came across a WordPress plugin called Better WP Security. Without this becoming a free advertisement, the plugin has basically pointed out the problem and promptly ended it. It turns out that someone (most likely a bot) in Sao Paulo was logging into the WordPress backend under the ‘admin’ username and using the editor to add javascript to the stylesheet. Better WP Security suggests that the ‘admin’ username isn’t used and once it’s not, any attempt to login using it is flagged and finally blocked. Here’s what I learnt from the process…

1. Don’t use the default ‘admin’ WordPress username. Even if you have a strong password (as I did), eventually a bot will be able to guess it and login. Every WordPress site has ‘admin’ as the default administrator username, making it a no-brainer for hackers. If you’re using ‘admin’, it’s fairly simple to create a new user and delete the default.
2. See number 1. Really, don’t use the ‘admin’ username. There are endless WordPress websites installed now, making a vulnerability like this an easy target painted across your website (WordPress is probably a victim of its own success on this point). If you’re like me and only know enough to get yourself into trouble (and not back out again), use a security plugin. If nothing else, they will highlight weaknesses in your site. In my case, the hacking was simply annoying; it wouldn’t have taken much effort for the result to be far worse.

Update: For anyone still in two minds about whether these steps to increase security are worth the effort, note that this is now the second most visited post on this site (as of January 2013). It’s reached not by people looking to increase their own security, but by people planning to hack others; found through search engines using terms like “how to hack wordpress admin” and similar. Clearly, this is something that will only become more problematic for WordPress users.