#2 is awful and is damaging for the Internet as a whole and a big oversight on the Automattic's part.
“admin” as a default username + lack of out-of-the-box rate limiting of incorrect login attempts + default login page address means that any Wordpress blog is bruteforcable. WP blogs are overtaken by malicious entities all the time, every day; they are used for SEO purposes and to spread malware. I would be hardpressed to estimate the actual spread of the problem, but a significant share of all malware online is spread precisely by the overtaken Wordpress blogs.
This list of common oversights could apply equally to any CMS installation. Although I really dislike working in WP, I've also seen these same mistakes in other setups that clients have come to us with over the years.
A few of these issues could be completely avoided by using a hosted Wordpress service like Pressable or WPEngine. Both of these services offer hosting cheap enough where I don't even think about launching a Wordpress site anywhere else and it will probably be a long time, if ever, I worry about how my site is running.
9 comments
[ 5.2 ms ] story [ 38.3 ms ] thread“admin” as a default username + lack of out-of-the-box rate limiting of incorrect login attempts + default login page address means that any Wordpress blog is bruteforcable. WP blogs are overtaken by malicious entities all the time, every day; they are used for SEO purposes and to spread malware. I would be hardpressed to estimate the actual spread of the problem, but a significant share of all malware online is spread precisely by the overtaken Wordpress blogs.
#2 - Default admin. I was given a secure admin password
#4 - Backups
#9 - Caching, and really that's an understatement.
#11 - Ignoring updates
#16 - Not using CDN
Thanks for the tip.