If you run WordPress in a self-hosted environment, I suggest installing the WPS Hide Login plugin. The default administrative login URL for every WordPress install is [domain]/wp-login, so bad actors know right away what URL to go to if they know you run WordPress and want to do some funny business.
Additionally, the default username for the first WordPress user—the one that installs WordPress on the server in the first place—is always “admin.” So WordPress gives away two of three rather important things bad actors might use to hack into your admin area. WordPress mind-bogglingly doesn’t allow you to change a username after it’s registered, but there are a few plugins of varying reliability that allow you to do that. There are workarounds, though.
I don’t know the first thing about hacking but I find deface pages fascinating, so for absolutely no reason other than simply wanting to do it, I created my own. “~~JudicialDignity~~” is a meaningless, randomly generated username. View it here, and because I’m weird, I made sure it was decently responsive and passed accessibility checks. The JD image is a complicated SVG, which is why the file is over 1 MB. I could’ve used a much less expensive PNG for an image, but—remember, I’m weird—I wanted to contain the deface to one file, with no dependencies.
2 Comments
Cool defacement page. I’ve seen plenty of other hacks that do nothing more than beg sites to secure their services so that real bad guys can’t seize the server and use it for crimes.
It’s hard to find fault with someone who does that. It’s a matter of conviction, of course, but a prayerful hacker (if there are any?) would do some interesting work.