

Protect WordPress from Attacks on the Default Admin User

Nicole Hernandez on April 14th, 2013

One of the easiest ways to hack a WordPress installation is through an account that still uses the ‘admin’ username. It takes half of the challenge out of it, leaving only the password to figure out. Most people, unfortunately, use passwords that are just too easy to guess. You want to AT LEAST use numbers and letters, and please think a little beyond abc123-style passwords. Just like a car with the keys in it is a bigger target than one with a security system, it never hurts to make your website less desirable to hackers.

So how do you change the admin name and password on your WordPress site? It’s actually pretty easy, and hopefully this series of screenshots will walk you through the process. Doing a backup first (or at least an export) is a good idea; those options are probably in your Tools tab.

Start by logging in to your WordPress installation.

[Screenshot: step 1]

If you don’t have a backup email address, do a little Google search for temporary / disposable email accounts; you’ll find a lot of options to use. Take your time coming up with a good password, and don’t forget to write it down or email it to yourself (clicking that little button to email it to the user is only useful if you’re going to log into that email account and forward it to the account you actually use).

[Screenshot: step 2]

Now you have to log out (top right corner) and log back in with the new user credentials you just created. Head back to the Users page. Next you’re going to delete your old admin. Don’t freak out, your posts won’t go away.

[Screenshot: step 3]

As part of the deletion process, WordPress will ask which user should be attributed as the author of those posts, since you’re deleting the old author. This is where your posts get the new username assigned to them.

[Screenshot: step 4]

Now the new user should be the only one in the list. Hover over your new name and click edit.

[Screenshot: step 5]

It’s time to change your email back to the one you actually prefer.

[Screenshot: step 6]

WAIT! Don’t try to leave yet. I want you to look at that last screenshot and see what’s wrong with this picture.

Here, let’s zoom in and see if that helps.

[Screenshot: step 7]

If we leave it as it is, we’re protected against the generalized brute-force attacks that look for the ‘admin’ username, but if someone is going after your site in particular, you are handing them your username anyway by making it the public name you sign all your posts with. Let’s change that while we’re here, shall we?

The fix is pretty simple. Just type something else in the nickname slot. WordPress will add that name to the display name dropdown, and you can choose it there. You still log in with your new username, but now a different name shows on your posts.

[Screenshot: step 8]
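If you look after more than one site, it helps to check for the two problems this post fixes (an ‘admin’ login still present, and a display name that leaks the login) without clicking through every dashboard. The script below is an added example, not part of the original post. It assumes you have exported the user list in the shape that `wp user list --format=json` produces (fields `ID`, `user_login`, `display_name`, `user_email`, `roles`); the sample records embedded here are constructed. The password check applies the post’s own minimum (letters plus digits, nothing like abc123) and adds an eight-character length floor, which is my assumption rather than something the post states.

```python
"""Audit a WordPress user list for the weaknesses described in the post.

Added example; it is not code from the original post. Input is assumed to be
the JSON that `wp user list --format=json` emits. Sample data is constructed.
"""
import json
import re

# Constructed sample shaped like `wp user list --format=json` output (assumption).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "display_name": "admin",
     "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 2, "user_login": "nh_site_owner", "display_name": "nh_site_owner",
     "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 3, "user_login": "guestwriter", "display_name": "Guest Writer",
     "user_email": "guest@example.com", "roles": "author"},
])


def audit_users(users_json):
    """Return (user_login, finding) tuples for every record that needs attention.

    Two checks, matching the post: the default 'admin' login still exists, and
    the public display name is identical to the login used to sign in.
    """
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        display = user.get("display_name", "")
        if login.lower() == "admin":
            findings.append((login, "default 'admin' login still exists; create a new "
                                    "administrator, reassign posts to it, then delete this one"))
        if display.strip().lower() == login.lower():
            findings.append((login, "display name equals the login, so every post reveals "
                                    "the username; set a different nickname/display name"))
    return findings


def _has_ascending_run(text, length=3):
    """True if `text` contains `length` consecutive characters that step up by one
    (the 'abc' and '123' in abc123)."""
    codes = [ord(c) for c in text]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        if all(window[j + 1] == window[j] + 1 for j in range(length - 1)):
            return True
    return False


def password_meets_minimum(password):
    """Apply the post's floor: letters AND digits, and no abc123-style sequence.

    The 8-character minimum is an assumption added here, not from the post.
    """
    if len(password) < 8:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    return has_letter and has_digit and not _has_ascending_run(password)


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS_JSON):
        print(f"{login}: {finding}")
    for candidate in ("abc123", "password", "correct-horse-7"):
        print(f"{candidate!r} meets minimum: {password_meets_minimum(candidate)}")
```

Run it against a real export by replacing `SAMPLE_USERS_JSON` with the contents of the exported file; an empty list from `audit_users` means both fixes from this post are in place for every account.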

So you’ve spent a few short minutes on a very easy few steps, and the payoff is that your website is now more secure than the majority of WordPress installations out there. Congrats on successful digital prepping :D

Share this with your friends who may be blogging at risk. It really, really, really sucks to get hacked, and most people don’t even know they aren’t secure. So be a good friend and help out anyone you know with fixing their blog security. While it sucks to get hacked, it’s probably even more annoying to find out someone you knew could’ve helped you prevent it.

If you think this article is clear enough for your friends to follow, click the ‘Share This’ link right below here. If not, walk them through it yourselves and help them anyway.
