Securing Your WordPress Installation


This is a guest post by the Wendy’s Eating Husband while Dr. Archer is busy burying her nose in naturopathic board exam review books.  Though it may not apply to your physical health, it does apply to the health of your WordPress website!

One thing naturopathic doctors love to talk about is “prevention”.  Trust me, I hear about it all the time.

“You keep eating those french fries, and your heart is going to develop atherosclerosis!”

“Stop hunching at your computer, or you’ll permanently look like the Hunchback of Notre Dame!”

I may not know much about physical health (admittedly, I probably know more than I ever wanted to), but I do know a lot about websites, especially ones built with WordPress.  Just like you need to prevent things from going wrong with your body, you need to prevent things from going wrong with your website.  And with more and more small businesses opting for websites created with WordPress, we could have an epidemic on our hands if we’re not careful.

WordPress sites usually install with a default username of “admin”.  This username is how you access the back end of your site.  It doesn’t help that hosting companies offer “one-click” WordPress installations, sometimes without even offering the chance to choose a different username.  As a WordPress DIY dud, changing your default username is easy to overlook.

Unfortunately, the dark corners of the internet have caught on, and have begun to really exploit this.  In the middle of April this year, it was discovered that a huge botnet (estimated at over 90,000 computers) began something called “brute force attacks” against millions of WordPress sites.  This occurs when a computer hits your login form over and over and over again, trying different passwords each time, in an attempt to break into the site.  Guess what username they are using?

That’s right: admin!


Tips on preventing brute force attacks on your WordPress site:

1. Create a new user account

Before doing anything with your new site, create a new account with a username that is hard to guess, and most importantly, not in any way relatable to “admin” (no adm, administrator, etc). When creating a password for this new account, choose one that is easy to remember, yet hard for others to guess.  Avoid using actual words found in a dictionary.  Exchange letters for numbers/symbols (3 for e, 1 for i, @ for a).  For more tips check out Google’s example.

My favorite password method is to base it off the first letters of an unforgettable song lyric, phrase, or movie quote.  For example, you could use something like:


If you couldn’t guess, that is the first line from the chorus of Aerosmith’s Billboard-topping “I Don’t Wanna Miss A Thing”. Now think of your own song and have fun with it!

2. Delete the admin user account

Creating a new account for yourself won’t do a thing without remembering to remove the weakness in your WordPress fortress: the admin user account.  Delete it permanently.

3. Install a strong login plugin

For good measure, install a plugin like Login Security Solution, which can detect and block brute force attacks on your site.  The best part is getting a notification email warning you of an ongoing attack, and seeing that the username they are attempting to use is “admin”. Sometimes I’ll just laugh maniacally over this for several minutes.  “Those silly bots… mwaahaha!”
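What a login-security plugin is doing under the hood, as an added example that is not from this post or from the plugin it mentions: a small Python script that reads web server access log lines (constructed sample lines here, using documentation IP ranges) and flags any client that repeatedly fails to log in through wp-login.php within a short window. It assumes the Apache common log format and the usual WordPress behaviour of answering a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common-log style. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, so no real host is named.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
203.0.113.5 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
203.0.113.5 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
203.0.113.5 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
203.0.113.5 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
198.51.100.7 - - [15/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2910
198.51.100.7 - - [15/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3812
198.51.100.7 - - [15/Apr/2013:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_login_times(log_text):
    """Map each client IP to the timestamps of its probable failed logins: a bad
    password makes WordPress re-render wp-login.php with HTTP 200, while a good
    one answers with a 302 redirect, so POST + 200 is counted as a failure."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected log format
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            failures[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return failures


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return the IPs that produced >= threshold failures inside any window_seconds span."""
    flagged = []
    for ip, times in failed_login_times(log_text).items():
        times.sort()
        # slide a window of `threshold` consecutive failures and check its time span
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for ip in brute_force_sources(SAMPLE_LOG):
        print(f"possible brute force against wp-login.php from {ip}")
```

The legitimate visitor who mistypes once and then logs in is left alone; only the client hammering the form several times a second is reported.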

Thanks for reading!