Securing Your WordPress Installation
ditch the default "admin" user account
This is a guest post by the Wendy’s Eating Husband while Dr. Archer is busy burying her nose in naturopathic board exam review books. Though it may not apply to your physical health, it does apply to the health of your WordPress website!
One thing naturopathic doctors love to talk about is “prevention”. Trust me, I hear about it all the time.
“You keep eating those french fries, and your heart is going to develop atherosclerosis!”
“Stop hunching at your computer, or you’ll permanently look like the Hunchback of Notre Dame!”
I may not know much about physical health (admittedly, I probably know more than I ever wanted to), but I do know a lot about websites, especially ones built with WordPress. Just like you need to prevent things from going wrong with your body, you need to prevent things from going wrong with your website. And with more and more small businesses opting for websites created with WordPress, we could have an epidemic on our hands if we’re not careful.
WordPress sites usually install with a default username of “admin”. This username is how you access the back end of your site. It doesn’t help that hosting companies offer “one-click” WordPress installations, sometimes without even offering the chance to choose a different username. If you’re a WordPress DIY dud, changing your default username is easy to overlook.
Unfortunately, the dark corners of the internet have caught on and have begun to really exploit this. In the middle of April this year, it was discovered that a huge botnet (estimated at over 90,000 computers) began something called “brute-force attacks” against millions of WordPress sites. This occurs when a computer hits your login form over and over and over again, trying different passwords each time, in an attempt to break into the site. Guess what username they are using?
That’s right: admin!
1. Create a new user account
Before doing anything with your new site, create a new account with a username that is hard to guess and, most importantly, not in any way relatable to “admin” (no adm, administrator, etc.). When creating a password for this new account, choose one that is easy to remember, yet hard for others to guess. Avoid using actual words found in a dictionary. Exchange letters for numbers/symbols (3 for e, 1 for i, @ for a). For more tips, check out Google’s example.
My favorite password method is to base it off the first letters of an unforgettable song lyric, phrase, or movie quote. For example, you could use something like:
1dwcM**1dwf@
If you couldn’t guess, that is the first line from the chorus of Aerosmith’s Billboard-topping “I Don’t Wanna Miss A Thing”. Now think of your own song and have fun with it!
2. Delete the admin user account
Creating a new account for yourself won’t do a thing without remembering to remove the weakness in your WordPress fortress: the admin user account. Delete it permanently.
3. Install a strong login plugin
For good measure, install a plugin like Login Security Solution, which can detect and block brute-force attacks on your site. The best part is getting a notification email warning you of an ongoing attack, and seeing that the username they are attempting to use is “admin”. Sometimes I’ll just laugh maniacally over this for several minutes. “Those silly bots… mwaahaha!”
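As an added example (not code from the original post or from the Login Security Solution plugin), here is the kind of check such a plugin automates, written in Python over a few constructed Apache-style access-log lines: it flags any source IP that POSTs to wp-login.php a handful of times within a one-minute window, which is exactly what the password-guessing bots described above look like from the server side. The IP addresses, timestamps and thresholds are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?")[0]  # drop query string, e.g. ?redirect_to=...
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"]))

def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Map IP -> total login POSTs for every IP that sent at least `threshold` POSTs to
    wp-login.php inside some `window_seconds` span. A failed WordPress login re-renders the
    form with HTTP 200 rather than an error status, so every POST is counted, not only failures."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: one bot hammering the login form, one legitimate user logging in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Apr/2013:02:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"'
    for s in (1, 4, 8, 13, 19, 26)
] + [
    '198.51.100.9 - - [15/Apr/2013:02:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Apr/2013:02:14:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Apr/2013:02:14:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Feeding a real access log through `find_bruteforce_sources` gives you the list of addresses worth blocking at the firewall or in the plugin, without needing to see which username they tried.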