WordPress Lockdown! Part 1 – Renaming the admin account

by Matt Stratton on February 9, 2010


WordPress is one of the most popular blogging platforms available today. However, its very popularity can work against it: because so many people install WordPress but never properly lock it down, it’s a prime target for attackers who go looking for the easy cases. Making your WordPress blog nice and secure takes a minimal amount of effort, and it pays off when you don’t find yourself in the unenviable position of having your entire blog wiped out by some jerk who thinks it’s hilarious to mess with other people’s websites. This post is Part 1, which focuses on the admin account in WordPress (the keys to the kingdom). Part 2 will discuss methods of protecting your wp-admin directory (the door to the kingdom, to continue the metaphor).

Note: this tip is for “self-hosted” WordPress installations. For purposes of this discussion, “self-hosted” means “not on wordpress.com”. It doesn’t mean you yourself own a server, or host your blog out of a computer connected to your cable modem in your basement. Want to know if you’re self-hosted? Here’s an easy way to find out: if you have the rights to install plugins into your WordPress, you’re self-hosted.

Renaming the admin account

By default, when WordPress is installed, an administrative account called “admin” is created. This account is a prime target, since an attacker can assume that just about every WordPress blog has a powerful account with that exact name. That means half of the login is already known: they can point a password-guessing tool at your blog with the user “admin” and only have to work on the password, and given enough time (or a weak enough password) they might get through. Obviously, we want to get rid of this account. Here are the steps to follow:
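To see what that guessing looks like from the server side, here is an added example (it is not from the original post) that flags password-guessing against wp-login.php in an ordinary Apache or nginx access log. It relies on one piece of WordPress behaviour: a failed login POST to wp-login.php is answered with a 200 (the form is redrawn with an error message), while a successful one is answered with a 302 redirect into wp-admin. The log lines, IP addresses and the “ten failures in five minutes” threshold are all constructed for the example.

```python
"""Flag password-guessing against wp-login.php in a combined-format access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line; the nginx default format looks the same.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: report} for IPs with >= threshold failed POSTs to wp-login.php
    inside any `window`.  A failed WordPress login POST gets a 200 (form redrawn
    with an error); a successful one gets a 302 redirect into wp-admin, so the
    status code alone separates failures from successes."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["time"], rec["status"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [t for t, status in events if status == 200]
        start, burst = 0, False
        for end in range(len(failures)):            # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            # A 302 after the guessing started means a password was eventually accepted.
            success_after = any(s == 302 and t > failures[0] for t, s in events)
            flagged[ip] = {"failures": len(failures), "success_after_burst": success_after}
    return flagged


def _line(ip, when, method, path, status):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S -0600")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log: one guessing tool that eventually gets in, one real user."""
    t0 = datetime(2010, 2, 9, 3, 0, 0)
    lines = [_line("198.51.100.7", t0, "GET", "/wp-login.php", 200)]
    # Attacker: 12 wrong passwords for "admin" in two minutes, then a hit.
    for i in range(12):
        lines.append(_line("203.0.113.5", t0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200))
    lines.append(_line("203.0.113.5", t0 + timedelta(seconds=125), "POST", "/wp-login.php", 302))
    # Legitimate user: one typo, then a successful login.
    lines.append(_line("198.51.100.7", t0 + timedelta(seconds=30), "POST", "/wp-login.php", 200))
    lines.append(_line("198.51.100.7", t0 + timedelta(seconds=45), "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    for ip, report in find_login_bruteforce(sample_log()).items():
        print(ip, report)
```

Run it against a real log with `find_login_bruteforce(open("access.log").readlines())`; an entry whose `success_after_burst` is `True` is the one worth waking up for, because it means a guessed password actually worked.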

Make sure you’re not posting as “admin”

You should have created a second account which you use for all your posting. If you HAVE been posting as admin, please slap yourself on the wrist. Bad blogger! No cookie! Luckily, this is easy to fix: create a new user account which you will use for your posting. You can go ahead and give it the role of “administrator” if you’d like (but see the tip below). Be advised that email addresses must be unique inside a WordPress installation, so if you want to use the email address you’ve already assigned to “admin”, you’ll need to change admin’s email address first. While you’re in the new account’s profile, set “Display name publicly as” to your name rather than the login name, so readers see who wrote a post without learning the username you type at wp-login.php.

Super secure tip: if you want to be REALLY tight, only give your new account the role of Editor. That way, if an attacker figures out your username and password, they won’t have unfettered access to your entire blog. This might be considered an “overkill” step, since Editors can still publish, edit and delete any post, but they can’t install plugins or themes, add users, or change site settings, so a compromised Editor account can’t be used to plant a plugin that acts as a backdoor into your blog. When you want to do admin-type things, you’ll log in with the new admin account we’re creating in the next step.

Create a new admin account

WordPress won’t let you rename an existing account from the dashboard (the Username field on the profile page is read-only), but we can accomplish the same thing in a roundabout way. Create a new account that will be your “break glass” admin for your blog: the one you log in with only when you need to administer the site. I suggest giving it a name that you will remember, but not something like “root” or “administrator”, which sit in every guessing tool’s list right next to “admin”. It’s okay to have the word “admin” IN the login name, however. For example, if your blog is called “Awesome Blog 2000”, you might call your admin account “abadmin”.

Give that account the “administrator” role, and set a REALLY strong password for it. It should be at least 14 characters long and include letters, numbers, symbols, and mixed case. I recommend using the Strong Password Generator website to create this password. Don’t worry about remembering it: you’re going to store this password in a safe place (a password manager is ideal), and you won’t have to keep it in your head.
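If you’d rather not hand your break-glass admin password to a third-party website, here is an added example (not from the original post) of generating one locally that satisfies the policy above: 14 or more characters with lower case, upper case, digits and symbols all present. The symbol set and the `meets_policy` checker are choices made for this example, not anything WordPress itself enforces.

```python
"""Generate and check admin passwords that meet the policy in the post."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Symbol set chosen for this example; WordPress accepts any printable character.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)          # 85 characters


def meets_policy(password, min_length=14):
    """Policy from the post: at least min_length characters and at least one
    character from each of the four classes."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=14):
    """Draw characters from the OS random source via `secrets` (never `random`,
    which is predictable) and redraw until the candidate satisfies the policy.
    Rejection sampling keeps every accepted password equally likely; the usual
    'one from each class, fill the rest, shuffle' trick does not give a uniform
    distribution over policy-compliant passwords."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def entropy_bits(length=14, alphabet=ALPHABET):
    """Entropy of a uniformly drawn password of this length before rejection;
    the class requirement throws away roughly a fifth of 14-character
    candidates, which costs well under one bit."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(), 1))
```

At 14 characters over this alphabet you get just under 90 bits, which is far beyond what any online guessing tool against wp-login.php will ever work through; the limiting factor becomes where you store the password, not how it was generated.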

Now, log in as your new admin account (WordPress won’t let you delete the account you’re currently logged in as), go into Authors & Users under “Users”, and delete the account called “admin”. If you’ve been posting as this user, when you delete it, WordPress will ask you who to assign those posts to; just pick your own personal account for this. No fuss, no muss.

Lock image from Flickr user Darwin Bell


{ 4 comments… read them below or add one }

curiousillusion February 10, 2010 at 2:36 am

14 characters long? For a password?? Oh my word.

Oh wait, just saw that I don't have to remember it. Okay that makes me feel a bit better.

Oh and I like this article, it would have helped if I had had to set up my blog. Lucky I have you around to nip things in the bud. Seriously, don't know what I would do without ya. Don't leave me!!


kath February 10, 2010 at 5:53 am

You said, about the regular user account: “You can go ahead and give it the role of “administrator” if you’d like.”

Umm, renaming the default admin account is okay. However, if you replace it with an account that you use to post, and which has “administrator” privileges, you are just replacing one security hole with another. The user name of that account will be all over your new blog, and anyone with half a brain will just brute force that user, instead of “admin”. (Plus, since your “everyday” account has administrative privileges, all the typical worries about how/where you use your password, etc. become concerns.)

You really shouldn't be posting from a user with elevated privileges at all. Your editor tip was about as close as you got to getting it right here.

People who are serious about security should go to the horse's mouth on this one:
http://codex.wordpress.org/Hardening_WordPress


mattstratton February 10, 2010 at 6:05 am

And you'll notice that I suggest, in my “super secure tip”, that you do exactly that – DON'T use your everyday account as an admin. But it's a start to rename the default.

By renaming the default, you remove the “drive-by” hackers who are just spinning through and looking for holes on any site with a /wp-admin directory and a user called “admin”.

Truth be told, even an Editor right is pretty insecure for your everyday account, because, like I said, the Editor has “delete” privileges. So if your “Editor” account is compromised, your entire blog can still get deleted.

As I had hoped was clear by the “Part 1” in the title, this is not the be-all and end-all of WordPress security. My audience is not the WordPress guru who reads long security documents on Codex – but the approach here is that ANY improvement is better than none at all.


mattstratton February 10, 2010 at 6:07 am

“The user name of that account will be all over your new blog”

Really? That's odd. MY username isn't all over my blog. My NAME is, but not the login. I suppose the extra step is to not use the login, but change it to the display name instead.

(to be completely fair, most of what you said is accurate. I don't know that posting as an admin is just as bad as having the default admin account enabled with a weak password, but I do agree that there are even further steps that can be performed)



{ 3 trackbacks }
