Basic security measures to keep your WordPress admin area safe

Dec 04 2009

Nobody WANTS to have their blog hacked.  But without a few basic precautions, you could be practically inviting attackers in without knowing it.

When you install WordPress, you will automatically have a user account named “admin.”  Everyone who knows WordPress knows this.  And that includes the bad folks who want to get admin access to your site.  Because they know that your site probably has an administrator-level account with the username “admin,” half the work is done.  Then they just need to figure out your password.  One of the most common attacks on WordPress sites is called “brute force” password guessing. A script will keep trying different password combinations until it finds the correct one.  They usually aren’t successful, but sometimes they hit the jackpot – and you don’t want your site to be the lucky winner.**

To defend against this type of attack, there are three fairly basic things you can do:

  1. Have a good password
  2. Get rid of the “admin” account
  3. Ban anyone with too many failed login attempts

Creating a strong password

WordPress makes it really easy to have a good password.  When you edit your profile and change your password there is a “strength indicator” that will tell you if your password is very weak, weak, medium or strong.  Always shoot for a “strong” rating.  That goes for anyone with any user role, but especially for someone with administrator-level access.

Getting rid of the “admin” account

This is a little more involved, but still really easy.  The most painless way I have found to accomplish this with WordPress is to use WPVN Username Changer to change the username from “admin” to something else.  The plugin doesn’t work with WPMU yet, unfortunately, as it doesn’t seem to transfer Site Admin status to the new username.

Here are the steps I’d recommend to change your username:

  1. If you want to change your account’s password to something other than the generated password, I found it’s easiest to change it before you switch usernames. If you do change it, make sure it gets a “strong” rating.
  2. Backup your database (unless it is an untouched, fresh installation of WordPress).
  3. Download, install and activate WPVN Username Changer.
  4. Expand “Users” in the main navigation, and click “Change Username”.
  5. Enter your new username, click save. The plugin will ask you to log in again using your new username (This is where changing your password comes in handy – you don’t have to go back to your installation email to copy/paste the generated password).

[Screenshot: the plugin’s “Change Your Username” screen] (yup, it’s that easy.)

There are of course other ways to rid your site of the ‘admin’ user.  Aside from other techniques for changing the username to something else (directly editing the user in the database), you can also create a new account for yourself, and then delete the admin user.  Steps for deleting the admin account are outlined clearly in this post at Internet Techies.

If you go this route, just be extra-cautious that you have given your new account proper permissions before you delete ‘admin’.  In WordPress, it’s as easy as changing the user’s role to ‘administrator’.  In WPMU, in addition to changing the role, you will need to add the new user name to the list of site admins on the Site Options page.  To do that, expand the Site Admin section in the navigation, then click Options. Scroll down to Administration Options. Add the new username(s) to the site admin list, separated by spaces.

Ban anyone with too many failed login attempts

There are a couple of plugins I’ve found that can do this for you (though I’m sure there are more): Login Lockdown and Limit Login Attempts. These plugins allow you to block anyone who has more than a certain number of failed login attempts.  You can specify what that number is in the plugin settings, as well as the duration of the lockout. Login Lockdown displays the IPs of anyone currently locked out on its options page.  Limit Login Attempts goes one step further: it can keep a log of all lockouts, and/or email you whenever it happens.  Also, if anyone has multiple lockouts (you can choose the number), Limit Login Attempts allows you to block them for an even longer period of time.
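To show what such a plugin actually does behind its options page, here is a small lockout-by-IP plugin written as an added example for this post. It is not the code of Login Lockdown or Limit Login Attempts; the thresholds (5 failures, 20-minute lockout, 24-hour lockout after 3 lockouts) are assumed values standing in for the settings those plugins expose, and it stores its counters in WordPress transients so it needs no tables of its own.

```php
<?php
/*
Plugin Name: Example Login Lockout
Description: Illustrative lockout-by-IP logic; added example, not the code of Login Lockdown or Limit Login Attempts.
*/

// Assumed thresholds (the real plugins let you set these on their options pages).
define( 'EX_LOCKOUT_MAX_FAILURES',  5 );            // failed logins before a lockout
define( 'EX_LOCKOUT_DURATION',      20 * 60 );      // normal lockout: 20 minutes
define( 'EX_LOCKOUT_MAX_LOCKOUTS',  3 );            // lockouts before the long lockout kicks in
define( 'EX_LOCKOUT_LONG_DURATION', 24 * 60 * 60 ); // long lockout: 24 hours

// The client address. REMOTE_ADDR is the TCP peer; behind a reverse proxy you would
// read the proxy's forwarded header instead, and only if that proxy is trusted.
function ex_lockout_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for one counter, keyed on the client address.
function ex_lockout_key( $counter ) {
    return 'ex_lockout_' . $counter . '_' . md5( ex_lockout_ip() );
}

// Seconds remaining on an active lockout for this client, or 0 if none.
function ex_lockout_remaining() {
    $until = (int) get_transient( ex_lockout_key( 'locked' ) );
    return max( 0, $until - time() );
}

// Runs on every failed login (wp_login_failed action).
function ex_lockout_record_failure( $username ) {
    if ( ex_lockout_remaining() > 0 ) {
        return; // already locked out; don't count the rejected attempt again
    }
    $fail_key = ex_lockout_key( 'failures' );
    $failures = (int) get_transient( $fail_key ) + 1;   // get_transient() is false when unset
    set_transient( $fail_key, $failures, EX_LOCKOUT_DURATION );
    if ( $failures < EX_LOCKOUT_MAX_FAILURES ) {
        return;
    }

    // Threshold reached: reset the failure counter and count this lockout.
    delete_transient( $fail_key );
    $lock_count_key = ex_lockout_key( 'lockouts' );
    $lockouts       = (int) get_transient( $lock_count_key ) + 1;
    set_transient( $lock_count_key, $lockouts, EX_LOCKOUT_LONG_DURATION );

    // Repeat offenders get the long lockout (the "multiple lockouts" option described above).
    $duration = ( $lockouts >= EX_LOCKOUT_MAX_LOCKOUTS ) ? EX_LOCKOUT_LONG_DURATION : EX_LOCKOUT_DURATION;
    set_transient( ex_lockout_key( 'locked' ), time() + $duration, $duration );

    // Keep a record for the site owner; the real plugins log to an option or send email.
    error_log( sprintf( 'login lockout #%d for %s (last username tried: %s), %d seconds',
        $lockouts, ex_lockout_ip(), $username, $duration ) );
}
add_action( 'wp_login_failed', 'ex_lockout_record_failure' );

// Runs on every login attempt (authenticate filter). Priority 30 places it after
// WordPress's own username/password check (priority 20), so a locked-out client
// is refused even when the password it just tried happens to be right.
function ex_lockout_refuse( $user, $username, $password ) {
    $remaining = ex_lockout_remaining();
    if ( $remaining > 0 ) {
        return new WP_Error( 'ex_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minute(s).', ceil( $remaining / 60 ) ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_lockout_refuse', 30, 3 );
```

Drop the file into wp-content/plugins and activate it. Two design points worth noticing: the refusal runs after the core password check rather than before it, because a filter that returns an error early can still be overridden by a later filter that finds the password correct; and the failure counter is not incremented while a lockout is active, otherwise every rejected attempt during the lockout would feed straight into the next one.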


Final notes: Strong passwords, strong passwords, strong passwords. Did I mention strong passwords?

So you’ve deleted or renamed the ‘admin’ account, and you’re protected against malicious automated scripts.  That’s great!  But let’s say someone holds a grudge against you for that time you beaned them with a dodge ball in P.E.  And they have a new brute force password cracker they are dying to try out.  There are a couple of ways they could discover your username. Aside from the fact that they may be able to guess it (if it’s your first name, for example), they could also find it if you have published any blog posts with your administrator account and your template uses the_author_posts_link().  That function generates a link to an archive of your posts, in the format http://www.site.com/author/nancyq. There’s your username, exposed to the world.  If they guess your password, they are in.

Even if you don’t have author archives, your username may also be displayed in the RSS feed generated by WordPress.  If you have not changed your display name from the default, the RSS feed source code will show your username as the content creator.

It’s probably not likely that you have a nemesis from 5th grade trying to get access to your blog – and both the above scenarios are easy to fix or avoid. However, if someone with malicious intent knows (or can guess or find) your username, you can be in trouble if you have a weak password.  Even if a hacker only gains access to an author or editor account, where they couldn’t do a whole lot of harm, they could still post links, naughty pictures, or worse, blinking blue text saying “pwnd”.
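Both exposures above come from two fields WordPress fills in from the login name by default: the author slug (user_nicename), which builds the /author/… URL that the_author_posts_link() emits, and the display name, which the_author() prints and the feed carries as the content creator. The following audit plugin is an added example written for this post (not WordPress core or any plugin’s code); it assumes a WordPress version that has get_users() and simply lists, on the dashboard, every account whose public names still reveal its login name, plus any leftover “admin” account.

```php
<?php
/*
Plugin Name: Example Username Exposure Audit
Description: Illustrative admin notice listing accounts whose public names reveal the login name; added example, not WordPress core or any plugin's code.
*/

// Returns array( login => list of findings ) for accounts that leak their login name.
function ex_username_exposure_report() {
    $report = array();
    foreach ( get_users() as $user ) {
        $findings = array();

        // The author archive URL (what the_author_posts_link() emits) is built from
        // user_nicename, which by default is just the sanitized login name.
        if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
            $findings[] = 'author archive slug is the login name: ' . get_author_posts_url( $user->ID );
        }
        // The display name is what the_author() prints and what the feed's
        // <dc:creator> element carries; by default it is the login name too.
        if ( $user->display_name === $user->user_login ) {
            $findings[] = 'display name is the login name (shows up in posts and the RSS feed)';
        }
        // The well-known default account name.
        if ( 'admin' === strtolower( $user->user_login ) ) {
            $findings[] = 'default "admin" account still exists';
        }
        if ( $findings ) {
            $report[ $user->user_login ] = $findings;
        }
    }
    return $report;
}

// Show the findings to administrators on every dashboard page until they are fixed.
function ex_username_exposure_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $report = ex_username_exposure_report();
    if ( ! $report ) {
        return;
    }
    echo '<div class="error"><p><strong>Username exposure audit</strong></p><ul>';
    foreach ( $report as $login => $findings ) {
        foreach ( $findings as $finding ) {
            echo '<li>' . esc_html( $login ) . ': ' . esc_html( $finding ) . '</li>';
        }
    }
    echo '</ul><p>Fix: set a different display name in the user profile, and give the '
       . 'account a different author slug (user_nicename), e.g. via wp_update_user().</p></div>';
}
add_action( 'admin_notices', 'ex_username_exposure_notice' );
```

One caveat the audit makes visible: the author slug is a separate field from the login name, so renaming the login does not by itself change an /author/ URL that already carried the old name. After changing a username, check the slug too, and pick a display name that is not the login name for every account that publishes.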

If you don’t know how to create a good, strong password, there is a lot of advice out there.

Some resources

A strong password, some tricky username tactics, and locking down your login form are all some very basic things you can do to protect your WordPress admin area.  Of course there are many, many more things you can do to protect against brute force attacks, as well as other types of common WordPress attacks.  Google “wordpress security” and you will get a LOT of info.  Here are some links to get you started:

Hardening WordPress (WordPress codex)

13 Vital Tips and Hacks to Protect Your WordPress Admin Area (WPBeginner)

11 Best Ways to Improve WordPress Security (Pro Blog Design)

WP Security Scan (a plugin that will scan your site/blog for security vulnerabilities)

** Distributed account hacking schemes could be making brute force password guessing more widespread and successful. See articles:
Web service automates Wordpress account cracking
The Hail Mary Cloud: Slow but steady brute-force password guessing botnet

Posted by Jill at 9:00 AM

Published in Development, Tips & Tricks on Friday, December 4th, 2009


2 Responses

  1. SunyiK says:

    Hey Jilly-
    Thanks for the informative and fun read. Looking in to those password plug-ins!


  2. Tejaswini says:

    Nice and descriptive post. Very necessary to keep Wordpress admin away from security breaches. The most important thing is always we should keep the Wordpress version up-to-date as most of the releases are security releases. Thanks for sharing.

