In light of the recent WordPress attack where a botnet of “tens of thousands” of computers tried gaining access to WordPress blogs across the web, I’d like to share a few quick tips for locking down WordPress.
Here’s more about the recent attack on BBC if you missed the news
Changing WordPress Admin Username
Since this attack revolved around trying to guess the passwords for the username of “admin” I’d like to start by explaining how to change the username.
Since version 3 of WordPress came out we have been able to use a custom username for the main admin account during install. But… many people still use the default of “admin.”
I really think WP should leave that field blank to force a username to be added, but for some reason they don’t. Therefore, there are way too many installs using the “admin” username with weak dictionary passwords.
If your WP install has an “admin” username, here are the steps to change it. It’s not as simple as just “changing” it because usernames cannot be changed. Instead we will create a new admin account, login as that user, delete the admin account, and assign the admins posts to the new user. Here we go.
1. Login to your WP dashboard.
2. Click on Users >> Add New.
3. Create a new Administrator account with the following suggestions/requirements:
– Use a username that would be difficult to guess, something that isn’t very similar to your first name, or full name. Consider using underscores.
– Use a different email than the current admin (you can change it later).
– Use a strong password. A mix of uppercase and lowercase characters, numbers, and special characters is considered strong. Making it 10 or more characters long is best.
– Change the Role to Administrator.
4. Logout then log back in with new user account credentials.
5. Click on Users >> All Users. Hover over the “admin” user and click Delete.
6. Click on Attribute all posts to: then select the newly created user (most likely the only one there). Then click Confirm Deletion.
More WordPress Security Tips
Besides making a hard to guess username and using a strong password, many WP users are password protecting their actual login page as well.
This involves creating a password file that sits in a non-public folder on the server. Then a mod to the .htaccess file in the same folder will make sure the credentials are entered before gaining access to the login page.
The password file requires that the password is hashed (encrypted) using the MD5 algorithm, but it’s easier than it sounds. Here’s a quick 5-minute tutorial on HostGator to help for users with CPanel and Plesk.
The above change will effect all WP installs in the same hosting account. Some say it is overkill, but an extra layer could mean the difference of being hacked and not.
Also, the 2-step authentication system that is an option on WordPress.com blogs, and also for Google accounts, can also be ported over to self-hosted WP sites.
It involves the auto-sending of a text to a smartphone with a unique code, immediatelty after login. The user cannot gain access unless they input the code correctly.
To get it to work for WordPress.org (self-hosted) blogs, as far as I know, Authly is the only readily available choice, although reportedly, the WordPress JetPack plugin has that feature on the way.