Securing your WordPress Admin Accounts

On its own, WordPress is a very secure platform.  However, when you start introducing third party software and people into the system, this can change.  Today we are going to go over some good policies that every site administrator should put into place.

Don’t Give Away Your Username

Obviously, if someone knows the username you use to log in to your site, all they have left to do is guess your password.  WordPress used to assign the ‘admin’ username to the administrator automatically when a site was created.  If for any reason your username is set to ‘admin’, you will want to change it.

WordPress won’t allow you to change your username after the fact, so you will have to follow these steps to fix it:

  1. Log into your administrator account.
  2. Create a new administrator account with a secure username.
  3. Log in using the new administrator account.
  4. Delete your old administrator account.
  5. When asked what to do with the content created by the old user, assign everything to the new user.

Changing your display name in WordPress profile settings

Beyond avoiding ‘admin’ as your username, you will need to prevent WordPress from displaying your username on the front end of the site.  By default, your username is displayed on the front end of the site for all the posts that you have authored.  This is done because the username is required during user creation and not all users have assigned another name to appear on the site.  Thankfully, WordPress allows you to display the name of your choice on the front end of the site.  The image above illustrates the last step in this process:

  1. Log in to your administrator account.
  2. In the menu on the left, go to ‘Users’ -> ‘Your Profile’.
  3. Enter a nickname that is different from your username.
  4. In the ‘Display name publicly as’ dropdown, select your nickname.

If you don’t mind displaying your real name on the site, you can always display that as well.  Keep in mind that if your username was being displayed on the site before, you will want to follow the aforementioned steps for changing the username for your admin account.
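The two checks described above (an administrator still named ‘admin’, and a display name that repeats the login) can be run across every account at once. The following is an added example, not part of the original article; it assumes a user export in the shape produced by WP-CLI's `wp user list --format=json`, and the sample accounts are constructed.

```python
import json

# Constructed sample in the shape of `wp user list --format=json`
# (ID, user_login, display_name, roles); not data from a real site.
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "admin", "display_name": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "jsmith_ops", "display_name": "jsmith_ops", "roles": "administrator"},
  {"ID": 3, "user_login": "k7-editor-main", "display_name": "Kim", "roles": "administrator"},
  {"ID": 4, "user_login": "guestwriter", "display_name": "guestwriter", "roles": "author"}
]"""

DEFAULT_LOGINS = {"admin"}  # the legacy default username the article warns about


def audit_users(export_json, privileged_roles=("administrator",)):
    """Return {user_login: [findings]} for accounts holding a privileged role."""
    findings = {}
    for user in json.loads(export_json):
        roles = user.get("roles", "")
        if isinstance(roles, str):  # assumed: roles arrive as a comma-separated string
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if not set(roles) & set(privileged_roles):
            continue
        login = user["user_login"]
        shown = user.get("display_name", "")
        issues = []
        if login.lower() in DEFAULT_LOGINS:
            issues.append("default-username")
        # The public byline repeats the login name, so every post gives it away.
        if shown.strip().lower() == login.lower():
            issues.append("display-name-reveals-username")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in audit_users(SAMPLE_EXPORT).items():
        print(f"{login}: {', '.join(issues)}")
```

Accounts flagged `default-username` need the replace-and-reassign steps; accounts flagged only `display-name-reveals-username` need the profile change.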

Use Secure Passwords

All too often people use insecure passwords because they are easy to type or easy to remember.  Here are a few pointers on secure passwords:

  1. Never use obvious or easy to guess passwords.  ‘Password’ or your pet’s name should definitely be marked off the list.  Also, don’t use the name of your spouse, parts of your address or other personal information like your birthdate.
  2. Don’t use a password across multiple accounts.  If someone were to gain access to your password for one account it would compromise all of your other accounts.  When I use the word ‘accounts’ here, I mean any website where you might have a username and password.
  3. Make your password long enough. The shorter your password is, the more likely a hacker will be able to crack it.  As a password gets longer, it becomes exponentially more difficult to crack.  Eight characters should be the minimum here.
  4. Mix up your characters. Don’t just use all letters or numbers, or even all upper or lowercase for that matter.
  5. Actually change your password occasionally.
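Pointers 1, 3 and 4 can be checked mechanically before a password is accepted; reuse and rotation (pointers 2 and 5) cannot be judged from the password alone. This is an added example, not part of the original article; the function name, the deny list and the sample values are constructed for illustration.

```python
# Constructed deny list of obvious choices; extend it with your own.
OBVIOUS = {"password", "12345678", "qwertyui", "letmein1"}
MIN_LENGTH = 8  # the minimum given in pointer 3


def check_password(candidate, personal_info=()):
    """Return the names of the pointers the candidate fails (empty list = passes)."""
    failures = []
    lowered = candidate.lower()

    # Pointer 1: obvious passwords, compared case-insensitively.
    if lowered in OBVIOUS:
        failures.append("obvious")
    # Pointer 1: pet or spouse names, address parts, birthdate, supplied by the caller.
    # Tokens shorter than three characters are ignored to avoid accidental matches.
    if any(len(tok) >= 3 and tok.lower() in lowered for tok in personal_info):
        failures.append("personal-info")

    # Pointer 3: minimum length.
    if len(candidate) < MIN_LENGTH:
        failures.append("too-short")

    # Pointer 4: not all letters, not all numbers, not all one case.
    letters = [c for c in candidate if c.isalpha()]
    single_case = bool(letters) and (
        all(c.islower() for c in letters) or all(c.isupper() for c in letters)
    )
    if candidate.isalpha() or candidate.isdigit() or single_case:
        failures.append("not-mixed")

    return failures


if __name__ == "__main__":
    for pw, info in [("Password", ()), ("rex2015", ("Rex",)), ("Tr4il-mix&Oboe!", ("Rex",))]:
        print(repr(pw), check_password(pw, info) or "ok")
```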

Next Steps

The tips listed here cover just a few things you can do to improve security. Here are a few resources to help you take security to the next level:

Comments

    1. A database backup is probably the most important thing, but not enough to restore your site if it is hacked. It is also important to be sure that you back up any actual files on your server, particularly those that may have been customized and any uploads you may have. I recommend backing up the entire wp-content directory, your wp-config.php and .htaccess files. If you are interested in securing your site, I would recommend you start here: http://codex.wordpress.org/Hardening_WordPress. There is good information and some great resources on that page.

  1. I too have been following the advice to change your admin login Username, and then use a different Display Name so as not to reveal the Username….but it turns out that this may be a waste of time, especially if you ever post from that account, because there are ways to get WordPress to reveal usernames!

    1. Thankfully, WordPress doesn’t force you to utilize the ‘admin’ username anymore. Simply avoiding the use of ‘admin’ as a user account is actually helpful, as some automated hacking scripts work off of the assumption that the user exists. However, things do change and there are other ways to expose actual usernames to the public. Perhaps the most useful thing at this point is to ensure that you change the ‘Display Name’ setting in WordPress so it doesn’t show your username on the front end of the site… and I still would never use ‘admin’ as your username.
