WordPress Security – why “Admin” is a bad thing

| September 2, 2013

If you are running WordPress there may be a common setting that is jeopardizing the security of your site.A computer lock

Recently, there was an organized botnet attack on WordPress sites. What that means is that a software program with millions of minions was scanning the internet for WordPress sites, especially ones that have an “admin”  log in user name.

It makes sense if you think about it.

A hacker trying to get into your site needs two things; the user name and the password. By having an “admin” account you just handed them half of the equation. The hacker then hides behind spoofed IP addresses and tries lots of different passwords until they find the right one. The scary thing is, depending on your host or how you do the installation, adding an “admin” account is done by default.

So what can you do?

If you are creating a new WordPress installation use a different name than “admin” for your default account. To check to see if you have an “admin” user account set up, log in to the administrative panel and select “Users” -> “All Users”.

To change an existing “admin” user:

Important: You must have at least one administrative Role level user at all times.

You must also be logged in as someone with administrative account rights. So if the “admin” user is the only user account with an administrative role, you will need to create a new user account and grant it “administrative” permissions.  Then log off the “admin” user account and log in under the new user account. You can then just delete the “admin” account.

There are plugins that can help you lock down your site, including dealing with a default “admin” user. I like “Better WP Security“. Full disclosure, I am not paid or compensated in any way by them, I just happen to really like the product.

Whether you use the plugin or decide to take matters in your own hands, the important thing is to not give the bad guys anymore help.

Category: Security, Wordpress

Comments are closed.