Every single day, multiple times a day, bad guys are attacking your website. One attack vector I see frequently is the brute force attack on the admin account. A brute force attack is the automated use of many different passwords until one works. If hackers get access to your admin account, they own your site. There are several things you can do to protect this account and your site.
- Use a unique login name for your admin account. Do not use admin, administrator, the domain name, or your email address.
- Do not use your login name as your display name.
- Do not use your admin account to create content.
- Follow password best practices.
- Use two-factor authentication.
- Use security plugins.
Use a Unique Login Name
When you install WordPress for the first time you have the opportunity to choose a name for the administrator account. The default name is “admin”. Do not accept the default. Use a different name for the admin account because that is the first and most frequent account name the bad guys will try to brute force attack. It happens on a daily basis.
There are three other logins that are frequently targeted. First is “administrator”. Do not think that typing out the full name for admin will protect you. Also, don’t use the domain name with or without the “.com”. For instance, if your site is called WandasFishOil.com, you may be tempted to use WandasFishOil as the name of the admin account, especially if you own multiple WordPress sites. Don’t do it. The automated hacking bots are programmed to try that account too. Lastly, don’t use your email address as your administrator login. Hackers can get your email address from any number of sources including your WHOIS information, your contact form, your content, your registration at other sites or forums, correspondence you may have had, or social engineering. The brute force bots frequently use the name portion of discovered and guessed email addresses as logins for their brute force attacks.
The login name is the first piece of information a hacker needs to access your site. Don’t make it easy for them, choose something unique.
Changing the Admin Login Name in WordPress
If you already installed WordPress with the default admin name or one of the login names described above, you should change that name to something unique. You’ll notice that you cannot do this using the Profile page on the Users menu in the WordPress admin dashboard. You have two choices for making the change.
- If you have access to the database, you can change the admin login name using phpMyAdmin. You’ll have to go to the correct database, table, and record and find the login field to make the change.
- If you are not comfortable with phpMyAdmin or don’t have access to the database, you can create a new admin account with an appropriate name and then demote, delete, or disable the old admin account.
Do Not Display Your Login Name
WordPress users have multiple names associated with their profile including login, first name, last name, nickname, and display name. The display name is the login by default. The display name is the name that appears in the byline or post meta of posts and pages in most themes. You do not want to show your unique login to the world, so use the drop-down menu on the user profile page to select a different name for the display name. Popular choices for the display name are “First name Last name”, “Last Name First Name”, or “Nick Name” if you ensure it is different from the login name.
Do Not Use the Admin Account to Create Content
Your WordPress site requires an admin account, but you should only use it to administer the site. Create and use a separate author or editor account to add content like posts and pages to WordPress. By using a separate reduced-privilege account for frequent content creation and daily tasks, you can ensure that your more powerful account remains safe in the event that a hacker gets hold of your content account through a leaked display name, accident, malware, or social engineering.
Follow Password Best Practices
- Choose a long password of at least 8 characters, preferably more
- Use a mix of uppercase, lowercase, numbers, spaces, punctuation, and special symbols when possible in your password
- Use a different password for each account
- Change your passwords several times a year
- Don’t use dictionary words by themselves
- Don’t use repeating characters or keyboard sequences
- Don’t reveal your password to anyone
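The login-name, display-name, and password rules above can be checked offline before you save a profile. The script below is an added example, not code from the original post; the site domain, email address, user names, and passwords in it are constructed sample values, and the "at least three character classes" threshold is an assumption (the post says "a mix ... when possible" without fixing a number).

```python
import re

def targeted_logins(site_domain, admin_email):
    """Login names the post says brute-force bots try first: the defaults,
    the domain with and without its TLD, and the local part of the email."""
    domain = site_domain.lower()
    bare = domain.rsplit(".", 1)[0]                    # "wandasfishoil.com" -> "wandasfishoil"
    local_part = admin_email.lower().split("@", 1)[0]  # "wanda@..." -> "wanda"
    return {"admin", "administrator", domain, bare, local_part}

def audit_account(user_login, display_name, admin_email, site_domain):
    """Return findings for the login/display-name rules; an empty list means clean."""
    findings = []
    if user_login.lower() in targeted_logins(site_domain, admin_email):
        findings.append("login name is one the brute-force bots try first")
    if display_name.strip().lower() == user_login.lower():
        findings.append("display name reveals the login name")
    return findings

# Assumption: require at least three of these four classes.
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
# Small constructed list of keyboard sequences; extend for real use.
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcde")

def audit_password(password):
    """Return findings for the password rules; an empty list means clean."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if sum(1 for p in CHAR_CLASSES if re.search(p, password)) < 3:
        findings.append("fewer than three character classes")
    if re.search(r"(.)\1\1", password):          # same character three times in a row
        findings.append("contains a run of repeated characters")
    lowered = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains keyboard sequence '{seq}'")
    return findings

if __name__ == "__main__":
    site, email = "WandasFishOil.com", "wanda@wandasfishoil.com"   # constructed
    for login, shown in (("WandasFishOil", "WandasFishOil"), ("wfo_keeper", "Wanda Jones")):
        print(login, audit_account(login, shown, email, site))
    for pw in ("fishoil", "Tr0ub4dor&3xyz", "qwerty123"):
        print(repr(pw), audit_password(pw))
```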
Consider Using 2-Factor Authentication
A password is a one-factor authentication. A password is something you know. To improve security, consider two-factor authentication. One popular form of two-factor authentication for WordPress is something you know and something you have, like your password and an ever-changing code that appears only on your smartphone, or a text message code that goes only to your phone. There are several plugins in the WordPress Codex that allow authenticator codes and text message codes as a second authentication factor in WordPress. Biometrics like fingerprints, voice print, and retina scans are also sometimes used as a second factor of authentication. There is at least one WordPress plugin that claims to allow biometric security. Look for a future article with a roundup of these two-factor and alternative authentication plugins.
Other Security Plugins for WordPress
There are a number of WordPress security plugins in the Codex that can be used to make your WordPress installation more secure. WordFence and Sucuri are two that come to mind. These plugins can block attacks by vector, like brute force attacks or cross-site scripting. They can block attackers by IP address or even country of origin. A round-up of WordPress security plugins will be posted in the near future.
What Do You Think?
Do you have any other best practices or security tips for the WordPress admin account or WordPress security in general? Do you have any questions, comments, or concerns? Speak your mind in the comments section below.