I probably log in to 5 different WordPress sites every day and I’m becoming concerned about the lack of login security being used by clients. The username is admin, the passwords are words that aren’t hard to guess, the same password is used for WordPress, ftp and the MySQL database, and they don’t change the login after I have completed working on the site.
So, this post is going to be a gentle nag and is going to include a couple of basic security tips.
You’re probably thinking: why would anyone want to hack into my WordPress site? Why would they want my parenting, WordPress, or green-living articles? Well, the hackers don’t really want that data. And you can’t really apply standard logic to what hackers do and don’t do. For most of them, the success of the hack is what matters – not what they are gaining access to.
And if they are able to get server-level access they will be able to install nefarious programs that will get you kicked off of your web host permanently. I’ve been there – years ago – but that is probably a subject for another post, as the security problem had nothing to do with WordPress.
Anyway, here are my tips for your WordPress login.
- Change the username. I’d say 80% of the usernames I am given for WordPress are admin. Just change it – you don’t have to have the username admin to have administrator-level access. And if you leave it as admin, you’ve made the hacker’s job 50% easier. You can even change the username after you’ve been using it for a long time:
  - Create a new user with Admin level privileges.
  - Log out and then log in with the newly created username and password.
  - Delete the admin account. You will be asked what to do with the posts by that username. You can delete them all, which I don’t recommend doing ;-), or attribute them to the newly created user.
  - When you make a new username you don’t have to make it anything incredibly difficult, but please don’t use your name, your child’s name or your site name. I use a name that means something to me but isn’t easily associated with me.
- Make your password hard and remember it. You can rely on your browser’s remembered-password feature, but if you lose those settings, you will lose your password. Don’t use your name, your child’s name or your site’s name. Don’t use the same password that you use for your hosting account; if you do, the same password is being used for WordPress, ftp and probably your cPanel. You can create a secure password using a random password generator.
- After I work on your site, change the login. If I am going to be working on your site on an ongoing basis, create an account for me; don’t have me use the same one that you do. Recently I randomly tested some old logins from a site I worked on once or twice and the login was still valid. Fortunately for them, I’m not an evil person ;-)
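To make the three checks above concrete, here is an added Python script (not part of the original post) that audits a site’s WordPress, ftp and MySQL credentials for exactly the mistakes listed: the default admin login, passwords built from the owner’s or site’s name, and one password shared across all three services. The site data, names and length threshold are constructed sample values.

```python
import secrets
import string

# Constructed sample of the pattern the post describes: login "admin" and one
# guessable password shared by WordPress, FTP and MySQL. Not real credentials.
SITE = {
    "site_name": "greenliving",
    "owner_names": ["kim", "emma"],
    "wordpress": {"user": "admin", "password": "greenliving1"},
    "ftp": {"user": "greenliving", "password": "greenliving1"},
    "mysql": {"user": "greenliving", "password": "greenliving1"},
}
SERVICES = ("wordpress", "ftp", "mysql")


def password_findings(pw, username, site_name, names):
    """Return the weaknesses the post warns about for a single password."""
    findings = []
    if len(pw) < 12:  # assumed minimum length
        findings.append("shorter than 12 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        findings.append("fewer than 3 character classes")
    words = [("username", username), ("site name", site_name)]
    words += [("personal name", n) for n in names]
    for label, word in words:
        if word and word.lower() in pw.lower():
            findings.append(f"contains the {label} '{word}'")
    return findings


def audit_site(site):
    """Audit WordPress, FTP and MySQL credentials; returns {service: [findings]}."""
    report = {}
    for svc in SERVICES:
        creds = site[svc]
        findings = password_findings(creds["password"], creds["user"],
                                     site["site_name"], site["owner_names"])
        if svc == "wordpress" and creds["user"].lower() == "admin":
            findings.insert(0, "login is the default 'admin'")
        # One password on all three services means a single leak opens all of them.
        reused = [o for o in SERVICES if o != svc
                  and site[o]["password"] == creds["password"]]
        if reused:
            findings.append("password reused with " + ", ".join(reused))
        report[svc] = findings
    return report


def generate_password(length=20):
    """Random password from the OS CSPRNG, retried until it passes the checks."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_findings(pw, "", "", []):
            return pw
```

Run `audit_site(SITE)` against your own three credential sets; an empty list for every service means none of the listed mistakes apply.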
Ok, that’s it – lecture is over. Don’t wait until the damage has already been done before taking my advice into consideration.
Here is an article from The Blog Herald about password security and the most commonly used passwords. Does yours fall in the most common?
photo credit: lloydi
Davina says
Hi Kim. More good advice. Thank you. I just had some additional security features installed on my blog, but this is not something I had considered. One cannot be too careful. My passwords are so complicated though, I don’t trust even myself to remember them. They’re stored under lock and key.
Davina’s last blog post – The Morning Muse — Photo Story
Kim Woodbridge says
Hi Davina – LOL on not being able to remember your passwords. There are a lot more things that can be done to secure WordPress but I just wanted to start with the most basic.
Sire says
Kim, this makes a heck of a lot of sense, and I’m not saying that I am one of those that uses admin as my user name, and I’m not saying that I don’t, but one thing is for sure: I’m going to make sure whatever I have been using, it’s not going to be admin.
Sire’s last blog post – Blogging As A Source Of Information
Kim Woodbridge says
Hi Sire – Ok – lol – don’t use Sire as your username either ;-) Or wassup ;-)
Sire says
Now you’re making it kind of hard even for me. There is every chance I will forget who I’m supposed to be and won’t be able to log into my own blog ;)
Sire’s last blog post – Blogging As A Source Of Information
Madhur Kapoor says
Nice tips. There are also quite a few security related plugins that block an IP address if a failed login attempt is detected a certain number of times.
Madhur Kapoor’s last blog post – Divide Your Desktop into Regions with MaxTo
Kim Woodbridge says
Hi Madhur – There is definitely a lot more you can do for security. I just wanted to start with the most basic.
Jim says
hahahahaha. I love that picture!
I don’t have any nearly as bad as the ones on the article you linked to but I always feel my passwords aren’t strong enough. I need to go back and fix a couple and this article is a good reminder. :-)
Kim Woodbridge says
Hi Jim – Was hoping someone would comment on the photo. That is quite a firewall. ;-)
Terri Holley says
Great advice, Kim! I will pass this on to my clients!
Terri Holley’s last blog post – Relationship Marketing: What is Most Important
Kim Woodbridge says
Hi Terri,
Great! I hope it helps them out.
Jill says
Passwords are a nightmare. If you’re at all active on the web, you quickly find a need for dozens of the things – what with blogs and social networks and feed aggregators. And who can remember them all? I use 1Password (http://agilewebsolutions.com/products/1Password) which allows me to store all my login info. Then I’m not afraid to make unique logins for every site I use and truly hard passwords (it includes a password generator) because I don’t have to worry about forgetting them.
Kim Woodbridge says
Hi Jill,
I’m not familiar with that site – do you think it’s safe? I’ve found a password protected spreadsheet of logins works pretty well – then you only have to remember one password but you have to make sure it’s a really secure one and that you actually do remember it.
Vered - MomGrind says
Thanks Kim for an important reminder.
Vered – MomGrind’s last blog post – Patient Parenting: Five Tried And Tested Tips
Kim Woodbridge says
Hi Vered – Thanks!
stratosg says
Well Kim, I will have to disagree. Here is why. You don’t have to change the default username from “admin” to something else. You just have to have a secure password. And by saying secure I mean s-e-c-u-r-e. More than 8 characters long, mixed with numbers, lower and upper case letters, and of course, special symbols. If you do that, a hacker’s chance of a brute force attack is more than slim, it’s actually undoable. Why give me a hard time with a username like “sguser” or something like that. Not necessary. I’ve been reading all over the blogosphere about changing the login username and guess what, mine is “admin”! The security lies on a lethal combination, username “admin” and password “george1234”. I remember telling you that I read once “passwords are like underwear, they are personal and they need to be changed often”. As for storing the passwords here is what I recommend. Use a program like TrueCrypt and store the passwords in an AES encrypted file. This way, even if you lose your flash drive it will be useless to everybody ;) But I must agree with your nagging. People are careless with their passwords and the security of their websites in general until they find themselves hacked and lose content. But, then again, it’s already late…
Kim Woodbridge says
Hi Stratos,
So if the password is unhackable, it doesn’t matter what the username is.
I was looking at TrueCrypt – can it be used with just one file or is it for directories and drives?
A couple of people have mentioned the plugin that locks a user out after a certain number of failed login attempts – Login Lockdown. Do you think something like that is worthwhile and can the same thing be done through the htaccess file?
See what you get for disagreeing with me – twenty questions ;-)
stratosg says
I like getting questions :P So TrueCrypt basically can work by creating a file that it can mount as a drive. That file is strongly encrypted. Now, the username does matter of course but if your password is secure it is highly unlikely that someone will get in. So making your life harder with a “hard” username as well is not necessary. Finally on the lockdown one, it sounds pretty reasonable but again, if your password is secure the attacker probably won’t make his way in. So, the only consideration in case of an attack is bandwidth, CPU and memory. That is definitely not the plugin’s job to take care of but Apache’s and your firewall’s.
As you can see I am a pain in the butt :P Almost never mainstream :)
stratosg’s last blog post – Make your #FollowFriday easy!
Kim Woodbridge says
Hi Stratos – Thanks! And you’re not a pain ;-)
Natural says
You are right Kim. I didn’t change my password after I gave it to you, probably cause I trust you and should anything go wrong, well I know who to blame. :) I don’t lose sleep at night over who has my password. You’re the only one. I probably won’t be changing it after this post either. :)
If hackers go in and mess it up, I might be mad, but my hosting company should have a backup and I make my own, sometimes.
I have a client that doesn’t change passwords either, they keep what I give them and I never ever ever sign back into their account or mail unless they tell me to.
Natural’s last blog post – My Two Left Feet
Kim Woodbridge says
Hi Valerie – I didn’t really mean people like you. For people that I have a relationship with it would actually annoy me if they kept changing my login. But I have done work for people one time that don’t really know me from anyone else and they don’t change the login after giving it to me – that’s way too trusting and foolish.
And I don’t log in unless I am asked to or need to do more work. But there are people out there who would.
Natural says
People just trust you, I guess.
I’ll be needing your services in the future probably with my forum and WP upgrade. :)
Natural’s last blog post – My Two Left Feet
Raju says
Wonderful article, Kim. In addition to whatever you have said, one can also consider installing this small plugin – “Login Lockdown” – which locks out the user from logging in if he repeatedly tries logging in using some sort of “brute force” method.
Raju’s last blog post – 15 Free Tools to Estimate the Value of a Website
Kim Woodbridge says
Hi Raju – I just asked Stratos what he thinks about Login Lockdown ;-)
Thanks!
Armen says
I’ve been reading this a lot lately, but stratosg might have a point.
Whatever the case, if you do change your username as a security measure, make sure the name displayed with your posts is not the same as your login username. That would defeat the purpose.
Armen’s last blog post – Dusk WordPress Theme
Kim Woodbridge says
Hi Armen,
That is a very good point. I was going to mention that in the article but felt I was getting too much into template edits. I would hope that most templates use author_name or author_nickname rather than author_login.
And Stratos makes a very good point. If I change the username to Kim and the password to Kim123, I might as well have just left it as admin.
Dennis Edell says
Nicely done Kim, simple yet concise. There are also many good security related plugins as well; not just for failed logins, if anyone is curious.
Dennis Edell’s last blog post – Understanding The New Rules Of SEO
Kim Woodbridge says
Hi Dennis – Thanks! There are a number of plugins for security. I suppose that could be another article ;-)
Chinese Girl says
I think you should never keep the ftp and MySQL usernames the same as the WP login. My blog has been hacked twice in the past, but I restored everything within a few hours as the hacker only changed the front page. You do not have to remember or retype the ftp and MySQL passwords often, so you can make them as long as you want.
Chinese Girl’s last blog post – Photo Hangzhou Yellow Dragon Cave Dressed in Green
Kim Woodbridge says
Hi – I completely agree – all of those passwords should be different.
I had an old site hacked but it wasn’t WordPress. My host kicked me off the server – no discussions. I remember it happened on Valentine’s Day that year – it was a horrible day.
Sommer says
Okay, I know you are yelling at me through the computer because I am soooo guilty of this. So guilty but your post got to me and so the changes have been made. I am so proud of myself.
Sommer’s last blog post – Think Green Giveaway
Kim Woodbridge says
Hi Sommer – I’m scolding a number of people. ;-) I’m so glad you made the changes :-)
Gennaro says
Important tips. Will use them. I try to change my password regularly along with keeping different passwords for different aspects of the site.
Gennaro’s last blog post – United To Charge Large Fliers Double
Kim Woodbridge says
Hi Gennaro – It’s hard to change passwords often though, isn’t it? I start to get confused. ;-)
Carla says
Thanks for the advice. I have always wondered about WordPress security too.
Carla’s last blog post – Giveaway: Skinny Skinny Organic Soap and Body Oils
Kim Woodbridge says
Hi Carla – I’m so glad you stopped by :-) I am so behind on visiting everyone’s site and I kept saying to myself, “go see what Carla is up to”.
Nihar says
Thanks for the important post. Every now and then one needs to take a look at the blog security and tighten it if it is not proper.
Nihar’s last blog post – Microsoft stops Main Stream Support for Windows XP & Office 2003
Kim Woodbridge says
Hi Nihar – Thanks. And like Stratos recommends it’s good practice to change our passwords frequently.
Ajith Edassery says
I usually never keep ‘admin’ or something similar to admin as the user name. However, you are right in saying that usually almost all passwords are the same :LOL: . Probably, just like the case with the workplace network passwords, they should enforce password changes once in a while. WordPress should incorporate these alerts (another plugin idea?)
It’s good that you have some tips for your direct clients as well :P
And as Jim said, the pic is really funny.
Ajith Edassery’s last blog post – Latest innovation from Google Labs – News Timeline
Kim Woodbridge says
Hi Ajith – The place I currently work forces us to change our passwords every three months. It’s annoying but it’s a good practice. Most people use the same one and then put @ at the end rather than !
Yeah – that’s quite a firewall in the photo ;-)
Harsh Agrawal says
Kim, I agree with you. Changing your user name is the first thing I will suggest anyone do for the first time. Now coming to the password issue, I will suggest using KeePass or the Xmarks Firefox plugin.
Harsh Agrawal’s last blog post – Step by step guide to Install self hosted wordpress blog
Kim Woodbridge says
Hi Harsh – I am familiar with Keepass but not xmarks – thanks for the info – I’ll look into it.
John Hoff - WpBlogHost says
Hi Kim, excellent article – found you through Barbara’s blog. I’ve been preaching to WordPress users for some time about security issues.
I do have to say, though, I completely disagree with stratosg in that changing your username is not important. I understand his point, but remember, nothing is foolproof. The best we can do is create multiple layers of protection.
Can anyone honestly say they know every possible attack out there and that none of them really care what your username is? No, of course not.
Also, you never know what new programs to hack your site will pop up next. Right now the easiest way to crack someone’s password is to “guess” the username is “admin” and then brute force attack the password. If the right combo is found, they gain access. (actually, the easiest way is to get into your database)
These programs are getting better every day. People who use these programs know that difficult passwords are hard to crack. So what do they do? Develop smarter, faster programs. Will you be prepared?
Your logic is right on. Create multiple layers of protection.
As for maintaining the multiple usernames and passwords, the easiest program I’ve found out there to use is RoboForm. Really nice and easy program.
I also highly recommend the Login Lockdown plugin. Get it and use it. Why not? I don’t believe there are any .htaccess codes out there which can mimic it, but who knows.
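The lockout mechanism debated above (Kim’s question, stratosg’s reply, and Raju’s and John’s recommendations), written out as an added Python model; it is not the Login Lockdown plugin’s code and not from any commenter, and the thresholds, IP addresses and event timings are constructed.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Per-IP failed-login throttle of the kind the Login Lockdown plugin provides.
    After max_failures failures within `window` seconds the IP is locked out for
    `lockout` seconds. The thresholds are assumed, not taken from the plugin."""

    def __init__(self, max_failures=5, window=300, lockout=3600):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unix time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Count a failed attempt; returns True if it triggered a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)  # a real login clears the counter


def process_events(events, throttle):
    """Replay (timestamp, ip, outcome) login events; returns one decision each."""
    decisions = []
    for ts, ip, outcome in events:
        if throttle.is_locked(ip, ts):
            # Rejected before the password is checked: the CPU for hashing is
            # saved, though the request still costs bandwidth, as stratosg notes.
            decisions.append((ts, ip, "rejected: locked out"))
        elif outcome == "fail":
            tripped = throttle.record_failure(ip, ts)
            decisions.append((ts, ip, "lockout started" if tripped else "failure counted"))
        else:
            throttle.record_success(ip)
            decisions.append((ts, ip, "login ok"))
    return decisions


# Constructed events: 203.0.113.7 guesses passwords for "admin" every few
# seconds; 198.51.100.2 is the owner, who mistypes once and then gets in.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "fail"), (3, "203.0.113.7", "fail"), (5, "198.51.100.2", "fail"),
    (6, "203.0.113.7", "fail"), (9, "203.0.113.7", "fail"), (12, "203.0.113.7", "fail"),
    (14, "198.51.100.2", "ok"), (15, "203.0.113.7", "fail"), (3700, "203.0.113.7", "fail"),
]
```

Because the counter is per IP, a guessing run spread across many addresses stays under the threshold; that is why the lockout complements, rather than replaces, a strong password.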
Kim Woodbridge says
Hi John,
Thanks for visiting and commenting. I tend to agree with changing the username but Stratos knows a lot more about security than I do. I think his point about using admin with a really difficult password as opposed to an easy username and password is valid though. And I know I don’t change my password often enough.
Alwin Chuah says
I have just posted a blog post describing how we can prevent hackers from hacking the IDs
Alwin Chuah’s last blog post – WordPress blog does not block multiple ID attempts.
Kim Woodbridge says
Hi Alwin – Thanks for sharing the article. Login Lockdown does seem like a useful plugin for WordPress security.
Barry says
Hello,
My website runs on WordPress; someone made a buyout offer. Does this mean WordPress gets a share in court?
Really great post, enjoyed reading it. Thanks,
Barry
Kim Woodbridge says
Hi Barry – As far as I know you can sell the site.