The blogging web was rudely awakened to the security issues around running a (self-hosted) WordPress blog last week, as a botnet with 90.000 IP addresses at its disposal tried to hack every WordPress site it could find.
Matt Mullenweg has three tips – and this post is about the first and hardest one to implement:
- Change your ‘admin’ username (default username on older WordPress installs) to something less common.
- Make sure your password is labelled ‘strong’ by the software itself.
- Make sure WordPress is updated to the latest version.
So how do you change the admin username? Well – you go into the database.
Actually, once you feel comfortable doing that, changing the username in the database is not really all that hard. However, getting in without feeling intimidated is perhaps not for everybody. On most hosts it involves going to a separate URL, using different login details from the ones you’re used to, and so on.
I’ve just done it on most of my blogs, as WP Engine makes it easy to access the databases of the blogs I have installed with them from their primary dash. However, on most hosts it’s way more hassle.
Here’s what I did on the few of my blogs that are NOT hosted with WP Engine:
- Log into WordPress with my admin account.
- Add a new user with a not so generic name. All you’ll need are:
  - Username (doesn’t matter which – as long as you make sure you keep track of it. Anything is less common and harder to guess than ‘admin’).
  - Password (do use a tough one to crack. ‘password’ is definitely off, for instance. Again: keep a record for yourself).
  - A different email address from the one you used for your admin account. Personally I have several email addresses that all end up in my gmail account, but your mileage may vary.
- Give that user administrator privileges.
- Log out as the ‘admin’ user.
- Log in as the new user.
- Go to ‘Users’ in your dashboard.
- Change the privileges of the ‘admin’ user to anything other than ‘administrator’.
To make things look good on the front end, make sure your new user has a display name that makes sense, probably the same as the previous one.
Note that this method only works when you don’t really care that your posts will now be assigned to two different users. You may want to delete the former admin user altogether. WordPress will ask what you want to do with the posts and you can reassign them to the new account.
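For comparison, here is the database route the post mentions at the top, written out as an added example (not the author’s or WordPress’s own code): the `UPDATE` on `wp_users` that renames the login in place, run here against a constructed SQLite copy of the two relevant tables so it works offline. The same statement applies to a real MySQL install; the `wp_` table prefix and the sample rows are assumptions. Because the row keeps its ID, posts stay attached and the reassignment step at the end of the list above is not needed.

```python
import sqlite3

# Constructed miniature of two WordPress tables (sample rows, not a real site).
# Assumes the default 'wp_' table prefix; check $table_prefix in wp-config.php.
SCHEMA = """
CREATE TABLE wp_users (
    ID            INTEGER PRIMARY KEY,
    user_login    TEXT NOT NULL UNIQUE,
    user_nicename TEXT NOT NULL
);
CREATE TABLE wp_posts (
    ID          INTEGER PRIMARY KEY,
    post_author INTEGER NOT NULL,
    post_title  TEXT NOT NULL
);
INSERT INTO wp_users VALUES (1, 'admin', 'admin');
INSERT INTO wp_posts VALUES (10, 1, 'Hello world!');
INSERT INTO wp_posts VALUES (11, 1, 'Second post');
"""

def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def has_default_admin(conn: sqlite3.Connection) -> bool:
    """Audit check: does an account whose login is 'admin' still exist?"""
    return conn.execute("SELECT 1 FROM wp_users WHERE user_login = 'admin'").fetchone() is not None

def rename_user(conn: sqlite3.Connection, old_login: str, new_login: str) -> int:
    """Rename a login in place (the database route). The row keeps its ID, so posts it
    authored stay attached and nothing needs reassigning. user_nicename is changed too:
    it appears in author archive URLs (/author/<nicename>/) and would keep the old name."""
    if not new_login or new_login.lower() == "admin":
        raise ValueError("new login must be non-empty and not 'admin'")
    if conn.execute("SELECT 1 FROM wp_users WHERE user_login = ?", (new_login,)).fetchone():
        raise ValueError(f"login {new_login!r} is already taken")
    cur = conn.execute("UPDATE wp_users SET user_login = ?, user_nicename = ? WHERE user_login = ?",
                       (new_login, new_login, old_login))
    conn.commit()
    return cur.rowcount  # 1 when the old login was found, 0 otherwise

def posts_by_login(conn: sqlite3.Connection, login: str) -> list:
    """Titles of posts attributed to a login, to confirm authorship survived the rename."""
    rows = conn.execute("SELECT p.post_title FROM wp_posts p JOIN wp_users u ON u.ID = p.post_author "
                        "WHERE u.user_login = ? ORDER BY p.ID", (login,)).fetchall()
    return [title for (title,) in rows]
```

Take a database backup before running the `UPDATE` on a live site; your current login session is tied to the old username, so log in again with the new name afterwards.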