

  1. Davina says

    Hi Kim. More good advice. Thank you. I just had some additional security features installed on my blog, but this is not something I had considered. One cannot be too careful. My passwords are so complicated though, I don’t trust even myself to remember them. They’re stored under lock and key.

    Davina´s last blog post – The Morning Muse — Photo Story

    • Kim says

      Hi Davina – LOL on not being able to remember your passwords. There are a lot more things that can be done to secure WordPress but I just wanted to start with the most basic.

  2. Sire says

    Kim this makes a heck of a lot of sense, and I’m not saying that I am one of those that uses admin as my user name, and I’m not saying that I don’t, but one thing is for sure I’m going to make sure whatever I have been using, it’s not going to be admin.

    Sire´s last blog post – Blogging As A Source Of Information

  3. Jim says

    hahahahaha. I love that picture!

    I don’t have any nearly as bad as the ones on the article you linked to but I always feel my passwords aren’t strong enough. I need to go back and fix a couple and this article is a good reminder. :-)

  4. Jill says

    Passwords are a nightmare. If you’re at all active on the web, you quickly find a need for dozens of the things – what with blogs and social networks and feed aggregators. And who can remember them all? I use 1password, which allows me to store all my login info. Then I’m not afraid to make unique logins for every site I use and truly hard passwords (it includes a password generator) because I don’t have to worry about forgetting them.

  5. Kim says

    Hi Jill,

    I’m not familiar with that site – do you think it’s safe? I’ve found a password protected spreadsheet of logins works pretty well – then you only have to remember one password but you have to make sure it’s a really secure one and that you actually do remember it.

  6. Stratos says

    Well Kim, I will have to disagree. Here is why. You don’t have to change the default username from “admin” to something else. You just have to have a secure password. And by saying secure I mean s-e-c-u-r-e. More than 8 characters long, mixed with numbers, lower and upper case letters, and of course, special symbols. If you do that, a hacker’s chance of a brute force attack is more than slim, it’s actually undoable. Why give me a hard time with a username like “sguser” or something like that. Not necessary. I’ve been reading all over the blogosphere about changing the login username and guess what, mine is “admin”! The security lies on a lethal combination, username “admin” and password “george1234”. I remember telling you that I read once “passwords are like underwear, they are personal and they need to be changed often”. As for storing the passwords here is what I recommend. Use a program like truecrypt and store the passwords in an AES encrypted file. This way, even if you lose your flash drive it will be useless to everybody ;) But I must agree with your nagging. People are careless with their passwords and the security of their websites in general until they find themselves hacked and lose content. But, then again, it’s already late…

    • Kim says

      Hi Stratos,

      So if the password is unhackable, it doesn’t matter what the username is.

      I was looking at Truecrypt – can it be used with just one file or is it for directories and drives?

      A couple of people have mentioned the plugin that locks a user out after a certain number of failed login attempts – Login Lockdown. Do you think something like that is worthwhile and can the same thing be done through the htaccess file?

      See what you get for disagreeing with me – twenty questions ;-)

      • stratosg says

        I like getting questions :P So truecrypt basically can work by creating a file that it can mount as a drive. That file is strongly encrypted. Now, the username does matter of course but if your password is secure it is highly unlikely that someone will get in. So making your life harder with a “hard” username as well is not necessary. Finally on the lockdown one, it sounds pretty reasonable but again, if your password is secure the attacker probably won’t make his way in. So, the only consideration in case of an attack is bandwidth, CPU and memory. That is definitely not the plugin’s job to take care of but apache’s and your firewall’s.
        As you can see I am a pain in the butt :P Almost never mainstream :)

        stratosg´s last blog post – Make your #FollowFriday easy!
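Stratos's rule (more than 8 characters, mixing numbers, lower and upper case letters and special symbols) and the brute-force argument behind it can be checked with a short script. This is an added example, not code from the post or from any commenter; the sample passwords and the guess rates are assumptions chosen to illustrate the arithmetic, and the keyspace estimate assumes the attacker already knows the length and character classes (the most favourable case for the attacker).

```python
import string

# Character classes named in Stratos's rule.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def character_classes(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def meets_policy(password, min_length=9):
    """Stratos's stated rule: more than 8 characters and all four classes present."""
    return len(password) >= min_length and character_classes(password) == set(CLASSES)

def search_space(password):
    """Number of candidates an attacker must try if they know only the
    length and the classes used (alphabet size to the power of the length)."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)

def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Assumed rates: an online attack against wp-login.php is throttled by the
    # web server to a handful of guesses per second; an offline attack on a
    # stolen password hash can run many orders of magnitude faster.
    ONLINE, OFFLINE = 10, 1e10
    for pw in ("george1234", "Tr0ub4dor&3"):
        print(f"{pw!r}: classes={sorted(character_classes(pw))} "
              f"policy={'ok' if meets_policy(pw) else 'FAIL'} "
              f"space={search_space(pw):.2e} "
              f"online={years_to_exhaust(pw, ONLINE):.0f}y "
              f"offline={years_to_exhaust(pw, OFFLINE):.3f}y")
```

Ten lower-case letters and digits give a 36^10 keyspace, which an offline attacker at ten billion guesses a second exhausts in a few days, while eleven characters drawn from all four classes give 94^11, which is about a million times larger. A known username such as "admin" removes the username from the search entirely, which is why the thread keeps coming back to the password's strength as the deciding factor.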

  7. Natural says

    you are right kim. i didn’t change my password after i gave it to you, probably cause i trust you and should anything go wrong, well i know who to blame. :) i don’t lose sleep at night over who has my password. you’re the only one. i probably won’t be changing it after this post either. :)

    if hackers go in and mess it up, i might be mad, but my hosting company should have a backup and i make my own, sometimes.

    i have a client that doesn’t change passwords either, they keep what i give them and i never ever ever sign back into their account or mail unless they tell me to.

    Natural´s last blog post – My Two Left Feet

    • Kim says

      Hi Valerie – I didn’t really mean people like you. For people that I have a relationship with it would actually annoy me if they kept changing my login. But I have done work for people one time that don’t really know me from anyone else and they don’t change the login after giving them to me – that’s way too trusting and foolish.

      And I don’t log in unless I am asked to or need to do more work. But there are people out there who would.

  8. Armen says

    I’ve been reading this a lot lately, but stratosg might have a point.

    Whatever the case, if you do change your username as a security measure, make sure the name displayed with your posts is not the same as your login username. That would defeat the purpose.

    Armen´s last blog post – Dusk WordPress Theme

    • Kim says

      Hi Armen,

      That is a very good point. I was going to mention that in the article but felt I was getting too much into template edits. I would hope that most templates use author_name or author_nickname rather than author_login.

      And Stratos makes a very good point. If I change the username to Kim and the password to Kim123, I might as well have just left it as admin.

  9. Chinese Girl says

    I think you should never keep ftp and mysql user name the same with wp login, my blog has been hacked twice in the past but I restored everything within few hours as the hacker only changed the front page. you do not have to remember or retype ftp and mysql password often so you can make it as long as you want.

    Chinese Girl´s last blog post – Photo Hangzhou Yellow Dragon Cave Dressed in Green

    • Kim says

      Hi – I completely agree – all of those passwords should be different.

      I had an old site hacked but it wasn’t WordPress. My host kicked me off the server – no discussions. I remember it happened on Valentine’s Day that year – it was a horrible day.

  10. Sommer says

    Okay, I know you are yelling at me through the computer because I am soooo guilty of this. So guilty but your post got to me and so the changes have been made. I am so proud of myself.

    Sommer´s last blog post – Think Green Giveaway

    • Kim says

      Hi Carla – I’m so glad you stopped by :-) I am so behind on visiting everyone’s site and I kept saying to myself -“go see what Carla is up to”.

  11. Ajith Edassery says

    I usually never keep ‘admin’ or something similar to admin as the user name. However, you are right in saying that usually almost all passwords are same :LOL: . Probably, just like the case with the workplace network passwords, they should enforce password changes once in a while. WordPress should incorporate these alerts (another plugin idea?)

    It’s good that you have some tips for your direct clients as well :P

    And as Jim said, the pic is really funny.

    Ajith Edassery´s last blog post – Latest innovation from Google Labs – News Timeline

    • Kim says

      Hi Ajith – The place I currently work forces us to change our passwords every three months. It’s annoying but it’s a good practice. Most people use the same one and then put @ at the end rather than !

      Yeah – that’s quite a firewall in the photo ;-)

  12. John says

    Hi Kim, excellent article – found you through Barbara’s blog. I’ve been preaching to WordPress users for some time about security issues.

    I do have to say, though, I completely disagree with stratosg in that changing your username is not important. I understand his point, but remember, nothing is foolproof. The best we can do is create multiple layers of protection.

    Can anyone honestly say they know every possible attack out there and that none of them really care what your username is? No, of course not.

    Also, you never know what new programs to hack your site will pop up next. Right now the easiest way to crack someone’s password is to “guess” the username is “admin” and then brute force attack the password. If the right combo is found, they gain access. (actually, the easiest way is to get into your database)

    These programs are getting better every day. People who use these programs know that difficult passwords are hard to crack. So what do they do? Develop smarter, faster programs. Will you be prepared?

    Your logic is right on. Create multiple layers of protection.

    As for maintaining the multiple usernames and passwords, the easiest program I’ve found out there to use is RoboForm. Really nice and easy program.

    I also highly recommend the Login Lockdown plugin. Get it and use it. Why not? I don’t believe there are any .htaccess codes out there which can mimic it, but who knows.

    • Kim says

      Hi John,

      Thanks for visiting and commenting. I tend to agree with changing the username but Stratos knows a lot more about security than I do. I think his point about using admin with a really difficult password as opposed to an easy username and password is valid though. And I know I don’t change my password often enough.
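Kim asked earlier whether the Login Lockdown behaviour (locking a client out after a number of failed logins) could be reproduced with .htaccess, and John recommends the plugin again above. Apache's core directives do not keep a per-client failure counter, so the logic has to live in something that sees the login results. The script below is an added example, not code from the plugin or the post, showing that logic run over a constructed log of wp-login attempts; the log format, thresholds and addresses are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login attempts (not real log data). One line per
# attempt: timestamp, client address, attempted username, result.
SAMPLE_LOG = """\
2009-03-01T10:00:01 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:00:03 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:00:04 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:00:06 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:00:09 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:00:10 ip=203.0.113.5 user=admin result=fail
2009-03-01T10:05:00 ip=198.51.100.7 user=kim result=fail
2009-03-01T10:05:20 ip=198.51.100.7 user=kim result=success
2009-03-01T11:30:00 ip=203.0.113.5 user=admin result=fail
"""

def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def lockout_events(log_text, max_failures=5, window=timedelta(minutes=5),
                   lockout=timedelta(hours=1)):
    """Replay the log and return (time, ip, user) for every lockout triggered.

    A client is locked out once it accumulates max_failures failed attempts
    inside a sliding window; attempts made while locked out are rejected and
    not counted, and a successful login clears the client's failure history.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> datetime the lockout expires
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip, ts = rec["ip"], rec["ts"]
        if ip in locked_until and ts < locked_until[ip]:
            continue                # still locked out: reject without counting
        if rec["result"] == "success":
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if len(recent) >= max_failures:
            locked_until[ip] = ts + lockout
            events.append((ts, ip, rec["user"]))
            recent.clear()
    return events

if __name__ == "__main__":
    for ts, ip, user in lockout_events(SAMPLE_LOG):
        print(f"{ts.isoformat()} locked out {ip} after repeated failures as {user!r}")
```

In the sample the fifth failure from 203.0.113.5 triggers a one-hour lockout at 10:00:09, the sixth attempt a second later is ignored, and the single failure at 11:30 starts a fresh count because the lockout has expired. As Stratos notes, this does nothing about the bandwidth and CPU the rejected requests still consume; that part belongs to the web server and firewall.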

  13. says

    My website runs on WordPress; Someone made a buyout offer. Does this mean WordPress gets a share in court?
    Really great post, enjoyed reading it. Thanks,

