I probably log in to 5 different WordPress sites every day and I’m becoming concerned about the lack of login security being used by clients. The username is admin, the passwords are words that aren’t hard to guess, the same password is used for WordPress, FTP and the MySQL database, and they don’t change the login after I have completed working on the site.
So, this post is going to be a gentle nag and is going to include a couple of basic security tips.
You’re probably thinking: why would anyone want to hack into my WordPress site? Why would they want my parenting, WordPress, or green-living articles? Well, the hackers don’t really want that data. And you can’t really apply standard logic to what hackers do and don’t do. For most of them, the success of the hack is what matters – not what they are gaining access to.
And if they are able to get server-level access they will be able to install nefarious programs that will get you kicked off your web host permanently. I’ve been there – years ago – but that is probably a subject for another post, as the security problem had nothing to do with WordPress.
Anyway, here are my tips for your WordPress login.
- Change the username. I’d say 80% of the usernames I am given for WordPress are admin. Just change it – you don’t have to have the username admin to have administrator-level access. And if you leave it as admin, you’ve made the hacker’s job 50% easier. You can even change the username after you’ve been using it for a long time:
  - Create a new user with Admin-level privileges.
  - Log out and then log in with the newly created username and password.
  - Delete the admin account. You will be asked what to do with the posts by that username. You can delete them all, which I don’t recommend doing ;-), or attribute them to the newly created user.
- When you make a new username you don’t have to make it anything incredibly difficult but please don’t use your name, your child’s name or your site name. I use a name that means something to me but isn’t easily associated with me.
- Make your password hard and remember it. You can rely on your browser’s remembered-password feature, but if you lose those settings, you will lose your password. Don’t use your name, your child’s name or your site’s name. Don’t use the same password that you use for your hosting account. If you do, that means the same password is being used for WordPress, FTP and probably your cPanel. You can create a secure password using a random password generator.
- After I work on your site, change the login. If I am going to be working on your site on an ongoing basis, create an account for me. Don’t have me use the same one that you do. Recently I randomly tested some old logins from a site I worked on once or twice and the login was still valid. Fortunately for them, I’m not an evil person ;-)
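The create-new-admin, switch, delete-old-admin steps above can also be scripted instead of clicked through. This is an added example, not code from the post; it uses the core WordPress `wp/v2/users` REST endpoint with HTTP Basic auth via an Application Password (available since WordPress 5.6) and assumes the `username` field is returned with `context=edit` and that `DELETE /users/<id>` requires `force=true` plus `reassign`. The `FakeWordPress` class, the site URL, the usernames and the passwords are all constructed so the example runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request


class WPClient:
    """One authenticated caller of the core wp/v2 users endpoint (HTTP Basic auth
    with an Application Password, which WordPress has shipped since 5.6)."""

    def __init__(self, base_url, login, app_password, transport=None):
        self.base = base_url.rstrip("/") + "/wp-json/wp/v2"
        token = base64.b64encode(f"{login}:{app_password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        # transport(method, url, headers, body) -> decoded JSON; real HTTP unless overridden
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, self.base + path, self.headers, body)

    def find_user(self, login):
        # context=edit is needed for the 'username' (login name) field to be included
        query = urllib.parse.urlencode({"search": login, "context": "edit"})
        for user in self._call("GET", f"/users?{query}"):
            if user.get("username") == login:
                return user
        return None

    def create_admin(self, login, email, password):
        payload = {"username": login, "email": email, "password": password,
                   "roles": ["administrator"]}
        return self._call("POST", "/users", payload)

    def delete_user(self, user_id, reassign_to):
        # DELETE /users/<id> is rejected unless force=true and reassign are both present
        query = urllib.parse.urlencode({"force": "true", "reassign": reassign_to})
        return self._call("DELETE", f"/users/{user_id}?{query}")


def replace_admin_account(as_old, as_new, old_login, new_login, new_email, new_password):
    """Create the replacement administrator, then delete the old account and
    attribute its posts to the new one.  as_old is authenticated as the account
    being retired; as_new as the replacement (the 'log out, log back in' step)."""
    old = as_old.find_user(old_login)
    if old is None:
        raise LookupError(f"no user named {old_login!r}")
    new = as_old.create_admin(new_login, new_email, new_password)
    result = as_new.delete_user(old["id"], reassign_to=new["id"])
    if not result.get("deleted"):
        raise RuntimeError(f"deleting user {old['id']} was not confirmed")
    return new["id"]


class FakeWordPress:
    """Constructed in-memory stand-in for the users endpoint so the example runs offline."""

    def __init__(self):
        self.users = {1: {"id": 1, "username": "admin"}}
        self.posts = {10: {"id": 10, "author": 1}, 11: {"id": 11, "author": 1}}
        self.next_id = 2

    def transport(self, method, url, headers, body):
        parsed = urllib.parse.urlparse(url)
        params = dict(urllib.parse.parse_qsl(parsed.query))
        path = parsed.path.split("/wp-json/wp/v2", 1)[1]
        if method == "GET" and path == "/users":
            return [u for u in self.users.values() if params["search"] in u["username"]]
        if method == "POST" and path == "/users":
            user = {"id": self.next_id, "username": json.loads(body)["username"]}
            self.users[self.next_id] = user
            self.next_id += 1
            return user
        if method == "DELETE" and path.startswith("/users/"):
            uid = int(path.rsplit("/", 1)[1])
            for post in self.posts.values():  # reassign, as WordPress does
                if post["author"] == uid:
                    post["author"] = int(params["reassign"])
            return {"deleted": True, "previous": self.users.pop(uid)}
        raise ValueError(f"unexpected request {method} {url}")


def demo():
    """Run the procedure against the fake site; returns (new id, remaining logins, post authors)."""
    site = FakeWordPress()
    as_admin = WPClient("https://example.invalid", "admin", "old-app-password", site.transport)
    # On a real site the new account's credentials are obtained after it exists;
    # the fake does not check authentication, so they are constructed up front.
    as_new = WPClient("https://example.invalid", "wrenfield", "new-app-password", site.transport)
    new_id = replace_admin_account(as_admin, as_new, "admin", "wrenfield",
                                   "owner@example.invalid", "Tq7!vR-pL2xZ.9mNb")
    logins = sorted(u["username"] for u in site.users.values())
    return new_id, logins, {pid: p["author"] for pid, p in site.posts.items()}
```

The two-client split is deliberate: the delete call is made as the new administrator, which is the API equivalent of logging out and back in as the new user before removing the old account, and the `reassign` parameter is what keeps the old account's posts from being deleted along with it.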
OK, that’s it – lecture is over. Don’t wait until the damage has already been done before taking my advice into consideration.
Here is an article from The Blog Herald about password security and the most commonly used passwords. Does yours fall among the most common?
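For the password advice above (use a random generator; avoid your own, your child's and your site's names; don't reuse the hosting, FTP or cPanel password; stay off the most-common list), here is an added example, not code from the post, that generates a password from the OS random source and audits an existing one against those rules. The `COMMON_PASSWORDS` set is a constructed stand-in for a published most-common-passwords list, and the minimum length and character-class thresholds are my assumptions, not figures from the post.

```python
import secrets
import string

# Constructed stand-in for a published most-common-passwords list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein",
                    "monkey", "iloveyou", "admin", "welcome", "dragon", "trustno1"}

SYMBOLS = "-_.!?@#%"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_password(length=20):
    """Random password from the OS CSPRNG with at least one character of each class."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(group) for group in CLASSES]      # one of each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # hide the class positions
    return "".join(chars)


def audit_password(password, personal_words=(), other_passwords=None, common=COMMON_PASSWORDS):
    """Return the list of reasons a password fails the post's advice (empty = passes).

    personal_words: names the post says to avoid (yours, your child's, your site's).
    other_passwords: {label: password} for accounts that must not share it
    (hosting, FTP, cPanel, MySQL); compared in plaintext, so use it on your own secrets only."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:                      # assumed minimum, not from the post
        problems.append("shorter than 12 characters")
    if lowered in common:
        problems.append("appears in the common-passwords list")
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains {word!r}")
    for label, other in (other_passwords or {}).items():
        if password == other:
            problems.append(f"same password as {label}")
    present = sum(any(c in group for c in password) for group in CLASSES)
    if present < 3:                             # assumed threshold, not from the post
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    return problems


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, audit_password(candidate, ["Lucy", "greenliving"]))
    print(audit_password("Lucy-Bakes-Cookies99", ["Lucy"]))
```

Run it once to get a fresh password, or call `audit_password` on the one you already use, passing the names you would be tempted to build it from and the passwords of your hosting, FTP and cPanel accounts so that reuse is caught as well.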
photo credit: lloydi