WordPress Security – Admin Login
For those who are relatively new to WordPress and the administration section of a self-hosted WordPress blog, there is one great security tip that the majority of people will tell you right away: Ditch that Admin account ASAP!
Those who are not setting up a new blog but are still using the default ‘admin’ username (shame on you) should also look at changing this. I thought at first it might be hard to do and also have the potential to screw things up, but fear not, it is really simple to do. The following steps can be used by both new and veteran users of a self-hosted WordPress blog who are still using that default admin username account.
Step 1: Create A New User Account
That’s right, go into your Dashboard -> Users -> Add New. Fill out all the information as listed on the form. Make sure you select Administrator as the Role of this new account, though!
Step 2: Logout and Login with New Account
Log out of the default admin account and log in with your newly created account. Then go to Dashboard -> Users -> Authors & Users.
Step 3: Delete admin Account
Select the default admin account and choose Delete in the Bulk Actions menu. Ensure you only have the admin account selected, then click Apply.
You will be prompted by the screen shown above. Select the appropriate username to attribute all posts and links to. This ensures that your previous posts are not deleted and that your new account becomes the author of all your previous posts.
There you have it, 3 easy steps to secure your WordPress blog a bit more.
Why Do This?
Think of all the WordPress blogs out there. If you leave the default settings, you hand a potential attacker one known username to use in their attempt to gain access to your backend. Remove that account and you make it much harder for someone to try to password-crack the account you use to administer your WordPress blog. Yes, this isn’t a foolproof method, but it does make it a bit harder to attack your administrative account.
So please ditch that default admin account!
10 Comments
Feb 23, 2009 @ 15:28:19
A very important message Tyler.
There’s two layers to the security of your administration account: the first one is the username, the second one is the password. By using the default ‘admin’ name you’ve reduced that to a single layer.
I’d go further and say don’t use the same account for administration and for posting. Especially if you’re in the habit of posting from public machines or public wifi. Create a posting account in the editor or author role and use that for the everyday stuff.
Feb 23, 2009 @ 15:31:23
Great advice Jon! Didn’t think of creating a separate account for just doing posts etc.
I do hope people’s passwords are a bit harder to figure out. Alphanumeric etc!
Feb 23, 2009 @ 15:43:29
Not only does the second account improve your security, it also protects you from accidentally breaking something. And when you do deliberately login as the administrator, you’re more conscious of the ‘power’.
Agreed about the passwords. I use http://www.pctools.com/guides/password/ to generate really good random passwords. Of course the flaw in this scheme is I now need to write the password down or store it somewhere electronically – so now my password’s vulnerable to loss or theft.
Feb 23, 2009 @ 15:52:14
This does make sense. I was using an administrator account, but after reading this, I think I’ll go setup a couple new accounts, thanks for the advice.
Feb 23, 2009 @ 15:55:20
Thanks for the tip, just changed my login! I was wondering about this default admin thing in the past but never figured out a workaround.
New problem though, when I went into ‘authors & users’ I noticed about 100 users (spam type names). How did they get there and can I prevent this also? Thanks!!
Feb 23, 2009 @ 16:01:43
Never mind my previous comment, I think the problem stems from a BB Press forum I had integrated with my blog, but have since deleted because the only people registering were spammers!
Feb 23, 2009 @ 16:12:06
Was going to say that’s odd, but glad you solved it.
Feb 23, 2009 @ 16:14:33
Ya, I think that must be it. They weren’t even listed as ‘subscribers’ just said ‘none’. Deleted them all and hopefully no more appear! Thanks again for the post! Cheers
Feb 24, 2009 @ 14:07:12
Great post Tyler. I love the detailed how-to’s. I have been posting from a different account because I wanted to see my name instead of “admin” by my posts lol, but now I have deleted the original admin account. Thanks for spelling it all out.
Mar 1, 2009 @ 23:10:54
You should start a series of CSS editing
hehehehe