WordPress Best Practices, Part One: Security through obscurity and the WordPress admin username

by Paul on August 29, 2011

In the latest State of the Word address, we learned that the adoption of WordPress in 2011 is pretty incredible.

The introductory paragraph alone should get your attention – more than 1/5 of all new domains in the US are running on WordPress.

That’s a lot of WordPress out there. WordPress is easy to install, no doubt, but is it as easy to maintain?

Yes, when you know what you’re doing and cover all your bases, but unfortunately not everyone knows what they’re doing.

In this series of articles I’m going to provide quick notes for the novice and intermediate WordPress user that will serve as a checklist for WordPress maintenance and best practices.

Change the WordPress Admin username

If your WordPress administrator username is ‘admin’, it’s a good idea to change it.

Why?

Obscurity. The default administrator username for WordPress is ‘admin’, which means that automated attacks designed against WordPress websites will simply assume you’re using the ‘admin’ account name.

This alone won’t prevent your site getting hacked, but it’ll lower your chances. Security is about minimizing risk and exposure to that risk.

There are two ways to change your admin username. The first set of instructions below is for when you don’t want to touch the database but do it all on the WordPress front end. The second is a bit more advanced, but not difficult!

Change the WordPress admin username using only WordPress

This approach works simply by creating a new administrator account, and removing the old. In the process, you assign all posts/content of the old admin account to the new one so nothing is lost. Pay careful attention to step 8.

  1. (logged in as admin) Under the ‘Users’ menu click ‘Add New’
  2. Fill in the necessary fields to create the new user
  3. Set the role at the bottom of this form to ‘Administrator’
  4. Log out of the WordPress ‘admin’ account
  5. Log in using the new administrator account you just created.
  6. Click the ‘Users’ menu
  7. Find the old ‘admin’ user account and hover over the name. Click the ‘delete’ link that will appear beneath it.
  8. On the page that follows, ensure that you select the option ‘Attribute all posts and links to:’ and select the new administrator username/account.
  9. When you are absolutely certain you have selected to attribute posts, click the button ‘Confirm Deletion’.

Change the WordPress admin username using phpMyAdmin

This is a little more advanced than the previous approach, but is much cleaner.

  1. Launch the phpMyAdmin tool (should be provided with nearly all modern web hosting accounts)
  2. Locate and click on the left-hand side the database that represents your WordPress site (if you’re unsure, open the file wp-config.php and locate the line that reads: define ('DB_NAME', '...'). Your database name is the second field beside DB_NAME).
  3. The items on the left-hand column will change to display the tables within the database. Locate and click on the table wp_users. Note that if you’ve installed WordPress using a different table prefix, the table you will want is ‘myprefix_users’.
  4. On the right-hand window pane, locate the row that has ‘admin’ under the ‘user_login’ column and click ‘edit’.
  5. In the following screen change the content of the field whose column name is ‘user_login’ to be the name of the administrator login name you’d prefer.
  6. Then click ‘Go’.
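What the phpMyAdmin edit above does under the hood is a single UPDATE on the users table. The script below is an added example (not from the original post) that runs that same statement against a constructed in-memory SQLite stand-in for wp_users, so you can see exactly which columns change. It also checks the new name against the characters WordPress’s own sanitize_user() accepts in strict mode (letters, digits, space, underscore, dot, hyphen and @) and the 60-character limit of the user_login column, both assumptions taken from WordPress core rather than from this post. The point worth noticing: renaming user_login leaves user_nicename and display_name untouched, and WordPress builds author archive URLs from user_nicename, so those two need a second edit (the display name tweak described further down covers one of them).

```python
import re
import sqlite3

# Constructed stand-in for the wp_users table (only the columns that matter here).
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL,
    user_nicename TEXT NOT NULL,
    display_name TEXT NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, "admin", "admin", "admin"),            # the default account this post is about
    (2, "jane.editor", "jane-editor", "Jane"),  # an unrelated user, must be left alone
]

# Character set and length accepted by WordPress's sanitize_user($name, true) (assumption).
LOGIN_RE = re.compile(r"^[A-Za-z0-9 _.\-@]{1,60}$")
PROFILE_COLUMNS = ("user_login", "user_nicename", "display_name")


def valid_login(name):
    """True if WordPress would accept name unchanged as a user_login."""
    return bool(LOGIN_RE.match(name))


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rename_admin_login(conn, new_login, prefix="wp_"):
    """The phpMyAdmin edit as SQL: change user_login on the 'admin' row only.
    Returns the number of rows changed (1 if an 'admin' row existed)."""
    if not valid_login(new_login):
        raise ValueError(f"{new_login!r} is not a valid WordPress login name")
    # prefix is the trusted table prefix from wp-config.php; the value goes in as a parameter.
    cur = conn.execute(
        f"UPDATE {prefix}users SET user_login = ? WHERE user_login = 'admin'",
        (new_login,),
    )
    conn.commit()
    return cur.rowcount


def columns_still_admin(conn, user_id=1, prefix="wp_"):
    """Which profile columns of the given user still read 'admin'."""
    row = conn.execute(
        f"SELECT user_login, user_nicename, display_name FROM {prefix}users WHERE ID = ?",
        (user_id,),
    ).fetchone()
    return [col for col, value in zip(PROFILE_COLUMNS, row) if value == "admin"]


def fix_nicename_and_display(conn, user_id, nicename, display_name, prefix="wp_"):
    """Second edit: the author slug and the public display name."""
    conn.execute(
        f"UPDATE {prefix}users SET user_nicename = ?, display_name = ? WHERE ID = ?",
        (nicename, display_name, user_id),
    )
    conn.commit()


if __name__ == "__main__":
    db = open_sample_db()
    print("rows renamed:", rename_admin_login(db, "site-owner"))
    print("still 'admin':", columns_still_admin(db))       # user_nicename, display_name
    fix_nicename_and_display(db, 1, "site-owner", "Paul")
    print("still 'admin':", columns_still_admin(db))       # []
```

Run the same UPDATE in phpMyAdmin’s SQL tab if you prefer typing to clicking; either way, re-run the SELECT afterwards and confirm that only the row you meant to touch has changed.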

And you’re done. You must now log in to the administrator section of WordPress using this new username. Speaking of logging in to WordPress as administrator…

One final tweak to this is to go into ‘Your Profile’ (under the ‘Users’ menu) and change your display name so it doesn’t display your username, but instead your first name, or second name, or both. Anything but your username.

Log into WordPress as Administrator only when you need to Administer

You should create a user that you will use everyday on your WordPress site that does not have administrator privileges.

If somehow your everyday account is compromised, only limited damage can be done to your site.

To do this, follow steps 1 to 3 of the first set of instructions above, but select ‘Editor’ as the role instead of ‘Administrator’. Use this account to create your posts and content, make comments on the site etc., and when you have administrative tasks to perform, log out as editor and back in as Administrator.

Secure your accounts with high quality passwords

This goes without saying, but oddly, it still needs to be said.  Work that one out.

Choose a good, strong password that’s at least 12 characters long. Throw in a punctuation character for good measure along the way.

If remembering difficult passwords is a pain in your butt, take the easy approach and sign up for a password manager tool. I personally use: LastPass.com. This will even import all your passwords from your web browser.

I also use LastPass on my browser to automatically generate random and complex passwords and then save them in the LastPass database. It’s easy!
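If you would rather see what a password manager’s generator is doing than trust it blindly, the script below is an added example (not from the original post) that produces a password meeting the rule given above (at least 12 characters, at least one punctuation character) using Python’s secrets module, and reports how much entropy that rule buys. The alphabet size and the rejection-sampling approach are my choices, not LastPass’s.

```python
import math
import secrets
import string

PUNCTUATION = string.punctuation                      # 32 characters
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION  # 94 characters
MIN_LENGTH = 12                                       # the post's rule


def meets_policy(password, min_length=MIN_LENGTH):
    """The post's rule: long enough and containing at least one punctuation character."""
    return len(password) >= min_length and any(c in PUNCTUATION for c in password)


def generate_password(length=16):
    """Draw each character uniformly with secrets.choice (a CSPRNG, unlike random.choice)
    and reject candidates that miss the policy, so the result stays uniform over
    the set of policy-compliant strings of that length."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw))
    print(f"{MIN_LENGTH} chars from {len(ALPHABET)} symbols: about {entropy_bits(MIN_LENGTH):.0f} bits")
```

Twelve characters drawn from this 94-symbol alphabet give roughly 78 bits, which is why the post’s length rule matters more than any single clever substitution; the punctuation requirement mostly stops people from quietly shrinking the alphabet back down to letters.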

The next step…

I’ve laid the steps out here as simply and as easy-to-follow as I can. Some would argue these steps are unnecessary, but I personally disagree.

The following articles in this series will build upon this and on each other to help you get your WordPress installation into a state that is easy to maintain and reduce your exposure risk to hacks and attacks.

Let me know what you think in the comments section below.
