If you started blogging with WordPress before v3.0, or you installed 3.0 and didn’t take the advice to create a different user name, then there is an essential security step that you need to take. But it can be very difficult.
Hackers attacking your blog have to guess 2 attributes to gain access. First the user name and secondly the password. The thing is, get either wrong and you get the same error message, so you do not know which is wrong. Guessing both correctly at the same time is near impossible.
However, some people make the game very easy for hackers. Look at the screen print to the right. We can see from it that the site still has an Admin user, and a userid called Paul. Older versions of WordPress always set up the primary user as ‘Admin’, taking away the guessing game from hackers. Suddenly, getting into a WordPress admin area is only a fraction of the difficulty – you just need to guess the password.
There are 2 essential security steps that this blog needs to take. The first is to create a nickname for every userid that will hide the “Admin”. Call it Fred or whatever you want, just so that it does not give away the real userid.
The second step is getting rid of that Admin id. Now this can be a lengthy process. You have to create a new userid, move the posts from the Admin id to the new admin and then delete Admin. However, there is actually a much easier way to go about it.
Sign on as Admin and create a new userid. Give it a nickname that does not give away the userid and set it up as an administrator. This is going to be your main userid, so also allocate it your main email address (change the Admin email address to a dummy email address first, if needed).
Now sign on as that new administrator and look at the list of users. Edit Admin and look at its “Role”. It is Administrator now, so reduce it to the lowest level you can. Subscriber or Contributor – neither has the power to do anything without a senior user giving it the OK.
This means that all of the old posts are still active, but should someone hack into your blog as Admin they cannot actually do anything.
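The same three steps (give the old account a dummy email, create the replacement administrator with a nickname that does not reveal its login, then demote Admin) can be run in one go with WordPress’s own user API. The script below is an added example, not code from the original post; it assumes the old login is ‘admin’, picks ‘siteowner’ and ‘Fred’ as hypothetical new login and nickname, and is meant to be run once from a WP-CLI shell with wp eval-file:

```php
<?php
/**
 * Added example (not from the original post): replace the Admin login
 * following the steps above, using WordPress's own user functions.
 * Run once from a WP-CLI shell:  wp eval-file replace-admin.php
 * Hypothetical values: old login 'admin', new login 'siteowner',
 * public nickname 'Fred', mailbox you@example.com.
 */

$old_login = 'admin';
$new_login = 'siteowner';         // the new userid; never shown publicly
$new_email = 'you@example.com';   // your real address goes here
$display   = 'Fred';              // nickname shown on posts; must differ from the login

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::error( "No user with login '$old_login'." );
}

// Step 1: free the main mailbox by giving the old account a dummy address.
// WordPress refuses to create a second user with an e-mail already in use.
wp_update_user( array(
    'ID'         => $old->ID,
    'user_email' => 'retired-admin@example.invalid',
) );

// Step 2: create the replacement administrator. The nickname and display
// name hide the login in by-lines; user_nicename is also set explicitly,
// because WordPress would otherwise derive the author URL slug from the login.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_pass'     => $password,
    'user_email'    => $new_email,
    'nickname'      => $display,
    'display_name'  => $display,
    'user_nicename' => sanitize_title( $display ),
    'role'          => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// Step 3: demote the old account. Its posts stay published and attributed
// to it; the account simply loses every administrative capability.
$old->set_role( 'subscriber' );

// Hide the old login in by-lines as well, as the post recommends.
wp_update_user( array(
    'ID'           => $old->ID,
    'nickname'     => 'Archive',
    'display_name' => 'Archive',
) );

WP_CLI::success( "Created '$new_login' and demoted '$old_login' to subscriber." );
WP_CLI::log( "Temporary password for '$new_login': $password (change it after first login)" );
```

After running it, sign on as the new administrator, change the temporary password, and confirm on the Users screen that Admin now shows the Subscriber role and a nickname other than its login.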
There is another tool to use as well that will stop hackers having too many attempts at guessing your password / userid (and yes, I tested the blog I am showing and it did not do this), and that is a plugin to limit the number of login attempts. Read more about it on that post!
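To show what such a plugin does under the hood, here is a minimal login-attempt limiter written as an added example for this post; it is not the plugin the post links to. It counts failed logins per client address in a transient and refuses further attempts once a threshold is reached. The threshold of five attempts in fifteen minutes and the transient prefix are hypothetical choices; drop the file into wp-content/mu-plugins/ to activate it.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example)
 * Added illustration, not the plugin referenced in the post. After five
 * failed logins from one address within 15 minutes, further attempts from
 * that address are rejected until the window expires. Thresholds and the
 * transient prefix are hypothetical values chosen for this example.
 */

const SLL_MAX_ATTEMPTS = 5;
const SLL_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Transient key for the calling address. REMOTE_ADDR is the only address the
// web server itself vouches for; X-Forwarded-For is only trustworthy behind
// a proxy you control, so it is deliberately not consulted here.
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fail_' . md5( $ip );
}

// Count every failed login. WordPress fires this for a wrong user name and a
// wrong password alike, so the counter does not reveal which one was wrong.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_client_key();
    $count = (int) get_transient( $key );
    // Re-setting the transient also restarts the window, so an attacker who
    // keeps hammering the login stays locked out.
    set_transient( $key, $count + 1, SLL_WINDOW );
} );

// Once the threshold is reached, return an error instead of a user object.
// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so the error replaces whatever those checks returned.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( sll_client_key() );
} );
```

Because it keys on the client address, this simple version locks out everyone behind a shared address (an office NAT, for example) once the limit is hit; a production plugin typically adds an allow-list and per-user counters on top of this, and reports lockouts in the admin area so you can see the attempts the post describes.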