“What about the content?”, you ask. Don’t worry – you can reassign the content to another user. More on how to do that further down the page.
In 2013, the BBC reported a spate of attacks on WordPress-powered sites by a rogue botnet. (A botnet is a network of hijacked computers, typically controlled by a criminal gang.)
It singled out sites that still used the admin username and tried thousands of passwords against that one account to gain access.
Matt Mullenweg, co-creator of WordPress, wrote on his blog:
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
If Matt Mullenweg’s advice isn’t enough, have a look at this image from another of my sites. It’s a screenshot of attempted logins using the inactive username admin and a password straight out of the dictionary.
As you can see from the gaps between attempts, this one is feeble compared to a targeted attack by a botnet trying hundreds or thousands of passwords per second. I’m showing you the image to alert you to what could be happening on your site without your knowledge.
If I weren’t running the ThreeWP Activity Monitor (now obsolete – update Nov 2015), I wouldn’t know anything about these attempts to log in.
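You don’t have to rely on a plugin to see this: your web server’s access log already records every login attempt. The script below is an added example, not part of the original post or of ThreeWP Activity Monitor. It assumes the standard Apache/Nginx “combined” log format and the way WordPress answers a POST to wp-login.php (a wrong password gets a 200, because the form is shown again; a correct one gets a 302 redirect to the dashboard). The log lines inside it are made up. One limit: the access log cannot tell you which username was tried, because that travels in the POST body, which is where a plugin like the one above has the advantage.

```shell
#!/bin/sh
# Spot password guessing against wp-login.php in the web server's access log.
# Added example, not from the original post or ThreeWP Activity Monitor.
# Assumptions: Apache/Nginx "combined" log format; a failed login POST is
# answered with HTTP 200 (form re-displayed), a successful one with a 302.
set -eu
export LC_ALL=C

# Constructed sample log: one client guessing slowly, one in a burst, one
# genuine login (302) and an ordinary page view that must not be counted.
SAMPLE_LOG='203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
198.51.100.23 - - [12/Apr/2013:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
198.51.100.23 - - [12/Apr/2013:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
198.51.100.23 - - [12/Apr/2013:10:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
198.51.100.23 - - [12/Apr/2013:10:02:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
198.51.100.23 - - [12/Apr/2013:10:02:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "-"
192.0.2.10 - - [12/Apr/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:41:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"'

# failed_logins: access log on stdin -> "<failures> <client>" lines, busiest
# first. Fields in the combined format: $1 client, $4 "[dd/Mon/yyyy:HH:MM:SS",
# $6 "\"METHOD", $7 path, $9 status. POSTs with any other status (302 after a
# correct password, 403 from a firewall) are not counted.
failed_logins() {
  awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# bursts THRESHOLD: same selection, but counted per client and clock minute,
# printing only minutes with THRESHOLD or more failures (the botnet pattern).
bursts() {
  awk -v threshold="$1" '
    $6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 {
      minute = substr($4, 2, 17)          # "12/Apr/2013:10:02" from "[12/Apr/2013:10:02:00"
      n[$1 " " minute]++
    }
    END { for (k in n) if (n[k] >= threshold) print n[k], k }' | sort -rn
}

# Demo on the constructed sample. For a real log, source this file and run e.g.
#   failed_logins < /var/log/apache2/access.log
echo "failed logins per client:"
printf '%s\n' "$SAMPLE_LOG" | failed_logins
echo "bursts (5 or more in one minute):"
printf '%s\n' "$SAMPLE_LOG" | bursts 5
```

On the sample, 198.51.100.23 shows up with six failures inside one minute, while 203.0.113.7 only appears in the overall totals: two failures forty minutes apart is exactly the slow, hard-to-notice pattern in the screenshot, which is why both views are worth looking at.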
One of the easiest things you can do to secure your site is to use a hard-to-guess username and password combination.
Using a strong password with the admin username may make your site harder to break into, but if the password is a dictionary word, or a dictionary word with common letters such as e, o or i swapped for the digits 3, 0 or 1, you are still exposed. Swapping digits for similar-looking letters comes from Leetspeak, an alternative alphabet used online. It is well known in the cracking community, and password-guessing software applies these substitutions automatically as rules, so they add almost nothing against tools that try thousands of guesses every second.
I hope what you’ve just read opens your eyes to the weakness of the admin username, which WordPress installations have traditionally been given by default and which millions of bloggers either never bother to change or don’t realise leaves a door half open to attackers.
Dealing with the admin user
When you set up a brand-new WordPress installation, always choose a username other than admin.
WordPress is such a popular platform these days (related: pros and cons of free blogging platforms) that most web hosts offer a one-click installation. As you go through it, check each section, and when it comes to choosing a username, pick something other than admin.
If you’ve blogged for a while using the admin username, you can easily move all that content to another user and delete the admin account. Before you do this, make sure you have a backup of your site in case something goes wrong.
Here’s how to do it…
If you don’t have another account with admin rights, you must create one.
How to create a new WordPress user account
In the left-side menu navigate to Users and click on Add New. You will see a screen like this:
There are four steps:
- Think of a username and enter it in the Username field. It cannot be changed later, and it isn’t entirely private: WordPress also builds the author-archive URL from it, so pick something that isn’t obvious. Each user can set a different name to display publicly if your site shows author names.
- Enter the user’s email address. WordPress sends password-reset links and other notifications to it.
- Enter a new, strong password.
- Change the Role from Subscriber to Administrator so the new account has full control.
Now that the account exists, log out of WordPress and log back in with the new details.
How to delete the admin user
Navigate to the Users screen via the left-side menu. If you only have two users the list looks something like this:
Click on the Delete link for the admin account.
On the next screen you are asked whether to delete the user’s posts or attribute them to another user. We want to keep the content, so select the option to attribute (re-assign) it and choose the new account from the drop-down menu.
Now hit the Confirm Deletion button and the account is gone, with every post attributed to the new user.
I’ve done this several times now and each time it’s worked flawlessly. Even so, back up your site first in case something goes wrong.
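If you are comfortable at a command line, the same three steps can be done in one go with WP-CLI (https://wp-cli.org/), whose wp user delete --reassign option does exactly what the radio button does. The script below is an added example, not something from the original post. It assumes WP-CLI is installed and that you run it from the WordPress directory (otherwise add --path=/your/wordpress to each wp call). Back up first, as above.

```shell
#!/bin/sh
# Replace the default "admin" account with WP-CLI: create a new administrator,
# then delete admin and hand its posts to the new account.
# Added example, not from the original post. Assumes WP-CLI is installed and
# the script is run from the WordPress directory.
set -eu

# swap_admin_user NEW_LOGIN NEW_EMAIL [OLD_LOGIN]
# Prints the new account's user ID. The new password is taken from the
# WP_NEW_PASS environment variable (keeps it out of the process list), or is
# generated and shown once on stderr if that variable is empty.
swap_admin_user() {
  new_login=$1
  new_email=$2
  old_login=${3:-admin}

  # Resolve the old account first; wp exits non-zero (and so do we) if it does not exist.
  old_id=$(wp user get "$old_login" --field=ID)

  new_pass=${WP_NEW_PASS:-}
  if [ -z "$new_pass" ]; then
    # 24 random letters/digits; head -c is not POSIX but is in GNU, BSD and busybox
    new_pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
    echo "Generated password for $new_login: $new_pass" >&2
  fi

  # --porcelain makes wp print only the new user's ID.
  new_id=$(wp user create "$new_login" "$new_email" --role=administrator \
             --user_pass="$new_pass" --porcelain)

  # Refuse to continue unless both IDs are numbers and differ; a botched
  # lookup would otherwise delete the wrong account.
  case "$old_id$new_id" in
    *[!0-9]*) echo "unexpected user IDs: '$old_id' / '$new_id'" >&2; return 1 ;;
  esac
  [ "$old_id" != "$new_id" ] || { echo "old and new account are the same user" >&2; return 1; }

  # Step 3 of the walk-through: delete the old account, content goes to new_id.
  # wp's success message goes to stderr so stdout carries only the new ID.
  wp user delete "$old_id" --reassign="$new_id" --yes >&2

  echo "$new_id"
}

# Usage:  WP_NEW_PASS='a long random password' sh swap-admin.sh newlogin you@example.com
[ $# -lt 2 ] || swap_admin_user "$@"
```

Once it has run, log in with the new account and check Users in the dashboard: admin should be gone and the post count should have moved to the new name. The script deliberately stops before deleting anything if either user ID looks wrong, which is the check you would otherwise be doing by eye on the confirmation screen.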
A Lifehacker post from 2011 argues for using common phrases as passwords instead of “complete gibberish”, as they take longer to crack. The post is interesting and the comments enter the realms of geekism most of us avoid.
Its main point is that a phrase like “this is fun” (spaces included) is harder to brute-force than a shorter jumble of letters and numbers, simply because it is longer. And it’s easier to remember.
It sounds odd, but according to this site, which estimates how long a password would take to brute-force, it’s true. Bear in mind that such calculators assume an attacker trying every combination of characters; a phrase built from common words can also be found by a word-list attack, so avoid familiar expressions.
In the WordPress scenario, an attacker already knows the username (admin) and the address of the login page (wp-login.php in the site root, if WordPress is installed there). So all they have to do is guess the password.
Here are the results of some passwords I tested. What you see is how long it would take a desktop PC running cracking software to guess the password:
- password – instantly (duh!)
- t1m3tabl3 – 7 hours
- calculator – 9 hours
- wimfsiltc*** – 178 years
- iutla164*!” – 1,000 years
- i!love!winter – 7,000 years
- i love winter (spaces included) – 24,000 years
I’m sure none of us will need a password for 24,000 years. Conversely, using a password that takes just seven hours to crack is way too risky. And using an almost lethal combination of admin and password is insane – you’re asking for trouble.
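To see why the calculator’s figures are only an upper bound, here is an added example (not the calculator the post links to, nor anything from the original post) that estimates the same passwords under two attacker strategies: exhaustive search over the character classes used, which is what such calculators model, and a word-list attack that undoes the Leetspeak substitutions and matches whole words. The word list, the guess rate of one thousand million per second, and the 16 variants tried per word are assumptions chosen for illustration. A real word list has millions of entries, so the dictionary figures would be larger, but for a single word with digits swapped in they stay trivially small.

```shell
#!/bin/sh
# Why "time to crack" depends on the attacker's strategy, not only on length
# and character classes. Added example, not the calculator linked in the post.
# Assumptions (not from the post): 1e9 guesses per second, a nine-word list
# standing in for a real one, 16 leet/capitalisation variants per list word.
set -eu
export LC_ALL=C

GUESSES_PER_SECOND=1000000000
SECONDS_PER_YEAR=31557600
LEET_VARIANTS=16

# Constructed word list; real attackers use lists with millions of entries.
WORDLIST='password
timetable
calculator
this
is
fun
i
love
winter'
WORDLIST_SIZE=$(printf '%s\n' "$WORDLIST" | wc -l | tr -d ' ')

# charset_size PASSWORD: alphabet an exhaustive search must cover, from the
# character classes present (the model the online calculators use).
charset_size() {
  size=0
  case "$1" in *[a-z]*)          size=$((size + 26)) ;; esac
  case "$1" in *[A-Z]*)          size=$((size + 26)) ;; esac
  case "$1" in *[0-9]*)          size=$((size + 10)) ;; esac
  case "$1" in *[!a-zA-Z0-9]*)   size=$((size + 33)) ;; esac   # printable symbols, space included
  echo "$size"
}

# brute_force_guesses PASSWORD: charset_size ^ length
brute_force_guesses() {
  awk -v c="$(charset_size "$1")" -v n="${#1}" 'BEGIN { printf "%.0f\n", c ^ n }'
}

# unleet TEXT: lower-case and undo the usual substitutions
# (0->o 1->i 3->e 4->a 5->s 7->t 8->b @->a $->s). Cracking tools apply these
# as rules, so the substitutions cost an attacker almost nothing.
unleet() {
  printf '%s\n' "$1" | tr 'A-Z0134578@$' 'a-zoieastbas'
}

# dictionary_guesses PASSWORD: guesses for a word-list attack that treats the
# password as one or more list words, each with LEET_VARIANTS spellings.
# Fails (exit 1) when some token is not in the list, i.e. the strategy does
# not apply and the attacker falls back to brute force.
dictionary_guesses() {
  words=$(unleet "$1" | tr -cs 'a-z' ' ')   # non-letters become word breaks
  total=1
  count=0
  for w in $words; do
    printf '%s\n' "$WORDLIST" | grep -qxF "$w" || return 1
    total=$((total * WORDLIST_SIZE * LEET_VARIANTS))
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || return 1
  echo "$total"
}

# fewest_guesses PASSWORD: "<strategy> <guesses>" for the cheaper attack
fewest_guesses() {
  brute=$(brute_force_guesses "$1")
  if dict=$(dictionary_guesses "$1") && awk -v d="$dict" -v b="$brute" 'BEGIN { exit !(d < b) }'; then
    echo "dictionary $dict"
  else
    echo "brute-force $brute"
  fi
}

# crack_years GUESSES: years to exhaust that many guesses at GUESSES_PER_SECOND
crack_years() {
  awk -v g="$1" -v r="$GUESSES_PER_SECOND" -v s="$SECONDS_PER_YEAR" 'BEGIN { printf "%.3g\n", g / r / s }'
}

# Table for the post's test passwords, or for any passed on the command line.
[ $# -gt 0 ] || set -- password t1m3tabl3 calculator 'wimfsiltc***' 'iutla164*!"' 'i!love!winter' 'i love winter'
for pw in "$@"; do
  result=$(fewest_guesses "$pw")
  strategy=${result%% *}
  guesses=${result#* }
  printf '%-15s %-12s %24s guesses  %10s years\n' "$pw" "$strategy" "$guesses" "$(crack_years "$guesses")"
done
```

Run it with no arguments for the post’s list, or with your own candidates (unlike pasting them into a website, this runs offline). The point it makes: “t1m3tabl3” and “calculator” fall to the dictionary path in a handful of guesses, however long the brute-force column says they should survive, while the random-looking strings only fall to brute force. A passphrase of common words sits in between, which is why uncommon words beat a well-known saying.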
Your average WordPress blog (how to start a blog) will never be fully secure, but you should do as much as you can to keep people out. That means keeping plugins, themes and the core files up to date, and closing a way in that people don’t often think about: the login page.
Doing these few things will save you a lot of stress and worry should your site(s) become a target.
If you’re using the admin username, your homework for today is: create a new user, switch the content from admin to the new one (or an alternative) and delete admin. Don’t forget to backup your site first!
If you don’t use the admin user, you’re homework-free! Go do something you enjoy.
If you want to know more about WordPress, you’ll find plenty of content in the Learn WordPress section.