Why I Dumb Down The Admin Account On New Wordpress Installations


What is the problem?

Wordpress prides itself on its 5 minute install, which lets you essentially upload the core files, create a database and then run a script to join the two together. Easy. But secure it isn’t…

A hacker with even limited knowledge of Wordpress knows that the login screen is generally found at http://blog.domain/wp-login.php and that Wordpress by default sets up an admin account during the installation stage. You would hope the first thing the user then does is log in with the auto-generated details and change the password to something memorable and hard to guess, right? You would have thought so.

The problem is that most people then rush on to creating posts, adding plugins, changing themes and so on, because good content is what makes people want to come back to a blog. Yet at the same time, anybody searching Google for <meta name="generator" content="WordPress 2.9.1" /> finds (at the time of writing this article) 5,780 results, and many of those sites could have unprotected admin accounts, or ones with very simple, easy to guess passwords that could be obtained by brute force.

So how do I go about fixing it then?

There is no magic wand you can wave to secure Wordpress; it all depends on the type of blog you have and how secure you want it to be. There are many guides already available, such as Hardening Wordpress from the Wordpress codex and many blogs scattered around the internet, but the easiest thing you can do is deactivate the admin account and set up a harder to guess user account with the same permissions as an admin. Sounds so simple! Even if you do nothing else to your Wordpress installation, may I suggest that you at least do this, because it will eliminate one of the most obvious security issues later on.

Add a new user account with admin role

Log in with your admin account and create a new user account by going to Users > Add New and setting up a new account with all your personal details. You are not able to use the same email address twice, so you might have to edit your admin account and change its email address to a dummy one such as dumb-admin@blog.domain to free up your own email address.

Log in with new user account and dumb down the admin account

Once you have added the account, log out of the admin account and log in with your new user account. Go to Users > Authors & Users and click on the admin account to edit it. Locate the Role dropdown, which is in the Name section, change it to Subscriber and then save the changes.


Secure the admin account to deliberately make it harder for hacking attempts

To make it even harder to guess the password, I suggest you go to http://www.passwords.org.uk/different-length.php, copy the 14 character generated password from that page and set it as the password of the admin account, which of course you will be able to do with your new-found admin privileges!
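The three steps above (new administrator, demote admin to Subscriber, long random password) done from the command line, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed and is run from the WordPress root; the dummy address dumb-admin@blog.domain is the one from the post, and the new login name and e-mail are whatever you pass in.

```shell
#!/bin/sh
# Added example, not the post's own procedure (the post uses the dashboard).
# Assumes WP-CLI is installed and the script runs from the WordPress root.
set -eu

# Generate a random password of the requested length (default 14, as in the
# post) from letters, digits and punctuation, read from /dev/urandom.
gen_password() {
    len="${1:-14}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' < /dev/urandom | head -c "$len"
}

# Number of characters in a string (used to sanity-check gen_password).
strlen() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Replace the default "admin" account the way the post describes:
#   1. create a new administrator with a non-obvious login name,
#   2. confirm the new account really holds the administrator role,
#   3. point admin at a dummy e-mail to free up the real address,
#   4. demote admin to subscriber and give it a long random password.
harden_admin() {
    new_user="$1"; new_email="$2"; dummy_email="${3:-dumb-admin@blog.domain}"

    wp user create "$new_user" "$new_email" --role=administrator \
        --user_pass="$(gen_password 20)"

    # Never demote admin unless the replacement is an administrator,
    # otherwise you lock yourself out of your own site.
    roles="$(wp user get "$new_user" --field=roles)"
    case "$roles" in
        *administrator*) ;;
        *) echo "refusing: $new_user is not an administrator" >&2; return 1 ;;
    esac

    wp user update admin --user_email="$dummy_email"
    wp user set-role admin subscriber
    wp user update admin --user_pass="$(gen_password 14)"
}
```

Run it as `harden_admin yourname you@example.com` after sourcing the file; the generated passwords are not echoed, so store the new administrator's password with your usual password manager.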


That’s all there is to do!

You will now have a much more secure Wordpress installation without getting bogged down in security and permissions. This should certainly be enough to get you started. Have fun blogging!


One Response to “Why I Dumb Down The Admin Account On New Wordpress Installations”

  1. Tweets that mention Why I Dumb Down The Admin Account On New Wordpress Installations – Ian's Online Technical Notebook -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Ian Roke, Jesse Luna. Jesse Luna said: RT @ianroke: Just blogged: 'Why I Dumb Down The Admin Account On New Wordpress Installations' http://bit.ly/4GSUV4 #wordpress Please pas … [...]
