If you’ve changed the default WordPress admin user name from ‘admin’ to something else, great. However, if you write a post as the admin, your new admin username will be displayed on your blog. Not good.

In order to help you keep your admin username a secret from would-be hackers, I’m releasing a new WordPress security plugin: Admin Post Reminder.

How Does It Help?

The Admin Post Reminder plugin is useful if you’ve got a separate editor account just for posting.

Sometimes you’ll still need to log into WordPress as an admin to change settings, use certain plugins, etc. It can be easy to forget that you’re still logged in as an admin when you go to write a post.

What Does It Do?

What Admin Post Reminder does is simple–it checks to see if the user that’s logged in is an admin. If they are, an alert is displayed at the top of the page, reminding the user not to publish any posts while logged into this account.

Regular logged in users won’t see the message.

Download the Plugin

You can view the plugin page for more details or

Download Admin Post Reminder at the WordPress Plugin Repository

Buy Me a Coffee

If you enjoy this plugin, consider making a small donation–any amount is appreciated. Thanks!

I just had an unpleasant episode that really reminded me of the need to have some kind of encryption on your thumb drives.

I was leaving a friend’s house, got in my truck and drove home. I unloaded my pockets as usual and discovered–no thumb drive.

I did find the flash drive a few minutes later, by the curb outside my friend’s house. But the whole time I was looking, I was trying to do a mental inventory of what information was on that thumb drive.

Fortunately, I don’t store sensitive client information on my thumb drives. Yet, the idea of someone else finding the drive and being able to freely access the other info on the drive was not a pleasant one.

Lesson: Don’t put personal or client/work passwords or other sensitive data on a thumb drive. If for some reason you do have to have some of that information with you, make sure that information is encrypted.

To keep people from viewing your files if your thumb drive falls into the wrong hands, here are some tools, tutorials and products to help you encrypt your thumb drive.

TrueCrypt

TrueCrypt (Win XP+/Mac OS X/Linux) is a free, open-source software that can encrypt an entire partition or storage device (like a USB drive).

Once encryption is set for a volume and then the volume is mounted, file encryption/decryption is done on-the-fly–meaning it’s automatic and transparent (ie not a pain in the rear).

Note: TrueCrypt does not currently (as of Oct 11, 2009) support Mac OSX 10.6 Snow Leopard. View a full list of TrueCrypt’s limitations.

A Beginner’s Tutorial to TrueCrypt

Adding encryption to your entire USB thumb drive or just a portion (say a directory) is pretty simple.

TrueCrypt Security Precautions

Because of simplicity, the beginner’s tutorial skips some of the more in-depth security details, so it’s a good idea to take a look at the extra things you can do to keep your information even more safe.

What if the System You’re Using Your Thumb Drive With Doesn’t Have TrueCrypt Installed?

Since you’re going to most likely be using your USB with more than one computer, it doesn’t make since to install TrueCrypt on every system.

TrueCrypt fortunately lets you run in ‘portable mode‘–meaning you don’t have to have TrueCrypt installed on the system.

You can read more about portable mode and the various options you have on the TrueCrypt site.

Note: You will need to have admin privileges on the system (OS) you’re running under in order to run TrueCrypt in portable mode.

How to Create the Ultimate Encrypted Flash Drive

A New Morning has a great tutorial that walks you through how to use TrueCrypt specifically with a USB flash drive.

IronKey USB Drive

If you’re serious about security, IronKey is the USB thumb drive for you.

IronKey is a USB thumb drive with built-in 256-bit hardware encryption.

Since encryption is hardware-based, IronKey will also run on pretty much any operating system that will read a USB thumb drive–Windows 2000+, Mac OS 10.4 and Linux (2.6+ kernel).

Also, unlike software-based encryption solutions like TrueCrypt, you don’t have to have administrator rights on the system you’re using IronKey, and there’s no software to install.

It uses internet authentication as well to protect the information and site passwords you exchange when browsing the internet via a portable version of Firefox.

James Bond’s Thumb Drive

I could imagine James Bond using an IronKey–yes, it has self-destruct features built into it.

A stolen or lost drive can be remotely disabled, or a self-destruct can be initiated–erasing all information on the drive and/or physically destroying the drive.

IronKey Personal Demo Video

IronKey Enterprise Demo Video

Keep Your Friends Close and Your Thumb Drive Closer

Remember that if you put sensitive information on a thumb drive that it’s always possible that it’ll get lost or stolen. So make sure your thumb drive (or at least a directory within) is encrypted and secure.

Do you use anything else to secure your USB drives? Share in the comments.

Photo credits: USB Flash Drive by Stephen VanHorn, Abstract View of Data Storage and Abstract View of a Data Sequence by irabbiosi via Shutterstock.

Updated: 12/04/2009–Note: This information applies also to pages as well as posts.

Anytime you see suggestions for making your WordPress install more secure, you’re gonna see the regular suspects:

• Change your database table prefixes
• Update WordPress and WordPress plugins regularly
• Change the default WordPress admin username

These are all good suggestions that you should certainly be doing to make your WordPress install more secure.

But I want to address the last one–changing the default WordPress admin account–and a practice that will render this pointless.

The following may be common sense, but the reason I’m gonna mention it is that I have never seen this cautioned on any other WordPress security tips post.

Why Change Your Admin UserName In the First Place?

WordPress automatically generates an account named admin when you first install.

This means every single WordPress install on the planet has an account named admin. If you don’t change it, any would-be hacker/cracker only has to figure out your password–making it much easier to get into your site and muck about.

Don’t Use Your Admin Account to Post

Is there a flaw in your WordPress security?

So you’ve changed your default admin username to something totally unguessable. Then you write a post and publish it from your renamed admin account.

Oops!

The whole point in renaming your account is so pranksters have no idea what username you’re using for your admin account.

True, you can change the display name for your account so it doesn’t show your actual admin username on your site.

However, if your theme displays the post author’s name and a link to sort by author or author feed.

The actual username will be right there in the link address (usually something like: ‘http://blog.com/author/admin-username‘). Oops!

Posting from your admin account completely negates the whole point of changing your admin username in the first place.

Don’t Publish Pages From Your Admin Account Either (Updated 12/04/2009)

Beyond the author link in posts, there are other places the author’s username can show up.

Body Classes on Post and Pages

Even if you remove the link to the post author from showing in your theme, the username of the author also can be seen in classes on the body tag when you view source.

WordPress by default inserts various classes to the body tag. This is so you can target pages and posts via CSS.

One of the classes WordPress creates and inserts into the body tag is the author’s username (not the nickname).

Most of the time it will look like this: author-yourusername (for posts) or page-author-yourusername (for pages)

Most (all?) current WordPress themes do not remove the author class. This means, on both posts AND pages, the author’s username can be easily discovered by simply viewing the source code.

Depending on your theme, a class containing the author’s username may be displayed in other places as well.

Fix It Now

If you’ve changed your admin username and yet have been publishing posts (or creating pages – updated 12/04/2009) using that same account, fix it now.

Don’t worry, it’s easy enough.

Here’s the quickest way:

1. Add a new user who has an Editor or Contributor role
2. Add another user with Admin privileges
3. Log out and back into WordPress as the new Admin
4. Delete the old Admin user (the one you used to publish posts from)
5. WordPress 2.8+ will ask what to do with the posts you previously wrote…
6. Assign the posts to your newly created Editor/Contributor account
7. Only use that Editor account to write posts from now on

That’s it. It only should take 2-5 minutes, and your WordPress install will be more resistant to hacks and general tom-foolery.

More WordPress Security Tips

Here are some other WordPress security tips:

• How To Keep WordPress Secure (WordPress Blog)
• Hardening WordPress (WordPress Codex)
• WordPress Security Tips and Hacks (Noupe – Beware step #9 though)
• 12 Essential Security Tips and Hacks (Six Revisions)
• 11 Best Ways to Improve WordPress Security (Pro Blog Design)
• 20+ Powerful WordPress Security Plugins and Some Tips and Tricks

WP Plugin

(Updated: 10/19/2009) Based in part on the response to this article, I’ve created a new WordPress plugin called Admin Post Reminder.

Updates

(Updated 12/04/2009) Pages and posts also contain classes in the body tag that disclose the author’s real username.