
Photo credit: Anton Balazh
Updated: 12/04/2009. Note: this information applies to pages as well as posts.
Any time you see suggestions for making your WordPress install more secure, you'll see the usual suspects:
- Change your database table prefixes
- Update WordPress and WordPress plugins regularly
- Change the default WordPress admin username
These are all good suggestions that you should certainly be doing to make your WordPress install more secure.
But I want to address the last one, changing the default WordPress admin account, and a common practice that renders it pointless.
The following may be common sense, but I'm going to mention it because I have never seen it cautioned in any other WordPress security tips post.
Why Change Your Admin UserName In the First Place?
WordPress automatically generates an account named admin when you first install.
This means every single WordPress install on the planet starts with an account named admin. If you don't change it, any would-be hacker/cracker already knows half of your login and only has to figure out your password, which makes it much easier to get into your site and muck about.
Don’t Use Your Admin Account to Post
So you’ve changed your default admin username to something totally unguessable. Then you write a post and publish it from your renamed admin account.
Oops!
The whole point in renaming your account is so pranksters have no idea what username you’re using for your admin account.
True, you can change the display name for your account so it doesn’t show your actual admin username on your site.
However, if your theme displays the post author's name with a link to the author's archive or author feed, the actual username will be right there in the link address (usually something like http://blog.com/author/admin-username/). Oops!
Posting from your admin account completely negates the whole point of changing your admin username in the first place.
Don’t Publish Pages From Your Admin Account Either (Updated 12/04/2009)
Beyond the author link in posts, there are other places the author’s username can show up.
Body Classes on Post and Pages
Even if you remove the link to the post author from showing in your theme, the username of the author also can be seen in classes on the body tag when you view source.
WordPress by default inserts various classes to the body tag. This is so you can target pages and posts via CSS.
One of the classes WordPress creates and inserts into the body tag is built from the author's username (not the nickname or display name).
Most of the time it will look like this: author-yourusername (for posts) or page-author-yourusername (for pages).
Most (all?) current WordPress themes do not remove the author class. This means, on both posts AND pages, the author’s username can be easily discovered by simply viewing the source code.
Depending on your theme, a class containing the author’s username may be displayed in other places as well.
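Here is an added check (my own example, not code from the original post) that scans a saved copy of a rendered page for the two leak sources described above: author archive/feed links of the form /author/username/ and body classes of the form author-username or page-author-username. The sample HTML and the username garytheadmin are constructed for illustration.

```python
"""Find places a rendered WordPress page reveals the post author's real username."""
import re
from html.parser import HTMLParser

# Body classes the post describes: author-<username> (posts), page-author-<username> (pages)
AUTHOR_CLASS_RE = re.compile(r"^(?:page-)?author-(?P<name>[\w-]+)$")
# Author archive and feed links: http://site/author/<username>/...
AUTHOR_URL_RE = re.compile(r"/author/(?P<name>[^/?#]+)")


class _LeakParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.body_class_names = set()
        self.link_names = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            for cls in (attrs.get("class") or "").split():
                m = AUTHOR_CLASS_RE.match(cls)
                if m:
                    self.body_class_names.add(m.group("name").lower())
        elif tag in ("a", "link"):
            m = AUTHOR_URL_RE.search(attrs.get("href") or "")
            if m:
                self.link_names.add(m.group("name").lower())


def find_exposed_usernames(html):
    """Return {'body_class': set, 'author_link': set} of usernames visible in the page."""
    p = _LeakParser()
    p.feed(html)
    return {"body_class": p.body_class_names, "author_link": p.link_names}


def leaks_admin_username(html, admin_usernames):
    """True if any of the given admin usernames appears in either leak source."""
    found = find_exposed_usernames(html)
    exposed = found["body_class"] | found["author_link"]
    return bool(exposed & {u.lower() for u in admin_usernames})


# Constructed sample: display name is "Gary", but the theme still leaks 'garytheadmin'.
SAMPLE_HTML = """<html><head>
<link rel="alternate" href="http://garyscoolsite.com/author/garytheadmin/feed/">
</head>
<body class="single single-post postid-12 author-garytheadmin">
<p class="byline">By <a href="http://garyscoolsite.com/author/garytheadmin/">Gary</a></p>
</body></html>"""

if __name__ == "__main__":
    print(find_exposed_usernames(SAMPLE_HTML))
```

Run it against the saved HTML of one post and one page; if either set contains your renamed admin account, the rename is not protecting you and the fix in the next section applies.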
Fix It Now
If you’ve changed your admin username and yet have been publishing posts (or creating pages – updated 12/04/2009) using that same account, fix it now.
Don’t worry, it’s easy enough.
Here’s the quickest way:
- Add a new user who has an Editor or Contributor role
- Add another user with Admin privileges
- Log out and back into WordPress as the new Admin
- Delete the old Admin user (the one you used to publish posts from)
- WordPress 2.8+ will ask what to do with the posts you previously wrote…
- Assign the posts to your newly created Editor/Contributor account
- Only use that Editor account to write posts from now on
That's it. It should only take 2-5 minutes, and your WordPress install will be more resistant to hacks and general tomfoolery.
More WordPress Security Tips
Here are some other WordPress security tips:
- How To Keep WordPress Secure (WordPress Blog)
- Hardening WordPress (WordPress Codex)
- WordPress Security Tips and Hacks (Noupe – Beware step #9 though)
- 12 Essential Security Tips and Hacks (Six Revisions)
- 11 Best Ways to Improve WordPress Security (Pro Blog Design)
- 20+ Powerful WordPress Security Plugins and Some Tips and Tricks
WP Plugin
(Updated: 10/19/2009) Based in part on the response to this article, I’ve created a new WordPress plugin called Admin Post Reminder.
Updates
(Updated 12/04/2009) Pages and posts also contain classes in the body tag that disclose the author’s real username.
13 Comments to 'WordPress Security Tip: Don’t Post From Your Admin Account'
October 14th, 2009
Good idea. Now we need a plugin that will hide the “Create New Post” button on admin accounts. :)
October 14th, 2009
Agreed. Or perhaps a message alert (similar to when you update a page) that appears at the top of the Write Post page with a reminder not to publish a post if you’re logged in as the Admin.
October 18th, 2009
What if your theme doesn’t show who posted the post? even when you change it to “no page style”? Do you still have security risks?
October 18th, 2009
Thanks so much for this! I never would have thought of it. It really was quick and easy to fix.
October 18th, 2009
Great idea I’ll be passing along and have already used myself. Thanks!
October 19th, 2009
If your theme does not display who wrote the post, it will be much harder for people to figure out your admin username, but I'm not sure it'd be impossible for them to figure out. I'll have to look into this.
Updated: Pages and posts display classes in the body tag that contain the author's username as well.
The best option, just to be on the safe side, is to not publish from your admin account. It'll be easy enough to fix though if you follow the instructions in the post.
October 21st, 2009
Cool article you got here. I’d like to read a bit more concerning this matter.
October 26th, 2009
Perhaps I’m missing something (really, I may be…), but if you use a nickname – that gets shown – not your renamed admin username, right?
October 26th, 2009
You can rename the display name (nickname) for your admin account.
However, if your theme displays the post author along with a link that lets you view all posts by that author, the real WordPress admin username will be shown in the address of that link.
Example: Your admin username is 'garytheadmin'. You change the display name in your WP settings to display 'Gary'.
The link created by your theme will contain a link to all Gary’s posts, but the link will look something like: http://garyscoolsite.com/author/garytheadmin/.
Based on the address, anyone can see that the real username is garytheadmin, not Gary.
This really depends on whether your theme shows the author and provides a link to more of the author’s posts. A very high percentage of WordPress themes do this, hence the warning.
Note: Posting comments from your admin account is okay, thankfully ;)
December 4th, 2009
Note to comment subscribers: Pages and Posts also contain body classes that reveal the author’s username.
Read the updates to this post for more details.
December 16th, 2009
Awesome write up. I’ve already implemented your information.
March 10th, 2010
How about this one? http://wordpress.org/extend/pl.....-extended/
March 10th, 2010
Thanks for sharing your plugin, Ramon.
Using that plugin would be a good 1st step.
However, the underlying issue is still there. Even if you change the default admin username (which you should), once you publish a post from that renamed admin account, anyone can easily find out your new username.