Photo credit: Anton Balazh

Updated: 12/04/2009. Note: this information applies to pages as well as posts.

Anytime you see suggestions for making your WordPress install more secure, you’re gonna see the usual suspects:

  • Change your database table prefixes
  • Update WordPress and WordPress plugins regularly
  • Change the default WordPress admin username

These are all good suggestions that you should certainly be doing to make your WordPress install more secure.

But I want to address the last one, changing the default WordPress admin account, and a common practice that renders it pointless.

The following may be common sense, but the reason I’m gonna mention it is that I have never seen this cautioned on any other WordPress security tips post.

Why Change Your Admin UserName In the First Place?

WordPress automatically generates an account named admin when you first install.

This means every single WordPress install on the planet has an account named admin. If you don’t change it, any would-be hacker/cracker only has to figure out your password, making it much easier to get into your site and muck about.

Don’t Use Your Admin Account to Post

Is your security like a screen door? Is there a flaw in your WordPress security?

So you’ve changed your default admin username to something totally unguessable. Then you write a post and publish it from your renamed admin account.

Oops!

The whole point in renaming your account is so pranksters have no idea what username you’re using for your admin account.

True, you can change the display name for your account so it doesn’t show your actual admin username on your site.

However, if your theme displays the post author’s name with a link to the author archive or the author feed, the actual username will be right there in the link address (usually something like http://blog.com/author/admin-username). Oops!

Posting from your admin account completely negates the whole point of changing your admin username in the first place.

Don’t Publish Pages From Your Admin Account Either (Updated 12/04/2009)

Beyond the author link in posts, there are other places the author’s username can show up.

Body Classes on Post and Pages

Even if you stop your theme from showing a link to the post author, the author’s username can also be seen in the classes on the body tag when you view the page source.

WordPress by default inserts various classes into the body tag so you can target specific pages and posts via CSS.

One of the classes WordPress creates and inserts into the body tag is the author’s username (not the nickname).

Most of the time it will look like this: author-yourusername (for posts) or page-author-yourusername (for pages).

Most (all?) current WordPress themes do not remove the author class. This means, on both posts AND pages, the author’s username can be easily discovered by simply viewing the source code.

Depending on your theme, a class containing the author’s username may be displayed in other places as well.
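The body-class leak described above can be closed at the theme-output level as well. The plugin below is an added example for this post, not code from the original article or from the Admin Post Reminder plugin; it assumes the theme emits its classes through WordPress’s standard `body_class()` filter (the function name `sauc_strip_author_classes` and the plugin name are made up for the example).

```php
<?php
/*
Plugin Name: Strip Author Username Classes
Description: Added example (not from the original post). Removes body classes that
embed the author's username so "view source" no longer reveals it.
*/

// Assumption: the theme builds its classes through the standard body_class()
// filter, so the classes it adds reach this callback.

/**
 * Drop any class that carries an author name or ID, e.g. "author-jane",
 * "author-3" or "page-author-jane". The bare "author" marker on author
 * archive pages is kept because it names no user.
 *
 * @param string[] $classes Classes collected by body_class().
 * @return string[] Filtered, re-indexed list.
 */
function sauc_strip_author_classes( $classes ) {
    $kept = array();
    foreach ( $classes as $class ) {
        if ( preg_match( '/^(page-)?author-.+/', $class ) ) {
            continue; // carries a username or user ID
        }
        $kept[] = $class;
    }
    return $kept;
}

// Priority 99: run after the theme's own body_class filters have added their classes.
add_filter( 'body_class', 'sauc_strip_author_classes', 99 );
```

Drop the file into wp-content/mu-plugins/ (or activate it as a normal plugin), then view the source of one post and one page to confirm the author-… classes are gone. The trade-off is that any stylesheet rule keyed on those classes stops matching. This only removes one disclosure vector: the author archive link and feed still carry the author’s slug, so not publishing from the admin account remains the real fix.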

Fix It Now

If you’ve changed your admin username and yet have been publishing posts (or creating pages, updated 12/04/2009) using that same account, fix it now.

Don’t worry, it’s easy enough.

Here’s the quickest way:

  1. Add a new user who has an Editor or Contributor role
  2. Add another user with Admin privileges
  3. Log out and back into WordPress as the new Admin
  4. Delete the old Admin user (the one you used to publish posts from)
  5. WordPress 2.8+ will ask what to do with the posts you previously wrote…
  6. Assign the posts to your newly created Editor/Contributor account
  7. Only use that Editor account to write posts from now on

That’s it. It should only take 2-5 minutes, and your WordPress install will be more resistant to hacks and general tomfoolery.
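The same steps can be carried out in one go with WordPress’s own user functions, which is handy on a site with many posts and pages. The script below is an added example, not part of the original post; the function name `fix_admin_author`, the logins, the e-mail addresses and the nicename `site-owner` are placeholders to replace with your own values.

```php
<?php
/**
 * Added example, not code from the original post: performs the "Fix It Now"
 * steps with WordPress's own user functions instead of the dashboard.
 * Run it once from WP-CLI (`wp eval-file fix-admin-author.php`) or temporarily
 * from wp-content/mu-plugins/, then remove it.
 */

// wp_delete_user() lives in an admin-only include, so load it explicitly.
require_once ABSPATH . 'wp-admin/includes/user.php';

/**
 * Create an editor and a replacement administrator, then delete the old
 * administrator while reassigning everything it authored to the editor.
 *
 * @return array|WP_Error New user IDs plus a count of items still on the old ID,
 *                        or the first error encountered.
 */
function fix_admin_author( $old_admin_login, $editor_login, $editor_email, $admin_login, $admin_email ) {
    $old = get_user_by( 'login', $old_admin_login );
    if ( ! $old ) {
        return new WP_Error( 'no_such_user', "No account named {$old_admin_login}" );
    }

    // Steps 1 and 2: the day-to-day posting account and the new admin account.
    // Passwords are random; set real ones afterwards from the Users screen.
    $editor_id = wp_insert_user( array(
        'user_login' => $editor_login,
        'user_email' => $editor_email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $editor_id ) ) {
        return $editor_id;
    }

    $admin_id = wp_insert_user( array(
        'user_login'    => $admin_login,
        'user_email'    => $admin_email,
        'user_pass'     => wp_generate_password( 24 ),
        'role'          => 'administrator',
        // The nicename, not the login, is what appears in /author/ URLs, so give
        // the admin one that differs from its login in case it ever publishes.
        'user_nicename' => 'site-owner', // placeholder
    ) );
    if ( is_wp_error( $admin_id ) ) {
        return $admin_id;
    }

    // Steps 4 to 6: delete the old admin; the second argument reassigns its posts and pages.
    if ( ! wp_delete_user( $old->ID, $editor_id ) ) {
        return new WP_Error( 'delete_failed', "Could not delete user {$old_admin_login}" );
    }

    // Check: nothing of any type or status should still be attributed to the old ID.
    $orphans = get_posts( array(
        'author'      => $old->ID,
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );

    return array(
        'editor_id' => $editor_id,
        'admin_id'  => $admin_id,
        'orphans'   => count( $orphans ),
    );
}

// Placeholders: replace with your own logins and addresses before running.
$result = fix_admin_author( 'old-admin-login', 'editor-account', 'editor@example.com', 'new-admin-account', 'owner@example.com' );
if ( is_wp_error( $result ) ) {
    echo 'Failed: ' . $result->get_error_message() . "\n";
} else {
    printf( "Editor #%d, admin #%d, items still on old ID: %d\n", $result['editor_id'], $result['admin_id'], $result['orphans'] );
}
```

Step 3 (logging in as the new admin) is unnecessary when the script runs from the command line, since no session is involved. A non-zero orphan count means the reassignment did not cover everything and the site should be checked before the old login is reused anywhere. Step 7 is a habit rather than a setting; that is what the Admin Post Reminder plugin mentioned below is for.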

More WordPress Security Tips

Here are some other WordPress security tips:

WP Plugin

(Updated: 10/19/2009) Based in part on the response to this article, I’ve created a new WordPress plugin called Admin Post Reminder.

Updates

(Updated 12/04/2009) Pages and posts also contain classes in the body tag that disclose the author’s real username.
