Change your default WP ADMIN and ID - SECURITY


We all know when it comes to WordPress, security is on top of the list.

There are some malicious visitors out there who spend their time trying to break into your site and bring it down for some wicked reasons.

We can make things tough for them in many ways. But let me quickly give you two things to do and why.

  1. Change your default admin username
  2. Change your default admin ID

I see lovely members here asking how to change the default admin username and almost no one cares about the admin ID.

Look, if you simply go ahead and change the username without giving it a higher random ID number, a hacker can easily get the new username from the default ID, which is 1, and I will show you how.

If the malicious attacker does not know the admin username, he has to guess both the username and password during a brute force attack.

This means the chances that the attack will succeed are much less and the attack will take much longer to complete, and the longer the attack takes, the more the chances of you or the hosting provider identifying the attack, which is exactly what you want.

A brute force attack is a trial-and-error method used to obtain information such as a user password or username. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.

Here is why you need to also change admin ID from 1 to a higher random number.

If you simply change the admin username, here is how anyone can effortlessly get the new username using the default ID.

He simply goes to your blog and types this in the browser:

https://www.yourblogurl.com/?author=1

WordPress will redirect him to this:

https://www.yourblogurl.com/author/superadmin/

and you see the new admin username at the end of the URL.
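You can check your own access logs for this kind of probing. The following is an added example, not part of the original post: it scans log lines for `?author=N` requests, lists the IPs that walked several IDs, and lists the IDs that were answered with a redirect (meaning a username was exposed). The log lines are constructed samples in the common "combined" format, and the `min_ids` threshold is an assumption you can tune.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2017:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:10:01:02 +0000] "GET /author/superadmin/ HTTP/1.1" 200 5120 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 404 312 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 312 "-" "curl/7.50"
198.51.100.20 - - [12/Mar/2017:10:05:00 +0000] "GET /?p=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2017:10:06:00 +0000] "GET /author/superadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def author_probes(log_text):
    """Map client IP -> {author ID: HTTP status} for every ?author=N request."""
    probes = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        for value in query.get("author", []):
            if value.isdecimal():
                probes[ip][int(value)] = int(status)
    return probes


def report(log_text, min_ids=3):
    """Return (scanners, leaked): IPs that tried >= min_ids author IDs,
    and the author IDs that were answered with a redirect."""
    probes = author_probes(log_text)
    scanners = sorted(ip for ip, ids in probes.items() if len(ids) >= min_ids)
    leaked = sorted({i for ids in probes.values()
                     for i, status in ids.items() if status in (301, 302)})
    return scanners, leaked


if __name__ == "__main__":
    scanners, leaked = report(SAMPLE_LOG)
    print("IPs enumerating author IDs:", scanners)
    print("Author IDs that redirected (username exposed):", leaked)
```

An ID that shows up in the second list is one whose username was handed out, so that is the account to rename and renumber first.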

I know you can use plugins to limit login attempts to 3 or 5 to block any user trying several failed attempts. But changing these elements takes you a step ahead in securing your business.

So how do I change these 2 elements?

1) Go to the database and manually effect the changes. But this is the hard way and should not be attempted unless you are familiar with the database environment.

2) Use a plugin.

I use iThemes Security on some of my blogs for this.

NB: Always make sure you run a backup of your db before making any changes that affect it.


Recent Comments

Hello Enstine, I've purchased and downloaded iThemes Security to my computer ... now all I need to know is how to apply it to my website. =) Also, how do I run a backup of my database?

Hi,
Do you know how to install a wp plugin? The process is same.
I'll recommend you take a look at these tutorials https://ithemes.com/tutorials/getting-started-ithemes-security/

I don't know ... yet. But, I can learn. Thank you so much for helping me, Enstine. I really appreciate it. .... I will definitely watch the tutorials. =)

Thanks for sharing.

Another post for the file.

good thoughts

You're absolutely right. I never use the "admin" username on any of my blogs (WA hosted or otherwise) and I was surprised that WA default to using "admin" as a blog's username.

They also use the wp_ prefix on database table names, another security weakness. I'm sure it wouldn't take much effort for them to randomize the username and table prefixes for added security.

Here's a post I wrote about WordPress security some time back:

http://www.topdesignblogs.com/why-you-need-to-secure-your-wordpress-sites/

...and here's where you can download my WP security ebook that's mentioned at the end of the post:

http://webbizkb.com/dl/WordPress-Security-Bible.pdf

You can't afford to be complacent about the security of your blogs. WA do a lot to mitigate the dangers but no system is 100% secure.

Hey Gary,
Thanks for your input.

What do you think about this article?
https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/


I'd be with commenter Erik K's analysis in the comments on that post. Changing table prefixes may not be a huge security benefit, but it is a benefit nonetheless.

I ran the script but didn't get the same results as his.
It may not work in all cases and that's a huge point to consider.

I've never had an issue with changing table name prefixes but then I do it first thing when installing a blog using BackupBuddy (I install from a clone of a basic site). I haven't done this on my WA blog since WA install the blog for you and you've no control over it. With self-hosted blogs hosted outside of WA, you can have full control of the blog install process.

I have changed the table name prefix successfully on older blogs with the "All In One WP Security" plugin (in Database Settings).

Great advice. I will heed your words, my friend.
All the best,
Wendi :)

Hey Wenda,
Thanks for feedback

Thanks for this information. Carol

Thanks for showing up Carol

You're welcome.

Thanks this is very helpful information.

Thanks

Hi. That's spot on. Good one.

Thanks

Thanks Enstine for this useful blog. I am really not accustomed with programming. What is the easiest way to do that? Two months ago, somebody tried to break through my websites. But I asked help from the support center. This is really very essential!
Rania

Hi Rania,
You really do not need programming knowledge to excel with wp as you already know.

I recommend using the plugin I mentioned above or any other security plugin recommended by the training here
