WordPress Security: Create a New User and Delete the Default “admin” Account

Nov 4, 2009

This post tells you the simplest way to improve security on your WordPress website or blog.

Recently there was a big security scare for WordPress users. A “worm” (a form of automated malicious software) was traveling around the Internet trying to break into unsuspecting WordPress users’ sites. Even high-profile bloggers like Robert Scoble were caught without adequate file and database backups in place. Scoble lost a bunch of posts, and said he felt less certain of WordPress as a result.

But the fact is, Scoble should have backed up his site. At the very least, he should have checked with his host to see if they create automatic backups. (You should do the same with your host. Why wait until after something goes wrong to find out?!) If you don’t know how to backup your MySQL database and the files in your wp-content directory, now is a good time to learn. Your web host should be able to help. If not, let me know. If your site is hosted on WordPress.com, no worries! They make backups for you. However, you might want to do a Tools > Export in the WordPress Dashboard (save the .xml file to your hard drive) just in case! Unless you have an explicit agreement with WordPress.com about backing up your data, don’t expect to hold them responsible for data loss on your site.

Here are two good posts about WordPress security inspired by the latest worm scare:

How to Keep WordPress Secure
by Matt Mullenweg – WordPress.org

Old WordPress Versions Under Attack by Lorelle VanFossen

The first thing everyone with a self-hosted (non-WordPress.com) WordPress site should do is this:
Create a new User account with a not-so-simple username. The default username that comes with WordPress is “admin”. That usually comes with a crazy-difficult password. Unfortunately, most people then change the password to something easy like “mydogname” or whatever.

Worms trying to hack into your WordPress site know to try “admin” as a username because it works probably 70% or the time or more! Then they just have to hack your simple password and they’re done.

So do yourself a favor. Login to WordPress. Go to Users (under Appearance) > Add New User. Use a difficult username, something with upper and lower case letters at the very least. Not something obvious. Then use a difficult password, something with upper and lower case letters, at least one numeral and one special character like * or ( or % etc. Don’t worry about the username displaying as your name on the site. You can enter your first and last name, and then use the dropdown menu to tell WordPress to use that instead of the username after blog posts and such. Be sure to note the email address you use for your site admin (under Settings > General). You can use a different email address for each new user account you create.

After you have created the new user account, log out and then login with the new account to make sure it works. After you have done that, you can delete the admin user account. That way, worms won’t be able to use that username to hack into your site.

Again, this is the simplest way to improve security on your WordPress website or blog.

Comments: 9