A few years ago, I wrote an article on securing your WP blog by deleting the original admin account. The default “admin” allowed an easier way for hackers to find a way into your blog and wreak havoc. During that time, there were also a number of other vulnerabilities in the WP core.
Have you recently had your WordPress installation hacked? Did the hackers fill your theme files with link spam? If so, you might have spent some time doing an upgrade and clean install of WordPress. As part of this process, you probably also changed the password you use to log in to WordPress.
I had this problem a few months ago and found that changing my password was not enough. One additional step that closes an obvious door is to delete the original admin account. If you don’t, it’s probably only a matter of time before you are re-hacked.
By deleting the “admin” login, a hacker now has to figure out an appropriate username AND password combination rather than only the password. Hackers know that the default WP installation process leaves you with an administrative username of “admin.” They can safely assume that most people never change it, so a login attack against a default install needs to guess only the password. One caveat: WordPress does not treat usernames as secrets (author archive pages, for example, often expose the login name of anyone who has published a post), so pick a login that is not simply your display name and treat the password as the real barrier.
If you haven’t done this and you are logging in as “admin,” follow these steps:
- Log in as admin
- Create a new user for yourself and give it administrator privileges.
- Log out of admin and log in under your new administrative username.
- Delete the original admin account.
- (optional) If you already have been posting on your blog using the original admin account, you can attribute those posts to your new account when you delete the user.
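As an added illustration (my own code, not from the original post), the following Python script models the steps above at the database level on a constructed in-memory SQLite copy of the three WordPress tables involved (wp_users, wp_usermeta and wp_posts, using WordPress's default wp_ prefix and its serialised administrator capability), then runs the checks worth doing afterwards: that no “admin” login remains, that no post is left pointing at a deleted author, and which accounts still hold the administrator role. Passwords, the other columns and the rest of the schema are left out, and the sample rows are made up for this example.

```python
import re
import sqlite3

# Constructed stand-in for the three WordPress tables an admin-account swap touches.
# Table, column and meta_key names follow WordPress's defaults (wp_ prefix); the rows
# are sample data made up for this example, and password columns are omitted.
SAMPLE_SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE, user_email TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_title TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'owner@example.com');
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_posts VALUES (10, 1, 'Hello world'), (11, 1, 'Second post');
"""

# How WordPress serialises the administrator role in wp_usermeta.
ADMIN_CAP = 'a:1:{s:13:"administrator";b:1;}'


def sample_db():
    """Fresh in-memory database loaded with the sample rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_SCHEMA)
    return db


def replace_admin(db, old_login, new_login, new_email):
    """Create the new administrator, hand it the old account's posts, delete the old account."""
    cur = db.cursor()
    row = cur.execute("SELECT ID FROM wp_users WHERE user_login = ?", (old_login,)).fetchone()
    if row is None:
        raise ValueError(f"no user named {old_login!r}")
    old_id = row[0]
    cur.execute("INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
                (new_login, new_email))
    new_id = cur.lastrowid
    cur.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                "VALUES (?, 'wp_capabilities', ?)", (new_id, ADMIN_CAP))
    # The "attribute those posts to your new account" option: re-point post_author.
    cur.execute("UPDATE wp_posts SET post_author = ? WHERE post_author = ?", (new_id, old_id))
    # Deleting a user removes its rows from both wp_users and wp_usermeta.
    cur.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (old_id,))
    cur.execute("DELETE FROM wp_users WHERE ID = ?", (old_id,))
    db.commit()
    return new_id


def audit(db):
    """Post-cleanup checks: leftover 'admin' login, orphaned posts, who is still administrator."""
    cur = db.cursor()
    admin_rows = cur.execute(
        "SELECT COUNT(*) FROM wp_users WHERE user_login = 'admin'").fetchone()[0]
    orphans = cur.execute(
        "SELECT ID FROM wp_posts WHERE post_author NOT IN (SELECT ID FROM wp_users)").fetchall()
    role_rows = cur.execute(
        "SELECT u.user_login, m.meta_value FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'").fetchall()
    admins = [login for login, caps in role_rows
              if re.search(r's:13:"administrator";b:1;', caps)]
    return {
        "admin_login_remains": admin_rows > 0,
        "orphaned_posts": [row[0] for row in orphans],
        "administrators": admins,
    }


if __name__ == "__main__":
    db = sample_db()
    print("before:", audit(db))
    new_id = replace_admin(db, "admin", "jsmith", "owner@example.com")
    print("after: ", audit(db), "new admin ID", new_id)
```

On a live site you would do the same through the Users panel (WordPress offers the “attribute all posts to” choice when you delete a user) or with WP-CLI (`wp user delete admin --reassign=<new user ID>`); the first two audit queries can be run unchanged against the real MySQL database to confirm the result, and the administrator list is worth eyeballing after a compromise in case an account you did not create is still holding the role.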
Since you are taking the time to do this, you should also consider using a strong password. Most people simply use an easy-to-remember word as their password. A plain word is the first thing a password cracker tries, and mixing upper- and lowercase letters barely helps, because the cracker tries the obvious capitalisations too. Adding a number or two is better: for a password that has to be guessed character by character, the number of possibilities is the alphabet size raised to the length, so widening the alphabet from 52 letters to 62 letters and digits (and making the password longer) multiplies the attacker’s work with every extra character.
But if you REALLY want a secure password, you need a combination of the following:
- Upper and Lowercase letters
- At least one (1) number
- At least one (1) symbol (those do-hickeys above the numbers)
This makes it FAR more difficult for a hacker to guess your password by brute force. Incidentally, WP 2.5 has added a nice feature in the users panel to tell you the strength of your password. If you follow the above, it will indicate you have a strong password, though keep in mind that the meter only scores the mix of characters; it cannot tell whether the password is built from a common word.
Of course a completely random string of characters would be best, but who can remember that? So most people rely on a word they can remember. But words can be hacked with a dictionary cracker. One little hint to further password strength is to swap a letter for a number. This changes your passWORD to a NONword. For example, if you use a “3” for your “E” (or “e”), then “Bubble” becomes “Bubbl3”. See how the 3 is a backwards E? Now add some other numbers and symbols and you have a much stronger password. 1%Bubbl3 is FAR superior to bubble, and “one percent bubble” should be just as easy to remember as “bubble” alone. One caveat: the e-to-3 swap is so common that dictionary crackers try it (and the other usual swaps) as a standard rule, so on its own it buys very little; the extra symbols and characters are what add real work, and the more of them the better. A short phrase of several unrelated words is another memorable option that a dictionary of single words does not cover.
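To put numbers on the claims above, here is an added example (my own code, not from the original post) that builds a tiny rule-based cracker of the kind dictionary tools use: it takes a constructed five-word list and tries case changes, the usual letter-for-digit swaps, and short prefixes and suffixes. It shows that “bubble” and “Bubbl3” fall within a dozen guesses and “1%Bubbl3” in about half a million, while a truly random 8-character password over the 95 printable characters would cost around 2^52 guesses. The word list, the swap table and the affix alphabet are assumptions chosen to keep the run short; real tools use far larger ones.

```python
import itertools
import math
import string

# Constructed five-word list; real cracking wordlists run to hundreds of thousands of entries.
WORDLIST = ["apple", "bubble", "dragon", "monkey", "welcome"]

# The usual letter-for-digit swaps, the same ones people use to turn a word into a "nonword".
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Characters tried as prefixes and suffixes, up to two at a time (assumption: a small set
# chosen so the run stays short; real tools try far more).
AFFIX_CHARS = string.digits + "!@#$%"


def random_password_bits(length, alphabet_size):
    """Bits of work to brute-force a truly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def leet_variants(word):
    """Every way of swapping zero or more of the substitutable letters for their digit."""
    slots = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    return ["".join(chars) for chars in itertools.product(*slots)]


def case_variants(word):
    return [word.lower(), word.capitalize(), word.upper()]


def affixes():
    """'' followed by every 1- and 2-character string over AFFIX_CHARS, shortest first."""
    yield ""
    for n in (1, 2):
        for chars in itertools.product(AFFIX_CHARS, repeat=n):
            yield "".join(chars)


def base_words():
    """Dictionary words with the case and leet rules applied; the cheapest guesses come first."""
    return [v for w in WORDLIST for c in case_variants(w) for v in leet_variants(c)]


def candidates():
    """Rule attack: bare words first, then every prefix/suffix decoration of each word."""
    base = base_words()
    for prefix in affixes():
        for suffix in affixes():
            for word in base:
                yield prefix + word + suffix


def crack(targets):
    """Return {password: guess_number} for each target the rule attack reaches."""
    remaining = set(targets)
    found = {}
    for n, guess in enumerate(candidates(), 1):
        if guess in remaining:
            found[guess] = n
            remaining.discard(guess)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    hits = crack(["bubble", "Bubbl3", "1%Bubbl3"])
    for pw, n in hits.items():
        print(f"{pw:10} found after {n:>7} guesses")
    print(f"random 8 chars over 95 symbols: ~2^{random_password_bits(8, 95):.1f} guesses")
```

The point of the comparison is that “1%Bubbl3” is not strong because it contains a digit and a symbol; it is merely more expensive than “bubble” because the cracker has to work through the prefix and suffix rules first, and with a real affix alphabet and wordlist that cost is still far below a brute-force search of random 8-character passwords.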
These easy steps will make it much harder for you to be hacked again!