Over the last several months, the WordPress community was impacted by the worst security attack in its history. This round focused on simply breaking in through the login process, not using backdoor techniques, SQL injections, or other more devious approaches. Understanding how the attacks worked was a key part of patching the problem, and many hosting companies instituted extensive protective measures; some people did nothing.
“I fight for the users.” – TRON
Security should always be on our mind. If for some reason you never took action on this front, or you would like to be pro-active for the future, here’s a quick way to make sure that these hacking approaches will not work in the future.
Understanding the User System
WordPress usernames can never be changed from the Dashboard. This is for everyone’s protection, because so many things are tied to the user name and ID in the database, that altering these values on a whim would be disastrous. Yes, there are methods for altering the username in the database, but we’re trying to do this simply and easily, remember?
The process couldn’t be quicker:
- Add a new Administrator via the Users area of the WordPress Dashboard.
- Log in with the new account.
- Remove the “root” Administrator account and transfer all content to the new user.
See? I told you this would be simple. Let’s begin.
Adding and Removing WordPress Users
Step 1 – Add New User
Using an existing Administrator account, log in and navigate to the Users area of the Dashboard. We need to add a new Administrator account with a unique username. Don’t use a derivative of admin, editor, or any standard managerial term. We need to create something that hacking scripts will not be looking for; try using a combination of your name, numbers, etc. Try to avoid terms that include the name of the site itself as well; you can use the Nickname field to create any public-facing title that you like.
NOTE: This is also a great time to institute better passwords! It is a universal truth that you can always have a better password than you do right now. Read up on generating secure passwords and pick a good one, or all of these efforts will be wasted.
Step 2 – De-Throne Admin
Now that you have a new sheriff in town, it’s time to remove the “root” user from power. Log in with your new Administrator account and go back to the Users area. Don’t be frightened by the Delete button – all of your content will be transferred to the new user in the next step.
Step 3 – Transfer Content
After you try to delete the account, you will see a screen that asks what you would like to do with any content owned by the previous Administrator. Even if you think you don’t have anything to transfer, go ahead and attribute everything to your new Administrator account.
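The same three steps, driven from the command line instead of the Dashboard, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root; the usernames, e-mail address and site name passed in are placeholders. The `check_username` helper encodes the naming advice from Step 1 (no admin/editor-style logins, nothing containing the site name, a sensible minimum length), and the final listing confirms that no predictable administrator login remains after the swap.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `wp` (WP-CLI) is on PATH
# and that this runs in the WordPress root. All account names are placeholders.

# Reject predictable logins: standard managerial terms, anything containing
# "admin", anything containing the site's own name, or anything under 8 chars.
# Usage: check_username <login> [site-name]   -> exit status 0 = acceptable
check_username() {
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  site=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
  case "$name" in
    admin|administrator|editor|root|webmaster|manager|user|test) return 1 ;;
    *admin*) return 1 ;;
  esac
  if [ -n "$site" ]; then
    case "$name" in
      *"$site"*) return 1 ;;
    esac
  fi
  [ "${#name}" -ge 8 ] || return 1
  return 0
}

# Usage: rotate_admin <old-login> <new-login> <new-email> [site-name]
rotate_admin() {
  old="$1"; new="$2"; email="$3"; site="${4:-}"

  check_username "$new" "$site" || {
    echo "refusing predictable username: $new" >&2
    return 1
  }

  # Step 1: create the replacement Administrator. Without --user_pass,
  # WP-CLI generates a strong random password and prints it once.
  wp user create "$new" "$email" --role=administrator || return 1
  new_id=$(wp user get "$new" --field=ID) || return 1

  # Steps 2 and 3: delete the old account and attribute all of its
  # content to the new user's ID (--reassign takes the numeric ID).
  wp user delete "$old" --reassign="$new_id" --yes || return 1

  # Verify: warn about any remaining Administrator with a guessable login.
  wp user list --role=administrator --field=user_login | while read -r login; do
    check_username "$login" "$site" \
      || echo "warning: predictable admin login still present: $login" >&2
  done
}

# Only perform the rotation when explicitly requested, e.g.:
#   ROTATE_ADMIN_RUN=1 sh rotate-admin.sh admin rowan_k_1983 rowan@example.com example
if [ "${ROTATE_ADMIN_RUN:-0}" = "1" ]; then
  rotate_admin "$1" "$2" "$3" "${4:-}"
fi
```

Because WP-CLI acts with full privileges on the database, you do not need to log in as the new user before deleting the old one; run it from the new account's credentials on the Dashboard afterwards to confirm the content transfer worked.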
That’s it! You are now running a much more secure WordPress installation. There will always be risks involved with running a website; even this safe, secure method for switching accounts can be a problem if you are running a poorly-written plugin that is looking for the user’s name instead of their unique ID. Remember to evaluate your current setup before making big changes, take time to walk through what you know, then apply these simple steps to make an informed decision.
Taking steps like these can help you spend more time publishing and less time worrying about security…that’s the real goal, right?