Friday, November 30, 2012

WordPress: Hackers Are Trying To Get Into Your Blog


If you have a self-hosted WordPress blog using the default username of "admin" with the Administrator role, you've already given a hacker half of the credentials needed to get into your blog.

Case Study

One day I was checking the click log on one of my affiliate accounts to see which web pages were sending traffic to my offer. I noticed hundreds of entries from a handful of IP addresses over the course of a couple of days. They looked like mini denial of service attacks.

In an attempt to figure it out, I installed a plug-in called Bad Behavior. It blocks link spam, fake robots and other malicious activity. In reviewing the log, I noticed repeated entries from a malicious bot attempting to log in with the username of "admin". The passwords being used were common words like abc123, 12345, test, password, password1, qwerty and even jesus.
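As an added illustration (not part of the original post, and not the Bad Behavior plug-in's own code), the following Python script flags the pattern described above, repeated failed logins as "admin" from a handful of IP addresses. The log format is a constructed, simplified access-log style, and it uses the fact that a failed WordPress login re-renders wp-login.php with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format: <ip> <timestamp> <method> <path> <status> user=<name>).
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 2012-11-28T10:01:02 POST /wp-login.php 200 user=admin
198.51.100.7 2012-11-28T10:01:03 POST /wp-login.php 200 user=admin
198.51.100.7 2012-11-28T10:01:05 POST /wp-login.php 200 user=admin
198.51.100.7 2012-11-28T10:01:06 POST /wp-login.php 200 user=admin
198.51.100.7 2012-11-28T10:01:08 POST /wp-login.php 200 user=admin
203.0.113.9 2012-11-28T11:15:40 POST /wp-login.php 200 user=admin
203.0.113.9 2012-11-28T11:15:41 POST /wp-login.php 200 user=admin
192.0.2.44 2012-11-28T12:00:00 POST /wp-login.php 302 user=editor_jane
192.0.2.44 2012-11-28T12:30:00 GET /2012/11/some-post/ 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it is not a login-style record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_login_attempts(log_text):
    """Return {ip: Counter(username -> failed attempts)} for requests that look like failed logins."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # A login POST that fails re-renders the form with 200; success answers with a 302 redirect.
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == "200":
            attempts[rec["ip"]][rec["user"]] += 1
    return attempts

def flag_brute_force(log_text, threshold=3, username="admin"):
    """IPs with at least `threshold` failed logins for `username`, most active first."""
    attempts = failed_login_attempts(log_text)
    hits = {ip: users[username] for ip, users in attempts.items() if users[username] >= threshold}
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins as 'admin'")
```

The threshold is deliberately low for the sample; on a real site, tune it to your own traffic and feed the flagged addresses to whatever blocking mechanism you already use.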

If you're guilty of creating a WordPress Administrator account in such a manner, it's only a matter of time before a malicious bot gains access. Always create usernames and passwords at least 8 characters in length with a combination of upper and lowercase letters, numbers, and a few extra characters such as a period, dash, underscore, asterisk, plus or equal sign.

Creating a New Administrator

You can create a new user and assign it Administrator privileges, then be sure to delete the old "admin" user. When you delete it, you'll be asked if you want to transfer the posts created under that name to another user. Assign them to the new user. If you don't, they will be deleted. The other option is to change the admin's username to something else.

Changing the Admin Username

Once a user has been created, its username cannot be changed from within the WordPress Dashboard. Changing the display name in the user profile does not change the username. It can only be changed at the database level by updating the user_login value in the wp_users table where user_login = "admin". This can be done from within your web hosting control panel via phpMyAdmin.

To find the right database to update, use your host's File Manager or FTP to get to your web server. In the root of your WordPress installation, open the wp-config.php file. Scroll down until you find the define statement for the DB_NAME parameter. It will include your hosting account user name followed by _wrdp and then a number. That number is your database number.

Regarding the Bad Behavior plug-in, it will create a log file of all blocked activity. Needless to say, if there is a lot of activity, the log will grow very rapidly. At the time of this writing, there is no way within the plug-in to clear the log. It can be emptied manually by deleting everything from the wp_bad_behavior table using phpMyAdmin. Another option is to use a database plug-in like WP DBManager to empty the table.
