Today we will discuss security of WordPress site. I am not an expert on the topic but I know a few little tips how to make a WordPress site more secure and I want to share this knowledge.
The WordPress is the most popular platform on the web and because of that the security threat is real. I have four WordPress websites and recently implemented some measures to lower the risk of hacking.
The three bits of information needed to log on as an administrator and take over the control over WordPress site is url address of WordPress login page, admin name and password (of course it is also possible to hack via FTP or database).
I think we should guard these three vital pieces of information but in many cases the hacker may already know two out of three key elements.
Changing WordPress admin username
The first problem, especially with older WordPress installations, is that the default administrator login name is ‘admin’. Today more and more hosting companies provide different login after WordPress automatic installation, but I am sure that some of them still use ‘admin’ as user name.
This is a serious mistake, the hacker knows about it and all he needs to find out is the password. If the site is not protected in any other way, brute force and other types of attacks can be used to crack the password.
The solution is relatively easy, if you log in as ‘admin’, you need to make a few changes to log as somebody else. Because things can always go wrong, before the changes are applied it makes sense to make a copy of the database (if you do not know how to do it in CPanel, ask for help your hosting company).
WordPress will not allow you to simply edit or change username. You need to do following steps, create a new admin user and delete the old one:
How to change WordPress admin username
- In the dashboard, click on Users, and create a new user (Add New).
- Use your nickname or any other name (‘admin_1’ if you do not have any better ideas) as username
- You also need to provide different address than on original account. If you do not have separate email, ask your family member for permission and use theirs (you will be able to change this email later on).
- First Name, Last Name and Website are optional
- You can see the password by clicking Show Password button. WordPress will create a strong password but you can overwrite it with your own one. Remember or copy the password or use checkbox to send it to the email address (I will briefly discuss passwords shortly).
- Click the box Add New User and your site will have two administrators: admin and your new username.
- Now you need to log out of the WordPress site as admin and log on back again with your new credentials.
- Go back to the Users menu, use the checkbox next to admin and delete it. Be Careful, you will be asked about post attribution. All the posts written by admin you need to attribute to your new username otherwise WordPress will delete all these posts!
- After deleting the old admin, you can edit your current user and change the email address to the original one.
That is all, if a hacker tries to use admin as login neme he will not be able to log on as such user does not exist any more 🙂
Secure WordPress Password
I briefly mentioned password creation previously. Of course, it is important to have a strong and unique password to protect your site. The problem is that strong password are difficult to remember. But there is a way. I have written an article about how easily create an easy to remember but very strong password. Please read How to create a strong password. As mentioned in this article, you can also use password managers like:
to help you out with creating and maintaining really strong password (you just need to remember one password to log on but password manager will help you with all other passwords).
Changing WordPress admin login URL
The last element to be guarded is URL address of the WordPress site. The standard WordPress login page URL finishes with:
so the whole URL may look like
Now, everybody interested in the topic know this but as the owner of the site, we can use a different, hidden URL to log on. Because many of the attacks are carried out without visiting the site by the hackers, even if you have got users on your website and have to include the link to login page, it still makes sense to change the address (you will just send people via link to different address).
It is possible to change login URL pragmatically, but an easier solution is to use one of the plugins for it. There are a few options but I think that WP Security is one of the best plugins out there. Apart from possibility of changing login URL, the plugin offers lots of other solutions that will protect your site and increase its security.
If you decide to install it, click WP Security link in the dashboard menu and choose Brute Force settings. Clicking the first tab will display Rename Login Page Settings. Read carefully all the information. At the bottom, you can specify Login Page URL, so instead of /wp-login.php the login page address will end with /login_ or something similar. Be careful and remember this new login address! Once you mark the checkbox to enable it and click the button Save Settings you will be logged out and you will have to use the new address to log back again.
If you have any links leading to old login page, you need to update those as well.
Last but not least, I encourage you to use other options of WP Security. This is great plugin that can help you to protect your site even further.
That is all this time, I hope you have found this information valuable. Please let me know if the comments below if you have any questions.