WordPress Hack Prevention Tip #2: Protect Your Usernames

In a previous article, WordPress Hack Prevention Tip #1: Use Strong Passwords, we discussed how important it is to make your user passwords unguessable. But passwords are only part of the battle. For a hacker or malware-bot to log in on your behalf, they need both your password and your username. By protecting the usernames on your site, you make it much more difficult for someone to even attempt to guess your password.

Below are some tips on how to increase your security by making sure all of your users and their usernames are protected.

Avoid Admin or Administrator

Two of the most widely used usernames in WordPress are “admin” and “administrator”. When bots attempt a Brute Force attack, they will simply try to log in as “admin” or “administrator” and enter password after password until they are successful. In a later article we will discuss plugins that can help block Brute Force attacks, but as a basic precaution, we should be stricter about our choices of usernames.

If you have a user on your site with the username “admin” or “administrator”, you should change their username immediately. There are two ways to do this: delete the user and attribute their posts to another user, or log in as the user and use a plugin to help change the username.

Delete the user

To delete the user, navigate to the Users page in your WordPress backend. Hover over the user you want to delete and select the “Delete” link.

If the user made posts in the system, you will be presented with a page that allows you to either delete their content, or attribute the content to another user. In most cases you will want the latter. After all, you don’t want to lose any content on your site!

Change the Username

To change a user’s username you will first need to log in as that user, and then navigate to the user profile page. Unfortunately, WordPress doesn’t allow you to edit your username. To make that change, you will need to install and activate a plugin called Username Changer. This will give you the ability to edit the username directly on the profile page.

After you have changed the username, remember to deactivate and delete the Username Changer plugin. You won’t need that anymore.

Block The Author Page

If hackers can find your usernames, they can use them to try to log in to your site. Unfortunately, WordPress has a built-in author page that can be exploited by hackers to obtain your username. Place the following code in your .htaccess file to prevent this from happening. Please be very careful placing this code. One wrong character and your site may not load properly.

# BEGIN block author scans

RewriteEngine On
RewriteBase /
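# Match any request whose query string contains author=<number> (case-insensitive)
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
# Answer those requests with 403 Forbidden; the substitution must be a plain hyphen
RewriteRule .* - [F]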

# END block author scans
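
To confirm the rule is actually being applied, you can look for author=N requests in your access log and check that each one was answered with 403. The script below is an added example, not part of the original article; it assumes the Apache combined log format, the sample log lines are constructed, and the function name author_scans is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:15:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:08:15:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:08:15:03 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "scanner"
198.51.100.4 - - [10/Mar/2024:09:00:00 +0000] "GET /?AUTHOR=1 HTTP/1.1" 403 199 "-" "scanner"
192.0.2.10 - - [10/Mar/2024:09:05:00 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Same pattern as the RewriteCond above; the [NC] flag becomes re.IGNORECASE.
AUTHOR_RE = re.compile(r'author=(\d+)', re.IGNORECASE)


def author_scans(log_text):
    """Return {client_ip: {"ids": set of author IDs, "unblocked": count}}."""
    hits = defaultdict(lambda: {"ids": set(), "unblocked": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        q = AUTHOR_RE.search(urlsplit(target).query)
        if not q:
            continue  # ordinary request, no author= in the query string
        hits[ip]["ids"].add(int(q.group(1)))
        # With the rule active, every such request should be answered 403.
        if status != "403":
            hits[ip]["unblocked"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(author_scans(SAMPLE_LOG).items()):
        state = "RULE NOT APPLIED" if info["unblocked"] else "blocked"
        print(f"{ip}: author IDs {sorted(info['ids'])} -> {state}")
```

Any client listed with a non-zero "unblocked" count received something other than 403 for an author request, which means the .htaccess block is missing, misplaced, or not being read by the server.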

One User Account Per Team Member

As I mentioned in the last article, it’s best if each member of your team has their own user account. That way, no username is shared by several people, and access can easily be revoked from users you don’t want on your system anymore.

Shameless Plug

Making your site secure by getting rid of “admin” and “administrator” and by blocking the author page will help considerably with Brute Force Attacks. In a future article we will discuss some plugins that will help you prevent this kind of attack even more. If you need any help implementing tighter security, please contact us for a free security consultation.

Let us know what you think.
