WordPress Security Tip #1 – Get Rid of the Admin Account

A number of people have asked me for some more detail on how to implement some of the suggestions I made in this post. So, here is the first in the series of in-depth tutorials on how to better secure your WordPress blog.

It’s important to secure your WordPress blog. We’re bombarded daily with tales of worms, virii, and Trojan Horsies. Secure this! Lock down that! Protect yourself! Fortunately, the chances of your self-hosted WordPress blog being attacked are fairly slim, but it does happen. This is the first post in a series on how you can tighten down the security of your blog.

Step #1: Sign the online petition at http://shipthemoff.com to reopen Devil’s Island as a penal colony, and send all convicted hackers there to fend for themselves (remember Papillon?).

All right, so we can’t do that. So, the first thing you should do is get rid of the default ‘admin’ user account that WordPress so kindly sets up for you when you install it. (Newer versions of WordPress let you choose the administrator’s username during installation; if yours offers that, don’t accept ‘admin’ and you can skip this tutorial entirely.) You can do it in a few simple steps:

  1. create a new user account
  2. log out and log in under the new name
  3. delete the ‘admin’ account

Here’s how.

First step: always the very first step when you’re messing with important parts of your blog – back up your database! (I’ll be showing you how to do that in a future post)

After you’ve backed up your database, continue on:

In your dashboard, find Users and expand it. Click on Add New.

  • on the Add New screen, enter your details, using a new username. Pick a username that isn’t obvious. If you really want to go all out, you can make up a username that looks like a password: mix upper- and lower-case letters and numbers, and don’t use words that can be found in the dictionary (WordPress strips most symbols such as ! and ^ out of usernames, so stick to letters, numbers, underscores, hyphens and periods). Treat the username as a speed bump rather than a secret, though: by default WordPress builds the author archive URL from the login name (/?author=1 redirects to /author/username/) and shows the login as the post author until you set a display name, so an attacker who looks can usually find it. The password is the part that really has to be strong.
  • enter your email address and, optionally, your website address. The email address must be one that no other account on the blog uses; WordPress rejects duplicates, including the address ‘admin’ was registered with.
  • enter a new password twice. Get really creative with your password. Use at least 8 characters, preferably 12 or more, mix upper- and lower-case letters, numbers, and punctuation symbols, and don’t use words that can be found in the dictionary. Something like JpXM20&33tY!89 has the right shape (but don’t use that exact one; it’s now published on this page).
  • be sure to set the new user’s role to ‘Administrator’
  • when you’re done, click the ‘Add User’ button
  • at the top right corner of your window, click the ‘Log Out’ button to log out of your admin session.

Now, you’ll need to log back in as the new user you just created. If you did everything correctly, your dashboard will look identical to the one you saw as admin. If you don’t see all of the menu options on the left, you probably didn’t set your new user up as an Administrator.

After you’ve logged back in and everything looks kosher, you’ll need to delete the original admin account. Don’t worry, you won’t be deleting your existing posts – unless you hit the wrong button 🙂

Click on Users (called Authors & Users in older versions) again. Hover over the admin row, and you’ll see a ‘Delete’ link (hint: if you don’t see that link, you’re still logged in as ‘admin’; WordPress won’t let you delete the account you’re logged in with). Click it.

The next screen allows you to either delete all posts and links associated with the admin user, or to assign them to another user. Don’t delete all of your posts! (Personally, I think the ‘reassign’ option should be pre-selected, but that’s fodder for another day). Click the radio button to assign existing posts and links to another user, and choose your newly-created user from the dropdown box.

Click the ‘Confirm Deletion’ button, and WordPress will delete the admin account and assign the posts and links to your new account.

Next, click on the Your Profile link and complete your profile, including the dropdown box of how you want to display your name as an author.

In case of disaster:

If you managed, in the delete step, to delete all of your posts, restoring them is relatively simple, provided you made that backup first. You will, though, need to know a little bit about how to use your hosting provider’s MySQL administration tool (most likely phpMyAdmin, but ymmv). More on how to restore from a backup in a future article.

Securing Your WordPress Blogs

DANGER! WARNING! DISASTER IS COMING!
YOUR WORDPRESS BLOG IS VULNERABLE!

The simple fact is that despite the scare tactics, it’s extremely unlikely that anyone will single your WordPress blog out for attack. What does happen, to every site on the internet, is indiscriminate automated scanning for out-of-date versions, default accounts and weak passwords, and that is exactly what the measures below address. Even if something gets through, if you use some common sense, it won’t be a complete disaster. The world won’t end. The sky won’t fall.

There are a few things you can do to protect your blog and its contents. They don’t take very long, and can make your blog much less vulnerable to outside attack. For the most part, I’m not going to repeat the how-tos of these simple protections. That’s what Google is for.

Before you do anything, make a backup of your database and files! You can install and use the WP-DB-Backup plugin, but I prefer doing it myself through my hosting provider’s cPanel interface. Actually, I have a server cron job set up to automatically back up my WordPress databases, but that’s fodder for another article…

In no particular order:

Know who wrote your plugin. Do some research before you just slap up any old plugin. Plugins have full access to your WordPress installation. A badly-written or malicious plugin can destroy your blog.

Make sure you’re using the most current version of WordPress. A simple peek at your dashboard will tell you whether you’re current or not. The latest stable release can be downloaded from wordpress.org. The same goes for your plugins and your theme: a vulnerable plugin on a current WordPress is still a vulnerable site.

Remove the version number from your pages. Older themes carried a meta “generator” tag in header.php, often with a comment saying “Please leave for tracking purposes” or somesuch. Current WordPress prints that tag itself from wp_head(), so deleting it from the theme changes nothing; it has to be unhooked (the wp_generator action), and the same version string also shows up in your RSS feed, in the ?ver= query string on WordPress’s own scripts and stylesheets, and in the readme.html file in your web root. Would you rather help with tracking or have your blog hacked?
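As an added example (not code from this post or from WordPress), here is a must-use plugin that closes the version leaks just listed and, as a complement to the username advice in the first post above, stops the /?author=N lookup that hands out login names. It assumes a single-author blog that doesn’t need public author archive pages and that the wp-content/mu-plugins/ folder exists (create it if it doesn’t); the hwv_ prefix on the function names is just a name chosen here.

```php
<?php
/*
Plugin Name: Hide WordPress version and user names
Description: Added example for this post: unhooks the generator tag, strips the
core ?ver= argument, and blocks author enumeration. Lives in wp-content/mu-plugins/.
*/

/* 1. The meta generator tag is printed by wp_head(), not by the theme, so
      deleting it from header.php changes nothing. Unhook it instead. */
remove_action('wp_head', 'wp_generator');

/* 2. The same version string appears in the RSS/Atom feeds via the_generator(). */
add_filter('the_generator', '__return_empty_string');

/* 3. Core scripts and styles are linked as .../wp-includes/js/...?ver=<WordPress version>.
      Drop the argument only when it equals the core version, so plugins' and
      themes' own cache-busting versions keep working. */
function hwv_strip_core_version_arg($src) {
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src',  'hwv_strip_core_version_arg', 9999);
add_filter('script_loader_src', 'hwv_strip_core_version_arg', 9999);

/* 4. WordPress redirects /?author=1 to /author/<login>/, revealing the user name
      you chose to be unguessable. Send such requests to the front page instead.
      Priority 1 runs before redirect_canonical(), which does the revealing redirect.
      Assumption: you don't need public author archive pages. */
function hwv_block_author_enumeration() {
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}
add_action('template_redirect', 'hwv_block_author_enumeration', 1);

/* 5. Since WordPress 4.7 the REST API lists users at /wp-json/wp/v2/users.
      Hide those routes from visitors who are not logged in. */
function hwv_hide_user_routes($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'hwv_hide_user_routes');
```

Must-use plugins load automatically and can’t be switched off from the dashboard, which is what you want for a hardening shim. After dropping it in, fetch your front page and your feed and search the HTML for “generator” and “ver=” to confirm; readme.html in the web root is a static file no plugin can hide, so delete it by hand.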

Change your accounts. Everybody knows that WordPress’s famous “5-minute installation” produces an initial account with the username ‘admin’ and a generated password (newer installers let you pick the name; if yours does, pick something other than ‘admin’ right there). Do yourself a very large favor–before you do anything else on your new blog, get rid of that admin user. Set up an account hierarchy much like Linux espouses, i.e. a ‘super-user’ administrator, and a normal account with minimal permissions that you use for everyday work. Here’s how:

  • log in as ‘admin’
  • create a new ‘Administrator’ account. Be a hacker’s PITA–create a username in the same style as a good password: upper- and lower-case characters and numerals (WordPress won’t accept most symbols in a username). Create your password the same way, symbols included. Brute-forcing a username/password combo like that takes a very long time, though remember that usernames leak through author archive URLs and post bylines, so the password is doing most of the work.
  • create your ‘Author’ account. Use this account for making your regular posts; an Author can publish and edit its own posts but can’t install plugins, change themes or manage users, so a leaked posting password does far less damage. Use the same technique to create the username/password as you did on the Admin account, and give each account a different email address (WordPress rejects duplicates). Only use your Administrator account when you need to.
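Here is the whole procedure, the step-by-step from the first post above and the administrator/author split just described, as one script. It is an added example, not code from this post or from WordPress: it assumes a single-site install, that the file sits next to wp-load.php, and that you replace the constructed usernames and the two example email addresses. It deletes an account, so back up the database first.

```php
<?php
/* replace-admin.php: added example for this post, not part of WordPress.
   Retires the default 'admin' account and creates the administrator + author
   pair described above in one go.
   Run from the WordPress root:   php replace-admin.php
   Assumes a single-site install and that this file sits next to wp-load.php.
   Back up the database first. */
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php';   /* wp_delete_user() lives here */

$old_login    = 'admin';
$admin_login  = 'q7Rk2vMz9bX';               /* constructed example names: choose your own */
$author_login = 'mN4pQ8wZ2kTe';
$admin_email  = 'admin-you@example.com';     /* assumptions: two distinct addresses,  */
$author_email = 'posts-you@example.com';     /* because WordPress rejects a duplicate */

function ra_fail(string $msg): void {
    fwrite(STDERR, $msg . "\n");
    exit(1);
}

/* Create one account with a generated password; refuse names WordPress would mangle. */
function ra_create_user(string $login, string $email, string $role): int {
    if (!validate_username($login)) {
        ra_fail("'$login' contains characters WordPress does not allow in a user name.");
    }
    if (get_user_by('login', $login)) {
        ra_fail("User '$login' already exists; pick another name.");
    }
    $pass = wp_generate_password(24, true, true);
    $id = wp_insert_user([
        'user_login' => $login,
        'user_pass'  => $pass,
        'user_email' => $email,
        'role'       => $role,
    ]);
    if (is_wp_error($id)) {
        ra_fail("Could not create '$login': " . $id->get_error_message());
    }
    printf("Created %-13s %-14s password: %s\n", $role, $login, $pass);
    return $id;
}

$old = get_user_by('login', $old_login);
if (!$old) {
    ra_fail("No user named '$old_login' found; nothing to do.");
}

$admin_id  = ra_create_user($admin_login,  $admin_email,  'administrator');
$author_id = ra_create_user($author_login, $author_email, 'author');

/* Same check as "do you see every menu item?" before touching the old account. */
if (!get_user_by('id', $admin_id)->has_cap('manage_options')) {
    ra_fail("'$admin_login' is not an administrator; leaving '$old_login' in place.");
}

/* Equivalent of "assign posts and links to another user" on the delete screen:
   everything owned by 'admin' moves to the new administrator. */
if (!wp_delete_user($old->ID, $admin_id)) {
    ra_fail("Deleting '$old_login' failed; check the users table against your backup.");
}

/* Verify: nothing still authored by the old ID, and the old login is gone. */
$orphans = get_posts([
    'author'      => $old->ID,
    'post_type'   => 'any',
    'post_status' => 'any',
    'numberposts' => -1,
    'fields'      => 'ids',
]);
if ($orphans || get_user_by('login', $old_login)) {
    ra_fail("Cleanup incomplete: restore the backup and retry.");
}
echo "Done. Log in as '$admin_login', set both passwords to ones you keep in a\n";
echo "password manager, and use '$author_login' (ID $author_id) for everyday posting.\n";
```

The script stops before deleting anything if a username contains characters WordPress would strip, if either email address is already taken (the usual reason is that ‘admin’ still owns it), or if the new account somehow isn’t an administrator; those are the same mistakes the dashboard walkthrough warns about. If you have WP-CLI on the server, its user create and user delete commands (the latter with the --reassign option) do the same job interactively.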

Prevent directory listings. Different server setups need different solutions (on Apache it’s turning off the Indexes option in .htaccess or the vhost config; nginx doesn’t list directories unless autoindex has been switched on), so use the one appropriate for your hosting setup. But do it. Do it now. Nothing makes it easier to exploit a plugin vulnerability than knowing exactly which plugins and versions you’re running. Listings aren’t the only leak, though: every plugin ships a readme.txt at a predictable path under wp-content/plugins/ that states its version, so an attacker can still confirm a plugin by asking for that file directly. Keeping plugins current matters more than hiding them.

Be secretive. Don’t blare out to the world that “these are the fantastic plugins I’m using”. I mean, it’s obvious enough anyway but why make it easier?

Exclude the nice robots from your files. Use a robots.txt file that excludes the core WordPress folders (wp-admin, wp-includes, and the plugin and theme folders under wp-content) from indexing. Your posts live in the database; what sits in the filesystem is WordPress’s own code, your theme and plugins, and your uploads, and only the uploads are worth having in a search index, if you want Google to know about your images. Two caveats: robots.txt is itself public, so it tells anyone who reads it where things are, and a Disallow line is a polite request, not access control. Bad bots will ignore it, but we do what we can.

Don’t use the vulnerable legacy search code. Older themes printed the search term straight back into the results page heading and the search box (the raw $s variable) without filtering it, which turns a crafted link into a reflected cross-site-scripting hole on your site. Make sure your theme escapes the term, using WordPress’s get_search_query() or the_search_query(), which hand it back already escaped, instead of echoing $s. Google for more information.
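To make the search problem concrete, here is an added stand-alone PHP demo (not from this post or any theme) showing the legacy pattern beside its escaped form. The markup and the payload are constructed for the example; in a real theme you would use get_search_query(), which is already attribute-escaped, rather than calling htmlspecialchars on $s yourself.

```php
<?php
/* Added stand-alone example for this post (no WordPress needed):
   run with  php search-escape.php  to see the legacy pattern beside the fix. */

/* The legacy pattern: old themes' search.php / searchform.php echoed $s raw. */
function legacy_search_heading(string $s): string {
    return '<h2>Search Results for: ' . $s . '</h2>';
}
function legacy_search_box(string $s): string {
    return '<input type="text" name="s" value="' . $s . '" />';
}

/* The fix without WordPress: esc_html()/esc_attr() come down to htmlspecialchars
   with ENT_QUOTES. In a theme use get_search_query() (already escaped this way)
   or the_search_query() to echo it, instead of $s. */
function escape_like_wp(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function safe_search_heading(string $s): string {
    return '<h2>Search Results for: ' . escape_like_wp($s) . '</h2>';
}
function safe_search_box(string $s): string {
    return '<input type="text" name="s" value="' . escape_like_wp($s) . '" />';
}

/* Crude check for the demo: count opening tags in the output. The templates
   above each contain exactly one; any extra tag came from the search term. */
function injected_tags(string $html, int $tags_in_template = 1): int {
    return preg_match_all('/<[a-z]/i', $html) - $tags_in_template;
}

/* Constructed payload: closes a quoted attribute, injects a script tag, then
   reopens an attribute so the rest of the line stays well-formed. It also works
   in plain text context because it contains a bare script tag. */
$s = '"><script>alert(document.cookie)</script><input value="';

$renderings = [
    'legacy heading' => legacy_search_heading($s),
    'safe heading'   => safe_search_heading($s),
    'legacy box'     => legacy_search_box($s),
    'safe box'       => safe_search_box($s),
];
foreach ($renderings as $name => $html) {
    printf("%-15s injected tags: %d\n  %s\n", $name, injected_tags($html), $html);
}
```

Both legacy renderings report two injected tags (the script element and the re-opened input) while both escaped renderings report none. The single htmlspecialchars call with ENT_QUOTES neutralises the attribute break-out as well as the bare tag, which is why WordPress’s escaping functions quote both kinds of quotation mark rather than only turning angle brackets into entities.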

Listen–if you use some common sense and employ some best-practices security, odds are extremely thin that you’ll be the victim of an attack. If you are, delete your install, reinstall from your backups (you DO have those, don’t you?), change every password on the blog and the database while you’re at it, and carry on.