There are many guides that provide information on hardening WordPress. Typical advice includes updating everything, and maybe protecting the admin area and include files. One of the most popular pieces of advice is to change the admin username to something else. This advice is usually completely wrong.

Not using the “admin” username is supposed to protect one's website from some brute-force password-guessing attacks: entering a username in the wp-login form and trying various popular password combinations. This can be done over XML-RPC too. Theoretically, if hackers do not know the username, they would have a harder time, since they would have to try usernames too.

What is wrong with this advice? Well, a typical WordPress setup gives away enough information about the usernames in use. This is especially true now that authorship information is used by Google+ and people usually have to make it public. If the profile information is filled in incompletely, the author's username is used in the author's URL. Although some automated attacks just try the default username (admin), changing it does not provide a real layer of security. Thus in some setups this advice is quite useless.

Additionally, it is very easy to brute-force usernames on a default site setup. The lost password action tells you whether the username is correct or not, so it is quite easy to try a couple of versions of a person's name, surname, default nickname and so on.

So, how can this advice be improved to make the site more secure for real?

Option 1. Remove Authorship information from WordPress and use non-default login names

The first option is to make your username harder to guess by removing every reference to author pages. You will have to remove the byline from your theme and redirect the authors list and author archives to the index page. This can be done in .htaccess.

You should also make sure that no author pages are listed in your Google XML sitemap, if you use one. Even if they are not indexed, they might be included in the sitemap file and thus be found there.

Option 2. Use a safe password for the administrator user

This is a no-brainer. If your passwords are complex enough, they cannot be guessed in a brute-force attack (though you should ensure that they cannot be intercepted while you log in to your administrative panel). The longer the password, the harder it is to guess. The longer guessing takes, the easier it is to notice the attack in the login logs (I use Simple Login Log with failed attempts enabled). Then you can block the malicious IP in the .htaccess file.
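The log review and IP blocking described above can be scripted. The following is an added example, not code from the original post: it assumes a web server access log in Apache combined format (rather than the Simple Login Log plugin), an arbitrary threshold of 5 requests, and Apache 2.4 access-control syntax; the log lines are constructed for illustration. It also counts lost password submissions and XML-RPC posts, the other guessing channels mentioned earlier.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, request, status):  # one constructed Apache "combined" log entry
    return f'{ip} - - [25/Jun/2012:04:00:00 +0000] "{request} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST /wp-login.php", 200)] * 6  # repeated failed logins
    + [_line("198.51.100.9", "POST /wp-login.php?action=lostpassword", 200)] * 5
    + [_line("198.51.100.9", "POST /xmlrpc.php", 200)] * 2
    + [_line("192.0.2.10", "POST /wp-login.php", 200),  # one mistyped password...
       _line("192.0.2.10", "POST /wp-login.php", 302)]  # ...then a successful login
)

def classify(method, path, status):
    """Name the kind of credential-related request, or return None."""
    if method != "POST":
        return None
    if path.startswith("/xmlrpc.php"):
        return "xmlrpc"  # legitimate clients use it too; the threshold absorbs that
    if path.startswith("/wp-login.php"):
        if "action=lostpassword" in path:
            return "lostpassword"  # the form that reveals whether a username exists
        # wp-login.php re-renders the form (200) on failure, redirects (302) on success
        return "login_failed" if status == "200" else None
    return None

def tally(log_text):
    """Count credential-related requests per client IP and per kind."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m.group(2), m.group(3), m.group(4)) if m else None
        if kind:
            per_ip[m.group(1)][kind] += 1
    return per_ip

def suspicious_ips(per_ip, threshold=5):  # threshold is an assumed value; tune it
    return sorted(ip for ip, kinds in per_ip.items() if sum(kinds.values()) >= threshold)

def htaccess_block(ips):  # Apache 2.4 syntax; denies only the listed addresses
    deny = [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(["<RequireAll>", "    Require all granted", *deny, "</RequireAll>"])

if __name__ == "__main__":
    print(htaccess_block(suspicious_ips(tally(SAMPLE_LOG))))
```

The single mistyped password from 192.0.2.10 stays below the threshold, so an ordinary user is not locked out by the generated rules.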

Option 3. Use 2 accounts, one for posts, one for administration

This is a mix of the previous advice. Create 2 accounts instead of one. One account should have a sufficiently complex name and administrator permissions. This account should not be used for writing. The other account should have lower permissions and can be used for posting content. This option is far safer if you have to post from public locations.

Typically, the most visible account will be attacked first. If the brute-force attack on it is successful, the administrator account will still be safe, though you might have to recover some posts from older revisions.

Option 4. Use Limit Login Attempts or similar plugin

Limit Login Attempts is a WordPress plugin that blocks access to the login panel for a while after a couple of failed login attempts. This makes brute-force attacks inefficient. The plugin can be downloaded from the main plugin repository.

Giedrius Majauskas

I am an internet company owner and project manager living in Lithuania. I am interested in computer security, health and technology topics.

1 Comment

8 Steps to Make Wordpress Safer — Giedrius Majauskas blog · June 25, 2012 at 4:38 am

[…] That’s one of the easiest things to do to make your WordPress blog more secure. Administrator account shouldn’t be used for everyday blog writing. You need it only for managing themes, plugins and updates, which you don’t do every day. Create 2 accounts : one for writing posts and one for administrating wordpress. The second admin user should not be used for posting at all. Why this should be done I explain in the post about username bruteforcing in wordpress. […]
