[This post is part of WordPress Security series.]
Early versions of WordPress created the first administrator account with the username admin and gave you no way to change it afterwards, short of editing the database directly in MySQL. That lasted long enough for admin to become the de facto standard username. WordPress now lets you choose the username during installation, but many sites still run with admin, unknowingly putting themselves at risk.
The problem is that attackers know WordPress used admin as the default username for the primary administrator account. That gives them half of the credential pair for free: all they still need is the password, so they point a brute-force script at the login form and start guessing. Because so many sites still use admin, this works often enough to be worth their while.
This is why it is worth taking a few minutes to change your username if it is admin. Because the WordPress dashboard does not let you change a username once the account exists, you have to do it another way. Here are a few methods:
Change via phpMyAdmin
phpMyAdmin is a web application written in PHP for administering MySQL databases; most hosting control panels include it.
If you would rather not use phpMyAdmin, plugins such as WP-DBManager or Adminer give you a database console inside the WordPress dashboard. Uninstall such a plugin as soon as you are done: anything that can run arbitrary SQL against your database is too powerful to leave reachable from the dashboard.
Running a SQL query
Follow these steps:
- Log in to cPanel, Plesk, or whatever control panel your host provides
- Open phpMyAdmin and select the database of your WordPress installation
- The interface differs slightly between versions, but there is always a SQL tab; click it
- Paste the following query into the box and hit "Go":
  UPDATE wp_users SET user_login = 'newusername' WHERE user_login = 'admin';
- Replace newusername with the username you want (keep the straight single quotes; curly quotes will make the query fail)
- If your installation uses a table prefix other than wp_, change wp_users to match
- If the username you want to replace is something other than admin, change that as well
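Here is the rename as a complete sequence, with the checks a careful administrator would run around it. This is an added example, not a query from the original post: it assumes the default wp_ table prefix and uses the placeholder values newusername, site-editor and Site Editor, which you should replace with your own. Take a database backup (mysqldump or phpMyAdmin's Export tab) before running it.

```sql
-- 1. Look before you leap: which row is "admin", and is the new name free?
--    wp_users has no UNIQUE constraint on user_login; WordPress enforces
--    uniqueness in PHP, and a direct UPDATE bypasses that check.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login IN ('admin', 'newusername');

-- 2. Rename. user_nicename is the slug in /author/<slug>/ URLs and
--    display_name is the byline on posts; both default to the login name,
--    so give them values that do not reveal the new username.
UPDATE wp_users
SET user_login    = 'newusername',
    user_nicename = 'site-editor',
    display_name  = 'Site Editor'
WHERE user_login = 'admin';

-- 3. The profile nickname lives in wp_usermeta and also defaults to the
--    login name; bring it in line with the new display name.
UPDATE wp_usermeta
SET meta_value = 'Site Editor'
WHERE meta_key = 'nickname'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'newusername');

-- 4. Verify: the old login is gone and exactly one account carries the new one.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login IN ('admin', 'newusername');
```

The point-and-click edit described in the next section changes only the cell you edit, so if you go that route, check user_nicename and display_name afterwards as well; otherwise the author archive URL keeps advertising whatever name those fields hold.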
Editing table value
Follow these instructions:
- Open phpMyAdmin
- Select the database of your WordPress installation
- Find the table wp_users (the prefix may differ on your site, but the name ends in users)
- Browse that table and find the row of the administrator account
- Double-click the value in the user_login column (or click "Edit") and change it
Why Not Use a Plugin!?
The best part about WordPress? There is a plugin for almost any task!
Plugins such as Admin renamer extended, Username Changer and WPVN – Username Changer can change the username for you. Don't forget to uninstall them once you're done.
Limit Login Attempts
The Limit Login Attempts plugin is a good way to blunt brute-force attacks.
It works by limiting the number of failed login attempts from one address. If you fail to log in three times in a row, you are locked out for a while. That caps how many guesses an attacker can make against the login form and turns a brute-force run from a matter of hours into a matter of years.
Limit Login Attempts is highly configurable. It's up to you:
- How many attempts to allow
- How long the lockdown (block period) lasts
- Whether a lockdown also occurs when the username entered is invalid
- When the plugin should email the admin (after how many lockouts)
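To make the mechanism concrete, here is a small model of such a limiter, written for this post rather than taken from the plugin's source. It tracks consecutive failures per client IP, locks the address out for a configurable period, optionally counts attempts against unknown usernames, and records when an admin notification would be sent. The user table, IP addresses and password guesses are constructed for the example; a real site compares against salted password hashes, not plain strings.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential table for the example. WordPress stores salted
# password hashes; a plain string is used here only to keep the example short.
USERS = {"editor": "correct horse battery staple"}


class LoginLimiter:
    """Per-IP lockout after N consecutive failures, with a timed block."""

    def __init__(self, allowed_attempts=3, lockout_seconds=1200,
                 count_invalid_username=True, notify_after_lockouts=2,
                 clock=time.time):
        self.allowed_attempts = allowed_attempts
        self.lockout_seconds = lockout_seconds
        self.count_invalid_username = count_invalid_username
        self.notify_after_lockouts = notify_after_lockouts
        self.clock = clock                   # injectable so tests control time
        self.failures = defaultdict(int)     # ip -> consecutive failures
        self.locked_until = {}               # ip -> unix time the block ends
        self.lockouts = defaultdict(int)     # ip -> lockouts so far
        self.notifications = []              # (ip, lockouts) "emails" sent

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.locked_until[ip]            # block has expired
        return False

    def _record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= self.allowed_attempts:
            self.failures[ip] = 0
            self.lockouts[ip] += 1
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            if self.lockouts[ip] >= self.notify_after_lockouts:
                self.notifications.append((ip, self.lockouts[ip]))
            return "locked"
        return "failed"

    def attempt(self, ip, username, password):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(ip):
            return "locked"                  # refused without checking the password
        expected = USERS.get(username)
        if expected is None:
            if not self.count_invalid_username:
                return "failed"              # unknown user, not counted
            return self._record_failure(ip)
        if hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[ip] = 0            # success resets the counter
            return "ok"
        return self._record_failure(ip)


def max_guesses_per_day(allowed_attempts, lockout_seconds):
    """Rough upper bound on guesses one address can make in 24 hours."""
    return allowed_attempts * (86400 // lockout_seconds)


def simulate_bruteforce():
    """Replay a short constructed attack and return (responses, limiter)."""
    now = [1_700_000_000]
    limiter = LoginLimiter(allowed_attempts=3, lockout_seconds=1200,
                           clock=lambda: now[0])
    guesses = ["password", "admin123", "letmein", "qwerty"]
    results = [limiter.attempt("203.0.113.7", "editor", g) for g in guesses]
    # Even the correct password is refused while the address is locked.
    results.append(limiter.attempt("203.0.113.7", "editor", USERS["editor"]))
    now[0] += 1201                           # wait out the block
    results.append(limiter.attempt("203.0.113.7", "editor", USERS["editor"]))
    return results, limiter
```

With three attempts per 20-minute block, one address gets at most about 216 guesses a day instead of tens of thousands; that cap is the entire effect. Note what the limiter does not do: an attacker with many addresses gets that budget per address, which is why a hard-to-guess username and a strong password are still the first line of defence.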
WordPress Gives Away Your Username
You already know why we hide usernames from strangers: an attacker who knows the username is halfway to getting in, and the rest is a brute-force attack on the password. Information that valuable should not be handed to anyone. WordPress, of all projects, should understand that, no?
Yet WordPress builds author archives at URLs like http://www.example.com/author/username. The slug in that URL is the user_nicename field, which WordPress derives from the username when the account is created, so by default author URLs expose the login name of everyone who has published a post. It's odd, but that is how it is. If you rename your account directly in the database, set user_nicename to something other than the new username, or the archive URL will give the new name away just as readily.
Conclusion
That's it! Finally, is your username something other than the dummy admin? If not, please change it now using the instructions in this post.