Imagine for a moment that hackers, whose bots constantly scour the web for vulnerable websites,
crack your administrative password, install malware on your site, and either redirect all of your traffic to their own spam, porn, or malware site.
What would the damage to your reputation and loss of traffic to your site cost you?
Probably more than you are willing to risk.
You know by now (or you should!) that using ‘Admin’ as your WordPress username is like holding the door open for rat hackers and saying, “Welcome! Come on in!” The reason for this is that hackers will try breaking your WordPress password using the default WordPress username of Admin. If you haven’t changed the username, you’ve cut their efforts in half and greatly increased the chances that your site will be hacked.
A persistent hacking attempt on one of my client’s sites today has raised a new alarm, though. This experience and its solution is one that you should assess your own site for and take similar precautions if your login has similar vulnerabilities.
Apparently, it’s no longer enough to simply change your username, because this wanna-be hacker user my client’s username. How could they have known what it was? Easy–they looked at the author name on one of her posts and guessed correctly that her username was the same as her nickname, or author name.
Had I not previously installed the Limit Login Attempts plugin on my client’s site and configured it to notify me immediately of all failed login attempts, I might never have been aware of this, and they may had ample opportunity to use their bot to continue guessing at her password would probably have cracked it within a week, installed malware, and at the very least caused her to lose reputation and traffic.
You can’t change your actual username in WordPress, but what matters most is limiting the damage a hacker can do.
First, I reduced the permissions on her current username from Administrator to Author, which will allow her to continue to post under that ID. She will not, however, be able to edit her WordPress settings in any way without logging out and logging back in with a new, more secure administrator user profile.I also changed her password for both IDs to a longer, stronger alpha-numeric password containing mixed-case alphas and a couple of random symbols, (such as * or !). Her new admin username is also alpha-numeric–not just a name.
This is only one of many security solutions that I add to every site I build, but it’s one of the most critical.
And if you are wondering whether spending fifteen minutes to secure your site by doing this, or hiring someone to do it for you, I’ll prove to you that hackers probe your site on a weekly–or even daily–basis. Just install the ‘Limit Login Attempts’ plugin (thanks for the tip, Carla!) on your blog or website and configure it to notify you by email after every lockout.
Then give it a week. Two, tops. You will be blown away by how many people are trying to hack your site. I guarantee it, or you’re invisible online. (And in that case, we should talk.)
So take a few minutes today and lock your site down just a bit more. And if you have an hour to take even stronger measures, here’s another easy (and free) way to secure your website or blog. I wrote the post for GoDaddy customers, but if you are hosted with a company that already has CloudFlare enabled for you, the information will still help you, but it should only take you a few minutes to speed your site up and add a layer of protection at the same time.