Lock Down Your WordPress Sites – Step 1 of 2
There is a constant, world-wide war being waged against WordPress sites.
If you use WordPress for your site, like I do, there’s one thing you can do immediately, and one amazing plugin you can add to it that will keep you safe from this attack.
And it’s all free. What do I recommend you do first?
First, a very brief summary of what’s happening. Then, I’ll give you some homework for today, then the plugin you need to get in the next 60 SECONDS.
Since Thursday of last week, a group of hackers has been using an automated program to attempt a large number of logins on sites that are identified as using WordPress. This is happening worldwide, in an attempt to turn those sites into automated spam servers.
You don’t want your VO actor site turned into an automated spam server. You just don’t.
Here’s an article that gives the tech details, if you want to wade through it.
(You may have noticed that the VO2GoGo site is a heckuva lot faster than it was. It’s because I implemented these suggestions – I was getting hammered by this robot-like hacking tool.)
So, first, I want you to do one thing, right now, if you haven’t already: change the name of your administrator User login from the WordPress default “admin” to something else. Anything else. That’s the first thing the tool looks for – it tries to log in with the username “admin”, and if no account on your site has that username, those login attempts can’t succeed.
Now, you can’t simply rename the “admin” user. If you try to change its username, you’ll get an error that says “Usernames can’t be changed.” What you actually have to do is create a new user with administrator privileges that isn’t named “admin”, log out, log in as that new user, then delete the old “admin” user and assign all of its articles to the newly created user.
The hackers can still slow down your site by submitting username and password combinations, over and over and over, creating a real drain on your system, and potentially cracking your password.
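That login hammering leaves a visible trail in your web server’s access log, and you can spot it without any plugin. The script below is an added example written for this post, not something from the original article or from WordPress itself. It assumes an Apache/Nginx “combined” format log and relies on one WordPress behaviour: a failed login re-serves the login form with HTTP 200, while a successful one redirects with 302. Counting POST /wp-login.php requests per client IP that came back 200 inside a short window therefore flags the robot. The log lines, IP addresses and timestamps are constructed for the demonstration.

```python
"""Flag client IPs that are brute-forcing wp-login.php (added example).

Heuristic: a WordPress login that fails returns the form again with HTTP 200;
a login that succeeds answers 302.  Many 200s to POST /wp-login.php from one
client in a short window is the signature of the automated login tool.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format (constructed sample, not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Apr/2013:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:14:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2013:14:02:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:05:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:06:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop any query string
        "status": int(m.group("status")),
    }


def failed_login_attempts(lines):
    """Return {ip: [timestamps]} of POST /wp-login.php requests answered 200."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            attempts[rec["ip"]].append(rec["ts"])
    return attempts


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failed logins inside any `window`.

    Returns {ip: total_failed_attempts}.  A sliding window over the sorted
    timestamps means a single legitimate typo never trips the threshold.
    """
    flagged = {}
    for ip, stamps in failed_login_attempts(lines).items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php attempts")
```

In the sample, 198.51.100.23 fires six failed logins in six seconds and is flagged; 203.0.113.7 mistypes once and then logs in (the 302), so it is not. Run it against your own log with `brute_force_sources(open("access.log").readlines())`, and tune `threshold` and `window` to how often your real editors get their password wrong.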
But the plugin I’m going to tell you about tomorrow will finish the job.
So go – go change your administration username.
I’ll check in with you next time with further instructions.
I’m not sure I understand. I just logged in to wordpress.com, and my login name is not admin. Where do I find my administrator User login?
You may be just fine – if you’re the administrator and your name isn’t “admin” then you’re fine. If you’re NOT the administrator, that’s a problem. Go to your WordPress backend (where you see the menu to the left that starts with Dashboard at the top of the list) and click on Users. You’ll get a list of users and their roles. One or more of them will be administrators, and one might have the name “admin”. That’s the one you want to change. If you don’t find one, you’re all set.
Hi David! Thank you for the WordPress tip. Potentially dumb question though: when I go to my user profile, next to the username admin it says “usernames cannot be changed”. Is there a way around it that I am missing?
THANK YOU for your help!
The process of “changing the name to admin” should be renamed “replacing your default admin user with a user with administration privileges that isn’t named ‘admin’, then delete the admin user and assign all their articles to the newly created user”. And I’ve changed the post to reflect that. Thank you for asking!
Hi David – Thank you for this. As far as I can tell, the original admin user that was created as part of installing WordPress cannot be deleted. Any of the others can, but not the original one. I noticed that with the latest site I installed WordPress on, the initial administrator was created automatically with a name other than admin, perhaps that is in response to this issue, but on all of my older sites the admin username was automatic and cannot be changed or deleted. If you know a way around this, I’d love to hear.
When you go to the user list, doesn’t one of the action items include “delete?” (It won’t, if you’re logged into that user – you should start logged in to the new administrator-level user you created). It was on all of my sites, and if your install is old enough that it isn’t possible, you probably need to update WordPress for many other security reasons.
Hi David – Thanks, dumb mistake on my part. Had re-logged in as original admin and therefore couldn’t delete. Oops.
OMG you just saved me. For weeks I’ve been getting these weird login emails from WP and I couldn’t figure out why. It is a really old dead site that I was going to start working on again this summer and revamp completely. Turns out they were using my site as a future spam site and there were 631 users in my admin. I cleaned it all out with my host, changed every password, updated the WP version, cleared out forms (where they think they were getting in) and changed the theme. Wow, sometimes you get a little push from the universe to get moving on something and this was that push! So grateful for this post. Thank you, thank you, thank you!!!!