Regarding user names and passwords; A best practice note from your friendly neighborhood web cat

featured image

 WordPress being the most-used software on the web these days, sites that run on it find themselves constantly under attack. If a hacker expends the energy to find a weakness that weakness will show up in so many other sites, makes it an efficient investment of time.  And suddenly your visitors will find themselves redirected to a site called “hotboobies” (ask me how I know this), and Google will be mighty displeased with you….

It’s time to take site security seriously.

One way to get  into a WordPress site is to try to log in with a username, guessing the password– that’s why WordPress (and most other sites these days) encourage or even mandate a STRONG password.  And far too many people install their WordPress site with the username ‘admin’ and the password “password” you would not believe how many! However, even the randomized ‘generated’ passwords can be discovered, with a really determined algorithm.

Here’s how to fix an insecure login name;

Now, if you happen to be reading this, and you need to change your username, never fear. Despite the warning on your profile page that your original name cannot be changed… There’s a plugin for that,   known as “Easy Username Updater.” 

Treat both your username AND  password like passwords. My suggestion is to use three to five-word phrases, based on whatever you are interested in– song titles for instance; “LoveMeTender” and a password that you can easily associate with that– “LittleSisterDontYou” plus some number and punctuation substitutions.

Or book titles, or fairytales, whatever. Car make and model is probably not such a good idea, but whatever works best for you!   
 
Once you are registered, UPDATE YOUR PROFILE.  This is not just vanity.  You might or might not want to fill in ‘first and last name” or  other contact information. But you want to make sure you delete “LoveMeTender” from the nickname field  and replace it with the name you want to show the world, or anyway that part of the world that visits your site.
Drop down a little ways and click on the pulldown menu to choose your nickname to be  your display name, and make sure that crazy username doesn’t show up as an author anywhere.
Use the username updater plugin well and wisely! And  delete it once it’s done its job.

Unfortunately, we still have still a security hole.

If you click on any author’s name in the post meta (meaning time and date, tags, author) you will be taken to a page that shows the author’s nickname as the title, but– in the URL you will still see the login name that should be hidden.  (WordPress needs to do something about that, honestly!)  Moreover, since the Admin account is the first that ever gets created in any installation, the admin’s ID number will be ‘1’ and a clever little hacker can see your login name in the URL by asking to see the information about user number 1.

Here’s how to fix the author slug problem

You will need to go into the database and manually change the user’s slug, the name that shows up in the URL. You will find it in the table ‘usermeta’ if you want to go there, but if you don’t feel comfortable with databases, there’s a plugin  you can use instead called, appropriately, “Edit Author Slug. ”
Install and activate it and it will add a new section to your profilem and it will ask you how you want your URL to read.

You can choose your nickname, or any of the other data listed in that table row, unfortunately (that long string of numbers you see is actually your encoded password so don’t choose THAT!),  or you can write in a custom slug. I like to have fun with that one, maybe even up my SEO score a little bit.
Once again, delete the plugin once it’s done it’s job.

WordPress will warn you, by the way,that these two plugins have not been updated and might not work properly with your site. They will, and will continue to work properly for a long time I promise. They both rewrite data in specific cells of one line in one table, and that’s all they do.  And– you will delete them once they have done their job.

And finally, you can  change the URL of the login page itself. this won’t hide it from everyone, but bots won’t be able to find it at least.
And there are  plenty of plugins for that.

Logins are not the only way to get into a wordpress site.

Other ways to keep hackers out;

 A security plugin, ( I like Securi, Wordfence, and Defender) (pick one only, you will run into all kinds of problems if you try to use two security systems at the same time)
and
 Spam control plugins for comments and contact forms, if your security plugin doesn’t include that.
Google Recaptcha is good too, and there are plugins to help you integrate it into your site.

I’ll be honest; I came into this strictly as a designer, and it took more than one calamity to wise me up. In my day, kids… he quavered, his cane wobbling…
ah, well, that’s water under the bridge.
My advice now, — as a designer– is to get your infrastructure solid as a (virtual) rock first. then you can use your dotting tools so to speak, without dear your work will crumble in you hand (also virtual)

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.