A best practice note from your friendly neighborhood web dude
WordPress being the most-used software on the web these days, sites that run on it find themselves constantly under attack. A weakness found on one site will show up on so many other sites that it is an efficient investment of a hacker's time to find a weakness on your site, even if the hack of YOUR site does not yield much. Then suddenly your visitors will find themselves redirected to a site called "hotboobies dot com" (ask me how I know this), and Google will be mighty displeased with you...
It’s time to take site security seriously.
One way to get into a WordPress site is to try to log in with a known username and a guessed password; that's why WordPress (and most other sites these days) encourages or even mandates a STRONG password. And far too many people install their WordPress site with the username 'admin' and the password 'password'. However, even the randomized 'generated' passwords can be discovered by a really determined algorithm.
Here's how to fix an insecure username:
Now, if you happen to be reading this and you need to change your username, never fear. Despite the warning on your profile page that your username cannot be changed, there's a plugin for that, known as "Easy Username Updater."
Treat both your username AND password like passwords.
My suggestion is to use three-to-five-word phrases based on whatever you are interested in, song titles for instance: "Love Me Tender" as the username (WordPress doesn't allow empty spaces between the words, but there's a plugin for that) and, as the password, a phrase you can easily associate with it: "Little Sister Dont You".
Or book titles, or fairy tales, whatever. Car make and model is probably not such a good idea, but whatever works best for you! Add some number and punctuation substitutions, and you'll find happy messages of STRONG approval. Once you are logged in:
Update Your Profile.
This is not just vanity. You might or might not want to fill in "first and last name" or other contact information. But you want to make sure you delete "LoveMeTender" from the nickname field and replace it with the name you want to show the world, or anyway that part of the world that visits your site.
Drop down a little way and click on the pulldown menu to choose your nickname as your display name, and make sure that crazy username doesn't show up as an author anywhere. Use the username updater plugin well and wisely! And delete it once it's done its job.
Unfortunately, we still have a security hole.
If you click on any author's name in the post meta (meaning time and date, tags, author) you will be taken to a page that shows the author's nickname as the title, but in the URL you will still see the login name, or "slug", that should be hidden. (WordPress needs to do something about that, honestly!) Moreover, since the admin account is the first one ever created in any installation, the admin's ID number will be 1, and a clever little hacker can see your login name in the URL simply by asking to see the information about user number 1.
Here's how to fix the author slug problem:
You will need to go into the database and manually change the user's "slug," the name that shows up in the URL. You will find it in the table 'usermeta' if you want to go there, but if you don't feel comfortable with databases, there's a plugin you can use instead called, appropriately, "Edit Author Slug."
Install and activate it, and it will add a new section to your profile that asks how you want your URL to read.
You can choose your nickname or, unfortunately, any of the other data listed in that table row (that long string of characters you see is actually your encoded password, so don't choose THAT!), or you can write in a custom slug. I like to have fun with that one, maybe even up my SEO score a little bit.
Once again, delete the plugin once it’s done its job.
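As an added example (it is not the post's code, nor the code of the "Edit Author Slug" plugin), here is a small must-use plugin that does what this section describes without editing the database by hand: it sets an author's public slug through WordPress's own wp_update_user() API, lists any accounts whose slug still equals their login name, and turns away front-end requests that ask for an author by number. In a stock install the slug that appears in /author/<slug>/ URLs is the user_nicename column of the wp_users table, and wp_update_user() writes that column. The file name, the example_ function names and the redirect target are my assumptions.

```php
<?php
/**
 * Plugin Name: Author Slug Hardening (added example)
 * Description: Copy into wp-content/mu-plugins/ so it loads without activation.
 *
 * Hypothetical example written for this note; the example_ names are made up here.
 */

/**
 * Give a user a public slug (the name WordPress puts in /author/<slug>/ URLs)
 * that differs from the login name. The slug is the user_nicename column of
 * wp_users; wp_update_user() merges it into the existing account record.
 *
 * Returns true on success, false if the user does not exist, the slug is empty
 * after sanitising, or the slug would simply repeat the login name.
 */
function example_set_author_slug( int $user_id, string $slug ): bool {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    $slug = sanitize_title( $slug ); // lower-case, hyphenated, URL-safe
    if ( '' === $slug || strtolower( $user->user_login ) === $slug ) {
        return false;
    }
    $result = wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );
    return ! is_wp_error( $result );
}

/**
 * Report the IDs of every account whose public slug still equals its login
 * name, i.e. every account that an author-by-number request would expose.
 */
function example_users_with_exposed_login(): array {
    $exposed = array();
    $fields  = array( 'ID', 'user_login', 'user_nicename' );
    foreach ( get_users( array( 'fields' => $fields ) ) as $u ) {
        if ( strtolower( $u->user_login ) === strtolower( $u->user_nicename ) ) {
            $exposed[] = (int) $u->ID;
        }
    }
    return $exposed;
}

/**
 * Refuse anonymous front-end requests that ask for an author by numeric ID
 * (/?author=1). This runs on 'init', before WordPress's canonical redirect
 * would rewrite the number into /author/<slug>/ and reveal the slug.
 */
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 ); // assumed target: the home page
        exit;
    }
} );
```

Copy it to wp-content/mu-plugins/ (must-use plugins load without activation and cannot be switched off from the admin screen), then call example_set_author_slug( 1, 'your-display-name' ) once, for instance through WP-CLI's wp eval, and check that example_users_with_exposed_login() returns an empty array. The init hook is the part worth keeping afterwards, since a changed slug is still reachable by number until those requests are turned away.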
WordPress will warn you, by the way, that these two plugins have not been updated and might not work properly with your site. They do work, and will continue to work properly for a long time, I promise. They both rewrite data in specific cells of one row in one table, and that's all they do. And you will delete them once they have done their job.
And finally, you can change the URL of the login page itself. This won't hide it from everyone, but at least bots won't be able to find it.
And there are plenty of plugins for that.
Logins are not the only way to get into a WordPress site.
Other ways to keep hackers out:
A security plugin (I like Sucuri, Wordfence, and Defender). Pick one only; you will run into all kinds of problems if you try to use two security systems at the same time.
and
Spam control plugins for comments and contact forms, if your security plugin doesn’t include that.
Google's reCAPTCHA service is good too, and there are plugins to help you integrate it into your site.
I’ll be honest; I came into this strictly as a designer, and it took more than one calamity to wise me up. In my day, kids… he quavered, his cane wobbling…
ah, well, that’s water under the bridge.
My advice now, as a designer, is to get your infrastructure solid as a (virtual) rock first. Then you can use your fine-point brushes, so to speak, without fear that your work will crumble in your (also virtual) hand.