Back in high school, my friends and I loved going to the amusement park. It had some thrills, some fun and a lot of laughs for our group. Of course, being suburban high schoolers, there might have been a little bit of mischief as well.
One of our go-to bits of low-level mischief was to walk past one of the long, snaking queues of parents and kids waiting to get on the rides and yell “Mom!” or “Dad!” Invariably, a sizable fraction of the heads in the crowd would turn our way, since many of the folks waiting were usually addressed as, of course, “Mom” or “Dad,” and they needed to see if it was one of their offspring trying to get their attention. We found this hilarious for some reason.
Hey, it was the ‘burbs. We had to manufacture our fun somehow.
In that group, we knew that there were names that a high percentage of the individuals would answer to. Based on that knowledge, we knew we could get a response if we called out using one of those names. While fun for bored teenagers, this same process can be used by individuals who might be trying to compromise your WordPress® site. Here’s the situation and what you can do about it.
Ditch the default Admin
WordPress usually creates a default user called “Admin” when a new instance of WordPress is installed. Like the example above, if you haven’t changed that Admin username, all someone needs to do is use that Admin username and guess one thing — your password — after which he or she would have full access to your site. Changing your “Admin” username to something else takes away this common exploit, and is super easy to do. Here’s how:
- Log in to WordPress using your (existing) Admin user account.
- Add a new user via Users > Add New, fill in all the fields, and set the privilege for this user to be “Administrator.” This new user will become your new admin user, so try to make the username something non-obvious to an outsider.
- Log out of the original Admin user account.
- Log back into the system using the username you created in Step 2.
- Delete the original Admin user. WP will prompt you to reassign all of your old posts from the old Admin user to the new user. Do so.
The whole process takes just a few seconds, and is a simple way to eliminate one of the common vectors used in exploiting WordPress sites.
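For a site with a lot of posts, or several sites to fix, the same five steps can be scripted against WordPress’s own PHP functions. This is an added example, not code from the original post; it assumes it is run from the site’s document root (so `wp-load.php` is found) and that the `NEW_ADMIN_LOGIN` and `NEW_ADMIN_EMAIL` placeholders are replaced with your own values.

```php
<?php
// Added example: retire the default "admin" account and hand its posts to a
// new administrator using WordPress's own functions. Run from the document
// root so wp-load.php resolves; the login and email below are placeholders.
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

const OLD_ADMIN_LOGIN = 'admin';
const NEW_ADMIN_LOGIN = 'REPLACE-WITH-A-NON-OBVIOUS-LOGIN';
const NEW_ADMIN_EMAIL = 'REPLACE-WITH-YOUR-EMAIL';

$old = get_user_by('login', OLD_ADMIN_LOGIN);
if (!$old) {
    exit("No user named '" . OLD_ADMIN_LOGIN . "' exists; nothing to do.\n");
}

// Step 2: create the replacement administrator with a long random password.
if (username_exists(NEW_ADMIN_LOGIN) || email_exists(NEW_ADMIN_EMAIL)) {
    exit("Chosen login or email is already in use; pick another.\n");
}
$password = wp_generate_password(32, true, true);
$new_id = wp_insert_user([
    'user_login' => NEW_ADMIN_LOGIN,
    'user_email' => NEW_ADMIN_EMAIL,
    'user_pass'  => $password,
    'role'       => 'administrator',
]);
if (is_wp_error($new_id)) {
    exit("Could not create user: " . $new_id->get_error_message() . "\n");
}

// Step 5: delete the old account; the second argument reassigns its posts
// to the new user instead of deleting them.
if (!wp_delete_user($old->ID, $new_id)) {
    exit("Failed to delete '" . OLD_ADMIN_LOGIN . "'.\n");
}

// Verify that the predictable login really is gone before trusting the result.
if (get_user_by('login', OLD_ADMIN_LOGIN) !== false) {
    exit("'" . OLD_ADMIN_LOGIN . "' still exists; check the database.\n");
}

echo "Created administrator '" . NEW_ADMIN_LOGIN . "' (ID $new_id) and removed '"
    . OLD_ADMIN_LOGIN . "'.\n";
echo "Initial password (shown once; change it after first login): $password\n";
```

Run it once while logged out of the old account, then log in with the new username; the final check fails loudly if the old login somehow survived.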
Bonus: Here is a link to the most commonly used passwords. I would recommend avoiding these as well.