This is the first post in a mini-series on website security. Once finished, I’ll add a comprehensive checklist to my Install WordPress guidelines. I’ll also offer some website security services. If you need help managing your website security, please ask Keith Taylor now.
You might wonder why I am introducing website security now, when I am already busy with so many important topics. It’s because website hacking is on the increase, and if you do not manage the basics of security, you risk losing your website. I have recently installed Wordfence to help protect my websites, and it shows the threats we face every day. Established websites, especially with forums, are under constant attack. Brand new websites are not exempt, and I have seen attempted administrator hacking within a week of installing WordPress on a brand new domain.
Website Security: Basic Rules
A basic rule for self-managed WordPress websites is: never call your Administrator account admin, or the name of your website/domain. These are among the first usernames an attacker tries, and Wordfence can be set to block any IP address that attempts to log in with them. Bear in mind that a username is not a secret (author archives, and the REST API's user listing for anyone who has published content, can reveal it), so an unguessable name slows automated guessing but does not replace a strong, unique password.
A second basic rule for self-managed WordPress websites is: never post content when logged in as administrator. In practice, this means you should maintain at least two separate accounts. Your Administrator account is only for managing WordPress configuration. Your Author/Editor account is for writing posts, pages, and any other published content. Most WordPress themes link to Author archives, and the archive URL (/author/username/) exposes the account name, so assume that every account that publishes content is known to attackers. If an Author or Editor account is compromised, the damage is limited to content, which is annoying but recoverable; a compromised Administrator account gives full control of the site, including plugins, themes, and users.
My third, and for now final, basic rule for self-managed WordPress websites is: always move the Administrator account away from the first user. The first user is the one with the lowest ID, normally 1, and attackers probe for it specifically: requesting /?author=1 redirects to that user's author archive (for any user with published content) and so reveals the username. The ID is easy to see if you have direct access to your database via phpMyAdmin, or similar. You can also see it in the WordPress Users list by hovering your mouse over the Username, where the ID shows in the target URL (user_id=1).
Website Security: Remedial Action
1. If your Administrator account username is admin or your site/domain name, set up a new Administrator account with an unguessable name. Log in with the new Administrator account, then change the old one to the Subscriber role, or delete it. If you delete it, WordPress asks what to do with its content: choose to attribute all content to another user rather than deleting it.
2. If you have published content authored under an Administrator account, follow step 1 above (the demoted old account keeps its content but no longer has administrator rights), or change the author on all affected content. Changing authors is easiest from the Posts and Pages lists: click the author name to filter to that author's content, select all of it, and set the Author field in Bulk Edit (or use Quick Edit for a single item).
3. If the user with the lowest ID (normally 1) has Administrator status, follow step 1 above: the new Administrator account receives a higher ID, and the original first user is demoted or deleted.
Check these now, and again whenever you migrate your website to a new hosting server.
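The three rules above, and the remedial steps that follow from them, can be checked in one pass on sites managed with WP-CLI. The script below is an added example for this post, not part of the original article or of WordPress itself: it reads the user list that `wp user list --fields=ID,user_login,roles --format=csv` produces, takes the site's domain and the IDs of users with published content as arguments, and reports every violation. The script name, the sample user list, and the `audit_users` function are my own; the sample data is constructed and not taken from any real site.

```shell
#!/bin/sh
# wp-user-audit.sh (hypothetical name): check a WordPress user list against
# the three basic rules: no guessable administrator login, no administrator
# authoring published content, no administrator as the first (lowest-ID) user.
#
# Input on stdin: CSV with a header line, as produced by
#   wp user list --fields=ID,user_login,roles --format=csv
# Arguments:
#   $1  the site's domain, e.g. example.com
#   $2  space-separated IDs of users who have published content, e.g. from
#       wp post list --post_status=publish --field=post_author | sort -un | tr '\n' ' '
# Assumption: one role per user (the WordPress default), so the roles field
# never contains a comma and plain IFS=, parsing is enough.
# Output: one line per finding. Return status: number of findings (0 = clean).

audit_users() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    published_authors="$2"
    # First DNS label without a leading www., e.g. www.example.com -> example.
    site=$(printf '%s' "$domain" | sed -e 's/^www\.//' -e 's/\..*$//')
    findings=0
    lowest_id=""
    lowest_login=""
    lowest_roles=""

    while IFS=, read -r id login roles; do
        # Skip the CSV header and blank lines.
        case "$id" in ID|'') continue ;; esac

        # Rule 3 looks at the lowest user ID regardless of role.
        if [ -z "$lowest_id" ] || [ "$id" -lt "$lowest_id" ]; then
            lowest_id="$id"; lowest_login="$login"; lowest_roles="$roles"
        fi

        # Rules 1 and 2 only concern administrators.
        case ",$roles," in *,administrator,*) ;; *) continue ;; esac

        lower=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        # Rule 1: the administrator login must not be admin, the domain, or the site name.
        if [ "$lower" = "admin" ] || [ "$lower" = "$domain" ] || [ "$lower" = "$site" ]; then
            echo "RULE1 user $id: administrator login '$login' is guessable"
            findings=$((findings + 1))
        fi
        # Rule 2: an administrator must not be the author of published content.
        for author in $published_authors; do
            if [ "$author" = "$id" ]; then
                echo "RULE2 user $id: administrator '$login' has published content"
                findings=$((findings + 1))
            fi
        done
    done

    # Rule 3: the first user (lowest ID) must not be an administrator.
    case ",$lowest_roles," in
        *,administrator,*)
            echo "RULE3 user $lowest_id: first user '$lowest_login' is an administrator"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample (not real data), in the layout `wp user list --format=csv` emits.
SAMPLE_USERS='ID,user_login,roles
1,admin,administrator
2,example,administrator
3,k7q-site-ops,administrator
4,writer,author'

# Stand-alone demo: users 1 and 4 are assumed to have published content.
# Expect four findings: RULE1 and RULE2 for user 1, RULE1 for user 2, RULE3 for user 1.
printf '%s\n' "$SAMPLE_USERS" | audit_users example.com "1 4" || echo "findings: $?"
```

On a live site, pipe the real `wp user list` output into the function with your domain and the author IDs from `wp post list`. The remedial steps then map onto WP-CLI directly: `wp user create <login> <email> --role=administrator` for the new account, `wp post update <post-id> --post_author=<author-id>` to reassign content, and `wp user update <id> --role=subscriber` or `wp user delete <id> --reassign=<author-id>` for the old administrator (the `--reassign` option is the command-line equivalent of the attribute-content prompt in the dashboard). Re-run the audit afterwards; it should return 0.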
Website Security: New Installation
1. Install WordPress, using an unguessable Administrator account username, if your installation procedure gives you a choice.
2. Add one or more new User accounts, with the Author or Editor role, for posting content.
3. Add a new Administrator account with an unguessable username. This is the account you will actually use; because it is created after the installer's account, it is not user ID 1.
4. Delete the original Administrator account, or change its Role to Subscriber.