Website Security: Admin Author Basics

Web Security icon

This is my first of a mini-series on website security. Once finished, I’ll add a comprehensive checklist to my Install WordPress guidelines. I’ll also offer some website security services. If you need help managing your website security, please ask Keith Taylor now.

You might wonder why I am introducing website security now, when I am already busy with so many important topics. It’s because website hacking is on the increase, and if you do not manage the basics of security, you risk losing your website. I have recently installed Wordfence to help protect my websites, and it shows the threats we face every day. Established websites, especially with forums, are under constant attack. Brand new websites are not exempt, and I have seen attempted administrator hacking within a week of installing WordPress on a brand new domain.

Website Security: Basic Rules

A basic rule for self-managed WordPress websites is: never call your Administrator account admin, or the name of your website/domain. These are tried immediately by hackers, and Wordfence makes it easy to stop and block these.

A second basic rule for self-managed WordPress websites is: never post content when logged in as administrator. In practice, this means you should maintain at least two separate accounts. Your Administrator account is only for managing WordPress configuration. Your Author/Editor account is for writing posts, pages, and any other published content. Most WordPress themes will show links to Author archives, making it easy for hackers to identify account names that they can target. If they attack author accounts, it is annoying, but they are less likely to cause extensive damage to your website.

My third, and for now final, basic rule for self-managed WordPress websites is: always move the Administrator account away from the first user. The first user is the one with the lowest ID, normally 1. This is easy to see if you have direct access to your database via phpMyAdmin, or similar. You can easily see it in the WordPress Users list by hovering your mouse over the Username, where the ID shows in the target URL.

Website Security: Remedial Action

  1. If your Administrator account username is admin or your site/domain name, setup a new Administrator account with an unguessable name. After logging in with your new Administrator account, change the old one to a low access level, or delete it.
  2. If you have published content authored under an Administrator account, action as 1 above, or change the author on all affected content. If you need to change authors, it is easiest from the Posts and Pages lists. Show all posts for an author by clicking on the author name, then use Quick Edit.
  3. If your first user ID has Administrator status, follow 1 above.

Check these now, and whenever you export your website to a new hosting server.

Website Security: New Installation

  1. Install WordPress, using an unguessable Administrator account username, if your installation procedure gives you a choice.
  2. Add New User accounts (s) for posting content
  3. Add a new Administrator account with unguessable username.
  4. Delete original Administrator, or change Role to low privilege status

Are your WordPress Administrator accounts secure? Share your experiences, opinions, and questions in Shrewdies Make a Website Group, or Shrewdies Website Help Chatroom.

2 Replies to “Website Security: Admin Author Basics”

  1. never post content when logged in as administrator

    That’s easy to overlook when you’re a busy one-man band. If you regularly need to login as Administrator, but keep forgetting not to post. This code, adapted from Set a User as Author of all ‘New Posts’ posted, will come to your rescue.

    Never Post As Admin

    add_action( 'publish_post', 'shrewdies_replace_author' );
    function shrewdies_replace_author( $post_ID )  
        if(get_post_status( $post_ID ) == 'publish'){
        elseif(user_can( wp_get_current_user(), 'administrator' )){
            $my_post = array();
            $my_post['ID'] = $post_ID;
            $my_post['post_author'] = 3 ; //This is the ID number of your User Editor/Author record, but does not need Author status.
            // Update the post into the database
            wp_update_post( $my_post );
  2. The more I think about this, the less attractive it seems. Plugging holes in security is best done by improving security routines. All that code does is to paper over bad habits.

    Administration should always be separate from authoring. You should schedule separate time for admin jobs. Put admin jobs on a list, then if you notice an admin job whilst you are authoring, just add it to the admin list of tasks.

    If you really cannot avoid jumping between author and admin accounts, use different browsers, or different browser profiles for authoring and administering. Set color profiles to be distinct. Better still, ask me to create some code so you just cannot post when logged in as administrator.

    If you want to do it right, you can make it easier. First, set the name in the administrator account profile to “Do Not Post Now,” or similar. Second, create a new administrator account every year. Third, after you create your administrator account, go into phpMyAdmin, and change the user_nicename field to something different from the user_login field.

Leave a Reply