
Q is for quick

Posted: April 19th, 2013 | Author: | Filed under: Blogging from A to Z Challenge 2013 | Comments Off on Q is for quick

Quick — if you use WordPress on your own website and you have a username “admin,” you’ll want to create a new admin account with a completely different name, then delete that old admin account. Especially if you don’t use strong passwords.

Apparently there have been a number of botnet attacks on sites pairing the username “admin” with guessed passwords. This actually isn’t new, but a recent attack has an enormous botnet working at it, and the chances of your site getting hacked are higher because of it. Changing your admin login is a simple way to opt yourself out of this attack, since the bots only try that one username. It is not a defense against anyone looking harder: WordPress exposes author usernames through its author-archive URLs, so the strong password (and, if your host offers it, a limit on failed logins) still matters more than the name.
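The attack above leaves a recognizable trace in the web server’s access log: one client posting to wp-login.php over and over and getting the login form back each time. The script below, an added example that is not part of the original post, counts failed login POSTs per source address in an Apache “combined” log. The log lines are constructed, the addresses are RFC 5737 test ranges, and the threshold of 20 is an assumed cut-off.

```shell
#!/bin/sh
# Added example, not from the original post: find clients that are
# brute-forcing wp-login.php by counting failed login POSTs per source
# address in an Apache "combined" access log. A failed WordPress login
# re-renders the form with HTTP 200; a successful one redirects with 302.
set -eu

# Constructed sample log (not real traffic): 25 failed POSTs from one
# address, one typo plus one successful login from a second, and a plain
# GET of the login page from a third.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.5 - - [19/Apr/2013:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.9 - - [19/Apr/2013:03:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n'
    printf '198.51.100.9 - - [19/Apr/2013:03:15:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.0.2.33 - - [19/Apr/2013:03:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n'
}

# login_flood [THRESHOLD]: read a combined-format log on stdin and print
# "<failed-attempts> <ip>" for every address with more than THRESHOLD
# (default 20, an assumed cut-off) failed POSTs to wp-login.php, busiest
# first. Field layout: $1 client, $6 "METHOD, $7 path, $9 status.
login_flood() {
    threshold=${1:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' | sort -rn
}

# Stand-alone demo over the constructed log. On a real server, replace
# sample_log with: login_flood 20 < /var/log/apache2/access.log
sample_log | login_flood 20   # prints: 25 203.0.113.5
```

The 302 line is deliberately excluded: it is the legitimate user who got in, and counting it would inflate a real login into an “attempt.” A botnet spread across many addresses will stay under any per-IP threshold, so on a busy site it is also worth counting total POSTs to wp-login.php per minute regardless of source.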

Here’s what to do:

  1. Log in to your admin account.
  2. Under Users, create a new user with a different name, preferably one with some capitals and numbers in it. An attacker needs both a username and a password; with “admin” the botnet gets the username for free, so a name it has to guess costs it something, though the password still does most of the work. WordPress won’t let two users share an email address, so you’ll have to enter an alternate address for the new user. You can change this back later.
  3. Give that user administrative privileges.
  4. Give that user a strong password.
  5. Write that username and password down. Better yet, put it in your password manager program (I highly recommend 1Password for Mac users).
  6. Log out.
  7. Log in under the new username and password.
  8. Go to Users and delete the old admin account. It will ask you to assign posts made under that old account to another account. Generally, you want to choose the one you just created.
  9. If you care, go to the new user’s profile and change its email back to the one you used before.
  10. Have fun blogging!
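If you have shell access to the server, the same ten steps collapse into a couple of commands. The script below is an added example, not the author’s own method (the post describes doing this in the dashboard); it uses WP-CLI (https://wp-cli.org/) and assumes `wp` is on PATH, that it is run from the WordPress install directory, and that the user names and email addresses are placeholders you will replace.

```shell
#!/bin/sh
# Added example, not from the original post: the admin-rename procedure
# done with WP-CLI instead of the dashboard. Assumes `wp` is on PATH and
# the script runs from the WordPress install directory; names and
# addresses are placeholders.
set -eu

# List every account holding the administrator role, so stray
# "admin2"-style accounts show up too.
list_admins() {
    wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
}

# 24 random characters from /dev/urandom (assumes a Unix-like host).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=' </dev/urandom | head -c 24
}

# replace_admin OLD_LOGIN NEW_LOGIN NEW_EMAIL
# Creates NEW_LOGIN as an administrator with a fresh password, reassigns
# OLD_LOGIN's posts to it, deletes OLD_LOGIN, and prints "login:password"
# on stdout for pasting into a password manager. NEW_EMAIL must differ
# from OLD_LOGIN's address, just as in the dashboard.
replace_admin() {
    old=$1 new=$2 email=$3
    if ! wp user get "$old" --field=ID >/dev/null 2>&1; then
        echo "no user named '$old'; nothing to do" >&2
        return 1
    fi
    pass=$(gen_password)
    # --porcelain makes wp print only the new user's ID.
    new_id=$(wp user create "$new" "$email" --role=administrator \
                 --user_pass="$pass" --porcelain)
    # --reassign hands the old account's posts to the new ID (the dashboard
    # asks the same question); --yes skips the confirmation prompt.
    wp user delete "$old" --reassign="$new_id" --yes >&2
    printf '%s:%s\n' "$new" "$pass"
}

# Stand-alone use: ./rename-admin.sh admin Ed1tor42 editor@example.com
if [ $# -eq 3 ]; then
    list_admins >&2
    replace_admin "$@"
fi
```

Two caveats: passing `--user_pass` on the command line shows the password briefly in the process list, so on a shared host log in and change it from the profile page afterwards; and to put the original email back (step 9), run `wp user update NEW_LOGIN --user_email=OLD_ADDRESS` once the old account is gone.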

(If you use WordPress.com, you don’t need to worry about this, since you shouldn’t have an account named admin; you blog there under a username unique to the WordPress.com domain.)

I did this yesterday for the seven sites I have that run WordPress and had an admin account, and it took just a couple of minutes per site, once I got the hang of what I was doing. Two of the sites showed a couple of admin accounts that I don’t recall creating (“admin” + a number; I very well might have created them back in the Dark Ages, when I first started using WordPress, though), so I deleted those accounts, too, just to be safe. I went through all of the folders on those sites to check for unusual files and didn’t see anything, so I think I’m good for now. If indeed I didn’t create them, it looks like whoever did was only setting up, not actively doing anything yet.

This weekend I will also start the process of changing passwords on all of my web accounts. Huge PITA, but necessary to do once in a while.

