WordPress is great, but its open-source strength is also a weakness, because it’s very attractive to hackers.
While the simple tweaks I’m going to show you here won’t keep out a determined hacker, they will make an opportunist hacker’s life more difficult.
Tweak 1: Change your Username.
The most common username for WordPress sites is “admin”. WordPress sets it as default, and most people don’t bother to change it. This makes life very easy for a hacker, because all they have to do is guess your password, and (hey presto!) they can get into your site, access the dashboard and do untold damage.
I know WordPress says your username can’t be changed, but that’s not strictly true.
Log into your control panel, and scroll down to where it says Databases, then click where it says phpMyAdmin.
This is what it looks like on my Cpanel – yours might look slightly different depending on your hosting company.
Select the appropriate database from the list, and scroll down to where it says “wp_users”.
You’ll see a page like the one below, double click under where it says “user_login” and change the “admin” to something else. Choose something that’s going to be hard to guess, and make it different from the log-in name you have for your control panel.
To save it, you may have to click a “Go”, “Save” or “OK” button (or you might not have to click anything) depending on what version of phpMyAdmin you have.
Log out of the control panel, and log into your WordPress Dashboard using your new username. Use your old password.
From the Dashboard, hold your mouse cursor over where it says “Howdy [your new username]” in the top right-hand corner of the screen. From the dropdown menu select “Edit My Profile”.
Scroll down until you get to the section headed “Name”.
Where it says “Nickname (required)” enter the word “admin” (without the quotes).
Where it says “Display name publicly as” select “admin” from the dropdown menu.
Now all your posts will be attributed to “admin” but if a hacker tries to log in using the name “admin” they will be shut out.
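If you prefer to type the change rather than double-click the cell, the same rename can be done from phpMyAdmin’s “SQL” tab. This is an added example, not from the original post; it assumes the default “wp_” table prefix (if your wp-config.php sets a different $table_prefix, adjust the table name) and uses a placeholder where your new username goes.

```sql
-- Added example: the phpMyAdmin click-through from Tweak 1, written as SQL.
-- Assumes the default wp_ table prefix; REPLACE_WITH_NEW_NAME is a placeholder.

-- 1. Confirm which account currently logs in as "admin" and note its ID,
--    nicename and display name before changing anything.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'admin';

-- 2. Rename the login. WordPress expects user_login to be unique, so pick a
--    name that no other row in wp_users already uses. LIMIT 1 is a safety
--    net so a mistyped WHERE clause cannot rename every account.
UPDATE wp_users
SET user_login = 'REPLACE_WITH_NEW_NAME'
WHERE user_login = 'admin'
LIMIT 1;

-- 3. Check that nothing still answers to the old login. This should return 0;
--    if it does not, another account called "admin" exists and needs the same
--    treatment before the tweak actually closes the door.
SELECT COUNT(*) AS accounts_still_named_admin
FROM wp_users
WHERE user_login = 'admin';
```

The password (user_pass) is untouched by this, so you log in afterwards with the new username and your old password, exactly as described above.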
Tweak 2: Get a stronger password.
The most common password on WordPress is: “password”. Seriously! That’s how WordPress sets things by default, and a lot of people don’t bother to change it. Other common passwords are: abc123, qwerty, or letmein.
To change your password, go to the “Edit My Profile” page as above, and scroll down to the bottom. Enter your new password in the box, and repeat it in the second box to guard against being locked out due to a typo.
Choose a strong password that’s going to be hard to guess. It should be at least 7 characters long, and for best results should include a combination of upper and lower case characters, numbers, and symbols like &#@ and so on.
If you’re in the UK or Eurozone, include a Pound (£) or Euro (€) sign in your password as hackers from outside these areas are unlikely to have them on their keyboards.
If you’re stuck for ideas, there are a number of free password generator sites on the ‘net. The one I like best is: FreePasswordGenerator.com.
When you’re done, click on the “Update Profile” button. Log in again with your new password.
Be sure to choose a different password to the one you use on your control panel or other WordPress sites.
Tweak 3: Check if Your Themes or Plug-ins are Vulnerable.
Lots of themes and plug-ins have vulnerabilities in their code. Mostly these loopholes arise by accident, but some unscrupulous developers build a “back door” into their products to let them hack into your WordPress site any time they please.
To check if your plug-ins or themes are vulnerable, check them against the list in the US National Vulnerability Database (NVD).
If any warnings show up, change the theme or plug-in to a different one. Be sure to delete all the associated files and code.
Tweak 4: Further Study
In this blog post, I’ve only been able to scratch the surface of what you can do to keep your WordPress site safe from hackers. If you would like to find out more, you may be interested in a video series I have produced. It’s called WordPress Security Clampdown.
In it, I explain how you can make your WordPress site super-secure, and cover things like:
- Two WordPress files you MUST protect. Leaving them unprotected is like leaving your front door key under the mat
- How WordPress hackers look for sites to hack, and how to make sure they don’t choose your site
- What an SQL injection attack is, and the steps you can take to prevent one from happening to your site
- What to do if your site gets hacked – I’ll show you, step-by-step, how to reclaim your site from the hackers
- Why your site might be vulnerable to a “server side” hacking attack, and what you can do to prevent it
- How a combination of two (free) plug-ins can protect your site from hackers – I’ll show you where to get them, and how to set them up
- And much, much more!