I recently listened to the WordPress Podcast – Episode 44. Although it’s a couple of months old now, it was quite interesting and one issue really caught my eye, or rather my ear: the security related question for Matt Mullenweg at around 1:13:30 of the podcast.
A listener, Simon Jones from beforeiforget.co.uk, talked about the difficulty of changing the default WordPress user name from admin to something a little harder for hackers to guess. The only way to do this is to change it in the database itself – it can’t be done through WordPress.
Simon’s main question was "Why isn’t there an easier way to change the default user from admin to something else?". Matt didn’t actually answer this, presumably because Simon’s question was fairly long and to be honest, could have been a little more to the point.
However, Matt did mention that it’s very difficult to brute force WordPress because such an attempt would need to submit thousands of requests per second and web servers won’t allow that many requests. He also mentioned that he’d changed his user name, though obviously not for security reasons, because he told everyone what it was!
Anyway, the podcast has inspired me to go on to discuss a couple of points related to WordPress security:
Password Strength
What Matt didn’t say (because it’s elemental) is that having a strong password is essential. A user name / password combination of Admin and dS35Hg68p1d will be much harder to break than one of admin and WordPress.
If you have a strong password, leaving user name as admin is less of an issue. So make sure your password is reasonably strong.
Protecting The Wp-admin Folder
For the paranoid, such as myself, who are worried about their WordPress login being hacked, it’s possible to add an extra layer of security to the wp-admin folder. This is more effective than just changing the default user. There are different ways to do this, including:
- only allowing users from a certain IP address or range to access the wp-admin folder
- using the AskApache Password Protect plugin to password protect the wp-admin folder
- using cPanel to password protect the wp-admin folder (here’s a general tutorial, but one that could be applied to wp-admin)
The last two methods will present the user with an additional user name / password prompt before the normal WordPress login screen can be accessed. This obviously takes longer to log in, but it also makes it much more unlikely that your site can be hacked.
These two methods work in a similar way, setting security through the .htaccess file. If you really know what you’re doing, you could set this up manually.
Problem With Password Protecting The Wp-admin Folder
When I first tried to password protect the wp-admin folder, using the AskApache Password Protect plugin, I ran into a serious problem. I wasn’t given the “Authentication Required” window; I just got a 404 File not found message. This meant I was unable to log into my WordPress system and couldn’t access the plugin screen to turn off the password protection.
So how did I get access to my site again? I logged into my host via FTP and removed the following files:
- .aahtpasswd from the public_html folder
- .htaccess from the public_html/wp-admin directory (not the one from public_html)
I later experienced this same problem when password protecting the wp-admin folder via cPanel, but of course, I could just turn off the password protection again via cPanel.
I found a permanent solution to this problem at Developed Traffic’s WordPress admin password protection 404 post. The solution is to create an empty file called myerror.html and upload it to your public_html folder, then add the following to your .htaccess file (in public_html):
ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html
If you want to store the myerror.html file in a folder, rather than in public_html, then simply add the folder’s name to the two lines, i.e.:
ErrorDocument 401 /foldername/myerror.html
ErrorDocument 403 /foldername/myerror.html
That should fix the problem – although I’m not sure what impact it may have on other things (i.e. by having 401 and 403 go to the new file rather than WordPress handling it). If anyone out there knows this, please let me know in the comments.
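For those who want to set this up by hand, as the earlier section said you could, here is what the two pieces look like together: the wp-admin restriction (IP allow-list combined with the extra password prompt) and the 401/403 error-document fix just described. This is an added example, not the post’s own or the AskApache plugin’s configuration; the /home/example/.htpasswd-wpadmin path and the 203.0.113.0/24 range are placeholders.

```apache
# public_html/.htaccess
# Point the 401 (password prompt) and 403 (IP denied) error pages at a
# real, empty file. Usual cause of the 404 lock-out: the host's default
# error page path does not exist, so that request falls through to the
# WordPress rewrite below and WordPress answers 404 instead of the
# browser getting its "Authentication Required" dialog.
ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html

# Standard WordPress rewrite block, exactly as a normal install writes it
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# public_html/wp-admin/.htaccess
# Extra login prompt in front of the dashboard. The password file is kept
# OUTSIDE the web root (hypothetical path) so it can never be served;
# create it with:  htpasswd -c /home/example/.htpasswd-wpadmin alice
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /home/example/.htpasswd-wpadmin
# Apache 2.4: BOTH a valid user AND a trusted source address are needed.
# 203.0.113.0/24 is a documentation range standing in for your own static
# IP; if your address changes you lock yourself out (fix over FTP, as above).
<IfModule mod_authz_core.c>
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 equivalent ("Satisfy All" makes both checks mandatory)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Require valid-user
    Satisfy All
</IfModule>

# admin-ajax.php is fetched by many themes and plugins on behalf of
# anonymous visitors, so exempt it or front-end features break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy Any
    </IfModule>
</Files>
```

Note that wp-login.php lives in public_html, not in wp-admin, so the WordPress login form itself stays reachable; to put the same prompt in front of it, add a matching <Files wp-login.php> block with the same Auth directives to public_html/.htaccess.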
The Real Lesson About WordPress Security
This post is all about trying to minimize the slight chance that someone may be able to break into your WordPress system via the login screen. I’m willing to bet that out of all the WordPress blogs ever hacked, very few of them would have been hacked via the login screen.
In the previous section, I mentioned how I locked myself out of the WordPress login screen, but got around it by FTPing in. All that security on the login screen is worth nothing if someone gets access to your host account via FTP.
From what I’ve heard, most hacked sites were compromised via:
- their host login being stolen after their email account was hijacked and used by the hackers to get the login details from the host service provider
- an XSS exploit in WordPress
So the real lesson is to keep your computer free of viruses and spyware and your WordPress installation up to date with the latest security releases.
If you have any further thoughts on WordPress security, please let me know in the comments.
WOW.. What a post. This is one of the posts which are very interesting and outstanding. It has all the information which I was looking for, like, for ages. Really very helpful. Thanks for posting it 🙂
Personally I think that a lot of the hacking that goes on is unscrupulous website and blog owners who take advantage of the fact that many, many people use the same password everywhere. Put up some content that requires registration, ask for their blog address, and suddenly you have a database of websites with possible passwords. What percentage of those used the same password? Doesn’t have to be much to make this method much more effective than others.
Bill you did it again. Wonderful post, well written and very informative. I agree with “IT Governance” that one should use different passwords for different websites but these passwords should not be similar to the username or logins.
Having a strong password is important but it never hurts to have an extra layer of security. Good information for people wanting to sleep at night.
My blog was hacked only once and it was when the WordPress files were hacked on THEIR servers. Using a strong password that you ONLY use for your WordPress admin login will keep all but experienced hackers out.
Thanks for the info about protecting WordPress. I personally changed my user name by going through the database and honestly it’s not very complicated but still a pain.
Hopefully there will be a change in the near future so that users can change or enter their own user name. A lot of general users like to change their passwords so it’s easier for them to remember, and typically they aren’t strong because of it.
For those wondering if their WP blog is safe, there is a nice plug-in by Michael Torbert that scans for security vulnerabilities in your blog. You can get the plug-in with the following link http://wordpress.org/extend/plugins/wp-security-scan/
Very nice article discovered on wpvote! WordPress security is very important so that’s always good to read something to protect your blog.
Good article you have here. I’m still waiting for them to make it much easier though. It’s a hassle especially when you have multiple blogs.
Good article, thanks. I know several people who have had their WP blogs hacked and then stuffed with all sorts of spammy links. Then they got banned by Google. Protecting your blog is very important.
Simple and powerful, can’t imagine why I didn’t think of just blocking all IPs but mine on the server before. Well, thanks for the idea, going to go through all sites and kick up the security a notch.
The best part is that it works on any admin..
I guess I’m paranoid. I just put the .htaccess file in all my wp-admin directories (of all my blogs) using my static IP.
Good article. It is important to make sure that you are updating WordPress as new releases are made. Having a strong password is important. I have also heard about the WP security scan plugin but I haven’t used it.
And make sure ya don’t use yer mother’s maiden name as the pw. That’s something that can be accessed online quite easily.
Blog protection, that’s a worthy thing to spend some time on. Bloggers spend so much time on their blogs that it would be a sad thing to see it all gone.
I also read some about the security issues with some wordpress blogs that were hacked. I have not tried any of the products I got from a paid membership as I haven’t found the time for it. Never thought there could be so many easy options. Following this discussion as a reminder to look into it another day 🙂
Nice post… What I have done so far is to block bots from WordPress folders via robots.txt and rename the index.php file. Will try your tips soon…
Cheers,
Ajith
Thanks for the tips. I hate having to use difficult passwords, but in this day and age anyone can and will try to hack your site even if they will gain nothing from it.
Thanks for the tips. I love having to use difficult passwords. It’s another type of security, as I think. But I feel sorry for you for being hazard. Anyway thanks for sharing this in your post with us.
I’ve read about security issues/permissions on that folder for some time but yours is the first post that actually provides some solutions. The simplest thing to do is bar all unknown IPs from accessing as you stated.
Good info and great article. I have tried several times before to change that “admin” username but was never quite successful. Thank you for this article; I now can change it.
Hello there, this is an excellent lengthy post on protecting the admin folder. All users should follow these directions!
Hope you will write more posts like this in the future my friend.
Hey, any news when they would make it easier? In v2.8?
(could you delete the previous post? sorry!)
Great article – saved me doing all this investigation. I’ve been concerned about the security of some of my WP based sites for some time so this has been enormously helpful.
I’ve been using WordPress for around 6 months, I use free AV to keep my PC clean and I have never had my site compromised or exploited.
Just keep your computer free of bugs and viruses and you will reap the rewards.
Tony.
Hey Bill, just came across your blog and already found heaps of great info. The suggestion about restricting access to wp-admin based on IP is a great idea.
Great tips. WordPress security is one area too many overlook, and doing some basics like you have just described goes a long way toward protecting yourself from future problems.
hacked blog is not fun!
Great post! I have many clients who pay me to set up WordPress for them and I automatically change the admin in the database for them to make hacking a little harder.
I have found (through a series of wp installations) that the inability to change the main user from admin is silly. Why even bother with a username if every single one is the same? Thanks for posting the solution and for the additional advice.
Thanks for a useful security article. Just a note for those blocking all IPs but their own – beware if your ISP ever changes your IP address (or you want to edit your blog from your laptop, while on the road).
Cheers, Jon
Hi John,
Yes, good point! Of course if that happens, you can ftp in and delete the .htaccess, but you may not be able to do that easily if you’re on the road…
I want to move to wordpress.org but I do not understand about hosting and installing the template... your post makes me more confused :D... but I will learn so I can blog using WP.
The easiest way for me is to make the password a lot harder to break. Combining letters and numbers would be the best, but of course you have to remember it all in your head.
Great article by the way.
I think the biggest threat is posed by the exploits. Brute force attacks on the login screen are unlikely. I have about 15 WordPress sites, and I’ve had them for years, and I’ve never seen that myself. I have, however (and unfortunately) seen loads of exploits.. for example, last week, 2 of my sites got attacked by this exploit that adds AdSense code to the posts!! So your blog is actually displaying adverts that are associated with the spammer’s account. I don’t think it’s long before Google kills such accounts, but it’s crazy.
Great post. WP security is always a concern. I’ve recently had the same experience as a previous commenter wherein posts have somehow been hacked and augmented with someone’s AdSense code – I reported the account to Google straight away – but it’s a worrying occurrence.
If you’ve got cPanel on your hosting account you can password-protect any directory easily. I hate tinkering with WP. I don’t think it’s well written.
In regards to disallowing a certain range of IP addresses, is there some list of spam IPs, or how would I know which IPs to block?
Thanks,
Using a strong password and restricting access to wp-admin to certain IPs should literally wipe out any threat of hacking IMO.
Danny – we are talking about restricting IPs for the WP-ADMIN and not for access to the entire blog.
And after all “old” comments being wiped – I’m more worried about WordPress updates than hackers (an overstatement, agreed) but point made.
Very informative. It’s definitely wise to be sure you’re updating WordPress as updates are released. Strong passwords matter as well.
Using IP addresses to restrict wp-admin access is one of the better means of securing your blog. You just have to remember not to forget that you have done this.
Most of the time, you will be blogging from your usual IP address, but if you happen to be trying to post from another location and thus a different IP address, you won’t be able to unless you update the htaccess file.
This is a very useful post–it is very dense with information. It’s hard to find well-written AND useful advice, but you succeed here with this post. I especially like your advice for password strength–this is a good tip for everyone who runs more than one wordpress blog, which is a lot of people.
Nice article and walk-through of the options available.. This does add a lot more security to WordPress blog installations..
Hi AskApache,
Thanks for writing the AskApache Password Protect plugin – you’re helping bring this extra layer of security to the masses…
I would also prefer on blocking IPs, but that is for me since I don’t travel. And where could we get huge list of IPs? I only have a few.
Great tutorial on making wordpress more secure, which is so important but very easily overlooked. It is easy to think it won’t happen to your blog, but its certainly better to be safe than sorry.
Good to know WordPress is hard to brute force, thanks
Generally, I’d prefer to guard myself as much as possible earlier than at the WP-admin folder. I am always on the lookout for software that makes my computer and my sites as hard to crack as possible, and there is more than my WP that I worry about… But I do agree that anyone that has the same password more than once kind of has to suit themselves. Online security is more important than ever.
I guess that having a strong password solves most of the problem pertaining to the security issue. The other solution of having an additional layer of security doesn’t make any sense to me.
Great post. Most people never use a good password in the first place. They use the same one for multiple things or something so easy anyone can figure it out. The point about email being hijacked is so true; most people never realize hackers just send a new password and take the site over.
WordPress has its own internal security and password system. You don’t need another one. And the files in Wp-admin do not necessarily all need to be hidden from the users in some way.
This problem exists with any password protected directory that resides alongside WordPress, not just the admin folder. Thanks for pointing out the solution. It will surely come in handy.
I hope it works, Lyndsey, because I’ve had some problems with it.
Strangely, I didn’t have this problem on our old servers. And I don’t have it if the blog is in a subdirectory, like site.com/blog – whether or not WP is in the /blog directory or /blog/wordpress.
Strange.
Oh. I just realized what you’re saying, Lyndsey… that if WP is in root but there are other password-protected directories that may have nothing to do with WordPress, then there is an issue. Not good.
WP is good for me, however I include various numbers and characters in my password, preventing my password being guessed. I must get 4 emails a week from WP with new password requests.
I will look at your solution and we all should be better protected in the future. Thanks for sharing this fab resource.
Yes, this is a good thing, but my WordPress hangs for a while. The login to WP works only on the second try.
get yourself Lenovo T43p laptop with fingerprint scanner – so you just swipe your fingertip instead of entering passwords to login into your laptop or website admin account – thus no chance someone may overlook your password
I think sites get hacked because some of us don’t know squat about all this technology.
There is no point in having a super secure login page if they can get access through other means like you said; better secure all your stuff, email, ftp, etc. with stronger passwords and keep the PC free of viruses.
A few days back my blog got hacked, and I was very much concerned about its security and installed lots of plugins that stopped my blogs from functioning properly. That’s why I totally agree with you and suggest everyone keep their computers virus free.
Hi Nimit,
I’m sorry to hear you got hacked – hope it’s back to normal now.
I have a much simpler solution.
Go to http://www.zubrag.com/scripts/password-protect-advanced.php and download that. It might be a little frustrating at first, because it takes a little getting used to, but it works like a dream, and is very lightweight.
Hi darth,
Thanks, that looks interesting – although I’m not convinced that it’s any simpler than using cPanel’s password protect function.
“… the difficulty of changing the default WordPress user name from admin to something a little harder …” – when I start a new WP blog, I create a new administrator’s account with the name I need, and then just delete “admin”.