I recently listened to the WordPress Podcast – Episode 44. Although it’s a couple of months old now, it was quite interesting, and one issue really caught my ear: the security related question for Matt Mullenweg at around 1:13:30 of the podcast.
A listener, Simon Jones from beforeiforget.co.uk, talked about the difficulty of changing the default WordPress user name from admin to something a little harder for hackers to guess. The only way to do this is to change it in the database itself – it can’t be done through WordPress.
Simon’s main question was "Why isn’t there an easier way to change the default user from admin to something else?". Matt didn’t actually answer this, presumably because Simon’s question was fairly long and to be honest, could have been a little more to the point.
However, Matt did mention that it’s very difficult to brute force WordPress because such an attempt would need to submit thousands of requests per second and web servers won’t allow that many requests. He also mentioned that he’d changed his user name, though obviously not for security reasons, because he told everyone what it was!
Anyway, the podcast has inspired me to go on to discuss a couple of points related to WordPress security:
What Matt didn’t say (because it’s elementary) is that having a strong password is essential. A user name / password combination of Admin and dS35Hg68p1d will be much harder to break than one of admin and WordPress.
If you have a strong password, leaving user name as admin is less of an issue. So make sure your password is reasonably strong.
Protecting The wp-admin Folder
For the paranoid, such as myself, who are worried about their WordPress login being hacked, it’s possible to add an extra layer of security to the wp-admin folder. This is more effective than just changing the default user. There are different ways to do this, including:
- only allowing users from a certain IP address or range to access the wp-admin folder
- using the AskApache Password Protect plugin to password protect the wp-admin folder
- using cPanel to password protect the wp-admin folder (here’s a general tutorial, but one that could be applied to wp-admin)
The latter two methods will present the user with an additional user name / password prompt before the normal WordPress login screen can be accessed. This obviously takes longer to log in, but it also makes it much less likely that your site can be hacked.
Problem With Password Protecting The wp-admin Folder
When I first tried to password protect the wp-admin folder, using the AskApache Password Protect plugin, I ran into a serious problem. I wasn’t given the “Authentication Required” window, I just got a 404 File not found message. This meant I was unable to log into my WordPress system and couldn’t access the plugin screen to turn off the password protection.
So how did I get access to my site again? I logged into my host via FTP and removed the following files:
- .aahtpasswd from the public_html folder
- .htaccess from the public_html/wp-admin directory (not the one from public_html)
I later experienced this same problem when password protecting the wp-admin folder via cPanel, but of course, I could just turn off the password protection again via cPanel.
I found a permanent solution to this problem at Developed Traffic’s WordPress admin password protection 404 post. The solution is to create an empty file called myerror.html and upload it to your public_html folder, then add the following to your .htaccess file (in public_html):
ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html
If you want to store the myerror.html file in a folder, rather than in public_html, then simply add the folder’s name to the two lines, i.e.:
ErrorDocument 401 /foldername/myerror.html
ErrorDocument 403 /foldername/myerror.html
That should fix the problem – although I’m not sure what impact it may have on other things (i.e. by having 401 and 403 go to the new file rather than WordPress handling it). If anyone out there knows this, please let me know in the comments.
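As an added example (not from the original post, the AskApache plugin, or the Developed Traffic post), here is what the three pieces above add up to when written by hand into two .htaccess files: the IP allow-list and the HTTP Basic Auth prompt for wp-admin, plus the ErrorDocument lines that stop a 401/403 turning into a 404. The IP range, the password file path and the realm name are placeholders; the syntax is Apache 2.4 (Apache 2.2 used Order/Allow/Deny and Satisfy instead of Require). The usual explanation for the 404 is that the host’s global ErrorDocument for 401 points at a path that WordPress’s catch-all rewrite rule in public_html/.htaccess hands to index.php, which answers 404; naming a static file that really exists avoids that round-trip. The example also goes one step beyond the post by leaving admin-ajax.php reachable, because themes and plugins call it from the public side of the site and an auth prompt there breaks them for ordinary visitors.

```apache
# ---- public_html/.htaccess (added example) ----------------------------
# Place these ABOVE the "# BEGIN WordPress" block so they are read before
# the rewrite rules. myerror.html is an empty file in public_html.
ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html

# ---- public_html/wp-admin/.htaccess (added example) -------------------
# Layer 1: only clients from the allowed range may reach wp-admin at all.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
# Layer 2: on top of that, an HTTP Basic Auth prompt before WordPress's own
# login screen. Keep the password file OUTSIDE the web root (path assumed);
# create it once with:  htpasswd -c /home/example/.htpasswd adminuser
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.htpasswd

# RequireAll means BOTH conditions must hold (the default RequireAny would
# let either the IP match or a valid user through on its own).
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>

# Exception: admin-ajax.php is called by front-end themes and plugins for
# anonymous visitors, so it must stay open or those features break.
<Files admin-ajax.php>
    Require all granted
</Files>
```

After saving both files, request /wp-admin/ from a browser outside the allowed range and from inside it: the first should get the plain 403 page, the second the Basic Auth prompt and then the WordPress login. If you still see a 404 rather than the prompt, the ErrorDocument lines are sitting below the WordPress rewrite block or myerror.html does not exist at the path given.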
The Real Lesson About WordPress Security
This post is all about trying to minimize the slight chance that someone may be able to break into your WordPress system via the login screen. I’m willing to bet that out of all the WordPress blogs ever hacked, very few of them would have been hacked via the login screen.
In the previous section, I mentioned how I locked myself out of the WordPress login screen, but got around it by FTPing in. All that security on the login screen is worth nothing if someone gets access to your host account via FTP.
From what I’ve heard, most hacked sites were compromised via:
- their host login being stolen after their email account was hijacked and used by the hackers to get the login details from the host service provider
- through an XSS exploit in WordPress
So the real lesson is to keep your computer free of viruses and spyware and your WordPress installation up to date with the latest security releases.
If you have any further thoughts on WordPress security, please let me know in the comments.