When you create a new WordPress website from scratch the software itself goes out of its way to make it easy for you to get going. Pages (static site components) and posts (dynamic site components) are already set up for you to give you starting-point examples to work from. The software even sets you up as the admin of the site with a username, email address and password.
The password requirements within WordPress have become much stricter over the last 4 or 5 years and the software will tell you when a password is not secure and will require you to explicitly take responsibility for using a poor password.
One thing that hasn’t changed is that the first administrator account created is named “admin”.
Why keeping “admin” as your admin username is a very bad idea!
WordPress is Open Source software: collaborative teams work on the project and report their findings to the general public. This process means that advances in the software happen really fast, as multiple eyes are on the project and outside interested parties can make suggestions and edits. However, it also means that the bad guys are kept in the loop, so they become aware of issues and loopholes almost immediately and can exploit them.
The use of “admin” as the admin username is the biggest open secret in the WordPress world, and the bad guys try to exploit it at every opportunity. Normally this is done by hackers guessing username and password combinations over and over until they find the “winning” combination (this is known as a “brute force attack”). Using “admin” as the username gives the bad guys a head start in this process, because now they can concentrate on the password alone.
If users were really good about using strong passwords then this might not be such an issue – but users are typically really, really, REALLY bad about using strong passwords! They want to use passwords they can remember easily and ideally they’d like to use them over and over again.
An eight-character password using numbers only can be cracked essentially instantaneously by hackers. Eight characters using a combination of numbers, upper and lower case letters can be cracked in about 7 minutes!
Sites are being actively probed by the bad guys all day, every day, looking for a soft spot to get in and create mischief (installing malware, stealing client data, ransomware, etc.). Probes using “admin” are the most common form of brute force attack: multiple times an hour, and hundreds of times a day.
How to strengthen access to your WordPress admin dashboard
- Change your admin username – picking almost anything other than “admin” will slow down the bad guys. It won’t stop them completely, because they’ll still be able to guess other usernames, but it will slow them down.
- Use a strong password – use a minimum of a 12 character password mixing numbers and letters; this alone will increase the cracking time to about 24 years! My go-to approach is using three random 5 letter words (15 characters) using both upper and lower case letters with spaces between the words – cracking time about 1 billion years!!
- Turn on Two-Factor Authentication – upon login you’ll need to add a second code that’s either sent to your phone or from an authentication app. It slows down logging in by a fraction of a minute but adds so much in the way of security and peace of mind.
- Employ a security plugin – I use iThemes Security on all my sites. One great feature iThemes Security has is an option to automatically ban anyone logging in using the word “admin” – this is turned on for all my sites.
- Use reCAPTCHA on login – Another feature of iThemes Security is the ability to add a reCAPTCHA (I’m not a robot!) to the login screen. I know people hate them, but again it takes a fraction of a minute and in my world stops close to 100% of hacking attacks and probes.
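The “ban anyone logging in as admin” behaviour described above, plus a simple lockout after repeated failures, written as an added WordPress mu-plugin example (this is not code from this post or from iThemes Security). It assumes a standard WordPress install where the PHP process sees the real client address in REMOTE_ADDR; the hook names and transient functions are WordPress core APIs, the limits are assumed values.

```php
<?php
/**
 * Plugin Name: Block "admin" logins and lock out brute-force sources
 * Description: Added example (not iThemes Security code). Drop into
 *              wp-content/mu-plugins/ on a standard WordPress install.
 */

define( 'BF_MAX_FAILURES', 5 );                       // assumed: failures before lockout
define( 'BF_WINDOW_SECS', 15 * MINUTE_IN_SECONDS );   // assumed: counting/lockout window

// Key the failure counter on the connecting address. Only REMOTE_ADDR is
// trusted here; X-Forwarded-For is client-controlled unless your proxy sets it.
function bf_client_key() {
    return 'bf_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Priority 30 runs after WordPress's own username/password handler (20), so
// an error returned here is final and is not overridden by a password match.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    // 1. Refuse the username "admin" outright, whatever the password.
    if ( 'admin' === strtolower( trim( (string) $username ) ) ) {
        return new WP_Error( 'admin_username_blocked',
            'The username "admin" is not accepted on this site.' );
    }
    // 2. Refuse any address that has used up its failure budget.
    if ( (int) get_transient( bf_client_key() ) >= BF_MAX_FAILURES ) {
        return new WP_Error( 'too_many_failures',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Count every failure (blocked "admin" attempts included) and log it, so the
// probes the post describes become visible in the PHP error log.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = bf_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, BF_WINDOW_SECS );
    error_log( sprintf( 'wp-login failure for "%s" from %s (%d/%d in window)',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, BF_MAX_FAILURES ) );
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( bf_client_key() );
} );
```

Because the "admin" refusal goes through the normal failure path, an attacker hammering that username locks their own address out after BF_MAX_FAILURES attempts, and the error_log lines give you a count of the probes per window.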
Need help with any of the above? Please don’t hesitate to call me at 973-234-5623 or use the contact form and I’ll get right back to you.