Unless things have changed since the last time I set up a new self-hosted WordPress site, WordPress presents you with the username “admin” as default. And even if they’ve stopped doing this, it was the standard since the inception of WordPress back in 2003. That’s 19 years on WordPress sites that use “admin” as the username.
Here’s an interesting fact. According to Kinsta, WordPress.org powers just over 30% of all websites in existence, and it accounts for more than 60% of all websites that are built on a content management system. Over 14% of the world’s top websites are on WordPress.org.
Hackers just love the sheer volume of WordPress sites. Do you know what else they love? Users that don’t create a unique username for themselves.
Why Using “Admin” is Unsafe on WordPress
You might be thinking it’s no big deal. You’re nobody. Who’s going to try to hack your site?
Well, if most hacking attempts on your site were made by a single person looking for a single site to hack into, your lack of concern would—maybe—be warranted. However, that’s not what is happening. For the most part, hacking attempts against your site are made by bots launching brute-force attacks. These bots will either use best guesses for username and password, like admin and 123456, or they will use something like a dictionary attack where the bot literally goes through a dictionary trying to match words to your username. So yes, “admin” is a bad choice, but so is any other recognizable word. Jumble up those letters and numbers.
If you have a security plugin that sends you a notification when it locks someone, or some bot, out of your site because of too many bad login attempts, you’ll generally see all those attempts are using admin as a username.
So, now that we’re clear about not using admin as your username, what kind of measures can you take to secure your site?
WordPress Security Measures
Since I love factoids, here’s another one. According to a cybersecurity report published 2 years ago, organizations increased their online security budgets by 50%.
What does that tell you? Other than a whole lot of people probably didn’t get a raise that year? It’s an indication—a clear message—that none of us can afford to be lax when it comes to online security. Even if you’re that little guy with a hobby site.
Use a VPN
My first recommendation is to download a VPN. There are some free options available, but with limited functionality. VPN is an acronym that stands for Virtual Private Network, and using one is a great step toward securing your site. As long as you access your site via the service, the traffic between your machine and the VPN provider is encrypted, and your site (and anyone watching it) sees the VPN’s IP address rather than your own. If you’re looking for a good VPN for your needs, check out this article on the best VPN by VPNpro.
Install a Security Plugin
Install a security plugin. You have a choice of a free option here as well, and any number of plugins to choose from. Some plugins are more feature rich than others, and some are more complex and may require more setup, so choose one that works for your specific situation.
Disallow File Editing
Turn off the file editing feature. The WordPress codex recommends taking this step, and it can be done by either manually editing a few lines of code in the wp-config.php file or by installing a plugin that will do it for you. If you’re making the change manually, simply add the following to your wp-config.php file:
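The wp-config.php lines that implement this step, as an added example rather than the post’s own text. DISALLOW_FILE_EDIT is the constant the WordPress documentation names for disabling the theme and plugin editors; DISALLOW_FILE_MODS is its stricter sibling and is shown commented out because it is optional.

```php
<?php
// wp-config.php additions (added example, not lines from the post).
// Put them above the line that reads "/* That's all, stop editing! */".

// Removes the Theme Editor and Plugin Editor from the dashboard, so an
// administrator account that is taken over cannot be used to write
// arbitrary PHP into theme or plugin files from the browser.
define('DISALLOW_FILE_EDIT', true);

// Optional, stricter: also blocks installing and updating themes, plugins
// and core from the dashboard. Only enable this if you apply updates some
// other way (for example WP-CLI), because the site can no longer update
// itself from the admin screens.
// define('DISALLOW_FILE_MODS', true);
```

After saving, the Appearance > Theme File Editor and Plugins > Plugin File Editor menu entries disappear; if they are still there, the define was placed below the “stop editing” line or a caching layer served the old page.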
Hide Sensitive Files
Speaking of your wp-config.php file, you should also hide it and your .htaccess files. Please note these steps, and the ones above, are not to be taken lightly. If you don’t know what you’re doing, I don’t recommend manually editing any of the WordPress core files. If you feel confident, take a backup of these files before doing anything, and then make the necessary changes.
After you’ve backed up your files, add the following to your .htaccess file. These are Apache directives, so they belong in .htaccess and not inside wp-config.php, where they would be a PHP syntax error and take the site down. This block stops the web server from serving wp-config.php directly:
<files wp-config.php>
order allow,deny
deny from all
</files>
Once you’ve done that, add a second block to the same .htaccess file so the .htaccess file itself cannot be fetched either:
<files .htaccess>
order allow,deny
deny from all
</files>
(The order/deny syntax above is for Apache 2.2 and still works on 2.4 with mod_access_compat loaded; on a plain Apache 2.4 setup the equivalent single line inside each block is Require all denied.)
Limit Login Attempts
Next, you should consider limiting login attempts to your site. Let’s assume a user has forgotten his password. Out of the box, WordPress will let that user make an endless number of tries to get into the site. But that user could actually be a hacker, and you don’t want them to have limitless tries to log in. Limiting attempts takes that away and deters a hacker.
Implementing this is typically done with the use of a plugin. Depending on what settings you use, you can block someone temporarily—and this is what you should do in the case where you might have legitimate users trying to log in—or you could permanently block that IP. Of course, a hacker will be circling through IPs, so it’s a bit like playing whack-a-mole.
Note this can also be done without a plugin, but since it’s a bit complicated, I suggest you stick with the plugin.
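For readers who want to see what the non-plugin route looks like, here is an added example (my code, not the post’s and not any particular plugin’s): a must-use plugin, dropped into wp-content/mu-plugins/, that counts failed logins per client IP in a WordPress transient and refuses authentication once the limit is reached. The limit of 5 failures, the 15-minute window, the LAL_ prefix and the function names are my assumptions; the hooks wp_login_failed, authenticate and wp_login, the transient functions and MINUTE_IN_SECONDS are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Temporarily locks an IP out after repeated failed logins. Example code with assumed limits.
 */

// Assumptions (not taken from the post): 5 failures within 15 minutes lock the
// IP out, and the window restarts on every failure, so the lockout ends
// 15 minutes after the last attempt. Both values are placeholders to tune.
define('LAL_MAX_ATTEMPTS', 5);
define('LAL_WINDOW', 15 * MINUTE_IN_SECONDS); // MINUTE_IN_SECONDS is defined by WordPress

// REMOTE_ADDR is set by the web server itself. Do not read X-Forwarded-For here
// unless a proxy you control sets it: a client can send that header with any value,
// which would let one address dodge the lockout or lock out another.
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient key for one IP; md5 keeps the key short and free of odd characters.
function lal_key($ip) {
    return 'lal_fail_' . md5($ip);
}

// Count each failed login against the client IP. The transient expires on its own,
// which gives the temporary block the post recommends rather than a permanent one.
add_action('wp_login_failed', function ($username) {
    $ip    = lal_client_ip();
    $key   = lal_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW);
    // Goes to the PHP error log; a notification plugin would hook the same event.
    error_log(sprintf('Failed login for "%s" from %s (%d of %d allowed)',
        $username, $ip, $count, LAL_MAX_ATTEMPTS));
});

// Refuse authentication while the IP is locked out. Priority 99 runs after the
// authenticate callbacks WordPress registers itself, and because this is the
// authenticate filter it covers wp-login.php, XML-RPC and REST logins alike.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_key(lal_client_ip())) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts from your address. Please try again later.');
    }
    return $user;
}, 99, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(lal_key(lal_client_ip()));
});
```

Because the counter lives in a transient, it is stored wherever your site keeps transients (the options table by default, or an object cache if one is configured), so no extra table is needed. The trade-off the post mentions applies here too: a bot rotating through many IPs is only slowed per address, which is why this belongs alongside, not instead of, a non-default username and a strong password.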
So there you have it. The first step is always to change the default username when you set up a WordPress site. And if you have any seasoned sites that have that default name, go change them now. And make sure you follow the steps above on how to secure your site.