I’m going to share a tip that only seasoned WordPress developers will know about and put into practice.
It will also help to keep your WordPress website safer.
So here’s the tip:
Remove the Admin user and the Meta Generator tag.
What are these things?
Before version 3.2 the WordPress installation and setup automatically created an account called “Admin”.
During the setup you could give the account a password but the username “Admin” was set in stone.
From experience I’m making an educated guess that many WordPress webmasters have kept the original Admin user account.
Perhaps they actively use it or have since created their own user accounts, forgetting about Admin all together.
Either way, having an account called Admin is inviting trouble.
Note: The WordPress v3.x setup and installation asks you for both a username and password. It is great to see WordPress address this issue; just remember to avoid using Admin as a username.
The default, WordPress themes also insert a meta generator tag than contains the WordPress name and version number running your site.
This can act as a beacon for hackers to launch an attack on your website, knowing which type of system to hack into.
What’s the issue?
There are bad people on the Interwebs and they like to hack into websites.
They need three pieces of information to help hack your website;
- What type of CMS you are using
- A valid username
- A valid password
It is pretty easy to identify a website that is using WordPress as the CMS, especially if your meta generator tag has not been removed, and hackers will write scripts to find these.
The scripts will then attempt to login to your WordPress CMS with the Admin username, trying to guess the password and your website has provided the first two pieces of information they require
What can you do?
Create a new WordPress account with a unique username and give it administrator rights.
Make sure you can login and out of the new account then delete the existing Admin user.
Next, you will want to remove the meta generator tag.
Locate your theme’s header.php file and remove the HTML code that inserts that meta generator tag.
If you don’t know how to do this, I suggest you find and install a plugin to do it for you. There are many.
Now your WordPress website is a lot safer from attack.
We use a nice little plugin called Login Logger to monitor our customer logins.
As well as successful logins, it logs failed attempts, complete with the username, IP address and date-time.
This is invaluable information for webmasters who are trying to protect their blog and websites.
I suggest you install the plugin and check back in a couple of weeks to see the failed activity. You may be shocked at the number of attacks on your website that you were previously unaware of.
We check the logs regularly and use reverse IP tools to find out the attackers ISP then contact them to report the abuse.
In some circumstances we also block the attackers IP address from our hosting account.
Remove the Meta Generator tag from your WordPress theme design.
Create a new Administrator account with a unique username and strong password then delete the existing Admin user account.
Install the Login Logger pluging and monitor failed attempts to hack into your website.
Remember to back up your WordPress DB and files beforehand.