Day 1. Leave no Chance to Find Out your Administrator Login
1. Really? Are You Still «admin»?
Most content management systems ship with a well-known default administrator login, and WordPress's is admin (the installer offers it by default). A login is one half of a credential pair: anyone who already knows it only has to guess the password, which is exactly what automated brute-force attempts against wp-login.php do, so a known login makes their lives a little easier. When you install WordPress, do not be lazy: choose anything else.
If you didn't, the dashboard will not help you (the Username field on your profile is read-only), so open phpMyAdmin and run the query below. Replace notadminpls with the login you want and {database_prefix} with your current table prefix; the default prefix is wp_. Your password stays the same, you simply log in with the new name afterwards.
UPDATE {database_prefix}users SET user_login='notadminpls' WHERE user_login='admin';
I want to mention it one more time: if you run any queries in your database and you're not sure what they do, always make a backup first!
Are you running WordPress Multisite? Super admins are stored by login, not by ID, as a serialized PHP array in the site_admins row of the sitemeta table, so renaming the user silently drops its super admin rights. The query below rewrites that serialized value so that your new login ("notadminpls" in the example) takes the place of "admin".
UPDATE {database_prefix}sitemeta SET meta_value = REPLACE(meta_value, 's:5:"admin"', 's:11:"notadminpls"') WHERE meta_key = 'site_admins';
* 11 is the number of characters in your new login. PHP serialization stores every string as s:LENGTH:"VALUE", and a wrong length makes the whole array unreadable, which can leave the network without any working super admin until you fix the value. Too complicated for you? Call the grant_super_admin() function with the user's ID instead.
2. Trick with your Author Archives
Okay... you've changed your admin login, so maybe you feel comfortable now. Not yet, my friend.
Add /?author=1 to your website homepage URL and press Enter. WordPress redirects you to /author/NICENAME/, the archive of the user with ID 1, and... isn't that your login? Surprised?
What is shown there is the user_nicename column. WordPress generates it from the login when the account is created (lowercased, with unsafe characters removed) and no dashboard screen ever changes it, so on most sites it is simply the login in lowercase, and anyone can walk through ?author=1, ?author=2, ... to collect every username. Note that the UPDATE from step 1 changes user_login only; the nicename keeps its old value until you change it in step 3.
So, first of all we will close this /?author= redirect in .htaccess, and later we'll change your administrator's nicename, which is used in author archive URLs /author/NICENAME.
Option 1. Redirect ?author= pages in .htaccess
Actually I can separate this step into two ways: a simple way and an interesting way. In the simple code below we just redirect the visitor to the homepage. But whoever requests ?author=1 and lands on the homepage will immediately understand that you use this code, which is why I use the second option.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
The code should be placed after the line RewriteEngine On and before the line RewriteBase /. The first condition keeps the admin area working: screens such as Users and the post editor use author=N in their own URLs. One caveat: WordPress regenerates everything between # BEGIN WordPress and # END WordPress whenever you save the permalink settings, so if your rules live there, check that they survived, or keep them in their own block above # BEGIN WordPress with their own RewriteEngine On line.
Option 2. Return your theme's default 404 error page instead of ?author= pages
But the awesome way is to throw a 404 error, just as if that is how it should be.
This method is a little tricky because Apache serves an ErrorDocument as a static file, without running WordPress. So open your website's well-designed 404 page, copy its HTML (view source) and paste it into 404.html, which should be located in your WordPress top directory. Remember to refresh that copy when you change the theme.
After that, somewhere at the beginning of your .htaccess place this line of code:
ErrorDocument 404 /404.html
And then after RewriteEngine On and before RewriteBase /:
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^.*$ - [R=404,L]
The - means no substitution, and a status outside the 3xx range in the R flag makes Apache answer with that status immediately, which is when the ErrorDocument is used. Done!
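If your server is nginx, or you would rather keep this logic inside WordPress, the same check can be done in PHP. The following is an added example, not code from the original post: a must-use plugin (the file name and the function name are my own) that turns a numeric ?author= request from a visitor who is not logged in into a 404 rendered by your theme's own 404.php, so no static 404.html copy is needed.

```php
<?php
/**
 * Plugin Name: Block ?author=N enumeration (added example)
 *
 * Added example, not code from the original post. Save it as
 * wp-content/mu-plugins/block-author-enum.php (assumed file name).
 */

/**
 * Same two conditions as the .htaccess rules: the request is not for the
 * admin area (case-insensitive, like [NC]) and the raw query string
 * contains author=<digit>. Pure function, so it can be tested without
 * a running WordPress.
 */
function rudrastyh_example_is_author_probe( $query_string, $request_uri ) {
    if ( 0 === stripos( (string) $request_uri, '/wp-admin' ) ) {
        return false;
    }
    return 1 === preg_match( '/author=\d/', (string) $query_string );
}

add_action( 'template_redirect', function () {
    // Logged-in users may use ?author=N legitimately; everybody else gets a 404.
    if ( is_user_logged_in() ) {
        return;
    }
    $query_string = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    $request_uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( ! rudrastyh_example_is_author_probe( $query_string, $request_uri ) ) {
        return;
    }
    // Flag the query as 404 *before* redirect_canonical() runs (it is hooked
    // on template_redirect at priority 10). set_404() clears is_author(), so
    // WordPress never builds the /author/<nicename>/ redirect, and the
    // template loader then renders the theme's 404.php.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
}, 1 );
```

The hook priority is the important detail: at priority 1 the main query has already run, so is_user_logged_in() and $wp_query are available, but redirect_canonical() has not yet looked at the author query var. Exempting logged-in users is a design choice that mirrors the wp-admin exception of the .htaccess rule; drop that check if you want the 404 for everyone.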
3. Changing your Nicename (not Nickname) and Display Name
Well, I think I should have begun my post with this, because these are very important things to do!
Your nicename and display name can be shown in many places on your website, so please pay special attention to changing them.
Your username should never match your display_name!
Yes, yes, right now go to Users > Your Profile and set "Display name publicly as" to something that is not your username!
You've just prevented your login from being printed as the author name on every post and comment you write.
Nicename is also important
It is not as simple to change as the display name (you have to go to phpMyAdmin again), but your nicename is printed by body_class() (the author-NICENAME class on author archives), by comment_class() (comment-author-NICENAME), and it is the slug in the author archive URL /author/NICENAME.
UPDATE {database_prefix}users SET user_nicename = 'MishaRudrastyh' WHERE ID = 1;
Here 1 is the user ID of the account; check it in Users, the edit screen's URL ends in user_id=N. The value must be unique among your users.
In the rendered HTML of a comment, the comment class carries the nicename and the author title carries the display name. So, if you have already changed them both, great!
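The nicename query above and the Multisite fix-up from step 1 can also be done through the WordPress user API in one go. The script below is an added example, not code from the original post; the file name, the function name and the three values at the bottom (notadminpls, MishaRudrastyh, Misha) are assumptions. It refuses any nicename or display name that equals the login, which is the whole point of this post. user_login itself cannot be changed with wp_update_user(), which is why the post uses SQL for that part.

```php
<?php
/**
 * Added example, not code from the original post. Run once, after the
 * UPDATE on user_login from step 1, with WP-CLI:
 *   wp eval-file fix-admin-names.php      (assumed file name)
 */

/**
 * Give $login a nicename and display name that differ from the login,
 * then make sure the account is still a super admin on Multisite.
 * Returns the updated WP_User, or a WP_Error describing what went wrong.
 */
function rudrastyh_example_separate_names( $login, $nicename, $display_name ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', "No user with login '{$login}'" );
    }
    // A persistent object cache may still hold the row from before the SQL rename.
    clean_user_cache( $user->ID );

    // WordPress lowercases and slug-ifies nicenames ('MishaRudrastyh' becomes
    // 'misharudrastyh'); apply the same rule here so the value we check is the
    // value that ends up in /author/<nicename>/ URLs.
    $nicename = sanitize_title( $nicename );

    // Neither public name may equal the login.
    foreach ( array( $nicename, $display_name ) as $public_name ) {
        if ( 0 === strcasecmp( $public_name, $login ) ) {
            return new WP_Error( 'leaks_login', "'{$public_name}' is the login itself" );
        }
    }

    $result = wp_update_user( array(
        'ID'            => $user->ID,
        'user_nicename' => $nicename,
        'display_name'  => $display_name,
    ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Multisite stores super admin *logins* in the site_admins option, so the
    // renamed account lost its rights when user_login changed. grant_super_admin()
    // appends the new login; the stale 'admin' entry is harmless because no
    // user with that login exists any more.
    if ( is_multisite() && ! is_super_admin( $user->ID ) ) {
        grant_super_admin( $user->ID );
    }

    // Re-read: wp_update_user() appends a -2 suffix if the nicename was taken.
    return get_userdata( $user->ID );
}

// Only execute when run through WP-CLI, never on a normal page load.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $updated = rudrastyh_example_separate_names( 'notadminpls', 'MishaRudrastyh', 'Misha' );
    if ( is_wp_error( $updated ) ) {
        WP_CLI::error( $updated->get_error_message() );
    }
    WP_CLI::success( "login={$updated->user_login} nicename={$updated->user_nicename} display_name={$updated->display_name}" );
}
```

Check the result the same way you found the leak: /?author=1 should now redirect to /author/misharudrastyh/, and the comment-author class and the author name on your posts should no longer contain notadminpls.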
I will be glad to answer all your questions in comments below.

Misha Rudrastyh
Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
Thanks for posting this. Your Protecting WordPress-Series is very helpful to me. I have a couple of questions.
1.) Does it make a difference if I rename the user_login (=username) (and the user_nicename) directly in the database via phpMyAdmin or is it better to do this with your sql commands?
2a.) The nicename and displayname will be visible, if you are author of a post or comment, so why are you going to change them? Is the important point just to make sure, that the user_login is different to the nicename/displayname?
2b.) Wouldn’t it be even better to never use the admin-account at all to write post/comments etc but to use for posts/comments/moderation the editor role?
3.) Wouldn’t it be even more secure to rename the user_login (=username) to something cryptic like “M4ig81Tr”? Can users (admins/editors/etc) be extracted from the database or does the redirect .htaccess you explained in this post do the trick to block such nasty queries? Is the reason to redirect the query to a 404.html to save performance or could the redirect also be a regular wordpress-404-page?
4.) I even think of adding a couple of simple followers-roles (with no special privileges) so that user_login, nicename etc look similar in order to confuse a hacker. Or is this too paranoid?
Sorry that I have so many questions.
Hi Herbie,
I’m glad that my post helps.
1.) No, no difference at all.
2a.) Yes, the user login just should be different from nicename and displayname.
2b.) Some people do it, but in my opinion — no.
3.) Yes, you can use “M4ig81Tr” if you want. To prevent “database extraction” your website shouldn’t have any holes for SQL-injections. I described it here. You can redirect users anywhere you want. I just think when you show 404 without a redirect, it looks more... realistic.
4.) I suppose it won’t confuse a hacker – just make him smile :)
Have a great day!
Hey Misha
Thank you very much for your valuable information.
Ok to 1 and 2.
What I’m not sure about, is, if usernames (ie administrator login) still *can* be extracted as far as you know.
So in other words, with a.) an up to date wordpress, b.) without any plugins that leave holes for sql-injections, c.) with the above redirect ?author= pages and d.) with different user- and nice-/displaynames, e) with an admin-account with a non-guessable user-ID other than #1 I do “leave no chance to find out the administrator login”. If not quite, that would have been the reason to try to confuse hackers about the login-names as I suggested in my first comment @4 (with a couple of similar looking follower-accounts).
Or do you think above measures are sufficient to “Leave no [reasonable] Chance to Find Out your Administrator Login” (Day 1 topic)?
Sorry, if I have so many questions, I want to make sure everything reasonable is done, but not to be paranoid on the other side.
Hey Herbie,
completing the steps that are mentioned in this post is quite enough :)
If I find out about another method, I will add it to the post.
“quite enough” That’s fine. I was unsure about the smiling part ;)
Thank you very much for your expertise and support.
You’re welcome :)
I’m here if you have other questions later.