Day 1. Leave no Chance to Find Out your Administrator Login

This post is part of a WordPress protection series. Over the week we will cover all WP security weak spots, and we begin with the basics.


1. Really? Are You Still «admin»?

In every content management system there is a default administrator login. For those who want to get access to your website, this makes their lives a little easier.

The WordPress default login is admin. When you install WordPress, do not be too lazy to change it to something else.

Use a custom administrator username during WordPress installation.

If you didn’t, go to phpMyAdmin and run the query below. Of course, replace notadminpls with the login you want and {database_prefix} with your current database prefix (the default prefix is wp_).

UPDATE {database_prefix}users SET user_login='notadminpls' WHERE user_login='admin';

I want to mention it one more time: if you run any queries in your database and you’re not sure what these queries do… always make a backup first!

Are you running WordPress Multisite? The SQL query below allows you to reassign the super admin permission to your new login (“notadminpls” in the example).

UPDATE {database_prefix}sitemeta SET meta_value = REPLACE(meta_value, 's:5:"admin"', 's:11:"notadminpls"') WHERE meta_key = 'site_admins';

* 11 is the number of characters in your new login. Too complicated? Use the grant_super_admin() function instead.
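Getting that number wrong leaves site_admins as an unparseable serialized array. The following Python is an added example (not the author's code) that builds the multisite query with the correct length and checks that the value still parses afterwards; it also goes beyond the ASCII case in the text, since PHP serialize() counts UTF-8 bytes, not characters. The sample site_admins value is constructed.

```python
import re

# PHP serialize() stores a string as s:<byte length>:"<bytes>", so the number
# in the REPLACE() call must be the UTF-8 byte length of the login, which only
# equals the character count for ASCII logins.
def serialized_token(login: str) -> str:
    if any(c in login for c in '"\'\\'):
        raise ValueError("quotes and backslashes are not allowed in a login")
    return 's:%d:"%s"' % (len(login.encode("utf-8")), login)

def site_admins_update_sql(old: str, new: str, prefix: str = "wp_") -> str:
    """Build the multisite UPDATE statement with correct serialized lengths."""
    return ("UPDATE %ssitemeta SET meta_value = REPLACE(meta_value, '%s', '%s') "
            "WHERE meta_key = 'site_admins';"
            % (prefix, serialized_token(old), serialized_token(new)))

def rename_site_admin(serialized: str, old: str, new: str) -> str:
    """Apply the same substitution MySQL REPLACE() performs on meta_value."""
    return serialized.replace(serialized_token(old), serialized_token(new))

def parse_site_admins(serialized: str) -> list:
    """Parse a:N:{i:0;s:5:"admin";...} into a list of logins. Raises
    ValueError when a declared length does not match the data, which is
    exactly what a wrong count in REPLACE() produces."""
    data = serialized.encode("utf-8")
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, logins = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not entry:
            raise ValueError("malformed entry at byte %d" % pos)
        start = pos + entry.end()
        end = start + int(entry.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("declared length does not match the data")
        logins.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("unexpected trailing data")
    return logins

def is_well_formed(serialized: str) -> bool:
    try:
        parse_site_admins(serialized)
        return True
    except ValueError:
        return False

# Constructed sample of a site_admins meta_value with two super admins.
SAMPLE = 'a:2:{i:0;s:5:"admin";i:1;s:6:"editor";}'
```

Run the generated statement only after a backup, as the post says; the parser lets you dry-run the replacement on the value copied from phpMyAdmin first.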

2. Trick with your Author Archives

Okay… if you’ve changed your admin login, maybe you feel comfortable now. Not yet, my friend.

Try adding something like /?author=1 to your website homepage URL and press «Enter». The page performs a redirect… and… isn’t that your new login?

Surprised?

So, first of all, we will close this /?author= redirect in .htaccess, and later we will change your administrator nicename, which is used in author archive URLs: /author/NICENAME.

Option 1. Redirect ?author= pages in .htaccess

Actually, there are two ways to do this step: a simple way and a more interesting way. With the simple code below we just redirect visitors to the homepage. But anyone who requests your ?author= URL will immediately understand that you use this code, which is why I prefer the second option.

# Leave the admin area alone
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match requests such as /?author=1
RewriteCond %{QUERY_STRING} author=\d
# Redirect to the homepage; the trailing ? drops the query string
RewriteRule ^ /? [L,R=301]

The code should be placed after the line RewriteEngine On and before the line RewriteBase /.

Option 2. Return your theme default 404 error page instead of ?author= pages

But the better way is to throw a 404 error, as if that were the normal behaviour.

This method is a little tricky because you need to open your website’s well-designed 404 page, copy its HTML and paste it into 404.html, which should be located in your WordPress root directory.

After that, somewhere at the beginning of your .htaccess, place this line:

ErrorDocument 404 /404.html

And then after RewriteEngine On and before RewriteBase /:

# Leave the admin area alone
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match requests such as /?author=1
RewriteCond %{QUERY_STRING} author=\d
# Answer with the page defined by ErrorDocument 404 instead of redirecting
RewriteRule ^.*$ - [R=404,L]

Done!

3. Changing your Nicename (not Nickname) and Display Name

Well, I think I should have begun my post with this, because these are very important things to do!

Your nicename and display name can be shown in many places on your website, so pay special attention to changing them.

Your username should never match your display_name!

Yes, yes, go to Users > Your Profile right now and change it!

How to change a Display Name in a user profile.

You’ve just prevented something like this:

Preventing your admin username from displaying everywhere on your website.

Nicename is also important

It is not as simple to change as the display name (you have to go to phpMyAdmin again), but your nicename is displayed in body_class(), in comment_class() and in the admin author archive URL /author/MishaRudrastyh.

UPDATE {database_prefix}users SET user_nicename = 'MishaRudrastyh' WHERE ID = 1;

In the screenshot below, the comment class is the nicename and the author title is the display name. So, if you have already changed them both, great!

The nicename is in the comment class, the display name is the author title. Make both differ from your administrator username.

I will be glad to answer all your questions in comments below.

#5DaysToProtectYourWordPress
