
Why You Shouldn’t Use The WordPress Admin Account

Do you still use the default admin account that is created when you install Wordpress? DON'T!! The first step to securing your website from those malicious people out there who want to destroy all your hard work, is to not use the admin account to administer your website. In this post I'll talk about some of the things that Brad Williams mentioned in his presentation at Wordcamp Boston this pas...

What's wrong with using the admin account?

First of all let me say that people that post things on their site using the admin account, make me less interested in what they have to say. Maybe it has to do with the impersonal connection I feel with the author, who knows. That's beside the most important point.

There are hacker bots all over the internet. Spam comments, for example, are posted by bots that target websites that let anyone comment; spam emails come from bots too. These bots (automated programs or snippets of code people write) are built to look for ways to add spam and other malicious content to websites that aren't protected.

Hacker bots are smarter and more advanced programs than you might think. They scour the internet looking for exploits in commonly used website software such as WordPress. When an exploit is found, the bot is able to insert links, files, viruses and other pieces of malicious code, and it will hide them well so you aren't aware of it.

Still not convinced?

In his presentation, Brad explains how he had two separate websites on the same hosting account. One site was running WordPress, the other WordPress MU. A bot had dropped a hacker file on the WordPress MU site, which started hacking the WordPress site, inserting spam links into the theme and other files.

The WordPress site was entirely dropped from Google's search results, which was how he became aware there was a problem. Looking at the source code of the site showed 375 spam links that were hidden using CSS, like this:

	<b style="display:none">Anything here will be hidden</b>

He also found an infected phpBB forum, and organic traffic for Viagra started showing up, which is just lovely. It took almost a year to regain the PageRank the site had prior to this happening.
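Hidden spam links of the kind described above are easy to miss by eye but simple to find mechanically. The following is an added example, not code from the post or from Brad's presentation: a small Python script that parses a page's HTML with the standard library and reports every link sitting inside an element (or any ancestor) whose inline style hides it. The sample page it scans is constructed here; the style patterns it looks for (display:none, visibility:hidden, and large negative offsets) are assumptions about common hiding tricks, and hiding done through a class in a separate stylesheet is out of its reach.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that commonly hide content from visitors while leaving
# it in the HTML for search engines to read (assumed list, not exhaustive).
# Stylesheet-based hiding (a class defined in a .css file) is invisible here.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements that never have a closing tag, so they must not touch the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Walk the document and record every <a href> whose element or any
    ancestor carries a hiding inline style."""

    def __init__(self):
        super().__init__()
        self._stack = []          # one bool per open element: is it hidden?
        self.hidden_links = []    # hrefs found under a hidden ancestor
        self.total_links = 0      # all hrefs seen, hidden or not

    def _visit(self, tag, attrs):
        attrs = dict(attrs)
        parent_hidden = bool(self._stack and self._stack[-1])
        own_hidden = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        hidden = parent_hidden or own_hidden
        if tag == "a" and attrs.get("href"):
            self.total_links += 1
            if hidden:
                self.hidden_links.append(attrs["href"])
        return hidden

    def handle_starttag(self, tag, attrs):
        hidden = self._visit(tag, attrs)
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        # <tag ... /> opens and closes at once: inspect it, never push it.
        self._visit(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()


def find_hidden_links(html):
    """Return (hidden_hrefs, total_link_count) for a page's HTML."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links, finder.total_links


# Constructed sample page: two legitimate links plus four links hidden the way
# the compromised theme in the post hid its spam links.
SAMPLE_HTML = """<html><body>
<p>Welcome to my blog. Read the <a href="/about">about page</a>.</p>
<div style="display:none">
  <a href="http://spam.example/cheap-pills">pills</a>
  <a href="http://spam.example/casino">casino</a>
</div>
<span style="visibility: hidden">see <a href="http://spam.example/loans">loans</a></span>
<b style="position:absolute; left:-9999px"><a href="http://spam.example/x">x</a></b>
<img src="/logo.png" alt="logo">
<p>Normal <a href="/contact">contact</a> link.</p>
</body></html>"""

if __name__ == "__main__":
    hidden, total = find_hidden_links(SAMPLE_HTML)
    print(f"{len(hidden)} of {total} links are hidden from visitors:")
    for href in hidden:
        print("  ", href)
```

Run it against the HTML your server actually sends (fetch the page with curl rather than viewing it in a logged-in browser, since some injected code only shows itself to anonymous visitors or search engines) and compare the link count with what you see on the rendered page; any link the script reports that you did not put there is worth a look at the theme and plugin files.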

Holy Shi- How do I prevent this?

You need to stop using the admin account for one thing. There are other things you can do too which I'll talk about another time.

You can change your admin account one of 3 ways:

  • Create a new account
  • Run a MySQL query
  • Use a "friendly" name

The easiest and best way I think, is to create a new admin account.

In the WP dashboard, under Users, you can add new users. Once you do that, you can change the user role to Administrator. Log out of the default admin account and log back in to the newly created administrator account. Then delete the admin account, making sure to assign all posts and content created by that account to the new account you just made.

Another, more technical way is to run a MySQL query.

If you don't know how to use PhpMyAdmin or how to run MySQL queries, then you shouldn't try doing this. Otherwise you should be ok.

In MySQL, run this query to change the admin account's name to 'newuser', replacing that with the username you want to change it to.

	UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';

If neither of those are an option for whatever reason, you should at least use a "friendly name".

Go to your profile page in the WP dashboard and change your Display name to be something other than admin. At least that way your posts won't give away the fact that you're using the admin account. Showing that you're still using the default account that is made when you install WordPress is like a red flag to bots looking for exploits. They see it as a site they are more likely to be able to compromise.
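For the MySQL route above, a few checks around the UPDATE make it much safer to run: confirm the new name is not already taken, keep the user's ID (so posts and the role stored in wp_usermeta stay attached), and rename user_nicename as well, since that column feeds the author URL. The script below is an added example, not code from the post or from WordPress; it runs the same UPDATE against an in-memory SQLite copy of the two tables (a stand-in for MySQL, with constructed users), and also lists which accounts hold the administrator role so you can see who is affected before and after. The table names assume the default wp_ prefix; the role check relies on wp_capabilities holding a PHP-serialized array, which is why it is a LIKE on the text.

```python
import re
import sqlite3

# Cut-down copy of the columns this example touches. Assumption: the real
# MySQL tables use these names (wp_users, wp_usermeta) and the wp_ prefix.
# SQLite is only the in-memory stand-in that lets the script run offline.
SCHEMA = """
CREATE TABLE wp_users (
    ID            INTEGER PRIMARY KEY,
    user_login    TEXT NOT NULL UNIQUE,
    user_nicename TEXT NOT NULL,
    display_name  TEXT NOT NULL
);
CREATE TABLE wp_usermeta (
    umeta_id   INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    meta_key   TEXT NOT NULL,
    meta_value TEXT
);
"""

# Constructed users. wp_capabilities is a PHP-serialized array, which is why
# the role check below is a LIKE on the serialized text.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "jared", "jared", "Jared", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "guest", "guest", "Guest Author", 'a:1:{s:6:"author";b:1;}'),
]

# Conservative subset of the characters WordPress accepts in a login.
VALID_LOGIN = re.compile(r"^[A-Za-z0-9_.\-]{1,60}$")


def build_demo_db():
    """Create the in-memory stand-in and load the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid, login, nicename, display, caps in SAMPLE_USERS:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)",
                     (uid, login, nicename, display))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    conn.commit()
    return conn


def list_administrators(conn):
    """Logins of every account holding the administrator role, by ID."""
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' ORDER BY u.ID"
    ).fetchall()
    return [r[0] for r in rows]


def rename_user(conn, old_login, new_login):
    """Rename a login the way the post's UPDATE does, with the checks the
    raw query lacks. Returns the number of rows changed (0 or 1)."""
    if not VALID_LOGIN.match(new_login):
        raise ValueError(f"invalid login: {new_login!r}")
    if new_login == old_login:
        raise ValueError("old and new login are identical")
    if conn.execute("SELECT 1 FROM wp_users WHERE user_login = ?",
                    (new_login,)).fetchone():
        raise ValueError(f"login already taken: {new_login!r}")
    # The user ID is untouched, so posts and wp_usermeta (roles) stay linked.
    # user_nicename feeds the author URL, so it is renamed too (lower-cased
    # as a simplification of what WordPress does); display_name only changes
    # when it still echoes the old login.
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?, "
        "display_name = CASE WHEN display_name = ? THEN ? ELSE display_name END "
        "WHERE user_login = ?",
        (new_login, new_login.lower(), old_login, new_login, old_login),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo_db()
    print("administrators before:", list_administrators(db))
    print("rows renamed:", rename_user(db, "admin", "site-owner"))
    print("administrators after: ", list_administrators(db))
```

The SQL inside is plain enough to paste into phpMyAdmin against MySQL once you swap the ? placeholders for your values; take a database backup first, and note that a rename keeps the same account, so a weak password on it is still a weak password.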

Check out Brad Williams' presentation slides at Wordcamp Boston to learn more. I will link to the video once it is uploaded to Wordcampboston.com.

Do you still use the default admin account on your WordPress site?


About the Author

Jared is from Boston working as a web and graphic designer. Also owns the design blog Tweeaks.com, and has designed many other websites powered by Wordpress including the New2WP theme.


User Comments


  1. WP 3.0 and above support a custom username at the time of installing....


  2. Thanks for the tip. I still don’t understand how the account name being ‘admin’ makes my WP any easier to hack than any other user name. Surely the security depends on the strength of your password?


  3. There are spam bots that can detect vulnerabilities of sites and being as popular as WordPress is, it is easy for spambots, which are freakishly sophisticated pieces of code that collect and learn from data found from source code of websites, to find security holes in WordPress sites, especially if it uses an admin account, which can be stored as a default value for a bot to search for, and apply what they know for hacking sites that use them.

    It's more involved than just having a secure password. It doesn't have to do with being able to use admin accounts for logging in to a site. It can be much more in-depth than guessing the password. It's just a good idea to use a name other than admin.


  4. Jared,

    do you know how to query to find all users with the "admin" rights?

    I have three but set only one....

    Thanks,

    Mark


  5. Funny you should ask. I just may have what you need and have posted it as a new snippet here http://new2wp.com/snippet/find-users-by-role-wordpress/

    Hope that helps! :)


  6. Interesting post Jared, I didn't think about the use of the admin post like that, I only have a couple of sites like that (ones I have been lazy with) but I will be changing them asap. Cheers!


  7. Sometimes there are problem that you’ve encountered with your admin account. And though it has been so hard making and coming back from the start and starting all over again because of a certain problem. This problem is happening all the time and in any time but using and doing it the right way with WordPress account.


  8. Hi Jared, Thanks for this very helpful post. I've been researching ways to make my WordPress blogs more secure after one of my friend's sites got hacked and it was just a big mess. Reading about the admin account is definitely a wake-up call for me, since I have been using the admin account on all my sites.

    Btw do you know of any tool or easy way to scan your website for hidden text, like you mentioned? It's pretty scary to have all these spam links on your site without knowing and I was wondering if there is any way to detect this kind of spam early before getting dropped from Google?


  9. I didn't realise that using the admin account was such a big problem. I've been posting as admin on all my wordpress sites, guess I was a little lazy about changing it. Can't say I've had any problems with viruses yet, but I'll change them anyway to be safe. Thanks.


  10. Wow, thanks for this. More security is never a bad thing.


  11. Just looking around some blogs. I am also a web designer.


  12. You would think that over time the problem would be getting better, but instead it's getting worse.

    More security is good. And yes, I've been using the admin account to post on my blogs. I just dread the job of going in and changing it now on each one.

    Can someone tell me why people feel led to do this destructive stuff?

    - J


  13. Another tip I would suggest to prevent your site from being hacked is to not save your username and password in your browser. I had the "Indonesian Hacker Team" Hack my site and they destroyed it. My hosting provider told me that they infiltrated through my browser where I had my username and password stored. Needless to say I never store this info in my browser anymore. I will take your advice regarding the admin account.
    Thanks
    Ray


  14. I've always used a friendly name. I luckily have not had any problems to this point. I'm always amazed when people use the generic admin. How impersonal.

    I think the most important point you made is the loss of Google rankings. As blog writers we want our voice to be heard by as many as possible. Those rankings need to be protected at all cost. After all they were not easy to come by.
