Always back up your WordPress blog!
I’ve already done a post on how to back up and restore your WordPress blog but this is seriously SO IMPORTANT that I need to remind everyone again! If your WordPress site gets hacked, your blog is GONE! …unless you back up. If your security is lacking in even one area, this can easily happen to you. It’s so much better to be safe than sorry! Do not make the mistake of not backing up and losing all your hard work!
And remember: there are two parts to backing up your blog. You have to do BOTH of them if you want your blog to be completely recoverable!
1) Back up your database. Your database is where all your posts, pages, users, and settings are stored. The big one here is POSTS. All of your posts are saved in the database!
2) Back up your files. Your files (like what you see in FTP) are where your images, themes, and plugins are stored. The big one here is IMAGES because themes and plugins can easily be installed again. But if you don’t want to lose all your images, you need to back up your WordPress files!
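Both parts of the backup described above, in one script, as an added example (not code from the post or from WordPress): it reads the database credentials from wp-config.php, builds a mysqldump command for part 1 and archives wp-content for part 2. The directory layout and credentials in make_sample_site are constructed so the example runs offline, and the mysqldump step only executes when run_dump=True.

```python
import os
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path

# Matches lines such as define('DB_NAME', 'wp_blog'); in wp-config.php.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def read_db_settings(wp_root):
    """Part 1 needs the database credentials, which WordPress keeps in wp-config.php."""
    text = (Path(wp_root) / "wp-config.php").read_text()
    return dict(DEFINE_RE.findall(text))

def mysqldump_command(db, out_file):
    """mysqldump invocation for the database (posts, pages, users, settings); the password is
    passed via the MYSQL_PWD environment variable, never on the command line."""
    return ["mysqldump", "--single-transaction", f"--host={db.get('DB_HOST', 'localhost')}",
            f"--user={db['DB_USER']}", f"--result-file={out_file}", db["DB_NAME"]]

def backup_files(wp_root, out_file):
    """Part 2: archive wp-content; uploads/ holds the images that cannot be reinstalled."""
    with tarfile.open(out_file, "w:gz") as tar:
        tar.add(str(Path(wp_root) / "wp-content"), arcname="wp-content")
    with tarfile.open(out_file, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())

def backup_site(wp_root, dest_dir, run_dump=True):
    """Run both parts. run_dump=False builds the mysqldump command without executing it."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    db = read_db_settings(wp_root)
    cmd = mysqldump_command(db, dest / "database.sql")
    if run_dump:
        subprocess.run(cmd, check=True, env=dict(os.environ, MYSQL_PWD=db["DB_PASSWORD"]))
    return cmd, backup_files(wp_root, dest / "wp-content.tar.gz")

def make_sample_site():
    """Constructed miniature WordPress tree in a temp dir so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp_blog');\ndefine('DB_USER', 'wp_user');\n"
        "define('DB_PASSWORD', 'example-only');\ndefine('DB_HOST', 'localhost');\n")
    uploads = root / "wp-content" / "uploads" / "2013" / "05"
    uploads.mkdir(parents=True)
    (uploads / "cover.jpg").write_bytes(b"\xff\xd8\xff")  # constructed placeholder image bytes
    return str(root)
```

Against a real install, point wp_root at the directory containing wp-config.php and leave run_dump at its default so the database dump actually runs.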
Have a secure password & don’t have a username called “admin”
If you have an insecure password and/or you have an account with the username “admin”, the chances of you getting hacked are VERY high! The last two days I have woken up to this:
That means I went to bed with 0 login attempts and woke up 8 hours later with 1,700. TWO DAYS IN A ROW! That’s 3,400 failed login attempts in two days. This means someone has an automatic script up and running that tries thousands of password combinations on my blog… all by itself, over and over again.
Luckily for me, every single one of those attempts is for the username “admin”, which doesn’t exist on my blog. But that’s my point! All the ‘robots’ out there will try to brute force their way into your blog by trying to login with the username “admin” and thousands of different possible passwords. If you have an account with the username “admin”, your chances of being hacked just went WAY up!
Delete/change the “admin” account name
If you just remove the account called “admin” you’re already several steps ahead of the hackers and you have that much less of a chance of being hacked.
Have an incredibly strong password
These automatic scripts usually go through dictionaries trying all the dictionary words as passwords. So if your password is “dog”, the ‘robot’ is going to have a super easy time guessing that!
Your password is easy to guess if:
- It is a dictionary word.
- It is short.
- It is a name (like your name).
- It is your blog name.
- It is “password123”.
- It contains any kind of personal information about you (like your name, followed by your birthday).
Your password is HARD to guess if:
- It contains a random string of numbers, letters, and symbols;
- AND it is at least 10 characters long.
- OR it is a random sentence, such as: “The dog went to the party and loves cake.”
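The easy-to-guess and hard-to-guess rules above, turned into a checker, as an added example (not code from the post): COMMON_WORDS is a tiny constructed stand-in for the dictionaries the scripts cycle through, and the blog name and personal details are supplied by the caller.

```python
import re
import string

# Constructed stand-in for the wordlists that brute-force scripts cycle through.
COMMON_WORDS = {"dog", "cat", "password", "letmein", "welcome", "books", "blog"}

def normalise(text):
    """Lower-case and strip everything but letters and digits, so 'Dog!' and 'dog' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def weaknesses(password, blog_name="", personal=()):
    """Return the 'easy to guess' rules from the post that fire; an empty list means none did."""
    p = normalise(password)
    reasons = []
    if p in COMMON_WORDS or re.sub(r"\d+$", "", p) in COMMON_WORDS:
        reasons.append("dictionary word, possibly with digits appended (e.g. password123)")
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    # Any word of the blog name that is four or more letters counts as "contains the blog name".
    for word in blog_name.split():
        if len(word) >= 4 and normalise(word) in p:
            reasons.append(f"contains part of the blog name: {word}")
    for item in personal:
        if item and normalise(item) in p:
            reasons.append(f"contains personal information: {item}")
    return reasons

def is_hard_to_guess(password, blog_name="", personal=()):
    """Hard to guess = no weakness fired AND either a 10+ character mix of letters,
    digits and symbols, or a sentence of several words (a passphrase)."""
    if weaknesses(password, blog_name, personal):
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    random_mix = has_alpha and has_digit and has_symbol and len(password) >= 10
    passphrase = len(password.split()) >= 5
    return random_mix or passphrase
```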
To help with all this: Better WP Security
I highly recommend a WordPress plugin called Better WP Security. You can use it to examine your security, track failed login attempts, lock people out after a certain number of failed attempts, etc.
The one thing you have to be careful of with this plugin is locking people out for too many 404s. If your blog has a lot of 404 errors, DO NOT enable this feature because you might even lock yourself out! Or, if you use the Linky Followers widget, DO NOT enable this feature! Last time I checked, the Linky widget was HORRIBLY made and generated like 3 404 errors on every single page load. (You’ll see them if you open up the Console in Developer Tools.) I learned that the hard way when I still had the widget and locked myself out of my own blog for like an hour. The real message here is that Linky followers sucks *cough*cough*, but if you use it then don’t enable the “404 Detection” feature.
But it’s a fantastic plugin and will help you be more aware of your WordPress security!
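The brute-force pattern described above (thousands of overnight attempts against “admin”) and the plugin's lockout and 404-detection behaviour, as an added example that is not the post's or the plugin's code: a per-username tally over constructed failed-login lines, a sliding-window lockout, and constructed 404 events from a widget that requests three missing files per page load, which is enough to lock out the blog owner at a low threshold. The log format and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login records (time, source IP, username tried); not real log data.
FAILED_LOGINS = """\
2013-05-01T02:00:01 198.51.100.7 admin
2013-05-01T02:00:02 198.51.100.7 admin
2013-05-01T02:00:02 198.51.100.7 admin
2013-05-01T02:00:03 198.51.100.7 admin
2013-05-01T02:00:04 198.51.100.7 admin
2013-05-01T02:00:05 198.51.100.7 admin
2013-05-01T08:15:00 203.0.113.5 ashley
2013-05-01T08:15:40 203.0.113.5 ashley
"""

def parse_events(text):
    """Yield (time, ip, subject) triples from whitespace-separated log lines."""
    for line in text.splitlines():
        ts, ip, subject = line.split()
        yield datetime.fromisoformat(ts), ip, subject

def attempts_per_username(events):
    """Tally failures per username: a huge 'admin' count with no such account is bot noise."""
    counts = defaultdict(int)
    for _, _, who in events:
        counts[who] += 1
    return dict(counts)

def lockouts(events, max_events, window_seconds):
    """Lock a source IP once it produces max_events events inside a sliding window.
    Returns (ip, ISO time) pairs; the IP's counter resets after each lockout."""
    window = timedelta(seconds=window_seconds)
    recent, locked = defaultdict(deque), []
    for ts, ip, _ in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_events:
            locked.append((ip, ts.isoformat()))
            q.clear()
    return locked

def widget_404s(ip, page_loads, per_load=3, seconds_between_loads=30):
    """Constructed 404 events from a widget that requests per_load missing files on every page load."""
    start = datetime(2013, 5, 1, 9, 0)
    return [(start + timedelta(seconds=i * seconds_between_loads), ip, f"/missing-{n}.js")
            for i in range(page_loads) for n in range(per_load)]
```

The same lockouts function applied to the widget's 404s shows the pitfall from the post: seven page loads by the owner trip a 20-404s-in-5-minutes rule, so that rule stays off while such a widget is installed.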
Okay, for the website I keep up for my work, the person who created it created an admin user. He posted five posts under the user name. First, how do I delete it, second, will it delete the five posts under that name?
1. Create a new account with the Administrator role.
2. Test to make sure you can login on that account and that everything is working.
3. From that new account, delete the “admin” account.
4. Upon deletion you will be prompted to assign “admin’s” posts to another user. You can select the new user.
Alternatively, once you create the new admin account, you can manually go to each post and change the author (you may have to activate the “Author” option under “Screen Options”).
If you need extra help, there’s a step-by-step guide with screenshots on how to do it here: Change your WordPress admin Username
Thanks so much. 🙂
Thanks to your endorsing of the Better WordPress Security on Twitter and on your blog, I already changed my Admin name. It was one of the first things I did upon moving to WordPress. 😀 Thanks! Hope the hacker has given up!
Woohoo! Great job! 😀 You’re seriously soooo much more protected if you don’t have an account called “admin”!
BAH. I must change my name from admin. And funny, I have had several hack attempts since I installed this plugin. I just don’t understand what’s wrong with people!
THANK YOU for recommending this, Ashley!
No problem!! 😀 You’ll be so much safer without an “admin” username! If you need help on how to do it, see my reply to Jennifer above.
Actually already did it! This post made me nervous! 😉 BUT thank you!
This is such a timely post. I installed Better WP Security a while ago but I’ve only just started figuring it all out. There’s so much there. O_o I was able to find the login-attempts log, though, which found 71 failed attempts so far… Many were for “admin”, but there were also LOTS for my own username. Is that uncommon? Bad? I have a really strong password, though…
Is your username in any way related to:
* your blog name
* your first name
?
Yes… I didn’t know when I was setting up my WP account that the “username” was any different than usernames on other sites. And I guess it can’t be changed? At least it says it can’t on the WP Users > Profile page…. =S
Although it’s not possible to change the username, there is a way around that!
You can follow the instructions I listed for Jennifer (the first comment). Basically you can create a new admin account, delete your old one, and assign all your posts to the new admin account.
Thanks Ashley, I might end up trying that, but I just noticed… my theme actually shows the username of the author of every post. Not obviously visible on the page, but you can click on the visible author name, and the Author Archive page url uses the username. I’m guessing that’s probably not great? =/ (I’m so helpless with this stuff! =S )
You might still get a few attempts, but as long as you have a strong password, a few attempts aren’t anything to worry about!
You just want to avoid things that robots can easily pick up. Most of them are programmed to try “admin” because that’s the default one that most people use. But they could also be programmed to pick up your website name/url and try that.
Anything else will be in the pretty low minority.
Thank you so much!
Wow, I didn’t realize this was such a prevalent issue. Thanks so much for the warning! I’m going to upload that plugin right away.
Fantastic post, Ashley, I totally agree. I don’t have a WordPress blog but I actually seriously love this post! That is totally scary, for a robot to just repeatedly try different passwords over and over again with the username admin. I think my password is like exactly 10 characters and I’ve had it since I was five; it was a suggested password I got after I made a WebKinz account lol. It was actually super funny ;D
I get so paranoid each time you post something about this, I just created a new admin and now have something I hope I’ll be able to remember as username and password 😀
Thanks for the great tips, Ashley! I’ve been getting lots of failed login attempts myself, and I really want to keep my blog safe from hackers 🙂
“Congratulations! You do not have a user named “admin” in your WordPress installation. No further action is available on this page.”
Phew! Thanks for the Security plugin tip; going through it now 🙂
What about changing the name of your admin user to something like “admin_additional word”? Is that still dangerous?
As long as it’s not admin_ followed by the URL of your blog (admin_hesperialovesbooks) then it should be okay!
Thanks!
Ashley, I’m so glad I found your blog! I’m new to WP.org (still setting up with all that needs to be done) and your advice is incredibly useful! I’ve been with WordPress.com before and finding .org a whole different board game altogether (which you’re making a whole lot easier to understand!). Security wise, I’m following your advice and getting a more secure p/w. Plus setting up using my Backup plugin of choice. There’s so much to learn esp. at the start, I just can’t wait to start writing! Anyway, Security & Backing up is paramount. Thank you so much for the great work you are doing on this blog!
I’m so glad this was helpful to you! 😀
Thank you, I’m going to read up on how to back up my blog. I’m thinking about getting on one of those automatic backup plans or something. It might be worth a bit of money just to have it automated for me especially since I don’t know much about WordPress atm.
I had A LOT of plugins for security and haven’t even gone live with my site and already they’ve blocked hundreds of spam and some brute force attacks, but I had to disable them because they were eating up all my CPU, it was up to 100%. Mainly it was the Bad Behavior plugin, which is a nice one that I really liked, but I think I had too many. My host provider told me just to use Wordfence and Akismet, which I have. I also use Cloudflare now so I’m hoping that’s enough protection. My only complaint is that Bad Behavior and Stop Spammer were catching so much and I could see it all in a log, but Wordfence is showing me nothing. Nobody’s been blocked. The scans work so I don’t know. I might just switch to the one you mentioned.
VaultPress is an excellent option if you’re willing to spend the money!
And yeah, you only really need one security plugin. Installing more than one (or two) is just redundant and, as you found out, will eat your CPU!