On its own, WordPress is a very secure platform. However, when you start introducing third party software and people into the system, this can change. Today we are going to go over some good policies that every site administrator should put into place.
Don’t Give Away Your Username
Obviously if someone knows your username that you use to log in to your site, all they have left is to guess your password. It used to be that WordPress automatically assigned the ‘admin’ username to the administrator when a site was created. If for any reason your username is set to ‘admin’ you will want to change it.
WordPress won’t allow you to change your username after the fact, so you will have to follow these steps to fix it:
- Log into your administrator account.
- Create a new administrator account with a secure username.
- Log in using the new administrator account.
- Delete your old administrator account.
- When asked what to do with the content created by the old user, assign everything to the new user.
Beyond just avoiding using ‘admin’ as your username, you will need to prevent WordPress from displaying your username on the front of the site. By default, your username is displayed on the front end of the site for all the posts that you have authored. This is done because the username is required during user creation and not all users have assigned another name to appear on the site. Thankfully, WordPress allows you to display the name of your choice on the front end of the site. The image above illustrates the last step in this process:
- Log in to your administrator account.
- In the menu on the left, go to ‘Users’ -> ‘Your Profile’.
- Enter in a nickname that is different from your username.
- In the ‘Display name publicly as’ dropdown, select your nickname.
If you don’t mind displaying your real name on the site, you can always display that as well. Keep in mind that if your username was being displayed on the site before, you will want to follow the aforementioned steps for changing the username for your admin account.
Use Secure Passwords
All too often people use insecure passwords because they are easy to type or easy to remember. Here are a few pointers on secure passwords:
- Never use obvious or easy to guess passwords. ‘Password’ or your pet’s name should definitely be marked of the list. Also, don’t use the name of your spouse, parts of your address or other personal information like your birthdate.
- Don’t use a password across multiple accounts. If someone were to gain access to your password for one account it would compromise all of your other accounts. When I use the word ‘accounts’ here, I mean any website where you might have a username and password.
- Make your password long enough. The shorter your password is, the more likely a hacker will be able to crack it. As a password gets longer, it becomes exponentially more difficult to crack. Eight characters should be the minimum here.
- Mix up your characters. Don’t just use all letters or numbers, or even all upper or lowercase for that matter.
- Actually change your password occasionally.
The tips listed here cover just a few things you can do to improve security. Here are a few resources to help you take security to the next level:
- WP Beginner: Ultimate WordPress Security Guide
- WordPress Codex: Hardening WordPress
- WP Scholar: First Steps to WordPress Security
- WP Scholar: Validating, Sanitizing and Escaping in WordPress Themes and Plugins