It is very essential to take each and every step to keep your WordPress Blog or site installation secure from the hackers and malicious bots continuously causing threat to thousands of WordPress installations on this planet. So, one simple step to avoid hackers landing to your administrative panel is keep your administrator account safe and far from them. For that your username and passwords should be unique and hard to guess and also passwords should be so strong that they should be difficult to be found out by a brute force attack.
Okay, now you have a unique username and a strong password, what next. Now remember, never ever post any blog post or page or comment using your administrator account username on the WordPress blog or site. This is because, we delete or rename the default ‘admin’ username that comes with each and every wordpress installation in order not to help the ghosts on internet guess our username. But if do post the articles on the blog using administrator account, then there is a possibility that your username gets revealed. Okay, you use a different ‘display name’ for the administrator account, I agree. But what if your theme or some plugin code is using the ‘Link to author Pages thru Posts’ or ‘List of Authors with Links’ or displaying some author feed. For example the below code displays the link to the author page from the post
<p>Written by: <?php the_author_posts_link(); ?></p>
The fact here is there is the actual username in the author page link. The URI of the author page is like ‘http://www.domainname.com/author/username’. Now if the post is written by administrator itself, then oops! The administrator username is ‘on display’ and now there can be the actual threat!
For example, on Internet Techies posts, the author link is displayed with ‘display name’ of the author and when you click that link you notice that it leads to the author page which reverse chronologically lists lists all the posts written by ‘Sanjeev Mishra’. The link to the author page in this case is http://www.clickonf5.org/author/samishra
So better that you never post any blog post or page or comment or anything using a user account with administrative privileges. Administrator account is for the site control like changing and adding settings, themes, plugins, creating users and so on. Posting the pages, posts, comments, moderating them are all the editorial and author role. It would be accurate to use these users to post to the WordPress blog or website rather than the using administrator account.
Do you have posts written by administrator account on your blog?
If yes and if you are on WordPress 2.8 and above, what you have to do is take the backup of your WordPress database, there are many free wordpress plugins available for this purpose, what I use is WP-db-backup for this purpose. There is no risk involved in the below process, still better to have the recent backup with you.
1. Login using the current administrator account
2. Add a new user with role as ‘Editor’ or ‘Author’ or ‘Contributor’
3. Add one new user with role as ‘Administrator’
4. Logout of the current administrator account and login using the new administrator account
5. Delete the old administrator account. After pressing the Delete link on the Authors and Users screen in Users section, WordPress will ask you what to do of the posts written by the user you are deleting. Select the radio button for ‘Attribute all posts and links’ to a particular user, and select the user as the new ‘Editor’ or ‘Author’ created in step 2 and ‘Confirm Deletion’.
Read more about deleting ‘admin’ user here.
6. Thus, the old administrator account is permanently deleted and all the posts and pages posted by the old user are transferred to new user with ‘Editor’ or ‘Author’ or ‘Contributor’ access.
7. Now always post to the blog using the non-administrator account created above and use the administrator account only to control the backend of the WordPress site.
Okay, now your author page link contains the username but it is not the administrator username, hurray…you are done! The above process take few seconds, but I bet, you could have a better night’s sleep as you have taken a good step to make your WordPress blog more secure.
Please post your valuable comments on the importance of not posting to blog using ‘administrator’ account. All your suggestions are welcome and will definitely help me to enhance this article and make it a bit helpful for all the other reader.