Why Not To Post Any Article With Administrator Account As Author On WordPress

It is essential to take every step you can to keep your WordPress blog or site installation secure from the hackers and malicious bots that continuously threaten thousands of WordPress installations. One simple step to keep hackers out of your administrative panel is to keep your administrator account safe and out of their reach. For that, your username and password should be unique and hard to guess, and the password should be strong enough that it is difficult to find by a brute force attack.

Okay, now you have a unique username and a strong password. What next? Remember: never post any blog post, page or comment using your administrator account on the WordPress blog or site. We delete or rename the default ‘admin’ username that comes with every WordPress installation precisely so that nobody on the internet can guess our username. But if you post articles on the blog using the administrator account, there is a possibility that your username gets revealed. Okay, you use a different ‘display name’ for the administrator account, I agree. But what if your theme or some plugin code uses ‘Link to author Pages thru Posts’ or ‘List of Authors with Links’, or displays some author feed? For example, the code below displays the link to the author page from the post:

Written by:

The fact is that the actual username appears in the author page link. The URI of the author page looks like ‘http://www.domainname.com/author/username’. If the post is written by the administrator, then oops! The administrator username is ‘on display’, and now there is an actual threat.

For example, on Internet Techies posts, the author link is displayed with the ‘display name’ of the author, and when you click that link it leads to the author page, which lists in reverse chronological order all the posts written by ‘Sanjeev Mishra’. The link to the author page in this case is http://www.clickonf5.org/author/samishra


So it is better that you never post any blog post, page, comment or anything else using a user account with administrative privileges. The administrator account is for site control: changing and adding settings, themes and plugins, creating users and so on. Posting pages, posts and comments, and moderating them, are editorial and author roles. Use accounts with those roles to post to the WordPress blog or website rather than the administrator account.

Do you have posts written by administrator account on your blog?

If yes, and if you are on WordPress 2.8 or above, first take a backup of your WordPress database. There are many free WordPress plugins available for this purpose; what I use is WP-db-backup. There is no risk involved in the process below, but it is still better to have a recent backup with you.

1. Login using the current administrator account

2. Add a new user with role as ‘Editor’ or ‘Author’ or ‘Contributor’

3. Add one new user with role as ‘Administrator’

4. Logout of the current administrator account and login using the new administrator account

5. Delete the old administrator account. After you press the Delete link on the Authors and Users screen in the Users section, WordPress will ask you what to do with the posts written by the user you are deleting. Select the radio button for ‘Attribute all posts and links’ to a particular user, select the new ‘Editor’ or ‘Author’ user created in step 2, and click ‘Confirm Deletion’.

Read more about deleting ‘admin’ user here.

6. Thus, the old administrator account is permanently deleted and all the posts and pages posted by the old user are transferred to the new user with ‘Editor’ or ‘Author’ or ‘Contributor’ access.

7. Now always post to the blog using the non-administrator account created above and use the administrator account only to control the backend of the WordPress site.

Okay, now your author page link contains a username, but it is not the administrator username. Hurray, you are done! The above process takes a few seconds, but I bet you will have a better night’s sleep now that you have taken a good step to make your WordPress blog more secure.
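To confirm the result on your own site, the check below (an added example, not code from the original article) scans a page's rendered HTML for `/author/<slug>` links and reports any slug that matches one of your administrator logins. The sample page, the logins and the function names are constructed for illustration; it assumes the slug is the login in lowercase, which is the WordPress default for plain alphanumeric logins.

```python
# Added example: audit rendered pages for author links that expose an
# administrator login. All names and sample data here are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Last two path segments must be "author/<slug>" (trailing slash optional),
# so a blog installed under /blog/ is covered as well.
AUTHOR_PATH = re.compile(r"/author/([^/]+)/?$")


class AuthorLinkParser(HTMLParser):
    """Collects the slug from every <a href=".../author/<slug>"> link."""

    def __init__(self):
        super().__init__()
        self.slugs = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        match = AUTHOR_PATH.search(urlparse(href).path)
        if match:
            self.slugs.add(match.group(1).lower())


def exposed_admin_logins(html, admin_logins):
    """Return the administrator logins that appear as author-page slugs."""
    parser = AuthorLinkParser()
    parser.feed(html)
    admins = {login.lower() for login in admin_logins}
    return sorted(parser.slugs & admins)


# Constructed sample: one post still attributed to an administrator account,
# one attributed to an editor account, and one unrelated link.
SAMPLE_PAGE = """
<article><h2>First post</h2>
  <p>Written by: <a href="http://www.domainname.com/author/siteowner42/">Jane D.</a></p></article>
<article><h2>Second post</h2>
  <p>Written by: <a href="http://www.domainname.com/author/jane-editor">Jane D.</a></p></article>
<a href="http://www.domainname.com/category/author/">Not an author page</a>
"""
ADMIN_LOGINS = ["SiteOwner42"]  # constructed; use your own administrator logins

if __name__ == "__main__":
    for login in exposed_admin_logins(SAMPLE_PAGE, ADMIN_LOGINS):
        print(f"administrator login exposed in author link: {login}")
```

Both sample links show the same display name, which is the point: only the URL slug tells you which account wrote the post.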

Please post your valuable comments on the importance of not posting to the blog using the ‘administrator’ account. All your suggestions are welcome and will definitely help me to enhance this article and make it more helpful for all the other readers.

7 Comments

  1. Sahil Kotak

    October 26, 2009 at 9:09 pm

    Really Helpful post Tejaswini. I already use my name not admin. Just because I love my name :)

    Thanks again for this wonderful article.

  2. Dinesh

    October 27, 2009 at 7:38 am

    Thanks for the tip. Recently I had the same bad experience: someone hacked my website and deleted all my data, but I had my backup so I got it back.

  3. crazy blogger

    October 27, 2009 at 4:21 pm

    I am posting all my articles to all my blogs from my admin accounts only.

    Will I get any problem with hackers in future?

  4. Apoorva

    October 28, 2009 at 11:41 pm

    gr8 post…. very informative. Needed something like this for me as my website was hacked just 2 weeks back. Fortunately I was able to restore it quite quickly.

    But gr8 post, will do the changes in my site too

  5. JO

    November 10, 2009 at 9:30 pm

    Thanx for your article.
    The best part of it is the fact that it is written in plain “simple” English :-)
    therefore someone who’s just starting blogging with WordPress can follow it too!

    My compliments!
    I know what I’m going to do here… a lot of reading!

  6. Nicholas Teo

    January 3, 2010 at 12:54 pm

    Thank you for this advice, I was posting from the admin account but I have just switched to posting from an editor account based on your advice. Thanks again

  7. Sanjeev Mishra

    January 3, 2010 at 1:28 pm

    Hi Nicholas, I am glad that you liked the article and switched from admin user ID. This will really make your blog more secured. Thanks
