WordPress.TV

Get Involved

Brad Williams: Lock it Up

Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.

Special thanks to the Microsoft NERD Center for hosting WordCamp Boston.

Comments

5 responses to “Brad Williams: Lock it Up”

  1. pcgs51 Avatar
    pcgs51

    At 7:50 (timestamp) in this video, we are instructed to create a new administrator ID, log out and log back in as the new administrator user, remove the original ‘admin” ID, and set the new user ID to display a friendly name (firstname lastname).

    I did that and noticed that even when logged out and viewing pages as any visitor would, that if I click on the friendly name displayed, I see

    Author Archive for:
    ‘mynewusername’

    If the new user name can still be viewed on my site by any visitor doesn’t that defeat the whole exercise of removing the ‘admin’ ID in the first place?

    I’m new to all this and just wondering. Thanks.

    Reply
    1. Ryan Markel Avatar
      Ryan Markel

      Removing the “admin” account helps to prevent automated attempts at entry to your blog.

      Reply
  2. Travis Phillips Avatar
    Travis Phillips

    I realize that this article is now over 5 years old. With WordPress 4.x, it may not even be as relevant today as it was then. But I do think it is still somewhat relevant at the least and I’ve got a nagging question that I’ve been wrestling with for a long time. I hope you don’t mind me asking it now – despite it being 5 years later.

    I’ve heard it said many times by many people that you should delete the default admin account with the username “admin”. But what about leaving the “admin” username there, changing it to a random password, and finally changing the user role to subscriber? That way a hacker can waste time and resources trying to login to the admin account and then ultimately get nothing.

    My only concern with this logic is this, if a hacker does get access to a subscriber level account, is there anything he (or she) can do with that? Is there any other reason that the account should just be deleted verses changing the role to subscriber?

    Reply
    1. steef Avatar
      steef

      The downside of keeping the admin account is that it allows an attacker to keep asking the password (and WordPress answering). The removal is less resource intensive.

      Reply
  3. enhance wordpress security « SOFG

    […] Brad Williams: Lock it Up (Video) […]

    Reply

Leave a Reply

Video details

Published

January 23, 2010

Tags

Development 226
Plugins 115
Security 58
WordPress.org 373

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Discover more from WordPress.TV

Subscribe now to keep reading and get access to the full archive.

Continue reading