Security Advice for WordPress Users

Here, most of the bloggers are WordPress users. We know that WordPress is not 100% secure or hack-proof. But still, we do our best to keep our sites safe from hackers.

I’m going to share a tip with all of you. Some of you may think it’s simply silly, but I have noticed this thing, and that’s why I’m going to share it with you.

During the WordPress installation, we choose a username and a password. And, as usual, anyone will start writing content and managing the site with that username, which always has admin privileges.

If someone clicks on the author name in a single post, the slug which loads in the browser bar contains your admin username (in most cases).
Now, if someone tries to hack the password of that username or tries to log in with that username, he/she may be able to log in to your WP Admin.

That’s why you should keep your admin and publicly shown usernames different.

  • Your admin username should be known only to you.
  • Your public username will only have editor privileges.

So, if someone hacks this username, he will not be able to access the WP Admin directly. He/she will need some more time to get admin access.

I know it’s not a perfect solution, but in the meantime (very short), you can look into this.

Moral of the story: Keep your admin and editor usernames separate.

That’s all. Happy Blogging!

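As an added example (not code from this thread), here is a small must-use plugin that enforces the advice above: it looks for administrator accounts whose public author slug still equals their login name and gives them a neutral slug instead. The function names, the `author-<id>` slug pattern and the mu-plugins location are assumptions.

```php
<?php
/*
Plugin Name: Separate admin login names from public author slugs (example)
Description: Added example, not from the thread. Drop into wp-content/mu-plugins/.
*/

// WordPress builds the author-archive URL from user_nicename, which by
// default is a sanitised copy of user_login. The two functions below make
// sure no administrator account exposes its login name that way.

// Return the IDs of administrators whose public slug still matches their login.
function example_admins_with_exposed_login() {
    $exposed = [];
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
            $exposed[] = $user->ID;
        }
    }
    return $exposed;
}

// Give each such administrator a neutral slug so the author URL no longer
// reveals the login name. The "author-<id>" pattern is an assumption; any
// value unrelated to the login name works.
function example_fix_exposed_admin_slugs() {
    foreach ( example_admins_with_exposed_login() as $id ) {
        wp_update_user( [
            'ID'            => $id,
            'user_nicename' => 'author-' . $id,
        ] );
    }
}

// Run the check whenever the dashboard loads (cheap on small sites).
add_action( 'admin_init', 'example_fix_exposed_admin_slugs' );
```

Existing links that used the old author slug will change, so run this once and then create the separate editor account for day-to-day publishing as the post recommends.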

Sounds good to me. Thanks for sharing.

You can also hide the admin username via the phpMyAdmin database manager.


For those sites that need to show their authors publicly, and where maybe the admin itself is writing articles, it could be helpful.

Good tips. BTW! Change your admin password. Just saying. :thinking:


Lol… I changed my admin login path. So if you cannot find the path, is there a way to proceed further to hack?
Default path: www.example.com/wp-admin
My path: www.example.com/venus

Okay, I understand this, Saurav, but still, hackers can find the login path, maybe by adding random words for fruits, places, things, etc.

Better to close every loophole.

I don’t think it’s possible to try every possible combination of words.

Also, use a unique word that is not in the dictionary. My login path is so random, with no meaning.

So that makes it difficult to get through.

Yes. That’s /xmlrpc.php. :smiling_imp:

One can log in and post content using the MS Office > Word app. It can be disabled for security reasons.

add_filter( 'xmlrpc_enabled', '__return_false' );

That’s disabled on my site since day 1.


Great initiative…
Let me list the activities to do…

  1. Username: must be between 8 - 12 characters (but should not be a proper name)

  2. Password: must be between 8 - 12 characters (includes 3 numbers, 3 special characters, capital letters, and is not a proper name)

  3. DB Name: must be 4 - 8 characters (random alphabets, suffixed with an underscore)

  4. Table Name: must be 4 - 5 characters (alphanumeric suffixed with hyphen)

So it will become very hard to intrude into your system then.

Still, we don’t know about the hackers and their experience.

The best way, which I just missed out:

Get a physical security key for two-factor authentication. That’s the final nail in the coffin. I don’t think anything is more secure than that!

Also, changing the login link (domain.com/wp-admin) to something else helps a lot.