Securing your WordPress site against brute force attacks by creating new usernames

Written by
Date: 2013-04-14 20:55:35 00:00

Securing your servers

A few days ago, WordPress sites came under attack. As the most used CMS, WordPress is an obvious target. This time, thousands of computers worked together in a synchronized brute force attack to guess the admin account password.

admin is the default administrative username when you install WordPress.

I do not use WordPress anymore, but when I was using it, I created two accounts. One was used to post new articles; that one only had rights to post articles and pages. I also created a second account, this one with full administrative rights.

Why do that?

By default, WordPress adds a byline to each post, from which anyone may guess the account you are using to post. If that account also has the rights to install plugins, your site's security may be compromised.

The best way to avoid that is to have one account to post new articles, and another to install themes and plugins and perform all administrative tasks on the site. That second account should never be used to publish anything.

This way, if someone wants to crack your site, they will need to guess both your administrative username and its password. If both are difficult to guess, it is almost impossible to crack your site.
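One way to check that a site follows this split is sketched below. This is an added example, not code from the original post: it assumes the user and post records have been exported as JSON, the field names (ID, user_login, roles, post_author, post_status) are assumptions modelled on WordPress's own column names, and the sample data is constructed.

```python
import json

# Constructed sample data (not from a real site).
USERS_JSON = """[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "k7-maint-ops", "roles": "administrator"},
  {"ID": 3, "user_login": "jane", "roles": "author"}
]"""
POSTS_JSON = """[
  {"ID": 10, "post_author": 1, "post_status": "publish"},
  {"ID": 11, "post_author": 3, "post_status": "publish"},
  {"ID": 12, "post_author": 2, "post_status": "draft"}
]"""

ADMIN_ROLE = "administrator"
DEFAULT_LOGIN = "admin"


def audit_accounts(users, posts):
    """Return a sorted list of (user_login, finding) tuples for admin accounts."""
    # Only published posts carry a public byline, so drafts are ignored.
    published = {}
    for post in posts:
        if post["post_status"] == "publish":
            author = int(post["post_author"])
            published[author] = published.get(author, 0) + 1

    findings = []
    for user in users:
        # Roles are assumed to arrive as a comma-separated string.
        roles = {r.strip() for r in user["roles"].split(",") if r.strip()}
        if ADMIN_ROLE not in roles:
            continue
        login = user["user_login"]
        if login.lower() == DEFAULT_LOGIN:
            findings.append((login, "default administrative username"))
        count = published.get(int(user["ID"]), 0)
        if count:
            findings.append((login, f"administrator has {count} published post(s)"))
    return sorted(findings)


if __name__ == "__main__":
    report = audit_accounts(json.loads(USERS_JSON), json.loads(POSTS_JSON))
    for login, finding in report:
        print(f"{login}: {finding}")
```

An empty result means no administrator uses the default name and none of them appears in a byline.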

Conclusion

Always take precautions to keep administrative accounts hidden from the public. This is valid for WordPress and Drupal, as well as for Linux (block the root account, and use another one with sudo).