WARNING: Lock down your WordPress!
If you have a WordPress blog on your own server, not a WordPress-provided blog, you might want to check your security.
A few days back I was the lucky winner of a blog makeover. What a great day for me!
It wasn’t quite the makeover I was looking for. My blog was hacked. Yep, lucky ducky me. It wasn’t the first time and if I was smart, it shouldn’t have even happened.
I wasn’t smart because I was using the same password WordPress gave me when I installed the blog. I also wasn’t smart enough to study it and think to myself, gee, that’s really a pretty lame pass. Sure wouldn’t be hard to figure it out. I am not going to go into why I finally realized it was a less than secure password; don’t want to give any evildoers any ideas.
If you installed a WordPress blog, did you change your password to a combination that’s near impossible to hack? I did not and I paid for it. Lucky I discovered it pretty quickly and it wasn’t hacked for long. Also lucky they just added some redirects to a few pages. Could have been worse.
So take my bad deal and save yourself, today, right now. You could be next.
How did I fix it? I opened Notepad and typed in a long block of letters and numbers, in a combination of lower and upper case. Next I went to the “Users” page, clicked edit for my user name and pass, then copied and pasted the new password into the “Updates Users Password” boxes. Of course I also copied the new info into a secret place on my PC.
You could even go one step further. If you’ll notice, with the default WordPress setup you cannot change the user name; it’s admin by default. You could create a new user, with a unique name of course, and give that user the highest level of security for the blog. After you have added the new user, you delete the default “admin” user. So now the hacker not only has to figure out your password but also has to figure out the user name.
Now, for this to work, the new user name must NOT show up anywhere on your blog. You’ll have to remove any reference to the user name. This would include any “Posted by:” references on your blog. If not, it wouldn’t be a secret, would it?
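One way to check that last point, added here as an example and not part of the original post: the script below scans the saved source of a blog page for the login name, both in visible text and in attributes such as author links and CSS classes. The login `blogkeeper77`, the sample HTML and the names `find_login_leaks` and `LoginLeakFinder` are made up for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of rendered blog HTML (not taken from a real site).
# The byline shows the display name "Dana", but the author link and the
# comment CSS class still carry the hypothetical login "blogkeeper77".
SAMPLE_PAGE = """
<body class="single postid-12">
<article>
  <h2>Hello world</h2>
  <p class="byline">Posted by: <a href="/author/blogkeeper77/">Dana</a></p>
</article>
<li class="comment byuser comment-author-blogkeeper77">Thanks for reading!</li>
</body>
"""

class LoginLeakFinder(HTMLParser):
    """Records every place a login name appears in a page's text or attributes."""

    def __init__(self, login):
        super().__init__()
        # Match the login as a whole token so "dana" does not fire on "danae".
        self.token = re.compile(
            r"(?<![a-z0-9])" + re.escape(login.lower()) + r"(?![a-z0-9])")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Links, CSS classes and other attributes are invisible in the browser
        # but readable in the page source.
        for name, value in attrs:
            if value and self.token.search(value.lower()):
                self.findings.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        text = data.strip()
        if text and self.token.search(text.lower()):
            self.findings.append(("text", text))

def find_login_leaks(html, login):
    """Return (location, value) pairs where `login` shows up in `html`."""
    finder = LoginLeakFinder(login)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for location, value in find_login_leaks(SAMPLE_PAGE, "blogkeeper77"):
        print(f"login visible in {location}: {value}")
```

Run it against the saved source of a post page, an archive page and a page with comments, since each can show the name in a different place.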
One last thing: if you happen to get hacked like I did and they change your password, as they did to me, here is a great video on how to recover your password: Recovering Wordpress Password. I hope you won’t need to use it. Learn from me.

