Are You Broadcasting Your Log-In Details to the World?
Hi everyone,
“Who in their right mind would broadcast their log-in details to the world?” you may ask.
The answer is, “Intentionally? Hopefully, no-one!”
Okay, so that goes without saying. However, could you actually be inadvertently broadcasting your log-in details for the whole world to see, popping up as clear as day in the likes of Google?
This is something that I stumbled on completely by accident recently and soon made sure that I rectified it! If you already know about this then you’re already well ahead, but for those of you who have been blissfully unaware of this potential danger, read on…
A few days ago I was tinkering with my blog and testing a few things. To cut a long story short, I discovered that my WordPress username was appearing, bold as brass, tagged onto the end of my indexed posts! What this means is, anyone and everyone was able to see my login name if they came across any of my posts in a Google search.
Don’t Make Things Easy for the Hackers
Hopefully, most of you will already know about the importance of not having “admin” as your username and will have made any necessary adjustments. However, if your blog is setup in the way that I’m going to explain to you in a moment, then your precautions could be counting for little.
The problem with using “admin” as your username is that it’s the very first name that a hacker will try. So if they try to hack into your blog and determine that the username is correct but the password is wrong, then they’re half way in. There’s only your password remaining to crack.
In response to the media noise about brute force WordPress attacks, Sucuri CTO Daniel Cid published a blog post in April of this year that contained some worrying statistics: “As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days. That means that the number of brute force attempts more than tripled.”
What this means is, if you’re using an easy-to-guess username, such as “admin”, then it is much easier for a hacker to hack into your blog. Since WordPress 3.0 it has been possible to choose another default name right from installation so if you haven’t installed WordPress yet make sure that you choose your log-in name wisely. If you have installed WordPress but are still logging in as “admin” then please, please, please get it changed ASAP.
Daniel goes on to say: “Diving deeper into our data we find a few interesting data points. For instance, we can see the top user names being attempted:
652,911 [log] => admin
10173 [log] => test
8992 [log] => administrator
8921 [log] => Admin
2495 [log] => root
In these cases, by the shear (sic) fact of having a non- admin / administrator / root usernames (sic) you are automatically out of the running. Which is kind of nice actually.”
Yes, it’s very nice indeed! But supposing that, just as I had done, you have ensured that you have a unique username. Is that enough? Perhaps not, as I discovered. It turns out that, under certain installations, your posts are visibly attributed to your username and therefore completely visible in search engine results. If this is the case with you then I strongly advise that you change your username (perhaps for the second time!) and ensure that your username isn’t displayed in future.
So then, how do you do this? Fear not, intrepid web traveller, for I shall show you…
How to Protect Yourself
First of all, you’ll need to log in to your cPanel (I’m writing this from the perspective of a cPanel-equipped site. I can’t cover all conceivable configurations, but the principles should be universal). Next, you need to locate your Databases section and click on the link to “phpMyAdmin”. (Clicking on the thumbnails below will open up a screenshot in a new tab/window.)
Next, you will want to select the desired database from the tree located on the left of the screen. Once you have clicked on it, you will need to locate “wp_users” in the main window. The next screenshot shows where these are located (of course, I’ve blanked out certain personal or site info in the screenshots).
You will now see a list of registered users. This can be comprised of subscribers, contributors, authors, admins and so on. What you are looking for here is your username, so find this and click on “Edit”.
Now, the next step is where the important stuff is. Once you’ve found your username and clicked on “Edit”, you’ll be taken to a screen that shows various fields of information. The ones that you are interested in are “user_login”, “user_nicename” and “display_name”. This is where the potential problem lies. If your WordPress installation is just a basic, default installation done using something such as Softaculous, then the likelihood is that the user_nicename is the same as the user_login. This is something that you absolutely don’t want, because the user_nicename is what shows up in the author slug and therefore in search engine results, telling people what your username is! So what you need to do now is simply change the user_nicename so that it matches the display_name. Then, once you have made all the necessary adjustments, don’t forget to click on “Go” so that your changes are saved.
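The same audit and fix expressed as SQL, which you could run from the SQL tab in phpMyAdmin instead of editing the row by hand. This is an added example, not from the original post; it assumes the default wp_ table prefix, and the user ID and replacement nicename are constructed placeholders:

```sql
-- Added example, not from the original post. Assumes the default wp_ table
-- prefix; the user ID and the new nicename below are constructed placeholders.

-- 1. Audit: list every account whose author slug (/author/<user_nicename>/)
--    would reveal the login name that wp-login.php accepts.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = user_login;

-- 2. Before changing anything, check that the new slug is not already taken;
--    two accounts sharing a nicename would collide on the author URL.
--    Use a lowercase, URL-safe value, since the nicename becomes part of the URL.
SELECT ID, user_login
FROM wp_users
WHERE user_nicename = 'glennshepherd';   -- constructed value, expect no rows

-- 3. Fix one account (ID 1 is a placeholder: use the ID returned by step 1).
--    The extra guard on user_nicename = user_login makes a re-run harmless.
UPDATE wp_users
SET user_nicename = 'glennshepherd'
WHERE ID = 1
  AND user_nicename = user_login;

-- 4. Confirm: the login name and the slug now differ for that account.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE ID = 1;
```

After the update the author archive URL changes, so any existing links to the old /author/<username>/ slug will stop resolving, while the login name itself is unaffected.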
All Done!
If you’ve done all the steps correctly, your site should be a little more secure. Now, a potential hacker could well attempt a brute force attack using the user_nicename. Let’s just say that he is successful in discovering your password. If he is attempting to gain access using the user_nicename he will be unsuccessful because it is not the same as your username. So even if he successfully guesses your password, the username will be incorrect because he will be working from the user_nicename and not the real username.
So there you have it! I hope that this post has been useful to you and you will be able to put the steps into action to secure your WordPress blog in this area if need be.
Don’t forget to rate, share, subscribe and all that good stuff. And if I can help in any way then please feel free to drop me a message.
Until next time,
Glenn
Hi there! This is kind of off topic but I need some guidance
from an established blog. Is it tough to set up your own blog?
I’m not very technical but I can figure things out pretty quick.
I’m thinking about setting up my own but I’m not sure where to start.
Do you have any points or suggestions? Many thanks
Hi,
Thanks for stopping by. :) No, setting up your own blog isn’t tough at all although it can be daunting for beginners. The most important things are having a firm idea of why you’re doing it and what you want to accomplish with it, making sure that you take the necessary security measures right from the start (some of which are mentioned in the above post) and keeping on top of your maintenance.
There is a variety of ways to host a blog such as WordPress.com, Blogger, Tumblr, etc, but I would strongly advise to purchase your own domain name and hosting and self-host a WordPress blog on there. That way you have total control over it. For hobby blogs things like Tumblr are ideal (although you still never have complete control), but for a blog that’s going to be used for business then self-hosting is really the only way to go.
I go into the details some more in my e-book “Why Not You?” that talks about how to get started with the basics of making money online. You can pick up a copy for free by using one of the opt-in forms here on my site. I also provide some training via a free e-mail course and I will very soon be releasing a complete over-the-shoulder beginners course that will actually show you from the absolute ground up how to set up a blog and use it for starting your own online business (if that’s what you want to do). Again, this will be available for free and exclusively to subscribers.
Hope that helps a little. :)
All the best!
»Glenn«
Glenn Shepherd recently posted…When Your Business Hands You Lemons
Hi Renard,
I would want to believe the same thing. However, an enormous number of WordPress users have no clue about the importance of not using “admin” as their username, especially when they are placing themselves in the hands of third-party installation systems such as Fantastico.
The thing I found, though, was something even more ‘under the radar’, which is the fact that some installations configure your user nicename as being the same as your login name, thus creating a big security risk. I’m usually on the ball with this kind of stuff, but this one caught me out. Thankfully I discovered it before anything bad happened.
It’s very true, hackers are getting more and more innovative. Despite our best efforts they can still sometimes get past our security measures, but it makes sense to make things as difficult as possible for them so as to limit the chances.
Thanks very much for stopping by and commenting. I wish you a fantastic week ahead. :)
»Glenn«
Glenn Shepherd recently posted…Five Essential Reasons to Attend Live Events
[ Smiles ] Glenn, I would want to believe that the average website administrator should be intelligent enough to change his or her default username.
For the record, you brought up some excellent points.
Could you remember “Heartbleed”? It was a piece of spyware that stole countless passwords and personal data from websites and computer users around the world.
You and I can only do so much to protect our accounts and the truth is: hackers are getting more innovative by the minute.
Renard Moreau recently posted…We All Want Increased Traffic To Our Blog
Hey Glenn,
So you didn’t share with us how they’re finding this information so we can test that out ourselves. I’d like to see if it’s coming up in the search engines before I go to these measures once again.
My username, name and nickname are all different. They are also none of the above and no hacker will easily crack that one, trust me. I also have a very long and secure password as well so I honestly believe I’m pretty well protected. They also can’t even get to my login page so I’m covered there too.
Thanks for letting us know about this Glenn but I’m still confused how they’re finding this information out! (Scratching my head…)
~Adrienne
Adrienne recently posted…Jon Morrow Told Me It Is Okay To Steal
Hi Adrienne,
Thanks for stopping by and I apologise for causing any confusion!
It seems that the author/user_nicename is sometimes visible when a post comes up in search engine results whereas other times, it isn’t. I’m not sure why this is the case – it could be to do with plugins or how WordPress is set up itself. I could definitely do with trying to find out why this is but for now, I don’t know.
At any rate, what I do know is if the author slug does show up when a post comes up in a search engine result, you want to make sure that it isn’t showing your username. If your user_nicename is set to be the same as your username then this is exactly what will happen and it needs to be changed. From what you say, Adrienne, it sounds like you’re already covered.
But for example, go to Google and type “author/admin”. You’ll see a whole stream of people’s websites that appear to have not had the username changed from “admin”. So what this means is, if one of those posts popped up as a result of a search and a hacker attempted to log in with “admin”, they wouldn’t get an “invalid username” error message and would thus know that they had the correct username for that site.
So in the same way, if someone’s user nicename is the same as their username (which is what is set by default, depending on installation), if a hacker attempts to login with that name and doesn’t get the “invalid username” message, they’ll know they have the correct username and then only the password remains for them to hack rather than both the username and password.
Precisely what a hacker would search for in order to specifically bring up results containing your user_nicename, I don’t know. To be quite honest, I can’t actually remember exactly what it was that I was doing when I noticed the issue. All I know is that I saw my posts appearing in the search results as glenn-shepherd.com/author/ and then my username, which I soon set about changing! The bottom line is, you don’t want your username to be stumbled upon, even by accident.
I hope that’s helped a bit and not made things even more confusing!
Regards,
Glenn
Glenn Shepherd recently posted…2 Keys to Success
Hey Glenn,
the vast majority of us are very complacent about this I think. I know I am for sure. But now, while it’s on my mind, I’m going to go in and do the changes. I reckon I’m ok as I have a ‘strong’ psw according to the new WP algorithm. Surprisingly, my old psw, which I thought was strong before the latest WP version, turned out to be actually ‘weak’.
So now, I doubt if anyone would get in. But just for double safety, I’m gonna do the changes you suggest right now.
Thanks for the invaluable information Glenn.
Cheers,
Paul
Paul Henderson recently posted…The Tortoise and The Hare
Hey Paul,
You’re right, many of us are complacent about these things, which is all well and good until something goes horribly wrong! It’s good that you have a strong PW but I’d highly recommend that you make the other changes if necessary.
While it can be true that if a hacker really wants to get in then they’ll find a way, we need to make sure that we’re not making life any easier for them. It’s like having a car – we may have a good, strong steering wheel lock and feel confident that it would be unlikely that our car would be stolen, but would we want to do half the job for a potential thief by leaving the doors unlocked?
My philosophy is, if you have the ability to take precautions or make things more difficult for a hacker/thief, then make sure you do so!
Thanks so much for your visit and comment, Paul. Always appreciated and a pleasure :)
Regards,
Glenn
Glenn Shepherd recently posted…Are You Sending Your Visitors Away?
Hi Glenn,
Great post, I just checked phpMyAdmin and fortunately my user name, nice_name and my display name were all different anyway; however, I did change my nice_name to my display name to keep things simple.
Perfect instructions too, I would never have known how to change that.
Best regards
John.
John recently posted…Four Figure Days With The iPro Partner Program!
Hi John,
Well done for checking, it’s always a good idea to check these things if we’re not sure. As I mentioned in my post, I wasn’t even aware of this until recently!
Thanks for stopping by, buddy :)
Regards,
Glenn
Glenn Shepherd recently posted…How to Remove Gmail Tabs
Great points, Glenn.
I usually use my own name for my username (I did do that for my previous blogs. I hadn’t thought of changing it – making it something unique. But, this time I have done that). I am also planning to use WordFence for security – to monitor and block hackers; I have already installed it. All I need to do now is look at the settings, before I launch the blog in Jan :)
As for display name, WP itself allows us to change the display name (Users >> Your Profile). I think that should do the trick. It has worked for me :)
Anyways, thank you for sharing the tips, Glenn!
Hi Jeevan,
Thanks for your input. I’ve heard good things about WordFence and have been using it myself for a short while. All seems good so far!
You’re absolutely correct, you can change your display name from within WordPress. However, what you need to be careful of is the “user_nicename”, which is the slug that gets tagged onto posts/pages and is visible in the search engine results.
For example, if I hover over my name at the top of this post where it says, “Published on 29/10/2013, by Glenn Shepherd in Tips & Tricks”, then in my Firefox window (it may display differently according to your setup, browser, etc.) I see: “glenn-shepherd.com/author/GlennShepherd” in the info bar at the bottom of my browser. This can also show up in search engine results. Now, this is fine because “GlennShepherd” is not my username, it’s my user_nicename.
HOWEVER – if you don’t take care to set your user_nicename then you may find that it’s actually your username that appears for the whole world to see! So again, for example, let’s say that my username is “myusername” (it isn’t!) and my user_nicename is also “myusername”. What would show up for the author slug would be: “glenn-shepherd.com/author/myusername”. Therefore, if a hacker tries to log in to my site with “myusername” they wouldn’t get an invalid username error and would thus know that they have the correct username and all they now need to crack is the password – 50% of their job is done!
Now, depending on your installation, it could be that you can set your user_nicename at the point of installation of WordPress. However, if it’s an older installation, it’s likely that your user_nicename was set the same as your username by default. In either case, it’s still worth logging into your phpMyAdmin just to make sure.
I hope I’ve clarified things a little and not made things more confusing with all that!
I look forward to your blog launch in January, Jeevan. Don’t forget to stop by and let me know when it’s live :)
Regards,
Glenn
Glenn Shepherd recently posted…Get My Brand New, Free E-Book!
I installed mine with Fantastico in cPanel and just checked my database. It’s showing my display name for the nicename. At first I thought Fantastico might be a little better at setup, but now I changed my display name within WordPress after setup and that’s what both reflect, so I’m not sure.
Brian Hawkins recently posted…How Do I Get More Retweets? Twitter Tools We Use To Increase Re-Tweets
Hi Brian,
Thanks so much for stopping by and leaving a comment :)
If your nicename isn’t the same as your username then you should be okay. One would hope that an auto installer such as Fantastico would set things up more securely by default, but it appears that it doesn’t, or at least not in all cases. It’s certainly worth taking the time to check or to tweak things a little yourself when setting up a new installation. This is something that I didn’t do but will definitely ensure that I do in future!
Kind regards,
Glenn
Glenn Shepherd recently posted…Four Figures in One Day! Why Not You?
Hey Glenn,
Very good points.
As an IT SysAdmin and someone who has studied network security and Ethical Hacking, I can attest to the fact that too many people not only just use default ‘admin’ or ‘administrator’ or ‘root’ accounts, but also set very easy to hack passwords. My advice to anyone is to not only have a random or hard to guess username for all accounts, but also to have a complex password of at least 8 characters in length. Complex meaning, at least one of each of the following – Letter in Caps, small letter, number and a symbol. Also using ‘dictionary’ words for passwords is a very bad idea, they are too easy to break with software.
Hope your post acts as a warning to many other IM-ers out there.
In saying that, I should probably do a post/video on passwords and general security.
Ben.
PS. feel free to add my bit about passwords to your post, if you think it will add value to your readers. :)
Hi Ben,
Awesome to hear from you as always, buddy :)
Thanks so much for your input. You’re right, having a good password is absolutely essential. In Daniel Cid’s post that I referenced above, he talks about some common passwords that are being tried by hackers. I found it very interesting that you’d think that some of them are complex enough, but apparently they’re not!
I think that you should definitely do a post on passwords and security. Coming from someone with your expertise it would be a valuable resource.
Regards,
Glenn
Glenn Shepherd recently posted…Get My Brand New, Free E-Book!
Just read that article. It does correlate with my experience with clients using such passwords. I have addressed that in the article, although there is always a lot more that can be written about it. :)
Ben Solomon recently posted…Eliminating Distractions
Absolutely. Thanks again for your input and submitting the article. I look forward to sharing it with my visitors, I’m sure it will be greatly appreciated :)
Glenn Shepherd recently posted…Are You Broadcasting Your Log-In Details to the World?