Are You Broadcasting Your Log-In Details to the World?
“Who in their right mind would broadcast their log-in details to the world?” you may ask.
The answer is, “Intentionally? Hopefully, no-one!”
Okay, so that goes without saying. However, could you actually be inadvertently broadcasting your log-in details for the whole world to see, popping up as clear as day in the likes of Google?
This is something that I stumbled on completely by accident recently and soon made sure that I rectified it! If you already know about this then you’re already well ahead, but for those of you who have been blissfully unaware of this potential danger, read on…
A few days ago I was tinkering with my blog and testing a few things. To cut a long story short, I discovered that my WordPress username was appearing, bold as brass, tagged onto the end of my indexed posts! What this means is, anyone and everyone was able to see my login name if they came across any of my posts in a Google search.
Don’t Make Things Easy for the Hackers
Hopefully, most of you will already know about the importance of not having “admin” as your username and will have made any necessary adjustments. However, if your blog is set up in the way that I’m going to explain to you in a moment, then your precautions could be counting for little.
The problem with using “admin” as your username is that it’s the very first name that a hacker will try. So if they try to hack into your blog and determine that the username is correct but the password is wrong, then they’re halfway in. There’s only your password remaining to crack.
In response to the media noise about brute force WordPress attacks, Sucuri CTO Daniel Cid published a blog post in April of this year that contained some worrying statistics: “As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days. That means that the number of brute force attempts more than tripled.”
What this means is, if you’re using an easy-to-guess username, such as “admin”, then it is much easier for a hacker to hack into your blog. Since WordPress 3.0 it has been possible to choose another default name right from installation so if you haven’t installed WordPress yet make sure that you choose your log-in name wisely. If you have installed WordPress but are still logging in as “admin” then please, please, please get it changed ASAP.
Daniel goes on to say: “Diving deeper into our data we find a few interesting data points. For instance, we can see the top user names being attempted:
652,911 [log] => admin
10173 [log] => test
8992 [log] => administrator
8921 [log] => Admin
2495 [log] => root
In these cases, by the shear (sic) fact of having a non- admin / administrator / root usernames (sic) you are automatically out of the running. Which is kind of nice actually.”
Yes, it’s very nice indeed! But supposing that, just as I had done, you have ensured that you have a unique username. Is that enough? Perhaps not, as I discovered. It turns out that, under certain installations, your posts are visibly attributed to your username and therefore completely visible in search engine results. If this is the case with you then I strongly advise that you change your username (perhaps for the second time!) and ensure that your username isn’t displayed in future.
So then, how do you do this? Fear not, intrepid web traveller, for I shall show you…
How to Protect Yourself
First of all, you’ll need to log in to your cPanel (*I’m writing this from the perspective of a cPanel-equipped site. I can’t cover all conceivable configurations but the principles should be universal). Next, you need to locate your Databases section and click on the link to “phpMyAdmin”. (Clicking on the thumbnails below will open up a screenshot in a new tab/window.)
Next, you will want to select the desired database from the tree located on the left of the screen. Once you have clicked on it you will need to locate “wp_users” in the main window. The next screenshot shows where these are located (of course, I’ve blanked out certain personal or site info in the screenshots).
You will now see a list of registered users. This can be comprised of subscribers, contributors, authors, admins and so on. What you are looking for here is your username, so find this and click on “Edit”.
Now, the next step is where the important stuff is. Once you’ve found your username and clicked on “Edit”, you’ll be taken to a screen that shows various fields of information. The ones that you are interested in are “user_login”, “user_nicename” and “display_name”. This is where the potential problem is. If your WordPress installation is just a basic, default installation done using something such as Softaculous, then the likelihood is that the user_nicename is the same as the user_login. This is something that you absolutely don’t want, as the user_nicename is what shows up in search engine results and therefore tells people what your username is! So what you need to do now is simply to change the user_nicename so that it matches the display_name. (Bear in mind that user_nicename is used as a URL slug, so if your display name contains spaces or capitals, use a lowercase, hyphenated version of it, e.g. “Blog Owner” becomes “blog-owner”, and make sure it isn’t the same as any other user’s login.) Then, once you have made all the necessary adjustments, don’t forget to click on “Go” so that your changes will be saved.
If you’ve done all the steps correctly, your site should be a little more secure. Now, a potential hacker could well attempt a brute force attack using the user_nicename. Let’s just say that he is successful in discovering your password. If he is attempting to gain access using the user_nicename he will be unsuccessful because it is not the same as your username. So even if he successfully guesses your password, the username will be incorrect because he will be working from the user_nicename and not the real username.
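If you have more than a couple of users, checking each one by hand in phpMyAdmin gets tedious, so here is an added example (my illustration, not code from the original post or from WordPress) of the same audit done as a query. It uses an in-memory SQLite stand-in for the wp_users table with only the columns that matter here (ID, user_login, user_nicename, display_name), fills it with a few constructed accounts, finds every account whose public slug equals its login, and then rewrites those slugs from the display name. The slugify() helper is an assumption that approximates how WordPress turns a name into a URL slug; it is not WordPress’s own function.

```python
import re
import sqlite3

# Constructed sample rows (ID, user_login, display_name); not real accounts.
# A default install copies user_login into user_nicename, which is the
# exposure described in the post, so build_db() does the same.
SAMPLE_USERS = [
    (1, "blogowner", "Blog Owner"),
    (2, "jdoe", "jdoe"),            # display name is the login itself
    (3, "editor42", "Site Editor"),
    (4, "reader7", "Site Editor"),  # slug would collide with user 3
]


def slugify(text):
    """Approximation (assumption) of WordPress's sanitize_title(): lowercase,
    runs of non-alphanumerics become a single hyphen, no edge hyphens."""
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def build_db():
    """In-memory stand-in for wp_users with the relevant columns only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_nicename TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (ID, user_login, user_nicename, display_name) "
        "VALUES (?, ?, ?, ?)",
        [(uid, login, login, name) for uid, login, name in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def find_exposed_users(conn):
    """The check itself: which accounts have a public author slug
    (user_nicename) identical to their login name? Returns [(ID, login), ...]."""
    return conn.execute(
        "SELECT ID, user_login FROM wp_users "
        "WHERE user_nicename = user_login ORDER BY ID"
    ).fetchall()


def fix_nicenames(conn):
    """Give every exposed account a slug derived from display_name.
    Returns (changed, skipped): changed maps login -> new slug; skipped maps
    login -> reason for accounts a database edit alone cannot fix."""
    changed, skipped = {}, {}
    # Keep slugs unique: author archive URLs are built from them.
    taken = {row[0] for row in conn.execute("SELECT user_nicename FROM wp_users")}
    for uid, login in find_exposed_users(conn):
        (display_name,) = conn.execute(
            "SELECT display_name FROM wp_users WHERE ID = ?", (uid,)
        ).fetchone()
        slug = slugify(display_name)
        if not slug or slug == slugify(login):
            # The display name gives the login away too; change it first.
            skipped[login] = "display_name matches user_login; change it first"
            continue
        candidate, n = slug, 2
        while candidate in taken:
            candidate, n = f"{slug}-{n}", n + 1
        conn.execute(
            "UPDATE wp_users SET user_nicename = ? WHERE ID = ?", (candidate, uid)
        )
        taken.add(candidate)
        changed[login] = candidate
    conn.commit()
    return changed, skipped


if __name__ == "__main__":
    db = build_db()
    print("exposed before:", find_exposed_users(db))
    fixed, left = fix_nicenames(db)
    print("changed:", fixed)
    print("needs manual attention:", left)
    print("exposed after:", find_exposed_users(db))
```

The SELECT in find_exposed_users() is the one worth pasting into phpMyAdmin’s SQL tab against your real table (adjust the wp_ prefix if yours differs): any row it returns is an account whose login is on public display. Note the deliberate edge case in the sample data: an account whose display name is literally its login (user 2) cannot be hidden by editing user_nicename alone, so the script reports it instead of silently leaving it exposed.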
So there you have it! I hope that this post has been useful to you and you will be able to put the steps into action to secure your WordPress blog in this area if need be.
Don’t forget to rate, share, subscribe and all that good stuff. And if I can help in any way then please feel free to drop me a message.
Until next time,