
For WordPress admins, a dangerous default setting

June 12, 2016


Photo: Lisa Risager (CC)

I’ve used WordPress for 11 years, with few headaches or hiccups.

It’s a great content management system and blogging platform, if properly maintained. But it has security vulnerabilities like any popular platform. Users with self-hosted WordPress sites should pay close attention.

For example, this open source software is updated regularly, but like locks left unlocked, updates are no good unless they are actually applied. I know that updating carries its own potential problems, namely breaking the site or a plugin or a theme. (I have survived these uncommon but still possible events.)

But one of the biggest vulnerabilities is a default setting on new installs (as I recall; it’s been a while since I had a tech put in a new site from scratch). It’s the suggested username, “admin.”

Tens of millions of sites are self-hosted WP sites, and I imagine many of them still have admin as a user, perhaps the only one. This user has full access to the entire site.

This gives potential hackers one less hurdle to overcome in seizing vulnerable sites. Combine that with weak passwords (such as “password” or “123456”) and it’s a huge security hole.

Do what I and millions of other users have done: Change from admin to a unique username. This requires creating a new account and deleting the admin account: Use the steps in this video.
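For admins with shell access, a quick audit before making the change (an added example, not part of the original post or the linked video). It assumes WP-CLI is installed on the server; the function name `check_admin_login` and the sample logins are made up for illustration.

```shell
#!/bin/sh
# Added example: check a list of administrator logins for the default "admin".
# Input on stdin: one login per line, e.g. on the server (assumes WP-CLI):
#   wp user list --role=administrator --field=user_login
# Return status:
#   0 = no "admin" account among the administrators
#   1 = "admin" exists alongside at least one other administrator
#   2 = "admin" is the only administrator
check_admin_login() {
    total=0
    found=0
    while IFS= read -r login; do
        # Skip blank lines in the input
        [ -n "$login" ] || continue
        total=$((total + 1))
        # Compare case-insensitively so "Admin" is caught as well
        lower=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "admin" ]; then
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "OK: no administrator is named admin"
        return 0
    fi
    if [ "$total" -gt 1 ]; then
        echo "WARN: admin exists; log in as another administrator and delete it"
        return 1
    fi
    echo "WARN: admin is the only administrator; create a replacement first"
    # Remediation with WP-CLI (values in <> are placeholders):
    #   wp user create <new-login> <email> --role=administrator
    #   wp user delete admin --reassign=<new-user-id>
    return 2
}

# Constructed sample input, not taken from a real site
printf 'admin\neditor_jane\n' | check_admin_login || true
```

Deleting with `--reassign` hands the old account's posts to the new user instead of deleting them along with the account.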

This WPBeginner post has two alternate methods.

Take a few minutes and fix this security hole today. The site you save could be your own.
