How (and why) to: Never use admin as your username
tl;dr: At the top of the Point and Stare list comes WordPress security – most attempts to break into a site are via the login page, simply using ‘admin’.
At Point and Stare we have been predominantly designing and developing WordPress based projects since 2008.
At the top of the list comes security – most attempts to break into a site are via the login page using simple user names like ‘admin’.
The obvious advice is to never use ‘admin’ as your username.
When users are created they are given a sequential ID number, and another route for hackers is to request ?author=1, for example, which maps straight to the first user account that was created.
So, we have two issues to sort out before we do anything else: create a user not named ‘admin’, and with a random ID number, not 1, 2, etc.
There are many ways you can do this, but the easiest/quickest way I have found is this:
1. Set up a fresh install of WordPress as usual and, when you’re asked to set up the admin, go ahead and use anything simple – ‘admin’ and ‘password’ is totally fine at this point.
2. Once you’ve completed the install, log in as usual and download a plugin called “Add Multiple Users for WordPress” – ignore the “not updated for 2 years” message, it works fine.
3. Before you go any further, create a simple text file with as many fake users as you want (I have a sample file you can have if required – just ask).
The file needs one user per line, with the following fields in this order:
Username,password,email address,role (I set all these to subscriber),First name,Last name
Create a few entries, one per line, then copy/paste them, changing some random characters – around 30 or 40 entries is fine:
jefhgfk,kj4R,jfkgfk@gil.com,subscriber,Bob,JJJe
jefk,kj4kg78jR,kjhg2lkjh@lkjkjh.com,subscriber,ff,Ke
jef6ijhgfk,kjhg78jR,jeujhgfk@gkjhgmjakjhil.com,subscriber,Je,ne
Make sure all the names and emails are unique.
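If you would rather not hand-edit 30 or 40 lines, the following script generates the same six-field CSV with guaranteed-unique usernames and emails. It is an added example, not part of the original post or of the Add Multiple Users plugin; the field order is the one described above, the domain `example.invalid` is a placeholder, and the row count is whatever you pass in.

```python
import csv
import io
import secrets
import string

ROLE = "subscriber"                       # every filler account gets the lowest role
RESERVED = {"admin", "administrator", "root", "test", "user"}  # never generate these logins


def random_token(length, alphabet=string.ascii_lowercase):
    """Cryptographically random string of `length` characters from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_filler_users(count, domain="example.invalid"):
    """Return `count` rows of [username, password, email, role, first, last].

    Usernames are unique within the batch, so the derived emails are unique too,
    and none of the reserved logins above can appear. The domain is a placeholder.
    """
    seen = set()
    rows = []
    while len(rows) < count:
        name = random_token(secrets.choice(range(6, 11)))   # 6 to 10 lowercase letters
        if name in seen or name in RESERVED:
            continue                                        # retry on a collision
        seen.add(name)
        # Alphanumeric only, so the password can never contain a CSV separator.
        password = random_token(16, string.ascii_letters + string.digits)
        email = f"{name}@{domain}"
        first = random_token(4).capitalize()
        last = random_token(5).capitalize()
        rows.append([name, password, email, ROLE, first, last])
    return rows


def to_csv(rows):
    """Serialise the rows as plain CSV, one user per line, no header."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Paste the printed text into AMU > Import CSV Data.
    print(to_csv(make_filler_users(40)), end="")
```

Run it once, paste the output into the plugin's CSV box, and you have the filler accounts without having to invent them by hand.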
4. When ready, go to AMU > Import CSV Data and copy/paste all the details into the “Or paste your CSV data in the box below” field – click ‘Next step’.
5. Click the blue “Skip form and Add Users” button – voila! A ton of fake users created.
6. Now add a real user – your preferred username/password (a better, more secure idea would be to use a ‘pass phrase’).
Hint – For random passwords, I use Strong Password Generator.
7. Now it’s time to log out and then log back in using your real details.
8. Once logged in, remove the AMU plugin and all the users except yourself (obviously).
You should now have a clean user account that is not named admin and does not have a low ID number.
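To confirm the end state (one account, not called admin, not a low ID) you can check the user table rather than trust that the clean-up worked. The audit below is an added example, not part of the original post. It assumes the user list was exported with WP-CLI (`wp user list --fields=ID,user_login,roles --format=csv`); the two sample exports are constructed here to show a site before and after steps 7 and 8.

```python
import csv
import io

# Constructed sample exports: the site straight after step 5, and after step 8.
SAMPLE_BEFORE = """ID,user_login,roles
1,admin,administrator
2,jefhgfk,subscriber
3,jefk,subscriber
41,ps_editor,administrator
"""
SAMPLE_AFTER = """ID,user_login,roles
41,ps_editor,administrator
"""


def audit_wp_users(csv_text, keep_login, min_id=20):
    """Return a list of problems found in a user export.

    Flags: any account still called 'admin', your own account if its ID is
    low enough to guess via ?author=N, and every account other than yours
    (the fillers and the install-time admin should all be gone by now).
    """
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = int(row["ID"])
        login = row["user_login"]
        roles = row["roles"]
        if login.lower() == "admin":
            problems.append(f"'{login}' (ID {uid}) still uses the default admin login")
        if login == keep_login and uid < min_id:
            problems.append(f"your account '{login}' has low ID {uid}; ?author={uid} is trivial to guess")
        if login != keep_login:
            problems.append(f"leftover account '{login}' (ID {uid}, roles={roles}) should be removed")
    return problems


def is_clean(csv_text, keep_login, min_id=20):
    """True when the export contains only your account with an acceptable ID."""
    return audit_wp_users(csv_text, keep_login, min_id) == []


if __name__ == "__main__":
    for label, export in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"--- {label} ---")
        for p in audit_wp_users(export, "ps_editor") or ["no problems found"]:
            print(p)
```

Point it at a real export and an empty problem list means you are done; anything listed is a user that still needs deleting or an ID that is still too easy to guess.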
Of course, if you’re still using ‘admin’ as your login, get in touch with us and let’s get you secure.