By Jason Davis
Whenever security comes up with WordPress, the first thought is usually some external product that could be used to protect your website. In fact, hardening WordPress must start with the install and with the administrator of the website. Websites are no longer like sheets of paper; they are dynamic software that requires strong protection, and that protection has to start with the most basic things.
That is what we are writing about here. Many of these issues come to light when we, Element 502, take over the security, SEO and administration of a WordPress website.
Don’t use “Admin” as your username
On hosting platforms that are not “Managed WordPress Hosting,” a fresh install of WordPress usually includes some defaults to get you started, such as a default user called “admin.” With recent versions of WordPress (post 3.0), however, the installation process relies much more on the user picking their own username. It can still result in a new user choosing the name “admin” or “administrator.” No matter the urge, don’t do this. When an attacker wants to break into a website, the first thing they look for is a less savvy user who has created exactly such an account to log in with.
Pick a strong password
Along with the user being created upon installation comes WordPress’ password generator. It is designed to avoid the typical passwords, like your dog’s name or your first crush. Gone are the days of using passwords without numbers, symbols and letters. Passphrases are OK, but again, with a little extra digging into your Facebook profile or other public information, “I Love my dawg” (with spaces) doesn’t work well either. The best solution is two-step authentication, or using a password manager to store the auto-generated passwords, which are completely random on purpose.
Don’t set your new users to a default of anything but “subscriber”
I’ve actually debated whether or not to include this one, until we started migrating a few sites this year. I found several sites with the new-user default set to “administrator” rather than “subscriber.” When creating users to log in to your website, you have 5 access levels by default. Here they are, in order of authority, and what they can do:
Administrator: Nothing is off limits. A user with this level of access is granted entry to every sensitive area of a WordPress website.
Editor: Create, edit, publish, and delete any post or page, as well as moderate comments and manage categories, tags, and links.
Author: Can create, edit, publish, and delete only their own posts, as well as upload files and images. Authors cannot modify or create pages, and can edit comments made on their posts.
Contributor: A Contributor can create and edit only their own posts, but cannot publish them.
Subscriber: People with zero editing ability who have signed up to receive updates each time you publish a new post.
So you can see from the list above that the default should always be “subscriber,” and if you are managing a team at your business, don’t …
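As an added example that is not part of the original post, here is a small audit script covering the three basics above: reserved usernames, the new-user default role, and password strength. It assumes user data in the shape WP-CLI’s `wp user list --format=json` produces and a `default_role` value as returned by `wp option get default_role`; the sample data below is constructed, not from a real site.

```python
import json
import re

# Usernames the post says should never exist, since they are the first guesses.
RESERVED_LOGINS = {"admin", "administrator"}
EXPECTED_DEFAULT_ROLE = "subscriber"

# Constructed sample in the assumed shape of
# `wp user list --fields=ID,user_login,roles --format=json` (not real site data).
SAMPLE_USERS_JSON = """[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "jdavis", "roles": "administrator"},
  {"ID": 3, "user_login": "newsletter-reader", "roles": "subscriber"},
  {"ID": 4, "user_login": "guest-writer", "roles": "contributor,subscriber"}
]"""
# Constructed value of `wp option get default_role` on a misconfigured site.
SAMPLE_DEFAULT_ROLE = "administrator"


def audit_users(users_json, default_role):
    """Return a list of findings: wrong default role, reserved logins,
    and more than one administrator account."""
    findings = []
    if default_role != EXPECTED_DEFAULT_ROLE:
        findings.append(f"default_role is '{default_role}', expected '{EXPECTED_DEFAULT_ROLE}'")
    admins = []
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = {r.strip() for r in user["roles"].split(",") if r.strip()}
        if login.lower() in RESERVED_LOGINS:
            findings.append(f"user {user['ID']} uses reserved login '{login}'")
        if "administrator" in roles:
            admins.append(login)
    if len(admins) > 1:
        findings.append(f"{len(admins)} administrator accounts: {', '.join(sorted(admins))}")
    return findings


def password_is_strong(password, personal_words=()):
    """Require length, letters, digits and symbols, and reject any password
    containing a word an attacker could lift from a public profile
    (the post's 'I Love my dawg' case)."""
    if len(password) < 12:
        return False
    classes = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, password) for pattern in classes):
        return False
    lowered = password.lower()
    return not any(word.lower() in lowered for word in personal_words)
```

Run the audit against live data by piping WP-CLI output into `audit_users`; a clean site returns an empty list.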