There have (unsurprisingly) been a lot of blog posts written in the last few days about WordPress security and what you can do to keep your blog safe from hackers. I'll be chucking my own twopennorth in shortly, but for now, I want to look at one of the recommendations in more detail: "get rid of the user called 'admin'".

This is a pretty sensible piece of advice. On most WP installs, "admin" is the default user name; if you want to hack a blog, it's a good place to start guessing. Which halves the security of the username/password combo, because only the password has to be guessed.

So when you're setting up a new WordPress blog, pick something other than "admin" for your user name. But what do you do if your existing blog is has "admin" for a username? Unfortunately, WP doesn't have an easy way to change a user name. You can do it through PHPMyAdmin, but a couple of people I know have managed to lock themselves out of WordPress altogether trying that.

The easiest way is to create a whole new administrator through WP's admin:

• From Users > Add New, create a new account. Pick a strong password. You'll need to use an email address that hasn't been used for any other user of your blog. Assign the new user the role of Administrator.
• Sign in as the new Administrator.
• Assign all of admin's posts to the new user: from Posts, choose Bulk Actions > Edit from the dropdown menu at the top. If you have a lot (pages and pages) of posts, you can reassign them automatically as part of the user deletion routine, but I always feel much safer moving the posts first!
• Go to Users > Authors & Users, and choose delete for the user "admin".
• If "admin" has any posts left attributed to them, you'll see the message shown below; assign all of admin's posts to your new user ID.

One other note re. comments: reassigning posts to a different author will break some minor features in comments. My gravatar stopped showing up (even though my new ID's email address was also registered with gravatar.com) and CSS that I had to highlight the comment as being by an author no longer highlighted my comments. The only way I found to fix this was through PHPMyAdmin, changing wp_comments table's user_id from my old ID number to my new one.

The above routine will remove "admin" as a user of your blog and help to keep your WordPress a little more secure. It should go without saying that this isn't enough: there are other things you should be doing, primarily keeping your install up to date.

Tags: administrator, PHPMyAdmin, user

Posted by Sue on September 8, 2009 in Security, WordPress.