Most webpages use WordPress. However, the “admin”-area of WordPress is one of the biggest gateways to gain control over your website. Therefore, some security safeguards are necessary. In this article we focus on the creation of an additional WordPress-user with “author” rights.
Source: GIPHY, Pluralsight
Change the default username of the WordPress “admin”
New WordPress installations allow us to assign an individual username, while old installations automatically created the user “admin”. This is problematic in that the login to the WordPress backend (authentication) consists of the username and password combination. Thus, a potential attacker needs both the username and the correct password to gain access to the system. If one uses a common username like “admin”, “administrator”, “root” or similar, an attacker only has to enter the correct password to gain elevated privileges. Unfamiliar usernames complicate access.
Instruction: Create an additional administrator in the dashboard under “User”. Use an imaginary name like “blogfish65”. After this, log out. Then log in with the credentials of the administrator you just created and delete the existing default administrator account with the name “admin”.
Create an additional user with “author”rights
If you are already using a newer version of WordPress, just log in to your WordPress site as an administrator. Under “User” you create an additional user with “author” rights. With the author account you write and comment all posts, while the administrator account should only be used for maintenance and administration of WordPress. This way, the username of the administrator account is not mentioned anywhere on the page and is not viewable via a link. In other words, in addition to the password, an attacker must try all possible combinations of usernames before gaining access to the admin-area. Attackers have a harder time and we can drink coffee in peace.