WordPress Security: ‘Admin’ is a bad username

WordPress security is growing in importance.  If you’re not using security measures with your website, you should be.  Start right away.

Every day, I receive emails like this one, telling me that yet another person (or robot) tried to access my websites using the login name “Admin.”

[Screenshot: WordPress security alert email]

I never take it personally.  That same IP number tried to access a wide range of my sites last night, not just sites readily identified with me.  Also, that IP number shows up regularly in these alerts.  It might be the hacker’s real IP number, it might be a proxy, or it might be an innocent person’s IP number, “borrowed” by the hackers (or, more correctly, crackers).

In all likelihood, software is cycling through domain names at a high speed, looking for a site with a username of “Admin.”  Not long ago, a news report claimed that more than 60% of website owners keep the default username of “admin” to log into their sites.  It’s a very bad idea.

Simple WordPress Security Measures

First, always have a current backup of your website.  I use (and rave about) WP-Twin for that, but you could use Flip Me Clone (about 1/4 the price), or you can get by with the free WordPress plugin, WP-DB Manager.  In the settings for WP-DB Manager, be sure it emails you a full copy of your website’s database (that’s where your articles actually are) weekly, or more often if you update your site more than once a week.

Next, change your WordPress login username if it’s currently “Admin” or if it’s the same as the name that appears on your articles or on your “About” page.

In WordPress, this means:

1. Create a new user (in your WordPress dashboard, at Users > Add New).  Make sure to assign that new user the role of Administrator.

2. Then, log out of your WordPress dashboard.

3. Log in with your new username and password.

4. Delete the old user account, and attribute all the old username’s posts & links to your new username.  That’s important.  Otherwise, you’ll lose all of your old posts, etc.

5. Confirm deletion (as shown in the screenshot, above).

6. Be sure your screen name is NOT the same as your login name.  Otherwise, you’re giving crackers 50% of the information they need to hack into your WordPress account.  I often use “Admin” or “webmaster” to throw people off, unless I really want my articles associated with another name for PR & marketing reasons.  But, that’s still never the same as my login name.

7. Have a guess-proof password for your WordPress login.  It shouldn’t be any word someone could find in a normal dictionary.  In fact, it’s best if it’s 12+ characters long and includes letters, numbers, and special characters.  If you need help with this, you’ll find free password generators online. Click here for one of them.

Be sure to save your username and password somewhere.  If you’re saving it on your computer, click here to download the blank .TXT form I use to save my information for each website. [Link]

8. Install the free WordPress plugin, Limit Login Attempts.  In “Settings,” you might want to choose limits stricter than the defaults.  On most of my sites, just one lockout means the IP number is locked out for a minimum of 24 hours, and usually 72 hours.  I also ask WordPress to notify me every time there’s a lockout.

9. Install the free WordPress plugin, Secure WordPress.  In “Settings,” I usually make sure the error message won’t be seen at login.  Then, if someone is trying to hack into the site, they won’t know if they failed to guess the login username, the password, or both.

10. Do NOT panic and throw money at all kinds of security when you start receiving emails telling you that several attempts were made to log into your website.  Most of the truly useful security plugins are free and available at WordPress.org.  My favorites include Bulletproof Security and WP Firewall 2.  (But remember: They only work if you activate them and follow their instructions to set up the security measures.)
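To show what steps 8 and 9 actually buy you, here is an added example (not code from the original post, and not the Limit Login Attempts plugin itself) that replays a constructed list of login attempts through lockout logic of the same kind: a few failures from one IP within a window lock that IP out for 24 hours, further attempts while locked are refused, and every attempt against a default username such as “admin” is counted.  The record format, the thresholds (4 retries, 12-hour window, 24-hour lockout), the watch list of usernames and the sample IPs and timestamps are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values are assumptions for this example; the real plugin takes
# them from its Settings screen.
ALLOWED_RETRIES = 4                     # failures before an IP is locked out
RETRY_WINDOW = timedelta(hours=12)      # failures older than this no longer count
LOCKOUT_DURATION = timedelta(hours=24)  # the "one lockout = 24 hours" setting
DEFAULT_USERNAMES = {"admin", "administrator", "webmaster"}  # assumed watch list

# Constructed sample records: "<ISO timestamp> <ip> <username> <OK|FAIL>".
# The IPs are documentation ranges; the dates and names are made up.
SAMPLE_LOG = """\
2012-05-18T02:14:01 203.0.113.9 admin FAIL
2012-05-18T02:14:03 203.0.113.9 admin FAIL
2012-05-18T02:14:05 203.0.113.9 admin FAIL
2012-05-18T02:14:07 203.0.113.9 admin FAIL
2012-05-18T02:14:09 203.0.113.9 administrator FAIL
2012-05-18T09:30:00 198.51.100.4 siteowner OK
2012-05-18T09:31:00 198.51.100.4 siteowner FAIL
2012-05-19T02:20:00 203.0.113.9 admin FAIL
2012-05-19T03:00:00 203.0.113.9 admin FAIL
"""


@dataclass
class IpState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[datetime] = None
    lockouts: int = 0


def parse_line(line):
    """Split one constructed record into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def process_log(text):
    """Replay login attempts in order and return what the site owner would be told."""
    state = defaultdict(IpState)
    lockouts = []                          # (ip, when, locked_until)
    blocked = 0                            # attempts refused because the IP was locked
    default_name_hits = defaultdict(int)   # attempts per IP against default usernames
    for line in text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if user.lower() in DEFAULT_USERNAMES:
            default_name_hits[ip] += 1     # counted even when the attempt is refused
        s = state[ip]
        if s.locked_until is not None and ts < s.locked_until:
            blocked += 1
            continue
        if result == "OK":
            s.failures.clear()             # a successful login resets the counter
            continue
        s.failures = [t for t in s.failures if ts - t <= RETRY_WINDOW]
        s.failures.append(ts)
        if len(s.failures) >= ALLOWED_RETRIES:
            s.locked_until = ts + LOCKOUT_DURATION
            s.lockouts += 1
            s.failures.clear()
            lockouts.append((ip, ts, s.locked_until))
    return {"lockouts": lockouts, "blocked": blocked,
            "default_name_hits": dict(default_name_hits)}


def lockout_notice(ip, when, until):
    """The kind of one-line notification the plugin can email on every lockout."""
    return (f"{ALLOWED_RETRIES} failed login attempts from {ip} "
            f"at {when.isoformat()}; locked out until {until.isoformat()}")


if __name__ == "__main__":
    report = process_log(SAMPLE_LOG)
    for ip, when, until in report["lockouts"]:
        print(lockout_notice(ip, when, until))
    print("attempts refused while locked out:", report["blocked"])
    print("attempts against default usernames:", report["default_name_hits"])
```

Run on the sample, the script reports one lockout of 203.0.113.9 at the fourth failure, one attempt refused while that lockout was in force, and seven attempts from that address against default usernames; the single failure from 198.51.100.4 never reaches the threshold.  The “default usernames” count is the part the plugin does not give you: if that number is high while your real login name never appears, the robots are guessing blind, which is exactly what renaming the “Admin” account is meant to achieve.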

As I said earlier, I receive security email alerts every day.  It’s just part of maintaining a website; robots will try to access your website.  It’s nothing personal and it doesn’t mean you’re under deliberate and focused attack.

You probably wouldn’t leave your home unlocked when you leave for work.  You probably wouldn’t leave your keys in your car when you’re out shopping.

Likewise, a few simple security measures can take your site off the list of the easiest websites to hack.

Stay calm and carry on.  This is all in a day’s work if you have a website, and — by taking these WordPress security steps — you don’t have to lose sleep at night.

H1 – When and How Often to Use It

H1 text — heading (bold) text in the largest size — sends a message to your readers and to search engines, about the subject of your post.  Many of us use H1 text as the headings that break up a long article into topic-specific sections.

Often, the title of each post is automatically set in H1 text.  It’s large, it’s bold, and it stands out from everything else you write.

Google and other search engines see the H1 text, and take it a little more seriously than anything else on the page, when they’re deciding which keywords are most important.  That’s exactly what H1 text is supposed to do: Indicate what’s important on a webpage.

You may also use H1 for headings in your articles.  In WordPress, here’s where you’ll select Heading 1 (aka “H1”) to make a heading stand out:

[Screenshot: the Format dropdown in the WordPress post editor]

What you’ll do is select (highlight, with your cursor) the phrase you’d like to turn into H1 text. Then, click on the Format section of your WordPress post screen (the default usually says “Paragraph”), so the selected phrase is converted to H1 text.

Or, as you’re writing, you can select H1 text, type what you want in that headline-style font, and then deselect H1 (back to the default Paragraph style).

It’s that simple.

Note: How the H1 text looks in your post screen isn’t necessarily how it’ll look on your webpage.  How H1 looks on your website… that’s determined by the CSS (stylesheet) in your WordPress theme.

In the past, “loophole” specialists have tweaked their CSS so they can write their entire posts in H1.  That’s exactly what I recommend against: Following advice that’s designed to fool search engines.  Don’t do it.

In many WordPress themes, H1 text looks huge and ugly.  In the past, H1 was used so rarely, this hasn’t been much of an issue.  Now, to help search engines and readers skim our articles and recognize what’s important, H1 can be useful.  Just don’t overdo it.

Here’s what Google’s Matt Cutts said about overuse of H1:

[Embedded video: Matt Cutts on overuse of H1]

Recently, I changed some of my WordPress themes so H1 text looks less obnoxious.  If you’ve bought one of my themes that includes the better-looking H1 design, that’s not a license to pepper your articles with it.

Moderation is a good thing.  Follow Matt Cutts’ advice in the video, above, and you’ll be fine.

Weekend Price Alert – WP Twin

WP-Twin may be one of the most valuable webmaster tools I own.  It makes cloning my sites a breeze.  I can clone and fully restore a site in under 20 minutes.  Worried about hackers? Having WP-Twin backups will help you sleep soundly at night.

However, the software is not inexpensive.  WP-Twin has been selling for $97.

Starting on Monday, May 21st, WP-Twin’s licensing will change and the $97 (unlimited sites) version will cost $297.

If you’ve been thinking, “Gosh, I should probably buy that,” get it before the price goes up.

WP-Twin is worth $297.  I have no doubt about that.  Frankly, I can’t imagine having multiple websites without WP-Twin in my arsenal.  It’s prevented hacks, hosting changes, and site crashes from becoming absolute, time-sucking nightmares.

If I didn’t already own WP-Twin, I’d make this weekend purchase my highest priority.  I’d eat spaghetti or hot dogs for dinner for the rest of the month, if I had to, to buy WP-Twin before the price triples.

If you’re a webmaster, you’ll probably buy this software sooner or later.  Why pay more than you need to?

Click here to buy WP-Twin now.

About this website

This is the tutorials and support site for Shiny Websites and SheFlipsWebsites at Flippa.com.

I'm Eibhlin (said "Eileen"). If you have any questions about my websites or auctions, use the Contact form to ask.
