Note: If you are one of my clients, you can ignore this warning. I’ve already checked your site and updated it where necessary. Rest easy!
Yesterday there was a password breach on WordPress.org that allowed malware to be added to three plugins: WPTouch, AddThis, and W3 Total Cache. The malware was found and removed very quickly and the password hole was plugged.
On Monday, I told you how to change your blog’s main username from “admin” to something else, to make it more difficult for a hacker to guess your username and password. (If he knows the username, half his work is done.)
So now you have changed it, and your log-in username is something else, perhaps your first name. Go to your profile page: Sign in and click on “Howdy, (your name)!” in the upper righthand corner. Look down at the section headed “Name.”
Your username is the one you set up in place of the insecure “admin.” But note the box marked “Display name publicly as.” It shows your new and more secure username to the public on every post you write… so you haven’t gained much by changing it!
The WordPress developers have thought of this. Take this next very simple step to completely hide your login username: Fill in the First Name, Last Name, and nickname fields, choosing something completely different for “nickname.”
Scroll down and click “Update Profile.” Now go back up to the “Display name publicly as” section. A dropdown menu will show you several choices: FirstName, FirstName LastName, LastName FirstName, etc. Pick one, then “Update Profile” again.
Now your chosen display name — NOT the same as your login username — will show on all your posts.
PS: That “nickname” field that is required? That is useful in cases where you don’t want your name to appear as author — if you are writing incognito or using a pen name. If neither the FirstName or LastName fields is filled out, the display name will default to “nickname.” You could log in as Laura and post as Peanut. 🙂
Prior to version 3.0, new installations of WordPress set up the first username as “admin.” If you’ve been upgrading your blog software at regular intervals, you may have the latest version yet still be blogging as “admin.” Using the default name makes it a bit easier for hackers — instead of having to guess or crack two pieces of information, they can assume the username is admin and concentrate on the password.
Unfortunately, you can’t change your username from the WordPress dashboard. Here’s how to do it without having to edit the database or dip your toes into MySQL.
Log in as “admin.” Go to Users -> Add New. Fill out the information for yourself, choosing a different username. (Remember that usernames are case-sensitive: If you sign up as “laura,” you can’t sign in as “Laura.”) Choose “Administrator” from the dropdown menu. Click “Add New User.”
Now sign out and sign back in using your new username. In the lefthand column of the Dashboard, click on Users.
Under the Admin username, click Delete.
Now you will see a screen allowing you to move all the “admin” posts and comments to your new username. Select the correct name and click “Confirm Deletion.”
That’s all there is to it! You’re done, and your blog is one step safer.
Just as your website needs to be maintained, so does your self-hosted WordPress installation. WordPress software has been updated ten times in just the past year, adding new features and closing security loopholes as they are discovered during use. In addition, plugins are constantly being updated and should be kept current as well. Here’s a checklist of what you should be looking for and when to tackle these tasks.