WordPress security…

WordPress has become the most widely used blogging software, running about 10% of all websites on the Internet. Its popularity has been fueled by the easy installation and management of WordPress-based sites. That’s the good news.

The bad news is that the majority of people using WordPress don’t change the default administrator account (“Admin”) or the default database table prefix (“wp_”) when they install it. Why is that bad news? Hackers’ automated scripts and bots rely on those default values to insert content and links into your site via SQL injection. Simply changing the default administrator account and database prefix at install time will stop most, if not all, of those automated scripts and bots from changing your site content.

If, like most WordPress users, you didn’t change the default values, you can still change them without much impact on your “live” site. Before making any changes, back up your WordPress database and pay close attention to the syntax of each command you’ll execute.

Let’s change the default administrator account of “Admin” first:

  1. Log in to your blog as “Admin” and create a new user account, “Newadmin” or a name of your choice, and assign it the Administrator role
  2. Log out as “Admin” and log in with your new administrator account
  3. Delete the original administrator account named “Admin”

While you could use the suggested new user account name “Newadmin”, change it to a word of your own choosing.

Changing the database prefix is easier: just use the

Better WordPress Security plugin

Among other nifty security checks and configuration changes, this plugin can back up the database, change the database prefix, and update the wp-config.php file to reflect the new prefix (“newprefix”); do change “newprefix” to a word of your own choosing.

Unfortunately, WebsiteDefender does not replace the “wp_” prefix inside the options and usermeta tables. You can verify this by running the following SQL queries:

-- In LIKE, '_' matches any single character; the backslash makes it a literal underscore
SELECT *
FROM %newprefix%_options
WHERE option_name LIKE '%wp\_%';

SELECT *
FROM %newprefix%_usermeta
WHERE meta_key LIKE '%wp\_%';

You can use the phpMyAdmin GUI to change the prefix inside the %newprefix%_options and %newprefix%_usermeta tables; there are about 20-30 entries to rename. Alternatively, run a few more SQL queries.

If you don’t feel comfortable running SQL queries, have someone do it for you. Depending on your version of MySQL, the syntax below may need modification. The %newprefix% in the script below stands for the prefix you chose in the previous step.

Replace the “wp_” prefix inside the %newprefix%_options table:

-- Only rows whose name starts with the literal 'wp_' are touched
UPDATE %newprefix%_options
SET option_name = REPLACE(option_name, 'wp_', '%newprefix%_')
WHERE option_name LIKE 'wp\_%';

And finally, replace the “wp_” prefix inside the %newprefix%_usermeta table:

-- Same pattern for user meta keys such as wp_capabilities and wp_user_level
UPDATE %newprefix%_usermeta
SET meta_key = REPLACE(meta_key, 'wp_', '%newprefix%_')
WHERE meta_key LIKE 'wp\_%';
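To see why the verification query and the two UPDATE statements need care, here is a small added example (not code from the post or from the plugin) that runs the same steps against an in-memory SQLite stand-in for the renamed options and usermeta tables, filled with constructed rows. It shows that an unescaped `'%wp_%'` also matches names like `wpx_lookalike`, and it rewrites only the leading prefix with `SUBSTR`, so a key that merely contains `wp_` mid-name is left alone. Table and column names, the `newprefix_` value and all sample rows are assumptions for the demo; on MySQL you would use `CONCAT()` and `SUBSTRING()`, and backslash is already the default LIKE escape there.

```python
import sqlite3

# Constructed sample data: the shape of wp_options / wp_usermeta rows
# after the plugin renamed the tables but not the values inside them.
OLD_PREFIX = "wp_"
NEW_PREFIX = "newprefix_"   # stands in for the post's %newprefix%_

SAMPLE_OPTIONS = [
    ("wp_user_roles", "serialized-roles"),
    ("siteurl", "https://blog.example"),
    ("wp_page_for_privacy_policy", "3"),
    ("my_wp_plugin_cache", "x"),   # contains 'wp_' mid-name: must NOT be renamed
    ("wpx_lookalike", "y"),        # caught by an unescaped LIKE 'wp_%'
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", "serialized-caps"),
    (1, "wp_user_level", "10"),
    (1, "nickname", "newadmin"),
    (1, "wp_dashboard_quick_press_last_post_id", "5"),
]


def build_db(prefix=NEW_PREFIX):
    """In-memory stand-in for the renamed tables; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    # Table names come from trusted configuration, never from user input,
    # so interpolating them into the statement is acceptable here.
    conn.execute(f"CREATE TABLE {prefix}options (option_name TEXT, option_value TEXT)")
    conn.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany(f"INSERT INTO {prefix}options VALUES (?, ?)", SAMPLE_OPTIONS)
    conn.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def _prefix_pattern(old):
    # In LIKE, '_' matches any single character, so 'wp_%' also matches 'wpx_...'.
    # Escaping the underscore makes the pattern match the literal prefix only.
    return old.replace("_", r"\_") + "%"


def find_naive(conn, table, column):
    """The post's verification query as written: '_' acts as a wildcard here."""
    rows = conn.execute(f"SELECT {column} FROM {table} WHERE {column} LIKE '%wp_%'").fetchall()
    return sorted(r[0] for r in rows)


def find_stale(conn, table, column, old=OLD_PREFIX):
    """Keys that still begin with the old literal prefix."""
    rows = conn.execute(
        f"SELECT {column} FROM {table} WHERE {column} LIKE ? ESCAPE '\\'",
        (_prefix_pattern(old),),
    ).fetchall()
    return sorted(r[0] for r in rows)


def rename_prefix(conn, table, column, old=OLD_PREFIX, new=NEW_PREFIX):
    """Rewrite only the leading prefix; returns the number of rows changed.

    SUBSTR(col, len(old)+1) drops the old prefix and '||' concatenates in SQLite;
    MySQL equivalent: CONCAT(new, SUBSTRING(col, len(old)+1)).
    """
    cur = conn.execute(
        f"UPDATE {table} SET {column} = ? || SUBSTR({column}, ?) "
        f"WHERE {column} LIKE ? ESCAPE '\\'",
        (new, len(old) + 1, _prefix_pattern(old)),
    )
    conn.commit()
    return cur.rowcount


def all_keys(conn, table, column):
    """Every key in the table, sorted, for a before/after comparison."""
    return sorted(r[0] for r in conn.execute(f"SELECT {column} FROM {table}"))


if __name__ == "__main__":
    db = build_db()
    for table, column in ((NEW_PREFIX + "options", "option_name"),
                          (NEW_PREFIX + "usermeta", "meta_key")):
        print(table, "naive match:", find_naive(db, table, column))
        print(table, "stale before:", find_stale(db, table, column))
        print(table, "renamed:", rename_prefix(db, table, column))
        print(table, "stale after:", find_stale(db, table, column))
        print(table, "keys now:", all_keys(db, table, column))
```

Run it as a script to see the before/after listing; `find_stale` returning an empty list after `rename_prefix` is the check you want to see on the real database, and the `WHERE ... LIKE` clause is what keeps an unrelated key such as `my_wp_plugin_cache` untouched.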

Will changing the WordPress default values make your blog hacker-proof? Not really; you’ve just made it more resistant to hackers’ automated scripts and bots. A joke explains it well:

Joe and Tom go camping and set up their tent in the woods. Late at night, they hear some worrisome noise in the forest and see a grizzly coming toward them. Joe panics, while Tom calmly puts on his sneakers.
Joe looks at him and says, “What are you doing? You’re not going to outrun the bear!”
Tom replies, “I don’t have to, I just need to outrun you…”

When you replace the default WordPress values, you’ve just put on your sneakers.