Site Security – Don’t Overlook The Obvious
After the highly publicized hijacking of Wired reporter Mat Honan's online identity, it is clear to me that attackers don't always go about things the way we think they do. When we hear "I've been hacked", we immediately picture someone cracking our passwords with software that tries every word in the dictionary or grinds through some complex algorithm. Or we picture something malicious being installed on our computer to spy on us.
Yet Honan's experience shows that attackers don't always need any of that. What they did was cleverly and logically work their way through various systems, using information each one gave away about the next. They call it social engineering. Whatever the name, it's not good.
Keep Your Security Processes But Keep Your Eyes Open
Don't get me wrong. I'm not saying abandon your hard-to-guess passwords with capitals, symbols and numbers, or stop using tools that help you secure your personal accounts and business systems. Not at all; it would be foolish to. What I'm saying is that, every so often, you should sit back and take a moment to review whether there are loops that need closing.
How I Cracked A WordPress Admin Account
Just this week, I 'broke' into the WordPress admin account of a friend. Before you crucify me, let me say I had permission. I was asked to help and he gave me the logins. But when I went to work on the site, the logins wouldn't work. I figured something had changed and didn't know whether it was the password or the username. I couldn't contact my friend because I tend to work really late at night (or early morning, if you prefer).
And then it struck me. Let's try the same password with a different username. But which username? Here's something I know from years of experience working with WordPress and other people's sites: most users never change their display name. WordPress sets the display name to the username when the account is created, so if your theme prints the author name on each post and you never changed your display name, guess what?
You are displaying your username for everyone to see!
So what do you think I did to get logged in? Yup! I went to one of his blog posts and looked for the "by author name" byline (crossing my fingers as I went, because some themes hide it). Luck was on my side and sure enough it was there. I used his display name as the username and bingo! Account cracked. No malicious software necessary, and no password guessing either: the password was already known, and the site handed me the other half of the login.
My friend is really lucky it was me and not someone else with nefarious intentions.
You Can Do Something About This
My question to you is: are you publicly displaying your username on your blog? If so, go change it now. Just follow these steps.
1. Log in to your WordPress account
2. Go to Users and edit your profile
3. Add a first and last name, or simply edit the nickname; it doesn't matter which
4. Update your Profile (the display-name dropdown only offers names you have saved)
5. In "Display name publicly as", select the new name
6. Update your Profile again
Of course, it's better to change the username too, so that it is vastly different from any of the displayed names. Note that WordPress does not let you edit the username from the profile screen: you need to create a new administrator account with a fresh username, reassign your posts to it and delete the old account, or change the login directly in the database (or with a plugin that does this). Either way, treat hiding the username as one more layer on top of a strong, unique password, not a substitute for it. And no, my username is NOT displayed publicly 😉 you didn't think I'd write a post about this and leave myself exposed, did you?
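As an added self-check (example code written for this post, not something the original article or WordPress ships), the following Python script audits a saved copy of one of your post pages for two leaks of the login name: the byline text itself, and the author-archive link, whose `/author/<slug>/` part defaults to the login name when the account is created. It assumes the theme marks the byline the way WordPress's default themes do (a link with `rel="author"` or an element whose `class` contains `author`); the function names and the two sample pages are constructed for the example.

```python
"""Audit a WordPress page for a leaked login username.

Two places a theme commonly gives the username away:
  * the visible byline, when the display name was never changed
  * the author-archive URL (/author/<slug>/), whose slug defaults to the login name
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never get a closing tag; they must not be pushed on the stack.
_VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}

# Matches the slug in an author-archive path such as /author/jdoe/
AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?")


class _BylineParser(HTMLParser):
    """Collects the text of author-marked elements and every link href."""

    def __init__(self):
        super().__init__()
        self.bylines = []   # visible text found inside author-marked elements
        self.links = []     # every href on the page
        self._stack = []    # one bool per open element: is it author-marked?
        self._inside = 0    # >0 while inside an author-marked element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").split()
        classes = (a.get("class") or "").split()
        is_author = "author" in rel or "author" in classes
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag in _VOID:
            return
        self._stack.append(is_author)
        if is_author:
            self._inside += 1

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._inside -= 1

    def handle_data(self, data):
        text = data.strip()
        if self._inside and text:
            self.bylines.append(text)


def audit_username_exposure(html, username):
    """Return a list of (where, value) findings that reveal `username`.

    Comparison is case-insensitive because WordPress logins are.
    """
    parser = _BylineParser()
    parser.feed(html)
    wanted = username.lower()
    findings = []
    for text in parser.bylines:
        if text.lower() == wanted:
            findings.append(("byline", text))
    for href in parser.links:
        match = AUTHOR_ARCHIVE.search(urlparse(href).path)
        if match and match.group(1).lower() == wanted:
            findings.append(("author-archive-slug", href))
    return findings


# Constructed sample pages: the first leaks the login "jdoe" twice, the second
# has a changed display name and a changed author slug.
LEAKY_PAGE = """
<article>
  <h2 class="entry-title">Keep Your Eyes Open</h2>
  <p class="entry-meta">by <a rel="author" class="url fn n"
     href="https://example.com/author/jdoe/">jdoe</a> on August 10, 2012</p>
  <div class="entry-content"><p>...</p></div>
</article>
"""

FIXED_PAGE = """
<article>
  <h2 class="entry-title">Keep Your Eyes Open</h2>
  <p class="entry-meta">by <a rel="author" class="url fn n"
     href="https://example.com/author/john-doe/">John Doe</a> on August 10, 2012</p>
</article>
"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(name, audit_username_exposure(page, "jdoe"))
```

Run it against your own login name and the HTML of a post page; any finding means a visitor can read your username straight off the site. Fixing the byline is the profile change above; fixing the slug means changing the author archive slug as well, since the display name change does not touch it.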
Awesome, Lynette! I've been trying to figure out how to change that. This is so helpful... again! You're such an angel ^_^
iamraincrystal Yay! Happy to help – again 🙂
Lynette: Huge debt of gratitude to you for posting this easy-to-miss item regarding logins on WordPress! Thank you so much! I will be sharing this post all over, so be sure you're secured. 😉
Idellah Woods You’re welcome and thanks for sharing this 🙂
Lynette, I went to make this change and my display name was already set to my name. Yet when you hover over Author in the metadata, the URL showed the WordPress 'nicename', which is pulled from the admin name. How do you avoid this when setting up a new blog, or fix it on an existing one?
Hey MinnaBryant, you hit on something called the author slug. It goes to the author's archives. By default WordPress doesn't change it because of SEO repercussions, so this is something you have to weigh between SEO and security. I'd choose the latter. So to change that slug you can use a plugin called http://wordpress.org/extend/plugins/edit-author-slug/.
Lynette, thank you. This plugin looks better than the ones I found, but I wasn't searching for a "slug". SEO is definitely a little less important than security. It doesn't make sense to me from an SEO standpoint either, but I'm just really getting my hands and mind around SEO. Anyway, thanks again; this plugin will be added to the very slim list of must-haves.
MinnaBryant I liked this one because it gives me flexibility to edit or customize individually.
I happened upon the username change one day when fiddling with my profile. After reading the comments I have to thank you for the plugin recommendation. I have so much to learn and after finding your site today I’ve already learnt a lot.