In my previous post I said that I had been informed of a SQL injection attack that attempted to hijack Simple Forum in order to obtain the admin user's login credentials. This is a very real, but very simplistic, threat.
The annoying thing is that attacks of this particular kind can be blunted by a couple of very simple precautions when first setting WordPress up - yet the WordPress readme file does not appear to make these recommendations. So, two tips when setting up a new WP install that help avoid this sort of attack - at least the more unsophisticated type.
- The wp-config-sample.php file that you copy to wp-config.php and edit before installation gives, as its default, the table prefix of ‘wp_’ (the line `$table_prefix = 'wp_';`). Change it! Every attacker out there knows this default, and they also know that most people leave it as it is. A canned injection payload simply hard-codes the table name wp_users, and it fails outright when the table is called something else.
- When you install WP, the system creates an ‘admin’ user for you. Being the first user inserted, it will ALWAYS have an ID of ‘1′. Attackers know this too, so the same canned payload asks for the row WHERE ID = 1. It is far better to log in as admin, create a new user with the Administrator role (it gets whatever ID comes next, never 1), log in as that new user, and only then delete ID 1 (newer WP versions offer to assign its posts to another author when you delete it).
These two tips alone will not protect you from all hacking attempts - they are obscurity measures, and an attacker who already has a working injection point can read the real table names out of MySQL’s information_schema and find the administrator by role rather than by ID. The WP devs and plugin authors must still do battle in their code, with properly escaped or prepared queries, to prevent the injection itself - but the two tips will stop the obvious, pre-packaged attempts.
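What the two tips actually do to a canned payload, and what they leave alone, as an added example that is not part of the original post or of Simple Forum: MySQL statements against a cut-down stand-in for the WordPress users and usermeta tables. The prefix xk7_, the user rows and the hash placeholders are all constructed for the example; the column and meta-key names follow the real WordPress schema.

```sql
-- Added example (not code from the original post or from Simple Forum).
-- A cut-down stand-in for the WordPress users/usermeta tables, using a
-- constructed prefix 'xk7_' and an admin whose ID is not 1, to show what
-- the two tips break and what they leave alone. Column names follow the
-- real WordPress schema; the rows and the hash placeholders are made up.
CREATE TABLE xk7_users (
  ID         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_login VARCHAR(60)  NOT NULL,
  user_pass  VARCHAR(64)  NOT NULL
);
CREATE TABLE xk7_usermeta (
  umeta_id   BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_id    BIGINT UNSIGNED NOT NULL,
  meta_key   VARCHAR(255),
  meta_value LONGTEXT
);

-- ID 1 has been removed as the post advises; the real admin is ID 7.
INSERT INTO xk7_users (ID, user_login, user_pass) VALUES
  (7,  'siteowner', 'constructed-hash-1'),
  (12, 'editor',    'constructed-hash-2');
-- Capabilities live in usermeta under a key named after the table prefix
-- (it is 'wp_capabilities' on a default install); the value is a
-- serialized PHP array, as WordPress stores it.
INSERT INTO xk7_usermeta (user_id, meta_key, meta_value) VALUES
  (7,  'xk7_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (7,  'xk7_user_level',   '10'),
  (12, 'xk7_capabilities', 'a:1:{s:6:"editor";b:1;}'),
  (12, 'xk7_user_level',   '7');

-- 1. What a canned payload of the kind the post describes amounts to once
--    the injected fragment reaches MySQL. On this database it fails with
--    error 1146 (table doesn't exist), and even with the right prefix the
--    ID = 1 row is gone. Commented out so the script runs through.
-- SELECT user_login, user_pass FROM wp_users WHERE ID = 1;

-- 2. The caveat: an attacker who has a *working* injection point does not
--    need to guess either value. The prefix can be read from
--    information_schema (the '\_' keeps the underscore literal in LIKE) ...
SELECT table_name
  FROM information_schema.tables
 WHERE table_schema = DATABASE()
   AND table_name LIKE '%\_users';

--    ... and the administrator is found by role rather than by ID, once the
--    discovered prefix is plugged in.
SELECT u.ID, u.user_login, u.user_pass
  FROM xk7_users u
  JOIN xk7_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key LIKE '%\_capabilities'
   AND m.meta_value LIKE '%"administrator"%';
```

The first, commented-out statement is the whole reach of the pre-packaged attack the post is talking about, and both tips break it. The two queries under step 2 are what a hand-driven attacker types instead, and neither tip affects them; that is why the fix for the injection itself still has to live in the plugin's query code.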
Thanks for that.
I’m going to try a few of your plugins. Thanks for those also.
Thanks for the tips! I want to make these recommendations to my blog but hesitated because of this question that I need answered…
Can you safely make these changes to an established blog?
Good question.
Yes to a new Admin id. The problem there is that if you have made posts using that id then they will get divorced from the new id as you will, in effect, be a new author. So that’s a decision that only you can take.
The table prefix is a bit trickier. You’d need to take your site off-line. You can change the prefix of tables (which is basically changing the table name) through a tool like phpMyAdmin. You can then change your config.php file to point to the new prefix.
But… there are also some rows of data in the usermeta table that prefix the actual data with your table prefix, so those would need carefully changing as well. But that, as far as I am aware, is all.
Update to this information…
On an established Blog you can create the new Admin account as before.
When you go to delete the old admin account, WP now asks if you want to delete the posts associated with that account, or assign them to a different author…
Simply assign the old posts and such to the new Admin account and all is right with the world.
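The table-prefix change described in the reply above (rename the tables, repoint wp-config.php, fix the usermeta rows that carry the prefix), as an added example that is not part of the original post or of any plugin: MySQL statements to run in phpMyAdmin or the mysql client against an existing WordPress 2.x database. The new prefix xk7_ is constructed; the table list is the ten core tables of a 2.3-era install and must be checked against what SHOW TABLES reports, since plugin tables (Simple Forum's included) carry the old prefix too. It also covers one row the reply does not mention, the wp_user_roles option.

```sql
-- Added example (not code from the original post). Migrates an existing
-- WordPress 2.x database from the default 'wp_' prefix to a constructed
-- prefix 'xk7_'. Assumes the site is offline and a backup exists; run it
-- against a copy first. The table list below is the ten core tables of a
-- 2.3-era install: compare it with the SHOW TABLES output and add every
-- plugin table that still starts with 'wp_'.
SHOW TABLES LIKE 'wp\_%';

RENAME TABLE
  wp_comments           TO xk7_comments,
  wp_links              TO xk7_links,
  wp_options            TO xk7_options,
  wp_postmeta           TO xk7_postmeta,
  wp_posts              TO xk7_posts,
  wp_term_relationships TO xk7_term_relationships,
  wp_term_taxonomy      TO xk7_term_taxonomy,
  wp_terms              TO xk7_terms,
  wp_usermeta           TO xk7_usermeta,
  wp_users              TO xk7_users;

-- Rows whose contents carry the prefix. Per-user capabilities and level
-- are stored under usermeta keys built from the prefix (wp_capabilities,
-- wp_user_level, ...); left alone, every account would log in with no
-- capabilities at all. SUBSTRING(... FROM 4) drops the three characters
-- 'wp_'. If a plugin of yours stores an unrelated key that happens to
-- start with 'wp_', narrow the WHERE clause to the keys you mean.
UPDATE xk7_usermeta
   SET meta_key = CONCAT('xk7_', SUBSTRING(meta_key FROM 4))
 WHERE meta_key LIKE 'wp\_%';

-- The role definitions themselves are an option named after the prefix
-- as well (wp_user_roles). Renamed explicitly rather than by pattern, so
-- that plugin options which merely begin with 'wp_' are left untouched.
UPDATE xk7_options
   SET option_name = 'xk7_user_roles'
 WHERE option_name = 'wp_user_roles';

-- Checks before bringing the site back: no table and no usermeta key
-- should still carry the old prefix, and every user should still have a
-- capabilities row (a NULL in the last column means a lost role).
SHOW TABLES LIKE 'wp\_%';
SELECT user_id, meta_key
  FROM xk7_usermeta
 WHERE meta_key LIKE 'wp\_%';
SELECT u.ID, u.user_login, m.meta_value AS capabilities
  FROM xk7_users u
  LEFT JOIN xk7_usermeta m
    ON m.user_id = u.ID AND m.meta_key = 'xk7_capabilities';
```

Only after these statements succeed should wp-config.php be edited to `$table_prefix = 'xk7_';` and the site brought back online; if the config is changed first, WordPress will see no tables at all and offer to run the installer. The RENAME TABLE statement renames all listed tables in one operation, so a typo in any name fails the whole rename rather than leaving the database half-migrated.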
So happy I found your site! Thanks for these tips, which I will implement now, and special thanks for SimpleForum and the PopUp Gallery!
Liane
WP2.3.2 is not letting me delete the original admin! How do I overcome this little obstacle?
You did create a new one first and then log in as the new one?
Aaaah! Thanks for the response Andy.
Thanks for this information, it was exactly what I needed - this page came up as the first result in my Google search. I’ve also been using your Admin Drop Down Menus plugin for a while now. Do you know if it will work with the next version of WordPress?
Wooah, don’t know what happened then, I had to close the cocomment feature down to be able to post that last comment - it kept getting stuck with trying to send to cocomment. Never seen that happen before, wonder if it will do it again?
LATER: Yep it did happen again….
cocomment? What is that please?
On the menus, then: currently no, it doesn’t work. The WP team are putting in place a new UI for the admin pages and at the moment it is hard to see where it is going. As is usual with the WP developers, they have not divulged to plugin authors what on earth is going on, what it will look like or how it will work. No doubt I will find out when it is released! But at the moment it doesn’t work.
Special thanks for this simple forum that can enable me to integrate with WP.