How to Delete the Admin user in WordPress

Notification – Global Brute Force Attack on the admin user in WordPress

About a week ago a major network of remotely controlled machines across the world started actively scanning for WordPress sites that may have weak administration passwords. This caused outages, slowness, and site access issues for some.

As long as you don’t use “admin” as a username you should be okay. Artbiz clients don’t have “admin” as a username.

Make sure passwords are not word-based, are totally random, and are long: over 14 characters with upper- and lower-case letters, symbols and numbers.

How to delete the admin user in WordPress and create a new admin user account.

To be on the safe side download a backup of your content first. Under Tools > Export select all and save to your computer.

Create the new user account first

  1. Log in with your “admin” username.
  2. Go to Users > Add New.
  3. Create a new admin user account with a strong user name that will be hard to guess. This means DO NOT use your name if it is also the title of your site. I use a combination of my 3 pets’ names, for example.
  4. Create a strong password that is a combination of upper- and lower-case letters, numbers and symbols, at least 14 characters in length.
  5. Make sure you provide administrative rights to the new user.
  6. Enter a Nickname that will display publicly as the author of your posts.

Deleting the admin user

  1. After you create the new user account with administrative privileges, log out.
  2. Log back in using the new credentials.
  3. Navigate back to Users > All Users.
  4. Under the user “admin” click Delete.
  5. On the next screen you will be prompted to attribute all the posts under the admin user to someone else. Select your new user account.
  6. Click the Confirm Deletion button.
  7. Voila, bad user name be gone.

That’s it. Any Questions?

More information on securing WordPress


Ultimate Security Checker

A few weeks ago I helped Frances Clements Fawcett Art get her blog back online after it was infected with malware. After we got the site back up I wrote the article “What to do if Your WordPress site Gets Hacked”.

In this article I list some measures you can take to prevent your site from being hacked in the first place, thanks to Ultimate Security Checker. This list is quite detailed and may not make sense to those of you who are not used to working behind the WordPress code. I would be more than happy to implement the following for you.

WordPress/Themes/Plugins Upgrades

You should upgrade your software often to keep it secure.
However, you shouldn’t upgrade WordPress yourself unless you know how to recover if the upgrade process goes wrong.

Here’s why you should be afraid to upgrade your WordPress:

  • WordPress might run out of memory or have a network problem during the update
  • There could be a permissions issue which causes problems with folder rights
  • You could cause database problems which could cause you to lose data or take your entire site down

Step-by-step explanations are available at WordPress Codex.

You can let the professionals do the work for you and upgrade your blog with plugins. See details.

Config file is located in an unsecured place.

The most important information in your blog files is located in wp-config.php. It’s good practice to keep it in the folder above your WordPress root.

Sometimes this is impossible to do because:

  • you don’t have access to the folder above your WordPress root
  • some plugins were developed incorrectly and look for the config file in your WordPress root
  • there is another WordPress installation in the folder above

Editing global variables or keys in config file.

Some of the keys AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY are not set.
Generate secret keys from this link https://api.wordpress.org/secret-key/1.1/ and paste them into wp-config.php.

It’s better to turn off the file editor for plugins and themes in the WordPress admin.
You don’t often edit your theme or plugin source code in the WordPress admin, so don’t let a potential hacker do it for you. Add the DISALLOW_FILE_EDIT option to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

The WP_DEBUG option should be turned off on a LIVE website.
Sometimes developers turn this option on while debugging your blog and leave it on after the website is done. That is very unsafe: it lets hackers see debug information and infect your site more easily. It should be turned off:

define('WP_DEBUG', false);

Removing the WordPress version from your website.

When the WordPress version used in your blog is known, a hacker can look for an exploit that matches that exact version.

To remove the WordPress version you should do two things:

  • check that it is not hardcoded in header.php or index.php of your current theme (search for )
  • add a few lines of code to functions.php in your current theme:
    function no_generator() { return ''; }
    add_filter( 'the_generator', 'no_generator' );

Removing unneeded files.

Users can see the version of WordPress you are running in the readme.html file.

When the WordPress version used in your blog is known, a hacker can look for an exploit that matches that exact version.

Remove the readme.html file, which is located in the root folder of your blog.
NOTE: It will reappear with the next upgrade of WordPress.

The installation script is still available in your WordPress files.
Remove /wp-admin/install.php from your WordPress installation.

Removing unnecessary error messages on failed log-ins.

By default WordPress tells you which part of your login credentials was wrong: the login or the password. This lets hackers confirm a valid login and then start a brute force attack against its password.

Add a few lines of code to functions.php in your current theme:

function explain_less_login_issues(){ return '<strong>ERROR</strong>: Entered credentials are incorrect.';}
add_filter( 'login_errors', 'explain_less_login_issues' );

Securing blog against malicious URL requests.

Malicious URL requests are requests that may contain SQL injection and would allow a hacker to break into your blog. Note that the filter below only matches the literal strings it lists; keeping WordPress, themes and plugins up to date remains the primary defence.

Paste the following code into a text file and save it as blockbadqueries.php. Once done, upload it to your wp-content/plugins directory and activate it like any other plugin.

<?php
/*
Plugin Name: Block Bad Queries
Description: Answers 400 Bad Request when the request URI contains common injection patterns.
*/
// Look at the raw request URI before WordPress does any further processing.
$bbq_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

// strpos() returns 0 for a match at the very start of the string, which a bare
// truth test would treat as "not found", so compare against false explicitly.
if ( strpos( $bbq_uri, "eval(" ) !== false ||
     strpos( $bbq_uri, "CONCAT" ) !== false ||
     strpos( $bbq_uri, "UNION+SELECT" ) !== false ||
     strpos( $bbq_uri, "base64" ) !== false )
  {
    @header("HTTP/1.1 400 Bad Request");
    @header("Status: 400 Bad Request");
    @header("Connection: Close");
    @exit;
  }
?>

Changing config file rights.

According to the WordPress Codex you should change the rights on wp-config.php to 400 or 440 to lock it from other users.

In real life a lot of hosts won’t allow you to set the last digit to 0, because they configured their web servers the wrong way. Be careful hosting on a web host like this.

Changing .htaccess file rights.

.htaccess rights should be set to 644 or 664 (depending on whether you want WordPress to be able to edit .htaccess for you).

Changing rights on WordPress folders.

According to the WordPress Codex, the rights on the following folders should be set like this.

Insufficient rights on wp-content folder!
/wp-content/ should be writable for all (777) according to the WordPress Codex, but it is better to set it to 755 and change it to 777 temporarily if a plugin asks you to do that.

Insufficient rights on wp-content/themes folder!
/wp-content/themes/ should have rights 755.

Insufficient rights on wp-content/plugins folder!
/wp-content/plugins/ should have rights 755.

Insufficient rights on core WordPress folders!
/wp-admin/ should have rights 755.
/wp-includes/ should have rights 755.

Changes in database.

Default admin login is not safe.
Using a MySQL frontend program (like phpMyAdmin), change the administrator username with a command like this:

update tableprefix_users set user_login='newuser' where user_login='admin';

Default database prefix is not safe.
Using a MySQL frontend program (like phpMyAdmin), change all table prefixes from wp_ to something different, and put the same prefix into wp-config.php:

$table_prefix  = 'tableprefix_';
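The two database changes above, worked through as an added example (not from the original post or from Ultimate Security Checker). The author’s one-liners leave out a step that matters: the prefix is also stored inside row values, in the options table (wp_user_roles) and in usermeta keys (wp_capabilities, wp_user_level), so those rows must be renamed as well or every administrator loses their role after the change. The prefix tableprefix_, the login newuser, the nicename site-editor and the table list are assumptions for illustration; take a database backup before running it.

```sql
-- 1. Rename the core tables from the default wp_ prefix to tableprefix_.
--    Add any plugin tables that also start with wp_ to this list.
RENAME TABLE
  wp_commentmeta        TO tableprefix_commentmeta,
  wp_comments           TO tableprefix_comments,
  wp_links              TO tableprefix_links,
  wp_options            TO tableprefix_options,
  wp_postmeta           TO tableprefix_postmeta,
  wp_posts              TO tableprefix_posts,
  wp_terms              TO tableprefix_terms,
  wp_term_relationships TO tableprefix_term_relationships,
  wp_term_taxonomy      TO tableprefix_term_taxonomy,
  wp_usermeta           TO tableprefix_usermeta,
  wp_users              TO tableprefix_users;

-- 2. The prefix is also embedded in row values. Without these two updates
--    WordPress cannot find the role definitions or any user's capabilities.
UPDATE tableprefix_options
   SET option_name = 'tableprefix_user_roles'
 WHERE option_name = 'wp_user_roles';

-- Rewrites wp_capabilities, wp_user_level and the other wp_ keys.
-- The backslash stops LIKE from treating the underscore as a wildcard.
UPDATE tableprefix_usermeta
   SET meta_key = CONCAT('tableprefix_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Rename the administrator login (the command from the post).
--    user_nicename is the slug shown in author archive URLs, so give it a
--    value that does not reveal the new login either.
UPDATE tableprefix_users
   SET user_login    = 'newuser',
       user_nicename = 'site-editor'
 WHERE user_login = 'admin';

-- 4. Verify: no wp_ leftovers should remain in these two places.
SELECT option_name FROM tableprefix_options WHERE option_name LIKE 'wp\_%';
SELECT user_id, meta_key FROM tableprefix_usermeta WHERE meta_key LIKE 'wp\_%';
```

Both verification queries should return no rows; then set $table_prefix in wp-config.php as shown above and log in with the new username.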

Your uploads directory is browsable from the web.

Put an empty index.php in your uploads folder.

Your server shows too much information about installed software.

If you’re using the Apache web server and have root access (or can edit httpd.conf), you can set the ServerTokens directive to the preferred option (less info is better).

Keep your blog secure with automated checks.

A lot of these security vulnerabilities are put back in place when themes and the WordPress core are updated. You need to run regular checks using “Ultimate Security Checker”, or register for their service and they will check your blog weekly and email you the results.

Ultimate Security Checker also has a paid service which automatically fixes these vulnerabilities. Another exceptionally good malware removal service and scanner is Sucuri Scanner. Sucuri also has a paid service that removes malware with an extraordinarily short turnaround time; they understand the urgency.

Sucuri Scanner will automatically harden three of the most vulnerable penetration points of a WordPress site with the click of a button. With the built-in malware scanner you can scan your site on demand, which provides a tremendous amount of peace of mind.

The content for this post is information provided by Ultimate Security Checker. I install, run and fix with both Ultimate Security Checker and Sucuri Scanner on all client sites.

RELATED POST: How to delete the “admin” user in WordPress


What To Do If Your WordPress Site Has Been Hacked

Last week I was hired to help an artist get her WordPress blog back up. When I went to the site all that was there was a blank white page. At first I thought it was a simple plugin conflict and if so a quick fix, but alas it was not.

The site was hacked with Malware/iframe virus code.

The first thing you have to do when this happens, as outlined in this great article from WordPress, is stay calm.

Ya right, your site is gone, all your hard work and Google may penalize you.

No really, you must get hold of yourself, there are logical steps to take to get your site back online and one of them is to use your WordPress Backups, but first…

  1. SCAN your computer for Malware and viruses. It could be that you inadvertently downloaded something and infected your computer. The Malware is lying in wait for you to upload something to your site and then goes with it.
  2. CHECK with your hosting company, they should be able to remove the virus.
  3. CHANGE your FTP, WordPress and database passwords. Also change the secret keys contained in your wp-config.php file. There is a link there where you can generate, copy and paste them in to the file.
  4. UPGRADE WordPress and plugins; this will help prevent a hack in the first place. This is one of the most important things you can do to protect your site. If you are at all uncomfortable with executing upgrades, Artbiz offers an upgrade service.
  5. DELETE everything and start over. Not what you were hoping to hear but sometimes this is the most expedient way to restore your site. Download and install the latest version of WordPress and restore a clean copy of your database from your database backup.
  6. BACKUP! Keep at least three weekly database backups. If you back up daily then you may want to keep a week’s worth so that you can go back far enough to get a clean copy. You can export a database backup from phpMyAdmin or install a database plugin that will export a backup right from the WP Dashboard.

Regarding item #6: The WordPress Export Tool is not the same as a database backup.

The export tool only creates a file that contains your posts, pages and upload content, while a database backup creates a file that contains your site configuration.

It is important to note that while the database backup does contain the site configuration and even NextGen Gallery image descriptions, it does not contain the physical images, themes or plugin files.

You should be performing both forms of backup, because if your database cannot be restored, at least you have your content!

What steps have you taken to create WordPress Backups?
