When you’re dealing with WordPress, security should always be an area that you take seriously.
Remember, WordPress is open source, and as such, hackers trying to break into sites that run on the WordPress platform have access to its source code. This in itself isn’t that big of a deal; however, the fact that most WordPress websites are also running third-party plugins adds to the security risk.
Perhaps a plugin developer has unknowingly left a security vulnerability in their plugin, and once this vulnerability is discovered by the right hacker, every website running that particular plugin is ripe for the picking.
I’m not warning you to batten down the hatches, go sit in a closet, and say Hail Marys; security just needs to be on your radar.
Also, you may not even know that your website has been hacked until a much later date, depending on what the hacker decides to do once they’ve gained access to your website. Perhaps they just want to take your site offline, in which case I hope you have a backup. Perhaps they just want to make a fool out of your website and post unsavory content all over it to damage your image and wreak havoc. Perhaps they want to be crafty: see what affiliate advertisements you’re running, sign up for those affiliate programs, and then replace your affiliate links with theirs, so that your website traffic brings them commissions instead of you! The point is, it’s up to them, and I can promise you, no matter what they decide to do, it’s not going to be a good thing for you. They may even contact you and try to sell you security improvements based on the fact that they’ve already hacked your website. Now there’s a killer sales pitch, if they haven’t touched anything, and they’re very brave.
One very simple security improvement you can make easily, and which has a big positive impact on WordPress security, is changing your admin username. Remember, the default username is ‘admin.’ If you’re running the default username, you’ve handed a would-be hacker 50% of the login credentials to your dashboard before they even lift a finger to attempt to gain entry. This is definitely a bad idea, but I see it all the time.
Another mistake I see all the time is displaying the admin username in the byline, e.g. “by admin.”
In this case, even if you have changed the default username, you’re advertising it openly, so again, you’ve handed any would-be hackers 50% of your login credentials.
You cannot change usernames in the “User” dashboard menu, but some security plugins support this feature. What you can do from the dashboard, however, is create a new admin user with a custom username, and then remove the original admin user.
You can also control the publicly displayed author name in the user dashboard. However, the link to the author archive will still be based on the author’s username, for instance: http://website.com/author/admin
This means that if you’re displaying the byline with a link to the author archive, a hacker can still very easily find your username.
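The user swap described above, and the fact that the author archive URL still reveals the new login, can be done and checked in one go from the command line. The script below is an added example written for this post, not code from the original article or from WordPress itself. It assumes a single-site install, that it is run with WordPress loaded (for instance `wp eval-file replace-admin-user.php` with WP-CLI), and that `OLD_LOGIN`, `NEW_LOGIN` and `NEW_EMAIL` are placeholders you edit first. It refuses to create another guessable login, creates the replacement administrator, reassigns the old account’s content to it (so deleting the old user does not delete your posts), deletes the old account, and finally prints the new author archive URL so you can see the username is still exposed there.

```php
<?php
/**
 * One-off script: replace the default "admin" account with an administrator
 * under a custom username. Added example, not code from the original post.
 * Run with WordPress loaded, e.g.:  wp eval-file replace-admin-user.php
 */

const OLD_LOGIN = 'admin';                    // account to retire
const NEW_LOGIN = 'REPLACE-WITH-UNIQUE-NAME'; // placeholder: pick something not guessable
const NEW_EMAIL = 'owner@example.com';        // placeholder: a real mailbox you control

/** Logins that hand an attacker half of the credentials for free. */
function is_default_style_login( string $login ): bool {
    $weak = array( 'admin', 'administrator', 'root', 'test', 'user', 'wordpress' );
    return in_array( strtolower( trim( $login ) ), $weak, true );
}

/**
 * Create a new administrator, move the old account's content to it,
 * delete the old account, and return the new user's ID.
 */
function replace_admin_user( string $old_login, string $new_login, string $new_email ): int {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here

    if ( is_default_style_login( $new_login ) ) {
        throw new RuntimeException( "Refusing to create another guessable login: $new_login" );
    }
    if ( ! is_email( $new_email ) ) {
        throw new RuntimeException( "Not a valid e-mail address: $new_email" );
    }
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        throw new RuntimeException( "No user with login '$old_login' found; nothing to do" );
    }
    if ( username_exists( $new_login ) ) {
        throw new RuntimeException( "Login '$new_login' is already taken" );
    }

    // Create the replacement administrator with a random password; the owner
    // then sets their own password through the normal "lost password" flow.
    $new_id = wp_insert_user( array(
        'user_login'   => $new_login,
        'user_email'   => $new_email,
        'user_pass'    => wp_generate_password( 32, true, true ),
        'role'         => 'administrator',
        'display_name' => $old->display_name, // keep the public name unchanged
    ) );
    if ( is_wp_error( $new_id ) ) {
        throw new RuntimeException( $new_id->get_error_message() );
    }

    // Delete the old account; the second argument reassigns its posts and
    // pages to the new user instead of deleting them along with the account.
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        throw new RuntimeException( "Could not delete user #{$old->ID}" );
    }
    return $new_id;
}

$id = replace_admin_user( OLD_LOGIN, NEW_LOGIN, NEW_EMAIL );
echo "Created administrator #$id and removed '" . OLD_LOGIN . "'.\n";

// The author archive URL is built from the user slug, which WordPress derives
// from the login, so the new username is still visible in this address:
echo 'Author archive: ' . get_author_posts_url( $id ) . "\n";
```

Keep a database backup before running it, and log in with the new account right away; the last line is the reason the rest of this post still applies after the rename.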
My recommendation is that if you’re not willing to take the steps necessary to protect against brute force attacks, do not display the byline at all. This can be done by manually editing your theme files. Remember, you can log in to WordPress using the username, nickname, or display name of a given user! Even if you’re displaying the byline with your display name, you’ve still given the hacker your username.
Even after doing all of this, search engines will index your author archive page, so it’s a good idea to add a line to your robots.txt file to disallow indexing of author archives. If your author archive link isn’t freely available somewhere online, the hacker will have to figure out some way to guess your username as well as your password, making any brute force attack twice as difficult; theoretically it takes twice as long and twice as much computing.
Your best bet is always going to be to protect your website from brute force attacks; however, taking measures like these is always a step in the right direction if you do not need the author archives for anything specific.
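If you would rather not edit every theme template by hand, the three measures just described (no byline link, no usable author archive, and a robots.txt rule) can be applied from one must-use plugin. The file below is an added example written for this post, not code from the original article or from any theme; it assumes you drop it into `wp-content/mu-plugins/` on a single-site install. It only neutralises bylines that go through the standard `the_author_posts_link` / `author_link` functions, so a theme that prints the login some other way still needs the manual edit the post recommends.

```php
<?php
/**
 * Plugin Name: Hide author logins
 * Description: Added example (not code from the original post). Drops the
 * link from bylines, answers all author archive requests the same way, and
 * keeps /author/ out of the generated robots.txt.
 */

// 1. Bylines: keep the display name, drop the link to /author/<login>/.
add_filter( 'the_author_posts_link', function ( $link ) {
    return esc_html( get_the_author() );
} );

// Themes that build their own link with get_author_posts_url() get the
// home page instead of the author archive.
add_filter( 'author_link', function ( $url, $author_id, $author_nicename ) {
    return home_url( '/' );
}, 10, 3 );

// 2. Author archives: send every author request (by slug or by ID) to the
// home page, whether or not the user exists, so the archive can never
// confirm that a particular username is valid.
add_action( 'template_redirect', function () {
    $by_slug = (string) get_query_var( 'author_name' );
    $by_id   = (string) get_query_var( 'author' );
    if ( '' !== $by_slug || '' !== $by_id ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 ); // priority 1: runs before WordPress' own canonical redirect (priority 10)

// 3. Keep search engines out of the author archives. This filter only applies
// to the robots.txt WordPress generates itself; if a physical robots.txt
// exists in the web root, add the same "Disallow: /author/" line there.
add_filter( 'robots_txt', function ( $output, $public ) {
    $path = (string) parse_url( site_url(), PHP_URL_PATH ); // '' for a root install
    return $output . "Disallow: $path/author/\n";
}, 10, 2 );
```

After installing it, open one of your posts and the site’s /robots.txt while logged out and confirm the byline has no link, that /author/&lt;anything&gt;/ returns the same redirect for an existing and a made-up name, and that the Disallow line is present.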