Hey, admin, hide your login!
I bet that you, as a WordPress developer, know very well that using “admin” for your administrator account isn’t very clever. Nor “administrator”, or anything like that. Once I saw “root”. Even the WordPress installer will tell you so. Use something different, maybe “top-secret-user”. That is good advice, true.
Why should we avoid that? Because an attacker who discovers your administrator account’s login may use it (in some top secret magical way) to attack your site. It isn’t a joke, it is a real possibility. So everybody should know that and apply it to their sites.
But… there is a small catch… Many sites reveal your admin login with this:
    http://example.com/?author=1
and this may redirect you to something like:
    http://example.com/author/top-secret-login
That isn’t very good. So, what to do? There are at least two ways to fight it.
Trick the attacker
1. Create the “admin” account during installation.
2. Create a few other accounts.
3. Create the real administrator account with a login like “fVkr9ezfRdf”.
4. Make all other users (including “admin”!) subscribers…
Disable ?author redirection.
That is the funny one. Write something like this to your functions.php file:
    // Priority 1 runs this before redirect_canonical() (hooked at priority 10),
    // which would otherwise already have sent the 301 to /author/<login> and
    // leaked the name in the Location header before our code ran.
    add_action( 'template_redirect', 'erfvev_template_redirect', 1 );
    function erfvev_template_redirect() {
        // Any author archive request, including ?author=N, goes back to the front page.
        if ( is_author() ) {
            wp_redirect( home_url() );
            exit;
        }
    }
I wrote a small plugin to do this for you.
PS: of course you may, and should, use both methods at once.
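As an added example (not the author’s snippet or plugin), a must-use plugin that takes the second method further: every author archive, including ?author=N, is answered with a plain 404 instead of a redirect, so neither a Location header nor a 200 for an existing author versus a 404 for a missing one gives the login away, and numeric probes are written to the PHP error log for detection. It assumes a stock WordPress install where a file in wp-content/mu-plugins/ is acceptable; the log message format is my own.

```php
<?php
/**
 * Plugin Name: Hide Author Archives (added example, not the post's plugin)
 * Description: Answer every author archive with a 404 and log enumeration attempts.
 *
 * Assumption: saved as wp-content/mu-plugins/hide-author-archives.php.
 */

// Priority 1 runs before redirect_canonical() (hooked at priority 10), the
// function that turns ?author=1 into a 301 to /author/<nicename>/ and would
// otherwise leak the slug in the Location header before this code ever ran.
add_action( 'template_redirect', 'hide_author_archives_404', 1 );

function hide_author_archives_404() {
    // is_author() is true for both the pretty /author/<nicename>/ form
    // and the raw ?author=N query; everything else is left alone.
    if ( ! is_author() ) {
        return;
    }

    // Detection: a numeric ?author=N is what an enumeration run looks like.
    // Where error_log() lands depends on the PHP configuration.
    if ( isset( $_GET['author'] ) && preg_match( '/^[0-9]+$/', (string) $_GET['author'] ) ) {
        $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'author enumeration attempt: author=%d from %s',
            (int) $_GET['author'], $client ) );
    }

    // Turn the request into a plain 404. set_404() also clears the is_author
    // flag, so redirect_canonical() later takes its 404 branch and sends no
    // redirect. Existing and non-existent user IDs now receive the identical
    // response, which closes the "200 for a real author, 404 otherwise" oracle.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    // template-loader.php now picks the theme's 404 template as for any unknown URL.
}
```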