Use Strong Usernames for Better Security
Image courtesy of eChunks.com Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames..
Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. Usually, the email notifications are sent directly from my WordPress installation. They look similar to the following:
Someone has requested a password reset for the following account: https://example.com/ Username: myusername If this was a mistake, just ignore this email and nothing will happen.
Besides this just being annoying, random people/scripts should not be able to guess your admin username, let alone request to change it.
Another layer of security
Even if it’s virtually impossible to change somebody else’s password without access to their email account, keeping admin-level usernames random and difficult to guess adds another layer of protection to your site. So that’s the basic idea:
Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.
Why? One good reason is the very common brute-force type of attack, where scumbags run scripts trying different password/username combinations to gain access to your site. This is significantly more time-consuming and difficult to accomplish when having to guess not just the password, but also the username.
It’s a simple yet effective way to add another layer of security
Using a difficult to guess username is like having two passwords for your account. I think this is a good way to add more protection, especially for admin-level accounts.
Keep it secret
It’s important to understand that some CMS/apps may display the admin username on the front-end of your site. For example, depending on your theme and plugins, WordPress may do this on various types of page views (e.g., Author Archives). So if possible, change the settings or template code to prevent this.
For example, in WordPress you can change which version of your name is displayed by visiting your User Profile settings. There you can change the Display Name to something other than the actual admin username. So even if you are using the default username, “admin”, or something else that is easy to guess, you can “hide” it from evil-doers by simply setting the Display Name setting to something else.
I picked up the username ‘superman’ on WordPress.com years ago and I get about 5 password reset emails every month. Invariably, someone ends up on the page (which I don’t post to often) and submits a password reset. So, yes, this is good advice.
Great username! (but yeah maybe could be more difficult to guess)
Thanks for the feedback, Chris.
I’m afraid that the tip to change the display name doesn’t work to mask the real username. If you go to example.com/author/display-name/ you will see a 404. In other words the archive is always attached to the actual username.
I think it should be possible to change that, probably with a rewrite rule or something?
As for your suggestion to use more difficult usernames, ever since I have the 1Password app to manage all my passwords, my usernames are similar to my passwords, because I don’t need to remember them anyway anymore.
Another idea to make a username specific to the site you need it for and then use a letter scrambler to mix up the letters to make it more difficult (read: near impossible) to guess. “pietfacebook” could then become “pefkbaiecoto” using the letter scrambler here.
I’m not sure about the username archive always being the case, here is mine:
..but “perish” is not my username. It could be because I changed it awhile ago, but I’m not sure. Either way, just because the resource exists, if it’s not linked to from anywhere then it’s the same as trying to guess a password (i.e., some are stronger than others).