Why you shouldn’t use an Administrator-level WordPress user whenever possible

If you're like most people, you use an Administrator-level account for your WordPress site all the time. Even doing something simple like comment moderation or posting something new, you use the admin account (minus 5 Spanky-points if its username is “admin”). It's just easier, right?

What if an asshat hacker gets into that account? They can do anything you can. Delete posts, put spam links in content and menus, mess up your theme settings, even create their own user so they can get in if you change your password.

How could they get in, you ask? A few ways…


The obvious way is password-guessing: just throwing password after password after password at your site, trying to log in. Good news: this is easy to stop! Don't use admin as your Administrator username (so they have to guess the username as well as the password); use a strong password; and limit the number of times someone can fail to log in before they're locked out.
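Here is what "limit the number of times someone can try to log in and fail" looks like in practice. This is an added example written for this post, not code from the post or from any plugin it names: a must-use plugin that counts failed logins per client address and username with WordPress transients, and refuses further attempts once a limit is reached. The limits, the `lal_` prefix and the `LAL_*` constant names are assumptions chosen for the example; the hooks and functions (`wp_login_failed`, `authenticate`, `wp_login`, `set_transient`, `get_transient`, `delete_transient`) are standard WordPress.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not from the post)
 *
 * Save as wp-content/mu-plugins/login-attempt-limiter.php so it loads on every request.
 * Failed logins are counted per (client IP, username) pair in a transient; once the
 * count reaches the limit, further attempts for that pair are refused for a while,
 * even if the password is correct.
 */

// Tunable values (assumptions for this example).
define( 'LAL_MAX_ATTEMPTS', 5 );                        // failures allowed before lockout
define( 'LAL_WINDOW', 15 * MINUTE_IN_SECONDS );          // how long failures are remembered
define( 'LAL_LOCKOUT', HOUR_IN_SECONDS );                // how long a locked-out pair stays locked

// Build one transient key per (client IP, username) pair.
function lal_key( $username ) {
    // REMOTE_ADDR is the real client when PHP talks to the visitor directly. Behind a
    // reverse proxy or CDN every visitor would share one address, so read the proxy's
    // forwarded header there instead, and only when that proxy is trusted.
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $user = strtolower( sanitize_user( (string) $username, true ) );
    return 'lal_' . md5( $ip . '|' . $user );
}

// Count each failure. WordPress fires this after any authentication error except an
// empty username or password, including the lockout error below, so every attempt
// made during a lockout refreshes the lockout timer.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    $ttl      = ( $attempts >= LAL_MAX_ATTEMPTS ) ? LAL_LOCKOUT : LAL_WINDOW;
    set_transient( $key, $attempts, $ttl );
} );

// Refuse logins for a locked-out pair. Priority 30 runs after the core password check
// (priority 20), so a WP_Error returned here wins even when the password was right.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( lal_key( $username ) ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lal_key( $user_login ) );
}, 10, 1 );
```

Transients are a deliberate choice: they expire on their own, so there is nothing to clean up, and on a site with an object cache they live in memory rather than in the database. Keying on both the address and the username means one guesser hammering a single account is stopped quickly, while a typo-prone colleague on a different address is not locked out by someone else's attempts.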


Because password-guessing is so easy to stop, the asshats have come up with other methods. A favourite is to infect as many computers as possible with a virus and have the virus keep an ear out for passwords. This way they collect a lot of FTP logins and logins for things like WordPress without much effort. The only way to defeat this type of attack is to make sure your computer, and your team's computers, have good, up-to-date anti-virus and anti-malware software. Especially if you're using a Mac. There's still an idea in the Mac community that Macs don't get viruses, and the asshats take ruthless advantage of this myth.

And it's not just your computer you should be worried about. Are you sure your VA's or team's computers are secure?


This last way is probably the scariest one. They take advantage of when you're relaxed, enjoying yourself… thinking you're safe. You're in Starbucks. Having a coffee (or five), doing some work. But who's that sitting innocently at the next table? He's stealing your login information? Surely not!

Wireless networks for customers, like the ones in coffee shops, aren't secured or encrypted. Everyone's computer "sees" everyone else's traffic. You don't see what other people are doing because your computer knows to ignore it. But what if you tell your computer not to ignore it? To suck it in, analyse it, and look for login events and passwords?

Programs that do that, literally sucking usernames and passwords out of the air, do exist, and they're easy to use. There are even programs dedicated to looking for social media logins. So on any network you don't absolutely control and aren't sure is secure, don't log in to anything you care about.

Action steps

  • Create yourself a new WordPress user with the lowest level of access that makes sense for you. Normally, this is Editor, which allows you to create and publish content, approve comments, and manage categories and tags. Use this user whenever possible, and always in public places.
  • Create a new user for each member of your team (or edit their current user to give it a lower permission level).
  • Have a cookie (you deserve it 🙂 )
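The first two action steps, done in one go. This is an added example written for this post, not code from the post: a script run with WP-CLI's `wp eval-file` that lists every Administrator account, creates a new Editor account with a generated password, and downgrades named team members from Administrator to Editor. The logins and e-mail address at the top are placeholders you replace with your own; `get_users`, `wp_insert_user`, `wp_generate_password`, `get_user_by` and `WP_User::set_role` are standard WordPress functions, and `WP_CLI::log`/`success`/`warning`/`error` are WP-CLI's output helpers.

```php
<?php
/**
 * least-privilege-users.php (added example, not from the post)
 *
 * Run from the site's root directory:  wp eval-file least-privilege-users.php
 *
 * 1. Lists every Administrator so you can see who can do anything on the site.
 * 2. Creates an Editor account for day-to-day work (posting, comment moderation).
 * 3. Downgrades the named team accounts from Administrator to Editor, never
 *    removing the last Administrator.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this with: wp eval-file least-privilege-users.php\n" );
}

// Placeholders for this example: replace with your own logins and address.
$new_editor_login  = 'jane-editor';
$new_editor_email  = 'jane@example.com';
$team_to_downgrade = array( 'bob', 'va-account' );

// 1. Audit the Administrator accounts.
$admins = get_users( array( 'role' => 'administrator' ) );
foreach ( $admins as $admin ) {
    $note = ( 'admin' === $admin->user_login ) ? '  <-- replace this username' : '';
    WP_CLI::log( sprintf( 'Administrator: %s (%s)%s', $admin->user_login, $admin->user_email, $note ) );
}

// 2. Create the low-privilege account. The generated password is shown once;
//    put it in a password manager rather than re-using an existing one.
if ( username_exists( $new_editor_login ) || email_exists( $new_editor_email ) ) {
    WP_CLI::warning( "User {$new_editor_login} (or that e-mail) already exists; skipping creation." );
} else {
    $password = wp_generate_password( 24, true, true );
    $user_id  = wp_insert_user( array(
        'user_login' => $new_editor_login,
        'user_email' => $new_editor_email,
        'user_pass'  => $password,
        'role'       => 'editor',
    ) );
    if ( is_wp_error( $user_id ) ) {
        WP_CLI::error( 'Could not create user: ' . $user_id->get_error_message() ); // exits
    }
    WP_CLI::success( "Created Editor {$new_editor_login} (ID {$user_id}). Password: {$password}" );
}

// 3. Downgrade team accounts. set_role() replaces every role the user has with the
//    new one, so a former Administrator ends up as exactly an Editor.
$admin_count = count( $admins );
foreach ( $team_to_downgrade as $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        WP_CLI::warning( "No user named {$login}; skipping." );
        continue;
    }
    if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
        WP_CLI::log( "{$login} is already below Administrator (" . implode( ',', $user->roles ) . ')' );
        continue;
    }
    if ( $admin_count <= 1 ) {
        WP_CLI::warning( "{$login} is the last Administrator; leaving it alone." );
        continue;
    }
    $user->set_role( 'editor' );
    $admin_count--;
    WP_CLI::success( "Downgraded {$login} from Administrator to Editor." );
}
```

Keep the one remaining Administrator for the rare jobs that actually need it (installing plugins, changing themes, adding users) and log in with it only from a computer and network you control, which is exactly the point of the post.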
