Changing WordPress defaults — 3 Comments

  1. Good post! A lot of new DIY WordPress site owners often don’t know about these two security issues that come default with any new installation of WordPress.
     
    I cheat a bit though. When I used to do a fresh install of WordPress (and forgot to change the default account) the first thing I did was to log in under the default “admin” account, go to “Users” and create my own user account with administrative privileges. Then I’d log out of “admin” and log in under the new account and delete the default “admin” account.
     
    For changing the default “wp_” DB prefix, lately I’ve been using the script that comes with the “WebsiteDefender WordPress Security” plugin. It works well with my web host and it does require a bit of preparation on the user’s part before running (mainly temporarily changing permissions for “wp-config”) but once the preliminaries are completed it automatically changes the prefix to what you specify in the DB as well as in “wp-config”. Once complete, change the permissions back to what they were and you’re done.
     
    Sure, I know running automated scripts has its risks but I figure that in my current condition both mentally and physically, it’s just as risky doing it myself. 😉

  2. Setting up a new user with Administration level access is of course another simple way to do things, and I have done that a few times. There are a couple of reasons why I prefer to just change the username though. One is that I have gotten used to a particular password (or rather, my browser has 😉 ). The other is that adding a new user demands a new email address, and the correct address is already used by the Admin setup.
    I have never used the auto-fix feature of WebsiteDefender WordPress Security plugin, though not for the lack of trying. It just tells me that my database user doesn’t have sufficient rights, which is fair enough. Like yourself, I’m always a little wary of using automated features. The process above may seem lengthy and complex, but it has the advantage of setting all the changes that are made, so in the event of a total disaster the process can just be reversed. For example, when modifying the database dumps, I always keep the originals so that I can use them in an emergency.
    Of course this is another point that may be overlooked – any database backups taken before the modification must be deleted, as restoring them would corrupt the whole system again.

  3. Laughingly enough I always used the “wrong” email address when I set up a fresh install of WordPress. Then I could use the correct email address with my (new) user and then delete the default user. I have enough email addresses to go around so no sweat. Besides, on my server for some oddball reason, the only email address I am able to use is the default wordpress (at) sitename.com. Otherwise WordPress will not send out any notifications whatsoever if I use another email address (comment notifications, etc). I used to have a plugin that used to fix that but it hasn’t worked for a long time now. It’s supposed to be a security thing.
     
    Yup, I used to do the “change DB prefix manually” thing myself which is why I’m very glad the script works. Always have the backup in case of screw ups though.
