Changing WordPress defaults
If there is one thing a hacker likes, it’s default settings.
Two of the settings in WordPress that originally were unchangeable were the default user – admin, and the database table prefix – wp_.
Nowadays both these can be changed at the time of installation but many people fail to do so and they remain at the default.
Changing them on an established site is not too difficult. Once you have a tool like phpMyAdmin then it is pretty straightforward.
Changing the default username is the simplest job of all – simply open the ‘wp_users’ table and change the user_login to something other than ‘admin’. The password and permissions will remain the same. From experience, hackers trying a brute force attack will always use admin because a) that’s the default and b) trying to crack a username as well as a password is exponentially more difficult.
Changing the database table names is a little more time consuming.
First of all, the site needs to be taken offline, as any changes (such as comments) made during the fix will more than likely be lost. I use the Ultimate Maintenance Mode plugin for this.
Next you need to check the maximum upload file size allowed by your server. A simple way to check is to select “Import” in phpMyAdmin and it will tell you. A typical value would be around 10 to 15 MB. The reason for this check is that it is easy to download a database dump, but you may not be able to upload it again if the file is too big. Most small sites will give little trouble, but a larger, well established site with thousands of posts and tens of thousands of comments will generate a dump well in excess of the limit. The simple way around this is to export the database in batches, a group of tables at a time. Compression is another way around this, but for the sake of simplicity it’s best to use a plain SQL dump rather than a compressed one.
Once the file (or files) has been downloaded it is a simple matter of opening it (or them) in a text editor and doing a Search and Replace. Note however that within the dump file there are two types of single quote:
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE IF NOT EXISTS `wp_posts` (
`ID` bigint(20) unsigned NOT NULL auto_increment,
`post_author` bigint(20) unsigned NOT NULL default '0',
Both types are shown in the above example. The oblique quote (the backtick) wraps identifiers such as `wp_posts`, while the straight quote wraps the string value '0'. When doing the Find and Replace it is essential to use the oblique version, so that only table and column names are changed and not text that happens to contain “wp_” inside a quoted value. Copying the backtick from the dump file into the Find box is the simple solution.
Decide on a new table prefix (I’ll call it ‘fixed_’) and then do the Find (`wp_) and Replace (`fixed_) on each and every SQL dump file. Once that is complete, import the file(s) back into the database. You should now have doubled the number of tables, half with the old prefix and the rest with the new.
Now open up the file wp-config.php and change the value of $table_prefix to the new one.
The site is now ready for public viewing, but you will find one rather nasty looking problem – when you try to access the Dashboard or the Admin area you will get a message –
“You do not have sufficient permissions to access this page”
To fix this, (using phpMyAdmin) open up the table ‘fixed_usermeta’ and modify any data in the ‘meta_key’ field that starts with the old ‘wp_’ to the new prefix ‘fixed_’. You should end up with fields containing the likes of ‘fixed_capabilities’ and ‘fixed_user_level’.
Lastly, open the table ‘fixed_options’. You will see an entry under ‘option_name’ called ‘wp_user_roles’. Change that to ‘fixed_user_roles’.
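The whole procedure above, plus the username change from earlier in the post, as an added worked example (this is editorial example code, not the post author’s script and not a WordPress tool). It assumes a constructed dump excerpt and a constructed in-memory SQLite database standing in for the freshly imported ‘fixed_’ tables; the table layouts, row contents, the function names and the replacement login ‘siteowner’ are all assumptions. The dump rewrite anchors the search on the backtick so quoted values are left alone, the usermeta fix tests the prefix with substr() because ‘_’ is a wildcard in LIKE, and the user rename returns the public-facing name columns too, since changing user_login alone leaves them reading ‘admin’.

```python
import re
import sqlite3

# Constructed excerpt of a MySQL dump in the shape of the lines quoted in the
# post. Identifiers sit in backticks (the "oblique" quote); string literals sit
# in straight quotes. The INSERT row deliberately mentions "wp_posts" inside a
# string literal, which a naive replace of wp_ would corrupt.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE IF NOT EXISTS `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL auto_increment,
  `post_author` bigint(20) unsigned NOT NULL default '0',
  `post_content` longtext NOT NULL
);
INSERT INTO `wp_posts` VALUES (1, 1, 'See the wp_posts table in phpMyAdmin');
"""


def rename_prefix_in_dump(dump: str, old: str = "wp_", new: str = "fixed_") -> str:
    """Step 1: rewrite the dump text, touching only backtick-quoted identifiers.

    Searching for backtick + old prefix (what the post recommends) leaves
    string literals such as 'See the wp_posts table' untouched.
    """
    return re.sub("`" + re.escape(old), "`" + new, dump)


def build_demo_db(new: str = "fixed_") -> sqlite3.Connection:
    """Constructed in-memory stand-in for the tables after re-import under the
    new prefix. Row contents are invented; the meta_key and option_name values
    mirror what WordPress stores."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE `{new}users` (ID INTEGER PRIMARY KEY, user_login TEXT,
                                   user_nicename TEXT, display_name TEXT);
        CREATE TABLE `{new}usermeta` (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                      meta_key TEXT, meta_value TEXT);
        CREATE TABLE `{new}options` (option_id INTEGER PRIMARY KEY,
                                     option_name TEXT, option_value TEXT);
        INSERT INTO `{new}users` VALUES (1, 'admin', 'admin', 'admin');
        INSERT INTO `{new}usermeta` (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{{s:13:"administrator";b:1;}}'),
            (1, 'wp_user_level', '10'),
            (1, 'nickname', 'admin'),
            (1, 'wpx_theme_note', 'starts with wp but not with wp_');
        INSERT INTO `{new}options` (option_name, option_value) VALUES
            ('wp_user_roles', 'a:0:{{}}'),
            ('siteurl', 'http://example.invalid');
    """)
    return conn


def fix_prefixed_rows(conn: sqlite3.Connection, old: str = "wp_", new: str = "fixed_") -> tuple:
    """Steps 2 and 3 from the post: rename usermeta keys that start with the old
    prefix, then rename the user_roles option. Returns (usermeta rows, option rows).

    The prefix test uses substr() rather than LIKE 'wp_%' because '_' is a
    one-character wildcard in LIKE and would also match keys such as 'wpx...'.
    This is SQLite SQL; in MySQL use CONCAT(?, SUBSTRING(meta_key, ?)) instead of ||.
    """
    cur = conn.cursor()
    cur.execute(
        f"UPDATE `{new}usermeta` SET meta_key = ? || substr(meta_key, ?) "
        "WHERE substr(meta_key, 1, ?) = ?",
        (new, len(old) + 1, len(old), old),
    )
    usermeta_rows = cur.rowcount
    cur.execute(
        f"UPDATE `{new}options` SET option_name = ? WHERE option_name = ?",
        (new + "user_roles", old + "user_roles"),
    )
    options_rows = cur.rowcount
    conn.commit()
    return usermeta_rows, options_rows


def meta_keys(conn: sqlite3.Connection, prefix: str = "fixed_") -> list:
    """Return the usermeta keys in sorted order, for checking the result."""
    rows = conn.execute(f"SELECT meta_key FROM `{prefix}usermeta` ORDER BY meta_key").fetchall()
    return [r[0] for r in rows]


def rename_admin_user(conn: sqlite3.Connection, prefix: str = "fixed_",
                      new_login: str = "siteowner") -> dict:
    """The simpler change from the post: rename the login of user ID 1.
    user_nicename (used in author URLs) and display_name (used in bylines) are
    returned too; they still read 'admin' after changing user_login alone."""
    cur = conn.cursor()
    cur.execute(f"UPDATE `{prefix}users` SET user_login = ? WHERE ID = 1", (new_login,))
    conn.commit()
    cur.execute(f"SELECT user_login, user_nicename, display_name FROM `{prefix}users` WHERE ID = 1")
    login, nicename, display = cur.fetchone()
    return {"user_login": login, "user_nicename": nicename, "display_name": display}


if __name__ == "__main__":
    print(rename_prefix_in_dump(SAMPLE_DUMP))
    db = build_demo_db()
    print("rows fixed (usermeta, options):", fix_prefixed_rows(db))
    print("usermeta keys:", meta_keys(db))
    print("user 1:", rename_admin_user(db))
```

Running the script prints the rewritten dump (three `fixed_posts` identifiers, the quoted sentence still saying wp_posts), reports two usermeta rows and one option row fixed, and shows that ‘nickname’ and ‘wpx_theme_note’ were correctly left alone.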
That’s it.
The site should now be happily running with a new administrator user name and a non-default database.
Good post! A lot of new DIY WordPress site owners often don’t know about these two security issues that come default with any new installation of WordPress.
I cheat a bit though. When I used to do a fresh install of WordPress (and forgot to change the default account) the first thing I did was to log in under the default “admin” account, go to “Users” and create my own user account with administrative privileges. Then I’d log out of “admin” and log in under the new account and delete the default “admin” account.
For changing the default “wp_” DB prefix, lately I’ve been using the script that comes with the “WebsiteDefender WordPress Security” plugin. It works well with my web host and it does require a bit of preparation on the user’s part before running (mainly temporarily changing permissions for “wp-config”) but once the preliminaries are completed it automatically changes the prefix to what you specify in the DB as well as in “wp-config”. Once complete, change the permissions back to what they were and you’re done.
Sure, I know running automated scripts has its risks but I figure that in my current condition both mentally and physically, it’s just as risky doing it myself. 😉
Setting up a new user with Administration level access is of course another simple way to do things, and I have done that a few times. There are a couple of reasons why I prefer to just change the username though. One is that I have gotten used to a particular password (or rather, my browser has 😉 ). The other is that adding a new user demands a new email address, and the correct address is already used by the Admin setup.
I have never used the auto-fix feature of WebsiteDefender WordPress Security plugin, though not for the lack of trying. It just tells me that my database user doesn’t have sufficient rights, which is fair enough. Like yourself, I’m always a little wary of using automated features. The process above may seem lengthy and complex, but it has the advantage of setting all the changes that are made, so in the event of a total disaster the process can just be reversed. For example, when modifying the database dumps, I always keep the originals so that I can use them in an emergency.
Of course this is another point that may be overlooked – any database backups taken before the modification must be deleted, as restoring them would corrupt the whole system again.
Laughingly enough I always used the “wrong” email address when I set up a fresh install of WordPress. Then I could use the correct email address with my (new) user and then delete the default user. I have enough email addresses to go around so no sweat. Besides, on my server for some oddball reason, the only email address I am able to use is the default wordpress (at) sitename.com. Otherwise WordPress will not send out any notifications whatsoever if I use another email address (comment notifications, etc). I used to have a plugin that used to fix that but it hasn’t worked for a long time now. It’s supposed to be a security thing.
Yup, I used to do the change DB prefix manually thing myself which is why I’m very glad the script works. Always have the backup in case of screw ups though.