Delete original WP admin account for additional security
Have you recently had your WordPress installation hacked? Did the hackers fill your theme files with link spam? If so, you have probably spent some time upgrading and doing a clean install of WordPress, and as part of that process you probably also changed the password you use to log in to WordPress.
I had this problem a few months ago and found that changing my password was not enough. One additional step to fully secure your blog is to delete the original admin account. If you don’t, it’s probably only a matter of time before you are re-hacked.
Once the “admin” login is gone, a hacker has to figure out a valid username AND password combination, which makes it exponentially more difficult to hack your login. Hackers know that the default WP installation process leaves you with an administrative username of “admin.” They can safely assume that most people never bother to change it, so they only need to figure out your password.
If you haven’t done this and you are logging in as “admin,” follow these steps:
- Log in as admin.
- Create a new user for yourself and give it administrator privileges.
- Log out of admin and log in under your new administrative username.
- Delete the original admin account.
- (optional) If you already have been posting on your blog using the original admin account, you can attribute those posts to your new account when you delete the user.
Since you are taking the time to do this, you should also consider using a secure password. Most people simply use an easy-to-remember word as their password. Words are easy to hack, even when they are case sensitive: there are only so many possible combinations of upper- and lowercase letters. Adding a number or two to your password is better. This increases the security of the password exponentially, because you are increasing the number of possibilities.
But if you REALLY want a secure password, you need a combination of the following:
- Upper and Lowercase letters
- At least one (1) number
- At least one (1) symbol (those do-hickeys above the numbers)
This makes it FAR more difficult for a hacker to figure out your password. Incidentally, WP 2.5 has added a nice feature in the users panel to tell you the strength of your password. If you follow the above, it will indicate you have a strong password.
Of course a completely random string of characters would be best, but who can remember that? So most people rely on a word they can remember. But words can be hacked with a dictionary cracker. One little hint to further password strength is to swap a letter for a number. This changes your passWORD into a NONword. For example, if you use a “3” for your “E” (or “e”), then “Bubble” becomes “Bubbl3”. See how the 3 is a backwards E? Now add some other numbers and symbols and you have a much stronger password. 1%Bubbl3 is FAR superior to bubble. It should be just as easy to remember something like “one percent bubble” as it is to remember “bubble”, but it’s MUCH harder to hack.
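As an added example (not part of the original post), here is a Python checker that implements the four-class rule above, estimates the “number of possibilities” for a password, and reverses common letter-for-number swaps to see whether the base word is still a dictionary word. The wordlist and the substitution table are constructed for the demo.

```python
import math
import re
import string

# Sizes of the four character classes the post lists (symbols = the 32
# printable punctuation characters on a US keyboard).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}

# Common letter -> digit/symbol swaps such as the "e" -> "3" trick in the post
# (constructed table; crackers ship far larger ones as "rules").
LEET_MAP = {"3": "e", "1": "i", "0": "o", "4": "a", "@": "a", "$": "s", "5": "s", "7": "t", "!": "i"}

# Constructed stand-in for a cracking wordlist; real lists have millions of entries.
WORDLIST = {"bubble", "password", "letmein", "welcome"}


def char_classes(pw):
    """Report which of the four character classes appear in pw."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def meets_policy(pw, min_len=8):
    """The post's rule: upper + lower + at least one digit + at least one symbol,
    plus a length floor (the floor is an assumption, not from the post)."""
    return len(pw) >= min_len and all(char_classes(pw).values())


def keyspace_bits(pw):
    """log2(alphabet ** length): the 'number of possibilities' the post refers to.
    Assumes every character was picked at random; a word-based password is not."""
    present = char_classes(pw)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    return len(pw) * math.log2(alphabet)


def dictionary_base(pw):
    """Undo the substitutions in LEET_MAP, take the longest run of letters, and
    return it if it is a dictionary word (else None). Crackers apply the same
    rules, so the extra numbers and symbols, not the 3-for-E swap, carry the
    added strength."""
    undone = "".join(LEET_MAP.get(c, c) for c in pw).lower()
    tokens = re.findall(r"[a-z]+", undone)
    base = max(tokens, key=len, default="")
    return base if base in WORDLIST else None
```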
These easy steps will make it much harder for you to be hacked again!
Issues with the Verse-O-Matic
There have been some issues with the Verse-O-Matic that have not been addressed. I’m not sure at this point if it is due to changes in WP that have not been accounted for, deprecated functions in PHP (I know there are some in the script), or if it is with MySQL. Regardless of where the issues lie, I will be releasing a fixed version to address the issues with the plugin.
However, note that this fix will be tested on and compatible with the most current version of WP (currently 2.5.1). It is important to keep up with the changes in WordPress to make sure that your blog is secure and running smoothly. While the fixes may work on earlier versions of WP (they certainly have in the past), I cannot guarantee that they will.
Changing WordPress Posts to Pages
During the time that I was having problems with the spam injection hijack, I upgraded through a couple of versions of WordPress. During this process, I somehow “lost” all my pages. They were still there as posts, but for some reason they were not being seen as pages.
I did some searching on the issue, but really came up empty on finding an existing discussion of what I was looking for. So, I did what I usually do when confronted with a WordPress issue that I can’t find a ready fix for – lift the hood and get my hands dirty figuring it out.
It didn’t take long for me to figure out the quick solution. The WordPress database has a table called _posts (with your table prefix in front, so wp_posts by default). In _posts there is a field called post_type, which can be set to either “page” or “post”.
In my case, the pages had been changed to “post”, so I merely had to change the value of this field. You can do this with phpMyAdmin or a similar tool. It helps to know the ID number of the original post, but if you don’t know it, you can find it by browsing through the content of wp_posts.
Once you have changed the value of the post_type field to “page”, that post will show up as a page on your blog.
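As an added example (not from the original post), here is the lookup and the UPDATE from the steps above, run from Python against a constructed in-memory SQLite stand-in for wp_posts. The statements are the same ones you would type into phpMyAdmin against MySQL; the demo table carries only the columns used here, and the guard that leaves other post types alone is an assumption of this example.

```python
import sqlite3

# The two post_type values the post discusses.
VALID_TYPES = {"post", "page"}


def open_demo_db():
    """Constructed stand-in for wp_posts with just ID, post_title and post_type.
    The real table has many more columns, but these are the ones involved here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_posts VALUES (?, ?, ?)",
        [
            (1, "Hello world!", "post"),
            (2, "About", "post"),     # a page that came back as a post
            (3, "Contact", "post"),   # same
            (4, "Plugin news", "post"),
        ],
    )
    conn.commit()
    return conn


def find_ids_by_title(conn, title):
    """Find the ID the post says you need, by title, instead of browsing the table."""
    rows = conn.execute("SELECT ID FROM wp_posts WHERE post_title = ?", (title,)).fetchall()
    return [row[0] for row in rows]


def set_post_type(conn, post_id, new_type):
    """Change post_type for one row. Only rows that are currently 'post' or 'page'
    are touched (WordPress also stores attachments in this table), and only the
    two values discussed here are accepted. Returns the number of rows changed."""
    if new_type not in VALID_TYPES:
        raise ValueError("post_type must be one of %s" % sorted(VALID_TYPES))
    cur = conn.execute(
        "UPDATE wp_posts SET post_type = ? WHERE ID = ? AND post_type IN ('post', 'page')",
        (new_type, post_id),
    )
    conn.commit()
    return cur.rowcount


def post_type_of(conn, post_id):
    """Read back post_type for one row (None if the ID does not exist)."""
    row = conn.execute("SELECT post_type FROM wp_posts WHERE ID = ?", (post_id,)).fetchone()
    return row[0] if row else None
```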
Site Update
Once again, I thank everyone for their patience. I believe that I have finally solved the problems with the site, but there is now much work to be done.
First, the issue I was having does not seem to be isolated. It was a spam injection hijack of my blog, and to be honest, the only reason I noticed it was the content of the AdSense ads that were showing up. It really was a bear to get rid of. I will have a single post later that covers this, because the problem appears to be affecting a lot of WP blogs.
That brings me to another important issue. While I was infected via an exploit, some people that have gotten this hijack have actually installed it themselves. They did this by downloading a theme or plugin from a site other than WP or the actual developer. In the case of themes, they downloaded from a gallery where the download had actually been modified and contained JavaScript to run the hijack. Lesson: only download from the original developer or from a trusted source (i.e., WP).
In the case of my plugins, I know that there are some sites that have downloaded from here and then helped themselves (w/o permission) to hosting them on their site. I generally don’t waste my time going after these guys because the plugins are open source and I have too much else to worry about. But if you download from one of these, you could run into problems. Here are some reasons to only download my plugins from “official” locations:
- They are always going to be the latest version.
- The code will not contain any hijacks. (Bugs maybe, exploits I hope not, but malicious hijacks? NEVER!)
- You are supporting the author.
The only “official” locations for my plugins are:
- This Site
- WordPress Plugin Database (http://wp-plugins.net/)
- WordPress (soon. They’ve been approved, just haven’t got them up there yet.)
My plan is eventually to have everything as part of the WP site using SVN.
Back to the greater point of my post. From here, I need to get the forum fixed and restore some of my content that was messed up during the recovery from the hijack. Then I will be systematically going through and addressing comments that were questions on support issues. If relevant, these will be moved into the forum (where support questions should be addressed).
If I can make it through all of that maintenance, then maybe we will get back on track with development of the existing plugins and new ones that have been on the back burner. Also, the existing work I have needs to be tested in WP 2.5, but I see no reason why it wouldn’t be compatible at this point.
That’s all for now. Again, thanks for your patience and support.
Maintenance, Updating, Support, and other Stuff
Well, I thought I had the theme hacks licked, but of course it was rehacked. I’ve been trying to track that down before I go back and fix the theme (and really the whole blog) again. To be honest, it’s rather depressing because it is a lot of work to keep this thing going. Sometimes I feel like I’m just spinning plates – about the time I get the last plate spinning, I have to go back to respin the first ones because they’ve come to a stop.
On top of the hacks to my theme, there has been a ton of spam comments. Unfortunately, when the theme got hacked it caused some problems with the WP-Members support forum so I’m getting support needs posted in comments because people are having problems with the forum. Since I very much want to help people that need help with the plugin, I’ve been carefully going through the comment moderation process so I don’t accidentally delete a legitimate comment with the spam. I want to come back and get those answered.
During this time, there have been some people that have used the PayPal donation for the plugin and of course, I give priority to their support needs. So if you are still waiting on free support, please understand that I have to give priority to those folks. Of course, that was one of the purposes of the forum – to develop an area of common support issues so that people would be able to self-serve their needs, but with the hacks to the site, that hasn’t really worked out all that well.
So, to everyone, thanks for your patience! I do intend to work through these issues and get this blog back together. I put too much work into my plugins to just let them die. I just need some time to get this thing put back together.