There is Risk with Wordpress ID

Nov 06, 2008 in Blog Security

Do you know there is a BIG risk in Wordpress ID?

Well actually the risk is in the ID itself!

When you first time install the Wordpress software, it will generate a default ID known as ‘Admin’, then you will get a default password too.

The Password look complicated, so you think this is good enough, right?

Let me explain here.

Most of the hacker knows the default ID is Admin, the only thing they do not know is the password. In Wordpress software, you can retry keying in the password as many times as you wish without revoking the ID. This, in my opinion, is one of the weaknesses in the Wordpress Software.

In other applications, your ID will be revoke once you retry 3 times (depending on the administrator’s setting). In some computer installation, you password need to be change at a certain frequency depending on the administrator’s setting (monthly or bi-monthly)

Let me share with you my personal story. A few years ago, I have another blog site. This is my first blog site. Luckily I have not post a lot of information yet.

One day, I found myself unable to login to my ID. Can you guess what ID I am using?

That’s right, I am using Admin ID.

So I login to my web hosting account and check the MySQL database. True enough, someone has changed my Admin ID password. Also another ID was created.

Luckily, I was able to reset the Admin ID and managed to log in.

So in term of best practice,create an ID with Admin privilege. Use the new ID for your daily use. If you already have an Admin ID, delete this ID. Don’t keep it, else someone might one day hack into your blogsite using the Admin ID.