Those of you who publish content to your website are well aware that a CMS, or Content Management System, is a great item to have in your online toolkit. Not only does it allow you to publish blog posts, update products & services, staff listings and other such content, but it also saves you the cost of having your web developer update content on your behalf. However, Content Management Systems do pose additional website security issues that need to be addressed, and today I’d like to touch on one of them: the default username, “admin”.
A common convention with most Content Management Systems is to use a default username of “admin”, and unless a unique username is specified during installation, that username remains. Platforms such as WordPress, Drupal & Joomla all follow this practice under the assumption that those experienced enough to install them will select a unique username in favor of the default “admin”.
Chances are that if you use a CMS, at least one of the accounts in your install was created under this default username, the reason being that unless an alternate user account was created, some form of account was required in order to make your CMS accessible from the back-end. Make sense so far? Good, because we’re just now getting into the meat and potatoes of this piece.
Why Not Use The Default Account?
The developers of these platforms assume that the user will delete the account once they’ve created a new one; however, all too often I see installations that still use this default account. At first glance, most users will reckon that along with a unique password this doesn’t present any issues, but it does. In a word: hackers.
Unbeknownst to the average user, keeping that account leaves the site exposed to attack, as hackers familiar with this convention will often use it to gain access to an otherwise secure CMS. After all, with a known username and advanced tools designed to crack passwords, a hacker’s job is 50% done.
And what can a hacker do to a CMS once they’ve gained access to it? In some cases, they’ll post spammed content to your blog, directing users to outside websites designed to entice them with unbelievable offers on discount drugs, inflatable dolls and all manner of unseemly propositions. In others however, they can take a whole site down, or even take out your server.
That said, if you or someone to whom you’ve entrusted administrative credentials are using the default “admin” account with your CMS, your heart rate may well have gone up by several dozen beats. Fear not! Following are a few simple steps that will go a long way to making sure your site remains safe, secure and inaccessible to those with nothing better to do than throw a great big monkey-wrench into your web works:
How To Create A New User Account & Delete The Default Account
- First you’ll want to create a new username for yourself, or whomever you’ve entrusted with administrative credentials to your site, preferably something meaningful only to you and the select few with whom you’ve entrusted your darkest secrets, something cryptic and hard to crack. No, your first name, last name or street name won’t do, as this is information that can be easily obtained by hackers, so you’re going to want to select something a bit more obscure, such as the name of your first dog, or your favorite ice cream.
- Next, you’ll want to create a complex alpha-numeric password under your new username, taking care to use something other than the tired old password you’ve been using since you first created your long-since abandoned MySpace & Friendster accounts. So “DaddysGirl12”, or “randyjohnson2001” won’t do. No, this should be a password that is unique to your CMS and not one that you use for any other account on the internet, something like “kd2MmvspNzPq&Xgh”, “pYBSb^VM%xP7” or some other such password. Sure, it’s impossible to remember such a password, but that’s the point! If ease of access is your concern, there are great tools out there like 1Password, or LastPass that will safely and securely store all of your passwords and keep them from prying eyes.
- The third thing you’ll need to do is create a new account for yourself. Make sure that this account includes administrative permissions so that you can maintain complete control over the content & configuration of your site. Once you’ve created this account, you’re going to want to logout of the old “admin” account and log-in to the new one.
- Finally, once you’ve logged in to your new administrative account, you’ll need to locate the default “admin” account and delete it. In some cases you may be asked to whom you’d like to assign authorship credit of previously published content, and unless there are other users to whom you’d like to assign credit, simply select the new account you created and you’re done.
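The four steps above, carried out for a WordPress site with WP-CLI, as an added example that is not part of the original post. It assumes WP-CLI is installed and on PATH as `wp`, that it is run from the site root, and that the default account’s login is literally “admin”; the login-length threshold is this example’s own choice.

```shell
#!/bin/sh
# Added example: replace the default "admin" account with a new administrator
# via WP-CLI, then delete "admin" and reassign its posts to the new account.
# Assumes WP-CLI ("wp") is on PATH and the script runs from the WordPress root.

# Reject logins that are the default account name or too short to be obscure
# (the 8-character minimum is this example's choice, not a CMS rule).
valid_login() {
  login="$1"
  case "$login" in
    admin|administrator|root|"") return 1 ;;
  esac
  [ "${#login}" -ge 8 ] || return 1
  return 0
}

# Build a random 16-character password from letters, digits and symbols,
# the kind of thing you store in a password manager rather than remember.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!%^&*' < /dev/urandom | head -c 16
}

# Create the replacement administrator, then delete "admin" and hand its
# content to the new account. Prints the password once so it can be saved.
replace_default_admin() {
  new_login="$1"; new_email="$2"
  valid_login "$new_login" || { echo "refusing weak login: $new_login" >&2; return 1; }
  if ! wp user get admin --field=ID >/dev/null 2>&1; then
    echo "no 'admin' account found; nothing to do" >&2
    return 0
  fi
  pass=$(gen_password)
  new_id=$(wp user create "$new_login" "$new_email" \
             --role=administrator --user_pass="$pass" --porcelain) || return 1
  wp user delete admin --reassign="$new_id" --yes || return 1
  echo "created $new_login (ID $new_id); password: $pass"
}

# Only act when invoked explicitly: sh replace-admin.sh run <login> <email>
if [ "${1:-}" = "run" ]; then
  replace_default_admin "$2" "$3"
fi
```

Log out of the old “admin” session before running it, and log in with the new account afterwards.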
Assuming you’re able to do so, the above steps will make your CMS far more secure than it was while running with this default “admin” account. You’ve effectively placed a deadbolt on your site where once you had a flimsy chain. If, however, you find yourself in need of further assistance, you can always contact us; I’d be happy to help secure your site so that you don’t have to.